3. You might know me from...
Being active in the CF/web dev community in
AU and NZ
Having a very strong opinion on SOAP-based
web services
Having been at many webDUs in the last few
years
4. What you might not know...
I’m also a fully trained mathematician
THERE IS A NEED FOR DEVELOPER
EDUCATION ON CRYPTOGRAPHY
16. Definition of a crypto system (I)
Crypto system S = <M,C,K,E,D>
M - set of plaintexts (messages)
C - set of ciphertexts (encrypted messages)
K - set of keys
E - set of encryption transforms Ek: M -> C
D - set of decryption transforms Dk: C -> M
17. Definition of a crypto system (II)
Every m∊M can be decrypted again after
being encrypted (∀m∊M: Dk(Ek(m))=m)
Different m∊M cannot be encrypted to the
same c∊C (∀k∊K, c∊C ∃! m∊M: Ek(m)=c)
18. Desired properties of a crypto system
Both E, D must be efficient and easy to use.
Both E, D should be assumed known.
It should be infeasible to deduce (without
knowing k):
m from c
Dk from c (even if m is known)
Ek from m (even if c is known)
c, unless Ek and m are known
19. Practical application
If your crypto system doesn’t fulfill the desired
properties, it’s most likely not secure.
Common attack vectors:
Ciphertext-only
Known plaintext
Chosen plaintext
Chosen ciphertext
24. Implementation of Caesar cipher
Very easy to implement via modulo operation:
For an integer m and a positive integer n, m mod n is
the smallest non-negative integer r so that m=nq+r
for some integer q.
Caesar cipher is essentially a transformation
from position n to position (n+s) mod 26.
25. Problems
Easy to crack with dictionary attacks
(frequency of characters)
Rotation cipher is too simple, make algorithm
more complex? Mix alphabet? Or even more
complex:
Good?
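Slides 24 and 25 together, as an added example that is not part of the original deck: the Caesar shift written as the "(n+s) mod 26" transformation, and the reason the Problems slide gives for rejecting it. Because only 26 keys exist, a defender can show the weakness by trying every shift and ranking the candidates by how closely their letter frequencies match English. The English frequency table and the sample sentence are constructed for this example.

```python
# Added example (not from the slides): the Caesar shift as arithmetic mod 26,
# and why 26 keys plus letter statistics are enough to undo it.
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz"

# Relative frequency (percent) of each letter a..z in ordinary English text;
# these are the commonly published approximate values.
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]

# Constructed sample plaintext used by the demo below.
SAMPLE_TEXT = ("it was the best of times it was the worst of times "
               "it was the age of wisdom it was the age of foolishness")


def caesar_encrypt(plaintext: str, shift: int) -> str:
    """Map each letter at position n to position (n + shift) mod 26.

    Python's % always yields a value in 0..25, so a negative shift
    (decryption) needs no special handling. Non-letters pass through.
    """
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, shift: int) -> str:
    return caesar_encrypt(ciphertext, -shift)


def chi_squared_vs_english(text: str) -> float:
    """Distance between the letter histogram of `text` and English.

    Lower means more English-like: letters that English uses often but the
    candidate plaintext lacks (or the reverse) raise the score.
    """
    counts = Counter(ch for ch in text if ch in ALPHABET)
    total = sum(counts.values())
    if total == 0:
        return float("inf")  # nothing to measure
    score = 0.0
    for letter, freq in zip(ALPHABET, ENGLISH_FREQ):
        expected = freq / 100.0 * total
        score += (counts[letter] - expected) ** 2 / expected
    return score


def recover_shift(ciphertext: str) -> int:
    """Only 26 keys exist: try all of them and keep the shift whose
    candidate plaintext is closest to English letter frequencies."""
    return min(range(26),
               key=lambda s: chi_squared_vs_english(caesar_decrypt(ciphertext, s)))


if __name__ == "__main__":
    c = caesar_encrypt(SAMPLE_TEXT, 13)
    s = recover_shift(c)
    print(c)
    print("recovered shift:", s)
    print(caesar_decrypt(c, s))
```

The frequency ranking is the "dictionary attack (frequency of characters)" point of slide 25 made concrete: the key space is so small that the statistics of the language, not the key, decide the outcome.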
27. Problems
Symmetric cryptography (any scheme that
uses a codebook or private key) suffers from a
few drawbacks:
Adversary learns what the code is → decoding
becomes trivial
If the coding scheme is used often enough over time
& adversary has enough time and computing power
they could break the code
30. Polyalphabetical ciphers - try it yourself
Plaintext: renaissance
Ciphertext: seadjsfdocr
Decode the following ciphertext: hobgxenwiee
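Added example, not part of the original deck: a Vigenère-style polyalphabetic cipher (each letter shifted by the corresponding letter of a repeating key), plus the known-plaintext step from slide 19 applied to it. Given the plaintext/ciphertext pair on this slide, the per-position shifts are computed, the shortest period that explains all of them is taken as the key length, and the recovered key is then applied to the challenge ciphertext. The period detection is a general algorithm (it works for any pair long enough to show at least one full repetition); it is an assumption of this example that the slide's cipher is exactly this repeating-shift scheme.

```python
# Added example (not from the slides): repeating-key shift cipher and
# known-plaintext key recovery.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift letter i by key[i mod len(key)]; subtract instead when decrypting."""
    out = []
    for i, ch in enumerate(text):
        k = ALPHABET.index(key[i % len(key)])
        if decrypt:
            k = -k
        out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
    return "".join(out)


def shifts_from_pair(plaintext: str, ciphertext: str) -> list:
    """Known plaintext: each position reveals its shift directly."""
    return [(ALPHABET.index(c) - ALPHABET.index(p)) % 26
            for p, c in zip(plaintext, ciphertext)]


def smallest_period(seq: list) -> int:
    """Shortest period consistent with the whole sequence (at most len(seq))."""
    for period in range(1, len(seq) + 1):
        if all(seq[i] == seq[i % period] for i in range(len(seq))):
            return period
    return len(seq)


def recover_key(plaintext: str, ciphertext: str) -> str:
    shifts = shifts_from_pair(plaintext, ciphertext)
    period = smallest_period(shifts)
    return "".join(ALPHABET[s] for s in shifts[:period])


if __name__ == "__main__":
    key = recover_key("renaissance", "seadjsfdocr")   # pair from the slide
    print("recovered key:", key)
    print("challenge decodes to:", vigenere("hobgxenwiee", key, decrypt=True))
```

The caveat a practitioner should note: with only eleven known letters the period is confirmed only up to that length, so a longer key that happens to agree on those positions would not be distinguished.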
31. What’s considered good and secure?
Block ciphers: a block of data is encrypted at a
time, using the same key on each block. Block
ciphers have various modes:
ECB, CBC, CFB, OFB etc...
Stream ciphers: operate on a single bit at a
time and provide a feedback mechanism to
change the key
33. What’s considered good and secure?
DES (Data Encryption Standard) - considered
to be insecure, mainly due to 56-bit keysize
TripleDES (key bundle of 3 56-bit keys) -
practically secure-ish with known theoretical
attack vectors & slow!!!!
AES (128-,192-,256-bit keys) - considered
mostly secure, there are some related-key
attack vectors
(All block ciphers)
34. What’s considered good and secure?
Blowfish (variable key length) - there are some
limited (# of rounds) attack vectors, but
there’s currently no known cryptanalytic
weakness
Blowfish is also patent- and royalty-free.
Others: Serpent, Twofish, RC6, MARS etc
35. Public-key (asymmetric) Cryptography
Protocol:
Both Alice and Bob have a public and private key (key
pair)
Each participant’s public key is made public
Alice encrypts a message to Bob with Bob’s public
key. Bob decrypts the message with his private key:
m = Sb(Pb(m))
38. The hard part of public-key cryptography
Bob’s dilemma: Sb and Pb have to be easily
computable for him. Also: Sb has to be
extremely hard to compute for everyone else
but him (even if Pb is open and well known).
Creating proper public-key cryptography
needs a lot of know-how in discrete
mathematics.
39. A simple (unsecure) public-key example
Messages: integers between 1 and 999
Bob’s public key is Pb(M)=rev(1000-M)
Bob’s private key is Sb(C)=1000-rev(C)
Alice: M=167, therefore C=rev(1000-167)=rev(833)=338
Bob: receives C=338, therefore M=1000-rev(338)=1000-833=167
41. Example was flawed because if you know Pb,
you can easily figure out Sb.
The challenge is to design a function Pb so that
even if you know Pb and C=Pb(M) it is
exceptionally difficult to figure out what M is.
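Slides 39 and 41 as an added example, not code from the deck: the digit-reversal scheme with Alice's M=167 worked through, the zero-padding the scheme silently needs (1000-900 = 100 must reverse to "001" = 1 and back again), and the flaw. Besides reading Sb straight off Pb, an adversary who knows only Pb can invert it by trying all 999 messages, which is the brute-force point slide 48 makes about RSA as well. The padded `rev` helper is an assumption of this example.

```python
# Added example (not from the slides): the toy "reverse the digits"
# public-key scheme and why knowing Pb is enough to undo it.
from typing import Callable


def rev(x: int) -> int:
    """Reverse the decimal digits of x as a 3-digit, zero-padded string.

    Without padding the scheme is not invertible: rev(100) must be 1 and
    rev(1) must be 100, which only holds if "001" and "100" are compared.
    """
    return int(f"{x:03d}"[::-1])


def pb(m: int) -> int:
    """Bob's public transform Pb(M) = rev(1000 - M), messages 1..999."""
    return rev(1000 - m)


def sb(c: int) -> int:
    """Bob's private transform Sb(C) = 1000 - rev(C)."""
    return 1000 - rev(c)


def invert_public(c: int, public: Callable[[int], int] = pb) -> int:
    """What someone who knows only Pb can do: the message space has 999
    elements, so every candidate can simply be tried. Any scheme with a
    message space this small is broken this way, whatever Pb looks like."""
    for m in range(1, 1000):
        if public(m) == c:
            return m
    raise ValueError("no message maps to this ciphertext")


if __name__ == "__main__":
    c = pb(167)
    print("Alice sends", c)                      # 338
    print("Bob recovers", sb(c))                 # 167
    print("adversary recovers", invert_public(c))  # 167, without Sb
```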
42. A better (and more famous) PK crypto system
RSA: Rivest-Shamir-Adleman
Built on the idea of “mod n” calculations in
the ring Zn (integers modulo n)
Let’s do that!
45. We don’t have enough time to introduce:
Zn and arithmetic in Zn
Inverses, Greatest Common Divisors
Euclid’s Division Theorem
Fermat’s Little Theorem
(this is the core of RSA)
46. How does RSA work though?
Bob chooses an RSA key:
(1) Choose 2 large prime numbers p and q
(2) n = p·q
(3) Choose e ≠ 1 so that e is relatively prime to (p − 1)·(q − 1)
(4) Compute d = e^(-1) mod (p − 1)·(q − 1), i.e. the inverse of e
(5) Publish e and n
(6) Keep d secret and keep the factorisation n = p·q secret
Alice sends to Bob:
(1) Alice reads the public directory for Bob’s keys e and n
(2) Compute y = x^e mod n
(3) Send y to Bob
Bob does the following:
(4) Receive y from Alice
(5) Compute z = y^d mod n, using secret key d
(6) Read z
48. The trick is:
There’s no scheme or algorithm to calculate
the e-th root mod n (and break the code).
Someone who doesn’t know the prime
factorisation of n = p·q can not break the
code analytically.
Modular exponentiation is a one-way function.
Note: BRUTE FORCE is still possible!
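The key-generation and message steps of slide 46, run end to end on the tiny parameters from the speaker notes (p = 3, q = 11, e = 7, giving n = 33 and d = 3), as an added example that is not from the deck. The inverse d is found with the extended Euclidean algorithm slide 45 mentions. The last function makes the point of slide 48 concrete: nobody computes an e-th root mod n directly, but for an n this small trial division recovers p and q and hence d, which is exactly the "brute force is still possible" caveat. Textbook RSA only; a real deployment pads messages and uses keys of the size slide 49 recommends.

```python
# Added example (not from the slides): textbook RSA on the notes' toy numbers,
# plus recovery of d by factoring a small n.
import math


def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a: int, m: int) -> int:
    """Inverse of a modulo m; exists only if gcd(a, m) == 1."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no inverse: a and m are not coprime")
    return x % m


def rsa_keygen(p: int, q: int, e: int):
    """Steps (1)-(6) of slide 46. Returns ((e, n), d)."""
    phi = (p - 1) * (q - 1)
    if e == 1 or math.gcd(e, phi) != 1:
        raise ValueError("e must be != 1 and relatively prime to (p-1)(q-1)")
    d = modinv(e, phi)
    return (e, p * q), d


def rsa_encrypt(x: int, public) -> int:
    e, n = public
    return pow(x, e, n)          # y = x^e mod n


def rsa_decrypt(y: int, d: int, n: int) -> int:
    return pow(y, d, n)          # z = y^d mod n


def recover_d_by_factoring(public) -> int:
    """Trial division on n. Feasible here because n = 33; for a 2048-bit n
    this loop is what no one can finish, and that gap is all RSA rests on."""
    e, n = public
    for p in range(2, math.isqrt(n) + 1):
        if n % p == 0:
            q = n // p
            return modinv(e, (p - 1) * (q - 1))
    raise ValueError("n has no nontrivial factor")


if __name__ == "__main__":
    public, d = rsa_keygen(3, 11, 7)      # notes: n = 33, e = 7, d = 3
    y = rsa_encrypt(4, public)
    print("public key", public, "private d", d)
    print("4 encrypts to", y, "and decrypts to", rsa_decrypt(y, d, public[1]))
    print("d recovered from n alone:", recover_d_by_factoring(public))
```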
49. What’s considered good and secure?
RSA (min suggested key length today is 2048-bit, rather 3072-bit)
- still the most common public key crypto system and, with long keys,
very secure
Others: Diffie-Hellman, DSA, various PKCS
Worth mentioning:
Elliptic Curve Cryptography - field of current
research
50. Hashing
Speaking of one-way functions...how do you
store passwords?
A hash function is a one-way function that
can’t be reversed. You always want to store
hashed passwords in your DB.
51. Problems with MD5 hashing
Even though hashing is one-way, there are
MD5 hash libraries/websites
Google the hash
http://www.lib.muohio.edu/multifacet/record/az-4602da187c6e221d00d02826db1bfd6a
MD5 is not collision resistant and
considered insecure now, use SHA-2
instead!
53. Salting
The same hash input creates the same hash
output:
test12→60474c9c10d7142b7508ce7a50acf414
But if you salt every password, the hash value
is much harder to reverse-engineer:
<userID>test12<RandomSalt>→...
54. References
An Overview of Cryptography
http://garykessler.net/library/crypto.html
CS651 (Principles of Cryptography) Lecture Notes
http://www.cs.virginia.edu/~shelat/651/www/index.html
CS70 (Discrete Mathematics for Computer Scientists) Lecture Notes
http://www.cs.berkeley.edu/~daw/teaching/cs70-s05/
Various Cryptography and Number Theory Articles
http://di-mgt.com.au/crypto.html
RSA in Javascript
http://www.ohdave.com/rsa/
Recommended text books with further (deeper) information:
Discrete Mathematics for Computer Scientists
http://www.amazon.com/Discrete-Mathematics-Computer-Scientists-Cliff/dp/0132122715/ref=pd_sim_b_1
Introduction to Modern Cryptography: Principles and Protocols
http://www.amazon.com/Introduction-Cryptography-Chapman-Network-Security/dp/1584885513/
Speaker notes

Ciphertext only: attacker knows a limited number of ciphertexts and wants to get the plaintexts and keys.
Known plaintext: attacker knows a limited number of ciphertexts and their plaintexts and wants to get the key.
Chosen plaintext: attacker knows the encryption function (not the key) and can encrypt his own plaintexts; wants to be able to decrypt and get the key.
Chosen ciphertext: attacker knows the decryption function (not the key) and can decrypt spied ciphertexts; wants to get the key.

Can be shifted by as many characters as one likes.

Pure shift cipher: crack by brute force - just <length of alphabet> keys.
Substitution/mix cipher: number of keys is <length of alphabet>! - for 26 it’s > 4*10^26 -> dictionary attack.

The first key-recovery attacks on full AES were due to Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger, and were published in 2011. The attack is based on bicliques and is faster than brute force by a factor of about four. It requires 2^126.1 operations to recover an AES-128 key. For AES-192 and AES-256, 2^189.7 and 2^254.4 operations are needed, respectively.

Pb public key
Sb secret key

Problem is that we need to find a function that’s really easy to apply but extremely hard to reverse.

One might ask: if Bob publishes e and n and Alice encrypts a message x by y = x^e mod n, WHY THE HELL can’t an ADVERSARY who learns x^e mod n just compute the e-th root mod n and break the code?
p = 3, q = 11. e can be: 7, 11, 13, 17, 19 (not 5).
n = 33, e = 7 public key; d = 3 => e·d ≡ 1 (mod 20) -> 7·d ≡ 1 (mod 20).

Important - distinction between brute-force cracking and analytic cracking.

PKCS: Public Key Cryptography Standards.

Very common password-storage issue.

What would a password cracker do if they get access to your hashed database of user accounts/passwords?
Lookup tables -> rainbow tables.
A collision attack exists that can find collisions within seconds on a computer with a 2.6 GHz Pentium 4 processor.
MD5 digests have been widely used in the software world to provide some assurance that a transferred file has arrived intact. For example, file servers often provide a pre-computed MD5 checksum (known as md5sum) for the files, so that a user can compare the checksum of the downloaded file to it. Unix-based operating systems include MD5 sum utilities in their distribution packages, whereas Windows users use third-party applications. Android ROMs also utilize this type of checksum.

If you create random salts, you need to make sure they are cryptographically secure; system.random or whatever the default generator is usually is not.