Transcript CSCI6268L06

Foundations of Network and
Computer Security
John Black
CSCI 6268/TLEN 5550, Spring 2015
OpenSSL
• Was SSLeay
• Open Source
• Has everything we’ve talked about and a lot
more
• Most everything can be done on the command
line
• Ungainly, awkward, inconsistent
– Mostly because of history
– Have fun, it’s the only game in town
• http://www.openssl.org/
Brief Tutorial
• This is a grad class; you can figure it out
from the man page, but…
– Syntax is
% openssl <cmd> <parms>
– cmd can be ‘enc’, ‘rsautl’, ‘x509’, and
more
– We’ll start with the ‘enc’ command
(symmetric encryption)
– Let’s look at the enc command in more detail
OpenSSL enc command
•
•
openssl enc -ciphername [-in filename] [-out filename] [-pass arg] [-e] [-d] [a] [-K key] [-iv IV] [-p] [-P]
-ciphername can be
– des-ecb (yuk!), des-cbc (hmm), des (same as des-cbc), des-ede3-cbc, des3
(same), aes-128-cbc, bf, cast, idea, rc5
– Can omit the ‘enc’ command if specifying these… kind of hokey
•
If you don’t specify filenames, reads from and writes to stdin/stdout
– Looks like garbage, of course
•
If you don’t specify a password on the command line, it prompts you for
one
– Why are command-line passwords bad?
– You can use environment variables but this is bad too
– You can point to a file on disk… less bad
•
What does the password do?
– Password is converted to produce IV and blockcipher key
enc (cont)
% openssl aes-128-cbc –P
enter aes-128-cbc encryption password:
salt=39A9CF66C733597E
key=FB7D6E2490318E5CFC113751C10402A4
iv =6ED946AD35158A2BD3E7B5BAFC9A83EA
• salt is a random number generated for each encryption in order to
make the key and iv different even with the same password
– Begins to get confusing… didn’t we just change the IV before?
– Use this mode only when deriving a new key for each encryption
• Eg, when encrypting a file on disk for our own use
– If key is fixed, we specify it and the iv explicitly
% openssl aes-128-cbc –K FB7D6E2490318E5CFC113751C10402A4 –iv
6ED946AD35158A2BD3E7B5BAFC9A83EA
Understanding Passwords vs. a
Specified IV and Key
• So there are two modes you can use with enc
– 1) Specify the key and IV yourself
• This means YOU are in charge of ensuring the IV doesn’t
repeat
– Use a good random number source or
– Use a counter (which you have to maintain… headache!)
– 2) Use a passphrase
• OpenSSL uses randomness for you by generating a salt
along with the IV and AES key
• Passphrases are less secure (more guessable) in general
• Either way, we get non-deterministic encryption
Passphrase-Based enc
Passphrase
salt
hash function
iv, key (128 bits each)
AES-128-CBC
salt
plaintext
ciphertext
Things to think about:
• How to decrypt? Is the IV needed in the ciphertext?
• Is the passphrase safe even though the salt and iv are known?
So How to Encrypt
• Let’s encrypt the file ‘test’
% cat test
hi there
% openssl aes-128-cbc -in test
enter aes-128-cbc encryption password:
Verifying - enter aes-128-cbc encryption password:
Salted__mTR&Qi¦¹K¯¿Óàg&5&kE
• What’s up with the garbage?
– Of course the AES outputs aren’t ASCII!
– Use –base64 option
base64
• This is an encoding scheme (not cryptographic)
– Translates each set of 6 bits into a subset of ASCII
which is printable
– Makes ‘garbage’ binary into printable ASCII
• Kind of like uuencode
–
–
–
–
Of course this mapping is invertible
For encryption we want to do this after we encrypt
For decryption, we undo this before we decrypt
This is the –a flag for ‘enc’ but –base64 works as
well and is preferable
Example: base64
• Let’s encrypt file ‘test’ again, but output
readable ciphertext
% openssl aes-128-cbc -in test -base64
enter aes-128-cbc encryption password:
Verifying - enter aes-128-cbc encryption password:
U2FsdGVkX1/tdjfZnPrD+mSjBBO7InU8Mo4ttzTk8eY=
• We’ll always use this option when dealing
with portability issues
– Like sending ciphertext over email
Decrypting
• The command to decrypt is once again
‘enc’
– This makes no sense; get used to it
– Use the –d flag to tell enc to decrypt
– Let’s decrypt the string
U2FsdGVkX1/tdjfZnPrD+mSjBBO7InU8Mo4ttzTk8eY=
which I’ve placed into a file called ‘test.enc’
% openssl enc -d -in test.enc
U2FsdGVkX18FZENOZFZdYvLoqPdpRTgZw2CZIQs6bMQ=
Hunh?
• It just gave back the ciphertext?!
– We didn’t specify an encryption algorithm
– Default is the identity map (get used to it)
– Let’s try again
% openssl aes-128-cbc -d -in test.enc
enter aes-128-cbc decryption password:
bad magic number
• Ok, now what’s wrong?
Error messages not useful
• We forgot to undo the –base64
– The error msg didn’t tell us that (get used to
it)
– One more try:
% openssl aes-128-cbc -d -in test.enc -base64
enter aes-128-cbc decryption password:
hi there
– It was all worth it, right?
– Now it’s your turn
Project #0
• I’ll give you a ciphertext, you find the
password
– Password is a three-letter lowercase alpha
string
– Main purpose is to get you to figure out where
openssl lives on your computer(s)
– Don’t do it by hand
– Full description on our web page
• Due Feb 18th, in class
Symmetric vs. Asymmetric
• Thus far we have been in the symmetric key
model
– We have assumed that Alice and Bob share some
random secret string
– In practice, this is a big limitation
• Bootstrap problem
• Forces Alice and Bob to meet in person or use some
mechanism outside our protocol
• Not practical when you want to buy books at Amazon
• We need the Asymmetric Key model!
Asymmetric Cryptography
• In this model, we no longer require an
initial shared key
– First envisioned by Diffie in the late 70’s
– Some thought it was impossible
– MI6 purportedly already knew a method
– Diffie-Hellman key exchange was first public
system
• Later turned into El Gamal public-key system
– RSA system announced shortly thereafter
But first, a little math…
• A group is a nonempty set G along with an
operation # : G x G → G such that for all a, b, c
∈G
– (a # b) # c = a # (b # c)
– ∃ e ∈ G such that e # a = a # e = a
– ∃ a-1 ∈ G such that a # a-1 = e
(associativity)
(identity)
(inverses)
• If ∀a,b ∈ G, a # b = b # a we say the group is
“commutative” or “abelian”
– All groups in this course will be abelian
Notation
• We’ll get tired of writing the # sign and just use
juxtaposition instead
– In other words, a # b will be written ab
– If some other symbol is conventional, we’ll use it instead
(examples to follow)
• We’ll use power-notation in the usual way
– ab means aaaaa repeated b times
– a-b means a-1a-1a-1a-1 repeated b times
– Here a ∈ G, b ∈ Z
• Instead of e we’ll use a more conventional identity name
like 0 or 1
• Often we write G to mean the group (along with its
operation) and the associated set of elements
interchangeably
Examples of Groups
•
•
•
•
•
•
•
Z (the integers) under + ?
Q, R, C, under + ?
N under + ?
Q under x ?
Z under x ?
2 x 2 matrices with real entries under x ?
Invertible 2 x 2 matrices with real entries under x ?
• Note all these groups are infinite
– Meaning there are an infinite number of elements in them
• Can we have finite groups?
Finite Groups
• Simplest example is G = {0} under +
– Called the “trivial group”
• Almost as simple is G = {0, 1} under addition
mod 2
• Let’s generalize
–
–
–
–
–
–
Zm is the group of integers modulo m
Zm = {0, 1, …, m-1}
Operation is addition modulo m
Identity is 0
Inverse of any a ∈ Zm is m-a
Also abelian
The Group Zm
• An example
–
–
–
–
–
Let m = 6
Z6 = {0,1,2,3,4,5}
2+5 = 1
3+5+1 = 3 + 0 = 3
Inverse of 2 is 4
• 2+4 = 0
• We can always pair an element with its inverse
a :
a -1 :
0
0
1
5
2
4
3
3
4
2
• Inverses are always unique
• An element can be its own inverse
– Above, 0 and 0, 3 and 3
5
1
Another Finite Group
• Let G = {0,1}n and operation is ⊕
– A group?
– What is the identity?
– What is the inverse of a ∈ G?
• We can put some familiar concepts into
group-theoretic notation:
– Caesar cipher was just P + K = C in Z26
– One-time pad was just P ⊕ K = C in the
group just mentioned above
Multiplicative Groups
• Is {0, 1, …, m-1} a group under
multiplication mod m?
– No, 0 has no inverse
• Ok, toss out 0; is {1, …, m-1} a group
under multiplication mod m?
– Hmm, try some examples…
•
•
•
•
m = 2, so G = {1}
X
m = 3, so G = {1,2}
X
m = 4, so G = {1,2,3} oops!
m = 5, so G = {1,2,3,4} X
Multiplicative Groups (cont)
• What was the problem?
– 2,3,5 all prime
– 4 is composite (meaning “not prime”)
• Theorem: G = {1, 2, …, m-1} is a group under
multiplication mod m iff m is prime
Proof:
→: suppose m is composite, then m = ab where a,b ∈
G and a, b  1. Then ab = m = 0 and G is not closed
←: follows from a more general theorem we state in a
moment
The Group Zm*
• a,b ∈ N are relatively prime iff gcd(a,b) = 1
– Often we’ll write (a,b) instead of gcd(a,b)
• Theorem: G = {a : 1 ≤ a ≤ m-1, (a,m) = 1}
and operation is multiplication mod m
yields a group
– We name this group Zm*
– We won’t prove this (though not too hard)
– If m is prime, we recover our first theorem
Examples of Zm*
• Let m = 15
– What elements are in Z15*?
• {1,2,4,7,8,11,13,14}
– What is 2-1 in Z15*?
• First you should check that 2 ∈ Z15*
• It is since (2,15) = 1
– Trial and error:
• 1, 2, 4, 7, 8 X
– There is a more efficient way to do this called
“Euclid’s Extended Algorithm”
• Trust me
Euler’s Phi Function
• Definition: The number of elements of a group G
is called the order of G and is written |G|
– For infinite groups we say |G| = 1
– All groups we deal with in cryptography are finite
• Definition: The number of integers i < m such
that (i,m) = 1 is denoted (m) and is called the
“Euler Phi Function”
– Note that |Zm*| = (m)
– This follows immediately from the definition of ()
Evaluating the Phi Function
• What is (p) if p is prime?
– p-1
• What is (pq) if p and q are distinct
primes?
– If p, q distinct primes, (pq) = (p)(q)
– Not true if p=q
– We won’t prove this, though it’s not hard
Examples
• What is (3)?
– |Z3*| = |{1,2}| = 2
• What is (5)?
• What is (15)?
– (15) = (3)(5) = 2 x 4 = 8
– Recall, Z15* = {1,2,4,7,8,11,13,14}
LaGrange’s Theorem
• Last bit of math we’ll need for RSA
• Theorem: if G is any finite group of order
n, then ∀ a ∈ G, an = 1
– Examples:
• 6 ∈ Z22, 6+6+…+6, 22 times = 0 mod 22
• 2 ∈ Z15*, 28 = 256 = 1 mod 15
• Consider {0,1}5 under ⊕
– 01011 2 {0,1}5, 0101132 = 0000016 =00000
– It always works (proof requires some work)
Basic RSA Cryptosystem
• Basic Setup:
– Alice and Bob do not share a key to start with
– Alice will be the sender, Bob the receiver
• Reverse what follows for Bob to reply
– Bob first does key generation
• He goes off in a corner and computes two keys
• One key is pk, the “public key”
• Other key is sk, the “secret key” or “private key”
– After this, Alice can encrypt with pk and Bob
decrypts with sk