06. Cryptography 101

Anyone who tries to create his or her own cryptographic primitive is either a genius or a fool. Given the genius/fool ratio of our species, the odds aren’t very good.

Bruce Schneier

Current Events: Experian

Experian: US credit score service.

Past month:

• Accounts were being hijacked
• Hypothesis: if you create a new account created with an existing user’s account details (e.g. email), you can get access to their details
• Experian denied allegations, even after researchers hacked their own accounts
• Class action lawsuit filed

Principles

Security protocols are more than passwords.

At the core, security protocols are about preventing malicious people from doing bad things.

Security protocols exist outside of software:

• Accessing a building with a card
• Making sure you get the wine you paid for, not some cheap substitute
• Accessing your car or house with a key

Eavesdropping risks:

• Lurked PINs on your credit card/phone
• Amplified then stolen encrypted car key codes
• Vaccine pass QR codes

Simple Authentication Principle

Notation:

Where:

• $T$ is a token
• $G$ is an access gateway (e.g. garage door)
• $N$ is a nonce - a single use, unique number used to prevent replay attacks
• $KT$ is an encryption key
• $\left\{ T, N \right\}_{KT}$ is the encrypted value of $T$ and $N$ with key $K$
• The LHS of the colon denotes communication between entities (sender/receiver)

The nonce is used to prevent replay attacks.

Challenge and Response

Often used by car transponders:

Where:

• $E$ is the engine controller
• $T$ is the car key transponder (e.g. RFID, radio)
• $N$ is a nonce
• $\left\{ T, N \right\}_{K}$ is the encrypted value of $T$ and $N$ with key $K$

Early 2FA

Where:

• $S$ is the server
• $U$ is the user
• $P$ is the password generator
• $N$ is the nonce/random challenge generated by the server
• $\text{PIN}$ is the user’s PIN/password
• $K$ is the key stored on the password generator and server
• $\left\{ N, \text{PIN} \right\}_K$ is the encrypted value of the nonce and PIN with key $K$

Physical 2FA Devices

A physical device is used to generate authentication numbers:

• Chap authentication program (CAP): challenge-response with key and mask
• One time password (OTP): psuedo-random password generated on a device, or via SMS

Generation algorithm (protocol):

• Requires clock synchronization between the device and remote server
• Previous values (i.e. sequence to avoid replay attack) or challenge

Reflection Attack

Adversary finds a legitimate ‘password’ generator and then performs a MITM attack.

Where:

• $S$ is the server
• $U$ is the user
• $A$ is the adversary

Failures

Failures are often in the protocol:

• CAP button overloaded: allowed repeat transactions with amount = 0
  • Attackers could social engineer the code from the users (who believe it is safe), then use the code to perform non-zero amount transactions
• OTP only checked against previous passcode
  • If you had two cards, you could simply switch between them?
• SSL/TLS encrypt data, but endpoints/metadata can leak data
• Key fob cloning (repeat attack):
  • Some car keys would broadcast the same key continuously, allowing an attacker in range of the signal to later replay the same signal to unlock the car
  • Simple solution: use a counter; value must be strictly increasing

Reducing the amount of failures:

• Use the right math for the right purpose
• Ensure encryption keys are kept secret
• Ensure keys can be revoked

General Encryption Principles

Where:

• $P$ is the plain text and $C$ is the encrypted text
• $E$ is the encryption function and $D$ the decryption function
• $K$ is the encryption key and $K'$ is the decryption key

Examples:

• $K = K'$: symmetric keys (e.g. AES)
• $K = F(K')$: particular derived keys (e.g. flashed on micro-controllers)

Cipher Examples

Ceasar Cipher:

• $$\forall P_i: C_i = \left( P_i + K \right)$$
  where $P$ is the plaintext, $K$ is the encryption key and $C$ is the encrypted character
• Weakness: frequency analysis

Vernam cipher:

• Bit-by-bit symmetric encryption with a key $k$ that is as long as the plaintext
• $$\forall c : c_i = m_i \oplus k_i$$
  where $c$ is the encrypted bit and $m$ is the plaintext bit
• Theoretically unbreakable if the keystream is truly random and only used once
  • But does not ensure integrity: attacker can flip bits. If they know the data structure, they may be able to flip specific bits for harmful effects

Playfair block cipher:

• Simple shift-based block cipher
• Frequency analysis can be performed using repeating blocks
• Hence, transformations are applied to the plaintext to prevent repeated blocks

Feistel cipher:

• Ladder structure with multiple rounds applied to each half of the plaintext
• Round function $F(K, P)$ applied to RHS
• Result XORed with LHS
• Swap left and right, then repeat
• Round keys usually derived from one master key

Hash functions and control keys:

• Used to check the integrity of messages
• Initially used with wired telegraph payments using a codebook
• e.g. SHA-1, SHA-256

Key Management

User-defined keys are relatively weak:

• Not enough entropy: key needs to be larger
• Using proof of a common secret: vulnerable to replay attacks
• Public key encryption: how can you trust the public keys you receive?

Public key infrastructure:

• Have a chain of trust, hard-coding trust for one or more root certificates
• Trust models for CAs:
  • Separate domains: one root CA
  • Cross-certification/mesh: each CA issues cross-certificates to each other
    • Cross certification: each CA issues certificate to the other, allowing devices which trust only one of them to trust certificates signed by the other
    • Requires $O(n^2)$ certificates
  • Bridge-CA model: one central bridge CA which cross-certifies with each CA