Crypto 101
Laurens Van Houtven (lvh)

Copyright 2013-2014, Laurens Van Houtven

This book is made possible by your donations. If you enjoyed it, please consider making a donation, so it can be made even better and reach even more people.

This work is available under the Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0) license. You can find the full text of the license at https://creativecommons.org/licenses/by-nc/4.0/.

The following is a human-readable summary of (and not a substitute for) the license.

You can:
• Share: copy and redistribute the material in any medium or format
• Adapt: remix, transform, and build upon the material

The licensor cannot revoke these freedoms as long as you follow the license terms:
• Attribution: you must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
• NonCommercial: you may not use the material for commercial purposes.
• No additional restrictions: you may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.

You do not have to comply with the license for elements of the material in the public domain or where your use is permitted by an applicable exception or limitation.

No warranties are given. The license may not give you all of the permissions necessary for your intended use. For example, other rights such as publicity, privacy, or moral rights may limit how you use the material.

Pomidorkowi

Contents

Part I: Foreword  10
  1  About this book  11
  2  Advanced sections  13
  3  Development  14
  4  Acknowledgments  15

Part II: Building blocks  17
  5  Exclusive or  18
    5.1  Description  18
    5.2  A few properties of XOR  19
    5.3  Bitwise XOR  20
    5.4  One-time pads  21
    5.5  Attacks on "one-time pads"  23
    5.6  Remaining problems  29
  6  Block ciphers  30
    6.1  Description  30
    6.2  AES  34
    6.3  DES and 3DES  38
    6.4  Remaining problems  41
  7  Stream ciphers  42
    7.1  Description  42
    7.2  A naive attempt with block ciphers  42
    7.3  Block cipher modes of operation  50
    7.4  CBC mode  50
    7.5  Attacks on CBC mode with predictable IVs  52
    7.6  Attacks on CBC mode with the key as the IV  54
    7.7  CBC bit flipping attacks  56
    7.8  Padding  59
    7.9  CBC padding attacks  60
    7.10  Native stream ciphers  68
    7.11  RC4  70
    7.12  Salsa20  80
    7.13  Native stream ciphers versus modes of operation  82
    7.14  CTR mode  82
    7.15  Stream cipher bit flipping attacks  84
    7.16  Authenticating modes of operation  85
    7.17  Remaining problems  85
  8  Key exchange  86
    8.1  Description  86
    8.2  Abstract Diffie-Hellman  87
    8.3  Diffie-Hellman with discrete logarithms  91
    8.4  Diffie-Hellman with elliptic curves  92
    8.5  Remaining problems  94
  9  Public-key encryption  96
    9.1  Description  96
    9.2  Why not use public-key encryption for everything?  97
    9.3  RSA  98
    9.4  Elliptic curve cryptography  104
    9.5  Remaining problem: unauthenticated encryption  104
  10  Hash functions  106
    10.1  Description  106
    10.2  MD5  108
    10.3  SHA-1  108
    10.4  SHA-2  108
    10.5  Keccak and SHA-3  109
    10.6  BLAKE and BLAKE2  109
    10.7  Password storage  109
    10.8  Length extension attacks  114
    10.9  Hash trees  116
    10.10  Remaining issues  116
  11  Message authentication codes  117
    11.1  Description  117
    11.2  Combining MAC and message  120
    11.3  A naive attempt with hash functions  122
    11.4  HMAC  126
    11.5  One-time MACs  128
    11.6  Carter-Wegman MAC  132
    11.7  Authenticated encryption modes  133
    11.8  OCB mode  135
    11.9  GCM mode  138
  12  Signature algorithms  139
    12.1  Description  139
    12.2  RSA-based signatures  140
    12.3  DSA  140
    12.4  ECDSA  145
    12.5  Repudiable authenticators  145
  13  Key derivation functions  147
    13.1  Description  147
    13.2  Password strength  149
    13.3  PBKDF2  149
    13.4  bcrypt  149
    13.5  scrypt  149
    13.6  HKDF  149
  14  Random number generators  154
    14.1  Introduction  154
    14.2  True random number generators  155
    14.3  Cryptographically secure pseudorandom generators  158
    14.4  Yarrow  159
    14.5  Blum Blum Shub  159
    14.6  Dual_EC_DRBG  160
    14.7  Mersenne Twister  168

Part III: Complete cryptosystems  176
  15  SSL and TLS  177
    15.1  Description  177
    15.2  Handshakes  178
    15.3  Certificate authorities  179
    15.4  Self-signed certificates  180
    15.5  Client certificates  180
    15.6  Perfect forward secrecy  181
    15.7  Attacks  182
    15.8  HSTS  186
    15.9  Certificate pinning  188
    15.10  Secure configurations  188
  16  OpenPGP and GPG  190
    16.1  Description  190
    16.2  The web of trust  191
  17  Off-The-Record Messaging (OTR)  194
    17.1  Description  194

Part IV: Appendices  197
  A  Modular arithmetic  198
    A.1  Addition and subtraction  199
    A.2  Prime numbers  201
    A.3  Multiplication  203
    A.4  Division and modular inverses  203
    A.5  Exponentiation  205
    A.6  Exponentiation by squaring  206
    A.7  Montgomery ladder exponentiation  208
    A.8  Discrete logarithm  214
  B  Elliptic curves  217
    B.1  The elliptic curve discrete log problem  219
  C  Side-channel attacks  221
    C.1  Timing attacks  221
    C.2  Power measurement attacks  221

Bibliography  222
Glossary  228
Acronyms  235

Part I
Foreword