Cryptography is the underpinning of digital security. Get introduced to the building blocks of crypto, how they’re applied to secure web connections and bitcoin, and how cryptosystems are attacked in the wild. (Source: RSA USA 2016-San Francisco)

1. SESSION ID:
Crypto 101:
Encryption, Codebreaking,
SSL and Bitcoin
BAS-M06
Benjamin
HVF Labs
@BenjaminJun
Some material adapted from Ivan Ristic, Qualys (RSAC 2011)

2. `
2
Crypto 101
Cryptography is the art and science of keeping
messages secure.
Cryptography building blocks
Cryptographic protocols
SSL / TLS
Bitcoin
Attacks on cryptography

3. `
3
Security si-ˈkyu̇r-ə-tē
Cryptography terms
Confidentiality
Integrity
Authentication
Access control
Non-repudiation
the state of being free
from danger or threat
Other Criteria
Interoperability
Performance
Usability

4. `
#RSAC
Crypto Building Blocks

5. `
5
Encryption
Obfuscation that is fast when you know the secrets, but
impossible or slow when you don’t.
Scytale
300BC
Image credit: Luringen, Sobebunny, R Boo
Enigma Machine
1920s
Jefferson Wheel (M94)
1900s

6. `
6
Symmetric encryption
Use shared key to encrypt/decrypt
Algorithm does not need to be secret
Key must be agreed and communicated in advance
Convenient and fast
Examples: RC4, 3DES, AES

7. `
Asymmetric encryption
Two related keys: one private, one public
Anyone with the public key can encrypt the message
Only the private key holder can decrypt message
Enables encryption, key exchange, and authentication
Examples: RSA, Diffie-Hellman, ElGamal, DSA, Elliptic curve (ECDH /
ECDSA)
Significantly slower than symmetric encryption

8. `
8
Authentication
Confirm data integrity and message origin
Mark of the Fisherman
(1200AD)
British Museum, flikr:favoritethings
Egyptian signet ring
(500BC)
US nuclear “football”
(present day)
On death, Cardinal
Camerlengo to destroy
Keys roll at noon on
inauguration day

9. `
9
Digital signatures
Asymmetric cryptography can authenticate messages
Only the private key holder can generate a signature
Anyone with the public key can validate the signature
Signatures protect digital certificates from modification or forgery
sign verifySigned
documen
t

10. `
10
Digital certificates
Digital ID can include public/private keypair
Digital certificate conveys identity
Credential holder info (name, address, etc.)
Identity’s public key
Validity period
Digital signature of Certificate Authority (CA)
Authentication has 3 steps
CA signature confirms data is authentic, vouched for
Do we approve of data in the certificate?
Identity keypair validated to confirm ID holder has the private key

11. `
11
Randomness matters
Random numbers at heart of crypto
Used for key generation
Weak keys = weak encryption
Random number generators
True random (TRNG) – truly random
Pseudorandom (PRNG) – look
random
PRNGs fine if properly seeded,
properly designed 60
“elliptic curve discrete logarithm problem” (ECDLP): given points P and Q on an ellipt
curve of order n, find a such that Q aP.
Dual_EC_DRBG uses an initial seed that is 2 * security_strength bits in length to initia
the generation of outlen-bit pseudorandom strings by performing scalar multiplications
two points in an elliptic curve group, where the curve is defined over a field approxima
2m
in size. For all the NIST curves given in this Recommendation, m is at least twice th
security_strength, and never less than 256. Throughout this DRBG mechanism
specification, m will be referred to as seedlen; the term “seedlen” is appropriate because
the internal state of Dual_EC_DRBG is used as a “seed” for the random block it produ
Figure 13 depicts the Dual_EC_DRBG.
The instantiation of this DRBG mechanism requires the selection of an appropriate ellip
curve and curve points specified in Appendix A.1 for the desired security strength. The
seed used to determine the initial value (s) of the DRBG mechanism shall have at least
security_strength bits of entropy. Further requirements for the seed are provided in Sect
8.6. This DRBG mechanism uses the derivation function specified in Section 10.4.1 dur
instantiation and reseeding.
The maximum security strength that can be supported by the Dual_EC_DRBG is the
security strength of the curve used; the security strengths for the curves are provided in
800-57].
seed
0
Instant. or
reseed only
+
(x (t*P)) (x (s*Q))
t
P Q
s r
If additional input = Null
Extract
Bits
Pseudorandom
Bits
[Optional]
additional input
Figure 13: Dual_EC_DRBG
77
Appendix A: (Normative) Application-Specific Constants
A.1 Constants for the Dual_EC_DRBG
The Dual_EC_DRBG requires the specifications of an elliptic curve and two points on the
elliptic curve. One of the following NIST approved curves with associated points shall be
used in applications requiring certification under [FIPS 140]. More details about these
curves may be found in [FIPS 186]. If alternative points are desired, they shall be
generated as specified in Appendix A.2.
Each of following curves is given by the equation:
y2
= x3
- 3x + b (mod p)
Notation:
p - Order of the field Fp , given in decimal
n - Order of the Elliptic Curve Group, in decimal .
a – (-3) in the above equation
b - Coefficient above
The x and y coordinates of the base point, i.e., generator G, are the same as for the point P.
A.1.1 Curve P-256
p = 11579208921035624876269744694940757353008614
3415290314195533631308867097853951
n = 11579208921035624876269744694940757352999695
5224135760342422259061068512044369
b = 5ac635d8 aa3a93e7 b3ebbd55 769886bc 651d06b0 cc53b0f6 3bce3c3e
27d2604b
Px = 6b17d1f2 e12c4247 f8bce6e5 63a440f2 77037d81 2deb33a0
f4a13945 d898c296
Py = 4fe342e2 fe1a7f9b 8ee7eb4a 7c0f9e16 2bce3357 6b315ece
cbb64068 37bf51f5
Qx = c97445f4 5cdef9f0 d3e05e1e 585fc297 235b82b5 be8ff3ef
ca67c598 52018192
Qy = b28ef557 ba31dfcb dd21ac46 e2a91e3c 304f44cb 87058ada
2cb81515 1e610046
NIST SP800-90A: Dual EC
DRBG with NIST NSA*
constants
* NYT Snowden memos, September 2013
(don’t use these)

12. `
12
Hash functions
One-way transformation to
generate data fingerprints for:
Digital signatures
Integrity validation
Tokenization (e.g., storing passwords)
Examples
MD5 considered broken
SHA-1 (160) some concerns
SHA-2 (256) ok
Keccak and SHA-3
SHA2 (SHA-256) compression function
◆
Desirable qualities
Preimage resistance (one-wayness
Collision resistance and birthday

13. `
13
Stay humble
Don’t roll your own crypto
Failure modes subtle, catastrophic
Standard crypto has been strongly vetted
Avoid unnecessary complexity
System only as strong as its weakest link
Complexity = more stuff to go wrong
Never rely on obscurity
“If I can barely understand it, then it must be strong!”
Kerckhoffs's principle: only the key should be secure
Auguste Kerckhoffs (1835-1903)

14. `
#RSAC
Putting It All Together
- SSL / TLS
- Bitcoin

15. `
15
TLS
Transport Layer Security
World’s most widely used cryptographic protocol
From Netscape SSL3 (Kocher, 1995)
Security requirements
Securely connect with someone you have never met
Data privacy, data integrity, no site impersonation, no
man-in-middle

16. `
16
Getting to https
1. Webserver provides digital
certificate to browser
• “Amazon.com’s passport”
2. TLS layer + browser
“authenticates passport”
• Confirms data fields in cert
• Confirms digital signature
3. TLS layer confirms that
webserver holds private key
• Sends encrypted data that can only
be decrypted w/private key
Cert. Authority signature
Amazon public RSA key
Amazon info
Certificate Authority info

17. `
17
TLS: Connection
TLS 1.2 protocol for
secure socket &
session mgmt
Certificate
check passed!
AES_128_GCM for bulk data
• Symmetric crypto
• AES128 block cipher (privacy)
• Galois authentication
(integrity)
ECDHE_RSA for key
exchange
• Asymmetric crypto
• Confidentiality: Elliptic curve
Diffie-Hellman
• Authentication: RSA2048
• “Perfect forward secrecy”

18. `
18
Bitcoin (1/2)
Peer-to-peer, decentralized
currency
Not underwritten by any entity
“Satoshi Nakamoto” paper (2008)
180K transactions/day (Jan
‘16)
$6.5B in circulation (Jan ’16)
(US M0 Supply: $4,007B, Nov ‘15)
Diagrams from blockchain.info
Bitcoin: A Peer-to-Peer Electronic Cash System
Satoshi Nakamoto
satoshin@gmx.com
www.bitcoin.org
Abstract. A purely peer-to-peer version of electronic cash would allow online
payments to be sent directly from one party to another without going through a
financial institution. Digital signatures provide part of the solution, but the main
benefits are lost if a trusted third party is still required to prevent double-spending.
We propose a solution to the double-spending problem using a peer-to-peer network.
The network timestamps transactions by hashing them into an ongoing chain of
hash-based proof-of-work, forming a record that cannot be changed without redoing
the proof-of-work. The longest chain not only serves as proof of the sequence of
events witnessed, but proof that it came from the largest pool of CPU power. As
long as a majority of CPU power is controlled by nodes that are not cooperating to
attack the network, they'll generate the longest chain and outpace attackers. The
network itself requires minimal structure. Messages are broadcast on a best effort
basis, and nodes can leave and rejoin the network at will, accepting the longest
proof-of-work chain as proof of what happened while they were gone.
1. Introduction
Commerce on the Internet has come to rely almost exclusively on financial institutions serving as
trusted third parties to process electronic payments. While the system works well enough for
most transactions, it still suffers from the inherent weaknesses of the trust based model.
Completely non-reversible transactions are not really possible, since financial institutions cannot
avoid mediating disputes. The cost of mediation increases transaction costs, limiting the
minimum practical transaction size and cutting off the possibility for small casual transactions,
and there is a broader cost in the loss of ability to make non-reversible payments for non-
reversible services. With the possibility of reversal, the need for trust spreads. Merchants must
be wary of their customers, hassling them for more information than they would otherwise need.
A certain percentage of fraud is accepted as unavoidable. These costs and payment uncertainties
can be avoided in person by using physical currency, but no mechanism exists to make payments
over a communications channel without a trusted party.
What is needed is an electronic payment system based on cryptographic proof instead of trust,
allowing any two willing parties to transact directly with each other without the need for a trusted
third party. Transactions that are computationally impractical to reverse would protect sellers
from fraud, and routine escrow mechanisms could easily be implemented to protect buyers. In

19. `
19
Bitcoin (2/2)
Characteristic What happens Cryptography
Value creation
Mined by searching for magic
values KWh —> BTC!
Proof-of-work method uses
SHA-256 hash function
Coin transfers Digital signatures ECDSA digital signature
Recordkeeping
(no double-
spending)
Distributed ledger with financial
incentive for a “single view”
Block chain uses SHA-256
hash function
Backing entity NONE!
Everything regulated by
market forces + math!
Great technical resource: Bitcoin Developer Reference by Krzysztof Okupski

20. `
#RSAC
Attacks on Cryptography

21. `
21
Brute force
DES Keysearch Machine, 1998
Tests 90 billion keys/sec, average
time to crack 56-bit DES: 5 days
(Cryptography Research, AWT, EFF)
US Navy Bombe, 1943
Contains 16 four-rotor Enigma
equivalents to perform exhaustive
key search.

22. `
22
Cryptanalysis
HDCP = “High bandwidth Digital Copy
Protection”
Protects digital content, interoperability
Fast, offline, any-to-any negotiation
Encryption and authentication
“Clever” key management
No one device contains global secret
HDCP master key published (2010)
Unlicensed implementations cannot
be revoked
A Cryptanalysis of the High-bandwidth
Digital Content Protection System
(Crosby, Goldberg, Johnson, Song, Wagner)
image from www.hdmi.org
But keys from
~40 devices can
reveal the master
key

23. `
23
Implementation: Side Channel (1/2)
Simple EM attack with radio at distance of 10 feet
Devices
Antennas
Receiver ($350)
Digitizer,
GNU Radio peripheral
($1000)
Signal Processing
(demodulation, filtering)
Images from Cryptography Research

24. `
24
Implementation: Side Channel (2/2)
Focus on Mpdp mod p calculation (Mqdq mod q similar)
For each bit i of secret dp
perform “Square”
if (bit i == 1)
perform “Multiply”
endif
endfor
SM S S S S S S S SM S SM SM S S S SM SM S S S S S S S S S
Images from Cryptography Research

25. `
25
Crypto necessary, but not sufficient
Game King poker (2014)
Bug allows user to adjust bet
after hand played
Siemens Simatic S7-315
Target of Stuxnet
Operation Olympic Games
http://www.wired.com/2014/10/cheating-video-poker/

26. `
#RSAC
Learn More!

27. `
27
Resources
Understanding Cryptography
Christof Paar and Jan Pelzl
(Springer, 2009)
Cryptography online course
Dan Boneh, Stanford University
Dan$Boneh$
Genera7ng$keys:$a$toy$protocol$
Alice$wants$a$shared$key$with$Bob.$$$$$Eavesdropping$security$only.$
$
Bob#(kB) $ $Alice#(kA) $ $ $ $TTP#
7cket$
kAB## kAB##
“Alice$wants$key$with$Bob”$
(E,D)$a$CPANsecure$cipher$
choose$$
random$kAB$
Dan$Boneh$
Insecure$against$manNinNtheNmiddle$
As$described,$the$protocol$is$insecure$against$acJve$aFacks$
Alice# Bob#MiTM#

28. `
28
How to apply what you have learned
In the first three months:
Identify where cryptography is used in your organization
Identify infrastructure required (key management, certificates)
Within six months:
Know what crypto can do. Explain the different security
properties.
Know what crypto can’t do. Understand basic implementation
security issues.

29. `
29
@BenjaminJun
Friday March 4, 10:10am
Our Road Ahead: Today’s Tech Developments,
Tomorrow’s Security Challenges
Fireside chat with Benjamin Jun and Hugh Thompson
Industry Experts EXP-F02
Questions?