1. 1CryptographyOverviewSymmetric Key CryptographyPublic Key CryptographyMessage integrity and digital signaturesReferences:StallingsKurose and RossNetwork Security: Private Communication in a PublicWorld, Kaufman, Perlman, Speciner
2. 2Cryptography issuesConfidentiality: only sender, intendedreceiver should “understand” messagecontentssender encrypts messagereceiver decrypts messageEnd-Point Authentication: sender, receiverwant to confirm identity of each otherMessage Integrity: sender, receiver want toensure message not altered (in transit, orafterwards) without detection
3. 3Friends and enemies: Alice, Bob, Trudywell-known in network security worldBob, Alice (lovers!) want to communicate “securely”Trudy (intruder) may intercept, delete, add messagessecuresendersecurereceiverchannel data, controlmessagesdata dataAlice BobTrudy
4. 4Who might Bob, Alice be?… well, real-life Bobs and Alices!Web browser/server for electronictransactions (e.g., on-line purchases)on-line banking client/serverDNS serversrouters exchanging routing table updates
5. 5The language of cryptographym plaintext messageKA(m) ciphertext, encrypted with key KAm = KB(KA(m))plaintext plaintextciphertextKAencryptionalgorithmdecryptionalgorithmAlice’sencryptionkeyBob’sdecryptionkeyKB
6. 6Simple encryption schemesubstitution cipher: substituting one thing for anothermonoalphabetic cipher: substitute one letter for anotherplaintext: abcdefghijklmnopqrstuvwxyzciphertext: mnbvcxzasdfghjklpoiuytrewqPlaintext: bob. i love you. aliceciphertext: nkn. s gktc wky. mgsbcE.g.:Key: the mapping from the set of 26 letters to theset of 26 letters
7. 7Polyalphabetic encryptionn monoalphabetic cyphers, M1,M2,…,MnCycling pattern:e.g., n=4, M1,M3,M4,M3,M2; M1,M3,M4,M3,M2;For each new plaintext symbol, usesubsequent monoalphabetic pattern incyclic patterndog: d from M1, o from M3, g from M4Key: the n ciphers and the cyclic pattern
8. 8Breaking an encryption schemeCipher-text onlyattack: Trudy hasciphertext that shecan analyzeTwo approaches:Search through allkeys: must be able todifferentiate resultingplaintext fromgibberishStatistical analysisKnown-plaintext attack:trudy has some plaintextcorresponding to someciphertexteg, in monoalphabeticcipher, trudy determinespairings for a,l,i,c,e,b,o,Chosen-plaintext attack:trudy can get thecyphertext for somechosen plaintext
9. 9Types of CryptographyCrypto often uses keys:Algorithm is known to everyoneOnly “keys” are secretPublic key cryptographyInvolves the use of two keysSymmetric key cryptographyInvolves the use one keyHash functionsInvolves the use of no keysNothing secret: How can this be useful?
10. 10CryptographyOverviewSymmetric Key CryptographyPublic Key CryptographyMessage integrity and digital signaturesReferences:StallingsKurose and RossNetwork Security: Private Communication in a PublicWorld, Kaufman, Perlman, Speciner
11. 11Symmetric key cryptographysymmetric key crypto: Bob and Alice share same(symmetric) key: Ke.g., key is knowing substitution pattern in monoalphabetic substitution cipherQ: how do Bob and Alice agree on key value?plaintextciphertextK SencryptionalgorithmdecryptionalgorithmSK Splaintextmessage, mK (m)Sm = KS(KS(m))
12. 12Two types of symmetric ciphersStream ciphersencrypt one bit at timeBlock ciphersBreak plaintext message in equal-size blocksEncrypt each block as a unit
13. 13Stream CiphersCombine each bit of keystream with bit ofplaintext to get bit of ciphertextm(i) = ith bit of messageks(i) = ith bit of keystreamc(i) = ith bit of ciphertextc(i) = ks(i) ⊕ m(i) (⊕ = exclusive or)m(i) = ks(i) ⊕ c(i)keystreamgeneratorkey keystreampseudo random
14. 14Problems with stream ciphersKnown plain-text attackThere’s often predictableand repetitive data incommunication messagesattacker receives somecipher text c and correctlyguesses correspondingplaintext mks = m ⊕ cAttacker now observes c’,obtained with samesequence ksm’ = ks ⊕ c’Even easierAttacker obtains twociphertexts, c and c’,generating with same keysequencec ⊕ c’ = m ⊕ m’There are well knownmethods for decrypting 2plaintexts given their XORIntegrity problem toosuppose attacker knows cand m (eg, plaintext attack);wants to change m to m’calculates c’ = c ⊕ (m ⊕ m’)sends c’ to destination
15. 15RC4 Stream CipherRC4 is a popular stream cipherExtensively analyzed and considered goodKey can be from 1 to 256 bytesUsed in WEP for 802.11Can be used in SSL
16. 16Block ciphersMessage to be encrypted is processed inblocks of k bits (e.g., 64-bit blocks).1-to-1 mapping is used to map k-bit block ofplaintext to k-bit block of ciphertextExample with k=3:input output000 110001 111010 101011 100input output100 011101 010110 000111 001What is the ciphertext for 010110001111 ?
17. 17Block ciphersHow many possible mappings are there fork=3?How many 3-bit inputs?How many permutations of the 3-bit inputs?Answer: 40,320 ; not very many!In general, 2k! mappings; huge for k=64Problem:Table approach requires table with 264entries,each entry with 64 bitsTable too big: instead use function thatsimulates a randomly permuted table
19. 19Why rounds in prototpe?If only a single round, then one bit of inputaffects at most 8 bits of output.In 2ndround, the 8 affected bits getscattered and inputted into multiplesubstitution boxes.How many rounds?How many times do you need to shuffle cardsBecomes less efficient as n increases
20. 20Encrypting a large messageWhy not just break message in 64-bitblocks, encrypt each block separately?If same block of plaintext appears twice, willgive same cyphertext.How about:Generate random 64-bit number r(i) for eachplaintext block m(i)Calculate c(i) = KS( m(i) ⊕ r(i) )Transmit c(i), r(i), i=1,2,…At receiver: m(i) = KS(c(i)) ⊕ r(i)Problem: inefficient, need to send c(i) and r(i)
21. 21Cipher Block Chaining (CBC)CBC generates its own random numbersHave encryption of current block depend on result ofprevious blockc(i) = KS( m(i) ⊕ c(i-1) )m(i) = KS( c(i)) ⊕ c(i-1)How do we encrypt first block?Initialization vector (IV): random block = c(0)IV does not have to be secretChange IV for each message (or session)Guarantees that even if the same message is sentrepeatedly, the ciphertext will be completely differenteach time
22. 22Symmetric key crypto: DESDES: Data Encryption StandardUS encryption standard [NIST 1993]56-bit symmetric key, 64-bit plaintext inputBlock cipher with cipher block chainingHow secure is DES?DES Challenge: 56-bit-key-encrypted phrasedecrypted (brute force) in less than a dayNo known good analytic attackmaking DES more secure:3DES: encrypt 3 times with 3 different keys(actually encrypt, decrypt, encrypt)
23. 23Symmetric keycrypto: DESinitial permutation16 identical “rounds” offunction application,each using different48 bits of keyfinal permutationDES operation
24. 24AES: Advanced Encryption Standardnew (Nov. 2001) symmetric-key NISTstandard, replacing DESprocesses data in 128 bit blocks128, 192, or 256 bit keysbrute force decryption (try each key)taking 1 sec on DES, takes 149 trillionyears for AES
25. 25CryptographyOverviewSymmetric Key CryptographyPublic Key CryptographyMessage integrity and digital signaturesReferences:StallingsKurose and RossNetwork Security: Private Communication in a PublicWorld, Kaufman, Perlman, Speciner
26. 26Public Key Cryptographysymmetric key cryptorequires sender,receiver know sharedsecret keyQ: how to agree on keyin first place(particularly if never“met”)?public key cryptographyradically differentapproach [Diffie-Hellman76, RSA78]sender, receiver donot share secret keypublic encryption keyknown to allprivate decryptionkey known only toreceiver
28. 28Public key encryption algorithmsneed K ( ) and K ( ) such thatB B. .given public key K , it should beimpossible to compute privatekey K BBRequirements:12RSA: Rivest, Shamir, Adelson algorithm+ -K (K (m)) = mBB- ++-
29. 29Prerequisite: modular arithmeticx mod n = remainder of x when divide by nFacts:[(a mod n) + (b mod n)] mod n = (a+b) mod n[(a mod n) - (b mod n)] mod n = (a-b) mod n[(a mod n) * (b mod n)] mod n = (a*b) mod nThus(a mod n)dmod n = admod nExample: x=14, n=10, d=2:(x mod n)dmod n = 42mod 10 = 6xd= 142= 196 xdmod 10 = 6
30. 30RSA: getting readyA message is a bit pattern.A bit pattern can be uniquely represented by aninteger number.Thus encrypting a message is equivalent toencrypting a number.Examplem= 10010001 . This message is uniquelyrepresented by the decimal number 145.To encrypt m, we encrypt the correspondingnumber, which gives a new number (thecyphertext).
31. 31RSA: Creating public/private keypair1. Choose two large prime numbers p, q.(e.g., 1024 bits each)2. Compute n = pq, z = (p-1)(q-1)3. Choose e (with e<n) that has no common factorswith z. (e, z are “relatively prime”).4. Choose d such that ed-1 is exactly divisible by z.(in other words: ed mod z = 1 ).5. Public key is (n,e). Private key is (n,d).KB+KB-
32. 32RSA: Encryption, decryption0. Given (n,e) and (n,d) as computed above1. To encrypt message m (<n), computec = m mod ne2. To decrypt received bit pattern, c, computem = c mod ndm = (m mod n)e mod ndMagichappens!c
33. 33RSA example:Bob chooses p=5, q=7. Then n=35, z=24.e=5 (so e, z relatively prime).d=29 (so ed-1 exactly divisible by z).bit pattern m me c = m mod ne0000l000 12 24832 17c m = c mod nd17 481968572106750915091411825223071697 12cdencrypt:decrypt:Encrypting 8-bit messages.
34. 34Why does RSA work?Must show that cdmod n = mwhere c = memod nFact: for any x and y: xymod n = x(y mod z)mod nwhere n= pq and z = (p-1)(q-1)Thus,cdmod n = (memod n)dmod n= medmod n= m(ed mod z)mod n= m1mod n= m
35. 35RSA: another important propertyThe following property will be very useful later:K (K (m)) = mBB- +K (K (m))BB+ -=use public keyfirst, followedby private keyuse private keyfirst, followedby public keyResult is the same!
36. 36Follows directly from modular arithmetic:(memod n)dmod n = medmod n= mdemod n= (mdmod n)emod nK (K (m)) = mBB- +K (K (m))BB+ -=Why ?
37. 37Why is RSA Secure?Suppose you know Bob’s public key (n,e).How hard is it to determine d?Essentially need to find factors of nwithout knowing the two factors p and q.Fact: factoring a big number is hard.Generating RSA keysHave to find big primes p and qApproach: make good guess then applytesting rules (see Kaufman)
38. 38Session keysExponentiation is computationally intensiveDES is at least 100 times faster than RSASession key, KSBob and Alice use RSA to exchange asymmetric key KSOnce both have KS, they use symmetric keycryptography
39. 39Diffie-HellmanAllows two entities to agree on shared key.But does not provide encryptionp is a large prime; g is a number less than p.p and g are made publicAlice and Bob each separately choose 512-bit random numbers, SA and SB.the private keysAlice and Bob compute public keys:TA = gSA mod p ; TB = gSB mod p ;
40. 40Diffie-Helman (2)Alice and Bob exchange TA and TB in the clearAlice computes (TB)SA mod pBob computes (TA)SB mod pshared secret:S = (TB)SA mod p = = gSASB mod p = (TA)SB mod pEven though Trudy might sniff TB and TA, Trudycannot easily determine S.Problem: Man-in-the-middle attack:Alice doesn’t know for sure that TB came from Bob;may be Trudy insteadSee Kaufman et al for solutions
41. 41Diffie-Hellman: Toy Examplep = 11 and g = 5Private keys: SA = 3 and SB = 4Public keys:TA = gSA mod p = 53mod 11 = 125 mod 11 = 4TB = gSB mod p = 54mod 11 = 625 mod 11 = 9Exchange public keys & compute shared secret:(TB)SA mod p = 93mod 11 = 729 mod 11 = 3(TA)SB mod p = 44mod 11 = 256 mod 11 = 3Shared secret:3 = symmetric key
42. 42CryptographyOverviewSymmetric Key CryptographyPublic Key CryptographyMessage integrity and digital signaturesReferences:StallingsKurose and RossNetwork Security: Private Communication in a PublicWorld, Kaufman, Perlman, Speciner
43. 43Message IntegrityAllows communicating parties to verify thatreceived messages are authentic.Content of message has not been alteredSource of message is who/what you think it isMessage has not been artificially delayed(playback attack)Sequence of messages is maintainedLet’s first talk about message digests
44. 44Message DigestsFunction H( ) that takes asinput an arbitrary lengthmessage and outputs afixed-length string:“message signature”Note that H( ) is a many-to-1 functionH( ) is often called a “hashfunction”Desirable properties:Easy to calculateIrreversibility: Can’tdetermine m from H(m)Collision resistance:Computationally difficultto produce m and m’ suchthat H(m) = H(m’)Seemingly random outputlargemessagemH: HashFunctionH(m)
45. 45Internet checksum: poor messagedigestInternet checksum has some properties of hash function:produces fixed length digest (16-bit sum) of inputis many-to-oneBut given message with given hash value, it is easy to find anothermessage with same hash value.Example: Simplified checksum: add 4-byte chunks at a time:I O U 10 0 . 99 B O B49 4F 55 3130 30 2E 3939 42 D2 42message ASCII formatB2 C1 D2 ACI O U 90 0 . 19 B O B49 4F 55 3930 30 2E 3139 42 D2 42message ASCII formatB2 C1 D2 ACdifferent messagesbut identical checksums!
46. 46Hash Function AlgorithmsMD5 hash function widely used (RFC 1321)computes 128-bit message digest in 4-stepprocess.SHA-1 is also used.US standard [NIST, FIPS PUB 180-1]160-bit message digest
48. 48HMACPopular MAC standardAddresses some subtle security flaws1. Concatenates secret to front of message.2. Hashes concatenated message3. Concatenates the secret to front ofdigest4. Hashes the combination again.
49. 49Example: OSPFRecall that OSPF is anintra-AS routingprotocolEach router createsmap of entire AS (orarea) and runsshortest pathalgorithm over map.Router receives link-state advertisements(LSAs) from all otherrouters in AS.Attacks:Message insertionMessage deletionMessage modificationHow do we know if anOSPF message isauthentic?
50. 50OSPF AuthenticationWithin an AutonomousSystem, routers sendOSPF messages toeach other.OSPF providesauthentication choicesNo authenticationShared password:inserted in clear in 64-bit authentication fieldin OSPF packetCryptographic hashCryptographic hashwith MD564-bit authenticationfield includes 32-bitsequence numberMD5 is run over aconcatenation of theOSPF packet andshared secret keyMD5 hash thenappended to OSPFpacket; encapsulated inIP datagram
51. End-point authenticationWant to be sure of the originator of themessage – end-point authentication.Assuming Alice and Bob have a sharedsecret, will MAC provide messageauthentication.We do know that Alice created the message.But did she send it?51
52. MACTransfer $1Mfrom Bill to TrudyMACTransfer $1M fromBill to TrudyPlayback attackMAC =f(msg,s)
53. “I am Alice”RMACTransfer $1Mfrom Bill to SusanMAC =f(msg,s,R)Defending against playbackattack: nonce
54. 54Digital SignaturesCryptographic technique analogous to hand-written signatures.sender (Bob) digitally signs document,establishing he is document owner/creator.Goal is similar to that of a MAC, except now usepublic-key cryptographyverifiable, nonforgeable: recipient (Alice) canprove to someone that Bob, and no one else(including Alice), must have signed document
55. 55Digital SignaturesSimple digital signature for message m:Bob signs m by encrypting with his private keyKB, creating “signed” message, KB(m)--Dear AliceOh, how I have missedyou. I think of you all thetime! …(blah blah blah)BobBob’s message, mPublic keyencryptionalgorithmBob’s privatekeyKB-Bob’s message,m, signed(encrypted) withhis private keyKB-(m)
57. 57Digital Signatures (more)Suppose Alice receives msg m, digital signature KB(m)Alice verifies m signed by Bob by applying Bob’spublic key KB to KB(m) then checks KB(KB(m) ) = m.If KB(KB(m) ) = m, whoever signed m must have usedBob’s private key.+ +--- -+Alice thus verifies that:Bob signed m.No one else signed m.Bob signed m and not m’.Non-repudiation: Alice can take m, and signature KB(m) tocourt and prove that Bob signed m.-
58. 58Public-key certificationMotivation: Trudy plays pizza prank on BobTrudy creates e-mail order:Dear Pizza Store, Please deliver to me fourpepperoni pizzas. Thank you, BobTrudy signs order with her private keyTrudy sends order to Pizza StoreTrudy sends to Pizza Store her public key, butsays it’s Bob’s public key.Pizza Store verifies signature; then deliversfour pizzas to Bob.Bob doesn’t even like Pepperoni
59. 59Certification AuthoritiesCertification authority (CA): binds public key toparticular entity, E.E (person, router) registers its public key with CA.E provides “proof of identity” to CA.CA creates certificate binding E to its public key.certificate containing E’s public key digitally signed by CA– CA says “this is E’s public key”Bob’spublickey KB+Bob’sidentifyinginformationdigitalsignature(encrypt)CAprivatekeyKCA-KB+certificate forBob’s public key,signed by CA
60. 60Certification AuthoritiesWhen Alice wants Bob’s public key:gets Bob’s certificate (Bob or elsewhere).apply CA’s public key to Bob’s certificate, getBob’s public keyBob’spublickeyKB+digitalsignature(decrypt)CApublickeyKCA+KB+
61. 61Certificates: summaryPrimary standard X.509 (RFC 2459)Certificate contains:Issuer nameEntity name, address, domain name, etc.Entity’s public keyDigital signature (signed with issuer’s privatekey)Public-Key Infrastructure (PKI)Certificates and certification authoritiesOften considered “heavy”
62. 62CryptographyOverviewSymmetric Key CryptographyPublic Key CryptographyMessage integrity and digital signaturesReferences:StallingsKurose and RossNetwork Security: Private Communication in a PublicWorld, Kaufman, Perlman, Speciner