Non-Repudiation with Public-Key Digital Signatures Works with any public key algorithm with the property  E[D(P)] = P (RSA...
Non-Repudiation  and   Confidentiality with Public-Key Digital Signatures Again, use any public key algorithm with the pro...
Some Problems with Public-Key Digital Signatures <ul><li>If  X  discloses his or her private key (or claims that it was st...
One-Way Functions and Digests <ul><li>Given an algorithm for computing  f(x),  it is  easy  to compute  y = f(x)  for any ...
Digital Signatures with Message Digest (non-repudiation) <ul><li>(a)  D  is the  private key   of the sender </li></ul><ul...
Two Popular Message Digest Algorithms <ul><ul><li>Message Digest (MD5)  (Rivest, 1992) </li></ul></ul><ul><ul><ul><li>Prod...
The Birthday Attack <ul><li>Q: How many people need to be in a room before the probability of having there two people with...
Back to Problems with Public-Key Digital Signatures <ul><li>If  X  discloses his private key (or claims that it was stolen...
Certificates (Public Key Distribution) <ul><li>To use the public key signature scheme, the sender’s public key must be kno...
A Certificate <ul><li>Presumably, your computer has been pre-loaded with the SuperCert public key,  P  so you can always  ...
A Different Use of a Certificate: Binding An Attribute to a Key An important feature: It preserves privacy! I, the SuperCe...
Questions: <ul><li>What are all the possible formats (of attributes and all), and who could possibly manage them? </li></u...
X.509: A standard for certificates <ul><li>Contained in ITU-T Recommendation X.509  </li></ul>
Public Key Infrastructure (PKI) Schematic description RA: Regional Authority CA: Certificate Authority : Chain of trust I,...
More on PKI <ul><li>There are many roots with their own trees. Modern browsers come pre-loaded with over 100 roots known a...
Symmetric Key Distribution: Diffie-Hellman  revisited Problem:   Establish  common  keys (for symmetric cryptography) to b...
The Man-in-the-Middle Attack Establish K 1 Establish K 2
Avoiding a Man in the Middle: Signed  Diffie-Hellman <ul><li>Let  </li></ul><ul><li>p   be a large prime </li></ul><ul><li...
Authentication Protocols <ul><li>Needed for the establishment of sessions (VoIP conversations [streams and signaling], TCP...
Introduction of the Key Players <ul><li>Alice </li></ul>Bob Trudy the Intruder
The General Model <ul><li>Alice starts by sending a message to Bob or to a trusted Key Distribution Center (KDC) </li></ul...
Challenge-Response Protocol (first attempt) Alice Bob A  identity R B  Challenge: A  nonce -- a large random number, not t...
Challenge-Response Protocol (Can we do this faster?) Alice Bob No! An improvement: 3 instead of 5 messages! A, R A R B , K...
The Reflection Attack Trudy Bob K AB (R B  ) First Session A, R T R B , K AB (R T  ) A, R B R B* , K AB (R B  ) Second Ses...
General Rules <ul><li>The initiator has to prove its identity  before  the responder </li></ul><ul><li>The initiator and r...
But was the First Attempt Really Faultless? A K AB (R A  ) Trudy Alice B R A R A K AB (R A  ) R A* R A* K AB (R A*  ) K AB...
A Few Conclusions <ul><li>The authentication protocols are hard… </li></ul><ul><li>In the previous example, again the Rule...
Another Class of Protocols That Work (HMAC) <ul><li>Hashed Message Authentication Code (HMAC),  in general, is the hash (e...
Key Distribution Centers (KDCs) <ul><li>If a process needs to talk to  n  other processes, it will need to share  n  keys....
Authentication with the Key Distribution Center  (First attempt) I want to use the key  K   to talk to Bob A, K A (B, K) K...
The Replay Attack <ul><li>Trudy is working for Alice. She knows that today at noon she will transfer her salary into her b...
Solutions to Replay Attack (for KDC Protocols) <ul><li>Include a timestamp in each message </li></ul><ul><ul><li>Problem :...
The Needham-Schroeder Authentication Protocol (1978) (After A. Tanenbaum) But it still has a weakness (possible replay of ...
The Otway-Rees Authentication Protocol (1987) This protocol fixes the problem with Needham-Shroeder more elegantly than Ne...
A Few Notes on KDC Issues <ul><li>KDCs can support hundreds of clients but not millions (scalability) </li></ul><ul><li>Th...
Authentication with Kerberos <ul><li>Kerberos was designed in MIT, and it is based on a variant of Needham-Shroeder </li><...
The Kerberos Model: Three Servers <ul><li>Authentication Server (AS) </li></ul><ul><ul><li>Authenticates users during the ...
Operation of Kerberos (V4) AS AS At this point,  1) Alice is prompted for a password by the client, and this password is u...
Operation of Kerberos (V4) TGS TGS Now Alice can start talking to the real-work server—Bob  K TGS (A, K S ), B, K S  (t) T...
Operation of Kerberos (V4) Server Server Now Alice can work with Bob, but if she needs to change to another real-work serv...
Kerberos Realms AS TGS Servers One can ask TGS for a ticket to a server in another realm AS TGS Servers
Authentication with Public Key Cryptography: A Naïve “Solution” … R = “I, undersigned Alice, owe Trudy $100,000” or R=encr...
Authentication with Public Key Cryptography PKI Directory Bob’s Public Key? E B E B  (A, R A ) Alice’s Public Key? E A Pro...
Communication Security Overview  Text S/MIME TSL/SSL DNSsec Secure File Systems Mobile code security Firewalls PGP IPsec/V...
Network Security in the Protocol Stack Encrypt the whole session Application-specific protocols Network Layer:  firewalls ...
Two Views in the Internet Camp <ul><li>Security must be end-to-end, and for this reason alone must be implemented in the A...
IP Security Protocol ( IPsec ) <ul><li>IPsec  is a framework for multiple </li></ul><ul><li>Services </li></ul><ul><ul><li...
Security Association (SA) <ul><li>SA is a simplex connection identified by  Security Parameters Index (SPI)  carried by al...
Establishing an SA <ul><li>This involves </li></ul><ul><ul><li>Authenticating both ends </li></ul></ul><ul><ul><li>Establi...
Two Parts of  IPsec <ul><li>The  Internet Security Association and Key Management Protocol (ISAKMP)  deals with establishi...
Transport- and Tunnel Modes <ul><li>Transport mode </li></ul>IP header IPsec  header   IP payload Via the  Protocol  field...
Two (Historical) Headers <ul><li>The  Authentication Header (AH)  deals only with integrity checking but  not  confidentia...
Authentication Header (AH)  (IPv4 Transport Mode) (After A. Tanenbaum) Stores the value that  IP Protocol  field had Numbe...
Encapsulating Security Payload (ESP) Header (After A. Tanenbaum) Transport mode Tunnel Mode 32   bits Security Parameters ...
Virtual Private Networks (VPNs) (After A. Tanenbaum) Before After
Firewalls <ul><li>While  IPsec  protects the data in transit, it does nothing to keep bad bits out </li></ul><ul><li>Firew...
Firewalls (cont.)
What Firewalls Cannot Do <ul><li>Deal with encrypted traffic or examine and restrict graphic (or video or . wav ) content ...
E-Mail Security <ul><li>There are two systems: </li></ul><ul><li>Pretty Good Privacy (PGP) and </li></ul><ul><li>Secure Mu...
PGP <ul><li>Uses International Data Encryption Algorithm (IDEA) with 128-bit keys </li></ul><ul><li>Is a one-man (Phil Zim...
How PGP Works (After A. Tanenbaum) Based on random input from Alice
A PGP Message After A. Tanenbaum
S/MIME <ul><li>Is similar to but more structured than PGP </li></ul><ul><li>Uses triple-DES rather than IDEA </li></ul><ul...
Web Security Issues <ul><li>Secure Naming </li></ul><ul><li>Secure Connections </li></ul><ul><li>Secure mobile code </li><...
Secure Naming: Threats www.bob.com 42.9.9.9 36.1.2.3 DNS Server www.bob.com : 36.1.2.3 42.9.9.9 Poisoned Cache
Secure DNS (DNSsec) <ul><li>All information sent by a DNS server is signed with the originating zone’s private key (proof ...
Secure Sockets Layer (SSL) <ul><li>Was first developed in 1995 by Nestcape and now widely used everywhere  </li></ul><ul><...
Position of the SSL/TSL in the OSI Reference Architecture SSL/TSL Network Layer Physical Layer Link Layer Transport Layer ...
SSL/TSL Connection Establishment Compute session key K S ( E server ,   R client  ,   R Server ) Compute session key K S (...
The Rest of the SSL/TSL Session Unit 1 Unit 1 Unit 2 … Unit  n Unit 1 Compression (if agreed on) ?#@18*99&^%$ Everything i...
Mobile Code <ul><li>Java   applet s,  ActiveX controls , and  JavaScript s present a massive security risk </li></ul><ul><...
Social Issues <ul><li>Privacy </li></ul><ul><li>Freedom of speech </li></ul><ul><li>Copyright </li></ul><ul><li>Covert com...
Privacy <ul><li>The Fourth Amendment to the US Constitution prohibits searching people’s houses, papers, and effects witho...
E-mail privacy (Anonymous Re-mailers) <ul><li>Initially, the anonymous  Type 1  re-mailers   kept the trace of corresponde...
How Re-mailers Work <ul><li>E S   (  To: Bob </li></ul><ul><li>Message  ) </li></ul>To: S.address Public Key E S S From:  ...
Chaining Re-mailers  Public Key E 3 S 3 ) E 3   (  To: Bob Message  ) To: S 3 .address E 2   ( ) E 1   ( To: S 2 .address ...
Re-mailers Protect Anonymity, but… <ul><li>They aid  </li></ul><ul><ul><li>Mail spam  and </li></ul></ul><ul><ul><li>Phish...
Freedom of Speech <ul><li>Censorhip  is its opposite </li></ul><ul><li>Materials that a government may choose to ban from ...
Steganography ( στεγανω γραφ:  covered writing) <ul><li>The color image uses 1024 * 769  picture cells (pixels) </li></ul>...
Steganography <ul><li>http://www.jjtc.com/Security/stegtools. htm </li></ul><ul><li>http://www.spychecker.com/program/stoo...
Steganography Demo M. A. Bulgakov M. A. Bulgakov and an excerpt from a draft of “Master and Margarita”
Copyright <ul><li>Copyright is the granting to the creators of  intellectual property —writers, artists, composers, etc.—t...
Limited Bibliography <ul><li>K. H. Rosen,  Elementary Number Theory and Its Application, 3 rd  Edition, Addison Wesley, 19...
ppt - CEENet HOME Page - Central and Eastern European Networking ...

  1. Fundamentals of Security in Next Generation Networks. Igor Faynberg

  2. Outline
  • Scope and purpose; NGN vs. the Internet
  • Introduction to general network security issues
  • Cryptography, digests, and digital signatures
  • Authentication protocols
  • Communication security with application examples
  • Social issues

  3. Scope and purpose
  • This tutorial is just
    • an introduction into a very large field
    • a description of basic problems and a general review of the existing solutions
  • It should help you decide
    • whether you need to learn more
    • where to look for more information
    • what you need to do yourself and what you can trust others to do for you

  4. Next Generation Networks vs. the Internet
  • The Internet was designed and built by people who wanted a great tool; they had never thought (until 1989) that someone would think up Denial of Service (DoS)
  • The Internet was designed with very few applications in mind (file transfer, e-mail); no one even thought about e-commerce, VoIP, IPTV, etc. at the onset
  • As a result, Internet security was put in reactively and... late
  • NGN must support many new resource-intensive applications in networks that will connect mutually distrusting organizations
  • It takes a small percentage of hostile mischief to do considerable damage
  • Society and its major institutions will depend on NGN security

  5. NGN Subsystem Architecture Overview

  6. Security may mean...
  • Limitation of data disclosure
  • Privacy
  • Anonymous communications
  • Prevention of changing data in transit
  • Law enforcement
    • destruction of pirated content
    • tracking criminals
    • monitoring the enemy's communications

  7. Basic Network Security Issues
  • Confidentiality
    • Keeping information secret from unintended users
  • Authentication
    • Confirming the identity of the presenter of the information
  • Authorization
    • Determining whether a user may be given a resource
  • Non-repudiation
    • The property that no party that has signed a contract can later deny having signed it
  • Integrity
    • Ensuring that the message received is the one that was actually sent
  People had (more or less) learned how to deal with these issues in "normal" life. But how do we deal with them in the e-world?

  8. ITU-T Recommendation X.805 Security Architecture: the foundation of NGN security studies

  9. An example: E-mail...
  • Can you send a message that is truly private?
  • Do you know who really sent you a message?
  • Can you be sure that the message you know was sent to you by a friend was not modified in transit?
  • Can you send a truly anonymous message?

  10. Another example: Buying on-line
  • Can you be sure that the information you are supplying (including your credit card number and code, which proves your possession of the card) does not reach a thief?
  • Can you be really sure that you are paying the real merchant?
  • Can you buy anonymously?
  • Can you deny the payment after receiving the product (i.e., can the merchant prove that you have ordered the product)?
  11. Ensuring Confidentiality, Integrity, and Non-Repudiation: Cryptography
  • The term combines the Greek roots for "secret" and "writing"
  Topics: Ciphers, Certificates, Key Distribution, Symmetric-Key Algorithms, Public-Key Algorithms, Digital Signatures

  12. Ciphers and Codes
  • Cipher: an atom-for-atom (e.g., character-for-character or bit-for-bit) transformation of the plaintext into ciphertext.
  • Code: replaces longer strings (e.g., words or sentences) with symbols

  13. Basics of Cryptography
  All algorithms must be public; only the keys are secret. (Auguste Kerckhoffs, 1883)

  14. Intruders and Cryptanalysis
  • An intruder listens to all communications and may copy or delete any message
    • An active intruder modifies some messages and re-inserts them
    • A passive intruder just listens
  • To decrypt a message without having the key, an intruder practices the art of cryptanalysis

  15. Classification of Ciphers
  • Substitution ciphers
    • Caesar's cipher
    • Affine transformation ciphers
  • Transposition ciphers
  • One-time pad
  • Block ciphers
  • Exponentiation ciphers
    • RSA

  16. Substitution Ciphers
  • Each symbol is replaced by another symbol (Example: with the Latin alphabet, in monoalphabetic substitution, the key is a 26-letter string that represents the substituting permutation of the alphabet, so 26! keys are available)
  • Case study: Caesar cipher (A -> D, B -> E, C -> F, ... Z -> C), or, for a plaintext symbol s and its ciphertext symbol c,
  • ord(c) = [ord(s) + 3] mod 26
  • Letters are packed in equal blocks to prevent cryptanalysis based on word length
  17. Case Study: Caesar's Cipher
  Plaintext letter values: A=0 B=1 C=2 D=3 E=4 F=5 G=6 H=7 I=8 J=9 K=10 L=11 M=12 N=13 O=14 P=15 Q=16 R=17 S=18 T=19 U=20 V=21 W=22 X=23 Y=24 Z=25
  Ciphertext: each value is shifted by 3, i.e. A -> 3 (D), B -> 4 (E), ..., W -> 25 (Z), and X, Y, Z wrap around to 0, 1, 2 (A, B, C)
  Message: THIS MESSAGE IS TOP SECRET
  Packed in blocks of five: THISM ESSAG EISTO PSECR ET
  As numbers: 19 7 8 18 12 | 4 18 18 0 6 | 4 8 18 19 14 | 15 18 4 2 17 | 4 19
  Shifted by 3 (mod 26): 22 10 11 21 15 | 7 21 21 3 9 | 7 11 21 22 17 | 18 21 7 5 20 | 7 22
  Ciphertext: WKLVP HVVDJ HLVWR SVHFU HW

  18. Affine Transformation Ciphers
  • Substitution ciphers are easy to break with a relatively small amount of ciphertext, using statistical properties of the language (frequency of letters, digrams, trigrams, etc.)
  • More general:
  • C = P + k (mod 26) is a shift transformation cipher;
  • C = aP + b (mod 26), where (a, 26) = 1, is an affine transformation cipher
    • φ(26) = 12 choices for a, 26 choices for b, altogether 312 transformations
    • The inverse is computed as P = a'(C - b) (mod 26), where aa' ≡ 1 (mod 26)
  Key: (a, b)

  19. A Cryptanalysis Example
  (Suppose we know that a shift transformation cipher was used)
  Ciphertext: YFXMP CESPZ CJTDF DPQFW QZCPY NTASP CTYRX PDDLR PD
  The frequencies of occurrence of letters in English text (in percent):
  A 7, B 1, C 3, D 4, E 13, F 3, G 2, H 3, I 8, J <1, K <1, L 4, M 3, N 8, O 7, P 3, Q <1, R 8, S 6, T 9, U 3, V 1, W 1, X <1, Y 2, Z <1
  Frequencies of occurrence of letters in the ciphertext (counts):
  A 1, B 0, C 4, D 5, E 1, F 3, G 0, H 0, I 0, J 1, K 0, L 1, M 1, N 1, O 0, P 7, Q 2, R 2, S 2, T 3, U 0, V 0, W 1, X 2, Y 3, Z 2
  Guess: the most frequent ciphertext letter, P (15), is the encryption of E (4) => 15 = 4 + k (mod 26) => k = 11.
  Plaintext: NUMBE RTHEO RYISU SEFUL FOREN CIPHE RINGM ESSAG ES (NUMBER THEORY IS USEFUL FOR ENCIPHERING MESSAGES)
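The shift and affine ciphers of slides 16 to 19 in working code, as an added example that is not part of the original slides: it packs letters into blocks of five, encrypts and decrypts with C = aP + b (mod 26) using the modular inverse a', and reproduces the frequency-analysis step of slide 19 (the most frequent ciphertext letter is taken to be the encryption of E). All function names are my own.

```python
# Added example (not from the slides): shift / affine substitution on the
# 26-letter alphabet, plus the frequency heuristic used in slide 19.
from collections import Counter
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def affine_encrypt(plaintext, a, b):
    """C = aP + b (mod 26); non-letters are dropped. A shift cipher is a = 1."""
    if gcd(a, 26) != 1:
        raise ValueError("a must be relatively prime to 26")
    letters = [c for c in plaintext.upper() if c in ALPHABET]
    return "".join(ALPHABET[(a * ALPHABET.index(c) + b) % 26] for c in letters)


def affine_decrypt(ciphertext, a, b):
    """P = a'(C - b) (mod 26), where a * a' = 1 (mod 26)."""
    a_inv = pow(a, -1, 26)  # raises ValueError if a has no inverse mod 26
    return "".join(ALPHABET[(a_inv * (ALPHABET.index(c) - b)) % 26] for c in ciphertext)


def affine_keyspace():
    """Number of (a, b) pairs: phi(26) choices for a times 26 choices for b."""
    return sum(1 for a in range(1, 26) if gcd(a, 26) == 1) * 26


def blocks(text, size=5):
    """Pack letters into equal blocks so that word lengths leak nothing (slide 16)."""
    return " ".join(text[i:i + size] for i in range(0, len(text), size))


def guess_shift(ciphertext, assumed_plain="E"):
    """Slide 19's heuristic: the most frequent ciphertext letter encrypts E.
    Returns the candidate shift k with C = P + k (mod 26)."""
    counts = Counter(c for c in ciphertext.upper() if c in ALPHABET)
    most_common = counts.most_common(1)[0][0]
    return (ALPHABET.index(most_common) - ALPHABET.index(assumed_plain)) % 26


if __name__ == "__main__":
    ct = affine_encrypt("THIS MESSAGE IS TOP SECRET", 1, 3)
    print(blocks(ct))                       # WKLVP HVVDJ HLVWR SVHFU HW
    slide_ct = "YFXMPCESPZCJTDFDPQFWQZCPYNTASPCTYRXPDDLRPD"
    k = guess_shift(slide_ct)               # 11
    print(k, blocks(affine_decrypt(slide_ct, 1, k)))
```

The heuristic only needs a few dozen letters of ciphertext, which is the point slide 18 makes: a key space of 312 transformations is far too small, and letter statistics make even the best of them recoverable.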
  20. Transposition Cipher
  • All symbols are reordered according to a permutation specified by the key
  • Example:
    I L O V E Y   the key; it must have no repeated symbols
    2 3 4 5 1 6   the relative (alphabetical) order of each symbol in the key
    L E T U S M   the plaintext is written in rows of the key's size
    E E T T O N
    I G H T X Y   the last row is padded
  • Ciphertext: SOXLEIEEGTTHUTTMNY (the columns are written out in the order of the key's symbols: column 1 is under E, column 2 under I, and so on)
  Transposition ciphers can also be broken by guessing the key size and using statistical analysis when the cryptanalyst knows that it is a transposition cipher.
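The columnar transposition of slide 20 in working code, as an added example that is not part of the original slides: the key ILOVEY is ranked alphabetically, the plaintext is written in rows of the key's width (the last row padded with X, Y as on the slide), and the columns are read out in rank order; decryption refills the grid column by column. Function names are my own.

```python
# Added example (not from the slides): columnar transposition keyed by ILOVEY.

def key_order(key):
    """Relative alphabetical rank of each key symbol: ILOVEY -> [2, 3, 4, 5, 1, 6]."""
    if len(set(key)) != len(key):
        raise ValueError("key must have no repeated symbols")
    ranked = sorted(key)
    return [ranked.index(c) + 1 for c in key]


def transpose_encrypt(plaintext, key, pad="XY"):
    letters = [c for c in plaintext.upper() if c.isalpha()]
    n = len(key)
    i = 0
    while len(letters) % n:                  # pad the last row, as the slide does
        letters.append(pad[i % len(pad)])
        i += 1
    rows = [letters[r:r + n] for r in range(0, len(letters), n)]
    order = key_order(key)
    out = []
    for rank in range(1, n + 1):             # column under the rank-th key symbol
        col = order.index(rank)
        out.extend(row[col] for row in rows)
    return "".join(out)


def transpose_decrypt(ciphertext, key):
    n = len(key)
    if len(ciphertext) % n:
        raise ValueError("ciphertext length must be a multiple of the key size")
    height = len(ciphertext) // n
    order = key_order(key)
    grid = [[""] * n for _ in range(height)]
    pos = 0
    for rank in range(1, n + 1):             # refill the columns in rank order
        col = order.index(rank)
        for r in range(height):
            grid[r][col] = ciphertext[pos]
            pos += 1
    return "".join("".join(row) for row in grid)   # padding stays attached


if __name__ == "__main__":
    c = transpose_encrypt("LET US MEET TONIGHT", "ILOVEY")
    print(c, transpose_decrypt(c, "ILOVEY"))     # SOXLEIEEGTTHUTTMNY LETUSMEETTONIGHTXY
```

Note what the ciphertext gives away: its length is a multiple of the key size, which is exactly the guess the slide's closing remark says a cryptanalyst starts from.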
  21. One-Time Pad Cipher
  • Any bit sequence the size of the plaintext can be a key. Each bit of plaintext is XOR-ed with the corresponding bit of the key to produce a bit of the ciphertext
  XOR: 0 + 0 = 0, 0 + 1 = 1, 1 + 0 = 1, 1 + 1 = 0
  Example:
    Plaintext:  001110011010010110
    Key:        100100100111110110
    Ciphertext: 101010111101100000
  The one-time pad is unbreakable; however, key distribution is a big problem... (Quantum cryptography may help!)
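The one-time pad of slide 21 in working code, as an added example that is not part of the original slides. Besides reproducing the slide's XOR example, it shows the failure mode behind the "one-time" in the name: if the same pad is used for two messages, XOR-ing the two ciphertexts cancels the key and leaves the XOR of the two plaintexts. Function names are my own; the bit strings are the slide's plus one constructed second message.

```python
# Added example (not from the slides): one-time pad as bitwise XOR over '0'/'1'
# strings, and why a pad must never be reused.
import secrets


def xor_bits(a, b):
    if len(a) != len(b):
        raise ValueError("key must be exactly as long as the plaintext")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def otp_encrypt(plaintext_bits, key_bits):
    return xor_bits(plaintext_bits, key_bits)


otp_decrypt = otp_encrypt  # XOR is its own inverse: (P xor K) xor K = P


def fresh_key(nbits):
    """A new, uniformly random pad for every message (the part that is hard
    in practice: this key must reach the receiver over some secure channel)."""
    return "".join(secrets.choice("01") for _ in range(nbits))


def reuse_leak(c1, c2):
    """With one key K: c1 xor c2 = (p1 xor K) xor (p2 xor K) = p1 xor p2.
    The key is gone and the relation between the two plaintexts is exposed."""
    return xor_bits(c1, c2)


if __name__ == "__main__":
    p1 = "001110011010010110"            # the slide's plaintext
    k = "100100100111110110"             # the slide's key
    c1 = otp_encrypt(p1, k)
    print(c1)                            # 101010111101100000
    p2 = "111000111000111000"            # constructed second message
    c2 = otp_encrypt(p2, k)              # same key reused: the mistake
    print(reuse_leak(c1, c2) == xor_bits(p1, p2))   # True
```

The leak is the reason the slide's "key distribution is a big problem" is not a side remark: every message needs its own pad, delivered securely, so the pad is as hard to move as the message itself.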
  22. Block Ciphers (Affine Transformation)
  • Key:
    • A is a square integer matrix of order n such that (|A|, 26) = 1
    • B is an n-vector of integers
  • The plaintext is split into blocks of length n; the last block is padded
  • For each block P, compute
    • C = (AP + B) (mod 26)

  23. A Little Detour: Three Facts of Elementary Number Theory
  • Euler's Theorem: If m > 0 and a and m are integers such that (a, m) = 1, then a^φ(m) ≡ 1 (mod m).
  • Let a, b, and m be integers, m > 0 and (a, m) = d. If d | b, then the equation ax ≡ b (mod m) has exactly d incongruent solutions; otherwise, it has no solutions.
  • Fermat's Little Theorem: If p is prime and a > 0 is an integer not divisible by p, then a^(p-1) ≡ 1 (mod p).

  24. Exponentiation Ciphers
  • After Pohlig and Hellman, 1978:
  • p is a prime
  • The key e > 0 satisfies (e, p-1) = 1
  Plaintext letters are numbered A=00, B=01, C=02, ..., Z=25
  • Group the resulting digits into blocks of 2m decimal digits, where m is the largest even integer such that the decimal value of each block is less than p
  • For each plaintext block P, compute a ciphertext block C = P^e (mod p)
  • To decipher, find d such that de ≡ 1 (mod p-1) and compute P = C^d (mod p)
  Why it works: C^d ≡ P^(ed) ≡ P^(k(p-1)+1) ≡ [P^(p-1)]^k · P ≡ P (mod p), by Fermat's Little Theorem

  25. Exponentiation Ciphers: An Example
  • p = 2633;
  • the key e = 29; (e, p-1) = (29, 2632) = 1;
  • Block length is 4 (m = 2)
  Plaintext letters are numbered A=00, B=01, C=02, ..., Z=25
  THIS IS AN EXAMPLE OF AN EXPONENTIATION CIPHER, written in 4-digit blocks (the last block is padded with X = 23):
  1907 0818 0818 0013 0423 0012 1511 0414 0500 1304 2315 1413 0413 1908 0019 0814 1302 0815 0704 1723
  Encryption C = P^29 (mod 2633), e.g. 1907^29 ≡ 2199 (mod 2633):
  2199 1745 1745 1206 2437 2425 1729 1619 0935 0960 1072 1541 1701 1553 0735 2064 1351 1794 1841 1459
  Decryption: d = 2269, since 29 · 2269 ≡ 1 (mod 2632); e.g. 2199^2269 ≡ 1907 (mod 2633)
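The exponentiation cipher of slides 24 and 25 in working code, as an added example that is not part of the original slides: letters are numbered A=00 to Z=25, cut into 4-digit blocks with X-padding, encrypted as P^e mod p, and decrypted with d = e^-1 mod (p-1). It uses the slide's parameters p = 2633, e = 29 and checks that d comes out as 2269. Function names are my own.

```python
# Added example (not from the slides): Pohlig-Hellman exponentiation cipher.
from math import gcd


def text_to_blocks(text, digits_per_block=4):
    """A=00 ... Z=25, digits concatenated and cut into blocks; the tail is
    padded with X (23), as in the slide's example."""
    digits = "".join(f"{ord(c) - ord('A'):02d}" for c in text.upper() if c.isalpha())
    while len(digits) % digits_per_block:
        digits += "23"
    return [int(digits[i:i + digits_per_block]) for i in range(0, len(digits), digits_per_block)]


def blocks_to_text(blocks, digits_per_block=4):
    digits = "".join(f"{b:0{digits_per_block}d}" for b in blocks)
    return "".join(chr(ord("A") + int(digits[i:i + 2])) for i in range(0, len(digits), 2))


def decryption_exponent(e, p):
    """d with d*e = 1 (mod p-1); exists only because (e, p-1) = 1."""
    if gcd(e, p - 1) != 1:
        raise ValueError("e must be relatively prime to p-1")
    return pow(e, -1, p - 1)


def exp_encrypt(blocks, e, p):
    if gcd(e, p - 1) != 1:
        raise ValueError("e must be relatively prime to p-1")
    if max(blocks) >= p:
        raise ValueError("every block must be smaller than p")
    return [pow(P, e, p) for P in blocks]


def exp_decrypt(blocks, e, p):
    d = decryption_exponent(e, p)
    return [pow(C, d, p) for C in blocks]


if __name__ == "__main__":
    p, e = 2633, 29
    plain = text_to_blocks("THIS IS AN EXAMPLE OF AN EXPONENTIATION CIPHER")
    cipher = exp_encrypt(plain, e, p)
    print(cipher[0], decryption_exponent(e, p))        # 2199 2269
    print(blocks_to_text(exp_decrypt(cipher, e, p)))   # ...CIPHERX
```

Note that the whole secret here is e (p is public), and that the slide's own caveat applies: for a p whose p-1 has only small prime factors the discrete logarithm, and therefore e, is cheap to recover, so such primes must be excluded when p is chosen.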
  26. Exponentiation Ciphers: Major Properties
  • For the encryption of each plaintext block P, we use O([ln p]^3) operations. Ditto for decryption (including finding the inverse d of e modulo p-1)
  • Cryptanalysis cannot be done rapidly. To discover the key e (knowing the prime p) takes, to the best of present knowledge, exp([ln p ln ln p]^(1/2)) operations (the Discrete Logarithm Problem).
  • Special cases (when p-1 has only small prime factors) exist, where it is possible to compute the discrete logarithm in O(ln^3 p); these have to be carefully avoided when choosing p.
  If p has 100 decimal digits, finding logarithms modulo p requires about 74 years; if it has 200 digits, about 3,800,000,000 years are required!

  27. One Immediate Application: The Diffie-Hellman Algorithm
  Problem: Establish common keys (for symmetric cryptography) to be used by two individuals so that intruders cannot discover them in a feasible amount of computer time.
  • Let
  • p be a large prime
  • a be an integer relatively prime to p
  These are known to all!
  Party 1 picks k1 relatively prime to p-1; party 2 picks k2 relatively prime to p-1. (The exchanged values and the resulting common key are shown in the slide's figure, which is not reproduced in the transcript.)

  28. A Simple Example of a DH Exchange
  p = 17, a = 2, k1 = 3, k2 = 5 (the computed values are in the slide's figure, which is not reproduced in the transcript)

  29. The Diffie-Hellman Exchange among n parties
  • Let
  • p be a large prime
  • a be an integer relatively prime to p
  These are known to all!
  Each party i picks k_i relatively prime to p-1, then computes and broadcasts its value; the figure with the computations is not reproduced in the transcript.
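The Diffie-Hellman exchange of slides 27 to 29 in working code, as an added example that is not part of the original slides. The two-party part uses the slide 28 values p = 17, a = 2, k1 = 3, k2 = 5 and shows both sides arriving at the same key. The n-party part is my own ring-style generalisation (each party raises the value it receives to its own secret and passes it on), since the slide's broadcast figure is not in the transcript; it is an assumption about the mechanism, not a transcription of the slide. The check that each secret is relatively prime to p-1 follows the slide's stated condition. Function names are my own.

```python
# Added example (not from the slides): Diffie-Hellman over the integers mod p.
from math import gcd


def dh_check(p, a, k):
    """The slide's conditions: (a, p) = 1 and the secret k relatively prime to p-1."""
    return gcd(a, p) == 1 and gcd(k, p - 1) == 1


def dh_public(p, a, k):
    """The value a party sends in the clear: a^k mod p."""
    return pow(a, k, p)


def dh_shared(received, k, p):
    """Raise the other side's public value to your own secret."""
    return pow(received, k, p)


def two_party(p, a, k1, k2):
    """Returns (value sent by party 1, value sent by party 2, common key)."""
    for k in (k1, k2):
        if not dh_check(p, a, k):
            raise ValueError("secret must be relatively prime to p-1")
    y1, y2 = dh_public(p, a, k1), dh_public(p, a, k2)
    s1, s2 = dh_shared(y2, k1, p), dh_shared(y1, k2, p)
    assert s1 == s2                     # both sides hold a^(k1*k2) mod p
    return y1, y2, s1


def n_party(p, a, secrets):
    """Ring generalisation (assumption, see lead-in): party i receives a value
    already exponentiated by the other n-1 secrets and applies its own.
    Every party ends with a^(k1*...*kn) mod p."""
    n = len(secrets)
    keys = []
    for i in range(n):
        value = a
        for j in range(1, n):           # contributions of the other parties, ring order
            value = pow(value, secrets[(i + j) % n], p)
        keys.append(pow(value, secrets[i], p))
    return keys


if __name__ == "__main__":
    print(two_party(17, 2, 3, 5))       # (8, 15, 9)
    print(n_party(17, 2, [3, 5, 7]))    # [2, 2, 2]
```

Only the public values a^k mod p cross the wire; recovering k from them is the discrete logarithm problem of slide 26, which is what the scheme rests on. The exchange as shown authenticates nobody, a gap the later slides on the man-in-the-middle attack and signed Diffie-Hellman address.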
  30. Fundamental Principles of Cryptography
  • Redundancy
    • Ensure that the cipher space is larger than the actual problem space in the plaintext (DOS!)
  • Freshness
    • Ensure that a receiver can establish that a message is fresh (not a replay of another message)
  Figure: an ID range of 0-7 embedded in an ID space of 0-1024. But don't overdo it: ease of cryptanalysis!

  31. Modern Symmetric-Key Algorithms
  • Combine transpositions and substitutions and cascade them to make the algorithms very complex (to prevent cryptanalysis even when large amounts of ciphertext are available)
  • Often use block ciphers
  Figure: a 4-bit transposition (T); a 2-bit substitution (S) implemented with a 2-to-4 decoder and a 4-to-2 encoder; S and T stages cascaded into a product cipher.

  32. Some Common Symmetric-Key Cryptographic Algorithms (after A. Tanenbaum)
  Cipher             Key size (bits)   Characteristics
  DES                56                Weak
  RC4                1-2048            Some keys are weak
  RC5                128-256           Good (but patented)
  IDEA               128               Good (but patented)
  Serpent, Twofish   128-256           Very strong
  Triple DES         168               Second best
  Rijndael           128-256           Best

  33. Public-Key Cryptography
  • A (public key, private key) pair
    • Publish the public key (= encryption key)
    • Keep the private key (= decryption key) secret
    • Two essential requirements:
    • 1) (formula not reproduced in the transcript)
    • 2) It is very hard (i.e., computationally infeasible) to obtain the private key from the public key
    • To send a message M to you, I send it encrypted under your public key
    • You decrypt it with your private key, obtaining M
  34. RSA (Rivest, Shamir, Adleman)
  • Parameters: p, q, n, z, d, e
    • Choose large (1024-bit) primes p, q
    • Compute n = pq, z = φ(n) = (p-1)(q-1)
    • Choose the exponent e relatively prime to z
    • Find d: ed ≡ 1 (mod z)
  • Keys: public (e, n); private (d, n)
  • Encryption and decryption:
    • Break the plaintext into the largest equal even-digit blocks (P) shorter than n bits
    • Encrypt each block P by computing C = E(P) ≡ P^e (mod n)
    • Decrypt C by computing D(C) ≡ C^d (mod n) ≡ P^(ed) (mod n) ≡ P^(kφ(n)+1) (mod n) ≡ P^(kφ(n)) · P (mod n) ≡ P (mod n)
  Euler's Theorem: If m > 0 and a and m are integers such that (a, m) = 1, then a^φ(m) ≡ 1 (mod m). The probability that P and n are not relatively prime is extremely low!

  35. RSA: An Example
  • p = 43, q = 59; n = 43 · 59 = 2537; φ(n) = 42 · 58 = 2436
  • Exponent e = 13; (e, φ(n)) = (13, 2436) = 1;
  • Block length is 4
  Plaintext letters are numbered A=00, B=01, C=02, ..., Z=25
  PUBLIC KEY CRYPTOGRAPHY, written in 4-digit blocks (the last block is padded with X = 23):
  1520 0111 0802 1004 2402 1724 1519 1406 1700 1507 2423
  Encryption E(P) ≡ P^e (mod n), e.g. 1520^13 ≡ 95 (mod 2537):
  0095 1648 1410 1299 0811 2333 2132 0370 1185 1457 1084
  Decryption P ≡ C^d (mod n) with d = 937, since 937 · 13 ≡ 1 (mod 2436); e.g. 0095^937 ≡ 1520 (mod 2537)
  Public key: (13, 2537); Private key: (937, 2537)
  36. Analysis of RSA
  • 100-digit primes p and q, the encryption exponent e, and its inverse d can be found in a few minutes of computer time. Now both keys are ready!
  • Modular exponentiation for encryption can be performed in a few seconds when the modulus, exponent, and base have as many as 200 digits
  • Decryption (private-key operations) takes longer, in general
  • Any known method of finding d from e and n is based on factoring n
  The security of RSA is based on the difficulty of factoring large integers

  37. Properties of RSA
  • The algorithm is secure because of the difficulty of factoring N. Factoring a 500-digit number should take 10^25 years using a CPU with a 1 microsecond instruction time
  • Encryption and decryption are inverse and commutative (an important property for digital signatures)
  • The algorithm is slow (compared to DES and other symmetric algorithms with much shorter keys)
  RSA may be prohibitively slow when dealing with large blocks of data. It is typically used for one-time session key distribution for a symmetric-key algorithm (such as triple-DES)
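Textbook RSA on integer blocks, as an added example that is not part of the original slides, serving slides 34, 35 and 37: key generation with the slide's p = 43, q = 59, e = 13 (which must yield d = 937 and n = 2537), encryption and decryption of the slide's first block 1520, and the commutativity property slide 37 points to, where applying the private exponent first and the public one second gives a verifiable signature. Function names are my own; this is the unpadded textbook scheme the slides describe, not a deployable signature format.

```python
# Added example (not from the slides): textbook RSA over integer blocks < n.
from math import gcd


def rsa_keygen(p, q, e):
    """Returns ((e, n), (d, n)) with ed = 1 (mod phi(n))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = pow(e, -1, phi)
    return (e, n), (d, n)


def rsa_apply(block, key):
    """Modular exponentiation with either key; RSA's E and D are the same operation."""
    exp, n = key
    if not 0 <= block < n:
        raise ValueError("block must be an integer below n")
    return pow(block, exp, n)


def rsa_encrypt(blocks, public):
    return [rsa_apply(b, public) for b in blocks]


def rsa_decrypt(blocks, private):
    return [rsa_apply(b, private) for b in blocks]


def rsa_sign(block, private):
    """D(P): only the holder of d can produce this value."""
    return rsa_apply(block, private)


def rsa_verify(signature, block, public):
    """E(D(P)) == P: anyone with the public key can check, which is the
    commutativity property slide 37 mentions."""
    return rsa_apply(signature, public) == block


if __name__ == "__main__":
    public, private = rsa_keygen(43, 59, 13)
    print(public, private)                          # (13, 2537) (937, 2537)
    slide_blocks = [1520, 111, 802, 1004, 2402, 1724, 1519, 1406, 1700, 1507, 2423]
    c = rsa_encrypt(slide_blocks, public)
    print(c[0], rsa_decrypt(c, private) == slide_blocks)   # 95 True
    s = rsa_sign(1520, private)
    print(rsa_verify(s, 1520, public), rsa_verify(s, 1521, public))  # True False
```

Note the block bound: each block is an integer strictly below n, which is why the slides cut the text into the largest even-digit blocks smaller than n rather than encrypting the message as one number.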
38. 38. Typical use of RSA for Key Distribution in Symmetric Cryptography (hybrid encryption) <ul><li>Sender: randomly generates a session key K and sends two things: </li></ul><ul><ul><li>the plaintext encrypted with the symmetric-key algorithm, E_K(plaintext), and </li></ul></ul><ul><ul><li>K, encrypted using RSA with the public key of the receiver </li></ul></ul><ul><li>Receiver: </li></ul><ul><ul><li>Decrypts K using the private key </li></ul></ul><ul><ul><li>Decrypts the message using D_K </li></ul></ul>
39. 39. Other Public-Key Algorithms <ul><li>Knapsack (Merkle and Hellman, 1978)—based on NP-completeness of the Knapsack problem </li></ul><ul><ul><li>Was the first public-key algorithm, but is considered insecure and is not used </li></ul></ul><ul><li>El Gamal (1985) is based on the difficulty of computing discrete logarithms </li></ul><ul><ul><li>More computationally intensive than RSA </li></ul></ul><ul><ul><li>Is totally unencumbered by copyright and patents </li></ul></ul><ul><li>RSA </li></ul><ul><ul><li>Users can have problems with proper generation of primes (some primes or pseudo-primes may aid factoring) </li></ul></ul><ul><ul><li>Not appropriate for use in situations where key generation occurs regularly </li></ul></ul><ul><ul><li>Patents expired </li></ul></ul><ul><li>Elliptic-Curve Cryptography (ECC) (Miller and Koblitz, 1985) hinges on the intractability of the discrete logarithm problem in the algebraic system defined on the elliptic-curve points </li></ul><ul><ul><li>Uses smaller keys than RSA or El Gamal </li></ul></ul><ul><ul><li>Is significantly faster than RSA (for the same security) </li></ul></ul><ul><ul><li>Is patented </li></ul></ul>
  40. 40. Digital Signatures and Non-Repudiation <ul><li>Requirements </li></ul><ul><ul><li>The receiver can verify the claimed identity of the sender </li></ul></ul><ul><ul><li>The sender cannot repudiate the contents of the message </li></ul></ul><ul><ul><li>The receiver cannot sign its own message with someone else’s signature </li></ul></ul><ul><li>The implementations can be based both on symmetric- and public-key signatures </li></ul>
41. 41. Non-Repudiation with Symmetric-Key Digital Signatures <ul><li>A single third party (Central Authority, A) keeps everyone’s keys </li></ul><ul><li>Notation: </li></ul><ul><ul><li>X—the sender’s identity; Y—the receiver’s identity </li></ul></ul><ul><ul><li>K(X)—X’s key with A; K(Y)—Y’s key with A; K(A)—the key only A knows </li></ul></ul><ul><ul><li>M—the message from X to Y </li></ul></ul><ul><ul><li>R_X—a random number </li></ul></ul><ul><ul><li>t, t’—timestamps </li></ul></ul><ul><li>The exchange: </li></ul><ul><ul><li>X → A: E_K(X)(M, Y, R_X, t) </li></ul></ul><ul><ul><li>A → Y: E_K(Y)[M, X, R_X, t’, E_K(A)(M, X, t)] </li></ul></ul>Now X cannot deny having sent M to Y! (Y keeps E_K(A)(M, X, t), which only A could have produced.)
42. 42. Non-Repudiation with Public-Key Digital Signatures Works with any public-key algorithm with the property E[D(P)] = P (RSA is one of them, but there are others) <ul><li>Pu(X)—X’s public key; Pr(X)—X’s private key </li></ul><ul><li>Pu(Y)—Y’s public key </li></ul><ul><li>X → Y: S = D_Pr(X)(M) </li></ul><ul><li>Y recovers M = E_Pu(X)(S) </li></ul>No third party needed!
43. 43. Non-Repudiation and Confidentiality with Public-Key Digital Signatures Again, use any public-key algorithm with the property E[D(P)] = P <ul><li>Pu(X)—X’s public key; Pr(X)—X’s private key </li></ul><ul><li>Pu(Y)—Y’s public key; Pr(Y)—Y’s private key </li></ul><ul><li>X → Y: S = E_Pu(Y)[D_Pr(X)(M)] (signed with X’s private key, then encrypted with Y’s public key) </li></ul><ul><li>Y recovers M = E_Pu(X)[D_Pr(Y)(S)] (decrypts with its own private key, then checks the signature with X’s public key) </li></ul>No third party needed!
  44. 44. Some Problems with Public-Key Digital Signatures <ul><li>If X discloses his or her private key (or claims that it was stolen), it can no longer be proven that X had sent the message </li></ul><ul><li>Ditto if X decides to change his or her key </li></ul><ul><li>The scheme is an overkill (it is slow) because it combines authentication with confidentiality </li></ul>An improvement is needed! (We will start by addressing the last item.)
  45. 45. One-Way Functions and Digests <ul><li>Given an algorithm for computing f(x), it is easy to compute y = f(x) for any x </li></ul><ul><li>Given the value of y = f(x), it is hard (i.e., computationally infeasible) to compute x </li></ul><ul><li>Given x , it is hard to find t such that f(x)=f(t) </li></ul><ul><ul><li>to meet this criterion, the hash should be at least 128 bits long </li></ul></ul><ul><li>One-bit change to x produces a very different output, f(x) </li></ul><ul><ul><li>to meet this criterion, the algorithm must toss the bits very thoroughly—quite differently from what symmetric key algorithms do! </li></ul></ul>Computing and encrypting a message digest is much faster than encrypting the whole text!
  46. 46. Digital Signatures with Message Digest (non-repudiation) <ul><li>(a) D is the private key of the sender </li></ul><ul><li>(b) The receiver uses the public key of the sender to check the signature </li></ul>(b) The trick: Sign only the digest, not the whole message!
47. 47. Two Popular Message Digest Algorithms <ul><ul><li>Message Digest (MD5) (Rivest, 1992) </li></ul></ul><ul><ul><ul><li>Produces a 64-bit result </li></ul></ul></ul><ul><ul><ul><li>Supersedes the previous four MDs in a series, but they are all “broken” </li></ul></ul></ul><ul><ul><li>Secure Hash Algorithm (SHA-1) </li></ul></ul><ul><ul><ul><li>Produces a 160-bit result </li></ul></ul></ul><ul><ul><ul><li>Is standardized by NIST in FIPS 180-1 </li></ul></ul></ul><ul><ul><ul><li>Is on its way to replacing MD5 </li></ul></ul></ul>
48. 48. The Birthday Attack <ul><li>Q: How many people need to be in a room before the probability that two of them share a birthday exceeds 1/2? </li></ul><ul><li>A: 23 </li></ul>More generally, when n inputs are mapped onto k possible outputs, a match (two inputs assigned to the same output) becomes likely once n ≈ k^(1/2). And so, with MD5, one could generate 2^32 digests and probably get two that are the same.
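An added illustration (not from the slides) of the n ≈ k^(1/2) bound: SHA-1 truncated to its first 24 bits stands in for a hash with k = 2^24 outputs, and random messages are drawn until two of them collide. The seed and the 8-byte message format are this example's own choices.

```python
import hashlib
import random


def truncated_digest(data: bytes, bits: int) -> int:
    """The first `bits` bits of SHA-1(data): a stand-in for a hash whose output space has 2^bits values."""
    full = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return full >> (160 - bits)


def birthday_bound(bits: int) -> int:
    """n ≈ k^(1/2) with k = 2^bits: the number of inputs after which a match becomes likely."""
    return 1 << (bits // 2)


def find_collision(bits: int, seed: int = 1, max_tries: int = 1 << 22):
    """Draw random 8-byte messages until two distinct ones share a truncated digest.
    Returns (m1, m2, tries) or None if max_tries is exhausted.
    The RNG is seeded so that a run is reproducible."""
    rng = random.Random(seed)
    seen = {}  # truncated digest -> first message that produced it
    for tries in range(1, max_tries + 1):
        m = rng.getrandbits(64).to_bytes(8, "big")
        d = truncated_digest(m, bits)
        if d in seen and seen[d] != m:
            return seen[d], m, tries
        seen[d] = m
    return None


if __name__ == "__main__":
    bits = 24
    m1, m2, tries = find_collision(bits)
    print(f"{bits}-bit digest: collision after {tries} messages "
          f"(birthday bound 2^{bits // 2} = {birthday_bound(bits)})")
    print(m1.hex(), m2.hex(), hex(truncated_digest(m1, bits)))
    # For a full 160-bit SHA-1 the same attack needs about 2^80 messages,
    # which is why digests must be long.
    print("full SHA-1 bound:", birthday_bound(160))
```

A collision for the 24-bit stand-in typically turns up after a few thousand messages, in line with 2^12 = 4096; doubling the digest length squares that effort.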
  49. 49. Back to Problems with Public-Key Digital Signatures <ul><li>If X discloses his private key (or claims that it was stolen), it can no longer be proven that X had sent the message </li></ul><ul><li>Ditto if X decides to change his key </li></ul><ul><li>The scheme is an overkill (it is slow) because it combines authentication with confidentiality </li></ul>An improvement is needed! And then there is a basic problem: Where do I get your public key, and how can I trust the place I get it from?
50. 50. Certificates (Public Key Distribution) <ul><li>To use the public key signature scheme, the sender’s public key must be known </li></ul><ul><li>It could be published (on a web site, for example), but then it could also be altered </li></ul><ul><li>A common solution is to use certificates: </li></ul><ul><ul><li>A sender attaches his or her (name, public key) pair, digitally signed by the trusted third party—the Certification Authority (CA) </li></ul></ul><ul><ul><li>Once the receiver has obtained the public key of the CA, the receiver can accept certificates from all senders who use this CA </li></ul></ul>
51. 51. A Certificate <ul><li>Presumably, your computer has been pre-loaded with the SuperCert public key, P, so you can always </li></ul><ul><ul><li>Compute the SHA-1 digest D of the declaration part of the certificate </li></ul></ul><ul><ul><li>Verify that D = P(signature) </li></ul></ul>There is nothing secret about certificates; they can be sent in the open. The declaration part: “I, the SuperCert Certification Authority, am delighted to confirm that the public key A789FHAFFDEG8600FFA belongs to Igor Faynberg.” The signature part: the SHA-1 digest of the above, signed with the SuperCert private key. Issuer: SuperCert
52. 52. A Different Use of a Certificate: Binding An Attribute to a Key An important feature: it preserves privacy! The declaration part: “I, the SuperCert Certification Authority, am delighted to confirm that the person who owns the public key A789FHAFFDEG8600FFA is older than 21, and so you can legally sell him alcohol in New Jersey.” The signature part: the SHA-1 digest of the above, signed with the SuperCert private key.
  53. 53. Questions: <ul><li>What are all the possible formats (of attributes and all), and who could possibly manage them? </li></ul><ul><li>How can one CA possibly manage all certificates, and which organization is it anyway? </li></ul><ul><li>And suppose everyone trusts this organization, but how could it preserve its single public key from being modified? </li></ul>
  54. 54. X.509: A standard for certificates <ul><li>Contained in ITU-T Recommendation X.509 </li></ul>
55. 55. Public Key Infrastructure (PKI) Schematic description: RA: Regional Authority; CA: Certificate Authority. The chain of trust runs from the root through the RAs and CAs down to the end-entity certificate (“I, the SuperCert Certification Authority, am delighted to confirm that the public key A789FHAFFDEG8600FFA belongs to Igor Faynberg”; the SHA-1 digest of the above, signed with the SuperCert private key).
  56. 56. More on PKI <ul><li>There are many roots with their own trees. Modern browsers come pre-loaded with over 100 roots known as trust anchors </li></ul><ul><ul><li>So, there is no single world-wide authority </li></ul></ul><ul><li>Certificates can be stored at the user’s sites, but it would be more convenient (easier to look them up) to use the Domain Name System and store them at DNS sites </li></ul><ul><li>Certificates are timed, and they can also be revoked (CAs issue Certificate Revocation Lists [CRLs]) </li></ul>
57. 57. Symmetric Key Distribution: Diffie-Hellman revisited Problem: Establish common keys (for symmetric cryptography) to be used by two individuals so that intruders cannot discover them in a feasible amount of computer time. <ul><li>Let </li></ul><ul><li>p be a large prime </li></ul><ul><li>a be an integer relatively prime to p </li></ul><ul><li>A picks k_1 relatively prime to p-1 and sends a^(k_1) mod p to B </li></ul><ul><li>B picks k_2 relatively prime to p-1 and sends a^(k_2) mod p to A </li></ul><ul><li>Both compute the same key: (a^(k_2))^(k_1) = (a^(k_1))^(k_2) = a^(k_1 k_2) mod p </li></ul>
58. 58. The Man-in-the-Middle Attack Trudy intercepts the exchange and runs Diffie-Hellman twice: she establishes K_1 with A (who believes she is B) and K_2 with B (who believes she is A), and from then on she relays, and can read or alter, everything that passes between them
59. 59. Avoiding a Man in the Middle: Signed Diffie-Hellman <ul><li>Let </li></ul><ul><li>p be a large prime </li></ul><ul><li>a be an integer relatively prime to p </li></ul><ul><li>A picks k_1 relatively prime to p-1; B picks k_2 relatively prime to p-1 </li></ul><ul><li>A’s value is signed with A’s private key; B’s value is signed with B’s private key </li></ul>The man in the middle cannot sign (he has neither private key)!
60. 60. Authentication Protocols <ul><li>Needed for the establishment of sessions (VoIP conversations [streams and signaling], TCP sessions, etc.) </li></ul>Topics: general rules; shared-key-based protocols; challenge-response; known pitfalls; HMAC-based protocols; Key Distribution Centers; Kerberos; authentication with public key cryptography
61. 61. Introduction of the Key Players <ul><li>Alice </li></ul><ul><li>Bob </li></ul><ul><li>Trudy the Intruder </li></ul>
  62. 62. The General Model <ul><li>Alice starts by sending a message to Bob or to a trusted Key Distribution Center (KDC) </li></ul><ul><li>An exchange follows </li></ul><ul><li>Trudy may intercept, modify, or replay any message </li></ul>
63. 63. Challenge-Response Protocol (first attempt) <ul><li>1. Alice → Bob: A (identity) </li></ul><ul><li>2. Bob → Alice: R_B (challenge: a nonce, a large random number never to be repeated) </li></ul><ul><li>3. Alice → Bob: K_AB(R_B) (response, encrypted with the shared key) </li></ul><ul><li>4. Alice → Bob: R_A </li></ul><ul><li>5. Bob → Alice: K_AB(R_A) </li></ul>
64. 64. Challenge-Response Protocol (Can we do this faster?) An “improvement”: 3 instead of 5 messages! <ul><li>1. Alice → Bob: A, R_A </li></ul><ul><li>2. Bob → Alice: R_B, K_AB(R_A) </li></ul><ul><li>3. Alice → Bob: K_AB(R_B) </li></ul>No! (See the reflection attack on the next slide.)
65. 65. The Reflection Attack <ul><li>First session </li></ul><ul><ul><li>1. Trudy → Bob: A, R_T </li></ul></ul><ul><ul><li>2. Bob → Trudy: R_B, K_AB(R_T) </li></ul></ul><ul><li>Second session (opened by Trudy before the first one is finished) </li></ul><ul><ul><li>3. Trudy → Bob: A, R_B </li></ul></ul><ul><ul><li>4. Bob → Trudy: R_B*, K_AB(R_B) </li></ul></ul><ul><li>Back to the first session </li></ul><ul><ul><li>5. Trudy → Bob: K_AB(R_B) (Bob’s own answer from the second session) </li></ul></ul>
  66. 66. General Rules <ul><li>The initiator has to prove its identity before the responder </li></ul><ul><li>The initiator and responder must use different keys for proof (a need for two shared keys) </li></ul><ul><li>Initiator and responder must draw challenges from different sets (e.g., odd/even) </li></ul><ul><li>It must be impossible to use authentication information obtained in one session in a different one </li></ul>
67. 67. But was the First Attempt Really Faultless? [Figure: Trudy, claiming to be B, runs two interleaved sessions with Alice; the messages shown are A, R_A, K_AB(R_A), R_A*, K_AB(R_A*).] Now Trudy has two sessions with Alice! [Figure: the first-attempt protocol between Alice and Bob, with messages A, R_A, R_B, K_AB(R_B), K_AB(R_A).]
68. 68. A Few Conclusions <ul><li>Authentication protocols are hard… </li></ul><ul><li>In the previous example, again the Rules were violated </li></ul><ul><li>There is a method of designing protocols of this kind that are provably correct: R. Bird et al., Systematic Design of a Family of Attack-Resistant Authentication Protocols, IEEE Journal on Selected Areas in Communications, vol. 11, pp. 679-693, June 1993 </li></ul>
69. 69. Another Class of Protocols That Work (HMAC) <ul><li>Hashed Message Authentication Code (HMAC), in general, is the hash (e.g., MD5 or SHA-1) of </li></ul><ul><li>(some data + shared key) </li></ul><ul><li>1. Alice → Bob: R_A </li></ul><ul><li>2. Bob → Alice: R_B, HMAC(R_A, R_B, A, B, K_AB) </li></ul><ul><li>3. Alice → Bob: HMAC(R_A, R_B, K_AB) </li></ul>Trudy does not know K_AB, and so she cannot compute the HMAC!
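The three-message exchange above, written out as an added Python example (not code from the slides) with both sides' computations. The key K_AB and the identities are constructed here, and the tags use the standard HMAC construction (RFC 2104) from Python's hmac module over length-prefixed fields, rather than the slide's informal "hash of data + key".

```python
import hashlib
import hmac
import secrets

# Constructed for this example: Alice and Bob share K_AB; Trudy does not.
K_AB = bytes.fromhex("00112233445566778899aabbccddeeff")
A, B = b"Alice", b"Bob"


def mac(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA-1 over the given fields. Each field is length-prefixed so that
    (R_A, R_B, A, B) cannot be re-split into different fields with the same bytes."""
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha1).digest()


def alice_msg1() -> bytes:
    """Message 1: Alice sends her challenge R_A (a fresh nonce)."""
    return secrets.token_bytes(16)


def bob_msg2(key: bytes, r_a: bytes):
    """Message 2: Bob sends his challenge R_B and HMAC(R_A, R_B, A, B, K_AB).
    Including A and B binds the tag to this direction of the exchange."""
    r_b = secrets.token_bytes(16)
    return r_b, mac(key, r_a, r_b, A, B)


def alice_msg3(key: bytes, r_a: bytes, r_b: bytes, tag_b: bytes):
    """Alice checks Bob's tag (only a holder of K_AB can produce it) and, if it
    verifies, answers with HMAC(R_A, R_B, K_AB). Returns None on failure."""
    if not hmac.compare_digest(tag_b, mac(key, r_a, r_b, A, B)):
        return None
    return mac(key, r_a, r_b)


def bob_verify(key: bytes, r_a: bytes, r_b: bytes, tag_a: bytes) -> bool:
    """Bob's check of message 3. Because Alice's tag covers different fields than
    his own, a reflected copy of his message-2 tag can never pass here."""
    return hmac.compare_digest(tag_a, mac(key, r_a, r_b))


def run_protocol(alice_key: bytes, bob_key: bytes) -> bool:
    """Run the exchange; True only when both sides authenticate each other."""
    r_a = alice_msg1()
    r_b, tag_b = bob_msg2(bob_key, r_a)
    tag_a = alice_msg3(alice_key, r_a, r_b, tag_b)
    if tag_a is None:
        return False  # Alice rejects: the responder did not know K_AB
    return bob_verify(bob_key, r_a, r_b, tag_a)


if __name__ == "__main__":
    print("Alice and Bob with K_AB:", run_protocol(K_AB, K_AB))      # True
    print("responder without K_AB:", run_protocol(K_AB, bytes(16)))  # False
```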
  70. 70. Key Distribution Centers (KDCs) <ul><li>If a process needs to talk to n other processes, it will need to share n keys. As n grows, key management becomes a burden… </li></ul><ul><li>Another approach: Each user has a key shared with KDC, and all authentication and session key management go through KDC </li></ul>
71. 71. Authentication with the Key Distribution Center (First attempt) <ul><li>1. Alice → KDC: A, K_A(B, K) (“I want to use the key K to talk to Bob”) </li></ul><ul><li>2. KDC → Bob: K_B(A, K) </li></ul><ul><li>Authentication happens automatically: </li></ul><ul><li>KDC knows it is Alice (because of the shared key) </li></ul><ul><li>Bob knows that the message came from KDC (for the same reason) </li></ul>But there is a big problem here!
72. 72. The Replay Attack <ul><li>Trudy is working for Alice. She knows that today at noon Alice will transfer her salary into her bank account in Bob’s bank </li></ul><ul><li>12:00: Alice → KDC: A, K_A(B, K); KDC → Bob: K_B(A, K); Alice → Bob: K(“Transfer $20,000 to Trudy”) </li></ul><ul><li>12:15: Trudy replays to Bob the recorded K_B(A, K) and K(“Transfer $20,000 to Trudy”) </li></ul>
  73. 73. Solutions to Replay Attack (for KDC Protocols) <ul><li>Include a timestamp in each message </li></ul><ul><ul><li>Problem : Clocks are not exactly synchronized over the network; the differences can be used to sneak a replay </li></ul></ul><ul><li>Put a nonce in each message </li></ul><ul><ul><li>Problem : Each party has to remember all previous nonces forever </li></ul></ul><ul><li>Combine timestamps with nonces (so as to remember nonces only for maximum misaligned time periods) </li></ul><ul><ul><li>Problem: The protocol will become too complex… </li></ul></ul><ul><li>Use a multiway challenge-response protocol </li></ul>
  74. 74. The Needham-Schroeder Authentication Protocol (1978) (After A. Tanenbaum) But it still has a weakness (possible replay of 3 if plaintext of a previous session is found)!
75. 75. The Otway-Rees Authentication Protocol (1987) This protocol fixes the problem with Needham-Schroeder more elegantly than Needham and Schroeder did (also in 1987) (After A. Tanenbaum)
76. 76. A Few Notes on KDC Issues <ul><li>KDCs can support hundreds of clients but not millions (scalability) </li></ul><ul><li>There is no single KDC that all other KDCs trust </li></ul><ul><li>There is no standard for inter-KDC communications for cross-realm authentication </li></ul>
77. 77. Authentication with Kerberos <ul><li>Kerberos was designed at MIT, and it is based on a variant of Needham-Schroeder </li></ul><ul><ul><li>Kerberos V.4 is widely used (for example, in Microsoft Windows 2000) </li></ul></ul><ul><ul><li>Kerberos V.5 is being deployed </li></ul></ul><ul><li>Kerberos assumes that all clocks are synchronized </li></ul><ul><li>Kerberos modifies the KDC model </li></ul>
  78. 78. The Kerberos Model: Three Servers <ul><li>Authentication Server (AS) </li></ul><ul><ul><li>Authenticates users during the login session </li></ul></ul><ul><ul><li>Shares a secret (password) with every user </li></ul></ul><ul><li>Ticket-Granting Server (TGS) </li></ul><ul><ul><li>Issues proof-of-identity tickets, which convince other servers that the owners of the tickets are who they claim to be </li></ul></ul><ul><li>The real-work server </li></ul><ul><ul><li>Does the real work (performs services such as banking transactions, telephone calls, etc.) </li></ul></ul>
79. 79. Operation of Kerberos (V4) <ul><li>1. Alice → AS: A (plaintext) </li></ul><ul><li>2. AS → Alice: K_A(K_S, K_TGS[A, K_S]) (K_S is the session key; K_TGS[A, K_S] is the ticket to pass to the TGS) </li></ul>At this point, 1) Alice is prompted for a password by the client, and this password is used for generating K_A, so she obtains the session key and the ticket for the TGS; 2) the client overwrites the password; 3) Alice says she wants to use Bob’s services
80. 80. Operation of Kerberos (V4) <ul><li>3. Alice → TGS: K_TGS(A, K_S), B, K_S(t) (the ticket, encrypted under the TGS’s secret key; the name of the server Alice wants; an encrypted timestamp, so that Trudy could not replay the message with a younger timestamp) </li></ul><ul><li>4. TGS → Alice: K_S(B, K_AB), K_B(A, K_AB) (the session key for talking to Bob; the ticket to Bob) </li></ul>Now Alice can start talking to the real-work server, Bob
81. 81. Operation of Kerberos (V4) <ul><li>5. Alice → Bob (the server): K_B(A, K_AB), B, K_AB(t) (the ticket to Bob; an encrypted timestamp) </li></ul><ul><li>6. Bob → Alice: K_AB(t+1) (timestamped proof of Bob’s identity; Trudy could not do that!) </li></ul>Now Alice can work with Bob, but if she needs to change to another real-work server, she just restarts with the request to the TGS (no passwords are ever transmitted)
82. 82. Kerberos Realms Each realm has its own AS, TGS, and servers. One can ask the TGS for a ticket to a server in another realm
83. 83. Authentication with Public Key Cryptography: A Naïve “Solution” … Trudy sends Alice a “challenge” R and asks her to sign it, and Alice returns Pr_A(R). But R may be R = “I, undersigned Alice, owe Trudy $100,000”, or R = an encrypted message from Bob (which Alice has thereby decrypted for Trudy) <ul><li>1. Alice → Trudy: A </li></ul><ul><li>2. Trudy → Alice: R </li></ul><ul><li>3. Alice → Trudy: Pr_A(R) </li></ul>
84. 84. Authentication with Public Key Cryptography <ul><li>1. Alice → PKI Directory: Bob’s public key? </li></ul><ul><li>2. Directory → Alice: E_B </li></ul><ul><li>3. Alice → Bob: E_B(A, R_A) </li></ul><ul><li>4. Bob → Directory: Alice’s public key? </li></ul><ul><li>5. Directory → Bob: E_A </li></ul><ul><li>6. Bob → Alice: E_A(R_A, R_B, K_S) (proof of freshness and of Bob’s identity) </li></ul><ul><li>7. Alice → Bob: K_S(R_B) </li></ul>
85. 85. Communication Security Overview Topics: IPsec/VPNs; firewalls; PGP; S/MIME; DNSsec; TLS/SSL; secure file systems; mobile code security
86. 86. Network Security in the Protocol Stack <ul><li>Physical Layer: prevent wiretapping by enclosing transmission lines in sealed tubes containing argon at high pressure, monitored by an alarm </li></ul><ul><li>Link Layer: nothing needs to be done if it is really point-to-point; otherwise, use link encryption </li></ul><ul><li>Network Layer: firewalls help, with limited success </li></ul><ul><li>Transport Layer: encrypt the whole session </li></ul><ul><li>Session, Presentation, and Application Layers: application-specific protocols </li></ul>
  87. 87. Two Views in the Internet Camp <ul><li>Security must be end-to-end, and for this reason alone must be implemented in the Application Layer (which will make plaintext unavailable to operating systems) </li></ul><ul><li>Problem : Then all applications must be re-written and… how many people really understand security to rewrite them? </li></ul>Security must be implemented in the Network Layer without users ever approaching it! Problem : Even though this view has prevailed, a truly network-layer implementation proved to be impossible, and Internet principles had to be violated.
  88. 88. IP Security Protocol ( IPsec ) <ul><li>IPsec is a framework for multiple </li></ul><ul><li>Services </li></ul><ul><ul><li>confidentiality, integrity, protection from replay—among the major ones </li></ul></ul><ul><li>Algorithms </li></ul><ul><ul><li>to make it algorithm-independent (and there is a Null algorithm ) </li></ul></ul><ul><li>Granularities </li></ul><ul><ul><li>from a single TCP connection to an aggregate </li></ul></ul>IPsec is… connection-oriented!
89. 89. Security Association (SA) <ul><li>An SA is a simplex connection identified by the Security Parameters Index (SPI) carried by all packets </li></ul><ul><li>An SA is needed because </li></ul><ul><ul><li>a key must be used for some period of time—the duration of the connection </li></ul></ul><ul><ul><li>the setup time is amortized over many packets </li></ul></ul>
  90. 90. Establishing an SA <ul><li>This involves </li></ul><ul><ul><li>Authenticating both ends </li></ul></ul><ul><ul><li>Establishing the key </li></ul></ul><ul><ul><li>Agreeing on cryptographic algorithms </li></ul></ul><ul><ul><li>Initializing the sequence number (which will run through the life of the association) </li></ul></ul><ul><ul><li>Establishing SPI </li></ul></ul>
91. 91. Two Parts of IPsec <ul><li>The Internet Security Association and Key Management Protocol (ISAKMP) deals with establishing symmetric keys </li></ul><ul><ul><li>The main protocol is called Internet Key Exchange (IKE). It has problems, and it is being replaced by IKEv2 </li></ul></ul><ul><li>The other part deals with the headers defined for the two modes of IPsec operation </li></ul><ul><ul><li>Transport mode and </li></ul></ul><ul><ul><li>Tunnel mode </li></ul></ul>
92. 92. Transport- and Tunnel Modes <ul><li>Transport mode: [IP header][IPsec header][IP payload]; the IPsec header is reached via the Protocol field of the IP header </li></ul><ul><li>Tunnel mode: [New IP header][IPsec header][the entire original IP packet] </li></ul><ul><li>Useful for </li></ul><ul><li>terminating at other than end-user locations (e.g., firewalls) and </li></ul><ul><li>aggregation to prevent traffic analysis </li></ul>
  93. 93. Two (Historical) Headers <ul><li>The Authentication Header (AH) deals only with integrity checking but not confidentiality; hashed message authentication code (HMAC) integrity check covers only immutable IP fields (not TTL) </li></ul><ul><li>The Encapsulating Security Payload (ESP) supports both HMAC integrity and full confidentiality. In a way, it makes AH superfluous </li></ul>
94. 94. Authentication Header (AH) (IPv4 Transport Mode) (After A. Tanenbaum) Fields of the AH: Next header (stores the value that the IP Protocol field had); Payload length (number of 32-bit words in the AH minus 2); Security Parameters Index (the “virtual circuit number” associated with the shared key); Sequence number (runs for the life of the SA); Authentication data (the payload plus the key, signed, i.e., the HMAC)
95. 95. Encapsulating Security Payload (ESP) Header (After A. Tanenbaum) Shown for transport mode and tunnel mode; the header is laid out in 32-bit words: Security Parameters Index; Sequence Number; then the initialization vector for encryption. The HMAC trails the packet, to help hardware run all bits through before the calculation
96. 96. Virtual Private Networks (VPNs) (After A. Tanenbaum) [Figure: the network before and after the VPN is introduced]
97. 97. Firewalls <ul><li>While IPsec protects the data in transit, it does nothing to keep bad bits out </li></ul><ul><li>Firewalls are supposed to do that. They combine </li></ul><ul><ul><li>An outgoing layer 3 packet filter </li></ul></ul><ul><ul><li>An incoming layer 3 packet filter </li></ul></ul><ul><ul><li>An application gateway to carefully check (wherever possible) application data </li></ul></ul>
  98. 98. Firewalls (cont.)
99. 99. What Firewalls Cannot Do <ul><li>Deal with encrypted traffic or examine and restrict graphic (or video or .wav) content </li></ul><ul><li>Prevent attacks from inside (and this is 70% of all attacks!) </li></ul><ul><li>Prevent Denial of Service (DoS) attacks—especially Distributed DoS, from several different sources </li></ul><ul><li>Interwork well with real-time multimedia services (including VoIP) because of the dynamic port allocation by the Real Time Transport Protocol (RTP) </li></ul>
  100. 100. E-Mail Security <ul><li>There are two systems: </li></ul><ul><li>Pretty Good Privacy (PGP) and </li></ul><ul><li>Secure Multipurpose Internet Mail Extensions (S/MIME) </li></ul>
101. 101. PGP <ul><li>Uses the International Data Encryption Algorithm (IDEA) with 128-bit keys </li></ul><ul><li>Is a one-man (Phil Zimmermann) show </li></ul><ul><li>Has an interesting history (Zimmermann had been investigated for five years for “exporting munitions”) </li></ul><ul><li>Supports text compression, confidentiality, digital signatures </li></ul><ul><li>Provides extensive key management facilities </li></ul><ul><li>Takes plaintext as input and produces a base64-encoded ASCII string as output </li></ul>
  102. 102. How PGP Works (After A. Tanenbaum) Based on random input from Alice
  103. 103. A PGP Message After A. Tanenbaum
  104. 104. S/MIME <ul><li>Is similar to but more structured than PGP </li></ul><ul><li>Uses triple-DES rather than IDEA </li></ul><ul><li>Uses X.509 certification for keys </li></ul><ul><li>Allows multiple trust anchors </li></ul><ul><li>Replaces an earlier IETF standard called Privacy Enhanced Mail (PEM) , which had specified a rigid certification system with one anchor. No one used it. </li></ul>
  105. 105. Web Security Issues <ul><li>Secure Naming </li></ul><ul><li>Secure Connections </li></ul><ul><li>Secure mobile code </li></ul>
106. 106. Secure Naming: Threats [Figure: the client asks its DNS server for www.bob.com; the real address is 36.1.2.3, but the server’s cache has been poisoned with the entry www.bob.com : 42.9.9.9, so the client is directed to 42.9.9.9 instead]
107. 107. Secure DNS (DNSsec) <ul><li>All information sent by a DNS server is signed with the originating zone’s private key (proof of origin) </li></ul><ul><li>Both requests and transactions are authenticated, making spoofing and replay impossible </li></ul><ul><li>DNSsec relies on PKI for key distribution </li></ul>
108. 108. Secure Sockets Layer (SSL) <ul><li>Was first developed in 1995 by Netscape and is now widely used everywhere </li></ul><ul><li>Builds a secure connection between two sockets (application processes’ endpoints) </li></ul><ul><ul><li>Parameter negotiation between client and server </li></ul></ul><ul><ul><li>Mutual authentication </li></ul></ul><ul><ul><li>Confidentiality </li></ul></ul><ul><ul><li>Data integrity protection </li></ul></ul><ul><li>Has evolved into the IETF Transport Layer Security (TLS) standard (which is stronger than SSL but has not yet been deployed) </li></ul>
109. 109. Position of SSL/TLS in the OSI Reference Architecture SSL/TLS forms a new layer between the Application Layer (where HTTPS is simply HTTP run over it; no change to HTTP!) and the Transport Layer; the Session, Presentation, Transport, Network, Link, and Physical Layers are otherwise untouched
110. 110. SSL/TLS Connection Establishment <ul><li>1. Client → Server: SSL version, preferences (cryptographic algorithms, compression), nonce R_Client </li></ul><ul><li>2. Server → Client: SSL version, choices, nonce R_Server </li></ul><ul><li>3. Server → Client: certificate with public key E_Server, X.509 trust chain </li></ul><ul><li>4. Client → Server: E_Server(384-bit pre-master key, randomly chosen) </li></ul><ul><li>Both sides compute the session key K_S(E_Server, R_Client, R_Server) </li></ul><ul><li>5. Client → Server: End </li></ul><ul><li>6. Server → Client: ACK </li></ul>
111. 111. The Rest of the SSL/TLS Session <ul><li>The data stream is broken into units: Unit 1, Unit 2, …, Unit n </li></ul><ul><li>Each unit is compressed (if compression was agreed on) </li></ul><ul><li>An HMAC is added (K_S and the pre-master key are concatenated with the unit, and the result is hashed) </li></ul><ul><li>Everything is encrypted using K_S (the unit now looks like ?#@18*99&^%$) </li></ul><ul><li>A header is added, and then the transport header is attached </li></ul>
112. 112. Mobile Code <ul><li>Java applets, ActiveX controls, and JavaScript present a massive security risk </li></ul><ul><li>How are they handled? </li></ul><ul><ul><li>Sandboxes for untrusted Java applets </li></ul></ul><ul><ul><li>Digital signatures accompanying ActiveX controls. An extremely dangerous technique proven to have a disastrous potential! </li></ul></ul><ul><ul><li>Nothing for JavaScript (which remains very dangerous) </li></ul></ul>
  113. 113. Social Issues <ul><li>Privacy </li></ul><ul><li>Freedom of speech </li></ul><ul><li>Copyright </li></ul><ul><li>Covert communications (steganography) </li></ul><ul><li>Use of steganography to protect copyright </li></ul>
114. 114. Privacy <ul><li>The Fourth Amendment to the US Constitution prohibits searching people’s houses, papers, and effects without a search warrant </li></ul><ul><li>Strong cryptography (like PGP’s) provides privacy to every user, including criminals, spies, and terrorists—so their correspondence cannot be perlustrated even when a search warrant has been issued </li></ul><ul><li>Lawful intercept is an essential self-protection task of every state, however </li></ul><ul><li>Many countries (e.g., France up to 1999) used to forbid encryption unless all cryptographic keys were placed in escrow with their governments </li></ul>
115. 115. E-mail privacy (Anonymous Re-mailers) <ul><li>Initially, the anonymous Type 1 re-mailers kept a trace of correspondents. Consequently, under the order of a court, an anonymous re-mailer had to disclose the true identity of a sender who was sued </li></ul><ul><li>The new re-mailers (cypherpunk re-mailers) are not supposed to keep any trace of anything </li></ul>
116. 116. How Re-mailers Work <ul><li>Alice → S (To: S.address): E_S(To: Bob; Message), encrypted with the re-mailer’s public key E_S </li></ul><ul><li>S decrypts and forwards to Bob: From: Anonym; To: Bob; Message </li></ul>
117. 117. Chaining Re-mailers <ul><li>Alice → S_1 (From: Alice; To: S_1.address): E_1(To: S_2.address; E_2(To: S_3.address; E_3(To: Bob; Message))) </li></ul><ul><li>S_1 → S_2 (To: S_2.address): E_2(To: S_3.address; E_3(To: Bob; Message)) </li></ul><ul><li>S_2 → S_3 (To: S_3.address): E_3(To: Bob; Message) </li></ul><ul><li>S_3 → Bob: From: Anonym; To: Bob; Message </li></ul>Each re-mailer S_i has its own public key E_i and sees only the address of the next hop
  118. 118. Re-mailers Protect Anonymity, but… <ul><li>They aid </li></ul><ul><ul><li>Mail spam and </li></ul></ul><ul><ul><li>Phishing </li></ul></ul>By the way, not only e-mail servers provide anonymity; there are also HTTP anonymizers
119. 119. Freedom of Speech <ul><li>Censorship is its opposite </li></ul><ul><li>Materials that a government may choose to ban from web sites include pornography, hate, manuals for building weapons, etc. </li></ul><ul><li>But a particular server may reside in a country that does not restrict specific materials that are banned by another country </li></ul><ul><li>Since the prosecuting country often has no jurisdiction in such cases, little can be enforced </li></ul><ul><li>The Internet, in general, opposes any censorship </li></ul>
120. 120. Steganography (στεγανω γραφ: covered writing) <ul><li>The color image uses 1024 * 768 picture cells (pixels) </li></ul><ul><li>Each pixel consists of three 8-bit numbers (R G B): {red intensity, green intensity, blue intensity} </li></ul><ul><li>Stealing one bit from each color (7-bit color is practically indistinguishable from 8-bit color), one gets 1024*768*3/8 = 294,912 bytes to store secret information (which can also be compressed and encrypted) </li></ul><ul><li>It is even simpler with black-and-white photography </li></ul>
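An added Python example (not from the slides) of the one-bit-per-channel embedding described above: the cover image is a constructed list of (R, G, B) tuples, a 4-byte length header precedes the payload (this example's own convention), and the slide's capacity formula is checked for 1024 * 768.

```python
def capacity_bytes(width: int, height: int) -> int:
    """One stolen bit per colour channel: width*height*3 bits = width*height*3/8 bytes."""
    return width * height * 3 // 8


def make_cover(width: int, height: int):
    """A constructed cover image (a deterministic gradient) as a list of (R, G, B) tuples."""
    return [((x * 7) % 256, (y * 3) % 256, (x + y) % 256)
            for y in range(height) for x in range(width)]


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(pixels, payload: bytes):
    """Hide payload in the least significant bit of every colour channel.
    A 4-byte big-endian length header is embedded first so extract() knows where to stop.
    Returns a new pixel list; every channel value changes by at most 1."""
    message = len(payload).to_bytes(4, "big") + payload
    if len(message) * 8 > len(pixels) * 3:
        raise ValueError("payload exceeds the cover's LSB capacity")
    bits = _bits(message)
    stego = []
    for pixel in pixels:
        new_pixel = []
        for channel in pixel:
            bit = next(bits, None)  # None once the whole message has been written
            new_pixel.append(channel if bit is None else (channel & 0xFE) | bit)
        stego.append(tuple(new_pixel))
    return stego


def _read_bytes(channels, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs of successive channel values."""
    out = bytearray()
    for _ in range(count):
        value = 0
        for _ in range(8):
            value = (value << 1) | (next(channels) & 1)
        out.append(value)
    return bytes(out)


def extract(pixels) -> bytes:
    """Read the LSBs back: first the length header, then that many payload bytes.
    An image without an embedded header yields a length that cannot fit, so we reject it."""
    channels = (c for p in pixels for c in p)
    length = int.from_bytes(_read_bytes(channels, 4), "big")
    if 32 + length * 8 > len(pixels) * 3:
        raise ValueError("length header does not fit the image: no embedded payload")
    return _read_bytes(channels, length)


def max_channel_change(cover, stego) -> int:
    """Largest per-channel difference between cover and stego image (never more than 1)."""
    return max(abs(a - b) for p, q in zip(cover, stego) for a, b in zip(p, q))


if __name__ == "__main__":
    print("capacity of a 1024x768 image:", capacity_bytes(1024, 768), "bytes")  # 294912
    cover = make_cover(32, 32)
    secret = b"an excerpt from a draft of Master and Margarita"
    stego = embed(cover, secret)
    print("recovered:", extract(stego))
    print("largest channel change:", max_channel_change(cover, stego))
```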
121. 121. Steganography <ul><li>http://www.jjtc.com/Security/stegtools.htm </li></ul><ul><li>http://www.spychecker.com/program/stools.html </li></ul><ul><li>Using S-tools (Steganography tools for Windows) by A. Brown </li></ul>Steganography also works with digital audio (e.g., .wav) files
  122. 122. Steganography Demo M. A. Bulgakov M. A. Bulgakov and an excerpt from a draft of “Master and Margarita”
123. 123. Copyright <ul><li>Copyright is the granting to the creators of intellectual property—writers, artists, composers, etc.—of the exclusive right to exploit it </li></ul><ul><li>Many on the Internet have been violating copyright by making copyrighted material available to others </li></ul><ul><li>Lawmakers, lawyers, and various industries are very busy balancing the economic interests of copyright owners and the public </li></ul><ul><li>Steganography provides an excellent watermarking tool that allows prosecution of certain violations (e.g., plagiarism) to be enforced </li></ul>
124. 124. Limited Bibliography <ul><li>K. H. Rosen, Elementary Number Theory and Its Applications, 3rd Edition, Addison Wesley, 1993 </li></ul><ul><li>A. Tanenbaum, Computer Networks, 4th Edition, Prentice Hall, 2003 </li></ul><ul><li>C. Kaufman, R. Perlman, and M. Speciner, Network Security, 2nd Edition, Prentice Hall, 2003 </li></ul><ul><li>www.ietf.org </li></ul><ul><li>www.itu.int (Go to the SG 17 site for security; SG 13 and FG NGN, for NGN) </li></ul><ul><li>www.iso.org (Look for ISO/IEC JTC1 SC 27) </li></ul>