Uploaded bySofoklisEfremidisAIT
139 views

Security fundamentals

The document discusses security fundamentals and classical ciphers. It defines computer and network security, and lists common security problems. It then covers security goals like authentication, access control, confidentiality and integrity. It discusses security services, mechanisms, and attacks. Finally, it provides examples of classical ciphers like the Shift Cipher, Substitution Cipher, Vigenere Cipher, Vernam Cipher, and Transposition Ciphers. It explains how to analyze and break some of these classical ciphers.

Technology
Related topics:
Computer Security

Embed presentation

Download to read offline
1 / 239
2 / 239
3 / 239
4 / 239
5 / 239
6 / 239
7 / 239
8 / 239
9 / 239
10 / 239
11 / 239
12 / 239
13 / 239
14 / 239
15 / 239
16 / 239
17 / 239
18 / 239
19 / 239
20 / 239
21 / 239
22 / 239
23 / 239
24 / 239
25 / 239
26 / 239
27 / 239
28 / 239
29 / 239
30 / 239
31 / 239
32 / 239
33 / 239
34 / 239
35 / 239
36 / 239
37 / 239
38 / 239
39 / 239
40 / 239
41 / 239
42 / 239
43 / 239
44 / 239
45 / 239
46 / 239
47 / 239
48 / 239
49 / 239
50 / 239
51 / 239
52 / 239
53 / 239
54 / 239
55 / 239
56 / 239
57 / 239
58 / 239
59 / 239
60 / 239
61 / 239
62 / 239
63 / 239
64 / 239
65 / 239
66 / 239
67 / 239
68 / 239
69 / 239
70 / 239
71 / 239
72 / 239
73 / 239
74 / 239
75 / 239
76 / 239
77 / 239
78 / 239
79 / 239
80 / 239
81 / 239
82 / 239
83 / 239
84 / 239
85 / 239
86 / 239
87 / 239
88 / 239
89 / 239
90 / 239
91 / 239
92 / 239
93 / 239
94 / 239
95 / 239
96 / 239
97 / 239
98 / 239
99 / 239
100 / 239
101 / 239
102 / 239
103 / 239
104 / 239
105 / 239
106 / 239
107 / 239
108 / 239
109 / 239
110 / 239
111 / 239
112 / 239
113 / 239
114 / 239
115 / 239
116 / 239
117 / 239
118 / 239
119 / 239
120 / 239
121 / 239
122 / 239
123 / 239
124 / 239
125 / 239
126 / 239
127 / 239
128 / 239
129 / 239
130 / 239
131 / 239
132 / 239
133 / 239
134 / 239
135 / 239
136 / 239
137 / 239
138 / 239
139 / 239
140 / 239
141 / 239
142 / 239
143 / 239
144 / 239
145 / 239
146 / 239
147 / 239
148 / 239
149 / 239
150 / 239
151 / 239
152 / 239
153 / 239
154 / 239
155 / 239
156 / 239
157 / 239
158 / 239
159 / 239
160 / 239
161 / 239
162 / 239
163 / 239
164 / 239
165 / 239
166 / 239
167 / 239
168 / 239
169 / 239
170 / 239
171 / 239
172 / 239
173 / 239
174 / 239
175 / 239
176 / 239
177 / 239
178 / 239
179 / 239
180 / 239
181 / 239
182 / 239
183 / 239
184 / 239
185 / 239
186 / 239
187 / 239
188 / 239
189 / 239
190 / 239
191 / 239
192 / 239
193 / 239
194 / 239
195 / 239
196 / 239
197 / 239
198 / 239
199 / 239
200 / 239
201 / 239
202 / 239
203 / 239
204 / 239
205 / 239
206 / 239
207 / 239
208 / 239
209 / 239
210 / 239
211 / 239
212 / 239
213 / 239
214 / 239
215 / 239
216 / 239
217 / 239
218 / 239
219 / 239
220 / 239
221 / 239
222 / 239
223 / 239
224 / 239
225 / 239
226 / 239
227 / 239
228 / 239
229 / 239
230 / 239
231 / 239
232 / 239
233 / 239
234 / 239
235 / 239
236 / 239
237 / 239
238 / 239
239 / 239
5: Security Fundamentals
Computer and Network Security • Computer Security: generic name for the collection of tools designed to protect data and to thwart hackers • Network Security: measures to protect data during their transmission over a collection of interconnected networks
Sample of Security Problems • How do I know with whom I am communicating? • Can data be manipulated? • Can data be read by unauthorized individuals? • How can actions be carried out in a binding way? • And so on… Internet
Security Goals • Derived requirements – Authentication: Who is who? – Access control: Only selective access is authorized Confidentiality Integrity Availability
Services, Mechanisms, Attacks • To assess the security needs of a system and choose appropriate policies, one needs a systematic way to define the requirements for security • One approach is to consider three aspects of information security: – security attacks – security mechanisms – security services
Security Services • Enhance the security of systems and the information transfers between them. It is intended to – counter security attacks – make use of one or more security mechanisms to provide the service – replicate functions normally associated with physical documents • E.g. have signatures, dates; need protection from disclosure, tampering, or destruction; be notarized or witnessed; Be recorded or licensed • These functions must be performed on electronic documents as well
Security Services • Confidentiality – protection from passive attacks • Authentication – you are who you say you are • Integrity – received as sent, no modifications, insertions, shuffling or replays • Nonrepudiation – can’t deny a message was sent or received • Access Control – ability to limit and control access to host systems and apps • Availability – attacks affecting loss or reduction on availability
Security Mechanisms • A mechanism that is designed to detect, prevent, or recover from a security attack – No single mechanism that will support all functions required – However one particular element underlies many of the security mechanisms in use: cryptographic techniques – Our focus… • Specific security mechanisms: – Encryption, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control…
Security Attacks • Any action that compromises the security of information – Information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems • Example of attacks – Unauthorized access, – Impersonation – Claim to have received or sent information that was not sent – Modify information – Prevent communications – Insert self into a communications link – etc…
Security Attacks • Normal flow Information Source Information Destination
Security Attacks • Attack on availability Information Source Information Destination Interruption
Security Attacks • Attack on confidentiality Information Source Information Destination Interception
Security Attacks • Attack on integrity Information Source Information Destination Modification
Security Attacks • Attack on Authenticity Information Source Information Destination Fabrication
Security Attack Classification • Eavesdropping, monitoring of transmissions Passive Attacks Release of message contents Traffic Analysis
Security Attack Classification • Some modification of the data stream Active Attacks Masquerade Denial of Service Replay Modification of Message contents
Kerckhoffs’ Principle • Kerckhoffs defined a list of requirements for the design of cryptosystems (1883) that remains, for the most part, useful today 1. The system should be, if not theoretically unbreakable, unbreakable in practice; 2. Compromise of the system details should not inconvenience the correspondents; 3. The key should be rememberable without notes and easily changed; 4. The cryptogram should be transmissible by telegraph; 5. The encryption apparatus should be portable and operable by a single person; and 6. The system should be easy, requiring neither the knowledge of a long list of rules nor mental strain.
Symmetric Encryption • Also known as private-key • Sender and recipient share a common key • All classical encryption algorithms are private-key • Was only type prior to invention of public-key in 1970’s
Terminology • Plaintext - the original message • Ciphertext - the encrypted message • Key - information used in cipher known only to sender/receiver • Encrypt - converting plaintext to ciphertext • Decrypt - recovering ciphertext from plaintext • Cryptosystem: An encryption/decryption algorithm plus the description of the format of messages and keys. It consists of the following: – A plaintext message space – A ciphertext message space – A set of possible encryption/decryption keys – An efficient key generation algorithm – Efficient encryption/decryption algorithms
Ciphers • A cipher is a means of transforming plaintext into ciphertext under the control of a secret key • We write c = Ek(m), where – m is the plaintext – E is the encryption function – k is the secret key – c is the ciphertext produced • Decryption is denoted by m = Dk(c) • According to Kerchoffs principle both E and D should be public. – The secrecy of m given c depends totally on the secrecy of k.
Attacks on Encryption Schemes • A ciphertext-only attack is one where the adversary tries to deduce the decryption key or plaintext by only observing ciphertext (almost never true). – Any encryption scheme vulnerable to this type of attack is considered to be completely insecure. • A known-plaintext attack is one where the adversary has a quantity of plaintext and corresponding ciphertext. – Sometimes there are messages which are easy to predict • “I’m away on vacations” e-mail auto-responders – Press releases of embassies – Protocols have standard headers that must be encrypted as well.
Attacks on Encryption Schemes • A chosen-plaintext attack is one where the adversary chooses plaintext and is then given corresponding ciphertext. – There is a large number of cryptographic protocols in which the attacker prepares the data to be encrypted… • A chosen-ciphertext (and plaintext) attack is one where the adversary selects the ciphertext and is then given the corresponding plaintext. – Adversary gains access to decryption equipment. • Distinguishing attacks – Do not recover the message but reveal some partial information about the message. • Birthday attacks – Named after the “Birthday paradox”.
Brute Force Attack • Always possible to simply try every key – Most basic attack, proportional to key size – The number of keys must be large to prevent exhaustive search
Security Level • Any system built today really needs a 128-bit security level. – This means that any attack will require at least 2128 steps. • A new designed system will likely be in operation 30 years from now and should provide at least 20 years of confidentiality of data. – We should aim to provide security for the next 50 years! • Lenstra and Verheul in “Selecting Cryptographic Key Sizes” suggest the use of 110 bits. – No cryptographic primitives exist with 110-bit keys, so 128 bits is preferred…
Lenstra—Verheul Recommendations • Analysis based on 4 assumptions – 5×105 MIPS Years (MY) was an adequate security margin for commercial applications up to 1982. • This number was derived from the assumption that DES was sufficient for such applications in 1982 • 1MY = 1 year of computation on a VAX 11/780 = 20 hours on a 450MHz PII • 5×105 MY = 14000 months on a 450MHz PII = 2 months on 7000 such processors – The amount of computing power and RAM one gets for a dollar doubles every 18 months. • Every 10 years one expects about 210×(12/18) more power and RAM
Lenstra—Verheul Recommendations • The budgets of organizations (attackers) doubles every 10 years • The computational effort required to break hard cryptographic problems halves every 18 months. Example • If 5×105MY was infeasible in 1982 then • … 100 × 2 × (5×105MY) = 108 infeasible in 1992 • … 100 × 2 × (108MY) = 2 × 1010 infeasible in 2002 • … 100 × 2 × (2 × 1010MY) = 4 × 1012 infeasible in 2012 • … 100 × 2 × (4 × 1012MY) = 8 × 1014 infeasible in 2022
Lenstra—Verheul Recommendations Year |n| or |p| Year |n| or |p| Year |n| or |p| Year |n| or |p| 2000 70 2010 78 2020 86 2030 93 2001 71 2011 79 2021 86 2031 94 2002 72 2012 80 2022 87 2032 95 2003 73 2013 80 2023 88 2033 96 2004 73 2014 81 2024 889 2034 96 2005 74 2015 82 2025 89 2035 97 2006 75 2016 83 2026 90 2036 98 2007 76 2017 83 2027 91 2037 99 2008 76 2018 84 2028 92 2038 99 2009 77 2019 85 2029 93 2039 100
Unconditional Security • Unconditional security – No matter how much computer power is available, the cipher cannot be broken since the ciphertext provides insufficient information to uniquely determine the corresponding plaintext – Very “expensive”, as the length of the key must be as long as the data to be encrypted. – One time pad. • For unconditional security we place no bound on the computational power of the adversary. – In other words a system is unconditionally secure if it cannot be broken even with infinite computing power. – Other names for unconditionally secure are: Perfectly secure, Information Theoretically Secure
Computational Security • Computational security – Given limited computing resources (e.g., time needed for calculations is greater than age of universe and/or the computers used are more than the atoms in the universe), the cipher cannot be broken. – Works with adversaries of limited computational power. – If adversary works harder, she can learn more, but any feasible amount of effort should not reveal any noticeable information! • Breaking the system is reduced to solving some well studied hard problem.
CLASSICAL CIPHERS
Computational Security • When considering schemes which are computationally secure – We need to be careful about the key sizes – We need to keep ahead of algorithmic developments – At some point in the future we should expect our system to become broken (may be many millennia though). – Most schemes in use today are computationally secure. • Examples – The following are not computationally secure: Caesar cipher, Substitution cipher, Vigenere cipher – The following are computationally secure but not unconditionally secure: DES – AES, RSA – One time pad is unconditionally secure if used correctly.
Classical Ciphers • Classical ciphers are divided into two main categories: – Substitution ciphers • The encryption algorithm Ek(m) is a substitution function which replaces each message m with a corresponding ciphertext c. • The encryption function is parameterized by the secret key k. • The decryption algorithm is the reverse process – Transposition ciphers • Transform a message by rearranging the positions of the elements in the message without changing the identities of the elements in the message. • The importance of classic cipher techniques is illustrated by their use in modern ciphers.
Shift Ciphers • Each letter is identified with a number A = 0, B = 1, C = 2, …, Z = 25 – The key k (or the shift) is a number in the range 0-25 • Encryption is addition of k onto each letter modulo 26. – Julius Caesar used the key k = 3. – Example CRYPTOGRAPHY → FYBSWRJYDSKB
Shift Cipher • Break by using statistical occurrence of letters
Substitution Cipher • The problem with the Shift cipher is that the number of keys is too small. – How many keys? • One way to strengthen the cipher is to permute the letters of the alphabet. – Encryption involves replacing each letter by its permuted version. – Decryption involves use of the inverse permutation. – Example A B C D E F G H I J K L M N O P Q R S T U V W X Y Z L U N I M X K Y F G T S J P W C E Z V Q R A D O B H • The key space for this cipher has size 26! > 4 x 1026 ≈ 288 – This is far too large a number to brute force search using modern computers. • Is this safe to use?
• Break by using – Frequency of letter occurrence – Frequency of bigrams • QY(4.57), MP(2.80), QW(2.65), LP(2.51), JM(2.21), MV(2.21)
Language redundancy and Cryptanalysis • We were able to tackle the previous ciphers because human languages are redundant – W dnt actly nd ll lttrs t ndrstnd nglsh txt – Here vowels were removed, but they’re not the only redundancy. – In “party conversations”, we can hear one person speaking out of hubbub of many, again because of redundancy in aural language also. – This redundancy is also the reason we can compress text files – Basic idea is to count the relative frequencies of letters, and note the resulting pattern. • Key concept - monoalphabetic substitution ciphers do not change relative letter frequencies
Polyalphabetic Ciphers • A substitution cipher is called polyalphabetic if a plaintext message may be substituted into more than one ciphertexts – This attempts to reduce the “spikyness” of natural language texts – Makes cryptanalysis harder with more alphabets to guess and flattens frequency distribution • The most famous cipher is the Vigenere Cipher (16th century), believed to be unbreakable for a number of years. – Effectively multiple Caesar ciphers – The ith letter of the key specifies ith alphabet to use – Use each alphabet in turn – Repeat from start after d letters in message, where d is key length – Decryption simply works in reverse
Security of Vigenère Cipher • In general, letter frequencies are obscured but not totally lost – So, Vigenere is still “easy” to break. • Once we have found the length of the key then breaking the message is the same as breaking the Shift Cipher a number of times. – If the keyword length is d, the cipher consists of d shift ciphers – So the elements in positions 1, d+1, 2d+1, etc. are encrypted with the same letter. – Thus we can use the known frequency characteristics to attack each of the mono-alphabetic ciphers separately. – In general the approach is to find a number of duplicated sequences, collect all their distances apart, look for common factors.
Vernam Cipher (One-Time- Pad) • Extension of Vigenere cipher. – Key is as long as the message. • Is unbreakable since ciphertext bears no statistical relationship to the plaintext – For any plaintext and any ciphertext there exists a key mapping one to other – Called a One-Time pad, since key can only be used once! • Example – key: kdiwhapwi diewsgewk – plaintext: attacknow howareyou – ciphertext: lxcxkldlf lxcxkldlf
Key Distribution • One time pad is perfectly secure if used only once and key is random. – Perfect secrecy : length of key is at least length of plaintext. • If this is a perfect cipher why look for more? – Making random keys is not an easy task especially if you have to generate zillions of characters to encode traffic. – Even greater problem is key distribution and protection. For every message to be sent, a key of equal length must be used by sender and receiver… • Aim of modern cryptography is to design systems where – One key can be used many times. – One small key can encrypt a long message. – Such systems will not be unconditionally secure, but should be at least computationally secure.
Transposition Ciphers • Transposition Ciphers form the second basic building block of ciphers – These hide the message by rearranging the letter order without altering the actual letters used – Must be very careful how to do this in order to avoid easy cryptanalysis…
Product Ciphers • Ciphers using substitutions or transpositions are not secure because of language characteristics • Consider using several ciphers in succession to make harder: – Two substitutions make a more complex substitution – Two transpositions make more complex transposition – But a substitution followed by a transposition makes a new much harder cipher • This is bridge from classical to modern ciphers – Substitution and transposition are still the most important kernel techniques in the construction of modern symmetric encryption algorithms.
Usefulness of Classical Ciphers • Classical ciphers, even simple substitution ones, can be secure in a very strong sense if the use of keys follows certain conditions – With proper key usage, such ciphers are widely used in cryptographic protocols. • Example: – Using a shift cipher we’ll construct a Zero-Knowledge-proof protocol that allows Alice to prove to Bob that she knows a secret without revealing that secret to Bob. • The secret may be a cryptographic credential proving her identity or entitlement to a service. • The protocol will show how Alice can use the credential without Bob know anything about it…
Usefulness of Classical Ciphers • Assumptions – We have again a magic function f that is easy to compute and difficult to invert. – This function is also Homomorphic, i.e., f(x1+x2) = f(x1) ⋅ f(x2)
MODERN BLOCK CIPHERS
Modern Block Ciphers • Block ciphers are used widely in the design of protocols for symmetric key cryptography. – Provide secrecy and/or authentication services. – They are the main “technology” we have in our disposal. – We continue to use block ciphers because they are comparatively fast, and because we know a fair amount about how to design them
Modern Block Ciphers • Ciphers are just tools! – They don’t, by themselves, do anything that any end user would care about. As with any tool, one must learn how to use it… – We’ll give emphasis in their correct use and not how to design them…
Stream Ciphers • A stream cipher process messages a bit or byte at a time. – Basic idea: replace the random key in one time pad by a pseudorandom sequence, generated by a cryptographic pseudo- random generator that is ‘seeded’ with the key. – Properties • Short key, but only practical security. • Encryption in small quantities (bit/byte). • No error propagation. • Very fast. K Pseudo-random sequence 11010010100001010010101...
Stream Cipher Properties • Design considerations are: – Long period with no repetitions – Statistically random – Depends on large enough key • Key must be large to defend against brute force attacks – Must provide confusion and diffusion
Stream vs. Block Ciphers • Block ciphers work on a block at a time, each of which is then encrypted/decrypted – Typically blocks have length 64 or 128 bits. – They have a substitution-permutation network structure. – Operate like a substitution on very big characters (64- bits or more) • Many current ciphers are block ciphers, hence our focus
Block CIphers • A block cipher is a function E: {0, 1}k × {0,1}L→ {0,1}L that takes two inputs, a k-bit key K and an L-bit plaintext M, to return an L-bit encryption C = E(K, M) – A block cipher is a permutation on l-bit strings, which means that there exists an inverse function denoted by EK -1 or D . – Hence EK -1 (EK(M)) = M and EK(EK -1 (C)) = C – The block cipher is a public and fully specified algorithm – Security lies on the secrecy of the key, so key recovery by an adversary should be a difficult problem. EM K C
Block Cipher Principles • Most symmetric block ciphers are based on a Feistel Cipher Structure • Partitions input block into two halves. Then process through multiple rounds which – Perform a substitution on left data half based on round function of right half & sub-key – Then have permutation swapping halves • This mechanism implements Shannon’s concepts of diffusion and confusion. Li-1 Ri-1 Li Ri f K
Confusion and Diffusion • The cipher must hide statistical properties of original message, just like the one-time pad. – The mechanism of diffusion seeks to make the statistical relationship between the plaintext and ciphertext as complex as possible in order to thwart attempts to deduce the key. – Confusion seeks to make the relationship between the statistics of the ciphertext and the value of the encryption key as complex as possible, again to thwart attempts to discover the key. • Diffusion and confusion capture the essence of the desired attributes of block ciphers – They have become the cornerstone of modern block cipher design.
Data Encryption Standard (DES) • The most widely used block cipher in the world. Even though it is now feeling its age, no discussion on block ciphers should omit its construction. – Remarkably well engineered algorithm. – Has widespread use. Every time you use an ATM machine, you are using DES. – DES has key length k = 56 bits and block length L = 64 bits. • Adopted in 1977 by NBS (now NIST) as FIPS PUB 46 – Proved remarkably secure – There has been concerns about exhaustive-key search but for a fair amount time 56 bits was good enough against all but very well founded organizations. – Interesting attacks emerged only in the 90’s but even so they don’t really break DES.
DES Design Controversy • In 1973 NBS issued request for proposals for a national cipher standard. – IBM developed Lucifer cipher by team led by Feistel – Used 64-bit data blocks with 128-bit key – Then redeveloped as a commercial cipher with input from NSA and others • There was considerable controversy over design – In choice of 56-bit key (vs. Lucifer 128-bit) and because design criteria were classified – Afraid of hidden trapdoor – Subsequent events and public analysis show in fact design was appropriate
DES Round Structure • Uses two 32-bit L & R halves. As for any Feistel cipher can describe as: Li = Ri–1 Ri = Li–1 ⊕ F(Ri–1, Ki) • It takes 32-bit R half and 48-bit subkey and: – Expands R to 48-bits using permutation E – Adds to subkey – Passes through 8 S-boxes to get 32-bit result – Finally permutes this using 32- bit permutation P – S-boxes provide the “confusion” of data and key values, whilst the permutation P then spreads this as widely as possible, giving “diffusion”.
Structure of round - detail
Substitution Boxes S • There are eight S-boxes which map 6 to 4 bits – Outer bits 1 & 6 (row bits) select one rows – Inner bits 2-5 (column bits) are substituted – Result is 8 tuples of 4 bits, or 32 bits – Row selection depends on both data & key • Each S-box is a non-linear permutation function, which provides the non-linearity needed in message distribution.
S-boxes of DES
Avalanche Effect • This is a desirable property of every encryption algorithm. – Change of one input or key bit results in changing approximately half output bits • If the change were small, this might provide a way to reduce the search space. • DES exhibits strong avalanche
Strength of DES – Key Size • 56-bit keys have 256 = 7.2 x 1016 values • Brute force search looks hard although recent advances have shown is possible – In 1997 on Internet in a few months – In July 1998, the Electronic Frontier Foundation (EFF) announced that it had broken a DES encryption using a special-purpose “DES cracker” machine that was built for less than $250,000. The attack took less than three days. – In 1999 above combined in 22hrs! • Now considering alternatives to DES with a higher key space (AES) • Moore’s law: – Computing power doubles every 18 months. – After 21 years the effective key size is reduced by 14 bits. – Long term: key length and block length of 128 bits.
Strength of DES – Timing Attacks • Attacks actual implementation of cipher – Use knowledge of consequences of implementation to derive knowledge of some/all subkey bits – Specifically use fact that calculations can take varying times depending on the value of the inputs to it • Particularly problematic on smartcards
Strength of DES – Analytic Attacks • Now have several analytic attacks on DES • These utilise some deep structure of the cipher – By gathering information about encryptions can eventually recover some/all of the sub-key bits – If necessary then exhaustively search for the rest • Generally these are statistical attacks. They include – Differential cryptanalysis – Linear cryptanalysis – Related key attacks
Differential Cryptanalysis • One of the most significant recent (public) advances in cryptanalysis – However, known by NSA in 70’s cf . DES design • Murphy, Biham & Shamir published 1990 a powerful method to analyse block ciphers – They show Differential Cryptanalysis can successfully cryptanalyse DES with an effort on the order of 247, requiring 247 chosen plaintexts. • DES reasonably resistant to it, cf Lucifer – Differential cryptanalysis was known to the IBM DES design team as early as 1974, and influenced the design of the S-boxes and the permutation P. – Compare with cryptanalysis of an eight-round LUCIFER algorithm requires only 256 chosen plaintexts, whereas an attack on an eightround version of DES requires 214 chosen plaintexts.
Differential Cryptanalysis • Differential Cryptanalysis compares two related pairs of encryptions with a known difference in the input searching for a known difference in output when same subkeys are used – Have some input difference giving some output difference with probability p – If find instances of some higher probability input / output difference pairs occurring, can infer subkey that was used in round – Then must iterate process over many rounds (with decreasing probabilities) • The attack is performed by repeatedly encrypting plaintext pairs with known input XOR until obtain desired output XOR • Can then deduce keys values for the rounds
Linear Cryptanalysis • Another recent development which is also a statistical method – Developed by Matsui et al in early 90's – Based on finding linear approximations • Can attack DES with 247 known plaintexts, still in practice infeasible • Still brute force attack remains the main attack of DES.
Double DES • Given the potential vulnerability of DES to exhaustive search, alternatives have been proposed. – One such alternative is to use multiple encryptions with DES and multiple keys. – This gives rise to 2-DES Not safe due to a Meet-in- the-middle attack. Given pair (P, C) form 2 tables. Then check for a match. EM K1 CE K2 EK1(M) EK2(M) EK3(M) … EK56(M) DK1(C) DK2(C) DK3(C) … DK56(C)
Triple-DES with Two-Keys • To withstand the meet-in-the-middle attack one can use 2 stages of encryption with 3 different keys. • One alternative is to use 2 keys with E-D-E sequence (also known as EDE DES) – C = EK1[DK2[EK1[P]]] – Encrypt & decrypt equivalent in security – What is the significance of using D in the middle?? • No current known practical attacks – The cost of exhaustive key search is of the order 2112
AES • January 1997: NIST call for algorithms to replace DES. – Block cipher: 128-bit blocks, 128/192/256- bit keys. – Strength 3-DES, efficiency much higher. • Designers give up all intellectual rights. • Open process: public comments, international submissions. – Website: http://www.nist.gov/aes/
MODES OF OPERATION
Modes of Operation • DES (or any block cipher) forms a basic building block, which encrypts a fixed sized block of data (of length L). – Typically the block size is 64 or 128 bits. – To use these in practice, we need to handle arbitrary amounts of data. – To do that we use a block cipher in some mode of operation. • We will describe three of them that exhibit different kinds of features. – Electronic Code-Book (ECB) – Cipher Block Chaining (CBC) – Counter (CTR) – In all cases the input string is a multiple of block length. If not padding is used (padding, however, introduces security risks). Message L bits L bits L bits …
Electronic Code Book (ECB) • The message is broken into blocks which are encoded independently of the other blocks. Encrypt (<m1,m2,…,mn>) for i=1 to n do ci = EK(mi) return (<c1,c2,…,cn>) Decrypt (<c1,c2,…,cn>) for i=1 to n do mi = EK -1(ci) return (<m1,m2,…,mn>) EKm1 c1 EKm2 c2 EKmn cn . . . . . .
Limitations of ECB • The mode is deterministic. Hence repetitions in message may show in ciphertext – Weakness due to encrypted message blocks being independent – Furthermore blocks can be shuffled/inserted without affecting the en/decryption of each block. • Main use is when only a single block of info needs to be sent (e.g. a session key encrypted using a master key).
Cipher Block Chaining (CBC) • Message is broken into blocks but these are linked together in the encryption operation. – Each previous cipher block is chained with current plaintext block, hence name – Attempts to make the ciphertext depend on all blocks before it. • To start the process, use an Initial Value (IV), which is usually random. • CBC mode is applicable whenever large amounts of data need to be sent securely, provided that it’s available in advance (e.g., email, FTP, web, etc.) – Uses: bulk data encryption, authentication
Cipher Block Chaining (CBC) Encrypt (<m1,m2,…,mn>) Let IV =R {0,1}L for i=1 to n do ci = EK(mi ⊕ ci-1) return (<IV, c1,c2,…,cn>) Decrypt (<c0,c1,c2,…,cn>) for i=1 to n do mi = EK -1(ci) ⊕ ci-1 return (<m1,m2,…,mn>) EKm1 c1 EKm2 c2 EKmn cn . . . . . . IV c0
Advantages and Limitations of CBC • Each ciphertext block depends on all message blocks – A change in the message affects all ciphertext blocks after the change as well as the original block • Need Initial Value (IV) known to sender & receiver – If IV is sent in the clear, an attacker can change bits of the first block, and change IV to compensate – Hence it must be sent encrypted in ECB mode before rest of message or use a synchronized counter. • At end of message, handle possible last short block using padding – This however poses a security risk • A misconception is that this mode provides protection against unauthorized data modification such as deletion and insertion because blocks are chained together. – This is not so!
Counter (CTR) • Counter mode uses an auxiliary value (IV) which is an integer in the range 0...2L-1. – In the following addition is done modulo 2L Encrypt (<m1,m2,…,mn>) Let IV =R {0,1}L for i=1 to n do ci = EK(IV+i)⊕ mi return (<IV, c1,c2,…,cn>) Decrypt (<c0,c1,c2,…,cn>) for i=1 to n do mi = EK(IV+i) ⊕ ci return (<m1,m2,…,mn>) EKIV+1 c1 EK c2 EK cn . . . . . . IV c0 m1 m2 mn IV+2 IV+n
Advantages and Limitations of CTR • Efficiency – Can do parallel encryptions – In advance of need • Provides random access to encrypted data blocks • Provable security (good as other modes) – Must ensure never reuse key/counter values, otherwise could break • Uses: high-speed network encryptions
SECURITY MODELS
A Vulnerable Environment • A large network of computers such as the Internet is typically open. – Anyone (a computer, a device, a person, an organization) can join and start sending/receiving messages without the need for an authorization. – In such an open environment there may exist bad guys who will do all sort of bad things (eavesdropping, altering, forging, rerouting, deleting or injecting messages). – Our active attacker is Eve. Cartoon by Peter Steiner. The New Yorker, July 5, 1993
A Vulnerable Environment • In such an environment Eve can manipulate communications – Her manipulation techniques are unpredictable • May represent a coalition of bad guys, thus she can control a large number of network nodes geographically apart. – In anticipation of such a vulnerable environment, Dolev and Yao (1981) proposed a threat model that has become a standard
The Dolev-Yao threat model • In the Dolev-Yao threat model – Eve can obtain any message passing through the network – Eve is a legit user of the network and thus can initiate and participate in a conversation with any other user – Eve can become the receiver of messages – Eve can send messages to anybody through impersonation – Any message sent is considered to be available to Eve – Any message received is considered to have been through Eve.
The Dolev-Yao threat model Eve is considered to have complete control of the entire network. In fact we should think of the open network as Eve. Eve
Vulnerability of communications • Since Eve can inject or forge messages, she will try to fool the receivers about the origin of messages. – To use such a vulnerable communication medium in a secure manner, protection against eavesdropping is inadequate. – We need mechanisms which can enable a message receiver to verify that • A message has come from the claimed source • A message has not been altered during transmission
Vulnerability of communications • Data Integrity is the security service that protects/warns against unauthorized modification of messages. – Is closely related to error-detection codes in communications • Working Principle: A transmitter of the message creates a “check value” that appends to the message.
Authenticity vs. privacy • In many settings, security requires that communicated data has not been altered during transmission • Examples – An online stock broker responds to a quote request by sending the value of a certain stock. • If the value is changed during transmission by an adversary, this may lead to a bad financial decision. – Data obtained from a database; its value lies in its authenticity as vouched by the service provider. – Transmit data of only two kinds: buy/sell or fire/don’t fire. • If the value is encoded in a single bit and the adversary manages to flip that bit, the wrong action will be taken. – Electronic transfer of amounts: changing 100€ to 1000000€.
Authenticity vs. Privacy Authenticity of data transmitted across a network can be even more important to security than privacy of data.
Is encryption the right tool? • The authentication problem is very different from the encryption problem. – We are not worried about secrecy of data; let the data be in the clear. – We are worried about the adversary modifying it.
Is encryption the right tool? • Consider the following method for providing integrity – Fix a symmetric encryption scheme and let Alice and Bob share a key K for this scheme. – When Alice wants to send a message m to Bob, she encrypts it and transfers the ciphertext c = EK(m). Similarly, Bob decrypts it to obtain m. • Alice uses this scheme to transfer 1000€ from her account. • If the message is sent in the clear, Eve can modify it. • But if the message is encrypted, how can Eve modify it without knowing the key K? • Privacy appears to make tampering difficult… – How good is this scheme for data integrity?
NO!!! • The previous argument is fallacious. – Recall CCA2 attacks last time – Even if we do not know the value of the original bit, damage may be caused by flipping it to opposite value. • One should recognize the disparity of goals. – There is no reason to expect encryption to provide integrity. – However, there are many places (even in literature) where encryption and authentication are confused. – There is no reason to expect a tool to solve a problem it was not designed to solve. Encryption does NOT provide Data Integrity
DATA INTEGRITY
Data integrity methods • Manipulation Detection Codes (MDC). – Based on the use of hash functions • Message Authentication Codes (MAC). – (Mainly) Hash functions with a key – Both authentication and integrity • The idea is to use cryptographic function to get a check-value and send it with data. – We’ll start with hash functions
Hash functions • A hash function is a deterministic, efficient function which maps binary strings of arbitrary length to binary strings of fixed length. – The output of the hash function is called the hash- value, the fingerprint , or the digest of the message Hash functions are used for data integrity in conjunction with digital signature schemes, where for several reasons a message is typically hashed first, and then the hash- value, as a representative of the message, is signed in place of the original message. A distinct class of hash functions, called message authentication codes (MACs), allows message authentication by symmetric techniques. MAC algorithms may be viewed as hash functions which take two functionally distinct inputs, a message and a secret key, and produce a fixed-size (say n-bit) output, with the design intent that it be infeasible in practice to produce the same output without knowledge of the key. MACs can be used to provide data integrity and symmetric data origin authentication, as well as identification in symmetric- key schemes. xA19283B6F290h
Properties of hash functions • Mixing transformation – On any input message x, the hashed value h(x) should be computationally indistinguishable from a random binary string of the same length. • Practical efficiency – It should be easy to compute h(x) for some input x
One-wayness • One-way property (or pre-image resistance) – Given a hash value h, it should be computationally infeasible to find a string x such that h(x) = h. – For this assumption to be reasonable, the output space should be large (128, 160 bits) – In practice we need something stronger than this to prevent the following attack: • An attacker obtains your signature h(m) on some message m • The attacker finds another message m' with h(m) = h(m'). • The attacker has your signature on the message m'.
2nd pre-image Resistance • 2nd pre-image resistance (or weak collision resistance) – Given message x and h(x) it should be hard to find another message y such that h(x) = h(y). – In practice we need something stronger than this to prevent the following attack: • The attacker chooses two messages m and m' with h(m) = h(m'). • She has m “signed” by sending the fingerprint h(m) • Later they repudiate, saying it was m' that was signed.
Collision Resistance • Collision resistance (or strong collision resistance) – It should be computationally infeasible to find two inputs x, y, with x≠y, such that h(x) = h(y). – Again the output space should be large enough but this property is harder to enforce due to the birthday paradox.
Properties of hash functions easy hard One-way property y x x’ [Strong] Collision resistance
Classification Hash function unkeyed keyed other application MDC other application MAC OWHF CRHF preimage res 2nd-preimage collision res
Hash Properties required in Applications Properties One-way 2nd preimage Collision resistance MDC+ asymmetric signature yes yes yes* MDC+ authentic channel yes yes* Password File (MDC) yes MAC (unknown key) yes yes yes*
Model for iterated hash functions Arbitrary length Input Iterated compression function Optional transformation output Fixed length output
Birthday Paradox • How many students must be in a class so that there is a greater than 50% chance that – One of the students shares the teacher’s birthday (up to the day and month)? Answer: ~366/2 = 188 – Any two of the students share the same birthday (up to the day and month)?
Birthday Attacks • The Birthday Attack exploits the birthday paradox – The chance that in a group of people two will share the same birthday – Only 23 people are needed for a Pr > 0.5 • Probability increases quite rapidly since in a group of 30 people we obtain a probability of approximately 0.7 • In a group of 100 people, probability is over 0.999 – Can generalize the problem to one wanting a matching pair from any two sets, and show that need 2m/2 in each to get a matching m-bit hash.
Birthday Attacks q Pr[2 have same birthdate] 15 0.253 18 0.347 20 0.411 21 0.444 23 0.507 25 0.569 27 0.627 30 0.796 35 0.818 40 0.891 50 0,970
Birthday Attacks • Birthday attacks work like this: – Opponent generates 2m/2 variations of a valid message all with essentially the same meaning. • Note that creating many message variants is relatively easy, either by rewording or just varying the amount of white- space in the message. – Opponent also generates 2m/2 variations of a desired fraudulent message – Two sets of messages are compared to find pair with same hash (probability > 0.5 by birthday paradox) – Then have user sign the valid message, then substitute the forgery which will have a valid signature
Birthday Attacks I, Victim, that I have on from Sofoklis on 2014. This should be to no later than the day of February 2014 J.D. John hereby - state confirm received borrowed a book a textbook Security Cryptography Dr. Prof. Efremidis Efraimidis February 26 26/2 book textbook returned given back Prof. Dr. Efremidis Efraimidis 28th 27th
Birthday Attacks I, Victim, that I have Euros from Sofoklis on 2014. This should be to no later than the day of February 2014 J.D. John hereby - state confirm received borrowed 1000000 one million Dr. Prof. Efremidis Efraimidis February 26 26/2 amount money returned given back Prof. Dr. Efremidis Efraimidis 28th 27th
Output space of hash functions • Due to the birthday attack, the size of the output space of a hash function must have a lower bound. – The current widely used hash functions in applied cryptography are • SHA-1: US government standard • RIPEMD-160: European design – Both process blocks of 512 bits and produce 160 bits fingerprints – Their strength against the birthday attack is therefore 280. • This is compatible to the strength of a block cipher with key length up to 80 bits. – The previous popular hash function has 128 bit output which was tailored to suit the DES’ key length of 56 bits.
Security of some hash functions MD2 (Rivest ‘88) MD4 (Rivest ‘90) MD5 (Rivest ‘90) SHA-0 SHA-1 RIPEMED-128 RIPEMED-160 Weakness discovered by NSA (1995) Found collision on the compression function (Dobbertin ’96) SHA-256, SHA-384, SHA-512
Example Outputs RIPMED160 • RIPEMD-160("The quick brown fox jumps over the lazy dog") = 37f332f68db77bd9d7edd4969571ad671cf9dd3b • RIPEMD-160("The quick brown fox jumps over the lazy cog") = 132072df690933835eb8b6ad0b77e7b6f14acad7 • RIPEMD-160("") = 9c1185a5c5e9fc54612808977ee8f548b2258d31 SHA-1 • SHA1("The quick brown fox jumps over the lazy dog") = 2fd4e1c6 7a2d28fc ed849ee1 bb76e739 1b93eb12 • SHA1("The quick brown fox jumps over the lazy cog") = de9f2c7f d25e1b3a fad3e85a 0bd17d9b 100db4b3 • SHA1("") = da39a3ee 5e6b4b0d 3255bfef 95601890 afd80709
Quest for a Good Hash Function
Applications of Hash Functions • Digital Signatures • Advantages – Shorter signatures – Much faster computations – Larger resistance to manipulation (one block instead of several blocks of signature) – Resistance to the multiplicative attacks – Avoids problems with different sizes of the sender and the receiver moduli – This usage adds certain verifiable redundancy to a message to be signed. – Unforgeability of a signature scheme depends on some redundant information contained in the message signed.
Applications of Hash Functions • Fingerprint of a program or a document – To detect a modification by a virus or an intruder… Program Hash Fingerprint Fingerprint Safe Place Equal?
Applications of Hash Functions • Storing passwords – To detect a modification by a virus or an intruder… Password Hash h(password) Instead of storing ( id, password ) Store ( id, hash(password) )
Applications of Hash Functions • In public key cryptosystems – Hash functions are widely used for realizing a ciphertext correctness verification algorithm. – This scheme is necessary to achieve provable security against active attackers. • Use as pseudo-random functions – In many applications (authentication protocols, key agreement, electronic commerce protocols, proof of knowledge protocols, etc.) pseudo-randomness is required.
MESSAGE AUTHENTICATION CODES (MACS)
MACs • Message Authentication Code (MAC) – (Usually) A hash function with a key Text MAC 73BAF87D9 K Text MAC 73BAF87D9 K = ?
Use of MA Schemes Dear Bob, this is to certify that… MAC Scheme K Alice Message Digest Original Data Dear Bob, this is to certify that… MAC Scheme Bob K Message Digest Message Digest If both identical validate data integrity
Properties of MAC • MAC is a family of functions hk (parameterized by the secret key k) • Properties of MAC: – Ease of computation (if key is known) – Compression, x is of arbitrary length, hk(x) has fixed length – Computation resistance, given some pairs (xi, MACk(xi)) is infeasible to compute a new pair (x, MACk(x)) for any new x ≠ xi
Objectives of Adversaries • Against MDC – OWHF: given y find x such that h(x)=y; or given (x, h(x)) find x' ≠ x such that h(x') = h(x) – CRHF: find any two inputs x' ≠ x such that h(x') = h(x) (birthday attack) • Against MAC – Without knowing the key k compute (x, hk(x)) given (xi, hk(xi)) with xi ≠ x – Known-text attack, chosen text-attack, adaptive chosen text attack
Forgeries Against MACs • When MAC forgery is possible, practical consequences depend on the degree of control an adversary has over the message m for which a MAC may be forged. – Selective forgery: The adversary is able to produce a new message-MAC pair for a message of her choice. – Existential forgery: The adversary is able to produce a new message-MAC pair, but with no control over the value of that text.
A Security Framework for Message Authentication • A Message Authentication (MA) scheme is a triple of algorithms <G, T, V>, where – G is a key generation algorithm, i.e., a randomized algorithm that returns a key K – T is a tagging algorithm which is a (possibly randomized) algorithm that takes the key and the message and produces a tag σ; we write σ←TK(m) • Unlike encryption schemes, tagging algorithms can be deterministic • The tag represents the fingerprint of the message and is sent along with the message. – V is a verification algorithm which is a deterministic algorithm that takes the key, a message m and the tag σ for m to return a bit • The receiver computes VK(m, σ) and verifies integrity of m
Public-Key Cryptography • Probably most significant advance in the 3000 year history of cryptography – Uses two keys – a public and a private key – Asymmetric since parties are not equal • These two keys are linked in a mathematical way. – Knowing the public key tells you nothing about the private key. – But knowing the private key allows you to unlock information • Note that public key schemes are – neither more secure than private key (security depends on the key size for both), – nor do they replace private key schemes (they are too slow to do so), rather they complement them.
Public-Key Cryptography • Public-key/asymmetric cryptography involves the use of two keys: – A public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures – A private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures – Why they call it asymmetric?
Public-Key Cryptography • Is asymmetric because – Those who encrypt messages or verify signatures cannot decrypt messages or create signatures • This may seem strange, and will require some thought. – The concept was so strange it was not until 1976 that anyone thought of it. – Diffie and Hellman: “New Directions in Cryptography”. – A few years later the first system was invented, i.e. RSA.
Encryption/decryption using… • ... Symmetric Cryptography • ... Public-Key Cryptography
The big picture
Why Public-Key Cryptography? • The idea of public key schemes, and the first practical scheme, which was for key distribution only, was published in 1977 by Diffie & Hellman. – The concept had been previously described in a classified report in 1970 by James Ellis (UK Communications Headquarters) – and subsequently declassified in 1987. – Its interesting to note that they (Clifford Cocks, 1973) discovered RSA first, then (Malcolm Williamson, 1974) Diffie-Hellman, opposite to the order of public discovery! • Developed to address two key issues: – Key distribution – how to have secure communications in general without having to trust a KDC with your key – Digital signatures – how to verify a message comes intact from the claimed sender
Public-Key Characteristics • Public key schemes utilise problems that are easy (P type) one way but hard (NP type) the other way, e.g. exponentiation vs. logs, multiplication vs. factoring. – Traditional schemes involve the sender putting a message in a box and locking it, sending that to the receiver, and somehow securely also sending them the key to unlock the box. – The radical advance in public key schemes was to turn this around • the receiver sends an unlocked box to the sender, who puts the message in the box and locks it (easy - and having locked it cannot get at the message), • and sends the locked box to the receiver who can unlock it (also easy), having the key. An attacker would have to pick the lock on the box (hard).
One-way functions • A function f : X→Y is a one-way function iff – For all x ∈ X it is very easy or efficient to compute f(x). – For almost all y ∈ Y, finding an x ∈ X with f (x) = y is computationally infeasible. • A trapdoor one-way function is a one-way function f : X→Y , but given some extra information, called the trapdoor information, it is easy to invert f , i.e. – given y ∈ Y and the trapdoor info, it is easy to find x ∈ X such that f (x) = y. • One-way functions are believed to exist. Nobody proved that actually exist. – Proving existence would imply that P ≠ NP.
One-way functions • Candidate one-way functions: – Multiplication: • Given primes p and q, compute N = p ⋅ q. • This is very easy to compute, since we just multiply p and q. • The inverse problem: given N, find p and q is called factoring. – Modular exponentiation: • Given N and an element a ∈ ZN, compute y ≡ ax (mod N). • This can be computed efficiently using repeated squaring. • The inverse problem: given N, a,y ∈ ZN find x such that y ≡ ax (mod N) is called the discrete logarithm problem. – What is the trapdoor in each case?
Security of Public Key Schemes • Public key schemes are no more or less secure than private key schemes – In both cases the size of the key determines the security. – Note also that you can’t compare key sizes - a 64-bit private key scheme has very roughly similar security to a 512-bit RSA – both could be broken given sufficient resources. – But with public key schemes at least there’s usually a firmer theoretical basis for determining the security since its based on well-known and well studied number theory problems. • Requires the use of very large numbers – Hence is slow compared to private key schemes – And computationally expensive
Diffie-Hellman Key Exchange • Establishment of a shared key between two entities had always been a difficult problem – Required a confidential channel – An important advantage of public key cryptography is its use in the exchange of a secret key • The first practical scheme was proposed by Diffie-Hellman in 1976 – Known as Diffie-Hellman key exchange Ralph Merkle - left Martin Hellman - middle Whitfield Diffie - right
Diffie-Hellman Key Exchange Protocol Premise: Alice and Bob have agreed on a large prime p and a generator g of Zp * Steps 1. Alice picks a large random integer a∈[1, p-1), computes ga mod p and sends it to Bob. 2. Bobs picks a large random integer b∈[1, p-1), computes gb mod p and sends it to Alice. 3. Alice computes k ← (gb)a mod p 4. Bob computes k ← (ga)b mod p 1 2 3 4
DF-Key Exchange example • Let p = 43. A generator of the group is 3. Alice and Bob agree on public material elements (p, g) = (43, 3) 1. Alice picks her random secret exponent a = 8, and sends to Bob 38 ≡ 25 (mod 43) 2. Bob picks his random secret exponent b = 37, and sends to Alice 337 ≡ 20 (mod 43) The secret key agreed between them is 9 = 38  37= 208 ≡ 2537 (mod 43)
Textbook algorithms • The previous protocol is an example of “textbook cryptography” – We’ll use this term because these algorithms/protocols can be found in most textbooks on cryptography – However, these algorithms should not be used “as is” in real-world applications • With the scope of public-key cryptosystems, a “textbook encryption” algorithm has a confidentiality property stated as – All-or-nothing security: The attacker’s task is to retrieve the whole plaintext. The attacker either succeeds or fails with nothing. – Passive attacker: The attacker does not manipulate or modify ciphertexts and does not ask for encryption/decryption services
Diffie-Hellman Key Exchange Protocol How can the previous protocol be attacked? • We are looking for an active attack where Eve can fool the two participants • This would be an attack on what?
The Man-in-the-Middle Attack 1. Alice picks a∈R[1, p-1), computes ga =ga mod p; she sends ga to Eve (“Bob”) 1’.Eve(“Alice”) computes ge =ge mod p for some e∈R[1, p-1) and sends ge to Bob. 2. Bobs picks b∈R[1, p-1), computes gb =gb mod p; He sends gb to Eve (“Alice”). 2’.Eve(“Bob”) sends ge to Alice. 3. Alice computes k1 ← (ge)a mod p (shared between her and Eve) 4. Bob computes k2 ← (ge)b mod p (shared between him and Eve) 1 2’ 1’ 2
The Diffie-Hellman problem The secrecy of the agreed shared key from the Diffie- Hellman key exchange protocol is the problem of computing gab (mod p) given ga and gb. Diffie-Hellman Problem (DHP) Input: A generator g of Zp * and ga and gb, for some integers 0 < a, b < p Output: gab The DHP problem lies in turn in the difficulty of the discrete logarithm problem Discrete Logarithm Problem (DLP) Input: A generator g of Zp* and an element h of Zp * Output: The unique integer x such that h = gx
Relationship between DLP and DHP Assume you have an algorithm that solves the DLP problem. • How would you use it to solve the DHP?
DHP reduces to DLP • Here we show how to reduce DHP to DLP, i.e. we give an efficient algorithm for solving the DHP given an algorithm for the DLP. • Goal: Given ga and gb we wish to find gab. – First compute b = DLP(gb) using the algorithm. – Then compute (ga)b = gab. – So DHP is no harder than DLP, i.e. DHP ≤P DLP or equivalently the DH assumption is a stronger assumption than the DL assumption. – The converse of this statement is an open question: “Can the DL assumption be true if the DH assumption is false?
RSA (Textbook version) • RSA is the best known, and by far the most widely used general public key encryption algorithm. – Developed by Rivest, Shamir & Adleman of MIT – “A method for obtaining digital signatures and public key cryptosystems”, Comm. of the ACM, 21(2):120-126, 1978 • It is based on exponentiation in a finite field over integers modulo a prime – Exponentiation takes O((log n)3) operations (easy) – Uses large integers (e.g. 1024 bits) – Security due to cost of factoring large numbers – Factorization takes O(e log n log log n) operations (hard) RSA 2003 SRA 1978
RSA Key Generation • Each user generates a public/private key pair by: – Selecting two large primes p and q of at least 512 bits each – Computing the modulus N = p ⋅ q and φ(N) = (p-1)(q-1) – Selecting a random integer e where 1< e < φ(N) such that gcd(e, φ(N)) = 1 – Using the Extended GCD compute the unique integer d such that e ⋅ d ≡ 1 mod φ(N) • Publish their public encryption key: (e,N) • Keep secret private decryption key: (d,p,q)
RSA Use • If Bob wants to encrypt a message for Alice he does the following: – Obtains Alice’s authentic public key (e, N) – Represent the message as a number 0 < m < N. – Compute c = me mod N – Send the ciphertext c to Alice. • Alice, upon receiving c: – Uses her private key d and – Computes: m = cd mod N
RSA example Select primes: p = 17 and q = 11 – Compute N = p ⋅ q =17 ⋅ 11 = 187 – Compute φ(n) = (p-1)(q-1) = 16 ⋅ 10 = 160 Select e such that gcd(e, 160)=1; choose e=7 – Determine d such that d ⋅ e ≡ 1 mod 160 and d < 160. • Value is d = 23 since 23×7=161= 10×160+1 – Publish public key (7, 187) – Keep secret private key (23, 17, 11) Sample RSA encryption/decryption given message m = 88 (note 88 < 187) – Encryption: c = 887 mod 187 = 11 – Decryption: m = 1123 mod 187 = 88
DIGITAL SIGNATURES
Digital Signatures • Have looked at message authentication – But does not address issues of lack of trust – Recall Diffie-Hellman exchange protocol and “man-in-the-middle” attack • Digital signatures provide a guarantee of – authorship – integrity – non-repudiation • Not given by MACs • Digital signatures is a great advantage of Public Key cryptography over Symmetric cryptography – The other one is the possibility of achieving key distribution between remote parties.
Digital Signature Properties • Must depend on the message signed • Must use information unique to sender – to prevent both forgery and denial • Must be relatively easy to produce, recognize and verify • Be computationally infeasible to forge – with new message for existing digital signature – with fraudulent digital signature for given message • Be practical to save digital signature in storage
The big picture Hash Algorithm Message Digest Original Data Digital Signature Sign with Bob’s private key Digital Signature Hash Algorithm Original Data Verify with Bob’s public key Message Digest Message Digest’ If both Identical Validate Data integrity Bob Alice Dear Alice I have received … Dear Alice I have received …
A Definition • A Digital Signature Scheme is specified by a triple of algorithms <G, S, V> – G is a key generation algorithm, which is a randomized algorithm that returns a public key K and a private key K-1 • This algorithm takes as a parameter the size k of the keys to be generated. – S is a signing algorithm which takes a message m and a secret key K-1 to produce a string σ which we call the signature of m; we write – V is a verification algorithm which takes the key K, the message m and the signature σ for m to return TRUE or FALSE • The receiver computes VK(m, σ) and verifies that σ is the signature for m )(1 mSK 
Signing with RSA • Recall Key setup – Select two large primes p and q of at least 512 bits each – Compute the modulus N = p ⋅ q and φ(N) = (p-1) ⋅ (q-1) – Select a random integer e such that gcd(e, φ(N)) = 1 – Compute the unique integer d such that e ⋅ d ≡ 1 mod φ(N) • Signature generation Sd(m) – To create a signature of a message m, compute σ = md (mod N) • Signature verification Ve(m, σ) – Compute m´ = σe (mod N) – If m´ = m, return True else return False. • Is this secure?
PUBLIC KEY INFRASTRUCTURE
PKI • With secret key cryptography the main problems were ones of – key management – key distribution as keys need to be distributed via secure channels • In public key systems we replace these problems with those of – key authentication, i.e. which key belongs to whom as keys need to be distributed via authentic channels • The system which provides authentic public keys to applications is called a public key infrastructure or PKI
Randomness of Public Keys • A public key generation algorithm contains the following step Public Key = F(Private Key) where F is some one-way function that maps from the private key space to the public key space – Hence public keys contain a random looking part • It becomes necessary that a principal’s public key becomes associated with a principal’s identity in a verifiable and trustworthy way. – To send an encrypted message we must be sure about the authenticity of the public key. – Same with verifying a signature.
Certification Authority (CA) • A trusted server used to perform the key management of public keys is called a certification authority (CA). – A CA is a special principal who is well known and trusted directly by the principals in the domain it serves. – For each user within its domain, the CA issues a public key certificate certifying the user’s key material. • The “trust” required by a CA is much weaker as opposed to the trust needed to be placed to a server for secret-key based protocols – The security service provided is message authentication, which can be performed without need of handling any secret. – The service can be provided also offline.
Certificates • Every user submits their public key to the CA. The CA concatenates – User name, – User public key (encryption or verification), – Name of CA – Expiry date, – Serial Number of Certificate, – .... and generates a signature (of the CA) on this data string. • The combination of the data and signature is the public key certificate. This is sent back to the user. – Anyone with the CA’s public key can verify the user’s public key certificate, and so obtain a trusted copy of the users public key. – Certificates can be stored in repositories and retrieved as needed. – Since they are digitally signed, there’s no need to be secured.
The world without a CA • To see the advantage of certificates and CAs consider the world without a CA – You obtain many individual public keys from each individual in some secure fashion 6A5DEF....A21 Sofoklis Efremidis’ Public Key 7F341A....BFF Jane Doe’s Public Key B5F34A....E6D Microsoft’s Update Key • Each key needs to be obtained in a secure manner, as does every new key you obtain.
The world with a CA • First, you obtain a single public key securely, namely the CAs public key. Then you obtain many individual public keys, signed by the CA A45EFB....C45 Trent’s totally trustworthy key. 6A5DEF....A21 Trent says “This is S. Efremidis’ Public Key” 7F341A....BFF Trent says “This is Jane Doe’s Public Key” B5F34A....E6D Trent says “This is Microsoft’s Update Key” • If you trust Trent’s key and you trust Trent to do his job correctly then you trust all of them
CA Hierarchies • In large organizations, it may be appropriate to delegate the responsibility for issuing certificates to several certificate authorities. – For example, the number of certificates required may be too large for a single CA to maintain; – Different organizational units may have different policy requirements; – or it may be important for a CA to be physically located in the same geographic area as the people to whom it is issuing certificates. • Hence it is common for more than one CA to exist – Look at your browser’s certificate authorities
CA Hierarchies • The root CA is at the top of the hierarchy. The root CA's certificate is a self- signed certificate • The CAs that are directly subordinate to the root CA have CA certificates signed by the root CA. ... and so one Root CA Asia CA Europe CA USA CA Sales CA Engineering CA Marketing CA Subordinate CA Subordinate CA Subordinate CA Certificate Issued by Engineering CA Subordinate CA Subordinate CA Subordinate CA
Certificate chains • A certificate chain is a series of certificates issued by successive CAs – The user first verifies the appropriate cross-certificate, and then verifies the user certificate itself • So – Check validity period and verify that this is signed by Engineering CA. Since this is not trusted proceed with next. – Check validity period and verify that this is signed by Europe CA. Since this is not trusted proceed with next. – Check validity period and verify that this is signed by Root CA. Since Root CA is trusted, verification succeeds. Asia CA USA CA Sales CA Marketing CA Trusted Authority Certificate Issued by Engineering CA CA Certificate signed by self Untrusted Authority Untrusted Authority CA Certificate signed by Root CA CA Certificate signed by Europe CA Program verifying the certificate Root CA Engineering CA Europe CA
Revocation • Reasons for revoking a certificate – Invalid period of use: Like a driver’s license, a certificate specifies a period of time during which it is valid. Attempts to use a certificate for authentication before or after its validity period will fail. – Bad use: A driver’s license can be suspended even if it has not expired • for example, as punishment for a serious driving offense. – Similarly, it's sometimes necessary to revoke a certificate before it has expired –for example, if an employee leaves a company or moves to a new job within the company. – If a user’s public key is compromised, i.e., a third party has gained knowledge of the private key then the corresponding public key must be revoked • The CA must somehow inform all users that the certificate(s) containing this public key is/are no longer valid. This is called certificate revocation
Certificate Revocation Lists (CRLs) • A Certificate Revocation List is a way of telling users about revoked certificates. • A CRL is a list of the serial numbers of all the certificates revoked by a particular CA, signed by the CA concerned. – A CRL is a bit like the list of bad credit card numbers which used to be kept next to the tills in supermarkets. • Users must ensure they have the latest CRL – Can be achieved by issuing CRLs at regular intervals even if list has not changed. • Easy to do in a corporate environment • Hard to distribute them otherwise, especially if there are many CAs involved.
Examples of PKI • In the following we look at some real systems which distribute trust via certificates • Examples are – X509 – SSL – PGP – SPKI
X.509 • The contents of certificates supported by Netscape and many other software companies are organized according to the X.509 v3 certificate specification, which has been recommended by the International Telecommunications Union (ITU) since 1988 • X509 defines a structure for public key certificates – A CA assigns a unique name to each user and issues a signed certificate – Often name is the URL or Email address • CAs are connected in a tree structure – Each CA issues a certificate for those beneath it • The basic structure is very simple, but ends up being very complex in any reasonable application
X.509 certificate structure • Every certificate consists of two sections – The data section includes the following • The version number of the X.509 standard supported by the certificate. • The certificate's serial number. • Information about the user's public key, including the algorithm used and a representation of the key itself. • Name of the CA that issued the certificate. • The period during which the certificate is valid • The name of the certificate subject (for example, in a client SSL certificate this would be the user's name), also called the subject name. • Optional certificate extensions, which may provide additional data used by the client or server such as the type of the certificate.
X.509 certificate structure – The signature section includes the following information: • The cryptographic algorithm, or cipher, used by the issuing CA to create its own digital signature. • The CA's digital signature, obtained by hashing all of the data in the certificate together and encrypting it with the CA's private key.
Typical X.509 certificate Data: Version: v3 (0x2) Serial Number: 3 (0x3) Signature Algorithm: PKCS #1 MD5 With RSA Encryption Issuer: OU=Ace Certificate Authority, O=Ace Industry, C=US Validity: Not Before: Fri Oct 17 18:36:25 1997 Not After: Sun Oct 17 18:36:25 1999 Subject: CN=Jane Doe, OU=Finance, O=Ace Industry, C=US Subject Public Key Info: Algorithm: PKCS #1 RSA Encryption Public Key: Modulus: 00:ca:fa:79:98:8f:19:f8:d7:de:e4:49:80:48:e6:2a:2a:86: ed:27:40:4d:86:b3:05:c0:01:bb:50:15:c9:de:dc:85:19:22: 43:7d:45:6d:71:4e:17:3d:f0:36:4b:5b:7f:a8:51:a3:a1:00: 98:ce:7f:47:50:2c:93:36:7c:01:6e:cb:89:06:41:72:b5:e9: 73:49:38:76:ef:b6:8f:ac:49:bb:63:0f:9b:ff:16:2a:e3:0e: 9d:3b:af:ce:9a:3e:48:65:de:96:61:d5:0a:11:2a:a2:80:b0: 7d:d8:99:cb:0c:99:34:c9:ab:25:06:a8:31:ad:8c:4b:aa:54: 91:f4:15 Public Exponent: 65537 (0x10001) Extensions: ... ... Signature: Algorithm: PKCS #1 MD5 With RSA Encryption Signature: 6d:23:af:f3:d3:b6:7a:df:90:df:cd:7e:18:6c:01:69:8e:54:65:fc:06: 30:43:34:d1:63:1f:06:7d:c3:40:a8:2a:82:c1:a4:83:2a:fb:2e:8f:fb: f0:6d:ff:75:a3:78:f7:52:47:46:62:97:1d:d9:c6:11:0a:02:a2:e0:cc: 2a:75:6c:8b:b6:9b:87:00:7d:7c:84:76:79:ba:f8:b4:d2:62:58:c3:c5: b6:c1:43:ac:63:44:42:fd:af:c8:0f:2f:38:85:6d:d6:59:e8:41:42:a5: 4a:e5:26:38:ff:32:78:a1:38:f1:ed:dc:0d:31:d1:b0:6d:67:e9:46:a8: dd:c4
Secure Socket Layer (SSL) • SSL adds security to TCP level (Network layer) – When the socket layer communications are secured, communications in all application-level protocols will be secured in the same manner. • Various protocols can then be transparently layered on top – HTTP, FTP, TELNET, etc • Commercial standard originally driven by Netscape – Later adopted by Microsoft and other developers and evolved in the de facto standard for Web Security
SSL objectives • Aims to establish a secure channel between client and server, to enable the encrypted transmission of credit card details or passwords • Private – All traffic is encrypted after an initial handshake • Authenticated – The server end is always authenticated (for the benefit of the client) – The client may optionally be authenticated too but rarely done • Reliable – The message transport includes an integrity check
SSL Structure • Bulk encryption is performed using a block or a stream cipher – Client and server agree on the encryption algorithm during the initial handshake – The session key to be used is derived using standard protocols such as Diffie-Hellman or RSA based key transport • The server is authenticated since it provides the client with a X509 public key certificate – For web based transactions, this is signed by some global CA – Public key of CA comes embedded in user’s browser such as Netscape of Explorer
SSL Key Transport • The following is a simplified overview – Client establishes connection with Server on a special port number to signal the secure session – Server sends a certified public key to client • The client verifies the certificate and decides whether it trusts the public key – Client chooses random secret • Client encodes this with the Server’s public key and sends it back – Client and Server now securely share secret – Server authenticates itself by responding using the secret
Pretty Good Privacy (PGP) • PGP, developed by Zimmermann, takes a bottom up approach to the distribution of trust – Design goals were to give low cost encryption/signature system for all – Web of Trust, rather than global PKI • The public key management is done from the bottom up by users themselves – Each user acts as their own CA and signs other people’s key certificates (pairs <name, key>) – “If he trusts her and since I trust him, I will also trust her”. – Can trust keys others have signed if have a chain of signatures to them • With enough such signatures, maybe you can trust <name, key> as not all these signers would be corrupt – As users keep doing this certification, a web of trust is built
PGP Operation – Authentication • Sender creates a message – SHA-1 used to generate 160-bit hash code of message – Timestamp is added – Hash code is encrypted with RSA using the sender’s private key, and result is attached to message – Receiver uses RSA or DSS with sender's public key to decrypt and recover hash code – Receiver generates new hash code for message and compares with decrypted hash code, if match, message is accepted as authentic
PGP Operation – Confidentiality • Sender generates message and random 128-bit number to be used as session key for this message only – message is encrypted, using CAST-128 / IDEA / 3DES with session key – session key is encrypted using RSA with recipient’s public key, then attached to message – receiver uses RSA with its private key to decrypt and recover session key – session key is used to decrypt message • For Authentication and Confidentiality use both services on same message – create signature & attach to message – encrypt both message & signature – attach RSA encrypted session key
PGP Operation – Summary X  file Signature required? Generate signature X  signature || X Compress X  Z(X) Confidentiality required? Encrypt key, X X  EKUb[KS] || EKs[X] Convert to radix 64 X  R64(X) Y Y N N Convert from radix 64 X  R64-1(X) Confidentiality required? Decrypt key, X K  DKRb[EKUb[KS]] X  DK[X] Decompress X  Z-1(X) Signature required? Strip signature from X Verify signature Y Y N N Generic Transmission Diagram Generic Reception Diagram
PGP Session Keys • Need a session key for each message – of varying sizes: 56-bit DES, 128-bit CAST or IDEA, 168-bit Triple-DES • Uses random inputs taken from previous uses and from keystroke timing of user
PGP Key Rings • Each PGP user has a pair of key-rings – Public-key ring contains all the public-keys of other PGP users known to this user, indexed by key ID – Private-key ring contains the public/private key pair(s) for this user, indexed by key ID & encrypted keyed from a hashed passphrase
SPKI • SPKI stands for Simple Public Key Infrastructure. Tries to address a number of problems with X509/PKI – Mainly that of a globally distinguished name with a key bound to it • An application needs to know whether the key holder is permitted some action or authorized access – Collections of directory entries are considered valuable to be released by organizations in the form of a directory tree • Binds authorizations as well as identities – Allows a form of delegation – Could make it suitable for e-commerce – SPKI does not assume a global CA hierarchy – More a ground up approach like PGP • Currently not much commercially used since PKI vendors have a lot of investment in X.509
SPKI • To describe certificates, SPKI uses s-expressions – These are LISP like structures – Very simple to use and describe – Developed by Rivest • S-expressions can be made very simple for humans to understand • Each SPKI certificate has an issuer and a subject both of which are public keys
SPKI 4-tuples • To give an identity certificate, like X509 does, SPKI uses a 4- tuple structure – This is an internal abstraction of what the certificate represents (Issuer, Name, Subject, Validity) • In real life this would be the following – Issuers Public Key – Name of Subject – Subjects Public Key – Validity Period – Signature of Issuer on the triple (Name, Subject, Validity) • Anyone can issue a certificate, and hence become a CA
SPKI 5-tuples • These bind keys to authorizations – This is an internal abstraction of what the certificate represents (Issuer, Subject, Delegation, Authorization, Validity) • In real life this would be the following – Issuers Public Key – Subjects Public Key – Delegation: A Yes or No flag, saying whether the subject can delegate the permission or not – Authorization: What permission the subject is given to do – Validity: How long the authorization is for – Signature of Issuer on the quadruple (S, D, A,V)
Sizes of Standard Certificates • Recall, a standard certificate looks like the following X || S where X = (INFO, Users Public Key) S = CA’s signature on X • INFO is the stuff which is linked to the Users Public Key it could be – Name – Time – Authorization – ...
Standard Certificate Sizes • Ignoring the size of INFO, this gives something quite big e.g. • This assumes for RSA – 1024 bits for user keys – 2048 bits for CA keys and for EC-DSA – 160 bits for user keys – 400 bits for CA keys • The main question is whether this can be made smaller RSA DSA EC-DSA Users Key 1024 1024 160 CA Signature 2048 320 400
Implicit Certificates • We cannot reduce the size of the INFO but we could possibly reduce the size of the rest of it • An implicit certificate looks like X || Y where X = (INFO) Y = Implicit certificate on X • From Y we can – Recover the public key of the User – Implicit assurance that the certificate was issued by the CA • For DSA type signatures Y has size  1024 bits • For EC-DSA type signatures Y has size  160 bits
Problems with Implicit Certificates • There are a number of problems with the above system which means that implicit certificates are not used much in real life • What do you do if the CA’s key is compromised – Usually you pick a new CA key and re-certify users keys – You cannot do this since the users public key is chosen interactively during the certification process • Implicit certificates require the CA and users to work at the same security level – This is not considered good practice • However for small bandwidth devices they seem to be the best solution
REAL LIFE PROTOCOLS
Cryptographic systems • In the previous lectures we looked at the major elements of security – Confidentiality, authentication , integrity, key exchange, message replay protection, etc. • In any ongoing dialog, all these protections are necessary, not just one. – Consequently, we should not expect average end users to be able to implement dialog security themselves.
Cryptographic systems • Fortunately, cryptographic systems automatically provide all these security features – These systems work with little or no user intervention. • These systems offer automatic protections – In fact users often are not even aware that their communication is protected by a cryptographic system. – For example, every time you make a purchase over the Internet, the transaction is protected by SSL/TLS
Cryptographic Systems • Cryptographic systems usually work in a series of four stages. – The first three are initial handshake stages – The fourth one is where 99% of communication take place Stage 1: Initial Negotiation of Security Parameters Stage 2: Mutual Authentication Stage 3: Key Exchange or Key Agreement Server
Cryptographic Systems • Re-authentication and re-keying. – Although the three handshake stages are done only once, there is often periodic re-authentication to ensure than an attacker has not hijacked the connection. – What is periodic re-keying used for? Stage 4: Ongoing Communication with Message-by-Message Confidentiality, Authentication. and Message Integrity Server
Various Cryptographic Systems • For safety, companies often use two systems simultaneously at different layers. – This provides defense in depth. This, however, increases cost. Layer Cryptographic System Application Kerberos Transport SSL/TLS Internet Ipsec Data Link PPTP, L2TP Physical Not applicable. No messages are sent at this layer—only individual bits
SSL/TLS • When you make a purchase over the Internet, sensitive traffic is usually protected by a cryptographic system originally called Secure Sockets Layer (SSL) – SSL originally created by Netscape and placed in its browser. • When SSL is used, how do URLs begin with? – Then, all major browser vendors supported SSL, including Microsoft – Later, it became a standard by IETF named Transport Layer Security (TLS)
SSL/TLS • SSL/TLS offers transport layer protection, meaning that all application layer traffic can be secured. • However, this protection of higher-layer messages is not transparent as higher layer messages are not automatically protected. – To be protected, applications have to be SSL-aware – Most browsers and web server applications are. Very few others…
SSL/TLS Operation Protects all application traffic that is SSL/TLS-Aware Verifier (Merchant Server) Applicant (Customer Client) SSL/TLS Works at transport layer
SSL/TLS Operation • The reason for optional client authentication is pure pragmatism. – To lock out the vast majority of customers (not willing to get digital certs) does not make business sense 1. Negotiation of security options (Brief) Verifier (Merchant Server) Applicant (Customer Client) 2. Merchant authenticates itself to customer by sending a Digital Certificate. (Customer Authentication is optional and uncommon)
SSL/TLS Operation 3. Client generates random session key which sends it to server encrypted using Public Key Encryption Verifier (Merchant Server) Applicant (Customer Client) 4. Ongoing communication with confidentiality and merchant Digital Signatures
Perspective on SSL/TLS • SSL is a “flawed” cryptographic system. – Only one side usually is authenticated – Also it had many weaknesses • Provides only medium security, but exploitation is difficult – Usually, it is far easier to hack into merchant servers and steal lists of thousands of credit numbers. – There has not been a single reported case of a credit card number being read en route while protected by SSL.
Perspective on SSL/TLS • SSL/TLS uses PK encryption to sign every message, which makes it very computationally expensive. – Merchants can handle only a few percent of the transactions they could without SSL. – SSL/TLS is built into all browsers and web servers has been one of strong security points for the Internet.
IPSec • For very strong security some VPNs use a family of security standards collectively called IPSec (IP Security) – IPSec offers much stronger security than PPTP or L2TP. – Also more complex and expensive to introduce than its Layer 2 cousin. • SSL/TLS for non-transparent Transport Layer security – SSL lack of transparency limits it primarily to HTTP webservice and some e-mail systems.
IPSec • In contrast IPSec operates at the Internet layer offering transparent layer security – This allows it to provide security for the transport layer • This includes all TCP and UDP traffic and all other messages carried in the data field of the IP packet. – Application layer messages are also protected. • This protection is transparent – There is no need to modify applications or transport layer protocols to work with IPSec – These protocols are not even aware that IPSec is used
IPSec • IPSec originally was intended for the new version of the Internet protocol, IPv6 – However, IPSec can be used with IPv4 as well. – In other words, no matter what version of IP the network uses, IPSec still protects it. • The most basic concept in IPSec is that there are two modes, i.e. ways of operation. – These are the transport mode and the tunnel mode.
IPsec Operation: Transport Mode • Transport mode is used for host-to-host security. – This mode allows two hosts to communicate securely with no regard to what else is happening in the network. • End-to-end security – This mode is attractive because it provides security when packets travel over internal networks as well as over the Internet. Site Network Site Network Secure Connection Security in site network Security in site network Secure on the Internet
IPsec Operation: Transport Mode • The IPSec header is inserted after the main IP header. – This header provides protection for higher layer protocols (transport and application ones) • However, because the IP destination address is needed to route the packet to the destination host, the IP header must be transmitted in the clear. – This allows a sniffer to understand the distribution of IP addresses Destination IP address is actual address Orig. IP Header IPsec Header Protected Packet Data Field
IPsec Operation: Transport Mode • Probable need to install IPSec software on the two hosts. – Transport mode typically requires adding software to the computers instead of using native operating system protocol support.
IPsec Operation: Tunnel Mode • Tunnel mode is normally used to protect communications between two IPSec gateways. – The two gateways securely send traffic to the Internet between themselves by encapsulating/decapsulating IP packets from/to gateway’s site network Site Network Site Network Tunneled Connection No security in site network No security in site network Secure on the Internet IPsec Gateway IPsec Gateway
IPsec Operation: Tunnel Mode • In tunnel mode, the original IP header is fully protected. – The transmitting gateway encapsulates the original packet to a new packet by adding a new IP header and an IPSec header. – The new IP header contains the address of the destination gateway. – An attacker snooping the company’s traffic will learn nothing about other IP addresses. Destination IP address is IPsec gateway address. Host IP address is not revealed; New IP Header IPsec Header Protected Original Packet
IPsec Operation: Tunnel Mode • No software is required on the two hosts. – In fact the clients and servers do not even know that their packets are being protected as they travel over the Internet. • On the negative site, tunnel mode provides no protection for IP packets passing through the site network at the two sites. – It only provides protection during the passage of packets through the Internet. – This leaves packets open to attack for network sites.
IPsec Operation: Transport and Tunnel Modes • How can these modes be combined? • What are the advantages of such an approach?
IPsec Headers • The previous discussion left open two questions: – What is an IPSec header? – What do we really mean about “protection”? • This was deliberate because in both transport and tunnel modes, IPSec offers two types of protection. – For each type of protection, IPSec uses a different type of IPSec header – Therefore, four mode-header combinations exist
IPsec ESP • The most commonly used IPSec header is the Encapsulating Security Payload (ESP) header. – It offers full security (confidentiality, message-by-message authentication and integrity.) – IP packets carrying ESP headers have the value 50 in their protocol fields. – ESP has two parts. A header and a trailer Encapsulating Security Payload IP Header ESP Header Protected ESP Trailer Confidentiality Authentication and message integrityProtocol = 50
IPsec Authentication • The other type of IPSec header is the Authentication Header (AH). – Like ESP it offers authentication and message integrity but no confidentiality. Anyone intercepting a message can read it. Authentication Header IP Header Authentication Header Protected Authentication and message integrity No confidentiality Protocol = 51
Modes and Protections ESP Confidentiality Authentication Integrity AH Authentication Integrity Transport Mode (End-to-End) Possible Possible Tunnel Mode (IPsec Gateway to Gateway) Possible Possible
IPsec Security Associations • Before two hosts or IPSec gateways communicate, they have to establish security associations (SAs). – Perhaps the most confusing part of IPSec • A security association is an agreement about how the two communicating parties will provide security. – Specifies what algorithms will be used to implement the security processes for confidentiality, authentication, etc. • When two parties communicate, two associations must exist, one in each direction – This allows for different levels of protections in the two directions, if it is desirable.
IPsec Security Associations • SAs are governed by policies built into the hosts or the IPSec gateways. – The company may permit only certain combinations of algorithms as some of them may be considered too weak. The security association may be different in each direction Party A Party B IPsec policy server
Establishing Security Associations • To establish security associations, IPSec relies on the Internet Key Exchange (IKE) standard. IKE handles all the steps needed to establish a SA. These include – Communication to agree upon security algorithms to be used in setting up the IKE SA. – Authentication – Exchange of symmetric session keys. Different keys can be used for confidentiality and authentication. • IKE is not limited to IPSec. It is a general protocol used for establishing SAs in cryptographic systems used over the Internet.
Establishing IPsec Security Associations Using IKE • When two parties establish an IKE SA, this forms a blanket of protection within which the two parties can safely negotiate IPSec SAs. – For example, two IPSec gateways may establish different SAs for traffic types of different sensitivity. Party A Party B Internet Key Exchange Security Association UDP Port 500 IPsec policy server
IPSec mandatory default protocols • Negotiation permits two parties to negotiate which algorithms will be used for confidentiality and other matters. • However, mandatory default algorithms must be supported and will be used automatically when the two sites do not specify an alternative. These include: – Diffie-Hellman key agreement – DES-CBC for encryption – HMAC for message-by-message authentication for SPEED as digital signatures are very slow
Key-Hashed Message Authentication Codes (HMACs) • HMACs, however, lack non-repudiation. Why? How do they operate? – When non-repudiation is important, HMACs should not be used… Shared Key Original Plaintext HMAC Original Plaintext HMAC Hashing with MD5, SHA-1, etc. Key-Hashed Message Authentication Code (HMAC) Appended to Plaintext Before Transmission
Kerberos • In Greek mythology, Cerberus was the hound of Hades — a monstrous three-headed dog (sometimes said to have fifty or one-hundred heads), (sometimes) with a snake for a tail and innumerable snake heads on his back. – He guarded the gate to Hades (the Greek underworld) and ensured that the dead could not leave and the living could not enter. – Cerberus is the offspring of Echidna and Typhon. • He was overcome several times: – Heracles’ final labour was to capture Cerberus. First, Heracles went to Eleusis to be initiated into the Eleusinian mysteries. He did this to absolve himself of guilt for killing the centaurs and to learn how to enter and exit the underworld alive. – Athena and Hermes helped him through and back from Hades. Heracles asked Hades for permission to take Cerberus. Hades agreed as long as Heracles didn’t harm him, though in some versions, Heracles shot Hades with an arrow. When Heracles dragged the dog out of Hades, he passed through the cavern Acherusia. – Orpheus used his musical skills to lull Cerberus to sleep.
Motivation • Consider a distributed architecture consisting of dedicated user workstations (clients) and distributed servers – In such an environment, the user must prove identity for each service invoked. – Similarly, servers must prove their identity to clients • This is the approach supported by Kerberos. – Kerberos assumes a distributed client/server architecture and employs one or more Kerberos servers to provide an authentication service.
Kerberos requirements • The first published result “Kerberos: An authentication Service for Open Networked Systems”, (1988) listed the following requirements for Kerberos: – Secure: A network eavesdropper should not be able to impersonate a user. – Reliable: Lack of availability means lack of access control. Hence Kerberos should be highly reliable and employ a distributed architecture. – Transparent: Ideally, the user should not be able to tell that authentication is taking place, beyond the requirement to enter a password. – Scalable: The system should be capable of supporting large number of clients and servers.
A simple authentication dialog • We will build the full protocol step by step by looking at several hypothetical dialogs • In an unprotected environment, any client can apply to any server for service. The obvious security risk is that of impersonation. – Servers must be able to confirm the identities of clients who request service. – To undertake this task for every client/server interaction, places a substantial burden on each server. • An alternative is to use an Authentication Server (AS) that knows the passwords of all users and also shares a unique secret key with each server.
A simple authentication dialog • Problems: – Need to minimize the number of times a user has to enter the password to access the same service (say e-mail) – Furthermore, it remains the case that a user would need a new ticket for every different service (print, e-mail, etc.) – Plaintext transmission of password Alice, PasswordAlice, TypeOfService Ticket Ticket = EKv (Alice, IPAlice, ServerID)
A more secure authentication dialog • To solve these problems, we introduce a scheme for avoiding plaintext passwords and a new server, known as the ticket-granting server (TGS). 1. The client requests a ticket-granting ticket from the AS 2. The AS responds with a TicketTGS that is encrypted with a key derived from the user’s password. • The client opens it – no transmission of passwords • This ticket is reusable; it can be used by the client to request multiple service-granting tickets 3. The client requests from TGS a service-granting ticket. 4. TGS decrypts the incoming TicketTGS and issues TicketService 5. The client uses the new ticket to gain access to particular service.
Kerberos Authentication System Kerberos Server Key Distribution Center Verifier (particular server) Applicant Kerberos is a client- server Authentication system developed at MIT that solves the single sign on problem
Kerberos Authentication Service • The first phase in the Kerberos protocol is for the applicant to be authenticated by the Kerberos Server. • Each applicant has a master key (Key mA), which is created by hashing a password. – This key is shared with the Kerberos server – Applicant uses this master key to authenticate itself to the Kerberos server • The server sends a symmetric network login key to the applicant; the applicant will use this key in future conversations with the server – This reduces the number of times the master key is used • The Kerberos server also sends the applicant a Ticket- Granting Ticket for use in future communications with the Kerberos server. This TGT confirms that the client has been authenticated
Kerberos Authentication System Key nA (Network Login Key for A) is encrypted with A’s Master Key (Key mA). In future interactions with KDC, A will use nA to limit the master key’s exposure TGT (Ticket-Granting Ticket) is encrypted in a way that only KDC can decrypt. Information in this ticket is required for the applicant to request connections to other stations Kerberos Server Key Distribution Center (KDC) Applicant (A) 1. Request for ticket-granting ticket 2. Response: TGT, Key nA
Kerberos Ticket-Granting Service • The authentication service is used only once in a network login session – usually for a day or less – However, during that network session, the client may want to connect to other stations or services – Each time a client wants to make a connection to a verifier server, the applicant must use the Ticket Granting Service
Kerberos Ticket-Granting Service: Part 1 • The client wishes to talk to a specific Verifier (Service). The client starts the process by sending the server a ticket granting request message – The client sends its Ticket-Granting Ticket along with an authenticator (to prove it knows the network login key) – The Server sends back a symmetric session key to use with the verifier (Key AV) – The server also sends back a Service Ticket • Why does the client need to send back to the server the Ticket-granding ticket? Didn’t the server create this in the first place?
Kerberos Ticket-Granting Service: Part 1 Authenticator is A’s IP address, user name, and time stamp. This authenticator is encrypted with Key nA to prove that A sent it. Key AV is a symmetric session key that A will use with V. Kerberos Server Key Distribution Center Applicant (A) 1. Request Ticket for V; TGT; Authenticator encrypted with Key nA 2. Response: Key AV encrypted with Key nA; Service Ticket
The Service Ticket • The Kerberos server sends back a response message that contains two main things: – A session key AV that the client will use to communicate with the verifier for confidentiality – A Service Ticket which also contains the session key AV, encrypted however with the verifier’s master key mV (shared between the verifier and the Kerberos server) • Consequently only the verifier can read the ticket
Kerberos Ticket-Granting Service: Part 2 • The Applicant sends the Service Ticket to the Verifier. • It also sends an authenticator to prove that it knows Key AV – The authenticator contains the client’s IP address and other cleartext info encrypted with key AV • How is the verifier convinced that the client is not cheating?
Kerberos Ticket-Granting Service: Part 2 Authenticator (Auth) encrypted with Key AV. Service Ticket contains Key AV encrypted with the Verifier’s master key, Key mV. Applicant (A) 3. Request for Connection: Authenticator; Service Ticket 4. Verifier decrypts Service Ticket; Uses key AV to test Auth Verifier
Kerberos Ticket-Granting Service: Part 2 • Now that the client is authenticated, the client and verifier engage in on going communication using the symmetric session key AV. • The Kerberos server is not involved anymore Applicant (A) 5. Ongoing Communications with key AV Verifier
Kerberos in Perspective • Although Kerberos is viewed as an authentication system, in reality is a complete cryptographic system – Authentication • Normally one-way • Can be two-way – Key Exchange – Confidential exchanges with the symmetric session key
Kerberos in Perspective • Kerberos does not use any Public key crypto. – This makes Kerberos fast – It also means that it is not necessary to distribute digital certificates to all stations on the network – However, it can be used with PKI during the authentication phase
Kerberos in Perspective • Kerberos provides Single Sign-on service – A client needs only a single key, namely its master key. – Even if it deals with dozens of servers throughout the day, it will not need multiple keys. – This is good news for users.

More Related Content

PDF
RSA Algoritmn
byDr. Kapil Gupta
 
PPT
Security attacks
byTejaswi Potluri
 
PPT
Prof. Fred Piper: Professor Fred Piper -: Cryptography - From Black Art to Po...
byGurbir Singh
 
PPTX
Cryptography
byAbhi Prithi
 
ODP
CISSP Week 16
byjemtallon
 
PDF
Encryption: Who, What, When, Where, and Why It's Not a Panacea
byResilient Systems
 
PPT
Cryptography
byJohnsonDaniel JohnsonDaniel
 
PPTX
Cyber security
byJahirUddinKomol
 
RSA Algoritmn
byDr. Kapil Gupta
 
Security attacks
byTejaswi Potluri
 
Prof. Fred Piper: Professor Fred Piper -: Cryptography - From Black Art to Po...
byGurbir Singh
 
Cryptography
byAbhi Prithi
 
CISSP Week 16
byjemtallon
 
Encryption: Who, What, When, Where, and Why It's Not a Panacea
byResilient Systems
 
Cryptography
byJohnsonDaniel JohnsonDaniel
 
Cyber security
byJahirUddinKomol
 

What's hot

PPT
Network sec 1
byJasleen Kaur
 
PPTX
Network security
byABHISHEK KUMAR
 
PPTX
Dos unit 5
byJebasheelaSJ
 
ODP
CISSP Week 21
byjemtallon
 
PPTX
Protecting Sensitive Data (and be PCI Compliant too!)
bySecurity Innovation
 
PPTX
Threat hunting and achieving security maturity
byDNIF
 
PPTX
Preatorian Secure partners with Cipher loc - New Encryption Technology
byAustin Ross
 
PPTX
Praetorian secure encryption_services_overview
byBrent Bernard, CISSP & PCI-QSA
 
PPTX
Cryptography using python
byKaushikRamabhotla
 
PPTX
Cryptography
byMuhammad Shoaib Saleem
 
PPTX
Building a Successful Threat Hunting Program
byCarl C. Manion
 
PDF
Cryptography in Python
byAmirali Sanatinia
 
PPSX
Secure and Privacy-Preserving Big-Data Processing
byShantanu Sharma
 
PPT
Network Security
byFederal Urdu University
 
PDF
Current trends in information security โดย ผศ.ดร.ปราโมทย์ กั่วเจริญ
byBAINIDA
 
PPT
Introduction to computer security syllabus
byAyebazibwe Kenneth
 
PPTX
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
byDanny Akacki
 
DOCX
network security
byBishalWosti1
 
PPTX
501 ch 6 threats vulnerabilities attacks
bygocybersec
 
Network sec 1
byJasleen Kaur
 
Network security
byABHISHEK KUMAR
 
Dos unit 5
byJebasheelaSJ
 
CISSP Week 21
byjemtallon
 
Protecting Sensitive Data (and be PCI Compliant too!)
bySecurity Innovation
 
Threat hunting and achieving security maturity
byDNIF
 
Preatorian Secure partners with Cipher loc - New Encryption Technology
byAustin Ross
 
Praetorian secure encryption_services_overview
byBrent Bernard, CISSP & PCI-QSA
 
Cryptography using python
byKaushikRamabhotla
 
Cryptography
byMuhammad Shoaib Saleem
 
Building a Successful Threat Hunting Program
byCarl C. Manion
 
Cryptography in Python
byAmirali Sanatinia
 
Secure and Privacy-Preserving Big-Data Processing
byShantanu Sharma
 
Network Security
byFederal Urdu University
 
Current trends in information security โดย ผศ.ดร.ปราโมทย์ กั่วเจริญ
byBAINIDA
 
Introduction to computer security syllabus
byAyebazibwe Kenneth
 
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
byDanny Akacki
 
network security
byBishalWosti1
 
501 ch 6 threats vulnerabilities attacks
bygocybersec
 

Similar to Security fundamentals

PPTX
cyber security attacks cyber security attacks
byNiharikaGuptas
 
PDF
paper2.pdf
byaminasouyah
 
PDF
lecture1.pdf
byaminasouyah
 
PDF
sheet2.pdf
byaminasouyah
 
PDF
paper9.pdf
byaminasouyah
 
PDF
doc2.pdf
byaminasouyah
 
PPTX
CRYPTOGRAPHY & NETWORK SECURITY [Autosaved].pptx
byasjadzaki2021
 
PPTX
Cryptography and Network Security-ch1-4.pptx
bySamiDan3
 
PPTX
chapter 7.pptx
byMelkamtseganewTigabi1
 
PPTX
IEDA 3302 e-commerce_secure-communications.pptx
byssuser6d0da2
 
PPTX
CRYPTOGRAPHY crytopgraphy wh is sd wkd ,w d .pptx
byabduganiyevbekzod011
 
PPTX
Net
byRaviteja
 
PPTX
cryptography_and_Network_Security_fuck_scribd_scribd_will_go_to_hell.pptx
bydarkchocolate5556
 
PDF
chapter 1-4.pdf
byzerihunnana
 
PDF
information technology cryptography Msc chapter 1-4.pdf
bywondimagegndesta
 
PDF
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
byKathirvel Ayyaswamy
 
PPTX
Security Fundamentals Security Issues Earlier
bymvk11
 
PPTX
cryptography
byPriyamvada Singh
 
PPT
Computer and Network Security
byMuhammad Yousuf Abdul Qadir
 
PPTX
Cryptography Introduction Classical Encryption
byRajarajanS15
 
cyber security attacks cyber security attacks
byNiharikaGuptas
 
paper2.pdf
byaminasouyah
 
lecture1.pdf
byaminasouyah
 
sheet2.pdf
byaminasouyah
 
paper9.pdf
byaminasouyah
 
doc2.pdf
byaminasouyah
 
CRYPTOGRAPHY & NETWORK SECURITY [Autosaved].pptx
byasjadzaki2021
 
Cryptography and Network Security-ch1-4.pptx
bySamiDan3
 
chapter 7.pptx
byMelkamtseganewTigabi1
 
IEDA 3302 e-commerce_secure-communications.pptx
byssuser6d0da2
 
CRYPTOGRAPHY crytopgraphy wh is sd wkd ,w d .pptx
byabduganiyevbekzod011
 
Net
byRaviteja
 
cryptography_and_Network_Security_fuck_scribd_scribd_will_go_to_hell.pptx
bydarkchocolate5556
 
chapter 1-4.pdf
byzerihunnana
 
information technology cryptography Msc chapter 1-4.pdf
bywondimagegndesta
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
byKathirvel Ayyaswamy
 
Security Fundamentals Security Issues Earlier
bymvk11
 
cryptography
byPriyamvada Singh
 
Computer and Network Security
byMuhammad Yousuf Abdul Qadir
 
Cryptography Introduction Classical Encryption
byRajarajanS15
 

Recently uploaded

PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PPTX
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
PDF
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
PPTX
Kanban India 2025 | Daksh Gupta | Modeling the Models, Generative AI & Kanban
byLeanKanbanIndia
 
PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PPTX
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PPTX
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
PPTX
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
PPTX
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
PDF
December Patch Tuesday
byIvanti
 
PDF
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
Kanban India 2025 | Daksh Gupta | Modeling the Models, Generative AI & Kanban
byLeanKanbanIndia
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
December Patch Tuesday
byIvanti
 
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 

Security fundamentals

  • 1.
  • 2.
    Computer and Network Security •Computer Security: generic name for the collection of tools designed to protect data and to thwart hackers • Network Security: measures to protect data during their transmission over a collection of interconnected networks
  • 3.
    Sample of SecurityProblems • How do I know with whom I am communicating? • Can data be manipulated? • Can data be read by unauthorized individuals? • How can actions be carried out in a binding way? • And so on… Internet
  • 4.
    Security Goals • Derivedrequirements – Authentication: Who is who? – Access control: Only selective access is authorized Confidentiality Integrity Availability
  • 5.
    Services, Mechanisms, Attacks • Toassess the security needs of a system and choose appropriate policies, one needs a systematic way to define the requirements for security • One approach is to consider three aspects of information security: – security attacks – security mechanisms – security services
  • 6.
    Security Services • Enhancethe security of systems and the information transfers between them. It is intended to – counter security attacks – make use of one or more security mechanisms to provide the service – replicate functions normally associated with physical documents • E.g. have signatures, dates; need protection from disclosure, tampering, or destruction; be notarized or witnessed; Be recorded or licensed • These functions must be performed on electronic documents as well
  • 7.
    Security Services • Confidentiality– protection from passive attacks • Authentication – you are who you say you are • Integrity – received as sent, no modifications, insertions, shuffling or replays • Nonrepudiation – can’t deny a message was sent or received • Access Control – ability to limit and control access to host systems and apps • Availability – attacks affecting loss or reduction on availability
  • 8.
    Security Mechanisms • Amechanism that is designed to detect, prevent, or recover from a security attack – No single mechanism that will support all functions required – However one particular element underlies many of the security mechanisms in use: cryptographic techniques – Our focus… • Specific security mechanisms: – Encryption, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control…
  • 9.
    Security Attacks • Anyaction that compromises the security of information – Information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems • Example of attacks – Unauthorized access, – Impersonation – Claim to have received or sent information that was not sent – Modify information – Prevent communications – Insert self into a communications link – etc…
  • 10.
    Security Attacks • Normalflow Information Source Information Destination
  • 11.
    Security Attacks • Attackon availability Information Source Information Destination Interruption
  • 12.
    Security Attacks • Attackon confidentiality Information Source Information Destination Interception
  • 13.
    Security Attacks • Attackon integrity Information Source Information Destination Modification
  • 14.
    Security Attacks • Attackon Authenticity Information Source Information Destination Fabrication
  • 15.
    Security Attack Classification •Eavesdropping, monitoring of transmissions Passive Attacks Release of message contents Traffic Analysis
  • 16.
    Security Attack Classification •Some modification of the data stream Active Attacks Masquerade Denial of Service Replay Modification of Message contents
  • 17.
    Kerckhoffs’ Principle • Kerckhoffsdefined a list of requirements for the design of cryptosystems (1883) that remains, for the most part, useful today 1. The system should be, if not theoretically unbreakable, unbreakable in practice; 2. Compromise of the system details should not inconvenience the correspondents; 3. The key should be rememberable without notes and easily changed; 4. The cryptogram should be transmissible by telegraph; 5. The encryption apparatus should be portable and operable by a single person; and 6. The system should be easy, requiring neither the knowledge of a long list of rules nor mental strain.
  • 18.
    Symmetric Encryption • Alsoknown as private-key • Sender and recipient share a common key • All classical encryption algorithms are private-key • Was only type prior to invention of public-key in 1970’s
  • 19.
    Terminology • Plaintext -the original message • Ciphertext - the encrypted message • Key - information used in cipher known only to sender/receiver • Encrypt - converting plaintext to ciphertext • Decrypt - recovering ciphertext from plaintext • Cryptosystem: An encryption/decryption algorithm plus the description of the format of messages and keys. It consists of the following: – A plaintext message space – A ciphertext message space – A set of possible encryption/decryption keys – An efficient key generation algorithm – Efficient encryption/decryption algorithms
  • 20.
    Ciphers • A cipheris a means of transforming plaintext into ciphertext under the control of a secret key • We write c = Ek(m), where – m is the plaintext – E is the encryption function – k is the secret key – c is the ciphertext produced • Decryption is denoted by m = Dk(c) • According to Kerchoffs principle both E and D should be public. – The secrecy of m given c depends totally on the secrecy of k.
  • 21.
    Attacks on Encryption Schemes •A ciphertext-only attack is one where the adversary tries to deduce the decryption key or plaintext by only observing ciphertext (almost never true). – Any encryption scheme vulnerable to this type of attack is considered to be completely insecure. • A known-plaintext attack is one where the adversary has a quantity of plaintext and corresponding ciphertext. – Sometimes there are messages which are easy to predict • “I’m away on vacations” e-mail auto-responders – Press releases of embassies – Protocols have standard headers that must be encrypted as well.
  • 22.
    Attacks on Encryption Schemes •A chosen-plaintext attack is one where the adversary chooses plaintext and is then given corresponding ciphertext. – There is a large number of cryptographic protocols in which the attacker prepares the data to be encrypted… • A chosen-ciphertext (and plaintext) attack is one where the adversary selects the ciphertext and is then given the corresponding plaintext. – Adversary gains access to decryption equipment. • Distinguishing attacks – Do not recover the message but reveal some partial information about the message. • Birthday attacks – Named after the “Birthday paradox”.
  • 23.
    Brute Force Attack •Always possible to simply try every key – Most basic attack, proportional to key size – The number of keys must be large to prevent exhaustive search
  • 24.
    Security Level • Anysystem built today really needs a 128-bit security level. – This means that any attack will require at least 2128 steps. • A new designed system will likely be in operation 30 years from now and should provide at least 20 years of confidentiality of data. – We should aim to provide security for the next 50 years! • Lenstra and Verheul in “Selecting Cryptographic Key Sizes” suggest the use of 110 bits. – No cryptographic primitives exist with 110-bit keys, so 128 bits is preferred…
  • 25.
    Lenstra—Verheul Recommendations • Analysis basedon 4 assumptions – 5×105 MIPS Years (MY) was an adequate security margin for commercial applications up to 1982. • This number was derived from the assumption that DES was sufficient for such applications in 1982 • 1MY = 1 year of computation on a VAX 11/780 = 20 hours on a 450MHz PII • 5×105 MY = 14000 months on a 450MHz PII = 2 months on 7000 such processors – The amount of computing power and RAM one gets for a dollar doubles every 18 months. • Every 10 years one expects about 210×(12/18) more power and RAM
  • 26.
    Lenstra—Verheul Recommendations • The budgetsof organizations (attackers) doubles every 10 years • The computational effort required to break hard cryptographic problems halves every 18 months. Example • If 5×105MY was infeasible in 1982 then • … 100 × 2 × (5×105MY) = 108 infeasible in 1992 • … 100 × 2 × (108MY) = 2 × 1010 infeasible in 2002 • … 100 × 2 × (2 × 1010MY) = 4 × 1012 infeasible in 2012 • … 100 × 2 × (4 × 1012MY) = 8 × 1014 infeasible in 2022
  • 27.
    Lenstra—Verheul Recommendations Year |n| or|p| Year |n| or |p| Year |n| or |p| Year |n| or |p| 2000 70 2010 78 2020 86 2030 93 2001 71 2011 79 2021 86 2031 94 2002 72 2012 80 2022 87 2032 95 2003 73 2013 80 2023 88 2033 96 2004 73 2014 81 2024 889 2034 96 2005 74 2015 82 2025 89 2035 97 2006 75 2016 83 2026 90 2036 98 2007 76 2017 83 2027 91 2037 99 2008 76 2018 84 2028 92 2038 99 2009 77 2019 85 2029 93 2039 100
  • 28.
    Unconditional Security • Unconditionalsecurity – No matter how much computer power is available, the cipher cannot be broken since the ciphertext provides insufficient information to uniquely determine the corresponding plaintext – Very “expensive”, as the length of the key must be as long as the data to be encrypted. – One time pad. • For unconditional security we place no bound on the computational power of the adversary. – In other words a system is unconditionally secure if it cannot be broken even with infinite computing power. – Other names for unconditionally secure are: Perfectly secure, Information Theoretically Secure
  • 29.
    Computational Security • Computationalsecurity – Given limited computing resources (e.g., time needed for calculations is greater than age of universe and/or the computers used are more than the atoms in the universe), the cipher cannot be broken. – Works with adversaries of limited computational power. – If adversary works harder, she can learn more, but any feasible amount of effort should not reveal any noticeable information! • Breaking the system is reduced to solving some well studied hard problem.
  • 30.
  • 31.
    Computational Security • Whenconsidering schemes which are computationally secure – We need to be careful about the key sizes – We need to keep ahead of algorithmic developments – At some point in the future we should expect our system to become broken (may be many millennia though). – Most schemes in use today are computationally secure. • Examples – The following are not computationally secure: Caesar cipher, Substitution cipher, Vigenere cipher – The following are computationally secure but not unconditionally secure: DES – AES, RSA – One time pad is unconditionally secure if used correctly.
  • 32.
    Classical Ciphers • Classicalciphers are divided into two main categories: – Substitution ciphers • The encryption algorithm Ek(m) is a substitution function which replaces each message m with a corresponding ciphertext c. • The encryption function is parameterized by the secret key k. • The decryption algorithm is the reverse process – Transposition ciphers • Transform a message by rearranging the positions of the elements in the message without changing the identities of the elements in the message. • The importance of classic cipher techniques is illustrated by their use in modern ciphers.
  • 33.
    Shift Ciphers • Eachletter is identified with a number A = 0, B = 1, C = 2, …, Z = 25 – The key k (or the shift) is a number in the range 0-25 • Encryption is addition of k onto each letter modulo 26. – Julius Caesar used the key k = 3. – Example CRYPTOGRAPHY → FYBSWRJYDSKB
  • 34.
    Shift Cipher • Breakby using statistical occurrence of letters
  • 35.
    Substitution Cipher • Theproblem with the Shift cipher is that the number of keys is too small. – How many keys? • One way to strengthen the cipher is to permute the letters of the alphabet. – Encryption involves replacing each letter by its permuted version. – Decryption involves use of the inverse permutation. – Example A B C D E F G H I J K L M N O P Q R S T U V W X Y Z L U N I M X K Y F G T S J P W C E Z V Q R A D O B H • The key space for this cipher has size 26! > 4 x 1026 ≈ 288 – This is far too large a number to brute force search using modern computers. • Is this safe to use?
  • 36.
    • Break byusing – Frequency of letter occurrence – Frequency of bigrams • QY(4.57), MP(2.80), QW(2.65), LP(2.51), JM(2.21), MV(2.21)
  • 37.
    Language redundancy and Cryptanalysis •We were able to tackle the previous ciphers because human languages are redundant – W dnt actly nd ll lttrs t ndrstnd nglsh txt – Here vowels were removed, but they’re not the only redundancy. – In “party conversations”, we can hear one person speaking out of hubbub of many, again because of redundancy in aural language also. – This redundancy is also the reason we can compress text files – Basic idea is to count the relative frequencies of letters, and note the resulting pattern. • Key concept - monoalphabetic substitution ciphers do not change relative letter frequencies
  • 38.
    Polyalphabetic Ciphers • Asubstitution cipher is called polyalphabetic if a plaintext message may be substituted into more than one ciphertexts – This attempts to reduce the “spikyness” of natural language texts – Makes cryptanalysis harder with more alphabets to guess and flattens frequency distribution • The most famous cipher is the Vigenere Cipher (16th century), believed to be unbreakable for a number of years. – Effectively multiple Caesar ciphers – The ith letter of the key specifies ith alphabet to use – Use each alphabet in turn – Repeat from start after d letters in message, where d is key length – Decryption simply works in reverse
  • 39.
    Security of VigenèreCipher • In general, letter frequencies are obscured but not totally lost – So, Vigenere is still “easy” to break. • Once we have found the length of the key then breaking the message is the same as breaking the Shift Cipher a number of times. – If the keyword length is d, the cipher consists of d shift ciphers – So the elements in positions 1, d+1, 2d+1, etc. are encrypted with the same letter. – Thus we can use the known frequency characteristics to attack each of the mono-alphabetic ciphers separately. – In general the approach is to find a number of duplicated sequences, collect all their distances apart, look for common factors.
  • 40.
    Vernam Cipher (One-Time- Pad) •Extension of Vigenere cipher. – Key is as long as the message. • Is unbreakable since ciphertext bears no statistical relationship to the plaintext – For any plaintext and any ciphertext there exists a key mapping one to other – Called a One-Time pad, since key can only be used once! • Example – key: kdiwhapwi diewsgewk – plaintext: attacknow howareyou – ciphertext: lxcxkldlf lxcxkldlf
  • 41.
    Key Distribution • Onetime pad is perfectly secure if used only once and key is random. – Perfect secrecy : length of key is at least length of plaintext. • If this is a perfect cipher why look for more? – Making random keys is not an easy task especially if you have to generate zillions of characters to encode traffic. – Even greater problem is key distribution and protection. For every message to be sent, a key of equal length must be used by sender and receiver… • Aim of modern cryptography is to design systems where – One key can be used many times. – One small key can encrypt a long message. – Such systems will not be unconditionally secure, but should be at least computationally secure.
  • 42.
    Transposition Ciphers • TranspositionCiphers form the second basic building block of ciphers – These hide the message by rearranging the letter order without altering the actual letters used – Must be very careful how to do this in order to avoid easy cryptanalysis…
  • 43.
    Product Ciphers • Ciphersusing substitutions or transpositions are not secure because of language characteristics • Consider using several ciphers in succession to make harder: – Two substitutions make a more complex substitution – Two transpositions make more complex transposition – But a substitution followed by a transposition makes a new much harder cipher • This is bridge from classical to modern ciphers – Substitution and transposition are still the most important kernel techniques in the construction of modern symmetric encryption algorithms.
  • 44.
    Usefulness of Classical Ciphers •Classical ciphers, even simple substitution ones, can be secure in a very strong sense if the use of keys follows certain conditions – With proper key usage, such ciphers are widely used in cryptographic protocols. • Example: – Using a shift cipher we’ll construct a Zero-Knowledge-proof protocol that allows Alice to prove to Bob that she knows a secret without revealing that secret to Bob. • The secret may be a cryptographic credential proving her identity or entitlement to a service. • The protocol will show how Alice can use the credential without Bob know anything about it…
  • 45.
    Usefulness of Classical Ciphers •Assumptions – We have again a magic function f that is easy to compute and difficult to invert. – This function is also Homomorphic, i.e., f(x1+x2) = f(x1) ⋅ f(x2)
  • 46.
  • 47.
    Modern Block Ciphers •Block ciphers are used widely in the design of protocols for symmetric key cryptography. – Provide secrecy and/or authentication services. – They are the main “technology” we have in our disposal. – We continue to use block ciphers because they are comparatively fast, and because we know a fair amount about how to design them
  • 48.
    Modern Block Ciphers •Ciphers are just tools! – They don’t, by themselves, do anything that any end user would care about. As with any tool, one must learn how to use it… – We’ll give emphasis in their correct use and not how to design them…
  • 49.
    Stream Ciphers • Astream cipher process messages a bit or byte at a time. – Basic idea: replace the random key in one time pad by a pseudorandom sequence, generated by a cryptographic pseudo- random generator that is ‘seeded’ with the key. – Properties • Short key, but only practical security. • Encryption in small quantities (bit/byte). • No error propagation. • Very fast. K Pseudo-random sequence 11010010100001010010101...
  • 50.
    Stream Cipher Properties •Design considerations are: – Long period with no repetitions – Statistically random – Depends on large enough key • Key must be large to defend against brute force attacks – Must provide confusion and diffusion
  • 51.
    Stream vs. BlockCiphers • Block ciphers work on a block at a time, each of which is then encrypted/decrypted – Typically blocks have length 64 or 128 bits. – They have a substitution-permutation network structure. – Operate like a substitution on very big characters (64- bits or more) • Many current ciphers are block ciphers, hence our focus
  • 52.
    Block CIphers • Ablock cipher is a function E: {0, 1}k × {0,1}L→ {0,1}L that takes two inputs, a k-bit key K and an L-bit plaintext M, to return an L-bit encryption C = E(K, M) – A block cipher is a permutation on l-bit strings, which means that there exists an inverse function denoted by EK -1 or D . – Hence EK -1 (EK(M)) = M and EK(EK -1 (C)) = C – The block cipher is a public and fully specified algorithm – Security lies on the secrecy of the key, so key recovery by an adversary should be a difficult problem. EM K C
  • 53.
    Block Cipher Principles •Most symmetric block ciphers are based on a Feistel Cipher Structure • Partitions input block into two halves. Then process through multiple rounds which – Perform a substitution on left data half based on round function of right half & sub-key – Then have permutation swapping halves • This mechanism implements Shannon’s concepts of diffusion and confusion. Li-1 Ri-1 Li Ri f K
  • 54.
    Confusion and Diffusion •The cipher must hide statistical properties of original message, just like the one-time pad. – The mechanism of diffusion seeks to make the statistical relationship between the plaintext and ciphertext as complex as possible in order to thwart attempts to deduce the key. – Confusion seeks to make the relationship between the statistics of the ciphertext and the value of the encryption key as complex as possible, again to thwart attempts to discover the key. • Diffusion and confusion capture the essence of the desired attributes of block ciphers – They have become the cornerstone of modern block cipher design.
  • 55.
    Data Encryption Standard (DES) •The most widely used block cipher in the world. Even though it is now feeling its age, no discussion on block ciphers should omit its construction. – Remarkably well engineered algorithm. – Has widespread use. Every time you use an ATM machine, you are using DES. – DES has key length k = 56 bits and block length L = 64 bits. • Adopted in 1977 by NBS (now NIST) as FIPS PUB 46 – Proved remarkably secure – There has been concerns about exhaustive-key search but for a fair amount time 56 bits was good enough against all but very well founded organizations. – Interesting attacks emerged only in the 90’s but even so they don’t really break DES.
  • 56.
    DES Design Controversy •In 1973 NBS issued request for proposals for a national cipher standard. – IBM developed Lucifer cipher by team led by Feistel – Used 64-bit data blocks with 128-bit key – Then redeveloped as a commercial cipher with input from NSA and others • There was considerable controversy over design – In choice of 56-bit key (vs. Lucifer 128-bit) and because design criteria were classified – Afraid of hidden trapdoor – Subsequent events and public analysis show in fact design was appropriate
  • 57.
    DES Round Structure •Uses two 32-bit L & R halves. As for any Feistel cipher can describe as: Li = Ri–1 Ri = Li–1 ⊕ F(Ri–1, Ki) • It takes 32-bit R half and 48-bit subkey and: – Expands R to 48-bits using permutation E – Adds to subkey – Passes through 8 S-boxes to get 32-bit result – Finally permutes this using 32- bit permutation P – S-boxes provide the “confusion” of data and key values, whilst the permutation P then spreads this as widely as possible, giving “diffusion”.
  • 58.
  • 59.
    Substitution Boxes S •There are eight S-boxes which map 6 to 4 bits – Outer bits 1 & 6 (row bits) select one rows – Inner bits 2-5 (column bits) are substituted – Result is 8 tuples of 4 bits, or 32 bits – Row selection depends on both data & key • Each S-box is a non-linear permutation function, which provides the non-linearity needed in message distribution.
  • 60.
  • 61.
    Avalanche Effect • Thisis a desirable property of every encryption algorithm. – Change of one input or key bit results in changing approximately half output bits • If the change were small, this might provide a way to reduce the search space. • DES exhibits strong avalanche
  • 62.
    Strength of DES– Key Size • 56-bit keys have 256 = 7.2 x 1016 values • Brute force search looks hard although recent advances have shown is possible – In 1997 on Internet in a few months – In July 1998, the Electronic Frontier Foundation (EFF) announced that it had broken a DES encryption using a special-purpose “DES cracker” machine that was built for less than $250,000. The attack took less than three days. – In 1999 above combined in 22hrs! • Now considering alternatives to DES with a higher key space (AES) • Moore’s law: – Computing power doubles every 18 months. – After 21 years the effective key size is reduced by 14 bits. – Long term: key length and block length of 128 bits.
  • 63.
    Strength of DES– Timing Attacks • Attacks actual implementation of cipher – Use knowledge of consequences of implementation to derive knowledge of some/all subkey bits – Specifically use fact that calculations can take varying times depending on the value of the inputs to it • Particularly problematic on smartcards
  • 64.
    Strength of DES– Analytic Attacks • Now have several analytic attacks on DES • These utilise some deep structure of the cipher – By gathering information about encryptions can eventually recover some/all of the sub-key bits – If necessary then exhaustively search for the rest • Generally these are statistical attacks. They include – Differential cryptanalysis – Linear cryptanalysis – Related key attacks
  • 65.
    Differential Cryptanalysis • Oneof the most significant recent (public) advances in cryptanalysis – However, known by NSA in 70’s cf . DES design • Murphy, Biham & Shamir published 1990 a powerful method to analyse block ciphers – They show Differential Cryptanalysis can successfully cryptanalyse DES with an effort on the order of 247, requiring 247 chosen plaintexts. • DES reasonably resistant to it, cf Lucifer – Differential cryptanalysis was known to the IBM DES design team as early as 1974, and influenced the design of the S-boxes and the permutation P. – Compare with cryptanalysis of an eight-round LUCIFER algorithm requires only 256 chosen plaintexts, whereas an attack on an eightround version of DES requires 214 chosen plaintexts.
  • 66.
    Differential Cryptanalysis • DifferentialCryptanalysis compares two related pairs of encryptions with a known difference in the input searching for a known difference in output when same subkeys are used – Have some input difference giving some output difference with probability p – If find instances of some higher probability input / output difference pairs occurring, can infer subkey that was used in round – Then must iterate process over many rounds (with decreasing probabilities) • The attack is performed by repeatedly encrypting plaintext pairs with known input XOR until obtain desired output XOR • Can then deduce keys values for the rounds
  • 67.
    Linear Cryptanalysis • Anotherrecent development which is also a statistical method – Developed by Matsui et al in early 90's – Based on finding linear approximations • Can attack DES with 247 known plaintexts, still in practice infeasible • Still brute force attack remains the main attack of DES.
  • 68.
    Double DES • Giventhe potential vulnerability of DES to exhaustive search, alternatives have been proposed. – One such alternative is to use multiple encryptions with DES and multiple keys. – This gives rise to 2-DES Not safe due to a Meet-in- the-middle attack. Given pair (P, C) form 2 tables. Then check for a match. EM K1 CE K2 EK1(M) EK2(M) EK3(M) … EK56(M) DK1(C) DK2(C) DK3(C) … DK56(C)
  • 69.
    Triple-DES with Two-Keys •To withstand the meet-in-the-middle attack one can use 2 stages of encryption with 3 different keys. • One alternative is to use 2 keys with E-D-E sequence (also known as EDE DES) – C = EK1[DK2[EK1[P]]] – Encrypt & decrypt equivalent in security – What is the significance of using D in the middle?? • No current known practical attacks – The cost of exhaustive key search is of the order 2112
  • 70.
    AES • January 1997:NIST call for algorithms to replace DES. – Block cipher: 128-bit blocks, 128/192/256- bit keys. – Strength 3-DES, efficiency much higher. • Designers give up all intellectual rights. • Open process: public comments, international submissions. – Website: http://www.nist.gov/aes/
  • 71.
  • 72.
    Modes of Operation •DES (or any block cipher) forms a basic building block, which encrypts a fixed sized block of data (of length L). – Typically the block size is 64 or 128 bits. – To use these in practice, we need to handle arbitrary amounts of data. – To do that we use a block cipher in some mode of operation. • We will describe three of them that exhibit different kinds of features. – Electronic Code-Book (ECB) – Cipher Block Chaining (CBC) – Counter (CTR) – In all cases the input string is a multiple of block length. If not padding is used (padding, however, introduces security risks). Message L bits L bits L bits …
  • 73.
    Electronic Code Book(ECB) • The message is broken into blocks which are encoded independently of the other blocks. Encrypt (<m1,m2,…,mn>) for i=1 to n do ci = EK(mi) return (<c1,c2,…,cn>) Decrypt (<c1,c2,…,cn>) for i=1 to n do mi = EK -1(ci) return (<m1,m2,…,mn>) EKm1 c1 EKm2 c2 EKmn cn . . . . . .
  • 74.
    Limitations of ECB •The mode is deterministic. Hence repetitions in message may show in ciphertext – Weakness due to encrypted message blocks being independent – Furthermore blocks can be shuffled/inserted without affecting the en/decryption of each block. • Main use is when only a single block of info needs to be sent (e.g. a session key encrypted using a master key).
  • 75.
    Cipher Block Chaining(CBC) • Message is broken into blocks but these are linked together in the encryption operation. – Each previous cipher block is chained with current plaintext block, hence name – Attempts to make the ciphertext depend on all blocks before it. • To start the process, use an Initial Value (IV), which is usually random. • CBC mode is applicable whenever large amounts of data need to be sent securely, provided that it’s available in advance (e.g., email, FTP, web, etc.) – Uses: bulk data encryption, authentication
  • 76.
    Cipher Block Chaining(CBC) Encrypt (<m1,m2,…,mn>) Let IV =R {0,1}L for i=1 to n do ci = EK(mi ⊕ ci-1) return (<IV, c1,c2,…,cn>) Decrypt (<c0,c1,c2,…,cn>) for i=1 to n do mi = EK -1(ci) ⊕ ci-1 return (<m1,m2,…,mn>) EKm1 c1 EKm2 c2 EKmn cn . . . . . . IV c0
  • 77.
    Advantages and Limitations ofCBC • Each ciphertext block depends on all message blocks – A change in the message affects all ciphertext blocks after the change as well as the original block • Need Initial Value (IV) known to sender & receiver – If IV is sent in the clear, an attacker can change bits of the first block, and change IV to compensate – Hence it must be sent encrypted in ECB mode before rest of message or use a synchronized counter. • At end of message, handle possible last short block using padding – This however poses a security risk • A misconception is that this mode provides protection against unauthorized data modification such as deletion and insertion because blocks are chained together. – This is not so!
  • 78.
    Counter (CTR) • Countermode uses an auxiliary value (IV) which is an integer in the range 0...2L-1. – In the following addition is done modulo 2L Encrypt (<m1,m2,…,mn>) Let IV =R {0,1}L for i=1 to n do ci = EK(IV+i)⊕ mi return (<IV, c1,c2,…,cn>) Decrypt (<c0,c1,c2,…,cn>) for i=1 to n do mi = EK(IV+i) ⊕ ci return (<m1,m2,…,mn>) EKIV+1 c1 EK c2 EK cn . . . . . . IV c0 m1 m2 mn IV+2 IV+n
  • 79.
    Advantages and Limitations ofCTR • Efficiency – Can do parallel encryptions – In advance of need • Provides random access to encrypted data blocks • Provable security (good as other modes) – Must ensure never reuse key/counter values, otherwise could break • Uses: high-speed network encryptions
  • 80.
  • 81.
    A Vulnerable Environment •A large network of computers such as the Internet is typically open. – Anyone (a computer, a device, a person, an organization) can join and start sending/receiving messages without the need for an authorization. – In such an open environment there may exist bad guys who will do all sort of bad things (eavesdropping, altering, forging, rerouting, deleting or injecting messages). – Our active attacker is Eve. Cartoon by Peter Steiner. The New Yorker, July 5, 1993
  • 82.
    A Vulnerable Environment •In such an environment Eve can manipulate communications – Her manipulation techniques are unpredictable • May represent a coalition of bad guys, thus she can control a large number of network nodes geographically apart. – In anticipation of such a vulnerable environment, Dolev and Yao (1981) proposed a threat model that has become a standard
  • 83.
    The Dolev-Yao threatmodel • In the Dolev-Yao threat model – Eve can obtain any message passing through the network – Eve is a legit user of the network and thus can initiate and participate in a conversation with any other user – Eve can become the receiver of messages – Eve can send messages to anybody through impersonation – Any message sent is considered to be available to Eve – Any message received is considered to have been through Eve.
  • 84.
    The Dolev-Yao threatmodel Eve is considered to have complete control of the entire network. In fact we should think of the open network as Eve. Eve
  • 85.
    Vulnerability of communications • SinceEve can inject or forge messages, she will try to fool the receivers about the origin of messages. – To use such a vulnerable communication medium in a secure manner, protection against eavesdropping is inadequate. – We need mechanisms which can enable a message receiver to verify that • A message has come from the claimed source • A message has not been altered during transmission
  • 86.
    Vulnerability of communications • DataIntegrity is the security service that protects/warns against unauthorized modification of messages. – Is closely related to error-detection codes in communications • Working Principle: A transmitter of the message creates a “check value” that appends to the message.
  • 87.
    Authenticity vs. privacy •In many settings, security requires that communicated data has not been altered during transmission • Examples – An online stock broker responds to a quote request by sending the value of a certain stock. • If the value is changed during transmission by an adversary, this may lead to a bad financial decision. – Data obtained from a database; its value lies in its authenticity as vouched by the service provider. – Transmit data of only two kinds: buy/sell or fire/don’t fire. • If the value is encoded in a single bit and the adversary manages to flip that bit, the wrong action will be taken. – Electronic transfer of amounts: changing 100€ to 1000000€.
  • 88.
    Authenticity vs. Privacy Authenticityof data transmitted across a network can be even more important to security than privacy of data.
  • 89.
    Is encryption theright tool? • The authentication problem is very different from the encryption problem. – We are not worried about secrecy of data; let the data be in the clear. – We are worried about the adversary modifying it.
  • 90.
    Is encryption theright tool? • Consider the following method for providing integrity – Fix a symmetric encryption scheme and let Alice and Bob share a key K for this scheme. – When Alice wants to send a message m to Bob, she encrypts it and transfers the ciphertext c = EK(m). Similarly, Bob decrypts it to obtain m. • Alice uses this scheme to transfer 1000€ from her account. • If the message is sent in the clear, Eve can modify it. • But if the message is encrypted, how can Eve modify it without knowing the key K? • Privacy appears to make tampering difficult… – How good is this scheme for data integrity?
  • 91.
    NO!!! • The previousargument is fallacious. – Recall CCA2 attacks last time – Even if we do not know the value of the original bit, damage may be caused by flipping it to opposite value. • One should recognize the disparity of goals. – There is no reason to expect encryption to provide integrity. – However, there are many places (even in literature) where encryption and authentication are confused. – There is no reason to expect a tool to solve a problem it was not designed to solve. Encryption does NOT provide Data Integrity
  • 92.
  • 93.
    Data integrity methods •Manipulation Detection Codes (MDC). – Based on the use of hash functions • Message Authentication Codes (MAC). – (Mainly) Hash functions with a key – Both authentication and integrity • The idea is to use cryptographic function to get a check-value and send it with data. – We’ll start with hash functions
  • 94.
    Hash functions • Ahash function is a deterministic, efficient function which maps binary strings of arbitrary length to binary strings of fixed length. – The output of the hash function is called the hash- value, the fingerprint , or the digest of the message Hash functions are used for data integrity in conjunction with digital signature schemes, where for several reasons a message is typically hashed first, and then the hash- value, as a representative of the message, is signed in place of the original message. A distinct class of hash functions, called message authentication codes (MACs), allows message authentication by symmetric techniques. MAC algorithms may be viewed as hash functions which take two functionally distinct inputs, a message and a secret key, and produce a fixed-size (say n-bit) output, with the design intent that it be infeasible in practice to produce the same output without knowledge of the key. MACs can be used to provide data integrity and symmetric data origin authentication, as well as identification in symmetric- key schemes. xA19283B6F290h
  • 95.
    Properties of hashfunctions • Mixing transformation – On any input message x, the hashed value h(x) should be computationally indistinguishable from a random binary string of the same length. • Practical efficiency – It should be easy to compute h(x) for some input x
  • 96.
    One-wayness • One-way property(or pre-image resistance) – Given a hash value h, it should be computationally infeasible to find a string x such that h(x) = h. – For this assumption to be reasonable, the output space should be large (128, 160 bits) – In practice we need something stronger than this to prevent the following attack: • An attacker obtains your signature h(m) on some message m • The attacker finds another message m' with h(m) = h(m'). • The attacker has your signature on the message m'.
  • 97.
    2nd pre-image Resistance •2nd pre-image resistance (or weak collision resistance) – Given message x and h(x) it should be hard to find another message y such that h(x) = h(y). – In practice we need something stronger than this to prevent the following attack: • The attacker chooses two messages m and m' with h(m) = h(m'). • She has m “signed” by sending the fingerprint h(m) • Later they repudiate, saying it was m' that was signed.
  • 98.
    Collision Resistance • Collisionresistance (or strong collision resistance) – It should be computationally infeasible to find two inputs x, y, with x≠y, such that h(x) = h(y). – Again the output space should be large enough but this property is harder to enforce due to the birthday paradox.
  • 99.
    Properties of hashfunctions easy hard One-way property y x x’ [Strong] Collision resistance
  • 100.
    Classification Hash function unkeyed keyed other application MDCother application MAC OWHF CRHF preimage res 2nd-preimage collision res
  • 101.
    Hash Properties requiredin Applications Properties One-way 2nd preimage Collision resistance MDC+ asymmetric signature yes yes yes* MDC+ authentic channel yes yes* Password File (MDC) yes MAC (unknown key) yes yes yes*
  • 102.
    Model for iteratedhash functions Arbitrary length Input Iterated compression function Optional transformation output Fixed length output
  • 103.
    Birthday Paradox • Howmany students must be in a class so that there is a greater than 50% chance that – One of the students shares the teacher’s birthday (up to the day and month)? Answer: ~366/2 = 188 – Any two of the students share the same birthday (up to the day and month)?
  • 104.
    Birthday Attacks • TheBirthday Attack exploits the birthday paradox – The chance that in a group of people two will share the same birthday – Only 23 people are needed for a Pr > 0.5 • Probability increases quite rapidly since in a group of 30 people we obtain a probability of approximately 0.7 • In a group of 100 people, probability is over 0.999 – Can generalize the problem to one wanting a matching pair from any two sets, and show that need 2m/2 in each to get a matching m-bit hash.
  • 105.
    Birthday Attacks q Pr[2have same birthdate] 15 0.253 18 0.347 20 0.411 21 0.444 23 0.507 25 0.569 27 0.627 30 0.796 35 0.818 40 0.891 50 0,970
  • 106.
    Birthday Attacks • Birthdayattacks work like this: – Opponent generates 2m/2 variations of a valid message all with essentially the same meaning. • Note that creating many message variants is relatively easy, either by rewording or just varying the amount of white- space in the message. – Opponent also generates 2m/2 variations of a desired fraudulent message – Two sets of messages are compared to find pair with same hash (probability > 0.5 by birthday paradox) – Then have user sign the valid message, then substitute the forgery which will have a valid signature
  • 107.
    Birthday Attacks I, Victim,that I have on from Sofoklis on 2014. This should be to no later than the day of February 2014 J.D. John hereby - state confirm received borrowed a book a textbook Security Cryptography Dr. Prof. Efremidis Efraimidis February 26 26/2 book textbook returned given back Prof. Dr. Efremidis Efraimidis 28th 27th
  • 108.
    Birthday Attacks I, Victim,that I have Euros from Sofoklis on 2014. This should be to no later than the day of February 2014 J.D. John hereby - state confirm received borrowed 1000000 one million Dr. Prof. Efremidis Efraimidis February 26 26/2 amount money returned given back Prof. Dr. Efremidis Efraimidis 28th 27th
  • 109.
    Output space ofhash functions • Due to the birthday attack, the size of the output space of a hash function must have a lower bound. – The current widely used hash functions in applied cryptography are • SHA-1: US government standard • RIPEMD-160: European design – Both process blocks of 512 bits and produce 160 bits fingerprints – Their strength against the birthday attack is therefore 280. • This is compatible to the strength of a block cipher with key length up to 80 bits. – The previous popular hash function has 128 bit output which was tailored to suit the DES’ key length of 56 bits.
  • 110.
    Security of somehash functions MD2 (Rivest ‘88) MD4 (Rivest ‘90) MD5 (Rivest ‘90) SHA-0 SHA-1 RIPEMED-128 RIPEMED-160 Weakness discovered by NSA (1995) Found collision on the compression function (Dobbertin ’96) SHA-256, SHA-384, SHA-512
  • 111.
    Example Outputs RIPMED160 • RIPEMD-160("Thequick brown fox jumps over the lazy dog") = 37f332f68db77bd9d7edd4969571ad671cf9dd3b • RIPEMD-160("The quick brown fox jumps over the lazy cog") = 132072df690933835eb8b6ad0b77e7b6f14acad7 • RIPEMD-160("") = 9c1185a5c5e9fc54612808977ee8f548b2258d31 SHA-1 • SHA1("The quick brown fox jumps over the lazy dog") = 2fd4e1c6 7a2d28fc ed849ee1 bb76e739 1b93eb12 • SHA1("The quick brown fox jumps over the lazy cog") = de9f2c7f d25e1b3a fad3e85a 0bd17d9b 100db4b3 • SHA1("") = da39a3ee 5e6b4b0d 3255bfef 95601890 afd80709
  • 112.
    Quest for aGood Hash Function
  • 113.
    Applications of Hash Functions •Digital Signatures • Advantages – Shorter signatures – Much faster computations – Larger resistance to manipulation (one block instead of several blocks of signature) – Resistance to the multiplicative attacks – Avoids problems with different sizes of the sender and the receiver moduli – This usage adds certain verifiable redundancy to a message to be signed. – Unforgeability of a signature scheme depends on some redundant information contained in the message signed.
  • 114.
    Applications of Hash Functions •Fingerprint of a program or a document – To detect a modification by a virus or an intruder… Program Hash Fingerprint Fingerprint Safe Place Equal?
  • 115.
    Applications of Hash Functions •Storing passwords – To detect a modification by a virus or an intruder… Password Hash h(password) Instead of storing ( id, password ) Store ( id, hash(password) )
  • 116.
    Applications of Hash Functions •In public key cryptosystems – Hash functions are widely used for realizing a ciphertext correctness verification algorithm. – This scheme is necessary to achieve provable security against active attackers. • Use as pseudo-random functions – In many applications (authentication protocols, key agreement, electronic commerce protocols, proof of knowledge protocols, etc.) pseudo-randomness is required.
  • 117.
  • 118.
    MACs • Message AuthenticationCode (MAC) – (Usually) A hash function with a key Text MAC 73BAF87D9 K Text MAC 73BAF87D9 K = ?
  • 119.
    Use of MASchemes Dear Bob, this is to certify that… MAC Scheme K Alice Message Digest Original Data Dear Bob, this is to certify that… MAC Scheme Bob K Message Digest Message Digest If both identical validate data integrity
  • 120.
    Properties of MAC •MAC is a family of functions hk (parameterized by the secret key k) • Properties of MAC: – Ease of computation (if key is known) – Compression, x is of arbitrary length, hk(x) has fixed length – Computation resistance, given some pairs (xi, MACk(xi)) is infeasible to compute a new pair (x, MACk(x)) for any new x ≠ xi
  • 121.
    Objectives of Adversaries •Against MDC – OWHF: given y find x such that h(x)=y; or given (x, h(x)) find x' ≠ x such that h(x') = h(x) – CRHF: find any two inputs x' ≠ x such that h(x') = h(x) (birthday attack) • Against MAC – Without knowing the key k compute (x, hk(x)) given (xi, hk(xi)) with xi ≠ x – Known-text attack, chosen text-attack, adaptive chosen text attack
  • 122.
    Forgeries Against MACs •When MAC forgery is possible, practical consequences depend on the degree of control an adversary has over the message m for which a MAC may be forged. – Selective forgery: The adversary is able to produce a new message-MAC pair for a message of her choice. – Existential forgery: The adversary is able to produce a new message-MAC pair, but with no control over the value of that text.
  • 123.
    A Security Frameworkfor Message Authentication • A Message Authentication (MA) scheme is a triple of algorithms <G, T, V>, where – G is a key generation algorithm, i.e., a randomized algorithm that returns a key K – T is a tagging algorithm which is a (possibly randomized) algorithm that takes the key and the message and produces a tag σ; we write σ←TK(m) • Unlike encryption schemes, tagging algorithms can be deterministic • The tag represents the fingerprint of the message and is sent along with the message. – V is a verification algorithm which is a deterministic algorithm that takes the key, a message m and the tag σ for m to return a bit • The receiver computes VK(m, σ) and verifies integrity of m
  • 124.
    Public-Key Cryptography • Probablymost significant advance in the 3000 year history of cryptography – Uses two keys – a public and a private key – Asymmetric since parties are not equal • These two keys are linked in a mathematical way. – Knowing the public key tells you nothing about the private key. – But knowing the private key allows you to unlock information • Note that public key schemes are – neither more secure than private key (security depends on the key size for both), – nor do they replace private key schemes (they are too slow to do so), rather they complement them.
  • 125.
    Public-Key Cryptography • Public-key/asymmetriccryptography involves the use of two keys: – A public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures – A private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures – Why they call it asymmetric?
  • 126.
    Public-Key Cryptography • Isasymmetric because – Those who encrypt messages or verify signatures cannot decrypt messages or create signatures • This may seem strange, and will require some thought. – The concept was so strange it was not until 1976 that anyone thought of it. – Diffie and Hellman: “New Directions in Cryptography”. – A few years later the first system was invented, i.e. RSA.
  • 127.
    Encryption/decryption using… • ... SymmetricCryptography • ... Public-Key Cryptography
  • 128.
  • 129.
    Why Public-Key Cryptography? • Theidea of public key schemes, and the first practical scheme, which was for key distribution only, was published in 1977 by Diffie & Hellman. – The concept had been previously described in a classified report in 1970 by James Ellis (UK Communications Headquarters) – and subsequently declassified in 1987. – Its interesting to note that they (Clifford Cocks, 1973) discovered RSA first, then (Malcolm Williamson, 1974) Diffie-Hellman, opposite to the order of public discovery! • Developed to address two key issues: – Key distribution – how to have secure communications in general without having to trust a KDC with your key – Digital signatures – how to verify a message comes intact from the claimed sender
  • 130.
    Public-Key Characteristics • Publickey schemes utilise problems that are easy (P type) one way but hard (NP type) the other way, e.g. exponentiation vs. logs, multiplication vs. factoring. – Traditional schemes involve the sender putting a message in a box and locking it, sending that to the receiver, and somehow securely also sending them the key to unlock the box. – The radical advance in public key schemes was to turn this around • the receiver sends an unlocked box to the sender, who puts the message in the box and locks it (easy - and having locked it cannot get at the message), • and sends the locked box to the receiver who can unlock it (also easy), having the key. An attacker would have to pick the lock on the box (hard).
  • 131.
    One-way functions • Afunction f : X→Y is a one-way function iff – For all x ∈ X it is very easy or efficient to compute f(x). – For almost all y ∈ Y, finding an x ∈ X with f (x) = y is computationally infeasible. • A trapdoor one-way function is a one-way function f : X→Y , but given some extra information, called the trapdoor information, it is easy to invert f , i.e. – given y ∈ Y and the trapdoor info, it is easy to find x ∈ X such that f (x) = y. • One-way functions are believed to exist. Nobody proved that actually exist. – Proving existence would imply that P ≠ NP.
  • 132.
    One-way functions • Candidateone-way functions: – Multiplication: • Given primes p and q, compute N = p ⋅ q. • This is very easy to compute, since we just multiply p and q. • The inverse problem: given N, find p and q is called factoring. – Modular exponentiation: • Given N and an element a ∈ ZN, compute y ≡ ax (mod N). • This can be computed efficiently using repeated squaring. • The inverse problem: given N, a,y ∈ ZN find x such that y ≡ ax (mod N) is called the discrete logarithm problem. – What is the trapdoor in each case?
  • 133.
    Security of PublicKey Schemes • Public key schemes are no more or less secure than private key schemes – In both cases the size of the key determines the security. – Note also that you can’t compare key sizes - a 64-bit private key scheme has very roughly similar security to a 512-bit RSA – both could be broken given sufficient resources. – But with public key schemes at least there’s usually a firmer theoretical basis for determining the security since its based on well-known and well studied number theory problems. • Requires the use of very large numbers – Hence is slow compared to private key schemes – And computationally expensive
  • 134.
    Diffie-Hellman Key Exchange •Establishment of a shared key between two entities had always been a difficult problem – Required a confidential channel – An important advantage of public key cryptography is its use in the exchange of a secret key • The first practical scheme was proposed by Diffie-Hellman in 1976 – Known as Diffie-Hellman key exchange Ralph Merkle - left Martin Hellman - middle Whitfield Diffie - right
  • 135.
    Diffie-Hellman Key Exchange Protocol Premise:Alice and Bob have agreed on a large prime p and a generator g of Zp * Steps 1. Alice picks a large random integer a∈[1, p-1), computes ga mod p and sends it to Bob. 2. Bobs picks a large random integer b∈[1, p-1), computes gb mod p and sends it to Alice. 3. Alice computes k ← (gb)a mod p 4. Bob computes k ← (ga)b mod p 1 2 3 4
  • 136.
    DF-Key Exchange example •Let p = 43. A generator of the group is 3. Alice and Bob agree on public material elements (p, g) = (43, 3) 1. Alice picks her random secret exponent a = 8, and sends to Bob 38 ≡ 25 (mod 43) 2. Bob picks his random secret exponent b = 37, and sends to Alice 337 ≡ 20 (mod 43) The secret key agreed between them is 9 = 38  37= 208 ≡ 2537 (mod 43)
  • 137.
    Textbook algorithms • Theprevious protocol is an example of “textbook cryptography” – We’ll use this term because these algorithms/protocols can be found in most textbooks on cryptography – However, these algorithms should not be used “as is” in real-world applications • With the scope of public-key cryptosystems, a “textbook encryption” algorithm has a confidentiality property stated as – All-or-nothing security: The attacker’s task is to retrieve the whole plaintext. The attacker either succeeds or fails with nothing. – Passive attacker: The attacker does not manipulate or modify ciphertexts and does not ask for encryption/decryption services
  • 138.
    Diffie-Hellman Key Exchange Protocol Howcan the previous protocol be attacked? • We are looking for an active attack where Eve can fool the two participants • This would be an attack on what?
  • 139.
    The Man-in-the-Middle Attack 1. Alicepicks a∈R[1, p-1), computes ga =ga mod p; she sends ga to Eve (“Bob”) 1’.Eve(“Alice”) computes ge =ge mod p for some e∈R[1, p-1) and sends ge to Bob. 2. Bobs picks b∈R[1, p-1), computes gb =gb mod p; He sends gb to Eve (“Alice”). 2’.Eve(“Bob”) sends ge to Alice. 3. Alice computes k1 ← (ge)a mod p (shared between her and Eve) 4. Bob computes k2 ← (ge)b mod p (shared between him and Eve) 1 2’ 1’ 2
  • 140.
    The Diffie-Hellman problem Thesecrecy of the agreed shared key from the Diffie- Hellman key exchange protocol is the problem of computing gab (mod p) given ga and gb. Diffie-Hellman Problem (DHP) Input: A generator g of Zp * and ga and gb, for some integers 0 < a, b < p Output: gab The DHP problem lies in turn in the difficulty of the discrete logarithm problem Discrete Logarithm Problem (DLP) Input: A generator g of Zp* and an element h of Zp * Output: The unique integer x such that h = gx
  • 141.
    Relationship between DLP andDHP Assume you have an algorithm that solves the DLP problem. • How would you use it to solve the DHP?
  • 142.
    DHP reduces toDLP • Here we show how to reduce DHP to DLP, i.e. we give an efficient algorithm for solving the DHP given an algorithm for the DLP. • Goal: Given ga and gb we wish to find gab. – First compute b = DLP(gb) using the algorithm. – Then compute (ga)b = gab. – So DHP is no harder than DLP, i.e. DHP ≤P DLP or equivalently the DH assumption is a stronger assumption than the DL assumption. – The converse of this statement is an open question: “Can the DL assumption be true if the DH assumption is false?
  • 143.
    RSA (Textbook version) •RSA is the best known, and by far the most widely used general public key encryption algorithm. – Developed by Rivest, Shamir & Adleman of MIT – “A method for obtaining digital signatures and public key cryptosystems”, Comm. of the ACM, 21(2):120-126, 1978 • It is based on exponentiation in a finite field over integers modulo a prime – Exponentiation takes O((log n)3) operations (easy) – Uses large integers (e.g. 1024 bits) – Security due to cost of factoring large numbers – Factorization takes O(e log n log log n) operations (hard) RSA 2003 SRA 1978
  • 144.
    RSA Key Generation •Each user generates a public/private key pair by: – Selecting two large primes p and q of at least 512 bits each – Computing the modulus N = p ⋅ q and φ(N) = (p-1)(q-1) – Selecting a random integer e where 1< e < φ(N) such that gcd(e, φ(N)) = 1 – Using the Extended GCD compute the unique integer d such that e ⋅ d ≡ 1 mod φ(N) • Publish their public encryption key: (e,N) • Keep secret private decryption key: (d,p,q)
  • 145.
    RSA Use • IfBob wants to encrypt a message for Alice he does the following: – Obtains Alice’s authentic public key (e, N) – Represent the message as a number 0 < m < N. – Compute c = me mod N – Send the ciphertext c to Alice. • Alice, upon receiving c: – Uses her private key d and – Computes: m = cd mod N
  • 146.
    RSA example Select primes:p = 17 and q = 11 – Compute N = p ⋅ q =17 ⋅ 11 = 187 – Compute φ(n) = (p-1)(q-1) = 16 ⋅ 10 = 160 Select e such that gcd(e, 160)=1; choose e=7 – Determine d such that d ⋅ e ≡ 1 mod 160 and d < 160. • Value is d = 23 since 23×7=161= 10×160+1 – Publish public key (7, 187) – Keep secret private key (23, 17, 11) Sample RSA encryption/decryption given message m = 88 (note 88 < 187) – Encryption: c = 887 mod 187 = 11 – Decryption: m = 1123 mod 187 = 88
  • 147.
  • 148.
    Digital Signatures • Havelooked at message authentication – But does not address issues of lack of trust – Recall Diffie-Hellman exchange protocol and “man-in-the-middle” attack • Digital signatures provide a guarantee of – authorship – integrity – non-repudiation • Not given by MACs • Digital signatures is a great advantage of Public Key cryptography over Symmetric cryptography – The other one is the possibility of achieving key distribution between remote parties.
  • 149.
    Digital Signature Properties •Must depend on the message signed • Must use information unique to sender – to prevent both forgery and denial • Must be relatively easy to produce, recognize and verify • Be computationally infeasible to forge – with new message for existing digital signature – with fraudulent digital signature for given message • Be practical to save digital signature in storage
  • 150.
    The big picture Hash Algorithm Message Digest Original Data Digital Signature Signwith Bob’s private key Digital Signature Hash Algorithm Original Data Verify with Bob’s public key Message Digest Message Digest’ If both Identical Validate Data integrity Bob Alice Dear Alice I have received … Dear Alice I have received …
  • 151.
    A Definition • ADigital Signature Scheme is specified by a triple of algorithms <G, S, V> – G is a key generation algorithm, which is a randomized algorithm that returns a public key K and a private key K-1 • This algorithm takes as a parameter the size k of the keys to be generated. – S is a signing algorithm which takes a message m and a secret key K-1 to produce a string σ which we call the signature of m; we write – V is a verification algorithm which takes the key K, the message m and the signature σ for m to return TRUE or FALSE • The receiver computes VK(m, σ) and verifies that σ is the signature for m )(1 mSK 
  • 152.
    Signing with RSA •Recall Key setup – Select two large primes p and q of at least 512 bits each – Compute the modulus N = p ⋅ q and φ(N) = (p-1) ⋅ (q-1) – Select a random integer e such that gcd(e, φ(N)) = 1 – Compute the unique integer d such that e ⋅ d ≡ 1 mod φ(N) • Signature generation Sd(m) – To create a signature of a message m, compute σ = md (mod N) • Signature verification Ve(m, σ) – Compute m´ = σe (mod N) – If m´ = m, return True else return False. • Is this secure?
  • 153.
  • 154.
    PKI • With secretkey cryptography the main problems were ones of – key management – key distribution as keys need to be distributed via secure channels • In public key systems we replace these problems with those of – key authentication, i.e. which key belongs to whom as keys need to be distributed via authentic channels • The system which provides authentic public keys to applications is called a public key infrastructure or PKI
  • 155.
    Randomness of PublicKeys • A public key generation algorithm contains the following step Public Key = F(Private Key) where F is some one-way function that maps from the private key space to the public key space – Hence public keys contain a random looking part • It becomes necessary that a principal’s public key becomes associated with a principal’s identity in a verifiable and trustworthy way. – To send an encrypted message we must be sure about the authenticity of the public key. – Same with verifying a signature.
  • 156.
    Certification Authority (CA) •A trusted server used to perform the key management of public keys is called a certification authority (CA). – A CA is a special principal who is well known and trusted directly by the principals in the domain it serves. – For each user within its domain, the CA issues a public key certificate certifying the user’s key material. • The “trust” required by a CA is much weaker as opposed to the trust needed to be placed to a server for secret-key based protocols – The security service provided is message authentication, which can be performed without need of handling any secret. – The service can be provided also offline.
  • 157.
    Certificates • Every usersubmits their public key to the CA. The CA concatenates – User name, – User public key (encryption or verification), – Name of CA – Expiry date, – Serial Number of Certificate, – .... and generates a signature (of the CA) on this data string. • The combination of the data and signature is the public key certificate. This is sent back to the user. – Anyone with the CA’s public key can verify the user’s public key certificate, and so obtain a trusted copy of the users public key. – Certificates can be stored in repositories and retrieved as needed. – Since they are digitally signed, there’s no need to be secured.
  • 158.
    The world withouta CA • To see the advantage of certificates and CAs consider the world without a CA – You obtain many individual public keys from each individual in some secure fashion 6A5DEF....A21 Sofoklis Efremidis’ Public Key 7F341A....BFF Jane Doe’s Public Key B5F34A....E6D Microsoft’s Update Key • Each key needs to be obtained in a secure manner, as does every new key you obtain.
  • 159.
    The world witha CA • First, you obtain a single public key securely, namely the CAs public key. Then you obtain many individual public keys, signed by the CA A45EFB....C45 Trent’s totally trustworthy key. 6A5DEF....A21 Trent says “This is S. Efremidis’ Public Key” 7F341A....BFF Trent says “This is Jane Doe’s Public Key” B5F34A....E6D Trent says “This is Microsoft’s Update Key” • If you trust Trent’s key and you trust Trent to do his job correctly then you trust all of them
  • 160.
    CA Hierarchies • Inlarge organizations, it may be appropriate to delegate the responsibility for issuing certificates to several certificate authorities. – For example, the number of certificates required may be too large for a single CA to maintain; – Different organizational units may have different policy requirements; – or it may be important for a CA to be physically located in the same geographic area as the people to whom it is issuing certificates. • Hence it is common for more than one CA to exist – Look at your browser’s certificate authorities
  • 161.
    CA Hierarchies • Theroot CA is at the top of the hierarchy. The root CA's certificate is a self- signed certificate • The CAs that are directly subordinate to the root CA have CA certificates signed by the root CA. ... and so one Root CA Asia CA Europe CA USA CA Sales CA Engineering CA Marketing CA Subordinate CA Subordinate CA Subordinate CA Certificate Issued by Engineering CA Subordinate CA Subordinate CA Subordinate CA
  • 162.
    Certificate chains • Acertificate chain is a series of certificates issued by successive CAs – The user first verifies the appropriate cross-certificate, and then verifies the user certificate itself • So – Check validity period and verify that this is signed by Engineering CA. Since this is not trusted proceed with next. – Check validity period and verify that this is signed by Europe CA. Since this is not trusted proceed with next. – Check validity period and verify that this is signed by Root CA. Since Root CA is trusted, verification succeeds. Asia CA USA CA Sales CA Marketing CA Trusted Authority Certificate Issued by Engineering CA CA Certificate signed by self Untrusted Authority Untrusted Authority CA Certificate signed by Root CA CA Certificate signed by Europe CA Program verifying the certificate Root CA Engineering CA Europe CA
  • 163.
    Revocation • Reasons forrevoking a certificate – Invalid period of use: Like a driver’s license, a certificate specifies a period of time during which it is valid. Attempts to use a certificate for authentication before or after its validity period will fail. – Bad use: A driver’s license can be suspended even if it has not expired • for example, as punishment for a serious driving offense. – Similarly, it's sometimes necessary to revoke a certificate before it has expired –for example, if an employee leaves a company or moves to a new job within the company. – If a user’s public key is compromised, i.e., a third party has gained knowledge of the private key then the corresponding public key must be revoked • The CA must somehow inform all users that the certificate(s) containing this public key is/are no longer valid. This is called certificate revocation
  • 164.
    Certificate Revocation Lists (CRLs) •A Certificate Revocation List is a way of telling users about revoked certificates. • A CRL is a list of the serial numbers of all the certificates revoked by a particular CA, signed by the CA concerned. – A CRL is a bit like the list of bad credit card numbers which used to be kept next to the tills in supermarkets. • Users must ensure they have the latest CRL – Can be achieved by issuing CRLs at regular intervals even if list has not changed. • Easy to do in a corporate environment • Hard to distribute them otherwise, especially if there are many CAs involved.
  • 165.
    Examples of PKI •In the following we look at some real systems which distribute trust via certificates • Examples are – X509 – SSL – PGP – SPKI
  • 166.
    X.509 • The contentsof certificates supported by Netscape and many other software companies are organized according to the X.509 v3 certificate specification, which has been recommended by the International Telecommunications Union (ITU) since 1988 • X509 defines a structure for public key certificates – A CA assigns a unique name to each user and issues a signed certificate – Often name is the URL or Email address • CAs are connected in a tree structure – Each CA issues a certificate for those beneath it • The basic structure is very simple, but ends up being very complex in any reasonable application
  • 167.
    X.509 certificate structure •Every certificate consists of two sections – The data section includes the following • The version number of the X.509 standard supported by the certificate. • The certificate's serial number. • Information about the user's public key, including the algorithm used and a representation of the key itself. • Name of the CA that issued the certificate. • The period during which the certificate is valid • The name of the certificate subject (for example, in a client SSL certificate this would be the user's name), also called the subject name. • Optional certificate extensions, which may provide additional data used by the client or server such as the type of the certificate.
  • 168.
    X.509 certificate structure –The signature section includes the following information: • The cryptographic algorithm, or cipher, used by the issuing CA to create its own digital signature. • The CA's digital signature, obtained by hashing all of the data in the certificate together and encrypting it with the CA's private key.
  • 169.
    Typical X.509 certificate Data: Version:v3 (0x2) Serial Number: 3 (0x3) Signature Algorithm: PKCS #1 MD5 With RSA Encryption Issuer: OU=Ace Certificate Authority, O=Ace Industry, C=US Validity: Not Before: Fri Oct 17 18:36:25 1997 Not After: Sun Oct 17 18:36:25 1999 Subject: CN=Jane Doe, OU=Finance, O=Ace Industry, C=US Subject Public Key Info: Algorithm: PKCS #1 RSA Encryption Public Key: Modulus: 00:ca:fa:79:98:8f:19:f8:d7:de:e4:49:80:48:e6:2a:2a:86: ed:27:40:4d:86:b3:05:c0:01:bb:50:15:c9:de:dc:85:19:22: 43:7d:45:6d:71:4e:17:3d:f0:36:4b:5b:7f:a8:51:a3:a1:00: 98:ce:7f:47:50:2c:93:36:7c:01:6e:cb:89:06:41:72:b5:e9: 73:49:38:76:ef:b6:8f:ac:49:bb:63:0f:9b:ff:16:2a:e3:0e: 9d:3b:af:ce:9a:3e:48:65:de:96:61:d5:0a:11:2a:a2:80:b0: 7d:d8:99:cb:0c:99:34:c9:ab:25:06:a8:31:ad:8c:4b:aa:54: 91:f4:15 Public Exponent: 65537 (0x10001) Extensions: ... ... Signature: Algorithm: PKCS #1 MD5 With RSA Encryption Signature: 6d:23:af:f3:d3:b6:7a:df:90:df:cd:7e:18:6c:01:69:8e:54:65:fc:06: 30:43:34:d1:63:1f:06:7d:c3:40:a8:2a:82:c1:a4:83:2a:fb:2e:8f:fb: f0:6d:ff:75:a3:78:f7:52:47:46:62:97:1d:d9:c6:11:0a:02:a2:e0:cc: 2a:75:6c:8b:b6:9b:87:00:7d:7c:84:76:79:ba:f8:b4:d2:62:58:c3:c5: b6:c1:43:ac:63:44:42:fd:af:c8:0f:2f:38:85:6d:d6:59:e8:41:42:a5: 4a:e5:26:38:ff:32:78:a1:38:f1:ed:dc:0d:31:d1:b0:6d:67:e9:46:a8: dd:c4
  • 170.
    Secure Socket Layer(SSL) • SSL adds security to TCP level (Network layer) – When the socket layer communications are secured, communications in all application-level protocols will be secured in the same manner. • Various protocols can then be transparently layered on top – HTTP, FTP, TELNET, etc • Commercial standard originally driven by Netscape – Later adopted by Microsoft and other developers and evolved in the de facto standard for Web Security
  • 171.
    SSL objectives • Aimsto establish a secure channel between client and server, to enable the encrypted transmission of credit card details or passwords • Private – All traffic is encrypted after an initial handshake • Authenticated – The server end is always authenticated (for the benefit of the client) – The client may optionally be authenticated too but rarely done • Reliable – The message transport includes an integrity check
  • 172.
    SSL Structure • Bulkencryption is performed using a block or a stream cipher – Client and server agree on the encryption algorithm during the initial handshake – The session key to be used is derived using standard protocols such as Diffie-Hellman or RSA based key transport • The server is authenticated since it provides the client with a X509 public key certificate – For web based transactions, this is signed by some global CA – Public key of CA comes embedded in user’s browser such as Netscape of Explorer
  • 173.
    SSL Key Transport •The following is a simplified overview – Client establishes connection with Server on a special port number to signal the secure session – Server sends a certified public key to client • The client verifies the certificate and decides whether it trusts the public key – Client chooses random secret • Client encodes this with the Server’s public key and sends it back – Client and Server now securely share secret – Server authenticates itself by responding using the secret
  • 174.
    Pretty Good Privacy(PGP) • PGP, developed by Zimmermann, takes a bottom up approach to the distribution of trust – Design goals were to give low cost encryption/signature system for all – Web of Trust, rather than global PKI • The public key management is done from the bottom up by users themselves – Each user acts as their own CA and signs other people’s key certificates (pairs <name, key>) – “If he trusts her and since I trust him, I will also trust her”. – Can trust keys others have signed if have a chain of signatures to them • With enough such signatures, maybe you can trust <name, key> as not all these signers would be corrupt – As users keep doing this certification, a web of trust is built
  • 175.
    PGP Operation – Authentication •Sender creates a message – SHA-1 used to generate 160-bit hash code of message – Timestamp is added – Hash code is encrypted with RSA using the sender’s private key, and result is attached to message – Receiver uses RSA or DSS with sender's public key to decrypt and recover hash code – Receiver generates new hash code for message and compares with decrypted hash code, if match, message is accepted as authentic
  • 176.
    PGP Operation – Confidentiality •Sender generates message and random 128-bit number to be used as session key for this message only – message is encrypted, using CAST-128 / IDEA / 3DES with session key – session key is encrypted using RSA with recipient’s public key, then attached to message – receiver uses RSA with its private key to decrypt and recover session key – session key is used to decrypt message • For Authentication and Confidentiality use both services on same message – create signature & attach to message – encrypt both message & signature – attach RSA encrypted session key
  • 177.
    PGP Operation –Summary X  file Signature required? Generate signature X  signature || X Compress X  Z(X) Confidentiality required? Encrypt key, X X  EKUb[KS] || EKs[X] Convert to radix 64 X  R64(X) Y Y N N Convert from radix 64 X  R64-1(X) Confidentiality required? Decrypt key, X K  DKRb[EKUb[KS]] X  DK[X] Decompress X  Z-1(X) Signature required? Strip signature from X Verify signature Y Y N N Generic Transmission Diagram Generic Reception Diagram
  • 178.
    PGP Session Keys •Need a session key for each message – of varying sizes: 56-bit DES, 128-bit CAST or IDEA, 168-bit Triple-DES • Uses random inputs taken from previous uses and from keystroke timing of user
  • 179.
    PGP Key Rings •Each PGP user has a pair of key-rings – Public-key ring contains all the public-keys of other PGP users known to this user, indexed by key ID – Private-key ring contains the public/private key pair(s) for this user, indexed by key ID & encrypted keyed from a hashed passphrase
  • 180.
    SPKI • SPKI standsfor Simple Public Key Infrastructure. Tries to address a number of problems with X509/PKI – Mainly that of a globally distinguished name with a key bound to it • An application needs to know whether the key holder is permitted some action or authorized access – Collections of directory entries are considered valuable to be released by organizations in the form of a directory tree • Binds authorizations as well as identities – Allows a form of delegation – Could make it suitable for e-commerce – SPKI does not assume a global CA hierarchy – More a ground up approach like PGP • Currently not much commercially used since PKI vendors have a lot of investment in X.509
  • 181.
    SPKI • To describecertificates, SPKI uses s-expressions – These are LISP like structures – Very simple to use and describe – Developed by Rivest • S-expressions can be made very simple for humans to understand • Each SPKI certificate has an issuer and a subject both of which are public keys
  • 182.
    SPKI 4-tuples • Togive an identity certificate, like X509 does, SPKI uses a 4- tuple structure – This is an internal abstraction of what the certificate represents (Issuer, Name, Subject, Validity) • In real life this would be the following – Issuers Public Key – Name of Subject – Subjects Public Key – Validity Period – Signature of Issuer on the triple (Name, Subject, Validity) • Anyone can issue a certificate, and hence become a CA
  • 183.
    SPKI 5-tuples • Thesebind keys to authorizations – This is an internal abstraction of what the certificate represents (Issuer, Subject, Delegation, Authorization, Validity) • In real life this would be the following – Issuers Public Key – Subjects Public Key – Delegation: A Yes or No flag, saying whether the subject can delegate the permission or not – Authorization: What permission the subject is given to do – Validity: How long the authorization is for – Signature of Issuer on the quadruple (S, D, A,V)
  • 184.
    Sizes of StandardCertificates • Recall, a standard certificate looks like the following X || S where X = (INFO, Users Public Key) S = CA’s signature on X • INFO is the stuff which is linked to the Users Public Key it could be – Name – Time – Authorization – ...
  • 185.
    Standard Certificate Sizes •Ignoring the size of INFO, this gives something quite big e.g. • This assumes for RSA – 1024 bits for user keys – 2048 bits for CA keys and for EC-DSA – 160 bits for user keys – 400 bits for CA keys • The main question is whether this can be made smaller RSA DSA EC-DSA Users Key 1024 1024 160 CA Signature 2048 320 400
  • 186.
    Implicit Certificates • Wecannot reduce the size of the INFO but we could possibly reduce the size of the rest of it • An implicit certificate looks like X || Y where X = (INFO) Y = Implicit certificate on X • From Y we can – Recover the public key of the User – Implicit assurance that the certificate was issued by the CA • For DSA type signatures Y has size  1024 bits • For EC-DSA type signatures Y has size  160 bits
  • 187.
    Problems with Implicit Certificates •There are a number of problems with the above system which means that implicit certificates are not used much in real life • What do you do if the CA’s key is compromised – Usually you pick a new CA key and re-certify users keys – You cannot do this since the users public key is chosen interactively during the certification process • Implicit certificates require the CA and users to work at the same security level – This is not considered good practice • However for small bandwidth devices they seem to be the best solution
  • 188.
  • 189.
    Cryptographic systems • Inthe previous lectures we looked at the major elements of security – Confidentiality, authentication , integrity, key exchange, message replay protection, etc. • In any ongoing dialog, all these protections are necessary, not just one. – Consequently, we should not expect average end users to be able to implement dialog security themselves.
  • 190.
    Cryptographic systems • Fortunately,cryptographic systems automatically provide all these security features – These systems work with little or no user intervention. • These systems offer automatic protections – In fact users often are not even aware that their communication is protected by a cryptographic system. – For example, every time you make a purchase over the Internet, the transaction is protected by SSL/TLS
  • 191.
    Cryptographic Systems • Cryptographicsystems usually work in a series of four stages. – The first three are initial handshake stages – The fourth one is where 99% of communication take place Stage 1: Initial Negotiation of Security Parameters Stage 2: Mutual Authentication Stage 3: Key Exchange or Key Agreement Server
  • 192.
    Cryptographic Systems • Re-authenticationand re-keying. – Although the three handshake stages are done only once, there is often periodic re-authentication to ensure than an attacker has not hijacked the connection. – What is periodic re-keying used for? Stage 4: Ongoing Communication with Message-by-Message Confidentiality, Authentication. and Message Integrity Server
  • 193.
    Various Cryptographic Systems • Forsafety, companies often use two systems simultaneously at different layers. – This provides defense in depth. This, however, increases cost. Layer Cryptographic System Application Kerberos Transport SSL/TLS Internet Ipsec Data Link PPTP, L2TP Physical Not applicable. No messages are sent at this layer—only individual bits
  • 194.
    SSL/TLS • When youmake a purchase over the Internet, sensitive traffic is usually protected by a cryptographic system originally called Secure Sockets Layer (SSL) – SSL originally created by Netscape and placed in its browser. • When SSL is used, how do URLs begin with? – Then, all major browser vendors supported SSL, including Microsoft – Later, it became a standard by IETF named Transport Layer Security (TLS)
  • 195.
    SSL/TLS • SSL/TLS offerstransport layer protection, meaning that all application layer traffic can be secured. • However, this protection of higher-layer messages is not transparent as higher layer messages are not automatically protected. – To be protected, applications have to be SSL-aware – Most browsers and web server applications are. Very few others…
  • 196.
    SSL/TLS Operation Protects allapplication traffic that is SSL/TLS-Aware Verifier (Merchant Server) Applicant (Customer Client) SSL/TLS Works at transport layer
  • 197.
    SSL/TLS Operation • Thereason for optional client authentication is pure pragmatism. – To lock out the vast majority of customers (not willing to get digital certs) does not make business sense 1. Negotiation of security options (Brief) Verifier (Merchant Server) Applicant (Customer Client) 2. Merchant authenticates itself to customer by sending a Digital Certificate. (Customer Authentication is optional and uncommon)
  • 198.
    SSL/TLS Operation 3. Clientgenerates random session key which sends it to server encrypted using Public Key Encryption Verifier (Merchant Server) Applicant (Customer Client) 4. Ongoing communication with confidentiality and merchant Digital Signatures
  • 199.
    Perspective on SSL/TLS •SSL is a “flawed” cryptographic system. – Only one side usually is authenticated – Also it had many weaknesses • Provides only medium security, but exploitation is difficult – Usually, it is far easier to hack into merchant servers and steal lists of thousands of credit numbers. – There has not been a single reported case of a credit card number being read en route while protected by SSL.
  • 200.
    Perspective on SSL/TLS •SSL/TLS uses PK encryption to sign every message, which makes it very computationally expensive. – Merchants can handle only a few percent of the transactions they could without SSL. – SSL/TLS is built into all browsers and web servers has been one of strong security points for the Internet.
  • 201.
    IPSec • For verystrong security some VPNs use a family of security standards collectively called IPSec (IP Security) – IPSec offers much stronger security than PPTP or L2TP. – Also more complex and expensive to introduce than its Layer 2 cousin. • SSL/TLS for non-transparent Transport Layer security – SSL lack of transparency limits it primarily to HTTP webservice and some e-mail systems.
  • 202.
    IPSec • In contrastIPSec operates at the Internet layer offering transparent layer security – This allows it to provide security for the transport layer • This includes all TCP and UDP traffic and all other messages carried in the data field of the IP packet. – Application layer messages are also protected. • This protection is transparent – There is no need to modify applications or transport layer protocols to work with IPSec – These protocols are not even aware that IPSec is used
  • 203.
    IPSec • IPSec originallywas intended for the new version of the Internet protocol, IPv6 – However, IPSec can be used with IPv4 as well. – In other words, no matter what version of IP the network uses, IPSec still protects it. • The most basic concept in IPSec is that there are two modes, i.e. ways of operation. – These are the transport mode and the tunnel mode.
  • 204.
    IPsec Operation: Transport Mode •Transport mode is used for host-to-host security. – This mode allows two hosts to communicate securely with no regard to what else is happening in the network. • End-to-end security – This mode is attractive because it provides security when packets travel over internal networks as well as over the Internet. Site Network Site Network Secure Connection Security in site network Security in site network Secure on the Internet
  • 205.
    IPsec Operation: Transport Mode •The IPSec header is inserted after the main IP header. – This header provides protection for higher layer protocols (transport and application ones) • However, because the IP destination address is needed to route the packet to the destination host, the IP header must be transmitted in the clear. – This allows a sniffer to understand the distribution of IP addresses Destination IP address is actual address Orig. IP Header IPsec Header Protected Packet Data Field
  • 206.
    IPsec Operation: Transport Mode •Probable need to install IPSec software on the two hosts. – Transport mode typically requires adding software to the computers instead of using native operating system protocol support.
  • 207.
    IPsec Operation: Tunnel Mode •Tunnel mode is normally used to protect communications between two IPSec gateways. – The two gateways securely send traffic to the Internet between themselves by encapsulating/decapsulating IP packets from/to gateway’s site network Site Network Site Network Tunneled Connection No security in site network No security in site network Secure on the Internet IPsec Gateway IPsec Gateway
  • 208.
    IPsec Operation: Tunnel Mode •In tunnel mode, the original IP header is fully protected. – The transmitting gateway encapsulates the original packet to a new packet by adding a new IP header and an IPSec header. – The new IP header contains the address of the destination gateway. – An attacker snooping the company’s traffic will learn nothing about other IP addresses. Destination IP address is IPsec gateway address. Host IP address is not revealed; New IP Header IPsec Header Protected Original Packet
  • 209.
    IPsec Operation: Tunnel Mode •No software is required on the two hosts. – In fact the clients and servers do not even know that their packets are being protected as they travel over the Internet. • On the negative site, tunnel mode provides no protection for IP packets passing through the site network at the two sites. – It only provides protection during the passage of packets through the Internet. – This leaves packets open to attack for network sites.
  • 210.
    IPsec Operation: Transport andTunnel Modes • How can these modes be combined? • What are the advantages of such an approach?
  • 211.
    IPsec Headers • Theprevious discussion left open two questions: – What is an IPSec header? – What do we really mean about “protection”? • This was deliberate because in both transport and tunnel modes, IPSec offers two types of protection. – For each type of protection, IPSec uses a different type of IPSec header – Therefore, four mode-header combinations exist
  • 212.
    IPsec ESP • Themost commonly used IPSec header is the Encapsulating Security Payload (ESP) header. – It offers full security (confidentiality, message-by-message authentication and integrity.) – IP packets carrying ESP headers have the value 50 in their protocol fields. – ESP has two parts. A header and a trailer Encapsulating Security Payload IP Header ESP Header Protected ESP Trailer Confidentiality Authentication and message integrityProtocol = 50
  • 213.
    IPsec Authentication • Theother type of IPSec header is the Authentication Header (AH). – Like ESP it offers authentication and message integrity but no confidentiality. Anyone intercepting a message can read it. Authentication Header IP Header Authentication Header Protected Authentication and message integrity No confidentiality Protocol = 51
  • 214.
    Modes and Protections ESP Confidentiality Authentication Integrity AH Authentication Integrity TransportMode (End-to-End) Possible Possible Tunnel Mode (IPsec Gateway to Gateway) Possible Possible
  • 215.
    IPsec Security Associations •Before two hosts or IPSec gateways communicate, they have to establish security associations (SAs). – Perhaps the most confusing part of IPSec • A security association is an agreement about how the two communicating parties will provide security. – Specifies what algorithms will be used to implement the security processes for confidentiality, authentication, etc. • When two parties communicate, two associations must exist, one in each direction – This allows for different levels of protections in the two directions, if it is desirable.
  • 216.
    IPsec Security Associations •SAs are governed by policies built into the hosts or the IPSec gateways. – The company may permit only certain combinations of algorithms as some of them may be considered too weak. The security association may be different in each direction Party A Party B IPsec policy server
  • 217.
    Establishing Security Associations • Toestablish security associations, IPSec relies on the Internet Key Exchange (IKE) standard. IKE handles all the steps needed to establish a SA. These include – Communication to agree upon security algorithms to be used in setting up the IKE SA. – Authentication – Exchange of symmetric session keys. Different keys can be used for confidentiality and authentication. • IKE is not limited to IPSec. It is a general protocol used for establishing SAs in cryptographic systems used over the Internet.
  • 218.
    Establishing IPsec Security AssociationsUsing IKE • When two parties establish an IKE SA, this forms a blanket of protection within which the two parties can safely negotiate IPSec SAs. – For example, two IPSec gateways may establish different SAs for traffic types of different sensitivity. Party A Party B Internet Key Exchange Security Association UDP Port 500 IPsec policy server
  • 219.
    IPSec mandatory default protocols •Negotiation permits two parties to negotiate which algorithms will be used for confidentiality and other matters. • However, mandatory default algorithms must be supported and will be used automatically when the two sites do not specify an alternative. These include: – Diffie-Hellman key agreement – DES-CBC for encryption – HMAC for message-by-message authentication for SPEED as digital signatures are very slow
  • 220.
    Key-Hashed Message Authentication Codes (HMACs) •HMACs, however, lack non-repudiation. Why? How do they operate? – When non-repudiation is important, HMACs should not be used… Shared Key Original Plaintext HMAC Original Plaintext HMAC Hashing with MD5, SHA-1, etc. Key-Hashed Message Authentication Code (HMAC) Appended to Plaintext Before Transmission
  • 221.
    Kerberos • In Greekmythology, Cerberus was the hound of Hades — a monstrous three-headed dog (sometimes said to have fifty or one-hundred heads), (sometimes) with a snake for a tail and innumerable snake heads on his back. – He guarded the gate to Hades (the Greek underworld) and ensured that the dead could not leave and the living could not enter. – Cerberus is the offspring of Echidna and Typhon. • He was overcome several times: – Heracles’ final labour was to capture Cerberus. First, Heracles went to Eleusis to be initiated into the Eleusinian mysteries. He did this to absolve himself of guilt for killing the centaurs and to learn how to enter and exit the underworld alive. – Athena and Hermes helped him through and back from Hades. Heracles asked Hades for permission to take Cerberus. Hades agreed as long as Heracles didn’t harm him, though in some versions, Heracles shot Hades with an arrow. When Heracles dragged the dog out of Hades, he passed through the cavern Acherusia. – Orpheus used his musical skills to lull Cerberus to sleep.
  • 222.
    Motivation • Consider adistributed architecture consisting of dedicated user workstations (clients) and distributed servers – In such an environment, the user must prove identity for each service invoked. – Similarly, servers must prove their identity to clients • This is the approach supported by Kerberos. – Kerberos assumes a distributed client/server architecture and employs one or more Kerberos servers to provide an authentication service.
  • 223.
    Kerberos requirements • Thefirst published result “Kerberos: An authentication Service for Open Networked Systems”, (1988) listed the following requirements for Kerberos: – Secure: A network eavesdropper should not be able to impersonate a user. – Reliable: Lack of availability means lack of access control. Hence Kerberos should be highly reliable and employ a distributed architecture. – Transparent: Ideally, the user should not be able to tell that authentication is taking place, beyond the requirement to enter a password. – Scalable: The system should be capable of supporting large number of clients and servers.
  • 224.
    A simple authentication dialog •We will build the full protocol step by step by looking at several hypothetical dialogs • In an unprotected environment, any client can apply to any server for service. The obvious security risk is that of impersonation. – Servers must be able to confirm the identities of clients who request service. – To undertake this task for every client/server interaction, places a substantial burden on each server. • An alternative is to use an Authentication Server (AS) that knows the passwords of all users and also shares a unique secret key with each server.
  • 225.
    A simple authentication dialog •Problems: – Need to minimize the number of times a user has to enter the password to access the same service (say e-mail) – Furthermore, it remains the case that a user would need a new ticket for every different service (print, e-mail, etc.) – Plaintext transmission of password Alice, PasswordAlice, TypeOfService Ticket Ticket = EKv (Alice, IPAlice, ServerID)
  • 226.
    A more secure authenticationdialog • To solve these problems, we introduce a scheme for avoiding plaintext passwords and a new server, known as the ticket-granting server (TGS). 1. The client requests a ticket-granting ticket from the AS 2. The AS responds with a TicketTGS that is encrypted with a key derived from the user’s password. • The client opens it – no transmission of passwords • This ticket is reusable; it can be used by the client to request multiple service-granting tickets 3. The client requests from TGS a service-granting ticket. 4. TGS decrypts the incoming TicketTGS and issues TicketService 5. The client uses the new ticket to gain access to particular service.
  • 227.
    Kerberos Authentication System Kerberos Server KeyDistribution Center Verifier (particular server) Applicant Kerberos is a client- server Authentication system developed at MIT that solves the single sign on problem
  • 228.
    Kerberos Authentication Service • Thefirst phase in the Kerberos protocol is for the applicant to be authenticated by the Kerberos Server. • Each applicant has a master key (Key mA), which is created by hashing a password. – This key is shared with the Kerberos server – Applicant uses this master key to authenticate itself to the Kerberos server • The server sends a symmetric network login key to the applicant; the applicant will use this key in future conversations with the server – This reduces the number of times the master key is used • The Kerberos server also sends the applicant a Ticket- Granting Ticket for use in future communications with the Kerberos server. This TGT confirms that the client has been authenticated
  • 229.
    Kerberos Authentication System Key nA(Network Login Key for A) is encrypted with A’s Master Key (Key mA). In future interactions with KDC, A will use nA to limit the master key’s exposure TGT (Ticket-Granting Ticket) is encrypted in a way that only KDC can decrypt. Information in this ticket is required for the applicant to request connections to other stations Kerberos Server Key Distribution Center (KDC) Applicant (A) 1. Request for ticket-granting ticket 2. Response: TGT, Key nA
  • 230.
    Kerberos Ticket-Granting Service • Theauthentication service is used only once in a network login session – usually for a day or less – However, during that network session, the client may want to connect to other stations or services – Each time a client wants to make a connection to a verifier server, the applicant must use the Ticket Granting Service
  • 231.
    Kerberos Ticket-Granting Service: Part1 • The client wishes to talk to a specific Verifier (Service). The client starts the process by sending the server a ticket granting request message – The client sends its Ticket-Granting Ticket along with an authenticator (to prove it knows the network login key) – The Server sends back a symmetric session key to use with the verifier (Key AV) – The server also sends back a Service Ticket • Why does the client need to send back to the server the Ticket-granding ticket? Didn’t the server create this in the first place?
  • 232.
    Kerberos Ticket-Granting Service: Part1 Authenticator is A’s IP address, user name, and time stamp. This authenticator is encrypted with Key nA to prove that A sent it. Key AV is a symmetric session key that A will use with V. Kerberos Server Key Distribution Center Applicant (A) 1. Request Ticket for V; TGT; Authenticator encrypted with Key nA 2. Response: Key AV encrypted with Key nA; Service Ticket
  • 233.
    The Service Ticket •The Kerberos server sends back a response message that contains two main things: – A session key AV that the client will use to communicate with the verifier for confidentiality – A Service Ticket which also contains the session key AV, encrypted however with the verifier’s master key mV (shared between the verifier and the Kerberos server) • Consequently only the verifier can read the ticket
  • 234.
    Kerberos Ticket-Granting Service: Part2 • The Applicant sends the Service Ticket to the Verifier. • It also sends an authenticator to prove that it knows Key AV – The authenticator contains the client’s IP address and other cleartext info encrypted with key AV • How is the verifier convinced that the client is not cheating?
  • 235.
    Kerberos Ticket-Granting Service: Part2 Authenticator (Auth) encrypted with Key AV. Service Ticket contains Key AV encrypted with the Verifier’s master key, Key mV. Applicant (A) 3. Request for Connection: Authenticator; Service Ticket 4. Verifier decrypts Service Ticket; Uses key AV to test Auth Verifier
  • 236.
    Kerberos Ticket-Granting Service: Part2 • Now that the client is authenticated, the client and verifier engage in on going communication using the symmetric session key AV. • The Kerberos server is not involved anymore Applicant (A) 5. Ongoing Communications with key AV Verifier
  • 237.
    Kerberos in Perspective •Although Kerberos is viewed as an authentication system, in reality is a complete cryptographic system – Authentication • Normally one-way • Can be two-way – Key Exchange – Confidential exchanges with the symmetric session key
  • 238.
    Kerberos in Perspective •Kerberos does not use any Public key crypto. – This makes Kerberos fast – It also means that it is not necessary to distribute digital certificates to all stations on the network – However, it can be used with PKI during the authentication phase
  • 239.
    Kerberos in Perspective •Kerberos provides Single Sign-on service – A client needs only a single key, namely its master key. – Even if it deals with dozens of servers throughout the day, it will not need multiple keys. – This is good news for users.