Basic terminology
Plaintext: original message to be encrypted
decryption
Cryptography issues
Confidentiality: only the sender and the intended receiver should understand the message contents; the sender encrypts the message, the receiver decrypts it
End-point authentication: sender and receiver want to confirm the identity of each other
Message integrity: sender and receiver want to ensure the message is not altered (in transit, or afterwards) without detection
Ciphers
Symmetric cipher: same key used for encryption and decryption
Block cipher: encrypts a block of plaintext at a time
Stream cipher: encrypts data one bit or one byte at a time
Asymmetric cipher: different keys used for encryption and decryption
Classical Ciphers
Plaintext is viewed as a sequence of elements (e.g., bits or characters).
Substitution cipher: replacing each element of the plaintext with another element.
Transposition (or permutation) cipher: rearranging the order of the elements of the plaintext.
Substitution ciphers
A substitution cipher replaces one symbol with another. If the symbols in the plaintext are alphabetic characters, we replace one character with another. The simplest substitution cipher is a shift cipher (additive cipher).
Example 16.1
Use the additive cipher with key = 15 to encrypt the message hello.
Solution We apply the encryption algorithm to the plaintext, character by character:
Caesar Cipher
Earliest known substitution cipher
Plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z
Cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
Caesar Cipher
Mathematically, map letters to numbers:
c = E_K(p) = (p + k) mod 26
p = D_K(c) = (c - k) mod 26
Transposition ciphers A transposition cipher does not substitute one symbol for another, instead it changes the location of the symbols. A symbol in the first position of the plaintext may appear in the tenth position of the ciphertext, while a symbol in the eighth position in the plaintext may appear in the first position of the ciphertext. In other words, a transposition cipher reorders (transposes) the symbols.
Double Transposition
Plaintext: attackxatxdawn
Permute rows and columns
Ciphertext:
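The two classical ciphers above, worked in code. This is an added example, not part of the original slides: the shift cipher reproduces Example 16.1 (key 15, message hello) and the Caesar table, and the double transposition uses the slide's plaintext attackxatxdawn with a 3x5 grid, 'x' padding and the row/column permutations (2,0,1) and (3,1,4,0,2), all of which are my own assumptions since the slide does not give them.

```python
ALPHABET = "abcdefghijklmnopqrstuvwxyz"

def shift_encrypt(plaintext: str, key: int) -> str:
    """c = (p + k) mod 26 for each letter; ciphertext in upper case as on the slide."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26].upper())
        else:
            out.append(ch)          # non-letters pass through unchanged
    return "".join(out)

def shift_decrypt(ciphertext: str, key: int) -> str:
    """p = (c - k) mod 26: decryption is encryption with the negated key."""
    return shift_encrypt(ciphertext, -key).lower()

def shift_all_keys(ciphertext: str) -> dict:
    """The key space has only 26 values, so every candidate plaintext can be listed.
    This is why a shift cipher gives no real confidentiality."""
    return {k: shift_decrypt(ciphertext, k) for k in range(26)}

def double_transpose(plaintext: str, rows: int, cols: int, row_perm, col_perm, pad: str = "x") -> str:
    """Write the text into a rows x cols grid, then read it back with the rows
    and the columns both permuted (assumed permutations, labelled in the lead-in)."""
    text = plaintext + pad * (rows * cols - len(plaintext))
    if len(text) != rows * cols:
        raise ValueError("plaintext does not fit the grid")
    grid = [list(text[r * cols:(r + 1) * cols]) for r in range(rows)]
    permuted = [[grid[r][c] for c in col_perm] for r in row_perm]
    return "".join("".join(row) for row in permuted)

def double_untranspose(ciphertext: str, rows: int, cols: int, row_perm, col_perm) -> str:
    """Inverse: put each ciphertext cell back where the permutations took it from."""
    permuted = [list(ciphertext[r * cols:(r + 1) * cols]) for r in range(rows)]
    grid = [[None] * cols for _ in range(rows)]
    for i, r in enumerate(row_perm):
        for j, c in enumerate(col_perm):
            grid[r][c] = permuted[i][j]
    return "".join("".join(row) for row in grid)
```

With key 15, hello becomes WTAAD; with the assumed permutations, attackxatxdawn (padded to attackxatxdawnx) becomes naxdwatcattxxka, and the inverse recovers the padded plaintext.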
Symmetric Encryption
Mathematically: Y = E_K(X) or Y = E(K, X); X = D_K(Y) or X = D(K, Y)
X = plaintext, Y = ciphertext, K = secret key, E = encryption algorithm, D = decryption algorithm
Both E and D are known to the public
Symmetric Encryption
Same key used at sender and receiver
Encryption takes the plaintext and a secret key which is independent of the information
The encryption algorithm must be such that the encrypted information is impractical to decrypt without knowing the key
The key used for encryption and decryption must be secret, but the encryption and decryption algorithms need not be confidential
This can be implemented in an S-P network
DES Challenge: a 56-bit-key-encrypted phrase was decrypted (brute force) in less than a day
No known good analytic attack
Making DES more secure: 3DES: encrypt 3 times with 3 different keys (actually encrypt, decrypt, encrypt)
[Figure: one DES round. A 32-bit half is expanded to 48 bits and combined with the 48-bit subkey Ki; the key is held as two 28-bit halves that are shifted each round and compressed to the 48-bit Ki; the 48-bit result goes through the S-boxes (48 to 32 bits) and then the P-box (32 to 32 bits).]
AES selection: openly involved, transparent process
Many strong algorithms proposed
Rijndael algorithm ultimately selected
Pronounced like Rain Doll or Rhine Doll
Iterated block cipher (like DES)
Not a Feistel cipher (unlike DES)
AES Overview
Block size: 128, 192 or 256 bits
Key length: 128, 192 or 256 bits (independent of block size)
10 to 14 rounds (depends on key length)
Each round uses 4 functions (in 3 layers):
ByteSub (nonlinear layer)
ShiftRow (linear mixing layer)
MixColumn (nonlinear layer)
AddRoundKey (key addition layer)
Figure 16.7 shows the general idea of asymmetric-key cryptography as used for confidentiality. The figure shows that, unlike symmetric-key cryptography, there are distinctive keys in asymmetric-key cryptography: a private key and a public key. If encryption and decryption are thought of as locking and unlocking padlocks with keys, then the padlock that is locked with a public key can be unlocked only with the corresponding private key. Eve should not be able to advertise her public key to the community pretending that it is Bob's public key.
non-repudiation
Confidentiality: source A uses the public key KUb of the destination B to encrypt M. This scheme does not provide any authentication, because any opponent could also use B's public key to encrypt a message claiming to be A. B can decrypt at the destination because he is the only one who has the private key KRb.
To provide the authentication part, A uses its private key to encrypt the message, and B uses A's public key to decrypt and so authenticate. The principle here is similar to the digital signature principle. The reasoning is that A should be the only one who has A's private key and can generate that ciphered text. However, this does not provide confidentiality, since anyone with A's public key can decrypt and see the message.
To provide both, A can encrypt M first using its private key (the digital signature), then use B's public key, which will provide confidentiality. The only disadvantage is that the public key algorithm, which is complex, must be exercised four times rather than two in each communication.
Message Integrity
Allows communicating parties to verify that:
the content of the message has not been altered
the source of the message is who/what you think it is
the message has not been artificially delayed (playback attack)
the sequence of messages is maintained
Message authentication without encryption: the advantage is that it does not require the distribution of keys to the communicating parties, and the entire message is not encrypted.
RSA
Invented by Cocks (GCHQ) and, independently, by Rivest, Shamir and Adleman
Let p and q be two large prime numbers
Let N = pq be the modulus
Choose e relatively prime to (p-1)(q-1)
Find d such that ed = 1 mod (p-1)(q-1)
Public key is (N, e)
Private key is (N, d)
RSA
To encrypt message M compute C = M^e mod N
To decrypt C compute M = C^d mod N
Recall that e and N are public. If an attacker can factor N, he can use e to easily find d, since ed = 1 mod (p-1)(q-1).
Factoring the modulus breaks RSA. It is not known whether factoring is the only way to break RSA.
Select large primes p = 11, q = 3. Then N = pq = 33 and (p-1)(q-1) = 20.
Choose e = 3 (relatively prime to 20).
Find d such that ed = 1 mod 20; we find that d = 7 works.
Private key: d = 7
Suppose message M = 8. Ciphertext C is computed as C = M^e mod N = 8^3 = 512 = 17 mod 33.
Decrypt C to recover the message M by computing M = C^d mod N.
RSA example:
Bob chooses p = 5, q = 7. Then n = 35, z = 24.
e = 5 (so e, z relatively prime). d = 29 (so ed - 1 exactly divisible by z).
Encrypting 8-bit messages.
encrypt: m = 12, m^e = 248832, c = m^e mod n = 17
decrypt: c = 17, c^d = 481968572106750915091411825223071697, m = c^d mod n = 12
How hard is it to determine d? Essentially need to find factors of n without knowing the two factors p and q. Fact: factoring a big number is hard.
To use symmetric-key cryptography, a shared secret key needs to be established between the two parties. To use asymmetric-key cryptography, each entity needs to create a pair of keys and distribute the public key securely to the community. Key management defines some procedures to create and distribute keys securely.
Symmetric-key distribution
In a community with n entities, n(n-1)/2 keys are needed for symmetric-key communication. The number of keys is not the only problem: the distribution of keys is another. If Alice and Bob want to communicate, they need a way to exchange a secret key. If Alice wants to communicate with a million people, how can she exchange a million keys with them? Using the Internet is definitely not a secure method. It is obvious that we need an efficient way to maintain and distribute secret keys.
One of the communicating parties chooses the key and physically delivers it to the other party
A third party can generate the key and deliver it physically to both parties
Implementation in a large network is infeasible
Good for link-level encryption or between a pair of adjacent nodes, but not for end-to-end encryption
Channel
Keys are different for different sessions
Key for the first session is delivered physically
Key for the next session is encrypted using the previous session key and sent
A practical solution is the use of a trusted third party, referred to as a key-distribution center (KDC). Each person establishes a shared secret key with the KDC. A secret key is established between the KDC and each member. The process is as follows:
1. Alice sends a request to the KDC stating that she needs a session (temporary) secret key between herself and Bob.
2. The KDC informs Bob about Alice's request.
3. If Bob agrees, a session key is created between the two.
Diffie-Hellman
Invented by Williamson (GCHQ) and, independently, by Diffie and Hellman. A key exchange algorithm.
Diffie-Hellman
Let p be prime, let g be a generator, i.e. a primitive root of p
Alice selects secret value a; Bob selects secret value b
Alice sends g^a mod p to Bob; Bob sends g^b mod p to Alice
Both compute shared secret g^ab mod p
Shared secret can be used as symmetric key
Diffie-Hellman
Suppose that Bob and Alice use g^ab mod p as a symmetric key
Trudy can see g^a mod p and g^b mod p
Note g^a * g^b mod p = g^(a+b) mod p, which is not g^ab mod p
If Trudy can find a or b, the system is broken
If Trudy can solve the discrete log problem, then she can find a or b
Diffie-Hellman
Public: g and p
Alice (secret a) sends g^a mod p to Bob; Bob (secret b) sends g^b mod p to Alice
Alice computes (g^b)^a = g^ba = g^ab mod p
Bob computes (g^a)^b = g^ab mod p
Could use K = g^ab mod p as symmetric key
Diffie-Hellman
Subject to man-in-the-middle (MiM) attack
[Figure: Alice (a) sends g^a mod p, Trudy (t) replaces it with g^t mod p towards Bob (b); Bob sends g^b mod p, Trudy replaces it with g^t mod p towards Alice]
Trudy shares secret g^at mod p with Alice
Trudy shares secret g^bt mod p with Bob
Alice and Bob don't know Trudy exists!
Example with p = 11, g = 5, Alice's secret S_A = 3, Bob's secret S_B = 4
Public keys: T_A = g^S_A mod p = 5^3 mod 11 = 125 mod 11 = 4; T_B = g^S_B mod p = 5^4 mod 11 = 625 mod 11 = 9
Exchange public keys and compute shared secret: (T_B)^S_A mod p = 9^3 mod 11 = 729 mod 11 = 3; (T_A)^S_B mod p = 4^4 mod 11 = 256 mod 11 = 3
Shared secret: 3 = symmetric key
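The exchange with the slide's numbers (p = 11, g = 5, secrets 3 and 4), and the same protocol run over an unauthenticated channel where a third party substitutes g^t mod p for both public values, as an added example that is not part of the original slides. The interposer's secret t = 2 is my own constructed value. The point for a defender is the last function: the two honest parties end up with different keys and nothing in the protocol itself tells them so, which is why the public values have to be authenticated (certificates, later on this page).

```python
def dh_public(p: int, g: int, secret: int) -> int:
    """Public value g^secret mod p (T_A or T_B on the slide)."""
    return pow(g, secret, p)

def dh_shared(p: int, their_public: int, secret: int) -> int:
    """Shared key (their_public)^secret mod p, i.e. g^ab mod p."""
    return pow(their_public, secret, p)

def honest_exchange(p: int, g: int, a: int, b: int):
    """Returns (T_A, T_B, key computed by Alice, key computed by Bob)."""
    ta, tb = dh_public(p, g, a), dh_public(p, g, b)
    return ta, tb, dh_shared(p, tb, a), dh_shared(p, ta, b)

def interposed_exchange(p: int, g: int, a: int, b: int, t: int):
    """Same protocol, but a third party holding t replaces both public values
    with g^t mod p.  Returns (key Alice ends with, key Bob ends with,
    key the interposer shares with Alice, key the interposer shares with Bob)."""
    ta, tb, tt = dh_public(p, g, a), dh_public(p, g, b), dh_public(p, g, t)
    key_alice = dh_shared(p, tt, a)      # g^at mod p
    key_bob = dh_shared(p, tt, b)        # g^bt mod p
    return key_alice, key_bob, dh_shared(p, ta, t), dh_shared(p, tb, t)

def parties_agree(p: int, g: int, a: int, b: int, t=None) -> bool:
    """True when Alice and Bob derive the same key.  With an interposer (t given)
    they do not, yet neither side sees an error: unauthenticated DH gives no
    signal of the substitution, so authentication must come from outside."""
    if t is None:
        _, _, ka, kb = honest_exchange(p, g, a, b)
    else:
        ka, kb, _, _ = interposed_exchange(p, g, a, b, t)
    return ka == kb
```

With the slide's values the honest run yields public values 4 and 9 and the shared secret 3; with t = 2 Alice ends with 5, Bob with 4, and the interposer holds both.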
HASH FUNCTIONS
Message Digests
Function H( ) that takes as input an arbitrary-length message and outputs a fixed-length string: the message signature (digest)
Note that H( ) is a many-to-1 function
H( ) is often called a hash function
[Figure: large message m, through H (hash function), gives H(m)]
Desirable properties:
Easy to calculate
Irreversibility: can't determine m from H(m)
Collision resistance: computationally difficult to produce m and m' such that H(m) = H(m')
Seemingly random output
MD5 hash function: computes a 128-bit message digest in a 4-step process. SHA-1 is also used: US standard [NIST, FIPS PUB 180-1], 160-bit message digest.
MD5
Designed by Ronald Rivest (the R in RSA)
Latest in a series of MD2, MD4
Produces a 128-bit hash value
Until recently was the most widely used hash algorithm
MD5 Overview
1. pad message so its length is 448 mod 512
2. append a 64-bit length value to message
3. initialise 4-word (128-bit) MD buffer (A,B,C,D)
4. process message in 16-word (512-bit) blocks
5. divide each 512-bit block into 16 sub-blocks (32 bits)
6. each block is processed in 4 rounds
Input to each round are the 16 sub-blocks, the buffer values and some constants T[k] where k = 1, 2, ..., 64. There are 16 iterations in each round. Output of the intermediate and final iterations is copied to the buffer.
a = b + ((a + g(b,c,d) + X[k] + T[i]) <<< s)
where a, b, c, d refer to the 4 words of the buffer, but used in varying permutations; note this updates 1 word only of the buffer; g(b,c,d) is a different nonlinear function in each round; T[i] is a constant value derived from sin
SHA: revised 1995 as SHA-1
US standard for use with DSA signature scheme
Standard is FIPS 180-1 1995, also Internet RFC 3174; nb. the algorithm is SHA, the standard is SHS
Now the generally preferred hash algorithm
Based on design of MD4 with key differences
SHA Overview
1. pad message so its length is 448 mod 512
2. append a 64-bit length value to message
3. initialise 5-word (160-bit) buffer (A,B,C,D,E) to (67452301, efcdab89, 98badcfe, 10325476, c3d2e1f0)
4. process message in 16-word (512-bit) chunks: expand 16 words into 80 words by mixing and shifting; use 4 rounds of 20 bit operations on message block and buffer; add output to input to form new buffer value
5. output hash value is the final buffer value
(A,B,C,D,E) <- ((E + f(t,B,C,D) + (A<<5) + W_t + K_t), A, (B<<30), C, D)
where f(t,B,C,D) is the nonlinear function for round t, W_t is derived from the message block, and K_t is a constant value derived from sin
SHA-1 compared with MD5:
Brute-force attack is harder (160 vs 128 bits for MD5)
Not vulnerable to any known attacks (compared to MD4/5)
A little slower than MD5 (80 vs 64 steps)
Both designed as simple and compact
Optimised for big-endian CPUs (vs MD5, which is optimised for little-endian CPUs)
Digital Signatures
Cryptographic technique analogous to handwritten signatures.
Sender (Bob) digitally signs a document, establishing he is the document owner/creator.
Goal is similar to that of a MAC, except now use public-key cryptography.
Verifiable, nonforgeable: recipient (Alice) can prove to someone that Bob, and no one else (including Alice), must have signed the document.
[Figure: Bob signs: large message m, through H (hash function), gives H(m); encrypting H(m) with Bob's private key K_B^- gives the digital signature K_B^-(H(m)), the encrypted message digest. Alice verifies: she recomputes H(m) from m, applies Bob's public key K_B^+ to K_B^-(H(m)) to recover H(m), and checks whether the two are equal.]
Alice thus verifies that: Bob signed m; no one else signed m; Bob signed m and not m'.
Non-repudiation: Alice can take m and the signature K_B^-(m) to court and prove that Bob signed m.
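The hash-then-sign construction in the figure above, as an added example that is not part of the slides: Bob applies his private key to H(m) and Alice applies his public key to the result and compares it with a freshly computed H(m). The key is a textbook RSA pair built from two Mersenne primes (2^127 - 1 and 2^107 - 1, chosen only so no prime generation is needed) with no padding; that and the pizza-order message are my own constructions for illustration, not usable key material.

```python
import hashlib

# Constructed toy key for Bob: Mersenne primes as p and q, textbook RSA, no padding.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # Bob's private exponent, K_B^- (Python 3.8+)

def digest(m: bytes) -> int:
    """H(m): SHA-1 as on the slides, read as a 160-bit integer (always < N here)."""
    return int.from_bytes(hashlib.sha1(m).digest(), "big")

def sign(m: bytes, d: int = D, n: int = N) -> int:
    """K_B^-(H(m)): the private key is applied to the digest, not to the whole message."""
    return pow(digest(m), d, n)

def verify(m: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Alice applies K_B^+ to the signature and compares with a fresh H(m)."""
    return pow(signature, e, n) == digest(m)

def demo():
    """Returns (genuine message verifies, altered message verifies, altered signature verifies)."""
    m = b"Dear Pizza Store, please deliver four pepperoni pizzas. Bob"   # constructed
    sig = sign(m)
    altered = m.replace(b"four", b"forty")
    return verify(m, sig), verify(altered, sig), verify(m, sig + 1)
```

The second and third results are False: changing a single word changes H(m), and changing the signature changes what the public key recovers, so neither passes the equality check in the figure.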
Public-key certification
Motivation: Trudy plays pizza prank on Bob
Trudy
Dear Pizza Store, Please deliver to me four pepperoni pizzas. Thank you, Bob
Trudy signs the order with her private key.
Trudy sends the order to the Pizza Store.
Trudy sends the Pizza Store her public key, but says it's Bob's public key.
The Pizza Store verifies the signature, then delivers four pizzas to Bob.
Bob doesn't even like pepperoni.
Certification Authorities
Certification authority (CA): binds a public key to a particular entity, E.
E (person, router) registers its public key with the CA.
E provides proof of identity to the CA.
The CA creates a certificate binding E to its public key.
The certificate containing E's public key is digitally signed by the CA: the CA says "this is E's public key".
[Figure: Bob's public key K_B^+ goes to the CA, which signs it with its private key K_CA^-, producing the certificate for Bob's public key]
Certification Authorities
When Alice wants Bob's public key:
gets Bob's certificate (from Bob or elsewhere).
applies the CA's public key K_CA^+ to Bob's certificate, gets Bob's public key K_B^+
Certificates: summary
Primary standard X.509 (RFC 2459)
Certificate contains: issuer name; entity name, address, domain name, etc.; entity's public key; digital signature (signed with the issuer's private key)
Public-Key Infrastructure (PKI): certificates and certification authorities; often considered heavy
KERBEROS
Kerberos
Part of project Athena (MIT). Trusted 3rd party authentication scheme. Assumes that hosts are not trustworthy. Requires that each client (each request for service) prove its identity. Does not require user to enter password every time a service is requested!
Kerberos Design
User must identify itself once at the beginning of a workstation session (login session).
Passwords are never sent across the network in cleartext (or stored in memory)
[Figure: Kerberos key distribution service: workstation talks to the authentication server, which is backed by the Kerberos database]
The encryption used by current Kerberos implementations is DES, although Kerberos V5 has hooks so that other algorithms can be used.
[Figure: plaintext, through encryption under a key, gives ciphertext; ciphertext, through decryption under the key, gives plaintext]
Tickets
Each request for a service requires a ticket. A ticket provides a single client with access to a single server.
Tickets (cont.)
Tickets are dispensed by the Ticket Granting Server (TGS), which has knowledge of all the encryption keys.
Tickets are meaningless to clients, they simply use them to gain access to servers.
Tickets (cont.)
The TGS seals (encrypts) each ticket with the secret encryption key of the server. Sealed tickets can be sent safely over a network - only the server can make sense out of it. Each ticket has a limited lifetime (a few hours).
Ticket Contents
Client name (user login name)
Server name
Client host network address
Session key for client/server
Ticket lifetime
Creation timestamp
Session Key
Random number that is specific to a session. Session Key is used to seal client requests to server. Session Key can be used to seal responses (application specific usage).
Authenticators
Authenticators prove a clients identity. Includes:
Client user name
Client network address
Timestamp
Bootstrap
Each time a client wants to contact a server, it must first ask the 3rd party (TGS) for a ticket and session key. In order to request a ticket from the TGS, the client must already have a TG ticket and a session key for communicating with the TGS!
Authentication Server
The client sends a plaintext request to the AS asking for a ticket it can use to talk to the TGS.
REQUEST: login name, TGS name
Since this request contains only well-known names, it does not need to be sealed.
Authentication Server
The AS finds the keys corresponding to the login name and the TGS name. The AS creates a ticket (containing the login name) sealed with the TGS key.
The AS also creates a random session key for the client and the TGS to use. The session key and the sealed ticket are sealed with the user (login name) secret key.
When a client wants to start using a server (service), the client must first obtain a ticket. The client composes a request to send to the TGS: TGS ticket, authenticator, server name.
TGS response
The TGS decrypts the ticket using its secret key. Inside is the TGS session key. The TGS decrypts the authenticator using the session key. The TGS checks to make sure the login names, client addresses and TGS server name are all OK. The TGS makes sure the authenticator is recent.
TGS Response
Once everything checks out - the TGS: builds a ticket for the client and requested server. The ticket is sealed with the server key. creates a session key seals the entire message with the TGS session key and sends it to the client.
Kerberos Summary
Every service request needs a ticket. Tickets come from the TGS (except the ticket for the TGS!). Workstations cannot understand tickets, they are encrypted using the server key. Every ticket has an associated session key. Tickets are reusable.
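The AS and TGS exchanges described in the preceding slides, run end to end in code, as an added example that is not part of the original slides and is not real Kerberos. Assumptions: sealing is a toy encrypt-then-MAC built from SHA-256 and HMAC standing in for DES; the principals (alice, tgs, fileserver), their keys, the address 10.0.0.5, the 8-hour lifetime and the 300-second freshness window are all constructed. What it shows is which key opens which message, and the checks the TGS performs (names, address, lifetime, authenticator recency) before it issues a service ticket.

```python
import hashlib
import hmac
import json
import os

# Constructed KDC key database: in real Kerberos these come from passwords and keytabs.
KDC_KEYS = {"alice": b"alice-user-key", "tgs": b"tgs-service-key", "fileserver": b"fileserver-key"}
LIFETIME = 8 * 3600   # ticket lifetime in seconds ("a few hours")
MAX_SKEW = 300        # how old an authenticator may be and still count as recent

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """SHA-256 counter-mode keystream: a toy stand-in for DES, not Kerberos' cipher."""
    chunks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range((n + 31) // 32)]
    return b"".join(chunks)[:n]

def seal(key: bytes, fields: dict) -> bytes:
    """Encrypt-then-MAC: only holders of `key` can read or alter the fields."""
    nonce, pt = os.urandom(8), json.dumps(fields, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("seal check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def make_ticket(client: str, server: str, addr: str, session_key: bytes, now: int) -> bytes:
    """Ticket contents from the slide, sealed with the *server's* secret key."""
    return seal(KDC_KEYS[server], {"client": client, "server": server, "addr": addr,
                                   "session_key": session_key.hex(), "lifetime": LIFETIME, "created": now})

def authentication_server(login: str, tgs_name: str, addr: str, now: int) -> bytes:
    """AS exchange: the request (login name, TGS name) is plaintext; the reply carries a
    fresh session key plus the TGS ticket and is sealed with the user's key."""
    session_key = os.urandom(16)
    ticket = make_ticket(login, tgs_name, addr, session_key, now)
    return seal(KDC_KEYS[login], {"session_key": session_key.hex(), "ticket": ticket.hex()})

def client_tgs_request(user_key: bytes, as_reply: bytes, login: str, addr: str, server: str, now: int):
    """The client opens the AS reply with its own key and builds: TGS ticket + authenticator + server name."""
    reply = unseal(user_key, as_reply)
    session_key = bytes.fromhex(reply["session_key"])
    authenticator = seal(session_key, {"client": login, "addr": addr, "timestamp": now})
    return {"ticket": reply["ticket"], "authenticator": authenticator.hex(), "server": server}, session_key

def ticket_granting_server(request: dict, src_addr: str, now: int) -> bytes:
    """TGS exchange: open the ticket with the TGS key, the authenticator with the session key
    found inside, run the checks from the slide, then issue a ticket for the requested server."""
    ticket = unseal(KDC_KEYS["tgs"], bytes.fromhex(request["ticket"]))
    session_key = bytes.fromhex(ticket["session_key"])
    auth = unseal(session_key, bytes.fromhex(request["authenticator"]))
    if ticket["server"] != "tgs":
        raise PermissionError("ticket is not for the TGS")
    if auth["client"] != ticket["client"] or auth["addr"] != ticket["addr"] or src_addr != ticket["addr"]:
        raise PermissionError("login name or client address mismatch")
    if now > ticket["created"] + ticket["lifetime"]:
        raise PermissionError("ticket expired")
    if not 0 <= now - auth["timestamp"] <= MAX_SKEW:
        raise PermissionError("authenticator is not recent")
    if request["server"] not in KDC_KEYS:
        raise PermissionError("unknown server")
    new_key = os.urandom(16)
    service_ticket = make_ticket(ticket["client"], request["server"], ticket["addr"], new_key, now)
    return seal(session_key, {"session_key": new_key.hex(), "ticket": service_ticket.hex()})

def server_accepts(server: str, service_ticket_hex: str, now: int):
    """The application server needs only its own key to read the ticket; returns the client name."""
    ticket = unseal(KDC_KEYS[server], bytes.fromhex(service_ticket_hex))
    return ticket["client"] if now <= ticket["created"] + ticket["lifetime"] else None

def login_and_get_service_ticket(now: int = 1_700_000_000, delay: int = 0):
    """Full flow for alice on 10.0.0.5 (constructed); `delay` seconds pass between
    building the authenticator and presenting it to the TGS."""
    addr = "10.0.0.5"
    as_reply = authentication_server("alice", "tgs", addr, now)
    request, tgs_session = client_tgs_request(KDC_KEYS["alice"], as_reply, "alice", addr, "fileserver", now + 1)
    tgs_reply = unseal(tgs_session, ticket_granting_server(request, addr, now + 1 + delay))
    return server_accepts("fileserver", tgs_reply["ticket"], now + 2 + delay)

def stale_authenticator_rejected(delay: int = MAX_SKEW + 1) -> bool:
    """True when the TGS refuses an authenticator that is no longer recent."""
    try:
        login_and_get_service_ticket(delay=delay)
    except PermissionError:
        return True
    return False
```

Note what the workstation never sees: it forwards the TGS ticket and the service ticket as opaque blobs (they are sealed with keys it does not hold), exactly as the summary above says, and the user's own key is used only once, to open the AS reply.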
Elliptic curve cryptography was first proposed in 1985 independently by Neal Koblitz and Victor Miller.
The underlying problem in elliptic curve groups is believed to be more difficult than the corresponding problem in Diffie-Hellman key exchange.
The group involving elliptic curves is the elliptic group. All public-key cryptosystems have some underlying mathematical operation:
RSA has exponentiation (raising the message or ciphertext to the public or private values)
ECC has point multiplication (repeated addition of two points)
[Figure: elliptic curve E with points P1 and P2] If P1 and P2 are on E, we
ECC
Choose an elliptic curve, make it public
Choose a point F on the curve and make it public
Check if the selected curve satisfies the addition rule
Each party chooses a private key (Pvt(A), Pvt(B)) on the elliptic curve
Each party computes its public key
Public keys are exchanged between the parties
Both parties calculate the session key:
Session key = Pvt(A)*Pub(B) at user A
Session key = Pvt(B)*Pub(A) at user B
Pvt(A)*Pub(B) = Pvt(B)*Pub(A) = Pvt(A)*Pvt(B)*F
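The point addition rule, point multiplication, and the key agreement Pvt(A)*Pub(B) = Pvt(B)*Pub(A) = Pvt(A)*Pvt(B)*F, as an added example that is not part of the slides. The slides name no curve, so the parameters are my own: the toy curve y^2 = x^3 + 2x + 2 over the integers mod 17, which has 19 points (a prime number, so every point other than the identity generates the whole group), with base point F = (5, 1) and private keys 3 and 7.

```python
# Constructed toy curve y^2 = x^3 + A*x + B over F_P (assumption, see lead-in).
P, A, B = 17, 2, 2
F = (5, 1)      # public base point "F" from the slide; 19 * F = O
O = None        # point at infinity, the group identity

def on_curve(pt) -> bool:
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0

def add(p1, p2):
    """Chord-and-tangent addition rule; the only group operation ECC needs."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O                                               # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P      # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P       # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)

def mul(k: int, pt):
    """Point multiplication k*pt by double-and-add: the ECC analogue of RSA's exponentiation."""
    result, addend = O, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def ecc_key_agreement(pvt_a: int, pvt_b: int):
    """Pub = Pvt*F for each party; returns the session key as computed by A, by B,
    and directly as Pvt(A)*Pvt(B)*F.  All three must be the same point."""
    pub_a, pub_b = mul(pvt_a, F), mul(pvt_b, F)
    return mul(pvt_a, pub_b), mul(pvt_b, pub_a), mul(pvt_a * pvt_b, F)
```

Doubling F gives (6, 3); 19 doublings-and-adds bring F back to the identity; and with private keys 3 and 7 all three computations of the session key land on 21*F = 2*F = (6, 3).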
Firewalls
Firewalls
[Figure: Internet, firewall, internal network]
The firewall decides what to let into the internal network and/or what to let out: access control for the network
Firewall Terminology
Types of firewalls
Packet filter: works at the network layer
Stateful packet filter: transport layer
Application proxy: application layer
Personal firewall: for a single user, home network, etc.
Packet Filter
Operates at the network layer
Can filter based on: source IP address, destination IP address, source port, destination port, flag bits (SYN, ACK, etc.), egress or ingress
[Figure: protocol stack (application, transport, network, link, physical) with the packet filter at the network layer]
Packet Filter
Advantage: speed
Disadvantages: no state; cannot see TCP connections; blind to application data
[Figure: protocol stack (application, transport, network, link, physical)]
Stateful packet filter: operates at the transport layer; remembers TCP connections and flag bits; can even remember UDP packets (e.g., DNS requests)
[Figure: protocol stack with the stateful packet filter at the transport layer]
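The difference between "no state, cannot see TCP connections" and a stateful filter, shown on a constructed three-packet trace, as an added example that is not part of the slides. The rule sets, addresses and ports are my own assumptions: the stateless filter must admit any inbound packet from a web port with ACK set so that replies to internal browsers get through, and therefore also admits an unsolicited inbound packet that merely carries those flags; the stateful filter admits only packets belonging to a connection it saw opened from inside.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (from the Internet) or "out" (from the internal network)
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

WEB_PORTS = {80, 443}

def stateless_decision(pkt: Packet) -> str:
    """Packet filter: each packet is judged alone on addresses, ports and flag bits.
    It cannot tell a genuine reply from any other packet with the same header fields."""
    if pkt.direction == "out":
        return "allow"
    if pkt.ack and pkt.sport in WEB_PORTS:
        return "allow"          # looks like a reply to an internal web client
    return "drop"

class StatefulFilter:
    """Stateful packet filter: records connections opened from inside and only
    admits inbound packets that belong to one of them."""
    def __init__(self):
        self.connections = set()   # (internal ip, internal port, external ip, external port)

    def decision(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            if pkt.syn and not pkt.ack:                          # new connection from inside
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections and pkt.ack:
            return "allow"
        return "drop"

# Constructed trace: a legitimate web connection opened from inside, its reply,
# then an unsolicited inbound packet that merely carries ACK and a web source port.
TRACE = [
    Packet("out", "10.0.0.5", 40000, "203.0.113.10", 443, syn=True),
    Packet("in", "203.0.113.10", 443, "10.0.0.5", 40000, syn=True, ack=True),
    Packet("in", "198.51.100.7", 443, "10.0.0.5", 22, ack=True),
]

def run_trace(trace=TRACE):
    """Returns (stateless decisions, stateful decisions) for the trace, in order."""
    stateful = StatefulFilter()
    return [stateless_decision(p) for p in trace], [stateful.decision(p) for p in trace]
```

The third packet is the one that separates the two designs: the stateless filter allows it because its header satisfies the reply rule, the stateful filter drops it because no internal host opened a connection to 198.51.100.7.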
Application Proxy
A proxy is something that acts on your behalf
An application proxy looks at incoming application data and verifies that the data is safe before letting it in
[Figure: protocol stack with the application proxy at the application layer]
Application Proxy
Advantages: complete view of connections and application data; filters bad data at the application layer (viruses, Word macros)
Disadvantage: speed
[Figure: protocol stack with the application proxy at the application layer]
Application Proxy
Creates a new packet before sending it through to the internal network
An attacker must talk to the proxy and convince it to forward the message
The proxy has a complete view of the connection
Prevents some attacks a stateful packet filter cannot
Exchange of public keys before communication: possible for an attacker to impersonate another party
Use of public key certificates (digital certificates)
A hybrid approach: Diffie-Hellman, ECC