CPS 290 Computer Security Network Tools Cryptography Basics CPS 290

advertisement
CPS 290 Computer Security
Network Tools
Cryptography Basics
CPS 290
Page 1
Discovering My Laptop’s IPv4 Address
On Windows, use program ipconfig. On Mac or Linux, use ifconfig or
ip.
Only my wired ethernet interface has an IP address (152.3.136.127.)
CPS 290
Page 2
Resolving the name www.cs.duke.edu to an IP address
On Windows, use nslookup. On Mac or Linux, use dig.
The answer is provided by the authoritative name server
duke.cs.duke.edu (152.3.140.1)
www.cs.duke.edu is an alias for the canonical name (CNAME)
sibyl.cs.duke.edu
The address for sibyl.cs.duke.edu is 152.3.140.31.
CPS 290
Page 3
Capturing and Examining Packets
I begin to capture packets on my wired ethernet interface using the program
called wireshark (for Windows, Mac, or Linux).
I make a request to http://www.cs.duke.edu/~bmm through my browser.
I enter the filter (ip.src == 152.3.136.127 || ip.dst == 152.3.136.127) && (ip.dst
== 152.3.140.31 || ip.src == 152.3.140.31) to examine only packets between
my machine and www.cs.duke.edu.
CPS 290
Page 4
TCP Three-Way Handshake
SYN
SYN-ACK
ACK
First three packets show the TCP three-way handshake, SYN, SYNACK, ACK, which is used to establish a TCP connection.
Note: The handshake makes it difficult to establish a TCP connection
with a spoofed (forged) browser source address in the SYN packet:
Server will send SYN-ACK to the spoofed address, which won’t
reply with an ACK.
Sender of spoofed SYN packet doesn’t receive the SYN-ACK,
doesn’t know the correct sequence number to ACK.
CPS 290
Page 5
Browser Sends HTTP GET Request
CPS 290
Page 6
Server Responds with HTTP 301 Code
The server didn’t like my request for http://www.cs.duke.edu/~bmm
It wanted me to enter http://www.cs.duke.edu/~bmm/
Criminy!
CPS 290
Page 7
Basic Cryptography Definitions
Plaintext
Key1
Encryption Ekey1(M) = C
Cyphertext
Key2
Decryption
Dkey2(C) = M
Original Plaintext
Private Key or Symmetric: Key1 = Key2
Public Key or Asymmetric: Key1  Key2
Key1 or Key2 is public depending on the protocol
CPS 290
Page 8
What does it mean to be secure?
Unconditionally Secure: Encrypted message cannot
be decoded without the key
Shannon showed in 1943 that key must be as long as
the message to be unconditionally secure – this is
based on information theory
A one time pad – xor a random key with a message
(Used in 2nd world war)
Security based on computational cost: it is
computationally “infeasible” to decode a message
without the key.
E.g., there is no (probabilistic) polynomial time
algorithm can decode the message.
CPS 290
Page 9
Primitives: One-Way Functions
(Informally): A function
Y = f(x)
is one-way if it is easy to compute y from x but
“hard” to compute x from y
Building block of most cryptographic protocols
And, the security of most protocols rely on their
existence.
Unfortunately, not proved to exist, even if we
assume P  NP.
CPS 290
Page 10
One-way functions:
possible definition
1. F(x) is polynomial time
2. F-1(y) is NP-hard
What is wrong with this definition?
“F-1(y) is NP-hard” is a statement only about worst-case
complexity
F-1(y) may be NP-hard, but still easy to solve for most y
Efforts to base cryptosystems on NP-hard problems have all
failed. We don’t know how to generate difficult to solve
instances.
CPS 290
Page 11
One-way functions:
better definition
For almost all y no single PPT (probabilistic
polynomial time) algorithm can compute x
Roughly: at most a fraction 1/|x|k instances x are
easy for any k and as |x| -> 
This definition can be used to make the probability
of hitting an easy instance arbitrarily small.
CPS 290
Page 12
Some examples (conjectures)
Factoring:
x = (u,v)
y = f(u,v) = u*v
If u and v are prime it is hard to generate them
from y.
Discrete Log: y = gx mod p
where p is prime and g is a “generator” (i.e., g1, g2,
g3, … generates all values < p).
DES with fixed message: y = DESx(m)
This would assume a family of DES functions of
increasing key size (for asymptotics)
CPS 290
Page 13
One-way functions in
private-key protocols
y = ciphertext
m = plaintext
y = Ek(m) = E(k,m) = Em(k)
k = key
(i.e. f = Em)
Given y and m, should Em be a one-way function?
In a known-plaintext attack we know a (y,m) pair.
The m along with E defines f
Em(k) needs to be easy (plug in k and compute)
Em-1(y) should be hard
Otherwise we could extract the key k.
CPS 290
Page 14
One-way functions in
public-key protocols
y = ciphertext m = plaintext k = public key
Consider: y = Ek(m) (i.e., f = Ek)
We know k and thus f
Ek(m) needs to be easy
Ek-1(y) should be hard
Otherwise we could decrypt y.
But what about the intended recipient, who should be
able to decrypt y?
CPS 290
Page 15
One-Way Trapdoor Functions
A one-way function with a “trapdoor”
The trapdoor is a key that makes it easy to invert
the function y = f(x)
Example: RSA (conjectured to be hard to invert
without trapdoor)
y = xe mod n
Where n = pq (p, q are prime)
p or q or d (where ed = 1 mod (p-1)(q-1)) can be
used as trapdoors
In public-key algorithms
f(x) = public key (e.g., e and n in RSA)
Trapdoor = private key (e.g., d in RSA)
CPS 290
Page 16
One-way Hash Functions
Y = h(x) where
– y is a fixed length independent of the size of x.
In general this means h is not invertible since it
is many to one.
– Calculating y from x is easy
– Calculating any x such that y = h(x) give y is
hard
Used in digital signatures and other protocols.
CPS 290
Page 17
Protocols: Digital Signatures
Goals:
1. Convince recipient that message was actually
sent by a trusted source
2. Do not allow repudiation, i.e., that’s not my
signature.
3. Do not allow tampering with the message
without invalidating the signature
Item 2 turns out to be hard to do
CPS 290
Page 18
Using Public Keys
Alice
Dk1(m)
Bob
K1 = Alice’s private key
Bob decrypts it with her public key
More Efficiently
Alice
Dk1(h(m)) + m
Bob
h(m) is a one-way hash of m
CPS 290
Page 19
Download