Cryptography

Definitions
Block Cipher – breaks the plaintext into blocks and encrypts each block with the same algorithm.
Cipher – a cryptographic transformation that operates on characters or bits.
Ciphertext or Cryptogram – the unintelligible message.
Clustering – a plaintext message generates identical ciphertext using the same algorithm but different keys.
Codes – a cryptographic transformation that operates at the word or phrase level.
Cryptanalysis – the act of obtaining plaintext or the key from ciphertext. It is used to obtain valuable information and to pass on altered or fake messages in order to deceive the original intended recipient.
Cryptographic Algorithm – a step-by-step procedure used to encipher plaintext and decipher ciphertext.
Cryptography – the art and science of hiding the meaning of communication.
Cryptology – encompasses cryptography and cryptanalysis.
Cryptosystem – a set of transformations from message space to ciphertext space; a system that provides encryption and decryption. A strong cryptosystem has a large keyspace (the entire keyspace is available to choose values from) and a reasonably large unicity distance.
Strength of a cryptosystem – an algorithm with no flaws, a large key, use of all possible values within the key space, and protection of the actual key are the important elements of encryption. If one is weak it affects the whole process.
Cryptoperiod – the period for which the same key is used.
Decipher – to undo the encipherment process.
Encipher – to make a message unintelligible to all except the recipient.
End-to-end encryption – encrypted information that is sent from sender to receiver: protection of data from the originating host all the way to the final destination host, with no unprotected transmission points. In a complex environment, end-to-end encryption is provided at the presentation or application layer.
Encryption (Encipher) – the transformation of data into a form that is as close to impossible as possible to read without the appropriate knowledge (a key). Its purpose is to ensure privacy by keeping information hidden from anyone for whom it is not intended, even those who have access to the encrypted data.
Decryption (Decipher) – the reverse of encryption; the transformation of encrypted data back into an intelligible form.

Exclusive OR (XOR)
- Boolean operation, indicated by XOR or by the symbol ⊕; easily implemented in hardware.
- 0 XOR 0 = 0, 0 XOR 1 = 1, 1 XOR 0 = 1, 1 XOR 1 = 0
  Input A  Input B  Output T
     0        0        0
     0        1        1
     1        0        1
     1        1        0
- XOR operates at the bit level: the plaintext (byte by byte) is XORed with the keystream source.
- Reversible by a second XOR of the output with the keystream: A XOR B = T, and T XOR B = A.

Key – the cryptovariable: information or a sequence that controls the enciphering and deciphering of a message.
Plaintext – a message in clear text.
Steganography – secret communication in which the existence of the message itself is hidden. Example: the least significant bit of each pixel in an image file carries one bit of the message. A digital watermark would be used to detect copying of digital images.
Work Function (Factor) – the difficulty in recovering plaintext from ciphertext, as a factor of time and cost.
- A system's security is directly proportional to the work function.
- The work function should be commensurate with the value of the data.
- The security of a cryptosystem should depend ONLY on the secrecy of the keys and not on the algorithm.

History of Cryptography
- Traced back to the Egyptians in 3000 B.C.
- Scytale, used by the Spartans in 400 B.C.: the message is wrapped around a wooden dowel; the diameter and length of the dowel are the keys to the cipher.
- Caesar cipher: monoalphabetic substitution (only one alphabet is used). Specifically, it involved shifting the alphabet three letters; known as C3 (Caesar shift 3 places).
- Cipher disks: two concentric disks with letters on the edge; can be used to match up letters.
- The Arabs invented cryptanalysis: the Arab philosopher al-Kindi wrote "Manuscript on Deciphering Cryptographic Messages".
- Thomas Jefferson disks (1790): a device with 26 disks that could be rotated individually. The message would be assembled by lining up the disks along the alignment bar; then the bar was rotated a given angle and the resulting letters were the ciphertext. The angle of rotation of the alignment bar was the key. Disks were used extensively during the Civil War.
- UNIX ROT13: shift the alphabet 13 places.
- Hagelin Machine: developed in 1920 by Boris Hagelin, Stockholm, Sweden; known as the M-209 in the US.
- 1920s: Herbert O. Yardley was in charge of U.S. MI-8 (a.k.a. the Black Chamber). It cracked the codes of a number of nations and gave the U.S. an edge in the Japanese negotiations of 1921-1922. The U.S. State Department shut down MI-8; upset, Yardley published the book "The American Black Chamber" in 1931, and the Japanese got new codes. Yardley is the father of American cryptology.
- William Frederick Friedman published "The Index of Coincidence and its Applications in Cryptography". He is referred to as the "father of modern cryptography".
- Japanese Purple Machine: after Yardley, William Friedman resumed cryptanalysis for the U.S. Army and broke the new Japanese cipher. The U.S. Navy broke the Purple Machine naval codes during World War II.
- German Enigma Machine: a polyalphabetic substitution cipher using mechanical rotors. Developed in 1919 by the Dutchman Arthur Scherbius, who obtained a US patent for a Berlin firm. Polish cryptanalysts broke the three-ring system with a card file of all 6 x 17,576 possible rotor positions; in 1938 the Germans went to six rings. In 1938 the Poles and French developed the "Bombe", their own Enigma machine; the British took over in 1940, and by 1943 the British and US had a high-speed "bombe". The disks have 26 contacts on each side; to communicate with each neighboring disk, one of them makes contact with the other disk. The machine also rotates the disks after the encryption of each letter, advancing the next highest rotor like a "gas pump", which makes it polyalphabetic. Other rotor machines: German Enigma, Japanese Red, Japanese Purple and the American SIGABA ("Big Machine").
- Vigenere Polyalphabetic Cipher: Caesar is a subset of the Vigenere polyalphabetic cipher. Vigenere used 26 alphabets; each letter of the message corresponds to a different alphabet. Subject to guessing the period, i.e. when the alphabet changes. Modulo returns the remainder over the modulo value:
  C = (M + b) mod N
  where C = ciphertext, M = message, b = fixed integer, N = size of the alphabet.
  The Caesar monoalphabetic cipher can be attacked using frequency analysis. A polyalphabetic cipher is accomplished through the use of multiple substitutions: it counters frequency analysis but can be attacked by discovery of the periods.
- Transposition (Permutation). Columnar transposition: write the message vertically and read it horizontally. Can be attacked through frequency analysis; however, it hides the statistical properties of letter pairs such as IS and TOO.
- Book or Running Key Cipher: uses text from a book as the key and performs modulo 26 addition on it.
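The classical ciphers described above, implemented as an added example (this code is not part of the original notes). The shift cipher is the notes' C = (M + b) mod N; the Vigenere cipher applies a different shift per letter with the key length as the period; columnar transposition writes the text vertically and reads it horizontally. The letter count at the end shows what frequency analysis sees: the shift cipher keeps the shape of the histogram (only moved by b), and transposition keeps the histogram unchanged. The message and keys are constructed sample values.

```python
from collections import Counter
import string

ALPHABET = string.ascii_uppercase
N = len(ALPHABET)  # size of the alphabet


def clean(text: str) -> str:
    """Keep only letters, upper-cased (classical ciphers work on the alphabet only)."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def shift_cipher(text: str, b: int, decrypt: bool = False) -> str:
    """Monoalphabetic shift: C = (M + b) mod N; decryption uses (C - b) mod N."""
    b = -b if decrypt else b
    return "".join(ALPHABET[(ALPHABET.index(ch) + b) % N] for ch in clean(text))


def caesar(text: str, decrypt: bool = False) -> str:
    """C3: the Caesar shift of 3 places."""
    return shift_cipher(text, 3, decrypt)


def rot13(text: str) -> str:
    """ROT13 is its own inverse because 13 + 13 = 26 = N."""
    return shift_cipher(text, 13)


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Polyalphabetic: letter i is shifted by key[i mod len(key)]; len(key) is the period."""
    key = clean(key)
    out = []
    for i, ch in enumerate(clean(text)):
        b = ALPHABET.index(key[i % len(key)])
        out.append(shift_cipher(ch, b, decrypt))
    return "".join(out)


def columnar_encrypt(text: str, height: int, pad: str = "X") -> str:
    """Write the message vertically in columns of `height` letters, then read horizontally."""
    text = clean(text)
    if len(text) % height:
        text += pad * (height - len(text) % height)
    return "".join(text[row::height] for row in range(height))


def columnar_decrypt(cipher: str, height: int) -> str:
    """Inverse of columnar_encrypt (padding letters, if any, are left in place)."""
    width = len(cipher) // height
    return "".join(cipher[col::width] for col in range(width))


def letter_frequencies(text: str) -> Counter:
    """Letter histogram: the statistic that frequency analysis relies on."""
    return Counter(clean(text))


if __name__ == "__main__":
    m = "ATTACK AT DAWN"  # constructed sample message
    print(caesar(m), vigenere(m, "LEMON"), columnar_encrypt(m, 3))
    print(letter_frequencies(m).most_common(2), letter_frequencies(caesar(m)).most_common(2))
```

Running the block prints the three ciphertexts and shows that A, the most common letter of the plaintext, becomes D, the most common letter of the Caesar ciphertext, which is exactly the relation frequency analysis exploits; the transposed text has the same counts as the plaintext, only reordered.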
- The running key cipher would use a specific line and page number.
- Codes deal with words and phrases and represent them with other numbers or letters.

Types of Encryption Systems

Classical substitution ciphers
  Characteristics: replaces bits, characters, or blocks of characters with different bits, characters, or blocks.
  Problems: frequency analysis.
Transposition (permutation) ciphers
  Characteristics: the letters of the plaintext are permuted. Does not replace the original text with different text but moves the original text around.
  Problems: frequency analysis; but it hides the statistical properties of letter pairs and triples such as IS and TOO.
Monoalphabetic or simple substitution ciphers
  Characteristics: only one alphabet is used (monoalphabetic substitution).
  Problems: frequency analysis.
Polyalphabetic ciphers
  Characteristics: accomplished through the use of multiple substitution ciphers.
  Problems: counters frequency analysis; however, attacked by discovery of periods.
Running key ciphers
  Characteristics: using text from a book as the key and performing modulo 26 addition on it; would use a specific line and page number. Does not require an electronic algorithm or bit alterations.
Concealment
  Characteristics: the true letters of the plaintext are hidden/disguised in a sentence, say every third word in a sentence. Does not require an electronic algorithm or bit alterations.
Digital systems
Codes
  Characteristics: deal with words and phrases and represent them with other numbers or letters.
Steganography
  Characteristics: hiding the existence of the message. A digital watermark would be used to detect copying of digital images.
Machines (see the rotor machines above)

End-to-end encryption
  Description: encrypted information that is sent from sender to receiver. Protection of data from the originating host all the way to the final destination host with no unprotected transmission points. In a complex environment, end-to-end encryption is provided at the presentation or application layer.
  Advantages: start to finish; more flexibility; higher granularity because each application can have a different key; the hop computer does not need to have a key for decryption.
  Disadvantages: headers, addresses, routing and trailer information are not encrypted, hence attackers can learn more about captured packets. The destination has to have the same encryption mechanism to properly decrypt the message.
Link-to-link encryption
  Description: each entity has a key in common with its two neighboring nodes. Node 1 encrypts with key A; Node 2 decrypts with key A and encrypts with key B; Node 3 decrypts with key B and encrypts with key C. The term refers to the use of encryption to protect a single segment between two physically contiguous nodes. It is usually a hardware device operating at layer 2. Such devices are used by financial firms to protect automatic teller machine transactions. Another common form of link-to-link encryption is the secure telephone unit (STU) used by the military.
  Advantages: provides data flow security since everything is encrypted. Users need not do anything; works at the lowest layer (physical layer).
  Disadvantages: key distribution and key management are more complex because each hop computer must receive a key, and when the keys change each must be updated. Messages are decrypted at each hop, thus there are more points of vulnerability.
  Both end-to-end and link encryption should be used to strengthen the process: the data is encrypted with end-to-end encryption, and the entire packet, i.e. the header plus the encrypted data, is encrypted with link encryption. Great, but more overhead.
One-Time Pad
  Description: Vernam cipher. Unbreakable, and each pad is used exactly once. A truly non-repeating set of random bits is combined by bitwise XOR with the message to produce the ciphertext. Encryption with key K with components k1, k2, ..., kn uses each component of K to encrypt the message M with components m1, m2, ..., mn. The key is the same length as the message; the key is completely random, used only once and never again. Two identical key pads, one with the sender and another with the receiver. Unbreakable by exhaustive search; relies on the physical security of the pad. Invented in 1917 by the US Army Signal Corps and AT&T.
  Disadvantages: distribution of the pad or key can be challenging. Requires perfect synchronization of timing for usage. The key is as long as the message, hence infeasible to use in all applications; not very practical.
Clipper Chip
  Description: implemented in tamper-proof hardware; Skipjack algorithm (see Key Escrow below).
  Disadvantages: only 80 bit, hence weak, and not opened for testing or any proof of trying it out. The 16-bit checksum can be defeated. The chip ID is tagged to and identifies every communication session.
Double/Triple DES: see below.
Public Key (RSA, Elliptic Curve, PGP, El Gamal, Diffie-Hellman): see below.
Escrowed encryption / Key Escrow
  Description: US government Clipper chip; allows law enforcement to obtain the keys to view people's encrypted data. The key is escrowed in two pieces with two trusted escrow agents; a court order is needed to get both pieces. Clipper Chip: implemented in tamper-proof hardware; an 80-bit family key and an 80-bit unit key (which is secret and encrypts the session key); the session key is used to encrypt the message; based on the Skipjack algorithm; key exchange through Diffie-Hellman; uses public key cryptography. Fair Cryptosystems (Silvio Micali, MIT): the private key is split and distributed; each portion of the key can be verified without joining them; the public key is also split and sent along.
  Disadvantages: criminal encryption use exists. Encryption is not regulatable outside the US. Key recovery is expensive for both government and software companies. Escrow has not been thoroughly tested. Mandatory escrow can be circumvented. There is no way to "scan" the Internet to detect use of non-escrowed encryption. Escrow involves humans. The government would hold the key to everyone's personal data. Under current proposed legislation, keys would be released by a court subpoena, not a judicial order.
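An added example (not from the original notes) of the XOR operation and the one-time pad (Vernam cipher) described above: the truth table, byte-level XOR with a keystream, the fact that the same XOR both encrypts and decrypts, and the reason a pad must be used exactly once. The pad bytes and the two messages are constructed sample values; a real pad would come from a true random source and never be reused.

```python
import secrets

# Truth table from the notes: the output is 1 exactly when the two inputs differ.
XOR_TRUTH_TABLE = {(0, 0): 0, (0, 1): 1, (1, 0): 1, (1, 1): 0}


def xor_bits(a: int, b: int) -> int:
    return XOR_TRUTH_TABLE[(a, b)]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings (byte-level XOR with a keystream)."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(length: int) -> bytes:
    """A fresh pad: as long as the message and drawn from the OS CSPRNG (secrets)."""
    return secrets.token_bytes(length)


def otp_encrypt(message: bytes, pad: bytes) -> bytes:
    """c_i = m_i XOR k_i for every component of the key K = k1..kn."""
    if len(pad) != len(message):
        raise ValueError("the pad must be exactly as long as the message")
    return xor_bytes(message, pad)


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    """Decryption is the same XOR: (M XOR K) XOR K = M."""
    return xor_bytes(ciphertext, pad)


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Why each pad is used exactly once: two ciphertexts made with the same pad XOR
    to the XOR of the two plaintexts, because the pad cancels out without any key."""
    return xor_bytes(c1, c2)


# Constructed sample data so the demonstration is deterministic.
SAMPLE_PAD = bytes.fromhex("3f9a7c0d55e1b2c47a8e1903d6f04b27")  # 16 bytes
MESSAGE_1 = b"MEET AT NOON 001"   # 16 bytes
MESSAGE_2 = b"HOLD UNTIL 22:00"   # 16 bytes


def demo() -> dict:
    c1 = otp_encrypt(MESSAGE_1, SAMPLE_PAD)
    c2 = otp_encrypt(MESSAGE_2, SAMPLE_PAD)  # pad reuse: the mistake being illustrated
    return {
        "roundtrip_ok": otp_decrypt(c1, SAMPLE_PAD) == MESSAGE_1,
        "leak_equals_plaintext_xor": pad_reuse_leak(c1, c2) == xor_bytes(MESSAGE_1, MESSAGE_2),
    }


if __name__ == "__main__":
    print(demo())
```

The second entry of demo() is the practical meaning of "each pad is used exactly once": once two messages share a pad, their XOR is exposed to anyone holding both ciphertexts, and the pad's secrecy no longer protects either of them.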
Types of Encryption

Secret Key Cryptography – Symmetric Key
- Sender and receiver both know the key; encrypt and decrypt with the same key.
- The secret key should be changed frequently; ideally it is only used once.
- Requires secure distribution of keys by an alternate channel; an out-of-band method is used to exchange the key.
- A secret key cryptosystem does have both public and private information:
  Public: the algorithm for enciphering plaintext; possibly some plaintext and ciphertext; possibly the encipherment of chosen plaintext.
  Private: the KEY, i.e. one cryptographic transformation out of many possible transformations.
- Large keys (>128 bit) are very hard to break.
- Very fast.
- The key needs to be secret; the sender requires a different key for each receiver.
- Time stamps can be associated with the key so that it is valid only during a time window (counters replay).
- Symmetric keys do no authentication or non-repudiation.
- Best known is DES, developed by IBM in the 1970s for commercial use.
- Key management (only for symmetric keys): wide distribution of keys. Can be manual, through link or end-to-end encryption, and the last choice is through a KDC.
- The algorithm need not be secret, though we need a strong algorithm. Used in low-cost chip implementations, which are widely available and incorporated into a number of products, because the algorithm need not be secret.
- An encryption scheme is computationally secure if the ciphertext meets one or both of these criteria: the cost of breaking the cipher exceeds the value of the encrypted information, and the time required is more than the useful life of the data.

Feistel: Dr. Horst Feistel led a research project at the IBM Watson Research Lab in the 1960s which developed the Lucifer cipher. This later inspired the US DES (below) and other product ciphers, creating a family labeled "Feistel ciphers". Design parameters:
1. Block size: a higher block size is safer but reduces speed; a tradeoff. Typical: 64.
2. Key size: the higher the better; a tradeoff. Typical: 128.
3. Number of rounds: the higher the better; typical is 16.
4. Subkey generation algorithm and round function: the more complex the better.
Speed is a concern if the encryption is embedded in applications, which precludes hardware and is hence slower; also, ease of analysis is good, but DES was not designed that way.

Public Key Cryptography
- Employs a private and a public key. The public key is made available to anyone wanting to encrypt a message; the private key is used to decrypt. The public key cannot decrypt the message it encrypted. Ideally the private key cannot be derived from the public key. The other key can decrypt a message encrypted by one of the keys. The private key is kept private.
- 1,000 to 10,000 times slower than secret key encryption. Hybrids use the public key to encrypt the symmetric key.
- Important algorithms: Diffie-Hellman, RSA, El Gamal, Knapsack, Elliptic Curve.
- Whitfield Diffie and Martin Hellman published "New Directions in Cryptography", introducing the idea of public key cryptography.
- Key management: only transcription and storage.
- Very slow, but better key distribution and scalability, and provides confidentiality, authentication and non-repudiation.
- In order to be useful it should have a trap door, a secret mechanism that enables you to accomplish the reverse function in a ONE WAY HASH FUNCTION.
One-way functions
- A one-way function is a mathematical function that is easier to compute in one direction (the forward direction) than in the opposite direction (the inverse direction): the forward direction could take seconds, the inverse months.
- A "trap-door one-way function" is a one-way function for which the inverse direction is easy given a piece of information (the trap door).
- Public key cryptography is based on trap-door one-way functions. The public key gives information about the function; the private key gives information about the trap door. Whoever knows the trap door (private key) can compute the function easily in both directions.

Message formats under public key cryptography
- Open message format (if authentication is more important): the sender encodes the message with his own private key; the receiver decodes it with the sender's public key.
- Secure message format (if confidentiality is more important): the sender encodes with the receiver's public key; the receiver decodes with his own private key.
- Secure and signed message: the sender encodes the message with his own private key, then re-encodes it with the receiver's public key; the receiver decodes with his own private key, then decodes with the sender's public key.

Hybrid systems
- Use symmetric and asymmetric (public key) cryptography together: symmetric for bulk data encryption, asymmetric for protecting the encryption keys and for key distribution.
- The asymmetric algorithm performs encryption and decryption using public and private keys; the symmetric algorithm performs encryption and decryption using a secret key.
- A secret key is used to encrypt the actual message; the public and private keys are used to encrypt the secret key. "Secret key" is synonymous with "symmetric key"; an "asymmetric key" refers to a public or private key.

Symmetric Algorithms

DES (Data Encryption Standard)
Developer: IBM under US government contract; devised in 1972 as a derivative of the Lucifer block algorithm by Horst Feistel at IBM, and modified by the NSA to come up with the US DES. Block size 64 bit.
Key size: 56 bits.
Characteristics:
- Provides confidentiality. Can be used in many applications, including data transmission and file security. Implemented in electronic devices including VLSI, RAM, PROM, EEPROM and ROM.
- De facto industry standard. 64-bit block size.
- Begins with a 64-bit key and strips off 8 parity bits (one odd-parity bit in each byte); the 8 parity bits can be used for error detection.
- 16 rounds of transposition and substitution; uses the techniques of confusion and diffusion.
- Adopted as a US federal standard in 1976.
- Increasing concern over resistance to brute-force attack: with a 56-bit key one has to try 2^56 (about 70 quadrillion) keys, which can be broken using large computers in a network; distributed systems can break it. The U.S. Government no longer uses it.
- Patented in 1974 ("Block Cipher Cryptographic System"). Commercial and non-classified systems.
- DES describes the Data Encryption Algorithm (DEA). The Federal Information Processing Standard (FIPS) adopted DES in 1977; re-certified in 1993 by the National Institute of Standards and Technology, but it will be replaced by the Advanced Encryption Standard (AES), Rijndael.
- DES operates in four modes: Cipher Block Chaining (CBC), Electronic Code Book (ECB), Cipher Feedback (CFB), Output Feedback (OFB).
- Never adopted for national security applications.
- Originally a single-chip installation (hardware), now software.
- DES uses confusion and diffusion as suggested by Claude Shannon. Confusion conceals the statistical connection between plaintext and ciphertext; in DES it is accomplished through non-linear S-boxes. Diffusion spreads the influence of a plaintext character over many ciphertext characters; accomplished through P-boxes.
- DES is considered vulnerable to brute-force (exhaustive) search of the key, and has been replaced by Triple DES and AES. If the only attack is brute force, counter it with longer keys; hence a 128-bit key is better. Knowledge of the expected plaintext, and a way of automatically distinguishing plaintext from garble, is needed for breaking the key.

3DES / TDEA (Triple DES)
Key size: 112 (using 2 keys) or 168 (using 3 keys). 7 modes of operation of TDEA.
Characteristics:
- Three sequential applications of DES. Three encryptions using DEA are now being used until AES is adopted.
- The algorithm is too sluggish in software, hence very slow, and the 64-bit block size could be higher.
- Slow.
- Double encryption is subject to the meet-in-the-middle attack: encrypt on one end, decrypt on the other and compare the values. The work factor of DES and Double DES is the same, so Triple DES is used.
- Can be done several different ways:
  a) DES-EDE2 (encrypt with key 1, decrypt with key 2, encrypt with key 1)
  b) DES-EE2 (encrypt with key 1, encrypt with key 2, encrypt with key 1)
  c) DES-EE3 (encrypt with key 1, encrypt with key 2, encrypt with key 3), the most secure; however, Triple DES with two keys will prevent brute force and meet-in-the-middle with a smaller payload.
  The 3 keys are also known as a key bundle.
- TDEA is a formidable algorithm: the same resistance as DEA to cryptanalysis, but with the stronger 168-bit key brute force is not possible. If security is the only concern, TDEA is best for the years to come.

IDEA (International Data Encryption Algorithm)
Developer: developed in Switzerland by Xuejia Lai and James Massey.
Key size: 128 bit.
Characteristics:
1) 64-bit block, 8 rounds
2) Used in PGP
3) Much more difficult than DES
4) Differs in the round function and the subkey generation function
5) Uses both confusion and diffusion, but confusion is not achieved through the use of S-boxes
6) Instead, XOR, binary addition and binary multiplication of 16-bit integers
7) Highly resistant to cryptanalysis

Blowfish
Developer: Bruce Schneier.
Key length: up to 448 bits.
Characteristics:
1) Up to 16 rounds of data blocks
2) Published in 1993
3) Fast, compact and flexible
4) Uses S-boxes, XOR and binary addition
5) Variable S-boxes
Suitability: due to its high execution speed, easy implementation and compact algorithm (less than 5K of memory), it is used in a number of commercial applications. Since the subkeys and S-boxes are generated by repeated application, it is not suitable for applications in which the secret key changes frequently.

Twofish
Developer: developed by Counterpane, based on Blowfish (also by Counterpane): Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall and Niels Ferguson, U.S.A.
Key length: up to 256 bit.
Characteristics:
1) 128-bit blocks in 16 rounds
2) Employs whitening before the first round and after the last round
3) The whitening keys need to be broken in addition to the Twofish key
4) Employs "prewhitening" and "postwhitening", where additional subkeys are XORed with the plaintext before the first round and after the sixteenth round
5) In the Twofish algorithm, the MDS matrix, the PHT and the key additions provide diffusion

RC5 – family of algorithms
Developer: developed by Ronald Rivest in 1994.
Key length: 0 to 2048-bit keys.
Characteristics:
1) 32-, 64- or 128-bit blocks; 0 to 255 rounds
2) Patented by RSA in 1997
Suitability: suitable for hardware or software; uses primitive computational operations commonly found on microprocessors. Fast, with a simple algorithm. Variable number of rounds and variable key length. Easy to implement. Its low memory requirement makes it suitable for smart cards and other devices with restricted memory; higher security with suitable parameters. A number of RSA products use it.

AES (Advanced Encryption Standard)
1) Block cipher that will replace DES. It is anticipated that Triple DES will remain approved for government use.
2) AES was announced by NIST in January 1997 to find a replacement for DES. Five finalists:
   MARS – IBM Corp. (represented by Nevenko Zunic), U.S.A.
   RC6 – RSA Laboratories (represented by Matthew Robshaw), U.S.A.
   Rijndael – Joan Daemen and Vincent Rijmen, Belgium
   SERPENT – Ross Anderson, Eli Biham and Lars Knudsen, U.K., Israel and Norway
   TWOFISH – Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall and Niels Ferguson, U.S.A.
3) On October 2, 2000 NIST selected Rijndael, by the two Belgian cryptographers Dr. Daemen and Dr. Rijmen. It will be used by the government for sensitive but unclassified documents.

Rijndael (AES)
Developer: Joan Daemen and Vincent Rijmen.
Key length: variable block length and key lengths that can be independently chosen as 128, 192 or 256 bits. Breaking a 128-bit AES key is estimated to take 140 trillion years.
Characteristics:
1) Iterative block cipher
2) Resistance to all known attacks
3) Design simplicity
4) Code compactness and speed on a wide variety of platforms
5) The intermediate cipher result is called the "state", which the transformations operate on
6) Does not use the Feistel transposition structure from DES
7) Uses a round transformation of 3 layers: a non-linear layer (S-boxes); a linear mixing layer (shifting of rows and mixing of columns); a key addition layer (an exclusive OR of the round key into the intermediate state)
8) Suitable for high-speed chips and compact coprocessors on smart cards
9) The round keys are taken from the cipher key through the key schedule, which consists of key expansion and round key selection; the total number of round key bits is equal to the block length multiplied by the number of rounds plus 1
10) High-speed chip; no area restriction
11) It is a substitution-linear transformation network (non-Feistel)
NIST selected Rijndael for the following reasons: good performance in both hardware and software across a wide range of computing environments; good performance in both feedback and non-feedback modes; excellent key setup time; good key agility; very low memory requirements; easy to defend against power and timing attacks without significantly impacting performance.
Weakness: one issue was with the underlying architecture: some opined that its internal mathematics is simple. The Rijndael team defended its design, pointing out that simpler mathematics made Rijndael easier to implement in embedded hardware; they argued that obfuscation was not needed.

SERPENT: Ross Anderson, Eli Biham and Lars Knudsen, U.K., Israel and Norway.
RC6: RSA Laboratories (represented by Matthew Robshaw), U.S.A.
RC4: stream cipher (see Stream Ciphers below).
MARS: IBM Corp. (represented by Nevenko Zunic), U.S.A.
Modes of Operation
There are 4 primary modes of operation on which block ciphers can be based.

Electronic Code Book (ECB)
- Native mode of DES (natural mode, i.e. direct application). Block cipher.
- ECB is applied to 64 bits of plaintext and produces corresponding 64-bit blocks of ciphertext. The 64-bit input vector is broken into two blocks (right block and left block); each 32-bit block is copied into a 48-bit block, and each 48-bit block is XORed with a 48-bit encryption key.
- Pairs of plaintext and corresponding code exist.
- Can be used for IV encryption in the case of CBC, because along with the key the IV also has to be sent.
- Weakness: identical input blocks will produce identical cipher results of the same length.
- Suitable for short messages and non-repeating patterns; ECB is best with small amounts of data, like challenge-response operations, key management, encrypting a PIN, etc.

Cipher Block Chaining (CBC)
- Widely used in security applications.
- Takes a plaintext block of 64 bits; a randomly generated 64-bit Initialization Vector is XORed with the first block, which is then encrypted with DES. The first ciphertext block is then XORed with the next 64-bit plaintext block.
- Enhanced mode of ECB which chains together blocks of ciphertext.
- Problem: replay and substitution attack. Interestingly, this is a fundamental encryption flaw that affected the Enigma.
- Errors are propagated using this method.

Cipher Feedback (CFB)
- Errors will propagate.
- Stream cipher where the ciphertext is used as feedback into the key generation source to develop the next key stream, i.e. it is the input to DES to generate pseudorandom numbers, which are combined with the plaintext to produce the cipher.

Output Feedback (OFB)
- Errors will not propagate.
- Feedback is used to generate the key stream, therefore the key stream varies. Errors do not propagate.
- Functions like a stream cipher, generating random binary bits to be combined with the plaintext to create ciphertext.
- The previous output of DES is used as input; OFB does not chain the ciphertext.

Block Ciphers
- A block cipher is a type of symmetric key encryption algorithm that accepts a fixed block of plaintext and produces ciphertext of the same length, a linear relationship.
- Block ciphers are more suited to implementation in software executing on a general-purpose computer. This guideline is not absolute, and there are a variety of operational reasons to choose one method over the other.
- Types of block ciphers: DES, 3DES, IDEA, RC5, Rijndael, Twofish, DES CBC, DES ECB.
- The secret to the secret sauce is the key: it is the key that provides the randomness of the encryption process.

Stream Ciphers
- Tend to be implemented more in hardware devices. This guideline is not absolute, and there are a variety of operational reasons to choose one method over the other.
- A symmetric encryption algorithm, and extremely fast.
- Examples: rotor machines; RC4; DES Cipher Feedback (CFB); link encryption; the one-time pad (Vernam cipher), with which it is possible to generate ciphertext that is random and therefore unbreakable even by brute-force attacks; output feedback mode.
- Linear feedback shift register (LFSR): one of the simplest finite state machines, used to generate the key stream from the key. In a block of 4 bits it shifts by one, but the 3rd and 4th bits before the shift are XORed and assigned as the last bit.
- Features that a cryptographer will design into the algorithm for a stream cipher:
  1) Long periods without a repetition.
  2) Functional complexity: each keystream bit should depend on most or all of the cryptovariable bits.
  3) Statistically unpredictable: given n successive bits from the keystream, it is not possible to predict the (n+1)st bit with a probability different from 1/2.
  4) The keystream should be statistically unbiased: there should be as many 0s as 1s, as many 00s as 10s, 01s and 11s, etc.
  5) The keystream should not be linearly related to the cryptovariable.
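An added example (not from the original notes) that ties the Feistel design parameters listed earlier (block size 64, 16 rounds, a subkey generation algorithm and a round function) to the ECB and CBC modes described above. The cipher is a toy 16-round Feistel network of my own construction whose round function and key schedule are built from HMAC-SHA256 purely for illustration; it is not DES and must not be used to protect anything. The key, IV and plaintext are constructed sample values chosen so the plaintext contains two identical blocks.

```python
import hashlib
import hmac

BLOCK = 8    # bytes: a 64-bit block, as in DES
ROUNDS = 16  # the typical round count from the notes


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def key_schedule(key: bytes) -> list:
    """Subkey generation: one 64-bit subkey per round, derived from the cipher key."""
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(ROUNDS)]


def round_function(subkey: bytes, half: bytes) -> bytes:
    """Keyed non-linear round function F(K_i, R); it never has to be inverted."""
    return hmac.new(subkey, half, hashlib.sha256).digest()[:4]


def feistel(block: bytes, subkeys: list) -> bytes:
    """Each round: L' = R, R' = L XOR F(K_i, R). Running the same rounds with the subkeys
    in reverse order undoes the cipher, so decryption reuses the encryption code."""
    left, right = block[:4], block[4:]
    for k in subkeys:
        left, right = right, xor(left, round_function(k, right))
    return right + left  # cancel the final swap


def encrypt_block(key: bytes, block: bytes) -> bytes:
    return feistel(block, key_schedule(key))


def decrypt_block(key: bytes, block: bytes) -> bytes:
    return feistel(block, key_schedule(key)[::-1])


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK  # PKCS#7-style: n bytes each of value n
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block on its own, so equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(encrypt_block(key, b) for b in blocks(pad(plaintext)))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return unpad(b"".join(decrypt_block(key, b) for b in blocks(ciphertext)))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: the IV is XORed into the first block, then each ciphertext block into the next plaintext block."""
    out, prev = [], iv
    for b in blocks(pad(plaintext)):
        prev = encrypt_block(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt_raw(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(ciphertext):
        out.append(xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    return unpad(cbc_decrypt_raw(key, iv, ciphertext))


def cbc_damage(key: bytes, iv: bytes, plaintext: bytes, byte_index: int) -> list:
    """Flip one ciphertext bit and list the plaintext blocks that change: the block holding
    the error is garbled and the following block gets the same single bit flipped."""
    ct = bytearray(cbc_encrypt(key, iv, plaintext))
    ct[byte_index] ^= 0x01
    good = blocks(pad(plaintext))
    bad = blocks(cbc_decrypt_raw(key, iv, bytes(ct)))
    return [i for i, (g, b) in enumerate(zip(good, bad)) if g != b]


# Constructed sample inputs: two identical 8-byte blocks followed by a different one.
KEY = b"constructed-key!"
IV = bytes(range(8))
PT = b"BLOCK_01BLOCK_01BLOCK_02"
```

With these inputs blocks(ecb_encrypt(KEY, PT)) has identical first and second blocks, which is the ECB weakness named above, while cbc_encrypt produces four different blocks. cbc_damage(KEY, IV, PT, 8) returns [1, 2]: damaging ciphertext block 1 garbles plaintext block 1 and flips one bit of block 2, and nothing else, which is the limited error propagation of CBC.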
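An added example (not from the original notes) of the LFSR keystream generator sketched above, written to check the five stream-cipher design features against a concrete generator. The register holds 4 bits; on each step the bit at the output end leaves as a keystream bit, the remaining bits shift by one, and the XOR of the tapped bits enters at the other end. Counting tap positions from the output (oldest) end is my reading of the notes' "3rd and 4th bit"; with taps on the two oldest bits a 4-bit register reaches the full period of 2^4 - 1 = 15, and with taps on the two newest bits it does not. The seed and message bits are constructed values.

```python
def lfsr_step(state: list, taps: tuple) -> tuple:
    """state[0] is about to be shifted out; the feedback bit enters at the end."""
    out = state[0]
    new_bit = 0
    for t in taps:
        new_bit ^= state[t - 1]
    return state[1:] + [new_bit], out


def keystream(seed: list, taps: tuple, nbits: int) -> list:
    """nbits of keystream from the seed (the cryptovariable) and the tap set."""
    state, bits = list(seed), []
    for _ in range(nbits):
        state, out = lfsr_step(state, taps)
        bits.append(out)
    return bits


def period(seed: list, taps: tuple):
    """Steps until the seed state recurs, or None if it never does (feature 1: long period)."""
    state, n = list(seed), len(seed)
    for i in range(1, 2 ** n + 1):
        state, _ = lfsr_step(state, taps)
        if state == list(seed):
            return i
    return None


def balance(bits: list) -> tuple:
    """(#zeros, #ones) of a keystream: feature 4, the stream should be unbiased."""
    ones = sum(bits)
    return len(bits) - ones, ones


def stream_xor(message_bits: list, seed: list, taps: tuple) -> list:
    """Combine message bits with the keystream by XOR; applying it twice decrypts."""
    return [m ^ k for m, k in zip(message_bits, keystream(seed, taps, len(message_bits)))]


def predict_continuation(observed: list, taps: tuple, nbits: int, length: int) -> list:
    """Feature 5 is why a bare LFSR is not enough: its output is its own state, so any
    `length` consecutive keystream bits reload the register and the rest of the stream follows."""
    register = list(observed[-length:])
    return keystream(register, taps, length + nbits)[length:]


GOOD_TAPS = (1, 2)   # feedback from the two oldest bits: maximal length for 4 bits
SHORT_TAPS = (3, 4)  # feedback from the two newest bits: collapses into a 3-state cycle
SEED = [1, 1, 1, 1]  # constructed cryptovariable


if __name__ == "__main__":
    print(period(SEED, GOOD_TAPS), period(SEED, SHORT_TAPS))
    ks = keystream(SEED, GOOD_TAPS, 15)
    print(ks, balance(ks))
    print(predict_continuation(ks[:6], GOOD_TAPS, 9, 4) == ks[6:])
```

The maximal-length choice satisfies feature 1 (period 15) and comes close to feature 4 (7 zeros and 8 ones per period), but predict_continuation shows it failing features 3 and 5: after seeing four output bits the whole stream is determined, which is why practical stream ciphers combine several LFSRs through a non-linear function rather than using one LFSR directly.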
- The first condition is trivial to satisfy. The second condition, ensuring that the two machines have the same cryptovariable, is an administrative problem (key management). We can ensure that the two machines start in the same state by several means: one way is to include the initial state as part of the cryptovariable; another way is to send the initial state to the receiver at the beginning of each message (this is sometimes called a message indicator or initial vector).

Common Asymmetric Algorithms (RSA and the other public key systems are used as key distribution systems)

RSA
Developed by: Rivest, Shamir and Adleman. Introduced in 1976.
Provides: confidentiality, authentication and non-repudiation; encryption, key exchange, and digital signatures.
Characteristics:
- Based on the difficulty of factoring a number which is the product of two large prime numbers, maybe 200 digits each.
- Smaller keys are insecure, 768 bits is moderately secure, and 1024 bits is good.
- Suitable for high-speed chips and compact coprocessors on smart cards.
- Two possible approaches to defeating RSA: the brute-force approach (try all possible private keys) and finding the large prime numbers (factoring).

Diffie-Hellman
Developed by: Whitfield Diffie and Martin Hellman, who "came up with the whole public key/private key concept".
Provides: key distribution only.
Characteristics:
1) Invented in 1976, the first public key algorithm
2) Key agreement protocol
3) Security stems from the difficulty of calculating discrete logarithms in a finite field. While it is relatively easy to calculate exponentials modulo a prime, it is very difficult to calculate discrete logarithms; for large primes the latter task is considered infeasible.
4) Used for distribution of a shared key, but not for message encryption/decryption
5) Vulnerable to "man in the middle" attacks (since the peers are not authenticated); the result was the station-to-station protocol
6) Patent expired in 1997

El Gamal
Developed by: Dr. T. E. El Gamal.
Provides: digital signature and encryption.
Characteristics: extended Diffie-Hellman to include signatures and encryption. The first key for digital signatures; an un-patented public key cryptosystem that involves the discrete logarithm problem.

Merkle-Hellman Knapsack
Characteristics: having a set of items with fixed weights, determine which items can be added in order to obtain a given total weight. Illustrated using super-increasing weights (each weight greater than the sum of the previous ones).

ECC (Elliptic Curve Cryptography)
Developed by: first proposed by Victor Miller (IBM/CRD) in 1985 and Neal Koblitz (Washington University). 160-bit key.
Provides: digital signatures, encryption and key management.
Characteristics:
- Elliptic curve discrete logarithms are harder to compute than general discrete logarithms.
- Suitable for high-speed chips and compact coprocessors on smart cards; suited to smart cards and wireless devices (less memory and processing).
- Smaller key size for the same level of security as RSA: higher strength per key. No other advantage than speed over RSA.
- Where ECC is used: computational power limited; integrated circuit space limited; high speed required; intensive signing, verifying and authenticating required; signed messages stored or transmitted; bandwidth limited; wireless communications and some networks.

Asymmetric and Symmetric Key Comparisons (equivalent strength)
Asymmetric key | Symmetric key
512 bits       | 64 bits
1024 bits      | 80 bits
1729 bits      | 112 bits
2304 bits      | 128 bits

- Like symmetric algorithms, public key encryption implementations do not rely on the obscurity of their algorithm, but use key lengths that are so long that a brute-force attack is impossible.
- Asymmetric encryption keys are based on prime numbers, which limits the population of numbers that can be used as keys.
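An added example (not from the original notes) of the Diffie-Hellman key agreement described in the table above, showing both sides' messages and the two facts the table rests on: exponentiation modulo a prime is easy, while recovering the exponent (the discrete logarithm) is the hard direction. The parameters p = 23, g = 5 and the private exponents are deliberately tiny constructed values so the numbers can be checked by hand; that is also the only reason the brute-force logarithm finishes.

```python
def dh_public(g: int, private: int, p: int) -> int:
    """The easy direction: public = g^private mod p."""
    return pow(g, private, p)


def dh_shared(peer_public: int, private: int, p: int) -> int:
    """Each side raises the other's public value to its own private exponent."""
    return pow(peer_public, private, p)


def discrete_log_bruteforce(g: int, h: int, p: int):
    """The hard direction: find x with g^x = h mod p by trying every x. This only
    finishes because p is tiny; for large primes the notes call the task infeasible."""
    for x in range(p):
        if pow(g, x, p) == h:
            return x
    return None


def dh_exchange(p: int, g: int, a: int, b: int) -> dict:
    """One exchange: A and B cross the wire, the private exponents a and b never do.
    Nothing here authenticates either party, which is the man-in-the-middle weakness the
    notes mention; station-to-station adds signatures on top of this exchange."""
    A = dh_public(g, a, p)  # Alice -> Bob
    B = dh_public(g, b, p)  # Bob -> Alice
    return {"A": A, "B": B,
            "alice_key": dh_shared(B, a, p),
            "bob_key": dh_shared(A, b, p)}


if __name__ == "__main__":
    result = dh_exchange(p=23, g=5, a=6, b=15)  # constructed toy parameters
    print(result)                                # alice_key == bob_key == 2
    print(discrete_log_bruteforce(5, result["A"], 23))  # recovers a = 6 only because p is tiny
```

Both sides arrive at the same value (g^(ab) mod p) without ever transmitting a or b; the shared value, not the public numbers, is what would then be fed to a symmetric cipher, which is the "key distribution only" role the table assigns to Diffie-Hellman.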
Comparison of DES and RSA:
Relative speed: DES fast; RSA slow.
Functions used: DES transposition and substitution; RSA multiplication.
Key length: DES 56 bits; RSA 400-800 bits.
Least cost attack: DES exhaustion; RSA factoring.
Cost of attack: DES centuries; RSA centuries.
Time to generate a key: DES microseconds; RSA tens of seconds.
Key type: DES symmetric; RSA asymmetric.
Note: Most products use symmetric key cryptography to encrypt files, messages, sessions and objects, but use asymmetric key cryptography to exchange and protect keys.

Preferred crypto algorithms should have the following properties: no reliance on algorithm secrecy; explicitly designed for encryption; available for analysis; subject to analysis; no practical weaknesses.

PKC systems are based on problems that are difficult to solve (hard problems):
Factoring large integers (products of large primes): RSA.
Discrete logarithm problem (difficulty of taking logarithms in finite fields): Diffie-Hellman; El Gamal encryption schemes & signature algorithms; Schnorr's signature algorithm; Nyberg-Rueppel's signature algorithm; Station-to-station protocol for key agreement (STS); Digital Signature Algorithm (DSA).
Elliptic Curve Crypto (ECC) (only speed is a factor): higher key strength compared to RSA.
DSS (Digital Signature Standard): NIST & NSA proposed in 1991. LUC.

Mathematical Problems
Factoring: Given P and Q, it is easy to compute P*Q. Given the product N = P*Q, it is not easy to compute P and Q. Pick E (the encryption number); compute D so that D*E = 1 mod (P-1)*(Q-1). But there are better-than-exhaustion attacks against factoring; this is why the parameters have to be large (512, 1024, 2048).
Discrete Logs: Based on two facts. Exponentiation is easy: if you have G and X, it is easy to compute S = G to the power of X. Logarithms are hard: if you have S and G, it is hard to find X such that G to the power of X = S.

Usage of public key cryptography: 1) For encryption and decryption: encrypt the message with the receiver's public key. 2) For digital signatures: encrypting the message digest or MAC value. 3) Two sides co-operate to exchange session keys.
Algorithm Encryption/Decryption Digital signature key exchange RSA ECC Diffie DSS Yes Yes - Yes Yes Yes Yes Yes Yes -

Hash algorithms: A hash algorithm is a one-way cryptographic function. When applied to a data object, it outputs a fixed-size output, often called a message digest (fingerprint). It is conceptually similar to a checksum, but is much more difficult to corrupt.
One way hash function: reversible by trap door; provides confidentiality and authentication. One way hash algorithm: irreversible; provides only integrity.
Purpose of Digital Signatures: to detect unauthorized modifications and to authenticate identity and provide non-repudiation. Generates a block of data smaller than the original data. One way hash functions: a one way hash produces a fixed size output (digest) and has the good hash function characteristics listed below. After the message digest is calculated it is encrypted with the sender's private key. The receiver decrypts using the sender's public key; if it opens then it is from the sender. Then the receiver computes the message digest of the sent file; if the hash is the same, it has not been modified.
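The RSA and Diffie-Hellman arithmetic described above (D*E = 1 mod (P-1)(Q-1), exponentiation easy, discrete log hard, digest signed with the private key), as an added Python example that is not part of the original notes; the primes 61 and 53, the group p=23, g=5 and the secrets are constructed toy values, and pow(e, -1, phi) needs Python 3.8 or later.

```python
# Added example (not from the original notes): textbook RSA key generation,
# encryption/decryption, digest signing, and a Diffie-Hellman exchange with
# deliberately tiny, constructed parameters so the arithmetic is visible.
# Real systems use primes of hundreds of digits plus padding (OAEP/PSS).
import hashlib
from math import gcd


def rsa_keygen(p, q, e=65537):
    """Return ((e, n), (d, n)); d is the inverse of e modulo phi = (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # D*E = 1 mod (P-1)*(Q-1)
    return (e, n), (d, n)


def rsa_encrypt(m, pub):
    """Encrypt with the receiver's public key (m must be smaller than n)."""
    e, n = pub
    return pow(m, e, n)


def rsa_decrypt(c, priv):
    d, n = priv
    return pow(c, d, n)


def rsa_sign_digest(message: bytes, priv):
    """Hash the message, then 'encrypt' the digest with the private key."""
    d, n = priv
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(digest, d, n)


def rsa_verify_digest(message: bytes, sig, pub):
    """Recompute the digest and compare with the signature opened by the public key."""
    e, n = pub
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(sig, e, n) == digest


def dh_shared_secret(g, p, alice_secret, bob_secret):
    """Each side publishes g^x mod p; both derive the same g^(xy) mod p."""
    alice_public = pow(g, alice_secret, p)  # easy direction: exponentiation
    bob_public = pow(g, bob_secret, p)
    k_alice = pow(bob_public, alice_secret, p)
    k_bob = pow(alice_public, bob_secret, p)
    assert k_alice == k_bob
    return k_alice


def discrete_log_brute(g, p, target):
    """The hard direction: recover x from g^x mod p by exhaustion (only feasible for toy p)."""
    for x in range(p):
        if pow(g, x, p) == target:
            return x
    return None


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53, e=17)       # n = 3233, phi = 3120, d = 2753
    c = rsa_encrypt(65, pub)                    # 2790
    print("RSA:", pub, priv, c, rsa_decrypt(c, priv))
    sig = rsa_sign_digest(b"hello", priv)
    print("signature verifies:", rsa_verify_digest(b"hello", sig, pub))
    print("DH shared secret:", dh_shared_secret(5, 23, 6, 15))   # 2
    print("discrete log of 8 base 5 mod 23:", discrete_log_brute(5, 23, 8))  # 6
```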
Hash functions are much faster than encryption processes and can be utilized to enhance performance while maintaining integrity.
Good hash function characteristics: 1. The hash should be computed on the entire message. 2. The hash should be a one way hash function so that messages are not disclosed by their signatures (the original message should not be found out): the one-way property. 3. It should be impossible, given a message and its hash value, to compute another message with the same hash value: collision resistance. 4. It should be resistant to birthday attacks, meaning an attacker should not be able to find two messages with the same hash value; a larger output is stronger and less vulnerable to brute force attacks like the birthday attack.
A one way hash with or without encryption can be used. Encryption is sometimes discouraged due to higher hardware cost, export regulations, slowness in software and unsuitability for small data values such as a hash.

Hash algorithms (hash; blocks and hash size; other characteristics):
MD2: 128 bit hash value; Ron Rivest. Slower than MD5 & MD4. MD2 is a hash function that has a collision vulnerability.
MD4: Ron Rivest; 128 bit hash value. Used for high speed computation in software implementations and optimized for microprocessors. Problem: the hash function's poor one-way property.
Haval: variable length one way hash; blocks of 1024 bits.
MD5: Developed by Ronald Rivest in 1991. Produces a 128 bit message digest from an arbitrary length of data; 512-bit blocks in four distinct rounds. A modification of MD4. Message Digest (MD) is the most common hash function today. Developed by Ron Rivest. Commonly used as a data integrity checking tool, such as in Tripwire and other products. 64 (4 rounds of 16) rounds; infinite input size. 4 primitive logical functions and 64 additive constants used.
SHA-1: 160 bit hash if the input is < 2^64 bits. Integrity of the message. 512-bit blocks of data. 80 (4 rounds of 20) rounds. 4 primitive logical functions and 4 additive constants used.
SHA-1 (continued): Developed by the NSA. It is relatively easy to compute the hash for a given value; hardware and software implementations are practical. The algorithm takes the message as input and produces the hash (called a cryptographic hash). Used in PGP. Used for generating the digest for digital signatures. Computing the SHA-1 digest and then processing it with the DSA to either generate or verify the signature is more efficient for the shorter digest than applying the DSA to the longer message. It is computationally infeasible to find a message that corresponds to a given message digest. It is computationally infeasible to find two different messages that produce the same message digest. It is computationally impractical to find any pair which will have the same hash. Padding bits are added to the message to make it a multiple of 512. The length of the message is the number of bits in the message. Equivalent to factoring (RSA). Input into DSA to get the digital signature. Resistant to "birthday" attacks and brute force attacks.

Message Authentication Code (MAC): The last 16 bit or 32 bit code from the ciphertext generated by the DES algorithm on the message. Provides authentication but not confidentiality; has a proper sequence number, hence the sequence of the messages is ensured. A combination of encryption and hashing; a key-dependent one way hash: requires a symmetric key in the process (the hash is encrypted with the symmetric key).

HMAC: An available hash function must be used. Allows replaceability of the hash function. Preserves the performance of the hash function. Uses and handles keys in a simple way. Has well understood cryptographic analysis of the strength of the authentication mechanism based on reasonable assumptions on the embedded hash function. Uses a key to generate a Message Authentication Code which is used as a checksum. The hash function is either MD5 or SHA-1, which is incorporated with a secret key into the existing hash algorithm.
DES is recommended for the encryption of the message, and the last 16 bit or 32 bit ciphertext code is taken/used as the code. Similar to encryption; however, the authentication algorithm need not be reversible. A smaller fixed length that is not designed for decryption, hence it need not be reversible. HMAC can be used with any iterative cryptographic hash function (MD5, SHA-1) in combination with a secret shared key. The cryptographic strength of HMAC depends on the properties of the underlying hash function. It is now mandatory to use HMAC in IP security, and it is used in TLS & SET.

Digital Signature Standard (DSS) & Secure Hash Standard: Condenses the message to 160 bits. Key size 512-1024 bits. Enables use of the RSA digital signature algorithm or DSA (Digital Signature Algorithm, based on El Gamal). Both use the Secure Hash Algorithm to compute the message digest, which is then processed by DSA to verify the signature. The message digest is used instead of the longer message because it is faster. Generates and verifies signatures. Provides authentication and integrity, i.e. identifies the signatory and the integrity of the data. NIST proposed it in 1991. Uses the Secure Hash Algorithm (SHA-1), 160 bits. Modular arithmetic exponentiations of large numbers; difficult to invert exponentiations (security). Equivalent to factoring (RSA). Other signature algorithms include: Nyberg-Rueppel; Schnorr.
Digital Signature Algorithm: Only for digital signature and not for encryption (unlike RSA, which does both). Integrity. FIPS 186: This Standard specifies a Digital Signature Algorithm (DSA) appropriate for applications requiring a digital rather than written signature. The DSA digital signature is a pair of large numbers represented in a computer as strings of binary digits. Provides authentication, integrity and non-repudiation.
RIPEMD-160: 160 bits; 512-bit blocks; 160 rounds (5 paired rounds of 16); 5 primitive logical functions and 9 additive constants used. Infinite input length.
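HMAC built by hand the way the notes describe it (a secret key folded into an existing iterative hash such as MD5, SHA-1 or SHA-256), as an added Python example that is not part of the original notes; the key and message are constructed, and the result is checked against Python's own hmac module.

```python
# Added example (not from the original notes): HMAC computed from the
# ipad/opad construction over a replaceable hash function, checked against
# the standard library, plus constant-time tag verification.
import hashlib
import hmac


def hmac_manual(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m))."""
    h = getattr(hashlib, hash_name)
    block_size = h().block_size  # 64 bytes for MD5, SHA-1 and SHA-256
    # A key longer than the block is hashed first; a shorter key is zero-padded.
    if len(key) > block_size:
        key = h(key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = h(ipad + message).digest()
    return h(opad + inner).digest()


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha1") -> bool:
    """True when the hand-rolled HMAC equals hmac.new() for the same hash."""
    reference = hmac.new(key, message, getattr(hashlib, hash_name)).digest()
    return hmac_manual(key, message, hash_name) == reference


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Compare in constant time so timing does not leak how many bytes matched."""
    return hmac.compare_digest(hmac_manual(key, message, hash_name), tag)


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed sample key
    msg = b"amount=100&to=alice"           # constructed sample message
    tag = hmac_manual(key, msg)
    print("HMAC-SHA1:", tag.hex(), "matches stdlib:", matches_stdlib(key, msg))
    print("tamper detected:", not verify_tag(key, b"amount=900&to=alice", tag))
```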
Public Key Certification Systems: A source could post a public key under the name of another individual. Digital certificates counter this attack; a certificate can bind individuals to their key. A Certificate Authority (CA) acts as a notary to bind the key to the person. A CA must be cross-certified by another CA.
Public Key Infrastructure (PKI): Integration of digital signatures and certificates. Components: Digital Certificates; Certificate Authorities (CA); Registration Authorities; Policies and procedures; Certificate Revocation; Non-repudiation support; Time stamping; Lightweight Directory Access Protocol; Security Enabled Applications; Cross Certification. Provides access control, authentication, confidentiality, integrity and non-repudiation. Assumes that the receiver's public identity can be positively ensured through certificates and that the DH exchange will automatically negotiate the process of key exchange. Identifies users, creates and distributes certificates, maintains and revokes certificates, distributes and maintains encryption keys, and enables all technologies to communicate and work together for the purpose of encrypted communication. A Digital Certificate binds that certificate to its particular owner with a unique serial number within the CA. The popular certificate is the X.509 v3 certificate. Separate keys can be used for digital signature and encryption. Layers of necessary protection.

Cryptographic Attacks (what is known to the cryptanalyst):
Ciphertext only: the encryption algorithm; the ciphertext to be decoded.
Known plaintext: the encryption algorithm; the ciphertext to be decoded; one or more plaintext/ciphertext pairs formed with the secret key.
Chosen plaintext: the encryption algorithm; the ciphertext to be decoded; a plaintext message chosen by the cryptanalyst, together with its corresponding ciphertext generated with the secret key.
Chosen ciphertext: the encryption algorithm; the ciphertext to be decoded; a purported ciphertext chosen by the cryptanalyst, together with its corresponding decrypted plaintext generated with the secret key.
Portions of the ciphertext are selected for trial decryption while having access to the plaintext; the goal is to figure out the key. The attacker has some plaintext, can capture an encrypted message and therefore capture the ciphertext. Once a few pieces of the puzzle are discovered, the rest is accomplished by reverse-engineering and trial-and-error attempts.
Chosen text: the encryption algorithm; the ciphertext to be decoded; a plaintext message chosen by the cryptanalyst, together with its corresponding ciphertext generated with the secret key; a purported ciphertext chosen by the cryptanalyst, together with its corresponding decrypted plaintext generated with the secret key.
Birthday Attack: You in a room with a better than 50/50 chance of another person having your birthday? Need 253 people. You in a room with a better than 50/50 chance of two people having the same birthday? Need 23 people. Two different messages having the same message digest, or finding two different messages that have the same message digest.
Brute Force attack: try every possible combination.
Adaptive Chosen Plaintext: the selection of plaintext is altered based on previous results.
Adaptive Chosen Ciphertext: chosen ciphertexts are selected for trial decryption, where the selection is based on previous results.
Meet in the Middle: for attacking double encryption from each end and comparing in the middle.
Differential Cryptanalysis: private key cryptography; looking at text pairs after encryption, looking for differences.
Linear Cryptanalysis: using plaintext and ciphertext to generate a linear approximation of a portion of the key.
Differential Linear Cryptanalysis: using both linear and differential approaches. S-boxes are used to minimize the danger from an attack called differential cryptanalysis.
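The birthday figures quoted above (253 and 23) and their consequence for hash output size, as an added Python example that is not part of the original notes: it computes both thresholds from the probabilities, then shows the same effect on a SHA-256 digest deliberately truncated to 24 bits, where a collision turns up after roughly 2^12 tries instead of 2^24; the seed string is constructed.

```python
# Added example (not from the original notes): the two birthday thresholds
# computed rather than memorised, and a collision search on a truncated
# digest showing why "larger output is stronger" against birthday attacks.
import hashlib


def people_to_match_you(p_target: float = 0.5, days: int = 365) -> int:
    """Smallest n with P(at least one of n others shares your birthday) > p_target."""
    n = 0
    while 1 - (1 - 1 / days) ** n <= p_target:
        n += 1
    return n  # 253 for a 50/50 chance


def people_for_any_match(p_target: float = 0.5, days: int = 365) -> int:
    """Smallest n with P(some pair among n people shares a birthday) > p_target."""
    n, p_no_match = 1, 1.0
    while True:
        n += 1
        p_no_match *= (days - (n - 1)) / days  # next person avoids all previous birthdays
        if 1 - p_no_match > p_target:
            return n  # 23 for a 50/50 chance


def truncated_digest(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256, standing in for a short hash output."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def find_collision(bits: int, seed: bytes = b"constructed-seed"):
    """Return (tries, m1, m2): two distinct messages with equal truncated digests.

    Expected work is about 2**(bits/2) tries (the birthday bound), not 2**bits.
    """
    seen = {}
    i = 0
    while True:
        m = seed + i.to_bytes(4, "big")
        d = truncated_digest(m, bits)
        if d in seen:
            return i + 1, seen[d], m
        seen[d] = m
        i += 1


if __name__ == "__main__":
    print("people needed to match YOUR birthday:", people_to_match_you())
    print("people needed for ANY shared birthday:", people_for_any_match())
    tries, m1, m2 = find_collision(24)
    print(f"24-bit collision after {tries} tries (2^12 = 4096 expected):",
          m1.hex(), m2.hex())
```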
Factoring: using mathematics to determine the prime factors of large numbers.
Statistical: exploiting the lack of randomness in key generation.
Dictionary attack: with a database of one-way function passwords, a dictionary program and a captured password file, this attack can be accomplished.
Replay attack: the attacker is able to intercept an encrypted secret message but not able to readily decrypt the message… OS flaws, memory residue, temporary files, differential power analysis, distributed computing… Time stamping and sequence numbering are two measures to counter this.
Active attacks include: Replay (countered by timestamping & block chaining); Substitution (countered by block chaining); Modification of messages; Denial of service.
Statistical attacks: based on a statistical weakness in the design, e.g. more 1s than 0s in the key stream.
Analytic attacks: use the algorithm and algebraic manipulation to reduce complexity; RSA factoring and Double DES are examples.
Implementation attacks: a weak implementation. Even when an algorithm is correctly implemented, the overall system security posture may be weakened by some other factor. Key generation is a weak spot. If an attacker discovers a pattern in key generation, it effectively reduces the total population of possible keys and greatly reduces the strength of the implementation. A recent example was the failure of one of the original implementations of Netscape's SSL, which used a predictable time-based technique for random number generation. When subjected to statistical analysis, few man-made devices can provide sufficiently random output.
Man in the middle: changing the public key of B by C as his key…. Prevented by PKI/digital certificates. Intercepting messages and forwarding on modified versions by replacing the public keys that are kept on a public server, acting as a middle man.
Clear text attack & ciphertext only attack: can't work on a key encrypting key.
Passive attacks involve listening-in, eavesdropping, or monitoring of information, which may lead to interception of unintended information or traffic analysis, where information is inferred. Traffic analysis: inference of information from analysis of traffic (presence, absence, frequency, etc.). Traffic padding (generation of spurious data units) and padding are the counters.
Dictionary attacks have proved immensely successful in attacking and compromising UNIX systems and Windows NT systems. UNIX systems generally use the crypt() function to generate theoretically irreversible encrypted password hashes. The problem is that some users choose weak passwords based on real words. It is possible to use a dictionary of words and to apply this well known function until there is a match with the encoded password. In Windows NT, it is possible by obtaining a copy of the NT SAM file, which contains the encrypted passwords.
Cryptographically secure digital timestamps (CSDTs) have been used for a variety of purposes, including document archiving, digital notary services, etc. By adding a CSDT to every digital certificate issued within a PKI, one has a method for ensuring not only that the certificate is valid, but also at what point in time that validity was declared. Time stamps: the primary component of a CSDT is the timestamp itself, and a time source is required. To allow high volume transactions, a 16-bit sequence number is appended to the timestamp to ensure that there can be no two CSDTs with the identical time. If the time resolution is 0.0001 sec, it is possible to issue 65,536 CSDTs that all happen within that same 0.0001 sec. Hash of the certificate: for a CSDT to be bound to a particular certificate, some data must be included to tie it to the certificate in question. A hash generated by a known and trusted algorithm, such as SHA-1 or MD5, is used to provide this connection.
This is the same hash that is calculated and encrypted during the Certificate Authority signing process. To resist ciphertext-only attacks, good practice requires that all such patterns as format (e.g., file or email message), language (e.g. English), alphabet (e.g. Roman), and public code (e.g., ASCII or EBCDIC) in the clear text object must be disguised before the object is encrypted. (pg 376 vol 1) In a brute force attack, one tries keys one after another until one finds the key in use. There are 2 ways: clear-and-ciphertext attacks, and ciphertext-only attacks. Neither of these attacks will work on a key-encrypting key, if the principles of key management are adhered to. Note: On average, the correct key will be found once half of the total key space has been tried in a brute force attack. It is not always practical to provide a digital certificate with every signed object, and high-assurance CAs need a CRL server. A directory service is a distributed database optimized for reading that can make both CRLs and certificates available on a wide area network (WAN) or the Internet. Most directory services are based on the X.500 standard and use the extensible format X.509 to store digital certificates. Point: Encryption rarely improves availability, but if mission-critical encryption services fail, then availability requirements will probably not be met. Use of a cryptographically based strong authentication system to prevent denial-of-service attacks would be an example of using encryption to increase availability. Boomerang Attack: Recently, a means of improving the flexibility of differential cryptanalysis was discovered by David A. Wagner. Called the boomerang attack, it allows the use of two unrelated characteristics for attacking two halves of a block cipher.
A technique called the boomerang amplifier attack works like this: instead of considering the pairs of inputs, differing by the XOR required for the characteristic of the first few rounds, as completely independent, one could note that it would be quite likely that somehow, taking two such pairs at a time, one could obtain any desired XOR difference between two such pairs by the birthday paradox. This allows a boomerang attack to be mounted with only chosen plaintext, instead of adaptive chosen ciphertext as well.
Email Security: Non-repudiation; Confidentiality of messages; Authentication of source; Verification of delivery; Labeling of sensitive material; Control of access.
E-mail Security Characteristics/features (product; provides what; in which layer): PEM (Privacy Enhanced Mail): Internet standard to provide secure email over the internet. A standard proposed by the IETF to be compliant with the Public Key Cryptography Standards. DES in CBC mode. Compliant with Public Key Cryptography Standards (PKCS). Developed by a consortium of Microsoft, Sun, and Novell. Triple DES-EDE symmetric encryption. MD2 and MD5 message digest. Confidentiality, authentication, message integrity, key management, non-repudiation; application level protocol. RSA public key for signatures and key distribution. X.509 certificates and a formal CA. RIPEM is a public domain implementation of the PEM protocol, although not in its entirety. Message Security Protocol: military PEM, X.400 compatible. Internet Security HTTP. Secure Telnet: remote terminal access. Secure RPC authentication (SRA).
PGP (Pretty Good Privacy): Phil Zimmermann. No CA; uses a "web of trust": users can certify each other. Uses passphrases. The user keeps a collection of signed public keys he has received from other users in a file referred to as a key ring. It provides a number of mechanisms for ensuring that one is using the correct and intended public key for a correspondent; one of these is called the "key fingerprint". Public domain software. Not endorsed by the NSA.
Bound by federal export laws due to its usage of the RSA, IDEA, Diffie-Hellman, 3DES and CAST algorithms. Stateless protocol for development of web pages: HTTP is a stateless protocol because each command is executed independently without any knowledge of the commands that came before it. The shortcoming of HTTP for implementing Web sites that react intelligently to user input is being addressed in a number of new technologies including ActiveX, Java, Javascript and cookies. Secure RPC: uses Diffie-Hellman public key to determine the shared key for encryption, with a 192 bit key. Even if the packet is sniffed and captured, it cannot necessarily be decrypted. Application level protocol. Confidentiality through IDEA (with a 128 bit block cipher key). Integrity through MD5 hashing (or SHA) to generate digital signatures. Authentication by using PKC. Non-repudiation by use of cryptographically signed messages. Encryption (confidentiality). Application layer. S-HTTP. SSL/TLS: Developed by Netscape in 1994. Uses public key to authenticate the server to the client; also provides optional client to server authentication. Supports RSA public key algorithms, IDEA, DES, and 3DES. Supports MD5 hashing. HTTPS header. Resides between the application and TCP layer. Can be used by telnet, FTP, HTTP and e-mail protocols. Based on X.509. Transport Layer Security. SKIP: Simple Key Management for Internet Protocol. Designed to send individual messages securely. Stateful protocol; does not get disconnected like HTTP. Can be used to secure individual WWW documents. SSL is session based. Computes a hash value of the message and the value can be digitally signed. Can use public key technology, symmetric, PEM etc., which shows flexibility. Designed to establish a secure connection between two computers. Requires an SSL enabled web browser. SSL is both an API and a protocol intended for end-to-end encryption for client-server applications across an arbitrary network. This protocol was developed by Netscape.
The Navigator browser is its reference implementation. It uses public key certificates to authenticate the server to the client and optionally the client to the server. It uses the server's public key to negotiate a session key to be used for the session. It manifests this key by setting a solid key icon in the lower left-hand corner of the screen. Refer below for connectivity. Successor to SSL: similar to SSL, however no prior communication is required. Requires no prior communication in order to establish or exchange keys on a session-by-session basis. Enables a TCP/IP host to send an encrypted IP packet to another host without requiring a prior message. Well suited for the Internet; data integrity and sender authentication capability. Application layer. SSL lies beneath the application layer and above the transport layer (precisely, the transport layer). Man in the middle attack possible; using digital signatures during the session key exchange can circumvent this attack. Heavily used for internet transactions. Provides authentication, compression, confidentiality, and integrity. Can be used with Kerberos and with PPP for authentication. Uses Diffie-Hellman to generate a shared secret, which in turn provides IP packet-based encryption and authentication. High availability. MIME (Multipurpose Internet Mail Extensions). MOSS (MIME Object Security Services). S/MIME (Secure Multipurpose Internet Mail Extensions). MONDEX system. IOTP is the Internet Open Trading Protocol. SET. SSH 2. Since both are stateless protocols, SKIP does not continually generate new key values as SSH does. MIME was standardized with RFC 822 and RFC 1521.
defines the mail header and type of mail content designed to provide facilities to include multiple objects in a single message, to represent body text in character sets other than US-ASCII, to represent formatted multi-font text messages, to represent nontextual material such as images and audio fragments and generally to facilitate later extensions defining new types of internet mail for use by cooperating mail agents. Provides flexibility by supporting different trust models Permits identification outside of the X.509 Standard Adds secure services to messages in MIME format Follows Public Key Cryptography Standards (PKCS) Uses X.509 Signatures Smart cash card application Proprietary encryption algorithm Card is same as cash Aimed at consumer to business transaction Flexible and future focused Visa and Mastercard developed in 1997 Encrypts the payment information DES – Symmetric Encryption RSA Public Key – signatures and key distribution Taken over by SSL Remote access via encrypted tunnel Client to server authentication Comprised of: Uses MD5, RSA Public Key and DES Encryption and hashing Provides authentication through digital signatures Application layer protocol Internet transaction and Authentication of sender and receiver Application layer protocol Host and user authentication, data compression, data confidentiality and integrity Key exchange and encryption RSA & Triple DES IPSEC S/WAN – Secure WAN – defines IPSec based widespread use of VPNs on the internet Transport Layer protocol User Authentication protocol Connection Protocol IPSec adds per-packet authentication, payload verification, and encryption mechanisms to traditional IP. 
The two main protocols are the Authentication Header and the Encapsulating Security Payload. Can operate with a single protocol (with or without encryption/confidentiality). A Security Association is required between two parties: a one way connection, comprised of a Security Parameter Index (SPI), a 32 bit identifier. Bi-directional communication requires two Security Associations. In a VPN implementation IPSec can operate in transport or tunnel mode. Transport mode: data encrypted, header not. Tunnel mode: data and original IP header encrypted, a new header is added; the new header has the address of the VPN gateway. MD5 and SHA are used for integrity. Security Associations can be combined into bundles using either transport adjacency or iterated tunneling. IKE (Internet Key Exchange) is used for key management with IPSec. IKE is a set of three protocols: Internet Security Association and Key Management Protocol (ISAKMP), the phases for establishing the relationship; Secure Key Exchange Mechanism (SKEME), the secure exchange mechanism; Oakley, the modes of operation needed to establish security accordingly. Heavily used for internet transactions. Operates in the Transport layer. Provides encryption, access control, and non-repudiation over IP. Operates in the Network layer. ESP: provides authenticity, integrity and confidentiality. Authentication Header: integrity, authentication and non-repudiation. connection
Kerberos Authentication Server: knows all the passwords of the users and stores them in a centralized database. It also shares a unique secret key with each server, which is pre-distributed in some manner. To minimize the number of times the user has to enter a password and the requirement of multiple tickets for every different service, and to avoid plaintext transmission of the password, the TGS is introduced. The TGS issues tickets to users who have been authenticated to the AS. Hence the user requires a TGT from the AS; then, using that, the TGS grants a service granting ticket. The TGT can be used by the client to request multiple service-granting tickets. The TGT is reusable.
To counter the replay attack, a timestamp is included stating until when the ticket is valid; this satisfies both of the problems above. Capturing the TGT and the service granting ticket and using them before they expire within the time frame: the AS provides a secret piece of information in a secure manner for both the user and the client, referred to as the session key in Kerberos. Service/server needing to authenticate to the client so that the user is sure of the correct server/service he is looking for: for mutual authentication, the server can reply as shown in the message. The server returns the value of the timestamp from the authenticator incremented by 1, encrypted in the session key. A set of servers with a Kerberos server is referred to as a realm, and there needs to be certification across realms. Kerberos 5 came up with ways of avoiding environmental shortcomings and technical deficiencies: 1. encryption system dependence: allowing the same key to be used in different algorithms and different variations of a given algorithm; 2. there is no IP dependence; 3. ticket lifetime is flexible; 4. authentication forwarding: a client can access a server and have that service access another server on behalf of the client; 5. interrealm authentication with reduced relationships. Double encryption is removed; explicit integrity, and standard CBC rather than PCBC. Session key; a sub-session key to prevent replay. Password attack: can't be prevented, but a system of pre-authentication makes password attacks more difficult. Includes a nonce, a random value to be repeated in the message to assure that the response is fresh and has not been replayed by an opponent. 1. The basic Kerberos 5 protocol defines the syntax and semantics for authentication, secure messaging, limited syntax and semantics for authorization, and the application of various cryptographic algorithms within those elements. 2. Kerberos is often described as an "application-layer" protocol. 3.
Kerberos is used very effectively at all layers of the network, as well as in middleware. Kerberos is used for authentication and key management in a Virtual Private Network (VPN). 4. Organizational models: Autocracy: all control flows from a central authority. Anarchy: all authority flows from individuals. 5. In Kerberos, the entities that authenticate with one another are referred to as 'principals', as in 'principals to a transaction'. 6. Kerberos credentials are referred to as 'tickets' (pg 401 vol 1). A ticket is a part of a cryptographically sealed credential issued by the KDC to a client. (Pg 410 vol 1) 7. The KDC logically consists of a set of services and a database that contains information about principals. In Kerberos that collective is referred to as a "realm". Principals in different realms can interact using 'cross-realm' (sometimes referred to as 'inter-realm') authentication. 8. In Kerberos, the trusted third party is known as the Key Distribution Center (KDC). In public key systems, the trusted third party is referred to as a Certificate Authority (CA). 9. In typical operation, a cryptovariable is inserted prior to encrypting a message and the same key is used for some period of time. This period of time is known as the 'cryptoperiod'. For reasons having to do with cryptanalysis, the key should be changed on a regular basis. 10. The AS generates a random key, referred to as the 'session key'. 11. While we can formulate solutions to authentication, confidentiality, integrity and access control that are useful and that are independent of a broad range of applications, the same cannot be said of delegation and authorization. 12. The combined ability to provide both efficient and secure access to services, and the ability to serve as the basis for a collective security mechanism, is one of Kerberos's major strengths. 13.
Replay Protection: Time-Stamps: Replay protection using timestamps is most suited to datagram or transaction-oriented protocols and requires loosely synchronized clocks based on a secure time service and the use of a replay 'cache' by the receiver. A replay cache is simply a cache of messages previously seen by the receiver, or more likely, a hash of each of those messages. The receiver must check each received message against the replay cache to determine if the message is a replay. Time-stamps help to limit the size of the replay cache. 14. Challenge-Response: Replay protection using a challenge-response exchange is most suited to session-oriented protocols, such as TCP/IP. (Please refer to Pg 422 Vol 1; there is a lot about it that I didn't understand. Read it and delete this.) 15. Multiple security functions, including authentication, authorization, access control, and key management, can be provided by or built from Kerberos. While the concept of an aggregate enterprise security service is not native to Kerberos, the union of the two is very natural. 16. Security Services: Kerberos Authentication: The Kerberos authentication protocol implicitly provides the cryptographic material or session keys needed for establishing a secure channel that continues to protect the principal's conversation after the authentication has occurred. Secure Channels: A secure channel provides integrity and confidentiality services to communicating principals. Kerberos provides these services either directly through the use of Kerberos protocol messages, or indirectly by providing the cryptographic material needed by other protocols or applications to implement their own form of secure channel. Integrity: Kerberos provides message integrity through the use of signed message checksums or one-way hashes using a choice of algorithms. Confidentiality: Kerberos provides message confidentiality by encrypting messages using a choice of encryption algorithm.
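The Kerberos authenticator handling described in the Kerberos notes above (a timestamp in the authenticator, the server's mutual-authentication reply of timestamp + 1 under the session key, and a replay cache whose size is bounded by the time-stamps), as an added Python model that is not part of the original notes; the seal/unseal cipher is a constructed toy (HMAC-SHA256 keystream plus tag) rather than a real Kerberos encryption type, and the principal name, key and timestamps are made up.

```python
# Added example (not from the original notes): a model of the Kerberos
# client/server authenticator exchange with clock-skew check, replay cache
# and the timestamp+1 mutual-authentication reply.
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 blocks over a counter (constructed, not Kerberos)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj: dict, nonce: bytes = None) -> bytes:
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || tag."""
    nonce = nonce or os.urandom(16)
    plaintext = json.dumps(obj, sort_keys=True).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag (constant time) before decrypting; raise on forgery or wrong key."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad tag: message forged or wrong key")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode())


class Server:
    """Holds the session key (delivered inside the service ticket) and a replay cache."""
    MAX_SKEW = 300  # seconds of clock drift tolerated ("loosely synchronized clocks")

    def __init__(self, session_key: bytes):
        self.key = session_key
        self.replay_cache = set()  # (principal, timestamp) pairs already accepted

    def accept(self, authenticator: bytes, now: int) -> bytes:
        """Validate the client's authenticator and return the mutual-auth reply."""
        auth = unseal(self.key, authenticator)  # raises ValueError if tampered
        ts = auth["timestamp"]
        if abs(now - ts) > self.MAX_SKEW:
            raise PermissionError("authenticator outside the clock-skew window")
        entry = (auth["principal"], ts)
        if entry in self.replay_cache:
            raise PermissionError("replayed authenticator")
        self.replay_cache.add(entry)
        # Time-stamps bound the cache: anything older than the window could never
        # be accepted again anyway, so it can be dropped.
        self.replay_cache = {e for e in self.replay_cache if now - e[1] <= self.MAX_SKEW}
        # Mutual authentication: prove possession of the session key by returning
        # the client's timestamp incremented by one.
        return seal(self.key, {"timestamp": ts + 1})


def client_request(session_key: bytes, principal: str, now: int) -> bytes:
    """Authenticator: principal name and current time, sealed under the session key."""
    return seal(session_key, {"principal": principal, "timestamp": now})


def client_check_reply(session_key: bytes, reply: bytes, sent_timestamp: int) -> bool:
    """The server is genuine only if it returned timestamp + 1 under the session key."""
    return unseal(session_key, reply)["timestamp"] == sent_timestamp + 1


if __name__ == "__main__":
    key = b"constructed-session-key-32bytes!"   # would come from the AS/TGS
    now = 1_700_000_000                          # constructed clock value
    server = Server(key)
    auth = client_request(key, "alice@EXAMPLE.REALM", now)
    reply = server.accept(auth, now + 2)
    print("server authenticated:", client_check_reply(key, reply, now))
    try:
        server.accept(auth, now + 3)             # same authenticator again
    except PermissionError as err:
        print("second use rejected:", err)
```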
Access control: Kerberos does not directly provide access control for persistent data, such as disk files. However, the Kerberos protocol provides for the inclusion and protection of authorization information needed by applications and operating systems in making access control decisions.
Authorization: An authorization service provides information that is used to make access control decisions. Common mechanisms used to represent authorization information include access control lists (ACLs) and capabilities. An ACL-based system uses access control lists to make access decisions. Capability-based systems require the encapsulation of authorization information in a tamper-proof package that is bound to an identity.
17. Non-repudiation: Kerberos does not offer the arbitration services that are required for the complete implementation of such a service (non-repudiation).
18. Availability: Distributed security systems generally do not offer availability services. So Kerberos can give authentication, secure channel, integrity, confidentiality, access control and authorization, but does not provide non-repudiation and availability.
19. An additional layer is now built in, namely the ticket-granting service (TGS). I.e. the AS now gives a ticket for the TGS, which is called the TGT (ticket-granting ticket), and the TGS gives out session tickets (service tickets) to the users.
Kerberos-related technologies
OSF DCE – Open Software Foundation Distributed Computing Environment; uses Kerberos 5 as the underlying security mechanism.
GSS-API – Generic Security Service Application Programming Interface.
SPNEGO – Simple and Protected GSS-API Negotiation Mechanism.
SSPI – Microsoft Security Support Provider Interface.
SSL – Secure Sockets Layer.
SASL – Simple Authentication and Security Layer.
IPSEC – key management by Kerberos.
RADIUS – to surrogate RADIUS clients; integrated with Kerberos.
Common Data Security Architecture, token cards etc., where Kerberos can be implemented.
Wireless Security
WAP – Wireless Application Protocol
Designed for mobile devices (PDAs, phones)
Set of protocols covering layers 7 to 3 of the OSI model
Less overhead than TCP/IP
Wireless Markup Language (WML)
Wireless Application Environment (WAE)
Wireless Session Protocol (WSP)
Wireless Transport Layer Security (WTLS)
Wireless Datagram Protocol (WDP)
For security WAP uses Wireless Transport Layer Security (WTLS)
Three classes of security:
Class 1 – anonymous authentication
Class 2 – server authentication
Class 3 – two-way client and server authentication
Authentication and authorisation can be performed through smart cards/tokens
Security vulnerability of WAP: the WAP gap, where WTLS is decrypted and re-encrypted to SSL at the WAP gateway
C-HTML, from Japan, is competing with WML; C-HTML is stripped-down HTML and can be displayed on a standard browser
Mobile PKI – relates to the possible time lapse between the expiration of a public key and the reissue of the certificates to them.
IEEE 802.11 standards
Active mode (can transmit and receive) and power-save mode (does not enable the user to transmit or receive)
Interface between clients and base station
802.11 layers
The physical layer (PHY) can use:
DSSS – Direct Sequence Spread Spectrum
FH – Frequency Hopping Spread Spectrum
IR – infrared pulse modulation: more secure against data capture since it requires a line-of-sight path
MAC layer – Medium Access Control; specifies CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance)
Provides: data transfer, association, re-association, authentication (WEP), privacy (WEP), power management
Notes to remember
Private (symmetric) key cryptography is 1000 or more times faster than public key cryptography.
Time stamps can be used to prevent replay attacks.
A one-time pad is usually implemented as a stream cipher using the XOR function.
The security of a cryptosystem should depend only on the security of the keys, not on the algorithm.
Unix systems use a substitution cipher called ROT13.
Lightweight Directory Access Protocol (LDAP) appears to be the chosen method for distributing keys. Keep in mind that the server storing the certificates and the delivery of the certificates containing the keys do not have to be secure: the signature from the CA on the certificate vouches for the authenticity of the key pair. Availability and integrity are the main concerns for the LDAP server; if it is attacked by DoS, the CRL cannot be processed, which permits the use of a revoked certificate for transactions. Protecting the private key of the CA, the software used for signing, and the private keys of users will be important. Users' keys are secured by an encrypted passphrase and/or smart cards with CPU and RAM, unlocked by the PIN when inserted in a card reader.
The Data Criticality Matrix is helpful in comprehending and prioritizing an organization's information asset security categories. This matrix includes 5 security requirements: the widely used CIA requirements of Confidentiality, Integrity and Availability are supplemented with two additional requirements, Non-repudiation and Time.
RSA Secure PC. This is just a hint. The object of encryption is always the individual file rather than the drive or the directory. When a file is initially encrypted, the system generates a 64-bit block cipher key to be used to encrypt the file. This file key is then encrypted using the public key of the system and is stored with the file.
Cryptography requirements
Secrecy requirements
If ciphertext and plaintext are known, it should be computationally infeasible to determine the deciphering algorithm.
It should be computationally infeasible to systematically determine plaintext from intercepted ciphertext. (Even if you decrypt ciphertext once, it should require the same amount of work to do it again.)
Note: "systematically" allows for a lucky guess.
Note: "computationally infeasible" means great effort; it doesn't account for advances in computing and mathematics.
Authentication requirements
If ciphertext and plaintext are known, it should be computationally infeasible to determine the enciphering algorithm.
It should be computationally infeasible to find valid ciphertext. (Even if you encrypt plaintext so that it can be decrypted once, it should require the same amount of work to do it again.)
Identify applications of cryptography
Data storage: prevent disclosure (password files, backup tapes)
Bulk telecommunications: prevent disclosure (data transmission, STU)
Message authentication: detect fraudulent insertion, detect fraudulent deletion, detect fraudulent modification, detect replay
Digital signature: source verification, non-repudiation
Uses: EFT systems, protecting stored data, e-mail, communication links, VPNs, e-commerce (secure WWW connections: SSL, S-HTTP), digital signatures (MD5, SHA)
Encryption laws: The Electronic Data Security Act states its goals as: "To enable the development of a key management infrastructure for public-key-based encryption and attendant encryption products that will assure that individuals and businesses can transmit and receive information electronically with confidence in the information's confidentiality, integrity, availability, and authenticity, and that will promote timely lawful government access."
IEEE P1363a will cover additional public-key techniques.
Standards activities involving ECC
IEEE P1363 (public-key crypto): covers the main public key techniques RSA, ECC, El Gamal, Diffie-Hellman
ANSI X9: Elliptic Curve Digital Signature Algorithm (ECDSA), proposed work item
ANSI ASC X9: elliptic curve key agreement and key management, proposed work item
ISO/IEC CD 14888-3 "digital signatures with appendix": variety of digital signature mechanisms
ISO/IEC (International Electrotechnical Commission) is the joint technical committee developing the standards for information technology.
There are four types of modules: inline, offline, embedded, stand-alone.
Inline (front-end configuration)
Module capable of accepting plaintext from source
o Performing crypto processing
o Passing processed data directly to communications equipment
o Without passing back to source
May also decrypt (reverse process)
Data cannot leave host without passing through module
Comm equipment in module or external to host
Offline (back-end configuration)
Module capable of accepting data from source
o Performing crypto processing
o Passing processed data back to source
Source responsible for storage and further transmission
o Maintaining separation between protected and unprotected data
Ideal for local file encryption
Comm boards may be internal to host
Embedded
Module physically enclosed within and interfaces with computer
Either inline or offline
Less expensive
Physical security (tamper protection and detection) questionable
Standalone
Module contained in own physical enclosure, outside host computer
Either inline or offline
Describe the principles of key management
Must be fully automated
Key length should be long enough to provide the necessary level of protection
Keys should be stored and transmitted by secure means, for key discipline and secrecy
No key in clear outside of the crypto device, for secrecy and known-plaintext attack resistance
Choose keys randomly from the entire key space, to prevent patterns that an attacker could exploit to reduce work
Key-encrypting keys must be separate from data keys: nothing appearing in clear is encrypted with a key-encrypting key
Keep the KEK invulnerable to brute force attack
Disguise all patterns in the cleartext object before encryption (format, language, alphabet, public code) to resist ciphertext-only attacks
Keys with a long life should be used infrequently: the more a key is used, the more likely a successful attack and the greater the consequences, so the shorter its lifetime should be. Backed by escrow in case of emergencies. Lifetime should correspond with the sensitivity of the data it is processing.
Emergency key recovery can be made possible by multiparty control: a member from management, an individual from auditing and the IT department, so that collusion is required for fraudulent activities to take place (key escrow).
Key management activities: key control, key recovery, key storage, key retirement/destruction, key change, key generation, key theft, frequency of key use
Describe bitstream authentication
Generate a new MAC; compare with the original MAC
Algorithm qualities: sensitive to bit changes; creates a MAC that cannot be duplicated
In the mid-80's, NSA introduced a program called the Commercial COMSEC Endorsement Program (CCEP):
NSA and industry relationship
Combine government crypto knowledge with industry product-development expertise
Type 1 or Type 2 high-grade crypto products
Type 1 encrypts classified and SUI
o STU – Secure Telephone Unit
Type 2 encrypts SUI
o Authentication devices, transmission security devices, secure LANs
Cryptography is export-controlled for several reasons. Strong cryptography can be used for criminal purposes or even as a weapon of war. During wartime, the ability to intercept and decipher enemy communications is crucial; hence it is protected. Cryptography is just one of many technologies covered by the ITAR (International Traffic in Arms Regulations).
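The bitstream authentication procedure above (generate a new MAC, compare with the original) and the message-authentication goals listed earlier (detect fraudulent insertion, deletion, modification and replay), as one added example that is not part of these notes: each chunk's MAC also covers its sequence number, so the receiver catches all four tampering cases with one check. The key, chunk contents and HMAC-SHA256 are assumptions for the demo.

```python
import hashlib
import hmac

# Constructed shared key for the demo; a real one comes from key management
# (for example a Kerberos session key), never from source code.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def compute_mac(key: bytes, seq: int, chunk: bytes) -> bytes:
    """HMAC-SHA256 over a chunk of the bitstream and its sequence number.
    Binding the sequence number in means a deleted, inserted or replayed
    chunk is caught just like a modified one."""
    return hmac.new(key, seq.to_bytes(8, "big") + chunk, hashlib.sha256).digest()


def protect(key: bytes, chunks):
    """Sender side: attach (sequence number, MAC) to every chunk."""
    return [(i, c, compute_mac(key, i, c)) for i, c in enumerate(chunks)]


def verify(key: bytes, records):
    """Receiver side: generate a new MAC per record and compare it with the
    original; returns (ok, reason). compare_digest is constant-time."""
    expected_seq = 0
    for seq, chunk, tag in records:
        if seq != expected_seq:
            return False, f"sequence error at {expected_seq}: insertion, deletion or replay"
        if not hmac.compare_digest(compute_mac(key, seq, chunk), tag):
            return False, f"MAC mismatch at {seq}: modification"
        expected_seq += 1
    return True, "ok"


def flip_bit(data: bytes, bit: int) -> bytes:
    """Copy of data with one bit inverted (a single-bit transmission error)."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


def mac_bits_changed(key: bytes, chunk: bytes, bit: int) -> int:
    """Number of the 256 MAC bits that change when one input bit is flipped."""
    a = int.from_bytes(compute_mac(key, 0, chunk), "big")
    b = int.from_bytes(compute_mac(key, 0, flip_bit(chunk, bit)), "big")
    return bin(a ^ b).count("1")


def demo():
    """Constructed three-chunk stream; returns the verify() verdicts for the
    intact stream and four tampered variants."""
    chunks = [b"wire transfer 100.00 to acct 4711", b"authorised by clerk 17", b"end"]
    records = protect(DEMO_KEY, chunks)
    seq, chunk, tag = records[0]
    intact = verify(DEMO_KEY, records)[0]
    # bit 120 lies inside the amount field of chunk 0
    modified = verify(DEMO_KEY, [(seq, flip_bit(chunk, 120), tag)] + records[1:])[0]
    deleted = verify(DEMO_KEY, [records[0], records[2]])[0]        # chunk 1 removed
    replayed = verify(DEMO_KEY, records + [records[1]])[0]         # chunk 1 resent
    forged = verify(DEMO_KEY, records[:1] + [(1, b"to acct 9999", tag)] + records[2:])[0]
    return intact, modified, deleted, replayed, forged
```

Roughly half of the MAC bits change for a one-bit input change, which is the "sensitive to bit changes" property the notes ask for.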
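The emergency key recovery under multiparty control described above, as an added example that is not part of these notes: the escrowed key is split with Shamir's scheme among the management, auditing and IT custodians so that no single custodian can recover it. The 2-of-3 policy, the prime field and the sample key value are assumptions for the demo.

```python
import secrets

# Arithmetic is done in a prime field. 2**521 - 1 is a Mersenne prime, large
# enough to hold any key of up to 512 bits; choosing it is an implementation
# decision for this example.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (lowest coefficient first) mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_key(key: int, threshold: int, custodians):
    """Split key into one share per custodian; any `threshold` shares recover it.

    The key is the constant term of a random polynomial of degree threshold-1;
    each custodian receives the polynomial evaluated at a distinct x > 0.
    Fewer than `threshold` shares reveal nothing about the key.
    """
    if not 1 <= threshold <= len(custodians) or not 0 <= key < PRIME:
        raise ValueError("bad threshold or key out of range")
    coeffs = [key] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return {name: (x, _eval_poly(coeffs, x)) for x, name in enumerate(custodians, 1)}


def recover_key(shares):
    """Lagrange interpolation at x = 0 over the given (x, y) shares."""
    key = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        key = (key + yi * num * pow(den, -1, PRIME)) % PRIME
    return key


def demo():
    """Constructed escrow: three custodians, any two needed (assumed policy).

    Returns whether two custodians recover the key and whether one can."""
    key = 0x2B7E151628AED2A6ABF7158809CF4F3C   # constructed sample key value
    shares = split_key(key, 2, ["management", "auditing", "it-department"])
    two_custodians = [shares["management"], shares["auditing"]]
    one_custodian = [shares["it-department"]]
    return recover_key(two_custodians) == key, recover_key(one_custodian) == key
```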
In the United States, government agencies consider strong encryption to be systems that use RSA with key sizes over 512 bits or symmetric algorithms (like DES, IDEA, or RC5) with key sizes over 40 bits. Since government encryption policy is heavily influenced by the agencies responsible for gathering domestic and international intelligence (the FBI and NSA, respectively), the government is compelled to balance the conflicting requirements of making strong cryptography available for commercial purposes while still making it possible for those agencies to break those codes, if need be. The US government does, however, allow 56-bit block ciphers to be exported for financial cryptography.
Cryptographic protocols and standards
Domain Name Server Security (DNSSEC)
o Secure distributed name services
Generic Security Services API (GSSAPI)
o Provides a generic authentication, key exchange and encryption interface for different systems and authentication methods
Secure Socket Layer (SSL)
o Secure WWW connections
Secure Hypertext Transfer Protocol (SHTTP)
o Secure WWW connections
o More flexible than SSL, but not as widely used
E-mail security and related services
o S/MIME (Secure MIME) – Secure Multipurpose Internet Mail Extensions: specs for secure electronic messaging; developed to fix interception and forgery of e-mail; easily integrated into e-mail and messaging products; provides privacy, data integrity, authentication
o MSP (Message Security Protocol): offers confidentiality, authentication, non-repudiation, return receipt, signature
Public Key Cryptography Standards (PKCS)
o Provides an agreed-upon format for public key cryptography
o Extension to PEM
SSH2 protocol
o Used to secure terminal sessions; developed by the IETF
o Provides 3 components:
Transport Layer Protocol: server authentication, confidentiality, and integrity
User Authentication Protocol: authenticates the client to the server
Connection Protocol: multiplexes the encrypted tunnel into several logical channels
X.509
1) Framework for the provision of authentication services by the X.500 directory to its users.
2) The directory is a repository of public key certificates.
3) A certificate contains the public key of a user and is signed by the private key of a trusted certification authority.
4) X.509 defines alternative authentication protocols as well.
5) Certificate structure and authentication protocols are defined, hence very important and used in a variety of contexts, e.g. SSL, SET, S/MIME etc.
6) Based on public key cryptography and digital signatures; the recommended algorithm is RSA.
7) A certificate is issued to and associated with each user. The certificate contains: version, serial number, signature algorithm identifier, issuer name, period of validity, subject name, subject's public key information, issuer unique identifier, subject unique identifier, extensions and signature.
8) Cross certificates between CAs.
9) Suggests that CAs be arranged in a hierarchy so that navigation is straightforward.
10) Forward certificates: certificates of X generated by other CAs.
11) Reverse certificates: certificates generated by X that are the certificates of other CAs.
12) Revocation of certificates, which must be maintained as a CRL.
Authentication
One-way authentication: the initiating entity is authenticated; the message is from A and is for B, and integrity and originality are assured.
Two-way authentication: all three, plus the reverse is also done.
Three-way authentication: a final message from A to B is included, which contains the signed copy of the nonce.
X.509 version 3: all that is needed for recent designs and implementations was not available, so additions were made to include key and policy information, certificate and issuer identification, and certificate path constraints.
Cracking of symmetric and asymmetric – history
DES cracker: In 1998, the DES message was cracked in 39 days.
In July 1998 the EFF (Electronic Frontier Foundation) announced that it had easily won the RSA Security 'DES Challenge II', taking less than 3 days to recover the original message. In January 1999, EFF announced that, in collaboration with Distributed.Net, it had won the RSA Security 'DES Challenge III', taking 22 hours to recover the plaintext.
In 1977, Whitfield Diffie and Martin Hellman proposed the construction of a DES-cracking machine that could crack 56-bit DES keys in 20 hours. In 1994, Michael Wiener proposed a design built from existing technology which could crack 56-bit DES in under 4 hours for a cost of US $1 million. Contests held in 1997 and 1998 to crack DES-encrypted messages were won by distributed computing efforts.
RSA-155 (512-bit) factorization: In August 1999 the factorization of the 155-digit (512-bit) RSA Challenge Number was completed in around five to seven months without dedicated hardware. RSA-140 was solved in 9 weeks.
In summer 1999, Adi Shamir presented a design for The Weizmann Institute Key Locating Engine (TWINKLE); cost: US $5000; it provides processing equivalent to 100 to 1000 PCs. This device is targeted at 512-bit RSA keys.
In January 1997, it was announced that a Berkeley student, using the idle time on a network of 250 computers, was able to break the RSA challenge message, encrypted using a 40-bit key, in three and one-half hours.
Data/session key: this is often negotiated using standard protocols or sent in a protected manner using secret, public and private keys.
Key-encrypting keys
Split keys
Strength comparison
Moore's law: processing speeds seem to double (or costs halve) every 18 months.
A MIPS-year (M.Y.) is the number of instructions a million-instructions-per-second machine can execute in one year. One M.Y. is approximately 10^13.5 instructions.
Based on exhaustive key search, a triple-DES (112-bit) key is approximately equal to a 1792-bit RSA key (i.e., key modulus) and a 1024-bit RSA key is approximately equal to a 160-bit ECC key.

EC key size   RSA key size   MIPS-years
160           1,024          10^12
320           5,120          10^36
600           21,000         10^79
1,200         120,000        10^168