UNIT-1 - Vel Tech University
advertisement
UNIT-1
1
Computer Security - generic name for the collection of tools designed to protect data
and to thwart hackers
2
Network Security - measures to protect data during their transmission
3
Internet Security - measures to protect data during their transmission over a collection
of interconnected networks
1. SERVICES , MECHANISM AND ATTACKS
To assess the security needs of an organization effectively and to evaluate and choose
various security products ad policies the manager responsible for security needs some
systematic way of defining the requirements for security and characterizing the approaches to
satisfying those requirements.
3 aspects of Information security
security attack
security mechanism
security service
a. Security attack
Any action that compromises the security of information owned by an
organization.
b. Security Mechanism
A mechanism that is designed to
2 Detect,
3 Prevent or
4 Recove from a security attack.
1
no single mechanism that will support all services required however one
particular element underlies many of the security mechanisms in
use:-cryptographic techniques
c. Security Service
enhance security of data processing systems and information transfers of an
organization
intended to counter security attacks
using one or more security mechanisms
often replicates functions normally associated with physical documents
for example, have signatures, dates; need protection from
disclosure, tampering, or destruction; be notarized or
witnessed; be recorded or licensed
2. OSI SECURITY ARCHITECTURE
ITU-T X.800 Security Architecture for OSI
defines a systematic way of defining and providing security requirements
for us it provides a useful, if abstract, overview of concepts we will study
Security Services
X.800 defines it as: a service provided by a protocol layer of communicating open
systems, which ensures adequate security of the systems or of data transfers
RFC 2828 defines it as: a processing or communication service provided by a
system to give a specific kind of protection to system resources
X.800 defines it in 5 major categories
o Authentication
- assurance that the communicating entity is the
one claimed
o Access Control
- prevention of the unauthorized use of a
resource
o Data Confidentiality - protection of data from unauthorized
disclosure
o Data Integrity
- assurance that data received is as sent by an
authorized entity
o Non-Repudiation
- protection against denial by one of the parties
in a communication
Security Mechanisms
1
2
specific security mechanisms:
encipherment, digital signatures, access controls, data integrity,
authentication exchange, traffic padding, routing control,
notarization
pervasive security mechanisms:
trusted functionality, security labels, event detection, security audit
trails, security recovery
Security Attack specific security mechanisms:
– encipherment,
–
–
–
–
–
–
–
digital signatures,
access controls,
data integrity,
authentication exchange,
traffic padding,
routing control,
notarization
Security Attacks
any action that compromises the security of information owned by an organization
information security is about how to prevent attacks, or failing that, to detect attacks
on information-based systems
often threat & attack used to mean same thing
have a wide range of attacks
can focus of generic types of attacks
passive
active
Classify Security Attacks as
1
Passive attacks - eavesdropping on, or monitoring of, transmissions to:
– obtain message contents, or
– monitor traffic flows
2
Active attacks – modification of data stream to:
– masquerade of one entity as some other
– replay previous messages
– modify messages in transit
– denial of service
3. MODEL FOR NETWORK SECURITY
All the techniques for providing security have 2 aspects
6
A security – related transformation on the information to be sent.
7
Some secret information shared by the two principles and it is hoped unknown
to the opponent.
This general model shows that there are 4 Basic tasks in designing a particular security service.
1.
2.
3.
4.
Design a suitable algorithm for the security transformation
Generate the secret information (keys) used by the algorithm
develop methods to distribute and share the secret information
Specify a protocol enabling the principals to use the transformation and secret
information for a security service
Model for Network Access Security
The hacker can be someone who with no malign intent simply gets satisfaction
from breaking and entering a computer system.
The Intruder can be a disgruntled employee who wishes to do damage or a
Criminal who seeks to exploit computer assets for financial gain.
Another type of unwanted access is the placement in a computer system of logic
that exploits vulnerabilities in the system and that can affect application
programs such as editors & Compilers
Two kinds of threats can be presented by programs.
Information access threats intercepts or modify data on behalf of users who should not
have access to that data.
Service Threats exploit service flaws in computers to inhibit use by legitimate users.
1
Using this model requires us to:
1. Select appropriate gatekeeper functions to identify users
2. Implement security controls to ensure only authorised users access
designated information or resources
2
Trusted computer systems may be useful to help implement this model
4. SYMMETRIC ENCRYPTION
or conventional / private-key / single-key
sender and recipient share a common key
all classical encryption algorithms are private-key
was only type prior to invention of public-key in 1970’s
and by far most widely used
BASIC TERMINOLOGY
1
plaintext - original message
2
cipher text - coded message
3
cipher - algorithm for transforming plaintext to ciphertext
4
key - info used in cipher known only to sender/receiver
5
encipher (encrypt) - converting plaintext to ciphertext
6
decipher (decrypt) - recovering ciphertext from plaintext
7
cryptography - study of encryption principles/methods
8
cryptanalysis (codebreaking) - study of principles/ methods of deciphering
Ciphertext without knowing key
9
cryptology - field of both cryptography and cryptanalysis
5. SYMMETRIC CIPHER MODEL
A symmetric encryption scheme has 5 ingredients
Plaintext: - This is the original intelligence may or data that is fed into the
algorithm as input
Encryption algorithm: - The encryption algorithm performs various substitution
and transformation on the plaintext.
Secret key: The secret key is also input to the encryption algorithm
The key is a value independent of the plaintext
The algorithm will produce a different output depending on the specific key
beig used at the time.
Cipher Text: Scrambled message produced as output.
It depends on the plaintext and the secret key.
For a given message 2 different keys will produce 2 different cipher texts.
The cipher text is apparently random streams of Data.
Decryption Algorithm: This is essentially the encryption algorithm run in reverse.
It takes the cipher text and the secret key and produces the original plaintext.
Requirements
two requirements for secure use of symmetric encryption:
a strong encryption algorithm
a secret key known only to sender / receiver
CONVENTIONAL CRYPTOSYSTEM MODEL
1
A source produces a message in plaintext
X=[ X1,X2…………Xn]
A key of the form K=[ K1,K2……….Kj] is generated.
If the key is generated at the message source then it must also be provided to the
destination by means of some Secure Channel.
2
With the message X and the encryption key K as input the encryption algorithm forms
the cipher text Y=[ Y1,Y2……..Yn ]
3
We can write as
Encryption :Decryption :-
Y=Ek(X)
X=Dk(Y)
Cryptography
1 Characterize cryptographic system by
type of encryption operations used
• substitution / transposition / product
number of keys used
• single-key or private / two-key or public
way in which plaintext is processed
• block / stream
Cryptanalysis
Objective to recover key not just message
General approaches:
Cryptanalytic attack
Cryptanalytic attacks rely on
The nature of the algorithm + some knowledge of the general
characteristics of the plaintext.
This type of attack exploits
The characteristics of the algorithm to attempt to deduce a
specific plaintext.
Deduce the key being used
If the attack succeeds in deducing the key the effect is Catastrophic.
Brute-force attack
The attacker tries every possible key on a piece of cipher text until an
intelligible translation into plaintext is obtained.
Types of Cryptanalytic Attacks
More Definitions
1 unconditional security
no matter how much computer power or time is available, the cipher cannot be
broken since the ciphertext provides insufficient information to uniquely
determine the corresponding plaintext
2 computational security
given limited computing resources (eg time needed for calculations is greater
than age of universe), the cipher cannot be broken
5. ENCRYPTION TECHNIQUES
The two basic building blocks of all encryption techniques are
Substitution Techniques
Transposition
SUBSTITUTION TECHNIQUES
a. Caesar Cipher
Earliest known substitution cipher by Julius Caesar.
Replace each letter of the alphabet with the letter 3 places after that alphabet.
Alphabets are assumed to be wrapped around ( Z is followed by A )
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
Plain : - a b c d e f g h i j k l m n o p q r s t u v w x y z
Cipher : - D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
Plaintext :- H A P P Y N E W Y E A R
Cipher text : - K D S S B Q H Z B H D U
The algorithm can be expressed as for each plaintext letter P substitute the cipher text letter
C3
The general Caesar algorithm is
Encryption :- C=E(P) = (P+K) mod 26
Decryption :- P=D(C) = (C-K) mod 26
Example :Plaintext :- H A I
Ciphertext :- K D L
C = E(P) = (P+K) mod 26
= ( 7 + 3 ) % 26
= 10 % 26
H= K
C = E(P) = (P+K) mod 26
= ( 0 + 3 ) % 26
= 3 % 26
A= D
C = E(P) = (P+K) mod 26
= ( 8 + 3 ) % 26
= 11 % 26
I= L
Drawbacks
Brute force attack is easily performed.
Simply try all the 25 possible keys
3 important characteristics of this problem enabled us to use.
Brute – Force cryptanalysis
The encryption & Decryption algorithm are known
There are only 25 keys to try.
The language of the Plaintext is known and easily recognizable.
b. Mono-alphabetic Cipher
Further generalization of the Caesar Cipher.
Rather than just shifting the alphabet could shuffle the letters arbitrarily.
Each plaintext letter maps to a different random cipher text letter.
Key size = 26
Key space = 26! ~ 4 X 1026
Unique mapping of plaintext alphabet to cipher text alphabet.
Plain: a b c d e f g h I j k l m n o p q r s t u v w x y z
Cipher: D K V Q F I B J W P E S C X H T M Y A U O L R G Z N
Plaintext : I f w e w I s h t o r e p l a c e l e t t e r s
Ciphertext: W I R F R W A J U H Y F T S D V F S F U U F Y A
Language Redundancy and Cryptanalysis
Human languages are redundant
eg "th lrd s m shphrd shll nt wnt"
letters are not equally commonly used
In English E is by far the most common letter
followed by T,R,N,I,O,A,S
Other letters like Z,J,K,Q,X are fairly rare
Have tables of single, double & triple letter frequencies for various languages
Use in Cryptanalysis
Key concept - monoalphabetic substitution ciphers do not change relative letter
frequencies
Discovered by Arabian scientists in 9th century
Calculate letter frequencies for ciphertext
Compare counts/plots against known values
If Caesar cipher look for common peaks/troughs
peaks at: A-E-I triple, NO pair, RST triple
troughs at: JK, X-Z
For monoalphabetic must identify each letter
tables of common double/triple letters help
C. Playfair Cipher
One approach to improving security was to encrypt multiple letters
The Playfair Cipher is an example
Invented by Charles Wheatstone in 1854, but named after his friend Baron Playfair
Playfair Key Matrix
A 5X5 matrix of letters based on a keyword
Fill in letters of keyword (sans duplicates)
Fill rest of matrix with other letters
eg. using the keyword MONARCHY
M
C
E
L
O
H
F
P
N
Y
G
Q
A
B
I/J
S
R
D
K
T
U
V
W
X
Z
Encrypting and Decrypting
plaintext is encrypted two letters at a time
1. if a pair is a repeated letter, insert filler like 'X’
2. if both letters fall in the same row, replace each with letter to right
(Wrapping back to start from end)
3. if both letters fall in the same column, replace each with the letter below it
(again wrapping to top from bottom)
4. otherwise each letter is replaced by the letter in the same row and in the column
of the other letter of the pair
Security of Playfair Cipher
Security much improved over monoalphabetic
Since have 26 x 26 = 676 diagrams
Would need a 676 entry frequency table to analyse (verses 26 for a monoalphabetic)
and correspondingly more ciphertext.
It can be broken, given a few hundred letters
Since still has much of plaintext structure
Relative Frequency of Occurrence of Letters
Example:-
M
O
N
A
R
C
H
Y
B
D
E
F
G
I/J K
L
P
Q
S
T
U
V
W X
Z
Keyword = monarchy
Plaintext: H S E A A R M U
Ciphertext: B P I M R M C M
Letters fall in Same row
Letter to Right
Letters fall in Same Column Letter below it
e.Polyalphabetic Ciphers
Polyalphabetic substitution ciphers
Improve security using multiple cipher alphabets
Make cryptanalysis harder with more alphabets to guess and flatter frequency
distribution
Use a key to select which alphabet is used for each letter of the message
Use each alphabet in turn
Repeat from start after end of key is reached .
Vigenère Cipher
simplest polyalphabetic substitution cipher
effectively multiple caesar ciphers
key is multiple letters long K = k1 k2 ... kd
ith letter specifies ith alphabet to use
use each alphabet in turn
repeat from start after d letters in message
decryption simply works in reverse
Example of Vigenère Cipher
Write the plaintext out
Write the keyword repeated above it
Use each key letter as a caesar cipher key
Encrypt the corresponding plaintext letter
eg using keyword deceptive
key
:
deceptivedeceptivedeceptive
plaintext :
wearediscoveredsaveyourself
ciphertext : ZICVTWQNGRZGVTWAVZHCQYGLMGJ
Drawback
• Key and the plaintext share the same frequency distribution of letters.
• The best thing would have been to use a keyword which is as large as the plaintext,
and has no statistical relationship to it.
f. One-Time Pad
•
Perfect substitution cipher
•
Use a random key (pad) which is as long as the message, with no repetitions.
– Key distribution is a problem
– Or, random key stream generation is a problem
•
With such key, plaintext and cipher text are statistically independent Unconditionally
secure
if a truly random key as long as the message is used, the cipher will be secure
called a One-Time pad
is unbreakable since cipher text bears no statistical relationship to the plaintext
since for any plaintext & any cipher text there exists a key mapping one to other
can only use the key once though
problems in generation & safe distribution of key
TRANSPOSITION TECHNIQUES
a. Transposition Cipher
Classical transposition or permutation ciphers
These hide the message by rearranging the letter order without altering the actual letters
used
Can recognise these since have the same frequency distribution as the original text
• A simple scheme:
–
Write out the plaintext in a rectangle, row by row, and read the message
Column by column, by permuting the order of the columns.
–
Order of the column becomes the key.
• An example
P: we have enjoyed the works
Key:
C:
4
w
n
h
3 1 2 5 6 7
e h a v e e
j o y e d t
e w o r k s
how ayo eje wnh ver edk ets
Drawback
• The cipher text has the same letter frequency as the original plaintext.
• Guessing the number of columns and some probable words in the plaintext holds the
Key.
ROTOR MACHINES
•
Each rotor corresponds to a substitution cipher
•
A one-rotor machine produces a polyalphabetic cipher with period 26
•
Output of each rotor is input to next rotor
•
After each symbol, the “fast” rotor is rotated
•
After a full rotation, the adjacent rotor is rotated (like odometer)
- An n rotor machine produces a polyalphabetic cipher with period 26n
STEGANOGRAPHY
An alternative to encryption
Hides existence of message
Using only a subset of letters/words in a longer message marked in some way
Using invisible ink
Hiding in LSB in graphic image or sound file.
Other Techniques
Character Marking: Selected letters of printed or typewritten text are overwritten in
pencil.
The marks are ordinarily not visible unless the paper is held at an
angle to bright light.
Invisible Ink: A number of substances can be used for writing but leave no
visible trace until heat or some chemical is applied to the paper.
Pin Punctures: Small pin punctures on selected letters are ordinarily not visible
unless the paper is held up in front of a light.
Typewriter Correction Ribber:
Used between lines typed with a black ribbon the results of
typing with the correction tape are visible only under a strong
light.
Drawback
• We can make guesses by observing the relative frequency of letters in the text.
• Compare it with standard frequency distribution charts in English (say).
• Also look at the frequency of diagrams and trigrams, for which tables are also
available.
• Easy to break in general.
6.SIMPLIFIED DES
Simplified DES (S-DES)
An educational algorithm
A product cipher
– two identical sub-ciphers
Each sub-cipher
– Permutation
– Substitution
S-DES
1
2
Encryption
– Input: 8-bit plaintext
– Input: 10-bit key K
– Output: 8-bit ciphertext
Decryption
– Input: 8-bit ciphertext
– Input: 10-bit key K
– Output: 8-bit plaintext
The encryption algorithm involves 5 functions
Initial permutation (IP)
Complex function labeled fk
Which involves both permutation & Substitution operation and depends on a
key input
A Simple permutation function that switches (SW) the two halves of the data.
The function fk again.
A Permutation function that is the inverse of the Initial permutation (IP-1)
Overview of S-DES
Subkey generation
o K1=P8 shift P10 (K)
o K2=P8 shift shift P10 (K)
Encryption
o C= IP-1 fK2 SW fK1 IP (P)
Decryption
o P= IP-1 fK1 SW fK2 IP (C)
Sub-key generation
Key generation
– P10: a permutation of 10 bits shared betw’n Sender and Receiver
– shift: shift (rotate) the input
– P8: a permutation of 8-bit
S-DES Encryption
–
–
–
–
IP: initial permutation
fK: a complex function (substitution+permutation)
SW: a simple permutation (swapping)
IP-1: the inverse of IP
Initial and Final Permutations
1
The input to the algorithm is an 8-bit block of plaintext which we first permute using
the IP function.
IP-1 (IP(X))=X
Function fK
–
–
Permutation + substitution.
fK(L, R)=(LF(R,SK), R)
• SK: A subkey Ki (i = 1, 2)
• L: Leftmost 4 bits
• R: Rightmost 4 bits
• F: A mapping from 4-bit strings to 4-bit strings.
• : bit-wise XOR
Example:The input is a 4-bit number (n1,n2,n3,n4) the first operation is as expansion / Permutation
operation.
n4
n2
n1
n3
n2
n4
n3
n1
The 8-bit subkey k1=(k11,k12,k13.k14,k15,k16,k17,k18)
n4+ k11
n1+ k12
n2+ k13
n3+ k14
n2+ k15
n3+ k16
n4+ k17
n1+ k18
Let us rename these 8-bit
P0,0
P0,1
P0,2
P0,3
P1,0
P1,1
P1,2
P1,3
The Switch Function
The function fK only alters the leftmost 4-bits of the input.
The switch function (SW) interchanges the left & right 4- bits.
So that the second instance of fK operates on a different 4-bits.
7. DATA ENCRYPTION STANDARD (DES)
Most widely used encryption scheme based on Data Encryption Standard (DES)
adopted in 1977 by National Bureau Standard (now National Institute of Standard
Technology)
Encrypts 64-bit data using 56-bit key
IBM developed Lucifer cipher by team led by Feistel
– used 64-bit data blocks with 128-bit key
DES Encryption
There are two inputs to the encryption function
The plaintext to be encrypted and the key.
In this case the plaintext must be 64 bits in length and the key is 56 bits in length.
Left hand side & Right hand side:
The 64 bit plaintext passes through an Initial Permutation (IP) that rearranges the bits to
produce the permuted input.
This is followed by a phase consisting of 16 rounds of the same function which
involves both permutation & Substitution Functions.
The output of the last (16 th) round consists of 64 bits that are a function of the input
plaintext and the key.
The left and right halves of the output are swapped to produce the Preoutput
The Preoutput is passed through a permutation (IP-1) that is the inverse of the initial
permutation function to produce the 64-bit cipher text.
With the exception of the initial and Final Permutations DES has the exact structure of
a Feistel Cipher.
Initial Permutation IP
First step of the data computation
IP reorders the input data bits
even bits to LH half, odd bits to RH half
Two permutation functions are indeed the inverse of each other consider the following
64-bit input M
Where Mi is a binary digit
Then the permutation X = IP(M)
The Inverse permutation Y=IP-1(X)=IP-1(IP(M))
DES Round Structure
uses two 32-bit L & R halves
As for any Feistel cipher can describe as:
Li = Ri–1
Ri = Li–1 xor F(Ri–1, Ki)
takes 32-bit R half and 48-bit sub key and:
– expands R to 48-bits using perm E
– adds to sub key
– passes through 8 S-boxes to get 32-bit result
– finally permutes this using 32-bit perm P
Substitution Boxes S
Have eight S-boxes which map 6 to 4 bits
Each S-box is actually 4 little 4 bit boxes
o Outer bits 1 & 6 (row bits) select one rows
o Inner bits 2-5 (col bits) are substituted
o Result is 8 lots of 4 bits, or 32 bits
Row selection depends on both data & key
– feature known as autoclaving (auto keying)
Key Generation
A 64-bit key used as input to the algorithm
The bits of the key are numbered from 1 through 64 every eighth bi is ignored as
indicated by the lack of shading.
The resulting 56-bit key is then treated as two 28-bit quantities labled C0 and D0.
At each round Ci-1 and Di-1 are separately subjected to a circular left shift or rotation of
1 or 2 bits.
These shifted values serve as input to the next round.
They also serve as input to permuted choice two which produces a 48-bit out that serves
as input to the function F(Ri-1,ki).
DES Decryption
Decrypt must unwind steps of data computation with Feistel design, do encryption steps
again
Using sub keys in reverse order (SK16 … SK1) note that IP undoes final FP step of
encryption
1st round with SK16 undoes 16th encrypt round ….
16th round with SK1 undoes 1st encrypt round then final FP undoes initial encryption
IP thus recovering original data value
Avalanche Effect
A desirable property of encryption algorithm
Where a change of one input or key bit results in changing approx half output bits
Is the change were small this might provide a way to reduce the size of the plaintext or
key space to be searched.
DES exhibits strong avalanche
THE STRENGTH OF DES
a. Strength of DES – Key Size
56-bit keys have 256 = 7.2 x 1016 values
Brute force search looks hard recent advances have shown is possible
o in 1997 on Internet in a few months
o in 1998 on dedicated h/w (EFF) in a few days
o in 1999 above combined in 22hrs!
Still must be able to recognize plaintext now considering alternatives to DES
b. Strength of DES – Timing Attacks
Attacks actual implementation of cipher
Use knowledge of consequences of implementation to derive knowledge of some/all
sub key bits
Specifically use fact that calculations can take varying times depending on the value of
the inputs to it Particularly problematic on smartcards
c. Strength of DES – Analytic Attacks
Now have several analytic attacks on DES
These utilise some deep structure of the cipher
o by gathering information about encryptions
o can eventually recover some/all of the sub-key bits
o if necessary then exhaustively search for the rest
Generally these are statistical attacks include
o differential cryptanalysis
o linear cryptanalysis
o related key attacks
8. BLOCK CIPHER DESIGN PRINCIPLES
DES Design Criteria :-
The criteria for the S-boxes
1. No output bit of any S-box should be too close a linear function of the input bits.
Specially if we select any output bit and any subset of the six input bits, the fraction of
inputs for which this output bit equals the XOR of these input bit should not be close to
0 or 1, but rather should be near ½.
2. Each row of an S-box (determined by a fixed value of the left most and right most input
bits) should include all 16 possible output bit combinations.
3. If two inputs to an S-box differ in exactly one bit the outputs must differ in at least two
bits.
4. If two inputs to an S-box differ in their first two bits and are identical in their last two
bits, the two outputs must not be the same.
5. If two inputs to an S-box differ in their first two bits and are identical in their last two
bits, the two outputs must not be the same.
6. For any nonzero 6-bit difference between inputs no more than 8 of the 32 pairs of
inputs exhibiting that difference may result in the same output difference.
7. This is a criterion similar to the previous one but for the case of three S-boxes.
The criteria for the permutation P
1. The four output bits from each S-box at round I are distributed so that two of them
(provide input for) “middle bits” of round (i+1) and the other two affect end bits. The
two middle bits of input to an S-box are not shared with adjacent S-boxes. The end bits
are the two left-hand bits and the two right-hand bits, which are shared with adjacent Sboxes.
2. The four output bits from each S-box affect six different S-boxes on the next round and
no two affect the same S-box.
3. For two S-boxes j, if an output bit from Sj cannot affects a middle bit of Sk on the next
round then an output bit from Sk cannot affect a middle bit of Sj must not affect a
middle bit of Sj.
The cryptographic strength of a Feistel Cipher derives from 3 aspects of the design
The Number of Rounds
The Function F
The Key schedule algorithm.
a. Number of Rounds
The greater the number of rounds the more difficult it is to perform cryptanalysis, even
for a relatively weak F.
In general the criterion should be that the number of rounds is chosen so that known
cryptanalytic efforts require greater effort than a simple brute-force key search attack.
b. Design of Function F
The Heart of a Feistel block cipher is the function F.
Design criteria for F
The Function F provides the element of confusion in a Feistel Cipher.
It is more difficult to “unscramble” the substitution performed by F.
Strict Avalanche Criterion (SAC)
A more stringent version of this is the strict avalanche criterion (SAC) which states
that any output bit j of-an S-box should change with probability ½ when any single
input bit I is inverted for all i,j.
Although SAC is expressed in terms of S-boxes a similar criterion could be applied to
Fas a whole. This is important when considering designs that do not include S-boxes.
Bit Independence criterion (BIC)
BIC which states that output bits j and k should change independently when any single
input bit I is inverted for all i,j and k.
SAC & BIC strengthens the effectiveness of the confusion Function.
S-Box Design
One of the most intense areas of research in the field of symmetric block ciphers is that
of S-box design.
General principles:
An n x m S-box has n input bits and m output bits. DES has 6 x 4 S-boxes.
S-boxes are typically organized in a different manner than used in DES. An n x m Sbox typically consists of 2n rows of m bits each. The n bits of input select one of the
rows of the S-box if the m bits in that row are the output.
An S-box satisfies GA(Guaranteed avalanche ) of order if, for a 1-bit input change at
least output bits change.
The authors conclude that a GA in the range of order 2 to order 5 provides strong
diffusion characteristics for the overall encryption algorithm.
Random: Use some pseudorandom number generation or some table of
random digits to generate the entries in the S-boxes. This may
lead to boxes with undesirable characteristics for small sizes
(e.g.6 x 4) but should be acceptable for large S-boxes
(e.g., 6 x 4) but should be acceptable for large S-boxes (e.g., 8 x 32)
Random with testing: Choose S-box entries randomly then test the results
against various criteria, and throw away those that do
not pass.
Human-made: This is a more or les manual approach with only simple
mathematics to support it. It is apparently the technique used
in the DES design. This approach is difficult to carry through
for large S-boxes.
Math-made: Generate S-boxes according to mathematical principles., by using
mathematical construction,S-boxes can be constructed offer
proven security against linear and differential cryptanalysis
together with good diffusion.
c. Key Schedule Algorithm
With any Feistel block cipher the key is used to generate the one sub key for each
round.
To select sub keys to maximize the difficulty of deducing individual sub keys and the
difficulty of working back to the main key.
9. BLOCK CIPER MODES OF OPERATION
Block ciphers encrypt fixed size blocks
o eg. DES encrypts 64-bit blocks, with 56-bit key
Need way to use in practise, given usually have arbitrary amount of information to
encrypt four were defined for DES in ANSI standard ANSI X3.106-1983
Modes of Uses subsequently now have 5 for DES and AES
Have block and stream modes
a. Electronic Codebook Book (ECB)
Plaintext is handled 64 bits at a time .
Each block of plaintext is encrypted using the same key.
The term Code book is used because for a given key there is a unique ciphertext for
every 64-bit block of plaintext.
A message longer than 64 bits the procedure is simply to break the message into 64-bit
blocks padding the last block if necessary
Ci = DESK1 (Pi)
Decryption is performed one block ata time always using the same key.
In figure the plaintext consists of a sequence of 64-bit blocks p1,p2…….pn the
corresponding sequence of ciphertext is c1,c2……….cn.
uses: secure transmission of single values
Advantages and Limitations of ECB
Repetitions in message may show in ciphertext
o if aligned with message block
o particularly with data such graphics
o or with messages that change very little, which become a code-book analysis
problem
weakness due to encrypted message blocks being independent
main use is sending a few blocks of data
b. Cipher Block Chaining (CBC)
To overcome the security deficiencies of ECB .
The input to the encryption algorithm is the XOR of the current plaintext block and
preceding ciphertext block.
The same key is used for each block.
Each previous cipher blocks is chained with current plaintext blocks use Initial Vector
(IV) to start process.
For Decryption each cipher block is passed through the decryption algorithm.
The result is XOR-ed with the preceding ciphertext block to produce the plaintext
block.
Cj = Ek [ Cj Pj ]
Then
Dk[Cj] = (Cj-1 Pj )
Cj-1 Dk[Cj] = Cj-1 Cj-1 Pj= Pj.
The IV must be known to both sender & Receiver.
For maximum security the IV should be protected as well as the key Could be done
by sending the IV using ECB encryption.
C1=Ek( IV Pi)
P1=IV Dk(Ci)
uses: bulk data encryption, authentication
Advantages and Limitations of CBC
Each ciphertext block depends on all message blocks
Thus a change in the message affects all ciphertext blocks after the change as well as
the original block
Need Initial Value (IV) known to sender & receiver
At end of message, handle possible last short block
– by padding either with known non-data value (eg nulls)
– or pad last block with count of pad size
• eg. [ b1 b2 b3 0 0 0 0 5] <- 3 data bytes, then 5 bytes pad+count
c. Cipher FeedBack (CFB)
1
IT is possible to convert DES into a Stream cipher using either CFB (Or) OFB(Output
Feedback Mode)
CFB scheme
–
The unit of transmission is S bits a common value is S = 8.
–
The units of plaintext are claimed together so that the ciphertext of any plaintext
is a function of all the preceding plaintext.
–
The units of 64-bits the plaintext is divided into segments of s bits.
Encryption:
The input to the encryption function is a 64-bit shift register that is initially
set to some Initialization Vector(IV).
The left (most significant) S bits of the output of the encryption function are
XORed with the first segment of plaintext p1 to produce the3 first unit of
Ciphertext C1 which is then transmitted.
In addition the contents of the shift register are shifted by s bits and C1 is
placed in the rightmost ( Least Significant ) S bits of the shift register.
This process continues until all plaintext units have been encrypted.
Decryption:• Received ciphertext unit is XORed with the output of the encryption function
to produce the plaintext unit.
Let Ss(X) be defined as the most significant s bits of X then
C1 = P1 Ss(Ek(IV))
Therefore
P1=C1 Ss(Ek(IV))
uses: stream data encryption, authentication
Advantages and Limitations of CFB
Appropriate when data arrives in bits/bytes
Most common stream mode
Limitation is need to stall while do block encryption after every n-bits
Note that the block cipher is used in encryption mode at both ends
Errors propagate for several blocks after the error
UNIT-2
1. KEY MANAGEMENT
Public-key encryption helps address key distribution problems
Have two aspects of this:
Distribution of public keys
Use of public-key encryption to distribute secret keys
Distribution of Public Keys
Distribution of Public keys can be considered as using one of:
public announcement
publicly available directory
public-key authority
public-key certificates
a. Public Announcement
Users distribute public keys to recipients or broadcast to community at large
eg. append PGP keys to email messages or post to news groups or email list
Major weakness is forgery
Anyone can create a key claiming to be someone else and broadcast it
until forgery is discovered can masquerade as claimed user
b..Publicly Available Directory
Can obtain greater security by registering keys with a public directory
Directory must be trusted with properties:
contains {name,public-key} entries
participants register securely with directory
participants can replace key at any time
directory is periodically published
directory can be accessed electronically
Still vulnerable to tampering or forgery
c.
Public-Key Authority
Improve security by tightening control over distribution of keys from directory
It has properties of directory and requires users to know public key for the directory
Then users interact with directory to obtain any desired public key securely
does require real-time access to directory when keys are needed
Steps
o A sends request-for-key(B) to authority with time-stamp Request || Time
o Authority replies with key(B) (encrypted by its private key), that is
EKRauth(Time || IDA || KUb)
o A initiates a message to B, including a random number N1, its IDA
o B then ask authority to get key(A)
o Authority replies with key(A) EKRauth[time|| IDB || KUA)
o B sends A (encrypted by A’s public key) N1 and N2
o A then replies B N2 encrypted by B’s public key
d. Public-Key Certificates
Certificates allow key exchange without real-time access to public-key authority
A certificate binds identity to public key
usually with other info such as period of validity, rights of use etc
With all contents signed by a trusted Public-Key or Certificate Authority (CA)
Can be verified by anyone who knows the public-key authorities public-key
Public-Key Distribution of Secret Keys
Use for secrecy or authentication
Public-key algorithms are slow
usually want to use private-key encryption to protect message contents hence need a
session key
Have several alternatives for negotiating a suitable session
Simple Secret Key Distribution
proposed by Merkle in 1979
A generates a new temporary public key pair[ KUa,KRa] and transmits a
message to B consisting of KUa and an identified of A, IDA
B generates a secret key Ks and transmits it to A encrypted with A’s Public
Key.
A computes DKRa [EKUA[Ks]] to recover the secret key because only A can
decrypt the message only A and B will know the Identity of Ks.
A discards KUa and ,KRa and B discards KUa
Public-Key Distribution of Secret Keys
If have securely exchanged public-keys
Hybrid Key Distribution
Retain use of private-key KDC
Shares secret master key with each user
Distributes session key using master key
Public-key used to distribute master keys
especially useful with widely distributed users
Rationale
performance
backward compatibility
2. PUBLIC-KEY CRYPTOGRAPHY
Uses two keys – a public & a private key
Asymmetric since parties are not equal
Uses clever application of number theoretic concepts to function
Complements rather than replaces private key crypto
Principles Of Public-Key Cryptosystems
Developed to address two key issues:
Key distribution – how to have secure communications in general without
having to trust a KDC with your key
Digital signatures – how to verify a message comes intact from the claimed
sender
Public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976
PUBLIC-KEY CRYPTOSYSTEMS
Public – key algorithm rely on one key for encryption and a different but related key for
decryption.
Public-key / Two-Key / Asymmetric Key.
RSA exhibits the following characteristics :- Two related keys can be used for the
encryption with the other used for
Decryption
Public-key encryption has 6 Ingredients
Plaintext
:- Readable message (or) data that is fed into the algorithm as
input.
Encryption algorithm :- The encryption algorithm performs various transformations
on the plaintext.
Public & Private Keys :-
Pair of keys that have been selected so that if one key encryption
Other key Decryption
The exact transformations performed by the encryption algorithm depend on
the Public or Private key that is provided as Input.
Ciphertext :
Scrambled message produced as output.
It depends on plaintext and the key .
For a given message 2 different keys will produce 2 different ciphertexts.
Decryption algorithms :Algorithm accepts the ciphertext and the matching key and produces the
original plaintext.
Essential Steps
Each user generates a pair of keys to be used for the Encryption and Decryption of
messages.
Each user places one of the 2 keys in a public register or other accessible file. This is
the public key the companion key is kept Private.
Public – Key Cryptosystem Encryption: If BOB wishes to send a confidential message to ALICE , BOB encrypts the
message using ALICE’s public key.
When ALICE receives the message she decrypts it using her private key.
No other recipient can decrypt the message because only ALICE knows
ALICE’s Private key.
CONVENTIONAL AND PUBLIC – KEY ENCRYPTION
CONVENTIONAL ENCRYPTION
PUBLIC-KEY ENCRYPTION
•
Same algorithm and key used
for encryption and decryption
•
Same algorithm but different keys
used for encryption and decryption
•
Parties share algorithm and key
•
Parties share algorithm but each has
one key from a matched pair
•
Key must be kept secret
•
One key must be kept secret
•
Cipher must be strong
•
Cipher must be strong
•
Plaintext/ciphertext pairs must
not weaken the security of the key
•
Plaintext/ciphertext pairs plus one of
the keys must not weaken the other
key
Public – Key Cryptosystem :- Secrecy
2 keys used for public key encryption are referred to as the public key and the private
key.
The Private key is kept secret.
Y = EKUb(X)
X = DKRb(Y)
Public – Key Cryptosystem :- Authentifation
Y = EKRa(X)
X = DKUa(Y)
PKC: Secrecy and Authentication
Z = EKUb[EKRa(X)]
X = DKUa[DKRb(Z)]
Public-Key Characteristics
Public-Key algorithms rely on two keys where:
It is computationally infeasible to find decryption key knowing only algorithm
& encryption key
It is computationally easy to en/decrypt messages when the relevant
(en/decrypt) key is known
Either of the two related keys can be used for encryption, with the other used for
decryption (for some algorithms)
Public-Key Applications
Can classify uses into 3 categories:
encryption/decryption (provide secrecy)
digital signatures (provide authentication)
key exchange (of session keys)
Some algorithms are suitable for all uses, others are specific to one
Security of Public Key Schemes
Like private key schemes brute force exhaustive search attack is always theoretically
possible
But keys used are too large (>512bits)
Security relies on a large enough difference in difficulty between easy (en/decrypt)
and hard (cryptanalyse) problems
More generally the hard problem is known, but is made hard enough to be impractical
to break
Requires the use of very large numbers
Hence is slow compared to private key schemes
3. DIFFIE-HELLMAN KEY EXCHANGE
First public-key type scheme proposed
By Diffie & Hellman in 1976 along with the exposition of public key concepts
Is a practical method for public exchange of a secret key
Used in a number of commercial products
A public-key distribution scheme
cannot be used to exchange an arbitrary message
rather it can establish a common key
known only to the two participants
Value of key depends on the participants (and their private and public key information)
Based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) –
easy
Security relies on the difficulty of computing discrete logarithms (similar to factoring)
– hard
All users agree on global parameters:
large prime integer or polynomial q
a being a primitive root mod q
Each user (eg. A) generates their key
Chooses a secret key (number): XA < q
Compute their public key
Similarly user B independently selects a random integer Each user makes public that
key XB < q and computes
Shared session key for users A & B is KAB:
KAB = αxA.xB mod q
YA = α X mod q (which B can compute)
YB = α X mod q. (which A can compute)
Example:- 1
Key exchange is based on the use of the Prime number q=353 and primitive root of
353 in this case α = 3.
A and B select secret keys XA = 97 and XB = 233 respectively
Each computes its public keys
A computes YA = 397 mod 353 = 40
B computes YB=3233 mod 353 = 248
After they exchange public keys each can compute the common secret key
A Computes K= (YB)XA mod 353 =248 97 mod 353 = 160
B Computes K= (YA)XB mod 353 = 40 253 mod 353 = 160
We assume an attacker would have available the following information.
q=353 α = 3 , YA=40 , YB=248
Example 2
q = 97, primitive root of q, in this case, = 5
A and B selects secret keys XA = 36 and XB = 58
Each computes public key YA = 536 = 50 mod 97,
YB = 558 = 44 mod 97
After exchanging public keys, each compute the common secret key
K = (YB)XA mod 97 = 4436 = 75 mod 97
K = (YA)XB mod 97 = 5058 = 75 mod 97
4. RSA ALGORITHM
•
Devised by Rivest, Shamir & Adleman of MIT in 1977
•
RSA widely used public-key scheme
•
RSA based on exponentiation of integers in a finite (Galois) field
– Defined over integers modulo a prime
– Exponentiation takes O((log n)3) operations (easy)
•
Uses large integers (eg. 1024 bits)
•
Security due to cost of factoring large numbers
– factorization takes O(e log n log log n) operations (hard)
Description of the Algorithm
Block size of RSA
•
Each block is represented as an integer number
•
Each block has a value M less than N
•
The block size is ≤ log2(n) bits
•
If the block size is k bits then
2k <n ≤ 2K+1
Encryption and Decryption are of the following form for some plaintext block M and
Ciphertext block C.
C=Me mod n
M=Cd mod n= (Me)d mod n = Med mod n
Both sender and receiver must know the value of n.
The sender knows the value of e, and only the receiver knows the value of d. thus is a
public-key encryption algorithm with a public key of KU={e,n} and a private key of
KR={d,n}.
For this algorithm to be satisfactory for public-key encryption the following
requirements must be me:
It is possible to find values of e,d,n such that Med = M mod n for all M<n.
It is relatively easy to calculate Me and Cd for all values of M < n.
It is infeasible to determine d given e and n.
To find a relationship of the form
Med = M mod n
A corollary to Euler’s theorem
Given two prime numbers p and q ad two integers n and m such that n=pq and 0<m<n
And arbitrary integers k.
The following relationship holds
M kФ(n)+1= M k(p-1)(q-1)+1 ≡ M mod n
Where Ф(n) is the Euler totient function, which is the number of positive integers less
than n and relatively prime to n.
For p,q prime Ф(pq) = (p-1)(q-1)
Thus we achieve the desired relationship
ed= kФ(n)+1
This is equivalent
ed≡ 1 mod Ф(n)
d ≡ e-1 mod Ф(n)
(i.e) e and d are multiplicative inverse mod Ф(n).
According to the rules of Modular arithmetic this is true only if d ( and therefore e) is relatively
prime to Ф(n). Equivalently gcd (Ф(n),d ) =1
RSA Scheme
The ingredients are the following
p,q two prime numbers
( private,chosen)
n = pd
( public,calculated )
e,with gcd (Ф(n),e ) = 1 ; 1 < e < Ф(n),
( public,chosen )
d ≡ e-1 mod Ф(n)
( private , calculated )
The private key consists of { d,n} and the public key consists of (e,n}.
Suppose that user A has published its public key and that user B wishes to send the
message M to A .
Then B calculates C = M e (mod n ) and transmits C.
On receipt of this cipher text user A decrypts by calculating M = C d ( mod n )
We have chosen e and d such that
d ≡ e-1 mod Ф(n)
Therefore
ed≡ 1 mod Ф(n)
Therefore ed is of the form K Ф(n) + 1.
The corollary to Euler’s theorem for given 2 prime numbers p and q and integers n=pq and M
with 0< M < n
M kФ(n)+1= M k(p-1)(q-1)+1 ≡ M mod n
So Med ≡ M mod n Now
C= Me mod n
M=Cd mod n ≡ (Me)d mod n ≡ Med mod n ≡ M mod n.
RSA Key Setup
Each user generates a public/private key pair by:
Selecting two large primes at random - p, q (secret)
Computing their system modulus n=p.q (public)
o Calculate ø(n)=(p-1)(q-1) (secret)
Selecting at random the encryption key e (public)
o where 1<e<ø(N), gcd(e,ø(N))=1
solve following equation to find decryption key d (secret)
– de =1 mod ø(N) and 0≤d≤N
– Use the extended Euclid’s algorithm to find the multiplicative inverse of e (mod
ø(N))
•
publish their public encryption key: KU={e,N}
•
keep secret private decryption key: KR={d,p,q}
Encryption and Decryption
–
–
–
Both require modular exponentiation
Can use the following efficient algorithm to compute ab mod n
Repeated squaring
[(a mod n) x (b mod n)] mod n = (a x b) mod n
RSA Key Generation
•
Users of RSA must
– determine two primes at random - p, q
– select either e or d and compute the other
•
•
Primes p,q must not be easily derived from modulus N=p.q
– means must be sufficiently large
– typically guess and use probabilistic test
Exponents e, d are inverses, so use Inverse algorithm to compute the other
RSA Security
•
•
•
Brute force (Key space search)
– Try all possible private keys
– Use large keys
Attacks on mathematical foundation
– Several approaches, all equivalent to factoring
Timing attacks
– Based on the running time of the decryption algorithm
The Factoring Problem
•
•
•
Factor n into p and q
– Allows calculation of (n), which allows determination of d = e-1 (mod (n))
Determine (n) directly from n
– Equivalent to factoring
Determine d = e-1 (mod (n)) directly
– Seems to be as hard as factoring
Timing Attacks
•
•
•
Developed in mid-1990’s
Exploit timing variations in operations
– infer bits of d based on time taken
Countermeasures
– use constant exponentiation time
– add random delays
–
blind values used in calculations
• C’ = (Mr)e, M’ = (C’)d, M=M’r-1
UNIT – 3 AUTHENTICATION AND HASH FUNCTION
1. AUTHENTICATION REQUIREMENTS
•
Kind of attacks (threats) in the context of communications across a network
1. Disclosure
2. Traffic analysis
3. Masquerade
4. Content modification
5. Sequence modification
6. Timing modification
7. Repudiation
1. Disclosure: Release of message contents to any person or process not possessing
the appropriate cryptographic key.
2. Traffic analysis
Discovery of the pattern of traffic between parties.
In a connection-oriented application, the frequency and duration of connections
could be determined.
In either a connection-oriented or connectionless environment, the number and
length of messages between parties could be determined.
3. Masquerade
Insertion of messages into the network from a fraudulent source.
Includes the creation of messages by an opponent that are purported to come
from an authorized entity.
Also included are fraudulent acknowledgments of messages receipt or non
receipt by someone other than the message recipient.
4. Content modification
Changes to the contents of a message, including insertion, deletion,
transportation and modification.
5. Sequence modification
Any modification to a sequence of message between parties, including insertion,
deletion and reordering.
6. Timing modification
Delay or replay of messages.
In a connection-oriented application, an entire session or sequence of messages
could be a replay of some previous valid session, or individual messages in the
sequence could be delayed or replayed.
In a connectionless application, an individual message (e.g., datagram) could be
delayed or replayed.
7. Source repudiation: Denial of transmission of message by source.
8. Destination repudiation: Denial of receipt of message by destination.
•
Measures to deal with first two attacks:
In the realm of message confidentiality, and are addressed with encryption
•
Measures to deal with items 3 through 6
Message authentication
•
Measures to deal with items 7
Digital signature
•
Message authentication
A procedure to verify that messages come from the alleged source and
have not been altered
Message authentication may also verify sequencing and timeliness
•
Digital signature
An authentication technique that also includes measures to counter repudiation
by either source or destination
2. AUTHENTICATION FUNCTIONS
•
•
Message authentication or digital signature mechanism can be viewed as having two
levels
–
At lower level: there must be some sort of functions producing an authenticator
– a value to be used to authenticate a message
–
This lower level functions is used as primitive in a higher level authentication
protocol
Three classes of functions that may be used to produce an authenticator
–
Message encryption
» Ciphertext itself serves as authenticator.
–
Message authentication code (MAC)
» A public function of the message and a secret key that produces a fixedlength value that serves as the authenticator.
–
Hash function
» A public function that maps a message of any length into a fixed-length
hash value, which serves as the authenticator.
a. Message Encryption
•
Conventional encryption can serve as authenticator
–
Conventional encryption provides authentication as well as confidentiality
–
Requires recognizable plaintext or other structure to distinguish between wellformed legitimate plaintext and meaningless random bits
» e.g., ASCII text, an appended checksum, or use of layered protocols
Symmetric Encryption / Conventional Encryption
A message M transmitted from source A to destination B is encrypted using
a secret key K shared by A and B.
If no other party knows the key then confidentiality is provided:- No other
party can recover the plaintext of the message.
Given a decryption function D and a secret key K, the destination will
accept any input Y and produce output X =Dk(Y)
If Y is the ciphertext then X is some plaintext message M
Public-key
Encryption
i). public-key encryption : Confidentiality
The source (A) uses the public key KUb of the destination (B) to encrypt M. Because
only B has the corresponding private key KRb, only B can decrypt the message.
This scheme provides no authentication because any opponent could also use B’s
public key to encrypt a message, claiming to be A.
ii). Public – key encryption : Authentication and Signature
A uses it private key to encrypt the message, and B uses A’s public key to decrypt.
This provides authentication using the same type of reasoning as in the symmetric
encryption case : The message must have come from A because A is the only party that
possesses KRa and therefore the only party with the information
necessary to construct ciphertext that can be decrypted with KUa.
It also provides what is known as digital signature. Only A could
have constructed the ciphertext because only A possesses KRa. Not
even B, the recipient, could have constructed the ciphertext.
iii). Public – key encryption : Confidentiality , Authentication and Signature
To provide both confidentiality and authentication, A can encrypt M first using its
private key, which provides the digital signature, and then using B’s public key, which
provides confidentiality.
Internal and External Error control
A prepares a plaintext message M and then provides this input to a function F
that produces an FCS (Frame Check Sequence) or Checksum.
The FCS is appended to M and the entire block is then encrypted.
At the Destination B decrypts the incoming block and treats the results as a
message with an appended FCS.
B applies the same function F to attempt to produce the FCS.
If the calculated FCS is equal to the incoming FCS then the message is
considered authentic.
With internal error control, authentication is provided because an opponent
would have difficulty generating ciphertext, when decrypted would have valid
error control bits.
If instead the FCS is the outer code an opponent can construct messages with
valid error-control codes.
Although the opponent cannot know what the decrypted plaintext will be , he or
she can still hope to create confusion and disrupt operations.
TCP Segment
An error contol code added to the transmitted message serves to strengthen the
authentication capability.
Such structure is provided by the use of a communications architecture
consisting of layered protocols.
The structured message is transmitted using TCP/IP protocol architecture.
The TCP Header :- Each pair of hosts shared a unique secret key so that all
exchanges between a pair of hosts used the same key.
Then one could simply encrypt all of the datagram except the IP Header.
If an opponent substituted some arbitrary bit pattern for the encrypted TCP
segment the resulting plaintext would not a meaningful Header.
In this case the Header includes not only a check-sum but other useful
information (such as the sequence number).
Confidentiality and Authentication Implications of Message Encryption
b. Message Authentication Code
•
Uses a shared secret key to generate a fixed-size block of data (known as a
cryptographic checksum or MAC) that is appended to the message.
•
MAC = Ck(M)
M
= input message
C
= MAC function
K
= shared secret key
MAC = message authentication code
Assurances:– Message has not been altered
– Message is from alleged sender
– Message sequence is unaltered (requires internal sequencing)
•
•
Similar to encryption but MAC algorithm needs not be reversible
Confidentiality and Authentication Implications of Message Encryption.
A B: EK[M]
Provides confidentiality
- Only A and B share K
Provides a degree of authentication
- Could come only from A
- Has not been altered in transit
- Requires some formatting/redundancy
Does not provide signature
- Receiver could forge message
- Sender could deny message
(a) Symmetric encryption
A B: EKUb[M]
Provides confidentiality
- Only B has KRb to decrypt
Provides no authentication
- Any party could use KUb to encrypt message and claim to be A
(b) Public-Key (asymmetric) Encryption
AB:EKRa[M]
Provides authentication and signature
- Only A has KRa to encrypt
- Has not been altered in transit
- Requires some formatting/redundancy
- Any party can use KUa to verify signature
(c) Public-key encryption: authentication and signature
AB:EKUb [EKRa(M)]
Provides confidentiality because of KUb
Provides authentication and signature because of KRa
(d) Public-key encryption: confidentiality, authentication, and signature
Basic Uses of MAC
Why Use MACs?
•
•
•
Cleartext stays clear
MAC might be cheaper
Broadcast
•
•
•
Authentication of executable codes
Architectural flexibility
Separation of authentication check from message use
c.
Hash Function
•
Converts a variable size message M into fixed size hash code H(M) (Sometimes called
a message digest)
•
Can be used with encryption for authentication
– E(M || H)
– M || E(H)
– M || signed H
– E( M || signed H ) gives confidentiality
– M || H( M || K )
– E( M || H( M || K ) )
A (Message +Concatenated Hash code ) is encrypted using
symmetric encryption.
Only the Hash code is encrypted using symmetric encryption. This
reduces the processing burden for those applications that do nor
require confidentiality.
Only the Hash code is encrypted using Public-key encryption and
using the sender’s private key.
If confidentiality as well as a digital signature is desired then the
(message + the public-key-encrypted Hash code) can be encrypted
using a symmetric secret key.
This technique uses a Hash function but no encryption for message
authentication.The technique assumes that the two communicating
parties share a common secret value S.
Confidentiality can be added to the approach by encrypting the
entire (Message + the Hash Table.)
Basic Uses of Hash Function
3. MESSAGE AUTHENTICATION CODES ( MAC )
A MAC also known as a Cryptographic checksum is generated by a function C of the form.
• MAC= CK(M)
Where
M Variable – length message
K Secret key shared only by sender and receiver
CK(M) Fixed-length authenticator.
• Key length requirements
– Sufficient key length to thwart brute force attack
Requirements for MACs
a. Brute-force Attacks on MACs
• Let k = key length, n = MAC length
• Suppose confidentiality is not employed . (i.e., the opponent has access to plaintext
messages and their associated MCs).
• If k > n
– Brute force gives 2(k-n) candidate keys
» Given known M1 and MAC1, with MAC1=CK1(M1), the
cryptanalyst can perform MACi = CKi(M1) for all possible key
values Ki.
»
Atleast one key is guaranteed to produce a match.
»
On average, a total of 2k/2n = 2(k-n) keys will produce a match
–
Second round (new M and MAC) reduces this to 2(k-2n) candidate keys
–
On average, this requires k/n rounds
• If k n, one round should suffice.
b. Attacks on MACs
• Other attacks are possible, depending on the MAC algorithm
• E.g., consider the following MAC algorithm
– Let M = (X1 || X2 || … || Xm) be a message that is treated as a concatenation
of 64-bit blocks Xi
–
Define (M) = X1 X2 ... Xm; Ck(M) = DESK[(M)]
• The opponent can attack the system as follows
–
Replace Xi by Yi for i = 1 to m-1
–
Calculate Ym to produce the right checksum, and replace Xm by Ym
» Ym = Y1 Y2 ... Ym-1 (M)
– The new message, Y1 thru Ym, with the original MAC will be accepted
as authentic by the receiver.
– With this tactic, any message of length 64 (m-1) bits can be
fraudulently inserted
MACs Function Properties
•
Assume that an opponent knows the MAC function C but does not know K. Then the
MAC function should have the following properties
1. Given M and Ck(M), it must be computationally infeasible to construct M’ Such
that Ck(M’) = Ck(M)
2. CK(M) should be uniformly distributed in the sense that for any M and M’,
Pr[Ck(M) = Ck(M’)] should be 2-n, where n is the length of the MAC.
3. Let M’ be equal to some known transformation on M. That is, M’ = f(M). In that
case, Pr[Ck(M) = Ck(M’)] = 2-n,
MAC Based on DES
•
Last block of DES CBC, with IV = 0
•
The Data to be authenticated are grouped into contiguous 64-bit blocks D1,D2….DN.
•
The final block is padded on the right with zeroes to form a full 64-bit Block.
•
Using the DES encryption algorithm E and a secret key K a data authentication code
(DAC) is calculated as follows
O1=Ek(D1)
O2=Ek(D2 O1)
O3=Ek(D3 O2 )
:
:
ON = Ek(DN ON-1 )
4 . HASH FUNCTIONS
A Hash value h is generated by a function H of the form
h = H(M)
where
M is a variable-length message
h is a fixed-length hash value
H is a hash function
•
The hash value is appended at the source
•
The receiver authenticates the message by recomputing the hash value
•
Because the hash function itself is not considered to be secret, some means is required
to protect the hash value
Hash Function Requirements
1. H can be applied to any size data block
2. H produces fixed-length output
3. H(x) is relatively easy to compute for any given x
4. H is one-way, i.e., given h, it is computationally infeasible to find any x s.t. h = H(x)
5. H is weakly collision resistant: given x, it is computationally infeasible to find any y
x s.t. H(x) = H(y)
6. H is strongly collision resistant: it is computationally infeasible to find any x and y s.t.
H(x) = H(y)
•
•
•
4th property One-way property is essential for authentication
5th Property Weak collision resistance is necessary to prevent forgery
6th Property Strong collision resistance is important for resistance to
birthday Attack.
Simple Hash Functions
•
Operation of hash functions
–
–
•
The input is viewed as a sequence of n-bit blocks
The input is processed one block at a time in an iterative fashion to produce an
n-bit hash function
Simplest hash function: Bitwise XOR of every block
– Ci = bi1 bi2 … bim
» Ci = i-th bit of the hash code, 1 i n
» m = number of n-bit blocks in the input
» bij = i-th bit in j-th block
» = XOR operation
Longitudinal Redundancy Check
Each n-bit hash value is equally
The probability that a data error will result in an unchanged hash value is 2-n
To perform a one-bit circular shift or rotation on the hash value after each block is processed.
The procedure
Initially set the n-bit hash value to zero.
Process each successive n-bit block of data as follows.
Rotate the current hash value to the left by one-bit.
XOR the block into the Hash value.
Bit1
Bit2
….
Bit n
Block1
b11
b22
bn1
Block1
b12
.
.
.
b22
.
.
.
bn2
.
.
.
b1m
b2m
bnm
C1
C2
Cn
Block m
Hash code
.
.
.
Two simple Hash Functions
The two types of Hash Functions for 16-bit hash values.
A message it is an easy matter to produce a new message and then appened an n-bit
block that forces the new message + block to yield the desired Hash code.
A simple XOR or rotated XOR(RXOR) is insufficient if only the Hash code is
encrypted .
A simple function is useful when the message as well as the Hash code are
encrypted.
The simple XOR applied to 64-bit blocks of the message and then an encryption of
the entire message that used the cipher block chaining (CBC) mode.
We define the scheme :- Given a message consisting of a sequence of 64 – bit
blocks X1,X2,X3…..XN.
Define the hash code C as the block-by-block XOR of all blocks and append the
hash code as the final block.
C = XN+1 = X1 X2 ………… XN.
Next , encrypt the entire message plus hash code using CBC mode to produce
the encrypted message Y1,Y2……..YN+1 points out several ways in which the
ciphertext of this message can be manipulated in such a way that it is not
detectable by the Hash Code.
X1=IV Dk(Y1)
Xi=Yi-1 Dk(Yi)
XN+1 = YN Dk(YN+1)
But XN+1 is the Hash code
XN+1 = X1 X2 ….. XN
= (IV Dk(Y1)) ( Y1 Dk(Y2)) ….. (IVN-1 Dk(YN))
Birthday Attack
The Opponent can generate 2m/2 variants of a valid message and an equal number
of fraudulent messages
The two sets are compared to find one message from each set with a common hash
value
The valid message is offered for signature. The fraudulent message with the same
hash value is inserted in its place
If a 64-bit hash code is used, the level of effort is only on the order of 232.
Conclusion: The length of the hash code must be substantial.
Block Chaining Technique Hash Function
•
A number of proposals for hash functions based on using a cipher block chaining
technique but without the secret key.
•
Rabin’s proposal:
–
Divide a message M into fixed-size blocks M1, M2, …, MN and use a Symmetric
encryption system such as DES to compute the hash code G as follows.
»
»
»
H0 = initial value
Hi = EMi[Hi-1]
G = HN
–
Similar to CBC technique, but no secret key.
–
As with any hash code, subject to the birthday attack
»
–
If DES is used, and only a 64-bit hash code is produced, then the system
is vulnerable
Another version of birthday attack is possible
Birthday Attack to Block Chaining Techniques
•
Assume the opponent intercepts a message with a signature in the form
of an encrypted hash code and the unencrypted hash code is m bits long
1. se the algorithm (Rabin’s) to calculate the unencrypted hash code G
2. Construct any desired message in the form Q1, Q2, …, QN-2
3. Compute Hi = EQi[Hi-1] for 1 i (N-2)
4. Generate 2m/2 random blocks; for each block X, compute EX[HN-2]. Generate
an additional 2m/2 random blocks; for each block Y, compute DY[G] , where D
is the Decryption function corresponding to E.
5. Based on birthday paradox, with high probability there will be an X and Y Such
that EX[HN-2] = DY[G]
6. Form the message Q1, Q2, …, QN-2, X, Y. This message has the hash code G and
therefore can be used with the intercepted encrypted signature
Meet – in the middle “ Attack
A number of researchers have proposed refinements intended to strengthen the basic
block chaining approach.
Hi=EMi[Hi-1 ] Hi-1
Another variation proposed in {MEYE88]
Hi=EHi-1 [ Mi] Mi
5. SECURITY OF HASH FUNCTIONS AND MACS
A Group attacks on Hash functions and MACs in to two categories.
Brute-force attacks
Cryptanalysis.
Brute-Force Attack of Hash Functions
The nature of Brute-force attacks differs somewhat for Hash functions and MACs.
Hash Functions
•
Three desirable properties of hash functions
–
One-way: For any given code h, it is computationally infeasible to find x Such
that H(x) = h
–
Weak collision resistance: For any given block x, it is computationally
infeasible to find y x Such that H(y) = H(x)
–
Strong collision resistance: It is computationally infeasible to find any pair (x,
y) Such that H(y) = H(x)
Brute-force attack on n-bit hash code
–
One way
2n
Weak collision resistance
2n
Strong collision resistance
2n/2
Currently, two most popular hash codes, SHA-1 and RIPEMD-160, provide a
160-bit hash code length
Message Authentication Codes
Brute-Force Attack of MACs
•
Desired security property of a MAC algorithm
– Computation resistance: Given one or more text-MAC pairs
(xi, CK(xi)), it is computationally infeasible to compute any textMAC pair (x, CK(x)) for any new input x xi
•
Brute-force attack on key space or MAC space
•
Brute-force key space search for k-bit key
– Overall effort is roughly 2k
•
Brute-force MAC space search for n-bit MAC value
– Overall effort is roughly 2n
•
The level of effort for brute-force attack on a MAC algorithm is min(2k, 2n)
•
It is required min(k, n) N, where N 128
Cryptanalysis
Cryptanalytic attacks in Hash functions and MAC algorithms seek to exploit some
property of the algorithm to perform some attack other than an exhaustive search.
14. DIGITAL SIGNATURE STANDARD (DSS)
US Govt approved signature scheme designed by NIST & NSA in early 90's
Published as FIPS-186 in 1991
Revised in 1993, 1996 & then 2000
Uses the SHA hash algorithm
DSS is the standard, DSA is the algorithm
•
The DSS makes use of the secure hash algorithm (SHA) .
•
The DSS uses an algorithm that is designed to provide only the digital signature
function.
a. RSA approach
b .DSS approach
a. RSA
Approach
•
The message to be signed is input to a hash function that produce a secure hash code of
fixed length. This hash code is then encrypted using the sender’s private key to form
the signature
•
Both the message and the signature are then transmitted.
•
The recipient takes the message and produces a hash code.
•
If the calculated hash code matches the decrypted signature, the signature is accepted as
valid.
b. DSS Approach
•
The DSS approach make use of a hash function. The hash code is provided as input to a
signature function along with a random number k generated for this particular
signature.
•
The signature function also depends on the sender’s private key (PRa) and a set of
parameters known to a group of communicating principals. We can consider this set to
constitute a global public key (PUG).
•
have shared global public key values (p,q,g):
•
The result is a signature consisting of two components, labeled s and r.
•
At the receiving end, the hash code of the incoming message is generated. This plus the
signature is input to a verification function.
•
The verification function also depends on the global public key as well the sender’s
public key (PUa), which is paired with sender’s private key.
•
The output of the verification function is a value that is equal to the signature
component r if the signature is valid
15. AUTHENTICATION PROTOCOLS
Two general areas are
Mutual authentication and
One-way authentication.
a. Mutual Authentication
An important application area is that of mutual authentication protocols.
Such protocols enable communicating parties to satisfy themselves mutually about ach
other’s identity and to exchange session keys.
Central to the problem of authenticated key exchange are two issues:
Confidentiality &
Timeliness.
To prevent masquerade and to prevent compromise of session keys, essential
identification and session key information must be communicated in encrypted form.
At minimum a successful replay can disrupt operations by presenting parties with
messages that appear genuine but are not.
The following examples of replay attacks:
* Simple replay : The opponent simply copies a message and replays it later.
* Repetition that can be logged: An opponent can replay a time stamped
message within the valid time window.
* Repetition that cannot be detected: This situation could arise because the
original message could have been
suppressed and thus did not arrive at its
destination; onlythe replay message arrives.
* Backward replay without : This is a replay back to the message sender.
modification
This attack is possible if symmetric encryption is used
and the sender cannot easily recognize the difference
between messages sent and messages received on the
basis of content.
UNIT 4 - NETWORK SECURITY
1. KERBEROS
•
Environment
– Open distributed Environment
– Server needs
» To restrict access to authorized user
» To authenticate requests for services
•
Following threats
–
–
–
Motivation
•
A user may gain access and pretend to be another user
Alter network address of workstation and use as impersonated workstation
Eavesdrop on exchanges and use a replay attack
Kerberos protocol assumes distributed client/server architecture.
•
In each architecture, one or more Kerberos servers employed
•
Requirements for Kerberos
– Secure
» Eavesdropper cannot have information to impersonate a user
» Strong enough not to find potential weak link.
–
–
–
Reliable
» All services rely on Kerberos for access control
» Lack of Availability of Kerberos service means lack of availability of
the supported service
» For reliable, employ distributed server architecture for one’s backing up
another
Transparent
Scalable
Implemented using an authentication protocol based on Needham-Schroeder.
Provides a centralized authentication server to authenticate users to servers and servers
to users.
Relies on conventional encryption, making no use of public-key encryption.
Two versions: version 4 and 5
Version 4 makes use of DES
1.1 KERBEROS V4 OVERVIEW
Version 4 of the Kerberos uses DES, in a rather elaborate protocol, to provide the
authentication service.
Each successive dialogue adds additional complexity to counter security vulnerabilities
revealed in the preceding dialogue.
A basic third-party authentication scheme
Have an Authentication Server (AS)
o Users initially negotiate with AS to identify self
o AS provides a non-corruptible authentication credential (ticket granting ticket
TGT)
Have a Ticket Granting server (TGS)
o users subsequently request access to other services from TGS on basis of users
TGT
A Simple Authentication Dialogue
•
Assume authenticate server knows
– ids and passwords of all users
– Service permission of all users
•
Problems
– Password is revealed on the network
– Entering password needed at each service
1. obtain ticket granting ticket from AS
• once per session
2. obtain service granting ticket from TGT
• for each distinct service required
3. client/server exchange to obtain service
• on every service request
(1) C AS:
IDc || Pc || IDv
(2) AS C:
Ticket
(3) C V:
IDc || Ticket
Ticket = EKv[IDc || Pc || IDv]
Where
C = Client
AS = authentication server
V = server
IDc = identifier of user on C
IDv = identifier of V
Pc = password of user on C
ADc = network address of C
Kv = secret encryption key shared by AS an V
TS = timestamp
|| = concatenation
A more secure Authentication Dialogue
Once pe r user log on Sessions
(1) C AS :
ID C || ID tgs
( 2) AS C :
E K C [Ticket
tgs
Once per type of services
(3) C TGS :
ID C || ID V || Ticket
( 4)TGS C :
Ticket
Once per Service Session
V
tgs
]
(5)C V :
( Ticket
Ticket
tgs
V
IDC || Ticket V
E K tg s [ ID C || AD C || ID tgs || TS1 || lifetime
E K V [ ID C || AD C || ID V || TS 2 || lifetime
2
1
]
])
( where C client,
AS authentica tion server,
V server,
PC Password of user on C
ID C identifier of user on C ,
ID V identifier of V,
ID tgs identifier of ticket
granting server
AD C network address of C
K V secret encryption key
shared by AS and V
TS i Time Stamps)
Problems
–
–
Tickets are revealed in network
» If spoofing is possible then replay attack
User must authenticate servers to service
Version 4 Authentication Dialogue
Problems
Lifetime associated with the ticket-granting ticket
If too short repeatedly asked for password
If too long greater opportunity to replay
The threat is that an opponent will steal the ticket and use it before it expires
* Authentication Service Exhange: To obtain Ticket-Granting Ticket
(1)
C AS:
IDc || IDtgs ||TS1
(2)
AS C:
EKc [Kc,tgs|| IDtgs || TS2 || Lifetime2 || Tickettgs]
* Ticket-Granting Service Echange: To obtain Service-Granting Ticket
(3) C TGS:
IDv ||Tickettgs ||Authenticatorc
(4) TGS C:
EKc [Kc,¨v|| IDv || TS4 || Ticketv]
* Client/Server Authentication Exhange: To Obtain Service
(5) C V:
Ticketv || Authenticatorc
(6) V C:
EKc,v[TS5 +1]
Kerberos Realms
A Kerberos environment consists of:
A Kerberos server
A number of clients, all registered with server
Application servers, sharing keys with server
This is termed a realm
typically a single administrative domain
If have multiple realms, their Kerberos servers must share keys and trust
1.2 KERBEROS VERSION 5
Developed in mid 1990’s
Specified as Internet standard RFC 1510
Provides improvements over v4
Addresses environmental shortcomings
• encryption alg, network protocol, byte order, ticket lifetime,
authentication forwarding, interrealm auth
And technical deficiencies
• double encryption, non-std mode of use, session keys, password attacks
Difference Between Version 4 and 5
•
•
Environmental shortcomings
–
Encryption system dependence
» Any encryption algorithms can be used in v5 but only DES is possible in
v4
–
Internet protocol dependence
» Only IP is possible → to use any internet protocol
–
Message byte ordering
» Own choosing → use Abstract Syntax Notation one (ASN.1) and Basic
Encoding Rules (BER)
–
Ticket Life Time
» 1280 minitues(8bit) → any length of time(any length of bits)
–
Authentication Forwarding
» (eg. client → print server and print server → file server to use the file of
client)
–
Inter-realm authentication
» Less complexity than v4
Technical deficiencies
–
Double encryption
–
PCBC encryption
» In v5, Standard CBC is used
–
Session keys
» In v5, subsession key for only one connection can be used
–
Password attacks
(1)C AS :
ID C || ID tgs || TS1
( 2) AS C :
E K C [ K C, tgs || ID tgs ||
TS 2 || Lifetime
|| Ticket
(3)C TGS :
tgs
2
]
ID tgsrem || Ticket
tgs
|| Authentica torC
( 4)TGS C :
E K C ,tg s [ K C, tgsrem || ID tgsrem
|| TS 4 || Ticket
tgsrem
(5)C TGS rem : ID vrem || Ticket
]
tgsrem
|| Authentica torC
(6)TGS C :
E K C ,tg srem [ K C, vrem || ID vrem
|| TS b || Ticket
(7)C Vrem :
Ticket
vrem
]
vrem
|| Authentica torC
Version 5 authentication dialogue
a. Authentication Service Exchange
The following new elements are added:
1. Realm: Indicates realm of users.
2. Options: Used the request that certain flags be set the returned ticket.
3. Times: Used by the client to request the following time settings in the
ticket.
4. Nonce: A random value to be repeated in message(2) to assure that the
response is fresh and has not been replayed by the opponent.
–
Adds Nonce to refresh message and Flags field to have new functionality
b. Ticket-Granting Service Exchange
–
–
V5 Adds request time and options for ticket and nonces in comparison to v4
Other contents are similar to v4
c. Client/Server Authentication Exchange
–
New fields
»
Subkey : client’s choice for an encryption key to protect specified
session if omitted ticket session key is used
»
Sequence number
• Counting messages sent to detect replays
Ticket flag
The flag field included in ticket in version 5 supports expanded functionality
compared to that available.
2. X.509 AUTHENTICATION SERVICE
Part of CCITT X.500 directory service standards
distributed servers maintaining user info database
Defines framework for authentication services
Directory may store public-key certificates
With public key of user signed by certification authority
It also defines authentication protocols
It uses public-key crypto & digital signatures
algorithms not standardised, but RSA recommended
X.509 certificates are widely used
X.509 Certificates
The Heart of the X.509 scheme is the public-key certificate associated with each user
These user certificates are assumed to be created by some trusted certification
authority(CA) and placed in the directory by the CA or by the user
The directory server itself is not responsible for the creation of public keys or for the
certification function
General format of a certificate
Issued by a Certification Authority (CA), containing the following elements
Version (1, 2, or 3)
Serial number (unique within CA) identifying certificate
Signature algorithm identifier :- The Algorithm used to sign Certificate
together with any associated parameters
Issuer X.500 name (CA)
Period of validity (from - to dates)
Subject X.500 name (name of owner)
Subject public-key info (algorithm, parameters, key)
Issuer unique identifier:- used to identify the issuing CA in the event the X.500
Subject unique identifier:- used to identify uniquely the subject in the event the
X.500
name
Extension fields:- Extensions are added in V3
Signature :- It contains the hash code of the other fields, encrypted with the CA’s
private key
Notation
CA<<A>> =CA{V,SN,AI,CA,TA,A,AP}
This denotes certificate for A signed by CA
Where
Y<<X>>= the certificate of user X issued by certification authority Y
Y[I]= the signing of I by Y. It consists of I with an encrypted hash code
appended.
Obtaining a User’s Certificate
Any user with access to the public key CA can verify the user public key that was
certificated.
Only the CA can modify a certificate because cannot be forged, certificates can be
placed in a public directory
The following procedure will enable A to obtain B’s public key:
1. A obtains from the directory the certificate of X2,signed by X1.
Because A securely knows X1’s public key
A can obtain X2’s public key from its certificate and verify it by means of
X1’s signature on the certificate.
2. A then goes back to the directory and obtains the certificate of B signed by X2.
Because A now has a trusted copy of X2’s public key.
A can verify the signature and securely obtain B’s public key.
A has used a chain of certificates to obtain B’s public key.
In the notation of X.509 this chain is expressed as
X1<<X2>>X2<<B>>
In the same fashion B can obtain’s A’s public key with the reverse chain
X2<<X1>>X1<<A>>
A chain with N elements would be expressed as
X1<<X2>>X2<<X3>>…………….XN<<B>>
CA Hierarchy
If both users share a common CA then they are assumed to know its public key
otherwise CA's must form a hierarchy
use certificates linking members of hierarchy to validate other CA's
Each CA has certificates for
clients (forward certificate:- Certificates of X generated by other CAs)
and
Parent (Backward / Reverse Certificate :- Certificated generated by X
that are the certificates of other CAs)
Each client trusts parents certificates
Enable verification of any certificate from one CA by users of all other CAs in
hierarchy
Certificate Revocation
Certificates have a period of validity
May need to revoke before expiry eg:o user's private key is compromised
o user is no longer certified by this CA
o CA's certificate is compromised
CA’s maintain list of revoked certificates
The Certificate Revocation List (CRL)
Users should check certificates with CA’s CRL
Authentication Procedures
X.509 includes three alternative authentication procedures:
One-Way Authentication
Two-Way Authentication
Three-Way Authentication
All use public-key signatures
a. One-Way Authentication
A single transfer of information from one user(A) to another(B) and establishes the
following
o The identity of A and that message is from A
o The message was intended for B
o The integrity & originality of message
Message must include timestamp, nonce, B's identity and is signed by A may include
additional info for B
o Eg. session key
b. Two-Way Authentication
2 messages (A->B, B->A) which also establishes in addition:
o the identity of B and that reply is from B
o that reply is intended for A
o integrity & originality of reply
Reply includes original nonce from A, also timestamp and nonce from B may include
additional info for A
c. Three-Way Authentication
3 messages (A->B, B->A, A->B) which enables above authentication without
synchronized clocks
Has reply from A back to B containing signed copy of nonce from B means that
timestamps need not be checked or relied upon
2.1 X.509 VERSION 3
Key and Policy Information
The area includes the following
a. Authority key identifier:o Identifies the public key to be used to verify the signature on this certificate or
CRL
o Enables distinct keys of the same CA to be differentiated.
o One use of this field to handle CA key pair updating
b. Subject key identifier:o Identifies the public key being certified.
o Useful for subject key pair updating
o A subject may have multiple key pairs and correspondingly different certificates
for different purposes ( E.g digital Signature and Encryption key agreement)
c. Key Usage:Indicates a restriction imposed as to the purposes for which and the policies under
which the certifies public key may be used.
May indicate one or more of the following
Digital signature
Nonrepudiation
Key encryption
Data encryption
Key agreement
CA signature verification on certificates
CA signature verification on CRLs.
d. Private – key usage period:o Indicates the period of use of the private key corresponding to the public key.
o The private key is used over a different period from the validity of the public
key.
e. Certificate policies :o Certificates may be used in environments where multiple policies apply.
o This extension lists policies that the certificate is recognized as supporting,
together with optional qualifier information.
f. Policy Mappings :o Used only in certificates for CAs issued by other CAs.
o Policy mappings allow an issuing CA to indicate that one or more of that
issuer’s policies can be considered equivalent to another policy used in the
subject CA’s domain.
Certificate Subject and Issuer Attributes
The extension fields in this area include the following
a. Subject alternative name:o Contains one or more alternative names using any of variety of forms.
o This field is important for supporting certain applications such as
Electronic Mail
EDI &
IPSec which may employ their own name forms.
b. Issuer alternative name :o Contains one or more alternative names using any of a variety of forms.
c. Subject directory attributes:o Conveys any desired X.500 directory attribute values for the subject of this
certificate.
Certification Path Constraints
These extensions allow constraint specifications to be included in certificates issued
for CAs by other CAs
The extension fields in this area include the following
a. Basic constraints:
o Indicates if the subject may act as a CA.
o If so a certification path length constraint may be specified.
b. Name Constraints:
o Indicates a name space within which all subject names in subsequent
certificates in a
certification path must be located.
c. Policy Constraints :
o Specifies constraints that may require explicit certificate policy
identification or inhibit policy mapping for the remainder of the
certification path.
3. ELECTRONIC MAIL SECURITY
Email Security
Email is one of the most widely used and regarded network services
Currently message contents are not secure
may be inspected either in transit
or by suitably privileged users on destination system
Email Security Enhancements
Confidentiality
protection from disclosure
Authentication
of sender of message
Message integrity
protection from modification
Non-repudiation of origin
protection from denial by sender
EMAIL Security methods are
PGP PRETTY GOOD PRIVACY
S/MIME Secure / Multipurpose Internet Mail Extensions
3.1 PRETTY GOOD PRIVACY (PGP)
Pretty Good Privacy provides a confidentiality and authentication service
Electronic mail and file storage applications
Developed by Phil Zimmermann
Selected best available crypto algorithms to use
Integrated into a single program on Unix, PC, Macintosh and other systems
The steps involved in PGP are
Select the best available cryptographic algorithms as building blocks.
Integrate these algorithms into a general-purpose application that is independent of
operating system and processor and that is based on a small set of easy-to-use
commands.
Make the package and its documentation, including the source code, freely
available via the internet, bulletin boards, and commercial networks such as
AOL(America OnLine).
Enter into an agreement with a company to provide a fully compatible, low-cost
commercial version of PGP.
PGP has grown explosively and is now widely used. A number of reasons can be
cited for its growth
It is available free worldwide in versions that run on a variety of platforms.
It is based on algorithms that have survived extensive public review and are
considered extremely secure.
Example: RSA,DSS and Diffiehellman for public key encryption.
CAST-128,IDEA and 3DES for conventional encryption.
SHA-1 for hash coding.
It has a wide range of applicability.
It was not developed by, nor is it controlled by, any governmental or standards
organization.
Notation
The following symbols are used:KsSession key used in symmetric encryption scheme.
KRa Private key of user A,used in public-key encryption scheme.
KUa Public key of user A,used in public – key encryption scheme.
EPPublic-key Encryption
DP Public-key Decryption
ECSymmetric Encryption
HHash Function
|| Concatenation
Z Compression using ZIP algorithm
R64 Conversion to radix 64 ASCII format.
PGP documentation often uses the term Secret Key to refer to a key paired with a public key in
a public-key encryption scheme.
PGP Operational Description
a. Authentication
o Sender creates message
o SHA-1 is used to generate 160-bit hash of message
o The Hash code is encrypted with RSA using the Sender’s Private key and the result
is prepended to the message.
o The receiver uses RSA with sender's public key to decrypt and recover hash code
o The receiver verifies received message using hash of it and compares with
decrypted hash code
b. Confidentiality
o Sender generates message and 128-bit random number as session key for this
message.
o The message is encrypted using CAST-128 / IDEA / 3DES in CBC mode with
session key
o The Session key encrypted using RSA with recipient's public key, & attached to
message.
o The Receiver uses RSA with private key to decrypt and recover session key
o The session key is used to decrypt message
c. Confidentiality & Authentication
Can use both services on same message
o Create signature & attach to message
o Encrypt both message & signature
o Attach RSA/ElGamal encrypted session key
d. Compression
By default PGP compresses message after signing but before encrypting
so can store uncompressed message & signature for later verification &
because compression is non deterministic
uses ZIP compression algorithm
The signature is generated before compression for two reason:
Message encryption is applied after compression to strengthen cryptographic
security.
If one signed a compressed version of the message, then it is necessary either
to store compressed version of the message for the later verification.
e. Email Compatibility
when using PGP will have binary data to send (encrypted message etc)
However email was designed only for text
Hence PGP must encode raw binary data into printable ASCII characters.
Uses radix-64 algorithm
o Maps 3 bytes to 4 printable chars and also appends a CRC
PGP also segments messages if too big
f. Segmentation and Reassembly:
E-mail facilities often are restricted to a maximum length.eg., many of the facilities
accessible through the internet impose a maximum length of 50000 octets.
Any message longer than that must be broken up into smaller segments, each of
which is mailed separately.
To accommodate this restriction, PGP automatically subdivides a message that is
too large into segments that are small enough to send via e-mail.
The segmentation is done after all the other processing, including the radix-64
conversion.
At the receiving end, PGP must strip off all e-mail headers and reassemble the
entire original block before performing the other steps.
Cryptographic Keys and Key Rings
PGP makes used of four types of keys :
One-time session symmetric keys
Public Keys
Private Keys &
Passpharse-based symmetric keys
3 Separate requirements can be identified with respect to these keys.
A means of generating unpredictable session keys is needed.
To allow a user to have multiple public-key/private-key pairs
Each PGP entity must maintain a file of its own public/private key pairs as well as a file
of public keys of correspondents.
Session key Generation
Need a session key for each message
of varying sizes: 56-bit DES, 128-bit CAST or IDEA, 168-bit Triple-DES
Generated using ANSI X12.17 mode.
Uses random inputs taken from previous uses and from keystroke timing of user
Key Identifiers
Since many public/private keys may be in use, need to identify which is actually used
to encrypt session key in a message
could send full public-key with every message
but this is inefficient
Rather use a key identifier based on key
is least significant 64-bits of the key
will very likely be unique
Also use key ID in signatures.
In this Figure A message consists of 3 components : The Message Component
A Signature (Optional)
A Session key component(optional)
Message Component: Includes the actual data to be stored or transmitted as well as a
filename and a timestamp that specifies the time of creation.
Signature Component: include s the following
Timestamp:- The time at which the signature was made.
Message Digest:o The 160-bit AHA-1 digest encrypted with the sender’s private signature key.
o The digest is calculated over the signature timestamp concatenated with the data
portion of the message component.
o The inclusion of the filename and timestamp in the digest assures against types
of attacks.
o The exclusion that detached signatures are exactly the same as attached
signatures prefixed to the message.
o Detached signatures are calculated on a separate file that has none of the
message component header fields.
Leading two octets of message digest:o To enable the recipient to determine if the correct public key was used to
decrypt the message digest for authentication by comparing this plaintext copy
of the first two octects with the first two octects of the decrypted digest.
o These octects also serve as a 16-bit frame check sequence for the message.
Key ID of Sender’s public key:o Identifies the public key that should be used to decrypt the message digest and
hence identifies the private key that was used to encrypt the message digest.
Key Rings
Each PGP user has a pair of key rings: Public-key ring contains all the public-keys of other PGP users known to this
user, indexed by key ID
Private-key ring contains the public/private key pair(s) for this user, indexed by
key ID & encrypted keyed from a hashed pass phrase
Security of private keys thus depends on the pass-phrase security.
The ring as a table in which row represents one of the public/private key pairs owned by this
user. Each row contains the following entries.
Public-key :
public-key ring contains all the public-keys of other PGP users known to this user
Time stamp:- The Date/Time when this key pair was generated.
Key ID:- The least significant 64-bits of the public key for this entry.
Public key:- The public key portion
Private Key:- The private-key portion of the pair this field is encrypted.
User Id:- User’s E-mail address.
Private -key :
Time stamp:- The Date/Time when this entry was generated.
Key ID:- The least significant 64-bits of the public key for this entry.
Public key:- The public key for this entry.
User Id: Identifies the owner of this key.
Multiple user IDs may be associated with a single public key.
UNIT-5
1. INTRUDERS
One of the publicized threats to security is the intruders generally referred to as hackers or
crackers.
There are three classes of intruders
Significant issue for networked systems is hostile or unwanted access either via
network or local.
Can identify classes of intruders
Masquerader: - An individual who is not authorized to use the computer and
who penetrates a system’s access controls to exploit a
legitimate user’s account.
Misfeasor: - A legitimate user who accesses data, program, or resources for
which such access is not authorized, or who is authorized for
such access but misuse his or her privileges.
Clandestine user: - An individual who seizes supervisory control of the system
and uses this control to evade auditing and access controls
or to suppress audit collection
Intrusion Techniques
Aim to increase privileges on system
Basic attack methodology
–
–
–
–
Target acquisition and information gathering
Initial access
Privilege escalation
Covering tracks
Key goal often is to acquire passwords so then exercise access rights of owner
Intrusion Detection
Inevitably will have security failures
So need also to detect intrusions so can
– Block if detected quickly act as deterrent
– Collect info to improve security
Assume intruder will behave differently to a legitimate user
– But will have imperfect distinction between
Approaches to Intrusion Detection
a. Statistical Anomaly Detection
Threshold detection
–
–
Count occurrences of specific event over time
If exceed reasonable value assume intrusion alone is a crude &
ineffective detector
Profile based
–
–
Characterize past behavior of users
Detect significant deviations from this profile usually multiparameter.
b. Rule-Based Intrusion Detection
Observe events on system & apply rules to decide if activity is
Suspicious or not.
Rule-based anomaly detection
–
Analyze historical audit records to identify usage patterns & autogenerate rules for them
–
Then observe current behavior & match against rules to see if
conforms.
–
Like statistical anomaly detection does not require prior knowledge
of security flaws
Audit Records
Fundamental tool for intrusion detection
Native audit records
–
–
Part of all common multi-users O/S already present for use.
May not have info wanted in desired form.
Detection-specific audit records
–
Created specifically to collect wanted info at cost of additional overhead on
system.
Audit Record Analysis
Foundation of statistical approaches
Analyze records to get metrics over time
– Counter, gauge, interval timer, resource use
Use various tests on these to determine if current behavior is acceptable
– Mean & standard deviation, multivariate, markov process, time
series, operational
Key advantage is no prior knowledge used.
Statistical Anomaly Detection
Threshold detection
–
Counting the number of occurrences of a specific event type over an
interval of time.
–
Threshold analysis is a crude and ineffective detector of even
moderately sophisticated attacks.
Profile based
– Characterize past behavior of users
–
Detect significant deviations from this
–
Profile usually multi-parameter.
Metrics are useful foe profile based intrusion detection are the following
Counter:o A non-negative integer that may be incremented.
o A count of certain event types is kept over a particular
period of time.
Gauge: - Gauge is used to measure the current value of
some entity.
Interval timer: - The length of time between two related
Events.
Resource utilization: - Quantity of resources consumed
during a specified period.
Various tests can be performed to determine whether current activity fits within acceptable
limits.
Mean and Standard Deviation:-
To measure the mean and SD of a parameter over some historical period.
The use of mean and SD is applicable to a
Wide variety of counters
Timers and
Resource measures
Multivariate:
Model is based on correlations between to or more variables.
Markov Process:
Used to establish transition probabilities among various states.
Time Series:
Model focuses on time intervals
looking for sequences of events that happen too rapidly or too slowly.
Operational: Is based on a judgment of what is considered abnormal rather than an
automated analysis of past automated analysis of past audit records.
Rule-Based Intrusion Detection
Observe events on system & apply rules to decide if activity is suspicious or not
a.Rule-based anomaly detection
– Analyze historical audit records to identify usage patterns & autogenerate rules for them
– Then observe current behavior & match against rules to see if
conforms
– Like statistical anomaly detection does not require prior knowledge
of security flaws
b.Rule-based penetration identification
– Uses expert systems technology
– With rules identifying known penetration, weakness patterns, or
suspicious behavior.
– Rules usually machine & O/S specific
– Rules are generated by experts who interview & codify knowledge
of security admins.
– Quality depends on how well this is done.
–
Compare audit records or states against rules
Base-Rate Fallacy
Practically an intrusion detection system needs to detect a substantial percentage of
intrusions with few false alarms
–
–
If too few intrusions detected False security
If too many false alarms
Ignore / waste time
This is very hard to do existing systems seem not to have a good record
Distributed Intrusion Detection
Traditional focus is on single systems but typically have networked systems
More effective defense has these working together to detect intrusions
Issues
– Dealing with varying audit record formats
–
Integrity & Confidentiality of networked data
–
Centralized or Decentralized architecture.
Distributed Intrusion Detection - Architecture
The overall architecture which consists of three main components
Host agent Module:
An audit collection module operating as a background process on a monitored
system.
The purpose is to collect data on security related events on the host and transmit
these to the central manager.
LAN monitor agent module: Operates in the same fashion as a host agent module except that it analyses
LAN
traffic and reports the results to the central manager.
Central manger module: Receives reports from LAN monitor and host agents and processes and
correlates
these reports to detect intrusion.
Distributed Intrusion Detection – Agent Implementation
Honey pots
Decoy systems to lure attackers
–
–
Away from accessing critical systems
To collect information of their activities
–
To encourage attacker to stay on system so administrator can respond
These system are filled with fabricated information
Instrumented to collect detailed information on attackers activities
may be single or multiple networked systems.
2. PASSWORD MANAGEMENT
Password Protection
•
Front-line defense against intruders is the password system.
•
Virtually all multi-user systems require that a user provide not only a name or identifier
(ID) but also a password.
•
The password serves to authenticate the ID of the individual logging on to the system
The ID provides security in the following ways
The ID determines whether the user is authorized to gain access to system.
The ID determines the privileges accorded to the user.
The ID is used in what is referred to as discretionary access control.
Managing Passwords
•
Need policies and good user education
•
Ensure every account has a default password
•
Ensure users change the default passwords to something they can remember
•
Protect password file from general access
•
Set technical policies to enforce good passwords
•
– Minimum length (>6)
– Require a mix of upper & lower case letters, numbers, punctuation
– Block know dictionary words
May reactively run password guessing tools
–
note that good dictionaries exist for almost any language/interest group
•
May enforce periodic changing of passwords
•
Have system monitor failed login attempts, & lockout account if see too many in a
short period.
•
Do need to educate users and get support
•
Balance requirements with user acceptance
•
Be aware of social engineering attacks
Password selection strategies
Many user shares password that is too short or too easy to guess.
At the other extreme, if the user is assigned password consisting of eight randomly
selected printable characters, password cracking is effectively impossible.
Four basic techniques are in use:
User education
Computer generated passwords
Reactive password checking
Proactive password checking.
a. User Education :
User can be told the important of using hard to guess password and can
be provided with the guidelines for selecting the strong passwords.
This user education strategy is likely to succeed at more installation,
particularly where there is large user population or lot of turnover.
b.Computer Generated Passwords :
Computer generated passwords also create problems.
If the password is quite random in nature user will not be able to
remember them.
Even if the password is pronounceable, the user may have difficult in
remembering it and so be tempted to write it down.
c.Reactive Password checking:
A reactive password checking strategy is one in which the system
periodically runs its own password cracker to find guessable passwords
. The system cancels any password that is guessed by the user.
d. Proactive Password Checking
The most promising approach to provide password security is proactive
password checker.
In this a user is allowed to select his/her own password.
The possible approaches to proactive password checking are
All passwords must be at least eight characters long.
In the first eight characters, the password must include atleast
one each of uppercase, lowercase, numeric digits and
punctuation marks.
Usually user password or password file is essential to intrude.
Protection of password file
–
One-way encryption: - The system stores an encrypted form of the
user’s password, and compares it with the encrypted output of
presented password.
–
Access control: - Access to the password file is limited to one or a
very few accounts.
UNIX Password Scheme
Techniques for learning passwords
Try default passwords used with standard accounts that are shipped with the
system.
Exhaustively try all short passwords ( 1~3 characters).
Try words in the system’s on-line dictionary of a list of likely passwords.
–
Collect information about users (names, books, hobbies, etc)
Try users’ phone numbers, Social Security numbers, and room numbers.
Try all legitimate license plate numbers.
Use a Trojan horse.
Tap the line between a remote user and the host system.
Crypt(3)
»
–
•
Salt
»
25 times DES encryptions
Related to time
»
Prevents duplicate passwords from being visible in the password file
»
Increase the length of the passwords ( 2 characters)
»
Prevent the use of a hardware implementation of DES, which would
ease the difficulty of a brute-force guessing attack
The vulnerability of Passwords
–
Two threat to the UNIX password scheme
»
Gaining access on a machine and then run a password guessing program
on that machine with little resource consumption
»
Obtaining a copy of the password file, then a cracker program can be run
on another machine
–
Not yet feasible to use a brute-force technique of trying all possible
combinations of characters
–
Passwords must NOT be too short, NOT be too easy to guess
•
Access Control
–
Denies the opponent access to the password file
–
Has several flaws
» Many systems are susceptible to unanticipated break-ins
» An accident of protection might render the password file readable
» Some users use the same password on other machines.
•
Eliminate guessable passwords, while allow memorable passwords.
•
Four basic techniques
–
User education
» Ignoring guidelines, misunderstanding what a strong password is
–
Computer-generated passwords
» Hard to remember even if they are pronounceable.
–
Reactive password checking
» The system periodically runs its password cracker to find guessable
passwords
» Resource intensive
» Unchecked passwords remains vulnerable.
–
Proactive password checking
» When a user selects his or her own password, the system checks to see if
the password is allowable.
Proactive Password Checking
•
Rule enforcement
– All passwords must be at least eight characters long
– In the first eight characters, the passwords must include at least one each of
uppercase, lowercase, numeric digits, and punctuation marks.
•
Compiling a large dictionary of “bad” passwords
– When a user selects a password, the system checks
– Large space (storage) and time consumption.
•
Two techniques for developing an effective and efficient password checker
–
–
–
Markov model
Bloom filter
Based on rejecting words on a list show promise
Markov Model
•
[m, A, T, k]
where
m : number of states
A : state space
T : matrix of transition prob.
k : order of the model
2nd order Markov Model
•
Calculating transition matrix
– When a dictionary of guessable passwords is constructed.
–
Determine the freq. matrix f(i,j,k) which is the number of occurrences of the
trigram consisting of the ith, jth ,and kth character.
–
For each bigram ij, calculate f(i,j,¥) as the total number of trigrams
beginning with ij
–
Compute the entries of T
T(i,j,k) = f(i,j,k) / f(i,j,¥)
•
T reflects the structure of the words in the dictionary.
•
“Is this a bad password?”
“Was this password generated by this model?”
•
Passwords likely to be generated by the model are rejected.
3. VIRUSES AND RELATED THREATS
Malicious Programs
An overall of software threats or malicious programs
These threats can be divided into 2 categories
a. Needs host program
b. Independent
Taxonomy of Malicious Programs
a. Backdoor or Trapdoor
•
Secret entry point into a program allows those who know access bypassing
usual security procedures.
•
Have been commonly used by developers.
•
A threat when left in production programs allowing exploited by attackers very
hard to block in OS
b. Logic Bomb
•
One of oldest types of malicious software
•
Code embedded in legitimate program
•
Activated when specified conditions met
– E.g. Presence/absence of some file
– Particular date/time
– Particular user
•
When triggered typically damage system.
– Modify/delete files/disks, halt machine, etc.
c. Trojan Horse
•
Program with hidden side-effects
•
When invoked it performs some unwanted or harmful function.
•
Which is usually superficially attractive
– E.g., game, s/w upgrade, etc.
•
When run performs some additional tasks
– allows attacker to indirectly gain access they do not have directly
•
Often used to propagate a virus/worm or install a backdoor or simply to destroy
data.
•
Mail the password file.
d. Zombie
•
Program which secretly takes over another networked computer
•
Then uses it to indirectly launch attacks (difficult to trace zombie’s creator)
•
Often used to launch distributed denial of service (DDoS) attacks
•
Exploits known flaws in network systems.
•
A piece of self-replicating code attached to some other code
•
Attaches itself to another program and executes secretly when the host program
is executed.
•
Propagates itself & carries a payload
e.Viruses
– Carries code to make copies of itself.
– As well as code to perform some covert task.
Virus Operation
Virus phases
Dormant Phase:
The virus is idle.
The virus will eventually be activated by some event
Such as
Date
Presence of another program or file and or
The capacity of the disk exceeding some limit Waiting on
trigger event.
Propagation Phase:
The virus places an identical coy of itself into other programs or
into certain system areas on the disk.
Each infected program will now contain a clone of the virus
which will itself propagation phase.
Triggering Phase :
The virus is activated to perform the function for which it was
intended.
It can be caused by a variety of system events including a count
of the number of times that this copy of the virus has made
copies of itself.
Execution Phase:
The function is performed
The function may be harmless Such as Message on the screen or
Damaging such as the destruction of programs and data files.
Virus Structure
Program V :=
{
goto main;
1234567;
subroutine infect-executable :=
{
loop:
file := get-random-executable-file;
if (first-line-of-file = 1234567) then goto loop
else prepend V to file; }
subroutine do-damage :=
{whatever damage is to be done}
subroutine trigger-pulled :=
{return true if condition holds}
main: main-program :=
{infect-executable;
if trigger-pulled then do-damage;
goto next;}
next:
}
Types of Viruses
Can classify on basis of how they attack
•
Parasitic virus
-- attaches itself to executable files and replicates
•
Memory-resident virus
-- Lodges in the main memory and infects every
program
that executes.
•
Boot sector virus
-- Infects a boot record and spreads when the system is
booted from the disk.
•
Stealth
-- Designed to hide itself from antivirus software.
•
Polymorphic virus
-- A virus that mutates with every infection, making
detection very difficult.
•
Metamorphic virus
-- Mutates with every infection, making detection by
the
“signature” of the virus impossible..
f. Email Virus
•
Spread using email with attachment containing a macro virus
•
Triggered when user opens attachment
•
or worse even when mail viewed by using scripting features in mail agent
•
Hence propagates very quickly
•
Usually targeted at Microsoft Outlook mail agent & Word/Excel documents
•
Replicating but not infecting program (does not attach itself to a program)
•
Typically spreads over a network
g.Worms
–
Morris Internet Worm in 1988
•
Using users distributed privileges or by exploiting system vulnerabilities
•
Worms perform unwanted functions
•
Widely used by hackers to create zombie PC's, subsequently used for
further attacks, esp DoS.
•
Major issue is lack of security of permanently connected systems, esp PC's
To replicate itself a network worms uses some sort of network vehicles
Electronic mail facility : A worm mails a copy of itself to other
programs.
Remote execution capability: - A worm executes a copy of itself
on
another system.
Remote Login capability :- A worm logs onto a remote system as
a
user and then uses commands to copy
itself from one system to the other
Worm Operation
•
Worm has phases like those of viruses
–
Dormant
–
Propagation
•
•
•
–
–
Search for other systems to infect
Establish connection to target remote system
Replicate self onto remote system.
Triggering
Execution
h.Morris Worm
•
Best known classic worm
•
Released by Robert Morris in 1988
•
Targeted Unix systems
•
Using several propagation techniques
–
–
–
•
Simple password cracking of local pw file
Exploit bug in finger daemon
Exploit debug trapdoor in send mail daemon
If any attack succeeds then replicated self
4. VIRUS COUNTERMEASURES
•
•
Best countermeasure is prevention (Do not allow a virus to get into the system in
the
first place.)
But in general not possible Hence need to do one or more of
– Detection - of viruses in infected system
– Identification - of specific infecting virus
– Removal - restoring system to clean state
Anti-Virus Software
•
First-generation:- Simple Scanners
– Scanner requires a virus signature to identify a virus.
– The virus may contain “wildcards” but essentially the same
structure
and bit pattern in all copies such Signature-specific scanners are
limited to the detection of known viruses.
– Another type scanner maintain a record maintains a record of the
length of programs and looks for changes in length.
•
Second-generation :- Heuristic Scanners
– Scanner does not rely on a specific signature.
– The scanner uses heuristic rules to search for probable virus
infection.
– Such as scanners looks for fragments of code that are often
associated with viruses.
•
Third-generation :- Activity Traps
– Programs are memory-resident programs that identify a virus by
its
actions rather than its structures in an infected program.
•
Fourth-generation :- Full-Featured protection
– Packages with a variety of antivirus techniques
– These include scanning and activity trap components.
– In addition it includes access control capability
•
Which limits the ability of viruses to penetrate a system
and
•
Then limits the ability of a virus to update files in order to
pass on the infection.
Advanced Anti-Virus Techniques
Generic decryption
Generic Decryption (GD) Technology:
Enables the antivirus program to detect easily even the most complex polymorphic
viruses while maintaining fast scanning speeds.
When a file containing a polymorphic virus is executed the virus must decrypt itself
to activate.
To detect such a structure, executable files are run through a GD scanner which
contains the following elements.
CPU Emulator: A software-based virtual computer.
Instructions in an executable file are interpreted by the emulator rather
than executed on the underlying processor.
The emulator includes
Software versions of all registers and other processor hardware so
that the underlying processor is unaffected by programs interpreted
on the emulator.
Virus Signature Scanner:
A module that scans the target code looking for known virus
signatures.
Emulation Control Module:
Controls the execution of the target code.
Digital immune system (IBM)
The Digital immune system is a comprehensive approach to virus protection
developed by IBM.
The motivation for this development has been the rising threat of InternetBased virus propagation.
Two major trends in Internet Technology have had an increasing impact on
the rate of virus propagation in recent years
Integrated mail Systems :- Systems such as Lotus Notes and Microsoft
Outlook make it very simple to send anything
to
anyone and to work with objects that are
received.
Mobile-program systems:- Capabilities such as Java and ActiveX allow
programs to move on their own from one
system to another.
A monitoring program on each PC uses a variety of heuristics based on system
behaviour, suspicious changes to programs, or family signature to infer that a virus
may
be present.
The monitoring program forwards a copy of any program thought to be infected
to
an administrative machine within the organization.
The administrative machine encrypts the sample and sends it to a central virus
analysis machine.
This machine creates an environment in which the infected program can be safely
run for analysis.
Techniques used for this purpose include
Emulation or the creation of a protected environment within which the
suspect program can be executed and monitored.
The virus analysis machine then produces a prescription for identifying and
removing the virus.
The resulting prescription is sent back to the administrative machine.
The administrative machine forwards the prescription to the infected client.
The prescription is also forwarded to other clients in the organization.
Subscribers around the world receive regular antivirus updates that protect them
from the new virus.
Behavior-Blocking Software
•
Integrated with host OS
•
Monitors program behavior in real-time
Attempts to open, view, delete and /or modify files.
Attempts to format disk drives and other unrecoverable disk operations
Modifications to the logic executable files, scripts of macros.
Modifications of critical system settings such as start-up settings
Scripting of e-mail and instant messaging clients to send executable content.
Initiation of network communications.
•
For possibly malicious actions
–
•
If detected can block, terminate, or seek ok
Has advantage over scanners but malicious code runs before detection
