Cryptographic Lecture
advertisement
ECE4112 Internetwork Security LabXX Cryptography Techniques Group Number: _________ Member Names: ___________________ _______________________ Date Assigned: Date Due: Last Edited: Lab Authored by: Chulwoo Chu, Nicholas Gibbs, Yu-Kung Ke, Chukwuemeka Okonkwo Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so that you will have time to complete the lab. Answer ALL questions in the Answer Sheet and be sure you turn in ALL materials listed in the Turn-in Checklist on or before the Date Due. Goal This lab assignment is served as an introduction of cryptography techniques. Although cryptography in general is heavily involved with rigorous mathematical theories, which are missing in this lab, you would still gain some fundamental knowledge and concepts of various cryptography mechanisms after completing this assignment. Summary In this assignment, first we are going to introduce some general methodologies, which are the fundamental operations of implementing cryptography. With the understanding of those methodologies, we are going to examine some commonly used cryptography techniques, which are employed to ensure the confidentiality, integrity and availability of data communications in a public network such as the Internet. The techniques included in the assignment are message digest, private key (a.k.a. symmetric-key) encryption, and public key (a.k.a. asymmetric-key) encryption. For the message digest, the MD5 is going to be our example. For the private key encryption, the RC4 scheme employed in WEP (wired equivalent privacy) of 802.11 wireless networks, and the AES (advance encryption standard) will be discussed and you will have chances to observe the encrypted and decrypted data using the provided programs for RC4 and AES. Finally, two well-known public key encryption schemes, RSA and Diffie-Hellman, will be introduced, and the PGP (pretty good privacy), a secure email protocol, will be used as an application example of public key encryption schemes. (You will only need your HD, which contains two WinXP, one RH7.2 virtual machines, and a floppy disk to perform all the tasks.) 1 SECTION 1 Background and Theory What is Cryptography? Cryptography comes from 2 Greek words which when translated mean “secret” and “writing”, hence, cryptography is the art of secret writing. [1] Cryptography is based on higher mathematics including the areas of group and field theory, computational complexity, real analysis and probability and statistics. [2] Why is it needed? Cryptography is used to send information between people in such a way that no one else can read it. [1] Terminology and Concepts The original message is known as plaintext or cleartext. The encrypted (scrambled) form of the message is known as ciphertext. Encryption is the process of encoding a message so that its meaning is not obvious (i.e. it is the process of producing ciphertext from plaintext.) Decryption is the reverse of encryption i.e. the process of converting an encrypted message back to its original plaintext. Alternative terms such as encode and decode or encipher and decipher could be used in place of encrypt and decrypt. A system for encryption and decryption is known as a cryptosystem. [2] The relationship is shown in Figure 1 below: Plaintext Encryption n Ciphertext Original Plaintext Decryption n Figure1. Encryption and Decryption. The transformation between plaintext and ciphertext can be described using formal notations. We write: C = E(P) and P = D(C), where C = ciphtertext, P = plaintext E = encryption rule, D = decryption rule We want a cryptosystem for which P = D(E(P)) i.e. we want the ability to convert plaintext to ciphertext to ensure confidentiality against intruders but also for the receiver to recover the original plaintext. Sometimes the algorithms for encryption and decryption use a secret value or key, denoted by K and so the ciphertext depends on the 2 plaintext message, the algorithm and the key value. This is written as C = E(K,P). If the encryption and decryption keys are the same, then P = D(K, E(K,P)). This is known as symmetric encryption because D and E are mirror-image processes. Sometimes, encryption and decryption use different keys. In such cases, the decryption key KD undoes the encryption of key KE, so that P = D(KD, E(KE,P)). This is known as asymmetric encryption because the steps involved in decryption, along with the key used are different from the steps involved in encryption and the key used for that. Symmetric and Asymmetric encryption are shown in Figure 2 below. Key Plaintext Encryption n Original Plaintext Ciphertext Decryption n a) Symmetric Cryptosystem Encryption Key Ke Plaintext Encryption n Decryption Key Ke Ciphertext Original Plaintext Decryption n b) Asymmetric Cryptosystem Figure 2. Encryption with Keys. An encryption scheme that does not require a key is called a keyless cipher. [2] A cryptographer invents secret codes while a cryptanalysts attempts to break these codes. These two disciplines try to keep ahead of each other. The success of cryptographers relies on the Fundamental Tenet of Cryptography: - If lots of smart people have failed to solve a problem, then it probably won’t be solved (soon). Cryptology is the research and study of encryption and decryption. It includes both cryptography and cryptanalysis. [1] A stream cipher immediately converts one symbol of plaintext into a symbol of ciphertext. A block cipher encrypts a group of plaintext symbols as one block. Figures 3 and 4 demonstrates stream and block ciphers. [2] 3 Key (Optional) ISSOPMI Plaintext wdhuw… Y Ciphertext Encryption n Figure 3. Stream Cipher Encryption XN OI TP YR CN Decryption n ba qc kd em mc Figure 4. Block Cipher Encryption An encryption algorithm should have the characteristics of confusion and diffusion. Confusion: It should be able to transform the plaintext in such a way that it would be practically impossible to be able to predict what would change in the ciphertext by changing a character in the plaintext. An algorithm with good confusion has a complex functional relationship between the plaintext/key pair and the ciphertext; therefore it will take a long time for the interceptor to break the code. Diffusion: It should be able to spread the characters of the plaintext over the entire ciphertext thereby causing any changes in the plaintext to affect many parts of ciphertext. If an encryption algorithm has good diffusion, then it means that the interceptor needs access to a lot of the ciphertext in order to infer the algorithm. [2] Examples of Symmetric Stream and Block Ciphers A stream cipher can easily be created by substitution of each character in the plaintext with another character or symbol. There are two types of substitution: monoalphabetic and polyalphabetic. As its name suggests, monoalphabetic (or simple) substitution encrypts and decrypts via a single alphabet. The relationship between alphabets (encryption/decryption scheme) is a 1 to 1 function that maps characters from plaintext to ciphertext. 4 The Caesar Cipher, used by none other than Julius Caesar himself, employs monoalphabetic substitution. Caesar encrypted a plaintext letter by shifting it 3 places, so that plaintext character A (the 1st letter) would become ciphertext character D (the 4th letter). Pre-lab Question 1: Decrypt the following ciphertext using the Caesar Cipher: ZHOFRPH WR WKH UHDO ZRUOG Note that the Caesar Cipher is a keyless cipher, and uses a very elementary substitution scheme. It is desirable to create more complicated mappings. One option is to use a key, followed by the rest of the alphabet in an easy to remember format: plaintext: ciphertext: ABCDEFGHIJKLMNOPQRSTUVWXYZ keywordabcfghijlmnpqrstuvz Obviously, it is better to have a longer key. Another option [2] is to map letters in multiples of three: plaintext: ciphertext: ABCDEFGHIJKLMNOPQRSTUVWXYZ adgjmpsvybehknqtwzcfilorux If it helps, think of the cipher as this function: π(λ) = (3 * λ) mod 26, where λ is plaintext letter number, A being 0, Z being 25. Anyway, you get the picture: the more complex the mapping the better the confusion characteristic. Although substitution can be rather quickly encrypted and decrypted, one of the major disadvantages is easy recognition of letter frequency (and word length). Understanding which plaintext letters appear most can allow for faster cryptanalysis (and higher scores on “Wheel of Fortune”). Polyalphabetic substitution mitigates this frequency distribution problem by employing multiple alphabets for encryption and decryption. For example, one alphabet is used to encipher the odd characters in the plaintext, while another alphabet is used for the even characters [2]. One famous example, the Vigenère Tableau, uses 26 alphabets, all combinations of the plaintext alphabet. Ideally, the perfect substitution cipher would use infinitely many, non-repeating alphabets. This cipher would have the benefit of preventing a repeated plaintext phrase from having the same corresponding ciphertext [2]. A one-time pad (OTP) is a long random string, divided into keys and XOR’d to a plaintext message to create the ciphertext [1]. Think of each key as being written on a sheet, glued to a pad, and discarded once used. An OTP effectively creates a key as long as the plaintext. 5 Transposition (a.k.a. permutation) rearranges plaintext characters to create the ciphertext. Columnar transposition is a good example of a block cipher. This technique amounts to taking multi-line plaintext characters and reorganizing them by columns (left to right) to create the ciphertext. See Figure CT-1. Figure CT-1. ciphertext c1 c6 c11 c2 c7 c12 c3 c8 c13 c4 c9 c14 c5 c10 c15 c1 c6 c11 c2 c7 c12 c3 c8 c13 c4 c9 c14 c5 c10 c15 ... Source: [2] Here’s an example of columnar transposition: AN EXAMPLE MESSAGE (plaintext) A A E S N M M A E P E G X L S E AAES NMMA EPEG XLSE (ciphertext) If you apply another transposition on the above ciphertext, you would have a double transposition cipher. This added transposition (assuming it uses a different number of columns than the first) allows for greater diffusion [2]. Pre-lab Question 2: Decrypt the following ciphertext using columnar transposition: (hint: the plaintext is in 6 columns) UUYCOT TYEIOF NNNALT ROTTUX FAONDH IUOFRX OTOBWE XHSOSX RENEHM IAEREX TLETAA SVEYLX 6 SECTION 2 Message Digests 2.1 MD5 A message digest (also known as hash) in a one-way function, which takes an input message and produce an output. It is considered one-way because it is not practical to figure out what input correspond to a given output. For a message digest function to be considered cryptographically secure, it is must be computationally infeasible to find a message that has a given pre-specified message digest, it similarly should be impossible to find two messages that have the same message digest (a mathematical term, collision, is referred to such a situation). An example use of a message digest is to fingerprint a program or document to detect any modification of it (Recall, during the Lab 8 Firewall, a new MD5 message digest was generated each time after you save the change that you made on the content of configuration files; and a careful network administrator should save such message digest as an integrity check of configuration files.) Another use of message digest is that message digiest is in practicce combined with digital signature. In section 4.1, we will describe how we could generate a digital signature using a publicprivate key encryptiong scheme. Instead of signing the whole mesaage, one could first generate the meaage digest of a message and only sign the resulting message digest. It is efficient because a message digest algorithm is in general faster than an encryption scheme, and the message digest of a (lengthy) message is always 128-bits long. MD5 is one of a series of message digest algorithms designed by Ronald Rivest of MIT (Rivest, 1994). When analytic work indicated that MD5's predecessor — MD4— was likely to be insecure, MD5 was designed in 1991 to be a secure replacement; weaknesses were indeed subsequently found in MD4 by Hans Dobbertin. In 1996, Dobbertin announced a collision of the compression function of MD5 (Dobbertin, 1996). This was not quite an attack on the full MD5 hash function, but it was close enough for cryptographers to recommend switching to a replacement, such as secure hash algorithm (SHA-1) proposed by National Institute of Standards and Technology (NIST) . In August 2004, Chinese researchers found collisions for MD5. It is still unknown how this discovery will affect the widespread use of MD5. MD5 processes a variable length message into a fixed-length output of 128 bits. The input message is broken up into chunks of 512-bit blocks; the message is padded so that its length is divisible by 512. The padding works as follows: first a single bit, 1, is appended to the end of the message. This is followed by as many zeros as are required to bring the length of the message up to 64 bits fewer than a multiple of 512. The remaining bits are filled up with a 64-bit integer representing the length of the original message. The main MD5 algorithm operates on a 128-bit state, divided into four 32-bit words, denoted A, B, C and D. These are initialised to certain fixed constants. The main algorithm then operates on each 512-bit message block in turn, each block modifying the state. The processing of a message block consists of four similar stages, termed rounds; each round is composed of sixteen similar operations based on four primitive functions F, G, H, I, modular addition, and left rotation. Figure 5 shows the main loop of MD5 proceedings. Figure 6 shows the example of one operation in a round. In this example, F 7 takes B, C, D as the inpuut; M i is one of sixteen 32-bit words taken from the current message block; s<<< performs s-time left rotation of a 32-bit string, K i is a constant; finally this operation outputs a new message digest “B” The complete MD5 message digest algorithm, which illustrats the 64 operations in detail, could be found in IETF RFC1321 (http://www.ietf.org/rfc/rfc1321.txt ). Figure 5. The main loop of MD5 proceeding. Figure 6. Example of one operation within a round.1 The 128-bit MD5 message digests are typically represented as 32-digit hexadecimal numbers. 1 http://en.wikipedia.org/wiki/Md5 8 2.2 Exercise – Using MD5 Copy the md5.c file from /mnt/nas4112/Lab<XX> and compile it under your RH 8.0 (You could download md5.c from http://theory.lcs.mit.edu/~rivest/md5.c ) # mount /mnt/nas4112/ # password: secure_class # cp /mnt/nas4112/LabXX/md5.c (Note, you will probably see some warning while compiling the code, but it is OK.) # gcc –o md5 md5.c –lm Try the following, (Note, there is no space between s and quotation mark.) # ./md5 –s”The Phantom of the Opera” 015696972454b3c760fdac5ef28657b4 “The Phantom of the Opera” (Note, 015696972454b3c760fdac5ef28657b4 is the message digest of “The Phantom of the Opera”) # ./md5 –s”The Phantom of the Oprah” e237627a09bd4f62b3b15ef9b9129587 “The Phantom of the Oprah” As you observe, even a small change (Opera to Oprah) in the message will result in a completely different message digests. Now, make up two similar phrases to generate two message digests at the same way as the above. Take a screen shot (Screenshot 1). SECTION 3 Private Key Encryption (a.k.a. Symmetric Encryption) 3.1 RC4 RC4 is a proprietary stream cipher created by Ron Rivest of RSA Security in 1987. Supposedly equivalent source code, known as alleged RC4 (ARC4 or ARCFOUR), was leaked onto a newsgroup in 1994 [3]. RC4 has been adapted for use in WEP (wired equivalent privacy) as well as SSL. The RC4 algorithm uses an OTP called the Vernam Cipher. To ensure that no key is reused, RC4 implementations combine a randomly generated initialization vector (IV) with a user-defined key in order to create the actual key. Although RC4 can have a key size up to 256 bits, it is more secure to have a smaller user-defined key and larger IV. 9 There are several security concerns with RC4’s implementation in WEP1 and OpenSSL: 1) non-randomness of first bytes of ciphertext 2) reuse of IVs or user-defined keys. For more information on RC4 see: RC4 Guide, Meaning , Facts, Information and Description http://www.e-paranoids.com/r/rc/rc4.html 3.2 Exercise - Using RC4 via CipherSaber We’ll be using the CipherSaber-1 implementation of RC4 to encrypt and decrypt files. For more information on CipherSaber, see http://ciphersaber.gurus.com/ A cryptanalysis of the implementation can be found at: http://ciphersaber.gurus.com/cryptanalysis.html The CipherSaber-1 implementation uses a 10 byte IV and recommends a user-defined key of 54 characters or less. (Since we’re dealing with ASCII text, bytes, instead of bits, are used for the actual key.) A different IV is generated and appended to the beginning of each encrypted file, and must be read-in for decryption of the file. The user-defined key for the files should be securely shared (e.g. via face-to-face or PGP) between the communicating parties. Because of security concerns about RC4, no more than 1000 messages should be sent using the same user-defined key. CipherSaber-2 addresses these issues, but is not needed for this exercise. Since CipherSaber takes pride in its simplistic design, we could ask you to code it. But, isn’t it easier to use somebody else’s (freely distributed) work? First, on the WinXP machine, Select Start->Run Type \\57.35.10.10\secure_class The username and password are both secure_class. Copy the /LabXX/ ciphersaber.exe (CipherSaber v.6) to your WinXP machine. You could also download it from: http://xorksplace.port5.com/windows.html Second, copy and untar the Linux version on your RedHat 8.0 machine: (You could also download it from: http://xorksplace.port5.com/linux.html) On your RedHat 8.0 machine # # # # # Create a text file and copy/paste your favorite paragraph of text. Run the CipherSaber program on the text file mount /mnt/nas4112/ password: secure_class cp /mnt/nas4112/LabXX/ciphersaber.tar.gz tar xvfz ciphersaber.tar.gz cd ciphersaber o # ./cs file.txt Enter a pass phrase of your liking View your text file o # more file.txt 10 Take Screenshot 2 of the console Notice your encrypted file now has the “.cs” extension appended to it Copy the encrypted file onto a disk o o o # mount /mnt/floppy # cp file.txt.cs /mnt/floppy # umount /mnt/floppy Tell your fellow team member the pass phrase. On your WinXP machine: Double-click on ciphersaber.exe and install the program Double-click on the CipherSaber desktop shortcut Click the Browse button and select file.txt.cs from the floppy drive Let your fellow team member enter the passphrase Select the Decrypt radio button and click on the Decrypt button The decrypted file “file.txt” will be written onto the floppy disk Take Screenshot 3 of the decrypted file Question 1: In the procedure you just followed, what is the primary weakness of this confidential transfer of information? 3.3 Advanced Encryption Standard (AES) The Advanced Encryption Standard (AES), also known as Rijndael, is a block cipher adopted as an encryption standard by the US government, and is expected to be used worldwide and analysed extensively, as was the case with its predecessor, the Data Encryption Standard (DES). It was adopted by National Institute of Standards and Technology (NIST) as US Federal Information Processing Standard (FIPS) PUB 197 (http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf) in November 2001 after a 5year standardisation proces. AES has a fixed block size of 128 bits and a key size of 128, 192 or 256 bits, whereas Rijndael can be specified with key and block sizes in any multiple of 32 bits, with a minimum of 128 bits and a maximum of 256 bits. AES operates on a 4×4 array of bytes, termed the state (versions of Rijndael with a larger block size have additional columns in the state). For encryption, each round of AES (except the last round) consists of four stages: SubBytes — A non-linear substitution step where each byte is replaced with another according to a lookup table call S-box. S-box was derived from the calculations of binary polynomials based on some mathmetical theories. ShiftRows — A transposition step where each row of the state is shifted cyclically a certain number of steps. MixColumns — A mixing operation, which operates on each column of the state, combining the four bytes in each column using a linear transformation, outputs a new 11 column of the state. A lookup talbe, derived from the calculations of binary polynomials based on some mathmetical theories, is available. AddRoundKey — Each byte of the state is combined with the round key; each round key is derived from the original key (specified by a user) using a key expandsion algorithm. The key is added by combining each byte of the state with the corresponding byte of the subkey using bitwise XOR. The final round omits the MixColumns stage. Since each operation is invertible, decryption can be done by performing the inverse of each operation in the opposite order from that for encryption, and using the round keys in the reverse order. 3.4 Exercise – Using AES and MD5 to send a secure message across a network In this exercise, we will use AES to transfer a message securely across a network. We will also use MD5 to ensure the integrity of the message. We will be using a WinXP machine, RedHat 8.0 and RedHat 7.2 machine. The WinXP will transfer data to the RedHat 7.2 machine, and the RedHat 8.0 machine will monitor the traffic using ethereal. We shall transfer a message in plaintext and then in ciphertext and see if we can determine the contents of the message in both situations. The file we will use is called aescrypt2-rc1.tgz and can be downloaded from http://www.cr0.net:8040/code/crypto/aes/ It uses AES to encrypt the message and MD5 to ensure the integrity of the message. It does this by creating a hash of the message and appending that to the message, then encrypting the whole thing (message + hash). 1. Copy the aescrypt2-rc1.tgz file from mnt/nas4112/LabXX to your Window XP machine and theRedHat 7.2 machine. You may need to mount nas4112 in order to do so. On Windows START->RUN Type \\57.35.10.10\secure_class The username and password are both secure_class. Copy/Drag it to your desktop Open up a terminal (Start->Run->Cmd) and navigate to the location where you placed the file. On RH 7.2 # mount /mnt/nas4112/ # password: secure_class # cp /mnt/nas4112/LabXX/aescrypt2-rc1.tgz . On both WindowsXP and R.H 7.2 machines: 12 2. untar aescrypt2-rc1.tgz on RH 7.2 # tar xvfz aescrypt2-rc1.tgz. On Windows, you can use WinZIP. 3. This will create a directory called aescrypt2-rc1 with md5 and aes files in it.(I know it was called aescrypt2-rc1 but it really is aes and md5). 4. cd into the directory # cd aescrypt2-rc1 5. To compile, type “make” (without the quotes) 6. # ./aescrypt2 to see the command line options it takes. It requires: o o o o mode (0 – encrypt, 1 – decrypt) infile (file to encrypt i.e. plaintext) outfile (file to store ciphertext) a key file or key string (which contains the 128, 192, or 256 bit key required for AES) On WindowsXP: 7. Create a file “input.txt” and fill it with the text to encrypt for example: # emacs input.txt type “This is a test which is for AES ece 4112” (without the quotes) 8. The algorithm creates the key by copying up to 256 chars. So we will just create a “key file” and fill it with random characters. Create two key files (key1.txt, key2.txt). Fill free to use whatever random chars you want to fill the 2 key files, as long as they are different. If you have less than 256 chars, the algorithm compensates for you. Create these keys on both machines (in other words, we are assuming that somehow or the other, we were able to distribute the keys before hand). key1.txt fill with 1234567890ABCDEF key2.txt fill with l;ijdsgjlksdajgsadjlgdsljkgdslgsdagsdlsgdagsdlkgdsljkgdsaljslgaj 9. Encrypt the input.txt file (pass in a name for the output/encrypted file. Here we call it output.txt) # ./aescrypt2 0 input.txt output.txt key1.txt 13 10. Start Ethereal on the RedHat 8.0 Machine Set it to promiscuous mode, update packets in real time, and automatic scrolling 11. Run ftp from WinXP1 First, make sure that the ftp server is running on the RH 7.2 machine On RH 7.2 o Use ntsysv and ensure that ftp has a “*” next to it. If not, press spacebar. TAB and OK. Restart ftp by typing /etc/rc.d/init.d/ftpd restart On WindowsXP, # ftp R.H 7.2_IP login with a username/password you had created . ( If not you need to add a user to R.H 7.2 using “useradd” and “passwd” i.e., # useradd ece4112 # passwd ece4112 ) Transfer the plaintext file to the R.H 7.2 machine # put input.txt 12. On RH 8.0, observer the traffic in Ethereal. Can you see the data? Take a screenshot (Screenshot 4) 13. Now transfer the ciphertext file to the R.H 7.2 machine put output.txt 14. On RH 8.0, observe the traffic in Ethereal. Can you see the data? Take a screenshot (Screenshot 5) 15. On R.H 7.2 machine, decrypt the ciphertext (output.txt) # ./aescrypt2 1 output.txt result.txt key1.txt 16. Compare the resulting plaintext file and plain.txt diff plain.txt result.txt If should take you to the next command line prompt indicating that there were no differences. If there were, then it would have shown what line numbers were different as well as what exactly where those differences. If you by chance had diff output lines showing any difference, then perform steps 7 – 16 again. Theoretically, when the algorithm, decrypts a file with a key, it recomputes the hash and sees if it matches the hash that came with the plaintext message, if they are different, then either the keys used for encryption and decryption weren’t the same or the plaintext has been altered with. Now, we shall try and decrypt with a different key and see what happens. On R.H 7.2 machine 17. Decrypt the ciphertext using the second key (key2.txt) # ./aescrypt 2 1 output.txt result.txt key2.txt 14 It should give you an error message saying HMAC check failed (wrong key ?). Now, we shall try and modify the ciphertext and see if it notices On R.H 7.2 machine 18. Open the ciphertext # emacs output.txt 19. Copy all the text in the output.txt and paste it immediately at the end of the text. e.g. if output.txt was “hello” it will now be “hellohello” # cat output.txt output.txt > output.txt 20. Decrypt the ciphertext using the first key (key1.txt – which was the key used during encryption). # ./aescrypt 2 1 output.txt result.txt key1.txt It should give you an error message saying HMAC check failed (wrong key ?). SECTION 4 Public Key Encryption (a.k.a. Asymmetric Encryption) 4.1 More Background In this scheme, each person has two keys; a private key and a public key. The private key is kept secret whereas the public key may be publicly known. Messages are encrypted with the public key and decrypted using the private key (see figure 2 above). Encryption and decryption are thus, two mathematical functions that are inverses of each other. Public key cryptography can also be used to generate a digital signature on a message. A digital signature is a like a checksum or hash on a message, and can only be generated by someone that knows the private key. See Figure PK 1 below. [1] 15 Private Key Plaintext Public Key Signed Message Signing Verification Plaintext Figure PK 1. Digital Signature Why would we need public key signatures? What is wrong with a secret key MAC (a MAC generated using secret key cryptography, and not a Hash)? The reason is because in order for a recipient to verify a MAC they would need to know the same secret that was used to create it. Hence, anyone who can verify a MAC can also generate one. Not only that, they could even substitute a totally different message and corresponding MAC. In the case of public key signatures, one only needs to know the public key in order to verify the signature. So ‘Alice’ can sign a message by generating a signature only she can generate (using her private key), and other people can verify that it is Alice’s signature (with her public key), but no one can forge her signature since only Alice knows her private key. [1] 4.1.1 Uses of Public Key Cryptography Public key cryptography can do anything secret key cryptography can, but is much slower. As a result, it is normally used together with secret key algorithms. Public key cryptography could be used at the beginning of communication for authentication and to establish a temporary shared secret key (a.k.a. a session key). The secret key is then used to encrypt the remainder of the conversation using secret key technology (which is much faster than public key technology). [1] Transmitting Over an Insecure Channel Let Alice’s <public key, private key> pair be <eA, dA> and Bob’s key pair be <eB, dB>. Assume that Alice knows Bob’s public key and Bob knows Alice’s public key. Messages can be transmitted between them as follows: Alice encrypt mA using eB decrypt to mB using dA Bob decrypt to mA using dB encrypt mB using eB Figure PK 2 16 Authentication Public key cryptography can also be used to provide authentication. If Alice knows Bob’s public key, she can verify Bob’s identity by choosing a random number r, encrypting it using Bob’s public key eB, and sending the result to Bob. Bob proves he knows dB by decrypting the message and sending r back to Alice. [1] Alice encrypt r using eB Bob decrypt to r using dB r Figure PK 3. Digital Signatures Public key technology can be used to prove that a message was generated by a particular individual. Bob’s signature for a message m can only be generated by someone with knowledge of Bob’s private key and the signature depends on the contents of m. If m is modified in any way, the signature no longer matches. Digital signatures thus provide two important functionalities: 1. They prove who generated the message, 2. They prove that the message has not been modified in any way by anyone since the message and the matching signature were generated. [1] See Figure PK 1 above for an example. Most public key algorithms are based on modular arithmetic. As a result, we shall study some modular arithmetic in order to understand and appreciate them more. 4.1.2 Modular Arithmetic Modular arithmetic uses integers which are non-negative and less than some n (n > 0), and performs ordinary arithmetic operations (e.g. add, multiply), replacing the result with its remainder divided by n. Such a result is to be modulo n or mod n. “x mod n” means the remainder of x when divided by n. Using mod n, means that the answer would always be between 0 and n-1 e.g. mod 5, means .the answer will always be between 0 and 4. Modular Addition Example using mod 10 addition. 3+5=8 5+5=0 3+9=2 2+3=5 17 An additive inverse of x is the number you add to x to get 0. E.g. the additive inverse of 2 is 8 since in mod 10 arithmetic, 2+8 = 0. So if the secret key were 2, then to encrypt, we add 2 (mod 10) and to decrypt we’d add 8 (mod 10). [1] Modular Multiplication Example using mod 10 multiplication. Some numbers could be considered good ciphers (e.g. 1,3,7,9) because they perform 1-to-1 substitutions of the digits. But other numbers won’t work e.g. 5 (note that 5*2 and 5*4 both map to 0 mod 10, and are thus not unique). In ordinary maths, the multiplicative inverse of x is 1/x. However, mod arithmetic can only have integers (no fractions). As a result, in mod arithmetic, the multiplicative inverse of x (written as x-1) is the number by which you’d multiply x to get 1. In mod 10, only 1,3,7,9 have multiplicative inverses e.g (7 is the multiplicative inverse of 3, 1 and 9 are, there own inverses respectively). Multiplication mod n can be used as a cipher in that we can scramble the digits by multiplying by x and get back the original digits by multiplying by x-1. The Euclid’s Algorithm can be used to efficiently find inverses mod n. Given x and n, it finds y such that x * y mod n = 1 (if such a y exists). A number x has a multiplicative inverse if it is relatively prime to n. If a number x is relatively prime to n, it means that it shares no common factors with n other than 1. That is why in mod 10 arithmetic, 1,3,7, and 9 have multiplicative inverses as they are relatively prime to n. The totient function (from total and quotient), with symbol Ф, is the amount of numbers less than n that are relatively prime to n. If n is a prime, then all the integers >=1 and < n are relatively prime to n i.e. Ф(n) = n-1. If n is a product of 2 distinct primes p and q, then Ф(n) = (p-1)(q-1). [1] Modular Exponentiation Example using mod 10 exponentiation. 56 = 5 mod 10 since 56 = 15625. Sometimes, one might have an exponentiative inverse just like we have a multiplicative inverse. An interesting fact is that xy mod n is equal to x(y mod Ф(n)) mod n. Note: If y = 1 mod Ф(n), then for any number x, xy = x mod n. [1] We shall now talk about two public key schemes: RSA and Diffie-Hellman. 4.2 RSA (Rivest, Shamir and Adleman) RSA does encryption as well as decryption and uses a variable key length (512 bits being the most common). The size of the plaintext block must be smaller than the key length. The process produces a ciphertext block which is the same length as the key. RSA is slower than secret key algorithms and is thus not used for encrypting long messages but rather is used to encrypt a secret key which is then used to encrypt the message via secret key cryptography. [1] RSA Algorithm First of all, one would need to generate a public key and a private key. In order to do this, two large primes p and q would need to be chosen (each 256 bits long), and multiplied to get n. The factors of n (p and q) are kept secret. 18 To generate the public key, choose a number that is relatively prime to Ф(n). Call this number e. Since you know p and q, you know Ф(n) = (p-1)(q-1). Your public key is <e,n>. The private key is generated by finding the number d that is the multiplicative inverse of e mod Ф(n). <d,n> is your private key. To encrypt message m (< n): Ciphertext c = me mod n //done by someone using your public key To decrypt Plaintext m = cd mod n //only done by you Signing: Signature s = md mod n //done by you Verifying Plaintext m = se mod n. //done by someone using your public key Why RSA Works Recall n = pq. Ф(n) = (p-1)(q-1). d and e are chosen such that de = 1 mod Ф(n), since e and d are multiplicative inverses of each other (recall the definition of multiplicative inverse in mod n arithmetic). Therefore for any x, xde = x mod n (recall the Note: under modular exponentiation). Encryption performs xe. Decryption takes that and raises it by d i.e. (xe)d which is the same as x. Similar reasoning can be done for signatures. [1] Why is RSA Secure? The reason is based on the Fundamental Tenet of Cryptography – many smart people have tried, all have failed. The real premise of its security is due to the fact that factoring large numbers is hard. The best-known factoring methods are very slow. Factoring a 512bit number would take pretty much forever right now (~ 30 thousand MIP-years, where MIP – Million Instructions Per second). A better technique would be to wait a few years and then use the best known technique of that time. In other words, if you can factor quickly, you can break RSA. [1] 4.3 Diffie-Hellman This is the oldest public key scheme still in use today. It does neither encryption nor signatures. What it does is allow two individuals to agree on a shared key, by exchanging messages in public. No one else can figure out the secret based on the messages they overhear between the two participants. Neither participant has any secrets to begin with, yet at the end of the exchange (which consists of only 2 messages), they both will know a secret number. Such a secret number can then be used with secret key cryptography like DES for encryption. Diffie-Hellman is therefore used for key establishment. To begin, there are two numbers p and g. p is a large prime number and g < p. Both numbers could be publicly known. Once Alice and Bob agree on p and g, both choose a random 512-bit number and keep it secret. Alice choose random number SA and Bob chooses random number SB. Alice computes TA = gSA and Bob computes TB = gSB i.e. 19 both raise g to their secret number. They exchange Ts. Finally both raise the received T to their secret number. The algorithm is shown below: Alice picks SA at random. Bob picks SB at random Alice computes TA = gSA mod p. Bob computes TB = gSB mod p. They exchange Ts. TA TB. Alice computes TBSA mod p. Bob computes TASB mod p Both come up with the same number because TBSA = (gSB)SA = gSBSA = gSASB = (gSA)SB = TASB mod p It works as a result of the Fundamental Tenet of Cryptography. It is difficult to compute discrete logarithms i.e. figure out SA and SB from seeing only gSA and gSB. Hence no one can calculate gSASB even though they know gSA and gSB. Recall: gSASB is NOT gSA*gSB which would have been gSA+SB. [1] The Bucket Brigade/Man-in-the-Middle Attack Due to the fact that the Diffie-Hellman protocol does not perform authentication, it is susceptible to the bucket brigade/man-in-the-middle attack. In this case, Eve impersonates Alice to Bob and Bob to Alice. Since there is no authentication, Alice and Bob do not know if they are really talking to each other. Assume Eve’s secret is SE and Alice’s and Bob’s keys are SA and SB respectively as described above. The diagram is shown below. Alice gSA Alice sends gSA to “Bob” Eve Bob gSE gSB Eve sends gSE to Alice and Bob sends gSB to “Alice” Bob i.e. both ways Alice and Eve now have shared key KAE Bob and Eve now have shared key KBE i.e. i.e. gSASE = gSESA gSBSE = gSESB Eve can now receive messages from Alice to Bob, decrypt and view them using KAE and then send them to Bob, encrypting the message with KBE. The name bucket brigade attack comes from the way firefighters of old formed a line of people between a water source and a fire, passing buckets of water towards the fire and empty buckets back. However, the term man-in-the-middle has become more common. [1] Q. What are some defenses against Man-in-the-Middle Attack? (hint: think of how you can use another public key scheme to protect this exchange). 4.4 Exercise – Using PGP to transfer secure mail across a network PGP – pretty good privacy, uses public key encryption to securely transmit email across a network. We shall use it to demonstrate the difference between encrypted and unencrypted mail. We shall be using the two WinXP machines to send emails to each other. 20 Do the following for both your WinXP machines. 1. Select Start->Run Type \\57.35.10.10\secure_class The username and password are both secure_class. Copy the /LabXX/ PGP810-PF-W.zip to your WinXP machine. (You could download the zip file from http://www.pgp.com/downloads/freeware/index.html ) 2. Unzip PGP810-PF-W.zip to any folder as you wish. Go to that folder. 3. Double click on the PGP8 .exe file to extract files to a folder as you wish. Go to that folder, double click PGP8 .exe to install PGP software. 4. Choose “ No, I’m a new user”. 5. Accept the destination folder. 6. Select PGPdisk Volume Security and PGPmail for Microsoft Outlook Express. 7. You will be asked to restart your WinXP machine. Please proceed. Now, you need to set up a pair of private and public keys for each WinXP machine; we assume that each WinXP machine is for a user, who has an email address. Do the following for both your WinXP machines. 1. Click the “PGPtray” (an icon of a lock) located at the right bottom corner, select PGPkeys. You shall see the PGPkeys window appearing. 2. Under the file, you shall see a key icon (“Generate new keypair”); click it and the PGP Key Generation Wizard would appear. Click “Next”. 3. Use your group name (e.g, Group 34) as the name and type in the email address group34@crypto.com, where xx is your group number. (Use your group name plus100 (e.g, Group 134) as the name and type in the email address group134@crypto.com for the second WinXP machine.) 4. Uncheck the “Hide Typing”. Make up a phrase in “Pssphrase” and “Confirmation. Use a different phrase for another WinXP machine. Please remember the phrases. 5. Now, a pair of keys should be generated. (You should see the created keys in the PGPkeys window) 6. Now, you need to configure your Outlook Express as an email client. Please see the Appendix for instructions and use the email addresses described in Step 3 accordingly 7. Now, we need to exchange the public keys. In practice, a Certificate Authority (CA) defined in a Public Key Infrastructure (PKI) should handle the exchange of public keys. Here, we will use the most straightforward way; each user (WinXP machine) sends via emails his/her public key to another user (WinXP machine) Now, in the PGPkeys window, click “Server”, choose “Sendto” then “Mail Recipient”. An outgoing email should be created, and your public key is 21 automatically attached as an attachment (Groupxx.asc file). Just fill in the recipient email address (the email address of another WinXP machine). Then send that email. 8. Now, you will need to import the public key that you received to the PGP software on each WinXP machine. Once you receive the email sent from another WinXP machine; save the attachment (*.asc file) anywhere as you wish. In PGPkeys window, click “Keys” then “Import”, find the key that you just saved then click “Import”. By now, each WinXP machine should have the public key of another WinXP machine. 9. Now you can send an email, which will be signed by your private key and encrypted by the recipient’s public key. 10. Now, create an outgoing email. Just make up something in the message body and use the email address of another WinXP machine as the recipient address. Click “ the “PGPtray” now and choose “Current Window” (Note, you need to leave the cursor inside the window of message body) then choose “Encrypt&Sign”. First the “PGPtray-Krey Selection Dialog” window will appear. Drag the user (actually the user’s public key that you like to use for encryption) to the recipient lists. Second, you will be asked to select the signing key and its corresponding passphrase (You were asked to remember it). Once you are done, you should see the encrypted and signed message. Then send it. Take a ScreenShot that shows the encrypted and signed messages. (Screenshot 6). Now, after WinXP should receive that message. You will need to decrypt and verify it. Click “ the “PGPtray” now and choose “Current Window” (Note, you need to leave the cursor inside the window of message body) then choose “Decrypt&Verify”. Take a ScreenShot that shows the encrypted and signed message. (Screenshot 7). References 1. Kaufman, Charlie, Radia Perlman, and Mike Speciner. Network Security PRIVATE communication in a PUBLIC world. Upper Saddle River, NJ: Prentice Hall PTR, 2002. 2. Pfleeger, Shari L., and Charles P. Pfleeger. Security in Computing. Upper Saddle River, NJ: Prentice HALL PTR, 2003. 3. Original 1994 USENET post of alleged RC4 source: http://groups.google.com/groups?selm=sternCvKL4B.Hyy%40netcom.com 22 Answer Sheet Lab XX Group Number: _______________ Member Names: _________________________ _________________________ Prelab Questions Pre-lab Question 1: Decrypt the following ciphertext using the Caesar Cipher: ZHOFRPH WR WKH UHDO ZRUOG Pre-lab Question 2: Decrypt the following ciphertext using columnar transposition: (hint: the plaintext is in 6 columns) UUYCOT TYEIOF NNNALT ROTTUX FAONDH IUOFRX OTOBWE XHSOSX RENEHM IAEREX TLETAA SVEYLX 23 Section 3: Private Key Encryption (a.k.a. Symmetric Encryption) Question 1: In the procedure you just followed, what is the primary weakness of this confidential transfer of information? Section 4: Public Key Encryption (a.k.a. Asymmetric Encryption) Q. What are some defenses against Man-in-the-Middle Attack? (hint: think of how you can use another public key scheme to protect this exchange). 24 How long did it take you to complete this lab? Was it an appropriate length lab? What corrections and or improvements do you suggest for this lab? You may cross out and edit the text of the lab on previous pages to make corrections. What corrections and or improvements do you suggest for this lab? Please be very specific and if you add new material give the exact wording and instructions you would give to future students in the new lab handout. You need to be very specific and provide details. You need to actually do the suggested additions in the lab and provide solutions to your suggested additions. Caution as usual: only extract and use the tools you downloaded in the safe and approved environment of the network security laboratory. 25 Turn-in Checklist You need to turn in. Screenshot 1~7 Answer Sheet Any corrections or additions to the lab. 26 Appendix Configuring MS Outlook Express to use the Mail Server Start your XP machine (XP1) and click on Email from the start menu. If the setup wizard comes up continue from below, otherwise start it by selecting Tools->Accounts->Mail and clicking on the Add->Mail button. Type in your group number as the name. (e.g. Group 34) Type in the email address as groupxx@crypto.com where xx is your group number. Set both the incoming and outgoing servers as mail.crypto.com You username should be “groupxx”, where xx is your group number. The password is “secure_class”. You can keep the “Remember password” button selected. Click Next and then Finish. Before you can use the mail server, you need to specify a DNS server so that it can resolve mail.crypto.com. To do this follow the steps below. Click Start -> Control Panel -> Network and Internet Connections Click on Network Connections at the bottom. Right Click on local area connections Properties Select TCP/IP Properties For the DNS server, type in “57.35.7.254”. This is the address of the DNS server for your domain. Click OK and exit Now go back to Outlook Express and click on Send/Receive. The server might be quite slow, so it will take some time to download your mail. Download the mail and follow the instructions. 27
