crypto_pres

advertisement
Introduction to
Security
Attacks
Interception (eavesdropping):
unauthorized party gains access to service
or data
 Interruption (denial of service attack):
services or data become unavailable
 Modification: unauthorized party changes
the data or tampers with the service
 Fabrication: unauthorized party generates
additional data or activity

Cryptography
Given credit where it is due

Most slides are from B. A. Miller at Mount Allison
University, Kenneth Chiu at SUNY Binghamton,
and Daniel M. Zimmerman at CALTECH

Some slides are from Scott Shenker and Ion
Stoica at University of California, Berkeley and
Ariel J. Frank at Bar-Ilan University

I modified and added some slides
What is cryptography?
kryptos – “hidden”
 grafo – “write”


Keeping messages secret
 Usually
by making the message unintelligible
to anyone that intercepts it
The Problem
Private Message
Bob
Alice
Eavesdropping
Eve
The Solution
Private Message
Private Message
Encryption
Decryption
Scrambled Message
Bob
Alice
Eavesdropping
Eve
What do we need?
Bob and Alice want to be able to
encrypt/decrypt easily
 But no one else should be able to decrypt
 How do we do this?

 Keys!
Using Keys
Nonsense
Encryption
Plaintext
Ciphertext
Decryption
Plaintext
The Shift Cipher

We “shift” each letter over by a certain
amount
Plaintext
five red balloons
Key = 3
f+3=I
i+3=L
v+3=Y
…
Encryption
ILYH UHG EDOORRQV Ciphertext
The Shift Cipher cont.

To decrypt, we just subtract the key
ILYH UHG EDOORRQV Ciphertext
Key = 3
I-3=f
L-3=i
Y-3=v
…
five red balloons
Decryption
Plaintext
What’s wrong with the shift cipher?
Not enough keys!
 If we shift a letter 26 times, we get the
same letter back

A
shift of 27 is the same as a shift of 1, etc.
 So we only have 25 keys (1 to 25)

Eve just tries every key until she finds the
right one
The Substitution Cipher
Plaintext

Rather than having a
fixed shift, change
every plaintext letter
to an arbitrary
ciphertext letter
a
b
c
d
e
…
z
Ciphertext
G
X
N
S
D
…
Q
The Substitution Cipher cont.
Key =
a
G
n
B
b
X
o
Y
c
N
p
Z
d
S
q
P
e
D
r
H
f
A
s
W
g
F
t
I
h
V
u
J
i
L
v
R
j
M
w
U
k
C
x
K
l
O
y
T
m
E
z
Q
five red balloons
f =A
i =L
v =R
…
Plaintext
Encryption
ALRD HDS XGOOYYBW Ciphertext
The Substitution Cipher cont.

To decrypt we just look up the ciphertext letter in
the table and then write down the matching
plaintext letter

How many keys do we have now?
A
key is just a permutation of the letters of the
alphabet
 There are 26! permutations

403291461126605635584000000
Frequency Analysis

In English (or any language) certain letters are
used more often than others

If we look at a ciphertext, certain ciphertext
letters are going to appear more often than
others

It would be a good guess that the letters that
occur most often in the ciphertext are actually
the most common English letters
Letter Frequency



This is the letter
frequency in
English
The most
common letter
is ‘e’ by a large
margin,
followed by ‘t’,
‘a’, and ‘o’
‘J’, ‘q’, ‘x’, and
‘z’ hardly occur
at all
Frequency Analysis in Practice

Suppose this is our ciphertext
 dq
lqwurgxfwlrq wr frpsxwlqj surylglqj d eurdg vxuyhb
ri wkh glvflsolqh dqg dq lqwurgxfwlrq wr surjudpplqj.
vxuyhb wrslfv zloo eh fkrvhq iurp: ruljlqv ri frpsxwhuv,
gdwd uhsuhvhqwdwlrq dqg vwrudjh, errohdq dojheud,
gljlwdo orjlf jdwhv, frpsxwhu dufklwhfwxuh,
dvvhpeohuv dqg frpslohuv, rshudwlqj vbvwhpv,
qhwzrunv dqg wkh lqwhuqhw, wkhrulhv ri
frpsxwdwlrq, dqg duwlilfldo lqwhooljhqfh.
0.12
Relative Frequency
0.1
0.08
0.06
0.04
0.02
0
a b c d e f g h i j k l m n o p q r s t u v w x y z
Letter
Ciphertext distribution
English distribution
In our ciphertext we have one letter that occurs more often than any other (h), and
6 that occur a good deal more than any others (d, l, q, r, u, and w)
There is a good chance that h corresponds to e, and d, l, q, r, u, and w correspond
to the 6 next most common English letters
Frequency Analysis cont.

If we replace ‘e’ with ‘h’ and the 6 next most
common letters with their matches, the
ciphertext becomes
 an
intro???tion to ?o?p?tin? pro?i?in? a ?roa? ??r?e?
o? t?e ?i??ip?ine an? an intro???tion to pro?ra??in?.
??r?e? topi?? ?i?? ?e ??o?en ?ro?: ori?in? o?
?o?p?ter?, ?ata repre?entation an? ?tora?e, ?oo?ean
a??e?ra, ?i?ita? ?o?i? ?ate?, ?o?p?ter ar??ite?t?re,
a??e???er? an? ?o?pi?er?, operatin? ???te??,
net?or?? an? t?e internet, t?eorie? o? ?o?p?tation,
an? arti?i?ia? inte??i?en?e.
Classical to Modern Cryptography

Classical cryptography
 Encryption/decryption

done by hand
Modern cryptography
 Computers
to encrypt and decrypt
 Same principles, but automation allows
ciphers to become much more complex
The Enigma Machine


German
encryption and
decryption
machine used in
WWII
Essentially a
complex,
automated
substitution cipher
How did Enigma work?

Rotors have different
wiring connecting input
to output

Rotors move after each
keypress

The key is the initial
position of the three
rotors
Breaking the Enigma



Britain set up its cryptanalysis team in
Bletchley Park
They consistently broke German codes
throughout the war
Important location in the history of computing


Alan Turing
COLOSSUS
Cryptography in the Computer Age

Working with binary instead of letters

We can do things many, many times
of an Enigma machine that has 2128 pairs of
symbols on each rotor, and 20 rotors
 Think

Other than that, the basic principles are the
same as classical cryptography
Modern Ciphers

We design one relatively simple scrambling method
(called a round) and repeat it many times



Think of each round as a rotor on the Enigma
One round may be easy to break, but when you put them all
together it becomes very hard
Almost all ciphers follow one of two structures



SPN (Substitution Permutation Network)
Feistel Network (basis for DES)
These describe the basic structure of a round
Modern Ciphers in Practice

Follow SPN/Feistel structure in general,
but with added twists for security

There are two important ciphers in the
history of modern cryptography
 DES
(Data Encryption Standard)
 AES (Advanced Encryption Standard)
DES
U.S. Government recognized the need to
have a standardized cipher for secret
documents
 DES was developed by IBM in 1976
 Analysis of DES was the beginning of
modern cryptographic research

Breaking DES

The key length of DES was too short
 If
a key is 56 bits long, that means there are
256 possible keys
 “DES Cracker” machines were designed to
simply try all possible keys
Increase key length to 128 bit
 Triple DES

Breaking DES cont.

DES was further weakened by the discovery of
differential cryptanalysis
 Biham
and Shamir in 1990; The most significant
advance in cryptanalysis since frequency analysis

Ideally a ciphertext should be completely random,
there should be no connection to its matching
plaintext
 Differential
analysis exploits the fact that this is never
actually the case; Uses patterns between plaintext and
ciphertext to discover the key
Developing the AES

With DES effectively broken, a new standard
was needed

In 2001, the Rijndael cipher was selected to
become the Advanced Encryption Standard
The Problem of Symmetric Key
Cryptography

Up until now we’ve been talking about symmetric
key cryptography
 Alice
and Bob are using the same key to
encrypt/decrypt

Problem: How does Bob get the key to Alice
when Eve is eavesdropping?

Up until 1976 the only solution was to physically
give Alice the key in a secure environment
Public Key Cryptography



Diffie and Hellman published a paper in 1976
providing a solution
We use one key for encryption (the public key),
and a different key for decryption (the private
key)
Everyone knows Alice’s public key, so they can
encrypt messages and send them to her
 But

only Alice has the key to decrypt those messages
No one can figure out Alice’s private key even if
they know her public key
Using Public Keys
Nonsense
Encryption
Plaintext
Ciphertext
Decryption
Plaintext
Public Key Cryptography in
Practice

The problem is that public key algorithms are too
slow to encrypt large messages
 Instead
Bob uses a public key algorithm to send Alice
the symmetric key, and then uses a symmetric key
algorithm to send the message

The best of both worlds!
 Security
of public key cryptography
 Speed of symmetric key cryptography
Sending a Message
What’s your public key?
Bob picks a
symmetric key and
encrypts it using
Alice’s public key
Alice decrypts the
symmetric key using her
private key
Then sends the
key to Alice
Bob encrypts his
message using
the symmetric
key
Then sends the
message to
Alice
hi
Alice decrypts the
message using the
symmetric key
The RSA Public Key Cipher

The most popular public key cipher is RSA, developed in
1977


Named after its creators: Rivest, Shamir, and Adleman
Uses the idea that it is really hard to factor large
numbers




Create public and private keys using two large prime numbers
Then forget about the prime numbers and just tell people their
product
Anyone can encrypt using the product, but they can’t decrypt
unless they know the factors
If Eve could factor the large number efficiently she could get the
private key, but there is no known way to do this
Public-Key Cryptography: RSA (Rivest,
Shamir, and Adleman)

Sender uses a public key
- Advertised to everyone

Receiver uses a private key
Plaintext
Plaintext
Encrypt with
public key
Internet
Decrypt with
private key
Ciphertext
38
Generating Public and Private Keys





Choose two large prime numbers p and q (~ 256 bit
long) and multiply them: n = p*q
Chose encryption key e such that e and (p-1)*(q-1)
are relatively prime
Compute decryption key d, where
d = e-1 mod ((p-1)*(q-1))
(equivalent to d*e = 1 mod ((p-1)*(q-1)))
Public key consist of pair (n, e)
Private key consists of pair (n, d)
39
RSA Encryption and Decryption

Encryption of message block m:
- c = me mod n

Decryption of ciphertext c:
- m = cd mod n
40
Example (1/2)

Choose p = 7 and q = 11  n = p*q = 77

Compute encryption key e: (p-1)*(q-1) = 6*10 = 60 
chose e = 13 (13 and 60 are relatively prime numbers)

Compute decryption key d such that 13*d = 1 mod 60 
d = 37 (37*13 = 481)
41
Example (2/2)

n = 77; e = 13; d = 37

Send message block m = 7

Encryption: c = me mod n = 713 mod 77 = 35

Decryption: m = cd mod n = 3537 mod 77 = 7
42
Properties


Confidentiality
A receiver B computes n, e, d, and sends out (n, e)
- Everyone who wants to send a message to B uses (n, e) to
encrypt it



How difficult is to recover d ? (Someone that can do
this can decrypt any message sent to B!)
Recall that
d = e-1 mod ((p-1)*(q-1))
So to find d, you need to find primes factors p and q
- This is provable very difficult
43
RSA Factoring Challenge

RSA-768 has 232 decimal digits and was factored on
December 12, 2009. It’s the largest factored RSA
number to date.

RSA-2048 may not be factorizable for many years to
come, unless considerable advances are made in
integer factorization or computational power in the
near future.
44
RSA Factoring Challenge

Suppose, for example, that in the year 2020 a
factorization of RSA-1024 is announced that requires 6
months of effort on 100,000 workstations. In this
hypothetical situation, would all 1024-bit RSA keys
need to be replaced?
- The answer is no. If the data being protected needs security
for significantly less than six months, and its value is
considerably less than the cost of running 100,000
workstations for that period, then 1024-bit keys may continue
to be used.
45
So Far: The Problem
Private Message
Bob
Alice
Eavesdropping
Eve
46
Private Message
So Far: The Solution
Encryption
Private Message
Decryption
Scrambled Message
Bob
Alice
Eavesdropping
Eve
47
Other Security Problems
- Are you who you say you are?
• Authentication
- How does Bob know that he’s really talking to Alice?
- How does Alice know the message was sent by Bob?
• Mutual authentication
- How does Alice know that the message she receives
hasn’t been tampered with?
• Message Integrity
48
Secure Channels

Can you have authentication without message integrity?
- I know that Bob sent the message, but someone may have
tampered with it.
- I know that no one tampered with it, but I don’t know whether or
not it was really Bob who sent it.
- Authentication & message integrity cannot do without each other !
• Set-up phase precedes message exchange
• Session keys to ensure message integrity
49
Notation for Cryptography
Notation Description
KA, B
Secret key shared by A and B
K A
Public key of A
K A
Private key of A
50
Authentication Using Public-Key
Cryptography
- How does Bob know that he’s really talking to Alice?
- How does Alice know the message was sent by Bob?
• Mutual authentication
KA+, KB+: public keys
KB
+(A,
RA)
2 KA+(RA, RB,KA,B)
3
?
Bob
1
Alice

KA,B(RB)
51
Authentication Using Public-Key
Cryptography
KA+, KB+: public keys
Alice
1
KB+(A, RA)
2 KA+(RA, RB,KA,B)
3

Bob

KA,B(RB)
What if KB+ is faked?
52
Security Management

Problem: how do you get keys in the first place?

Key distribution: securely associate an entity with a key
- Example: Public Key Infrastructure (PKI), a system that manages
public key distribution on a wide-scale

Key establishment: establish session keys
- Use public key cryptography (we already know how to do it)
53
Components of a PKI
54
Digital Certificate

Signed data structure that binds an entity (E) with its
corresponding public key (KE+)
- Signed by a recognized and trusted authority, i.e.,
Certification Authority (CA)
- Provide assurance that a particular public key belongs to a
specific entity

How?
- CA generates KCA-(E, KE+)
- Everyone can verify signature using KCA+
55
Certification Authority (CA)


People, processes responsible for creation, delivery
and management of digital certificates
Organized in a hierarchy (use delegation – see
next)
Root CA
CA-1
CA-2
56
Registration Authority

People, processes and/or tools that are responsible
for
- Authenticating the identity of new entities (users or
computing devices)
- Requiring certificates from CA’s.
57
Certificate Repository

A database which is accessible to all users of a PKI,
contains:
- Digital certificates,
- Certificate revocation information
- Policy information
58
Example

Alice generates her own key pair.
private key
Alice
public key
Alice
 Bob generates his own key pair.
private key
Bob
public key
Bob
 Both sent their public key to a CA and receive a digital
certificate
59
Example

Alice gets Bob’s public key from the CA
private key
Alice

Bob gets Alice’s public key from the CA
private key
Bob
60
Certificate Revocation


Process of publicly announcing that a certificate has been
revoked and should no longer be used.
Approaches:
- Use certificates that automatically time out
- Use certificate revocation list
61
More on Secure Channels

In addition to authentication, a secure channel also
requires that messages are confidential, and that they
maintain their integrity.
62
More on Secure Channels

For example: Alice needs to be sure that Bob cannot
change a received message and claim it came from her.
And Bob needs to be sure that he can prove the message
was sent by/from Alice, just in case she decides to deny
ever having sent it in the first place.

Solution: Digital Signing.
?
63
Digital Signatures



Digital signing a message using public-key
cryptography.
This is implemented in the RSA technology.
Note: the entire document is encrypted/signed this can sometimes be a costly overkill.
64
Message Digest (MD) 5

Can provide data integrity and non-repudiation
- Used to verify the authentication of a message


Idea: compute a hash on the message and send it along
with the message
Receiver can apply the same hash function on the message
and see whether the result coincides with the received hash
65
Message Digest Operation

Transformation contains complex operations
Initial digest
(constant)
Message (padded)
512 bits 512 bits
512 bits
Transformation
Transformation
..
.
Transformation
Message digest
66
Digital Signature

In practice someone cannot alter the message without modifying the
digest
- Digest operation very hard to invert


Encrypt digest with sender’s private key
KA-, KA+: private and public keys of A
67
Access Control
Access Control



Once a client and a server have established a secure
channel, the client can issue requests to the server
Requests can only be carried out if the client has
sufficient access rights
The verification of access rights is access control, and
the granting of access rights is authorization

These two terms are often used interchangeably
The Basic Model for Access Control


This model is generally used to help understand the
various issues involved in access control
The subject issues requests to access the object, and
protection is enforced by a reference monitor that
knows which subjects are allowed to issue which
requests
Access Control Matrix



The access control matrix is a matrix with each
subject represented by a row, and each object
represented by a column
The entry M[s, o] lists the operations that subject s
may carry out on object o
?
Of course, we don’t really want to implement it as
a matrix in any system of reasonable size, because
there would be a whole lot of wasted space…
71
Access Control Matrix

There are two main approaches that are used
instead of an actual matrix:


Each object can maintain a list, the access control list, of
the access rights of subjects that want to access that
object - this effectively distributes the matrix columnwise, leaving out empty entries
Each subject can maintain a list of capabilities for each
object - this effectively distributes the matrix row-wise,
leaving out empty entries

Of course, capabilities can’t be totally maintained by the
subjects - they must be given to the subjects by some other
trusted entity (like the reference monitor)
72
Access Control Lists vs. Capabilities
73
Access Matrix
Access Control List
Capability Lists
Protection Domains



ACLs and capabilities help to efficiently implement
the access control matrix, but can still become
quite cumbersome
A protection domain is a set of (object, access
rights) pairs, where each pair specifies for a given
object exactly what operations can be carried out
By associating a protection domain with each
request, we can cut down on redundant
information in access control lists
77
Protection Domains


One approach to using protection domains is to
construct groups of users
Another approach is to use roles instead of groups

Roles: head of a department, manager of a project,
member of a personnel search committee
78
Authorization Management
79
Authorization Management

Granting authorization rights

Related with access control which verifies access rights
80
Capabilities (1)

How to grant a capability?

How to verify a capability?
81
Capabilities (2)

Capability:
- Unforgeable data structure for a specific resource R
- Specify access right the holder has with respect to R

An example:
48 bits
24 bits
8 bits
48 bits
Server port
Object
Rights
Check
82
Capabilities (3)
Owner

Generation of a restricted capability from an owner capability
83
Delegation: Motivation Example

A user Alice has read-only access rights on a large file F

Alice wants to print F on printer P no earlier than 2am
- Method A: Alice sends the entire file F to the printer P;
- Method B: Alice passes the file name to P and printer P copies the
file F to its spooling directory when F is actually needed.
- For method B, Alice needs to delegate her read-only access rights
on F to printer P
84
Delegation: Neuman Scheme

The general structure of a proxy as used for delegation:
85
Delegation: Neuman Scheme

Using a proxy to delegate and prove ownership of access
rights

In practice S+proxy, S-proxy can be a public-private key pair
and N can be a nonce
86
Appendix
87
Shared Secret Key
Authentication

Suppose Alice and Bob share a secret key (KA, B). How can
they setup a secure channel over an insecure medium?
88
1.
2.
3.
4.
5.
Alice sends her identity to Bob.
Bob sends a challenge (random number).
Alice must encrypt and return.
Alice then sends a challenge to Bob.
Bob must encrypt and return.
An Optimization

Authentication based on a shared secret key, but
using three instead of five messages.
Chuck…er…Alice
Attack Attempt




?
Chuck tries to pretend to be Alice.
He sends the initial message to Bob.
Bob responds with the encrypted challenge, but then his own challenge.
Chuck cannot properly respond to the challenge because he doesn’t have
the key.
Reflection Attack

Lesson: never encrypt anything without knowing
who you are encrypting it for.
92
Key Distribution Centers

If there are N parties using shared secret keys, how many
keys are needed?

Alternative is to use a trusted KDC. It has a shared key with
every host.
93
Key Distribution Centers

Disadvantage is that Bob has to get into the loop first.
94
Tickets


Using a ticket and letting Alice set up a connection
to Bob.
Vulnerable to replay attacks if Chuck gets hold on
KB,KDCold
95
Authentication using KDC
(Needham-Schroeder Protocol)
- Nonce: random number used only once to relate two messages
RA1,A,B
2 KA,KDC(RA1,B,KA,B, KB,KDC(A,KA,B))
3
KA,B(RA2), KB,KDC(A, KA,B)
4
KA,B(RA2-1, RB)
5
KA,B(RB-1)
Bob
1
KDC

Relate messages 1 and 2: use challenge response mechanism
RA1, RA2, RB: nonces
Alice

96
What if RA1 is Missing?
Assume Chuck intercepted
KA,KDC(B,KA,B, KB,KDCold(A,KA,B))
(replayed message)
3
KA,B(RA2), KB,KDCold(A, KA,B)
4
KA,B(RA2-1, RB)
5
KA,B(RB-1)
Here Chuck
gets KA,B !
Bob (KB,KDC)
2
A,B
Chuck (KB,KDCold)
1
KDC
- KA,KDC(B,KA,B, KB,KDCold(A,KA,B))
- Knows KB,KDCold
Alice

97
Authentication using KDC
(Needham-Schroeder Protocol)
RA1,A,B
2 KA,KDC(RA1,B,KA,B, KB,KDC(A,KA,B))
3
KA,B(RA2), KB,KDC(A, KA,B)
4
KA,B(RA2-1, RB)
5
KA,B(RB-1)
Bob
1
KDC
Why do we need to include B in message 2?
Alice

98
What if B is Missing from Message 2?
RA1,A,B
2
KA,KDC(RA1,KA,C, KC,KDC(A,KA,C))
3
KA,C(RA2), KC,KDC(A, KA,C)
4
KA,C(RA2-1, RB)
5
KA,C(RB-1)
RA1,A,C
Bob (KB,KDC)
Alice
1
KDC
Assume Chuck intercepts message 1
Chuck

Here Chuck
gets KA,C !
99
Authentication using KDC
(Needham-Schroeder Protocol)
RA1,A,B
2 KA,KDC(RA1,B,KA,B, KB,KDC(A,KA,B))
3
KA,B(RA2), KB,KDC(A, KA,B)
4
KA,B(RA2-1, RB)
5
KA,B(RB-1)
Bob
1
KDC
Vulnerable to replay attacks if Chuck gets hold on KA,B
Alice

100
What if Chuck gets KA,B?
Assume Chuck intercepted
RA1,A,B
Chuck (KA,B)
2 KA,KDC(RA1,B,KA,B, KB,KDC(A,KA,B))
3
KA,B(RA2), KB,KDC(A, KA,B)
Bob
1
KDC
- KA,B(RA2), KB,KDC,(A,KA,B)
- Knows KA,B
Alice

(replayed message)
4
KA,B(RA2-1, RB)
5
KA,B(RB-1)
101
Defend Against leaking of KA,B
A
2
KB,KDC(RB1)
3
RA1,A,B, KB,KDC(RB1)
4 KA,KDC(RA1,B,KA,B, KB,KDC(A,KA,B,RB1))
5
KA,B(RA2), KB,KDC(A, KA,B,RB1)
6
KA,B(RA2-1, RB2)
7
KA,B(RB2-1)
Bob
1
KDC

Message 5 (former 3) contains an encrypted nonce (KB,KDC(RB1)) provided
by Bob.
Chuck can no longer simply replay message 5 (former 3) to fool Bob,
cause message 5 is now related to message 2 by including nonce RB1.
Alice

102
Related documents
Download