advertisement

Introduction to Security Attacks Interception (eavesdropping): unauthorized party gains access to service or data Interruption (denial of service attack): services or data become unavailable Modification: unauthorized party changes the data or tampers with the service Fabrication: unauthorized party generates additional data or activity Cryptography Given credit where it is due Most slides are from B. A. Miller at Mount Allison University, Kenneth Chiu at SUNY Binghamton, and Daniel M. Zimmerman at CALTECH Some slides are from Scott Shenker and Ion Stoica at University of California, Berkeley and Ariel J. Frank at Bar-Ilan University I modified and added some slides What is cryptography? kryptos – “hidden” grafo – “write” Keeping messages secret Usually by making the message unintelligible to anyone that intercepts it The Problem Private Message Bob Alice Eavesdropping Eve The Solution Private Message Private Message Encryption Decryption Scrambled Message Bob Alice Eavesdropping Eve What do we need? Bob and Alice want to be able to encrypt/decrypt easily But no one else should be able to decrypt How do we do this? Keys! Using Keys Nonsense Encryption Plaintext Ciphertext Decryption Plaintext The Shift Cipher We “shift” each letter over by a certain amount Plaintext five red balloons Key = 3 f+3=I i+3=L v+3=Y … Encryption ILYH UHG EDOORRQV Ciphertext The Shift Cipher cont. To decrypt, we just subtract the key ILYH UHG EDOORRQV Ciphertext Key = 3 I-3=f L-3=i Y-3=v … five red balloons Decryption Plaintext What’s wrong with the shift cipher? Not enough keys! If we shift a letter 26 times, we get the same letter back A shift of 27 is the same as a shift of 1, etc. So we only have 25 keys (1 to 25) Eve just tries every key until she finds the right one The Substitution Cipher Plaintext Rather than having a fixed shift, change every plaintext letter to an arbitrary ciphertext letter a b c d e … z Ciphertext G X N S D … Q The Substitution Cipher cont. Key = a G n B b X o Y c N p Z d S q P e D r H f A s W g F t I h V u J i L v R j M w U k C x K l O y T m E z Q five red balloons f =A i =L v =R … Plaintext Encryption ALRD HDS XGOOYYBW Ciphertext The Substitution Cipher cont. To decrypt we just look up the ciphertext letter in the table and then write down the matching plaintext letter How many keys do we have now? A key is just a permutation of the letters of the alphabet There are 26! permutations 403291461126605635584000000 Frequency Analysis In English (or any language) certain letters are used more often than others If we look at a ciphertext, certain ciphertext letters are going to appear more often than others It would be a good guess that the letters that occur most often in the ciphertext are actually the most common English letters Letter Frequency This is the letter frequency in English The most common letter is ‘e’ by a large margin, followed by ‘t’, ‘a’, and ‘o’ ‘J’, ‘q’, ‘x’, and ‘z’ hardly occur at all Frequency Analysis in Practice Suppose this is our ciphertext dq lqwurgxfwlrq wr frpsxwlqj surylglqj d eurdg vxuyhb ri wkh glvflsolqh dqg dq lqwurgxfwlrq wr surjudpplqj. vxuyhb wrslfv zloo eh fkrvhq iurp: ruljlqv ri frpsxwhuv, gdwd uhsuhvhqwdwlrq dqg vwrudjh, errohdq dojheud, gljlwdo orjlf jdwhv, frpsxwhu dufklwhfwxuh, dvvhpeohuv dqg frpslohuv, rshudwlqj vbvwhpv, qhwzrunv dqg wkh lqwhuqhw, wkhrulhv ri frpsxwdwlrq, dqg duwlilfldo lqwhooljhqfh. 0.12 Relative Frequency 0.1 0.08 0.06 0.04 0.02 0 a b c d e f g h i j k l m n o p q r s t u v w x y z Letter Ciphertext distribution English distribution In our ciphertext we have one letter that occurs more often than any other (h), and 6 that occur a good deal more than any others (d, l, q, r, u, and w) There is a good chance that h corresponds to e, and d, l, q, r, u, and w correspond to the 6 next most common English letters Frequency Analysis cont. If we replace ‘e’ with ‘h’ and the 6 next most common letters with their matches, the ciphertext becomes an intro???tion to ?o?p?tin? pro?i?in? a ?roa? ??r?e? o? t?e ?i??ip?ine an? an intro???tion to pro?ra??in?. ??r?e? topi?? ?i?? ?e ??o?en ?ro?: ori?in? o? ?o?p?ter?, ?ata repre?entation an? ?tora?e, ?oo?ean a??e?ra, ?i?ita? ?o?i? ?ate?, ?o?p?ter ar??ite?t?re, a??e???er? an? ?o?pi?er?, operatin? ???te??, net?or?? an? t?e internet, t?eorie? o? ?o?p?tation, an? arti?i?ia? inte??i?en?e. Classical to Modern Cryptography Classical cryptography Encryption/decryption done by hand Modern cryptography Computers to encrypt and decrypt Same principles, but automation allows ciphers to become much more complex The Enigma Machine German encryption and decryption machine used in WWII Essentially a complex, automated substitution cipher How did Enigma work? Rotors have different wiring connecting input to output Rotors move after each keypress The key is the initial position of the three rotors Breaking the Enigma Britain set up its cryptanalysis team in Bletchley Park They consistently broke German codes throughout the war Important location in the history of computing Alan Turing COLOSSUS Cryptography in the Computer Age Working with binary instead of letters We can do things many, many times of an Enigma machine that has 2128 pairs of symbols on each rotor, and 20 rotors Think Other than that, the basic principles are the same as classical cryptography Modern Ciphers We design one relatively simple scrambling method (called a round) and repeat it many times Think of each round as a rotor on the Enigma One round may be easy to break, but when you put them all together it becomes very hard Almost all ciphers follow one of two structures SPN (Substitution Permutation Network) Feistel Network (basis for DES) These describe the basic structure of a round Modern Ciphers in Practice Follow SPN/Feistel structure in general, but with added twists for security There are two important ciphers in the history of modern cryptography DES (Data Encryption Standard) AES (Advanced Encryption Standard) DES U.S. Government recognized the need to have a standardized cipher for secret documents DES was developed by IBM in 1976 Analysis of DES was the beginning of modern cryptographic research Breaking DES The key length of DES was too short If a key is 56 bits long, that means there are 256 possible keys “DES Cracker” machines were designed to simply try all possible keys Increase key length to 128 bit Triple DES Breaking DES cont. DES was further weakened by the discovery of differential cryptanalysis Biham and Shamir in 1990; The most significant advance in cryptanalysis since frequency analysis Ideally a ciphertext should be completely random, there should be no connection to its matching plaintext Differential analysis exploits the fact that this is never actually the case; Uses patterns between plaintext and ciphertext to discover the key Developing the AES With DES effectively broken, a new standard was needed In 2001, the Rijndael cipher was selected to become the Advanced Encryption Standard The Problem of Symmetric Key Cryptography Up until now we’ve been talking about symmetric key cryptography Alice and Bob are using the same key to encrypt/decrypt Problem: How does Bob get the key to Alice when Eve is eavesdropping? Up until 1976 the only solution was to physically give Alice the key in a secure environment Public Key Cryptography Diffie and Hellman published a paper in 1976 providing a solution We use one key for encryption (the public key), and a different key for decryption (the private key) Everyone knows Alice’s public key, so they can encrypt messages and send them to her But only Alice has the key to decrypt those messages No one can figure out Alice’s private key even if they know her public key Using Public Keys Nonsense Encryption Plaintext Ciphertext Decryption Plaintext Public Key Cryptography in Practice The problem is that public key algorithms are too slow to encrypt large messages Instead Bob uses a public key algorithm to send Alice the symmetric key, and then uses a symmetric key algorithm to send the message The best of both worlds! Security of public key cryptography Speed of symmetric key cryptography Sending a Message What’s your public key? Bob picks a symmetric key and encrypts it using Alice’s public key Alice decrypts the symmetric key using her private key Then sends the key to Alice Bob encrypts his message using the symmetric key Then sends the message to Alice hi Alice decrypts the message using the symmetric key The RSA Public Key Cipher The most popular public key cipher is RSA, developed in 1977 Named after its creators: Rivest, Shamir, and Adleman Uses the idea that it is really hard to factor large numbers Create public and private keys using two large prime numbers Then forget about the prime numbers and just tell people their product Anyone can encrypt using the product, but they can’t decrypt unless they know the factors If Eve could factor the large number efficiently she could get the private key, but there is no known way to do this Public-Key Cryptography: RSA (Rivest, Shamir, and Adleman) Sender uses a public key - Advertised to everyone Receiver uses a private key Plaintext Plaintext Encrypt with public key Internet Decrypt with private key Ciphertext 38 Generating Public and Private Keys Choose two large prime numbers p and q (~ 256 bit long) and multiply them: n = p*q Chose encryption key e such that e and (p-1)*(q-1) are relatively prime Compute decryption key d, where d = e-1 mod ((p-1)*(q-1)) (equivalent to d*e = 1 mod ((p-1)*(q-1))) Public key consist of pair (n, e) Private key consists of pair (n, d) 39 RSA Encryption and Decryption Encryption of message block m: - c = me mod n Decryption of ciphertext c: - m = cd mod n 40 Example (1/2) Choose p = 7 and q = 11 n = p*q = 77 Compute encryption key e: (p-1)*(q-1) = 6*10 = 60 chose e = 13 (13 and 60 are relatively prime numbers) Compute decryption key d such that 13*d = 1 mod 60 d = 37 (37*13 = 481) 41 Example (2/2) n = 77; e = 13; d = 37 Send message block m = 7 Encryption: c = me mod n = 713 mod 77 = 35 Decryption: m = cd mod n = 3537 mod 77 = 7 42 Properties Confidentiality A receiver B computes n, e, d, and sends out (n, e) - Everyone who wants to send a message to B uses (n, e) to encrypt it How difficult is to recover d ? (Someone that can do this can decrypt any message sent to B!) Recall that d = e-1 mod ((p-1)*(q-1)) So to find d, you need to find primes factors p and q - This is provable very difficult 43 RSA Factoring Challenge RSA-768 has 232 decimal digits and was factored on December 12, 2009. It’s the largest factored RSA number to date. RSA-2048 may not be factorizable for many years to come, unless considerable advances are made in integer factorization or computational power in the near future. 44 RSA Factoring Challenge Suppose, for example, that in the year 2020 a factorization of RSA-1024 is announced that requires 6 months of effort on 100,000 workstations. In this hypothetical situation, would all 1024-bit RSA keys need to be replaced? - The answer is no. If the data being protected needs security for significantly less than six months, and its value is considerably less than the cost of running 100,000 workstations for that period, then 1024-bit keys may continue to be used. 45 So Far: The Problem Private Message Bob Alice Eavesdropping Eve 46 Private Message So Far: The Solution Encryption Private Message Decryption Scrambled Message Bob Alice Eavesdropping Eve 47 Other Security Problems - Are you who you say you are? • Authentication - How does Bob know that he’s really talking to Alice? - How does Alice know the message was sent by Bob? • Mutual authentication - How does Alice know that the message she receives hasn’t been tampered with? • Message Integrity 48 Secure Channels Can you have authentication without message integrity? - I know that Bob sent the message, but someone may have tampered with it. - I know that no one tampered with it, but I don’t know whether or not it was really Bob who sent it. - Authentication & message integrity cannot do without each other ! • Set-up phase precedes message exchange • Session keys to ensure message integrity 49 Notation for Cryptography Notation Description KA, B Secret key shared by A and B K A Public key of A K A Private key of A 50 Authentication Using Public-Key Cryptography - How does Bob know that he’s really talking to Alice? - How does Alice know the message was sent by Bob? • Mutual authentication KA+, KB+: public keys KB +(A, RA) 2 KA+(RA, RB,KA,B) 3 ? Bob 1 Alice KA,B(RB) 51 Authentication Using Public-Key Cryptography KA+, KB+: public keys Alice 1 KB+(A, RA) 2 KA+(RA, RB,KA,B) 3 Bob KA,B(RB) What if KB+ is faked? 52 Security Management Problem: how do you get keys in the first place? Key distribution: securely associate an entity with a key - Example: Public Key Infrastructure (PKI), a system that manages public key distribution on a wide-scale Key establishment: establish session keys - Use public key cryptography (we already know how to do it) 53 Components of a PKI 54 Digital Certificate Signed data structure that binds an entity (E) with its corresponding public key (KE+) - Signed by a recognized and trusted authority, i.e., Certification Authority (CA) - Provide assurance that a particular public key belongs to a specific entity How? - CA generates KCA-(E, KE+) - Everyone can verify signature using KCA+ 55 Certification Authority (CA) People, processes responsible for creation, delivery and management of digital certificates Organized in a hierarchy (use delegation – see next) Root CA CA-1 CA-2 56 Registration Authority People, processes and/or tools that are responsible for - Authenticating the identity of new entities (users or computing devices) - Requiring certificates from CA’s. 57 Certificate Repository A database which is accessible to all users of a PKI, contains: - Digital certificates, - Certificate revocation information - Policy information 58 Example Alice generates her own key pair. private key Alice public key Alice Bob generates his own key pair. private key Bob public key Bob Both sent their public key to a CA and receive a digital certificate 59 Example Alice gets Bob’s public key from the CA private key Alice Bob gets Alice’s public key from the CA private key Bob 60 Certificate Revocation Process of publicly announcing that a certificate has been revoked and should no longer be used. Approaches: - Use certificates that automatically time out - Use certificate revocation list 61 More on Secure Channels In addition to authentication, a secure channel also requires that messages are confidential, and that they maintain their integrity. 62 More on Secure Channels For example: Alice needs to be sure that Bob cannot change a received message and claim it came from her. And Bob needs to be sure that he can prove the message was sent by/from Alice, just in case she decides to deny ever having sent it in the first place. Solution: Digital Signing. ? 63 Digital Signatures Digital signing a message using public-key cryptography. This is implemented in the RSA technology. Note: the entire document is encrypted/signed this can sometimes be a costly overkill. 64 Message Digest (MD) 5 Can provide data integrity and non-repudiation - Used to verify the authentication of a message Idea: compute a hash on the message and send it along with the message Receiver can apply the same hash function on the message and see whether the result coincides with the received hash 65 Message Digest Operation Transformation contains complex operations Initial digest (constant) Message (padded) 512 bits 512 bits 512 bits Transformation Transformation .. . Transformation Message digest 66 Digital Signature In practice someone cannot alter the message without modifying the digest - Digest operation very hard to invert Encrypt digest with sender’s private key KA-, KA+: private and public keys of A 67 Access Control Access Control Once a client and a server have established a secure channel, the client can issue requests to the server Requests can only be carried out if the client has sufficient access rights The verification of access rights is access control, and the granting of access rights is authorization These two terms are often used interchangeably The Basic Model for Access Control This model is generally used to help understand the various issues involved in access control The subject issues requests to access the object, and protection is enforced by a reference monitor that knows which subjects are allowed to issue which requests Access Control Matrix The access control matrix is a matrix with each subject represented by a row, and each object represented by a column The entry M[s, o] lists the operations that subject s may carry out on object o ? Of course, we don’t really want to implement it as a matrix in any system of reasonable size, because there would be a whole lot of wasted space… 71 Access Control Matrix There are two main approaches that are used instead of an actual matrix: Each object can maintain a list, the access control list, of the access rights of subjects that want to access that object - this effectively distributes the matrix columnwise, leaving out empty entries Each subject can maintain a list of capabilities for each object - this effectively distributes the matrix row-wise, leaving out empty entries Of course, capabilities can’t be totally maintained by the subjects - they must be given to the subjects by some other trusted entity (like the reference monitor) 72 Access Control Lists vs. Capabilities 73 Access Matrix Access Control List Capability Lists Protection Domains ACLs and capabilities help to efficiently implement the access control matrix, but can still become quite cumbersome A protection domain is a set of (object, access rights) pairs, where each pair specifies for a given object exactly what operations can be carried out By associating a protection domain with each request, we can cut down on redundant information in access control lists 77 Protection Domains One approach to using protection domains is to construct groups of users Another approach is to use roles instead of groups Roles: head of a department, manager of a project, member of a personnel search committee 78 Authorization Management 79 Authorization Management Granting authorization rights Related with access control which verifies access rights 80 Capabilities (1) How to grant a capability? How to verify a capability? 81 Capabilities (2) Capability: - Unforgeable data structure for a specific resource R - Specify access right the holder has with respect to R An example: 48 bits 24 bits 8 bits 48 bits Server port Object Rights Check 82 Capabilities (3) Owner Generation of a restricted capability from an owner capability 83 Delegation: Motivation Example A user Alice has read-only access rights on a large file F Alice wants to print F on printer P no earlier than 2am - Method A: Alice sends the entire file F to the printer P; - Method B: Alice passes the file name to P and printer P copies the file F to its spooling directory when F is actually needed. - For method B, Alice needs to delegate her read-only access rights on F to printer P 84 Delegation: Neuman Scheme The general structure of a proxy as used for delegation: 85 Delegation: Neuman Scheme Using a proxy to delegate and prove ownership of access rights In practice S+proxy, S-proxy can be a public-private key pair and N can be a nonce 86 Appendix 87 Shared Secret Key Authentication Suppose Alice and Bob share a secret key (KA, B). How can they setup a secure channel over an insecure medium? 88 1. 2. 3. 4. 5. Alice sends her identity to Bob. Bob sends a challenge (random number). Alice must encrypt and return. Alice then sends a challenge to Bob. Bob must encrypt and return. An Optimization Authentication based on a shared secret key, but using three instead of five messages. Chuck…er…Alice Attack Attempt ? Chuck tries to pretend to be Alice. He sends the initial message to Bob. Bob responds with the encrypted challenge, but then his own challenge. Chuck cannot properly respond to the challenge because he doesn’t have the key. Reflection Attack Lesson: never encrypt anything without knowing who you are encrypting it for. 92 Key Distribution Centers If there are N parties using shared secret keys, how many keys are needed? Alternative is to use a trusted KDC. It has a shared key with every host. 93 Key Distribution Centers Disadvantage is that Bob has to get into the loop first. 94 Tickets Using a ticket and letting Alice set up a connection to Bob. Vulnerable to replay attacks if Chuck gets hold on KB,KDCold 95 Authentication using KDC (Needham-Schroeder Protocol) - Nonce: random number used only once to relate two messages RA1,A,B 2 KA,KDC(RA1,B,KA,B, KB,KDC(A,KA,B)) 3 KA,B(RA2), KB,KDC(A, KA,B) 4 KA,B(RA2-1, RB) 5 KA,B(RB-1) Bob 1 KDC Relate messages 1 and 2: use challenge response mechanism RA1, RA2, RB: nonces Alice 96 What if RA1 is Missing? Assume Chuck intercepted KA,KDC(B,KA,B, KB,KDCold(A,KA,B)) (replayed message) 3 KA,B(RA2), KB,KDCold(A, KA,B) 4 KA,B(RA2-1, RB) 5 KA,B(RB-1) Here Chuck gets KA,B ! Bob (KB,KDC) 2 A,B Chuck (KB,KDCold) 1 KDC - KA,KDC(B,KA,B, KB,KDCold(A,KA,B)) - Knows KB,KDCold Alice 97 Authentication using KDC (Needham-Schroeder Protocol) RA1,A,B 2 KA,KDC(RA1,B,KA,B, KB,KDC(A,KA,B)) 3 KA,B(RA2), KB,KDC(A, KA,B) 4 KA,B(RA2-1, RB) 5 KA,B(RB-1) Bob 1 KDC Why do we need to include B in message 2? Alice 98 What if B is Missing from Message 2? RA1,A,B 2 KA,KDC(RA1,KA,C, KC,KDC(A,KA,C)) 3 KA,C(RA2), KC,KDC(A, KA,C) 4 KA,C(RA2-1, RB) 5 KA,C(RB-1) RA1,A,C Bob (KB,KDC) Alice 1 KDC Assume Chuck intercepts message 1 Chuck Here Chuck gets KA,C ! 99 Authentication using KDC (Needham-Schroeder Protocol) RA1,A,B 2 KA,KDC(RA1,B,KA,B, KB,KDC(A,KA,B)) 3 KA,B(RA2), KB,KDC(A, KA,B) 4 KA,B(RA2-1, RB) 5 KA,B(RB-1) Bob 1 KDC Vulnerable to replay attacks if Chuck gets hold on KA,B Alice 100 What if Chuck gets KA,B? Assume Chuck intercepted RA1,A,B Chuck (KA,B) 2 KA,KDC(RA1,B,KA,B, KB,KDC(A,KA,B)) 3 KA,B(RA2), KB,KDC(A, KA,B) Bob 1 KDC - KA,B(RA2), KB,KDC,(A,KA,B) - Knows KA,B Alice (replayed message) 4 KA,B(RA2-1, RB) 5 KA,B(RB-1) 101 Defend Against leaking of KA,B A 2 KB,KDC(RB1) 3 RA1,A,B, KB,KDC(RB1) 4 KA,KDC(RA1,B,KA,B, KB,KDC(A,KA,B,RB1)) 5 KA,B(RA2), KB,KDC(A, KA,B,RB1) 6 KA,B(RA2-1, RB2) 7 KA,B(RB2-1) Bob 1 KDC Message 5 (former 3) contains an encrypted nonce (KB,KDC(RB1)) provided by Bob. Chuck can no longer simply replay message 5 (former 3) to fool Bob, cause message 5 is now related to message 2 by including nonce RB1. Alice 102