Add to collection(s) Add to saved
  1. Business
  2. Finance

PPT

advertisement 
CS120: Lecture 16
MP Johnson
Hunter
mpjohnson@gmail.com
Acknowledgement: some material from Greg Whalen
1
Agenda
• Security: “Only the paranoid survive” (Andy Grove)
• Crypto:
– Idea of Crypto
– Private-key
– Public-key
• Security tips
– On web
– In public machines
– Crypto on the web
2
Crypto: definitions
• Convert to unintelligible form
– Reversible
– But only by intended recipient
• Original msg: “plaintext”
• Encrypted message: “ciphertext”
• Other services:
– Integrity checking: no tampering
– Authentication/digital signatures: not an imposter
3
Types of crypto schemes
• Secret-key: one secret key
– Also called private-key
• Public-key: two keys
– Public and private
• Related: hash functions
4
Simple private-key schemes
• Caesar cipher (shift):
–
–
–
–
A  D, B  E
“key” = shift distance
Only 26 possible codes
Can beak easily (how?)
• General substitution
–
–
–
–
Each letter  some other letter
“key” = mapping function
26! Possible schemes
Can break with stats – letter frequencies
• One-time pad
– First convert message to bits
– Random bitstring xor-ed to text
5
Simple private-key schemes
• Book of one-time pads
– Used in World War II, Cold War
– Two agents have a book of codes
– Each code used once, in order
• Messages intercepted when people used
same code multiple times
– Got lazy
– Frequencies of letters
6
Computational Difficulty
• What’s secret is just a finite bitstring
• Most schemes can be broken
– Brute force: try all possible keys
• The longer the key, the more secure
– n+1 bits  brute force search is twice as hard
(why?)
7
Brute-force attacks
• Common key lengths: 56 bits, 64 bits, 128
• Recall time for 2^100
– Through with millions of processors, may be able to
break in parallel
• For this reason, export restrictions on long-key
crypto
• Some systems come in “US” and “International”
(crippled) versions
– Long keys v. short keys
8
Secret-key crypto algs
• Same key is used for encryption and
decryption
• Eg: Substitution codes, DES, AES, IDEA
• Procedure:
– Agree on key (but how?)
– Communicate over insecure channel
9
Secret key v. secret algorithm
• Natural idea: use a secret algorithm
• Hard to keep secret if used widely:
– Reverse engineering, “social engineering”
• Also: publishing, criticism gives confidence
that algorithm is computationally secure
– Crypto-design as science
10
New topic: Public-key crypto
• Invented/published in 1975
– RSA, Diffie-Hellman, British intel
• Two keys: private (d), public (e)
– Encryption: public key; Decryption: private key
– Signing: private key; Verification: public key
• Much slower than secret key cryptography
11
Public-key crypto
• Data transmission:
– A encrypts msg using e_B
– Sends to B
– B decrypts with d_B
• In practice, public keys are called
certificate, available to browser
automatically over web
• But public-key is slow…
12
Public-key crypto: dig sig
• Given your private key, you can sign msg
• When I receive, I verify with your pubic key
• Since only you have your private key, this
convinces me that:
– You’re really you
– The message is the one you wrote
– Eg: “Sell IBM”
– Eg: “Sell Imclone at 60”
13
Why is RSA secure?
• One way is easy one way is hard
• Private key = two primes p,q
• Public key = n = p*q
• n is used in encryption alg
• To decrypt, need p and q
• But factoring a (large) number into primes is hard
14
Hybrid algs
•
•
But public-key is very slow compared to
private key
In practice, people use hybrid algs
•
Procedure:
1.
2.
3.
4.
5.
I pick random number
Encrypt with your public key and send to you
You decrypt
Now we share secret info – a “session key”
Now we can use this for private-key crypto 15
Security: browser
•
Many webpages have active parts
– Flash, Java applets, ActiveX, Scripting
•
 opportunities for hacking
– Viruses, spyware, etc.
1. Rec: turn security to medium or high
2. Rec: get a toolbar/popup-blocker
3. Rec: get virus, spyware software
– Microsoft Anti-Spyware is free
16
Security: public machines
• Safe: don’t use pub machines for anything that reqs login
• Or at least: not for anything sensitive (financial)
• Machines could have keyloggers
– Record each key pressed
– Save to file or email to address
– http://yro.slashdot.org/yro/05/11/18/1356205.shtml?tid=158&tid=172
– http://www.theregister.co.uk/2003/07/19/guilty_plea_in_kinkos_keystroke/
– 2003: Queens guy installed keylogger on machines at Kinkos
– got 450 people’s banking passwords
• Somewhat safe: don’t type your passwords in order
17
Security: other devices
• Most wireless routers come with a default name
and password
• Many people don’t change these
–  can get wifi access through them
• Also with OSs, databases, etc.
– Blank root password on Linux…
• Same thing with web-based security cams
– Default/no passwords
– Also: urls all have same form
– Can do an “in-url” search to find unsecured security
cams
18
Security: deleting files
• When you delete a file, it’s not really
deleted from disk
• It’s space is just set to “available”
– It may now be overwritten in the future
• Can get tools that physically overwrite info
– Overwrite with all 0s
– Overwrite with random numbers, many times
19
New topic: security on the web
• Authentication
– If you want to pay Amazon with your credit
card, how does the site know it’s really you?
– If you enter your credit card, how do you know
it’s really Amazon?
• Maybe it’s a phishing site…
• Secrecy
– When you enter your credit card, will an
eavesdropper be able to see it?
20
Security on the web
• Obvious soln: passwords
– What’s the problem?
• Slightly less obvious soln: passwords + encryption
• Traditional encryption: “symmetric” / “private key”
– DES, AES – fast – solves problem?
• “Newer” kind: “asymmetric” / “public key”
– Public key is published somewhere
– Private key is top secret
– RSA – slow – solves problem?
21
Authentication on the web
•
•
Neither private- nor public-key suffices
But together they do!
– “hybrid” protocol“ for authentication
•
SSL(HTTPS)-style algorithm:
1.
2.
3.
–
You pick a random number
Encrypt with Amazon’s cert, send to them
Amazon decrypts it, and sends it back to you
Since Amazon figured it out, it must be them22
Authentication on the web
• Now you trust that it’s really Amazon
– Assuming Amazon’s private key is secure…
• But: What if, say, someone else guessed
your password?
– Another way: What if you claim someone
guessed yours?
• Soln: same process, but in reverse
– But now you need to get your own cert…
23
Encryption on the web
• What about secrecy?
• Again, a (related) hybrid protocol:
– Amazon just sent you their public-key cert
– When you log in to Amazon,
1.
2.
3.
•
•
You pick another random number (“session key”)
You encrypt it (with their cert) and send it to them
They decrypt it (with their private key)
Now, you both share a secret key
can now encrypt passwords, credit cards, etc. 24
ssh
• This is what ssh gives you
• Like telnet
– Command-prompt log-in across Internet
• But secure
– Encryption
– Two-way pub-key authentication
– Or just one-way pub-key + password
25
Review: hybrid algs online
• Used for encryption & authentication
• Used in https/ssl & ssh
• Hybrid protocol:
– Amazon just sent you their public-key cert
– When you log in to Amazon,
1.
2.
3.
•
•
You pick another random number (“session key”)
You encrypt it (with their cert) and send it to them
They decrypt it (with their private key)
Now, you both share a secret key
can now encrypt passwords, credit cards, etc. 26
New topic: Hash functions
•
Function that hashes the message
–
•
•
f(x) is easy to compute
f^-1(y) is impossible
–
•
Can’t recover the message from the hash
Popular hash functions:
–
•
Creates a “digest”
MD5, SHA-1
Applications:
1. Authentication
•
Send a message and its hash
27
Hash apps
2. Hashing passwords
–
–
–
Website doesn’t need to know pass to verify it
On choosing pass, website stores its hash
On login, compares hash of entered pass to hash
on file
3. RFID for car keys
–
–
–
–
Key remote has unique hash ftn inside
On req, car sends key a number
Key hashes and returns
If correct result, car opens
28
Simple protocol: rot13
• To encrypt letter:
– Advance letter forward 13 places
– Wrap if necessary
• To decrypt letter:
– Same protocol!
• To code: pull out each char, treat as
number, build output string
29
Review: hybrid algs
• Combine public-key and private-key
• Used for encryption & authentication
• Used in https/ssl & ssh
• Hybrid protocol:
– Amazon just sent you their public-key cert
– When you log in to Amazon,
1.
2.
3.
•
•
You pick another random number (“session key”)
You encrypt it (with their cert) and send it to them
They decrypt it (with their private key)
Now, you both share a secret key
30
can now encrypt passwords, credit cards, etc.
New topic: Hash functions
•
Function that hashes the message
– Creates a “digest”
•
•
f(x) is easy to compute
f^-1(y) is impossible
– Can’t recover the message from the hash
•
Popular hash functions:
– MD5, SHA-1
31
Hash apps
1. Authentication
–
Send a message and its hash
2. Hashing passwords
–
–
–
Website doesn’t need to know pass to verify it
On choosing pass, website stores its hash
On login, compares hash of entered pass to hash
on file
3. RFID for car keys
–
–
–
–
Key remote has unique hash ftn inside
On req, car sends key a number
Key hashes and returns
If correct result, car opens
32
Related documents
Mash
Mash
Hash table
Hash table
Cryptography Homework #7: Hash function Search
Cryptography Homework #7: Hash function Search
Self-evaluation 21-5-2013
Self-evaluation 21-5-2013
HashQuiz
HashQuiz
Final Exam Review
Final Exam Review
Download
advertisement