CS 854 – Hot Topics in Computer and Communications Security Fall 2006 Introduction to Cryptography and Security II 1 Announcements Paper assignments are nearly done See website Assignment: See website Due September 25 By email Please send all emails containing reviews, assignment solutions,.. to uhengart+cs854@cs.uwaterloo.ca Omit +cs854 if you have a question, want to set up an appointment,… 2 System Model Alice and Bob want to communicate “securely” Trudy may intercept, delete, add, or modify messages Alice data channel secure sender Bob data, control messages secure receiver data Trudy 3 Threat Model Q: What can a “bad guy” do? A: a lot! eavesdrop: passively intercept messages actively insert, modify, or delete messages into connection impersonation: can fake (spoof) source address in network packet (or any field in packet) hijacking: “take over” ongoing connection by removing sender or receiver, inserting himself in place denial of service: prevent service from being used by others (e.g., by overloading resources) but (typically) not drop a nuclear bomb on Alice and Bob 4 The language of cryptography Alice’s K encryption A key plaintext encryption algorithm ciphertext Bob’s K decryption B key decryption plaintext algorithm symmetric-key crypto: sender and receiver keys identical and secret public-key crypto: encryption key public, decryption key secret (private) 5 Block and Stream Ciphers Block cipher: operates on fix-sixed blocks at a time • today’s ciphers: 128 bits reversible plaintext and ciphertext have same size common key sizes: 128 or 256 bit Kerckhofs’ principle: structure of cipher is publicly known Stream cipher: operates on single bit (byte) at a time 6 Public key cryptography + Bob’s public B key K K plaintext message, m encryption ciphertext algorithm + K (m) B - Bob’s private B key decryption plaintext algorithm message + m = K B(K (m)) B 7 RSA: another important property The following property will be very useful later: - + B B K (K (m)) + = m = K (K (m)) B B use public key first, followed by private key use private key first, followed by public key Result is the same! 8 Overview Network security Symmetric-key encryption Public-key encryption Message integrity and authentication Entity authentication Key distribution Computer security 9 Digital Signatures Cryptographic technique analogous to handwritten signatures. sender (Bob) digitally signs document, establishing he is document owner/creator. verifiable, nonforgeable, nonrepudiable: recipient (Alice) can prove to third party that Bob, and no one else (including Alice), must have signed document message integrity does not always require nonrepudiation See later 10 Digital Signatures Bob signs m by applying his private key KB-, creating signature KB-(m) - Bob’s private KB key Bob’s message, m Dear Alice Oh, how I have missed you. I think of you all the time! …(blah blah blah) Signing algorithm Bob Algorithms: RSA - - m, K B (m) Bob’s message, m, and its digital signature + + ( K (m)) = m = K (K (m)) B B B B DSA (“Digital Signature Algorithm”) Remember K 11 Digital Signatures (more) - Suppose Alice receives msg m, digital signature KB(m) Alice verifies m signed by Bob by applying Bob’s + - + - public key KB to KB(m) then checks KB(KB(m) ) = m. + - If KB(KB(m) ) = m, whoever signed m must have used Bob’s private key. Alice thus verifies that: Bob signed m. No one else signed m. Bob signed m and not m’. Non-repudiation: Alice can take m, and signature KB(m) to court and prove that Bob signed m. 12 (Cryptographic) Hash Functions Computationally expensive to sign long messages m Goal: fixed-length, easyto-compute digital “fingerprint” H(m) message digest, cryptographic hash function can compute KB(H(m)) instead of KB(m) large message m H: Hash Function H(m) 13 Digital signature = signed message digest Alice verifies signature and integrity of digitally signed message: Bob sends digitally signed message: large message m H: Hash function Bob’s private key - KB Signing algorithm signature + signature H(m) KB(H(m)) large message m H: Hash function KB(H(m)) Bob’s public key + KB Remove signature H(m) H(m) equal ? 14 Properties of H(m) Input: arbitrarily long string of bits Output: fixed-size (i.e., H() is many to one) Given m, easy to compute H(m) One-way property/pre-image resistant For any given value x, it is computationally infeasible to find m such that H(m) = x Weak-collision resistance/2nd pre-image resistant For any given message m1, it is computationally infeasible to find m2 such that H(m1) = H(m2) Strong-collision resistance/collision resistance It is computationally infeasible to find a pair (m1,m2) such that H(m1) = H(m2) 15 Brute-Force Attacks Given: hash function with n-bit output Brute-force pre-image attack requires about 2n attempts Brute-force collision attack requires only 2n/2 attempts! Birthday paradox • If 23 people in a room, chance that two of them will have same birthday exceeds 50% • In general: approximately square root of #possible values 16 Hash Function Algorithms MD5 (RFC 1321) designed by Rivest in 1991, based on MD4, widely used 128-bit message digest MD5 is no longer strong-collision resistant but strong-collision resistance is only of theoretical interest? See assignment. stay away from MD5 SHA-1 ( NIST, FIPS PUB 180-1) designed by NSA, based on MD4 160-bit message digest security against collision-resistance has been weakened to (at most) 263 (brute force: 280) (maybe?) use SHA-256 17 (Other) Weaknesses of MD5/SHA-x Length extension: Given messages m1 and m2, where m2 = m1 || x, H(m2) can be computed based only on H(m1) and x (|| denotes concatenation) • don’t need m1 Attacker could add content Partial-message collision: If H(m1) = H(m2), then H(m1||r) = H(m2||r) 18 Message Authentication Code (MAC) MAC allows Alice and Bob to communicate such that each of them can be sure that received messages were not tampered with no non-repudiation Keyed hash function can be used for implementing MAC e.g., x = SHA-1(k||m), transmit m and x only Alice and Bob know k not secure against length-extension attack HMAC = H(k XOR a || H(k XOR b || m)) a,b: specified constants H: preferably SHA-256 19 Random Oracle Model Invented by Bellare and Rogaway in 1995 Build provably secure protocols based on random oracles Black box with state that responds to every query with a random response, except for already seen queries Actual protocol approximates random oracle with (efficient) real primitive In practice, random oracles typically model cryptographic hash functions Today it is standard to prove a cryptographic protocol secure (at least) in the random oracle model Caveat: (contrived) protocols have been constructed that are provably secure in random oracle model, but insecure in real implementation 20 Random Oracle Model Real primitive is “good” if indistinguishable from random function of certain type Pseudorandom Types of random oracles Random hash function models cryptographic hash • Unlimited input to fixed output Random generator models stream cipher • Fixed input to unlimited output Random permutation models block cipher • Fixed input to fixed output 21 Overview Network security Symmetric-key encryption Public-key encryption Message integrity and authentication Entity authentication Key distribution Computer security 22 Entity Authentication Prove that you are who you claim to be Based on what you know • password what you own • badge what you are • fingerprint 23 Passwords User enters password, computer compares it with password in file Bad if file gets stolen Store only password hashes in file Use salt to avoid dictionary attacks due to weak passwords E.g., UNIX Susceptible to replay attacks if attacker can sniff traffic exchanged between user and computer Use secure channel (e.g., SSL, see later) Challenge-response protocols Zero-knowledge protocols 24 Challenge-Response Symmetric-key techniques Assume that both parties know secret k B -> A: r A -> B: Ek(r) In practice, we want mutual authentication and agreement on session key Kerberos, Needham-Schroeder • Require third party with whom each of A and B shares a secret • Does not require shared secret between A and B 25 Needham-Schroeder Protocol A: Alice B: Bob T: Trent 1. A -> T: A || B || NA 2. T -> A: KAT ( NA || K || B || KBT ( K || A ) ) 3. A -> B: KBT ( K || A ) 4. B -> A: K ( NB ) 5. A -> B: K ( NB - 1) vulnerable to a replay attack if an old session key has been compromised then message 3 can be resent convincing B that is communicating with A modifications to address this require: timestamps (Denning 81) or extra nonce (Neuman 93) 26 Challenge-Response Public-key techniques Prove that other party owns private key corresponding to a public key Either by decrypting ciphertext or signing challenges • Be careful about messages whose (seemingly random) content is (entirely) determined by somebody else Used in SSL (see later) Assumes that both parties have each other’s (authentic) public key 27 Signing “Random” Challenges Alice encrypts m with RSA and sends c = me to Bob Eve captures c, wants m Eve opens authenticated connection to Alice, authentication based on signing of “random” challenges Eve computes c’ = rc, where r is random Eve asks Alice to sign c’ Alice returns c’d = rcd = rmed = rm to Eve, since rm looks random Eve computes rm/r = m 28 Broken Challenge-Response Protocol “I am Alice” R Bob computes + - - K A (R) “send me your public key” + KA KA(KA (R)) = R + K (K (R)) = R A A and knows only Alice could have the private key, that encrypted R such that 29 Man (woman) in the middle attack Trudy poses as Alice (to Bob) and as Bob (to Alice) I am Alice R I am Alice R K (R) T K (R) A Send me your public key + K T Send me your public key + K A - + m = K (K (m)) A A + K (m) A Trudy gets - + m = K (K (m)) T Alice sends T m to + K (m) T encrypted with Alice’s public key 30 Man (woman) in the middle attack Trudy poses as Alice (to Bob) and as Bob (to Alice) Difficult to detect: Bob receives everything that Alice sends, and vice versa. (e.g., so Bob, Alice can meet one week later and recall conversation) problem is that Trudy receives all messages as well! 31 Zero-knowledge Techniques E.g., Secure Remote Password Protocol (SRP) User proves to server that he knows password without revealing any information about password to server (and eavesdropper) Server knows only (exponentiated) salted password hash 32 Alternatives to Passwords Weak password -> Dictionary attack Strong password -> Users forget it/write it down Alternatives: One-time passwords • Typically requires hardware/software support Passphrases Biometrics Graphical passwords • Also susceptible to dictionary attacks • What if my digitized fingerprint gets stolen? • See later in course Client authentication is not sufficient, also require server authentication to avoid MITM or Phishing attacks 33 Good Cryptographic Practices Don’t use encryption for message integrity Don’t sign “random” messages Use session keys Don’t use same key for multiple cryptographic algorithms in a protocol Order of authentication and encryption authenticate-first can be (theoretically) insecure encrypt-first discards bogus messages earlier encrypt-first exposes authentication function to attacker encrypt-first authenticates ciphertext, not plaintext 34 Good Cryptographic Practices Use publicly reviewed cryptographic software packages if possible E.g., OpenSSL Use a good random number generator Design your own cryptographic protocol only if really necessary Consult experts, have it publicly reviewed Might still not be sufficient… 35 Needham-Schroeder Public Key Authentication Protocol Provides public key retrieval and authentication T distributes public keys, A and B have T’s public key 1. A -> T: A, B 2. T -> A: KT- ( KB+, B ) 3. A -> B: KB+ ( NA, A ) 4. B -> T: B, A 5. T -> B: KT- ( KA+, A ) 6. B -> A: KA+ ( NA, NB ) 7. A -> B: KB+ ( NB ) 36 Needham-Schroeder Public Key Authentication Protocol Designed in 1978, serious flaw found in 1995 Concentrate on messages exchanging nonces 3. A -> B: KB+ ( NA, A ) 6. B -> A: KA+ ( NA, NB ) 7. A -> B: KB+ ( NB ) Mallory, M, while communicating with A, can impersonate A to B 3. A -> M: KM+ ( NA, A ) M -> B: KB+ ( NA, A ) Fix: include identity of + 6. B -> M: KA ( NA, NB ) sender in 6 + M -> A: KA ( NA, NB ) 7. A -> M: KM+ ( NB ) M -> B: KB+ ( NB ) Another flaw: encryption is used for nonce integrity 37