Advanced Internet Technologies

“He, who wants to defend everything, defends
nothing.”
--- Frederick, the Great
1
Focus of a Security Plan
Reference: Thomas Calabrese, "Information Security Intelligence," Thomson Delmar Learning, 2004, p. 4
• Scope: restrict the scope as much as possible
• Prioritization
• Practicability
Some Examples of Attacks, and a Hint about Technologies
2
Example of a Security Incident:
Phishing
This phishing trick (mis)used a URL-display bug in Internet Explorer:
if the URL-encoded control characters %01 and %00 are placed just
before the @ character, IE would not display the rest of the URL.
Example:
http://www.whitehouse.gov%01%00@www.hacker.com/......
showed up as http://www.whitehouse.gov in the status bar, suggesting
that the link leads to the White House. In a URL, however, everything
before the @ is the user-info part, not the host: the request actually
goes to www.hacker.com, i.e. to the attacker.
3
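The following is an added example, not code from the slides: it parses a URL of the shape shown above the way a browser resolves it, so the real host and the decoy user-info part can be told apart. The host names and path are constructed for illustration, and the function names are chosen here.

```python
"""Added example (not from the slides): recover the real destination of a
phishing URL that abuses the user-info part of a URL ('user@host').
Everything before the '@' is user-info; the host is what follows it."""
from urllib.parse import urlsplit, unquote

# Constructed sample URL, shaped like the slide's example (host names are illustrative).
PHISH_URL = "http://www.whitehouse.gov%01%00@www.hacker.com/login"


def real_host(url: str) -> str:
    """The host the browser actually connects to: the part after the last '@'."""
    return urlsplit(url).hostname or ""


def userinfo(url: str) -> str:
    """The decoded user-info part (what the IE display bug showed as the 'host')."""
    return unquote(urlsplit(url).username or "")


def looks_deceptive(url: str) -> bool:
    """Heuristic used by anti-phishing filters: user-info containing a dot or
    control characters is almost certainly an attempt to impersonate a host name."""
    info = userinfo(url)
    return "." in info or any(ord(ch) < 0x20 for ch in info)


if __name__ == "__main__":
    print("displayed as:", userinfo(PHISH_URL).encode())
    print("connects to :", real_host(PHISH_URL))
    print("deceptive   :", looks_deceptive(PHISH_URL))
```

Mail gateways and proxies can apply `looks_deceptive` to every link in a message; a legitimate `user@host` URL has no dot or control character in its user-info part.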
Anti-Phishing.org
• A Web site, www.antiphishing.org, for reporting incidents, set up by a group of global banks and technology companies led by the secure-messaging firm Tumbleweed Communications Corp.
• Fast response is required: phishing Web sites are often in place for only a day.
• Example, Dec 2003: a phishing e-mail appeared to come from the U.K. bank NatWest. Anti-Phishing.org tracked the IP address to a hijacked home computer in San Francisco. "The owner of the computer probably had no idea he'd been hijacked," says Dave Jevans, Tumbleweed's senior vice president of marketing.
4
Common attacks on financial institutions like banks through the Internet
Common attacks:
• phishing (attempts to trick account holders into giving their account authentication details away),
• fraudulent association with the bank as part of investment scams, and
• trademark violation
Losses due to attacks:
"The major banks don't want to divulge the amount of
losses. But just to give one example, a major
Australian bank has put several million dollars in
reserve since August 2003 to cover damages due to
Internet frauds.“– Dave Jevans, eWeek, Dec 2003
5
An Example: time-to-market for Internet security products
• 16 December 2003: the phishing problem described above comes to light
• 5 January 2004: announcement of the development of a new anti-phishing service by Netcraft, of Bath, England. Netcraft says that the service is mainly for banks and other financial organizations.
6
General Strategies for security
• Continuous vigilance through monitoring and analysis
• Reduce the size of the target:
  • disable unneeded services
  • limit the attacker's access to target systems
  • harden the OS and applications
• Use technologies that cannot be broken easily
7
General Strategies for security: Technologies
• Confidentiality: encrypting sensitive data
• Integrity: hashing, digital signatures
• Authentication: digital certificates
• Non-repudiation: digital signatures backed by a trusted third party
8
“Using encryption on the Internet is the
equivalent of using an armored car to deliver
credit card information from someone living
in a cardboard box to someone living on a
park bench.“
--- Professor Eugene Spafford
Purdue University
9
CRYPTOGRAPHY
• Cryptography (from two Greek words) means secret writing.
• Cryptanalysis: breaking a cryptographic code.
• Cryptography processes data into an unintelligible form
  • reversibly (encryption) or irreversibly (hashing),
  • for encryption: without loss of information, and usually with output of the same size as the input (it is not compression).
10
Cryptography
Services provided by cryptographic tools:
• encoding information into a form that is unintelligible to an unauthorized person
• integrity checking: no tampering
• authentication: not an impostor
Encryption or Enciphering:
Plaintext + Key → Encryption Algorithm → Ciphertext
11
Why encrypt?
A few valid reasons for (reversibly) encrypting data are:
• to prevent casual browsers from viewing sensitive data files
• to prevent accidental disclosure of sensitive data
• to prevent privileged users (e.g., system administrators) from viewing private data files
• to complicate matters for intruders who attempt to search through a system's files
12
Kerckhoffs's principle
The security of an encryption scheme should depend only on the secrecy of the key, and NOT on the secrecy of the algorithm.
13
Classification
Two types of encryption algorithms:
• Reversible
• Irreversible
Two types of keys:
• Symmetric
• Asymmetric
14
Types of Cryptographic Algorithms:
• Secret key
  • Examples: DES, AES (Rijndael)
• Public key
  • Examples: RSA, Rabin, ElGamal
• Message digest (hash or cryptographic checksum)
  • Example: SHA-256
• Message authentication codes
  • Examples: HMAC, CBC-MAC
15
Reversible Encryption
Reversible ENCRYPTION:
cleartext → [encryption device, encryption key] → ciphertext → [decryption device, decryption key] → cleartext
It can be used only when the same type of encryption software/equipment is available at both ends.
16
Decryption
Decryption or Deciphering:
Ciphertext + Key → Decryption Algorithm → Plaintext
17
Fingerprinting Data
Irreversible "encryption": hash functions
Plaintext → Hash Algorithm → Hash (no key is involved, and the transformation cannot be undone)
Collisions in the output?
18
Cryptographic Hash Functions (H)
• H: a transformation m → H(m) = h, where
  m = variable-size input
  h = hash value: a fixed-size string, also known as the message digest or fingerprint (H itself is also called a compression function)
19
Message Digest
Variable-length message → Hashing Algorithm → Fixed-length digest
20
Uses of Hash Functions
• Integrity check
• Getting a document time-stamped without revealing its contents to the time-stamp service
• Authentication through digital signatures
• Generation of pseudo-random numbers, e.g. to derive several keys from a single shared secret
Typical output of a hash: 128 to 512 bits
21
A Cryptographic Hash function
Properties of cryptographic hash functions:
• One-way functions: 'hard' to invert, i.e. given h it is computationally infeasible to find some input m such that H(m) = h.
• Collision-resistant: a very large number of collisions exist (many inputs map to each output), but it must be computationally infeasible to find one.
• Should behave like a random mapping from the set of all possible input values to the set of possible output values.
22
Message Digest (MD)
• Consider an algorithm that generates outputs which are randomly distributed.
• Let the MD (output) be n bits long: 2^n possible outputs.
• Since these are randomly distributed, after about 1.2 · 2^(n/2) digests have been computed we are more likely than not to have seen the same value twice.
  (Reference: the statistical idea of the Birthday Paradox; please see the last set of slides on Cryptanalysis for a statement of it.)
• Thus for n = 128, a collision is expected after about 1.2 · 2^64 digests.
23
Definitions
WEAKLY COLLISION-FREE HASH FUNCTION (second-preimage resistance):
Given a message m1, it is computationally infeasible to find m2 such that
• m1 is not equal to m2, and
• H(m1) = H(m2).
STRONGLY COLLISION-FREE HASH FUNCTION (collision resistance):
It is computationally infeasible to find any two messages m1 and m2 such that H(m1) = H(m2).
24
Hash Functions: Collision-free Example
Example: consider a hash of 128 bits.
Weak: for a given H(m1), each trial message m2 matches it with probability 2^-128, so about 2^128 trials are needed to find a second preimage.
Strong: with no constraint on either of the two messages, the birthday paradox says a collision is expected after only about 2^64 trials (each pair collides with probability 2^-128, but the number of pairs grows with the square of the number of trials).
25
Properties of Cryptographic Hash functions (continued)
• H(m) is easy to compute.
• The input can be of any length.
• The output has a fixed length.
Note 1: Consider a transformation of a sequence of length n1 to a sequence of length n2, where n1 > n2. In such a case there must exist multiple input sequences that map to the same fixed-length hash value (pigeonhole principle).
26
Notes on hash functions (continued)
In the definitions of hash functions it is only required that finding x be computationally infeasible, even though we know that x exists.
2. Computationally infeasible (CI) means that the running time of the best known algorithm grows faster than any polynomial in the security parameter. In practice CI means that computing x would take an extremely long time on even the fastest machine of the day.
27
Popular Hash Functions
• Iterative functions (the Merkle-Damgård construction):
  • split the message into equal-sized blocks m1, m2, ..., mk (padding the last block)
  • Hi = h(Hi-1, mi), with H0 a fixed initial value; the final Hk is the hash
• MD2, MD4 and MD5 were developed by Rivest.
  • MD2 (1989): optimized for 8-bit machines
  • MD4 (1990), MD5 (1991): optimized for 32-bit machines
  • MD4 and MD5 both produce a 128-bit hash value.
28
Popular Hash Function: MD5
• MD4:
  • Den Boer and Bosselaers (in a paper in 1991) discovered weaknesses.
  • It was cracked by Dobbertin, who devised a method to generate collisions in MD4.
• MD5 (Ref: RFC 1321) was supposed to be more secure.
  • With a 128-bit output, two given messages collide by chance with probability about 1 in 3.4x10^38; by the birthday paradox a collision is nevertheless expected after about 2^64 hash computations.
  • 1993: a non-fatal flaw discovered (a pseudo-collision of the compression function, den Boer and Bosselaers).
• SHA-1 (Secure Hash Algorithm): produces a 160-bit hash value from a message of fewer than 2^64 bits.
29
Popular Hash Function: SHA 1
• SHA-1: designed by the NSA and standardized by NIST as a part of the Capstone project (based on the MD4/MD5 design, and 2 to 3 times slower than MD5). (Ref: RFC 3174 and FIPS 180-1)
• Aug 2004: Wang et al. reported generating collisions in MD4 by "hand calculation", and collisions in MD5, HAVAL-128 and RIPEMD, i.e. across the MD4 family. The use of these functions is therefore no longer recommended.* SHA-1 itself was broken later (a theoretical collision attack in 2005 and a practical, published collision in 2017), so it too should not be relied on where collision resistance matters.
*Reference: Xiaoyun Wang, Dengguo Feng, Xuejia Lai and Hongbo Yu, "Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD," Cryptology ePrint Archive, Report 2004/199, http://eprint.iacr.org/2004/199.pdf
30
Popular Hash Functions: To be used today
• SHA-256, SHA-384 and SHA-512 (Ref: FIPS 180-2): designed to match the security levels of AES with 128-, 192- and 256-bit keys.
• Slower than SHA-1; may take nearly as much time as encryption by AES.
• SHA-384 uses the SHA-512 method (with different initial values) and discards the remaining bits of the output. So although it takes the same time as SHA-512, it offers less collision resistance.
• Others: Snefru generates a 128- or 256-bit hash; HAVAL produces a 128-, 160-, 192-, 224- or 256-bit hash.
31
Secret Key/ Symmetric Cryptography
• Simpler and faster (than asymmetric, by a factor of about 1000)
• For an integrity check, a fixed-length checksum of the message may have to be used; a CRC* is not sufficient, because an attacker who modifies the message can recompute it.
*Cyclic Redundancy Check
32
Symmetric Key Encryption
Also called private/secret key encryption:
Sender end: message → [encrypt with the shared secret key] → encrypted message → Internet
Receiver end: encrypted message → [decrypt with the same secret key] → message
33
Symmetric Key Cipher Standards
• Data Encryption Standard (DES):
  • the initial version was developed by IBM
  • a US standard from 1975 to 1999
• Advanced Encryption Standard (AES):
  • the proposal (Rijndael) from two Belgian cryptographers was selected in October 2000
  • declared the standard (FIPS 197) in November 2001
34
Theoretical Basis of DES
Claude Shannon's theories: recapitulation
1945: introduce diffusion and confusion through cryptographic algorithms.
• Diffusion: use a permutation followed by some functional transformation,
  so that one 'character' of the ciphertext is a function of a large number of 'characters' of the plaintext.
• Thus if e is the most commonly used character in English plaintext, it may not be so in the ciphertext. Ideally all characters should occur with equal frequency in the ciphertext.
35
Diffusion & Confusion : Recapitulation
• Diffusion: seeks to make statistical relationship
between the plaintext and ciphertext as complex as
possible. Diffuses the structure of the plaintext over
a large part of the ciphertext.
• Confusion: makes the relationship between the
statistics of the ciphertext and the encryption key
as complex as possible.
• Achieved by using a complex substitution algorithm.
36
Substitution and permutation
Substitution or permutation alone: easy to break using statistical analysis.
For every language the frequencies of characters, digrams (two-letter sequences) and trigrams are known, and statistical analysis is used to decipher encrypted information.
• English: e is the character with the highest frequency
• C source: #define and #include at the beginning
• Protocols and tcpdump: repetitive, fixed-size fields
37
Kerckhoffs's Rule
The strength of an encryption algorithm depends upon:
1. the design of the algorithm,
2. the key length,
3. the secrecy of the key (which requires proper management of key distribution).
1883: Jean-Guillaume-Hubert-Victor-François-Alexandre-Auguste Kerckhoffs von Nieuwenhof: "Cryptosystems should rely on the secrecy of the key, but not of the algorithm."
Advantage of openness: in 1994 the source code of RC4, a secret encryption algorithm designed by RSA Data Security Inc., was posted anonymously on the Internet; the public analysis that followed exposed several weaknesses of RC4.
38
Types of Cipher Algorithms
• Stream cipher: encrypts data bit by bit (or byte by byte)
• Block cipher: encrypts a fixed-size block of data at a time
Block ciphers:
• An ideal block cipher for 64-bit blocks would be an arbitrary permutation of all 2^64 plaintext blocks; stored as a table it would need 2^64 entries of 64 bits, i.e. about 150 million terabytes.
• For a block size of 128 bits the table would require about 5x10^39 bytes. This is why practical block ciphers use a key-driven structure of rounds instead of a table.
39
DES Encryption:
DES is a public standard, but its design criteria have not been published.
A 64-bit plaintext block goes through
• an Initial Permutation (IP),
• 16 rounds of a complex function f, as follows:
  • round 1 of f with sub-key K1,
  • round 2 of f with sub-key K2,
  • ...
  • round 16 of f with sub-key K16;
  every round ends with a swap of the left half and the right half,
• an inverse initial permutation (IP^-1)
to produce the 64-bit ciphertext.
40
DES Round
x: block of plaintext
• let x0 = IP(x) = L0:R0
• 16 rounds with the cipher function f; Ki: sub-key for the i-th round
  for i = 1 to 16:
    xi = Li:Ri, where
    Li = Ri-1
    Ri = Li-1 ⊕ f(Ri-1, Ki)
41
Function f
• Expansion permutation to get 48 bits from the 32 bits of Ri-1: each input block of 4 bits also contributes one bit to each of its two neighbouring 6-bit output blocks → avalanche effect: a small difference in the plaintext causes a quite different ciphertext
• E(Ri-1) ⊕ Ki
• S-boxes convert the 48 bits to a 32-bit output: non-linear; they provide the major part of the strength of the cipher
• Straight permutation P
• XOR with the left half
• Switch the left half and the right half
42
Key Schedule Algorithm
• Each sub-key Ki (48 bits) is obtained from the 56-bit key K
• Fixed permutation: PC1(K) = C0:D0
• A left circular shift (of 1 or 2 bits) on the left half (C0) and the right half (D0) separately (output: C1 of 28 bits and D1 of 28 bits); the shift is 1 bit in rounds 1, 2, 9 and 16 and 2 bits in rounds 3-8 and 10-15
• Compression permutation PC2 to get the 48-bit key Ki from Ci:Di
• Round-dependent left shifts → different parts of the initial key create each sub-key
43
Sub Key Generation
The effective input key: 56 bits.
Hardware design: the 8th, 16th, 24th, 32nd, 40th, 48th, 56th and 64th bits are odd-parity bits → a 64-bit key.
Software design: the key is often typed as ASCII text; each character is 8 bits, with the first bit being zero plus 7 bits of code, so those bits carry no key material (!).
Since DES was designed with hardware implementation in mind, the conversion to 56 bits is done by discarding every 8th bit.
PC1 converts the key to 56 bits and permutes it.
44
Key Schedule
K: 64-bit key
• C0:D0 = PC1(K), a 56-bit key
• 16 steps, for i = 1 to 16: a left circular shift (of 1 or 2 bits) on the left half (Ci-1) and the right half (Di-1) separately (output: Ci of 28 bits and Di of 28 bits)
• 16 sub-keys, for i = 1 to 16: Ki = PC2(Ci:Di), 48 bits each
45
PC1: Obtaining C0 and D0
PC1 generates C0 and D0, the left and the right halves respectively, when the 64-bit key is written as 8 rows of 8 bits:
C0: read the first column of the input 64-bit key from bottom up and write it row-wise from left to right. Repeat for the second, the third and the lower half of the fourth column respectively.
D0: read the seventh column of the input 64-bit key from bottom up and write it row-wise from left to right. Repeat for the sixth, the fifth and the upper half of the fourth column respectively.
(The eighth column, the parity bits, is never read.) Probably the conversion to the two halves was done due to the hardware limitations of the seventies.
46
Sub Key Generation: continued
Thus DES has a 56 bit key K consisting of C0 and D0.
All the sub keys K1 to K16 are of 48 bits.
To generate these keys, K goes through
• A Permuted Choice (PC-1) (output C0 of 28 bits
and D0 of 28 bits).
• A left circular shift (of 1 or 2 bits) on the Left-half (C0 )
and Right-half (D0) separately (Output: C1 of 28 bits and
D1 of 28 bits)
followed by a Permuted Choice (PC-2) which permutes
as well as ‘contracts’ to produce a sub-key K1 of 48 bits.
47
Sub Key Generation (continued)
• A left circular shift (of 1 or 2 bits) on the Left-half (C1 )
and Right-half (D1) separately (Output: C2 of 28 bits and
D2 of 28 bits)
followed by a Permuted Choice (PC-2) which permutes as
well as ‘contracts’ to produce a sub-key K2 of 48 bits.
• .
• .
• .
• A left circular shift (of 1 or 2 bits) on the Left-half (C15 )
and Right-half (D15) separately (Output: C16 of 28 bits
and D16 of 28 bits)
followed by a Permuted Choice (PC-2) which permutes as
well as ‘contracts’ to produce a sub-key K16 of 48 bits.
48
Key Schedule
• KA = PC1(K)
• KB1 = LS-j(KA), where LS-j is a left circular shift by j bits on the two 28-bit halves of the 56 bits separately; j for each round is given by Table 5.
• KB2 = LS-j(KB1)
• KB3 = LS-j(KB2)
• ...
• KBi = LS-j(KBi-1)
• ...
• KB16 = LS-j(KB15)
• Ki = PC2(KBi)
49
i-th Round
The part in yellow in the previous slide shows the sub-key generation. After PC1, the circular rotations are independent for the left half and the right half.
ENCRYPTION: in the i-th round,
Li = Ri-1
Ri = Li-1 ⊕ F(Ri-1, Ki)
   = Li-1 ⊕ P(S(E(Ri-1) ⊕ Ki))
where E: expansion from 32 bits to 48
S: using 8 S-boxes to convert 48 bits to 32 bits; each S-box converts 6 bits to 4 bits
P: permutation
50
Expansion-Permutation (E/P):
• In figure 2, the E-table generates a 48-bit output from the 32-bit input by expansion-permutation using table T6 (entries are input bit positions, read row by row):
Table T6: E/P
32  1  2  3  4  5
 4  5  6  7  8  9
 8  9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32  1
51
DES Decryption:
Decryption uses the same algorithm as encryption except that the order of the sub-keys is reversed:
• in the first round of decryption, sub-key K16 is used,
• ...
• in the 16th round of decryption, sub-key K1 is used.
52
Decryption Relations
ENCRYPTION (from slide 50):
Li = Ri-1
Ri = Li-1 ⊕ F(Ri-1, Ki)
   = Li-1 ⊕ P(S(E(Ri-1) ⊕ Ki))
Rewriting, the DECRYPTION relations are:
Ri-1 = Li
Li-1 = Ri ⊕ F(Ri-1, Ki)
On substituting the value of Ri-1 from the first decryption relation,
Li-1 = Ri ⊕ F(Li, Ki)
53
Decryption Process
• First: IP on the ciphertext undoes the final IP^-1 step of encryption
• 16 rounds: the first round, with sub-key K16, undoes the 16th round of encryption
  ...
  the sixteenth round, with sub-key K1, undoes the 1st encryption round
• Last: IP^-1 undoes the initial encryption IP
54
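The following added example is not from the slides: it implements DES in Python exactly as the preceding slides describe it (IP, sixteen Feistel rounds with E, the S-boxes and P, the PC-1/shift/PC-2 key schedule, and decryption as the same routine with the sub-keys in reverse order), using the standard's published tables. Function names are chosen here; the S-boxes are written as hex strings, one row of 16 entries after another.

```python
"""Added example (not from the slides): a table-driven DES showing the pieces
the slides describe: IP, the Feistel round L_i = R_{i-1}, R_i = L_{i-1} xor
f(R_{i-1}, K_i), the E / S-box / P cipher function, the PC-1 / shift / PC-2
key schedule, and decryption as the same algorithm with the sub-keys reversed.
Bits are lists of 0/1 indexed with DES's 1-based table numbering."""

# Initial permutation: rows start at 58,60,62,64,57,59,61,63 and step down by 8.
IP = [s - 8 * j for s in (58, 60, 62, 64, 57, 59, 61, 63) for j in range(8)]
FP = [IP.index(i) + 1 for i in range(1, 65)]                 # IP^-1
# Expansion E (table T6): each 4-bit block plus one bit from each neighbour.
E = [(4 * i + j - 1) % 32 + 1 for i in range(8) for j in range(6)]
P = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
     2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]
PC1 = [57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, 10, 2, 59, 51, 43, 35,
       27, 19, 11, 3, 60, 52, 44, 36, 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38,
       30, 22, 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4]
PC2 = [14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, 23, 19, 12, 4, 26, 8, 16, 7,
       27, 20, 13, 2, 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48, 44, 49, 39, 56,
       34, 53, 46, 42, 50, 36, 29, 32]
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]   # 1 bit in rounds 1, 2, 9, 16
# S-boxes S1..S8 as 64 hex digits each: rows 0..3, columns 0..15 (FIPS 46-3 tables).
SBOX = [
    "e4d12fb83a6c59070f74e2d1a6cb953841e8d62bfc973a50fc8249175b3ea06d",
    "f18e6b34972dc05a3d47f28ec01a69b50e7ba4d158c6932fd8a13f42b67c05e9",
    "a09e63f51dc7b428d709346a285ecbf1d6498f30b12c5ae71ad069874fe3b52c",
    "7de3069a1285bc4fd8b56f03472c1ae9a690cb7df13e52843f06a1d8945bc72e",
    "2c417ab6853fd0e9eb2c47d150fa3986421bad78f9c5630eb8c71e2d6f09a453",
    "c1af92680d34e75baf427c9561de0b389ef528c3704a1db6432c95fabe17608d",
    "4b2ef08d3c975a61d0b7491ae35c2f8614bdc37eaf6805926bd814a7950fe23c",
    "d2846fb1a93e50c71fd8a374c56b0e927b419ce206adf35821e74a8dfc90356b",
]


def permute(bits, table):
    return [bits[i - 1] for i in table]


def to_bits(n, width):
    return [(n >> (width - 1 - i)) & 1 for i in range(width)]


def to_int(bits):
    return int("".join(map(str, bits)), 2)


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def key_schedule(key64):
    """PC-1 drops the 8 parity bits; C and D rotate independently; PC-2 picks 48 bits."""
    cd = permute(to_bits(key64, 64), PC1)
    c, d = cd[:28], cd[28:]
    subkeys = []
    for s in SHIFTS:
        c, d = c[s:] + c[:s], d[s:] + d[:s]       # left circular shift of each half
        subkeys.append(permute(c + d, PC2))
    return subkeys


def f(r, k):
    """Cipher function P(S(E(R) xor K)); each S-box maps 6 bits to 4."""
    x = xor(permute(r, E), k)
    out = []
    for i, box in enumerate(SBOX):
        b = x[6 * i:6 * i + 6]
        row = (b[0] << 1) | b[5]                  # outer two bits select the row
        col = to_int(b[1:5])                      # inner four bits select the column
        out += to_bits(int(box[16 * row + col], 16), 4)
    return permute(out, P)


def feistel(block64, subkeys):
    """IP, 16 rounds, output R16:L16 (the last swap is undone), then IP^-1."""
    bits = permute(to_bits(block64, 64), IP)
    l, r = bits[:32], bits[32:]
    for k in subkeys:
        l, r = r, xor(l, f(r, k))                 # L_i = R_{i-1}; R_i = L_{i-1} xor f
    return to_int(permute(r + l, FP))


def des_encrypt(key64, plaintext64):
    return feistel(plaintext64, key_schedule(key64))


def des_decrypt(key64, ciphertext64):
    return feistel(ciphertext64, key_schedule(key64)[::-1])   # K16 first, K1 last


if __name__ == "__main__":
    key, pt = 0x133457799BBCDFF1, 0x0123456789ABCDEF   # the classic published test vector
    ct = des_encrypt(key, pt)
    print("K1 = %012x" % to_int(key_schedule(key)[0]))
    print("ciphertext = %016x, round trip ok = %s" % (ct, des_decrypt(key, ct) == pt))
```

The only difference between `des_encrypt` and `des_decrypt` is the order of the sub-keys, which is the point of the decryption slides; note also that a 56-bit key space is far too small today (see the brute-force slides below), so this is for study, not for use.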
AES
• AES was designed by Joan Daemen and Vincent Rijmen
• Initially known as the Rijndael cipher
55
Rijndael Cipher
Three steps:
• initial XOR of the block with the first round key
• 9/11/13 rounds (for 128/192/256-bit keys) in which the state undergoes:
  • byte substitution (the same S-box is used on every byte)
  • shift rows (permute bytes between columns)
  • mix columns (substitution using a matrix multiplication of each column)
  • add round key (XOR the state with a separate round key for each round)
• an incomplete last (i.e. 10th/12th/14th) round, without the mix-columns operation
56
Rijndael Cipher (continued)
• The Rijndael cipher has a variable block length and key length: keys of 128, 192 or 256 bits encrypting blocks of 128, 192 or 256 bits (all nine combinations of key length and block length are possible). Both block length and key length can be extended very easily in multiples of 32 bits. (The AES standard, FIPS 197, fixes the block length at 128 bits and keeps the three key lengths.)
• Rijndael can be implemented efficiently on a wide range of processors and in hardware: all operations can be combined into XORs and table lookups, hence it is very fast and efficient.
57
Rijndael Cipher (continued)
• For a 128-bit block the cipher processes data as 4 groups of 4 bytes each.
• Each group is shown as a column in a matrix of four columns; each column has 4 rows.
• Each cell of the 4x4 matrix contains one byte.
• The output of every round is a new state of 128 bits, i.e. 4 columns of 4 bytes each.
• The ciphertext is the final state output by the cipher.
58
Steps of a Round Function
• The round function is uniform and parallel, composed of 4 steps (except for the incomplete last round, which has no MixColumn).
• Each step has its own particular function:
  • ByteSub: non-linearity
  • ShiftRow: inter-column diffusion
  • MixColumn: inter-byte diffusion within columns
  • Round key addition
• The figure on slide 20 shows both the encryption and decryption processes; the STATE at corresponding levels of encryption and decryption is the same.
59
Pseudo Code for Encryption
For the earlier rounds:
Round(State, RoundKey)
{
  ByteSub(State);
  ShiftRow(State);
  MixColumn(State);
  AddRoundKey(State, RoundKey);
}
For the last round it is a little different (no MixColumn):
FinalRound(State, RoundKey)
{
  ByteSub(State);
  ShiftRow(State);
  AddRoundKey(State, RoundKey);
}
60
Three Steps of Decryption
• initial XOR of the ciphertext with the last round key
• 9/11/13 rounds in which the state undergoes:
  • InvByteSub (the same inverse S-box is used on every byte)
  • InvShiftRow (permute bytes between columns, in the opposite direction)
  • InvMixColumn (substitution using the inverse matrix multiplication)
  • add round key (XOR the state with the round keys, taken in reverse order)
• an incomplete last (i.e. 10th/12th/14th) round, without the InvMixColumn operation
62
Pseudo Code for Decryption
For the earlier rounds:
InvRound(State, RoundKey)
{
  InvByteSub(State);
  InvShiftRow(State);
  InvMixColumn(State);
  AddRoundKey(State, RoundKey);
}
For the last round it is a little different:
InvFinalRound(State, RoundKey)
{
  InvByteSub(State);
  InvShiftRow(State);
  AddRoundKey(State, RoundKey);
}
(With the steps in this order the round keys of the inner rounds must first be passed through InvMixColumn; this is the "equivalent inverse cipher" of FIPS 197. The straightforward inverse applies InvShiftRow, InvByteSub, AddRoundKey and then InvMixColumn with the unmodified round keys.)
63
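The following added example is not from the slides: a compact AES-128 in Python that follows the round structure just described (initial round-key addition, nine rounds of ByteSub, ShiftRow, MixColumn and AddRoundKey, a final round without MixColumn, and the straightforward inverse cipher). The S-box is computed from the GF(2^8) inverse and the affine map rather than typed in; function names are chosen here. It is checked against the FIPS 197 example vectors.

```python
"""Added example (not from the slides): AES-128 (Rijndael with a 128-bit block)
with the four round steps, the key schedule and the straightforward inverse
cipher.  The 16-byte state is kept column-major: state[r + 4*c] is row r, column c."""
from functools import reduce
from operator import xor


def xtime(a: int) -> int:
    """Multiply by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a


def gmul(a: int, b: int) -> int:
    """General multiplication in GF(2^8), used by MixColumn and its inverse."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


# Log/antilog tables over the generator 3 give the multiplicative inverse cheaply.
_EXP, _LOG = [0] * 255, [0] * 256
_x = 1
for _i in range(255):
    _EXP[_i] = _x
    _LOG[_x] = _i
    _x = gmul(_x, 3)


def _affine(b: int) -> int:
    """Affine step of ByteSub: b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63."""
    x = b
    for _ in range(4):
        b = ((b << 1) | (b >> 7)) & 0xFF
        x ^= b
    return x ^ 0x63


SBOX = [_affine(_EXP[(255 - _LOG[a]) % 255] if a else 0) for a in range(256)]
INV_SBOX = [SBOX.index(v) for v in range(256)]


def sub_bytes(s, box=SBOX):
    return [box[b] for b in s]


def shift_rows(s, inv=False):
    """Row r is rotated left by r bytes (right by r bytes for the inverse)."""
    sign = -1 if inv else 1
    return [s[r + 4 * ((c + sign * r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(s, m=(2, 3, 1, 1)):
    """Each column is multiplied by the circulant matrix of m; (14, 11, 13, 9) is the inverse."""
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(reduce(xor, (gmul(m[(j - r) % 4], col[j]) for j in range(4))))
    return out


def add_round_key(s, k):
    return [a ^ b for a, b in zip(s, k)]


def expand_key(key: bytes):
    """AES-128 key schedule: 44 words -> 11 round keys of 16 bytes each."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:                       # RotWord, SubWord, Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def aes128_encrypt(key: bytes, block: bytes) -> bytes:
    rk = expand_key(key)
    s = add_round_key(list(block), rk[0])                 # initial XOR with round key 0
    for r in range(1, 10):                                # nine full rounds
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rk[r])
    s = add_round_key(shift_rows(sub_bytes(s)), rk[10])    # last round: no MixColumn
    return bytes(s)


def aes128_decrypt(key: bytes, block: bytes) -> bytes:
    """Straightforward inverse: InvShiftRow, InvByteSub, AddRoundKey, InvMixColumn."""
    rk = expand_key(key)
    s = add_round_key(list(block), rk[10])
    for r in range(9, 0, -1):
        s = mix_columns(add_round_key(sub_bytes(shift_rows(s, inv=True), INV_SBOX), rk[r]),
                        m=(14, 11, 13, 9))
    s = add_round_key(sub_bytes(shift_rows(s, inv=True), INV_SBOX), rk[0])
    return bytes(s)


if __name__ == "__main__":
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # FIPS 197 Appendix C.1
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    ct = aes128_encrypt(key, pt)
    print(ct.hex(), aes128_decrypt(key, ct) == pt)
```

A single block encryption is all this shows; real use needs a mode of operation (CBC, CTR, GCM) and, as the MAC slides below explain, authentication of the ciphertext.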
Public Key/ Asymmetric Cryptography
• Invented in 1976 by Whitfield Diffie and Martin Hellman
• Two keys: private (d), public (e); both are mathematically related.
• REQUIREMENTS: it must be computationally infeasible
  • to derive one key from the other;
  • to find the private key from a chosen-plaintext attack.
• Much slower (about 1000 times) than secret-key cryptography.
64
public-key cryptography (continued)
• A public-key cryptography system requires a trusted system for distributing public keys.
• The RSA (Rivest, Shamir and Adleman) algorithm is the best-known public-key system.
APPLICATIONS
• A digital signature system to authenticate that a message is really from whom it purports to be from.
• The Pretty Good Privacy (PGP) e-mail system uses the public-key system for security.
65
Asymmetric/Public Key Encryption
A: message → [encrypt with B's public key] → encrypted message → Internet
B: encrypted message → [decrypt with B's private key] → message
67
public-key cryptography
(continued)

Data transmission: private key(d), public
key (e)
68
public-key cryptography (continued)
Applications and advantages:
• Storage: for safety, encrypt under the public key of a trusted person
• Secret-key vs. public-key systems:
  • a secret-key system needs a secret key for every pair of persons that wish to communicate: n users → n(n-1)/2 keys
  • a public-key system needs two keys for every person who wants to communicate: n users → 2n keys
69
Digital certificate
for getting a public key reliably
• A digital certificate from a trusted party may contain:
  • the name of a person
  • his e-mail address
  • his public key
• The certificate is signed by the Certification Authority (CA); the recipient uses the public key of the CA to verify that signature before trusting the public key inside.
• Examples of CAs: www.verisign.com or www.thawte.com (Verisign's liability limited to $100 only!)
• Standard for certificates: X.509
70
Digital signatures
Digital Signatures: A is to sign a message Msg and send it to B.
A (signer):
  Msg → Digest Algorithm → Digest
  Digest → encode using the private key of A → Encoded Digest
  send Msg + Encoded Digest
B (verifier):
  Encoded Digest → decode using the public key of A → Digest
  Msg → Digest Algorithm → Digest
  compare the two digests: they must be equal
71
Key management issues
• Distribution of keys, for both the symmetric and the asymmetric case, is a challenge when the two communicating parties are located at a distance.
• Certifying authorities, as mentioned earlier, help. But in view of the very limited liability that the certifying authorities are ready to shoulder, they are not a complete solution.
72
Message/data Encryption
Combines conventional and public-key encryption (hybrid encryption).
Sender:
  session key → [encrypt with the recipient's public key] → encrypted session key
  data → [encrypt with the session key] → encrypted data
73
Message/data Encryption
Combines conventional and public-key encryption (hybrid encryption).
Receiver:
  encrypted session key → [decrypt with the recipient's private key] → session key
  encrypted data → [decrypt with the session key] → data
Public-key encryption provides a secure channel to exchange symmetric encryption keys.
74
Message Authentication Codes
MAC: a sort of hash function which uses a key.
m: message (can be of any size)
K: fixed-size symmetric key, known only to the sender and the receiver
MAC: of fixed size
m + Key → MAC Function → MAC
75
MAC's
for integrity
A message authentication code adds a password/key to a hash:
data + password/key → MAC → data, MAC (transmitted together)
Only the password holder(s) can generate or verify the MAC.
76
MAC (continued)
• A MAC function (also called a cryptographic checksum)
  • need not be reversible;
  • is a many-to-one function.
• A MAC provides authentication and integrity.
• If a second symmetric key is used for encryption, confidentiality can be provided as well. This separates the authentication and confidentiality functionalities.
77
MAC (continued)
Separation of authentication and confidentiality:
• This may be required in a system where authentication is done at the application layer, whereas confidentiality is required at a lower layer (such as the transport layer).
• Or the recipient organization may check authentication at the entry system, while confidentiality is required up to the final host within the recipient organization.
A MAC does not provide signatures:
• the recipient can forge the message (he holds the same key),
• the sender can repudiate it.
78
HMAC:
keyed Hashing for Message Authentication
HMAC: an algorithm which uses a keyless hash function and a cryptographic key to build a MAC.
Advantages: hash functions are fast; there were no export controls on keyless hash functions.
H: a keyless hash function
  input: processed in blocks of b bytes
  output: a hash of l bytes
K: the key, no longer than b bytes (a longer key is first hashed down to l bytes)
K': K padded with zero bytes, if required, so that K' becomes b bytes long
79
HMAC (continued)
ipad: a sequence of b bytes obtained by repeating the byte 0011 0110 (0x36)
opad: a sequence of b bytes obtained by repeating the byte 0101 1100 (0x5C)
Definition of the HMAC-H function with a key K and message m:
HMAC(K, m) = H( (K' XOR opad) || H( (K' XOR ipad) || m ) )
References: 1. M. Bellare, R. Canetti and H. Krawczyk, "Keying Hash Functions for Message Authentication," Advances in Cryptology - Proceedings of CRYPTO '96, pp. 1-15 (1996)
2. H. Krawczyk, M. Bellare and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication," RFC 2104, Feb 1997
80
Function for MAC
• HMAC:
  • MD5 or an SHA function may be used as H.
  • Recommendation for 128-bit security: SHA-256.
• A MAC may also be obtained by using a block cipher in CBC mode (cipher block chaining) and throwing away all the ciphertext blocks except the last one. This is called CBC-MAC.
  • If it is used, the key for encryption and the key for message authentication must be different.
  • Plain CBC-MAC is only secure for messages of one fixed length; variable-length messages need a variant such as CMAC.
  • It is slower than HMAC.
81
Authentication issues
• If only the message between Alice and Bob is authenticated,
  • Eve could store the message and send it again later, or
  • Eve could send the message from Alice back to Alice at some later time, spoofing it as a message from Bob.
• To avoid this, d = information such as the message number, sender address and receiver address may be concatenated with m before creating the MAC.
• If a protocol for time synchronization is used by both the sender and the receiver, the time in seconds after midnight at Greenwich may also be included.
• Alternatively a random number, called a nonce, may be used for the purpose.
82
Authentication issues ....2
Further problem: the version problem, which may increase the size of the fields.
Example: Alice sends the older version. Eve adds data to make it look to Bob as if Alice sent the new version. So the version number also has to be added to d.
RULE: authenticate at a higher layer only.
83
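The following added example is not from the slides. It serves both the HMAC slides and the authentication-issues slides: HMAC is built directly from the definition H((K' XOR opad) || H((K' XOR ipad) || m)) and checked against Python's `hmac` module, and the tag is then computed over d || m, where d carries the message number and the sender and receiver addresses, so that the receiver can reject replays and reflected messages. The key, addresses and messages are constructed; class and function names are chosen here.

```python
"""Added example (not from the slides): HMAC from its definition, plus the
slides' replay fix (message number and addresses under the MAC, receiver
remembers accepted numbers)."""
import hashlib
import hmac


def hmac_from_definition(key: bytes, msg: bytes, hash_fn=hashlib.sha256) -> bytes:
    b = hash_fn().block_size                    # 64 bytes for SHA-256
    if len(key) > b:                            # RFC 2104: hash keys longer than a block
        key = hash_fn(key).digest()
    k = key.ljust(b, b"\x00")                   # K': pad with zero bytes to b bytes
    ipad = bytes(x ^ 0x36 for x in k)           # K' XOR 0011 0110 ...
    opad = bytes(x ^ 0x5C for x in k)           # K' XOR 0101 1100 ...
    inner = hash_fn(ipad + msg).digest()
    return hash_fn(opad + inner).digest()


def authenticate(key: bytes, seq: int, sender: str, receiver: str, msg: bytes) -> bytes:
    """Tag over d || m, with d = message number, sender address, receiver address."""
    header = b"%d|%s|%s|" % (seq, sender.encode(), receiver.encode())
    return hmac_from_definition(key, header + msg)


class Receiver:
    """Verifies tags and refuses any message number it has already accepted."""

    def __init__(self, key: bytes, me: str):
        self.key, self.me, self.seen = key, me, set()

    def accept(self, seq: int, sender: str, receiver: str, msg: bytes, tag: bytes) -> bool:
        if receiver != self.me or seq in self.seen:
            return False                        # reflected back to the sender, or a replay
        expected = authenticate(self.key, seq, sender, receiver, msg)
        if not hmac.compare_digest(expected, tag):
            return False                        # forged, modified, or wrong header
        self.seen.add(seq)
        return True


if __name__ == "__main__":
    key = b"shared-secret-key"                  # constructed
    bob = Receiver(key, "bob")
    tag = authenticate(key, 1, "alice", "bob", b"transfer 10")
    print("first delivery:", bob.accept(1, "alice", "bob", b"transfer 10", tag))
    print("replay        :", bob.accept(1, "alice", "bob", b"transfer 10", tag))
```

`hmac.compare_digest` is used for the comparison so that a wrong tag is rejected in constant time; a byte-by-byte `==` would leak, through timing, how many leading bytes of a guessed tag were correct.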
Cryptanalysis
Cryptanalysis tries to locate the structures and patterns of the plaintext in the ciphertext.
None of the cryptological methods can completely eliminate the patterns and structures of the plaintext in the ciphertext.
A polyalphabetic cipher where the substitution differs from character to character in response to a key which is
• as long as the message, and
• truly random
(the one-time pad) can eliminate such patterns. But how is such a key to be distributed?
84
Cryptanalysis Methods: Finding the Key
Assumption: the attacker always knows the ciphertext and the encryption algorithm.
The more information is available to the attacker, the easier the analysis for finding the key.
TYPES OF ATTACKS, by the amount of INFORMATION available to the attacker:
1. ciphertext only (analysis for the key: most difficult)
2. known plaintext-ciphertext pairs
3. chosen plaintext-ciphertext pairs
4. chosen ciphertext-plaintext pairs
5. chosen text (both 3 and 4) (analysis for the key: easiest)
85
Two Definitions
• UNCONDITIONALLY SECURE: an encryption algorithm for which no amount of ciphertext makes it possible to determine uniquely the corresponding plaintext. Apart from the one-time pad (whose key is as long as the message) there is no such algorithm available.
• COMPUTATIONALLY SECURE: an encryption algorithm is said to be computationally secure if
  • the cost of breaking the cipher exceeds the intrinsic value of the information, or
  • the time required to break the cipher exceeds the time over which the information is required to be confidential.
86
Exhaustive Key Search
Key size | Number of possible keys | Average time at 1 decryption per microsecond
32 bits | 2^32 = 4.3x10^9 | 2^31 µs = 35.8 minutes
56 bits | 2^56 = 7.2x10^16 | 2^55 µs = 1142 years
128 bits | 2^128 = 3.4x10^38 | 2^127 µs = 5.4x10^24 years
26-letter permutation | 26! = 4x10^26 | 2x10^26 µs = 6.4x10^12 years
87
Large numbers and computational security - as worked out by Dr Lawrie Brown
• It can be shown from energy-consumption considerations that the maximum number of elementary operations possible in 1000 years is about 3x10^48.
• Similarly, if 10 atoms are needed to store a bit of information, the greatest possible number of bits storable in a volume the size of the moon is about 10^45.
• If deciphering a cipher requires more than 3x10^48 operations or more than 10^45 bits of storage, it is pretty reasonable to say it is computationally secure.
Reference: notes of Dr Lawrie Brown, Australian Defence Force Academy, available at http://www.williamstallings.com/Crypto3e.html
88
Exhaustive Key Search (continued)
A calculation in 1995 showed that:
• a 56-bit key can be broken in 1 week with 120,000 processors ($6.7M);
• a 56-bit key can be broken in 1 month with 28,000 processors ($1.6M);
• a 64-bit key can be broken in 1 week with 3.1x10^7 processors ($1.7B);
• a 128-bit key would need 5.6x10^26 processors to be broken in 1 week.
89
Brute Force Cryptanalysis
• 1999: a 56-bit key was broken in 22.5 hours with 1,800 chips ($250,000), at about 245x10^9 keys/s (see eff.org), helped by distributed.net
• 1998: a 56-bit key was broken, on dedicated hardware, in a few days
• 1997: a 56-bit key was broken, by using a large number of machines in parallel on the Internet, in a few months
90
Birthday paradox
• A result from probability theory: consider an element that has an equal probability of assuming any one of N values. The probability of a collision (the same value twice) exceeds 50% after choosing about 1.2√N values.
• Random input → function → one of k equally likely values: the same output can be expected after about 1.2·k^(1/2) inputs. Thus in a group of 23 persons, two or more are likely to share the same birthday (put k = 365).
• Birthday attacks are used to find collisions of hash functions.
91
Birthday Bound
• A 64-bit key has 2^64 = 1.8x10^19 different key values, but 2^32 = 4.3x10^9 is its square root.
• If each transaction uses a key selected at random, then after seeing about 1.2x2^32 transactions an attacker can expect the same key to have been used twice.
• For an n-bit case, 2^(n/2) is called the birthday bound.
92
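The following added example is not from the slides. It serves the Message Digest slide (a collision expected after about 1.2·2^(n/2) digests) and the birthday-bound slides above: it finds a real collision in a hash truncated to n bits and counts how many digests that took, so the 1.2·2^(n/2) estimate can be compared with experiment. SHA-256 truncated to its first n bits stands in for any "random" n-bit digest; the messages are constructed, and the function names are chosen here.

```python
"""Added example (not from the slides): measure the birthday bound empirically
by finding a collision in an n-bit truncation of SHA-256."""
import hashlib


def birthday_bound(n_bits: int) -> float:
    """Number of random n-bit values after which a repeat is more likely than not."""
    return 1.2 * 2 ** (n_bits / 2)


def truncated_digest(msg: bytes, n_bits: int) -> int:
    """The first n_bits of SHA-256(msg), as an integer (a stand-in for an n-bit hash)."""
    full = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return full >> (256 - n_bits)


def find_collision(n_bits: int, prefix: bytes = b"msg-"):
    """Hash prefix+counter until two different messages share the same n-bit digest.
    Returns (trials, m1, m2); trials is the number of digests computed."""
    seen = {}
    counter = 0
    while True:
        msg = prefix + str(counter).encode()      # constructed messages
        d = truncated_digest(msg, n_bits)
        if d in seen:
            return counter + 1, seen[d], msg
        seen[d] = msg
        counter += 1


if __name__ == "__main__":
    for n in (16, 24, 32):
        trials, m1, m2 = find_collision(n)
        print("n=%2d: collision %r / %r after %d digests (1.2*2^(n/2) = %.0f)"
              % (n, m1, m2, trials, birthday_bound(n)))
```

For a 128-bit digest the same procedure needs about 1.2·2^64 digests and as much storage, which is why 2^64 (not 2^128) is the relevant work factor in the "strong" collision example above.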
Example of a Birthday Attack
Assume
• a 64-bit key, chosen at random for each message, and
• the first statement in a message is always the same.
The attacker
• listens to and stores all encrypted messages;
• when the FIRST encrypted sentence of a new message turns out to be the same as a stored one (so the same key was used), he replaces the rest of the new message by the old message that he has in his memory.
By the birthday paradox, this is likely to happen after about 2^32 transactions.
93
Example of a "Meet in the Middle" attack
• Generate 2^32 keys and store the encryption of the (known, fixed) first sentence under each of them.
• Compare the first sentence of every encrypted message on the net with each of the stored encryptions.
• On getting a match, the attacker knows the key (by the birthday bound, after about 2^32 observed messages), so he can now replace the remaining message by whatever he wants.
94