Network Security
By: B A Patel
Narmada College of Computer Application
Zadeshwar, Bharuch
Outline
• Cryptography
• Symmetric-Key Algorithms
• Public-Key Algorithms
• Digital Signatures
Why have a computer network?
• For communication
• For resource sharing
The OSI model
Why have security?
The world before computers was in some ways much simpler
• Signing or legalizing a paper would authenticate it
• Photocopying was easily detected
• Erasing, inserting or modifying words on a paper document was easily detectable
• Secure transmission of a document: seal it and use a reasonable mail carrier (hoping the mail train does not get robbed)
• One can recognize each other's face, voice, hand signature, etc.
Electronic world: the ability to copy and alter information has changed dramatically
• No difference between an "original" file and copies of it
• Removing a word from a file or inserting others is undetectable
• Adding a signature to the end of a file/email: one can impersonate it, add it to other files as well, modify it, etc.
• Electronic traffic can be (and is!) monitored and altered, often without anyone noticing
• How to authenticate the person communicating with you electronically?
Some people who cause security problems and why
• Student: to have fun snooping on other people’s email
• Cracker: to test out someone’s security system, to steal data
• Businessman: to discover a competitor’s strategic marketing
plan
• Ex-employee: to get revenge for being fired
• Accountant: to embezzle money from a company
• Stockbroker: to deny a promise made to a customer by
email
• Convict: to steal credit card numbers for sale
• Spy: to learn an enemy’s military or industrial secrets
• Terrorist: to steal germ warfare secrets
Point to make: making a network or a communication secure involves more than just keeping it free of programming errors. It involves outsmarting intelligent, dedicated and often well-funded adversaries.
Security issues: some practical situations
• A sends a file to B; E intercepts it and reads it.
  How to send a file that looks like garbage to all but the intended receiver?
• A sends a file to B; E intercepts it, modifies it, and then forwards it to B.
  How to make sure that the document has been received in exactly the form in which it was sent?
• E sends a file to B pretending it is from A.
  How to make sure your communication partner is really who (s)he claims to be?
• A sends a message to B; E is able to delay the message for a while.
  How to detect old messages?
• A sends a message to B. Later A (or B) denies having sent (received) the message.
  How to deal with electronic contracts?
• E learns which user accesses which information, although the information itself remains secure.
• E prevents communication between A and B: B will reject any message from A because they look unauthentic.
Security Attack
• generic types of attacks
– passive
– active
Passive Attacks
Active Attacks
Classes of network security problems
• Secrecy (or confidentiality)
  Keep the information out of the hands of unauthorized users, even if it has to travel over insecure links
• Authentication
  Determine whom you are talking to before revealing sensitive information
• Non-repudiation (or signatures)
  Prove that the order was to buy X liters of alcohol at the price before the taxes fell and not the price after. Prove also that the order indeed existed
• Data integrity (or message authentication)
  Make sure that the message received was exactly the message you sent (not necessarily interested here in the confidentiality of the document)
Cryptography
What does it say?
Cryptography comes from the Greek words for "secret writing."
Cryptography is the study of secret (crypto) writing (graphy), concerned with developing algorithms which may be used to
• conceal the content of some message from all except the sender and recipient (privacy or secrecy), and/or
• verify the correctness of a message to the recipient (authentication)
• form the basis of many technological solutions to computer and communications security problems
History
Cryptography was already used in ancient times, essentially in three kinds of contexts:
• private communications
• art and religion
• military and diplomatic use
Cryptology could be considered one of humanity's oldest professions. It has a history of at least 4000 years. Ancient Egyptians enciphered some of their hieroglyphic writing on monuments.
Steganography
Methods of concealing text:
• Character marking: selected letters of text are overwritten in pencil. The marks are not visible unless the paper is held at an angle to bright light.
• Invisible ink: substances can be used that leave no visible trace until heat or some chemical is applied.
• Pin punctures: small pin punctures on selected letters are not ordinarily visible unless the paper is held in front of a light.
Some Basic Terminology
• Cryptography: the art or science encompassing the principles and methods of transforming an intelligible message into one that is unintelligible, and then retransforming that message back to its original form.
• plaintext – the original message
• ciphertext – the coded/transformed message
• cipher – an algorithm for transforming an intelligible (plain) message into one that is unintelligible (ciphertext) by transposition and/or substitution methods
• key – some information used in the cipher, known only to sender/receiver
• encipher (encrypt) – the process of converting plaintext to ciphertext using a cipher and a key.
• decipher (decrypt) – the process of converting ciphertext to plaintext using a cipher and a key.
• cryptanalysis (codebreaking) – the study of principles and methods of transforming (deciphering) a ciphertext back into plaintext without knowing the key.
• cryptology – the field covering both cryptography and cryptanalysis
• Code - an algorithm for transforming an intelligible
message into an unintelligible one using a code-book
• Keyspace – Total number of possible values of keys in a
crypto algorithm
• Cryptosystem – The combination of algorithm, key, and
key management functions used to perform cryptographic
operations
Symmetric Cipher Model
Requirements
• two requirements for secure use of symmetric encryption:
  – a strong encryption algorithm
  – a secret key known only to sender / receiver
• mathematically we have:
  Y = E_K(X)
  X = D_K(Y)
  D_K(E_K(X)) = X
• assume the encryption algorithm is known
• implies a secure channel to distribute the key
The encryption model (for a symmetric-key cipher).
A fundamental rule of cryptography is that one must assume that the cryptanalyst knows the methods used for encryption and decryption. The idea that the cryptanalyst knows the algorithms and that the secrecy lies exclusively in the keys is called Kerckhoff's principle.
Kerckhoff's principle: All algorithms must be public; only the keys are secret.
Types of Cryptanalytic Attacks
• ciphertext only
  – only know algorithm / ciphertext, statistical, can identify plaintext
• known plaintext
  – know/suspect plaintext & ciphertext to attack cipher
• chosen plaintext
  – select plaintext and obtain ciphertext to attack cipher
• chosen ciphertext
  – select ciphertext and obtain plaintext to attack cipher
• chosen text
  – select either plaintext or ciphertext to en/decrypt to attack cipher
Cryptography
• can be characterized by:
  – type of encryption operations used
    • substitution / transposition / product
  – number of keys used
    • single-key or private / two-key or public
  – way in which plaintext is processed
    • block / stream
Types of Cryptography
• Stream-based Ciphers
– One at a time, please
– Mixes plaintext with key stream
– Good for real-time services
• Block Ciphers
– Amusement Park Ride
– Substitution and transposition
Encryption Systems
• Substitution Cipher
– Convert one letter to another
– Cryptoquip
• Transposition Cipher
– Change position of letter in text
– Word Jumble
• Monoalphabetic Cipher
– Caesar
Encryption Systems
• Polyalphabetic Cipher
– Vigenère
• Modular Mathematics
– Running Key Cipher
• One-time Pads
– Randomly generated keys
Steganography
• Hiding a message within another medium,
such as an image
• No key is required
• Example
– Modify color map of JPEG image
Cryptographic Methods
• Symmetric
– Same key for encryption and decryption
– Key distribution problem
• Asymmetric
– Mathematically related key pairs for encryption
and decryption
– Public and private keys
Cryptographic Methods
• Hybrid
– Combines strengths of both methods
– Asymmetric distributes symmetric key
• Also known as a session key
– Symmetric provides bulk encryption
– Example:
• SSL negotiates a hybrid method
• “A little knowledge is a dangerous thing”
– Very true in cryptography
Classical Substitution Ciphers
• where letters of plaintext are replaced by
other letters or by numbers or symbols
• or if plaintext is viewed as a sequence of
bits, then substitution involves replacing
plaintext bit patterns with ciphertext bit
patterns
Secrecy
• Scenario: Alice wants to send a message (plaintext p) to Bob. The communication channel is insecure and can be eavesdropped by Trudy. If Alice and Bob have previously agreed on an encryption scheme (cipher), the message can be sent encrypted (ciphertext c)
  [Figure: Alice: p → encrypt → c; c travels over the channel (Trudy listening); Bob: c → decrypt → p]
• Issues:
  – What is a good cipher?
  – What is the complexity of encrypting/decrypting?
  – What is the size of the ciphertext, relative to the plaintext?
  – If Alice and Bob have never interacted before, how can they agree on a cipher?
Traditional Cryptography
• Ciphers were already studied in ancient times
• Caesar’s cipher:
replace a with d
replace b with e
...
replace z with c
• A more general monoalphabetic substitution cipher maps
each letter to some other letter.
Caesar Cipher
• earliest known substitution cipher
• by Julius Caesar
• first attested use in military affairs
• replaces each letter by the 3rd letter on
• example:
  meet me after the party
  PHHW PH DIWHU WKH SDUWB
Caesar Cipher
• More formally:
– Encrypt(Letter, Key) = (Letter + Key) (mod 26)
– Decrypt(Letter, Key) = (Letter - Key) (mod 26)
• Encrypt(“NIKITA”, 3) = “QLNLWD”
• Decrypt(“QLNLWD”, 3) = “NIKITA”
Cryptanalysis of Caesar Cipher
• only have 26 possible ciphers
  – A maps to A, B, ..., Z
• could simply try each in turn
• a brute force search
• given ciphertext, just try all shifts of letters
• do need to recognize when we have plaintext
Breaking Traditional Cryptography
• Armed with simple statistical knowledge, Trudy can easily break a monoalphabetic substitution cipher
  – most frequent letters in English: e, t, o, a, n, i, ...
  – most frequent digrams: th, in, er, re, an, ...
  – most frequent trigrams: the, ing, and, ion, ...
• The first description of the frequency analysis attack appears in a book written in the 9th century by the Arab philosopher al-Kindi
• Ciphertext
• PCQ VMJYPD LBYK LYSO KBXBJXWXV BXV ZCJPO
EYPD KBXBJYUXJ LBJOO KCPK. CP LBO LBCMKXPV
XPV IYJKL PYDBL, QBOP KBO BXV OPVOV LBO LXRO
CI SX'XJMI, KBO JCKO XPV EYKKOV LBO DJCMPV
ZOICJO BYS, KXUYPD: 'DJOXL EYPD, ICJ X
LBCMKXPV XPV CPO PYDBLK Y BXNO ZOOP
JOACMPLYPD LC UCM LBO IXZROK CI FXKL XDOK
XPV LBO RODOPVK CI XPAYOPL EYPDK. SXU Y SXEO
KC ZCRV XK LC AJXNO X IXNCMJ CI UCMJ
SXGOKLU?'
OFYRCDMO, LXROK IJCS LBO LBCMKXPV XPV CPO
PYDBLK
Any Guesses???
Frequency Analysis
• Identifying common letters, digrams and trigrams...
• PCQ VMJYPD LBYK LYSO KBXBJXWXV BXV ZCJPO
EYPD KBXBJYUXJ LBJOO KCPK. CP LBO LBCMKXPV
XPV IYJKL PYDBL, QBOP KBO BXV OPVOV LBO LXRO
CI SX'XJMI, KBO JCKO XPV EYKKOV LBO DJCMPV
ZOICJO BYS, KXUYPD: 'DJOXL EYPD, X LBCMKXPV XPV
CPO PYDBLK Y BXNO ZOOP JOACMPLYPD LC UCM
LBO IXZROK CI FXKL XDOK XPV LBO RODOPVK CI
XPAYOPL EYPDK. SXU Y SXEO KC ZCRV XK LC AJXNO
X IXNCMJ CI UCMJ SXGOKLU?'
OFYRCDMO, LXROK IJCS LBO LBCMKXPV XPV CPO
PYDBLK
• First guess: LBO is THE
Frequency Analysis
• Assuming LBO represents THE we replace L with T, B with
H, and O with E and get
• PCQ VMJYPD THYK TYSE KHXHJXWXV HXV ZCJPE EYPD
KHXHJYUXJ THJEE KCPK. CP THE THCMKXPV XPV IYJKT
PYDHT, QHEP KHO HXV EPVEV THE LXRE CI SX'XJMI, KHE JCKE
XPV EYKKOV THE DJCMPV ZEICJE HYS, KXUYPD: 'DJEXT EYPD,
ICJ X LHCMKXPV XPV CPE PYDHLK Y HXNE ZEEP JEACMPTYPD
TC UCM THE
IXZREK CI FXKL XDEK XPV THE REDEPVK CI XPAYEPT EYPDK.
SXU Y SXEE KC ZCRV XK TC AJXNE X IXNCMJ CI UCMJ
SXGEKTU?'
EFYRCDME, TXREK IJCS THE LHCMKXPV XPV CPE PYDBTK
• More guesses…?
• Code (ciphertext letter in the top row, the plaintext letter it stands for below it)
  X Z A V O I D B Y G E R S P C F H J K L M N Q T U W
  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
• Plaintext: Now during this time Shahrazad had borne King Shahriyar three sons. On the thousand and first night, when she had ended the tale of Ma'aruf, she rose and kissed the ground before him, saying: 'Great King, for a thousand and one nights I have been recounting to you the fables of past ages and the legends of ancient kings. May I make so bold as to crave a favour of your majesty?' Epilogue, Tales from the Thousand and One Nights
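The frequency analysis the last four slides walk through by hand, as an added example (not the lecture's own code): it counts letters and trigrams in the slide's ciphertext, applies the step-by-step guesses (L→T, B→H, O→E) and finally the full key table from the "Code" slide.

```python
"""Frequency analysis of the monoalphabetic ciphertext on the slides.

Added example, not the lecture's own code. CIPHERTEXT is copied from the
"Any Guesses???" slide; CIPHER_ALPHABET is the top row of the key table on
the "Code" slide, i.e. the ciphertext letter that stands for each plaintext
letter A..Z in turn.
"""
import re
from collections import Counter

CIPHERTEXT = (
    "PCQ VMJYPD LBYK LYSO KBXBJXWXV BXV ZCJPO EYPD KBXBJYUXJ LBJOO KCPK. "
    "CP LBO LBCMKXPV XPV IYJKL PYDBL, QBOP KBO BXV OPVOV LBO LXRO CI SX'XJMI, "
    "KBO JCKO XPV EYKKOV LBO DJCMPV ZOICJO BYS, KXUYPD: 'DJOXL EYPD, ICJ X "
    "LBCMKXPV XPV CPO PYDBLK Y BXNO ZOOP JOACMPLYPD LC UCM LBO IXZROK CI "
    "FXKL XDOK XPV LBO RODOPVK CI XPAYOPL EYPDK. SXU Y SXEO KC ZCRV XK LC "
    "AJXNO X IXNCMJ CI UCMJ SXGOKLU?' OFYRCDMO, LXROK IJCS LBO LBCMKXPV XPV "
    "CPO PYDBLK"
)

PLAIN_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
CIPHER_ALPHABET = "XZAVOIDBYGERSPCFHJKLMNQTUW"   # A->X, B->Z, C->A, ...


def letter_frequencies(text: str) -> Counter:
    """Count ciphertext letters; the most common one most likely stands for E."""
    return Counter(ch for ch in text.upper() if ch in PLAIN_ALPHABET)


def ngram_counts(text: str, n: int) -> Counter:
    """Count n-letter groups inside words (digrams for n=2, trigrams for n=3)."""
    counts: Counter = Counter()
    for word in re.findall(r"[A-Z]+", text.upper()):
        for i in range(len(word) - n + 1):
            counts[word[i:i + n]] += 1
    return counts


def partial_decrypt(text: str, guesses: dict) -> str:
    """Apply a few guessed substitutions (e.g. {'L': 'T', 'B': 'H', 'O': 'E'}),
    leaving every other letter as it is, exactly as the slides do step by step."""
    return "".join(guesses.get(ch, ch) for ch in text.upper())


def decrypt_with_table(text: str, cipher_alphabet: str = CIPHER_ALPHABET) -> str:
    """Decrypt with a complete 26-letter key table."""
    table = dict(zip(cipher_alphabet, PLAIN_ALPHABET))
    return "".join(table.get(ch, ch) for ch in text.upper())


if __name__ == "__main__":
    print(letter_frequencies(CIPHERTEXT).most_common(5))   # O (=E) leads
    print(ngram_counts(CIPHERTEXT, 3).most_common(5))      # XPV (=AND), LBO (=THE), ...
    print(partial_decrypt(CIPHERTEXT, {"L": "T", "B": "H", "O": "E"})[:40])
    print(decrypt_with_table(CIPHERTEXT))
```

Note that the top trigram is actually XPV (AND, helped by "thousand" three times) rather than LBO (THE); the slide's first guess still works because THE is a close second and is a word on its own.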
Substitution cipher
• Each letter gets mapped to another letter
– E.g. A -> E, B -> R, C -> Q, ...
• What’s the key space?
– 26!
• Cryptogram puzzles in newspapers
– How do you solve them?
Polyalphabetic Ciphers
• another approach to improving security is to use multiple cipher alphabets
• called polyalphabetic substitution ciphers
• makes cryptanalysis harder with more alphabets to guess and a flatter frequency distribution
• use a key to select which alphabet is used for each letter of the message
• use each alphabet in turn
• repeat from the start after the end of the key is reached
Vigenère Cipher
• simplest polyalphabetic substitution cipher
• effectively multiple Caesar ciphers
• key is multiple letters long: K = k1 k2 ... kd
• ith letter specifies ith alphabet to use
• use each alphabet in turn
• repeat from the start after d letters in the message
• decryption simply works in reverse
Example of Vigenère Cipher
• write the plaintext out
• write the keyword repeated above it
• use each key letter as a Caesar cipher key
• encrypt the corresponding plaintext letter
• eg using keyword deceptive
  key:        deceptivedeceptivedeceptive
  plaintext:  wearediscoveredsaveyourself
  ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ
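The Caesar slides (shift formulas, the 26-shift brute force that must recognise plaintext) and the Vigenère slides in working code, as an added example that is not part of the lecture; the short list of common English words used to recognise plaintext is my own choice.

```python
"""Caesar and Vigenere ciphers (added example, not the lecture's own code).

Letters are treated as integers 0..25 (A = 0), so the slide formulas
    Encrypt(Letter, Key) = (Letter + Key) mod 26
    Decrypt(Letter, Key) = (Letter - Key) mod 26
apply directly. Non-letters pass through unchanged; output is upper case,
as on the slides (meet me after the party -> PHHW PH DIWHU WKH SDUWB).
"""

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Small set of very common English words, used only to recognise when a
# brute-force candidate looks like plaintext (my choice, not the slide's).
COMMON_WORDS = {
    "THE", "AND", "OF", "TO", "A", "IN", "IS", "IT", "YOU", "THAT", "HE",
    "WAS", "FOR", "ON", "ARE", "WITH", "AS", "HIS", "THEY", "BE", "AT",
    "ONE", "HAVE", "THIS", "FROM", "OR", "HAD", "BY", "NOT", "BUT", "WHAT",
    "ALL", "WERE", "WE", "WHEN", "YOUR", "CAN", "SAID", "THERE", "ME",
    "AFTER", "TIME", "WILL",
}


def shift_letter(ch: str, key: int) -> str:
    """Shift one ASCII letter by `key` places mod 26; leave anything else alone."""
    if not (ch.isascii() and ch.isalpha()):
        return ch
    return ALPHABET[(ALPHABET.index(ch.upper()) + key) % 26]


def caesar_encrypt(plaintext: str, key: int = 3) -> str:
    """Caesar cipher: every letter moves `key` places (Caesar himself used 3)."""
    return "".join(shift_letter(c, key) for c in plaintext)


def caesar_decrypt(ciphertext: str, key: int = 3) -> str:
    return "".join(shift_letter(c, -key) for c in ciphertext)


def looks_like_english(text: str) -> int:
    """Score a candidate plaintext by how many of its words are common English words."""
    return sum(1 for word in text.split() if word in COMMON_WORDS)


def break_caesar(ciphertext: str) -> tuple:
    """Try all 26 shifts and return (key, plaintext) for the most English-looking one.

    This is the brute force of the cryptanalysis slide: the work is not the 26
    trials but recognising which trial produced real plaintext."""
    candidates = [(k, caesar_decrypt(ciphertext, k)) for k in range(26)]
    return max(candidates, key=lambda kp: looks_like_english(kp[1]))


def _vigenere(text: str, keyword: str, direction: int) -> str:
    """Shared key stream: the i-th letter is shifted by the i-th key letter, the key
    repeating; `direction` is +1 to encrypt and -1 to decrypt (reverse, as the slide says)."""
    shifts = [ALPHABET.index(k) for k in keyword.upper()]
    out, i = [], 0                 # i counts letters only: punctuation uses no key
    for ch in text:
        if ch.isascii() and ch.isalpha():
            out.append(shift_letter(ch, direction * shifts[i % len(shifts)]))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def vigenere_encrypt(plaintext: str, keyword: str) -> str:
    return _vigenere(plaintext, keyword, +1)


def vigenere_decrypt(ciphertext: str, keyword: str) -> str:
    return _vigenere(ciphertext, keyword, -1)


if __name__ == "__main__":
    print(caesar_encrypt("meet me after the party"))              # PHHW PH DIWHU WKH SDUWB
    print(break_caesar("PHHW PH DIWHU WKH SDUWB"))               # (3, 'MEET ME AFTER THE PARTY')
    print(vigenere_encrypt("wearediscoveredsaveyourself", "deceptive"))
```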
Transposition Ciphers
• now consider classical transposition or permutation ciphers
• these hide the message by rearranging the letter order
• without altering the actual letters used
• can recognise these since they have the same frequency distribution as the original text
Permutation Cipher
• Rearrange letters instead of substituting them
• E.g.
  – Plaintext = "HELLO WORLD", written down two columns:
    H W
    E O
    L R
    L L
    O D
  – Ciphertext (read off row by row) = "HWEOLRLLOD"
Row Transposition Ciphers
• a more complex scheme
• write letters of message out in rows over a specified number of columns
• then reorder the columns according to some key before reading off the rows
  Key:        4 3 1 2 5 6 7
  Plaintext:  a t t a c k p
              o s t p o n e
              d u n t i l t
              w o a m x y z
  Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ
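The row transposition of this slide in code, as an added example (not the lecture's own): encryption reads the columns in the order the key dictates, decryption rebuilds the grid, and a last helper checks the point of the previous slide, that the letter frequencies are untouched.

```python
"""Row transposition cipher of the slide (added example, not the lecture's
own code). The key is a permutation of 1..n over n columns; the ciphertext
is read off column by column in the order the key gives (the column
labelled 1 first), which for key 4 3 1 2 5 6 7 and plaintext
attackpostponeduntiltwoamxyz yields TTNAAPTMTSUOAODWCOIXKNLYPETZ.
"""
from collections import Counter


def _letters_only(text: str) -> str:
    return "".join(ch for ch in text.upper() if ch.isalpha())


def _column_order(key: tuple) -> list:
    """Column indices in reading order: the column labelled 1 first, then 2, ..."""
    if sorted(key) != list(range(1, len(key) + 1)):
        raise ValueError("key must be a permutation of 1..n")
    return sorted(range(len(key)), key=lambda c: key[c])


def row_transposition_encrypt(plaintext: str, key: tuple) -> str:
    letters = _letters_only(plaintext)
    ncols = len(key)
    if len(letters) % ncols:
        raise ValueError("plaintext must fill the grid exactly; pad it (e.g. with xyz) first")
    rows = [letters[i:i + ncols] for i in range(0, len(letters), ncols)]
    # read column c top to bottom, for the columns in key order
    return "".join(row[c] for c in _column_order(key) for row in rows)


def row_transposition_decrypt(ciphertext: str, key: tuple) -> str:
    ncols = len(key)
    nrows = len(ciphertext) // ncols
    grid = [[""] * ncols for _ in range(nrows)]
    # the j-th run of nrows ciphertext letters is the column read j-th
    for j, c in enumerate(_column_order(key)):
        for r, ch in enumerate(ciphertext[j * nrows:(j + 1) * nrows]):
            grid[r][c] = ch
    return "".join("".join(row) for row in grid)


def same_letter_frequencies(text_a: str, text_b: str) -> bool:
    """Transposition only reorders letters, so the frequency distribution is
    unchanged; that is how such a cipher is recognised (previous slide)."""
    return Counter(_letters_only(text_a)) == Counter(_letters_only(text_b))


if __name__ == "__main__":
    key = (4, 3, 1, 2, 5, 6, 7)
    ct = row_transposition_encrypt("attackpostponeduntiltwoamxyz", key)
    print(ct, row_transposition_decrypt(ct, key))
```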
Transposition Ciphers
• A transposition cipher.
Product Ciphers
• ciphers using substitutions or transpositions are
not secure because of language characteristics
• hence consider using several ciphers in
succession to make harder, but:
– two substitutions make a more complex substitution
– two transpositions make more complex transposition
– but a substitution followed by a transposition makes a
new much harder cipher
• this is the bridge from classical to modern ciphers
One-Time Pad
• if a truly random key as long as the message is used, the cipher will be secure
• called a One-Time Pad
• is unbreakable since the ciphertext bears no statistical relationship to the plaintext
• since for any plaintext & any ciphertext there exists a key mapping one to the other
• can only use the key once though
• have the problem of safe distribution of the key
One-Time Pads
The use of a one-time pad for encryption and the
possibility of getting any possible plaintext from
the ciphertext by the use of some other pad.
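A byte-level one-time pad as an added example (not the lecture's own code), showing the two points of these slides: any plaintext of the right length can be "explained" by some other pad, and reusing a pad lets the pad cancel out. Messages and the pad in the demo are constructed values.

```python
"""One-time pad over bytes (added example, not the lecture's own code).

Encryption XORs each plaintext byte with one pad byte. If the pad is truly
random, as long as the message and never reused, the ciphertext carries no
statistical information about the plaintext. `pad_that_explains` shows the
slide's point: for ANY candidate plaintext of the same length there is a pad
under which the observed ciphertext decrypts to it, so the ciphertext alone
cannot tell the candidates apart. `pad_reuse_leak` shows what is lost when
the key is used twice.
"""
import secrets


def fresh_pad(length: int) -> bytes:
    """A pad from the OS CSPRNG, exactly as long as the message it protects."""
    return secrets.token_bytes(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the message")
    return xor_bytes(plaintext, pad[:len(plaintext)])


otp_decrypt = otp_encrypt     # XOR is its own inverse


def pad_that_explains(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """The pad under which `ciphertext` decrypts to `candidate_plaintext`.
    One exists for every candidate of the right length: that is perfect secrecy."""
    return xor_bytes(ciphertext, candidate_plaintext)


def pad_reuse_leak(ciphertext1: bytes, ciphertext2: bytes) -> bytes:
    """With one pad used for two messages, c1 ^ c2 == p1 ^ p2: the pad cancels and
    the relationship between the plaintexts is exposed. Hence 'use the key once'."""
    return xor_bytes(ciphertext1, ciphertext2)


if __name__ == "__main__":
    message = b"ATTACK AT DAWN"                 # constructed sample message
    pad = fresh_pad(len(message))
    ct = otp_encrypt(message, pad)
    other = b"HOLD POSITIONS"                  # same length, equally plausible
    print(otp_decrypt(ct, pad_that_explains(ct, other)))   # b'HOLD POSITIONS'
```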
Quantum Cryptography
Quantum cryptography is based on the fact that light comes in
little packets called photons.
Light can be polarized by being passed through a polarizing
filter.
If a beam of light (photons) is passed through a polarizing filter,
all the photons emerging from it will be polarized in the direction
of the filter's axis (e.g., vertical).
If the beam is now passed through a second polarizing filter, the
intensity of the light emerging from the second filter is
proportional to the square of the cosine of the angle between
the axes.
Quantum Cryptography
If the two axes are perpendicular, no photons get through.
The absolute orientation of the two filters does not matter; only
the angle between their axes counts.
To generate a one-time pad, one needs two sets of polarizing
filters.
Set one consists of a vertical filter and a horizontal filter. This
choice is called a rectilinear basis.
The second set of filters is the same, except rotated 45
degrees, so one filter runs from the lower left to the upper right
and the other filter runs from the upper left to the lower right.
This choice is called a diagonal basis.
Secret-Key Ciphers
• A secret-key cipher uses a key to encrypt and decrypt
• Caesar's generalized cipher uses modular addition of each character (viewed as an integer) with the key:
  c_i = (p_i + k) mod m
  p_i = (c_i - k) mod m
• A more secure scheme is to use modular exponentiation to encrypt blocks of characters (viewed as integers):
  c[i,j] = p[i,j]^k mod m
  where m is a large prime.
Secret-Key Ciphers made more secure
• Unlike modular addition, modular exponentiation is considered computationally infeasible (exponential) to invert. Thus, even if Trudy guesses a pair (c[i,j], p[i,j]) (for example, she knows the plaintext starts with the words "Dear Bob") she still cannot compute the key k.
• Alice and Bob need to share only the key k. Bob decrypts using Euler's Theorem from number theory:
  p[i,j] = c[i,j]^d mod m
  where d can be easily computed from k and m using Euclid's gcd algorithm.
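The exponentiation cipher of these two slides as an added example (not the lecture's own code): d is the inverse of k modulo m-1 via the extended Euclidean algorithm; the prime 2^61-1, the exponent 65537 and the 7-byte block size are my own toy choices.

```python
"""Exponentiation cipher of the slides: c = p^k mod m with m prime,
p = c^d mod m. Added example, not the lecture's own code.

By Fermat's little theorem (the Euler theorem the slide refers to),
p^(m-1) = 1 mod m, so d has to satisfy k*d = 1 mod (m-1); the extended
Euclidean algorithm finds it, which is why k must be coprime to m-1.
The prime 2^61 - 1 and k = 65537 used in the demo are toy choices;
7-byte blocks keep every block value below m.
"""


def extended_gcd(a: int, b: int) -> tuple:
    """Return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y


def decryption_exponent(k: int, m: int) -> int:
    """d = k^-1 mod (m-1); fails if k shares a factor with m-1."""
    g, x, _ = extended_gcd(k, m - 1)
    if g != 1:
        raise ValueError("k must be coprime to m-1")
    return x % (m - 1)


def encrypt_block(p: int, k: int, m: int) -> int:
    if not 0 <= p < m:
        raise ValueError("block value must be smaller than the modulus")
    return pow(p, k, m)


def decrypt_block(c: int, d: int, m: int) -> int:
    return pow(c, d, m)


def encrypt_text(text: str, k: int, m: int, block_len: int = 7) -> list:
    """Pad with NUL bytes to a block boundary and encrypt block by block.
    Like any deterministic block cipher, equal plaintext blocks give equal
    ciphertext blocks (the ECB weakness discussed later in the slides)."""
    if block_len * 8 >= m.bit_length():
        raise ValueError("blocks must be smaller than the modulus")
    data = text.encode("utf-8")
    data += b"\x00" * (-len(data) % block_len)
    return [encrypt_block(int.from_bytes(data[i:i + block_len], "big"), k, m)
            for i in range(0, len(data), block_len)]


def decrypt_text(blocks: list, d: int, m: int, block_len: int = 7) -> str:
    data = b"".join(decrypt_block(c, d, m).to_bytes(block_len, "big") for c in blocks)
    return data.rstrip(b"\x00").decode("utf-8")


if __name__ == "__main__":
    m, k = 2**61 - 1, 65537          # toy parameters: Mersenne prime, odd exponent
    d = decryption_exponent(k, m)
    blocks = encrypt_text("Dear Bob, meet me at noon", k, m)
    print(blocks)
    print(decrypt_text(blocks, d, m))
```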
How to Establish a Shared Key?
• What if Alice and Bob have never met and did not agree on a key?
• The Diffie-Hellman key exchange protocol (1976) allows strangers to establish a secret shared key while communicating over an insecure channel
The Diffie-Hellman key exchange
• Alice picks her secret "half-key" x (a large integer) and two large primes m and g. She sends to Bob:
  (m, g, g^x mod m)
• Even if Trudy intercepts (m, g, g^x mod m), she cannot figure out x because modular logarithms are hard to compute.
• Bob picks his secret half-key y and sends to Alice:
  (g^y mod m)
• Again, Trudy cannot figure out y.
• The shared key is: g^(xy) mod m
  – Bob computes it as (g^x mod m)^y mod m
  – Alice computes it as (g^y mod m)^x mod m
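The exchange in the slide's notation, as an added example that is not the lecture's own code: both sides' messages, what Trudy sees, and why the tiny demo parameters (m = 23, g = 5) would be worthless in practice.

```python
"""Diffie-Hellman key exchange in the slide's notation (added example, not
the lecture's own code): public modulus m and base g, Alice's secret
half-key x, Bob's secret half-key y, shared key g^(xy) mod m.

The small parameters in the demo (m = 23, g = 5) are toy values chosen so
the discrete logarithm can be brute-forced in a loop; a real deployment
uses a standardized group of 2048 bits or more (or elliptic curves), where
the same loop would never finish.
"""
import secrets
from typing import Optional


def half_key_public(g: int, secret: int, m: int) -> int:
    """g^secret mod m: what each party sends over the insecure channel."""
    return pow(g, secret, m)


def shared_key(their_public: int, my_secret: int, m: int) -> int:
    """(g^theirs mod m)^mine mod m == g^(theirs*mine) mod m."""
    return pow(their_public, my_secret, m)


def run_exchange(m: int, g: int, x: int, y: int) -> dict:
    """Play both sides and record exactly what an eavesdropper (Trudy) sees."""
    alice_sends = (m, g, half_key_public(g, x, m))   # (m, g, g^x mod m)
    bob_sends = half_key_public(g, y, m)             # g^y mod m
    return {
        "trudy_sees": {"m": m, "g": g, "g^x": alice_sends[2], "g^y": bob_sends},
        "alice_key": shared_key(bob_sends, x, m),
        "bob_key": shared_key(alice_sends[2], y, m),
    }


def discrete_log_by_trial(g: int, h: int, m: int) -> Optional[int]:
    """The generic way to recover x from g^x mod m: try every exponent.
    Instant for m = 23; hopeless for a 2048-bit m, which is the whole point."""
    value = 1
    for x in range(1, m):
        value = (value * g) % m
        if value == h:
            return x
    return None


def fresh_secret(m: int) -> int:
    """A random half-key in [2, m-2] from a CSPRNG (never the random module)."""
    return 2 + secrets.randbelow(m - 3)


if __name__ == "__main__":
    result = run_exchange(23, 5, 6, 15)
    print(result)                                     # both keys are 2
    print(discrete_log_by_trial(5, result["trudy_sees"]["g^x"], 23))   # 6: toy m is too small
```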
Two Fundamental Cryptographic Principles
Redundancy
The first principle is that all encrypted messages must contain
some redundancy, that is, information not needed to understand
the message.
Cryptographic principle 1: Messages must contain some
redundancy
In other words, upon decrypting a message, the recipient must
be able to tell whether it is valid by simply inspecting it and
perhaps performing a simple computation. This redundancy is
needed to prevent active intruders from sending garbage and
tricking the receiver into decrypting the garbage and acting on
the ''plaintext.''
Two Fundamental Cryptographic Principles
Freshness
The second cryptographic principle is that some measures must be taken to ensure that each message received can be verified as being fresh, that is, sent very recently. This measure is needed to prevent active intruders from playing back old messages.
Cryptographic principle 2: Some method is needed to foil replay attacks
One such measure is including in every message a timestamp valid only for, say, 10 seconds. The receiver can then just keep messages around for 10 seconds, to compare newly arrived messages to previous ones to filter out duplicates. Messages older than 10 seconds can be thrown out, since any replays sent more than 10 seconds later will be rejected as too old.
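The receiver-side freshness check of this slide as an added example (not the lecture's own code): a 10-second validity window plus a short memory of accepted messages. The (timestamp, payload) message shape and the clock-skew check are my own additions; the code assumes the message was already decrypted and integrity-checked, otherwise the timestamp could simply be rewritten.

```python
"""Freshness check against replay, following the slide: each message
carries a timestamp valid for 10 seconds; the receiver remembers what it
accepted in the last 10 seconds to drop duplicates, and discards anything
older. Added example, not the lecture's own code. The (timestamp, payload)
message shape and the future-skew check are my own choices. Assumes the
message has already been decrypted and its integrity verified.
"""
from collections import deque

WINDOW_SECONDS = 10.0


class FreshnessFilter:
    def __init__(self, window: float = WINDOW_SECONDS, max_skew: float = 2.0):
        self.window = window
        self.max_skew = max_skew          # tolerated sender clock drift into the future
        self.recent: deque = deque()      # (timestamp, payload) accepted within the window

    def _forget_old(self, now: float) -> None:
        """Drop remembered messages once they are old enough to be rejected anyway,
        so the memory never grows beyond one window's worth of traffic."""
        self.recent = deque(m for m in self.recent if now - m[0] <= self.window)

    def accept(self, message: tuple, now: float) -> tuple:
        """Return (accepted, reason) for a (timestamp, payload) message arriving at `now`."""
        timestamp, _payload = message
        self._forget_old(now)
        if now - timestamp > self.window:
            return False, "too old"                   # a replay sent later than 10 s
        if timestamp - now > self.max_skew:
            return False, "timestamp in the future"   # clock skew or a forged stamp
        if message in self.recent:
            return False, "duplicate within window"   # a replay inside the 10 s
        self.recent.append(message)
        return True, "fresh"


if __name__ == "__main__":
    f = FreshnessFilter()
    msg = (100.0, b"transfer 10 to Bob")            # constructed sample message
    print(f.accept(msg, 100.5))    # (True, 'fresh')
    print(f.accept(msg, 104.0))    # (False, 'duplicate within window')
    print(f.accept(msg, 111.0))    # (False, 'too old')
```

In practice the memory would hold a hash or message id rather than the whole message, which changes nothing in the logic above.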
Symmetric-Key Algorithms
• DES – The Data Encryption Standard
• AES – The Advanced Encryption Standard
• Cipher Modes
• Other Ciphers
• Cryptanalysis
Symmetric & Public Key Algorithms
Symmetric Key Algorithms
Encryption and decryption keys are known to both communicating parties (Alice and Bob).
They are usually related and it is easy to derive the decryption key once one knows the encryption key. In most cases, they are identical.
All of the classical (pre-1970) cryptosystems are symmetric.
Examples: DES and AES (Rijndael)
A secret should be shared (or agreed) between the communicating parties.
Cryptographic algorithms can be implemented in either
hardware (for speed) or in software (for flexibility).
Transpositions and substitutions can be implemented with
simple electrical circuits.
• Basic elements of product ciphers. (a) P-box.
(b) S-box. (c) Product.
If the 8 bits are designated from top to bottom as 01234567, the output of this particular P-box is 36071245.
Substitutions are performed by S-boxes. A 3-bit plaintext is entered and a 3-bit ciphertext is output. The 3-bit input selects one of the eight lines exiting from the first stage and sets it to 1; all the other lines are 0. The second stage is a P-box. The third stage encodes the selected input line in binary again.
We cascade a whole series of boxes to form a product cipher. Theoretically, it would be possible to have the second stage be an S-box that mapped a 12-bit number onto another 12-bit number. However, such a device would need 2^12 = 4096 crossed wires in its middle stage.
Instead, the input is broken up into four groups of 3 bits, each of
which is substituted independently of the others.
Product ciphers that operate on k-bit inputs to produce k-bit
outputs are very common. Typically, k is 64 to 256.
DES History
• IBM developed Lucifer cipher
– by team led by Feistel in late 60’s
– used 64-bit data blocks with 128-bit key
• then redeveloped as a commercial cipher
with input from NSA and others
• in 1973 NBS issued request for proposals
for a national cipher standard
• IBM submitted their revised Lucifer which
was eventually accepted as the DES
DES Design Controversy
• although DES standard is public
• was considerable controversy over design
– in choice of 56-bit key (vs Lucifer 128-bit)
– and because design criteria were classified
• subsequent events and public analysis
show in fact design was appropriate
• use of DES has flourished
– especially in financial applications
– still standardised for legacy application use
DES Encryption Overview
DES—The Data Encryption Standard
DES encryption scheme
• The plaintext (64 bits) passes through an initial permutation IP (on 64 bits)
• Then follow 16 identical rounds; in each round a different subkey is used; each subkey is generated from the key
• After round 16, swap the left half with the right half
• Apply the inverse of the initial permutation IP^-1 (on 64 bits)
Details of a single round of DES
• Consider L the left half of the input to the round and R its right half; each of them has 32 bits
• As in any Feistel cipher the overall processing is
  L_i = R_{i-1},  R_i = L_{i-1} ⊕ F(R_{i-1}, K_i)
• The round subkey K_i has 48 bits
• R is expanded from 32 to 48 bits using an "expansion permutation" E; this is a table that defines a permutation, at the same time duplicating 16 of the bits in R
• These 48 bits are XORed with the subkey K_i
• The 48-bit result passes through a substitution function that produces a 32-bit output
• Then apply a permutation P
The substitutions in the DES rounds: S-boxes
• There are 8 S-boxes, each of them accepting a 6-bit input and producing a 4-bit output
• The S-boxes are 4 x 16 tables (shown on the next slide) and are used as follows:
  – The first and the last bit of the input to the S-box form a 2-bit binary number that selects the row of the S-box (rows are from 0 to 3)
  – The middle four bits select the column of the S-box (columns are from 0 to 15)
  – The decimal value in the selected entry of the S-box is converted to its 4-bit binary representation to produce the output
Definition of S-boxes
Example: consider the input 011001 to S-box S1
• The row is given by the outer bits of 011001: 01 (i.e. 1)
• The column is given by the middle bits of 011001: 1100 (i.e. 12)
• The value in the selected cell is 9
• Output is 1001
Note that each row of each S-box is in fact an invertible substitution on 4 bits (permutation of the numbers from 0 to 15)
Note also that the output of the S-box is immediately permuted in DES so that it spreads in the ciphertext
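The round rule of the "single round" slide and the S-box addressing of the last two slides in code, as an added example that is not the lecture's own. It is not DES: the round function is a toy and the subkeys are constants I made up; only the Feistel structure (and hence decryption by reversing the subkeys) and the real S1 table with its row/column rule are faithful.

```python
"""Feistel round structure and DES-style S-box addressing (added example,
not the lecture's own code). This is NOT DES: the round function F below
is a toy that XORs in a 32-bit subkey and pushes 6-bit chunks through the
real DES S-box S1, and the "key schedule" is just a list of constants.
What it does reproduce from the slides is the round rule
    L_i = R_{i-1},  R_i = L_{i-1} XOR F(R_{i-1}, K_i),
the final swap of the halves, the fact that decryption is the same network
run with the subkeys in reverse order, and the S-box row/column rule
(outer two bits select the row, middle four bits the column).
"""
from typing import Iterable

MASK32 = 0xFFFFFFFF

# DES S-box S1 as published in FIPS 46: 4 rows x 16 columns of 4-bit values.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox_lookup(sbox: list, six_bits: int) -> int:
    """Map a 6-bit input to 4 bits: row = (b5, b0), column = b4..b1."""
    row = ((six_bits >> 5) & 1) << 1 | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return sbox[row][col]


def rows_are_permutations(sbox: list) -> bool:
    """The slide's remark: every S-box row is a permutation of 0..15."""
    return all(sorted(row) == list(range(16)) for row in sbox)


def toy_round_function(right: int, subkey: int) -> int:
    """Toy F: key mixing, S1 on five 6-bit chunks, then a rotation standing in
    for the P permutation. Any deterministic function of (right, subkey) will
    do for the Feistel construction; this one is only for illustration."""
    x = (right ^ subkey) & MASK32
    out = 0
    for i in range(5):                       # bits 0..29 as five 6-bit chunks
        out |= sbox_lookup(S1, (x >> (6 * i)) & 0x3F) << (4 * i)
    out ^= x >> 30                           # fold the two leftover high bits in
    return ((out << 13) | (out >> 19)) & MASK32


def feistel_round(left: int, right: int, subkey: int) -> tuple:
    """One round exactly as on the slide: L_i = R_{i-1}, R_i = L_{i-1} ^ F(R_{i-1}, K_i)."""
    return right, left ^ toy_round_function(right, subkey)


def feistel_encrypt(block: int, subkeys: Iterable[int]) -> int:
    """Encrypt a 64-bit block: run the rounds, then swap the halves (as DES does
    after round 16) so that the same network can be used for decryption."""
    left, right = (block >> 32) & MASK32, block & MASK32
    for k in subkeys:
        left, right = feistel_round(left, right, k)
    return (right << 32) | left


def feistel_decrypt(block: int, subkeys: Iterable[int]) -> int:
    """Same network, subkeys in reverse order: each round undoes its twin because
    XORing F(R, K) twice with the same R and K cancels out."""
    return feistel_encrypt(block, list(reversed(list(subkeys))))


if __name__ == "__main__":
    print(sbox_lookup(S1, 0b011001))          # 9, as in the slide's example
    subkeys = [0x0F1E2D3C, 0x4B5A6978, 0x8796A5B4, 0xC3D2E1F0]   # made-up constants
    ct = feistel_encrypt(0x0123456789ABCDEF, subkeys)
    print(hex(ct), hex(feistel_decrypt(ct, subkeys)))
```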
Data Encryption Standard
• The data encryption standard. (a) General outline.
(b) Detail of one iteration. The circled + means exclusive OR.
Triple DES
As early as 1979, IBM realized that the DES key length was too short and devised a way to effectively increase it, using triple encryption.
In the method chosen, two keys and three stages are used. In the first stage, the plaintext is encrypted using DES in the usual way with K1. In the second stage, DES is run in decryption mode, using K2 as the key. Finally, another DES encryption is done with K1.
• (a) Triple encryption using DES. (b) Decryption.
Analysis of DES
• Avalanche effect: this is a desirable property of any encryption algorithm
• A small change (even 1 bit) in the plaintext should produce a significant change in the ciphertext
• Example: consider two blocks of 64 zeros and in the second block rewrite 1 on the first position. Encrypt them both with DES: depending on the key, the result may have 34 different bits!
• A small change (even 1 bit) in the key should produce a significant change in the ciphertext
• Example: a change of one bit in the DES key may produce 35 different bits in the encryption of the same plaintext
Strength of DES
• Two main concerns with DES: the length of the key and the nature of the algorithm
• The key is rather short: 56 bits; there are 2^56 possible keys, around 7.2 x 10^16
• On average, only half of the keys have to be tried to break the system
• In principle it should take a long time to break the system
• Things are quicker with dedicated hardware: 1998 – a special machine was built for less than 250 000 $, breaking DES in less than 3 days; 2006 – estimates are that hardware costing around 20.000 $ may break DES within a day
Strength of DES
• DES has no export restrictions from NSA!
• 40-bit RC4 key is also insecure
• 128-bit keys seem to be secure
• Important difficulty in breaking any system: unless the plaintext is known, we have to recognize when we have broken the system: we have to recognize the plaintext when we find it
• This is not trivial if the file is binary, compressed, etc.
• Automated procedures to do that are needed (and indeed some exist)
AES – The Advanced Encryption Standard
• Rules for AES proposals
  1. The algorithm must be a symmetric block cipher.
  2. The full design must be public.
  3. Key lengths of 128, 192, and 256 bits supported.
  4. Both software and hardware implementations required.
  5. The algorithm must be public or licensed on nondiscriminatory terms.
AES Evaluation Criteria
• Initial criteria:
  – security – effort to practically cryptanalyze
  – cost – computational efficiency, so as to be used in high-speed applications, such as broadband links
  – algorithm and implementation characteristics: should be suitable for a variety of software/hardware implementations, simple enough to make analysis straightforward
• Final criteria
  – general security: this was conducted by the public (academic) cryptographic community: people published various attacks and weaknesses of the candidates
• Final criteria (continued)
  – software and hardware implementation ease: execution speed, performance on various platforms, variation of speed with key size
  – attacks on implementation: timing attacks and power analysis
    • multiplication consumes more power and takes more time than addition
    • writing 1s consumes more power and takes more time than writing 0s
  – flexibility (in encryption/decryption, key change, other factors)
AES Shortlist
• After testing and evaluation, shortlist in Aug-99:
  – MARS (IBM) – complex, fast, high security margin
  – RC6 (USA) – v. simple, v. fast, low security margin
  – Rijndael (Belgium) – clean, fast, good security margin
  – Serpent (Euro) – slow, clean, v. high security margin
  – Twofish (USA) – complex, v. fast, high security margin
• Then subject to further analysis & comment
• Analysed contrast between algorithms with
  – few complex rounds vs. many simple rounds
  – which refined existing ciphers vs. new proposals
The AES Cipher – Rijndael
• Designed by Rijmen and Daemen in Belgium
• 128/192/256-bit keys, 128-bit data
• Does not have the structure of a classical Feistel cipher
  – treats data in 4 groups of 4 bytes
  – operates on an entire block in every round
• Designed to be:
  – resistant against known attacks
  – fast and compact in code on many platforms
  – simple in design
• Decryption algorithm different from the encryption
93
B A Patel
Cryptography
Network Security
Rijndael
• Processes data as 4 groups of 4 bytes: a 128-bit block
• The input block is copied into the State array, modified at each stage of encryption or decryption, and copied to the output matrix after the final round
• Has 9/11/13 rounds (depending on which variant is used) in which State undergoes:
– byte substitution (one S-box used on every byte)
– shift rows: a simple permutation
– mix columns: substitution using arithmetic in GF(2^8)
– add round key (XOR State with the round key)
Rijndael
• Initial XOR of the plaintext with a round key
• There is an incomplete last round (the 10th/12th/14th)
• Note: all operations can be combined into XOR and table lookups, hence very fast and efficient
AES (2)
• An outline of Rijndael.
AES (3)
• Creation of the state and rk arrays.
Cipher Modes
Despite all this complexity, AES (or DES or any block cipher) is
basically a monoalphabetic substitution cipher using big
characters (128-bit characters for AES and 64-bit characters for
DES).
Whenever the same plaintext block goes in the front end, the
same ciphertext block comes out the back end.
If you encrypt the plaintext abcdefgh 100 times with the same
DES key, you get the same ciphertext 100 times. An intruder
can exploit this property to help subvert the cipher.
Electronic Code Book Mode
To see how this monoalphabetic substitution cipher property
can be used to partially defeat the cipher, we will use (triple)
DES because it is easier to depict 64-bit blocks than 128-bit
blocks, but AES has exactly the same problem.
The straightforward way to use DES to encrypt a long piece of
plaintext is to break it up into consecutive 8-byte (64-bit) blocks
and encrypt them one after another with the same key. The last
piece of plaintext is padded out to 64 bits, if need be. This
technique is known as ECB mode (Electronic Code Book mode)
in analogy with old-fashioned code books where each plaintext
word was listed, followed by its ciphertext (usually a five-digit
decimal number).
Electronic Code Book Mode
• The plaintext of a file encrypted as 16 DES blocks.
Cipher Block Chaining Mode
Each plaintext block is XORed with the previous ciphertext
block before being encrypted.
Consequently, the same plaintext block no longer maps onto
the same ciphertext block, and the encryption is no longer a big
monoalphabetic substitution cipher.
The first block is XORed with a randomly chosen IV
(Initialization Vector), which is transmitted (in plaintext) along
with the ciphertext.
Cipher Block Chaining Mode
• Cipher block chaining. (a) Encryption. (b) Decryption.
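The property the ECB and CBC slides above describe, as an added Go example that is not part of the lecture: the block "abcdefghabcdefgh" encrypted 100 times with AES-128 gives one single ciphertext block under ECB and 100 different ones under CBC. The key and IV are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)

// ecbEncrypt encrypts each 16-byte block independently with the same key, which
// is ECB mode. The standard library deliberately provides no ECB helper, so the
// loop is written out here.
func ecbEncrypt(block cipher.Block, pt []byte) []byte {
	bs := block.BlockSize()
	out := make([]byte, len(pt))
	for i := 0; i < len(pt); i += bs {
		block.Encrypt(out[i:i+bs], pt[i:i+bs])
	}
	return out
}

// cbcEncrypt chains the blocks: each plaintext block is XORed with the previous
// ciphertext block (the IV for the first one) before it is encrypted.
func cbcEncrypt(block cipher.Block, iv, pt []byte) []byte {
	out := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, pt)
	return out
}

// distinctBlocks counts how many different bs-byte blocks a ciphertext contains.
func distinctBlocks(ct []byte, bs int) int {
	seen := map[string]bool{}
	for i := 0; i < len(ct); i += bs {
		seen[string(ct[i:i+bs])] = true
	}
	return len(seen)
}

// compareModes encrypts the block "abcdefghabcdefgh" repeated 100 times under
// one key and returns how many distinct ciphertext blocks ECB and CBC produce:
// 1 for ECB (the monoalphabetic substitution the slides describe), 100 for CBC.
func compareModes() (ecbDistinct, cbcDistinct int) {
	key := []byte("constructed-key!") // constructed 16-byte AES-128 key
	iv := []byte("constructed-iv..")  // constructed IV; in practice choose it at random
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	pt := bytes.Repeat([]byte("abcdefghabcdefgh"), 100)
	bs := block.BlockSize()
	return distinctBlocks(ecbEncrypt(block, pt), bs), distinctBlocks(cbcEncrypt(block, iv, pt), bs)
}
```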
Cipher Feedback Mode
Cipher block chaining has the disadvantage of requiring an
entire 64-bit block to arrive before decryption can begin.
For byte-by-byte encryption, cipher feedback mode, using
(triple) DES, is used, as shown in Fig. 8-13. For AES the idea is
exactly the same, only a 128-bit shift register is used. In this
figure, the state of the encryption machine is shown after bytes
0 through 9 have been encrypted and sent. When plaintext byte
10 arrives, as illustrated in Fig. 8-13(a), the DES algorithm
operates on the 64-bit shift register to generate a 64-bit
ciphertext. The leftmost byte of that ciphertext is extracted and
XORed with P10. That byte is transmitted on the transmission
line. In addition, the shift register is shifted left 8 bits, causing
C2 to fall off the left end, and C10 is inserted in the position just
vacated at the right end by C9.
Cipher Feedback Mode
• (a) Encryption. (b) Decryption.
Stream Cipher Mode
Nevertheless, applications exist in which having a 1-bit
transmission error mess up 64 bits of plaintext is too large an
effect.
It works by encrypting an initialization vector, using a key to get
an output block.
The output block is then encrypted, using the key to get a
second output block.
This block is then encrypted to get a third block, and so on.
The (arbitrarily large) sequence of output blocks, called the
keystream, is treated like a one-time pad and XORed with the
plaintext to get the ciphertext, as shown in Fig.
Stream Cipher Mode
• A stream cipher. (a) Encryption. (b) Decryption.
Stream Cipher Mode
Decryption occurs by generating the same keystream at the
receiving side. Since the keystream depends only on the IV and
the key, it is not affected by transmission errors in the
ciphertext. Thus, a 1-bit error in the transmitted ciphertext
generates only a 1-bit error in the decrypted plaintext.
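The error behaviour of the two modes above, as an added Go example that is not part of the lecture: cfb8 is the byte-wide cipher feedback of the CFB slide (a 16-byte AES shift register in place of the 64-bit DES one), ofb is the stream cipher mode whose keystream depends only on key and IV, and errorSpread shows that one flipped ciphertext bit corrupts the hit byte plus the 16 bytes after it under CFB-8 but only one bit of one byte under OFB. Key, IV and plaintext are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
)

// cfb8 is the byte-wide cipher feedback the slides describe: encrypt the shift
// register, XOR its leftmost output byte with one data byte, then shift left 8
// bits and feed the ciphertext byte (the received one, when decrypting) in.
func cfb8(block cipher.Block, iv, in []byte, decrypt bool) []byte {
	reg := append([]byte(nil), iv...) // shift register, initially the IV
	enc := make([]byte, len(reg))
	out := make([]byte, len(in))
	for i, b := range in {
		block.Encrypt(enc, reg)
		out[i] = b ^ enc[0]
		fb := out[i]
		if decrypt {
			fb = b
		}
		reg = append(reg[1:], fb) // shift left one byte, new byte enters right
	}
	return out
}

// ofb is the slides' stream cipher mode: the keystream is produced from the IV
// and key alone, so a damaged ciphertext byte cannot disturb it.
func ofb(block cipher.Block, iv, in []byte) []byte {
	out := make([]byte, len(in))
	cipher.NewOFB(block, iv).XORKeyStream(out, in)
	return out
}

// errorSpread flips one bit of ciphertext byte 10 in each mode and counts the
// decrypted bytes that then mismatch: CFB-8 that byte plus the next 16, OFB one.
func errorSpread() (cfbBad, ofbBad int) {
	key, iv := []byte("constructed-key!"), []byte("constructed-iv..") // constructed 16-byte key and IV
	block, _ := aes.NewCipher(key)
	pt := []byte("constructed plaintext, long enough to show propagation")
	c1, c2 := cfb8(block, iv, pt, false), ofb(block, iv, pt)
	c1[10], c2[10] = c1[10]^0x01, c2[10]^0x01 // one-bit transmission error
	d1, d2 := cfb8(block, iv, c1, true), ofb(block, iv, c2)
	for i := range pt {
		if d1[i] != pt[i] {
			cfbBad++
		}
		if d2[i] != pt[i] {
			ofbBad++
		}
	}
	return
}
```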
Counter Mode
One problem that all the modes except electronic code book
mode have is that random access to encrypted data is
impossible.
For example, suppose a file is transmitted over a network and
then stored on disk in encrypted form. This might be a
reasonable way to operate if the receiving computer is a
notebook computer that might be stolen.
Storing all critical files in encrypted form greatly reduces the
damage due to secret information leaking out in the event that
the computer falls into the wrong hands.
Counter Mode
However, disk files are often accessed in nonsequential order,
especially files in databases. With a file encrypted using cipher
block chaining, accessing a random block requires first
decrypting all the blocks ahead of it, an expensive proposition.
For this reason, yet another mode has been invented, counter
mode, as illustrated in Fig. 8-15. Here the plaintext is not
encrypted directly. Instead, the initialization vector plus a
constant is encrypted, and the resulting ciphertext XORed with
the plaintext. By stepping the initialization vector by 1 for each
new block, it is easy to decrypt a block anywhere in the file
without first having to decrypt all of its predecessors.
Counter Mode
• Encryption using counter mode.
Suppose that the same key, K, is used again in the future (with
a different plaintext but the same IV) and an attacker acquires
all the ciphertext from both runs.
The keystreams are the same in both cases, exposing the
cipher to a keystream reuse attack of the same kind we saw
with stream ciphers.
All the cryptanalyst has to do is to XOR the two ciphertexts
together to eliminate all the cryptographic protection and just
get the XOR of the plaintexts. This weakness does not mean
counter mode is a bad idea. It just means that both keys and
initialization vectors should be chosen independently and at
random. Even if the same key is accidentally used twice, if the
IV is different each time, the plaintext is safe.
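The two counter-mode properties from the slides above, random access and the keystream-reuse hazard, as an added Go example that is not the lecture's code (key, IV and plaintexts are constructed sample values): decryptBlock reads one block of a CTR-encrypted file without touching its predecessors, and ivReuseLeaks checks that reusing an IV under one key makes the two ciphertexts XOR to the XOR of the plaintexts, the condition a deployment must rule out by choosing IVs independently.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
)

// Constructed sample key and IV (not from the slides); the IV's last two bytes
// are zero so that adding small block numbers to it never carries.
var key, iv = []byte("constructed-key!"), append([]byte("constructed-iv"), 0, 0)

// decryptBlock recovers plaintext block idx on its own: form that block's counter
// (the IV plus idx in its low 64 bits, big-endian, as Go's CTR steps it), encrypt
// it and XOR with the matching 16 ciphertext bytes. No earlier block is touched.
func decryptBlock(block cipher.Block, ct []byte, idx int) []byte {
	ctr := append([]byte(nil), iv...)
	binary.BigEndian.PutUint64(ctr[8:], binary.BigEndian.Uint64(ctr[8:])+uint64(idx))
	ks := make([]byte, 16)
	block.Encrypt(ks, ctr)
	for i := range ks {
		ks[i] ^= ct[idx*16+i]
	}
	return ks
}

func ctrEncrypt(block cipher.Block, nonce, pt []byte) []byte {
	out := make([]byte, len(pt))
	cipher.NewCTR(block, nonce).XORKeyStream(out, pt) // the library's counter mode
	return out
}

// randomAccess encrypts a six-block "file" and reads block 4 back directly.
func randomAccess() string {
	block, _ := aes.NewCipher(key)
	pt := []byte("aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbcccccccccccccccc" +
		"ddddddddddddddddeeeeeeeeeeeeeeeeffffffffffffffff")
	return string(decryptBlock(block, ctrEncrypt(block, iv, pt), 4))
}

// ivReuseLeaks encrypts two different plaintexts under the same key with the
// given IVs and tests the slides' observation: when the IV is reused the shared
// keystream cancels and the ciphertexts XOR to exactly the XOR of the plaintexts.
func ivReuseLeaks(iv1, iv2 []byte) bool {
	block, _ := aes.NewCipher(key)
	p1, p2 := []byte("constructed plaintext number one"), []byte("constructed plaintext number two") // both 32 bytes
	c1, c2 := ctrEncrypt(block, iv1, p1), ctrEncrypt(block, iv2, p2)
	for i := range p1 {
		if c1[i]^c2[i] != p1[i]^p2[i] {
			return false
		}
	}
	return true
}
```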
Public-Key Algorithms
Historically, distributing the keys has always been the weakest
link in most cryptosystems.
No matter how strong a cryptosystem was, if an intruder could
steal the key, the system was worthless.
Cryptologists always took for granted that the encryption key
and decryption key were the same (or easily derived from one
another). But the key had to be distributed to all users of the
system.
Thus, it seemed as if there was an inherent built-in problem.
Keys had to be protected from theft, but they also had to be
distributed, so they could not just be locked up in a bank vault.
Public-Key Algorithms
In 1976, two researchers at Stanford University, Diffie and
Hellman (1976), proposed a radically new kind of cryptosystem,
one in which the encryption and decryption keys were different,
and the decryption key could not feasibly be derived from the
encryption key.
In their proposal, the (keyed) encryption algorithm, E, and the
(keyed) decryption algorithm, D, had to meet three
requirements. These requirements can be stated simply as
follows:
1. D(E(P)) = P.
2. It is exceedingly difficult to deduce D from E.
3. E cannot be broken by a chosen plaintext attack.
Public-Key Algorithms
The method works like this. A person, say, Alice, wanting to
receive secret messages, first devises two algorithms meeting
the above requirements. The encryption algorithm and Alice's
key are then made public, hence the name public-key
cryptography.
Now let us see if we can solve the problem of establishing a
secure channel between Alice and Bob, who have never had
any previous contact. Both Alice's encryption key, E_A, and Bob's
encryption key, E_B, are assumed to be in publicly readable files.
Now Alice takes her first message, P, computes E_B(P), and
sends it to Bob. Bob then decrypts it by applying his secret key
D_B [i.e., he computes D_B(E_B(P)) = P].
Public Key Ciphers: how to
• A pair of keys is used (e, d)
• Key e is made public and is used to encrypt
• Key d is kept private and is used to decrypt
• RSA, by Rivest, Shamir, Adleman (1978), is the most popular public key cipher
– select a pair of large primes, p and q
– let e = pq be the public key
– define φ(e) = (p-1)(q-1)
– let d be the private key, where 3d mod φ(e) = 1
– d is the inverse of 3 mod φ(e)
– encrypt x with c = x^3 mod e
– decrypt c with x = c^d mod e
– we have x = x^(3d) mod e
RSA
The only catch is that we need to find algorithms that indeed
satisfy all three requirements.
One good method was discovered by a group at M.I.T. It is
known by the initials of the three discoverers (Rivest, Shamir,
Adleman): RSA.
It has survived all attempts to break it for more than a quarter of
a century and is considered very strong. Much practical security
is based on it. Its major disadvantage is that it requires keys of
at least 1024 bits for good security (versus 128 bits for
symmetric-key algorithms), which makes it quite slow.
The RSA method is based on some principles from number
theory.
RSA
Choose two large primes, p and q (typically 1024 bits).
Compute n = p × q and z = (p - 1) × (q - 1).
Choose a number relatively prime to z and call it d.
Find e such that e × d = 1 mod z.
With these parameters computed in advance, we are ready to
begin encryption. Divide the plaintext (regarded as a bit string)
into blocks, so that each plaintext message, P, falls in the
interval 0 ≤ P < n. Do that by grouping the plaintext into blocks of
k bits, where k is the largest integer for which 2^k < n is true.
To encrypt a message, P, compute C = P^e (mod n). To decrypt
C, compute P = C^d (mod n).
RSA
It can be proven that for all P in the specified range, the
encryption and decryption functions are inverses. To perform
the encryption, you need e and n. To perform the decryption,
you need d and n. Therefore, the public key consists of the pair
(e, n), and the private key consists of (d, n).
According to Rivest and colleagues, factoring a 500-digit
number requires 10^25 years using brute force. In both cases,
they assume the best known algorithm and a computer with a
1 µsec instruction time. Even if computers continue to get faster
by an order of magnitude per decade, it will be centuries before
factoring a 500-digit number becomes feasible, at which time
our descendants can simply choose p and q still larger.
RSA
• An example of the RSA algorithm.
Public Key Ciphers: Conclusions
• RSA is considered secure because the only known way to find d from e is to factor e into p and q, a problem believed to be computationally hard
Digital Signatures
• Alice sends a message to Bob encrypting it with Bob’s public
key.
• Bob decrypts the message using his private key.
• How can Bob determine that the message received was
indeed sent by Alice? After all, Trudy also knows Bob’s public
key.
Basically, what is needed is a system by which one party can
send a signed message to another party in such a way that the
following conditions hold:
• The receiver can verify the claimed identity of the sender.
• The sender cannot later repudiate the contents of the message.
• The receiver cannot possibly have concocted the message himself.
The first requirement is needed, for example, in financial
systems. When a customer's computer orders a bank's
computer to buy a ton of gold, the bank's computer needs to be
able to make sure that the computer giving the order really
belongs to the company whose account is to be debited. In
other words, the bank has to authenticate the customer (and the
customer has to authenticate the bank).
The second requirement is needed to protect the bank against
fraud. Suppose that the bank buys the ton of gold, and
immediately thereafter the price of gold drops sharply. A
dishonest customer might sue the bank, claiming that he never
issued any order to buy gold. When the bank produces the
message in court, the customer denies having sent it.
The third requirement is needed to protect the customer in the
event that the price of gold shoots up and the bank tries to
construct a signed message in which the customer asked for
one bar of gold instead of one ton.
Digital Signatures
• Alice can provide a digital signature for the message: s = x^d mod e
• If Bob receives both x and s, he computes:
– y = s^3 mod e = x^(3d) mod e = x
• Thus, if y = x, Bob knows that Alice indeed sent x, since she is the only person who can compute s from x.
• Also, Alice cannot cheat and deny having sent message x (nonrepudiation).
• Using digital signatures, Alice and Bob can authenticate each other and prevent Trudy's woman-in-the-middle attacks
• Validating a signed message requires knowledge of the other party's public key.
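The RSA operations of the RSA slides above and the signature check from the slide just above (sign with the private exponent, verify by raising to the public exponent), as an added Go example that is not the lecture's code, written in the n, e, d notation of the RSA slides rather than the e-as-modulus notation of the signature slide. The primes 61 and 53 and the public exponent 17 are constructed toy values, far too small for real use.

```go
package main

import (
	"errors"
	"math/big"
)

// rsaKey holds the parameters of the RSA slides: n = p*q, public exponent e
// and private exponent d with e*d = 1 (mod z), where z = (p-1)(q-1).
type rsaKey struct{ n, e, d *big.Int }

// newRSAKey derives a key pair from primes p and q and a chosen public exponent
// e; e must be relatively prime to z, otherwise no inverse d exists.
func newRSAKey(p, q, e int64) (*rsaKey, error) {
	P, Q, E, one := big.NewInt(p), big.NewInt(q), big.NewInt(e), big.NewInt(1)
	n := new(big.Int).Mul(P, Q)
	z := new(big.Int).Mul(new(big.Int).Sub(P, one), new(big.Int).Sub(Q, one))
	d := new(big.Int).ModInverse(E, z)
	if d == nil {
		return nil, errors.New("e has no inverse modulo (p-1)(q-1)")
	}
	return &rsaKey{n: n, e: E, d: d}, nil
}

// encrypt computes C = P^e mod n for a block with 0 <= P < n.
func (k *rsaKey) encrypt(P *big.Int) *big.Int { return new(big.Int).Exp(P, k.e, k.n) }

// decrypt computes P = C^d mod n.
func (k *rsaKey) decrypt(C *big.Int) *big.Int { return new(big.Int).Exp(C, k.d, k.n) }

// sign produces s = x^d mod n; only the holder of d can compute it.
func (k *rsaKey) sign(x *big.Int) *big.Int { return new(big.Int).Exp(x, k.d, k.n) }

// verify recomputes s^e mod n with the public key and compares it to x.
func (k *rsaKey) verify(x, s *big.Int) bool { return new(big.Int).Exp(s, k.e, k.n).Cmp(x) == 0 }

// roundTrip runs the three operations on one block and reports whether the
// block decrypts correctly, whether its signature verifies, and whether the same
// signature is rejected for a different block.
func roundTrip() (decryptOK, sigOK, forgedRejected bool, err error) {
	k, err := newRSAKey(61, 53, 17) // constructed toy primes; real keys use ~1024-bit primes
	if err != nil {
		return
	}
	P := big.NewInt(65) // plaintext block, 0 <= P < n = 3233
	decryptOK = k.decrypt(k.encrypt(P)).Cmp(P) == 0
	s := k.sign(P)
	sigOK = k.verify(P, s)
	forgedRejected = !k.verify(big.NewInt(66), s)
	return
}
```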
Digital Signatures
• Symmetric-Key Signatures
• Public-Key Signatures
• Message Digests
• The Birthday Attack
Symmetric-Key Signatures
One approach to digital signatures is to have a central authority
that knows everything and whom everyone trusts, say Big
Brother (BB).
Each user then chooses a secret key and carries it by hand to
BB's office. Thus, only Alice and BB know Alice's secret key, K_A,
and so on.
When Alice wants to send a signed plaintext message, P, to her
banker, Bob, she generates K_A(B, R_A, t, P), where B is Bob's
identity, R_A is a random number chosen by Alice, t is a
timestamp to ensure freshness, and K_A(B, R_A, t, P) is the
message encrypted with her key, K_A.
Symmetric-Key Signatures
Then she sends it as depicted in Fig.
• Digital signatures with Big Brother.
Public-Key Signatures
• Digital signatures using public-key cryptography.
Message Digests
• Digital signatures using message digests.
SHA-1
• Use of SHA-1 and RSA for signing nonsecret messages.
AES—The Advanced Encryption Standard
SHA-1 (2)
• (a) A message padded out to a multiple of 512 bits. (b) The output variables. (c) The word array.