Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security in Open Environments. Overview Types of attacks and countermeasures Zero-knowledge protocols Public-key Infrastructure.

Similar presentations


Presentation on theme: "Security in Open Environments. Overview Types of attacks and countermeasures Zero-knowledge protocols Public-key Infrastructure."— Presentation transcript:

1 Security in Open Environments

2 Overview Types of attacks and countermeasures Zero-knowledge protocols Public-key Infrastructure

3 Security Models Unconditional Security: an attacker can do no better than guessing. (one-time pad). Complexity-theoretic security: Attacks are shown to be NP-complete. Provable security: Attacks are as difficult as a problem thats suspected to be hard (like factoring.) Computational security: resources needed for an attack are beyond the capabilities of the attacker. Ad hoc security/heuristic security: Practically, an attacker is unable to successfully break a system.

4 Man-in-the-Middle Cryptographic Protocol attacks are often analyzed in terms of a man-in-the-middle This is an agent who is able to listen to and potentially add, delete, or change messages being sent over an open channel.

5 Classes of Attacks We can divide attacks roughly into two classes: A passive attack is one in which the attacker is only able to monitor the communications channel. –Threatens confidentiality An active attack is one in which the attacker attempts to add, delete, or modify messages. –Threatens both confidentiality and data integrity.

6 Attacks on encryption schemes Passive attacks can be further subdivided Ciphertext-only attacks attempt to deduce the plaintext from only the ciphertext. –Low chance of succeeding against strong encryption. Known plaintext attacks: the attacker has access to a collection of plaintext messages and their corresponding ciphertext. –If same key is used to encrypt multiple blocks, frequency analysis is possible.

7 Attacks on encryption schemes Chosen plaintext attack: the attacker gets to choose a message to be encrypted. –Goal: learn something about other ciphertexts. –This can be used to acquire a signed message. Please authenticate me. –Adaptive chosen plaintext attack: attacker can iteratively choose plaintexts to be encrypted. Chosen ciphertext attack: attacker chooses ciphertext and sees the corresponding plaintext. –Adaptive chosen ciphertext attack: attacker iteratively chooses ciphertexts and sees the corresponding plaintexts.

8 Active Attacks Known-key attack: The attacker obtains previously-used keys and uses this to deduce information about new keys. –Tracks generation of pseudorandom numbers. Replay: an attacker records a communication session and replays part of it at a later time. – Login, key exchange

9 Active Attacks Impersonation: Attacker assumes the identity of one or more members of the network. –Reflection attack: A & B want to synchronize with secret keys – A sends a challenge to B A -> m1 -> B B -> E(m1, m2) -> A A -> m2 -> B –Intruder intercepts, pretends to be B initiating the same protocol –Catches As response, pretends this is Bs response to the original challenge.

10 Active Attacks Dictionary: Attacker uses a large list of words to deduce a password. –UNIX password attacks Forward search: brute-force search of keyspace.

11 Active Attacks Consider this authentication protocol: –A sends random number m1 to B. –B returns random numbers m1 and m2, signed, plus an identifier. –A returns signed random numbers m2 and m3, plus an identifier. A -> m1 -> B A <- m2, S B (m2, m1, A) <- B A -> m3, S A (m3, m2, B) -> B Intent: random numbers plus signatures will verify identity.

12 Active Attacks An enemy E can initiate two separate protocols with A and B: E -> m1 -> B E <- m2, S_B(m2, m1, A) <- B A <- m2 <- E A -> m3, S_A(m3, m2, B) -> E E -> m3, S_A(m3, m2, B) -> B Insecurity due to symmetry of messages Could vary structure or require m1 to be included in final message

13 Attacking Key Exchange Key exchange is one of the most common places for a man-in-the-middle attack. A sends B its public key. Man-in-the-middle replaces As public key with a false one. Man-in-the-middle is now able to intercept and decrypt secret messages from B to A.

14 Defeating Man-in-the-Middle Interlock protocol: –A and B want to send messages to each other. –A sends first half to B. –B sends first half to A. –A sends second half to B. –B sends second half to A. Since the man-in-the-middle cannot decrypt half of a message, it must pass something on. Secure if the attacker cannot intelligibly mimic A or B.

15 Zero-knowledge Protocols One application of public-key cryptography is zero-knowledge protocols. Often, one party might want to prove or verify something to another without revealing any information –Nuclear treaties –Bank balances –Sensitive information What are some real-world ways of solving this problem?

16 Zero-knowledge Protocols Real-world solutions –Trusted third party –Random cups/phone numbers –Airline reservation –Passwords –Deck of cards

17 Zero-knowledge protocols Alice wants to prove to Bob that she is Alice. –If she sends identification, Bob (or an eavesdropper) can use it. Example: Authority chooses a number N=77, known by all. Alices public ID: (58, 67) Alices private ID: (9,10) –These are multiplicative inverses mod 77

18 Zero-knowledge protocols Alice chooses some random numbers and computes their square mod N. –{19, 24, 51} -> 19 2 (mod 77) = 53, 24 2 (mod 77) = 37, 51 2 (mod 77) = 60 –Alice sends {53,37,60} to Bob. –Bob sends back a random 2x3 matrix of 1s and 0s. –0 1 –1 0 –1 1

19 Zero-knowledge protocols Alice uses this grid, plus her original random numbers and her secret numbers, to compute: 19 * 9 0 * 10 1 (mod 77) = * 9 1 * 10 0 (mod 77) = * 9 1 * 10 1 (mod 77) = 47 She sends {36,62,47} to Bob.

20 Zero-knowledge protocols Bob verifies Alices identity by computing: –{58,67} are Alices public numbers 36 2 *58 0 *67 1 (mod 77)= *58 1 * 67 0 (mod 77) = * 58 1 * 67 1 (mod 77) = 60 Alices original numbers reappear! –(Actually, an attacker would have a 1 in 64 chance of guessing correctly …)

21 Zero-knowledge protocols In a real system, N would be very large –160 digits. Many more numbers would be generated. This works because Alices secret numbers are multiplicative inverses of her public numbers mod N. Also, Bob learns nothing that he didnt know before.

22 Public-key Infrastructure For real-world applications, a complex web of software systems is required to ensure security. This is referred to as a Public Key Infrastructure (PKI). Focus shifts from provable protocol properties to system design.

23 Some PKI Needs We would like a PKI to ensure: –Data Integrity –Price Integrity –Scalable Identification and Authentication –Confidentiality –Non-repuduation –Interoperability

24 Trust Hierarchies One of the primary functions of a PKI is the establishment of trust between users with no prior history. A certificate authority can provide this, serving as a trusted third party.

25 Certificate Authority A certificate authority has a number of functions within a PKI –Authentication –Key generation –Key revocation Many commercial entities serve as CAs

26 Certificate Authorities A Certificate Authority will wrap a users public key in a certificate. –X.509 is most common standard. –Contains the users identity and public key. –Signed with the CAs private key. –Risk is shifted: Previously: could unknown user A be compromised? Now: could the CA be compromised?

27 Trust Models Hierarchical –One root CA Considered able to vouch for itself. –Scalable and fast –Tradeoff: More levels of hierarchy requires more work to design and maintain, but provides increased reliability/redundancy.

28 Example Encrypting: –Alice generates a hash of her plaintext data. –Alice concatenates hash and plaintext. –Alice signs this with her private key. –Alice obtains Bobs public key from a CA and uses this to encrypt the signed message.

29 Example Decrypting: –Bob uses his private key to decrypt the message. –Bob then gets Alices public key from the CA. –Bob decrypts the message with Alices public key to get plaintext plus hash. –Bob computes the hash of the plaintext, verifying the integrity of the plaintext.

30 Trust Models Distributed (Web of Trust) –No root CA –Users are able to authenticate each other –Same approach as P2P software –Highly redundant, but not very efficient. –Awkward fit for e-commerce.

31 Trust Models Direct –Used with symmetric-key encryption –No CA is involved –Possession of secret key is sufficient for trust. –Also not appropriate for e-commerce.

32 Trust Models Cross Certification –CAs in different hierarchies sign each others public keys. –User A is trusted by Verisign, User B by Surety. –Surety signs Verisigns public key with its own, allowing B to trust A. –Allows for scalable, dynamic trust networks.

33 Summary Encryption provides a technique for hiding and sharing secrets. To be effective, users must consider the system in which encryption is used. Subtle flaws in a protocol can make it insecure. A public key infrastructure is needed to provide secure communications


Download ppt "Security in Open Environments. Overview Types of attacks and countermeasures Zero-knowledge protocols Public-key Infrastructure."

Similar presentations


Ads by Google