Download presentation

Presentation is loading. Please wait.

Published byJoaquin Bellew Modified over 2 years ago

1
Inaugural Lecture - February 19th 2008 1 From Fish to Phishing Kenny Paterson Information Security Group Mathematics Department Royal Holloway, University of London

2
Inaugural Lecture - February 19th 2008 2 CINS/F1-01 Overview 1. What is Cryptography? 2. Fish and Colossus 3. WEP and GSM 4. IPsec 5. Phishing 6. Concluding remarks

3
Inaugural Lecture - February 19th 2008 3 1. What is Cryptography? Historically: making (and breaking) codes and ciphers. –Designed to scramble messages so they cannot be read by an enemy. –The preserve of emperors and generals. –Archetypes: the Caesar cipher; Kama Sutra code. Today: a range of techniques for ensuring the confidentiality, integrity and origin of data. –Mobile phones, chip and pin cards, Internet e- commerce. –Industrial cryptography.

4
Inaugural Lecture - February 19th 2008 4 What is Cryptography? And a thriving academic discipline involving a blend of mathematics, statistics and computer science. –Advanced encryption, signature, key exchange primitives. –Secure multi-party computation. –Private information retrieval from databases. –Anonymous handshake protocols. –Electronic elections and auctions. –….

5
Inaugural Lecture - February 19th 2008 5 This Talk Cryptography is a powerful tool. –Instrumental in increasing security and confidence in the digital age. But cryptography has many limitations. –Human involvement. –Changing adversaries. –Difficulties of key management. –Widening chasm between theory and practice. Our aim: –To illustrate some of these problems using a mixture of historical and current examples.

6
Inaugural Lecture - February 19th 2008 6 2. Fish and Colossus Usual assumption: interceptor knows everything about the system. So security depends entirely on the secrecy of the key K. Kerckhoffs’ Principle. Ciphertext C Key K Encryption Algorithm Message M Decryption Algorithm Message M Interceptor Key K

7
Inaugural Lecture - February 19th 2008 7 Fish 1941: Germans begin to build pan-European wireless communications network. –Linking Wehrmacht commands with general staff in Berlin. –Using directional antennae and high-speed, non-Morse signalling for teleprinter traffic. –Encrypted using Geheimschreiber machine. Lorenz SZ40/42 teletype attachment. –Careful traffic analysis indicated possible high value of traffic. Traffic named “Fish” by Bletchley Park staff. –Each link named after a different species: Bream, Codfish,… 1942: British start to systematically intercept Fish signals. –And Bletchley Park begins to analyse ciphertext. –But with virtually no information about the encryption method being used! Jan-May 1945: British decrypt 22 million characters of Fish traffic. –Without ever having seen a Lorenz machine!

8
8,21 Breaking Fish 7 12 19 7 12,21,8,3,8 Initial analysis suggested Fish traffic was being encrypted using a stream cipher. –Message converted into numbers, A=0, B=1,…, Z=25. –Message added character-by-character to keystream. Message M Message M Key K + Keystream Generator Key K Key K - Keystream Generator Ciphertext C=K+M mod 26 Encryption Decryption

9
Inaugural Lecture - February 19th 2008 9 Breaking Fish In theory: stream cipher known to be unbreakable if keystream is a truly random sequence of characters. –Shannon (1949): H(M|C)=H(M). –Ciphertext reveals nothing (statistically) about the message. In practice: sender and receiver have to generate a pseudo-random keystream using a deterministic algorithm and a short key. –Introducing statistical imperfections exploitable by cryptanalyst…

10
Inaugural Lecture - February 19th 2008 10 Fishing at a Depth Fish message indicators preceding encrypted data were presumed to indicate initial setting of keystream generator. Equality of indicators would imply equality of keystreams. –Known as a depth at Bletchley Park. So what if a depth occurred for two closely related messages? –Should never be permitted because known to introduce security weakness. –But operators make mistakes…. With some inspired guess-work, this could allow the two related messages to be recovered…

11
Inaugural Lecture - February 19th 2008 11 Fishing at a Depth K C1 532023 7116145123014121423617 M1 Text1 Text2 M2 C2 532023 7317191018622247142921 K

12
Inaugural Lecture - February 19th 2008 12 Fishing at a Depth K C1 532023 7116145123014121423617 M1 Text1 Text2 M2 C2 532023 7317191018622247142921 K

13
Inaugural Lecture - February 19th 2008 13 Fishing at a Depth K C1 532023 7116145123014121423617 M1 Text1 CRYPTO Text2 CRYPTO M2 C2 532023 7317191018622247142921 K

14
Inaugural Lecture - February 19th 2008 14 Fishing at a Depth K C1 532023 7116145123014121423617 M1 21724151914 Text1 CRYPTO Text2 CRYPTO M2 21724151914 C2 532023 7317191018622247142921 K

15
Inaugural Lecture - February 19th 2008 15 Fishing at a Depth K 312228419 C1 532023 7116145123014121423617 M1 21724151914 Text1 CRYPTO Text2 CRYPTO M2 21724151914 C2 532023 7317191018622247142921 K 312228419 C=K+M mod 26

16
Inaugural Lecture - February 19th 2008 16 Fishing at a Depth K 312228419 C1 532023 7116145123014121423617 M1 21724151914 Text1 CRYPTOGRAPHY Text2 CRYPTO M2 21724151914 C2 532023 7317191018622247142921 K 312228419

17
Inaugural Lecture - February 19th 2008 17 Fishing at a Depth K 312228419 C1 532023 7116145123014121423617 M1 21724151914617015724 Text1 CRYPTOGRAPHY Text2 CRYPTO M2 21724151914 C2 81516517317191018622247142921 K 312228419

18
Inaugural Lecture - February 19th 2008 18 Fishing at a Depth K 3122284192125141655 C1 532023 7116145123014121423617 M1 21724151914617015724 Text1 CRYPTOGRAPHY Text2 CRYPTO M2 21724151914 C2 81516517317191018622247142921 K 312228419 C=K+M mod 26

19
Inaugural Lecture - February 19th 2008 19 Fishing at a Depth K 3122284192125141655 C1 532023 7116145123014121423617 M1 21724151914617015724 Text1 CRYPTOGRAPHY Text2 CRYPTO M2 21724151914 C2 81516517317191018622247142921 K 3122284192125141655 Equality of Keysteams

20
Inaugural Lecture - February 19th 2008 20 Fishing at a Depth K 3122284192125141655 C1 532023 7116145123014121423617 M1 21724151914617015724 Text1 CRYPTOGRAPHY Text2 CRYPTO M2 21724151914818520131 C2 81516517317191018622247142921 K 3122284192125141655 C=K+M mod 26

21
Inaugural Lecture - February 19th 2008 21 Fishing at a Depth K 3122284192125141655 C1 532023 7116145123014121423617 M1 21724151914617015724 Text1 CRYPTOGRAPHY Text2 CRYPTOISFUNB M2 21724151914818520131 C2 81516517317191018622247142921 K 3122284192125141655

22
Inaugural Lecture - February 19th 2008 22 Fishing at a Depth K 3122284192125141655 C1 532023 7116145123014121423617 M1 21724151914617015724 Text1 CRYPTOGRAPHYISFUNB Text2 CRYPTOISFUNB M2 21724151914818520131 C2 81516517317191018622247142921 K 3122284192125141655

23
Inaugural Lecture - February 19th 2008 23 Fishing at a Depth K 3122284192125141655 C1 532023 7116145123014121423617 M1 21724151914617015724818529131 Text1 CRYPTOGRAPHYISFUNB Text2 CRYPTOISFUNB M2 21724151914818520131 C2 81516517317191018622247142921 K 3122284192125141655 Related messages

24
Inaugural Lecture - February 19th 2008 24 Fishing at a Depth K 31222841921251416551822720105 C1 532023 7116145123014121423617 M1 21724151914617015724818529131 Text1 CRYPTOGRAPHYISFUNB Text2 CRYPTOISFUNB M2 21724151914818520131 C2 81516517317191018622247142921 K 3122284192125141655 C=K+M mod 26

25
Inaugural Lecture - February 19th 2008 25 Fishing at a Depth K 31222841921251416551822720105 C1 532023 7116145123014121423617 M1 21724151914617015724818529131 Text1 CRYPTOGRAPHYISFUNB Text2 CRYPTOISFUNB M2 21724151914818520131 C2 81516517317191018622247142921 K 31222841921251416551822720105 Equality of Keysteams

26
Inaugural Lecture - February 19th 2008 26 Fishing at a Depth K 31222841921251416551822720105 C1 532023 7116145123014121423617 M1 21724151914617015724818529131 Text1 CRYPTOGRAPHYISFUNB Text2 CRYPTOISFUNB M2 2172415191481852013142020184 C2 81516517317191018622247142921 K 31222841921251416551822720105 C=K+M mod 26

27
Inaugural Lecture - February 19th 2008 27 Fishing at a Depth K 31222841921251416551822720105 C1 532023 7116145123014121423617 M1 21724151914617015724818529131 Text1 CRYPTOGRAPHYISFUNB Text2 CRYPTOISFUNBECAUSE M2 2172415191481852013142020184 C2 81516517317191018622247142921 K 31222841921251416551822720105

28
Inaugural Lecture - February 19th 2008 28 Fishing at a Depth K 31222841921251416551822720105 C1 532023 7116145123014121423617 M1 21724151914617015724818529131 Text1 CRYPTOGRAPHYISFUNBE Text2 CRYPTOISFUNBECAUSE M2 2172415191481852013142020184 C2 81516517317191018622247142921 K 31222841921251416551822720105 Related messages

29
Inaugural Lecture - February 19th 2008 29 Fishing at a Depth K 31222841921251416551822720105 C1 532023 7116145123014121423617 M1 217241519146170157248185291314 Text1 CRYPTOGRAPHYISFUNBE Text2 CRYPTOISFUNBECAUSE M2 2172415191481852013142020184 C2 81516517317191018622247142921 K 31222841921251416551822720105

30
Inaugural Lecture - February 19th 2008 30 Fishing at a Depth K 3122284192125141655182272010513 C1 532023 7116145123014121423617 M1 217241519146170157248185291314 Text1 CRYPTOGRAPHYISFUNBE Text2 CRYPTOISFUNBECAUSE M2 2172415191481852013142020184 C2 81516517317191018622247142921 K 31222841921251416551822720105 C=K+M mod 26

31
Inaugural Lecture - February 19th 2008 31 Fishing at a Depth K 3122284192125141655182272010513 C1 532023 7116145123014121423617 M1 217241519146170157248185291314 Text1 CRYPTOGRAPHYISFUNBE Text2 CRYPTOISFUNBECAUSE M2 2172415191481852013142020184 C2 81516517317191018622247142921 K 3122284192125141655182272010513 Equality of Keysteams

32
Inaugural Lecture - February 19th 2008 32 Fishing at a Depth K 3122284192125141655182272010513 C1 532023 7116145123014121423617 M1 217241519146170157248185291314 Text1 CRYPTOGRAPHYISFUNBE Text2 CRYPTOISFUNBECAUSE M2 21724151914818520131420201848 C2 81516517317191018622247142921 K 3122284192125141655182272010513 C=K+M mod 26

33
Inaugural Lecture - February 19th 2008 33 Fishing at a Depth K 3122284192125141655182272010513 C1 532023 7116145123014121423617 M1 217241519146170157248185291314 Text1 CRYPTOGRAPHYISFUNBE Text2 CRYPTOISFUNBECAUSEI M2 21724151914818520131420201848 C2 81516517317191018622247142921 K 3122284192125141655182272010513

34
Inaugural Lecture - February 19th 2008 34 Deducing Fish’s Structure Just such a depth was intercepted on 30 th August 1941. –Two messages with same indicator HQIBPEXEZMUG. –Abbreviations, misspellings and corrections were inserted by wireless operator when forced to retransmit a long message. –Operator should have chosen new message indicator, but did not. Analysis by Tiltman then recovered the two messages. More importantly a sequence of nearly 4000 keystream letters was obtained. From this sequence, Tutte (later assisted by others) determined the entire structure of the Lorenz machine.

35
Inaugural Lecture - February 19th 2008 35 Lorenz SZ40 Structure 43 61 37 47535159 Motor Wheels Chi Wheels Psi Wheels Clock 41 3129 23 26 Keystream bits

36
Inaugural Lecture - February 19th 2008 36 Lorenz SZ40 Structure 5 parallel bits of keystream produced per clock pulse. –Bit-by-bit combined with message in Baudot coded form. 12 pinwheels, arranged in two groups of five (chi and psi) plus two motor wheels, M1 and M2. –Output bits taken from XOR sums of chi and psi wheels. –Chi wheels of lengths 41, 31, 29, 26, 23, clocked regularly. –Psi wheels of lengths 43, 47, 51, 53, 59, clocked irregularly, according to output of M1. –M1 of length 37 clocked irregularly according to output of M2. –M2 of length 61 clocked regularly. Modern interpretation: irregularly clocked circulating shift registers. 2 501 possible keys. –Monthly (later daily) setting of pins on each wheel. –Per message key: initial rotational offset of each wheel.

37
Inaugural Lecture - February 19th 2008 37 Lorenz SZ40 Size:51cm × 46cm × 46cm (20in × 18in × 18in)

38
Inaugural Lecture - February 19th 2008 38 Fish and Colossus In 1943, Max Newman raised the possibility of using a machine to automate the breaking of Fish. –Ideally suited to repetitive calculations involved in statistical analysis developed by Tutte, Turing, and many others. –But initial all-mechanical machines were slow and unreliable. Tommy Flowers proposed and led the build of a rival electro-mechanical design, Colossus. –Based at Post Office Research Station, Dollis Hill, London. –Using 1500 state-of-the-art thermionic valves, thyratrons, and photomultipliers. –Implementing shift registers, systolic arrays, configurable Boolean operations on data,… –But not a Turing-complete machine.

39
Inaugural Lecture - February 19th 2008 39 Mechanised Cryptanalysis of Fish Colossus Mark I delivered 18 th January 1944. Rapidly followed by first Colossus Mark II (2400 valves and 5 times as fast). Eventually 10 Colossi in 24-hour operation at Bletchley Park, with 11 th in production.

40
Inaugural Lecture - February 19th 2008 40 The Value of Fish Traffic By 8 th May 1945, Bletchley Park had broken 13508 messages on 718 keys, obtaining 63 million plaintext characters. Fish yielded information of great strategic value: –Strategic appreciations, order of battle, strength of individual Wehermacht divisions. –German situation reports for the entire Russian front. –German strategic plans to hold on to Italy. –Information about likely success of D-Day landings: 8 th May 1944, Field Marshall von Rundstedt to general staff, Berlin: an Allied assault on Normandy would “be the enemy’s pre-requisite condition for a subsequent descent on the Channel coast’’. –Revelation of plans for counter-attack at Anzio beach-head. –Insight into Hitler’s mental state.

41
Inaugural Lecture - February 19th 2008 41 Other Aspects of the Fish Story Destruction of Colossi at the war’s end. –Colossus re-build project recently completed. Wartime work gave British scientists and engineers a head-start in the fledgling computer industry. Fish/Colossus story only began to emerge in the mid-1970s. –Several key documents only recently declassified. Including “General report on Tunny”. –Whole story masterfully told in Paul Gannon’s “Colossus – Bletchley Park’s Greatest Secret” (Atlantic Press, 2006). Tommy Flowers MBE 1905-1998

42
Inaugural Lecture - February 19th 2008 42 Fishing Lessons Kerckhoffs’ Principle not applicable, but lack of system knowledge only delayed the breaking of Fish. A single human error provided the key to unlocking Fish. –Keystream repetition for two closely related messages. At least three major intellectual achievements: –Initial decryption from a depth (Tiltman). –Deriving the Lorenz machine’s structure from keystream alone (Tutte et al.). –Development of mechanised cryptanalysis (Newman, Flowers).

43
Inaugural Lecture - February 19th 2008 43 3. WEP and GSM In the late 1990’s, wireless equipment became cheap enough to be used in mass-market networking equipment. IEEE developed 802.11 family of WirelessLAN standards. –Operating in “free for all” unregulated frequencies. Recognition that encryption is needed because of broadcast nature of signals. IEEE 802.11b&g included WEP (Wired Equivalent Privacy) mechanisms. –Encryption. –Integrity protection for data. –Authentication of network nodes.

44
Inaugural Lecture - February 19th 2008 44 WEP (In)security World War Drive 2004 –Survey of 228,537 networks –140,890 (60%) configured to use Open System Authentication. –Meaning no encryption or authentication enabled. Demonstration of vulnerability. Legality of demo doubtful!

45
Inaugural Lecture - February 19th 2008 45 WEP (In)security WEP requires end-user to configure a shared key in every communicating device. –Easy in a small home network of 2 or 3 devices. –More difficult in a corporate environment with many devices. –Updating keys a major headache. –A classic key management problem. Worse still, the entire WEP design is seriously flawed. –Authentication is trivial to defeat. –Encryption shown to be weak by Fluhrer, Mantin and Shamir. –Cracking tools (Airsnort, WEPcrack) are widely available on Internet. Can recover WEP key in a matter on minutes. What went wrong?

46
Inaugural Lecture - February 19th 2008 46 GSM Security GSM = second generation mobile phone system. –1.9 billion customers. –GSM networks in over 210 countries. Cryptography integrated as part of GSM from the start. –Algorithms and architecture designed by experts. –Security almost entirely hidden from end-users. –This security (especially key management) is not cost-free. Operators had a strong economic incentive to get the GSM security design right. –Protect revenue stream so as to recoup investment in licences purchased from national governments. –Desire to avoid embarrassing breaches of personal privacy occurring in first generation networks.

47
Inaugural Lecture - February 19th 2008 47 Lessons from WEP Economic incentives are often a major driver for adoption of security measures. –GSM using paid-for frequencies, 802.11 using free- for-all frequencies. –Lack of incentive led to sloppy design in WEP. Employ security experts to design security systems, not enthusiasts. Good key management is hard and best not left to end-users.

48
Inaugural Lecture - February 19th 2008 48 Lessons from WEP But: designers of WiMAX have recently repeated most of the same errors made in WEP design… Those who cannot learn from history are doomed to repeat it. George Santayana, Reason in Common Sense, The Life of Reason, Vol. 1. You must learn from the mistakes of others. You can't possibly live long enough to make them all yourself. Sam Levenson

49
Inaugural Lecture - February 19th 2008 49 4. IPsec IPsec provides cryptographic protection for IP packets. –Encryption and integrity protection. An important system for protecting Internet traffic. –e.g. widely used in Virtual Private Networking applications. Specified in IETF RFCs 4301-4309 and related documents. –RFCs are (essentially) standards for the Internet. –Very complex set of documents with many options. –300+ pages of very technical text.

50
Inaugural Lecture - February 19th 2008 50 IPsec IPsec uses industrial-strength cryptography. Yet we still managed to break IPsec in certain encryption-only configurations. –Ciphertext-only attacks. –Attacks demonstrated in the lab. –Paterson and Yau (Eurocrypt 2006), Degabriele and Paterson (IEEE Security and Privacy 2007).

51
Inaugural Lecture - February 19th 2008 51 Breaking IPsec Capture ciphertexts from the network. Modify ciphertexts so as to produce predictable changes to underlying messages. –Bit flipping weakness of CBC mode encryption. –Messages now have small, attacker-induced faults. Inject modified ciphertexts into the network. IPsec decryption results in faulty IP packets. –IP produces ICMP error messages when these faulty packets are further processed. –ICMP messages are not encrypted and carry portions of faulty IP packets. –These can be intercepted.

52
Inaugural Lecture - February 19th 2008 52 Breaking IPsec Ciphertext C Key K Encryption Algorithm Message M Decryption Algorithm Message M Key K InterceptorActive attackerReactive System

53
Inaugural Lecture - February 19th 2008 53 Breaking IPsec The encryption-only configurations that we broke were already known to have theoretical weaknesses. –Bellovin (1995, 1996), using ideas of Wagner. So why were they still allowed in the standards?

54
Inaugural Lecture - February 19th 2008 54 Breaking IPsec RFC 4303: “Using encryption-only for confidentiality is allowed by ESP. However, it should be noted that in general, this will provide defense only against passive attackers.” “ESP allows encryption-only … because this may offer considerably better performance and still provide adequate security, e.g., when higher layer authentication/integrity protection is offered independently.”

55
Inaugural Lecture - February 19th 2008 55 Breaking IPsec From the IPsec administrator's guide of a well- known vendor: “If you require data confidentiality only in your IPSec tunnel implementation, you should use ESP without authentication. By leaving off the authentication service, you gain some performance speed but lose the authentication service.” http://www.cisco.com/en/US/docs/security/security_ma nagement/vms/router_mc/1.3.x/user/guide/U13_bldg.html#wp1068306 (last accessed 16/2/2008).

56
Inaugural Lecture - February 19th 2008 56 IPsec Lessons Cryptography is only ever a component in a secure system and should not be viewed in isolation. Encryption on its own is not sufficient to provide confidentiality. Be aware of shifts in the adversary’s capabilities. Complexity and flexibility are the enemies of security. Sacrifice backward compatibility if security is the primary objective. Gulf in understanding between theoreticians, standards writers, implementers, and users. –Security message gets lost in translation.

57
Inaugural Lecture - February 19th 2008 57 5. Phishing Demonstration: let’s take an on-line test. http://www.sonicwall.com/phishing/ An attack of this general type is known as a phishing attack. 6 Billion phishing e-mails are sent world-wide each month. Average loss per successful attack is estimated at $1200 (Federal Trade Commission). –Junk e-mail is a lot cheaper to send than junk mail. –So even if only a tiny fraction are successful, it’s still economically viable for the attacker.

58
Inaugural Lecture - February 19th 2008 58 Phishing Phishing exploits a mixture of human gullibility, technological naivety, fear, and sometimes greed. –Users trust that “From” address in e-mail is a guarantee of origin, and that link in e-mail is a guarantee of destination for their sensitive data. Arguably, cryptography is of no use at all in preventing this form of attack. –Unless we had a global authentication infrastructure that is used universally to prove the origin of all e- mails.

59
Inaugural Lecture - February 19th 2008 59 Phishing Lessons Cryptography has its limitations. Don’t rely on a technology to do a job for which it was never designed. –Smart banks never use e-mail to ask their customers to do anything sensitive. –Unfortunately, their customers don’t all know this yet. Much more research is needed in the area of humans and security. –How humans take security-sensitive decisions, and how they can be guided towards making better ones.

60
Inaugural Lecture - February 19th 2008 60 6. Concluding Remarks Cryptography is one of the most powerful tools we have in our security armoury. Implementing, deploying and managing effective cryptography is difficult and expensive. –Key management may be hardest of all. In theory, theory and practice are the same. In practice, they are not. Eliminate humans (and human error). Watch out for changing adversaries. Recognise the limitations of cryptography. Learn from history.

61
Inaugural Lecture - February 19th 2008 61 Thanks Thanks to Marta Baker and her staff. Many thanks to colleagues and students for making the ISG such a special place to work. Many, many thanks to Fred Piper for his immeasurable and constant support over the years. And thank you all for coming.

Similar presentations

OK

Numerical Analysis 1 EE, NCKU Tien-Hao Chang (Darby Chang)

Numerical Analysis 1 EE, NCKU Tien-Hao Chang (Darby Chang)

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google

Ppt on electricity and circuits Php tutorial free download ppt on pollution Ppt on horizontal axis windmill Ppt on p&g products india Ppt on business environment nature concept and significance of colors Ppt on holographic data storage system technology Download ppt on computer vs books essays Ppt on acid base titration Download ppt on indus valley civilization government Ppt on social etiquettes of israel