# Network Security (N. Dulay & M. Huth) Classical Cryptography (2.1) Detecting Eavesdropping A Solution.

## Presentation on theme: "Network Security (N. Dulay & M. Huth) Classical Cryptography (2.1) Detecting Eavesdropping A Solution."— Presentation transcript:

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.1) Detecting Eavesdropping A Solution

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.2) Quantum Cryptography  Quantum Computing Quantum Cryptography  Algorithms for key distribution, coin flipping, bit commitment, oblivious transfer, etc  In 1994 Peter Schor devised a quantum computing algorithm to factorise large numbers in polynomial time!  (Un)fortunately no-one is yet able how to build a suitable quantum computer.  Can we use quantum effects to detect passive eavesdropping?  Particles (e.g. Photons) exist in N places at once with different probabilities.  We can measure position or velocity but not both  Quantum world is uncertain.  But we can use this uncertainty to generate a key!

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.3) Polarisation: Noddy's guide  Photons vibrate in some direction e.g.  Polarised when many photons vibrate in the same direction  Polarisation filters only allow photons polarised in a defined direction (angle) through, e.g 100% 0% 50%  Up and down  Left and right  At some angle

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.4) Wiesner's Quantum Money  Each note has a printed serial number and a set of "photon-stores" that hold differently polarised photons.  Only the Bank knows the polarisations for any serial number.  We can produce counterfeit notes if we can measure the correct polarisations. But to do this we need to guess the correct orientations. DoC Bank £100 22AC320FR00

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.5) Wiesner's Quantum Money  Filter Result 100% 0% 50% ? ?

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.6) Basis  Polarisation measured in a basis.  Basis consists of 2 orthogonal directions, e.g.  If polarisation is read in a matching basis -> we learn polarisation  If read in wrong basis -> we learn a random polarisation!  Rectilinear  Diagonal Okay Random

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.7) Bennett & Brassard Protocol  Alice sends pulses to Bob. Bob uses polarisation detectors with randomly set basis  Bob tells Alice his settings. Alice tells Bob which settings were correct.  Settings map to 0 and 1’s, e.g. — and / map to 0, while | and \ map to 1.  Alice and Bob only use those settings as a secret key (or 1-time pad key) 110001110 111 0 0/1

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.8) Protocol Continued  Eavesdropper Eve also does not know correct polarisations, so like Bob will pick wrong basis 50% of the time. Knowing Bob's settings after the event does not help, because she will have measured half of them incorrectly.  Worse still, Eve will introduce errors, which Alice & Bob can detect, since Eve’s wrong guesses will change polarisation of pulses  To detect Eve, Alice and Bob only need to compare a few bits in their message.  If errors found then we have an Eavesdropper.  If no errors: Use rest of message

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.9) Reading  Simon Singh, The Code Book, Chapter 8  Quantum Computing Course (482), Next term

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.10) Classical Cryptography Michael Huth M.Huth@doc.ic.ac.uk www.doc.ic.ac.uk/~mrh/430/

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.11) Why Cryptography?  CONFIDENTIALITY Keep information secret  AUTHENTICATION Receiver can verify who sender was  INTEGRITY Detect modified messages  NON-REPUDIATION Sender cannot later falsely deny sending a message. Receiver cannot falsely deny receiving it.

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.12) Encryption Encrypt (E) Plaintext (P) hello world Ciphertext (C) JHN+K9[ C = E (P) Decrypt (D) Ciphertext (C)Plaintext (P) P = D (C) P = D (E (P))

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.13) Encryption with a Secret Key Encrypt (E) Plaintext (P)Ciphertext (C) C = E k (P) P = D k (E k (P)) Key (k) Decrypt (D) Ciphertext (C)Plaintext (P) P = D k (C) Key (k)  Kerchoff’s Principle - Secrecy should lie in keeping a key secret. Assume algorithm is known.

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.14) Encryption with 2 Keys P = D k2 (E k1 (P)) Encrypt (E) Plaintext (P)Ciphertext (C) C = E k1 (P) Key1 (k1) Decrypt (D) Ciphertext (C)Plaintext (P) P = D k2 (C) Key2 (k2)

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.15) Steganography Dear George, 3rd March Greetings to all at Oxford. Many thanks for your letter and for the Summer examination package. All Entry Forms and Fees Forms should be ready for final dispatch to the Syndicate by Friday 20th or at the very least, I’m told, by the 21st. Admin has improved here, though there’s room for improvement still; just give us all two or three more years and we’ll really show you! Please don’t let these wretched 16+ proposals destroy your basic O and A pattern. Certainly this sort of change, if implemented immediately, would bring chaos.  Conceal existence of message, e.g. 1st letter of each word, least sig. bit of graphic image  Useless once method discovered  Peter Wayner, Disappearing Cryptography, 2nd ed, Morgan Kaufmann, 2002

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.16) Steganography ** Dear George, 3rd March Greetings to all at Oxford. Many thanks for your letter and for the Summer examination package. All Entry Forms and Fees Forms should be ready for final dispatch to the Syndicate by Friday 20th or at the very least, I’m told, by the 21st. Admin has improved here, though there’s room for improvement still; just give us all two or three more years and we’ll really show you! Please don’t let these wretched 16+ proposals destroy your basic O and A pattern. Certainly this sort of change, if implemented immediately, would bring chaos.

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.17) Codes  Pre-arranged set of secret codes/meanings.  BEST if used once only. Security weakens with each use if intercepted  Only small set of pre-arranged messages. What if we wanted to communicate “Launch half the missiles” or “Disarm missiles”?  EXAMPLE Mobius -> Launch missiles Zebra-> Don’t Launch

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.18) One-time Pad  Use a random key as long as the message. Must not reuse the key sequence ever again.  Both parties must have key sequence  Hotline between USA and USSR was rumoured to use a one-time pad.  Destroy key sequence after use  Advantages?  Disadvantages?  EXAMPLE Key is number of places to shift letter K321424 Plaunch COCVREL  Suggest a good 1-time pad function for binary data?

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.19) Substitution Ciphers  Each letter (or group) is replaced by another letter (group) MONOALPHABETIC CIPHER Each character is replaced by a corresponding character CAESAR CIPHER Circularly shift each letter three positions along in the alphabet, e.g. zebra -> CHEUD ROT13 Like Caesar but rotate 13 places. Used to hide offensive jokes, solutions to puzzles etc  BRUTE FORCE ATTACK CHEUD 1bgdtc 2afcsb 3zebra 4ydapz... 25digve  Algorithm known  Only 25 keys  What if Plaintext language is not easily recognisable?

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.20) Substitution Ciphers  GENERAL MONOALPHABETIC CIPHERS Use a random mapping, e.g: abcedfghijklmnopqrstuvwxyz ESFNCRTBZLMVAYXUPKDJOWQGIH increases no of keys to 26! > 4*10^26  HOMOPHONIC CIPHERS Each character has several ciphertext mappings, as many as its relative frequency  POLYGRAM CIPHERS Map groups of characters, e.g. aly -> RTQ  POLYALPHABETIC CIPHERS Vary monoalphabetic cipher during ciphering/deciphering procedure ATTACKING GENERAL MONOALPHABETIC CIPHERS  Consider nature of Plaintext, e.g. statistical properties.  Frequency of letters e12.75% t 9.25% r 8.50% n 7.75%  Frequency of common words  Repeating letters  2-letter combinations (digrams): th, in, er, re, an  3-letter combinations (trigrams): the, ing, and, ion

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.21) Rotor Machine  E.g. ENIGMA MACHINE. Polyalphabetic Cipher  Several interconnected substitution rotating cylinders.  Example: Input Rotor1Rotor2Rotor3Output AA->FF->XX->NN Rotor 3 now shifts (its substitutions change) AA->FF->XX->WW Rotor 3 now shifts (its substitutions change)... After 26 shifts by Rotor 3, it will be back to its original, substitution Rotor 2 now shifts. AA->FF->BB->SS  With 3 rotors and 26 letters we have a period = 26^3 = 17,576 substitution alphabets

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.22) Transposition Ciphers  Rearrange order of characters (permutation)  SIMPLE COLUMNAR CIPHER Using a grid, write plaintext horizontally, read ciphertext. vertically. Plaunchmissilesnow launch missil esnow CLMEAISUSNNSOCIWHL  ATTACK ON COLUMNAR CIPHER Ciphertext has same letter frequencies as plaintext -> Easy  MULTIPLE TRANSPOSITION CIPHERS Pass a plaintext through two or more transposition ciphers -> Much harder to attack.

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.23) Cryptanalysis  CIPHERTEXT ONLY ATTACK  KNOWN PLAINTEXT ATTACK  CHOSEN PLAINTEXT ATTACK  CHOSEN CIPHERTEXT ATTACK E C known E P known E C generated P chosen C chosengenerated D Discover” key, and/or plaintext if not known We assume algorithm is known (Kerckoff’s principle)

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.24) Cryptanalysis EXAMPLES OF ATTACK  Passive Attacks  Active Attacks  Brute Force  Birthday  Man-in-the-Middle  Replay  Cut & Paste  Time Resetting  Many more... PRACTICAL CRYPTANALYSIS Acquire a key by any means, e.g.  Theft  Bribery (“Purchase-Key” attack)  Blackmail  Torture  Hypnosis

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.25) Cryptographic Strength  UNCONDITIONALLY SECURE No matter how much ciphertext is available, it is still not enough to infer the plaintext (even with infinite computational power). Only ONE- TIME PADS with random keys are unconditionally secure. Known as PERFECT SECRECY for encryption systems.  PROVABLY SECURE Cryptosystem shown to be as difficult to defeat as some supposedly difficult (number-theoretic) problem, e.g. factorisation of large primes. Has an equivalence proof.  COMPUTATIONALLY INFEASIBLE (PRACTICALLY SECURE) Belief that cryptosystem cannot be broken with “available” resources; formalizations thereof exist already, e.g. “secure for any adversary with computational power in randomized polynomial time”

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.26) Cost & Timeliness £ COST TO BREAK > £ VALUE OF INFORMATION TIME TO BREAK > USEFUL LIFETIME OF INFORMATION

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.27) Reading  Stallings. Chapter 2.

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.28) Cryptographic Design Vulnerabilities Bruce Schneier IEEE Computer, Sept 98, p29-33

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.29) Security, ha ha ha  Lock with 4 pins, each with 10 positions  Burglar may need to try 10,000 combinations to guarantee success (brute-force attack)  What if 10 pins? -> 10 billion positions  Great, but....

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.30) A burglar could....  Smash the windows  Kick in the doors  Masquerade as a policeman  Threaten owner with violence  etc....  Better locks can’t help with these attacks  Same is true for cryptography. Good/strong cryptography is important but not a panacea

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.31) Marketing hype  “128-bit keys mean strong security”  “40-bit keys are weak”  “triple-DES is much stronger than single DES”  Be wary of products making such statements/claims.  Many products are buzzword-compliant, they use strong cryptography but aren’t particularly secure

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.32) Attacks against Design  Cryptosystems use algorithms for encryption, digital signatures, one-way hash functions, random-numbers etc.  Break any one and you can usually break the whole system!  Cryptographic functions often have very narrow usage  It’s very difficult to design a secure cryptosystem, even with good software engineers, e.g. Microsoft’s Point-to- Point-Tunneling Protocol (PPTP) used an inappropriate mode for the RC4 encryption algorithm rendering it insecure

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.33) Attacks against Implementation  Many cryptosystems fail because of mistakes in implementation, e.g. don’t securely destroy unencrypted text after encryption, have code that allows buffer overflow, are poor error checking and recovery,  “Trivial” code-optimisations can break security  Implementation trade-offs e.g. to enhance usability at the expense of security  Systems that allow old keys to be recovered in an emergency

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.34) Attacks against Hardware  Highly secure environments deploy tamper-resistant hardware, e.g. tokencards, smartcards  Techniques/hardware to defeat them are also being developed, e.g. timing attack on RSA private keys measured relative times of cryptographic operations. Attacks that measure power consumption, radiation emissions, introduce faults and analyse effects  Cost to Defeat Tamper Resistance >> Value of Data

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.35) Attacks against Trust Models  Who or what in the system is trusted, in what way, and to what extend?  Some commerce systems can be broken by a merchant and a customer colluding or two different customers colluding  Many systems make poor assumptions, eg, desktop is secure, network is secure, employees are trusted  Design choices are sometimes ignored when it comes time to sell a product/system.

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.36) Attacks “on” Users  Pass on password to colleagues  Use same password on different systems  Write random passwords on paper  Don’t report missing smartcard  Don’t change (weak) default settings  Users need to be educated

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.37) Attacks against Failure Recovery  Recovering the key for one file, should not allow every file to be read  Reverse-engineering one smart card should not reveal secret info in others  Options which switch off security, or make it less secure  Version rollback attack to insecure version

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.38) Attacks against Cryptography  Proprietary algorithms/protocols -> invariably weak. Cryptanalysts are very good at breaking published algorithms, even better against proprietary ones!  Keeping the algorithm secret doesn’t make much difference against determined opponents, algorithms can be reverse- engineered

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.39) Conclusion  A good security product must defend against every possible attack, even attacks that haven’t been invented yet!  Attackers often only need find one flaw in order to defeat a system.  In addition, they can collude & conspire.  They can wait for technology to give them the edge.  But don’t worry - Cryptography is a lot fun !!

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.40) Optional but Recommended Reading Links to these papers and documents are provided on the 430 course home page.  PriceWaterHouseCoopers’ 2010 Survey on the Global State of Information Security  Ciphertext-only Crytanalysis of the Enigma, by James J. Gillogly

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.41) Notes on Tutorial for Classical Cryptography Michael Huth M.Huth@doc.ic.ac.uk www.doc.ic.ac.uk/~mrh/430/

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.42) Why is Keyless Encryption bad?  Every group has own algorithm  Can’t use Off-the-Shelf algorithm, no implementation choices  Change group - change algorithm  Key comprise - change algorithm  Poor quality control - little or no peer review  No standards  Easy to reverse-engineer algorithm  Kerchoff’s principle - Assume algorithm is known, Secrecy should lie in keeping key secret.

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.43) What Encryption doesn’t handle **  Destructive Attacks, Replay attacks  Unencrypted documents, e.g. before encryption or after decryption  Modification of encryption program  Lost or Stolen keys or passwords  Traitors  Interception incl. Traffic Analysis  Successful cryptanalysis

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.44) Steganography The supply of game for London is going steadily up. Head keep Hudson, we believe, has been now told to receive all orders for fly paper and for preservations of your hen-pheasant's life. "The Gloria Scott" Arthur Conan Doyle.

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.45) DECRYPT  C=E(P)=  P=D(C)= BRUTE FORCE ATTACK Determine key for: E Q V  WKXPEVXS

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.46) Freemason Cipher ABCJDEFKLGHIMABCJDEFKLGHIM N O P W Q R S XY T U V Z

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.47) Decipher ????

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.48) SNPLTDFKAUOS Transposition Ciphers

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.49) End-to-End Encryption EkEk DkDk P P Node1 (Host) Node2Node3Node4 (Host) CC

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.50) Link-to-Link Encryption D k1 E k2 D k2 E k3 E k1 D k3 P P Node1 (Host) Node2Node3Node4 (Host) C1C2C3

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.51) Link-to-Link vs End-to-End  Msg exposed in sending host & intermediate nodes  Applied by sending host, host responsible for encryption  Transparent to processes  All messages usually encrypted  Can be done in hardware  Requires one key per link pair  Provides host/node authentication  More ciphertext  Can hide more IP headers  Msg encrypted in sending host & rec eiving nodes  Applied by sending process, process responsible for encryption  Process applies encryption  Process decides when to encrypt  Usually done in software  Requires one key per process pair  Provides application/user authenticat ion  Traffic analysis easier

Network Security (N. Dulay & M. Huth) Classical Cryptography (2.52) P1 P3 P2 Link-to-Link & End-to-End Encryption N N N N Host End-to-End Link-to-Link Encryption/decryption devices

Download ppt "Network Security (N. Dulay & M. Huth) Classical Cryptography (2.1) Detecting Eavesdropping A Solution."

Similar presentations