Presentation on theme: "Computer Security Set of slides 5 Dr Alexei Vernitski."— Presentation transcript:
Computer Security Set of slides 5 Dr Alexei Vernitski
Man-in-the-middle attack Alice and Bob work in the same company. They want to use the RSA cipher to communicate privately AliceBob
Man-in-the-middle attack Bob sends to Alice his public key by AliceBob
Man-in-the-middle attack Alice encrypts her message using the key that she has received from Bob and sends an encrypted message to Bob by AliceBob
Man-in-the-middle attack But after that, the system administrator Eve will be able to decrypt Alice’s message. How did Eve break the cipher? AliceBob Eve
Man-in-the-middle attack Bob sends to Alice his public key by , and he thinks that she has received this key. Alice thinks that she receives a message from Bob. But in reality… AliceBob
Man-in-the-middle attack Eve intercepts Bob’s message with his public key and replaces Bob’s public key by Eve’s public key. AliceBob Eve
Man-in-the-middle attack Alice thinks that she sends a message encrypted with Bob’s public key, but this is Eve’s public key. Therefore, Eve can read this message AliceBob Eve
Man-in-the-middle attack Guess what else Eve should do if she wants to continue reading Alice’s secret messages to Bob? AliceBob Eve
Man-in-the-middle attack Eve should decrypt Alice’s message using Eve’s key, encrypt it using Bob’s key and forward it to Bob AliceBob Eve
Man-in-the-middle attack The “man-in-the-middle” attack (or “the Mig-in- the-middle” attack, or password spoofing) can also be used in user authentication Authenticator Valid user Attacker
Message authentication Suppose I am sending a message to a remote correspondent. How can I prove that this message comes from me? Public key cryptography can be applied
Public-key cryptography (as used for encryption) Plain text Encrypted text Public key Private key
Public-key cryptography (as used for message authentication) signature message Public key Private key
Message authentication Alice publishes her public key (remember about the man-in-the-middle attack!) Alice sends a message to Bob Alice applies her private key to the message and sends the result (the signature) to Bob Bob applies Alice’s public key to the signature and sees that it coincides with the message Because only Alice knows her private key, only she could have generated the signature.
PGP Pretty Good Privacy (PGP) is a computer program that provides cryptographic privacy and authentication. It includes public-key ciphers Also, it includes a possibility to create signatures (hashes, digests)
Many names of checksums Depending on the applications and on the algorithms used, names differ: cryptographic checksums, hash functions, electronic digests, commitment protocols, data integrity assurance, one-way functions.
Checksum-calculating algorithm Data … bits Checksum up to 100 bits
Integrity Checksums are used to check the integrity of the data, that is, that the data have not been changed (by accident or by an intruder).
Protection against noise Data Checksum Data? Checksum Suppose we are sending data to a remote computer noise
Error detection People studying codes would say that the data with their checksum is an error-detecting code for the data.
Example: parity bit in ASCII (why there are 8 bits in a byte?) These 7 bits encode a character This bit is a XOR of all others
Protection against an intruder Checksum algorithm Data Checksum On Friday, we calculate the checksum of our data and store it separately from the data
Protection against an intruder Checksum algorithm Checksum On Sunday, an intruder changes the data Changed data
Protection against an intruder Checksum algorithm Changed data Checksum is different On Monday, we calculate the checksum of the data and, thanks to this, notice that the data has been tampered with
Simple checksums The sum of all bytes of the data is a checksum. In fact, this is the original checksum (hence comes the word checksum). The size of the data is a checksum (For example, computer viruses often change the size of infected files)
A cryptographic checksum We do not want the checksum to reveal any useful information about the original data On the contrary, we want the checksum to reveal as little as possible about the original data In particular, when the data is changed, we do not want the checksum to reveal any details of what has changed
Example: an application of cryptographic checksums “The star of Saturn is not a single star, but is a composite of three, which almost touch each other” Galileo
Galileo planned to publish this new discovery in his next book But in the meantime, how could he preserve his priority? He has published an anagram: smaismrmilmepoetaleumibunenugttauiras An application of cryptographic checksums
Galileo has published an anagram: smaismrmilmepoetaleumibunenugttauiras Later, he has published the original message: Altissimum planetam tergeminum observavi Everyone could check that the first published message is an anagram of the second.
An application of cryptographic checksums In the meantime, Kepler had spent much time trying to guess the original message, because he was sure it would be something like “I have discovered two moons of Mars”. In fact, they have been discovered only 250 years later.
A cryptographic checksum Altissimum planetam… smaismrm… Easy direction Difficult direction
Checksums Studying checksums is an important part of computer science. As we have seen, it has applications in data transmission and computer security. Especially, we are interested in cryptographic (that is, ‘one-way’) checksums.
Cryptographic checksums message checksum Easy Hard
Cryptographic checksums With cryptographic checksums, it is difficult for the attacker to guess what message corresponds to a given checksum With cryptographic checksums, it is more difficult for the attacker to experiment and counterfeit a message
MD5 MD5 is the most frequently used cryptographic checksum For any given file, the algorithm MD5 calculates the file’s 128-bit checksum. The type of calculations involved in calculating the checksum are more or less of the same nature as in DES. So-called ‘sponge construction’ is used
MD5 weaknesses The most popular algorithm for computing checksums is MD5. New successful attacks against it have been reported in the last two years. They are versions of the so-called ‘birthday attack’ What new cryptographic checksum algorithms can one use instead of MD5?
Birthday attack: a simple example Suppose I want to write a message “I shall come” and confirm this with checksum At the same time, I want to be able to claim that what I have said was “I shall not come”, with the same checksum
Birthday attack: a simple example Write many versions of ‘yes’: I shall come I shall come soon Arriving any minute Get your computer to help you with more versions… Write many versions of ‘no’: I shall not come I shall never come Don’t wait for me Get your computer to help you with more versions…
Birthday attack ‘yes’ ‘no’ The checksum space
User authentication Suppose a user logs into a client computer, and his/her password is stored on the server How can we compare securely the password entered by the user and the stored password? How can we protect the user from someone who steals his/her password from the server?
User authentication The password must not be sent from the client computer to the server The password must not be sent from the server to the client computer The password should not be stored on the server
User authentication Secure solution: we store cryptographic checksums of user passwords on the server The client computer calculates the checksum of the password entered by the user, and sends it to the server (or vice versa)
client server Login and password Login and a checksum of the password The attacker will not obtain the password by analysing the traffic
3. Compare them with the checksums on the server The server stores checksums of all users’ passwords The checksum of one of the artificial passwords might coincide with the checksum of one of the real passwords Birthday attack 2. Generate their checksums 1. Generate many random passwords
Birthday attack Real passwords Artificial passwords The checksum space
client server Login and a wrong password Login and a checksum of the password, which corresponds to that of a real password The attacker does not know the real password, but can use the artificial password to log in as a valid user
Rainbow attack (against passwords stored as hashes)
Passwords stored as hashes password hash Hash algorithm (a complicated function)
A simplified model: the format of hash is the same as the format of password Password (for example, 8 letters) Hash (for example, 8 letters) Hash algorithm
Exhaustive search attack It is possible to spend some time and calculate hashes of all possible passwords How many passwords are there? 26 8 =2·10 11 If we process 10 6 password per second, we can finish the search in three days
Time/memory trade off How many passwords are there? 26 8 =2·10 11 If we process 10 6 passwords per second, we can finish the search in three days However, it might be expensive to store that much information For comparison, all servers of Google store approximately bytes.
Time/memory trade off Thus, we might store some passwords and hashes instead of all. This storage must be organised in such a way that we can find reasonably quickly if we have a particular password stored.
A chain passwordhash/password Hash algorithm Start with a password Generate its hash Treat this hash as a password Generate its hash Repeat a number of times (for instance, a million times)
A chain password hash Instead of storing a million passwords and hashes, we only need to store one pair of password and hash All passwords/hashes between them don’t need to be stored chains are prepared in advance
Rainbow attack Now suppose that we want to find what password corresponds to a given hash This hash belongs to one of our rainbow chains By hashing this hash sufficiently many times, we find out in which of our chains it is contained Then we only need to re-calculate this one chain
Hash the given hash repeatedly until you obtain one of stored hashes password hash password hash password hash
Find a password matching the hash password hash password hash password hash
Sample exam questions Explain why a checksum is called a checksum. Name three other names of checksums. State the defining features of a cryptographic checksum Explain briefly the statistical principles behind the birthday attack and give a simplified example of how the birthday attack can be organised