Previous lecture – smart-cards

Slides:



Advertisements
Similar presentations
“Advanced Encryption Standard” & “Modes of Operation”
Advertisements

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
Apr 30, 2002Mårten Trolin1 Previous lecture – passwords Passwords for authentication –Storing hashed passwords –Use of salt Passwords for key generation.
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
Mar 25, 2003Mårten Trolin1 Previous lecture – smart-cards Card-terminal authentication Card-issuer authentication.
Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
May 21, 2002Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
McGraw-Hill©The McGraw-Hill Companies, Inc., Security PART VII.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Apr 4, 2003Mårten Trolin1 Previous lecture TLS details –Phases Handshake Securing messages –What the messages contain –Authentication.
Computer Networking Lecture 21: Security and Cryptography Thanks to various folks from , semester’s past and others.
Feb 19, 2002Mårten Trolin1 Previous lecture Practical things about the course. Example of cryptosystem — substitution cipher. Symmetric vs. asymmetric.
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Tonga Institute of Higher Education Design and Analysis of Algorithms IT 254 Lecture 9: Cryptography.
Network Security. Security Threats 8Intercept 8Interrupt 8Modification 8Fabrication.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Feb 17, 2003Mårten Trolin1 Previous lecture Practical things about the course. Example of cryptosystem — substitution cipher. Symmetric vs. asymmetric.
Dr. Reuven Aviv, Nov 2008 Conventional Encryption 1 Conventional Encryption & Message Confidentiality Acknowledgements for slides Henric Johnson Blekinge.
Modes of Operation INSTRUCTOR: DANIA ALOMAR. Modes of Operation A block cipher can be used in various methods for data encryption and decryption; these.
Lecture 23 Symmetric Encryption
DATA & COMPUTER SECURITY (CSNB414) MODULE 3 MODERN SYMMETRIC ENCRYPTION.
Wired Equivalent Privacy (WEP) Chris Overcash. Contents What is WEP? What is WEP? How is it implemented? How is it implemented? Why is it insecure? Why.
Mar 28, 2003Mårten Trolin1 This lecture Certificates and key management Non-interactive protocols –PGP SSL/TLS –Introduction –Phases –Commands.
Lecture 3 Page 1 CS 236 Online Introduction to Cryptography CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Encryption Encryption: Transforms Message so that Interceptor Cannot Read it –Plaintext (original message) Not necessarily text; Can be graphics, etc.
Mar 18, 2003Mårten Trolin1 Agenda Parts that need to be secured Card authentication Key management.
Apr 1, 2003Mårten Trolin1 Previous lecture Certificates and key management Non-interactive protocols –PGP SSL/TLS –Introduction –Phases –Commands.
Block Cipher Modes Last Updated: Aug 25, ECB Mode Electronic Code Book Divide the plaintext into fixed-size blocks Encrypt/Decrypt each block independently.
Modes of Operation block ciphers encrypt fixed size blocks – eg. DES encrypts 64-bit blocks with 56-bit key need some way to en/decrypt arbitrary amounts.
Cryptography By: Nick Belhumeur. Overview What is Cryptography? What is Cryptography? 2 types of cryptosystems 2 types of cryptosystems Example of Encryption.
CS480 Cryptography and Information Security
Web Applications Security Cryptography 1
Attacks on Public Key Encryption Algorithms
Algorithm Modes ECB, CBC, CFB, OFB.
Computer and Network Security
Applied Cryptography Main goal
IT443 – Network Security Administration Instructor: Bo Sheng
Cryptography Why Cryptography Symmetric Encryption
Cryptographic Hash Function
e-Health Platform End 2 End encryption
Security.
Chapter 30 Cryptography Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Outline Desirable characteristics of ciphers Stream and block ciphers
Presented by: Dr. Munam Ali Shah
Lecture 3: Symmetric Key Encryption
Block Cipher Modes CS 465 Make a chart for the mode comparisons
Cryptography Lecture 4.
Security through Encryption
PART VII Security.
CS/ECE 478 Network Security Dr. Attila Altay Yavuz
Security.
Algorithm Types & Algorithm Modes
csci5233 computer security & integrity (Chap. 4)
The Secure Sockets Layer (SSL) Protocol
Block vs Stream Ciphers
One time pad & Many Time pad
Block Ciphers (Crypto 2)
DISSERTATION ON CRYPTOGRAPHY.
Padding Oracle Attacks
Encryption Basics Types of ciphers Algorithms Modes Key Length
Fluency with Information Technology Lawrence Snyder
Stream Cipher Structure
Review of Cryptography: Symmetric and Asymmetric Crypto Advanced Network Security Peter Reiher August, 2014.
Secret-Key Encryption
Presentation transcript:

Previous lecture – smart-cards Card-terminal authentication Card-issuer authentication Mar 25, 2003 Mårten Trolin

Today’s program – key generation and distribution About previous assignment New assignment Generating keys Distributing keys Key splitting Master key and derived keys Key lengths Symmetric keys Asymmetric keys Mar 25, 2003 Mårten Trolin

Assignment Completely solved assignment gives 20 points Six points deducted if chaining not implemented Penalty for delay – one point per day Common problems Static Initialization Vector (IV) Padding not bijectional Encryption algorithm used Mar 25, 2003 Mårten Trolin

Initialization Vector (IV) In CBC mode, the IV is used for the first XOR Using a constant IV always gives the same ciphertext for a certain clear text. A good system should generate the IV dynamically From some random generator From the system time, etc. Since the IV is necessary for decryption, the IV must be given in clear in the output The IV itself is not secret, and giving it in clear does not create a security problem. Mar 25, 2003 Mårten Trolin

Padding If the clear text is not a multiple of the block length, some padding must be used. The padding must be bijectional, i.e., the extra characters added must be removed after decryption Padding by adding spaces to the clear text does not work, since you can’t know if the spaces were added during padding, or if they were in the clear text from the beginning How to create a bijectional padding? Mar 25, 2003 Mårten Trolin

Bijectional padding schemes A padding scheme is bijectional if depad(pad(s)) = s. If there are certain characters that for some reason cannot appear in the clear text, they can be used for padding. In general, this is not a good solution, since such conditions may change. Example: Let l be the length of the original clear text, and let b be the block length. Set l´ the smallest multiple of b such that l´ > l. Create a string of length l´ whose first l bytes are the clear text. Set the last byte to l´ - l. This is reversible, since when decrypting, it is possible to read the last byte and remove the corresponding number of padding characters. Mar 25, 2003 Mårten Trolin

Encryption algorithm used In the assignment, you need the “basic” DES encryption. Since ECB (Electronic Code Book) provides encryption without any further processing, this is what we want. In Java, use “DES/ECB/NoPadding” In other libraries, either call DES directly, or ECB without padding Mar 25, 2003 Mårten Trolin

New assignment Create signature according to EMV specifications (15 p) Create issuer certificate according to EMV specifications (5 p) Mar 25, 2003 Mårten Trolin

Generating keys Key generation requires a good source of random bits Bad key material makes system vulnerable to attacks. Has been done in practice. Hardware generators provide the best source. For end-user applications - some user interaction can be used (mouse movement, key strokes, etc.) Using system time for high security requirements is a bad idea! For high-security applications, key generation should take place in a closed environment. Mar 25, 2003 Mårten Trolin

Distributing symmetric keys Symmetric keys are very sensitive and must be distributed with great care. Depending on how valueable the key is, different approaches are possible. Send the key to recipient by physically secure means, e.g., by courier, by registered mail etc. If a common key exists, send the new key encrypted under the common key. Split the key into components and send the key components with different security officers. Mar 25, 2003 Mårten Trolin

Key splitting One option for distributing keys with lower risk is to split the key into components and send the parts separately. After generation, the key is split into n parts. To recreate the key, all n parts must be available. Knowledge of less than n parts should give as little help as possible for recreating of keys. How do we do this? Mar 25, 2003 Mårten Trolin

Splitting into parts of equal length When splitting into parts of equal length, the key of length l is split into n components, each of length l / n. First part consists of bits 1 through (l / n) – 1, second part of bits l / n though 2(l / n) – 1, etc. A disadvantage of this method is that knowledge of several parts reveals parts of the key, and leaves fewer bits for guessing. Mar 25, 2003 Mårten Trolin

Exclusive-or with random bit strings If we want to distribute an l-bit key k as n components, we first generate (n – 1) l-bit strings u1, u2, …, un – 1. The n’th component is computed as un = k  u1  u2  …  un – 1, where  denotes bitwise XOR. The basic properties of XOR gives that u1  u2  …  un = k. This method gives higher security, since knowledge of either n – 1 components reveals nothing about the key. Recall that with the previous method, this knowledge revealed several key bits, making a brute-force attack on the rest easier. Mar 25, 2003 Mårten Trolin

Distributing keys for asymmetric keys Distributing the public part of asymmetric keys is simple – no special security measures are needed. Distributing keys in certificates makes it easier to prove the owner of the key. If the private part is to be distributed, the same techniques as for symmetric keys can be used. Mar 25, 2003 Mårten Trolin

Key Derivation Key derivation is a technique to assign individual keys without having to store a key per user. The key information is concentrated into a single master key. Every key is derived from this master key. The individual keys are computed on-the-fly from the master key and user information. User information Encryption Master key Individual key Mar 25, 2003 Mårten Trolin

Session Keys For security reasons it is often a good idea to use different keys for each transaction. Keys used only for one transaction are called session keys. Session information Encryption Individual key Session key Mar 25, 2003 Mårten Trolin

Key Management – Setup System A System B If two systems need to share a common symmetric key, there are several possiblities. Can be created by system A and transferred to system B. Can be created by a third party and transferred both to system A and system B. Master Key Master Key Master Key Master Key Key generation Mar 25, 2003 Mårten Trolin

Zone Master Key – ZMK If the two systems have one common symmetric key, this key can be used to encrypt other keys that are sent between the systems. This key is often called Zone Master Key, ZMK. Once this common key has been established, exchanging further keys is simple. Mar 25, 2003 Mårten Trolin

Symmetric Key Management – Zone Master Key Host system Configuration system ZMK Component 1 ZMK Component 2 ZMK Component 3 Components reassembled as the host to give the same key Generation of Zone Master Key Zone Master Key sent as components to host by security officers Mar 25, 2003 Mårten Trolin

Transfer of Zone Master Key When transferring the Zone Master Key, no single person will see the key. Key components are given out only one at the time, so that no one person sees all components. When combining the components, each component is first encrypted. Only when all components are encrypted do the security officers meet and give all components. Mar 25, 2003 Mårten Trolin

Symmetric Key Management – Key Export System A System B Key ZMK ZMK Key System A and system B shares ZMK Symmetric key encrypted under ZMK and sent Symmetric key generated Symmetric key decrypted at system B Mar 25, 2003 Mårten Trolin

Key length Apart from selecting a good algorithm, the key length to be used must be chosen. When selecting the key length, you need to take into account security requirements and hardware costs. Longer keys are more secure, but encryption and decryption takes longer time. How sensitive is the data? Do we need to protect it for twenty seconds, twenty days or twenty years? Who do we want to protect ourselves against? The causal eaves-dropper, a competing company or a foreign government? Mar 25, 2003 Mårten Trolin

Symmetric key lengths If the symmetric cipher is good, the only way to break the key is to do exhaustive search. For an n-bit key, this requires 2n iterations. As of today, 64-bit keys take a few years to crack for someone with enough resources. 128-bit keys are virtually impossible to break, and are likely to stay that way for the foreseeable future. Since encryption and decryption is fast, there is usually no reason to use less than 128 bits. Mar 25, 2003 Mårten Trolin

Symmetric key lengths The graph below demonstrates how the time necessary to break a key depends on the key length. Time to break Key length Mar 25, 2003 Mårten Trolin

Asymmetric key lengths For asymmetric systems, there are much more efficient ways than exhaustive search to retrieve the key. For RSA, factoring the modulus gives the private key. The longest RSA key that is publicly known to have been broken is 512 bits. Two years ago, this required 30 CPU-years. 1024 bit keys probably remain secure for the next years. Be very careful with comparisons between strength of symmetric and asymmetric keys! Mar 25, 2003 Mårten Trolin

Asymmetric keys Asymmetric keys often have a longer life-span than symmetric keys. Symmetric keys are used for session encryption, which often has to be kept secret only for a limited period. Asymmetric keys are used for signatures that may have to remain secure for several decades. Analyze the situation and choose the most appropriate solution! Mar 25, 2003 Mårten Trolin