Gene Itkis: BU CAS Network Security

Presentation transcript:

Gene Itkis: BU CAS 558 - Network Security CS 558: Network Security Gene Itkis 4/16/2017 Gene Itkis: BU CAS 558 - Network Security

Overview

Basic scenario

Simplified Scenario
- Diagram labels: Alice, Eve, Bob
- Network: Internet, intranet, LAN, WAN, …
- How to protect?
  - Encrypt
  - Key agreement
  - Authenticate
- Issues:
  - Protocols
  - Protection (crypto)
- A solution: SSL/TLS

How to protect?

Crypto Landscape overview

Definitions and Concepts

What is Cryptography?
- It all started with Encryption / Decryption
  - plaintext: “attack at midnight”
  - ciphertext: “buubdl bu njeojhiu”

Encryption / Decryption (cont.)
- Shared Key
- encoder (plaintext in - ciphertext out): msg “bla-bla” becomes ciphertext “cmb-cmb”
- decoder (ciphertext in - plaintext out): ciphertext “cmb-cmb” becomes msg “bla-bla”
- eavesdropper (should understand nothing about the msg)

Crypto tools
- Encryption/decryption – to hide info
- Key exchange - to establish shared key
- Authentication – to establish shared key with the party you really meant to
  - public
  - private
- Signatures
- Hashing
- Certificates, PKI

Adversary types
- Alice and Bob want to communicate in presence of adversaries
- Adversaries:
  - Passive – just looking
  - Active – may change msgs

Key exchange: man-in-the-middle
- Diagram labels: Alice, attacker (one key shared w/Alice, one key shared w/Bob), Bob
- Key exchange without Authentication
  - Subject to Man-in-the-Middle attack
  - Attacker translates between the keys, reading and/or modifying the messages
  - Authentication afterwards will not help!

Authentication
- Alice sends a msg M to Bob
- Bob wants to be sure M is really from Alice

Signatures
- Alice holds $S_{Alice}$ and computes $Sig_M = Sign(M, S_{Alice})$
- Alice sends $(M, Sig_M)$ to Bob
- Bob runs $Verify(M, Sig_M, \ldots)$

Authentication: “public”
- Alice, Bob
- checks
- contracts
- …

Public Key Signatures
- Alice: Secret Key $S_{Alice}$; computes $Sig_M = Sign(M, S_{Alice})$ and sends $(M, Sig_M)$
- Bob: Public Key $P_{Alice}$; runs $Verify(M, Sig_M, P_{Alice})$
- Problem: How to authenticate $P_{Alice}$?

Certificates
- Alice: Public Key $P_{Alice}$, Secret Key $S_{Alice}$
- Charlie, CA: certifies $P_{Alice}$
  - “This public key $P_{Alice}$ really belongs to Alice. Signed by Charlie, Certification Authority”
- Certificates can be public!
- Who’s Charlie?!?

Public Key Infrastructures (PKI)
- Root CA public key
  - Obtained out-of-band
  - Certifies other Public Keys (of CAs, or users)
- Certification Chains
- Grain of salt: so, you have a certificate…
- To be continued…

Back to Signatures
- Alice holds $S_{Alice}$ and computes $Sig_M = Sign(M, S_{Alice})$
- Alice sends $(M, Sig_M)$ to Bob
- Bob runs $Verify(M, Sig_M, \ldots)$

Authentication: “private”
- Alice and Bob both hold $S_{Alice}$
- Alice computes $Sig_M = Sign(M, S_{Alice})$ and sends $(M, Sig_M)$
- Message Authentication Code (MAC)
  - $Sign(M, S_{Alice}) = Hash(M, S_{Alice})$
  - $Verify(M, Sig_M, S_{Alice})$: Check $Sig_M = Sign(M, S_{Alice})$
- MAC = “Shared Secret Sig” = Symmetric Sig (Sign=Verify)

Hashing
- Hash maps x1 and x2 to the same y: collision
- Crypto Hash:
  - collisions may exist, but are hard to find
  - Given y hard to find x, s.t. Hash(x)=y
- Used for:
  - Symmetric signatures
  - “Fingerprint” for Public Key signatures

Another setting
- Alice, Bob

Dynamics
- Secrets get stolen/exposed
  - Limit (or even avoid) the damage
  - Recover
  - Revoke
  - etc.
- Some approaches
  - Secret sharing & distributed computation
  - Forward-security, intrusion-resilience, …
  - Threshold, proactive crypto

Real Life: e-thieves
- E-thieves (pirates/hackers)
  - Recreational (do it “for fun” - e-hooligans)
  - Professionals
- Defense
  - Cost & time aspects
  - Periodic renewals
  - Multiple defense lines
  - Obscurity vs. security (or security by obscurity)
  - Recovery from security breaches

Details and constructions

Outline
- Block vs. Stream ciphers
- Symmetrical vs. Asymmetrical (public key)
- Tool: Pseudo-Random Number Generators
- Complexity (what is hard?)
- Public Key Crypto
  - Diffie-Hellman
  - Rabin’s encryption
  - RSA

Block vs. Stream Ciphers
- Cipher = Encoder; or Encryption/Decryption scheme
- Stream cipher encodes/decodes char by char
- Block cipher encodes/decodes block by block
- Stream cipher ~ Block cipher with block size of 1 char (+state)
- Chaining (Modes of Operation) – make block encryption depend on the past blocks
  - “make block ciphers more like stream ciphers”

Symmetric & Asymmetric schemes
- Symmetric: decryption as easy as encryption (and vice versa)
  - i.e. if you can encrypt then you can decrypt (and vice versa)
  - (DES, AES/Rijndael are symmetric block ciphers)
- Asymmetric: may not be able to decrypt even if you can encrypt
  - e.g. RSA

Symmetric cipher - example
- Caesar's cipher
  - the letters of the alphabet are shifted (*)
  - e.g. “a” is replaced with “b”, “b” with “c”, etc.
  - so msg “attack at midnight” is encrypted as “buubdl bu njeojhiu”
  - (*) the shift can be by one (as in our example) or more
- encryption and decryption are equally easy (too easy, in fact)

One-time pad
- For each character of the future msg indicate the shift:
  - pad (key) ⊕ msg (plaintext) = ciphertext (encrypted msg)

One-time random pad (cont.)
- Symmetric
- Pad is selected at random
- Perfectly secure, but...
- One time only
  - so sending the pad is just as hard as sending the msg

Pseudo-random pad
- Pseudo-random bit string (PRBS) generator: seed (short), e.g. 01101, is expanded into PRBS (long), e.g. 1010010110....
- PRBS = Hard to guess a bit (after seeing many others)

Complexity: what is “hard”?
- measure hardness in terms of size of input
- easy = polynomial; hard = exponential
- Easy problems:
  - Finding max of n numbers - O(n)
  - Sorting n elements - O(n lg n)
- Hard problems:
  - Factoring N=pq (n bits long)
  - current best (?)

Other hard problems
- Let N=pq, where p,q are large primes
- Square root mod N
  - given x,N find $y = \sqrt{x} \bmod N$, i.e. $y^2 = x \bmod N$ (equivalent to factoring N)
- Discrete log
  - given b,N and x, find y =
- How hard are these problems really?
- One-way functions:
  - easy to compute
  - hard to invert
- Trap-door: a secret making inverting an owf easy

Public-Key Crypto
- Key exchange - Diffie-Hellman
- PK Encryption - Rabin, RSA
- e-Signatures - Rabin, RSA; ElGamal (a la DH); DSA; Fiat-Shamir

Diffie-Hellman: key exchange
- Public: p, g
- Alice picks a and sends $m_a = g^a \bmod p$
- Bob picks b and sends $m_b = g^b \bmod p$
- Alice computes $m_b^a \bmod p$; Bob computes $m_a^b \bmod p$
- $m_b^a \bmod p = m_a^b \bmod p = g^{ab} \bmod p$ = shared secret key!
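The exchange on this slide, together with the unauthenticated case from the earlier man-in-the-middle slide, as an added Python example that is not part of the original slides. The function names, the `views_consistent` check and the toy parameters p=23, g=5 are assumptions made for illustration.

```python
import secrets

def keypair(p, g, private=None):
    """Return (private exponent x, public message g^x mod p)."""
    x = private if private is not None else secrets.randbelow(p - 3) + 2
    return x, pow(g, x, p)

def exchange(p, g, a=None, b=None, e=None):
    """Run one Diffie-Hellman exchange between Alice and Bob.

    If e is given, an active middle party with exponent e replaces m_a and
    m_b in transit with its own message m_e (the man-in-the-middle slide).
    Returns each side's derived key and the (sent, received) values it saw.
    """
    a, m_a = keypair(p, g, a)
    b, m_b = keypair(p, g, b)
    to_bob, to_alice, middle = m_a, m_b, None
    if e is not None:
        e, m_e = keypair(p, g, e)
        to_bob = to_alice = m_e
        # The middle party ends up sharing one key with each endpoint.
        middle = {"with_alice": pow(m_a, e, p), "with_bob": pow(m_b, e, p)}
    return {
        "alice_key": pow(to_alice, a, p),   # m_b^a mod p when untouched
        "bob_key": pow(to_bob, b, p),       # m_a^b mod p when untouched
        "alice_view": (m_a, to_alice),      # (sent, received)
        "bob_view": (m_b, to_bob),
        "middle": middle,
    }

def views_consistent(result):
    """Alice's (sent, received) must mirror Bob's (received, sent).

    Assumption: the two views are compared over a channel the middle party
    cannot alter, e.g. each side signs the values it saw during the exchange.
    """
    sent_a, recv_a = result["alice_view"]
    sent_b, recv_b = result["bob_view"]
    return sent_a == recv_b and sent_b == recv_a

if __name__ == "__main__":
    P, G = 23, 5   # constructed toy parameters, far too small for real use
    honest = exchange(P, G, a=6, b=15)
    tampered = exchange(P, G, a=6, b=15, e=13)
    print("honest:  ", honest["alice_key"], honest["bob_key"],
          views_consistent(honest))
    print("tampered:", tampered["alice_key"], tampered["bob_key"],
          tampered["middle"], views_consistent(tampered))
```

In the tampered run Alice and Bob each hold a valid-looking key, but not the same one; only binding authentication to the exchanged values themselves exposes the substitution.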

Rabin’s scheme
- to encrypt msg m simply square it mod N=pq
  - $x = m^2 \bmod N$ (m: plaintext, x: ciphertext)
- if p,q (such that pq=N) are known, then decryption (finding m given x) is easy (using Chinese Remainder Theorem)
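Rabin encryption and CRT-based decryption as an added Python example (not from the original slides), which also shows why the earlier slide calls square roots mod N equivalent to factoring. It assumes p ≡ q ≡ 3 (mod 4) so that roots modulo each prime are a single exponentiation; the function names and the toy primes 7 and 11 are constructed for illustration.

```python
from math import gcd

def rabin_encrypt(m, N):
    """Ciphertext x = m^2 mod N; needs only the public N."""
    return pow(m, 2, N)

def rabin_roots(x, p, q):
    """All square roots of x mod N = p*q, using the private factors.

    Assumes p ≡ q ≡ 3 (mod 4), so a root mod p is x^((p+1)/4) mod p.
    The roots mod p and mod q are then combined with the Chinese
    Remainder Theorem, giving up to four candidates for m.
    """
    N = p * q
    rp = pow(x, (p + 1) // 4, p)
    rq = pow(x, (q + 1) // 4, q)
    cp = q * pow(q, -1, p)   # CRT coefficient: 1 mod p, 0 mod q
    cq = p * pow(p, -1, q)   # CRT coefficient: 0 mod p, 1 mod q
    roots = set()
    for sp in (rp, p - rp):
        for sq in (rq, q - rq):
            roots.add((sp * cp + sq * cq) % N)
    return sorted(roots)

def factor_from_roots(r1, r2, N):
    """Two roots of the same x with r1 != ±r2 (mod N) expose a factor of N.

    This is why a general square-root oracle mod N would factor N.
    """
    return gcd(abs(r1 - r2), N)

if __name__ == "__main__":
    p, q = 7, 11                 # constructed toy primes, both 3 mod 4
    N = p * q
    m = 20
    x = rabin_encrypt(m, N)
    candidates = rabin_roots(x, p, q)
    # The receiver needs redundancy in m to tell which candidate was sent.
    print("ciphertext:", x, "candidates:", candidates)
    print("factor from 20 and 13:", factor_from_roots(20, 13, N))
```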

RSA
- Let N=pq, and find e,d such that
- Encryption:
- Decryption:
- plaintext ciphertext

Public Key Cryptography
- Encryption and Decryption are different
  - i.e. use different keys (asymmetric):
- RSA
  - Public: N,e (needed to encrypt)
  - Private: N,d (needed to decrypt, can be computed from p,q)
- Rabin’s
  - Public: N
  - Private: p,q

Identification, Authentication, Signature schemes
- Signature $s = S_I(m)$ of a msg m
  - only I can sign, i.e. compute s, for I and m
  - given s, I, and m, everyone can verify that $s = S_I(m)$
- Message Authentication
  - like Signature, but only the receiver of the msg is required to be able to verify it
- Identification
  - only I can prove that he is I

Identification, Authentication, Signature schemes (cont.)
- Signature can be used for Authentication
- Signature and Authentication can be used for Identification
  - use interaction: two players
  - Prover P - e.g. user, who wants to prove that he is I
  - Verifier V - e.g. wants to verify that P is really I

Identification (cont.)
- must consider all the scenarios:
  - both P and V are honest
  - both P and V are dishonest
  - V is honest but P is dishonest
  - P is honest, but V is dishonest
- note: an eavesdropper (observer) should learn little from witnessing the P-V dialog
  - usual password scheme - bad!

Fiat-Shamir Identification scheme (simplified)
- Let N=pq, where p,q are large primes;
- using p,q, compute s, such that $s^2 I = 1 \pmod N$
- public (P,V have): N (and I)
- private (only I has): s
  - also, production center has p,q

Fiat-Shamir (cont.)
- P (user) has N, I, s; V (e.g., system) has N
- P: pick random r; set $x = r^2 \bmod N$; send I, x
- V: send query = 0 or 1
- P: respond with r (query = 0) or $rs \bmod N$ (query = 1)
- V: check $r^2 = x \bmod N$ (query = 0) or $(rs)^2 I = x \bmod N$ (query = 1)

Fiat-Shamir (cont.)
- Proof (of P knowing s)
  - after k rounds the probability of mistake (i.e. P cheating without being caught) is $(1/2)^k$
- Zero-Knowledge
  - if query is known in advance:
  - for query=0, select r, and $x = r^2 \bmod N$
  - for query=1, select z, and $x = z^2 I \bmod N$ (z “pretends” to be rs mod N)

Security of Fiat-Shamir
- Relies on hardness of factoring:
  - an algorithm “cracking” Fiat-Shamir yields an algorithm for factoring N
- randomness:
  - of r for Zero-Knowledge
  - of query - to prevent P from cheating
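The simplified Fiat-Shamir rounds from the slides above, as an added Python example that is not part of the original deck. It assumes the production center picks s first and derives I from it (the slides compute s from I using p,q); the function names and the toy modulus N=77 are constructed for illustration.

```python
import secrets
from math import gcd

def keygen(p, q, s=None):
    """Production center: secret s and public I with s^2 * I = 1 (mod N)."""
    N = p * q
    while s is None or gcd(s, N) != 1:
        s = secrets.randbelow(N - 2) + 2
    I = pow(s * s, -1, N)
    return N, I, s

def commit(N, r=None):
    """Prover: pick random r and send x = r^2 mod N."""
    r = r if r is not None else secrets.randbelow(N - 2) + 2
    return r, pow(r, 2, N)

def respond(N, s, r, query):
    """Prover: answer r for query 0, r*s mod N for query 1."""
    return r if query == 0 else (r * s) % N

def verify(N, I, x, query, resp):
    """Verifier: resp^2 = x (query 0) or resp^2 * I = x (query 1), mod N."""
    lhs = pow(resp, 2, N)
    if query == 1:
        lhs = lhs * I % N
    return lhs == x

def simulate(N, I, query, z=None):
    """Transcript built WITHOUT s when the query is known in advance.

    This is the slides' zero-knowledge argument: such transcripts verify,
    so watching honest rounds teaches an observer nothing about s. It is
    also why the query must be random: a prover who prepared for the
    wrong query has no valid answer, giving the (1/2)^k bound.
    """
    z = z if z is not None else secrets.randbelow(N - 2) + 2
    x = pow(z, 2, N) if query == 0 else pow(z, 2, N) * I % N
    return x, z

def identify(N, I, s, k=20):
    """Run k rounds between an honest prover and a verifier."""
    for _ in range(k):
        r, x = commit(N)
        query = secrets.randbelow(2)      # verifier's random challenge
        if not verify(N, I, x, query, respond(N, s, r, query)):
            return False
    return True

if __name__ == "__main__":
    N, I, s = keygen(7, 11, s=10)         # constructed toy values
    print("N, I, s =", N, I, s, "honest prover accepted:", identify(N, I, s))
    x, z = simulate(N, I, query=1, z=5)
    print("prepared for query 1:", verify(N, I, x, 1, z),
          "asked query 0 instead:", verify(N, I, x, 0, z))
```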

Identification and Signatures
- Identification scheme can be turned into Signature:
  - Replace Verifier with a hash function