Chap. 7: Confidentiality using symmetric encryption & Introduction to public-key cryptosystems Jen-Chang Liu, 2004 Adapted from Lecture slides by Lawrie Brown

Amongst the tribes of Central Australia every man, woman, and child has a secret or sacred name which is bestowed by the older men upon him or her soon after birth, and which is known to none but the fully initiated members of the group. The secret name is never mentioned … The native thinks that a stranger knowing his secret name would have special power to work him ill by means of magic. -The Golden Bough, Sir James George Frazer

Motivation and outline symmetric encryption is used to provide message confidentiality Q: Where to put the encryption mechanism? How to distribute the secret key? Placement of encryption function Traffic confidentiality Key distribution

Confidentiality using Symmetric Encryption 機密性 What to encrypt and where the encryption function should be located consider typical scenario: (1)Eavesdropping by members (2) dial-in, then intrude (3) Tap into wire (4) Monitor traffic

Typical scenario and attacks consider typical scenario workstations on LANs access other workstations & servers on LAN LANs interconnected using switches/routers with external lines or radio/satellite links consider attacks and placement in this scenario snooping from another workstation use dial-in to LAN or server to snoop use external router link to enter & snoop monitor and/or modify traffic one external links

Placement of encryption have two major placement alternatives link encryption encryption occurs independently on every link implies must decrypt traffic between links requires many devices, but paired keys for all links end-to-end encryption encryption occurs between original source and final destination need devices at each end with shared keys

Placement of encryption (cont.) One shared key One key for each link

Problems with routing In a packet-switching network, we need packet header to route packets Link encryption: so packet must be decrypted before routing Vulnerable at each switch node End-to-end encryption: must leave headers in clear, so network can correctly route information hence although contents protected, traffic pattern is not protected ideally want both at once end-to-end protects data contents over entire path and provides authentication link protects traffic flows from monitoring

Placement of encryption over OSI model can place encryption function at various layers in OSI Reference Model

OSI model and packetization Application level encryption TCP level encryption Link level encryption

Placement of encryption over OSI model (cont.)

Outline Placement of encryption function Traffic confidentiality Key distribution

Traffic Analysis In packet-switching network, the packet header cannot be encrypted Traffic analysis is monitoring of communications flows between parties Ex. know who is talking to whom in military usage Traffic analysis reveals Identities of partners How frequently the partners are communicating Message pattern, message length, quantity of messages, …

Defense against traffic analysis link encryption obscures header details but overall traffic volumes in networks and at end-points is still visible Traffic padding

Outline Placement of encryption function Traffic confidentiality Key distribution

Model for Network Security

Key Distribution symmetric schemes require both parties to share a common secret key issue is how to securely distribute this key often secure system failure due to a break in the key distribution scheme

Key Distribution methods given parties A and B have various key distribution alternatives: 1. A can select key and physically deliver to B 2. third party can select & physically deliver key to A & B 3. if A & B have communicated previously can use previous key to encrypt a new key 4. if A & B have secure communications with a third party C, C can relay key between A & B Not suitable for large systems Initial distribution?

Scale of key distribution problem A network with N hosts => N(N-1)/2 pairs Node-level encryption N(N-1)/2 Application-level encryption 10 applications/node

Key distribution center (KDC) KDC shares a unique key (master key) with each user to distribute secret key (session key) between a pair of users: scale of key distribution problem reduces to N E MK1 (Secret key) Secret key E MK2 (Secret key)

Key Distribution Scenario nonce: an identifier that differs for each request Session keyIdentifier for A (ex. address) Master key K a Master key K b (avoid replay attack) 1.Verify the original request 2.Avoid replay attack

Hierarchical key control … KDC … ab

Session key lifetime Short session key lifetime Key exchanges frequently => more secure Long session key lifetime Reduce key exchange time, and network capacity Two connection protocol (session<connection) Connectionless protocol (ex. UDP, HTTP) Not to use a new key for each session, use a given session key for a fixed period of time Connection-oriented protocol (ex. TCP) The same key for the connection; or update the key periodically if the connection has long lifetime

Transparent key control scheme End-to-end encrypt at network (transport) layer, which is transparent to users ? No authentication

Front-end processor (FEP) data header

Decentralized key control KDC trusted? Decentralized: assume there is one master key for each pair of end systems shared master key session key Master key are used for a short time, cryptanalysis is difficult Nonce for authentication

Introduction to public-key cryptosystems

Recall: symmetric ciphers One secret key, shared by sender and receivers (symmetric) Based on substitution and permutation Problem: Key distribution Digital signature: a kind of signature used in paper document Deffie and Hellman proposed the public-key cryptosystem to address the above two problems in 1976

Preview of public-key systems Features of public-key system Asymmetric: a public key and a private key Algorithm based on mathematical functions Fallacies Public-key is more secure than symmetric encryption Public-key encryption is a general-purpose technique that will make symm. encrypt. obsolete Key distribution is trivial is easier for public-key encryption than symmetric encryption

Public-key encryption One-key for encryption A different but related key for decryption It is computational infeasible to determine the decryption key given the crypto. algorithm and the encryption key

Steps in public-key encryption 1. Each user generates a pair of keys for encryption and decryption (In RSA, these two keys can exchange 加解密皆可 ) 2. One key (public key) is announced publicly. The other key is kept private. Q: key distribution problem? (Chap. 10) 3. Bob sends encrypted message to Alice using Alice’s public key. 4. Only Alice can decrypt the message using her private key.

Comparison between symmetric and public-key encryption

Math. formulation of public-key system Y = E KU (X) b X = D KR (Y) b What E and D can achieve this?

Requirement for public-key cryptography Diffie and Hellman (1976) proposed the system without the algorithm for E and D. They laid out the requirement: It is computationally easy to generate a pair of keys It is computationally easy for a sender to encrypt It is computationally easy for a receiver to decrypt It is computationally infeasible for an opponent, knowing the public key, to determine the private key It is computationally infeasible for an opponent, knowing the public key and ciphtertext, to recover the plaintext Y = E KU (X) b X = D KR (Y) b

The algorithms that satisfy public-key requirement RSA (Rivest-Shamir-Adleman) 1978 Number theory Elliptic curve cryptography

Trap-door one-way function Public-key encryption is a one-way function Every function value has a unique inverse domain target Y=f(X): easy X=f -1 (Y): infeasible ( > polynomial time) It is hard to determine the complexity to compute the inverse Not a traditionally complexity problem, which focuses on the worst-case or average-case complexity

Trap-door one-way function (cont.) Open a trap-door using the private key … domain target Y=f(X): easy X=f -1 (Y): infeasible ( > polynomial time) X=f K -1 (Y): easy if trap-door K is known ( ~ polynomial time)

Public-key system for authentication 身份認證 Recall: the problem of digital signature Only Bob has the private key to encrypt !!! (server as digital signature)

Authentication issues (Chap. 13) Encrypt entire message? No necessary. Encrypt the authenticator: a small block of bits that is a function of the document Change of document will change the authenticator Digital signature is confidential? No. Any one who has the public-key can decrypt What to do? => double use of the public-key system

Public-key system for both confidentiality and authentication

Public-key cryptanalysis Brute-force attack: search the private key Solution: use large keys Tradeoffs: complexity of encrypt/decrypt using large keys  security using large keys Public-key system are currently too slow for general-purpose use, only used for key management and signature application Compute private key given the public key Not proved to be infeasible

Public-key cryptanalysis (cont.) Probable-message attack Ex. encrypt 56-bit DES key Public-key encryption 56-bit DES key C Public-key Attack: Public-key encryption C1C1 Public-key 000 … … … … 011 …. 111 … 111 Try all DES Key C2C2 C3C3 … C k = C Solution: append things in the plaintext