Presentation is loading. Please wait.

Presentation is loading. Please wait.

CIT 480: Securing Computer Systems

Similar presentations


Presentation on theme: "CIT 480: Securing Computer Systems"— Presentation transcript:

1 CIT 480: Securing Computer Systems
Public Key Cryptography, Hashes, PRNGs, and More

2 Topics Key Exchange Protocols Public Key Cryptography
Diffie-Hellman Key Exchange RSA Cipher Public Key Infrastructure Secure Hash Functions Hash Attacks: Birthdays and Pre-Images HMAC

3 Key Exchange Algorithms
Goal: Alice, Bob obtain shared secret key. Requirements: Key cannot be sent in clear: Attacker can intercept key. Key can be sent enciphered, or derived from exchanged data plus data not known to an eavesdropper. Alice, Bob may trust third party (Cathy.) All cryptosystems, protocols publicly known Only secret data is keys or data used to derive keys. Anything transmitted is assumed known to attacker.

4 Classical Key Exchange
Bootstrap problem: how do Alice, Bob begin? Alice can’t send key to Bob in the clear! Assume trusted third party, Cathy Alice and Cathy share secret key kA. Bob and Cathy share secret key kB. Let Cathy generate shared key ks. Cathy can send key securely to either A or B.

5 Simple Key Exchange Protocol
Cathy { request for session key to Bob } kA { ks } kA || { ks } kB Alice Bob { ks } kB

6 Key Exchange Protocol Threats
{ request for session key to Bob } kA { ks } kA || { ks } kB { ks } kB Bob Alice Sniffing Replay attacks Modifications Eve

7 Simple Key Exchange Vulnerabilities
How does Bob know he is talking to Alice? Replay attack: Eve records message from Alice to Bob, later replays it; Bob may think he’s talking to Alice, but he isn’t. While Eve can’t read message, replay may be enough to become authentication or cause another action. Session key reuse: Eve replays key exchange message from Alice to Bob, so Bob re-uses session key. If Eve knows old key, then she can decrypt communication. If Eve does not, she can collect more data for cryptanalysis.

8 Protocol Notation X sends Y a message Z encrypted with key k.
X  Y : {Z} k Concatenation of bit sequences A and B A || B Key subscripts indicate ownership kA is the key belonging to user A(lice) kA,B is a key shared by A(lice) and B(ob) Nonces (nonrepeating random numbers) r1, r2

9 Needham-Schroeder + Denning-Sacco Mod
Bob will reject message if timestamp T is too old. Alice Cathy Alice || Bob || r1 { Alice || Bob || r1 || ks || { Alice || T || ks } kB } kA Bob { Alice || T || ks } kB { r2 } ks { r2 – 1 } ks

10 Public Key Cryptography
Two keys Private key known only to owner. Public key available to anyone. Applications Confidentiality: Sender enciphers using recipient’s public key, Receiver deciphers using their private key. Integrity/authentication: Sender enciphers using own private key, Recipient deciphers using sender’s public key.

11 Requirements It must be computationally easy to encipher or decipher a message given the appropriate key. It must be computationally infeasible to derive the private key from the public key. It must be computationally infeasible to determine the private key from a chosen plaintext attack.

12 One-Way Trapdoor Functions
Trapdoor one-way Function: One-way function whose inverse is easy to calculate only if given a special piece of information. Example: Prime factoring Easy to calculate product. Difficult to calculate prime factors from product. Easy to calculate one prime factor, given others. Note: Better attacks than brute force exist. While prime factoring is hard, it’s not as hard as a brute force search of all keys. 128-bit keys are not sufficient for public keys! Key size required depends on which trapdoor fn used.

13 Diffie-Hellman Key Exchange
Compute shared key w/o trusted 3rd party. Based on discrete logarithm problem Given integers n and g and prime number p, compute k such that n = gk mod p. Solutions known for small p. Computationally infeasible for large p. Shared Constants prime modulus p, integer base g ≠ {0, 1, p–1}

14 Algorithm Alice chooses a random private key k
Computes public key A = gk mod p and sends to Bob. Bob chooses a random private key k’ Computes public key B = gk’ mod p and sends to Alice. Alice computes secret key K1 = Bk mod p Bob computes secret key K2 = Ak’ mod p Encrypt messages w/ symmetric cipher using K1=K2 as the shared secret key.

15 Example Assume p = 53 and g = 17 Alice chooses kAlice = 5
Then KAlice = 175 mod 53 = 40 Bob chooses kBob = 7 Then KBob = 177 mod 53 = 6 Shared key: Alice computation: KBobkAlice mod p = 65 mod 53 = 38 Bob computation: KAlicekBob mod p = 407 mod 53 = 38

16 Diffie-Hellman Activity
Assume p = 51 and g = 19. Find a student to pair with. Each student picks a random private key. Compute public key with irb. irb(main):001:0> (19**7).modulo(51) => 43 Share your public key with your partner. Compute shared, secret key using irb. Compare shared key with partner. If they match, congratulations! If they don’t, find out what went wrong.

17 RSA Modular exponentiation cipher.
Treat message blocks as large numbers. Based on the difficulty of factoring large numbers into primes.

18 RSA Algorithm Choose two large prime numbers p, q Public key: (e, n)
Let the modular base n = pq. Choose e < n such that e relatively prime to (n). Compute inverse of e, d to use as private key. Public key: (e, n) Private key: d Encipher: c = me mod n Decipher: m = cd mod n

19 Digital Signatures Construct that authenticates origin & contents of message in a manner provable to a disinterested third party (“judge.”) Nonrepudiatable Sender cannot deny having sent message. Proves that sender’s key was used to sign message. What if you claim key was stolen/compromised? Court would have to decide.

20 Signing and Verification

21 Cryptographic Key Infrastructure
Problem: how to bind identity to key Classical: not possible as all keys are shared Use protocols to agree on a shared key (see earlier.) Public key: bind identity to public key Crucial as people will use key to communicate with principal whose identity is bound to key. Digital signatures require association of key with identity. Assume principal identified by an acceptable name.

22 Certificates Create a token (message) containing:
Identity of principal (here, Alice) Corresponding public key Timestamp (when issued) Other information (perhaps identity of signer) signed by trusted authority (Cathy.) CA = { eA || Alice || T } dC

23 Storing Keys Multi-user or networked systems: attackers may defeat access control mechanisms. Store encrypted key in local system. Can store in file, database, registry, etc. Decrypted key resident in memory while in use. Use physical devices like “smart card.” Smart card performs encryption. Computer transfers plaintext to card. Card transfers ciphertext to computer. Card can be stolen, analyzed to find key.

24 Hash Functions Hash Function h: MMD
Input M: variable length message M Output MD: fixed length “Message Digest” of input Many inputs produce same output (called a hash collision) Limited number of outputs; infinite number of inputs Avalanche effect: small input change -> big output change Example Hash Function Sum 32-bit words of message mod 232 M h MD=h(M)

25 Avalanche Effect The avalanche effect is shown when a small change to the input of a block cipher or hash function makes a large change in the output. Hashing “Cryptography”: MD5 (128-bit) = 64ef07ce3e4b420c334227eecb3b3f4c SHA1 (160-bit) = b804ec5a0d83d19d8db908572f d09f98 Hashing “Cryptography1”: MD5 (128-bit) = 443d4fb1fedeb86b c2719c24 SHA1 (160-bit) = e a64c523ddfe11bd07a5eac

26 Applications of Hash Functions
Verifying file integrity How do you know that a file you downloaded was not corrupted during download? Storing passwords (confidentiality) To avoid compromise of all passwords by an attacker who has gained admin access, store hash of passwords. Additional features needed for secure passwords. Digital signatures (authentication) Cryptographic verification that data was downloaded from the intended source and not modified. Used for operating system patches and packages.

27 Why attack hash functions?
Create forged security certificate to Make phishing site appear legitimate. Bypass code signing checks on updates. Distribute malware Replace legitimate app with malware app. Ensure both apps have legitimate hash value, so victims cannot distinguish between them. Forge digital signatures Replace contract where victim pays $50 to attacker with one where victim pays $5,000.

28 Flame Malware Cyber espionage tool discovered in 2012
Records audio, screenshots, bluetooth, and file data. Exfiltrates data via SSL encrypted channel. Bypassed code signing security in MS Windows Used hash collision to create a certificate apparently signed by Microsoft Certificate Authority. Malware digitally signed with forged certificate. Code signing accepted that malware was valid as certificate apparently signed by MS CA. Attack could be used as MITM attack on MS Update Attacker substitutes Windows patch with malware.

29 Secure Hash Function A function h = hash(m) must have 3 properties to be secure: Pre-image resistance: Given a hash h it should be difficult to find any message m such that h = hash(m). Functions that lack this property are vulnerable to preimage attacks. Second pre-image resistance: Given an input m1 it should be difficult to find another input m2 such that m1 ≠ m2 and hash(m1) = hash(m2). Functions that lack this property are vulnerable to second-preimage attacks. Collision resistance: It should be difficult to find two different messages m1 and m2 such that hash(m1) = hash(m2). Such a pair is called a cryptographic hash collision. This property is sometimes referred to as strong collision resistance. It requires a hash value at least twice as long as that required for preimage-resistance; otherwise collisions may be found by a birthday attack.

30 Pre-image Attacks A pre-image attack attempts to find a message m that has a specific hash value h, such that h=hash(m). Would allow attacker to substitute a malicious document matching hash of valid document, allowing SSL certificate or digitally signed contract forgeries. Brute force attack is possible with 2n operations, where n is the length of the hash value. For n >= 64, brute force considered infeasible. A one-way function is pre-image resistant. No practical pre-image attacks exist against widely used hash functions. An MD5 collision can be found in operations.

31 Collision Attacks A collision attack attempts to find two different messages m1 and m2 such that hash(m1) = hash(m2). Collisions must exist because there are more inputs than fixed-sized outputs for hash functions. Pigeonhole principle: if there are n containers for n+1 objects, then at least 1 container will have 2 objects in it. Two types of collision attacks exist Birthday Attack Chosen Prefix Attack Collision attacks do not impact password hashing, but do allow for forged certificates and signatures.

32 The Birthday Paradox The birthday paradox concerns the probability that, in a set of n randomly chosen people, some pair of them will have the same birthday. By the pigeonhole principle, the probability reaches 100% when the number of people reaches 367. However, 99% probability is reached with just 57 people, and 50% probability with 23 people. The birthday paradox is a violation of our intuition, not a true paradox. It arises because the chance of shared birthdays increases with the number of unique pairs of people, which is n(n-1)/2 for n people.

33 Birthday Attack A birthday attack exploits the mathematics behind the birthday problem to find hash collisions. Suppose a hash function h has a b-bit long output. Therefore there are 2b possible hash values. Attacker generates many random messages Computes hash of each one. Searches for pairs of messages with same hash value. By similar mathematics as in the birthday problem, attacker can find a collision with about 2b/2 messages.

34 Message-Digest Algorithm 5 (MD5)
Developed by Ron Rivest in 1991 Uses 128-bit hash values Merkle–Damgård construction Still widely used in legacy applications even though collision vulnerabilities allow forgery of digital signatures and SSL certificates.

35 MD5 Collision Attack History
Initial attacks (2004) could only find collisions in files that differed only in last few bytes. Early attacks (2008) used cluster of 200 PS3s for a couple of days. Current attacks can find a collision in seconds on single PC. Lesson: Cryptanalytic attacks always improve. Change algorithms before they do.

36 Secure Hash Algorithm (SHA-1)
Developed by NSA; approved as federal std by NIST SHA-0 (1993) and SHA-1 (1995) 160-bit hash values Merkle–Damgård construction SHA-1 developed to correct insecurity of SHA-0 SHA-1 still found in legacy applications Vulnerabilities less severe than those of MD5 Can find SHA-1 collision in 269 operations. Can find SHA-0 collision in 239 operations.

37 SHA-2 Developed by NSA; approved as federal std by NIST SHA-2 (2001)
224, 256, 384, or 512-bit hash values Merkle–Damgård construction Current recommended hash function for security applications like digital signatures or SSL certificates. Cryptanalysts making progress but no breaks Can only find collisions if modify hash algorithm by reducing number of rounds from 80 (SHA-512) to 46 or 64 (SHA-256) to 41.

38 SHA-3 Winner of open NIST competition (2007-2012) Keccak (2012)
Final standard expected by 2014 Q2. Keccak (2012) 224, 256, 384, or 512-bit hash values. Concerns about NIST changes to 128- and 256-bit values only. An alternative to SHA-2 Not a replacement as SHA-2 is not broken. Built on sponge-function instead of Merkle–Damgård construction like MD5, SHA-1, SHA-2 so that the same cryptanalytic techniques will not work against SHA-3.

39 HMAC A keyed hash message authentication code (HMAC) is the use of a hash function for calculating a message authentication code (MAC) based on a message in combination with a secret cryptographic key. HMAC protects against threat models in which attackers have the ability to modify hash values. If attacker could modify data, then he could change both the file and its hash value, causing the victim to think that the file was downloaded correctly when in fact the attacker substituted a different file. This threat model allows an attack on hashes without finding a collision or pre-image.

40 Why not use h(k ∥ m) as HMAC?
The Merkle–Damgård construction is vulnerable to length-extension attacks . Length extension attacks allow attacker to append data s to end of message m and create a valid HMAC for m ∥ s. Attacker intercepts message m and h(k ∥ m). Attacker inserts s and computes new HMAC. Attacker sends m ∥ s and h(k ∥ m ∥ s). Recipient computes HMAC on m ∥ s and verifies that it matches h(k ∥ m ∥ s), believing that m ∥ s is legitimate. Most widely used hashes vulnerable to this attack MD5, SHA-1, SHA-256, SHA-512

41 HMAC Algorithm HMAC-h(k, m) = h(k  opad || h(k  ipad || m)) k is the secret key m is the message h is a hash function like SHA-2 ipad (inner padding) is repeated. opad (outer padding) is repeated. Threat can’t generate HMAC for any message m without knowing key k. Algorithm prevents length extension attacks. Commonly used to protect authentication cookies.

42 Key Points: Public Key Key Exchange Protocol Public Key Cryptography
Can exchange keys using a trusted 3rd party. Must counter replay attacks. Public Key Cryptography Based on one-way trapdoor functions. Diffie-Hellman Key Exchange w/o trusted 3rd party. Confidentiality: encipher with public, decipher with private Integrity: encipher with private, decipher with public

43 Key Points: Hashes Hashes are 1-way functions h=hash(m) that
Produce same sized h for any input m. Avalanche effect: small change in m  big change in h. Threats attempt to forge certificates & signatures. Collision attacks Pre-image attacks Widely used hash functions Some widely used hashes (MD5,SHA-1) broken. Use SHA-2 with 256 or more bits now. Use SHA-3 along with SHA-2 in future. Keyed hash functions cannot be computed by attacker due to incorporation of secret k. HMAC-h(k, m) = h(k  opad || h(k  ipad || m))

44 References Steven Friedl, “An Illustrated Guide to Cryptographic Hashes,” Goodrich and Tammasia, Introduction to Computer Security, Pearson, 2011. Matthew Green, How do you know if an RNG is working?, Michael Hamburg, Understanding Intel’s Ivy Bridge Random Number Generator, Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996. NIST, FIPS-198a, “The Keyed-Hash Message Authentication Code (HMAC)”, Rogaway, P.; Shrimpton, T. "Cryptographic Hash-Function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision Resistance.” Fast Software Encryption (2004) (Springer-Verlag). Bruce Schneier, Applied Cryptography, 2nd edition, Wiley, 1996. Alexander Sotirov et. Al., MD5 considered harmful today: Creating a rogue CA certificate, December 30, 2008. Peter Selinger, MD5 Collision Demo,


Download ppt "CIT 480: Securing Computer Systems"

Similar presentations


Ads by Google