
Computer Security: Principles and Practice



Presentation on theme: "Computer Security: Principles and Practice"— Presentation transcript:

1 Computer Security: Principles and Practice
W Stallings, L Brown. Some slides by Dr Lincke.
Chapter 2. Lecture slides prepared by Dr Lawrie Brown for "Computer Security: Principles and Practice", 1/e, by William Stallings and Lawrie Brown, Chapter 2 "Cryptographic Tools". Encryption

2 Encryption
Text: Computer Security: Principles and Practice, W Stallings, L Brown, Chapter 2
Objectives: The student should be able to:
• Define authentication, integrity, confidentiality and non-repudiation.
• Define plaintext, ciphertext, key, P-box, S-box, session key, digital signature, message digest, hash.
• Demonstrate operation of a simple substitution cipher, permutation cipher, stream cipher, block cipher, block chaining mode cipher.
• Describe why chaining is advantageous in block ciphers.
• Define symmetric versus asymmetric encryption algorithms and describe the differences between the two.
• Define the advantages of secret key and public key algorithms. Describe their functions in relation to authenticity, non-repudiation, integrity, confidentiality, and speed.
• Describe two methods of producing a hash.
• Define whether the following protocols support authentication, non-repudiation, integrity, and/or confidentiality via hashing or a type of encryption: AES, HMAC, DES, MD5, RC5, RSA.

3 Security is composed of:
• Secrecy – Access Control
• Confidentiality
• Integrity
• Availability
• Accuracy – Incorruptibility
• Reliability – Survivability

4 Cryptographic Tools
• cryptographic algorithms are an important element in security services
• review various types of elements: symmetric encryption; public-key (asymmetric) encryption; digital signatures and key management; secure hash functions
• example: use to encrypt stored data
An important element in many computer security services and applications is the use of cryptographic algorithms. This chapter provides an overview of the various types of algorithms, together with a discussion of their applicability. For each type of algorithm, we introduce the most important standardized algorithms in common use. We begin with symmetric encryption, which is used in the widest variety of contexts, primarily to provide confidentiality. Next, we examine secure hash functions and discuss their use in message authentication. The next section examines public-key encryption, also known as asymmetric encryption. We then look at the two most important applications of public-key encryption, namely digital signatures and key management. In the case of digital signatures, asymmetric encryption and secure hash functions are combined to produce an extremely useful tool. Finally, in this chapter we provide an example of an application area for cryptographic algorithms by looking at the encryption of stored data.

5 Data Privacy
• Confidentiality: Unauthorized parties cannot access information. (-> Secret Key Encryption)
• Authenticity: Ensuring that the actual sender is the claimed sender. (-> Public Key Encryption)
• Integrity: Ensuring that the message was not modified in transmission. (-> Hashing)
• Nonrepudiation: Ensuring that sender cannot deny sending a message at a later time. (-> Digital Signature)
[Figure: four diagrams with Joe, Bill and Ann illustrating Confidentiality, Authenticity (the "Joe" is actually Bill), Integrity and Non-Repudiation]

6 Secret Key Encryption (Symmetric Encryption)
We share a secret.

7 Encryption – Secret Key
[Figure: plaintext -> Encrypt with Ksecret -> ciphertext -> Decrypt with Ksecret -> plaintext]
Notice that the same key is used to encrypt and decrypt. How do you get that key to the endpoints without everyone else hearing?
P = D(Ksecret, E(Ksecret, P))

8 Symmetric Encryption
The universal technique for providing confidentiality for transmitted data is symmetric encryption. Symmetric encryption, also referred to as conventional encryption or single-key encryption, was the only type of encryption in use prior to the introduction of public-key encryption in the late 1970s. Countless individuals and groups, from Julius Caesar to the German U-boat force to present-day diplomatic, military, and commercial users, use symmetric encryption for secret communication. It remains by far the more widely used of the two types of encryption. A symmetric encryption scheme has five ingredients, as shown here in Figure 2.1 from the text.
• Plaintext: This is the original message or data that is fed into the algorithm as input.
• Encryption algorithm: The encryption algorithm performs various substitutions and transformations on the plaintext.
• Secret key: The secret key is also input to the encryption algorithm. The exact substitutions and transformations performed by the algorithm depend on the key.
• Ciphertext: This is the scrambled message produced as output. It depends on the plaintext and the secret key. For a given message, two different keys will produce two different ciphertexts.
• Decryption algorithm: This is essentially the encryption algorithm run in reverse. It takes the ciphertext and the secret key and produces the original plaintext.
There are two requirements for secure use of symmetric encryption:
1. We need a strong encryption algorithm.
2. Sender and receiver must have securely obtained, and must keep secure, the secret key.

9 Encryption Stages: Substitution, Permutation
Substitution example from the slide (each letter replaced by another letter):
G s v h r a v l u g s v v m x r k s v i v w g v c g h s l f o w y v m l o z i t v i g s z m g s v g v c g l u g s v l i r t r m z o n v h h z t v.
Permutation (transposition) example from the slide figure (letters kept, positions rearranged):
M Y K E T H C A S I O R D N U 1 2 5 9 6 L
CSECT6A EIRAN9E TSTIO2A HHONU5M ASDC1NL
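The two stages on this slide, as an added example (not from the slides or the textbook): the slide's substitution line is the Atbash cipher (a <-> z, b <-> y, ...), which the code decodes, and a keyed columnar transposition stands in for the slide's permutation grid (the key `"KEY"` and the sample plaintext are constructed for the test). The letter-frequency helper shows why a simple substitution is weak: the frequencies of the plaintext survive in the ciphertext.

```python
"""Substitution (Atbash) and permutation (columnar transposition) ciphers.

Added example for the 'Encryption Stages' slide. Atbash is the slide's
substitution; the columnar transposition is a generic stand-in for the
slide's permutation grid (its key is an assumption, not the slide's).
"""
import string
from collections import Counter

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase

# The slide's ciphertext, regrouped into words (letters are the slide's own).
SLIDE_CIPHERTEXT = ("Gsv hrav lu gsv vmxrksvivw gvcg hslfow yv ml ozitvi "
                    "gszm gsv gvcg lu gsv lirtrmzo nvhhztv.")


def atbash(text: str) -> str:
    """Reverse-alphabet substitution; applying it twice gives the original."""
    out = []
    for ch in text:
        if ch in LOWER:
            out.append(LOWER[25 - LOWER.index(ch)])
        elif ch in UPPER:
            out.append(UPPER[25 - UPPER.index(ch)])
        else:
            out.append(ch)          # spaces and punctuation pass through
    return "".join(out)


def _column_order(key: str):
    # Columns are read out in alphabetical order of the key letters;
    # the index breaks ties so repeated key letters are handled deterministically.
    return sorted(range(len(key)), key=lambda c: (key[c], c))


def columnar_encrypt(plaintext: str, key: str, pad: str = "X") -> str:
    """Write the text row by row under the key, then read it out column by column."""
    ncols = len(key)
    cleaned = plaintext.replace(" ", "").upper()
    while len(cleaned) % ncols:             # fill the last row so every column is full
        cleaned += pad
    rows = [cleaned[i:i + ncols] for i in range(0, len(cleaned), ncols)]
    return "".join("".join(row[c] for row in rows) for c in _column_order(key))


def columnar_decrypt(ciphertext: str, key: str) -> str:
    """Inverse: slice the ciphertext back into columns, then read row by row."""
    ncols = len(key)
    if len(ciphertext) % ncols:
        raise ValueError("ciphertext length must be a multiple of the key length")
    nrows = len(ciphertext) // ncols
    cols = [""] * ncols
    pos = 0
    for c in _column_order(key):
        cols[c] = ciphertext[pos:pos + nrows]
        pos += nrows
    return "".join(cols[c][r] for r in range(nrows) for c in range(ncols))


def most_common_letter(text: str) -> str:
    """Substitution preserves letter frequencies, so the most common
    ciphertext letter is (usually) the image of 'e'."""
    counts = Counter(ch for ch in text.lower() if ch in LOWER)
    return counts.most_common(1)[0][0]


if __name__ == "__main__":
    print(atbash(SLIDE_CIPHERTEXT))
    ct = columnar_encrypt("SECRET MESSAGE", "KEY")
    print(ct, columnar_decrypt(ct, "KEY"))
    print("most common ciphertext letter:", most_common_letter(SLIDE_CIPHERTEXT))
```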

10 Block Cipher Example
[Figure: plaintext bits 1 1 1 1 0 0 0 0 1 0 1 0 pass through S-Boxes (substitute), are XORed with the key (replace key), go through a P-Box (transform), then through S-Boxes again (substitute) to give the ciphertext]
X-OR truth table: 0 XOR 0 = 0; 0 XOR 1 = 1; 1 XOR 0 = 1; 1 XOR 1 = 0
This shows S-Box: Substitution and P-Box: Permutation for Transformation. There are 3 stages or rounds above.

11 Electronic Codebook (ECB)
• simplest mode
• split plaintext into blocks
• encrypt each block using the same key
• "codebook" because have unique ciphertext value for each plaintext block
• not secure for long messages since repeated plaintext is seen in repeated ciphertext
The simplest way to proceed is what is known as Electronic Codebook Mode (ECB) mode, in which plaintext is handled b bits at a time and each block of plaintext is encrypted using the same key. The term codebook is used because, for a given key, there is a unique ciphertext for every b-bit block of plaintext. Therefore, one can imagine a gigantic codebook in which there is an entry for every possible b-bit plaintext pattern showing its corresponding ciphertext. With ECB, if the same b-bit block of plaintext appears more than once in the message, it always produces the same ciphertext. Because of this, for lengthy messages, the ECB mode may not be secure. If the message is highly structured, it may be possible for a cryptanalyst to exploit these regularities. For example, if it is known that the message always starts out with certain predefined fields, then the cryptanalyst may have a number of known plaintext-ciphertext pairs to work with. If the message has repetitive elements, with a period of repetition a multiple of b bits, then these elements can be identified by the analyst. This may help in the analysis or may provide an opportunity for substituting or rearranging blocks. To overcome the security deficiencies of ECB, we would like a technique in which the same plaintext block, if repeated, produces different ciphertext blocks. The chaining modes we discuss next provide this.

12 Block Cipher Structure
• have a general iterative block cipher structure with a sequence of rounds with substitutions / permutations controlled by key
• parameters and design features: block size; key size; number of rounds; subkey generation algorithm; round function complexity
• also: fast software en/decrypt, ease of analysis
The Feistel structure is a particular example of the more general iterative structure used by all symmetric block ciphers, which consists of a sequence of rounds, with each round performing substitutions and permutations conditioned by a secret key value. The exact realization of a symmetric block cipher depends on the choice of the following parameters and design features:
• Block size: Larger block sizes mean greater security but reduced encryption/decryption speed. A block size of 128 bits is currently a reasonable tradeoff.
• Key size: Larger key size means greater security but may decrease encryption/decryption speed. The most common key length in modern algorithms is 128 bits.
• Number of rounds: note that a single round offers inadequate security but that multiple rounds offer increasing security. A typical size is 16 rounds.
• Subkey generation algorithm: Greater complexity in this algorithm should lead to greater difficulty of cryptanalysis.
• Round function: greater complexity means greater resistance to cryptanalysis.
There are two other considerations in the design of a symmetric block cipher:
• Fast software encryption/decryption: for use in programs.
• Ease of analysis: we want the algorithm to be as difficult as possible to cryptanalyze, but there is great benefit in making the algorithm easy to analyze. If the algorithm can be concisely and clearly explained, it is easier to analyze that algorithm for cryptanalytic vulnerabilities and therefore develop a higher level of assurance as to its strength.

13 Cipher Block Chaining (CBC)
In the cipher block chaining (CBC) mode (Figure 19.6), the input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block; the same key is used for each block. In effect, we have chained together the processing of the sequence of plaintext blocks. The input to the encryption function for each plaintext block bears no fixed relationship to the plaintext block. Therefore, repeating patterns of b bits are not exposed. CBC is widely used in security applications. For decryption, each cipher block is passed through the decryption algorithm. The result is XORed with the preceding ciphertext block to produce the plaintext block. To see that this works, we can write:
Cj = E(K, [Cj–1 ⊕ Pj])
where E[K, X] is the encryption of plaintext X using key K, and ⊕ is the exclusive-OR operation. To produce the first block of ciphertext, an initialization vector (IV) is XORed with the first block of plaintext. On decryption, the IV is XORed with the output of the decryption algorithm to recover the first block of plaintext. The IV must be known to both the sender and receiver. For maximum security, the IV should be protected as well as the key. This could be done by sending the IV using ECB encryption. One reason for protecting the IV is as follows: If an opponent is able to fool the receiver into using a different value for IV, then the opponent is able to invert selected bits in the first block of plaintext.

14 Block Chaining Mode: Implementing Diffusion
Plaintext: S-Box S-Box Replace key: Substitute Transform X-OR Truth Table 0 x 0 = 0 0 x 1 = 1 1 x 0 = 1 1 x 1 = 0 S-Box S-Box Substitute Ciphertext: To decrypt one segment requires decrypting > 1 section

15 Feistel Encryption: Implementing Confusion
Plaintext: S-Box S-Box Substitute Key X-OR Truth Table 0 x 0 = 0 0 x 1 = 1 1 x 0 = 1 1 x 1 = 0 S-Box Substitute Ciphertext: A change in one bit affects multiple bits

16 Symmetric Encryption Algorithms
The most commonly used symmetric encryption algorithms are block ciphers. A block cipher processes the plaintext input in fixed-size blocks and produces a block of ciphertext of equal size for each plaintext block. The algorithm processes longer plaintext amounts as a series of fixed-size blocks. The most important symmetric algorithms, all of which are block ciphers, are the Data Encryption Standard (DES), triple DES, and the Advanced Encryption Standard (AES); as summarized here in Table 2.2 from the text.

17 Commercial Block Ciphers
(Columns: Key Size; #Functions (rounds); Block Size; Comments)
• DES: 64 bits (w. 8 bit parity); 16; 64-bit; 1999: Distributed.net cracked DES key in 22 hours
• Triple DES (3DES): 2 x 64 or 3 x 64; 48; 64-bit; e.g. DES-EEE3, DES-EDE2. Compared to DES: 2^56 times stronger, 3 times more time-consuming
• IDEA: 128; 8; 64-bit; Uses: PGP encryption
• Blowfish: to 448 bits; -; -; Thought to be more reliable than AES (2001)
• RC5: to 2048 bits; Variable; 32-, 64- or 128-bit; Patented by RSA Data Security
• AES: 128*, 192, 256; Variable: 10*, 12, 14; 128-bit* or variable; Uses: HTTPS. Current govt. standard for sensitive but unclassified info.

18 DES and Triple-DES
• Data Encryption Standard (DES) is the most widely used encryption scheme
• uses 64 bit plaintext block and 56 bit key to produce a 64 bit ciphertext block
• concerns about algorithm & use of 56-bit key
• Triple-DES repeats basic DES algorithm three times using either two or three unique keys
• much more secure but also much slower
The most widely used encryption scheme is based on the Data Encryption Standard (DES) adopted in 1977 by the National Bureau of Standards, now the NIST, as FIPS PUB 46. The algorithm itself is referred to as the Data Encryption Algorithm (DEA). DES takes a plaintext block of 64 bits and a key of 56 bits, to produce a ciphertext block of 64 bits. Concerns about the strength of DES fall into two categories: concerns about the algorithm itself and concerns about the use of a 56-bit key. The first concern refers to the possibility that cryptanalysis is possible by exploiting the characteristics of the DES algorithm. Over the years, there have been numerous attempts to find and exploit weaknesses in the algorithm, making DES the most-studied encryption algorithm in existence. A more serious concern is key length. With a key length of 56 bits, there are 2^56 possible keys, which is approximately 7.2 × 10^16 keys. As noted on the previous slide, this can now be broken relatively easily. The life of DES was extended by the use of triple DES (3DES), which involves repeating the basic DES algorithm three times, using either two or three unique keys, for a key size of 112 or 168 bits. Triple DES (3DES) was first standardized for use in financial applications in ANSI standard X9.17. 3DES was incorporated as part of the Data Encryption Standard in 1999, with the publication of FIPS PUB 46-3. 3DES has two attractions that assure its widespread use over the next few years. First, with its 168-bit key length, it overcomes the vulnerability to brute-force attack of DEA. Second, the underlying encryption algorithm in 3DES is the same as in DEA.
The principal drawback of 3DES is that the algorithm is relatively sluggish in software.

19 Triple DES: C = E(K1, D(K1, E(K1, P))) = E[K, P]
• Triple DES (3DES) first used in financial applications
• in DES FIPS PUB 46-3 standard of 1999
• uses three keys & three DES executions: C = E(K3, D(K2, E(K1, P)))
• decryption same with keys reversed
• use of decryption in second stage gives compatibility with original DES users
• effective 168-bit key length, slow, secure
• AES will eventually replace 3DES
Triple DES (3DES) was first standardized for use in financial applications in ANSI standard X9.17. 3DES was incorporated as part of the Data Encryption Standard in 1999, with the publication of FIPS PUB 46-3. 3DES uses three keys and three executions of the DES algorithm. The function follows an encrypt-decrypt-encrypt (EDE) sequence (see Figure 19.2a in text):
C = E(K3, D(K2, E(K1, P)))
where: C = ciphertext; P = plaintext; E[K, X] = encryption of X using key K, and D[K, Y] = decryption of Y using key K. Decryption is simply the same operation with the keys reversed (Figure 19.2b in text):
P = D(K1, E(K2, D(K3, C)))
There is no cryptographic significance to the use of decryption for the second stage of 3DES encryption. Its only advantage is that it allows users of 3DES to decrypt data encrypted by users of the older single DES, by setting all three keys equal:
C = E(K1, D(K1, E(K1, P))) = E[K, P]
With three distinct keys, 3DES has an effective key length of 168 bits. FIPS 46-3 also allows for the use of two keys, with K1 = K3; this provides for a key length of 112 bits. 3DES is a formidable algorithm. Because the underlying cryptographic algorithm is DEA, 3DES can claim the same resistance to cryptanalysis based on the algorithm as is claimed for DEA. Further, with a 168-bit key length, brute-force attacks are effectively impossible. Ultimately, AES is intended to replace 3DES, but this process will take a number of years.

20 Advanced Encryption Standard (AES)
• needed a better replacement for DES
• NIST called for proposals in 1997
• selected Rijndael in Nov 2001
• published as FIPS 197
• symmetric block cipher
• uses 128 bit data & 128/192/256 bit keys
• now widely available commercially
Because of its drawbacks, 3DES is not a reasonable candidate for long-term use. As a replacement, NIST in 1997 issued a call for proposals for a new Advanced Encryption Standard (AES), which should have a security strength equal to or better than 3DES and significantly improved efficiency. In addition to these general requirements, NIST specified that AES must be a symmetric block cipher with a block length of 128 bits and support for key lengths of 128, 192, and 256 bits. Evaluation criteria included security, computational efficiency, memory requirements, hardware and software suitability, and flexibility. In 2001, AES was issued as a federal information processing standard (FIPS 197). In a first round of evaluation, 15 proposed algorithms were accepted. A second round narrowed the field to 5 algorithms. NIST completed its evaluation process and published a final standard (FIPS PUB 197) in November of 2001. NIST selected Rijndael as the proposed AES algorithm. AES is now widely available in commercial products.

21 Advanced Encryption Standard (AES)
The Advanced Encryption Standard (AES) was issued as a federal information processing standard (FIPS 197). AES uses a block length of 128 bits and a key length that can be 128, 192, or 256 bits. In the description of this section, we assume a key length of 128 bits, which is likely to be the one most commonly implemented. Figure 19.3 shows the overall structure of AES. The input to the encryption and decryption algorithms is a single 128-bit block. In FIPS PUB 197, this block is depicted as a square matrix of bytes. This block is copied into the State array, which is modified at each stage of encryption or decryption. After the final stage, State is copied to an output matrix. Similarly, the 128-bit key is depicted as a square matrix of bytes. This key is then expanded into an array of key schedule words; each word is four bytes and the total key schedule is 44 words for the 128-bit key. The ordering of bytes within a matrix is by column. So, for example, the first four bytes of a 128-bit plaintext input to the encryption cipher occupy the first column of the in matrix, the second four bytes occupy the second column, and so on. Similarly, the first four bytes of the expanded key, which form a word, occupy the first column of the w matrix. The AES key expansion algorithm takes as input a 4-word (16-byte) key and produces a linear array of 44 words (156 bytes). The key is copied into the first four words of the expanded key. The remainder of the expanded key is filled in four words at a time. Each added word w[i] depends on the immediately preceding word, w[i – 1], and the word four positions back, w[i – 4]. A complex finite-field algorithm is used in generating the expanded key.

22 Stream Cipher
[Figure: a random keystream is XORed with the plaintext input to give the ciphertext; the same keystream XORed with the ciphertext gives back the plaintext]
Example System: RC4 (SSL/TLS, WEP, WPA)

23 Block versus Stream Ciphers
A block cipher processes the plaintext input in fixed-size blocks and produces a block of ciphertext of equal size for each plaintext block. The algorithm processes longer plaintext amounts as a series of fixed-size blocks. Typically, symmetric encryption is applied to a unit of data larger than a single 64-bit or 128-bit block. Plaintext sources must be broken up into a series of fixed-length blocks for encryption by a symmetric block cipher. The simplest approach to multiple-block encryption is known as electronic codebook (ECB) mode, in which plaintext is handled b bits at a time and each block of plaintext is encrypted using the same key. Typically b=64 or b=128. Figure 2.3a here shows the ECB mode. A plaintext of length nb is divided into n b-bit blocks. Each block is encrypted using the same algorithm and the same encryption key, to produce a sequence of n b-bit blocks of ciphertext. To increase the security of symmetric block encryption for large sequences of data, a number of alternative techniques have been developed, called modes of operation (see chapter 19). A stream cipher processes the input elements continuously, producing output one element at a time. Although block ciphers are far more common, there are certain applications in which a stream cipher is more appropriate. A typical stream cipher encrypts plaintext one byte at a time, as shown in Figure 2.3b. The output of a pseudorandom number generator (the keystream) is combined one byte at a time with the plaintext stream using the bitwise exclusive-OR (XOR) operation. With a properly designed pseudorandom number generator, a stream cipher can be as secure as a block cipher of comparable key length. The primary advantage of a stream cipher is that stream ciphers are almost always faster and use far less code than do block ciphers. The advantage of a block cipher is that you can reuse keys.

24 Stream Ciphers
• processes input elements continuously
• key input to a pseudorandom bit generator produces stream of random-like numbers, unpredictable without knowing input key
• XOR keystream output with plaintext bytes
• are faster and use far less code
• design considerations: encryption sequence should have a large period; keystream approximates random number properties; uses a sufficiently long key
A stream cipher processes the input elements continuously, often one byte at a time, producing output as it goes along. Although block ciphers are far more common, there are certain applications (e.g. a data communications channel or a browser/Web link) in which a stream cipher is more appropriate (as shown in Figure 2.3b in the text). In this structure a key is input to a pseudorandom bit generator that produces a stream of 8-bit numbers that are apparently random. A pseudorandom stream is one that is unpredictable without knowledge of the input key and which has an apparently random character. The output of the generator, called a keystream, is combined one byte at a time with the plaintext stream using the bitwise exclusive-OR (XOR) operation. With a properly designed pseudorandom number generator, a stream cipher can be as secure as a block cipher of comparable key length. The primary advantage of a stream cipher is that stream ciphers are almost always faster and use far less code than do block ciphers. Some important design considerations for a stream cipher are:
1. The encryption sequence should have a large period.
2. The keystream should approximate the properties of a true random number stream as closely as possible.
3. Note from Figure 2.3b that the output of the pseudorandom number generator is conditioned by the input key. To guard against brute-force attacks, this key needs to be sufficiently long. The same considerations as apply for block ciphers are valid here. Thus, with current technology, a key length of at least 128 bits is desirable.
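The keystream structure of Figure 2.3b, as an added example (not from the slides or the textbook): the keyed pseudorandom byte generator here is SHA-256 over (key, nonce, counter), a constructed stand-in for RC4 or any other generator, and the key, nonce and messages are constructed for the test. It shows that encryption and decryption are the same XOR, enforces the 128-bit minimum key length the notes call for, and shows why a keystream must never be reused: XORing two ciphertexts made with the same keystream gives the XOR of the two plaintexts, which is the caveat behind "the advantage of a block cipher is that you can reuse keys".

```python
"""Stream cipher = keyed pseudorandom byte generator XORed with the plaintext.

Added example; the generator is a constructed one (SHA-256 of key, nonce and a
block counter), not RC4, and the key/nonce/messages below are made up.
"""
import hashlib
from itertools import count

MIN_KEY_BYTES = 16   # the notes' "at least 128 bits"


def keystream(key: bytes, nonce: bytes):
    """Yield keystream bytes. Unpredictable without the key; the stream only
    repeats if the same (key, nonce) pair is used again."""
    if len(key) < MIN_KEY_BYTES:
        raise ValueError("key must be at least %d bytes" % MIN_KEY_BYTES)
    for ctr in count():
        yield from hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """One function for both directions: C = P XOR KS and P = C XOR KS."""
    ks = keystream(key, nonce)
    return bytes(b ^ next(ks) for b in data)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If c1 and c2 were made with the same keystream, the keystream cancels:
    c1 XOR c2 == p1 XOR p2, so key/nonce pairs must be unique per message."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    key, nonce = b"k" * 16, b"n" * 8                       # constructed
    p1, p2 = b"transfer 100 to bob", b"transfer 999 to eve"  # constructed
    c1 = stream_xor(key, nonce, p1)
    print(stream_xor(key, nonce, c1) == p1)                # decrypt = encrypt
    c2 = stream_xor(key, nonce, p2)                        # nonce reused: wrong
    print(keystream_reuse_leak(c1, c2) == xor_bytes(p1, p2))
```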

25 Attacking Symmetric Encryption
• cryptanalysis: relies on nature of the algorithm plus some knowledge of plaintext characteristics, even some sample plaintext-ciphertext pairs; exploits characteristics of algorithm to deduce specific plaintext or key
• brute-force attack: try all possible keys on some ciphertext until get an intelligible translation into plaintext
There are two general approaches to attacking a symmetric encryption scheme. The first attack is known as cryptanalysis. Cryptanalytic attacks rely on the nature of the algorithm plus perhaps some knowledge of the general characteristics of the plaintext or even some sample plaintext-ciphertext pairs. This type of attack exploits the characteristics of the algorithm to attempt to deduce a specific plaintext or to deduce the key being used. If the attack succeeds in deducing the key, the effect is catastrophic: All future and past messages encrypted with that key are compromised. The second method, known as the brute-force attack, is to try every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained. On average, half of all possible keys must be tried to achieve success.

26 Exhaustive Key Search Table 2.1 from the text shows how much time is involved for various key sizes. The table shows results for each key size, assuming that it takes 1 µs to perform a single decryption, a reasonable order of magnitude for today's computers. With the use of massively parallel organizations of microprocessors, it may be possible to achieve processing rates many orders of magnitude greater. The final column of the table considers the results for a system that can process 1 million keys per microsecond. At this performance level, a 56-bit key is no longer computationally secure. The assumption of one encryption per microsecond is overly conservative. The widely used encryption scheme, the Data Encryption Standard (DES) was finally and definitively proved insecure in July 1998, when the Electronic Frontier Foundation (EFF) announced that it had broken a DES encryption using a special-purpose "DES cracker" machine that was built for less than $250,000. The attack took less than three days. The EFF has published a detailed description of the machine, enabling others to build their own cracker [EFF98]. It is important to note that there is more to a key-search attack than simply running through all possible keys. Unless known plaintext is provided, the analyst must be able to recognize plaintext as plaintext. If the message is just plain text in English, then the result pops out easily. If the message is some more general type of data, such as a numerical file, and this has been compressed, the problem becomes even more difficult to automate. Thus, to supplement the brute-force approach, some degree of knowledge about the expected plaintext is needed, and some means of automatically distinguishing plaintext from garble is also needed. The EFF approach addresses this issue as well and introduces some automated techniques that would be effective in many contexts. 
Figure 2.2 shows how long it would take to crack a DES-style algorithm as a function of key size.

27 Public Key Encryption (Asymmetric Encryption)
You may know my Public Key.

28 Public Key Encryption
P = D(kPRIV, E(kPUB, P))
P = D(kPUB, E(kPRIV, P))
[Figure: Encryption – Joe encrypts a message with the key owner's public key; only the key owner decrypts (private key). Digital Signature – the key owner encrypts a message with the private key; anyone with the public key can check it, giving authentication and non-repudiation: P = D(kPUB, E(kPRIV, P))]

29 Public Key Encryption
Public-key encryption, first publicly proposed by Diffie and Hellman in 1976, is the first truly revolutionary advance in encryption in literally thousands of years. Public-key algorithms are based on mathematical functions rather than on simple operations on bit patterns. More important, public-key cryptography is asymmetric, involving the use of two separate keys, in contrast to the symmetric conventional encryption, which uses only one key. The use of two keys has profound consequences in the areas of confidentiality, key distribution, and authentication. A public-key encryption scheme has six ingredients, as shown here in Figure 2.6a:
• Plaintext: the readable message or data that is fed into the algorithm as input.
• Encryption algorithm: performs various transformations on the plaintext.
• Public and private key: a pair of keys selected so that if one is used for encryption, the other is used for decryption. The exact transformations performed by the encryption algorithm depend on the public or private key that is provided as input.
• Ciphertext: the scrambled message produced as output that depends on the plaintext and key. For a given message, two different keys produce two different ciphertexts.
• Decryption algorithm: takes ciphertext and key to produce the original plaintext.
As the names suggest, the public key of the pair is made public for others to use, while the private key is known only to its owner. A public-key cryptographic algorithm relies on one key for encryption and a different but related key for decryption. All participants have access to public keys, and private keys are generated locally by each participant and therefore need never be distributed. As long as a user protects his or her private key, incoming communication is secure.

30 Public Key Authentication
Figure 2.7b shown here illustrates another mode of operation of public-key cryptography, where a user encrypts data using his or her own private key. Anyone who knows the corresponding public key will then be able to decrypt the message. This is directed toward providing authentication and/or data integrity. If a user is able to successfully recover the plaintext from Bob’s ciphertext using Bob’s public key, this indicates that only Bob could have encrypted the plaintext, thus providing authentication. Further, no one but Bob would be able to modify the plaintext because only Bob could encrypt the plaintext with Bob’s private key. This can be adapted to provide authentication or data integrity. Suppose that Bob wants to send a message to Alice and, although it is not important that the message be kept secret, he wants Alice to be certain that the message is indeed from him. In this case Bob could use his own private key to encrypt the message. Here the entire message is encrypted, which, although validating both author and contents, requires a great deal of storage and additional processing cost. A more efficient way of achieving the same results is to encrypt a small block of bits that is a function of the document. Such a block, called an authenticator, must have the property that it is infeasible to change the document without changing the authenticator. If the authenticator is encrypted with the sender's private key, it serves as a signature that verifies origin, content, and sequencing. A secure hash code such as SHA-1 can serve this function. It is important to emphasize that the digital signature does not provide confidentiality. That is, the message being sent is safe from alteration but not safe from eavesdropping.
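The two identities of slide 28 and the hashed authenticator of this slide, as an added example (not from the slides or the textbook): textbook RSA with the tiny constructed primes p = 61, q = 53 and e = 17, used in both directions, plus a signature that encrypts a SHA-1 authenticator of the document with the private key and is checked with the public key. Real RSA uses keys of at least 1024 bits (slide 32) and a padding scheme; with this toy modulus the authenticator is reduced mod n and is not collision resistant, so it only illustrates the mechanism.

```python
"""Textbook RSA: confidentiality in one direction, authentication in the other.

Added example with constructed toy parameters; not a usable implementation.
"""
import hashlib
from math import gcd


def keygen(p: int, q: int, e: int = 17):
    """Return (kPUB, kPRIV) = ((e, n), (d, n)) with d = e^-1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def apply_key(key, m: int) -> int:
    """E and D are the same operation, m^k mod n; which key is used decides the role.
    Plaintext and ciphertext are integers in [0, n-1], as slide 32 says."""
    k, n = key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n-1]")
    return pow(m, k, n)


def encrypt_for(kpub, m: int) -> int:      # E(kPUB, P): only the owner can read it
    return apply_key(kpub, m)


def decrypt_with(key, c: int) -> int:      # D(kPRIV, C) or D(kPUB, C) for signatures
    return apply_key(key, c)


def authenticator(document: bytes, n: int) -> int:
    """Small block that is a function of the document: SHA-1 (the slide's example)
    reduced into the RSA range. Toy only: the mod n step loses collision resistance."""
    return int.from_bytes(hashlib.sha1(document).digest(), "big") % n


def sign(kpriv, document: bytes) -> int:
    """E(kPRIV, authenticator): verifies origin and content, not confidentiality."""
    return apply_key(kpriv, authenticator(document, kpriv[1]))


def verify(kpub, document: bytes, signature: int) -> bool:
    """D(kPUB, signature) must equal the authenticator recomputed from the document."""
    return apply_key(kpub, signature) == authenticator(document, kpub[1])


if __name__ == "__main__":
    kpub, kpriv = keygen(61, 53)                         # constructed toy primes
    c = encrypt_for(kpub, 65)
    print(c, decrypt_with(kpriv, c))                     # 2790 65
    print(decrypt_with(kpub, encrypt_for(kpriv, 123)))   # 123: the other direction
    doc = b"pay Alice 10"                                # constructed document
    sig = sign(kpriv, doc)
    print(verify(kpub, doc, sig), verify(kpub, doc, (sig + 1) % kpub[1]))  # True False
```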

31 Public Key Requirements
• computationally easy to create key pairs
• computationally easy for sender knowing public key to encrypt messages
• computationally easy for receiver knowing private key to decrypt ciphertext
• computationally infeasible for opponent to determine private key from public key
• computationally infeasible for opponent to otherwise recover original message
• useful if either key can be used for each role
The cryptosystem illustrated in Figure 2.7 depends on a cryptographic algorithm based on two related keys. Diffie and Hellman postulated this system without demonstrating that such algorithms exist. However, they did lay out the conditions that such algorithms must fulfill:
1. It is computationally easy for a party B to generate a pair (public key PUb, private key PRb).
2. It is computationally easy for a sender A, knowing the public key and the message to be encrypted, M, to generate the corresponding ciphertext: C = E(PUb, M)
3. It is computationally easy for the receiver B to decrypt the resulting ciphertext using the private key to recover the original message: M = D(PRb, C)
4. It is computationally infeasible for an opponent, knowing the public key PUb, to determine the private key, PRb.
5. It is computationally infeasible for an opponent, knowing the public key, PUb, and a ciphertext C, to recover the original message M.
We can add a sixth requirement that, although useful, is not necessary for all public-key applications: Either of the two related keys can be used for encryption, with the other used for decryption.

32 Public Key Algorithms RSA (Rivest, Shamir, Adleman)
developed in 1977; only widely accepted public-key encryption algorithm; given technology advances, larger keys are needed. Diffie-Hellman key exchange algorithm: only allows exchange of a secret key. Digital Signature Standard (DSS): provides only a digital signature function, with SHA-1. Elliptic curve cryptography (ECC): new; security like RSA, but with much smaller keys. Now we briefly mention the most widely used asymmetric encryption algorithms. One of the first public-key schemes was developed in 1977 by Ron Rivest, Adi Shamir, and Len Adleman at MIT. The RSA scheme has since reigned supreme as the only widely accepted and implemented approach to public-key encryption. RSA is a block cipher in which the plaintext and ciphertext are integers between 0 and n – 1 for some n. The successful solution of the Scientific American RSA challenge, which used a public-key size (length of n) of 129 decimal digits, or around 428 bits, does not invalidate the use of RSA; it means that larger key sizes must be used. Currently, a 1024-bit key size (about 300 decimal digits) is considered strong enough. The Diffie-Hellman key exchange algorithm appeared in their seminal 1976 paper. A number of commercial products employ it. Its purpose is to enable two users to exchange a secret key securely that can then be used for subsequent encryption of messages. The algorithm itself is limited to the exchange of the keys. NIST published FIPS PUB 186, the Digital Signature Standard (DSS), in 1991, with revisions in 1993 and 1996. The DSS makes use of SHA-1. The DSS uses an algorithm that is designed to provide only the digital signature function. A new alternative to RSA is elliptic curve cryptography (ECC). Its principal attraction compared to RSA is that it offers equal security for a far smaller bit size, thereby reducing processing overhead.
Whilst the theory of ECC has been around for some time, only recently have products appeared, and only recently has there been sustained cryptanalytic interest in probing for weaknesses. Thus, the confidence level in ECC is not yet as high as that in RSA. However, it is appearing in new standards and products.

33 Encryption Comparison
Secret Key, Block Ciphers: Medium processing. Shared key. Block encryption improved with chained key. Uses: Confidentiality: Session Encryption; Files, database, large blocks of data.
Secret Key, Stream Cipher: Light processing, short code. Shared key. Requires good pseudo-random # generator. Uses: Confidentiality: Session Encryption; Data communications: streams.
Public Key: Intensive processing. Unshared key. Key pairs are related via complex math. Uses: Short encryption, Authentication, Non-repudiation; Key management, Digital signature.

34 Verify the data was not modified
Secure Hash Functions

35 Documents with Integrity
Questions: Can fraud occur if changes are made? Was this document modified? How can I be sure you sent it? Is encryption necessary?
Applications: Integrity: Contracts, Financial data. Non-Repudiation: Digital Signature. Data: Check Sum.

36 Message Authentication
protects against active attacks; verifies received message is authentic: contents unaltered, from authentic source, timely and in correct sequence; may use conventional encryption (only sender & receiver have the key needed) or separate authentication mechanisms that append an authentication tag to the cleartext message. Encryption protects against passive attack (eavesdropping). Message authentication protects against active attacks (falsification of data and transactions) by verifying that received messages are authentic, that is, that the contents of the message have not been altered and that the source is authentic. We may also wish to verify a message's timeliness and sequence relative to other messages flowing between two parties. It is possible to perform authentication simply by the use of conventional encryption. If we assume that only the sender and receiver share a key (which is as it should be), then only the genuine sender would be able to encrypt a message successfully for the other participant. Furthermore, if the message includes an error-detection code and a sequence number, the receiver is assured that no alterations have been made and that sequencing is proper. If the message also includes a timestamp, the receiver is assured that the message has not been delayed beyond that normally expected for network transit. Alternatively, there are several approaches to message authentication that do not rely on encryption. In all of these approaches, an authentication tag is generated and appended to each message for transmission. The message itself is not encrypted and can be read at the destination independent of the authentication function at the destination.

37 Secure Hash Functions An alternative to the message authentication code is the one-way hash function. As with the message authentication code, a hash function accepts a variable-size message M as input and produces a fixed-size message digest H(M) as output (Figure 2.5). Unlike the MAC, a hash function does not also take a secret key as input. To authenticate a message, the message digest is sent with the message in such a way that the message digest is authentic.

38 Simple Hash Functions a one-way or secure hash function used in message authentication, digital signatures all hash functions process input a block at a time in an iterative fashion one of simplest hash functions is the bit-by-bit exclusive-OR (XOR) of each block Ci = bi1 ⊕ bi2 ⊕ ... ⊕ bim effective data integrity check on random data less effective on more predictable data virtually useless for data security The one-way hash function, or secure hash function, is important not only in message authentication but in digital signatures. Here, we look at several hash functions, concentrating on perhaps the most widely used family of hash functions: SHA. All hash functions operate using the following general principles. The input (message, file, etc.) is viewed as a sequence of n-bit blocks. The input is processed one block at a time in an iterative fashion to produce an n-bit hash value. One of the simplest hash functions is the bit-by-bit exclusive-OR (XOR) of every block. This produces a simple parity for each bit position and is known as a longitudinal redundancy check, and can be expressed as follows: Ci = bi1 ⊕ bi2 ⊕ ... ⊕ bim It is reasonably effective for random data as a data integrity check. Each n-bit hash value is equally likely. With more predictably formatted data, the function is less effective. A simple way to improve matters is to perform a one-bit circular shift, or rotation, on the hash value after each block is processed. This has the effect of "randomizing" the input more completely and overcoming any regularities that appear in the input. Although the second procedure provides a good measure of data integrity, it is virtually useless for data security when an encrypted hash code is used with a plaintext message. Given a message, it is an easy matter to produce a new message that yields that hash code: Simply prepare the desired alternate message and then append an n-bit block that forces the new message plus block to yield the desired hash code.
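The XOR hash of slide 38, as an added example (not from the slides): the plain longitudinal redundancy check, the rotated variant, the receiver's integrity check, and the one-block forgery the slide describes, which is why neither variant is a security mechanism. The 16-bit block size and the sample inputs are constructed for illustration.

```python
# Added example, not from the slides: the bit-by-bit XOR hash (longitudinal
# redundancy check) of slide 38, with and without the one-bit rotation, and
# a demonstration of why it is an error-detection code rather than a security
# mechanism. The 16-bit block size is a constructed choice for illustration.

N_BITS = 16
N_BYTES = N_BITS // 8
MASK = (1 << N_BITS) - 1


def blocks(data: bytes):
    """View the input as a sequence of n-bit blocks (zero-padding the tail)."""
    for i in range(0, len(data), N_BYTES):
        chunk = data[i:i + N_BYTES].ljust(N_BYTES, b"\x00")
        yield int.from_bytes(chunk, "big")


def rotl1(x: int) -> int:
    """One-bit circular left shift of an n-bit value."""
    return ((x << 1) | (x >> (N_BITS - 1))) & MASK


def rotr1(x: int) -> int:
    """One-bit circular right shift (inverse of rotl1)."""
    return ((x >> 1) | ((x & 1) << (N_BITS - 1))) & MASK


def xor_hash(data: bytes, rotate: bool = False) -> int:
    """C_i = b_i1 XOR b_i2 XOR ... XOR b_im over every block. With rotate=True
    the running value is rotated one bit after each block, so the result
    depends on block order and regularities in the input are broken up."""
    h = 0
    for b in blocks(data):
        h ^= b
        if rotate:
            h = rotl1(h)
    return h


def integrity_ok(data: bytes, stored_hash: int, rotate: bool = False) -> bool:
    """The check a receiver performs against a transmitted hash; any single
    bit error in transit flips a bit of the XOR sum and is detected."""
    return xor_hash(data, rotate) == stored_hash


def force_hash(message: bytes, target: int, rotate: bool = False) -> bytes:
    """Why the unkeyed XOR hash gives no security: one appended block makes
    any whole-block message hash to 'target', exactly the forgery slide 38
    describes. The rotation only changes which block value is needed."""
    h_prev = xor_hash(message, rotate)
    # After the extra block X the hash is h_prev ^ X (plain) or
    # rotl1(h_prev ^ X) (rotated), so solve for X in each case.
    wanted = rotr1(target) if rotate else target
    fix_block = h_prev ^ wanted
    return message + fix_block.to_bytes(N_BYTES, "big")
```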

39 Message Authentication Codes
One authentication technique involves the use of a secret key to generate a small block of data, known as a message authentication code, that is appended to the message. This technique assumes that two communicating parties, say A and B, share a common secret key KAB. When A has a message to send to B, it calculates the message authentication code as a function of the message and the key: MACM = F(KAB, M). The message plus code are transmitted to the intended recipient. The recipient performs the same calculation on the received message, using the same secret key, to generate a new message authentication code. The received code is compared to the calculated code, as shown here in Figure 2.4 from the text. If we assume that only the receiver and the sender know the identity of the secret key, and if the received code matches the calculated code, then: The receiver is assured that the message has not been altered. The receiver is assured that the message is from the alleged sender. If the message includes a sequence number, then the receiver can be assured of the proper sequence. A number of algorithms could be used to generate the code. The NIST specification, FIPS PUB 113, recommends the use of DES. DES is used to generate an encrypted version of the message, and the last number of bits of ciphertext are used as the code. A 16- or 32-bit code is typical.

40 Secure Hash Functions
(Figure: One Way Hash and Message Authentication Code, each showing Message, H, K and Compare.) Above, K is a secret key (symmetric or asymmetric). The data message is not encrypted here. The function of the hash is to validate that the message is intact, without modification. A Message Authentication Code uses the secret key in the hash algorithm. The hash is appended to the message. For a one-way hash, a hash algorithm is used without a key. Thus a hash result is predictable by anyone who has the algorithm. Option 1: A One-Way Hash encrypts the hash result, providing security by using a secret key in the encryption. Option 2: A One-Way Hash prepends (and appends) the key to a message, and then uses the hash algorithm and appends the hash. The key is removed from the message before sending.

41 Public Key Certificates
One of the major roles of public-key encryption is to address the problem of key distribution. There are actually two distinct aspects to the use of public-key encryption in this regard: the distribution of public keys, and the use of public-key encryption to distribute secret keys. Whilst the public key is public, the problem is knowing if you actually have the public key of a specified user, and not a forgery. The solution to this problem is the public-key certificate, which consists of a public key plus a User ID of the key owner, with the whole block signed by a trusted third party. Typically, the third party is a certificate authority (CA) that is trusted by the user community, such as a government agency or a financial institution. A user can present his or her public key to the authority in a secure manner and obtain a certificate. The user can then publish the certificate. Anyone needing this user's public key can obtain the certificate and verify that it is valid by way of the attached trusted signature. Figure 2.7 from the text illustrates the process. One scheme has become universally accepted for formatting public-key certificates: the X.509 standard. X.509 certificates are used in most network security applications, including IP security, secure sockets layer (SSL), secure electronic transactions (SET), and S/MIME.

42 SHA-512 Structure Now examine the structure of SHA-512, noting that the other versions are quite similar. The algorithm takes as input a message with a maximum length of less than 2^128 bits and produces as output a 512-bit message digest. The input is processed in 1024-bit blocks. Figure 22.2 depicts the overall processing of a message to produce a digest. The processing consists of the following steps (see text for additional details): • Step 1: Append padding bits: so that the message length is congruent to 896 modulo 1024 [length ≡ 896 (mod 1024)]. The padding consists of a single 1-bit followed by the necessary number of 0-bits. • Step 2: Append length: as a block of 128 bits being an unsigned 128-bit integer length of the original message (before padding). • Step 3: Initialize hash buffer: to the specified 64-bit integer values (see text). • Step 4: Process the message in 1024-bit (128-word) blocks, which forms the heart of the algorithm, being a module, labeled F in this figure, that consists of 80 rounds. The logic is described on the next slide. • Step 5: Output the final hash buffer value as the resulting hash. The SHA-512 algorithm has the property that every bit of the hash code is a function of every bit of the input. The complex repetition of the basic function F produces results that are well mixed; that is, it is unlikely that two messages chosen at random, even if they exhibit similar regularities, will have the same hash code. Unless there is some hidden weakness, the difficulty of coming up with two messages having the same message digest is on the order of 2^256 operations, while the difficulty of finding a message with a given digest is on the order of 2^512 operations.
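Steps 1 and 2 of the SHA-512 processing above, as an added example (not from the slides or the text): the padding and 128-bit length field computed explicitly, including the edge case where a message of exactly 112 bytes spills into a second block, plus a check of the "every output bit depends on every input bit" property using the standard library's SHA-512. The round function F itself is left to hashlib.

```python
# Added example, not from the slides: the preprocessing of SHA-512 described
# on slide 42 (padding to 896 mod 1024 bits, then the 128-bit length field)
# and a measurement of the mixing property using hashlib's SHA-512.
import hashlib

BLOCK_BYTES = 128                         # 1024-bit blocks
LENGTH_BYTES = 16                         # 128-bit length field
PAD_TARGET = BLOCK_BYTES - LENGTH_BYTES   # 112 bytes == 896 bits (mod 1024)


def sha512_pad(message: bytes) -> bytes:
    """Return the padded message that SHA-512 actually processes."""
    bit_len = len(message) * 8
    if bit_len >= 1 << 128:
        raise ValueError("SHA-512 input must be shorter than 2^128 bits")
    # Step 1: a single 1 bit (0x80 carries it plus seven 0 bits), then 0 bits
    # until the length is congruent to 896 mod 1024 bits. Padding is always
    # added, so a message that is already 112 bytes long needs a new block.
    padded = message + b"\x80"
    padded += b"\x00" * ((PAD_TARGET - len(padded)) % BLOCK_BYTES)
    # Step 2: the original length as an unsigned 128-bit big-endian integer.
    padded += bit_len.to_bytes(LENGTH_BYTES, "big")
    assert len(padded) % BLOCK_BYTES == 0
    return padded


def block_count(message: bytes) -> int:
    """How many 1024-bit blocks the compression function F iterates over."""
    return len(sha512_pad(message)) // BLOCK_BYTES


def encoded_length(padded: bytes) -> int:
    """Read back the length field from the last 16 bytes of a padded message."""
    return int.from_bytes(padded[-LENGTH_BYTES:], "big")


def avalanche_distance(m1: bytes, m2: bytes) -> int:
    """Hamming distance between the SHA-512 digests of two messages. For a
    one-bit change in the input about half of the 512 output bits change,
    which is the well-mixed property the slide describes."""
    a = int.from_bytes(hashlib.sha512(m1).digest(), "big")
    b = int.from_bytes(hashlib.sha512(m2).digest(), "big")
    return bin(a ^ b).count("1")
```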

43 Secure Hash Functions: Message Digest 5 (MD5) -> 128-bit hash for 512-bit blocks. Secure Hash Function (SHA) -> SHA-256, SHA-384, SHA-512 -> 512-bit hash for 1024-bit blocks. Hashed Message Auth. Code (HMAC): System treats hash function as black box. IV = Initial Vector. SHA-512 means a 512-bit hash is used. (Figure: SHA-512 structure; Msg, IV, Rand Const, Round 0, Round 1, ..., Round 79, Round 80, Hash.)

44 Hash Function Requirements
applied to any size data H produces a fixed-length output. H(x) is relatively easy to compute for any given x one-way property computationally infeasible to find x such that H(x) = h weak collision resistance computationally infeasible to find y ≠ x such that H(y) = H(x) strong collision resistance computationally infeasible to find any pair (x, y) such that H(x) = H(y) The purpose of a hash function is to produce a "fingerprint" of a file, message, or other block of data. To be useful for message authentication, a hash function H must have the properties listed here. The first three properties are requirements for the practical application of a hash function to message authentication. The fourth property is the one-way property: it is easy to generate a code given a message, but virtually impossible to generate a message given a code. This property is important if the authentication technique involves the use of a secret value (such as shown in Figure 2.5c). The fifth property guarantees that it is impossible to find an alternative message with the same hash value as a given message. This prevents forgery when an encrypted hash code is used (as in Figures 2.5a and b). A hash function that satisfies the first five properties in the preceding list is referred to as a weak hash function. If the sixth property is also satisfied, then it is referred to as a strong hash function. The sixth property protects against a sophisticated class of attack known as the birthday attack. In addition to providing authentication, a message digest also provides data integrity. It performs the same function as a frame check sequence: if any bits in the message are accidentally altered in transit, the message digest will be in error.

45 Hash Functions two attack approaches
cryptanalysis exploits logical weakness in algorithm; brute-force attack tries many inputs, strength proportional to size of hash code (2^(n/2)). SHA is the most widely used hash algorithm: SHA-1 gives a 160-bit hash; more recent SHA-256, SHA-384, SHA-512 provide improved size and security. As with symmetric encryption, there are two approaches to attacking a secure hash function: cryptanalysis and brute-force attack. As with symmetric encryption algorithms, cryptanalysis of a hash function involves exploiting logical weaknesses in the algorithm. The strength of a hash function against brute-force attacks depends solely on the length of the hash code produced by the algorithm. If strong collision resistance is required (and this is desirable for a general-purpose secure hash code), then the value 2^(n/2) determines the strength of the hash code against brute-force attacks. Oorschot and Wiener presented a design for a $10 million collision search machine for MD5, which has a 128-bit hash length, that could find a collision in 24 days. Thus a 128-bit code may be viewed as inadequate. With a hash length of 160 bits, the same search machine would require over four thousand years to find a collision. With today's technology, the time would be much shorter, so that 160 bits now appears suspect. In recent years, the most widely used hash function has been the Secure Hash Algorithm (SHA). SHA was developed by the National Institute of Standards and Technology (NIST) and published as a federal information processing standard (FIPS 180). When weaknesses were discovered in SHA, a revised version was issued as FIPS in 1995 and is generally referred to as SHA-1. SHA-1 produces a hash value of 160 bits. In 2002, NIST produced a revised version of the standard, FIPS 180-2, that defined three new versions of SHA, with hash value lengths of 256, 384, and 512 bits, known as SHA-256, SHA-384, and SHA-512.
These new versions have the same underlying structure and use the same types of modular arithmetic and logical binary operations as SHA-1. In 2005, NIST announced the intention to phase out approval of SHA-1 and move to a reliance on the other SHA versions by 2010.
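The 2^(n/2) brute-force bound of slide 45 made concrete, as an added example (not from the slides): a birthday search on an n-bit hash code, run against a truncated SHA-256 so that it finishes in well under a second, next to the 2^n cost of finding a message for a given digest. The truncation widths and the "msg-<i>" inputs are constructed for the demonstration.

```python
# Added example, not from the slides: why the brute-force strength of an n-bit
# hash code against collisions is 2^(n/2) rather than 2^n (slide 45). The
# truncated SHA-256 output stands in for an n-bit hash; the inputs are
# constructed counters.
import hashlib


def truncated_digest(msg: bytes, n_bits: int) -> int:
    """Top n_bits of SHA-256(msg), standing in for an n-bit hash code."""
    full = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return full >> (256 - n_bits)


def birthday_work(n_bits: int) -> int:
    """Expected hash evaluations to find some collision by brute force:
    about 2^(n/2). For MD5 (128 bits) that is 2^64, for SHA-1 (160) 2^80."""
    return 1 << (n_bits // 2)


def preimage_work(n_bits: int) -> int:
    """Finding a message with a given digest costs about 2^n evaluations."""
    return 1 << n_bits


def find_collision(n_bits: int, max_tries: int = 1 << 24):
    """Birthday search: hash distinct inputs until two share an n-bit digest.
    Returns (m1, m2, tries) or None. Remembering every digest seen so far is
    what brings the cost down from 2^n to roughly 2^(n/2); it also means the
    search needs memory proportional to the number of tries."""
    seen = {}
    for i in range(max_tries):
        m = b"msg-%d" % i
        d = truncated_digest(m, n_bits)
        if d in seen:
            return seen[d], m, i + 1
        seen[d] = m
    return None
```

For n = 32 the search needs on the order of 2^16 (about 65 thousand) hashes, which is why a 160-bit code, with 2^80 expected work, was long considered adequate and a 128-bit code was not.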

46 Non-Repudiation: You signed it – it is a contract!!!
Digital Signature

47 Digital Envelopes Encrypt with symmetric key, Send symmetric key using Public Key
Another application in which public-key encryption is used to protect a symmetric key is the digital envelope, which can be used to protect a message without needing to first arrange for sender and receiver to have the same secret key. The technique is referred to as a digital envelope, which is the equivalent of a sealed envelope containing an unsigned letter. The general approach is shown here from Figure 2.9 in the text. Suppose Bob wishes to send a confidential message to Alice, but they do not share a symmetric secret key. Bob does the following:
1. Prepare a message.
2. Encrypt that message using conventional encryption with a one-time conventional session key.
3. Encrypt the session key using public-key encryption with Alice's public key.
4. Attach the encrypted session key to the message and send it to Alice.
Only Alice is capable of decrypting the session key and therefore of recovering the original message. If Bob obtained Alice's public key by means of Alice's public-key certificate, then Bob is assured that it is a valid key.
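The digital envelope above, together with the two-way use of a key pair from slides 30, 31 and 49, as an added example (not from the slides or the text): a textbook RSA key pair wraps a session key with the recipient's public key and signs a message hash with the sender's private key. The primes, the 56-bit session key and the SHA-256-keystream stand-in for the conventional cipher are constructed toy values; a real system uses 2048-bit or larger keys, OAEP/PSS padding and AES, none of which is shown here.

```python
# Added example, not from the slides: a textbook RSA key pair satisfying the
# requirements of slide 31, used for the digital envelope of slide 47
# (session key wrapped with the recipient's public key) and for the digital
# signature of slides 30 and 49 (hash signed with the sender's private key).
# Toy parameters throughout: small primes, 56-bit session key, and an XOR
# keystream in place of a real block cipher.
import hashlib
from math import gcd


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Requirement 1: key pairs are easy to create. Returns (PU, PR)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def rsa_apply(key, x: int) -> int:
    """C = E(PU, M) and M = D(PR, C) are the same modular exponentiation, so
    either key of the pair can take the encrypting role (requirement 6)."""
    k, n = key
    if not 0 <= x < n:
        raise ValueError("block must be an integer in [0, n)")
    return pow(x, k, n)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the conventional cipher: XOR with a SHA-256 keystream in
    counter mode. Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(recipient_pub, message: bytes, session_key: bytes):
    """Digital envelope, sender side (slide 47, steps 2 to 4)."""
    ciphertext = keystream_xor(session_key, message)              # step 2
    key_int = int.from_bytes(session_key, "big")
    wrapped_key = rsa_apply(recipient_pub, key_int)               # step 3
    return wrapped_key, ciphertext                                # step 4


def open_envelope(recipient_priv, wrapped_key: int, ciphertext: bytes,
                  key_len: int) -> bytes:
    """Only the holder of the private key recovers the session key."""
    key_int = rsa_apply(recipient_priv, wrapped_key)
    return keystream_xor(key_int.to_bytes(key_len, "big"), ciphertext)


def _authenticator(message: bytes, n: int) -> int:
    """The small block that is signed instead of the whole message: a SHA-256
    digest, truncated to fit below n (toy shortcut; real schemes pad)."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return h >> (256 - (n.bit_length() - 1))


def sign(priv, message: bytes) -> int:
    """Encrypt the authenticator with the sender's private key."""
    return rsa_apply(priv, _authenticator(message, priv[1]))


def verify(pub, message: bytes, signature: int) -> bool:
    """Anyone holding the public key checks origin and content. The message
    itself travels in the clear: a signature gives no confidentiality."""
    return rsa_apply(pub, signature) == _authenticator(message, pub[1])
```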

48 Message Auth Which of these offer Digital Signature?
Figure 2.6 illustrates three ways in which the message can be authenticated. The message digest can be encrypted using conventional encryption (part a); if it is assumed that only the sender and receiver share the encryption key, then authenticity is assured. The message can also be encrypted using public-key encryption (part b); this is explained later. The public-key approach has two advantages: it provides a digital signature as well as message authentication; and it does not require the distribution of keys to communicating parties. These two approaches have an advantage over approaches that encrypt the entire message in that less computation is required. Nevertheless, there has been interest in developing a technique that avoids encryption altogether. Part c shows a technique that uses a hash function but no encryption for message authentication. This technique assumes that two communicating parties, say A and B, share a common secret value SAB. When A has a message to send to B, it calculates the hash function over the concatenation of the secret value and the message: MDM = H(SAB||M). It then sends [M||MDM] to B. Because B possesses SAB, it can recompute H(SAB||M) and verify MDM. Because the secret value itself is not sent, it is not possible for an attacker to modify an intercepted message. As long as the secret value remains secret, it is also not possible for an attacker to generate a false message.
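The three keyed tags the slides describe, as an added example (not from the slides or the text): the MAC = F(K_AB, M) of slide 39 with HMAC-SHA256 standing in for the DES-based code of FIPS 113, the prefix construction MD_M = H(S_AB || M) of slide 48, and the key-prepend-and-append option of slide 40, each appended to a cleartext message as [M || tag] and checked by the receiver. The key and messages are constructed sample values.

```python
# Added example, not from the slides: authentication tags appended to a
# cleartext message (slides 39, 40 and 48), with the receiver's check.
import hashlib
import hmac

TAG_LEN = 32   # SHA-256 output length


def mac_tag(key: bytes, message: bytes) -> bytes:
    """MAC = F(K_AB, M) of slide 39. HMAC-SHA256 (FIPS 198) plays F here in
    place of the DES-based code of FIPS 113; it keys the hash as slide 40's
    Message Authentication Code does."""
    return hmac.new(key, message, hashlib.sha256).digest()


def prefix_tag(secret: bytes, message: bytes) -> bytes:
    """MD_M = H(S_AB || M) of slide 48: a hash and a shared secret, no
    encryption. Caveat: with a Merkle-Damgard hash such as SHA-256 this
    secret-prefix form is exposed to length-extension forgery, which is why
    HMAC is the standardized choice in practice."""
    return hashlib.sha256(secret + message).digest()


def sandwich_tag(key: bytes, message: bytes) -> bytes:
    """Option 2 of slide 40: the key is prepended and appended, the hash is
    computed, and the key is removed again before the message is sent."""
    return hashlib.sha256(key + message + key).digest()


def send(key: bytes, message: bytes, tagger) -> bytes:
    """Sender: transmit [M || tag]; M itself stays readable in transit."""
    return message + tagger(key, message)


def receive(key: bytes, packet: bytes, tagger):
    """Receiver: recompute the tag over the received message and compare.
    Returns the message, or None if it was altered or not produced by a
    holder of the key. hmac.compare_digest keeps the comparison
    constant-time so the check itself leaks nothing about the tag."""
    if len(packet) < TAG_LEN:
        return None
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(tag, tagger(key, message)):
        return None
    return message
```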

49 Digital Signature: Using Public Key Encryption Encode with Private Key Decode with Public Key

50 Are We Secure? Other Issues

51 Random Numbers random numbers have a range of uses requirements:
randomness based on statistical tests for uniform distribution and independence unpredictability successive values not related to previous clearly true for truly random numbers but more commonly use generator Random numbers play an important role in the use of encryption for various network security applications, such as in the generation of: keys for public-key algorithms, stream keys in a stream cipher, for temporary session keys, and in key distribution scenarios. These applications give rise to two distinct and not necessarily compatible requirements for a sequence of random numbers: randomness and unpredictability. Traditionally, the concern in the generation of a sequence of allegedly random numbers has been that the sequence of numbers be random in some well-defined statistical sense (such as uniform distribution and independence). In applications such as reciprocal authentication and session key generation, the requirement is not so much that the sequence of numbers be statistically random but that the successive members of the sequence are unpredictable. With “true” random sequences, each number is statistically independent of other numbers in the sequence and therefore unpredictable. However, as is discussed shortly, true random numbers are not always used; rather, sequences of numbers that appear to be random are generated by some algorithm. In this latter case, care must be taken that an opponent not be able to predict future elements of the sequence on the basis of earlier elements.

52 Pseudorandom versus Random Numbers
often use algorithmic technique to create pseudorandom numbers which satisfy statistical randomness tests but likely to be predictable true random number generators use a nondeterministic source e.g. radiation, gas discharge, leaky capacitors increasingly provided on modern processors Cryptographic applications typically make use of algorithmic techniques for random number generation. These algorithms are deterministic and therefore produce sequences of numbers that are not statistically random. However, if the algorithm is good, the resulting sequences will pass many reasonable tests of randomness. Such numbers are referred to as pseudorandom numbers. A true random number generator (TRNG) uses a nondeterministic source to produce randomness. Most operate by measuring unpredictable natural processes, such as pulse detectors of ionizing radiation events, gas discharge tubes, and leaky capacitors. True random sources are increasingly built into modern computer chips.

53 Location of Encryption
The most powerful, and most common, approach to countering the threats to network security is encryption. In using encryption, we need to decide what to encrypt and where the encryption gear should be located. There are two fundamental alternatives: link encryption and end-to-end encryption; as illustrated in Figure 19.9. With link encryption, each vulnerable communications link is equipped on both ends with an encryption device. Thus, all traffic over all communications links is secured. Although this requires a lot of encryption devices in a large network, it provides a high level of security. One disadvantage of this approach is that the message must be decrypted each time it enters a frame switch; this is necessary because the switch must read the address (connection identifier) in the frame header to route the frame. Thus, the message is vulnerable at each switch. If this is a public frame-relay network, the user has no control over the security of the nodes. With end-to-end encryption, the encryption process is carried out at the two end systems. The source host or terminal encrypts the data. The data, in encrypted form, are then transmitted unaltered across the network to the destination terminal or host. The destination shares a key with the source and so is able to decrypt the data. This approach would seem to secure the transmission against attacks on the network links or switches. There is, however, still a weak spot, since the host may only encrypt the user data portion of the frame and must leave the header in the clear, so that it can be read by the network. To achieve greater security, both link and end-to-end encryption are needed, as is shown in Figure 19.9.

54 Encryption Types
(Figure: Source, Router, Destination, with Link Encryption and End-to-End Encryption marked.)

55 Link versus End-to-End Encryption
Link encryption: Use when the link is vulnerable (packet sniffers and eavesdroppers). End-to-end encryption: Use when intermediate nodes may be compromised.
Link: Link-specific: all packets transmitted on the single link are encrypted. End-to-end: Connection-specific: a connection is encrypted across all its links.
Link: Encrypted for all protocol layers (at or above the encryption layer). End-to-end: Encrypted for upper-layer protocols only.
Link: Intermediate nodes decrypt. End-to-end: Intermediate nodes cannot decrypt.
Link: Provides node authentication. End-to-end: Provides user authentication.
Link: Transparent to user: one key per link. End-to-end: Not user-transparent: one key per connection.
Link: One algorithm for all users. End-to-end: User selects encryption algorithm.
Link: Encryption done in hardware. End-to-end: Encryption done in hardware or software.
Link examples: Virtual Private Network (VPN), Wireless (WEP, WPA, WPA2), IP Security (IPsec). End-to-end examples: Secure Shell (SSH), Secure Socket Layer (TLS, SSL), IP Security (IPsec).

56 Summary Confidentiality: Symmetric encryption: Secret Key
Asymmetric encryption: Public/Private keys Key management End-to-end versus local encryption Integrity: Message authentication & hash functions Non-Repudiation: Digital signatures Chapter 2 summary.

