Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Information Security Frank Yeong-Sung Lin Department of Information Management National Taiwan University EMBA 2009 – Information Systems and Applications.

Published byBlanche Sims Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Information Security Frank Yeong-Sung Lin Department of Information Management National Taiwan University EMBA 2009 – Information Systems and Applications."— Presentation transcript:

1 1 Information Security Frank Yeong-Sung Lin Department of Information Management National Taiwan University EMBA 2009 – Information Systems and Applications Lecture II

2 2 Information Security Secrecy: keep information unrevealed Authentication: determine the identity of whom you are talking to Nonrepudiation: make sure that someone cannot deny the things he/she had done Integrity control: make sure the message you received has not been modified Information security can be roughly divided into 4 areas:

3 3 Information Security (cont’d) Physical layer: protect transmission link from wire tapping Data link layer: link encryption Network layer: firewall, packet filter Application layer: authentication, non-repudiation, integrity control, (and secrecy/confidentiality) Information security functionality can be distributed across several protocol layers:

4 4 Information Security (cont’d) Risk management –threats, vulnerabilities, assets, damages and probabilities –balancing acts –all cryptosystems may be compromised Notion of chains (Achilles' heel) Notion of buckets (products, policies, processes and people) Defense in-depth Average vs. worst cases Backup, restoration and contingency plans A number of essential concepts to begin with:

5 5 Traditional Cryptography The model depends on a stable public algorithm and a key The work factor for breaking the system by exhaustive search of the key space is exponential in the key length Two categories: Substitution ciphers vs. transposition ciphers Encryption Plaintext P Decryption E K ( P) D K ( E K ( P)) = P Passive intruder (listens only) Active intruder (alters message) key K

6 6 Traditional Cryptography (cont’d) Simplified model of traditional cryptography

7 7 Traditional Cryptography (cont’d) Model of traditional cryptography

8 8 Substitution Cipher Caesar cipher –Every letter is shifted by k positions, e.g., k = 3 and “a” becomes “D”, b becomes “E”, … For example, “attack” becomes “DWDDFN” Mono-alphabetic substitution Plaintext: abcdefghijklmnopqrstuvwxyz ciphertext: QWERTYUIOPASDFGHJKLZXCVBNM –The key space is 26!  4x10 26 –Still the cipher may be broken easily by taking advantage of the frequency statistics of English text (e.g., e, a, th, er, and, the appear very often)

9 9 Substitution Cipher (cont’d) Relative frequency of letters in English text

10 10 Transposition Ciphers Plaintext is written horizontally, while the ciphertext is read out by column, starting with the lowest key column To break the transposition cipher –guess a probable word or phrase (e.g., milliondollars) –try to determine the key length, then order the columns Another related example regarding Newton M E G A B U C K 7 4 5 1 2 8 3 6 p l e a s e t r a n s f e r o n e m i l l i o n d o l l a r s t o m y s w i s s b a n k a c c o u n t s i x t w o t w o a b c d Plaintext pleasetransferonemilliondollarsto myswissbankaccountsixtwotwo Ciphertext AFLLSKSOSELAWAIATOOSSCTCLNMOMANT ESILYNTWRNNTSOWDPAEDOBUOERIRICXB

11 11 Other Interesting Ciphers Chinese poems Clubs and leather stripes Invisible ink (steganography in general) Books Code books Enigma XOR Ej/vu3z8h96

12 12 Two Fundamental Cryptographic Principles First principle –All encrypted messages must contain redundancy to prevent active intruders from tricking the receiver into acting on a false message –However, the same redundancy makes it easier for passive intruders to break the system Second principle –Some measures must be taken to prevent active intruders from playing old messages, e.g., use time stamp to filter out duplicate messages within a certain time incoming messages that are too old are discarded

13 13 Secret-Key Algorithms Consists of sequence of transpositions and substitutions Decoder: 3 to 8 Encoder: 8 to 3 P1P1 S1S1 S2S2 S3S3 S4S4 P2P2 S5S5 S6S6 S7S7 S8S8 P3P3 P-box (Permutation) S-box (Substitution) Product cipher

14 14 Data Encryption Standard (DES) Plaintext is encrypted in blocks of 64 bits DES is basically a mono-alphabetic substitution cipher using a 64-bit character Initial transposition Iteration 1 Iteration 16 32 bit swap Inverse transposition 56-bit key K1K1 K 16 64 bit plaintext 64 bit ciphertext L i-1 R i-1 32 bits L i 32 bits R i L i-1  f(R i-1, K i )

15 15 DES Chaining DES may be vulnerable to active intruders Leslie Kimberly $0000010 $0100000 NameBonus 8 bytes Intruder may copy the block to one row above DES chaining P0P0 E C0C0 # P1P1 E C1C1 # P2P2 E C2C2 # P3P3 E C3C3 #IV Key P0P0 D C0C0 # P1P1 C1C1 P2P2 C2C2 P3P3 C3C3 D # D # D # Exclusive OR

16 16 Breaking DES Exhaustive search of key space = 2 56  7x10 16 –can use multiple computers to do search in parallel Running DES twice consecutively with two different 56-bit keys creates a key space of 2 112  5x10 33 –but it still can be broken by the “meet-in-the-middle” attack in  (2 57 ) time, because C i = E K2 (E K1 (P i )) D K2 (C i ) = E K1 (P i )

17 17 Triple DES Encryption Using EDE (2 encryption and 1 decryption) instead of EEE is for backward compatibility (when K 1 = K 2 ) with single-stage DES system Using EEE with 3 different keys is basically unbreakable nowadays EDE K1K1 K2K2 K1K1 PC DED K1K1 K2K2 K1K1 CP EncryptionDecryption

18 18 Public-Key Algorithms Encryption (E) and Decryption (D) algorithms must meet the following requirements –E and D are different –D(E(P)) = P –It is exceedingly difficult to deduce D from E Everyone has a pair of keys: public key (E) and private key (D) –Public key is made known to the world –Private key is to be kept private all the time EBEB DADA A DBDB EAEA B E B (P 1 ) E A (P 2 ) P1P1 D B (E B (P 1 )) = P 1 P2P2 D A (E A (P 2 )) = P 2

19 19 Principles of Public-Key Cryptosystems

20 20 Principles of Public-Key Cryptosystems (cont’d) Requirements for PKC –easy for B (receiver) to generate KU b and KR b –easy for A (sender) to calculate C = E KUb (M) –easy for B to calculate M = D KRb (C) = D KRb (E KUb (M)) –infeasible for an opponent to calculate KR b from KU b –infeasible for an opponent to calculate M from C and KU b –(useful but not necessary) M = D KRb (E KUb (M)) = E KUb (D KRb (M)) (true for RSA and good for authentication)

21 21 Principles of Public-Key Cryptosystems (cont’d)

22 22 Principles of Public-Key Cryptosystems (cont’d) The idea of PKC was first proposed by Diffie and Hellman in 1976. Two keys (public and private) are needed. The difficulty of calculating f -1 is typically facilitated by –factorization of large numbers –resolution of NP-completeness –calculation of discrete logarithms High complexity confines PKC to key management and signature applications

23 23 Principles of Public-Key Cryptosystems (cont’d)

24 24 Principles of Public-Key Cryptosystems (cont’d)

25 25 Principles of Public-Key Cryptosystems (cont’d) Comparison between conventional and public-key encryption

26 26 Principles of Public-Key Cryptosystems (cont’d) Applications for PKC –encryption/decryption –digital signature –key exchange

27 27 Principles of Public-Key Cryptosystems (cont’d)

28 28 Principles of Public-Key Cryptosystems (cont’d)

29 29 Principles of Public-Key Cryptosystems (cont’d)

30 30 RSA Algorithms Developed by Rivest, Shamir, and Adleman at MIT in 1978 First compute the following parameters –Choose two large primes, p and q (typically > 10 100 ) –Compute n = pxq and z = (p-1)x(q-1) –Choose d, which is a number relatively prime to z –Find e such that (exd) mod z = 1 Divide the plaintext into blocks of k bits, where 2 k < n –To encrypt P, compute C = P e mod n –To decrypt C, compute P = C d mod n –Public key = (e, n), private key = (d, n)

31 31 The RSA Algorithm (cont’d) Format’s Little Theorem: If p is prime and a is a positive integer not divisible by p, then a p-1  1 mod p. Example: a = 7, p = 19 7 2 = 49  11 mod 19 7 4 = 121  7 mod 19 7 8 = 49  11 mod 19 7 16 = 121  7 mod 19 a p-1 = 7 18 = 7 16+2  7  11  1 mod 19

32 32 The RSA Algorithm (cont’d)

33 33 The RSA Algorithm (cont’d)

34 34 The RSA Algorithm (cont’d) Example 1 –Select two prime numbers, p = 7 and q = 17. –Calculate n = p  q = 7  17 = 119. –Calculate Φ(n) = (p-1)(q-1) = 96. –Select e such that e is relatively prime to Φ(n) = 96 and less than Φ(n); in this case, e = 5. –Determine d such that d  e = 1 mod 96 and d < 96.The correct value is d = 77, because 77  5 = 385 = 4  96+1.

35 35 The RSA Algorithm (cont’d)

36 36 The RSA Algorithm (cont’d) The security of RSA –brute force: This involves trying all possible private keys. –mathematical attacks: There are several approaches, all equivalent in effect to factoring the product of two primes. –timing attacks: These depend on the running time of the decryption algorithm.

37 37 The RSA Algorithm (cont’d) To avoid brute force attacks, a large key space is required. To make n difficult to factor –p and q should differ in length by only a few digits (both in the range of 10 75 to 10 100 ) –both (p-1) and (q-1) should contain a large prime factor –gcd(p-1,q-1) should be small –should avoid e < n and d < n 1/4

38 38 The RSA Algorithm (cont’d) To make n difficult to factor (cont’d) –p and q should best be strong primes, where p is a strong prime if there exist two large primes p 1 and p 2 such that p 1 |p-1 and p 2 |p+1 there exist four large primes r 1, s 1, r 2 and s 2 such that r 1 |p 1 - 1, s 1 |p 1 +1, r 2 |p 2 -1 and s 2 |p 2 +1 –e should not be too small, e.g. for e = 3 and C = M 3 mod n, if M 3 < n then M can be easily calculated

39 39 The RSA Algorithm (cont’d)

40 40 The RSA Algorithm (cont’d) Major threats –the continuing increase in computing power (100 or even 1000 MIPS machines are easily available) –continuing refinement of factoring algorithms (from QS to GNFS and to SNFS)

41 41 The RSA Algorithm (cont’d)

42 42 The RSA Algorithm (cont’d)

43 43 RSA Algorithms (cont’d) The security of RSA is based on the difficulty of factoring large numbers –It takes 4x10 9 years for factoring a 200-digit number –It takes 10 25 years for factoring a 500-digit number RSA is too slow to actually encrypt large volumes of data, so it is primarily used for distributions of one-time session key for use with DES algorithms

44 44 The RSA Algorithm (cont’d)

45 45 Elliptic Curve Cryptography (ECC) For the same length of keys, faster than RSA For the same degree of security, shorter keys are required than RSA Standardized in IEEE P1363 Confidence level not yet as high as that in RSA Much more difficult to explain than RSA

46 46 Elliptic Curve Cryptography (cont’d) Computational effort for cryptanalysis of elliptic curve cryptography compared to RSA

47 47 Elliptic Curve Cryptography (cont’d)

48 48 Key Management The distribution of public keys –public announcement –publicly available directory –public-key authority –public-key certificates The use of public-key encryption to distribute secret keys –simple secret key distribution –secret key distribution with confidentiality and authentication

49 49 Key Management (cont’d) Public announcement

50 50 Key Management (cont’d) Public announcement (cont’d) –advantages: convenience –disadvantages: forgery of such a public announcement by anyone

51 51 Key Management (cont’d) Publicly available directory

52 52 Key Management (cont’d) Publicly available directory (cont’d) –elements of the scheme {name, public key} entry for each participant in the directory in-person or secure registration on-demand entry update periodic publication of the directory availability of secure electronic access from the directory to participants –advantages: greater degree of security

53 53 Key Management (cont’d) Publicly available directory (cont’d) –disadvantages need of a trusted entity or organization need of additional security mechanism from the directory authority to participants vulnerability of the private key of the directory authority (global- scaled disaster if the private key of the directory authority is compromised) vulnerability of the directory records

54 54 Key Management (cont’d) Public-key authority

55 55 Key Management (cont’d) Public-key authority (cont’d) –stronger security for public-key distribution can be achieved by providing tighter control over the distribution of public keys from the directory –each participant can verify the identity of the authority –participants can verify identities of each other –disadvantages bottleneck effect of the public-key authority vulnerability of the directory records

56 56 Key Management (cont’d) Public-key certificates

57 57 Key Management (cont’d) Public-key certificates (cont’d) –to use certificates that can be used by participants to exchange keys without contacting a public-key authority –requirements on the scheme any participant can read a certificate to determine the name and public key of the certificate’s owner any participant can verify that the certificate originated from the certificate authority and is not counterfeit only the certificate authority can create & update certificates any participant can verify the currency of the certificate

58 58 Key Management (cont’d) Public-key certificates (cont’d) –advantages to use certificates that can be used by participants to exchange keys without contacting a public-key authority in a way that is as reliable as if the key were obtained directly from a public-key authority no on-line bottleneck effect –disadvantages: need of a certificate authority

59 59 Key Management (cont’d) Simple secret key distribution

60 60 Key Management (cont’d) Simple secret key distribution (cont’d) –advantages simplicity no keys stored before and after the communication security against eavesdropping –disadvantages lack of authentication mechanism between participants vulnerability to an active attack (opponent active only in the process of obtaining K s ) leak of the secret key upon such active attacks

61 61 Key Management (cont’d) Secret key distribution with confidentiality and authentication

62 62 Key Management (cont’d) Secret key distribution with confidentiality and authentication (cont’d) –provides protection against both active and passive attacks –ensures both confidentiality and authentication in the exchange of a secret key –public keys should be obtained a priori –more complicated

63 63 Diffie-Hellman Key Exchange First public-key algorithm published Limited to key exchange Dependent for its effectiveness on the difficulty of computing discrete logarithm

64 64 Diffie-Hellman Key Exchange (cont’d) Diffie-Hellman key exchange –n, g: large prime number with additional conditions n and g may be made public –x, y: large (say, 512-bit) numbers Alice Bob 2 1 g y mod n n, g, g x mod n Bob computes (g x mod n) y = g xy mod n Alice computes (g y mod n) x = g xy mod n –g xy mod n = the secret key –it is very difficult to find x given g x mod n

65 65 Diffie-Hellman Key Exchange (cont’d) Define a primitive root of of a prime number p as one whose powers generate all the integers from 1 to p-1. If a is a primitive root of the prime number p, then the numbers a mod p, a 2 mod p, …, a p-1 mod p are distinct and consists of the integers from 1 to p-1 in some permutation. Not every number has a primitive root.

66 66 Diffie-Hellman Key Exchange (cont’d) For any integer b and a primitive root a of prime number p, one can find a unique exponent i such that b = a i mod p, where 0  i  (p-1). The exponent is referred to as the discrete algorithm, or index, of b for the base a, mod p. This value is denoted as ind a,p (b).

67 67 Diffie-Hellman Key Exchange (cont’d)

68 68 Diffie-Hellman Key Exchange (cont’d) Example: q = 97 and a primitive root a = 5 is selected. X A = 36 and X B = 58 (both  97). Y A = 5 36 = 50 mod 97 and Y B = 5 58 = 44 mod 97. K = (Y B ) X A mod 97 = 44 36 mod 97 = 75 mod 97. K = (Y A ) X B mod 97 = 50 58 mod 97 = 75 mod 97. 75 cannot easily be computed by the opponent.

69 69 Diffie-Hellman Key Exchange (cont’d) How the algorithm works

70 70 Diffie-Hellman Key Exchange (cont’d)

71 71 Diffie-Hellman Key Exchange (cont’d) q, a, Y A and Y B are public. To attack the secrete key of user B, the opponent must compute X B = ind a,q (Y B ). [Y B = a X B mod q.] The effectiveness of this algorithm therefore depends on the difficulty of solving discrete logarithm.

72 72 Attack on Diffie-Hellman Key Exchange Bucket brigade attack Alice Trudy 3 1 g z mod n n, g, g x mod n –(g xz mod n) becomes the secret key between Alice and Trudy, while (g yz mod n) becomes the secret key between Trudy and Bob Bob 4 2 g y mod n n, g, g z mod n Alice picks x Trudy picks z Bob picks y

73 73 Authentication Protocols Authorization –verifies what a process is permitted to do Authentication –verifies the identity of the process that you are talking to –public and private keys are used for authentication, and for establishing the session key (a secret key) –all data communicated is then encrypted using secret key cryptography

74 74 Authentication Based on a Shared Secret Key Challenge-response protocol Alice Bob K AB (R B ) RBRB A K AB (R A ) RARA 5 4 3 2 1 Challenge Response Challenge Response K AB (K S ) 6 Session keyif needed After step 3, Bob verifies Alice’s identity After step 5, Alice verifies Bob’s identity K AB = shared secret key between Alice and Bob

75 75 Authentication Based on a Shared Secret Key (cont’d) Can we reduce the number of messages exchanged, e.g., Alice Bob K AB (R B ) R B, K AB (R A ) A, R A 3 2 1 Challenge Response Response/Challenge –Only three, instead of five, messages are exchanged

76 76 Authentication Based on a Shared Secret Key (cont’d) The shortened protocol can be defeated by a reflection attack TrudyBob A, R B R B, K AB (R T ) A, R T K AB (R B ) 5 4 3 2 1 First session R B2, K AB (R B ) Second session First session

77 77 Authentication Using a Key Distribution Center Need a trusted Key Distribution Center (KDC) Wide-mouth frog: simplest KDC authentication protocol Alice KDC 1 A, K A (B, K S ) Bob 2 K B (A, K S ) Replay attack –an intruder can just replay message 2 (and any following messages) to Bob later, and Bob has no way to tell if it is a second connection from Alice

78 78 Authentication Using Public-Key Assume both sides already know each other’s public keys –This is not a trivial assumption as explained previously Alice Bob K s (R B ) E A (R A, R B, K S ) E B (A, R A ) 3 2 1 Bob verified Alice’s identity Alice verified Bob’s identity

79 79 Digital Signatures What is needed is a system by which one party can send a “signed” message to another party such that –The receiver can verify the claimed identity of the sender –The sender cannot later repudiate the contents of the message –The receiver cannot possibly have concocted the message itself

80 80 Secret-Key Signatures Assumes a central authority, say Big Brother (BB), that knows everyone’s secret key Alice BB A, K A (B, R A, t, P) Bob K B (A, R A, t, P, K BB (A, t, P)) Bob has K BB (A, t, P), which is proof that Alice sent message P at time t To guard against replaying attack –A message is discarded if its timestamp is too old –For a recent message, it is discarded if R A is duplicate

81 81 Public-Key Signatures Assumes both D(E(P)) = P and E(D(P)) = P (RSA algorithm has such property) Alice’s private key D A Bob’s public key E B D A (P) P Alice’s computer Bob’s private key D B Alice’s public key E A D A (P)P Bob has P and D A (P), which is proof that Alice sent P E B (D A (P)) Bob’s computer Transmission line

82 82 Message Digests It is often desirable to send signed plaintext documents because encrypting the complete document may take too much time Message Digest (MD): hash plaintext to a fixed-length bit string such that –Given P, it is easy to compute MD(P) –Given MD(P), it is effectively impossible to find P –No one can generate two messages that have the same message digest PMD(P) m bits

83 83 Message Digests (cont’d) Public-key message digest Alice Bob P, D A (MD(P)) Most widely used message digest functions –MD5 –SHA (Secure Hash Algorithm) An m-bit MD system may be possibly broken in  (2 m/2 ) time (referred as birthday attack in text)

84 84 Message Digests (cont’d)

85 85 Discussions What do you think are the major security threats in the Internet? What are possible measures and strategies to address such threats? What products, policies and processes of your company are worth recommending?

Download ppt "1 Information Security Frank Yeong-Sung Lin Department of Information Management National Taiwan University EMBA 2009 – Information Systems and Applications."

Similar presentations

Chapter 3 Public Key Cryptography and Message authentication.

Chapter 3 Public Key Cryptography and Message authentication.
Cryptology  Terminology  plaintext - text that is not encrypted.  ciphertext - the output of the encryption process.  key - the information required.

Cryptology  Terminology  plaintext - text that is not encrypted.  ciphertext - the output of the encryption process.  key - the information required.
1 Counter-measures Threat Monitoring Cryptography as a security tool Encryption Digital Signature Key distribution.

1 Counter-measures Threat Monitoring Cryptography as a security tool Encryption Digital Signature Key distribution.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
Public Key Algorithms …….. RAIT M. Chatterjee.

Public Key Algorithms …….. RAIT M. Chatterjee.
Information Security -- Part II Asymmetric Ciphers Frank Yeong-Sung Lin Information Management Department National Taiwan University.

Information Security -- Part II Asymmetric Ciphers Frank Yeong-Sung Lin Information Management Department National Taiwan University.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 29 Cryptography and Network.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 29 Cryptography and Network.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
Henric Johnson1 Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden
McGraw-Hill©The McGraw-Hill Companies, Inc., 2004 1 Security PART VII.

McGraw-Hill©The McGraw-Hill Companies, Inc., Security PART VII.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
Chapter3 Public-Key Cryptography and Message Authentication.

Chapter3 Public-Key Cryptography and Message Authentication.
Cryptography April 20, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Cryptography April 20, 2010 MIS 4600 – MBA © Abdou Illia.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Key Management and Distribution. YSLInformation Security – Mutual Trust2 Major Issues Involved in Symmetric Key Distribution For symmetric encryption.

Key Management and Distribution. YSLInformation Security – Mutual Trust2 Major Issues Involved in Symmetric Key Distribution For symmetric encryption.
1 Pertemuan 08 Public Key Cryptography Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 08 Public Key Cryptography Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

Similar presentations

Ads by Google