Confidentiality Using Conventional Encryption
1Confidentiality
Cryptography & Network Security H. Yoon
Confidentiality Using Conventional Encryption
• Where should cryptographic functionality be located?
• How can we make communications confidential?
• How do we distribute keys?
• What is the role of random numbers?
Placement of Encryption Function
• Networks are vulnerable to active and passive attacks
– Many potential locations for confidentiality attacks
» By network tapping or other means
» Passive inductive attacks on electrical signaling
» Phone and wiring closets may be accessible to outsiders
» Satellite links are easy to monitor
» etc
Points of Vulnerability
Link vs. End-to-End Encryption
• The most powerful and most common approach to securing the points of vulnerability is encryption
• If encryption is to be used to counter these attacks, need to decide what to encrypt and where the encryption should be located
• Two fundamental alternatives:
– Link encryption
– End-to-end encryption
Logical Placement of E2E Encryption Function
• Link encryption occurs at either the physical or link layers
• For end-to-end encryption, several choices are possible
• At the lowest practical layer, the encryption function could be performed at network layer
• All the user processes and applications within each end system would employ the same encryption scheme with the same key
• With this arrangement, front-end processor may be used to off-load the encryption function
Logical Placement of E2E Encryption Function
• X.25 or TCP provide end-to-end security for traffic within a fully integrated internetwork. However, such a scheme cannot deliver the necessary service for traffic that crosses internetwork boundaries, such as E-Mail, EDI, and file transfer
• In this case, the only place to achieve end-to-end encryption is at the application layer
• A drawback of application-layer encryption is that the number of entities to consider increases dramatically
• Many more secret keys need to be generated and distributed
Traffic Confidentiality
• Security from traffic analysis attack
– Knowledge about the number and length of messages between nodes may enable an opponent to determine who is talking to whom
• Types of information derivable from traffic analysis
– Identities of communicating partners
– Frequency of communication
– Message patterns, e.g., length, quantity, (encrypted) content
– Correlation between messages and real world events
• Can (sometimes) be defeated through traffic padding
Countermeasure to Traffic Analysis
• Link encryption approach
– Link encryption hides address information
– Traffic padding is very effective
• End-to-End encryption approach
– Leaves addresses in the clear
– Measures available to the defender are more limited
» Pad out data units to a uniform length at either the transport or application level
» Null messages can be inserted randomly into the stream
Covert Channel
• Essentially, the dual of traffic analysis
• A means of communication in a fashion unintended by the designers of the communication facility
• Usually intended to violate or defeat a security policy
• Examples
– Message length
– Message content
– Message presence
Key Distribution
• For conventional encryption to work, the two parties must share the same key and that key must be protected from access by others
• Alice’s options in establishing a shared secret key with Bob include
– Alice selects a key and physically delivers it to Bob
– Trusted third party key distribution center (T3P or KDC) selects a key and physically delivers it to Alice and Bob
– If Alice and Bob have previously and recently used a key, it can be used to distribute a new key
– If Alice and Bob have keys with the T3P, rekeying can be accomplished similarly
Key Distribution
• Manual delivery is a reasonable requirement with link encryption, challenging with E2E encryption
– The number of keys grows quadratically with the number of endpoints
• T3P key(s) constitute a rich target of opportunity
• Initial (master) key distribution remains a challenge
Use of a Key Hierarchy
• Use of a key distribution center is based on the use of a hierarchy of keys
– Session keys
– Master keys
A Key Distribution Scenario
• Assume each principal shares a unique master key with the KDC
• Alice desires a one-time session key to communicate with Bob
• Alice issues a request to the KDC for a session key to be used with Bob. Alice’s request includes a nonce to prevent replay attacks
• The KDC responds with a message encrypted under Alice’s key. The message contains the session key, the nonce, and a copy of the session key together with Alice’s identity, encrypted under Bob’s key
• Alice forwards the data encrypted under Bob’s key to Bob
• Alice and Bob mutually authenticate under the session key
– Alice sends a nonce to Bob encrypted under the session key
– Bob applies a transformation to the nonce and sends the result back to Alice
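The scenario above with both sides' messages, as an added example that is not part of the original slides. The cipher is a stand-in built from SHAKE-256 and HMAC so the code runs with the standard library only; the names `seal`, `unseal`, `kdc_reply` and the transformation f(N) = N + 1 are assumptions of this example.

```python
import hashlib, hmac, json, secrets

def seal(key: bytes, obj: dict) -> bytes:
    # Stand-in authenticated cipher (SHAKE-256 keystream + HMAC-SHA256), illustration only.
    pt, iv = json.dumps(obj).encode(), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + iv).digest(len(pt))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    pt = bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + iv).digest(len(ct))))
    return json.loads(pt)

# Constructed master keys: each principal shares a unique one with the KDC.
MASTER = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}

def kdc_reply(sender: str, peer: str, nonce: str) -> bytes:
    ks = secrets.token_hex(32)                               # fresh one-time session key
    for_peer = seal(MASTER[peer], {"ks": ks, "id": sender})  # only the peer can open this part
    return seal(MASTER[sender], {"ks": ks, "nonce": nonce, "for_peer": for_peer.hex()})

def alice_accept(reply: bytes, expected_nonce: str):
    msg = unseal(MASTER["alice"], reply)
    if msg["nonce"] != expected_nonce:                       # an old reply carries an old nonce
        raise ValueError("nonce mismatch: replayed KDC reply")
    return bytes.fromhex(msg["ks"]), bytes.fromhex(msg["for_peer"])

def bob_accept(for_peer: bytes):
    ticket = unseal(MASTER["bob"], for_peer)
    return bytes.fromhex(ticket["ks"]), ticket["id"]

def handshake(ks_alice: bytes, ks_bob: bytes) -> bool:
    n = secrets.randbelow(2**64)
    challenge = seal(ks_alice, {"n": n})                                # Alice -> Bob
    response = seal(ks_bob, {"n": unseal(ks_bob, challenge)["n"] + 1})  # Bob -> Alice, f(N) = N + 1
    return unseal(ks_alice, response)["n"] == n + 1

def run():
    n1 = secrets.token_hex(16)                  # Alice's nonce for this request
    reply = kdc_reply("alice", "bob", n1)
    ks_a, for_peer = alice_accept(reply, n1)
    ks_b, who = bob_accept(for_peer)            # Bob learns the key and who holds it
    return reply, who, handshake(ks_a, ks_b)
```

Feeding a recorded `reply` to `alice_accept` together with a fresh nonce raises `ValueError`, which is the replay check the nonce exists for.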
Hierarchical Key Control
• Instead of a single KDC, a hierarchy of KDCs can be established: local KDCs and a global KDC
• Local KDCs exchange keys through a global KDC
• Can be extended to three or more layers (hierarchy)
Session Key Lifetime
• Tradeoffs in the session key lifetime
• The more frequently session keys are exchanged, the more secure they are, but the lower the performance (more network load and delay)
• For connection-oriented protocols, one option is to associate a session with a connection
• For long-lived connections, must periodically rekey
• For connectionless protocols, rekey at intervals
A Transparent Key Control Scheme
Decentralized Key Distribution
1. A issues a request to B for a session key and includes a nonce, N1
2. B responds with a message encrypted using the shared master key. Response includes the session key selected by B, an identifier of B, the value of f(N1), and another nonce, N2
3. Using the new session key, A returns f(N2) to B
Controlling Key Usage
• It is desirable to impose some control on the way in which keys are used
– e.g. we may wish to define different types of session keys on the basis of use, such as
» Data-encrypting key
» PIN-encrypting key
» File-encrypting key
• One technique is to associate a tag with each key
– Tag is a bit-vector representing the key’s usage or type
– e.g. the extra 8 bits in each 56-bit DES key can be used as a tag
– Limited flexibility and functionality due to the limited tag size
– Because the tag is not transmitted in clear form, it can be used only at the point of decryption, limiting the ways in which key use can be controlled
• A more flexible scheme is to use a control vector
Control Vector Scheme
– Each session key has an associated control vector
– Control vector consists of a number of fields that specify the uses and restrictions for that session key
– The length of control vector may vary
– Control vector is cryptographically coupled with the key at the time of key generation at the KDC
» Hash value: $H = h(CV)$
» Key input: $K_m \oplus H$
» Encrypted session key: $E_{K_m \oplus H}[K_s]$
– When a session key is delivered to a user from the KDC, it is accompanied by the control vector in clear form
– The session key can be recovered only by using both the master key and the control vector
» $K_s = D_{K_m \oplus H}[E_{K_m \oplus H}[K_s]]$
– Advantages (over the 8-bit tag)
» No restriction on length of control vector (arbitrarily complex controls can be imposed on key use)
» Control vector is available in clear form at all stages of operation; key control can be exercised in multiple locations
CV: control vector; $K_m$: master key; $K_s$: session key
Random Number Generation
• Use of random numbers (in cryptography)
– As key stream for a one-time pad
– For session keys
– For public key
– For nonces (random numbers) in protocols to prevent replays
– Good cryptography requires good random numbers
• Random number requirements
– Statistically random (uniform distribution, etc)
– Unpredictable (independent)
Sources of Randomness
• Natural random noise (Natural real randomness)
– Radiation counters, radio noise, thermal noise in diodes, leaky capacitors, mercury discharge tubes, etc
– Generally need special H/W for this
– Starting to see this in new CPUs (Pentium III)
• Almost random sources
– Keystroke timing
– Mouse tracking
– Disk latency, etc
• Published lists
– e.g., Rand Co. in 1955 published a book of 1 million numbers generated using an electronic roulette wheel
– Predictable
• In practice, pseudorandom numbers are algorithmically derived from a deterministic PRNG (Pseudorandom Number Generator)
Lehmer’s algorithm
• Most widely used technique for PRNG
• Also known as linear congruential method
• Four parameters
– m, the modulus: $m > 0$
– a, the multiplier: $0 \le a < m$
– c, the increment: $0 \le c < m$
– $X_0$, the seed: $0 \le X_0 < m$
• $X_{n+1} = (aX_n + c) \bmod m$
• Generates numbers in the range $\{0, \ldots, m-1\}$
• “Good” and “bad” choices for m, a, and c
– Lots of obvious bad choices
Lehmer’s algorithm - 2
• Choose a very large m, e.g., $2^{31}$
– Provides for a long series
– Usually the maximum integer value for a given computer
• Criteria for good RNG:
– Generate the entire range (full period)
– Pass statistical tests
– Efficient implementation
• Good choices
– $m = 2^{31} - 1$, a prime value
– $a = 7^5 = 16807$
– $c = 0$
• Useful for applications requiring statistical randomness (Monte Carlo simulation)
• Not so useful for cryptography (easy cryptanalysis)
– $X_i$, $X_{i+1}$, $X_{i+2}$ gives solution for m, a, and c
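Why the slide rules this generator out for cryptographic use, as an added example that is not part of the original slides: with the modulus m assumed known, three consecutive outputs determine a and c, and every later output follows. The function names and the second parameter set are constructed for illustration.

```python
def lcg(m, a, c, seed):
    """Yield X_1, X_2, ... with X_{n+1} = (a*X_n + c) mod m."""
    x = seed
    while True:
        x = (a * x + c) % m
        yield x

def recover_lcg(x0, x1, x2, m):
    """Solve x1 = a*x0 + c and x2 = a*x1 + c (mod m) for (a, c).

    Assumes m is known and (x1 - x0) is invertible mod m, which always
    holds for distinct outputs when m is prime.
    """
    d = (x1 - x0) % m
    a = (x2 - x1) * pow(d, -1, m) % m   # pow(d, -1, m) is the modular inverse (Python 3.8+)
    c = (x1 - a * x0) % m
    return a, c

def predict_next(observed, m):
    """Given at least three consecutive outputs, return the generator's next output."""
    a, c = recover_lcg(*observed[-3:], m)
    return (a * observed[-1] + c) % m

def take(gen, k):
    return [next(gen) for _ in range(k)]

M = 2**31 - 1                                        # modulus from the slide
minstd = take(lcg(M, 16807, 0, seed=1), 4)           # the slide's a = 7^5, c = 0
other = take(lcg(M, 48271, 12345, seed=2024), 4)     # constructed parameters, c != 0

if __name__ == "__main__":
    for name, outs in (("minstd", minstd), ("other", other)):
        print(name, recover_lcg(*outs[:3], M), predict_next(outs[:3], M) == outs[3])
```

Session keys and nonces therefore need a generator whose output does not reveal its state, such as the cryptographic constructions on the following slides or, in Python, the `secrets` module.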
Cryptographically Generated RNs
• Cyclic encryption
– Generate session keys from a master key
– A counter with period N is input to the encryption logic
– e.g. 56-bit counter for 56-bit DES
– $X_0, X_1, \ldots, X_{n-1}$
– The $X_i$ cannot be deduced since the master key is protected
– Full-period PRNG can be used instead of a simple counter
• DES OFB mode
– Can be used as a PRNG (IV is the seed)
– Successive 64-bit outputs constitute a sequence of pseudorandom numbers with good statistical properties
ANSI X9.17 PRNG
• One of the (cryptographically) strongest PRNGs
• Used in financial security applications and PGP
– $DT_i$ is the date/time value at the beginning of the ith stage
– $V_i$ is the seed value at the beginning of the ith stage
– $R_i$ is the output (PRN) of the ith stage
– $K_1$, $K_2$ are 3DES keys
– $R_i = EDE_{K_1,K_2}(V_i \oplus EDE_{K_1,K_2}(DT_i))$
– $V_{i+1} = EDE_{K_1,K_2}(R_i \oplus EDE_{K_1,K_2}(DT_i))$
Blum Blum Shub (BBS) PRNG
• Choose large primes p and q, s.t. $p \equiv q \equiv 3 \pmod 4$
• Let $n = p \times q$
• Choose s relatively prime to n
• BBS produces a sequence of bits $B_i$
• X0 = s^2 mod n;
  for (i = 1; ; i++) { Xi = (Xi-1)^2 mod n; Bi = Xi & 1; }
• BBS is referred to as a cryptographically secure pseudorandom bit generator (CSPRBG)
Blum Blum Shub PRNG - Example
• $n = 383 \times 503 = 192649$, $s = 101355$
CSPRBG
• A cryptographically secure pseudorandom bit generator (CSPRBG) is defined as one that passes the next-bit test
• Next-bit test
– Given k bits of output from a PRBG, there is no polynomial-time algorithm that can predict the (k+1)st bit with probability greater than ½ +
• For all practical purposes, the sequence is unpredictable
• The security of BBS is based on the difficulty of factoring n (i.e., given n, determining two prime factors p and q)
HW
• P. 5.3
• P. 5.4
• P. 5.5
• P. 5.9
• P. 5.10
• (For P.5.3 and P. 5.10, please look up the errata sheet)