Detecting Eavesdropping A Solution - Imperial College Londonmrh/430/02.Cryptography.ppt.pdf ·...


  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.1)

    Detecting Eavesdropping

    A Solution

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.2)

    Quantum Cryptography Quantum Computing

    Quantum Cryptography

    Algorithms for key distribution, coin flipping, bit commitment, oblivious transfer, etc.

    In 1994 Peter Shor devised a quantum computing algorithm to factorise large numbers in polynomial time!

    (Un)fortunately no-one yet knows how to build a suitable quantum computer.

    Can we use quantum effects to detect passive eavesdropping?

    Particles (e.g. photons) exist in N places at once with different probabilities.

    We can measure position or velocity but not both.

    Quantum world is uncertain.

    But we can use this uncertainty to generate a key!

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.3)

    Polarisation: Noddy's guide

    Photons vibrate in some direction, e.g.

    Polarised when many photons vibrate in the same direction

    Polarisation filters only allow photons polarised in a defined direction (angle) through, e.g.

    100%

    0%

    50%

    Up and down

    Left and right

    At some angle

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.4)

    Wiesner's Quantum Money

    Each note has a printed serial number and a set of "photon-stores" that hold differently polarised photons.

    Only the Bank knows the polarisations for any serial number.

    We can produce counterfeit notes if we can measure the correct polarisations. But to do this we need to guess the correct orientations.

    DoC Bank 100 22AC320FR00

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.5)

    Wiesner's Quantum Money Filter Result

    100%

    0%

    50%

    50%

    ?

    ?

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.6)

    Basis

    Polarisation is measured in a basis.

    Basis consists of 2 orthogonal directions, e.g.

    If polarisation is read in a matching basis -> we learn polarisation

    If read in wrong basis -> we learn a random polarisation!

    Rectilinear

    Diagonal

    Okay

    Random

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.7)

    Bennett & Brassard Protocol

    Alice sends pulses to Bob.

    Bob uses polarisation detectors with randomly set basis.

    Bob tells Alice his settings.

    Alice tells Bob which settings were correct.

    Settings map to 0 and 1s, e.g. and / map to 0, while | and \ map to 1.

    Alice and Bob only use those settings as a secret key (or 1-time pad key).

    1 1 0 0 0 1 1 1 0

    1 1 1 00/1 0/1 0/1 0/1 0/1

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.8)

    Protocol Continued

    Eavesdropper Eve also does not know correct polarisations, so like Bob will pick wrong basis 50% of the time. Knowing Bob's settings after the event does not help, because she will have measured half of them incorrectly.

    Worse still, Eve will introduce errors, which Alice & Bob can detect, since Eve's wrong guesses will change polarisation of pulses.

    To detect Eve, Alice and Bob only need to compare a few bits in their message.

    If errors found then we have an Eavesdropper.

    If no errors: Use rest of message
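The protocol and the eavesdropper check from the last two slides, as a classical simulation added here (it is not part of the original slides). It assumes Eve measures every pulse in a randomly chosen basis and resends what she saw; the basis labels `+` and `x`, the function names and the seeded generator are choices made for this example.

```python
import random

BASES = "+x"  # '+' rectilinear, 'x' diagonal (labels assumed for this example)

def measure(bit, prepared_in, measured_in, rng):
    """Matching basis -> we learn the bit; wrong basis -> a random result."""
    return bit if prepared_in == measured_in else rng.randrange(2)

def bb84(n_pulses, eve_present, n_check, seed):
    """Simulate one run; returns both keys and the errors found in the check sample."""
    rng = random.Random(seed)  # seeded for a repeatable demo, not key-grade randomness
    alice_bits = [rng.randrange(2) for _ in range(n_pulses)]
    alice_bases = [rng.choice(BASES) for _ in range(n_pulses)]
    bob_bases = [rng.choice(BASES) for _ in range(n_pulses)]

    bob_bits = []
    for bit, basis, bob_basis in zip(alice_bits, alice_bases, bob_bases):
        if eve_present:
            # Eve must guess a basis; the pulse she forwards is polarised in HER basis.
            eve_basis = rng.choice(BASES)
            bit = measure(bit, basis, eve_basis, rng)
            basis = eve_basis
        bob_bits.append(measure(bit, basis, bob_basis, rng))

    # Bob announces his settings; Alice says which were correct (public discussion).
    sifted = [i for i in range(n_pulses) if alice_bases[i] == bob_bases[i]]

    # Compare a few sifted bits in the open, then discard them.
    check = set(rng.sample(sifted, min(n_check, len(sifted))))
    errors = sum(alice_bits[i] != bob_bits[i] for i in check)
    rest = [i for i in sifted if i not in check]
    return {
        "alice_key": [alice_bits[i] for i in rest],
        "bob_key": [bob_bits[i] for i in rest],
        "checked": len(check),
        "errors": errors,
    }

def miss_probability(n_check):
    """Chance Eve causes no error in n_check compared bits (each errs with p = 1/4)."""
    return 0.75 ** n_check

if __name__ == "__main__":
    for eve in (False, True):
        run = bb84(n_pulses=512, eve_present=eve, n_check=64, seed=1)
        print("Eve" if eve else "No Eve", run["errors"], "errors in", run["checked"])
```

Each compared bit exposes this kind of Eve with probability 1/4 (wrong basis half the time, then a wrong result at Bob half the time), so the chance she goes unnoticed falls as 0.75 to the power of the number of bits compared.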

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.9)

    Reading

    Simon Singh, The Code Book, Chapter 8

    Quantum Computing Course (482), Next term

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.10)

    Classical Cryptography

    Michael Huth

    www.doc.ic.ac.uk/~mrh/430/

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.11)

    Why Cryptography?

    CONFIDENTIALITY
    Keep information secret

    AUTHENTICATION
    Receiver can verify who sender was

    INTEGRITY
    Detect modified messages

    NON-REPUDIATION
    Sender cannot later falsely deny sending a message. Receiver cannot falsely deny receiving it.

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.12)

    Encryption

    Plaintext (P): hello world -> Encrypt (E) -> Ciphertext (C): JHN+K9[

    C = E (P)

    Ciphertext (C) -> Decrypt (D) -> Plaintext (P)

    P = D (C)

    P = D (E (P))

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.13)

    Encryption with a Secret Key

    Plaintext (P) -> Encrypt (E) -> Ciphertext (C)

    C = Ek (P)

    P = Dk (Ek (P))

    Key (k)

    Ciphertext (C) -> Decrypt (D) -> Plaintext (P)

    P = Dk (C)

    Key (k)

    Kerckhoffs' Principle - Secrecy should lie in keeping a key secret. Assume algorithm is known.

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.14)

    Encryption with 2 Keys

    P = Dk2 (Ek1 (P))

    Plaintext (P) -> Encrypt (E) -> Ciphertext (C)

    C = Ek1 (P)

    Key1 (k1)

    Ciphertext (C) -> Decrypt (D) -> Plaintext (P)

    P = Dk2 (C)

    Key2 (k2)

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.15)

    Steganography

    Dear George, 3rd March

    Greetings to all at Oxford. Many thanks for your
    letter and for the Summer examination package.
    All Entry Forms and Fees Forms should be ready
    for final dispatch to the Syndicate by Friday
    20th or at the very least, I'm told, by the 21st.
    Admin has improved here, though there's room
    for improvement still; just give us all two or three
    more years and we'll really show you! Please
    don't let these wretched 16+ proposals destroy
    your basic O and A pattern. Certainly this
    sort of change, if implemented immediately,
    would bring chaos.

    Conceal existence of message, e.g. 1st letter of each word, least sig. bit of graphic image

    Useless once method discovered

    Peter Wayner, Disappearing Cryptography, 2nd ed, Morgan Kaufmann, 2002

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.16)

    Steganography **

    Dear George, 3rd March

    Greetings to all at Oxford. Many thanks for your
    letter and for the Summer examination package.
    All Entry Forms and Fees Forms should be ready
    for final dispatch to the Syndicate by Friday
    20th or at the very least, I'm told, by the 21st.
    Admin has improved here, though there's room
    for improvement still; just give us all two or three
    more years and we'll really show you! Please
    don't let these wretched 16+ proposals destroy
    your basic O and A pattern. Certainly this
    sort of change, if implemented immediately,
    would bring chaos.

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.17)

    Codes

    Pre-arranged set of secret codes/meanings.

    BEST if used once only. Security weakens with each use if intercepted

    Only small set of pre-arranged messages. What if we wanted to communicate "Launch half the missiles" or "Disarm missiles"?

    EXAMPLE

    Mobius -> Launch missiles

    Zebra -> Don't Launch

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.18)

    One-time Pad

    Use a random key as long as the message. Must not reuse the key sequence ever again.

    Both parties must have key sequence

    Hotline between USA and USSR was rumoured to use a one-time pad.

    Destroy key sequence after use

    Advantages?

    Disadvantages?

    EXAMPLE

    Key is number of places to shift letter

    K 321424
    P launch
    C OCVREL

    Suggest a good 1-time pad function for binary data?

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.19)

    Substitution Ciphers

    Each letter (or group) is replaced by another letter (group)

    MONOALPHABETIC CIPHER
    Each character is replaced by a corresponding character

    CAESAR CIPHER
    Circularly shift each letter three positions along in the alphabet, e.g. zebra -> CHEUD

    ROT13
    Like Caesar but rotate 13 places. Used to hide offensive jokes, solutions to puzzles etc.

    BRUTE FORCE ATTACK

    CHEUD
    1 bgdtc
    2 afcsb
    3 zebra
    4 ydapz
    ...
    25 digve

    Algorithm known

    Only 25 keys

    What if Plaintext language is not easily recognisable?

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.20)

    Substitution Ciphers

    GENERAL MONOALPHABETIC CIPHERS
    Use a random mapping, e.g:

    abcedfghijklmnopqrstuvwxyz
    ESFNCRTBZLMVAYXUPKDJOWQGIH

    Increases number of keys to 26! > 4*10^26

    HOMOPHONIC CIPHERS
    Each character has several ciphertext mappings, as many as its relative frequency

    POLYGRAM CIPHERS
    Map groups of characters, e.g. aly -> RTQ

    POLYALPHABETIC CIPHERS
    Vary monoalphabetic cipher during ciphering/deciphering procedure

    ATTACKING GENERAL MONOALPHABETIC CIPHERS

    Consider nature of Plaintext, e.g. statistical properties.

    Frequency of letters
    e 12.75%
    t 9.25%
    r 8.50%
    n 7.75%

    Frequency of common words

    Repeating letters

    2-letter combinations (digrams): th, in, er, re, an

    3-letter combinations (trigrams): the, ing, and, ion
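The Caesar brute-force attack and the letter-frequency idea from the two Substitution Ciphers slides, combined in one added example (not from the original slides): every one of the 25 keys is tried and the candidates are ranked with the four letter frequencies quoted above. The sample ciphertext is constructed for this example, and scoring every other letter as 0 is a simplification.

```python
import string

# Letter frequencies (%) quoted on the slide; every other letter scores 0 here.
SLIDE_FREQ = {"e": 12.75, "t": 9.25, "r": 8.50, "n": 7.75}

def caesar_shift(text, shift):
    """Shift each letter `shift` places circularly; other characters are kept."""
    out = []
    for ch in text.lower():
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        else:
            out.append(ch)
    return "".join(out)

def score(text):
    """Sum of slide frequencies over the letters of a candidate plaintext."""
    return sum(SLIDE_FREQ.get(ch, 0.0) for ch in text)

def brute_force(ciphertext):
    """Try all 25 keys; return (key, candidate, score) tuples, best score first."""
    candidates = []
    for key in range(1, 26):
        plain = caesar_shift(ciphertext, -key)
        candidates.append((key, plain, score(plain)))
    return sorted(candidates, key=lambda c: c[2], reverse=True)

# Constructed sample: a short English sentence enciphered with the Caesar key 3.
SAMPLE_CIPHERTEXT = caesar_shift("meet me near the river entrance at ten", 3).upper()

if __name__ == "__main__":
    for key, plain, s in brute_force(SAMPLE_CIPHERTEXT)[:3]:
        print(key, plain, s)
    for key, plain, s in brute_force("CHEUD")[:3]:
        print(key, plain, s)
```

On the constructed sentence the true key 3 ranks first, but on the five-letter CHEUD this score puts key 16 ("mroen") above key 3 ("zebra"): very short ciphertexts still need a reader or a dictionary to pick the right candidate.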

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.21)

    Rotor Machine

    E.g. ENIGMA MACHINE. Polyalphabetic Cipher

    Several interconnected substitution rotating cylinders.

    Example:

    Input Rotor1 Rotor2 Rotor3 Output
    A     A->F   F->X   X->N   N
    Rotor 3 now shifts (its substitutions change)
    A     A->F   F->X   X->W   W
    Rotor 3 now shifts (its substitutions change)
    ...
    After 26 shifts by Rotor 3, it will be back to its original substitution. Rotor 2 now shifts.
    A     A->F   F->B   B->S   S

    With 3 rotors and 26 letters we have a period = 26^3 = 17,576 substitution alphabets
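A small rotor machine with the stepping described on this slide, added as an example (not from the original slides). The wirings are random permutations constructed from a seed, not Enigma's, and there is no reflector or plugboard; class and function names are hypothetical.

```python
import random
import string

A = string.ascii_uppercase

def make_rotors(seed, n=3):
    """Constructed wirings: each rotor is a random permutation of 0..25."""
    rng = random.Random(seed)
    return [rng.sample(range(26), 26) for _ in range(n)]

class RotorMachine:
    def __init__(self, wirings):
        self.wirings = wirings
        self.inverse = [[w.index(i) for i in range(26)] for w in wirings]
        self.offsets = [0] * len(wirings)

    def _step(self):
        # Odometer stepping: the last rotor shifts after every letter; when it
        # returns to its original position the rotor before it shifts once.
        for i in reversed(range(len(self.offsets))):
            self.offsets[i] = (self.offsets[i] + 1) % 26
            if self.offsets[i] != 0:
                break

    def encrypt(self, text):
        """Encrypt a string of letters A-Z, passing Rotor1 -> Rotor2 -> Rotor3."""
        out = []
        for ch in text:
            x = A.index(ch)
            for w, off in zip(self.wirings, self.offsets):
                x = (w[(x + off) % 26] - off) % 26
            out.append(A[x])
            self._step()
        return "".join(out)

    def decrypt(self, text):
        """Undo encrypt(): same start position, rotors traversed in reverse."""
        out = []
        for ch in text:
            x = A.index(ch)
            for inv, off in zip(reversed(self.inverse), reversed(self.offsets)):
                x = (inv[(x + off) % 26] - off) % 26
            out.append(A[x])
            self._step()
        return "".join(out)

def period(wirings):
    """Number of letters typed before the rotor positions repeat."""
    m = RotorMachine(wirings)
    start, n = list(m.offsets), 0
    while True:
        m._step()
        n += 1
        if m.offsets == start:
            return n

if __name__ == "__main__":
    rotors = make_rotors(seed=7)
    print(RotorMachine(rotors).encrypt("A" * 30))  # the same input letter keeps changing
    print(period(rotors))
```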

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.22)

    Transposition Ciphers

    Rearrange order of characters (permutation)

    SIMPLE COLUMNAR CIPHER
    Using a grid, write plaintext horizontally, read ciphertext vertically.

    P launchmissilesnow

    launch
    missil
    esnow

    C LMEAISUSNNSOCIWHL

    ATTACK ON COLUMNAR CIPHER
    Ciphertext has same letter frequencies as plaintext -> Easy

    MULTIPLE TRANSPOSITION CIPHERS
    Pass a plaintext through two or more transposition ciphers -> Much harder to attack.
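The slide's columnar example as an added, runnable sketch (not from the original slides): a grid 6 letters wide reproduces the ciphertext above, decryption handles the short last row, and a frequency check shows why the attack is easy. The function names and the second grid width used for the double transposition are choices made for this example.

```python
from collections import Counter

def columnar_encrypt(plaintext, width):
    """Write row by row into a grid `width` wide, read it column by column."""
    return "".join(plaintext[col::width] for col in range(width)).upper()

def columnar_decrypt(ciphertext, width):
    """Invert the grid; the first (len % width) columns are one letter longer."""
    rows, extra = divmod(len(ciphertext), width)
    columns, pos = [], 0
    for col in range(width):
        length = rows + (1 if col < extra else 0)
        columns.append(ciphertext[pos:pos + length])
        pos += length
    out = []
    for r in range(rows + 1):
        for col in columns:
            if r < len(col):          # skip the cells missing from a short last row
                out.append(col[r])
    return "".join(out).lower()

def same_letter_frequencies(plaintext, ciphertext):
    """Transposition only moves letters, so the letter counts are unchanged."""
    return Counter(plaintext.upper()) == Counter(ciphertext.upper())

def double_transposition(plaintext, width1, width2):
    """Pass the text through two columnar ciphers with different grid widths."""
    return columnar_encrypt(columnar_encrypt(plaintext, width1), width2)

if __name__ == "__main__":
    c = columnar_encrypt("launchmissilesnow", 6)
    print(c, columnar_decrypt(c, 6), same_letter_frequencies("launchmissilesnow", c))
    print(double_transposition("launchmissilesnow", 6, 4))
```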

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.23)

    Cryptanalysis

    CIPHERTEXT ONLY ATTACK: C known

    KNOWN PLAINTEXT ATTACK: P known, C known

    CHOSEN PLAINTEXT ATTACK: P chosen, C generated (by E)

    CHOSEN CIPHERTEXT ATTACK: C chosen, P generated (by D)

    Discover key, and/or plaintext if not known

    We assume algorithm is known (Kerckhoffs' principle)

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.24)

    Cryptanalysis

    EXAMPLES OF ATTACK

    Passive Attacks

    Active Attacks

    Brute Force

    Birthday

    Man-in-the-Middle

    Replay

    Cut & Paste

    Time Resetting

    Many more...

    PRACTICAL CRYPTANALYSIS
    Acquire a key by any means, e.g.

    Theft

    Bribery (Purchase-Key attack)

    Blackmail

    Torture

    Hypnosis

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.25)

    Cryptographic Strength

    UNCONDITIONALLY SECURE
    No matter how much ciphertext is available, it is still not enough to infer the plaintext (even with infinite computational power). Only ONE-TIME PADS with random keys are unconditionally secure. Known as PERFECT SECRECY for encryption systems.

    PROVABLY SECURE
    Cryptosystem shown to be as difficult to defeat as some supposedly difficult (number-theoretic) problem, e.g. factorisation of large primes. Has an equivalence proof.

    COMPUTATIONALLY INFEASIBLE (PRACTICALLY SECURE)
    Belief that cryptosystem cannot be broken with available resources; formalizations thereof exist already, e.g. secure for any adversary with computational power in randomized polynomial time

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.26)

    Cost & Timeliness

    COST TO BREAK > VALUE OF INFORMATION

    TIME TO BREAK > USEFUL LIFETIME OF INFORMATION

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.27)

    Reading

    Stallings. Chapter 2.

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.28)

    Cryptographic Design Vulnerabilities

    Bruce Schneier

    IEEE Computer, Sept 98, p29-33

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.29)

    Security, ha ha ha

    Lock with 4 pins, each with 10 positions

    Burglar may need to try 10,000 combinations to guarantee success (brute-force attack)

    What if 10 pins? -> 10 billion positions

    Great, but....

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.30)

    A burglar could....

    Smash the windows

    Kick in the doors

    Masquerade as a policeman

    Threaten owner with violence

    etc....

    Better locks can't help with these attacks

    Same is true for cryptography. Good/strong cryptography is important but not a panacea

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.31)

    Marketing hype

    128-bit keys mean strong security

    40-bit keys are weak

    triple-DES is much stronger than single DES

    Be wary of products making such statements/claims.

    Many products are buzzword-compliant, they use strong cryptography but aren't particularly secure

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.32)

    Attacks against Design

    Cryptosystems use algorithms for encryption, digital signatures, one-way hash functions, random-numbers etc.

    Break any one and you can usually break the whole system!

    Cryptographic functions often have very narrow usage

    It's very difficult to design a secure cryptosystem, even with good software engineers, e.g. Microsoft's Point-to-Point-Tunneling Protocol (PPTP) used an inappropriate mode for the RC4 encryption algorithm rendering it insecure

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.33)

    Attacks against Implementation

    Many cryptosystems fail because of mistakes in implementation, e.g. don't securely destroy unencrypted text after encryption, have code that allows buffer overflow, are poor at error checking and recovery.

    Trivial code-optimisations can break security

    Implementation trade-offs e.g. to enhance usability at the expense of security

    Systems that allow old keys to be recovered in an emergency

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.34)

    Attacks against Hardware

    Highly secure environments deploy tamper-resistant hardware, e.g. tokencards, smartcards

    Techniques/hardware to defeat them are also being developed, e.g. timing attack on RSA private keys measured relative times of cryptographic operations. Attacks that measure power consumption, radiation emissions, introduce faults and analyse effects

    Cost to Defeat Tamper Resistance >> Value of Data

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.35)

    Attacks against Trust Models

    Who or what in the system is trusted, in what way, and to what extent?

    Some commerce systems can be broken by a merchant and a customer colluding or two different customers colluding

    Many systems make poor assumptions, e.g. desktop is secure, network is secure, employees are trusted

    Design choices are sometimes ignored when it comes time to sell a product/system.

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.36)

    Attacks on Users

    Pass on password to colleagues

    Use same password on different systems

    Write random passwords on paper

    Don't report missing smartcard

    Don't change (weak) default settings

    Users need to be educated

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.37)

    Attacks against Failure Recovery

    Recovering the key for one file should not allow every file to be read

    Reverse-engineering one smart card should not reveal secret info in others

    Options which switch off security, or make it less secure

    Version rollback attack to insecure version

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.38)

    Attacks against Cryptography

    Proprietary algorithms/protocols -> invariably weak. Cryptanalysts are very good at breaking published algorithms, even better against proprietary ones!

    Keeping the algorithm secret doesn't make much difference against determined opponents, algorithms can be reverse-engineered

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.39)

    Conclusion

    A good security product must defend against every possible attack, even attacks that haven't been invented yet!

    Attackers often only need to find one flaw in order to defeat a system.

    In addition, they can collude & conspire.

    They can wait for technology to give them the edge.

    But don't worry - Cryptography is a lot of fun !!

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.40)

    Optional but Recommended Reading

    Links to these papers and documents are provided on the 430 course home page.

    PriceWaterHouseCoopers 2010 Survey on the Global State of Information Security

    Ciphertext-only Cryptanalysis of the Enigma, by James J. Gillogly

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.41)

    Notes on Tutorial for Classical Cryptography

    Michael Huth

    www.doc.ic.ac.uk/~mrh/430/

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.42)

    Why is Keyless Encryption bad?

    Every group has own algorithm

    Can't use off-the-shelf algorithm, no implementation choices

    Change group - change algorithm

    Key compromise - change algorithm

    Poor quality control - little or no peer review

    No standards

    Easy to reverse-engineer algorithm

    Kerckhoffs' principle - Assume algorithm is known. Secrecy should lie in keeping key secret.

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.43)

    What Encryption doesn't handle **

    Destructive Attacks, Replay attacks

    Unencrypted documents, e.g. before encryption or after decryption

    Modification of encryption program

    Lost or Stolen keys or passwords

    Traitors

    Interception incl. Traffic Analysis

    Successful cryptanalysis

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.44)

    Steganography

    The supply of game for London is going steadily
    up. Head keep Hudson, we believe, has been now
    told to receive all orders for fly paper and for
    preservations of your hen-pheasant's life.

    "The Gloria Scott", Arthur Conan Doyle.

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.45)

    DECRYPT

    C=E(P)=

    P=D(C)=

    BRUTE FORCE ATTACK
    Determine key for:

    E Q VWKXPEVXS

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.46)

    Freemason Cipher

    A B C J

    D E F K L

    G H I M

    N O P W

    Q R S X Y

    T U V Z

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.47)

    Decipher

    ? ? ? ?

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.48)

    SNPLTDFKAUOS

    Transposition Ciphers

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.49)

    End-to-End Encryption

    Ek DkP P

    Node1(Host)

    Node2 Node3 Node4(Host)

    C C

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.50)

    Link-to-Link Encryption

    Dk1 Ek2 Dk2 Ek3Ek1 Dk3P P

    Node1(Host)

    Node2 Node3 Node4(Host)

    C1 C2 C3

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.51)

    Link-to-Link vs End-to-End

    Link-to-Link

    Msg exposed in sending host & intermediate nodes

    Applied by sending host, host responsible for encryption

    Transparent to processes

    All messages usually encrypted

    Can be done in hardware

    Requires one key per link pair

    Provides host/node authentication

    More ciphertext

    Can hide more IP headers

    End-to-End

    Msg encrypted in sending host & receiving nodes

    Applied by sending process, process responsible for encryption

    Process applies encryption

    Process decides when to encrypt

    Usually done in software

    Requires one key per process pair

    Provides application/user authentication

    Traffic analysis easier

  • Network Security (N. Dulay & M.Huth)

    Classical Cryptography (2.52)

    P1 P3

    P2

    Link-to-Link & End-to-End Encryption

    N

    N

    N

    N

    Host Host

    Host

    End-to-End

    Link-to-Link

    Encryption/decryption devices