Network Security Frank Yeong-Sung Lin Department of Information Management National Taiwan...

1

Network Security

Frank Yeong-Sung LinDepartment of Information Management

National Taiwan University

2

Network Security

• Secrecy: keep information unrevealed• Authentication: determine the identity of whom

you are talking to• Nonrepudiation: make sure that someone cannot

deny the things he/she had done• Integrity control: make sure the message you

received has not been modified

Network security can be roughly divided into 4 areas:

3

Network Security (cont’d)

• Physical layer: protect transmission link from wire tapping

• Data link layer: link encryption• Network layer: firewall, packet filter• Application layer: authentication, nonrepudiation,

integrity control, (and secrecy)

Network security functionality can be distributed across several protocol layers:

4

Traditional Cryptography

• The model depends on a stable public algorithm and a key• The work factor for breaking the system by exhaustive search of

the key space is exponential in the key length• Two categories: Substitution ciphers vs. transposition ciphers

EncryptionPlaintext P

DecryptionEK( P) DK( EK( P)) = P

Passive intruder (listens only)

Active intruder (alters message)

key K key K

5

Traditional Cryptography (cont’d)

• Simplified model of traditional cryptography

6

Traditional Cryptography (cont’d)

• Model of traditional cryptography

7

Substitution Cipher• Caesar cipher

– Every letter is shifted by k positions, e.g., k = 3 and “a” becomes “D”, b becomes “E”, …

• For example, “attack” becomes “DWDDFN”

• Monoalphabetic substitutionPlaintext: abcdefghijklmnopqrstuvwxyzciphertext: QWERTYUIOPASDFGHJKLZXCVBNM

– The key space is 26! 4x1026

– Still the cipher may be broken easily by taking advantage of the frequency statistics of English text (e.g., e, a, th, er, and, the appear very often)

8

Substitution Cipher (cont’d)

• Relative frequency of letters in English text

9

Transposition Ciphers

• Plaintext is written horizontally, while the ciphertext is read out by column, starting with the lowest key column

• To break the transposition cipher– guess a probable word or phrase (e.g., milliondollars)– try to determine the key length, then order the columns

M E G A B U C K7 4 5 1 2 8 3 6p l e a s e t ra n s f e r o ne m i l l i o nd o l l a r s to m y s w i s sb a n k a c c ou n t s i x t wo t w o a b c d

Plaintext

pleasetransferonemilliondollarsto myswissbankaccountsixtwotwo

Ciphertext

AFLLSKSOSELAWAIATOOSSCTCLNMOMANT ESILYNTWRNNTSOWDPAEDOBUOERIRICXB

10

Two Fundamental Cryptographic Principles

• First principle– All encrypted messages must contain redundancy to

prevent active intruders from tricking the receiver into acting on a false message

– However, the same redundancy makes it easier for passive intruders to break the system

• Second principle– Some measures must be taken to prevent active

intruders from playing old messages, e.g., use time stamp to

• filter out duplicate messages within a certain time• incoming messages that are too old are discarded

11

Secret-Key Algorithms• Consists of sequence of transpositions and

substitutions

Dec

oder

: 3 to

8

Enc

oder

: 8 to

3

P1

S1

S2

S3

S4

P2

S5

S6

S7

S8

P3

P-box(Permutation)

S-box (Substitution)

Product cipher

12

Data Encryption Standard (DES)

• Plaintext is encrypted in blocks of 64 bits• DES is basically a monoalphabetic substitution cipher

using a 64-bit character

Initial transposition

Iteration 1

Iteration 16

32 bit swap

Inverse transposition

56-b

it ke

y K1

K16

64 bit plaintext

64 bit ciphertext

Li-1 Ri-1

32 bits Li 32 bits Ri

Li-1 f(Ri-1, Ki)

13

DES Chaining• DES may be vulnerable to active intruders

LeslieKimberly

$0000010$0100000

Name Bonus

8 bytes 8 bytes

Intruder may copy the block to one row above

• DES chainingP0

E

C0

#

P1

E

C1

#

P2

E

C2

#

P3

E

C3

#IV

Key

P0

D

C0

#

P1

C1

P2

C2

P3

C3

D

#

D

#

D

#ExclusiveOR

14

Breaking DES

• Exhaustive search of key space = 256 7x1016

– can use multiple computers to do search in parallel• Running DES twice consecutively with two

different 56-bit keys creates a key space of 2112 5x1033

– but it still can be broken by the “meet-in-the-middle” attack in (257) time, because

Ci = EK2 (EK1 (Pi)) DK2(Ci) = EK1(Pi)

15

Triple DES Encryption

• Using EDE (2 encryption and 1 decryption) instead of EEE is for backward compatibility (when K1 = K2) with single-stage DES system

• Using EEE with 3 different keys is basically unbreakable nowadays

E D E

K1 K2 K1

P CD E D

K1 K2 K1

C P

Encryption Decryption

16

Public-Key Algorithms• Encryption (E) and Decryption (D) algorithms must meet the

following requirements– E and D are different– D(E(P)) = P– It is exceedingly difficult to deduce D from E

• Everyone has a pair of keys: public key (E) and private key (D)– Public key is made known to the world– Private key is to be kept private all the time

EB

DA

A

DB

EA

BEB(P1)

EA(P2)

P1 DB(EB(P1)) = P1

P2DA(EA(P2)) = P2

17

Principles of Public-Key Cryptosystems

18

Principles of Public-Key Cryptosystems (cont’d)

• Requirements for PKC– easy for B (receiver) to generate KUb and KRb

– easy for A (sender) to calculate C = EKUb(M)

– easy for B to calculate M = DKRb(C) = DKRb(EKUb(M))

– infeasible for an opponent to calculate KRb from KUb

– infeasible for an opponent to calculate M from C and KUb

– (useful but not necessary) M = DKRb(EKUb(M)) = EKUb(DKRb(M)) (true for RSA and good for authentication)

19


20


• The idea of PKC was first proposed by Diffie and Hellman in 1976.

• Two keys (public and private) are needed. • The difficulty of calculating f -1 is typically

facilitated by– factorization of large numbers– resolution of NP-completeness– calculation of discrete logarithms

• High complexity confines PKC to key management and signature applications

21


22


23


• Comparison between conventional and public-key encryption

Conventional Encryption Public-Key EncryptionNeeded to Work: Needed to Work:1. The same algorithm with the same key

is used for encryption and decryption.

2. The sender and receiver must share thealgorithm and the key.

1. One algorithm is used for encryptionand decryption with a pair of keys, onefor encryption and one for decryption.

2. The sender and receiver must each haveone of the matched pair of keys (not thesame one).

Needed for Security: Needed for Security:1. The key must be kept secret.

2. It must be impossible or at leastimpractical to decipher a message if noother information is available.

3. Knowledge of the algorithm plussamples of ciphertext must beinsufficient to determine the key.

1. One of the two keys must be keptsecret.

2. It must be impossible or at leastimpractical to decipher a message if noother information is available.

3. Knowledge of the algorithm plus oneof the keys plus samples of ciphertextmust be insufficient to determine theother key.

24


• Applications for PKC– encryption/decryption– digital signature– key exchange

Algorithm Encryption/Decryption Digital Signature Key ExchangeRSA Yes Yes Yes

Diffie-Hellman No No YesDSS No Yes No

25


26


27


28

RSA Algorithms• Developed by Rivest, Shamir, and Adleman at MIT in

1978• First compute the following parameters

– Choose two large primes, p and q (typically > 10100)– Compute n = pxq and z = (p-1)x(q-1)– Choose d, which is a number relatively prime to z– Find e such that (exd) mod z = 1

• Divide the plaintext into blocks of k bits, where 2k < n– To encrypt P, compute C = Pe mod n– To decrypt C, compute P = Cd mod n– Public key = (e, n), private key = (d, n)

29

The RSA Algorithm (cont’d)

• Format’s Little Theorem: If p is prime and a is a positive integer not divisible by p, then

a p-1 1 mod p. Example: a = 7, p = 19 72 = 49 11 mod 19 74 = 121 7 mod 19 78 = 49 11 mod 19 716 = 121 7 mod 19 a p-1 = 718 = 716+2 711 1 mod 19

30


31


32


• Example 1– Select two prime numbers, p = 7 and q = 17.– Calculate n = p q = 717 = 119.– Calculate Φ(n) = (p-1)(q-1) = 96.– Select e such that e is relatively prime to Φ(n) =

96 and less than Φ(n); in this case, e = 5.– Determine d such that d e = 1 mod 96 and d <

96.The correct value is d = 77, because 775 = 385 = 496+1.

33


•

34


• The security of RSA– brute force: This involves trying all possible private

keys.– mathematical attacks: There are several

approaches, all equivalent in effect to factoring the product of two primes.

– timing attacks: These depend on the running time of the decryption algorithm.

35


• To avoid brute force attacks, a large key space is required.

• To make n difficult to factor– p and q should differ in length by only a few digits

(both in the range of 1075 to 10100)– both (p-1) and (q-1) should contain a large prime

factor– gcd(p-1,q-1) should be small– should avoid e < n and d < n1/4

36


• To make n difficult to factor (cont’d)– p and q should best be strong primes, where p is a

strong prime if• there exist two large primes p1 and p2 such that p1|p-1 and

p2|p+1

• there exist four large primes r1, s1, r2 and s2 such that r1|p1-1, s1|p1+1, r2|p2-1 and s2|p2+1

– e should not be too small, e.g. for e = 3 and C = M3 mod n, if M3 < n then M can be easily calculated

37


38


• Major threats– the continuing increase in computing power (100

or even 1000 MIPS machines are easily available)– continuing refinement of factoring algorithms (from

QS to GNFS and to SNFS)

39


40


41

RSA Algorithms (cont’d)

• The security of RSA is based on the difficulty of factoring large numbers– It takes 4x109 years for factoring a 200-digit number– It takes 1025 years for factoring a 500-digit number

• RSA is too slow to actually encrypt large volumes of data, so it is primarily used for distributions of one-time session key for use with DES algorithms

42


43

Key Management

• The distribution of public keys– public announcement– publicly available directory– public-key authority– public-key certificates

• The use of public-key encryption to distribute secret keys– simple secret key distribution– secret key distribution with confidentiality and

authentication

44

Key Management (cont’d)

• Public announcement

45


• Public announcement (cont’d)– advantages: convenience– disadvantages: forgery of such a public

announcement by anyone

46


• Publicly available directory

47


• Publicly available directory (cont’d)– elements of the scheme

• {name, public key} entry for each participant in the directory• in-person or secure registration• on-demand entry update• periodic publication of the directory• availability of secure electronic access from the directory to

participants– advantages: greater degree of security

48


• Publicly available directory (cont’d)– disadvantages

• need of a trusted entity or organization• need of additional security mechanism from the directory

authority to participants• vulnerability of the private key of the directory authority

(global-scaled disaster if the private key of the directory authority is compromised)

• vulnerability of the directory records

49


• Public-key authority

50


• Public-key authority (cont’d)– stronger security for public-key distribution can be

achieved by providing tighter control over the distribution of public keys from the directory

– each participant can verify the identity of the authority– participants can verify identities of each other– disadvantages

• bottleneck effect of the public-key authority• vulnerability of the directory records

51


• Public-key certificates

52


• Public-key certificates (cont’d)– to use certificates that can be used by participants to

exchange keys without contacting a public-key authority– requirements on the scheme

• any participant can read a certificate to determine the name and public key of the certificate’s owner

• any participant can verify that the certificate originated from the certificate authority and is not counterfeit

• only the certificate authority can create & update certificates• any participant can verify the currency of the certificate

53


• Public-key certificates (cont’d)– advantages

• to use certificates that can be used by participants to exchange keys without contacting a public-key authority

• in a way that is as reliable as if the key were obtained directly from a public-key authority

• no on-line bottleneck effect– disadvantages: need of a certificate authority

54


• Simple secret key distribution

55


• Simple secret key distribution (cont’d)– advantages

• simplicity• no keys stored before and after the communication• security against eavesdropping

– disadvantages• lack of authentication mechanism between participants• vulnerability to an active attack (opponent active only in the

process of obtaining Ks)• leak of the secret key upon such active attacks

56


• Secret key distribution with confidentiality and authentication

57


• Secret key distribution with confidentiality and authentication (cont’d)– provides protection against both active and

passive attacks– ensures both confidentiality and authentication in

the exchange of a secret key– public keys should be obtained a priori– more complicated

58

Diffie-Hellman Key Exchange

• First public-key algorithm published• Limited to key exchange• Dependent for its effectiveness on the

difficulty of computing discrete logarithm

59

Diffie-Hellman Key Exchange (cont’d)

• Diffie-Hellman key exchange– n, g: large prime number with additional conditions

• n and g may be made public

– x, y: large (say, 512-bit) numbers

Alic

e Bo

b2

1

gy mod n

n, g, gx mod n Bob computes (gx mod n)y

= gxy mod nAlice computes (gy mod n)x

= gxy mod n

– gxy mod n = the secret key– it is very difficult to find x given gx mod n

60


• Define a primitive root of of a prime number p as one whose powers generate all the integers from 1 to p-1.

• If a is a primitive root of the prime number p, then the numbers

a mod p, a2 mod p, …, ap-1 mod p are distinct and consists of the integers from 1

to p-1 in some permutation.• Not every number has a primitive root.

61


• For any integer b and a primitive root a of prime number p, one can find a unique exponent i such that

b = ai mod p, where 0 i (p-1).• The exponent is referred to as the discrete

algorithm, or index, of b for the base a, mod p.• This value is denoted as inda,p(b).

62


63


• Example: q = 97 and a primitive root a = 5 is selected. XA = 36 and XB = 58 (both 97).

YA = 536 = 50 mod 97 and

YB = 558 = 44 mod 97.

K = (YB) XA mod 97 = 4436 mod 97 = 75 mod 97.

K = (YA) XB mod 97 = 5058 mod 97 = 75 mod 97.

75 cannot easily be computed by the opponent.

64


• How the algorithm works

qYK AXB mod)(

qq AB XX mod)mod(

qAB XX mod)(

qAB XX mod

qBA XX mod)(

qq BA XX mod)mod(

qY BXA mod)(

65


66


• q, a, YA and YB are public.• To attack the secrete key of user B, the opponent

must compute XB = inda,q(YB). [YB = aX

B mod q.]• The effectiveness of this algorithm therefore

depends on the difficulty of solving discrete logarithm.

67

Attack on Diffie-Hellman Key Exchange

• Bucket brigade attack

Alic

e Trud

y3

1

gz mod n

n, g, gx mod n

– (gxz mod n) becomes the secret key between Alice and Trudy, while (gyz mod n) becomes the secret key between Trudy and Bob

Bo

b

4

2

gy mod n

n, g, gz mod n

Alicepicks x

Trudypicks z

Bobpicks y

68

Authentication Protocols

• Authorization– verifies what a process is permitted to do

• Authentication– verifies the identity of the process that you are

talking to– public and private keys are used for

authentication, and for establishing the session key (a secret key)

– all data communicated is then encrypted using secret key cryptography

69

Authentication Based on a Shared Secret Key

• Challenge-response protocol

Alic

e Bo

b

K AB(RB)

RB

A

K AB(RA)

RA

5

4

3

2

1

Challenge

Response

Challenge

Response

K AB(KS)

6 Session key if needed

After step 3, Bob verifies Alice’s identity

After step 5, Alice verifies Bob’s identity

KAB = shared secret key between Alice and Bob

70

Authentication Based on a Shared Secret Key (cont’d)

• Can we reduce the number of messages exchanged, e.g.,

Alic

e Bo

b

K AB(RB)

R B, K AB(R A)

A, R A

3

2

1 Challenge

Response

Response/Challenge

– Only three, instead of five, messages are exchanged

71

Authentication Based on a Shared Secret Key (cont’d)

• The shortened protocol can be defeated by a reflection attackTr

udy B

ob

A, R B

R B, K AB(R T)

A, R T

K AB(RB)

5

4

3

2

1

First session

RB2, KAB(RB)Second session

First session

72

Authentication Using a Key Distribution Center

• Need a trusted Key Distribution Center (KDC)• Wide-mouth frog: simplest KDC authentication

protocol

Alic

e KD

C

1 A, KA(B, KS)

Bo

b

2 KB(A, KS)

• Replay attack– an intruder can just replay message 2 (and any following messages)

to Bob later, and Bob has no way to tell if it is a second connection from Alice

73

Authentication Using Public-Key• Assume both sides already know each other’s public keys

– This is not a trivial assumption as explained previously

Alic

e Bo

b

K s(RB)

E A(R A, R B, K S)

E B(A, R A)

3

2

1

Bob verified Alice’s identity

Alice verified Bob’s identity

74

Digital Signatures

• What is needed is a system by which one party can send a “signed” message to another party such that – The receiver can verify the claimed identity of the

sender– The sender cannot later repudiate the contents of

the message– The receiver cannot possibly have concocted the

message itself

75

Secret-Key Signatures

• Assumes a central authority, say Big Brother (BB), that knows everyone’s secret key

Alic

e B B

A, KA(B, RA, t, P)

Bo

bKB(A, RA, t, P, KBB(A, t, P))

• Bob has KBB(A, t, P), which is proof that Alice sent message P at time t

• To guard against replaying attack– A message is discarded if its timestamp is too old– For a recent message, it is discarded if RA is duplicate

76

Public-Key Signatures

• Assumes both D(E(P)) = P and E(D(P)) = P (RSA algorithm has such property)

Alice’sprivate key

DA

Bob’spublic key

EB

DA(P)P

Alice’s computer

Bob’sprivate key

DB

Alice’spublic key

EA

DA(P) P

• Bob has P and DA(P), which is proof that Alice sent P

EB(DA(P))

Bob’s computerTransmissionline

77

Message Digests

• It is often desirable to send signed plaintext documents because encrypting the complete document may take too much time

• Message Digest (MD): hash plaintext to a fixed-length bit string such that– Given P, it is easy to compute MD(P)– Given MD(P), it is effectively impossible to find P– No one can generate two messages that have the

same message digest

P MD(P)

m bits

78

Message Digests (cont’d)• Public-key message digest

Alic

e Bo

b

P, D A(MD(P))

• Most widely used message digest functions– MD5– SHA (Secure Hash Algorithm)

• An m-bit MD system may be possibly broken in (2m/2) time (referred as birthday attack in text)

Network Security Frank Yeong-Sung Lin Department of Information Management National Taiwan...

Documents

Transcript of Network Security Frank Yeong-Sung Lin Department of Information Management National Taiwan...