View
214
Download
0
Category
Tags:
Preview:
Citation preview
CPS110: Secure communication
Landon Cox
Physical reality
BobAlice
4 basic tools of the attacker: eavesdrop, modify, insert, deleteCorollary attacks: replay, identity spoofing, man-in-the-middle
Desired properties
1. Confidentiality Only receiver can understand message
2. Authentication Received message is from whom I expect
3. Freshness Replay effectiveness should be limited
4. No denial-of-service Attacker can’t deny me service indefinitely
Primary tool for providing these: encryption
Basic encryption
Encrypt(clear text, e-key) = cipher text
Decrypt(cipher text, d-key) = clear text
EncryptEncrypt
DecryptDecrypt
E
D
{msg}E
Basic encryption
Encrypt/decrypt are inverses Decrypt(encrypt(clear,e-key),d-
key)=clear Must have d-key to recover clear text Given arbitrary ‹clear, cipher› pairs
Shouldn’t be able to recover d-key Describe a bad encryption function
E.g. “add a number to each char”
Symmetric key encryption
Keys E-key = d-key (hence symmetric)
Sender and receiver know the key Nobody else knows it Sometimes called the “secret key”
Symmetric key algorithms are fast
E DS
Symmetric key encryption
Like having a box with a lock Only you and I have the key to the box
Let’s say that I put a thumb drive in the box Send the box to you via an untrusted carrier
When you open the box, what do you know?1.I put the message there (authentication)2.No one else read it (confidentiality)
Example
Say I’m sending grades to the registrar I send {“B”}s-key
Can someone modify the message? Yes, but they won’t know what the effect
is
Example
Say I’m sending grades to the registrar I send {“B”}s-key
How to detect a modification? Add a checksum to the message Random changes will invalidate the checksum Add known text to message Random changes will be wrong format
{“B,CS(B)”}s-key or {“grade is B”}s-key
Example
Say I’m sending grades to the registrar I send {“B”}s-key
This gives us authentication/confidentiality What is missing?
No denial-of-service How do I mount a denial-of-service attack?
Adversary removes all of my messages (no way to really stop this)
Example
Say I’m sending grades to the registrar I send {“B”}s-key
How to share s-key in the first place? I can’t send you the key without a private line!
Solution: use a trusted key server I don’t believe that you are who you say you
are I will trust a key server to tell me who you are
Symmetric key distribution
All hosts start sharing a key with key server
Key server then Sends out secret keys to communicate Vouches that only the right people have those
keys
SA SB
SA SB
server
Alice Bob
AB
ABAB{K-AB} K-SA
{K-AB}K-SB
Public key encryption
Keys E-key ≠ d-key Typically, encrypt() = decrypt () =
crypt ()E D
EncryptEncrypt DecryptDecryptCryptCrypt
Public key encryption
E
D
CryptCrypt
CryptCrypt
D
E
CryptCrypt
CryptCrypt
Public key encryption
Crypt(clear, e-key) = cipher1 Crypt(cipher1, d-key) = clear Crypt(clear, d-key) = cipher2 Crypt(cipher2, e-key) = clear Cipher1 ≠ cipher2
Public key encryption
One key is public (e.g. e-key) One key is private (e.g. d-key)1.The private key should be secret
Known only to the key-pair owner
2.The public key is known by all Published in some well-known place
3.Both keys must be hard to guess Even if you know other key, crypt(), many
encrypted pairs
Use 1: authentication
Can authenticate sender Send message {“from lpcox” {message}lpcox-
private} Anyone can read it Only lpcox could have sent it Anyone can verify by using lpcox-public
Why “from lpcox”? Need to know which public key to use Called a digital signature
Use 2: confidentiality
Send message to lpcox {message}lpcox-public
Anyone can send such a message Only lpcox can read it
Why? Everyone has access to lpcox-public Only lpcox can decrypt with lpcox-
private
Use 3: auth. and confident.
Send message {“from lpcox” {message}lpcox-private}chase-public
Only chase can read it Only lpcox can send it
Does the order of lpcox-private/chase-public matter? “from lpcox” { {message}chase-public }lpcox-private
Yes. Everyone could know lpcox sent the message. Though no one except chase could know the
message.
Use 3: auth. and confident.
Send message {“from lpcox” {message}lpcox-private}chase-public
Only chase can read it Only lpcox can send it
Another problem? “from lpcox” { {message}chase-public }lpcox-private
Attacker could pretend to have sent message Decrypt using lpcox-public Re-encrypt using villain-private
Public key encryption
Used a lot in practice SSL (secure socket layer, used in
https) Ssh (secure shell) Pgp (pretty-good-privacy secure
email) Not without its problems though
Problems with public key crypto
Public key algorithms are slow How do we get around this?
Use pub keys to establish symmetric keys
aka Short-lived “session keys” Encryption with session key is fast
SSL and ssh use session keys
Problems with public key crypto
What if I have to change my public key? Must notify everyone with old key
With symmetric key server Only have to notify server that K-AS changed
Why is this? All pair-wise communication starts at
server
Problems with public key crypto
What if I have to change my public key? Must notify everyone with old key
With symmetric key server Only have to notify server that K-AS changed
Partial solution Keys expire after a certain amount of
time E.g. really old Netscape binaries
Problems with public key crypto
How to trust authenticity of public keys? Say A wants to talk to B using public key crypto
A’s real public key is A-public B’s real public key is B-public Villain has two public keys: V-public1 and V-
public2
What if villain Convinces A that B’s public key is V-public1 and Convinces B that A’s public key is V-public2
Problems with public key crypto
How to trust authenticity of public keys?
{“from Alice” {message}Alice-
private}Bob-public
{“from Bob” {message}Bob-private}Alice-
public
Problems with public key crypto
How to trust authenticity of public keys?
{“from Alice” {message}Alice-
private}V-public1
{“from Alice” {message2}V-
private2}Bob-public
V can recover “message.”Why?
Why does Bob believe that Alice said “message2?”
Called the “man-in-the-middle” attack.
Authenticating public keys
PGP Verify “fingerprint“ of public key Use telephone or trusted web
server (something “out-of-band”)
SSL Telephone isn’t scalable
Authenticating SSL public keys
I want to send my CCN to e-trade No one but e-trade should see my
message E-trade wants to know it’s really me
Step 1: authenticate e-trade to you Step 2: authenticate you to e-trade
Step 1: authenticating e-trade
E-trade has a public key How do you learn this public key?
Web solution: someone else vouches for key
Often called a certification authority E.g. verisign
E-trade sends you their public key Public key is digitally signed by verisign{“e-trade’s public key is Etrade-public”}verisign-private
Step 1: authenticating e-trade
E-trade has a public key
Decrypt using verisign’s public key I see that verisign vouches for Etrade-
public
Once talking to e-trade Establish session key
{“e-trade’s public key is Etrade-public”}verisign-private
{“use session key K-sec”}Etrade-public
Step 1: authenticating e-trade
Once talking to e-trade, establish session key
Any problems with this? How do you know verisign’s public key? Hard-coded into Firefox/IE binary
How to trust Firefox binary? Arrives in sealed CD package or pre-installed Could download from the Internet
Why trust this? At some point you have to trust something
Step 2: authenticate you to e-trade
E-trade must know it is talking to you Use a password
Can be sent using session key from step 1 Only e-trade can see password
E-trade knows message came from session key sender
E-trade decrypts to check password
{“user lpcox, password pass”}K-sec
Replay attack
{“charge $100 to credit card”}AET-secret
{“charge $100 to credit card”}AET-secret
Alice’s balance = $100
{“charge $100 to credit card”}AET-secret
Alice’s balance = $200
Attacker doesn’t even have to know
any secret keys!
Replay attack
How to defend against? Use a unique identifier for each request ID ensures message is fresh Called a “nonce“
Client Picks a new nonce for each request
Server Remembers which nonces have been used Refuses to do anything with re-used nonces
Client and server maintain state about previous requests
Recommended