CS 336/536 Computer Network Security


1

Welcome to CS 336/536 Computer Network Security

Please report to the professor.

“This book focuses on internet security, which consists of measures to deter, prevent, detect, and correct security violations that involve transmission of information.”

2

Confidentiality

(Data) Integrity

Authentication (of participants)

Non-repudiation

?

Examples of Security Violations (page 3)

What services do we need to compensate?

3

1.1 Computer Security Concepts

4

Omit Section 1.2 OSI Security Architecture

The Challenge of Computer Security (page 7):

1. Solutions are not as simple as one-word labels suggest!

2. One must always consider potential attacks on security features.

3. Procedures used to provide particular services are often counterintuitive.

4. Having designed security mechanisms, where to use them?

5. Mechanisms require not only an algorithm, but also secret information.

5

1.3 Security Attacks

Passive attacks:

Reveals what Bob is saying to Alice

An MIT Technology Report in 1979 used “Alice” and “Bob.” It became a tradition.

6

Reveals the fact that Bob is talking to Alice

Passive attacks very difficult to detect – focus on prevention

7

Active attacks:

8

9

10

Active attacks difficult to prevent – focus on detection and recovery (opposite of passive attacks).

11

How does Darth do some of these active attacks?

12

IP source address spoofing – easy to do

13

Simple replay will not work with TCP

14

Relatively hard to do in TCP

15

TCP connection hijacking

16

“SYN FLOODING” – easy to do in TCP

17

1.4 Security Services

► Authentication (of participants)

► Access Control

► Data confidentiality

► Data integrity

► Non-repudiation

► Availability service

Footnote page 14: “There is no universal agreement about many of the terms used in the security literature.”

18

1.4 Security Services – continued

► Authentication

This service assures the recipient that the message is from the source that it claims to be from.

“Authentication of Participants”

Watch for “man in the middle”

► Access Control

This could be included under “Authentication of Participants”

19

1.4 Security Services – continued

► Data Confidentiality

Protection of transmitted data from “eavesdropping”

Expanded requirement: “traffic analysis”

Attacker must not be able to observe source, destination, frequency, length of message stream

20

1.4 Security Services – continued

► Data Integrity

Connectionless:

Protects individual messages against tampering

Connection-Oriented:

Protects a stream of messages against modification (duplication, deletion, insertion, modification, reordering)

21

1.4 Security Services – continued

► Non-Repudiation

not really an attack, but a desirable service

► Availability Service

defense against denial-of-service attacks

Omit section 1.5

22

1.6 A Model for Network Security

Figure 1.4 Model for Network Security

Alice Bob

Darth

23

“All the techniques for providing security have two components:

► a security-related transformation on the information to be sent;

► some secret information shared by the two principals.

Footnote page 19: In public-key cryptography only one of the two principals has the secret information

A trusted third party may be needed to make secret sharing possible.

24

“Four basic tasks in designing a particular security service”

1. Algorithm for performing the security-related transformation

2. Generate secret to be used with #1

3. Method of distributing #2 between principals

4. Protocol to be used by the principals

(protocol uses #1 and #2)

25

Some threats do not fit into figure 1.4 – protection against “unwanted access.”

► viruses and worms

► unauthorized use of equipment

Figure 1.5 Network Access Security Model

We will not get into this in this course – our interest is in figure 1.4

26

Omit section 1.7

End of Chapter 1

27

Part One – CRYPTOGRAPHY

Chapter 2 – Symmetric Encryption and Message Confidentiality

2.1 Symmetric Encryption Principles

“Symmetric encryption, also referred to as conventional encryption, secret-key, or single-key encryption, was the only type of encryption in use prior to the development of public-key encryption in the late 1970s. It remains by far the most widely used of the two types of encryption.”

28

Recall Fig 1.4:

Alice Bob

Darth

29

1. Plaintext

2. Encryption algorithm

3. Secret key

4. ciphertext

5. Decryption algorithm (secret key)

Fig 2.1

“Five Ingredients”

30

Obviously, the encryption and decryption algorithms are inverse functions:

C = E_K(P)

P = D_K(C)

P = D_K[E_K(P)]

The decryption algorithm is often the encryption algorithm “run in reverse” (not true for the Advanced Encryption Standard)

31

Two requirements for secure use of symmetric encryption:

1. Strong encryption algorithm

opponent who knows algorithm and has ciphertext (only) must be unable to recover plaintext

extension: even if opponent has samples of plaintext, unable to recover further plaintext

2. Key

Sender and receiver must have obtained copies of the secret key, and must keep it secret

THE ALGORITHM IS NOT SECRET !!!

32

Cryptography

Three independent dimensions:

1. type of operation

* substitution

* transposition

(all operations must be reversible!)

2. number of keys used

* 1 for "symmetric" cryptography

* 2 for "public-key" cryptography

3. way in which plaintext is processed

* block ciphers (processed one block at a time)

* stream ciphers (can be decrypted while being received)

Combinations used

33

Transposition cipher:

pad

key

Substitution cipher – replace letter with next letter in alphabet (Caesar).

34

Cryptanalysis

“The process of attempting to discover the plaintext or key is known as cryptanalysis.”

35

Types of attack on encrypted messages (continued):

Ciphertext only:

- only ciphertext and algorithm known

- exhaustive search of all possible keys (“brute force”)

How do you know when you’ve won?

36

Types of attack on encrypted messages (continued):

E-mail headers:

Hitler’s Birthday!

“Partially-known plaintext”

37

RSA challenges – known plaintext

With known plaintext, you know when you’ve won!

In 1999 a 56-bit key was cracked in 22 hours by EFF machine

38

Types of attack on encrypted messages (continued):

During WEP authentication in wireless networks the access point sends to the station a message;

The station encrypts the message and returns it to the access point;

Both unencrypted and encrypted forms are easily visible.

39

Types of attack on encrypted messages (continued):

Consider a wireless LAN, connected to the Internet and an attacker who can eavesdrop on the traffic within the LAN and who has access to an outside computer.

Attacker can send chosen message from outside machine to inside machine, and observe encrypted form on the wireless link.

Both unencrypted and encrypted forms are available to the attacker.

40

Boolean Logic

OR (“inclusive OR”)

A  B  A OR B
0  0  0
0  1  1
1  0  1
1  1  1

XOR (“exclusive OR”)

A  B  A XOR B
0  0  0
0  1  1
1  0  1
1  1  0

41

Boolean Logic

XOR (“exclusive OR”)

A  B  A XOR B
0  0  0
0  1  1
1  0  1
1  1  0

Arithmetic ADD

A  B  A + B  carry
0  0  0      0
0  1  1      0
1  0  1      0
1  1  0      1

42

Feistel Cipher Structure


43

Feistel Parameters:

Block size (2w)

Size of key K

Number of rounds (n)

Subkey generation algorithm (K1, etc.)

Round function (F)

Decryption: run in “reverse”

Insert ciphertext at top, use nth subkey in first round.

44

“Two other considerations in the design of a symmetric block cipher:”

► Fast software encryption/decryption

► Ease of analysis ( ! )

2.2 Symmetric Block Encryption Algorithms

Data Encryption Standard

45

Block size: 64 bits

Key length: 56 bits

Number of rounds: 16

Sixteen subkeys generated from original key.

Decryption: run in “reverse” – insert ciphertext at top, use sixteenth subkey in first round.

Data Encryption Standard (DES/DEA) is a minor variation on the Feistel structure.

46

Strength & Weakness of Data Encryption Standard

Strength: has been exhaustively studied – no known “holes”

Weakness: 56-bit key length too short

(in 1999 was cracked in 22 hours by EFF machine)

In ciphertext-only situation, exhaustive key search is the only way – but how do you know when you’ve won?

47

Triple DES

If 56-bit key is too short, but DES is a “solid” algorithm, just apply it two or three times with different keys!

48

“There is no cryptographic significance to the use of decryption in the second stage” – gives compatibility with single-stage implementations.

Effective key length is 168 bits

“It is easy to see that 3DES is a formidable algorithm”

49

However, 3DES is not a reasonable candidate for long-term use.

The algorithm is relatively sluggish in software – the original DES was designed for mid-1970s hardware implementation.

The 64-bit block length is too short – larger block lengths give better efficiency and security.

On page 38, the heading “Advanced Encryption Standard” belongs 1/2 way down page.

50

Advanced Encryption Standard

History

In 1997 NIST issued a call for proposals for a new Advanced Encryption Standard (AES), which should have a security strength the same as, or better than, 3DES and significantly improved efficiency.

The new AES is not a Feistel structure! Encryption and Decryption algorithms are different.

After extensive consideration of proposals, in 2001 the algorithm by Joan Daemen and Vincent Rijmen was chosen – known as “Rijndael.”

Parameters:

block length: 128 bits

key length: 128, 192, or 256 bits (focus on 128)

rounds: 10

stages: 4

The 128-bit key and the 128-bit blocks are expressed as 4-byte x 4-byte matrices, processed by column.

51

Original key

W ( 0 – 3 )

Expanded key

W ( 4 – 43 )

Enough for 10 rounds.

There is an algorithm for expanding the key.

52

During execution of the algorithm work is done in the “state array.”

Input / State array / Output

53

AES preliminary (“round zero”)

Loads state array

54

“Round zero”

10 rounds: all except the last have four phases

55

56

Phase 1: substitute bytes

State(t) State(t+1)

57

58

Phase 2: shift rows

Row 0: unchanged

Row 1: rotate left 1 byte

Row 2: rotate left 2 bytes

Row 3: rotate left 3 bytes

I call this “rotate,” not “shift.” You may see the term “circular shift.”

59

Phase 3: mix columns

60

Phase 3 - “Mix columns” is matrix multiplication for byte data elements

61

Phase 4 – “Add round key” is actually XOR

Phase 4 is the only phase that involves the key

62

Decryption is not just encryption “run backwards” (as Feistel) – the functions are different (except XOR)

XOR is its own inverse:

Data: 1 1 0 0
Key:  0 1 1 0
XOR:  1 0 1 0
Key:  0 1 1 0
Data: 1 1 0 0

63

Row 0: unchanged

Row 1: rotate right 1 byte

…. etc.

64

Inverse sub bytes:

65

Multiplication by inverse matrix:

66

67

68

2.3 Random and Pseudorandom Numbers

In the field of security we often need to be able to generate random numbers for use as secrets.

Examples:

► encryption/decryption keys (this chapter)

► message integrity code keys (chapter 3)

Stallings: “ …two distinct and not necessarily compatible requirements for a sequence of random numbers”

► uniform distribution – easy to check

► independence/unpredictability – difficult to check

In a true random number sequence it is impossible to predict future elements of the sequence on the basis of earlier elements.

69

Generation of a Sequence of True Random Numbers

This is difficult to do entirely within a computer – so combine inside and outside activity

► disk electrical activity

► instantaneous values of low-order bits of system clock

► random typing by user –

include both character struck and timing

► mouse movements

Use some combination of these and convert to binary string

70

Generation of PseudoRandom Numbers

It’s clearly more convenient to use an algorithm to generate the random material needed.

But algorithms are deterministic – for the same input they produce the same output

Hence we need a random and unpredictable seed to get different outputs

Circular argument!

In practice PRNGs are usually “good enough.”

Feed back output to further randomize the input.

71

Stallings distinguishes between:

► Pseudorandom number generator - produces open-ended sequence of bits (use in stream ciphers)

► Pseudorandom function - produces string of bits of fixed length (use in block ciphers)

Figure 2.7 (b) and (c)

72

PRNG Algorithm Design

Stallings suggests two categories:

► Purpose-built algorithms – developed specifically to produce a pseudorandom bit stream (example: RC4, described in next section)

► Secondary use of existing encryption algorithms – encryption itself must produce random-looking ciphertext, so this can be put to use encrypting a seed.

These approaches can yield a cryptographically-strong PRNG

73

2.4 Stream Ciphers and RC4

Block ciphers process text one block at a time

Stream ciphers process text one byte at a time

Advantages of stream ciphers:

encryption and decryption can start when first byte received.

no padding of last (incomplete) block

faster than block ciphers

Disadvantage: not as secure as block ciphers

vulnerable to alteration of content

74

Figure 2.8 Stream Cipher Diagram

Stream cipher operation

Given the key, a key-stream is generated as long as the plaintext.

75

Stream cipher operation – contd.

For each byte, encryption consists of forming the bit-by-bit XOR of the key-stream byte with the plaintext byte:

    plaintext       1 1 0 0 1 1 0 0
    XOR key-stream  0 1 1 0 1 1 0 0
    = ciphertext    1 0 1 0 0 0 0 0

Decryption consists of forming the XOR of the ciphertext byte with the key-stream byte:

    ciphertext      1 0 1 0 0 0 0 0
    XOR key-stream  0 1 1 0 1 1 0 0
    = plaintext     1 1 0 0 1 1 0 0

The XOR function is its own inverse

76

Design considerations for a stream cipher:

1. The key-stream is generated from the key by a pseudo-random number generator, so the key-stream will ultimately repeat; the period should be as long as possible.

2. The key-stream should approximate the properties of a true random number as closely as possible.

3. The key should be as long as possible (often 128 or 256 bits)

Caution: if two plaintexts are encrypted with the same key-stream, the XOR of the two ciphertexts gives the XOR of the two plaintexts (“factoring out the key-stream”). This is a great help in cryptanalysis.

“One-time pad” uses the key-stream just once!

It must be as long as the message.

77

Alteration of message:

Undetectable change in message!


78

Encryption with RC4 stream cipher

    plaintext   0 1 1 0 1 1 1 1 1 0 1 1 0 0 1 1
    keystream   1 0 1 1 0 0 0 1 1 0 1 0 0 1 1 0
    ciphertext  1 1 0 1 1 1 1 0 0 0 0 1 0 1 0 1

Detection of the keystream

C XOR P = (K XOR P) XOR P = K

    plaintext   0 1 1 0 1 1 1 1 1 0 1 1 0 0 1 1
    ciphertext  1 1 0 1 1 1 1 0 0 0 0 1 0 1 0 1
    keystream   1 0 1 1 0 0 0 1 1 0 1 0 0 1 1 0

Conclusion: If you can see the plaintext and the ciphertext of the same message, you can easily compute the keystream.

This is the keystream, not the key itself.

79

The RC4 Algorithm

Key is 8 to 2048 bits (1 to 256 bytes).

RC4 uses 256-byte vectors S and T

Initialization of S and T

Initially the entries in S are set equal to the values from 0 to 255 in ascending order; the key is copied into T (if key is shorter than 256 bytes, copy several times)

    for i = 0 to 255 do
        S[i] = i;
        T[i] = K[i mod keylen];

80

Initial permutation of S:

Work incrementally through S, swapping each successive byte with a byte dictated by T:

    j = 0;
    for i = 0 to 255 do
        j = (j + S[i] + T[i]) mod 256;
        swap S[i], S[j];

After this we have no more use for T (contains the key)

81

Stream Generation:

Copy specific bytes of S into the keystream K (K is the next byte of the keystream):

    i, j = 0;
    while (true)
        i = (i + 1) mod 256;
        j = (j + S[i]) mod 256;
        swap(S[i], S[j]);
        t = (S[i] + S[j]) mod 256;
        K = S[t];

Encryption: XOR K with next byte of plaintext.

Decryption: XOR K with next byte of ciphertext.

RSA recommends discarding the first 256 bytes of the generated key-stream.
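Added example (Python, not from the slides or the textbook): the RC4 steps above as runnable code, used to check the three keystream properties stated on the preceding slides: known plaintext exposes the keystream, reusing a keystream exposes the XOR of the plaintexts, and a ciphertext change goes undetected by the cipher. The key, messages and helper names are constructed for illustration.

```python
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def rc4_keystream(key, n, drop=0):
    # Initialization of S and T, then the initial permutation of S
    S = list(range(256))
    T = [key[i % len(key)] for i in range(256)]
    j = 0
    for i in range(256):
        j = (j + S[i] + T[i]) % 256
        S[i], S[j] = S[j], S[i]
    # Stream generation; 'drop' discards leading bytes (256 per the slide's advice)
    i = j = 0
    out = bytearray()
    for _ in range(drop + n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out[drop:])

def rc4(key, data, drop=0):
    # Encryption and decryption are the same XOR with the keystream
    return xor(data, rc4_keystream(key, len(data), drop))

def recover_keystream(plaintext, ciphertext):
    # C XOR P = (K XOR P) XOR P = K: yields keystream bytes, not the key
    return xor(plaintext, ciphertext)

def recover_second_plaintext(c1, c2, known_p1):
    # Same keystream used twice: C1 XOR C2 = P1 XOR P2, so knowing P1 gives P2
    return xor(xor(c1, c2), known_p1)

def alter(ciphertext, offset, old, new):
    # XOR-ing a difference into the ciphertext XORs it into the plaintext;
    # nothing in the stream cipher itself notices the change
    delta = xor(old, new)
    patched = xor(ciphertext[offset:offset + len(delta)], delta)
    return ciphertext[:offset] + patched + ciphertext[offset + len(delta):]

if __name__ == "__main__":
    key = b"constructed key"                      # constructed sample values
    p1, p2 = b"MEET AT NOON", b"PAY BOB $100"
    c1, c2 = rc4(key, p1), rc4(key, p2)           # keystream reused for both
    print(recover_keystream(p1, c1) == rc4_keystream(key, len(p1)))
    print(recover_second_plaintext(c1, c2, p1))
    print(rc4(key, alter(c2, 9, b"1", b"9")))
```

Detecting the altered message requires a separate integrity check, which XOR with a keystream does not supply.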

82


Figure 2.9 RC4

83

2.5 Block Cipher Modes of Operation

84

ECB:

85

Problems with using ECB:

► duplication in plaintext produces duplication in ciphertext, which makes cryptanalysis easier.

(basically, it’s just a monoalphabetic substitution)

► consequence: vulnerable to “cut and paste” attack (next slide)

86

ECB is vulnerable to a “cut-and-paste” attack:

$ 1 0 0 , 0 0 0

87

88

Cipher Block Chaining (CBC)

Before encryption of a plaintext block,

XOR it with the previous ciphertext block.

After decryption of a ciphertext block,

XOR the result with the previous ciphertext block.

Since XOR is its own inverse, this recovers the original plaintext block.

For first block, need an Initialization Vector.

(IV is part of secret – can be sent first using ECB)

89

Figure 2.10 Cipher Block Chaining (CBC) Mode

90

Alternative description of CBC, from Smith’s book:

Repeat of the same plaintext does not give same ciphertext

91

92

repeat

CBC

CFB

CFB: like stream cipher with constantly changing key

93

Figure 2.11 Cipher Feedback Mode

94

Figure 2.12 Counter (CTR) Mode

Counter Mode: counter initialized to random value, then incremented by 1 for each block

95

Properties of Counter Mode

► Opportunity for parallel processing of blocks

► Pre-computation of the key stream

► Can select any block of plaintext to be encrypted or decrypted

► As secure as CBC or CFB

► Simplicity – No separate decryption algorithm (XOR its own inverse)

► Like stream cipher with constantly-changing key

96

End Chapter 2
