View
215
Download
0
Category
Preview:
Citation preview
CS 5950/6030 Network SecurityClass 9 (W, 9/21/05)
Leszek LilienDepartment of Computer Science
Western Michigan University
[Using some slides prepared by:Prof. Aaron Striegel — at U. of Notre Dame
Prof. Barbara Endicott-Popovsky and Prof. Deborah Frincke — at U. WashingtonProf. Jussipekka Leiwo — at Vrije Universiteit (Free U.), Amsterdam, The
Netherlands]
2
Review of Class 8
Class 8 started with
Correction of example from Class 7
(columnar transp. cipher as a block cipher)
3
Symmetric andAsymmetric Cryptosystems (2b)
Asymmetric encryption = public key encryption (PKE) KE ≠ KD — public and private keys
PKE systems eliminate symmetric encr. problems Need no secure key distribution channel
=> easy key distribution
4
2D. DES (Data Encryption Standard)
Outline
2D.1. Background and History of DES
2D.2. Overview of DES
2D.3. Double and Triple DES
2D.4. Security of DES
5
2E. The Clipper Story (1)
... Or: How not to set up a standard
A scenario Only a single electronic copy of a corporation’s
crucial (and sensitive) document To prevent espionage, strong encryption used to
protect that document Only CEO knows the key CEO gets hit by a truck Is the document lost forever?
Key escrow (a depository) facilitates recovery of the document if the key is lost
[cf. J. Leiwo]
6
2F. AES
... Or: How to set up a standard
AES = Advanced Encryption Standard
Outline2F.1. The AES Contest
2F.2. Overview of Rijndael
2F.3. Strength of AES
2F.4. Comparison of DES and AES
7
2F.1. The AES Contest (1)
1997 – NIST calls for proposals NIST Criteria:
Unclassifed code Publicly disclosed Royalty-free worldwide Symmetric block cipher for 128-bit blocks Usable with keys of 128, 192, and 256 bits
1998 – 15 algorithms selected
(Nat’l Institute of Standards and Technology)
8
Class 8 ended here
9
Section 2 – Class 9 2. Introduction to Cryptology
... 2C. Making „Good” Ciphers ...
2C.4. Symmetric and Asymm. Cryptosystems — PART 2
2D. The DES (Data Encryption Standard) Algorithm ... 2E. The Clipper Story
2F. The AES (Advanced Encryption Standard) Algorithm 2F.1. The AES Contest
2F.2. Overview of Rijndael 2F.3. Strength of AES 2F.4. Comparison of DES and AES 2H. The Uses of Encryption 2H.1. Cryptographic Hash Functions – PART1
Class8
Class9
10
2F.2. Overview of Rijndael/AES
Similar to DES – cyclic type of approach 128-bit blocks of P # of iterations based on key length
128-bit key => 9 “rounds” (called rounds, not cycles)
192-bit key => 11 rounds 256-bit key => 13 rounds
Basic ops for a round: Substitution – byte level (confusion) Shift row (transposition) – depends on key length
(diff.) Mix columns – LSH and XOR (confusion +diffusion) Add subkey – XOR used (confusion)
11
2F.3. Strengths of AES
Not much experience so far (since 2001)
But: Extensive cryptanalysis by US gov’t and
independent experts Dutch inventors have no ties to NSA or
other US gov’t bodies (less suspicion of trapdoor)
Solid math basis Despite seemingly simple steps within rounds
12
2F.4. Comparison of DES & AES (1)
DES AESDate 1976 1999Block size [bits] 64 128Key length [bits] 56 (effect.) 128, 192, 256, or
moreEncryption substitution, substitution, shift, bitPrimitives permutation mixingCryptographic confusion, confusion,Primitives diffusion diffusionDesign open openDesign closed openRationaleSelection secret secret, but acceptedprocess public commentsSource IBM, enhan- independent Dutch
ced by NSA cryptographers
13
Comparison of DES & AES (2)
Weaknesses in AES? 20+ yrs of experience with DES eliminated fears
of its weakness (intentional or not) Might be naïve…
Experts pored over AES for 2-year review period
14
Comparison of DES & AES (3)
Longevity of AES? DES is nearly 30 yrs old (1976)
DES-encrypted message can be cracked in days
Longevity of AES more difficult to answer Can extend key length to > 256 bits (DES: 56)
2 * key length => 4 * number of keys Can extend number of rounds (DES: 16)
Extensible AES seems to be significantly better than DES, but..
Human ingenuity is unpredicatble!=> Need to incessantly search for better and better
encryption algorithms
15
2G. Public Key Encryption (PKE)
Recall: Two main types of cryptosystems: Classical (= symmetric) Public key (= asymmetric)
Outline
2G.1. Motivation for PKE
2G.2. Characteristics of PKE
2G.3. RSA (Rivest-Shamir-Adelman) Encryption
16
2G.1. Motivation for PKE (1)
So far - cryptosystems with secret keys
Problems: A lot of keys
o(n2) keys for n users (n * (n-1) /2 keys)— if each must be able to communicate with each
Distributing so many keys securely Secure storage for the keys
User with n keys can’t just memorize them
Can have a system with significantly fewer keys?
Yes!
17
Motivation for PKE (2) 1976 — Diffie and Hellman — new kind of cryptosystem:
public key cryptosystem = asymmetric cryptosystem Key pairs: < kPRIVATE, kPUBLIC> Each user owns one private key Each user shares the corresponding public key with n-
1 remaining users => n users share each public key
Only 2n keys for n users 2n = n * (1 + n * 1/n) Forget the in-class „correction.” We go back to this original equation,
since public key is shared by n people: 1 „owner” + (n-1) others = n
Even if each communicates with each Reduction from o(n2) to o(n) ! n key pairs are:
<kPRIV-1, kPUB-1 >, <kPRIV-2, kPUB-2>, ..., <kPRIV-n, kPUB-n>
18
2G.2. Characteristics of PKE (1)
PKE requirements1. It must be computationally easy to encipher or
decipher a message given the appropriate key
2. It must be computationally infeasible to derive kPRIV from kPUB
3. It must be computationally infeasible to determine kPRIV from a chosen plaintext attack
[cf. Barbara Endicott-Popovsky, U. Washington]
19
Characteristics of PKE (2)
Key pair characteristics
One key is inverse of the other key of the pair i.e., it can undo encryption provided by the
other: D(kPRIV, E(kPUB, P)) = P D(kPUB, E(kPRIV, P)) = P
One of the keys can be public since each key does only half of E ”+” D
As shown above – need both E and D to get P back
20
Characteristics of PKE (3) Two E/D possibilities for key pair <kPRIV, kPUB >
P = D(kPRIV, E(kPUB, P)) User encrypts msg with kPUB (kPUB” ”locks”) Recipient decrypts msg with kPRIV (kPRIV ”unlocks”)
OR P = D(kPUB, E(kPRIV, P)) (e.g., in RSA)
User encrypts msg with kPRIV (kPRIV ”locks”) Recipient decrypts msg with key kPUB (kPUB
”unlocks”)
Do we still need symmetric encryption (SE) systems? Yes, PKEs are 10,000+ slower than SEs
PKEs use exponentiation – involves multiplication and division SEs use only bit operations (add, XOR< substitute, shift) – much
faster
21
2G.3. RSA Encryption (1)
RSA = Rivest, Shamir, and Adelman (MIT), 1978
Underlying hard problem: Number theory – determining prime factors of a
given (large) number (ex. factoring of small #: 5 5, 6 2 *3)
Arithmetic modulo n
How secure is RSA? So far remains secure (after all these years...) Will sb propose a quick algorithm to factor large
numbers? Will quantum computing break it? TBD
22
RSA Encryption (2)
In RSA:P = E (D(P)) = D(E(P)) (order of D/E does not matter) More precisely: P = E(kE, D(kD, P)) = D(kD, E(kE,
P))
Encryption: C = Pe mod n KE = e Given C, it is very difficult to find P without
knowing KD
Decryption: P = Cd mod n KD = d
23
2H. The Uses of Encryption
PKE is much slower than SE (symmetric E) PKEs only for specialized, infrequent tasks SEs – a real workhorse
Four applications of encryption (& outline) Cryptographic Hash Functions (subsec.
2H.1) Key Exchange (subsec. 2H.2) Digital Signatures (subsec. 2H.3) Certificates (subsec. 2H.4)
24
2H.1. Cryptographic Hash Functions (1)
Integrity: How can you be sure that a recived msg/doc was
not modified by an attacker or malfunction? Answer: use cryptography to ensure integrity
Idea: Wax seals on letters in Middle Ages
— easy to see if broken Cryptographic „seal” on doc/msg
— so that any change to it will be readily detected
25
Cryptographic Hash Fcns (2)
A technique:compute a hash fcn / checksum / msg digest
More formally: Problem: How to send n-bit msg so that R can
easily verify that it is intact
Solution: Send a msg of n+k bits n bits — original msg k bits — checksum = msg digest
Generated based on the n bits
26
Cryptographic Hash Fcns (3)
Simple Parity for Error Detection (1)
Simple (non-cryptographic) technique: parity Add a single parity bit to detect if a message is
correct Example 1: odd parity
Force the block of data to have an odd # of 1’s Data = 1011 — n = 4 Sent block = 10110 — n+k = 4+1
— looked at ‘1011’, added 0 to have odd # of 1’s Data = 0110 Sent block = 01101
— looked at ‘0110’, added 1 to have odd # of 1’s
Example 2: ASCII parity bit ASCII has 7 bits for data, 8th bit is single parity
bit Either odd or even parity used
[cf. A. Striegel, U. Notre Dame]
27
How parity enhances msg integrity? Can detect error in 1 bit (or in odd # of bits)
e,.g, if R gets 01001, R knows it’s wrong(S sent 01101)
Cannot detect error in 2 bits (or in even # of bits) Bec. parity stays OK -> undetectable integrity
violation e.g, if R gets 01011, R knows it’s wrong
(S sent 01101)
Cannot repair errors either E.g., R doesn’t know which bit in 01001 is wrong
[cf. A. Striegel, U. Notre Dame]
Cryptographic Hash Fcns (4)
Simple Parity for Error Detection (2)
28
Cryptographic Hash Fcns (5)
Better Checksums against Errors & Attacks
There are better checksums than simple odd/even parity Can detect multiple errors Can even repair multiple errors
These checksums are to fix errors, not deal with attacks
For attacks needcryptographic checksums / strong hash functions
29
Cryptographic Hash Fcns (6)
Strong Hash Function Formal definition:
strong hash function (cryptographic checksum) is h: A -> B such that:
1) For any x A, h(x) is easy to compute2) For any y B, it is computationally infeasible to
findinverse of y, i.e., x A such that h(x) = y
3) It is computationally infeasible to find a pair of colliding input values, i.e. x, x’ A such that x ≠ x’ and h(x) = h(x’)Alternate (stronger) form for (3):Given any x A, it is computationally infeasible to
findx’ A such that x ≠ x’ and h(x) = h(x’)
Due to (1) and (2), hash fcn is a one-way function[cf. A. Striegel, U. Notre Dame, Barbara Endicott-Popovsky, U. Washington]
30
Cryptographic Hash Fcns (7)
Collisions & Attacks on Msg Integrity (1)
Note: n bits of msg (x) mapped into k bits of its checksum
(y) k < n => collisions must exist But it is computationally infeasible to find collisions
for good hash fcns
Goal of a successful attack on msg integrity: Change msg1 in such a way that checksum remains
unchanged (so R doesn’t detect the forgery) I.e., find msg2 that collides with the original msg1
w.r.t. checksum value Finding msg2 is computationally infeasible (for good
hash)
=> forging msg1 undetectably is computationally infeasible
[cf. A. Striegel, U. Notre Dame]
31
Pigeonhole principle n containers for n+1 objects (n pigeonholes for n+1
pigeons)=> at least 1 container will hold two objects
Example: length(msg) = 5, length(hash)= 3 25=32 possible msgs vs. 23=8 possible hash values
=> at least 4 (= 32/8) different msgs hash into the same value (collisions!)
Real msgs and hash values are much longer than 5 or 3 bits!We know that collisions exist but:=> much tougher to find collisions=> much tougher to forge them
[cf. A. Striegel, U. Notre Dame]
Cryptographic Hash Fcns (8)
Collisions & Attacks on Msg Integrity (2)
32
Cryptographic Hash Fcns (9)
File Checksum File checksum
Calculated, a fcn defined on all bits of the file Result encrypted and stored with the file Each time file used by legitimate users,
checksum recalculated, encrypted, stored with the file
File sent to R When file received by R:
R decrypts checksum c1 received in the file R independently calculates file checksum c2 If c1 = c2 => file integrity is OK Otherwise – file integrity violated
33
End of Class 9
Recommended