1
Welcome to CS 336/536 Computer Network Security
Please report to the professor.
“This book focuses on internet security, which consists of measures to deter, prevent, detect, and correct security violations that involve transmission of information.”
2
Examples of Security Violations (page 3)
What services do we need to compensate?
Confidentiality
(Data) Integrity
Authentication (of participants)
Non-repudiation
?
3
1.1 Computer Security Concepts
4
Omit Section 1.2 OSI Security Architecture
The Challenge of Computer Security (page 7):
1. Solutions not as simple as one-word labels suggest!
2. One must always consider potential attacks on security features.
3. Procedures used to provide particular services are often counterintuitive.
4. Having designed security mechanisms, where to use them?
5. Mechanisms require not only an algorithm, but also secret information.
5
1.3 Security Attacks
passive attacks:
Reveals what Bob is saying to Alice
An MIT Technology Report in 1979 used “Alice” and “Bob.” It became a tradition.
6
Reveals the fact that Bob is talking to Alice
Passive attacks very difficult to detect – focus on prevention
7
Active attacks:
8
9
10
Active attacks difficult to prevent – focus on detection and recovery
(opposite of passive attacks).
11
How does Darth do some of these active attacks?
12
IP source address spoofing – easy to do
13
Simple replay will not work with TCP
14
Relatively hard to do in TCP
15
TCP connection hijacking
16
“SYN FLOODING” – easy to do in TCP
17
1.4 Security Services
► Authentication (of participants)
► Access Control
► Data confidentiality
► Data integrity
► Non-repudiation
► Availability service
Footnote page 14: “There is no universal agreement about many of the terms used in the security literature.”
18
1.4 Security Services – continued
► Authentication
This service assures the recipient that the message is from the source that it claims to be from.
“Authentication of Participants”
Watch for “man in the middle”
► Access Control
This could be included under “Authentication of Participants”
19
1.4 Security Services – continued
► Data Confidentiality
Protection of transmitted data from “eavesdropping”
Expanded requirement: “traffic analysis”
Attacker must not be able to observe source, destination, frequency, length of message stream
20
1.4 Security Services – continued
► Data Integrity
Connectionless:
Protects individual messages against tampering
Connection-Oriented:
Protects a stream of messages against modification (duplication, deletion, insertion, modification, reordering)
21
1.4 Security Services – continued
► Non-Repudiation
not really an attack, but a desirable service
► Availability Service
defense against denial-of-service attacks
Omit section 1.5
22
1.6 A Model for Network Security
Figure 1.4 Model for Network Security (figure labels: Alice, Bob, Darth)
23
“All the techniques for providing security have two components:
► a security-related transformation on the information to be sent;
► some secret information shared by the two principals.”
Footnote page 19: In public-key cryptography only one of the two principals has the secret information.
A trusted third party may be needed to make secret sharing possible.
24
“Four basic tasks in designing a particular security service”
1. Algorithm for performing the security-related transformation
2. Generate secret to be used with #1
3. Method of distributing #2 between principals
4. Protocol to be used by the principals
(protocol uses #1 and #2)
25
some threats do not fit into figure 1.4 –
protection against “unwanted access.”
► viruses and worms
► unauthorized use of equipment
Figure 1.5 Network Access Security Model
We will not get into this in this course – our interest is in figure 1.4
26
Omit section 1.7
End of Chapter 1
27
Part One – CRYPTOGRAPHY
Chapter 2 – Symmetric Encryption and Message Confidentiality
2.1 Symmetric Encryption Principles
“Symmetric encryption, also referred to as conventional encryption, secret-key, or single-key encryption, was the only type of encryption in use prior to the development of public-key encryption in the late 1970s. It remains by far the most widely used of the two types of encryption.”
28
Recall Fig 1.4 (figure labels: Alice, Bob, Darth)
29
“Five Ingredients” (Fig 2.1)
1. Plaintext
2. Encryption algorithm
3. Secret key
4. Ciphertext
5. Decryption algorithm (secret key)
30
Obviously, the encryption and decryption algorithms are inverse functions:
$C = E_K(P)$    $P = D_K(C)$
$P = D_K[E_K(P)]$
The decryption algorithm is often the encryption algorithm “run in reverse” (not true for the Advanced Encryption Standard)
31
Two requirements for secure use of symmetric encryption:
1. Strong encryption algorithm
opponent who knows algorithm and has ciphertext (only) must be unable to recover plaintext
extension: even if opponent has samples of plaintext, unable to recover further plaintext
2. Key
Sender and receiver must have obtained copies of the secret key, and must keep it secret
THE ALGORITHM IS NOT SECRET !!!
32
Cryptography
Three independent dimensions:
1. type of operation
* substitution
* transposition
(all operations must be reversible!)
2. number of keys used
* 1 for “symmetric” cryptography
* 2 for “public-key” cryptography
3. way in which plaintext is processed
* block ciphers (processed one block at a time)
* stream ciphers (can be decrypted while being received)
Combinations used
33
Transposition cipher: (figure; labels: pad, key)
Substitution cipher – replace letter with next letter in alphabet (Caesar).
34
Cryptanalysis
“The process of attempting to discover the plaintext or key is known as cryptanalysis.”
35
Types of attack on encrypted messages (continued):
Ciphertext only:
- only ciphertext and algorithm known
- exhaustive search of all possible keys (“brute force”)
How do you know when you’ve won?
36
Types of attack on encrypted messages (continued):
“Partially-known plaintext”
E-mail headers:
Hitler’s Birthday!
37
RSA challenges – known plaintext
With known plaintext, you know when you’ve won!
In 1999 a 56-bit key was cracked in 22 hours by EFF machine
38
Types of attack on encrypted messages (continued):
During WEP authentication in wireless networks the access point sends to the station a message;
The station encrypts the message and returns it to the access point;
Both unencrypted and encrypted forms are easily visible.
39
Types of attack on encrypted messages (continued):
Consider a wireless LAN, connected to the Internet and an attacker who can eavesdrop on the traffic within the LAN and who has access to an outside computer.
Attacker can send chosen message from outside machine to inside machine, and observe encrypted form on the wireless link.
Both unencrypted and encrypted forms are available to the attacker.
40
Boolean Logic
OR (“Inclusive OR”)
A  B  A OR B
0  0  0
0  1  1
1  0  1
1  1  1
XOR (“exclusive OR”)
A  B  A XOR B
0  0  0
0  1  1
1  0  1
1  1  0
41
Boolean Logic
XOR (“exclusive OR”)
A  B  A XOR B
0  0  0
0  1  1
1  0  1
1  1  0
Arithmetic ADD
A  B  A + B  carry
0  0  0      0
0  1  1      0
1  0  1      0
1  1  0      1
42
Feistel Cipher Structure
43
Feistel Parameters:
Block size (2w)
Size of key K
Number of rounds (n)
Subkey generation algorithm (K1, etc.)
Round function (F)
Decryption: run in “reverse”
Insert ciphertext at top, use nth subkey in first round.
44
“Two other considerations in the design of a symmetric block cipher:”
► Fast software encryption/decryption
► Ease of analysis ( ! )
2.2 Symmetric Block Encryption Algorithms
Data Encryption Standard
45
Block size: 64 bits
Key length: 56 bits
Number of rounds: 16
Sixteen subkeys generated from original key.
Decryption: run in “reverse” – insert ciphertext at top, use sixteenth subkey in first round.
Data Encryption Standard (DES/DEA) is a minor variation on the Feistel structure.
46
Strength & Weakness of Data Encryption Standard
Strength: has been exhaustively studied – no known “holes”
Weakness: 56-bit key length too short
(in 1999 was cracked in 22 hours by EFF machine)
In ciphertext-only situation, exhaustive key search is the only way –
but how do you know when you’ve won?
47
Triple DES
If 56-bit key is too short, but DES is a “solid” algorithm, just apply it two or three times with different keys!
48
“There is no cryptographic significance to the use of decryption in the second stage” – gives compatibility with single-stage implementations.
Effective key length is 168 bits
“It is easy to see that 3DES is a formidable algorithm”
49
However, 3DES is not a reasonable candidate for long-term use.
The algorithm is relatively sluggish in software – the original DES was designed for mid-1970s hardware implementation.
The 64-bit block length is too short – larger block lengths give better efficiency and security.
On page 38, the heading “Advanced Encryption Standard” belongs 1/2 way down page.
50
Advanced Encryption Standard
History
In 1997 NIST issued a call for proposals for a new Advanced Encryption Standard (AES), which should have a security strength the same as, or better than, 3DES and significantly improved efficiency.
The new AES is not a Feistel structure! Encryption and Decryption algorithms are different.
After extensive consideration of proposals, in 2001 the algorithm by Joan Daemen and Vincent Rijmen was chosen – known as “Rijndael.”
Parameters:
block length: 128 bits
key length: 128, 192, or 256 bits (focus on 128)
rounds: 10
stages: 4
The 128-bit key and the 128-bit blocks are expressed as 4-byte x 4-byte matrices, processed by column.
51
Original key
W ( 0 – 3 )
Expanded key
W ( 4 – 43 )
Enough for 10 rounds.
There is an algorithm for expanding the key.
52
During execution of the algorithm work is done in the “state array.”
(figure labels: Input, State array, Output)
53
AES preliminary
(“round zero”)
Loads state array
54
“Round zero”
10 rounds: all except the last have four phases
55
56
Phase 1: substitute bytes
State(t) State(t+1)
57
58
Phase 2: shift rows
Row 0: unchanged
Row 1: rotate left 1 byte
Row 2: rotate left 2 bytes
Row 3: rotate left 3 bytes
I call this “rotate,” not “shift.” You may see the term “circular shift.”
59
Phase 3: mix columns
60
Phase 3 - “Mix columns” is matrix multiplication for byte data elements
61
Phase 4 – “Add round key” is actually XOR
Phase 4 is the only phase that involves the key
62
Decryption is not just encryption “run backwards” (as Feistel) – the functions are different (except XOR)
XOR its own inverse:
Data: 1 1 0 0
Key:  0 1 1 0
XOR:  1 0 1 0
Key:  0 1 1 0
Data: 1 1 0 0
63
Row 0: unchanged
Row 1: rotate right 1 byte
…. etc.
64
Inverse sub bytes:
65
Multiplication by inverse matrix:
66
67
68
2.3 Random and Pseudorandom Numbers
In the field of security we often need to be able to generate random numbers for use as secrets.
Examples:
► encryption/decryption keys (this chapter)
► message integrity code keys (chapter 3)
Stallings: “ …two distinct and not necessarily compatible requirements for a sequence of random numbers”
► uniform distribution – easy to check
► independence/unpredictability – difficult to check
In a true random number sequence it is impossible to predict future elements of the sequence on the basis of earlier elements.
69
Generation of a Sequence of True Random Numbers
This is difficult to do entirely within a computer –
so combine inside and outside activity
► disk electrical activity
► instantaneous values of low-order bits of system clock
► random typing by user –
include both character struck and timing
► mouse movements
Use some combination of these and convert to binary string
70
Generation of PseudoRandom Numbers
It’s clearly more convenient to use an algorithm to generate the random material needed.
But algorithms are deterministic
– for the same input they produce the same output
Hence we need a random and unpredictable seed to get different outputs
Circular argument!
In practice PRNGs are usually “good enough.”
Feed back output to further randomize the input.
71
Stallings distinguishes between:
► Pseudorandom number generator -
produces open-ended sequence of bits (use in stream ciphers)
► Pseudorandom function -
produces string of bits of fixed length (use in block ciphers)
Figure 2.7 (b) and (c)
72
PRNG Algorithm Design
Stallings suggests two categories:
► Purpose-built algorithms –
developed specifically to produce a pseudorandom bit stream
(example: RC4, described in next section)
► Secondary use of existing encryption algorithms –
encryption itself must produce random-looking ciphertext,
so this can be put to use encrypting a seed.
These approaches can yield a cryptographically-strong PRNG
73
2.4 Stream Ciphers and RC4
Block ciphers process text one block at a time
Stream ciphers process text one byte at a time
Advantages of stream ciphers:
encryption and decryption can start when first byte received.
no padding of last (incomplete) block
faster than block ciphers
Disadvantage: not as secure as block ciphers
vulnerable to alteration of content
74
Stream cipher operation
Figure 2.8 Stream Cipher Diagram (figure labels: 128 bits; Length of Message)
Given the key, a key-stream is generated as long as the plaintext.
75
Stream cipher operation – contd.
For each byte, encryption consists of forming the bit-by-bit XOR of the key-stream byte with the plaintext byte:
plaintext        1 1 0 0 1 1 0 0
XOR key-stream   0 1 1 0 1 1 0 0
= ciphertext     1 0 1 0 0 0 0 0
Decryption consists of forming the XOR of the ciphertext byte with the key-stream byte:
ciphertext       1 0 1 0 0 0 0 0
XOR key-stream   0 1 1 0 1 1 0 0
= plaintext      1 1 0 0 1 1 0 0
The XOR function is its own inverse
76
Design considerations for a stream cipher:
1. The key-stream is generated from the key by a pseudo-random number generator, so the key-stream will ultimately repeat;
the period should be as long as possible.
2. The key-stream should approximate the properties of a true random number as closely as possible.
3. The key should be as long as possible (often 128 or 256 bits)
Caution: if two plaintexts are encrypted with the same key-stream, the XOR of the two ciphertexts gives the XOR of the two plaintexts (“factoring out the key-stream”). This is a great help in cryptanalysis.
“One-time pad” uses the key-stream just once!
It must be as long as the message.
77
Alteration of message:
Undetectable change in message!
78
Encryption with RC4 stream cipher
plaintext   0 1 1 0 1 1 1 1 1 0 1 1 0 0 1 1
keystream   1 0 1 1 0 0 0 1 1 0 1 0 0 1 1 0
ciphertext  1 1 0 1 1 1 1 0 0 0 0 1 0 1 0 1
Detection of the keystream
C XOR P = (K XOR P) XOR P = K
plaintext   0 1 1 0 1 1 1 1 1 0 1 1 0 0 1 1
ciphertext  1 1 0 1 1 1 1 0 0 0 0 1 0 1 0 1
keystream   1 0 1 1 0 0 0 1 1 0 1 0 0 1 1 0
Conclusion: If you can see the plaintext and the ciphertext of the same message, you can easily compute the keystream.
This is the keystream, not the key itself.
79
The RC4 Algorithm
Key is 8 to 2048 bits (1 to 256 bytes).
RC4 uses 256-byte vectors S and T
Initialization of S and T
Initially the entries in S are set equal to the values from 0 to 255 in ascending order; the key is copied into T (if key is shorter than 256 bytes, copy several times)
for i = 0 to 255 do
    S [ i ] = i ;
    T [ i ] = K [ i mod keylen ] ;
80
Initial permutation of S:
Work incrementally through S, swapping each successive byte with a byte dictated by T:
j = 0 ;
for i = 0 to 255 do
    j = ( j + S [ i ] + T [ i ] ) mod 256 ;
    swap S [ i ], S [ j ] ;
After this we have no more use for T (contains the key)
81
Stream Generation:
Copy specific bytes of S into the keystream K:
i, j = 0 ;
while ( true )
    i = ( i + 1 ) mod 256 ;
    j = ( j + S [ i ] ) mod 256 ;
    swap ( S [ i ], S [ j ] ) ;
    t = ( S [ i ] + S [ j ] ) mod 256 ;
    K = S [ t ] ;        (K is the next byte of the keystream)
Encryption: XOR K with next byte of plaintext.
Decryption: XOR K with next byte of ciphertext.
RSA recommends discarding the first 256 bytes of the generated key-stream.
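An added Python example, not part of the original slides, that follows the S/T pseudocode above and then checks the cautions from the stream-cipher slides: known plaintext reveals the key-stream, a reused key-stream cancels out of the XOR of two ciphertexts, and a changed ciphertext bit changes the same plaintext bit, which is why a stream cipher needs a separate integrity check. The `drop` parameter, the helper names and the sample messages are assumptions; the messages are constructed.

```python
def rc4_keystream(key: bytes, n: int, drop: int = 0) -> bytes:
    # Initialization of S and T (key repeated to fill T).
    S = list(range(256))
    T = [key[i % len(key)] for i in range(256)]
    # Initial permutation of S.
    j = 0
    for i in range(256):
        j = (j + S[i] + T[i]) % 256
        S[i], S[j] = S[j], S[i]
    # Stream generation; `drop` (assumed name) discards the first bytes.
    i = j = 0
    out = bytearray()
    for _ in range(drop + n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out[drop:])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rc4(key: bytes, data: bytes, drop: int = 0) -> bytes:
    # Encryption and decryption are the same operation (XOR is its own inverse).
    return xor(data, rc4_keystream(key, len(data), drop))

def recover_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    # C XOR P = (K XOR P) XOR P = K
    return xor(ciphertext, plaintext)

def flip(ciphertext: bytes, pos: int, mask: int) -> bytes:
    # Changing ciphertext bits changes the same plaintext bits after decryption.
    out = bytearray(ciphertext)
    out[pos] ^= mask
    return bytes(out)

# Constructed sample messages, both encrypted under the same key.
KEY = b"Key"
P1, P2 = b"Plaintext", b"Different"
C1, C2 = rc4(KEY, P1), rc4(KEY, P2)

if __name__ == "__main__":
    ks = recover_keystream(P1, C1)
    print("ciphertext    :", C1.hex())
    print("keystream     :", ks.hex())
    print("C2 XOR ks     :", xor(C2, ks))                 # reused key-stream
    print("C1^C2 == P1^P2:", xor(C1, C2) == xor(P1, P2))
    print("after 1 flip  :", rc4(KEY, flip(C1, 0, 0x01)))  # decrypts with no error
```

Calling `rc4(key, data, drop=256)` applies the discard recommendation quoted above; both sides must use the same value.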
82
Figure 2.9 RC4
83
2.5 Block Cipher Modes of Operation
84
ECB:
85
Problems with using ECB:
► duplication in plaintext produces duplication in ciphertext, which makes cryptanalysis easier.
(basically, it’s just a monoalphabetic substitution)
► consequence: vulnerable to “cut and paste” attack (next slide)
86
ECB is vulnerable to a “cut-and-paste” attack:
(figure label: $100,000)
87
88
Cipher Block Chaining (CBC)
Before encryption of a plaintext block,
XOR it with the previous ciphertext block.
After decryption of a ciphertext block,
XOR the result with the previous ciphertext block.
Since XOR is its own inverse, this recovers the original plaintext block.
For first block, need an Initialization Vector.
(IV is part of secret – can be sent first using ECB)
89
Figure 2.10 Cipher Block Chaining (CBC) Mode
90
Alternative description of CBC, from Smith’s book:
Repeat of the same plaintext does not give same ciphertext
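The Feistel decryption rule from the earlier slides (same structure, subkeys in reverse order) and the ECB and CBC behaviour described above, as an added Python example that is not from the course slides or the textbook. The round function F, the SHA-256 subkey schedule, the toy parameters and the sample key, IV and message are assumptions made for illustration; there is no padding, so the input length must be a multiple of the 8-byte block.

```python
import hashlib

ROUNDS, W = 8, 4   # toy Feistel parameters: n = 8 rounds, block size 2w = 8 bytes

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def subkeys(key: bytes) -> list:
    # Assumed subkey generation: K_i = first w bytes of SHA-256(key || i).
    return [hashlib.sha256(key + bytes([i])).digest()[:W] for i in range(ROUNDS)]

def F(right: bytes, k: bytes) -> bytes:
    # Assumed round function; F itself does not have to be reversible.
    return hashlib.sha256(k + right).digest()[:W]

def feistel(block: bytes, ks: list) -> bytes:
    left, right = block[:W], block[W:]
    for k in ks:
        left, right = right, xor(left, F(right, k))
    return right + left                      # halves swapped after the last round

def encrypt_block(b: bytes, key: bytes) -> bytes:
    return feistel(b, subkeys(key))

def decrypt_block(b: bytes, key: bytes) -> bytes:
    return feistel(b, subkeys(key)[::-1])    # same structure, nth subkey first

def split(data: bytes) -> list:
    return [data[i:i + 2 * W] for i in range(0, len(data), 2 * W)]

def ecb_encrypt(pt: bytes, key: bytes) -> bytes:
    return b"".join(encrypt_block(b, key) for b in split(pt))

def cbc_encrypt(pt: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for b in split(pt):
        prev = encrypt_block(xor(b, prev), key)   # XOR with previous ciphertext block
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ct: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for c in split(ct):
        out.append(xor(decrypt_block(c, key), prev))
        prev = c
    return b"".join(out)

# Constructed sample: three identical 8-byte plaintext blocks.
KEY, IV, PT = b"toy-key", b"\x01" * 8, b"SAMEBLK!" * 3

if __name__ == "__main__":
    print("ECB:", [c.hex() for c in split(ecb_encrypt(PT, KEY))])      # identical blocks
    print("CBC:", [c.hex() for c in split(cbc_encrypt(PT, KEY, IV))])  # all differ
```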
91
92
(figure labels: repeat, CBC, CFB)
CFB: like stream cipher with constantly changing key
93
Figure 2.11 Cipher Feedback Mode
94
Figure 2.12 Counter (CTR) Mode
Counter Mode: counter initialized to random value, then incremented by 1 for each block
95
Properties of Counter Mode
► Opportunity for parallel processing of blocks
► Pre-computation of the key stream
► Can select any block of plaintext to be encrypted or decrypted
► As secure as CBC or CFB
► Simplicity – No separate decryption algorithm
(XOR its own inverse)
► Like stream cipher with constantly-changing key
96
End Chapter 2