15-441 Computer Networking
Lecture 21: Security and Cryptography
Thanks to various folks from 15-441, semester’s past and others
2
Security Threats
• Impersonation• Pretend to be someone else to gain access to information or
services
• Insecrecy• Eavesdrop on data over network
• Corruption• Modify data over network
• Repudiation• Deny sending a message
• Break-ins• Take advantage of implementation bugs
• Denial of Service• Flood resource to deny use from legitimate users
3
Three Levels of Defense
• Firewalls• Filtering “dangerous” traffic at a middle point in the network• Covered next lecture
• Network level security (e.g. IPsec)• Host-to-host encryption and authentication• Can provide security without application knowledge• Cannot always protect applications from each other
• Application level security• True end-to-end security• Requires extra effort per application• Libraries help, like SSL/TLS
4
Private Key Authentication
• Alice wants to talk to Bob• Needs to convince him of her identity• Both have private key k
• Naive scheme
Alice Bob
• Vulnerability?
“I am Alice”, x, E(x, k)
5
Replay Attack
• Eve can listen in and impersonate Alice later
Alice Bob
Eve
“I am Alice”, x, E(x, k)
“I am Alice”, x, E(x)
6
Preventing Replay Attacks
• Bob can issue a challenge phrase to Alice
Alice Bob
“I am Alice”
E(x, k)
x
7
Private Key Cryptosystems
• Finite message domain M, key domain K• Key k K
• Known by all parties• Must be secret
• Encrypt: E: M × K M• Plaintext mp to ciphertext mc as mc = E(mp, k)
• Decrypt: D: M × K K• mp = D(mc, k) = D(E(mp, k), k)
• Cryptographic security• Given mc, hard to determine mp or k
• Given mc and mp, hard to determine k
8
One Time Pad
• Messages• n-bit strings [b1,…,bn]
• Keys• Random n-bit strings [k1,…,kn]
• Encryption/Decryption• c = E(b, k) = b k = [b1 k1, …, bn kn]
denotes exclusive or• b = D(b, k) = c k = b k k = b [1, …, 1] = b
• Properties• Provably unbreakable if used properly• Keys must be truly random• Must not be used more than once• Key same size as message
9
Simple Permutation Cipher
• Messages• n-bit strings [b1,…,bn]
• Keys• Permutation of n• Let = -1
• Encryption/Decryption• E([b1,…,bn], ) = [b (1),…,b (n)]
• D([b1,…,bn], ) = [b (1),…,b (n)]
• Properties• Cryptanalysis possible• Only small part of plaintext and key used for each part of ciphertext
Data Encryption Standard (DES)
11
Overview
Initialization TerminationRound Round … Round
Plaintext
Cyphertext
Key Key Key Key
16 rounds of permutations and substitution
DES is a 64-bit block cipher. Both the plaintext and ciphertext are 64 bits wide.
The key is 64-bits wide, but every eighth bit is a parity bit yielding a 54-bit key.
12
Initialization
PlaintextInitial
Permutation
Right Half
Left Half
Round
Key
13
Termination
CiphertextReverse Initial Permutation
Right Half
Left Half
Round
Key
14
A Round
Right Half
Left Half
Transformed Key (48-bit)
Permutations and substitution XOR
Left Half
Right Half
15
Permutations and Substitutions
Right Half Transformed Key (48-bit)
S-Box Substitution
P-Box PermutationXOR
E-Box Permutation
8 S-Boxes are used by the P-Box
16
Key Transformation
64-bit Key
Remove parity bit
56-bit Key
split
28-bit left semikey
28-bit right semikey
shift
shift
28-bit shifted left semi-key
28-bit shifted right semi-key
Compression Permutation
48-bit semi-key
17
E-Box (Expansion Box)
1 2 3 4 5 6 7 8 .. .. .. .. 29 30 31 32
1 2 3 4 5 6 7 8 9 10 11 .. .. .. .. 44 45 46 47 48
32
48
1
1
18
S-Box (Substitution Box)
There are 8 different S-Boxes, each of which provides a different 6:4 mapping. Where’d they come from? Some combination of IBM and NSA.
The mappings are based on cryptanalysis and are ostensibly free of weaknesses, back-doors, &c.
19
P-Box (Permutation Box)
S-Box 1 S-Box 2 S-Box 3 S-Box 4 S-Box 5 S-Box 6 S-Box 7 S-Box 8
48-bit input
32-bit output
20
Block Cipher Modes
• “How do we break a message down into blocks for encryption by DES or another block cipher?”
21
Electronic Code Book (ECB) Mode
Block 1 Block 2 Block 3 Block 4 Block 5 …
E(block) E(block) E(block) E(block) E(block) E(block)
Block 1 Block 2 Block 3 Block 4 Block 5 …
Plaintext
Ciphertext
• Pad last block, if necessary
Block Encryption
22
Cipher Block Chaining (CBC) Mode
Random Block 1 Block 2 Block 3 Block 4 …
E(block) E(block) E(block) E(block) E(block)
Block 2 Block 3 Block 4 Block 5 …
Plaintext
Ciphertext
• Pad last block, if necessary
• Random Block called IV can be sent in plain text. Not a secret – just prevents a codebook. Often times a timestamp.
XOR XOR XOR XOR XOR
Block Encryption
23
Leftmost
Cipher Feedback Mode (CFB) Mode
C I-6 C I-5 C I-4 C I-3 C I-2 C I-1 Shift Register (1 Block wide)
Next unit of Ciphertext
E(register)
1 unit is 1/N block
Block Encryption
Encrypted Register
XORNext unit of Plaintext
After each unit, shift input register and insert the most recently generated unit of ciphertextoutput
24
Leftmost
Output Feedback Mode (OFB) Mode
C I-6 C I-5 C I-4 C I-3 C I-2 C I-1 Shift Register (1 Block wide)
Next unit of Ciphertext
E(register)
1 unit is 1/N block
Block Encryption
Encrypted Register
XORNext unit of Plaintext
After each unit, shift input register and insert the leftmost unit of the encrypted register.output
25
Other Ciphers
• Triple-DES• DES three times
• mc = E(D(E(mp, k1), k2, k3)• Effectively 112 bits• Three times as slow as DES
• Blowfish• Developed by Bruce Schneier circa 1993• Variable key size from 32 to 448 bits• Very fast on large general purpose CPUs (modern PCs)• Not very easy to implement in small hardware
• Advanced Encryption Standard (AES)• Selected by NIST as replacement for DES in 2001• Uses the Rijndael algorithm• Keys of 128, 192 or 256 bits