CP5291 Security Practices UNIT IV

Counter (CTR) Mode - It can be considered as a counter-based version of CFB mode without
the feedback. In this mode, both the sender and receiver need access to a reliable counter,
which computes a new shared value each time a ciphertext block is exchanged. This shared
counter is not necessarily a secret value, but the challenge is that both sides must keep the
counter synchronized.

4.6 Satellite Encryption


For communications purposes, modern satellites can be classified into two categories:
those that communicate exclusively with the surface of the Earth and those that communicate not
only with the surface of the Earth, but also with other satellites or spacecraft. The distinction
between these two types of satellite communication is depicted in Figure 4.10 below.

Figure 4.10 Comparison of Type 1 and Type 2 satellite communication capabilities


Classifying satellites as Type 1 or Type 2 provides us with a useful framework for
understanding and discussing basic satellite communications capabilities, and allows us to gain
insight into the sort of communications links that may need to be protected. In the case of Type 1
satellites, the spacecraft may support uplink capabilities, downlink capabilities, or both. An
uplink channel is a communications channel through which information is transmitted from the
surface of the Earth to an orbiting satellite or other spacecraft.
While Type 2 satellites may possess the uplink and downlink capabilities of a Type 1
satellite, they are also capable of establishing links with spacecraft or other Type 2 satellites for
purposes of extraplanetary communication. Type 2 satellites that can act as an intermediary
between other spacecraft and the terrestrial surface can be classified as relay satellites.

4.6.1 The Need For Satellite Encryption

44 B.Shanmuga Sundari, AP/CSE csenotescorner.blogspot.com


Depending on the type of satellite communications link that needs to be established,
substantially different technologies, frequencies, and data encryption techniques may be required
in order to secure a satellite-based communications channel.
Consider, for example, a Type 1 communications satellite that has been placed into orbit
above the equator of the Earth. Transmissions from the satellite to the terrestrial surface (the
downlink channel) would commonly be made by way of a parabolic antenna. Although such an
antenna facilitates focusing the signal, the signal nevertheless disperses in a conical fashion as it
departs the spacecraft and approaches the surface of the planet. The result is that the signal may
be made available over a wider geographic area than would be optimally desirable for security
purposes. As with terrestrial radio, in the absence of encryption, anyone within range of the
signal who possesses the requisite equipment could receive the message. In this particular
example, the geographic area over which the signal would be dispersed would depend both on
the focal precision of the parabolic antenna, and the altitude of the satellite above the Earth.
These concepts are illustrated in Figure 4.11 below.
Because the sender of a satellite message may have little or no control over to whom the
transmission is theoretically available, protecting the message requires that its contents be
encrypted. For similar reasons, extraplanetary transmissions sent between Type 2 satellites must
also be protected. After all, with thousands of satellites orbiting the planet, the chances of an
inter-satellite communication being intercepted are quite good!

Figure 4.11 Effect of altitude and focal precision on satellite signal dispersion


4.6.2 Implementing Satellite Encryption


Information can be transmitted to or from satellites using three general types of
communication links:
- surface-to-satellite links (uplinks),
- satellite-to-surface links (downlinks), and
- inter-satellite or inter-spacecraft links (extraplanetary links).
As shown in Figure 4.12, any satellite-based communication can be classified into one of
six possible categories. Before considering the specific facets of encryption pertaining to satellite
uplink, extraplanetary, and downlink transmissions, however, an examination of several of the
more general issues associated with satellite encryption may be useful.

Figure 4.12 Satellite communications categories as a function of data value and type of link.

General Satellite Encryption Issues


One of the problems common to all forms of satellite encryption relates to signal
degradation. Satellite signals are typically sent over long distances using comparatively low-
power transmissions, and must frequently contend with many forms of interference, including
terrestrial weather, solar and cosmic radiation, and many other forms of electromagnetic noise.
Such disturbances can cause errors or gaps to emerge in the signal that carries a satellite
transmission from its source to its destination.
Depending on the encryption algorithm chosen, this situation can be particularly
problematic for encrypted satellite transmissions, since the entire encrypted message may be
irretrievably lost if even a single bit of data is out of place.
To resolve this problem, a checksum or cryptographic hash function may be applied to
the encrypted message to allow errors to be identified and reconciled upon receipt. This approach
comes at a cost, however: appending checksums or error-correcting codes to an encrypted message
increases the length of the message, and by extension increases the time required for the message
to be transmitted. The result, of course, is that a satellite's actual overall communications
capacity is commonly lower than its theoretical capacity, due to the extra burden that is placed
on its limited resources by this communications overhead.
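As an added example (not part of these notes), the following Python simulates the counter-synchronisation requirement from the CTR mode description above together with the signal-degradation problem described in this section: one flipped ciphertext bit, one lost block, and a drifted receiver counter, with a checksum appended so the receiver can detect a damaged frame. HMAC-SHA256 over the counter stands in for a block cipher such as AES (absent from the standard library), and the key, counter start and telemetry text are constructed sample values.

```python
"""CTR mode on a noisy, lossy satellite link (added example; constructed data).

HMAC-SHA256 over (key, counter) stands in for a block cipher such as AES,
which the Python standard library lacks; the CTR logic is unchanged by that.
"""
import hashlib
import hmac

BLOCK = 32  # keystream bytes per counter value (one HMAC-SHA256 output)

# Constructed sample values, not real key material or telemetry.
KEY = b"constructed-32-byte-sample-key!!"
COUNTER0 = 1000  # shared counter start: not secret, but must stay synchronised
MESSAGE = (b"TELEMETRY frame 0042: bus voltage 28.1V, temp -12C, "
           b"attitude nominal, next pass 14:02Z. END OF FRAME.")


def keystream_block(key: bytes, counter: int) -> bytes:
    """E_k(counter): the keystream block for one counter value."""
    return hmac.new(key, counter.to_bytes(16, "big"), hashlib.sha256).digest()


def ctr_xor(key: bytes, counter: int, data: bytes) -> bytes:
    """CTR mode: block i of data is XORed with E_k(counter + i). There is no
    feedback, so the same call both encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), BLOCK):
        ks = keystream_block(key, counter + off // BLOCK)
        out += bytes(a ^ b for a, b in zip(data[off:off + BLOCK], ks))
    return bytes(out)


def send(key: bytes, counter: int, msg: bytes) -> tuple:
    """Sender: the clear counter, the ciphertext, and a SHA-256 checksum of the
    ciphertext so the receiver can tell a damaged frame from a good one."""
    ct = ctr_xor(key, counter, msg)
    return counter, ct, hashlib.sha256(ct).digest()


def receive(key: bytes, counter: int, ct: bytes, check: bytes) -> tuple:
    """Receiver: decrypt with its own view of the counter and verify the checksum."""
    ok = hmac.compare_digest(hashlib.sha256(ct).digest(), check)
    return ctr_xor(key, counter, ct), ok


def bit_errors(a: bytes, b: bytes) -> int:
    """Differing bits between two byte strings (the shorter one zero-padded)."""
    n = max(len(a), len(b))
    return sum(bin(x ^ y).count("1")
               for x, y in zip(a.ljust(n, b"\0"), b.ljust(n, b"\0")))


def flip_bit(data: bytes, bit: int) -> bytes:
    """Channel noise: one ciphertext bit inverted in transit."""
    d = bytearray(data)
    d[bit // 8] ^= 1 << (bit % 8)
    return bytes(d)


def drop_block(data: bytes, index: int) -> bytes:
    """Signal gap: one whole ciphertext block never reaches the receiver."""
    return data[:index * BLOCK] + data[(index + 1) * BLOCK:]


def channel_demo() -> dict:
    """Run the link conditions discussed in the text and report what the receiver sees."""
    ctr, ct, check = send(KEY, COUNTER0, MESSAGE)
    clean, clean_ok = receive(KEY, ctr, ct, check)                 # clean, in sync
    noisy, noisy_ok = receive(KEY, ctr, flip_bit(ct, 100), check)  # one bit flipped
    gapped, gap_ok = receive(KEY, ctr, drop_block(ct, 1), check)   # block 1 lost
    drifted, _ = receive(KEY, ctr + 1, ct, check)                  # counter off by one
    return {
        "clean_exact": clean == MESSAGE and clean_ok,
        # No feedback in CTR: a flipped ciphertext bit flips exactly one plaintext
        # bit, and the checksum still reports the frame as damaged.
        "flip_errors": bit_errors(noisy, MESSAGE),
        "flip_detected": not noisy_ok,
        # A lost block silently shifts the receiver's counter: the block before the
        # gap decrypts correctly, everything after it decrypts to noise.
        "gap_first_block_ok": gapped[:BLOCK] == MESSAGE[:BLOCK],
        "gap_errors_after": bit_errors(gapped[BLOCK:], MESSAGE[2 * BLOCK:]),
        "gap_detected": not gap_ok,
        # Counter drift destroys the whole frame even on a clean channel; the
        # receiver recovers only by resynchronising to the counter sent in clear.
        "drift_errors": bit_errors(drifted, MESSAGE),
        "resync_exact": ctr_xor(KEY, ctr, ct) == MESSAGE,
    }
```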
To establish the identity of the sender, the message needs to be encrypted in such a way
that from the recipient's perspective, only a legitimate sender could have encoded the message.
The sender, of course, also wants to ensure that the message is protected while in transit, and
thus desires that only an authorized recipient would be able to decode the message upon receipt.
Both parties to the communication must therefore agree to use an encryption algorithm
that serves to identify the authenticity of the sender while affording a sufficient level of
protection to the message while it is in transit to its destination. Although keyless encryption
algorithms may satisfy these two criteria, such algorithms are usually avoided in satellite
communications, since the satellite may become useless if the keyless encryption algorithm were
to be compromised, and satellites are expensive to replace.
This problem also extends to the terrestrial equipment used to encrypt satellite signals
prior to transmission and decrypt those signals after receipt.

An asymmetrically keyed encryption algorithm may be adopted, wherein the key used to
encrypt a message is different from the key used to decrypt the message. Such an approach
requires each party to maintain only two keys, one of which is kept private, and the other of
which is made publicly available. If party A wants to send party B a secure transmission, A first
asks B for her public key, which can be transmitted over an unsecured connection. Party A then
encodes a secret message using B's public key. The message is secure because only B's private
key can decode the message.
To authenticate herself to B, party A needs only to re-encode the entire message using her
own private key before transmitting the message to B. Upon receiving the message, B can
establish whether it was sent by A, because only A's private key could have encoded a message
that can be decoded with A's public key. This process is depicted in Figure 4.13 below.


Figure 4.13 Ensuring sender identity and message security with asymmetrically keyed encryption

Uplink Encryption
The reason for this is that the actual transmission of the encrypted message to the satellite
is but the final step in a long chain of custody that begins when the message is created and ends
when the message is successfully received by the satellite.
If one assumes that the confidentiality and integrity of the message have not been
compromised as the message has passed through all of these intermediaries, then but two
primary security concerns remain:
- the directional accuracy of the transmitting antenna, and
- the method used to encrypt the message.
In the case of the former, the transmitting antenna must be sufficiently well-focused to
allow the signal to be received by the target satellite, and ideally only by the target satellite.
When deciding upon which encryption method to use, the sender must simultaneously
consider the value of the data being transmitted, the purpose of the transmission, and the
technological and computational limitations of the target satellite. A satellite's computational and
technological capabilities are a function of its design specifications, its current workload, and
any degradation that has occurred since the satellite was placed into orbit. These properties of the
satellite can therefore be considered constraints: any encrypted uplink communications must
work within the boundaries of these limitations.


Extraplanetary Link Encryption


Before a signal is sent to the terrestrial surface, it may need to be transmitted across an
extraplanetary link.
For example, the very low power signals transmitted from a remote exploratory
spacecraft may not be detectable by a particular listening station on the planet's surface, or the
data rate or signal modulation with which an extraplanetary transmission is sent may not be
supported by the final recipient. In this scenario, the intermediary satellite through which the
signal is being routed must act as an interpreter or translator of sorts, a situation which is
illustrated in Figure 4.14 below.

Figure 4.14 In-transit translation of encrypted messages in satellite communication.

From an encryption perspective, the situation illustrated above implies that the
intermediary satellite may need to decrypt the extraplanetary message, and reencrypt it using a
different encryption scheme prior to retransmission. A similar issue may arise for legal or
political reasons. Consider, for example, a message that is being transmitted from one country to
another by way of several intermediary satellites. The first country may have no standing
policies regarding the encryption of messages sent via satellite, while the second country may
have policies that strictly regulate the encryption standards of messages received via satellite. In
this case, one or more of the orbiting satellites may need to alter the encryption of a message in
transit in order to satisfy the legal and regulatory guidelines of both countries.


Downlink Encryption
As with uplink encryption, the technological and computational capabilities of the
spacecraft may constrain the extent to which a particular message can be protected. Similarly, if
the utilization of a particular encryption scheme would reduce the efficiency or message-
handling capacity of a satellite to a level that is deemed unacceptable, then the satellite's
operators may choose to prioritize capacity over downlink security.
Unlike uplink signals, which can only originate from the surface of the planet, messages
to be transmitted over a downlink channel can come from one of three different sources: the
terrestrial surface, another spacecraft, or the satellite itself. The source of the message
to be broadcast to the planet's surface plays a critical role in determining the method of
protection for that message.
For example, for a message that originates from the surface or from another spacecraft, there
exist two scenarios. First, the satellite transmitting the message to Earth may be serving only as a
simple signal repeater or amplifying transmitter; that is to say, the message is already encrypted
upon receipt, and the satellite is simply relaying the previously encrypted message to the surface.
In the second scenario, a satellite may need to filter a message or alter its encryption method
prior to downlink transmission.

4.6.3 Pirate Decryption Of Satellite Transmissions


In the world of encrypted satellite communications, this problem of pirate signal
decryption is compounded by two additional factors. First, the dispersive nature of satellite-to-
ground transmissions as illustrated in Figure 4.11 creates an environment in which many people
other than the intended recipient have access to the encrypted signal.
Second, equipment designed to receive satellite signals is, at least in the developed world,
both abundant and relatively inexpensive. Unlike satellite transmitters or transceivers, both of
which can send messages to satellites, the vast majority of the satellite communications
devices in use today are classified simply as receivers, which can receive satellite transmissions
but cannot send them. These differences are illustrated in Figure 4.15 below.


Figure 4.15 Communications capabilities of satellite transmitters, receivers, and transceivers.

Circuit-based Security
Since most satellite receivers are not capable of two-way communication, they are also
generally not capable of negotiating a new key with the sender of the encrypted message in
real-time.
The sender of the message must therefore find some other way of supplying its
authorized receivers with the proper key, and many different approaches have been developed
with this problem in mind.
From a security perspective, this early approach was plagued by several obvious flaws.
First, anyone able to clone the circuitry of the receiving device would have immediate access to
the encrypted message. Circuit components and circuit design knowledge were quite rare in the
early days of satellite communication, but it was not long until a would-be signal pirate with a
little knowledge could walk into his or her local electronics supply store and buy everything
needed to build a simple satellite receiver.

Removable Security Cards


The next major evolutionary step in secure satellite communications arrived with the
introduction of removable security cards. In this model, the receiving devices themselves were of
a generalist design inasmuch as they could receive satellite messages encrypted with any number
of algorithms or keys. Decoding the encrypted message, however, required that a proprietary
security card be inserted into the receiver.

4.6.4 Satellite Encryption Policy


Given the rapid adoption of satellite communications and the potential security
implications associated therewith, many governments and multinational coalitions are
increasingly establishing policy instruments with a view toward controlling and regulating the
availability and use of satellite encryption in both the public and private sectors. Such policy
instruments have wide-reaching economic, political, and cultural implications that commonly
extend well beyond national boundaries.
The establishment and maintenance of satellite encryption policy also needs to be
considered in the context of satellite systems of global import. Consider, for example, the
NAVSTAR Global Positioning System (GPS), whose constellation of satellites enables anyone
with a GPS receiver to accurately determine their current location, time, elevation, velocity, and
direction of travel anywhere on or near the surface of the Earth.

4.6.5 Satellite Encryption Service


Satellite Encryption Service (SES) can be used as a dedicated transmission service for voice, data,
and video traffic transmission and wideband broadcast applications, such as broadband distance
learning and broadcast of data/multimedia files.
The service provides full-duplex, half-duplex, and simplex (broadcast) encrypted transmissions
using C-band, Ku-band, and Ka-band satellites. SES provides dedicated and ad-hoc
(reservation-based) encrypted satellite transmission.

4.7 Password based authenticated Key establishment Protocols


The Need for User-Friendly, Password-Based Solutions

All of the methods described so far have a common property: whether the long-term keying
material is symmetric and shared by both users, or asymmetric and certified using a PKI, keys
are long and difficult to use in common applications.


One could argue that this information could be embedded in security tokens that users could
carry such as smartcards, USB security tokens, and so on. However, this requires additional
hardware that will certainly have a cost.
It may also introduce compatibility issues in cases when the tokens need to be plugged into
another device. Finally, such tokens can always be compromised through loss or theft.
Nowadays, the most common form of authentication in use is via knowledge of
passwords. Passwords are cheap and convenient. They are easy to choose, use, and change when
needed, and they are typically human memorable.
The pervasiveness of this method of authentication is the main motivation behind
research in Password-Authenticated Key Exchange (PAKE). However, convenience is often
accompanied by security degradation in cryptography; using passwords instead of strong
cryptographic keys is no exception and brings forth some important issues that we try to explain
in the following sections.

New Security Threats


Using passwords rather than long, cryptographically strong keys to authenticate key
exchange protocol flows is not straightforward.
For instance, a password cannot just replace a strong symmetric key as input to a classical
key exchange protocol. There are mainly two reasons for this.
- First of all, passwords are low-entropy data. This makes them vulnerable to dictionary
attacks, which are essentially brute-force guessing attacks.
- Second, passwords are quite often mismanaged (e.g., written down or used across several
applications). This frequently leads to password compromise, which must be taken into
account in PAKE design.

Dictionary Attacks
In classical key exchange, exhaustively searching for the correct long-term key simply
cannot be done feasibly, by construction: it is completely random and very long.
A password, on the other hand, is likely to be short and produced with less-than-ideal
randomness from a small set of values, making exhaustive search possible. We illustrate the
effects of this phenomenon with a "dummy" protocol.


This kind of attack is arguably the most important one to prevent in PAKE design because an
attacker need not be online to perform it.

Offline attackers

Offline attackers have more time and computational power for the simple reason that they may
be impossible to interrupt. Indeed, in the above example it was only necessary for the adversary
to record an exchange. From then on, there is no way to interfere with the adversary's behavior.
We call such attacks offline dictionary attacks.

Online dictionary attacks


Online dictionary attacks are active attacks in which the adversary tries to guess the password
through successive login attempts: the adversary engages over and over in the protocol, trying
out different passwords, and when the opposing party stops aborting, the adversary knows it
guessed the right password. From that point on, it is up to the application supporting the protocol
to specify how many failed attempts can be tolerated before, for instance, locking the targeted
account.

Forward Secrecy and Known Session Keys


A user's password in a PAKE protocol is viewed as a long-term key (i.e., it is expected to be
used many times to create random, independent session keys). It obviously plays a role in the
computation of session keys' exchange transcripts and may even appear as an argument to the
formula producing the session keys themselves.
These relationships cannot be ignored. On the one hand, passwords are notoriously mismanaged
data: They are routinely lost, shared (with unintended parties), and used across several
applications.
This very often leads to the password getting compromised. Once this occurs, there clearly is no
way of stopping an adversary with knowledge of the password from impersonating its rightful
owner, at least until the breach is discovered.


Other Security Properties

Dictionary attacks are specific to PAKE protocols. However, forward secrecy and
known-session-key security were actually first considered in classical key exchange and
subsequently carried over to the password-based case.
It may be tempting to do this with all security properties that can be defined for key exchange in
general, but this is not always possible.
For instance, resistance to key compromise impersonation (in which an adversary who has
compromised a user's long-term key can then impersonate other parties to that user) is not
satisfied by a PAKE: the other holder of the password can always be impersonated to the
attacked user.

Key Confirmation and Authentication in PAKE


We mentioned earlier that resistance to offline dictionary attacks has an effect on authentication;
we return to this issue now. As explained earlier, a PAKE protocol transcript cannot be allowed
to leak a single bit of information on the password.
This implies that no mechanism can be in place to directly ensure at either end of the protocol
that the correct password is being used by the other party.
For instance, the password cannot satisfy any kind of efficiently verifiable equation, which
happens to be the flaw of the dummy protocol.

4.7.1 Concrete Protocols


In this section we describe three concrete PAKEs. We give an overview of their properties,
security guarantees, and known flaws. All three protocols require the parties A and B to share
the description of a cyclic group G of large order n.
Such information can be directly hardcoded into the program specification running the protocol.
Of course, A and B also share a password pw. For each protocol, we begin by describing the
heart of the mechanism itself: the protocol flows that contain the information for computing the
shared key. We then go on to discuss the security properties and weaknesses. Finally, we give
full descriptions of the protocols, or variants thereof, that have been proposed for
standardization. In particular, these descriptions also contain various examples of key
confirmation procedures.


Encrypted Key Exchange


The first PAKE ever designed was proposed in 1992 by Bellovin and Merritt and is known as
Encrypted Key Exchange, or EKE.
The authors were the first to tackle the problem of preventing offline dictionary attacks. To
describe the main protocol flow, we first need some notation. E will denote a symmetric
encryption algorithm, with D the associated decryption algorithm.

Security and Efficiency


Security and Efficiency by Design
The main idea behind the dictionary attack resistance of this protocol is that if the data encrypted
using algorithm E under key pw is random enough, then verification of the password becomes
infeasible.
More concretely, if pw' is some other password, the string D_pw'(c_A) cannot be told apart from
g^x, because x, and therefore g^x, is random.
In theory, this is a very elegant observation, but we shall see below that it is highly nontrivial to
implement in practice, an issue we address in the next sections.
Online dictionary attacks are essentially prevented by the fact that if the algorithm E is indeed
suitable, it should yield different encryption functions for different passwords.
Forward secrecy is argued to hold for a very simple reason: the shared value g^(xy) is completely
independent of the password.

Security in Theory
It should also be mentioned that the security of EKE's main protocol flows has been studied
from a purely theoretical point of view.
In this work, the protocol and several of its variants have been proven secure; that is, a very
precise mathematical proof of security was given assuming that the encryption function satisfies
some idealized properties.

Flaws

The protocol, as it is defined, can be made vulnerable to dictionary attacks. The main
issue is that even if g^x is a strictly random element of G, it is not randomly distributed in E's
plaintext space. Concretely, this means that we cannot expect that for every possible candidate
password pw', the decryption will fall into Z_p*; therefore, every time such a test fails, a password
can be ruled out.

Proposed Standardization
In 2000, Bellare and Rogaway proposed a PAKE protocol based essentially on EKE for IEEE
standardization: AuthA. One of the main concerns the authors raise in their work involves
instantiating the encryption function.
The security flaws discussed above clearly show that this needs to be done very carefully. In
particular, there is no straightforward way to directly replace the ideal cipher with a concrete
symmetric encryption algorithm. The authors propose to replace the encrypting operation with
multiplying the group element by a hash of the password, allowing them to rely on idealizing a
hash function rather than an encryption function.
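The following Python, added here and not taken from the notes or from the EKE and AuthA papers, puts the flaw described above and the AuthA-style fix side by side on toy parameters: an eavesdropper who has recorded several EKE flows checks, for every dictionary word pw', whether D_pw'(c_A) lands in Z_p*, and counts how many candidates survive. It assumes the EKE flow c_A = E_pw(g^x) with E realised as an XOR against a 30-bit mask derived from the password; the prime p = 1000000007, the base g = 5, and the 2000-word password list are constructed for the demonstration.

```python
"""Why EKE's encryption step must be chosen with care (added example; toy
parameters constructed for the demonstration, not a real deployment).

The notes' point: g^x is uniform in Z_p* = {1, ..., p-1}, but not over E's
plaintext space {0, ..., 2^30 - 1}, so for a wrong candidate pw' the value
D_pw'(c_A) may fall outside Z_p* and pw' is ruled out. The AuthA-style fix
sends g^x * H(pw) mod p instead, so every candidate "decrypts" to a valid
group element and no candidate can ever be eliminated from the transcript.
Assumed EKE flow: A sends c_A = E_pw(g^x); E is XOR with a password-derived mask.
"""
import hashlib
import random

P = 1_000_000_007       # toy prime; Z_p* = {1, ..., P-1}
BITS = P.bit_length()   # 30: E's plaintext space is {0, ..., 2^30 - 1}
G = 5                   # fixed base; whether it generates all of Z_p* is irrelevant here
DICT = [f"pw{i:04d}" for i in range(2000)]   # constructed password dictionary
REAL_PW = "pw1234"                           # the password A and B actually share


def h_bits(pw: str, bits: int) -> int:
    """Hash a password to a `bits`-bit integer (the password-derived mask)."""
    return int.from_bytes(hashlib.sha256(pw.encode()).digest(), "big") % (1 << bits)


def h_group(pw: str) -> int:
    """Hash a password into Z_p* (always in {1, ..., P-1}, so it is invertible)."""
    return 1 + h_bits(pw, BITS) % (P - 1)


def eke_flow(pw: str, rng: random.Random) -> int:
    """Original EKE: c_A = E_pw(g^x), with E an XOR against the 30-bit mask."""
    gx = pow(G, rng.randrange(1, P - 1), P)
    return gx ^ h_bits(pw, BITS)


def eke_candidate_ok(pw_guess: str, c_a: int) -> bool:
    """Offline test on a recorded flow: does D_pw'(c_A) land inside Z_p*?
    For the real password it always does; for a wrong one it may not."""
    return 1 <= (c_a ^ h_bits(pw_guess, BITS)) <= P - 1


def autha_flow(pw: str, rng: random.Random) -> int:
    """AuthA-style fix: c_A = g^x * H(pw) mod p, a group element for any pw."""
    gx = pow(G, rng.randrange(1, P - 1), P)
    return gx * h_group(pw) % P


def autha_candidate_ok(pw_guess: str, c_a: int) -> bool:
    """Same test against the fixed flow: c_A * H(pw')^-1 mod p is always in Z_p*."""
    return 1 <= c_a * pow(h_group(pw_guess), -1, P) % P <= P - 1


def survivors(flows, candidate_ok) -> list:
    """Dictionary words still consistent with every recorded flow."""
    return [pw for pw in DICT if all(candidate_ok(pw, c) for c in flows)]


def compare(sessions: int = 30, seed: int = 7) -> dict:
    """Record `sessions` flows of each protocol and count surviving candidates."""
    rng = random.Random(seed)
    eke_obs = [eke_flow(REAL_PW, rng) for _ in range(sessions)]
    autha_obs = [autha_flow(REAL_PW, rng) for _ in range(sessions)]
    eke_left = survivors(eke_obs, eke_candidate_ok)
    autha_left = survivors(autha_obs, autha_candidate_ok)
    return {
        "dictionary": len(DICT),
        "eke_survivors": len(eke_left),          # shrinks with every recorded flow
        "eke_real_pw_survives": REAL_PW in eke_left,
        "autha_survivors": len(autha_left),      # stays at the full dictionary
        "autha_real_pw_survives": REAL_PW in autha_left,
    }
```

Roughly (2^30 - p)/(p - 1), about 7%, of the wrong candidates are discarded per recorded EKE flow, so the survivor count falls geometrically with the number of sessions observed, while the multiplicative encoding leaves the full dictionary intact.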
