Professional Documents
Culture Documents
2
Why Computer Security (cont’d)
• Virus and worms faster and powerful
– Cause over $28 billion in economic losses in 2003,
growing to over $75 billion in economic losses by 2007.
– Code Red (2001): 13 hours infected >360K machines -
$2.4 billion loss
– Slammer (2003): 15 minutes infected > 75K machines -
$1 billion loss
• Spams, phishing …
• New Internet security landscape emerging:
BOTNETS !
– Conficker/Downadup (2008): infected > 10M machines
• MSFT offering $250K reward 3
Outline
• History of Security and Definitions
• Overview of Cryptography
• Symmetric Cipher
– Classical Symmetric Cipher
– Modern Symmetric Ciphers (DES and AES)
• Asymmetric Cipher
• One-way Hash Functions and Message Digest
4
Objectives
• Understand the four cornerstones of
information security
• Understand the three major classes of crypto
methods and their difference, pros and cons
• Be able to apply the latest crypto standards
5
The History of Computing
• For a long time, security was largely ignored in the
community
– The computer industry was in “survival mode”, struggling
to overcome technological and economic hurdles
– As a result, a lot of comers were cut and many
compromises made
– There was lots of theory, and even examples of systems
built with very good security, but were largely ignored
or unsuccessful
• E.g., ADA language vs. C (powerful and easy to use)
6
Computing Today is Very Different
• Computers today are far from “survival mode”
– Performance is abundant and the cost is very cheap
– As a result, computers now ubiquitous at every facet
of society
• Internet
– Computers are all connected and interdependent
– This codependency magnifies the effects of any
failures
7
Biological Analogy
• Computing today is very homogeneous.
– A single architecture and a handful of OS dominates
• In biology, homogeneous populations are in danger
– A single disease or virus can wipe them out overnight
because they all share the same weakness
– The disease only needs a vector to travel among hosts
• Computers are like the animals, the Internet
provides the vector.
– It is like having only one kind of cow in the world, and
having them drink from one single pool of water!
8
The Spread of Sapphire/Slammer
Worms
9
The Flash Worm
• Slammer worm infected 75,000 machines in <15
minutes
• A properly designed worm, flash worm, can take
less than 1 second to compromise 1 million
vulnerable machines in the Internet
– The Top Speed of Flash Worms. S. Staniford, D.
Moore, V. Paxson and N. Weaver, ACM WORM
Workshop 2004.
– Exploit many vectors such as P2P file sharing,
intelligent scanning, hitlists, etc.
10
The Definition of Computer Security
• Security is a state of well-being of information
and infrastructures in which the possibility of
successful yet undetected theft, tampering,
and disruption of information and services is
kept low or tolerable
• Security rests on confidentiality, authenticity,
integrity, and availability
11
The Basic Components
• Confidentiality is the concealment of information or
resources.
– E.g., only sender, intended receiver should “understand” message
contents
12
Security Threats and Attacks
• A threat/vulnerability is a potential violation of
security.
– Flaws in design, implementation, and operation.
• An attack is any action that violates security.
– Active adversary
• An attack has an implicit concept of “intent”
– Router mis-configuration or server crash can also
cause loss of availability, but they are not attacks
13
Friends and enemies: Alice, Bob, Trudy
• well-known in network security world
• Bob, Alice (lovers!) want to communicate “securely”
• Trudy (intruder) may intercept, delete, add messages
Alice Bob
data, control
channel
messages
Trudy
14
Eavesdropping - Message Interception
(Attack on Confidentiality)
• Unauthorized access to information
• Packet sniffers and wiretappers
• Illicit copying of files and programs
A B
Eavesdropper
15
Integrity Attack - Tampering
With Messages
• Stop the flow of the message
• Delay and optionally modify the message
• Release the message again
A B
Perpetrator
16
Authenticity Attack - Fabrication
• Unauthorized assumption of other’s identity
• Generate and distribute objects under this
identity
A B
Masquerader: from A
17
Attack on Availability
• Destroy hardware (cutting fiber) or software
• Modify software in a subtle way (alias commands)
• Corrupt packets in transit
A B
20
Outline
• Overview of Cryptography
• Symmetric Cipher
• Asymmetric Cipher
• One-way Hash Functions and Message Digest
21
Basic Terminology
• plaintext - the original message
• ciphertext - the coded message
• cipher - algorithm for transforming plaintext to ciphertext
• key - info used in cipher known only to sender/receiver
• encipher (encrypt) - converting plaintext to ciphertext
• decipher (decrypt) - recovering ciphertext from plaintext
• cryptography - study of encryption principles/methods
• cryptanalysis (codebreaking) - the study of principles/
methods of deciphering ciphertext without knowing key
• cryptology - the field of both cryptography and
cryptanalysis
22
Classification of Cryptography
• Number of keys used
– Hash functions: no key
– Secret key cryptography: one key
– Public key cryptography: two keys - public, private
• Type of encryption operations used
– substitution / transposition / product
• Way in which plaintext is processed
– block / stream
23
Secret Key vs. Secret Algorithm
24
Unconditional vs. Computational Security
• Unconditional security
– No matter how much computer power is available, the
cipher cannot be broken
– The ciphertext provides insufficient information to
uniquely determine the corresponding plaintext
• Computational security
– The cost of breaking the cipher exceeds the value of
the encrypted info
– The time required to break the cipher exceeds the
useful lifetime of the info
25
Brute Force Search
• Always possible to simply try every key
• Most basic attack, proportional to key size
• Assume either know / recognise plaintext
Key Size (bits) Number of Time required at 1 Time required at 106
Alternative Keys decryption/µs decryptions/µs
32 232 = 4.3 109 231 µs = 35.8 minutes 2.15 milliseconds
56 256 = 7.2 1016 255 µs = 1142 years 10.01 hours
128 2128 = 3.4 1038 2127 µs = 5.4 1024 5.4 1018 years
years
168 2168 = 3.7 1050 2167 µs = 5.9 1036 5.9 1030 years
years
26 characters 26! = 4 1026 2 1026 µs = 6.4 1012 6.4 106 years
(permutation) years 26
Outline
• Overview of Cryptography
• Symmetric Cipher
• Asymmetric Cipher
• One-way Hash Functions and Message Digest
27
Symmetric Cipher Model
28
Requirements
• Two requirements for secure use of symmetric
encryption:
– a strong encryption algorithm
– a secret key known only to sender / receiver
Y = EK(X)
X = DK(Y)
• Assume encryption algorithm is known
• Implies a secure channel to distribute key
29
Block vs Stream Ciphers
• Block ciphers process messages in into blocks,
each of which is then en/decrypted
• Stream ciphers process messages a bit or byte
at a time when en/decrypting
• Many current ciphers are block ciphers, one of
the most widely used types of cryptographic
algorithms
• Most symmetric block ciphers are based on a
Feistel Cipher Structure
30
Feistel Cipher
Structure
• Process through
multiple rounds which
– partitions input block
into two halves
– perform a substitution
on left data half
– based on round function
of right half & subkey
– then have permutation
swapping halves
31
Feistel
Cipher
Decryption
32
DES (Data Encryption Standard)
• Published in 1977, standardized in 1979.
• Key: 64 bit quantity=8-bit parity+56-bit key
– Every 8th bit is a parity bit.
• 64 bit input, 64 bit output.
64 bit M 64 bit C
DES
Encryption
56 bits 33
DES Top View
56-bit Key
64-bit
48-bitInput
K1
Generate keys
Permutation Initial Permutation
48-bit K1
Round 1
48-bit K2
Round 2
…... 48-bit K16
Round 16
64-bit Output 34
DES Summary
• Simple, easy to implement:
– Hardware/gigabits/second,
software/megabits/second
• 56-bit key DES may be acceptable for non-
critical applications but triple DES (DES3)
should be secure for most applications today
• Supports several operation modes (ECB CBC,
OFB, CFB) for different applications
35
Avalanche Effect
• Key desirable property of encryption alg
• Where a change of one input or key bit
results in changing more than half output bits
• DES exhibits strong avalanche
36
Strength of DES – Key Size
• 56-bit keys have 256 = 7.2 x 1016 values
• Brute force search looks hard
• Recent advances have shown is possible
– in 1997 on a huge cluster of computers over the
Internet in a few months
– in 1998 on dedicated hardware called “DES cracker”
by EFF in a few days ($220,000)
– in 1999 above combined in 22hrs!
• Still must be able to recognize plaintext
• No big flaw for DES algorithms 37
DES Replacement
• Triple-DES (3DES)
– 168-bit key, no brute force attacks
– Underlying encryption algorithm the same, no
effective analytic attacks
– Drawbacks
• Performance: no efficient software codes for DES/3DES
• Efficiency/security: bigger block size desirable
40
Outlines
• Symmetric Cipher
– Classical Symmetric Cipher
– Modern Symmetric Ciphers (DES and AES)
• Asymmetric Cipher
• One-way Hash Functions and Message Digest
41
Private-Key Cryptography
• Private/secret/single key cryptography uses one
key
• Shared by both sender and receiver
• If this key is disclosed communications are
compromised
• Also is symmetric, parties are equal
• Hence does not protect sender from receiver
forging a message & claiming is sent by sender
42
Public-Key Cryptography
• Probably most significant advance in the 3000
year history of cryptography
• Uses two keys – a public & a private key
• Asymmetric since parties are not equal
• Uses clever application of number theoretic
concepts to function
• Complements rather than replaces private key
crypto
43
Public-Key Cryptography
• Public-key/two-key/asymmetric cryptography
involves the use of two keys:
– a public-key, which may be known by anybody, and can
be used to encrypt messages, and verify signatures
– a private-key, known only to the recipient, used to
decrypt messages, and sign (create) signatures
• Asymmetric because
– those who encrypt messages or verify signatures
cannot decrypt messages or create signatures
44
Public-Key Cryptography
45
Public-Key Characteristics
• Public-Key algorithms rely on two keys with the
characteristics that it is:
– computationally infeasible to find decryption key
knowing only algorithm & encryption key
– computationally easy to en/decrypt messages when
the relevant (en/decrypt) key is known
– either of the two related keys can be used for
encryption, with the other used for decryption (in
some schemes)
• Analogy to delivery w/ a padlocked box
46
Public-Key Cryptosystems
49
RSA Example
1. Select primes: p=17 & q=11
2. Compute n = pq =17×11=187
3. Compute ø(n)=(p–1)(q-1)=16×10=160
4. Select e : gcd(e,160)=1; choose e=7
5. Determine d: de=1 mod 160 and d < 160 Value is
d=23 since 23×7=161= 10×160+1
6. Publish public key KU={7,187}
7. Keep secret private key KR={23,17,11}
50
How Does RSA Work?
• Given pub = <e, n> and priv = <d, n>
– encryption: c = me mod n, m < n
– decryption: m = cd mod n
– signature: s = md mod n, m < n
– verification: m = se mod n
• decryption:
M = 1123 mod 187 = 88
51
Is RSA Secure?
• Factoring 1024-bit number is very hard!
• But if you can factor big number n then given public
key <e,n>, you can find d, hence the private key by:
– Knowing factors p, q, such that, n = p*q
– Then ø(n) =(p-1)(q-1)
– Then d such that e*d = 1 mod ø(n)
• Threat
– Moore’s law
– Refinement of factorizing algorithms
• For the near future, a key of 1024 or 2048 bits
needed 52
Symmetric (DES) vs. Public Key (RSA)
• Exponentiation of RSA is expensive !
• AES and DES are much faster
– 100 times faster in software
– 1,000 to 10,000 times faster in hardware
• RSA often used in combination in AES and DES
– Pass the session key with RSA
53
Outline
• History of Security and Definitions
• Overview of Cryptography
• Symmetric Cipher
– Classical Symmetric Cipher
– Modern Symmetric Ciphers (DES and AES)
• Asymmetric Cipher
• One-way Hash Functions and Message Digest
54
Confidentiality => Authenticity ?
• Symmetric cipher ?
– Shared key problem
– Plaintext has to be intelligible/understandable
• Asymmetric cipher?
– Too expensive
– Plaintext has to be intelligible/understandable
– Desirable to cipher on a much smaller size of data
which uniquely represents the long message
55
Hash Functions
• Condenses arbitrary message to fixed size
h = H(M)
• Usually assume that the hash function is public
and not keyed
• Hash used to detect changes to message
• Can use in various ways with message
• Most often to create a digital signature
56
Hash Functions & Digital Signatures
57
Requirements for Hash Functions
60
General Structure of Secure Hash Code
63
MD5 Overview
1. Pad message so its length is 448 mod 512
2. Append a 64-bit original length value to message
3. Initialise 4-word (128-bit) MD buffer (A,B,C,D)
4. Process message in 16-word (512-bit) blocks:
– Using 4 rounds of 16 bit operations on message block &
buffer
– Add output to buffer input to form new buffer value
5. Output hash value is the final buffer value
64
Secure Hash Algorithm
• SHA is specified as the hash algorithm in the
Digital Signature Standard (DSS), NIST, 1993
• Input message must be < 264 bits
– not really a problem
• Message is processed in 512-bit blocks
sequentially
• Message digest is 160 bits
65
SHA-1 verses MD5
• Brute force attack is harder (160 vs 128 bits for
MD5)
• A little slower than MD5 (80 vs 64 steps)
– Both work well on a 32-bit architecture
• Both designed as simple and compact for
implementation
• Cryptanalytic attacks
– MD4/5: vulnerability discovered since its design
– SHA-1: no until recent 2005 results raised concerns on
its use in future applications
66
Revised Secure Hash Standard
• NIST have issued a revision in 2002
• Adds 3 additional hash algorithms
• SHA-256, SHA-384, SHA-512
– Collectively called SHA-2
• Designed for compatibility with increased
security provided by the AES cipher
• Structure & detail are similar to SHA-1
• Hence analysis should be similar, but security
levels are rather higher
67
Backup Slides
68
Classical Substitution Ciphers
• Letters of plaintext are replaced by other
letters or by numbers or symbols
• Plaintext is viewed as a sequence of bits, then
substitution replaces plaintext bit patterns
with ciphertext bit patterns
69
Caesar Cipher
• Earliest known substitution cipher
• Replaces each letter by 3rd letter on
• Example:
meet me after the toga party
PHHW PH DIWHU WKH WRJD SDUWB
70
Caesar Cipher
• Define transformation as:
a b c d e f g h i j k l m n o p q r s t u v w x y z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
0 1 2 3 4 5 6 7 8 9 10 11 12
n o p q r s t u v w x y Z
13 14 15 16 17 18 19 20 21 22 23 24 25
72
Monoalphabetic Cipher
• Rather than just shifting the alphabet
• Could shuffle (jumble) the letters arbitrarily
• Each plaintext letter maps to a different random
ciphertext letter
• Key is 26 letters long
Plain: abcdefghijklmnopqrstuvwxyz
Cipher: DKVQFIBJWPESCXHTMYAUOLRGZN
Plaintext: ifwewishtoreplaceletters
Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA
73
Monoalphabetic Cipher Security
• Now have a total of 26! = 4 x 1026 keys
• Is that secure?
• Problem is language characteristics
– Human languages are redundant
– Letters are not equally commonly used
74
English Letter Frequencies
Note that all human languages have varying letter frequencies, though the
number of letters and their frequencies varies. 75
Example Cryptanalysis
• Given ciphertext:
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ
VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX
EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
76
Transposition Ciphers
• Now consider classical transposition or
permutation ciphers
• These hide the message by rearranging the
letter order, without altering the actual
letters used
• Any shortcut for breaking it?
• Can recognise these since have the same
frequency distribution as the original text
77
Rail Fence Cipher
• Write message letters out diagonally over a
number of rows
• Then read off cipher row by row
• E.g., write message out as:
m e m a t r h t g p r y
e t e f e t e o a a t
• Giving ciphertext
MEMATRHTGPRYETEFETEOAAT
78
Product Ciphers
• Ciphers using substitutions or transpositions are
not secure because of language characteristics
• Hence consider using several ciphers in succession
to make harder, but:
– Two substitutions make another substitution
– Two transpositions make a more complex transposition
– But a substitution followed by a transposition makes a
new much harder cipher
• This is bridge from classical to modern ciphers
79
Cryptanalysis Scheme
• Ciphertext only:
– Exhaustive search until “recognizable plaintext”
– Need enough ciphertext
• Known plaintext:
– Secret may be revealed (by spy, time), thus <ciphertext,
plaintext> pair is obtained
– Great for monoalphabetic ciphers
• Chosen plaintext:
– Choose text, get encrypted
– Pick patterns to reveal the structure of the key
80
One-Time Pad
• If a truly random key as long as the message is
used, the cipher will be secure - One-Time pad
• E.g., a random sequence of 0’s and 1’s XORed to
plaintext, no repetition of keys
• Unbreakable since ciphertext bears no
statistical relationship to the plaintext
• For any plaintext, it needs a random key of the
same length
– Hard to generate large amount of keys
• Have problem of safe distribution of key
81
Rotor Machines
• Before modern ciphers,
rotor machines were
most common complex
ciphers in use
• Widely used in WW2
– German Enigma, Allied
Hagelin, Japanese Purple
• Implemented a very
complex, varying
substitution cipher
82
Substitution-Permutation Ciphers
• Substitution-permutation (S-P) networks
[Shannon, 1949]
– modern substitution-transposition product cipher
• These form the basis of modern block ciphers
• S-P networks are based on the two primitive
cryptographic operations
– substitution (S-box)
– permutation (P-box)
• provide confusion and diffusion of message
83
Confusion and Diffusion
• Cipher needs to completely obscure statistical
properties of original message
• A one-time pad does this
• More practically Shannon suggested S-P networks
to obtain:
• Diffusion – dissipates statistical structure of
plaintext over bulk of ciphertext
• Confusion – makes relationship between
ciphertext and key as complex as possible
84
Bit Permutation (1-to-1)
1 2 3 4 32
Input: 0 0 1 0 ……. 1
1 bit
Output 1 0 1 1 …….. 1
22 6 13 32 3
85
Block Cipher Principles
• Block ciphers look like an extremely large
substitution
• Would need table of 264 entries for a 64-bit
block
• Instead create from smaller building blocks
• Using idea of a product cipher
86
Ideal Block Cipher
87
Per-Round Key Generation
Initial Permutation of DES key
E
One 48 bits
Mangler
Round Function 48 bits
Encryption S-Boxes Ki
32 bits
90
Using Hash for Authentication
Assuming share a key KAB
• Alice to Bob: challenge rA
• Bob to Alice: MD(KAB|rA)
• Bob to Alice: rB
• Alice to Bob: MD(KAB|rB)
• Only need to compare MD results
91
Using Hash to Encrypt
92
Basic Steps...
Step 4: the 80-step processing of 512-bit blocks
– 4 rounds, 20 steps each.
Each step t (0 <= t <= 79):
– Input:
• Wt – a 32-bit word from the message
• Kt – a constant.
• ABCDE: current MD.
– Output:
• ABCDE: new MD.
93