CS549: Cryptography and Network Security
© by Xiang-Yang Li
Department of Computer Science, IIT
Cryptography and Network Security 2

Notice ©
This lecture note (Cryptography and Network Security) is prepared by Xiang-Yang Li. This lecture note has benefited from numerous textbooks and online materials, especially the "Cryptography and Network Security" 2nd edition by William Stallings and "Cryptography: Theory and Practice" by Douglas Stinson.
You may not modify, publish, or sell, reproduce, create derivative works from, distribute, perform, display, or in any way exploit any of the content, in whole or in part, except as otherwise expressly permitted by the author.
The author has used his best efforts in preparing this lecture note. The author makes no warranty of any kind, expressed or implied, with regard to the programs and protocols contained in this lecture note. The author shall not be liable in any event for incidental or consequential damages in connection with, or arising out of, the furnishing, performance, or use of these.

About Instructor
- Associate Professor, IIT
- PhD/MS, UIUC 1997-2000
- BS, BE, Tsinghua University
- Research Interests:
  - Algorithm design and analysis
  - Wireless networks
  - Game theory
  - Computational geometry
- Contact Information
  - Phone: 312-567-5207
  - Email: xli@cs.iit.edu

Office and Office Hours
- Office
  - SB 237D
- Office hours
  - Monday 3:10PM - 4:10PM
  - Wednesday 3:10PM - 4:10PM
  - Or by contact: email xli@cs.iit.edu, phone 312-567-5207

About This Course
- Textbooks
  - Cryptography: Theory and Practice, by Douglas R. Stinson, CRC Press
  - Cryptography and Network Security: Principles and Practice, by William Stallings, Prentice Hall
  - Handbook of Applied Cryptography, by Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone, CRC Press
    - I have an electronic version!

Grading and Others
- Grading
  - Homework 30%
  - Mid Term 25%
  - Project 20% (select your own topic)
    - 15 pages report
  - Final exam 25% (closed book)
- Policy
  - Do it yourself
  - Can use library, Internet and so on, but you have to cite the sources when you use this information

Homeworks
- Do it independently
  - No discussion
  - No copying
  - Can use reference books
- Staple your solution
  - Write your name also ©
- For the report,
  - you could discuss with classmates, then write your own report (about 10 pages for the topic you selected)
- For the project (presentation and programming)
  - You SHOULD collaborate with your group members and you SHOULD make enough contributions to get credit
- HW1 (Due 2/14/08)
- HW2 (Due 3/14/08)
- HW3 (Due 4/11/08)
- Report (Due 05/05/08)
Type your solution! And print it, then submit.

Topics
- Introduction
- Number Theory
- Traditional Methods: secret key system
- Modern Methods: public key system
- Digital Signature and others
- Internet Security: DoS, DDoS
- Other topics:
  - secret sharing, zero-knowledge proof, bit commitment, oblivious transfer, ...

Organization
- Chapters
  - Introduction
  - Number Theory
  - Conventional Encryption
  - Block Ciphers
  - Public Key System
  - Key Management
  - Hash Function and Digital Signature
  - Identification
  - Secret Sharing
  - Pseudorandom Number Generation
  - Email Security
  - Internet Security
  - Others

Cryptography and Network Security
Introduction
Xiang-Yang Li

Introduction
"The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable."
The Art of War, Sun Tzu

Criteria for Desirable Cryptosystems
- Confidence in security established
  - Hard or intractable problems?
- Practical efficiency
  - Space, time and so on
- Explicitness
  - About its environment assumptions, the security services offered, special cases in math assumptions
- Protection tuned to application needs
  - No less, no more
- Openness

Most Important
- Security first
- Efficiency, resource utilization, and security tradeoffs
  - This is especially the case for resource-constrained networks such as wireless sensor networks
    - Limited power supply (thus limited communication and computation), limited storage space

Cryptography
- Cryptography (from Greek kryptós, "hidden", and gráphein, "to write") is, traditionally, the study of means of converting information from its normal, comprehensible form into an incomprehensible format, rendering it unreadable without secret knowledge — the art of encryption.
- Past: Cryptography helped ensure secrecy in important communications, such as those of spies, military leaders, and diplomats.
- In recent decades, cryptography has expanded its remit in two ways
  - mechanisms for more than just keeping secrets: schemes like digital signatures and digital cash, for example.
  - in widespread use by many civilians, and users are not aware of it.

Cryptography, Cryptanalysis, Cryptology
- The study of how to circumvent the use of cryptography is called cryptanalysis, or codebreaking.
- Cryptography and cryptanalysis are sometimes grouped together under the umbrella term cryptology, encompassing the entire subject.
- In practice, "cryptography" is also often used to refer to the field as a whole; crypto is an informal abbreviation.
- Cryptography is an interdisciplinary subject:
  - linguistics
  - mathematics: number theory, information theory, computational complexity, statistics and combinatorics
  - engineering

Close, but Different Fields
- Steganography
  - the study of hiding the very existence of a message, and not necessarily the contents of the message itself (for example, microdots, or invisible ink)
  - http://en.wikipedia.org/wiki/Steganography
- Traffic analysis
  - the analysis of patterns of communication in order to learn secret information
    - The messages could be encrypted
  - http://en.wikipedia.org/wiki/Traffic_analysis

Steganography Example
(figure; caption: "Last 2 bits")

Tools for Steganography
- http://www.jjtc.com/Steganography/toolmatrix.htm

Network Security Model
(figure: two principals exchanging messages, each applying a security transformation, with a trusted third party and an attacker on the channel)

Attacks, Services and Mechanisms
- Security attacks
  - An action that compromises the information security
  - Could be passive or active attacks
- Security services
  - Actions that can prevent or detect such attacks.
  - Such as authentication, identification, encryption, signature, secret sharing and so on.
- Security mechanisms
  - The ways to provide such services
  - Detect, prevent and recover from a security attack

Attacks
- Passive attacks
  - Interception
    - Release of message contents
    - Traffic analysis
- Active attacks
  - Interruption, modification, fabrication
    - Masquerade
    - Replay
    - Modification
    - Denial of service

Information Transferring
(figure: normal flow of information from sender to receiver)

Attack: Interruption
- Cut wire lines, jam wireless signals, drop packets

Attack: Interception
- Wiretapping, eavesdropping

Attack: Modification
- Intercept, then replace the information

Attack: Fabrication
- Also called impersonation

Important Services of Security
- Confidentiality, also known as secrecy:
  - only an authorized recipient should be able to extract the contents of the message from its encrypted form. Otherwise, it should not be possible to obtain any significant information about the message contents.
- Integrity:
  - the recipient should be able to determine if the message has been altered during transmission.
- Authentication:
  - the recipient should be able to identify the sender, and verify that the purported sender actually did send the message.
- Non-repudiation:
  - the sender should not be able to deny sending the message.

Secure Communication
- Protecting data locally only solves a minor part of the problem. The major challenge that is introduced by the Web Service security requirements is to secure data transport between the different components. Combining mechanisms at different levels of the Web Services protocol stack can help secure data transport (see figure on the next slide).

Secure Communication
(figure: the Web Services protocol stack with security mechanisms at its different levels)

Secure Communication
- The combined protocol HTTP/TLS or SSL is often referred to as HTTPS (see figure). SSL was originally developed by Netscape for secure communication on the Internet, and was built into their browsers. SSL version 3 was then adopted by the IETF and standardized as the Transport Layer Security (TLS) protocol.
- Use of Public Key Infrastructure (PKI) for session key exchange during the handshake phase of TLS has been quite successful in enabling Web commerce in recent years.
- TLS also has some known vulnerabilities: it is susceptible to man-in-the-middle attacks and denial-of-service attacks.

SOAP Security
- SOAP (Simple Object Access Protocol) is designed to pass through firewalls as HTTP. This is disquieting from a security point of view. Today, the only way we can recognize a SOAP message is by parsing XML at the firewall. The SOAP protocol makes no distinction between reads and writes on a method level, making it impossible to filter away potentially dangerous writes. This means that a method either needs to be fully trusted or not trusted at all.
- The SOAP specification does not address security issues directly, but allows for them to be implemented as extensions.
  - As an example, the extension SOAP-DSIG defines the syntax and processing rules for digitally signing SOAP messages and validating signatures. Digital signatures in SOAP messages provide integrity and non-repudiation mechanisms.

PKI
- PKI key management provides a sophisticated framework for securely exchanging and managing keys. The two main technological features which a PKI can provide to Web Services are:
  - Encryption of messages: by using the public key of the recipient
  - Digital signatures: non-repudiation mechanisms provided by PKI and defined in SOAP standards may provide Web Services applications with legal protection mechanisms
- Note that the features provided by PKI address the same basic needs as those that are recognized by the standardization organizations as being important in a Web Services context.
- In Web Services, PKI mainly intervenes at two levels:
  - At the SOAP level (non-repudiation, integrity)
  - At the HTTPS level (TLS session negotiation, eventually assuring authentication, integrity and privacy)

Some Basic Concepts

Cryptography
- Cryptography is the study of
  - Secret (crypto) writing (graphy)
- Concerned with developing algorithms that:
  - Conceal the content of some message from all except the sender and recipient (privacy or secrecy), and/or
  - Verify the correctness of a message to the recipient (authentication)
  - Form the basis of many technological solutions to computer and communications security problems

Basic Concepts
- Cryptography
  - encompassing the principles and methods of transforming an intelligible message into one that is unintelligible, and then retransforming that message back to its original form
- Plaintext
  - The original intelligible message
- Ciphertext
  - The transformed message
- Message
  - Is treated as a nonnegative integer hereafter

Basic Concepts
- Cipher
  - An algorithm for transforming an intelligible message into an unintelligible one by transposition and/or substitution, or some other techniques
- Keys
  - Some critical information used by the cipher, known only to the sender and/or receiver
- Encipher (encode)
  - The process of converting plaintext to ciphertext
- Decipher (decode)
  - The process of converting ciphertext back into plaintext

Basic Concepts
- Cipher
  - an algorithm for encryption and decryption. The exact operation of ciphers is normally controlled by a key — some secret piece of information that customizes how the ciphertext is produced
- Protocols
  - specify the details of how ciphers (and other cryptographic primitives) are to be used to achieve specific tasks.
  - A suite of protocols, ciphers, key management, and user-prescribed actions implemented together as a system constitutes a cryptosystem;
  - this is what an end-user interacts with, e.g. PGP

Encryption and Decryption
(figure: plaintext P is enciphered into ciphertext C and deciphered back to P)
- Encipher: C = E_{K1}(P)
- Decipher: P = D_{K2}(C)
- K1, K2: from the keyspace
  - These two keys could be different; it could be difficult to get one from the other

What is Security?
- Two fundamentally different kinds of security
  - Unconditional security
    - No matter how much computing power is available, the cipher cannot be broken
    - Using Shannon's information theory
      - The entropy of the message I(M) is the same as the entropy of the message I(M|C) when the ciphertext (and possibly more) is known
  - Computational security
    - Given limited computing resources (e.g. the time needed for the calculations is greater than the age of the universe), the cipher cannot be broken
      - What do we mean by "broken"?
    - Proved by some complexity equivalence approach

Cryptography and Network Security
Elementary Number Theory
Xiang-Yang Li

Number Theory
- Elementary number theory
  - Main topic of this course
  - divisibility, the Euclidean algorithm to compute greatest common divisors, factorization
  - Fermat's little theorem and Euler's theorem, the Chinese remainder theorem and Euler's φ function are investigated
- Analytic number theory
- Algebraic number theory
- Geometric number theory
- Computational number theory

Introduction to Number Theory
- Divisors
  - b|a if a = mb for an integer m
  - b|a and c|b, then c|a
  - b|g and b|h, then b|(mg+nh) for any integers m, n
- Prime number
  - p has only the positive divisors 1 and p
- Relatively prime numbers
  - No common divisors for p and q except 1

Prime Numbers
- Up to 200
  - 2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101 103 107 109 113 127 131 137 139 149 151 157 163 167 173 179 181 191 193 197 199
- Largest known so far (as of 2008, Jan 22)
  - 2^32582657 - 1 with 9808358 digits (found 2006 using proof code G9)
  - When 2^n - 1 is prime it is said to be a Mersenne prime (Mersenne: a French monk, 1588-1648; conjecture 1644). Clearly n must be odd.
- How many prime numbers are there?
  - Infinitely many; Euclid gave a simple proof
    - Proof by contradiction
    - They are also irregularly placed (arbitrary gaps)
  - How many in the range [0,n]? ⇒ Θ(n / log n)
    - Approximately, the nth prime ≈ n log n
  - How many primes with d bits, approximately? ~ Θ(2^d / d)

Determining Primes?
- How to determine if a given number n is prime?
  - Deterministic brute-force testing
    - Test whether a number a | n, for a in a certain range
  - Random testing
    - A prime number should satisfy some properties
    - If a number x does NOT have one of such properties, then this x is NOT a prime
      - Otherwise, it may be a prime number
      - Properties: for any number a, a does not divide x, ...
      - More properties will be studied and used to design efficient methods

Greatest Common Divisor (GCD)
- Greatest common divisor gcd(a,b)
  - The largest number that divides both a and b
- Euclid's algorithm
  - Find the GCD of two numbers a and b, a < b
- Use the fact that if a and b have a divisor d, so do a-b, a-2b, ...
  - d | ma + nb
  - d | a - b
  - d | a - 2b
  - d | a - 3b
  - d | a - qb

Cont.
- GCD(a,b) is given by:
  - let g_0 = b
  - g_1 = a
  - g_{i+1} = g_{i-1} mod g_i
  - when g_i = 0 then gcd(a,b) = g_{i-1}
- The algorithm terminates in O(log b) rounds
  - Why?
  - Every round, the total number of bits of a and b is decreased by at least one
  What is a more precise complexity bound?

Properties
- For any two integers a and b
  - There exist integers m and n: gcd(a,b) = ma + nb
  - Example:
    - a=2, b=3; we choose m=-1, n=1 so -2+3=1
    - a=6, b=11; we choose m=2, n=-1 so 2*6-11=1
  - Simple proof?
- Integer n can be factored as
  - n = p_1^{a_1} p_2^{a_2} p_3^{a_3} ... p_n^{a_n} where each p_i is a prime number

Extended Euclidean Algorithm
- Input are two integers a and b; it computes
  - their greatest common divisor (gcd) as well as
  - integers x and y such that ax + by = gcd(a, b).
- It later can also be used to compute the inverse of an integer, a^{-1} mod n

Proof
- Assume we compute gcd(x_0, y_0), x_0 > y_0
  - Let X_i = (x_i, y_i); y_{i+1} = x_i - q_{i+1} y_i with 0 ≤ y_{i+1} < y_i
  - Then X_i = M_i X_{i-1}, where M_i = (0, 1; 1, -q_i)
  - Assume the gcd algorithm terminates in n steps
  - We have M_n M_{n-1} ... M_1 X_0 = (gcd(x_0, y_0), 0)^T
  - Assume M_n M_{n-1} ... M_1 = (a, b; c, d)
  - Then a x_0 + b y_0 = gcd(x_0, y_0)
  - The above algorithm is to keep track of a, b, c, d, and the x_i, y_i values.

Modular Arithmetic
- Congruence
  - a ≡ b mod n says that when divided by n, a and b have the same remainder
  - It defines a relationship between all integers
    - a ≡ a
    - a ≡ b then b ≡ a
    - a ≡ b, b ≡ c then a ≡ c

Cont.
- Addition
  - (a+b) mod n ≡ (a mod n) + (b mod n)
- Subtraction
  - (a-b) mod n ≡ a + (-b) mod n
- Multiplication
  - a*b mod n
  - derived from repeated addition
  - Possible: a*b ≡ 0 where neither a nor b ≡ 0 mod n
    - Example: 2*3 ≡ 0 mod 6

Addition and Multiplication
- Integers modulo n with addition and multiplication form a commutative ring with the laws of
  - Associativity
    - (a+b)+c ≡ a+(b+c) mod n
  - Commutativity
    - a+b ≡ b+a mod n
  - Distributivity
    - (a+b)*c ≡ (a*c)+(b*c) mod n

Cont.
- Division
  - b/a mod n
  - multiply by the inverse of a: b/a = b*a^{-1} mod n
  - a^{-1}*a ≡ 1 mod n
  - 3^{-1} ≡ 7 mod 10 because 3*7 ≡ 1 mod 10
  - The inverse does not always exist!
    - Only when gcd(a,n)=1

Euclid's Extended GCD Routine
- If (a,n)=1 then the inverse always exists
- Can extend Euclid's algorithm to find the inverse by keeping track of g_i = u_i·n + v_i·a
- Extended Euclid's (or binary GCD) algorithm to find the inverse of a number a mod n (where (a,n)=1) is:

Inverse
- Inverse(a,n) is given by:
  1. X=(x1,x2,x3)=(1,0,n); Y=(y1,y2,y3)=(0,1,a)
  2. If y3=0 return x3=gcd(a,n); no inverse
  3. If y3=1 return y3=gcd(a,n); y2 = a^{-1} mod n
  4. Q=[x3/y3]
  5. T=X-Q*Y
  6. X=Y; Y=T
  7. Goto 2nd step

When the Inverse Exists
- If gcd(a,n)=1 ⇒ the inverse exists
  - We can find x, y such that ax+ny=1
  - Then x = a^{-1} mod n
- If the inverse exists ⇒ gcd(a,n)=1
  - Let x be the inverse of a, i.e., ax ≡ 1 mod n
  - Then xa = 1 + qn for some integer q
  - Let gcd(a,n)=d. Then d | (xa - qn)
  - Obviously d=1 since xa - qn = 1

Galois Field
- If n is constrained to be a prime number p, then this forms a Galois field modulo p, denoted GF(p), and all the normal laws associated with integer arithmetic work
- Exponentiation
  - b = a^e mod p
- Discrete logarithms
  - find x where a^x = b mod p

Relative Primes
- Two numbers a and n are relatively prime if
  - gcd(a,n)=1
- Consider all integers 0 < a < n
  - How many are relatively prime to n?
  - Equivalently, how many a such that a^{-1} mod n exists
- Typically
  - Z_n = {0,1,2,...,n-1}: all integers 0 <= a < n
  - Z_n^* = {a | 0 <= a < n, gcd(a,n)=1}
    - All integers in Z_n that are coprime with n
    - Also called the reduced residue set mod n

Euler Totient Function
- If we consider arithmetic modulo n, then a reduced set of residues is the subset of the complete set of residues modulo n consisting of those relatively prime to n
  - e.g. for n=10,
  - the complete set of residues is {0,1,2,3,4,5,6,7,8,9}
  - the reduced set of residues is {1,3,7,9}
- The number of elements in the reduced set of residues is called the Euler Totient function φ(n)

cont
- Compute φ(n)
  - If the factoring of n is known
    - φ(n) = n Π(1 - 1/p_i) where the p_i are its prime factors
  - Otherwise
    - It is expensive!
    - But not proved yet
- Computing φ(n) when knowing the fact n = pq but not the numbers p and q
  - Conjectured to be a hard question
  - But not proved yet.
  - Equivalent to finding p and q

cont
- Equivalency: finding p, q ⇔ computing φ(n)
- Proof
  - ⇒ If we found p and q, then φ(n) = (p-1)(q-1)
  - ⇐ If we found φ(n), then solve p, q from the equations
    n = p × q
    φ(n) = (p-1)(q-1)

Euler's Theorem
- Let gcd(a,n)=1, then
  - a^{φ(n)} mod n = 1
- Proof:
  - consider all reduced residues x_i in
    - Z_n^* = {x | 0 <= x < n, gcd(x,n)=1}
  - Then a·x_i, 1 <= i <= φ(n), also form a reduced residue set
  - Using Π a·x_i = Π x_i mod n
    - Using that Z_n^* and a·Z_n^* are the same set!
  - We have a^{φ(n)} Π x_i = Π x_i mod n
  - Thus, a^{φ(n)} = 1 mod n
    - Using the fact that Π x_i has an inverse

Fermat's Little Theorem
- Let p be a prime and gcd(a,p)=1, then
  - a^{p-1} mod p = 1
  - Proof: similar to the proof of Euler's theorem
  - But consider all integers in Z_p
- Generally, for any prime number p
  - a^p mod p = a (true for any number a)
- Generally, for any number n=pq
  - a^{φ(n)} mod n = a (true for any number a)
    - Need to prove for the case gcd(a,n)>1
    Do it yourself
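
The following is an added example, not code from the lecture notes. It covers the three preceding slides: φ(n) from a known factorization via n·Π(1 − 1/p_i), φ(n) from its definition as the size of the reduced residue set, Euler's and Fermat's theorems checked numerically, and the "finding p,q ⇔ computing φ(n)" equivalence, recovering p and q from n = pq and φ(n) by solving z² − (p+q)z + n = 0. Function names and the sample values (n = 3233 = 53·61) are my own.

```python
# Added example, not from the lecture notes: phi(n) from a known
# factorization, phi(n) from its definition, Euler's and Fermat's theorems
# checked numerically, and recovering p, q from n = pq and phi(n).
from math import gcd, isqrt

def factorize(n):
    """Trial-division factorization of n as a list of (prime, exponent)."""
    factors = []
    p = 2
    while p * p <= n:
        if n % p == 0:
            e = 0
            while n % p == 0:
                n //= p
                e += 1
            factors.append((p, e))
        p += 1
    if n > 1:
        factors.append((n, 1))
    return factors

def phi(n):
    """phi(n) = n * prod(1 - 1/p_i) over the distinct prime factors p_i,
    evaluated in integers as (n / p_i) * (p_i - 1) to avoid fractions."""
    result = n
    for p, _ in factorize(n):
        result = result // p * (p - 1)
    return result

def phi_by_count(n):
    """The definition: size of the reduced residue set {a : 0 <= a < n, gcd(a, n) = 1}."""
    return sum(1 for a in range(n) if gcd(a, n) == 1)

def euler_holds(a, n):
    """Euler: gcd(a, n) = 1 implies a^phi(n) ≡ 1 (mod n)."""
    return gcd(a, n) == 1 and pow(a, phi(n), n) == 1

def fermat_holds(a, p):
    """Fermat (general form): a^p ≡ a (mod p) for prime p and any a."""
    return pow(a, p, p) == a % p

def recover_pq(n, phi_n):
    """n = p*q and phi(n) = (p-1)(q-1) give p + q = n - phi(n) + 1, so p and q
    are the roots of z^2 - (p+q) z + n = 0.  Returns (p, q) or None."""
    s = n - phi_n + 1                 # p + q
    disc = s * s - 4 * n              # (p + q)^2 - 4pq = (p - q)^2
    if disc < 0:
        return None
    r = isqrt(disc)
    if r * r != disc:
        return None                   # not a perfect square: phi_n is wrong
    p, q = (s - r) // 2, (s + r) // 2
    return (p, q) if p * q == n else None

if __name__ == "__main__":
    print(phi(10), phi_by_count(10))          # 4 4
    print(euler_holds(3, 10))                 # True: 3^4 = 81 ≡ 1 (mod 10)
    print(recover_pq(3233, 3120))             # (53, 61), constructed sample n = 53*61
```

recover_pq is exactly the ⇐ direction of the equivalence slide: given φ(n) for n = pq, the factorization follows from one square root, which is why leaking φ(n) is as bad as leaking the factors.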

Efficient Computing of Exponentials
- Compute a^b mod n efficiently when b, n are large?
  - Example: compute a^1024 mod 2^1024 + 1
  - Simple approach: repetitively multiply by a 1024 times?
  - Efficient computation:
    - Write the number b in binary format as x_k x_{k-1} x_{k-2} ... x_2 x_1 x_0
    - Let t_1 = a mod n. Then compute t_{i+1} = t_i * t_i mod n for i < k
    - Then
      a^b mod n = a^{(x_k x_{k-1} ... x_2 x_1 x_0)_2} mod n
                = a^{Σ_{0≤i≤k} x_i 2^i} mod n
                = Π_{0≤i≤k} [a^{2^i}]^{x_i} mod n
                = Π_{0≤i≤k, x_i=1} t_{i+1} mod n
    Time complexity?
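
The following is an added example, not code from the lecture notes: square-and-multiply exactly as the slide describes it, keeping t_{i+1} = t_i² mod n = a^{2^i} mod n while scanning the bits x_i of b, next to the naive repeated multiplication it replaces, with a count of modular multiplications for each so the "Time complexity?" question can be answered on the slide's own example. Function names are my own.

```python
# Added example, not from the lecture notes: square-and-multiply
# exponentiation a^b mod n following the slide (scan the bits x_i of b,
# keep t_{i+1} = t_i^2 mod n, multiply in the factors with x_i = 1),
# beside the naive "multiply b times" approach it replaces.

def mod_exp(a, b, n):
    """a^b mod n with one squaring per bit of b and one extra multiply per 1-bit."""
    if n == 1:
        return 0
    result = 1
    t = a % n                  # t_1 = a mod n, i.e. a^{2^0} mod n
    while b > 0:
        if b & 1:              # bit x_i = 1: include the factor a^{2^i}
            result = (result * t) % n
        t = (t * t) % n        # t_{i+1} = t_i * t_i mod n
        b >>= 1
    return result

def naive_mod_exp(a, b, n):
    """The slide's 'simple approach': multiply by a, b times (b multiplications)."""
    result = 1 % n
    for _ in range(b):
        result = (result * a) % n
    return result

def mults_square_and_multiply(b):
    """Modular multiplications mod_exp performs for exponent b:
    one squaring per bit plus one multiply per set bit."""
    return b.bit_length() + bin(b).count("1")

def mults_naive(b):
    """Modular multiplications naive_mod_exp performs: b."""
    return b

if __name__ == "__main__":
    n = 2 ** 1024 + 1                       # the slide's modulus
    print(mod_exp(3, 1024, n) == naive_mod_exp(3, 1024, n))   # True
    print(mults_square_and_multiply(1024), mults_naive(1024)) # 12 1024
```

For b = 1024 = 2^10 the square-and-multiply loop does 11 squarings and 1 multiply against 1024 naive multiplications; in general the cost is O(log b) multiplications, each on numbers of size log n, which is the intended answer to the slide's question.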

Chinese Remainder Theorem
- By Qin Jiushao
- Let m_1, m_2, ..., m_k be pairwise relatively prime numbers
- Assume integer x ≡ a_i mod m_i for 1 <= i <= k
- Then x = Σ a_i e_i mod M
  - Where M = Π m_i; M_i = M / m_i
  - e_i = M_i * (M_i^{-1} mod m_i)
- Proof
  - For each i, the integers m_i and M/m_i are coprime, and using the extended Euclidean algorithm we can find integers r and s such that r m_i + s M/m_i = 1. If we set e_i = s M/m_i, then we have e_i ≡ 1 mod m_i and e_i ≡ 0 mod m_j for j ≠ i.

General CRT
- Sometimes, the simultaneous congruences can be solved even if the m_i's are not pairwise coprime.
  - a solution x exists if and only if a_i ≡ a_j (mod gcd(m_i, m_j)) for all i and j.
  - All solutions x are congruent modulo the least common multiple of the m_i.
  - Method: successive substitution

Example
- Consider the simultaneous congruences
  - x ≡ 3 (mod 4)
  - x ≡ 5 (mod 6)
- Can be transformed to
  - x ≡ 3 (mod 4)
  - x ≡ 5 (mod 2) ⇒ x ≡ 1 (mod 2)
  - x ≡ 5 (mod 3)
- Then transformed to
  - x ≡ 3 (mod 4)
  - x ≡ 2 (mod 3)
- Using CRT
  - x ≡ 11 (mod 12)
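
The following is an added example, not code from the lecture notes. It implements the CRT formula from the theorem slide (e_i = M_i·(M_i^{-1} mod m_i) for pairwise coprime moduli) and the general successive-substitution solver from the "General CRT" slide, which merges one congruence at a time, detects the inconsistent case a_i ≢ a_j (mod gcd(m_i, m_j)), and returns the solution modulo lcm(m_i). It reproduces the example above (x ≡ 3 mod 4, x ≡ 5 mod 6 ⇒ x ≡ 11 mod 12). Function names are my own; pow(x, -1, m) is Python's built-in modular inverse.

```python
# Added example, not from the lecture notes: the CRT formula from the slide
# (pairwise coprime moduli) and the general, successive-substitution solver
# for moduli that need not be coprime (the 'General CRT' and 'Example' slides).
from math import gcd

def crt_coprime(residues, moduli):
    """x = sum(a_i * e_i) mod M with M = prod m_i, M_i = M / m_i and
    e_i = M_i * (M_i^{-1} mod m_i).  Moduli must be pairwise coprime."""
    M = 1
    for m in moduli:
        M *= m
    x = 0
    for a, m in zip(residues, moduli):
        M_i = M // m
        e_i = M_i * pow(M_i, -1, m)   # e_i ≡ 1 (mod m_i) and ≡ 0 (mod m_j), j != i
        x += a * e_i
    return x % M

def crt_general(residues, moduli):
    """Successive substitution.  Merges one congruence at a time into
    x ≡ r (mod L); returns (r, L) with L = lcm(moduli), or None when some
    pair has a_i != a_j (mod gcd(m_i, m_j))."""
    x, L = 0, 1                       # start from x ≡ 0 (mod 1): every integer
    for a, m in zip(residues, moduli):
        g = gcd(L, m)
        if (a - x) % g != 0:
            return None               # inconsistent pair of congruences
        mg = m // g
        # solve x + L*t ≡ a (mod m)  <=>  (L/g)*t ≡ (a-x)/g (mod m/g)
        t = ((a - x) // g) * pow(L // g, -1, mg) % mg if mg > 1 else 0
        x += L * t
        L *= mg                       # L becomes lcm(L, m)
        x %= L
    return x, L

if __name__ == "__main__":
    print(crt_general([3, 5], [4, 6]))      # (11, 12): the slide's example
    print(crt_coprime([3, 2], [4, 3]))      # 11: after reducing to coprime moduli
    print(crt_general([1, 2], [4, 6]))      # None: 1 != 2 (mod gcd(4, 6) = 2)
```

The general solver never needs the manual "transform to coprime moduli" step from the example slide: the gcd check at each merge is the existence condition, and the running modulus L is the lcm the slide mentions.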

Primality Testing
- To check if there exists an integer a such that a | n
  - Primary school method
    - Test a = 2,3,4,5,6,...,n-1
    - Test a = 2,3,4,5,..., n^0.5
    - Test a = 2,3,5,7,11,..., p, where the prime number p <= n^0.5
  - Too slow!
    - Check almost n numbers
    - Check n^0.5 numbers
    - At least around (n/ln n)^0.5 numbers need to be checked
- Example
  - Number n ~ 2^1024, then
  - (n/ln n)^0.5 ~ (2^1024/1024)^0.5 ~ 2^507
  - Assume 2^30 numbers per second; takes about 2^{507-30*16} = 2^27 days
- Any improvement?

Classification of Primality Tests
- The quick tests for small numbers and probable primes
  - Finding very small primes: trial division
  - Fermat, probable-primality and pseudoprimes
  - Strong probable-primality and a practical test
- The classical tests
  - N-1 tests (and Pepin's test for Fermat numbers)
  - N+1 tests (and the Lucas-Lehmer test for Mersenne numbers)
  - A combined test, and more
- The general purpose tests
  - Neoclassical tests, especially APR and APR-CL
  - Using elliptic curves, especially the ECPP test
  - A polynomial time algorithm

Fermat Little Theorem Based
- Fermat's theorem gives us a powerful test for compositeness:
  - Given n > 1, choose a > 1 and calculate a^{n-1} modulo n (there is a very easy way to do this quickly by repeated squaring)
  - If the result is not one modulo n, then n is composite.
  - If it is one modulo n, then n might be prime, so n is called a weak probable prime base a (or just an a-PRP).
  - Some early articles call all numbers satisfying this test pseudoprimes, but now the term pseudoprime is properly reserved for composite probable-primes.

Carmichael Numbers
- There may be relatively few pseudoprimes, but there are still infinitely many of them for every base a > 1, so we need a tougher test.
- One way to make this test more accurate is to use multiple bases (check base 2, then 3, then 5, ...). But still we run into an interesting obstacle called the Carmichael numbers.
  - The composite integer n is a Carmichael number if a^{n-1} ≡ 1 (mod n) for every integer a relatively prime to n.

Strong Probable-Primality and a Practical Test
- A better way to make the Fermat test more accurate is to realize that if an odd number n is prime, then the number 1 has just two square roots modulo n: 1 and -1.
  - So the square root of a^{n-1}, namely a^{(n-1)/2} (since n will be odd), is either 1 or -1.
- Algorithm
  - Write n-1 = 2^s d where d is odd and s is nonnegative: n is a strong probable-prime base a (an a-SPRP) if either a^d ≡ 1 (mod n) or (a^d)^{2^r} ≡ -1 (mod n) for some nonnegative r less than s.
  - It has been proven ([Monier80] and [Rabin80]) that the strong probable-primality test is wrong no more than 1/4 of the time (3 out of 4 numbers which pass it will be prime).

Simple Fact
- The equation x^2 ≡ 1 mod p has only the solutions 1, -1
  - If p is a prime number
  - Simple proof: (x+1)(x-1) ≡ 0 mod p
- So if we find another solution, then p cannot be a prime number!
  - Miller and Rabin 1975, 1980
- Randomly chosen integer a
  - If a^2 ≡ 1 mod p (with a ≢ ±1), then p is not a prime number
    - Integer a is called the witness
  - Otherwise p may be, or may not be, a prime number

Witness Algorithm
- Witness(a,n)
  - Let b_k b_{k-1} ... b_1 b_0 be the binary code of n-1
  - Let d=1
  - For i=k downto 0
    - x=d; d=d*d mod n
    - If d=1 and x≠1 and x≠n-1
      - return TRUE
    - If b_i=1 then d=d*a mod n
  - Endfor
  - If d≠1 then return TRUE
  - Return FALSE

Facts
- Analyze the result of Witness
  - If it returns TRUE, then n is not a prime number
    - Found another solution of x^2 ≡ 1 mod n
  - Otherwise, n may be a prime number
- Given odd n and random a
  - Witness fails with probability less than 0.5
- Run the Witness algorithm s times
  - If one time it is TRUE
    - Then n is not a prime number
  - Otherwise, Pr(n is prime) > 1 - 2^{-s}
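
The following is an added example, not code from the lecture notes. It serves the Carmichael slide, the Witness algorithm slide and the Facts slide above: a plain Fermat test that the Carmichael number 561 = 3·11·17 passes for every coprime base, Witness(a,n) transcribed line by line from the slide (which catches 561 because base 2 yields a nontrivial square root of 1), the s-round loop, and a count of how many bases are witnesses for a composite n, which is the "fails with probability less than 0.5" claim measured. Function names and the fixed-seed random generator are my own choices.

```python
# Added example, not from the lecture notes: the Fermat test, the Carmichael
# number 561 that fools it, the slide's Witness(a, n) exactly as written,
# and the s-round Miller-Rabin loop built on it.
import random

def fermat_probable_prime(n, a):
    """n is an a-PRP when a^{n-1} ≡ 1 (mod n); otherwise n is composite."""
    return pow(a, n - 1, n) == 1

def witness(a, n):
    """Slide's Witness(a, n): True means a proves n composite."""
    bits = bin(n - 1)[2:]           # b_k ... b_0, the binary code of n-1
    d = 1
    for b in bits:                  # i = k down to 0
        x = d
        d = d * d % n
        if d == 1 and x != 1 and x != n - 1:
            return True             # nontrivial square root of 1 mod n
        if b == "1":
            d = d * a % n
    return d != 1                   # d = a^{n-1} mod n; Fermat fails if != 1

def is_probable_prime(n, s=20, rng=random.Random(1)):
    """Run Witness s times with random bases; composite if any round says so."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for _ in range(s):
        a = rng.randrange(2, n - 1)
        if witness(a, n):
            return False
    return True                     # Pr(error) < 2^{-s} by the slide's bound

def witness_fraction(n):
    """Share of bases a in [2, n-2] that witness n; above 1/2 for composite n,
    exactly 0 for prime n."""
    bases = range(2, n - 1)
    return sum(witness(a, n) for a in bases) / len(bases)

if __name__ == "__main__":
    print(fermat_probable_prime(561, 2), fermat_probable_prime(561, 5))  # True True
    print(witness(2, 561), is_probable_prime(561))                       # True False
    print(witness_fraction(561) > 0.5, witness_fraction(97))             # True 0.0
```

The contrast is the point of the Carmichael slide: 561 is a 2-PRP and a 5-PRP under the Fermat test, yet Witness(2, 561) returns TRUE through the square-root check rather than the final Fermat check, so no number fools the strong test for all bases.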

Randomized Methods
- Las Vegas method
  - Always produces correct results
  - Runs in expected polynomial time
- Monte Carlo method
  - Runs in polynomial time
  - May produce incorrect results with bounded probability
  - No-biased Monte Carlo method
    - The answer "yes" is always correct, but the answer "no" may be wrong
  - Yes-biased Monte Carlo method
    - The answer "no" is always correct, but the answer "yes" may be wrong

Witness Algorithm
- The Witness algorithm is based on the Monte Carlo method
  - It actually tests compositeness, not primality
    - When it reports yes, the number is always composite
    - When it reports no, the input may be composite or prime
  - Probability result
    - Pr(input=composite | ans=composite) = 1
    - Pr(ans=no | input=composite) < 1/2
    - Pr(input=composite | ans=no) ≤ 1/4

Time Complexity
- Each round of Witness costs O(log n)
  - Unit: integer multiplication and modular arithmetic
- So the primality testing costs O(s log n)
  - The confidence is 1 - 2^{-s} if it reports prime
  - The confidence is 1 if it reports non-prime
- Miller's Test [Miller76]: If the extended Riemann hypothesis is true, then if n is an a-SPRP for all integers a with 1 < a < 2(log n)^2, then n is prime.

More on Proving Primes (N-1 Test)
- Theorem 1: Let n > 1. If for every prime factor q of n-1 there is an integer a such that
  - a^{n-1} ≡ 1 (mod n), and
  - a^{(n-1)/q} ≢ 1 (mod n);
  then n is prime.

N-1 Test
- Theorem 2: Suppose n-1 = FR, where F > R, gcd(F,R) is one and the factorization of F is known. If for every prime factor q of F there is an integer a > 1 such that
  - a^{n-1} ≡ 1 (mod n), and
  - gcd(a^{(n-1)/q} - 1, n) = 1;
  then n is prime.

N+1 Test
- Lucas-Lehmer Test (1930): Let n be an odd prime. The Mersenne number M(n) = 2^n - 1 is prime if and only if
  - S(n-2) ≡ 0 (mod M(n)) where S(0) = 4 and S(k+1) = S(k)^2 - 2.
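
The following is an added example, not code from the lecture notes. It implements Theorem 1 (the N-1 test) with the prime factors of n-1 supplied by the caller, as the theorem presupposes, returning a certificate {q: a} when n is proven prime, and the Lucas-Lehmer N+1 test from the slide above. Function names, the a_limit search cap and the sample inputs are my own; the caller's factor list is checked to fully factor n-1, but its entries are assumed to be genuine primes.

```python
# Added example, not from the lecture notes: Theorem 1 (the N-1 test) with
# the prime factors of n-1 supplied by the caller, as the theorem assumes,
# and the Lucas-Lehmer N+1 test for Mersenne numbers.

def n_minus_1_test(n, primes_of_n_minus_1, a_limit=1000):
    """Theorem 1: n > 1 is prime if for every prime q | n-1 some a satisfies
    a^{n-1} ≡ 1 and a^{(n-1)/q} ≢ 1 (mod n).
    Returns (True, {q: a}) when proven prime, (False, a) when a base a fails
    Fermat (so n is composite), or (None, q) when no base below a_limit works.
    The factor list is checked to fully factor n-1; its entries are assumed prime."""
    m = n - 1
    for q in primes_of_n_minus_1:
        while m % q == 0:
            m //= q
    if m != 1:
        raise ValueError("factor list does not fully factor n-1")
    certificate = {}
    for q in primes_of_n_minus_1:
        for a in range(2, min(n - 1, a_limit)):
            if pow(a, n - 1, n) != 1:
                return False, a                   # Fermat fails: composite
            if pow(a, (n - 1) // q, n) != 1:
                certificate[q] = a                # this a works for this q
                break
        else:
            return None, q                        # inconclusive for this q
    return True, certificate

def lucas_lehmer(p):
    """M(p) = 2^p - 1 (p an odd prime) is prime iff S(p-2) ≡ 0 (mod M(p)),
    with S(0) = 4 and S(k+1) = S(k)^2 - 2."""
    M = (1 << p) - 1
    s = 4
    for _ in range(p - 2):
        s = (s * s - 2) % M
    return s == 0

if __name__ == "__main__":
    print(n_minus_1_test(97, [2, 3]))    # (True, {2: 5, 3: 2}): 96 = 2^5 * 3
    print(n_minus_1_test(15, [2, 7]))    # (False, 2): 2^14 ≡ 4 (mod 15)
    print([p for p in [3, 5, 7, 11, 13, 17, 19, 23, 29, 31] if lucas_lehmer(p)])
    # [3, 5, 7, 13, 17, 19, 31]: M(11), M(23), M(29) are composite
```

Unlike the Witness test, a True result here is a proof, not a probability: the certificate can be re-checked by anyone with the same two modular exponentiations per prime factor of n-1.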

ECPP Method
- What is the next big leap in primality proving? To switch from Galois groups to some other, perhaps easier to work with, groups: in this case the points on elliptic curves modulo n.
  - An elliptic curve is a curve of genus one, that is a curve that can be written in the form
  - E(a,b): y^2 = x^3 + ax + b (with 4a^3 + 27b^2 not zero)
  - http://www.lix.polytechnique.fr/~morain/Prgms/ecpp.english.html for an implementation
- Heuristically, the best version of ECPP is
  - O((log n)^{4+eps}) for some eps > 0

Deterministic Poly-Time Method
- In 2002 Agrawal, Kayal and Saxena found a relatively simple deterministic algorithm which relies on no unproved assumptions.
  - There has been a long list of research efforts devoted to finding deterministic polynomial time methods for testing primes

Basics
- Theorem: Suppose that a and p are relatively prime integers with p > 1. p is prime if and only if
  - (x-a)^p ≡ (x^p - a) (mod p)
- Proof.
  - If p is prime, then p divides the binomial coefficients pCr for r = 1, 2, ..., p-1. This shows that (x-a)^p ≡ (x^p - a^p) (mod p), and the equation above follows via Fermat's Little Theorem.
  - On the other hand, if p > 1 is composite, then it has a prime divisor q. Let q^k be the greatest power of q that divides p. Then q^k does not divide pCq and is relatively prime to a^{p-q}, so the coefficient of the term x^q on the left of the equation in the theorem is not zero, but it is on the right.
AKS method
×
Input: Integer n > 1
if (n is has the form a
b
with b > 1) then output COMPOSITE
r := 2
while (r < n) {
if (gcd(n,r) is not 1) then output COMPOSITE
if (r is prime greater than 2) then {
let q be the largest factor of r1
if (q > 4sqrt(r)log n) and (n
(r1)/q
is not 1 (mod r)) then break
}
r := r+1
}
for a = 1 to 2sqrt(r)log n {
if ( (xa)
n
is not (x
n
a) (mod x
r
1,n) ) then output COMPOSITE
}
output PRIME;
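Added Python example (not from the lecture notes) covering the theorem slide and the AKS slide together. `fermat_polynomial_test` checks (x − a)^n ≡ x^n − a (mod n) coefficient by coefficient, which is the literal theorem but costs O(n) and so is only a teaching check; `aks_is_prime` implements the test in the simplified form of the 2004 journal version of the AKS paper (smallest r with ord_r(n) > log₂² n, a gcd sweep, then the polynomial congruences for a = 1 .. ⌊√φ(r)·log₂ n⌋) rather than the 2002 loop with the Sophie Germain condition shown on the slide; that choice is an assumption of this example. The arithmetic modulo (x^r − 1, n) is written out by hand so the "painful for loop" is visible. All function names are this example's own.

```python
from math import comb, gcd, log2, sqrt


def fermat_polynomial_test(n, a):
    """The slide's theorem, checked literally: n is prime iff (x - a)^n ≡ x^n - a (mod n) in Z_n[x].
    Looks at all n + 1 coefficients, so it is a teaching check, not a usable primality test."""
    if gcd(a, n) != 1:
        raise ValueError("a and n must be coprime")
    for k in range(1, n):                          # middle coefficients C(n,k) (-a)^(n-k) must vanish
        if comb(n, k) * pow(-a, n - k, n) % n != 0:
            return False
    return pow(-a, n, n) == (-a) % n               # constant term: (-a)^n ≡ -a (Fermat when n is prime)


def poly_mulmod(p, q, r, n):
    """Product of two polynomials (coefficient lists of length r) modulo (x^r - 1, n)."""
    out = [0] * r
    for i, pi in enumerate(p):
        if pi:
            for j, qj in enumerate(q):
                if qj:
                    k = i + j if i + j < r else i + j - r   # x^r ≡ 1
                    out[k] = (out[k] + pi * qj) % n
    return out


def poly_powmod(base, e, r, n):
    """base^e modulo (x^r - 1, n) by square-and-multiply."""
    result = [1] + [0] * (r - 1)
    while e:
        if e & 1:
            result = poly_mulmod(result, base, r, n)
        base = poly_mulmod(base, base, r, n)
        e >>= 1
    return result


def aks_congruence_holds(n, a, r):
    """Is (x + a)^n ≡ x^n + a (mod x^r - 1, n)?  (The slide writes (x - a); substitute -a for a.)"""
    lhs = poly_powmod([a % n, 1] + [0] * (r - 2), n, r, n)
    rhs = [0] * r
    rhs[0] = a % n
    rhs[n % r] = (rhs[n % r] + 1) % n
    return lhs == rhs


def is_perfect_power(n):
    """True if n = a^b for some b > 1 (integer k-th roots by binary search, no floats)."""
    for b in range(2, n.bit_length() + 1):
        lo, hi = 1, 1 << (n.bit_length() // b + 1)
        while lo < hi:
            mid = (lo + hi) // 2
            if mid ** b < n:
                lo = mid + 1
            else:
                hi = mid
        if lo ** b == n:
            return True
    return False


def multiplicative_order(n, r):
    """ord_r(n) for gcd(n, r) = 1."""
    k, x = 1, n % r
    while x != 1:
        x, k = x * n % r, k + 1
    return k


def aks_is_prime(n):
    """AKS, 2004 journal form (an assumption of this example; the slide shows the 2002 loop):
    1. perfect power -> composite; 2. smallest r with ord_r(n) > log2(n)^2; 3. a small gcd -> composite;
    4. n <= r -> prime; 5. (x+a)^n ≡ x^n + a (mod x^r - 1, n) for a = 1 .. floor(sqrt(phi(r)) log2 n)."""
    if n < 2:
        return False
    if is_perfect_power(n):
        return False
    log2n_sq = log2(n) ** 2
    r = 2
    while not (gcd(r, n) == 1 and multiplicative_order(n, r) > log2n_sq):
        r += 1
    for a in range(2, min(r, n - 1) + 1):
        if 1 < gcd(a, n) < n:
            return False
    if n <= r:
        return True
    phi_r = sum(1 for k in range(1, r + 1) if gcd(k, r) == 1)
    for a in range(1, int(sqrt(phi_r) * log2(n)) + 1):
        if not aks_congruence_holds(n, a, r):
            return False
    return True
```

For the small n a classroom run uses, step 3 already catches every composite, so step 5 is only exercised by composites whose prime factors all exceed r; the point of the example is to see that step 5 is a loop of polynomial exponentiations, each costing O(r² log n) multiplications mod n with this naive multiplication, which is where the large constants the next slide complains about come from.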
Time Complexity
× AKS proved that their algorithm runs in at most
  r O((log n)^12 · f(log log n)) time, where f is a polynomial
× AKS also showed that if Sophie Germain primes have the expected distribution [HL23] (and they certainly should!), then the exponent 12 in the time estimate can be reduced to 6, bringing it much closer to the (probabilistic) ECPP method.
  r But of course when actually finding primes it is the unlisted constants that make all of the difference! We will have to wait for efficient implementations of this algorithm (and hopefully clever restatements of the painful for loop) to see how it compares to the others for integers of a few thousand digits. Until then, at least we have learned that there is a polynomial-time algorithm for all integers that both is deterministic and relies on no unproved conjectures!
Primitive Root
× Order of an integer, ord_n(a)
  r The order of a modulo n is the smallest positive k such that a^k ≡ 1 mod n (defined when gcd(a, n) = 1)
× Primitive root
  r Integer a is a primitive root of n if the order of a modulo n is φ(n)
  r Not all integers have a primitive root
    º Example: n = pq for distinct odd primes p and q has none
  r A prime p has φ(p−1) primitive roots
cont
× When a primitive root exists
  r n is 1, 2, 4, p^k or 2p^k for some integer k ≥ 1 and odd prime p
  r Otherwise no primitive root exists
× Find a primitive root for a prime p: write p − 1 = q_1^(e_1) · q_2^(e_2) ··· q_k^(e_k) (the prime factorization of p − 1)
  r 1. Let a = 2, i = 1
  r 2. If i > k, a is a primitive root; otherwise go to step 3
  r 3. If a^((p−1)/q_i) mod p ≠ 1, let i = i + 1 and go to step 2; otherwise let i = 1, a = a + 1 and repeat step 3.
Some “hard” questions
× Some questions that are assumed to be hard will be used as bases for cryptography
  r Integer factorization
    º Given n, find all its prime factors
  r Discrete logarithm
    º Given g, y and p, find x such that g^x ≡ y mod p
  r Square root
    º Given b, find x such that x^2 ≡ b mod n. Here n is not a prime number (and its factorization is not known)
Integer Factorization
× Write an integer as a product of prime numbers.
  r For example, given the number 45, the prime factorization would be 3^2 · 5.
  r The factorization is always unique, according to the fundamental theorem of arithmetic
  r Given two large prime numbers, it is easy to multiply them. However, given their product, it appears to be difficult to find the factors.
  r This is relevant for many modern systems in cryptography. If a fast method were found for solving the integer factorization problem, then several important cryptographic systems would be broken.
  r Although fast factoring is one way to break these systems, there may be other ways to break them that don't involve factoring. So it is possible that the integer factorization problem is truly hard, yet these systems can still be broken quickly.
  r A rare exception is the BBS generator. It has been proved to be exactly as hard as integer factorization: if you can break the generator in polynomial time then you can factorize integers in polynomial time, and vice versa
Current state of the art
× If a large, n-bit number is the product of two primes that are roughly the same size,
  r no polynomial time factoring algorithm is known
  r the best known algorithms are sub-exponential, but super-polynomial: the general number field sieve (GNFS) has the best known asymptotic running time
  r Polynomial-time methods are known for quantum computers!
Sub-exponential
× There are published algorithms that are faster than O((1+ε)^b) for all positive ε, i.e., sub-exponential, where b is the number of bits of the input
Factoring algorithms
× Special purpose
  r its running time depends on the properties of the unknown factors: size, special form, etc.
  r Examples
    º Trial division, Pollard's rho algorithm, Pollard's p−1 algorithm, Lenstra elliptic curve factorization, congruence of squares, special number field sieve
× General purpose
  r running time depends solely on the size of the integer to be factored. This is the type of algorithm used to factor RSA numbers. Most general-purpose algorithms are based on the congruence of squares method.
  r Examples:
    º Quadratic sieve, general number field sieve
Factorization for Quantum Computers
× For an ordinary computer, the general number field sieve (GNFS) is the best published algorithm for large n (more than about 100 digits).
× For a quantum computer, however, Peter Shor discovered an algorithm in 1994 that solves it in polynomial time. This will have significant implications for cryptography if a large quantum computer is ever built.
× Shor's algorithm takes only O(b^3) time and O(b) space on b-bit number inputs.
× In 2001, a 7-qubit quantum computer became the first to run Shor's algorithm. It factored the number 15.
List of Algorithms
× Special-purpose
  r A special-purpose factoring algorithm's running time depends on the properties of its unknown factors: size, special form, etc. Exactly what the running time depends on varies between algorithms.
  r Trial division
  r Pollard's rho algorithm
  r Algebraic-group factorisation algorithms, amongst which are Pollard's p − 1 algorithm, Williams' p + 1 algorithm and Lenstra elliptic curve factorization
  r Fermat's factorization method
  r Special number field sieve
× General-purpose
  r A general-purpose factoring algorithm's running time depends solely on the size of the integer to be factored. This is the type of algorithm used to factor RSA numbers. Most general-purpose factoring algorithms are based on the congruence of squares method.
  r Dixon's algorithm
  r Continued fraction factorization (CFRAC)
  r Quadratic sieve
  r General number field sieve
  r Shanks' square forms factorization (SQUFOF)
Discrete Logarithms
× y ≡ g^x mod p
  r Given y, g and p, compute x = log_g(y)
  r Time complexity O(e^((ln p)^(1/3) · (ln ln p)^(2/3))), up to a constant factor in the exponent
    º Best known until now
  r In other words, if p is large, then it is very hard to solve the discrete logarithm problem
× Several protocols are based on this
  r ElGamal discrete log cryptosystem, Diffie–Hellman key exchange and the Digital Signature Algorithm.
× Current methods:
  r the Pohlig–Hellman algorithm is fast if p−1 is a product of small primes,
  r so such a p should be avoided in those applications
Methods
× More sophisticated algorithms exist, usually inspired by similar algorithms for integer factorization. These algorithms run faster than the naive algorithm, but none of them runs in polynomial time.
  r Baby-step giant-step (also known as 'little-step big-step')
  r Pollard's rho algorithm for logarithms
  r Pollard's lambda algorithm (aka Pollard's kangaroo algorithm)
  r Pohlig–Hellman algorithm
  r Index calculus algorithm
  r Number field sieve
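Added Python example (not from the lecture notes) that serves two of the preceding slides: the primitive-root search (ord_n(a), the a^((p−1)/q) ≠ 1 criterion) and the discrete-logarithm remark that Pohlig–Hellman breaks the problem when p−1 has only small prime factors. Baby-step giant-step does the work inside each small subgroup, and the Chinese remainder theorem reassembles the exponent. The 65537 and 3329 moduli are chosen here purely because their p−1 is smooth; the helper names are this example's own.

```python
from math import gcd, isqrt


def factor(n):
    """Prime factorization {prime: exponent} by trial division (fine for the toy sizes used here)."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f


def order_mod(a, n):
    """ord_n(a): the smallest k >= 1 with a^k ≡ 1 (mod n); only defined for gcd(a, n) = 1."""
    if gcd(a, n) != 1:
        raise ValueError("a must be coprime to n")
    k, x = 1, a % n
    while x != 1:
        x, k = x * a % n, k + 1
    return k


def is_primitive_root(a, p):
    """Slide criterion for a prime p: a is a primitive root iff a^((p-1)/q) != 1 (mod p) for every prime q | p-1."""
    return gcd(a, p) == 1 and all(pow(a, (p - 1) // q, p) != 1 for q in factor(p - 1))


def primitive_root(p):
    """Smallest primitive root of a prime p (the slide's a = 2, 3, ... search, starting at 1 so p = 2 works)."""
    return next(a for a in range(1, p) if is_primitive_root(a, p))


def bsgs(g, h, p, bound):
    """Baby-step giant-step: some x < bound with g^x ≡ h (mod p), or None.
    `bound` is the order of g (or any upper bound on it); cost is O(sqrt(bound)) time and memory."""
    m = isqrt(bound) + 1
    baby = {}
    e = 1
    for j in range(m):                 # baby steps: g^j -> j
        baby.setdefault(e, j)
        e = e * g % p
    step = pow(g, -m, p)               # g^(-m); Python 3.8+ computes the modular inverse
    gamma = h % p
    for i in range(m):                 # giant steps: h * g^(-im)
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * step % p
    return None


def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli."""
    x, M = 0, 1
    for r, m in zip(residues, moduli):
        x += M * (((r - x) * pow(M, -1, m)) % m)
        M *= m
    return x % M


def pohlig_hellman(g, h, p):
    """log_g(h) modulo the order of g, for prime p.  Cost is governed by the *largest prime factor*
    of ord(g), which is why a p-1 made of small primes is a weak choice for DH, ElGamal and DSA."""
    n = p - 1
    for q in factor(n):                # shrink n to the exact order of g
        while n % q == 0 and pow(g, n // q, p) == 1:
            n //= q
    residues, moduli = [], []
    for q, e in factor(n).items():
        qe = q ** e
        g_i, h_i = pow(g, n // qe, p), pow(h, n // qe, p)  # project into the subgroup of order q^e
        gamma = pow(g_i, q ** (e - 1), p)                   # an element of order exactly q
        x = 0
        for k in range(e):                                  # one base-q digit of x mod q^e per step
            target = pow(pow(g_i, -x, p) * h_i % p, q ** (e - 1 - k), p)
            x += bsgs(gamma, target, p, q) * q ** k
        residues.append(x)
        moduli.append(qe)
    return crt(residues, moduli)
```

With p = 65537 the group order is 2^16, so the whole logarithm falls to sixteen table lookups in a group of order 2; the same code against a safe prime (p−1 = 2q with q large) would have to run `bsgs` with bound q, which is the √q work the slide's complexity estimate is about.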
Quadratic Residue
× Quadratic residue
  r Integer b is a quadratic residue modulo integer n if and only if x^2 ≡ b mod n has a solution for x
  r The number x is called a square root of b
  r Otherwise b is called a quadratic non-residue
× Given an odd prime p (Euler's criterion),
  r b is a quadratic residue iff b^((p−1)/2) ≡ 1 mod p
  r b is a quadratic non-residue iff b^((p−1)/2) ≡ −1 mod p
  r These facts can be used to test primes probabilistically
Computing Square root mod p
× Given a number a (a quadratic residue), find x with x^2 ≡ a mod p
  r If p ≡ 3 mod 4, then x = a^((p+1)/4) mod p is a solution.
  r If p ≡ 5 mod 8 and a^((p−1)/4) ≡ 1 mod p, then x = a^((p+3)/8) mod p
  r If p ≡ 5 mod 8 and a^((p−1)/4) ≡ −1 mod p, then x = 2a · (4a)^((p−5)/8) mod p
  r If p ≡ 1 mod 8, write p − 1 = 2^k · h with h odd and pick a quadratic non-residue N; a root has the form x ≡ a^((h+1)/2) · N^s mod p for a suitable exponent s, which the iterative procedure on the next slide finds.
Compute square-root mod p
× Find a solution to x^2 ≡ a mod p if one exists (Tonelli–Shanks)
  r 1. Let r = 0, s = p − 1; while s is even { r = r + 1; s = s/2; }
  r 2. Choose a random n such that (n/p) = −1, i.e. a quadratic non-residue
  r 3. Let z = n^s mod p; x = a^((s+1)/2) mod p; b = a^s mod p;
  r 4. If b = 1, return x as a solution
  r 5. Let m = 1, y = b^2 mod p; while y ≠ 1 { y = y^2 mod p; m = m + 1; }
  r 6. If r = m then a is a quadratic non-residue; exit;
  r 7. Let x = x · z^(2^(r−m−1)) mod p, b = b · z^(2^(r−m)) mod p, z = z^(2^(r−m)) mod p, and r = m (z now has order 2^m, so the exponents in the next pass must be taken relative to m)
  r 8. Go to step 4
× The expected running time is O(log^4 p)
Complexity Theory
× The input length of a problem is the number n of symbols used to characterize it
× Complexity of a method
  r Function f(n) is order O(g(n)) if
    º f(n) ≤ c·g(n) for all n ≥ N_0, for some constants c > 0 and N_0
  r Function f(n) is order Ω(g(n)) if
    º f(n) ≥ c·g(n) for all n ≥ N_0, for some constants c > 0 and N_0
  r Function f(n) is order Θ(g(n)) if
    º c_1·g(n) ≤ f(n) ≤ c_2·g(n) for all n ≥ N_0, for some constants c_1, c_2 > 0 and N_0
× Polynomial time algorithm (P)
  r solves any instance of a particular problem with input length n in time O(p(n)), where p is a polynomial
Cont.
× Nondeterministic polynomial time algorithm (NP)
  r is one for which any guess at the solution of an instance of the problem may be checked for validity in polynomial time.
× NP-complete problems
  r are a subclass of NP problems for which it is known that if any such problem has a polynomial time solution, then all NP problems have polynomial solutions.
× Co-NP: the complements of NP problems.
Cryptography and Network Security
Conventional Methods
XiangYang Li
Roadmap of Cryptography
× classical cryptography (up to the 1920s)
  r secret writing required only pen and paper
  r Mostly: transposition, substitution ciphers
  r Easily broken by statistical analysis (e.g., frequency)
× mechanical devices invented for encryption
  r Rotor machines (e.g. Enigma cipher) 1930s–1950s
  r featured in films, such as in the James Bond adventure From Russia with Love
× specification of DES and the invention of RSA (1970s): modern ciphers
  r Public key systems, most notably
× Quantum Cryptography (future?)
Quantum Cryptography
× Quantum cryptography currently has two aspects.
  r quantum key exchange (also known as quantum key distribution), a method for secure communications based on quantum mechanics
  r the conjectured effect of quantum computing on cryptanalysis, although it is currently, like quantum computing itself, only a theoretical concept.
× Basic idea of quantum key exchange: encode key bits in quantum states of light (e.g. photon polarizations) that an eavesdropper cannot measure without disturbing them.
  r The encoding can be chosen in a number of ways, but the ability to decode it rests upon knowing how it was made. No way to intercept the transmission without changing it is possible, so the parties can detect eavesdropping and exchange key material with great confidence that it has been transmitted secretly.
  r quantum computing will considerably extend the reach of cryptanalysis, making brute force key space searches much more effective and (via Shor's algorithm, above) breaking factoring-based systems outright, if such computers ever become possible in actual practice
History
× Ancient ciphers
  r Have a history of at least 4000 years
  r Ancient Egyptians enciphered some of their hieroglyphic writing on monuments
  r Ancient Hebrews enciphered certain words in the scriptures
  r 2000 years ago Julius Caesar used a simple substitution cipher, now known as the Caesar cipher
  r Roger Bacon described several methods in the 1200s
History
× Ancient ciphers
  r Geoffrey Chaucer included several ciphers in his works
  r Leon Alberti devised a cipher wheel, and described the principles of frequency analysis in the 1460s
  r Blaise de Vigenère published a book on cryptology in 1585, & described the polyalphabetic substitution cipher
  r Increasing use, esp. in diplomacy & war over the centuries
Classical Cryptographic Techniques
× Two basic components of classical ciphers:
  r Substitution: letters are replaced by other letters
  r Transposition: letters are arranged in a different order
× These ciphers may be:
  r Monoalphabetic: only one substitution/transposition is used, or
  r Polyalphabetic: where several substitutions/transpositions are used
× Product cipher:
  r several ciphers concatenated together
Encryption and Decryption
× Plaintext P becomes ciphertext C under a key K supplied by the key source to both sides:
  r Encipher: C = E_K(P)
  r Decipher: P = D_K(C)
Key Management
× Using a secret channel
× Encrypt the key
× Third trusted party
× The sender and the receiver generate the key
  r The key must be the same
  r We will talk more about how we can generate keys for two parties who are “unknown” to each other before, and want secure communication
Attacks
× Recover the message
× Recover the secret key
  r Thus also the message
× Thus the number of possible keys must be large!
Possible Attacks
× Ciphertext only
  r Algorithm, ciphertext
× Known plaintext
  r Algorithm, ciphertext, plaintext–ciphertext pairs
× Chosen plaintext
  r Algorithm, ciphertext, chosen plaintext and its ciphertext
× Chosen ciphertext
  r Algorithm, ciphertext, chosen ciphertext and its plaintext
× Chosen text
  r Algorithm, ciphertext, chosen plaintext and ciphertext
Steganography
× Conceal the existence of the message
  r Character marking
  r Invisible ink
  r Pin punctures
  r Typewriter correction ribbon
× Cryptography, by contrast, renders the message unintelligible!
Contemporary Equiv.
× Least significant bits of picture frames
  r 2048×3072 pixels with 24-bit RGB info
  r Able to hide a 2.3 MB message (one bit per colour sample: 2048 · 3072 · 3 bits ≈ 18.9 Mbit)
× Drawbacks
  r Large overhead
  r Virtually useless if the system is known
× Improvement
  r Use some “random” sequence of positions of the last bit for storing the data
  r Challenge: produce such a random sequence such that the attacker cannot figure out the sequence!
Caesar Cipher
× Replace each letter of the message by a letter a fixed distance away
  r Reputedly used by Julius Caesar
× Example:
  L FDPH L VDZ L FRQTXHUHG
  I CAME I SAW I CONQUERED
  r The mapping is
  ABCDEFGHIJKLMNOPQRSTUVWXYZ
  DEFGHIJKLMNOPQRSTUVWXYZABC
Mathematical Model
× Description
× Assume all letters are mapped to integers [0, 25]
× A → 0, B → 1, ..., Z → 25
  r Encryption E_k: i → i + k mod 26
  r Decryption D_k: i → i − k mod 26
Cryptanalysis: Caesar Cipher
× Key space: 26
  r Exhaustive key search: try every shift and keep the one that reads as language
× Example: the same message enciphered under several different shifts
  GDUCUGQFRMPCNJYACJCRRCPQ
  HEVDVHRGSNQDOKZBDKDSSDQR
  JGXFXJTIUPSFQMBDFMFUUFST
  KHYGYKUJVGRNCEGNGVVGTU
  LIZHZLVKWRUHSODFHOHWWHUV
  MJAIAMWXSVITPEGIPIXXIVW
  r e.g. the first line was enciphered with key 24; shifting it back (equivalently, forward by 2) gives IFWEWISHTOREPLACELETTERS
Character Frequencies
× In most languages letters are not equally common
  r in English e is by far the most common letter
× Have tables of single, double & triple letter frequencies
× Use these tables to compare with letter frequencies in ciphertext,
  r a monoalphabetic substitution does not change relative letter frequencies
  r do need a moderate amount of ciphertext (100+ letters)
Letter Frequency Analysis
× Single letter
  r A, B, C, D, E, ...
× Double letter
  r TH, HE, IN, ER, RE, ON, AN, EN, ...
× Triple letter
  r THE, AND, TIO, ATI, FOR, THA, TER, RES, ...
Letter Frequencies
[Figure: relative frequency of the letters A–Z in English text]
N-gram Frequencies
× Digraph frequency
  r th he an in er on re ed nd ha at en es of nt ea ti to io le is ou ar as de rt ve
× Trigraph frequency
  r the and tha ent ion tio for nde has nce tis oft men
  r For more, see http://www.letterfrequency.org
Modular Arithmetic Cipher
× Use a more complex equation to calculate the ciphertext letter for each plaintext letter (the affine cipher)
× E_(a,b): i → a·i + b mod 26
  r Need gcd(a, 26) = 1
  r Otherwise not reversible: two plaintext letters would map to the same ciphertext letter
  r So a must be odd and not 13: a ∈ {1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25}
  r Caesar cipher: a = 1, b = 3
  r Decryption D_(a,b): i → a^(−1) · (i − b) mod 26
Cryptanalysis
× Key space: 12 · 26 = 312
  r Brute force search
× Use letter frequency counts to guess a couple of possible letter mappings
  r the frequency pattern is not produced just by a shift
    º But it is still a substitution, thus we can use frequency analysis
  r use these mappings to solve 2 simultaneous equations to derive the above parameters
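Added Python example (not from the lecture notes) for the Caesar and affine slides: encryption/decryption, the exhaustive 26-key search ranked by a chi-squared distance to English letter frequencies (so the search needs no human in the loop), and the two-equation key recovery for the affine cipher from two guessed letter mappings. The frequency table is a commonly published one and is an input of this example, not of the notes; all function names are this example's own.

```python
from math import gcd

ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# Approximate English single-letter frequencies in percent, A..Z (assumed reference table)
ENGLISH_FREQ = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03, 2.41,
                6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15, 1.97, 0.07]


def affine_encrypt(text, a, b):
    """E_(a,b): i -> a*i + b mod 26.  Caesar is a = 1.  Non-letters are dropped."""
    if gcd(a, 26) != 1:
        raise ValueError("a must be coprime to 26 or the cipher is not invertible")
    return "".join(ALPHA[(a * ALPHA.index(c) + b) % 26] for c in text.upper() if c in ALPHA)


def affine_decrypt(text, a, b):
    """D_(a,b): i -> a^(-1) * (i - b) mod 26."""
    a_inv = pow(a, -1, 26)
    return "".join(ALPHA[(a_inv * (ALPHA.index(c) - b)) % 26] for c in text.upper() if c in ALPHA)


def chi_squared(text):
    """Distance between the letter counts of `text` and the English table; lower means more English-like."""
    n = len(text)
    if n == 0:
        return float("inf")
    counts = [text.count(c) for c in ALPHA]
    return sum((obs - n * f / 100) ** 2 / (n * f / 100) for obs, f in zip(counts, ENGLISH_FREQ))


def break_caesar(ciphertext):
    """Exhaustive search over the 26 shifts; returns (key, plaintext) for the most English-looking result."""
    key = min(range(26), key=lambda k: chi_squared(affine_decrypt(ciphertext, 1, k)))
    return key, affine_decrypt(ciphertext, 1, key)


def solve_affine_key(p1, c1, p2, c2):
    """Recover (a, b) from two plaintext/ciphertext letter pairs by solving
       a*p1 + b ≡ c1 and a*p2 + b ≡ c2 (mod 26); p1 - p2 must be invertible mod 26."""
    x1, y1, x2, y2 = (ALPHA.index(c.upper()) for c in (p1, c1, p2, c2))
    a = (y1 - y2) * pow(x1 - x2, -1, 26) % 26     # raises ValueError when x1 - x2 is not invertible
    b = (y1 - a * x1) % 26
    return a, b
```

The chi-squared ranking is the automated form of "compare with the frequency tables": on the 24-letter example from the slide the correct shift already scores far below every wrong one, mainly because the five E's land on the expected letter. For the affine cipher, guess that the two most frequent ciphertext letters stand for E and T, call `solve_affine_key`, and fall back to the next guess if the subtraction is not invertible or the decryption is not readable.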
Playfair Cipher
× The Playfair cipher or Playfair square is a manual symmetric encryption technique and was the first literal digraph substitution cipher.
  r The scheme was invented in 1854 by Charles Wheatstone, but bears the name of Lord Playfair who promoted the use of the cipher.
Playfair Cipher
  Key: simple (key letters first, then the rest of the alphabet; I and J share one cell)
  S I M P L
  E A B C D
  F G H K N
  O Q R T U
  V W X Y Z
  Used in WWI and WWII
Playfair Cipher
× Use a filler letter to separate repeated letters in a pair (and to pad an odd-length message)
× Encrypt two letters together
  r Same row: each letter is replaced by the one to its right (wrapping round)
    º ac → bd
  r Same column: each letter is replaced by the one under it (wrapping round)
    º qw → wi
  r Otherwise: the rectangle's other corners, each letter replaced by the one in its own row and the other letter's column
    º ar → bq
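The Playfair rules above, as an added Python example (not from the lecture notes): the square is built from a keyword exactly as on the previous slide, pairs are formed with a filler letter, and one function applies the row/column/rectangle rule in either direction. Names are this example's own.

```python
def playfair_square(key):
    """5x5 square: keyword letters first (duplicates dropped), then the rest of the alphabet; J is folded into I."""
    seen, cells = set(), []
    for c in (key + "ABCDEFGHIKLMNOPQRSTUVWXYZ").upper():
        c = "I" if c == "J" else c
        if c.isalpha() and c not in seen:
            seen.add(c)
            cells.append(c)
    return [cells[i:i + 5] for i in range(0, 25, 5)]


def playfair_pairs(plaintext, filler="X"):
    """Split into digraphs; a repeated letter inside a pair gets the filler, as does an odd final letter."""
    letters = ["I" if c == "J" else c for c in plaintext.upper() if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else filler
        if a == b:
            pairs.append(a + filler)
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs


def playfair_pair(square, a, b, direction):
    """Encrypt (direction = +1) or decrypt (direction = -1) one digraph."""
    pos = {square[r][c]: (r, c) for r in range(5) for c in range(5)}
    (ra, ca), (rb, cb) = pos[a], pos[b]
    if ra == rb:                                   # same row: shift along the row
        return square[ra][(ca + direction) % 5] + square[rb][(cb + direction) % 5]
    if ca == cb:                                   # same column: shift down the column
        return square[(ra + direction) % 5][ca] + square[(rb + direction) % 5][cb]
    return square[ra][cb] + square[rb][ca]         # rectangle: own row, other letter's column


def playfair_encrypt(plaintext, key):
    square = playfair_square(key)
    return "".join(playfair_pair(square, p[0], p[1], 1) for p in playfair_pairs(plaintext))


def playfair_decrypt(ciphertext, key):
    square = playfair_square(key)
    ct = ciphertext.upper()
    return "".join(playfair_pair(square, ct[i], ct[i + 1], -1) for i in range(0, len(ct), 2))
```

Decryption returns the filler letters too, so the receiver strips the X's (or whatever filler was agreed) by hand; the rectangle rule is its own inverse, which is why only the row and column cases need the direction flag.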
Analysis
× Number of key squares: 25!
  r But the number of distinct ciphers is not 25!
  r Two squares are the same key if they give the same encryption and decryption method
  r Then what is the number of different squares in the Playfair cipher?
    º 25!/25 = 24!: cyclically shifting the rows or the columns of a square changes no digraph encryption, and there are 5 × 5 = 25 such shifts
× Difficult to attack using single-letter frequency analysis
  r But it still reveals frequency information
    º Frequency of 2-grams (bigrams, two letters)
Playfair Cryptanalysis
× Like most pre-modern era ciphers, the Playfair cipher can be easily cracked if there is enough text.
  r Obtaining the key is relatively straightforward if both plaintext and ciphertext are known.
  r When only the ciphertext is known, brute force cryptanalysis of the cipher involves searching through the key space for matches between the frequency of occurrence of digrams (pairs of letters) and the known frequency of occurrence of digrams in the assumed language of the original message.
Playfair, cont
× A different approach to tackling a Playfair cipher is the shotgun hill climbing method.
  r This starts with a random square of letters. Then minor changes are introduced (i.e. switching letters, rows, or reflecting the entire square) to see if the candidate plaintext is more like standard plaintext than before the change (perhaps by comparing the trigrams to a known frequency chart).
  r If the new square is deemed to be an improvement, then it is adopted and then further mutated to find an even better candidate.
  r Eventually, the plaintext or something very close is found to achieve a maximal score by whatever grading method is chosen.
  r Computers can adopt this algorithm to crack Playfair ciphers with a relatively small amount of text.
Hill Cipher
× The Hill cipher is a polygraphic substitution cipher based on linear algebra.
  r Invented by Lester S. Hill in 1929, it was the first polygraphic cipher in which it was practical (though barely) to operate on more than three symbols at once.
  r Each letter is treated as a digit in base 26: A = 0, B = 1, and so on. A block of n letters is then considered as a vector of n dimensions, and multiplied by an n × n matrix, modulo 26. The components of the matrix are the key, and should be random provided that the matrix is invertible modulo 26 (to ensure decryption is possible).
  r The Hill cipher achieves Shannon's diffusion, and an n-dimensional Hill cipher can diffuse fully across n symbols at once.
Hill Cipher Machine
[Figure: Hill's cipher machine]
Hill Cipher Machine
× With a fixed key, and patented
× Triple encryption was recommended for security:
  r a secret non-linear step, followed by the wide diffusive step from the machine, followed by a third secret non-linear step.
  r Such a combination was actually very powerful for 1929, and indicates that Hill apparently understood the concepts of a meet-in-the-middle attack as well as confusion and diffusion.
  r Unfortunately, his machine did not sell.
Hill Cipher
× Encryption
  r Assign each letter an index
  r C = K·P mod 26
  r The matrix K is the key
× Decryption
  r P = K^(−1)·C mod 26
  r Thus, we can decrypt iff gcd(det(K), 26) = 1.
How to Decrypt?
× Compute K^(−1)
  r Compute det(K)
  r Check if gcd(det(K), 26) = 1
  r If not, then K^(−1) does not exist
  r Else K^(−1) is the adjugate of K scaled by the inverse of the determinant mod 26:
$$
K^{-1} \equiv \det(K)^{-1}
\begin{pmatrix}
(-1)^{1+1}\det K_{1,1} & \cdots & (-1)^{n+1}\det K_{n,1} \\
\vdots & \ddots & \vdots \\
(-1)^{1+n}\det K_{1,n} & \cdots & (-1)^{n+n}\det K_{n,n}
\end{pmatrix} \pmod{26}
$$
cont
× Here K_{i,j} is the (n−1)×(n−1) minor of K obtained by deleting row i and column j:
$$
K_{i,j} =
\begin{pmatrix}
k_{1,1} & \cdots & k_{1,j-1} & k_{1,j+1} & \cdots & k_{1,n} \\
\vdots & & \vdots & \vdots & & \vdots \\
k_{i-1,1} & \cdots & k_{i-1,j-1} & k_{i-1,j+1} & \cdots & k_{i-1,n} \\
k_{i+1,1} & \cdots & k_{i+1,j-1} & k_{i+1,j+1} & \cdots & k_{i+1,n} \\
\vdots & & \vdots & \vdots & & \vdots \\
k_{n,1} & \cdots & k_{n,j-1} & k_{n,j+1} & \cdots & k_{n,n}
\end{pmatrix}
$$
Hill Cipher Cryptanalysis
× Difficult to use frequency analysis
× But vulnerable to a known-plaintext attack
  r Give a simple method to attack the Hill cipher under the known-plaintext assumption?
  r How to attack under the chosen-plaintext assumption?
  r The security could be greatly enhanced by combining with some non-linear step to defeat this attack.
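Added Python example (not from the lecture notes) for the Hill cipher slides: encryption with the column-vector convention C = K·P mod 26, the inverse via determinant and adjugate exactly as in the formula above, and the known-plaintext attack the previous slide asks for: stack n known plaintext blocks as the columns of P and the matching ciphertext blocks as C; if P is invertible mod 26 then K = C·P^(−1). The 2×2 and 3×3 keys are made up for the example.

```python
from math import gcd

ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def det_mod(M, m=26):
    """Determinant by cofactor expansion along the first row (n is tiny), reduced mod m."""
    n = len(M)
    if n == 1:
        return M[0][0] % m
    total = 0
    for j in range(n):
        minor = [row[:j] + row[j + 1:] for row in M[1:]]
        total += (-1) ** j * M[0][j] * det_mod(minor, m)
    return total % m


def inverse_mod(K, m=26):
    """K^{-1} = det(K)^{-1} * adj(K) (mod m), adj(K)[i][j] = (-1)^{i+j} det(K with row j, column i deleted)."""
    n = len(K)
    d = det_mod(K, m)
    if gcd(d, m) != 1:
        raise ValueError("det(K) = %d is not invertible mod %d: this key cannot be decrypted" % (d, m))
    d_inv = pow(d, -1, m)
    adj = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            minor = [row[:i] + row[i + 1:] for r, row in enumerate(K) if r != j]
            adj[i][j] = (-1) ** (i + j) * det_mod(minor, m) if n > 1 else 1
    return [[d_inv * adj[i][j] % m for j in range(n)] for i in range(n)]


def mat_mul(A, B, m=26):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) % m for j in range(len(B[0]))] for i in range(len(A))]


def hill_encrypt(text, K, filler="X"):
    """C = K P mod 26, one n-letter column vector P at a time; the last block is padded with the filler."""
    n = len(K)
    letters = [c for c in text.upper() if c in ALPHA]
    letters += [filler] * (-len(letters) % n)
    out = []
    for i in range(0, len(letters), n):
        P = [[ALPHA.index(c)] for c in letters[i:i + n]]
        out += [ALPHA[v[0]] for v in mat_mul(K, P)]
    return "".join(out)


def hill_decrypt(ciphertext, K):
    return hill_encrypt(ciphertext, inverse_mod(K))


def hill_known_plaintext(plaintext, ciphertext, n):
    """Known-plaintext attack: n aligned blocks give C = K P, so K = C P^{-1} (mod 26) when P is invertible."""
    P = [[ALPHA.index(plaintext[j * n + i]) for j in range(n)] for i in range(n)]
    C = [[ALPHA.index(ciphertext[j * n + i]) for j in range(n)] for i in range(n)]
    return mat_mul(C, inverse_mod(P))
```

If the first n blocks of known plaintext happen to form a singular matrix, any other n blocks can be used; the linearity of the cipher is what makes the attack work, and the non-linear step the slide suggests breaks exactly that property.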
Key Sizes
× How many good keys?
  r One might naïvely think that the key size, in bits, is n^2 · log_2 26, or about 4.7 n^2.
    º In fact, it is slightly less than this because not all randomly selected matrices are usable.
  r A slightly less naïve view might guess that 1/2 + 1/26 of candidate keys would be unusable, reducing the keyspace by about 54%.
    º In fact, determinants are not uniformly distributed, and the key space reduction is closer to 70%.
  r Additionally it seems to be prudent to avoid too many zeroes in the key matrix, since they reduce diffusion.
    º The net effect is that the effective keyspace of a basic Hill cipher is about 4.64 n^2 bits.
    º For a 5 × 5 Hill cipher, that is about 114 bits. Of course, key search is not the most efficient known attack
Polyalphabetic Substitution
× Use more than one substitution alphabet
× Makes cryptanalysis harder
  r since there are more alphabets to guess
  r and it flattens the frequency distribution
    º the same plaintext letter gets replaced by several ciphertext letters, depending on which alphabet is used
Vigenère Cipher
× Basically multiple Caesar ciphers
× key is multiple letters long
  r K = k_1 k_2 ... k_d
  r the ith letter specifies the ith alphabet to use
  r use each alphabet in turn, repeating from the start after d letters in the message
× Plaintext   THISPROCESSCANALSOBEEXPRESSED
  Keyword     CIPHERCIPHERCIPHERCIPHERCIPHE
  Ciphertext  VPXZTIQKTZWTCVPSWFDMTETIGAHLH
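Added Python example (not from the lecture notes) for the Vigenère slide: encryption/decryption reproducing the CIPHER example, and the two classical period-finding tools that undo the "flattened frequency distribution": the Kasiski examination (distances between repeated trigrams are multiples of the key length) and the index of coincidence per column (columns of a monoalphabetic cipher keep English's IC of about 0.066, whereas mixed columns drop towards 0.038). Once the period is known each column is a Caesar cipher and falls to single-letter frequency analysis; the thresholds and the sample text are this example's own.

```python
from collections import Counter

ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def vigenere(text, key, decrypt=False):
    """Vigenère: the i-th letter is Caesar-shifted by key[i mod d]; decrypt=True reverses the shifts."""
    shifts = [ALPHA.index(k) for k in key.upper()]
    letters = [c for c in text.upper() if c in ALPHA]
    out = []
    for i, c in enumerate(letters):
        s = shifts[i % len(shifts)]
        out.append(ALPHA[(ALPHA.index(c) + (-s if decrypt else s)) % 26])
    return "".join(out)


def kasiski_distances(ciphertext, length=3):
    """Distances between the first and later occurrences of each repeated n-gram; the period divides most of them."""
    first, dists = {}, []
    for i in range(len(ciphertext) - length + 1):
        gram = ciphertext[i:i + length]
        if gram in first:
            dists.append(i - first[gram])
        else:
            first[gram] = i
    return dists


def index_of_coincidence(text):
    """Probability that two letters drawn from `text` are equal: ~0.066 for English, ~0.038 for uniform."""
    n = len(text)
    if n < 2:
        return 0.0
    return sum(v * (v - 1) for v in Counter(text).values()) / (n * (n - 1))


def guess_period(ciphertext, max_period=20, threshold=0.06):
    """Smallest d whose d columns have a mean IC above the threshold, i.e. look monoalphabetic."""
    for d in range(1, max_period + 1):
        columns = [ciphertext[i::d] for i in range(d)]
        if sum(index_of_coincidence(c) for c in columns) / d >= threshold:
            return d
    return None


def recover_key(ciphertext, period):
    """Each column is a Caesar cipher; assume its most frequent letter is E.  Needs a long ciphertext."""
    key = ""
    for i in range(period):
        top = Counter(ciphertext[i::period]).most_common(1)[0][0]
        key += ALPHA[(ALPHA.index(top) - ALPHA.index("E")) % 26]
    return key
```

Kasiski alone usually yields a handful of distances whose common divisor is a small multiple of the true period; the IC test then distinguishes period 6 from 12. `recover_key` uses the cheapest heuristic; the chi-squared ranking from the Caesar example earlier on this page is the more robust replacement for short columns.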
Enigma Machine
× Enigma was a portable cipher machine used to encrypt and decrypt secret messages.
  r a family of related electromechanical rotor machines
  r German military models
  r Japanese commercial models
Enigma Machine
[Figure] Enigma encryption for two consecutive letters: current is passed into the set of rotors, around the reflector, and back out through the rotors again. Letter A encrypts differently with consecutive key presses, first to G, and then to C. This is because the right-hand rotor has stepped, sending the signal on a completely different route.
Enigma
× the actual encipherment of a letter is performed electrically.
  r When a key is pressed, the circuit is completed; current flows through the various components and ultimately lights one of many lamps, indicating the output letter.
  r Current flows from a battery through the switch controlled by the depressed key into a fixed entry wheel. This leads into the rotor assembly (or scrambler), where the complex internal wiring of each rotor results in the current passing from one rotor to the next along a convoluted path. After passing through all the rotors, current enters the reflector, which relays the signal back out again through the rotors and the entry wheel, this time via a different path, and, finally, to one of the lamps (the earliest Enigma models do not have the reflector).
Rotors
× each rotor performs a very simple type of encryption
  r a simple substitution cipher
World War II Era Encryption Devices
× A few here
  r Sigaba (United States)
  r Typex (Britain)
  r Lorenz cipher (Germany)
  r Geheimfernschreiber (Germany)
× For more, see
  r http://w1tp.com/enigma/
One-time Pad
× theoretically unbreakable (Claude Shannon)
  r the plaintext is combined with a random "pad" the same length as the plaintext.
× Patented by
  r Gilbert Vernam (AT&T) and Joseph Mauborgne
× Encryption
  r C = P ⊕ K
× Decryption
  r P = C ⊕ K
× Claude Shannon's work can be interpreted as
  r showing that any information-theoretically secure cipher will be effectively equivalent to the one-time pad algorithm. Hence one-time pads offer the best possible mathematical security of any encryption scheme, anywhere and anytime.
One-time pad, cont
× Drawbacks
  r it requires secure exchange of the one-time pad material, which must be as long as the message
  r the pad must be disposed of correctly and never reused
× In practice
  r Generate a large number of random bits,
  r Exchange the key material securely between the users before sending a one-time enciphered message,
  r Keep both copies of the key material for each message securely until they are used, and
  r Securely dispose of the key material after use, thereby ensuring the key material is never reused.
× It requires perfectly random numbers as the key
    º We will learn how to generate pseudo-random numbers
Random numbers needed
× If the key material is generated by a deterministic program then it is not actually random
  r it should never be used in a one-time pad cipher.
  r If so used, the method becomes a stream cipher; these usually employ a short key that is used to generate a long pseudo-random stream, which is then combined with the message using some such mechanism as those used in one-time pads. Stream ciphers can be secure in practice, but they cannot be absolutely secure in the same provable sense as the one-time pad
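Added Python example (not from the lecture notes) for the one-time pad slides: C = P ⊕ K and P = C ⊕ K over bytes, plus the failure mode the "never reused" rule guards against. If the same pad encrypts two messages, C1 ⊕ C2 = P1 ⊕ P2 no matter how random K was, and "crib dragging" a guessed word across that XOR exposes the other message wherever the guess is right. The pad comes from `os.urandom` (the OS CSPRNG, which is a stand-in for a true random source); the two messages are constructed for the example.

```python
import os


def xor_bytes(a, b):
    """Byte-wise XOR; the pad must be exactly as long as the message."""
    if len(a) != len(b):
        raise ValueError("one-time pad and message must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_keygen(n):
    """Fresh pad of n bytes from the OS CSPRNG (a true pad would come from a hardware source)."""
    return os.urandom(n)


otp_encrypt = otp_decrypt = xor_bytes          # C = P ⊕ K and P = C ⊕ K are the same operation


def two_time_pad_leak(c1, c2):
    """Key reuse: C1 ⊕ C2 = (P1 ⊕ K) ⊕ (P2 ⊕ K) = P1 ⊕ P2.  K has cancelled out."""
    return xor_bytes(c1, c2)


def crib_drag(p1_xor_p2, crib):
    """Slide a guessed plaintext fragment along P1 ⊕ P2; positions where the result is all printable
    ASCII are candidates, and the printable bytes are the *other* message at that offset."""
    hits = []
    for i in range(len(p1_xor_p2) - len(crib) + 1):
        segment = xor_bytes(p1_xor_p2[i:i + len(crib)], crib)
        if all(32 <= b < 127 for b in segment):
            hits.append((i, segment.decode("ascii")))
    return hits


if __name__ == "__main__":
    P1 = b"ATTACK AT DAWN TOMORROW"     # constructed sample messages
    P2 = b"RETREAT AT DUSK TONIGHT"
    K = otp_keygen(len(P1))
    leak = two_time_pad_leak(otp_encrypt(P1, K), otp_encrypt(P2, K))
    for offset, revealed in crib_drag(leak, b" AT "):
        print(offset, repr(revealed))
```

The same leak applies to a stream cipher whenever a key stream is reused (the WEP and MS-PPTP incidents are the textbook cases), which is why the "stream cipher, not a one-time pad" distinction on the slide matters in practice: the stream cipher is only as good as its guarantee that no key stream is ever repeated.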
Stream ciphers
× Stream ciphers
  r The most famous: Vernam cipher
  r Invented by Vernam (AT&T, 1917)
  r Process the message bit by bit (as a stream)
  r Different from the one-time pad, though some call them the same: the pad is truly random, the stream is generated from a short key
  r Simply add bits of the message to the key bits (XOR)
× Examples
  r A well-known stream cipher is RC4;
  r others include: A5/1, A5/2, Chameleon, FISH, Helix, ISAAC, Panama, Pike, SEAL, SOBER, SOBER-128 and WAKE.
× Usage
  r Stream ciphers are used in applications where plaintext comes in quantities of unknowable length, for example a secure wireless connection
Simplest Stream Cipher
× Plaintext ⊕ Key → Ciphertext on the sender's side; Ciphertext ⊕ Key → Plaintext on the receiver's side, with the same key stream at both ends
Pros and Cons
× Drawbacks
  r Need as many key bits as the message, difficult in practice
  r (i.e. distribute on a mag tape or CD-ROM)
× Strength
  r Is unconditionally secure provided the key is truly random (and never reused)
Key Generation
× Why not generate the keystream from a smaller (base) key?
  r Use some pseudo-random function to do this
  r Although this looks very attractive, it proves to be very difficult in practice to find a good pseudo-random function that is cryptographically strong
× This is still an area of much research
Transposition Methods
× Permutation of the plaintext
× Example
  r Write the message in rows under the key, then read it out column by column in the order specified by the key
× Enhancement: double or triple transposition
  r Can reapply the encryption to the ciphertext
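The columnar transposition described above, as an added Python example (not from the lecture notes): the plaintext is written in rows of len(key) letters, the columns are read out in the alphabetical order of the key letters, and `double_transposition` is the slide's enhancement. The filler letter and keys are this example's own choices.

```python
def key_order(key):
    """Column read-out order: alphabetical order of the key letters, ties broken left to right."""
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def columnar_encrypt(plaintext, key, filler="X"):
    """Write the letters in rows under the key, complete the last row, read the columns in key order."""
    text = "".join(c for c in plaintext.upper() if c.isalpha())
    ncols = len(key)
    text += filler * (-len(text) % ncols)
    return "".join(text[c::ncols] for c in key_order(key))


def columnar_decrypt(ciphertext, key):
    """Cut the ciphertext into columns of equal height, put them back in key order, read the rows."""
    ncols = len(key)
    nrows = len(ciphertext) // ncols
    cols = [""] * ncols
    for k, c in enumerate(key_order(key)):
        cols[c] = ciphertext[k * nrows:(k + 1) * nrows]
    return "".join(cols[c][r] for r in range(nrows) for c in range(ncols))


def double_transposition(plaintext, key1, key2):
    """The slide's enhancement: transpose the ciphertext again with a second key."""
    return columnar_encrypt(columnar_encrypt(plaintext, key1), key2)
```

A transposition leaves single-letter frequencies untouched, which is how an analyst recognises one; the double transposition only changes which columns the analyst has to anagram back together.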
Cryptography and Network Security
Block Ciphers
XiangYang Li
Block Ciphers
× The message is broken into blocks,
  r Each of which is then encrypted
  r (Like a substitution on very big characters: 64 bits or more)
Substitution and Permutation
× In his 1949 paper Shannon also introduced the idea of substitution–permutation (SP) networks, which now form the basis of modern block ciphers
  r An SP network is the modern form of a substitution–transposition product cipher
  r SP networks are based on the two primitive cryptographic operations we have seen before
Substitution
× A binary word is replaced by some other binary word
× The whole substitution function forms the key
× If we use n-bit words,
  r The key space is (2^n)!, the number of bijections on 2^n values
× Can also think of this as a large lookup table, with n address lines (hence 2^n addresses), each n bits wide being the output value
× Will call them S-boxes
Cont.
Cryptography and Network Security 160
Permutation
×
A binary word has its bits reordered
(permuted)
×
The reordering forms the key
×
If use n bit words,
r
The key space is n! (Less secure than substitution)
×
This is equivalent to a wirecrossing in
practice
r
(Though is much harder to do in software)
×
Will call these pboxes
Cryptography and Network Security 161
Cont.
Cryptography and Network Security 162
Substitutionpermutation
Network
×
Shannon combined these two primitives
×
He called these mixing transformations
×
A special form of product ciphers where
r
Sboxes
º
Provide confusion of input bits
r
Pboxes
º
Provide diffusion across sbox inputs
Cryptography and Network Security 163
Confusion and Diffusion
×
Confusion
r
A technique that seeks to make the relationship
between the statistics of the ciphertext and the value of
the encryption keys as complex as possible. Cipher uses
key and plaintext.
×
Diffusion
r
A technique that seeks to obscure the statistical
structure of the plaintext by spreading out the influence
of each individual plaintext digit over many ciphertext
digits.
Cryptography and Network Security 164
Desired Effect
×
Avalanche effect
r
A characteristic of an encryption algorithm in which a
small change in the plaintext gives rise to a large
change in the ciphertext
r
Best: changing one input bit results in changes of
approx half the output bits
×
Completeness effect
r
where each output bit is a complex function of all the
input bits
Cryptography and Network Security 165
Practical Substitution
permutation Networks
×
In practice we need to be able to decrypt
messages, as well as to encrypt them,
hence either:
r
Have to define inverses for each of our S & Pboxes,
but this doubles the code/hardware needed, or
r
Define a structure that is easy to reverse, so can use
basically the same code or hardware for both
encryption and decryption
Feistel Cipher
× Invented by Horst Feistel,
  r working at IBM Thomas J. Watson research labs in the early 70's,
× The idea is to partition the input block into two halves, l(i−1) and r(i−1),
  r use only r(i−1) in each round i (part) of the cipher
× The function f incorporates one stage of the SP network, controlled by part of the key k(i) known as the ith subkey
Cont.
[Figure: one Feistel round]
Cont.
× This can be described functionally as:
  r L(i) = R(i−1)
  r R(i) = L(i−1) ⊕ f(k(i), R(i−1))
× This can easily be reversed as seen in the above diagram, working backwards through the rounds: R(i−1) = L(i) and L(i−1) = R(i) ⊕ f(k(i), L(i)), so f itself is never inverted and need not be invertible
× In practice link a number of these stages together (typically 16 rounds) to form the full cipher
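The Feistel equations above, as an added Python example (not from the lecture notes): a 64-bit block is split into 32-bit halves, each round applies L(i) = R(i−1), R(i) = L(i−1) ⊕ f(k(i), R(i−1)), and decryption runs the same rounds with the subkeys reversed. The round function is a deliberately simple, non-invertible mixing function invented for this example (it is not DES's f); the point is that the network is invertible regardless of what f is.

```python
MASK32 = 0xFFFFFFFF


def round_function(k, r):
    """Toy 32-bit f(k, r) for illustration only (not DES's f).  It is not invertible, and does not need to be."""
    x = (r ^ k) & MASK32
    x = (x * 0x9E3779B1 + 0x7F4A7C15) & MASK32
    return ((x << 13) | (x >> 19)) & MASK32


def feistel_encrypt(block, subkeys):
    """L(i) = R(i-1); R(i) = L(i-1) XOR f(k(i), R(i-1)), one subkey per round, 64-bit block as an int."""
    L, R = block >> 32, block & MASK32
    for k in subkeys:
        L, R = R, L ^ round_function(k, R)
    return (L << 32) | R


def feistel_decrypt(block, subkeys):
    """Walk the rounds backwards: R(i-1) = L(i); L(i-1) = R(i) XOR f(k(i), L(i)).  Same f, reversed subkeys."""
    L, R = block >> 32, block & MASK32
    for k in reversed(subkeys):
        L, R = R ^ round_function(k, L), L
    return (L << 32) | R


def bit_difference(a, b):
    """Number of differing bits between two blocks: a quick look at the avalanche effect."""
    return bin(a ^ b).count("1")


if __name__ == "__main__":
    subkeys = [0x01234567, 0x89ABCDEF, 0xDEADBEEF, 0xC0FFEE00] * 4      # 16 made-up round keys
    pt = 0x0123456789ABCDEF
    ct = feistel_encrypt(pt, subkeys)
    assert feistel_decrypt(ct, subkeys) == pt
    print("flipping one plaintext bit changes", bit_difference(ct, feistel_encrypt(pt ^ 1, subkeys)), "ciphertext bits")
```

With a single round the left half of the output is just the right half of the input, which is why the slide says a real cipher links many rounds: the structure guarantees invertibility, the round count and f provide the confusion and diffusion.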
Cryptography and Network Security 169
Data Encryption Standard
×
Adopted in 1977 by the National Bureau of
Standards, now the National Institute of
Standards and Technology
×
Data are encrypted in 64bit blocks using a
56bit key
×
The same algorithm is used for decryption.
×
Subject to much controversy
Cryptography and Network Security 170
History
×
IBM LUCIFER 60’s
r
Uses a 128-bit key
×
Proposal for NBS, 1973
×
Adopted by NBS, 1977
r
Uses only a 56-bit key
º
Possible brute force attack
r
Design of S-boxes was classified
º
Hidden weak points in S-boxes?
r
Wiener (93) claimed to be able to build a machine for
$100,000 and break DES in 1.5 days
Cryptography and Network Security 171
DES
×
DES encrypts 64-bit blocks of data, using a
56-bit key
×
The basic process consists of:
r
an initial permutation (IP)
r
16 rounds of a complex key-dependent calculation f
r
a final permutation, being the inverse of IP
×
Function f can be described as
r
L(i) = R(i-1)
r
R(i) = L(i-1) ⊕ P(S(E(R(i-1)) ⊕ K(i)))
Cryptography and Network Security 172
DES
Cryptography and Network Security 173
Initial and Final Permutations
×
Inverse permutation IP^-1 (read row by row; output bit i = input bit table(i))
40 8 48 16 56 24 64 32
39 7 47 15 55 23 63 31
38 6 46 14 54 22 62 30
37 5 45 13 53 21 61 29
36 4 44 12 52 20 60 28
35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26
33 1 41 9 49 17 57 25
Cryptography and Network Security 174
Function f
Cryptography and Network Security 175
Expansion Table
×
Expands the 32-bit data to 48 bits
r
Result(i) = input(array(i))
32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1
Cryptography and Network Security 176
SBoxes
×
S-box is a fixed 4 by 16 array
×
Given 6 bits B = b1 b2 b3 b4 b5 b6,
r
Row r = b1 b6
r
Column c = b2 b3 b4 b5
r
S(B) = S(r,c) written in binary of length 4
Cryptography and Network Security 177
Example
×
S-box S1
14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
Cryptography and Network Security 178
Permutation Table
×
The permutation after each round
16 7 20 21
29 12 28 17
1 15 23 26
5 18 31 10
2 8 24 14
32 27 3 9
19 13 30 6
22 11 4 25
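The expansion table E, S-box S1 (with the row = b1 b6, column = b2 b3 b4 b5 rule) and the permutation P above, composed into the round function f(R, K) = P(S(E(R) ⊕ K)) of the DES slide; an added example, not code from the lecture notes. Only S1 is on the slides, so applying S1 to all eight 6-bit groups is an assumption made purely so the whole pipeline can run.

```python
# Added example, not from the lecture notes: the parts of the DES round
# function that the slides give in full (E, S1, P). Bit numbering follows
# the slides: Result(i) = input(array(i)), bits counted from 1 at the most
# significant end. S1 is used for every 6-bit group (assumption: the other
# seven S-boxes are not on the slides).

E_TABLE = [32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9,
           8, 9, 10, 11, 12, 13, 12, 13, 14, 15, 16, 17,
           16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
           24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]

S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

P_TABLE = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
           2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]


def permute(value: int, width: int, table: list) -> int:
    """Output bit i (1-based, MSB first) = input bit table[i-1]."""
    out = 0
    for pos in table:
        out = (out << 1) | ((value >> (width - pos)) & 1)
    return out


def expand(r32: int) -> int:
    """E: 32-bit half block -> 48 bits (16 of the bits appear twice)."""
    return permute(r32, 32, E_TABLE)


def sbox1(six_bits: int) -> int:
    """S1 lookup: row from the outer bits b1 b6, column from b2..b5."""
    b = six_bits & 0x3F
    row = ((b >> 5) << 1) | (b & 1)
    col = (b >> 1) & 0xF
    return S1[row][col]                      # 4-bit result


def substitute(bits48: int) -> int:
    """Apply an S-box to each of the eight 6-bit groups, MSB group first."""
    out = 0
    for g in range(8):
        group = (bits48 >> (42 - 6 * g)) & 0x3F
        out = (out << 4) | sbox1(group)      # assumption: S1 for every group
    return out


def f(r32: int, subkey48: int) -> int:
    """One DES round function f(R, K) = P(S(E(R) XOR K)), as on the slide."""
    return permute(substitute(expand(r32) ^ subkey48), 32, P_TABLE)


if __name__ == "__main__":
    print(f"S1(011011) = {sbox1(0b011011):04b}")   # row 01, column 1101
    print(f"E(0x00000001) = {expand(1):012x}")      # bit 32 lands in two places
    print(f"f(0, 0) = {f(0, 0):08x}")
```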
Cryptography and Network Security 179
Subkey Generation
×
Given a 64-bit key (with parity-check bits)
r
Discard the parity-check bits
r
Permute the remaining bits using fixed table P1
r
Let C_0 D_0 be the result (total 56 bits)
×
Let C_i = Shift_i(C_{i-1}); D_i = Shift_i(D_{i-1}), and let K_i be
another permutation P2 of C_i D_i (C_i D_i total 56
bits)
r
where Shift_i is a cyclic shift one position left if i = 1, 2, 9, 16
r
else a cyclic shift two positions left
Cryptography and Network Security 180
Permutation Tables
Permutation table P1:
57 49 41 33 25 17 9
1 58 50 42 34 26 18
10 2 59 51 43 35 27
19 11 3 60 52 44 36
63 55 47 39 31 23 15
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4
Permutation table P2:
14 17 11 24 1 5
3 28 15 6 21 10
23 19 12 4 26 8
16 7 27 20 13 2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32
Cryptography and Network Security 181
DES in Practice
×
DEC (Digital Equipment Corp., 1992) built a
chip with 50k transistors
r
Encrypts at the rate of 1G/second
r
Clock rate 250 MHz
r
Cost about $300
×
Applications
r
ATM transactions (encrypting PIN and so on)
Cryptography and Network Security 182
Modes
×
Mode of use
r
The way we use a block cipher
r
Four have been defined for DES by ANSI in the
standard ANSI X3.106-1983 (modes of use)
×
Block modes
r
Split messages into blocks (ECB, CBC)
×
Stream modes
r
On bit-stream messages (CFB, OFB)
Cryptography and Network Security 183
Block Modes
×
Electronic Codebook (ECB)
r
where the message is broken into independent 64-bit
blocks which are encrypted
r
C_i = DES_{K1}(P_i)
×
Cipher Block Chaining (CBC)
r
again the message is broken into 64-bit blocks, but they
are linked together in the encryption operation with an
IV
r
C_i = DES_{K1}(P_i ⊕ C_{i-1})
r
C_{-1} = IV (initial value)
Cryptography and Network Security 184
Stream Modes
×
Cipher FeedBack (CFB)
r
where the message is treated as a stream of bits, added
to the output of the DES, with the result being fed
back for the next stage
r
C_i = P_i ⊕ DES_{K1}(C_{i-1})
r
C_{-1} = IV (initial value)
Cryptography and Network Security 185
Cont.
×
Output FeedBack (OFB)
r
where the message is treated as a stream of bits, added
to the message, but with the feedback being
independent of the message
r
C_i = P_i ⊕ O_i
r
O_i = DES_{K1}(O_{i-1})
r
O_{-1} = IV (initial value)
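The four modes of the last three slides (ECB, CBC, CFB, OFB) written generically over a 64-bit block cipher, as an added example that is not code from the lecture notes. DES is not on the slides in runnable form, so a tiny keyed permutation stands in for DES_{K1}; that stand-in is an assumption for illustration only and has no security value. The sample key, IV and messages are constructed.

```python
# Added example, not from the lecture notes: the modes of the slides with
# C_{-1} = O_{-1} = IV, over any 64-bit block cipher E_K. The toy cipher
# below is an illustrative stand-in for DES_K1 and is NOT secure.

BLOCK = 8  # bytes, the 64-bit block of the slides


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for DES_K1: XOR the key, rotate bytes, swap nibbles."""
    x = bytes(a ^ b for a, b in zip(block, key))
    x = x[3:] + x[:3]
    return bytes(((b << 4) | (b >> 4)) & 0xFF for b in x)


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    x = bytes(((b << 4) | (b >> 4)) & 0xFF for b in block)
    x = x[-3:] + x[:-3]
    return bytes(a ^ b for a, b in zip(x, key))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


# --- block modes: the message must be a whole number of blocks ------------
def ecb_encrypt(key, pt):                      # C_i = E_K(P_i)
    return b"".join(toy_block_encrypt(key, p) for p in split(pt))


def ecb_decrypt(key, ct):
    return b"".join(toy_block_decrypt(key, c) for c in split(ct))


def cbc_encrypt(key, iv, pt):                  # C_i = E_K(P_i XOR C_{i-1})
    prev, out = iv, []
    for p in split(pt):
        prev = toy_block_encrypt(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):                  # P_i = D_K(C_i) XOR C_{i-1}
    prev, out = iv, []
    for c in split(ct):
        out.append(xor(toy_block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


# --- stream modes: only E_K is ever used, any message length works --------
def cfb_encrypt(key, iv, pt):                  # C_i = P_i XOR E_K(C_{i-1})
    prev, out = iv, []
    for p in split(pt):
        prev = xor(p, toy_block_encrypt(key, prev))
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(key, iv, ct):                  # P_i = C_i XOR E_K(C_{i-1})
    prev, out = iv, []
    for c in split(ct):
        out.append(xor(c, toy_block_encrypt(key, prev)))
        prev = c
    return b"".join(out)


def ofb_crypt(key, iv, data):                  # O_i = E_K(O_{i-1}); C_i = P_i XOR O_i
    o, out = iv, []
    for chunk in split(data):
        o = toy_block_encrypt(key, o)          # keystream independent of the data
        out.append(xor(chunk, o))
    return b"".join(out)


if __name__ == "__main__":
    key, iv = b"K" * 8, bytes(range(8))        # constructed sample values
    pt = b"ATTACK!!" * 3                       # three identical blocks
    print("ECB:", ecb_encrypt(key, pt).hex())  # repeated blocks show through
    print("CBC:", cbc_encrypt(key, iv, pt).hex())
    print("CFB:", cfb_encrypt(key, iv, b"short msg").hex())
    print("OFB:", ofb_crypt(key, iv, b"short msg").hex())
```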
Cryptography and Network Security 186
DES Weak Keys
×
With many block ciphers there are some
keys that should be avoided, because of
reduced cipher complexity
×
These keys are such that the same subkey
is generated in more than one round, and
they include:
Cryptography and Network Security 187
Cont.
×
Weak keys
r
The same subkey is generated for every round
r
DES has 4 weak keys
×
Semi-weak keys
r
Only two subkeys are generated on alternate rounds
r
DES has 12 of these (in 6 pairs)
×
Demi-semi-weak keys
r
Have four subkeys generated
Cryptography and Network Security 188
Cont.
×
None of these causes a problem since they
are a tiny fraction of all available keys
×
However they MUST be avoided by any key
generation program
Cryptography and Network Security 189
DES Attacks
1998:
The EFF's US$250,000
DES cracking machine
contained 1,536 custom chips
and could brute force a DES key in a
matter of days —
the photo shows a DES Cracker
circuit board fitted
with several Deep Crack chips.
Cryptography and Network Security 190
DES Attacks:
The COPACOBANA
machine, built for
US$10,000 by the
Universities of Bochum and
Kiel, contains 120 low-cost
FPGAs and can perform an
exhaustive key search on
DES in 9 days on average.
The photo shows the
backplane of the machine
with the FPGAs
Cryptography and Network Security 191
Attack Faster than Brute Force
×
Differential cryptanalysis
r
was discovered in the late 1980s by Eli Biham and Adi Shamir,
although it was known earlier to both IBM and the NSA and kept
secret. To break the full 16 rounds, differential cryptanalysis
requires 2^47 chosen plaintexts. DES was designed to be resistant to
DC.
×
Linear cryptanalysis
r
was discovered by Mitsuru Matsui, and needs 2^43 known plaintexts
(Matsui, 1993); the method was implemented (Matsui, 1994), and
was the first experimental cryptanalysis of DES to be reported.
There is no evidence that DES was tailored to be resistant to this
type of attack.
Cryptography and Network Security 192
Possible Techniques for
Improving DES
×
Multiple enciphering with DES
×
Extending DES to 128-bit data paths and
112-bit keys
×
Extending the key expansion calculation
Cryptography and Network Security 193
Double DES?
×
Using two encryption stages and two keys
r
C = E_{k2}(E_{k1}(P))
r
P = D_{k1}(D_{k2}(C))
×
It is proved that there is no key k3 such
that
r
C = E_{k2}(E_{k1}(P)) = E_{k3}(P)
×
But meet-in-the-middle attack
Cryptography and Network Security 194
Meet-in-the-Middle Attack
×
Assume C = E_{k2}(E_{k1}(P))
×
Given the plaintext P and ciphertext C
×
Encrypt P using all possible keys k1 and store the results
×
Decrypt C using all possible keys k2
r
Check the result against the list of encrypted plaintexts
r
If a match is found, test the found keys again on
another plaintext and ciphertext pair
r
If it turns out correct, the keys are found
r
Otherwise keep decrypting C
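The procedure above run against double encryption with a toy 16-bit block cipher whose keys are only 12 bits, so the full search is cheap to run; an added example, not code from the lecture notes. The toy cipher and the keys are constructed assumptions; what the example shows is the work factor, which is why two DES passes do not buy a 112-bit key.

```python
# Added example, not from the lecture notes: meet-in-the-middle on
# C = E_k2(E_k1(P)) with a toy cipher. Work: about 2 * 2^12 cipher calls
# plus a table of 2^12 entries, instead of 2^24 for a naive double search.
KEY_BITS = 12
MASK16 = 0xFFFF
MUL = 0x9E37                          # odd, hence invertible mod 2^16
MUL_INV = pow(MUL, -1, 1 << 16)


def rotl16(x: int, n: int) -> int:
    return ((x << n) | (x >> (16 - n))) & MASK16


def E(k: int, p: int) -> int:
    """Toy cipher mixing XOR, multiplication and addition mod 2^16."""
    x = (p ^ (k * 0x2B1)) & MASK16
    x = (x * MUL) & MASK16
    x = rotl16(x, 5)
    return (x + k * 0x1D3) & MASK16


def D(k: int, c: int) -> int:
    x = (c - k * 0x1D3) & MASK16
    x = rotl16(x, 11)                 # undo the 5-bit left rotation
    x = (x * MUL_INV) & MASK16
    return (x ^ (k * 0x2B1)) & MASK16


def double_encrypt(k1: int, k2: int, p: int) -> int:
    return E(k2, E(k1, p))            # C = E_k2(E_k1(P))


def meet_in_the_middle(pairs: list):
    """pairs: known (P, C) with C = E_k2(E_k1(P)). Returns (k1, k2) or None."""
    p0, c0 = pairs[0]
    middle = {}
    for k1 in range(1 << KEY_BITS):            # encrypt P under every k1 ...
        middle.setdefault(E(k1, p0), []).append(k1)
    for k2 in range(1 << KEY_BITS):            # ... decrypt C under every k2
        for k1 in middle.get(D(k2, c0), ()):   # a match in the middle
            # confirm on the remaining pairs to weed out false matches
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                return k1, k2
    return None


if __name__ == "__main__":
    k1, k2 = 0x3A5, 0x9C1                      # constructed secret keys
    plaintexts = [0x1234, 0xBEEF, 0x0000]
    pairs = [(p, double_encrypt(k1, k2, p)) for p in plaintexts]
    print("recovered:", meet_in_the_middle(pairs), "true:", (k1, k2))
```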
Cryptography and Network Security 195
Triple DES
×
DES variant
×
Standardized in ANSI X9.17 & ISO 8732
and in PEM for key management
×
Proposed for general EFT standard by
ANSI X9
×
Backwards compatible with many DES
schemes
×
Uses 2 or 3 keys
Cryptography and Network Security 196
Cont.
×
No known practical attacks
×
Brute force search impossible (very hard)
×
Meet-in-the-middle attacks need 2^56
plaintext-ciphertext pairs per key
×
Popular current alternative
Cryptography and Network Security 197
IDEA:
×
Developed by James Massey & Xuejia Lai at
ETH Zurich, originally in 1990, then
called IPES:
r
X Lai, J L Massey, "A Proposal for a New Block
Encryption Standard"
º
in Advances in Cryptology - Eurocrypt '90, Lecture
Notes in Computer Science, vol 473, pp 389-404,
r
X Lai, J L Massey, S Murphy, "Markov Ciphers and
Differential Cryptanalysis"
º
in Advances in Cryptology - Eurocrypt '91, Lecture
Notes in Computer Science, vol 547, pp 17-38,
r
name changed to IDEA in 1992
Cryptography and Network Security 198
Basic Features
×
Encrypts 64-bit blocks using a 128-bit key
×
Based on mixing operations from different
(incompatible) algebraic groups
r
XOR, + mod 2^16, × mod (2^16 + 1)
r
On 16-bit sub-blocks, with no permutations used
×
IDEA is patented in Europe & US, however
non-commercial use is freely permitted
r
used in the public domain PGP (with agreement)
r
currently no attack against IDEA is known
º
Seems secure against differential cryptanalysis and brute
force
Cryptography and Network Security 199
Operations
×
Operations
r
XOR, addition mod 2^16, multiplication mod 2^16 + 1
º
Why these special moduli for addition and multiplication?
r
They do not satisfy the distributive law
r
They do not satisfy the associative law
Cryptography and Network Security 200
MA: multiplication/addition
×
Multiplication/addition
r
Basic block to provide diffusion
r
Input of MA
º
Two subblocks derived from 4 input subblocks, 4
subkeys
º
Two other subkeys
r
Output
º
Two subblocks
r
Needs four operations
º
Four operations are the minimum to provide full
diffusion
Cryptography and Network Security 201
Overview
Cryptography and Network Security 202
Cont.
×
IDEA encryption works as follows:
r
Use 8 rounds
r
The 64-bit data is divided into X_1, X_2, X_3, X_4
r
Each round
º
The subblocks are added (2,3), multiplied (1,4) with sub
keys
º
The results are XORed [1,3] and [2,4] to 2 subblocks
º
The XOR results set as input of MA structure,

It outputs two subblocks

Results are then XORed with 2,4 and 1,3 subblocks respectively
º
The second and third subblocks are swapped
r
Finally new subkeys are combined with the subblocks
Cryptography and Network Security 203
SubKeys
×
Total need 52 = 6*8 + 4 subkeys
r
The first 8 are taken directly from the key in order
r
Left shift of 25 bits, and then the next 8 subkeys
r
Each subkey is a sub-block of the original key
×
Decryption
r
Much more complicated
r
It needs the inverse of the encryption key
º
For addition, multiplication
Cryptography and Network Security 204
Decryption
×
The process of decryption is essentially
the same as encryption
r
But with a different selection of subkeys
r
Basic operations
º
K1.1^{-1} is the multiplicative inverse mod 2^16 + 1
º
-K1.2 is the additive inverse mod 2^16
º
The original operations are:

(+) bit-by-bit XOR

+ addition mod 2^16 of 16-bit integers

* multiplication mod 2^16 + 1 (where 0 means 2^16)
Cryptography and Network Security 205
Decryption SubKeys
Round | Encryption keys | Decryption keys
2 | K1.1 K1.2 K1.3 K1.4 K1.5 K1.6 | K9.1^-1 -K9.2 -K9.3 K9.4^-1 K8.5 K8.6
3 | K2.1 K2.2 K2.3 K2.4 K2.5 K2.6 | K8.1^-1 -K8.3 -K8.2 K8.4^-1 K7.5 K7.6
4 | K3.1 K3.2 K3.3 K3.4 K3.5 K3.6 | K7.1^-1 -K7.3 -K7.2 K7.4^-1 K6.5 K6.6
5 | K4.1 K4.2 K4.3 K4.4 K4.5 K4.6 | K6.1^-1 -K6.3 -K6.2 K6.4^-1 K5.5 K5.6
6 | K5.1 K5.2 K5.3 K5.4 K5.5 K5.6 | K5.1^-1 -K5.3 -K5.2 K5.4^-1 K4.5 K4.6
7 | K6.1 K6.2 K6.3 K6.4 K6.5 K6.6 | K4.1^-1 -K4.3 -K4.2 K4.4^-1 K3.5 K3.6
8 | K7.1 K7.2 K7.3 K7.4 K7.5 K7.6 | K3.1^-1 -K3.3 -K3.2 K3.4^-1 K2.5 K2.6
9 | K8.1 K8.2 K8.3 K8.4 K8.5 K8.6 | K2.1^-1 -K2.3 -K2.2 K2.4^-1 K1.5 K1.6
Output | K9.1 K9.2 K9.3 K9.4 | K1.1^-1 -K1.2 -K1.3 K1.4^-1
Cryptography and Network Security 206
Important Feature
×
The size of the sub-block
r
Need 2^16 + 1 to be a prime number
º
To compute the inverse for each possible subkey
r
So sub-block size 8 is also possible
º
2^8 + 1 = 257 is a prime number
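IDEA as the preceding slides describe it (the three operations with 0 standing for 2^16, the MA structure, the round and the 25-bit-rotation subkey schedule, and the decryption subkeys of the table above), as an added example that is not code from the lecture notes or the IDEA authors. The key and plaintext are constructed sample values.

```python
# Added example, not from the lecture notes: IDEA per the slides. Eight
# rounds over four 16-bit sub-blocks X1..X4, using XOR, addition mod 2^16
# and multiplication mod 2^16 + 1 (0 represents 2^16); decryption runs the
# same code with the derived decryption subkeys.

MOD_ADD = 1 << 16
MOD_MUL = (1 << 16) + 1           # 65537 is prime, so every subkey has an inverse
MASK16 = 0xFFFF


def mul(a: int, b: int) -> int:
    """Multiplication mod 2^16 + 1; the 16-bit value 0 represents 2^16."""
    a, b = a or MOD_ADD, b or MOD_ADD
    r = (a * b) % MOD_MUL
    return 0 if r == MOD_ADD else r


def mul_inv(a: int) -> int:
    """Multiplicative inverse mod 2^16 + 1 under the same convention."""
    r = pow(a or MOD_ADD, MOD_MUL - 2, MOD_MUL)   # Fermat: a^(p-2) = a^-1
    return 0 if r == MOD_ADD else r


def add(a: int, b: int) -> int:
    return (a + b) & MASK16


def add_inv(a: int) -> int:
    return (-a) & MASK16


def key_schedule(key128: int) -> list:
    """52 subkeys: take 8 words, rotate the key left 25 bits, repeat."""
    subkeys, k = [], key128
    while len(subkeys) < 52:
        subkeys += [(k >> (112 - 16 * i)) & MASK16 for i in range(8)]
        k = ((k << 25) | (k >> 103)) & ((1 << 128) - 1)
    return subkeys[:52]


def ma(t0: int, t1: int, k5: int, k6: int):
    """MA structure: two inputs and two subkeys in, two outputs out."""
    t2 = mul(t0, k5)
    t3 = add(t1, t2)
    t4 = mul(t3, k6)
    return t4, add(t2, t4)


def idea_crypt(block64: int, subkeys: list) -> int:
    """Encrypt with the encryption subkeys, decrypt with the decryption ones."""
    x1, x2, x3, x4 = [(block64 >> s) & MASK16 for s in (48, 32, 16, 0)]
    for r in range(8):
        k1, k2, k3, k4, k5, k6 = subkeys[6 * r:6 * r + 6]
        y1, y2, y3, y4 = mul(x1, k1), add(x2, k2), add(x3, k3), mul(x4, k4)
        t4, t5 = ma(y1 ^ y3, y2 ^ y4, k5, k6)     # XOR [1,3] and [2,4] feed MA
        x1, x2, x3, x4 = y1 ^ t4, y3 ^ t4, y2 ^ t5, y4 ^ t5   # with the 2<->3 swap
    x2, x3 = x3, x2                                # the swap is undone after round 8
    k1, k2, k3, k4 = subkeys[48:52]
    words = (mul(x1, k1), add(x2, k2), add(x3, k3), mul(x4, k4))
    return (words[0] << 48) | (words[1] << 32) | (words[2] << 16) | words[3]


def decryption_subkeys(z: list) -> list:
    """Derive the decryption subkeys from the 52 encryption subkeys z."""
    d = [mul_inv(z[48]), add_inv(z[49]), add_inv(z[50]), mul_inv(z[51]), z[46], z[47]]
    for i in range(1, 8):            # decryption round i+1 undoes encryption round 9-i
        r = 8 - i                    # 0-based index of that encryption round
        d += [mul_inv(z[6 * r]), add_inv(z[6 * r + 2]), add_inv(z[6 * r + 1]),
              mul_inv(z[6 * r + 3]), z[6 * r - 2], z[6 * r - 1]]
    d += [mul_inv(z[0]), add_inv(z[1]), add_inv(z[2]), mul_inv(z[3])]
    return d


if __name__ == "__main__":
    key = 0x00010002000300040005000600070008     # constructed sample key
    pt = 0x0000000100020003
    enc = key_schedule(key)
    ct = idea_crypt(pt, enc)
    print(f"ciphertext {ct:016x}")
    print(f"decrypted  {idea_crypt(ct, decryption_subkeys(enc)):016x}")
```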
Cryptography and Network Security 207
CAST-128
×
By Carlisle Adams, Stafford Tavares
r
Defined in RFC 2144
r
Uses key sizes varying from 40 to 128 bits
r
Feistel network structure
r
16 rounds on 64-bit data blocks
r
Four primitive operations
º
Addition, subtraction (mod 2^32)
º
Bitwise exclusive-OR
º
Left circular rotation
Cryptography and Network Security 208
Skipjack and Clipper
×
Skipjack
r
used in the Clipper escrowed encryption scheme (US govt)
r
Skipjack is a block cipher, 64-bit data
r
hardware-only implementation
r
80-bit key (escrowed in 2 halves)
r
32 rounds
r
all design details and descriptions are classified
r
there has been very considerable debate over its use
r
attack by Matt Blaze (AT&T) on the LEAF component of
the Clipper protocol for secure phone communications
Cryptography and Network Security 209
Blowfish Scheme
×
Developed by Bruce Schneier
r
Fast, compact, simple and variably secure
r
Two basic operations: addition, XOR
r
Key ranges from 32 bits to 448 bits
r
Similar to Feistel scheme
r
The subkey and S-box generation is complicated
r
So not suitable when the key changes often
r
Function g is very simple, unlike DES
Cryptography and Network Security 210
RC5
×
Developed by R. Rivest
r
Suitable for hardware or software
r
Fast, simple, low memory, data-dependent rotations
r
Adaptable to processors of different word length
º
A family of algorithms determined by word length,
number of rounds, size of secret key
r
Decryption and encryption are not the same
º
With little variations
r
Primitive operations
º
Addition, XOR, left circular rotation
Cryptography and Network Security 211
Characteristics
×
Key features of advanced symmetric block ciphers
r
Variable key length
r
Mixed operators
r
Data dependent rotation
r
Key dependent rotation
r
Key-dependent S-boxes
r
Lengthy key schedule algorithm
r
Variable function F
r
Variable number of rounds
r
Operation on both halves of the data each round
Cryptography and Network Security 212
AES
×
Advanced Encryption Standard (Rijndael)
r
key size and the block size may be chosen to be any of 128, 192, or
256 bits (later only key, block fixed 128)
r
Rijndael has a variable number of rounds. Not counting an extra round
performed at the end of encipherment with one step omitted, the
number of rounds in Rijndael is:
º
9 if both the block and the key are 128 bits long.
º
11 if either the block or the key is 192 bits long, and neither of
them is longer than that.
º
13 if either the block or the key is 256 bits long.
r
Three big blocks
º
first perform an AddRoundKey step (XORing a subkey with the
block) by itself,
º
then the regular rounds noted above,
º
then the final round, with the MixColumns step omitted
Cryptography and Network Security 213
Advanced Encryption
Standard
a.k.a.
Lab #1
Not “American”
Encryption Standard
Cryptography and Network Security 214
How was AES created?
×
AES competition
r
Started in January 1997 by NIST
r
4-year cooperation between
º
U.S. Government
º
Private Industry
º
Academia
×
Why?
r
Replace 3DES
r
Provide an unclassified, publicly disclosed encryption algorithm,
available royalty-free, worldwide
Cryptography and Network Security 215
The Finalists
×
MARS
r
IBM
×
RC6
r
RSA Laboratories
×
Rijndael
r
Joan Daemen (Proton World International) and
r
Vincent Rijmen (Katholieke Universiteit Leuven)
×
Serpent
r
Ross Anderson (University of Cambridge),
r
Eli Biham (Technion), and
r
Lars Knudsen (University of California San Diego)
×
Twofish
r
Bruce Schneier, John Kelsey, and Niels Ferguson (Counterpane, Inc.),
r
Doug Whiting (Hi/fn, Inc.),
r
David Wagner (University of California Berkeley), and
r
Chris Hall (Princeton University)
Wrote the book
on crypto
Cryptography and Network Security 216
Evaluation Criteria (in order of importance)
×
Security
º
Resistance to cryptanalysis, soundness of math,
randomness of output, etc.
×
Cost
º
Computational efficiency (speed)
º
Memory requirements
×
Algorithm / Implementation Characteristics
º
Flexibility, hardware and software suitability, algorithm
simplicity
Cryptography and Network Security 217
Results
Cryptography and Network Security 218
Results
Cryptography and Network Security 219
The winner: Rijndael
×
AES adopted a subset of Rijndael
r
Rijndael supports more block and key sizes
Cryptography and Network Security 220
Finite Fields
×
AES uses the finite field GF(2^8)
r
b_7 x^7 + b_6 x^6 + b_5 x^5 + b_4 x^4 + b_3 x^3 + b_2 x^2 + b_1 x + b_0
º {b_7, b_6, b_5, b_4, b_3, b_2, b_1, b_0}
×
Byte notation for the element: x^6 + x^5 + x + 1
r
{01100011} – binary
r
{63} – hex
×
Has its own arithmetic operations
r
Addition
r
Multiplication
Cryptography and Network Security 221
Finite Field Arithmetic
×
Addition (XOR)
º
(x^6 + x^4 + x^2 + x + 1) + (x^7 + x + 1) = x^7 + x^6 + x^4 + x^2
º
{01010111} ⊕ {10000011} = {11010100}
º
{57} ⊕ {83} = {d4}
×
Multiplication is tricky
Cryptography and Network Security 222
Finite Field Multiplication (•)
(x^6 + x^4 + x^2 + x + 1)(x^7 + x + 1) =
x^13 + x^11 + x^9 + x^8 + x^7 + x^7 + x^5 + x^3 + x^2 + x + x^6 + x^4 + x^2 + x + 1
= x^13 + x^11 + x^9 + x^8 + x^6 + x^5 + x^4 + x^3 + 1
(the pairs x^7 + x^7, x^2 + x^2 and x + x cancel)
and
x^13 + x^11 + x^9 + x^8 + x^6 + x^5 + x^4 + x^3 + 1 modulo (x^8 + x^4 + x^3 + x + 1)
= x^7 + x^6 + 1,
where x^8 + x^4 + x^3 + x + 1 is the irreducible polynomial.
Cryptography and Network Security 223
Efficient Finite field Multiply
×
There’s a better way
r
xtime() – very efficiently multiplies its input by {02}
×
Multiplication by higher powers can be
accomplished through repeat application
of xtime()
Cryptography and Network Security 224
Efficient Finite field Multiply
Example: {57} • {13}
{57} • {02} = xtime({57}) = {ae}
{57} • {04} = xtime({ae}) = {47}
{57} • {08} = xtime({47}) = {8e}
{57} • {10} = xtime({8e}) = {07}
{57} • {13} = {57} • ({01} ⊕ {02} ⊕ {10})
= ({57} • {01}) ⊕ ({57} • {02}) ⊕ ({57} • {10})
= {57} ⊕ {ae} ⊕ {07}
= {fe}
Cryptography and Network Security 225
AES parameters
×
Nb – Number of columns in the State
r
For AES, Nb = 4
×
Nk – Number of 32-bit words in the Key
r
For AES, Nk = 4, 6, or 8
×
Nr – Number of rounds (function of Nb and Nk)
r
For AES, Nr = 10, 12, or 14
Cryptography and Network Security 226
AES methods
×
Convert to state array
×
Transformations (and their inverses)
º
AddRoundKey
º
SubBytes
º
ShiftRows
º
MixColumns
×
Key Expansion
Cryptography and Network Security 227
Convert to State Array
Input block: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
State array (filled column by column, S_{r,c} = input byte r + 4c):
S_{0,0} S_{0,1} S_{0,2} S_{0,3} = 0 4 8 12
S_{1,0} S_{1,1} S_{1,2} S_{1,3} = 1 5 9 13
S_{2,0} S_{2,1} S_{2,2} S_{2,3} = 2 6 10 14
S_{3,0} S_{3,1} S_{3,2} S_{3,3} = 3 7 11 15
Cryptography and Network Security 228
AddRoundKey
×
XOR each byte of the round key with its
corresponding byte in the state array
S'_{r,c} = S_{r,c} ⊕ R_{r,c}
(figure: state S XOR round key R gives S'; column 1, S_{0,1}..S_{3,1} with R_{0,1}..R_{3,1}, is highlighted)
Cryptography and Network Security 229
SubBytes
×
Replace each byte in the state array with
its corresponding value from the S-box
(figure: S-box lookup table)
Cryptography and Network Security 230
ShiftRows
×
Last three rows are cyclically shifted
(figure: row 1 rotates S_{1,0} to its end, row 2 rotates S_{2,0} S_{2,1}
to its end, row 3 rotates S_{3,0} S_{3,1} S_{3,2} to its end)
Cryptography and Network Security 231
MixColumns
×
Apply the MixColumn transformation to each
column
(figure: column S_{0,1}..S_{3,1} of S maps to S'_{0,1}..S'_{3,1} of S')
MixColumns()
S'_{0,c} = ({02} • S_{0,c}) ⊕ ({03} • S_{1,c}) ⊕ S_{2,c} ⊕ S_{3,c}
S'_{1,c} = S_{0,c} ⊕ ({02} • S_{1,c}) ⊕ ({03} • S_{2,c}) ⊕ S_{3,c}
S'_{2,c} = S_{0,c} ⊕ S_{1,c} ⊕ ({02} • S_{2,c}) ⊕ ({03} • S_{3,c})
S'_{3,c} = ({03} • S_{0,c}) ⊕ S_{1,c} ⊕ S_{2,c} ⊕ ({02} • S_{3,c})
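The GF(2^8) arithmetic of the "Finite Field Multiplication" and "Efficient Finite field Multiply" slides (long-hand product and reduction, xtime(), the {57} • {13} example) together with the MixColumns equations just above and their inverse, as an added example that is not code from the lecture notes. The column values are constructed sample inputs.

```python
# Added example, not from the lecture notes: GF(2^8) as on the slides
# (addition is XOR; products are reduced modulo x^8 + x^4 + x^3 + x + 1;
# xtime() multiplies by {02}) and the MixColumns / InvMixColumns equations.

IRREDUCIBLE = 0x11B                      # x^8 + x^4 + x^3 + x + 1


def poly_mul_unreduced(a: int, b: int) -> int:
    """Schoolbook product of two polynomials over GF(2), not yet reduced
    (the long x^13 + ... form of the slide's worked multiplication)."""
    result = 0
    for i in range(8):
        if (b >> i) & 1:
            result ^= a << i
    return result


def poly_reduce(p: int) -> int:
    """Reduce modulo x^8 + x^4 + x^3 + x + 1 by repeated subtraction (XOR)."""
    while p.bit_length() > 8:
        p ^= IRREDUCIBLE << (p.bit_length() - 9)
    return p


def xtime(b: int) -> int:
    """Multiply by {02}: shift left; if an x^8 term appears, reduce it."""
    b <<= 1
    return (b ^ IRREDUCIBLE) & 0xFF if b & 0x100 else b


def gf_mul(a: int, b: int) -> int:
    """{a} . {b} by repeated xtime(), exactly like the {57} . {13} example."""
    result, power = 0, a                 # power runs through a.{01}, a.{02}, a.{04}, ...
    while b:
        if b & 1:
            result ^= power
        power = xtime(power)
        b >>= 1
    return result


def mix_column(col: list) -> list:
    """The four MixColumns equations of the slide for one column."""
    s0, s1, s2, s3 = col
    return [gf_mul(0x02, s0) ^ gf_mul(0x03, s1) ^ s2 ^ s3,
            s0 ^ gf_mul(0x02, s1) ^ gf_mul(0x03, s2) ^ s3,
            s0 ^ s1 ^ gf_mul(0x02, s2) ^ gf_mul(0x03, s3),
            gf_mul(0x03, s0) ^ s1 ^ s2 ^ gf_mul(0x02, s3)]


def inv_mix_column(col: list) -> list:
    """InvMixColumns: the inverse matrix has the entries {0e} {0b} {0d} {09}."""
    s0, s1, s2, s3 = col
    return [gf_mul(0x0E, s0) ^ gf_mul(0x0B, s1) ^ gf_mul(0x0D, s2) ^ gf_mul(0x09, s3),
            gf_mul(0x09, s0) ^ gf_mul(0x0E, s1) ^ gf_mul(0x0B, s2) ^ gf_mul(0x0D, s3),
            gf_mul(0x0D, s0) ^ gf_mul(0x09, s1) ^ gf_mul(0x0E, s2) ^ gf_mul(0x0B, s3),
            gf_mul(0x0B, s0) ^ gf_mul(0x0D, s1) ^ gf_mul(0x09, s2) ^ gf_mul(0x0E, s3)]


def mix_columns(state: list) -> list:
    """Apply mix_column to every column of a 4x4 state (state[row][col])."""
    cols = [mix_column([state[r][c] for r in range(4)]) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]


if __name__ == "__main__":
    print(f"{{57}} . {{83}} unreduced = {poly_mul_unreduced(0x57, 0x83):#x}")
    print(f"{{57}} . {{83}} = {{{poly_reduce(poly_mul_unreduced(0x57, 0x83)):02x}}}")
    print(f"{{57}} . {{13}} = {{{gf_mul(0x57, 0x13):02x}}}")
    col = [0xD4, 0xBF, 0x5D, 0x30]             # constructed sample column
    print("MixColumns:", [f"{v:02x}" for v in mix_column(col)])
```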
Cryptography and Network Security 232
Key Expansion
×
Expands the key material so that each
round uses a unique round key
r
Generates Nb(Nr+1) words
r
The first Nk words are filled with just the key
r
Each later word is filled with a combination of the previous word and
the one Nk positions earlier
Cryptography and Network Security 233
Encryption
byte state[4,Nb]
state = in
AddRoundKey(state, keySchedule[0, Nb-1])
for round = 1 step 1 to Nr-1 {
SubBytes(state)
ShiftRows(state)
MixColumns(state)
AddRoundKey(state, keySchedule[round*Nb, (round+1)*Nb-1])
}
SubBytes(state)
ShiftRows(state)
AddRoundKey(state, keySchedule[Nr*Nb, (Nr+1)*Nb-1])
out = state
First and last operations involve the key:
this prevents an attacker from even beginning to encrypt or
decrypt without the key
Cryptography and Network Security 234
Decryption
byte state[4,Nb]
state = in
AddRoundKey(state, keySchedule[Nr*Nb, (Nr+1)*Nb-1])
for round = Nr-1 step -1 downto 1 {
InvShiftRows(state)
InvSubBytes(state)
AddRoundKey(state, keySchedule[round*Nb, (round+1)*Nb-1])
InvMixColumns(state)
}
InvShiftRows(state)
InvSubBytes(state)
AddRoundKey(state, keySchedule[0, Nb-1])
out = state
Cryptography and Network Security 235
Encrypt and Decrypt
Decryption
AddRoundKey
InvShiftRows
InvSubBytes
AddRoundKey
InvMixColumns
InvShiftRows
InvSubBytes
AddRoundKey
Encryption
AddRoundKey
SubBytes
ShiftRows
MixColumns
AddRoundKey
SubBytes
ShiftRows
AddRoundKey
Cryptography and Network Security 236
Cryptography and Network
Security
Public key system
XiangYang Li
Cryptography and Network Security 237
Public Key Encryption
×
Two difficult problems
r
Key distribution under conventional encryption
r
Digital signature
×
Diffie and Hellman, 1976
r
Astonishing breakthrough
r
One key for encryption and the other related key for
decryption
r
It is computationally infeasible to determine the
decryption key using only the encryption key and the
algorithm
Cryptography and Network Security 238
Public Key Cryptosystem
×
Essential steps of public key cryptosystem
r
Each end generates a pair of keys
º
One for encryption and one for decryption
r
Each system publishes one key, called public key, and
the companion key is kept secret
r
If A wants to send a message to B
º
Encrypt it using B’s public key
r
When B receives the encrypted message
º
It decrypts it using its own private key
Cryptography and Network Security 239
Applications of PKC
×
Encryption/Decryption
r
The sender encrypts the message using the receiver’s
public key
º
Q: Why not use the sender’s secret key?
×
Digital signature
r
The sender signs a message by encrypting the message or
a transformation of the message using its own private
key
×
Key exchange
r
Two sides cooperate to exchange a session key,
typically for conventional encryption
Cryptography and Network Security 240
Conditions of PKC
×
Computationally easy
r
To generate public and private key pair
r
To encrypt the message using encryption key
r
To decrypt the message using decryption key
×
Computationally infeasible
r
To compute the private key using public key
r
To recover the plaintext using ciphertext and public key
×
The encryption and decryption can be
applied in either order
Cryptography and Network Security 241
One Way Function
×
PKC boils down to one way function
r
Maps a domain into a range with unique inverse
r
The calculation of the function is easy
r
The calculation of the inverse is infeasible
×
Easy
r
The problem can be solved in polynomial time
×
Infeasible
r
The effort to solve it grows faster than polynomial time
r
For example: 2^n
r
It is required to be infeasible for all inputs, not just the worst case
Cryptography and Network Security 242
Trapdoor One-way Function
×
Trapdoor one way function
r
Maps a domain into a range with unique inverse
º Y = f_k(X)
r
The calculation of the function is easy
r
The calculation of the inverse is infeasible if the key is
not known
r
The calculation of the inverse is easy if the key is
known
Cryptography and Network Security 243
Possible Attacks
×
Brute force
r
Use large keys
º
Trade-off: speed (does not depend linearly on key size)
º
Confined to small data encryption: signature, key
management
×
Compute the private key from public key
r
Not proven to be infeasible for most protocols!
×
Probable message attack
r
Encrypt all possible messages using encryption key
r
Compare with the ciphertext to find the matched one!
r
If the data is small, feasible regardless of the key size of the PKC
Cryptography and Network Security 244
History
×
http://www.research.att.com/~smb/nsam-160/
×
British
×
National Security Action Memorandum
160
r
Kennedy Nuclear Weapon
r
http://www.research.att.com/~smb/nsam-160/pg1.html
Cryptography and Network Security 245
RSA Algorithm
×
R. Rivest, A. Shamir, L. Adleman (1977)
r
James Ellis came up with the idea in 1970, and proved that it was
theoretically possible. In 1973, Clifford Cocks, a British
mathematician, invented a variant of RSA; a few months later,
Malcolm Williamson invented a Diffie-Hellman analog
r
Only revealed in 1997
×
Patent expired on September 20, 2000.
×
Block cipher using integers 0..n-1
r
Thus block size k is less than log_2 n
×
Algorithm:
r
Encryption: C = M^e mod n
r
Decryption: M = C^d mod n
×
Both sender and the receiver know n
Cryptography and Network Security 246
RSA (public key encryption)
×
Alice wants Bob to send her a message. She:
º
selects two (large) primes p, q, TOP SECRET,
º
computes n = pq and φ(n) = (p-1)(q-1),
φ(n) also TOP SECRET,
º
selects an integer e, 1 < e < φ(n), such that
gcd(e, φ(n)) = 1,
º
computes d, such that de ≡ 1 (mod φ(n)),
d also TOP SECRET,
º
gives public key (e, n), keeps private key (d, n).
Cryptography and Network Security 247
Requirements
×
Possible to find e and d such that
r
M = M^{de} mod n for all messages M
×
Easy to conduct encryption and decryption
×
Infeasible to compute d
r
Given n and e
Cryptography and Network Security 248
RSA Example
•
Select primes: p = 17 & q = 11
•
Compute n = pq = 17×11 = 187
•
Compute ø(n) = (p-1)(q-1) = 16×10 = 160
•
Select e: gcd(e,160) = 1; choose e = 7
•
Determine d: de ≡ 1 mod 160 and d < 160.
The value is d = 23 since 23×7 = 161 = 10×160 + 1
•
Publish public key KU = {7,187}
•
Keep secret private key KR = {23,17,11}
Cryptography and Network Security 249
RSA Example cont
×
sample RSA encryption/decryption is:
×
given message M = 88 (nb. 88 < 187)
×
encryption:
C = 88^7 mod 187 = 11
×
decryption:
M = 11^23 mod 187 = 88
Cryptography and Network Security 250
Key Generation
×
Recall Euler Theorem
r
a^{φ(n)+1} = a mod n for all 0 < a < n with gcd(a,n) = 1
r
Then ed=1 mod φ(n) is sufficient to make algorithm
correct (need more proofs)
×
RSA chooses the following
r
Integer n=pq for two primes p and q
r
Select e, such that gcd(e, φ(n))=1
r
Compute the inverse of e mod φ(n)
º
The result is set as d
Cryptography and Network Security 251
Key Generation
×
The prime numbers p and q must be
sufficiently large
r
They are chosen by applying primality testing of
randomly chosen large numbers
r
About n/ln n prime numbers less than n
º
Implies one needs to check about 2 ln n random numbers
to find 2 prime numbers around n
º
Compute n=pq, keep p and q secret!
×
Select random number e
r
Test gcd(e, φ(n))=1, and get d if equation holds
Cryptography and Network Security 252
Exponentiation
×
can use the Square and Multiply Algorithm
×
a fast, efficient algorithm for exponentiation
×
concept is based on repeatedly squaring base
×
and multiplying in the ones that are needed to
compute the result
×
look at binary representation of exponent
×
only takes O(log_2 n) multiplies for exponent n
r
eg. 7^5 = 7^4 · 7^1 = 3·7 = 10 mod 11
r
eg. 3^129 = 3^128 · 3^1 = 5·3 = 4 mod 11
Cryptography and Network Security 253
Exponentiation
Cryptography and Network Security 254
More on Exponentiation (PGP)
×
To compute C^d mod n, we compute
r
C^d mod p and
r
C^d mod q
×
Remember that the receiver could keep p, q
×
Then use the Chinese Remainder Theorem to find
r
C^d mod n
Cryptography and Network Security 255
Security of RSA
×
Brute force: try all possible private keys
×
Factoring integer n, then know φ(n)
r
Not proven to be NP-complete
×
Determine φ(n) directly without factoring
r
Equivalent to factoring! (1996)
×
Determine d directly without knowing φ(n)
r
Currently appears as hard as factoring
º
But not proven, so it may be easier!
Cryptography and Network Security 256
Practical Considerations
×
Testing p, q using probability first, then
deterministic methods
×
A good random number generator is needed for p,q
r
'random' and 'unpredictable'
×
Primes p and q should be in similar scale
×
Both p1 and q1 should have large prime factor
×
The gcd(p1,q1) should be small
×
The encryption key e = 2 should not be used
×
The decryption key d should be larger than n^{1/4}
×
RSA is much slower than symmetric cryptosystems.
r
In practice, one typically encrypts a secret message with a symmetric
algorithm, encrypts the (comparatively short) symmetric key with
RSA, and transmits both the RSA-encrypted symmetric key and the
symmetrically-encrypted message to Alice.
Cryptography and Network Security 257
Fixed point of RSA
×
How many m such that
r
m^e = m mod n, assuming that gcd(m, n) = 1
r
It is the same as m^{e-1} = 1 mod n
r
Thus, m^{e-1} = 1 mod p and m^{e-1} = 1 mod q
r
Solutions: gcd(e-1, p-1) * gcd(e-1, q-1)
º
Need more proofs.
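The RSA example of the earlier slides (p = 17, q = 11, e = 7, d = 23, M = 88) run end to end with square-and-multiply exponentiation, CRT decryption from C^d mod p and C^d mod q, and a brute-force count of the fixed points checked against the gcd(e-1, p-1) · gcd(e-1, q-1) formula above; an added example, not code from the lecture notes. The primes are the slides' toy values.

```python
# Added example, not from the lecture notes: the slides' RSA toy example,
# square-and-multiply, CRT decryption and the fixed-point count.
from math import gcd


def square_and_multiply(base: int, exp: int, mod: int) -> int:
    """Left-to-right binary exponentiation: square per exponent bit,
    multiply by the base where that bit is 1."""
    result, base = 1, base % mod
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        if bit == "1":
            result = (result * base) % mod
    return result


def rsa_keygen(p: int, q: int, e: int):
    """Return ((e, n), (d, n)); e must be coprime to phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must satisfy gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)                    # d = e^-1 mod phi(n)
    return (e, n), (d, n)


def rsa_encrypt(m: int, public) -> int:
    e, n = public
    return square_and_multiply(m, e, n)    # C = M^e mod n


def rsa_decrypt(c: int, private) -> int:
    d, n = private
    return square_and_multiply(c, d, n)    # M = C^d mod n


def rsa_decrypt_crt(c: int, d: int, p: int, q: int) -> int:
    """C^d mod n from C^d mod p and C^d mod q (the receiver keeps p and q).
    The exponent is reduced mod p-1 and q-1 by Fermat's little theorem."""
    mp = square_and_multiply(c, d % (p - 1), p)
    mq = square_and_multiply(c, d % (q - 1), q)
    h = ((mp - mq) * pow(q, -1, p)) % p   # Garner's form of the CRT
    return (mq + q * h) % (p * q)


def count_fixed_points(e: int, n: int) -> int:
    """Brute force: m in [1, n) coprime to n with m^e = m (mod n)."""
    return sum(1 for m in range(1, n) if gcd(m, n) == 1 and pow(m, e, n) == m)


if __name__ == "__main__":
    p, q, e = 17, 11, 7
    public, private = rsa_keygen(p, q, e)
    print("public", public, "private", private)
    c = rsa_encrypt(88, public)
    print("C =", c, " M =", rsa_decrypt(c, private),
          " M (CRT) =", rsa_decrypt_crt(c, private[0], p, q))
    print("7^5 mod 11 =", square_and_multiply(7, 5, 11),
          " 3^129 mod 11 =", square_and_multiply(3, 129, 11))
    print("fixed points:", count_fixed_points(e, p * q),
          " formula:", gcd(e - 1, p - 1) * gcd(e - 1, q - 1))
```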
Cryptography and Network Security 258
Cyclic Attack
×
Compute m^e mod n, m^{e^2} mod n, m^{e^3} mod n, ... till it
reaches some readable message.
×
Need the period to be large
×
Let r be the largest prime factor of p-1, L be the largest
prime factor of r-1
×
Then the period is at least L with high probability
r
Implies that we often need to find a large prime x
r
Based on this, find a large prime of the form y = kx + 1 (by trying
k = 2, 3, ...)
r
Based on y, then find a large prime of the form p = ty + 1
º
Try different values t = 2, 3, 4, ...
Cryptography and Network Security 259
How to deal with p, q
×
Delete them securely
×
Or use them to speed up calculation via the CRT
r
Compute M^e mod p and M^e mod q
r
Then find M^e mod n using the CRT
Cryptography and Network Security 260
Timing Attacks
×
Keep track of how long a computer takes to
decrypt a message!
r
Paul Kocher, 7 Dec 1995
r
Stunning attack strategy and a ciphertext-only attack!
r
Guessing the key bit by bit
×
Countermeasures (Rivest 11 Dec 1995)
r
Constant exponentiation time
r
Random delay
r
Blinding (add a random number for encryption and
decryption)
Cryptography and Network Security 261
Chosen Ciphertext Attack
×
Collect ciphertext c (sent to Alice), want to find m = c^d mod n
×
Attacker chooses random r
×
Compute x = r^e mod n; y = xc mod n; and t = r^{-1} mod n
×
Attacker gets Alice to sign y with her private key using
RSA: y^d mod n
r
That is why one should not use the same key for encryption and digital signature
×
Alice sends u = y^d mod n to the attacker
×
Attacker then computes tu mod n = m
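The blinding countermeasure of the Timing Attacks slide with the slides' toy key (d = 23, e = 7, n = 187), as an added example that is not code from the lecture notes. It relies on the identity (c·r^e)^d = m·r (mod n), the same one the chosen-ciphertext slide above exploits, which is why a decryption key must never double as a signing key; exponentiation is left to Python's pow and the random r comes from the secrets module.

```python
# Added example, not from the lecture notes: RSA decryption with blinding.
# The value that drives the long exponentiation is c * r^e for a fresh
# random r, which an attacker who chose c cannot predict; r^-1 removes r
# afterwards. Toy key from the slides; never use such sizes for real.
import secrets
from math import gcd


def random_blinding_factor(n: int) -> int:
    """A uniformly random r in [2, n-2] that is invertible mod n."""
    while True:
        r = secrets.randbelow(n - 3) + 2
        if gcd(r, n) == 1:
            return r


def rsa_decrypt_blinded(c: int, d: int, e: int, n: int, r: int = None) -> int:
    """m = c^d mod n, computed on the blinded value c * r^e instead of c."""
    if r is None:
        r = random_blinding_factor(n)
    blinded = (c * pow(r, e, n)) % n            # x = r^e, y = x c  (mod n)
    m_times_r = pow(blinded, d, n)              # (c r^e)^d = m r  (mod n)
    return (m_times_r * pow(r, -1, n)) % n      # t = r^-1, t u = m


def rsa_decrypt_plain(c: int, d: int, n: int) -> int:
    return pow(c, d, n)                         # the unblinded reference


if __name__ == "__main__":
    d, e, n, c = 23, 7, 187, 11                 # slides' toy key and ciphertext
    for _ in range(3):                          # different r each time, same m
        print(rsa_decrypt_blinded(c, d, e, n), rsa_decrypt_plain(c, d, n))
```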
Cryptography and Network Security 262
Other attacks on RSA
×
Compromised decryption key
r
If the private key d (for decryption of received
ciphertext) of a user is compromised, then the user has to
reselect n, e and d
r
It cannot use the old number n to produce new key
pairs!
r
Otherwise the attacker can already factor n almost surely!
×
The number n can only be used by one
person
r
If two users use the same n, even though they do not know the
factoring of n, they could still figure out the factoring
of n with probability almost one.
º
Similar to the above
Cryptography and Network Security 263
Bit security of RSA
×
Given ciphertext C,
r
We may want to find the last bit of M, denoted by
parity(C)
r
We may want to find if M>n/2, denoted by half(C)
r
We may want to find all bits of M
×
The above three attacks are the same!
r
If we can solve one, we can solve the other two!
Cryptography and Network Security 264
Other Public Key Systems
×
Rabin Cryptosystem
r
Decryption is not unique
×
Elgamal Cryptosystem
r
Expansion of the plaintext (double)
×
Knapsack System
r
Already broken
×
Elliptic Curve System
r
If ElGamal is directly implemented on an elliptic curve
º
Expansion of plaintext by 4; restricted plaintext
r
Menezes-Vanstone system is more efficient
Cryptography and Network Security 265
Rabin Cryptosystem
×
Procedure
r
Let n = pq with p = 3 mod 4, q = 3 mod 4
r
Publish n, and a number b < n
r
For message m
º
C = m(m + b) mod n
r
The receiver decrypts ciphertext C
º
(b^2/4 + C)^{1/2} - b/2
Cryptography and Network Security 266
Analysis
×
For the receiver, need to solve the equation
r
x^2 + xb = C mod n
r
Let x_1 = x + b/2, c = b^2/4 + C, then need to
º solve x_1^2 = c mod n
r
Chinese Remainder Theorem implies that
º x_1^2 = c mod p
º x_1^2 = c mod q
r
When p = 3 and q = 3 mod 4
º Solution x_1 = c^{(p+1)/4} mod p and x_1 = c^{(q+1)/4} mod q
º
Then Chinese Remainder Theorem again to combine the
solutions
Cryptography and Network Security 267
Security
×
Breaking it ⇔ factoring n
×
Secure against
r
Chosen plaintext attack
×
Not secure against
r
Chosen ciphertext attack
r
Decoding produces three false results in addition to the correct
one, so that the correct result must be guessed. This is the major
disadvantage of the Rabin cryptosystem and one of the factors
which have prevented it from finding widespread practical use.
r
It has been proven that decoding the Rabin cryptosystem is
equivalent to the integer factorization problem, which is rather
different from the situation for RSA.
Cryptography and Network Security 268
Dealing with 4 solutions
×
By adding redundancies, for example, the
repetition of the last 64 bits, the system
can be made to produce a single root.
×
If this technique is applied, the proof of
the equivalence with the factorization
problem fails.
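The procedure from the last three slides, as an added example that is not part of the lecture notes: Rabin encryption with p = q = 3 (mod 4), recovery of all four roots via the two modular square roots and the CRT, and the redundancy trick (a repeated copy of the low bits of m) used to select one root. The primes, b and the message are toy values chosen here for illustration.

```python
# Added example: Rabin cryptosystem with n = pq, p = q = 3 (mod 4).
# P, Q are Mersenne primes chosen only as fixed, reproducible toy values.
P = 2**61 - 1          # 3 mod 4
Q = 2**89 - 1          # 3 mod 4
B = 12345              # the public number b < n (assumption)

def rabin_encrypt(m, n, b):
    """C = m(m + b) mod n."""
    return (m * (m + b)) % n

def crt(r_p, p, r_q, q):
    """Combine x = r_p (mod p), x = r_q (mod q) into x mod pq."""
    return (r_p * q * pow(q, -1, p) + r_q * p * pow(p, -1, q)) % (p * q)

def rabin_decrypt_all(C, p, q, b):
    """All four m with m(m+b) = C (mod pq), following the slide's analysis."""
    n = p * q
    half = pow(2, -1, n)                       # "b/2" means b * 2^-1 mod n
    c = (b * half * b * half + C) % n          # c = b^2/4 + C
    # square roots of c mod p and mod q; valid because p, q = 3 mod 4
    rp = pow(c, (p + 1) // 4, p)
    rq = pow(c, (q + 1) // 4, q)
    roots = []
    for sp in (rp, (-rp) % p):                 # +/- root mod p
        for sq in (rq, (-rq) % q):             # +/- root mod q
            x1 = crt(sp, p, sq, q)             # x_1 = m + b/2
            roots.append((x1 - b * half) % n)
    return roots

def add_redundancy(m, bits):
    """Append a copy of the low `bits` bits of m (the slide suggests 64)."""
    return (m << bits) | (m & ((1 << bits) - 1))

def strip_redundancy(m, bits):
    """Return the original message if the low bits repeat, else None."""
    low = m & ((1 << bits) - 1)
    core = m >> bits
    return core if (core & ((1 << bits) - 1)) == low else None

def rabin_decrypt_unique(C, p, q, b, bits):
    """The single root carrying the redundancy; None if none or several do."""
    found = [strip_redundancy(r, bits) for r in rabin_decrypt_all(C, p, q, b)]
    found = [m for m in found if m is not None]
    return found[0] if len(found) == 1 else None

if __name__ == "__main__":
    n = P * Q
    m = 45
    C = rabin_encrypt(add_redundancy(m, 64), n, B)
    print("four roots  :", rabin_decrypt_all(C, P, Q, B))
    print("with redund.:", rabin_decrypt_unique(C, P, Q, B, 64))
```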
Cryptography and Network Security 269
ElGamal Cryptosystem
×
Based on Discrete Logarithm
r
Find the unique integer x such that g^x = y mod p
º Here g is a primitive element in Z_p, p is prime
×
Procedure
r
Make p, g, y public, keep x secret
r
Encryption (k random):
º E_k(m) = (g^k mod p, m y^k mod p)
r
Decryption
º D_x(y_1, y_2) = y_2 (y_1^x)^(-1) mod p
Cryptography and Network Security 270
Security of ElGamal
×
ElGamal is a simple example of a semantically
secure asymmetric key encryption algorithm
(under reasonable assumptions).
×
ElGamal's security rests, in part, on the difficulty
of solving the discrete logarithm problem in G.
r
Specifically, if the discrete logarithm problem could be solved
efficiently, then ElGamal would be broken. However, the security
of ElGamal actually relies on the so-called Decisional Diffie-
Hellman (DDH) assumption. This assumption is often stronger
than the discrete log assumption, but is still believed to be true for
many classes of groups.
Cryptography and Network Security 271
Semantic Security
×
Semantic security is a widely-used definition of security
for a PKS.
r
For a cryptosystem to be semantically secure, it must be infeasible
for a computationallybounded adversary to derive significant
information about a message (plaintext) when given only its
ciphertext and the corresponding public encryption key.
×
Semantic security considers only the case of a "passive"
attacker, i.e., one who observes ciphertexts and generates
chosen ciphertexts using the public key
×
Indistinguishability definition is used more
commonly than the original definition of semantic
security.
Cryptography and Network Security 272
Indistinguishability: semantic
security.
×
Indistinguishability under Chosen Plaintext Attack (IND-CPA) is
commonly defined by the following game:
r
A probabilistic polynomial time-bounded adversary is given a public key, which it
may use to generate any number of ciphertexts (within polynomial bounds).
r
The adversary generates two equal-length messages m0 and m1, and transmits them
to a challenge oracle along with the public key.
r
The challenge oracle selects one of the messages by flipping a uniformly-weighted
coin, encrypts the message under the public key, and returns the resulting ciphertext
c to the adversary.
×
The underlying cryptosystem is IND-CPA (and thus semantically
secure under chosen plaintext attack) if
r
the adversary cannot determine which of the two messages was chosen by the
oracle with probability significantly greater than 1/2 (the success rate of random
guessing).
×
A semantically secure encryption scheme must by definition be
probabilistic, possessing a component of randomness; if this were
not the case, the adversary could simply compute the deterministic
encryption of m0 and m1 and compare these encryptions with the
returned ciphertext c to successfully guess the oracle's choice.
Cryptography and Network Security 273
Deal with deterministic PKS
×
RSA, can be made semantically secure
(under stronger assumptions) through the
use of random encryption padding schemes
such as Optimal Asymmetric Encryption
Padding (OAEP).
×
ElGamal scheme is semantically secure
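The ElGamal procedure from the earlier slide and the IND-CPA game above, as an added example (not code from the lecture notes): a randomised ElGamal encryption beside deterministic textbook RSA, with the "re-encrypt m0 and m1 and compare" adversary the slide describes. The prime, base and toy RSA modulus are assumptions for illustration only.

```python
# Added example: ElGamal over Z_p and the IND-CPA challenge game.
import secrets

P = 2**127 - 1      # toy prime modulus (assumption); real use needs ~2048 bits
G = 3               # base g (assumption; correctness does not need g primitive)

def elgamal_keygen(p=P, g=G):
    """Public (p, g, y = g^x), secret x."""
    x = secrets.randbelow(p - 2) + 1
    return (p, g, pow(g, x, p)), x

def elgamal_encrypt(pub, m, k=None):
    """E_k(m) = (g^k mod p, m * y^k mod p) with a fresh random k."""
    p, g, y = pub
    if k is None:
        k = secrets.randbelow(p - 2) + 1
    return pow(g, k, p), (m * pow(y, k, p)) % p

def elgamal_decrypt(pub, x, ct):
    """D_x(y1, y2) = y2 * (y1^x)^-1 mod p."""
    p, _, _ = pub
    y1, y2 = ct
    return (y2 * pow(pow(y1, x, p), -1, p)) % p

def textbook_rsa_encrypt(pub, m, k=None):
    """Deterministic: the same m always gives the same ciphertext."""
    n, e = pub
    return pow(m, e, n)

def play_ind_cpa(encrypt, pub, m0, m1, trials=20):
    """Run the challenge game `trials` times against the comparing adversary.

    The adversary re-encrypts m0 and m1 under the public key and compares
    both with the challenge; it identifies the chosen message only when one
    of them matches.  Returns how many trials it identified.
    """
    identified = 0
    for _ in range(trials):
        b = secrets.randbits(1)                  # the oracle's coin
        challenge = encrypt(pub, (m0, m1)[b])
        guess = None
        if challenge == encrypt(pub, m0):
            guess = 0
        elif challenge == encrypt(pub, m1):
            guess = 1
        if guess == b:
            identified += 1
    return identified

if __name__ == "__main__":
    pub, x = elgamal_keygen()
    print("ElGamal roundtrip ok:", elgamal_decrypt(pub, x, elgamal_encrypt(pub, 4242)) == 4242)
    # toy RSA public key n = 61 * 53, e = 17 (assumption for the demo)
    print("textbook RSA identified:", play_ind_cpa(textbook_rsa_encrypt, (3233, 17), 42, 1337), "/ 20")
    print("ElGamal identified     :", play_ind_cpa(elgamal_encrypt, pub, 42, 1337), "/ 20")
```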
Cryptography and Network Security 274
Bit security of Discrete Log
×
Given g^x = y mod p
r
We may want to find the value of x
r
Find some bits of x
×
Assume that p - 1 = 2^s t (t odd)
r
We can find the last s bits of x for sure
r
But to find the other bits of x is the same as to find all bits
of x!
×
Example: the last bit of x is
r
0 <=> y is a QR <=> y^((p-1)/2) = 1 mod p
r
1 <=> y is a NQR <=> y^((p-1)/2) = -1 mod p
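The parity test above in code, as an added example that is not from the lecture notes; it goes beyond the slide's last-bit case and recovers all of the low s bits of x when p - 1 = 2^s t, which is the general form of the same argument. The primes and generators used are small assumed values (g must be a primitive element mod p).

```python
# Added example: bits of the discrete log that are easy to find.

def two_adic_split(p):
    """Write p - 1 = 2^s * t with t odd and return (s, t)."""
    s, t = 0, p - 1
    while t % 2 == 0:
        s, t = s + 1, t // 2
    return s, t

def last_bit_of_log(y, p):
    """Bit 0 of x in y = g^x mod p (g primitive): Euler's criterion.

    y is a quadratic residue exactly when x is even, i.e. y^((p-1)/2) = 1.
    """
    return 0 if pow(y, (p - 1) // 2, p) == 1 else 1

def low_bits_of_log(g, y, p):
    """Recover x mod 2^s from y = g^x mod p, one bit at a time."""
    s, t = two_adic_split(p)
    h = pow(g, t, p)      # h has order exactly 2^s because g is primitive
    z = pow(y, t, p)      # z = h^x, so z depends only on x mod 2^s
    x = 0
    for k in range(s):
        # remove the bits already known: h^(x - x_known) = h^(2^k * rest)
        stripped = (z * pow(pow(h, x, p), -1, p)) % p
        # raising to 2^(s-1-k) leaves (h^(2^(s-1)))^(bit k) = (-1)^(bit k)
        w = pow(stripped, 1 << (s - 1 - k), p)
        if w != 1:
            x |= 1 << k
    return x

if __name__ == "__main__":
    p, g, x = 41, 6, 27             # 6 is a primitive root mod 41 (assumption checked by hand)
    y = pow(g, x, p)
    s, t = two_adic_split(p)         # 40 = 2^3 * 5
    print("last bit:", last_bit_of_log(y, p), " low", s, "bits:", low_bits_of_log(g, y, p), "=", x % 2**s)
```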
Cryptography and Network Security 275
DH Assumption
×
Consider a cyclic group G of order q. The DDH
assumption states that,
r
given (g, g^a, g^b) for a randomly-chosen generator g and random a, b,
the value g^(ab) "looks like" a perfectly random element of G.
×
This intuitive notion is formally stated by saying
that the following two ensembles are
computationally indistinguishable:
r
(g, g^a, g^b, g^(ab)), where g, a, b are chosen at random as
described above (this input is called a "DDH tuple");
r
(g, g^a, g^b, g^c), where g, a, b are chosen at random and c is
chosen at random.
×
Diffie-Hellman problem
r
computing g^(ab) from (g, g^a, g^b)
Cryptography and Network Security 276
Knapsack Cryptosystem
×
Based on the subset sum problem
r
Given a set, find a subset whose elements sum to a given target (e.g. half the total)
r
It is an NP-complete problem in general
×
Superincreasing set if s_i > Σ_(j<i) s_j
×
The subset problem over a superincreasing
set can be solved in polynomial time!
×
Broken by Shamir, 1984
r
Using an integer programming technique by Lenstra
Cryptography and Network Security 277
Solve Subset Problem
×
Let T be the target summation, t = T;
×
For i = n downto 1 do
r
If t >= s_i then
º t = t - s_i
º Set x_i = 1
r
Else x_i = 0
×
If Σ x_i s_i = T then (x_1, x_2, ..., x_n) is the solution
r
Else, there is no solution
Cryptography and Network Security 278
Knapsack System
×
Procedure
r
Select a superincreasing set s = (s_1, ..., s_n)
r
Let p be a prime larger than the summation of s,
r
Select an integer a, keep s, a, p secret
r
Make t = (a s_1, a s_2, ..., a s_n) mod p public
r
Encryption
º Ciphertext C = E(x_1, x_2, ..., x_n) = Σ x_i t_i mod p
r
Decryption
º
Solve the subset summation problem (s, a^(-1) C mod p)
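The greedy solver of the previous slide inside the knapsack procedure above, as an added example that is not code from the lecture notes. The superincreasing set, prime and multiplier are toy values; as the slides note, the system itself is broken and is shown here only to illustrate the trapdoor.

```python
# Added example: superincreasing subset sum and the knapsack cryptosystem.

def is_superincreasing(s):
    """Each s_i must exceed the sum of all earlier elements."""
    total = 0
    for v in s:
        if v <= total:
            return False
        total += v
    return True

def solve_superincreasing(s, T):
    """Greedy algorithm of the slide: scan from s_n down to s_1."""
    t = T
    x = [0] * len(s)
    for i in range(len(s) - 1, -1, -1):
        if t >= s[i]:
            t -= s[i]
            x[i] = 1
    return x if sum(xi * si for xi, si in zip(x, s)) == T else None

def knapsack_keygen(s, p, a):
    """Public key (t, p) with t_i = a*s_i mod p; private key (s, p, a)."""
    if not (is_superincreasing(s) and p > sum(s) and 0 < a < p):
        raise ValueError("need superincreasing s, prime p > sum(s), 0 < a < p")
    t = [(a * si) % p for si in s]
    return (t, p), (s, p, a)

def knapsack_encrypt(public, bits):
    """C = sum x_i t_i mod p for the plaintext bit vector x."""
    t, p = public
    return sum(xi * ti for xi, ti in zip(bits, t)) % p

def knapsack_decrypt(private, C):
    """Multiply by a^-1 mod p, then solve the easy (superincreasing) instance."""
    s, p, a = private
    target = (pow(a, -1, p) * C) % p          # = sum x_i s_i, since that sum < p
    return solve_superincreasing(s, target)

if __name__ == "__main__":
    s = [2, 3, 7, 14, 30, 57, 120, 251]       # constructed superincreasing set
    public, private = knapsack_keygen(s, 491, 41)   # 491 is prime > 484
    bits = [1, 0, 1, 1, 0, 0, 1, 0]
    C = knapsack_encrypt(public, bits)
    print("public t:", public[0], " C:", C, " recovered:", knapsack_decrypt(private, C))
```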
Cryptography and Network Security 279
Elliptic Curve Cryptography
×
majority of publickey crypto (RSA, DH)
use either integer or polynomial arithmetic
with very large numbers/polynomials
×
imposes a significant load in storing and
processing keys and messages
×
an alternative is to use elliptic curves
×
offers same security with smaller bit sizes
Cryptography and Network Security 280
Real Elliptic Curves
×
an elliptic curve is defined by an equation in
two variables x & y, with coefficients
×
consider a cubic elliptic curve of the form
r
y^2 = x^3 + ax + b
r
where x, y, a, b are all real numbers
r
also define the zero point O (point at infinity)
×
have an addition operation for the elliptic curve
r
geometrically, the sum Q + R is the reflection (in the x-axis) of the third point
where the line through Q and R intersects the curve
Cryptography and Network Security 281
Real Elliptic Curve Example
Cryptography and Network Security 282
Finite Elliptic Curves
×
Elliptic curve cryptography uses curves
whose variables & coefficients are finite
×
have two families commonly used:
r
prime curves E_p(a,b) defined over Z_p
º
use integers modulo a prime p
º
best in software
r
binary curves E_(2^m)(a,b) defined over GF(2^m)
º
use polynomials with binary coefficients
º
best in hardware
Cryptography and Network Security 283
Elliptic Curve Cryptography
×
ECC addition is analog of modulo multiply
×
ECC repeated addition is analog of modulo
exponentiation
×
need “hard” problem equiv to discrete log
r
Q=kP, where Q,P belong to a prime curve
r
is “easy” to compute Q given k,P
r
but “hard” to find k given Q,P
r
known as the elliptic curve logarithm problem
×
Certicom example: E_23(9,17)
Cryptography and Network Security 284
ECC DiffieHellman
×
can do key exchange analogous to DH
×
users select a suitable curve E_p(a,b)
×
select base point G = (x_1, y_1) with large order
n s.t. n*G = O
×
A & B select private keys n_A < n, n_B < n
×
compute public keys: P_A = n_A × G, P_B = n_B × G
×
compute shared key: K = n_A × P_B, K = n_B × P_A
r
same since K = n_A × n_B × G
Cryptography and Network Security 285
ECC Encryption/Decryption
×
several alternatives, will consider simplest
×
must first encode any message M as a point
on the elliptic curve, P_m
×
select suitable curve & point G as in DH
×
each user chooses private key n_A < n
×
and computes public key P_A = n_A × G
×
to encrypt P_m: C_m = {kG, P_m + k P_A}, k random
×
decrypt C_m, compute:
P_m + k P_A – n_A(kG) = P_m + k(n_A G) – n_A(kG) = P_m
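The ECC Diffie-Hellman exchange and the encryption/decryption above, as an added example that is not code from the lecture notes, on the Certicom example curve E_23(9,17) named earlier: y^2 = x^3 + 9x + 17 over Z_23. The base point G = (16,5) and the private keys are assumptions for the demo; real curves use ~256-bit fields.

```python
# Added example: point arithmetic on E_23(9,17), ECDH and ElGamal-style ECC encryption.
P_MOD, A, B = 23, 9, 17      # the curve E_23(9,17) from the slides
O = None                     # the zero point (point at infinity)

def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x**3 + A * x + B)) % P_MOD == 0

def neg(pt):
    return O if pt is O else (pt[0], (-pt[1]) % P_MOD)

def add(p1, p2):
    """Chord-and-tangent addition; O is the identity."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                                           # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)          # chord slope
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def mul(k, pt):
    """k*pt by double-and-add: repeated addition, the analogue of exponentiation."""
    result = O
    while k > 0:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result

G = (16, 5)   # base point (assumption; it lies on the curve)

def ecdh_shared(n_a, n_b):
    """Return (n_A * P_B, n_B * P_A); both equal n_A * n_B * G."""
    pa, pb = mul(n_a, G), mul(n_b, G)
    return mul(n_a, pb), mul(n_b, pa)

def ec_encrypt(pub_a, pm, k):
    """C_m = {kG, P_m + k P_A} for the message point P_m."""
    return mul(k, G), add(pm, mul(k, pub_a))

def ec_decrypt(n_a, ct):
    """P_m = (P_m + k P_A) - n_A (kG)."""
    c1, c2 = ct
    return add(c2, neg(mul(n_a, c1)))

if __name__ == "__main__":
    print("2G =", mul(2, G), " 9G =", mul(9, G))
    print("ECDH agree:", ecdh_shared(3, 7))
    pub = mul(5, G)
    ct = ec_encrypt(pub, (4, 5), 7)
    print("ciphertext:", ct, " decrypted:", ec_decrypt(5, ct))
```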
Cryptography and Network Security 286
ECC Security
×
relies on elliptic curve logarithm problem
×
fastest method is “Pollard rho method”
×
compared to factoring, can use much
smaller key sizes than with RSA etc
×
for equivalent key lengths computations
are roughly equivalent
×
hence for similar security ECC offers
significant computational advantages
Cryptography and Network Security 287
Cryptography and Network Security
Key Management and Generation
XiangYang Li
Cryptography and Network Security 288
Key Exchange
×
Public key systems are much slower than
private key systems
r
Public key systems are therefore often used only for short data
º
Signatures, key distribution
×
Key distribution
r
One party chooses the key and transmits it to the other user
×
Key agreement
r
Protocol in which two parties jointly establish a secret key
over a public communication channel
r
The key is a function of inputs from both users
Cryptography and Network Security 289
Distribution of Public Keys
×
can be considered as using one of:
r
Public announcement
r
Publicly available directory
r
Publickey authority
r
Publickey certificates
Cryptography and Network Security 290
Public Key Management
×
Simple one: publish the public key
r
Such as newsgroups, yellow pages, etc.
r
But it is not secure, although it is convenient
º
Anyone can forge such an announcement
º
Ex: user B pretends to be A, and publishes a key for A
º
Then all messages sent to A are readable by B!
×
Let trusted authority maintain the keys
r
Need to verify the identity, when register keys
r
User can replace old keys, or void old keys
Cryptography and Network Security 291
Possible Attacks
×
Observe all messages over the channel
r
So assume that all plaintext messages are available to
all
×
Save messages for reuse later
r
So have to avoid replay attack
×
Masquerade various users in the network
r
So have to be able to verify the source of the message
Cryptography and Network Security 292
Public Announcement
×
users distribute public keys to recipients
or broadcast to community at large
r
eg. append PGP keys to email messages or post to news
groups or email list
×
major weakness is forgery
r
anyone can create a key claiming to be someone else
and broadcast it
r
until forgery is discovered can masquerade as claimed
user
Cryptography and Network Security 293
Publicly Available Directory
×
can obtain greater security by registering
keys with a public directory
×
directory must be trusted with properties:
r
contains {name,publickey} entries
r
participants register securely with directory
r
participants can replace key at any time
r
directory is periodically published
r
directory can be accessed electronically
×
still vulnerable to tampering or forgery
Cryptography and Network Security 294
PublicKey Authority
×
improve security by tightening control over
distribution of keys from directory
×
has properties of directory
×
and requires users to know public key for
the directory
×
then users interact with directory to
obtain any desired public key securely
r
does require realtime access to directory when keys
are needed
Cryptography and Network Security 295
PublicKey Authority
Cryptography and Network Security 296
Cont.
×
More advanced distribution
r
A sends request-for-key(B) to the authority with a time
stamp, that is, Id_a || Id_b || Time
r
The authority replies with key(B) (encrypted by its private
key), that is E_KRauth(KU_b || Id_a || Id_b || Time)
r
A initiates a message to B, including a random number
N_a and its ID_A
r
B then asks the authority to get key(A)
r
B sends A (encrypted by A's public key) N_a and N_b
r
A then replies to B with N_b encrypted by B's public key
Cryptography and Network Security 297
Cont.
×
In above scheme, the authority is
bottleneck
×
New approach: certificate
r
Any user can read certificate, determine name and
public key of the certificate’s owner
r
Any user can verify the authority of certificate
r
Only the authority can create and update certificate
r
Any user can verify the timestamp of certificate
×
The certificate is
r C_A = E_KRauth[T, ID_A, KU_A]
r
The timestamp T is to avoid reuse of a voided key
Cryptography and Network Security 298
PublicKey Certificates
×
certificates allow key exchange without realtime access to
publickey authority
×
a certificate binds identity to public key
r
usually with other info such as period of validity, rights of use etc
×
with all contents signed by a trusted PublicKey or
Certificate Authority (CA)
×
can be verified by anyone who knows the public-key
authority's public key
×
To validate the certificate, we need another certificate, one
that matches the Issuer (of CA) in the first certificate.
Then we take the RSA public key from the second (CA)
certificate, use it to decode the signature on the first
certificate to obtain an MD5 hash, which must match an
actual MD5 hash computed over the rest of the certificate.
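The validation steps described above on a toy certificate chain, as an added example (not code from the lecture notes): locate the certificate whose Subject matches the Issuer, take the RSA public key from it, "decode" the signature with that key and compare the result against a hash over the rest of the certificate. SHA-256 stands in for the MD5 of the slide, and the RSA keys are built from Mersenne primes purely as fixed toy values; dates are ISO strings compared lexicographically.

```python
# Added example: verifying a certificate against its issuer's certificate.
import hashlib
import json

E = 65537
CA_P, CA_Q = 2**127 - 1, 2**521 - 1            # toy CA key (assumed values)
CA_N = CA_P * CA_Q
CA_D = pow(E, -1, (CA_P - 1) * (CA_Q - 1))
SUBJECT_N = (2**89 - 1) * (2**607 - 1)          # the server's key; only its public part is used

def tbs_hash(cert):
    """Hash over 'the rest of the certificate' (every field except the signature)."""
    tbs = {k: v for k, v in cert.items() if k != "signature"}
    data = json.dumps(tbs, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def make_cert(subject, issuer, pub_n, not_before, not_after, serial):
    return {"version": 3, "serial": serial, "issuer": issuer, "subject": subject,
            "not_before": not_before, "not_after": not_after,
            "public_key": {"n": pub_n, "e": E}}

def sign(cert, d, n):
    """Textbook RSA signature over the hash (toy; real CAs use padded signatures)."""
    cert["signature"] = pow(tbs_hash(cert), d, n)
    return cert

def find_issuer(cert, store):
    """The second certificate: the one whose Subject matches this Issuer."""
    for candidate in store:
        if candidate["subject"] == cert["issuer"]:
            return candidate
    return None

def verify(cert, store, now):
    """Return (ok, reason) for one link of the chain."""
    issuer = find_issuer(cert, store)
    if issuer is None:
        return False, "no certificate matches issuer " + cert["issuer"]
    if not (cert["not_before"] <= now <= cert["not_after"]):
        return False, "outside validity period"
    n, e = issuer["public_key"]["n"], issuer["public_key"]["e"]
    recovered = pow(cert["signature"], e, n)      # decode signature with the CA key
    if recovered != tbs_hash(cert):
        return False, "signature does not match certificate contents"
    return True, "ok"

# constructed chain: a self-signed toy root and a server certificate it issued
CA_CERT = sign(make_cert("CN=Toy Root CA", "CN=Toy Root CA", CA_N,
                         "1998-01-01T00:00:00Z", "2008-01-01T00:00:00Z", 1), CA_D, CA_N)
SERVER_CERT = sign(make_cert("CN=www.example.test", "CN=Toy Root CA", SUBJECT_N,
                             "1998-07-09T16:04:02Z", "1999-07-09T16:04:02Z", 7829), CA_D, CA_N)
NOW = "1998-12-01T00:00:00Z"                   # constructed "current time"

if __name__ == "__main__":
    print("server cert:", verify(SERVER_CERT, [CA_CERT], NOW))
    print("root cert  :", verify(CA_CERT, [CA_CERT], NOW))
    print("tampered   :", verify(dict(SERVER_CERT, subject="CN=forged.test"), [CA_CERT], NOW))
    print("expired    :", verify(SERVER_CERT, [CA_CERT], "2001-01-01T00:00:00Z"))
```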
Cryptography and Network Security 299
X.509
× The structure of an X.509 v3 digital certificate is as follows:
×
Certificate
r
Version
r
Serial Number
r
Algorithm ID
r
Issuer
r
Validity
º
Not Before
º
Not After
r
Subject
r
Subject Public Key Info
º
Public Key Algorithm
º
Subject Public Key
r
Issuer Unique Identifier (Optional)
r
Subject Unique Identifier (Optional)
r
Extensions (Optional)
º
...
×
Certificate Signature Algorithm
×
Certificate Signature
Cryptography and Network Security 300
Sample Certificate
×
Certificate:
×
Data: Version: 1 (0x0)
×
Serial Number: 7829 (0x1e95)
×
Signature Algorithm: md5WithRSAEncryption
×
Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services
Division, CN=Thawte Server CA/emailAddress=servercerts@thawte.com
×
Validity
r
Not Before: Jul 9 16:04:02 1998 GMT
r
Not After : Jul 9 16:04:02 1999 GMT
×
Subject: C=US, ST=Maryland, L=Pasadena, O=Brent Baccala, OU=FreeSoft,
CN=www.freesoft.org/emailAddress=baccala@freesoft.org
×
Subject Public Key Info: Public Key Algorithm: rsaEncryption
×
RSA Public Key: (1024 bit)
×
Modulus (1024 bit): (hex bytes omitted)
×
Exponent: 65537 (0x10001)
×
Signature Algorithm: md5WithRSAEncryption
Cryptography and Network Security 301
Security
×
In 2005, Arjen Lenstra and Benne de
Weger demonstrated "how to use hash
collisions to construct two X.509
certificates that contain identical
signatures and that differ only in the
public keys," achieved using a collision
attack on the MD5 hash function
×
See
×
http://www.win.tue.nl/~bdeweger/CollidingCertificates/ddlfull.pdf
Cryptography and Network Security 302
PublicKey Certificates
Cryptography and Network Security 303
PublicKey Distribution of Secret Keys
×
use previous methods to obtain publickey
×
can use for secrecy or authentication
×
but publickey algorithms are slow
×
so usually want to use privatekey
encryption to protect message contents
×
hence need a session key
×
have several alternatives for negotiating a
suitable session
Cryptography and Network Security 304
Simple Secret Key Distribution
×
proposed by Merkle in 1979
r
A generates a new temporary public key pair
r
A sends B the public key and their identity
r
B generates a session key K sends it to A encrypted
using the supplied public key
r
A decrypts the session key and both use
×
problem is that an opponent can intercept
and impersonate both halves of protocol
Cryptography and Network Security 305
Secret key Distribution
×
Simple secret key distribution
r
A generates KU_A and KR_A, sends KU_A to B
r
B generates a secret key k_s
r
B sends k_s to A using A's public key KU_A
r
A decrypts the message to get the secret key k_s
×
To get more security, the public/private
keys can be regenerated when needed
×
But vulnerable to the active attack!
r
Attacker E can compromise the communication
between A and B as follows
Cryptography and Network Security 306
Cont.
×
Attacking
r
A generates KU_A and KR_A, sends ID_A, KU_A to B
r
E intercepts the message, transmits ID_A, KU_E to B
r
B generates a secret key k_s
r
B sends k_s to A using A's "public key" KU_E
r
E intercepts the message, decrypts it and gets k_s
r
E sends A the message k_s, encrypted by KU_A
r
A decrypts the message to get the secret key k_s
×
Now E knows k_s, but A and B are unaware of it
Cryptography and Network Security 307
Secret Key Distribution
×
So need confidentiality and authentication
r
A and B need to use a secure method to exchange their
public keys
×
Schemes
r
A initiates a message to B, E_KUB(N_a, ID_a)
r
B replies with E_KUA(N_a, N_b)
r
A then replies with E_KUB(N_b)
r
A sends B the message E_KUB(E_KRA(K_s))
×
Security
r
The first 3 steps are used to assure that A is A and B is B
Cryptography and Network Security 308
PublicKey Distribution of Secret
Keys
×
if have securely exchanged publickeys:
Cryptography and Network Security 309
Key Predistribution
×
Trusted Authority (TA) generates keys for
all pairs of users and transmits them to the users
r
Large overhead (for TA and users)
×
Blom Scheme
r
Keys are chosen from a finite field Z_p
r
p is a public prime number
r
TA transmits k+1 elements of Z_p to each user over a
secure channel
r
Security condition: any set of at most k users (other than U, V)
cannot determine any information about K_(u,v)
Cryptography and Network Security 310
Blom Scheme
×
Scheme (when k=1)
r
Each user u has a distinct element r_u from Z_p
r
TA chooses a, b, c and defines
º
f(x,y) = a + b(x+y) + cxy mod p
r
For each u, TA computes
º g_u(x) = f(x, r_u) mod p
r
TA transmits g_u(x) to user u
r
Two users u and v compute the common key
º f(r_u, r_v) = a + b(r_u + r_v) + c r_u r_v mod p
º Here f(r_u, r_v) = g_v(r_u) = g_u(r_v)
Cryptography and Network Security 311
Security of Blom Scheme
×
Less than k users can not determine keys
×
However, more than k users can compute
any keys
r
Solving equations to get a,b,c for k=1
×
Generally
r
Function f(x,y) = Σ a_(i,j) x^i y^j mod p
r
Here a_(i,j) = a_(j,i)
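The Blom scheme of the two slides above, as an added example that is not code from the lecture notes, written for the general symmetric polynomial f(x,y) = Σ a_ij x^i y^j (k = 1 gives the slide's a + b(x+y) + cxy). The prime p and the users' identifiers r_u are toy values.

```python
# Added example: Blom key predistribution for a general threshold k.
import secrets

def blom_setup(p, k):
    """TA picks a random symmetric (k+1)x(k+1) coefficient matrix a_ij = a_ji."""
    a = [[0] * (k + 1) for _ in range(k + 1)]
    for i in range(k + 1):
        for j in range(i, k + 1):
            a[i][j] = a[j][i] = secrets.randbelow(p)
    return a

def f(a, x, y, p):
    """f(x,y) = sum a_ij x^i y^j mod p (the TA's secret polynomial)."""
    return sum(a[i][j] * pow(x, i, p) * pow(y, j, p)
               for i in range(len(a)) for j in range(len(a))) % p

def user_share(a, r_u, p):
    """g_u(x) = f(x, r_u): the k+1 coefficients the TA sends to user u."""
    k = len(a) - 1
    return [sum(a[i][j] * pow(r_u, j, p) for j in range(k + 1)) % p
            for i in range(k + 1)]

def common_key(g_u, r_v, p):
    """User u evaluates its own polynomial at v's public identifier r_v."""
    return sum(coef * pow(r_v, i, p) for i, coef in enumerate(g_u)) % p

if __name__ == "__main__":
    p, k = 10007, 2                         # toy prime and threshold (assumptions)
    a = blom_setup(p, k)
    r_u, r_v = 17, 42                       # public identifiers (assumptions)
    g_u, g_v = user_share(a, r_u, p), user_share(a, r_v, p)
    print("u computes", common_key(g_u, r_v, p), " v computes", common_key(g_v, r_u, p),
          " f(r_u, r_v) =", f(a, r_u, r_v, p))
```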
Cryptography and Network Security 312
DiffieHellman Key Predist.
×
Computationally secure
r
if discrete logarithm is intractable
×
Scheme
r
Assume a prime number p and an integer c are public
r
Each user u has a secret component a_u
r
User u computes b_u = c^(a_u) mod p
r
TA certifies it by computing
º (ID(u), b_u, sig_TA(ID(u), b_u))
r
The common key of two users u and v is
º K = c^(a_u a_v) mod p
Cryptography and Network Security 313
Diffie Hellman
×
Around September 1974, Diffie (then a graduate
student) had been traveling the USA with his
wife, Mary, discussing cryptography with
anyone who was available.
r
At the time, there was very little published
material about modern methods and much was
classified. Very few people were interested in the
topic and Marty Hellman even says that many of
his colleagues felt that it was "born classified,"
like secrets about the atomic bomb, because it
was so important to national security.
r
John Gill gave the idea of exponential
Cryptography and Network Security 314
DiffieHellman Problem
×
DiffieHellman problem definition
r
Given b_u = g^(a_u) mod p and b_v = g^(a_v) mod p, how to compute
g^(a_u a_v) mod p? Here g is a primitive element mod p
r
The problem is not harder than the discrete logarithm
problem, because the latter can always be
used to solve it
r
It can be proved that it has the same difficulty as breaking the
ElGamal encryption system
Cryptography and Network Security 315
DiffieHellman Key Exchange
×
Computationally secure
r
if discrete logarithm is intractable
×
Scheme
r
Assume a prime number p and an integer c are public
r
Each user u chooses a secret component a_u (new!)
r
User u computes b_u = c^(a_u) mod p
r
User v computes b_v = c^(a_v) mod p
r
The common key of two users u and v is
º K = c^(a_u a_v) mod p
Cryptography and Network Security 316
Middle Attack
×
Intruder w intercepts the communications
r
Intruder w communicates with u (pretending to be v)
r
Intruder w communicates with v (pretending to be u)
r
The key computed by u is
º K = c^(a_u a_v') mod p
r
(and the key computed by v is c^(a_u' a_v) mod p; w knows both)
[Figure: u --c^(a_u)--> w --c^(a_u')--> v; v --c^(a_v)--> w --c^(a_v')--> u]
Cryptography and Network Security 317
Authenticated Key Agreement
×
Running an identification scheme
before the key exchange does not help
r
The attacker simply remains inactive until identification is done
×
Simplified station-to-station protocol
r
The key agreement protocol itself authenticates the users'
identities at the same time the key is being defined
Cryptography and Network Security 318
Stationtostation Protocol
×
Scheme
r
Each user has a certificate
º C(v) = (Id_v, ver_v, sig_TA(Id_v, ver_v))
r
User u selects a_u and computes b_u = c^(a_u) mod p
r
User v selects a_v and computes
º Value b_v = c^(a_v) mod p
º Key K = c^(a_u a_v) mod p
º Signature y_v = sig_v(b_u, b_v)
r
User v sends (C(v), b_v, y_v) to u
r
User u computes K = c^(a_u a_v) mod p, verifies y_v and C(v)
r
User u computes y_u = sig_u(b_u, b_v), sends (C(u), y_u) to v
r
User v verifies y_u and C(u)
Cryptography and Network Security 319
MTI Agreement Protocol
×
Scheme
r
Assume a prime number p and an integer c are public
r
Each user has certificate c(u) = (Id_u, b_u, sig_TA(Id_u, b_u))
º Here b_u = c^(a_u) mod p
r
Each user u chooses a secret component r_u (new!)
r
User u computes s_u = c^(r_u) mod p, sends (c(u), s_u)
r
User v computes s_v = c^(r_v) mod p, sends (c(v), s_v)
r
The common key of two users u and v is
º K = c^(r_v a_u + r_u a_v) mod p = s_v^(a_u) b_v^(r_u) mod p = s_u^(a_v) b_u^(r_v) mod p
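Plain Diffie-Hellman from the "Diffie-Hellman Key Exchange" slide and the MTI protocol above, as an added example that is not code from the lecture notes. It shows both sides computing the same K = c^(r_v a_u + r_u a_v) from their own secrets plus the peer's certified b and ephemeral s. The prime and base are toy values, and verification of the TA's signature on the certificate is assumed to have been done already.

```python
# Added example: Diffie-Hellman and the MTI key agreement protocol.
import secrets

P = 2**127 - 1     # toy public prime (assumption); real groups are >= 2048 bits
C = 5              # public base c (assumption)

def dh_public(a, p=P, c=C):
    """b_u = c^(a_u) mod p."""
    return pow(c, a, p)

def dh_shared(a_u, b_v, p=P):
    """K = b_v^(a_u) = c^(a_u a_v) mod p."""
    return pow(b_v, a_u, p)

class MTIUser:
    def __init__(self, name, p=P, c=C):
        self.name, self.p, self.c = name, p, c
        self.a = secrets.randbelow(p - 2) + 1        # long-term secret a_u
        self.b = pow(c, self.a, p)                   # long-term public b_u
        self.r = None                                # fresh r_u for this run

    def certificate(self):
        # (Id_u, b_u); the TA signature sig_TA(Id_u, b_u) is assumed verified
        return {"id": self.name, "b": self.b}

    def ephemeral(self):
        """Choose a new r_u and send s_u = c^(r_u) mod p."""
        self.r = secrets.randbelow(self.p - 2) + 1
        return pow(self.c, self.r, self.p)

    def agree(self, peer_cert, s_peer):
        """K = s_v^(a_u) * b_v^(r_u) mod p, computed from u's point of view."""
        if self.r is None:
            raise RuntimeError("call ephemeral() before agree()")
        return (pow(s_peer, self.a, self.p) * pow(peer_cert["b"], self.r, self.p)) % self.p

if __name__ == "__main__":
    a_u, a_v = 11, 23
    print("DH agree :", dh_shared(a_u, dh_public(a_v)) == dh_shared(a_v, dh_public(a_u)))
    u, v = MTIUser("u"), MTIUser("v")
    s_u, s_v = u.ephemeral(), v.ephemeral()      # exchanged together with the certificates
    k_u = u.agree(v.certificate(), s_v)
    k_v = v.agree(u.certificate(), s_u)
    print("MTI agree:", k_u == k_v == pow(C, v.r * u.a + u.r * v.a, P))
```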
Cryptography and Network Security 320
Cryptography and Network Security
Authentication
XiangYang Li
Cryptography and Network Security 321
Message Authentication
Digital Signature
×
Authentication
r
Authentication requirements
r
Authentication functions
×
Mechanisms
r
MAC: message authentication code
r
Hash functions, security in hash functions
r
Hash and MAC algorithms
º
MD5, SHA, RIPEMD-160, HMAC
×
Digital signatures
Cryptography and Network Security 322
Message Attacks
×
Possible attacks
r
Disclosure
r
Traffic analysis
r
Masquerade
r
Content modification
r
Sequence modification
r
Time modification
r
Repudiation
º
Denial of the receipt of message by the destination
or
º
Denial of the transmitting by the source
Cryptography and Network Security 323
Authentication
×
Enables receiver to verify message
authenticity
r
Using some lower level functions as primitive
×
Three types of functions
r
Message encryption
r
Message authentication code (MAC)
r
Hash function
Cryptography and Network Security 324
Authentication
Goal: Bob wants Alice to “prove” her identity
to him
Protocol ap1.0: Alice says "I am Alice"
Failure scenario??
[Figure: Alice -> Bob: "I am Alice"]
Cryptography and Network Security 325
Authentication
Goal: Bob wants Alice to “prove” her identity
to him
Protocol ap1.0: Alice says "I am Alice"
In a network, Bob cannot "see" Alice, so Trudy simply
declares herself to be Alice
[Figure: Trudy -> Bob: "I am Alice"]
Cryptography and Network Security 326
Authentication: another try
Protocol ap2.0: Alice says "I am Alice" in an IP packet
containing her source IP address
Failure scenario??
[Figure: Alice -> Bob: "I am Alice", Alice's IP address]
Cryptography and Network Security 327
Authentication: another try
Protocol ap2.0: Alice says "I am Alice" in an IP packet
containing her source IP address
Trudy can create a packet "spoofing" Alice's address
[Figure: Trudy -> Bob: "I am Alice", Alice's IP address]
Cryptography and Network Security 328
Authentication: another try
Protocol ap3.0: Alice says "I am Alice" and sends her
secret password to "prove" it.
Failure scenario??
[Figure: Alice -> Bob: "I'm Alice", Alice's IP addr, Alice's password; Bob -> Alice: OK, Alice's IP addr]
Cryptography and Network Security 329
Authentication: another try
Protocol ap3.0: Alice says "I am Alice" and sends her
secret password to "prove" it.
Playback attack: Trudy records Alice's packet and later
plays it back to Bob
[Figure: Alice -> Bob: "I'm Alice", Alice's IP addr, Alice's password; Bob -> Alice: OK, Alice's IP addr;
later Trudy -> Bob: "I'm Alice", Alice's IP addr, Alice's password]
Cryptography and Network Security 330
Authentication: yet another try
Protocol ap3.1: Alice says "I am Alice" and sends her
encrypted secret password to "prove" it.
Failure scenario??
[Figure: Alice -> Bob: "I'm Alice", Alice's IP addr, encrypted password; Bob -> Alice: OK, Alice's IP addr]
Cryptography and Network Security 331
Authentication: another try
Protocol ap3.1: Alice says "I am Alice" and sends her
encrypted secret password to "prove" it.
Record and playback still works!
[Figure: Alice -> Bob: "I'm Alice", Alice's IP addr, encrypted password; Bob -> Alice: OK, Alice's IP addr;
later Trudy -> Bob: "I'm Alice", Alice's IP addr, encrypted password]
Cryptography and Network Security 332
Authentication: yet another try
Goal: avoid playback attack
Nonce: number (R) used only once in a lifetime
ap4.0: to prove Alice "live", Bob sends Alice a nonce, R. Alice
must return R, encrypted with the shared secret key
[Figure: Alice -> Bob: "I am Alice"; Bob -> Alice: R; Alice -> Bob: K_AB(R)]
Alice is live, and only Alice knows the key to encrypt the
nonce, so it must be Alice!
Drawbacks?
Cryptography and Network Security 333
Authentication: ap5.0
ap4.0 requires a shared symmetric key
×
can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography (K_A^+ is Alice's public key, K_A^- her private key)
[Figure: Alice -> Bob: "I am Alice"; Bob -> Alice: R; Alice -> Bob: K_A^-(R); Bob -> Alice: "send me your public key"; Alice -> Bob: K_A^+]
Bob computes K_A^+(K_A^-(R)) = R and knows only Alice
could have the private key that encrypted R such that
K_A^+(K_A^-(R)) = R
Cryptography and Network Security 334
ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as
Alice (to Bob) and as Bob (to Alice)
[Figure: Alice -> Trudy: "I am Alice"; Trudy -> Bob: "I am Alice"; Bob -> Trudy: R; Trudy -> Bob: K_T^-(R);
Bob -> Trudy: "Send me your public key"; Trudy -> Bob: K_T^+;
Trudy -> Alice: R; Alice -> Trudy: K_A^-(R); Trudy -> Alice: "Send me your public key"; Alice -> Trudy: K_A^+;
Bob -> Trudy: K_T^+(m); Trudy gets m = K_T^-(K_T^+(m)) and sends m to Alice encrypted with Alice's public key, K_A^+(m);
Alice computes m = K_A^-(K_A^+(m))]
Cryptography and Network Security 335
ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as
Alice (to Bob) and as Bob (to Alice)
Difficult to detect:
Q
Bob receives everything that Alice sends, and vice
versa. (e.g., so Bob, Alice can meet one week later and
recall conversation)
Q
problem is that Trudy receives all messages as well!
Cryptography and Network Security 336
Message Encryption
×
Conventional Encryption
r
Authentication is provided by the secret key
r
But the message needs to be meaningful
º
What happens if the message is not readable?
º
How to determine automatically whether it is intelligible?
×
Approach
r
Append a checksum or frame check sequence (FCS) to the message
r
Encrypt the message and the appended FCS
r
Receiver decrypts the ciphertext
r
Computes the FCS of the message, compares it with the received one
Cryptography and Network Security 337
Public Key Encryption
×
Direct encryption by the receiver's public key
r
Only confidentiality, no authentication
×
For authentication
r
Encrypt using the sender's private key
r
Assume the message is intelligible
r
No confidentiality: everyone can decrypt
×
Confidentiality and authentication
r
Encrypt by the sender's private key, then the receiver's public key
r
But too time-consuming: 4 rounds of RSA on large data
Cryptography and Network Security 338
Message Authentication Code
×
Assume both users share a secret key k
×
Procedure
r
Sender computes MAC = C_k(M) for M
r
Sends M and its MAC to the receiver
r
Receiver computes the MAC on the received M
r
Compares it with the received MAC
r
If they match, then accepts the message
×
A MAC is similar to encryption, but need not
be reversible!
Cryptography and Network Security 339
MAC with Confidentiality
×
Two options
r
Using another key to encrypt M and MAC
r
Using another key to encrypt M only
×
Requirements of MAC
r
Size of MAC: n
r
Size of key: k
r
Need 2^n computations of MAC and n/k pairs of M_i and MAC_i
Cryptography and Network Security 340
Why not Conventional Encrypt
×
Possible situations
r
Broadcast a message (one destination can verify)
r
Authentication is done selectively
r
Authentication of computer programs
r
Authentication may be more important than secrecy
r
Architecture flexibility
r
Authentication lasts longer than secrecy protection
Cryptography and Network Security 341
MAC Requirements
×
Computationally infeasible to construct M'
such that C_k(M') = C_k(M)
×
C_k(M) is uniformly distributed
Cryptography and Network Security 342
Data Authentication Algorithm
×
ANSI standard X9.17
×
Based on DES
×
Using Cipher Block Chaining mode
r
Data is grouped into 64-bit blocks
º
Padding with 0's if necessary
r
Output_i = E_k(D_i ⊕ Output_(i-1))
º for i > 0, and Output_0 = 0's
r
The data authentication code DAC consists of the
leftmost m bits of the last output, m ≥ 16
Cryptography and Network Security 343
Authentication Protocols
×
Central issues
r
Confidentiality: prevent masquerade and
compromise
r
Timeliness: prevent replay attacks
º
Simple replay, repetition within the timestamp window, replay
that arrives but not the true message, backward replay
attack to the sender
×
Mutual authentication
×
Oneway authentication
Cryptography and Network Security 344
Coping with Replay
×
Time stamps
r
Party A accepts a message only if it has a valid timestamp
within a valid time window
r
Needs synchronized clocks
r
How to set the synchronized clock?
º
Network delay consideration?
×
Challenge/response
r
Party A (the receiver) sends B a nonce (challenge) and
requires that the subsequent message contains it
Cryptography and Network Security 345
ChallengeResponse
×
To ensure a password is never sent in the
clear. Given that a client and a server share a
key
r
server sends a random challenge vector
r
client encrypts it with the shared key and returns this
r
server verifies the response with its copy of the shared key
r
can repeat the protocol in the other direction to authenticate
server to client (2-way authentication)
×
Secret key management
r
physically distributed before secure communications
r
keys are stored in a central trusted key server
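The two replay defences from the slides above, written as server-side checks in an added example that is not code from the lecture notes: a timestamp accepted only inside a window and only once, and a challenge/response where each nonce R is answered once with a keyed function of R (an HMAC stands in for the slide's K_AB(R)). The shared key and clock values are constructed for the demo.

```python
# Added example: timestamp window and nonce challenge/response against replay.
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed-demo-key-not-for-real-use"
WINDOW_SECONDS = 60

def response(key, nonce):
    """K_AB(R): the client's keyed answer to the challenge R (HMAC-SHA256 here)."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

def timestamped_tag(key, msg, ts):
    """Keyed tag over the message and its timestamp."""
    return hmac.new(key, msg + ts.to_bytes(8, "big"), hashlib.sha256).digest()

class Server:
    def __init__(self, key, clock):
        self.key = key
        self.clock = clock              # callable returning the current time (int seconds)
        self.outstanding = set()        # nonces issued but not yet answered
        self.seen = set()               # (msg, ts) pairs accepted inside the window

    def challenge(self):
        """Issue a fresh nonce R; it is valid for exactly one answer."""
        r = secrets.token_bytes(16)
        self.outstanding.add(r)
        return r

    def verify_response(self, r, tag):
        """Accept K_AB(R) once; a second answer for the same R is a replay."""
        if r not in self.outstanding:
            return False
        self.outstanding.discard(r)    # consumed, whether or not the tag is right
        return hmac.compare_digest(tag, response(self.key, r))

    def verify_timestamped(self, msg, ts, tag):
        """Accept only inside the clock window, and never the same message twice."""
        if abs(self.clock() - ts) > WINDOW_SECONDS:
            return False                                   # stale or future
        if (msg, ts) in self.seen:
            return False                                   # repetition within window
        if not hmac.compare_digest(tag, timestamped_tag(self.key, msg, ts)):
            return False
        self.seen.add((msg, ts))
        return True

if __name__ == "__main__":
    clock = [1_000_000]                                    # constructed fake clock
    srv = Server(SHARED_KEY, lambda: clock[0])
    r = srv.challenge()
    tag = response(SHARED_KEY, r)                          # what the genuine client sends
    print("first answer:", srv.verify_response(r, tag), " replayed:", srv.verify_response(r, tag))
    ts = clock[0]
    t2 = timestamped_tag(SHARED_KEY, b"transfer 10", ts)
    print("timestamped:", srv.verify_timestamped(b"transfer 10", ts, t2),
          " replayed:", srv.verify_timestamped(b"transfer 10", ts, t2))
    clock[0] += 3600
    print("an hour later:", srv.verify_timestamped(b"transfer 10", ts, t2))
```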
Cryptography and Network Security 346
Conventional Encryption App.
×
Each user shares a secret master key with the
KDC (Key Distribution Center)
r
Kerberos is an example
r
Needham-Schroeder protocol
r
1. A -> KDC: Id_a || Id_b || N_a
r
2. KDC -> A: E_ka(K_s || Id_b || N_a || E_kb(K_s || Id_a))
r
3. A -> B: E_kb(K_s || Id_a)
r
4. B -> A: E_ks(N_b)
r
5. A -> B: E_ks(f(N_b))
Cryptography and Network Security 347
Analysis
×
Step 4 and 5 prevent the replay of step 3
r
Assume that Ks is not compromised
×
If Ks is compromised
r
Vulnerable to replay attack
r
Attacker can replay step 3
r
Unless B remembers all previous session keys with A,
it can not tell that it is a replay!
Cryptography and Network Security 348
Denning Protocol
×
Denning Protocol
r
1. A -> KDC: Id_a || Id_b
r
2. KDC -> A: E_ka(K_s || Id_b || T || E_kb(K_s || Id_a || T))
r
3. A -> B: E_kb(K_s || Id_a || T)
r
4. B -> A: E_ks(N_b)
r
5. A -> B: E_ks(f(N_b))
×
Here T is a timestamp that assures the freshness
of the key K_s
r
Relies on synchronized clocks
Cryptography and Network Security 349
Publickey Encryption App.
×
The simple one proposed by Denning
r
AS: authentication server
r
A -> AS: Id_a || Id_b
r AS -> A: E_KRas(KU_a || Id_a || T) || E_KRas(KU_b || Id_b || T)
r A -> B: E_KRas(KU_a || Id_a || T) || E_KRas(KU_b || Id_b || T) || E_KUb(E_KRa(K_s || T))
r
It needs clock synchronization
Cryptography and Network Security 350
Cont.
×
Protocol by Woo and Lam, using nonces
r
A -> KDC: Id_a || Id_b
r
KDC -> A: E_KRau(Id_b || KU_b)
r
A -> B: E_KUb(N_a || Id_a)
r
B -> KDC: Id_b || Id_a || E_KUau(N_a)
r
KDC -> B: E_KRau(Id_a || KU_a) || E_KUb(E_KRau(N_a || K_s || Id_a || Id_b))
r
B -> A: E_KUa(E_KRau(N_a || K_s || Id_a || Id_b) || N_b)
r
A -> B: E_ks(N_b)
Cryptography and Network Security 351
Oneway Authentication
×
Using the public key approach
r
If confidentiality is the main concern
º A -> B: E_KUb(K_s) || E_ks(M)
r
If authentication is the main concern
º A -> B: M || E_KRa(H(M))
º
This cannot avoid the interception and replay attack
r
Sign the message, then encrypt
º E_KUb(M || E_KRa(H(M)))
º Or E_KUb(K_s) || E_ks(M || E_KRa(H(M)))
º Also A can send the digital certificate E_KRau(T || Id_a || KU_a)
Authentication Applications
× will consider authentication functions
× developed to support application-level authentication & digital signatures
× will consider Kerberos – a private-key authentication service
× then X.509 directory authentication service
Kerberos
× Trusted key server system developed by MIT
r Provides centralized third-party authentication in a distributed network
r access control may be provided for
º each computing resource
º in either a local or remote network (realm)
r A Key Distribution Centre (KDC), containing a database of:
º principals (customers and services)
º encryption keys
r KDC provides non-corruptible authentication credentials (tickets or tokens)
Kerberos
× Two Kerberos versions
r 4 : restricted to a single realm
r 5 : allows inter-realm authentication, in beta test
r Kerberos v5 is an Internet standard specified in RFC 1510
× To use Kerberos
r need to have a KDC on your network
r need to have Kerberised applications running on all participating systems
× US export restrictions
r Cannot be directly distributed outside US in source format
r Crypto libraries must be reimplemented locally
Kerberos Requirements
× first published report identified its requirements as:
r security
r reliability
r transparency
r scalability
× implemented using an authentication protocol based on Needham-Schroeder
Kerberos 4 Overview
× a basic third-party authentication scheme
× have an Authentication Server (AS)
r users initially negotiate with AS to identify self
r AS provides a non-corruptible authentication credential (ticket granting ticket TGT)
× have a Ticket Granting Server (TGS)
r users subsequently request access to other services from TGS on basis of the user's TGT
Kerberos 4 Overview
Kerberos Realms
× a Kerberos environment consists of:
r a Kerberos server
r a number of clients, all registered with the server
r application servers, sharing keys with the server
× this is termed a realm
r typically a single administrative domain
× if there are multiple realms, their Kerberos servers must share keys and trust
Kerberos Version 5
× developed in mid 1990's
× provides improvements over v4
r addresses environmental shortcomings
º encryption alg, network protocol, byte order, ticket lifetime, authentication forwarding, inter-realm auth
r and technical deficiencies
º double encryption, non-std mode of use, session keys, password attacks
× specified as Internet standard RFC 1510
Authentication Protocols
× used to convince parties of each other's identity and to exchange session keys
× may be one-way or mutual
× key issues are
r confidentiality – to protect session keys
r timeliness – to prevent replay attacks
Replay Attacks
× where a valid signed message is copied and later resent
r simple replay
r repetition that can be logged
r repetition that cannot be detected
r backward replay without modification
× countermeasures include
r use of sequence numbers (generally impractical)
r timestamps (needs synchronized clocks)
r challenge/response (using unique nonce)
Using Symmetric Encryption
× as discussed previously can use a two-level hierarchy of keys
× usually with a trusted Key Distribution Center (KDC)
r each party shares own master key with KDC
r KDC generates session keys used for connections between parties
r master keys used to distribute these to them
Needham-Schroeder Protocol
× original third-party key distribution protocol
× for session between A and B mediated by KDC
× protocol overview is:
1. A → KDC: ID_A || ID_B || N_1
2. KDC → A: E_Ka[Ks || ID_B || N_1 || E_Kb[Ks || ID_A]]
3. A → B: E_Kb[Ks || ID_A]
4. B → A: E_Ks[N_2]
5. A → B: E_Ks[f(N_2)]
Needham-Schroeder Protocol
× used to securely distribute a new session key for communications between A & B
× but is vulnerable to a replay attack if an old session key has been compromised
r then message 3 can be resent, convincing B that it is communicating with A
× modifications to address this require:
r timestamps (Denning 81)
r using an extra nonce (Neuman 93)
Using Public-Key Encryption
× have a range of approaches based on the use of public-key encryption
× need to ensure have correct public keys for other parties
× using a central Authentication Server (AS)
× various protocols exist using timestamps or nonces
Denning AS Protocol
× Denning 81 presented the following:
1. A → AS: ID_A || ID_B
2. AS → A: E_KRas[ID_A || KU_a || T] || E_KRas[ID_B || KU_b || T]
3. A → B: E_KRas[ID_A || KU_a || T] || E_KRas[ID_B || KU_b || T] || E_KUb[E_KRa[K_s || T]]
× note session key is chosen by A, hence AS need not be trusted to protect it
× timestamps prevent replay but require synchronized clocks
One-Way Authentication
× required when sender & receiver are not in communication at the same time (e.g. email)
× have header in clear so can be delivered by email system
× may want contents of body protected & sender authenticated
Using Symmetric Encryption
× can refine use of KDC but can't have final exchange of nonces, viz:
1. A → KDC: ID_A || ID_B || N_1
2. KDC → A: E_Ka[Ks || ID_B || N_1 || E_Kb[Ks || ID_A]]
3. A → B: E_Kb[Ks || ID_A] || E_Ks[M]
× does not protect against replays
r could rely on timestamp in message, though email delays make this problematic
Public-Key Approaches
× have seen some public-key approaches
× if confidentiality is major concern, can use:
A → B: E_KUb[Ks] || E_Ks[M]
r has encrypted session key, encrypted message
× if authentication needed use a digital signature with a digital certificate:
A → B: M || E_KRa[H(M)] || E_KRas[T || ID_A || KU_a]
r with message, signature, certificate
Differences between Authentication and Digital Signature
× Two authentications:
r Data authentication is comparable to stamping a document in a way that disallows all future modifications to it. Data authentication is usually accompanied with
r data origin authentication, which binds a concrete person to this document
× A digital signature is a cryptographic technique that makes it possible to protect digital information (represented as a bitstream) from undesirable modification. Since a signature cannot just be appended to a digital bitstream, more sophisticated methods (also known as signature schemes) for signing have been elaborated.
× A signature scheme is a function Sig of a key pair (SA,VA) and a bitstring M, such that
r for anyone who knows the secret key SA, it is easy to compute for any plaintext M the signature C=Sig(SA,M).
r for anyone who knows VA (the public key), C and M, it is easy to verify if C=Sig(SA,M).
r for a randomly chosen C, it is intractable for anyone who does not know SA to find a value M for which C=Sig(SA,M).
Cryptography and Network Security
Hash Algorithms
XiangYang Li
Hash Function
× Map a message to a smaller value
× Requirements
r Can be applied to a block of data of any size
r Produces a fixed-length output
r H(x) is easy to compute (by hardware or software)
r One-way: given code h, it is computationally infeasible to find x with H(x)=h
r Weak collision resistance: given x, computationally infeasible to find y ≠ x with H(x)=H(y)
r Strong collision resistance: computationally infeasible to find any pair x ≠ y with H(x)=H(y)
Hash Algorithms
× see similarities in the evolution of hash functions & block ciphers
r increasing power of brute-force attacks
r leading to evolution in algorithms
r from DES to AES in block ciphers
r from MD4 & MD5 to SHA-1 & RIPEMD-160 in hash algorithms
× likewise tend to use common iterative structure as do block ciphers
Basic Uses of Hash Function
× Six basic usages
r E_k(M || H(M))
º Confidentiality and authentication
r M || E_k(H(M))
º Authentication
r M || E_KRa(H(M))
º Authentication and digital signature
r E_k(M || E_KRa(H(M)))
º Authentication, digital signature and confidentiality
r M || H(M || S)
º Authentication (S shared by both sides)
r E_k(M || H(M || S))
º Confidentiality and authentication
Birthday Attacks
× If a 64-bit hash code is used
r On average, how many messages need to be tried to find one that matches the intercepted hash code?
× Birthday paradox
r A will sign a message appended with an m-bit hash code
r Attacker generates some variations of the fraudulent message, and also variations of the good message
r Find a pair of messages, one from each of the two sets
º Such that they have the same hash code
r Give the good message to A to get the signature
r Replace the good message with the fraudulent message
Analysis
× Using the birthday attack, given a 64-bit hash code
r How many message variations are needed so the success probability is large, say 90%?
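The two questions on these slides worked through numerically, as an added example that is not part of the lecture notes: the expected cost of matching a given 64-bit hash code, the birthday bound for a 90% success probability, and the two-set search itself run against a digest truncated to a constructed small width so it finishes quickly. The message texts and the truncated-SHA-1 stand-in are assumptions.

```python
"""Birthday bound worked through for the two questions on the slides, plus an
experiment on a truncated digest. Added example, not from the lecture notes.
The 'messages' are constructed strings; SHA-1 truncated to a few bits stands in
for a short hash code so the collision search finishes in well under a second."""
import hashlib
import math


def preimage_trials(m_bits: int) -> float:
    """Expected messages to try until one matches a given m-bit hash value."""
    return 2.0 ** (m_bits - 1)


def birthday_trials(m_bits: int, success_probability: float) -> float:
    """Messages needed in ONE set so that some pair among them collides with
    probability p: n ~ sqrt(2 * 2^m * ln(1 / (1 - p))) (birthday paradox)."""
    return math.sqrt(2.0 * 2.0 ** m_bits * math.log(1.0 / (1.0 - success_probability)))


def two_set_trials(m_bits: int, success_probability: float) -> float:
    """The attack on the slide uses two sets (good and fraudulent variants);
    with n variants in each set, P[some cross-pair collides] ~ 1 - exp(-n^2 / 2^m),
    so n ~ sqrt(2^m * ln(1 / (1 - p)))."""
    return math.sqrt(2.0 ** m_bits * math.log(1.0 / (1.0 - success_probability)))


def short_hash(data: bytes, m_bits: int) -> int:
    """Truncated SHA-1: stands in for an m-bit hash code (constructed toy)."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") >> (160 - m_bits)


def find_cross_collision(m_bits: int, limit: int = 1 << 20) -> tuple:
    """Two-set birthday search exactly as the slide describes: hash good-message
    variants into a table, then look for a fraudulent variant hitting the table.
    Returns (good_variant, fraud_variant, trials_per_set)."""
    good = {}
    n = 0
    while n < limit:
        n += 1
        g = f"Pay 100 dollars to Alice. (variant {n})".encode()
        good[short_hash(g, m_bits)] = g
        f = f"Pay 100000 dollars to Mallory. (variant {n})".encode()
        h = short_hash(f, m_bits)
        if h in good:
            return good[h], f, n
    raise RuntimeError("no collision within limit")
```

For a 64-bit code the first answer is 2^63 tries, while the birthday route needs only on the order of 10^10 variants per set, which is why the slides call 64-bit codes insecure.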
Examples
× Simple hash functions
r XOR of the input message blocks
º H(M) = X_1 ⊕ X_2 ⊕ … ⊕ X_{m-1} ⊕ X_m
r But not secure
º Y_m = H(M) ⊕ Y_1 ⊕ Y_2 ⊕ … ⊕ Y_{m-1} has the same hash value as (X_1 X_2 … X_{m-1} X_m), where each Y_i is any value
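The XOR hash and the fix-up of the last block Y_m described on this slide, as an added example (not code from the lecture notes); the 4-byte block size and the messages are constructed.

```python
"""The XOR hash from the slide, and the forgery it permits. Added example, not
from the lecture notes; the block size (4 bytes) and the messages are constructed."""

BLOCK = 4  # bytes per block X_i (constructed choice)


def xor_hash(msg: bytes, block: int = BLOCK) -> bytes:
    """H(M) = X_1 xor X_2 xor ... xor X_m over zero-padded blocks."""
    if len(msg) % block:
        msg += b"\x00" * (block - len(msg) % block)
    acc = bytes(block)
    for i in range(0, len(msg), block):
        acc = bytes(a ^ b for a, b in zip(acc, msg[i:i + block]))
    return acc


def forge_same_hash(target_hash: bytes, chosen_blocks: list) -> bytes:
    """Given any blocks Y_1..Y_{m-1} chosen freely, append
    Y_m = H(M) xor Y_1 xor ... xor Y_{m-1}; the result hashes to H(M)."""
    y_m = target_hash
    for y in chosen_blocks:
        y_m = bytes(a ^ b for a, b in zip(y_m, y))
    return b"".join(chosen_blocks) + y_m


def forgery_demo() -> tuple:
    original = b"pay alice 10 dollars"            # constructed message
    h = xor_hash(original)
    # the last block is fixed up so the chosen content keeps the same hash
    chosen = [b"pay ", b"mall", b"ory ", b"9999", b" dol"]
    forged = forge_same_hash(h, chosen)
    return h, forged, xor_hash(forged) == h
```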
Cont.
× Based on DES, block chaining technique
r Rabin, 1978
r Divide message M into fixed-size blocks M_i
º Assume n data blocks in total
r H_0 = initial value
r H_i = E_{M_i}[H_{i-1}]
r H_n is the hash value
× Birthday attack still applies
r If a 64-bit code is still used
More Attacks
× Birthday attack applies if chosen plaintext
× Meet-in-the-middle attack if known plaintext
r Known signed hash code G
r Construct n-2 desired message blocks Q_i
r Compute H_i = E_{Q_i}[H_{i-1}]
r Generate 2^{m/2} random blocks X
º For each X, compute H_{n-1} = E_X[H_{n-2}]
r Generate 2^{m/2} random blocks Y
º For each Y, compute H'_{n-1} = D_Y[G]
r Find X, Y such that H_{n-1} = H'_{n-1}
r Then Q_1, Q_2, …, Q_{n-2}, X, Y is a fraudulent message
Security
× The size of the hash code determines security
r 128 bits is not secure
r Currently, most use a 160-bit hash code
º Now 256 bits is recommended
× Attacking a MAC
r Objective is to find a valid (x, C_k(x)) pair
r Attack the key space: roughly 2^k, k = key size
r Attack the MAC value
More Hash Algorithms
× Algorithms
r Message Digest: MD5 (was most widely used)
r Secure Hash Algorithm: SHA-1 (from MD4)
r RIPEMD-160
r HMAC
MD5
× designed by Ronald Rivest (the R in RSA)
× latest in a series of MD2, MD4
× produces a 128-bit hash value
× until recently was the most widely used hash algorithm
r in recent times have both brute-force & cryptanalytic concerns
× specified as Internet standard RFC 1321
MD5 Overview
1. pad message so its length is 448 mod 512
2. append a 64-bit length value to message
3. initialise 4-word (128-bit) MD buffer (A,B,C,D)
4. process message in 16-word (512-bit) blocks:
r using 4 rounds of 16 steps of bit operations on message block & buffer
r add output to buffer input to form new buffer value
5. output hash value is the final buffer value
MD5 Overview
MD5 Compression Function
× each round has 16 steps of the form:
a = b + ((a + g(b,c,d) + X[k] + T[i]) <<< s)
× a,b,c,d refer to the 4 words of the buffer, but used in varying permutations
r note this updates 1 word only of the buffer
r after 16 steps each word is updated 4 times
× where g(b,c,d) is a different nonlinear function in each round (F,G,H,I)
× T[i] is a constant value derived from sin
MD5 Compression Function
MD4
× precursor to MD5
× also produces a 128-bit hash of message
× has 3 rounds of 16 steps vs 4 in MD5
× design goals:
r collision resistant (hard to find collisions)
r direct security (no dependence on "hard" problems)
r fast, simple, compact
r favours little-endian systems (eg PCs)
Strength of MD5
× MD5 hash is dependent on all message bits
× Rivest claims security is as good as can be
× known attacks are:
r Berson 92 attacked any 1 round using differential cryptanalysis (but can't extend)
r Boer & Bosselaers 93 found a pseudo collision (again unable to extend)
r Dobbertin 96 created collisions on MD compression function (but initial constants prevent exploit)
× conclusion is that MD5 looks vulnerable soon
Bad news
× Chinese authors (Wang, Feng, Lai, and Yu) reported a family of collisions in MD5
r (fixing the previous bug in their analysis), and also reported that their method can efficiently (2^40 hash steps) find a collision in SHA-0.
r August, Crypto 2004
× MD5 is fatally wounded; its use will be phased out. SHA-1 is still alive but the vultures are circling. A gradual transition away from SHA-1 will now start. The first stage will be a debate about alternatives, leading to a consensus among practicing cryptographers about what the substitute will be.
Why collisions are bad
× An example of what you might do with this.
r You could request an SSL certificate (for your real identity) from a certificate authority. After the response comes back, you can then use that response (which is based on the MD5 of your identity+key) to "authenticate" a carefully chosen different certificate, one which claims that you are LargeBankOrSoftwareCorp., but which has the same MD5 as your real identity. You can then present this to other people in order to convince them that you are someone whom you are not.
× Another example,
r core internet routers use md5 to exchange passwords. I simply sniff the md5sum, and if I can find a string that generates the same sum, easily, I can send my own routing update that takes down the internet. More examples, since a LOT of applications use md5, but you get the idea.
Further detail
× Obviously the above attack isn't quite so simple, but this research makes it *possible*. Before, it was believed to be sufficiently difficult to find a collision that nobody worried about it. Now they are saying it's feasible to do it in hours.
× The question hanging around right now is that these researchers managed to find collisions easily, but not for an arbitrary string. The question is how long before someone modifies this method to find any collision. That is how much time the world has to move away.
× More at
r http://www.freedomtotinker.com/archives/000664.html
What to do next
× The U.S. National Institute of Standards and Technology is having a competition for a new cryptographic hash function.
× The phrase "one-way hash function" might sound arcane and geeky, but hash functions are the workhorses of modern cryptography.
× Submissions will be due in fall 2008, and a single standard is scheduled to be chosen by the end of 2011.
× we have an interim solution in SHA-256.
Secure Hash Algorithm (SHA-1)
× SHA was designed by NIST & NSA in 1993, revised 1995 as SHA-1
× US standard for use with DSA signature scheme
r standard is FIPS 180-1 1995, also Internet RFC 3174
r nb. the algorithm is SHA, the standard is SHS
× produces 160-bit hash values
× now the generally preferred hash algorithm
× based on design of MD4 with key differences
SHA Overview
1. pad message so its length is 448 mod 512
2. append a 64-bit length value to message
3. initialise 5-word (160-bit) buffer (A,B,C,D,E) to (67452301, efcdab89, 98badcfe, 10325476, c3d2e1f0)
4. process message in 16-word (512-bit) chunks:
r expand 16 words into 80 words by mixing & shifting
r use 4 rounds of 20 steps of bit operations on message block & buffer
r add output to input to form new buffer value
5. output hash value is the final buffer value
SHA-1 Compression Function
× each round has 20 steps which replace the 5 buffer words thus:
(A,B,C,D,E) ← (E + f(t,B,C,D) + (A<<<5) + W_t + K_t), A, (B<<<30), C, D
× A,B,C,D,E refer to the 5 words of the buffer
× t is the step number
× f(t,B,C,D) is the nonlinear function for the round
× W_t is derived from the message block
× K_t is a constant value derived from sin
SHA-1 Compression Function
SHA-1 versus MD5
× brute force attack is harder (160 vs 128 bits for MD5)
× not vulnerable to any known attacks (compared to MD4/5)
× a little slower than MD5 (80 vs 64 steps)
× both designed as simple and compact
× optimised for big-endian CPUs (vs MD5 which is optimised for little-endian CPUs)
Revised Secure Hash Standard
× NIST have issued a revision FIPS 180-2
× adds 3 additional hash algorithms
× SHA-256, SHA-384, SHA-512
× designed for compatibility with increased security provided by the AES cipher
× structure & detail is similar to SHA-1
× hence analysis should be similar
RIPEMD-160
× RIPEMD-160 was developed in Europe as part of RIPE project in 96
× by researchers involved in attacks on MD4/5
× initial proposal strengthened following analysis to become RIPEMD-160
× somewhat similar to MD5/SHA
× uses 2 parallel lines of 5 rounds of 16 steps
× creates a 160-bit hash value
× slower, but probably more secure, than SHA
RIPEMD-160 Overview
1. pad message so its length is 448 mod 512
2. append a 64-bit length value to message
3. initialise 5-word (160-bit) buffer (A,B,C,D,E) to (67452301, efcdab89, 98badcfe, 10325476, c3d2e1f0)
4. process message in 16-word (512-bit) chunks:
r use 10 rounds of 16 steps of bit operations on message block & buffer – in 2 parallel lines of 5
r add output to input to form new buffer value
5. output hash value is the final buffer value
RIPEMD-160 Round
RIPEMD-160 Compression Function
RIPEMD-160 Design Criteria
× use 2 parallel lines of 5 rounds for increased complexity
× for simplicity the 2 lines are very similar
× step operation very close to MD5
× permutation varies parts of message used
× circular shifts designed for best results
RIPEMD-160 versus MD5 & SHA-1
× brute force attack harder (160 like SHA-1 vs 128 bits for MD5)
× not vulnerable to known attacks, like SHA-1 though stronger (compared to MD4/5)
× slower than MD5 (more steps)
× all designed as simple and compact
× SHA-1 optimised for big-endian CPUs vs RIPEMD-160 & MD5 optimised for little-endian CPUs
Keyed Hash Functions as MACs
× have desire to create a MAC using a hash function rather than a block cipher
r because hash functions are generally faster
r not limited by export controls unlike block ciphers
× hash includes a key along with the message
× original proposal:
KeyedHash = Hash(Key || Message)
r some weaknesses were found with this
× eventually led to development of HMAC
HMAC
× specified as Internet standard RFC 2104
× uses hash function on the message:
HMAC_K = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]
× where K+ is the key padded out to size
× and opad, ipad are specified padding constants
× overhead is just 3 more hash calculations than the message needs alone
× any of MD5, SHA-1, RIPEMD-160 can be used
HMAC Overview
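SHA-1 built step by step from the SHA Overview and SHA-1 Compression Function slides, and HMAC built from the formula on the HMAC slide, both checked against the standard library. This is an added example, not code from the lecture notes; the ipad/opad byte values 0x36/0x5C and the 64-byte block size are the RFC 2104 constants, and the key and message used for checking are constructed.

```python
"""SHA-1 written from the SHA Overview and SHA-1 Compression Function slides, and
HMAC written from the RFC 2104 formula on the HMAC slide, both checked against
the standard library. Added example, not from the lecture notes."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)  # step 3 on the slide
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)               # K_t, one per round


def rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def f(t: int, b: int, c: int, d: int) -> int:
    """The round's nonlinear function f(t,B,C,D): choose, parity, majority, parity."""
    if t < 20:
        return (b & c) | (~b & d)
    if t < 40:
        return b ^ c ^ d
    if t < 60:
        return (b & c) | (b & d) | (c & d)
    return b ^ c ^ d


def pad(msg: bytes) -> bytes:
    """Steps 1-2: a 1 bit, zeros to 448 mod 512, then the 64-bit big-endian length."""
    bit_len = len(msg) * 8
    msg += b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    return msg + struct.pack(">Q", bit_len)


def sha1(msg: bytes) -> bytes:
    h = list(IV)
    data = pad(msg)
    for off in range(0, len(data), 64):                      # step 4: 512-bit chunks
        w = list(struct.unpack(">16I", data[off:off + 64]))
        for t in range(16, 80):                              # expand 16 words to 80
            w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
        a, b, c, d, e = h
        for t in range(80):                                  # 4 rounds x 20 steps
            tmp = (rotl(a, 5) + f(t, b, c, d) + e + w[t] + K[t // 20]) & MASK
            a, b, c, d, e = tmp, a, rotl(b, 30), c, d        # the slide's (A,B,C,D,E) update
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))]  # add output to input
    return struct.pack(">5I", *h)                            # step 5


def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    """HMAC_K = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]], block size 64 bytes."""
    if len(key) > 64:
        key = sha1(key)                      # RFC 2104: hash keys longer than a block
    k_plus = key.ljust(64, b"\x00")          # K+: key padded out to the block size
    ipad = bytes(k ^ 0x36 for k in k_plus)
    opad = bytes(k ^ 0x5C for k in k_plus)
    return sha1(opad + sha1(ipad + msg))


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check both functions against hashlib / hmac on the same inputs."""
    return (sha1(msg) == hashlib.sha1(msg).digest()
            and hmac_sha1(key, msg) == hmac.new(key, msg, hashlib.sha1).digest())
```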
HMAC Security
× know that the security of HMAC relates to that of the underlying hash algorithm
× attacking HMAC requires either:
r brute force attack on key used
r birthday attack (but since keyed would need to observe a very large number of messages)
× choose hash function used based on speed versus security constraints
Summary
× have considered:
r some current hash algorithms: MD5, SHA-1, RIPEMD-160
r HMAC authentication using hash function
Cryptography and Network Security
Digital Signature
XiangYang Li
Digital Signature
Digital Signatures
× have looked at message authentication
r but does not address issues of lack of trust
× digital signatures provide the ability to:
r verify author, date & time of signature
r authenticate message contents
r be verified by third parties to resolve disputes
× hence include authentication function with additional capabilities
Digital Signature Properties
× must depend on the message signed
× must use information unique to sender
r to prevent both forgery and denial
× must be relatively easy to produce
× must be relatively easy to recognize & verify
× be computationally infeasible to forge
r with new message for existing digital signature
r with fraudulent digital signature for given message
× be practical to save digital signature in storage
Securities
× A total break results in the recovery of the signing key.
× A universal forgery attack results in the ability to forge signatures for any message.
× A selective forgery attack results in a signature on a message of the adversary's choice.
× An existential forgery merely results in some valid message/signature pair not already known to the adversary.
Classification of Digital Signature
× Undeniable
× Fail-stop
× Blind
× One-time
× Multiparty (group signature)
× (n,k)-multiparty
× Oblivious
× Multi-undeniable
Algorithm and legal concerns
× several prior requirements
r quality algorithms. Some public key algorithms are known to be insecure, practicable attacks against them having been identified.
r quality implementations. An implementation of a good algorithm with mistake(s) will not work. (about 1 defect per 1,000 lines).
r the private key must remain actually secret; if it becomes known to some other party, that party can produce perfect digital signatures of anything whatsoever.
r distribution of public keys must be done in such a way that the public key claimed to belong to Bob actually belongs to Bob, and vice versa. This is commonly done using a public key infrastructure and the public key user association is attested by the operator of the PKI (called a certificate authority). For 'open' PKIs in which anyone can request such an attestation, the possibility of mistake is non-trivial.
r users (and their software) must carry out the signature protocol properly.
r Legal concerns
Direct Digital Signatures
× involve only sender & receiver
× assumed receiver has sender's public key
× digital signature made by sender signing entire message or hash with private key
× can encrypt using receiver's public key
× important that sign first then encrypt message & signature
× security depends on sender's private key
Arbitrated Digital Signatures
× involves use of arbiter A
r validates any signed message
r then dated and sent to recipient
× requires suitable level of trust in arbiter
× can be implemented with either private or public-key algorithms
× arbiter may or may not see message
RSA signature
× n = p·q, where p and q are large primes
× Alice's private key (e,n),
× Alice's public key (d,n)
× Signature of message m by Alice
r S = H(m)^e mod n
× Verification of signature by Bob
r Check if H(m) = S^d mod n
From wikipedia
Cont.
× Typically d is chosen small (3 or 2^16+1)
× Problem:
r Easy to create the signature of H(m_1)·H(m_2) from the signatures of m_1 and m_2
× RSA-PSS
r Uses some more randomization to enhance security
r It was added in version 2.1 of PKCS #1 (see RFC 3447).
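The textbook RSA signature of the slide and the multiplicative property behind the "Problem" bullet, as an added example that is not code from the lecture notes. The slide calls the private exponent e and the public one d; the code names them priv and pub. The key (n = 61·53, public exponent 17) is a constructed toy key, and the hash is reduced mod n only so the toy arithmetic stays in range.

```python
"""Textbook RSA signature from the slide (sign S = H(m)^priv mod n, verify
H(m) == S^pub mod n) and the multiplicative property behind the 'Problem' on
the Cont. slide. Added example, not from the lecture notes. The key below is a
constructed toy key; real keys have 1024+ bit moduli."""
import hashlib

P, Q = 61, 53                                # constructed toy primes
N = P * Q                                    # 3233
PUB = 17                                     # public exponent (the slide's d)
PRIV = pow(PUB, -1, (P - 1) * (Q - 1))       # private exponent (the slide's e) = 2753


def h(m: bytes) -> int:
    """H(m): SHA-1 of the message, reduced mod n to fit the toy modulus."""
    return int.from_bytes(hashlib.sha1(m).digest(), "big") % N


def sign(m: bytes) -> int:
    """S = H(m)^priv mod n."""
    return pow(h(m), PRIV, N)


def verify(m: bytes, s: int) -> bool:
    """Check H(m) == S^pub mod n."""
    return pow(s, PUB, N) == h(m)


def raw_sign(x: int) -> int:
    """RSA applied to a bare value: the operation the Cont. slide warns about."""
    return pow(x, PRIV, N)


def multiplicative_forgery(x1: int, x2: int) -> tuple:
    """Given RSA 'signatures' on x1 and x2, their product is a valid signature on
    x1*x2 mod n, because (x1*x2)^priv = x1^priv * x2^priv (mod n). The private
    exponent is never applied to the product. Returns (forged_sig, is_valid).
    Hashing before signing (as on the slide) and PSS padding are what stop an
    attacker from turning this into a signature on a chosen message."""
    forged = raw_sign(x1) * raw_sign(x2) % N
    return forged, pow(forged, PUB, N) == x1 * x2 % N
```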
ElGamal Signature
× Global public components
r Prime number p with 512–1024 bits
r Primitive element g in Z_p
× User's private key
r Random integer x less than p
× User's public key
r Integer y = g^x mod p
Elgamal
× Signature
r For each message M, generate a random k
r Compute r = g^k mod p
r Compute s = k^{-1} (H(M) − x·r) mod (p−1)
r Signature is (r,s)
× Verifying
r Compute v_1 = g^{H(M)} mod p
r Compute v_2 = y^r · r^s mod p
r Test if v_1 = v_2
Proof of Correctness
× Compute v_2 = y^r · r^s mod p
r So v_2 = y^r · r^s mod p = g^{xr} · g^{ks} mod p
r = g^{xr + k·k^{-1}(H(M) − xr) mod (p−1)} mod p
r = g^{H(M)} mod p = v_1
r Notice that here it uses Fermat's theorem to show
º That g^{(H(M) − xr) mod (p−1)} mod p = g^{H(M) − xr} mod p
Cont.
× The main disadvantages of ElGamal are
r the need for randomness (sometimes it is good), and
r its slower speed (especially for signing).
r Another potential disadvantage of the ElGamal system is that message expansion by a factor of two takes place during encryption. However, such message expansion is negligible if the cryptosystem is used only for exchange of secret keys.
Digital Signature Standard
× FIPS PUB 186 by NIST, 1991
× Final announcement 1994
× It uses
r Secure Hash Algorithm (SHA) for hashing
r Digital Signature Algorithm (DSA) for signature
r The hash code is set as input of DSA
r The signature consists of two numbers
× DSA
r Based on the difficulty of discrete logarithm
r Based on Elgamal and Schnorr system
DSA
× Global public components
r Prime number p with 512–1024 bits
r Prime divisor q of (p−1) with 160 bits
r Integer g = h^{(p−1)/q} mod p
× User's private key
r Random integer x less than q
× User's public key
r Integer y = g^x mod p
DSA
× Signature
r For each message M, generate a random k
r Compute r = (g^k mod p) mod q
r Compute s = k^{-1} (H(M) + x·r) mod q
r Signature is (r,s)
× Verifying
r Compute w = s^{-1} mod q, u_1 = H(M)·w mod q
r Compute u_2 = r·w mod q, v = (g^{u_1} · y^{u_2} mod p) mod q
r Test if v = r
Proof of Correctness
× Notice that v = (g^{u_1} · y^{u_2} mod p) mod q
r = (g^{H(M)w mod q} · y^{rw mod q} mod p) mod q
r = (g^{H(M)w mod q} · g^{xrw mod q} mod p) mod q
r = (g^{(H(M)w + xrw) mod q} mod p) mod q
r = (g^{(H(M) + xr)w mod q} mod p) mod q
r = (g^{(H(M) + xr)·k·(H(M) + xr)^{-1} mod q} mod p) mod q
r = (g^{k mod q} mod p) mod q
r = r
In practice (Sun Java Library)
r g = F7E1A085D69B3DDE CBBCAB5C36B857B9
7994AFBBFA3AEA82 F9574C0B3D078267
5159578EBAD4594F E67107108180B449
167123E84C281613 B7CF09328CC8A6E1
3C167A8B547C8D28 E0A3AE1E2BB3A675
916EA37F0BFA2135 62F1FB627A01243B
CCA4F1BEA8519089 A883DFE15AE59F06
928B665E807B5525 64014C3BFECF492A
r p = FD7F53811D751229 52DF4A9C2EECE4E7
F611B7523CEF4400 C31E3F80B6512669
455D402251FB593D 8D58FABFC5F5BA30
F6CB9B556CD7813B 801D346FF26660B7
6B9950A5A49F9FE8 047B1022C24FBBA9
D7FEB7C61BF83B57 E7C6A8A6150F04FB
83F6D3C51EC30235 54135A169132F675
F3AE2B61D72AEFF2 2203199DD14801C7
r q = 9760508F15230BCC B292B982A2EB840B F0581CF5
r Here g and p have 1024 bits, while q has 160 bits. They fulfill the requirement that g^q = 1 mod p.
Note
× Can we use the random number k twice?
r What will happen if k is used twice?
r We have r = (g^k mod p) mod q
r s_1 = k^{-1}(H(M_1) + x·r) mod q and s_2 = k^{-1}(H(M_2) + x·r) mod q
r We have s_1 − s_2 = k^{-1}(H(M_1) − H(M_2)) mod q
× Another attack (for OpenPGP)
r Replace p and g
r http://www.tigertools.net/board/?topic=topic4&msg=14
r http://www.orlingrabbe.com/DSAflaw_OpenPGP.htm
Cont.
× We cannot use a small k
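DSA signing and verification from the DSA slides, followed by the consequence of the Note slide: with the same k under two signatures, the relation s_1 − s_2 = k^{-1}(H(M_1) − H(M_2)) mod q gives k, and from k the private key x. This is an added example, not code from the lecture notes; q = 1009 and the derived p and g are constructed toy parameters (real DSA uses a 160-bit q and 1024-bit p), and the hash is SHA-1 reduced mod q.

```python
"""DSA from the slides with constructed toy parameters, plus the 'Note' slide's
warning: signing two messages with the same k leaks k and then the private key x.
Added example, not from the lecture notes. Parameters are tiny (q = 1009) so the
numbers are readable; a real signer must draw a fresh, secret, unpredictable k
for every signature (or derive it deterministically per RFC 6979)."""
import hashlib


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    return all(n % d for d in range(2, int(n ** 0.5) + 1))


def make_params(q: int = 1009) -> tuple:
    """Find the smallest prime p = k*q + 1, then g = h^((p-1)/q) mod p with g != 1."""
    p = 2 * q + 1
    while not is_prime(p):
        p += q
    h = 2
    g = pow(h, (p - 1) // q, p)
    while g == 1:
        h += 1
        g = pow(h, (p - 1) // q, p)
    return p, q, g


def H(msg: bytes, q: int) -> int:
    """H(M): SHA-1 as in DSS, reduced mod q to fit the toy group."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % q


def sign(params: tuple, x: int, msg: bytes, k: int) -> tuple:
    """r = (g^k mod p) mod q, s = k^-1 (H(M) + x r) mod q. k is a parameter only so
    that the reuse below is reproducible."""
    p, q, g = params
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (H(msg, q) + x * r) % q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, choose another k")
    return r, s


def verify(params: tuple, y: int, msg: bytes, sig: tuple) -> bool:
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = H(msg, q) * w % q, r * w % q
    v = pow(g, u1, p) * pow(y, u2, p) % p % q
    return v == r


def recover_from_reused_k(params: tuple, m1: bytes, sig1: tuple,
                          m2: bytes, sig2: tuple) -> tuple:
    """From s1 - s2 = k^-1 (H(M1) - H(M2)) mod q (the Note slide) solve for k,
    then x = (s1 k - H(M1)) r^-1 mod q. Returns (k, x). Both signatures share r,
    which is how a verifier or auditor can detect that k was reused."""
    q = params[1]
    r, s1 = sig1
    _, s2 = sig2
    k = (H(m1, q) - H(m2, q)) * pow((s1 - s2) % q, -1, q) % q
    x = (s1 * k - H(m1, q)) * pow(r, -1, q) % q
    return k, x
```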
Nondeterministic
× Nondeterministic signatures
r For each message, many valid signatures exist
r DSA, Elgamal
× Deterministic signatures
r For each message, one valid signature exists
r RSA
Comparisons
× Speed
r DSS has faster signing than verifying
r RSA could have faster verifying than signing
r A message is signed once, but verified many times
º This prefers the faster verification
r But the signer may have limited computing power
º Example: smart card
º This prefers the faster signing
Blind Signature (digital cash)
× first introduced by Chaum, allows a person to get a message signed by another party without revealing any information about the message to the other party.
× Suppose Alice has a message m that she wishes to have signed by Bob, and she does not want Bob to learn anything about m.
r Let (n,e) be Bob's public key and (n,d) be his private key.
r Alice generates a random value r such that gcd(r, n) = 1 and sends x = (r^e · m) mod n to Bob. The value x is ``blinded'' by the random value r; hence Bob can derive no useful information from it.
r Bob returns the signed value t = x^d mod n to Alice.
r Since x^d ≡ (r^e · m)^d ≡ r · m^d mod n,
r Alice can obtain the true signature s of m by computing s = r^{-1} · t mod n.
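Chaum's RSA blind signature exactly as the slide states it, as an added example that is not code from the lecture notes: Alice blinds with r^e, Bob signs the blinded value, Alice unblinds with r^{-1}, and the result verifies as an ordinary signature on m. Bob's key (n = 61·53, e = 17) and the message value are constructed.

```python
"""Chaum's RSA blind signature as on the slide: x = r^e * m mod n, t = x^d mod n,
s = r^-1 * t mod n. Added example, not from the lecture notes. Bob's key is a
constructed toy key; the blinding factor comes from the secrets module."""
import math
import secrets

P, Q = 61, 53                                  # constructed toy primes for Bob's key
N, E = P * Q, 17                               # Bob's public key (n, e)
D = pow(E, -1, (P - 1) * (Q - 1))              # Bob's private key (n, d)


def pick_blinding_factor(n: int) -> int:
    """Random r with gcd(r, n) = 1 so that r^-1 mod n exists."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r


def blind(m: int, r: int) -> int:
    """Alice: x = r^e * m mod n. Bob sees only x, which looks random to him."""
    return pow(r, E, N) * m % N


def bob_sign_blinded(x: int) -> int:
    """Bob: t = x^d mod n; he never learns m."""
    return pow(x, D, N)


def unblind(t: int, r: int) -> int:
    """Alice: s = r^-1 * t mod n, valid because x^d = r * m^d (mod n)."""
    return pow(r, -1, N) * t % N


def verify(m: int, s: int) -> bool:
    """Anyone holding Bob's public key: s^e == m mod n."""
    return pow(s, E, N) == m % N


def blind_signature_round_trip(m: int) -> tuple:
    """Returns (s, blinded_value_differs_from_m, s_equals_bobs_direct_signature)."""
    r = pick_blinding_factor(N)
    x = blind(m, r)
    t = bob_sign_blinded(x)
    s = unblind(t, r)
    return s, x != m % N, verify(m, s) and s == pow(m, D, N)
```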
Security Concerns
× GnuPG permits creating ElGamal keys
r that are usable for both encryption and signing.
r It is even possible to have one key (the primary one) used for both operations.
r This is not considered good cryptographic practice, but is permitted by the OpenPGP standard.
× An ElGamal signature is much larger than an RSA or DSA signature
r verification and creation take far longer, and the use of ElGamal for signing has always been problematic due to a couple of cryptographic weaknesses when not done properly.
Applications of Blind Signature
× In an online context the blind signature works as follows.
r Voters encrypt their ballot with a secret key and then blind it.
r Then the voter signs the encrypted vote and sends it to the validator.
r The validator checks to see if the signature is valid (the signature acts as an I.D. tag and will have to be registered with the voter before the voting process has started) and if it is, the validator signs it and returns it to the voter.
r The voter removes the blinding encryption layer, which then leaves behind an encrypted ballot with the validator's signature.
Cont.
× This is then sent to the tallier who checks to make sure the validator's signature is present on the votes.
× He then waits until all votes have been collected and then publishes all the encrypted votes so that the voters can verify their votes have been received.
× The voters then send their keys to the tallier to decrypt their ballots.
× Once the vote has been counted the tallier publishes the encrypted votes and the decryption keys so that voters can then verify the results.
× Next we illustrate the transfer of ballots between the various parties.
Cont.
Cont.
× This protocol has been implemented and used in practice, and it has been found that the entire voting process can be completed in a matter of minutes despite the complex nature of the voting procedure.
× Most of the tasks can be automated with the only user interaction needed being the actual vote casting.
× Encryption, blinding and all the verification needed can be performed by software in the background.
× Of course we'd have to trust this software to handle the voting procedures correctly and accurately and to assume it has not been compromised in some way.
Cryptography and Network Security 441
Cryptography and Network Security
Certificate
XiangYang Li
Cryptography and Network Security 442
Certificate
×
A publickey certificate is a digitally
signed statement from one entity, saying
that the public key (and some other
information) of another entity has some
specific value.
Cryptography and Network Security 443
More terms
×
Digitally Signed
r
If some data is digitally signed it has been stored with
the "identity" of an entity, and a signature that proves
that entity knows about the data. The data is rendered
unforgeable by signing with the entity's private key.
×
Identity
r
A known way of addressing an entity. In some systems
the identity is the public key, in others it can be anything
from a Unix UID to an Email address to an X.509
Distinguished Name.
×
Entity
r
An entity is a person, organization, program, computer,
business, bank, or something else you are trusting to
some degree.
Cryptography and Network Security 444
More about CA
×
Why need it
r
In a large-scale networked environment it is impossible to
guarantee that prior relationships between communicating entities
have been established or that a trusted repository exists with all
used public keys. Certificates were invented as a solution to this
public key distribution problem. Now a Certification Authority
(CA) can act as a Trusted Third Party. CAs are entities (e.g.,
businesses) that are trusted to sign (issue) certificates for other
entities. It is assumed that CAs will only create valid and reliable
certificates as they are bound by legal agreements. There are many
public Certification Authorities, such as VeriSign, Thawte, Entrust
, and so on. You can also run your own Certification Authority
using products such as the Netscape/Microsoft Certificate Servers
or the Entrust CA product for your organization.
Cryptography and Network Security 445
Who uses Certificate?
×
Probably the most widely visible application of
X.509 certificates today is in web browsers (such
as Netscape Navigator and Microsoft Internet
Explorer) that support the SSL protocol.
r
SSL (Secure Socket Layer) is a security protocol that provides
privacy and authentication for your network traffic. These
browsers can only use this protocol with web servers that support
SSL.
×
Other technologies that rely on X.509
certificates include:
r
Various code-signing schemes, such as signed Java Archives, and
Microsoft Authenticode.
r
Various secure E-Mail standards, such as PEM and S/MIME.
r
E-Commerce protocols, such as SET.
Cryptography and Network Security 446
How to create certificate?
×
There are two basic techniques used to get
certificates:
r
you can create one yourself (using the right tools, such as keytool)
º
Not everyone will accept self-signed certificates.
r
you can ask a Certification Authority to issue you one (either directly or
using a tool such as keytool to generate the request).
×
The main inputs to the certificate creation are:
r
Matched public and private keys, generated using some special tools
(such as keytool), or a browser.
r
information about the entity being certified (e.g., you). This normally
includes information such as your name and organizational address. If
you ask a CA to issue a certificate for you, you will normally need to
provide proof to show correctness of the information.
Cryptography and Network Security 447
business
×
Many companies sell the service of
creating certificates (such as SSL
certificates)
r
Comodo
r
Verisign
r
Thawte
r
Entrust
r
Geotrust
Cryptography and Network Security 448
X.509 Authentication Service
×
Public key certificate associated with user
r
The certificates are created by Trusted Authority
r
Then placed in the directory by TA or user
r
Itself is not responsible for creating certificate
r
It includes
º
Version, serial number, signature algorithm identifier,
Issuer name, issuer identifier, validity period, the
user, user identifier, user’s public key, extensions,
signature by TA
r
The signature by TA guarantees the authority
r
Certificates can be used to certify other TAs
r
Y<<X>>: certificate of user X issued by TA Y
Cryptography and Network Security 449
What is inside X.509 certificate?
×
Version
r
Thus far, three versions are defined.
×
Serial Number
r
A number assigned by the CA to distinguish this certificate from the
others it issues. This information is used in numerous ways, for example
when a certificate is revoked its serial number is placed in a
Certificate Revocation List (CRL).
×
Signature Algorithm Identifier
r
This identifies the algorithm used by the CA to sign the
certificate.
×
Issuer Name
r
The X.500 name of the entity that signed the certificate.
This is normally a CA. Using this certificate implies trusting
the entity that signed this certificate. For root or top-level CA
certificates, the issuer signs its own certificate.
Cryptography and Network Security 450
cont
×
Validity Period
r
This period is described by a start date and time and an end
date and time, and can be as short as a few seconds or
almost as long as a century. It depends on a number of
factors, such as the strength of the private key used to sign
the certificate or the amount one is willing to pay for a
certificate. This is the expected period that entities can
rely on the public value, if the associated private key has not
been compromised.
×
Subject Name
r
The name of the entity whose public key the certificate
identifies. This name uses the X.500 standard, so it is
intended to be unique across the Internet.
×
Subject Public Key Information
r
The public key, together with an algorithm identifier
Cryptography and Network Security 451
Certificate Revocation
×
Need the private key together with the
certificate to revoke it
×
The revocation is recorded at the
directory
×
Each time a certificate arrives, check
the directory to see if it is revoked
Cryptography and Network Security 452
X.509 Authentication Service
×
part of CCITT X.500 directory service standards
r
distributed servers maintaining some info database
×
defines framework for authentication services
r
directory may store public-key certificates
r
with public key of user
r
signed by certification authority
×
also defines authentication protocols
×
uses public-key crypto & digital signatures
r
algorithms not standardised, but RSA recommended
Cryptography and Network Security 453
X.509 Certificates
×
issued by a Certification Authority (CA), containing:
r
version (1, 2, or 3)
r
serial number (unique within CA) identifying certificate
r
signature algorithm identifier
r
issuer X.500 name (CA)
r
period of validity (from and to dates)
r
subject X.500 name (name of owner)
r
subject public-key info (algorithm, parameters, key)
r
issuer unique identifier (v2+)
r
subject unique identifier (v2+)
r
extension fields (v3)
r
signature (of hash of all fields in certificate)
×
notation CA<<A>> denotes certificate for A signed by CA
Cryptography and Network Security 454
X.509 Certificates
Cryptography and Network Security 455
Obtaining a Certificate
×
any user with access to CA can get any
certificate from it
×
only the CA can modify a certificate
×
because cannot be forged, certificates can
be placed in a public directory
Cryptography and Network Security 456
CA Hierarchy
×
if both users share a common CA then they
are assumed to know its public key
×
otherwise CAs must form a hierarchy
×
use certificates linking members of
hierarchy to validate other CA's
r
each CA has certificates for clients (forward) and
parent (backward)
×
each client trusts its parent's certificates
×
enable verification of any certificate from
one CA by users of all other CAs in
hierarchy
Cryptography and Network Security 457
CA Hierarchy Use
Cryptography and Network Security 458
Certificate Revocation
×
certificates have a period of validity
×
may need to revoke before expiry, eg:
1. user's private key is compromised
2. user is no longer certified by this CA
3. CA's certificate is compromised
×
CAs maintain a list of revoked certificates
r
the Certificate Revocation List (CRL)
×
users should check certs with CA’s CRL
Cryptography and Network Security 459
Authentication Procedures
×
X.509 includes three alternative
authentication procedures:
×
One-Way Authentication
×
Two-Way Authentication
×
Three-Way Authentication
×
all use public-key signatures
Cryptography and Network Security 460
One-Way Authentication
×
1 message (A → B) used to establish
r
the identity of A and that message is from A
r
message was intended for B
r
integrity & originality of message
×
message must include timestamp, nonce,
B's identity and is signed by A
Cryptography and Network Security 461
Two-Way Authentication
×
2 messages (A → B, B → A) which also
establishes in addition:
r
the identity of B and that reply is from B
r
that reply is intended for A
r
integrity & originality of reply
×
reply includes original nonce from A, also
timestamp and nonce from B
Cryptography and Network Security 462
Three-Way Authentication
×
3 messages (A → B, B → A, A → B) which
enables above authentication without
synchronized clocks
×
has reply from A back to B containing
signed copy of nonce from B
×
means that timestamps need not be
checked or relied upon
Cryptography and Network Security 463
X.509 Version 3
×
has been recognised that additional
information is needed in a certificate
r
email/URL, policy details, usage constraints
×
rather than explicitly naming new fields
defined a general extension method
×
extensions consist of:
r
extension identifier
r
criticality indicator
r
extension value
Cryptography and Network Security 464
Certificate Extensions
×
key and policy information
r
convey info about subject & issuer keys, plus indicators
of certificate policy
×
certificate subject and issuer attributes
r
support alternative names, in alternative formats for
certificate subject and/or issuer
×
certificate path constraints
r
allow constraints on use of certificates by other CA’s
Cryptography and Network Security 465
Cryptography and Network Security
Identification
XiangYang Li
Cryptography and Network Security 466
Identification
×
Identification: user authentication
r
convince system of your identity
r
before it can act on your behalf
r
sometimes also require that the computer verify its identity with
the user
×
Based on three methods
r
what you know
r
what you have
r
what you are
×
Verification
r
Validation of the information supplied against a table of possible
values, based on the user's claimed identity
Cryptography and Network Security 467
What you Know
×
Passwords or Passphrases
r
prompt user for a login name and password
r
verify identity by checking that password is correct
r
on some (older) systems, the password was stored in the clear
r
more often use a one-way function, whose output
cannot easily be used to find the input value
r
either takes a fixed sized input (eg 8 chars)
r
or based on a hash function to accept a variable sized
input to create the value
r
important that passwords are selected with care to
reduce risk of exhaustive search
Cryptography and Network Security 468
Weakness
×
Traditional password scheme is vulnerable
to eavesdropping over an insecure network
Cryptography and Network Security 469
Solutions?
×
One-time password
r
these are passwords used once only
r
future values cannot be predicted from older values
×
Password generation
r
either generate a printed list, and keep matching list on
system to be accessed
r
or use an algorithm based on a one-way function f (e.g.
MD5) to generate the previous values in the series (e.g. S/Key)
º start with a secret password s and a number N, $p_0 = f^N(s)$
º the i-th password in the series is $p_i = f^{N-i}(s)$
r
must reset password after N uses
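The S/Key chain just described, as an added Python example that is not part of the lecture note: the server stores only $p_0 = f^N(s)$ and accepts $p_i$ when $f(p_i)$ equals the last accepted value. SHA-256 in place of MD5, the secret and the class names are assumptions.

```python
import hashlib


def f(x: bytes) -> bytes:
    """The one-way function; SHA-256 here in place of MD5 (assumption)."""
    return hashlib.sha256(x).digest()


def f_iter(x: bytes, times: int) -> bytes:
    for _ in range(times):
        x = f(x)
    return x


def password_chain(s: bytes, N: int):
    """p_i = f^(N-i)(s) for i = 0..N; p_0 = f^N(s) goes to the server, the user keeps s."""
    return [f_iter(s, N - i) for i in range(N + 1)]


class SKeyServer:
    def __init__(self, p0: bytes, N: int):
        self.last = p0          # last accepted password, initially p_0
        self.remaining = N      # passwords left before a reset is required

    def login(self, candidate: bytes) -> bool:
        """Accept p_i only if f(p_i) equals the last accepted value; then store p_i."""
        if self.remaining == 0:
            return False
        if f(candidate) != self.last:
            return False
        self.last = candidate
        self.remaining -= 1
        return True


def demo(s: bytes = b"constructed-secret", N: int = 5):
    """Returns (first login, eavesdropper attempt, remaining logins, attempt after N uses)."""
    chain = password_chain(s, N)
    server = SKeyServer(chain[0], N)
    first = server.login(chain[1])
    eavesdropper = server.login(f(chain[1]))          # a seen value yields no future value
    rest = [server.login(chain[i]) for i in range(2, N + 1)]
    exhausted = server.login(chain[N])                # must reset after N uses
    return first, eavesdropper, rest, exhausted
```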
Cryptography and Network Security 470
What you Have
×
Magnetic Card, Magnetic Key
r
possess item with required code value encoded
×
Smart Card or Calculator
r
may interact with system
r
may require information from user
r
could be used to actively calculate:
r
a time-dependent password
r
a one-shot password
r
a challenge-response verification
r
public-key based verification
Cryptography and Network Security 471
What you Are
×
Verify identity based on your physical
characteristics, known as biometrics
×
Characteristics used include:
r
Signature (usually dynamic)
r
Fingerprint, hand geometry
r
face or body profile
r
Speech, retina pattern
×
Trade-off between
r
false rejection (type I error)
r
false acceptance (type II error)
Cryptography and Network Security 472
Cryptography and Network Security
Secret Sharing
XiangYang Li
Cryptography and Network Security 473
Threshold Scheme
×
A (t,w)-threshold scheme
r
Sharing key K among a set of w users
r
Any t users can recover the key
r
Any t-1 users cannot do so
×
Schemes
r
Shamir’s scheme
r
Geometric techniques
r
Matroid theory
Cryptography and Network Security 474
Information Theory
×
Each share is as large as the original
secret
r
This result is based on information theory, but can be understood
intuitively. Given t-1 shares, no information whatsoever can be
determined about the secret. Thus, the final share must contain as
much information as the secret itself.
×
All secret sharing schemes use random bits.
r
To distribute a one-bit secret among threshold t people, t-1 random
bits are necessary. The final share contains as much information as
the secret, but the other t-1 shares still provide relevant
information individually. This information cannot be the secret, so
it must be random.
Cryptography and Network Security 475
Shamir’s Scheme
×
Initialization phase
r
Dealer chooses a large prime number p
r
Dealer chooses w distinct $x_i$ from $\mathbb{Z}_p$
r
Gives value $x_i$ to person $p_i$
×
Share distribution of key k from $\mathbb{Z}_p$
r
Dealer chooses t-1 random numbers $a_j$
r
Dealer computes $y_i = f(x_i)$
º Here $f(x) = k + \sum_{j=1}^{t-1} a_j x^j \bmod p$
r
Dealer gives share $y_i$ to person $p_i$
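Shamir's scheme as an added Python example (not code from the lecture note): the dealer evaluates $f(x) = k + \sum a_j x^j \bmod p$ at w distinct nonzero $x_i$, and any t holders recover $k = f(0)$ by Lagrange interpolation. The prime $2^{127}-1$ and the parameter values are assumptions.

```python
import random

rng = random.SystemRandom()
P = 2**127 - 1   # assumed large prime p (a Mersenne prime)


def eval_poly(coeffs, x, p):
    """coeffs[0] = k, coeffs[j] = a_j; returns f(x) = k + sum a_j x^j mod p (Horner)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % p
    return result


def make_shares(k: int, t: int, w: int, p: int = P):
    """Dealer: t-1 random coefficients, w distinct nonzero x_i, shares (x_i, f(x_i))."""
    coeffs = [k % p] + [rng.randrange(1, p) for _ in range(t - 1)]
    xs = []
    while len(xs) < w:
        x = rng.randrange(1, p)       # x_i = 0 would leak k directly, so exclude it
        if x not in xs:
            xs.append(x)
    return [(x, eval_poly(coeffs, x, p)) for x in xs]


def recover(shares, p: int = P) -> int:
    """t holders: k = f(0) = sum_i y_i * prod_{j != i} x_j / (x_j - x_i) mod p."""
    k = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if j != i:
                num = num * xj % p
                den = den * (xj - xi) % p
        k = (k + yi * num * pow(den, -1, p)) % p
    return k
```
With fewer than t shares the interpolated value is a point on some other polynomial, so the recovered value is (with overwhelming probability) not k.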
Cryptography and Network Security 476
Geometry View
Cryptography and Network Security 477
Simple (t,t) Sharing
×
Procedure
r
D secretly chooses t-1 random elements $y_i$ from $\mathbb{Z}_n$
r
D computes
º Value $y_t = K - \sum_{j=1}^{t-1} y_j \bmod n$
r
D distributes $y_i$ to person $p_i$ for all i
×
It is secure and easy
r
Number n can be any number
r
Easy to recover the key
r
Only all t persons together can do so, assuming the $y_i$ are random
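The simple (t,t) scheme as an added Python example (not from the lecture note), with a helper that shows why t-1 shares say nothing: for every candidate key there is exactly one value of the missing share. The modulus and key values are constructed.

```python
import random

rng = random.SystemRandom()


def split_tt(K: int, t: int, n: int):
    """D chooses t-1 random y_i from Z_n and sets y_t = K - sum(y_j) mod n."""
    ys = [rng.randrange(n) for _ in range(t - 1)]
    ys.append((K - sum(ys)) % n)
    return ys


def recover_tt(ys, n: int) -> int:
    """All t holders add their shares mod n."""
    return sum(ys) % n


def missing_share_for(partial, K_guess: int, n: int) -> int:
    """Given t-1 shares, the value of the missing share that would make the key K_guess.
    One such value exists for every guess, so t-1 shares carry no information about K."""
    return (K_guess - sum(partial)) % n
```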
Cryptography and Network Security 478
Blakley's Scheme
×
Secret is a point in a t-dimensional space
×
Dealer gives each user a hyperplane
passing the secret point
×
Any t users can recover the common point
Cryptography and Network Security 479
Geometry View
Cryptography and Network Security 480
Avoid Cheating
×
Two major distinct weaknesses
r
Bogus values are undetectable.
r
Participants need not reveal their true share.
×
Even if a bogus value were detected, it
would not necessarily give any information
about the true value
×
A participant may withhold its true
value after getting the true values from the
other one
Cryptography and Network Security 481
Ben-Or/Rabin Solution
×
Using Checking Vectors
×
For any two participants A and B
r
Dealer gives A $(S_A, Y_{AB})$
r
Dealer gives B $(B_{AB}, C_{AB})$
r
Here $C_{AB} = B_{AB} Y_{AB} + S_A \bmod p$
r
$S_A$ is the secret share of A
r
A and B keep their values secret
r
B can use $(B_{AB}, C_{AB})$ to verify the value $(S_A, Y_{AB})$ of A
Cryptography and Network Security 482
Avoid Cheating
×
Participant B can send A a bogus value after
receiving A's value
×
Solution: bit transfer
r
Dealer gives A $(S_{Ai}, Y_{ABi})$
r
Dealer gives B $(B_{ABi}, C_{ABi})$
r
Here $C_{ABi} = B_{ABi} Y_{ABi} + S_{Ai} \bmod p$
r
$S_{Ai}$ is the i-th bit of the secret share of A
Cryptography and Network Security 483
Cont.
×
Protocol
r
Participant A gives its value $(S_{Ai}, Y_{ABi})$ to B
r
B verifies: $C_{ABi} = B_{ABi} Y_{ABi} + S_{Ai} \bmod p$
r
B then sends its value $(S_{Bi}, Y_{BAi})$ to A
r
A verifies: $C_{BAi} = B_{BAi} Y_{BAi} + S_{Bi} \bmod p$
r
The protocol terminates whenever
º
One side detects cheating, or
º
All values are transferred
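The checking vectors of the Ben-Or/Rabin slides and the bit-by-bit exchange protocol above, as one added Python example that is not part of the lecture note: the dealer hands the holder $(S, Y)$ and the checker $(B, C)$ with $C = BY + S \bmod p$, and a substituted bit fails the check. The prime modulus, the share values and the `b_lies_from` switch are assumptions.

```python
import random

rng = random.SystemRandom()
P = 2**61 - 1   # assumed prime modulus for the checking vectors


def deal_check(value: int, p: int = P):
    """Dealer: holder gets (S, Y), checker gets (B, C) with C = B*Y + S mod p."""
    y = rng.randrange(p)
    b = rng.randrange(1, p)
    return (value % p, y), (b, (b * y + value) % p)


def check(claimed, vector, p: int = P) -> bool:
    """Checker: accept the claimed (S, Y) only if B*Y + S == C mod p."""
    s, y = claimed
    b, c = vector
    return (b * y + s) % p == c


def deal_bits(share: int, nbits: int, p: int = P):
    """Bit-transfer variant: one (S_i, Y_i) / (B_i, C_i) pair per bit of the share."""
    holds, checks = [], []
    for i in range(nbits):
        h, c = deal_check((share >> i) & 1, p)
        holds.append(h)
        checks.append(c)
    return holds, checks


def bit_exchange(share_a: int, share_b: int, nbits: int, b_lies_from=None, p: int = P):
    """A and B reveal their shares one bit at a time, each verifying the other's bit before
    sending its own. If b_lies_from is set, B substitutes bogus bits from that index on.
    Returns (outcome, bits transferred, what A learned, what B learned)."""
    a_holds, b_checks = deal_bits(share_a, nbits, p)    # A's share, checkable by B
    b_holds, a_checks = deal_bits(share_b, nbits, p)    # B's share, checkable by A
    a_learned = b_learned = 0
    for i in range(nbits):
        s, y = a_holds[i]                                 # A -> B
        if not check((s, y), b_checks[i], p):
            return "A cheated", i, a_learned, b_learned
        b_learned |= s << i
        s, y = b_holds[i]                                 # B -> A
        if b_lies_from is not None and i >= b_lies_from:
            s ^= 1                                        # bogus bit, Y unchanged
        if not check((s, y), a_checks[i], p):
            return "B cheated", i, a_learned, b_learned
        a_learned |= s << i
    return "done", nbits, a_learned, b_learned
```
Because each side learns at most one bit more than the other before cheating is detected, neither participant can walk away with the whole share while withholding its own.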
Cryptography and Network Security 484
Chinese Remainder Theorem
×
Given a number m<n, and $n = n_1 n_2 \cdots n_k$,
r
Numbers $n_i$ and $n_j$ are coprime
r
Let $a_i = m \bmod n_i$
r
Number n is public
r
Dealer delivers $a_i$ and $n_i$ to the i-th participant
r
Then all k users can recover the number m
×
Why is it not a good secret sharing
scheme?
r
Is it computationally feasible for any k-1 users to recover the
key if n is large?
Cryptography and Network Security 485
Recover method
×
Each user precomputes
r
$N_i = n / n_i$
r
Inverse of $N_i$: $y_i = N_i^{-1} \bmod n_i$
r
Compute the product $s_i = a_i N_i y_i \bmod n$
×
Recover the secret m
r
Each user submits $s_i$
r
Compute $s_1 + s_2 + \cdots + s_k \bmod n$
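The CRT sharing and recovery procedure above, as an added Python example (not from the lecture note), together with the answer to the question on the previous slide: k-1 shares leave only $n/M$ candidates for m, where M is the product of the known moduli. The moduli 7, 11, 13 and the secret are constructed.

```python
from math import gcd, prod


def crt_split(m: int, moduli):
    """Dealer: shares are (a_i, n_i) with a_i = m mod n_i; n = prod(n_i) is public."""
    for i, a in enumerate(moduli):
        for b in moduli[i + 1:]:
            assert gcd(a, b) == 1, "moduli must be pairwise coprime"
    n = prod(moduli)
    assert 0 <= m < n
    return n, [(m % ni, ni) for ni in moduli]


def crt_recover(n: int, shares) -> int:
    """Each user computes s_i = a_i * N_i * y_i mod n with N_i = n/n_i, y_i = N_i^-1 mod n_i;
    the secret is the sum of the s_i mod n."""
    total = 0
    for a_i, n_i in shares:
        N_i = n // n_i
        y_i = pow(N_i, -1, n_i)
        total += a_i * N_i * y_i
    return total % n


def candidates_from_partial(n: int, partial):
    """Why the scheme is weak: k-1 shares determine m mod M (M = product of the known moduli),
    so only n/M values remain possible instead of n."""
    M = prod(n_i for _, n_i in partial)
    m_mod_M = crt_recover(M, partial)
    return [m_mod_M + j * M for j in range(n // M)]
```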
Cryptography and Network Security 486
Access Structure
×
Threshold scheme allows any t users to
recover key!
×
Access structure allows some subsets to
recover the key!
r
Example: $\{\{p_1,p_2,p_4\},\{p_1,p_3,p_4\},\{p_2,p_3\}\}$ among
$p_1, p_2, p_3, p_4, p_5$ are able to recover the key
r
Assume the accessing subsets are minimal
º
No proper subset of any accessing subset is able to recover
Cryptography and Network Security 487
Monotone Circuit
×
Assign sharing for each accessing subset
[Figure: monotone circuit for the access structure. An OR gate (∨) with output k is fed by three AND gates (∧): AND($p_1$, $p_2$, $p_4$) with wire values $a_1$, $a_2$, $k-a_1-a_2$; AND($p_1$, $p_3$, $p_4$) with wire values $b_1$, $b_2$, $k-b_1-b_2$; AND($p_2$, $p_3$) with wire values $c_1$, $k-c_1$.]
Cryptography and Network Security 488
Cont.
×
Distribution
r
$(a_1, b_1)$ to $p_1$
r
$(a_2, c_1)$ to $p_2$
r
$(k-c_1, b_2)$ to $p_3$
r
$(k-a_1-a_2, k-b_1-b_2)$ to $p_4$
×
The sharer needs to know
r
The circuit used by the dealer
r
Which shares correspond to which wires
º
The shared value is secret
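The distribution above for the monotone circuit, as an added Python example that is not part of the lecture note: each AND gate's wires sum to k, so any group containing an authorised subset adds the right wires, and no other group can. The prime modulus and the key value are assumptions.

```python
import random

rng = random.SystemRandom()
P = 2**61 - 1   # assumed prime; wire values live in Z_p

# The three AND gates of the circuit, each listed as (participant, wire label).
GATES = {
    frozenset({1, 2, 4}): [(1, "a1"), (2, "a2"), (4, "k-a1-a2")],
    frozenset({1, 3, 4}): [(1, "b1"), (3, "b2"), (4, "k-b1-b2")],
    frozenset({2, 3}):    [(2, "c1"), (3, "k-c1")],
}


def deal(k: int, p: int = P):
    """Dealer: random a1, a2, b1, b2, c1; the last wire of each AND gate is fixed so the
    gate's wires sum to k. p5 belongs to no authorised set and receives nothing."""
    a1, a2, b1, b2, c1 = (rng.randrange(p) for _ in range(5))
    return {
        1: {"a1": a1, "b1": b1},
        2: {"a2": a2, "c1": c1},
        3: {"k-c1": (k - c1) % p, "b2": b2},
        4: {"k-a1-a2": (k - a1 - a2) % p, "k-b1-b2": (k - b1 - b2) % p},
        5: {},
    }


def recover(shares, group, p: int = P):
    """Participants in `group` pool their shares; the first AND gate they cover yields k.
    Returns None when the group contains no authorised subset."""
    for members, wires in GATES.items():
        if members <= set(group):
            return sum(shares[who][label] for who, label in wires) % p
    return None
```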
Cryptography and Network Security 489
Visual Secret Sharing
×
There is a secret picture to be shared
among n participants.
r
The picture is divided into n transparencies (shares)
such that
r
if any m transparencies are placed together, the picture
becomes visible
r
but if fewer than m transparencies are placed together,
nothing can be seen.
Cryptography and Network Security 490
Visual Secret Sharing
×
Such a scheme is constructed by viewing
the secret picture as a set of black and
white pixels and handling each pixel
separately.
r
The schemes are perfectly secure and easily
implemented without any cryptographic computation.
×
A further improvement allows each
transparency (share) to be an innocent
picture
r
For example, a picture of a landscape or a picture of a
building
r
thus concealing the fact of secret sharing
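A pixel-by-pixel (2,2) visual scheme as an added Python example (not from the lecture note): every secret pixel becomes two subpixels on each transparency, one share is random, and stacking (a per-subpixel OR) shows one black subpixel for white and two for black. The 3x3 sample picture is constructed.

```python
import random

rng = random.SystemRandom()

# Each secret pixel becomes 2 subpixels on each transparency (1 = black, 0 = clear).
PATTERNS = [(1, 0), (0, 1)]


def make_shares(pixels):
    """(2,2) visual scheme: share 1 gets a random pattern per pixel; share 2 gets the same
    pattern for a white pixel (0) and the complementary pattern for a black pixel (1)."""
    share1, share2 = [], []
    for row in pixels:
        r1, r2 = [], []
        for px in row:
            pat = rng.choice(PATTERNS)
            r1.append(pat)
            r2.append(pat if px == 0 else (1 - pat[0], 1 - pat[1]))
        share1.append(r1)
        share2.append(r2)
    return share1, share2


def stack(share1, share2):
    """Placing the transparencies together is a per-subpixel OR: a white pixel shows one black
    subpixel, a black pixel shows two, which is what the eye (or this threshold) sees."""
    return [[int(all(a | b for a, b in zip(c1, c2))) for c1, c2 in zip(r1, r2)]
            for r1, r2 in zip(share1, share2)]


def reveals_nothing(share) -> bool:
    """Every cell of a single share has exactly one black subpixel whatever the secret was."""
    return all(sum(cell) == 1 for row in share for cell in row)
```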
Cryptography and Network Security 491
Interactive Proof
×
Interactive proof is a protocol between
two parties in which one party, called the
prover, tries to prove a certain fact to the
other party, called the verifier
×
Often takes the form of a challenge
response protocol
Cryptography and Network Security 492
cont
×
protocol in which one or more provers try
to convince another party, called the
verifier, that the prover(s) possess certain
true knowledge, such as the membership of
a string x in a given language, often with
the goal of revealing no further details
about this knowledge. The prover(s) and
verifier are formally defined as
probabilistic Turing machines with special
"interaction tapes" for exchanging
messages.
Cryptography and Network Security 493
Desired Properties
×
Desired properties of interactive proofs
r
Completeness: The verifier always accepts the proof if
the prover knows the fact and both the prover and the
verifier follow the protocol.
r
Soundness: The verifier always rejects the proof if the prover
does not know the fact, and the verifier follows the protocol.
r
Zero knowledge: The verifier learns nothing about the
fact being proved (except that it is correct) from the
prover that he could not already learn without the
prover. In a zero-knowledge proof, the verifier cannot
even later prove the fact to anyone else.
Cryptography and Network Security 494
Typical Protocol
×
A typical round in a zero-knowledge proof
consists of a "commitment" message from the
prover, followed by a challenge from the
verifier, and then a response to the challenge
from the prover. The protocol may be
repeated for many rounds. Based on the
prover's responses in all the rounds, the
verifier decides whether to accept or reject
the proof.
Cryptography and Network Security 495
An example
×
Ali Baba’s Cave
Cryptography and Network Security 496
Cont.
×
Alice wants to prove to Bob that
r
she knows the secret words to open the portal at C–D
r
but does not wish to reveal the secret to Bob.
r
In this scenario, Alice’s commitment is to go to C or D.
Cryptography and Network Security 497
Proof Protocol
×
A typical round in the proof proceeds as
follows:
r
Bob goes to A, waits there while Alice goes to C or D.
r
Bob then asks Alice to appear from either the right side
or the left side of the tunnel.
r
If Alice does not know the secret words
º
there is only a 50 percent chance that she will come
out from the right tunnel.
r
Bob will repeat this round as many times as he desires
until he is certain that Alice knows the secret words.
r
No matter how many times that the proof repeats, Bob
does not learn the secret words.
Cryptography and Network Security 498
Graph Isomorphism
×
Problem Instance
r
Two graphs $G_1 = (V_1, E_1)$ and $G_2 = (V_2, E_2)$
×
Question
r
Is there a bijection f from $V_1$ to $V_2$, so that $(u,v) \in E_1$ implies
that $(f(u), f(v)) \in E_2$
r
If such a bijection exists, then graphs $G_1$ and $G_2$ are said
to be isomorphic
r
If no such bijection exists, then graphs $G_1$ and $G_2$
are said to be non-isomorphic
Cryptography and Network Security 499
Graph Non-isomorphism
×
Input: graphs $G_1$ and $G_2$ over {1,2,...,n}
×
Prover wants to prove
r
$G_1$ and $G_2$ are not isomorphic
×
Assumption
r
Prover has unbounded computational power
r
Verifier has limited computational power
Cryptography and Network Security 500
Proof Protocol
×
Protocol (repeated for n rounds)
r
Verifier
º
Randomly chooses i=1 or 2
º
Selects a random permutation f and computes H to be
the image of $G_i$ under f, sends H to prover
r
Prover
º Determines the value j such that $G_j$ is isomorphic to H
º
Sends j to verifier
r
Verifier checks if j=i
r
If equal for n rounds, then accepts the proof
Cryptography and Network Security 501
Correctness and Soundness
×
Correctness
r
If $G_1$ and $G_2$ are not isomorphic, then in any round
there is only one graph of $G_1$, $G_2$ that could produce H
under a permutation f
r
So if the prover knows the non-isomorphism, then in each
round a correct j will be computed
×
Soundness
r
If the prover does not know (i.e., $G_1$ and $G_2$ are
isomorphic), then in each round two answers are possible, and
the prover has a half chance to guess the i chosen by the
verifier.
Cryptography and Network Security 502
Graph Isomorphism
×
Input: graphs $G_1$ and $G_2$ over {1,2,...,n}
×
Prover wants to prove
r
$G_1$ and $G_2$ are isomorphic
×
Assumption
r
Prover has unbounded computational power
r
Verifier has limited computational power
Cryptography and Network Security 503
Proof Protocol
×
Protocol (repeated for n rounds)
r
Prover
º
Selects a random permutation f and computes H to be the
image of $G_1$ under f, sends H to verifier
r
Verifier
º
Randomly chooses i=1 or 2, sends it to prover
r
Prover
º Computes the permutation g such that H is the image of $G_i$
under g, and sends g to verifier
r
Verifier
º checks if H is the image of $G_i$ under g
r
If yes for n rounds, then accepts the proof
Cryptography and Network Security 504
Correctness and Soundness
×
Correctness
r
If $G_1$ and $G_2$ are isomorphic, and the prover knows
how to find the permutation between $G_1$ and $G_2$, then
in each round a correct g will be computed
×
Soundness
r
If the prover does not know (i.e., $G_1$ and $G_2$ are
non-isomorphic, or the prover does not know the permutation
between $G_1$ and $G_2$), then the only way the prover can
deceive the verifier in a round is to guess the value i
chosen by the verifier
Cryptography and Network Security 505
Perfect Zero-Knowledge
×
The graph isomorphism proof is a ZKP
r
All information seen by the verifier is the same as
generated by a random simulator
r
Define the transcript of the proof as
º $t = (G_1, G_2, (H_1, i_1, g_1), (H_2, i_2, g_2), \ldots, (H_n, i_n, g_n))$
r
Anyone can generate the transcript without knowing
which permutation carries $G_1$ to $G_2$
r
Hence the verifier gains nothing by knowing the
transcript (i.e., the proof history)
Cryptography and Network Security 506
ZKP for Verifier
×
Perfect zero-knowledge for verifier
r
Suppose we have a polynomial-time interactive proof system
and a polynomial-time simulator S. Let T be all yes-instance
transcripts and let F be all transcripts generated by S.
For any transcript t, if
º
Pr(t occurs in T) = Pr(t occurs in F)
r
we say the interactive proof system is perfect zero-knowledge
for the verifier
Cryptography and Network Security 507
Isomorphism Proof: ZKP-verifier
×
Graph isomorphism is perfect zero-knowledge
for the verifier
r
A triple (H,i,g). There are 2n! valid triples.
r
All triples (H,i,g) occur equiprobably in some
transcript
º
Here, assume that both the verifier and the prover
are honest
º
Both of them randomly choose the parameters that are
supposed to be chosen randomly
Cryptography and Network Security 508
Cheating Verifier
×
What happens if the verifier does not follow
the protocol (does not choose i randomly)?
r
The transcript produced by the ZKP is no longer the same as that
produced by the random simulator
r
The verifier may gain some information due to this
imbalance
r
But there is another expected polynomial-time simulator that
generates the same transcript
r
Hence, the verifier still gains nothing
Cryptography and Network Security 509
Perfect Zero-Knowledge
×
Definition
r
Suppose we have a polynomial-time interactive proof system,
a polynomial-time algorithm V used by the verifier to generate
its random choices, and a polynomial-time simulator S. Let T be all
yes-instance transcripts (depending on V) and let F be
all transcripts generated by S and V. For any transcript
t, if
º
Pr(t occurs in T) = Pr(t occurs in F)
r
we say the interactive proof system is perfect zero-knowledge
Cryptography and Network Security 510
Forging Simulator
×
Initial transcript $t = (G_1, G_2)$, repeat for n rounds
r
Let oldstate = state(V), repeat the following
º Choose $i_j$ from {1,2} randomly
º Choose $g_j$ to be a random permutation over {1,...,n}
º Compute $H_j$ to be the image of $G_{i_j}$ under $g_j$
º Call V with input $H_j$, obtaining a challenge $i_j'$
º If $i_j = i_j'$, then concatenate $(H_j, i_j, g_j)$ onto the end of t
º
Else reset V by state(V) = oldstate
r
Until $i_j = i_j'$
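The isomorphism proof protocol from the earlier slide and the forging simulator above, as one added Python example that is not part of the lecture note: an honest run on a constructed 4-vertex instance with a known secret permutation `SIGMA`, and a simulator that never sees `SIGMA` yet produces valid $(H, i, g)$ triples by rewinding a biased verifier whenever its challenge differs from the guessed i. The instance, the verifier's bias rule and all names are assumptions.

```python
import random

rng = random.SystemRandom()

# Constructed instance: G2 = SIGMA(G1) for the secret permutation SIGMA (our assumption).
G1 = frozenset({frozenset({1, 2}), frozenset({2, 3}), frozenset({3, 4}),
                frozenset({1, 4}), frozenset({1, 3})})
SIGMA = {1: 3, 2: 1, 3: 4, 4: 2}
N = 4


def image(graph, perm):
    """Image of a graph (set of undirected edges) under a vertex permutation."""
    return frozenset(frozenset(perm[u] for u in edge) for edge in graph)


def random_perm(n):
    targets = list(range(1, n + 1))
    rng.shuffle(targets)
    return dict(zip(range(1, n + 1), targets))


def compose(outer, inner):
    """(outer . inner)(u) = outer(inner(u))"""
    return {u: outer[inner[u]] for u in inner}


def invert(perm):
    return {v: u for u, v in perm.items()}


G2 = image(G1, SIGMA)


def prove(g1, g2, n, sigma, rounds):
    """Honest prover/verifier run. Returns (accepted, transcript) with triples (H, i, g)."""
    transcript = [g1, g2]
    for _ in range(rounds):
        f = random_perm(n)
        H = image(g1, f)                                   # prover's commitment
        i = rng.choice([1, 2])                             # verifier's challenge
        g = f if i == 1 else compose(f, invert(sigma))     # H = g(G_i) in both cases
        if image(g1 if i == 1 else g2, g) != H:            # verifier's check
            return False, transcript
        transcript.append((H, i, g))
    return True, transcript


class BiasedVerifier:
    """A cheating verifier whose challenge depends on H instead of a fair coin; its state
    can be saved and restored, which is what the simulator's 'reset V' step needs."""
    def __init__(self):
        self.seen = []

    def snapshot(self):
        return list(self.seen)

    def restore(self, state):
        self.seen = state

    def challenge(self, H):
        self.seen.append(H)
        return 1 if hash(H) % 4 == 0 else 2


def simulate(g1, g2, n, verifier, rounds):
    """Forging simulator: guess i_j, pick a random g_j, set H_j = g_j(G_{i_j}), ask V; keep the
    triple if V's challenge equals i_j, otherwise rewind V and try again. Needs no sigma."""
    transcript, calls = [g1, g2], 0
    for _ in range(rounds):
        old = verifier.snapshot()
        while True:
            calls += 1
            i = rng.choice([1, 2])
            g = random_perm(n)
            H = image(g1 if i == 1 else g2, g)
            if verifier.challenge(H) == i:
                transcript.append((H, i, g))
                break
            verifier.restore(old)
    return transcript, calls


def valid_transcript(transcript) -> bool:
    """Every triple satisfies H = g(G_i), exactly what a real transcript must satisfy."""
    g1, g2 = transcript[0], transcript[1]
    return all(image(g1 if i == 1 else g2, g) == H for H, i, g in transcript[2:])
```
The two transcripts are indistinguishable to anyone who inspects them, which is the perfect zero-knowledge claim of the following slides; the simulator's expected number of verifier calls is about twice the number of rounds.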
Cryptography and Network Security 511
Perfect Zero-knowledge
×
The graph isomorphism proof is a perfect ZKP
r
The expected running time of the simulator is 2n
r
For the k-th round of the interactive proof system
º Let $p_k$ be the probability that the verifier chooses i=1
º Then (H,1,g) occurs in the actual transcript with probability $p_k / n!$,
and (H,2,g) occurs in the actual transcript with probability $(1-p_k) / n!$
º
For the simulator, when it terminates the simulation for
the k-th round, the same probability distribution holds for (H,1,g)
and (H,2,g)
º
Therefore, all transcripts, simulated or actual, have
the same probability distribution
Cryptography and Network Security 512
Quadratic Residue
×
Fiat-Shamir Identification
×
Question
r
Given integer n=pq, where p, q are primes.
r
Prover wants to prove
º
Integer x is a quadratic residue mod n
º
In other words, knows u so that $x = u^2 \bmod n$
r
The quadratic residue problem is hard to solve if one does not know the
factoring of n
Cryptography and Network Security 513
Proof Protocol
×
Repeat the following for $\log_2 n$ times
r
Prover
º
Chooses random v less than n and computes $y = v^2 \bmod n$. Sends y to verifier
r
Verifier
º
Chooses a random i from {0,1}, sends it to prover
r
Prover
º
Computes $z = u^i v \bmod n$, sends z to verifier
r
Verifier
º
Checks if $z^2 = x^i y \bmod n$
r
Accepts the proof if the equation holds in all $\log_2 n$ rounds
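The Fiat-Shamir rounds above as an added Python example (not from the lecture note), with the soundness argument of the next slide made concrete: a prover without u can only pass a round by guessing the challenge before committing y. The modulus 101·103 and the secret u are constructed.

```python
import random

rng = random.SystemRandom()

# Constructed modulus (assumption): n = p*q with two small primes; a real n is far larger.
N_MOD = 101 * 103
U = 1234                      # prover's secret square root
X = U * U % N_MOD             # public quadratic residue


def honest_round(n=N_MOD, x=X, u=U) -> bool:
    v = rng.randrange(1, n)
    y = v * v % n                        # prover commits y = v^2
    i = rng.choice([0, 1])               # verifier's challenge
    z = pow(u, i, n) * v % n             # prover answers z = u^i v
    return z * z % n == pow(x, i, n) * y % n


def cheating_round(n=N_MOD, x=X) -> bool:
    """Prover without u guesses the challenge before committing: for guess 0 it commits
    y = z^2, for guess 1 it commits y = z^2 x^-1, so the check passes iff the guess was right."""
    guess = rng.choice([0, 1])
    z = rng.randrange(1, n)
    y = z * z % n if guess == 0 else z * z * pow(x, -1, n) % n
    i = rng.choice([0, 1])
    return z * z % n == pow(x, i, n) * y % n


def run(rounds: int, honest: bool = True) -> bool:
    step = honest_round if honest else cheating_round
    return all(step() for _ in range(rounds))


def cheat_rate(trials: int) -> float:
    return sum(cheating_round() for _ in range(trials)) / trials
```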
Cryptography and Network Security 514
Cont
×
Correctness
r
Show that the verifier will accept the prover if it indeed
knows the secret
×
Soundness
r
Show that the verifier will detect, with good probability, a prover
that does not know the secret
×
Zero-knowledge
r
Show that the verifier learns nothing from the protocol
Cryptography and Network Security 515
Guillou-Quisquater Protocol
×
The GQ protocol is an extension of the Fiat-Shamir
protocol that limits the number t of
rounds required.
×
One-Time Setup:
×
A trusted authority T selects two random
primes p and q and forms a modulus n = p · q.
×
T defines a public exponent v > 4 with gcd(v,
(p-1)(q-1)) = 1 so that T can compute $s = v^{-1} \bmod (p-1)(q-1)$.
×
T publishes parameters n and v.
Cryptography and Network Security 516
Cont.
×
Selection of per-user parameters:
×
Each entity A has a unique identification
Id(A). Everyone can calculate a value J(A) =
f(Id(A)) mod n (the redundant identity).
×
T gives to each entity A the secret data
$\mathrm{secret}(A) = J(A)^{-s} \bmod n$, which it can calculate.
Cryptography and Network Security 517
Cont.
×
Protocol: A proves her identity to B using t rounds, each
of which consists of:
×
A selects a random secret r and sends her identity Id(A)
and $x = r^v \bmod n$ to B.
×
B selects a random challenge e in {1, 2, ..., v}.
×
A computes and sends the following response to B: $y = r \cdot \mathrm{secret}(A)^e \bmod n$.
×
B receives y, constructs J(A) = f(Id(A)) mod n, computes
$z = J(A)^e y^v \bmod n$, and accepts this round if z = x.
×
In this protocol, v determines the security level. In Fiat-Shamir,
v = 2 and there are many rounds. A fraudulent
claimant can defeat the protocol by correctly guessing
the challenge e (with a 1 in v chance). GQ seems secure,
because one would need to extract v-th roots modulo n.
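The GQ setup, secret issuance and one round, as an added Python example that is not part of the lecture note; it also measures the 1-in-v success of a claimant who guesses e. The primes, v = 13, SHA-256 as the redundancy function f and the identity string are assumptions.

```python
import hashlib
import random
from math import gcd

rng = random.SystemRandom()
P, Q, V = 1000000007, 1000000009, 13   # constructed: small primes, public exponent v > 4


def setup(p=P, q=Q, v=V):
    """Trusted authority T: n = p*q, public v with gcd(v, phi) = 1, private s = v^-1 mod phi."""
    phi = (p - 1) * (q - 1)
    assert v > 4 and gcd(v, phi) == 1
    return p * q, v, pow(v, -1, phi)


def redundant_identity(ident: bytes, n: int) -> int:
    """J(A) = f(Id(A)) mod n; SHA-256 stands in for the redundancy function f (assumption)."""
    return int.from_bytes(hashlib.sha256(ident).digest(), "big") % n


def issue_secret(ident: bytes, n: int, s: int) -> int:
    """secret(A) = J(A)^(-s) mod n, computable only by T since s is private."""
    J = redundant_identity(ident, n)
    assert gcd(J, n) == 1
    return pow(pow(J, -1, n), s, n)


def honest_round(n, v, ident, secret) -> bool:
    r = rng.randrange(1, n)
    x = pow(r, v, n)                         # A's commitment x = r^v
    e = rng.randrange(1, v + 1)              # B's challenge in {1..v}
    y = r * pow(secret, e, n) % n            # A's response y = r * secret^e
    J = redundant_identity(ident, n)         # B recomputes J(A) from Id(A)
    return pow(J, e, n) * pow(y, v, n) % n == x   # J^e y^v = r^v since s*v = 1 mod phi


def cheating_round(n, v, ident) -> bool:
    """Without secret(A): guess e', pick y, and commit x = J^e' y^v; passes iff e == e'."""
    guess = rng.randrange(1, v + 1)
    y = rng.randrange(1, n)
    J = redundant_identity(ident, n)
    x = pow(J, guess, n) * pow(y, v, n) % n
    e = rng.randrange(1, v + 1)
    return pow(J, e, n) * pow(y, v, n) % n == x


def demo(ident=b"alice@example.test", rounds=5, trials=2000):
    """Returns (all honest rounds passed, fraction of cheating rounds that passed)."""
    n, v, s = setup()
    secret = issue_secret(ident, n, s)
    honest = all(honest_round(n, v, ident, secret) for _ in range(rounds))
    rate = sum(cheating_round(n, v, ident) for _ in range(trials)) / trials
    return honest, rate
```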
Cryptography and Network Security 518
Discrete Logarithm
×
Question:
r
Prover wants to prove to verifier that he knows x such
that $y = g^x \bmod p$.
r
Here g, y, and p are public information
r
Prover does not want to publicize the value of x.
Cryptography and Network Security 519
Proof Protocol
×
Repeat the following for $\log_2 n$ times
r
Prover
º
Chooses random j < p-1 and computes $r = g^j \bmod p$.
Sends r to verifier
r
Verifier
º
Chooses a random i from {0,1}, sends it to prover
r
Prover
º
Computes $h = i x + j \bmod (p-1)$, sends h to verifier
r
Verifier
º
Checks if $g^h = y^i r \bmod p$
r
Accepts the proof if the equation holds in all $\log_2 n$ rounds
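The discrete-logarithm rounds above as an added Python example (not from the lecture note), including the cheating strategy the soundness argument on the next slide is about: a prover without x commits $r = g^h / y^{i'}$ for a guessed challenge $i'$. The prime, generator and secret are constructed.

```python
import random

rng = random.SystemRandom()
P_MOD, G = 1000000007, 5          # constructed public parameters (p prime; assumption)
X_SECRET = 123456                 # prover's secret exponent
Y = pow(G, X_SECRET, P_MOD)       # public y = g^x mod p


def honest_round(p=P_MOD, g=G, y=Y, x=X_SECRET) -> bool:
    j = rng.randrange(0, p - 1)
    r = pow(g, j, p)                          # commitment r = g^j
    i = rng.choice([0, 1])                    # challenge
    h = (i * x + j) % (p - 1)                 # response h = ix + j mod (p-1)
    return pow(g, h, p) == pow(y, i, p) * r % p


def cheating_round(p=P_MOD, g=G, y=Y) -> bool:
    """Without x: guess i', pick h, commit r = g^h / y^i'; the check passes iff i == i'."""
    guess = rng.choice([0, 1])
    h = rng.randrange(0, p - 1)
    r = pow(g, h, p) * pow(pow(y, guess, p), -1, p) % p
    i = rng.choice([0, 1])
    return pow(g, h, p) == pow(y, i, p) * r % p


def run(rounds: int, honest: bool = True) -> bool:
    step = honest_round if honest else cheating_round
    return all(step() for _ in range(rounds))


def cheat_rate(trials: int) -> float:
    return sum(cheating_round() for _ in range(trials)) / trials
```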
Cryptography and Network Security 520
Cont
×
Correctness
r
Show that the verifier will accept the prover if it indeed
knows the secret
×
Soundness
r
Show that the verifier will detect, with good probability, a prover
that does not know the secret
×
Zero-knowledge
r
Show that the verifier learns nothing from the protocol
Cryptography and Network Security 521
Bit Commitments
×
Bit commitment
r
Sometimes, it is desirable to give someone a piece of
information, but not commit to it until a later date. It
may be desirable for the piece of information to be held
secret for a certain period of time.
r
Example: stock up and down
Cryptography and Network Security 522
Properties
×
Bit commitment scheme
r
The sender encrypts the bit b in some way
r
The encrypted form of b is called a blob
r
Scheme $f: (X, b) \to Y$
×
Properties
r
Concealing: the verifier cannot determine b from f(x,b)
r
Binding: the sender can open the blob by revealing x
r
Hence, the sender must use a random x to mask b
Cryptography and Network Security 523
Methods
×
One can choose any encryption method E
r
Function $f((x_0, k), b) = E_k((x_0, b))$
º
Need to supply the decryption key k to reveal b
º
Assume the decryption method D is known
×
Choose any integer n=pq, p and q are large
primes
r
Function $f(x, b) = m^b x^2 \bmod n$
º
Goldwasser-Micali scheme
º
Here n=pq, m is not a quadratic residue, m and n public
º $m x_1^2 \bmod n \ne x_2^2 \bmod n$
º
So the sender cannot change its mind after the commitment
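The Goldwasser-Micali commitment $f(x,b) = m^b x^2 \bmod n$ as an added Python example (not from the lecture note). It picks an m that is a non-residue modulo both primes, so its Jacobi symbol is +1 and the one test available to the receiver without p, q cannot separate the two cases, and it shows that opening with the other bit fails. The primes are constructed.

```python
import random

rng = random.SystemRandom()
P, Q = 1000000007, 1000000009      # constructed primes (assumption); n = p*q is public
N_MOD = P * Q


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n; computable by anyone without knowing p and q."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def pick_non_residue(p=P, q=Q) -> int:
    """Smallest m that is a non-residue mod both p and q: a quadratic non-residue mod n whose
    Jacobi symbol is +1, so the Jacobi symbol of a blob never reveals b."""
    m = 2
    while pow(m, (p - 1) // 2, p) != p - 1 or pow(m, (q - 1) // 2, q) != q - 1:
        m += 1
    return m


M = pick_non_residue()


def commit(b: int, n=N_MOD, m=M):
    """Sender: f(x, b) = m^b x^2 mod n with a fresh random x; returns (blob, x)."""
    x = rng.randrange(1, n)
    return pow(m, b, n) * x * x % n, x


def open_blob(blob: int, x: int, b: int, n=N_MOD, m=M) -> bool:
    """Receiver: recompute f(x, b) from the revealed x and the claimed b."""
    return pow(m, b, n) * x * x % n == blob
```
A sender who wanted to reopen a b=0 blob as b=1 would need $x'$ with $m x'^2 = x^2$, which would make the non-residue m a residue; that is the binding argument of the slide.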
Cryptography and Network Security 524
Coin Flip
×
Even's protocol
r
Alice has a coin flip result i or j
r
Bob wants to guess the result
r
Alice has a message M that is the commitment
r
If Bob guesses correctly, Bob should have received M
r
Alice starts with 2 pairs of public keys $(E_i, D_i)$ and $(E_j, D_j)$
r
Bob starts with a symmetric encryption S and a key k
Cryptography and Network Security 525
Protocol
×
Procedure
r
Alice sends Ei, Ej to Bob
r
Bob guess h and sends y=Eh(k) to Alice
r
Alice computes p=Dj(y) and sends the encryption z of
M by p using S to Bob
r
Bob decrypts the encryption z using S and key k
r
If the guess is correct, then Bob gets the commitment
Cryptography and Network Security 526
Oblivious Transfer
×
What is oblivious transfer
r
Alice wants to send Bob a secret in such a way that
Bob will know whether he gets it, but Alice won't.
Another version is where Alice has several secrets and
transfers one of them to Bob in such a way that Bob
knows what he got, but Alice doesn't. This kind of
transfer is said to be oblivious (to Alice).
Cryptography and Network Security 527
Transfer Factoring
×
By means of RSA, oblivious transfer of any
secret amounts to oblivious transfer of the
factorization of n=pq
r
Bob chooses x and sends $x^2 \bmod n$ to Alice
r
Alice (who knows p,q) computes the square roots x,
-x, y, -y of $x^2 \bmod n$ and sends one of them to Bob. Note
that Alice does not know x.
r
If Bob gets one of y or -y, he can factor n. This means
that with probability 1/2, Bob gets the secret. Alice
doesn't know whether Bob got one of y or -y because
she doesn't know x.
Cryptography and Network Security 528
Factoring
×
× If one knows x and y such that
r 1) x^2 = y^2 mod n
r 2) 0 < x, y < n, x ≠ y and x + y ≠ 0 mod n
r n is the product of two primes
× Then n can be factored
r First, gcd(x + y, n) is a factor of n
r And gcd(x - y, n) is a factor of n
Cryptography and Network Security 529
Quadratic Solution
×
× Given n = p prime, and a a quadratic residue
r Then there are two positive integers x less than n
r Such that x^2 = a mod n
× Given n = pq, and a a quadratic residue
r Then there are four positive integers x less than n
r Such that x^2 = a mod n
Cryptography and Network Security 530
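An added worked example (not from the notes) tying the three preceding slides together: computing the four square roots of x^2 mod n = pq when p, q ≡ 3 (mod 4), and recovering the factors from a root other than ±x; P and Q are constructed toy primes.

```python
# Added example (not from the lecture notes): square roots mod n = pq and
# factoring from two "different" roots. P, Q are constructed toy primes,
# both 3 mod 4, so a root of a mod p is simply a^((p+1)/4) mod p.
from math import gcd
from typing import List, Optional, Tuple

P, Q = 1019, 1031        # constructed primes, both congruent to 3 mod 4
N = P * Q

def sqrt_mod_prime(a: int, p: int) -> int:
    """Quadratic Solution slide, n = p: a root of a mod p for p = 3 mod 4 is a^((p+1)/4)."""
    assert p % 4 == 3
    r = pow(a % p, (p + 1) // 4, p)
    assert r * r % p == a % p, "a is not a quadratic residue mod p"
    return r

def crt(rp: int, rq: int, p: int, q: int) -> int:
    """Chinese remaindering: the unique z mod pq with z = rp mod p and z = rq mod q."""
    t = (rq - rp) * pow(p, -1, q) % q
    return (rp + p * t) % (p * q)

def square_roots_mod_n(a: int, p: int, q: int) -> List[int]:
    """Quadratic Solution slide, n = pq: the four roots x, -x, y, -y (needs the private p, q)."""
    rp, rq = sqrt_mod_prime(a, p), sqrt_mod_prime(a, q)
    roots = {crt(s * rp % p, t * rq % q, p, q) for s in (1, -1) for t in (1, -1)}
    return sorted(roots)

def factor_from_roots(x: int, y: int, n: int) -> Optional[Tuple[int, int]]:
    """Factoring slide: x^2 = y^2 mod n, x != y and x + y != 0 mod n give a proper factor."""
    if (x * x - y * y) % n != 0 or x % n == y % n or (x + y) % n == 0:
        return None
    f = gcd(x + y, n)
    return (f, n // f) if 1 < f < n else None

def bob_receives_root(x: int, root_from_alice: int, n: int) -> Optional[Tuple[int, int]]:
    """Transfer Factoring slide, Bob's view: he knows x, gets one root, succeeds with prob 1/2."""
    return factor_from_roots(x, root_from_alice, n)
```

Exactly two of the four roots Alice might send (y and -y) let Bob factor; Alice cannot tell which case occurred because she never sees x.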
Oblivious Transfer of Message
×
Alice has a message M; Bob wants to get M
through oblivious transfer
r
Alice does not know whether Bob gets M or not
r
Bob knows if he gets it or not
r
Bob gets M with probability ½
r
Coin flipping can be used to achieve this
Cryptography and Network Security 531
Contract Signing
×
It requires two things
r
Commitment: after certain point, both parties are bound
by the contract, until then, neither is
r
Unforgeability: it must be possible for either party to
prove the signature of the other party
×
With Pen and Paper
r
Two party together, face to face
r
Sign simultaneously (or one character by one)
Cryptography and Network Security 532
Remote Contract Signing
×
Simple one
r
Alice generates a signature, divided into SL, SR
r
Alice randomly selects two keys KL, KR
r
Encrypts the signatures SL, SR
r
Transfers the encrypted SL, SR to Bob
r
Obliviously transfers KL, KR to Bob
º
Bob gets one, but Alice does not know which one
r
Bob decrypts the encrypted SL or SR
º
Verify the decrypted signature, if invalid, stop
r
Alice sends the ith bits of keys KL and KR to Bob
º
Here i=1 to the length of the keys
Cryptography and Network Security 533
Cont.
×
The protocol will be conducted by Bob also
r
What is the chance of Alice to cheat successfully?
º
Alice can guess which key will be transferred
obliviously (1/2 chance)
º
Then send wrong signature for the other half or send
the wrong key of the other half
º
Bob cannot detect it if Alice can guess which key Bob
got
r
What if Alice stops prematurely?
º
One bit advance over Bob
×
Enhanced protocol
r
Use many pairs of keys and signatures instead of one
Cryptography and Network Security 534
Cryptography and Network Security
Pseudorandom Number
XiangYang Li
Cryptography and Network Security 535
Random number, Pseudorandom
×
The outputs of pseudorandom number
generators are not truly random
r
they only approximate some of the properties of
random numbers.
r
"Anyone who considers arithmetical methods of
producing random digits is, of course, in a state of
sin.” John von Neumann
r
Truly random numbers can be generated using
hardware random number generators
Cryptography and Network Security 536
Randomness Definition
×
Chaitin-Kolmogorov randomness (also called
algorithmic randomness)
r
a string of bits is random if and only if it is shorter than
any computer program that can produce that string
º
this basically means that random strings are those
that cannot be compressed.
×
Statistical Randomness
r
A numeric sequence is said to be statistically random
when it contains no recognizable patterns or
regularities;
º sequences such as the results of an ideal die roll, or
the digits of Pi (as far as we can tell) exhibit
statistical randomness.
Cryptography and Network Security 537
Inherent nonrandomness
×
Because any PRNG run on a deterministic computer
(contrast quantum computer) is deterministic, its
output will inevitably have certain properties that
a true random sequence would not exhibit.
r
guaranteed periodicity—it is certain that if the generator uses only
a fixed amount of memory then, given a sufficient number of
iterations, the generator will revisit the same internal state twice,
after which it will repeat forever. A generator that isn't periodic
can be designed, but its memory requirements would grow as it
ran. In addition, a PRNG can be started from an arbitrary starting
point, or seed state, and will always produce an identical sequence
from that point on.
Cryptography and Network Security 538
cont
r
In practice, many PRNGs exhibit artifacts which can
cause them to fail statistically significant tests. These
include, but are certainly not limited to:
º
Shorter than expected periods for some seed states
(not full period)
º
Poor dimensional distribution
º
Successive values are not independent
º
Some bits may be 'more random' than others
º
Lack of uniformity
Cryptography and Network Security 539
Pseudorandom Bit Generator
×
Several applications
r
Key generation
r
Some encryption algorithms, or the one-time pad
×
× Let l > k be integers
r Function f: Z_2^k → Z_2^l computable in polynomial time
r Then f is called a (k,l)-pseudorandom bit generator
r The input s_0 ∈ Z_2^k is called the seed
r The output f(s_0) is called the pseudorandom string
Cryptography and Network Security 540
Desired Properties
×
Three important properties:
r
Unbiased (uniform distribution):
º
All values of whatever sample size is collected are
equiprobable
r
Unpredictable (independence):
º
It is impossible to predict what the next output will
be, given all the previous outputs, but not the internal
"hidden" state.
r
Irreproducible:
º
Two of the same generators, given the same starting
conditions, will produce different outputs.
Cryptography and Network Security 541
Desired Properties
×
Usually when a person says
r
A "good" pseudorandom number generator
º
they mean it is unbiased.
r
A "true" PRNG
º
they usually mean it's irreproducible
r
A "cryptographically strong" PRNG
º
they mean it's unpredictable
r
Very rarely do they mean all three
Cryptography and Network Security 542
More Properties
×
Long period
r
The generator should be of long period
×
Fast computation
r
The generator should be reasonably fast
×
Security
r
The generator should be secure
r
What is security level of PRNG?
Cryptography and Network Security 543
Security
×
A PRNG suitable for cryptographic applications is
called a cryptographically secure PRNG (CSPRNG).
r
Its output should not only pass all statistical tests for randomness
but satisfy some additional cryptographic requirements.
r
Used in many aspects of cryptography require random numbers,
for example:
º
Key generation
º
Nonces
º
Salts in certain signature schemes (ECDSA, RSASSA-PSS)
º
One-time pads
Cryptography and Network Security 544
CSPRNG
×
CSPRNG requirements fall into two groups:
r
their statistical properties are good (passing tests of randomness),
r
they hold up well in case of attack, even when (part of) their secrets are
revealed.
×
A CSPRNG should satisfy the 'next-bit test'.
r
Given the first l bits of a random sequence, there is no polynomial-time
algorithm that can predict the next bit with probability of success
significantly higher than 1/2.
r
It has been proven that a generator passing the next-bit test will pass all
other polynomial-time statistical tests for randomness.
×
should withstand state compromise extensions.
r
That is, in the unfortunate case that part or all of the state has been
revealed (or guessed correctly), it should be impossible to reconstruct
the stream of random numbers prior to the incident. Also if there is an
input of entropy, it should be infeasible to use knowledge of the state to
predict future conditions of the state.
Cryptography and Network Security 545
Example
×
the CSPRNG being considered produces
output by computing some function of the
next digit of pi (i.e., 3.1415...),
×
it may well be random as pi appears to be a random
sequence.
×
However, this does not satisfy the next-bit test, and
×
thus is not cryptographically secure.
×
There exists an algorithm that will predict the next bit.
Cryptography and Network Security 546
Design
×
divide designs of CSPRNGs into classes:
r
those based on block ciphers;
r
those based upon hard mathematical problems, and
r
special-purpose designs.
Cryptography and Network Security 547
Designs based on cryptographic
primitives
×
Designs based on cryptographic primitives
r
A secure block cipher can also be converted into a CSPRNG by
running it in counter mode.

This is done by choosing an arbitrary key and encrypting a zero, then
encrypting a 1, then encrypting a 2, etc. The counter can also be
started at an arbitrary number other than zero. Obviously, the period
will be 2^n for an n-bit block cipher; equally obviously, the initial
values (i.e. key and 'plaintext') must not become known to an attacker
lest, however good this CSPRNG construction might be otherwise, all
security be lost.
×
A cryptographically secure hash of a counter might
also act as a good CSPRNG in some cases.
r
it is necessary that the initial value of this counter is random and secret.
If the counter is a bignum, then the CSPRNG could have an infinite period.
Cryptography and Network Security 548
DES Based Generator
×
ANSI X9.17 PRNG (used by PGP, ...)
r
Inputs: two pseudorandom inputs
º
one is a 64-bit representation of date and time
º
the other is a 64-bit seed value
r
Keys: three 3DES (EDE) encryptions, all using the same keys K1, K2
r
Output:
º
a 64-bit pseudorandom number and
º
a 64-bit seed value for next-round use
Cryptography and Network Security 549
ANSI X9.17
[Figure: ANSI X9.17 generator. Inputs DT (date/time) and seed S_i pass through three EDE boxes keyed with K1, K2; the outputs are the random block R_i and the next seed S_{i+1}.]
Cryptography and Network Security 550
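An added example, not from the notes, of the feedback structure in the figure above and of the hash-of-a-counter design from the earlier "Designs based on cryptographic primitives" slide. The EDE box is a keyed SHA-256 stand-in truncated to 64 bits (real X9.17 uses two-key 3DES EDE); keys, seed and date/time blocks are constructed values.

```python
# Added example (not from the lecture notes). The EDE box of the X9.17 figure
# is replaced by a keyed SHA-256 stand-in cut to a 64-bit block; the
# three-call feedback structure is the one in the figure. Keys/seeds are
# constructed values.
import hashlib
import struct
import time

def ede_standin(k1: bytes, k2: bytes, block: bytes) -> bytes:
    """Stand-in for EDE_{K1,K2}(block): keyed SHA-256 cut to one 64-bit block.
    Not 3DES; it only reproduces the 64-bit-in / 64-bit-out shape of the figure."""
    assert len(block) == 8
    return hashlib.sha256(b"EDE" + k1 + k2 + block).digest()[:8]

def xor8(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class X917Generator:
    """State: the 64-bit seed S_i and the two keys; each round also consumes DT_i."""
    def __init__(self, k1: bytes, k2: bytes, seed: bytes):
        assert len(k1) == len(k2) == 8 and len(seed) == 8
        self.k1, self.k2, self.seed = k1, k2, seed

    def next_block(self, dt: bytes) -> bytes:
        """One round of the figure: three EDE calls, output R_i, new seed S_{i+1}."""
        t = ede_standin(self.k1, self.k2, dt)                     # EDE(DT_i)
        r = ede_standin(self.k1, self.k2, xor8(self.seed, t))      # R_i = EDE(S_i xor EDE(DT_i))
        self.seed = ede_standin(self.k1, self.k2, xor8(r, t))      # S_{i+1} = EDE(R_i xor EDE(DT_i))
        return r

def current_dt() -> bytes:
    """64-bit date/time input; the nanosecond clock plays the role of DT."""
    return struct.pack(">Q", time.time_ns())

def hash_counter_stream(key: bytes, start: int, nbytes: int) -> bytes:
    """'Designs based on cryptographic primitives' slide: SHA-256(key || counter)
    for counter = start, start+1, ...; key and start must be random and secret."""
    out, ctr = b"", start
    while len(out) < nbytes:
        out += hashlib.sha256(key + ctr.to_bytes(16, "big")).digest()
        ctr += 1
    return out[:nbytes]
```

Note the two places the slide's caveat applies: in X917Generator the keys and seed are the whole secret, and in hash_counter_stream anyone who learns key and start can regenerate the entire stream.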
Linear Congruential Generator
×
Protocol
r
r Let M be an integer and a, b less than M
r Let k be the number of bits of M
r Integer l is between k+1 and M-1
r Let s_0 be a seed less than M
r Define s_i = a s_{i-1} + b mod M
r Then the ith random bit is s_i mod 2
r It is not proved to be secure
Cryptography and Network Security 551
Parameter Setting
×
× Not all a, b are good, and m should be large
× For example, m a large prime number
× For fast computation, usually m = 2^31 - 1
r And b is often set to 0
× For this m, there are fewer than 100 integers a such that
r It generates all numbers less than m
r The generated sequences appear to be random
× One such a = 7^5 = 16807
r Used in the IBM 360 family of computers
Cryptography and Network Security 552
RSA Generator
×
Protocol
r
r Let p, q be two k/2-bit primes and define n = pq
r Integer b: gcd(b, ϕ(n)) = 1
r Public: n, b; Private: p, q
r A seed s_0 with k bits
r Sequence s_{i+1} = s_i^b mod n
r Then the ith random bit is s_i mod 2
r It is proved to be secure!
Cryptography and Network Security 553
BBS Generator
×
Blum-Blum-Shub Generator
r Let p, q be two k/2-bit primes and define n = pq
r Here p = q = 3 mod 4
º this guarantees that each quadratic residue has one square root which is also a quadratic residue
r gcd(φ(p-1), φ(q-1)) should be small
º this makes the cycle length large.
r Let QR(n) be all quadratic residues modulo n
r Public: n; Private: p, q
r A seed s_0 with k bits from QR(n)
r Sequence s_{i+1} = s_i^2 mod n
r Then the ith random bit is s_i mod 2
Cryptography and Network Security 554
Cont on BBS
×
Provably “secure”
r
When the primes are chosen appropriately,
r
and O(log log n) bits of each s_i are output,
r
then in the limit as n grows large, distinguishing the
output bits from random will be at least as difficult as
factoring n.
×
However,
r
it's theoretically possible that a fast algorithm for
factoring will someday be found, so BBS is not yet
guaranteed to be secure.
Cryptography and Network Security 555
Discrete Logarithm Generator
×
Protocol
r
r Let p be a k-bit prime
r Let α be a primitive element modulo p
r A seed s_0 is any nonzero integer less than p
r Define s_{i+1} = α^{s_i} mod p
r Then the ith random bit is
º 1 if s_i is larger than p/2
º 0 if s_i is less than p/2
Cryptography and Network Security 556
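The four bit generators of the preceding slides (linear congruential, RSA, BBS, discrete logarithm) as an added example that is not from the notes, together with the full-period check the parameter-setting slide describes and a monobit count; all moduli and seeds are constructed toy values.

```python
# Added example (not from the lecture notes): the LCG, RSA, BBS and
# discrete-log generators as Python generators of bits. All moduli, seeds
# and multipliers used in calls are constructed toy values.
from typing import Iterator, List

MINSTD_M, MINSTD_A = 2**31 - 1, 7**5     # parameter-setting slide: m = 2^31 - 1, a = 16807, b = 0

def lcg_bits(seed: int, a: int, b: int, m: int) -> Iterator[int]:
    """Linear congruential: s_i = a*s_{i-1} + b mod m, output bit s_i mod 2 (not proved secure)."""
    s = seed % m
    while True:
        s = (a * s + b) % m
        yield s & 1

def rsa_bits(seed: int, n: int, b: int) -> Iterator[int]:
    """RSA generator: s_{i+1} = s_i^b mod n with gcd(b, phi(n)) = 1; output s_i mod 2."""
    s = seed % n
    while True:
        s = pow(s, b, n)
        yield s & 1

def bbs_bits(seed: int, n: int) -> Iterator[int]:
    """Blum-Blum-Shub: s_{i+1} = s_i^2 mod n, n = pq with p, q = 3 mod 4, s_0 in QR(n)."""
    s = seed % n
    while True:
        s = pow(s, 2, n)
        yield s & 1

def dlog_bits(seed: int, alpha: int, p: int) -> Iterator[int]:
    """Discrete-log generator: s_{i+1} = alpha^{s_i} mod p; bit is 1 iff s_i > p/2."""
    s = seed % p
    while True:
        s = pow(alpha, s, p)
        yield 1 if 2 * s > p else 0

def take(gen: Iterator[int], k: int) -> List[int]:
    return [next(gen) for _ in range(k)]

def ones_fraction(bits: List[int]) -> float:
    """Monobit check: fraction of ones, the crudest test of the 'unbiased' property."""
    return sum(bits) / len(bits)

def lcg_visits_all(a: int, m: int) -> bool:
    """Parameter-setting slide: with b = 0 and prime m, a good multiplier a makes
    s_i = a*s_{i-1} mod m run through every nonzero residue before repeating."""
    s, seen = 1, set()
    for _ in range(m - 1):
        s = a * s % m
        if s == 0 or s in seen:
            return False
        seen.add(s)
    return True
```

lcg_visits_all is only practical for small m; for m = 2^31 - 1 the slide's claim that a = 16807 is one of the good multipliers is taken as given.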
Standards
×
A number of designs of CSPRNGs have
been standardized. They can be found in:
r
FIPS 186-2
r
ANSI X9.17-1985 Appendix C
r
ANSI X9.31-1998 Appendix A.2.4
r
ANSI X9.62-1998 Annex A.4
Cryptography and Network Security 557
Network Security
Cryptography and Network Security 558
Topics to be covered
×
Applications
r
Email security
r
www security
r
Malicious software
×
Networks
r
Wireless LAN security 802.11
r
IPsec
r
Firewall
r
Intrusions
Cryptography and Network Security 559
Cryptography and Network Security
Email Security
XiangYang Li
Cryptography and Network Security 560
Electronic Mail Security
Despite the refusal of VADM Poindexter and LtCol North to
appear, the Board's access to other sources of information
filled much of this gap. The FBI provided documents taken from
the files of the National Security Advisor and relevant NSC
staff members, including messages from the PROF system
between VADM Poindexter and LtCol North. The PROF messages
were conversations by computer, written at the time events
occurred and presumed by the writers to be protected from
disclosure. In this sense, they provide a firsthand,
contemporaneous account of events.
—The Tower Commission Report to President Reagan on the
Iran-Contra Affair, 1987
Cryptography and Network Security 561
Email Security
×
email is one of the most widely used and
regarded network services
×
currently message contents are not secure
r
may be inspected either in transit
r
or by suitably privileged users on destination system
Cryptography and Network Security 562
Email Security Enhancements
×
confidentiality
r
protection from disclosure
×
authentication
r
of sender of message
×
message integrity
r
protection from modification
×
non-repudiation of origin
r
protection from denial by sender
Cryptography and Network Security 563
Pretty Good Privacy (PGP)
×
widely used de facto secure email
×
developed by Phil Zimmermann
×
selected best available crypto algs to use
×
integrated into a single program
×
available on Unix, PC, Macintosh and Amiga
systems
×
originally free, now have commercial
versions available also
Cryptography and Network Security 564
PGP
×
Five services
r
Authentication, confidentiality, compression, email
compatibility, segmentation
×
Functions
r
Digital signature
r
Message encryption
r
Compression
r
Email compatibility
r
segmentation
Cryptography and Network Security 565
PGP Operation – Authentication
1. sender creates a message
2. SHA-1 used to generate 160-bit hash code of
message
3. hash code is encrypted with RSA using the
sender's private key, and result is attached to
message
4. receiver uses RSA or DSS with sender's public
key to decrypt and recover hash code
5. receiver generates new hash code for message
and compares with decrypted hash code, if
match, message is accepted as authentic
Cryptography and Network Security 566
PGP Operation – Confidentiality
1. sender generates message and random 128-bit
number to be used as session key for this
message only
2. message is encrypted, using CAST-128,
IDEA or 3DES with session key
3. session key is encrypted using RSA with
recipient's public key, then attached to message
4. receiver uses RSA with its private key to decrypt
and recover session key
5. session key is used to decrypt message
Cryptography and Network Security 567
PGP Operation – Confidentiality &
Authentication
×
uses both services on same message
r
create signature & attach to message
r
encrypt both message & signature
r
attach RSA encrypted session key
Cryptography and Network Security 568
PGP Operation – Compression
×
by default PGP compresses message after
signing but before encrypting
r
so can store uncompressed message & signature for
later verification
r
& because compression is non-deterministic
×
uses ZIP compression algorithm
Cryptography and Network Security 569
PGP Operation – Email Compatibility
×
when using PGP will have binary data to
send (encrypted message etc)
×
however email was designed only for text
×
hence PGP must encode raw binary data
into printable ASCII characters
×
uses radix-64 algorithm
r
maps 3 bytes to 4 printable chars
r
also appends a CRC
×
PGP also segments messages if too big
Cryptography and Network Security 570
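Radix-64 armoring with the appended 24-bit CRC, as an added example that is not PGP's own code; the CRC-24 initial value and polynomial are those published for OpenPGP armor in RFC 4880, and the sample data is constructed.

```python
# Added example (not PGP's code): radix-64 encoding (3 bytes -> 4 printable
# characters) plus the CRC-24 that PGP appends, with the receiver-side check.
# CRC-24 parameters are the OpenPGP ones from RFC 4880; data is constructed.
import base64

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

def crc24(data: bytes) -> int:
    """Bitwise CRC-24 over the raw (pre-encoding) bytes."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(data: bytes, line_len: int = 76) -> str:
    """Radix-64 body lines followed by '=' and the radix-64 of the 3-byte CRC."""
    body = base64.b64encode(data).decode("ascii")
    lines = [body[i:i + line_len] for i in range(0, len(body), line_len)]
    checksum = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join(lines + ["=" + checksum])

def dearmor(text: str) -> bytes:
    """Receiver: decode, then reject the message if the CRC line does not match."""
    lines = text.strip().split("\n")
    if not lines[-1].startswith("="):
        raise ValueError("missing CRC line")
    data = base64.b64decode("".join(lines[:-1]))
    expected = int.from_bytes(base64.b64decode(lines[-1][1:]), "big")
    if crc24(data) != expected:
        raise ValueError("CRC mismatch: armored data corrupted in transit")
    return data
```

The CRC only detects accidental corruption by mail gateways; integrity against tampering comes from the signature inside the armored data, not from this checksum.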
PGP Operation – Summary
Cryptography and Network Security 571
Segmentation & Reassembly
×
Email systems impose maximum length
r
50 Kb, for example
×
PGP provides automatic segmentation
r
Done after all other operations
r
Thus only one session key needed
Cryptography and Network Security 572
Key management
×
Generating unpredictable session keys
×
Identifying keys
r
Multiple public, private key pairs for a user
×
Maintain keys
r
Its own public, private keys of a PGP entity
r
Public keys of correspondents
Cryptography and Network Security 573
Session Key Generation
×
Algorithm used: CAST-128
×
Input to CAST-128
r
A 128-bit key
r
Two 64-bit plaintexts to be encrypted
×
Output using cipher feedback mode
r
Generates two 64-bit ciphertexts that form the session key
×
Plaintexts are derived from a 128-bit randomized
number
r
Based on the user's keystrokes (timing and actual keys)
r
Then combined with the previous session key
Cryptography and Network Security 574
Key Identifiers
×
Receiver has multiple public keys
r
How to know which private key is proper?
×
Approach
r
Send the least significant 64 bits of the public key as the key ID
r
Need to send the receiver's public key ID used for
encrypting the session key
r
Need to send the sender's public key ID, whose
corresponding private key was used for the signature
Cryptography and Network Security 575
Key Rings
×
Private key rings
r
Timestamp, Key ID, public key, encrypted private key,
user ID
×
Public key rings
r
Timestamp, Key ID, public key, owner trust, user ID,
key legitimacy, signature, signature trust
Cryptography and Network Security 576
Public Key Management
×
A public key attributed to B may belong to
C
r
C can send messages to A, forging B's signature
r
C can read any encrypted message to B
×
Approach to true public key
r
Physically get key from B
r
Obtain B’s key from mutual trusted authority
r
Using key legitimacy field
º
computed from the signature trust field and number
of certificates for the key
Cryptography and Network Security 577
Revoking Public Key
×
Reason
r
It is compromised: the private key has been exposed
r
Simply to avoid use of same key for a period
×
Approach
r
Owner issues key revocation certificate, signed by
owner
r
Using the corresponding private key to sign the certificate
r
Disseminate the certificate as widely and as quickly as
possible
Cryptography and Network Security 578
S/MIME (Secure/Multipurpose
Internet Mail Extensions)
×
security enhancement to MIME email
r
original Internet RFC822 email was text only
r
MIME provided support for varying content types and
multipart messages
r
with encoding of binary data to textual form
r
S/MIME added security enhancements
×
have S/MIME support in various modern
mail agents: MS Outlook, Netscape etc
Cryptography and Network Security 579
S/MIME Functions
×
enveloped data
r
encrypted content and associated keys
×
signed data
r
encoded message + signed digest
×
clearsigned data
r
cleartext message + encoded signed digest
×
signed & enveloped data
r
nesting of signed & encrypted entities
Cryptography and Network Security 580
S/MIME Cryptographic Algorithms
×
hash functions: SHA-1 & MD5
×
digital signatures: DSS & RSA
×
session key encryption: ElGamal & RSA
×
message encryption: Triple-DES, RC2/40
and others
×
have a procedure to decide which
algorithms to use
Cryptography and Network Security 581
S/MIME Certificate Processing
×
S/MIME uses X.509 v3 certificates
×
managed using a hybrid of a strict X.509
CA hierarchy & PGP’s web of trust
×
each client has a list of trusted CA’s certs
×
and own public/private key pairs & certs
×
certificates must be signed by trusted
CA’s
Cryptography and Network Security 582
Certificate Authorities
×
have several well-known CA's
×
Verisign one of most widely used
×
Verisign issues several types of Digital IDs
×
with increasing levels of checks & hence
trust
Class Identity Checks Usage
1 name/email check web browsing/email
2+ enroll/addr check email, subs, s/w validate
3+ ID documents ebanking/service access
Cryptography and Network Security 583
Email SPAM
×
Spam is flooding the Internet with many
copies of the same message, in an attempt
to force the message on people who would
not otherwise choose to receive it. Most
spam is commercial advertising, often for
dubious products, get-rich-quick schemes,
or quasi-legal services. Spam costs the
sender very little to send; most of the
costs are paid for by the recipient or the
carriers rather than by the sender
Cryptography and Network Security 584
Email Spam
×
Email spam has existed since the beginning
of the Internet, and has grown to about 90
billion messages a day, although about 80%
is sent by fewer than 200 spammers.
Botnets, virus infected computers, account
for about 80% of spam.
×
Email addresses are collected from
chatrooms, websites, newsgroups, and
viruses which harvest users address books,
and are sold to other spammers
Cryptography and Network Security 585
Anti-Spam Techniques
×
Some popular methods for filtering and
refusing spam include
r
email filtering based on the content of the email,
DNS-based blackhole lists (DNSBL), greylisting,
spamtraps, enforcing technical requirements,
checksumming systems to detect bulk email, and
putting some sort of cost on the sender via a
proof-of-work system or a micropayment.
r
Each method has strengths and weaknesses and each is
controversial due to its weaknesses.
Cryptography and Network Security 586
Filtering Methods
×
Bayesian spam filtering
×
CRM114
×
dSPAM
×
Markovian discrimination
×
POPFile
×
Policyd-weight, a Postfix policy daemon that runs before SMTP DATA
×
Procmail is an MDA (Mail Delivery Agent) for Unix systems.
×
Maildrop is an MDA (Mail Delivery Agent) for Unix systems.
×
Sendmail supports libmilter for mail filtering
×
Sieve (mail filtering language) is an RFC standard for
describing mail filters
×
SpamAssassin
×
AntiSpam SMTP Proxy
×
information filtering
×
Email whitelists
Cryptography and Network Security 587
Summary
×
have considered:
r
secure email
r
PGP
r
S/MIME
Cryptography and Network Security 588
Cryptography and Network Security
Security on WWW
XiangYang Li
Cryptography and Network Security 589
Introduction
×
Introduction
×
Presentation of SSL
•
The inner workings of SSL
•
Attacks on SSL
×
Presentation of S-HTTP
•
Comparison with SSL/TLS
•
Attacks on S-HTTP
×
Other aspects of Web security
•
TLS
•
IPSec, Kerberos, SET
×
Conclusion
Cryptography and Network Security 590
Web Security
×
Web now widely used by business,
government, individuals
×
but Internet & Web are vulnerable
×
have a variety of threats
r
integrity
r
confidentiality
r
denial of service
r
authentication
×
need added security mechanisms
Cryptography and Network Security 591
SSL (Secure Socket Layer)
×
transport layer security service
×
originally developed by Netscape
×
version 3 designed with public input
×
subsequently became Internet standard
known as TLS (Transport Layer Security)
×
uses TCP to provide a reliable end-to-end
service
×
SSL has two layers of protocols
Cryptography and Network Security 592
Location of SSL
[Figure: protocol stack, bottom to top: Internet Protocol (IP), Transmission Control Protocol (TCP), Secure Socket Layer (SSL), Application Layer]
×
SSL is built on top of TCP
×
Provides a TCP-like interface
×
In theory can be used by all types of applications in a transparent manner
Cryptography and Network Security 593
SSL Architecture
Cryptography and Network Security 594
SSL Architecture
×
SSL session
r
an association between client & server
r
created by the Handshake Protocol
r
define a set of cryptographic parameters
r
may be shared by multiple SSL connections
×
SSL connection
r
a transient, peer-to-peer communications link
r
associated with 1 SSL session
Cryptography and Network Security 595
SSL Record Protocol
×
confidentiality
r
using symmetric encryption with a shared secret key
defined by Handshake Protocol
r
IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
r
message is compressed before encryption
×
message integrity
r
using a MAC with shared secret key
r
similar to HMAC but with different padding
Cryptography and Network Security 596
SSL Change Cipher Spec Protocol
×
one of 3 SSL specific protocols which use
the SSL Record protocol
×
a single message
×
causes pending state to become current
×
hence updating the cipher suite in use
Cryptography and Network Security 597
SSL Alert Protocol
×
conveys SSL-related alerts to peer entity
×
severity
º
warning or fatal
×
specific alert
º
unexpected message, bad record mac, decompression
failure, handshake failure, illegal parameter
º
close notify, no certificate, bad certificate,
unsupported certificate, certificate revoked,
certificate expired, certificate unknown
×
compressed & encrypted like all SSL data
Cryptography and Network Security 598
SSL Handshake Protocol
×
allows server & client to:
r
authenticate each other
r
to negotiate encryption & MAC algorithms
r
to negotiate cryptographic keys to be used
×
comprises a series of messages in phases
r
Establish Security Capabilities
r
Server Authentication and Key Exchange
r
Client Authentication and Key Exchange
r
Finish
Cryptography and Network Security 599
General purpose
×
Two step process:
• Handshake: exchange private keys using a public key encryption algorithm
• Data transmission: exchange the required data using a private key encryption
[Figure: 1. Handshake, 2. Data transmission]
Cryptography and Network Security 600
SSL Handshake Protocol
Cryptography and Network Security 601
handshake
[Figure: SSL handshake message flow]
Client -> Server: Client Hello
Server -> Client: Server Hello, Server Certificate, Server Hello Done
Client -> Server: Client Key Exchange, Change Cipher Specification, Handshake Finished
Server -> Client: Change Cipher Specification, Handshake Finished
Cryptography and Network Security 602
hello
×
Client “Hello”:
•
List of supported private
key encryptions +
•
Client random number
×
Server “Hello”:
•
Selected encryption
algorithm
•
Server Random number
•
Session ID
×
Server Certificate:
•
Verify server’s identity
Cryptography and Network Security 603
Key exchange
×
Client Key Exchange:
•
Client
º
Generate second
random: Pre Master
Key
º
Send Pre Master Key
º
Calculate Master Key
º
Calculate Secret Key
º
Calculate MAC Key
•
Server
º
Calculate Master Key
º
Calculate Secret Key
º
Calculate MAC Key
Cryptography and Network Security 604
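How both sides turn the Pre Master Key into the Master Key and then into the Secret and MAC keys, as an added example that is not from the notes: it uses the TLS 1.0 pseudorandom function of RFC 2246 (P_MD5 xor P_SHA1 over the split secret), which is the "pseudorandom function expands secrets" mentioned on the later TLS slide; randoms, pre-master and the 3DES/SHA-1 key sizes are constructed choices.

```python
# Added example (not from the lecture notes): TLS 1.0 PRF (RFC 2246) used to
# derive master secret and key block. Randoms and pre-master below are
# constructed; key sizes assume 3DES-EDE-CBC with SHA-1 MACs.
import hmac

def p_hash(hash_name: str, secret: bytes, seed: bytes, nbytes: int) -> bytes:
    """P_hash(secret, seed) = HMAC(A(1)||seed) || HMAC(A(2)||seed) || ..., A(i) = HMAC(secret, A(i-1))."""
    out, a = b"", seed
    while len(out) < nbytes:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:nbytes]

def tls10_prf(secret: bytes, label: bytes, seed: bytes, nbytes: int) -> bytes:
    """PRF = P_MD5(S1, label||seed) xor P_SHA1(S2, label||seed); S1/S2 are the two halves of secret."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, nbytes)
    sha_part = p_hash("sha1", s2, label + seed, nbytes)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))

def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """'Calculate Master Key' on both sides: 48 bytes from the pre-master and both randoms."""
    return tls10_prf(pre_master, b"master secret", client_random + server_random, 48)

def key_block(master: bytes, client_random: bytes, server_random: bytes, nbytes: int) -> bytes:
    """Key expansion; note the randoms are concatenated server-first here."""
    return tls10_prf(master, b"key expansion", server_random + client_random, nbytes)

def split_key_block(kb: bytes, mac_len: int = 20, key_len: int = 24, iv_len: int = 8) -> dict:
    """'Calculate Secret Key' / 'Calculate MAC Key': slice order client MAC, server MAC,
    client key, server key, client IV, server IV (sizes here: SHA-1 MAC, 3DES key, 8-byte IV)."""
    sizes = [("client_mac", mac_len), ("server_mac", mac_len), ("client_key", key_len),
             ("server_key", key_len), ("client_iv", iv_len), ("server_iv", iv_len)]
    out, pos = {}, 0
    for name, size in sizes:
        out[name] = kb[pos:pos + size]
        pos += size
    return out
```

Because both sides run the same function on the same three inputs, the pre-master secret is the only value that ever travels (encrypted under the server's public key); everything else is recomputed, not sent.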
Resumed based on Session Id
[Figure: resumed handshake]
Client -> Server: Client Hello (with Session ID)
Server -> Client: Server Hello, Change Cipher Specification, Handshake Finished
Client -> Server: Change Cipher Specification, Handshake Finished
Cryptography and Network Security 605
Certificate authority
×
Certificate Authority (CA) is a trusted
third party that helps identify the server.
×
How does everything work?
•
Server sends ID, public key to CA
•
CA creates and signs the server’s Certificate
•
Client receives the Certificate from Server
•
Client verifies the Certificate using the signature and
the CA’s public key
Cryptography and Network Security 606
MAC
×
MAC = Message Authentication Code
×
The initial message is split into fragments
×
For each fragment a “fingerprint” is
calculated using the MAC key
×
The fragment, fingerprint and record
header are encrypted and sent
×
Receiver checks the “fingerprint” using
MAC key to detect inconsistent messages
Cryptography and Network Security 607
Attacks on SSL
×
Certificate Injection Attack
•
The list of trusted Certificate Authorities is altered
•
Can be avoided by upgrading the OS or switching to a safer one.
×
Man in the Middle
•
Cipher Spec Rollback: regresses the public key encryption algorithms
•
Version Rollback: regression from SSL 3.0 to weaker SSL 2.0
•
Algorithm rollback: modify public encryption method
•
Truncation attack: TCP FIN/RST used to terminate connection
×
Timing attack
•
Can be avoided by randomly delaying the computations
×
Brute force
•
Can be used on servers that accept small key sizes: 40 bits for symmetric
encryptions and 512 for the asymmetric one.
Cryptography and Network Security 608
TLS (Transport Layer Security)
×
IETF standard RFC 2246 similar to SSLv3
×
with minor differences
r
in record format version number
r
uses HMAC for MAC
r
a pseudorandom function expands secrets
r
has additional alert codes
r
some changes in supported ciphers
r
changes in certificate negotiations
r
changes in use of padding
Cryptography and Network Security 609
TLS
TLS was developed by IETF to replace SSL version 3.
• Based on SSL version 3, with some changes:
• Replaced FORTEZZA key exchange option with DSS.
• Includes the hash method HMAC, used by IPsec for
authentication in IP headers.
• More differentiation between subprotocols.
• TLS has mechanisms for backwards compatibility with SSL.
Cryptography and Network Security 610
TLS
TLS has about 30 possible cipher ‘suites’, combinations of
key exchange, encryption method, and hashing method.
• Key exchange includes: RSA, DSS, Kerberos
• Encryption includes: IDEA(CBC), RC2, RC4, DES, 3DES,
and AES
• Hashing: SHA and MD5
(Note: Some of the suites are intentionally weak export
versions.)
Cryptography and Network Security 611
Secure Electronic Transactions
(SET)
×
open encryption & security specification
×
to protect Internet credit card
transactions
×
developed in 1996 by Mastercard, Visa etc
×
not a payment system
×
rather a set of security protocols &
formats
r
secure communications amongst parties
r
trust from use of X.509v3 certificates
r
privacy by restricted info to those who need it
Cryptography and Network Security 612
SET Components
Cryptography and Network Security 613
SET Transaction
1. customer opens account
2. customer receives a certificate
3. merchants have their own certificates
4. customer places an order
5. merchant is verified
6. order and payment are sent
7. merchant requests payment authorization
8. merchant confirms order
9. merchant provides goods or service
10. merchant requests payment
Cryptography and Network Security 614
Dual Signature
×
customer creates dual messages
r
order information (OI) for merchant
r
payment information (PI) for bank
×
neither party needs details of other
×
but must know they are linked
×
use a dual signature for this
r
signed concatenated hashes of OI & PI
Cryptography and Network Security 615
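The dual signature from the slide above, as an added example (not the SET specification's code): DS = Sign(H(H(PI) || H(OI))), checked by a merchant who sees only OI and H(PI) and by a bank that sees only PI and H(OI). The signature is a toy RSA over a SHA-256 digest with constructed small primes, so it illustrates the linkage, not real signature security.

```python
# Added example (not from the SET specification): dual signature linking
# order information (OI) and payment information (PI). Toy RSA on constructed
# primes; the digest is reduced mod the tiny n, which a real scheme never does.
import hashlib

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def toy_rsa_keypair(p: int, q: int, e: int = 65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def sign_int(priv, digest: bytes) -> int:
    """Toy RSA signature of a digest (truncated mod n to fit the toy modulus)."""
    n, d = priv
    return pow(int.from_bytes(digest, "big") % n, d, n)

def verify_int(pub, digest: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(digest, "big") % n

def dual_signature(priv, OI: bytes, PI: bytes):
    """Customer: OIMD = H(OI), PIMD = H(PI), POMD = H(PIMD || OIMD), DS = Sign(POMD).
    Merchant receives (OI, PIMD, DS); bank receives (PI, OIMD, DS)."""
    OIMD, PIMD = H(OI), H(PI)
    POMD = H(PIMD + OIMD)
    return sign_int(priv, POMD), OIMD, PIMD

def merchant_verify(pub, OI: bytes, PIMD: bytes, ds: int) -> bool:
    """Merchant sees OI and only H(PI): confirms this order is the one the customer signed."""
    return verify_int(pub, H(PIMD + H(OI)), ds)

def bank_verify(pub, PI: bytes, OIMD: bytes, ds: int) -> bool:
    """Bank sees PI and only H(OI): confirms the payment is bound to that (unseen) order."""
    return verify_int(pub, H(H(PI) + OIMD), ds)
```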
Purchase Request – Customer
Cryptography and Network Security 616
Purchase Request – Merchant
Cryptography and Network Security 617
Purchase Request – Merchant
1. verifies cardholder certificates using CA sigs
2. verifies dual signature using customer's public
signature key to ensure order has not been
tampered with in transit & that it was signed
using cardholder's private signature key
3. processes order and forwards the payment
information to the payment gateway for
authorization (described later)
4. sends a purchase response to cardholder
Cryptography and Network Security 618
Payment Gateway Authorization
1. verifies all certificates
2. decrypts digital envelope of authorization block to obtain
symmetric key & then decrypts authorization block
3. verifies merchant's signature on authorization block
4. decrypts digital envelope of payment block to obtain
symmetric key & then decrypts payment block
5. verifies dual signature on payment block
6. verifies that transaction ID received from merchant
matches that in PI received (indirectly) from customer
7. requests & receives an authorization from issuer
8. sends authorization response back to merchant
Cryptography and Network Security 619
Payment Capture
×
merchant sends payment gateway a
payment capture request
×
gateway checks request
×
then causes funds to be transferred to
merchants account
×
notifies merchant using capture response
Cryptography and Network Security 620
Security on the WWW
C Secure-HTTP
Presentation of S-HTTP
×
Designed by E. Rescorla and A. Schiffman
of EIT to secure HTTP connections
×
Proposed in 1994 but never used
commercially
×
Not to be confused with HTTPS: encrypts
HTTP messages at the application level
Cryptography and Network Security 621
Location of S-HTTP
[Figure: protocol stack, bottom to top: Internet Protocol (IP), Transmission Control Protocol (TCP), Secure-HTTP (message encryption and signature) inside the Application Layer HTTP message]
×
HTTP-specific message encryption
×
Can possibly be used over a secure channel
×
Designed to be compatible with HTTP for handling at lower layers
Cryptography and Network Security 622
Security on the WWW
C Secure-HTTP
S-HTTP vs. SSL/TLS
- HTTP-specific vs. general-purpose SSL (IMAPS, POPS, LDAPS…)
- Burden of encryption not on transmission/reception but rather on message production/unpacking
- Similar set of available ciphers, plus added capabilities for signing (DSS, RSA)
- Very general specifications, leaving a lot to implement and a potential for incompatible implementations
- Only one reference implementation, in NCSA Mosaic
Security on the WWW
C Secure-HTTP
S-HTTP vs. SSL/TLS: functionalities

Security Service  | S-HTTP                                        | SSL
------------------|-----------------------------------------------|-----------------------------------------------
Privacy           | Encryption of the complete HTTP transaction;  | Complete communication encryption;
                  | public or private cryptosystem                | symmetric key cryptosystem
Integrity         | Simple MAC or signing                         | MAC only
Authentication    | Key management on the keys used, or           | During the initial public key exchange
                  | digital signature                             | (server auth. mandatory, client auth. optional)
Non-repudiation   | Digital signature                             | Not provided

- S-HTTP can make use of key management
- Non-repudiation is not provided by SSL
- Signing is optional, but a major attraction of S-HTTP
Security on the WWW
C Secure-HTTP
S-HTTP vs. SSL/TLS: proxy traversal
(figure, two enterprise deployments side by side: "Proxy traversal: SSL connection", where an SSL-aware proxy sits between the enterprise environment and the external secure server and the path consists of two SSL tunnels, one on each side of the proxy; versus "Proxy traversal: S-HTTP messaging", where an S-HTTP-aware proxy relays the encrypted, authenticated data to the external secure server and only the cleartext HTTP envelope is visible to the proxy)
Security on the WWW
C Secure-HTTP
S-HTTP inner working
- Message-based encryption
- Superset of HTTP: an "outer" envelope
- Specific headers added
(figure: an S-HTTP message consists of the S-HTTP headers, then the HTTP payload headers (Security-Scheme, Encryption-Identity, Certificate-Info… plus the regular HTTP headers), then the HTTP message body)
Request line:   Secure * Secure-HTTP/1.2
Response line:  Secure-HTTP/1.2 200 OK
Security on the WWW
C Secure-HTTP
S-HTTP attacks
- Basically the same as on SSL, since the ciphers are the same
- Default values more secure in S-HTTP than in SSL at the time of proposal (e.g. DES vs. RC4)
- S-HTTP generally stronger by design (more resilient to proxy compromise, since messages stay encrypted through the proxy)
- More complex and wider specifications create a potential for faulty implementations
- No real-world use to field-test the actual security of S-HTTP
Security on the WWW
D Other protocols
HTTP has an authentication scheme as part of its original protocol.
HTTP Basic Authentication
• Supported by almost all browsers and web servers.
• Username and password are sent in clear text (only base64 encoded) in the HTTP request message.
• Obviously not secure enough for sensitive information unless the connection itself is encrypted.
This scheme is being replaced by the slightly more secure HTTP Digest Authentication, which sends an MD5 hash of the password combined with a server-supplied nonce and other request information, instead of the password itself.
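What the two schemes actually put on the wire, as an added example that is not part of the lecture notes: a Basic header is recovered with one base64 decode, while a Digest response is MD5(HA1:nonce:HA2) with HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri) (RFC 2617; the qop=auth form adds nc, cnonce and qop between nonce and HA2). The realm, nonce and credentials below are constructed sample values, except for the RFC 2617 worked example used in the server-side check.

```python
"""HTTP Basic vs. Digest authentication on the wire (added example)."""
import base64
import hashlib


def basic_header(user: str, password: str) -> str:
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def basic_recover(header: str) -> tuple:
    """What a passive sniffer does with a captured Basic header: just decode it."""
    token = header.split("Basic ", 1)[1]
    user, password = base64.b64decode(token).decode().split(":", 1)
    return user, password


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None) -> str:
    """RFC 2617 'response' value, with and without the qop=auth extension."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop is None:
        return _md5(f"{ha1}:{nonce}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_server_check(stored_ha1: str, method, uri, nonce, response) -> bool:
    """The server needs only HA1 (not the password) to verify a qop-less response."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{stored_ha1}:{nonce}:{ha2}") == response


if __name__ == "__main__":
    hdr = basic_header("alice", "s3cret")            # constructed credentials
    print(hdr)
    print("sniffer recovers:", basic_recover(hdr))
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"       # server-chosen nonce
    print("digest response:", digest_response("alice", "example", "s3cret",
                                              "GET", "/index.html", nonce))
```

Digest keeps the password itself off the wire, but the response is still an unsalted MD5 over values the sniffer also sees, so it remains open to offline guessing of weak passwords and to replay if the server does not vary the nonce.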
IPsec
IPsec is a security layer added to a computer's protocol stack in the kernel (below TCP). It is invisible to the application. It is implemented by adding additional protocol numbers in the IP protocol field (AH is IP protocol 51, ESP is protocol 50).
• Good for implementing a VPN.
• Packets can either be tunneled inside IPsec packets, or transported with only the data portion of the original packet encrypted.
• Every IPsec end machine (which could be a LAN's router) must implement IPsec for it to work.
Summary
- have considered:
  - need for web security
  - SSL/TLS transport layer security protocols
    - de facto standard, versatile and low-level enough to accommodate many types of payloads
  - SET secure credit card payment protocols
  - IPsec: true network-layer security for any application (not just the Web)
  - Kerberos: robust two-way authentication framework with emphasis on security manageability

Security on the WWW
D Conclusion
Web Security
• SSL/TLS: de facto standard, versatile and low-level enough to accommodate many types of payloads
• S-HTTP: never took off, restricted to HTTP messages
• IPsec: true network-layer security for any application (not just the Web)
• Kerberos: robust two-way authentication framework with emphasis on security manageability
Cryptography & Network Security
Malicious Software
XiangYang Li

Malicious Software
What is the concept of defense: The parrying of a blow. What is its characteristic feature: Awaiting the blow.
—On War, Carl Von Clausewitz

Viruses and Other Malicious Content
- computer viruses have had a lot of publicity
- one of a family of malicious software
- effects usually obvious
- have figured in news reports, fiction, movies (often exaggerated)
- get more attention than they deserve
- are a concern though

Malicious Software
Trapdoors
- secret entry point into a program
- allows those who know of it to gain access, bypassing the usual security procedures
- have been commonly used by developers (e.g. to debug and test)
- a threat when left in production programs, where attackers can exploit them
- very hard to block in the O/S
- requires good s/w development & update practices

Logic Bomb
- one of the oldest types of malicious software
- code embedded in a legitimate program
- activated when specified conditions are met
  - e.g. presence/absence of some file
  - particular date/time
  - particular user
- when triggered typically damages the system
  - modify/delete files/disks

Trojan Horse
- program with hidden side-effects
- which is usually superficially attractive
  - e.g. game, s/w upgrade etc
- when run performs some additional tasks
  - allows the attacker to indirectly gain access they do not have directly
- often used to propagate a virus/worm or install a backdoor
- or simply to destroy data

Zombie
- program which secretly takes over another networked computer
- then uses it to indirectly launch attacks
- often used to launch distributed denial of service (DDoS) attacks
- exploits known flaws in network systems
Viruses
- a piece of self-replicating code attached to some other code
  - cf. biological virus
- both propagates itself & carries a payload
  - carries code to make copies of itself
  - as well as code to perform some covert task

Virus Operation
- virus phases:
  - dormant – waiting on a trigger event
  - propagation – replicating to programs/disks
  - triggering – by an event, to execute the payload
  - execution – of the payload
- details usually machine/OS specific
  - exploiting features/weaknesses
Virus Structure
(pseudocode; the marker 1234567 lets the virus recognise files it has already infected)

    program V :=
    {
        goto main;
        1234567;                          /* infection marker */

        subroutine infect-executable :=
        {
        loop:
            file := get-random-executable-file;
            if (first-line-of-file = 1234567) then goto loop;   /* already infected, try another */
            else prepend V to file;
        }

        subroutine do-damage :=
        { whatever damage is to be done }

        subroutine trigger-pulled :=
        { return true if some condition holds }

    main:
        main-program :=
        {
            infect-executable;
            if trigger-pulled then do-damage;
            goto next;                    /* hand control to the host program */
        }
    next:
    }
Types of Viruses
- can classify on the basis of how they attack
- parasitic virus
- memory-resident virus
- boot sector virus
- stealth virus
- polymorphic virus
- macro virus

Macro Virus
- macro code attached to some data file
- interpreted by the program using the file
  - e.g. Word/Excel macros
  - esp. using auto-command & command macros
- code is now platform independent
- is a major source of new viral infections
- blurs the distinction between data and program files, making the task of detection much harder
- classic trade-off: "ease of use" vs "security"

Email Virus
- spread using email with an attachment containing a macro virus
  - cf. Melissa
- triggered when the user opens the attachment
- or worse, even when the mail is merely viewed, by using scripting features in the mail agent
- usually targeted at the Microsoft Outlook mail agent & Word/Excel documents

Worms
- replicating but not infecting program
- typically spreads over a network
  - cf. Morris Internet Worm in 1988
  - led to creation of CERTs
- using users' distributed privileges or by exploiting system vulnerabilities
- widely used by hackers to create zombie PCs, subsequently used for further attacks, esp. DoS
- major issue is lack of security of permanently connected systems, esp. PCs
Worm Operation
- worm phases like those of viruses:
  - dormant
  - propagation
    - search for other systems to infect
    - establish connection to target remote system
    - replicate self onto remote system
  - triggering
  - execution

Morris Worm
- best known classic worm
- released by Robert Morris in 1988
- targeted Unix systems
- using several propagation techniques
  - simple password cracking of the local password file
  - exploit bug in finger daemon
  - exploit debug trapdoor in sendmail daemon
- if any attack succeeded then it replicated itself

Recent Worm Attacks
- new spate of attacks from mid-2001
- Code Red
  - exploited bug in MS IIS to penetrate & spread
  - probes random IPs for systems running IIS
  - had trigger time for denial-of-service attack
  - 2nd wave infected 360,000 servers in 14 hours
- Code Red 2
  - had backdoor installed to allow remote control
- Nimda
  - used multiple infection mechanisms
    - email, shares, web client, IIS, Code Red 2 backdoor

Virus Countermeasures
- viral attacks exploit lack of integrity control on systems
- to defend need to add such controls
- typically by one or more of:
  - prevention - block the virus infection mechanism
  - detection - of viruses in an infected system
  - reaction - restoring the system to a clean state
Anti-Virus Software
- first-generation
  - scanner uses virus signature to identify virus
  - or change in length of programs
- second-generation
  - uses heuristic rules to spot viral infection
  - or uses program checksums to spot changes
- third-generation
  - memory-resident programs identify virus by actions
- fourth-generation
  - packages with a variety of antivirus techniques
  - e.g. scanning & activity traps, access-controls

Advanced Anti-Virus Techniques
- generic decryption
  - use CPU simulator to check program signature & behavior before actually running it
- digital immune system (IBM)
  - general purpose emulation & virus detection
  - any virus entering org is captured, analyzed, detection/shielding created for it, removed

Behavior-Blocking Software
- integrated with host O/S
- monitors program behavior in real-time
  - e.g. file access, disk format, executable mods, system settings changes, network access
- for possibly malicious actions
  - if detected can block, terminate, or seek ok
- has advantage over scanners
- but malicious code runs before detection

Summary
- have considered:
  - various malicious programs
  - trapdoor, logic bomb, trojan horse, zombie
  - viruses
  - worms
  - countermeasures
Cryptography & Network Security
Wireless LAN Security
Road to 802.11i
Xiangyang Li

Contents
- Introduction
- Problem: 802.11b Not Secure!
- Wired Equivalent Privacy – WEP
- Types of Attacks
- 802.11b Proposed Solutions
- 802.1X
- Wi-Fi Protected Access (WPA)
- 802.11i: The Solution
- Conclusion

Introduction
- Popular in offices, homes and public spaces (airport, coffee shop)
- Most popular: 802.11b
  - Example: Yahoo! DSL Wireless Kit
  - Theoretical max @ 11 Mbps
  - Operates in the 2.4 GHz band
  - DSSS/FHSS spread-spectrum modulation – similar to CDMA phones

Introduction
- Standards: IEEE 802.11 Series
  - 802.11b – 11 Mbps @ 2.4 GHz
  - 802.11a – 54 Mbps @ 5 GHz band
  - 802.11g – 54 Mbps @ 2.4 GHz band
  - 802.1X – security add-on
  - 802.11i – high security
Problem: 802.11b Not Secure!
- "No inherent security"
  - Wired → wireless media change was the objective
- Wired Equivalent Privacy (WEP)
  - The only "security" built into 802.11
  - Uses the RC4 stream cipher – in a bad way
  - Vulnerable to several types of attacks
- Sometimes not even turned ON

Wired Equivalent Privacy – WEP
- RC4 stream cipher
  - Designed by Ron Rivest for RSA Security
  - Very simple; the per-packet RC4 key is built from
    - Initialization Vector (IV)
    - Shared Key
- The issue is in the way RC4 is used
  - IV (24 bits) reuse with a fixed shared key means keystream reuse
  - Early versions used a 40-bit key
  - 128-bit mode effectively uses a 104-bit key (the other 24 bits are the IV)

Wired Equivalent Privacy – WEP
RC4 Key Stream Encryption (figure; source: http://mason.gmu.edu/~gharm/wireless.html)
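To make the IV-reuse point concrete, here is an added example (not from the lecture notes) that implements RC4 directly, encrypts two frames the WEP way (per-packet key = IV || shared key, IV sent in clear), and shows that XORing two ciphertexts with the same IV cancels the keystream; with one plaintext known, the other falls out. It also computes how many frames a random 24-bit IV survives before a collision becomes likely. The key, IV and frame contents are constructed; the CRC-32 ICV that real WEP appends is left out.

```python
"""WEP keystream reuse under a repeated IV (added example)."""
import math


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 keystream: key-scheduling algorithm followed by the PRGA."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: 3-byte IV in clear, then RC4(IV || key) XOR plaintext."""
    assert len(iv) == 3
    ks = rc4(iv + shared_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def xor_of_plaintexts(frame_a: bytes, frame_b: bytes) -> bytes:
    """Attacker step: same IV => same keystream => C1 xor C2 = P1 xor P2."""
    assert frame_a[:3] == frame_b[:3], "only works on an IV collision"
    return bytes(a ^ b for a, b in zip(frame_a[3:], frame_b[3:]))


def recover_with_known_plaintext(frame_a: bytes, frame_b: bytes, known_b: bytes) -> bytes:
    """If one plaintext is predictable (e.g. an ARP request), the other follows."""
    x = xor_of_plaintexts(frame_a, frame_b)
    return bytes(a ^ b for a, b in zip(x, known_b))


def frames_until_iv_collision(p: float = 0.5) -> int:
    """Birthday bound: frames needed before a random 24-bit IV repeats with probability p."""
    n = 2 ** 24
    return math.ceil(math.sqrt(2 * n * math.log(1 / (1 - p))))


KEY = bytes.fromhex("0123456789")            # constructed 40-bit WEP key
IV = b"\x7a\x01\x13"                          # an IV the sender reuses
P1 = b"GET /secret/report.pdf HTTP/1.0 "     # what the attacker wants
P2 = b"ARP who-has 10.0.0.1 tell 10.0.0.7"   # predictable, attacker knows it

if __name__ == "__main__":
    c1, c2 = wep_encrypt(KEY, IV, P1), wep_encrypt(KEY, IV, P2)
    print(recover_with_known_plaintext(c1, c2, P2))
    print("frames for a 50% IV collision:", frames_until_iv_collision())
```

A busy access point sends thousands of frames a minute, so the IV space is exhausted in hours even if IVs are chosen well; many cards simply reset the IV to zero at power-up, which makes collisions immediate.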
Types of Attacks
- Attacks on
  - Confidentiality
  - Integrity
  - Availability

Types of Attacks
- Attacks on Confidentiality
  - Traffic Analysis
  - Passive Eavesdropping
    - Very easy to do
  - Active Eavesdropping
  - Unauthorized Access

Types of Attacks
- Attacks on Confidentiality and/or Integrity
  - Man-In-The-Middle
- Attacks on Integrity
  - Session Hijacking
  - Replay
- Attacks on Availability
  - Denial of Service

802.11b Proposed Solutions
- Virtual Private Network
- Closed Network
  - Through the use of the SSID
- Ethernet MAC address control lists
- Replace RC4 with a block cipher
- Don't reuse IVs
- Automatic Key Assignment
802.1X: Interim Solution
- Port-based authentication
  - Not specific to wireless networks
- Authentication servers
  - RADIUS
- Client authentication
  - EAP

802.1X Problems
- 802.1X still has problems
  - Extensible Authentication Protocol (EAP)
    - One-way authentication
  - Attacks
    - Man-in-the-Middle
    - Session Hijacking

802.1X Proposed Solutions
- Per-packet authenticity and integrity
  - Lots of overhead
- Authenticity and integrity of EAPOL messages
- Two-way authentication

Wi-Fi Protected Access (WPA)
- Addresses issues with WEP
  - Key management
    - TKIP
    - Key expansion
  - Message Integrity Check
- Software upgrade only
- Compatible with 802.1X
- Compatible with 802.11i

802.11i
- Finalized: June, 2004
- Robust Security Network
- Wi-Fi Alliance: WPA2
- Improvements made
  - Authentication enhanced
  - Key Management created
  - Data Transfer security enhanced
802.11i - Authentication
- Authentication Server
- Two-way authentication
  - Prevents man-in-the-middle attacks
  - Master Key (MK)
  - Pairwise Master Key (PMK)

802.11i – Key Management
- Key Types
  - Pairwise Transient Key (PTK), derived from the PMK and split into:
    - Key Confirmation Key (KCK)
    - Key Encryption Key (KEK)
    - Temporal Key (TK)
  - Group Transient Key (GTK)

802.11i – Key Management
(figure; source: http://csrc.nist.gov/wireless/S10_802.11i%20Overviewjw1.pdf)

802.11i – Data Transfer
- CCMP
  - Long term solution – mandatory for 802.11i compliance
  - AES-based (AES in counter mode with CBC-MAC)
  - Requires hardware upgrades
- WRAP
  - Provided for early vendor support
- TKIP
  - Carried over from WPA

802.11i – Additional Enhancements
- Pre-authentication
  - Roaming clients
- Client Validation
- Password-to-key mappings
- Random number generation
Conclusion
- Basic 802.11b (with WEP)
  - Massive security holes
  - Easily attacked
- 802.1X
  - Good interim solution
  - Allows use of existing hardware
  - Can still be attacked

Conclusion
- Wi-Fi Protected Access
  - Allows use of existing hardware
  - Compatible with 802.1X
  - Compatible with 802.11i
- 802.11i
  - May require hardware upgrades
  - Very secure
  - Nothing is ever guaranteed

Cryptography & Network Security
IPsec
XiangYang Li
IP Security
If a secret piece of news is divulged by a spy before the time is ripe, he must be put to death, together with the man to whom the secret was told.
—The Art of War, Sun Tzu

IP Security
- have considered some application-specific security mechanisms
  - e.g. S/MIME, PGP, Kerberos, SSL/HTTPS
- however there are security concerns that cut across protocol layers
- would like security implemented by the network for all applications

IPSec
- general IP Security mechanisms
- provides
  - authentication
  - confidentiality
  - key management
- applicable to use over LANs, across public & private WANs, & for the Internet

IPSec Uses

Benefits of IPSec
- in a firewall/router provides strong security to all traffic crossing the perimeter
- is resistant to bypass
- is below the transport layer, hence transparent to applications
- can be transparent to end users
- can provide security for individual users if desired

IP Security Architecture
- specification is quite complex
- defined in numerous RFCs
  - incl. RFC 2401/2402/2406/2408
  - many others, grouped by category
- mandatory in IPv6, optional in IPv4

IPSec Services
- Access control
- Connectionless integrity
- Data origin authentication
- Rejection of replayed packets
  - a form of partial sequence integrity
- Confidentiality (encryption)
- Limited traffic flow confidentiality
Security Associations
- a one-way relationship between sender & receiver that affords security for the traffic flow
- defined by 3 parameters:
  - Security Parameters Index (SPI)
  - IP Destination Address
  - Security Protocol Identifier (AH or ESP)
- has a number of other parameters
  - sequence number counter, anti-replay window, AH & ESP info, lifetime etc.
- have a database of Security Associations

Authentication Header (AH)
- provides support for data integrity & authentication of IP packets
  - end system/router can authenticate user/app
  - the MAC covers the immutable IP header fields, including the source address, so a spoofed address fails the check; the sequence number defends against replay
- based on use of a MAC
  - HMAC-MD5-96 or HMAC-SHA-1-96 (the HMAC output truncated to its first 96 bits)
- parties must share a secret key
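Receiver-side AH processing, as an added example that is not part of the lecture notes: look up the SA by SPI, run the RFC 2401 anti-replay sliding window on the sequence number, verify the HMAC-SHA-1-96 ICV (full HMAC, first 96 bits kept), and only then advance the window. The packet layout is simplified to SPI | sequence | ICV | payload, with mutable IP header fields assumed already zeroed; the key, SPI and packets are constructed sample values.

```python
"""Inbound AH checks: SA lookup, anti-replay window, truncated HMAC ICV (added example)."""
import hashlib
import hmac
import struct


class InboundSA:
    """One inbound security association: SPI, key and replay window state."""

    def __init__(self, spi: int, key: bytes, window: int = 64):
        self.spi, self.key, self.window = spi, key, window
        self.last_seq = 0          # highest sequence number accepted so far
        self.bitmap = 0            # bit k set => sequence (last_seq - k) already seen

    def icv(self, authenticated: bytes) -> bytes:
        """HMAC-SHA-1-96: the 20-byte HMAC truncated to 12 bytes."""
        return hmac.new(self.key, authenticated, hashlib.sha1).digest()[:12]

    def replay_check(self, seq: int) -> bool:
        """Accept seq if it is to the right of the window, or inside it and unseen."""
        if seq == 0:
            return False
        if seq > self.last_seq:
            return True
        if self.last_seq - seq >= self.window:
            return False                              # too old: left of the window
        return not (self.bitmap >> (self.last_seq - seq)) & 1

    def replay_update(self, seq: int) -> None:
        """Slide or mark the window; called only after the ICV verified."""
        if seq > self.last_seq:
            shift = seq - self.last_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)


def build_ah_packet(sa: InboundSA, seq: int, payload: bytes) -> bytes:
    """Sender: SPI | seq | ICV | payload, ICV computed with the ICV field zeroed."""
    hdr = struct.pack("!II", sa.spi, seq)
    return hdr + sa.icv(hdr + bytes(12) + payload) + payload


def receive_ah_packet(sas: dict, packet: bytes) -> str:
    """Returns 'accepted' or the reason the packet was dropped."""
    spi, seq = struct.unpack("!II", packet[:8])
    sa = sas.get(spi)
    if sa is None:
        return "no SA for SPI"
    if not sa.replay_check(seq):
        return "replayed or stale seq"
    icv, payload = packet[8:20], packet[20:]
    if not hmac.compare_digest(icv, sa.icv(packet[:8] + bytes(12) + payload)):
        return "bad ICV"
    sa.replay_update(seq)
    return "accepted"


if __name__ == "__main__":
    sa = InboundSA(spi=0x1000, key=b"constructed-20-byte-key!")
    sas = {sa.spi: sa}
    pkt = build_ah_packet(sa, 1, b"hello")
    print(receive_ah_packet(sas, pkt))                     # accepted
    print(receive_ah_packet(sas, pkt))                     # replayed or stale seq
    bad = build_ah_packet(sa, 2, b"hello")[:-1] + b"?"     # payload altered in transit
    print(receive_ah_packet(sas, bad))                     # bad ICV
```

The order of the checks matters: the cheap replay test runs before the HMAC so a flood of replayed packets cannot burn MAC computations, and the window is updated only for packets whose ICV verified, so a forged packet with a high sequence number cannot push the window past legitimate traffic.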
Authentication Header

Transport & Tunnel Modes

Encapsulating Security Payload (ESP)
- provides message content confidentiality & limited traffic flow confidentiality
- can optionally provide the same authentication services as AH
- supports a range of ciphers, modes, padding
  - incl. DES, Triple-DES, RC5, IDEA, CAST etc
  - CBC most common
  - pad to meet the block size, and for traffic flow confidentiality

Encapsulating Security Payload

Transport vs Tunnel Mode ESP
- transport mode is used to encrypt & optionally authenticate IP data
  - data protected but header left in clear
  - allows traffic analysis but is efficient
  - good for ESP host-to-host traffic
- tunnel mode encrypts the entire IP packet
  - adds a new header for the next hop
  - good for VPNs, gateway-to-gateway security

Combining Security Associations
- an SA can implement either AH or ESP
- to implement both, need to combine SAs
  - form a security bund
le
- have 4 cases (see next)

Combining Security Associations

Key Management
- handles key generation & distribution
- typically need 2 pairs of keys (4 keys in total)
  - one transmit and one receive key for each of AH & ESP
- manual key management
  - sysadmin manually configures every system
- automated key management
  - automated system for on-demand creation of keys for SAs in large systems
  - has Oakley & ISAKMP elements
Oakley
- a key exchange protocol
- based on Diffie-Hellman key exchange
- adds features to address weaknesses
  - cookies (against clogging/DoS), groups (global params), nonces (against replay), DH key exchange with authentication (against man-in-the-middle)
- can use arithmetic in prime fields or elliptic curve fields

ISAKMP
- Internet Security Association and Key Management Protocol
- provides a framework for key management
- defines procedures and packet formats to establish, negotiate, modify, & delete SAs
- independent of key exchange protocol, encryption alg, & authentication method

ISAKMP

Summary
- have considered:
  - IPSec security framework
  - AH
  - ESP
  - key management & Oakley/ISAKMP

Cryptography & Network Security
Firewalls
XiangYang Li
Firewalls
The function of a strong position is to make the forces holding it practically unassailable
—On War, Carl Von Clausewitz

Introduction
- seen evolution of information systems
- now everyone wants to be on the Internet
- and to interconnect networks
- has persistent security concerns
  - can't easily secure every system in an org
- need "harm minimisation"
- a firewall is usually part of this

What is a Firewall?
- a choke point of control and monitoring
- interconnects networks with differing trust
- imposes restrictions on network services
  - only authorized traffic is allowed
- auditing and controlling access
  - can implement alarms for abnormal behavior
- is itself immune to penetration (hardened O/S, minimal services)
- provides perimeter defence

Firewall Limitations
- cannot protect from attacks bypassing it
  - e.g. sneaker net, utility modems, trusted organisations, trusted services (e.g. SSL/SSH)
- cannot protect against internal threats
  - e.g. disgruntled employee
- cannot protect against transfer of all virus-infected programs or files
  - because of the huge range of O/S & file types
Firewalls – Packet Filters

Firewalls – Packet Filters
- simplest of components
- foundation of any firewall system
- examine each IP packet (no context) and permit or deny according to rules
- hence restrict access to services (ports)
- possible default policies
  - that which is not expressly permitted is prohibited (default deny)
  - that which is not expressly prohibited is permitted (default permit)

Firewalls – Packet Filters

Attacks on Packet Filters
- IP address spoofing
  - fake source address to be trusted
  - add filters on router to block (e.g. discard packets arriving on the external interface with an internal source address)
- source routing attacks
  - attacker sets a route other than the default
  - block source-routed packets
- tiny fragment attacks
  - split header info over several tiny packets so the filter never sees the full transport header
  - either discard or reassemble before checking
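A small stateless packet filter, as an added example that is not from the lecture notes: first-match rules with a default-deny policy, preceded by the three sanity checks the slide above calls for (anti-spoofing on the external interface, dropping source-routed packets, dropping initial fragments too small to carry a transport header). The internal prefix, interfaces, rule table and packets are constructed sample values.

```python
"""Stateless packet filter with default deny and anti-spoof/source-route/tiny-fragment checks."""
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("192.168.1.0/24")   # assumed internal prefix
MIN_FIRST_FRAGMENT = 16   # bytes of transport header an initial fragment must carry


@dataclass
class Packet:
    iface: str            # "ext" or "int": interface the packet arrived on
    src: str
    dst: str
    proto: str            # "tcp" / "udp" / "icmp"
    dport: int = 0
    frag_offset: int = 0  # 0 => first (or only) fragment
    more_frags: bool = False
    l4_bytes: int = 20    # transport-header bytes present in this fragment
    source_routed: bool = False


@dataclass
class Rule:
    action: str           # "permit" / "deny"
    iface: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "*"
    dport: int = 0        # 0 matches any port

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("*", p.iface)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("*", p.proto)
                and self.dport in (0, p.dport))


def sanity_checks(p: Packet) -> str:
    """Checks done before the rule table; returns a drop reason or ''."""
    if p.iface == "ext" and ipaddress.ip_address(p.src) in INTERNAL:
        return "spoofed internal source"
    if p.source_routed:
        return "source routed"
    if p.frag_offset == 0 and p.more_frags and p.l4_bytes < MIN_FIRST_FRAGMENT:
        return "tiny fragment"
    return ""


def filter_packet(rules: list, p: Packet) -> tuple:
    """First matching rule wins; anything not expressly permitted is denied."""
    reason = sanity_checks(p)
    if reason:
        return "deny", reason
    for r in rules:
        if r.matches(p):
            return r.action, "rule"
    return "deny", "default"


RULES = [   # constructed policy: inbound SMTP and HTTP to one host, anything outbound
    Rule("permit", iface="ext", dst="192.168.1.10/32", proto="tcp", dport=25),
    Rule("permit", iface="ext", dst="192.168.1.10/32", proto="tcp", dport=80),
    Rule("permit", iface="int", src="192.168.1.0/24"),
]

if __name__ == "__main__":
    print(filter_packet(RULES, Packet("ext", "203.0.113.5", "192.168.1.10", "tcp", 25)))
    print(filter_packet(RULES, Packet("ext", "203.0.113.5", "192.168.1.10", "tcp", 23)))
    print(filter_packet(RULES, Packet("ext", "192.168.1.7", "192.168.1.10", "tcp", 25)))
```

Because the filter keeps no state, the "permit outbound anything" rule says nothing about the replies; a real deployment either adds inbound rules keyed on the ACK flag or, as the next slide describes, tracks sessions statefully.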
Firewalls – Stateful Packet Filters
- examine each IP packet in context
  - keeps track of client-server sessions
  - checks each packet validly belongs to one
- better able to detect bogus packets out of context

Firewalls - Application Level Gateway (or Proxy)

Firewalls - Application Level Gateway (or Proxy)
- use an application-specific gateway / proxy
- has full access to the protocol
  - user requests service from proxy
  - proxy validates request as legal
  - then actions request and returns result to user
- need separate proxies for each service
  - some services naturally support proxying
  - others are more problematic
  - custom services generally not supported

Firewalls - Circuit Level Gateway

Firewalls - Circuit Level Gateway
- relays two TCP connections
- imposes security by limiting which such connections are allowed
- once created usually relays traffic without examining contents
- typically used when internal users are trusted, by allowing general outbound connections
- SOCKS commonly used for this

Bastion Host
- highly secure host system
- potentially exposed to "hostile" elements
- hence is secured to withstand this
- may support 2 or more net connections
- may be trusted to enforce trusted separation between network connections
- runs circuit / application level gateways
- or provides externally accessible services

Firewall Configurations
(three figure slides; not reproduced)
Access Control
- given the system has identified a user
- determine what resources they can access
- general model is that of an access matrix with
  - subject - active entity (user, process)
  - object - passive entity (file or resource)
  - access right – way an object can be accessed
- can decompose by
  - columns as access control lists (per object: which subjects may access it, and how)
  - rows as capability tickets (per subject: which objects it may access, and how)

Access Control Matrix
Trusted Computer Systems
- information security is increasingly important
- have varying degrees of sensitivity of information
  - cf. military info classifications: confidential, secret etc
- subjects (people or programs) have varying rights of access to objects (information)
- want to consider ways of increasing confidence in systems to enforce these rights
- known as multilevel security
  - subjects have a maximum (clearance) & a current security level
  - objects have a fixed security level classification

Bell-LaPadula (BLP) Model
- one of the most famous security models
- implemented as mandatory policies on the system
- has two key policies:
- no read up (simple security property)
  - a subject can only read an object if the current security level of the subject dominates (>=) the classification of the object
- no write down (*-property)
  - a subject can only write to (or append to) an object if the current security level of the subject is dominated by (<=) the classification of the object
- a subject can therefore both read and write the same object only when the two levels are equal
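The two BLP rules, as an added example that is not part of the lecture notes. Security levels are taken as a lattice of (level, category set), where L1 dominates L2 when its level is at least L2's and its categories are a superset of L2's; the simple security property and the *-property are then the two dominance tests below, and the subject's current level may be lowered (never raised above its clearance) to allow a write to a less sensitive object. Levels, categories and labels are constructed sample values.

```python
"""Bell-LaPadula checks on a (level, categories) lattice (added example)."""
from dataclasses import dataclass, field

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


@dataclass
class Subject:
    name: str
    max_label: Label       # clearance
    current: Label         # current level; may be lowered to permit writes

    def set_current(self, label: Label) -> None:
        if not self.max_label.dominates(label):
            raise ValueError("current level may not exceed clearance")
        self.current = label


def can_read(s: Subject, obj: Label) -> bool:
    """Simple security property: no read up."""
    return s.current.dominates(obj)


def can_write(s: Subject, obj: Label) -> bool:
    """*-property: no write down (writes and appends only to objects at or above)."""
    return obj.dominates(s.current)


def can_read_write(s: Subject, obj: Label) -> bool:
    """Both at once requires the labels to be equal."""
    return can_read(s, obj) and can_write(s, obj)


if __name__ == "__main__":
    ts = Label("top secret", frozenset({"nuclear", "crypto"}))
    alice = Subject("alice", max_label=ts, current=Label("secret", frozenset({"crypto"})))
    memo = Label("confidential", frozenset({"crypto"}))
    plan = Label("top secret", frozenset({"nuclear"}))
    print(can_read(alice, memo), can_write(alice, memo))   # read yes, write no (write down)
    print(can_read(alice, plan), can_write(alice, plan))   # neither: categories differ
    alice.set_current(memo)                                # drop current level to edit memo
    print(can_read_write(alice, memo))
```

Note that the *-property blocks a high-level subject from writing even a harmless note into a low-level file; that is deliberate, since the model cannot tell a harmless note from a leak, and it is why real systems pair BLP with trusted downgraders.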
Reference Monitor

Evaluated Computer Systems
- governments can evaluate IT systems
- against a range of standards:
  - TCSEC, ITSEC and now the Common Criteria
- define a number of "levels" of evaluation with increasingly stringent checking
- have published lists of evaluated products
  - though aimed at government/defense use
  - can be useful in industry also

Summary
- have considered:
  - firewalls
  - types of firewalls
  - configurations
  - access control
  - trusted systems
Cryptography and Network Security
Third Edition
by William Stallings
Lecture slides by Lawrie Brown

Intruders
They agreed that Graham should set the test for Charles Mabledene. It was neither more nor less than that Dragon should get Stern's code. If he had the 'in' at Utting which he claimed to have this should be possible, only loyalty to Moscow Centre would prevent it. If he got the key to the code he would prove his loyalty to London Central beyond a doubt.
—Talking to Strange Men, Ruth Rendell

Intruders
- significant issue for networked systems is hostile or unwanted access
- either via network or local
- can identify classes of intruders:
  - masquerader (an outsider using a legitimate user's account)
  - misfeasor (a legitimate user misusing their privileges)
  - clandestine user (one who seizes supervisory control to evade auditing)
- varying levels of competence

Intruders
- clearly a growing publicized problem
  - from "Wily Hacker" in 1986/87
  - to clearly escalating CERT stats
- may seem benign, but still cost resources
- may use compromised system to launch other attacks
Intrusion Techniques
- aim to increase privileges on system
- basic attack methodology
  - target acquisition and information gathering
  - initial access
  - privilege escalation
  - covering tracks
- key goal often is to acquire passwords
- so then exercise access rights of owner

Password Guessing
- one of the most common attacks
- attacker knows a login (from email/web page etc)
- then attempts to guess password for it
  - try default passwords shipped with systems
  - try all short passwords
  - then try by searching dictionaries of common words
  - intelligent searches try passwords associated with the user (variations on names, birthday, phone, common words/interests)
  - before exhaustively searching all possible passwords
- check by login attempt or against stolen password file
- success depends on password chosen by user
- surveys show many users choose poorly

Password Capture
- another attack involves password capture
  - watching over shoulder as password is entered
  - using a trojan horse program to collect
  - monitoring an insecure network login (e.g. telnet, FTP, web, email)
  - extracting recorded info after successful login (web history/cache, last number dialed etc)
- using valid login/password can impersonate user
- users need to be educated to use suitable precautions/countermeasures
Intrusion Detection
- inevitably will have security failures
- so need also to detect intrusions so can
  - block if detected quickly
  - act as deterrent
  - collect info to improve security
- assume intruder will behave differently to a legitimate user
  - but will have imperfect distinction between the two

Approaches to Intrusion Detection
- statistical anomaly detection
  - threshold
  - profile based
- rule-based detection
  - anomaly
  - penetration identification

Audit Records
- fundamental tool for intrusion detection
- native audit records
  - part of all common multi-user O/S
  - already present for use
  - may not have info wanted in desired form
- detection-specific audit records
  - created specifically to collect wanted info
  - at cost of additional overhead on system
Statistical Anomaly Detection
×
threshold detection
r
count occurrences of specific event over time
r
if exceed reasonable value assume intrusion
r
alone is a crude & ineffective detector
×
profile based
r
characterize past behavior of users
r
detect significant deviations from this
r
profile usually multiparameter
Cryptography and Network Security 735
Audit Record Analysis
×
foundation of statistical approaches
×
analyze records to get metrics over time
r
counter, gauge, interval timer, resource use
×
use various tests on these to determine if
current behavior is acceptable
r
mean & standard deviation, multivariate, markov
process, time series, operational
×
key advantage is no prior knowledge used
Cryptography and Network Security 736
RuleBased Intrusion Detection
×
observe events on system & apply rules to
decide if activity is suspicious or not
×
rulebased anomaly detection
r
analyze historical audit records to identify usage
patterns & autogenerate rules for them
r
then observe current behavior & match against rules to
see if conforms
r
like statistical anomaly detection does not require prior
knowledge of security flaws
Cryptography and Network Security 737
RuleBased Intrusion Detection
×
rulebased penetration identification
r
uses expert systems technology
r
with rules identifying known penetration, weakness
patterns, or suspicious behavior
r
rules usually machine & O/S specific
r
rules are generated by experts who interview & codify
knowledge of security admins
r
quality depends on how well this is done
r
compare audit records or states against rules
Cryptography and Network Security 738
Base-Rate Fallacy
×
practically, an intrusion detection system
needs to detect a substantial percentage
of intrusions while raising few false alarms
r
if too few intrusions are detected → false sense of security
r
if too many false alarms → alarms get ignored / analyst time wasted
×
this is very hard to do because of the base-rate fallacy:
intrusions are rare compared with legitimate activity, so even a
small false-alarm rate applied to the large benign population
produces far more false alarms than true detections
×
existing systems seem not to have a good
record
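The base-rate fallacy worked through with Bayes' rule, as an added example that is not part of the lecture notes. The figures are constructed to make the effect visible: one intrusion per 100,000 audit records, a detector that catches 99% of intrusions and raises a false alarm on 1% of benign records.

```python
"""Base-rate fallacy for intrusion alarms, worked through with Bayes' rule."""


def alarm_precision(base_rate, detection_rate, false_alarm_rate):
    """P(intrusion | alarm).

    base_rate         P(intrusion) for one audit record
    detection_rate    P(alarm | intrusion)      true-positive rate
    false_alarm_rate  P(alarm | no intrusion)   false-positive rate
    """
    p_alarm = detection_rate * base_rate + false_alarm_rate * (1.0 - base_rate)
    return detection_rate * base_rate / p_alarm


def alarms_per_day(records_per_day, base_rate, detection_rate, false_alarm_rate):
    """Expected (true alarms, false alarms) an analyst sees per day."""
    intrusions = records_per_day * base_rate
    benign = records_per_day - intrusions
    return intrusions * detection_rate, benign * false_alarm_rate


def required_false_alarm_rate(base_rate, detection_rate, target_precision):
    """False-alarm rate needed for P(intrusion | alarm) to reach target_precision.

    Solve precision = d*b / (d*b + f*(1-b)) for f.
    """
    return (detection_rate * base_rate * (1.0 - target_precision)
            / (target_precision * (1.0 - base_rate)))


if __name__ == "__main__":
    # Constructed figures (see lead-in): base rate 1e-5, 99% detection, 1% false alarms.
    b, d, f = 1e-5, 0.99, 0.01
    print(f"P(intrusion | alarm) = {alarm_precision(b, d, f):.4%}")
    true_alarms, false_alarms = alarms_per_day(1_000_000, b, d, f)
    print(f"per day: {true_alarms:.1f} true alarms, {false_alarms:.1f} false alarms")
    print(f"false-alarm rate needed for 50% precision: "
          f"{required_false_alarm_rate(b, d, 0.5):.2e}")
```

With these figures only about one alarm in a thousand is a real intrusion, and a site processing a million records a day sees roughly ten true alarms buried in ten thousand false ones. To get even one real intrusion per two alarms, the false-alarm rate must be pushed down to the order of the base rate itself (about 1e-5), which is the practical difficulty the slide describes.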
Cryptography and Network Security 739
Distributed Intrusion Detection
×
traditional focus is on single systems
×
but typically have networked systems
×
more effective defense has these working
together to detect intrusions
×
issues
r
dealing with varying audit record formats
r
integrity & confidentiality of networked data
r
centralized or decentralized architecture
Cryptography and Network Security 740
Distributed Intrusion Detection –
Architecture
Cryptography and Network Security 741
Distributed Intrusion Detection –
Agent Implementation
Cryptography and Network Security 742
Honeypots
×
decoy systems to lure attackers
r
away from accessing critical systems
r
to collect information of their activities
r
to encourage attacker to stay on system so
administrator can respond
×
are filled with fabricated information
×
instrumented to collect detailed
information on attackers' activities
×
may be single or multiple networked
systems
Cryptography and Network Security 743
Password Management
×
frontline defense against intruders
×
users supply both:
r
login ID – identifies the user and determines that user's privileges
r
password – authenticates that the user is who the login ID claims
×
passwords are stored in one-way transformed (hashed) form, not as
reversible ciphertext
r
traditional Unix crypt(3): the password keys 25 iterations of a DES
variant applied to a zero block, with a 12-bit salt stored alongside
r
more recent systems use a salted, iterated cryptographic hash function
Cryptography and Network Security 744
Managing Passwords
×
need policies and good user education
×
ensure every account has a password from the moment it is created
(no blank or missing passwords)
×
ensure users change any default or initial password to
something they can remember
×
protect password file from general access
×
set technical policies to enforce good passwords
r
minimum length (>6)
r
require a mix of upper & lower case letters, numbers, punctuation
r
block known dictionary words
Cryptography and Network Security 745
Managing Passwords
×
may reactively run password guessing tools
r
note that good dictionaries exist for almost any
language/interest group
×
may enforce periodic changing of passwords
×
have the system monitor failed login attempts, and
lock out the account if too many occur in a short
period
×
do need to educate users and get support
×
balance requirements with user acceptance
×
be aware of social engineering attacks
Cryptography and Network Security 746
Proactive Password Checking
×
most promising approach to improving
password security
×
allow users to select own password
×
but have system verify it is acceptable
r
simple rule enforcement (see previous slide)
r
compare against dictionary of bad passwords
r
use an algorithmic approach (Markov model or Bloom filter) to
detect poor choices
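A proactive checker combining the rule enforcement from the earlier slide with a Bloom filter over a dictionary of bad passwords, as an added example that is not part of the lecture notes. The rules follow the slides (more than 6 characters, mixed case, a digit, punctuation); the bad-password list is constructed, and the filter sizing formulas, the double-hashing scheme over SHA-256 and the trivial-suffix check are this example's choices.

```python
"""Proactive password checking: rule enforcement plus a Bloom-filter dictionary."""
import hashlib
import math
import string


class BloomFilter:
    """Set membership in m bits with k hash positions: no false negatives,
    a tunable false-positive rate, and no need to keep the word list itself."""

    def __init__(self, expected_items, fp_rate=0.01):
        expected_items = max(1, expected_items)
        self.m = math.ceil(-expected_items * math.log(fp_rate) / (math.log(2) ** 2))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # Double hashing: h1 + i*h2 from one SHA-256 digest yields k positions.
        d = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item):
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))


# Constructed stand-in for a real bad-password dictionary.
BAD_WORDS = ["password", "letmein", "qwerty", "iloveyou", "welcome1", "Password1!"]


def build_dictionary(words, fp_rate=0.01):
    bf = BloomFilter(len(words), fp_rate)
    for w in words:
        bf.add(w.lower())
    return bf


def check_password(candidate, dictionary):
    """Return the reasons the candidate is rejected; an empty list means acceptable."""
    reasons = []
    if len(candidate) <= 6:
        reasons.append("too short")
    if not any(c.islower() for c in candidate) or not any(c.isupper() for c in candidate):
        reasons.append("needs both upper and lower case")
    if not any(c.isdigit() for c in candidate):
        reasons.append("needs a digit")
    if not any(c in string.punctuation for c in candidate):
        reasons.append("needs punctuation")
    if candidate.lower() in dictionary:
        reasons.append("in bad-password dictionary")
    # A dictionary word with digits/punctuation tacked on the end is still a bad choice.
    stripped = candidate.rstrip(string.digits + string.punctuation).lower()
    if stripped != candidate.lower() and stripped in dictionary:
        reasons.append("dictionary word with trivial suffix")
    return reasons


if __name__ == "__main__":
    bad = build_dictionary(BAD_WORDS)
    for pw in ["Tr0ub4dor&3", "Ab1!", "Password1!", "Qwerty99!"]:
        print(pw, "->", check_password(pw, bad) or "accepted")
```

The trade-off the Bloom filter buys is memory for certainty: a word that was inserted is always rejected, while an unrelated candidate is wrongly rejected with probability about `fp_rate`. For a password checker that is the right direction of error, since a false positive only costs the user another attempt.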
Cryptography and Network Security 747
Summary
×
have considered:
r
problem of intrusion
r
intrusion detection (statistical & rulebased)
r
password management
Cryptography and Network Security 748