Data Security and Encryption (CSE348) 1. Revision Lectures 16-30 2.

transcript

Data Security and Encryption

(CSE348)

Revision

Lectures 16-30

RSA RSA is the best known, and by far the most widely

used general public key encryption algorithm

First published by Rivest, Shamir & Adleman of MIT in 1978 [RIVE78]

The Rivest-Shamir-Adleman (RSA) scheme has since that time ruled supreme as the most widely accepted

Implemented general-purpose approach to public-key encryption

It is based on exponentiation in a finite (Galois) field over integers modulo a prime, using large integers (eg. 1024 bits)

Its security is due to the cost of factoring large numbers

RSA By Rivest, Shamir & Adleman of MIT in 1977 Best known & widely used public-key scheme based on exponentiation in a finite (Galois) field over

integers modulo a prime nb. exponentiation takes O((log n)3) operations (easy)

Uses large integers (eg. 1024 bits) Security due to cost of factoring large numbers

nb. factorization takes O(e log n log log n) operations (hard)

RSA En/decryption• The scheme developed by Rivest, Shamir, and

Adleman makes use of an expression with exponentials

• Plaintext is encrypted in blocks• with each block having a binary value less than some

number n• The actual RSA encryption and decryption

computations are each simply a single exponentiation mod (n)

RSA En/decryption• Both sender and receiver must know the value of n• The sender knows the value of e, and only the

receiver knows the value of d• Thus, this is a public-key encryption algorithm with a

public key of PU = {e, n} and a private key of PR = {d, n}

• The message must be smaller than the modulus• The “magic” is in the choice of the modulus and

exponents which makes the system work

RSA En/decryption

• To encrypt a message M the sender:– obtains public key of recipient PU={e,n} – computes: C = Me mod n, where 0≤M<n

• To decrypt the ciphertext C the owner:– uses their private key PR={d,n} – computes: M = Cd mod n

• The message M must be smaller than the modulus n (block if needed)

Diffie-Hellman Key Exchange Public-key cryptography systems (PKCSs)

Begins with a description of one of the earliest and simplest PKCS

Diffie-Hellman key exchange

This first published public-key algorithm appeared in the seminal paper by Diffie and Hellman

Diffie-Hellman Key Exchange That defined public-key cryptography [DIFF76b]

And is generally referred to as Diffie-Hellman key exchange

The concept had been previously described in a classified report in 1970 by Williamson (UK CESG)

And subsequently declassified in 1987, see [ELLI99]

Diffie-Hellman Key Exchange The purpose of the algorithm is to enable two users

to securely exchange a key

That can then be used for subsequent encryption of messages

The algorithm itself is limited to the exchange of secret values

A number of commercial products employ this key exchange technique

Diffie-Hellman Key Exchange

First public-key type scheme proposed

By Diffie & Hellman in 1976 along with the exposition of public key concepts now know that Williamson (UK CESG) secretly

proposed the concept in 1970

Practical method for public exchange of a secret key

Used in a number of commercial products

The purpose of the algorithm is to enable two users to securely exchange a key

That can then be used for subsequent encryption of messages

The algorithm itself is limited to the exchange of secret values

Which depends on the value of the public/private keys of the participants

Diffie-Hellman algorithm uses exponentiation in a finite (Galois) field (modulo a prime or a polynomial)

And depends for its effectiveness on the difficulty of computing discrete logarithms

A public-key distribution scheme cannot be used to exchange an arbitrary message rather it can establish a common key known only to the two participants

Value of key depends on the participants and their private and public key information

Based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) - easy

Security relies on the difficulty of computing discrete logarithms (similar to factoring) – hard

Man-in-the-Middle Attack Darth prepares by creating two private / public keys

Alice transmits her public key to Bob

Darth intercepts this and transmits his first public key to Bob

Darth also calculates a shared key with Alice

Bob receives the public key and calculates the shared key (with Darth instead of Alice)

Man-in-the-Middle Attack Bob transmits his public key to Alice

Darth intercepts this and transmits his second public key to Alice

Darth calculates a shared key with Bob

Alice receives the key and calculates the shared key (with Darth instead of Bob)

Darth can then intercept, decrypt, re-encrypt, forward all messages between Alice & Bob

ElGamal Cryptography

In 1984, T. Elgamal announced a public-key scheme based on discrete logarithms

Closely related to the Diffie-Hellman technique [ELGA84, ELGA85]

The ElGamal cryptosystem is used in some form in a number of standards

Including the digital signature standard (DSS) and the S/MIME email standard

As with Diffie-Hellman, the global elements of ElGamal are a prime number q and a

Which is a primitive root of q

User A generates a private/public key pair as shown

The security of ElGamal is based on the difficulty of computing discrete logarithms

To recover either x given y, or k given K

Public-key cryptosystem related to D-H

Uses exponentiation in a finite field

With security based difficulty of computing discrete logarithms, as in D-H

Each user (eg. A) generates their key chooses a secret key (number): 1 < xA < q-1 compute their public key: yA = axA mod q

ElGamal Message Exchange Any user B that has access to A's public key can

encrypt a message as shown

These steps correspond to Figure 9.1a in that Alice generates a public/private key pair

Bob encrypts using Alice's public key; and Alice decrypts using her private key

See text for details of why these steps result in M being recovered

ElGamal Message Exchange

ElGamal Message Exchange K functions as a one-time key, used to encrypt and

decrypt the message

If a message must be broken up into blocks and sent as a sequence of encrypted blocks, a unique value of k should be used for each block

If k is used for more than one block, knowledge of one block m of the message enables the user to compute other blocks

ElGamal Message Exchange The basic idea with El Gamal encryption is to choose

a random key, protect it

Then use it to scramble the message by multiplying the message with it

Two bits of info have to be sent: the first to recover this temporary key

The second the actual scrambled message

ElGamal Message Exchange See that El Gamal encryption involves 1 modulo

exponentiation

And a multiplication (vs 1 exponentiation for RSA)

Hash Function

• have considered:– hash functions• uses, requirements, security

– hash functions based on block ciphers– SHA-1, SHA-2, SHA-3

Hash Functions

• Condenses arbitrary message to fixed sizeh = H(M)

• Usually assume hash function is public• Hash used to detect changes to message• Want a cryptographic hash function– computationally infeasible to find data mapping to

specific hash (one-way property)– computationally infeasible to find two data to same

hash (collision-free property)29

Cryptographic Hash Function

Secure Hash Algorithm

• SHA originally designed by NIST & NSA in 1993• was revised in 1995 as SHA-1• US standard for use with DSA signature scheme – standard is FIPS 180-1 1995, also Internet RFC3174– nb. the algorithm is SHA, the standard is SHS

• Based on design of MD4 with key differences • Produces 160-bit hash values • Recent 2005 results on security of SHA-1 have raised

concerns on its use in future applications

SHA Versions

SHA-1 SHA-224 SHA-256 SHA-384 SHA-512

Message digest size 160 224 256 384 512

Message size < 264 < 264 < 264 < 2128 < 2128

Block size 512 512 512 1024 1024

Word size 32 32 32 64 64

Number of steps 80 64 64 80 80

SHA-3• SHA-1 not yet "broken”– but similar to broken MD5 & SHA-0– so considered insecure

• SHA-2 (esp. SHA-512) seems secure– shares same structure and mathematical

operations as predecessors so have concern• NIST announced in 2007 a competition for the SHA-3

next gen NIST hash function– goal to have in place by 2012 but not fixed

SHA-3 Requirements

• Replace SHA-2 with SHA-3 in any use– so use same hash sizes

• Preserve the online nature of SHA-2– so must process small blocks (512 / 1024 bits)

• Evaluation criteria– security close to theoretical max for hash sizes– cost in time & memory – characteristics: such as flexibility & simplicity

Message Authentication

• Message authentication is concerned with: – protecting the integrity of a message – validating identity of originator – non-repudiation of origin (dispute resolution)

• Will consider the security requirements• Then three alternative functions used:– hash function– message encryption– message authentication code (MAC)

Message Security Requirements

• disclosure• traffic analysis• masquerade• content modification• sequence modification• timing modification• source repudiation• destination repudiation

Message Authentication

• have considered:– message authentication requirements– message authentication using encryption– MACs– HMAC authentication using a hash function– CMAC authentication using a block cipher– Pseudorandom Number Generation (PRNG) using

Hash Functions and MACs

Digital Signatures

• Have looked at message authentication – but does not address issues of lack of trust

• Digital signatures provide the ability to: – verify author, date & time of signature– authenticate message contents – be verified by third parties to resolve disputes

• Hence include authentication function with additional capabilities

Digital Signature Model

Stallings Figure 13.1 is a generic model of the process of making and using digital signatures

Bob can sign a message using a digital signature generation algorithm

The inputs to the algorithm are the message and Bob's private key

Digital Signature Model

Any other user, say Alice, can verify the signature using a verification algorithm

Whose inputs are the message, the signature, and Bob's public key

Attacks and Forgeries• Attacks– key-only attack– known message attack– generic chosen message attack– directed chosen message attack– adaptive chosen message attack

• Break success levels– total break– selective forgery– existential forgery

Digital Signature Requirements

Must depend on the message signed Must use information unique to sender

to prevent both forgery and denial Must be relatively easy to produce Must be relatively easy to recognize & verify Be computationally infeasible to forge

with new message for existing digital signaturewith fraudulent digital signature for given message

Be practical save digital signature in storage

Digital Signatures

• have discussed:– digital signatures– ElGamal & Schnorr signature schemes– digital signature algorithm and standard

Key Management and Distribution• Topics of cryptographic key management / key

distribution are complex – cryptographic, protocol, & management issues

• Symmetric schemes require both parties to share a common secret key

• Public key schemes require parties to acquire valid public keys

• Have concerns with doing both45

Key Distribution

For symmetric encryption to work

Two parties to an exchange must share the same key

That key must be protected from access by others

Furthermore, frequent key changes are usually desirable to limit the amount of data compromised if an attacker learns the key

Key Distribution

This is one of the most critical areas in security systems

On many occasions systems have been broken

Not because of a poor encryption algorithm

But because of poor key selection or management

It is absolutely critical to get this right!

Key Distribution

Symmetric schemes require both parties to share a common secret key

Issue is how to securely distribute this key

Whilst protecting it from others

Frequent key changes can be desirable

Often secure system failure due to a break in the key distribution scheme

Key Distribution

Given parties A and B have various key distribution alternatives:

1. A can select key and physically deliver to B2. third party can select & deliver key to A & B3. if A & B have communicated previously can use

previous key to encrypt a new key4. if A & B have secure communications with a

third party C, C can relay key between A & B

Key Distribution The strength of any cryptographic system thus

depends on the key distribution technique

For two parties A and B, key distribution can be achieved in a number of ways:

Physical delivery (1 & 2) is simplest

But only applicable when there is personal contact between recipient and key issuer

Key Distribution This is fine for link encryption where devices & keys

occur in pairs

But does not scale as number of parties who wish to communicate grows

3 is mostly based on 1 or 2 occurring first, and also suffers that if an attacker ever succeeds in gaining access to one key

Key Distribution Then all subsequent keys will be revealed

A third party, whom all parties trust, can be used as a trusted intermediary

To mediate the establishment of secure communications between them (4)

Must trust intermediary not to abuse the knowledge of all session keys

Key Distribution

As number of parties grow

Some variant of 4 is only practical solution to the huge growth in number of keys potentially needed

Key Management and Distribution

• have considered:– symmetric key distribution using symmetric

encryption– symmetric key distribution using public-key

encryption– distribution of public keys• announcement, directory, authority, CA

– X.509 authentication and certificates

User Authentication

• This chapter examines some of the authentication functions that have been developed to support network-based use authentication

• User authentication is the fundamental building block and the primary line of defense

• User authentication is the basis for most types of access control and for user accountability

User Authentication

• RFC 2828 defines user authentication as the process of verifying an identity claimed by or for a system entity

• An authentication process consists of two steps:• Identification step• Verification step

User Authentication

• Identification step: Presenting an identifier to the security system

• Identifiers should be assigned carefully

• Because authenticated identities are the basis for other security services

• Such as access control service

User Authentication

• Verification step: Presenting or generating authentication information

• That corroborates the binding between the entity and the identifier

User Authentication

• In essence, identification is the means by which a user provides a claimed identity to the system

• User authentication is the means of establishing the validity of the claim

• User authentication is distinct from message authentication

User Authentication

Fundamental security building blockbasis of access control & user accountability

Process of verifying an identity claimed by or for a system entity

Has two steps:identification - specify identifierverification - bind entity (person) and identifier

Distinct from message authentication

Means of User Authentication Four means of authenticating user's identity Based one something the individual

knows - e.g. password, PIN possesses - e.g. key, token, smartcard is (static biometrics) - e.g. fingerprint, retina does (dynamic biometrics) - e.g. voice, sign

Can use alone or combined All can provide user authentication All have issues

Kerberos

Trusted key server system from MIT Provides centralised private-key third-party

authentication in a distributed network allows users access to services distributed

through network without needing to trust all workstations rather all trust a central authentication server

Two versions in use: 4 & 5

Kerberos Requirements

• Its first report identified requirements as:– secure– reliable– transparent– scalable

• implemented using an authentication protocol based on Needham-Schroeder

Kerberos Requirements

• In a more open environment, in which network connections to other machines are supported

• An approach that requires the user to prove his or her identity for each service invoked

• And also require that servers prove their identity to clients, is needed to protect user information and resources housed at the server

User Authentication

have considered: remote user authentication issues authentication using symmetric encryption the Kerberos trusted key server system authentication using asymmetric encryption federated identity management

Wireless Network Security

• have considered:– IEEE 802.11 Wireless LANs• protocol overview and security

– Wireless Application Protocol (WAP)• protocol overview

– Wireless Transport Layer Security (WTLS)

IEEE 802.11

• IEEE 802 committee for LAN standards• IEEE 802.11 formed in 1990’s– charter to develop a protocol & transmission

specifications for wireless LANs (WLANs)• since then demand for WLANs, at different

frequencies and data rates, has exploded• hence seen ever-expanding list of standards

issued

Email Security

• Email is one of the most widely used and regarded network services

• Currently message contents are not secure – may be inspected either in transit – or by suitably privileged users on destination

system

Email Security Enhancements

• Confidentiality– protection from disclosure

• Authentication– of sender of message

• Message integrity– protection from modification

• Non-repudiation of origin– protection from denial by sender

Pretty Good Privacy (PGP)

• The Pretty Good Privacy (PGP) secure email program, is a remarkable phenomenon

• Has grown explosively and is now widely used

• Largely the effort of a single person, Phil Zimmermann

• Who selected the best available crypto algorithms to use & integrated them into a single program

• PGP provides a confidentiality and authentication service that can be used for electronic mail and file storage applications

• It runs on a wide range of systems, in both free & commercial versions

• Widely used de facto secure email

• Developed by Phil Zimmermann

• Selected best available crypto algos to use

• Integrated into a single program

• On Unix, PC, Macintosh and other systems

• Originally free, now also have commercial versions available

S/MIME Messages

• S/MIME secures a MIME entity with a signature, encryption, or both

• forming a MIME wrapped PKCS object• have a range of content-types:– enveloped data– signed data– clear-signed data– registration request– certificate only message

Electronic Mail Security

• have considered:– secure email– PGP– S/MIME– domain-keys identified email

IP Security• The Internet community has developed application-

specific security mechanisms in a number of application areas

• That includes electronic mail (S/MIME, PGP), client/server (Kerberos)

• Web access (Secure Sockets Layer), and others

IP Security• However users have some security concerns that cut

across protocol layers

• By implementing security at the IP level, an organization can ensure secure networking, not only for applications

• That have security mechanisms but also for the many security-ignorant applications

IP Security

• Have a range of application specific security mechanisms– eg. S/MIME, PGP, Kerberos, SSL/HTTPS

• However there are security concerns that cut across protocol layers

• Would like security implemented by the network for all applications

IP Security• IP-level security encompasses three functional areas:

• Authentication, confidentiality, and key management

• The authentication mechanism assures that a received packet was transmitted by the party identified as the source in the packet header

• And that the packet has not been altered in transit

IP Security• The confidentiality facility enables communicating

nodes to encrypt messages to prevent eavesdropping by third parties

• The key management facility is concerned with the secure exchange of keys

• IPSec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet

IP Security• In 1994, the Internet Architecture Board (IAB) issued

a report titled "Security in the Internet Architecture" (RFC 1636)

• The report stated the general consensus that the Internet needs more and better security

• They identified key areas for security mechanisms

IP Security• To provide security, the IAB included authentication

and encryption as necessary security features in the next-generation IP

• Which has been issued as IPv6

• Fortunately, these security capabilities were designed to be usable both with the current IPv4 and the future IPv6

IP Security• general IP Security mechanisms• provides– authentication– confidentiality– key management

• applicable to use over LANs, across public & private WANs, & for the Internet

• need identified in 1994 report– need authentication, encryption in IPv4 & IPv6

IP Security

• have considered:– IPSec security framework– IPSec security policy– ESP– combining security associations– internet key exchange– cryptographic suites used

Intruders• A significant security problem for networked systems

is hostile

• Or at least unwanted, trespass being unauthorized login or use of a system, by local or remote users; or by software such as a virus, worm, or Trojan horse

• One of the two most publicized threats to security is the intruder (or hacker or cracker)

Intruders• Which Anderson identified three classes of:

• Masquerader: An individual who is not authorized to use the computer (outsider)

• Misfeasor: A legitimate user who accesses unauthorized data, programs, or resources (insider)

Intruders• Clandestine user: An individual who seizes

supervisory control of the system and uses this control to avoid auditing and access controls or to suppress audit collection (either)

Intruders

• Intruder attacks range from the benign (nonthreatening)

• Simply exploring net to see what is there

• To the serious (who attempt to read privileged data, perform unauthorized modifications, or disrupt system)

Intruders• Significant issue for networked systems is hostile or

unwanted access• Either via network or local• Can identify classes of intruders:– masquerader– misfeasor– clandestine user

• Varying levels of competence

Intruders• The intruder threat has been well publicized,

particularly because of the famous “Wily Hacker” incident of 1986–1987, documented by Cliff Stoll

• Intruder attacks range from the benign to the serious

• At the benign end of the scale, there are many people who simply wish to explore internets and see what is out there

Intruders• At the serious end are individuals who are

attempting to read privileged data

• Perform unauthorized modifications to data, or disrupt the system

• One of the results of the growing awareness of the intruder problem has been the establishment of a number of computer emergency response teams (CERTs)

Intruders• These cooperative ventures collect information about

system vulnerabilities

• And disseminate it to systems managers

• The techniques and behavior patterns of intruders are constantly shifting

Intruders• To exploit newly discovered weaknesses and to

evade detection and countermeasures

• Even so, intruders typically follow one of a number of recognizable behavior patterns

• And these patterns typically differ from those of ordinary users

Intruders• Clearly a growing publicized problem– from “Wily Hacker” in 1986/87– to clearly escalating CERT stats

• Range – benign: explore, still costs resources– serious: access/modify data, disrupt system

• Led to the development of CERTs• Intruder techniques & behavior patterns constantly

shifting, have common features

Examples of Intrusion

• Performing a remote root compromise of an e-mail server

• Defacing a Web server

• Guessing and cracking passwords

• Copying a database containing credit card numbers

• Viewing sensitive data, including payroll records and medical information, without authorization

• Running a packet sniffer on a workstation to capture usernames and passwords

• Using a permission error on an anonymous FTP server to distribute pirated software and music files

• Dialing into an unsecured modem and gaining internal network access

• Posing as an executive, calling the help desk, resetting the executive’s e-mail password, and learning the new password

• Using an unattended, logged-in workstation without permission

Intruders

• have considered:– problem of intrusion, behavior and techniques– intrusion detection (statistical & rule-based)– password management

Viruses and Other Malicious Content

• Computer viruses have got a lot of publicity • One of a family of malicious software • Effects usually obvious • Have figured in news reports, fiction, movies• Getting more attention than deserve • Are a concern though

Malicious Software

Malicious Software• The terminology used for malicious software

presents problems

• Because of a lack of universal agreement on all terms and because of overlap

• Stallings Table 21.1, and this diagram from 3/e, provide a useful taxonomy

Malicious Software• It can be divided into two categories: those that

need a host program (being a program fragment eg virus)

• Those that are independent programs (eg worm)

• Alternatively one can also differentiate between those software threats that do not replicate (are activated by a trigger)

• Those that do (producing copies of themselves)

Malicious Software

• have considered:– various malicious programs– trapdoor, logic bomb, trojan horse, zombie– viruses– worms– distributed denial of service attacks

What is a Firewall?

• A firewall is inserted between the premises network and the Internet

• To establish a controlled link and to erect an outer security wall or perimeter

• Forming a single choke point where security and audit can be imposed

What is a Firewall?

A firewall:1.defines a single choke point that keeps unauthorized

users out of the protected network

• Prohibits potentially vulnerable services from entering or leaving the network

• and provides protection from various kinds of IP spoofing and routing attacks

What is a Firewall?

2. Provides a location for monitoring security-related events

3. A convenient platform for several Internet functions that are not security related

• such as NAT and Internet usage audits or logs

What is a Firewall?

4. A firewall can serve as the platform for IPSec to implement virtual private networks

• The firewall itself must be immune to penetration

• since it will be a target of attack

What is a Firewall?• A choke point of control and monitoring • Interconnects networks with differing trust• Imposes restrictions on network services– only authorized traffic is allowed

• Auditing and controlling access– can implement alarms for abnormal behavior

• Provide NAT & usage monitoring• Implement VPNs using IPSec• Must be immune to penetration

What is a Firewall?

• Stallings Figure 22.1a illustrates the general model of firewall use on the security perimeter

• As a choke point for traffic between the external less-trusted Internet and the internal more trusted private network

Firewall Limitations• Cannot protect from attacks bypassing it– eg sneaker net, utility modems, trusted

organisations, trusted services (eg SSL/SSH)• Cannot protect against internal threats– eg dissatisfied or colluding employees

• Cannot protect against access via WLAN– if improperly secured against external use

• Cannot protect against malware imported via laptop, PDA, storage infected outside

Firewalls

• have considered:– firewalls– types of firewalls• packet-filter, stateful inspection, application proxy,

circuit-level– basing• bastion, host, personal

– location and configurations• DMZ, VPN, distributed, topologies

Cybercrime / Computer Crime

• Computer crime, or cybercrime, is a term used broadly to describe criminal activity

• In which computers or computer networks are a tool, a target, or a place of criminal activity

• These categories are not exclusive and many activities can be characterized as falling in one or more categories

• The term cybercrime has a connotation of the use of networks specifically, whereas computer crime may or may not involve networks

• The U.S. Department of Justice categorizes computer crime based on the role that the computer plays in the criminal activity, as follows:

• Computers as targets: to acquire information stored on that computer system

• To control the target system without authorization or payment (theft of service)

• Or to alter the integrity of data or interfere with the availability of the computer or server

• Computers as storage devices: as a passive storage medium

• e.g. for stolen password lists, credit card, calling card numbers, proprietary corporate information, pornographic image files, or "warez" (pirated commercial software)

• Computers as communications tools: often traditional crimes committed online

• Examples include the illegal sale of prescription drugs, controlled substances, alcohol, and guns; fraud; and gambling

• A more specific list of crimes is defined in the international Convention on Cybercrime and shown in Table 18.1, in the text

• Yet another categorization is used in the CERT 2006 annual E-crime Survey, the results of which are shown in Table 23.2

• “Criminal activity in which computers or computer networks are a tool, a target, or a place of criminal activity”

• Categorize based on computer’s role:– as target– as storage device– as communications tool

• More comprehensive categorization seen in Cybercrime Convention, Computer Crime Surveys

Cybercrime and Computer Crime

• reviewed a range of topics:– cybercrime and computer crime– intellectual property issues

Privacy• Overlaps with computer security• Have dramatic increase in scale of info

collected and stored– motivated by law enforcement, national security,

economic incentives• But individuals increasingly aware of access

and use of personal / private info• Concerns on extent of privacy compromise

have seen a range of responses

Privacy and Ethical Aspects

• reviewed a range of topics:– privacy – ethical issues

Revision

Lectures 16-30

Best of Luck

Data Security and Encryption (CSE348) 1. Revision Lectures 16-30 2.

Documents