Post on 03-Jan-2016
description
transcript
Katz, Stoica F04
EE 122: (More) Network Security
November 5, 2003
Katz, Stoica F04
EECS 122: Introduction to Computer Networks
Network Security II
Computer Science Division
Department of Electrical Engineering and Computer Sciences
University of California, Berkeley
Berkeley, CA 94720-1776
3Katz, Stoica F04
Today’s Lecture: 20
Network (IP)
Application
Transport
Link
Physical
2
7, 8, 9
10,11
14, 15, 16
21, 22, 23
25
6
17,18
19,
20
4Katz, Stoica F04
Security Requirements
Authentication - Ensures that the sender and the receiver are who they are
claiming to be
Data integrity - Ensure that data is not changed from source to destination
Confidentiality - Ensures that data is red only by authorized users
Non-repudiation- Ensures that the sender has strong evidence that the
receiver has received the message, and the receiver has strong evidence of the sender identity, strong enough such that the sender cannot deny that it has sent the message and the receiver cannot deny that it has received the message (not discussed in this lecture)
5Katz, Stoica F04
Outline
Cryptographic Algorithms (Confidentiality and Integrity)
Authentication System examples
6Katz, Stoica F04
Cryptographic Algorithms
Security foundation: cryptographic algorithms- Secret key cryptography, Data Encryption Standard
(DES)
- Public key cryptography, RSA algorithm
- Message digest, MD5
7Katz, Stoica F04
Symmetric Key
Both the sender and the receiver use the same secret keys
InternetEncrypt withsecret key
Decrypt withsecret key
Plaintext Plaintext
Ciphertext
8Katz, Stoica F04
Data Encryption Standard (DES)
DES encrypts a 64-bit block of plain text using a 64-bit key
Three phases1. Permute the 64 bits in the
block
2. Apply a given operation 16 times on the 64 bits
3. Permute the 64 bits using the inverse of the original permutation
Round 1
Round 16
... key
1st phaseIP(input)
3rd phaseIP-1(input)
2nd phase
9Katz, Stoica F04
Initial Permutation (IP)
IP: bit 58 of input becomes 1st bit, it 50 becomes 2nd bit, etc
58 50 42 34 26 18 10 2 60 52 44 36 28 20 12 462 54 46 38 30 22 14 6 64 56 48 40 32 24 16 8 57 49 41 33 25 17 9 1 59 51 43 35 27 19 11 3 61 53 45 37 29 21 13 5 63 55 47 39 31 23 15 7
IP-1: inverse of IP, e.g., IP(1) = 58, IP-1 (58) = 1
40 8 48 16 56 24 64 32 39 7 47 15 55 23 63 31 38 6 46 14 54 22 62 30 37 5 45 13 53 21 61 29 36 4 44 12 52 20 60 28 35 3 43 11 51 19 59 27 34 2 42 10 50 18 58 26 33 1 41 9 49 17 57 25
10Katz, Stoica F04
2nd Phase: Operation In Each Round
Key K is 64 bits 16 rounds Each round i select a 48
bit key Ki from the original 64 bit key K. Perform (F is a given function): +
F
63 0
63 32 31 0
Ki
Li-1 Ri-1
Li Ri
),( 11
1
iiii
ii
KRFLR
RL
11Katz, Stoica F04
Encrypting Larger Messages
Initialization Vector (IV) is a random number generated by sender and sent together with the ciphertext
+
Block1
Cipher1
DES
+
Block2
DES
+
Block3
DES
+
Block4
DES
Cipher2 Cipher3 Cipher4
IV
12Katz, Stoica F04
DES Properties
Provide confidentiality- No mathematical proof, but practical evidence suggests
that decrypting a message without knowing the key requires exhaustive search
- To increase security use triple-DES, i.e., encrypt the message three times
13Katz, Stoica F04
Public-Key Cryptography: RSA (Rivest, Shamir, and Adleman)
Sender uses a public key- Advertised to everyone
Receiver uses a private key
InternetEncrypt withpublic key
Decrypt withprivate key
Plaintext Plaintext
Ciphertext
14Katz, Stoica F04
Generating Public and Private Keys
Choose two large prime numbers p and q (~ 256 bit long) and multiply them: n = p*q
Chose encryption key e such that e and (p-1)*(q-1) are relatively prime
Compute decryption key d, where
d = e-1 mod ((p-1)*(q-1))
(equivalent to d*e = 1 mod ((p-1)*(q-1))) Public key consist of pair (n, e) Private key consists of pair (d, n)
15Katz, Stoica F04
RSA Encryption and Decryption
Encryption of message block m: - c = me mod n
Decryption of ciphertext c: - m = cd mod n
16Katz, Stoica F04
Example (1/2)
Choose p = 7 and q = 11 n = p*q = 77 Compute encryption key e: (p-1)*(q-1) = 6*10 = 60
chose e = 13 (13 and 60 are relatively prime numbers) Compute decryption key d such that 13*d = 1 mod 60
d = 37 (37*13 = 481)
17Katz, Stoica F04
Example (2/2)
n = 77; e = 13; d = 37 Send message block m = 7 Encryption: c = me mod n = 713 mod 77 = 35 Decryption: m = cd mod n = 3537 mod 77 = 7
18Katz, Stoica F04
RSA Proof Sketch (1/4)
mod properties. Suppose a = b mod k, and c = d mod k. Then
1) a + c = (b + d) mod k
2) a*c = (b*d) mod k
19Katz, Stoica F04
RSA Proof Sketch (2/4)
Theorem: Assume a and d are relatively primes, (a, d) = 1. Then a*b = a*c mod d implies b = c mod d
Proof:Since (a, d) = 1, there exists m and n such that a*m + d*n = 1 a*m = -d*n + 1 a*m = 1 mod d (1)Then, we have a*b = (a*c) mod d (a*m*b) = (a*m*c) mod d (using mod additive property) a = c mod d (from (1))
20Katz, Stoica F04
RSA Proof Sketch (3/4)
Euler Theorem: Let Φ(d) be the number of numbers less than d relative prime to d, and suppose (a, d) = 1. Then aΦ(d) = 1 mod d.
Proof:Let a1, a2, .., aΦ(d) by the prime numbers to a. Then for all i(ai, 1) = 1, (a, d) = 1, and (a*ai, d) = 1.
Note that (a*ai mod d) are Φ(d) relatively prime numbers (< d) to d.
Thus, lists a1, a2, …, aΦ(d) and (a*a1) mod n, (a*a2) mod n, …, (a*aΦ(d)) mod d,contain the same numbers!
Using mod properties we have: (a*a1)*(a*a2)* .. *(a*aΦ(d)) = (a1*a2*… *aΦ(d)) mod d aΦ(d) (a1*a2*… *aΦ(d)) = (a1*a2*… *aΦ(d)) mod d (from prev. Theorem) aΦ(d) = 1 mod d
21Katz, Stoica F04
RSA Proof Sketch (4/4)
Theorem: Suppose (1) p and q are primes, (2) n = pq, (3) e*d = 1 mod (p-1)(q-1), and (4) c = me mod n. Then m = cd mod n
Proof:Assume m = 1 mod p and m = 1 mod q (Otherwise much longer proof)
Since p and q are primes Φ(p) = p -1, Φ(q) = q -1, and Φ(p*q) = (p-1)*(q-1). Since m = 1 mod (p*q) = 1 mod n, from Euler Theorem mΦ(n) = 1 mod n m(p-1)(q-1) = 1 mod pq
ce mod n = m(e*d) mod n = c(k*(p-1)(q-1) + 1) mod pq = mk*(p-1)(q-1))* m mod pq = m mod pq = m (since m < p*q)
22Katz, Stoica F04
Properties
Confidentiality A receiver A computes n, e, d, and sends out (n, e)
- Everyone who wants to send a message to A uses (n, e) to encrypt it
How difficult is to recover d ? (Someone that can do this can decrypt any message sent to A!)
Recall that
d = e-1 mod ((p-1)*(q-1)) So to find d, you need to find primes factors p and q
- This is provable very difficult
23Katz, Stoica F04
Message Digest (MD) 5
Can provide data integrity- Used to verify the authentication of a message
Idea: compute a hash on the message and send it along with the message
Receiver can apply the same hash function on the message and see whether the result coincides with the received hash
24Katz, Stoica F04
MD 5 (cont’d)
Basic property: digest operation very hard to invert- In practice someone cannot alter the message without
modifying the digest
InternetDigest(MD5)
Plaintext
digest
Digest(MD5)
=
digest’
NO
corrupted msg Plaintext
25Katz, Stoica F04
Message Digest Operation
Transformation contains complex operations (see textbook)
512 bits 512 bits 512 bits
Message (padded)
Initial digest(constant)
Transformation
Transformation
Transformation
...
Message digest
26Katz, Stoica F04
Outline
Cryptographic Algorithms (Confidentiality and Integrity)
Authentication System examples
27Katz, Stoica F04
Authentication
Goal: Make sure that the sender an receiver are the ones they claim to be
Two solutions based on secret key cryptography (e.g., DES)
- Three-way handshaking
- Trusted third party
One solution based on public key cryptography (e.g., RSA)
- Public key authentication
28Katz, Stoica F04
Simple Three-Way Handshaking
E(m,k) – encrypt message m with key k
D(m,k) – decrypt m with key k
CHK and SHK – client and server shared secrete keys
SK – session key used for data communication
- This reduces the number of messages containing CHK and SHK
Question: how are CHK and SHK communicated in the first place?
clientId, E(x, CHK)
E(x+1, SHK), E(y,SHK)
E(y+1, CHK)
E(SK,SHK)
client server
29Katz, Stoica F04
Trusted Third Party
Trust a third party entity, authentication server Scenario: A wants to communicate with B Assumption: both A and B share secrete keys with S:
KA and KB
Notations:- T: timestamp (also serves the purpose of a random number)
- L: lifetime of the session
- K: session’s key
30Katz, Stoica F04
Trusted Third Party (cont’d)
A,B
E(T+1,K)
E((T,L,K,B),KA)E((T,L,K,A),K
B) E((A,T),KA)E((T,L,K,A),K
B)
S A B
31Katz, Stoica F04
Public Key Authentication
Based on public key cryptography Each side need only to know the
other side’s public key- No secrete key need to be shared
A encrypts a random number x and B proves that it knows x
A can authenticate itself to be in the same way
E(x, PublicB)
x
A B
32Katz, Stoica F04
Outline
Cryptographic Algorithms (Confidentiality and Integrity)
Authentication System examples
33Katz, Stoica F04
Public Key Infrastructure (PKI)
System managing public key distribution on a wide-scale
Trust distribution mechanism Allow any arbitrary level of trust
34Katz, Stoica F04
PKI Properties
Authentication via Digital Certificates Confidentiality via Encryption Integrity via Digital Signatures Non–Repudiation via Digital Signatures
35Katz, Stoica F04
Components of a PKI
36Katz, Stoica F04
Digital Certificate
Signed data structure that binds an entity with its corresponding public key
- Signed by a recognized and trusted authority, i.e., Certification Authority (CA)
- Provide assurance that a particular public key belongs to a specific entity
37Katz, Stoica F04
Certification Authority
People, processes responsible for creation, delivery and management of digital certificates
Organized in an hierarchy
CA-1 CA-2
Root CA
38Katz, Stoica F04
Registration Authority
People, processes and/or tools that are responsible for
- Authenticating the identity of new entities (users or computing devices)
- Requiring certificates from CA’s.
39Katz, Stoica F04
Certificate Repository
A database which is accessible to all users of a PKI, contains:
- Digital certificates,
- Certificate revocation information
- Policy information
40Katz, Stoica F04
Example
Alice generates her own key pair.
public keyAlice
private keyAlice
Bob generates his own key pair.
Both sent their public key to a CA and receive a digital certificate
public keyBob
private keyBob
41Katz, Stoica F04
Example
Alice gets Bob’s public key from the CA
private keyAlice
public key
Bob
private keyBob
public keyAlice
Bob gets Alice’s public key from the CA
42Katz, Stoica F04
Example
Message
Alice Bob
Hash MessageHash
Encryption Decryption
AlicePrivate
AlicePublic
Hash=?
Alice use private key to sign: use public key cryptography to provide integrity
43Katz, Stoica F04
Certificate Revocation
Process of publicly announcing that a certificate has been revoked and should no longer be used.
Approaches:- Use certificates that automatically time out
- Use certificate revocation list
- Use list that itemizes all revoked certificates in an on-line directory
44Katz, Stoica F04
Pretty Good Privacy (PGP)
Provide- Authentication
- Confidentiality
Application examples: file transfers, e-mail Authentication weaker than PKI, but
- Freely available
- Not controlled by a government or standard organization
45Katz, Stoica F04
PGP Services
Authentication Digital signature; uses DSS/SHA or RSA/SHA
Confidentiality Encryption, e.g., three-key triple DES or RSA
Also provides- Compression Zip
- E-mail compatibility Radix-64 conversion
- Segmentation
46Katz, Stoica F04
PGP: Public Key Management
No rigid public key management scheme Problem: how to get public key reliable
- Possible solution: physically or by phone. Secure but unpractical
PGP solution: build a ”web of trust” - Assume you know several variably trusted users
- Each of these indvidual can sign certificates for other users
- Each signature has asociated a trust field indicating the level of trust in the certificate
47Katz, Stoica F04
48Katz, Stoica F04
What do You Need To Know
Security requirements Cryptographic algorithms
- How does DES and RSA work (no proof for RSA)
Authentication algorithms Public key management, digital certificates (high
level)