IT 263 Winter 2006/2007 John Kristoff - DePaul University 1

Applied Networks & Security

Crypto – with Critical Analysis

http://condor.depaul.edu/~jkristof/it263/

John Kristoffjtk@depaul.edu

IT 263 Winter 2006/2007 John Kristoff - DePaul University 2

Critical analysis disclaimer

Following this disclaimer are slides used in other versions of the course. We mark up some slides using strikethroughs and underlined red in comic sans ms 20pt font. This is not meant to slight other teachers or their material. Much of the material is good and helpful so we use it.

We do this to explore complex issues, refresh dated material, correct inaccuracies and stimulate critical thinking. In some cases we are pedantic where it seems useful, but we are not exhaustive and try to avoid being overly tedious when it is unnecessary.

3

Security Technologies and Cryptography

Topics

Security technologies Cryptography Fundamentals (Symmetric,

Asymmetric, Hash, HMAC) Authentication Services Read chapter 7 One thing I've noticed missing is User Education,

this is really hard, but you still gotta do it, technical solutions can't fix the dork who helpfully gives his password to a so-called administrator who calls and asks for it

5

Layered Security Architecture

To prevent attacks, an enterprise need to build a complete and comprehensive security architecture using tools, methods and techniques that individually target some threats and work in an integrated fashion to provide a complete enterprise framework for secure computing.

One missing “piece” or aspect may endanger the whole infrastructure. Example: if you do not have virus protection, can an intruder bypass your firewalls?

What are the “tools” and technologies available?

6

Security Technologies Identity technologies Firewalls Intrusion detection systems (IDS) Intrusion Prevention Systems (IPS) Host and application security Content filtering Cryptography Physical security Methods and Policies – change control,

vulnerability assessment

7

Identities Technologies Username/password One time passwords (OTP) – Synchronous and

Asynchronous “Tokens” Remote Authentication Dial-In User Service

(RADIUS)/Terminal Access Control Access Control System (TACACS+)

Public Key Infrastructure (PKI) Biometrics Some “physical” characteristics: MAC @, IP @, Chip

ID. Side note: “strong/2-factor” authentication

terminology.

8

Firewalls

Stateless packet filters - Router with access control list (ACL)

Statefull Filters Proxy firewalls Host firewalls Much more on that in later lectures

9

Intrusion detection systems

Signature-based Network IDS Anomaly-based Network IDS

10

Intrusion Prevention Systems (IPS)

IDS with a twist! Block the attack if you identified it.

IPS also are actually next generation firewalls

11

Host and application security

File system integrity checking Antivirus protection “Sandboxing” systems Patch management and deployment

12

Content filtering

Proxy servers (also firewall) Web filtering E-mail filtering Activity monitoring

13

Cryptography

VPNs Network layer crypto (IPSEC) L5 to L7 crypto (SSL, TLS, terminal

server) File system encryption Symmetric vs. asymmetric crypto

14

Physical Security Redundancy Fire suppression Locks, bars, vaults. Note: what about your

backup tapes?? Physical lockdown of external media (see host

security) Protection against electromagnetic leaks –

Tempest. See: http://www.eskimo.com/~joelm/tempest.html http://www.divideconcept.net/index.php?page

=tempest/index.php

15

Methods and Policies

CRITICAL ASPECT!! Often overlooked Formal security policies development

and enforcement: This is the foundation of any INFOSEC program.

Acceptable Use Policies (AUP) Regular Vulnerability Assessments Software development methods Audits

16

Cryptography Cryptography is crucial: it is the key building

block for many other security services. Without it: no Ecommerce, no authentication

services, no secure logins. It is a key component that will allow:

Confidentiality Services, Integrity Services and Authentication Services.

What does Cryptography means? Origin of the word: from Greek:

Crypto – Secret Graph – Writing

Not a new concept: was used by Romans: Ceasar Cipher

17

Overview Encryption is the process of taking a message

(in “cleartext” or “plaintext” format) and transform it (in a format often called “ciphertext”) so that its meaning can not be understood.

Decryption is the process of taking the ciphertext and transforming it back to cleartext.

To encrypt a message, you will use an encryption algorithm and an encryption key.

To decrypt a message, you will use a decryption algorithm and a decryption key.

18

Characteristics of Encryption Algorithms

The Encryption/Decryption algorithms must have the following characteristics: Efficient: must minimize amount of memory

and time required to run them. Secure and/or reliable. Two choices:

Make the algorithm secret. The opponent does not know HOW to decrypt the data. Make the algorithm public.

The opponent knows “how” to decrypt the data but the only way to decrypt the data is to try all possible keys. This types of attacks are known as “brute force” attacks.

19

Keep algorithm Secret

You can “hide” the method/algorithm used by implementing it in hardware devices or through a compiled algorithm. In software: you can be target of reverse engineering: almost

always feasible to decompile/reverse engineer it. In hardware: Much harder to analyze but the secrecy can be

compromised by: A disgruntle employee. A disgruntle or careless vendor.

Now if the algorithm used to encrypt has a flaw: an attacker may be able to decrypt the data even without knowing the key.

By keeping the algorithm secret, it is not subject to the analysis of it by Cryptanalysts that may identify a weakness before large deployment.

20

Cases Studies: make method secret

Let’s take a look at some concrete solutions that used this secrecy to secure the encrypted the data: Cable TV Scrambling DVD Encoding

21

Cases Studies: Make algorithm secret

Cable/Sat TV Scrambling Rely on hardware encoding/scrambling Manufacturer rely on difficulty to analyze

hardware functions and reproduce them. However, one can find “cheap”

descrambler for sale.

22

Cases Studies: Make algorithm secret

DVD Encoding Movie industry spent years developing a standard (CSS) for encryption. After development they simply released it. Not for review, but the full

product (DVD) that relied on the standard. Encryption keys were assigned to DVD manufacturers and decryption

keys based on them were distributed to all DVD reader manufacturers to build in all DVD readers.

Two “ooopps” happened: A DVD software reader improperly protected one decryption key and it was

made public. Several “security technologists” reversed engineered and decoded the

encryption algorithm used. Soon after a software program (DeCSS) was released that allows one to

pull the decrypted data off the DVD disk and play/save it like any other multimedia file.

What was the movie industry reaction: Sue them but the damage is done: nobody can order or afford the recall of all DVD players!

Lesson learned: Security by Secrecy does not work!

23

Make the algorithm public The algorithm will be scrutinized by experts and if after some time,

nobody find a weakness: chances are: there are none! So how do you defeat the encryption? The only way is by going

through and trying all possible decryption keys! This is called a “Brute Force” attack.

How many possible keys exist? It depends on the length/size of the key. 40 bits key – 240

56 bits key – 256

128 bits key – 2128

In average you will need to go through ½ the possible keys.

However here is a fun question: how do you know you found the right key? Can you identify the plaintext? If it is English (or French for that matter) it is easy but what if it is a binary file?

24

Make the algorithm public So how do you protect the secrecy?

Use a longer key!!! However the longer the key, the longer it takes to

encrypt/decrypt the data. So we can establish that it will be possible for anybody to

decrypt the data: the problem is not IF they can decrypt it but HOW LONG will it take to decrypt it!

Make the “cost” of running a brute force attack longer than the value of the data. For example: If it takes you 4 years to decode a credit card number that has a 2

years expiration, is it worth trying? If you need to build a $10,000.00 decryption machine to decrypt

ordering information that will allow you to hijack $2,000,000.00 worth of data in 3 months, is it worth it?

25

Case Study: Reliable Algorithm with long key: is it safe?

If you use an algorithm that has no known weakness (for example 3DES) with a long enough key (for example 128 bits) you are safe from eavesdropping.

Is that really true? What could go wrong?

26

Case Study: Reliable Algorithm with long key: is it safe?

If you use an algorithm that has no known weakness (for example 3DES) with a long enough key (for example 128 bits) you are safe from eavesdropping.

Is that really true? What could go wrong?

You also need to protect your keys.

27

Friends and enemies: Alice, Bob, and Trudy

well-known in network security world Bob, Alice (lovers!) want to communicate “securely” Trudy (intruder) may intercept, delete, add messages

securesender

securereceiver

channel data, control messages

data data

Alice Bob

Trudy

28

Who might Bob, Alice be?

… well, real-life Bobs and Alices! Web browser/server for electronic

transactions (e.g., on-line purchases) on-line banking client/server DNS servers routers exchanging routing table

updates other examples?

29

There are bad guys (and girls) out there!

Q: What can a “bad guy” do?A: a lot!

eavesdrop: intercept messages actively insert messages into connection impersonation: can fake (spoof) source address in

packet (or any field in packet) hijacking: “take over” ongoing connection by

removing sender or receiver, inserting himself in place

denial of service: prevent service from being used by others (e.g., by overloading resources)

30

The language of cryptography

symmetric key crypto: sender, receiver keys identical public-key crypto: encryption key public, decryption key secret

(private)

plaintext plaintextciphertext

KA

encryptionalgorithm

decryption algorithm

Alice’s encryptionkey

Bob’s decryptionkey

KB

Symmetric key cryptography

symmetric key crypto: Bob and Alice share known same (symmetric) key: K

e.g., key is knowing substitution pattern in mono alphabetic substitution cipher

Q: how do Bob and Alice agree on key value?

plaintextciphertext

KA-B

encryptionalgorithm

decryption algorithm

A-B

KA-B

plaintextmessage, m K (m)A-B

K (m)A-Bm = K ( ) A-B

32

Symmetric key crypto: DES

DES: Data Encryption Standard US encryption standard [NIST 1993] 56-bit symmetric key, 64-bit plaintext input How secure is DES?

First DES Challenge 1997: 56-bit key-encrypted phrase (“Strong cryptography makes the world a safer place”) decrypted (brute force) in 4 months

no known “backdoor” decryption approach making DES more secure:

use three keys sequentially (3-DES) on each datum use cipher-block chaining (64-bit block)

33

Symmetric key crypto: DES

initial permutation 16 identical “rounds” of

function application, each using different 48-bit key

final permutation

DES operation

34

AES: Advanced Encryption Standard

new (Nov. 2001) symmetric-key NIST standard, replacing DES

processes data in 128-bit blocks 128, 192, or 256 bit keys brute force decryption (try each

possible key) taking 1 sec on DES, takes 149 trillion years for AES

35

Other Symmetric Encryption Standards

Wired Equivalent Privacy (WEP) Developed for 802.11 Wireless LANs 40-bit or 104-bit keys Note: WEP is NOT secure: it will prevent a casual

eavesdropper to get traffic but is easy to break. 3DES

Problem of DES: Key too short 3DES uses 3 successive iteration of DES with 3 keys (K1,

K2, K3) making an effective key length of 168-bits. Note: 3DES is very processor intensive.

36

Symmetric Encryption

Secret Key Distribution Problem How does one user/app distribute the encryption

key to the other user securely? Over the telephone? By e-mail?

Usually a system admin must enter the key manually at both ends before communication can occur (as with WEP, for example). This may present a “start-up problem”.

Also if “N” parties want to communicate with each others, how many symmetric keys must be generated?

37

Public Key Cryptography

symmetric key crypto requires sender, receiver

know shared secret key Q: how to agree on key

in first place (particularly if never “met”)?–- Key Distribution Center

public key cryptography radically different

approach [Diffie-Hellman76, RSA78]

sender, receiver do not share secret key

public encryption key known to all

private decryption key known only to receiver

38

Asymmetric Encryption Asymmetric Cryptology is the most important breakthrough is

cryptographic science in 4000 years. The key used for encryption is different than the key used for

decryption. Public Key encryption uses manipulation of message AND

mathematical properties between the keys used. Instead of using only ONE key, public key cryptography uses TWO keys that are linked together by mathematical properties. Example: Create pair of keys (1/4, 4) Use a multiplication x4 (public key) to encrypt and Use a division x ¼ (private key) to decrypt Of course, it is obvious in this case to crack the private key when knowing

the public key! Now we have 2 keys, this has great consequences in term of

confidentiality, key distribution and authentication: We can use one key as a “public” key and openly distribute it while keeping one key “private” for sole use by the party that generated the pair of keys.

39

Public key/Asymmetric cryptography Misconceptions

Public key/Asymmetric cryptography has several common misconceptions: More secure than conventional encryption: WRONG

security of the scheme only depends on the key length (assuming no flaw in encryption methods).

Make conventional encryption obsolete: WRONG because of much larger overhead of PK, usually it is only used for initial

communication and to allow 2 parties to securely communicate and exchange a common symmetric key that will then be used for all communication encryption.

Key distribution trivial: WRONG many aspects are difficult and advanced procedures must still be

involved. The private keys must also be carefully protected. Also we need a method to trustfully and reliably distribute the public key.

40

Asymmetric Cryptography Requirements

It’s computationally easy to generate a pair of keys It’s computationally easy to encrypt It’s computationally easy to decrypt It is computationally infeasible for an opponent to

derive the private key from the known public key It is computationally infeasible for an opponent to

recover the original message from the ciphertext knowing only the public key.

(useful but not necessary requirement) Either of the 2 related keys can be used for encryption and the other for decryption. M=DK-pub[EK-priv(M)]=DK-priv[EK-pub(M)]

41

Public key cryptography

plaintextmessage, m

ciphertextencryptionalgorithm

decryption algorithm

Bob’s public key

plaintextmessageK (m)B

+

K B+

Bob’s privatekey

K B-

m = K (K (m))B+

B-

RSA: Choosing keys

1. Choose two large prime numbers p, q. (e.g., 1024 bits each)

2. Compute n = pq, z = (p-1)(q-1)

3. Choose e (with e<n) that has no common factors with z. (e, z are “relatively prime”).

4. Choose d such that ed-1 is exactly divisible by z. (in other words: ed mod z = 1 ).

5. Public key is (n,e). Private key is (n,d).

K B+ K B

-

RSA: Encryption, decryption

0. Given (n,e) and (n,d) as computed above

1. To encrypt bit pattern, m, compute ( m < n )c = m mod ne (i.e., remainder when m is divided by n)e

2. To decrypt received bit pattern, c, computem = c mod nd (i.e., remainder when c is divided by n)d

m = (m mod n)e mod ndMagichappens!

c

RSA: another important property

The following property will be very useful later:

K (K (m)) = m BB- +

K (K (m)) BB+ -

=

use public key first, followed by private key

use private key first, followed by public key

Result is the same!

45

Authentication Like cryptography, authentication services are a key

foundation upon which many other services are provided. Why do we need authentication?

A user claiming a given identity must be able to verify it. Because we want to make sure we give access to the correct

users and the identity of the user has been verified via authentication services.

The user must be accountable for his/her action (non-repudiation). Accountability can only be enforced if the its identity was checked.

Authentication is not only for users: services and applications should also be authenticated. Wouldn’t you want to make sure that the web page that is displayed really comes from amazon.com before you enter your credit card number?

46

Identity and Authentication Identity services determine who the user is. “Hi all. I am Elvis!” - Elvis is my identity. Identity can be given by the user via its username, account

name, SS#, …etc… It can also be established by biometric information: a fingerprint

will declare a user identity. At the same, it can also provide authentication of the identity.

Identity must be verified using some method. It can be as easy as NONE: “Hey you say you are Elvis why

should I doubt that” Or ask for a password: “graceland” Or look for a characteristic: “He has dark hair: He is Elvis” Or ask for something he posses: “He has the keys to

Graceland, therefore he is Elvis” That identity verification process is the authentication process.

47

Authentication Methods Authentication can be established by:

Something you know: A password Something you have: you may have a hardware token, or have a

special software on the PC. Something you are: Biometric authentication, you are a specific

MAC address or IP You may want to use 1 method to authenticate a user or 2

or 3 combined. This later methods are usually referred to as “strong authentication”.

Authentication methods used must be decided based on business requirements. Some application/data access may require weak authentication some very strong.

These decisions are business decisions and must be documented in an organization’s security policy.

48

Other Services Enabled by Authentication Authorization: Is the authenticated user

authorized to perform an activity or to access a given data or application?

Accounting: Log the utilization of a resource: how long did the user access a service/application? How much data was accessed, read, written downloaded? This will be logged in audit trails for accountability purposes (charge back, non-repudiation).

49

Authentication protocols

Goal: Bob wants Alice to “prove” her identity to him

Protocol ap1.0: Alice says “I am Alice”

Failure scenario??“I am Alice”

50

Authentication protocols

Goal: Bob wants Alice to “prove” her identity to him

Protocol ap1.0: Alice says “I am Alice”

in a network,Bob cannot “see” Alice,

so Trudy simply declares

herself to be Alice“I am Alice”

51

Authentication protocols: another try

Protocol ap2.0: Alice says “I am Alice” in an IP packetcontaining her source IP address

Failure scenario??

“I am Alice”Alice’s IP address

52

Authentication protocols: another try

Protocol ap2.0: Alice says “I am Alice” in an IP packetcontaining her source IP address

Trudy can createa packet

“spoofing”Alice’s address

“I am Alice”Alice’s IP address

53

Authentication protocols: another try

Protocol ap3.0: Alice says “I am Alice” and sends her secret password to “prove” it.

Failure scenario??

“I’m Alice”Alice’s IP addr

Alice’s password

OKAlice’s IP addr

54

Authentication protocols: another try

Protocol ap3.0: Alice says “I am Alice” and sends her secret password to “prove” it.

playback attack: Trudy records Alice’s packet

and laterplays it back to Bob

“I’m Alice”Alice’s IP addr

Alice’s password

OKAlice’s IP addr

“I’m Alice”Alice’s IP addr

Alice’s password

55

Authentication protocols: yet another try

Protocol ap3.1: Alice says “I am Alice” and sends her encrypted secret password to “prove” it.

Failure scenario??

“I’m Alice”Alice’s IP addr

encrypted password

OKAlice’s IP addr

56

Authentication protocols: another try

Protocol ap3.1: Alice says “I am Alice” and sends her encrypted secret password to “prove” it.

recordand

playbackstill works!

“I’m Alice”Alice’s IP addr

encryptedpassword

OKAlice’s IP addr

“I’m Alice”Alice’s IP addr

encryptedpassword

Authentication protocols: yet another try

Goal: avoid playback attack

Failures, drawbacks?

Nonce: number (R) used only once–in-a-lifetimeap4.0: to prove Alice “live”, Bob sends Alice nonce, R. Alice

must return R, encrypted with shared secret key

“I am Alice”

R

K (R)A-BAlice is live, and only Alice knows key to encrypt

nonce, so it must be Alice!

Authentication protocols: ap5.0

ap4.0 requires shared symmetric key can we authenticate using public key techniques?ap5.0: use nonce, public key cryptography

“I am Alice”R

Bob computes

K (R)A-

“send me your public key”

K A+

(K (R)) = RA-

K A+

and knows only Alice could have the private key, that encrypted R

such that(K (R)) = RA

-K A

+

ap5.0: security holeMan (woman) in the middle attack (MITM):

Trudy poses as Alice (to Bob) and as Bob (to Alice)

I am Alice I am AliceR

TK (R)-

Send me your public key

TK +

AK (R)-

Send me your public key

AK +

TK (m)+

Tm = K (K (m))+

T-

Trudy gets

sends m to Alice encrypted with

Alice’s public key

AK (m)+

Am = K (K (m))+

A-

R

ap5.0: security holeMan (woman) in the middle attack: Trudy

poses as Alice (to Bob) and as Bob (to Alice)

Difficult to detect: Bob receives everything that Alice sends, and vice versa. (e.g., so Bob, Alice can meet one week later and recall conversation) problem is that Trudy receives all messages as well!Protocol op5.0 is only as secure as the distribution of public keys…

61

Password Authentication Most common form of authentication but we need to take some time to think

about it and see how it can be misused. Initial password selection.

How do you determine/generate the initial password? Password complexity

What type of complexity should you require? Minimum length Inclusion of letters, numbers, special characters Can the user choose it own password or should it be generated for them. Note: if it is

generate and is extremely complex, the chance that a user writes it on a note and stick it to the monitor is high! Not a great idea!

Aging Should the user be required to change it every X Days. Should they be prohibited to re-use same password or a variation of it. Popular way for

users is to use: “mypass1” then “mypass2” then “mypass3” …etc… Lockouts

Should the account be locked-out after X bad attempts? This can lead to problems if too strict.

The education of the user community is essential for the successful implementation of a good password policy.

62

Token Authentication A “Token” device or password generator is usually hand-held device

that generate a password. Has a display sometime a keypad for data/pin entry 2 main types: Synchronous and asynchronous. Synchronous

The device and the server synchronize their time. Based on the time, a password is generated.

The devices (usually) re-synch on a successful authentication. Drawback: if a user does not authenticate for a long time (usually months),

the synchronization may be lost and require manual (admin) action. Asynchronous

Use a challenge-response method Server send a message User enter a pin or password Token calculates a password and display it User enter displayed password to server

63

Biometric Authentication Basic idea: verify an identity by a unique

personal attribute (something you are) Very effective but the systems have some

characteristics you need to be aware of: False positives are possible. False negative are possible.

Become more viable and popular as system reliability and pricing are getting lower

Often used in conjunction with another authentication form (passwords, pins)

64

Biometric Examples

Fingerprint Read someone’s fingerprint

Palm Scan Similar than fingerprints but on whole hand.

Hand Geometry Based on length, width of hand and fingers

Retina Scan Look for blood vessel patterns

Iris Scan Based on colored portion of eye. Unique pattern of colors, rings, rifts, …etc..

Signature Dynamics Based on speed and patterns that an individual use to sign

Keyboard Dynamics Based on speed and motions an individual use to type a phrase or a password.

Voice Print Based on voice sounds and patterns

Facial Scan Based on an individual’s facial characteristics, bone structure, sizes.

65

Kerberos Kerberos is a set of authentication services developed

at MIT as part of project Athena. Where does name come from? Greek Mythology:

Kerberos was a 3-headed dog that guards the entrance to the underworld.

Key benefit of Kerberos: it can provide a single sign-on system for distributed and heterogeneous environments.

At the core was also the idea that it will be implemented in very hostile environments and must include authentication of users, services and hosts.

Based on a symmetric crypto key and provides end-to-end security. Passwords are never transmitted.

66

Digital Signatures

Cryptographic technique analogous to hand-written signatures.

sender (Bob) digitally signs document, establishing he is document owner/creator.

verifiable, non-forgeable: recipient (Alice) can prove to someone that Bob, and no one else (including Alice), must have signed document

Similar to authentication but not the same

67

Digital Signatures

Simple digital signature for message m: Bob signs m by encrypting with his private key K-

B, creating “signed” message, K-

B(m)

-

Dear Alice

Oh, how I have missed you. I think of you all the time! …(blah blah blah)

Bob

Bob’s message, m

Public keyencryptionalgorithm

Bob’s privatekey

K B-

Bob’s message, m, signed

(encrypted) with his private key

K B-(m)

68

Digital Signatures (more)

Suppose Alice receives msg m, digital signature K-B(m)

Alice verifies m signed by Bob by applying Bob’s public key K+B to

K-B(m) then checks K+

B(K-B(m) ) = m.

If K+B(K

-B(m) ) = m, whoever signed m must have used Bob’s

private key.

+

-

-

Alice thus verifies that:Bob signed m.No one else signed m.Bob signed m and not m’.

Non-repudiation: Alice can take m, and signature K-

B(m) to court and prove that Bob signed m.

-

69

Message Digests

Computationally expensive to public-key-encrypt long messages

Goal: fixed-length, easy- to-compute digital “fingerprint”

apply hash function H to m, get fixed size message digest, H(m).

Hash function properties: many-to-1 produces fixed-size msg

digest (fingerprint) given message digest

x, computationally infeasible to find m such that x = H(m)

large message

m

H: HashFunction

H(m)

large message

mH: Hashfunction H(m)

digitalsignature(encrypt)

Bob’s private

key K B-

+

Bob sends digitally signed message:Alice verifies signature and integrity of digitally signed message:

KB(H(m))-

encrypted msg digest

KB(H(m))-

encrypted msg digest

large message

mH: Hashfunction

H(m)

digitalsignature(decrypt)

H(m)

Bob’s public

key K B+

equal ?

Digital signature =signed message digest

71

Hash Function Algorithms

MD5 hash function widely used (RFC 1321) computes 128-bit message digest in 4-step process. arbitrary 128-bit string x, appears difficult to construct

msg m whose MD5 hash is equal to x. SHA-1 is also used. (Secure Hash Algorithm)

US Federal standard [NIST, FIPS PUB 180-1] 160-bit message digest

72

MAC Hash Function

The CRC Code that is used for error detection is an example of a hash function.

For security services, we call the hash code a Message Authentication Code (MAC) or Hash MAC (HMAC).

To ensure message Integrity (make sure that the message received was the same as the message sent): Sender calculates MAC code and appends to message Receiver calculates MAC code and compares to sender’s

MAC. If they match, then message was not altered in transmission.

73

Message Integrity Can’t an attacker modify the message AND re-

calculate the MAC? How do you ensure that the real sender calculated the Hash MAC?

For Symmetric (Private Key) systems: the sender can encrypt the HMAC using the private key and send it. The receiver then recalculates the message hash and decrypts the HMAC. If it matches: it proves that the party that possessed the encryption key created the message and the hash.

For Public Key systems: Same idea but the sender uses his private key to encrypt the hash. The receiving party uses the sender’s public key to decrypt the hash and verify it.

74

Trusted Intermediaries

Symmetric key problem: How do two entities establish

shared secret key over network?

Solution: trusted key distribution

center (KDC) acting as intermediary between entities

Public key problem: When Alice obtains Bob’s

public key (from web site, e-mail, diskette), how does she know it is Bob’s public key, not Trudy’s?

Solution: trusted certification

authority (CA)

75

Key Distribution Center (KDC)

Alice, Bob need shared symmetric key. KDC: server shares different secret key with each

registered user (many users) Alice, Bob know own symmetric keys, KA-KDC KB-KDC , for

communicating with KDC.

KB-KDC

KX-KDC

KY-KDC

KZ-KDC

KP-KDC

KB-KDC

KA-KDC

KA-KDC

KP-KDC

KDC

76

Key Distribution Center (KDC)

Aliceknows R1

Bob knows to use R1 to

communicate with Alice

Alice and Bob communicate: using R1 as session key for shared symmetric encryption

Q: How does KDC allow Bob, Alice to determine shared symmetric secret key to communicate with each other?

KDC generates

R1

KB-KDC(A,R1)

KA-KDC(A,B)

KA-KDC(R1, KB-KDC(A,R1) )

Certification Authorities

Certification authority (CA): binds public key to particular entity, E.

E (person, router) registers its public key with CA. E provides “proof of identity” to CA. CA creates certificate binding E to its public key. certificate containing E’s public key digitally signed by CA –

CA says “this is E’s public key”

Bob’s public

key K B+

Bob’s identifying

information

digitalsignature(encrypt)

CA private

key

K CA-

K B+

certificate for Bob’s public key,

signed by CA

78

Certification Authorities

When Alice wants Bob’s public key: gets Bob’s certificate (Bob or elsewhere). apply CA’s public key to Bob’s certificate, get Bob’s

public key

Bob’s public

key K B+

digitalsignature(decrypt)

CA public

key K CA+

K B+

79

Public Key Infrastructure (PKI) A PKI consist of programs, protocols, procedures, public key

encryption mechanisms, database, data formats. This comprehensive structure allows people to communicate in

a secure and predictable manner. Based on 2 main aspects:

Public key cryptology X.509 standard protocols for exchanging digital certificates

The security services it provides are: Authentication Confidentiality Integrity Non-repudiation

Fundamental Issue: How do you authenticate a person or application before you make use of their public key?

80

Digital Certificates To be part of a PKI a user or service needs a “Digital

Certificate”. The digital certificate contains the credential of the entity,

identifying information and its public key. “How can I trust the certificate?”

Because the certificate was signed by a trusted third party called the “Certificate Authority” (CA)

Key point: user certificates are assumed to have been created by some trusted Certificate Authority and placed in the directory of the CA by the CA or the user. If certificate placed by user, you need a strong mechanism to ensure

authentication of user. Note: each user still needs to protect their secret key. The

certificate and PKI do not assist you for that. Which Certificate Authorities do I trust?

Certain trusted root CAs are configured in your browser. Root CAs can then authenticate other CAs.

81

Public versus Private CA You want to use certificates, should you implement your

own CA infrastructure or purchase Certificate(s) from a well-known CA provider (Verisign, Entrust, …etc..)?

Response: well it depends on the needs, requirements and what these certificates will be used for.

Private CA Advantages: No need to spend annual $$ for renewal. Can generate large number of certificates at little/no additional

costs. Public CA Advantages:

Will be recognized as valid by all Internet Users. No need to support CA servers internally. No need to manage registration of users and certificate

revocation internally.

82

Cryptography in real life

Secure emailSecure socketsSecurity in 802.11

Secure e-mail

Alice: generates random symmetric private key, KS. encrypts message with KS (for efficiency) also encrypts KS with Bob’s public key. sends both KS(m) and KB(KS) to Bob.

Alice wants to send confidential e-mail, m, to Bob.

KS( ).

KB( ).+

+ -

KS(m )

KB(KS )+

m

KS

KS

KB+

Internet

KS( ).

KB( ).-

KB-

KS

mKS(m )

KB(KS )+

Secure e-mail

Bob: uses his private key to decrypt and recover KS

uses KS to decrypt KS(m) to recover m

Alice wants to send confidential e-mail, m, to Bob.

KS( ).

KB( ).+

+ -

KS(m )

KB(KS )+

m

KS

KS

KB+

Internet

KS( ).

KB( ).-

KB-

KS

mKS(m )

KB(KS )+

Secure e-mail (continued)

• Alice wants to provide sender authentication message integrity.

• Alice digitally signs message.• sends both message (in the clear) and digital signature.

H( ). KA( ).-

+ -

H(m )KA(H(m))-

m

KA-

Internet

m

KA( ).+

KA+

KA(H(m))-

mH( ). H(m )

compare

Secure e-mail (continued)

• Alice wants to provide secrecy, sender authentication, message integrity.

Alice uses three keys: her private key, Bob’s public key, newly created symmetric key

H( ). KA( ).-

+

KA(H(m))-

m

KA-

m

KS( ).

KB( ).+

+

KB(KS )+

KS

KB+

Internet

KS

87

Pretty Good Privacy (PGP)

Internet e-mail encryption scheme, de-facto standard.

uses symmetric key cryptography, public key cryptography, hash function, and digital signature as described.

provides secrecy, sender authentication, integrity.

inventor, Phil Zimmerman, was target of 3-year federal investigation.

---BEGIN PGP SIGNED MESSAGE---

Hash: SHA1

Bob:My husband is out of town tonight.Passionately yours, Alice

---BEGIN PGP SIGNATURE---Version: PGP 5.0Charset: noconvyhHJRHhGJGhgg/12EpJ+lo8gE4vB3

mqJhFEvZP9t6n7G6m5Gw2---END PGP SIGNATURE---

A PGP signed message:

88

Secure sockets layer (SSL)

transport layer security to any TCP-based app using SSL services.

used between Web browsers, servers for e-commerce (shttp).

security services: server authentication data encryption client authentication

(optional)

server authentication: SSL-enabled browser

includes public keys for trusted CAs.

Browser requests server certificate, issued by trusted CA.

Browser uses CA’s public key to extract server’s public key from certificate.

check your browser’s security menu to see its trusted CAs.

89

SSL (continued)

Encrypted SSL session: Browser generates symmetric

session key, encrypts it with server’s public key, sends encrypted key to server.

Using private key, server decrypts session key.

Browser, server know session key All data sent into TCP socket

(by client or server) encrypted with session key.

SSL: basis of IETF Transport Layer Security (TLS).

SSL can be used for non-Web applications, e.g., IMAP.

Client authentication can be done with client certificates.

90

IEEE 802.11 security War-driving: drive around Bay area, see what 802.11

networks available? More than 9000 accessible from public roadways 85% use no encryption/authentication packet-sniffing and various attacks easy!

Securing 802.11 encryption, authentication first attempt at 802.11 security: Wired Equivalent

Privacy (WEP): a failure current attempt: 802.11i

91

Wired Equivalent Privacy (WEP):

authentication as in protocol ap4.0 host requests authentication from access point access point sends 128 bit nonce host encrypts nonce using shared symmetric key access point decrypts nonce, authenticates host

no key distribution mechanism authentication: knowing the shared key is enough

92

802.11i: improved security

numerous (stronger) forms of encryption possible

provides key distribution uses authentication server separate

from access point

93

Network Security (summary)

Basic techniques…... cryptography (symmetric and public) authentication message integrity key distribution

…. used in many different security scenarios secure email secure transport (SSL) IP sec 802.11