Detecting Eavesdropping A Solution

Network Security (N. Dulay & M. Huth)

Classical Cryptography (2.1)

Detecting Eavesdropping

A Solution



Quantum Cryptography

Quantum Computing Quantum Cryptography

Algorithms for key distribution, coin flipping, bit commitment, oblivious transfer, etc

In 1994 Peter Schor devised a quantum computing algorithm to factorise large numbers in polynomial time!

(Un)fortunately no-one is yet able how to build a suitable quantum computer.

Can we use quantum effects to detect passive eavesdropping?

Particles (e.g. Photons) exist in N places at once with different probabilities.

We can measure position or velocity but not both

Quantum world is uncertain.

But we can use this uncertainty to generate a key!



Polarisation: Noddy's guide

Photons vibrate in some direction e.g.

Polarised when many photons vibrate in the same direction

Polarisation filters only allow photons polarised in a defined direction (angle) through, e.g100%

0%

50%

Up and down

Left and right

At some angle



Wiesner's Quantum Money Each note has a printed serial number and a set of "photon-stores"

that hold differently polarised photons. Only the Bank knows the polarisations for any serial number. We can produce counterfeit notes if we can measure the correct

polarisations. But to do this we need to guess the correct orientations.

DoC Bank £100 22AC320FR00



Wiesner's Quantum Money Filter Result

100%

0%

50%

50%

?

?



Basis

Polarisation measured in a basis.

Basis consists of 2 orthogonal directions, e.g.

If polarisation is read in a matching basis -> we learn polarisation

If read in wrong basis -> we learn a random polarisation!

Rectilinear

Diagonal

Okay

Random



Bennett & Brassard Protocol Alice sends pulses to Bob. Bob uses polarisation detectors with randomly set

basis Bob tells Alice his settings. Alice tells Bob which settings were correct. Settings map to 0 and 1’s, e.g. — and / map to 0, while | and \ map to 1. Alice and Bob only use those settings as a secret key (or 1-time pad key)

1 1 0 0 0 1 1 1 0

1 1 1 00/1 0/1 0/1 0/1 0/1



Protocol Continued

Eavesdropper Eve also does not know correct polarisations, so like Bob will pick wrong basis 50% of the time. Knowing Bob's settings after the event does not help, because she will have measured half of them incorrectly.

Worse still, Eve will introduce errors, which Alice & Bob can detect, since Eve’s wrong guesses will change polarisation of pulses

To detect Eve, Alice and Bob only need to compare a few bits in their message.

If errors found then we have an Eavesdropper.

If no errors: Use rest of message



Reading

Simon Singh, The Code Book, Chapter 8

Quantum Computing Course (482), Next term



Classical CryptographyClassical Cryptography

Michael Huth

[email protected]

www.doc.ic.ac.uk/~mrh/430/



Why Cryptography?

CONFIDENTIALITYKeep information secret

AUTHENTICATIONReceiver can verify who sender was

INTEGRITYDetect modified messages

NON-REPUDIATIONSender cannot later falsely deny sending a message. Receiver cannot falsely deny receiving it.



Encryption

Encrypt (E)Plaintext (P)hello world

Ciphertext (C)JHN+K9[

C = E (P)

Decrypt (D)Ciphertext (C) Plaintext (P)

P = D (C)

P = D (E (P))



Encryption with a Secret Key

Encrypt (E)Plaintext (P) Ciphertext (C)

C = Ek (P)

P = Dk (Ek (P))

Key (k)


P = Dk (C)

Key (k)

Kerchoff’s Principle - Secrecy should lie in keeping a key secret. Assume algorithm is known.



Encryption with 2 Keys

P = Dk2 (Ek1 (P))

Encrypt (E)Plaintext (P) Ciphertext (C)

C = Ek1 (P)

Key1 (k1)


P = Dk2 (C)

Key2 (k2)



Steganography

Dear George, 3rd March

Greetings to all at Oxford. Many thanks for your

letter and for the Summer examination package.

All Entry Forms and Fees Forms should be ready

for final dispatch to the Syndicate by Friday

20th or at the very least, I’m told, by the 21st.

Admin has improved here, though there’s room

for improvement still; just give us all two or three

more years and we’ll really show you! Please

don’t let these wretched 16+ proposals destroy

your basic O and A pattern. Certainly this

sort of change, if implemented immediately,

would bring chaos.

Conceal existence of message, e.g. 1st letter of each word, least sig. bit of graphic image

Useless once method discovered

Peter Wayner, Disappearing Cryptography, 2nd ed, Morgan Kaufmann, 2002



Steganography **

Dear George, 3rd March

Greetings to all at Oxford. Many thanks for your

letter and for the Summer examination package.

All Entry Forms and Fees Forms should be ready

for final dispatch to the Syndicate by Friday

20th or at the very least, I’m told, by the 21st.

Admin has improved here, though there’s room

for improvement still; just give us all two or three

more years and we’ll really show you! Please

don’t let these wretched 16+ proposals destroy

your basic O and A pattern. Certainly this

sort of change, if implemented immediately,

would bring chaos.



Codes

Pre-arranged set of secret codes/meanings.

BEST if used once only.Security weakens with each use if intercepted

Only small set of pre-arranged messages. What if we wanted to communicate “Launch half the missiles” or “Disarm missiles”?

EXAMPLE

Mobius -> Launch missiles

Zebra -> Don’t Launch



One-time Pad

Use a random key as long as the message. Must not reuse the key sequence ever again.

Both parties must have key sequence

Hotline between USA and USSR was rumoured to use a one-time pad.

Destroy key sequence after use

Advantages?

Disadvantages?

EXAMPLE

Key is number of places to shift letter

K 321424P launchC OCVREL

Suggest a good 1-time pad function for binary data?



Substitution Ciphers

Each letter (or group) is replaced by another letter (group)

MONOALPHABETIC CIPHEREach character is replaced by a corresponding character

CAESAR CIPHERCircularly shift each letter three positions along in the alphabet,e.g. zebra -> CHEUD

ROT13Like Caesar but rotate 13 places. Used to hide offensive jokes, solutions to puzzles etc

BRUTE FORCE ATTACK

CHEUD1 bgdtc2 afcsb3 zebra4 ydapz...25 digve

Algorithm known Only 25 keys What if Plaintext

language is not easily recognisable?



Substitution Ciphers GENERAL MONOALPHABETIC CIPHERS

Use a random mapping, e.g:

abcedfghijklmnopqrstuvwxyz

ESFNCRTBZLMVAYXUPKDJOWQGIH

increases no of keys to 26! > 4*10^26

HOMOPHONIC CIPHERSEach character has several ciphertext mappings, as many as its relative frequency

POLYGRAM CIPHERSMap groups of characters, e.g. aly -> RTQ

POLYALPHABETIC CIPHERSVary monoalphabetic cipher during ciphering/deciphering procedure

ATTACKING GENERALMONOALPHABETIC CIPHERS

Consider nature of Plaintext, e.g. statistical properties.

Frequency of letterse 12.75%t 9.25%r 8.50%n 7.75%

Frequency of common words

Repeating letters

2-letter combinations (digrams): th, in, er, re, an

3-letter combinations (trigrams): the, ing, and, ion



Rotor Machine

E.g. ENIGMA MACHINE. Polyalphabetic Cipher

Several interconnected substitution rotating cylinders.

Example:Input Rotor1 Rotor2 Rotor3

Output A A->F F->X X->N N

Rotor 3 now shifts (its substitutions change) A A->F F->X X->W W

Rotor 3 now shifts (its substitutions change)

... After 26 shifts by Rotor 3, it will be back to its original, substitution Rotor 2 now shifts.

A A->F F->B B->S S

With 3 rotors and 26 letters we have a period = 26^3 = 17,576 substitution alphabets



Transposition Ciphers

Rearrange order of characters (permutation)

SIMPLE COLUMNAR CIPHERUsing a grid, write plaintext horizontally, read ciphertext.vertically.

P launchmissilesnow

launchmissilesnow

C LMEAISUSNNSOCIWHL

ATTACK ON COLUMNAR CIPHERCiphertext has same letter frequencies as plaintext -> Easy

MULTIPLE TRANSPOSITION CIPHERSPass a plaintext through two or more transposition ciphers -> Much harder to attack.



Cryptanalysis

CIPHERTEXT ONLY ATTACK

KNOWN PLAINTEXT ATTACK

CHOSEN PLAINTEXT ATTACK

CHOSEN CIPHERTEXT ATTACK

E C known

E C knownP known

E C generatedP chosen

C chosengenerated D

Discover” key, and/or plaintext if not known

We assume algorithm is known (Kerckoff’s principle)



Cryptanalysis

EXAMPLES OF ATTACK

Passive Attacks

Active Attacks

Brute Force

Birthday

Man-in-the-Middle

Replay

Cut & Paste

Time Resetting

Many more...

PRACTICAL CRYPTANALYSISAcquire a key by any means, e.g.

Theft

Bribery (“Purchase-Key” attack)

Blackmail

Torture

Hypnosis



Cryptographic Strength UNCONDITIONALLY SECURE

No matter how much ciphertext is available, it is still not enough to infer the plaintext (even with infinite computational power). Only ONE-TIME PADS with random keys are unconditionally secure. Known as PERFECT SECRECY for encryption systems.

PROVABLY SECURECryptosystem shown to be as difficult to defeat as some supposedly difficult (number-theoretic) problem, e.g. factorisation of large primes. Has an equivalence proof.

COMPUTATIONALLY INFEASIBLE (PRACTICALLY SECURE)Belief that cryptosystem cannot be broken with “available” resources; formalizations thereof exist already, e.g. “secure for any adversary with computational power in randomized polynomial time”



Cost & Timeliness

£ COST TO BREAK > £ VALUE OF INFORMATION

TIME TO BREAK > USEFUL LIFETIME OF INFORMATION



Reading

Stallings. Chapter 2.



Cryptographic Design Vulnerabilities

Bruce SchneierIEEE Computer, Sept 98,

p29-33



Security, ha ha ha

Lock with 4 pins, each with10 positions

Burglar may need to try10,000 combinations to guarantee success (brute-force attack)

What if 10 pins?-> 10 billion positions

Great, but....



A burglar could....

Smash the windows Kick in the doors Masquerade as a policeman Threaten owner with violence etc....

Better locks can’t help with these attacks

Same is true for cryptography. Good/strong cryptography is important but not a panacea



Marketing hype

“128-bit keys mean strong security” “40-bit keys are weak” “triple-DES is much stronger than single DES”

Be wary of products making such statements/claims.

Many products are buzzword-compliant, they use strong cryptography but aren’t particularly secure



Attacks against Design

Cryptosystems use algorithms for encryption, digital signatures, one-way hash functions, random-numbers etc.

Break any one and you can usually break the whole system!

Cryptographic functions often have very narrow usage

It’s very difficult to design a secure cryptosystem, even with good software engineers, e.g. Microsoft’s Point-to-Point-Tunneling Protocol (PPTP) used an inappropriate mode for the RC4 encryption algorithm rendering it insecure



Attacks against Implementation

Many cryptosystems fail because of mistakes in implementation, e.g. don’t securely destroy unencrypted text after encryption, have code that allows buffer overflow, are poor error checking and recovery,

“Trivial” code-optimisations can break security

Implementation trade-offs e.g. to enhance usability at the expense of security

Systems that allow old keys to be recovered in an emergency



Attacks against Hardware

Highly secure environments deploy tamper-resistant hardware, e.g. tokencards, smartcards

Techniques/hardware to defeat them are also being developed, e.g. timing attack on RSA private keys measured relative times of cryptographic operations. Attacks that measure power consumption, radiation emissions, introduce faults and analyse effects

Cost to Defeat Tamper Resistance >> Value of Data



Attacks against Trust Models

Who or what in the system is trusted, in what way, and to what extend?

Some commerce systems can be broken by a merchant and a customer colluding or two different customers colluding

Many systems make poor assumptions, eg, desktop is secure, network is secure, employees are trusted

Design choices are sometimes ignored when it comes time to sell a product/system.



Attacks “on” Users

Pass on password to colleagues

Use same password on different systems

Write random passwords on paper

Don’t report missing smartcard

Don’t change (weak) default settings

Users need to be educated



Attacks against Failure Recovery

Recovering the key for one file, should not allow every file to be read

Reverse-engineering one smart card should not reveal secret info in others

Options which switch off security, or make it less secure

Version rollback attack to insecure version



Attacks against Cryptography

Proprietary algorithms/protocols -> invariably weak. Cryptanalysts are very good at breaking published algorithms, even better against proprietary ones!

Keeping the algorithm secret doesn’t make much difference against determined opponents, algorithms can be reverse-engineered



Conclusion

A good security product must defend against every possible attack, even attacks that haven’t been invented yet!

Attackers often only need find one flaw in order to defeat a system.

In addition, they can collude & conspire.

They can wait for technology to give them the edge.

But don’t worry - Cryptography is a lot fun !!



Optional but Recommended Reading

Links to these papers and documents are provided on the 430 course home page.

PriceWaterHouseCoopers’ 2010 Survey on the Global State of Information Security

Ciphertext-only Crytanalysis of the Enigma, by James J. Gillogly



Notes on Tutorial for Classical Cryptography

Michael Huth [email protected]

www.doc.ic.ac.uk/~mrh/430/



Why is Keyless Encryption bad?

Every group has own algorithm Can’t use Off-the-Shelf algorithm, no

implementation choices Change group - change algorithm Key comprise - change algorithm Poor quality control - little or no peer

review No standards Easy to reverse-engineer algorithm

Kerchoff’s principle - Assume algorithm is known, Secrecy should lie in keeping key secret.



What Encryption doesn’t handle **

Destructive Attacks, Replay attacks

Unencrypted documents, e.g. before encryption or after decryption

Modification of encryption program

Lost or Stolen keys or passwords

Traitors

Interception incl. Traffic Analysis

Successful cryptanalysis



Steganography

The supply of game for London is going steadily up. Head keep Hudson, we believe, has been now told to receive all orders for fly paper and for preservations of your hen-pheasant's life.

"The Gloria Scott"Arthur Conan Doyle.



DECRYPT

C=E(P)=

P=D(C)=

BRUTE FORCE ATTACKDetermine key for:

E Q V

WKXPEVXS



Freemason Cipher

A B C J

D E F K L

G H I M

N • O • P • W

Q • R • S • X Y

T • U • V • Z

•• •

•



Decipher

• •

? ? ? ?



SNPLTDFKAUOS

Transposition Ciphers



End-to-End Encryption

Ek DkP P

Node1(Host)

Node2 Node3 Node4(Host)

C C



Link-to-Link Encryption

Dk1 Ek2 Dk2 Ek3Ek1 Dk3P P

Node1(Host)

Node2 Node3 Node4(Host)

C1 C2 C3



Link-to-Link vs End-to-End

Msg exposed in sending host & intermediate nodes

Applied by sending host, host responsible for encryption

Transparent to processes

All messages usually encrypted

Can be done in hardware

Requires one key per link pair

Provides host/node authentication

More ciphertext

Can hide more IP headers

Msg encrypted in sending host & receiving nodes

Applied by sending process, process responsible for encryption

Process applies encryption

Process decides when to encrypt

Usually done in software

Requires one key per process pair

Provides application/user authentication

Traffic analysis easier



P1 P3

P2

Link-to-Link & End-to-End Encryption

N

N

N

N

Host Host

Host

End-to-End

Link-to-Link

Encryption/decryption devices

Date post:	31-Jan-2016
Category:	Documents
Upload:	lionel
View:	34 times
Download:	0 times

Detecting Eavesdropping A Solution

Documents