IT 263 Winter 2006/2007 John Kristoff - DePaul University 1
Applied Networks & Security
Crypto – with Critical Analysis
http://condor.depaul.edu/~jkristof/it263/
John [email protected]
Critical analysis disclaimer
Following this disclaimer are slides used in other versions of the course. We mark up some slides using strikethroughs and underlined red in comic sans ms 20pt font. This is not meant to slight other teachers or their material. Much of the material is good and helpful so we use it.
We do this to explore complex issues, refresh dated material, correct inaccuracies and stimulate critical thinking. In some cases we are pedantic where it seems useful, but we are not exhaustive and try to avoid being overly tedious when it is unnecessary.
Topics
- Security technologies
- Cryptography fundamentals (symmetric, asymmetric, hash, HMAC)
- Authentication services
- Read chapter 7
One thing I've noticed missing is user education. This is really hard, but you still gotta do it: technical solutions can't fix the dork who helpfully gives his password to a so-called administrator who calls and asks for it.
Layered Security Architecture
To prevent attacks, an enterprise needs to build a complete and comprehensive security architecture from tools, methods and techniques that each target some threats and that work together, in an integrated fashion, to provide an enterprise-wide framework for secure computing.
One missing “piece” or aspect may endanger the whole infrastructure. Example: if you do not have virus protection, can an intruder bypass your firewalls? (Yes: a user who runs an infected attachment hands the intruder code that already sits behind the firewall.)
What are the “tools” and technologies available?
Security Technologies
- Identity technologies
- Firewalls
- Intrusion detection systems (IDS)
- Intrusion prevention systems (IPS)
- Host and application security
- Content filtering
- Cryptography
- Physical security
- Methods and policies: change control, vulnerability assessment
Identity Technologies
- Username/password
- One-time passwords (OTP): synchronous and asynchronous “tokens”
- Remote Authentication Dial-In User Service (RADIUS) / Terminal Access Controller Access-Control System Plus (TACACS+)
- Public Key Infrastructure (PKI)
- Biometrics
- Some “physical” characteristics: MAC address, IP address, chip ID
Side note: “strong/2-factor” authentication terminology.
Firewalls
- Stateless packet filters: router with access control list (ACL)
- Stateful filters
- Proxy firewalls
- Host firewalls
Much more on that in later lectures.
Intrusion Prevention Systems (IPS)
IDS with a twist! Block the attack if you identified it.
IPSs are actually next-generation firewalls.
Host and application security
- File system integrity checking
- Antivirus protection
- “Sandboxing” systems
- Patch management and deployment
Content filtering
- Proxy servers (also firewall)
- Web filtering
- E-mail filtering
- Activity monitoring
Cryptography
- VPNs
- Network layer crypto (IPsec)
- L5 to L7 crypto (SSL, TLS, terminal server)
- File system encryption
- Symmetric vs. asymmetric crypto
Physical Security
- Redundancy
- Fire suppression
- Locks, bars, vaults. Note: what about your backup tapes??
- Physical lockdown of external media (see host security)
- Protection against electromagnetic leaks (Tempest). See:
http://www.eskimo.com/~joelm/tempest.html
http://www.divideconcept.net/index.php?page=tempest/index.php
Methods and Policies
CRITICAL ASPECT!! Often overlooked.
Formal security policy development and enforcement: this is the foundation of any INFOSEC program.
- Acceptable Use Policies (AUP)
- Regular vulnerability assessments
- Software development methods
- Audits
Cryptography
Cryptography is crucial: it is the key building block for many other security services. Without it: no e-commerce, no authentication services, no secure logins. It is the key component that provides confidentiality services, integrity services and authentication services.
What does cryptography mean? Origin of the word, from Greek: crypto (secret), graph (writing).
Not a new concept: it was used by the Romans (Caesar cipher).
Overview
Encryption is the process of taking a message (in “cleartext” or “plaintext” form) and transforming it into a form, often called “ciphertext”, whose meaning cannot be understood.
Decryption is the process of taking the ciphertext and transforming it back to cleartext.
To encrypt a message, you use an encryption algorithm and an encryption key.
To decrypt a message, you use a decryption algorithm and a decryption key.
Characteristics of Encryption Algorithms
The encryption/decryption algorithms must have the following characteristics:
- Efficient: minimize the amount of memory and time required to run them.
- Secure and/or reliable. Two choices:
Make the algorithm secret: the opponent does not know HOW to decrypt the data.
Make the algorithm public: the opponent knows “how” to decrypt the data, but if the algorithm has no weakness the only way to decrypt it is to try all possible keys. This type of attack is known as a “brute force” attack.
Keep algorithm secret
You can “hide” the method/algorithm used by implementing it in hardware devices or in compiled code.
In software: you can be the target of reverse engineering; it is almost always feasible to decompile/reverse engineer it.
In hardware: much harder to analyze, but the secrecy can be compromised by a disgruntled employee, or a disgruntled or careless vendor.
Now if the algorithm used to encrypt has a flaw, an attacker may be able to decrypt the data even without knowing the key.
By keeping the algorithm secret, it is not subject to analysis by cryptanalysts who might identify such a weakness before large deployment.
Case Studies: make method secret
Let's take a look at some concrete solutions that relied on this kind of secrecy to protect encrypted data: cable TV scrambling and DVD encoding.
Case Studies: Make algorithm secret
Cable/Sat TV scrambling relies on hardware encoding/scrambling. Manufacturers rely on the difficulty of analyzing the hardware functions and reproducing them. However, one can find “cheap” descramblers for sale.
Case Studies: Make algorithm secret
DVD Encoding
The movie industry spent years developing a standard (CSS) for encryption. After development they simply released it: not for review, but as the full product (DVD) that relied on the standard. Encryption keys were assigned to DVD manufacturers, and decryption keys based on them were distributed to all DVD reader manufacturers to build into all DVD readers.
Two “ooopps” happened:
- A DVD software reader improperly protected one decryption key and it was made public.
- Several “security technologists” reverse engineered and decoded the encryption algorithm used.
Soon after, a software program (DeCSS) was released that allows one to pull the decrypted data off the DVD disk and play/save it like any other multimedia file.
What was the movie industry's reaction? Sue them. But the damage is done: nobody can order or afford the recall of all DVD players!
Lesson learned: security by secrecy (“security through obscurity”) does not work!
Make the algorithm public
The algorithm will be scrutinized by experts, and if after some time nobody finds a weakness, chances are there are none (or at least none that are cheap to exploit).
So how do you defeat the encryption? The only way is by going through and trying all possible decryption keys. This is called a “brute force” attack.
How many possible keys exist? It depends on the length/size of the key:
- 40-bit key: 2^40 keys
- 56-bit key: 2^56 keys
- 128-bit key: 2^128 keys
On average you will need to go through half of the possible keys.
However, here is a fun question: how do you know you found the right key? Can you identify the plaintext? If it is English (or French, for that matter) it is easy, but what if it is a binary file? In practice the attacker needs some known or recognizable structure (a file header, a protocol field, a known plaintext) to tell the right key from the wrong ones.
Make the algorithm public
So how do you protect the secrecy? Use a longer key!!! The longer the key, the longer it takes to encrypt/decrypt the data (for symmetric ciphers the slowdown is small: each extra key bit doubles the attacker's work but barely changes yours).
So we can establish that it will be possible for anybody to decrypt the data: the problem is not IF they can decrypt it but HOW LONG it will take to decrypt it.
Make the “cost” of running a brute force attack higher than the value of the data. For example:
- If it takes you 4 years to decode a credit card number that has a 2-year expiration, is it worth trying?
- If you need to build a $10,000.00 decryption machine to decrypt ordering information that will allow you to hijack $2,000,000.00 worth of data in 3 months, is it worth it?
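To make the two questions above concrete (how much work is a brute-force search, and how does the attacker recognize the right key), here is an added Python example that is not part of the original slides. It uses a deliberately tiny cipher of my own construction (a 16-bit key stretched into a keystream with SHAKE-128, then XORed with the message) so that the whole 2^16 key space can be searched in a second or so; the message, key and file bytes are constructed sample data. The same exhaustive search is run with three different “is this the plaintext?” tests.

```python
import hashlib
import string

KEY_BITS = 16                      # toy key size: 2^16 = 65,536 keys, searchable in seconds
TRUE_KEY = 0xBEEF                  # fixed so the run is reproducible (constructed sample)

TEXT_MESSAGE = b"Attack at dawn; bring the ladders"          # constructed sample plaintext
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"                               # 8-byte signature every PNG starts with
BINARY_FILE = PNG_MAGIC + bytes.fromhex(                       # constructed sample: PNG header bytes
    "0000000d49484452000000100000001008060000001ff3ff61")


def keystream(key: int, length: int) -> bytes:
    """Stretch the short key into `length` keystream bytes with SHAKE-128 (toy cipher)."""
    return hashlib.shake_128(key.to_bytes(2, "big")).digest(length)


def encrypt(key: int, data: bytes) -> bytes:
    """Toy stream cipher: XOR the data with the keystream. Decryption is the same operation."""
    ks = keystream(key, len(data))
    return (int.from_bytes(data, "big") ^ int.from_bytes(ks, "big")).to_bytes(len(data), "big")


decrypt = encrypt

PRINTABLE = frozenset(string.printable.encode())


def looks_like_text(candidate: bytes) -> bool:
    """Distinguisher for English-like plaintext: every byte is printable ASCII."""
    return all(b in PRINTABLE for b in candidate)


def looks_like_png(candidate: bytes) -> bool:
    """Distinguisher for a binary file: a known file-format header (a 'known plaintext')."""
    return candidate.startswith(PNG_MAGIC)


def brute_force(ciphertext: bytes, accept, stop_at_first: bool = False):
    """Try every key in order. Returns (keys whose decryption `accept` liked, keys tried)."""
    hits = []
    tried = 0
    for key in range(1 << KEY_BITS):
        tried += 1
        if accept(decrypt(key, ciphertext)):
            hits.append(key)
            if stop_at_first:
                break
    return hits, tried


def run_scenarios() -> dict:
    c_text = encrypt(TRUE_KEY, TEXT_MESSAGE)
    c_bin = encrypt(TRUE_KEY, BINARY_FILE)
    return {
        # English text + printable-ASCII test: exactly one key survives.
        "text_with_text_check": brute_force(c_text, looks_like_text)[0],
        # Binary file + the same test: the true key is rejected (its output is not text),
        # so this search cannot tell right from wrong.
        "binary_with_text_check": brute_force(c_bin, looks_like_text)[0],
        # Binary file + file-header test: the right key is found again.
        "binary_with_magic_check": brute_force(c_bin, looks_like_png)[0],
        # Stopping at the first hit: keys tried before success (on average half the space).
        "keys_tried_until_hit": brute_force(c_text, looks_like_text, stop_at_first=True)[1],
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(name, [hex(k) for k in value] if isinstance(value, list) else value)
```

With a 16-bit key the whole search is cheap; every additional key bit doubles the `brute_force` loop, which is the slide's point about key length. The second scenario is the slide's “what if it is a binary file?”: without a distinguisher the search returns nothing useful, and the attacker has to fall back on structure in the data (here the PNG signature) or a known plaintext.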
Case Study: Reliable Algorithm with long key: is it safe?
If you use an algorithm that has no known weakness (for example 3DES with its 112- or 168-bit key, or AES with a 128-bit key) you are safe from eavesdropping.
Is that really true? What could go wrong?
You also need to protect your keys. A key that is guessable, stored where an attacker can read it, or sent in the clear defeats the strongest algorithm.
Friends and enemies: Alice, Bob, and Trudy
Well known in the network security world: Bob and Alice (lovers!) want to communicate “securely”; Trudy (intruder) may intercept, delete, or add messages.
(Figure: Alice, the secure sender, and Bob, the secure receiver, exchange data and control messages over a channel; Trudy sits on that channel.)
Who might Bob, Alice be?
… well, real-life Bobs and Alices!
- Web browser/server for electronic transactions (e.g., on-line purchases)
- On-line banking client/server
- DNS servers
- Routers exchanging routing table updates
- Other examples?
There are bad guys (and girls) out there!
Q: What can a “bad guy” do? A: a lot!
- eavesdrop: intercept messages
- actively insert messages into a connection
- impersonation: fake (spoof) the source address in a packet (or any field in the packet)
- hijacking: “take over” an ongoing connection by removing the sender or receiver and inserting himself in their place
- denial of service: prevent a service from being used by others (e.g., by overloading resources)
The language of cryptography
- symmetric key crypto: sender and receiver keys are identical
- public-key crypto: encryption key public, decryption key secret (private)
(Figure: plaintext goes through the encryption algorithm under Alice's encryption key K_A to produce ciphertext; the decryption algorithm under Bob's decryption key K_B recovers the plaintext.)
Symmetric key cryptography
Symmetric key crypto: Bob and Alice share the same (symmetric) key, K_A-B. E.g., the key is knowing the substitution pattern in a monoalphabetic substitution cipher.
Q: how do Bob and Alice agree on the key value?
(Figure: plaintext message m is encrypted under K_A-B to the ciphertext K_A-B(m); decryption under the same key gives m = K_A-B(K_A-B(m)).)
Symmetric key crypto: DES
DES: Data Encryption Standard, US encryption standard [NIST 1993]; 56-bit symmetric key, 64-bit plaintext input.
How secure is DES?
- First DES Challenge, 1997: a 56-bit-key-encrypted phrase (“Strong cryptography makes the world a safer place”) was decrypted by brute force in 4 months.
- No known “backdoor” decryption approach.
Making DES more secure:
- use three keys sequentially (3-DES) on each datum
- use cipher-block chaining (64-bit blocks), so that identical plaintext blocks do not produce identical ciphertext blocks (this hides patterns; it does nothing against brute force on the key)
Symmetric key crypto: DES
DES operation:
- initial permutation
- 16 identical “rounds” of function application, each using a different 48-bit round key
- final permutation
AES: Advanced Encryption Standard
New (Nov. 2001) symmetric-key NIST standard, replacing DES. Processes data in 128-bit blocks with 128, 192, or 256-bit keys. A brute force decryption (trying each possible key) that takes 1 second on DES would take 149 trillion years on AES-128.
Other Symmetric Encryption Standards
Wired Equivalent Privacy (WEP): developed for 802.11 wireless LANs; 40-bit or 104-bit keys. Note: WEP is NOT secure. It will keep a casual eavesdropper from reading traffic but is easy to break.
3DES: the problem with DES is that the key is too short. 3DES uses 3 successive iterations of DES with 3 keys (K1, K2, K3), for a nominal key length of 168 bits (the effective strength is about 112 bits because of the meet-in-the-middle attack). Note: 3DES costs three DES operations per block, so it is very processor intensive.
Symmetric Encryption
Secret key distribution problem: how does one user/app distribute the encryption key to the other user securely? Over the telephone? By e-mail?
Usually a system admin must enter the key manually at both ends before communication can occur (as with WEP, for example). This may present a “start-up problem”.
Also, if “N” parties want to communicate with each other, how many symmetric keys must be generated? One per pair: N(N-1)/2.
Public Key Cryptography
Symmetric key crypto requires that sender and receiver know a shared secret key. Q: how to agree on the key in the first place (particularly if they never “met”)? One answer: a Key Distribution Center.
Public key cryptography is a radically different approach [Diffie-Hellman76, RSA78]:
- sender and receiver do not share a secret key
- public encryption key known to all
- private decryption key known only to receiver
Asymmetric Encryption
Asymmetric cryptography is the most important breakthrough in cryptographic science in 4000 years.
The key used for encryption is different from the key used for decryption. Public key encryption uses manipulation of the message AND mathematical properties relating the keys used. Instead of using only ONE key, public key cryptography uses TWO keys that are linked together by mathematical properties.
Example: create the pair of keys (4, 1/4); use multiplication by 4 (public key) to encrypt and multiplication by 1/4 (private key) to decrypt. Of course, in this case it is obvious how to derive the private key from the public key! A real scheme needs a relationship between the keys that is easy to set up but infeasible to invert.
Now that we have 2 keys, this has great consequences in terms of confidentiality, key distribution and authentication: we can use one key as a “public” key and openly distribute it while keeping the other “private”, for sole use by the party that generated the pair of keys.
Public key/Asymmetric cryptography Misconceptions
Public key/asymmetric cryptography has several common misconceptions:
- More secure than conventional encryption: WRONG. The security of the scheme depends on the key length and the underlying hard problem (assuming no flaw in the encryption methods); a 1024-bit RSA key is not “stronger” than a 128-bit AES key just because the number is bigger.
- Makes conventional encryption obsolete: WRONG. Because of the much larger overhead of PK, it is usually only used for the initial communication, to allow 2 parties to securely exchange a common symmetric key that is then used to encrypt all further communication.
- Key distribution is trivial: WRONG. Many aspects are difficult and advanced procedures must still be involved. The private keys must be carefully protected. Also, we need a method to distribute the public key in a trustworthy and reliable manner.
Asymmetric Cryptography Requirements
- It is computationally easy to generate a pair of keys.
- It is computationally easy to encrypt.
- It is computationally easy to decrypt.
- It is computationally infeasible for an opponent to derive the private key from the known public key.
- It is computationally infeasible for an opponent to recover the original message from the ciphertext knowing only the public key.
- (Useful but not necessary requirement) Either of the 2 related keys can be used for encryption and the other for decryption: M = D_K-pub[E_K-priv(M)] = D_K-priv[E_K-pub(M)].
Public key cryptography
(Figure: plaintext message m is encrypted with Bob's public key K_B+ to give the ciphertext K_B+(m); Bob decrypts with his private key K_B- and recovers m = K_B-(K_B+(m)).)
RSA: Choosing keys
1. Choose two large prime numbers p, q (e.g., 1024 bits each).
2. Compute n = pq, z = (p-1)(q-1).
3. Choose e (with e < n) that has no common factors with z (e, z are “relatively prime”).
4. Choose d such that ed - 1 is exactly divisible by z (in other words: ed mod z = 1).
5. Public key K_B+ is (n, e). Private key K_B- is (n, d).
RSA: Encryption, decryption
0. Given (n, e) and (n, d) as computed above.
1. To encrypt bit pattern m (with m < n), compute c = m^e mod n (i.e., the remainder when m^e is divided by n).
2. To decrypt received bit pattern c, compute m = c^d mod n (i.e., the remainder when c^d is divided by n).
Magic happens: m = (m^e mod n)^d mod n.
RSA: another important property
The following property will be very useful later:
K_B-(K_B+(m)) = m = K_B+(K_B-(m))
Use the public key first, followed by the private key, or use the private key first, followed by the public key: the result is the same!
Authentication
Like cryptography, authentication services are a key foundation upon which many other services are provided. Why do we need authentication?
- A user claiming a given identity must be able to verify it, because we want to make sure we give access to the correct users, whose identity has been verified via authentication services.
- The user must be accountable for his/her actions (non-repudiation). Accountability can only be enforced if the identity was checked.
Authentication is not only for users: services and applications should also be authenticated. Wouldn't you want to make sure that the web page that is displayed really comes from amazon.com before you enter your credit card number?
Identity and Authentication
Identity services determine who the user is. “Hi all. I am Elvis!”: Elvis is my identity. Identity can be given by the user via a username, account name, SS#, etc. It can also be established by biometric information: a fingerprint will declare a user's identity and, at the same time, can provide authentication of that identity.
Identity must be verified using some method. It can be as easy as NONE: “Hey, you say you are Elvis, why should I doubt that?” Or ask for a password: “graceland”. Or look for a characteristic: “He has dark hair: he is Elvis.” Or ask for something he possesses: “He has the keys to Graceland, therefore he is Elvis.”
That identity verification process is the authentication process.
Authentication Methods
Authentication can be established by:
- Something you know: a password.
- Something you have: a hardware token, or special software on the PC.
- Something you are: biometric authentication. (The slide also lists “a specific MAC address or IP” here; note that both are trivially spoofed, so they are at best a weak hint, not an authentication factor.)
You may use 1 method to authenticate a user, or 2 or 3 combined. The latter are usually referred to as “strong authentication”.
The authentication methods used must be decided based on business requirements. Some application/data access may require weak authentication, some very strong. These decisions are business decisions and must be documented in an organization's security policy.
Other Services Enabled by Authentication
Authorization: is the authenticated user authorized to perform an activity or to access given data or an application?
Accounting: log the utilization of a resource. How long did the user access a service/application? How much data was accessed, read, written, downloaded? This is logged in audit trails for accountability purposes (charge back, non-repudiation).
Authentication protocols
Goal: Bob wants Alice to “prove” her identity to him.
Protocol ap1.0: Alice says “I am Alice”.
Failure scenario??
Authentication protocols
Protocol ap1.0: Alice says “I am Alice”.
Failure: in a network, Bob cannot “see” Alice, so Trudy simply declares herself to be Alice (“I am Alice”).
Authentication protocols: another try
Protocol ap2.0: Alice says “I am Alice” in an IP packet containing her source IP address.
Failure scenario??
Authentication protocols: another try
Protocol ap2.0: Alice says “I am Alice” in an IP packet containing her source IP address.
Failure: Trudy can create a packet “spoofing” Alice's address (“I am Alice”, Alice's IP address).
Authentication protocols: another try
Protocol ap3.0: Alice says “I am Alice” and sends her secret password to “prove” it.
Exchange: Alice → Bob: “I'm Alice”, Alice's IP address, Alice's password. Bob → Alice: OK.
Failure scenario??
Authentication protocols: another try
Protocol ap3.0: Alice says “I am Alice” and sends her secret password to “prove” it.
Failure, playback attack: Trudy records Alice's packet (“I'm Alice”, Alice's IP address, Alice's password) and later plays it back to Bob, who again answers OK.
Authentication protocols: yet another try
Protocol ap3.1: Alice says “I am Alice” and sends her encrypted secret password to “prove” it.
Exchange: Alice → Bob: “I'm Alice”, Alice's IP address, encrypted password. Bob → Alice: OK.
Failure scenario??
Authentication protocols: another try
Protocol ap3.1: Alice says “I am Alice” and sends her encrypted secret password to “prove” it.
Failure: record and playback still works! Trudy never needs the password itself; the encrypted blob is just as good to Bob, so she replays “I'm Alice”, Alice's IP address, encrypted password and gets OK.
Authentication protocols: yet another try
Goal: avoid the playback attack.
Nonce: a number (R) used only once in a lifetime.
ap4.0: to prove Alice is “live”, Bob sends Alice a nonce, R. Alice must return R encrypted with the shared secret key.
Exchange: Alice → Bob: “I am Alice”. Bob → Alice: R. Alice → Bob: K_A-B(R).
Alice is live, and only Alice knows the key to encrypt the nonce, so it must be Alice!
Failures, drawbacks?
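The replay failure of ap3.1 and the nonce fix of ap4.0, as an added Python example that is not part of the original slides. It models Bob as the verifier. The “encrypted password” of ap3.1 is a fixed blob, so a recorded copy logs in again; in ap4.0 Bob issues a fresh random R and accepts each R at most once. I use an HMAC of R under the shared key K_A-B as the “encryption” of the nonce; that is my substitution for the slide's K_A-B(R), and it proves possession of the key without handing an eavesdropper a plaintext/ciphertext pair (encrypting a known nonce with a stream cipher leaks keystream, which is how WEP's shared-key authentication was broken). The key and password are constructed sample values.

```python
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed-example-K_A-B"   # K_A-B, known to Alice and Bob only (sample value)

# ---- ap3.1: the same "encrypted" password is sent on every login -----------------------
STORED_BLOB = hashlib.sha256(b"graceland").digest()   # what Bob compares against (constructed)


def ap31_login(presented_blob: bytes) -> bool:
    """Bob's check in ap3.1: is the presented blob the one on file? Same blob every time."""
    return hmac.compare_digest(presented_blob, STORED_BLOB)


def ap31_run():
    alice_blob = hashlib.sha256(b"graceland").digest()   # Alice logs in ...
    recorded = alice_blob                                 # ... Trudy sniffs the packet ...
    return ap31_login(alice_blob), ap31_login(recorded)   # ... and replays it later


# ---- ap4.0: nonce challenge/response ---------------------------------------------------
def respond(key: bytes, nonce: bytes) -> bytes:
    """Alice's side: prove knowledge of K_A-B by keying a MAC over R (stands in for K_A-B(R))."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class Bob:
    """Verifier. Remembers every nonce it issued and consumes it on first use."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = set()

    def challenge(self) -> bytes:
        r = secrets.token_bytes(16)          # fresh, unpredictable R
        self.outstanding.add(r)
        return r

    def verify(self, r: bytes, response: bytes) -> bool:
        if r not in self.outstanding:        # never issued, or already used: a replay
            return False
        self.outstanding.discard(r)          # each R is good for exactly one response
        expected = hmac.new(self.key, r, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def ap40_run():
    bob = Bob(SHARED_KEY)
    r = bob.challenge()
    resp = respond(SHARED_KEY, r)            # genuine Alice answers R
    genuine = bob.verify(r, resp)
    replay_same = bob.verify(r, resp)        # Trudy replays the recorded (R, response)
    r2 = bob.challenge()
    replay_new = bob.verify(r2, resp)        # Trudy answers a new challenge with the old response
    r3 = bob.challenge()
    wrong_key = bob.verify(r3, respond(b"wrong-key", r3))   # Trudy guesses the key
    return genuine, replay_same, replay_new, wrong_key


if __name__ == "__main__":
    print("ap3.1 (Alice, Trudy's replay):", ap31_run())
    print("ap4.0 (Alice, replay, old response vs new R, wrong key):", ap40_run())
```

Two details carry the security argument: R comes from `secrets`, so Trudy cannot predict the next challenge and precompute a response, and Bob deletes R from `outstanding` before checking the MAC, so even a correct response is accepted only once. A real server also needs to expire unanswered nonces so the set does not grow without bound.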
Authentication protocols: ap5.0
ap4.0 requires a shared symmetric key. Can we authenticate using public key techniques?
ap5.0: use a nonce and public key cryptography.
Exchange: Alice → Bob: “I am Alice”. Bob → Alice: R. Alice → Bob: K_A-(R). Bob → Alice: “send me your public key”. Alice → Bob: K_A+.
Bob computes K_A+(K_A-(R)) = R and knows only Alice could have the private key that encrypted R such that K_A+(K_A-(R)) = R.
ap5.0: security hole
Man (woman) in the middle attack (MITM): Trudy poses as Alice (to Bob) and as Bob (to Alice).
- Alice → Trudy → Bob: “I am Alice”.
- Bob → Trudy: R. Trudy → Bob: K_T-(R). Bob → Trudy: “send me your public key”. Trudy → Bob: K_T+. Bob checks K_T+(K_T-(R)) = R and is satisfied.
- Trudy → Alice: R. Alice → Trudy: K_A-(R). Trudy → Alice: “send me your public key”. Alice → Trudy: K_A+.
- Bob sends m to “Alice” encrypted with what he believes is Alice's public key: K_T+(m). Trudy gets m = K_T-(K_T+(m)), then sends m on to Alice encrypted with Alice's real public key, K_A+(m); Alice reads m = K_A-(K_A+(m)).
Difficult to detect: Bob receives everything that Alice sends, and vice versa (e.g., Bob and Alice can meet one week later and recall the conversation). The problem is that Trudy receives all messages as well!
Protocol ap5.0 is only as secure as the distribution of public keys…
Password Authentication
The most common form of authentication, but we need to take some time to think about it and see how it can be misused.
- Initial password selection: how do you determine/generate the initial password?
- Password complexity: what type of complexity should you require? Minimum length, inclusion of letters, numbers, special characters. Can the user choose their own password or should it be generated for them? Note: if it is generated and extremely complex, the chance that a user writes it on a note and sticks it to the monitor is high! Not a great idea!
- Aging: should the user be required to change it every X days? Should they be prohibited from re-using the same password or a variation of it? A popular trick for users is “mypass1”, then “mypass2”, then “mypass3”, etc.
- Lockouts: should the account be locked out after X bad attempts? This can lead to problems if too strict (an attacker can lock legitimate users out on purpose).
The education of the user community is essential for the successful implementation of a good password policy.
Token Authentication
A “token” device or password generator is usually a hand-held device that generates a password. It has a display and sometimes a keypad for data/PIN entry. 2 main types: synchronous and asynchronous.
Synchronous: the device and the server synchronize their time (or an event counter). Based on the time, a password is generated. The devices (usually) re-synch on a successful authentication. Drawback: if a user does not authenticate for a long time (usually months), synchronization may be lost and require manual (admin) action.
Asynchronous: uses a challenge-response method. The server sends a challenge; the user enters a PIN or password; the token calculates a password and displays it; the user enters the displayed password to the server.
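An added Python example (not from the original slides) of both token types. Synchronous tokens are today standardized as HOTP (RFC 4226, counter based) and TOTP (RFC 6238, time based: the counter is the number of 30-second steps since the epoch), which is what the code implements; the verifier's drift window is the “re-synch” the slide refers to. The challenge-response function for the asynchronous token is my own construction for illustration, not a standard. `DEMO_SECRET` is the RFC 4226 test-vector secret, so the values can be checked against the RFC.

```python
import hashlib
import hmac
import struct
import time

DEMO_SECRET = b"12345678901234567890"   # RFC 4226 test-vector secret; a real token gets a random one


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks 4 bytes
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): synchronous token; counter = number of `step`-second intervals so far."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: float, step: int = 30, window: int = 1) -> bool:
    """Server side: accept codes from +/- `window` steps to tolerate clock drift (re-synch).
    A token that has drifted further than the window needs a manual resync, as the slide notes."""
    current = int(unix_time) // step
    return any(hmac.compare_digest(hotp(secret, current + k, len(code)), code)
               for k in range(-window, window + 1))


def challenge_response(secret: bytes, challenge: bytes, pin: str, digits: int = 6) -> str:
    """Asynchronous token (constructed example, not a standard): the server's challenge and the
    user's PIN are folded into the MAC, so the displayed code is bound to this challenge only."""
    mac = hmac.new(secret, challenge + pin.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    now = time.time()
    shown = totp(DEMO_SECRET, now)
    print("token shows:", shown)
    print("server accepts:", verify_totp(DEMO_SECRET, shown, now))
    print("challenge/response:", challenge_response(DEMO_SECRET, b"server-nonce-1234", "4321"))
```

The `window` parameter is the trade-off the slide hints at: a wider window tolerates more drift but gives a guesser proportionally more valid codes per attempt, so servers keep it small and combine it with rate limiting. The same HOTP function with an event counter instead of time gives the other common synchronous design.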
Biometric Authentication
Basic idea: verify an identity by a unique personal attribute (something you are).
Very effective, but the systems have some characteristics you need to be aware of: false positives (accepting an impostor) are possible; false negatives (rejecting the legitimate user) are possible.
Becoming more viable and popular as system reliability improves and pricing gets lower.
Often used in conjunction with another authentication form (passwords, PINs).
Biometric Examples
- Fingerprint: read someone's fingerprint.
- Palm scan: similar to fingerprints but on the whole hand.
- Hand geometry: based on length and width of hand and fingers.
- Retina scan: looks for blood vessel patterns.
- Iris scan: based on the colored portion of the eye; unique pattern of colors, rings, rifts, etc.
- Signature dynamics: based on the speed and patterns an individual uses to sign.
- Keyboard dynamics: based on the speed and motions an individual uses to type a phrase or a password.
- Voice print: based on voice sounds and patterns.
- Facial scan: based on an individual's facial characteristics, bone structure, sizes.
Kerberos
Kerberos is a set of authentication services developed at MIT as part of Project Athena. Where does the name come from? Greek mythology: Kerberos was the 3-headed dog that guards the entrance to the underworld.
Key benefit of Kerberos: it can provide a single sign-on system for distributed and heterogeneous environments.
At the core was also the idea that it would be deployed in very hostile environments and must include authentication of users, services and hosts.
Based on symmetric crypto keys and provides end-to-end security. Passwords are never transmitted: the user's key, derived from the password, is only used locally to decrypt what the Kerberos server sends back.
Digital Signatures
Cryptographic technique analogous to hand-written signatures.
- The sender (Bob) digitally signs a document, establishing he is the document owner/creator.
- Verifiable, non-forgeable: the recipient (Alice) can prove to someone that Bob, and no one else (including Alice), must have signed the document.
Similar to authentication but not the same.
Digital Signatures
Simple digital signature for message m: Bob signs m by encrypting it with his private key K_B-, creating the “signed” message K_B-(m).
(Figure: Bob's message m, “Dear Alice, Oh, how I have missed you. I think of you all the time! …(blah blah blah) Bob”, goes through the public key encryption algorithm under Bob's private key K_B-, giving the message signed (encrypted) with his private key, K_B-(m).)
Digital Signatures (more)
Suppose Alice receives message m and the digital signature K_B-(m).
Alice verifies that m was signed by Bob by applying Bob's public key K_B+ to K_B-(m) and checking that K_B+(K_B-(m)) = m.
If K_B+(K_B-(m)) = m, whoever signed m must have used Bob's private key.
Alice thus verifies that: Bob signed m; no one else signed m; Bob signed m and not m'.
Non-repudiation: Alice can take m and the signature K_B-(m) to court and prove that Bob signed m.
Message Digests
It is computationally expensive to public-key-encrypt long messages.
Goal: a fixed-length, easy-to-compute digital “fingerprint”. Apply a hash function H to m to get a fixed-size message digest, H(m).
Hash function properties:
- many-to-1
- produces a fixed-size message digest (fingerprint)
- given a message digest x, it is computationally infeasible to find m such that x = H(m)
(Figure: a large message m goes through the hash function H to produce H(m).)
Bob sends a digitally signed message: he hashes the large message m with H, then signs (encrypts) H(m) with his private key K_B-, giving the encrypted message digest K_B-(H(m)), which he sends along with m.
Alice verifies the signature and integrity of the digitally signed message: she hashes the received m with H to get H(m), applies Bob's public key K_B+ to K_B-(H(m)) to recover the signed digest, and checks whether the two are equal.
Digital signature = signed message digest.
Hash Function Algorithms
MD5 hash function, widely used (RFC 1321): computes a 128-bit message digest in a 4-step process. For an arbitrary 128-bit string x, it appears difficult to construct a message m whose MD5 hash is equal to x.
SHA-1 (Secure Hash Algorithm) is also used: US Federal standard [NIST, FIPS PUB 180-1], 160-bit message digest.
Update: practical collisions have since been published for both MD5 (2004) and SHA-1 (2017), so neither should be used where collision resistance matters (signatures, certificates); use SHA-2 (e.g., SHA-256) or SHA-3.
MAC Hash Function
The CRC code used for error detection is an example of a (non-cryptographic) hash function: it detects accidental corruption, but anyone can recompute it.
For security services we need a keyed hash, called a Message Authentication Code (MAC); HMAC is the standard construction of a MAC from a hash function such as SHA-256.
To ensure message integrity (make sure that the message received is the same as the message sent): the sender calculates the MAC over the message using the shared key and appends it to the message; the receiver recalculates the MAC and compares it to the sender's MAC. If they match, the message was not altered in transmission, and it came from someone holding the key.
Message Integrity
Can't an attacker modify the message AND recalculate the MAC? Only if the attacker has the key: the MAC is a function of the message and a secret key, which is exactly what distinguishes it from a plain hash. How do you ensure that the real sender calculated the HMAC?
For symmetric (shared key) systems: the key used for the HMAC is shared only between sender and receiver, so a matching HMAC proves that a party possessing the key created the message and the tag. (The slide describes this as encrypting the hash with the shared key; with HMAC the key is mixed into the hash computation itself rather than used to encrypt its output.)
For public key systems: same idea, but the sender uses his private key to sign the hash. The receiving party uses the sender's public key to verify the signed hash.
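As an added Python example (not part of the original slides), the integrity check from the two slides above, run twice: once with a bare hash appended to the message, once with HMAC-SHA256 under a key shared by sender and receiver. The same tampering attempt succeeds against the first and fails against the second. Key and message are constructed sample values.

```python
import hashlib
import hmac

SHARED_KEY = b"constructed-example-key-held-by-sender-and-receiver"   # sample value
MESSAGE = b"transfer $100 to account 42"                              # sample value


def unkeyed_tag(message: bytes) -> bytes:
    """A plain hash appended to the message: detects accidental corruption only."""
    return hashlib.sha256(message).digest()


def mac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256: the key enters the hash computation, so only key holders can produce it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def receiver_check(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time; a plain == would leak where the first mismatch is.
    return hmac.compare_digest(mac_tag(key, message), tag)


def tamper(message: bytes) -> bytes:
    """The attacker's edit in transit."""
    return message.replace(b"$100", b"$900")


def attack_unkeyed(message: bytes) -> bool:
    """Attacker rewrites the message and simply recomputes the hash. Does a hash-only receiver accept?"""
    forged = tamper(message)
    forged_tag = unkeyed_tag(forged)                  # nothing secret is needed to make this
    return hmac.compare_digest(unkeyed_tag(forged), forged_tag)


def attack_keyed(key: bytes, message: bytes, tag: bytes) -> bool:
    """Attacker rewrites the message but has no key, so the best it can do is reuse the old tag
    (or guess one). Does the HMAC receiver accept?"""
    return receiver_check(key, tamper(message), tag)


def demo() -> dict:
    tag_mac = mac_tag(SHARED_KEY, MESSAGE)
    return {
        "genuine_accepted": receiver_check(SHARED_KEY, MESSAGE, tag_mac),
        "hash_only_fooled": attack_unkeyed(MESSAGE),
        "hmac_fooled": attack_keyed(SHARED_KEY, MESSAGE, tag_mac),
        "wrong_key_rejected": not receiver_check(b"some-other-key", MESSAGE, tag_mac),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The only difference between the two receivers is that `mac_tag` takes a key. That is the whole answer to the slide's question: without a key, “recalculate the MAC” is something the attacker can do too.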
Trusted Intermediaries
Symmetric key problem: how do two entities establish a shared secret key over the network? Solution: a trusted key distribution center (KDC) acting as intermediary between entities.
Public key problem: when Alice obtains Bob's public key (from a web site, e-mail, diskette), how does she know it is Bob's public key, not Trudy's? Solution: a trusted certification authority (CA).
Key Distribution Center (KDC)
Alice and Bob need a shared symmetric key. KDC: a server that shares a different secret key with each registered user (many users). Alice and Bob know their own symmetric keys, K_A-KDC and K_B-KDC, for communicating with the KDC.
(Figure: the KDC holds K_A-KDC, K_B-KDC, K_P-KDC, K_X-KDC, K_Y-KDC, K_Z-KDC, …; each user holds only its own key.)
Key Distribution Center (KDC)
Q: How does the KDC allow Bob and Alice to determine a shared symmetric secret key to communicate with each other?
1. Alice → KDC: K_A-KDC(A, B) (“I want to talk to Bob”).
2. The KDC generates a fresh session key R1 and replies, KDC → Alice: K_A-KDC(R1, K_B-KDC(A, R1)). Alice now knows R1.
3. Alice → Bob: K_B-KDC(A, R1). Bob decrypts it with his KDC key and knows to use R1 to communicate with Alice.
4. Alice and Bob communicate using R1 as the session key for shared symmetric encryption.
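The four-message KDC exchange above as an added Python example (not part of the original slides). The slide's K_X-KDC(...) notation stands for authenticated symmetric encryption; since Python's standard library has no block cipher, `seal`/`open_` below is a toy encrypt-then-MAC construction of my own (HMAC-SHA256 keystream plus an HMAC tag) that should be replaced by AES-GCM or ChaCha20-Poly1305 in real code. Names, keys and the message payloads are constructed sample values.

```python
import hashlib
import hmac
import json
import secrets


# ---- toy authenticated encryption: stands in for K_X-KDC( ... ) on the slide ----------------
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range(-(-length // 32)):              # ceil(length / 32) blocks of 32 bytes
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def _subkeys(key: bytes):
    return (hashlib.sha256(b"enc" + key).digest(),       # separate keys for encryption and MAC
            hashlib.sha256(b"mac" + key).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, only then decrypt. Raises ValueError on tampering or a wrong key."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# ---- the KDC protocol ------------------------------------------------------------------------
class KDC:
    def __init__(self):
        self.keys = {}                                    # name -> long-term key K_X-KDC

    def register(self, name: str) -> bytes:
        self.keys[name] = secrets.token_bytes(32)         # in real life: provisioned out of band
        return self.keys[name]

    def request(self, sender: str, msg1: bytes) -> bytes:
        """Message 1 in: K_A-KDC(A, B). Message 2 out: K_A-KDC(R1, K_B-KDC(A, R1))."""
        req = json.loads(open_(self.keys[sender], msg1))    # only the real A can produce this
        a, b = req["from"], req["to"]
        if a != sender:
            raise ValueError("name inside request does not match the key that sealed it")
        r1 = secrets.token_bytes(32)                          # fresh session key
        ticket = seal(self.keys[b], json.dumps({"peer": a, "r1": r1.hex()}).encode())
        return seal(self.keys[a], json.dumps({"r1": r1.hex(), "ticket": ticket.hex()}).encode())


def establish_session(kdc: KDC, a: str, key_a: bytes, b: str, key_b: bytes) -> dict:
    msg1 = seal(key_a, json.dumps({"from": a, "to": b}).encode())          # 1. A -> KDC
    reply = json.loads(open_(key_a, kdc.request(a, msg1)))                  # 2. KDC -> A
    r1_alice, ticket = bytes.fromhex(reply["r1"]), bytes.fromhex(reply["ticket"])
    bob_view = json.loads(open_(key_b, ticket))                             # 3. A -> B: K_B-KDC(A, R1)
    r1_bob = bytes.fromhex(bob_view["r1"])
    note = open_(r1_bob, seal(r1_alice, b"hello Bob, it's Alice"))          # 4. A <-> B under R1
    return {"bob_thinks_peer_is": bob_view["peer"], "same_r1": r1_alice == r1_bob,
            "note": note, "ticket": ticket}


if __name__ == "__main__":
    kdc = KDC()
    print(establish_session(kdc, "alice", kdc.register("alice"), "bob", kdc.register("bob")))
```

Bob learns who he is talking to only from the name the KDC sealed inside the ticket, never from anything Alice (or Trudy) could write herself. Note what this exchange does not give Bob: freshness. A replayed ticket would make him accept an old R1 again, which is why Kerberos adds timestamps and an authenticator encrypted under the session key.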
Certification Authorities
Certification authority (CA): binds a public key to a particular entity, E.
E (person, router) registers its public key with the CA and provides “proof of identity” to the CA. The CA creates a certificate binding E to its public key: the certificate, containing E's public key, is digitally signed by the CA. The CA says “this is E's public key”.
(Figure: Bob's public key K_B+ and Bob's identifying information go through the digital signature (encrypt) step under the CA's private key K_CA-, producing the certificate for Bob's public key, signed by the CA.)
Certification Authorities
When Alice wants Bob's public key: she gets Bob's certificate (from Bob or elsewhere) and applies the CA's public key to Bob's certificate, obtaining Bob's public key.
(Figure: the certificate goes through the digital signature (decrypt/verify) step under the CA's public key K_CA+, yielding Bob's public key K_B+.)
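RSA key generation, the two-way encrypt/decrypt property, the signed message digest, and the CA's certificate binding, all in one added Python example that is not part of the original slides (which cover each piece separately in the RSA, Digital Signatures, Message Digests and Certification Authorities sections). Moduli are built from Mersenne primes (2^61-1, 2^89-1, 2^107-1, 2^127-1, and 2^19-1, 2^31-1 for Trudy), chosen here so the arithmetic is visible; real keys use random primes of 1024 bits or more and a padding scheme (OAEP for encryption, PSS for signatures), and “digest mod n” in place of a proper signature encoding is a simplification of mine. Names and the message are constructed sample values.

```python
import hashlib
from math import gcd

# Primes chosen for the example (Mersenne primes); real keys use random primes of 1024+ bits.
P_BOB, Q_BOB = 2**61 - 1, 2**89 - 1
P_CA, Q_CA = 2**107 - 1, 2**127 - 1
P_TRUDY, Q_TRUDY = 2**19 - 1, 2**31 - 1


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Slide steps 1-5: n = pq, z = (p-1)(q-1), e coprime to z, d with ed mod z = 1.
    Returns (public key K+ = (n, e), private key K- = (n, d))."""
    n, z = p * q, (p - 1) * (q - 1)
    if gcd(e, z) != 1:
        raise ValueError("e must be relatively prime to z")
    d = pow(e, -1, z)                       # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def apply_key(key, x: int) -> int:
    """x^k mod n. The same operation serves as K+( ) and K-( ); only the exponent differs."""
    n, k = key
    if not 0 <= x < n:
        raise ValueError("input must be smaller than n")
    return pow(x, k, n)


def digest_as_int(message: bytes, n: int) -> int:
    # Simplification: reduce SHA-256(m) mod n. Real signatures use a padding scheme (PSS).
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Signed message digest: K-(H(m))."""
    return apply_key(private_key, digest_as_int(message, private_key[0]))


def verify(public_key, message: bytes, signature: int) -> bool:
    """Recompute H(m), apply K+ to the signature, compare."""
    return apply_key(public_key, signature) == digest_as_int(message, public_key[0])


def issue_certificate(ca_private, name: str, subject_public):
    """The CA binds a name to a public key by signing both. Returns (body, signature)."""
    body = f"{name}|{subject_public[0]}|{subject_public[1]}".encode()
    return body, sign(ca_private, body)


def key_from_certificate(ca_public, certificate):
    """What Alice does with Bob's certificate: check the CA signature before trusting the key.
    Returns (name, public key), or None if the certificate does not verify."""
    body, signature = certificate
    if not verify(ca_public, body, signature):
        return None
    name, n, e = body.decode().split("|")
    return name, (int(n), int(e))


def demo() -> dict:
    bob_pub, bob_priv = rsa_keygen(P_BOB, Q_BOB)
    ca_pub, ca_priv = rsa_keygen(P_CA, Q_CA)
    trudy_pub, _ = rsa_keygen(P_TRUDY, Q_TRUDY)
    m = int.from_bytes(b"Dear Alice", "big")            # message as an integer, m < n
    msg = b"Oh, how I have missed you."
    sig = sign(bob_priv, msg)
    cert = issue_certificate(ca_priv, "bob", bob_pub)
    # Trudy's MITM from ap5.0: substitute her own modulus inside Bob's certificate.
    forged_body = cert[0].replace(str(bob_pub[0]).encode(), str(trudy_pub[0]).encode())
    forged_cert = (forged_body, cert[1])
    return {
        "public_then_private": apply_key(bob_priv, apply_key(bob_pub, m)) == m,
        "private_then_public": apply_key(bob_pub, apply_key(bob_priv, m)) == m,
        "signature_ok": verify(bob_pub, msg, sig),
        "altered_msg_rejected": not verify(bob_pub, msg + b"!", sig),
        "cert_ok": key_from_certificate(ca_pub, cert) == ("bob", bob_pub),
        "forged_cert_rejected": key_from_certificate(ca_pub, forged_cert) is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The last two checks are the answer to the ap5.0 hole: Trudy can still hand Bob any public key she likes, but she cannot make the CA's signature verify over a body that names Bob and carries her key. Everything therefore rests on Alice and Bob holding the right K_CA+ in advance, which is the root-CA list the browser ships with.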
Public Key Infrastructure (PKI)
A PKI consists of programs, protocols, procedures, public key encryption mechanisms, databases and data formats. This comprehensive structure allows people to communicate in a secure and predictable manner.
Based on 2 main aspects: public key cryptography, and the X.509 standard formats and protocols for exchanging digital certificates.
The security services it provides are: authentication, confidentiality, integrity, non-repudiation.
Fundamental issue: how do you authenticate a person or application before you make use of their public key?
Digital Certificates
To be part of a PKI, a user or service needs a “digital certificate”. The digital certificate contains the credentials of the entity, identifying information and its public key.
“How can I trust the certificate?” Because the certificate was signed by a trusted third party called the Certificate Authority (CA).
Key point: user certificates are assumed to have been created by some trusted Certificate Authority and placed in the CA's directory by the CA or the user. If the certificate is placed by the user, you need a strong mechanism to ensure authentication of the user.
Note: each user still needs to protect their private key. The certificate and PKI do not assist you with that.
Which Certificate Authorities do I trust? Certain trusted root CAs are configured in your browser. Root CAs can then certify other (intermediate) CAs.
Public versus Private CA
You want to use certificates: should you implement your own CA infrastructure or purchase certificate(s) from a well-known CA provider (Verisign, Entrust, etc.)?
Response: well, it depends on the needs, the requirements and what these certificates will be used for.
Private CA advantages: no need to spend annual $$ for renewal; can generate a large number of certificates at little/no additional cost.
Public CA advantages: will be recognized as valid by all Internet users; no need to support CA servers internally; no need to manage registration of users and certificate revocation internally.
Secure e-mail
Alice wants to send confidential e-mail, m, to Bob.
Alice: generates a random symmetric key, K_S; encrypts the message with K_S (for efficiency); also encrypts K_S with Bob's public key; sends both K_S(m) and K_B+(K_S) to Bob.
(Figure: m → K_S(·) → K_S(m); K_S → K_B+(·) → K_B+(K_S); both travel over the Internet to Bob.)
Secure e-mail
Bob: uses his private key K_B- to decrypt K_B+(K_S) and recover K_S; uses K_S to decrypt K_S(m) to recover m.
(Figure: K_B+(K_S) → K_B-(·) → K_S; K_S(m) → K_S(·) → m.)
Secure e-mail (continued)
Alice wants to provide sender authentication and message integrity.
Alice digitally signs the message: she computes H(m) and signs it with her private key, giving K_A-(H(m)); she sends both the message (in the clear) and the digital signature.
Bob recomputes H(m) from the received m, applies Alice's public key K_A+ to K_A-(H(m)), and compares the two digests.
Secure e-mail (continued)
Alice wants to provide secrecy, sender authentication and message integrity.
Alice uses three keys: her private key, Bob's public key, and a newly created symmetric key.
(Figure: Alice signs H(m) with K_A- to get K_A-(H(m)), bundles it with m, encrypts the bundle under K_S, encrypts K_S under K_B+ to get K_B+(K_S), and sends both over the Internet.)
Pretty Good Privacy (PGP)
Internet e-mail encryption scheme, a de-facto standard. Uses symmetric key cryptography, public key cryptography, a hash function, and digital signatures as described. Provides secrecy, sender authentication, integrity.
Its inventor, Phil Zimmermann, was the target of a 3-year federal investigation.
A PGP signed message:
---BEGIN PGP SIGNED MESSAGE---
Hash: SHA1
Bob: My husband is out of town tonight. Passionately yours, Alice
---BEGIN PGP SIGNATURE---
Version: PGP 5.0
Charset: noconv
yhHJRHhGJGhgg/12EpJ+lo8gE4vB3mqJhFEvZP9t6n7G6m5Gw2
---END PGP SIGNATURE---
Secure sockets layer (SSL)
Transport layer security for any TCP-based application using SSL services. Used between web browsers and servers for e-commerce (https).
Security services: server authentication, data encryption, client authentication (optional).
Server authentication: an SSL-enabled browser includes public keys for trusted CAs. The browser requests the server certificate, issued by a trusted CA, and uses the CA's public key to verify the certificate and extract the server's public key from it. Check your browser's security menu to see its trusted CAs.
SSL (continued)
Encrypted SSL session: the browser generates a symmetric session key, encrypts it with the server's public key, and sends the encrypted key to the server. Using its private key, the server decrypts the session key. Browser and server now both know the session key, and all data sent into the TCP socket (by client or server) is encrypted with it.
SSL is the basis of IETF Transport Layer Security (TLS).
SSL can be used for non-Web applications, e.g., IMAP.
Client authentication can be done with client certificates.
IEEE 802.11 security
War-driving: drive around the Bay Area and see what 802.11 networks are available. More than 9000 were accessible from public roadways; 85% used no encryption/authentication; packet sniffing and various attacks are easy!
Securing 802.11: encryption, authentication. The first attempt at 802.11 security, Wired Equivalent Privacy (WEP), was a failure; the current attempt is 802.11i.
Wired Equivalent Privacy (WEP):
Authentication as in protocol ap4.0: the host requests authentication from the access point; the access point sends a nonce; the host encrypts the nonce using the shared symmetric key; the access point decrypts the nonce and authenticates the host. (Because WEP “encrypts” by XORing with an RC4 keystream, an eavesdropper who sees both the nonce and the response learns that keystream and can answer a later challenge without ever knowing the key.)
No key distribution mechanism. Authentication: knowing the shared key is enough.
802.11i: improved security
Numerous (stronger) forms of encryption are possible. Provides key distribution. Uses an authentication server separate from the access point.