COEN 350: Network Security Overview of Cryptography

COEN 350: Network Security

Overview of Cryptography

Table of contents Introduction Cryptographic Security One Way Functions Secret Key Cryptography Public Key Cryptography Message Authentication Codes Zero Knowledge Proofs Diffie Hellman Key Exchange

Cryptography Traditional use of cryptography

Encrypt a plain text into cypher Only people with the right knowledge can

recover plain text. Secret Key (Symmetric) Cryptography

Encryption and decryption use secret key c. Public Key (Asymmetric) Cryptography

Encryption and decryption use two different keys.

Cryptography

Other uses of cryptography Secure data while stored. Authenticate entities. Ensure integrity of data. Sign statements so that signature

cannot be repudiated.

Cryptography

Other uses of cryptography Fast file destruction:

Encrypt files with a secret key. Destroy secret key to securely delete the

file. E-cash

Hash Functions Given an object, create a hash

(short bit-string) of the object. Hashs differ Objects differ Objects differ with overwhelming prob.

Hashes differ Cryptographically secure hash:

Given a hash, cannot find object with that hash.

Hash Functions

Tripwire Protect OS against trojans. Maintain hashes of all system libraries

in a secure area. Check hash against known hash

periodically.

Cryptographic Security

Leverage in cryptography comes from functions that are hard to compute without special knowledge.

“Hard to compute” difficult to substantiate

Cryptographic Security “Hard to compute” = NP complete

Problem is P: can be solved deterministically in polynomial time.

Problem is NP: solution can be verified in polynomial time.

Central Conjecture: NP P. NP-complete: If this problem can be solved in

polynomial time then all NP problems can be solved in polynomial time.

NP-complete problems: Intrinsically difficult problems to solve on a computer.

But: NP completeness is tendency. Instances of NP-complete problems can be easy

to solve. Knapsack problem.

“Computationally hard” = “Takes n years to solve on best machine.”

Breaking codes is usually parallelizable. Use distributed attack. SETI@home

Moore’s law: Computers double in speed every 16 months.

UNIX password cracking UNIX passwords are 8 characters long.

Assume 102 printable characters in a password.

1016 possible passwords. 10000 password attempts a second takes

1012/2 seconds to find random password. 16,000 years to find password

Dictionary attacks take much less.

Cryptographic Security DES Data encryption standard Published in 1977 by National Bureau of

Standards. Uses 56 bit key Brute-Force attack succeeds after ~1016 tries. 1977: Diffie Hellman:

Spend $20,000,000.- to build parallel machine that can find key in 12 hours.

1998: Electronic Frontier Association Build DES cracker for $250,000.- that could break a

key in 4 days. $150,000.- for second cracker

Security of Algorithms Fundamental Security Paradigm

"If a lot of smart people have tried to crack a paradigm for a long time, then it is impossible to crack the

paradigm."

Cryptographic SecurityModels for evaluating security Unconditional Security

Adversary has unlimited computational resources, but there is not enough information available to defeat the system.

Example: One Time Pad Complexity Theoretic Security

Defines an appropriate model of computation Adversaries can mount attacks that use space and

time polynomial resources. These attacks might be in practice impossible. True attacks might be non-polynomial.

Models for evaluating security Provable Security

Difficulty of defeating a protocol is at least as hard as another (supposedly difficult) problem.

Computational Security Measures the amount of effort (using

the best methods available now) required to defeat a system.

One-Way Functions

One way function Easy to compute Hard to invert.

“Hard” means computationally infeasible.

One-Way Functions Example X = {1, 2, ... , 16} Define f: X → X, x → x3 mod 17.

This function is reasonably easy to compute.

Surprisingly hard to calculate logarithms in a finite field.

Use the following table. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

1 8 10 13 6 12 3 2 15 14 5 11 4 7 9 16l

One-Way Functions

Pre-image resistance: Given a possible image y, it is

computationally impossible to find any preimage x such that f (x) = y.

Second pre-image resistance: Given a pre-image x, it is

computationally infeasible to find another preimage z, z x, such that f (x) = f (z).

One-Way Functions

Collision resistant: It is computationally infeasible to find

any two distincts inputs x, x', x' x such that f(x) = f(x').

One-Way Functions

Definition: A function f is a strong one-way hash function (also known as a collision resistant (one-way) hash function) if and only if f is easily computable, that is, given x, it is

easy to calculate f(x).

f is pre-image resistant.

f is second pre-image resistant.

f is collision resistant.

One-Way Functions

One-Way function with trapdoors Much in cryptography is based on

being able to do a difficult thing when possessing a secret.

There are one-way functions that are easy to invert if one knows a secret.

One-Way Functions Choose

p = 48611 (a prime) q = 53993 (a prime) n = p·q.

Define f f (x) = x 3 mod n. f is one way, if we only know n. If we know the secret that n = pq, then

there is an algorithm that solves x 3 = y mod n for given y and unknown x.

One-Way Functions One-way function with trapdoor

Family of functions fi where i I, an index set.

Each fi is one-way. There exists functions hi and a secret

s such that hi (s, .) is easy to compute fi (hi (s, y)) = y.

That is, hi (s, .) is the inverse function of fi

Secret Key Cryptography

Conventional encryption uses a secret to convert plaintext to cipher and the same secret to convert cipher to plaintext.

A Greek general tattoos the message into the crown of the head of a slave who then lets his hair grow again. When the slave reaches the destination, the recipient reads the message after the slave has shaven his head again.

One-time pad Caesar’s cypher

Encryption uses an algorithm publicly known.

Sender and receiver use a secret key.

Generic recipe: Take the plain text. Apply a transformation (based on secret,

reversible with secret). Repeat until result is sufficiently

disguised Product cipher

Use first one transformation, then another one.

Substitution Permutation Network Each state involves substitutions

and permutations. Substitutions:

Take an input, replace it by an output. Often implemented as a table.

Input needs to be small.

Secret Key Cryptography Permutations

Take the bits and reorder them.

Secret Key Cryptography Substitution

Permutation Network

Encode from top to bottom

Decode from bottom to top

Secret Key Cryptography Iterated block cipher

Made up of rounds. In each round, apply an transformation

with a separate key (the round key). Feistel Cipher

Secret Key Cryptography Feistel Cipher

Iterated Block cipher Block size is 2t. Each round:

Breaks input into left half L(n) and right half R(n)

L(n+1) = R(n). R(n+1) = Mangler(R(n), Kn) L(n)

Kn is round key.

Feistel round for encryption (left) and decryption (right)

Secret Key Cryptography DES (1977)

uses a 64b key with a parity check, so that effective key size is 56b.

Derives 16 round keys of 48b each. Works on input of size 64. Uses 16 round Feistel algorithm

IDEA (1991) Uses a 128b key Uses 8 computationally identical rounds based on

generalized Feistel algorithm Additional beginning and ending transformation.

Secret Key Cryptography Typical block code takes 64b plaintext

and changes it to 64b cipher text. Electronic Code Book:

Break plain text into 64b-blocks. Encrypt all blocks. Vulnerable to attacks

Two identical text blocks are encrypted the same way.

Allows guessing contents. Reordering of plain text = Reordering of cipher

text. Change meaning of cipher text.

Secret Key Cryptography Example:

Database contains employee and salary information.

Encrypted:

Secret Key Cryptography Switch portion of cipher text

Resulting plaintext

Secret Key CryptographyCipher Block Chaining

Encryption and Decryption

Secret Key Cryptography Cipher Block Chaining If we do not mind to mangle some

data, we can switch bits. How? Your turn.

Assume we want to flip bit 3 in m4 We switch bit 3 in c3

This probably mangles m3 But has the desired effect on m4

Secret Key Cryptography Second thread to CBC:

Assume attacker knows plain text and cipher, i.e. m1, m2, …, c1, c2, …, IV

Attacker can calculate D(c1), D(c2), … Can build library of ci D(ci) and use it for

other attacks.

Secret Key Cryptography Output Feedback modes Same idea, but prevents these types

of attacks.

Output Feed Back Cipher Feed Back

Secret Key Cryptography One-Time Pad

Only proven secure cryptographic method But the pad needs to be transmitted

between sender and receiver. XORing with a short string is not

secure. See projects

RC4 One time pad generated by random

number generator, seeded with key Considered still secure (if you let the

RNG run for a few hundred rounds) If plain-text can be guessed,

vulnerable to bit flipping How? (Your turn)

Secret Key Cryptography Message Authentication Code

Can be calculated with cipher block chaining or similar method.

c6 is the MAC

Public Key Cryptography Asymmetric Key Cryptograpy.

Use one key for encryption, another for decryption.

E(e,.) encryption with key e D(d,.) is decryption with key d D(d,E(e,m)) = E(e,D(d,m)) = m for all

messages m. Note: Not all public key systems have this

commutativity between D and E.

Public Key Cryptography Keep one key public, the other one private. Use public key to encrypt, give Bob secret key to

decrypt.

Public Key Cryptography Signing Messages.

Alice creates a public key pair (e,d) and gives or publishes e.

Alice uses private key to calculate s = D(d,m) Pad with zeroes if necessary.

Bob uses Alice's public key to decrypt E(e,s) = E(e,D(d,m')) = m.

If m is in the format that a signed message has, then Bob accepts the message as truly Alice's.

Public Key CryptographyRSA RSA: Rivest Shamir Adleman Choose n = pq, p, q large primes Select e that is coprime to –

(n)=(p – 1)(q – 1) Find d such that ed = 1 mod (n).

Only computationally feasible if n = pq is known.

Public key: (e,n) Private key: (d,n)

Public Key CryptographyRSA Encryption with private key. Divide messages into chunks < n Encrypt chunk c as c1 = ce mod n. Decryption

Calculate c = c1d mod n.

c1d = (ce)d = ced = cx(n)+1 = c

Using Euler’s theorem a(n) = 1 mod n.

Public Key Cryptography

RSA is safe if used with caution.

Message Authentication Code

Also known as MIC (Message Integrity Code).

Append MAC to message. Nobody can change message

without changing MAC. Easy to check whether MAC

belongs to the message.

Message Authentication Code

Symmetric key MACs using a hash function Message Calculate hash value Protect hash value by encrypting it

with a secret key. Sender and receiver share the

secret key.

Message Authentication Code ISO 8732-2: (Banking - Approved Algorithm for Message

Authentication)

MAC(Message M) { for(i=0; i <= LengthOfMessage; i++) {

v = v << 1 e = v XOR w x = [ ((e + y mod 2**32) or A and C) * (x XOR M(i) ] mod 2**32-1 y = [ ((e + x mod 2**32) or B and D) * (y XOR M(i) ] mod 2**32-2 } return x XOR y;

where A, B, C, and D are constants, and v and w are determined by the key.

Message Authentication Code Cipher Block Chaining (CBC) derived

Message Authentication Code Public Key Message Authentication

If message is small Alice encrypts with private key. Bob decrypts with public key.

If message looks right, it comes from someone who knows Alice’s key.

If message is large Calculate a digest (hash) of the message Alice encrypts digest with private key. Bob decrypts digest with public key. If digest matches, it comes from Alice.

Message Authentication Code MD5

MD5 was developed by Rivest in 1994. Its 128 bit (16 byte) message digest

SHA1 Secure Hash Algorithm developed by NIST published in 1994 produces a 160-bit (20 byte) message

digest

Message Authentication Codes

MD5 is broken: Possible to generate two meaningful

files with the same MD5 value. SHA-1 is almost broken:

Finding a file with a given SHA-1 value is now computationally feasible.

Use SHA-256, SHA-512, WHIRLPOOL

Zero Knowledge Proof A potentially new way for identification. Challenge-Response

Claimant proves identity to verifier by demonstrating knowledge of a secret.

E.g. Verifier gives Claimant random number. Claimant can encode it, thus proving

knowledge of a secret key. But observer now knows an encryption with

the secret key: a knowledge leak Password: Forces claimant to give out

password.

Zero-Knowledge Proofs

Interactive proof system that claimant knows secret.

But secret is not revealed to verifier or an observer.

Zero-Knowledge Proof

Alice wants to convince Bob that she knows the secret word to the door in this cave.

But Alice doesn’t want to show Bob how she does it.

Zero-Knowledge Proof Bob and Alice

walk to A. Alice walks to

either C or D. Bob goes to B and

cries out “left” or “right”

Alice can satisfy the request.

Zero-Knowledge Proof Repeat n times. Alice is lucky with

probability ½ and does not have to open door.

Alice is always lucky with probability 1/2n

Zero-Knowledge Proof Hostile observer

cannot distinguish between Alice and Bob playing a charade or Alice knowing how to get through the door.

Zero Knowledge Proof. Fiat Shamir:

A trusted center publishes a modulus n = p·q that is the product of two primes.

Alice selects a secret s coprime to n and publishes v = s 2 mod n as its public key.

Repeat n times: Alice chooses a random number r and sends r2 to

Bob. Bob randomly selects e = 0 or e = 1. Alice sends y = r · se mod n to Bob Bob accepts this proof if y 2 = r 2 v e mod n.

Zero Knowledge Proof

Assume Alice is an impostor. If Alice guesses that Bob will send

e = 0. Alice picks s and sends v = s2 to Bob. Bob asks for e = 0. Alice sends rs Bob checks out that (rs)2 = r 2 v

Zero Knowledge Proof

Assume Alice is an impostor. If Alice guesses that Bob will send

e = 1. Alice picks a and sends v = a2/v to

Bob. Bob asks for e = 1. Alice sends a Bob checks out that a 2 = a 2/v · v

Diffie Hellmann

First public key system. Two partners share secret number. No eavesdropper can deduce

secret number.

Diffie Hellman p large prime g < p

Best choice is a generator modulo p: n i : n = gi.

(p,g) are public. Alice picks secret r. Bob picks secret s. Alice sends gr mod p to Bob. Bob sends gs mod p to Alice. Common key is t = (gr)s = (gs)r mod t.

Diffie Hellman

Snooper needs to derive t from gr and gs.

This is computationally equivalent to calculate r from gr mod p.

Diffie Hellman Man-in-the-middle-attack:

Mallory intercepts communications between Alice and Bob.

Alice sends gr to Mallory. Mallory sends gr’ to Bob. Bob sends gs to Mallory. Mallory sends gs’ to Alice. Alice establishes common key grs’ with Mallory. Bob establishes common key gr’s with Mallory. Alice and Bob communicate via Mallory, who

reads the traffic (or changes it).

Diffie Hellman

Social defense against this attack: Alice publicly distributes gr mod p.

COEN 350: Network Security Overview of Cryptography

Documents

Portfolio Coen Smit

COEN 350 Network Defense in Depth Firewalls. Terms of the Trade Border Router First / last router under control of system administration. DMZ Demilitarized

COEN 350 Security Threats. Network Based Exploits Phases of an Attack Reconnaissance Scanning Gaining Access Expanding Access Covering Tracks

COEN Startup Burners

Ann Coen Photography

Fratelli Coen Locarno

Stage eindpresentatie Coen

Preghiere Degli Eletti Coen

Joel Coen (1954) and Ethan Coen (1957) ENGL 6750/7750 Film Studies

COEN 350 Mobile Security. Wireless Security Wireless offers additional challenges: Physical media can easily be sniffed. War Driving Legal? U.S. federal

Coen Brothers Powerpoint

COEN 350 Email Security. Contents Why? How to forge email? How to spot spoofed email. Distribution Lists The twist that makes email authentication … interesting

Resume Coen Wehrmeijer

Miller’s Crossing (1990) The Coen Brothers. Miller’s Crossing (1990) The Coen Brothers

COEN 351 E-Commerce Security Essentials of Cryptography

Coen Boards

Coen 2008 Project 03

BLOOD SIMPLE Joel Coen and Ethan Coen …screenplaysandscripts.com/script_files/B/Blood_Simple.pdf"BLOOD SIMPLE" By Joel Coen and Ethan Coen LANDSCAPES An opening voice-over plays

Joel Coen (1954) and Ethan Coen (1957)

JOEL COEN & ETHAN COEN RAISING ARIZONA - Raindance · JOEL COEN & ETHAN COEN RAISING ARIZONA OVER BLACK: VOICE-OVER: My name is H. I. McDunnough ... A WALL With horizontal hatch lines