CSCI 362 Computer and Network Security (source path: csci362/2012-fall/wp-content/...Cipher)

Page 1

CSCI 362 Computer and Network Security

Cryptology

Page 2

If you like this subject...

Dr. Kahn is a Bucknell alumnus, class of 1951 (non-fiction)

Dr. Singh’s book is a world-wide best seller (non-fiction)

Mr. Stephenson is a very successful contemporary writer of fiction (fiction)

Page 3 to Page 6

Function / Cipher

[Figure: a function f maps the plaintext "This is a test of the emergency broadcast system. If this had been an actual emergency, you would have been instructed where to tune in your area for news and official information." to the ciphertext "BAAS+TU1A/TRVR.IP-HDM3MFWRRPPTY/BERYRWKFH6ARAMWM9+KW:IHVV8VUN-PAMG(TF:LNVLAA:RPCFAOAQU43GHM:HZWCD/HNYC.VORB6QGAMJUNEGU:LHRUC.NY-HQVX(BF:JZWI:PRRD8TIB-BAEL(TFD+ZHWIRINO8WHPBFIIMQHF."; the inverse function f^-1 maps the ciphertext back to the plaintext. The function also takes the key(s) K0, K1, ..., Kn-1 as inputs.]

c = f(p, K0, K1, ..., Kn-1)

Page 7

Notation

plaintext = pciphertext = c

K0,K1,...,Kn-1c = E (p)

K0,K1,...,Kn-1p = D (c)

encipherment, encryption

decipherment, decryption

Page 8

Symmetric Key Cipher

c = E_{K0,K1,...,Kn-1}(p)

p = D_{K0,K1,...,Kn-1}(c)

p = D_{K0,K1,...,Kn-1}(E_{K0,K1,...,Kn-1}(p))

Identical encipherment and decipherment keys

Page 9 to Page 11

Stream Cipher

[Figure: the plaintext stream "This is a test of..." is combined symbol by symbol by f with the key stream "w#4a57123$g$#%H*..." to give the ciphertext stream "BAAS+TU1A/TRVR.IP...". The key stream is produced by a generator g from the key "XKCD241012". The plaintext, key and ciphertext streams have arbitrary length; the key has fixed length.]

c[i] = f(p[i], K[i])

The length of the key stream must match the length of the plaintext stream.

Page 12

Cryptanalysis

The science of recovering the plaintext of a message without knowledge of the encryption key. Successful cryptanalysis may result in the recovery of a message or of an encryption key.

Kerckhoffs’ Principle: Secrecy must rely solely on the encryption key (the attacker may have detailed information on the cryptographic algorithm).

Compromise is the disclosure of a key without the use of any cryptanalysis.

An attack is an attempt to recover plaintext or key from a collection of enciphered messages.

Page 13

Cryptanalysis Attacks: Ciphertext-only attack

Given the ciphertext of several messages enciphered with the same algorithm (and perhaps the same key), recover the plaintext of as many messages as possible or, better yet, recover the key(s) used.

Given: C1 = Ek(P1), C2 = Ek(P2), ..., Ci = Ek(Pi)

Deduce: P1, P2, ..., Pi and/or an algorithm to infer Pi+1 from Ci+1

Page 14

Cryptanalysis Attacks: Known-plaintext attack

Force the adversary to encipher a known plaintext. The captured encipherment of the known text can reveal characteristics of the algorithm and key.

Given: P1, Ek(P1), P2, Ek(P2), ..., Pi, Ek(Pi), where P1, P2, ..., Pi are chosen by the attacker

Deduce: k and/or an algorithm to infer Pi+1 from Ci+1

Page 15

Cryptanalysis Attacks: Frequency analysis

PLAINTEXT:

If bash is invoked with the name sh, it tries to mimic the startup behavior of historical versions of sh as closely as possible, while conforming to the POSIX standard as well. When invoked as an interactive login shell, or a non-interactive shell with the --login option, it first attempts to read and execute commands from /etc/profile and ~/.profile, in that order. The --noprofile option may be used to inhibit this behavior. When invoked as an interactive shell with the name sh, bash looks for the variable ENV, expands its value if it is defined, and uses the expanded value as the name of a file to read and execute. Since a shell invoked as sh does not attempt to read and execute commands from any other startup files, the --rcfile option has no effect. A non-interactive shell invoked with the name sh does not attempt to read any other startup files. When invoked as sh, bash enters posix mode after the startup files are read.

Page 16

Cryptanalysis Attacks: Frequency analysis

CIPHERTEXT:

li edvk lv lqyrnhg zlwk wkh qdph vk, lw wulhv wr plplf wkh vwduwxsehkdylru ri klvwrulfdo yhuvlrqv ri vk dv forvhob dv srvvleoh, zklohfrqiruplqj wr wkh srvla vwdqgdug dv zhoo. zkhq lqyrnhg dv dqlqwhudfwlyh orjlq vkhoo, ru d qrq-lqwhudfwlyh vkhoo zlwk wkh --orjlqrswlrq, lw iluvw dwwhpswv wr uhdg dqg hahfxwh frppdqgv iurp/hwf/suriloh dqg ~/.suriloh, lq wkdw rughu. wkh --qrsuriloh rswlrqpdb eh xvhg wr lqklelw wklv ehkdylru. zkhq lqyrnhg dv dq lqwhudfwlyhvkhoo zlwk wkh qdph vk, edvk orrnv iru wkh yduldeoh hqy, hasdqgv lwvydoxh li lw lv ghilqhg, dqg xvhv wkh hasdqghg ydoxh dv wkh qdph ri diloh wr uhdg dqg hahfxwh. vlqfh d vkhoo lqyrnhg dv vk grhv qrw dwwhpsw wr uhdg dqg hahfxwh frppdqgv iurp dqb rwkhu vwduwxsilohv, wkh --ufiloh rswlrq kdv qr hiihfw. d qrq-lqwhudfwlyh vkhoo lqyrnhgzlwk wkh qdph vk grhv qrw dwwhpsw wr uhdg dqb rwkhu vwduwxs ilohv. zkhq lqyrnhg dv vk, edvk hqwhuv srvla prgh diwhu wkh vwduwxsilohv duh uhdg.

Page 17

Cryptanalysis Attacks: Frequency analysis

[Chart: single-letter frequencies of the English language (sources: “Moby Dick”, by Herman Melville, and “The Picture of Dorian Gray”, by Oscar Wilde)]

Page 18

Cryptanalysis Attacks: Frequency analysis

[Chart: letter frequencies, English language vs. additive cipher]

Page 19

Cryptanalysis Attacks: Frequency analysis

[Chart: letter frequencies, English language vs. multiplicative cipher, k=11]

Page 20

Cryptanalysis Attacks: Frequency analysis

[Chart: letter frequencies, English language vs. affine cipher, k=(s=11, r=5)]

Page 21

Cryptanalysis Attacks: Frequency analysis

Ideally, a cipher would completely flatten the single-symbol frequency bars.

The Vigenère cipher doesn’t quite meet this goal, but it does a better job than the other ciphers we’ve seen.
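An added example in C (not from the slides): frequency analysis that recovers the key of an additive, multiplicative or affine cipher (the three ciphers charted on Pages 18 to 20) by scoring every candidate key with a chi-squared distance to English single-letter frequencies. The input is the opening of the slide's bash man page ciphertext; the English frequency table is an approximate one of my own, and the key notation k = (s, r) with y = s*x + r (mod 26) is assumed from the affine chart.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Approximate English single-letter frequencies in percent, A..Z (assumed values). */
static const double ENGLISH_FREQ[26] = {
    8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
    6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074 };

/* Opening of the slide's ciphertext (the bash man page under an additive cipher). */
static const char CIPHERTEXT[] =
    "li edvk lv lqyrnhg zlwk wkh qdph vk, lw wulhv wr plplf wkh vwduwxs"
    "ehkdylru ri klvwrulfdo yhuvlrqv ri vk dv forvhob dv srvvleoh, zkloh"
    "frqiruplqj wr wkh srvla vwdqgdug dv zhoo. zkhq lqyrnhg dv dq"
    "lqwhudfwlyh orjlq vkhoo, ru d qrq-lqwhudfwlyh vkhoo zlwk wkh --orjlq"
    "rswlrq, lw iluvw dwwhpswv wr uhdg dqg hahfxwh frppdqgv iurp"
    "/hwf/suriloh dqg ~/.suriloh, lq wkdw rughu.";

/* Multiplicative inverse of s modulo 26, or 0 if s is not coprime with 26. */
int mod_inverse26(int s) {
    for (int t = 1; t < 26; t++)
        if ((s * t) % 26 == 1) return t;
    return 0;
}

/* Undo y = s*x + r (mod 26) on one character: x = s_inv*(y - r) (mod 26).
 * Non-letters pass through unchanged. */
static int affine_decrypt_char(int y, int s_inv, int r) {
    if (!isalpha(y)) return y;
    int base = isupper(y) ? 'A' : 'a';
    return base + (s_inv * ((y - base - r + 26) % 26)) % 26;
}

/* Chi-squared distance between the letter counts of the text decrypted with
 * (s_inv, r) and the English distribution: lower means "more English". */
double chi_squared(const char *text, int s_inv, int r) {
    int counts[26] = {0};
    int n = 0;
    for (const char *p = text; *p; p++) {
        int x = affine_decrypt_char((unsigned char)*p, s_inv, r);
        if (isalpha(x)) { counts[tolower(x) - 'a']++; n++; }
    }
    double chi = 0.0;
    for (int i = 0; i < 26; i++) {
        double expected = n * ENGLISH_FREQ[i] / 100.0;
        double d = counts[i] - expected;
        chi += d * d / expected;
    }
    return chi;
}

/* Score all 12 * 26 affine keys and return the best (s, r).  s = 1 gives the
 * additive cipher and r = 0 the multiplicative cipher, so both are covered. */
void recover_affine_key(const char *text, int *best_s, int *best_r) {
    double best = -1.0;
    for (int s = 1; s < 26; s++) {
        int s_inv = mod_inverse26(s);
        if (s_inv == 0) continue;           /* s must be invertible mod 26 */
        for (int r = 0; r < 26; r++) {
            double chi = chi_squared(text, s_inv, r);
            if (best < 0 || chi < best) { best = chi; *best_s = s; *best_r = r; }
        }
    }
}

/* Decrypt a whole string with key (s, r) into out (same size as in). */
void affine_decrypt(const char *in, char *out, int s, int r) {
    int s_inv = mod_inverse26(s);
    size_t i;
    for (i = 0; in[i]; i++)
        out[i] = (char)affine_decrypt_char((unsigned char)in[i], s_inv, r);
    out[i] = '\0';
}

int main(void) {
    int s = 0, r = 0;
    char plain[sizeof CIPHERTEXT];
    recover_affine_key(CIPHERTEXT, &s, &r);
    affine_decrypt(CIPHERTEXT, plain, s, r);
    printf("recovered key s=%d r=%d\n%s\n", s, r, plain);
    return 0;
}
```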

Page 22

Cryptanalysis Attacks: Frequency analysis

Additional statistics (total letters in text: 1764911)

Most repeated symbols:

Digrams: TH 52563, HE 44727, ER 29017, IN 28537, AN 27957, RE 23086, HA 21373, ND 21089, ED 19388, OU 19306, NG 17848, HI 17183, AT 16986, EN 16622, ON 15453, ST 14235, AR 14030, TE 13669, LE 13419, ES 13348, OR 13327, SE 12663, IS 12375, EA 12333, AL 11941, VE 11308, AS 10470, LL 10374, NE 10348, NT 10292

Trigrams: ING 14442, THE 9619, HAT 7309, THA 6487, HER 6063, ERE 5911, TER 4821, THI 4308, VER 4214, ENT 4174, ITH 3918, WIT 3663, GHT 3254, WHA 3173, HIN 3118, ION 2993, OME 2984, EVE 2947, EAR 2907, AIN 2891, INT 2834, AVE 2823, OUL 2811, HOU 2800, ESS 2756, IGH 2756, NCE 2755, TED 2728, HEN 2690, ULD 2578

4-grams: THER 4412, OULD 2578, IGHT 2383, HERE 2332, THIN 2192, TION 2114, HING 2084, OUGH 1910, WHAL 1712, EVER 1629, HALE 1596, TING 1499, RING 1340, THOU 1298, ERED 1257, WOUL 1239, LING 1226, NING 1225, OUND 1185, OTHE 1175, KING 1067, ANCE 1060, SELF 1031, ERIN 1022, MENT 1016, DING 998, EATH 992, ATHE 986, ATIO 984, NDER 977

Repeated letters (textbook: SS, EE, TT, LL, MM, OO); counts of each doubled letter in the text: A 10, B 517, C 612, D 741, E 7506, F 1876, G 452, H 5, I 52, K 3, L 10374, M 908, N 1085, O 5514, P 1607, R 2040, S 4766, T 2801, U 1, X 21, Z 66

Page 23

Cryptanalysis Attacks: Limitations of frequency analysis

Mr. Zoliparia laffs. Whare did u get yoor litl pal? he askz. She crold out thi woodwurk, I sez, n he laffs agen an Im evin moar embrasd n getting qwite swety now. Dat dahn ant! Makin a full ov me. N makin mah fais awl beeg an bloted in dat bust shees wukin on now n stew not going bak in hir box Ither.

This is a slightly modified passage from Feersum Endjinn, by Iain M. Banks.

Is it possible to write mangled but understandable English (or any other language) and purposefully alter the relative frequencies of individual characters and perhaps even of digrams, trigrams, etc? Is it possible to write large chunks of text avoiding one specific letter? Ultimately, what we are asking ourselves is: can we create plaintext that distorts the language signature so much that it makes ciphertext frequency analysis hard?

Does frequency analysis work on short texts? How large do texts need to be for it to work well?

Page 24

Cryptanalysis Attacks: Rubber-hose attack

Sometimes, it may be much “easier” to obtain encryption keys by means of threats, torture, blackmail, espionage, etc. Of course, one has to weigh the ethics of such types of attacks.

Since the human element may be considered the weakest link in the chain that security is built on, it may be the easiest to break.

Page 25

One Time Pad

[Figure: as for the stream cipher, the plaintext stream "This is a test of..." combined by f with the key stream "w#4a57123$g$#%H*..." gives the ciphertext stream "BAAS+TU1A/TRVR.IP...".]

c[i] = f(p[i], K[i])

Page 26

One Time Pad

• Truly random keystreams

• Truly unique keystreams for the encipherment of each message

• Perfectly secure key distribution to all parties involved

• Perfect key confidentiality

Page 27 to Page 28

One Time Pad

[Figure: the plaintext stream "This is a test of..." combined by f with the key stream "w#4a57123$g$#%H*..." gives the ciphertext stream "BAAS+TU1A/TRVR.IP...".]

c[i] = f(p[i], K[i])

PROVABLY UNBREAKABLE

If this is so great, why aren’t people using it?

Page 29

One Time Pad

[Figure: plaintext stream 1011010111, key stream 0110111010, ciphertext stream ?]

c[i] = p[i] xor K[i]
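The XOR stream cipher of this slide, c[i] = p[i] xor K[i], as an added example in C (not from the slides): it evaluates the slide's two bit strings, applies the same operation to bytes using the slide's key stream "w#4a57123$g$#%H*" as a constructed pad, and checks the failure mode the One Time Pad requirements on Page 26 rule out, reuse of one key stream for two messages. The two sample messages are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* XOR two equal-length strings of '0'/'1' characters into out. */
void xor_bit_strings(const char *p, const char *k, char *out) {
    size_t i;
    for (i = 0; p[i] && k[i]; i++)
        out[i] = (p[i] != k[i]) ? '1' : '0';
    out[i] = '\0';
}

/* XOR a byte buffer with a key stream (encrypting and decrypting are the
 * same operation).  Returns 0 on success, -1 if the key stream is shorter
 * than the message: a one-time pad must never be stretched or wrapped. */
int xor_stream(const unsigned char *p, const unsigned char *keystream,
               size_t key_len, unsigned char *c, size_t len) {
    if (key_len < len) return -1;
    for (size_t i = 0; i < len; i++) c[i] = p[i] ^ keystream[i];
    return 0;
}

/* Two-time pad: if c1 and c2 were made with the same key stream, then
 * c1 xor c2 == p1 xor p2 for every byte, because the key cancels out.
 * Returns 1 when that relation holds, i.e. when the key stream was reused. */
int keystream_reuse_leaks(const unsigned char *c1, const unsigned char *c2,
                          const unsigned char *p1, const unsigned char *p2,
                          size_t len) {
    for (size_t i = 0; i < len; i++)
        if ((c1[i] ^ c2[i]) != (p1[i] ^ p2[i])) return 0;
    return 1;
}

int main(void) {
    char bits[16];
    xor_bit_strings("1011010111", "0110111010", bits);   /* the slide's streams */
    printf("ciphertext stream: %s\n", bits);

    /* Constructed sample: two 16-byte messages under the same 16-byte pad. */
    static const unsigned char pad[16] = "w#4a57123$g$#%H*";
    const unsigned char p1[16] = "attack at dawn!!";
    const unsigned char p2[16] = "retreat at dusk!";
    unsigned char c1[16], c2[16];
    xor_stream(p1, pad, sizeof pad, c1, 16);
    xor_stream(p2, pad, sizeof pad, c2, 16);
    printf("reused pad leaks p1 xor p2: %d\n",
           keystream_reuse_leaks(c1, c2, p1, p2, 16));
    return 0;
}
```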

Page 30 to Page 31

Block Cipher

[Figure: the plaintext "THISISATESTOFTHEMERGENCYB..." is mapped block by block by f under the key "XKCD241012" to the ciphertext "BAAS+TU1A/TRVR.IP-HDM3MFWRRPPT...". The plaintext and ciphertext have arbitrary length; the key and the blocks have fixed length.]

Blocks have fixed length

Page 32

Feistel Ciphers (Horst Feistel, 1950s-1960s)

[Figure: the input is split into a left half and a right half, which pass through the round functions f1, f2, f3; the example on the left is ψ(f1, f2, f3).]

The symbol ⊕ means bitwise XOR.

Functions f1, f2, …, fi are called round functions.

Notation for Feistel ciphers: ψ(f, g, h, . . .) denotes the successive round functions; the example on the left is ψ(f1, f2, f3).

Decryption of Feistel ciphers:

ψ(f1, f2, f3, . . . , fn−1, fn) = ψ^-1(fn, fn−1, . . . , f3, f2, f1)

The round functions do not have to be individually invertible: fewer constraints on how to achieve good diffusion and confusion lead to smaller code size, faster implementation in software, fewer gates in hardware, etc.
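An added example in C (not from the slides) of the ψ(f1, ..., fn) structure: encryption runs the round functions in order, decryption runs the same procedure with the round keys reversed, and the round function is deliberately not invertible. The round function and the key schedule are toy constructions of my own, nothing like DES.

```c
#include <stdint.h>
#include <stdio.h>

#define ROUNDS 8

static uint32_t rotl32(uint32_t x, int n) { return (x << n) | (x >> (32 - n)); }

/* Round function fi(R, Ki).  It contains a squaring step, which is not
 * injective (x and -x have the same square mod 2^32), so fi on its own
 * cannot be inverted; the Feistel structure never needs it to be. */
uint32_t round_function(uint32_t r, uint32_t k) {
    uint32_t x = r ^ k;
    return (x * x) ^ rotl32(x, 13) ^ (k >> 5);
}

/* Toy key schedule (an assumption, not DES): ROUNDS 32-bit round keys
 * K1..Kn derived from a 64-bit key. */
void key_schedule(uint64_t key, uint32_t keys[ROUNDS]) {
    uint32_t hi = (uint32_t)(key >> 32), lo = (uint32_t)key;
    for (int i = 0; i < ROUNDS; i++)
        keys[i] = rotl32(hi ^ (lo * (2u * i + 1u)), 3 * i + 1)
                  ^ ((uint32_t)i * 0x9E3779B9u);
}

/* One round: (L, R) -> (R, L xor fi(R, Ki)). */
static void feistel_round(uint32_t *l, uint32_t *r, uint32_t k) {
    uint32_t new_r = *l ^ round_function(*r, k);
    *l = *r;
    *r = new_r;
}

/* psi(f1, ..., fn) when decrypt == 0, psi(fn, ..., f1) when decrypt != 0:
 * the same procedure with the round keys in reverse order undoes the
 * cipher, which is the slide's psi(f1, ..., fn) = psi^-1(fn, ..., f1).
 * The halves are swapped once more at the end so that the output of the
 * forward pass is exactly the input the reverse pass expects. */
uint64_t feistel(uint64_t block, const uint32_t keys[ROUNDS], int decrypt) {
    uint32_t l = (uint32_t)(block >> 32);   /* split the 64-bit block */
    uint32_t r = (uint32_t)block;           /* into two 32-bit halves  */
    for (int i = 0; i < ROUNDS; i++)
        feistel_round(&l, &r, decrypt ? keys[ROUNDS - 1 - i] : keys[i]);
    return ((uint64_t)r << 32) | l;          /* undo the last swap */
}

int main(void) {
    uint32_t keys[ROUNDS];
    key_schedule(0x0123456789ABCDEFull, keys);    /* constructed key */
    uint64_t p = 0x5448495349534154ull;            /* "THISISAT" as 8 bytes */
    uint64_t c = feistel(p, keys, 0);
    printf("plain %016llx -> cipher %016llx -> back %016llx\n",
           (unsigned long long)p, (unsigned long long)c,
           (unsigned long long)feistel(c, keys, 1));
    return 0;
}
```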

Page 33

The DES Algorithm

Each 64-bit block of plaintext goes through:

• An initial permutation.

• 16 rounds of substitution and transposition operations influenced by a 48-bit subkey for each round, which is derived from the 56-bit DES key.

• A final permutation.

[Figure: 64-bit plaintext block → IP → round 1, round 2, round 3, round 4, round 5, …, round 16 → FP → 64-bit ciphertext block; the 56-bit key feeds the round subkey generation.]

Page 34

DES is a Feistel Cipher

Encryption: Take each block and divide into two halves, L and R. Each round consists of computing the XOR of L with F(Ki, R) for some function F and round key Ki, and then swapping L and R.

Decryption: Swap L and R, then XOR L with F(Ki, R).

Single DES Round:

[Figure: R and Ki enter F (bit shuffle, expand, substitute); the result is XORed with L.]

Page 35

A DES Round

[Figure: the 64-bit input is split into L1 (32-bit) and R1 (32-bit); R1 goes through EP, is XORed with Subkey i, passes through the S-box and the P-box, and is XORed with L1; the 64-bit output is made of L2 (32-bit) and R2 (32-bit).]

Consider a C implementation:

Question: How do you perform bitwise operations?

Question: How do you split a 64-bit value into two 32-bit values?

Question: How do you permute the bits in a variable?

Page 36

S-boxes

• S-boxes perform substitution operations.

• There are 8 different S-boxes.

• Each S-box takes 6 input bits and produces 4 output bits:

– Bits 1-6 are the input to S-box 1.

– Bits 7-12 are the input to S-box 2, etc.

Page 37

S-box Operation

• Each S-box contains 4 rows and 16 columns of entries.

• Example - S-box 1:

• The first and last of the 6 input bits to an S-box form a two-digit binary number that specifies one of the 4 rows:

– 00 for the zeroth row, 01 for the first row, 10 for the second row, and 11 for the third row.

• The middle four input bits form a four-digit binary number that specifies one of the 16 columns:

– 0000 for the zeroth column, 0001 for the first column, . . ., and 1111 for the 15th column.

Page 38

S-box Operation

• The entry found at the intersection of the specified row and column is the four-digit binary output for the S-box.

Examples using S-box 1:

• 011010 (input) = row 0, column 13 = 9 = 1001 (output).

• 110010 (input) = row 2, column 9 = 12 = 1100 (output).

• 000011 (input) = row 1, column 1 = 15 = 1111 (output).

Page 39

The S-boxes

Page 40

Example

• The 48-bit result of the XOR operation:

– 110011111011001001001011100101110100010001001001

• The 32-bit result of the S-box substitutions:

– 10110101001111111100010011101010

Page 41

P-box

• The 32-bit output of the S-boxes is passed through a P-box.

• The P-box permutes the bits into a new order:

– The first output bit from the S-boxes is moved into position 16.

– The second bit is moved into position 7.

– The third bit is moved into position 20.

– The thirty-second bit is moved into position 25.

Page 42

Second XOR Operation

• The 32-bit output of the P-box is XORed with the left half of the original 64-bit input block.

– Output from P-box (32 bits): 10001101110101100101011001011111

– Left half of input block (32 bits): 11100010101110100011100011001101

• The 32-bit output of the XOR operation:

– 01101111011011000110111010010010

Page 43

Decryption

• The same algorithm and key are used for decryption.

• The subkeys are applied in the opposite order:

– Subkey 16 is used during the first round of decryption,

– Subkey 15 is used during the second round of decryption, …

– Subkey 1 is used during the 16th round of decryption.

Page 44

Stronger Encryption with DES: 3DES

- Define two key values K1 and K2.

- Each block is encrypted as c = E_K1(D_K2(E_K1(m))) (the second pass encrypts with decryption).

- Decryption does the reverse: m = D_K1(E_K2(D_K1(c))).

Note that encrypting twice with the same key is not much more than a single encryption (exhaustive search requires the same number of keys to be tested; it is true that each key has to be tested twice, but that isn’t a big deal).

Also, encrypting twice with two keys is not as strong as encrypting once with a key twice as long. There exists a possible attack that breaks double-encryption DES in roughly twice the time for a brute-force attack on single-encryption DES.

See [Kaufman 2002] if you want to understand why the 3rd time is the charm.

Page 45

DES Summary

• DES is deprecated and vulnerable to attacks with modern computing technology. NIST recommends that AES be used instead.

• DES helped to focus and unify the cryptography research community.

• NIST’s 1998 call for an Advanced Encryption Standard to replace DES produced 15 promising candidate algorithms from researchers all over the world.

Page 46

Block Cipher Modes

Page 47

Using Block Ciphers: Padding

If the plaintext length is not an exact multiple of the block size, the plaintext needs to be padded.

• Clearly, padding must be reversible.

• An erroneous padding must be treated as an authentication failure.

• Let l(P) be the length of the plaintext in bytes. Use one of the two following schemes:

1) Append a single byte with value 128, then as many 0 bytes as needed to make l(P) a multiple of the block size b.

2) Let n be the number of padding bytes required. Pad P with n bytes, each with value n. Calculate n so that it satisfies:
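The two padding schemes above as an added example in C (not from the slides), each with the unpadding check that rejects a malformed padding. The condition the slide leaves out for scheme 2 is taken as 1 <= n <= b with l(P) + n a multiple of b (an assumption consistent with the scheme), so a plaintext that already fills a block gets a whole extra block of padding; the block size b = 16 and the sample messages are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BLOCK 16   /* block size b in bytes (constructed choice) */

/* Scheme 1: append 0x80 (128) then zeros up to the block boundary.
 * out needs room for len + BLOCK bytes; returns the padded length. */
size_t pad_scheme1(const unsigned char *p, size_t len, unsigned char *out) {
    size_t n = BLOCK - (len % BLOCK);        /* 1..BLOCK bytes added in total */
    memcpy(out, p, len);
    out[len] = 0x80;
    memset(out + len + 1, 0, n - 1);
    return len + n;
}

/* Scheme 1 unpad: strip trailing zeros, then the 0x80 marker must follow.
 * Returns the plaintext length, or -1 for any malformed padding (to be
 * treated as an authentication failure, with no detail about why). */
long unpad_scheme1(const unsigned char *c, size_t len) {
    if (len == 0 || len % BLOCK != 0) return -1;
    size_t i = len;
    while (i > 0 && c[i - 1] == 0) i--;
    if (i == 0 || c[i - 1] != 0x80) return -1;  /* marker missing */
    if (len - i >= BLOCK) return -1;            /* marker outside the last block */
    return (long)(i - 1);
}

/* Scheme 2: append n bytes of value n, 1 <= n <= BLOCK. */
size_t pad_scheme2(const unsigned char *p, size_t len, unsigned char *out) {
    size_t n = BLOCK - (len % BLOCK);
    memcpy(out, p, len);
    memset(out + len, (int)n, n);
    return len + n;
}

/* Scheme 2 unpad: the last byte is n, and every one of the last n bytes must
 * equal n.  All of them are checked, not just the last one. */
long unpad_scheme2(const unsigned char *c, size_t len) {
    if (len == 0 || len % BLOCK != 0) return -1;
    unsigned n = c[len - 1];
    if (n == 0 || n > BLOCK) return -1;
    for (size_t i = len - n; i < len; i++)
        if (c[i] != n) return -1;
    return (long)(len - n);
}

int main(void) {
    const unsigned char msg[] = "YELLOW SUBMARINE";   /* constructed, 16 bytes */
    unsigned char buf[64];
    size_t n = pad_scheme1(msg, 16, buf);
    printf("scheme 1: %zu bytes padded, unpadded length %ld\n", n, unpad_scheme1(buf, n));
    n = pad_scheme2(msg, 16, buf);
    printf("scheme 2: %zu bytes padded, unpadded length %ld\n", n, unpad_scheme2(buf, n));
    buf[20] = 7;                                        /* damage one padding byte */
    printf("damaged scheme 2 padding: %ld\n", unpad_scheme2(buf, n));
    return 0;
}
```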

Page 48

Electronic Code Book (ECB)

[Figure: the plaintext message P1 P2 P3 P4 P5 P6 P7 P8 P9; each block goes through E under the same key K, giving the ciphertext message C1 C2 C3 C4 C5 C6 C7 C8 C9.]

BIG ISSUES

- If any two blocks mi and mj are identical, the corresponding ci and cj will also be identical: one can learn the key from the repeated blocks.

- The blocks can be rearranged or tampered with.

Page 49

Cipher Block Chaining (CBC)

[Figure: P1 is XORed with the IV and encrypted by E under K to give C1; P2 is XORed with C1 and encrypted to give C2; and so on through P7 and C7, each plaintext block being XORed with the previous ciphertext block before encryption under the same key K.]

BIG ISSUES

- If all messages were to use the same IV, someone could figure out facts about the messages being encrypted.

- If the IV is chosen randomly, then even if the same message is repeatedly encrypted, the corresponding ciphertexts will be different each time.

- The message may still be modified in transit: the effect may be obvious to human eyes, but hard to spot by a program.

Page 50

Cipher Block Chaining (CBC)

Each block of plaintext is “randomized” according to the previous ciphertext block. Identical plaintext blocks will most likely encrypt to different ciphertext blocks.

How do you choose C0 (the initialization vector)? Two different messages starting with the same block yield ciphertexts that start with the same block: this opens a breach for attackers. Possible solutions:

1) Use a message counter.

2) Use a random number.

3) Use a nonce: Each message is given a nonce (a unique number used only once). You have to be careful never to use the same nonce twice with the same key! Each message P is assigned a number (a counter that does not wrap around). This number is used to construct a nonce unique in the whole system. The nonce has the size of a block, and is next encrypted with K producing C0. Send the message number in front of the ciphertext, so that the receiver can reconstruct the nonce. The receiver must accept any one message number only once!

Page 51

Output Feedback Mode (OFB)

This is actually a stream cipher: the message is XORed with the one-time pad generated by OFB.

- The IV can be chosen randomly and sent with the ciphertext, or it can be generated from a nonce.

- There is no need for padding: you only send as many ciphertext bytes as there are plaintext bytes.

- The secrecy relies on the one-time pad really being used only once!

- If a lot of data is encrypted, it is possible that a sequence of key blocks could start repeating…

K0 = IV

Ki = E(K, Ki−1), for i = 1, . . . , k

Ci = Pi ⊕ Ki

Page 52 to Page 53

Output Feedback Mode (OFB)

[Figure: starting from K0, each key block is produced by E under K from the previous one (K1 = E(K, K0), K2 = E(K, K1), ...), and Ci = Pi ⊕ Ki for i = 1, ..., k. The chain of encryptions acts as a pseudo-random number generator with K0 as its seed.]

K0 = IV

Ki = E(K, Ki−1), for i = 1, . . . , k

Ci = Pi ⊕ Ki

Page 54

Counter Mode (CTR)

Ki = E(K, nonce || i), for i = 1, . . . , k

Ci = Pi ⊕ Ki

Page 55 to Page 56

Counter Mode (CTR)

[Figure: K1 = E(K, IV), K2 = E(K, IV || 1), K3 = E(K, IV || 2), ...; C1 = P1 ⊕ K1, C2 = P2 ⊕ K2, C3 = P3 ⊕ K3. The block cipher driven by the counter acts as a pseudo-random number generator with the IV as its seed.]

Ki = E(K, nonce || i), for i = 1, . . . , k

Ci = Pi ⊕ Ki

This is also a stream cipher. The key stream is generated very simply using the IV as a starting point and adding to it a counter value (which represents the number of blocks processed).
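An added example in C (not from the slides) covering ECB (Page 48), OFB (Pages 51 to 53) and CTR (Pages 54 to 56) on 64-bit blocks. A toy keyed mixing function stands in for E(K, ·), an assumption of this example and not a real cipher; the key, IV, nonce and plaintext blocks are constructed. ECB shows the "big issue" of identical plaintext blocks producing identical ciphertext blocks, while OFB and CTR turn the block function into a key stream that is XORed with the plaintext, so the same call both encrypts and decrypts and no padding is needed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a block cipher E(K, x): a keyed 64-bit mixer (a bijection,
 * but not a secure cipher).  OFB and CTR never need to invert it, and ECB
 * below only encrypts, so no decryption direction is implemented. */
uint64_t toy_block(uint64_t key, uint64_t x) {
    x ^= key;
    x *= 0x9E3779B97F4A7C15ull;
    x ^= x >> 29;
    x *= 0xBF58476D1CE4E5B9ull;
    return x ^ (x >> 32);
}

/* ECB: every block encrypted independently under the same key. */
void ecb_encrypt(uint64_t key, const uint64_t *p, uint64_t *c, size_t nblocks) {
    for (size_t i = 0; i < nblocks; i++) c[i] = toy_block(key, p[i]);
}

/* OFB: K0 = IV, Ki = E(K, K(i-1)), Ci = Pi xor Ki.  The same call decrypts. */
void ofb_xcrypt(uint64_t key, uint64_t iv, const uint64_t *in, uint64_t *out,
                size_t nblocks) {
    uint64_t ks = iv;
    for (size_t i = 0; i < nblocks; i++) {
        ks = toy_block(key, ks);       /* next key block from the previous one */
        out[i] = in[i] ^ ks;
    }
}

/* CTR: Ki = E(K, nonce || i) with the 32-bit nonce in the high half and the
 * block counter i (starting at 1) in the low half; Ci = Pi xor Ki. */
void ctr_xcrypt(uint64_t key, uint32_t nonce, const uint64_t *in, uint64_t *out,
                size_t nblocks) {
    for (size_t i = 0; i < nblocks; i++) {
        uint64_t ks = toy_block(key, ((uint64_t)nonce << 32) | (uint32_t)(i + 1));
        out[i] = in[i] ^ ks;
    }
}

/* Count pairs of equal ciphertext blocks: anything above 0 is a leaked pattern. */
size_t repeated_blocks(const uint64_t *c, size_t nblocks) {
    size_t dup = 0;
    for (size_t i = 0; i < nblocks; i++)
        for (size_t j = i + 1; j < nblocks; j++)
            if (c[i] == c[j]) dup++;
    return dup;
}

int main(void) {
    const uint64_t key = 0x0123456789ABCDEFull;      /* constructed key */
    /* "THISISAT", "ESTOFTHE", "THISISAT", "MERGENCY": block 0 repeats as block 2 */
    uint64_t p[4] = { 0x5448495349534154ull, 0x4553544F46544845ull,
                      0x5448495349534154ull, 0x4D455247454E4359ull };
    uint64_t c[4], d[4];
    ecb_encrypt(key, p, c, 4);
    printf("ECB repeated ciphertext block pairs: %zu\n", repeated_blocks(c, 4));
    ctr_xcrypt(key, 0x11223344u, p, c, 4);
    ctr_xcrypt(key, 0x11223344u, c, d, 4);
    printf("CTR repeated pairs: %zu, round trip ok: %d\n",
           repeated_blocks(c, 4), memcmp(p, d, sizeof p) == 0);
    ofb_xcrypt(key, 0xFEEDFACEull, p, c, 4);
    ofb_xcrypt(key, 0xFEEDFACEull, c, d, 4);
    printf("OFB round trip ok: %d\n", memcmp(p, d, sizeof p) == 0);
    return 0;
}
```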

Page 57

Message Digest Functions

Page 58

Overview

• Cryptographic hash functions are functions that:

– Map an arbitrary-length (but finite) input to a fixed-size output.

– Are one-way (hard to invert).

– Are collision-resistant (difficult to find two values that produce the same output).

• Examples:

– Message digest functions - protect the integrity of data by creating a fingerprint of a digital document.

– Message Authentication Codes (MAC) - protect both the integrity and authenticity of data by creating a fingerprint based on both the digital document and a secret key.

Page 59

Checksums vs. Message Digests

• Checksums:

– Used to produce a compact representation of a message.

– If the message changes, the checksum will probably not match.

– Good: accidental changes to a message can be detected.

– Bad: easy to purposely alter a message without changing the checksum.

• Message digests:

– Used to produce a compact representation (called the fingerprint or digest) of a message.

– If the message changes, the digest will probably not match.

– Good: accidental changes to a message can be detected.

– Good: difficult to alter a message without changing the digest.

Page 60

Hash Functions

• Message digest functions are hash functions:
  • A hash function, H(M) = h, takes an arbitrary-length input, M, and produces a fixed-length output, h.

• Example hash function:
  • H = sum all the letters of an input word modulo 26.
  • Input = a word.
  • Output = a number between 0 and 25, inclusive.
  • Example:
    • H(“Elvis”) = ((‘E’ + ‘L’ + ‘V’ + ‘I’ + ‘S’) mod 26)
    • H(“Elvis”) = ((5 + 12 + 22 + 9 + 19) mod 26)
    • H(“Elvis”) = (67 mod 26)
    • H(“Elvis”) = 15

Page 61

Collisions

• For the hash function:
  • H = sum all the letters of an input word modulo 26.

• There are more inputs (words) than possible outputs (numbers 0-25).

• Some different inputs produce the same output.

• A collision occurs when two different inputs produce the same output:
  • The values x and y are not the same, but H(x) and H(y) are the same.

Page 62

Collision-Resistant Hash Functions

• Hash functions for which it is difficult to find collisions are called collision-resistant.

• A collision-resistant hash function, H(M) = h:
  • For any message, M1, it is difficult to find another message, M2, such that:
    • M1 and M2 are not the same.
    • H(M1) and H(M2) are the same.

Page 63

One-Way Hash Functions

• A function, H(M) = h, is one-way if:
  • Forward direction: given M it is easy to compute h.
  • Backward direction: given h it is difficult to compute M.

• A one-way hash function:
  • Easy to compute the hash for a given message.
  • Hard to determine what message produced a given hash value.

Page 64

Message Digest Functions

Message digest functions are collision-resistant, one-way hash functions:

• Given a message it is easy to compute its digest.
• Hard to find any message that produces a given digest (one-way).
• Hard to find any two messages that have the same digest (collision-resistant).

Page 65

Using Message Digest Functions

Message digest functions can be used to protect data integrity:

• A company makes some software available for download over the World Wide Web.

• Users want to be sure that they receive a copy that has not been tampered with.

• Solution:
  • The company creates a message digest for its software.
  • The digest is transmitted (securely) to users.
  • Users compute their own digest for the software they receive.
  • If the digests match the software probably has not been altered.

Page 66

The Secure Hash Algorithm (SHA)

• A Federal Information Processing Standard (FIPS 180-1) adopted by the U.S. government in 1995.

• Based on a message digest function called MD4 created by Ron Rivest.

• Developed by NIST and the NSA.

• Input: a message of b bits.

• Output: a 160-bit message digest.

What "secure" means is relative: a number of proof-of-concept results have shown collisions with variants of SHA.

Page 67

SHA - Padding

• Input: a message of b bits.

• Padding makes the message length a multiple of 512 bits.

• The input is always padded (even if its length is already a multiple of 512).

• Padding is accomplished by appending to the input:
  – A single bit, 1,
  – Enough additional bits, all 0, to bring the length to 448 bits modulo 512 (i.e., 64 bits short of filling the final 512-bit block),
  – A 64-bit integer representing the length of the original message in bits.

Page 68

SHA – Padding Example

• Consider the following message:
  • M = 01100010 11001010 1001 (20 bits)

• To pad we append:
  • 1 (1 bit),
  • 427 0s (because 448-21 = 427 bits),
  • 64-bit binary representation of the number 20 (64 bits).

• Result:
  • Pad(M) = 01100010 11001010 10011000 00000000 . . . 00000000 00010100 (512 bits).
  • 464 0s have been omitted above (denoted by the ellipsis).
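The padding rule above as an added example (not code from the slides), working on a string of 0/1 characters so that any bit length can be padded; sha_pad and count_padding_zeros are names chosen here, and the 20-bit message is the slide's.

```python
# Added example, not from the slides: SHA-style padding as the slides describe it,
# done on a string of '0'/'1' characters so any bit length works.

def count_padding_zeros(b: int) -> int:
    """Number of 0 bits inserted for a b-bit message (448-21 = 427 when b = 20).
    The modulo makes the count wrap when the 1 bit already pushes the message past
    448 bits mod 512: then a whole extra block is added, as the slide requires."""
    return (448 - (b + 1)) % 512


def sha_pad(bits: str) -> str:
    """Return the padded message, a multiple of 512 bits:
    original bits, a single 1 bit, 0 bits up to 448 mod 512,
    then the original bit length as a 64-bit big-endian integer."""
    if any(c not in "01" for c in bits):
        raise ValueError("message must be given as a string of 0/1 characters")
    b = len(bits)
    if b >= 2 ** 64:
        raise ValueError("SHA only defines padding for messages shorter than 2^64 bits")
    padded = bits + "1"                      # the 1 bit is always appended
    padded += "0" * count_padding_zeros(b)   # zeros up to 448 mod 512
    padded += format(b, "064b")              # 64-bit length of the ORIGINAL message
    assert len(padded) % 512 == 0
    return padded


def show_octets(bits: str, keep: int = 4) -> str:
    """Render a bit string as space-separated octets, eliding the middle like the slide."""
    octets = [bits[i:i + 8] for i in range(0, len(bits), 8)]
    if len(octets) <= 2 * keep:
        return " ".join(octets)
    omitted = 8 * (len(octets) - 2 * keep)
    return (" ".join(octets[:keep]) + f" ... ({omitted} 0s omitted) ... "
            + " ".join(octets[-keep:]))


if __name__ == "__main__":
    M = "01100010" "11001010" "1001"     # the slide's 20-bit message
    print(show_octets(sha_pad(M)))
```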

Page 69

Message Digests are not enough…

• Example: We want to use a message digest function to protect files on our computer from intruders:
  – Calculate digests for important files and store them in a table.
  – Recompute and check from time to time to verify that the files have not been modified.

• Good: if someone modifies a file the change will be detected since the digest of that file will be different.

• Bad: the attacker could just compute new digests for modified files and install them in the table.

• What is needed is a function that depends not only on the message, but also on some kind of secret.

Page 70

Attacks on Message Digests

• Brute-force: Let H be a message digest (a one-way function) and M be some piece of data. Can you find a piece of data M’ such that H(M) = H(M’)? Say that you generate sequences of M’ and compute H(M’) for each one until you find a match. How many M’ would you have to test?

• Birthday Attack: Say that H(.) produces n bits. If you choose M’ at random, you need to try at most 2^(n/2) messages to have a greater than 50% chance of finding the M’ that you want. (See the Birthday Paradox in probability theory textbooks.)

Page 71

Message Authentication Codes

• A message authentication code (MAC) is a key-dependent message digest function:

MAC(Key, Message) = h

• The MAC can only be created or verified by someone who knows Key.

• One can turn a one-way hash function into a MAC by encrypting the hash value with a symmetric-key cipher.

Page 72

Using a MAC

A MAC can be used to protect data integrity and authenticity:

• Want to use a MAC to protect files on our computer against tampering:
  • Calculate MAC values for important files and store them in a table,
  • Recompute MACs from time to time and compare to stored values to verify that the files haven’t been modified.

• Good: If someone modifies a file the hash of that file will be different.

• Good: As long as no one knows the proper key, new MACs can’t be stored in the table to cover the intruder’s tracks.
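The file-table scenario from the "Message Digests are not enough" slide and this one, side by side, as an added example (not from the slides): the same tamper-and-refresh step fools a digest-only table but not a keyed one. It assumes SHA-256 for the digest and HMAC-SHA256 as the MAC construction (the slides' "encrypt the hash" is another way to build a MAC); the files and key are constructed stand-ins.

```python
import hashlib
import hmac
import os

# Added example, not from the slides. Constructed in-memory stand-ins for the
# "important files" of the slides.
FILES = {
    "/etc/passwd":    b"root:x:0:0:root:/root:/bin/bash\n",   # constructed contents
    "/usr/bin/login": b"\x7fELF constructed binary contents",  # constructed contents
}


def digest_table(files):
    """Digest-only table: anyone who knows the algorithm can regenerate an entry."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def mac_table(files, key):
    """Keyed table (HMAC-SHA256): an entry can only be produced by a holder of key."""
    return {name: hmac.new(key, data, hashlib.sha256).hexdigest()
            for name, data in files.items()}


def check_digests(files, table):
    """The periodic check from the slide; True means 'unchanged' per file."""
    return {name: hmac.compare_digest(hashlib.sha256(data).hexdigest(), table[name])
            for name, data in files.items()}


def check_macs(files, table, key):
    return {name: hmac.compare_digest(hmac.new(key, data, hashlib.sha256).hexdigest(),
                                      table[name])
            for name, data in files.items()}


def modify_and_refresh_entry(files, table, name, new_data):
    """The slide's 'Bad' case: a file is replaced and its table entry is refreshed
    using nothing but the public algorithm (no key). Returns new copies."""
    files = {**files, name: new_data}
    table = {**table, name: hashlib.sha256(new_data).hexdigest()}
    return files, table


def demo(key):
    """Run both schemes through the same scenario; returns the check result for the
    modified file as (digest table passed, MAC table passed)."""
    d_tab, m_tab = digest_table(FILES), mac_table(FILES, key)
    new_data = FILES["/etc/passwd"] + b"# constructed modification\n"
    files2, d_tab2 = modify_and_refresh_entry(FILES, d_tab, "/etc/passwd", new_data)
    _, m_tab2 = modify_and_refresh_entry(FILES, m_tab, "/etc/passwd", new_data)
    return (check_digests(files2, d_tab2)["/etc/passwd"],
            check_macs(files2, m_tab2, key)["/etc/passwd"])


if __name__ == "__main__":
    key = os.urandom(32)   # generated once; keep it off the host whose files are checked
    print(demo(key))       # (True, False): digest table fooled, MAC table detects it
```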

Page 73

Implementing a MAC

Question: Does this structure look familiar?

Page 74

Libraries for MDs and MACs

mhash: Supports SHA1, GOST, HAVAL256, HAVAL224, HAVAL192, HAVAL160, HAVAL128, MD5, MD4, RIPEMD160, TIGER, TIGER160, TIGER128, CRC32B and CRC32 checksums. Free (GNU LGPL).

http://mhash.sourceforge.net

OpenSSL: All that you could want and more. http://openssl.org

java.security: Offers a number of classes for applications needing crypto primitives. MessageDigest, for instance, is a class that produces digests according to MD5 or SHA.

http://java.sun.com/j2se/1.4.2/docs/api/

Page 75

Summary

Message digests
• Message digest functions are collision-resistant, one-way hash functions:
  • Collision-resistant: hard to find two values that produce the same output,
  • One-way: hard to determine what input produced a given output.
• Protects the integrity of a digital document.

MACs
– A message authentication code is a key-dependent message digest function:
  • The output is a function of both the hash function and a secret key.
  • The MAC can only be created or verified by someone who knows the key.
– Protects the integrity and the authenticity of a digital document.

Page 76

Public Key Algorithms

Page 77

Secret Key Cryptography

[Figure: Alice and Bob; plaintext is enciphered with the key, the ciphertext crosses the open channel, and Bob deciphers it with the same key to recover the plaintext]

Alice and Bob share a secret: the key value. The communication on the open channel is secure as long as only trusted parties know the key.

Problem: Key distribution (the insecure channel won’t help there).

Page 78

Public Key Cryptography

[Figure: Alice and Bob; plaintext is enciphered with key<Alice,private>, the ciphertext crosses the open channel and is deciphered with key<Alice,pub>, giving back the plaintext. key<Alice,pub> and key<Bob,pub> are themselves sent over the open channel; each party keeps its private key (key<Bob,private>, key<Bob,public>)]

Question: How has this solved the key distribution problem?

Page 79

Public Key Cryptography

Generate a private key for Bob (Bpriv). This is a secret and must be known only to Bob.

Generate a public key for Bob (Bpub). This is not a secret and must be disclosed to anyone who wants to send messages to Bob.

If Alice wants to communicate secretly with Bob, she needs to get hold of Bob’s public key. Then, Alice encrypts her message with Bpub and sends it to Bob. Only Bob, who holds Bpriv, can decrypt Alice’s message.

If Bob wants to put his digital signature on messages he sends out, he can encrypt them with his private key Bpriv. Whoever receives these messages and has Bpub is able to decrypt them. These parties can be sure that only someone with Bpriv, that is Bob, could have signed them. This can be used to guarantee non-repudiation.

Page 80

Modular Addition

 +  | 0 1 2 3 4 5 6 7 8 9
----+--------------------
 0  | 0 1 2 3 4 5 6 7 8 9
 1  | 1 2 3 4 5 6 7 8 9 0
 2  | 2 3 4 5 6 7 8 9 0 1
 3  | 3 4 5 6 7 8 9 0 1 2
 4  | 4 5 6 7 8 9 0 1 2 3
 5  | 5 6 7 8 9 0 1 2 3 4
 6  | 6 7 8 9 0 1 2 3 4 5
 7  | 7 8 9 0 1 2 3 4 5 6
 8  | 8 9 0 1 2 3 4 5 6 7
 9  | 9 0 1 2 3 4 5 6 7 8

If we encipher with addition mod 10, we decipher with subtraction mod 10 (subtract normally; if result is negative, add 10).

Page 81

Modular Multiplication

 ×  | 0 1 2 3 4 5 6 7 8 9
----+--------------------
 0  | 0 0 0 0 0 0 0 0 0 0
 1  | 0 1 2 3 4 5 6 7 8 9
 2  | 0 2 4 6 8 0 2 4 6 8
 3  | 0 3 6 9 2 5 8 1 4 7
 4  | 0 4 8 2 6 0 4 8 2 6
 5  | 0 5 0 5 0 5 0 5 0 5
 6  | 0 6 2 8 4 0 6 2 8 4
 7  | 0 7 4 1 8 5 2 9 6 3
 8  | 0 8 6 4 2 0 8 6 4 2
 9  | 0 9 8 7 6 5 4 3 2 1

We have a cipher if we multiply by 1, 3, 7, or 9. To decipher, we multiply by key^-1, the multiplicative inverse of the key, that is, the number by which you’d multiply key (mod 10) to get 1.

encipher=3, decipher=7

encipher=1, decipher=1

encipher=9, decipher=9

encipher=7, decipher=3

What we want is to find numbers that are relatively prime to 10 because they will have multiplicative inverses, and thus we’ll have a cipher with modular multiplication.

Page 82

Modular Multiplication

So far we understand that if we can choose a key that has a multiplicative inverse, we have a cipher with modular multiplication.

How many numbers less than n are relatively prime to n?

Page 83

Modular Exponentiation (x^y mod 10; the slide leaves 0^0 blank)

 x \ y | 0 1 2 3 4 5 6 7 8 9 10 11 12
-------+-----------------------------
   0   | - 0 0 0 0 0 0 0 0 0  0  0  0
   1   | 1 1 1 1 1 1 1 1 1 1  1  1  1
   2   | 1 2 4 8 6 2 4 8 6 2  4  8  6
   3   | 1 3 9 7 1 3 9 7 1 3  9  7  1
   4   | 1 4 6 4 6 4 6 4 6 4  6  4  6
   5   | 1 5 5 5 5 5 5 5 5 5  5  5  5
   6   | 1 6 6 6 6 6 6 6 6 6  6  6  6
   7   | 1 7 9 3 1 7 9 3 1 7  9  3  1
   8   | 1 8 4 2 6 8 4 2 6 8  4  2  6
   9   | 1 9 1 9 1 9 1 9 1 9  1  9  1

To have a cipher with modular exponentiation we need to be able to define encipher and decipher operations. How can we find the exponentiative inverse?

This works for primes and products of distinct primes.
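The questions the last three slides raise (which keys have a multiplicative inverse, how many there are, and when an exponentiative inverse exists), answered by computation for any modulus n as an added example (not code from the slides). Function names are chosen here; pow(k, -1, n) for the modular inverse needs Python 3.8 or later.

```python
from math import gcd

# Added example, not from the slides: the modular-arithmetic facts behind the
# multiplication and exponentiation ciphers, checked for an arbitrary modulus n.


def units(n):
    """Usable multiplication keys mod n: the numbers in 1..n-1 relatively prime to n."""
    return [k for k in range(1, n) if gcd(k, n) == 1]


def phi(n):
    """Euler's totient: how many numbers less than n are relatively prime to n."""
    return len(units(n))


def mult_inverse(key, n):
    """The decipher key key^-1 mod n; raises ValueError when key has no inverse."""
    return pow(key, -1, n)


def decipher_keys(n):
    """encipher -> decipher table, like the four pairs listed for mod 10."""
    return {k: mult_inverse(k, n) for k in units(n)}


def is_squarefree(n):
    """True when n is a prime or a product of distinct primes."""
    d = 2
    while d * d <= n:
        if n % (d * d) == 0:
            return False
        d += 1
    return True


def exp_inverse_exists(n):
    """Does raising to phi(n) act as the identity on every x mod n?  When it does,
    e*d = 1 mod phi(n) makes d the exponentiative inverse of e for all x, which is
    exactly the 'primes and products of distinct primes' condition on the slide."""
    return all(pow(x, phi(n) + 1, n) == x for x in range(n))


if __name__ == "__main__":
    print(units(10), phi(10), decipher_keys(10))
    print(exp_inverse_exists(10), exp_inverse_exists(4))   # mod 4: 2^3 = 0, not 2
```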

Page 84

RSA

[Figure: RSA used for encryption, decryption and digital signature]

Page 85

Why RSA Works

RSA uses arithmetic mod n, where n=pq.

We chose d and e so that de ≡ 1 (mod φ(n)).

We know that φ(n)=(p-1)(q-1), so for any x:
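The step the slide ends on, carried through as an added derivation (not from the slides) in the slide's own symbols; it assumes gcd(x, n) = 1 so that Euler's theorem applies directly, and then notes why the other case works too.

$$
de \equiv 1 \pmod{\varphi(n)} \;\Longrightarrow\; de = 1 + k\,\varphi(n) \quad \text{for some integer } k \ge 0
$$

$$
(x^{e})^{d} \;=\; x^{de} \;=\; x^{1 + k\varphi(n)} \;=\; x \cdot \left(x^{\varphi(n)}\right)^{k} \;\equiv\; x \cdot 1^{k} \;=\; x \pmod{n}
$$

since Euler's theorem gives $x^{\varphi(n)} \equiv 1 \pmod{n}$ whenever $\gcd(x, n) = 1$. Swapping the roles of $d$ and $e$ gives $(x^{d})^{e} \equiv x \pmod{n}$ in the same way, which is why one key pair serves both for decryption (exponent $d$ after $e$) and for signing and verifying (exponent $e$ after $d$). When $x$ shares a factor with $n$, the congruence $x^{de} \equiv x$ still holds modulo $p$ and modulo $q$ separately (each is prime, so either $p \mid x$ and both sides are $0$, or $x^{p-1} \equiv 1 \pmod{p}$ with $(p-1) \mid \varphi(n)$), hence modulo $n = pq$ because $p \ne q$; this is the "products of distinct primes" condition from the modular exponentiation slide.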

Page 86

Why RSA is Secure

If you know n, you could say that by factoring it into n=pq, you could compute φ(n), then e and d.

When n is sufficiently large, factoring it is no walk in the park. RSA is secure as long as n is so large that in order to factor it, one would have to spend a very long time using the most advanced computing resources.
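The RSA operations from the preceding slides (key generation with de ≡ 1 (mod φ(n)), encryption with Bpub, decryption with Bpriv, and signing as "encrypting with Bpriv") as an added example, not code from the slides. It uses small constructed primes p = 61, q = 53 and e = 17 so every value can be checked by hand; function names are chosen here.

```python
from math import gcd

# Added example, not from the slides: textbook RSA with small constructed primes.
# It shows only the arithmetic behind the slides; real keys use primes of hundreds
# of digits and pad the message before exponentiation.


def is_prime(n):
    """Trial division; fine for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def rsa_keygen(p, q, e):
    """Return (Bpub, Bpriv) = ((n, e), (n, d)) with d*e = 1 mod phi(n)."""
    if p == q or not (is_prime(p) and is_prime(q)):
        raise ValueError("p and q must be distinct primes")
    n, phi_n = p * q, (p - 1) * (q - 1)
    if gcd(e, phi_n) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = pow(e, -1, phi_n)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(pub, m):
    """Anyone holding Bpub can do this: c = m^e mod n."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    """Only Bob, holding Bpriv: m = c^d mod n."""
    n, d = priv
    return pow(c, d, n)


def rsa_sign(priv, m):
    """Signing as the slide puts it: 'encrypt' with the private key, s = m^d mod n."""
    n, d = priv
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, d, n)


def rsa_verify(pub, m, s):
    """Anyone with Bpub can check: s^e mod n must give back m."""
    n, e = pub
    return pow(s, e, n) == m


if __name__ == "__main__":
    bpub, bpriv = rsa_keygen(61, 53, 17)          # constructed toy key pair
    c = rsa_encrypt(bpub, 65)
    print(bpub, bpriv, c, rsa_decrypt(bpriv, c))
    print(rsa_verify(bpub, 65, rsa_sign(bpriv, 65)))
```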

Page 87

Diffie-Hellman

Problem: Two parties, Alice and Bob, need to agree on a key value to use, but can communicate only via an insecure channel.

Solution: Two prime numbers p and g are chosen and publicly distributed. Each of the parties picks a large random number and keeps it secret; say we then have SA and SB.

Alice picks SA. Alice computes

Bob picks SB. Bob computes

Alice and Bob exchange TA and TB (in whatever order).

Alice computes . Bob computes .

Now, both Alice and Bob computed the same number:
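The exchange above with the slide's names (p, g, SA, SB, TA, TB), as an added example that is not code from the slides. It uses small constructed values p = 23, g = 5, SA = 6, SB = 15; the slide calls g prime, and what the arithmetic needs is that g generates the multiplicative group mod p, which is_generator checks by brute force (only practical at toy sizes).

```python
# Added example, not from the slides: Diffie-Hellman with the slide's notation.
# TA = g^SA mod p and TB = g^SB mod p cross the open channel; SA and SB never do.


def is_generator(g, p):
    """True if the powers of g mod p run through every value in 1..p-1."""
    return {pow(g, k, p) for k in range(1, p)} == set(range(1, p))


def dh_public(p, g, S):
    """T = g^S mod p, the value a party may send over the open channel."""
    return pow(g, S, p)


def dh_shared(p, T_other, S):
    """The agreed key: the other party's T raised to one's own secret, mod p."""
    return pow(T_other, S, p)


def diffie_hellman(p, g, SA, SB):
    """Run both sides; returns (TA, TB, Alice's key, Bob's key).
    The last two are equal: TB^SA = g^(SB*SA) = g^(SA*SB) = TA^SB (mod p)."""
    if not is_generator(g, p):
        raise ValueError("g must generate the group mod p")
    TA = dh_public(p, g, SA)          # Alice picks SA, computes TA
    TB = dh_public(p, g, SB)          # Bob picks SB, computes TB
    KA = dh_shared(p, TB, SA)         # Alice computes TB^SA mod p
    KB = dh_shared(p, TA, SB)         # Bob computes TA^SB mod p
    return TA, TB, KA, KB


if __name__ == "__main__":
    print(diffie_hellman(23, 5, 6, 15))   # constructed toy values; prints (8, 19, 2, 2)
```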

Page 88

“Man”-in-the-middle Attack

[Figure: Eve placed on the channel between Alice and Bob]

Questions: What allowed this kind of attack to happen? How can one prevent against it?

Page 89

Public Key Infrastructure

Goal: To distribute public keys. Who can say that the public keys you find in some database really belong to the people they are said to belong to? What is needed is for someone trustworthy to distribute keys and to vouch for the authenticity of these keys (a Certification Authority, CA).

A Public Key Infrastructure (PKI) consists of:
  – certificates,
  – a certificate repository,
  – a method for revoking certificates, and
  – a method for evaluating a chain of certificates from known and trusted public keys (trust anchors).

Page 90

Certificate

Definition: a certificate is a signed message vouching that a certain public key really belongs to a particular name.

Say you trust a specific CA called TrustMeDude. A certificate issued by TrustMeDude can tell you what Bob’s public key is:

As long as you know the public key from TrustMeDude, you can verify the signature on the certificate and be sure that it was issued by that CA.

Page 91

Trust Chains

Such trust chains allow for relationships to be verified and extended, but there are problems in this model...

Page 92

Trust Models

Monopoly model: there is a single CA for the whole world which can be trusted by all.

Monopoly plus Registration Authorities: the single CA chooses RAs to securely check, obtain, and vouch for public keys.

Delegated CAs: the trust anchor CA can issue certificates to other CAs, vouching for their keys and trustworthiness.

Oligarchy model: there are many trust anchors, a certificate from any of them is acceptable (web browsers).

Anarchy model: each user is responsible for defining the trust anchors; anyone is allowed to vouch for anyone else (PGP).
