Dr. Kalpakis CMSC 621, Advanced Operating Systems. Security & Cryptography
Page 1

Dr. Kalpakis

CMSC 621, Advanced Operating Systems.

Security & Cryptography

Page 2

Protection vs Security

The protection mechanisms (ACLs, etc.) discussed earlier assist us in preventing unauthorized access to and use of computer resources.

What happens if an intruder bypasses the protection mechanisms?

Cryptography can be used so that an intruder is unable to understand or use information obtained without authorization.

Page 3

Cryptography Terminology

Plaintext (or cleartext): the intelligible message

Ciphertext: the unintelligible message

Encryption and decryption: the processes that convert between plaintext and ciphertext

Key: the parameter used in an encryption/decryption algorithm

Page 4

Cryptography Terminology

Cryptosystem: a system for encryption/decryption of information
- Symmetric cryptosystem: uses the same key for both encryption and decryption
- Asymmetric cryptosystem: uses different keys for encryption and decryption

Cryptology: the designing and breaking of cryptosystems

Cryptography: the practice of using cryptosystems for confidentiality of information

Cryptanalysis: the breaking of cryptosystems

Page 5

Basic Structure of a Cryptosystem

Figure (diagram on the slide): Alice encrypts plaintext M with encryption key Ke to produce ciphertext C; Bob decrypts C with decryption key Kd to recover plaintext M; Eve, who observes C and holds side information, tries to break the system and recover plaintext M.

Page 6

Basic Attacks to Cryptosystems

Cryptosystem attacks are classified based on the amount of side information available to an intruder.

Attack classification
- ciphertext-only: intruder only has access to the ciphertext
- known-plaintext: intruder has access to the ciphertext and a considerable amount of plaintext
- chosen-plaintext: intruder has access to a chosen plaintext and its corresponding ciphertext

Page 7

Design Principles for Cryptosystems

Shannon's principles
- Diffusion principle: spread the correlations and dependencies among key and words over the text as much as possible, in order to maximize the length of plaintext needed to break the system
- Confusion principle: change a piece of information so that the ciphertext has no obvious relationship with the plaintext

Computational intractability principle: "every" algorithm for determining a key needed to break the cryptosystem is "believed" to require exhaustive search of a very large search space

Page 8

A Taxonomy of Cryptosystems

- Conventional systems
- Modern systems
  - private key systems
  - public key systems

Page 9

Conventional Cryptosystems

Conventional cryptosystems are based on substitution ciphers.
- Caesar's cipher: E(M) = (M + k) modulo 26, where M is a letter and k = 3 is the key
- Simple substitution cipher: E(M) = Key[M], where Key is an arbitrary permutation of a single alphabet
- Vigenère cipher: choose N simple substitution ciphers and encrypt the jth letter using the (j mod N)th substitution cipher
- One-time pad: encrypt by XORing the message with a key whose size equals the size of the message
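The four conventional ciphers of page 9, as an added example that is not part of the slides: each of Caesar, simple substitution, Vigenère and the one-time pad is written directly from its definition above, over the 26-letter alphabet A-Z (the pad works on bytes). The substitution key, the keyword and the pad bytes are constructed sample values; `pad_reuse_leak` shows the failure mode behind the "key as long as the message" requirement, namely that two messages under the same pad cancel the pad out.

```python
# Added example, not from the slides: the four conventional ciphers of page 9,
# implemented over the 26-letter alphabet A-Z (the one-time pad works on bytes).
import string

ALPHABET = string.ascii_uppercase


def _letters(text):
    """Keep letters only and upper-case them, as the classical ciphers assume."""
    return "".join(c for c in text.upper() if c in ALPHABET)


def caesar(text, k=3, decrypt=False):
    """E(M) = (M + k) mod 26 per letter; decryption shifts by -k."""
    shift = -k if decrypt else k
    return "".join(ALPHABET[(ALPHABET.index(c) + shift) % 26] for c in _letters(text))


def substitution(text, key, decrypt=False):
    """E(M) = Key[M], where key is an arbitrary permutation of the alphabet."""
    if sorted(key) != list(ALPHABET):
        raise ValueError("key must be a permutation of A-Z")
    table = str.maketrans(key, ALPHABET) if decrypt else str.maketrans(ALPHABET, key)
    return _letters(text).translate(table)


def vigenere(text, keyword, decrypt=False):
    """N = len(keyword) Caesar ciphers; the jth letter uses cipher (j mod N),
    whose shift is given by keyword letter j mod N."""
    shifts = [ALPHABET.index(c) for c in _letters(keyword)]
    return "".join(caesar(c, shifts[j % len(shifts)], decrypt)
                   for j, c in enumerate(_letters(text)))


def one_time_pad(data, key):
    """XOR the message with a key at least as long as it; XOR is its own inverse,
    so the same call decrypts."""
    if len(key) < len(data):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(m ^ k for m, k in zip(data, key))


def pad_reuse_leak(ciphertext1, ciphertext2):
    """Why the pad must never be reused: two ciphertexts under the same key XOR
    to the XOR of the two plaintexts, with the key cancelled out."""
    return bytes(a ^ b for a, b in zip(ciphertext1, ciphertext2))


# Constructed sample key: keyboard order, a permutation of A-Z.
SUBSTITUTION_KEY = "QWERTYUIOPASDFGHJKLZXCVBNM"

if __name__ == "__main__":
    print(caesar("ATTACK AT DAWN"))                      # DWWDFNDWGDZQ
    print(substitution("HELLO", SUBSTITUTION_KEY))       # ITSSG
    print(vigenere("ATTACK AT DAWN", "LEMON"))           # LXFOPVEFRNHR
    pad = bytes(range(8))                                # constructed 8-byte pad
    c1, c2 = one_time_pad(b"ATTACKAT", pad), one_time_pad(b"RETREAT!", pad)
    print(pad_reuse_leak(c1, c2) == one_time_pad(b"ATTACKAT", b"RETREAT!"))  # True
```

Each function is its own inverse with `decrypt=True` (or, for the pad, with the same key), which is the property a practitioner should check first for any symmetric scheme.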

Page 10

DES

The Data Encryption Standard (DES) is a modern private-key cryptosystem.
- It is a block cipher that uses two basic operations: permutation and substitution
- It breaks a message into 64-bit blocks and encrypts/decrypts each block individually
- It uses a 56-bit secret key, which is expanded to 64 bits using parity bits

Page 11

DES

Has three stages
- the plaintext block undergoes an initial permutation IP
- the permuted block undergoes a complex transformation 16 times; the block at the ith iteration is broken into two 32-bit halves L_i and R_i
- the transformed block undergoes the inverse IP' of the permutation IP of the 1st stage

DES transformation in the ith iteration, i = 1, 2, ..., 16
  K_i = Phi(Key, i), the 48-bit key of the ith iteration
  L_i = R_{i-1}
  R_i = L_{i-1} xor F(R_{i-1}, K_i)

Page 12

DES

Function F does the following
- expands R_{i-1} into a 48-bit quantity E(R_{i-1}) by permuting and duplicating some bits of R_{i-1}
- XORs E(R_{i-1}) with K_i and partitions the result into eight 6-bit blocks Q1, Q2, ..., Q8
- passes each 6-bit block Q_j through a separate 6-to-4 bit substitution box
- concatenates all transformed 4-bit Q_j blocks and then permutes them

Page 13

DES

Decryption is done by executing the three stages in reverse order, each time using the inverse function/operation
- permute the ciphertext using IP'
- undo the 16 transformations, for i = 16, 15, ..., 1, using the same keys K1, K2, ..., K16
    R_{i-1} = L_i
    L_{i-1} = R_i xor F(L_i, K_i)
- permute the transformed ciphertext with IP

For added security
- block chaining can be used: each plaintext block is XORed with the ciphertext of the previous plaintext block
- triple encryption (DES does not form a group)

Rijndael: new private key standard
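The stage structure of pages 11-13 (initial permutation IP, 16 Feistel rounds, inverse permutation) and the block chaining of page 13, as an added example that is not part of the slides and not DES itself: the round function `F`, the key schedule `subkeys` (the slides' Phi) and the permutation `IP` are constructed stand-ins built from SHA-256, so only the structure is DES-like. What the code shows is the decryption argument of page 13 (the same routine with the round keys reversed undoes encryption, because each round only XORs one half with a function of the other) and why chaining matters (two equal plaintext blocks give equal ciphertext blocks without it). The key and IV are constructed values.

```python
# Added example, not from the slides: a toy block cipher with the DES stage structure
# of pages 11-13 on 64-bit blocks, plus the block chaining of page 13. The key
# schedule Phi and round function F here are stand-ins built from SHA-256, NOT DES's
# expansion, S-boxes and permutation; only the structure is DES-like.
import hashlib

ROUNDS = 16
MASK32 = 0xFFFFFFFF

# Constructed initial permutation of bit positions 0..63 (37 is coprime to 64, so
# this is a permutation); DES uses a fixed table, any permutation shows the structure.
IP = [(37 * i + 11) % 64 for i in range(64)]
IP_INV = [IP.index(j) for j in range(64)]


def permute(block, table):
    """Bit j of the output is bit table[j] of the 64-bit input."""
    out = 0
    for j, src in enumerate(table):
        out |= ((block >> src) & 1) << j
    return out


def subkeys(key):
    """K_i = Phi(Key, i): stand-in schedule giving sixteen 48-bit round keys."""
    return [hashlib.sha256(key + bytes([i])).digest()[:6] for i in range(1, ROUNDS + 1)]


def F(r, k):
    """Stand-in for DES's F: maps (32-bit R, 48-bit K_i) to 32 bits."""
    return int.from_bytes(hashlib.sha256(r.to_bytes(4, "big") + k).digest()[:4], "big")


def feistel(block, round_keys):
    """IP; 16 rounds of L_i = R_{i-1}, R_i = L_{i-1} xor F(R_{i-1}, K_i); inverse IP.
    The halves are swapped after the last round, so the same routine with the round
    keys in reverse order undoes the encryption (the page 13 argument)."""
    block = permute(block, IP)
    L, R = block >> 32, block & MASK32
    for k in round_keys:
        L, R = R, L ^ F(R, k)
    return permute((R << 32) | L, IP_INV)


def encrypt_block(block, key):
    return feistel(block, subkeys(key))


def decrypt_block(block, key):
    return feistel(block, subkeys(key)[::-1])


def _blocks(data):
    if len(data) % 8:
        raise ValueError("data must be a multiple of 8 bytes")
    return [int.from_bytes(data[i:i + 8], "big") for i in range(0, len(data), 8)]


def ecb_encrypt(plaintext, key):
    """Each block encrypted independently: equal plaintext blocks give equal ciphertext."""
    return b"".join(encrypt_block(m, key).to_bytes(8, "big") for m in _blocks(plaintext))


def cbc_encrypt(plaintext, key, iv):
    """Block chaining: each plaintext block is XORed with the previous ciphertext block."""
    prev, out = int.from_bytes(iv, "big"), bytearray()
    for m in _blocks(plaintext):
        prev = encrypt_block(m ^ prev, key)
        out += prev.to_bytes(8, "big")
    return bytes(out)


def cbc_decrypt(ciphertext, key, iv):
    prev, out = int.from_bytes(iv, "big"), bytearray()
    for c in _blocks(ciphertext):
        out += (decrypt_block(c, key) ^ prev).to_bytes(8, "big")
        prev = c
    return bytes(out)


KEY = b"constructed key!"   # constructed 16-byte key
IV = bytes(range(8))        # constructed 8-byte IV

if __name__ == "__main__":
    msg = b"SAMEBLCKSAMEBLCK"            # two identical 8-byte blocks
    ecb, cbc = ecb_encrypt(msg, KEY), cbc_encrypt(msg, KEY, IV)
    print(ecb[:8] == ecb[8:])            # True: no chaining leaks the repetition
    print(cbc[:8] == cbc[8:])            # False: chaining hides it
    print(cbc_decrypt(cbc, KEY, IV) == msg)   # True
```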

Page 14

Public-Key Cryptosystems

Private key cryptosystems require a secure mechanism for distributing the private keys to the communicating parties.

Diffie and Hellman proposed public key cryptosystems
- public key systems make the encryption key publicly available and keep the decryption key secret
- public key systems are based on the computational intractability principle (using problems such as integer factoring, discrete logarithm, knapsack, etc.)

Page 15

Public Key Cryptosystems

Public key systems satisfy the following
- D_SK(E_PK(M)) = M for every message M
- the encryption and decryption functions E and D are computationally efficient
- knowledge of E, D, and PK (public key) does not compromise SK (secret key)
- D_PK(E_SK(M)) = M for every message M, if message signing/verification is desired

Page 16

Trapdoor One-Way Functions

One-way functions F
- F is invertible and easy to compute
- inverting F is computationally intractable, i.e. given y, finding x such that y = F(x) is believed to be computationally infeasible

Trapdoor one-way functions F
- y = F(x) can be solved efficiently provided some secret information for F is available

Diffie and Hellman suggested that one way to implement public key systems is to use trapdoor one-way functions.

Page 17

Number Theory Background

GCD Recursion Theorem & the Extended Euclid's algorithm

For all integers a ≥ 0, b ≥ 0, gcd(a, b) = gcd(b, a mod b). Moreover, there exist integers x and y such that d = gcd(a, b) = ax + by.

The Extended Euclid's algorithm below can compute (d, x, y) given (a, b):

  Extended-Euclid(a, b)
    if b = 0 return (a, 1, 0)
    (d', x', y') = Extended-Euclid(b, a mod b)
    (d, x, y) = (d', y', x' - floor(a/b) * y')
    return (d, x, y)

Page 18

Number Theory Background

Euler's phi function, Euler's and Fermat's Theorems

Euler's phi function phi(n) is the size of the multiplicative group Z_n^* modulo n. If p is prime then phi(p) = p - 1. In general phi(n) = n * product over the primes p | n of (1 - 1/p).

Euler's Theorem. For all n > 1 and all a in Z_n^*, a^phi(n) ≡ 1 (mod n).

Fermat's Theorem. If p is prime, then a^(p-1) ≡ 1 (mod p) for all a in Z_p^*.

Page 19

Number Theory Background

The Chinese Remainder Theorem

Origins
- Sun-Tsu, circa 100 A.D., considered the problem of finding those integers x that leave remainders 2, 3, and 2 when divided by 3, 5, and 7 respectively (which are of the form x = 23 + 105k).

Its essence
- It provides a (descriptive structure) bijection between Z_n and Z_{n1} × Z_{n2} × ... × Z_{nk}, where n = n1 n2 ... nk and all the n_i are pairwise relatively prime.
- The bijection is a ↔ (a1, a2, ..., ak), where a_i = a mod n_i.
- Operations (+, ·) can be performed either on the elements of Z_n or on the tuples of Z_{n1} × Z_{n2} × ... × Z_{nk}, by performing the operations independently on each tuple component.

Page 20

Number Theory Background

A corollary of the Chinese Remainder Theorem states that

If n1, n2, ..., nk are pairwise relatively prime and n = n1 n2 ... nk, then for all integers x and a, x ≡ a (mod n) if and only if x ≡ a (mod n_i) for i = 1, 2, ..., k.
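The number-theory tools of pages 17-20 in running code, as an added example that is not part of the slides: the recursive extended Euclid algorithm exactly as written on page 17, the modular inverse it yields, a brute-force Euler phi with the Euler/Fermat check of page 18, and the CRT bijection of page 19 in both directions, applied to Sun-Tsu's problem and to the page 20 corollary (a product computed component-wise equals the product modulo n). The sample inputs are constructed.

```python
# Added example, not from the slides: the number-theory tools of pages 17-20, namely
# the recursive extended Euclid algorithm, Euler's phi with the Euler/Fermat check,
# and the Chinese Remainder Theorem bijection, applied to Sun-Tsu's problem.
from functools import reduce


def extended_euclid(a, b):
    """Return (d, x, y) with d = gcd(a, b) = a*x + b*y (page 17's recursion)."""
    if b == 0:
        return (a, 1, 0)
    d1, x1, y1 = extended_euclid(b, a % b)
    return (d1, y1, x1 - (a // b) * y1)


def mod_inverse(a, n):
    """Multiplicative inverse of a modulo n, which exists iff gcd(a, n) = 1."""
    d, x, _ = extended_euclid(a, n)
    if d != 1:
        raise ValueError(f"{a} has no inverse modulo {n}")
    return x % n


def euler_phi(n):
    """|Z_n^*|: the number of a in 1..n-1 with gcd(a, n) = 1 (brute force, small n)."""
    return sum(1 for a in range(1, n) if extended_euclid(a, n)[0] == 1)


def euler_theorem_holds(a, n):
    """a^phi(n) = 1 (mod n) for gcd(a, n) = 1; Fermat's theorem is the case n prime."""
    return pow(a, euler_phi(n), n) == 1


def to_residues(a, moduli):
    """The CRT bijection a -> (a mod n_1, ..., a mod n_k)."""
    return tuple(a % n for n in moduli)


def from_residues(residues, moduli):
    """Inverse of the bijection: the unique x modulo n = n_1*...*n_k with
    x = a_i (mod n_i) for every i; the moduli must be pairwise relatively prime."""
    n = reduce(lambda p, q: p * q, moduli, 1)
    x = 0
    for a_i, n_i in zip(residues, moduli):
        m_i = n // n_i                      # product of the other moduli
        x += a_i * m_i * mod_inverse(m_i, n_i)
    return x % n


def componentwise_product(a, b, moduli):
    """Multiply in Z_n by multiplying each residue independently, then map back;
    by the page 20 corollary the result equals a*b mod n."""
    ra, rb = to_residues(a, moduli), to_residues(b, moduli)
    return from_residues([x * y % m for x, y, m in zip(ra, rb, moduli)], moduli)


if __name__ == "__main__":
    print(extended_euclid(240, 46))          # (2, -9, 47): 240*(-9) + 46*47 = 2
    print(mod_inverse(23, 40))               # 7, the RSA example's e for d = 23
    print(euler_phi(55), euler_theorem_holds(8, 55))   # 40 True
    print(from_residues((2, 3, 2), (3, 5, 7)))         # 23: Sun-Tsu's problem
    print(componentwise_product(23, 40, (3, 5, 7)) == 23 * 40 % 105)   # True
```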

Page 21

RSA

Rivest, Shamir, and Adleman introduced the RSA public-key cryptosystem based on Diffie and Hellman.

RSA works as follows
- Choose two large positive prime integers p and q
- Compute n = pq and N = phi(n) = (p - 1)(q - 1)
- Choose a large positive integer d relatively prime to N
- Compute e, the multiplicative inverse of d modulo N, i.e. solve the equation ed ≡ 1 (mod N)
- Use PK = (e, n) as the public key and SK = (d, n) as the secret key. It is critical that p, q, and N are also kept secret.

Page 22

RSA

RSA's encryption function is E_PK(M) = M^e mod n, where PK = (e, n).

RSA's decryption function is D_SK(M) = M^d mod n, where SK = (d, n).

These two encryption/decryption functions satisfy
- D_SK(E_PK(M)) = M
- D_PK(E_SK(M)) = M
- they can be computed efficiently given PK or SK
- knowledge of PK does not compromise SK

Page 23

RSA

Correctness of RSA is based on Fermat's theorem and on the Chinese Remainder Theorem.

Example values for RSA
- choose p = 5 and q = 11
- set n = 55 and N = 40
- choose d = 23
- compute e = 7 using the extended Euclid algorithm
- encrypt M = 8 to 2 using "repeated squaring"

Page 24

RSA

A more realistic example set of values for RSA (courtesy of Prof. Stephens)

n = 2419753086 4197530864 2125371358 0246913580 2471460971 7

p = 1555555555 5555555555 560261

q = 1555555555 5555555555 560497

e = 512896171

d = 1955459782 2571725357 3495557871 3933814929 3601459917 1

sqrt(n) approximately = 1555555555 5555555555 560378

The number of positive integers < n that are relatively prime to n is equal to phi(n)

phi(n) = 2419753086 4197530864 2125340246 9135802469 1360348896 0

Page 25

Authentication

Objective: verify the identity of communicating entities

Authentication services
- interactive communication (synchronous)
- one-way communication (asynchronous)
- signed communication (verifiable conversation by third party)

Potential threats
- altering messages
- replaying old messages
- denial of service
- interference with ongoing communication
- impersonation

Page 26

Interactive Communication Protocols

Require an authoritative Authentication Server (AS) for securely distributing conversation keys.

Each user registers its secret key with the AS, which is shared only between the AS and the user, and their public key if any.

Requirements – use case: Alice wants to communicate with Bob so that
- the message is intelligible to Bob, but not to Eve
- it should be evident that the message was sent by Alice, and that it is not a replay of an older message from Alice

Page 27

Interactive Communication with Private Key Systems

Alice wants to converse with Bob (Denning-Sacco's modification to handle compromised conversation keys).

Step  Sender  Receiver  Message
Alice obtains conversation key
1     A       AS        A, B, I_A
2     AS      A         E_KA(I_A, B, CK, T, E_KB(CK, T, A))
Communicate conversation key to Bob
3     A       B         E_KB(CK, T, A)
Bob verifies Alice's intention to communicate
4     B       A         E_CK(I_B)
5     A       B         E_CK(I_B - 1)

A message is not a replay attack if |LocalClock - T| < LocalClock's discrepancy from the AS's clock plus the estimated maximum network delay.

Page 28

Interactive Communication with Public Key Systems

Alice wants to communicate with Bob

Step  Sender  Receiver  Message
Alice obtains Bob's public key
1     A       AS        A, B
2     AS      A         E_SKAS(PKB, B)
Alice handshakes with Bob
3     A       B         E_PKB(I_A, A)
4     B       A         E_PKA(I_A, I_B)
5     A       B         E_PKB(I_B)

Page 29

One-Way Communication with Private Key Systems

Alice wants to email message M to Bob
- Bob should be able to authenticate the integrity of Alice's message even if Alice is not currently available
- Eve should not be able to impersonate Alice

Step  Sender  Receiver  Message
Alice obtains secret key
1     A       AS        A, B, I_A
2     AS      A         E_KA(I_A, B, CK, E_KB(CK, A))
Alice sends the secret key and her encrypted message to Bob
3     A       B         E_KB(CK, A); E_CK(M)

Protocol is susceptible to playback attacks

Page 30

One-Way Communication with Public Key Systems

Alice wants to email message M to Bob

Step  Sender  Receiver  Message
Alice obtains Bob's public key from the Authentication Server
1     A       AS        A, B
2     AS      A         E_SKAS(PKB, B)
Alice sends her email to Bob
3     A       B         E_PKB(B, I, E_SKA(M))

Page 31

Digital Signatures

Must satisfy the following
- a user cannot forge signatures
- the sender of a signed message cannot deny the validity of his signature
- the recipient cannot modify the signature of a signed message

Page 32

Digital Signatures using Private Key Systems

Alice wants to sign a message to be sent to Bob

Step  Sender  Receiver  Message
1     Alice computes characteristic CS of her message M
Alice gets signature block from Authentication Server
2     A       AS        A, E_KA(CS)
3     AS      A         E_KAS(A, CS)
4     Alice sends message M with signature block to Bob
Bob verifies Alice's signature
5     B       AS        B, E_KAS(A, CS)
6     AS      B         E_KB(A, CS)
7     Bob computes characteristic CS' of M
8     Bob accepts M if CS = CS'

Page 33

Digital Signatures using Public Key Systems

Alice wants to sign a message to be sent to Bob

Step  Sender  Receiver  Message
1     Alice signs her message M; her signature is S = E_SKA(M)
Alice sends Bob M with S encrypted
2     A       B         E_PKB(S)
3     Bob decrypts the message with his SKB and obtains S
4     Bob obtains Alice's message via E_PKA(S)

Page 34

Kerberos

An authentication system for an open network computing environment where users' machines are under their complete control and cannot be trusted to identify users to network services.

Consists of
- Client (C)
- Kerberos Server (K)
- Ticket Granting Server (TGS)
- Server (S)
- User (U)

Page 35

Kerberos Phase I: Getting the Initial Ticket

User provides the Client machine his/her identity U

Client sends to Kerberos server K the msg (U, tgs)

Kerberos server K
- Generates session key K_{U,tgs}
- Creates the ticket T_{U,tgs} = E_{K_tgs}(U, tgs, K_{U,tgs}, timestamp, lifetime)
- Sends to client C the message M = E_{K_U}(T_{U,tgs}, K_{U,tgs}, tgs, timestamp, lifetime)

Client upon receipt of msg
- Gets user password and computes user's private key K_U = P(password)
- Decrypts Kerberos' msg to extract and store for future use K_{U,tgs} and T_{U,tgs}

Page 36

Kerberos, Phase II: Getting a Server Ticket

User/Client wants to use a network service S
- Computes an authenticator A = E_{K_{U,tgs}}(C, timestamp)
- Sends to the Ticket Granting Server the msg (S, T_{U,tgs}, A)

Ticket Granting Server TGS
- Decrypts T_{U,tgs} and extracts the session key K_{U,tgs}; checks timeliness of the authenticator
- Generates service session key K_{C,S}; creates service ticket T_{C,S} = E_{K_S}(C, S, K_{C,S}, timestamp, lifetime)
- Sends to client C the msg M = E_{K_{U,tgs}}(T_{C,S}, K_{C,S}, S, timestamp, lifetime)

Client upon receiving msg from TGS
- Decrypts the msg from TGS to obtain the service session key K_{C,S} and the service ticket T_{C,S}, and stores these for future use

Page 37

Kerberos, Phase III: Requesting a Service

Client requests service from server S
- Computes an authenticator A = E_{K_{C,S}}(C, timestamp)
- Sends to the Service Server the msg (T_{C,S}, A)

Service server S upon receipt of the msg
- Decrypts T_{C,S} = E_{K_S}(C, S, K_{C,S}, timestamp, lifetime) with its private key K_S and extracts the session key K_{C,S}
- Checks timeliness and validity of the authenticator, and then provides service
- Server may send the msg E_{K_{C,S}}(timestamp + 1) to prove its identity to the client
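The three Kerberos phases of pages 35-37 as a runnable simulation, an added example that is not part of the slides and not Kerberos's own code; it also implements the freshness rule of page 27 (a message is not a replay if |LocalClock - T| is below the clock discrepancy plus the maximum network delay), which is what the "checks timeliness of the authenticator" steps apply. Encryption E_K(...) is modelled by a `Sealed` object that only the holder of the matching key name can open; it is a stand-in for a real cipher so that the ticket, authenticator and timestamp logic stays visible. The principal names, key names, `P(password)` transform, skew and delay bounds are all constructed assumptions.

```python
# Added example, not from the slides: a simulation of the three Kerberos phases of
# pages 35-37 together with the freshness rule of page 27. Encryption E_K(...) is
# modelled by a Sealed object that only the holder of the matching key name can open;
# it stands in for a real cipher. All names, keys and bounds are constructed.
from dataclasses import dataclass

CLOCK_SKEW = 2   # assumed clock discrepancy between principals (time units)
MAX_DELAY = 3    # assumed maximum network delay


@dataclass(frozen=True)
class Sealed:
    """Stand-in for E_K(fields): opening with the wrong key fails."""
    key: str
    fields: tuple

    def open(self, key):
        if key != self.key:
            raise PermissionError("wrong key")
        return self.fields


def E(key, *fields):
    return Sealed(key, fields)


def P(password):
    """Stand-in for the one-way transform of the user's password into K_U."""
    return "K(" + password + ")"


def fresh(timestamp, local_clock):
    """Page 27 rule: not a replay if |LocalClock - T| < skew + max network delay."""
    return abs(local_clock - timestamp) < CLOCK_SKEW + MAX_DELAY


def expired(issued, lifetime, now):
    return now > issued + lifetime


class KerberosServer:
    """Phase I: K issues T_{U,tgs} and the session key K_{U,tgs} under K_U."""
    def __init__(self, user_keys, k_tgs):
        self.user_keys, self.k_tgs = user_keys, k_tgs

    def initial_ticket(self, user, now, lifetime=60):
        k_u_tgs = f"K_{user},tgs"
        t_u_tgs = E(self.k_tgs, user, "tgs", k_u_tgs, now, lifetime)
        return E(self.user_keys[user], t_u_tgs, k_u_tgs, "tgs", now, lifetime)


class TicketGrantingServer:
    """Phase II: TGS checks T_{U,tgs} and the authenticator, then issues T_{C,S}."""
    def __init__(self, k_tgs, service_keys):
        self.k_tgs, self.service_keys = k_tgs, service_keys

    def service_ticket(self, service, t_u_tgs, auth, now, lifetime=60):
        user, _, k_u_tgs, issued, life = t_u_tgs.open(self.k_tgs)
        client, ts = auth.open(k_u_tgs)
        if client != user or expired(issued, life, now) or not fresh(ts, now):
            raise PermissionError("ticket-granting request rejected")
        k_c_s = f"K_{client},{service}"
        t_c_s = E(self.service_keys[service], client, service, k_c_s, now, lifetime)
        return E(k_u_tgs, t_c_s, k_c_s, service, now, lifetime)


class Service:
    """Phase III: S checks T_{C,S} and the authenticator; seen authenticators are remembered."""
    def __init__(self, name, k_s):
        self.name, self.k_s, self.seen = name, k_s, set()

    def request(self, t_c_s, auth, now):
        client, service, k_c_s, issued, life = t_c_s.open(self.k_s)
        c2, ts = auth.open(k_c_s)
        if service != self.name or c2 != client or expired(issued, life, now) or not fresh(ts, now):
            raise PermissionError("service request rejected")
        if (client, ts) in self.seen:
            raise PermissionError("replayed authenticator")
        self.seen.add((client, ts))
        return E(k_c_s, ts + 1)   # proves S knows K_{C,S}


def client_session(user, password, service, kdc, tgs, server, now):
    """Client side of all three phases; returns (server proved itself, (T_{C,S}, A))."""
    k_u = P(password)
    t_u_tgs, k_u_tgs, *_ = kdc.initial_ticket(user, now).open(k_u)
    reply = tgs.service_ticket(service, t_u_tgs, E(k_u_tgs, user, now), now)
    t_c_s, k_c_s, *_ = reply.open(k_u_tgs)
    auth = E(k_c_s, user, now)
    (ts_plus_1,) = server.request(t_c_s, auth, now).open(k_c_s)
    return ts_plus_1 == now + 1, (t_c_s, auth)


def build_realm():
    """Constructed realm: one user, one service, one TGS key."""
    kdc = KerberosServer({"alice": P("correct horse")}, k_tgs="K_tgs")
    tgs = TicketGrantingServer("K_tgs", {"printer": "K_printer"})
    return kdc, tgs, Service("printer", "K_printer")


def replay_rejected():
    """A captured (ticket, authenticator) pair presented again a moment later is refused."""
    kdc, tgs, server = build_realm()
    ok, (t_c_s, auth) = client_session("alice", "correct horse", "printer", kdc, tgs, server, now=100)
    try:
        server.request(t_c_s, auth, now=101)
        return False
    except PermissionError:
        return ok


def stale_rejected():
    """Outside the freshness window the pair is refused even by a server with no memory."""
    kdc, tgs, server = build_realm()
    ok, (t_c_s, auth) = client_session("alice", "correct horse", "printer", kdc, tgs, server, now=100)
    try:
        Service("printer", "K_printer").request(t_c_s, auth, now=110)
        return False
    except PermissionError:
        return ok
```

The two rejection paths are deliberately separate: the freshness window bounds how long a captured authenticator stays usable, and the `seen` set closes the gap inside that window, which is why a real service needs both a clock check and a short-term replay cache.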