Dr. Kalpakis
CMSC 621, Advanced Operating Systems.
Security & Cryptography
CMSC 621 2
Protection vs Security
The protection mechanisms (ACLs, etc) discussed earlier assist
us in preventing unauthorized access and use of computer
resources
what happens if an intruder bypasses the protection
mechanisms?
Cryptography can be used so that an intruder is unable to
understand or use information obtained without authorization
Cryptography Terminology
Plaintext (or cleartext)
is the intelligible message
Ciphertext
is the unintelligible message
Encryption and decryption
Are the processes to convert between plaintext and ciphertext
Key
Is the parameter used in an encryption/decryption algorithm
Cryptography Terminology
Cryptosystem
a system for encryption/decryption of information
Symmetric cryptosystem
uses the same key for both encryption and decryption
Asymmetric cryptosystem
uses different keys for encryption and decryption
Cryptology
the designing and breaking of cryptosystems
Cryptography
the practice of using cryptosystems for confidentiality of information
Cryptanalysis
the breaking of cryptosystems
Basic Structure of a Cryptosystem
[Figure: Alice encrypts plaintext M under encryption key Ke to produce ciphertext C; Bob decrypts C under decryption key Kd to recover plaintext M; Eve observes C, together with any side information she has, and tries to break the system and recover M]
Basic Attacks on Cryptosystems
Cryptosystem attacks are classified based on the amount of side
information available to an intruder
Attack classification
ciphertext-only
intruder only has access to the ciphertext
known-plaintext
intruder has access to the ciphertext and to a considerable amount of the corresponding plaintext
chosen-plaintext
intruder can choose plaintexts and obtain their corresponding ciphertexts
Design Principles for Cryptosystems
Shannon’s principles
Diffusion principle
spread the dependencies among key bits and plaintext symbols over as much of the
ciphertext as possible, so that the amount of plaintext needed to break the system is maximized
Confusion principle
transform the information so that the ciphertext has no obvious (e.g. simple statistical) relationship
with the plaintext or the key
Computational Intractability principle
“every” algorithm for determining the key needed to break the cryptosystem is
“believed” to require exhaustive search of a very large search space
A Taxonomy of Cryptosystems
Conventional systems
Modern systems
private key systems
public key systems
Conventional Cryptosystems
Conventional cryptosystems are based on substitution ciphers
Caesar’s cipher
E(M) = (M + k) modulo 26
where M is a letter (0..25) and k=3 is the key
Simple substitution cipher
E(M) = Key[M]
where Key is an arbitrary permutation of a single alphabet
Vigenere cipher
choose N simple substitution ciphers (in practice N Caesar shifts given by a keyword) and
encrypt the jth letter using the (j mod N)th substitution cipher
One-time pad
encrypt by XORing the message with a random key whose size equals the size of the message;
the key is used only once
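The four conventional ciphers above, as an added, runnable example (this is illustration code written for this page, not code from the slides). It also carries the known-plaintext attack from the attack classification through on Vigenere: since letter j is shifted by key[j mod N], a single plaintext/ciphertext pair of N letters gives the whole key back. The alphabet handling (uppercase A..Z only) and the sample strings are my own assumptions.

```python
import os
import string

ALPHABET = string.ascii_uppercase  # assumption: messages use uppercase A..Z only


def caesar(msg: str, k: int = 3, decrypt: bool = False) -> str:
    """E(M) = (M + k) mod 26 per letter; decryption subtracts k."""
    shift = -k if decrypt else k
    return "".join(ALPHABET[(ALPHABET.index(c) + shift) % 26] for c in msg)


def substitution(msg: str, key: str, decrypt: bool = False) -> str:
    """E(M) = Key[M], where key is a 26-letter permutation of the alphabet."""
    src, dst = (key, ALPHABET) if decrypt else (ALPHABET, key)
    return msg.translate(str.maketrans(src, dst))


def vigenere(msg: str, key: str, decrypt: bool = False) -> str:
    """N = len(key) Caesar shifts; letter j is shifted by key[j mod N]."""
    out = []
    for j, c in enumerate(msg):
        k = ALPHABET.index(key[j % len(key)])
        out.append(caesar(c, k, decrypt))
    return "".join(out)


def one_time_pad(msg: bytes, pad: bytes) -> bytes:
    """XOR with a pad exactly as long as the message; the same call decrypts.
    Reusing a pad for two messages leaks their XOR, so never call it twice with one pad."""
    if len(pad) != len(msg):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(m ^ p for m, p in zip(msg, pad))


def vigenere_known_plaintext(plain: str, cipher: str, key_len: int) -> str:
    """Known-plaintext attack: key[j] = (C_j - M_j) mod 26 for the first N letters
    recovers the keyword, after which every other message under it is readable."""
    return "".join(
        ALPHABET[(ALPHABET.index(cipher[j]) - ALPHABET.index(plain[j])) % 26]
        for j in range(key_len)
    )


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the slides.
    print(caesar("HELLO"))                                   # KHOOR
    ct = vigenere("ATTACKATDAWN", "LEMON")
    print(ct, vigenere_known_plaintext("ATTACKATDAWN", ct, 5))  # LXFOPVEFRNHR LEMON
    pad = os.urandom(5)
    print(one_time_pad(one_time_pad(b"HELLO", pad), pad))   # b'HELLO'
```

Note what the attack does not need: no frequency analysis, no guessing; one known pair of N letters is the whole key, which is exactly why keyword ciphers fail the diffusion and confusion principles of the previous slide.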
DES
The Data Encryption Standard (DES) is a modern private-key
cryptosystem
It is a block cipher that uses two basic operations
permutation,
and substitution
It breaks a message into 64-bit blocks and encrypts/decrypts each
block individually
It uses a 56-bit secret key, carried in a 64-bit quantity whose remaining 8 bits are
parity bits
DES
Has three stages
plaintext block undergoes an initial permutation IP
permuted block undergoes 16 times a complex transformation (a round)
the block entering the ith round is split into two 32-bit halves L_(i-1) & R_(i-1)
transformed block undergoes the inverse IP’ of the permutation IP of the
1st stage
DES transformation in the ith round, i=1,2,…,16
K_i = Phi(Key, i)   48-bit round key of the ith round, derived from the 56-bit key
L_i = R_(i-1)
R_i = L_(i-1) xor F(R_(i-1), K_i)
DES
Function F(R_(i-1), K_i) does the following
expands the 32-bit R_(i-1) into a 48-bit quantity E(R_(i-1)) by permuting and duplicating
some bits of R_(i-1)
XORs E(R_(i-1)) with K_i and partitions the result into eight 6-bit blocks Q1,
Q2,…,Q8
passes each 6-bit block Q_j through a separate 6-to-4 bit substitution box (S-box)
concatenates the eight transformed 4-bit blocks into 32 bits and then permutes them
DES
Decryption executes the three stages in reverse order, each time applying the inverse operation
permute the ciphertext block using IP (this undoes the final permutation IP’)
undo the 16 rounds, for i=16,15,…,1, using the same round keys K1,
K2, …, K16, now in reverse order
R_(i-1) = L_i
L_(i-1) = R_i xor F(L_i, K_i)
permute the transformed block with IP’ (this undoes the initial permutation IP)
Since L_i = R_(i-1), F(L_i, K_i) is the same value that was XORed in during encryption, so a round is undone without ever inverting F (F need not be invertible)
For added security
block chaining can be used: each plaintext block is XORed with the ciphertext of the previous plaintext block before it is encrypted
triple encryption (DES does not form a group, so composing DES with itself is stronger than a single DES)
Rijndael: the new private key standard (AES)
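A runnable model of the DES data flow, added here as an example (it is not DES and not code from the slides): IP, 16 Feistel rounds of L_i = R_(i-1), R_i = L_(i-1) xor F(R_(i-1), K_i), a final swap and IP’. The round function F, the key schedule Phi and the permutation IP are stand-ins I chose (hash-based, a bit rotation) so the block runs without DES tables; they keep the one property the slide relies on, that F is not invertible and yet decryption is the same loop with the round keys in reverse. Block chaining and triple encryption from the slide are built on top of it, with ECB shown beside CBC so the leak that chaining fixes is visible.

```python
import hashlib

MASK32, MASK64 = 0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF
ROUNDS = 16


def round_key(key: bytes, i: int) -> int:
    """Toy key schedule Phi(Key, i): 48 bits derived from the key and the round number."""
    return int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:6], "big")


def f(r: int, k: int) -> int:
    """Toy round function F(R, K): 32-bit half in, 48-bit round key in, 32 bits out.
    Deliberately a one-way hash: Feistel never needs to invert F."""
    h = hashlib.sha256(r.to_bytes(4, "big") + k.to_bytes(6, "big")).digest()
    return int.from_bytes(h[:4], "big")


def ip(block: int) -> int:
    """Stand-in for the initial permutation IP: rotate the 64-bit block left by 7."""
    return ((block << 7) | (block >> 57)) & MASK64


def ip_inverse(block: int) -> int:
    """IP' = the inverse permutation: rotate right by 7."""
    return ((block >> 7) | (block << 57)) & MASK64


def feistel(block: bytes, key: bytes, decrypt: bool = False) -> bytes:
    """Encrypt or decrypt one 64-bit block. Decryption is the same loop with K16..K1."""
    assert len(block) == 8
    x = ip(int.from_bytes(block, "big"))
    l, r = x >> 32, x & MASK32                       # L_0, R_0
    order = range(ROUNDS, 0, -1) if decrypt else range(1, ROUNDS + 1)
    for i in order:
        l, r = r, l ^ f(r, round_key(key, i))        # L_i = R_(i-1); R_i = L_(i-1) xor F(R_(i-1), K_i)
    x = (r << 32) | l                                # final swap undoes the 16th swap
    return ip_inverse(x).to_bytes(8, "big")


def triple_encrypt(block: bytes, k1: bytes, k2: bytes, k3: bytes) -> bytes:
    """E_k3(D_k2(E_k1(block))): the usual EDE form of triple encryption."""
    return feistel(feistel(feistel(block, k1), k2, decrypt=True), k3)


def triple_decrypt(block: bytes, k1: bytes, k2: bytes, k3: bytes) -> bytes:
    return feistel(feistel(feistel(block, k3, decrypt=True), k2), k1, decrypt=True)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """No chaining: equal plaintext blocks give equal ciphertext blocks."""
    assert len(plaintext) % 8 == 0
    return b"".join(feistel(plaintext[i:i + 8], key) for i in range(0, len(plaintext), 8))


def cbc_encrypt(plaintext: bytes, key: bytes, iv: bytes) -> bytes:
    """Block chaining: each plaintext block is XORed with the previous ciphertext block
    (the IV for the first block) before encryption."""
    assert len(plaintext) % 8 == 0 and len(iv) == 8
    out, prev = [], iv
    for i in range(0, len(plaintext), 8):
        prev = feistel(_xor(plaintext[i:i + 8], prev), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ciphertext: bytes, key: bytes, iv: bytes) -> bytes:
    assert len(ciphertext) % 8 == 0 and len(iv) == 8
    out, prev = [], iv
    for i in range(0, len(ciphertext), 8):
        c = ciphertext[i:i + 8]
        out.append(_xor(feistel(c, key, decrypt=True), prev))
        prev = c
    return b"".join(out)
```

Run it with two identical plaintext blocks: ecb_encrypt returns two identical ciphertext blocks, cbc_encrypt does not, and cbc_decrypt recovers the input. The IV must be unpredictable per message in real use; here it is simply a parameter.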
Public-Key Cryptosystems
Private key cryptosystems require a secure mechanism for
distributing the private (shared secret) keys to the communicating parties
Diffie and Hellman proposed public key cryptosystems
public key systems make the encryption key publicly available and keep
the decryption key secret
public key systems are based on the computational intractability
principle (using problems such as factoring a product of large primes, the discrete logarithm,
the knapsack problem, etc)
Public Key Cryptosystems
public key systems satisfy the following
D_SK(E_PK(M)) = M for every message M
the encryption and decryption functions E and D are computationally
efficient
knowledge of E, D, and PK (public key) does not compromise SK
(secret key)
D_PK(E_SK(M)) = M for every message M, if message signing/verification
is desired
Trapdoor One-Way Functions
One-way functions F
F is easy to compute and invertible in principle (injective, so an inverse exists)
inverting F is computationally intractable, i.e. given y finding x such that
y=F(x) is believed to be computationally infeasible
Trapdoor one-way functions F
given y, an x with y=F(x) can be found efficiently provided some secret information
(the trapdoor) for F is available
Diffie and Hellman suggested that one way to implement public
key systems is to use trapdoor one-way functions
Number Theory Background
GCD Recursion Theorem & the Extended Euclid’s algorithm
For all integers a >= 0 and b > 0, gcd(a, b) = gcd(b, a mod b).
Moreover, there exist integers x and y such that d = gcd(a, b) = ax + by.
The Extended Euclid's algorithm below computes (d, x, y) given (a, b):
Extended-Euclid(a, b)
  if b = 0 return (a, 1, 0)
  (d', x', y') = Extended-Euclid(b, a mod b)
  return (d', y', x' - floor(a/b) * y')
Number Theory Background
Euler’s phi function, Euler’s and Fermat’s Theorems
Euler's phi function phi(n) is the size of the multiplicative group Z_n^* of the
integers modulo n that are relatively prime to n
phi(n) = n * product over the primes p | n of (1 - 1/p)
If p is prime then phi(p) = p - 1
Euler's Theorem. For all a in Z_n^*, a^phi(n) = 1 mod n.
Fermat's Theorem. If p is prime, then a^(p-1) = 1 mod p for all a in Z_p^*.
Number Theory Background
The Chinese Remainder Theorem
Origins
Sun-Tsu, circa 100 A.D., considered the problem of finding those integers x
that leave remainders 2, 3, and 2 when divided by 3, 5, and 7 respectively
(which are of the form x = 23 + 105k).
Its essence
It provides a bijection (a descriptive structure) between Z_n and
Z_n1 x Z_n2 x … x Z_nk, where n = n1 n2 … nk and all the n_i are pairwise
relatively prime. The bijection is a <-> (a1, a2, …, ak), where a_i = a mod n_i.
The same bijection maps Z_n^* onto Z_n1^* x Z_n2^* x … x Z_nk^*.
Operations (+, *) can be performed either on the elements a of Z_n or on the
tuples (a1, a2, …, ak), by performing the operations independently on each tuple component.
Number Theory Background
A corollary of the Chinese Remainder Theorem states that
If n1, n2, …, nk are pairwise relatively prime and n = n1 n2 … nk, then for all
integers x and a, x = a mod n_i for i = 1, 2, …, k if and only if x = a mod n.
RSA
Rivest, Shamir, and Adleman introduced the RSA public-key
cryptosystem, following Diffie and Hellman's trapdoor one-way function approach
RSA works as follows
Choose two large positive prime integers p and q
Compute n = pq and N = phi(n) = (p-1)(q-1)
Choose a large positive integer d that is relatively prime to N
Compute e, the multiplicative inverse of d modulo N, i.e. solve the equation ed = 1 mod N
Use PK = (e, n) as the public key and SK = (d, n) as the secret key
It is critical that p, q, and N are also kept secret
RSA
RSA’s encryption function is
E_PK(M) = M^e mod n
where PK = (e, n)
RSA’s decryption function is
D_SK(C) = C^d mod n
where SK = (d, n)
these two encryption/decryption functions satisfy
D_SK(E_PK(M)) = M
D_PK(E_SK(M)) = M
both can be computed efficiently given PK or SK respectively (modular exponentiation by repeated squaring)
knowledge of PK does not compromise SK, as long as factoring n (and hence recovering N and d) remains infeasible
RSA
Correctness of RSA is based on
Fermat’s theorem and on the Chinese Remainder Theorem
Example values for RSA
choose p=5 and q=11
set n=55 and N=40
choose d=23 (relatively prime to 40)
compute e=7 using the extended Euclid algorithm (7*23 = 161 = 4*40 + 1)
encrypt M=8 to C = 8^7 mod 55 = 2 using “repeated squaring”; decryption gives 2^23 mod 55 = 8
RSA
A more realistic example set of values for RSA
(courtesy of Prof. Stephens)
n = 2419753086 4197530864 2125371358 0246913580 2471460971 7
p = 1555555555 5555555555 560261
q = 1555555555 5555555555 560497
e = 512896171
d = 1955459782 2571725357 3495557871 3933814929 3601459917 1
sqrt(n) approximately = 1555555555 5555555555 560378
the number of positive integers < n that are relatively prime to n is equal to phi(n)
phi(n) = 2419753086 4197530864 2125340246 9135802469 1360348896 0
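The number-theory tools of the previous slides (extended Euclid, modular inverse, repeated squaring, the Chinese Remainder Theorem) assembled into RSA exactly as the RSA slides prescribe, as an added example that is not code from the slides. It reproduces the p=5, q=11, d=23 example, shows the signing relation D_PK(E_SK(M)) = M, decrypts a second way through the CRT (the reason the slide cites Fermat and CRT for correctness), and checks the large key set quoted above for the relations n = pq, N = (p-1)(q-1) and ed = 1 mod N; the sample message 123456789 used for the large-key roundtrip is my choice.

```python
def extended_euclid(a: int, b: int) -> tuple:
    """Return (d, x, y) with d = gcd(a, b) = a*x + b*y (GCD recursion theorem)."""
    if b == 0:
        return (a, 1, 0)
    d, x1, y1 = extended_euclid(b, a % b)
    return (d, y1, x1 - (a // b) * y1)


def mod_inverse(a: int, m: int) -> int:
    """Solve a*x = 1 (mod m); requires gcd(a, m) = 1."""
    d, x, _ = extended_euclid(a, m)
    if d != 1:
        raise ValueError("no inverse: gcd(%d, %d) = %d" % (a, m, d))
    return x % m


def mod_pow(base: int, exp: int, mod: int) -> int:
    """Repeated squaring: O(log exp) multiplications, intermediates stay below mod^2."""
    result, base = 1, base % mod
    while exp > 0:
        if exp & 1:
            result = (result * base) % mod
        base = (base * base) % mod
        exp >>= 1
    return result


def crt_combine(residues: list, moduli: list) -> int:
    """CRT: the unique x mod prod(moduli) with x = residues[i] (mod moduli[i])."""
    n = 1
    for m in moduli:
        n *= m
    x = 0
    for a_i, n_i in zip(residues, moduli):
        m_i = n // n_i
        x += a_i * m_i * mod_inverse(m_i % n_i, n_i)
    return x % n


def rsa_keygen(p: int, q: int, d: int) -> tuple:
    """The slides' recipe: n = pq, N = (p-1)(q-1), d coprime to N, e = d^-1 mod N.
    Returns (PK, SK) = ((e, n), (d, n)); p, q and N must be kept secret."""
    n, phi = p * q, (p - 1) * (q - 1)
    return ((mod_inverse(d, phi), n), (d, n))


def rsa_apply(key: tuple, x: int) -> int:
    """E_PK(M) = M^e mod n and D_SK(C) = C^d mod n are one operation with different
    exponents; SK first then PK gives signing and verification, D_PK(E_SK(M)) = M."""
    exp, n = key
    return mod_pow(x, exp, n)


def rsa_decrypt_crt(sk: tuple, p: int, q: int, c: int) -> int:
    """Decrypt mod p and mod q separately (Fermat lets d be reduced mod p-1 and q-1),
    then recombine with the CRT. Same result as C^d mod n with far smaller numbers."""
    d, _ = sk
    m_p = mod_pow(c % p, d % (p - 1), p)
    m_q = mod_pow(c % q, d % (q - 1), q)
    return crt_combine([m_p, m_q], [p, q])


def check_slide_values() -> dict:
    """Consistency checks on the large key set quoted on the slide (digits copied
    in the slide's own grouping so that nothing is retyped)."""
    big = lambda s: int(s.replace(" ", ""))
    n = big("2419753086 4197530864 2125371358 0246913580 2471460971 7")
    p = big("1555555555 5555555555 560261")
    q = big("1555555555 5555555555 560497")
    e = 512896171
    d = big("1955459782 2571725357 3495557871 3933814929 3601459917 1")
    phi = big("2419753086 4197530864 2125340246 9135802469 1360348896 0")
    m = 123456789  # constructed sample message
    return {
        "n_is_pq": p * q == n,
        "phi_matches": phi == (p - 1) * (q - 1),
        "e_inverts_d": (e * d) % phi == 1,
        "roundtrip": rsa_apply((d, n), rsa_apply((e, n), m)) == m,
        "crt_agrees": rsa_decrypt_crt((d, n), p, q, rsa_apply((e, n), m)) == m,
    }
```

rsa_keygen(5, 11, 23) returns ((7, 55), (23, 55)), rsa_apply((7, 55), 8) is 2 and rsa_apply((23, 55), 2) is 8, matching the slide. The CRT path is how real implementations decrypt, and it is also why leaking p or q (or N) is fatal: with them, d follows from e by the same mod_inverse call.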
Authentication
Objective
verify the identity of communicating entities
Authentication services
interactive communication (synchronous)
one-way communication (asynchronous)
signed communication (verifiable conversation by third party)
Potential threats
altering messages
replaying old messages
denial of service
interference with ongoing communication
impersonation
Interactive Communication Protocols
Require an authoritative Authentication Server (AS) for
securely distributing conversation keys
Each user registers his/her secret key with the AS (the key is shared
only between the AS and the user), and his/her public key if any
Requirements – use case
Alice wants to communicate with Bob so that
the message is intelligible to Bob, but not to Eve
it is evident that the message was sent by Alice, and that it is not a
replay of an older message from Alice
Interactive Communication with Private Key Systems
Alice wants to converse with Bob (K_A, K_B are the secret keys shared with the AS; CK is the conversation key; I_A, I_B are nonces)
Denning-Sacco’s modification adds the timestamp T to handle compromised conversation keys
A message is not a replay if |LocalClock - T| < LocalClock’s discrepancy from the
AS’s clock plus the estimated maximum network delay
Step  Sender  Receiver  Message
Alice obtains the conversation key
1     A       AS        A, B, I_A
2     AS      A         E_KA(I_A, B, CK, T, E_KB(CK, T, A))
Alice communicates the conversation key to Bob
3     A       B         E_KB(CK, T, A)
Bob verifies Alice's intention to communicate
4     B       A         E_CK(I_B)
5     A       B         E_CK(I_B - 1)
Interactive Communication with Public Key Systems
Alice wants to communicate with Bob (PK_X / SK_X are X's public / secret keys; I_A, I_B are nonces)
Step  Sender  Receiver  Message
Alice obtains Bob's public key, signed by the AS
1     A       AS        A, B
2     AS      A         E_SKAS(PK_B, B)
Alice handshakes with Bob
3     A       B         E_PKB(I_A, A)
4     B       A         E_PKA(I_A, I_B)
5     A       B         E_PKB(I_B)
One-Way Communication with Private Key Systems
Alice wants to email message M to Bob
Bob should be able to authenticate the integrity of Alice’s message
even if Alice is not currently available
Eve should not be able to impersonate Alice
Step  Sender  Receiver  Message
Alice obtains the secret (conversation) key CK
1     A       AS        A, B, I_A
2     AS      A         E_KA(I_A, B, CK, E_KB(CK, A))
Alice sends the secret key and her encrypted message to Bob
3     A       B         E_KB(CK, A); E_CK(M)
The protocol is susceptible to playback (replay) attacks: nothing in message 3 ties it to a
particular time, so Eve can resend it later
One-Way Communication with Public Key Systems
Alice wants to email message M to Bob
Step  Sender  Receiver  Message
Alice obtains Bob's public key from the Authentication Server
1     A       AS        A, B
2     AS      A         E_SKAS(PK_B, B)
Alice sends her email to Bob, signed with her secret key and encrypted with Bob's public key
3     A       B         E_PKB(B, I, E_SKA(M))
Digital Signatures
Must satisfy the following
a user can not forge another user's signature
the sender of a signed message can not deny the validity of his signature
the recipient can not modify the signature of a signed message
Digital Signatures using Private Key Systems
Alice wants to sign a message to be sent to Bob
Step  Sender  Receiver  Message
1     Alice computes the characteristic (digest) CS of her message M
Alice gets a signature block from the Authentication Server
2     A       AS        A, E_KA(CS)
3     AS      A         E_KAS(A, CS)
4     Alice sends message M with the signature block E_KAS(A, CS) to Bob
Bob verifies Alice's signature
5     B       AS        B, E_KAS(A, CS)
6     AS      B         E_KB(A, CS)
7     Bob computes the characteristic CS' of M
8     Bob accepts M as signed by Alice if CS = CS'
Digital Signatures using Public Key Systems
Alice wants to sign a message to be sent to Bob
Step  Sender  Receiver  Message
1     Alice signs her message M; her signature is S = E_SKA(M)
Alice sends Bob S encrypted with Bob's public key
2     A       B         E_PKB(S)
3     Bob decrypts the message with his SK_B and obtains S
4     Bob recovers Alice's message via M = E_PKA(S) = D_PKA(E_SKA(M))
Kerberos
An authentication system for an open network computing
environment where users’ machines are under their complete
control and cannot be trusted to identify users to network
services
Consists of
Client (C)
Kerberos Server (K)
Ticket Granting Server (TGS)
Server (S)
User (U)
Kerberos Phase I: Getting the Initial Ticket
User provides the Client machine his/her identity U
Client sends to Kerberos server K the msg: U, tgs
Kerberos server K
generates session key K_(U,tgs)
creates the ticket T_(U,tgs) = E_(K_tgs)(U, tgs, K_(U,tgs), timestamp, lifetime)
sends to client C the message M = E_(K_U)(K_(U,tgs), tgs, timestamp, lifetime, T_(U,tgs))
Client upon receipt of msg
gets the user's password and computes the user's private key K_U from it
decrypts Kerberos' msg M to extract K_(U,tgs) and T_(U,tgs), and stores them for future use
Kerberos, Phase II: Getting a Server Ticket
User/Client wants to use a network service S
Client
computes an authenticator A_(U,tgs) = E_(K_(U,tgs))(C, timestamp)
sends to the Ticket Granting Server the msg: S, T_(U,tgs), A_(U,tgs)
Ticket Granting Server TGS
decrypts T_(U,tgs) and extracts the session key K_(U,tgs)
checks the timeliness of the authenticator A_(U,tgs)
generates service session key K_(C,S)
creates service ticket T_(C,S) = E_(K_S)(C, S, K_(C,S), timestamp, lifetime)
sends to client C the msg M = E_(K_(U,tgs))(K_(C,S), S, timestamp, lifetime, T_(C,S))
Client upon receiving msg from TGS
decrypts the msg from TGS to obtain the service session key K_(C,S) and the
service ticket T_(C,S), and stores these for future use
Kerberos, Phase III: Requesting a Service
Client requests service from server S
computes an authenticator A_(C,S) = E_(K_(C,S))(C, timestamp)
sends to the service server S the msg: T_(C,S), A_(C,S)
Service server S upon receipt of the msg
decrypts T_(C,S) = E_(K_S)(C, S, K_(C,S), timestamp, lifetime) with its private key K_S
and extracts the session key K_(C,S)
checks the timeliness and validity of the authenticator A_(C,S) and then provides the service
Server may send the msg E_(K_(C,S))(timestamp + 1) to prove its identity to the client
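The three Kerberos phases above as one runnable exchange, added here as an example (not code from the slides or from any Kerberos implementation). Both sides of every message are shown: K and the TGS issue session keys and tickets, the client builds authenticators, the service checks the ticket, the authenticator's timeliness (the same |LocalClock - T| rule as on the Denning-Sacco slide) and a replay cache, then answers with timestamp + 1. E_K(...) is a stand-in I wrote from hashlib/hmac (XOR keystream plus HMAC tag) so the block runs without DES or AES; the names alice and fs, the password, the 300 s lifetime and the 60 s freshness window are my assumptions.

```python
import hashlib
import hmac
import json
import os

LIFETIME = 300  # ticket lifetime in seconds (assumption)
MAX_SKEW = 60   # allowed |local clock - timestamp|: clock discrepancy + max network delay (assumption)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                    for i in range(length // 32 + 1))[:length]


def seal(key: bytes, fields: dict) -> bytes:
    """Toy E_K(fields): XOR with a keyed keystream under a fresh nonce, then an HMAC tag,
    so decryption under the wrong key or any tampering is detected. Not a real cipher."""
    pt = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def fresh(ts: float, now: float) -> bool:
    """Denning-Sacco rule: timely only if |LocalClock - T| < discrepancy + max delay."""
    return abs(now - ts) < MAX_SKEW


def verify(key_s: bytes, ticket: bytes, auth: bytes, now: float, seen: set) -> dict:
    """Used by the TGS (Phase II) and by S (Phase III): decrypt the ticket with K_S, take
    the session key out of it, and require the authenticator to be sealed under that key,
    to name the same client, to be timely, and never to have been presented before."""
    t = unseal(key_s, ticket)
    if not t["ts"] <= now < t["ts"] + t["life"]:
        raise ValueError("ticket expired")
    a = unseal(bytes.fromhex(t["key"]), auth)
    if a["C"] != t["C"] or not fresh(a["ts"], now):
        raise ValueError("authenticator not timely or wrong client")
    if auth in seen:
        raise ValueError("replayed authenticator")
    seen.add(auth)
    return t


def issue(k_service: bytes, k_reply: bytes, c: str, s: str, now: float) -> bytes:
    """K or TGS: generate a session key, seal the ticket under K_S, seal the reply
    (key, S, timestamp, lifetime, ticket) under the requester's key."""
    k = os.urandom(16).hex()
    ticket = seal(k_service, {"C": c, "S": s, "key": k, "ts": now, "life": LIFETIME})
    return seal(k_reply, {"key": k, "S": s, "ts": now, "life": LIFETIME, "ticket": ticket.hex()})


class KDC:
    """Kerberos server K (Phase I) and Ticket Granting Server TGS (Phase II)."""
    def __init__(self, user_keys: dict, service_keys: dict):
        self.user_keys, self.service_keys, self.seen = user_keys, service_keys, set()

    def phase1(self, u: str, now: float) -> bytes:  # C -> K: U, tgs
        return issue(self.service_keys["tgs"], self.user_keys[u], u, "tgs", now)

    def phase2(self, s: str, t_u_tgs: bytes, a_u_tgs: bytes, now: float) -> bytes:  # C -> TGS: S, T, A
        t = verify(self.service_keys["tgs"], t_u_tgs, a_u_tgs, now, self.seen)
        return issue(self.service_keys[s], bytes.fromhex(t["key"]), t["C"], s, now)


class Service:
    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.seen = name, key, set()

    def phase3(self, t_c_s: bytes, a_c_s: bytes, now: float) -> bytes:  # C -> S: T, A
        t = verify(self.key, t_c_s, a_c_s, now, self.seen)
        k_c_s = bytes.fromhex(t["key"])
        ts = unseal(k_c_s, a_c_s)["ts"]
        return seal(k_c_s, {"ts": ts + 1})  # S proves itself with timestamp + 1


def demo(now: float = 1_000_000.0) -> dict:
    """Client side of all three phases, then Eve replays the captured (T_(C,S), A_(C,S))
    once inside the freshness window and once after it."""
    k_u = hashlib.sha256(b"alice's password").digest()  # K_U derived from the password
    k_tgs, k_s = os.urandom(16), os.urandom(16)
    kdc, fs = KDC({"alice": k_u}, {"tgs": k_tgs, "fs": k_s}), Service("fs", k_s)
    m1 = unseal(k_u, kdc.phase1("alice", now))                                # Phase I
    k_u_tgs, t_u_tgs = bytes.fromhex(m1["key"]), bytes.fromhex(m1["ticket"])
    a1 = seal(k_u_tgs, {"C": "alice", "ts": now})                             # A_(U,tgs)
    m2 = unseal(k_u_tgs, kdc.phase2("fs", t_u_tgs, a1, now))                  # Phase II
    k_c_s, t_c_s = bytes.fromhex(m2["key"]), bytes.fromhex(m2["ticket"])
    a2 = seal(k_c_s, {"C": "alice", "ts": now})                               # A_(C,S)
    proof = unseal(k_c_s, fs.phase3(t_c_s, a2, now))["ts"]                     # Phase III
    out = {"server_proof_ok": proof == now + 1}
    for label, when in (("replay_rejected", now + 1), ("stale_rejected", now + MAX_SKEW + 1)):
        try:
            fs.phase3(t_c_s, a2, when)
            out[label] = False
        except ValueError:
            out[label] = True
    return out
```

The two rejections show the two halves of the defence: the timestamp alone bounds how long a captured authenticator is usable, and the replay cache closes the remaining window. Without the cache, a replay one second later would be accepted.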