Network security

Basic encryption techniques

Luk Stoops VUB - programming laboratory

Security Problems

• Student• To have fun snooping on people’s email

• Hacker• To test out someone’s security system; steal data

• Sales rep• To claim to represent all of Europe, not just Andorra

• Businessman• To discover a competitor’s strategic marketing plan

Security Problems

• Ex-employee• To get revenge for being fired

• Accountant• To Embezzle money from a company

• Stockbroker• To deny a promise made to a customer by email

Security Problems

• Con man• To steal creditcard numbers for sale

• Spy• To learn an enemy’s military strength

• Terrorist• To steal germ warfare secrets

• …• ...

Network Security

• Secrecy• user authorisation

• Authentication• determining who you are talking to

• Nonrepudiation• signatures

• Integrity control• received message, is it not modified ?

Traditional Cryptography

Encryption DecryptionPlaintextP

PlaintextP

Intruder

Encryption keyEk

Decryption KeyDk

CiphertextC=Ek(P)

Some Terminology

• Cryptanalysis• The art of breaking ciphers

• Cryptography• The art of devising ciphers

• Cryptology• Cryptanalysis & Cryptography

Method of Encryption

• Cryptanalyst knows method of encryption

• Amount of effort to invent, test and install a new method every time the old method is compromised or thought to be compromised has always made it impractical to keep this secret

• This is where the key enters

The Key

• Combination Lock• 2 digits = 100 possibilities

• 3digits = 1000 possibilities

• Workfactor for the cryptanalyst by exhaustive search of the key space is exponential in the key length

• range from 64-bit to 256-bits keys

Cryptoanalyst Variations

• Ciphertext only• only ciphertext

• Known plaintext (“please login”)• matched ciphertext and plaintext

• Chosen plaintext• matched ciphertext and chosen plaintext

Substitution Cipher

ABCDEFGHIJKLMNOPQRSTUVWXYZ

BCDEFGHIJKLMNOPQRSTUVWXYZA

Caesar cipher

ABCDEFGHIJKLMNOPQRSTUVWXYZQWERTYUIOPASDFGHJKLZXCVBNM

Monoalphabetic substitution

Monoalphabetic Substitution

• 26! = 4 . 10 possible keys• 1 sec per solution = 10 years• Statistical properties

• most common letters: e, t, o, a, n, i, …• most common digrams: th, in, er, re, an• most common trigrams: the, ing, and, ion

– Counting relative frequencies and assigning most common letters, then digrams ..

– Guessing likely words (financial)

26

13

Transposition Cipher

• Reorder the letters but do not disguise them• afllskaselawabtoosscdlnmoman

esilyntrnntsoepaedobueriricc

• Breaking transposition ciphers– Frequency analysis: normal pattern– guess number of columns

• digrams depend on keylength

– ordering found by english

plaintext digrams

MEGABUCK74512836pleasetransferonemilliondollarstomyswissbankaccountabcde

One-Time Pads

• Unbreakable cipher

• A B C

010000010100001001000011 data

101100110101010011010100 random bit key

111100100001011010010111 ciphertext

• key on CD ?

Cryptographic principles

• All encrypted messages must contain some redundancy information– active intruders cannot send random junk– easier to break the message

• Prevent active intruders from playing back old messages (timestamps)

Secret-Key Algorithms

• Complex and involuted encryption algorithm

Permutation Substitution212 = 4096

8 x 4 = 32

Data Encryption Standard (DES)

DES (cont.)

• IBM 1977

• No longer secure in its original form

• Parameterised by 56-bit key

• 19 stages

• Decryption with same key in reverse order

• Complexity lies in iteration function

(S- & P boxes)

DES Subversion

• DES is basically a monoalphabetic substitution• Encrypting a longer message is done by breaking

it up in consecutive 8-byte (64-bit) blocks

DES Chaining

• Chaining makes block i a function of all previous blocks

• Same plaintext no longer maps onto the same cyphertext

Random initialisation vector IV

DES Cipher Feedback Mode

• Byte-by-byte encryption• initialisation vector needed

Congratulations ! You have won the Chinese Lottery.To collect, please call 0800-11111111

Breaking DES

• Original 128-bit key reduced to 56 under NSA pressure

• 1977 20 million $ DES breaking machine in one day

• 140.000 people checking 7x1016 keys in a month

• Chinese Lottery

– 1.2 billion people with chip that searches 1 million encryption's / sec

• within 60 sec key is found

Des Cracker

• July 17, 1998: EFF Builds DES Cracker

• $220,000 device

• Average of 4.5 days to crack a key

• June 8, 1998: government :– “FBI is unable to crack DES”

• 56-bit key is too short

http://www.eff.org/descracker/

Breaking DES (cont.)

• Insecure DES is still widely used for secure applications such as banking

• Using DES 2 times ?– 2112 = 1033

– 1 billion DES chips, 1 billion operations / sec takes 100 million years

– meet-in-the-middle attack: 257 operations

Triple Encryption DES

• EDE for backward compatibility with single-key DES systems (k1 = k2)

• No breaking method known – Not enough silicon in the universe.– Not enough time before sun burns out.

• 3-key EEE system is even better (168-bits)

International Data Encryption Algorithm IDEA

• Swiss

• 128-bit

• generates

52

16-bit keys– 6 / iteration

– 4 / transform

Advanced Encryption Standard

• 1972: National Institute of Standards and Technology

– public request for encryption algorithm• DES

• January 1997: new public request for AES

• 15 submissions in June 1998 (12 survived)

• March 1999 (5 candidates)

• January 2000 (winner)

http://www.nist.gov/aes/

Public-Key Algorithms

• Key protection and distribution problem

• 1976 Diffie and Hellman (Stanford univ.)

• encryption and decryption key are different

• decryption key can not be derived from the encryption key

• encryption key is made public

A BEaDa

EbDb

Eb(p)

RSA Algorithm

• Rivest, Shamir, Adleman

• based on the difficulty of factoring large numbers

• Factoring a 200-digit number requires

4 billion years of computer time

• too slow for encrypting large volumes of data

• Used to distribute a one-time session keys for use with DES or IDEA

Knapsack algorithm

• Merkle and Hellmann 1978– Large number of objects with different weight– selecting a subset in knapsack– total weight and list of possible objects is

public

• broken by Shamir and Rivest

Authentication

Alice Bob

Trudy

• Technique used by a process to verify that its communication partner is who it is supposed to be

Key Distribution

Centre

Authentication Shared Secret Key

• Key agreed upon on the telephone or in person• R random 128-bit number

Authentication Shared Secret Key (cont.)

• Combining information

• But ...

Authentication The Reflection Attack

• Designing a correct authentication protocol is harder than it looks

Authentication Safety rules

• Have the initiator prove who she is before the responder has to

• Have the initiator and responder use different keys for proof (Kab Kab’)

• Have the initiator and responder draw their challenges from different sets (even & odd numbers)

Authentication Establishing a Shared Key

• Diffie-Hellman key exchange– n, g, (n-1)/2 : large prime numbers

512-bit 512-bit

• But ...

Authentication The Bucket Brigade Attack

• (wo)man-in-the-middle attack

• Interlock protocol (a/2 - b/2 - a/2 - b/2)

Authentication Key Distribution Center

• Ks = session key

• Authentication happens for free

• But ...

Authentication Replay Attack

• Trudy gets a job from Alice

• Alice ask Bob to transfer money to Trudy

• Trudy, snooping on the network copies the message (2) and the money--transfer request that follows it

• Trudy replays this messages

KDBC

Authentication Needman-Schroeder

• Timestamps

• Unique message number (nonce)

• Multiway challenge-response protocol

Authentication Kerberos

• Used in many real systems• Authentication server• Ticket-Granting server

Authentication Public-Key

• Public keys must be known• Public keys in a public database ?

– bucket brigade attack possible

Digital Signatures

• Signing (an order to buy a ton of gold)

1 The receiver can verify the claimed identity of the sender

2 The sender cannot later repudiate the contents of the message

3 The receiver cannot possibly have concocted the message himself

Digital Signatures Secret-Key Signatures

• Proof that the message came from Alice– BB only accept messages from A if encrypted with Ka

– Bob produces exhibit KBB(A,t,P)

– RA(random number) + t (timestamp) to prevent replay attacks

Big Brother

Digital Signatures Public-Key Signatures

• Does not require a trusted authority• P = E(D(P)) = D(E(P))

• Proof: Bob produces exhibit P and DA(P)

• But...

Digital Signatures Public-Key Problems

• Alice discloses her secret key– If the price of gold drops, she can repudiate

here message to Bob by telling the police here key was stolen

• Alice decides to change her key– Some authority should record all key changes

and their dates

Digital Signatures Message Digests

• Authentication without secrecy– Given P, it is easy to compute MD(P)– Given MD(P), it is effectively impossible to find P– No one can generate two messages that have the same message

digest• MD5 Rivest (RSA)• SHA Secure Hash Algorithm (NIST, 1993)

Digital Signatures Digest in SET

• Changing a single bit in the message will change roughly half the bits in the message digest.

Digital Signatures Digital Signature Standard

• 1991, National Institute of Standards and Technology• El Gamal public-key algorithm• difficulty of computing discrete logarithms

Too secret (NSA)

Too new (not yet thoroughly analysed)

Too slow (10 to 40 times slower than RSA)

Too insecure (512-bit key)

Email Privacy

• Pretty Good Privacy (Zimmermann)– Privacy– Authentication– Digital signatures– Compression– Free of charge via the Internet

• Privacy Enhanced Mail

PGP

Content +typing speed

Cipher feedback mode

PGP message

• RSA key lengths– Casual (384-bit): can be broken with large budget

– Commercial (512-bit): breakable by TLA organisations

– Military (1024): not breakable by anyone on earth

– Alien (2048): not breakable by anyone in the universe

Browser security

• SSL (Secure Socket Layer) - Netscape

• Public key cryptography.

• Certificates (verisign, Belsign, AT&T …)– data encryption– server authentication– message integrity– client authentication

Java Security API

• import java.security.*;

• MessageDigest messagedigest = MessageDigest.getInstance(”SHA”);

• KeyPairGenerator keypairgenerator = KeyPairGenerator.getInstance(”DSA”);

• Signature signature = Signature.getInstance(”DSA”);

{ Signature signature = Signature.getInstance("DSA");

signature.initSign(privatekey); int n = 0; byte [] s = new byte [1000]; while ((n = inputstreamMessage.read(s)) > -1) { signature.update(s, 0, n); } s = signature.sign(); return s; }

Signing an input stream in Java

Suggested Readings

• Tanenbaum, Andrew, S., ”Computer Networks”• Anderson,R., “Why Cryptosystems Fail”• Kaufman et al., “Network Security”• Schneier, “Applied Crypthography”• Dr. Dobb’s journal, december 1998