Computer Security. Two main issues are current regarding security for computer communication systems

Transcription

1 Computer Security Two main issues are current regarding security for computer communication systems Data encryption User authentication Encryption and authentication between single users can be performed quite simply by ciphers and private keys etc. Once computer networks are involved the task takes on a new set of problems. The number of possible users is huge. Users with whom communication is required are often unknown. The only communication path to the user is often the path that needs to be secured. We will firstly look at a block cipher technique (DES), then a public key algorithm (RSA)

2 Data Encryption Standard (DES) This encryption system is of the conventional block cipher type. It has been certified by the US government and others as secure but not classified communications. It works on 64 bits of data at a time by using a 56 bit key.

3 64 bit Plaintext bit key... Initial Permutation Permuted choice 1 Iteration 1 K1 Permuted choice 2 Left circular shift Iteration 2 K2 Permuted choice 2 Left circular shift Iteration 16 K16 Permuted choice 2 Left circular shift 32 bit swap Inverse initial permutation bit ciphertext

4 64 bit Plaintext bit key... Initial Permutation Permuted choice 1 Iteration 1 K 1 Permuted choice 2 Left circular shift Iteration 2 K 2 Permuted choice 2 Left circular shift Iteration 16 K16 Permuted choice 2 Left circular shift 32 bit swap Inverse initial permutation bit ciphertext The 64 bits of data are first permuted using a function. This data is then permuted 16 times with subkey versions of the key which was also permuted on input. After a 32 bit swap the data is permuted in the reverse of the initial function. The sub keys are produced by a circular shift and a permutation.

5 Li-1 Ri-1 Ci-1 Di-1 Expansion/ permutation (E table) XOR Ki 48 Substitution/choice (S box) 32 Permutation Left shift Left shift Permutation/contraction XOR Li Ri Ci Di Concerns have been raised whether the S boxes are cryptographically strong.

6 Another worry is the fact that there are only 2 56 (7.2 x ) possible keys. If a computer could try one key each microsecond it would take over 1000 years to try half the keys. Lots of money (parallel processing) can crack the key (Assuming you know the data when you see it) Machine cost $100, $1,000, $10,000, Search time 35 hours 3.5 hours 21 minutes Plus development costs

7 An improvement over DES has been developed called Triple DES K1 K2 K1 Plaintext Encrypt Decrypt Encrypt Ciphertext K1 K2 K1 Ciphertext Decrypt Encrypt Decrypt Plaintext This gives the system an effective key length of 112 bits thus improving the security. 5.2 x combinations giving 8.2 x years to break at 1 microsecond per try for half the combinations.

8 Authentication If a message is encrypted then authentication is also performed when the message is correctly decoded. There are often times when we do not wish to encrypt but do need to authenticate the sender. Sending a message to a large number of destinations. They would all have to have the same correct key or individual correct keys. This in itself is a security risk. When high traffic at a destination means the time to decrypt all messages would be excessive.

9 Message Authentication Code (MAC) K Data Encrypt K Encrypt MAC COMPARE A code is produced from a key and the data to be sent The code is appended to the data before sending At the receive end the same procedure is performed The code is compared This is similar to generating and checking a CRC on a data frame where the generating polynomial is kept secret.

10 Hash Functions A hash function is a function that the data is passed through. It produces a code fingerprint identifying the data. H(x) = m H Hash function x data m hash code Apart from being able to handle the size of data passed to it efficiently, it must Have a one way property, ie you can generate the code from the data but not the data from the code. (Given m you can't find x) Alternative messages with the same hash code cannot easily be found. (Can't find y x where H(x) = H(y) Not easy to find two data sets with the same hash code (Can't find x & y where H(x) = H(y))

11 Data HASH HASH K K COMPARE Conventional encryption

12 Data HASH HASH Kprivate Kpublic COMPARE Public Key encryption

13 Data HASH COMPARE HASH Secret value

14 A simple hash function is an XOR of the data arranged into blocks with the number of columns equal to the hash code size b11 b21 b31 b41 b51 b61 b1m b2mb3m b4mb5m b6m bn1 bnm... c1 c2 c3 c4 c5 c6 cn c i = b i1 b i2... b im This type of hash has no cryptographic strength itself.

15 MD5 MD5 is a very common function algorithm 1. Data is padded to be 64 bits less than an integer multiple of 512 bits 2. The 64 bits at the end are used to contain the length of the data (LSBs of it). 3. Four buffers contain 128 bit, used to hold the hash code are initialised A = B = 89ABCDEF C = FEDCBA98 D =

16 4. The data is then processed 512 bits at a time Data Length ABCD Y 0 Y H MD5 H MD Y q Pad 512 Y L H MD5 H MD bit digest The data is broken up into 512 bit chunks and the MD5 algorithm applied

17 Y q 512 MD q A B C D ABCD <-f F (ABCD, Y q, T[1..16]) A B C D ABCD <-f G (ABCD, Y q, T[17..32]) A B C D ABCD <-f H (ABCD, Y q, T[33..48]) A B C D ABCD <-f I (ABCD, Y q, T[49..64]) MDq+1 128

18 The functions in the MD5 are F(X, Y,Z) = (X Y)+ ( X Z) G(X,Y, Z) = (X Y) + (Y Z ) H(X,Y, Z) = X Y Z I(X,Y, Z) = Y (X + Z ) 5. The output from this is the 128 bit digest The data is very well represented in the hash which produces a digest which satisfies the criteria for the hash. Before we look at public key encryption we should examine one more technique that is used very commonly. This is another algorithm for fast encryption of data for privacy.

19 RC4 (Rivest's Cipher 4) RC4 is a symmetric key algorithm, but instead of operating on a block of bits at a time, it operates on a bitstream. It operates with a variable-length key up to 256 bits. This cipher has a 256-entry substitution-box, the entries are permutations of the numbers 0 through 255, and the particular permutation is a function of the key. To initialise the box first fill it linearly so that S 0 =0, S 1 =1,, S 255 =255. Then fill another 256-byte array with the key, repeating the key as often as necessary to fill the whole array (K 0, K 1,, K 255 ). Set the index j = 0, then: For i = 0 to 255 j = (j + S i + K i ) mod 256 swap S i and S j

20 To generate a byte for encryption, first take two counters (i and j) initialized to zero, then: i = ( i + 1) mod 256 j = (j + S i ) mod 256 swap S i and S j t = (S i + S j ) mod 256 K = St The byte K is then XORed with the plaintext to produce ciphertext, or XORed with the ciphertext to produce the plaintext. Encryption is about 10 times faster than DES in software.

21 Public Key Encryption The system entails the generation of 2 keys for each participant A public key which is placed in a register where anyone may get a copy of it A private key that only the participant has access to Either key can be used to encrypt the data. The other key will then be used to decrypt it. The heart of the system is the mathematical algorithm that generates the related key pair. The cryptographic strength is related to the algorithm and the key length. The system can be used for privacy and/or authentication

22 Cryptanalyst X K Bpriv A B Message source X Encrypt Y Decrypt X Message dest K Bpub Key pair K Bpriv Public key system for privacy

23 Cryptanalyst K Apriv A B Message source X Encrypt Y Decrypt X Message dest K Apriv Key pair K Apub Public key system for authentication

24 RSA Public-Key Algorithm (Rivest, Shamir & Adleman) The system uses a block cipher for values < n For Plaintext M and Ciphertext C C = M e modulo n M = C d modulo n = (M e ) d modulo n = M ed modulo n Both sender and receiver know n, the sender knows e and the receiver knows d. Thus K pub = K{e,n} K priv = K{d,n}

25 It is possible to find e, d & n such that M=M ed modulo n for all M < n It is possible to calculate M e and C d for all M < n It is not easy to find d given e and n when e and n are large The values for e, d and n need to be carefully chosen.

26 Key generation Select n as the product of two prime numbers p & q We choose p = 11, q = 7 ( p and q might normally have 100's of digits) n = p x q = 11 x 7 = 77 Now choose e where e is relatively prime to (p-1) x (q-1) (relatively prime means they have no common factors except 1) (p-1) x (q-1) = (11-1) x (7-1) = 10 x 6 = 60 let us choose e = 7 For d we must find a number where (e x d) -1 = 0 modulo (p-1) x (q-1) This means (e x d) -1 is evenly divisible by (p-1) x (q-1) = 60 Choose d = 43 (e x d) -1 = (7 x 43)-1 = 300 (300 is divisible by 60) K pub = K{7,77} K priv = K{43,77}

27 Encrypt a message Lets send a simple message containing the letters of the alphabet number HELLO = 8, 5, 12, 12, 15 (In real life we would send messages containing much more than one letter.) To encrypt we multiply out the message 8 7 modulo 77, 5 7 modulo 77, 12 7 modulo 77, 12 7 modulo 77, 15 7 modulo 77 = 57, 47, 12, 12, 71

28 Decrypt a message 57, 47, 12, 12, 71 is received Remember our keys were K pub = K{7,77} K priv = K{43,77} We now raise these received numbers to 43rd power modulo modulo 77, 4743modulo 77, 1243modulo 77, 1243modulo 77, 7143modulo 77 = 8, 5, 12, 12, 15 = HELLO The original message!!

29 These calculations results in large numbers (especially if you try it on your calculator) Eg But it can be made simpler (computers can use this technique as well). Write it as a sum of powers of = = x 71 8 x 71 2 x 71 1 Now 71 2 = 5041 = 36 modulo 77 Similarly 71 8 = (71 2 ) 4 = = (71 2 ) 16 = So = x 36 4 x 36 x 71 modulo 77

30 71 43 = x 36 4 x 36 x 71 modulo 77 We can continue further 36 2 = 1296 = 64 modulo 77 and so 36 4 = (36 2 ) 2 = 64 2 modulo = (36 2 ) 8 = 64 8 modulo 77 so = 64 8 x 64 2 x 36 x 71 modulo 77 continuing we get = 64 8 x 64 2 x 36 x 71 modulo 77 = 15 4 x 15 x 36 x 71 modulo 77 = 71 2 x 15 x 36 x 71 modulo 77 = 36 x 15 x 36 x 71 modulo 77 = 15 modulo 77 = 15 the correct answer.

31 This encryption and authentication process works well when each partner has the appropriate keys. I can verify that it is you sending me data by using your public key. But how do I know the key that I am using is really YOUR public key and not the key of an imposter. If you send me a copy of it (a) I don't know it is you sending it (b) Someone may intercept it on the way and tamper with it To solve these problems protocols have been developed. We will examine the most popular which is used for secure internet communications.

32 SSL (Secure Socket Layer) This protocol was developed by Netscape for use in their WWW browser. It has since found use in many applications and is the present standard for secure WWW commerce (ecommerce) for all browsers (even IE4). HTTP LDAP IMAP Application layer SSL Network layer TCP/IP HTTP LDAP IMAP HyperText Transport Protocol Lightweight DirectoryAccess Protocol Internet Messaging Access Protocol It can Authenticate the server to the client. Allow the client and server to select the cryptographic algorithms that they both support. Optionally authenticate the client to the server. Use public-key encryption techniques to generate shared secrets. Establish an encrypted SSL connection.

33 Data from Netscape - another good site is Strength category and recommended use Cipher suites Strongest cipher suite. Permitted for deployment within the United States only. This cipher suite is appropriate for banks and other institutions that handle highly sensitive data. Cipher Suites Triple DES, which supports 168-bit encryption,with SHA-1 message authentication. Triple DES is the strongest cipher supported by SSL, but it is not as fast as RC4. Triple DES uses a key three times as long as the key for standard DES. Because the key size is so large, there are more possible keys than for any other cipher-- approximately 3.7 * Both SSL 2.0 and SSL 3.0 support this cipher suite. SHA-1 is a Secure Hash Algorithm similar to MD5

34 Strong cipher suites. Permitted for deployments within the United States only (now released to the world). These cipher suites support encryption that is strong enough for most business or government needs. RC4 with 128-bit encryption and MD5 message authentication. Because the RC4 and RC2 ciphers have 128-bit encryption, they are the second strongest next to Triple DES (Data Encryption Standard), with 168-bit encryption. RC4 and RC2 128-bit encryption permits approximately 3.4 * 1038 possible keys, making them very difficult to crack. RC4 ciphers are the fastest of the supported ciphers. Both SSL 2.0 and SSL 3.0 support this cipher suite. RC2 with 128-bit encryption. RC2 ciphers are slower than RC4 ciphers. This cipher suite is supported by SSL 2.0 but not by SSL 3.0. DES, which supports 56-bit encryption, with SHA-1 message authentication. DES is stronger than 40-bit encryption, but not as strong as 128- bit encryption. DES 56-bit encryption permits approximately 7.2 * 1016 possible keys. Both SSL 2.0 and SSL 3.0 support this cipher suite, except that SSL 2.0 uses MD5 rather than SHA-1 for message authentication.

35 Exportable(old) (from US)cipher suites. These cipher suites are not as strong as those listed above, but may be exported to most countries (note that France permits them for SSL but not for S/MIME). They provide the strongest encryption available for exportable products. RC4 with 40-bit encryption and MD5 message authentication. RC4 40-bit encryption permits approximately 1.1 * (a trillion) possible keys. RC4 ciphers are the fastest of the supported ciphers. Both SSL 2.0 and SSL 3.0 support this cipher. RC2 with 40-bit encryption and MD5 message authentication. RC2 40-bit encryption permits approximately 1.1 * (a trillion) possible keys. RC2 ciphers are slower than the RC4 ciphers. Both SSL 2.0 and SSL 3.0 support this cipher.

36 Weakest cipher suite. This cipher suite provides authentication and tamper detection but no encryption. Server administrators must be careful about enabling it, however, because data sent using this cipher suite is not encrypted and may be accessed by eavesdroppers. No encryption, MD5 message authentication only. This cipher suite uses MD5 message authentication to detect tampering. It is typically supported in case a client and server have none of the other ciphers in common. This cipher suite is supported by SSL 3.0 but not by SSL 2.0.

37 The heart of SSL is the "handshake" Client Server 1. The client contacts a secure web server (HTTPS) with SSL version, cipher settings, etc Server Client 2. The server responds with its certificate and information about itself (SSL version, cipher settings etc) The client attempts to authenticate the server from the certificate it was sent. We need to see the contents of the certificate first.

38 Server s public key Certificate serial # Certificate expiry Server s DN Issuer s DN Issuer s digital signature The certificate contains the servers public key plus information about the certificate including the distinguished name (DN) of the server. It also has the DN of an issueing Certifying Authority (CA) and a digital signature from this CA. A CA is a respected company or authority that deals in accrediting the identity of web server sites.

39 Server s public key Certificate serial # Certificate expiry Server s DN Issuer s DN Issuer s digital signature Your web browser will already have certificates (containing public keys) from these CAs and more may be added. The correct public key for the CA who signed the server's certificate is used to authenticate the digital signature (which was encrypted using the CA's private key). If the expected DN of the server is revealed then the certificate must be authentic. This therefore forms a letter of introduction, for the server, from the CA.

40 For full authentication the client must verify Is the date of the certificate valid Is the CA a trusted CA Does the CA's public key validate the digital signature Does the domain name in the server's DN match the domain name the certificate was sent from. (This is to prevent a "man-in-the-middle" attack)

41 Client Server 3. The client now uses the public key of the server to encrypt a "premaster secret" which it sends to the server. If the server has requested client authentication the client will also send its certificate containing its public key to the server. The server will perform authentication on the clients certificate. 4. The server takes the premaster secret from the client and performs a number of steps with it to create a "master secret". The client also does the same thing. Now both server and client have the same shared master secret. 5. Server and client both create a session key from the master secret

42 6. Both server and client send messages to each other saying that the handshake is complete. Further communication is now conducted using a symetric key cipher (RC4 for example, 40 bits or 128 bits, or another supported cipher.) Symetric key ciphers are much faster than public key encryption. Public key encryption must use a very large key to achieve crytpographic strength. (Typically more than 500 bits) This makes it slow for general data encryption.

43 Certificates Certificates used in SSL conform to the X.509 certificate standard. Certificate: Data: Version: v3 (0x2) Serial Number: 3 (0x3) Signature Algorithm: PKCS #1 MD5 With RSA Encryption Issuer: OU=Ace Certificate Authority, O=Ace Industry, C=US Validity: Not Before: Fri Oct 17 18:36: Not After: Sun Oct 17 18:36: Subject: CN=Jane Doe, OU=Finance, O=Ace Industry, C=US Subject Public Key Info: Algorithm: PKCS #1 RSA Encryption Public Key: Modulus: 00:ca:fa:79:98:8f:19:f8:d7:de:e4:49:80:48: e6:2a:2a:86:ed:27:40:4d:86:b3:05:c0:01:bb: 50:15:c9:de:dc:85:19:22:43:7d:45:6d:71:4e: 17:3d:f0:36:4b:5b:7f:a8:51:a3:a1:00:98:ce: 7f:47:50:2c:93:36:7c:01:6e:cb:89:06:41:72: b5:e9:73:49:38:76:ef:b6:8f:ac:49:bb:63:0f: 9b:ff:16:2a:e3:0e:9d:3b:af:ce:9a:3e:48:65: de:96:61:d5:0a:11:2a:a2:80:b0:7d:d8:99:cb: 0c:99:34:c9:ab:25:06:a8:31:ad:8c:4b:aa:54: 91:f4:15 Public Exponent: (0x10001) Extensions: Identifier: Certificate Type Critical: no Certified Usage: SSL Client Identifier: Authority Key Identifier Critical: no Key Identifier: f2:f2:06:59:90:18:47:51:f5:89:33:5a:31:7a: e6:5c:fb:36:26:c9 Signature: Algorithm: PKCS #1 MD5 With RSA Encryption Signature: 6d:23:af:f3:d3:b6:7a:df:90:df:cd:7e:18:6c: 01:69:8e:54:65:fc:06:30:43:34:d1:63:1f:06: 7d:c3:40:a8:2a:82:c1:a4:83:2a:fb:2e:8f:fb: f0:6d:ff:75:a3:78:f7:52:47:46:62:97:1d:d9: c6:11:0a:02:a2:e0:cc:2a:75:6c:8b:b6:9b:87: 00:7d:7c:84:76:79:ba:f8:b4:d2:62:58:c3:c5: b6:c1:43:ac:63:44:42:fd:af:c8:0f:2f:38:85: 6d:d6:59:e8:41:42:a5:4a:e5:26:38:ff:32:78: a1:38:f1:ed:dc:0d:31:d1:b0:6d:67:e9:46:a8: dd:c4

44 CA verification is often performed in a hierarchical chain Root CA Ozzy CA Check signed by Root CA Honest Bob s CA My Cert Check signed by Ozzy CA Check signed by Honest Bob s CA The chain must be authenticated until a trusted CA is found in the browser certificate database.