Course: Network Security Class: MSCS/BSCS/PHD Instructor: Ghazi Salahuddin Session: Fall 2009


1 Introduction to Cryptography Course: Network Security Class: MSCS/BSCS/PHD Instructor: Ghazi Salahuddin Session: Fall 2009

2 Objectives Objectives of Lecture Explain the generic properties of secret key, message digest, and public key algorithms, and how they are used.

3 Objectives This lecture will familiarize you with What is Cryptography? Breaking an Encryption Scheme Types of Cryptographic Functions Secret Key Cryptography Public Key Cryptography Hash Algorithms

4 What is Cryptography? Comes from the Greek words κρυπτο (hidden or secret) and γραφη (writing). What is Cryptography? The art of mangling information into apparent unintelligibility in a manner that allows a secret method of unmangling.

5 Cryptography Services Cryptography Provides Ability to send information between participants in a way that prevents others from reading it. Focus Kind of Cryptography that is based on representing information as numbers and mathematically manipulating those numbers. Provides services like Integrity Checking Authentication

6 Cryptography Services Integrity: Reassuring the recipient of a message that the message has not been altered since it was generated by a legitimate source. Authentication: Verifying someone's (or something's) identity.

7 Cryptographic System Figure: plaintext → Encryption → ciphertext → Decryption → plaintext. Plaintext or Cleartext: A message in its original form. Ciphertext: Mangled information. Encryption: The process for producing ciphertext from plaintext. Decryption: The reverse process of encryption.

8 Cryptographers vs. Cryptanalysts Cryptographers: Invent clever secret codes. Cryptanalysts: Attempt to break secret codes. The success of cryptographers rests on the Fundamental Tenet of Cryptography: If lots of smart people have failed to solve a problem, then it won't be solved (soon).

9 Cryptographic Systems Components Cryptographic systems involve both an Algorithm and a Secret Value (Key). Reasons for having a key: 1. It is difficult to devise new algorithms. 2. It allows reversible scrambling of information. 3. It is difficult to explain a newly devised algorithm to participants. 4. There is no harm even if the algorithm is known to bad guys (cryptanalysts).

10 Computational Difficulty No algorithm provides 100% security. A cryptographic algorithm needs to be reasonably efficient for good guys to compute. Cryptographic algorithms are not impossible to break: a bad guy can simply try all possible keys until one works. Secure Algorithm - Computational difficulty to break. An algorithm that takes the bad guy more time to break is considered more secure. If the best possible scheme will take 10 million years to break using all of the computers, then it can be considered reasonably secure.

11 Computational Difficulty Often an encryption scheme can be made more secure by making the key longer. It makes a little more work for the good guy but requires exponentially more time for the bad guy to try all possible combinations to break the key. Computers make the bad guy's job easy. Computers can be used to exhaustively try keys. Thousands and millions of keys can be tried per second. Also, a lot of keys can be tried in parallel by using multiple computers, which saves time to break.

12 Computational Difficulty A cryptographic algorithm can also have variable-length key It can be made more secure by increasing the length of the key. Some algorithms have a fixed-length key but similar algorithm with a longer key can be developed if necessary.

13 Try something else.. Bolt Cutter Always Works.. Breaking the cryptographic scheme is often only one way for getting what you want. For instance, bolt cutter works no matter how many digits are in the combination for briefcase lock. You can get further with a kind word and a gun than you can with a kind word alone. --Willy Sutton, bank robber

14 To Publish or Not to Publish Arguments 1. Keeping a cryptographic algorithm as secret as possible will enhance its security. 2. Publishing the algorithm, so that it is widely known, will enhance its security. It seems that keeping the algorithm secret must be more secure: it makes more work for the cryptanalysts, who must try to figure out what the algorithm is.

15 To Publish or Not to Publish Arguments for Publishing It is difficult to keep the algorithm secret if an algorithm is widely used. The bad guy will probably find out about it eventually anyway (e.g. reverse engineering). It's better to tell a lot of non-malicious people about the algorithm, so that in case of weaknesses, good guys will discover them rather than a bad guy. Publications by the academic community improve on the discovered weaknesses. A bad guy who discovers a weakness will exploit it for doing bad-guy things like embezzling money or stealing trade secrets.

16 To Publish or Not to Publish Arguments for Not Publishing Cryptosystems for the military are to be kept secret. The military ciphers are unpublished mainly to keep good cryptographic methods out of the hands of the enemy rather than to keep them from cryptanalyzing our codes. If a commercial algorithm is unpublished today, it's probably for trade secret reasons or because this makes it easier to get export approval rather than to enhance its security.

17 Secret Codes Secret code (or cipher) means any method of encrypting data. Caesar Cipher: Attributed to Julius Caesar. Substitute for each letter of the message the letter which is 3 letters later in the alphabet (and wrap around to A from Z). For example: DOZEN would become GRCHQ. It is very easy to recover the actual text from the encrypted text.

18 Secret Codes Captain Midnight Secret decoder rings An enhancement to the Caesar cipher distributed in The variant is to pick a secret number n between 1 and 25, instead of always using 3. Substitute for each letter of the message the letter which is n higher (and wrapped around to A from Z). For n=1 Cleartext: ABCDEFGHIJKLMNOPQRSTUVWXYZ Ciphertext: BCDEFGHIJKLMNOPQRSTUVWXYZA Example: HAL would become IBM. For n=25 Cleartext: ABCDEFGHIJKLMNOPQRSTUVWXYZ Ciphertext: ZABCDEFGHIJKLMNOPQRSTUVWXY Example: IBM would become HAL. There are only 26 possible n's to try, so it is very easy to break this cipher if you know it is being used and you can recognize a message once it's decrypted.

19 Secret Codes Monoalphabetic cipher It consists of an arbitrary mapping of one letter to another letter. There are 26! possible pairings of letters, which is approximately 4x It looks more secure, because to try all possibilities it would take 10 trillion years if it takes 1 microsecond to try each one. Statistical Analysis of Language: Statistical analysis means that certain letters and letter combinations are more common than others. It turns out to be fairly easy to break. For instance, many daily newspapers have a daily cryptogram, which is a monoalphabetic cipher, and can be broken.

20 English letter Frequencies

21 Breaking an Encryption Scheme There are three types of attacks for breaking an encryption scheme Attack Types Ciphertext only Known plaintext Chosen Plaintext

22 Ciphertext only In this type of attack the encryption algorithm and ciphertext are known to the bad guy. How can a bad guy figure out the plaintext if he can only see the ciphertext? How to break? One possible solution is to search through all the keys. It is essential in this attack that the bad guy be able to recognize when he has succeeded (readable English text). It is also known as a recognizable plaintext attack. It is essential for the bad guy to have enough ciphertext. Example: Having only XYZ as ciphertext is not enough information, since it has multiple possible substitutions like THE/CAT/HAT and many more. Any of the following words can be the plaintext for XYZ: The hot cat was sad but you may now sit and use her big red pen.

23 Ciphertext only How to break? Often, it is not necessary to search through a lot of keys. If normal English words are used as passwords, then non-English words need not be tried, which avoids trying all possible combinations of characters within the password. (An English dictionary is used for recognizing English words.) On average half of all possible keys must be tried to achieve success. A strong encryption algorithm can protect against these types of attacks.

24 Known Plaintext The following is known to the bad guy: Encryption Algorithm, Ciphertext, and one or more plaintext-ciphertext pairs formed with the secret key. How are plaintext-ciphertext pairs known to the attacker? One possibility is that secret data might not remain secret forever. For instance, the data might consist of specifying the next city to be attacked. Once the attack occurs, the plaintext to the previous day's ciphertext is now known. How does the attack work? From it, the attacker would learn the mappings of a substantial fraction of the most common letters. It is important to design the systems that use such a cryptographic algorithm to minimize the possibility that a bad guy will ever be able to obtain <plaintext, ciphertext> pairs.

25 Chosen Plaintext The following is known to the bad guy: Encryption Algorithm, Ciphertext, and a plaintext message chosen by the cryptanalyst, together with its corresponding ciphertext generated with the secret key. How does it work? It allows the attacker to get all the letters of the alphabet encrypted and then be able to decrypt with certainty any encrypted message. What does the attacker need to do? It is very easy to send a few plaintext messages and get their corresponding encrypted messages. This allows the attacker to obtain all substitutions and decrypt any possible encrypted message.

26 Chosen Plaintext How does the attacker get all this information? The attacker can choose any plaintext he wants, and get the system to tell him what the corresponding ciphertext is. Suppose a telegraph company offered a service in which they encrypt and transmit messages for you. Suppose Fred has eavesdropped on Alice's encrypted message. Now Fred would like to break the telegraph company's encryption scheme so that he can decrypt Alice's message. He can obtain the corresponding ciphertext to any message he chooses by paying the telecom company to send the message for him. For instance, if Fred knew they were using a monoalphabetic cipher, he might send the message The Quick brown fox jumps over the lazy dog. (Includes A-Z)
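
The telegraph-company scenario above, worked through in Python as an added example (not part of the original slides). It shows why a service that encrypts caller-chosen text under a monoalphabetic key gives the key away: one pangram fills the whole substitution table, while a short message fills only part of it. The key generator, the seed and the sample messages are constructed for the illustration.

```python
import random
import string

ALPHABET = string.ascii_uppercase
PANGRAM = "The quick brown fox jumps over the lazy dog"  # contains every letter A-Z


def make_key(seed):
    """Build a monoalphabetic key: an arbitrary one-to-one mapping of letters.

    The seed only makes this constructed example repeatable.
    """
    shuffled = list(ALPHABET)
    random.Random(seed).shuffle(shuffled)
    return dict(zip(ALPHABET, shuffled))


def encrypt(key, text):
    """The 'telegraph company' service: substitute letters, keep everything else."""
    return "".join(key.get(ch, ch) for ch in text.upper())


def recover_table(chosen_plaintext, ciphertext):
    """Pair each chosen plaintext letter with the ciphertext letter at the same
    position, giving a ciphertext -> plaintext table."""
    table = {}
    for plain, cipher in zip(chosen_plaintext.upper(), ciphertext):
        if plain in ALPHABET:
            table[cipher] = plain
    return table


def decrypt_with_table(table, ciphertext):
    """Decrypt using only the recovered table; unknown letters show as '?'."""
    return "".join(
        table.get(ch, "?") if ch in ALPHABET else ch for ch in ciphertext
    )


def demo():
    key = make_key(2009)                      # secret held by the service
    intercepted = encrypt(key, "MEET ME AT NOON")  # constructed 'Alice' message

    # One pangram submitted to the service reveals all 26 substitutions.
    full = recover_table(PANGRAM, encrypt(key, PANGRAM))
    # A short chosen message reveals only the letters it contains.
    partial = recover_table("HELLO", encrypt(key, "HELLO"))

    return {
        "letters_from_pangram": len(full),
        "pangram_decrypt": decrypt_with_table(full, intercepted),
        "letters_from_hello": len(partial),
        "hello_decrypt": decrypt_with_table(partial, intercepted),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The defensive reading: a deterministic substitution must never be exposed as a service that encrypts text picked by the caller, because the table it leaks decrypts every other customer's traffic.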

27 Types of Cryptographic Functions Hash Functions It involves the use of Zero Keys Secret Key Functions It involves the use of only one key, called secret key Public Key Functions It involves the use of two keys, called public and private keys

28 Secret Key Cryptography Figure: plaintext → Encryption (key) → ciphertext → Decryption (key) → plaintext. It involves the use of only one key. The same key is used for encryption and decryption. The ciphertext remains the same length as the plaintext after encryption. It is also known as conventional cryptography or symmetric cryptography. Examples: Captain Midnight code and monoalphabetic ciphers

29 Secret Key Cryptography Classic ciphers comprise two basic components: Substitution cipher (Monoalphabetic, Polyalphabetic) and Transposition cipher. Several of these ciphers are grouped together to form a product cipher

30 Security uses of Secret Key Cryptography The following are the types of things that can be done by using secret key cryptography: Transmitting over an Insecure channel, Secure Storage on Insecure Media, Authentication, Integrity Check

31 Transmitting over an Insecure channel If sender and receiver agree on a shared secret (a key), then by using the secret key both can send messages to one another on a medium that can be tapped, without worrying about eavesdroppers. The only requirement is to have the sender encrypt the messages and the receiver decrypt them using the shared secret. An eavesdropper will only see unintelligible data. This is the classic use of cryptography.

32 Secure Storage on Insecure Media If you invent a key and encrypt the information using the key, you can store it anywhere and it is safe so long as you can remember the key. Forgetting the key makes the data irrevocably lost, so this must be used with great care. Between the clever thieves and court orders, there are very few places that are truly secure, and none of them is convenient.

33 Authentication Spy Movies use passwords In spy movies a password is used for authentication. Problem: Anyone overhearing their conversation or initiating one falsely can gain information useful for replaying later and impersonating the person to whom they are talking. Strong Authentication: It means someone can prove knowledge of a secret without revealing it. It is useful when two computers are trying to communicate over an insecure network.

34 Authentication Challenge-Response Authentication with Shared Secret Suppose Alice and Bob share a key K_AB and they want to verify they are speaking to each other. They each pick a random number, which is known as a challenge. Alice picks r_A and Bob picks r_B. The value x encrypted with the key K_AB is known as the response to the challenge x. Figure (challenge-response authentication with shared secret): Alice → Bob: r_A; Bob → Alice: r_A encrypted with K_AB; Bob → Alice: r_B; Alice → Bob: r_B encrypted with K_AB.

35 Authentication If Alice and Bob complete this exchange, they have each proven to the other party that they know K_AB without revealing it to an impostor or an eavesdropper. If someone, say Fred, were impersonating Alice, he could get Bob to encrypt a value for him (though he wouldn't be able to tell if the person he was talking to was really Bob). But this information would not be useful later in impersonating Bob to the real Alice because the real Alice would pick a different challenge.

36 Authentication Always use a large challenge space to avoid repeating. There is an opportunity for Fred to obtain some <chosen plaintext, ciphertext> pairs, since he can claim to be Bob and ask Alice to encrypt a challenge for him. It is essential that challenges be chosen from a large enough space, 2^64 values, so that there is no significant chance of using the same one twice.
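
The shared-secret challenge-response exchange from the three slides above, as an added Python example (not part of the original slides). It substitutes HMAC-SHA256 for "r encrypted with K_AB" as the keyed function, draws challenges from a 64-bit space, and shows that a recorded response is rejected against a fresh challenge. The class and function names are illustrative.

```python
import hashlib
import hmac
import secrets

CHALLENGE_BYTES = 8  # 64-bit challenge space, the size the slide calls for


def new_challenge():
    """Pick an unpredictable challenge from the 2^64 space."""
    return secrets.token_bytes(CHALLENGE_BYTES)


def respond(key, challenge):
    """Response to a challenge: a keyed function of it.

    Assumption: HMAC-SHA256 stands in for 'encrypt the challenge with K_AB';
    both prove knowledge of the key without sending the key.
    """
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Verifier:
    """One side of the exchange: issues a challenge, accepts one response to it."""

    def __init__(self, key):
        self._key = key
        self._pending = None

    def challenge(self):
        self._pending = new_challenge()
        return self._pending

    def check(self, response):
        # A challenge is single-use: clear it whether or not the check passes.
        pending, self._pending = self._pending, None
        if pending is None:
            return False
        return hmac.compare_digest(respond(self._key, pending), response)


def mutual_auth(alice_key, bob_key):
    """Run both directions; returns (alice_accepts_bob, bob_accepts_alice)."""
    alice, bob = Verifier(alice_key), Verifier(bob_key)
    r_a = alice.challenge()                          # Alice -> Bob: r_A
    alice_ok = alice.check(respond(bob_key, r_a))    # Bob -> Alice: f(K_AB, r_A)
    r_b = bob.challenge()                            # Bob -> Alice: r_B
    bob_ok = bob.check(respond(alice_key, r_b))      # Alice -> Bob: f(K_AB, r_B)
    return alice_ok, bob_ok


def replay_attempt(key):
    """A response recorded from one run is replayed against the next challenge.

    Returns (first_run_accepted, replay_accepted).
    """
    alice = Verifier(key)
    recorded = respond(key, alice.challenge())   # genuine response, seen on the wire
    first = alice.check(recorded)
    alice.challenge()                            # real Alice picks a different challenge
    replayed = alice.check(recorded)
    return first, replayed


if __name__ == "__main__":
    k_ab = secrets.token_bytes(32)               # constructed shared key
    print("same key:     ", mutual_auth(k_ab, k_ab))
    print("impostor key: ", mutual_auth(k_ab, secrets.token_bytes(32)))
    print("replay:       ", replay_attempt(k_ab))
```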

37 Integrity Check Cryptographic checksum A secret key scheme can be used to generate a fixed-length cryptographic checksum associated with a message. What is a checksum? An ordinary (noncryptographic) checksum protects against accidental corruption of a message. The term checksum comes from the operation of breaking a message into fixed-length blocks and adding them up. The sum is sent along with the message. The receiver similarly breaks up the message, repeats the addition and checks the sum. If the message had been garbled en route, the sum will not match the sum sent and the message is rejected.

38 Integrity Check What is CRC? If flaky hardware turns a bit off somewhere, it is likely to turn a corresponding bit on somewhere else. To protect against such regular flaws in hardware, more complex checksums called CRCs (Cyclic Redundancy Checks) were devised. A CRC still protects against faulty hardware and not against an intelligent attacker. Since CRC algorithms are published, an attacker who wanted to change a message could do so, compute the CRC of the new message, and send that along. Note: if you don't remember CRC, please refer to Forouzan's book to refresh the concepts.

39 Integrity Check Cryptographic checksum A secret checksum algorithm provides protection against malicious changes to a message. An attacker not knowing the algorithm can't compute the right checksum for the message to be accepted as authentic. It is better to have a common (known) algorithm and a secret key. How does it work? Given a key and a message, the algorithm produces a fixed-length message authentication code (MAC) that can be sent with the message. A MAC is often called a MIC (Message Integrity Check).

40 Integrity Check MAC/MIC and bad guys A bad guy wants to modify the message and doesn't know the key. He will guess a MAC, and his chance of getting it right depends on the MAC length. A typical MAC is at least 48 bits long. The chance of getting away with a forged message is only one in 280 trillion.

41 Public Key Cryptography Figure: plaintext → Encryption (public key) → ciphertext → Decryption (private key) → plaintext. It is also referred to as asymmetric cryptography. It is a new field, invented in It involves the use of two keys: Private key: that need not be revealed to anyone. Public key: that is preferably known to the entire world.

42 Public Key Cryptography Additional Advantage: Digital Signatures A digital signature can be generated on a message. A digital signature is a number associated with a message, like the checksum or the MAC. A digital signature can only be generated by someone knowing the private key. Figure: plaintext → Signing (private key) → signed message → Verification (public key) → plaintext.

43 Public Key Cryptography Difference between Digital Signature and MAC A checksum or MAC can be generated by anyone. A digital signature can only be generated by someone knowing the private key. A public key signature differs from a secret key MAC because verification of a MAC requires knowledge of the same secret as was used to create it. Anyone who can verify a MAC can also generate one. In contrast, verification of the signature only requires knowledge of the public key. Example: Alice can sign a message by generating a signature only she can generate, and other people can verify that it is Alice's signature, but cannot forge her signature. It is called a signature because it shares with handwritten signatures the property that it is possible to recognize a signature as authentic without being able to forge it.

44 Public Key Cryptography Security Use of Public Key Cryptography Public key cryptography algorithms are slower than secret key cryptography algorithms. They are usually used with secret key cryptography algorithms. Network security is easily configurable. Conversation: Authentication at the start using PK, encryption during the conversation using SK. Alice encrypts the secret key using the public key and sends it to Bob. Alice and Bob use the secret key to encrypt the conversation. Only Bob can decrypt the secret key. Bob does not know that it was Alice who sent the message. Alice digitally signs the encrypted secret key using the private key.

45 Transmitting over an Insecure channel Suppose Alice's <private key, public key> pair is <e_A, d_A> and Bob's key pair is <e_B, d_B>. Assume Alice knows Bob's public key and Bob knows Alice's public key. Both can send secured messages over an insecure channel. Figure: Alice encrypts m_A using e_B → Bob decrypts m_A using d_B; Bob encrypts m_B using e_A → Alice decrypts m_B using d_A.

46 Secure Storage on Insecure Media It works the same as with secret key cryptography. You'd encrypt the data with your public key and nobody can decrypt it except you, since decryption requires the use of the private key. Better Performance: You wouldn't encrypt the data directly with the public key. Randomly generate a secret key, encrypt the data with that secret key, and encrypt that secret key with the public key. If you lose your private key, the data is irretrievably lost. You can encrypt an additional copy of the data encryption key under the public key of someone you trust, like your lawyer. You can store copies of your private key with someone you trust.

47 Authentication Weakness of Secret Key Authentication If Alice and Bob want to communicate, they have to share a secret. If Bob wants to prove his identity to lots of entities then he needs to remember lots of keys (one for each entity). If Bob uses the same shared secret with Alice as with Carol, then Carol and Alice can impersonate Bob to each other. Public key Authentication: Bob only needs to remember a single secret, his own key. If Bob wants to be able to verify the identity of thousands of entities, then he will only need to know thousands of public keys (PKI helps to manage it in an efficient way)

48 Authentication How does it work? How can Alice use public key cryptography to verify Bob's identity, assuming Alice knows Bob's public key? Alice chooses a random number r, encrypts it using Bob's public key e_B, and sends the result to Bob. Bob proves he knows d_B by decrypting the message and sending r back to Alice. Figure: Alice encrypts r using e_B → Bob decrypts to r using d_B → Bob sends r to Alice.

49 Authentication Other Advantages Alice does not need to keep any secret information in order to verify Bob. For instance, Alice might be a computer system in which backup tapes are unencrypted and easily stolen. With secret key based authentication, if Carol stole a backup tape and read the key that Alice shares with Bob, she could then trick Bob into thinking she was Alice. In contrast, with public key based authentication, the only information on Alice's backup tapes is public key information, and that cannot be used to impersonate Bob.

50 Digital Signatures Digital signatures provide two important functions: They prove who generated the information. They prove that the information has not been modified in any way by anyone since the message and matching signature were generated. Public key technology (digital signature) is useful to prove that a message was generated by a particular individual. Bob's signature for a message m can only be generated by someone with knowledge of Bob's private key. The signature depends on the contents of message m. If m is modified then the signature becomes invalid.

51 Digital Signatures Digital Signatures vs. Secret key cryptography MACs Digital signatures offer an important advantage (non-repudiation) over secret key cryptography MACs. Bob sells widgets and Alice routinely buys them. Orders are placed through mail with a signed purchase order. Both agree with message to order widgets. To avoid forged orders, Alice will include a message integrity code on her messages. It can be either a secret key MAC or a public key based signature. What are the complications with both approaches?

52 Digital Signatures Everyone generates the signature using their own private key. If public key signatures are used by Alice and Bob, Bob can show the signed message to the judge and it can be verified that it was signed with Alice's key (private key). If Alice claims the key was stolen or misused, she will still be responsible due to the contract and her responsibility to secure her private key. Digital signatures are created by the private key of the sender and can be easily identified with the knowledge of sender private key.

53 Digital Signatures Bob can't prove it if Alice denies the placed order (Same Shared Key) Suppose Alice placed a big order but she changes her mind. There is a big penalty for cancelling the order. She wants to deny that she ever placed the order. Bob sues Alice. If Alice authenticated the message by computing a MAC based on a key that she shares with Bob, Bob knows Alice really placed the order because nobody other than Bob knows that key. If Bob knows he didn't create the message, he knows it must have been Alice. Bob can't prove it to anyone: since he knows the same key that Alice used to sign the order, he could have forged the signature on the message himself, and he can't prove to the judge that he didn't.

54 Hash Algorithms Hash algorithms are also called Message Digests or one-way transformations. What is Hash Function? It is a mathematical transformation It takes a message of arbitrary length (transformed into a string of bits) Computes a fixed-length number from it. Example Take the message m and treat it as a number Add some large constants and Square it Take the middle n digits as hash.

55 Hash Algorithms Properties of the hash of a message: For any message m, it is easy to compute h(m); it doesn't take a lot of processing to compute the hash. Given h(m), there is no way to find an m that hashes to h(m) in a way that is substantially easier than going through all possible values of m and computing h(m) for each one. Even though many different values of m are transformed to the same value h(m) (because there are many more possible values of m), it is computationally infeasible to find two values that hash to the same thing. The basic idea of a message digest function is that the input is mangled so badly the process cannot be reversed.

56 Password Hashing Storing the hash of a password is more secure than storing unencrypted passwords in a system. When a password is supplied, the system computes the password's hash and compares it with the stored hash value. If they match, the password is deemed correct.

57 Password Hashing If the hashed password file is obtained by an attacker, it is not immediately useful because the passwords can't be derived from the hashes. If systems make the password hash file publicly reachable, it involves a security risk. Even if there are no cryptographic flaws in the hash, it is possible to guess passwords and hash them to see if they match. If a user is careless and selects a guessable password, an exhaustive search would crack the password. Many systems hide the hashed password list or file.
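
The guessing risk described in the two password-hashing slides, as an added Python example written from the administrator's side (not part of the original slides). It audits a constructed hash file for passwords that appear on a guess list, then goes beyond the slides by storing passwords with a per-user salt and PBKDF2, a standard way to make each guess expensive; the user names, passwords and iteration count are assumptions for the illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this example


def fast_hash(password):
    """Plain, unsalted hash: the scheme the slides describe."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def audit_guessable(stored_hashes, guess_list):
    """Report accounts whose stored hash equals the hash of a listed guess.

    With an unsalted hash, hashing the guess list once checks every account.
    """
    lookup = {fast_hash(guess): guess for guess in guess_list}
    return {
        user: lookup[digest]
        for user, digest in stored_hashes.items()
        if digest in lookup
    }


def enroll(password):
    """Store (salt, iterations, digest) instead of a bare hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, PBKDF2_ITERATIONS, digest


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return hmac.compare_digest(candidate, digest)


def demo():
    # Constructed hash file: one careless user, one careful user.
    stored = {
        "alice": fast_hash("password"),
        "bob": fast_hash("c0rrect-H0rse-9917"),
    }
    guesses = ["123456", "password", "letmein", "qwerty"]
    weak = audit_guessable(stored, guesses)

    # Same password enrolled twice: the salt makes the records differ, so one
    # precomputed table of hashed guesses no longer covers every account.
    first, second = enroll("password"), enroll("password")
    return {
        "weak_accounts": weak,
        "records_differ": first[2] != second[2],
        "correct_password_ok": verify("password", first),
        "wrong_password_ok": verify("passw0rd", first),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```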

58 Message Integrity Hash functions can be used to generate a MAC to protect the integrity of messages transmitted over insecure media (the same as with secret key cryptography). If we merely sent the message and used the hash of the message as the MAC, this would not be secure. Hash functions are well-known, so a bad guy can modify the message, compute a new hash for the new message, and transmit it. A keyed hash provides a more secure mechanism.

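59 Message Integrity A message can be concatenated with a secret key for calculating the hash, which provides secure integrity. Figure: Alice hashes the message together with the secret and sends the message and the hash; Bob hashes the received message together with the secret and checks whether the result ?= the received hash.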

60 Message Integrity What is a Keyed Hash? Suppose Alice and Bob have agreed on a secret. Alice can use a hash to generate a MAC for a message to Bob by taking the message, concatenating the secret, and computing the hash of the result. Alice sends the hash and the message (without the secret) to Bob. Bob concatenates the secret to the received message and computes the hash of the result. If that matches the received hash, Bob can have confidence the message was sent by someone knowing the secret.
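
The integrity argument of slides 37 to 40 and 58 to 60 in one added Python example (not part of the original slides): a message is changed in transit by someone who does not know the secret, and the receiver's check is run for a CRC, a plain hash, the slides' hash of message plus secret, and a 48-bit truncated HMAC. The secret, the messages and the scheme names are constructed; HMAC is included as the standardized keyed-hash construction rather than something the slides name.

```python
import hashlib
import hmac
import zlib

SECRET = b"constructed-shared-secret"   # constructed key, known to Alice and Bob only
ORIGINAL = b"PAY 100 TO BOB"            # constructed message Alice sends
MODIFIED = b"PAY 900 TO BOB"            # what arrives after tampering


def crc32_tag(message, secret=None):
    """Published checksum, no key: guards against flaky hardware only."""
    return zlib.crc32(message).to_bytes(4, "big")


def sha256_tag(message, secret=None):
    """Plain hash of the message: also computable by anyone."""
    return hashlib.sha256(message).digest()


def keyed_hash_tag(message, secret):
    """The slides' keyed hash: hash of the message concatenated with the secret."""
    return hashlib.sha256(message + secret).digest()


def hmac48_tag(message, secret):
    """HMAC-SHA256 truncated to 48 bits, the MAC length quoted on slide 40."""
    return hmac.new(secret, message, hashlib.sha256).digest()[:6]


# scheme name -> (tag function, whether the tag depends on the secret)
SCHEMES = {
    "crc32": (crc32_tag, False),
    "sha256": (sha256_tag, False),
    "sha256(message||secret)": (keyed_hash_tag, True),
    "hmac-sha256/48": (hmac48_tag, True),
}


def receiver_accepts(scheme, message, tag):
    """Bob recomputes the tag over what he received and compares."""
    tag_fn, _ = SCHEMES[scheme]
    return hmac.compare_digest(tag_fn(message, SECRET), tag)


def tag_after_tampering(scheme, original_tag):
    """Tag available to someone who changed the message without knowing SECRET."""
    tag_fn, keyed = SCHEMES[scheme]
    if keyed:
        return original_tag       # cannot recompute; can only reuse or guess
    return tag_fn(MODIFIED)       # public algorithm: recompute over the new text


def evaluate():
    """For each scheme: is the genuine message accepted, and the tampered one?"""
    results = {}
    for scheme, (tag_fn, _) in SCHEMES.items():
        sent_tag = tag_fn(ORIGINAL, SECRET)
        forged_tag = tag_after_tampering(scheme, sent_tag)
        results[scheme] = {
            "genuine_accepted": receiver_accepts(scheme, ORIGINAL, sent_tag),
            "tampered_accepted": receiver_accepts(scheme, MODIFIED, forged_tag),
        }
    return results


def guess_space(tag_bits):
    """Number of equally likely tags a blind guess must pick from."""
    return 2 ** tag_bits


if __name__ == "__main__":
    for scheme, outcome in evaluate().items():
        print(f"{scheme:26} {outcome}")
    print("48-bit MAC guess space:", guess_space(48))   # about 280 trillion
```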

61 Message fingerprint Scenario / Requirements You want to know whether some large data structure (e.g. a program) has been modified from one day to the next. Solution 1: Multiple Copies. You could keep a copy of the data on some tamper-proof backing store and periodically compare it to the active version. Solution 2: Hash function. Use of a hash function can save storage (the hash is small compared to the file). You simply save the message digest of the data on the tamper-proof backing store. If the message digest hasn't changed, you can be confident none of the data has. Hash functions must be secured and protected from bad guys

62 Downline Load Security What is downline load? Many devices connected to a network (like routers or printers) do not have nonvolatile memory to store the programs they normally run. They keep a bootstrap program smart enough to get a program from the network and run it. This scheme is called downline load. Downline Load Security: Suppose you want to downline load a program and make sure that it hasn't been corrupted. If you know the proper hash of the program, you can compute the hash of the loaded program and make sure it has the proper value before running the program.

63 Digital Signature Efficiency Digital signature vs. digest efficiency The best known public key algorithms are sufficiently processor-intensive that it is desirable to compute a message digest of the message and sign that, rather than to sign the message directly. The message digest algorithms are much less processor-intensive, and the message digest is much shorter than the message.

64 Cryptography Tools Cypher Calc Command Line Scriptor CryptoHeaven PGP Crack Magic Lantern Advanced File Encryptor Encryption Engine Encrypt files Omziff ABC CHAOS EncryptOnClick CryptoForge SafeCryptor CrypTool Microsoft Cryptography Tools Encrypt PDF Encrypt Easy Encrypt my folder Advanced HTML encrypt and Password Protect Encrypt HTML Source Alive file Encryption Polar Cryto Light CryptoSafe Crypt Edit CrypSecure Cryptlib Crypto++ Library

65 Summary


More information

Security: Cryptography

Security: Cryptography Security: Cryptography Computer Science and Engineering College of Engineering The Ohio State University Lecture 38 Some High-Level Goals Confidentiality Non-authorized users have limited access Integrity

More information

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography Outline 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography

More information

A New Symmetric Key Algorithm for Modern Cryptography Rupesh Kumar 1 Sanjay Patel 2 Purushottam Patel 3 Rakesh Patel 4

A New Symmetric Key Algorithm for Modern Cryptography Rupesh Kumar 1 Sanjay Patel 2 Purushottam Patel 3 Rakesh Patel 4 IJSRD - International Journal for Scientific Research & Development Vol. 2, Issue 08, 2014 ISSN (online): 2321-0613 A New Symmetric Key Algorithm for Modern Cryptography Rupesh Kumar 1 Sanjay Patel 2 Purushottam

More information

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d) Outline AIT 682: Network and Systems Security 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard Topic 5.2 Public Key Cryptography Instructor: Dr. Kun Sun 2 Public Key

More information

Outline Basics of Data Encryption CS 239 Computer Security January 24, 2005

Outline Basics of Data Encryption CS 239 Computer Security January 24, 2005 Outline Basics of Data Encryption CS 239 Computer Security January 24, 2005 What is data encryption? Basic encryption mechanisms Stream and block ciphers Characteristics of good ciphers Page 1 Page 2 Data

More information

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography 1. Introduction 2. RSA Outline 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography

More information

CSC 774 Network Security

CSC 774 Network Security CSC 774 Network Security Topic 2. Review of Cryptographic Techniques CSC 774 Dr. Peng Ning 1 Outline Encryption/Decryption Digital signatures Hash functions Pseudo random functions Key exchange/agreement/distribution

More information

2.1 Basic Cryptography Concepts

2.1 Basic Cryptography Concepts ENEE739B Fall 2005 Part 2 Secure Media Communications 2.1 Basic Cryptography Concepts Min Wu Electrical and Computer Engineering University of Maryland, College Park Outline: Basic Security/Crypto Concepts

More information

Lecture 1 Applied Cryptography (Part 1)

Lecture 1 Applied Cryptography (Part 1) Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1 Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication

More information

Kurose & Ross, Chapters (5 th ed.)

Kurose & Ross, Chapters (5 th ed.) Kurose & Ross, Chapters 8.2-8.3 (5 th ed.) Slides adapted from: J. Kurose & K. Ross \ Computer Networking: A Top Down Approach (5 th ed.) Addison-Wesley, April 2009. Copyright 1996-2010, J.F Kurose and

More information

Outline Key Management CS 239 Computer Security February 9, 2004

Outline Key Management CS 239 Computer Security February 9, 2004 Outline Key Management CS 239 Computer Security February 9, 2004 Properties of keys Key management Key servers Certificates Page 1 Page 2 Introduction Properties of Keys It doesn t matter how strong your

More information

Ref:

Ref: Cryptography & digital signature Dec. 2013 Ref: http://cis.poly.edu/~ross/ 2 Cryptography Overview Symmetric Key Cryptography Public Key Cryptography Message integrity and digital signatures References:

More information

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015 Distributed Systems 26. Cryptographic Systems: An Introduction Paul Krzyzanowski Rutgers University Fall 2015 1 Cryptography Security Cryptography may be a component of a secure system Adding cryptography

More information

Computers and Security

Computers and Security The contents of this Supporting Material document have been prepared from the Eight units of study texts for the course M150: Date, Computing and Information, produced by The Open University, UK. Copyright

More information

Applied Cryptography Protocol Building Blocks

Applied Cryptography Protocol Building Blocks Applied Cryptography Protocol Building Blocks Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1 Protocols An algorithm describes a series of steps carried out by a process

More information

CSC/ECE 774 Advanced Network Security

CSC/ECE 774 Advanced Network Security Computer Science CSC/ECE 774 Advanced Network Security Topic 2. Network Security Primitives CSC/ECE 774 Dr. Peng Ning 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange;

More information

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

ח'/סיון/תשע א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms Public Key Cryptography Kurose & Ross, Chapters 8.28.3 (5 th ed.) Slides adapted from: J. Kurose & K. Ross \ Computer Networking: A Top Down Approach (5 th ed.) AddisonWesley, April 2009. Copyright 19962010,

More information

CSE 127: Computer Security Cryptography. Kirill Levchenko

CSE 127: Computer Security Cryptography. Kirill Levchenko CSE 127: Computer Security Cryptography Kirill Levchenko October 24, 2017 Motivation Two parties want to communicate securely Secrecy: No one else can read messages Integrity: messages cannot be modified

More information

CSC 580 Cryptography and Computer Security

CSC 580 Cryptography and Computer Security CSC 580 Cryptography and Computer Security Encryption Concepts, Classical Crypto, and Binary Operations January 30, 2018 Overview Today: Cryptography concepts and classical crypto Textbook sections 3.1,

More information

CS61A Lecture #39: Cryptography

CS61A Lecture #39: Cryptography Announcements: CS61A Lecture #39: Cryptography Homework 13 is up: due Monday. Homework 14 will be judging the contest. HKN surveys on Friday: 7.5 bonus points for filling out their survey on Friday (yes,

More information

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature Key Management Digital signatures: classical and public key Classic and Public Key exchange 1 Handwritten Signature Used everyday in a letter, on a check, sign a contract A signature on a signed paper

More information

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology Cryptography & Key Exchange Protocols Faculty of Computer Science & Engineering HCMC University of Technology Outline 1 Cryptography-related concepts 2 3 4 5 6 7 Key channel for symmetric cryptosystems

More information

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken 0/41 Alice Who? Authentication Protocols Andreas Zeller/Stephan Neuhaus Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken The Menu 1/41 Simple Authentication Protocols The Menu 1/41 Simple

More information

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification Hossen Asiful Mustafa Introduction Entity Authentication is a technique designed to let one party prove the identity of another

More information

CRYPTOGRAPHY Thursday, April 24,

CRYPTOGRAPHY Thursday, April 24, CRYPTOGRAPHY 1 1. Really Big Numbers 2 One of the things I ve used on the Google is to pull up maps 3 You ve probably used the Google, too! Do you know where this company s strange name comes from? 4 Extract

More information

SECURITY IN NETWORKS

SECURITY IN NETWORKS SECURITY IN NETWORKS GOALS Understand principles of network security: Cryptography and its many uses beyond con dentiality Authentication Message integrity WHAT IS NETWORK SECURITY? Con dentiality: only

More information

Full file at https://fratstock.eu

Full file at https://fratstock.eu Solutions Manual Introduction to Computer Security Version 1.1 M. T. Goodrich and R. Tamassia December 20, 2010 1 Terms of Use This manual contains solutions for selected exercises in the book Introduction

More information

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005 Lecture 30 Security April 11, 2005 Cryptography K A ciphertext Figure 7.3 goes here K B symmetric-key crypto: sender, receiver keys identical public-key crypto: encrypt key public, decrypt key secret Symmetric

More information

Introduction to Cryptography, Helger Lipmaa

Introduction to Cryptography, Helger Lipmaa T-79.159 Cryptography and Data Security Introduction to Cryptography Helger Lipmaa Laboratory for Theoretical Computer Science Helsinki University of Technology helger@tcs.hut.fi http://www.tcs.hut.fi/

More information

CS 332 Computer Networks Security

CS 332 Computer Networks Security CS 332 Computer Networks Security Professor Szajda Last Time We talked about mobility as a matter of context: How is mobility handled as you move around a room? Between rooms in the same building? As your

More information

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III Cryptography III Public-Key Cryptography Digital Signatures 2/1/18 Cryptography III 1 Public Key Cryptography 2/1/18 Cryptography III 2 Key pair Public key: shared with everyone Secret key: kept secret,

More information

Practical Aspects of Modern Cryptography

Practical Aspects of Modern Cryptography Practical Aspects of Modern Cryptography Lecture 3: Symmetric s and Hash Functions Josh Benaloh & Brian LaMacchia Meet Alice and Bob Alice Bob Message Modern Symmetric s Setup: Alice wants to send a private

More information

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L CS 3461/5461: Introduction to Computer Networking and Internet Technologies Network Security Study: 21.1 21.5 Kannan Srinivasan 11-27-2012 Security Attacks, Services and Mechanisms Security Attack: Any

More information

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell 1 Cryptography Merriam-Webster Online Dictionary: 1. secret writing 2. the enciphering and deciphering

More information

Encryption and Forensics/Data Hiding

Encryption and Forensics/Data Hiding Encryption and Forensics/Data Hiding 1 Cryptography Background See: http://www.cacr.math.uwaterloo.ca/hac/ For more information 2 Security Objectives Confidentiality (Secrecy): Prevent/Detect/Deter improper

More information

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class 1.264 Lecture 27 Security protocols Symmetric cryptography Next class: Anderson chapter 10. Exercise due after class 1 Exercise: hotel keys What is the protocol? What attacks are possible? Copy Cut and

More information

A Tour of Classical and Modern Cryptography

A Tour of Classical and Modern Cryptography A Tour of Classical and Modern Cryptography Evan P. Dummit University of Rochester May 25, 2016 Outline Contents of this talk: Overview of cryptography (what cryptography is) Historical cryptography (how

More information

CS Computer Networks 1: Authentication

CS Computer Networks 1: Authentication CS 3251- Computer Networks 1: Authentication Professor Patrick Traynor 4/14/11 Lecture 25 Announcements Homework 3 is due next class. Submit via T-Square or in person. Project 3 has been graded. Scores

More information

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ Chapter 8 Network Security Computer Networking: A Top Down Approach, 5 th edition. Jim Kurose, Keith Ross Addison-Wesley, April 2009.

More information

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL)) Introduction (Mihir Bellare Text/Notes: http://cseweb.ucsd.edu/users/mihir/cse207/) Cryptography provides: Data Privacy Data Integrity and Authenticity Crypto-systems all around us ATM machines Remote

More information

Public Key Algorithms

Public Key Algorithms Public Key Algorithms 1 Public Key Algorithms It is necessary to know some number theory to really understand how and why public key algorithms work Most of the public key algorithms are based on modular

More information

Chapter 9: Key Management

Chapter 9: Key Management Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic Key Infrastructure Storing and Revoking Keys Digital Signatures Slide #9-1 Overview Key exchange Session vs. interchange

More information

Public-key Cryptography: Theory and Practice

Public-key Cryptography: Theory and Practice Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Chapter 1: Overview What is Cryptography? Cryptography is the study of

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Lecture 6 Michael J. Fischer Department of Computer Science Yale University January 27, 2010 Michael J. Fischer CPSC 467b, Lecture 6 1/36 1 Using block ciphers

More information

Introduction to Cryptography, Helger Lipmaa

Introduction to Cryptography, Helger Lipmaa T-79.159 Cryptography and Data Security Introduction to Cryptography Helger Lipmaa Laboratory for Theoretical Computer Science Helsinki University of Technology helger@tcs.hut.fi http://www.tcs.hut.fi/

More information

Computer Networking. What is network security? Chapter 7: Network security. Symmetric key cryptography. The language of cryptography

Computer Networking. What is network security? Chapter 7: Network security. Symmetric key cryptography. The language of cryptography Chapter 7: Network security 15-441 Computer Networking Network Security: Cryptography, Authentication, Integrity Foundations: what is security? cryptography authentication message integrity key distribution

More information

Password. authentication through passwords

Password. authentication through passwords Password authentication through passwords Human beings Short keys; possibly used to generate longer keys Dictionary attack: adversary tries more common keys (easy with a large set of users) Trojan horse

More information

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh Protocols II Computer Security Lecture 12 David Aspinall School of Informatics University of Edinburgh 17th February 2011 Outline Introduction Shared-key Authentication Asymmetric authentication protocols

More information

The Network Security Model. What can an adversary do? Who might Bob and Alice be? Computer Networks 12/2/2009. CSC 257/457 - Fall

The Network Security Model. What can an adversary do? Who might Bob and Alice be? Computer Networks 12/2/2009. CSC 257/457 - Fall The Network Security Model Bob and lice want to communicate securely. Trudy (the adversary) has access to the channel. Kai Shen lice data channel secure sender data, control s secure receiver Bob data

More information

CRYPTOGRAPHY. BY, Ayesha Farhin

CRYPTOGRAPHY. BY, Ayesha Farhin CRYPTOGRAPHY BY, Ayesha Farhin Overview Introduction Types Advantages n Disadvantages Future Developments Bibliography Introduction Cryptography considered as a branch of both mathematics and computer

More information

Computer Communication Networks Network Security

Computer Communication Networks Network Security Computer Communication Networks Network Security ICEN/ICSI 416 Fall 2016 Prof. Dola Saha 1 Network Security Goals: understand principles of network security: cryptography and its many uses beyond confidentiality

More information

CSC 8560 Computer Networks: Network Security

CSC 8560 Computer Networks: Network Security CSC 8560 Computer Networks: Network Security Professor Henry Carter Fall 2017 Last Time We talked about mobility as a matter of context: How is mobility handled as you move around a room? Between rooms

More information

Outline More Security Protocols CS 239 Computer Security February 4, 2004

Outline More Security Protocols CS 239 Computer Security February 4, 2004 Outline More Security Protocols CS 239 Computer Security February 4, 2004 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and Authentication

More information

BS801E-BSCS. Cryptography

BS801E-BSCS. Cryptography Jay-Ar Baliguat BS801E-BSCS Ms.Myrlen Maria Antoni Cryptography Cryptography can be defined as the conversion of data into a scrambled code that can be deciphered and sent across a public or private network.

More information

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key? ryptography Goals Protect private communication in the public world and are shouting messages over a crowded room no one can understand what they are saying 1 Other Uses of ryptography Authentication should

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2017 CS 161 Computer Security Discussion 6 Week of March 6, 2017 Question 1 Password Hashing (10 min) When storing a password p for user u, a website randomly generates a string s (called

More information

1 Identification protocols

1 Identification protocols ISA 562: Information Security, Theory and Practice Lecture 4 1 Identification protocols Now that we know how to authenticate messages using MACs, a natural question is, how can we use MACs to prove that

More information

Classical Cryptography. Thierry Sans

Classical Cryptography. Thierry Sans Classical Cryptography Thierry Sans Example and definitions of a cryptosystem Caesar Cipher - the oldest cryptosystem A shift cipher attributed to Julius Caesar (100-44 BC) MEET ME AFTER THE TOGA PARTY

More information

SECURITY IN NETWORKS 1

SECURITY IN NETWORKS 1 SECURITY IN NETWORKS 1 GOALS Understand principles of network security: Cryptography and its many uses beyond con dentiality Authentication Message integrity 2. 1 WHAT IS NETWORK SECURITY? Con dentiality:

More information

HY-457 Information Systems Security

HY-457 Information Systems Security HY-457 Information Systems Security Recitation 1 Panagiotis Papadopoulos(panpap@csd.uoc.gr) Kostas Solomos (solomos@csd.uoc.gr) 1 Question 1 List and briefly define categories of passive and active network

More information

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018 Computer Security 08. Cryptography Part II Paul Krzyzanowski Rutgers University Spring 2018 March 23, 2018 CS 419 2018 Paul Krzyzanowski 1 Block ciphers Block ciphers encrypt a block of plaintext at a

More information

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions CHAPTER 3 Network Security Solutions to Review Questions and Exercises Review Questions. A nonce is a large random number that is used only once to help distinguish a fresh authentication request from

More information

CS 111. Operating Systems Peter Reiher

CS 111. Operating Systems Peter Reiher Security for Operating Systems: Cryptography, Authentication, and Protecting OS Resources Operating Systems Peter Reiher Page 1 Outline Basic concepts in computer security Design principles for security

More information

Activity Guide - Public Key Cryptography

Activity Guide - Public Key Cryptography Unit 2 Lesson 19 Name(s) Period Date Activity Guide - Public Key Cryptography Introduction This activity is similar to the cups and beans encryption we did in a previous lesson. However, instead of using

More information

ICT 6541 Applied Cryptography. Hossen Asiful Mustafa

ICT 6541 Applied Cryptography. Hossen Asiful Mustafa ICT 6541 Applied Cryptography Hossen Asiful Mustafa Basic Communication Alice talking to Bob Alice Bob 2 Eavesdropping Eve listening the conversation Alice Bob 3 Secure Communication Eve listening the

More information

Cryptography Math/CprE/InfAs 533

Cryptography Math/CprE/InfAs 533 Unit 1 January 10, 2011 1 Cryptography Math/CprE/InfAs 533 Unit 1 January 10, 2011 2 Instructor: Clifford Bergman, Professor of Mathematics Office: 424 Carver Hall Voice: 515 294 8137 fax: 515 294 5454

More information

14. Internet Security (J. Kurose)

14. Internet Security (J. Kurose) 14. Internet Security (J. Kurose) 1 Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice: application layer:

More information

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography Security+ Guide to Network Security Fundamentals, Third Edition Chapter 11 Basic Cryptography Objectives Define cryptography Describe hashing List the basic symmetric cryptographic algorithms 2 Objectives

More information

key distribution requirements for public key algorithms asymmetric (or public) key algorithms

key distribution requirements for public key algorithms asymmetric (or public) key algorithms topics: cis3.2 electronic commerce 24 april 2006 lecture # 22 internet security (part 2) finish from last time: symmetric (single key) and asymmetric (public key) methods different cryptographic systems

More information

Classical Encryption Techniques. CSS 322 Security and Cryptography

Classical Encryption Techniques. CSS 322 Security and Cryptography Classical Encryption Techniques CSS 322 Security and Cryptography Contents Terminology and Models Requirements, Services and Attacks Substitution Ciphers Caesar, Monoalphabetic, Polyalphabetic, One-time

More information

Chapter 3 Traditional Symmetric-Key Ciphers 3.1

Chapter 3 Traditional Symmetric-Key Ciphers 3.1 Chapter 3 Traditional Symmetric-Key Ciphers 3.1 Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 3 Objectives To define the terms and the concepts of symmetric

More information

CS 161 Computer Security

CS 161 Computer Security Popa & Wagner Spring 2016 CS 161 Computer Security Discussion 5 Week of February 19, 2017 Question 1 Diffie Hellman key exchange (15 min) Recall that in a Diffie-Hellman key exchange, there are values

More information

18-642: Cryptography 11/15/ Philip Koopman

18-642: Cryptography 11/15/ Philip Koopman 18-642: Cryptography 11/15/2017 Cryptography Overview Anti-Patterns for Cryptography Using a home-made cryptographic algorithm Using private key when public key is required Not considering key distribution

More information

Chapter 9 Public Key Cryptography. WANG YANG

Chapter 9 Public Key Cryptography. WANG YANG Chapter 9 Public Key Cryptography WANG YANG wyang@njnet.edu.cn Content Introduction RSA Diffie-Hellman Key Exchange Introduction Public Key Cryptography plaintext encryption ciphertext decryption plaintext

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Michael J. Fischer Lecture 4 September 11, 2017 CPSC 467, Lecture 4 1/23 Analyzing Confidentiality of Cryptosystems Secret ballot elections Information protection Adversaries

More information

What did we talk about last time? Public key cryptography A little number theory

What did we talk about last time? Public key cryptography A little number theory Week 4 - Friday What did we talk about last time? Public key cryptography A little number theory If p is prime and a is a positive integer not divisible by p, then: a p 1 1 (mod p) Assume a is positive

More information

Outline More Security Protocols CS 239 Computer Security February 6, 2006

Outline More Security Protocols CS 239 Computer Security February 6, 2006 Outline More Security Protocols CS 239 Computer Security February 6, 2006 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and Authentication

More information

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings Key Exchange References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings Outlines Primitives Root Discrete Logarithm Diffie-Hellman ElGamal Shamir s Three Pass

More information

5. Authentication Contents

5. Authentication Contents Contents 1 / 47 Introduction Password-based Authentication Address-based Authentication Cryptographic Authentication Protocols Eavesdropping and Server Database Reading Trusted Intermediaries Session Key

More information

Cryptography (Overview)

Cryptography (Overview) Cryptography (Overview) Some history Caesar cipher, rot13 substitution ciphers, etc. Enigma (Turing) Modern secret key cryptography DES, AES Public key cryptography RSA, digital signatures Cryptography

More information

SEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security

SEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security SEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security Consider 2. Based on DNS, identified the IP address of www.cuhk.edu.hk is 137.189.11.73. 1. Go to http://www.cuhk.edu.hk 3. Forward the

More information

Assignment 9 / Cryptography

Assignment 9 / Cryptography Assignment 9 / Cryptography Michael Hauser March 2002 Tutor: Mr. Schmidt Course: M.Sc Distributed Systems Engineering Lecturer: Mr. Owens CONTENTS Contents 1 Introduction 3 2 Simple Ciphers 3 2.1 Vignère

More information

Cryptography. How to Protect Your Data

Cryptography. How to Protect Your Data Cryptography How to Protect Your Data Encryption is the act of changing information in such a way that only people who should be allowed to see the data are able to understand what the information is.

More information

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018 CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring 2018 5 and 6 February 2018 Identification schemes are mechanisms for Alice to prove her identity to Bob They comprise a setup

More information