Cryptography. Dr. Ahmad Almulhem. Spring Computer Engineering Department, KFUPM. Ahmad Almulhem - Network Security Engineering / 84

Transcription

1 Cryptography Dr. Ahmad Almulhem Computer Engineering Department, KFUPM Spring 2008 Ahmad Almulhem - Network Security Engineering / 84

2 Outline Cryptography Cryptosystem Attacks Part I Overview Ahmad Almulhem - Network Security Engineering / 84

3 Outline Cryptography Cryptosystem Attacks Outline What is Cryptography? Classical Cryptography - Caesar cipher - Vigénere cipher - DES Public Key Cryptography - Diffie-Hellman - RSA Cryptographic Checksums - HMAC Ahmad Almulhem - Network Security Engineering / 84

4 Outline Cryptography Cryptosystem Attacks Cryptography The word cryptography comes from two Greek words meaning secret writing and is the art and science of concealing meaning Cryptanalysis is the breaking of codes Cryptography is a deep mathematical subject In this course (system design), Cryptography is a tool/mechanism Cryptography provides - Secure communication (cryptographic protocols) - Confidentiality - Integrity - Non-repudiation (verification and trust of signatures) Ahmad Almulhem - Network Security Engineering / 84

5 Outline Cryptography Cryptosystem Attacks Cryptosystem A Cryptosystem is a quintuple (E, D, M, K, C) M set of plaintexts K set of keys C set of ciphertexts E set of encryption functions e : M K C D set of decryption functions d : C K M Example (Caesar cipher) M = { sequences of letters } K = {i i is an integer and 0 i 25} E = {E k k K and for all letters m,e k (m) = (m + k) mod 26} D = {D k k K and for all letters c,d k (c) = (26 + c k) mod 26} C = M Ahmad Almulhem - Network Security Engineering / 84

6 Outline Cryptography Cryptosystem Attacks Basis for Attacks Attacks (Cryptanalysis) Opponent whose goal is to break cryptosystem is the adversary - Assume adversary knows algorithm used, but not key Three types of attacks: - ciphertext only : adversary has only ciphertext; goal is to find plaintext, possibly key - known plaintext: adversary has ciphertext, corresponding plaintext; goal is to find key - chosen plaintext: adversary may supply plaintexts and obtain corresponding ciphertext; goal is to find key Ahmad Almulhem - Network Security Engineering / 84

7 Outline Cryptography Cryptosystem Attacks Basis for Attacks Basis of Cryptanalysis Mathematical attacks - Based on analysis of underlying mathematics Statistical attacks - Make assumptions about the distribution of letters, pairs of letters (digrams), triplets of letters (trigrams), etc. - Called models of the language - Examine ciphertext, correlate properties with the assumptions. Ahmad Almulhem - Network Security Engineering / 84

8 Classical Cryptography Transposition Substitution DES AES Part II Classical Cryptography Ahmad Almulhem - Network Security Engineering / 84

9 Classical Cryptography Transposition Substitution DES AES Classical Cryptography Sender, receiver share common key - Keys may be the same, or trivial to derive from one another - Sometimes called symmetric cryptography, single-key, shared-key, etc. Two basic types - Transposition ciphers - Substitution ciphers - Combinations are called product ciphers Ahmad Almulhem - Network Security Engineering / 84

10 Classical Cryptography Transposition Substitution DES AES Transposition Cipher Attacking Example Transposition Cipher Rearrange letters in plaintext to produce ciphertext Example (Rail-Fence Cipher) Plaintext: HELLO WORLD arrange plaintext as follows: HLOOL ELWRD Ciphertext is HLOOL ELWRD Ahmad Almulhem - Network Security Engineering / 84

11 Classical Cryptography Transposition Substitution DES AES Transposition Cipher Attacking Example Attacking Transposition Ciphers Transposition is a permutation function - Frequency of characters is not changed - Statistical properties are not changed Anagramming Attack - If 1-gram frequencies match English frequencies, but other n-gram frequencies do not, probably transposition - Rearrange letters to form n-grams with highest frequencies English Characters Frequency (Denning 1982) a h n t b i o u c j p v d k q w e l r x f m s y g z Ahmad Almulhem - Network Security Engineering / 84

12 Classical Cryptography Transposition Substitution DES AES Transposition Cipher Attacking Example Example Ciphertext: HLOOLELWRD - Frequencies of 2-grams beginning with H HE HO HL, HW, HR, HD < Frequencies of 2-grams ending in H WH EH, LH, OH, RH, DH Implies E follows H Arrange so the H and E are adjacent HE LL OW OR LD Read off across, then down, to get original plaintext Ahmad Almulhem - Network Security Engineering / 84

13 Classical Cryptography Transposition Substitution DES AES Substitution Ciphers Attacking Substitution Ciphers Attacking Substitution Ciphers Change characters in plaintext to produce ciphertext Example (Caesar cipher) Plaintext is HELLO WORLD (src: Change each letter to the third letter following it (A goes to D, X goes to A, Y to B, Z to C) Key is 3, usually written as letter D Ciphertext is KHOOR ZRUOG Ahmad Almulhem - Network Security Engineering / 84

14 Classical Cryptography Transposition Substitution DES AES Substitution Ciphers Attacking Substitution Ciphers Attacking Attacking Substitution Ciphers Exhaustive search - If the key space is small enough, try all possible keys until you find the right one - Caesar cipher has 26 possible keys Statistical analysis - Compare to 1-gram model of English Ahmad Almulhem - Network Security Engineering / 84

15 Classical Cryptography Transposition Substitution DES AES Substitution Ciphers Attacking Substitution Ciphers Attacking Statistical Attack Compute frequency of each letter in ciphertext (KHOOR ZRUOG): G = 0.1 H = 0.1 K = 0.1 O = 0.3 R = 0.2 U = 0.1 Z = 0.1 Apply 1-gram model of English Character Frequency (Denning 1982) a h n t b i o u c j p v d k q w e l r x f m s y g z Ahmad Almulhem - Network Security Engineering / 84

16 Classical Cryptography Transposition Substitution DES AES Substitution Ciphers Attacking Substitution Ciphers Attacking Statistical Attack (continue) Let φ(i) be a correlation function of the frequency of each letter in ciphertext with the corresponding letter in English, φ(i) = f (c)p(c i) 0 c 25 - i is the key - f (c) is the frequency of character c in ciphertext - p(x) is the frequency of character x in English For our ciphertext (KHOOR ZRUOG): φ(i) = 0.1p(6 i) + 0.1p(7 i) + 0.1p(10 i) + 0.3p(14 i) + 0.2p(17 i) + 0.1p(20 i) + 0.1p(25 i) Ahmad Almulhem - Network Security Engineering / 84

17 Classical Cryptography Transposition Substitution DES AES Substitution Ciphers Attacking Substitution Ciphers Attacking Statistical Attack (continue) Correlation: φ(i) for 0 i 25 i φ(i) i φ(i) i φ(i) i φ(i) Most probable keys, based on φ: - φ(6) = plaintext: EBIIL TLOLA - φ(10) = plaintext AXEEH PHKEW - φ(3) = plaintext HELLO WORLD - φ(14) = plaintext WTAAD LDGAS) The only English phrase is for i = 3 (key = 3 or D ) Results have to checked; statistcal attacks only reduce search space Ahmad Almulhem - Network Security Engineering / 84

18 Classical Cryptography Transposition Substitution DES AES Substitution Ciphers Attacking Substitution Ciphers Attacking Caesar s Problem Key is too short - Can be found by exhaustive search - Statistical frequencies not concealed well - They look too much like regular English letters Solution: make the key longer - Multiple letters in key - Idea is to smooth the statistical frequencies to make cryptanalysis harder Ahmad Almulhem - Network Security Engineering / 84

19 Classical Cryptography Transposition Substitution DES AES Substitution Ciphers Attacking Substitution Ciphers Attacking Vigénere Cipher Like Caesar cipher, but use a phrase Example - Message: THE BOY HAS THE BALL - Key: VIG - Encipher using Caesar cipher for each letter: key: plain: cipher: VIGVIGVIGVIGVIGV THEBOYHASTHEBALL OPKWWECIYOPKWIRG Relevant Parts of Tableau G I V A G I V B H J W E L M Z H N P C L R T G O U W J S Y A N T Z B O Y E H T Ahmad Almulhem - Network Security Engineering / 84

20 Classical Cryptography Transposition Substitution DES AES Substitution Ciphers Attacking Substitution Ciphers Attacking The Vigenére tableau (src: Ahmad Almulhem - Network Security Engineering / 84

21 Classical Cryptography Transposition Substitution DES AES Substitution Ciphers Attacking Substitution Ciphers Attacking Vigénere Cipher: Useful Terms The period: length of key - In above example, period is 3 The tableau: table used to encipher and decipher - Vigénere cipher has key letters on top, plaintext letters on the left polyalphabetic cipher: the key maps to several different letters - Caesar cipher is monoalphabetic Ahmad Almulhem - Network Security Engineering / 84

22 Classical Cryptography Transposition Substitution DES AES Substitution Ciphers Attacking Substitution Ciphers Attacking Attacking The Vigenére Cipher The Vigenére Cipher can be broken using the following steps: 1 Find the period (key length); call it n 2 Break ciphertext into n parts - Each part is enciphered using the same key letter (Caesar cipher) 3 Solve each part as a Caesar cipher! Ahmad Almulhem - Network Security Engineering / 84

23 Classical Cryptography Transposition Substitution DES AES Substitution Ciphers Attacking Substitution Ciphers Attacking Attacking The Vigenére Cipher Finding the Period : Method 1 Kasiski Test: repetitions in the ciphertext occur when characters of the key appear over the same characters in the plaintext. Example key: VIGVIGVIGVIGVIGV plain: THEBOYHASTHEBALL cipher: OPKWWECIYOPKWIRG distance: the key and plaintext line up over the repetitions (red) - distance between repetitions is 9 - the period is a factor of 9 (that is, 1, 3, or 9) Ahmad Almulhem - Network Security Engineering / 84

24 Classical Cryptography Transposition Substitution DES AES Substitution Ciphers Attacking Substitution Ciphers Attacking Attacking The Vigenére Cipher Finding the Period : Method 2 Compute Index of Coincidence (IC) 0 i n IC = F i(f i 1) n(n 1) - n is length of ciphertext - F i the number of times character i occurs in ciphertext Meaning: The probability that two randomly chosen letters from ciphertext will be the same. For English language: Period Large Expected IC Ahmad Almulhem - Network Security Engineering / 84

25 Classical Cryptography Transposition Substitution DES AES Substitution Ciphers Attacking Substitution Ciphers Attacking One-Time Pad A Vigenre cipher with a random key at least as long as the message Provably unbreakable - Why? Look at ciphertext DXQR. Equally likely to correspond to plaintext DOIT (key AJIY) and to plaintext DONT (key AJDY) and any other 4 letters Warning: keys must be random, or you can attack the cipher by trying to regenerate the key! - Approximations, such as using pseudorandom number generators to generate keys, are not random Ahmad Almulhem - Network Security Engineering / 84

26 Classical Cryptography Transposition Substitution DES AES Overview Details Avalanche Effect Modes Controversy Data Encryption Standard (DES) Most widely used block cipher in world Adopted in 1977 by NBS (now NIST) - as FIPS PUB 46 Encrypts 64-bit data using 56-bit key Has widespread use Has been considerable controversy over its security Ahmad Almulhem - Network Security Engineering / 84

27 Classical Cryptography Transposition Substitution DES AES Overview Details Avalanche Effect Modes Controversy DES History IBM developed Lucifer cipher - by team led by Feistel in late 60s - used 64-bit data blocks with 128-bit key then redeveloped as a commercial cipher with input from NSA and others in 1973 NBS issued request for proposals for a national cipher standard IBM submitted their revised Lucifer which was eventually accepted as the DES Ahmad Almulhem - Network Security Engineering / 84

28 Classical Cryptography Transposition Substitution DES AES Overview Details Avalanche Effect Modes Controversy Data Encryption Standard (DES) A block cipher: - encrypts blocks of 64 bits using a 64 bit key - outputs 64 bits of ciphertext A product cipher - basic unit is the bit - performs both substitution and transposition (permutation) on the bits Cipher consists of 16 rounds (iterations) each with a round key generated from the user-supplied key Ahmad Almulhem - Network Security Engineering / 84

29 Classical Cryptography Transposition Substitution DES AES Overview Details Avalanche Effect Modes Controversy DES Structure 16 identical stages (rounds) Initial permutation (IP) and final permutation (FP); FP = IP 1 (no cryptography significance, easier interface, make DES run slower in software) In each round, the block is divided into two 32-bit halves This criss-crossing is known as the Feistel scheme (decryption and encryption are similar) For decryption, subkeys are applied in the reverse order Ahmad Almulhem - Network Security Engineering / 84

30 Classical Cryptography Transposition Substitution DES AES Overview Details Avalanche Effect Modes Controversy DES: The Feistel (F) function 1 Expansion (E-Box): (duplicating some bits) 2 Key mixing: XOR result with round key 3 Substitution (S-Box): 6bits 4bits (nonlinear lookup table) 4 Permutation (P-Box) Ahmad Almulhem - Network Security Engineering / 84

31 Classical Cryptography Transposition Substitution DES AES Overview Details Avalanche Effect Modes Controversy DES: Generating Round Keys Permuted Choice 1 (PC-1): 56 bits (out of 64 bits) are permuted Remaining 8 bits are discarded or used as parity check The 56 bits are divided into two 28-bit halves Both halves are rotated left by one or two bits Permuted Choice 2 (PC-2): 48-bits subkey (24 from the left half, and 24 from the right) Each bit is used in approximately 14 out of the 16 subkeys Ahmad Almulhem - Network Security Engineering / 84

32 Classical Cryptography Transposition Substitution DES AES Overview Details Avalanche Effect Modes Controversy DES: Avalanche Effect (Stallings 2003) DES has a strong Avalanche Effect Two plaintext differing by one bit One key One plaintext Two keys differing by one bit round bits differ round bits differ Ahmad Almulhem - Network Security Engineering / 84

33 Classical Cryptography Transposition Substitution DES AES Overview Details Avalanche Effect Modes Controversy DES Modes Electronic Code Book Mode (ECB) - Encipher each block independently Cipher Block Chaining Mode (CBC) - Xor each block with previous ciphertext block - Requires an initialization vector for the first one Encrypt-Decrypt-Encrypt Mode (2 keys: k,k ) - c = DES k (DES 1 k (DES k(m))) Encrypt-Encrypt-Encrypt Mode (3 keys: k,k,k ) - c = DES k (DES k (DES k (m))) Ahmad Almulhem - Network Security Engineering / 84

34 Classical Cryptography Transposition Substitution DES AES Overview Details Avalanche Effect Modes Controversy CBC Mode Encryption Ahmad Almulhem - Network Security Engineering / 84

35 Classical Cryptography Transposition Substitution DES AES Overview Details Avalanche Effect Modes Controversy CBC Mode Decryption Ahmad Almulhem - Network Security Engineering / 84

36 Classical Cryptography Transposition Substitution DES AES Overview Details Avalanche Effect Modes Controversy DES: Controversy in 1976, Diffie, Hellman said in a few years technology would allow DES to be broken in days Key Size: 56-bit (2 56 = possible keys) - performing 1 encryption per µs requires 1142 years! - Recent advances made brute force attack possible - In 1997, using idle cycles of thousands of computers across the Internet - In 1998 a DES cracker was built by the EFF for (cost: $250K). The machine brute-forced DES in less than 3 days - In 2007, the COPACOBANA machine (cost: $10K) brute-forced DES keys in less than a week Design decisions not public - S-boxes may have backdoors Ahmad Almulhem - Network Security Engineering / 84

37 Classical Cryptography Transposition Substitution DES AES Overview Animation The AES Cipher - Rijndael Designed by Rijmen-Daemen in Belgium Has 128/192/256 bit keys, 128 bit data An iterative rather than feistel cipher processes data as block of 4 columns of 4 bytes operates on entire data block in every round Designed to be: resistant against known attacks speed and code compactness on many CPUs design simplicity Ahmad Almulhem - Network Security Engineering / 84

38 Classical Cryptography Transposition Substitution DES AES Overview Animation AES History A replacement for DES was needed Several theoretical attacks were discovered Brute force attacks becomes feasible Triple-DES is slow and has small blocks US NIST issued call for replacement cipher in candidates accepted in Jun 98 5 were shortlisted in Aug-99 Rijndael was selected as the AES in Oct-2000 Issued as an FIPS PUB 197 standard in Nov-2001 Ahmad Almulhem - Network Security Engineering / 84

39 Classical Cryptography Transposition Substitution DES AES Overview Animation AES Animation Ahmad Almulhem - Network Security Engineering / 84

40 Public Key Cryptography RSA Part III Public Key Cryptography Ahmad Almulhem - Network Security Engineering / 84

41 Public Key Cryptography RSA Overview Requirements Applications Public Key Cryptography Two keys: - private key known only to individual - public key available to anyone The two keys are linked mathematically, such that - knowing the public key tells you nothing about the private one - private key unlock messages encrypted by public key Examples: - RSA - elliptic curve cryptography Ahmad Almulhem - Network Security Engineering / 84

42 Public Key Cryptography RSA Overview Requirements Applications Public Key Cryptography Introduced by Diffie and Hellman (Stanford Univ) in 1976 (W. Diffie and M. Hellman, New directions in cryptography, IEEE Trans. on Information Theory, vol.22, no.6, Nov 1976) Known earlier in classified community (James Ellis, British Gov.) Probably most significant advance in the 3000 year history of cryptography Uses clever application of Number Theory concepts Complements rather than replaces private key cryptography Ahmad Almulhem - Network Security Engineering / 84

43 Public Key Cryptography RSA Overview Requirements Applications Requirements 1 It must be computationally easy to encipher or decipher a message given the appropriate key 2 It must be computationally infeasible to derive the private key from the public key 3 It must be computationally infeasible to determine the private key from a chosen plaintext attack Ahmad Almulhem - Network Security Engineering / 84

44 Public Key Cryptography RSA Overview Requirements Applications Applications Confidentiality: encipher using public key, decipher using private key Integrity/authentication: encipher using private key, decipher using public one - Modifyed ciphertext can not be deciphered - Digital signatures - Non-Repudiation Key exchange (of session keys) Ahmad Almulhem - Network Security Engineering / 84

45 Public Key Cryptography RSA Overview Background Algorithm Example Strength RSA Developed by Rivest, Shamir and Adelman (MIT) in 1977 Exponentiation cipher Relies on the difficulty of determining the number of numbers relatively prime to a large integer n Ahmad Almulhem - Network Security Engineering / 84

46 Public Key Cryptography RSA Overview Background Algorithm Example Strength Background Definition (totient function φ(n)) Number of positive integers less than n and relatively prime to n - relatively prime means with no factors in common with n - if p is a prime number then φ(p) = p 1 Example 1 φ(10) = 4 1, 3, 7, 9 are relatively prime to 10 2 φ(21) = 12 1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20 are relatively prime to 21 3 φ(11) = 10 all numbers from 1 to 10 are relatively prime to 11 Ahmad Almulhem - Network Security Engineering / 84

47 Public Key Cryptography RSA Overview Background Algorithm Example Strength Algorithm Choose two large prime numbers p and q Let n = p q; then φ(n) = (p 1)(q 1) Choose e < n such that e is relatively prime to φ(n) Compute d such that e d mod φ(n) = 1 Public key: (e, n) Private key: d Encipher: c = m e mod n Decipher: m = c d mod n Ahmad Almulhem - Network Security Engineering / 84

48 Public Key Cryptography RSA Overview Background Algorithm Example Strength Example (Encryption) Take p = 7, q = 11, so n = 77 and φ(n) = 60 Alice chooses e = 17, making d = 53 - e d = = 901 mod 60 = 1 Bob wants to send Alice secret message HELLO ( ) E(07) = mod 77 = 28 E(04) = mod 77 = 16 E(11) = mod 77 = 44 E(11) = mod 77 = 44 E(14) = mod 77 = 42 Bob sends Ahmad Almulhem - Network Security Engineering / 84

49 Public Key Cryptography RSA Overview Background Algorithm Example Strength Example (Decryption) Alice receives Alice uses private key, d = 53, to decrypt message: D(28) = mod 77 = 07 D(16) = mod 77 = 04 D(44) = mod 77 = 11 D(44) = mod 77 = 11 D(42) = mod 77 = 14 Alice translates message to letters to read HELLO - No one else could read it, as only Alice knows her private key and that is needed for decryption Ahmad Almulhem - Network Security Engineering / 84

50 Public Key Cryptography RSA Overview Background Algorithm Example Strength RSA Security Factoring the modulus n into p and q is a hard problem - primes should be at least of 512 bits (155 digits) - n 1024-bit is safe for medium term security - n 2048-bit is better for long term security Block size has to be large - Encyphering 1 character per block cause RSA to be broken like classical substitution ciphers - Attacker may rearrange block and alter message meaning (ON NO) The use of very large numbers makes it slow Ahmad Almulhem - Network Security Engineering / 84

51 Cryptographic Checksums Summary Part IV Cryptographic Checksums Ahmad Almulhem - Network Security Engineering / 84

52 Cryptographic Checksums Summary Example Definition Collisions Keys Cryptographic Checksums Data integrity Mathematical function to generate a set of k bits from a set of n bits (where k n). k is smaller than n except in unusual circumstances The smaller set is called the checksum or message digest Receiver recomputes the checksum to check the message integrity Ahmad Almulhem - Network Security Engineering / 84

53 Cryptographic Checksums Summary Example Definition Collisions Keys Example Example: ASCII parity bit ASCII has 7 bits; 8th bit is parity Even parity: even number of 1 bits Odd parity: odd number of 1 bits Bob receives as bits. If Sender is using even parity; 6 1 bits received, so character was received correctly Note: could be garbled, but 2 bits would need to have been changed to preserve parity If Sender is using odd parity; even number of 1 bits received, so character was not received correctly Ahmad Almulhem - Network Security Engineering / 84

54 Cryptographic Checksums Summary Example Definition Collisions Keys Definition A Cryptographic checksum function h : A B is a function that has the following properties: 1 For any x A, h(x) is easy to compute 2 For any y B, it is computationally infeasible to find x A such that h(x) = y 3 It is computationally infeasible to find two inputs x,x A such that x x and h(x) = h(x ) 4 Alternate form (stronger): Given any x A, it is computationally infeasible to find a different x A such that h(x) = h(x ). Ahmad Almulhem - Network Security Engineering / 84

55 Cryptographic Checksums Summary Example Definition Collisions Keys Collisions Checksum has fewer bits several messages produce same checksum! If x x and h(x) = h(x ), x and x are a collision Good checksum functions produce same number of messages per checksum Definition (Pigeonhole principle) Pigeonhole principle: if there are n containers for n + 1 objects, then at least one container will have 2 objects in it. Application: if there are 32 files and 8 possible cryptographic checksum values, at least one value corresponds to at least 4 files Ahmad Almulhem - Network Security Engineering / 84

56 Cryptographic Checksums Summary Example Definition Collisions Keys Using Keys 1 Keyed cryptographic checksum: requires cryptographic key DES in chaining mode: encipher message, send last n bits. Requires a key to encipher, so it is a keyed cryptographic checksum. 2 Keyless cryptographic checksum: requires no cryptographic key MD5 and SHA-1 are best known; others include MD4, HAVAL, and Snefru Ahmad Almulhem - Network Security Engineering / 84

57 Cryptographic Checksums Summary Summary Two main types of cryptosystems: classical and public key Classical cryptosystems encipher and decipher using the same key - Or one key is easily derived from the other Public key cryptosystems encipher and decipher using different keys - Computationally infeasible to derive one from the other Cryptographic checksums provide a check on integrity Ahmad Almulhem - Network Security Engineering / 84

58 Overview Key Distribution Key Exchange Protocols PKI Part V Network and Cryptography Ahmad Almulhem - Network Security Engineering / 84

59 Overview Key Distribution Key Exchange Protocols PKI Network and Cryptography Problems Network and Cryptography Cryptography provides the cornerstone for secure communication Encryption algorithms and protocols are valuable components/tools Using cryptosystems over a network introduces many problems! Cryptography is sensitive to environment Using cipher requires knowledge of environment, and threats in the environment, in which cipher will be used Is the set of possible messages small? Do the messages exhibit regularities that remain after encipherment? Can an active wiretapper rearrange or change parts of the message? Ahmad Almulhem - Network Security Engineering / 84

60 Overview Key Distribution Key Exchange Protocols PKI Network and Cryptography Problems Attack 1: Precomputation Set of possible messages M small Public key cipher f used Idea: precompute set of possible ciphertexts f (M), build table (m,f (m)) When ciphertext f (m) appears, use table to find m Also called forward searches Ahmad Almulhem - Network Security Engineering / 84

61 Overview Key Distribution Key Exchange Protocols PKI Network and Cryptography Problems Attack 1: Precomputation (Example) Cathy knows Alice will send Bob one of two messages: {BUY, SELL} Using public key e Bob, Cathy precomputes c 1 = {BUY, e Bob } c 2 = {SELL, e Bob } Cathy sees Alice send Bob c 2 Cathy knows Alice sent SELL Ahmad Almulhem - Network Security Engineering / 84

62 Overview Key Distribution Key Exchange Protocols PKI Network and Cryptography Problems Attack 2: Misordered Blocks Alice sends Bob message n Bob = 77, e Bob = 17, d Bob = 53 Message is LIVE ( ) Enciphered message is Eve intercepts it, rearranges blocks Now enciphered message is Bob gets enciphered message, deciphers it He sees EVIL Ahmad Almulhem - Network Security Engineering / 84

63 Overview Key Distribution Key Exchange Protocols PKI Network and Cryptography Problems Attack 3: Statistical Regularities If plaintext repeats, ciphertext may too Example using DES: input (in hex): corresponding output (in hex): ef7c 4bb2 b4ce 6f3b ef7c 4bb2 b4ce 6f3b Fix: cascade blocks together (chaining) Ahmad Almulhem - Network Security Engineering / 84

64 Overview Key Distribution Key Exchange Protocols PKI Overview Key Distribution Problem Algorithm like DES, Rijndael requires a shared a key! Bootstrap problem: how do Alice and Bob begin? Alice can t send the key to Bob in the clear! Key Types Interchange Keys : associated with user - long-term - compromising is catastrophic Session Keys : associated with communication - short-term - compromising does not affect long-term security Ahmad Almulhem - Network Security Engineering / 84

65 Overview Key Distribution Key Exchange Protocols PKI Overview Key Distribution Problem Possible Solutions: 1. Physical Distribution: : - use a trusted courier (secure channel) - used widely until 1970s 2. Distribution Protocol: : - assume a trusted 3rd party 3. Public Key Cryptography: : - most widely used technique Ahmad Almulhem - Network Security Engineering / 84

66 Overview Key Distribution Key Exchange Protocols PKI Overview Key Distribution Problem For n users, n(n 1) 2 keys! students, 50 million keys! How do you manage them? What if compromised?! Ahmad Almulhem - Network Security Engineering / 84

67 Overview Key Distribution Key Exchange Protocols PKI Overview Key Distribution Problem For n users, n(n 1) 2 keys! students, 50 million keys! How do you manage them? What if compromised?! For n users, n keys For students, keys Session keys generated as needed Needs protocol and trusted server Ahmad Almulhem - Network Security Engineering / 84

68 Overview Key Distribution Key Exchange Protocols PKI Background Simple Protocol Needham-Schroeder Public Key Key Exchange Protocols Assumptions Alice and Bob can not send the key in the clear Alice and Bob trust a 3rd part Cathy Alice and Bob already have keys with Cathy Cryptosystem and protocol are public; keys are secret Attacker is the network! Possible attacks: eavesdropping, replay, modification, masquerading Ahmad Almulhem - Network Security Engineering / 84

69 Overview Key Distribution Key Exchange Protocols PKI Background Simple Protocol Needham-Schroeder Public Key Notations Notation (Alice-Bob) A B : {M}K A sends to B a message M encrypted with key K A B : {M N a }K ab {T a }K bs communicating parties: A, B, S message: M concatenation: nonces (number used once; random): N a, N b,... timestamps: T a, T b,... shared keys: K ab, K bs Ahmad Almulhem - Network Security Engineering / 84

70 Overview Key Distribution Key Exchange Protocols PKI Background Simple Protocol Needham-Schroeder Public Key Simple Protocol (Schneier 96) Steps 1 A C : {B}K ac 2 C A : {K ab }K ac {K ab }K bc 3 A B : {K ab }K bc Ahmad Almulhem - Network Security Engineering / 84

71 Overview Key Distribution Key Exchange Protocols PKI Background Simple Protocol Needham-Schroeder Public Key Simple Protocol (Schneier 96) Steps 1 A C : {B}K ac 2 C A : {K ab }K ac {K ab }K bc 3 A B : {K ab }K bc Problems How does Bob know he is talking to Alice? Replay attack (3,msg) msg = deposit $500 in my account Ahmad Almulhem - Network Security Engineering / 84

72 Overview Key Distribution Key Exchange Protocols PKI Background Simple Protocol Needham-Schroeder Public Key Needham-Schroeder Protocol (Needham-Schroeder 78) Steps : 1 A C : {A B N a} 2 C A : {A B N a K ab {A K ab }K bc }K ac 3 A B : {A K ab }K bc 4 B A : {N b }K ab 5 A B : {N b 1}K ab Ahmad Almulhem - Network Security Engineering / 84

73 Overview Key Distribution Key Exchange Protocols PKI Background Simple Protocol Needham-Schroeder Public Key Needham-Schroeder Protocol (Needham-Schroeder 78) Steps : 1 A C : {A B N a} 2 C A : {A B N a K ab {A K ab }K bc }K ac 3 A B : {A K ab }K bc 4 B A : {N b }K ab 5 A B : {N b 1}K ab Argument: Alice talking to Bob Second message: Enciphered using key only she and Cathy knows (So Cathy enciphered it) Response to first message (N a in it matches N a in first message) Third message: Alice knows only Bob can read it (only Bob can derive session key from message) Any messages enciphered with that key are from Bob Ahmad Almulhem - Network Security Engineering / 84

74 Overview Key Distribution Key Exchange Protocols PKI Background Simple Protocol Needham-Schroeder Public Key Needham-Schroeder Protocol (Needham-Schroeder 78) Steps : 1 A C : {A B N a} 2 C A : {A B N a K ab {A K ab }K bc }K ac 3 A B : {A K ab }K bc 4 B A : {N b }K ab 5 A B : {N b 1}K ab Argument: Bob talking to Alice Third message: Enciphered using key only he and Cathy knows (So Cathy enciphered it) Cathy provided session key and says Alice is other party Fourth & Fifth message: Uses session key to determine if it is replay from Eve If not, Alice will respond correctly in fifth message If so, Eve cant decipher N b and so cant respond, or responds incorrectly Ahmad Almulhem - Network Security Engineering / 84

75 Overview Key Distribution Key Exchange Protocols PKI Background Simple Protocol Needham-Schroeder Public Key Needham-Schroeder Protocol (Needham-Schroeder 78) Steps : 1 A C : {A B N a} 2 C A : {A B N a K ab {A K ab }K bc }K ac 3 A B : {A K ab }K bc 4 B A : {N b }K ab 5 A B : {N b 1}K ab Discussion Prevent eavesdropping, replay, modification, masquerading Fails if the session key (K ab ) is compromised! Eve can replay the last 3 messages Eve can pretend to be Alice Variations: use timestamps (Denning and Sacco 81) use an identification-number (Ottway-Rees 87) Ahmad Almulhem - Network Security Engineering / 84

76 Overview Key Distribution Key Exchange Protocols PKI Background Simple Protocol Needham-Schroeder Public Key Needham-Schroeder Protocol + Timestamps (Denning and Sacco 81) Steps : 1 A C : {A B N a} 2 C A : {A B N a K ab {A T K ab }K bc }K ac 3 A B : {A T K ab }K bc 4 B A : {N b }K ab 5 A B : {N b 1}K ab Discussion Adding timestamps prevent replaying old session keys Needs clock synchronization! may either reject valid messages or accept replays Forms the basis for Kerberos protocol (MIT, RFC 4120) Used by MS Window OS Ahmad Almulhem - Network Security Engineering / 84

77 Overview Key Distribution Key Exchange Protocols PKI Background Simple Protocol Needham-Schroeder Public Key Exchanging Keys with Public Cryptograpgy Available Keys: E a, E b Alice and Bob s public keys known to all D a, D b Alice and Bob s private keys known only to owner Simple Protocol (version 1) - Alice and Bob exchange session key K ab {K ab }E b Ahmad Almulhem - Network Security Engineering / 84

78 Overview Key Distribution Key Exchange Protocols PKI Background Simple Protocol Needham-Schroeder Public Key Exchanging Keys with Public-Key Cryptography Problem: Vulnerable to forgery or replay Because E b known to anyone, Bob has no assurance that Alice sent message Simple fix uses Alice s private key Simple Protocol (version 2) - Alice and Bob exchange session key K ab {{K ab }D a}e b Ahmad Almulhem - Network Security Engineering / 84

79 Overview Key Distribution Key Exchange Protocols PKI Background Simple Protocol Needham-Schroeder Public Key Exchanging Keys with Public-Key Cryptography Cautions: Assumes Bob has Alice s public key, and vice versa If not, each must get it from public server If keys not bound to identity of owner, attacker Eve can launch a man-in-the-middle attack (see below) Solution to this (binding identity to keys) discussed later as public key infrastructure (PKI) Man-in-the-middle Attack 1 Alice Cathy: {send Bob s public key} [intercepted by Eve] 2 Eve Cathy: {send Bob s public key} 3 Cathy Eve: E b 4 Eve Alice: E e 5 Alice Bob: {K ab }E e [intercepted by Eve] 6 Eve Bob: {K ab }E b Ahmad Almulhem - Network Security Engineering / 84

80 Overview Key Distribution Key Exchange Protocols PKI Certificates X.509 Hierarchy PGP Applications Digital Certificates Goal: Binding identity (Alice) to public key Create token (message) containing Identity of principal (here, Alice) Corresponding public key Timestamp (when issued) Other information (perhaps identity of signer) Sign it with the public key of trusted authority (here, Cathy) Simple Certificate C a = {Alice E a T }E c Ahmad Almulhem - Network Security Engineering / 84

81 Overview Key Distribution Key Exchange Protocols PKI Certificates X.509 Hierarchy PGP Applications X.509 Certificates Issued by a Certification Authority (CA), containing: version (1, 2, or 3) serial number (unique within CA) identifying certificate signature algorithm identifier issuer X.500 name (CA) period of validity (from - to dates) subject X.500 name (name of owner) subject public-key info (algorithm, parameters, key) issuer unique identifier (v2+) subject unique identifier (v2+) extension fields (v3) signature (of hash of all fields in certificate) Notation CA<<A>> denotes certificate for A signed by CA Ahmad Almulhem - Network Security Engineering / 84

82 Overview Key Distribution Key Exchange Protocols PKI Certificates X.509 Hierarchy PGP Applications Using Digital Certificates The (Certificate Authority) CA owns a public key and a private key The CA s public key is put in a self-signed certificate that is distributed through many channels (e.g embedded in browser) The CA use its private key to sign certificates containing identity and corresponding public key of requesters after verifying their identities Certificates are made available in public databases or exchanged online Ahmad Almulhem - Network Security Engineering / 84

83 Overview Key Distribution Key Exchange Protocols PKI Certificates X.509 Hierarchy PGP Applications Communicating with Certificates Both Alice and Bob have the CA self-signed certificate (obtained through off-line means) When Alice wants to send a message to Bob She retrieves Bob s certificate from a public database She verifies the CAs signature on Bobs certificate She extracts Bob s public key She uses the Bob s public key and her own secret key to encrypt the message Self-signed (root) certificates Ahmad Almulhem - Network Security Engineering / 84

84 Overview Key Distribution Key Exchange Protocols PKI Certificates X.509 Hierarchy PGP Applications Certificate Hierarchy If both users share a common CA then they are assumed to know its public key Otherwise CA s must form a hierarchy Use certificates linking members of hierarchy to validate other CA s (cross-certify) Each CA has certificates for clients (forward) and parent (backward) Each client trusts parents certificates Enable verification of any certificate from one CA by users of all other CAs in hierarchy Ahmad Almulhem - Network Security Engineering / 84

85 Overview Key Distribution Key Exchange Protocols PKI Certificates X.509 Hierarchy PGP Applications Certificate Hierarchy A establish a certificate path to B: X<<W>>W<<V>>V<<Y>>Y<<Z>>Z<<B>> B establish a certificate path to A: Z<<Y>>Y<<V>>V<<W>>W<<X>>X<<A>> Ahmad Almulhem - Network Security Engineering / 84

86 Overview Key Distribution Key Exchange Protocols PKI Certificates X.509 Hierarchy PGP Applications Pretty Good Privacy (PGP) Created by Philip Zimmermann in communications Use a bottom-up approach; instead of a top-down PKI Each user acts as a CA A certificate is composed of: One public key packet Zero or more signature packets Forms a web of trust among users Ahmad Almulhem - Network Security Engineering / 84

87 Overview Key Distribution Key Exchange Protocols PKI Certificates X.509 Hierarchy PGP Applications Other Applications Transport Layer Security (TLS/SSL) HTTPS SSH IPsec Ahmad Almulhem - Network Security Engineering / 84