Summary. Final Week. CNT-4403: 21.April

Transcription

1 Summary Final Week CNT-4403: 21.April

2 List of Final Topics User Authentication Protocols Key Distribution and Public Key Certificates Symmetric Key Crypto Access Control Public Key Crypto Cryptographic Data Integrity CNT-4403: 21.April

3 Using Symmetric Keys 1 1 Exchange keys Authenticate Alice Bob B Assume T shares a key with A (K A ) and B (K B ) Trent T (Host) E A (M) :encryption with key shared by A and T CNT-4403: 21.April

4 Wide-Mouth Frog Simplest Authentication/Key Exchange 5 E K (M) 1 Alice Generate random K 2 A, E A (T A,B,K) 4 E B (T T,A,K) Bob B Trent T (Host) 3 Decrypt message using K A CNT-4403: 21.April

5 Yahalom Equal? 1 A, R A Alice 4 E A (B, K, R A, R B ) 5 E B (A,K), E K (R B ) Bob B 4 E B (A,K) 2 B, E B (A, R A, R B ) Equal? Assume T shares a key with A (K A ) and B (K B ) Trent T (Host) 3 Generate random K CNT-4403: 21.April

6 Needham-Schroeder 4 Extract key K 5 E B (K,A) 6 Extract key K 8 E K (R B ) Alice 1 A, B, R A 9 E K (R B -1) 7 Bob B Generate random R B 3 E A (R A, B, K, E B (K,A)) Match? Equal? Trent T (Host) 2 Generate random K CNT-4403: 21.April

7 Kerberos - Simplified Kerberos 5: Variant of Needham-Schroeder 6 E K (A,T), E B (T,L,K,A) Alice 7 E K (T+1) Bob B 1 A, B 5 E A (T,L,K,B), E B (T,L,K,A) 2 Generate timestamp T 4 Generate random K Trent T (Host) 3 Generate lifetime L CNT-4403: 21.April

8 List of Final Topics User Authentication Protocols Key Distribution and Public Key Certificates Symmetric Key Crypto Access Control Public Key Crypto Cryptographic Data Integrity CNT-4403: 21.April

9 Multiple Encryption and DES Uses 56-bit keys to encrypt 64 bit blocks Differential cryptanalysis O(2 47 ) encryptions Linear cryptanalysis O(2 43 ) encryptions Can we make DES withstand attacks without changing its structure? Yes! CNT-4403: 21.April

10 Double DES 2 DES with keys K 1 and K 2 : C = E K2 (E K1 (P)) K 1 K 2 P DES Encrypt X DES Encrypt C K2 K 1 DES Decrypt DES Decrypt C X P CNT-4403: 21.April

11 2 DES: Meet-in-the-Middle 2 DES uses two keys: 56+56=112 bits Is the strength 2 56 of DES? NO!!!! Given P and C Encrypt P for all possible 2 56 values of K 1 Store in table T: pairs (K 1, E K1 (P)) Decrypt C for all possible 2 56 values of K 2 Search D K2 (C) in table T Success when E K1 (P) = D K2 (C) Attack takes O(2 56 ) steps similar to DES CNT-4403: 21.April

12 Modes of Operation Block ciphers encrypt fixed size blocks DES encrypts 64-bit blocks with 56-bit key Need to encrypt and decrypt arbitrary amounts of data in practice NIST SP A defines 5 modes Electronic Code Book: ECB Cipher Block Chaining: CBC Cipher Feedback: CFB Output Feedback: OFB Counter Mode: CTR Can be used with any block cipher CNT-4403: 21.April

13 Electronic Code Book (ECB) Split message into blocks of length b (e.g., 64 bits) Use the same key to encrypt each block Each block is mapped into a unique value like a codebook P 1 P s K DES Encrypt (s blocks) K DES Encrypt C 1 C s CNT-4403: 21.April

14 ECB Decryption C 1 C s K DES Decrypt K (s blocks) DES Decrypt P 1 P s Weakness due to independent encryptions Same bit repeated each b positions Main use is sending a few blocks of data E.g., shared keys CNT-4403: 21.April

15 Cipher Block Chaining (CBC) Use Initial Vector (IV) to start process Chain current cipher block into next encryption IV P 1 P 2 (s blocks) K DES Encrypt K DES Encrypt C 1 C 2 C 1 CNT-4403: 21.April

16 CBC: Decryption C 1 C 2 C 1 (s blocks) K DES Decrypt K DES Decrypt IV P 1 P 2 CNT-4403: 21.April

17 Cipher Feedback Mode (CFB) Message is treated as a stream of bits Take s bits at a time; s<b K IV (b bits) DES Encrypt K IV Shift s bits DES Encrypt (so on) s bits Discard s bits Discard P 1 (s) P 2 (s) C 1 C 2 CNT-4403: 21.April

18 Counter Mode (CTR) b is block size Counter 1 Counter 2 K Encrypt K Encrypt (so on) P 1 (b) P 2 (b) C 1 Counter 2 = Counter 1 +1,.., Counter n = Counter n C 2 CNT-4403: 21.April

19 List of Final Topics User Authentication Protocols Key Distribution and Public Key Certificates Symmetric Key Crypto Access Control Public Key Crypto Cryptographic Data Integrity CNT-4403: 21.April

20 Message Authentication Why? Prove the integrity of a message Message M Sender generates M Receiver wants to ensure that message received is the same as M Sender and Receiver share a symmetric key K CNT-4403: 21.April

21 Example 1: Authentication (Sender) M (L bits) M (L bits) E(K,[M H(M)]) Encryption Algorithm Hash value Key K Hash H CNT-4403: 21.April

22 Example 1: How to Verify? (Receiver) M (L bits) Hash H Hash h 2 E(K,[M H(M)]) Decryption Algorithm h 1 = h 2? Hash value h 1 Key K CNT-4403: 21.April

23 Example 2: Message Authentication M (L bits) Hash H Hash value Encryption Algorithm E(K, H(M)) Key K M (L bits) CNT-4403: 21.April

24 Example 2: How to Verify? Key K E(K, H(M)) Decryption Algorithm Hash value h 1 h 1 = h 2? M (L bits) Hash value h 2 Hash H CNT-4403: 21.April

25 List of Final Topics User Authentication Protocols Key Distribution and Public Key Certificates Symmetric Key Crypto Access Control Public Key Crypto Cryptographic Data Integrity CNT-4403: 21.April

26 Access Matrix Model (Lampson 1971) Objects (and Subjects) F G S u b j e c t s A B r w own r r w own rights CNT-4403: 21.April

27 Access Matrix Implementation Access Matrix can be sparse Space inefficient Instead Access Control Lists Capabilities Relations CNT-4403: 21.April

28 Access Control List - ACL Maintained for each object (or subject) No entries when no permissions G: ACL A r B r B w B own Each column of the access matrix is stored with the object corresponding to that column CNT-4403: 21.April

29 Capability Unforgeable token that gives possesor certain rights Object to which access is permitted Right for the object F How to make it unforgeable r Capability giving the right to read object F 1. Only OS can access capability user gets a pointer 2. Encrypted capabilities access control mechanism has key CNT-4403: 21.April

30 Capability List: C-List F r F w F own G r Alice Each row of the access matrix is stored with the subject corresponding to that row CNT-4403: 21.April

31 Access Control Relations Subject Access Object A r F A w F A own F A r G B r G B w G B own G Commonly used in relational database management systems CNT-4403: 21.April

32 ACLs vs. Capabilities ACL's require authentication of subjects Capabilities do not require authentication of subjects, but do require Unforgeability Control of propagation of capabilities CNT-4403: 21.April

33 Security Policies Statement of the security we expect the system to enforce Military Security Policy Commercial Security Policies Clark-Wilson Separation of Duty Chinese Wall Security Policy CNT-4403: 21.April

34 Military Security Policy Each object has a sensitivity level rank object Unclassified, restricted, confidential, secret, top secret Top Secret Information at a level is More sensitive than level below Less sensitive than level above Secret Confidential Restricted Unclassified CNT-4403: 21.April

35 Military Security Policy (cont d) Access according to need-to-know rule Information is associated to projects One or more Called compartments Example: Projects alpha and beta Both use secret information But staff on alpha does not need access to beta CNT-4403: 21.April

36 Dominance Classification of an object <rank; compartments> Clearance of subject Indication that subject can access information up to a level of sensitivity <rank; compartments> Dominance: s o (subject dominates object) rank s rank o and compartments o included in compartments s Then s can read o CNT-4403: 21.April

37 Dominance: Example Object classified <secret; {Sweden}> Accessible by subject with clearence <top secret; {Sweden}> : YES or NO? <secret; {Sweden, Denmark}>: YES or NO? <top secret; {Denmark}>: YES or NO? CNT-4403: 21.April

38 Commercial Security Policies Concerns Industrial espionage Corporate finance leaks Clark-Wilson Separation of Duty (read P&P: C 5.2 pg ) Chinese Wall Security Policy Brewer and Nash 89 CNT-4403: 21.April

39 Chinese Wall Security Policy Handles conflicts of interest in companies Person in company obtains sensitive information about competitors Three levels of abstraction Objects (e.g., files) concern a single company Company groups all objects pertaining to a company Conflict classes groups of competing companies Each object belongs to a single group Each company group belongs to single conflict class CNT-4403: 21.April

40 Chinese Wall Security: Example Advertising company with multiple clients Rule: no employee knows sensitive information on competitors Fobidden! Chocolate Comp. Banks Citicorp Airlines Suchard Credit Lyonais Lyonnais United Nestle Deutche Bank CNT-4403: 21.April

41 Chinese Wall Security: Example Advertising company with multiple clients Rule: no employee knows sensitive information on competitors Access to object granted only if First access to a conflict class Object is from same group as a previous access CNT-4403: 21.April

42 Bell-LaPadula Model Formal description of the allowable paths of information flow in a secure system Describes allowable communication between subjects and object Formalization of the military security policy CNT-4403: 21.April

43 Bell-LaPadula Definition Set S of subjects: s S has clearance C(s) Set O of objects: o O has classification C(o) Ordered by relation - dominance Simple Security Property: s may read o only if C(o) C(s) Clearance of s dominates classification of o Star Property: s who has read access to o may write to object p only if C(o) C(p) The contents of o can only be written to objects at least that high Prevents write-down CNT-4403: 21.April

44 Bell-LaPadula Example High Write O 5 Write Clearance Sensitivity Read Bob Read O 4 Only if Carol does not have read access to higher level object! Write O 3 Write O2 Carol Write Read Alice Read O 6 O1 Low CNT-4403: 21.April