Cryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption

Transcription

1 and secure channel May 17, / 45

2 / 45

3 Introduction Simplified model for and decryption key decryption key plain text X KE algorithm KD Y = E(KE, X ) decryption ciphertext algorithm X = D(KD, Y ) plain text 3 / 45

4 Introduction Classification of cryptographic systems based on number of keys used symmetric K E = K D a.k.a. conventional, secret-key or single-key oldest form of most widely used asymmetric K E K D a.k.a. public-key developed in the late 1970s 4 / 45

5 Introduction Classification of cryptographic systems based on number of keys used based on way in which plaintext is processed substitution cipher input P L A I N T E X T A BC D. E.. Z encrypt decrypt X EZ S T... D C I P H E R T E X T output block cipher stream cipher 5 / 45

6 Introduction Classification of cryptographic systems based on number of keys used based on way in which plaintext is processed substitution cipher block cipher input encrypt decrypt output stream cipher 6 / 45

7 Introduction Classification of cryptographic systems based on number of keys used based on way in which plaintext is processed substitution cipher block cipher stream cipher input encrypt decrypt output 7 / 45

8 Introduction Location of devices link L3 host L3 L3 host L3 end-to-end L3 host L3 L3 host L3 8 / 45

9 Introduction Key distribution application (1) security service host (2) key distribution center (3) application security service host (4) 9 / 45

10 Substitution ciphers Some examples Julius Caesar plaintext a b c d e... w x y z ciphertext D E F G H... Z A B C Augustus Caesar plaintext a b c d e... w x y z ciphertext C D E F G... Y Z A B changed the key from D to C Arabs generalized idea into monoalphabetic substitution plaintext a b c d e... w x y z ciphertext W I M A B... V X Y Z for instance with key WIM 10 / 45

11 Substitution ciphers Some examples example of monoalphabetic substitution: key = SECURITY substitution table: abcdefghijklmnopqrstuvwxyz SECURITYABDFGHJKLMNOPQVWXZ ciphertext: IAHU OYR NJFPOAJH 11 / 45

12 Substitution ciphers Attacks attacks to retrieve the key use: frequency of individual letters frequency of combinations of letters (e.g. letter-pairs) solution: stream cipher: encrypt based on plaintext symbol and on its position in the plaintext stream block cipher: encrypt based on a block of several plaintext symbols 12 / 45

13 Block ciphers Example Playfair the key is a 5 5 table, with all the letters of the alphabet, except the letter j replace all j with i in the cleartext group letters in blocks of 2 separate double letters in the same block by adding the letter x in between if necessary, add letter z at the end to complete the last letter-pair encrypt the plaintext block by block when the 2 letters are in the same row or column, replace them by the succeeding letters when the 2 letters are at the corners of a rectangle in the table, replace them with the letters at the other two corners of this rectangle. 13 / 45

14 Block ciphers Example Playfair key = plaintext: P A L M E R S T O N B C D F G H I K Q U V W X Y Z Lord Granville s letter : lo rd gr an vi lx le sl et te rz MT TB BN ES WH TL MP TA LN NL NV 14 / 45

15 Block ciphers Attacks attacks to retrieve the key: if you change a single letter of the plaintext, most often only a single letter of the ciphertext will change frequency of digraphs (letter pairs) must be used, rather than single letters, so the distribution is much flatter solution: Data Standard (DES) uses a block length of 64 bits (= 8 ASCII characters) Advanced Standard (AES) uses a block length of 128 bits 15 / 45

16 Stream ciphers Example Blaise de Vigenère cipher consider: A=0, B=1,..., Z=25 plaintext p(i = 0... N p 1) key K(i = 0... N K 1) : ciphertext C(i) = (p(i) + K(i % N K )) % / 45

17 Stream ciphers Example Blaise de Vigenère cipher example: A B C D E F G H I J 10 K L M N O P Q R S T 20 U V W X Y Z plaintext: tobeornottobethatisthequestion key: runrunrunrunrunrunrunrunrunrun ciphertext: KIOVIEEIGKIOVNURNVJNUVKHVMGZIA Other example: RC4 17 / 45

18 cryptography public key private key plain text X Kpu algorithm authentication (signing) Y = E(Kpu, X ) decryption ciphertext algorithm Kpr X = D(Kpr, Y ) plain text private key public key Kpr Kpu plain text X algorithm Y = E(Kpr, X ) decryption ciphertext algorithm X = D(Kpu, Y ) plain text 18 / 45

19 cryptography eg: RSA (Ron Rivest, Adi Shamir, Len Adleman) 19 / 45

20 Where to encrypt? basic OSI communication model application application A 2 A 1 A 3... A 1 A 2 A 3... transport network data link physical transport network data link physical 20 / 45

21 Where to encrypt? network (VPN : eg. IPSEC) application application A 1 A 2 A 3... A 1 A 2 A 3... transport transport network data link physical network data link physical 21 / 45

22 Where to encrypt? transport (eg. SSL/TLS) application A 1 A 2 A 3... transport security transport network data link application A 1 A 2 A 3... transport security transport network data link physical physical 22 / 45

23 Where to encrypt? (eg. SSH, PGP) application application application A 1 A 2 A 3... A 1 A 2 A 3... transport transport network data link physical network data link physical 23 / 45

24 IPSEC associations security association (SA): one-way relationship between sender and receiver (for bi-directional relationship 2 SA s are needed) uniquely identified by security parameters index (SPI) IP destination address: identifies end-user system or intermediate network system (e.g. a firewall) security protocol identifier: indicates whether this association is for AH (Authentication Header) or ESP (Encapsulating Payload) 24 / 45

25 IPSEC associations each system implements a security association database, that manages the following parameters for each SA: sequence number counter sequence counter overflow: flag whether this overflow is allowed or not anti-replay window W AH information: authentication algorithm, keys, key lifetimes, etc. ESP information: and authentication algorithm, keys, key lifetimes, initialization values, etc. protocol mode: tunnel, transport or wildcard path MTU 25 / 45

26 IPSEC Authentication header usage modes: transport mode for end-to-end authentication tunnel mode for end-to-intermediate authentication 26 / 45

27 IPSEC Authentication header use cases end-to-end authentication PC end-to-intermediate authentication FW PC PC 27 / 45

28 IPSEC Authentication header original packet: IP TCP application data transport mode AH authentication: IP AH TCP application data tunnel mode AH authentication: authenticated (except mutable fields) IP AH IP TCP application data authenticated (except mutable fields in IP ) 28 / 45

29 IPSEC Authentication header anti-replay mechanism (using sequence numbers) fixed window size W N valid packet received valid packet not yet received N highest sequence number received in a valid packet 29 / 45

30 IPSEC Authentication header Integrity Check Value (ICV) = MD5 or SHA-1 based HMAC truncated to its first 96 bits, and computed over IP header fields that: do not change in transit (immutable) change in transit but have predictable value on arrival (fields that change in transit and have unpredictable values on arrival, e.g. TTL, are set to zero for computing the MAC) AH header, with authentication data field set to zero complete upper-level protocol data (e.g. TCP segment in transport mode or inner IP datagram in tunnel mode) 30 / 45

31 IPSEC Authentication header authentication header (AH) next header payload length reserved security parameters index (SPI) sequence number... authentication data / 45

32 IPSEC Encapsulating security payload usage modes: transport mode for end-to-end tunnel mode for end-to-intermediate, and for intermediate-to-intermediate 32 / 45

33 IPSEC Encapsulating security payload use cases PC PC end-to-intermediate authentication FW end-to-end authentication intermediate-to-intermediate authentication PC FW PC 33 / 45

34 IPSEC Encapsulating security payload original packet: IP TCP application data transport mode ESP : IP tunnel mode ESP : ESP hdr TCP application data encrypted authenticated ESP trlr ESP auth IP ESP hdr IP TCP application data ESP trlr ESP auth encrypted authenticated 34 / 45

35 IPSEC Encapsulating security payload encapsulating security payload (ESP) security parameters index (SPI) sequence number... payload data padding... pad length next header... authentication data / 45

36 IPSEC Key management typically 4 keys are required (AH and ESP in 2 directions) types of key management: manual automated, uses: Oakley key determination protocol (refinement of Diffie-Hellman key exchange mechanism) Internet Association and Key Management Protocol (ISAKMP) 36 / 45

37 Simple client ClientHello ClientKeyExchange ChangeCipherSpec Finished server ServerHello ServerKeyExchange ServerHelloDone ChangeCipherSpec Finished 37 / 45

38 Simple the client sends a ClientHello message to the server specifying its own capabilities. This message contains: Version: identifies the highest version of the SSL protocol that the client supports RandomNumber: a 32-byte random number used to seed the cryptographic calculations SessionID: identifies this specific SSL session CipherSuites: a list of the cryptographic parameters that the client supports CompressionMethods: identifies the data compression methods that the client supports 38 / 45

39 Simple the server replies with a ServerHello message to the client specifying the versions and protocols it selected from the ClientHello message. This message contains: Version: identifies the version of the SSL protocol to be used for this communication RandomNumber: a 32-byte random number used to seed the cryptographic calculations SessionID: identifies this specific SSL session CipherSuite: the cryptographic parameters (algorithms and key sizes) to be used for this communication CompressionMethod: the data compression method to be used for this communication 39 / 45

40 Simple server sends ServerKeyExchange message to client, complementing the CipherSuite field of the ServerHello message. The message is sent in plaintext and therefore can only contain public key information. Its exact format depends on the particular public key algorithm that is used. server finally sends ServerHelloDone message to client. It contains no real information but just informs the client that the server has finished with its initial negotiation messages and therefore the client can move to the next phase of establishing the secure communications. 40 / 45

41 Simple client sends ClientKeyExchange message to server with the symmetric key that both parties will use for this session, encrypted with the public key of the server. Both parties now have all the information they need to start encrypting their communications. the client sends a ChangeCipherSpec message to the server first, and then the server sends a ChangeCipherSpec back to the client. A system that sends a ChangeCipherSpec message, switches its write state to the new state. A system that receives a ChangeCipherSpec message switches its receive state. 41 / 45

42 Simple immediately behind the ChangeCipherSpec message, each system sends a Finished message containing a cryptographic hash of important information (key information and contents of the already exchanged SSL handshake messages) to verify that the negotiation was successful and that security has not been compromised. 42 / 45

43 Server authentication threat: man-in-the-middle attack client attacker server client server ClientHello Client Hello ClientKeyExchange ChangeCipherSpec Finished Server Hello Server KeyExchange Server HelloDone Client KeyExchange ChangeCipherSpec Finished ServerHello ServerKeyExchange ServerHelloDone ChangeCipherSpec Finished ChangeCipherSpec Finished 43 / 45

44 Server authentication client ClientHello ClientKeyExchange ChangeCipherSpec Finished server ServerHello Certificate ServerHelloDone ChangeCipherSpec Finished 44 / 45

45 Server authentication the server sends a Certificate message instead of a ServerKeyExchange message, containing a certificate chain beginning with the server s public key certificate and ending with the certificate authority s root certificate. The client must make sure it can trust the certificate from the server by verifying the certificate signatures, validity times, and revocation status. the ClientKeyExchange message uses the public key from the server s Certificate message to encrypt the session key. 45 / 45