The Network Security Model. What can an adversary do? Who might Bob and Alice be? Computer Networks 12/2/2009. CSC 257/457 - Fall

Transcription

1 The Network Security Model Bob and lice want to communicate securely. Trudy (the adversary) has access to the channel. Kai Shen lice data channel secure sender data, control s secure receiver Bob data Trudy 12/2/2009 CSC 257/457 Fall /2/2009 CSC 257/457 Fall Who might Bob and lice be? What can an adversary do? Web browser/server for electronic transactions (e.g., online purchases/banking) DNS servers routers exchanging routing table updates well, reallife Bobs and lices! eavesdrop: understand the content of s actively changing s impersonation: fake (spoof) identity denial of service: prevent service from being used by others (e.g., by overloading resources) 12/2/2009 CSC 257/457 Fall /2/2009 CSC 257/457 Fall CSC 257/457 Fall

2 What is Network Security? Confidentiality: only sender, intended receiver should understand contents uthentication: sender, receiver want to confirm identity of each other Confidentiality: cryptography uthentication Integrity Message Integrity: sender, receiver want to ensure not altered (in transit, or afterwards) ccess and vailability: services must be accessible and available to (and only to) legitimate users. 12/2/2009 CSC 257/457 Fall /2/2009 CSC 257/457 Fall The Language of Cryptography Symmetric Key Cryptography: Monoalphabetic Cipher First goal of cryptography: confidentiality. lice s K encryption encryption ciphertext Bob s K B decryption decryption Monoalphabetic cipher: substitute one letter for another. : abcdefghijklmnopqrstuvwxyz ciphertext: mnbvcxzasdfghjklpoiuytrewq Example: Plaintext: bob. i love you. alice ciphertext: nkn. s gktc wky. mgsbc symmetric crypto: encryption and decryption s are identical. (both are secret) public crypto: encryption is public, decryption is secret. 12/2/2009 CSC 257/457 Fall Q1: How hard to break this simple cipher? brute force? other? Q2: How to make it more difficult to break? 12/2/2009 CSC 257/457 Fall CSC 257/457 Fall

3 Symmetric Key Cryptography: DES ES: dvanced Encryption Standard DES: Data Encryption Standard US encryption standard [NIST 1993] 56bit symmetric, 64bit input encryption: initial permutation 16 rounds, each using different 48 bits of final permutation decryption: reverse operation using the same How secure is DES? DES Challenge (1999): 56bitencrypted phrase decrypted (brute force) in 22 hours 15 minutes Making DES more secure: use three s sequentially (3DES) use more bits 12/2/2009 CSC 257/457 Fall new (Nov. 2001) symmetric NIST standard, replacing DES processes data in 128 bit blocks 128, 192, or 256 bit s brute force decryption (try each ) taking 1 sec on DES, takes 149 trillion years for 128bit ES 12/2/2009 CSC 257/457 Fall Public Key Cryptography symmetric cryptography requires sender, receiver know shared secret Q: how to agree on in first place? (particularly difficult if Trudy is eavesdropping on all communication) public cryptography encryption is different from decryption encryption is public, known to everyone, also called public decryption is secret, known only to receiver, also called private, m Public Key Cryptography encryption ciphertext + K (m) B K B + decryption Bob s public K Bob s private B m = K (K + (m)) B B Principle for choosing the public/private pair: One should not be able to derive the private from the public. 12/2/2009 CSC 257/457 Fall /2/2009 CSC 257/457 Fall CSC 257/457 Fall

4 Public Key Cryptography: RS (Ron Rivest, di Shamir and Len dleman) Choosing s: Choose two large prime numbers p, q. (e.g., 1024 bits each) Compute n = pq, z = (p1)(q1) Choose e (with e<n) that has no common factors with z. Choose d such that ed1 is exactly divisible by z. Public is (n,e). Private is (n,d). To encrypt a, m (<n): do c = m e mod n To decrypt a received ciphertext, c: do m = c d mod n Reason: for any m (relatively prime with n) m z mod n = 1; therefore m ed1 mod n = 1 nother property: (m d mod n) e mod n = m RS is much slower than the symmetric cryptos. 12/2/2009 CSC 257/457 Fall Confidentiality: cryptography uthentication Integrity 12/2/2009 CSC 257/457 Fall uthentication: version 1.0 uthentication: Bob wants lice to prove her identity to him. uthentication: version 2.0 Protocol ap2.0: lice says I am lice and sends her secret password to prove it. Protocol ap1.0: lice says I am lice. I am lice I am lice Failure scenario?? Trudy can simply declare herself to be lice I m lice lice s password Failure scenario?? playback attack: Trudy records lice s packet and later plays it back to Bob I m lice lice s password 12/2/2009 CSC 257/457 Fall /2/2009 CSC 257/457 Fall CSC 257/457 Fall

5 uthentication: version 3.0 Goal: avoid playback attack Nonce: number (R) used only once inalifetime ap3.0: Bob sends lice a nonce, R. lice must return R, encrypted with shared secret I am lice R K (R) B only lice knows to encrypt nonce, so it must be lice! 12/2/2009 CSC 257/457 Fall uthentication: version 4.0 ap3.0 requires shared symmetric. Key distribution can be a problem. ap4.0: use nonce, public cryptography. I am lice Bob computes R + K (K (R)) = R K (R) and knows only lice could have the private, that encrypted R such that + K (K (R)) = R 12/2/2009 CSC 257/457 Fall Confidentiality: cryptography uthentication Integrity Integrity Digital Signatures: Cryptographic technique to ensure document integrity. it analogous to handwritten signatures. sender (Bob) digitally signs document, establishing he is document owner/creator. the recipient (lice) receives the document and the digital signatures. the recipient can be sure that the document is verifiable: Bob signed the document. nonforgeable: the document hasn t been changed since Bob signed it. 12/2/2009 CSC 257/457 Fall /2/2009 CSC 257/457 Fall CSC 257/457 Fall

6 Digital Signatures Bob signs m by encrypting with his private, creating a digital signature K B (m) Bob s, m Bob s private K B K B (m) Dear lice Bob s, Oh, how I have missed Public m, signed you. I think of you all the time! (blah blah blah) encryption (encrypted) with his private Bob Suppose lice receives msg m and its digital signature K B (m) lice applies Bob s public K B+ to K B (m) then checks whether K B+ (K B (m)) = m. If so, whoever signed m must have used Bob s private. Message Digests apply a hash function H to m, get a much smaller digest. large m H: Hash Function publicencrypt the digest to generate the digital signature K B (). example hash functions? Problem: computationally expensive to publicencrypt long s. 12/2/2009 CSC 257/457 Fall /2/2009 CSC 257/457 Fall Bob sends digitally signed digest: large m Digital signature = signed digest H: Hash function Bob s private K B digital signature (encrypt) encrypted msg digest + K B () lice verifies signature and integrity of digitally signed : large m H: Hash function Bob s public + K B equal? encrypted msg digest K B () digital signature (decrypt) 12/2/2009 CSC 257/457 Fall Message Digests: good/bad hash function apply a hash function H to m, get a much smaller digest. publicencrypt the digest to generate the digital signature K B (). Good/bad has functions? Note: given a hash function, it is possible for many s sharing the same digest. 12/2/2009 CSC 257/457 Fall CSC 257/457 Fall

7 Internet Checksum: Poor Hash Function for Generating Message Digests Given a and its Internet checksum, it is easy to find another with same checksum. I O U B O B SCII format 49 4F E D2 42 B2 C1 D2 C I O U B O B different s but identical checksums! SCII format 49 4F E D2 42 B2 C1 D2 C Hash function property: given digest x for m, computationally infeasible to find another m that shares the same digest. Good Hash Functions for Generating Message Digests MD5 hash function widely used computes 128bit digest in 4step process. appears difficult to construct m whose MD5 hash is equal to x. SH1 is also used. [NIST, FIPS PUB 1801] 160bit digest 12/2/2009 CSC 257/457 Fall /2/2009 CSC 257/457 Fall Disclaimer Parts of the lecture slides contain original work of James Kurose, Larry Peterson, and Keith Ross. The slides are intended for the sole purpose of instruction of computer networks at the University of Rochester. ll copyrighted materials belong to their original owner(s). 12/2/2009 CSC 257/457 Fall CSC 257/457 Fall