Basics of Cryptography, Cryptoprotocols, and Steganography

Similar documents
UNIT - IV Cryptographic Hash Function 31.1

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

CS Computer Networks 1: Authentication

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

CSE 127: Computer Security Cryptography. Kirill Levchenko

Kurose & Ross, Chapters (5 th ed.)

CSC 482/582: Computer Security. Security Protocols

Security. Communication security. System Security

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

Encryption. INST 346, Section 0201 April 3, 2018

Cryptography (Overview)

Public Key Algorithms

Topics. Number Theory Review. Public Key Cryptography

PROTECTING CONVERSATIONS

Diffie-Hellman. Part 1 Cryptography 136

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Public-key Cryptography: Theory and Practice

1 Identification protocols

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))

(2½ hours) Total Marks: 75

Chapter 9: Key Management

Network Security Chapter 8

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

Topics. Dramatis Personae Cathy, the Computer, trusted 3 rd party. Cryptographic Protocols

Cryptographic Concepts

CCNA Security 1.1 Instructional Resource

CPSC 467b: Cryptography and Computer Security

CS 111. Operating Systems Peter Reiher

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

Securing Internet Communication: TLS

ICT 6541 Applied Cryptography. Hossen Asiful Mustafa

SEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

2.1 Basic Cryptography Concepts

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

CS 161 Computer Security

CS61A Lecture #39: Cryptography

CSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography

CS 161 Computer Security

Crypto meets Web Security: Certificates and SSL/TLS

Authentication in real world: Kerberos, SSH and SSL. Zheng Ma Apr 19, 2005

Ref:

Elements of Security

David Wetherall, with some slides from Radia Perlman s security lectures.

Outline. Cryptography. Encryption/Decryption. Basic Concepts and Definitions. Cryptography vs. Steganography. Cryptography: the art of secret writing

HY-457 Information Systems Security

1.264 Lecture 28. Cryptography: Asymmetric keys

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

Outline Key Management CS 239 Computer Security February 9, 2004

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

Computer Networks. Wenzhong Li. Nanjing University

Lecture 1 Applied Cryptography (Part 1)

CS 161 Computer Security

CS 425 / ECE 428 Distributed Systems Fall 2017

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

Winter 2011 Josh Benaloh Brian LaMacchia

Chapter 9 Public Key Cryptography. WANG YANG

Modern cryptography 2. CSCI 470: Web Science Keith Vertanen

Cryptographic Checksums

Outline More Security Protocols CS 239 Computer Security February 6, 2006

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Verteilte Systeme (Distributed Systems)

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

18-642: Cryptography 11/15/ Philip Koopman

What did we talk about last time? Public key cryptography A little number theory

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange

The Match On Card Technology

Chapter 8 Security. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

18-642: Cryptography

Cryptographic Systems

Cryptographic Protocols 1

key distribution requirements for public key algorithms asymmetric (or public) key algorithms

Authentication and Key Distribution

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?

BCA III Network security and Cryptography Examination-2016 Model Paper 1

Refresher: Applied Cryptography

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Test Conditions. Closed book, closed notes, no calculator, no laptop just brains 75 minutes. Steven M. Bellovin October 19,

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Introduction to Cryptography. Ramki Thurimella

Full file at

Cryptography. Recall from last lecture. [Symmetric] Encryption. How Cryptography Helps. One-time pad. Idea: Computational security

Key Establishment and Authentication Protocols EECE 412

Data Security and Privacy. Topic 14: Authentication and Key Establishment

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Computer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University

ISA 662 Internet Security Protocols. Outline. Prime Numbers (I) Beauty of Mathematics. Division (II) Division (I)

Transcription:

Basics of Cryptography, Cryptoprotocols, and Steganography 14 August 2017 Clark Thomborson University of Auckland

Security Requirements Alice wants to send a message to Bob. Moreover, Alice wants to send the message securely: Alice wants to make sure Eve cannot read the message. [Adapted from Schneier, Applied Cryptography, 2 nd edition, 1996] Exercise 1. Draw a picture of this scenario. Exercise 2. Discuss Alice s security requirements, using the terminology developed to date in CompSci 725. Exercise 3. In this scenario, Alice is the sender, Bob is the receiver, and Eve is the eavesdropper. Name another actor with an important role in communication security. Sample answers are widely available on the internet, see e.g. http://en.wikipedia.org/wiki/alice_and_bob. Crypto and Stego 2

ALICE ANDBOB HTTP://XKCD.COM/177/ (CREATIVE COMMONS 2.5 LICENCE) Crypto and Stego CompSci 725sc07-10.3

From A Security Model for VoIP Steganography, by Yu, 4 Thomborson et al., DOI 10.1109/MINES.2009.227, 2009.

An Attack Taxonomy for Communication Systems 1. Interception (attacker reads the message) 2. Interruption (attacker prevents delivery) 3. Modification (attacker changes the message) 4. Fabrication (attacker injects a message) a) Impersonation (attacker pretends to be a legitimate sender or receiver, e.g. this is either a fabrication or an interruption) 5. Stegocommunication (Alice and Bob make surreptitious use of a communication system; Eve wears a white hat ) 6. Repudiation (a black-hat Alice falsely asserts she did not send a message to Bob, or a black-hat Bob falsely asserts that he didn t receive a message from Alice); white-hat Judy is the judge. Crypto and Stego 5

Symmetric and Public-Key Encryption If the decryption key d can be computed from the encryption key e, then the algorithm is called symmetric. Example: E(p) = (p + e) mod 256 is a symmetric (and very weak) encryption of a char p, because D(x) = (x + d) mod 256 is a decryptor when d = 256 - e. If the decryption key cannot be feasibly computed from the encryption key, then the algorithm is called asymmetric or publickey. Crypto and Stego 6

Message Integrity Encryption assures confidentiality Assume: the attacker can t discover the key or crack the cypher. Integrity can also be assured by message codes. Sending a plaintext message, plus its Message Authentication Code (MAC), will ensure message integrity to anyone who knows the (shared) secret key. The CBC-MAC is the last ciphertext block from a CBC-mode block cipher. Changing any message bit will change the MAC this defends against modification. Unless you know the secret key, you can t compute a MAC from the plaintext this defends against fabrication. Keyed hashes (HMACs) are another popular type of MAC. SHA-1 and MD5 are used in SSL To learn more, read Stamp s Information Security, 2 nd Edition, Wiley, 2011, at pp. 136-7. Crypto and Stego 7

MAC http://en.wikipedia.org/wiki/message_authentication_code Crypto and Stego 8

Public Key Cryptography Encryption E: Plaintext EncryptionKey Cyphertext Decryption D: Cyphertext DecryptionKey Plaintext The sender must know the encryption key. The receiver can decrypt, if they know the decryption key. In public-key cryptography, we use key-pairs (s, p), where our secret key s cannot be computed efficiently (as far as anyone knows) from our public key p and our encrypted messages. The algorithms (E, D) are standardized. We let everyone know our public key p. We don t let anyone else know our corresponding secret key s. Anybody can send us encrypted messages using E(*, p). Convenient notation: {P} Alice is plaintext P that has been encrypted by a secret key named Alice. [Stamp, pp. 89-91, 323] Crypto and Stego 9

Authentication in PK Cryptography We can use a secret key s to encrypt a message which everyone can decrypt using our corresponding public key p. E(P, s) is a signed message. Simpler notation: [P] Alice Only people who know the secret key named Alice can create this signature. Anyone who knows the public key for Alice can validate this signature. This defends against impersonation and repudiation attacks. If you use a key-pair (s, p) for encryption, then you can t use it safely for signing! Do you understand why? Crypto and Stego 10

Key Management & Distribution We should use many different public/private key pairs: For our email, For our bank account (our partner knows this private key too), For our workgroup (shared with other members), A public key infrastructure (PKI) will help us create, publicise, and discover public keys (p 1, p 2, ). A certificate authority (CA) is a registry for public keys this is an important part of a PKI.. The CA uses one of its signing keys to sign a certificate of the form [name, p] CA. Anyone who knows the CA s corresponding public key can verify that p was registered by someone who convinced the CA that they are identified by name. Note: we also need some way to discover CAs and their keys our web browsers help with this Crypto and Stego 11

Some Security Issues with CAs The name in a certificate might not be a unique identifier for a person or an organisation there are many people named John Doe. A CA might register a key to an impersonator. The end-user might not inspect the certificate to confirm that name is a (reasonably) unique identifier for the person or organisation they are trying to communicate with. Crypto and Stego 12

A Simple Cryptographic Protocol R A Alice [B, Bob ] CA {SK} B, {P} SK 1. Alice sends a service request R A to Bob. 2. Bob replies with his digital certificate. Bob Bob s certificate contains Bob s public key B and Bob s name. This certificate was signed by a Certificate Authority, using a public key CA which Alice already knows. 3. Alice creates a symmetric key SK. This is a session key. Alice sends SK to Bob, encrypted with public key B. Alice and Bob will use SK to encrypt their plaintext messages. Crypto and Stego 13

Protocol Analysis R A R A [T, Trudy ] CA {SK} T, {P} SK [B, Bob ] CA {SK} B, {P} SK Trudy: acting as Alice to Bob, Alice and as Bob to Alice Bob How can Alice detect that Trudy is in the middle? What does your web-browser do, when it receives a digital certificate that says Trudy instead of Bob? Trudy s certificate might be [T, Bob ] CA If you follow a URL to https://www.bankofamerica.org, your browser might form an SSL connection with a Nigerian website which spoofs the website of a legitimate bank, or a website controlled by a disgruntled BoA customer. Have you ever inspected an SSL certificate? Crypto and Stego 14

Attacks on Cryptographic Protocols A ciphertext may be broken by Discovering the restricted algorithm (if the algorithm doesn t require a key). Discovering the key by non-cryptographic means (bribery, theft, just asking ). Discovering the key by brute-force search (through all possible keys). Discovering the key by cryptanalysis based on other information, such as known pairs of (plaintext, ciphertext). The weakest point in the system may not be its cryptography! See Ferguson & Schneier, Practical Cryptography, 2003. For example: you should consider what identification was required, when a CA accepted a key, before you accept any public key from that CA as a proof of identity. Crypto and Stego 15

Limitations and Usage of PKI If a Certificate Authority is offline, or if you can t be bothered to wait for a response, you will use the public keys stored in your local computer. Warning: a public key may be revoked at any time, e.g. if someone reports their key was stolen. Key Continuity Management is an alternative to CAs. The first time someone presents a key, you decide whether or not to accept it. When someone presents a key that you have accepted previously, it s ok to accept it again if you haven t had any bad experiences with that key, If someone presents a changed key, you should think carefully before accepting! This idea was introduced in SSH, in 1996. It was named, and identified as a general design principle, by Peter Gutmann (http://www.cs.auckland.ac.nz/~pgut001/). Reference: Simson Garfinkel, in http://www.simson.net/thesis/pki3.pdf Crypto and Stego 16

Identification and Authentication You can authenticate your identity to a local machine by what you have (e.g. a smart card), what you know (e.g. a password), what you are (e.g. your thumbprint or handwriting) After you have authenticated yourself locally, then you can use cryptographic protocols to authenticate your outgoing messages (if others know your public key); verify the integrity of your incoming messages (if you know your correspondents public keys); send confidential messages to other people (if you know their public keys). Warning: you (and others) must trust the operations of your local machine! We ll return to this subject Crypto and Stego 17

Steganography The art of sending undetectable messages. The primary goal of the wardens is detection of stegocommunication. The primary goal of the prisoners is availability. It s up to the analyst to decide the colours of the hats! Steganography, like cryptography, may be used by black-hats or white-hats. Steganography is complementary to cryptography. Using strong cryptography, Alice and Bob achieve confidentiality and integrity. Alice and Bob should use steganography if they re worried about availability or traffic analysis. Cryptographic communications are obviously encrypted. If warden Walter can t understand what Alice is saying Should he punish Alice for sending an encrypted message? Should he prevent Alice s encrypted message from reaching Bob? Should he carefully watch Bob, after allowing him to read the message? Crypto and Stego 18

Wardens and Prisoners On July 17 [1965], a prisoner [in Mt Eden Prison] asked a guard to pass a newspaper to another prisoner in another cell. The guard found a coded note in its pages. Unable to decipher the message he simply copied it for the file. Inexplicably, he then delivered the newspaper and its mysterious contents. If that note had been successfully read, what occurred next would have been avoided. The prisoners began smashing up the central office and set it on fire at the same time other prisoners were being unlocked. What the Herald would later call a wild orgy of destruction ensured firefighters entering the jail were forced to retreat. [ The night all hell broke loose at Mt Eden Prison, NZ Herald, 28 July 2015] Crypto and Stego 19

Watermarking, Tamper-Proofing and Obfuscation Tools for Software Protection Christian Collberg & Clark Thomborson IEEE Transactions on Software Engineering 28:8, 735-746, August 2002. DOI: 10.1109/TSE.2002.1027797

Watermarking and Fingerprinting Watermark: an additional message, embedded into a cover message. Messages may be images, audio, video, text, executables, Visible or invisible (steganographic) embeddings Robust (difficult to remove) or fragile (guaranteed to be removed) if cover is distorted. Watermarking (only one extra message per cover) or fingerprinting (different versions of the cover carry different messages). Crypto and Stego CompSci 725sc07-10.21

Our Desiderata for (Robust, Invisible) SW Watermarks Watermarks should be stealthy -- difficult for an adversary to locate. Watermarks should be resilient to attack -- resisting attempts at removal even if they are located. Watermarks should have a high data-rate -- so that we can store a meaningful message without significantly increasing the size of the object. Crypto and Stego 22

Attacks on Watermarks Subtractive attacks: remove the watermark (WM) without damaging the cover. Additive attacks: add a new WM without revealing which WM was added first. Distortive attacks: modify the WM without damaging the cover. Collusive attacks: examine two fingerprinted objects, or a watermarked object and its unwatermarked cover; find the differences; construct a new object without a recognisable mark. Crypto and Stego 23

Defenses for Robust Software Watermarks Obfuscation: we can modify the software, so that a reverse engineer will have great difficulty figuring out how to reproduce the cover without also reproducing the WM. Tamperproofing: we can add integrity-checking code that (almost always) renders it unusable if the object is modified. Crypto and Stego 24

Classification of Software Watermarks Static code watermarks are stored in the section of the executable that contains instructions. Static data watermarks are stored in other sections of the executable. Dynamic data watermarks are stored in a program s execution state. Such watermarks are resilient to distortive (obfuscation) attacks. Crypto and Stego 25

Dynamic Watermarks Easter Eggs are revealed to any end-user who types a special input sequence. Execution Trace Watermarks are carried (steganographically) in the instruction execution sequence of a program, when it is given a special input. Data Structure Watermarks are built (steganographically) by a program, when it is given a special input sequence (possibly null). Crypto and Stego 26

Easter Eggs The watermark is visible -- if you know where to look! Not resilient, once the secret is out. See www.eeggs.com Crypto and Stego CompSci 725sc07-10.27

Software Obfuscation Many authors, websites and even a few commercial products offer automatic obfuscation as a defense against reverse engineering. Existing products generally operate at the lexical level of software, for example by removing or scrambling the names of identifiers. We were the first (in 1997) to use opaque predicates to obfuscate the control structure of software. Crypto and Stego 28

Opaque Predicates {A; B } A A A T p T F T P? F T P T F B B B B B bug always true indeterminate tamperproof 29

Conclusion Software obfuscation can make it more difficult for pirates to defeat standard tamperproofing mechanisms, or to engage in other forms of reverse engineering. Software watermarking can embed ownership marks in software, making it difficult for anyone to be sure that they have removed all the marks. Software steganography is immature: More R&D is required before robust obfuscating and watermarking tools will be easy to use. Crypto and Stego 30

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback