Lecture 4: Cryptography III; Security. Course Administration

Similar documents
Course Administration

CS 392/6813: Computer Security Fall Nitesh Saxena. *Adopted from Previous Lectures by Nasir Memon

Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536)

Pretty Good Privacy (PGP

Cryptography and Network Security

Key management. Pretty Good Privacy

Data Integrity. Modified by: Dr. Ramzi Saifan

CS408 Cryptography & Internet Security

UNIT - IV Cryptographic Hash Function 31.1

Lecture 1 Applied Cryptography (Part 1)

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Key Management and Distribution

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

Lecture 1: Course Introduction

Background. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33

CS Computer Networks 1: Authentication

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Cryptographic Checksums

Introduction to Cryptography. Lecture 6

Data Integrity & Authentication. Message Authentication Codes (MACs)

Public-Key Infrastructure NETS E2008

Unit III. Chapter 1: Message Authentication and Hash Functions. Overview:

Lecture 4: Hashes and Message Digests,

Lecture 15 Public Key Distribution (certification)

Overview. SSL Cryptography Overview CHAPTER 1

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

Information Security CS 526

Cryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015

Message Authentication Codes and Cryptographic Hash Functions

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Kurose & Ross, Chapters (5 th ed.)

Pretty Good Privacy (PGP)

Digital Certificates Demystified

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Fall 2010/Lecture 32 1

S. Erfani, ECE Dept., University of Windsor Network Security

Cryptographic Hash Functions

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

CS155. Cryptography Overview

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

CSCE 715: Network Systems Security

Chapter 9: Key Management

Appendix A: Introduction to cryptographic algorithms and protocols

Cryptographic Protocols 1

Cryptography (Overview)

T Cryptography and Data Security

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

P2_L8 - Hashes Page 1

Public-key Cryptography: Theory and Practice

Diffie-Hellman. Part 1 Cryptography 136

Message authentication codes

Encryption. INST 346, Section 0201 April 3, 2018

Cryptography and Network Security. Sixth Edition by William Stallings

User Authentication Principles and Methods

Integrity of messages

Crypto meets Web Security: Certificates and SSL/TLS

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Security in ECE Systems

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Data Integrity & Authentication. Message Authentication Codes (MACs)

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

ECE 646 Lecture 3. Key management

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?

Cryptography and Network Security Chapter 12. Message Authentication. Message Security Requirements. Public Key Message Encryption

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

Introduction to Software Security Hash Functions (Chapter 5)

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Introduction to Cryptography. Ramki Thurimella

SECURITY IN NETWORKS 1

Spring 2010: CS419 Computer Security

Cryptographic hash functions and MACs

Chapter 6: Digital Certificates Introduction Authentication Methods PKI Digital Certificate Passing

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Cryptography and Network Security

CSE 565 Computer Security Fall 2018

CSC 482/582: Computer Security. Security Protocols

Symmetric Crypto MAC. Pierre-Alain Fouque

Security. Communication security. System Security

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Public Key Algorithms

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

Chapter 8. Network Security. Cryptography. Need for Security. An Introduction to Cryptography 10/7/2010

Lecture 4: Authentication and Hashing

Unit 8 Review. Secure your network! CS144, Stanford University

Digital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)

BCA III Network security and Cryptography Examination-2016 Model Paper 1

L13. Reviews. Rocky K. C. Chang, April 10, 2015

CS 356 Internet Security Protocols. Fall 2013

Computer Security: Principles and Practice

CS 425 / ECE 428 Distributed Systems Fall 2017

IBM i Version 7.2. Security Digital Certificate Manager IBM

Transcription:

Lecture 4: Cryptography III; Email Security CS 336/536: Computer Network Security Fall 2014 Nitesh Saxena Course Administration HW/Lab 1 Posted Due at 11am on Sep 29 Labs are active starting this week Please only attend the sessions you registered for Everyone receiving my emails? Lecture slides worked okay? 2 1

Outline of Today s lecture Hash Functions Properties Birthday Paradox Generic Design Message Authentication Code Email Security Key Distribution Private Key Setting Public Key Setting 3 Hash Functions 4 2

Cryptographic Hash Functions Requirements of cryptographic hash functions: Can be applied to data of any length. Output is fixed length, usually very short Relatively easy to compute h(x), given x Function is deterministic Infeasible to get x, given h(x). One-wayness property Given x, infeasible to find y such that h(x) = h(y). Weak-collision resistance property Infeasible to find any pair x and y (x y) such that h(x) = h(y). Strong-collision resistance property or just collision resistance 5 Some Applications of Hash Functions In general, can be used as a checksum for large amounts of data Password hashing Digital signatures Message authentication codes (will study in a bit) Used also in RSA-OAEP, and many other cryptographic constructions 6 3

Hash Output Length How long should be the output (n bits) of a cryptographic hash function? To find collision - randomly select messages and check if hash matches any that we know. Throwing k balls in N = 2 n bins. How large should k be, before probability of landing two balls in the same becomes greater than ½? Birthday paradox - a collision can be found in roughly sqrt(n) = 2 (n/2) trials for an n bit hash In a group of 23 (~ sqrt(365)) people, at least two of them will have the same birthday (with a probability > ½) Hence n should be at least 160 7 Birthday Paradox Probability that hash values of k random messages are distinct is (that is, no collisions) is: k 1 1 2 k 1 i 1 1 1 1 i 1 i 1 k( k 1)/2N 2 3 (as for small, 1,as 1) 2! 3! = N N N n k 1 i/ n x x e x e x e x x x e So for at least one collision we have probability of whose value is above 0.5 when k 1.17 1 e k( k 1)/2N 8 N 4

Generic Hash Function Merkle- Damgard Construction This design for H() is collision-resistant given that h() is collision resistant Intuitively, this is because there is a avalanche effect even if the inputs differ in just 1 bit, the outputs will be completely different IV is a known public constant 9 An Illustrative Example from Wikipedia 10 5

Practical Examples SHA-1 Output 160 bits B day attack requires 2 80 calls Faster attacks 2 69 calls http://infosec.sdu6.edu.cn/uploadfile/papers/finding%20collisions%20in %20the%20Full%20SHA-1.pdf MD5 Output is 128 bits, so B day attack requires 2 64 calls only Faster attacks to find a collision: http://eprint.iacr.org/2004/199.pdf Better use stronger versions, such as SHA-256 Although, these attacks are still not practical they only find two random messages that collide 11 Further Reading Stallings Chapter 3 HAC Chapter 9 12 6

Message Authentication Codes 13 Message Authentication Codes Provide integrity as well as authentication Send (m, MAC); MAC is created on m using the key shared between two parties Has to be deterministic to enable verification Unlike encryption schemes We want MAC to be as small and as secure as possible Can not provide non-repudiation Why not? 14 7

MAC Functions KeyGen outputs a key MAC creates a checksum on m using key K Verify validates whether the checksum on m is computed correctly Just create MAC and compare 15 Security Notion for MAC Very similar to the security notion for a digital signature scheme Existential forgery under (adaptively) chosen message attack 16 8

Can encryption be used as a MAC? No, not in general Intuitively because encryption achieves properties different from MAC See a counter-example: One-time pad as a MAC bad idea! However, you can use 3-DES or AES as a building block for MAC 17 MAC Based on Block Cipher in the CBC mode CBC-MAC 18 9

CBC-MAC Note that this is deterministic IV = [0] Unlike CBC encryption Only the last block of the output is used as a MAC This is secure under CMA attack For pre-decided fixed-length messages Intuitively because of the presence of an avalanche effect 19 HMAC: MAC using Hash Functions Developed as part of IPSEC - RFC 2104. Also used in SSL etc. Key based hash but almost as fast as non-key based hash functions. Avoids export restrictions unlike DES based MAC. Provable security Can be used with different hash functions like SHA-1,MD5, etc. 20 10

HMAC Block size b bits. K + - K padded with bits on the left to make b bits. ipad 0110110 (ox36) repeated b/8 times. opad 1011100 (0x5c) repeated b/8 times. Essentially HHMAC K = H[(K + xor opad) H[(K + xor ipad) M]] 21 Security of HMAC Security related to the collision resistance of the underlying hash function http://www.cse.ucsd.edu/~mihir/papers/hma c.html 22 11

Stallings Chapter 3 HAC Chapter 9 Further Reading 23 Email Security via PGP 24 12

Email Security Email is one of the most widely used and regarded network services By default, email communication is NOT secure may be inspected either in transit, or by suitably privileged users on destination system may be impersonated/spoofed 25 Email Security Enhancements Confidentiality protection from disclosure Authentication of sender of message Message integrity protection from modification Non-repudiation of origin protection from denial by sender 26 13

Pretty Good Privacy (PGP) Open source, freely available software package for secure e-mail De facto standard for secure email Developed by Phil Zimmermann Selected best available crypto algorithms to use Runs on a variety of platforms like Unix, PC, Macintosh and other systems Originally free (now also have commercial versions available) 27 PGP Operation Authentication Just use digital signatures: 1. Sender creates message 2. Generates a digital signature for the message 3. Use SHA-1 to generate 160-bit hash of message 4. Signed hash with RSA using sender's private key, and is attached to message 5. Receiver uses RSA with sender's public key to decrypt and recover hash code 6. Receiver verifies received message using hash of it and compares with decrypted hash code 28 14

PGP Operation Confidentiality 1. Sender generates a message 2. Generates a128-bit random number as session key 3. Encrypts the message using CAST-128 / IDEA / 3DES in CBC mode with session key 4. Session key encrypted using RSA with recipient's public key and attached to the msg 5. Receiver uses RSA with private key to decrypt and recover session key 6. Session key is used to decrypt message 29 PGP Operation Confidentiality & Authentication Can use both services on the same message create signature & attach it to the message encrypt both message & signature attach RSA encrypted session key This sequence is preferred because --one can store the plaintext message/file and its signature --no need to store the ciphertext for future signature verification 30 15

PGP Operation Compression PGP compresses messages to save space for e-mail transmission and storage By default, PGP compresses message after signing but before encrypting so can store uncompressed message & signature for later verification Encryption after compression strengthens security (because compression has less redundancy) uses ZIP compression algorithm 31 PGP Operation Email Compatibility When using PGP will have binary data (8-bit octets) to send (encrypted message, etc) However, email was designed only for text Hence PGP must encode raw binary data into printable ASCII characters uses radix-64 algorithm maps 3 bytes to 4 printable chars also appends a CRC PGP also segments messages if too big (maximum length 50,000 octets) 32 16

PGP Operation Summary 33 PGP Session Keys Need a session key for each message of varying sizes: 56-bit DES, 128-bit CAST or IDEA, 168-bit Triple-DES Uses random inputs taken from actual keys hit keystroke timing of a user mouse movement 34 17

PGP Public & Private Keys Since many public/private keys may be in use, need to identify which is actually used to encrypt session key in a message Could send full public-key with every message But, this is inefficient Rather use a key identifier based on key is least significant 64-bits of the key will very likely be unique also use key ID in signatures 35 PGP Key Rings each PGP user has a pair of keyrings: public-key ring contains all the public-keys of other PGP users known to this user, indexed by key ID private-key ring contains the public/private key pair(s) for this user, indexed by key ID & encrypted key (encrypted with a hashed passphrase) security of private keys thus depends on the pass-phrase security 36 18

PGP Message Generation 37 PGP Message Reception 38 19

PGP Key Distribution Public keys for encrypting session keys / verifying signatures. Private keys for decrypting session keys / creating signatures. Where do these keys come from and on what basis can they be trusted? 39 PGP Key Distribution PGP adopts a trust model called the web of trust. No centralized authority Individuals sign one another s public keys, these certificates are stored along with keys in key rings. PGP computes a trust level for each public key in key ring. Users interpret trust level for themselves. 40 20

PGP Key Distribution Issues Original intention was that all e-mail users would contribute to web of trust. Reality is that this web is sparsely populated. How should security-unaware users assign and interpret trust levels? Later versions of PGP support X.509 certs. 41 PGP in Practice PGP plugins available Standalone Email clients (Enigmail) Browser extensions (e.g., FireGPG, Mailvelope) SecureGmail (Chrome extension) You will be playing around with this as part of Lab 1 (Problem 1) 42 21

Chapter 8 of Stallings References 43 Key Distribution 44 22

Key Distribution Cryptographic primitives seen so far assume In private key setting: Alice and Bob share a secret key which is unknown to Oscar. In public key setting: Alice has a trusted (or authenticated) copy of Bob s public key. But how does this happen in the first place? Alice and Bob meet and exchange key(s) Not always practical or possible. We need key distribution, first and foremost! Idea: make use of a trusted third party (TTP) 45 Private Key Distribution: An Attempt Protocol assumes that Alice and Bob share a session key K A and K B with a Key Distribution Center (KDC). Alice calls Trent (Trusted KDC) and requests a session key to communicate with Bob. Trent generates random session key K and sends E KA (K) to Alice and E KB (K) to Bob. Alice and Bob decrypt with K A and K B respectively to get K. This is a key distribution protocol. Susceptible to replay attack! 46 23

Session Key Exchange with KDC Needham- Schroeder Protocol A -> KDC ID A ID B N 1 (Hello, I am Alice, I want to talk to Bob, I need a session Key and here is a random nonce identifying this request) KDC -> A E KA ( K ID B N 1 E KB (K ID A )) Encrypted(Here is a key, for you to talk to Bob as per your request N 1 and also an envelope to Bob containing the same key) A -> B E KB (K ID A ) (I would like to talk using key in envelope sent by KDC) B -> A E K (N 2 ) (OK Alice, But can you prove to me that you are indeed Alice and know the key?) A -> B E K (f(n 2 )) (Sure I can!) Dennig-Sacco (replay) attack on the protocol 47 Session Key Exchange with KDC Needham- Schroeder Protocol (corrected version with mutual authentication) A -> KDC: ID A ID B N 1 (Hello, I am Alice, I want to talk to Bob, I need a session Key and here is a random nonce identifying this request) KDC -> A: E KA ( K ID B N 1 E KB (TS1, K ID A )) Encrypted(Here is a key, for you to talk to Bob as per your request N 1 and also an envelope to Bob containing the same key) A -> B: E K (TS2), E KB (TS1, K ID A ) (I would like to talk using key in envelope sent by KDC; here is an authenticator) B -> A: E K (TS2+1) (OK Alice, here is a proof that I am really Bob) 48 24

Some questions Can a KDC learn communication between Alice and Bob, to whom it issued keys? Can OTP make for a good MAC? Can H(K m) make for a good MAC? Does HMAC provide non-repudiation? 49 Key Distribution Cryptographic primitives seen so far assume In private key setting: Alice and Bob share a secret key which is unknown to Oscar. In public key setting: Alice has a trusted (or authenticated) copy of Bob s public key. But how does this happen in the first place? Alice and Bob meet and exchange key(s) Not always practical or possible. We need key distribution, first and foremost! Idea: make use of a trusted third party (TTP) 50 25

Public Key Distribution Public announcements (such as email) Can be forged Public directory Can be tampered with Public-key certification authority (CA) (such as verisign) This is what we use in practice CA issues certificates to the users 51 Naming and Certificates Certification authority s vouch for the identity of an entity - Distinguished Names (DN). /O=UAB/OU=CIS/CN=Nitesh Saxena Although CN may be same, DN is different. Policies of certification Authentication policy What level of authentication is required to identify the principal. Issuance policy Given the identity of principal will the CA issue a certificate? 52 26

Types of Certificates CA s vouch at some level the identity of the principal. Example Verisign: Class 1 Email address Class 2 Name and address verified through database. Class 3- Background check. 53 Public Key Certificate Public Key Certificate Signed messages specifying a name (identity) and the corresponding public key. Signed by whom Certification Authority (CA), an organization that issues public key certificates. We assume that everyone is in possession of a trusted copy of the CA s public key. 54 27

Public Key Certificate Note: Mechanism of certification and content of certificate, will vary but at the minimum we have email verification and contains ID and Public Key. 55 Certificate Verification/Validation 56 28

Certificate Revocation CA also needs some mechanism to revoke certificates Private key compromised. CA mistake in issuing certificate. Particular service the certificate grants access to may no longer exist. CA compromised. Expiration time solves the problems only partially. Certification Revocation Lists (CRL) a list of every certificate that has been revoked but not expired. CRL s quickly grow large! CRL s distributed periodically. What about time period between revocation and distribution of CRL? Other mechanisms OCSP (online certificate status protocol) 57 X.509 Clearly, there is a need for standardization X.509. Originally 1988, revised 93 and 95. X.509 is part of X.500 series that defines a directory service. Defines a framework for authentication services by X.500 directory to its users. Used in S/MIME, IPSEC, SSL etc. Does not dictate use of specific algorithm (recommends RSA). 58 29

X.509 Certificate 59 Advantages of CA Over KDC CA does not need to be on-line all the time! CA can be very simple computing device. If CA crashes, life goes on (except CRL). Certificates can be stored in an insecure manner!! Compromised CA cannot decrypt messages. Scales well. 60 30

Public-key Infrastructure (PKI) Combination of digital certificates, public-key cryptography, and certificate authorities. A typical enterprise's PKI encompasses issuance of digital certificates to users and servers end-user enrollment software integration with corporate certificate directories tools for managing, renewing, and revoking certificates; and related services and support Verisign, Thawte and Entrust PKI providers. Your own PKI using Mozilla/Microsoft certificate servers 61 Problems with PKI Private Key Where and how is private key stored? Host encrypted with pass phrase Host encrypted by OS or application Smart Card Assumes secure host or tamper proof smartcard. 62 31

Problems with PKI - Conflicts X.509, and PGP remain silent on conflicts. They assume CA s will ensure that no conflicts arise. But in practice conflicts may exist John A. Smith and John B. Smith may live at the same address. 63 Trustworthiness of Issuer A certificate is the binding of an external identity to a cryptographic key and a distinguished name. If the issuer can be fooled, all who rely upon the certificate can be fooled How do you trust CA from country XYZ (your favorite prejudice). 64 32

Stallings Chapter 4 HAC Chapter 12 Further Reading 65 Further Reading X.509 page http://www.ietf.org/html.charters/pkixcharter.html Ten Risks of PKI - http://www.schneier.com/paper-pki.html 66 33

Some questions Can a KDC learn communication between Alice and Bob, to whom it issued keys? Can a CA learn communication between Alice and Bob, to whom it issued certificates? What happens if the CA is online all the time? Alice uses her private key, public key pairs and a CA issued certificate. She learnt that Eve might have leaned her key. What should she do? 67 Some Questions Sometimes when you access an https website, you get a security warning. What is that warning for? Sometimes when you connect to an SSH server, you get a security warning. What is that warning for? What is a self-signed certificate? 68 34

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback