CSC574: Computer & Network Security

CSC574: Computer & Network Security Lecture 4 Prof. William Enck Spring 2016 (Derived from slides by Micah Sherr, Patrick McDaniel, and Peng Ning)

Announcements Homework 2, assigned. Due Friday, January 29 th at 11:59pm 2

Modes of Operation Most ciphers work on blocks of fixed (small) size How to encrypt long messages? Modes of operation ECB (Electronic Code Book) CBC (Cipher Block Chaining) OFB (Output Feedback) CFB (Cipher Feedback) CTR (Counter) 3

Issues for Block Chaining Modes Information leakage: Does it reveal info about the plaintext blocks? Ciphertext manipulation: Can an attacker modify ciphertext block(s) in a way that will produce a predictable/desired change in the decrypted plaintext block(s)? Note: assume the structure of the plaintext is known, e.g., first block is employee #1 salary, second block is employee #2 salary, etc. Parallel/Sequential: Can blocks of plaintext (ciphertext) be encrypted (decrypted) in parallel? Error Propagation: If there is an error in a plaintext (ciphertext) block, will there be an encryption (decryption) error in more than one ciphertext (plaintext) block? 4

Electronic Code Book Plaintext (ECB) M 1 M 2 M 3 M 4 46 + padding Key E E E E Ciphertext C 1 C 2 C 3 C 4 The easiest mode of operation; each block is independently encrypted 5

ECB Decryption M 1 M 2 M 3 M 4 46 + padding Key D D D D C 1 C 2 C 3 C 4 Each block is independently decrypted 6

ECB Issues Information leaks: two ciphertext blocks that are the same Manipulation: switch ciphertext with predictable results on plaintext (e.g., shuffle). Parallel: yes Propagate: no Plaintext ECB Other modes 7

Cipher Block Chaining (CBC) M 1 M 2 M 3 M 4 46 + padding Initialization Vector Key E E E E C 1 C 2 C 3 C 4 Chaining dependency: each ciphertext block depends on all preceding plaintext blocks 8

Initialization Vectors Initialization Vector (IV) Used along with the key; not secret For a given plaintext, changing either the key, or the IV, will produce a different ciphertext Why is that useful? IV generation and sharing Random; may transmit with the ciphertext Incremental; predictable by receivers 9

CBC Decryption M 1 M 2 M 3 M 4 46 + padding Initialization Vector Key D D D D C 1 C 2 C 3 C 4 How many ciphertext blocks does each plaintext block depend on? 10

CBC Properties Does information leak? Identical plaintext blocks will produce different ciphertext blocks Can ciphertext be manipulated profitably???? Parallel processing possible? no (encryption), yes (decryption) Do ciphertext errors propagate? yes (encryption), a little (decryption) 11

Output Feedback Mode (OFB) Initialization Vector one-time pad Key E Pseudo-Random E Number Generator E E M 1 M 2 M 3 M 4 46 + padding C 1 C 2 C 3 C 4 12

OFB Decryption IV one-time pad Key E E E E M 1 M 2 M 3 M 4 46 + padding C 1 C 2 C 3 C 4 No block decryption required! 13

OFB Properties Does information leak? identical plaintext blocks produce different ciphertext blocks Can ciphertext be manipulated profitably???? Parallel processing possible? no (generating pad), yes (XORing with blocks) Do ciphertext errors propagate???? 14

OFB (Cont d) If you know one plaintext/ciphertext pair, can easily derive the one-time pad that was used i.e., should not reuse a one-time pad! Conclusion: IV must be different every time 15

Cipher Feedback Mode (CFB) IV Key E E E E M 1 M 2 M 3 M 4 46 + padding C 1 C 2 C 3 C 4 Ciphertext block C j depends on all preceding plaintext blocks 16

CFB Decryption IV Key E E E E M 1 M 2 M 3 M 4 46 + padding C 1 C 2 C 3 C 4 No block decryption required! 17

CFB Properties Does information leak? Identical plaintext blocks produce different ciphertext blocks Can ciphertext be manipulated profitably???? Parallel processing possible? no (encryption), yes (decryption) Do ciphertext errors propagate???? 18

Counter Mode (CTR) IV IV++ IV++ Key E E E M 1 M 2 M 3 C 1 C 2 C 3 19

CTR Mode Properties Does information leak? Identical plaintext block produce different ciphertext blocks Can ciphertext be manipulated profitably??? Parallel processing possible Yes (both generating pad and XORing) Do ciphertext errors propagate???? Allow decryption the ciphertext at any location Ideal for random access to ciphertext 20

Basic truths of cryptography Cryptography is not frequently the source of security problems Algorithms are well known and widely studied Vetted through crypto community Avoid any proprietary encryption Claims of new technology or perfect security are almost assuredly snake oil 21

Building systems with cryptography Use quality libraries SSLeay, cryptolib, openssl Find out what cryptographers think of a package before using it Code review like crazy Educate yourself on how to use library Understand caveats by original designer and programmer 22

Common pitfalls Generating randomness Storage of secret keys Virtual memory (pages secrets onto disk) Protocol interactions Poor user interface Poor choice of parameters or modes 23

What encryption does and does not Does: confidentiality Doesn t do: data integrity source authentication Need: ensure that data is not altered and is from an authenticated source 24

Principals Src=Alice, Dest=Bob Msg = network security is fun! Alice Bob Eve 25

Man-in-the-Middle (MitM) attack Src=Alice, Dest=Bob Msg = network security is fun! Src=Alice, Dest=Bob Msg = network security is not fun! Alice Eve Bob 26

Man-in-the-Middle (MitM) attack Src=Alice, Dest=Bob Msg = E K1 ( network security is fun! ) Src=Alice, Dest=Bob Msg = E K2 ( network security is not fun! ) Alice Eve Bob 27

Message Authentication Codes (MACs) MACs provide message integrity and authenticity MACK(M) use symmetric encryption to produce short sequence of bits that depends on both the message (M) and the key (K) MACs should be resistant to existential forgery: Eve should not be able to produce a valid MAC for a message M' without knowing K To provide confidentiality, authenticity, and integrity of a message, Alice sends EK(M,MACK(M)) where EK(X) is the encryption of X using key K Proves that M was encrypted (confidentiality and integrity) by someone who knew K (authenticity) 28

Message Authenticity Src = Alice, Dest = Bob Msg = { network security is fun, MACk( network security is fun! )} Src = Alice, Dest = Bob Msg = { network security isn t fun!,???} Alice Eve Bob Without knowledge of k, Eve can t compute a valid MAC for her forged message! 29

Encryption and Message Authenticity Src = Alice, Dest = Bob Msg = Ek1{{ network security is fun, MACk2( network security is fun! )}} Alice Eve Without knowing k1, Eve can t read Alice s message. Bob Without knowing k2, Eve can t compute a valid MAC for her forged message! 30

Cryptographic Hash Functions Hash function h: deterministic one-way function that takes as input an arbitrary message M (sometimes called a preimage) and returns as output h(m), a small fixed length hash (sometimes called a digest) Hash functions should have the following two properties: compression: reduces arbitrary length string to fixed length hash ease of computation: given message M, h(m) is easy to compute 31

Hash functions are usually fairly inexpensive (i.e., compared with public key cryptography) % openssl speed sha Doing sha1 for 3s on 16 size blocks: 4470649 sha1's in 3.00s Doing sha1 for 3s on 64 size blocks: 3442313 sha1's in 2.99s Doing sha1 for 3s on 256 size blocks: 2040819 sha1's in 3.00s Doing sha1 for 3s on 1024 size blocks: 773189 sha1's in 3.00s Doing sha1 for 3s on 8192 size blocks: 114222 sha1's in 3.00s... Doing sha512 for 3s on 16 size blocks: 2849624 sha512's in 2.99s Doing sha512 for 3s on 64 size blocks: 2837564 sha512's in 3.00s Doing sha512 for 3s on 256 size blocks: 1416 sha512's in 3.00s Doing sha512 for 3s on 1024 size blocks: 481337 sha512's in 3.00s Doing sha512 for 3s on 8192 size blocks: 71397 sha512's in 3.00s OpenSSL 1.0.0d 8 Feb 2011 built on: Tue Feb 15 16:03:54 EST 2011 options:bn(64,64) rc4(ptr,char) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx) compiler: /usr/bin/gcc-4.2 -fpic -fno-common -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS - D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch x86_64 -O3 -DL_ENDIAN -DMD32_REG_T=int - Wall The 'numbers' are in 1000s of bytes per second processed. type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes sha1 23843.46k 73681.62k 174149.89k 263915.18k 311902.21k sha256 18572.85k 47224.32k 89395.29k 115009.19k 125728.09k sha512 15248.82k 60534.70k 109347.50k 164296.36k 194961.41k 32

Why might hashes be useful? Message authentication codes (MACs): e.g.: MACK(M) = h(k M) (but don't do this, use HMAC instead) Modification detection codes: detect modification of data any change in data will cause change in hash 33

Prof. Pedantic proposes the following hash function, arguing that it offers both compression and ease of computation. h(m) = 0 if the number of 0s in M is divisible by 3 h(m) = 1 otherwise Why is this a lousy crypto hash function? 34

Cryptographic Hash Functions Properties of good cryptographic hash functions: preimage resistance: given digest y, computationally infeasible to find preimage x' such that h(x')=y (also called one-way property ) 2nd-preimage resistance: given preimage x, computationally infeasible to find preimage x' such that h(x)=h(x') (also called weak collision resistance ) collision resistance: computationally infeasible to find preimages i,j such that h(i)=h(j) (also called strong collision resistance ) 35

Birthday Attack Birthday Paradox: chances that 2+ people share birthday in group of 23 is > 50%. General formulation function f() whose output is uniformly distributed over H possible outputs Number of experiments Q(H) until we find a collision is approximately: E.g., Why is this relevant to hash sizes? 36

Practical Implications Choosing two messages that have the same hash h(x) = h(x ) is more practical than you might think. Example attack: secretary is asked to write a bad letter, but wants to replace with a good letter. Boss signs the letter after reading Dear Anthony, # This letter is& " %! I am writing $ to introduce! "# you to to you $ %&! "# Mr. -- $ %& Alfred! "# P. -- $ %& Barton, the " # new! newly appointed $ %&! "# chief senior $ %& jewellery buyer for! "# our the $ %& Northern " # European! Europe $ %&! "# area division $ %&. He! "# will take has taken $ %& over! "# the -- $ %& responsibility for " # all! the whole of $ %& our interests in! "# watches and jewellery jewellery and watches $ %& in the " # area! region $ %&. Please! "# afford give $ %& him! "# every all the $ %& help he! "# may need needs $ %& to " # seek out! find $ %& the most " # modern! up to date $ %& lines for the! "# top high $ %& end of the market. He is " # empowered! authorized $ %& to receive on our behalf! "# samples specimens $ %& of the # latest& " %! newest $! "# watch and jewellery jewellery and watch $ %& products,! "# up subject $ %& to a! "# limit maximum $ %& of ten thousand dollars. He will " # carry! hold $ %& a signed copy of this! "# letter document $ %& as proof of identity. An order with his signature, which is " # appended! attached $ %& # authorizes& " %! allows you to charge the cost to this company at the " # above $! head office $ %& address. We " # fully! -- $ %& expect that our " # level! volume $ %& of orders will increase in the " # following! next $ %& year and " # trust! hope $ %& that the new appointment will! "# be prove $ %& # advantageous& " %! an advantage to both our companies. $ 37 Figure 11.7 A Letter in 2 37 Variations (from Stallings, Crypto and Net Security)

Some common cryptographic hash functions MD5 (-bit digest) [don t use this] SHA-1 (160-bit digest) [stop using this*] SHA-256 (256-bit digest) SHA-512 (512-bit digest) SHA-3 [recent competition winner] 38

General Structure of Hash Y 0 Y 1 Y L 1 b b b IV = CV 0 n f n CV1 f n n CV L 1 f n CV L IV = Initial value CV i = chaining variable Y i = ith input block f = compression algorithm L n b = number of input blocks = length of hash code = length of input block (from Stallings, Crypto and Net Security) 39

Comparison of SHA Parameters Message Digest Size SHA-1 SHA-224 SHA-256 SHA-384 SHA-512 160 224 256 384 512 Message Size < 2 64 < 2 64 < 2 64 < 2 < 2 Block Size 512 512 512 1024 1024 Word Size 32 32 32 64 64 Number of Steps 80 64 64 80 80 Note: All sizes are measured in bits. 40 (from Stallings, Crypto and Net Security)

SHA-512 L bits Message N 1024 bits 1000000... 0 bits L 1024 bits 1024 bits 1024 bits M 1 M 2 M N F F F + + + IV = H 0 H 1 H 2 H N 512 bits 512 bits 512 bits hash code + = word-by-word addition mod 264 (from Stallings, Crypto and Net Security) 41

SHA-512 Function M i H i 1 message schedule 64 a b c d e f g h W 0 K 0 Round 0 W t a b c d e f g h Round t K t a b c d e f g h W 79 K 79 Round 79 + + + + + + + + H i 42 (from Stallings, Crypto and Net Security)

Prof. Pedantic decides to use SHA256 to authenticate messages Protocol: Sender: Input: message M Output: M SHA256(M) Receiver: Input: M SHA256(M) (from the Sender) Computes hash over M and checks that it matches value from sender why is this terrible?...and how can it be improved? 43

Message Extension Attack Why is MAC k (M) = H(k M) bad? How can Eve append M to M? Goal: compute H(k M M ) without knowing k Solution: Use H(k M) as IV for next f iteration in H() 44

A Better MAC Objectives Use available hash functions without modification Easily replace embedded hash function as more secure ones are found Preserve original performance of hash function Easy to use 45

HMAC K + ipad = 0x363636 b bits b bits b bits S i Y 0 Y 1 Y L 1 HMAC(k,M) = H(k opad H(k ipad M)) Attacker cannot extend MAC as before Prove it to yourself K + IV opad n bits = 0x5C5C5C Hash n bits H(S i M) b bits pad to b bits S o IV n bits Hash n bits HMAC(K, M) (from Stallings, Crypto and Net Security) 46

Using hashes as authenticators Consider the following scenario Prof. Smart E. Pants has not decided if she will cancel the next lecture. When she does decide, she communicates to Bob the student through Mallory, her evil TA. She does not care if Bob shows up to a cancelled class, but she does not want students to not show up if the class hasn t been cancelled Prof. Pants does not trust Mallory to deliver the message. Prof. Smart E. Pants and Bob use the following protocol: Prof. Pants invents a secret t Prof. Pants gives Bob h(t), where h() is a crypto hash function If she cancels class, she gives t to Mallory to give to Bob If does not cancel class, she does nothing If Bob receives the token t, he knows that Prof. Pants sent it 47

Hash Authenticators Why is this protocol secure? t acts as an authenticated value (authenticator) because Mallory could not have produced t without inverting h() Note: Mallory can convince Bob that class is occurring when it is not by simply not delivering t (but we assume Bob is smart enough to come to that conclusion when the room is empty) Note that it is important that Bob gets the original value h(t) from Alice directly (was provably authentic) 48

Hash chain Now, consider the case where Alice wants to do the same protocol, only for all 26 classes (the semester) Alice and Bob use the following protocol: 1. Alice invents a secret t 2. Alice gives Bob H 26 (t), where H 26 () is 26 repeated uses of H(). 3. If she cancels class on day d, she gives H (26-D) (t) to Mallory, e.g., If cancels on day 1, she gives Mallory H 25 (t) If cancels on day 2, she gives Mallory H 24 (t). If cancels on day 25, she gives Mallory H 1 (t) If cancels on day 26, she gives Mallory t 4. If Alice does not cancel class, she does nothing If Bob receives the token t, he knows that Alice sent it 49

Hash Chain (cont.) Why is this protocol secure? On day d, H (26-d) (t) acts as an authenticated value (authenticator) because Mallory could not create t without inverting H() because for any H k (t) she has k>(26-d) That is, Mallory potentially has access to the hash values for all days prior to today, but that provides no information on today s value, as they are all post-images of today s value Note: Mallory can again convince Bob that class is occurring by not delivering H (26-d) (t) Chain of hash values are ordered authenticators Important that Bob got the original value H 26 (t) from Alice directly (was provably authentic) 50

PRNG using Hashes V +1 Hash functions can also be used to build pseudorandom number generator (PRNGs) for generating a stream of pseudo random bits Two uses: Create random values: Seed should only be known to the user Stream encryption: Seed known to sender and receiver K Cryptographic hash function (a) PRNG using cryptographic hash function V HMAC Pseudorandom output Pseudorandom output 51 (b) PRNG using HMAC (from Stallings, Crypto and Net Security)