Unit 8 Review. Secure your network! CS144, Stanford University

Similar documents
Cryptography. Recall from last lecture. [Symmetric] Encryption. How Cryptography Helps. One-time pad. Idea: Computational security

CSE 127: Computer Security Cryptography. Kirill Levchenko

Lecture 1 Applied Cryptography (Part 1)

CIS 4360 Secure Computer Systems Symmetric Cryptography

Winter 2011 Josh Benaloh Brian LaMacchia

symmetric cryptography s642 computer security adam everspaugh

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

Data Integrity. Modified by: Dr. Ramzi Saifan

CS155. Cryptography Overview

Recall from last lecture To a first approximation, attackers control network Today s lecture: How to defend against this

CS155. Cryptography Overview

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Practical Aspects of Modern Cryptography

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

David Wetherall, with some slides from Radia Perlman s security lectures.

Introduction to Cryptography. Lecture 6

CS408 Cryptography & Internet Security

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Computer Security CS 526

Encryption. INST 346, Section 0201 April 3, 2018

Cryptographic Systems

Summary on Crypto Primitives and Protocols

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Introduction to Cryptography. Steven M. Bellovin September 27,

More on Cryptography CS 136 Computer Security Peter Reiher January 19, 2017

Message Authentication Codes and Cryptographic Hash Functions

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

Cryptographic hash functions and MACs

Cryptography (Overview)

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

CSC/ECE 774 Advanced Network Security

CS 161 Computer Security

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Spring 2010: CS419 Computer Security

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

n-bit Output Feedback

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

symmetric cryptography s642 computer security adam everspaugh

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

CSC574: Computer & Network Security

Content of this part

Symmetric Encryption 2: Integrity

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

CS 161 Computer Security

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

CSC 774 Network Security

Information Security CS526

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

APNIC elearning: Cryptography Basics

CS 161 Computer Security

Kurose & Ross, Chapters (5 th ed.)

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

Message authentication codes

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

Crypto: Symmetric-Key Cryptography

COMP4109 : Applied Cryptography

Unit III. Chapter 1: Message Authentication and Hash Functions. Overview:

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

Cryptographic Hash Functions

UNIT - IV Cryptographic Hash Function 31.1

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

CSCE 715: Network Systems Security

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Feedback Week 4 - Problem Set

Cryptography Overview

Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

CS 645 : Lecture 6 Hashes, HMAC, and Authentication. Rachel Greenstadt May 16, 2012

Data Integrity & Authentication. Message Authentication Codes (MACs)

CSC 580 Cryptography and Computer Security

Cryptography Functions

Cryptography and Network Security Chapter 12. Message Authentication. Message Security Requirements. Public Key Message Encryption

Overview. SSL Cryptography Overview CHAPTER 1

Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

Lecture 4: Authentication and Hashing

Ref:

Cryptography Overview

CS 161 Computer Security. Week of September 11, 2017: Cryptography I

CS 161 Computer Security

Computational Security, Stream and Block Cipher Functions

Cryptographic Checksums

Network Security Essentials Chapter 2

Message authentication. Why message authentication. Authentication primitives. and secure hashing. To prevent against:

1 Achieving IND-CPA security

Symmetric Encryption. Thierry Sans

Security. Communication security. System Security

Lecture 1: Course Introduction

Cryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015

Block Cipher Modes of Operation

Data Integrity & Authentication. Message Authentication Codes (MACs)

Appendix A: Introduction to cryptographic algorithms and protocols

CSC 474/574 Information Systems Security

Stream Ciphers. Stream Ciphers 1

Transcription:

Unit 8 Review Secure your network! 1

Basic Problem Internet To first approximation, attackers control the network Can snoop, replay, suppress, send How do we defend against this? Communicate securely despite insecure networks -- cryptography Secure small parts of network despite insecurity of wider network Design systems to scale well in response to attacks Two approaches: cryptography and scalable system design 2

Cryptography Internet 3 A set of mathematical principles and ideas for securing communication Be careful: easy to mess up! Often misused! Need to understand what it guarantees and what it doesn t How cryptography helps Confidentiality: we can communicate privately (encryption) Integrity: protect from tampering (hashes, signatures, MACs) Authenticity: you are whom you say you are (certificates, MACs, signatures)

Confidentiality I want to tell you something secretly, so no-one else knows what I said My credit card number is... Perfect confidentiality: one-time pad You and I share a perfectly random key of zeroes and ones, K, nobody else has it I XOR my message M with K, producing C, send C to you (C = M K) You XOR C with K, you have reconstructed M (M = C K) Advantages: informationally theoretic secure and fast Given any C, any M is equally likely Disadvantage: need a K as long as all data I might ever send Ways to exchange a small K such that there are 2 k possible Cs 4

Integrity I want to make sure you received my message unchanged/untampered I recalculated his grade and it is a C..., program to run on your computer I want to make sure you sent the message Nick says: I said it was alright if he handed in the assignment late Cryptographic hash: H(M) Turn arbitrary length input into fixed length hash Collision-resistance: given x y, intractable to find H(x) = H(y) Message authentication code: MAC(M,K) Use key K to generate MAC(M,K), use K to check MAC(M,K) Intractable to generate MAC(M,K) unless you have K 5

Authenticity I want to be sure you are whom you say you are This is the provost... I need your credit card number. You should send all of my traffic through this third party We ve exchanged a secret K beforehand: MAC( This is the..., K) If we haven t: chain of of trust We can trust Verisign by design (root of trust) Verisign says here s a secret for Stanford Stanford says here s a secret for the provost 6

Symmetric Encryption Both parties, Alice and Bob, share a secret key K Given a message M and a key K M is known as the plaintext or cleartext, what we re trying to keep secret Encrypt: E(K, M) C, C is known as the ciphertext Decrypt: D(K, C) M Attacker cannot derive M from C without K (or trying every K...) E and D take the same key K, hence the name symmetric encryption Examples: AES, Blowfish, DES, RC4 7

One-Time Pad Generate a perfectly random stream of bits K E(K, M) = M K D(K, C) = C K (K K == 0) Perfect secrecy Informationally-theoretic secure: given C but not K, M could be anything! Fast: XORing is cheap and fast Totally impractical Need a very big key, same size as all data 8

Idea: Computational Security Distribute small K (e.g., 128 bits, 256 bits) securely Use K to encrypt much larger M Given C = E(K, M), may be only one possible M If M has redundancy But believed computationally intractable to find Could try all possible K, but 2 128 is a lot of work! 9

Security (1983) Shafi Goldwasser and Silvio Micali, 2013 Turing Award By formalizing the concept that cryptographic security had to be computational rather than absolute, they created mathematical structures that turned cryptography from an art into a science. Define security in terms of computational complexity: e.g., it would take 1,000,000 computers 1,000,000 years to read your secret message 10

Ciphers Stream ciphers: pseudo-random pad Generate a pseudo-random sequence of bits based on key Encrypt/decrypt by XORing like one-time pad BUT NOT A ONE-TIME PAD! Immediately mistrust anyone who says so! Have run into many problems in practice, so I d recommend avoiding them - Example: 802.11 WEP shown broken in ~2001, replaced by WPA in 2003, WPA2 in 2004 Block ciphers Operate on fixed sized blocks (64 bits, 128 bits, etc.) Maps plaintext blocks to ciphertext blocks Today, should use generally AES: many other algorithms 11

Using Block Ciphers Messages are typically longer than one block ECB (electronic code book) mode Break plaintext into blocks, encrypt each block separately m1 m2 m3 m4 Enc Enc Enc Enc c1 c2 c3 c4 Attacker can t decrypt any of the blocks; message secure Can re-use keys, every block encrypted with cipher will be secure 12

WRONG! Attacker will learn of repeated plaintext blocks If transmitting a sparse file, will know where non-zero regions lie Example: military instructions Most days, send encrypted nothing to report One day, send attack today, attacker will know plans are being made source ECB desired output 13 http://en.wikipedia.org/wiki/block_cipher_mode_of_operation

Cipher Block Chaining (CBC) Mode m1 m2 m3 m4 IV Enc Enc Enc Enc c1 c2 c3 c4 Choose initialization vector (IV) for each message, can be publicly known Can be 0 iff key only ever used to encrypt one message Choose randomly for each message if key re-used C 1 = E(K, M 1 IV), C i = E(K, M i C i-1 ) 14

Cipher Block Chaining (CBC) Mode m1 m2 m3 m4 IV Enc Enc Enc Enc c1 c2 c3 c4 Choose initialization vector (IV) for each message, can be publicly known Can be 0 iff key only ever used to encrypt one message Choose randomly for each message if key re-used C 1 = E(K, M 1 IV), C i = E(K, M i C i-1 ) source ECB CBC 15

Many Other Modes! Cipher Feedback (CFB) mode: C i = M i E(K, C i-1 ) Useful for message that are not multiple of block size Output Feedback (OFB) mode Repeatedly encrypt IV & use result like stream cipher Counter (CTR) mode: C i = M i E(K, i) Useful if you want to encrypt in parallel, also means encryption same as decryption (IoT) Quiz: given a shared secret key, can you transmit files secured from adversaries over a network solely by encrypting them in CBC mode? 16

Secrecy Is Not Enough Encryption protects someone from reading plaintext An adversary can still modify messages Flip a bit in the plaintext Lead you to accept garbage data Integrity: protecting messages from tampering and modification Node actually advertised that routing vector Person actually made that bid Endpoint actually sent that message to terminate the connection Confidentiality without integrity is rare (and a sign of a poor design), while integrity without confidentiality is common Exception: encrypted storage (not on a network, no MitM) 17

Two Integrity Examples Cryptographic hashes Way to verify that data has not been modified Requires no secrets: anyone can generate one Useful in data storage Message authentication codes (MACs) Way to verify that data has not been modified Also verifies generator has secret key: authenticity Useful in networks 18

Cryptographic Hash Hash: computed fixed length output from arbitrary length input Typical sizes 160-412 bits Very cheap to compute, faster than network Cryptographic hash: also collision-resistant Intractable to find x y such that H(x) = H(y) Of course, many such collisions exist: (2 (230-256) GB blocks have same 256-bit hash) But no-one has been able to find one, even after analyzing the algorithm for years Use SHA-256 or SHA-512 today (SHA-2) Historically, most popular hash was SHA-1, but it s nearly broken October 2, 2012: Keccak algorithm chosen by NIST for SHA-3 - Goal: alternative, dissimilar hash function to SHA-2 Designed by NSA 19 Designed by Bertoni et al.

HMAC Anyone can generate a cryptographic hash: MACs want to also provide assurance generator has shared secret Simple approach: generate MAC from hash and secret, HMAC(K,M) = SHA-2(K, M) Send {M, HMAC(K,M)} Simple: we have a cryptographically strong MAC! 20

WRONG Anyone If can I have generate {M, a cryptographic HMAC(K,M)}, hash: MACs want to also provide assurance generator has shared secret Simple I approach: can generate MAC {M, from HMAC(K,M )}, hash and secret, HMAC(K,M) = SHA-2(K, M) where M has data appended to M Send {M, HMAC(K,M)} Simple: we have a cryptographically strong MAC! 21

HMAC, Revisited HMAC(K,M) = H(K opad, H(K ipad, M)) H is a cryptographic hash such as SHA-3 ipad is 0x36 repeated 64 times, opad 0x5c repeated 64 times Why does previous attack not work? H K opad H K ipad M 22

Encryption and MACs Should I encrypt the MAC, or MAC the encrypted data? M encrypt MAC or encrypt M MAC Encrypting the MAC is not always secure MACing encrypted data is always secure 23

Popular Public Key Algorithms Encryption: RSA, Rabin, ElGamal Signature: RSA, Rabin. ElGamal, Schnorr, DSA,... Warning: message padding critically important Basic idea behind RSA encryption is simple (modular exponentiation of large integers) But simple transformations of message to numbers is not secure Many keys support both signing and encryption But they use different algorithms Common error: Sign by encrypting with private key 24

Confidentiality Three (randomized) algorithms Generate: G(1k ) K, K -1 (randomized) Encrypt: E(K,m) {m} K (randomized) Decrypt: D(K -1, {m}k ) m Provides confidentiality: can t derive m from {m}k without K -1 K can be made public: can t derive K -1 from K Everyone can share the same K ( public key) Encrypt must be randomized Same plaintext sent multiple times must generate different ciphertexts Otherwise can easily guess plaintext for small message space ( yes, no ) 25

Integrity: Signatures Three (randomized) algorithms Generate: G(1k ) K, K -1 (randomized) Sign: S(K -1,m) {m}k -1 (can be randomized) Verify: V(K, {m} K -1, m) {yes, no} Provides integrity like a MAC Cannot produce valid ({m} K -1, m) pair without K -1 But only need K to verify, cannot derive K -1 from K So K can be publicly known 26

The Catch Cost of public key algorithms is significant Algorithm Encrypt Decrypt Sign Verify RSA 1024 0.08ms 1.46ms 1.48ms 0.07ms RSA 2048 0.16ms 6.08ms 6.05ms 0.16ms DSA 1024 0.45ms 0.83ms LUC 2048 0.18ms 9.89ms 9.92ms 0.18ms DLIES 2048 4.11ms 3.86ms In contrast, symmetric algorithms can operate at line speed 27 http://www.cryptopp.com/benchmarks.html

Problem Want to communicate securely with a server, e.g. www.amazon.com Using public key cryptography, given a public key K, we can verify that another program has the associated private key K -1 - Verify: V(K, {m}k -1, m) {yes, no} Use public key cryptography to exchange symmetric keys Problem: key management How do we get the server s public key? How can we be sure it s the server s public key? 28

Certificate Certificate: document signed by a private key K1-1 that binds a public key K2 to an identity/name N The public key of www.ebay.com is... The public key of axess.stanford.edu is... If we trust the signing party and know their public key, we can use K2 when communicating with N axess.stanford.edu signed by K1 K2 29

Bad Certificate! 30

Bootstrapping Trust Everyone trusts a few signing authorities and knows their public keys Hard-baked into your browser or OS Examples: Verisign, Microsoft, Google Root authorities sign certificates (e.g., for Stanford) Can then use those certificates to sign further certificates Chain of trust - GeoTrust to Google to www.google.com Certificate only says that someone testifies that a host has this key! Have to trust every step along chain This is how TLS/HTTPS works today (the padlock in your browser bar) 31

Hybrid Schemes Use public key to encrypt symmetric key Negotiate secret session key Use public key crypto to establish 4 symmetric keys Client sends server {{m 1}K1, HMAC(K2, {m1}k1)} Server sends client {{m2}k3, HMAC(K4, {m2}k3)} Common pitfall: signing underspecified messages E.g., always specify intended recipient in signed messages Should also specify expiration, or better yet fresh data Otherwise like signing a blank check to anyone for all time... 32

TLS Handshake Client supported ciphers, client random not confidential Server chosen ciphers, server random, certificate not confidential compute keys encrypted pre-master secret encrypted with server public key MAC of handshake messsages encrypted with session key compute keys MAC of handshake messages encrypted with session key 33

Establishing Session Keys Both client and server add randomness Client sends pre-master secret encrypted with server s public key Use randomness and pre-master secret to generate master secret Use master secret and random numbers to generate session keys Client to server write (encryption) Client to server MAC Server to client write (encryption) Server to client MAC Client initialization vector Server initialization vector Support for resuming sessions with same master secret (but new keys) 34

Client IV Server IV Client write Server write Client MAC Server MAC Session Key Details Client Random Premaster Secret (48B) Master Secret (48B) Code Block Server Random PRF PRF 35

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback