document10

Chapter 10: Cipher TechniquesSome ProblemsTypes of CiphersNetworksExamples

Introduction to Computer Security

OverviewProblemsWhat can go wrong if you naively use ciphersCipher typesStream or block ciphers?NetworksLink vs end-to-end useExamplesPrivacy-Enhanced Electronic Mail (PEM)Security at the Network Layer (IPsec)


ProblemsUsing cipher requires knowledge of environment, and threats in the environment, in which cipher will be usedIs the set of possible messages small?Do the messages exhibit regularities that remain after encipherment?Can an active wiretapper rearrange or change parts of the message?


Attack #1: PrecomputationSet of possible messages M smallPublic key cipher f usedIdea: precompute set of possible ciphertexts f(M), build table (m, f(m))When ciphertext f(m) appears, use table to find mAlso called forward searches


ExampleCathy knows Alice will send Bob one of two messages: enciphered BUY, or enciphered SELLUsing public key eBob, Cathy precomputes m1 = { BUY } eBob, m2 = { SELL } eBobCathy sees Alice send Bob m2Cathy knows Alice sent SELL


May Not Be ObviousDigitized soundSeems like far too many possible plaintextsInitial calculations suggest 232 such plaintextsAnalysis of redundancy in human speech reduced this to about 100,000 ( 217)This is small enough to worry about precomputation attacks


Misordered BlocksAlice sends Bob messagenBob = 77, eBob = 17, dBob = 53Message is LIVE (11 08 21 04)Enciphered message is 44 57 21 16Eve intercepts it, rearranges blocksNow enciphered message is 16 21 57 44Bob gets enciphered message, deciphers itHe sees EVIL


NotesDigitally signing each block wont stop this attackTwo approaches:Cryptographically hash the entire message and sign itPlace sequence numbers in each block of message, so recipient can tell intended orderThen you sign each block


Statistical RegularitiesIf plaintext repeats, ciphertext may tooExample using DES:input (in hex):3231 3433 3635 3837 3231 3433 3635 3837corresponding output (in hex):ef7c 4bb2 b4ce 6f3b ef7c 4bb2 b4ce 6f3bFix: cascade blocks together (chaining)More details later


What These MeanUse of strong cryptosystems, well-chosen (or random) keys not enough to be secureOther factors:Protocols directing use of cryptosystemsAncillary information added by protocolsImplementation (not discussed here)Maintenance and operation (not discussed here)


Stream, Block CiphersE encipherment functionEk(b) encipherment of message b with key kIn what follows, m = b1b2 , each bi of fixed lengthBlock cipherEk(m) = Ek(b1)Ek(b2) Stream cipherk = k1k2 Ek(m) = Ek1(b1)Ek2(b2) If k1k2 repeats itself, cipher is periodic and the kength of its period is one cycle of k1k2


ExamplesVigenre cipherbi = 1 character, k = k1k2 where ki = 1 characterEach bi enciphered using ki mod length(k)Stream cipherDESbi = 64 bits, k = 56 bitsEach bi enciphered separately using kBlock cipher


Stream CiphersOften (try to) implement one-time pad by xoring each bit of key with one bit of messageExample:m = 00101k = 10010c = 10111But how to generate a good key?


Synchronous Stream Ciphersn-stage Linear Feedback Shift Register: consists ofn bit register r = r0rn1n bit tap sequence t = t0tn1Use:Use rn1 as key bitCompute x = r0t0 rn1tn1Shift r one bit to right, dropping rn1, x becomes r0


Operationr0rn1bicir0rn1ri = ri1,0 < i nr0t0 + + rn1tn1


Example4-stage LFSR; t = 1001rkinew bit computationnew r0010001001001 = 000010001101000011 = 110001000011000001 = 111001100011100001 = 111101110011101001 = 111111111111101011 = 001110011101011 = 11011Key sequence has period of 15 (010001111010110)


NLFSRn-stage Non-Linear Feedback Shift Register: consists ofn bit register r = r0rn1Use:Use rn1 as key bitCompute x = f(r0, , rn1); f is any functionShift r one bit to right, dropping rn1, x becomes r0Note same operation as LFSR but more general bit replacement function


Example4-stage NLFSR; f(r0, r1, r2, r3) = (r0 & r2) | r3rkinew bit computationnew r11000(1 & 0) | 0 = 0011001100(0 & 1) | 0 = 0001100111(0 & 1) | 1 = 1100110011(1 & 0) | 1 = 1110011000(1 & 0) | 0 = 0011001100(0 & 1) | 0 = 0001100111(0 & 1) | 1 = 11001Key sequence has period of 4 (0011)


Eliminating LinearityNLFSRs not commonNo body of theory about how to design them to have long periodAlternate approach: output feedback modeFor E encipherment function, k key, r register:Compute r= Ek(r); key bit is rightmost bit of rSet r to r and iterate, repeatedly enciphering register and extracting key bits, until message encipheredVariant: use a counter that is incremented for each encipherment rather than a registerTake rightmost bit of Ek(i), where i is number of encipherment


Self-Synchronous Stream CipherTake key from message itself (autokey)Example: Vigenre, key drawn from plaintextkeyXTHEBOYHASTHEBAplaintextTHEBOYHASTHEBAGciphertextQALFPNFHSLALFCTProblem:Statistical regularities in plaintext show in keyOnce you get any part of the message, you can decipher more


Another ExampleTake key from ciphertext (autokey)Example: Vigenre, key drawn from ciphertextkeyXQXBCQOVVNGNRTTplaintextTHEBOYHASTHEBAGciphertextQXBCQOVVNGNRTTMProblem:Attacker gets key along with ciphertext, so deciphering is trivial


VariantCipher feedback mode: 1 bit of ciphertext fed into n bit registerSelf-healing property: if ciphertext bit received incorrectly, it and next n bits decipher incorrectly; but after that, the ciphertext bits decipher correctlyNeed to know k, E to decipher ciphertext kEk(r)rEmici


Block CiphersEncipher, decipher multiple bits at onceEach block enciphered independentlyProblem: identical plaintext blocks produce identical ciphertext blocksExample: two database records MEMBER: HOLLY INCOME $100,000 MEMBER: HEIDI INCOME $100,000Encipherment: ABCQZRME GHQMRSIB CTXUVYSS RMGRPFQN ABCQZRME ORMPABRZ CTXUVYSS RMGRPFQN


SolutionsInsert information about blocks position into the plaintext block, then encipherCipher block chaining:Exclusive-or current plaintext block with previous ciphertext block:c0 = Ek(m0 I)ci = Ek(mi ci1) for i > 0where I is the initialization vector


Multiple EncryptionDouble encipherment: c = Ek(Ek(m))Effective key length is 2n, if k, k are length nProblem: breaking it requires 2n+1 encryptions, not 22n encryptionsTriple encipherment:EDE mode: c = Ek(Dk(Ek(m))Problem: chosen plaintext attack takes O(2n) time using 2n ciphertextsTriple encryption mode: c = Ek(Ek(Ek(m))Best attack requires O(22n) time, O(2n) memory


Networks and CryptographyISO/OSI modelConceptually, each host has peer at each layerPeers communicate with peers at same layer


Link and End-to-End ProtocolsLink ProtocolEnd-to-End (or E2E) Protocol


EncryptionLink encryptionEach host enciphers message so host at next hop can read itMessage can be read at intermediate hostsEnd-to-end encryptionHost enciphers message so host at other end of communication can read itMessage cannot be read at intermediate hosts


ExamplesTELNET protocolMessages between client, server enciphered, and encipherment, decipherment occur only at these hostsEnd-to-end protocolPPP Encryption Control ProtocolHost gets message, deciphers itFigures out where to forward itEnciphers it in appropriate key and forwards itLink protocol


Cryptographic ConsiderationsLink encryptionEach host shares key with neighborCan be set on per-host or per-host-pair basisWindsor, stripe, seaview each have own keysOne key for (windsor, stripe); one for (stripe, seaview); one for (windsor, seaview)End-to-endEach host shares key with destinationCan be set on per-host or per-host-pair basisMessage cannot be read at intermediate nodes


Traffic AnalysisLink encryptionCan protect headers of packetsPossible to hide source and destinationNote: may be able to deduce this from traffic flowsEnd-to-end encryptionCannot hide packet headersIntermediate nodes need to route packetAttacker can read source, destination


Example ProtocolsPrivacy-Enhanced Electronic Mail (PEM)Applications layer protocolIP Security (IPSec)Network layer protocol


Goals of PEMConfidentialityOnly sender and recipient(s) can read messageOrigin authenticationIdentify the sender preciselyData integrityAny changes in message are easy to detectNon-repudiation of originWhenever possible


Message Handling SystemUserAgentsMessageTransferAgents


Design PrinciplesDo not change related existing protocolsCannot alter SMTPDo not change existing softwareNeed compatibility with existing softwareMake use of PEM optionalAvailable if desired, but email still works without themSome recipients may use it, others notEnable communication without prearrangementOut-of-bands authentication, key exchange problematic


Basic Design: KeysTwo keysInterchange keys tied to sender, recipients and is static (for some set of messages)Like a public/private key pairMust be available before messages sentData exchange keys generated for each messageLike a session key, session being the message


Basic Design: SendingAliceBob{ m } ks || { ks } kBConfidentiality m message ks data exchange key kB Bobs interchange key


Basic Design: IntegrityAliceBobm { h(m) } kAIntegrity and authentication: m message h(m) hash of message m Message Integrity Check (MIC) kA Alices interchange keyNon-repudiation: if kA is Alices private key, this establishesthat Alices private key was used to sign the message


Basic Design: EverythingAliceBob{ m } ks || { h(m) } kA || { ks } kB Confidentiality, integrity, authentication: Notations as in previous slides If kA is private key, get non-repudiation too


Practical ConsiderationsLimits of SMTPOnly ASCII characters, limited length linesUse encoding procedureMap local char representation into canonical formatFormat meets SMTP requirementsCompute and encipher MIC over the canonical format; encipher message if neededMap each 6 bits of result into a character; insert newline after every 64th characterAdd delimiters around this ASCII message


ProblemRecipient without PEM-compliant software cannot read itIf only integrity and authentication used, should be able to read itMode MIC-CLEAR allows thisSkip step 3 in encoding procedureProblem: some MTAs add blank lines, delete trailing white space, or change end of line characterResult: PEM-compliant software reports integrity failure


PEM vs. PGPUse different ciphersPGP uses IDEA cipherPEM uses DES in CBC modeUse different certificate modelsPGP uses general web of trustPEM uses hierarchical certification structureHandle end of line differentlyPGP remaps end of line if message tagged text, but leaves them alone if message tagged binaryPEM always remaps end of line


IPsecNetwork layer securityProvides confidentiality, integrity, authentication of endpoints, replay detectionProtects all messages sent along a pathdestgw2gw1srcIPIP+IPsecIPsecurity gateway


IPsec Transport ModeEncapsulate IP packet data areaUse IP to send IPsec-wrapped data packetNote: IP header not protectedencapsulateddata bodyIPheader


IPsec Tunnel ModeEncapsulate IP packet (IP header and IP data)Use IP to send IPsec-wrapped packetNote: IP header protectedencapsulateddata bodyIPheader


IPsec ProtocolsAuthentication Header (AH)Message integrityOrigin authenticationAnti-replayEncapsulating Security Payload (ESP)ConfidentialityOthers provided by AH


IPsec ArchitectureSecurity Policy Database (SPD)Says how to handle messages (discard them, add security services, forward message unchanged)SPD associated with network interfaceSPD determines appropriate entry from packet attributesIncluding source, destination, transport protocol


ExampleGoalsDiscard SMTP packets from host 192.168.2.9Forward packets from 192.168.19.7 without changeSPD entriessrc 192.168.2.9, dest 10.1.2.3 to 10.1.2.103, port 25, discardsrc 192.168.19.7, dest 10.1.2.3 to 10.1.2.103, port 25, bypassdest 10.1.2.3 to 10.1.2.103, port 25, apply IPsecNote: entries scanned in orderIf no match for packet, it is discarded


IPsec ArchitectureSecurity Association (SA)Association between peers for security servicesIdentified uniquely by dest address, security protocol (AH or ESP), unique 32-bit number (security parameter index, or SPI)UnidirectionalCan apply different services in either directionSA uses either ESP or AH; if both required, 2 SAs needed


SA Database (SAD)Entry describes SA; some fields for all packets:AH algorithm identifier, keys When SA uses AHESP encipherment algorithm identifier, keys When SA uses confidentiality from ESPESP authentication algorithm identifier, keysWhen SA uses authentication, integrity from ESPSA lifetime (time for deletion or max byte count)IPsec mode (tunnel, transport, either)


SAD FieldsAntireplay (inbound only)When SA uses antireplay featureSequence number counter (outbound only)Generates AH or ESP sequence numberSequence counter overflow fieldStops traffic over this SA if sequence counter overflowsAging variablesUsed to detect time-outs


IPsec ArchitecturePacket arrivesLook in SPDFind appropriate entryGet dest address, security protocol, SPIFind associated SA in SADUse dest address, security protocol, SPIApply security services in SA (if any)


SA Bundles and NestingSequence of SAs that IPsec applies to packetsThis is a SA bundleNest tunnel mode SAsThis is iterated tunneling


Example: Nested TunnelsGroup in A.org needs to communicate with group in B.orgGateways of A, B use IPsec mechanismsBut the information must be secret to everyone except the two groups, even secret from other people in A.org and B.orgInner tunnel: a SA between the hosts of the two groupsOuter tunnel: the SA between the two gateways


Example: SystemshostA.A.orggwA.A.orggwB.B.orghostB.B.orgSA in tunnel mode(outer tunnel)SA in tunnel mode(inner tunnel)


Example: PacketsPacket generated on hostAEncapsulated by hostAs IPsec mechanismsAgain encapsulated by gwAs IPsec mechanismsAbove diagram shows headers, but as you go left, everything to the right would be enciphered and authenticated, etc.IP headerfromhostATransportlayerheaders,dataESP headerfromhostAAH headerfromhostAIP headerfromhostAESP headerfromgwAAH headerfromgwAIP headerfromgwA


AH ProtocolParameters in AH headerLength of headerSPI of SA applying protocolSequence number (anti-replay)Integrity value checkTwo stepsCheck that replay is not occurringCheck authentication data


SenderCheck sequence number will not cycleIncrement sequence numberCompute IVC of packetIncludes IP header, AH header, packet dataIP header: include all fields that will not change in transit; assume all others are 0AH header: authentication data field set to 0 for thisPacket data includes encapsulated data, higher level protocol data


RecipientAssume AH header foundGet SPI, destination addressFind associated SA in SADIf no associated SA, discard packetIf antireplay not usedVerify IVC is correctIf not, discard


Recipient, Using AntireplayCheck packet beyond low end of sliding windowCheck IVC of packetCheck packets slot not occupiedIf any of these is false, discard packetcurrent window


AH MiscellanyAll implementations must support:HMAC_MD5HMAC_SHA-1May support other algorithms


ESP ProtocolParameters in ESP headerSPI of SA applying protocolSequence number (anti-replay)Generic payload data fieldPadding and length of paddingContents depends on ESP services enabled; may be an initialization vector for a chaining cipher, for exampleUsed also to pad packet to length required by cipherOptional authentication data field


SenderAdd ESP headerIncludes whatever padding neededEncipher resultDo not encipher SPI, sequence numbersIf authentication desired, compute as for AH protocol except over ESP header, payload and not encapsulating IP header


RecipientAssume ESP header foundGet SPI, destination addressFind associated SA in SADIf no associated SA, discard packetIf authentication usedDo IVC, antireplay verification as for AHOnly ESP, payload are considered; not IP headerNote authentication data inserted after encipherment, so no deciphering need be done


RecipientIf confidentiality usedDecipher enciphered portion of ESP heaserProcess paddingDecipher payloadIf SA is transport mode, IP header and payload treated as original IP packetIf SA is tunnel mode, payload is an encapsulated IP packet and so is treated as original IP packet


ESP MiscellanyMust use at least one of confidentiality, authentication servicesSynchronization material must be in payloadPackets may not arrive in order, so if not, packets following a missing packet may not be decipherableImplementations of ESP assume classical cryptosystemImplementations of public key systems usually far slower than implementations of classical systemsNot required


More ESP MiscellanyAll implementations must support (encipherment algorithms):DES in CBC modeNULL algorithm (identity; no encipherment)All implementations must support (integrity algorithms):HMAC_MD5HMAC_SHA-1NULL algorithm (no MAC computed)Both cannot be NULL at the same time


Which to Use: PEM, IPsecWhat do the security services apply to?If applicable to one application and application layer mechanisms available, use thatPEM for electronic mailIf more generic services needed, look to lower layersIPsec for network layer, either end-to-end or link mechanisms, for connectionless channels as well as connectionsIf endpoint is host, IPsec sufficient; if endpoint is user, application layer mechanism such as PEM needed


Key PointsKey management critical to effective use of cryptosystemsDifferent levels of keys (session vs. interchange)Keys need infrastructure to identify holders, allow revokingKey escrowing complicates infrastructureDigital signatures provide integrity of origin and contentMuch easier with public key cryptosystems than with classical cryptosystems


document10

Documents