confidentiality using conventional encryption

1Confidentiality

Cryptography & Network Security H. Yoon

Confidentiality Using Conventional Encryption

• Where should cryptographic functionality be located?

• How can we make communications confidential?

• How do we distribute keys?

• What is the role of random numbers?

2Confidentiality


Placement of Encryption Function• Networks are vulnerable to active and passive attacks

– Many potential locations for confidentiality attacks

» By network tapping or other means

» Passive inductive attacks on electrical signaling

» Phone and wiring closets may be accessible to outsiders

» Satellite links are easy to monitor

» etc

Placement of encryption function

Points of Vulnerability

3Confidentiality


Link vs. End-to-End EncryptionPlacement of encryption function

• The most powerful and most common approach to securing the points of vulnerability is encryption

• If encryption is to be used to counter these attacks, need to decide what to encrypt and where the encryption should be located

• Two fundamental alternatives:– Link encryption– End-to-end encryption

4Confidentiality


Link vs. End-to-End EncryptionPlacement of encryption function

5Confidentiality


Logical Placement of E2E Encryption Function• Link encryption occurs at either the physical or link layers

• For end-to-end encryption, several choices are possible

• At the lowest practical layer, the encryption function could be performed at network layer

• All the user processes and applications within each end system would employ the same encryption scheme with the same key

• With this arrangement, front-end processor may be used to off-load the encryption function


6Confidentiality


Logical Placement of E2E Encryption Function

• X.25 or TCP provide end-to-end security for traffic within a fully integrated internetwork. However, such a scheme cannot deliver the necessary service for traffic that crosses internetwork boundaries, such as E-Mail, EDI, and file transfer

• In this case, the only place to achieve end-to-end encryption is at the application layer

• A drawback of application-layer encryption is that the number of entities to consider increases dramatically

• Many more secret keys need to be generated and distributed


7Confidentiality


Logical Placement of E2E Encryption FunctionPlacement of encryption function

8Confidentiality


Logical Placement of E2E Encryption FunctionPlacement of encryption function

9Confidentiality


Traffic Confidentiality

• Security from traffic analysis attack– Knowledge about the number and length of messages between nodes

may enable an opponent to determine who is talking to whom

• Types of information derivable from traffic analysis– Identities of communicating partners

– Frequency of communication

– Message patterns, e.g., length, quantity, (encrypted) content

– Correlation between messages and real world events

• Can (sometimes) be defeated through traffic padding


10Confidentiality


Countermeasure to Traffic Analysis• Link encryption approach

– Link encryption hides address information– Traffic padding is very effective

• End-to-End encryption approach – Leaves addresses in the clear– Measures available to the defender are more limited

» Pad out data units to a uniform length at either the transport or application level

» Null message can be inserted randomly into the stream


11Confidentiality


Covert Channel

• Essentially, the dual of traffic analysis

• A means of communication in a fashion unintended by the designers of the communication facility

• Usually intended to violate or defeat a security policy

• Examples– Message length

– Message content

– Message presence


12Confidentiality


Key Distribution

• For conventional encryption to work, the two parties must share the same key and that key must be protected from access by others

• Alice’s options in establishing a shared secret key with Bob include– Alice selects a key and physically delivers it to Bob

– Trusted third party key distribution center (T3P or KDC) selects a key and physically delivers it to Alice and Bob

– If Alice and Bob have previously and recently used a key, it can be used to distribute a new key

– If Alice and Bob have keys with the T3P, rekeying can be accomplished similarly

Key Distribution

13Confidentiality


Key DistributionKey Distribution

• Manual delivery is a reasonable requirement with link encryption, challenging with E2E encryption– The number of keys grows

quadratically with the number of endpoints

• T3P key(s) constitute a rich target of opportunity

• Initial (master) key distribution remains a challenge

14Confidentiality


Use of a Key Hierarchy

• Use of a key distribution center is based on the use of a hierarchy of keys– Session keys– Master keys

Key Distribution

15Confidentiality


A Key Distribution Scenario

• Assume each principal shares a unique master key with the KDC

• Alice desires a one-time session key to communicate with Bob

• Alice issues a request to the KDC for a session key to be used with Bob. Alice’s request includes a nonce to prevent replay attack

• KDC responds with a message encrypted under Alice’s key. The message contains the session key, the nonce, and the session key along with Alice’s identity encrypted under Bob’s key

• Alice forwards the data encrypted under Bob’s Key to Bob

• Alice and Bob mutually authenticate under the session key– Alice sends a nonce to Bob encrypted under the session key

– Bob applies a transformation to the nonce and sends the result back to Alice

Key Distribution

16Confidentiality


A Key Distribution ScenarioKey Distribution

17Confidentiality


Hierarchical Key Control

• Instead of a single KDC, a hierarchy of KDCs can be established; local KDCs and a golbal KDC

• Local KDCs exchange keys through a global KDC

• Can be extended to three or more layers (hierarchy)

Key Distribution

18Confidentiality


Session Key Lifetime

• Tradeoffs in the session key lifetime

• The more frequent session keys, the more secure, but the less performance (the more network load and delay)

• For connection-oriented protocols, one option is to associate a session with a connection

• For long-lived connections, must periodically rekey

• For connectionless protocols, rekey at intervals

Key Distribution

19Confidentiality


A Transparent Key Control SchemeKey Distribution

20Confidentiality


Decentralized Key DistributionKey Distribution

1. A issues a request to B for a session key and includes a nonce, N1

2. B responds with a message encrypted using the shared master key. Response includes the session key selected by B, an identifier of B, the value of f(N1), and another nonce, N2

3. Using the new session key, A returns f(N2) to B

21Confidentiality


Controlling Key Usage

• It is desirable to impose some control on the way in which keys are used– e.g. we may wish to define different types of session keys on

the basis of use, such as

» Data-encrypting key

» PIN-encrypting key

» File-encrypting key

• One technique is to associate a tag with each key– Tag is a bit-vector representing the key’s usage or type

– e.g. the extra 8 bits in each 56-bit DES key can be used as a tag

– Limited flexibility and functionality due to the limited tag size

– Because the tag is not transmitted in clear form, it can be used only at the point of decryption, limiting the ways in which key use can be controlled

• A more flexible scheme is to use a control vector

Key Distribution

22Confidentiality


Control Vector SchemeKey Distribution

– Each session key has an associated control vector

– Control vector consists of a number of fields that specify the uses and restrictions for that session key

– The length of control vector may vary

– Control vector is cryptographically coupled with the at the time of key generation at the KDC– Hash value = H = h(CV)

– Key input = Km H

– Encrypted session key = EKm H[Ks]

– When a session key is delivered to a user from the KDC, it is accompanied by the control vector in clear form

– The session key can be recovered only by using both the master key and the control vector– Ks = DKm H[EKm H [Ks]]

– Advantages (over the 8-bit tag)

– No restriction on length of control vector (arbitrarily complex controls to be imposed on key sue)

– Control vector is available in clear form at all stage of operation Key control can be exercised in multiple locations

CV: control vectorKm: master keyKs: session key

23Confidentiality


Controlling Key UsageKey Distribution

24Confidentiality


Random Number GenerationRandom Number Generation

• Use of random numbers (in cryptography)– As key stream for a one-time pad

– For session keys

– For public key

– For nonces (random numbers) in protocols to prevent replays

– Good cryptography requires good random numbers

• Random number requirements– Statistically random (uniform distribution, etc)

– Unpredictable (independent)

25Confidentiality


Sources of Randomness• Natural random noise (Natural real randomness)

– Radiation counters, radio noise, thermal noise in diodes, leaky capacitors, mercury discharge tubes, etc

– Generally need special H/W for this– Starting to see this in new CPU’s (Pentium III)

• Almost random sources– Keystroke timing– Mouse tracking– Disk latency, etc

• Published lists– e.g., Rand Co. in 1955 published a book of 1 million numbers

generated using an electronic roulette wheel– Predictable

• In practice, pseudorandom numbers are algorithmically derived from a deterministic PRNG (Pseudorandom Number Generator)

Random Number Generation

26Confidentiality


Lehmer’s algorithm

• Most widely used technique for PRNG

• Also known as linear congruential method

• Four parameters– m modulus m > 0

– a multiplier 0 a < m

– c increment 0 c < m

– X0 seed 0 X0 < m

• Xn+1 = (aXn + c) mod m

• Generates numbers in the range {0, …, m-1}

• “Good” and “bad” choices for m, a, and c– Lots of obvious bad choices


27Confidentiality


Lehmer’s algorithm - 2• Choose a very large m, e.g., 231

– Provides for a long series

– Usually the maximum integer value for a given computer

• Criteria for good RNG:– Generate the entire range (full period)

– Pass statistical tests

– Efficient implementation

• Good choices – m = 231-1, a prime value

– a = 75 = 16807

– c = 0

• Useful for applications requiring statistical randomness (Monte Carlo simulation)

• Not so useful for cryptography (easy cryptanalysis)– Xi, Xi+1, Xi+2 gives solution for m, a, and c


28Confidentiality


Cryptographically Generated RNs• Cyclic encryption

– Generate session keys from a master key

– A counter with period N is input to the encryption logic

– e.g. 56-bit counter for 56-bit DES– X0 X1 … Xn-1

– Xi’s can not be deduced since the master key is protected

– Full-period PRNG can be used instead of a simple counter

• DES OFB mode– Can be used as a PRNG (IV is the

seed)– Successive 64-bit outputs

constitute a sequence of pseudorandom numbers with good statistical properties


29Confidentiality


ANSI X9.17 PRNGRandom Number Generation

• One of the (cryptographically) strongest PRNG

• Used in financial security applications and PGP

– DTi is date/time value at the beginning of ith stage

– Vi is seed value at the beginning of ith stage

– Ri is output (PRN) of ith stage

– K1, K2 are 3DES keys

– Ri = EDEK1,K2(Vi EDEK1,K2(DTi))

– Vi+1 = EDEK1,K2(Ri EDEK1,K2(DTi))

30Confidentiality


Blum Blum Shub (BBS) PRNG

• Choose large primes p and q, s.t. p q 3 (mod 4)

• Let n = p q

• Choose s relatively prime to n

• BBS produces a sequence of bits Bi

• X0 = s2 mod n;for (i = 1; i++; ) { Xi = (Xi-1)2 mod n; Bi = Xi & 1;}

• BBS is referred to as a cryptographically secure pseudorandom bit generator (CSPRBG)


31Confidentiality


Blum Blum Shub PRNG- ExampleRandom Number Generation

• N=383 x 503 = 192649, s = 101355

i i

32Confidentiality


CSPRBG

• Cryptographically secure pseudorandom bit generator (CSPRBG) is defined as one that pass the next-bit test

• Next-bit test– Given k bits of output from a PRBG, there is no polynomial

time algorithm that can predict the k+1st bit with probability greater than ½ +

• For all practical purposes, the sequence is unpredictable

• The security of BBS is based on the difficulty of factoring n (i.e., given n, determining two prime factors p and q)


33Confidentiality


HW

• P. 5.3

• P. 5.4

• P. 5.5

• P. 5.9

• P. 5.10

• (For P.5.3 and P. 5.10, please look up the errata sheet)


confidentiality using conventional encryption

Documents