Secure Communication
Ranju S Kartha, Shiji Abraham

Post on 28-Dec-2015

Page 1: Secure Communication Ranju S Kartha Shiji Abraham

Secure Communication

Ranju S Kartha

Shiji Abraham

Page 2: Secure Communication Ranju S Kartha Shiji Abraham

Modular Arithmetic

Module 1

Page 3: Secure Communication Ranju S Kartha Shiji Abraham

Introduction

• of increasing importance in cryptography
– AES, Elliptic Curve, IDEA, Public Key

• concern operations on "numbers"
– where what constitutes a "number" and the type of operations varies considerably

• start with concepts of groups, rings, fields from abstract algebra

Page 4: Secure Communication Ranju S Kartha Shiji Abraham

A Group G

• A set of elements and some generic operation/s, with some certain relations:

• Axioms:

– A1 (Closure) If a,b ∈ G, then a·b ∈ G

– A2 (Associative) law: (a·b)·c = a·(b·c)

– A3 (has identity) e: e·a = a·e = a

– A4 (has inverses) a': a·a' = e

• A G is a finite group if it has a finite number of elements

• A G is abelian if it is commutative,

– A5 (has commutative) a·b = b·a

• for example:

– The set of positive, negative and 0 integers under addition: identity is 0, inverse element is '–', inverse of a is -a, a-b = a+(-b)

– The set of nonzero real numbers under multiplication: identity is 1, inverse element is division

Page 5: Secure Communication Ranju S Kartha Shiji Abraham

• Suppose Sn is the set of permutations of n distinct symbols {1,2,...,n}. Sn is a group!!:

• Take permutations π1, π2, π3 ∈ Sn with composition as the group operation:

– A1 (closure): π1·π2 ∈ Sn

– A2 (associative): (π1·π2)·π3 = π1·(π2·π3)

– A3 (identity): the permutation {1,2,...,n} ∈ Sn

– A4 (inverse): the inverse that undoes π1 = {3,2,1} is π1 itself, since {3,2,1}·{3,2,1} = {1,2,3}; for comparison, {3,2,1}·{2,3,1} = {1,3,2}

– A5 (commutative) fails: {3,2,1}·{2,3,1} ≠ {2,3,1}·{3,2,1}, so Sn is a group but not abelian

Page 6: Secure Communication Ranju S Kartha Shiji Abraham

Cyclic Group

• A G is cyclic if every element b ∈ G is a power of some fixed element a
– ie b = a^k

• a is said to be a generator of the group G
– example: a^3 = a·a·a, and with identity e: e = a^0 and a^-n = (a')^n

• The additive group of integers is an infinite cyclic group generated by the element 1. In this case, powers are interpreted additively, so that n is the nth power of 1.

Page 7: Secure Communication Ranju S Kartha Shiji Abraham

• A Ring R is an abelian group with two operations (addition and multiplication) that satisfies A1 to A5 for addition

– A1-A5: for addition, identity is 0 and inverse is –a

– M1: Closure under multiplication: if a,b ∈ R, then ab ∈ R

– M2: Associativity of multiplication: a(bc) = (ab)c ∈ R for all a,b,c ∈ R

– M3: Distributive: a(b+c) = ab+ac, (a+b)c = ac+bc, WITHOUT LEAVING THE SET

• M4: commutative ring if ab = ba for all a,b ∈ R

• M5: Multiplicative identity: 1a = a1 = a for all a ∈ R

• M6: No zero divisors: if a,b ∈ R and ab = 0, then either a = 0 or b = 0

An integral domain is a ring that satisfies all of A1-5 and M1-6: a commutative ring (M4) that also obeys M5-6.

Page 8: Secure Communication Ranju S Kartha Shiji Abraham

Field

• a set of numbers with two operations:

– abelian group for addition: commutative for addition

– abelian group for multiplication (ignoring 0): commutative for multiplication

– It is a ring

• (A1-5, M1-6): F is an integral domain.

• M7: Multiplicative inverse. For each a ∈ F, except 0, there is an element a^-1 ∈ F such that a·a^-1 = (a^-1)·a = 1

Page 9: Secure Communication Ranju S Kartha Shiji Abraham
Page 10: Secure Communication Ranju S Kartha Shiji Abraham

Modular Operations

• Clock: uses a finite number of values, and loops back from either end

• Associative, Distributive, Commutative

• Identities: (0 + w) % n = w % n, (1·w) % n = w % n

• additive inverse (-w)

• If a = mb (a, b, m all integers), b|a, b is a divisor (*)

• Any group of integers: Zn = {0, 1, …, n-1}

• Form a commutative ring for addition

• with a multiplicative identity

• note some peculiarities

– if (a+b) ≡ (a+c) % n then b ≡ c % n

– but (ab) ≡ (ac) % n for a,b,c ∈ Zn implies b ≡ c % n only if a is relatively prime to n

Page 11: Secure Communication Ranju S Kartha Shiji Abraham

%8 Example

Page 12: Secure Communication Ranju S Kartha Shiji Abraham

Multiplication and inverses

Page 13: Secure Communication Ranju S Kartha Shiji Abraham

a % 7, residue classes:

[0]  [1]  [2]  [3]  [4]  [5]  [6]
-21  -20  -19  -18  -17  -16  -15
-14  -13  -12  -11  -10   -9   -8
 -7   -6   -5   -4   -3   -2   -1
  0    1    2    3    4    5    6
  7    8    9   10   11   12   13
 14   15   16   17   18   19   20
 21   22   23   24   25   26   27
 28   29   30   31   32   33   34
...

Page 14: Secure Communication Ranju S Kartha Shiji Abraham

Relatively prime, Euclid's GCD Algorithm

• Numbers with gcd(a,b) = 1 are relatively prime
– eg GCD(8,15) = 1

• an efficient way to find GCD(a,b) uses the theorem that:
gcd(a,b) = gcd(b, a % b) (*)

• Euclid's Algorithm to compute GCD(a,b):

gcd(A, B)
1. While (B > 0) {
     1. r = A % B;
     2. A = B;
     3. B = r;
   }
2. return A

Page 15: Secure Communication Ranju S Kartha Shiji Abraham

Galois Fields

• Galois fields are for polynomial eqns (group theory, number theory, Euclidean geometry): the algebraic solution to a polynomial eqn is related to the structure of a group of permutations associated with the roots of the polynomial, and an equation is solvable in radicals if one can find a series of normal subgroups of its Galois group which are abelian, i.e. its Galois group is solvable. (wikipedia)

• Maths et histoire, evariste-galois.asp.htm

• The finite field of order p^n is written GF(p^n).

Page 16: Secure Communication Ranju S Kartha Shiji Abraham

• A field Zn = {0,1,...,n-1} is a commutative ring in which every nonzero element is assumed to have a multiplicative inverse. 'a' has a multiplicative inverse mod n iff the integer a is relatively prime to n.

• Definition: If n is a prime p, then GF(p) is defined as the set of integers Zp = {0, 1,..., p-1} with + operations in mod(p); then we can say the set Zn of integers {0,1,...,n-1}, with + operations in mod(n), is a commutative ring. "Well-behaving": the results of operations obtained are confined to the field GF(p)

• We are interested in two finite fields of order p^n, where p is prime:
– GF(p)
– GF(2^n)

Page 17: Secure Communication Ranju S Kartha Shiji Abraham

GF(7)

The simplest finite field is GF(2).

Page 18: Secure Communication Ranju S Kartha Shiji Abraham

Extended Euclid's algorithm

EXTENDED EUCLID(m, b)
1. [A1, A2, A3; B1, B2, B3] ← [1, 0, m; 0, 1, b];
2. if B3 == 0: return A3 = gcd(m, b); // no inverse
3. if B3 == 1: return B3 = gcd(m, b); B2 = b^-1 mod m;
4. Q = ⌊A3 / B3⌋;
5. [r1, r2, r3] ← [A1 – Q·B1, A2 – Q·B2, A3 – Q·B3];
6. [A1, A2, A3] ← [B1, B2, B3];
7. [B1, B2, B3] ← [r1, r2, r3];
8. goto 2

Page 19: Secure Communication Ranju S Kartha Shiji Abraham

• Starting with step 0. Denote the quotient at step i by q_i.

• Carry out each step of the Euclidean algorithm.

• After the 2nd step, calculate p_i = p_{i-2} – p_{i-1} q_{i-2} % (n); p_0 = 0, p_1 = 1

• Continue to calculate p_i one step more beyond the last step of the Euclidean algorithm.

• If the last nonzero remainder occurs at step k, then if this remainder is 1, x has an inverse and it is p_{k+2}. (If the remainder is not 1, then x does not have an inverse.)

(21, 26): p_i = p_{i-2} – p_{i-1} q_{i-2} % (n);
26 = 1(21) + 5; q_0 = 1; p_0 = 0;
21 = 4(5) + 1; q_1 = 4; p_1 = 1;
5 = 5(1) + 0; q_2 = 5; p_2 = 0 – 1(21) % (26) = -21 % 26 = 5.

(5, 26):
26 = 5(5) + 1; q_0 = 5; p_0 = 0;
5 = 5(1) + 0; q_1 = 1; p_1 = 1;
p_2 = p_{i-2} – p_{i-1} q_{i-2} % (n) = 0 – 1(5) mod (26) = 21;

Page 20: Secure Communication Ranju S Kartha Shiji Abraham

p_i = p_{i-2} – p_{i-1} q_{i-2} % (n);

1759 = 3(550) + 109; q_0 = 3; p_0 = 0;

550 = 5(109) + 5; q_1 = 5; p_1 = 1;

109 = 21(5) + 4; q_2 = 21; p_2 = 0 – 1(3) % (550) = -3;

5 = 1(4) + 1; q_3 = 1; p_3 = 1 – (-3)(5) % (550) = 16;

4 = 4(1) + 0; q_4 = 4; p_4 = -3 – 16(21) % (550) = -339;

p_5 = 16 – (-339)(1) % (550) = 355

Inverse of 550 in GF(1759)
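An added Python example (not code from the original slides) that runs the EXTENDED EUCLID procedure and the p_i tabulation above on the slides' own pairs (21 and 5 in Z26, 550 in GF(1759)), and checks the cancellation peculiarity from the modular-operations slide in Z8:

```python
def gcd(a, b):
    """Euclid's algorithm from the slides: gcd(a, b) = gcd(b, a % b)."""
    while b > 0:
        a, b = b, a % b
    return a


def extended_euclid(m, b):
    """The slides' EXTENDED EUCLID(m, b), run on the two rows
    [A1, A2, A3] and [B1, B2, B3].

    Returns (g, inv): g = gcd(m, b) and inv = b^-1 mod m, or None when
    g != 1 (then b has no inverse modulo m).
    """
    A1, A2, A3 = 1, 0, m
    B1, B2, B3 = 0, 1, b
    while True:
        if B3 == 0:
            return A3, None            # A3 = gcd(m, b) > 1: no inverse
        if B3 == 1:
            return 1, B2 % m           # B2 = b^-1 mod m
        Q = A3 // B3
        r1, r2, r3 = A1 - Q * B1, A2 - Q * B2, A3 - Q * B3
        A1, A2, A3 = B1, B2, B3
        B1, B2, B3 = r1, r2, r3


def inverse_by_p_table(x, n):
    """The quotient / p_i tabulation from the slides, for x^-1 mod n.

    Each division step i is recorded as (dividend, q_i, divisor, remainder);
    p_0 = 0, p_1 = 1, p_i = p_{i-2} - p_{i-1} * q_{i-2}, carried one step
    past the last division.  If the last nonzero remainder (step k) is 1 the
    inverse is p_{k+2} mod n, otherwise None.
    """
    steps = []
    a, b = n, x
    while b != 0:
        q, r = divmod(a, b)
        steps.append((a, q, b, r))
        a, b = b, r
    if a != 1:                         # last nonzero remainder is gcd != 1
        return steps, None
    k = len(steps) - 2                 # index of the step whose remainder is 1
    p = [0, 1]
    for i in range(2, k + 3):
        p.append(p[i - 2] - p[i - 1] * steps[i - 2][1])
    return steps, p[k + 2] % n


def invertible_elements(n):
    """Elements of Z_n with a multiplicative inverse: those relatively prime to n."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def cancellation_holds(a, n):
    """Does a*b = a*c (mod n) force b = c for every b, c in Z_n?
    True exactly when gcd(a, n) == 1, the peculiarity the slides note."""
    return all((a * b - a * c) % n != 0
               for b in range(n) for c in range(n) if b != c)
```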

Page 21: Secure Communication Ranju S Kartha Shiji Abraham


Page 22: Secure Communication Ranju S Kartha Shiji Abraham

Ordinary Polynomial Arithmetic

Page 23: Secure Communication Ranju S Kartha Shiji Abraham

Polynomial Arithmetic in Zp

• In the case of polynomial arithmetic performed on polynomials over a field, division is possible, but exact division might not be possible. To clarify: within a field, for two elements a and b, the quotient a/b is also an element of the field. However, given a ring R that is not a field, division will result in a quotient and a remainder; this is not exact division.

• Consider 5, 3 within a set S. If S is the set of rational numbers, which is a field, then the result is simply expressed as 5/3 and is an element of S. Suppose that S is the field Z7, p = 7. In this case, 5/3 = (5 × 3^-1) mod 7 = (5 × 5) mod 7 = 4, which is an exact solution. Suppose that S is the set of integers, which is a ring but not a field. Then 5/3 produces a quotient and a remainder: 5/3 = 1 + 2/3; 5 = 1 × 3 + 2, so division is not exact over the set of integers.

• Division is not always defined if it is over a coefficient set that is not a field.

Page 24: Secure Communication Ranju S Kartha Shiji Abraham

Polynomial Arithmetic in Zp

if r(x) = 0, then g(x)|f(x): g(x) is a divisor

• If the coefficient set is the integers, then (5x^2)/(3x) does not have a solution, since 5/3 is not in the coefficient set.

• Suppose it is performed over Z7. Then (5x^2)/(3x) = 4x, which is a valid polynomial over Z7.

• Suppose the degree of f(x) is n and of g(x) is m, n ≥ m; then the degree of the quotient q(x) is (n–m) and that of the remainder is at most (m–1). Polynomial division is possible if the coefficient set is a field.
– r(x) = f(x) mod g(x)

Page 25: Secure Communication Ranju S Kartha Shiji Abraham

• if f(x) has no divisors other than itself & 1 it is said to be an irreducible (or prime) polynomial; an irreducible polynomial forms a field.

e.g. f(x) = x^3 + x + 1

• GF(2) is of most interest, in which the operations of addition and multiplication are equivalent to XOR and logical AND, respectively. Further, addition and subtraction are equivalent mod 2: 1 + 1 = 1 - 1 = 0; 1 + 0 = 1 - 0 = 1; 0 + 1 = 0 - 1 = 1.

• eg. let f(x) = x^3 + x^2 and g(x) = x^2 + x + 1
– f(x) + g(x) = x^3 + x + 1
– f(x) × g(x) = x^5 + x^2

Page 26: Secure Communication Ranju S Kartha Shiji Abraham
Page 27: Secure Communication Ranju S Kartha Shiji Abraham

Finite Fields Of the Form GF(2^n)

• Polynomials over p^n, with n > 1: operations modulo p^n do not produce a field. There are structures that satisfy the axioms for a field in a set with p^n elements; we concentrate on GF(2^n).

• Motivation: virtually all encryption algorithms, both symmetric and public key, involve arithmetic operations on integers with divisions.

• For efficiency: integers that fit exactly into a given number of bits, with no wasted bit patterns, i.e. integers in the range 0 through 2^n – 1, fitting into an n-bit word. Z256 versus Z251

Page 28: Secure Communication Ranju S Kartha Shiji Abraham

Polynomial GCD

• gcd[a(x), b(x)] is the polynomial of maximum degree that divides both a(x) and b(x).

• gcd[a(x), b(x)] = gcd[b(x), a(x) mod b(x)]

• EUCLID[a(x), b(x)]

1. A(x) ← a(x); B(x) ← b(x)
2. if B(x) = 0 return A(x) = gcd[a(x), b(x)]
3. R(x) = A(x) mod B(x)
4. A(x) ← B(x)
5. B(x) ← R(x)
6. goto 2

Page 29: Secure Communication Ranju S Kartha Shiji Abraham

GCD in Z2 or in GF(2), gcd(A(x), B(x)):

Step 1: A(x) = x^6 + x^5 + x^4 + x^3 + x^2 + 1, B(x) = x^4 + x^2 + x + 1; D(x) = x^2 + x; R(x) = x^3 + x^2 + 1

Step 2: A(x) = x^4 + x^2 + x + 1; B(x) = x^3 + x^2 + 1; D(x) = x + 1; R(x) = 0

gcd(A(x), B(x)) = x^3 + x^2 + 1

Page 30: Secure Communication Ranju S Kartha Shiji Abraham

GF(2^3)

Page 31: Secure Communication Ranju S Kartha Shiji Abraham

Modular Polynomial Arithmetic

• can compute in field GF(2^n)
– polynomials with coefficients modulo 2
– whose degree is less than n
– hence must reduce modulo an irreducible poly of degree n (for multiplication only)

• form a finite field

• can always find an inverse
– can extend Euclid's Inverse algorithm to find it

Page 32: Secure Communication Ranju S Kartha Shiji Abraham

Example GF(2^3)

Page 33: Secure Communication Ranju S Kartha Shiji Abraham

Computational Considerations

• since coefficients are 0 or 1, can represent any such polynomial as a bit string

• addition becomes XOR of these bit strings

• multiplication is shift & XOR– cf long-hand multiplication

• modulo reduction done by repeatedly substituting highest power with remainder of irreducible poly (also shift & XOR)

Page 34: Secure Communication Ranju S Kartha Shiji Abraham

Example

• why mod (x^3+x+1)!!! for GF(2^3)

• in GF(2^3) have (x^2+1) is 101₂ & (x^2+x+1) is 111₂

• so addition is
– (x^2+1) + (x^2+x+1) = x
– 101 XOR 111 = 010₂

• and multiplication is
– (x+1)·(x^2+1) = x·(x^2+1) + 1·(x^2+1) = x^3+x+x^2+1 = x^3+x^2+x+1
– 011·101 = (101)<<1 XOR (101)<<0 = 1010 XOR 101 = 1111₂

• polynomial modulo reduction (get q(x) & r(x)) is
– (x^3+x^2+x+1) mod (x^3+x+1) = 1·(x^3+x+1) + (x^2) = x^2
– 1111 mod 1011 = 1111 XOR 1011 = 0100₂
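An added Python example, not from the original slides, that carries out the bit-string arithmetic of the Computational Considerations slide (XOR addition, shift-and-XOR multiplication, reduction modulo x^3+x+1), the polynomial EUCLID from the Polynomial GCD slide, and an extended Euclid for inverses in GF(2^n). The gcd is run on a(x) = x^6+x^5+x^4+x^3+x^2+x+1, i.e. with the x term, the dividend for which the step-1 remainder x^3+x^2+1 and the gcd shown on the GCD slide come out.

```python
def poly_degree(p):
    """Degree of a GF(2)[x] polynomial stored as an int bit string (-1 for 0)."""
    return p.bit_length() - 1


def poly_add(a, b):
    """Addition (= subtraction) of the bit strings is XOR, as on the slides."""
    return a ^ b


def poly_mul(a, b):
    """Long-hand multiplication: shift a left for each set bit of b and XOR."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result


def poly_divmod(f, g):
    """Long division over GF(2): (q, r) with f = q*g + r and deg r < deg g."""
    if g == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, r, dg = 0, f, poly_degree(g)
    while r and poly_degree(r) >= dg:
        shift = poly_degree(r) - dg      # substitute the highest power ...
        q ^= 1 << shift
        r ^= g << shift                   # ... by XORing in g shifted under it
    return q, r


def poly_gcd(a, b):
    """The slides' EUCLID[a(x), b(x)]: gcd = gcd(b, a mod b) until b = 0."""
    while b:
        a, b = b, poly_divmod(a, b)[1]
    return a


def gf_mul(a, b, modulus):
    """Multiply in GF(2^n): multiply in GF(2)[x], then reduce modulo the
    irreducible polynomial (x^3+x+1 = 0b1011 for the slides' GF(2^3))."""
    return poly_divmod(poly_mul(a, b), modulus)[1]


def gf_inverse(a, modulus):
    """Extended Euclid over GF(2)[x]: a^-1 in GF(2^n), None for a = 0."""
    a = poly_divmod(a, modulus)[1]
    r0, r1, s0, s1 = modulus, a, 0, 1   # invariant: r_i = s_i * a (mod modulus)
    while r1:
        q, r2 = poly_divmod(r0, r1)
        r0, r1 = r1, r2
        s0, s1 = s1, poly_add(s0, poly_mul(q, s1))
    if r0 != 1:                          # gcd != 1 only for a = 0 (modulus irreducible)
        return None
    return poly_divmod(s0, modulus)[1]


def gf_multiplication_table(modulus):
    """Full multiplication table of GF(2^n), n = deg(modulus); every nonzero
    row is a permutation of the nonzero elements, which is why inverses exist."""
    size = 1 << poly_degree(modulus)
    return [[gf_mul(a, b, modulus) for b in range(size)] for a in range(size)]
```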

Page 35: Secure Communication Ranju S Kartha Shiji Abraham

Summary

• have considered:
– concept of groups, rings, fields
– modular arithmetic with integers
– Euclid's algorithm for GCD
– finite fields GF(p)
– polynomial arithmetic in general and in GF(2^n)

Page 36: Secure Communication Ranju S Kartha Shiji Abraham

Symmetric Ciphers

Module 2

Page 37: Secure Communication Ranju S Kartha Shiji Abraham

THREE SECURITY GOALS

Taxonomy of security goals

Page 38: Secure Communication Ranju S Kartha Shiji Abraham

Continued

Confidentiality is probably the most common aspect of information security. We need to protect our confidential information. An organization needs to guard against those malicious actions that endanger the confidentiality of its information.

Information needs to be changed constantly. Integrity means that changes need to be done only by authorized entities and through authorized mechanisms.

The information created and stored by an organization needs to be available to authorized entities. Information needs to be constantly changed, which means it must be accessible to authorized entities.

Page 39: Secure Communication Ranju S Kartha Shiji Abraham

ATTACKS

The three goals of security, confidentiality, integrity, and availability, can be threatened by security attacks.

Taxonomy of attacks with relation to security goals

Page 40: Secure Communication Ranju S Kartha Shiji Abraham

Attacks Threatening Confidentiality

Snooping refers to unauthorized access to or interception of data.

Traffic analysis refers to obtaining some other type of information by monitoring online traffic.

e.g. IP spoofing: send packet with false source address

[Figure: hosts A, B and C; C sends A a packet labelled "src:B dest:A payload"]

Page 41: Secure Communication Ranju S Kartha Shiji Abraham

[Figure: hosts A, B and C; C sends A a packet labelled "src:B dest:A user: B; password: foo"]

Attacks Threatening Integrity

Masquerading or spoofing happens when the attacker impersonates somebody else.

Replaying means the attacker obtains a copy of a message sent by a user and later tries to replay it.

Page 42: Secure Communication Ranju S Kartha Shiji Abraham

[Figure: hosts A, B and C; C records B's packet "src:B dest:A user: B; password: foo" and later sends it to A]

Page 43: Secure Communication Ranju S Kartha Shiji Abraham

Repudiation means that sender of the message might later deny that she has sent the message; the receiver of the message might later deny that he has received the message.

Modification means that the attacker intercepts the message and changes it.

Attacks Threatening Integrity

Page 44: Secure Communication Ranju S Kartha Shiji Abraham

Attacks Threatening Availability

Denial of service (DoS) is a very common attack. It may slow down or totally interrupt the service of a system.

attackers make resources (server, bandwidth) unavailable to legitimate traffic by overwhelming resource with bogus traffic

1. select target

2. break into hosts around the network

3. send packets toward target from compromised hosts

Page 45: Secure Communication Ranju S Kartha Shiji Abraham


Passive Versus Active Attacks

Categorization of passive and active attacks

In a passive attack, the attacker’s goal is just to obtain information. The attack does not modify data or harm the system, and the system continues with its normal operation.

An active attack may change the data or harm the system.

Page 46: Secure Communication Ranju S Kartha Shiji Abraham

SERVICES AND MECHANISMS

The International Telecommunication Union-Telecommunication Standardization Section (ITU-T) provides some security services and some mechanisms to implement those services. Security services and mechanisms are closely related because a mechanism or combination of mechanisms are used to provide a service.

Topics discussed in this section:

Security Services

Security Mechanism

Relation between Services and Mechanisms

Page 47: Secure Communication Ranju S Kartha Shiji Abraham


Security Services

Data confidentiality protects data from disclosure attacks.

Data integrity protects data from modification, insertion, deletion, and replaying attacks.

Authentication provides proof of the sender, or receiver, or source of the data.

Nonrepudiation protects against repudiation by either the sender or the receiver.

Access control provides protection against unauthorized access to data.

Security services

Page 48: Secure Communication Ranju S Kartha Shiji Abraham

Security Mechanisms

• Data integrity: appends to data a short check value

• Encipherment: hiding or covering data

• Digital signature: sender signs data, receiver verifies data

• Authentication exchange: two entities exchange messages to prove their identity to each other

• Traffic padding: insert bogus data into the data traffic to thwart traffic analysis

• Routing control: continuously change routes between sender and receiver to prevent eavesdropping

• Notarization: a third trusted party controls communication

• Access control: prove and verify that a user has access rights to resources

Page 49: Secure Communication Ranju S Kartha Shiji Abraham

Relation between security services and mechanisms

Page 50: Secure Communication Ranju S Kartha Shiji Abraham

Cryptography

Cryptography, a word with Greek origins, means “secret writing.” However, we use the term to refer to the science and art of transforming messages to make them secure and immune to attacks.

Cryptanalysis: the art and science of decrypting messages.

Cryptology: cryptography + cryptanalysis

Page 51: Secure Communication Ranju S Kartha Shiji Abraham

Symmetric Encryption

• or conventional / private-key / single-key

• sender and recipient share a common key

• all classical encryption algorithms are private-key

• was only type prior to invention of public-key in 1970’s

• and by far most widely used

Page 52: Secure Communication Ranju S Kartha Shiji Abraham

Some Basic Terminology

• plaintext - original message

• ciphertext - coded message

• cipher - algorithm for transforming plaintext to ciphertext

• key - info used in cipher known only to sender/receiver

• encipher (encrypt) - converting plaintext to ciphertext

• decipher (decrypt) - recovering plaintext from ciphertext

• cryptography - study of encryption principles/methods

• cryptanalysis (codebreaking) - study of principles/ methods of deciphering ciphertext without knowing key

• cryptology - field of both cryptography and cryptanalysis

Page 53: Secure Communication Ranju S Kartha Shiji Abraham

Symmetric Cipher Model

Page 54: Secure Communication Ranju S Kartha Shiji Abraham

Requirements

• two requirements for secure use of symmetric encryption:
– a strong encryption algorithm
– a secret key known only to sender / receiver

• mathematically have:
Y = E(K, X)
X = D(K, Y)

• assume encryption algorithm is known

• implies a secure channel to distribute key

Page 55: Secure Communication Ranju S Kartha Shiji Abraham

Cryptography

• can characterize cryptographic system by:

– type of encryption operations used
• substitution
• transposition
• product

– number of keys used
• single-key or private
• two-key or public

– way in which plaintext is processed
• block
• stream

Page 56: Secure Communication Ranju S Kartha Shiji Abraham

Cryptanalysis

• objective to recover key not just message

• general approaches:– cryptanalytic attack– brute-force attack

• if either succeed all key use compromised

Page 57: Secure Communication Ranju S Kartha Shiji Abraham

Cryptanalytic Attacks

• ciphertext only: only know algorithm & ciphertext, is statistical, know or can identify plaintext

• known plaintext: know/suspect plaintext & ciphertext

• chosen plaintext: select plaintext and obtain ciphertext

• chosen ciphertext: select ciphertext and obtain plaintext

• chosen text: select plaintext or ciphertext to en/decrypt

Page 58: Secure Communication Ranju S Kartha Shiji Abraham

More Definitions

• unconditional security: no matter how much computer power or time is available, the cipher cannot be broken since the ciphertext provides insufficient information to uniquely determine the corresponding plaintext

• computational security: given limited computing resources (eg time needed for calculations is greater than age of universe), the cipher cannot be broken

Page 59: Secure Communication Ranju S Kartha Shiji Abraham

Brute Force Search

• always possible to simply try every key

• most basic attack, proportional to key size

• assume either know / recognise plaintext

Key Size (bits) | Number of Alternative Keys | Time required at 1 decryption/µs | Time required at 10^6 decryptions/µs
32 | 2^32 = 4.3 × 10^9 | 2^31 µs = 35.8 minutes | 2.15 milliseconds
56 | 2^56 = 7.2 × 10^16 | 2^55 µs = 1142 years | 10.01 hours
128 | 2^128 = 3.4 × 10^38 | 2^127 µs = 5.4 × 10^24 years | 5.4 × 10^18 years
168 | 2^168 = 3.7 × 10^50 | 2^167 µs = 5.9 × 10^36 years | 5.9 × 10^30 years
26 characters (permutation) | 26! = 4 × 10^26 | 2 × 10^26 µs = 6.4 × 10^12 years | 6.4 × 10^6 years

Page 60: Secure Communication Ranju S Kartha Shiji Abraham

Classical Substitution Ciphers

• where letters of plaintext are replaced by other letters or by numbers or symbols

• or if plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns

Page 61: Secure Communication Ranju S Kartha Shiji Abraham

Caesar Cipher

• earliest known substitution cipher

• by Julius Caesar

• first attested use in military affairs

• replaces each letter by 3rd letter on

• example:

meet me after the toga party
PHHW PH DIWHU WKH WRJD SDUWB

Page 62: Secure Communication Ranju S Kartha Shiji Abraham

Caesar Cipher

• can define transformation as:

a b c d e f g h i j k l m n o p q r s t u v w x y z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

• mathematically give each letter a number

a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

• then have Caesar cipher as:

c = E(k, p) = (p + k) mod (26)

p = D(k, c) = (c – k) mod (26)

Page 63: Secure Communication Ranju S Kartha Shiji Abraham

Cryptanalysis of Caesar Cipher

• only have 26 possible ciphers
– A maps to A,B,..Z

• could simply try each in turn

• a brute force search

• given ciphertext, just try all shifts of letters

• do need to recognize when have plaintext

• eg. break ciphertext "GCUA VQ DTGCM"

Page 64: Secure Communication Ranju S Kartha Shiji Abraham

Monoalphabetic Cipher

• rather than just shifting the alphabet

• could shuffle (jumble) the letters arbitrarily

• each plaintext letter maps to a different random ciphertext letter

• hence key is 26 letters long

Plain: abcdefghijklmnopqrstuvwxyz
Cipher: DKVQFIBJWPESCXHTMYAUOLRGZN

Plaintext: ifwewishtoreplaceletters
Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA

Page 65: Secure Communication Ranju S Kartha Shiji Abraham

Monoalphabetic Cipher Security

• now have a total of 26! = 4 × 10^26 keys

• with so many keys, might think is secure

• but would be !!!WRONG!!!

• problem is language characteristics

Page 66: Secure Communication Ranju S Kartha Shiji Abraham

Language Redundancy and Cryptanalysis

• human languages are redundant
– eg "th lrd s m shphrd shll nt wnt"

• letters are not equally commonly used

• in English E is by far the most common letter, followed by T,R,N,I,O,A,S

• other letters like Z,J,K,Q,X are fairly rare

• have tables of single, double & triple letter frequencies for various languages

Page 67: Secure Communication Ranju S Kartha Shiji Abraham

English Letter Frequencies

Page 68: Secure Communication Ranju S Kartha Shiji Abraham

Use in Cryptanalysis

• key concept - monoalphabetic substitution ciphers do not change relative letter frequencies

• discovered by Arabian scientists in 9th century

• calculate letter frequencies for ciphertext

• compare counts/plots against known values

• if caesar cipher look for common peaks/troughs
– peaks at: A-E-I triple, NO pair, RST triple
– troughs at: JK, X-Z

• for monoalphabetic must identify each letter
– tables of common double/triple letters help

Page 69: Secure Communication Ranju S Kartha Shiji Abraham

Example Cryptanalysis

• given ciphertext:

UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZVUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSXEPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ

• count relative letter frequencies (see text)

• guess P & Z are e and t

• guess ZW is th and hence ZWP is the

• proceeding with trial and error finally get:

it was disclosed yesterday that several informal but direct contacts have been made with political representatives of the viet cong in moscow
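The Caesar, monoalphabetic and letter-frequency material of the preceding slides as one added Python example (not the slides' own code): Caesar as the 26-key special case of monoalphabetic substitution, the 26-way trial the cryptanalysis slide describes, and the letter count that singles out P and Z in the worked ciphertext above.

```python
from collections import Counter
import string

ALPHABET = string.ascii_lowercase


def shift_alphabet(k):
    """Caesar is the monoalphabetic cipher whose cipher alphabet is the
    plain alphabet rotated by k places."""
    return ALPHABET[k:] + ALPHABET[:k]


def substitute(text, cipher_alphabet, decrypt=False):
    """Monoalphabetic substitution with a 26-letter key.  Characters outside
    the alphabet pass through; plaintext is shown in lower case and
    ciphertext in upper case, following the slides."""
    src, dst = ALPHABET, cipher_alphabet.lower()
    if decrypt:
        src, dst = dst, src
    table = {s: d for s, d in zip(src, dst)}
    out = "".join(table.get(ch, ch) for ch in text.lower())
    return out if decrypt else out.upper()


def caesar_encrypt(plaintext, k=3):
    """c = E(k, p) = (p + k) mod 26, expressed as a substitution."""
    return substitute(plaintext, shift_alphabet(k))


def caesar_decrypt(ciphertext, k=3):
    """p = D(k, c) = (c - k) mod 26."""
    return substitute(ciphertext, shift_alphabet(k), decrypt=True)


def caesar_brute_force(ciphertext):
    """Only 26 keys exist, so try them all.  Picking out the readable
    candidate is the 'recognise plaintext' step the slides leave to the reader."""
    return {k: caesar_decrypt(ciphertext, k) for k in range(26)}


def letter_frequencies(text):
    """(letter, count) pairs, most common first.  A monoalphabetic cipher
    relabels the letters but leaves the shape of this distribution intact,
    which is what the frequency attack relies on."""
    counts = Counter(ch for ch in text.upper() if ch.isalpha())
    return counts.most_common()


# Ciphertext of the slides' worked cryptanalysis example (120 letters).
SLIDE_CIPHERTEXT = (
    "UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZVUEPHZHMDZSHZOWS"
    "FPAPPDTSVPQUZWYMXUZUHSXEPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ"
)
```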

Page 70: Secure Communication Ranju S Kartha Shiji Abraham

Playfair Cipher

• not even the large number of keys in a monoalphabetic cipher provides security

• one approach to improving security was to encrypt multiple letters

• the Playfair Cipher is an example

• invented by Charles Wheatstone in 1854, but named after his friend Baron Playfair

Page 71: Secure Communication Ranju S Kartha Shiji Abraham

Playfair Key Matrix

• a 5X5 matrix of letters based on a keyword

• fill in letters of keyword (sans duplicates)

• fill rest of matrix with other letters

• eg. using the keyword MONARCHY

M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z

Page 72: Secure Communication Ranju S Kartha Shiji Abraham

Encrypting and Decrypting

• plaintext is encrypted two letters at a time

1. if a pair is a repeated letter, insert filler like 'X'

2. if both letters fall in the same row, replace each with letter to right (wrapping back to start from end)

3. if both letters fall in the same column, replace each with the letter below it (wrapping to top from bottom)

4. otherwise each letter is replaced by the letter in the same row and in the column of the other letter of the pair

Page 73: Secure Communication Ranju S Kartha Shiji Abraham

Security of Playfair Cipher

• security much improved over monoalphabetic

• since have 26 x 26 = 676 digrams

• would need a 676 entry frequency table to analyse (versus 26 for a monoalphabetic) and correspondingly more ciphertext

• was widely used for many years, eg. by US & British military in WW1

• it can be broken, given a few hundred letters, since still has much of plaintext structure

Page 74: Secure Communication Ranju S Kartha Shiji Abraham

Polyalphabetic Ciphers

• polyalphabetic substitution ciphers improve security using multiple cipher alphabets

• make cryptanalysis harder with more alphabets to guess and flatter frequency distribution

• use a key to select which alphabet is used for each letter of the message

• use each alphabet in turn

• repeat from start after end of key is reached

Page 75: Secure Communication Ranju S Kartha Shiji Abraham

Vigenère Cipher

• simplest polyalphabetic substitution cipher

• effectively multiple caesar ciphers

• key is multiple letters long K = k1 k2 ... kd

• ith letter specifies ith alphabet to use

• use each alphabet in turn

• repeat from start after d letters in message

• decryption simply works in reverse

Page 76: Secure Communication Ranju S Kartha Shiji Abraham

Example of Vigenère Cipher

• write the plaintext out

• write the keyword repeated above it

• use each key letter as a caesar cipher key

• encrypt the corresponding plaintext letter

• eg using keyword deceptive

key: deceptivedeceptivedeceptive

plaintext: wearediscoveredsaveyourself

ciphertext:ZICVTWQNGRZGVTWAVZHCQYGLMGJ

Page 77: Secure Communication Ranju S Kartha Shiji Abraham

Aids

• simple aids can assist with en/decryption

• a Saint-Cyr Slide is a simple manual aid – a slide with repeated alphabet – line up plaintext 'A' with key letter, eg 'C' – then read off any mapping for key letter

• can bend round into a cipher disk

• or expand into a Vigenère Tableau

Page 78: Secure Communication Ranju S Kartha Shiji Abraham

Security of Vigenère Ciphers

• have multiple ciphertext letters for each plaintext letter

• hence letter frequencies are obscured

• but not totally lost

• start with letter frequencies
– see if look monoalphabetic or not

• if not, then need to determine number of alphabets, since then can attack each

Page 79: Secure Communication Ranju S Kartha Shiji Abraham

Kasiski Method

• method developed by Babbage / Kasiski

• repetitions in ciphertext give clues to period

• so find same plaintext an exact period apart

• which results in the same ciphertext

• of course, could also be random fluke

• eg repeated "VTW" in previous example

• suggests size of 3 or 9

• then attack each monoalphabetic cipher individually using same techniques as before
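An added Python example (not from the slides) of the Vigenère cipher on the slides' deceptive / wearediscoveredsaveyourself pair, together with the Kasiski repetition count that finds the VTW distance of 9 and hence the candidate periods 3 and 9 named above.

```python
import string
from functools import reduce
from math import gcd

A = string.ascii_uppercase


def vigenere(text, key, decrypt=False):
    """Each key letter k_i selects the Caesar alphabet for the i-th letter;
    after d = len(key) letters the key repeats.  Decryption subtracts."""
    letters = [c for c in text.upper() if c.isalpha()]
    key = [A.index(c) for c in key.upper()]
    out = []
    for i, c in enumerate(letters):
        k = key[i % len(key)]
        p = A.index(c)
        out.append(A[(p - k) % 26] if decrypt else A[(p + k) % 26])
    return "".join(out)


def kasiski(ciphertext, n=3):
    """Map each n-gram that repeats to the distances between its occurrences.
    Plaintext repeated an exact period apart encrypts identically, so the key
    length divides these distances (barring a random fluke)."""
    positions = {}
    for i in range(len(ciphertext) - n + 1):
        positions.setdefault(ciphertext[i:i + n], []).append(i)
    return {gram: [b - a for a, b in zip(pos, pos[1:])]
            for gram, pos in positions.items() if len(pos) > 1}


def likely_periods(distances):
    """Candidate key lengths: divisors (> 1) of the gcd of all repeat distances."""
    all_d = [d for ds in distances.values() for d in ds]
    g = reduce(gcd, all_d, 0)
    return [k for k in range(2, g + 1) if g % k == 0]
```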

Page 80: Secure Communication Ranju S Kartha Shiji Abraham

One-Time Pad

• if a truly random key as long as the message is used, the cipher will be secure

• called a One-Time pad

• is unbreakable since ciphertext bears no statistical relationship to the plaintext

• since for any plaintext & any ciphertext there exists a key mapping one to other

• can only use the key once though

• problems in generation & safe distribution of key

Page 81: Secure Communication Ranju S Kartha Shiji Abraham

Transposition Ciphers

• now consider classical transposition or permutation ciphers

• these hide the message by rearranging the letter order without altering the actual letters used

• can recognise these since have the same frequency distribution as the original text

Page 82: Secure Communication Ranju S Kartha Shiji Abraham

Rail Fence cipher

• write message letters out diagonally over a number of rows

• then read off cipher row by row

• eg. write message out as:

m e m a t r h t g p r y
 e t e f e t e o a a t

• giving ciphertext

MEMATRHTGPRYETEFETEOAAT

Page 83: Secure Communication Ranju S Kartha Shiji Abraham

Row Transposition Ciphers

• is a more complex transposition

• write letters of message out in rows over a specified number of columns

• then reorder the columns according to some key before reading off the rows

Key: 4 3 1 2 5 6 7
Column Out: 3 4 2 1 5 6 7
Plaintext:
a t t a c k p
o s t p o n e
d u n t i l t
w o a m x y z
Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ
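Rail fence and row transposition from the two slides above as an added Python example (not the slides' own code), run on the slides' messages and key, with a check that transposition leaves the letter frequency distribution unchanged, the property the transposition slide points out.

```python
from collections import Counter


def _letters(msg):
    return [c for c in msg.upper() if c.isalpha()]


def rail_fence_encrypt(msg, rails=2):
    """Write the letters diagonally (zig-zag) over `rails` rows, then read
    off row by row.  The slide's example uses two rows."""
    rows = [[] for _ in range(rails)]
    r, step = 0, 1
    for c in _letters(msg):
        rows[r].append(c)
        if rails > 1:
            if r == rails - 1:
                step = -1
            elif r == 0:
                step = 1
            r += step
    return "".join("".join(row) for row in rows)


def row_transposition_encrypt(msg, key):
    """Write the message in rows of len(key) columns and read the columns out
    in key order: the column labelled 1 first, then 2, and so on."""
    letters = _letters(msg)
    cols = len(key)
    if len(letters) % cols:
        raise ValueError("pad the message to whole rows (the slide uses x y z)")
    rows = [letters[i:i + cols] for i in range(0, len(letters), cols)]
    order = [key.index(str(label)) for label in range(1, cols + 1)]  # read-off order
    return "".join(row[c] for c in order for row in rows)


def row_transposition_decrypt(ciphertext, key):
    """Inverse: cut the ciphertext into columns, put each back at the position
    its label names, then read the rows."""
    cols = len(key)
    n_rows = len(ciphertext) // cols
    order = [key.index(str(label)) for label in range(1, cols + 1)]
    grid = [[None] * cols for _ in range(n_rows)]
    for chunk, c in enumerate(order):
        for r in range(n_rows):
            grid[r][c] = ciphertext[chunk * n_rows + r]
    return "".join("".join(row) for row in grid).lower()


def same_letter_frequencies(a, b):
    """Transposition only reorders letters, so the letter counts (and hence
    the frequency distribution) of plaintext and ciphertext coincide."""
    return Counter(_letters(a)) == Counter(_letters(b))
```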

Page 84: Secure Communication Ranju S Kartha Shiji Abraham

DES and AES

Module 3

Page 85: Secure Communication Ranju S Kartha Shiji Abraham

Modern Block Ciphers

• now look at modern block ciphers

• one of the most widely used types of cryptographic algorithms

• provide secrecy / authentication services

• focus on DES (Data Encryption Standard) to illustrate block cipher design principles

Page 86: Secure Communication Ranju S Kartha Shiji Abraham

Block vs Stream Ciphers

• block ciphers process messages in blocks, each of which is then en/decrypted

• like a substitution on very big characters– 64-bits or more

• stream ciphers process messages a bit or byte at a time when en/decrypting

• many current ciphers are block ciphers– better analysed– broader range of applications

Page 87: Secure Communication Ranju S Kartha Shiji Abraham

Block vs Stream Ciphers

Page 88: Secure Communication Ranju S Kartha Shiji Abraham

Block Cipher Principles

• most symmetric block ciphers are based on a Feistel Cipher Structure

• needed since must be able to decrypt ciphertext to recover messages efficiently

• block ciphers look like an extremely large substitution

• would need table of $2^{64}$ entries for a 64-bit block
• instead create from smaller building blocks
• using idea of a product cipher

Page 89: Secure Communication Ranju S Kartha Shiji Abraham

Ideal Block Cipher

Page 90: Secure Communication Ranju S Kartha Shiji Abraham

Confusion and Diffusion

• cipher needs to completely obscure statistical properties of original message

• a one-time pad does this
• more practically Shannon suggested combining S & P elements to obtain:
  – diffusion – dissipates statistical structure of plaintext over bulk of ciphertext
  – confusion – makes relationship between ciphertext and key as complex as possible

Page 91: Secure Communication Ranju S Kartha Shiji Abraham

Feistel Cipher Structure

• Horst Feistel devised the Feistel cipher
  – based on concept of invertible product cipher

• partitions input block into two halves
  – process through multiple rounds which
  – perform a substitution on left data half
  – based on round function of right half & subkey
  – then have permutation swapping halves

• implements Shannon’s S-P net concept

Page 92: Secure Communication Ranju S Kartha Shiji Abraham

Feistel Cipher Structure

Page 93: Secure Communication Ranju S Kartha Shiji Abraham

Data Encryption Standard (DES)

• most widely used block cipher in world
• adopted in 1977 by NBS (now NIST)
  – as FIPS PUB 46
• encrypts 64-bit data using 56-bit key
• has widespread use
• has been considerable controversy over its security

Page 94: Secure Communication Ranju S Kartha Shiji Abraham

DES History

• IBM developed Lucifer cipher
  – by team led by Feistel in late 60’s
  – used 64-bit data blocks with 128-bit key

• then redeveloped as a commercial cipher with input from NSA and others

• in 1973 NBS issued request for proposals for a national cipher standard

• IBM submitted their revised Lucifer which was eventually accepted as the DES

Page 95: Secure Communication Ranju S Kartha Shiji Abraham

DES Design Controversy

• although DES standard is public
• was considerable controversy over design
  – in choice of 56-bit key (vs Lucifer 128-bit)
  – and because design criteria were classified
• subsequent events and public analysis show in fact design was appropriate
• use of DES has flourished
  – especially in financial applications
  – still standardised for legacy application use

Page 96: Secure Communication Ranju S Kartha Shiji Abraham

DES Encryption Overview

Page 97: Secure Communication Ranju S Kartha Shiji Abraham

Initial Permutation IP

• first step of the data computation
• IP reorders the input data bits
• even bits to LH half, odd bits to RH half
• quite regular in structure (easy in h/w)
• example:
  IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)

Page 98: Secure Communication Ranju S Kartha Shiji Abraham

DES Round Structure

• uses two 32-bit L & R halves
• as for any Feistel cipher can describe as:
  $L_i = R_{i-1}$
  $R_i = L_{i-1} \oplus F(R_{i-1}, K_i)$
• F takes 32-bit R half and 48-bit subkey:
  – expands R to 48 bits using perm E
  – adds to subkey using XOR
  – passes through 8 S-boxes to get 32-bit result
  – finally permutes using 32-bit perm P

Page 99: Secure Communication Ranju S Kartha Shiji Abraham

DES Round Structure

Page 100: Secure Communication Ranju S Kartha Shiji Abraham

Substitution Boxes S

• have eight S-boxes which map 6 to 4 bits
• each S-box is actually 4 little 4-bit boxes
  – outer bits 1 & 6 (row bits) select one row of 4
  – inner bits 2-5 (col bits) are substituted
  – result is 8 lots of 4 bits, or 32 bits
• row selection depends on both data & key
  – feature known as autoclaving (autokeying)
• example:
  S(18 09 12 3d 11 17 38 39) = 5fd25e03

Page 101: Secure Communication Ranju S Kartha Shiji Abraham

DES Key Schedule

• forms subkeys used in each round
• initial permutation of the key (PC1) which selects 56 bits in two 28-bit halves
• 16 stages consisting of:
  – rotating each half separately either 1 or 2 places depending on the key rotation schedule K
  – selecting 24 bits from each half & permuting them by PC2 for use in round function F
• note practical use issues in h/w vs s/w

Page 102: Secure Communication Ranju S Kartha Shiji Abraham

DES Decryption

• decrypt must unwind steps of data computation
• with Feistel design, do encryption steps again using subkeys in reverse order (SK16 … SK1)
  – IP undoes final FP step of encryption
  – 1st round with SK16 undoes 16th encrypt round
  – ….
  – 16th round with SK1 undoes 1st encrypt round
  – then final FP undoes initial encryption IP
  – thus recovering original data value
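As an added example (not code from the slides), a toy 32-bit Feistel cipher built on the round equations from the DES Round Structure slide: it shows that the same rounds with the subkeys in reverse order decrypt, as this slide argues, and measures the avalanche effect discussed on the following slides. The round function and key schedule are assumed toy choices for illustration, not the DES functions.

```python
# Added example (not code from the original slides): a 32-bit toy Feistel cipher
# built from the round equations on the DES Round Structure slide,
#   L_i = R_{i-1},  R_i = L_{i-1} XOR F(R_{i-1}, K_i)
# It shows that running the same rounds with the subkeys in reverse order
# decrypts, and measures the avalanche effect. F and the key schedule are
# assumed toy choices for illustration only; they are NOT the DES functions.

MASK16 = 0xFFFF
MASK32 = 0xFFFFFFFF


def round_function(right: int, subkey: int) -> int:
    """Assumed toy 16-bit F: mix in the subkey, a nonlinear multiply-add,
    then fold high bits into low bits and rotate for diffusion."""
    x = (right ^ subkey) & MASK16
    x = (x * 0x9E37 + 0x79B9) & MASK16
    x ^= x >> 7
    return ((x << 5) | (x >> 11)) & MASK16


def key_schedule(key: int, rounds: int = 16) -> list:
    """Assumed toy schedule: rotate the 32-bit key one bit per round, fold to 16 bits."""
    key &= MASK32
    subkeys = []
    for i in range(rounds):
        rotated = ((key << i) | (key >> (32 - i))) & MASK32
        subkeys.append(((rotated >> 16) ^ rotated ^ i) & MASK16)
    return subkeys


def feistel_rounds(block: int, subkeys: list) -> int:
    """Apply the Feistel rounds in the order the subkeys are given, then swap the
    halves back (as DES does after round 16) so the same routine serves both
    directions: encryption with K_1..K_16, decryption with K_16..K_1."""
    left, right = (block >> 16) & MASK16, block & MASK16
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (right << 16) | left


def encrypt(block: int, key: int, rounds: int = 16) -> int:
    return feistel_rounds(block & MASK32, key_schedule(key, rounds))


def decrypt(block: int, key: int, rounds: int = 16) -> int:
    # Same rounds, subkeys reversed (SK16 ... SK1): round 1 undoes encryption round 16.
    return feistel_rounds(block & MASK32, key_schedule(key, rounds)[::-1])


def avalanche(block: int, key: int, rounds: int = 16) -> float:
    """Flip each of the 32 plaintext bits in turn and return the average number of
    ciphertext bits that change; a strong cipher gives about half (16 of 32)."""
    base = encrypt(block, key, rounds)
    flipped = 0
    for bit in range(32):
        flipped += bin(base ^ encrypt(block ^ (1 << bit), key, rounds)).count("1")
    return flipped / 32


if __name__ == "__main__":
    k, m = 0xDEADBEEF, 0x12345678       # constructed sample key and block
    c = encrypt(m, k)
    print(f"ciphertext {c:08x}, decrypts to {decrypt(c, k):08x}")
    print(f"avalanche after 1 round: {avalanche(m, k, 1):.1f} bits, "
          f"after 16 rounds: {avalanche(m, k):.1f} bits")
```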

Page 103: Secure Communication Ranju S Kartha Shiji Abraham

DES Example

Page 104: Secure Communication Ranju S Kartha Shiji Abraham

Avalanche in DES

Page 105: Secure Communication Ranju S Kartha Shiji Abraham

Avalanche Effect

• key desirable property of encryption alg

• where a change of one input or key bit results in changing approx half output bits

• making attempts to “home-in” by guessing keys impossible

• DES exhibits strong avalanche

Page 106: Secure Communication Ranju S Kartha Shiji Abraham

Strength of DES – Key Size

• 56-bit keys have $2^{56} = 7.2 \times 10^{16}$ values

• brute force search looks hard

• recent advances have shown is possible
  – in 1997 on Internet in a few months
  – in 1998 on dedicated h/w (EFF) in a few days
  – in 1999 above combined in 22hrs!

• still must be able to recognize plaintext

• must now consider alternatives to DES

Page 107: Secure Communication Ranju S Kartha Shiji Abraham

Strength of DES – Analytic Attacks

• now have several analytic attacks on DES
• these utilise some deep structure of the cipher
  – by gathering information about encryptions
  – can eventually recover some/all of the sub-key bits
  – if necessary then exhaustively search for the rest
• generally these are statistical attacks
  – differential cryptanalysis
  – linear cryptanalysis
  – related key attacks

Page 108: Secure Communication Ranju S Kartha Shiji Abraham

Strength of DES – Timing Attacks

• attacks actual implementation of cipher
• use knowledge of consequences of implementation to derive information about some/all subkey bits
• specifically use fact that calculations can take varying times depending on the value of the inputs to it
• particularly problematic on smartcards

Page 109: Secure Communication Ranju S Kartha Shiji Abraham

Differential Cryptanalysis

• one of the most significant recent (public) advances in cryptanalysis

• known by NSA in 70's cf DES design
• Murphy, Biham & Shamir published in 90’s
• powerful method to analyse block ciphers
• used to analyse most current block ciphers with varying degrees of success
• DES reasonably resistant to it, cf Lucifer

Page 110: Secure Communication Ranju S Kartha Shiji Abraham

Differential Cryptanalysis

• a statistical attack against Feistel ciphers
• uses cipher structure not previously used
• design of S-P networks has output of function f influenced by both input & key
• hence cannot trace values back through cipher without knowing value of the key
• differential cryptanalysis compares two related pairs of encryptions

Page 111: Secure Communication Ranju S Kartha Shiji Abraham

Differential Cryptanalysis Compares Pairs of Encryptions

• with a known difference in the input
• searching for a known difference in output
• when same subkeys are used

Page 112: Secure Communication Ranju S Kartha Shiji Abraham

Differential Cryptanalysis

• have some input difference giving some output difference with probability p
• if find instances of some higher probability input / output difference pairs occurring
• can infer subkey that was used in round
• then must iterate process over many rounds (with decreasing probabilities)

Page 113: Secure Communication Ranju S Kartha Shiji Abraham

Differential Cryptanalysis

Page 114: Secure Communication Ranju S Kartha Shiji Abraham

Differential Cryptanalysis

• perform attack by repeatedly encrypting plaintext pairs with known input XOR until obtain desired output XOR
• when found
  – if intermediate rounds match required XOR have a right pair
  – if not then have a wrong pair, relative ratio is S/N for attack
• can then deduce key values for the rounds
  – right pairs suggest same key bits
  – wrong pairs give random values

for large numbers of rounds, probability is so low that more pairs are required than exist with 64-bit inputs

Biham and Shamir have shown how a 13-round iterated characteristic can break the full 16-round DES

Page 115: Secure Communication Ranju S Kartha Shiji Abraham

Linear Cryptanalysis

• another recent development
• also a statistical method
• must be iterated over rounds, with decreasing probabilities
• developed by Matsui et al in early 90's
• based on finding linear approximations
• can attack DES with $2^{43}$ known plaintexts, easier but still in practise infeasible

Page 116: Secure Communication Ranju S Kartha Shiji Abraham

Linear Cryptanalysis

• find linear approximations with prob p ≠ ½
  $P[i_1,i_2,\ldots,i_a] \oplus C[j_1,j_2,\ldots,j_b] = K[k_1,k_2,\ldots,k_c]$
  where $i_a, j_b, k_c$ are bit locations in P, C, K

• gives linear equation for key bits

• get one key bit using max likelihood alg

• using a large number of trial encryptions

• effectiveness given by: $|p - 1/2|$

Page 117: Secure Communication Ranju S Kartha Shiji Abraham

DES Design Criteria

• as reported by Coppersmith in [COPP94]

• 7 criteria for S-boxes provide for
  – non-linearity
  – resistance to differential cryptanalysis
  – good confusion

• 3 criteria for permutation P provide for
  – increased diffusion

Page 118: Secure Communication Ranju S Kartha Shiji Abraham

Block Cipher Design

• basic principles still like Feistel’s in 1970’s
• number of rounds
  – more is better, exhaustive search best attack
• function f:
  – provides “confusion”, is nonlinear, avalanche
  – have issues of how S-boxes are selected
• key schedule
  – complex subkey creation, key avalanche

Page 119: Secure Communication Ranju S Kartha Shiji Abraham

AES Requirements

• private key symmetric block cipher
• 128-bit data, 128/192/256-bit keys
• stronger & faster than Triple-DES
• active life of 20-30 years (+ archival use)
• provide full specification & design details
• both C & Java implementations
• NIST have released all submissions & unclassified analyses
• Evaluation criteria of submitted ones
  – General security – effort to practically cryptanalyse
  – algorithm & implementation characteristics
  – cost – computational, software & hardware implementation ease, minimize implementation attacks
  – flexibility (in en/decrypt, keying, other factors)

Page 120: Secure Communication Ranju S Kartha Shiji Abraham

Rijndael

• processes data as 4 groups of 4 bytes (state)
• has 9/11/13 rounds in which state undergoes:
  1. byte substitution (1 S-box; byte to byte substitution)
  2. shift rows (permutation of bytes)
  3. mix columns (substitution using GF(2^8) arithmetic)
  4. Add Round Key (XOR state with a portion of expanded key K)
• initial XOR key material & incomplete last round
• all operations can be combined into XOR and table lookups – hence very fast & efficient

The AES Cipher

• designed by Rijmen-Daemen in Belgium
• has 128/192/256 bit keys, 128 bit data
• an iterative rather than Feistel cipher
  – treats data in 4 groups of 4 bytes
  – operates on an entire block in every round
• designed to be:
  – resistant against known attacks
  – speed and code compactness on many CPUs
  – design simplicity

Page 121: Secure Communication Ranju S Kartha Shiji Abraham
Page 122: Secure Communication Ranju S Kartha Shiji Abraham

InvAddRoundKey
• $(A \oplus B) \oplus B = A$
• Key is used in reverse order

AddRoundKey
• Each round uses four different words from the expanded key array.
• Each column in the state matrix is XORed with a different word.
• The heart of the encryption. All other functions’ properties are permanent and known to all.

Page 123: Secure Communication Ranju S Kartha Shiji Abraham

Substitution Byte (SubBytes)

• It is a bytewise lookup process that returns a 4-byte word in which each byte is the result of applying the Rijndael S-box. Designed to be resistant to all known attacks
• Simple substitution of each byte using one table of 16x16 bytes containing a permutation of all 256 8-bit values
• each byte of state is replaced by byte in row (left 4-bits) & column (right 4-bits)
  – eg. byte {95} is replaced by row 9 col 5 byte
  – which is the value {2A}
• S-box is constructed using a transformation of the values in GF(2^8)

Page 124: Secure Communication Ranju S Kartha Shiji Abraham

Shift Rows

• a circular byte shift in each row
  – 1st row is unchanged
  – 2nd row does 1 byte circular shift to left
  – 3rd row does 2 byte circular shift to left
  – 4th row does 3 byte circular shift to left
• decrypt does shifts to right
• since state is processed by columns, this step permutes bytes between the columns

Page 125: Secure Communication Ranju S Kartha Shiji Abraham

Mix Columns
• each column is processed separately
• each byte is replaced by a value dependent on all 4 bytes in the column
• effectively a matrix multiplication in GF(2^8) using prime poly $m(x) = x^8 + x^4 + x^3 + x + 1$

Add Round Key
• XOR state with 128 bits of the round key
• again processed by column (though effectively a series of byte operations)
• inverse for decryption is identical since XOR is its own inverse, just with correct round key
• designed to be simple

Page 126: Secure Communication Ranju S Kartha Shiji Abraham

AES Round

Page 127: Secure Communication Ranju S Kartha Shiji Abraham

Mathematical Review
• Performing arithmetic operations on bytes requires working in a finite field and treating each byte as an element.
• GF(2^8) – finite field containing 256 elements.
• Each element is a polynomial of degree at most 7 over Z2, hence an element is defined by 8 binary values – a byte.
• Addition – polynomial addition over Z2, implemented using XOR.
• Multiplication – polynomial multiplication over Z2, modulo the irreducible polynomial $x^8 + x^4 + x^3 + x + 1$; implemented using repetitive left shifts and XOR.

SubBytes – 16 x 16 table
• Each byte is considered as an element in GF(2^8).
• Called S-Box. A 16 x 16 table contains all possible 256 elements.
• Row, Column indices: left and right halves of the byte.
• Each byte B in the state matrix is substituted with f(B).

Page 128: Secure Communication Ranju S Kartha Shiji Abraham

SubBytes, S-Box computation
Computing S-Box cells in three stages:
– The cells are numbered in ascending order.
– Each cell’s number is substituted with its multiplicative inverse over GF(2^8).
– The cell’s bits go through the following transformation:

  $b_i' = b_i \oplus b_{(i+4) \bmod 8} \oplus b_{(i+5) \bmod 8} \oplus b_{(i+6) \bmod 8} \oplus b_{(i+7) \bmod 8} \oplus c_i$

  $b_i'$ = new bit value, $c_i$ = the i’th bit of the constant {63} = {11000110} (bits listed $c_0$ to $c_7$)

Page 129: Secure Communication Ranju S Kartha Shiji Abraham

InvSubBytes
• Same routine as SubBytes, but uses the inverse S-Box.
• Inverse S-box is computed by applying the inverse affine transformation and then substituting with the multiplicative inverse of the cell’s value in the S-Box.
• The inverse transformation:

  $b_i' = b_{(i+2) \bmod 8} \oplus b_{(i+5) \bmod 8} \oplus b_{(i+7) \bmod 8} \oplus d_i$

  $b_i'$ = new bit value, $d_i$ = the i’th bit of {05} = {00000101}.

Page 130: Secure Communication Ranju S Kartha Shiji Abraham
Page 131: Secure Communication Ranju S Kartha Shiji Abraham

SubBytes, crypto properties
• S-Box design makes it resistant to cryptanalytic attacks.
• Conditions:
  – No fixed points $S(a) \ne a$, no opposite fixed points $IS(a) \ne \bar{a}$ (the complement of a).
  – Invertible S-box, $IS[S(a)] = a$;
  – but not self-invertible, which means $S(a) \ne IS(a)$, ie. $S(\{95\}) = \{2A\}$, but $IS(\{95\}) = \{AD\}$; think: $S(\{2A\}) = ?\ \{95\}$
• To see that InvSubBytes is the inverse of SubBytes,
  – label the matrices in SubBytes and InvSubBytes as X and Y, respectively, and the vector versions of constants c and d as C and D, respectively.
  – For some 8-bit vector B, $B' = XB \oplus C$.
  – To show that $Y(XB \oplus C) \oplus D = B$.
  – Must show $YXB \oplus YC \oplus D = B$.
• $B' = XB \oplus C$; $Y(XB \oplus C) \oplus D = [YX][B] \oplus [YC] \oplus [D] = B$
  – Which means …

Page 132: Secure Communication Ranju S Kartha Shiji Abraham

ShiftRows
• Rows 2-4 in the state matrix are left shifted by different offsets of 1-3 bytes respectively.
• Strong diffusion effect. Separation of each four, originally consecutive, bytes.

Page 133: Secure Communication Ranju S Kartha Shiji Abraham

• A transformation which operates on individual columns – 32 bits / 4 bytes.
• Each column is treated as a degree-3 polynomial with coefficients in GF(2^8)
• Multiplied by the fixed polynomial:
  $a(x) = (\{03\}x^3 + \{01\}x^2 + \{01\}x + \{02\}) \bmod (x^4 + 1)$
• a(x) was chosen so the multiplication/transformation is invertible.
• Generally, multiplication in the above ring mod $(x^4+1)$ doesn’t provide an inverse for each element.
* coefficient multiplication is the GF(2^8) multiplication mentioned earlier.

Page 134: Secure Communication Ranju S Kartha Shiji Abraham

MixColumn, props
– The transformation is a linear code with a maximal distance between code words.
– Combined with ShiftRows, after several rounds all output bits depend on all input bits.

Page 135: Secure Communication Ranju S Kartha Shiji Abraham

• In GF(2^8) with irreducible polynomial $m(x) = x^8 + x^4 + x^3 + x + 1$, the column {87}, {6E}, {46}, {A6} is transformed as:
  – $(\{02\} \cdot \{87\}) \oplus (\{03\} \cdot \{6E\}) \oplus \{46\} \oplus \{A6\} = \{47\}$
  – $\{87\} \oplus (\{02\} \cdot \{6E\}) \oplus (\{03\} \cdot \{46\}) \oplus \{A6\} = \{37\}$
  – $\{87\} \oplus \{6E\} \oplus (\{02\} \cdot \{46\}) \oplus (\{03\} \cdot \{A6\}) = \{94\}$
  – $(\{03\} \cdot \{87\}) \oplus \{6E\} \oplus \{46\} \oplus (\{02\} \cdot \{A6\}) = \{ED\}$
• For the first equation,
  – $\{02\} \cdot \{87\} = x \cdot (x^7 + x^2 + x + 1)$ = (1 0000 1110); because of the leftmost 1 (degree 8) reduce by m(x): (0000 1110) ⊕ (0001 1011) = (0001 0101);
• and
  – $\{03\} \cdot \{6E\} = (x+1) \cdot (x^6 + x^5 + x^3 + x^2 + x) = (x^6 + x^5 + x^3 + x^2 + x) \oplus x \cdot (x^6 + x^5 + x^3 + x^2 + x)$, i.e. $\{6E\} \oplus (\{02\} \cdot \{6E\})$ = (0110 1110) ⊕ (1101 1100) = (1011 0010); the other products are computed the same way.
• Summing the four terms:
  {02} · {87} = 0001 0101
  {03} · {6E} = 1011 0010
  {46}        = 0100 0110
  {A6}        = 1010 0110
  Total       = 0100 0111 = {47}

Page 136: Secure Communication Ranju S Kartha Shiji Abraham

InvMixColumn

• Same routine as MixColumn, only instead of a(x) the inverse of a(x) is used:

  $a^{-1}(x) = \{0B\}x^3 + \{0D\}x^2 + \{09\}x + \{0E\}$

Page 137: Secure Communication Ranju S Kartha Shiji Abraham

AES Key Expansion

• takes 128-bit (16-byte) key and expands into array of 44/52/60 32-bit words
• start by copying key into first 4 words
• then loop creating words that depend on values in previous & 4 places back
  – in 3 of 4 cases just XOR these together
  – every 4th has S-box + rotate + XOR constant of previous before XOR together
• designed to resist known attacks
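As an added example (not code from the slides or from the AES specification), the GF(2^8) arithmetic of the Mathematical Review slide, the S-box construction (multiplicative inverse, then the affine transformation with c = {63}) and its inverse from the SubBytes slides, MixColumns / InvMixColumns with the slides' worked column, and the AES-128 key expansion just described. Function names are assumptions; the values asserted are the ones quoted on the slides plus the first expanded word of the FIPS-197 sample key.

```python
# Added example (not code from the original slides): GF(2^8) arithmetic modulo
# m(x) = x^8 + x^4 + x^3 + x + 1, the S-box built as multiplicative inverse followed
# by the affine transformation with c = {63}, its inverse (inverse affine with
# d = {05}, then inverse), MixColumns / InvMixColumns, and the AES-128 key
# expansion. Values are checked against the slides: S({95}) = {2A},
# IS({95}) = {AD}, and the column {87,6E,46,A6} -> {47,37,94,ED}.

MODULUS = 0x11B  # x^8 + x^4 + x^3 + x + 1 as a bit pattern


def xtime(a: int) -> int:
    """Multiply by x ({02}): shift left, and XOR the modulus if bit 7 was set."""
    a <<= 1
    return (a ^ MODULUS if a & 0x100 else a) & 0xFF


def gf_mul(a: int, b: int) -> int:
    """Polynomial multiplication over Z2 reduced mod m(x), by repeated shifts and XOR."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a, b = xtime(a), b >> 1
    return result


def gf_inv(a: int) -> int:
    """Multiplicative inverse: a^254 = a^-1 because the nonzero elements form a
    group of order 255. The S-box maps 0 to 0 by definition."""
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base, exp = gf_mul(base, base), exp >> 1
    return result if a else 0


def affine(b: int, taps, const: int) -> int:
    """b'_i = XOR over t in taps of b_{(i+t) mod 8}, XOR bit i of const."""
    out = 0
    for i in range(8):
        bit = (const >> i) & 1
        for t in taps:
            bit ^= (b >> ((i + t) % 8)) & 1
        out |= bit << i
    return out


def sbox(a: int) -> int:
    """SubBytes: inverse in GF(2^8), then taps (0,4,5,6,7) with c = {63}."""
    return affine(gf_inv(a), (0, 4, 5, 6, 7), 0x63)


def inv_sbox(a: int) -> int:
    """InvSubBytes: inverse affine map, taps (2,5,7) with d = {05}, then GF inverse."""
    return gf_inv(affine(a, (2, 5, 7), 0x05))


# Rows of the MixColumns matrix (from a(x) = {03}x^3 + {01}x^2 + {01}x + {02})
# and of its inverse (from a^-1(x) = {0B}x^3 + {0D}x^2 + {09}x + {0E}).
MIX = ((2, 3, 1, 1), (1, 2, 3, 1), (1, 1, 2, 3), (3, 1, 1, 2))
INV_MIX = ((0x0E, 0x0B, 0x0D, 0x09), (0x09, 0x0E, 0x0B, 0x0D),
           (0x0D, 0x09, 0x0E, 0x0B), (0x0B, 0x0D, 0x09, 0x0E))


def mix_column(col, matrix=MIX) -> list:
    """Each output byte is a GF(2^8) dot product of one matrix row with the column."""
    out = []
    for row in matrix:
        acc = 0
        for coef, byte in zip(row, col):
            acc ^= gf_mul(coef, byte)
        out.append(acc)
    return out


def inv_mix_column(col) -> list:
    return mix_column(col, INV_MIX)


RCON = (0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36)


def key_expansion(key: bytes) -> list:
    """AES-128 schedule: copy the key into w[0..3]; each later word is w[i-4] XOR
    w[i-1], where every 4th w[i-1] is first rotated, S-boxed and XORed with Rcon."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [sbox(b) for b in t[1:] + t[:1]]   # RotWord then SubWord
            t[0] ^= RCON[i // 4 - 1]               # round constant
        w.append([x ^ y for x, y in zip(w[i - 4], t)])
    return w
```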

Page 138: Secure Communication Ranju S Kartha Shiji Abraham

AES Decryption

• AES decryption is not identical to encryption since steps done in reverse
• but can define an equivalent inverse cipher with steps as for encryption
  – but using inverses of each step
  – with a different key schedule
• works since result is unchanged when
  – swap byte substitution & shift rows
  – swap mix columns & add (tweaked) round key

Page 139: Secure Communication Ranju S Kartha Shiji Abraham

Public Key Cryptography

Module 4

Page 140: Secure Communication Ranju S Kartha Shiji Abraham

Private-Key Cryptography

• traditional private/secret/single key cryptography uses one key
• shared by both sender and receiver
• if this key is disclosed communications are compromised
• also is symmetric, parties are equal
• hence does not protect sender from receiver forging a message & claiming it is sent by sender

Page 141: Secure Communication Ranju S Kartha Shiji Abraham

Public-Key Cryptography

• probably most significant advance in the 3000 year history of cryptography

• uses two keys – a public & a private key

• asymmetric since parties are not equal

• uses clever application of number theoretic concepts to function

• complements rather than replaces private key crypto

Page 142: Secure Communication Ranju S Kartha Shiji Abraham

Why Public-Key Cryptography?

• developed to address two key issues:
  – key distribution – how to have secure communications in general without having to trust a KDC with your key
  – digital signatures – how to verify a message comes intact from the claimed sender
• public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976
  – known earlier in classified community

Page 143: Secure Communication Ranju S Kartha Shiji Abraham

Public-Key Cryptography

• public-key/two-key/asymmetric cryptography involves the use of two keys:
  – a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures
  – a related private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures
• infeasible to determine private key from public
• is asymmetric because
  – those who encrypt messages or verify signatures cannot decrypt messages or create signatures

Page 144: Secure Communication Ranju S Kartha Shiji Abraham

Public-Key Cryptography

Page 145: Secure Communication Ranju S Kartha Shiji Abraham

Symmetric vs Public-Key

Page 146: Secure Communication Ranju S Kartha Shiji Abraham

Public-Key Cryptosystems

Page 147: Secure Communication Ranju S Kartha Shiji Abraham

Public-Key Applications

• can classify uses into 3 categories:
  – encryption/decryption (provide secrecy)
  – digital signatures (provide authentication)
  – key exchange (of session keys)

• some algorithms are suitable for all uses, others are specific to one

Page 148: Secure Communication Ranju S Kartha Shiji Abraham

Public-Key Requirements

• Public-Key algorithms rely on two keys where:
  – it is computationally infeasible to find decryption key knowing only algorithm & encryption key
  – it is computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known
  – either of the two related keys can be used for encryption, with the other used for decryption (for some algorithms)

• these are formidable requirements which only a few algorithms have satisfied

Page 149: Secure Communication Ranju S Kartha Shiji Abraham

Public-Key Requirements

• need a trapdoor one-way function

• one-way function has
  – $Y = f(X)$ easy
  – $X = f^{-1}(Y)$ infeasible

• a trap-door one-way function has
  – $Y = f_k(X)$ easy, if k and X are known
  – $X = f_k^{-1}(Y)$ easy, if k and Y are known
  – $X = f_k^{-1}(Y)$ infeasible, if Y known but k not known

• a practical public-key scheme depends on a suitable trap-door one-way function

Page 150: Secure Communication Ranju S Kartha Shiji Abraham

Security of Public Key Schemes

• like private key schemes brute force exhaustive search attack is always theoretically possible
• but keys used are too large (>512 bits)
• security relies on a large enough difference in difficulty between easy (en/decrypt) and hard (cryptanalyse) problems
• more generally the hard problem is known, but is made hard enough to be impractical to break
• requires the use of very large numbers
• hence is slow compared to private key schemes

Page 151: Secure Communication Ranju S Kartha Shiji Abraham

RSA

• by Rivest, Shamir & Adleman of MIT in 1977
• best known & widely used public-key scheme
• based on exponentiation in a finite (Galois) field over integers modulo a prime
  – nb. exponentiation takes $O((\log n)^3)$ operations (easy)
• uses large integers (eg. 1024 bits)
• security due to cost of factoring large numbers
  – nb. factorization takes $O(e^{\log n \log \log n})$ operations (hard)

Page 152: Secure Communication Ranju S Kartha Shiji Abraham

RSA En/decryption

• to encrypt a message M the sender:
  – obtains public key of recipient PU={e,n}
  – computes: $C = M^e \bmod n$, where $0 \le M < n$

• to decrypt the ciphertext C the owner:
  – uses their private key PR={d,n}
  – computes: $M = C^d \bmod n$

• note that the message M must be smaller than the modulus n (block if needed)

Page 153: Secure Communication Ranju S Kartha Shiji Abraham

RSA Key Setup

• each user generates a public/private key pair by:
• selecting two large primes at random: p, q
• computing their system modulus n = p.q
  – note $\phi(n) = (p-1)(q-1)$
• selecting at random the encryption key e
  – where $1 < e < \phi(n)$, $\gcd(e, \phi(n)) = 1$
• solve following equation to find decryption key d
  – $e \cdot d = 1 \bmod \phi(n)$ and $0 \le d \le n$
• publish their public encryption key: PU={e,n}
• keep secret private decryption key: PR={d,n}

Page 154: Secure Communication Ranju S Kartha Shiji Abraham

Why RSA Works

• because of Euler's Theorem:
  – $a^{\phi(n)} \bmod n = 1$ where $\gcd(a, n) = 1$

• in RSA have:
  – $n = p \cdot q$
  – $\phi(n) = (p-1)(q-1)$
  – carefully chose e & d to be inverses mod $\phi(n)$
  – hence $e \cdot d = 1 + k \cdot \phi(n)$ for some k

• hence:
  $C^d = M^{e \cdot d} = M^{1 + k \cdot \phi(n)} = M^1 \cdot (M^{\phi(n)})^k = M^1 \cdot (1)^k = M^1 = M \bmod n$

Page 155: Secure Communication Ranju S Kartha Shiji Abraham

RSA Example - Key Setup

1. Select primes: p=17 & q=11
2. Calculate n = pq = 17 x 11 = 187
3. Calculate $\phi(n) = (p-1)(q-1) = 16 \times 10 = 160$
4. Select e: gcd(e,160)=1; choose e=7
5. Determine d: de = 1 mod 160 and d < 160; value is d=23 since 23 x 7 = 161 = 1 x 160 + 1
6. Publish public key PU={7,187}
7. Keep secret private key PR={23,187}

Page 156: Secure Communication Ranju S Kartha Shiji Abraham

RSA Example - En/Decryption

sample RSA encryption/decryption is:
• given message M = 88 (nb. 88 < 187)
• encryption:
  $C = 88^7 \bmod 187 = 11$
• decryption:
  $M = 11^{23} \bmod 187 = 88$

Page 157: Secure Communication Ranju S Kartha Shiji Abraham

Exponentiation

• can use the Square and Multiply Algorithm
• a fast, efficient algorithm for exponentiation
• concept is based on repeatedly squaring base
• and multiplying in the ones that are needed to compute the result
• look at binary representation of exponent
• only takes $O(\log_2 n)$ multiples for number n
  – eg. $7^5 = 7^4 \cdot 7^1 = 3 \cdot 7 = 10 \bmod 11$
  – eg. $3^{129} = 3^{128} \cdot 3^1 = 5 \cdot 3 = 4 \bmod 11$

Page 158: Secure Communication Ranju S Kartha Shiji Abraham

Exponentiation

c = 0; f = 1
for i = k downto 0 do
    c = 2 x c
    f = (f x f) mod n
    if b_i == 1 then
        c = c + 1
        f = (f x a) mod n
return f

Page 159: Secure Communication Ranju S Kartha Shiji Abraham

Efficient Encryption

• encryption uses exponentiation to power e
• hence if e small, this will be faster
  – often choose e = 65537 ($2^{16} + 1$)
  – also see choices of e=3 or e=17
• but if e too small (eg e=3) can attack
  – using Chinese remainder theorem & 3 messages with different moduli
• if e fixed must ensure $\gcd(e, \phi(n)) = 1$
  – ie reject any p or q not relatively prime to e

Page 160: Secure Communication Ranju S Kartha Shiji Abraham

Efficient Decryption

• decryption uses exponentiation to power d
  – this is likely large, insecure if not
• can use the Chinese Remainder Theorem (CRT) to compute mod p & q separately, then combine to get desired answer
  – approx 4 times faster than doing directly
• only owner of private key who knows values of p & q can use this technique

Page 161: Secure Communication Ranju S Kartha Shiji Abraham

RSA Key Generation

• users of RSA must:
  – determine two primes at random – p, q
  – select either e or d and compute the other
• primes p, q must not be easily derived from modulus n = p.q
  – means must be sufficiently large
  – typically guess and use probabilistic test
• exponents e, d are inverses, so use Inverse algorithm to compute the other

Page 162: Secure Communication Ranju S Kartha Shiji Abraham

RSA Security

• possible approaches to attacking RSA are:
  – brute force key search – infeasible given size of numbers
  – mathematical attacks – based on difficulty of computing $\phi(n)$, by factoring modulus n
  – timing attacks – on running of decryption
  – chosen ciphertext attacks – given properties of RSA

Page 163: Secure Communication Ranju S Kartha Shiji Abraham

Factoring Problem

• mathematical approach takes 3 forms:
  – factor n = p.q, hence compute $\phi(n)$ and then d
  – determine $\phi(n)$ directly and compute d
  – find d directly
• currently believe all equivalent to factoring
  – have seen slow improvements over the years
• as of May-05 best is 200 decimal digits (663 bits) with LS
  – biggest improvement comes from improved algorithm
    • cf QS to GNFS to LS
  – currently assume 1024-2048 bit RSA is secure
    • ensure p, q of similar size and matching other constraints

Page 164: Secure Communication Ranju S Kartha Shiji Abraham

Progress in Factoring

Page 165: Secure Communication Ranju S Kartha Shiji Abraham

Progress in Factoring

Page 166: Secure Communication Ranju S Kartha Shiji Abraham

Timing Attacks

• developed by Paul Kocher in mid-1990’s
• exploit timing variations in operations
  – eg. multiplying by small vs large number
  – or IF's varying which instructions executed
• infer operand size based on time taken
• RSA exploits time taken in exponentiation
• countermeasures
  – use constant exponentiation time
  – add random delays
  – blind values used in calculations
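As an added example (not code from the slides), RSA key setup, the square-and-multiply routine from the Exponentiation slide, CRT decryption from the Efficient Decryption slide, and blinded decryption as the countermeasure named above, all checked against the slides' worked example (p=17, q=11, e=7, d=23, M=88, C=11). Function names and the RSAKey record are assumptions for this example; the tiny numbers exist only to match the slides.

```python
# Added example (not code from the original slides): RSA key setup, the
# square-and-multiply exponentiation from the Exponentiation slide, CRT decryption
# (Efficient Decryption slide) and blinded decryption (the timing-attack
# countermeasure named on the Timing Attacks slide), checked against the slides'
# toy example p=17, q=11, e=7, d=23, M=88 -> C=11. The tiny numbers only
# match the slides; real keys use primes of 1024 bits or more.
from collections import namedtuple
from math import gcd

RSAKey = namedtuple("RSAKey", "e d n p q")   # assumed record for this example


def mod_inverse(a: int, m: int) -> int:
    """Extended Euclid: return x with a*x = 1 (mod m); raises if gcd(a, m) != 1."""
    r0, r1, x0, x1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1, x0, x1 = r1, r0 - q * r1, x1, x0 - q * x1
    if r0 != 1:
        raise ValueError("no inverse: gcd is not 1")
    return x0 % m


def square_and_multiply(a: int, b: int, n: int) -> int:
    """a^b mod n by scanning the exponent bits from the top, as in the slide's
    pseudocode: square every step, multiply in a only where the exponent bit is 1.
    c accumulates the exponent processed so far and equals b at the end."""
    c, f = 0, 1
    for bit in bin(b)[2:]:
        c = 2 * c
        f = (f * f) % n
        if bit == "1":
            c = c + 1
            f = (f * a) % n
    assert c == b
    return f


def rsa_keygen(p: int, q: int, e: int) -> RSAKey:
    """Key setup from the slides; rejects p or q not relatively prime to a fixed e."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must satisfy gcd(e, phi(n)) = 1")
    return RSAKey(e, mod_inverse(e, phi), n, p, q)


def rsa_encrypt(m: int, key: RSAKey) -> int:
    if not 0 <= m < key.n:
        raise ValueError("message must be smaller than the modulus (block if needed)")
    return square_and_multiply(m, key.e, key.n)


def rsa_decrypt(c: int, key: RSAKey) -> int:
    return square_and_multiply(c, key.d, key.n)


def rsa_decrypt_crt(c: int, key: RSAKey) -> int:
    """Exponentiate mod p and mod q separately with the reduced exponents, then
    recombine (Garner's form); only the holder of p and q can do this."""
    mp = square_and_multiply(c % key.p, key.d % (key.p - 1), key.p)
    mq = square_and_multiply(c % key.q, key.d % (key.q - 1), key.q)
    h = (mod_inverse(key.q, key.p) * (mp - mq)) % key.p
    return mq + h * key.q


def rsa_decrypt_blinded(c: int, key: RSAKey, r: int) -> int:
    """Blinding: decrypt c * r^e instead of c, then divide out r, so the value that
    goes through the private exponentiation is unrelated to the submitted ciphertext.
    r must be a fresh random value coprime to n for every call (passed in here)."""
    if gcd(r, key.n) != 1:
        raise ValueError("blinding factor must be coprime to n")
    blinded = (c * square_and_multiply(r, key.e, key.n)) % key.n
    return (square_and_multiply(blinded, key.d, key.n) * mod_inverse(r, key.n)) % key.n


if __name__ == "__main__":
    key = rsa_keygen(17, 11, 7)            # values from the slides
    c = rsa_encrypt(88, key)
    print("PU =", (key.e, key.n), "PR =", (key.d, key.n))
    print("C =", c, "M =", rsa_decrypt(c, key), "M (CRT) =", rsa_decrypt_crt(c, key))
```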

Page 167: Secure Communication Ranju S Kartha Shiji Abraham

Chosen Ciphertext Attacks

• RSA is vulnerable to a Chosen Ciphertext Attack (CCA)

• attacker chooses ciphertexts & gets decrypted plaintext back

• choose ciphertext to exploit properties of RSA to provide info to help cryptanalysis

• can counter with random pad of plaintext
• or use Optimal Asymmetric Encryption Padding (OAEP)

Page 168: Secure Communication Ranju S Kartha Shiji Abraham

Key Management and Distribution

• topics of cryptographic key management / key distribution are complex – cryptographic, protocol, & management issues

• symmetric schemes require both parties to share a common secret key

• public key schemes require parties to acquire valid public keys

• have concerns with doing both

Page 169: Secure Communication Ranju S Kartha Shiji Abraham

Key Distribution

symmetric schemes require both parties to share a common secret key

• issue is how to securely distribute this key whilst protecting it from others
• frequent key changes can be desirable
• often secure system failure is due to a break in the key distribution scheme

Page 170: Secure Communication Ranju S Kartha Shiji Abraham

Key Distribution

• given parties A and B have various key distribution alternatives:

1. A can select key and physically deliver to B

2. third party can select & deliver key to A & B

3. if A & B have communicated previously can use previous key to encrypt a new key

4. if A & B have secure communications with a third party C, C can relay key between A & B

Page 171: Secure Communication Ranju S Kartha Shiji Abraham

Key Distribution Task

Page 172: Secure Communication Ranju S Kartha Shiji Abraham

Key Hierarchy

Page 173: Secure Communication Ranju S Kartha Shiji Abraham

Key Distribution Scenario

Page 174: Secure Communication Ranju S Kartha Shiji Abraham

Key Distribution Issues

• hierarchies of KDC’s required for large networks, but must trust each other

• session key lifetimes should be limited for greater security

• use of automatic key distribution on behalf of users, but must trust system

• use of decentralized key distribution

• controlling key usage

Page 175: Secure Communication Ranju S Kartha Shiji Abraham

Symmetric Key Distribution Using Public Keys

• public key cryptosystems are inefficient
• so almost never used for direct data encryption
• rather used to encrypt secret keys for distribution

Page 176: Secure Communication Ranju S Kartha Shiji Abraham

Simple Secret Key Distribution

• Merkle proposed this very simple scheme
  – allows secure communications
  – no keys before/after exist

Page 177: Secure Communication Ranju S Kartha Shiji Abraham

Man-in-the-Middle Attack

• this very simple scheme is vulnerable to an active man-in-the-middle attack

Page 178: Secure Communication Ranju S Kartha Shiji Abraham

Secret Key Distribution with Confidentiality and Authentication

Page 179: Secure Communication Ranju S Kartha Shiji Abraham

Hybrid Key Distribution

• retain use of private-key KDC
• shares secret master key with each user
• distributes session key using master key
• public-key used to distribute master keys
  – especially useful with widely distributed users
• rationale
  – performance
  – backward compatibility

Page 180: Secure Communication Ranju S Kartha Shiji Abraham

Distribution of Public Keys

• can be considered as using one of:
  – public announcement
  – publicly available directory
  – public-key authority
  – public-key certificates

Page 181: Secure Communication Ranju S Kartha Shiji Abraham

Public Announcement

• users distribute public keys to recipients or broadcast to community at large
  – eg. append PGP keys to email messages or post to news groups or email list
• major weakness is forgery
  – anyone can create a key claiming to be someone else and broadcast it
  – until forgery is discovered can masquerade as claimed user

Page 182: Secure Communication Ranju S Kartha Shiji Abraham

Publicly Available Directory

• can obtain greater security by registering keys with a public directory

• directory must be trusted with properties:
– contains {name, public-key} entries
– participants register securely with directory
– participants can replace key at any time
– directory is periodically published
– directory can be accessed electronically

• still vulnerable to tampering or forgery

Page 183: Secure Communication Ranju S Kartha Shiji Abraham

Public-Key Authority

• improve security by tightening control over distribution of keys from directory

• has properties of directory
• and requires users to know public key for the directory
• then users interact with directory to obtain any desired public key securely
– does require real-time access to directory when keys are needed
– may be vulnerable to tampering

Page 184: Secure Communication Ranju S Kartha Shiji Abraham

Public-Key Authority

Page 185: Secure Communication Ranju S Kartha Shiji Abraham

Public-Key Certificates

• certificates allow key exchange without real-time access to public-key authority
• a certificate binds identity to public key
– usually with other info such as period of validity, rights of use etc
– with all contents signed by a trusted Public-Key or Certificate Authority (CA)
• can be verified by anyone who knows the public-key authority's public key

Page 186: Secure Communication Ranju S Kartha Shiji Abraham

Public-Key Certificates

Page 187: Secure Communication Ranju S Kartha Shiji Abraham

X.509 Authentication Service

• part of CCITT X.500 directory service standards
– distributed servers maintaining user info database
• defines framework for authentication services
– directory may store public-key certificates
– with public key of user signed by certification authority
• also defines authentication protocols
• uses public-key crypto & digital signatures
– algorithms not standardised, but RSA recommended
• X.509 certificates are widely used
– have 3 versions

Page 188: Secure Communication Ranju S Kartha Shiji Abraham

X.509 Certificate

Use

Page 189: Secure Communication Ranju S Kartha Shiji Abraham

X.509 Certificates

• issued by a Certification Authority (CA), containing:
– version V (1, 2, or 3)
– serial number SN (unique within CA) identifying certificate
– signature algorithm identifier AI
– issuer X.500 name (CA)
– period of validity TA (from - to dates)
– subject X.500 name A (name of owner)
– subject public-key info Ap (algorithm, parameters, key)
– issuer unique identifier (v2+)
– subject unique identifier (v2+)
– extension fields (v3)
– signature (of hash of all fields in certificate)

• notation CA<<A>> denotes certificate for A signed by CA

Page 190: Secure Communication Ranju S Kartha Shiji Abraham

X.509 Certificates

Page 191: Secure Communication Ranju S Kartha Shiji Abraham

Obtaining a Certificate

• any user with access to CA can get any certificate from it
• only the CA can modify a certificate
• because they cannot be forged, certificates can be placed in a public directory

Page 192: Secure Communication Ranju S Kartha Shiji Abraham

CA Hierarchy

• if both users share a common CA then they are assumed to know its public key
• otherwise CAs must form a hierarchy
– use certificates linking members of hierarchy to validate other CAs
– each CA has certificates for clients (forward) and parent (backward)
• each client trusts its parent's certificates
• enables verification of any certificate from one CA by users of all other CAs in hierarchy

Page 193: Secure Communication Ranju S Kartha Shiji Abraham

CA Hierarchy Use

Page 194: Secure Communication Ranju S Kartha Shiji Abraham

Certificate Revocation

• certificates have a period of validity
• may need to revoke before expiry, eg:

1. user's private key is compromised

2. user is no longer certified by this CA

3. CA's certificate is compromised

• CAs maintain list of revoked certificates
– the Certificate Revocation List (CRL)

• users should check certificates with CA’s CRL

Page 195: Secure Communication Ranju S Kartha Shiji Abraham

X.509 Version 3

• has been recognised that additional information is needed in a certificate
– email/URL, policy details, usage constraints

• rather than explicitly naming new fields defined a general extension method

• extensions consist of:
– extension identifier
– criticality indicator
– extension value

Page 196: Secure Communication Ranju S Kartha Shiji Abraham

Certificate Extensions

• key and policy information
– convey info about subject & issuer keys, plus indicators of certificate policy
• certificate subject and issuer attributes
– support alternative names, in alternative formats, for certificate subject and/or issuer
• certificate path constraints
– allow constraints on use of certificates by other CAs

Page 197: Secure Communication Ranju S Kartha Shiji Abraham

Public Key Infrastructure

Page 198: Secure Communication Ranju S Kartha Shiji Abraham

Intrusion Detection System

Module 5

Page 199: Secure Communication Ranju S Kartha Shiji Abraham

Intruders

• significant issue for networked systems is hostile or unwanted access

• either via network or local

• can identify classes of intruders:
– masquerader
– misfeasor
– clandestine user

• varying levels of competence

Page 200: Secure Communication Ranju S Kartha Shiji Abraham

Intruders

• clearly a growing publicized problem
– from “Wily Hacker” in 1986/87
– to clearly escalating CERT stats

• may seem benign, but still cost resources

• may use compromised system to launch other attacks

Page 201: Secure Communication Ranju S Kartha Shiji Abraham

Intrusion Techniques

• aim to increase privileges on system

• basic attack methodology
– target acquisition and information gathering
– initial access
– privilege escalation
– covering tracks

• key goal often is to acquire passwords

• so then exercise access rights of owner

Page 202: Secure Communication Ranju S Kartha Shiji Abraham

Password Guessing

• one of the most common attacks
• attacker knows a login (from email/web page etc)
• then attempts to guess password for it
– try default passwords shipped with systems
– try all short passwords
– then try by searching dictionaries of common words
– intelligent searches try passwords associated with the user (variations on names, birthday, phone, common words/interests)
– before exhaustively searching all possible passwords
• check by login attempt or against stolen password file
• success depends on password chosen by user
• surveys show many users choose poorly

Page 203: Secure Communication Ranju S Kartha Shiji Abraham

Password Capture

• another attack involves password capture
– watching over shoulder as password is entered
– using a trojan horse program to collect
– monitoring an insecure network login (eg. telnet, FTP, web, email)
– extracting recorded info after successful login (web history/cache, last number dialed etc)
• using valid login/password can impersonate user
• users need to be educated to use suitable precautions/countermeasures

Page 204: Secure Communication Ranju S Kartha Shiji Abraham

Intrusion Detection

• inevitably will have security failures

• so need also to detect intrusions so can
– block if detected quickly
– act as deterrent
– collect info to improve security

• assume intruder will behave differently to a legitimate user
– but will have imperfect distinction between

Page 205: Secure Communication Ranju S Kartha Shiji Abraham

Approaches to Intrusion Detection

• statistical anomaly detection
– threshold
– profile based

• rule-based detection
– anomaly
– penetration identification

Page 206: Secure Communication Ranju S Kartha Shiji Abraham

Audit Records

• fundamental tool for intrusion detection

• native audit records
– part of all common multi-user O/S
– already present for use
– may not have info wanted in desired form

• detection-specific audit records
– created specifically to collect wanted info
– at cost of additional overhead on system

Page 207: Secure Communication Ranju S Kartha Shiji Abraham

Statistical Anomaly Detection

• threshold detection
– count occurrences of specific event over time
– if exceeds reasonable value assume intrusion
– alone is a crude & ineffective detector

• profile based
– characterize past behavior of users
– detect significant deviations from this
– profile usually multi-parameter

Page 208: Secure Communication Ranju S Kartha Shiji Abraham

Audit Record Analysis

• foundation of statistical approaches

• analyze records to get metrics over time
– counter, gauge, interval timer, resource use

• use various tests on these to determine if current behavior is acceptable
– mean & standard deviation, multivariate, markov process, time series, operational

• key advantage is no prior knowledge used
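The two statistical approaches from the previous slides (threshold detection on a counter, and profile-based detection using a per-user mean and standard deviation), as an added example that is not part of the slides. The audit record layout and the sample records are constructed for illustration.

```python
import statistics
from collections import Counter, defaultdict

# Constructed audit records (not from the slides): (user, event, bytes moved).
# HISTORY characterises past behaviour; CURRENT is the window under analysis.
HISTORY = [
    ("alice", "login_ok", 0), ("alice", "file_read", 1200), ("alice", "file_read", 900),
    ("alice", "file_read", 1500), ("alice", "file_read", 1100), ("alice", "file_read", 1300),
    ("bob", "login_ok", 0), ("bob", "file_read", 50000), ("bob", "file_read", 48000),
    ("bob", "file_read", 52000), ("bob", "file_read", 47000), ("bob", "file_read", 51000),
]
CURRENT = [
    ("alice", "login_fail", 0), ("alice", "login_fail", 0), ("alice", "login_fail", 0),
    ("alice", "login_fail", 0), ("alice", "login_ok", 0), ("alice", "file_read", 60000),
    ("bob", "login_fail", 0), ("bob", "login_ok", 0), ("bob", "file_read", 49500),
]

def threshold_alarms(records, event="login_fail", limit=3):
    """Threshold detection: a counter metric per user; alarm when the count of
    `event` in the window exceeds `limit`. Crude on its own: a burst of typos
    and a guessing attack look identical to this test."""
    counts = Counter(user for user, ev, _ in records if ev == event)
    return sorted(user for user, n in counts.items() if n > limit)

def build_profiles(history, event="file_read"):
    """Profile-based detection, step 1: per-user mean and standard deviation of
    a gauge metric (bytes per file_read) computed from historical records."""
    samples = defaultdict(list)
    for user, ev, nbytes in history:
        if ev == event:
            samples[user].append(nbytes)
    return {u: (statistics.mean(v), statistics.pstdev(v))
            for u, v in samples.items() if len(v) >= 2}

def profile_alarms(profiles, records, event="file_read", k=3.0):
    """Profile-based detection, step 2: flag (user, value, z-score) where the
    current value lies more than k standard deviations from that user's profile."""
    alarms = []
    for user, ev, nbytes in records:
        if ev != event or user not in profiles:
            continue
        mean, sd = profiles[user]
        if sd == 0:          # no variation in history: cannot score deviations
            continue
        z = (nbytes - mean) / sd
        if abs(z) > k:
            alarms.append((user, nbytes, round(z, 1)))
    return alarms
```

Note that bob's 49500-byte read is normal for bob but would be wildly abnormal for alice; that is why the profile is per user rather than a single global threshold.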

Page 209: Secure Communication Ranju S Kartha Shiji Abraham

Rule-Based Intrusion Detection

• observe events on system & apply rules to decide if activity is suspicious or not

• rule-based anomaly detection
– analyze historical audit records to identify usage patterns & auto-generate rules for them
– then observe current behavior & match against rules to see if it conforms
– like statistical anomaly detection, does not require prior knowledge of security flaws

Page 210: Secure Communication Ranju S Kartha Shiji Abraham

Rule-Based Intrusion Detection

• rule-based penetration identification
– uses expert systems technology
– with rules identifying known penetration, weakness patterns, or suspicious behavior
– rules usually machine & O/S specific
– rules are generated by experts who interview & codify knowledge of security admins
– quality depends on how well this is done
– compare audit records or states against rules

Page 211: Secure Communication Ranju S Kartha Shiji Abraham

Base-Rate Fallacy

• practically an intrusion detection system needs to detect a substantial percentage of intrusions with few false alarms
– if too few intrusions detected -> false security
– if too many false alarms -> ignore / waste time

• this is very hard to do

• existing systems seem not to have a good record
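The base-rate fallacy worked through with Bayes' rule, as an added example that is not part of the slides; the event volume, intrusion rate and detector rates are constructed figures for illustration.

```python
def alarm_precision(base_rate, detection_rate, false_alarm_rate):
    """P(intrusion | alarm) by Bayes' rule.

    base_rate        P(intrusion): fraction of audited events that are intrusive
    detection_rate   P(alarm | intrusion)
    false_alarm_rate P(alarm | no intrusion)
    """
    true_alarms = base_rate * detection_rate
    false_alarms = (1.0 - base_rate) * false_alarm_rate
    return true_alarms / (true_alarms + false_alarms)

def max_false_alarm_rate(base_rate, detection_rate, target_precision):
    """Largest P(alarm | no intrusion) for which P(intrusion | alarm) still reaches
    target_precision: solve bD / (bD + (1-b)F) >= p for F."""
    return (base_rate * detection_rate * (1.0 - target_precision)
            / ((1.0 - base_rate) * target_precision))

def alarms_per_day(events_per_day, base_rate, detection_rate, false_alarm_rate):
    """Expected (true, false) alarms per day: the analyst's view of the fallacy."""
    intrusive = events_per_day * base_rate
    return (intrusive * detection_rate,
            (events_per_day - intrusive) * false_alarm_rate)

if __name__ == "__main__":
    # Constructed scenario: 1 in 100,000 events is an intrusion, detector catches
    # 99% of them and raises a false alarm on 1% of benign events.
    print("precision:", alarm_precision(1e-5, 0.99, 0.01))          # about 0.001
    print("alarms/day:", alarms_per_day(1_000_000, 1e-5, 0.99, 0.01))
    print("FAR for 50% precision:", max_false_alarm_rate(1e-5, 0.99, 0.5))
```

With those figures only about one alarm in a thousand is a real intrusion, and the false-alarm rate would have to drop to roughly one in 100,000 events for even half the alarms to be genuine.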

Page 212: Secure Communication Ranju S Kartha Shiji Abraham

Distributed Intrusion Detection

• traditional focus is on single systems

• but typically have networked systems

• more effective defense has these working together to detect intrusions

• issues
– dealing with varying audit record formats
– integrity & confidentiality of networked data
– centralized or decentralized architecture

Page 213: Secure Communication Ranju S Kartha Shiji Abraham

Distributed Intrusion Detection - Architecture

Page 214: Secure Communication Ranju S Kartha Shiji Abraham

Distributed Intrusion Detection – Agent Implementation

Page 215: Secure Communication Ranju S Kartha Shiji Abraham

Honeypots

• decoy systems to lure attackers
– away from accessing critical systems
– to collect information on their activities
– to encourage attacker to stay on system so administrator can respond
• are filled with fabricated information
• instrumented to collect detailed information on attacker's activities
• may be single or multiple networked systems

Page 216: Secure Communication Ranju S Kartha Shiji Abraham

Password Management

• front-line defense against intruders

• users supply both:
– login – determines privileges of that user
– password – to identify them

• passwords often stored encrypted
– Unix uses multiple DES (variant with salt)
– more recent systems use crypto hash function
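The "crypto hash function with salt" storage scheme from the slide above, as an added example that is not part of the slides: a salted, iterated hash (PBKDF2-HMAC-SHA256 from the Python standard library) with a constant-time comparison on verification. The record format and iteration count are constructed choices.

```python
import hashlib
import hmac
import os

# Constructed record format (not from the slides): algorithm$iterations$salt_hex$hash_hex
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor; raise as hardware gets faster

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Store a password as a salted, iterated hash. The random per-user salt makes
    equal passwords produce different records, so a precomputed table of hashes
    cannot be reused across users, and the iteration count slows each guess."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, record):
    """Recompute the hash with the stored salt and parameters and compare in
    constant time, so timing does not leak how many bytes matched."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported hash scheme: {algo}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)
```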

Page 217: Secure Communication Ranju S Kartha Shiji Abraham

Managing Passwords

• need policies and good user education
• ensure every account has a default password
• ensure users change the default passwords to something they can remember
• protect password file from general access
• set technical policies to enforce good passwords
– minimum length (>6)
– require a mix of upper & lower case letters, numbers, punctuation
– block known dictionary words

Page 218: Secure Communication Ranju S Kartha Shiji Abraham

Managing Passwords

• may reactively run password guessing tools
– note that good dictionaries exist for almost any language/interest group
• may enforce periodic changing of passwords
• have system monitor failed login attempts, & lock out account if see too many in a short period
• do need to educate users and get support
• balance requirements with user acceptance
• be aware of social engineering attacks

Page 219: Secure Communication Ranju S Kartha Shiji Abraham

Proactive Password Checking

• most promising approach to improving password security

• allow users to select own password

• but have system verify it is acceptable
– simple rule enforcement (see previous slide)
– compare against dictionary of bad passwords
– use algorithmic (markov model or bloom filter) to detect poor choices
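A proactive password checker combining the three techniques on this slide (rule enforcement from the previous slide, a bad-password dictionary, and a Bloom filter holding that dictionary), as an added example that is not part of the slides. The word list, the leet-speak normalisation and the filter parameters are constructed for illustration.

```python
import hashlib
import math

class BloomFilter:
    """Compact set membership for a bad-password dictionary: never a false negative
    (a listed word is always caught), tunable false-positive rate (occasionally a
    good password is rejected, which is the safe direction for this use)."""

    def __init__(self, n_items, fp_rate=1e-4):
        self.m = max(8, int(-n_items * math.log(fp_rate) / math.log(2) ** 2))  # bits
        self.k = max(1, round(self.m / n_items * math.log(2)))              # hashes
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # k indexes by double hashing (h1 + i*h2) derived from one SHA-256 digest
        d = hashlib.sha256(item.encode()).digest()
        h1, h2 = int.from_bytes(d[:8], "big"), int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

# Constructed sample of a bad-password dictionary; real lists hold millions of words.
BAD_WORDS = ["password", "letmein", "qwerty", "welcome", "monkey", "dragon", "football"]
BAD_FILTER = BloomFilter(len(BAD_WORDS))
for _w in BAD_WORDS:
    BAD_FILTER.add(_w)

LEET = str.maketrans("@$0!1", "asoil")  # undo common substitutions before lookup

def check_password(pw, filt=BAD_FILTER):
    """Proactive check: return the reasons a proposed password is rejected
    (empty list = acceptable). Rules follow the previous slide's policy."""
    reasons = []
    if len(pw) <= 6:
        reasons.append("too short (minimum length > 6)")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    if sum(classes) < 3:
        reasons.append("needs three of: lower, upper, digit, punctuation")
    stem = pw.lower().rstrip("0123456789!").translate(LEET)
    if stem in filt:
        reasons.append("based on a dictionary word")
    return reasons
```

The normalisation step matters: "P@ssw0rd1!" satisfies every composition rule yet reduces to "password" and is rejected by the dictionary test.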

Page 220: Secure Communication Ranju S Kartha Shiji Abraham

Summary

• have considered:
– problem of intrusion
– intrusion detection (statistical & rule-based)
– password management