1 / 34

Electronic Payment Systems 20-763 Lecture 4 ePayment Security I

Electronic Payment Systems 20-763 Lecture 4 ePayment Security I. ePayment Security. ePayments are impossible without security. Keep financial data secret from unauthorized parties (privacy) CRYPTOGRAPHY Verify that messages have not been altered in transit (integrity) HASH FUNCTIONS

bmaddocks
Download Presentation

Electronic Payment Systems 20-763 Lecture 4 ePayment Security I

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Electronic Payment Systems20-763Lecture 4ePayment Security I

  2. ePayment Security ePayments are impossible without security • Keep financial data secret from unauthorized parties (privacy) • CRYPTOGRAPHY • Verify that messages have not been altered in transit (integrity) • HASH FUNCTIONS • Prove that a party engaged in a transaction (nonrepudiation) • DIGITAL SIGNATURES • Verify identity of users (authentication) • PASSWORDS, DIGITAL CERTIFICATES

  3. Cryptography and Hash Functions • Message digest (hash) algorithms • Secure Hash Algorithm • Passwords • Defending against attacks • Salting, nonces • Symmetric encryption • DES and variations • AES: Rijndael • Public-key algorithms • RSA • Elliptic curve cryptography (ECC) • Digital signatures Lecture 4 Security I Lecture 5 Security II

  4. MESSAGE SPACE (ALL POSSIBLE PLAINTEXT MESSAGES) “TRANSFER $5000 TO MY SAVINGS ACCOUNT” HASH SPACE (ALL POSSIBLE HASHED MESSAGES) • • • • • • • ? MUST NOT BE REVERSIBLE • “AF0E891B293” Hash Functions A “HASH” IS A SHORT FUNCTION OF A MESSAGE (USUALLY  160 BITS)

  5. MESSAGE SPACE (ALL POSSIBLE PLAINTEXT MESSAGES) “TRANSFER $5000 TO MY SAVINGS ACCOUNT” • • • • • • • • “AF0E891B293” Hash Functions HASH FUNCTIONS ARE NOT ONE-TO-ONE AND NOT REVERSIBLE MANY MESSAGES HAVE THE SAME HASH HASH SPACE (ALL POSSIBLE HASHED MESSAGES) • • • “IT’S MONDAY” “THE SKY IS BLUE”

  6. One-Way Hash Functions • For any string s, H(s), the hash of s, is of fixed length (shorter than s), sometimes called a message digest • Easy to compute • “One-way”: computationally difficult to invert: can’t find any message corresponding to a given hash • Diffusion property: Altering any bit of the message changes many bits of the hash

  7. Uses of One-Way Hash Functions • Password verification • Message authentication (message digests) • Prevention of replay attack • Digital signatures

  8. Secure Hash Algorithm SHA-1 • Federal Information Processing Standard 180-1 (NIST) • For any message shorter than 264 1019bits, produces a 160-bit message digest • Uses exclusive-OR operation  A = 0 0 1 1 0 1 1 1 1 0 0 0 1 B = 1 1 0 1 0 0 1 1 0 1 0 1 1 A  B = 1 1 1 0 0 1 0 0 1 1 0 1 0 • Exclusive-OR islossy; knowing A B does not reveal even one bit of either A or B • Regular OR: If a bit of A B is zero, then both corresponding bits of both A and B were zero

  9. Information Hiding with Exclusive-OR y • x  y = 1 if either x or y is 1 but not both: • If x  y = 1 we can’t tell which one is a 1 • Can’t trace backwards to determine values • If x  y = 1 then BOTH x and y are 1 x

  10. TAKE FIRST 16 WORDS (512 BITS) STARTING HASH FIVE 32-BIT WORDS (160 BITS) FINAL HASH (160 BITS) 111011 010111 100010 011001 100101 110010 000110 110110 011110 111011 010111 100010 111011 010111 100010 011101 110101 101011 001111 101100 100011 001111 101100 100011 011101 110101 101011 000110 110110 011110 Secure Hash Algorithm Flow LONG MESSAGE TO BE HASHED REPEAT FOR EACH 512-BIT BLOCK EXPAND TO 80 WORDS (2560 BITS) REPEAT 79 MORE TIMES …

  11. Hashed Passwords • A system must be able to verify that a password is correct • Store the plaintext passwords. TERRIBLE IDEA • Store hashed passwords. BETTER IDEA • User SHAMOS has password “MAGIC”; hash is “341JY” • System stores (SHAMOS, 341JY) • Shamos logs in by typing SHAMOS, MAGIC • System hashes “MAGIC” to form “341JY” • Looks up hash of SHAMOS password = 341JY • USER is authenticated • System never stores the passwords • Passwords can’t be hacked or stolen • Someone who finds “341JY” cannot recover “MAGIC”

  12. Weakness of Hashed Passwords • Passwords come from a small universe (~50,000 words). • Possible to compare all possible hashes against the hashed file to discover passwords • For example, take each word in the English dictionary and hash it. This will reveal “MAGIC” and “341JY” • Hash each password differently. NOT SO BAD • Defends against dictionary attack • Want to be sure that two people who have the same password have different hashes, so compromise of one password does not reveal others • Don’t store H(P), the hash of the password • Store S and H(P + S), where S, called salt, is different for each user

  13. Salting Example • A’s password is “13524”; B’s password is “13524” • A’s salt is “ABC”; B’s salt is “DEF” • The hash of A’s salted password is “1663az78fz” • System stores “A, ABC, 1663az78fz” • The hash of B’s salted password is “v134c27a8” • System stores “B, DEF, v134c27a8” • A logs on. Sends user “A”, password “13524” • System looks up A’s salt, hashes salted password, compares with stored salted password • Someone who discovers A’s salted password can’t use it • Can’t tell that A and B have the same password

  14. Nonce to Prevent Replay Attack • Time-dependent value used in challenge-response protocols to prevent replay attack • Random numbers, timestamps • System sends a nonce, e.g. “1992884665” • User sends a hash of username|password|nonce • System computes what the hash should be, verifies user • Replay fails since the nonce will be different when the attacker tries to gain access • Nonce: “for the nonce” means “for the time being,” “just for now”

  15. CODE SPACE (ALL POSSIBLE ENCRYPTED MESSAGES) MESSAGE SPACE (ALL POSSIBLE PLAINTEXT MESSAGES) • • “TRANSFER $5000 TO MY SAVINGS ACCOUNT” • MUST BE REVERSIBLE (BUT ONLY IF YOU KNOW THE SECRET) • • • • • • • “1822UX S4HHG7 803TG 0J71D2 MK8A36 18PN1” Cryptography

  16. CODE SPACE (ALL POSSIBLE ENCRYPTED MESSAGES) MESSAGE SPACE (ALL POSSIBLE PLAINTEXT MESSAGES) • • “TRANSFER $5000 TO MY SAVINGS ACCOUNT” • • • • • • • • “1822UX S4HHG7 803TG 0J71D2 MK8A36 18PN1” Cryptography ENCRYPTION IS SECURE IF ONLY AUTHORIZED PEOPLE KNOW HOW TO REVERSE IT ENCRYPTION IS ONE-TO-ONE AND REVERSIBLE EVERY CODE CORRESPONDS TO EXACTLY ONE MESSAGE

  17. The Encryption Process OBJECT: HIDE A MESSAGE (PLAINTEXT) BY MAKING IT UNREADABLE (CIPHERTEXT) UNREADABLE VERSION OFPLAINTEXT MATERIAL WE WANT TO KEEP SECRET MIGHT BE: TEXT DATAGRAPHICS AUDIO VIDEO SPREADSHEET . . . DATA TO THE ENCRYPTION ALGORITHM MATHEMATICAL SCRAMBLING PROCEDURE (TELLS HOW TO SCRAMBLE THIS PARTICULAR MESSAGE) SOURCE: STEIN, WEB SECURITY

  18. S P E C I A L T Y B D F G H J K M N O Q R U V W X Z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z C O N S U L T I N G D S R A V G H E R M EXAMPLE: Role of the Key in Cryptography • The key is a parameter to an encryption procedure • Procedure stays the same, but produces different results based on a given key NOTE: THIS METHOD IS NOT USED IN ANY REAL CRYPTOGRAPHY SYSTEM. IT IS AN EXAMPLE INTENDED ONLY TO ILLUSTRATE THE USE OF KEYS.

  19. Symmetric Encryption SAME KEY USED FOR BOTH ENRCYPTION AND DECRYPTION SENDER AND RECIPIENT MUST BOTH KNOW THE KEY THIS IS A WEAKNESS SOURCE: STEIN, WEB SECURITY

  20. “Symmetric”: same key for both encryption and decryption SENDER AND RECIPIENT MUST BOTH KNOW THE KEY THIS IS A WEAKNESS Symmetric Encryption SOURCE: WILLIAM STALLINGS

  21. Data Encryption Standard (DES) • Symmetric, key-based encryption-decryption standard. No public keys • Block cipher: operates on 64-bit blocks • Uses 56-bit key • 16 “rounds” -- key for each round is a 48-bit function of the original 56-bit key. Each key bit participates in an average of 14 rounds • Completely symmetric. Same algorithm decrypts. • Fast implementation in hardware: 1 gigabit/second

  22. Encryption “Rounds” Key K Key Expansion KE Round Keys k1 k2 k3 kn-2 kn-1 kn X r1 r2 r3 rn-2 rn-1 rn Y Encryption Rounds r1 … rn • Key K is expanded to a set of n round keyski • Input block X undergoes n rounds of operations (each operation is based on value of the nth round key), until it reaches the final round rn • Strength of algorithm: difficulty of going backwards from the intermediate result of round m+1 to round m without knowing the round key rm. SOURCE: MEL TSAI

  23. Classical Feistel Encryption Network SOURCE: WILLIAM STALLINGS

  24. DES Encryption SOURCE: WILLIAM STALLINGS

  25. One Round of DES SOURCE: WILLIAM STALLINGS

  26. Years To Crack Symmetric Encryption Key Length SOURCE: WILLIAM STALLINGS

  27. PLAINTEXT BLOCK 2 PLAINTEXT BLOCK 1   INITIALIZATION STRING etc. DES DES CIPHERTEXT BLOCK 2 CIPHERTEXT BLOCK 1 Cipher Block Chaining Example • In ECB mode, the same input text always produces the same output. This creates risk of partial decryption.

  28. Triple DES • Security can be increased by encrypting multiple times with different keys • Double DES is not much more secure than single DES because of a “meet-in-the-middle” attack • If K1 = K2 = K3 this is just single DES K1 K2 K3 DES ENCRYPT DES DECRYPT DES ENCRYPT CIPHERTEXTBLOCK 1 PLAINTEXTBLOCK 1

  29. AES, the DES Replacement • AES = Advanced Encryption Standard • DES has weaknesses: • slow (by modern standards) • weak (can be broken by fast computers) • NIST ran a competition to replace DES • Winner: Rijndael, invented by Vincent Rijmen and Joan Daeman • No patenting allowed • Round block cipher of similar structure to DES but faster, more secure

  30. Rijndael kn ByteSub ShiftRow MixColumn AddRoundKey Result from round n-1 Pass to round n+1 Detailed view of round n • Each round consists of: • ByteSub: each 8 bits of input is replaced with a different 8 bits • ShiftRow: each row of the block matrix is cyclically shifted • MixColumn • AddRoundKey SOURCE: MEL TSAI

  31. Rijndael • Allows 128, 192, and 256-bit key sizes • Variable block length: 128, 192, or 256 bits. All nine combinations of key/block length possible. • A block is the smallest data size the algorithm will encrypt • VERY FAST, much faster than DES • Software: 8416 bytes/sec on a 20MHz 8051 • Software: 53 Mbytes/sec on a 800MHz Pentium • Hardware: currently up to 25 Gbps

  32. Major Ideas • SHA is the most important hash function • SHA has not been cracked (reversed) • Encryption algorithms are complex • must be studied carefully (by cryptographers) • subject to sophisticated attacks • Symmetric encryption is fast • DES is not secure • DES family being replaced with Rijndael • Salting defends against dictionary attacks • Nonces defend against replay attacks

  33. Q A &

  34. Meet-in-the-Middle Attack • Exhaustive search for keys to crack 2DES would seem to require testing 2112 keys • Start with (m, c), a plaintext/ciphertext pair • Encrypt a two-block plaintext m with all possible 256 single DES keys k1; sort the resulting pairs (k1, cmiddle) • Decrypt the 2-block ciphertext c with all possible 256 single DES keys k2; for each result cmiddle, check to see whether it occurs in the sorted list • If so, (k1, k2) is a possible key. enc2DES((k1, k2),m) = encDES(k2, encDES(k1,m)) = encDES(k2, cmiddle1) = c • This only requires testing 256 keys (and sorting them)

More Related