Information Security Frank Yeong-Sung Lin Department of Information Management National Taiwan University

Download Presentation

Information Security Frank Yeong-Sung Lin Department of Information Management National Taiwan University

Loading in 2 Seconds...

- 133 Views
- Uploaded on
- Presentation posted in: General

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

EMBA 2009 – Information Systems and Applications

Lecture II

Information security can be roughly divided into 4 areas:

- Secrecy: keep information unrevealed
- Authentication: determine the identity of whom you are talking to
- Nonrepudiation: make sure that someone cannot deny the things he/she had done
- Integrity control: make sure the message you received has not been modified

Information security functionality can be distributed across several protocol layers:

- Physical layer: protect transmission link from wire tapping
- Data link layer: link encryption
- Network layer: firewall, packet filter
- Application layer: authentication, non-repudiation, integrity control, (and secrecy/confidentiality)

A number of essential concepts to begin with:

- Risk management
- threats, vulnerabilities, assets, damages and probabilities
- balancing acts
- all cryptosystems may be compromised

- Notion of chains (Achilles' heel)
- Notion of buckets (products, policies, processes and people)
- Defense in-depth
- Average vs. worst cases
- Backup, restoration and contingency plans

Passive intruder (listens only)

Active intruder (alters message)

- The model depends on a stable public algorithm and a key
- The work factor for breaking the system by exhaustive search of the key space is exponential in the key length
- Two categories: Substitution ciphers vs. transposition ciphers

DK( EK( P)) = P

Plaintext P

EK( P)

Encryption

Decryption

key K

key K

- Simplified model of traditional cryptography

- Model of traditional cryptography

- Caesar cipher
- Every letter is shifted by k positions, e.g., k = 3 and “a” becomes “D”, b becomes “E”, …
- For example, “attack” becomes “DWDDFN”

- Every letter is shifted by k positions, e.g., k = 3 and “a” becomes “D”, b becomes “E”, …
- Mono-alphabetic substitution

Plaintext: abcdefghijklmnopqrstuvwxyz

ciphertext: QWERTYUIOPASDFGHJKLZXCVBNM

- The key space is 26! » 4x1026
- Still the cipher may be broken easily by taking advantage of the frequency statistics of English text (e.g., e, a, th, er, and, the appear very often)

- Relative frequency of letters in English text

M E G A B U C K

7 4 5 1 2 8 3 6

p l e a s e t r

a n s f e r o n

e m i l l i o n

d o l l a r s t

o m y s w i s s

b a n k a c c o

u n t s i x t w

o t w o a b c d

- Plaintext is written horizontally, while the ciphertext is read out by column, starting with the lowest key column
- To break the transposition cipher
- guess a probable word or phrase (e.g., milliondollars)
- try to determine the key length, then order the columns

- Another related example regarding Newton

Plaintext

pleasetransferonemilliondollarsto

myswissbankaccountsixtwotwo

Ciphertext

AFLLSKSOSELAWAIATOOSSCTCLNMOMANT

ESILYNTWRNNTSOWDPAEDOBUOERIRICXB

- Chinese poems
- Clubs and leather stripes
- Invisible ink (steganography in general)
- Books
- Code books
- Enigma
- XOR
- Ej/vu3z8h96

- First principle
- All encrypted messages must contain redundancy to prevent active intruders from tricking the receiver into acting on a false message
- However, the same redundancy makes it easier for passive intruders to break the system

- Second principle
- Some measures must be taken to prevent active intruders from playing old messages, e.g., use time stamp to
- filter out duplicate messages within a certain time
- incoming messages that are too old are discarded

- Some measures must be taken to prevent active intruders from playing old messages, e.g., use time stamp to

Encoder: 8 to 3

Decoder: 3 to 8

S1

S5

S2

S6

P1

P2

P3

S3

S7

S4

S8

- Consists of sequence of transpositions and substitutions

S-box (Substitution)

Product cipher

P-box

(Permutation)

- Plaintext is encrypted in blocks of 64 bits
- DES is basically a mono-alphabetic substitution cipher using a 64-bit character

64 bit plaintext

Li-1

Ri-1

Initial transposition

K1

Iteration 1

56-bit key

K16

Li-1 Å f(Ri-1, Ki)

Iteration 16

32 bit swap

Inverse transposition

32 bits Li

32 bits Ri

64 bit ciphertext

- DES may be vulnerable to active intruders

Name

Bonus

Leslie

$0000010

Intruder may copy the block to one row above

Kimberly

$0100000

8 bytes

8 bytes

- DES chaining

P0

P1

P2

P3

C0

C1

C2

C3

IV

#

#

#

#

D

D

D

D

Exclusive

OR

Key

#

#

#

#

E

E

E

E

C0

C1

C2

C3

P0

P1

P2

P3

- Exhaustive search of key space = 256» 7x1016
- can use multiple computers to do search in parallel

- Running DES twice consecutively with two different 56-bit keys creates a key space of 2112» 5x1033
- but it still can be broken by the “meet-in-the-middle” attack in Q (257) time, because

Ci = EK2 (EK1 (Pi)) DK2(Ci) = EK1(Pi)

- Using EDE (2 encryption and 1 decryption) instead of EEE is for backward compatibility (when K1 = K2) with single-stage DES system
- Using EEE with 3 different keys is basically unbreakable nowadays

K1

K2

K1

K1

K2

K1

P

C

C

P

E

D

E

D

E

D

Encryption

Decryption

- Encryption (E) and Decryption (D) algorithms must meet the following requirements
- E and D are different
- D(E(P)) = P
- It is exceedingly difficult to deduce D from E

- Everyone has a pair of keys: public key (E) and private key (D)
- Public key is made known to the world
- Private key is to be kept private all the time

A

B

P1

EB(P1)

DB(EB(P1)) = P1

EB

DB

DA(EA(P2)) = P2

EA(P2)

P2

DA

EA

- Requirements for PKC
- easy for B (receiver) to generate KUb and KRb
- easy for A (sender) to calculate C = EKUb(M)
- easy for B to calculate M = DKRb(C) = DKRb(EKUb(M))
- infeasible for an opponent to calculate KRb from KUb
- infeasible for an opponent to calculate M from Cand KUb
- (useful but not necessary) M = DKRb(EKUb(M)) = EKUb(DKRb(M)) (true for RSA and good for authentication)

- The idea of PKC was first proposed by Diffie and Hellman in 1976.
- Two keys (public and private) are needed.
- The difficulty of calculating f-1 is typically facilitated by
- factorization of large numbers
- resolution of NP-completeness
- calculation of discrete logarithms

- High complexity confines PKC to key management and signature applications

- Comparison between conventional and public-key encryption

- Applications for PKC
- encryption/decryption
- digital signature
- key exchange

- Developed by Rivest, Shamir, and Adleman at MIT in 1978
- First compute the following parameters
- Choose two large primes, p and q (typically > 10100)
- Compute n = pxq and z = (p-1)x(q-1)
- Choose d, which is a number relatively prime to z
- Find e such that (exd) mod z = 1

- Divide the plaintext into blocks of k bits, where 2k < n
- To encrypt P, compute C = Pe mod n
- To decrypt C, compute P = Cd mod n
- Public key = (e, n), private key = (d, n)

- Format’s Little Theorem: If p is prime and a is a positive integer not divisible by p, then
a p-1 1 mod p.

Example: a = 7, p = 19

72 = 49 11 mod 19

74 = 121 7 mod 19

78 = 49 11 mod 19

716 = 121 7 mod 19

a p-1 = 718 = 716+2 711 1 mod 19

- Example 1
- Select two prime numbers, p = 7 and q = 17.
- Calculate n = p q = 717 = 119.
- Calculate Φ(n) = (p-1)(q-1) = 96.
- Select e such that e is relatively prime to Φ(n) = 96 and less than Φ(n); in this case, e = 5.
- Determine d such that d e = 1 mod 96 and d < 96.The correct value is d = 77, because 775 = 385 = 496+1.

- The security of RSA
- brute force: This involves trying all possible private keys.
- mathematical attacks: There are several approaches, all equivalent in effect to factoring the product of two primes.
- timing attacks: These depend on the running time of the decryption algorithm.

- To avoid brute force attacks, a large key space is required.
- To make n difficult to factor
- p and q should differ in length by only a few digits (both in the range of 1075 to 10100)
- both (p-1) and (q-1) should contain a large prime factor
- gcd(p-1,q-1) should be small
- should avoid e < n and d < n1/4

- To make n difficult to factor (cont’d)
- p and q should best be strong primes, where p isa strong prime if
- there exist two large primes p1 and p2 such that p1|p-1 and p2|p+1
- there exist four large primes r1, s1, r2 and s2 such that r1|p1-1, s1|p1+1, r2|p2-1 and s2|p2+1

- e should not be too small, e.g. for e = 3 and C = M3 mod n, if M3 < n then M can be easily calculated

- p and q should best be strong primes, where p isa strong prime if

- Major threats
- the continuing increase in computing power (100 or even 1000 MIPS machines are easily available)
- continuing refinement of factoring algorithms (from QS to GNFS and to SNFS)

- The security of RSA is based on the difficulty of factoring large numbers
- It takes 4x109 years for factoring a 200-digit number
- It takes 1025 years for factoring a 500-digit number

- RSA is too slow to actually encrypt large volumes of data, so it is primarily used for distributions of one-time session key for use with DES algorithms

- For the same length of keys, faster than RSA
- For the same degree of security, shorter keys are required than RSA
- Standardized in IEEE P1363
- Confidence level not yet as high as that in RSA
- Much more difficult to explain than RSA

- Computational effort for cryptanalysis of elliptic curve cryptography compared to RSA

- The distribution of public keys
- public announcement
- publicly available directory
- public-key authority
- public-key certificates

- The use of public-key encryption to distribute secret keys
- simple secret key distribution
- secret key distribution with confidentiality and authentication

- Public announcement

- Public announcement (cont’d)
- advantages: convenience
- disadvantages: forgery of such a public announcement by anyone

- Publicly available directory

- Publicly available directory (cont’d)
- elements of the scheme
- {name, public key} entry for each participant in the directory
- in-person or secure registration
- on-demand entry update
- periodic publication of the directory
- availability of secure electronic access from the directory to participants

- advantages: greater degree of security

- elements of the scheme

- Publicly available directory (cont’d)
- disadvantages
- need of a trusted entity or organization
- need of additional security mechanism from the directory authority to participants
- vulnerability of the private key of the directory authority (global-scaled disaster if the private key of the directory authority is compromised)
- vulnerability of the directory records

- disadvantages

- Public-key authority

- Public-key authority (cont’d)
- stronger security for public-key distribution can be achieved by providing tighter control over the distribution of public keys from the directory
- each participant can verify the identity of the authority
- participants can verify identities of each other
- disadvantages
- bottleneck effect of the public-key authority
- vulnerability of the directory records

- Public-key certificates

- Public-key certificates (cont’d)
- to use certificates that can be used by participants to exchange keys without contacting a public-key authority
- requirements on the scheme
- any participant can read a certificate to determine the name and public key of the certificate’s owner
- any participant can verify that the certificate originated from the certificate authority and is not counterfeit
- only the certificate authority can create & update certificates
- any participant can verify the currency of the certificate

- Public-key certificates (cont’d)
- advantages
- to use certificates that can be used by participants to exchange keys without contacting a public-key authority
- in a way that is as reliable as if the key were obtained directly from a public-key authority
- no on-line bottleneck effect

- disadvantages: need of a certificate authority

- advantages

- Simple secret key distribution

- Simple secret key distribution (cont’d)
- advantages
- simplicity
- no keys stored before and after the communication
- security against eavesdropping

- disadvantages
- lack of authentication mechanism between participants
- vulnerability to an active attack (opponent active only in the process of obtaining Ks)
- leak of the secret key upon such active attacks

- advantages

- Secret key distribution with confidentiality and authentication

- Secret key distribution with confidentiality and authentication (cont’d)
- provides protection against both active and passive attacks
- ensures both confidentiality and authentication in the exchange of a secret key
- public keys should be obtained a priori
- more complicated

- First public-key algorithm published
- Limited to key exchange
- Dependent for its effectiveness on the difficulty of computing discrete logarithm

- Diffie-Hellman key exchange
- n, g: large prime number with additional conditions
- n and g may be made public

- x, y: large (say, 512-bit) numbers

- n, g: large prime number with additional conditions

1

n, g, gx mod n

Alice

Bob computes (gx mod n)y

= gxy mod n

Bob

Alice computes (gy mod n)x

= gxy mod n

2

gy mod n

- gxy mod n = the secret key
- it is very difficult to find x given gx mod n

- Define a primitive root of of a prime number p as one whose powers generate all the integers from 1 to p-1.
- If a is a primitive root of the prime number p, then the numbers
a mod p, a2 mod p, …, ap-1 mod p

are distinct and consists of the integers from 1 to p-1 in some permutation.

- Not every number has a primitive root.

- For any integer b and a primitive root a of prime number p, one can find a unique exponent i such that
b = ai mod p, where 0 i (p-1).

- The exponent is referred to as the discrete algorithm, or index, of b for the base a, mod p.
- This value is denoted as inda,p(b).

- Example:
q = 97 and a primitive root a = 5 is selected.

XA = 36 and XB = 58 (both 97).

YA = 536 = 50 mod 97 and

YB = 558 = 44 mod 97.

K = (YB) XA mod 97 = 4436 mod 97 = 75 mod 97.

K = (YA) XB mod 97 = 5058 mod 97 = 75 mod 97.

75 cannot easily be computed by the opponent.

- How the algorithm works

- q, a, YA and YB are public.
- To attack the secrete key of user B, the opponent must compute
XB = inda,q(YB). [YB = aXB mod q.]

- The effectiveness of this algorithm therefore depends on the difficulty of solving discrete logarithm.

- Bucket brigade attack

Alice

picks x

Trudy

picks z

Bob

picks y

1

n, g, gx mod n

2

n, g, gz mod n

Trudy

Alice

Bob

3

gz mod n

4

gy mod n

- (gxz mod n) becomes the secret key between Alice and Trudy, while (gyz mod n) becomes the secret key between Trudy and Bob

- Authorization
- verifies what a process is permitted to do

- Authentication
- verifies the identity of the process that you are talking to
- public and private keys are used for authentication, and for establishing the session key (a secret key)
- all data communicated is then encrypted using secret key cryptography

- Challenge-response protocol

1

A

Challenge

2

Response

RB

KAB = shared secret key between Alice and Bob

KAB(RB)

3

Challenge

Alice

After step 3, Bob verifies Alice’s identity

Bob

4

Response

RA

KAB(RA)

5

Session key if needed

After step 5, Alice verifies Bob’s identity

KAB(KS)

6

- Can we reduce the number of messages exchanged, e.g.,

Challenge

A, RA

1

Response/

Challenge

RB, KAB(RA)

Alice

Bob

2

Response

KAB(RB)

3

- Only three, instead of five, messages are exchanged

- The shortened protocol can be defeated by a reflection attack

A, RT

1

RB, KAB(RT)

First session

2

Trudy

A, RB

3

Bob

Second session

4

RB2, KAB(RB)

KAB(RB)

5

First session

- Need a trusted Key Distribution Center (KDC)
- Wide-mouth frog: simplest KDC authentication protocol

1

A, KA(B, KS)

Alice

KDC

2

Bob

KB(A, KS)

- Replay attack
- an intruder can just replay message 2 (and any following messages) to Bob later, and Bob has no way to tell if it is a second connection from Alice

- Assume both sides already know each other’s public keys
- This is not a trivial assumption as explained previously

EB(A, RA)

1

EA(RA, RB, KS)

Alice

Bob

2

Alice verified Bob’s identity

Ks(RB)

3

Bob verified Alice’s identity

- What is needed is a system by which one party can send a “signed” message to another party such that
- The receiver can verify the claimed identity of the sender
- The sender cannot later repudiate the contents of the message
- The receiver cannot possibly have concocted the message itself

- Assumes a central authority, say Big Brother (BB), that knows everyone’s secret key

A, KA(B, RA, t, P)

Alice

Bob

BB

KB(A, RA, t, P, KBB(A, t, P))

- Bob has KBB(A, t, P), which is proof that Alice sent message P at time t
- To guard against replaying attack
- A message is discarded if its timestamp is too old
- For a recent message, it is discarded if RA is duplicate

- Assumes both D(E(P)) = P and E(D(P)) = P (RSA algorithm has such property)

Alice’s computer

Alice’s

private key

DA

Bob’s

public key

EB

EB(DA(P))

DA(P)

P

Bob’s computer

Transmission

line

Bob’s

private key

DB

Alice’s

public key

EA

DA(P)

P

- Bob has P and DA(P), which is proof that Alice sent P

- It is often desirable to send signed plaintext documents because encrypting the complete document may take too much time
- Message Digest (MD): hash plaintext to a fixed-length bit string such that
- Given P, it is easy to compute MD(P)
- Given MD(P), it is effectively impossible to find P
- No one can generate two messages that have the same message digest

m bits

P

MD(P)

- Public-key message digest

P, DA(MD(P))

Alice

Bob

- Most widely used message digest functions
- MD5
- SHA (Secure Hash Algorithm)

- An m-bit MD system may be possibly broken in Q (2m/2) time (referred as birthday attack in text)

- What do you think are the major security threats in the Internet? What are possible measures and strategies to address such threats?
- What products, policies and processes of your company are worth recommending?