Information Security Frank Yeong-Sung Lin Department of Information Management National Taiwan University


EMBA 2009 – Information Systems and Applications

Lecture II

Information Security

Information security can be roughly divided into 4 areas:

  • Secrecy: keep information unrevealed
  • Authentication: determine the identity of whom you are talking to
  • Nonrepudiation: make sure that someone cannot deny the things he/she had done
  • Integrity control: make sure the message you received has not been modified
Information Security (cont’d)

Information security functionality can be distributed across several protocol layers:

  • Physical layer: protect transmission link from wire tapping
  • Data link layer: link encryption
  • Network layer: firewall, packet filter
  • Application layer: authentication, non-repudiation, integrity control, (and secrecy/confidentiality)
Information Security (cont’d)

A number of essential concepts to begin with:

  • Risk management
    • threats, vulnerabilities, assets, damages and probabilities
    • balancing acts
    • all cryptosystems may be compromised
  • Notion of chains (Achilles' heel)
  • Notion of buckets (products, policies, processes and people)
  • Defense in depth
  • Average vs. worst cases
  • Backup, restoration and contingency plans
Traditional Cryptography

  • The model depends on a stable public algorithm and a key
  • The work factor for breaking the system by exhaustive search of the key space is exponential in the key length
  • Two categories: Substitution ciphers vs. transposition ciphers

[Figure: the encryption model. Plaintext P is encrypted with key K to give the ciphertext $E_K(P)$; decryption with key K recovers the plaintext, $D_K(E_K(P)) = P$. A passive intruder only listens; an active intruder alters messages.]

Traditional Cryptography (cont’d)
  • Simplified model of traditional cryptography
Traditional Cryptography (cont’d)
  • Model of traditional cryptography
Substitution Cipher
  • Caesar cipher
    • Every letter is shifted by k positions, e.g., with k = 3, “a” becomes “D”, “b” becomes “E”, …
      • For example, “attack” becomes “DWWDFN”
  • Mono-alphabetic substitution

Plaintext:  abcdefghijklmnopqrstuvwxyz

Ciphertext: QWERTYUIOPASDFGHJKLZXCVBNM

  • The key space is $26! \approx 4 \times 10^{26}$
  • Still, the cipher may be broken easily by taking advantage of the frequency statistics of English text (e.g., e, a, th, er, and, the appear very often)
Substitution Cipher (cont’d)
  • Relative frequency of letters in English text
Transposition Ciphers

    M E G A B U C K
    7 4 5 1 2 8 3 6
    p l e a s e t r
    a n s f e r o n
    e m i l l i o n
    d o l l a r s t
    o m y s w i s s
    b a n k a c c o
    u n t s i x t w
    o t w o a b c d

  • Plaintext is written horizontally, while the ciphertext is read out by column, starting with the lowest key column
  • To break the transposition cipher
    • guess a probable word or phrase (e.g., milliondollars)
    • try to determine the key length, then order the columns
  • Another related example regarding Newton

Plaintext: pleasetransferonemilliondollarstomyswissbankaccountsixtwotwo

Ciphertext: AFLLSKSOSELAWAIATOOSSCTCLNMOMANTESILYNTWRNNTSOWDPAEDOBUOERIRICXB

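The MEGABUCK table above, worked through in code. This is an added example, not part of the original slides; the function names are chosen here, and the pad letters "abcd" follow the last row of the slide's table.

```python
# Columnar transposition with the slide's key and plaintext.

def column_order(key):
    """Column indices in read-out order: alphabetical by key letter.

    sorted() is stable, so repeated key letters are taken left to right.
    """
    return sorted(range(len(key)), key=lambda i: key[i])

def encrypt(plaintext, key, pad="abcdefghijklmnopqrstuvwxyz"):
    cols = len(key)
    text = plaintext.replace(" ", "").lower()
    # Pad the last row so that every column has the same height.
    text += pad[:(-len(text)) % cols]
    rows = [text[i:i + cols] for i in range(0, len(text), cols)]
    # Read the grid column by column, lowest key letter first.
    return "".join(row[c] for c in column_order(key) for row in rows).upper()

def decrypt(ciphertext, key):
    cols = len(key)
    height = len(ciphertext) // cols
    grid = [[""] * cols for _ in range(height)]
    # The n-th chunk of the ciphertext is the column with the n-th lowest letter.
    for n, c in enumerate(column_order(key)):
        chunk = ciphertext[n * height:(n + 1) * height]
        for r, ch in enumerate(chunk):
            grid[r][c] = ch
    return "".join("".join(row) for row in grid).lower()

KEY = "MEGABUCK"
PLAINTEXT = "pleasetransferonemilliondollarstomyswissbankaccountsixtwotwo"

if __name__ == "__main__":
    ct = encrypt(PLAINTEXT, KEY)
    print(ct)
    print(decrypt(ct, KEY))
```

The receiver gets the plaintext back with the four pad letters still attached, so the two sides must agree on how padding is recognised and removed.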

Other Interesting Ciphers
  • Chinese poems
  • Clubs and leather stripes
  • Invisible ink (steganography in general)
  • Books
  • Code books
  • Enigma
  • XOR
  • Ej/vu3z8h96
Two Fundamental Cryptographic Principles
  • First principle
    • All encrypted messages must contain redundancy to prevent active intruders from tricking the receiver into acting on a false message
    • However, the same redundancy makes it easier for passive intruders to break the system
  • Second principle
    • Some measures must be taken to prevent active intruders from playing back old messages, e.g., use a timestamp so that
      • duplicate messages within a certain time are filtered out
      • incoming messages that are too old are discarded
Secret-Key Algorithms
  • Consist of a sequence of transpositions and substitutions

[Figure: basic elements of product ciphers. P-box (permutation); S-box (substitution), with a 3-to-8 decoder and an 8-to-3 encoder; product cipher combining P-boxes P1 to P3 with S-boxes S1 to S8.]


Data Encryption Standard (DES)
  • Plaintext is encrypted in blocks of 64 bits
  • DES is basically a mono-alphabetic substitution cipher using a 64-bit character

[Figure: DES outline. 64-bit plaintext → initial transposition → iteration 1 (K1) … iteration 16 (K16), with the round keys taken from the 56-bit key → 32-bit swap → inverse transposition → 64-bit ciphertext. Detail of one iteration: the inputs $L_{i-1}$ and $R_{i-1}$ produce the 32-bit outputs $L_i$ and $R_i$, using $L_{i-1} \oplus f(R_{i-1}, K_i)$.]


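DES Chaining
  • DES may be vulnerable to active intruders

    Name (8 bytes)    Bonus (8 bytes)
    Leslie            $0000010
    Kimberly          $0100000

    Intruder may copy the block to one row above

  • DES chaining

[Figure: cipher block chaining. Encryption: each plaintext block P0 to P3 is XORed (#) with the previous ciphertext block (the IV for P0) and then encrypted (E) with the key, giving C0 to C3. Decryption: each ciphertext block C0 to C3 is decrypted (D) with the key and then XORed (#) with the previous ciphertext block (the IV for C0), giving P0 to P3.]
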
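The block-copy problem and the effect of chaining, as an added example that is not part of the original slides. The Python standard library has no DES, so a 4-round Feistel cipher built on SHA-256 stands in for it (an assumption of this example, not a real cipher to deploy); the key, IV and helper names are constructed.

```python
import hashlib

BLOCK = 8  # bytes per block, the same block size as DES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(half, key, rnd):
    # Round function of the stand-in cipher (NOT DES): truncated keyed hash.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def enc_block(block, key):
    left, right = block[:4], block[4:]
    for rnd in range(4):                       # 4 Feistel rounds
        left, right = right, _xor(left, _f(right, key, rnd))
    return left + right

def dec_block(block, key):
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):             # undo the rounds in reverse
        left, right = _xor(right, _f(left, key, rnd)), left
    return left + right

def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(pt, key):
    return b"".join(enc_block(b, key) for b in _blocks(pt))

def ecb_decrypt(ct, key):
    return b"".join(dec_block(b, key) for b in _blocks(ct))

def cbc_encrypt(pt, key, iv):
    out, prev = [], iv
    for b in _blocks(pt):
        prev = enc_block(_xor(b, prev), key)   # chain in previous ciphertext
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ct, key, iv):
    out, prev = [], iv
    for b in _blocks(ct):
        out.append(_xor(dec_block(b, key), prev))
        prev = b
    return b"".join(out)

def copy_bonus_up(ct):
    # Block 1 holds Leslie's bonus, block 3 holds Kimberly's bonus.
    blocks = _blocks(ct)
    blocks[1] = blocks[3]
    return b"".join(blocks)

# Constructed sample data: the two records from the slide, 8 bytes per field.
KEY = b"demo-key"
IV = bytes(range(8))
RECORDS = b"Leslie  " + b"$0000010" + b"Kimberly" + b"$0100000"

def leslie_bonus_after_tamper(mode):
    """Decrypt the file after the block copy and return Leslie's bonus field."""
    if mode == "ecb":
        return ecb_decrypt(copy_bonus_up(ecb_encrypt(RECORDS, KEY)), KEY)[8:16]
    return cbc_decrypt(copy_bonus_up(cbc_encrypt(RECORDS, KEY, IV)), KEY, IV)[8:16]

if __name__ == "__main__":
    print("block-by-block:", leslie_bonus_after_tamper("ecb"))
    print("chained:       ", leslie_bonus_after_tamper("cbc"))
```

With chaining the copied block decrypts to noise instead of a valid bonus, but chaining alone does not tell the receiver that the file was modified; that takes an integrity check such as the message digests discussed later.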

Breaking DES
  • Exhaustive search of key space = $2^{56} \approx 7 \times 10^{16}$
    • can use multiple computers to do search in parallel
  • Running DES twice consecutively with two different 56-bit keys creates a key space of $2^{112} \approx 5 \times 10^{33}$
    • but it still can be broken by the “meet-in-the-middle” attack in $\Theta(2^{57})$ time, because

$C_i = E_{K_2}(E_{K_1}(P_i)) \Rightarrow D_{K_2}(C_i) = E_{K_1}(P_i)$

Triple DES Encryption
  • Using EDE (2 encryptions and 1 decryption) instead of EEE is for backward compatibility (when K1 = K2) with single-stage DES systems
  • Using EEE with 3 different keys is basically unbreakable nowadays

[Figure: triple DES with two keys. Encryption: P → E (K1) → D (K2) → E (K1) → C. Decryption: C → D (K1) → E (K2) → D (K1) → P.]


Public-Key Algorithms
  • Encryption (E) and Decryption (D) algorithms must meet the following requirements
    • E and D are different
    • D(E(P)) = P
    • It is exceedingly difficult to deduce D from E
  • Everyone has a pair of keys: public key (E) and private key (D)
    • Public key is made known to the world
    • Private key is to be kept private all the time

[Figure: A and B exchanging messages. A encrypts P1 with B's public key and sends $E_B(P_1)$; B recovers $D_B(E_B(P_1)) = P_1$. B encrypts P2 with A's public key and sends $E_A(P_2)$; A recovers $D_A(E_A(P_2)) = P_2$.]


Principles of Public-Key Cryptosystems (cont’d)
  • Requirements for PKC
    • easy for B (receiver) to generate $KU_b$ and $KR_b$
    • easy for A (sender) to calculate $C = E_{KU_b}(M)$
    • easy for B to calculate $M = D_{KR_b}(C) = D_{KR_b}(E_{KU_b}(M))$
    • infeasible for an opponent to calculate $KR_b$ from $KU_b$
    • infeasible for an opponent to calculate M from C and $KU_b$
    • (useful but not necessary) $M = D_{KR_b}(E_{KU_b}(M)) = E_{KU_b}(D_{KR_b}(M))$ (true for RSA and good for authentication)
Principles of Public-Key Cryptosystems (cont’d)
  • The idea of PKC was first proposed by Diffie and Hellman in 1976.
  • Two keys (public and private) are needed.
  • The difficulty of calculating $f^{-1}$ is typically facilitated by
    • factorization of large numbers
    • resolution of NP-completeness
    • calculation of discrete logarithms
  • High complexity confines PKC to key management and signature applications
Principles of Public-Key Cryptosystems (cont’d)
  • Comparison between conventional and public-key encryption
Principles of Public-Key Cryptosystems (cont’d)
  • Applications for PKC
    • encryption/decryption
    • digital signature
    • key exchange
RSA Algorithms
  • Developed by Rivest, Shamir, and Adleman at MIT in 1978
  • First compute the following parameters
    • Choose two large primes, p and q (typically $> 10^{100}$)
    • Compute $n = p \times q$ and $z = (p-1) \times (q-1)$
    • Choose d, which is a number relatively prime to z
    • Find e such that $(e \times d) \bmod z = 1$
  • Divide the plaintext into blocks of k bits, where $2^k < n$
    • To encrypt P, compute $C = P^e \bmod n$
    • To decrypt C, compute $P = C^d \bmod n$
    • Public key = (e, n), private key = (d, n)
The RSA Algorithm (cont’d)
  • Fermat’s Little Theorem: If p is prime and a is a positive integer not divisible by p, then

$a^{p-1} \equiv 1 \bmod p$.

Example: a = 7, p = 19

$7^2 = 49 \equiv 11 \bmod 19$

$7^4 \equiv 121 \equiv 7 \bmod 19$

$7^8 \equiv 49 \equiv 11 \bmod 19$

$7^{16} \equiv 121 \equiv 7 \bmod 19$

$a^{p-1} = 7^{18} = 7^{16+2} \equiv 7 \times 11 \equiv 1 \bmod 19$

The RSA Algorithm (cont’d)
  • Example 1
    • Select two prime numbers, p = 7 and q = 17.
    • Calculate $n = p \times q = 7 \times 17 = 119$.
    • Calculate $\Phi(n) = (p-1)(q-1) = 96$.
    • Select e such that e is relatively prime to $\Phi(n) = 96$ and less than $\Phi(n)$; in this case, e = 5.
    • Determine d such that $d \times e \equiv 1 \bmod 96$ and d < 96. The correct value is d = 77, because $77 \times 5 = 385 = 4 \times 96 + 1$.
The RSA Algorithm (cont’d)
  • The security of RSA
    • brute force: This involves trying all possible private keys.
    • mathematical attacks: There are several approaches, all equivalent in effect to factoring the product of two primes.
    • timing attacks: These depend on the running time of the decryption algorithm.
The RSA Algorithm (cont’d)
  • To avoid brute force attacks, a large key space is required.
  • To make n difficult to factor
    • p and q should differ in length by only a few digits (both in the range of $10^{75}$ to $10^{100}$)
    • both (p-1) and (q-1) should contain a large prime factor
    • gcd(p-1, q-1) should be small
    • should avoid $e < n$ and $d < n^{1/4}$
The RSA Algorithm (cont’d)
  • To make n difficult to factor (cont’d)
    • p and q should best be strong primes, where p is a strong prime if
      • there exist two large primes $p_1$ and $p_2$ such that $p_1 \mid p-1$ and $p_2 \mid p+1$
      • there exist four large primes $r_1$, $s_1$, $r_2$ and $s_2$ such that $r_1 \mid p_1-1$, $s_1 \mid p_1+1$, $r_2 \mid p_2-1$ and $s_2 \mid p_2+1$
    • e should not be too small, e.g. for e = 3 and $C = M^3 \bmod n$, if $M^3 < n$ then M can be easily calculated
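Example 1 and the small-e caveat above, carried through in code. This is an added example, not part of the original slides; the message values 19 and 42 and the primes 1019 and 1013 are constructed for illustration, and the function names are chosen here.

```python
from math import gcd

def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def make_keys(p, q, e):
    """Textbook RSA key pair from primes p, q (primality is assumed, not checked)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = egcd(e, phi)[1] % phi          # d * e = 1 (mod phi)
    return (e, n), (d, n)

def crypt(m, key):
    """C = M^e mod n with the public key, or M = C^d mod n with the private key."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("block must be smaller than n")
    return pow(m, exp, n)

def iroot(c, e):
    """Largest integer r with r**e <= c, by binary search."""
    lo, hi = 0, 1
    while hi ** e <= c:
        hi *= 2
    while hi - lo > 1:                 # invariant: lo**e <= c < hi**e
        mid = (lo + hi) // 2
        if mid ** e <= c:
            lo = mid
        else:
            hi = mid
    return lo

def recover_unreduced(c, e):
    """If M^e < n no reduction happened, so C is an exact e-th power: return M."""
    r = iroot(c, e)
    return r if r ** e == c else None

def wraps_modulus(m, e, n):
    """Sender-side check: True only when M^e >= n, i.e. 'mod n' has an effect."""
    return m ** e >= n

if __name__ == "__main__":
    public, private = make_keys(7, 17, 5)       # the slide's Example 1
    c = crypt(19, public)
    print(public, private, c, crypt(c, private))
    weak_public, _ = make_keys(1019, 1013, 3)   # constructed primes, e = 3
    print(recover_unreduced(crypt(42, weak_public), 3))
```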
The RSA Algorithm (cont’d)
  • Major threats
    • the continuing increase in computing power (100 or even 1000 MIPS machines are easily available)
    • continuing refinement of factoring algorithms (from QS to GNFS and to SNFS)
RSA Algorithms (cont’d)
  • The security of RSA is based on the difficulty of factoring large numbers
    • It takes $4 \times 10^9$ years for factoring a 200-digit number
    • It takes $10^{25}$ years for factoring a 500-digit number
  • RSA is too slow to actually encrypt large volumes of data, so it is primarily used for distribution of one-time session keys for use with DES algorithms
Elliptic Curve Cryptography (ECC)
  • For the same length of keys, faster than RSA
  • For the same degree of security, shorter keys are required than RSA
  • Standardized in IEEE P1363
  • Confidence level not yet as high as that in RSA
  • Much more difficult to explain than RSA
Elliptic Curve Cryptography (cont’d)
  • Computational effort for cryptanalysis of elliptic curve cryptography compared to RSA
Key Management
  • The distribution of public keys
    • public announcement
    • publicly available directory
    • public-key authority
    • public-key certificates
  • The use of public-key encryption to distribute secret keys
    • simple secret key distribution
    • secret key distribution with confidentiality and authentication
Key Management (cont’d)
  • Public announcement
Key Management (cont’d)
  • Public announcement (cont’d)
    • advantages: convenience
    • disadvantages: forgery of such a public announcement by anyone
Key Management (cont’d)
  • Publicly available directory
Key Management (cont’d)
  • Publicly available directory (cont’d)
    • elements of the scheme
      • {name, public key} entry for each participant in the directory
      • in-person or secure registration
      • on-demand entry update
      • periodic publication of the directory
      • availability of secure electronic access from the directory to participants
    • advantages: greater degree of security
Key Management (cont’d)
  • Publicly available directory (cont’d)
    • disadvantages
      • need of a trusted entity or organization
      • need of additional security mechanism from the directory authority to participants
      • vulnerability of the private key of the directory authority (global-scaled disaster if the private key of the directory authority is compromised)
      • vulnerability of the directory records
Key Management (cont’d)
  • Public-key authority
Key Management (cont’d)
  • Public-key authority (cont’d)
    • stronger security for public-key distribution can be achieved by providing tighter control over the distribution of public keys from the directory
    • each participant can verify the identity of the authority
    • participants can verify identities of each other
    • disadvantages
      • bottleneck effect of the public-key authority
      • vulnerability of the directory records
Key Management (cont’d)
  • Public-key certificates
Key Management (cont’d)
  • Public-key certificates (cont’d)
    • to use certificates that can be used by participants to exchange keys without contacting a public-key authority
    • requirements on the scheme
      • any participant can read a certificate to determine the name and public key of the certificate’s owner
      • any participant can verify that the certificate originated from the certificate authority and is not counterfeit
      • only the certificate authority can create & update certificates
      • any participant can verify the currency of the certificate
Key Management (cont’d)
  • Public-key certificates (cont’d)
    • advantages
      • to use certificates that can be used by participants to exchange keys without contacting a public-key authority
      • in a way that is as reliable as if the key were obtained directly from a public-key authority
      • no on-line bottleneck effect
    • disadvantages: need of a certificate authority
Key Management (cont’d)
  • Simple secret key distribution
Key Management (cont’d)
  • Simple secret key distribution (cont’d)
    • advantages
      • simplicity
      • no keys stored before and after the communication
      • security against eavesdropping
    • disadvantages
      • lack of authentication mechanism between participants
      • vulnerability to an active attack (opponent active only in the process of obtaining Ks)
      • leak of the secret key upon such active attacks
Key Management (cont’d)
  • Secret key distribution with confidentiality and authentication
Key Management (cont’d)
  • Secret key distribution with confidentiality and authentication (cont’d)
    • provides protection against both active and passive attacks
    • ensures both confidentiality and authentication in the exchange of a secret key
    • public keys should be obtained a priori
    • more complicated
Diffie-Hellman Key Exchange
  • First public-key algorithm published
  • Limited to key exchange
  • Dependent for its effectiveness on the difficulty of computing discrete logarithm
Diffie-Hellman Key Exchange (cont’d)
  • Diffie-Hellman key exchange
    • n, g: large prime number with additional conditions
      • n and g may be made public
    • x, y: large (say, 512-bit) numbers

    1. Alice → Bob: n, g, $g^x \bmod n$
    2. Bob → Alice: $g^y \bmod n$

    Alice computes $(g^y \bmod n)^x = g^{xy} \bmod n$
    Bob computes $(g^x \bmod n)^y = g^{xy} \bmod n$

  • $g^{xy} \bmod n$ = the secret key
  • it is very difficult to find x given $g^x \bmod n$
Diffie-Hellman Key Exchange (cont’d)
  • Define a primitive root of a prime number p as one whose powers generate all the integers from 1 to p-1.
  • If a is a primitive root of the prime number p, then the numbers

$a \bmod p,\ a^2 \bmod p,\ \ldots,\ a^{p-1} \bmod p$

are distinct and consist of the integers from 1 to p-1 in some permutation.

  • Not every number has a primitive root.
Diffie-Hellman Key Exchange (cont’d)
  • For any integer b and a primitive root a of prime number p, one can find a unique exponent i such that

$b = a^i \bmod p$, where $0 \le i \le (p-1)$.

  • The exponent is referred to as the discrete logarithm, or index, of b for the base a, mod p.
  • This value is denoted as $\mathrm{ind}_{a,p}(b)$.
Diffie-Hellman Key Exchange (cont’d)
  • Example:

q = 97 and a primitive root a = 5 is selected.

$X_A = 36$ and $X_B = 58$ (both < 97).

$Y_A = 5^{36} \equiv 50 \bmod 97$ and

$Y_B = 5^{58} \equiv 44 \bmod 97$.

$K = (Y_B)^{X_A} \bmod 97 = 44^{36} \bmod 97 = 75 \bmod 97$.

$K = (Y_A)^{X_B} \bmod 97 = 50^{58} \bmod 97 = 75 \bmod 97$.

75 cannot easily be computed by the opponent.


Diffie-Hellman Key Exchange (cont’d)
  • q, a, $Y_A$ and $Y_B$ are public.
  • To attack the secret key of user B, the opponent must compute

$X_B = \mathrm{ind}_{a,q}(Y_B)$. [$Y_B = a^{X_B} \bmod q$.]

  • The effectiveness of this algorithm therefore depends on the difficulty of solving discrete logarithm.
Attack on Diffie-Hellman Key Exchange
  • Bucket brigade attack

    Alice picks x, Trudy picks z, Bob picks y

    1. Alice → Trudy: n, g, $g^x \bmod n$
    2. Trudy → Bob: n, g, $g^z \bmod n$
    3. Trudy → Alice: $g^z \bmod n$
    4. Bob → Trudy: $g^y \bmod n$

  • ($g^{xz} \bmod n$) becomes the secret key between Alice and Trudy, while ($g^{yz} \bmod n$) becomes the secret key between Trudy and Bob
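The q = 97 example and the bucket brigade exchange above, in code. This is an added example, not part of the original slides; Trudy's exponent z = 11 is a constructed value and the function names are chosen here. It also shows why the slide insists on large numbers: with q = 97 the discrete logarithm falls to a plain loop.

```python
def is_primitive_root(a, p):
    """True if a, a^2, ..., a^(p-1) mod p are the integers 1..p-1 in some order."""
    return {pow(a, i, p) for i in range(1, p)} == set(range(1, p))

def discrete_log(a, y, q):
    """ind_{a,q}(y) by trying every exponent; feasible only because q is tiny."""
    value = 1
    for i in range(q - 1):
        if value == y:
            return i
        value = value * a % q
    return None

def exchange(q, a, x_a, x_b):
    """Honest exchange: (Y_A, Y_B, K as Alice computes it, K as Bob computes it)."""
    y_a, y_b = pow(a, x_a, q), pow(a, x_b, q)
    return y_a, y_b, pow(y_b, x_a, q), pow(y_a, x_b, q)

def bucket_brigade(q, a, x_a, x_b, z):
    """Keys held by each party when both public values are replaced by a^z mod q."""
    y_a, y_b, y_t = pow(a, x_a, q), pow(a, x_b, q), pow(a, z, q)
    return {
        "alice": pow(y_t, x_a, q),        # Alice believes Bob holds this key
        "bob": pow(y_t, x_b, q),          # Bob believes Alice holds this key
        "trudy_alice": pow(y_a, z, q),
        "trudy_bob": pow(y_b, z, q),
    }

Q, A, X_A, X_B = 97, 5, 36, 58            # values from the slide
Z = 11                                    # constructed value for Trudy

if __name__ == "__main__":
    print(exchange(Q, A, X_A, X_B))
    print(discrete_log(A, 44, Q))
    print(bucket_brigade(Q, A, X_A, X_B, Z))
```

Alice and Bob end up with different keys, each matching one of Trudy's, because nothing in the exchange ties a public value to its sender; that is the gap the authentication protocols in the following slides close.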
Authentication Protocols
  • Authorization
    • verifies what a process is permitted to do
  • Authentication
    • verifies the identity of the process that you are talking to
    • public and private keys are used for authentication, and for establishing the session key (a secret key)
    • all data communicated is then encrypted using secret key cryptography
Authentication Based on a Shared Secret Key
  • Challenge-response protocol

    $K_{AB}$ = shared secret key between Alice and Bob

    1. Alice → Bob: A
    2. Bob → Alice: $R_B$ (challenge)
    3. Alice → Bob: $K_{AB}(R_B)$ (response)
    4. Alice → Bob: $R_A$ (challenge)
    5. Bob → Alice: $K_{AB}(R_A)$ (response)
    6. $K_{AB}(K_S)$ (session key if needed)

    After step 3, Bob verifies Alice’s identity
    After step 5, Alice verifies Bob’s identity


Authentication Based on a Shared Secret Key (cont’d)
  • Can we reduce the number of messages exchanged, e.g.,

    1. Alice → Bob: A, $R_A$ (challenge)
    2. Bob → Alice: $R_B$, $K_{AB}(R_A)$ (response/challenge)
    3. Alice → Bob: $K_{AB}(R_B)$ (response)

  • Only three, instead of five, messages are exchanged
Authentication Based on a Shared Secret Key (cont’d)
  • The shortened protocol can be defeated by a reflection attack

    1. Trudy → Bob: A, $R_T$ (first session)
    2. Bob → Trudy: $R_B$, $K_{AB}(R_T)$ (first session)
    3. Trudy → Bob: A, $R_B$ (second session)
    4. Bob → Trudy: $R_{B2}$, $K_{AB}(R_B)$ (second session)
    5. Trudy → Bob: $K_{AB}(R_B)$ (first session)

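Why the five messages above succeed against the shortened protocol, and one way to close the gap. This is an added example, not part of the original slides: HMAC-SHA256 stands in for $K_{AB}(R)$, and the `bind_role` option (mixing the prover's role into the keyed value) is a mitigation assumed here, not one the slides describe.

```python
import hashlib
import hmac
import os

def keyed(key, data):
    # Stand-in for K_AB(R): a keyed function only holders of K_AB can compute.
    return hmac.new(key, data, hashlib.sha256).digest()

class Bob:
    """Responder for the three-message protocol; accepts parallel sessions."""

    def __init__(self, k_ab, bind_role=False):
        self.k_ab, self.bind_role = k_ab, bind_role
        self.pending = {}                     # session id -> R_B issued by Bob

    def _proof(self, role, nonce):
        # Hardened variant: the role label makes Bob's own answers useless
        # as answers to Bob's own challenges.
        return keyed(self.k_ab, (role if self.bind_role else b"") + nonce)

    def msg1(self, sid, claimed_id, r_peer):
        """Handle 'A, R_A'; return message 2: (R_B, K_AB(R_A))."""
        r_b = os.urandom(16)
        self.pending[sid] = r_b
        return r_b, self._proof(b"responder|", r_peer)

    def msg3(self, sid, response):
        """Handle K_AB(R_B); True means Bob accepts the peer as Alice."""
        expected = self._proof(b"initiator|", self.pending.pop(sid))
        return hmac.compare_digest(response, expected)

def reflection_attempt(bob):
    """The slide's five messages, sent by a party that does not know K_AB."""
    r_t = os.urandom(16)
    r_b, _ = bob.msg1("s1", "A", r_t)         # 1, 2: first session
    _, reflected = bob.msg1("s2", "A", r_b)   # 3, 4: Bob answers his own R_B
    return bob.msg3("s1", reflected)          # 5: answer replayed into session 1

def honest_alice(bob, k_ab):
    """A legitimate run, including Alice's check of Bob's response."""
    init, resp = (b"initiator|", b"responder|") if bob.bind_role else (b"", b"")
    r_a = os.urandom(16)
    r_b, proof = bob.msg1("s9", "A", r_a)
    bob_ok = hmac.compare_digest(proof, keyed(k_ab, resp + r_a))
    return bob_ok and bob.msg3("s9", keyed(k_ab, init + r_b))

K = b"constructed shared key K_AB"

if __name__ == "__main__":
    print("slide protocol accepts reflection:", reflection_attempt(Bob(K)))
    print("role-bound variant accepts it:    ", reflection_attempt(Bob(K, True)))
    print("honest run still works:           ", honest_alice(Bob(K, True), K))
```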

Authentication Using a Key Distribution Center
  • Need a trusted Key Distribution Center (KDC)
  • Wide-mouth frog: simplest KDC authentication protocol

    1. Alice → KDC: A, $K_A(B, K_S)$
    2. KDC → Bob: $K_B(A, K_S)$

  • Replay attack
    • an intruder can just replay message 2 (and any following messages) to Bob later, and Bob has no way to tell if it is a second connection from Alice
Authentication Using Public-Key
  • Assume both sides already know each other’s public keys
    • This is not a trivial assumption as explained previously

    1. Alice → Bob: $E_B(A, R_A)$
    2. Bob → Alice: $E_A(R_A, R_B, K_S)$ (Alice verified Bob’s identity)
    3. Alice → Bob: $K_S(R_B)$ (Bob verified Alice’s identity)


Digital Signatures
  • What is needed is a system by which one party can send a “signed” message to another party such that
    • The receiver can verify the claimed identity of the sender
    • The sender cannot later repudiate the contents of the message
    • The receiver cannot possibly have concocted the message itself
Secret-Key Signatures
  • Assumes a central authority, say Big Brother (BB), that knows everyone’s secret key

    Alice → BB: A, $K_A(B, R_A, t, P)$
    BB → Bob: $K_B(A, R_A, t, P, K_{BB}(A, t, P))$

  • Bob has $K_{BB}(A, t, P)$, which is proof that Alice sent message P at time t
  • To guard against replay attacks
    • A message is discarded if its timestamp is too old
    • For a recent message, it is discarded if $R_A$ is a duplicate
Public-Key Signatures
  • Assumes both D(E(P)) = P and E(D(P)) = P (RSA algorithm has such property)

[Figure: Alice’s computer: P → Alice’s private key $D_A$ → $D_A(P)$ → Bob’s public key $E_B$ → $E_B(D_A(P))$ on the transmission line. Bob’s computer: $E_B(D_A(P))$ → Bob’s private key $D_B$ → $D_A(P)$ → Alice’s public key $E_A$ → P.]

  • Bob has P and $D_A(P)$, which is proof that Alice sent P
Message Digests
  • It is often desirable to send signed plaintext documents because encrypting the complete document may take too much time
  • Message Digest (MD): hash plaintext to a fixed-length bit string such that
    • Given P, it is easy to compute MD(P)
    • Given MD(P), it is effectively impossible to find P
    • No one can generate two messages that have the same message digest

[Figure: P → MD(P), m bits]


Message Digests (cont’d)
  • Public-key message digest

    Alice → Bob: P, $D_A(MD(P))$

  • Most widely used message digest functions
    • MD5
    • SHA (Secure Hash Algorithm)
  • An m-bit MD system may possibly be broken in $\Theta(2^{m/2})$ time (referred to as the birthday attack in the text)
Discussions
  • What do you think are the major security threats in the Internet? What are possible measures and strategies to address such threats?
  • What products, policies and processes of your company are worth recommending?