Information Security
Frank Yeong-Sung Lin

Department of Information Management

National Taiwan University

EMBA 2009 – Information Systems and Applications

Lecture II


Information Security

Information security can be roughly divided into 4 areas:

  • Secrecy: keep information unrevealed

  • Authentication: determine the identity of the party you are talking to

  • Nonrepudiation: make sure that someone cannot deny the things he/she has done

  • Integrity control: make sure the message you received has not been modified


Information Security (cont’d)

Information security functionality can be distributed across several protocol layers:

  • Physical layer: protect the transmission link from wiretapping

  • Data link layer: link encryption

  • Network layer: firewall, packet filter

  • Application layer: authentication, non-repudiation, integrity control, (and secrecy/confidentiality)


Information Security (cont’d)

A number of essential concepts to begin with:

  • Risk management

    • threats, vulnerabilities, assets, damages and probabilities

    • balancing acts

    • all cryptosystems may be compromised

  • Notion of chains (Achilles' heel)

  • Notion of buckets (products, policies, processes and people)

  • Defense in-depth

  • Average vs. worst cases

  • Backup, restoration and contingency plans


Traditional Cryptography

  • Simplified model: plaintext P is encrypted under key K into E_K(P) and decrypted under the same key, so that D_K(E_K(P)) = P

  • Passive intruder: listens only; active intruder: alters messages

  • The model depends on a stable public algorithm and a key

  • The work factor for breaking the system by exhaustive search of the key space is exponential in the key length

  • Two categories: substitution ciphers vs. transposition ciphers

Figure: Plaintext P → Encryption (key K) → E_K(P) → Decryption (key K) → P; the intruder, passive or active, sits on the channel carrying E_K(P)


Traditional Cryptography (cont’d)

  • Simplified model of traditional cryptography


Traditional Cryptography (cont’d)

  • Model of traditional cryptography


Substitution Cipher

  • Caesar cipher

    • Every letter is shifted by k positions, e.g., k = 3 and “a” becomes “D”, “b” becomes “E”, …

      • For example, “attack” becomes “DWDDFN”

  • Mono-alphabetic substitution

Plaintext: abcdefghijklmnopqrstuvwxyz

ciphertext: QWERTYUIOPASDFGHJKLZXCVBNM

  • The key space is 26! ≈ 4×10^26

  • Still the cipher may be broken easily by taking advantage of the frequency statistics of English text (e.g., e, a, th, er, and, the appear very often)


Substitution Cipher (cont’d)

  • Relative frequency of letters in English text


Transposition Ciphers

Key:    M E G A B U C K
Order:  7 4 5 1 2 8 3 6
        p l e a s e t r
        a n s f e r o n
        e m i l l i o n
        d o l l a r s t
        o m y s w i s s
        b a n k a c c o
        u n t s i x t w
        o t w o a b c d

  • Plaintext is written horizontally, while the ciphertext is read out by column, starting with the column whose key letter comes first in alphabetical order (A, then B, C, E, G, K, M, U)

  • To break the transposition cipher

    • guess a probable word or phrase (e.g., milliondollars)

    • try to determine the key length, then order the columns

  • Another related example regarding Newton

Plaintext (the last row is padded with abcd): pleasetransferonemilliondollarstomyswissbankaccountsixtwotwo

Ciphertext: AFLLSKSOSELAWAIATOOSSCTCLNMOMANTESILYNTWRNNTSOWDPAEDOBUOERIRICXB
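As an added example (not part of the slides), the columnar transposition above implemented in Python, with the MEGABUCK key and the slide's plaintext, plus the two checks a cryptanalyst uses against it: that ciphertext and plaintext contain exactly the same letters (which distinguishes a transposition from a substitution) and whether a guessed key makes a probable word such as "milliondollars" appear. The padding string and the helper names are this example's own choices.

```python
KEY = "MEGABUCK"
PLAINTEXT = "pleasetransferonemilliondollarstomyswissbankaccountsixtwotwo"
CIPHERTEXT = "AFLLSKSOSELAWAIATOOSSCTCLNMOMANTESILYNTWRNNTSOWDPAEDOBUOERIRICXB"


def column_order(key: str) -> list:
    """Indices of the key columns in read-out order: the column under the alphabetically
    smallest key letter comes first (MEGABUCK -> A, B, C, E, G, K, M, U)."""
    return sorted(range(len(key)), key=lambda i: key[i])


def transposition_encrypt(plaintext: str, key: str, pad: str = "abcdefgh") -> str:
    """Write the plaintext row by row under the key, then read it out column by column."""
    width = len(key)
    text = plaintext.replace(" ", "").lower()
    short = len(text) % width
    if short:
        text += pad[: width - short]        # the slide fills the last row with "abcd"
    rows = [text[i:i + width] for i in range(0, len(text), width)]
    return "".join(row[c] for c in column_order(key) for row in rows).upper()


def transposition_decrypt(ciphertext: str, key: str) -> str:
    """Reverse: cut the ciphertext into equal columns and put each back under its key letter."""
    width = len(key)
    height = len(ciphertext) // width
    columns = {}
    for pos, c in enumerate(column_order(key)):
        columns[c] = ciphertext[pos * height:(pos + 1) * height]
    return "".join(columns[c][r] for r in range(height) for c in range(width)).lower()


def same_letter_multiset(a: str, b: str) -> bool:
    """A transposition only reorders letters, so plaintext and ciphertext hold exactly the same
    letters with the same counts; a substitution cipher does not have this property."""
    return sorted(a.lower()) == sorted(b.lower())


def probable_word_hits(ciphertext: str, key_guess: str, crib: str) -> bool:
    """Cryptanalyst's check: does a guessed key make the probable word appear in the plaintext?"""
    return crib in transposition_decrypt(ciphertext, key_guess)
```

The key length is the number of columns; once it is known, the attacker permutes column orders until a crib such as "milliondollars" appears, which is the procedure the slide outlines.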


Other Interesting Ciphers

  • Chinese poems

  • Clubs and leather strips

  • Invisible ink (steganography in general)

  • Books

  • Code books

  • Enigma

  • XOR

  • Ej/vu3z8h96


Two Fundamental Cryptographic Principles

  • First principle

    • All encrypted messages must contain redundancy to prevent active intruders from tricking the receiver into acting on a false message

    • However, the same redundancy makes it easier for passive intruders to break the system

  • Second principle

    • Some measures must be taken to prevent active intruders from replaying old messages, e.g., use a timestamp to

      • filter out duplicate messages within a certain time window

      • discard incoming messages that are too old


Secret-Key Algorithms

  • Consists of sequences of transpositions and substitutions

  • P-box (permutation): reorders the input bits

  • S-box (substitution): a 3-to-8 decoder, a permutation of the eight lines, and an 8-to-3 encoder, which together realize a substitution on 3-bit values

  • Product cipher: S-boxes S1 to S8 alternated with P-boxes P1 to P3

Figure: (a) P-box, (b) S-box built from decoder (3 to 8), P-box and encoder (8 to 3), (c) product cipher combining S1–S8 with P1–P3


Data Encryption Standard (DES)

  • Plaintext is encrypted in blocks of 64 bits

  • DES is basically a mono-alphabetic substitution cipher using a 64-bit character

  • Structure: 64-bit plaintext → initial transposition → 16 iterations, each using a key K_i (K1 … K16) derived from the 56-bit key → 32-bit swap → inverse transposition → 64-bit ciphertext

  • In iteration i the block is split into 32-bit halves L_{i-1} and R_{i-1}; the outputs are L_i = R_{i-1} and R_i = L_{i-1} ⊕ f(R_{i-1}, K_i)

Figure: DES outline (left) and the computation of one iteration (right): 32 bits L_i, 32 bits R_i


DES Chaining

  • DES may be vulnerable to active intruders

    Name (8 bytes)    Bonus (8 bytes)
    Leslie            $0000010
    Kimberly          $0100000

    Intruder may copy the block to one row above: each 8-byte field is encrypted as an independent block, so Kimberly’s bonus block can be moved into Leslie’s record without knowing the key

  • DES chaining

Figure: Encryption: C_0 = E_K(P_0 ⊕ IV), C_i = E_K(P_i ⊕ C_{i-1}) for i = 1..3 (each plaintext block is exclusive-ORed with the previous ciphertext block before encryption under the key); Decryption: P_0 = D_K(C_0) ⊕ IV, P_i = D_K(C_i) ⊕ C_{i-1}
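The following added example (not from the slides, and not DES) ties the last three slides together: a toy 16-round Feistel cipher whose round function is an S-box followed by a P-box, used first in the independent-block mode the slide attacks (ECB) and then in the chained mode (CBC). The payroll file is the slide's table laid out as two 16-byte records; the intruder copies Kimberly's bonus block into Leslie's record without the key. The S-box row, P-box rule, key schedule, key and IV are all constructed for this example; the cipher is for illustration only and has no security claims.

```python
# Toy Feistel cipher: 64-bit blocks, 56-bit key, 16 rounds, round function = S-box then P-box.
# Constructed for this illustration only: it is NOT DES and NOT secure.
MASK32, MASK56, MASK64 = 0xFFFFFFFF, (1 << 56) - 1, (1 << 64) - 1
SBOX = [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7]  # first row of DES S-box S1
PBOX = [(7 * i) % 32 for i in range(32)]  # bit i -> bit 7i mod 32; a permutation since gcd(7, 32) = 1


def substitute(word):
    """S-box stage: each of the eight 4-bit nibbles is replaced through the table."""
    return sum(SBOX[(word >> (4 * i)) & 0xF] << (4 * i) for i in range(8))


def permute(word):
    """P-box stage: every input bit moves to its new position."""
    return sum(((word >> i) & 1) << PBOX[i] for i in range(32))


def f(right, round_key):
    """Round function: key mixing, substitution, permutation (one product-cipher step)."""
    return permute(substitute((right ^ round_key) & MASK32))


def round_keys(key56, rounds=16):
    """Simplistic key schedule (stand-in for DES's): rotate the 56-bit key, keep the low 32 bits."""
    return [(((key56 << i) | (key56 >> (56 - i))) & MASK56) & MASK32 for i in range(1, rounds + 1)]


def feistel(block, keys):
    """L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, K_i).  The final swap makes decryption the same
    function run with the round keys reversed, whatever f is, so f need not be invertible."""
    left, right = block >> 32, block & MASK32
    for k in keys:
        left, right = right, left ^ f(right, k)
    return ((right << 32) | left) & MASK64


def encrypt_block(block, key56):
    return feistel(block, round_keys(key56))


def decrypt_block(block, key56):
    return feistel(block, round_keys(key56)[::-1])


def to_blocks(data):
    return [int.from_bytes(data[i:i + 8], "big") for i in range(0, len(data), 8)]


def from_blocks(blocks):
    return b"".join(b.to_bytes(8, "big") for b in blocks)


def ecb_encrypt(data, key):
    """Each 8-byte block encrypted independently: blocks can be cut and pasted by an intruder."""
    return from_blocks(encrypt_block(p, key) for p in to_blocks(data))


def ecb_decrypt(data, key):
    return from_blocks(decrypt_block(c, key) for c in to_blocks(data))


def cbc_encrypt(data, key, iv):
    """Chaining: C_0 = E(P_0 XOR IV), C_i = E(P_i XOR C_{i-1})."""
    out, prev = [], iv
    for p in to_blocks(data):
        prev = encrypt_block(p ^ prev, key)
        out.append(prev)
    return from_blocks(out)


def cbc_decrypt(data, key, iv):
    """P_i = D(C_i) XOR C_{i-1}: a moved ciphertext block decrypts to garbage and corrupts the next."""
    out, prev = [], iv
    for c in to_blocks(data):
        out.append(decrypt_block(c, key) ^ prev)
        prev = c
    return from_blocks(out)


# Constructed payroll file from the slide's table: two 16-byte records, each an 8-byte name
# field followed by an 8-byte bonus field, so every field is exactly one cipher block.
RECORDS = b"Leslie  $0000010Kimberly$0100000"
KEY56 = 0x0123456789ABCD   # constructed demo key
IV = 0x1122334455667788    # constructed demo IV


def copy_bonus_block(ciphertext):
    """Active intruder, no key needed: overwrite Leslie's bonus block with Kimberly's."""
    tampered = bytearray(ciphertext)
    tampered[8:16] = ciphertext[24:32]
    return bytes(tampered)


def ecb_after_tampering():
    return ecb_decrypt(copy_bonus_block(ecb_encrypt(RECORDS, KEY56)), KEY56)


def cbc_after_tampering():
    return cbc_decrypt(copy_bonus_block(cbc_encrypt(RECORDS, KEY56, IV)), KEY56, IV)
```

In ECB the tampered file decrypts cleanly to a record giving Leslie the larger bonus; in CBC the moved block and the one after it decrypt to garbage, which is the redundancy check the first cryptographic principle asks for (the receiver can notice the message is not well-formed). Chaining alone does not authenticate: an attacker who can tolerate garbage in some blocks can still tamper, which is why a MAC or message digest is added in practice.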


Breaking DES

  • Exhaustive search of key space = 2^56 ≈ 7×10^16

    • can use multiple computers to do the search in parallel

  • Running DES twice consecutively with two different 56-bit keys creates a key space of 2^112 ≈ 5×10^33

    • but it still can be broken by the “meet-in-the-middle” attack in O(2^57) time, because

    C_i = E_K2(E_K1(P_i)) implies D_K2(C_i) = E_K1(P_i)
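An added example (not from the slides) of the meet-in-the-middle attack on double encryption, run on a constructed toy cipher with 16-bit blocks and 8-bit keys so that it finishes instantly: the double-key space has 2^16 pairs, but the attack needs only about 2 × 2^8 cipher operations, exactly the 2^57-instead-of-2^112 argument above. The toy cipher, the known pairs and the keys are this example's own constructions.

```python
# Toy 16-bit block cipher with an 8-bit key, constructed for this illustration (not secure):
# small enough that every key can be tried, which is the point of the demonstration.
MUL = 0x9E37                      # odd, so multiplication mod 2^16 is invertible
MUL_INV = pow(MUL, -1, 1 << 16)


def toy_encrypt(block, key):
    x = (block ^ (key | (key << 8))) & 0xFFFF   # key mixing
    x = ((x << 5) | (x >> 11)) & 0xFFFF         # bit rotation (a transposition)
    return (x * MUL + key) & 0xFFFF             # mixing step


def toy_decrypt(block, key):
    x = ((block - key) * MUL_INV) & 0xFFFF
    x = ((x >> 5) | (x << 11)) & 0xFFFF
    return x ^ (key | (key << 8))


def double_encrypt(block, k1, k2):
    """C = E_K2(E_K1(P)): 2^16 key pairs, but the two halves can be attacked separately."""
    return toy_encrypt(toy_encrypt(block, k1), k2)


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known plaintext/ciphertext pairs.  Since D_K2(C) = E_K1(P):
    tabulate E_K1(P) for every k1, then for every k2 look D_K2(C) up in the table.
    That is 2 * 2^8 cipher operations instead of 2^16; extra pairs weed out false matches.
    Returns (candidate key pairs, cipher operations spent on the two main loops)."""
    p0, c0 = pairs[0]
    table, work = {}, 0
    for k1 in range(256):
        table.setdefault(toy_encrypt(p0, k1), []).append(k1)
        work += 1
    candidates = []
    for k2 in range(256):
        middle = toy_decrypt(c0, k2)
        work += 1
        for k1 in table.get(middle, []):
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates, work


# Constructed secret keys and the known plaintext/ciphertext pairs the attacker has captured.
SECRET_K1, SECRET_K2 = 0x5A, 0xC3
KNOWN_PAIRS = [(p, double_encrypt(p, SECRET_K1, SECRET_K2)) for p in (0x1234, 0xBEEF, 0x0042)]
```

The cost that moves from time to space is the table of 2^k intermediate values; for real DES that is 2^56 entries, which is why triple DES with the EDE construction, not double DES, became the standard answer.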


Triple DES Encryption

  • Using EDE (two encryptions and one decryption) instead of EEE is for backward compatibility with single-stage DES systems: when K1 = K2, the middle decryption cancels the first encryption and the whole construction reduces to single DES

  • Using EEE with 3 different keys is basically unbreakable nowadays

Figure: Encryption: P → E (K1) → D (K2) → E (K1) → C; Decryption: C → D (K1) → E (K2) → D (K1) → P


Public-Key Algorithms

  • Encryption (E) and Decryption (D) algorithms must meet the following requirements

    • E and D are different

    • D(E(P)) = P

    • It is exceedingly difficult to deduce D from E

  • Everyone has a pair of keys: public key (E) and private key (D)

    • Public key is made known to the world

    • Private key is to be kept private all the time

Figure: A → B: E_B(P1), and B computes D_B(E_B(P1)) = P1 with its private key D_B; B → A: E_A(P2), and A computes D_A(E_A(P2)) = P2 with its private key D_A


Principles of Public-Key Cryptosystems (cont’d)

  • Requirements for PKC

    • easy for B (receiver) to generate the key pair KU_b (public) and KR_b (private)

    • easy for A (sender) to calculate C = E_KUb(M)

    • easy for B to calculate M = D_KRb(C) = D_KRb(E_KUb(M))

    • infeasible for an opponent to calculate KR_b from KU_b

    • infeasible for an opponent to calculate M from C and KU_b

    • (useful but not necessary) M = D_KRb(E_KUb(M)) = E_KUb(D_KRb(M)) (true for RSA and good for authentication)


Principles of Public-Key Cryptosystems (cont’d)

  • The idea of PKC was first proposed by Diffie and Hellman in 1976.

  • Two keys (public and private) are needed.

  • The difficulty of computing the inverse f^-1 typically rests on one of

    • factorization of large numbers

    • NP-complete problems

    • calculation of discrete logarithms

  • High complexity confines PKC to key management and signature applications


Principles of Public-Key Cryptosystems (cont’d)

  • Comparison between conventional and public-key encryption


Principles of Public-Key Cryptosystems (cont’d)

  • Applications for PKC

    • encryption/decryption

    • digital signature

    • key exchange



RSA Algorithms

  • Developed by Rivest, Shamir, and Adleman at MIT in 1978

  • First compute the following parameters

    • Choose two large primes, p and q (typically > 10^100)

    • Compute n = p × q and z = (p-1) × (q-1)

    • Choose d, which is a number relatively prime to z

    • Find e such that (e × d) mod z = 1

  • Divide the plaintext into blocks of k bits, where 2^k < n

    • To encrypt P, compute C = P^e mod n

    • To decrypt C, compute P = C^d mod n

    • Public key = (e, n), private key = (d, n)


The RSA Algorithm (cont’d)

  • Fermat’s Little Theorem: If p is prime and a is a positive integer not divisible by p, then

    a^(p-1) ≡ 1 (mod p).

    Example: a = 7, p = 19

    7^2 = 49 ≡ 11 (mod 19)

    7^4 = (7^2)^2 ≡ 11^2 = 121 ≡ 7 (mod 19)

    7^8 = (7^4)^2 ≡ 7^2 = 49 ≡ 11 (mod 19)

    7^16 = (7^8)^2 ≡ 11^2 = 121 ≡ 7 (mod 19)

    a^(p-1) = 7^18 = 7^16 × 7^2 ≡ 7 × 11 = 77 ≡ 1 (mod 19)


The RSA Algorithm (cont’d)

  • Example 1

    • Select two prime numbers, p = 7 and q = 17.

    • Calculate n = p × q = 7 × 17 = 119.

    • Calculate Φ(n) = (p-1)(q-1) = 96.

    • Select e such that e is relatively prime to Φ(n) = 96 and less than Φ(n); in this case, e = 5.

    • Determine d such that d × e ≡ 1 (mod 96) and d < 96. The correct value is d = 77, because 77 × 5 = 385 = 4 × 96 + 1.


The RSA Algorithm (cont’d)

  • The security of RSA

    • brute force: This involves trying all possible private keys.

    • mathematical attacks: There are several approaches, all equivalent in effect to factoring the product of two primes.

    • timing attacks: These depend on the running time of the decryption algorithm.


The RSA Algorithm (cont’d)

  • To avoid brute force attacks, a large key space is required.

  • To make n difficult to factor

    • p and q should differ in length by only a few digits (both in the range of 10^75 to 10^100)

    • both (p-1) and (q-1) should contain a large prime factor

    • gcd(p-1, q-1) should be small

    • should avoid e < n and d < n^(1/4)


The RSA Algorithm (cont’d)

  • To make n difficult to factor (cont’d)

    • p and q should best be strong primes, where p is a strong prime if

      • there exist two large primes p1 and p2 such that p1 | p-1 and p2 | p+1

      • there exist four large primes r1, s1, r2 and s2 such that r1 | p1-1, s1 | p1+1, r2 | p2-1 and s2 | p2+1

    • e should not be too small, e.g. for e = 3 and C = M^3 mod n, if M^3 < n then no modular reduction takes place and M can be easily calculated
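An added example (not from the slides) that carries the RSA material of the preceding slides through in code: Fermat's theorem checked with the slide's a = 7, p = 19 and the repeated-squaring table, key generation with Example 1's p = 7, q = 17, e = 5 (yielding d = 77), textbook encryption and decryption, and the small-e weakness just described. The message M = 19 for Example 1, the two ~2^30 primes and the message used for the e = 3 demonstration are this example's own choices; 10^9+7 and 998244353 are known primes whose (p-1)(q-1) is coprime to 3.

```python
from math import gcd


def fermat_check(a: int, p: int) -> bool:
    """Fermat's Little Theorem: a^(p-1) = 1 (mod p) for prime p and a not divisible by p."""
    return pow(a, p - 1, p) == 1


def repeated_squaring_table(a: int, p: int, steps: int = 4) -> list:
    """The slide's hand computation: a^2, a^4, a^8, a^16 reduced mod p at every step."""
    out, x = [], a
    for _ in range(steps):
        x = (x * x) % p
        out.append(x)
    return out


def rsa_keygen(p: int, q: int, e: int):
    """Slide recipe: n = p*q, z = (p-1)(q-1), e coprime to z, d = e^-1 mod z."""
    n, z = p * q, (p - 1) * (q - 1)
    if gcd(e, z) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, z)               # modular inverse, so (e*d) mod z == 1
    return (e, n), (d, n)           # public key, private key


def rsa_encrypt(m: int, public_key) -> int:
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("a block must be smaller than n")
    return pow(m, e, n)             # C = P^e mod n


def rsa_decrypt(c: int, private_key) -> int:
    d, n = private_key
    return pow(c, d, n)             # P = C^d mod n


def integer_cube_root(x: int) -> int:
    """Exact floor cube root by binary search; works on arbitrarily large integers."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def small_e_weakness(m: int, n: int) -> int:
    """Textbook RSA with e = 3: when m^3 < n the ciphertext is just m^3 over the integers,
    so anyone can undo it with a cube root.  Returns what an eavesdropper recovers."""
    c = pow(m, 3, n)
    return integer_cube_root(c)


# Constructed parameters for the small-e demonstration: two known primes of about 2^30,
# chosen so that gcd(3, (p-1)(q-1)) == 1.
SMALL_E_P, SMALL_E_Q = 1_000_000_007, 998_244_353
```

The small-e recovery works only because the message was short and unpadded; the practical remedy is a padding scheme that makes every encrypted block about as large as n, which is what real RSA implementations do in addition to choosing e and the primes as the slides advise.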


The RSA Algorithm (cont’d)

  • Major threats

    • the continuing increase in computing power (100 or even 1000 MIPS machines are easily available)

    • continuing refinement of factoring algorithms (from QS to GNFS and to SNFS)


RSA Algorithms (cont’d)

  • The security of RSA is based on the difficulty of factoring large numbers

    • It takes 4×10^9 years for factoring a 200-digit number

    • It takes 10^25 years for factoring a 500-digit number

  • RSA is too slow to actually encrypt large volumes of data, so it is primarily used for distributing one-time session keys for use with a secret-key algorithm such as DES


Elliptic Curve Cryptography (ECC)

  • For the same length of keys, faster than RSA

  • For the same degree of security, shorter keys are required than RSA

  • Standardized in IEEE P1363

  • Confidence level not yet as high as that in RSA

  • Much more difficult to explain than RSA


Elliptic Curve Cryptography (cont’d)

  • Computational effort for cryptanalysis of elliptic curve cryptography compared to RSA


Key Management

  • The distribution of public keys

    • public announcement

    • publicly available directory

    • public-key authority

    • public-key certificates

  • The use of public-key encryption to distribute secret keys

    • simple secret key distribution

    • secret key distribution with confidentiality and authentication


Key Management (cont’d)

  • Public announcement

    • advantages: convenience

    • disadvantages: forgery of such a public announcement by anyone


Key Management (cont’d)

  • Publicly available directory

    • elements of the scheme

      • {name, public key} entry for each participant in the directory

      • in-person or secure registration

      • on-demand entry update

      • periodic publication of the directory

      • availability of secure electronic access from the directory to participants

    • advantages: greater degree of security


Key Management (cont’d)

  • Publicly available directory (cont’d)

    • disadvantages

      • need of a trusted entity or organization

      • need of additional security mechanism from the directory authority to participants

      • vulnerability of the private key of the directory authority (global-scaled disaster if the private key of the directory authority is compromised)

      • vulnerability of the directory records


Key Management (cont’d)

  • Public-key authority

    • stronger security for public-key distribution can be achieved by providing tighter control over the distribution of public keys from the directory

    • each participant can verify the identity of the authority

    • participants can verify identities of each other

    • disadvantages

      • bottleneck effect of the public-key authority

      • vulnerability of the directory records


Key Management (cont’d)

  • Public-key certificates

    • certificates let participants exchange keys without contacting a public-key authority

    • requirements on the scheme

      • any participant can read a certificate to determine the name and public key of the certificate’s owner

      • any participant can verify that the certificate originated from the certificate authority and is not counterfeit

      • only the certificate authority can create & update certificates

      • any participant can verify the currency of the certificate


Key Management (cont’d)

  • Public-key certificates (cont’d)

    • advantages

      • to use certificates that can be used by participants to exchange keys without contacting a public-key authority

      • in a way that is as reliable as if the key were obtained directly from a public-key authority

      • no on-line bottleneck effect

    • disadvantages: need of a certificate authority


Key Management (cont’d)

  • Simple secret key distribution

    • advantages

      • simplicity

      • no keys stored before and after the communication

      • security against eavesdropping

    • disadvantages

      • lack of authentication mechanism between participants

      • vulnerability to an active attack (opponent active only in the process of obtaining Ks)

      • leak of the secret key upon such active attacks


Key Management (cont’d)

  • Secret key distribution with confidentiality and authentication

    • provides protection against both active and passive attacks

    • ensures both confidentiality and authentication in the exchange of a secret key

    • public keys should be obtained a priori

    • more complicated


Diffie-Hellman Key Exchange

  • First public-key algorithm published

  • Limited to key exchange

  • Dependent for its effectiveness on the difficulty of computing discrete logarithm


Diffie-Hellman Key Exchange (cont’d)

  • Diffie-Hellman key exchange

    • n, g: large prime number with additional conditions

      • n and g may be made public

    • x, y: large (say, 512-bit) numbers, chosen privately by Alice and Bob respectively

Figure: 1. Alice → Bob: n, g, g^x mod n; 2. Bob → Alice: g^y mod n. Bob computes (g^x mod n)^y = g^xy mod n; Alice computes (g^y mod n)^x = g^xy mod n

  • g^xy mod n = the secret key

  • it is very difficult to find x given g^x mod n


Diffie-Hellman Key Exchange (cont’d)

  • Define a primitive root of a prime number p as a number whose powers generate all the integers from 1 to p-1.

  • If a is a primitive root of the prime number p, then the numbers

    a mod p, a^2 mod p, …, a^(p-1) mod p

    are distinct and consist of the integers from 1 to p-1 in some permutation.

  • Not every number has a primitive root.


Diffie-Hellman Key Exchange (cont’d)

  • For any integer b and a primitive root a of prime number p, one can find a unique exponent i such that

    b = a^i mod p, where 0 ≤ i ≤ (p-1).

  • The exponent is referred to as the discrete logarithm, or index, of b for the base a, mod p.

  • This value is denoted as ind_{a,p}(b).


Diffie-Hellman Key Exchange (cont’d)

  • Example:

    q = 97 and a primitive root a = 5 is selected.

    X_A = 36 and X_B = 58 (both < 97).

    Y_A = 5^36 mod 97 = 50 and

    Y_B = 5^58 mod 97 = 44.

    K = (Y_B)^X_A mod 97 = 44^36 mod 97 = 75.

    K = (Y_A)^X_B mod 97 = 50^58 mod 97 = 75.

    75 cannot easily be computed by the opponent.
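An added example (not from the slides) that reproduces the exchange above with q = 97, a = 5, X_A = 36 and X_B = 58, together with the two definitions from the preceding slides: a brute-force primitive-root test and the index (discrete logarithm) ind_{a,p}(b) by exhaustive search. The exhaustive search is deliberately naive; it is what the opponent must do, and it is feasible here only because q is tiny. Function names are this example's own.

```python
def is_primitive_root(a: int, p: int) -> bool:
    """a is a primitive root of prime p when a, a^2, ..., a^(p-1) mod p are all distinct
    (they are then a permutation of 1..p-1).  Brute force, fine for a classroom-sized p."""
    return len({pow(a, i, p) for i in range(1, p)}) == p - 1


def index(a: int, p: int, b: int):
    """Discrete logarithm ind_{a,p}(b): the exponent i with a^i mod p == b, found by trying
    every exponent.  This is exactly the work the opponent cannot afford once p has
    hundreds of digits."""
    for i in range(p - 1):
        if pow(a, i, p) == b:
            return i
    return None


def dh_public_value(a: int, q: int, x: int) -> int:
    """Y = a^X mod q, the value sent over the public channel."""
    return pow(a, x, q)


def dh_shared_key(their_public: int, my_secret: int, q: int) -> int:
    """K = (their Y)^(my X) mod q."""
    return pow(their_public, my_secret, q)


def dh_exchange(q: int, a: int, x_a: int, x_b: int) -> dict:
    """Run the whole exchange; both sides must end with the same K."""
    y_a = dh_public_value(a, q, x_a)    # message 1: Alice -> Bob (together with q and a)
    y_b = dh_public_value(a, q, x_b)    # message 2: Bob -> Alice
    return {"Y_A": y_a, "Y_B": y_b,
            "K_alice": dh_shared_key(y_b, x_a, q),
            "K_bob": dh_shared_key(y_a, x_b, q)}
```

The opponent sees q, a, Y_A and Y_B; recovering the key means computing index(a, q, Y_B) = X_B, which the exhaustive loop does in 96 steps for q = 97 and cannot do at all for a 512-bit q.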


Diffie-Hellman Key Exchange (cont’d)

  • How the algorithm works


Diffie-Hellman Key Exchange (cont’d)

  • q, a, Y_A and Y_B are public.

  • To attack the secret key of user B, the opponent must compute

    X_B = ind_{a,q}(Y_B), since Y_B = a^X_B mod q.

  • The effectiveness of this algorithm therefore depends on the difficulty of solving the discrete logarithm problem.


Attack on Diffie-Hellman Key Exchange

  • Bucket brigade attack: Alice picks x, Trudy picks z, Bob picks y

Figure: 1. Alice → Trudy: n, g, g^x mod n; 2. Trudy → Bob: n, g, g^z mod n; 3. Trudy → Alice: g^z mod n; 4. Bob → Trudy: g^y mod n

  • (g^xz mod n) becomes the secret key between Alice and Trudy, while (g^yz mod n) becomes the secret key between Trudy and Bob
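An added example (not from the slides) that simulates the bucket brigade on the slide's parameters: Trudy substitutes g^z for both public values, so Alice and Bob each agree on a key with Trudy rather than with each other, and Trudy can decrypt and re-encrypt everything between them. Trudy's exponent z = 29 is this example's own choice. The point for the defender is the last function: the exchange is only safe when each side can check the received value against an authenticated copy, which is why the later slides bind Diffie-Hellman to certificates and authentication protocols.

```python
def bucket_brigade(q: int, g: int, x: int, y: int, z: int) -> dict:
    """Trudy controls the channel and replaces each public value with her own g^z.
    Returns the key each party ends up with; Alice and Bob never notice they differ."""
    from_alice = pow(g, x, q)            # 1: Alice -> (intercepted by Trudy): g^x
    to_bob = pow(g, z, q)                # 2: Trudy -> Bob: g^z in place of g^x
    to_alice = pow(g, z, q)              # 3: Trudy -> Alice: g^z in place of g^y
    from_bob = pow(g, y, q)              # 4: Bob -> (intercepted by Trudy): g^y
    return {
        "alice": pow(to_alice, x, q),              # g^xz: what Alice believes is the Alice-Bob key
        "trudy_with_alice": pow(from_alice, z, q), # g^xz: Trudy's copy of that key
        "bob": pow(to_bob, y, q),                  # g^yz: what Bob believes is the Alice-Bob key
        "trudy_with_bob": pow(from_bob, z, q),     # g^yz: Trudy's copy of that key
    }


def parties_agree(keys: dict) -> bool:
    """True only if Alice and Bob actually share a key."""
    return keys["alice"] == keys["bob"]


def substitution_detected(received_value: int, authenticated_value: int) -> bool:
    """Defence: compare the value received on the channel with a copy obtained through an
    authenticated path (a certificate, a signed message, an out-of-band check).
    Any mismatch means someone is in the middle."""
    return received_value != authenticated_value
```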


Authentication Protocols

  • Authorization

    • verifies what a process is permitted to do

  • Authentication

    • verifies the identity of the process that you are talking to

    • public and private keys are used for authentication, and for establishing the session key (a secret key)

    • all data communicated is then encrypted using secret key cryptography


Authentication Based on a Shared Secret Key

  • Challenge-response protocol (K_AB = shared secret key between Alice and Bob)

    1. Alice → Bob: A

    2. Bob → Alice: R_B (challenge)

    3. Alice → Bob: K_AB(R_B) (response; after step 3, Bob verifies Alice’s identity)

    4. Alice → Bob: R_A (challenge)

    5. Bob → Alice: K_AB(R_A) (response; after step 5, Alice verifies Bob’s identity)

    6. K_AB(K_S): session key, if needed


Authentication Based on a Shared Secret Key (cont’d)

  • Can we reduce the number of messages exchanged, e.g.,

    1. Alice → Bob: A, R_A (challenge)

    2. Bob → Alice: R_B, K_AB(R_A) (response and challenge)

    3. Alice → Bob: K_AB(R_B) (response)

  • Only three, instead of five, messages are exchanged


Authentication Based on a Shared Secret Key (cont’d)

  • The shortened protocol can be defeated by a reflection attack

    1. Trudy → Bob: A, R_T (first session)

    2. Bob → Trudy: R_B, K_AB(R_T) (first session)

    3. Trudy → Bob: A, R_B (second session)

    4. Bob → Trudy: R_B2, K_AB(R_B) (second session)

    5. Trudy → Bob: K_AB(R_B) (first session)
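An added example (not from the slides) that models Bob as a small state machine for both the five-message and the three-message protocols and runs the reflection attack against each. K_AB(R) is realized with an HMAC under the shared key, which is this example's own choice; the session identifiers and the key are constructed. The contrast shows what the shortened version gave up: in the full protocol Bob encrypts nothing for a peer until that peer has answered R_B, so there is no second session Trudy can use as an oracle.

```python
import hashlib
import hmac
import secrets

KEY_AB = b"constructed shared secret of Alice and Bob"   # K_AB (demo value)


def kab(key: bytes, value: bytes) -> bytes:
    """Stands in for K_AB(R): a keyed MAC of the challenge under the shared secret."""
    return hmac.new(key, value, hashlib.sha256).digest()


class BobShortened:
    """Bob in the three-message protocol: message 2 answers the initiator's challenge at once."""

    def __init__(self, key):
        self.key, self.sessions = key, {}

    def message1(self, session, identity, r_a):
        """Receive (A, R_A); reply (R_B, K_AB(R_A)) before the peer has proved anything."""
        r_b = secrets.token_bytes(16)
        self.sessions[session] = r_b
        return r_b, kab(self.key, r_a)

    def message3(self, session, response):
        """Receive K_AB(R_B); True means Bob now believes the peer is Alice."""
        return hmac.compare_digest(response, kab(self.key, self.sessions.pop(session)))


class BobFull:
    """Bob in the five-message protocol: encrypts nothing for a peer that has not answered R_B."""

    def __init__(self, key):
        self.key, self.sessions = key, {}

    def message1(self, session, identity):
        r_b = secrets.token_bytes(16)
        self.sessions[session] = {"r_b": r_b, "verified": False}
        return r_b                                   # message 2: R_B

    def message3(self, session, response):
        s = self.sessions[session]
        s["verified"] = hmac.compare_digest(response, kab(self.key, s["r_b"]))
        return s["verified"]

    def message4(self, session, r_a):
        """Receive R_A; message 5, K_AB(R_A), goes only to a peer already verified in step 3."""
        if not self.sessions[session]["verified"]:
            return None
        return kab(self.key, r_a)


def reflection_attack_shortened(bob) -> bool:
    """Trudy, without K_AB, opens a second session to make Bob answer his own challenge."""
    r_t = secrets.token_bytes(16)
    r_b, _ = bob.message1("first", b"A", r_t)         # 1, 2: learn R_B
    _, answer = bob.message1("second", b"A", r_b)     # 3, 4: Bob computes K_AB(R_B) for session two
    return bob.message3("first", answer)              # 5: replay it into session one


def reflection_attack_full(bob) -> bool:
    """The same trick against the five-message protocol: Bob refuses to act as an oracle."""
    r_b = bob.message1("first", b"A")
    bob.message1("second", b"A")
    answer = bob.message4("second", r_b)              # None: session two is not verified
    return answer is not None and bob.message3("first", answer)


def honest_alice_full(bob, key: bytes = KEY_AB) -> bool:
    """Alice, who has K_AB, completes the five-message protocol and checks Bob's answer."""
    r_b = bob.message1("alice", b"A")
    if not bob.message3("alice", kab(key, r_b)):
        return False
    r_a = secrets.token_bytes(16)
    return bob.message4("alice", r_a) == kab(key, r_a)
```

The general lesson for protocol design is that a party should never answer a challenge before the other side has proved something, and that the two directions should never use the same key and format for their responses; the reflection attack is what happens when both rules are broken at once.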


Authentication Using a Key Distribution Center

  • Need a trusted Key Distribution Center (KDC)

  • Wide-mouth frog: simplest KDC authentication protocol

    1. Alice → KDC: A, K_A(B, K_S)

    2. KDC → Bob: K_B(A, K_S)

  • Replay attack

    • an intruder can just replay message 2 (and any following messages) to Bob later, and Bob has no way to tell whether it is a second connection from Alice


Authentication Using Public-Key

  • Assume both sides already know each other’s public keys

    • This is not a trivial assumption as explained previously

    1. Alice → Bob: E_B(A, R_A)

    2. Bob → Alice: E_A(R_A, R_B, K_S) (Alice verifies Bob’s identity)

    3. Alice → Bob: K_S(R_B) (Bob verifies Alice’s identity)


Digital Signatures

  • What is needed is a system by which one party can send a “signed” message to another party such that

    • The receiver can verify the claimed identity of the sender

    • The sender cannot later repudiate the contents of the message

    • The receiver cannot possibly have concocted the message itself


Secret-Key Signatures

  • Assumes a central authority, say Big Brother (BB), that knows everyone’s secret key

    1. Alice → BB: A, K_A(B, R_A, t, P)

    2. BB → Bob: K_B(A, R_A, t, P, K_BB(A, t, P))

  • Bob has K_BB(A, t, P), which is proof that Alice sent message P at time t

  • To guard against replay attacks

    • A message is discarded if its timestamp t is too old

    • For a recent message, it is discarded if R_A is a duplicate
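The two replay rules above are the same ones the second cryptographic principle asked for earlier (filter duplicates within a time window, discard messages that are too old). As an added example, not from the slides, here is a receiver-side filter implementing both: it keeps the nonces of recent messages only, which keeps memory bounded, because any replay of an older message is already rejected by the age check. Rejecting timestamps that lie far in the future is this example's own addition, with the skew bound set equal to the age window as an assumption.

```python
import time


class ReplayFilter:
    """Every message carries a timestamp t and a nonce R_A.  A message is discarded if t is
    too old, or if it is recent but R_A has already been seen (Big Brother signature slide)."""

    def __init__(self, max_age_seconds: float = 60.0):
        self.max_age = max_age_seconds
        self.seen = {}          # nonce -> timestamp, kept only while the message is "recent"

    def _forget_old(self, now: float) -> None:
        # Nonces older than max_age can be dropped: a replay of them fails the age check
        # anyway, so the table never grows beyond the messages received per window.
        self.seen = {nonce: ts for nonce, ts in self.seen.items() if now - ts <= self.max_age}

    def accept(self, nonce: bytes, timestamp: float, now: float = None) -> bool:
        """True if the message should be processed, False if it is discarded."""
        now = time.time() if now is None else now
        self._forget_old(now)
        if now - timestamp > self.max_age:
            return False                        # too old: discard
        if timestamp - now > self.max_age:
            return False                        # far in the future: assumed invalid (added rule)
        if nonce in self.seen:
            return False                        # recent duplicate: a replay
        self.seen[nonce] = timestamp
        return True
```

The check runs only after the signature or MAC on the message has been verified, since otherwise an attacker could fill the nonce table or shift the window with forged messages; the timestamp and nonce must therefore be inside the authenticated part of the message, as they are in K_A(B, R_A, t, P).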


Public-Key Signatures

  • Assumes both D(E(P)) = P and E(D(P)) = P (the RSA algorithm has this property)

Figure: Alice’s computer: P → D_A (Alice’s private key) → D_A(P) → E_B (Bob’s public key) → E_B(D_A(P)) → transmission line → Bob’s computer: D_B (Bob’s private key) → D_A(P) → E_A (Alice’s public key) → P

  • Bob has P and D_A(P), which is proof that Alice sent P


Message Digests

  • It is often desirable to send signed plaintext documents because encrypting the complete document may take too much time

  • Message Digest (MD): hash plaintext to a fixed-length bit string such that

    • Given P, it is easy to compute MD(P)

    • Given MD(P), it is effectively impossible to find P

    • No one can generate two messages that have the same message digest

Figure: P (arbitrary length) → MD → MD(P) (m bits)


Message Digests (cont’d)

  • Public-key message digest: Alice → Bob: P, D_A(MD(P))

  • Most widely used message digest functions

    • MD5

    • SHA (Secure Hash Algorithm)

  • An m-bit MD system may be broken in O(2^(m/2)) time (referred to as the birthday attack in the text)
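An added example (not from the slides) that makes the O(2^(m/2)) figure concrete: an m-bit digest is modelled as SHA-256 truncated to its first m bits (this example's own construction, so that m can be made small), and a collision is found by hashing distinct messages until a digest repeats. For m = 24 this takes on the order of 2^12 hashes, far below the 2^24 a preimage search would need, which is why the third digest property (no two messages with the same digest) requires m to be at least twice as large as the other two.

```python
import hashlib
import math


def truncated_digest(message: bytes, m_bits: int) -> int:
    """An m-bit message digest: SHA-256 truncated to its first m bits (experiment only)."""
    full = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return full >> (256 - m_bits)


def birthday_collision(m_bits: int, max_tries: int = 1 << 20):
    """Find two different messages with the same m-bit digest by hashing distinct messages and
    remembering every digest seen.  Expected effort is about 2^(m/2) hashes, not 2^m.
    Returns (msg1, msg2, hashes_computed), or None if max_tries is exhausted."""
    seen = {}
    for i in range(max_tries):
        msg = b"message-%d" % i             # constructed, distinct messages
        d = truncated_digest(msg, m_bits)
        if d in seen:
            return seen[d], msg, i + 1
        seen[d] = msg
    return None


def expected_birthday_tries(m_bits: int) -> float:
    """About sqrt(pi/2 * 2^m) hashes for a 50% chance of a collision among the messages tried."""
    return math.sqrt(math.pi / 2 * (1 << m_bits))
```

A signer who lets the other party choose the document to be signed is exposed to exactly this: the attacker prepares 2^(m/2) harmless variants and 2^(m/2) harmful ones, finds a harmless/harmful pair with the same digest, and later presents the harmful one with the valid signature. MD5's 128-bit output and SHA's 160-bit output were chosen with this square-root effect in mind.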


Discussions

  • What do you think are the major security threats in the Internet? What are possible measures and strategies to address such threats?

  • What products, policies and processes of your company are worth recommending?

