
Information Security

Frank Yeong-Sung Lin

Department of Information Management

National Taiwan University

EMBA 2009 – Information Systems and Applications

Lecture II



Information Security

Information security can be roughly divided into 4 areas:

  • Secrecy: keep information unrevealed

  • Authentication: determine the identity of whom you are talking to

  • Nonrepudiation: make sure that someone cannot deny the things he/she had done

  • Integrity control: make sure the message you received has not been modified



Information Security (cont’d)

Information security functionality can be distributed across several protocol layers:

  • Physical layer: protect transmission link from wire tapping

  • Data link layer: link encryption

  • Network layer: firewall, packet filter

  • Application layer: authentication, non-repudiation, integrity control, (and secrecy/confidentiality)



Information Security (cont’d)

A number of essential concepts to begin with:

  • Risk management

    • threats, vulnerabilities, assets, damages and probabilities

    • balancing acts

    • all cryptosystems may be compromised

  • Notion of chains (Achilles' heel)

  • Notion of buckets (products, policies, processes and people)

  • Defense in-depth

  • Average vs. worst cases

  • Backup, restoration and contingency plans



Traditional Cryptography

  • Passive intruder (listens only) vs. active intruder (alters messages)

  • The model depends on a stable public algorithm and a key

  • The work factor for breaking the system by exhaustive search of the key space is exponential in the key length

  • Two categories: substitution ciphers vs. transposition ciphers

Figure: plaintext P → Encryption (key K) → E_K(P) → Decryption (key K) → P, i.e., D_K(E_K(P)) = P



Traditional Cryptography (cont’d)

  • Simplified model of traditional cryptography



Traditional Cryptography (cont’d)

  • Model of traditional cryptography



Substitution Cipher

  • Caesar cipher

    • Every letter is shifted by k positions, e.g., with k = 3, “a” becomes “D”, “b” becomes “E”, …

      • For example, “attack” becomes “DWDDFN”

  • Mono-alphabetic substitution

Plaintext:  abcdefghijklmnopqrstuvwxyz

Ciphertext: QWERTYUIOPASDFGHJKLZXCVBNM

  • The key space is 26! ≈ 4×10^26

  • Still the cipher may be broken easily by taking advantage of the frequency statistics of English text (e.g., e, a, th, er, and, the appear very often)



Substitution Cipher (cont’d)

  • Relative frequency of letters in English text



Transposition Ciphers

    M E G A B U C K    (key)
    7 4 5 1 2 8 3 6    (column order)
    p l e a s e t r
    a n s f e r o n
    e m i l l i o n
    d o l l a r s t
    o m y s w i s s
    b a n k a c c o
    u n t s i x t w
    o t w o a b c d

  • Plaintext is written horizontally, while the ciphertext is read out by column, starting with the lowest key column

  • To break the transposition cipher

    • guess a probable word or phrase (e.g., milliondollars)

    • try to determine the key length, then order the columns

  • Another related example regarding Newton

Plaintext: pleasetransferonemilliondollarstomyswissbankaccountsixtwotwo

Ciphertext: AFLLSKSOSELAWAIATOOSSCTCLNMOMANTESILYNTWRNNTSOWDPAEDOBUOERIRICXB
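Columnar transposition with the MEGABUCK key from the slide, as an added example that is not part of the original deck; it reproduces the slide's ciphertext, including the "abcd" padding of the last row, and decrypts it again.

```python
# Key, plaintext and ciphertext exactly as on the slide (the slide pads with "abcd")
KEY = "MEGABUCK"
PLAINTEXT = "pleasetransferonemilliondollarstomyswissbankaccountsixtwotwo"
CIPHERTEXT = "AFLLSKSOSELAWAIATOOSSCTCLNMOMANTESILYNTWRNNTSOWDPAEDOBUOERIRICXB"


def column_order(key: str) -> list:
    """Columns in read-out order: the column whose key letter sorts first is
    read first; equal letters are broken left to right."""
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def key_ranks(key: str) -> list:
    """The numbering written under the key on the slide (MEGABUCK -> 7 4 5 1 2 8 3 6)."""
    ranks = [0] * len(key)
    for rank, col in enumerate(column_order(key), start=1):
        ranks[col] = rank
    return ranks


def transposition_encrypt(plaintext: str, key: str, pad: str = "abcd") -> str:
    """Write the plaintext row by row under the key, then read the columns out
    in key order, lowest-numbered column first."""
    width = len(key)
    missing = (-len(plaintext)) % width          # empty cells in the last row
    text = plaintext + (pad * width)[:missing]   # fill them as the slide does
    rows = [text[i:i + width] for i in range(0, len(text), width)]
    return "".join(row[c] for c in column_order(key) for row in rows).upper()


def transposition_decrypt(ciphertext: str, key: str) -> str:
    """Refill the columns in key order, then read the grid row by row. The
    padding letters stay attached; the recipient strips them."""
    width = len(key)
    height = len(ciphertext) // width
    grid = [[""] * width for _ in range(height)]
    pos = 0
    for c in column_order(key):
        for r in range(height):
            grid[r][c] = ciphertext[pos].lower()
            pos += 1
    return "".join("".join(row) for row in grid)
```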



Other Interesting Ciphers

  • Chinese poems

  • Clubs and leather stripes

  • Invisible ink (steganography in general)

  • Books

  • Code books

  • Enigma

  • XOR

  • Ej/vu3z8h96



Two Fundamental Cryptographic Principles

  • First principle

    • All encrypted messages must contain redundancy to prevent active intruders from tricking the receiver into acting on a false message

    • However, the same redundancy makes it easier for passive intruders to break the system

  • Second principle

    • Some measures must be taken to prevent active intruders from replaying old messages, e.g., use a timestamp to

      • filter out duplicate messages within a certain time window

      • discard incoming messages that are too old


Secret-Key Algorithms

  • Consists of a sequence of transpositions and substitutions

Figure: a P-box (permutation), an S-box (substitution: a 3-to-8 decoder, an internal permutation and an 8-to-3 encoder), and a product cipher built from P-boxes P1 to P3 and S-boxes S1 to S8



Data Encryption Standard (DES)

  • Plaintext is encrypted in blocks of 64 bits

  • DES is basically a mono-alphabetic substitution cipher using a 64-bit character

Figure: DES outline. The 64-bit plaintext passes through an initial transposition, then 16 iterations driven by subkeys K1 to K16 derived from the 56-bit key; iteration i takes the 32-bit halves L_{i-1}, R_{i-1} and produces L_i = R_{i-1}, R_i = L_{i-1} ⊕ f(R_{i-1}, K_i); after iteration 16 the halves are swapped (32-bit swap) and an inverse transposition yields the 64-bit ciphertext.



DES Chaining

  • DES may be vulnerable to active intruders

    Name       Bonus
    Leslie     $0000010
    Kimberly   $0100000

    Each field is 8 bytes (one DES block), so an intruder may copy the bonus block of one row to the row above

  • DES chaining

Figure: cipher block chaining. The first plaintext block P0 is XORed with an initialization vector IV before encryption under the key, and every later block P_i is XORed with the previous ciphertext block C_{i-1}, i.e., C_i = E(P_i ⊕ C_{i-1}). Decryption reverses this: P_i = D(C_i) ⊕ C_{i-1}, with C_{-1} = IV.



Breaking DES

  • Exhaustive search of the key space = 2^56 ≈ 7×10^16

    • can use multiple computers to do the search in parallel

  • Running DES twice consecutively with two different 56-bit keys creates a key space of 2^112 ≈ 5×10^33

    • but it can still be broken by the “meet-in-the-middle” attack in Θ(2^57) time, because

      C_i = E_K2(E_K1(P_i))  ⇒  D_K2(C_i) = E_K1(P_i)
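Added example, not from the slides: the meet-in-the-middle attack above run against a toy 16-bit add-rotate-xor cipher that stands in for DES (so the whole search finishes in seconds); the cipher, keys and plaintexts are constructed for illustration.

```python
MASK = 0xFFFF  # 16-bit blocks and 16-bit keys (constructed toy cipher, NOT DES)


def _rotl(x: int, r: int) -> int:
    return ((x << r) | (x >> (16 - r))) & MASK


def _rotr(x: int, r: int) -> int:
    return ((x >> r) | (x << (16 - r))) & MASK


def toy_encrypt(key: int, block: int) -> int:
    """Four add-rotate-xor rounds; every step is invertible so decryption exists."""
    x = block
    for r in range(1, 5):
        x = (x + key) & MASK
        x = _rotl(x, 5) ^ ((key * r) & MASK)
    return x


def toy_decrypt(key: int, block: int) -> int:
    x = block
    for r in range(4, 0, -1):
        x = _rotr(x ^ ((key * r) & MASK), 5)
        x = (x - key) & MASK
    return x


def double_encrypt(k1: int, k2: int, p: int) -> int:
    """C = E_K2(E_K1(P)), the double encryption the slide analyses."""
    return toy_encrypt(k2, toy_encrypt(k1, p))


def meet_in_the_middle(pairs):
    """Recover (K1, K2) from known (P, C) pairs. A naive search costs 2^32 double
    encryptions; this costs about 2 * 2^16 single cipher operations plus a
    table, because D_K2(C) = E_K1(P) lets each half be searched on its own."""
    p0, c0 = pairs[0]
    middle = {}  # E_K1(P0) -> every K1 that produces it
    for k1 in range(1 << 16):
        middle.setdefault(toy_encrypt(k1, p0), []).append(k1)
    for k2 in range(1 << 16):
        m = toy_decrypt(k2, c0)
        for k1 in middle.get(m, ()):
            # With a 16-bit block one pair leaves about 2^16 false matches, so
            # the remaining pairs are used to confirm a candidate.
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                return k1, k2
    return None


# Constructed demo keys and plaintexts (no real key material)
K1, K2 = 0x3A7F, 0xC15D
PLAINTEXTS = [0x1234, 0xBEEF, 0x0F0F, 0xC0DE]


def demo_pairs():
    """Known-plaintext material the attacker is assumed to have captured."""
    return [(p, double_encrypt(K1, K2, p)) for p in PLAINTEXTS]
```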



Triple DES Encryption

  • Using EDE (2 encryptions and 1 decryption) instead of EEE is for backward compatibility (when K1 = K2) with single-stage DES systems

  • Using EEE with 3 different keys is basically unbreakable nowadays

Figure: encryption C = E_K1(D_K2(E_K1(P))); decryption P = D_K1(E_K2(D_K1(C)))



Public-Key Algorithms

  • Encryption (E) and Decryption (D) algorithms must meet the following requirements

    • E and D are different

    • D(E(P)) = P

    • It is exceedingly difficult to deduce D from E

  • Everyone has a pair of keys: public key (E) and private key (D)

    • Public key is made known to the world

    • Private key is to be kept private all the time

Figure: A encrypts P1 with B’s public key E_B and sends E_B(P1); B recovers D_B(E_B(P1)) = P1 with private key D_B. B encrypts P2 with A’s public key E_A and sends E_A(P2); A recovers D_A(E_A(P2)) = P2 with private key D_A.



Principles of Public-Key Cryptosystems



Principles of Public-Key Cryptosystems (cont’d)

  • Requirements for PKC

    • easy for B (receiver) to generate KU_b and KR_b

    • easy for A (sender) to calculate C = E_KUb(M)

    • easy for B to calculate M = D_KRb(C) = D_KRb(E_KUb(M))

    • infeasible for an opponent to calculate KR_b from KU_b

    • infeasible for an opponent to calculate M from C and KU_b

    • (useful but not necessary) M = D_KRb(E_KUb(M)) = E_KUb(D_KRb(M)) (true for RSA and good for authentication)



Principles of Public-Key Cryptosystems (cont’d)

  • The idea of PKC was first proposed by Diffie and Hellman in 1976.

  • Two keys (public and private) are needed.

  • The difficulty of calculating f^(-1) typically rests on

    • factorization of large numbers

    • NP-complete problems

    • calculation of discrete logarithms

  • High complexity confines PKC to key management and signature applications



Principles of Public-Key Cryptosystems (cont’d)

  • Comparison between conventional and public-key encryption



Principles of Public-Key Cryptosystems (cont’d)

  • Applications for PKC

    • encryption/decryption

    • digital signature

    • key exchange



RSA Algorithms

  • Developed by Rivest, Shamir, and Adleman at MIT in 1978

  • First compute the following parameters

    • Choose two large primes, p and q (typically > 10^100)

    • Compute n = p × q and z = (p-1) × (q-1)

    • Choose d, which is a number relatively prime to z

    • Find e such that (e × d) mod z = 1

  • Divide the plaintext into blocks of k bits, where 2^k < n

    • To encrypt P, compute C = P^e mod n

    • To decrypt C, compute P = C^d mod n

    • Public key = (e, n), private key = (d, n)



The RSA Algorithm (cont’d)

  • Fermat’s Little Theorem: if p is prime and a is a positive integer not divisible by p, then

    a^(p-1) ≡ 1 (mod p).

    Example: a = 7, p = 19

    7^2 = 49 ≡ 11 (mod 19)

    7^4 ≡ 11^2 = 121 ≡ 7 (mod 19)

    7^8 ≡ 7^2 = 49 ≡ 11 (mod 19)

    7^16 ≡ 11^2 = 121 ≡ 7 (mod 19)

    a^(p-1) = 7^18 = 7^16 × 7^2 ≡ 7 × 11 = 77 ≡ 1 (mod 19)



The RSA Algorithm (cont’d)

  • Example 1

    • Select two prime numbers, p = 7 and q = 17.

    • Calculate n = p × q = 7 × 17 = 119.

    • Calculate Φ(n) = (p-1)(q-1) = 96.

    • Select e such that e is relatively prime to Φ(n) = 96 and less than Φ(n); in this case, e = 5.

    • Determine d such that d × e ≡ 1 (mod 96) and d < 96. The correct value is d = 77, because 77 × 5 = 385 = 4 × 96 + 1.



The RSA Algorithm (cont’d)

  • The security of RSA

    • brute force: This involves trying all possible private keys.

    • mathematical attacks: There are several approaches, all equivalent in effect to factoring the product of two primes.

    • timing attacks: These depend on the running time of the decryption algorithm.



The RSA Algorithm (cont’d)

  • To avoid brute force attacks, a large key space is required.

  • To make n difficult to factor

    • p and q should differ in length by only a few digits (both in the range of 10^75 to 10^100)

    • both (p-1) and (q-1) should contain a large prime factor

    • gcd(p-1, q-1) should be small

    • should avoid e < n and d < n^(1/4)



The RSA Algorithm (cont’d)

  • To make n difficult to factor (cont’d)

    • p and q should best be strong primes, where p is a strong prime if

      • there exist two large primes p1 and p2 such that p1 | p-1 and p2 | p+1

      • there exist four large primes r1, s1, r2 and s2 such that r1 | p1-1, s1 | p1+1, r2 | p2-1 and s2 | p2+1

    • e should not be too small, e.g., for e = 3 and C = M^3 mod n, if M^3 < n then no modular reduction takes place, so C = M^3 exactly and M can be easily calculated



The RSA Algorithm (cont’d)

  • Major threats

    • the continuing increase in computing power (100 or even 1000 MIPS machines are easily available)

    • continuing refinement of factoring algorithms (from QS to GNFS and to SNFS)



RSA Algorithms (cont’d)

  • The security of RSA is based on the difficulty of factoring large numbers

    • It takes 4×10^9 years to factor a 200-digit number

    • It takes 10^25 years to factor a 500-digit number

  • RSA is too slow to actually encrypt large volumes of data, so it is primarily used to distribute one-time session keys for use with DES



Elliptic Curve Cryptography (ECC)

  • For the same length of keys, faster than RSA

  • For the same degree of security, shorter keys are required than RSA

  • Standardized in IEEE P1363

  • Confidence level not yet as high as that in RSA

  • Much more difficult to explain than RSA



Elliptic Curve Cryptography (cont’d)

  • Computational effort for cryptanalysis of elliptic curve cryptography compared to RSA



Key Management

  • The distribution of public keys

    • public announcement

    • publicly available directory

    • public-key authority

    • public-key certificates

  • The use of public-key encryption to distribute secret keys

    • simple secret key distribution

    • secret key distribution with confidentiality and authentication



Key Management (cont’d)

  • Public announcement



Key Management (cont’d)

  • Public announcement (cont’d)

    • advantages: convenience

    • disadvantages: forgery of such a public announcement by anyone



Key Management (cont’d)

  • Publicly available directory



Key Management (cont’d)

  • Publicly available directory (cont’d)

    • elements of the scheme

      • {name, public key} entry for each participant in the directory

      • in-person or secure registration

      • on-demand entry update

      • periodic publication of the directory

      • availability of secure electronic access from the directory to participants

    • advantages: greater degree of security



Key Management (cont’d)

  • Publicly available directory (cont’d)

    • disadvantages

      • need of a trusted entity or organization

      • need of additional security mechanism from the directory authority to participants

      • vulnerability of the private key of the directory authority (global-scaled disaster if the private key of the directory authority is compromised)

      • vulnerability of the directory records



Key Management (cont’d)

  • Public-key authority



Key Management (cont’d)

  • Public-key authority (cont’d)

    • stronger security for public-key distribution can be achieved by providing tighter control over the distribution of public keys from the directory

    • each participant can verify the identity of the authority

    • participants can verify identities of each other

    • disadvantages

      • bottleneck effect of the public-key authority

      • vulnerability of the directory records



Key Management (cont’d)

  • Public-key certificates



Key Management (cont’d)

  • Public-key certificates (cont’d)

    • to use certificates that can be used by participants to exchange keys without contacting a public-key authority

    • requirements on the scheme

      • any participant can read a certificate to determine the name and public key of the certificate’s owner

      • any participant can verify that the certificate originated from the certificate authority and is not counterfeit

      • only the certificate authority can create & update certificates

      • any participant can verify the currency of the certificate



Key Management (cont’d)

  • Public-key certificates (cont’d)

    • advantages

      • to use certificates that can be used by participants to exchange keys without contacting a public-key authority

      • in a way that is as reliable as if the key were obtained directly from a public-key authority

      • no on-line bottleneck effect

    • disadvantages: need of a certificate authority



Key Management (cont’d)

  • Simple secret key distribution



Key Management (cont’d)

  • Simple secret key distribution (cont’d)

    • advantages

      • simplicity

      • no keys stored before and after the communication

      • security against eavesdropping

    • disadvantages

      • lack of authentication mechanism between participants

      • vulnerability to an active attack (opponent active only in the process of obtaining Ks)

      • leak of the secret key upon such active attacks



Key Management (cont’d)

  • Secret key distribution with confidentiality and authentication



Key Management (cont’d)

  • Secret key distribution with confidentiality and authentication (cont’d)

    • provides protection against both active and passive attacks

    • ensures both confidentiality and authentication in the exchange of a secret key

    • public keys should be obtained a priori

    • more complicated



Diffie-Hellman Key Exchange

  • First public-key algorithm published

  • Limited to key exchange

  • Dependent for its effectiveness on the difficulty of computing discrete logarithm



Diffie-Hellman Key Exchange (cont’d)

  • Diffie-Hellman key exchange

    • n, g: a large prime number n and a base g, with additional conditions

      • n and g may be made public

    • x, y: large (say, 512-bit) numbers

    1. Alice → Bob: n, g, g^x mod n

    2. Bob → Alice: g^y mod n

    Bob computes (g^x mod n)^y = g^xy mod n; Alice computes (g^y mod n)^x = g^xy mod n

  • g^xy mod n = the secret key

  • it is very difficult to find x given g^x mod n



Diffie-Hellman Key Exchange (cont’d)

  • Define a primitive root of a prime number p as one whose powers generate all the integers from 1 to p-1.

  • If a is a primitive root of the prime number p, then the numbers

    a mod p, a^2 mod p, …, a^(p-1) mod p

    are distinct and consist of the integers from 1 to p-1 in some permutation.

  • Not every number has a primitive root.



Diffie-Hellman Key Exchange (cont’d)

  • For any integer b and a primitive root a of prime number p, one can find a unique exponent i such that

    b = a^i mod p, where 0 ≤ i ≤ (p-1).

  • The exponent is referred to as the discrete logarithm, or index, of b for the base a, mod p.

  • This value is denoted as ind_{a,p}(b).



Diffie-Hellman Key Exchange (cont’d)

  • Example:

    q = 97 and a primitive root a = 5 is selected.

    X_A = 36 and X_B = 58 (both < 97).

    Y_A = 5^36 mod 97 = 50 and

    Y_B = 5^58 mod 97 = 44.

    K = (Y_B)^X_A mod 97 = 44^36 mod 97 = 75.

    K = (Y_A)^X_B mod 97 = 50^58 mod 97 = 75.

    75 cannot easily be computed by the opponent.



Diffie-Hellman Key Exchange (cont’d)

  • How the algorithm works



Diffie-Hellman Key Exchange (cont’d)

  • q, a, YA and YB are public.

  • To attack the secret key of user B, the opponent must compute

    X_B = ind_{a,q}(Y_B)  [since Y_B = a^X_B mod q].

  • The effectiveness of this algorithm therefore depends on the difficulty of solving discrete logarithm.



Attack on Diffie-Hellman Key Exchange

  • Bucket brigade attack (Alice picks x, Trudy picks z, Bob picks y)

    1. Alice → Trudy (intended for Bob): n, g, g^x mod n

    2. Trudy → Bob: n, g, g^z mod n

    3. Trudy → Alice: g^z mod n

    4. Bob → Trudy (intended for Alice): g^y mod n

  • (g^xz mod n) becomes the secret key between Alice and Trudy, while (g^yz mod n) becomes the secret key between Trudy and Bob
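The exchange with q = 97, a = 5, X_A = 36 and X_B = 58 from the example slide, plus the primitive-root test, a brute-force index computation and the bucket-brigade attack, as added code that is not part of the deck; Trudy's exponent z = 20 is a constructed value.

```python
def prime_factors(n: int) -> set:
    """Distinct prime factors by trial division (fine for the small moduli here)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_root(a: int, p: int) -> bool:
    """a is a primitive root of prime p iff a^((p-1)/r) != 1 mod p for every
    prime r dividing p-1; then a, a^2, ..., a^(p-1) permute 1..p-1."""
    return all(pow(a, (p - 1) // r, p) != 1 for r in prime_factors(p - 1))


def dh_public(q: int, a: int, x: int) -> int:
    """Y = a^x mod q, the value sent over the wire."""
    return pow(a, x, q)


def dh_shared(q: int, peer_public: int, x: int) -> int:
    """K = (peer's Y)^x mod q = a^(xy) mod q on both sides."""
    return pow(peer_public, x, q)


def discrete_log(q: int, a: int, y: int):
    """Brute-force ind_{a,q}(y): what the opponent must compute to get X_B from
    Y_B. Feasible only because q is tiny; for a real modulus it is not."""
    for i in range(q - 1):
        if pow(a, i, q) == y:
            return i
    return None


def bucket_brigade(q: int, a: int, x: int, y: int, z: int):
    """Trudy relays a^z in both directions. Returns (Alice's key, Bob's key,
    Trudy's key with Alice, Trudy's key with Bob): Alice and Bob each agree
    with Trudy, not with each other, and without authentication neither notices."""
    ya, yb, yz = dh_public(q, a, x), dh_public(q, a, y), dh_public(q, a, z)
    k_alice = dh_shared(q, yz, x)        # Alice: (g^z)^x = g^xz
    k_bob = dh_shared(q, yz, y)          # Bob:   (g^z)^y = g^yz
    k_trudy_alice = dh_shared(q, ya, z)  # Trudy: (g^x)^z = g^xz
    k_trudy_bob = dh_shared(q, yb, z)    # Trudy: (g^y)^z = g^yz
    return k_alice, k_bob, k_trudy_alice, k_trudy_bob


# Values from the example slide; Trudy's z = 20 is a constructed value
Q, A, XA, XB, Z = 97, 5, 36, 58, 20
```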



Authentication Protocols

  • Authorization

    • verifies what a process is permitted to do

  • Authentication

    • verifies the identity of the process that you are talking to

    • public and private keys are used for authentication, and for establishing the session key (a secret key)

    • all data communicated is then encrypted using secret key cryptography



Authentication Based on a Shared Secret Key

  • Challenge-response protocol (K_AB = shared secret key between Alice and Bob)

    1. Alice → Bob: A

    2. Bob → Alice: R_B (challenge)

    3. Alice → Bob: K_AB(R_B) (response; after step 3, Bob has verified Alice’s identity)

    4. Alice → Bob: R_A (challenge)

    5. Bob → Alice: K_AB(R_A) (response; after step 5, Alice has verified Bob’s identity)

    6. K_AB(K_S) (session key, if needed)



Authentication Based on a Shared Secret Key (cont’d)

  • Can we reduce the number of messages exchanged, e.g.,

    1. Alice → Bob: A, R_A (challenge)

    2. Bob → Alice: R_B, K_AB(R_A) (response/challenge)

    3. Alice → Bob: K_AB(R_B) (response)

  • Only three, instead of five, messages are exchanged



Authentication Based on a Shared Secret Key (cont’d)

  • The shortened protocol can be defeated by a reflection attack

    1. Trudy → Bob: A, R_T (first session)

    2. Bob → Trudy: R_B, K_AB(R_T) (first session)

    3. Trudy → Bob: A, R_B (second session)

    4. Bob → Trudy: R_B2, K_AB(R_B) (second session)

    5. Trudy → Bob: K_AB(R_B) (first session)
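The reflection attack above, and why the five-message protocol from two slides earlier resists it, as an added simulation that is not from the deck; K_AB(R) is modelled as an HMAC under the shared key rather than encryption, and the key bytes and session ids are constructed.

```python
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed-shared-key-K_AB"  # constructed; real keys are random


def kab(key: bytes, r: bytes) -> bytes:
    """Stand-in for K_AB(R): an HMAC under the shared key instead of encryption."""
    return hmac.new(key, r, hashlib.sha256).digest()


class Bob:
    """Responder; willing to run several sessions at once, which the attack needs."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = {}  # session id -> challenge R_B awaiting an answer

    # Shortened protocol, message 1 -> message 2: (A, R_A) -> (R_B, K_AB(R_A))
    def short_open(self, sid: str, ra: bytes):
        rb = secrets.token_bytes(16)
        self.pending[sid] = rb
        return rb, kab(self.key, ra)

    # Message 3, K_AB(R_B): True means Bob now believes the initiator is Alice
    def finish(self, sid: str, response: bytes) -> bool:
        rb = self.pending.pop(sid)
        return hmac.compare_digest(response, kab(self.key, rb))

    # Five-message protocol, message 1 (A) -> message 2 (R_B); Bob proves nothing yet
    def long_open(self, sid: str) -> bytes:
        rb = secrets.token_bytes(16)
        self.pending[sid] = rb
        return rb

    # Messages 3 and 4 (K_AB(R_B), R_A) -> message 5 (K_AB(R_A)), issued only
    # after the initiator has already proved knowledge of K_AB
    def long_respond(self, sid: str, response: bytes, ra: bytes):
        if not self.finish(sid, response):
            return None
        return kab(self.key, ra)


def honest_alice_short(bob: Bob, key: bytes) -> bool:
    """The three-message run between the real Alice (who holds K_AB) and Bob."""
    ra = secrets.token_bytes(16)
    rb, proof = bob.short_open("alice", ra)
    if not hmac.compare_digest(proof, kab(key, ra)):
        return False  # Bob failed Alice's challenge
    return bob.finish("alice", kab(key, rb))


def reflection_attack(bob: Bob) -> bool:
    """Trudy holds no key. Session 1: (A, R_T) gets her R_B and K_AB(R_T).
    Session 2: she sends (A, R_B) and Bob obligingly computes K_AB(R_B).
    She then finishes session 1 with it. True means Bob was fooled."""
    rt = secrets.token_bytes(16)
    rb, _ = bob.short_open("s1", rt)
    _, kab_rb = bob.short_open("s2", rb)
    return bob.finish("s1", kab_rb)


def reflection_against_long(bob: Bob) -> bool:
    """Same idea against the five-message protocol: a second session only yields
    another challenge, never K_AB(anything), so Trudy has nothing to reflect."""
    rb1 = bob.long_open("s1")
    rb2 = bob.long_open("s2")
    return bob.long_respond("s1", rb2, rb1) is not None
```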



Authentication Using a Key Distribution Center

  • Need a trusted Key Distribution Center (KDC)

  • Wide-mouth frog: simplest KDC authentication protocol

    1. Alice → KDC: A, K_A(B, K_S)

    2. KDC → Bob: K_B(A, K_S)

  • Replay attack

    • an intruder can just replay message 2 (and any following messages) to Bob later, and Bob has no way to tell if it is a second connection from Alice



Authentication Using Public-Key

  • Assume both sides already know each other’s public keys

    • This is not a trivial assumption as explained previously

    1. Alice → Bob: E_B(A, R_A)

    2. Bob → Alice: E_A(R_A, R_B, K_S) (Alice has now verified Bob’s identity)

    3. Alice → Bob: K_S(R_B) (Bob has now verified Alice’s identity)



Digital Signatures

  • What is needed is a system by which one party can send a “signed” message to another party such that

    • The receiver can verify the claimed identity of the sender

    • The sender cannot later repudiate the contents of the message

    • The receiver cannot possibly have concocted the message itself



Secret-Key Signatures

  • Assumes a central authority, say Big Brother (BB), that knows everyone’s secret key

    1. Alice → BB: A, K_A(B, R_A, t, P)

    2. BB → Bob: K_B(A, R_A, t, P, K_BB(A, t, P))

  • Bob has KBB(A, t, P), which is proof that Alice sent message P at time t

  • To guard against replay attacks

    • A message is discarded if its timestamp is too old

    • For a recent message, it is discarded if RA is duplicate



Public-Key Signatures

  • Assumes both D(E(P)) = P and E(D(P)) = P (RSA algorithm has such property)

Figure: on Alice’s computer, P is first transformed with Alice’s private key D_A into D_A(P), then encrypted with Bob’s public key E_B into E_B(D_A(P)) and sent over the transmission line; on Bob’s computer, Bob’s private key D_B recovers D_A(P), and Alice’s public key E_A recovers P.

  • Bob has P and DA(P), which is proof that Alice sent P



Message Digests

  • It is often desirable to send signed plaintext documents because encrypting the complete document may take too much time

  • Message Digest (MD): hash plaintext to a fixed-length bit string such that

    • Given P, it is easy to compute MD(P)

    • Given MD(P), it is effectively impossible to find P

    • No one can generate two messages that have the same message digest

Figure: P → MD(P), an m-bit digest



Message Digests (cont’d)

  • Public-key message digest

    Alice → Bob: P, D_A(MD(P))

  • Most widely used message digest functions

    • MD5

    • SHA (Secure Hash Algorithm)

  • An m-bit MD system may possibly be broken in Θ(2^(m/2)) time (referred to as the birthday attack in the text)
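The birthday bound above, as an added example that is not from the deck: a collision in the first m bits of SHA-256 (standing in for an m-bit digest) turns up after roughly 2^(m/2) trials; m = 24 and the message prefix are constructed toy values.

```python
import hashlib


def truncated_digest(msg: bytes, m: int) -> int:
    """First m bits of SHA-256, standing in for an m-bit message digest MD(P)."""
    full = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return full >> (256 - m)


def birthday_collision(m: int, prefix: bytes = b"constructed-msg-"):
    """Find two distinct messages with the same m-bit digest by remembering
    every digest seen. A collision is expected after about sqrt(2^m) = 2^(m/2)
    trials, far fewer than the 2^m a search for one given digest would need.
    Returns (message_a, message_b, number_of_trials)."""
    seen = {}
    trials = 0
    while True:
        msg = prefix + str(trials).encode()
        trials += 1
        d = truncated_digest(msg, m)
        if d in seen:
            return seen[d], msg, trials
        seen[d] = msg


def expected_trials(m: int) -> int:
    """Order-of-magnitude birthday estimate 2^(m/2) from the slide."""
    return 1 << (m // 2)
```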



Discussions

  • What do you think are the major security threats in the Internet? What are possible measures and strategies to address such threats?

  • What products, policies and processes of your company are worth recommending?

