Outline

Outline • PART 1: • Encryption • DES • AES • RPC SEC Using GSS API • Instructor Request • PART 2: • Public Key Infrastructure • Digital Signature • Secure Sockets Layer

Data Encryption Standard (DES)

DES • Developed in the early 1970’s • NSA involved in design • Based on IBM’s Lucifer Feistel Cipher • Selected in 1976 as an official Federal Information Processing Standard for the US • 64 bit blocks • 56 bit key • 16 rounds

Block Cipher • Plaintext encrypted in blocks • Encryption consists of multiple rounds • Each round uses output of previous round as input • Key is used in all round

Feistel Cipher • Type of Block Cipher Left half Right half Key function New L-half New R-half

DES Overview • 64 bit block of input • 64 bit key • Only 56 bits are used • Every 8th bit ignored • 56 bit key is manipulated to obtain 16 different 48 bit ‘stage keys’ • Stage keys are used during each round of encryption

DES Stage Key Generation • The 64 bit stage key is permutated • Only 56 bits are used

DES Stage Key Continued • Example 64 bit KEY = CSE-8343 • 01000011 01010011 01000101 00101101 00111000 00110011 00110100 00110011 • Permutated 56 bit Key • 0000000 0000001 1111111 0001111 1010001 1010011 0000011 0000010

DES Stage Key Continued • Split the permutated key into halves • 0000000 0000001 1111111 0001111 • 1010001 1010011 0000011 0000010 • For each round (1-16), perform the following left shifts on both halves:

DES Rounds 1 and 2 Key Example • Round 1 • 0000000000001111111100011110 • 0100011010011000001100000101 • Round 2 • 0000000000011111111000111100 • 1000110100110000011000001010 • 16 Rounds are required • Only Rounds 1 and 2 are shown here • Convert each round’s 56 bit key to a permutated 48 bit key using the following permutation table:

Initial Permutation of Message • Message broken into 64 bit blocks I hope we get an A! 0100100100100000011010000110111101110000011001010010000001110111 • Permutated Message: 1011110110010000101010001010100100000000111111100000110110001000

Left and Right Half of Message • Permutated message broken into L and R L = 10111101100100001010100010101001 R = 00000000111111100000110110001000 • Right half of message fed into F function. • Expands R (32 bits expanded to 48 bits) • XOR round key (48 bits) with Expanded R • Run result through the S-BOX step • Permutate the S-BOX result • Result become next round’s Left half • Output of F Function XOR with Left half of message • Output of XOR becomes next round’s Right Half

Expand Function • Expand 32 bits to 48 bits using the following box

Substitution Box • After Expand Function and XOR with Key we have 48 bits. • Divide 48 bits into 8 sets of 6 bits. • xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx • Each set of 6 bits is used to lookup new value in Substitution box. Result is new 32 bits. • Example, 100110 gets converted to 1110 (Decimal 14) • 100110 = Row 2 • 100100 = Column 2

Permutate Result • Permutate the 32 bit result of the Substitution Box

DES Continued • Repeat the steps for all 16 rounds. • Each rounds uses new round key. • After 16th step completes, permutate the final result.

DES Summary • Decryption of a DES cipher is the same steps, in reverse • DES relies on Substitution Box for security • NO BACK DOOR REVEALED AFTER 40 YEARS • Only way to attack DES is by brute force • ONE to ONE mapping of Plaintext to Ciphertext • On average, a brute force of DES will take: • 2^(55) = 36,028,797,018,963,968 attempts • 3DES created to increase brute force complexity • Uses back to back to back DES encryption • 168 bit key is used (56 bits per encryption)

Advanced Encryption Standard (AES)

AES Introduction • 3DES is slow, requires 3x the work as DES • 3DES only uses 64 bit blocks • The National Institute of Standards and Technology requested new algorithm • Must be better or at least equal security of 3DES • Must be more efficient than 3DES • Must accept variable key lengths • Rijndael algorithm selected as new AES

AES Specifics • Block Cipher • 128 bit blocks are used • NOT a Feistel structure • Uses keys of 128, 192 or 256 bit • 128 bit key uses 10 rounds per 128 bit block • 192 bit key uses 12 rounds per 128 bit block • 256 bit key uses 14 rounds per 128 bit block

128 bit AES Overview Plaintext • Key Expansion Algorithm: • Takes 128 bit (16 byte) key • Produces 44 words (32 bit each) • round 0 : • Add Round Key. • rounds 1-9 : • S-Box; Shift Rows; Mix Columns; Add Round Key. • round 10 : • S-Box; Shift Rows; Add Round Key. w[0,3] Add round key Substitute Bytes Expand Key Round 1 Shift Rows Mix Columns w[4,7] Add round key . . . Substitute Bytes Round 9 Shift Rows Mix Columns w[36,39] Add Round Key Round 10 Substitute Bytes Shift Rows w[40,43] Add Round Key Ciphertext

AES Key Expansion Continued KeyExpansion(byte key[16], word w[44]) { word temp; for (i = 0; i < 4; i++) w[i] = (key[4*i], key[4*i+1], key[4*i+3], key[4*i+3]); for(i = 4; i < 44; i++) } temp = w[i-1]; if ( i mod 4 = 0 ) temp = SubWord(RotWord(temp)) XOR Rcon[i/4]; w[i] = w[i-4] XOR temp; } }

AES Key Expansion Continued • RotWordperforms a one byte circular left shift on a word. For example: RotWord[b0,b1,b2,b3] = [b1,b2,b3,b0] • SubWordperforms a byte substitution on each byte of input word using an S-box. • SubWord(RotWord(temp)) is XORed with Rcon[j] – the round constant.

AES Key Expansion Continued • Round Constant is different for each round (j) • Rcon[j] = (RC[j],0,0,0) • where RC[1] = 1, RC[j] = 2 * RC[j-1]

AES Substitute Bytes Plaintext • For each 8 bit byte: • C= Inverse of byte • Output S = (MC) XOR B • M is S box matrix • B is implementation dependent, usually decimal 99 (1100011) w[0,3] Add round key Substitute Bytes Expand Key Round 1 Shift Rows Mix Columns w[4,7] Add round key . . . Substitute Bytes Round 9 Shift Rows Mix Columns w[36,39] Add Round Key Round 10 Substitute Bytes Shift Rows w[40,43] Add Round Key Ciphertext

AES Shift Rows Plaintext • For each 8 byte column in a 4x4 byte matrix, substitute cells as below: w[0,3] Add round key Substitute Bytes Expand Key Round 1 Shift Rows Mix Columns w[4,7] Add round key . . . Substitute Bytes Round 9 Shift Rows Mix Columns w[36,39] Add Round Key Round 10 Substitute Bytes Shift Rows w[40,43] Add Round Key Ciphertext

AES Mix Columns Plaintext • For each 4 byte column C of each 4x4 byte matrix: w[0,3] Add round key Substitute Bytes Expand Key Round 1 Shift Rows Mix Columns w[4,7] Add round key . . . Substitute Bytes Round 9 Shift Rows Mix Columns w[36,39] Add Round Key Round 10 Substitute Bytes Shift Rows w[40,43] Add Round Key Ciphertext

AES Add Round Key Plaintext • For resulting 128 bit output, XOR with 128 bit round key word w[x, x+3] w[0,3] Add round key Substitute Bytes Expand Key Round 1 Shift Rows Mix Columns w[4,7] Add round key . . . Substitute Bytes Round 9 Shift Rows Mix Columns w[36,39] Add Round Key Round 10 Substitute Bytes Shift Rows w[40,43] Add Round Key Ciphertext

AES Summary • Decryption is not identical to encryption • See structure to the right • AES is fast and secure • Brute force of AES 128 bit would take on average 2^(127) = 170,141,183,460,469,000,000,000,000,000,000,000,000 attempts! • Would require 30 gigawatts of power for one year. • 256 bit AES would take a device that could check a billion billion2^(18) AES keys per second about 3x10^(51) years!! w[0,3] Round 10 Add round key Expand Key Inverse sub bytes Inverse shift rows Inverse mix cols Round 9 w[4,7] Add round key Inverse sub bytes Inverse shift rows . . . Inverse mix cols Round 1 w[36,39] Add round key Inverse sub bytes Inverse shift rows w[40,43] Add round key Ciphertext

RPCSEC GSS API

Remote Procedure Calls • Used by a client to execute a procedure on a server. • Example – Remote File Systems, inter / intra process communication.

Remote Procedure Calls Request Response Source: Diagram from Pei - CS244B-DFS-1.ppt

GSS API • Generic Security Services Application Program Interface • Programming interface for C and Java • Used by NSF Version 4 to provide confidentiality and integrity • Does not provide security • Provides an interface to security implementations • Based around the idea of tokens, usually using Kerberos • Used by Client / Server type of applications

GSS API • GSS API defines ~ 50 procedures • GSS_Acquire_cred- obtains the user's identity proof, often a secret cryptographic key • GSS_Import_name- converts a username or hostname into a form that identifies a security entity • GSS_Init_sec_context- generates a client token to send to the server, usually a challenge • GSS_Accept_sec_context- processes a token from GSS_Init_sec_context and can generate a response token to return • GSS_Seal- cryptographically signs and optionally encrypts the specified input_message • GSS_Unseal- converts a previously sealed message back to a usable form, verifying the embedded signature • GSS_Sign- generates a cryptographic signature and places the signature in a token for transfer to the peer application.

Function Definintions // Allows an application to acquire a handle for a pre-existing // credential by name. OM_uint32 gss_acquire_cred ( OM_uint32 * minor_status, gss_name_t desired_name, // Name of principle whose credentials should be aquired OM_uint32 time_req, // Number of seconds credentials should remain valid gss_OID_set desired_mechs, // Set of secuirty mechanisms to use, or GSS_C_NULL_OID_SET int cred_usage, // Option enum specifying when to use credentials gss_cred_id_t * output_cred_handle, // The returned credential handle gss_OID_set * actual_mechs, // The security mechanisms that the credential is valid for OM_int32 * time_rec) // Number of seconds credential will be valid for // Converts a printable name to internal form. OM_uint32 gss_import_name ( OM_uint32 * minor_status, // Mechanism specific status code gss_buffer_t input_name_buffer, // Buffer containing printable name to convert gss_OID input_name_type, // Object Id specifying type of printable name. gss_name_t * output_name) // returned name in internal form

Function Definintions // generates a client token to send to the server OM_uint32 gss_init_sec_context ( OM_uint32 * minor_status, gss_cred_id_t claimant_cred_handle, // handle for credentials claimed gss_ctx_id_t * context_handle, // context handle for new context gss_name_t target_name, // Name of target gss_OID mech_type, // Object ID of desired security mechanism int req_flags, // Four flags used to control credential handling int time_req, // Number of seconds for context to remain valid gss_channel_bindings_t input_chan_bindings, // Allows application to securely bind channel gss_buffer_t input_token // Token received from peer application gss_OID * actual_mech_type, // actual mechanism used gss_buffer_t output_token, // token to be sent to peer application int * ret_flags, // contains six independent flags descirbing credential options used OM_uint32 * time_rec ) // number of seconds for which the context will remain valid

Function Definintions // Allows a remotely initiated security context between the application // and a remote peer to be established. OM_uint32 gss_accept_sec_context ( OM_uint32 * minor_status, // gss_ctx_id_t * context_handle, // context handle for new context gss_cred_id_t verifier_cred_handle, // credential handle claimed by context gss_buffer_t input_token_buffer // token obtained from remote application gss_channel_bindings_t input_chan_bindings, // allows application to securely bind channel gss_name_t * src_name, // authenticated name of context initiator gss_OID * mech_type, // security mechanism used gss_buffer_t output_token, // token to be passed to peer application int * ret_flags, // contains six independent flags descirbing credential options used OM_uint32 * time_rec, // number of seconds for which the context remains valid gss_cred_id_t * delegated_cred_handle) // credential handle for credentials received from context initiator

Function Definintions // cryptographically signs and optionally encrypts the specified input_message OM_uint32 gss_seal ( OM_uint32 * minor_status, // implementation specific status code gss_ctx_id_t context_handle, // identifies the context on which the message will be sent int conf_req_flag, // flag indicating confidentiality and integrity protection requested int qop_req // specifies required quality of protection gss_buffer_t input_message_buffer, // message to be sealed int * conf_state, // confidentiality indicator flag gss_buffer_t output_message_buffer) // buffer to receive sealed message // converts a previously sealed message back to a usable form, verifying the embedded signature OM_uint32 gss_unseal ( OM_uint32 * minor_status, // implementation specific status code gss_ctx_id_t context_handle, // identifies the context on which the message arrived gss_buffer_t input_message_buffer, // sealed message gss_buffer_t output_message_buffer, // buffer to receive unsealed message int * conf_state, // flag indicating confidentiality and / or integrity protection int * qop_state) // quality of protection gained from signature

Function Definintions // generates a cryptographic signature and places the signature in a token for transfer to the peer application. OM_uint32 gss_sign ( OM_uint32 * minor_status, // implementation specific status code gss_ctx_id_t context_handle, // identifies the context on which the message will be sent int qop_req, // specifies requested quality of protection gss_buffer_t message_buffer, // message to be signed gss_buffer_t msg_token) // buffer to receive token

RPC Security Kerberos Kerberos GSS API GSS API GSS_Acquire_cred GSS_Import_name GSS_Acquire_cred GSS_Import_name (Client) (Server)

RPC Security Kerberos Kerberos GSS API GSS API GSS_Init_sec_context GSS_Accept_sec_context challenge (Server) response (Client)

RPC Security Kerberos Kerberos GSS API GSS API GSS_Seal GSS_Unseal RPC (mount) (Server) response (Client)

Security (Part 2)

PKI • RFC 2822 (Internet Security Glossary) defines PKI as the set of hardware, software, people, policies and procedures needed to create, manage, store, distribute, and revoke digital certificates based on asymmetric cryptography. • Principal objective of PKI is to enable secure, convenient, and efficient acquisition of public keys. • IETF Public Key Infrastructure X.509 (PKIX) working group has set up a model based on PKIX that is suitable for deploying a certificate-based architecture on the Internet.

Elements of PKIX model • End entity - Subject field of public key certificate that denotes end users, devices, servers, routers etc • Certification Authority (CA)- Issuer of certificates and Certificate Revocation Lists (CRL) • Registration Authority (RA)- Optional component that performs administrative functions such as end entity registration. CA could also do this. • CRL Issuer- Optional component that CA can delegate to publish CRL • Repository-Method and storage of certificates and CRL so that they can be retrieved by end entity.

Asymmetric Encryption • Asymmetric encryption is a form of cryptosystem in which encryption and decryption are performed using different keys : • Public Key • Private key • Asymmetric encryption transforms plaintext into ciphertext using one of the two keys and an encryption algorithm. Using the paired key and a decryption algorithm, plaintext is recovered from ciphertext

PKI Continued • Most widely used Public-key cryptosystem is RSA. Difficulty of attacking RSA is based on difficulty of finding prime factors of a composite number. RSA is computationally complex as well. • Symmetric cryptosystems use the same key for encryption and decryption. The key is called secret key or shared secret key used by sender and receiver. • Most widely used symmetric cryptographic algorithm is Data Encryption Standard(DES)

Comparison

Secure Channel • Message Authentication is achieved when both sender and receiver are able to authenticate each other • Message Integrity means that message is protected against surreptitious modification • Message Confidentiality means that message cannot be intercepted and read by eavesdroppers. It is established by encrypting the message • Non-repudiation: Prevents sender/receiver from denying a legitimate transmission that occured • Availability: Communication channel to be available. Protect against Denial of Service attack • All of the above are to work together in a secure channel of communication

Uses of Public-key Cryptosystems Digital Signature • Sender signs a message with its private key. Signing achieved by cryptographic algorithm applied to message or to a small block of data that is a function of the message Key Exchange • Sender and Receiver co-operate to exchange a Session Key. Different approaches possible involving private keys of both parties Encryption and Decryption • Sender encrypts the message with receiver’s public key.

Outline

Outline

Presentation Transcript

Outline

Outline

Outline

Outline

Outline

Outline

Outline

outline

outline

OUTLINE

Outline

Outline

Outline

Outline

Outline

Outline

Outline

Outline

Outline:

Outline

Outline

OUTLINE: