1 / 60

Computer Security Set of slides 5

Computer Security Set of slides 5. Dr Alexei Vernitski. Man-in-the-middle attack. Alice. Bob. Alice and Bob work in the same company. They want to use the RSA cipher to communicate privately. Man-in-the-middle attack. Alice. Bob. Bob sends to Alice his public key by e-mail.

lark
Download Presentation

Computer Security Set of slides 5

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Computer SecuritySet of slides 5 Dr Alexei Vernitski

  2. Man-in-the-middle attack Alice Bob Alice and Bob work in the same company. They want to use the RSA cipher to communicate privately

  3. Man-in-the-middle attack Alice Bob Bob sends to Alice his public key by e-mail

  4. Man-in-the-middle attack Alice Bob Alice encrypts her message using the key that she has received from Bob and sends an encrypted message to Bob by e-mail

  5. Man-in-the-middle attack Eve Alice Bob But after that, the system administrator Eve will be able to decrypt Alice’s message. How did Eve break the cipher?

  6. Man-in-the-middle attack Alice Bob Bob sends to Alice his public key by e-mail, and he thinks that she has received this key. Alice thinks that she receives a message from Bob. But in reality…

  7. Man-in-the-middle attack Eve Alice Bob Eve intercepts Bob’s message with his public key and replaces Bob’s public key by Eve’s public key.

  8. Man-in-the-middle attack Eve Alice Bob Alice thinks that she sends a message encrypted with Bob’s public key, but this is Eve’s public key. Therefore, Eve can read this message

  9. Man-in-the-middle attack Eve Alice Bob Guess what else Eve should do if she wants to continue reading Alice’s secret messages to Bob?

  10. Man-in-the-middle attack Eve Alice Bob Eve should decrypt Alice’s message using Eve’s key, encrypt it using Bob’s key and forward it to Bob

  11. Man-in-the-middle attack The “man-in-the-middle” attack (or “the Mig-in-the-middle” attack, or password spoofing) can also be used in user authentication Valid user Attacker Authenticator

  12. Message authentication • Suppose I am sending a message to a remote correspondent. • How can I prove that this message comes from me? • Public key cryptography can be applied

  13. Public-key cryptography (as used for encryption) Public key Encrypted text Plaintext Private key

  14. Public-key cryptography (as used for message authentication) Public key message signature Private key

  15. Message authentication • Alice publishes her public key (remember about the man-in-the-middle attack!) • Alice sends a message to Bob • Alice applies her private key to the message and sends the result (the signature) to Bob • Bob applies Alice’s public key to the signature and sees that it coincides with the message • Because only Alice knows her private key, only she could have generated the signature.

  16. PGP • Pretty Good Privacy (PGP) is a computer program that provides cryptographic privacy and authentication. • It includes public-key ciphers • Also, it includes a possibility to create signatures (hashes, digests)

  17. Many names of checksums Depending on the applications and on the algorithms used, names differ: • cryptographic checksums, • hash functions, • electronic digests, • commitment protocols, • data integrity assurance, • one-way functions.

  18. Checksum-calculating algorithm Data100000… bits Checksum up to 100 bits

  19. Integrity • Checksums are used to check the integrity of the data, that is, that the data have not been changed (by accident or by an intruder).

  20. Protection against noise Suppose we are sending data to a remote computer noise Data Data? Checksum Checksum

  21. Error detection • People studying codes would say that the data with their checksum is an error-detecting code for the data.

  22. Example: parity bit in ASCII(why there are 8 bits in a byte?) This bitis a XORof all others These 7 bits encode a character

  23. Protection against an intruder On Friday, we calculate the checksum of our data and store it separately from the data Checksumalgorithm Data Checksum

  24. Protection against an intruder On Sunday, an intruder changes the data Checksumalgorithm Changed data Checksum

  25. Protection against an intruder On Monday, we calculate the checksum of the data and, thanks to this, notice that the data has been tampered with Checksumalgorithm Changed data Checksumis different

  26. Simple checksums • The sum of all bytes of the data is a checksum.In fact, this is the original checksum (hence comes the word checksum). • The size of the data is a checksum(For example, computer viruses often change the size of infected files)

  27. A cryptographic checksum • We do not want the checksum to reveal any useful information about the original data • On the contrary, we want the checksum to reveal as little as possible about the original data • In particular, when the data is changed, we do not want the checksum to reveal any details of what has changed

  28. Example: an application of cryptographic checksums • “The star of Saturn is not a single star, but is a composite of three, which almost touch each other” Galileo

  29. An application of cryptographic checksums • Galileo planned to publish this new discovery in his next book • But in the meantime, how could he preserve his priority? • He has published an anagram: smaismrmilmepoetaleumibunenugttauiras

  30. An application of cryptographic checksums • Galileo has published an anagram: smaismrmilmepoetaleumibunenugttauiras • Later, he has published the original message: Altissimum planetam tergeminum observavi • Everyone could check that the first published message is an anagram of the second.

  31. An application of cryptographic checksums • In the meantime, Kepler had spent much time trying to guess the original message, because he was sure it would be something like “I have discovered two moons of Mars”. • In fact, they have been discovered only 250 years later.

  32. A cryptographic checksum Easy direction Altissimum planetam… smaismrm… Difficult direction

  33. Checksums • Studying checksums is an important part of computer science. • As we have seen, it has applications in data transmission and computer security. • Especially, we are interested in cryptographic (that is, ‘one-way’) checksums.

  34. Cryptographic checksums Easy message checksum Hard

  35. Cryptographic checksums • With cryptographic checksums, it is difficult for the attacker to guess what message corresponds to a given checksum • With cryptographic checksums, it is more difficult for the attacker to experiment and counterfeit a message

  36. MD5 • MD5 is the most frequently used cryptographic checksum • For any given file, the algorithm MD5 calculates the file’s 128-bit checksum. • The type of calculations involved in calculating the checksum are more or less of the same nature as in DES. • So-called ‘sponge construction’ is used

  37. MD5 weaknesses • The most popular algorithm for computing checksums is MD5. • New successful attacks against it have been reported in the last two years. • They are versions of the so-called ‘birthday attack’ • What new cryptographic checksum algorithms can one use instead of MD5?

  38. Birthday attack: a simple example • Suppose I want to write a message “I shall come” and confirm this with checksum • At the same time, I want to be able to claim that what I have said was “I shall not come”, with the same checksum

  39. Write many versions of ‘yes’: I shall come I shall come soon Arriving any minute Get your computer to help you with more versions… Write many versions of ‘no’: I shall not come I shall never come Don’t wait for me Get your computer to help you with more versions… Birthday attack: a simple example

  40. Birthday attack The checksum space ‘no’ ‘yes’

  41. User authentication • Suppose a user logs into a client computer, and his/her password is stored on the server • How can we compare securely the password entered by the user and the stored password? • How can we protect the user from someone who steals his/her password from the server?

  42. User authentication • The password must not be sent from the client computer to the server • The password must not be sent from the server to the client computer • The password should not be stored on the server

  43. User authentication • Secure solution: we store cryptographic checksums of user passwords on the server • The client computer calculates the checksum of the password entered by the user, and sends it to the server (or vice versa)

  44. server Login and a checksum of the password client Login and password The attacker will not obtain the password by analysing the traffic

  45. Birthday attack The server stores checksums of all users’ passwords 3. Comparethem with the checksums on the server 1. Generatemany random passwords The checksum of one of the artificial passwords might coincide with the checksum of one of the real passwords 2. Generate theirchecksums

  46. Birthday attack The checksum space Artificial passwords Real passwords

  47. Login and a checksum of the password, which corresponds to that of a real password server Login and a wrong password client The attacker does not know the real password, but can use the artificial password to log in as a valid user

  48. Rainbow attack (against passwords stored as hashes)

  49. Passwords stored as hashes password Hash algorithm (a complicated function) hash

  50. A simplified model: the format of hash is the same as the format of password Password (for example, 8 letters) Hash algorithm Hash(for example, 8 letters)

More Related