Loading in 2 Seconds...

EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell

Loading in 2 Seconds...

- By
**tuyen** - Follow User

- 115 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about ' EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell' - tuyen

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

### EE515/IS523 Think Like an AdversaryLecture 3Cryptography in a Nutshell

### Basic Cryptography

Yongdae Kim

Recap

- http://syssec.kaist.ac.kr/courses/ee515
- E-mail policy
- Include [ee515] or [is523] in the subject of your e-mail
- Student Survey
- http://bit.ly/SiK9M3
- News posting
- KLMS http://edu3.kaist.ac.kr/course/view.php?id=14461
- Match making, criticism
- KLMS
- Text only posting, email!

In a Nutshell

- Security by Obscurity is not secure!
- Conservative modeling for adversary
- State-sponsored, Hacktivists, Hacker+Criminals, Researchers ;-)
- Care for the weakest link.
- Plan for unknown attacks.
- Check for environmental changes
- All stages are important
- Attacker modeling, design, implementation, deployment, operation
- Check News!
- Cyber Warfare?

Security & Risk

- We only have finite resources for security…
- If we only have $20K, which should we buy?

Product A

Prevents Attacks: U,W,Y,Z

Cost $10K

Product B

Prevents Attacks: V,X

Cost $20K

Risk

- The risk due to a set of attacks is the expected (or average) cost per unit of time.
- One measure of risk is Annualized Loss

Expectancy, or ALE:

ALE of attack A

Σ

( pA

×

LA )

attack A

Annualized attack

incidence

Cost per attack

Risk Reduction

- A defense mechanism may reduce the risk of a set of attacks by reducing LA or pA. This is the gross risk reduction (GRR):
- The mechanism also has a cost. The net risk reduction (NRR) is GRR – cost.

Σ

(pA

×

LA – p’A×L’A)

attack A

Yongdae Kim

Attacks

Normal Flow

Destination

Source

Interruption: Availability

Interception: Confidentiality

Destination

Destination

Source

Source

Modification: Integrity

Fabrication: Authenticity

Destination

Destination

Source

Source

Taxonomy of Attacks

- Passive attacks
- Eavesdropping
- Traffic analysis
- Active attacks
- Masquerade
- Replay
- Modification of message content
- Denial of service

Big picture

Trusted third party

(e.g. arbiter, distributor

of secret information)

Bob

Alice

Information

Channel

Message

Message

Secret

Information

Secret

Information

Eve

Terminology for Encryption

- A denotes a finite set called the alphabet
- M denotes a set called the message space
- M consists of strings of symbols from an alphabet
- An element of M is called a plaintext
- C denotes a set called the ciphertext space
- C consists of strings of symbols from an alphabet
- An element of C is called a ciphertext
- K denotes a set called the key space
- An element of K is called a key
- Ee is an encryption function where e K
- Dd called a decryption function where d K

Encryption

- Why do we use key?
- Or why not use just a shared encryption function?

Adversary

Encryption

Ee(m) = c

Decryption

Dd(c) = m

c

insecure channel

m

m

Plaintext source

destination

Alice

Bob

SKE with Secure channel

Adversary

d Secure channel

Key source

e

Encryption

Ee(m) = c

Decryption

Dd(c) = m

c

Insecure channel

m

m

Plaintext source

destination

Alice

Bob

PKE with insecure channel

Passive

Adversary

e Insecure channel

Key source

d

Encryption

Ee(m) = c

Decryption

Dd(c) = m

c

Insecure channel

m

m

Plaintext source

destination

Alice

Bob

Digital Signatures

- Primitive in authentication and non-repudiation
- Signature
- Process of transforming the message and some secret information into a tag
- Nomenclature
- M is set of messages
- S is set of signatures
- SA: M ! S for A, kept private
- VA is verification transformation from M to S for A, publicly known

Key Establishment, Management

- Key establishment
- Process to whereby a shared secret key becomes available to two or more parties
- Subdivided into key agreement and key transport.
- Key management
- The set of processes and mechanisms which support key establishment
- The maintenance of ongoing keying relationships between parties

Symmetric key Encryption

- Symmetric key encryption
- if for each (e,d) it is easy computationally easy to compute e knowing d and d knowing e
- Usually e = d
- Block cipher
- breaks up the plaintext messages to be transmitted into blocks of a fixed length, and encrypts one block at a time
- Stream cipher
- encrypt individual characters of plaintext message one at a time, using encryption transformation which varies with time

Hash function and MAC

- A hash function is a function h
- compression
- ease of computation
- Properties
- one-way: for a given y, find x’ such that h(x’) = y
- collision resistance: find x and x’ such that h(x) = h(x’)
- Examples: SHA-1, MD-5
- MAC (message authentication codes)
- both authentication and integrity
- MAC is a family of functions hk
- ease of computation (if k is known !!)
- compression, x is of arbitrary length, hk(x) has fixed length
- computation resistance
- Example: HMAC

Applications of Hash Function

- File integrity
- Digital signature

Sign = SSK(h(m))

- Password verification

stored hash = h(password)

- File identifier
- Hash table
- Generating random numbers

Hash function and MAC

- A hash function is a function h
- compression
- ease of computation
- Properties
- one-way: for a given y, find x’ such that h(x’) = y
- collision resistance: find x and x’ such that h(x) = h(x’)
- Examples: SHA-1, MD-5
- MAC (message authentication codes)
- both authentication and integrity
- MAC is a family of functions hk
- ease of computation (if k is known !!)
- compression, x is of arbitrary length, hk(x) has fixed length
- computation resistance
- Example: HMAC

MAC construction from Hash

- Prefix
- M=h(k||x)
- appending y and deducing h(k||x||y) form h(k||x) without knowing k
- Suffix
- M=h(x||k)
- possible a birthday attack, an adversary that can choose x can construct x’ for which h(x)=h(x’) in O(2n/2)
- STATE OF THE ART: HMAC (RFC 2104)
- HMAC(x)=h(k||p1||h(k|| p2||x)), p1 and p2 are padding
- The outer hash operates on an input of two blocks
- Provably secure

How to use MAC?

- A & B share a secret key k
- A sends the message x and the MAC M←Hk(x)
- B receives x and M from A
- B computes Hk(x) with received M
- B checks if M=Hk(x)

PKE with insecure channel

Passive

Adversary

e Insecure channel

Key source

d

Encryption

Ee(m) = c

Decryption

Dd(c) = m

c

Insecure channel

m

m

Plaintext source

destination

Alice

Bob

Digital Signature

- Integrity
- Authentication
- Non-repudiation

I did not have intimate relations with that woman,…, Ms. Lewinsky

WJ Clinton

Digital Signature with Appendix

- Schemes with appendix
- Requires the message as input to verification algorithm
- Rely on cryptographic hash functions rather than customized redundancy functions
- DSA, ElGamal, Schnorr etc.

Authentication

- How to prove your identity?
- Prove that you know a secret information
- When key K is shared between A and Server
- A S: HMACK(M) where M can provide freshness
- Why freshness?
- Digital signature?
- A S: SigSK(M) where M can provide freshness
- Comparison?

Encryption and Authentication

- EK(M)
- Redundancy-then-Encrypt: EK(M, R(M))
- Hash-then-Encrypt: EK(M, h(M))
- Hash and Encrypt: EK(M), h(M)
- MAC and Encrypt: Eh1(K)(M), HMACh2(K)(M)
- MAC-then-Encrypt: Eh1(K)(M, HMACh2(K)(M))

Challenge-response authentication

- Alice is identified by a secret she possesses
- Bob needs to know that Alice does indeed possess this secret
- Alice provides responseto a time-variant challenge
- Response depends on both secret and challenge
- Using
- Symmetric encryption
- One way functions

Challenge Response using SKE

- Alice and Bob share a key K
- Taxonomy
- Unidirectional authentication using timestamps
- Unidirectional authentication using random numbers
- Mutual authentication using random numbers
- Unilateral authentication using timestamps
- Alice Bob: EK(tA, B)
- Bob decrypts and verified that timestamp is OK
- Parameter Bprevents replay of same message in B A direction

Challenge Response using SKE

- Unilateral authentication using random numbers
- Bob Alice: rb
- Alice Bob: EK(rb, B)
- Bob checks to see if rb is the one it sent out
- Also checks “B” - prevents reflection attack
- rb must be non-repeating
- Mutual authentication using random numbers
- Bob Alice: rb
- Alice Bob: EK(ra, rb, B)
- Bob Alice: EK(ra, rb)
- Alice checks that ra, rb are the ones used earlier

Challenge-response using OWF

- Instead of encryption, used keyed MAC hK
- Check: compute MAC from known quantities, and check with message
- SKID3
- Bob Alice: rb
- Alice Bob: ra, hK(ra, rb, B)
- Bob Alice: hK(ra, rb, A)

Key Establishment, Management

- Key establishment
- Process to whereby a shared secret key becomes available to two or more parties
- Subdivided into key agreement and key transport.
- Key management
- The set of processes and mechanisms which support key establishment
- The maintenance of ongoing keying relationships between parties

Download Presentation

Connecting to Server..