“He, who wants to defend everything, defends nothing.” --- Frederick, the Great
Security planning (contd.) Components of security planning: • Step 1: assessing the threat • Step 2: writing a security policy: a statement of what is allowed and what is not allowed; assigning security responsibilities • Step 3: choosing • the mechanism, • tools and • methodologies to implement the policy
Focus of a Plan (Reference: Thomas Calabrese, “Information Security Intelligence,” Thomson Delmar Learning, 2004, pp 4) • Scope: restricting the scope as much as possible: • reduce size of target: • disable unneeded services • Prioritization and continuous vigilance by monitoring and analysis • Access Control: limit access of attacker to target systems • Multi-layer security: security in depth • hardening the OS and applications • Use technologies which cannot be hacked easily
Names of Security Technologies • Confidentiality: encrypting sensitive data • Integrity (no tampering of data): Hashing, Digital Signatures • Authentication* (not an impostor): Digital certificates • Non-repudiation: Trusted Digital 3rd party signatures The basis of the above technologies: CRYPTOGRAPHY.
Authentication “Privacy is the best-known benefit of cryptography; …Cryptography also provides authenticity, which enables communicators to be sure of the identities of the people with whom they are communicating. In a business transaction, authentication verifies that the person acting in one instance is the same person who acted in another -- that the person who is writing a check, for example, is the same person who opened the account and put the money in it.” -Whitfield Diffie and Susan Landau, “Privacy on the Line: The Politics of Wiretapping and Encryption”, MIT Press, May 2007
“Using encryption on the Internet is the equivalent of using an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench.” --- Professor Eugene Spafford, Purdue University
CRYPTOGRAPHY • Cryptography (from two words in Greek): means secret writing. • CRYPTOGRAPHY: used to process data (cleartext) into unintelligible form (ciphertext), • reversibly/irreversibly • without data loss • usually one-to-one in size / compression • Encryption vs Decryption • Cryptanalysis: obtaining cleartext from ciphertext through breaking of a cryptographic code
Cryptography Services, provided by cryptographic tools: • Encryption or Enciphering [Diagram: Plaintext and Key enter the Encryption Algorithm, which outputs Ciphertext]
Decryption • Decryption or Deciphering [Diagram: Ciphertext and Key enter the Decryption Algorithm, which outputs Plaintext]
Why encrypt? • A few valid reasons for (reversibly) encrypting data are: • To prevent casual browsers from viewing sensitive data files • To prevent accidental disclosure of sensitive data • To prevent privileged users (e.g., system administrators) from viewing private data files • To complicate matters for intruders who attempt to search through a system's files
Kerckhoffs’s principle The security of an encryption scheme should depend upon only the secrecy of the key, and NOT on the secrecy of the algorithm.
Classification • Two types of Encryption Algorithms • Reversible • Irreversible • Two types of Keys • Symmetric • Asymmetric
Types of Cryptographic Algorithms: Reversible with Symmetric key: • Secret Key • Example: DES, AES (Rijndael) Reversible with Asymmetric key: • Public Key • Example: RSA Irreversible without any key: • Message Digest (Hash or cryptographic checksum) Example : SHA 256 Irreversible with a symmetric key: • Message Authentication Codes
Reversible Encryption • can be used only when the same type of encryption software/equipment is available at both the ends [Diagram: cleartext -> Encryption Device (encryption key) -> ciphertext -> Decryption Device (decryption key) -> cleartext]
Cryptanalysis continued Cryptanalysis : It tries to locate the structures and patterns of the plaintext in the ciphertext. None of the cryptological methods can completely eliminate the patterns and structures of the plaintext in the ciphertext. Polyalphabetic cipher where the substitution differs from character to character in response to a key, which is • as long as the message, and which is, • truly random can eliminate such patterns. But the key?
CRYPTANALYSIS: Consider the case of Reversible Symmetric Key encryption.
Cryptanalysis Methods: Finding the Key Assumption: The hacker always knows the ciphertext and the encryption algorithm. The more information available to a hacker, the easier the analysis for finding the key. TYPES OF ATTACKS: The type depends on the amount of INFORMATION available to a hacker: 1. Ciphertext only (analysis for key: most difficult) 2. Known plaintext-ciphertext pairs 3. Chosen plaintext-ciphertext pairs 4. Chosen ciphertext-plaintext pairs 5. Chosen text (both 3 and 4) (analysis for key: easiest)
Two Definitions • UNCONDITIONALLY SECURE: An encryption algorithm for which no amount of ciphertext can make it possible for one to determine uniquely the corresponding plaintext. There is no such algorithm available. • COMPUTATIONALLY SECURE: An encryption algorithm is said to be computationally secure if • The cost of breaking the cipher is more than the intrinsic value of the information, or, • the time required to break the cipher is more than the time over which the information is required to be confidential.
Exhaustive Key Search
Key Size | No. of possible keys | Average time at 1 decryption per microsecond
32 | 2^32 = 4.3 x 10^9 | 2^31 = 35.8 m
56 | 2^56 = 7.2 x 10^16 | 1142 y
128 | 2^128 = 3.4 x 10^38 | 5.4 x 10^24 y
26P | 26! = 4 x 10^26 | 4 x 10^26 = 6.4 x 10^12 y
Large numbers and computational security -- as worked out by Dr Lawrie Brown • It can be shown from energy consumption considerations that the maximum number of possible elementary operations in 1000 years is about: 3 x 10^48. • Similarly if 10 atoms are needed to store a bit of information, the greatest possible number of bits storable in a volume of say the moon is: 10^45. • If deciphering a cipher requires more operations than 3 x 10^48, or needs more storage than 10^45, it is pretty reasonable to say it is computationally secure. Reference: Notes of Dr Lawrie Brown, Australian Defence Force Academy available at http://www.williamstallings.com/Crypto3e.html
Some Large Numbers • DES* 56 bits: 7.2 x 10^16 keys • Time to next ice age 14,000 yrs • Age of planet 10^9 yrs • Age of universe 10^10 yrs • Time until sun goes nova 10^14 yrs • Number of atoms in universe 10^77 *DES is a symmetric key standard for encryption. Ref (for cryptography): Professor Schulzrinne, Columbia Univ
Exhaustive Key Search (continued) • A calculation in 1995 showed that: • 56-bit key broken in 1 week with 120,000 processors ($6.7M); • 56-bit key broken in 1 month with 28,000 processors ($1.6M); • 64-bit key broken in 1 week with 3.1 x 10^7 processors ($1.7B); • 128-bit key broken in 1 week with 5.6 x 10^26 processors
Brute Force Cryptanalysis • 1999: 56-bit key broken in 22.5 h with 1,800 chips ($250,000) (245 x 10^9 keys/s, or 4.08 microsecond for one key -- see eff.org); helped by distributed.net • 1998: 56-bit key broken, on dedicated h/w, in a few days • 1997: 56-bit key broken, by using a large number of machines in parallel on the Internet, in a few months
Birthday paradox • A result from probability theory: Consider an element that has an equal probability of assuming any one of N values. The probability of a collision is more than 50% after choosing 1.2√N values. [Diagram: random input -> Function -> one of k equally likely values] The same output can be expected after 1.2 k^(1/2) inputs. Thus in a group of 23, two or more persons are likely to share the same birthday. (Put k = 365) Birthday attacks are used to find collisions of hash functions.
Birthday Bound • A 64-bit key has 2^64 = 18 x 10^18 different key values. • A key is selected at random. • So after seeing 1.2 x 2^32 = 5.16 x 10^9 transactions, a hacker can expect the same key to be used. • For an n-bit case, 2^(n/2) is called the Birthday Bound
Example of a Birthday Attack: Replacing part of the message attack Assume • A 64-bit key • The first statement in a message is always the same. A hacker • listens to and stores all encrypted messages. • When the FIRST encrypted sentence turns out to be the same, he replaces the rest of the new message by the old message that he has in his memory. By the Birthday Paradox, this is likely to happen after 2^32 transactions.
Example of a “Meet in the Middle” attack • Generate 2^32 keys. • Store encrypted messages of the first sentence. • Compare the first sentence of every encrypted message on the net with each of the stored messages. • On getting a match, the hacker knows the key. So he can now replace the remaining message by whatever he wants.
Message Digests/ Checksum Used for confirming Integrity of data • CRC* not sufficient *Cyclic Redundancy Check
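Why a CRC is not sufficient as an integrity check, as an added example that is not part of the original slides: CRC-32 is an affine function of the message bits, so a checksum can be corrected to match an altered message, while SHA-256 has no such shortcut and a keyed MAC rejects the change. The messages and the key are constructed sample values.

```python
import hashlib
import hmac
import zlib

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc_after_change(old_crc: int, delta: bytes) -> int:
    """CRC-32 of (m XOR delta), derived from CRC-32(m) alone.

    CRC-32 is affine over GF(2): for equal-length inputs,
    crc(m ^ d) == crc(m) ^ crc(d) ^ crc(all-zero bytes).
    """
    return old_crc ^ zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))

# Constructed sample data (equal-length messages, demo key).
ORIGINAL = b"PAY 0100 USD TO ACCOUNT 12345"
TAMPERED = b"PAY 9100 USD TO ACCOUNT 12345"
DELTA = xor_bytes(ORIGINAL, TAMPERED)
KEY = b"constructed-demo-key"  # a real key comes from a CSPRNG

def crc_detects_tampering() -> bool:
    # The checksum is adjusted using only the old CRC and the bit changes.
    fixed_crc = crc_after_change(zlib.crc32(ORIGINAL), DELTA)
    return fixed_crc != zlib.crc32(TAMPERED)

def sha256_has_same_shortcut() -> bool:
    # The same XOR trick applied to SHA-256 digests does not predict
    # the digest of the altered message.
    d = lambda m: hashlib.sha256(m).digest()
    guess = xor_bytes(xor_bytes(d(ORIGINAL), d(DELTA)), d(bytes(len(DELTA))))
    return guess == d(TAMPERED)

def hmac_detects_tampering() -> bool:
    # A MAC needs the key, so the old tag fails on the altered message.
    tag = hmac.new(KEY, ORIGINAL, hashlib.sha256).digest()
    check = hmac.new(KEY, TAMPERED, hashlib.sha256).digest()
    return not hmac.compare_digest(tag, check)

if __name__ == "__main__":
    print("CRC-32 detects change:  ", crc_detects_tampering())
    print("SHA-256 shortcut works: ", sha256_has_same_shortcut())
    print("HMAC detects change:    ", hmac_detects_tampering())
```

A bare SHA-256 digest still has to be stored or sent where it cannot be replaced along with the data; the HMAC case covers the situation where it cannot.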
Irreversible Encryption: Fingerprinting Data • Hash Functions [Diagram: Plaintext -> Encryption Algorithm -> Hash] Collisions in the output?
Cryptographic Hash Functions (H) • H: a transformation; m = variable size input; h = hash value: a fixed size string, also known as message digest or fingerprint or compression function. [Diagram: m -> H(m) -> h]
Message Digest [Diagram: Variable Length Message -> Hashing Algorithm -> Fixed Length Digest]
Uses of Hash Functions • Integrity check • for getting a document time-stamped without revealing its contents to the time stamp service • Authentication through Digital Signatures • For generation of pseudo-random numbers to generate several keys from a single shared secret Typical output of a Hash: 128 to 512 bits
A Cryptographic Hash function Properties of Cryptographic Hash functions : • One-way functions ‘Hard’ to invert : Computationally infeasible to find some input m such that H(m) = h. • Collision-resistant: a very large number of collisions exist. But these cannot be found. • Should be a random mapping from all possible input values to the set of possible output values
Message Digest • Consider an algorithm that generates outputs which are randomly distributed. • Let the MD (output) be of n bits • 2^n: number of possible outputs. • Since these are randomly distributed, the probability is that after 1.2 (2^n)^(1/2) digests are computed, we may find the same value. (Remember the Birthday Paradox) • Thus for n = 128, it would be (1.2) 2^64.
Definitions WEAKLY COLLISION FREE HASH FUNCTION: Given a message m1. It is computationally infeasible to find m2 such that • m1 is not equal to m2, and, • H(m1) = H(m2). STRONGLY COLLISION FREE HASH FUNCTION: No message is given. It is computationally infeasible to find any two messages m1 and m2 such that H(m1) = H(m2).
Hash Functions: Collision-free Example Example: Consider a Hash of 128 bits. Weak: The probability of finding a message m2 corresponding to a given hash value H(m1) is 2^-128. Strong: The probability of finding two messages with the same hash value (with no constraint on any of the two messages) is 2^-64.
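The 1.2√N rule from the birthday-paradox slide and the 2^(n/2) collision effort for an n-bit digest, as an added example that is not part of the original slides. It computes the exact birthday probability and then searches for a collision in SHA-256 truncated to n bits; the truncation and the "msg-<counter>" inputs are assumptions made so that the search finishes in seconds.

```python
import hashlib
import math

def collision_probability(k: int, n_values: int) -> float:
    """Exact probability that k uniform draws from n_values contain a repeat."""
    p_all_distinct = 1.0
    for i in range(k):
        p_all_distinct *= (n_values - i) / n_values
    return 1.0 - p_all_distinct

def birthday_estimate(n_values: int) -> float:
    """The slides' rule of thumb: about 1.2 * sqrt(N) draws for a 50% chance."""
    return 1.2 * math.sqrt(n_values)

def truncated_digest(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256(data), standing in for an n-bit hash."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)

def find_collision(bits: int):
    """Hash distinct messages until two share a truncated digest.

    Returns (first_message, second_message, digests_computed).
    Memory grows with the number of digests stored, about 2^(bits/2).
    """
    seen = {}
    counter = 0
    while True:
        msg = b"msg-%d" % counter          # constructed, distinct inputs
        digest = truncated_digest(msg, bits)
        if digest in seen:
            return seen[digest], msg, counter + 1
        seen[digest] = msg
        counter += 1

if __name__ == "__main__":
    print("P(collision), 23 people:", round(collision_probability(23, 365), 4))
    for bits in (16, 24, 32):
        _, _, tries = find_collision(bits)
        estimate = birthday_estimate(2 ** bits)
        print(f"{bits}-bit digest: collision after {tries} digests "
              f"(rule of thumb {estimate:.0f}, brute-force space {2 ** bits})")
```

Each extra 8 bits of digest multiplies the collision work by about 16, which is why the weak (2^n) and strong (2^(n/2)) figures above differ so sharply.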
Properties of Cryptographic Hash functions (continued) • H(m) is easy to compute. • The input can be of any length. • The output has a fixed length. Notes 1: Consider a transformation of a sequence of length n1 to a sequence of length n2, where n1 > n2. In such a case, there must exist multiple input sequences that map to the same fixed-length hash value.
Notes on hash functions (continued) 1. In the definitions of hash functions, it is only required that ‘to find x’ should be computationally infeasible, even though we know that x exists. 2. Computationally Infeasible (CI) means that the time complexity of the algorithm should grow faster than any polynomial. So CI means that it may take an extremely long time to compute x on even the fastest machine of the day.
Popular Hash Functions • Iterative functions: • Split the message into equal sized blocks m_1, m_2, ..., m_k (Use padding for the last block.) • H_i = h(H_{i-1}, m_i), with H_0 as a fixed value • MD2, MD4 and MD5 developed by Rivest. • MD2 (1989): Optimized for 8-bit machines; • MD4 (1990), MD5 (1991): Optimized for 32-bit machines. • MD2, MD4 and MD5: produce a 128-bit hash value. • 2004: Muller showed that MD2 is vulnerable to a PRE-IMAGE attack (attempt to find a message that has a specific hash value): So not a one-way function
Popular Hash Function: MD5 • MD4: • Den Boer and Bosselaers (in a paper in 1991) discovered weaknesses. • was cracked by Dobbertin. He devised a method to generate collisions in MD4. • MD5 (Ref: RFC 1321) was supposed to be more secure. Probability of MD5 collision: 1/(3 x 10^38) • 1994: A non-fatal flaw discovered. • SHA1 (Secure Hash Algorithm): Produces a 160-bit hash value from a message of less than 2^64 bits;
Popular Hash Function: SHA 1 • SHA 1: designed by NSA and standardized by NIST as a part of the Capstone project. (based on MD5 and 2 to 3 times slower than MD5) (Ref: RFC 3174 and FIPS 180-1) • Aug 2004: reported generating collisions in MD4 using "hand calculation", and in the family of MD4/MD5/SHA/RIPEMD. So its usage is now not recommended.* *Reference: Xiaoyun Wang, Dengguo Feng, Xuejia Lai and Hongbo Yu, “Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD,” Cryptology ePrint Archive: Report 2004/199, http://eprint.iacr.org/2004/199.pdf
Popular Hash Functions: To be used today • SHA 256, SHA 384 and SHA 512 (Ref: FIPS 180-2) designed for use with AES with 128, 196 and 256 bits. Slower than SHA1; may take nearly as much time as encryption by AES. SHA384 uses the SHA 512 method and discards the remaining bits. So though it takes the same time as SHA 512, it is less secure. Others: Snefru: generates a 128-bit or 256-bit hash; Haval: produces a 128, 160, 192, 224 or 256-bit hash.
Reversible Symmetric-Key Encryption Used for confidentiality of data
Secret Key/ Symmetric Cryptography • Also called Private/Secret key Encryption • Simpler and faster (than asymmetric)
Symmetric Key Encryption [Diagram: Sender-end: Message by sender -> encrypt with Pr-key -> Encrypted Message -> Internet -> Receiver-end: Encrypted Message -> decrypt with Pr-key -> Message at receiver]
“Public-key cryptography was not only "the most revolutionary new concept in the field since. . .the Renaissance," but it was generated totally outside of the government's domain -- by a privacy fanatic, no less!” -- David Kahn quoted by Steven Levy in “Crypto Rebels”, Wired News, May/June 1993
Reversible Asymmetric-Key Encryption Used for digital signatures
Public Key/ Asymmetric Cryptography • invented in 1976 by Whitfield Diffie* and Martin Hellman • two keys: private (d), public (e) Both are mathematically related. REQUIREMENTS: Computationally infeasible • to derive one key from the other; • to find out the private key from a chosen plaintext attack • much slower (about 1000 times) than secret key cryptography *Vice president and Sun fellow; chief security officer, Sun Microsystems Inc.
Public-key cryptography (continued) • A public-key cryptography system requires • a trusted system for distributing public keys. The RSA (Rivest, Shamir and Adleman) algorithm is well known for the public key system. APPLICATIONS • a digital signature system to authenticate that a message is really from whom it purports to be from • Pretty Good Privacy system, an e-mail system, uses the public key system for security.
History again Who ‘was’ Diffie? • Mid-sixties: Whitfield Diffie, son of a historian, became a member of the hackers community at MIT; passionate about privacy. "The user's privacy depended on the degree to which the administrators were willing to protect the password file. You may have protected files, but if a subpoena was served to the system manager, it wouldn't do you any good," Diffie notes with withering accuracy. "The administrators would sell you out, because they'd have no interest in going to jail."