Create Presentation
Download Presentation

Download

Download Presentation

Information Security Frank Yeong-Sung Lin Department of Information Management National Taiwan University

188 Views
Download Presentation

Download Presentation
## Information Security Frank Yeong-Sung Lin Department of Information Management National Taiwan University

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -

**Information SecurityFrank Yeong-Sung LinDepartment of**Information ManagementNational Taiwan University EMBA 2009 – Information Systems and Applications Lecture II**Information Security**Information security can be roughly divided into 4 areas: • Secrecy: keep information unrevealed • Authentication: determine the identity of whom you are talking to • Nonrepudiation: make sure that someone cannot deny the things he/she had done • Integrity control: make sure the message you received has not been modified**Information Security (cont’d)**Information security functionality can be distributed across several protocol layers: • Physical layer: protect transmission link from wire tapping • Data link layer: link encryption • Network layer: firewall, packet filter • Application layer: authentication, non-repudiation, integrity control, (and secrecy/confidentiality)**Information Security (cont’d)**A number of essential concepts to begin with: • Risk management • threats, vulnerabilities, assets, damages and probabilities • balancing acts • all cryptosystems may be compromised • Notion of chains (Achilles' heel) • Notion of buckets (products, policies, processes and people) • Defense in-depth • Average vs. worst cases • Backup, restoration and contingency plans**Traditional Cryptography**Passive intruder (listens only) Active intruder (alters message) • The model depends on a stable public algorithm and a key • The work factor for breaking the system by exhaustive search of the key space is exponential in the key length • Two categories: Substitution ciphers vs. transposition ciphers DK( EK( P)) = P Plaintext P EK( P) Encryption Decryption key K key K**Traditional Cryptography (cont’d)**• Simplified model of traditional cryptography**Traditional Cryptography (cont’d)**• Model of traditional cryptography**Substitution Cipher**• Caesar cipher • Every letter is shifted by k positions, e.g., k = 3 and “a” becomes “D”, b becomes “E”, … • For example, “attack” becomes “DWDDFN” • Mono-alphabetic substitution Plaintext: abcdefghijklmnopqrstuvwxyz ciphertext: QWERTYUIOPASDFGHJKLZXCVBNM • The key space is 26! » 4x1026 • Still the cipher may be broken easily by taking advantage of the frequency statistics of English text (e.g., e, a, th, er, and, the appear very often)**Substitution Cipher (cont’d)**• Relative frequency of letters in English text**Transposition Ciphers**M E G A B U C K 7 4 5 1 2 8 3 6 p l e a s e t r a n s f e r o n e m i l l i o n d o l l a r s t o m y s w i s s b a n k a c c o u n t s i x t w o t w o a b c d • Plaintext is written horizontally, while the ciphertext is read out by column, starting with the lowest key column • To break the transposition cipher • guess a probable word or phrase (e.g., milliondollars) • try to determine the key length, then order the columns • Another related example regarding Newton Plaintext pleasetransferonemilliondollarsto myswissbankaccountsixtwotwo Ciphertext AFLLSKSOSELAWAIATOOSSCTCLNMOMANT ESILYNTWRNNTSOWDPAEDOBUOERIRICXB**Other Interesting Ciphers**• Chinese poems • Clubs and leather stripes • Invisible ink (steganography in general) • Books • Code books • Enigma • XOR • Ej/vu3z8h96**Two Fundamental Cryptographic Principles**• First principle • All encrypted messages must contain redundancy to prevent active intruders from tricking the receiver into acting on a false message • However, the same redundancy makes it easier for passive intruders to break the system • Second principle • Some measures must be taken to prevent active intruders from playing old messages, e.g., use time stamp to • filter out duplicate messages within a certain time • incoming messages that are too old are discarded**Encoder: 8 to 3**Decoder: 3 to 8 S1 S5 S2 S6 P1 P2 P3 S3 S7 S4 S8 Secret-Key Algorithms • Consists of sequence of transpositions and substitutions S-box (Substitution) Product cipher P-box (Permutation)**Data Encryption Standard (DES)**• Plaintext is encrypted in blocks of 64 bits • DES is basically a mono-alphabetic substitution cipher using a 64-bit character 64 bit plaintext Li-1 Ri-1 Initial transposition K1 Iteration 1 56-bit key K16 Li-1 Å f(Ri-1, Ki) Iteration 16 32 bit swap Inverse transposition 32 bits Li 32 bits Ri 64 bit ciphertext**DES Chaining**• DES may be vulnerable to active intruders Name Bonus Leslie $0000010 Intruder may copy the block to one row above Kimberly $0100000 8 bytes 8 bytes • DES chaining P0 P1 P2 P3 C0 C1 C2 C3 IV # # # # D D D D Exclusive OR Key # # # # E E E E C0 C1 C2 C3 P0 P1 P2 P3**Breaking DES**• Exhaustive search of key space = 256» 7x1016 • can use multiple computers to do search in parallel • Running DES twice consecutively with two different 56-bit keys creates a key space of 2112» 5x1033 • but it still can be broken by the “meet-in-the-middle” attack in Q (257) time, because Ci = EK2 (EK1 (Pi)) DK2(Ci) = EK1(Pi)**Triple DES Encryption**• Using EDE (2 encryption and 1 decryption) instead of EEE is for backward compatibility (when K1 = K2) with single-stage DES system • Using EEE with 3 different keys is basically unbreakable nowadays K1 K2 K1 K1 K2 K1 P C C P E D E D E D Encryption Decryption**Public-Key Algorithms**• Encryption (E) and Decryption (D) algorithms must meet the following requirements • E and D are different • D(E(P)) = P • It is exceedingly difficult to deduce D from E • Everyone has a pair of keys: public key (E) and private key (D) • Public key is made known to the world • Private key is to be kept private all the time A B P1 EB(P1) DB(EB(P1)) = P1 EB DB DA(EA(P2)) = P2 EA(P2) P2 DA EA**Principles of Public-Key Cryptosystems (cont’d)**• Requirements for PKC • easy for B (receiver) to generate KUb and KRb • easy for A (sender) to calculate C = EKUb(M) • easy for B to calculate M = DKRb(C) = DKRb(EKUb(M)) • infeasible for an opponent to calculate KRb from KUb • infeasible for an opponent to calculate M from Cand KUb • (useful but not necessary) M = DKRb(EKUb(M)) = EKUb(DKRb(M)) (true for RSA and good for authentication)**Principles of Public-Key Cryptosystems (cont’d)**• The idea of PKC was first proposed by Diffie and Hellman in 1976. • Two keys (public and private) are needed. • The difficulty of calculating f-1 is typically facilitated by • factorization of large numbers • resolution of NP-completeness • calculation of discrete logarithms • High complexity confines PKC to key management and signature applications**Principles of Public-Key Cryptosystems (cont’d)**• Comparison between conventional and public-key encryption**Principles of Public-Key Cryptosystems (cont’d)**• Applications for PKC • encryption/decryption • digital signature • key exchange**RSA Algorithms**• Developed by Rivest, Shamir, and Adleman at MIT in 1978 • First compute the following parameters • Choose two large primes, p and q (typically > 10100) • Compute n = pxq and z = (p-1)x(q-1) • Choose d, which is a number relatively prime to z • Find e such that (exd) mod z = 1 • Divide the plaintext into blocks of k bits, where 2k < n • To encrypt P, compute C = Pe mod n • To decrypt C, compute P = Cd mod n • Public key = (e, n), private key = (d, n)**The RSA Algorithm (cont’d)**• Format’s Little Theorem: If p is prime and a is a positive integer not divisible by p, then a p-1 1 mod p. Example: a = 7, p = 19 72 = 49 11 mod 19 74 = 121 7 mod 19 78 = 49 11 mod 19 716 = 121 7 mod 19 a p-1 = 718 = 716+2 711 1 mod 19**The RSA Algorithm (cont’d)**• Example 1 • Select two prime numbers, p = 7 and q = 17. • Calculate n = p q = 717 = 119. • Calculate Φ(n) = (p-1)(q-1) = 96. • Select e such that e is relatively prime to Φ(n) = 96 and less than Φ(n); in this case, e = 5. • Determine d such that d e = 1 mod 96 and d < 96.The correct value is d = 77, because 775 = 385 = 496+1.**The RSA Algorithm (cont’d)**• The security of RSA • brute force: This involves trying all possible private keys. • mathematical attacks: There are several approaches, all equivalent in effect to factoring the product of two primes. • timing attacks: These depend on the running time of the decryption algorithm.**The RSA Algorithm (cont’d)**• To avoid brute force attacks, a large key space is required. • To make n difficult to factor • p and q should differ in length by only a few digits (both in the range of 1075 to 10100) • both (p-1) and (q-1) should contain a large prime factor • gcd(p-1,q-1) should be small • should avoid e < n and d < n1/4**The RSA Algorithm (cont’d)**• To make n difficult to factor (cont’d) • p and q should best be strong primes, where p isa strong prime if • there exist two large primes p1 and p2 such that p1|p-1 and p2|p+1 • there exist four large primes r1, s1, r2 and s2 such that r1|p1-1, s1|p1+1, r2|p2-1 and s2|p2+1 • e should not be too small, e.g. for e = 3 and C = M3 mod n, if M3 < n then M can be easily calculated**The RSA Algorithm (cont’d)**• Major threats • the continuing increase in computing power (100 or even 1000 MIPS machines are easily available) • continuing refinement of factoring algorithms (from QS to GNFS and to SNFS)**RSA Algorithms (cont’d)**• The security of RSA is based on the difficulty of factoring large numbers • It takes 4x109 years for factoring a 200-digit number • It takes 1025 years for factoring a 500-digit number • RSA is too slow to actually encrypt large volumes of data, so it is primarily used for distributions of one-time session key for use with DES algorithms**Elliptic Curve Cryptography (ECC)**• For the same length of keys, faster than RSA • For the same degree of security, shorter keys are required than RSA • Standardized in IEEE P1363 • Confidence level not yet as high as that in RSA • Much more difficult to explain than RSA**Elliptic Curve Cryptography (cont’d)**• Computational effort for cryptanalysis of elliptic curve cryptography compared to RSA**Key Management**• The distribution of public keys • public announcement • publicly available directory • public-key authority • public-key certificates • The use of public-key encryption to distribute secret keys • simple secret key distribution • secret key distribution with confidentiality and authentication**Key Management (cont’d)**• Public announcement**Key Management (cont’d)**• Public announcement (cont’d) • advantages: convenience • disadvantages: forgery of such a public announcement by anyone