Encrypting the Internet

278 Views

Download Presentation
## Encrypting the Internet

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -

**Encrypting the Internet**Phil Karn 18 April 2000 karn@qualcomm.com http://people.qualcomm.com/karn**Overview**• Threat models • Cryptography basics • Layer tradeoffs • Cryptographic protocols on the Internet • Crypto politics**Threat ModelsI.e, What are you worried about?**• Message confidentiality • Message authentication/integrity • Traffic analysis • Denial of service • Maintaining anonymity • Enforcing transparency**Confidentiality**• Preventing an eavesdropper from understanding the contents of a message • Cryptography’s traditional role**Authentication/Integrity**• Verifying who sent a message, and that it has not been modified en route • Major role for public key cryptography • digital signatures can be verified with public key**Traffic Analysis**• Gleaning information from traffic patterns even if the contents are not decipherable • A threat often overlooked or ignored in civilian applications • Difficult to do at upper layers • a traditional function of bulk link encryption**Denial of Service**• An attacker might sabotage a network even if he cannot read or forge legitimate messages • overloading a network (e.g, Internet MS-DOS) • jamming a radio channel (e.g., Captain Midnight) • Limited role for crypto in a public network • conditional access to resources, controls, etc**Enforcing Subnetwork Transparency**• Some ISPs violate layering, or impose policy constraints on user content or protocols • transparent web proxies • server & Napster bans on college campuses and cable modems • Higher layer crypto can thwart this • e.g., tunneling IP in a TCP connection to port 443 (SSL) • Carrier can still monitor traffic levels • which is the better way anyway**Cryptography Basics**• Crypto = secret, graphy = writing • only someone with the key can understand an encrypted message • Used in ancient times • Modern cryptography began during WW2 • first machine-aided cryptanalysis (Enigma) • Invention of public key crypto in 1970s • finally made conventional crypto practical**Properties of a Good Modern Cipher**• Large key to resist brute-force search • Published, reviewed algorithm • security depends entirely on secrecy of key • security cannot depend on algorithm secrecy • Resistance to chosen-plaintext attack • attacker cannot determine key even if given ability to encrypt plaintext of the attacker’s choosing • implies resistance to known-plaintext and known-ciphertext attacks**Types of Cryptography**• Symmetric • same key for both encryption and decryption • DES, IDEA, AES candidates • Asymmetric (Public Key) • key pairs: private and public • based on factorization or discrete log problem • RSA, Diffie-Hellman, etc • much slower than symmetric • digital signature capability**DES: a typical symmetric block cipher**plaintext DES ciphertext 64 bits 64 bits 56 bits key**Brute force keysearching**• For a 56-bit key, there are 256 or 72,057,594,037,927,936 possibilities • This seems like a lot, but even in 1976 it seemed too small given Moore’s Law • this was the major objection to DES • EFF’s Deep Crack machine has made this a reality**Deep Crack**• The name is a play on Deep Blue, the IBM chess playing computer, which in turn played on Deep Thought, CMU’s chess playing computer named after the computer in Douglas Adams’ The Hitchhiker’s Guide to the Galaxy (aren’t you glad you asked?) • All crunch a long time and produce very little output**Deep Crack**• Sponsored by John Gilmore, EFF co-founder. Cost: $210K • 6 cabinets x 5 boards/cabinet x 64 custom ASICS/board x 24 keysearch engines/ASIC • Total of 1800 functional chips • Tests 90,000,000,000 keys/sec • Can search the whole keyspace in <5 days • Complete plans published in book form to exploit my paper-format export loophole**Alternatives to DES**• Triple DES • encrypt three times with 2 or 3 distinct keys • no brute-force attack for the forseeable future • IDEA • 64-bit block cipher with 128-bit key • Used in PGP, SSH**More DES alternatives**• RC4/RC5 • proprietary ciphers designed by Ron Rivest, owned by RSA Data Security Inc • widely implemented in web browsers • variable key lengths to meet export limits • NIST AES (Advanced Encryption Standard) • now fielding candidates, >=15 so far**Encryption for Authentication**• A more recent application for cryptography • Vital for electronic commerce • Provides two related features: • proof that whoever sent a message possesses a particular key • integrity protection - confidence that a legitimate message has not been modified in transit**Sample authentication scheme**challenge DES response 64 bits 64 bits 56 bits key**Challenge-response protocols**• Prove possession of a secret key without revealing that key on an open channel • Handy for computer logins, cellular phone accesses, etc**Cryptographic hash functions**• Block ciphers like DES can be used as hash functions, but they’re slow and clumsy • Other functions have been specifically designed as hashes: • MD5 • SHA-1 • CAVE**Generic hash function**data, variable amount fixed-size hash 128 bits (MD5) 160 bits (SHA-1)**Properties of hash functions**• Computing a hash is fast • Finding an input that produces a given hash is (hopefully) extremely hard • So is finding two inputs that hash to the same result • Hash functions are also known as one-way functions because of this property**Hash functions for confidentiality**• Hash functions were custom-designed for authentication applications • But they can still be used as building-blocks for confidentiality! • Dan Bernstein’s Snuffle is the subject of his lawsuit pending in the 9th Cir since Dec 1997 • I designed one that’s described in Applied Cryptography**Public key cryptography**• All of the ciphers described so far have been symmetric ciphers, I.e., the same key is used to encrypt and to decrypt • Until the mid 1970s, all ciphers were symmetric • Public key ciphers are also called asymmetric-key • different keys to encrypt and decrypt**Why public key?**• Use insecure channel to agree on shared secret key for symmetric cipher • Allow anyone to send you a message without having to first agree on a shared secret key • avoids n2 key management problem • Provide digital signatures • a unique capability**Public key theory**• Public key ciphers are generally based on mathematical problems known to be “hard” • discrete logarithm • factoring • The reverse operations are easy • discrete exponentiation • multiplication**Discrete logarithm**• Computing the expressiony = gx mod pwhere x and p are suitably large integers (e.g., 1Kbit) is relatively easy • Finding the value of x that produced a given y is much harder!**Diffie-Hellman key exchange**• The first public key scheme invented • patent expired in 1997 • Not actually a public key encryption scheme, but a key agreement scheme • Based on discrete log problem • Used in CDMA over-the-air service activation to generate A-key**Alice**Generates secret integer x Computes gx mod p, sends to Bob Computes (gy)x mod p Use result as symmetric key Bob Generates secret integer y Computes gy mod p, sends to Alice Computes (gx)y mod p Use result as symmetric key Diffie-Hellman in detail**RSA**• The major public key scheme, discovered ~1977 • patent expires Sep 20, 2000 • Based on the difficulty of factoring as opposed to multiplication • thought to be related to discrete log • Can encrypt or decrypt • different keys for each • encryption key can be published, decryption key kept secret**RSA in detail**• User’s public key is {n,e} • e is a small number, typically 3 or 17 • n is the product of two randomly chosen secret prime numbers, p*q. Typically 1024 bits long • To encrypt, computeC = Me mod n**RSA decryption**• User’s secret key is {n,d} • n is same value as in public key, so only d is secret • User computesM = Cd mod n • The math is hairy, but to compute d it is believed that you must know p,q, the factorization of n**RSA Signatures**• Nothing says M has to be secret and C has to be public • If you reverse the algorithm, you can get a message that anybody can decrypt, but only you could have encrypted.**Generating a digital signature**message Hash function ()d mod n digital signature**Verifying a digital signature**message digital signature Hash function ()e mod n compare**Public Key Management**• Although public keys can be openly published, how do you know that a particular key in the directory really belongs to who you think it does? • This is the thorniest problem in public key cryptography!**Certificates**• PK cryptography can solve its own problem • Use PK signatures to vouch for the authenticity of others’ keys • Two general approaches • X.509 Certification Authorities • centralized, hierarchical, authoritarian • used in secure web transactions • PGP “web of trust” • decentralized, flat, democratic**Other PK algorithms**• Digital Signature Standard (DSS) • promoted by the government largely because it cannot be used for encryption • used by PGP 5.0 to avoid RSA patent • Elliptic Curves • not actually an algorithm, but a different way to implement existing algorithms like Diffie-Hellman with supposedly less computational effort for a given degree of security**Crypto - Necessary But Not Sufficient**• Many (most?) vulnerabilities in practice due to: • software bugs • e.g., buffer overflows • configuration errors • especially insecure installation defaults • Trojan horses • e.g., Microsoft Word macros, innumerable Windows viruses • Old bugs are exploited much more than new ones • many machines run old software versions**The Internet Reference Model**Application Host-to-Host (end-to-end) Internet Subnet**The Internet Reference Model**• Application Layer • covers OSI application & presentation layers • HTTP, Telnet, FTP, SMTP, POP, DNS, etc • End-to-End Layer • OSI transport & session layers • TCP & UDP • Internet Layer • OSI network (upper part) • IP • Subnet Layer • OSI network (lower part), link, physical**The Major Internet Protocols**HTTP POP UDP TCP PPP SMTP Telnet DNS FTP DHCP ICMP IP ATM ARP other subnets Enet**The End-to-End Principle**• Saltzer, Reed and Clark, 1981: • many traditional low-level network functions are better done at the endpoints, I.e., at higher protocol levels • some functions can sometimes be justified within the network as a performance enhancement • IMHO, one of the most important CS papers of all time • http://people.qualcomm.com/karn/library.html has links**Encryption in the Internet**• Encryption in the subnetwork • Encryption just above IP • IPSEC • PPTP • Encryption above TCP • SSH • TLS • SSL • Encryption in the application • PGP, S/MIME, etc**Encryption in the Subnet**• Link encryptors widely available • but beware of single-DES • Easy to deploy incrementally • Transparent to routers, hosts & applications • Good resistance to traffic analysis • No defense against compromised routers or hosts**Encryption Above IP**• Layer inserted between IP and transport • IPSec (IP Security) on IETF standards track • many vendors, including open source (FreeSWAN) • Protects transport header along with application • Can be used end-to-end, or to carry other IP packets in “tunnel” mode • Increased header overhead, esp with authentication • IP fragmentation issues • no VJ TCP/IP header compression • unavoidable for strong packet-level security**IP Security (IPSEC)**• Started in IETF circa 1992 • architecture similar to earlier govt network layer security work for ISO CLNP • Unusually long gestation period • reflects creeping featurism, committee design, excessive generality (imho) • Most useful for virtual private networks, “road warrier” access to closed corporate network through firewall**IPSec Packet Format**IP Header IPSEC Header End-to-end Header & Data Two types of IPSec packets: Authentication Header (AH), protocol number 51 Encapsulating Security Protocol (ESP), proto 50 Both carry the original IP protocol field Note “end-to-end header and data” can be another IP datagram! This is tunnel mode**Authentication Header (AH)**• Provides cryptographic authentication (not encryption) of layers above IP plus selected fields in IP header (the ones that don’t change) • Doesn’t actually specify the algorithm • one (keyed MD5) is mandatory to implement for interoperability • others may be used between consenting parties packet data shared secret hash function authentication value