15 349 introduction to computer and network security l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
15-349 Introduction to Computer and Network Security PowerPoint Presentation
Download Presentation
15-349 Introduction to Computer and Network Security

Loading in 2 Seconds...

play fullscreen
1 / 36

15-349 Introduction to Computer and Network Security - PowerPoint PPT Presentation


  • 131 Views
  • Uploaded on

15-349 Introduction to Computer and Network Security. Iliano Cervesato 7 September 2008 – Beyond Encryption. Where we are. Course intro Cryptography Intro to crypto Modern crypto Symmetric encryption Asymmetric encryption Beyond encryption Cryptographic protocols Attacking protocols

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

15-349 Introduction to Computer and Network Security


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
    Presentation Transcript
    1. 15-349Introduction to Computer and Network Security Iliano Cervesato 7 September 2008 – Beyond Encryption

    2. Where we are • Course intro • Cryptography • Intro to crypto • Modern crypto • Symmetric encryption • Asymmetric encryption • Beyond encryption • Cryptographic protocols • Attacking protocols • Program/OS security & trust • Networks security • Beyond technology

    3. Outline • Hash functions • Collision and preimage resistance • Message digests • Message authentication codes • Digital Signatures • RSA signature • El Gamal signature and DSA • Public-key infrastructure • Certificate chains • Web of trust • Revocation • Recent innovations in cryptography

    4. Attacks on RSA • Small d for fast decryption • But easy to crack if d < (n1/4)/3 [Wiener] • d should be at least 1080 • Small e for fast encryption • If m sent to more than e recipients, then m easily extracted • Popular e = 216 + 1 • Same message should not be sent more than 216 + 1 times • Modify message (still dangerous) • Timing attacks • Time to compute md mod n for many m can reveal d • Homomorphic properties of RSA • If ci = mie mod n (i=1,2), then c1c2 = (m1m2)e mod n • Easy chosen plaintext attack • Eliminated in standards based on RSA

    5. Key length • Public-key crypto has very long keys • 1024, 2048, 4096 are common • Is it more secure than symmetric crypto? • 56, 128, 192, 256 • Key lengths don’t compare! • 1024  80 bit • 2048  112 bit • 3072  128 bit • 7680  192 bit • 15,360  256 bit • Performance • RSA is very slow • Exponentiations • Very large numbers • DES, AES are very fast • Just bit operations

    6. Cryptographic Hashing f : {0,1}n’ {0,1}n is a hash function if • f is a one-way function • n is short • n’ may be unbounded Two families • Non-keyed • h : {0,1}* {0,1}n (e.g. n = 160) • h(m) is the message digest of m • Used for password protection, digital signatures, … • Keyed • hk : {0,1}* {0,1}n (e.g. n = 96) • Used for message integrity

    7. One-way functions – review • Easy to compute • f(i)  o • Evaluation in P • Linear • Hard to invert • f-1(o)  I • Inverse is NP-complete • Foundations of • Hashing Easy – P f input output Hard – NP

    8. Preimage Resistance h : {0,1}* {0,1}n is PR if • Given random y • It is hard to find m s.t. h(m) = y Applications: • Protect password files • /etc/passwd in Unix

    9. h(file1)h(file2) Second Preimage Resistance h : {0,1}* {0,1}n is 2PR if • Given random m • It is hard to find m’ s.t. h(m) = h(m’) Applications: • Virus protection • E.g. Tripwire • file and h(files) mustbe kept separate • 2PR implies PR file1file2

    10. Collision Resistance h : {0,1}* {0,1}n is CR if • It is hard to find m and m’ s.t. h(m) = h(m’) Applications: • Digital signatures • Sigk(h(m)) • Assume attacker knows m and m’ s.t. h(m) = h(m’) • Ask principal to sign m • Has automatically signature on h(m’) • CR implies 2PR (implies PR) • Easier to construct CR than 2PR • From now on, we focus on CR

    11. Birthday Paradox There is a 0.5 probability that 2 people have the same birthday in a room of 25 • Given r1, … rn [0, 1, …, B] independent integers • If n  1.2B, then Prob[ i  j : ri = rj] > ½ • For message digest 64 bits long • Collision can be found with around 232 tries • Typical digest size is 160 bits (SHA-1) • Collision time is 280 tries

    12. padding n’ m1 m2 m3 m4 m5 m: n’ n’ n’ n’ n’ F F F F F IV h(m) n n n n n n Usually n = 160 bits and n’ = 512 bits Compression function Constructions Always iterated • Merkle-Damgard method • If F (compression function) is CR, then Merkle-Damgard hash is CR • Enough to construct a CR compression function • Based on block ciphers (typically slow) • Customized design (faster)

    13. Actual Compression Functions • Based on block ciphers (e.g. DES) • Given block cipher Ek(m) • F(m,hi) = Emki-1(m) • If Ek(m) is ideal cipher, finding collisions takes 2n/2 tries • Best possible, but black-box security • Customized compression functions On 200MHz Pentium

    14. Keyed Hash Functions hk : {0,1}* {0,1}n • k needed to evaluate function • Main application: • Message authentication codes (MAC) • Guarantees message integrity • hk(m) is a cryptographic checksum • Ensures that m has not been tampered with

    15. Example MAC A B k k • Network • Adversary can’t build MAC for m’  m • Note: MAC used for integrity, not secrecy • Digital signature work, but are too slow • File system • MAC verified when file is accessed • pwd needed to modify file m, hk(m) • Send m, hk(m) • Receive m, hk(m) MAC file hpwd(file)

    16. Constructing MACs 2 methods • Cryptographic MACs • CBC-MAC • Based on block ciphers • HMAC • Based on non-keyed hashfunctions • Information-theoretic MACs • Based on universal hashing Performance On 200MHz Pentium

    17. padding n m1 m3 m2 m: K = (k, k’, IV) k’ n n n k IV n n n Ek Ek Ek n Ek’ n Ek hK(m) Usually n = 64 bits CBC-MAC • Most commonly used in banking industry • If E is a MAC, then CBC-E is also a MAC • Note: no birthday attack • MACS can be shorter then message digests (optional)

    18. Hash-Based MACs h non-keyed hash function • Attempt: MACk(m) = h(k m) • Extension attack with Merkle-Damgard method: • MACk(m m’) = h(MACk(m) m’) • Attempt: MACk(m) = h(m k) • Birthday attack • Envelope method • MACk,k’(m) = h(k m k’) • Preferred method: HMAC • HMACk(m) = h(k pad1 h(k pad2 m)) • If compression function in h is a MAC and h is CR, then HMAC is a MAC • IPSec and SSL use 96 bit HMAC Hash-basedMAC

    19. Digital Signatures • Paper signature guarantees non-repudiation for • Identity • Contract signing • Digital signature • binds a secret k to a document m • s = f(m,k) • s can be generated only knowing k • s can be verified by anyone knowing m • Should guaranty • Non-repudiation • Non-malleability • Signature cannot be cut and pasted to other documents • Non-forgeability

    20. Ok if s = Sigk(m) No otherwise Verk-1(s,m) = Signature Process Public data A1 k1v … Ai kiv … A wants to signm and send it to B • h makes signature short A B kAs kBs • s = SigkAs(h(m)) • Send m,s m,s • Receive m,s • ExecuteVerkAv(s, h(m))

    21. Attacks on Digital Signatures • Signature break • Adversary can recover ks from kv and intercepted messages • Selective forgery • Adversary can forge signature s for message m of his choice • Existential forgery • Adversary can forge signature s for arbitrary message m

    22. Constructions Signature schemes based on • RSA • E.g.: PKCS#1, Fiat-Shamir, … • Easy to verify but hard to generate • Ok for certificates • Relatively long (1024 bit) • DL • El Gamal , DSS, … • Hard to verify, but easy to generate • Ok for smart cards • Short (320 bit) • General 1-way functions • Lamport, Merkle, … • Impractical

    23. Naïve RSA Signature ni = piqi eidi = 1 mod f(ni) Public data A1 n1 ,e1 … Ai ni ,ei… A wants to sendsigned m  ZnA to B • Signature = RSA decryption • Achieves confidentiality as well • Verification = RSA encryption A B pA,qA,dA pB,qB,dB mdA mod nA • Send mdA mod nA • Receive mdA mod nA • (mdA)eAmod nA= mkf(nA)+1mod nA= mmod nA

    24. Attacks on Naïve RSA Signature • Existential forgery • Verd(se,s) = Ok for any s • Blinding attack Adversary wants A’s signature on m • Pick r ZnA • Get A to sign m’ = mre mod nA • A returns s’ = (mre)d mod nA • Deduce then s = s’/r = md mod nA • Then (m, s) is a valid signature pair

    25. RSA Signatures – PKCS#1 ni = piqi eidi = 1 mod f(ni) Public data A1 n1 ,e1 … Ai ni ,ei… A wants to sendsigned m  ZnA to B • PD = 00 01 11 11 … 11 00 (864 bit) • h(m) is 160 bit • Security is unproved • ISO standards use other PD’s A B pA,qA,dA pB,qB,dB • Compute s =(PD h(m))dA mod nA • Send m,s m,s • Receive m,s • Check if(mdA)eAmod nA= (PD h(m))dA mod nA

    26. El Gamal Signature Public data A1 p1 ,g1,g1a1… Ai pi ,gi,giai… secret m  ZpB to B A wants to send • Why does it work? • Exercise A B aA aB • Choose random r • Compute- k = gr mod pA- r-1 mod (pA-1)- s = r-1(h(m) –kaA) mod (pA-1) • Send m,k,s m,k,s • Receive m,k,s • Check1 kpA-1gkks = gh(m) mod pA

    27. DSS – Digital Signature Standard qi | pi – 1giqi= 1mod piyi = giaimod pi Public data A1 p1 ,q1 ,g1 ,y1 … Ai pi ,qi ,gi ,yi … A wants to send signed m  ZnA to B • p is 1042 bits • q is 160 bits • Signature k,s is only 360 bits • Fast verification methods exist A aA • Pick random r Z*qA • Compute- k = (gAr mod pA) mod qA- s = r-1(h(m)+kaA) mod qA • Send m,k,s B aB m,k,s • Receive m,k,s • Check1 k,s<pAk = gAs-1h(m) (yAs-1w mod pA) mod qA

    28. Hashing vs. MAC vs. Signatures • Hashing: private checksum • Produce footprint of a message • Must be stored separated from message • MAC: cryptographic checksum • Footprint protected with shared key • Can be transmitted over public channel • Digital signature: taking responsibility • Footprint protected with private key • No shared secrets with verifier

    29. n’i = p’iq’i e’id’i = 1 mod f(n’i) Fake data … B  n’B ,e’B… me’B mod n’B • Send me’B mod n’B I p’B,q’B,d’B me’B mod n’B • Recover m A Simple Attack on RSA Public data … B  nB ,eB… A wants to sendsecret m to B Intruder wantsto know m A B pA,qA,dA pB,qB,dB Intruder recovers m • How is the public table implemented?

    30. Certification of Published Data A1 A generates public/privatekey pair (k,k-1) and wantsto publish k on public table • A sends k to CA • Certification Authority • CA verifies that A knows k-1 • Challenge-response exchange • CA generates Ck and sends it to A • Certificate • A forwards Ck when using k • Either A volunteers Ck (push) • or sends it on demand (pull) • CA not needed on-line k Ck A5 A2 CA A4 A3 Trusted Like choosing phone number or license plate

    31. Certificates Ck = (A,kA,texp,priv,…,sigCA) • texp = expiration date • priv = privileges • … = possibly more information • Everyone knows the verification key of CA • Single point of failure • Vulnerability as number of principals grows

    32. Hierarchical Certification root CA2 … CA1 CA5 • Certificate chains • Contain certificates ofall the nodes to the root • Exchanged certificates limited to first common ancestor • Root signature is trusted and recognizable • Redundancy can reduce vulnerability • Used in SET • Developed by Visa/Mastercard • Root key distributed among 4 sites CA17 … … CA11 CA51 … … … … A B

    33. “Web of Trust” U3 U2 U4 U1 • No central authority • Users give ratings of keys they used • Validity (binding to other user) • Trust (none, partial, complete) • Used in PGP A B

    34. Certificate Revocation Certificates may be revoked • A’s key is stolen • Employee leaves the company • Wait till texp • May be too late • Certification Revocation List • Push CRL to all users • Overhead; can be blocked • Check each time with certification authority • Requires CA online • Validate certificates at fixed intervals

    35. Symmetric keys KDC on-line, used at every session KDC knows secret key If KDC compromised, past and future messages exposed Fast Public key CA off-line except for key generation CA knows only public key If CA compromised, only future messages exposed Slow A1 A1 k1 A5 k Ck A2 k5 A5 A2 KDC k2 CA k4 k3 A4 A3 A4 A3 Comparing KDC and CA

    36. New Trends in Cryptography • Elliptic-curve cryptography • Groups (like Z*n) with very hard crypto-analysis • Fast and small keys (190 bit ~ 1024 bit of RSA) • Complex underlying mathematics • Quantum cryptography • Measuring particle properties destroys them • E.g. polarization • No eavesdropping without perturbing transmission