Download Presentation
October 2, 2003

Loading in 2 Seconds...

1 / 79

# October 2, 2003 - PowerPoint PPT Presentation

October 2, 2003. Introduction to Computer Security Lecture 6 Cryptography. Overview of the DES. A block cipher: encrypts blocks of 64 bits using a 64 bit key outputs 64 bits of ciphertext A product cipher performs both substitution and transposition (permutation) on the bits

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

## PowerPoint Slideshow about 'October 2, 2003' - ratana

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

### October 2, 2003

Introduction to

Computer Security

Lecture 6

Cryptography

INFSCI 2935: Introduction of Computer Security

Overview of the DES
• A block cipher:
• encrypts blocks of 64 bits using a 64 bit key
• outputs 64 bits of ciphertext
• A product cipher
• performs both substitution and transposition (permutation) on the bits
• basic unit is the bit
• Consists of 16 rounds (iterations) each with a round key generated from the user-supplied key

INFSCI 2935: Introduction to Computer Security

DES
• Round keys are 48 bits each
• Extracted from 64 bits
• Permutation applied
• Deciphering involves using round keys in reverse

INFSCI 2935: Introduction to Computer Security

input

IP

L

R

0

0

Å

f

K

1

L

= R

R

= L

Å

(R

, K

)

f

1

0

1

0

0

1

L

= R

R

= L

Å

(R

, K

)

f

16

15

16

15

15

16

-1

IP

output

DES Encryption

INFSCI 2935: Introduction to Computer Security

R

(32 bits)

K

(48 bits)

i-1

i

Expansion

Permutation

Å

R

(48 bits)

6 bits into each

i

-1

S7

S1

S2

S3

S4

S5

S6

S8

4 bits out of each

P

32 bits

The f function

INFSCI 2935: Introduction to Computer Security

Controversy
• Considered too weak
• Diffie, Hellman said in a few years technology would allow DES to be broken in days
• Design using 1999 technology published
• Design decisions not public
• S-boxes may have backdoors

INFSCI 2935: Introduction to Computer Security

Undesirable Properties
• 4 weak keys
• They are their own inverses
• 12 semi-weak keys
• Each has another semi-weak key as inverse
• Complementation property
• DESk(m) = c DESk´(m´) = c´
• S-boxes exhibit irregular properties
• Distribution of odd, even numbers non-random
• Outputs of fourth box depends on input to third box
• Reasons for structure were suspicious

INFSCI 2935: Introduction to Computer Security

Differential Cryptanalysis
• A form of chosen plaintext attack
• Involves encrypting many texts that are only slightly different from one another and comparing results
• Requires 247 plaintext, ciphertext pairs
• Revealed several properties
• Small changes in S-boxes reduce the number of pairs needed
• Making every bit of the round keys independent does not impede attack
• Linear cryptanalysis improves result
• Requires 243 plaintext, ciphertext pairs

INFSCI 2935: Introduction to Computer Security

init. vector

m1

m2

DES

DES

c1

c2

sent

sent

DES Modes
• Electronic Code Book Mode (ECB):
• Encipher each block independently
• Cipher Block Chaining Mode (CBC)
• XOR each block with previous ciphertext block
• Uses an initialization vector for the first one

INFSCI 2935: Introduction to Computer Security

init. vector

c1

c2

DES

DES

m1

m2

CBC Mode Decryption
• CBC has self healing property
• If one block of ciphertext is altered, the error propagates for at most two blocks

INFSCI 2935: Introduction to Computer Security

Self-Healing Property
• Initial message
• 3231343336353837 3231343336353837 3231343336353837 3231343336353837
• Received as (underlined 4c should be 4b)
• ef7c4cb2b4ce6f3b f6266e3a97af0e2c 746ab9a6308f4256 33e60b451b09603d
• Which decrypts to
• efca61e19f4836f1 3231333336353837 3231343336353837 3231343336353837
• Incorrect bytes underlined; plaintext “heals” after 2 blocks

INFSCI 2935: Introduction to Computer Security

Current Status of DES
• Design for computer system, associated software that could break any DES-enciphered message in a few days published in 1998
• Several challenges to break DES messages solved using distributed computing
• NIST selected Rijndael as Advanced Encryption Standard, successor to DES
• Designed to withstand attacks that were successful on DES

INFSCI 2935: Introduction to Computer Security

Public Key Cryptography
• Two keys
• Private key known only to individual
• Public key available to anyone
• Idea
• Confidentiality:
• encipher using public key,
• decipher using private key
• Integrity/authentication:
• encipher using private key,
• decipher using public one

INFSCI 2935: Introduction to Computer Security

Requirements
• Given the appropriate key, it must be computationally easy to encipher or decipher a message
• It must be computationally infeasible to derive the private key from the public key
• It must be computationally infeasible to determine the private key from a chosen plaintext attack

INFSCI 2935: Introduction to Computer Security

Diffie-Hellman
• Compute a common, shared key
• Called a symmetric key exchange protocol
• Based on discrete logarithm problem
• Given integers n and g and prime number p, compute k such that n = gk mod p
• Solutions known for small p
• Solutions computationally infeasible as p grows large – hence, choose large p

INFSCI 2935: Introduction to Computer Security

Algorithm
• Constants known to participants
• prime p; integer g other than 0, 1 or p–1
• Alice: (private = kA, public = KA)
• Bob: (private = kB, public = KB)
• KA = gkA mod p
• KB = gkB mod p
• To communicate with Bob,
• Anne computes SA, B= KBkA mod p
• To communicate with Alice,
• Bob computes SB, A = KAkB mod p
• SA, B = SB, A ?

INFSCI 2935: Introduction to Computer Security

Example
• Assume p = 53 and g = 17
• Alice chooses kA = 5
• Then KA = 175 mod 53 = 40
• Bob chooses kB= 7
• Then KB= 177 mod 53 = 6
• Shared key:
• KBkA mod p = 65 mod 53 = 38
• KAkB mod p = 407 mod 53 = 38

Let p = 5, g = 3

kA = 4, kB = 3

KA = ?, KB = ?,

S = ?,

INFSCI 2935: Introduction to Computer Security

RSA
• Relies on the difficulty of determining the number of numbers relatively prime to a large integer n
• Totient function (n)
• Number of + integers less than n and relatively prime to n
• Relatively prime means with no factors in common with n
• Example: (10) = 4
• 1, 3, 7, 9 are relatively prime to 10
• (77) ?
• (p) ?
• When p is a prime number
• (pq) ?
• When p and q are prime numbers

INFSCI 2935: Introduction to Computer Security

Algorithm
• Choose two large prime numbers p, q
• Let n = pq; then (n) = (p–1)(q–1)
• Choose e < n relatively prime to (n).
• Compute d such that ed mod (n) = 1
• Public key: (e, n); private key: d (or (d, n))
• Encipher: c = me mod n
• Decipher: m = cd mod n

INFSCI 2935: Introduction to Computer Security

Confidentiality using RSA

Y

X

Encryption

Message

Source

X

Decryption

Message

Source

Bob

Alice

kB

KB

Key Source

INFSCI 2935: Introduction to Computer Security

Example: Confidentiality
• Take p = 7, q = 11, so n = 77 and (n) = 60
• Say Bob chooses (KB) e = 17, making (kB) d = 53
• 17 x 53 mod 60 = ?
• Alice wants to send Bob secret message HELLO [07 04 11 11 14]
• 0717 mod 77 = 28
• 0417 mod 77 = 16
• 1117 mod 77 = 44
• 1117 mod 77 = 44
• 1417 mod 77 = 42
• Alice sends ciphertext [28 16 44 44 42]

INFSCI 2935: Introduction to Computer Security

Example
• Bob receives [28 16 44 44 42]
• Bob uses private key (kB), d = 53, to decrypt the message:
• 2853 mod 77 = 07 H
• 1653 mod 77 = 04 E
• 4453 mod 77 = 11 L
• 4453 mod 77 = 11 L
• 4253 mod 77 = 14 O
• No one else could read it, as only Bob knows his private key and that is needed for decryption

INFSCI 2935: Introduction to Computer Security

Authentication using RSA

Y

X

Encryption

Message

Source

X

Decryption

Message

Source

Bob

Alice

KA

kA

Key Source

INFSCI 2935: Introduction to Computer Security

Example: Origin Integrity/Authentication
• Take p = 7, q = 11, so n = 77 and (n) = 60
• Alice chooses (KA) e = 17, making (kA) d = 53
• Alice wants to send Bob message HELLO [07 04 11 11 14] so Bob knows it is what Alice sent and there was no changes in transit
• 0753 mod 77 = 35
• 0453 mod 77 = 09
• 1153 mod 77 = 44
• 1153 mod 77 = 44
• 1453 mod 77 = 49
• Alice sends [35 09 44 44 49]

INFSCI 2935: Introduction to Computer Security

Example
• Bob receives 35 09 44 44 49
• Bob uses Alice’s public key (KA), e = 17, n = 77, to decrypt message:
• 3517 mod 77 = 07 H
• 0917 mod 77 = 04 E
• 4417 mod 77 = 11 L
• 4417 mod 77 = 11 L
• 4917 mod 77 = 14 O
• Alice sent it as only she knows her private key, so no one else could have enciphered it
• If (enciphered) message’s blocks (letters) altered in transit, would not decrypt properly

INFSCI 2935: Introduction to Computer Security

Encryption

X

Confidentiality + Authentication

Encryption

Message

Source

X

Z

Decryption

Y

Decryption

X

Message

Source

Bob

Alice

kB

kA

KA

KB

Key Source

Key Source

INFSCI 2935: Introduction to Computer Security

Example: Confidentiality + Authentication
• Alice wants to send Bob message HELLO both enciphered and authenticated (integrity-checked)
• Alice’s keys: public (17, 77); private: 53
• Bob’s keys: public: (37, 77); private: 13
• Alice enciphers HELLO [07 04 11 11 14]:
• (0753 mod 77)37 mod 77 = 07
• (0453 mod 77)37 mod 77 = 37
• (1153 mod 77)37 mod 77 = 44
• (1153 mod 77)37 mod 77 = 44
• (1453 mod 77)37 mod 77 = 14
• Alice sends [07 37 44 44 14]

INFSCI 2935: Introduction to Computer Security

Example: Confidentiality + Authentication
• Alice’s keys: public (17, 77); private: 53
• Bob’s keys: public: (37,77); private: 13
• Bob deciphers (07 37 44 44 14):
• (0713 mod 77)17 mod 77 = 07 H
• (3713 mod 77)17 mod 77 = 04 E
• (4413 mod 77)17 mod 77 = 11 L
• (4413 mod 77)17 mod 77 = 11 L
• (1413 mod 77)17 mod 77 = 14 O

INFSCI 2935: Introduction to Computer Security

Security Services
• Confidentiality
• Only the owner of the private key knows it, so text enciphered with public key cannot be read by anyone except the owner of the private key
• Authentication
• Only the owner of the private key knows it, so text enciphered with private key must have been generated by the owner

INFSCI 2935: Introduction to Computer Security

More Security Services
• Integrity
• Enciphered letters cannot be changed undetectably without knowing private key
• Non-Repudiation
• Message enciphered with private key came from someone who knew it

INFSCI 2935: Introduction to Computer Security

Warnings
• Encipher message in blocks considerably larger than the examples here
• If 1 character per block, RSA can be broken using statistical attacks (just like classical cryptosystems)
• Attacker cannot alter letters, but can rearrange them and alter message meaning
• Example: reverse enciphered message of text ON to get NO

INFSCI 2935: Introduction to Computer Security

Cryptographic Checksums
• Mathematical function to generate a set of k bits from a set of n bits (where k ≤ n).
• k is smaller then n except in unusual circumstances
• Keyed CC: requires a cryptographic key

h = CK(M)

• Keyless CC: requires no cryptographic key
• Message Digest or One-way Hash Functions

h = H(M)

• Can be used for message authentication
• Hence, also called Message Authentication Code (MAC)

INFSCI 2935: Introduction to Computer Security

Mathematical characteristics
• Every bit of the message digest function potentially influenced by every bit of the function’s input
• If any given bit of the function’s input is changed, every output bit has a 50 percent chance of changing
• Given an input file and its corresponding message digest, it should be computationally infeasible to find another file with the same message digest value

INFSCI 2935: Introduction to Computer Security

Definition
• Cryptographic checksum function h: AB:
• For any xA, h(x) is easy to compute
• Makes hardware/software implementation easy
• For any yB, it is computationally infeasible to find xA such that h(x) = y
• One-way proerpty
• It is computationally infeasible to find x, x´ A such that x ≠ x´ and h(x) = h(x´)

3’. Alternate form (Stronger): Given any xA, it is computationally infeasible to find a different x´ A such that h(x) = h(x´).

INFSCI 2935: Introduction to Computer Security

Collisions
• If x ≠ x´ and h(x) = h(x´), x and x´ are a collision
• Pigeonhole principle: if there are n containers for n+1 objects, then at least one container will have 2 objects in it.
• Application: suppose n = 5 and k = 3. Then there are 32 elements of A and 8 elements of B, so at least one element of B has at least 4 corresponding elements of A

INFSCI 2935: Introduction to Computer Security

Keys
• Keyed cryptographic checksum: requires cryptographic key
• DES in chaining mode: encipher message, use last n bits. Requires a key to encipher, so it is a keyed cryptographic checksum.
• Keyless cryptographic checksum: requires no cryptographic key
• MD5 and SHA-1 are best known; others include MD4, HAVAL, and Snefru

INFSCI 2935: Introduction to Computer Security

Message Digest
• MD2, MD4, MD5 (Ronald Rivest)
• Produces 128-bit digest;
• MD2 is probably the most secure, longest to compute (hence rarely used)
• MD4 is a fast alternative; MD5 is modification of MD4
• SHA, SHA-1 (Secure Hash Algorithm)
• Related to MD4; used by NIST’s Digital Signature
• Produces 160-bit digest
• SHA-1 may be better
• SHA-256, SHA-384, SHA-512
• 256-, 384-, 512 hash functions designed to be use with the Advanced Encryption Standards (AES)
• Example:
• MD5(There is \$1500 in the blue bo) = f80b3fde8ecbac1b515960b9058de7a1
• MD5(There is \$1500 in the blue box) = a4a5471a0e019a4a502134d38fb64729

INFSCI 2935: Introduction to Computer Security

Hash Message Authentication Code (HMAC)
• Make keyed cryptographic checksums from keyless cryptographic checksums
• h keyless cryptographic checksum function that takes data in blocks of b bytes and outputs blocks of l bytes. k´ is cryptographic key of length b bytes
• If short, pad with 0 bytes; if long, hash to length b
• ipad is 00110110 repeated b times
• opad is 01011100 repeated b times
• HMAC-h(k, m) = h(k´  opad || h(k´  ipad || m))
•  exclusive or, || concatenation

INFSCI 2935: Introduction to Computer Security

Security Levels
• Unconditionally Secure
• Unlimited resources + unlimited time
• Still the plaintext CANNOT be recovered from the ciphertext
• Computationally Secure
• Cost of breaking a ciphertext exceeds the value of the hidden information
• The time taken to break the ciphertext exceeds the useful lifetime of the information

INFSCI 2935: Introduction to Computer Security

Key Points
• Two main types of cryptosystems: classical and public key
• Classical cryptosystems encipher and decipher using the same key
• Or one key is easily derived from the other
• Public key cryptosystems encipher and decipher using different keys
• Computationally infeasible to derive one from the other

INFSCI 2935: Introduction to Computer Security

Key Management

INFSCI 2935: Introduction of Computer Security

Issues
• Authentication and distribution of keys
• Session key
• Key exchange protocols
• Kerberos
• Mechanisms to bind an identity to a key
• Generation, maintenance and revoking of keys

INFSCI 2935: Introduction to Computer Security

Notation
• XY : { Z || W } kX,Y
• X sends Y the message produced by concatenating Z and W enciphered by key kX,Y, which is shared by users X and Y
• AT : { Z } kA || { W } kA,T
• A sends T a message consisting of the concatenation of Z enciphered using kA, A’s key, and W enciphered using kA,T, the key shared by A and T
• r1, r2 nonces (nonrepeating random numbers)

INFSCI 2935: Introduction to Computer Security

Session, Interchange Keys
• Alice wants to send a message m to Bob
• Assume public key encryption
• Alice generates a random cryptographic key ks and uses it to encipher m
• To be used for this message only
• Called a session key
• She enciphers ks with Bob’s public key kB
• kB enciphers all session keys Alice uses to communicate with Bob
• Called an interchange key
• Alice sends { m } ks{ ks} kB

INFSCI 2935: Introduction to Computer Security

Benefits
• Limits amount of traffic enciphered with single key
• Standard practice, to decrease the amount of traffic an attacker can obtain
• Makes replay attack less effective
• Prevents some attacks
• Example: Alice will send Bob message that is either “BUY” or “SELL”.
• Eve computes possible ciphertexts {“BUY”} kB and {“SELL”} kB.
• Eve intercepts enciphered message, compares, and gets plaintext at once

INFSCI 2935: Introduction to Computer Security

Key Exchange Algorithms
• Goal: Alice, Bob use a shared key to communicate secretely
• Criteria
• Key cannot be sent in clear
• Attacker can listen in
• Key can be sent enciphered, or derived from exchanged data plus data not known to an eavesdropper
• Alice, Bob may trust third party
• All cryptosystems, protocols publicly known
• Only secret data is the keys, ancillary information known only to Alice and Bob needed to derive keys
• Anything transmitted is assumed known to attacker

INFSCI 2935: Introduction to Computer Security

Classical Key Exchange
• How do Alice, Bob begin?
• Alice can’t send it to Bob in the clear!
• Assume trusted third party, Cathy
• Alice and Cathy share secret key kA
• Bob and Cathy share secret key kB
• Use this to exchange shared key ks

INFSCI 2935: Introduction to Computer Security

Simple Key Exchange Protocol

{ request for session key to Bob } kA

Alice

Cathy

{ ks }kA , { ks }kB

Alice

Cathy

{ ks } kB

Alice

Bob

{m}ks

Alice

Bob

Eve

INFSCI 2935: Introduction to Computer Security

Problems
• How does Bob know he is talking to Alice?
• Replay attack: Eve records message from Alice to Bob, later replays it; Bob may think he’s talking to Alice, but he isn’t
• Session key reuse: Eve replays message from Alice to Bob, so Bob re-uses session key
• Protocols must provide authentication and defense against replay

INFSCI 2935: Introduction to Computer Security

Needham-Schroeder

Alice || Bob || r1

Alice

Cathy

{ Alice || Bob || r1 || ks , { Alice || ks } kB } kA

Alice

Cathy

{ Alice || ks } kB

Alice

Bob

{ r2 } ks

Alice

Bob

{ r2 – 1 } ks

Alice

Bob

INFSCI 2935: Introduction to Computer Security

Argument: Alice talking to Bob
• Second message
• Enciphered using key only she, Cathy know
• So Cathy enciphered it
• Response to first message
• As r1 in it matches r1 in first message
• Third message
• Alice knows only Bob can read it
• As only Bob can derive session key from message
• Any messages enciphered with that key are from Bob

INFSCI 2935: Introduction to Computer Security

Argument: Bob talking to Alice
• Third message
• Enciphered using key only he, Cathy know
• So Cathy enciphered it
• Names Alice, session key
• Cathy provided session key, says Alice is other party
• Fourth message
• Uses session key to determine if it is replay from Eve
• If not, Alice will respond correctly in fifth message
• If so, Eve can’t decipher r2 and so can’t respond, or responds incorrectly

INFSCI 2935: Introduction to Computer Security

Problem withNeedham-Schroeder
• Assumption: all keys are secret
• Question: suppose Eve can obtain session key. How does that affect protocol?
• In what follows, Eve knows ks

{ Alice || ks } kB [Replay]

Eve

Bob

{ r3 } ks [Eve intercepts]

Eve

Bob

{ r3 – 1 } ks

Eve

Bob

INFSCI 2935: Introduction to Computer Security

Solution: Denning-Sacco Modification
• In protocol above, Eve impersonates Alice
• Problem: replay in third step
• First in previous slide
• Solution: use time stamp T to detect replay
• Needs synchronized clocks
• Weakness: if clocks not synchronized, may either reject valid messages or accept replays
• Parties with either slow or fast clocks vulnerable to replay
• Resetting clock does not eliminate vulnerability

INFSCI 2935: Introduction to Computer Security

Needham-Schroeder with Denning-Sacco Modification

Alice || Bob || r1

Alice

Cathy

{ Alice || Bob || r1 || ks || { Alice || T || ks } kB } kA

Alice

Cathy

{ Alice || T || ks } kB

Alice

Bob

{ r2 } ks

Alice

Bob

{ r2 – 1 } ks

Alice

Bob

INFSCI 2935: Introduction to Computer Security

Otway-Rees Protocol
• Corrects problem
• That is, Eve replaying the third message in the protocol
• Does not use timestamps
• Not vulnerable to the problems that Denning-Sacco modification has
• Uses integer n to associate all messages with a particular exchange

INFSCI 2935: Introduction to Computer Security

The Protocol

n || Alice || Bob || { r1 || n || Alice || Bob } kA

Alice

Bob

n || Alice || Bob || { r1 || n || Alice || Bob } kA ||

{ r2 || n || Alice || Bob } kB

Cathy

Bob

n || { r1 || ks } kA || { r2 || ks } kB

Cathy

Bob

n || { r1 || ks } kA

Alice

Bob

INFSCI 2935: Introduction to Computer Security

Argument: Alice talking to Bob
• Fourth message
• If n matches first message, Alice knows it is part of this protocol exchange
• Cathy generated ks because only she, Alice know kA
• Enciphered part belongs to exchange as r1 matches r1 in encrypted part of first message

INFSCI 2935: Introduction to Computer Security

Argument: Bob talking to Alice
• Third message
• If n matches second message, Bob knows it is part of this protocol exchange
• Cathy generated ks because only she, Bob know kB
• Enciphered part belongs to exchange as r2 matches r2 in encrypted part of second message

INFSCI 2935: Introduction to Computer Security

Replay Attack
• Eve acquires old ks, message in third step
• n || { r1 || ks } kA || { r2 || ks } kB
• Eve forwards appropriate part to Alice
• Alice has no ongoing key exchange with Bob: n matches nothing, so is rejected
• Alice has ongoing key exchange with Bob: n does not match, so is again rejected
• If replay is for the current key exchange, and Eve sent the relevant part before Bob did, Eve could simply listen to traffic; no replay involved

INFSCI 2935: Introduction to Computer Security

Kerberos
• Authentication system
• Based on Needham-Schroeder with Denning-Sacco modification
• Central server plays role of trusted third party (“Cathy”)
• Ticket (credential)
• Issuer vouches for identity of requester of service
• Authenticator
• Identifies sender
• Alice must
• Authenticate herself to the system
• Obtain ticket to use server S

INFSCI 2935: Introduction to Computer Security

Overview
• User u authenticates to Kerberos server
• Obtains ticket Tu,TGS for ticket granting service (TGS)
• User u wants to use service s:
• User sends authenticator Au, ticket Tu,TGS to TGS asking for ticket for service
• TGS sends ticket Tu,s to user
• User sends Au, Tu,s to server as request to use s
• Details follow

INFSCI 2935: Introduction to Computer Security

Ticket
• Credential saying issuer has identified ticket requester
• Example ticket issued to user u for service s

Tu,s = s || { u || u’s address || valid time || ku,s } ks

where:

• ku,s is session key for user and service
• Valid time is interval for which the ticket is valid
• u’s address may be IP address or something else
• Note: more fields, but not relevant here

INFSCI 2935: Introduction to Computer Security

Authenticator
• Credential containing identity of sender of ticket
• Used to confirm sender is entity to which ticket was issued
• Example: authenticator user u generates for service s

Au,s = { u || generation time || kt } ku,s

where:

• kt is alternate session key
• Generation time is when authenticator generated
• Note: more fields, not relevant here

INFSCI 2935: Introduction to Computer Security

Protocol

user || TGS

user

Cathy

{ ku,TGS } ku || Tu,TGS

Cathy

user

service || Au,TGS || Tu,TGS

user

TGS

user || { ku,s } ku,TGS || Tu,s

user

TGS

Au,s || Tu,s

user

service

{ t + 1 } ku,s

user

service

INFSCI 2935: Introduction to Computer Security

Analysis
• First two steps get user ticket to use TGS
• User u can obtain session key only if u knows key shared with Cathy
• Next four steps show how u gets and uses ticket for service s
• Service s validates request by checking sender (using Au,s) is same as entity ticket issued to
• Step 6 optional; used when u requests confirmation

INFSCI 2935: Introduction to Computer Security

Problems
• Relies on synchronized clocks
• If not synchronized and old tickets, authenticators not cached, replay is possible
• Tickets have some fixed fields
• Dictionary attacks possible
• Kerberos 4 session keys weak (had much less than 56 bits of randomness); researchers at Purdue found them from tickets in minutes

INFSCI 2935: Introduction to Computer Security

Public Key Key Exchange
• Here interchange keys known
• eA, eB Alice and Bob’s public keys known to all
• dA, dB Alice and Bob’s private keys known only to owner
• Simple protocol
• ks is desired session key

{ ks } eB

Alice

Bob

INFSCI 2935: Introduction to Computer Security

Problem and Solution
• Vulnerable to forgery or replay
• Because eB known to anyone, Bob has no assurance that Alice sent message
• Simple fix uses Alice’s private key
• ks is desired session key

{ { ks } dA } eB

Alice

Bob

INFSCI 2935: Introduction to Computer Security

Notes
• Can include message enciphered with ks
• Assumes Bob has Alice’s public key, and vice versa
• If not, each must get it from public server
• If keys not bound to identity of owner, attacker Eve can launch a man-in-the-middle attack (next slide; Cathy is public server providing public keys)

INFSCI 2935: Introduction to Computer Security

Man-in-the-Middle Attack

send me Bob’s public key

Eve intercepts request

Alice

Cathy

send me Bob’s public key

Cathy

Eve

eB

Cathy

Eve

eE

Eve

Alice

{ ks } eE

Eve intercepts message

Bob

Alice

{ ks } eB

Bob

Eve

INFSCI 2935: Introduction to Computer Security

Key Generation
• Goal: generate difficult to guess keys
• Problem statement: given a set of K potential keys, choose one randomly
• Equivalent to selecting a random number between 0 and K–1 inclusive
• Why is this hard: generating random numbers
• Actually, numbers are usually pseudo-random, that is, generated by an algorithm

INFSCI 2935: Introduction to Computer Security

What is “Random”?
• Sequence of cryptographically ransom numbers: a sequence of numbers n1, n2, … such that for any integer k > 0, an observer cannot predict nk even if all of n1, …, nk–1 are known
• Best: physical source of randomness
• Electromagnetic phenomena
• Characteristics of computing environment such as disk latency
• Ambient background noise

INFSCI 2935: Introduction to Computer Security

What is “Pseudorandom”?
• Sequence of cryptographically pseudorandom numbers: sequence of numbers intended to simulate a sequence of cryptographically random numbers but generated by an algorithm
• Very difficult to do this well
• Linear congruential generators [nk = (ank–1 + b) mod n] broken (a, b and n are relatively prime)
• Polynomial congruential generators [nk = (ajnk–1j + … + a1nk–1 a0) mod n] broken too
• Here, “broken” means next number in sequence can be determined

INFSCI 2935: Introduction to Computer Security

Best Pseudorandom Numbers
• Strong mixing function: function of 2 or more inputs with each bit of output depending on some nonlinear function of all input bits
• Examples: DES, MD5, SHA-1
• Use on UNIX-based systems:

(date; ps gaux) | md5

where “ps gaux” lists all information about all processes on system

INFSCI 2935: Introduction to Computer Security

Digital Signature
• Construct that authenticates origin, contents of message in a manner provable to a disinterested third party (“judge”)
• Sender cannot deny having sent message (service is “nonrepudiation”)
• Limited to technical proofs
• Inability to deny one’s cryptographic key was used to sign
• One could claim the cryptographic key was stolen or compromised
• Legal proofs, etc., probably required;

INFSCI 2935: Introduction to Computer Security

Common Error
• Classical: Alice, Bob share key k
• Alice sends m || { m }k to Bob

This is a digital signature

WRONG

• This is not adigital signature
• Why? Third party cannot determine whether Alice or Bob generated message

INFSCI 2935: Introduction to Computer Security

Classical Digital Signatures
• Require trusted third party
• Alice, Bob each share keys with trusted party Cathy
• To resolve dispute, judge gets { m }kAlice, { m }kBob, and has Cathy decipher them; if messages matched, contract was signed

{ m }kAlice

Alice

Bob

{ m }kAlice

Bob

Cathy

{ m }kBob

Cathy

Bob

INFSCI 2935: Introduction to Computer Security

Public Key Digital Signatures
• Alice’s keys are dAlice, eAlice
• Alice sends Bob

m || { m }dAlice

• In case of dispute, judge computes

{ { m }dAlice }eAlice

• and if it is m, Alice signed message
• She’s the only one who knows dAlice!

INFSCI 2935: Introduction to Computer Security