Ee515 is523 think like an adversary lecture 3 cryptography in a nutshell
Download
1 / 37

EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell - PowerPoint PPT Presentation


  • 115 Views
  • Uploaded on

EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell. Yongdae Kim. Recap. http://syssec.kaist.ac.kr/courses/ee515 E-mail policy Include [ee515] or [is523] in the subject of your e-mail Student Survey http://bit.ly/SiK9M3 News posting

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell' - tuyen


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Ee515 is523 think like an adversary lecture 3 cryptography in a nutshell

EE515/IS523 Think Like an AdversaryLecture 3Cryptography in a Nutshell

Yongdae Kim


Recap
Recap

  • http://syssec.kaist.ac.kr/courses/ee515

  • E-mail policy

    • Include [ee515] or [is523] in the subject of your e-mail

  • Student Survey

    • http://bit.ly/SiK9M3

  • News posting

    • KLMS http://edu3.kaist.ac.kr/course/view.php?id=14461

  • Match making, criticism

    • KLMS

  • Text only posting, email!


In a nutshell
In a Nutshell

  • Security by Obscurity is not secure!

  • Conservative modeling for adversary

  • State-sponsored, Hacktivists, Hacker+Criminals, Researchers ;-)

  • Care for the weakest link.

  • Plan for unknown attacks.

  • Check for environmental changes

  • All stages are important

  • Attacker modeling, design, implementation, deployment, operation

  • Check News!

  • Cyber Warfare?


Security risk
Security & Risk

  • We only have finite resources for security…

  • If we only have $20K, which should we buy?

Product A

Prevents Attacks: U,W,Y,Z

Cost $10K

Product B

Prevents Attacks: V,X

Cost $20K


Ee515 is523 think like an adversary lecture 3 cryptography in a nutshell
Risk

  • The risk due to a set of attacks is the expected (or average) cost per unit of time.

  • One measure of risk is Annualized Loss

    Expectancy, or ALE:

ALE of attack A

Σ

( pA

×

LA )

attack A

Annualized attack

incidence

Cost per attack


Risk reduction
Risk Reduction

  • A defense mechanism may reduce the risk of a set of attacks by reducing LA or pA. This is the gross risk reduction (GRR):

  • The mechanism also has a cost. The net risk reduction (NRR) is GRR – cost.

Σ

(pA

×

LA – p’A×L’A)

attack A


Basic cryptography

Basic Cryptography

Yongdae Kim


The main players

Eve

Yves?

The main players

Bob

Alice


Attacks
Attacks

Normal Flow

Destination

Source

Interruption: Availability

Interception: Confidentiality

Destination

Destination

Source

Source

Modification: Integrity

Fabrication: Authenticity

Destination

Destination

Source

Source


Taxonomy of attacks
Taxonomy of Attacks

  • Passive attacks

    • Eavesdropping

    • Traffic analysis

  • Active attacks

    • Masquerade

    • Replay

    • Modification of message content

    • Denial of service


Big picture
Big picture

Trusted third party

(e.g. arbiter, distributor

of secret information)

Bob

Alice

Information

Channel

Message

Message

Secret

Information

Secret

Information

Eve


Terminology for encryption
Terminology for Encryption

  • A denotes a finite set called the alphabet

  • M denotes a set called the message space

    • M consists of strings of symbols from an alphabet

    • An element of M is called a plaintext

  • C denotes a set called the ciphertext space

    • C consists of strings of symbols from an alphabet

    • An element of C is called a ciphertext

  • K denotes a set called the key space

    • An element of K is called a key

  • Ee is an encryption function where e  K

  • Dd called a decryption function where d  K


Encryption
Encryption

  • Why do we use key?

    • Or why not use just a shared encryption function?

Adversary

Encryption

Ee(m) = c

Decryption

Dd(c) = m

c

insecure channel

m

m

Plaintext source

destination

Alice

Bob


Ske with secure channel
SKE with Secure channel

Adversary

d Secure channel

Key source

e

Encryption

Ee(m) = c

Decryption

Dd(c) = m

c

Insecure channel

m

m

Plaintext source

destination

Alice

Bob


Pke with insecure channel
PKE with insecure channel

Passive

Adversary

e Insecure channel

Key source

d

Encryption

Ee(m) = c

Decryption

Dd(c) = m

c

Insecure channel

m

m

Plaintext source

destination

Alice

Bob


Public key should be authentic

e

e’

Ee’(m)

Public key should be authentic!

  • Need to authenticate public keys

Ee(m)

e

Ee(m)


Digital signatures
Digital Signatures

  • Primitive in authentication and non-repudiation

  • Signature

    • Process of transforming the message and some secret information into a tag

  • Nomenclature

    • M is set of messages

    • S is set of signatures

    • SA: M ! S for A, kept private

    • VA is verification transformation from M to S for A, publicly known


Key establishment management
Key Establishment, Management

  • Key establishment

    • Process to whereby a shared secret key becomes available to two or more parties

    • Subdivided into key agreement and key transport.

  • Key management

    • The set of processes and mechanisms which support key establishment

    • The maintenance of ongoing keying relationships between parties



Symmetric key encryption
Symmetric key Encryption

  • Symmetric key encryption

    • if for each (e,d) it is easy computationally easy to compute e knowing d and d knowing e

    • Usually e = d

  • Block cipher

    • breaks up the plaintext messages to be transmitted into blocks of a fixed length, and encrypts one block at a time

  • Stream cipher

    • encrypt individual characters of plaintext message one at a time, using encryption transformation which varies with time


Hash function and mac
Hash function and MAC

  • A hash function is a function h

    • compression

    • ease of computation

    • Properties

      • one-way: for a given y, find x’ such that h(x’) = y

      • collision resistance: find x and x’ such that h(x) = h(x’)

    • Examples: SHA-1, MD-5

  • MAC (message authentication codes)

    • both authentication and integrity

    • MAC is a family of functions hk

      • ease of computation (if k is known !!)

      • compression, x is of arbitrary length, hk(x) has fixed length

      • computation resistance

    • Example: HMAC



Applications of hash function
Applications of Hash Function

  • File integrity

  • Digital signature

    Sign = SSK(h(m))

  • Password verification

    stored hash = h(password)

  • File identifier

  • Hash table

  • Generating random numbers


Hash function and mac1
Hash function and MAC

  • A hash function is a function h

    • compression

    • ease of computation

    • Properties

      • one-way: for a given y, find x’ such that h(x’) = y

      • collision resistance: find x and x’ such that h(x) = h(x’)

    • Examples: SHA-1, MD-5

  • MAC (message authentication codes)

    • both authentication and integrity

    • MAC is a family of functions hk

      • ease of computation (if k is known !!)

      • compression, x is of arbitrary length, hk(x) has fixed length

      • computation resistance

    • Example: HMAC


Mac construction from hash
MAC construction from Hash

  • Prefix

    • M=h(k||x)

    • appending y and deducing h(k||x||y) form h(k||x) without knowing k

  • Suffix

    • M=h(x||k)

    • possible a birthday attack, an adversary that can choose x can construct x’ for which h(x)=h(x’) in O(2n/2)

  • STATE OF THE ART: HMAC (RFC 2104)

    • HMAC(x)=h(k||p1||h(k|| p2||x)), p1 and p2 are padding

    • The outer hash operates on an input of two blocks

    • Provably secure


How to use mac
How to use MAC?

  • A & B share a secret key k

  • A sends the message x and the MAC M←Hk(x)

  • B receives x and M from A

  • B computes Hk(x) with received M

  • B checks if M=Hk(x)


Pke with insecure channel1
PKE with insecure channel

Passive

Adversary

e Insecure channel

Key source

d

Encryption

Ee(m) = c

Decryption

Dd(c) = m

c

Insecure channel

m

m

Plaintext source

destination

Alice

Bob


Digital signature
Digital Signature

  • Integrity

  • Authentication

  • Non-repudiation

I did not have intimate relations with that woman,…, Ms. Lewinsky

WJ Clinton


Digital signature with appendix
Digital Signature with Appendix

  • Schemes with appendix

    • Requires the message as input to verification algorithm

    • Rely on cryptographic hash functions rather than customized redundancy functions

    • DSA, ElGamal, Schnorr etc.


Digital signature with appendix1

Mh x S

VA

u 2{True, False}

Digital Signature with Appendix

M

Mh

S

SA,k

h

m

mh

s*

s* = SA,k(mh)

u = VA(mh, s*)


Authentication
Authentication

  • How to prove your identity?

    • Prove that you know a secret information

  • When key K is shared between A and Server

    • A  S: HMACK(M) where M can provide freshness

    • Why freshness?

  • Digital signature?

    • A  S: SigSK(M) where M can provide freshness

  • Comparison?


Encryption and authentication
Encryption and Authentication

  • EK(M)

  • Redundancy-then-Encrypt: EK(M, R(M))

  • Hash-then-Encrypt: EK(M, h(M))

  • Hash and Encrypt: EK(M), h(M)

  • MAC and Encrypt: Eh1(K)(M), HMACh2(K)(M)

  • MAC-then-Encrypt: Eh1(K)(M, HMACh2(K)(M))


Challenge response authentication
Challenge-response authentication

  • Alice is identified by a secret she possesses

    • Bob needs to know that Alice does indeed possess this secret

    • Alice provides responseto a time-variant challenge

    • Response depends on both secret and challenge

  • Using

    • Symmetric encryption

    • One way functions


Challenge response using ske
Challenge Response using SKE

  • Alice and Bob share a key K

  • Taxonomy

    • Unidirectional authentication using timestamps

    • Unidirectional authentication using random numbers

    • Mutual authentication using random numbers

  • Unilateral authentication using timestamps

    • Alice  Bob: EK(tA, B)

    • Bob decrypts and verified that timestamp is OK

    • Parameter Bprevents replay of same message in B  A direction


Challenge response using ske1
Challenge Response using SKE

  • Unilateral authentication using random numbers

    • Bob  Alice: rb

    • Alice  Bob: EK(rb, B)

    • Bob checks to see if rb is the one it sent out

      • Also checks “B” - prevents reflection attack

    • rb must be non-repeating

  • Mutual authentication using random numbers

    • Bob  Alice: rb

    • Alice  Bob: EK(ra, rb, B)

    • Bob  Alice: EK(ra, rb)

    • Alice checks that ra, rb are the ones used earlier


Challenge response using owf
Challenge-response using OWF

  • Instead of encryption, used keyed MAC hK

  • Check: compute MAC from known quantities, and check with message

  • SKID3

    • Bob  Alice: rb

    • Alice  Bob: ra, hK(ra, rb, B)

    • Bob  Alice: hK(ra, rb, A)


Key establishment management1
Key Establishment, Management

  • Key establishment

    • Process to whereby a shared secret key becomes available to two or more parties

    • Subdivided into key agreement and key transport.

  • Key management

    • The set of processes and mechanisms which support key establishment

    • The maintenance of ongoing keying relationships between parties