
CSE 543 - Computer Security Lecture 3 - Principles September 4, 2007



  1. CSE 543 - Computer Security Lecture 3 - Principles September 4, 2007
     URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/
     CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger

  2. Data Encryption Standard (DES)
     • Introduced by the US NBS (now NIST) in 1972
     • Signaled the beginning of the modern era of cryptography
     • Block cipher
       – Fixed sized input
     • 8-byte input and an 8-byte key (56 bits + 8 parity bits)

  3. Cryptanalysis of DES
     • DES has an effective 56-bit key length
       – Wiener: $1,000,000 - 3.5 hours (never built)
       – July 17, 1998, the EFF DES Cracker, which was built for less than $250,000: < 3 days
       – January 19, 1999, Distributed.Net (w/EFF), 22 hours and 15 minutes (over many machines)
       – We all assume that NSA and agencies like it around the world can crack (recover key) DES in milliseconds
     • What now? Give up on DES?

  4. Variants of DES
     • DESX (XOR with separate keys ~= 60-bits)
       – Linear cryptanalysis
     • Triple DES (three keys ~= 112-bits)
       – keys k1, k2, k3
     • c = E( D( E( p, k1), k2), k3)
     [Figure: p passes through E, D, E under keys k1, k2, k3 to give c]

  5. Advanced Encryption Standard (AES)
     • Result of international NIST bakeoff between cryptographers
       – Intended as replacement for DES
       – Rijndael (pronounced "Rhine-dall")
       – Currently implemented in many devices and software, but not yet fully embraced
       – Cryptography community is actively vetting the theory and implementations (stay tuned)

  6. Public Key Cryptography
     • Public Key cryptography
       – Each key pair consists of a public and private component: k+ (public key), k- (private key)
         D( E(p, k+), k- ) = p
         D( E(p, k-), k+ ) = p
     • Public keys are distributed (typically) through public key certificates
       – Anyone can communicate secretly with you if they have your certificate
       – E.g., SSL-based web commerce

  7. How do you use such cryptosystems?
     • Can't use a secret by myself

  8. Needham and Schroeder
     • This is where they come in
       – Symmetric and public key systems are being invented (DES, Diffie-Hellman, RSA)
       – Network computation is somewhat common
       – Want to set up a general approach to secure network communication

  9. Authenticated Interactive Communication
     • Scenario
       – Two principals, A and B
       – Principal A wants to send a secure message to principal B
       – They have never met
     • What do we need to proceed?

  10. Trusted Third Party
     • Authentication Server
     • What is it entrusted to do?
       – Maintains a database of keys for each principal
         • K_AS where A is the principal and S is the authentication server
       – Generate information necessary for principal A to initiate a communication with principal B
         • A --> AS: A, B, I_A
         • AS --> A: {I_A, B, K_AB, {K_AB, A}K_BS}K_AS
         • A --> B: {K_AB, A}K_BS
         • B --> A: {I_B}K_AB
         • A --> B: {I_B - 1}K_AB

  11. What Do The Messages Mean?
     • First and Second Messages
       – A --> AS: A, B, I_A
       – AS --> A: {I_A, B, K_AB, {K_AB, A}K_BS}K_AS
       – A --> B: {K_AB, A}K_BS
       – B --> A: {I_B}K_AB
       – A --> B: {I_B - 1}K_AB
     • A asks to communicate with B
     • AS provides A with the basis to set it up
       – Session key: K_AB
       – Ticket: {K_AB, A}K_BS
       – Protected by the key that is shared between A and the server: K_AS
     • Why is it OK for the first message to be 'in the clear'?

  12. What do the messages mean?
     • Third message
       – A --> AS: A, B, I_A
       – AS --> A: {I_A, B, K_AB, {K_AB, A}K_BS}K_AS
       – A --> B: {K_AB, A}K_BS
       – B --> A: {I_B}K_AB
       – A --> B: {I_B - 1}K_AB
     • What does this message contain?

  13. What do the messages mean?
     • Fourth and Fifth Messages
       – A --> AS: A, B, I_A
       – AS --> A: {I_A, B, K_AB, {K_AB, A}K_BS}K_AS
       – A --> B: {K_AB, A}K_BS
       – B --> A: {I_B}K_AB
       – A --> B: {I_B - 1}K_AB
     • A and B now have the key: K_AB
     • They need to prove that they can really use it
       – Why does A believe that B really has the key?
       – Why does B believe that A really has the key?

  14. Other Protocols
     • Public key: discuss next week
     • One-way communication

  15. One-way communication
     • Goal: Enable secrecy and integrity when the sender is no longer 'online'
     • With symmetric key:
       – Encrypt email with session key (obtained from AS)
       – Put ticket in the email header
       – A --> B: {K_AB, A}K_BS
     • Why is this sufficient?
     • How do we ensure freshness?

  16. Trustworthiness
     • How do you ensure their trustworthiness?
     • Do you need to do anything on the clients to ensure the security of the protocol?

  17. Alternatives
     • Can you devise a shorter protocol?
       – with the same properties
       – or slightly weaker, but perhaps useful properties
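
The exchange on slides 10 to 13, as an added example that is not part of the original lecture: the AS, A and B run in one process, and `{X}K` is modelled with a standard-library encrypt-then-MAC toy (an assumption, since the slides name no cipher). The names `seal`, `unseal`, `as_respond`, `nonce64` and `run_protocol` are hypothetical.

```python
# Added example: the five-message exchange from slides 10 to 13, all roles in one process.
# {X}K is modelled with a stdlib toy (SHA-256 counter keystream + HMAC tag); the slides
# name no cipher, so this construction is an assumption and is not a vetted design.
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Return {obj}key as hex: encrypt, then authenticate."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return (nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()).hex()

def unseal(key, blob):
    """Open {obj}key; reject a wrong key or a modified message."""
    raw = bytes.fromhex(blob)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

KEYS = {"A": os.urandom(32), "B": os.urandom(32)}  # AS database: K_AS and K_BS

def nonce64():
    return int.from_bytes(os.urandom(8), "big")

def as_respond(a, b, i_a):
    """Message 2: AS --> A: {I_A, B, K_AB, {K_AB, A}K_BS}K_AS"""
    k_ab = os.urandom(32).hex()
    ticket = seal(KEYS[b], [k_ab, a])
    return seal(KEYS[a], [i_a, b, k_ab, ticket])

def run_protocol():
    i_a = nonce64()                                   # message 1: A, B, I_A in the clear
    got_i_a, got_b, k_ab, ticket = unseal(KEYS["A"], as_respond("A", "B", i_a))
    if (got_i_a, got_b) != (i_a, "B"):                # A: reply is fresh and names B
        raise ValueError("stale or redirected reply from AS")
    k_ab_at_b, peer = unseal(KEYS["B"], ticket)       # message 3: B opens the ticket
    i_b = nonce64()
    msg4 = seal(bytes.fromhex(k_ab_at_b), i_b)        # message 4: {I_B}K_AB
    msg5 = seal(bytes.fromhex(k_ab), unseal(bytes.fromhex(k_ab), msg4) - 1)  # message 5
    b_accepts = unseal(bytes.fromhex(k_ab_at_b), msg5) == i_b - 1
    return peer, b_accepts, ticket
```

B's check on the ticket in message 3 shows only that the AS issued it for A, not when it was issued, which is the freshness question slide 15 raises.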
