Security
- Arises from "resource sharing"
  - Resources are encapsulated by processes;
  - users access them through the process's interface.
  - Clients are authorized to do some operations on resources.
- Confidentiality: protection against disclosure to unauthorized individuals
- Integrity: protection against modification or corruption
- Availability: protection against interference with the means to access the resources.
- Situation
  - distributed systems are open
  - the attackers are quite knowledgeable
  - a secret has a limited lifetime; the design of your security system is available to attackers
  - Only a small portion of people are trustworthy
- Attacks
  - Interruption; Interception; Modification; Fabrication
  - Passive attacks, active attacks

Cryptography
- Plaintext; Encryption algorithm; keys; Ciphertext; Decryption algorithm
- Three points:
  - two general operations: substitution, transposition
  - The number of keys used.
    • Same key: symmetric, single-key, secret-key, or conventional encryption.
    • Two keys: asymmetric, two-key, or public-key encryption
  - The way used to process the plaintext
    • block cipher; stream cipher
- Two requirements for using conventional encryption:
  - Strong encryption algorithm
  - secret key must be secure

DES Encrypt Alg.
- 1. Perform the initial permutation (IP) on one input block: IP(Input Block) → (L_0, R_0)
- 2. Then 16 iterations of the same operation, for i = 1, …, 16:
  - R_{i-1} → L_i
  - XOR(L_{i-1}, f(R_{i-1}, k_i)) → R_i
  - k_i is the 'round key'; f is called the "S-box Function". It is used to achieve a big degree of "message diffusion".
- 3. Finally, swap the left-half block and right-half block and perform an inverse initial permutation on it.
  - IP^{-1}(R_16, L_16) → output block.
- Decryption algorithm
  - uses the same three steps.
  - The only difference is the order of round keys: k_16, k_15, …, k_1.
  - check the correctness

S-box function
- two sub-operations:
  - It adds the round key by XOR to the half block R_{i-1}. This provides randomness.
  - Then it performs eight non-linear permutation functions on it to provide the non-linear property.
- The non-linear property can avoid DC attacks. DC attacks a cipher by exploring the linear difference between two plaintext messages and the linear difference between their corresponding ciphertext messages.
- "DES cracker", 1998
- a longer key: Triple DES
- Drawbacks: slow in software, smaller block size.

The Advanced Encryption Standard
- Rijndael Cipher: block cipher with a variable block size and variable key size {128, 192, 256}.
- At each round, four different transformations:
  - SubBytes(): non-linear property
  - ShiftRows(): message diffusion
  - MixColumns(): message diffusion
  - AddRoundKey(): randomness

Cipher operation modes
- electronic codebook (ECB) mode;
- cipher block chaining (CBC) mode;
- output feedback (OFB) mode;
- cipher feedback (CFB) mode;
- counter (CTR) mode
- Notations:
  - E(): the encryption algorithm
  - D(): the decryption algorithm
  - n: the block size;
  - P_1, P_2, …, P_m: a sequence of message segments.
  - C_1, C_2, …, C_m: the output sequence of ciphertext message segments;
  - LSB_u(B), MSB_v(B): the u least significant bits of the block B, and the v most significant bits of the block B.
  - A||B: concatenation of A and B.
- Electronic codebook (ECB) mode
  - En: E(P_i) → C_i; De: D(C_i) → P_i, i=1,…,m
  - encrypts each message segment independently; a segment always has the same unique ciphertext
  - Possible attack on some fixed pattern: stable frequency
  - deterministic

Cipher operation modes (continued)
- CBC mode
  - "initial vector" (IV). An IV is a random n-bit block. The IV is not secret.
  - En: IV → C_0; E(XOR(P_i, C_{i-1})) → C_i, i=1,…,m
  - De: IV → C_0; XOR(D(C_i), C_{i-1}) → P_i, i=1,…,m
  - the ciphertext messages sent to the receiver will include the IV.
- CFB mode
  - En: IV → I_1; LSB_{n-s}(I_{i-1})||C_{i-1} → I_i, i=2,…,m; E(I_i) → O_i, i=1,…,m; XOR(P_i, MSB_s(O_i)) → C_i, i=1,…,m
  - De: IV → I_1; LSB_{n-s}(I_{i-1})||C_{i-1} → I_i, i=2,…,m; E(I_i) → O_i, i=1,…,m; XOR(C_i, MSB_s(O_i)) → P_i, i=1,…,m
  - the encryption function of the underlying block cipher is used at both the encryption side and the decryption side
- OFB mode
  - En: IV → I_1; O_{i-1} → I_i, i=2,…,m; E(I_i) → O_i, i=1,…,m; XOR(P_i, O_i) → C_i, i=1,…,m
  - De: identical to En
- CTR mode
  - En: XOR(P_i, E(Ctr_i)) → C_i, i=1,…,m
  - De: XOR(C_i, E(Ctr_i)) → P_i, i=1,…,m
  - Ctr_1: initial random value. Ctr_i = Ctr_{i-1} + 1
  - the algorithms at the sender and receiver sides are the same

Key channel establishment
- Authentication servers
- Public-key techniques
- The quantum key distribution technique.
- Trent: authentication server.
- Alice and Bob: two principals who want to communicate with each other.
- Malice: attacker
- K_AT: the key shared between Alice and Trent;
- K_BT: the key shared between Bob and Trent.
- The first protocol: "From Alice to Bob"
  - 1. Alice sends to Trent: Alice, Bob, {K}_{K_AT}
  - 2. Trent sends to Bob: Alice, Bob, {K}_{K_BT}
  - 3. Bob sends to Alice: {Hi Alice, I'm Bob!}_K.
- Drawback: Bob may not trust Alice
- Fix: "session key from Trent"
  - 1. Alice sends to Trent: Alice, Bob
  - 2. Trent sends to Alice: {K}_{K_AT}, {K}_{K_BT};
  - 3. Alice to Bob: Trent, Alice, {K}_{K_BT}
  - 4. Bob sends to Alice: {Hi Alice, I'm Bob!}_K.
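
The Feistel rounds of the DES slide and the ECB and CBC definitions above, as an added Python example that is not part of the original slides. It assumes a toy 8-byte block, a hash-based round function and key schedule in place of the real DES ones, no initial permutation, and messages that are a whole number of blocks.

```python
import hashlib, os

BLOCK = 8  # toy block size in bytes (assumption); each half is 4 bytes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def f(half, k):
    # Stand-in round function (assumption): keyed hash cut to half a block.
    return hashlib.sha256(k + half).digest()[:BLOCK // 2]

def key_schedule(key, rounds=16):
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(1, rounds + 1)]

def feistel(block, keys):
    L, R = block[:BLOCK // 2], block[BLOCK // 2:]
    for k in keys:                 # L_i = R_{i-1}; R_i = XOR(L_{i-1}, f(R_{i-1}, k_i))
        L, R = R, xor(L, f(R, k))
    return R + L                   # final swap: (R_16, L_16)

def E(key, block):
    return feistel(block, key_schedule(key))

def D(key, block):                 # same steps, round keys k_16, k_15, ..., k_1
    return feistel(block, key_schedule(key)[::-1])

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    return b"".join(E(key, p) for p in blocks(pt))

def cbc_encrypt(key, iv, pt):
    out = [iv]                     # C_0 = IV is sent along with the ciphertext
    for p in blocks(pt):
        out.append(E(key, xor(p, out[-1])))   # C_i = E(XOR(P_i, C_{i-1}))
    return b"".join(out)

def cbc_decrypt(key, ct):
    c = blocks(ct)                 # P_i = XOR(D(C_i), C_{i-1})
    return b"".join(xor(D(key, c[i]), c[i - 1]) for i in range(1, len(c)))

def repeated_blocks(ct):
    b = blocks(ct)
    return len(b) - len(set(b))

if __name__ == "__main__":
    key, msg = b"constructed-key", b"PAY 100$" * 4   # constructed input: 4 equal blocks
    print(repeated_blocks(ecb_encrypt(key, msg)),
          repeated_blocks(cbc_encrypt(key, os.urandom(BLOCK), msg)))
```

Under ECB the four equal plaintext blocks give four equal ciphertext blocks, which is the fixed-pattern weakness the slide names; under CBC the chaining hides the repetition.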

Problem: no protection on the identities
- Attack: Malice can interrupt it and replace Bob's identity with his own identity, and then the key generated will be known to Alice and Malice.
- To fix it, Alice can encrypt Bob's identity with her key. But not encrypt her identity, why?
- This fix is not enough. Another attack is that Malice interrupts Alice's request message and sends a message: Alice, {Malice}_{K_AT} to Trent. Why does Malice have {Malice}_{K_AT}?
  - Also at the last step, Malice needs to send an ACK with Bob's identity. Why does Malice know it's Bob in the first message?
- Yet another attack is: Malice modifies the message from Trent to Alice into {K'}_{K_AT}
- Message Authentication Protocol: prevents modifying messages.
  - main idea: a binding between the session key and its intended users.
  - 1. Alice sends to Trent: Alice, Bob;
  - 2. Trent sends to Alice: {Bob, K}_{K_AT}, {Alice, K}_{K_BT};
  - 3. Alice decrypts {Bob, K}_{K_AT}, checks Bob's identity, and sends to Bob: Trent, {Alice, K}_{K_BT};
  - 4. Bob decrypts {Alice, K}_{K_BT}, checks Alice's identity, and sends an encrypted Ack message to Alice.

Message replay attack on Message Authentication Protocol
- Malice has old ciphertext messages: {Bob, K'}_{K_AT} and {Alice, K'}_{K_BT}, and knows the old key K'.
- Two mechanisms to check if the message received is an old message.
  - challenge-response, or handshake, or Needham-Schroeder Symmetric-key Authentication protocol
  - Timestamp: DES Authentication Verifiers
- challenge-response
  - 1. Alice sends to Trent: Alice, Bob, N_A; (N_A: random number)
  - 2. Trent sends to Alice: {N_A, Bob, K, {Alice, K}_{K_BT}}_{K_AT};
  - 3. Alice sends to Bob: Trent, {Alice, K}_{K_BT};
  - 4. Bob sends to Alice: {I'm Bob! N_B}_K;
  - 5. Alice sends to Bob: {I'm Alice! N_B-1}_K;
- Attack on this protocol: Malice interrupts messages 3, 4, 5, and replaces them with his own version.
  - 3'. Malice to Bob: Trent, {K', Alice}_{K_BT}
- Fix: challenge-response between Trent and Bob (more message flow)
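
An added symbolic model (not part of the original slides) of where the nonce N_A helps and where it does not: it replays the old messages that carry K' against the Message Authentication Protocol and against the challenge-response protocol. Encryption is modelled as a sealed tuple rather than a real cipher, and all function names are assumptions of this example.

```python
import os

def enc(key, *fields):
    # Symbolic {fields}_key: only a holder of `key` can open it (no real cipher).
    return ("enc", key, fields)

def dec(key, box):
    tag, k, fields = box
    if tag != "enc" or k != key:
        raise ValueError("wrong key")
    return fields

K_AT, K_BT = os.urandom(16), os.urandom(16)    # long-term keys shared with Trent

def trent_map(a, b, k):
    # Message Authentication Protocol, step 2: {Bob, K}_KAT, {Alice, K}_KBT
    return enc(K_AT, b, k), enc(K_BT, a, k)

def trent_cr(a, b, n_a, k):
    # Challenge-response, step 2: {N_A, Bob, K, {Alice, K}_KBT}_KAT
    return enc(K_AT, n_a, b, k, enc(K_BT, a, k))

def alice_accepts_map(reply, peer):
    who, k = dec(K_AT, reply)
    return k if who == peer else None

def alice_accepts_cr(reply, n_a, peer):
    nonce, who, k, _ticket = dec(K_AT, reply)
    return k if (nonce == n_a and who == peer) else None   # freshness check on N_A

def bob_accepts(ticket, peer):
    who, k = dec(K_BT, ticket)     # Bob has nothing fresh to compare against
    return k if who == peer else None

def run():
    old_k = os.urandom(16)         # K': session key of an earlier run, now known to Malice
    old_map = trent_map("Alice", "Bob", old_k)
    old_cr = trent_cr("Alice", "Bob", os.urandom(8), old_k)
    n_a = os.urandom(8)            # Alice's nonce in the current run
    return {
        "map_alice_accepts_old_key": alice_accepts_map(old_map[0], "Bob") == old_k,
        "cr_alice_accepts_old_key": alice_accepts_cr(old_cr, n_a, "Bob") == old_k,
        "bob_accepts_old_ticket": bob_accepts(old_map[1], "Alice") == old_k,
    }

if __name__ == "__main__":
    print(run())
```

The nonce makes Alice reject the replayed reply, but Bob still accepts the old ticket, which is why the slide's fix adds a challenge-response between Trent and Bob.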

Timestamp
- 1. Alice sends to Trent: Alice, Bob;
- 2. Trent sends to Alice: {Bob, K, T, {Alice, K, T}_{K_BT}}_{K_AT};
- 3. Alice sends to Bob: {Alice, K, T}_{K_BT};
- 4, 5. same as in the "Challenge Response" protocol.
- One problem is a good-quality time value and a reasonable window size.

Public key techniques
- mathematical functions
- smaller trust base
- 100 or 1000 times processing power for secret-key
- Applications: digital signature (RSA); key exchange (DH key exchange, RSA); encryption/decryption (RSA).

RSA
- block cipher; block value: [0, n-1]
- En: C = P^e (mod n); De: P = C^d (mod n).
- Public-key: {e, n}; private-key is {d, n}
- Key generation
  • 1. Select two prime numbers, for example p=7, and q=17.
  • 2. Calculate n=p*q=119.
  • 3. Calculate \phi(n)=96.
  • 4. Select e s.t. e is relatively prime to \phi(n) and <= \phi(n), in this case, e=5.
  • 5. Determine d such that d*e=1 (mod 96) and d <= 96. The correct value for d is 77 because 77*5=385=4*96+1.
- Huge computation

DH Key exchange
- two public numbers: a prime number q and an integer a, where a is a primitive root of q.
- User A selects a random integer X_A < q and calculates its public key Y_A = a^{X_A} mod q.
- Similarly, B selects X_B and calculates its public key Y_B
- The Man-in-the-Middle Attack
- Fix: authentication service
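
The RSA key generation steps with the slide's own numbers (p=7, q=17, e=5), followed by a DH exchange with and without Malice in the middle, as an added Python example that is not part of the original slides. The DH parameters q=353, a=3 and the plaintext block 19 are small sample values chosen here, and the function names are assumptions.

```python
import secrets
from math import gcd

def rsa_keygen(p, q, e):
    # Steps 1-5: n = p*q, phi(n) = (p-1)(q-1), e coprime to phi(n), d*e = 1 (mod phi(n)).
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    return (e, n), (pow(e, -1, phi), n)      # public {e, n}, private {d, n}

def rsa_apply(key, block):
    exp, n = key
    if not 0 <= block < n:
        raise ValueError("block value must lie in [0, n-1]")
    return pow(block, exp, n)                # C = P^e mod n, or P = C^d mod n

def dh_keypair(q, a):
    x = secrets.randbelow(q - 2) + 1         # private X, 1 <= X < q
    return x, pow(a, x, q)                   # public Y = a^X mod q

def dh_shared(q, x_own, y_peer):
    return pow(y_peer, x_own, q)

def dh_honest(q, a):
    xa, ya = dh_keypair(q, a)
    xb, yb = dh_keypair(q, a)
    return dh_shared(q, xa, yb) == dh_shared(q, xb, ya)

def dh_with_malice(q, a):
    # Nothing authenticates Y_A or Y_B, so Malice substitutes his own Y_M both ways.
    xa, ya = dh_keypair(q, a)
    xb, yb = dh_keypair(q, a)
    xm, ym = dh_keypair(q, a)
    k_alice, k_bob = dh_shared(q, xa, ym), dh_shared(q, xb, ym)
    # Malice can compute both keys; Alice and Bob each believe they share one with the other.
    return k_alice == dh_shared(q, xm, ya), k_bob == dh_shared(q, xm, yb)

if __name__ == "__main__":
    pub, priv = rsa_keygen(7, 17, 5)
    c = rsa_apply(pub, 19)
    print(pub, priv, c, rsa_apply(priv, c))
    print(dh_honest(353, 3), dh_with_malice(353, 3))
```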