Encrypting the Internet - PowerPoint PPT Presentation

About This Presentation

Title:

Encrypting the Internet

Description:

Encrypting the Internet Phil Karn 18 April 2000 karn_at_qualcomm.com http://people.qualcomm.com/karn Overview Threat models Cryptography basics Layer tradeoffs ... – PowerPoint PPT presentation

Number of Views:102

Avg rating:3.0/5.0

Slides: 63

Provided by: nob892

Category:

more less

Transcript and Presenter's Notes

Title: Encrypting the Internet

1
Encrypting the Internet

Phil Karn
18 April 2000
karn_at_qualcomm.com
http//people.qualcomm.com/karn

2
Overview

Threat models
Cryptography basics
Layer tradeoffs
Cryptographic protocols on the Internet
Crypto politics

3
Threat ModelsI.e, What are you worried about?

Message confidentiality
Message authentication/integrity
Traffic analysis
Denial of service
Maintaining anonymity
Enforcing transparency

4
Confidentiality

Preventing an eavesdropper from understanding the
contents of a message
Cryptographys traditional role

5
Authentication/Integrity

Verifying who sent a message, and that it has not
been modified en route
Major role for public key cryptography
digital signatures can be verified with public key

6
Traffic Analysis

Gleaning information from traffic patterns even
if the contents are not decipherable
A threat often overlooked or ignored in civilian
applications
Difficult to do at upper layers
a traditional function of bulk link encryption

7
Denial of Service

An attacker might sabotage a network even if he
cannot read or forge legitimate messages
overloading a network (e.g, Internet MS-DOS)
jamming a radio channel (e.g., Captain Midnight)
Limited role for crypto in a public network
conditional access to resources, controls, etc

8
Enforcing Subnetwork Transparency

Some ISPs violate layering, or impose policy
constraints on user content or protocols
transparent web proxies
server Napster bans on college campuses and
cable modems
Higher layer crypto can thwart this
e.g., tunneling IP in a TCP connection to port
443 (SSL)
Carrier can still monitor traffic levels
which is the better way anyway

9
Cryptography Basics

Crypto secret, graphy writing
only someone with the key can understand an
encrypted message
Used in ancient times
Modern cryptography began during WW2
first machine-aided cryptanalysis (Enigma)
Invention of public key crypto in 1970s
finally made conventional crypto practical

10
Properties of a Good Modern Cipher

Large key to resist brute-force search
Published, reviewed algorithm
security depends entirely on secrecy of key
security cannot depend on algorithm secrecy
Resistance to chosen-plaintext attack
attacker cannot determine key even if given
ability to encrypt plaintext of the attackers
choosing
implies resistance to known-plaintext and
known-ciphertext attacks

11
Types of Cryptography

Symmetric
same key for both encryption and decryption
DES, IDEA, AES candidates
Asymmetric (Public Key)
key pairs private and public
based on factorization or discrete log problem
RSA, Diffie-Hellman, etc
much slower than symmetric
digital signature capability

12
DES a typical symmetric block cipher
13
Brute force keysearching

For a 56-bit key, there are 256 or
72,057,594,037,927,936 possibilities
This seems like a lot, but even in 1976 it seemed
too small given Moores Law
this was the major objection to DES
EFFs Deep Crack machine has made this a reality

14
Deep Crack

The name is a play on Deep Blue, the IBM chess
playing computer, which in turn played on Deep
Thought, CMUs chess playing computer named after
the computer in Douglas Adams The Hitchhikers
Guide to the Galaxy (arent you glad you asked?)
All crunch a long time and produce very little
output

15
Deep Crack

Sponsored by John Gilmore, EFF co-founder. Cost
210K
6 cabinets x 5 boards/cabinet x 64 custom
ASICS/board x 24 keysearch engines/ASIC
Total of 1800 functional chips
Tests 90,000,000,000 keys/sec
Can search the whole keyspace in lt5 days
Complete plans published in book form to exploit
my paper-format export loophole

16
Alternatives to DES

Triple DES
encrypt three times with 2 or 3 distinct keys
no brute-force attack for the forseeable future
IDEA
64-bit block cipher with 128-bit key
Used in PGP, SSH

17
More DES alternatives

RC4/RC5
proprietary ciphers designed by Ron Rivest, owned
by RSA Data Security Inc
widely implemented in web browsers
variable key lengths to meet export limits
NIST AES (Advanced Encryption Standard)
now fielding candidates, gt15 so far

18
Encryption for Authentication

A more recent application for cryptography
Vital for electronic commerce
Provides two related features
proof that whoever sent a message possesses a
particular key
integrity protection - confidence that a
legitimate message has not been modified in
transit

19
Sample authentication scheme
20
Challenge-response protocols

Prove possession of a secret key without
revealing that key on an open channel
Handy for computer logins, cellular phone
accesses, etc

21
Cryptographic hash functions

Block ciphers like DES can be used as hash
functions, but theyre slow and clumsy
Other functions have been specifically designed
as hashes
MD5
SHA-1
CAVE

22
Generic hash function
data, variable amount
fixed-size hash 128 bits (MD5) 160 bits (SHA-1)
23
Properties of hash functions

Computing a hash is fast
Finding an input that produces a given hash is
(hopefully) extremely hard
So is finding two inputs that hash to the same
result
Hash functions are also known as one-way
functions because of this property

24
Hash functions for confidentiality

Hash functions were custom-designed for
authentication applications
But they can still be used as building-blocks for
confidentiality!
Dan Bernsteins Snuffle is the subject of his
lawsuit pending in the 9th Cir since Dec 1997
I designed one thats described in Applied
Cryptography

25
Public key cryptography

All of the ciphers described so far have been
symmetric ciphers, I.e., the same key is used to
encrypt and to decrypt
Until the mid 1970s, all ciphers were symmetric
Public key ciphers are also called asymmetric-key
different keys to encrypt and decrypt

26
Why public key?

Use insecure channel to agree on shared secret
key for symmetric cipher
Allow anyone to send you a message without having
to first agree on a shared secret key
avoids n2 key management problem
Provide digital signatures
a unique capability

27
Public key theory

Public key ciphers are generally based on
mathematical problems known to be hard
discrete logarithm
factoring
The reverse operations are easy
discrete exponentiation
multiplication

28
Discrete logarithm

Computing the expressiony gx mod pwhere x and
p are suitably large integers (e.g., 1Kbit) is
relatively easy
Finding the value of x that produced a given y is
much harder!

29
Diffie-Hellman key exchange

The first public key scheme invented
patent expired in 1997
Not actually a public key encryption scheme, but
a key agreement scheme
Based on discrete log problem
Used in CDMA over-the-air service activation to
generate A-key

30
Diffie-Hellman in detail

Alice
Generates secret integer x
Computes gx mod p, sends to Bob
Computes (gy)x mod p
Use result as symmetric key

Bob
Generates secret integer y
Computes gy mod p, sends to Alice
Computes (gx)y mod p
Use result as symmetric key

31
RSA

The major public key scheme, discovered 1977
patent expires Sep 20, 2000
Based on the difficulty of factoring as opposed
to multiplication
thought to be related to discrete log
Can encrypt or decrypt
different keys for each
encryption key can be published, decryption key
kept secret

32
RSA in detail

Users public key is n,e
e is a small number, typically 3 or 17
n is the product of two randomly chosen secret
prime numbers, pq. Typically 1024 bits long
To encrypt, computeC Me mod n

33
RSA decryption

Users secret key is n,d
n is same value as in public key, so only d is
secret
User computesM Cd mod n
The math is hairy, but to compute d it is
believed that you must know p,q, the
factorization of n

34
RSA Signatures

Nothing says M has to be secret and C has to be
public
If you reverse the algorithm, you can get a
message that anybody can decrypt, but only you
could have encrypted.

35
Generating a digital signature
36
Verifying a digital signature
message
digital signature
Hash function
()e mod n
compare
37
Public Key Management

Although public keys can be openly published, how
do you know that a particular key in the
directory really belongs to who you think it
does?
This is the thorniest problem in public key
cryptography!

38
Certificates

PK cryptography can solve its own problem
Use PK signatures to vouch for the authenticity
of others keys
Two general approaches
X.509 Certification Authorities
centralized, hierarchical, authoritarian
used in secure web transactions
PGP web of trust
decentralized, flat, democratic

39
Other PK algorithms

Digital Signature Standard (DSS)
promoted by the government largely because it
cannot be used for encryption
used by PGP 5.0 to avoid RSA patent
Elliptic Curves
not actually an algorithm, but a different way to
implement existing algorithms like Diffie-Hellman
with supposedly less computational effort for a
given degree of security

40
Crypto - Necessary But Not Sufficient

Many (most?) vulnerabilities in practice due to
software bugs
e.g., buffer overflows
configuration errors
especially insecure installation defaults
Trojan horses
e.g., Microsoft Word macros, innumerable Windows
viruses
Old bugs are exploited much more than new ones
many machines run old software versions

41
The Internet Reference Model
Application
Host-to-Host (end-to-end)
Internet
Subnet
42
The Internet Reference Model

Application Layer
covers OSI application presentation layers
HTTP, Telnet, FTP, SMTP, POP, DNS, etc
End-to-End Layer
OSI transport session layers
TCP UDP
Internet Layer
OSI network (upper part)
IP
Subnet Layer
OSI network (lower part), link, physical

43
The Major Internet Protocols
SMTP
Telnet
DNS
FTP
DHCP
ICMP
IP
ARP
ATM
other subnets
Enet
44
The End-to-End Principle

Saltzer, Reed and Clark, 1981
many traditional low-level network functions are
better done at the endpoints, I.e., at higher
protocol levels
some functions can sometimes be justified within
the network as a performance enhancement
IMHO, one of the most important CS papers of all
time
http//people.qualcomm.com/karn/library.html has
links

45
Encryption in the Internet

Encryption in the subnetwork
Encryption just above IP
IPSEC
PPTP
Encryption above TCP
SSH
TLS
SSL
Encryption in the application
PGP, S/MIME, etc

46
Encryption in the Subnet

Link encryptors widely available
but beware of single-DES
Easy to deploy incrementally
Transparent to routers, hosts applications
Good resistance to traffic analysis
No defense against compromised routers or hosts

47
Encryption Above IP

Layer inserted between IP and transport
IPSec (IP Security) on IETF standards track
many vendors, including open source (FreeSWAN)
Protects transport header along with application
Can be used end-to-end, or to carry other IP
packets in tunnel mode
Increased header overhead, esp with
authentication
IP fragmentation issues
no VJ TCP/IP header compression
unavoidable for strong packet-level security

48
IP Security (IPSEC)

Started in IETF circa 1992
architecture similar to earlier govt network
layer security work for ISO CLNP
Unusually long gestation period
reflects creeping featurism, committee design,
excessive generality (imho)
Most useful for virtual private networks, road
warrier access to closed corporate network
through firewall

49
IPSec Packet Format
Two types of IPSec packets Authentication Header
(AH), protocol number 51 Encapsulating Security
Protocol (ESP), proto 50 Both carry the original
IP protocol field Note end-to-end header and
data can be another IP datagram! This is tunnel
mode
50
Authentication Header (AH)

Provides cryptographic authentication (not
encryption) of layers above IP plus selected
fields in IP header (the ones that dont change)
Doesnt actually specify the algorithm
one (keyed MD5) is mandatory to implement for
interoperability
others may be used between consenting parties

packet data
shared secret
hash function
authentication value
51
Encapsulating Security Protocol (ESP)

ESP encrypts and/or authenticates everything
above the IPSec layer
ESP does not protect fields in the outer IP
header
if you want to protect an IP header, cover it
with ESP and wrap it in another IP packet
ESP arguably makes AH unnecessary
even the guy who originally proposed AH agrees
but these things tend to get lives of their own...

52
IPSec Key Management

Both AH and ESP presume a secret key shared by
the two parties
To establish this key, a key management protocol
called ISAKMP/IKE is defined
Diffie-Hellman key exchanges signed with RSA, etc
lots and lots of options to please everybody
Manual key establishment is still possible if you
dont want all that complexity

53
Encryption Above TCP

Most important Internet applications run atop TCP
web browsing, remote login, mail transfer, etc
Much easier to install without OS vendor help
usually runs in user space
SSL included in Netscape and IE
TCP/IP usually implemented in OS kernel,
requiring kernel modifications for IPSec
Fine-grained (per user) security easy to do
fine-grained security in IPSec significantly
complicated spec and delayed implementation by
years
No protection for transport headers

54
Encryption Protocols Above TCP

Secure Sockets Layer (SSL)
developed by Netscape to secure web transactions
very widely deployed in web servers and browsers
but actually a general purpose transport layer
security protocol
formal X.509 public key certificates
Secure Shell (SSH)
developed by Tatu Ylonen for UNIX environments
originally open source, taken commercial
scp/ssh/slogin replace insecure rcp/rsh/rlogin
TCP port forwarding facility
simplified public key management
man-in-middle attack on first connect

55
Application-layer Encryption

Some Internet applications (esp. email) implement
network-like functionality, making end-to-end
security unattainable at any lower layer
PGP is most popular email encryption
protocol/software
public key web of trust
also popular for clearsigning software
distributions

56
Encryption Layer Choices

No one correct answer
Often desirable to encrypt at multiple layers
link layer to thwart traffic analysis
IP layer to build virtual private networks
transport or application layer for end-to-end
protection
Architectural issues
Network address translators (NAT) and IPSEC

57
Crypto Politics

Crypto doesnt distinguish between good and
bad users (as the government defines them)
Long regulated for export as a munition by the US
government
but domestic use never restricted
US Clipper proposal in 1993
require use of secret algorithm with govt back
door
Significant export relaxation January 2000
after years of proposed legislation, court
challenges and lobbying

58
Bernstein Case