Confidentiality Using Conventional Encryption - PowerPoint PPT Presentation

Title: CH-5: Confidentiality
Subject: Security
Author: H. Yoon
Last modified by: Technology
Created Date: 3/2/1998 8:57:48 AM
Document presentation format: PowerPoint PPT presentation

1
Confidentiality Using Conventional Encryption
  • Where should cryptographic functionality be
    located?
  • How can we make communications confidential?
  • How do we distribute keys?
  • What is the role of random numbers?

2
Placement of Encryption Function
Placement of encryption function
  • Networks are vulnerable to active and passive
    attacks
  • Many potential locations for confidentiality
    attacks
  • By network tapping or other means
  • Passive inductive attacks on electrical signaling
  • Phone and wiring closets may be accessible to
    outsiders
  • Satellite links are easy to monitor
  • etc

Points of Vulnerability
3
Link vs. End-to-End Encryption
Placement of encryption function
  • The most powerful and most common approach to
    securing the points of vulnerability is
    encryption
  • If encryption is to be used to counter these
    attacks, need to decide what to encrypt and where
    the encryption should be located
  • Two fundamental alternatives
  • Link encryption
  • End-to-end encryption

4
Link vs. End-to-End Encryption
Placement of encryption function
5
Placement of encryption function
Logical Placement of E2E Encryption Function
  • Link encryption occurs at either the physical or
    link layers
  • For end-to-end encryption, several choices are
    possible
  • At the lowest practical layer, the encryption
    function could be performed at network layer
  • All the user processes and applications within
    each end system would employ the same encryption
    scheme with the same key
  • With this arrangement, front-end processor may be
    used to off-load the encryption function

6
Placement of encryption function
Logical Placement of E2E Encryption Function
  • X.25 or TCP provide end-to-end security for
    traffic within a fully integrated internetwork.
    However, such a scheme cannot deliver the
    necessary service for traffic that crosses
    internetwork boundaries, such as E-Mail, EDI, and
    file transfer
  • In this case, the only place to achieve
    end-to-end encryption is at the application layer
  • A drawback of application-layer encryption is
    that the number of entities to consider increases
    dramatically
  • Many more secret keys need to be generated and
    distributed

7
Placement of encryption function
Logical Placement of E2E Encryption Function
8
Placement of encryption function
Logical Placement of E2E Encryption Function
9
Traffic Confidentiality
Traffic Confidentiality
  • Security from traffic analysis attack
  • Knowledge about the number and length of messages
    between nodes may enable an opponent to determine
    who is talking to whom
  • Types of information derivable from traffic
    analysis
  • Identities of communicating partners
  • Frequency of communication
  • Message patterns, e.g., length, quantity,
    (encrypted) content
  • Correlation between messages and real world
    events
  • Can (sometimes) be defeated through traffic
    padding

10
Countermeasure to Traffic Analysis
Traffic Confidentiality
  • Link encryption approach
  • Link encryption hides address information
  • Traffic padding is very effective
  • End-to-End encryption approach
  • Leaves addresses in the clear
  • Measures available to the defender are more
    limited
  • Pad out data units to a uniform length at either
    the transport or application level
  • Null message can be inserted randomly into the
    stream

11
Covert Channel
Traffic Confidentiality
  • Essentially, the dual of traffic analysis
  • A means of communication in a fashion unintended
    by the designers of the communication facility
  • Usually intended to violate or defeat a security
    policy
  • Examples
  • Message length
  • Message content
  • Message presence

12
Key Distribution
Key Distribution
  • For conventional encryption to work, the two
    parties must share the same key and that key must
    be protected from access by others
  • Alice's options in establishing a shared secret
    key with Bob include
  • Alice selects a key and physically delivers it to
    Bob
  • Trusted third party key distribution center (T3P
    or KDC) selects a key and physically delivers it
    to Alice and Bob
  • If Alice and Bob have previously and recently
    used a key, it can be used to distribute a new
    key
  • If Alice and Bob have keys with the T3P, rekeying
    can be accomplished similarly

13
Key Distribution
Key Distribution
  • Manual delivery is a reasonable requirement with
    link encryption, challenging with E2E encryption
  • The number of keys grows quadratically with the
    number of endpoints
  • T3P key(s) constitute a rich target of
    opportunity
  • Initial (master) key distribution remains a
    challenge

14
Use of a Key Hierarchy
Key Distribution
  • Use of a key distribution center is based on the
    use of a hierarchy of keys
  • Session keys
  • Master keys

15
A Key Distribution Scenario
Key Distribution
  • Assume each principal shares a unique master key
    with the KDC
  • Alice desires a one-time session key to
    communicate with Bob
  • Alice issues a request to the KDC for a session
    key to be used with Bob. Alice's request
    includes a nonce to prevent replay attack
  • KDC responds with a message encrypted under
    Alice's key. The message contains the session
    key, the nonce, and the session key along with
    Alice's identity encrypted under Bob's key
  • Alice forwards the data encrypted under Bob's key
    to Bob
  • Alice and Bob mutually authenticate under the
    session key
  • Alice sends a nonce to Bob encrypted under the
    session key
  • Bob applies a transformation to the nonce and
    sends the result back to Alice
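
The scenario above as a runnable exchange. This is an added example, not part of the original slides: `seal`/`unseal` are a toy authenticated cipher standing in for the conventional encryption algorithm, and the names, the JSON message layout and the transformation f(N) = N + 1 are assumptions.

```python
import hashlib, hmac, json, os

def keystream(key, iv, n):
    blocks = (hashlib.sha256(key + iv + bytes([i])).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Toy authenticated cipher standing in for the slides' conventional encryption."""
    pt, iv = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, iv, len(pt))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()

def unseal(key, blob):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or altered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, keystream(key, iv, len(ct)))))

# Master keys each principal shares with the KDC (constructed for the example).
MASTER = {"alice": os.urandom(32), "bob": os.urandom(32)}

def kdc(requester, peer, nonce):
    ks = os.urandom(32).hex()                                 # one-time session key
    for_peer = seal(MASTER[peer], {"ks": ks, "id": requester}).hex()
    return seal(MASTER[requester], {"ks": ks, "nonce": nonce, "for_peer": for_peer})

def alice_accepts(reply, nonce):
    """Alice accepts a KDC reply only if it echoes the nonce of this request."""
    msg = unseal(MASTER["alice"], reply)
    return msg if msg["nonce"] == nonce else None

def exchange():
    n1 = os.urandom(8).hex()
    msg = alice_accepts(kdc("alice", "bob", n1), n1)                # request and KDC response
    at_bob = unseal(MASTER["bob"], bytes.fromhex(msg["for_peer"]))  # Alice forwards to Bob
    ks_a, ks_b = bytes.fromhex(msg["ks"]), bytes.fromhex(at_bob["ks"])
    n2 = int.from_bytes(os.urandom(8), "big")
    challenge = seal(ks_a, {"n": n2})                               # Alice -> Bob under Ks
    answer = seal(ks_b, {"n": unseal(ks_b, challenge)["n"] + 1})    # Bob returns f(N)
    return at_bob["id"], unseal(ks_a, answer)["n"] == n2 + 1

if __name__ == "__main__":
    print(exchange())
```

A recorded KDC reply replayed against a later request fails the nonce comparison in `alice_accepts`, which is the replay defence the slide refers to.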

16
A Key Distribution Scenario
Key Distribution
17
Hierarchical Key Control
Key Distribution
  • Instead of a single KDC, a hierarchy of KDCs can
    be established: local KDCs and a global KDC
  • Local KDCs exchange keys through a global KDC
  • Can be extended to three or more layers
    (hierarchy)

                 
 
18
Session Key Lifetime
Key Distribution
  • Tradeoffs in the session key lifetime
  • The more frequently session keys are changed, the
    more secure the system, but the lower the
    performance (more network load and delay)
  • For connection-oriented protocols, one option is
    to associate a session with a connection
  • For long-lived connections, must periodically
    rekey
  • For connectionless protocols, rekey at intervals

19
A Transparent Key Control Scheme
Key Distribution
20
Decentralized Key Distribution
Key Distribution
  1. A issues a request to B for a session key and
    includes a nonce, N1
  2. B responds with a message encrypted using the
    shared master key. Response includes the session
    key selected by B, an identifier of B, the value
    of f(N1), and another nonce, N2
  3. Using the new session key, A returns f(N2) to B

21
Controlling Key Usage
Key Distribution
  • It is desirable to impose some control on the way
    in which keys are used
  • e.g. we may wish to define different types of
    session keys on the basis of use, such as
  • Data-encrypting key
  • PIN-encrypting key
  • File-encrypting key
  • One technique is to associate a tag with each key
  • Tag is a bit-vector representing the key's usage
    or type
  • e.g. the extra 8 bits in each 56-bit DES key can
    be used as a tag
  • Limited flexibility and functionality due to the
    limited tag size
  • Because the tag is not transmitted in clear form,
    it can be used only at the point of decryption,
    limiting the ways in which key use can be
    controlled
  • A more flexible scheme is to use a control vector

22
Key Distribution
Control Vector Scheme
  • Each session key has an associated control vector
  • Control vector consists of a number of fields
    that specify the uses and restrictions for that
    session key
  • The length of control vector may vary
  • Control vector is cryptographically coupled with
    the key at the time of key generation at the KDC
  • Hash value $H = h(CV)$
  • Key input $K_m \oplus H$
  • Encrypted session key $E_{K_m \oplus H}[K_s]$
  • When a session key is delivered to a user from
    the KDC, it is accompanied by the control vector
    in clear form
  • The session key can be recovered only by using
    both the master key and the control vector
  • $K_s = D_{K_m \oplus H}[E_{K_m \oplus H}[K_s]]$
  • Advantages (over the 8-bit tag)
  • No restriction on length of control vector
    (arbitrarily complex controls to be imposed on
    key use)
  • Control vector is available in clear form at all
    stages of operation, so key control can be exercised
    in multiple locations

$CV$ = control vector, $K_m$ = master key, $K_s$ = session key
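
The coupling of control vector and session key, as an added example that is not part of the original slides. `E`/`D` are a toy 32-byte cipher standing in for the real algorithm, and the control-vector field strings are constructed for illustration.

```python
import hashlib, os

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def E(key, block):
    """Toy 32-byte cipher (XOR with a key-derived pad) standing in for E."""
    return xor(block, hashlib.sha256(b"pad" + key).digest())

D = E  # XOR with the same pad undoes the toy encryption

def kdc_wrap(km, cv, ks):
    h = hashlib.sha256(cv).digest()      # H = h(CV); the CV may have any length
    return E(xor(km, h), ks)             # E_{Km xor H}[Ks]

def user_unwrap(km, cv, wrapped):
    h = hashlib.sha256(cv).digest()
    return D(xor(km, h), wrapped)        # D_{Km xor H}[E_{Km xor H}[Ks]]

def demo():
    km, ks = os.urandom(32), os.urandom(32)
    cv = b"type=data-encrypting;export=no"          # constructed CV, sent in the clear
    wrapped = kdc_wrap(km, cv, ks)
    with_true_cv = user_unwrap(km, cv, wrapped) == ks
    # Substituting a different control vector changes Km xor H, so the
    # unwrapped value is no longer the session key.
    with_altered_cv = user_unwrap(km, b"type=PIN-encrypting;export=no", wrapped) == ks
    return with_true_cv, with_altered_cv

if __name__ == "__main__":
    print(demo())
```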
23
Key Distribution
Controlling Key Usage
24
Random Number Generation
Random Number Generation
  • Use of random numbers (in cryptography)
  • As key stream for a one-time pad
  • For session keys
  • For public key
  • For nonces (random numbers) in protocols to
    prevent replays
  • Good cryptography requires good random numbers
  • Random number requirements
  • Statistically random (uniform distribution, etc)
  • Unpredictable (independent)

25
Sources of Randomness
Random Number Generation
  • Natural random noise (Natural real randomness)
  • Radiation counters, radio noise, thermal noise in
    diodes, leaky capacitors, mercury discharge
    tubes, etc
  • Generally need special H/W for this
  • Starting to see this in new CPUs (Pentium III)
  • Almost random sources
  • Keystroke timing
  • Mouse tracking
  • Disk latency, etc
  • Published lists
  • e.g., Rand Co. in 1955 published a book of 1
    million numbers generated using an electronic
    roulette wheel
  • Predictable
  • In practice, pseudorandom numbers are
    algorithmically derived from a deterministic PRNG
    (Pseudorandom Number Generator)

26
Lehmer's algorithm
Random Number Generation
  • Most widely used technique for PRNG
  • Also known as linear congruential method
  • Four parameters
  • $m$, the modulus, $m > 0$
  • $a$, the multiplier, $0 \le a < m$
  • $c$, the increment, $0 \le c < m$
  • $X_0$, the seed, $0 \le X_0 < m$
  • $X_{n+1} = (aX_n + c) \bmod m$
  • Generates numbers in the range $0, \ldots, m-1$
  • Good and bad choices for m, a, and c
  • Lots of obvious bad choices

27
Lehmer's algorithm - 2
Random Number Generation
  • Choose a very large m, e.g., $2^{31}$
  • Provides for a long series
  • Usually the maximum integer value for a given
    computer
  • Criteria for good RNG
  • Generate the entire range (full period)
  • Pass statistical tests
  • Efficient implementation
  • Good choices
  • $m = 2^{31} - 1$, a prime value
  • $a = 7^5 = 16807$
  • $c = 0$
  • Useful for applications requiring statistical
    randomness (Monte Carlo simulation)
  • Not so useful for cryptography (easy
    cryptanalysis)
  • $X_i$, $X_{i+1}$, $X_{i+2}$ gives solution for m, a, and c
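
Why the linear congruential method is unsuitable for keys and nonces, as an added example that is not part of the original slides. It covers the simpler case where m is known (the slide's $m = 2^{31} - 1$): three consecutive outputs then determine a and c, and with them every later output. The seed and function names are constructed.

```python
M = 2**31 - 1                      # modulus from the slide (prime)

def lcg(seed, a=16807, c=0, m=M):
    """Yield X1, X2, ... with X_{n+1} = (a*X_n + c) mod m."""
    x = seed
    while True:
        x = (a * x + c) % m
        yield x

def recover(x0, x1, x2, m=M):
    """Solve X1 = a*X0 + c and X2 = a*X1 + c (mod m) for a and c."""
    d = (x1 - x0) % m
    # Subtracting the two equations gives X2 - X1 = a*(X1 - X0) mod m.
    # pow(d, -1, m) raises ValueError if d is not invertible modulo m.
    a = (x2 - x1) * pow(d, -1, m) % m
    c = (x1 - a * x0) % m
    return a, c

def predict(observed, count, m=M):
    """Given three consecutive outputs, return the next `count` outputs."""
    a, c = recover(*observed, m=m)
    x, out = observed[-1], []
    for _ in range(count):
        x = (a * x + c) % m
        out.append(x)
    return out

if __name__ == "__main__":
    gen = lcg(seed=20240229)       # constructed seed, never shown to the observer
    seen = [next(gen) for _ in range(3)]
    future = [next(gen) for _ in range(5)]
    print(recover(*seen), predict(seen, 5) == future)
```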

28
Cryptographically Generated RNs
Random Number Generation
  • Cyclic encryption
  • Generate session keys from a master key
  • A counter with period N is input to the
    encryption logic
  • e.g. 56-bit counter for 56-bit DES
  • $X_0 \ne X_1 \ne \cdots \ne X_{N-1}$
  • The $X_i$ cannot be deduced since the master key is
    protected
  • Full-period PRNG can be used instead of a simple
    counter
  • DES OFB mode
  • Can be used as a PRNG (IV is the seed)
  • Successive 64-bit outputs constitute a sequence
    of pseudorandom numbers with good statistical
    properties

29
ANSI X9.17 PRNG
Random Number Generation
  • One of the (cryptographically) strongest PRNGs
  • Used in financial security applications and PGP
  • $DT_i$ is the date/time value at the beginning of the
    $i$th stage
  • $V_i$ is the seed value at the beginning of the $i$th stage
  • $R_i$ is the output (PRN) of the $i$th stage
  • $K_1$, $K_2$ are 3DES keys
  • $R_i = EDE_{K_1,K_2}[V_i \oplus EDE_{K_1,K_2}[DT_i]]$
  • $V_{i+1} = EDE_{K_1,K_2}[R_i \oplus EDE_{K_1,K_2}[DT_i]]$

30
Blum Blum Shub (BBS) PRNG
Random Number Generation
  • Choose large primes p and q, s.t. $p \equiv q \equiv 3 \pmod 4$
  • Let $n = p \times q$
  • Choose s relatively prime to n
  • BBS produces a sequence of bits $B_i$
  • $X_0 = s^2 \bmod n$; for $i = 1, 2, \ldots$:
    $X_i = (X_{i-1})^2 \bmod n$, $B_i = X_i \,\&\, 1$
  • BBS is referred to as a cryptographically secure
    pseudorandom bit generator (CSPRBG)

31
Blum Blum Shub PRNG- Example
Random Number Generation
  • $n = 383 \times 503 = 192649$, $s = 101355$
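
The sequence these parameters produce can be regenerated with the short program below. This is an added example, not part of the original slides; the function names are constructed, and the slide's primes are far too small for real use.

```python
from math import gcd

def bbs(p, q, s, count):
    """Return X_0 and the list [(X_i, B_i)] for i = 1..count."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must both be congruent to 3 mod 4")
    n = p * q
    if gcd(s, n) != 1:
        raise ValueError("s must be relatively prime to n")
    x0 = x = s * s % n                 # X_0 = s^2 mod n
    rows = []
    for _ in range(count):
        x = x * x % n                  # X_i = (X_{i-1})^2 mod n
        rows.append((x, x & 1))        # B_i = least significant bit of X_i
    return x0, rows

def bits(p, q, s, count):
    """Just the output bit stream B_1..B_count."""
    return [b for _, b in bbs(p, q, s, count)[1]]

if __name__ == "__main__":
    x0, rows = bbs(383, 503, 101355, 10)   # parameters from the slide
    print(f"i=0   X={x0}")
    for i, (x, b) in enumerate(rows, 1):
        print(f"i={i:<3} X={x:<7} B={b}")
```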

32
CSPRBG
Random Number Generation
  • Cryptographically secure pseudorandom bit
    generator (CSPRBG) is defined as one that passes
    the next-bit test
  • Next-bit test
  • Given k bits of output from a PRBG, there is no
    polynomial time algorithm that can predict the
    (k+1)st bit with probability greater than $1/2 + \epsilon$
  • For all practical purposes, the sequence is
    unpredictable
  • The security of BBS is based on the difficulty of
    factoring n (i.e., given n, determining two prime
    factors p and q)

33
HW
Random Number Generation
  • P. 5.3
  • P. 5.4
  • P. 5.5
  • P. 5.9
  • P. 5.10
  • (For P.5.3 and P. 5.10, please look up the errata
    sheet)