Lecture 1: Cryptography for Network Security - PowerPoint PPT Presentation

1 / 56
About This Presentation
Title:

Lecture 1: Cryptography for Network Security

Description:

Title: Data Refinement Author: The Leals Last modified by: Anish Arora Created Date: 3/1/2000 5:00:15 PM Document presentation format: On-screen Show (4:3) – PowerPoint PPT presentation

Number of Views:146
Avg rating:3.0/5.0
Slides: 57
Provided by: TheL60
Learn more at: https://cse.osu.edu
Category:

less

Transcript and Presenter's Notes

Title: Lecture 1: Cryptography for Network Security


1
Lecture 1 Cryptography for Network Security
  • Anish Arora
  • CSE5473
  • Introduction to Network Security

2
Symmetric encryption
3
Symmetric encryption requirements
  • two requirements for secure use of symmetric
    encryption
  • a strong encryption algorithm
  • a secret key known only to sender / receiver
  • y S x in notation of book Y EK(X)
  • x S y X DK(Y)
  • assume encryption algorithm is known
  • implies a secure channel to distribute key

4
Block versus stream ciphers
  • block ciphers divide messages into blocks, each
    is then en/decrypted
  • like a substitution on very big characters
  • 64-bits or more
  • would need table of 264 entries for a 64-bit
    block
  • instead create from smaller building blocks
  • using idea of a product cipher
  • substitution (S-box) provides confusion
  • permutation (P-box) provides diffusion
  • stream ciphers process messages a bit or byte at
    a time
  • typically have a (pseudo) random stream key

5
Block versus stream ciphers contd
  • key should satisfy
  • statistical uniformity of distribution of
    numbers in sequence
  • unpredictability of successive members of
    sequence
  • randomness of key destroys statistical properties
    in message
  • but must not reuse stream key
  • e.g. RC4 used in SSL and WEP
  • many current ciphers are block ciphers
  • many symmetric block ciphers use Feistel Cipher
    Structure

6
Pseudo random functions (PRFs)
  • A pseudo random function is an
  • efficiently computable function
  • that emulates a random oracle
  • and there is no efficient algorithm for
    distinguishing a PRF function, chosen randomly
    from its PRF family, from a random oracle
  • Random oracle is a function that responds to
    every query with a random response from its
    range
  • note that response is deterministic
  • note that it is impossible to implement a random
    oracle
  • Main property of PRF
  • all its outputs appear to be random
  • assuming function is chosen in random

7
Pseudo random generators (PRGs)
  • PRFs should not be confused with PRGs
  • Main property of PRG
  • a single output of a PRG appears to be random
  • Cryptographically secure (CS) PRGs are used for
    generating a pool of randomness
  • for selecting keys, seeds, nonces, one-time pads
  • sources of physical randomness may suffice
  • geiger counters, thermal noise measurement
  • observing random activity on keyboard or screen
  • CSPRGs can be constructed using crypto
    primitives, or number theoretically
  • PRFs can be generated from PRGs

8
Fesitel schema for symmetric encryption
  • Overall processing at each iteration use two
    32-bit halves L and R
  • Li Ri-1
  • Ri Li-1 ? F(Ri-1, Ki)

9
Data Encryption Standard (DES)
  • A widely used symmetric encryption scheme
  • Algorithm is referred to as Data Encryption
    Algorithm (DEA)
  • DES is a block cipher
  • Plaintext is processed in 64-bit blocks
  • Key is usually 56-bits in length
  • n rounds, in each
  • every block first undergoes key-based
    substitution
  • then all blocks are collated and undergo
    key-based permutation
  • Easy in hardware, slow in software
  • selection of block size, key size, rounds, round
    function, subkey generation scheme trades off
    security vs speed

10
The function F in DES
  • takes 32-bit R half 48-bit subkey and
  • expands R to 48-bits using perm E
  • adds to subkey
  • passes through 8 S-boxes to get 32-bit result
  • finally permutes this using 32-bit perm P

11
DEA
Decryption runs backward
12
DES History
  • IBM developed Lucifer cipher
  • by team led by Feistel
  • used 64-bit data blocks with 128-bit key
  • Then redeveloped as a commercial cipher with
    input from NSA others
  • In 1973, NBS issued request for proposals for a
    national cipher standard
  • IBM submitted their revised Lucifer which was
    eventually accepted as the DES
  • DES standard is public
  • But there has been considerable controversy over
    design
  • in choice of 56-bit key (vs original Lucifer
    128-bit)
  • and because design criteria were classified

13
Breaking DES
14
Concerns about DEA
  • Key length of only 56-bits is insufficient
  • Even with larger keys, breaking is feasible if
    you have
  • known plaintext or have repeated encryptions
  • generally these are statistical attacks
  • access to timing or power consumption information
  • use knowledge of implementation to derive subkey
    bits
  • exploit fact that calculations take varying times
    based on input value
  • particularly problematic on smartcards

15
Weaknesses in DES
  • DES has Weak and Semi-Weak Keys The round key
    construction is such that
  • Any key comprising All 0s, All 1s, Alternating 0s
    and 1a, or Alternating 1s and 0s is its own
    inverse (these are the 4 weak keys)
  • The set of keys composed of two halves each of
    the above sorts is such that each key has an
    inverse in this set (these are 12 semi-weak keys)
  • Complement key property means that brute force
    search for DES is of complexity 255, not 256

16
DES Electronic Code Book
  • In encryption via ECB, repeated 64-bit blocks are
    identically encrypted
  • ECB attackers who know the data structure (e.g.
    fields such as salary) can reorder blocks while
    preserving structure

17
Cipher Block Chaining
  • To overcome ECB weakness, add (i.e. XOR) a random
    number to each 64-bit block being encrypted, and
    additionally communicate the random number in the
    clear
  • This is inefficient
  • Approximation only communicate the initial
    random number, and derive the successive random
    numbers from the previously encrypted message
  • Initial random number is called the
    initialization vector
  • Default IVs, such as All Zeroes, can be used, but
    is insecure for repeated transmissions of the
    same message sequence

18
Cipher Block Chaining
19
A CBC threat
  • If message structure is known, intruder can
    systematically ensure that a modified message is
    delivered, by changing the previous ciphertext
  • but then the previous plaintext is deciphered in
    a way not controlled by intruder
  • An alternative to CBC is the Counter Mode (CTR)
  • precompute encryptions of a counter value and
    XOR with successive messages (this method enjoys
    parallelism)
  • to avoid reusing the same sequence of precomputed
    encryptions, prefix a nonce (which is made
    public) to the counter value sequence
  • note message blocks are not encrypted, just
    XOR-ed, unlike CBC mode

20
Multiple DES, 3DES
  • Two successive encryptions with different keys
    are better than one 56 bit key
  • E2.E1 to encrypt and D2.D1 to decrypt
  • Combinatorially, two keys yields more
    permutations than those possible with one key
  • However, meet-in-the-middle cryptanalysis reduces
    complexity of attack to 256, so net improvement
    is not large
  • 3DES uses two keys E1.D2.E1 to encrypt and
    D1.E2.D1 to decrypt
  • or three keys E3.D2.E1 to encrypt and
    D3.E2.D1 to decrypt

21
Other symmetric block ciphers
  • Blowfish
  • Easy to implement
  • High execution speed
  • Run in less than 5K of memory
  • Uses a 32 to 448 bit key
  • RC5
  • Suitable for hardware and software
  • Fast, simple, but proprietary
  • Adaptable to processors of different word lengths
  • Variable number of rounds
  • Variable-length key
  • Low memory requirement
  • High security
  • Data-dependent rotations

22
AES
  • AES, Elliptic Curve, IDEA, Public Key
    cryptography concern numbers finite fields
  • US NIST issued call for ciphers in 1997
  • 15 candidates accepted in Jun 98
  • 5 were shortlisted in Aug 99
  • Rijndael was selected as the AES in Oct 2000
  • issued as a standard in Nov 2001
  • Symmetric block cipher, 128-bit data,
    128/192/256-bit keys
  • provide full specification design details
  • both C Java implementations
  • NIST have released all submissions unclassified
    analyses
  • iterative (vs feistel) cipher, operates on entire
    block per round

23
Asymmetric encryption Public key cryptography
24
Security of public key schemes
  • brute force attacks infeasible since keys used
    are too large (gt 512bits)
  • security relies on a large computation difference
    in difficulty between easy (en/decrypt) and hard
    (cryptanalyse) problems
  • the hard problem is generally known, its just
    made too hard to do in practice
  • requires the use of very large numbers
  • hence is slow compared to private key schemes

25
Background
  • Asymmetric cryptography invented by Diffie and
    Helman 76
  • 3 categories of uses
  • encryption/decryption (provide secrecy)
  • digital signatures (provide authentication)
  • key exchange (of session keys)

26
Authentication using public keys
27
RSA
  • by Rivest, Shamir Adleman of MIT in 1977
  • best known widely used public-key scheme
  • based on exponentiation in a finite (Galois)
    field over integers modulo a prime
  • exponentiation takes O((log n)3) operations
    (easy)
  • uses large integers (e.g. 1024 bits)
  • security due to cost of factoring large numbers
  • factorization takes O(e log n log log n)
    operations (hard)

28
RSA
  • To encrypt a message M the sender
  • obtain public key of recipient KUe,N
  • computes CMe mod N, where 0MltN
  • To decrypt the ciphertext C the receiver
  • uses its private key KRd,p,q
  • computes MCd mod N
  • Message M is smaller than modulus N (so block if
    needed)

29
RSA key generation
  • 1 determine two primes at random - p, q
  • primes p,q must not be easily derived from mod
    Np.q
  • means must be sufficiently large
  • typically guess and use probabilistic test
  • 2 select either e or d and compute the other
  • exponents e, d are inverses in mod (p-1).(q-1)
  • the goal is that selection of d should be random
    and unpredictable
  • e is computed using extended Euclidean algorithm
  • its okay for e to be predictable (e.g. small),
    so encr. fast
  • but e should not be too small, e.g. 3

30
RSA Example
  • Select primes p17 q11
  • Compute n pq 1711187
  • Compute ø(n)(p1)(q-1)1610160
  • Select e gcd(e,160)1 choose e7
  • Determine d de1 mod 160 and d lt 160
  • i.e. d23 since 237161 101601
  • Publish public key KU7,187
  • Keep secret private key KR23,17,11

31
RSA Example (contd.)
  • sample RSA encryption/decryption is
  • given message M 88 (note 88lt187)
  • encryption
  • C 887 mod 187 11
  • decryption
  • M 1123 mod 187 88

32
RSA Key Setup
  • Each user generates a public/private key pair by
  • selecting two large primes at random - p, q
  • computing their system modulus Np.q
  • note ø(N)(p-1)(q-1)
  • selecting at random the encryption key e
  • where 1lteltø(N), gcd(e,ø(N))1
  • solve following equation to find decryption key d
  • e.d1 mod ø(N) and 0dN
  • publish their public encryption key KUe,N
  • keep secret private decryption key KRd,p,q

33
Fermats Little Theorem
  • Theorem If n is prime,
  • an-1 1 mod n
  • Proof a mod n, 2a mod n, (n-1)a mod n
  • since n is prime , a is not divisible by n
  • 1, 2, n
  • gt
  • a x 2a x x (n-1)a (n-1)! mod n
  • an-1 1 mod n

34
Why RSA Works
  • because of Euler's Theorem
  • aø(n)mod N 1 where gcd(a,N)1
  • in RSA have
  • Np.q
  • ø(N)(p-1)(q-1)
  • carefully chosen e d to be inverses mod ø(N)
  • hence e.d1k.ø(N) for some k
  • hence Cd (Me)d M1k.ø(N) M1.(Mø(N))q
    M1.(1)q M1 M mod N

35
Security of RSA
  • Factoring numbers is hard
  • Breaking (p-1)(q-1) or d is not easier than
    factoring n
  • i.e. there is an easy way to factor n once
    (p-1)(q-1) is broken
  • likewise if d is broken

36
Small M
  • M0 and M1 are obviously not secure on
    encryption, even if e is very large
  • Likewise, for other small M, Me would be smaller
    than N and Me mod N can be precomputed and
    checked by the passive eavesdropper
  • Even if Alice adds a large salt s to M, the
    attacker can compute the encryption of s as well
    as its successors (s1 ...) to guess M

37
Avoiding Message Guessing
  • Add random padding to make M large and
    unpredictable
  • Public Key Cryptographic Standard replace M with
    M
  • M0 padding 10 gt64 random bits
    00000000 M
  • OAEP Scheme Optimal asymmetric encryption
    padding
  • sender XORs message with output of the
    cryptographic hash function with random input
    recipient obtains random and XORs out
    cryptographic hash
  • David Evans

38
Exponentiation
  • can use the Square and Multiply Algorithm
  • a fast, efficient algorithm for exponentiation
  • concept is based on repeatedly squaring base
  • and multiplying in the ones that are needed to
    compute the result
  • look at binary representation of exponent
  • only takes O(log2 n) multiples for number n
  • e.g. 75 74.71 3.7 10 mod 11
  • e.g. 3129 3128.31 5.3 4 mod 11

39
RSA (contd.)
  • Due to Rivest, Shamir Adleman of MIT in 1977
  • Best known widely used public-key scheme
  • Based on exponentiation in a finite (Galois)
    field over integers modulo a prime
  • exponentiation takes O((log n)3) operations
    (easy)
  • Uses large integers (e.g. 1024 bits)
  • Security due to cost of factoring large numbers
  • factorization takes O(e log n log log n)
    operations (hard)
  • barring dramatic breakthrough 1024 bit RSA
    secure
  • Timing attacks possible
  • exploit time taken in exponentiation to infer
    operands
  • countermeasures
  • use constant exponentiation time, add random
    delays

40
Hash functions
  • a hash function produces a fingerprint of some
    file/message/data
  • h H(M)
  • condenses a variable-length message M
  • to a fixed-sized fingerprint
  • usually assume that the hash function is public,
    not keyed
  • cf. MAC which is keyed
  • hash used to detect changes to message, e.g. by
    creating a digital signature or fingerprint of a
    message
  • cryptographically secure hashes also used to
    generate PRFs, e.g. to derive keys

41
Requirements for hash functions
  • can be applied to any sized message M
  • produces fixed-length output h
  • is easy to compute hH(M) for any message M
  • given h is infeasible to find x s.t. H(x)h
  • one-way property
  • given x is infeasible to find y s.t. H(y)H(x)
  • weak collision resistance
  • is infeasible to find any x,y s.t. H(y)H(x)
  • strong collision resistance

42
Simple hash functions
  • there are several proposals for simple functions,
    based on XOR of message blocks
  • e.g. longitudinal redundancy check
  • xor of columns of n-bit block arranged in rows
  • e.g. above circular left shift of hash after
    each row
  • effect of rotated XOR (RXOR) is to randomize the
    input
  • but these lack weak collision resistance
  • simply add a block to obtain desired hash
  • need a stronger cryptographic function, which
    tolerates strong collision resistance as well

43
More on weak collision resistance
  • How big should our hash function be?
  • If attacker can perform 263 hashes, hash function
    should have 64 bits is output so that probability
    that the attacker can find another message with
    the same hash is less than 0.5
  • Assuming hash function distribution is uniform
  • Prob (one guess gives same hash) 2-64
  • Prob (the guess does not give same hash) 1- 2-64
  • Prob (2L hash guesses dont give the same hash)
    (1- 2-64)263

44
Birthday attacks imply need longer hash values
  • You might think a 64-bit hash is secure, but by
    Birthday Paradox is not
  • Given k people, what is the probability that
    there are two people with the same birthday
  • If birthdays uniformly distributed over 365
    days,
  • probability of no duplicates 365x364x x
    (365-k1) / 365k
  • 365!/((365-k)! x 365k)

45
Birthday attacks imply need longer hash values
  • birthday attack on strong-collision resistance
    works thus
  • opponent generates 2m/2 variations of a valid
    message all with essentially the same meaning
  • opponent also generates 2m/2 variations of a
    desired fraudulent message
  • two sets of messages are compared to find pair
    with same hash (probability gt 0.5 by birthday
    paradox)
  • have user sign the valid message, then substitute
    the forgery which will have a valid signature
  • conclusion is that need to use longer hash values
  • also, you might wish to change every message you
    sign !

46
Hash algorithms
  • similarities in evolution of hash functions
    block ciphers
  • increasing power of brute-force attacks led to
    evolution in algorithms
  • from DES to AES in block ciphers
  • from MD4 MD5 to SHA-1 in hash algorithms
  • likewise tend to use common iterative structure
    as do block ciphers
  • iteration of collision-resistant round
    compression function preserves collision
    resistance
  • good round functions should have an avalanche
    effect
  • small changes in input should have large changes
    in output

47
Block ciphers as hash functions
  • can use block ciphers as hash functions
  • using H00 and zero-pad of final block
  • compute Hi EMi Hi-1
  • and use final block as the hash value
  • similar to cipher block chaining but without a
    key
  • but resulting hash should not be too small
    (64-bit)
  • like block ciphers have brute-force attacks, and
    a number of analytic attacks on iterated hash
    functions

48
MD5
  • designed by Ronald Rivest (the R in RSA)
  • latest in a series of MD2, MD4
  • produces a 128-bit hash value
  • until recently was the most widely used hash
    algorithm
  • in recent times had both brute-force
    cryptanalytic concerns
  • specified as Internet standard RFC1321

49
MD5 overview
  • pad message so its length is 448 mod 512
  • append a 64-bit length value to message
  • initialise 4-word (128-bit) MD buffer (A,B,C,D)
  • process message in 16-word (512-bit) blocks
  • using 4 rounds of 16-bit operations on message
    block buffer
  • add output to buffer input to form new buffer
    value
  • output hash value is the final buffer value

50
MD5 overview
51
MD4
  • precursor to MD5
  • also produces a 128-bit hash of message
  • has 3 rounds of 16 steps vs 4 in MD5
  • design goals
  • collision resistant (hard to find collisions)
  • direct security (no dependence on "hard"
    problems)
  • fast, simple, compact
  • favours little-endian systems (e.g., PCs)

52
Strength of MD5
  • MD5 hash is dependent on all message bits
  • Rivest claimed security is as strong as can be
    with 128 bit code
  • known attacks are
  • Berson 92 attacked any 1 round using differential
    cryptanalysis (but cant extend)
  • Boer Bosselaers 93 found a pseudo collision
    (again unable to extend)
  • Dobbertin 96 created collisions on MD compression
    function (but initial constants prevent exploit)
  • conclusion was that MD5 should be vulnerable soon
  • In 2004, an attack was found

53
Secure Hash Algorithm (SHA)
  • SHA was designed by NIST NSA in 1993, revised
    1995 as SHA-1
  • US standard for use with DSA signature scheme
  • standard is FIPS 180-1 1995, also Internet
    RFC3174
  • nb. the algorithm is SHA, the standard is SHS
  • produces 160-bit hash values
  • now the generally preferred hash algorithm
  • SHA-1 is now regarded as broken (with a
    theoretical attack of 251)
  • This year SHA-3 is being finalized
  • based on design of MD4 with key differences

54
SHA overview
  • pad message so its length is 448 mod 512
  • append a 64-bit length value to message
  • initialise 5-word (160-bit) buffer (A,B,C,D,E) to
  • (67452301,efcdab89,98badcfe,10325476,c3d2e1f0)
  • process message in 16-word (512-bit) chunks
  • expand 16 words into 80 words by mixing
    shifting
  • use 4 rounds of 20 bit operations on message
    block buffer
  • add output to input to form new buffer value
  • output hash value is the final buffer value

55
SHA-1 verses MD5
  • brute force attack is harder (160 vs 128 bits for
    MD5)
  • was regarded as less vulnerable to attacks
    (compared to MD4/5), but this is no longer true
  • a little slower than MD5 (80 vs 64 steps)
  • both designed as simple and compact
  • optimised for big endian CPU's (vs MD5 which is
    optimised for little endian CPUs)

56
Revised secure hash standard
  • NIST has issued a revision FIPS 180-2
  • adds 3 additional hash algorithms
  • SHA-256, SHA-384, SHA-512
  • designed for compatibility with increased
    security provided by the AES cipher
  • structure detail is similar to SHA-1
  • hence analysis should be similar

57
Reading on Crypto
  • Comparable to the extent covered in class, read
  • Chapter 3 3.1-3.4, 3.6
  • Chapter 5 5.1
  • Chapter 6 6.2-6.5
  • Chapter 7 7.4
  • Chapter 9 9.1-9.2
  • Chapter 11 11.4-11.5
  • Chapter 12 12.1-12.2
Write a Comment
User Comments (0)
About PowerShow.com