Title: EEC-484/584 Computer Networks
Slide 1: EEC-484/584 Computer Networks
- Lecture 18
- Wenbing Zhao
- wenbing_at_ieee.org
- (Part of the slides are based on materials
supplied by Prentice-Hall)
Slide 2: Outline
- Reminder
- IST tour: 12/6 2pm (MW), 12/7 4pm (TTh), Rhodes Tower 10th floor lobby
- Quiz 5: 12/11 2-4pm (MW), 12/12 4-6pm (TTh)
- Project 2 due 12/12 midnight
- Public key algorithm
- Digital signature
- Message digest and secure hash functions
- Public key infrastructure
- Cipher modes
Slide 3: Public-Key Algorithms
- Distributing keys: the weakest link in most cryptosystems
- No matter how strong a cryptosystem was, if an intruder could steal the key, the system was worthless
- Cryptologists always took for granted that the encryption key and the decryption key were the same
- Diffie and Hellman (1976) proposed a radically new kind of cryptosystem: the encryption and decryption keys are different
- D(E(P)) = P
- It is exceedingly difficult to deduce D from E
- E cannot be broken by a chosen plaintext attack
Slide 4: Public-Key Algorithms
- Public-key cryptography
- The encryption algorithm and the encryption key can be made public
- How to establish a secure channel when Alice and Bob have never had previous contact
- Alice sends Bob EB(P) (message P encrypted using Bob's public encryption key EB)
- Bob receives the encrypted message and retrieves the plaintext using his private key: P = DB(EB(P))
- Bob then sends a reply EA(R) to Alice, encrypted with Alice's public key EA
Slide 5: RSA
- Rivest, Shamir, Adleman (1978): a good method for public-key cryptography
- RSA method
- Choose two large primes, p and q (typically 1024 bits each in the text; today a 2048-bit or larger n is the recommended minimum)
- Compute n = p × q and z = (p - 1) × (q - 1)
- Choose a number relatively prime to z and call it d
- Find e such that e × d = 1 (mod z)
- To encrypt a message P, compute C = P^e (mod n)
- To decrypt C, compute P = C^d (mod n)
- The public key consists of the pair (e, n)
- The private key consists of the pair (d, n)
Slide 6: RSA
- An example of the RSA algorithm
- p = 3, q = 11 => n = 33 and z = 20
- A suitable value for d is 7 (7 is relatively prime to 20)
- e can be found by solving the equation 7e = 1 (mod 20) => e = 3
- C = P^3 (mod 33), P = C^7 (mod 33)
Slide 7: Digital Signatures
- Requirement on digital signatures: one party can send a signed message to another party in such a way that the following conditions hold
- The receiver can verify the claimed identity of the sender
- The sender cannot later repudiate the contents of the message
- The receiver cannot possibly have concocted the message himself
Slide 8: Symmetric-Key Signatures
- Big Brother (BB): a central authority that knows everything and whom everyone trusts
- Each user chooses a secret key and shares it with BB
- Digital signatures with Big Brother
Slide 9: Public-Key Signatures
- Digital signatures using public-key cryptography
- Requires E(D(P)) = P (in addition to D(E(P)) = P); RSA has this property
Slide 10: Message Digests
- Message digest (MD): a one-way hash function that takes an arbitrarily long piece of plaintext and from it computes a fixed-length bit string
- Given P, it is easy to compute MD(P)
- Given MD(P), it is effectively impossible to find P
- Given P, no one can find P' ≠ P such that MD(P') = MD(P)
- A change to the input of even 1 bit produces a very different output
Slide 11: Hash Functions: MD5 and SHA-1
- Hash function: mangling bits in a sufficiently complicated way that every output bit is affected by every input bit
- MD5 is the fifth in a series of message digests designed by Ronald Rivest (1992)
- MD5 generates a 128-bit fixed value
- SHA-1 (Secure Hash Algorithm 1): developed by the National Security Agency (NSA) and blessed by NIST
- SHA-1 generates a 160-bit message digest
- Both are now broken for collision resistance (practical MD5 collisions since 2004, a public SHA-1 collision in 2017); new designs use SHA-2 or SHA-3
Slide 12: Digital Signatures Using Message Digests
- Sign the digest rather than the whole message: Alice sends P together with DA(MD(P)); Bob recomputes MD(P) and checks that EA(DA(MD(P))) = MD(P)
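Added example (not part of the lecture slides): the RSA recipe of slides 5 and 6 carried through in code with the slide's own numbers (p = 3, q = 11, d = 7), the E(D(x)) = x property of slide 9, and the hash-and-sign scheme of slide 12. The factoring routine shows why "hard to deduce D from E" depends entirely on n being large. The Mersenne-prime toy key, the 64-bit truncated digest and the sample messages are assumptions for the demo; real systems use RSA-OAEP/PSS padding and a 2048-bit or larger modulus.

```python
"""RSA with the slide's textbook numbers, then hash-and-sign (slides 5, 6, 9, 12).

Added teaching example, not lecture code. Follows the slide's recipe (choose p, q and d,
derive e). Textbook RSA without padding, small parameters and a truncated digest: fine for
seeing the mechanism, never for real use (that needs RSA-OAEP/PSS and n >= 2048 bits).
"""
import hashlib
import math


def rsa_keygen(p: int, q: int, d: int):
    """Return ((e, n), (d, n)) from two primes and a chosen d with gcd(d, z) = 1."""
    n = p * q
    z = (p - 1) * (q - 1)
    if math.gcd(d, z) != 1:
        raise ValueError("d must be relatively prime to z")
    e = pow(d, -1, z)                    # e * d = 1 (mod z); needs Python >= 3.8
    return (e, n), (d, n)


def rsa_encrypt(public_key, P: int) -> int:
    e, n = public_key
    if not 0 <= P < n:
        raise ValueError("textbook RSA needs 0 <= P < n")
    return pow(P, e, n)                  # C = P^e (mod n)


def rsa_decrypt(private_key, C: int) -> int:
    d, n = private_key
    return pow(C, d, n)                  # P = C^d (mod n)


def slide_example():
    """p = 3, q = 11, d = 7 -> n = 33, z = 20, e = 3; encrypt the letter S coded as 19."""
    public, private = rsa_keygen(3, 11, 7)
    C = rsa_encrypt(public, 19)
    return public, C, rsa_decrypt(private, C)       # ((3, 33), 28, 19)


def break_toy_rsa(public_key) -> int:
    """Recover d from (e, n) by factoring n with trial division.

    Instant for n = 33. 'Exceedingly difficult to deduce D from E' holds only because
    factoring a 2048-bit n is infeasible; the algorithm offers no other protection."""
    e, n = public_key
    p = next(f for f in range(2, math.isqrt(n) + 1) if n % f == 0)
    return pow(e, -1, (p - 1) * (n // p - 1))       # 7 for the slide's key


# Hash-and-sign: signature = D(MD(P)); receiver checks E(signature) == MD(P).
# Constructed toy key from two Mersenne primes (about 92-bit n) so a 64-bit digest fits below n.
TOY_P, TOY_Q = (1 << 31) - 1, (1 << 61) - 1
TOY_Z = (TOY_P - 1) * (TOY_Q - 1)
TOY_D = pow(65537, -1, TOY_Z)                       # pick e = 65537 first, as practice does
TOY_PUBLIC, TOY_PRIVATE = rsa_keygen(TOY_P, TOY_Q, TOY_D)   # yields e = 65537 again


def message_digest(message: bytes) -> int:
    # SHA-256 truncated to 64 bits purely so it is < toy n; real schemes sign the full digest
    return int.from_bytes(hashlib.sha256(message).digest()[:8], "big")


def sign(private_key, message: bytes) -> int:
    return rsa_decrypt(private_key, message_digest(message))      # D(MD(P))


def verify(public_key, message: bytes, signature: int) -> bool:
    # E(D(x)) = x for RSA because e*d = 1 (mod z) works in either order
    return rsa_encrypt(public_key, signature) == message_digest(message)
```

Note that the toy key is built by choosing e first and deriving d, while the slide chooses d first and derives e; rsa_keygen recovers e = 65537 either way because the relation e × d = 1 (mod z) is symmetric.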
Slide 13: Message Authentication Code
- MACs are used between two parties that share a secret key in order to validate information transmitted between these parties
- The MAC mechanism based on cryptographic hash functions is called HMAC (RFC 2104). Basic idea:
- Mix the key into the plaintext and generate a digest with a hash function (HMAC itself hashes twice, with inner- and outer-padded copies of the key, rather than simply appending the key, which closes length-extension attacks on a single hash over key and message)
- Ship the plaintext together with the digest
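Added example (not part of the lecture slides): the avalanche property of slide 10 measured on a real hash, and the HMAC construction of slide 13 built from scratch per RFC 2104 and checked against Python's hmac module. The keys and messages are constructed for the demo; the hash algorithms are the standard ones from hashlib.

```python
"""Message digests and HMAC (slides 10, 11 and 13); added example, not lecture code.

Uses only the standard library; the from-scratch HMAC is checked against Python's hmac module.
"""
import hashlib
import hmac


def bit_difference(message: bytes, algo: str = "sha256") -> int:
    """Flip one input bit and count how many digest bits change (the avalanche property).

    For a sound hash about half the output bits differ: roughly 128 of 256 for SHA-256."""
    flipped = bytes([message[0] ^ 0x01]) + message[1:]
    a = int.from_bytes(hashlib.new(algo, message).digest(), "big")
    b = int.from_bytes(hashlib.new(algo, flipped).digest(), "big")
    return bin(a ^ b).count("1")


def hmac_rfc2104(key: bytes, message: bytes, algo: str = "sha256") -> bytes:
    """HMAC(K, m) = H((K xor opad) || H((K xor ipad) || m)), as in RFC 2104.

    The slide's 'append the key and hash' is the intuition; the real construction hashes
    twice with two padded copies of the key. A single H(K || m) over MD5/SHA-1/SHA-256
    would let an attacker extend m without knowing K (length extension)."""
    h = hashlib.new(algo)
    size = h.block_size                              # 64 bytes for SHA-1/SHA-256, 128 for SHA-512
    if len(key) > size:
        key = hashlib.new(algo, key).digest()        # long keys are hashed first
    key = key.ljust(size, b"\x00")                   # then zero-padded to one block
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5C for k in key)
    inner = hashlib.new(algo, ipad + message).digest()
    return hashlib.new(algo, opad + inner).digest()


def matches_stdlib(key: bytes, message: bytes, algo: str = "sha256") -> bool:
    return hmac.compare_digest(hmac_rfc2104(key, message, algo),
                               hmac.new(key, message, algo).digest())


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    # Receiver recomputes the tag over the received plaintext; compare in constant time
    return hmac.compare_digest(hmac_rfc2104(key, message), tag)
```

verify_mac uses hmac.compare_digest rather than == so that a wrong tag is rejected in time independent of how many leading bytes happened to match.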
Slide 14: Management of Public Keys
- Problem statement
- Certificates
- X.509
- Public key infrastructure
Slide 15: Problems with Public-Key Management
- If Alice and Bob do not know each other, how do they get each other's public keys to start the communication process?
- It is essential that Alice gets Bob's public key, not someone else's
- A way for Trudy to subvert public-key encryption: substitute her own public key for Bob's and relay the traffic between them
Slide 16: Certificates
- Certification Authority (CA): an organization that certifies public keys
- It certifies the public keys belonging to people, companies, or even attributes
- A CA does not need to be on-line all the time (in ideal scenarios)
- A possible certificate and its signed hash
Slide 17: X.509
- Devised and approved by ITU
- The basic fields of an X.509 certificate
Slide 18: Public-Key Infrastructures
- A Public-Key Infrastructure (PKI) is needed for reasons of availability, scalability, and ease of management
- A PKI has multiple components: users, CAs, certificates, directories
- A PKI provides a way of structuring these components and defines standards for the various documents and protocols
- A simple form of PKI is hierarchical CAs
Slide 19: Public-Key Infrastructures
- Hierarchical PKI
- A chain of trust / certification path: a chain of certificates going back to the root
Slide 20: Public-Key Infrastructures
- Revocation: sometimes certificates must be revoked, for a number of reasons (e.g. the private key was compromised)
- Reinstatement: a revoked certificate could conceivably be reinstated
- Each CA periodically issues a CRL (Certificate Revocation List) giving the serial numbers of all certificates that it has revoked
- A user who is about to use a certificate must now acquire the CRL to see if the certificate has been revoked
- Having to deal with revocation (and possibly reinstatement) eliminates one of the best properties of certificates, namely, that they can be used without having to contact a CA
Slide 21: Cipher Modes
- Despite all the complexity, AES and DES (or any block cipher) are basically monoalphabetic substitution ciphers using big characters
- Whenever the same plaintext block goes in the front end, the same ciphertext block comes out the back end
- If you encrypt the plaintext abcdefgh 100 times with the same DES key, you get the same ciphertext 100 times
- An intruder can exploit this property to help subvert the cipher
Slide 22: Electronic Code Book Mode
- In ECB mode, each plaintext block is encrypted independently with the block cipher
- ECB allows easy parallelization to yield higher performance. However, no processing is possible before a block is seen
Slide 23: Electronic Code Book Mode - Problems
- In ECB, plaintext patterns are not concealed
- Each identical block of plaintext gives an identical block of ciphertext. The plaintext can be easily manipulated by removing, repeating, or interchanging blocks
- Example
Slide 24: Cipher Block Chaining Mode
- To avoid the ECB mode problem: each ciphertext block now depends on the preceding blocks, so replacing or reordering a ciphertext block turns the plaintext of the replaced block into garbage and flips bits in the block after it, instead of being silently accepted (CBC resynchronizes after one block; blocks further on decrypt correctly)
- Exclusive OR each plaintext block with the previous ciphertext block before encryption: C0 = E(P0 XOR IV), C1 = E(P1 XOR C0), etc.
- Drawback: must wait until a full 64-bit (128-bit) block has arrived to decrypt
Slide 25: Cipher Block Chaining Mode
- Exclusive OR each plaintext block with the previous ciphertext block before encryption: C0 = E(P0 XOR IV), C1 = E(P1 XOR C0), etc.
- Figure: encryption and decryption, with the initialization vector feeding the first block
Slide 26: Cipher Feedback Mode
- To enable byte-by-byte encryption
- When plaintext byte n (Pn) arrives, the DES algorithm is run on a 64-bit shift register to produce 64 bits of output (a 128-bit register is needed for AES)
- The leftmost byte of that output is extracted and XORed with Pn to give ciphertext byte Cn
- That byte is transmitted on the transmission line
- The shift register is shifted left 8 bits, causing the oldest ciphertext byte (Cn-8) to fall off the left end, and Cn is inserted in the position at the right end just vacated by Cn-1
- Drawback: one byte of transmission error will ruin 8 bytes of data, because the corrupted byte stays in the shift register for 8 steps
Slide 27: Cipher Feedback Mode
- Figure: encryption and decryption
Slide 28: Stream Cipher Mode
- To be insensitive to transmission errors, an arbitrarily large sequence of output blocks, called the keystream, is treated like a one-time pad and XORed with the plaintext to get the ciphertext
- It works by encrypting an IV, using a key, to get an output block
- The output block is then encrypted, using the key, to get a second output block
- This block is then encrypted to get a third block, and so on
Slide 29: Stream Cipher Mode
- The keystream is independent of the data
- It can be computed in advance
- It is completely insensitive to transmission errors: a flipped ciphertext bit flips only the corresponding plaintext bit (which also means an attacker can flip chosen plaintext bits undetected unless a MAC is added)
- Figure: encryption and decryption
Slide 30: Stream Cipher Mode
- It is essential never to use the same (key, IV) pair twice with a stream cipher, because doing so will generate the same keystream each time
- Using the same keystream twice exposes the ciphertext to a keystream reuse attack
- Stream cipher mode is also called output feedback (OFB) mode
Slide 31: Keystream Reuse Attack
- Plaintext block P0 is encrypted with the keystream to get P0 XOR K0
- Later, a second plaintext block Q0 is encrypted with the same keystream to get Q0 XOR K0
- An intruder who captures both ciphertext blocks can simply XOR them together to get P0 XOR Q0, which eliminates the key
- The intruder now has the XOR of the two plaintext blocks
- If one of them is known or can be guessed, the other can also be found
- In any event, the XOR of two plaintext streams can be attacked by using the statistical properties of the messages
Slide 32: Counter Mode
- To allow random access to encrypted data
- The IV plus a constant is encrypted, and the resulting output block is XORed with the plaintext
- By stepping the counter by 1 for each new block, it is easy to decrypt a block anywhere in the file without first having to decrypt all of its predecessors
- As with any keystream mode, a (key, IV) pair must never be reused, or the keystream reuse attack applies
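Added example (not part of the lecture slides): the cipher modes of slides 21 through 32 implemented over one block cipher, so that each property the slides state can be checked directly: ECB leaking repeated blocks, CBC hiding them and limiting the damage of a corrupted block to two blocks, OFB keystream reuse giving P XOR Q, and CTR decrypting a single block by index. Because the standard library has no AES, the block cipher here is an assumed toy 4-round Feistel network with SHA-256 as round function; it is invertible and keyed but not secure, and AES should be substituted for real use. KEY, IV and the sample plaintexts are constructed demo values. CFB (slides 26 and 27) is not implemented here.

```python
"""Cipher modes (slides 21-32) over a toy block cipher; added example, not lecture code.

The block cipher is a 4-round Feistel network with SHA-256 as round function: keyed and
invertible, but NOT secure. Use AES in practice. KEY and IV are constructed demo values
(a real IV must never repeat under the same key)."""
import hashlib

BLOCK = 8                       # 64-bit blocks, as with DES
KEY = b"toy-key!"               # constructed demo key
IV = bytes(range(BLOCK))        # constructed demo IV

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):
    # Feistel round function: 4 bytes of SHA-256(key || round number || half block)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def encrypt_block(key, block):
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, right, rnd))
    return left + right

def decrypt_block(key, block):
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, left, rnd)), left
    return left + right

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

# ECB: each block on its own, so equal plaintext blocks give equal ciphertext blocks
def ecb_encrypt(key, pt):
    return b"".join(encrypt_block(key, p) for p in blocks(pt))

def ecb_decrypt(key, ct):
    return b"".join(decrypt_block(key, c) for c in blocks(ct))

# CBC: C_i = E(P_i XOR C_{i-1}) with C_{-1} = IV; decrypt with P_i = D(C_i) XOR C_{i-1}
def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in blocks(pt):
        prev = encrypt_block(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)

# OFB / "stream cipher mode": O_0 = E(IV), O_i = E(O_{i-1}); keystream independent of the data
def ofb_xcrypt(key, iv, data):
    stream, o = [], iv
    for _ in blocks(data):
        o = encrypt_block(key, o)
        stream.append(o)
    return _xor(data, b"".join(stream))          # one function for both directions

# CTR: keystream block i = E(IV + i), so block i can be decrypted on its own
def ctr_keystream_block(key, iv, i):
    ctr = (int.from_bytes(iv, "big") + i) % (1 << (8 * BLOCK))
    return encrypt_block(key, ctr.to_bytes(BLOCK, "big"))

def ctr_xcrypt(key, iv, data):
    return b"".join(_xor(b, ctr_keystream_block(key, iv, i)) for i, b in enumerate(blocks(data)))

def ctr_decrypt_one(key, iv, ct, i):
    return _xor(blocks(ct)[i], ctr_keystream_block(key, iv, i))

# The properties the slides describe, as checkable functions
REPEATED = b"abcdefgh" * 4      # constructed: the same block four times (slide 21)

def distinct_blocks(ct):
    return len(set(blocks(ct)))               # ECB gives 1, CBC gives 4

def cbc_damage_after_bit_flip(block_index=1):
    """Flip one ciphertext bit in block 1 and report which plaintext blocks survive.

    Block 1 decrypts to garbage, block 2 gets exactly the flipped bit, blocks 0 and 3 are
    intact: CBC resynchronises after one block, it does not garble everything that follows."""
    ct = bytearray(cbc_encrypt(KEY, IV, REPEATED))
    ct[block_index * BLOCK] ^= 0x01
    got = blocks(cbc_decrypt(KEY, IV, bytes(ct)))
    return [g == p for g, p in zip(got, blocks(REPEATED))]

def keystream_reuse(known, unknown):
    """Slide 31: two messages under one (key, IV). C1 XOR C2 = P XOR Q; knowing P gives Q."""
    c1, c2 = ofb_xcrypt(KEY, IV, known), ofb_xcrypt(KEY, IV, unknown)
    return _xor(_xor(c1, c2), known)          # recovers `unknown` without the key
```

The two keystream modes share the same weakness: keystream_reuse works unchanged if ofb_xcrypt is swapped for ctr_xcrypt, which is why the (key, IV) uniqueness rule of slide 30 applies to counter mode as well.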