EEC-484/584 Computer Networks - PowerPoint PPT Presentation

1
EEC-484/584Computer Networks
  • Lecture 18
  • Wenbing Zhao
  • wenbing_at_ieee.org
  • (Part of the slides are based on materials
    supplied by Prentice-Hall)

2
Outline
  • Reminder
  • IST tour: 12/6 2pm (MW), 12/7 4pm (TTh), Rhodes
    Tower 10th floor lobby
  • Quiz 5: 12/11 2-4pm (MW), 12/12 4-6pm (TTh)
  • Project 2 due 12/12 midnight
  • Public key algorithm
  • Digital signature
  • Message digest and secure hash functions
  • Public key infrastructure
  • Cipher modes

3
Public-Key Algorithms
  • Distributing keys is the weakest link in most
    cryptosystems
  • No matter how strong a cryptosystem was, if an
    intruder could steal the key, the system was
    worthless
  • Cryptologists always took for granted that the
    encryption key and decryption key were the same
  • Diffie and Hellman (1976) proposed a radically
    new kind of cryptosystem: encryption and
    decryption keys were different
  • D(E(P)) = P
  • It is exceedingly difficult to deduce D from E
  • E cannot be broken by a chosen plaintext attack

4
Public-Key Algorithms
  • Public-key cryptography
  • Encryption algorithm and the encryption key can
    be made public
  • How to establish a secure channel when Alice and
    Bob have never had previous contact
  • Alice sends Bob EB(P) (message P encrypted using
    Bob's public encryption key EB)
  • Bob receives the encrypted message and retrieves
    the plaintext using his private key: P =
    DB(EB(P))
  • Bob then sends a reply EA(R) to Alice, encrypted
    with Alice's public key EA

5
RSA
  • Rivest, Shamir, Adleman, 1978 a good method for
    public-key cryptography
  • RSA method
  • Choose two large primes, p and q (typically 1024
    bits when these slides were written; 2048-bit or
    larger moduli are current practice)
  • Compute n = p × q and z = (p - 1) × (q - 1)
  • Choose a number relatively prime to z and call it
    d
  • Find e such that e × d = 1 (mod z)
  • To encrypt a message P, compute C = P^e (mod n)
  • To decrypt C, compute P = C^d (mod n)
  • The public key consists of the pair (e, n)
  • The private key consists of the pair (d, n)

6
RSA
  • An example of the RSA algorithm
  • p = 3, q = 11 → n = 33 and z = 20
  • A suitable value for d is 7 (relatively prime to
    20)
  • e can be found by solving the equation 7e = 1
    (mod 20) → e = 3
  • C = P^3 (mod 33), P = C^7 (mod 33)

7
Digital Signatures
  • Requirement on digital signatures: one party can
    send a signed message to another party in such a
    way that the following conditions hold
  • The receiver can verify the claimed identity of
    the sender
  • The sender cannot later repudiate the contents of
    the message
  • The receiver cannot possibly have concocted the
    message himself

8
Symmetric-Key Signatures
  • Big Brother (BB): a central authority that knows
    everything and whom everyone trusts
  • Each user chooses a secret key and shares it with
    BB
  • Digital signatures with Big Brother

9
Public-Key Signatures
  • Digital signatures using public-key cryptography
  • Requires E(D(P)) = P (in addition to D(E(P)) = P)
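The RSA recipe from slides 5 and 6 and the E(D(P)) = P requirement above, carried through in Python as an added example (not the lecture's code). It is textbook RSA with the lecture's toy primes and no padding, so it shows the arithmetic only; deployed RSA uses 2048-bit or larger moduli with OAEP/PSS padding. Function names are this example's own; `pow(d, -1, z)` is Python's built-in modular inverse (3.8+).

```python
"""Textbook RSA with the lecture's numbers (p=3, q=11, d=7).
Added example: toy primes, no padding, illustration only."""
from math import gcd


def rsa_keygen(p: int, q: int, d: int):
    """Slide 5 recipe: n = p*q, z = (p-1)*(q-1), d relatively prime to z,
    then solve e*d = 1 (mod z) for e.  Returns ((e, n), (d, n))."""
    n = p * q
    z = (p - 1) * (q - 1)
    if gcd(d, z) != 1:
        raise ValueError("d must be relatively prime to z")
    e = pow(d, -1, z)          # modular inverse of d mod z
    return (e, n), (d, n)


def rsa_encrypt(public_key, plaintext: int) -> int:
    """C = P^e (mod n); P must be an integer in [0, n)."""
    e, n = public_key
    if not 0 <= plaintext < n:
        raise ValueError("plaintext must satisfy 0 <= P < n")
    return pow(plaintext, e, n)


def rsa_decrypt(private_key, ciphertext: int) -> int:
    """P = C^d (mod n)."""
    d, n = private_key
    return pow(ciphertext, d, n)


def rsa_sign(private_key, message: int) -> int:
    """D(P): the signer applies the *private* exponent to the message."""
    d, n = private_key
    return pow(message, d, n)


def rsa_verify(public_key, message: int, signature: int) -> bool:
    """E(D(P)) == P: anyone with the public key can check the signature.
    This is the extra property slide 9 requires of a signature scheme."""
    e, n = public_key
    return pow(signature, e, n) == message


def roundtrip_all(p: int, q: int, d: int) -> bool:
    """Check D(E(P)) = P and E(D(P)) = P for every P in [0, n).
    Exhaustive only because the toy modulus is tiny."""
    pub, priv = rsa_keygen(p, q, d)
    n = pub[1]
    return all(
        rsa_decrypt(priv, rsa_encrypt(pub, m)) == m
        and rsa_verify(pub, m, rsa_sign(priv, m))
        for m in range(n)
    )


if __name__ == "__main__":
    pub, priv = rsa_keygen(3, 11, 7)      # slide 6 values
    print("public key (e, n):", pub)       # (3, 33)
    print("private key (d, n):", priv)     # (7, 33)
    c = rsa_encrypt(pub, 4)
    print("E(4) =", c, "-> D(E(4)) =", rsa_decrypt(priv, c))
    s = rsa_sign(priv, 4)
    print("sig(4) =", s, "verifies:", rsa_verify(pub, 4, s))
```

Note that with the slide's choice the public exponent comes out as e = 3 and both directions work for every message below 33, including multiples of 3 and 11, because ed = 21 is 1 mod 2 and 1 mod 10.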

10
Message Digests
  • Message digest (MD): using a one-way hash
    function that takes an arbitrarily long piece of
    plaintext and from it computes a fixed-length bit
    string
  • Given P, it is easy to compute MD(P)
  • Given MD(P), it is effectively impossible to find
    P
  • Given P, no one can find P' such that MD(P') =
    MD(P)
  • A change to the input of even 1 bit produces a
    very different output

11
Hash Functions MD5 and SHA-1
  • Hash function: mangles the bits in a sufficiently
    complicated way that every output bit is affected
    by every input bit
  • MD5 is the fifth in a series of message digests
    designed by Ronald Rivest (1992)
  • MD5 generates a 128-bit fixed value
  • SHA-1: Secure Hash Algorithm 1, developed by the
    National Security Agency (NSA) and blessed by
    NIST
  • SHA-1 generates a 160-bit message digest
  • Note: practical collision attacks now exist for
    both MD5 (since 2004) and SHA-1 (demonstrated in
    2017), so neither should be used where collision
    resistance matters, such as signatures and
    certificates; SHA-2 or SHA-3 is used instead

12
Digital Signatures Using Message Digests
13
Message Authentication Code
  • MACs are used between two parties that share a
    secret key in order to validate information
    transmitted between these parties
  • The MAC mechanism that is based on cryptographic
    hash functions is called HMAC (RFC 2104). Basic
    idea:
  • Combine the key with the plaintext and generate a
    digest using a hash function (HMAC does this with
    two nested hashes, H((K ⊕ opad) || H((K ⊕ ipad)
    || M)), not by simply appending the key)
  • Ship the plaintext together with the digest; the
    receiver recomputes the digest with the shared
    key and compares
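The construction on this slide, written out with `hashlib` so the two nested hashes of RFC 2104 are visible, next to the "append the key" sketch for comparison. This is an added example, not the lecture's code; the function names are this example's own, and the key and message in the test are constructed. The result is checked against Python's own `hmac` module.

```python
"""HMAC per RFC 2104 built from a bare hash, plus sender/receiver helpers.
Added example; names are this example's own."""
import hashlib
import hmac


def naive_mac(key: bytes, message: bytes) -> bytes:
    """The slide's sketch: hash the message with the key appended.
    Shown for comparison only; this is NOT what HMAC computes."""
    return hashlib.sha256(message + key).digest()


def hmac_rfc2104(key: bytes, message: bytes, hashfn=hashlib.sha256) -> bytes:
    """HMAC(K, M) = H((K' xor opad) || H((K' xor ipad) || M)).
    K' is the key, hashed first if it is longer than the hash's block
    size, then zero-padded to the block size (64 bytes for SHA-256)."""
    block_size = hashfn().block_size
    if len(key) > block_size:
        key = hashfn(key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5C for k in key)
    inner = hashfn(ipad + message).digest()
    return hashfn(opad + inner).digest()


def mac_and_ship(key: bytes, message: bytes):
    """Sender side: ship the plaintext together with its tag."""
    return message, hmac_rfc2104(key, message)


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time so the
    comparison itself does not leak how many leading bytes matched."""
    return hmac.compare_digest(hmac_rfc2104(key, message), tag)
```

`verify_tag` uses `hmac.compare_digest` rather than `==`; a byte-by-byte early-exit comparison lets an attacker on the wire learn the tag one byte at a time from timing.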

14
Management of Public Keys
  • Problem statement
  • Certificates
  • X.509
  • Public key infrastructure

15
Problems with Public-Key Management
  • If Alice and Bob do not know each other, how do
    they get each other's public keys to start the
    communication process?
  • It is essential that Alice gets Bob's public key,
    not someone else's
  • A way for Trudy to subvert public-key encryption:
    intercept the key exchange and substitute her own
    public key for Bob's, so that Alice unknowingly
    encrypts to Trudy (a man-in-the-middle attack)

16
Certificates
  • Certification Authority (CA): an organization
    that certifies public keys
  • It certifies the public keys belonging to people,
    companies, or even attributes
  • CA does not need to be on-line all the time (in
    ideal scenarios)
  • A possible certificate and its signed hash

17
X.509
  • Devised and approved by ITU
  • The basic fields of an X.509 certificate

18
Public-Key Infrastructures
  • A Public-Key Infrastructure (PKI) is needed for
    reasons of availability, scalability, and ease
    of management
  • A PKI has multiple components: users, CAs,
    certificates, directories
  • A PKI provides a way of structuring these
    components and defines standards for the various
    documents and protocols
  • A simple form of PKI is hierarchical CAs

19
Public-Key Infrastructures
  • Hierarchical PKI
  • A chain of trust/certification path: a chain of
    certificates going back to the root

20
Public-Key Infrastructures
  • Revocation: sometimes certificates have to be
    revoked, for a number of reasons (private key
    compromised, subject no longer entitled, etc.)
  • Reinstatement: a revoked certificate could
    conceivably be reinstated
  • Each CA periodically issues a CRL (Certificate
    Revocation List) giving the serial numbers of all
    certificates that it has revoked
  • A user who is about to use a certificate must now
    acquire the CRL to see if the certificate has
    been revoked (every CA on the path can revoke, so
    the check applies to each certificate in the
    chain, not only the end-entity one)
  • Having to deal with revocation (and possibly
    reinstatement) eliminates one of the best
    properties of certificates, namely, that they can
    be used without having to contact a CA
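Slides 16 through 20 in miniature: a root CA, a departmental CA it certifies, a user certificate, the chain-of-trust walk a verifier performs, and a CRL check. This is an added example, not from the lecture. The certificates are simplified X.509-like dictionaries (version, serial, issuer, subject, public key, CA flag, signature), the signature is textbook RSA over SHA-256 without padding, and the keys are built from fixed, well-known Mersenne primes purely so the example runs offline; all names and serials are constructed.

```python
"""Hierarchical PKI toy: issue certificates, walk a chain to a trusted
root, consult a CRL.  Added example with a toy certificate format and
toy RSA keys (fixed Mersenne primes); illustration only."""
import hashlib
import json

E = 65537   # common RSA public exponent


def make_key(p: int, q: int) -> dict:
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return {"n": n, "e": E, "d": d}


def public_part(key: dict) -> dict:
    return {"n": key["n"], "e": key["e"]}


def digest_int(data: bytes, n: int) -> int:
    """Hash-then-sign: the signature covers H(fields), reduced below n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def tbs_bytes(cert: dict) -> bytes:
    """'To be signed' portion: every field but the signature, encoded
    canonically so issuer and verifier hash identical bytes."""
    fields = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(fields, sort_keys=True).encode()


def issue(issuer_name, issuer_key, subject, subject_pub, serial, is_ca):
    cert = {"version": 3, "serial": serial, "issuer": issuer_name,
            "subject": subject, "public_key": subject_pub, "is_ca": is_ca}
    n, d = issuer_key["n"], issuer_key["d"]
    cert["signature"] = pow(digest_int(tbs_bytes(cert), n), d, n)
    return cert


def signature_ok(cert: dict, issuer_pub: dict) -> bool:
    n, e = issuer_pub["n"], issuer_pub["e"]
    return pow(cert["signature"], e, n) == digest_int(tbs_bytes(cert), n)


def verify_chain(chain, trusted_roots, crl):
    """chain = [end entity, ..., root]; trusted_roots = {name: public key};
    crl = {issuer name: set of revoked serials}.  Returns (ok, reason)."""
    for i, cert in enumerate(chain):
        # Every certificate on the path is checked against its issuer's CRL
        if cert["serial"] in crl.get(cert["issuer"], set()):
            return False, f"{cert['subject']} revoked"
        if i + 1 < len(chain):
            issuer = chain[i + 1]
            if issuer["subject"] != cert["issuer"] or not issuer["is_ca"]:
                return False, "broken chain"
            if not signature_ok(cert, issuer["public_key"]):
                return False, "bad signature"
        else:
            # The path must end at a self-signed root the verifier trusts
            root_pub = trusted_roots.get(cert["subject"])
            if (root_pub is None or root_pub != cert["public_key"]
                    or cert["issuer"] != cert["subject"]
                    or not signature_ok(cert, root_pub)):
                return False, "untrusted root"
    return True, "ok"


def build_demo():
    """Root CA -> Dept CA -> alice.  Mersenne primes 2^k - 1 (k = 89, 107,
    61, 127, 31, 19) are used only so the toy runs offline; real keys are
    generated from fresh random primes, never from fixed ones."""
    root_key = make_key((1 << 89) - 1, (1 << 107) - 1)
    dept_key = make_key((1 << 61) - 1, (1 << 127) - 1)
    alice_key = make_key((1 << 31) - 1, (1 << 19) - 1)
    root = issue("Root CA", root_key, "Root CA", public_part(root_key), 1, True)
    dept = issue("Root CA", root_key, "Dept CA", public_part(dept_key), 2, True)
    alice = issue("Dept CA", dept_key, "alice@example.com",
                  public_part(alice_key), 1001, False)
    return root, dept, alice, {"Root CA": public_part(root_key)}
```

The walk mirrors what a real validator does: each certificate's signature is checked with the public key in the next certificate up, the issuer of a certificate must be a CA, the path must terminate at a root already in the trust store (a root is trusted because it is configured, not because it signs itself), and the CRL lookup happens at every level, which is why revoking the departmental CA's certificate also invalidates everything it issued.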

21
Cipher Modes
  • Despite all the complexity, AES and DES (or any
    block cipher) are basically a monoalphabetic
    substitution cipher using big characters
  • Whenever the same plaintext block goes in the
    front end, the same ciphertext block comes out
    the back end
  • If you encrypt the plaintext abcdefgh 100 times
    with the same DES key, you get the same
    ciphertext 100 times
  • An intruder can exploit this property to help
    subvert the cipher

22
Electronic Code Book Mode
  • In ECB mode, each plaintext block is encrypted
    independently with the block cipher
  • ECB allows easy parallelization to yield higher
    performance. However, no processing is possible
    before a block is seen

23
Electronic Code Book Mode - Problems
  • In ECB, plaintext patterns are not concealed
  • Each identical block of plaintext gives an
    identical block of ciphertext. The plaintext can
    be easily manipulated by removing, repeating, or
    interchanging blocks
  • Example

24
Cipher Block Chaining Mode
  • To avoid the ECB mode problem, chain the blocks:
    each ciphertext block then depends on the
    plaintext blocks before it, so replacing a
    ciphertext block no longer yields clean
    plaintext (the replaced block decrypts to garbage
    and the block after it is corrupted as well)
  • Exclusive OR the encrypted text with the next
    block of plaintext before encryption: C0 = E(P0
    XOR IV), C1 = E(P1 XOR C0), etc.
  • Drawback: must wait until a full 64-bit (128-bit
    for AES) block arrives before it can be decrypted

25
Cipher Block Chaining Mode
  • Exclusive OR the encrypted text with the next
    block of plaintext before encryption: C0 = E(P0
    XOR IV), C1 = E(P1 XOR C0), etc.

(Figure: CBC mode, encryption and decryption, with
the initialization vector feeding the first block)
26
Cipher Feedback Mode
  • To enable byte-by-byte encryption
  • When plaintext byte n (Pn) arrives, DES is run on
    a 64-bit shift register to generate a 64-bit
    output block (a 128-bit register is needed for
    AES)
  • Leftmost byte of that output is extracted and
    XORed with Pn to give Cn
  • That byte is transmitted on the transmission line
  • The shift register is shifted left 8 bits,
    causing Cn-8 to fall off the left end, and Cn is
    inserted in the position just vacated at the
    right end
  • Decryption runs the block cipher in the same
    (forward) direction over the same register of
    received ciphertext bytes
  • Drawback: one byte of transmission error ruins
    the corresponding plaintext byte and the 8 bytes
    that follow it (while the bad byte sits in the
    shift register); after that the receiver
    resynchronizes

27
Cipher Feedback Mode
(Figure: CFB mode, encryption and decryption)
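ECB (slides 22 and 23), CBC (slides 24 and 25) and 8-bit CFB (slides 26 and 27) built on one toy 64-bit block cipher, so the three claims on those slides can be checked directly: ECB leaks repeated blocks and lets ciphertext blocks be swapped cleanly; in CBC a replaced ciphertext block garbles that plaintext block and the next one; in 8-bit CFB one corrupted ciphertext byte damages that byte and the 8 after it, then the receiver resynchronizes. This is an added example, not the lecture's code. The "block cipher" is a 4-round Feistel network with an HMAC-SHA256 round function, a stand-in chosen so everything runs with the standard library; it is not a secure cipher. Keys, IVs and messages are constructed sample data, and the helper names are this example's own.

```python
"""ECB, CBC and 8-bit CFB over a toy 64-bit Feistel cipher.
Added example; the cipher is a stand-in, NOT secure."""
import hashlib
import hmac

BLOCK = 8      # 64-bit block, like DES
ROUNDS = 4

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, r: int, half: bytes) -> bytes:
    # Round function F(key, round number, 32-bit half) -> 32 bits
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:4]

def _feistel(key: bytes, block: bytes, order) -> bytes:
    a, b = block[:4], block[4:]
    for r in order:
        a, b = b, _xor(a, _round(key, r, b))
    return b + a          # undo the last swap; reversed round order inverts

def encrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, range(ROUNDS))

def decrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, reversed(range(ROUNDS)))

def _blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("example expects block-aligned input")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

# ECB: each block encrypted on its own, so patterns and block order leak
def ecb_encrypt(key, pt):
    return b"".join(encrypt_block(key, p) for p in _blocks(pt))

def ecb_decrypt(key, ct):
    return b"".join(decrypt_block(key, c) for c in _blocks(ct))

# CBC: C_i = E(P_i xor C_{i-1}) with C_{-1} = IV
def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in _blocks(pt):
        prev = encrypt_block(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)

# 8-bit CFB: the register holds the last 8 ciphertext bytes; the cipher
# runs forwards on both sides and only its leftmost output byte is used
def cfb8_encrypt(key, iv, pt):
    reg, out = iv, bytearray()
    for p in pt:
        c = p ^ encrypt_block(key, reg)[0]
        out.append(c)
        reg = reg[1:] + bytes([c])      # shift left 8 bits, insert C_n
    return bytes(out)

def cfb8_decrypt(key, iv, ct):
    reg, out = iv, bytearray()
    for c in ct:
        out.append(c ^ encrypt_block(key, reg)[0])
        reg = reg[1:] + bytes([c])
    return bytes(out)

def distinct_ct_blocks(ct: bytes) -> int:
    """ECB maps a repeated plaintext block to one repeated ciphertext block."""
    return len(set(_blocks(ct)))

def ecb_swap_blocks(key, pt, i, j):
    """Swap two ECB ciphertext blocks: the plaintext blocks swap cleanly."""
    ct = _blocks(ecb_encrypt(key, pt))
    ct[i], ct[j] = ct[j], ct[i]
    return ecb_decrypt(key, b"".join(ct))

def cbc_replace_block(key, iv, pt, target, source):
    """Copy CBC ciphertext block `source` over `target`; return the indices
    of plaintext blocks that decrypt wrongly (target and the one after)."""
    ct = _blocks(cbc_encrypt(key, iv, pt))
    ct[target] = ct[source]
    rec = _blocks(cbc_decrypt(key, iv, b"".join(ct)))
    return [k for k, (a, b) in enumerate(zip(_blocks(pt), rec)) if a != b]

def cfb8_error_spread(key, iv, pt, bad_index):
    """Flip one bit of CFB ciphertext byte `bad_index`; return positions of
    plaintext bytes that come back wrong (that byte and up to 8 more)."""
    ct = bytearray(cfb8_encrypt(key, iv, pt))
    ct[bad_index] ^= 0x01
    rec = cfb8_decrypt(key, iv, bytes(ct))
    return [k for k, (a, b) in enumerate(zip(pt, rec)) if a != b]
```

In the CBC case the block after the replaced one is corrupted in a controlled way (its plaintext is XORed with the difference between the old and new ciphertext block), which is exactly the property attackers use for bit-flipping when CBC ciphertext carries no MAC; the block after that decrypts correctly again. Neither CBC nor CFB gives integrity by itself, so a MAC or an AEAD mode is still required.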
28
Stream Cipher Mode
  • To be insensitive to transmission error, an
    arbitrarily large sequence of output blocks,
    called the keystream, is treated like a one-time
    pad and XORed with the plaintext to get the
    ciphertext
  • It works by encrypting an IV, using a key to get
    an output block
  • The output block is then encrypted, using the key
    to get a second output block
  • This block is then encrypted to get a third
    block, and so on

29
Stream Cipher Mode
  • The keystream is independent of the data
  • It can be computed in advance
  • It is completely insensitive to transmission
    errors

(Figure: stream cipher (output feedback) mode,
encryption and decryption)
30
Stream Cipher Mode
  • It is essential never to use the same (key, IV)
    pair twice with a stream cipher because doing so
    will generate the same keystream each time
  • Using the same keystream twice exposes the
    ciphertext to a keystream reuse attack
  • Stream cipher mode is also called output feedback
    mode

31
Keystream Reuse Attack
  • Plaintext block, P0, is encrypted with the
    keystream to get P0 XOR K0
  • Later, a second plaintext block, Q0, is encrypted
    with the same keystream to get Q0 XOR K0
  • An intruder who captures both ciphertext blocks
    can simply XOR them together to get P0 XOR Q0,
    which cancels the keystream
  • The intruder now has the XOR of the two plaintext
    blocks
  • If one of them is known or can be guessed, the
    other can also be found
  • In any event, the XOR of two plaintext streams
    can be attacked by using statistical properties
    of the message

32
Counter Mode
  • To allow random access to encrypted data
  • The IV plus a constant is encrypted, and the
    resulting output block is XORed with the
    plaintext
  • By stepping the IV by 1 for each new block, it is
    easy to decrypt a block anywhere in the file
    without first having to decrypt all of its
    predecessors
  • Same caveat as for stream cipher mode: the
    keystream depends only on (key, IV), so a
    (key, IV) pair must never be reused
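Output feedback (the "stream cipher mode" of slides 28 to 30), the keystream reuse attack of slide 31 and counter mode from this slide, in one added example that is not the lecture's code. Both modes only ever run the block cipher forwards, so HMAC-SHA256 truncated to one 16-byte block stands in for E_K here and the structure of the modes is unchanged; keys, IVs and messages are constructed sample data, and the function names are this example's own.

```python
"""OFB and CTR keystreams, the keystream-reuse attack, OFB error behaviour.
Added example; E_K is a keyed PRF stand-in (never inverted by either mode)."""
import hashlib
import hmac

BLOCK = 16

def block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_K(block): HMAC-SHA256 truncated to one block."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ofb_keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """O_1 = E(IV), O_i = E(O_{i-1}): depends only on (key, IV), so it can
    be precomputed, and it is identical every time the pair is reused."""
    out, o = bytearray(), iv
    while len(out) < length:
        o = block_fn(key, o)
        out += o
    return bytes(out[:length])

def ctr_keystream_block(key: bytes, iv: bytes, index: int) -> bytes:
    """Block i of the CTR keystream is E(IV + i): producible in any order."""
    counter = (int.from_bytes(iv, "big") + index) % (1 << (8 * BLOCK))
    return block_fn(key, counter.to_bytes(BLOCK, "big"))

def ctr_keystream(key: bytes, iv: bytes, length: int) -> bytes:
    nblocks = -(-length // BLOCK)       # ceiling division
    return b"".join(ctr_keystream_block(key, iv, i)
                    for i in range(nblocks))[:length]

def stream_xor(keystream_fn, key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt; XOR with the keystream is its own inverse."""
    return _xor(data, keystream_fn(key, iv, len(data)))

def ctr_decrypt_block_at(key: bytes, iv: bytes, ct: bytes, index: int):
    """Random access: recover plaintext block `index` without the others."""
    chunk = ct[index * BLOCK:(index + 1) * BLOCK]
    return _xor(chunk, ctr_keystream_block(key, iv, index))

def keystream_reuse_attack(ct1: bytes, ct2: bytes, known_pt1: bytes) -> bytes:
    """Two messages under one (key, IV): ct1 xor ct2 = pt1 xor pt2, the
    keystream cancels; with pt1 known or guessed, pt2 falls out directly."""
    return _xor(_xor(ct1, ct2), known_pt1)

def ofb_error_positions(key: bytes, iv: bytes, pt: bytes, bad_index: int):
    """Corrupt one OFB ciphertext byte: only that plaintext byte is damaged,
    because the keystream never depends on the received ciphertext."""
    ct = bytearray(stream_xor(ofb_keystream, key, iv, pt))
    ct[bad_index] ^= 0xFF
    rec = stream_xor(ofb_keystream, key, iv, bytes(ct))
    return [k for k, (a, b) in enumerate(zip(pt, rec)) if a != b]
```

The same reuse attack applies to CTR, since its keystream is likewise fixed by (key, IV). The error insensitivity also means an attacker can flip chosen plaintext bits by flipping ciphertext bits, so both modes need a MAC or an AEAD construction such as GCM (which is CTR plus a polynomial MAC) when integrity matters.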