
Confidentiality Using Conventional Encryption


nerice

Presentation Transcript


  1. Confidentiality Using Conventional Encryption
     • Where should cryptographic functionality be located?
     • How can we make communications confidential?
     • How do we distribute keys?
     • What is the role of random numbers?

  2. Placement of Encryption Function: Points of Vulnerability
     • Networks are vulnerable to active and passive attacks
     • Many potential locations for confidentiality attacks
       • By network tapping or other means
       • Passive inductive attacks on electrical signaling
       • Phone and wiring closets may be accessible to outsiders
       • Satellite links are easy to monitor
       • etc.

  3. Placement of Encryption Function: Link vs. End-to-End Encryption
     • The most powerful and most common approach to securing the points of vulnerability is encryption
     • If encryption is to be used to counter these attacks, we need to decide what to encrypt and where the encryption should be located
     • Two fundamental alternatives:
       • Link encryption
       • End-to-end encryption

  4. Placement of encryption function Link vs. End-to-End Encryption

  5. Placement of Encryption Function: Logical Placement of E2E Encryption Function
     • Link encryption occurs at either the physical or link layers
     • For end-to-end encryption, several choices are possible
     • At the lowest practical layer, the encryption function could be performed at the network layer
     • All the user processes and applications within each end system would employ the same encryption scheme with the same key
     • With this arrangement, a front-end processor may be used to off-load the encryption function

  6. Placement of Encryption Function: Logical Placement of E2E Encryption Function
     • X.25 or TCP provide end-to-end security for traffic within a fully integrated internetwork. However, such a scheme cannot deliver the necessary service for traffic that crosses internetwork boundaries, such as E-Mail, EDI, and file transfer
     • In this case, the only place to achieve end-to-end encryption is at the application layer
     • A drawback of application-layer encryption is that the number of entities to consider increases dramatically
     • Many more secret keys need to be generated and distributed

  7. Placement of encryption function Logical Placement of E2E Encryption Function

  8. Placement of encryption function Logical Placement of E2E Encryption Function

  9. Traffic Confidentiality
     • Security from traffic analysis attack
     • Knowledge about the number and length of messages between nodes may enable an opponent to determine who is talking to whom
     • Types of information derivable from traffic analysis
       • Identities of communicating partners
       • Frequency of communication
       • Message patterns, e.g., length, quantity, (encrypted) content
       • Correlation between messages and real world events
     • Can (sometimes) be defeated through traffic padding

  10. Traffic Confidentiality: Countermeasure to Traffic Analysis
     • Link encryption approach
       • Link encryption hides address information
       • Traffic padding is very effective
     • End-to-End encryption approach
       • Leaves addresses in the clear
       • Measures available to the defender are more limited
       • Pad out data units to a uniform length at either the transport or application level
       • Null messages can be inserted randomly into the stream

  11. Traffic Confidentiality: Covert Channel
     • Essentially, the dual of traffic analysis
     • A means of communication in a fashion unintended by the designers of the communication facility
     • Usually intended to violate or defeat a security policy
     • Examples
       • Message length
       • Message content
       • Message presence

  12. Key Distribution
     • For conventional encryption to work, the two parties must share the same key and that key must be protected from access by others
     • Alice’s options in establishing a shared secret key with Bob include
       • Alice selects a key and physically delivers it to Bob
       • Trusted third party key distribution center (T3P or KDC) selects a key and physically delivers it to Alice and Bob
       • If Alice and Bob have previously and recently used a key, it can be used to distribute a new key
       • If Alice and Bob have keys with the T3P, rekeying can be accomplished similarly

  13. Key Distribution
     • Manual delivery is a reasonable requirement with link encryption, challenging with E2E encryption
     • The number of keys grows quadratically with the number of endpoints
     • T3P key(s) constitute a rich target of opportunity
     • Initial (master) key distribution remains a challenge

  14. Key Distribution: Use of a Key Hierarchy
     • Use of a key distribution center is based on the use of a hierarchy of keys
       • Session keys
       • Master keys

  15. Key Distribution: A Key Distribution Scenario
     • Assume each principal shares a unique master key with the KDC
     • Alice desires a one-time session key to communicate with Bob
     • Alice issues a request to the KDC for a session key to be used with Bob. Alice’s request includes a nonce to prevent replay attack
     • KDC responds with a message encrypted under Alice’s key. The message contains the session key, the nonce, and the session key along with Alice’s identity encrypted under Bob’s key
     • Alice forwards the data encrypted under Bob’s key to Bob
     • Alice and Bob mutually authenticate under the session key
       • Alice sends a nonce to Bob encrypted under the session key
       • Bob applies a transformation to the nonce and sends the result back to Alice

  16. Key Distribution A Key Distribution Scenario
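Added example (not part of the original slides): the exchange of slide 15 with the KDC, Alice and Bob as Python functions. The cipher is a stand-in built from SHAKE-256 and HMAC rather than DES, and the names `seal`, `unseal`, `kdc_reply`, `alice_accept` and the transformation `f(n) = n + 1` are assumptions made for this sketch.

```python
import hashlib, hmac, json, secrets

def seal(key, msg):
    """Stand-in authenticated cipher: SHAKE-256 keystream plus HMAC tag."""
    pt, iv = json.dumps(msg).encode(), secrets.token_bytes(16)
    ks = hashlib.shake_256(key + iv).digest(len(pt))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return iv + hmac.new(key, iv + ct, "sha256").digest() + ct

def unseal(key, blob):
    iv, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, "sha256").digest()):
        raise ValueError("wrong key or modified message")
    ks = hashlib.shake_256(key + iv).digest(len(ct))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

# Master keys each principal shares with the KDC (constructed for the demo).
MASTER = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}

def kdc_reply(requester, peer, nonce):
    """KDC: session key and nonce under requester's key, ticket under peer's key."""
    ks = secrets.token_hex(16)
    ticket = seal(MASTER[peer], {"ks": ks, "from": requester})
    return seal(MASTER[requester],
                {"ks": ks, "nonce": nonce, "peer": peer, "ticket": ticket.hex()})

def alice_accept(reply_blob, expected_nonce):
    """Alice: decrypt the KDC reply and reject it unless it echoes her nonce."""
    reply = unseal(MASTER["alice"], reply_blob)
    if reply["nonce"] != expected_nonce:
        raise ValueError("stale KDC reply (nonce mismatch)")
    return bytes.fromhex(reply["ks"]), bytes.fromhex(reply["ticket"])

def f(n):
    """Agreed transformation applied to the handshake nonce (assumed: n + 1)."""
    return n + 1

def run_exchange():
    n1 = secrets.token_hex(8)                        # Alice's request nonce
    ks_a, ticket = alice_accept(kdc_reply("alice", "bob", n1), n1)
    opened = unseal(MASTER["bob"], ticket)           # Bob opens forwarded ticket
    ks_b = bytes.fromhex(opened["ks"])
    n2 = secrets.randbelow(2**32)
    challenge = seal(ks_a, {"n": n2})                # Alice -> Bob
    response = seal(ks_b, {"n": f(unseal(ks_b, challenge)["n"])})  # Bob -> Alice
    return {"keys_match": ks_a == ks_b, "peer": opened["from"],
            "handshake_ok": unseal(ks_a, response)["n"] == f(n2)}
```

A KDC reply recorded from an earlier run fails the nonce check in `alice_accept`, which is the replay protection the nonce provides.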

  17. Key Distribution: Hierarchical Key Control
     • Instead of a single KDC, a hierarchy of KDCs can be established: local KDCs and a global KDC
     • Local KDCs exchange keys through a global KDC
     • Can be extended to three or more layers (hierarchy)

  18. Key Distribution: Session Key Lifetime
     • Tradeoffs in the session key lifetime
       • The more frequently session keys are changed, the more secure they are, but the lower the performance (more network load and delay)
     • For connection-oriented protocols, one option is to associate a session with a connection
       • For long-lived connections, must periodically rekey
     • For connectionless protocols, rekey at intervals

  19. Key Distribution A Transparent Key Control Scheme

  20. Key Distribution: Decentralized Key Distribution
     • A issues a request to B for a session key and includes a nonce, N1
     • B responds with a message encrypted using the shared master key. The response includes the session key selected by B, an identifier of B, the value of f(N1), and another nonce, N2
     • Using the new session key, A returns f(N2) to B

  21. Key Distribution: Controlling Key Usage
     • It is desirable to impose some control on the way in which keys are used
       • e.g. we may wish to define different types of session keys on the basis of use, such as
         • Data-encrypting key
         • PIN-encrypting key
         • File-encrypting key
     • One technique is to associate a tag with each key
       • Tag is a bit-vector representing the key’s usage or type
       • e.g. the extra 8 bits in each 56-bit DES key can be used as a tag
       • Limited flexibility and functionality due to the limited tag size
       • Because the tag is not transmitted in clear form, it can be used only at the point of decryption, limiting the ways in which key use can be controlled
     • A more flexible scheme is to use a control vector

  22. Key Distribution: Control Vector Scheme
     • Each session key has an associated control vector
     • Control vector consists of a number of fields that specify the uses and restrictions for that session key
     • The length of the control vector may vary
     • Control vector is cryptographically coupled with the key at the time of key generation at the KDC
       • Hash value = $H = h(CV)$
       • Key input = $K_m \oplus H$
       • Encrypted session key = $E_{K_m \oplus H}[K_s]$
     • When a session key is delivered to a user from the KDC, it is accompanied by the control vector in clear form
     • The session key can be recovered only by using both the master key and the control vector
       • $K_s = D_{K_m \oplus H}[E_{K_m \oplus H}[K_s]]$
     • Advantages (over the 8-bit tag)
       • No restriction on length of control vector (arbitrarily complex controls can be imposed on key use)
       • Control vector is available in clear form at all stages of operation, so key control can be exercised in multiple locations
     • CV: control vector; Km: master key; Ks: session key

  23. Key Distribution Controlling Key Usage

  24. Random Number Generation
     • Use of random numbers (in cryptography)
       • As key stream for a one-time pad
       • For session keys
       • For public key
       • For nonces (random numbers) in protocols to prevent replays
     • Good cryptography requires good random numbers
     • Random number requirements
       • Statistically random (uniform distribution, etc.)
       • Unpredictable (independent)

  25. Random Number Generation: Sources of Randomness
     • Natural random noise (natural real randomness)
       • Radiation counters, radio noise, thermal noise in diodes, leaky capacitors, mercury discharge tubes, etc.
       • Generally need special H/W for this
       • Starting to see this in new CPUs (Pentium III)
     • Almost random sources
       • Keystroke timing
       • Mouse tracking
       • Disk latency, etc.
     • Published lists
       • e.g., Rand Co. in 1955 published a book of 1 million numbers generated using an electronic roulette wheel
       • Predictable
     • In practice, pseudorandom numbers are algorithmically derived from a deterministic PRNG (Pseudorandom Number Generator)

  26. Random Number Generation: Lehmer’s algorithm
     • Most widely used technique for PRNG
     • Also known as linear congruential method
     • Four parameters
       • $m$: modulus, $m > 0$
       • $a$: multiplier, $0 \le a < m$
       • $c$: increment, $0 \le c < m$
       • $X_0$: seed, $0 \le X_0 < m$
     • $X_{n+1} = (aX_n + c) \bmod m$
     • Generates numbers in the range $\{0, \ldots, m-1\}$
     • “Good” and “bad” choices for m, a, and c
       • Lots of obvious bad choices

  27. Random Number Generation: Lehmer’s algorithm - 2
     • Choose a very large m, e.g., $2^{31}$
       • Provides for a long series
       • Usually the maximum integer value for a given computer
     • Criteria for good RNG:
       • Generate the entire range (full period)
       • Pass statistical tests
       • Efficient implementation
     • Good choices
       • $m = 2^{31} - 1$, a prime value
       • $a = 7^5 = 16807$
       • $c = 0$
     • Useful for applications requiring statistical randomness (Monte Carlo simulation)
     • Not so useful for cryptography (easy cryptanalysis)
       • $X_i, X_{i+1}, X_{i+2}$ gives solution for m, a, and c
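Added example (not part of the original slides): why the linear congruential generator of slides 26 and 27 is unsuitable for keys or nonces. It assumes the modulus m is already known (the slide's $2^{31} - 1$) and recovers a and c from three consecutive outputs; the function names and the demo seeds are constructed for this sketch.

```python
M = 2**31 - 1   # modulus from the slide (a prime)
A = 7**5        # multiplier from the slide, 16807

def lcg(seed, a=A, c=0, m=M):
    """Yield X1, X2, ... with X_{n+1} = (a*X_n + c) mod m."""
    x = seed
    while True:
        x = (a * x + c) % m
        yield x

def recover_a_c(x0, x1, x2, m=M):
    """Solve for a and c from three consecutive outputs when m is known.

    x2 - x1 = a*(x1 - x0) (mod m), then c = x1 - a*x0 (mod m).
    With prime m the difference is invertible unless x1 == x0.
    """
    d = (x1 - x0) % m
    if d == 0:
        raise ValueError("degenerate sequence: consecutive outputs are equal")
    a = ((x2 - x1) * pow(d, -1, m)) % m   # modular inverse, Python 3.8+
    c = (x1 - a * x0) % m
    return a, c

def predict_next(x0, x1, x2, m=M):
    """Predict the output that follows x2 using the recovered parameters."""
    a, c = recover_a_c(x0, x1, x2, m)
    return (a * x2 + c) % m

def demo(seed=20240229, a=A, c=0):
    """Observe three outputs, recover (a, c), and check the fourth is predicted."""
    gen = lcg(seed, a, c)
    x0, x1, x2, x3 = (next(gen) for _ in range(4))
    return recover_a_c(x0, x1, x2), predict_next(x0, x1, x2) == x3

if __name__ == "__main__":
    print(demo())                            # slide parameters
    print(demo(seed=7, a=48271, c=12345))    # other constructed parameters
```

The outputs pass statistical tests, yet an observer of three values can compute every later one, so session keys and nonces need a generator whose state cannot be solved for this way.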

  28. Random Number Generation: Cryptographically Generated RNs
     • Cyclic encryption
       • Generate session keys from a master key
       • A counter with period N is input to the encryption logic, e.g. 56-bit counter for 56-bit DES
       • $X_0, X_1, \ldots, X_{n-1}$
       • The $X_i$ cannot be deduced since the master key is protected
       • Full-period PRNG can be used instead of a simple counter
     • DES OFB mode
       • Can be used as a PRNG (IV is the seed)
       • Successive 64-bit outputs constitute a sequence of pseudorandom numbers with good statistical properties

  29. Random Number Generation: ANSI X9.17 PRNG
     • One of the (cryptographically) strongest PRNGs
     • Used in financial security applications and PGP
     • $DT_i$ is the date/time value at the beginning of the ith stage
     • $V_i$ is the seed value at the beginning of the ith stage
     • $R_i$ is the output (PRN) of the ith stage
     • $K_1, K_2$ are 3DES keys
     • $R_i = \mathrm{EDE}_{K_1,K_2}(V_i \oplus \mathrm{EDE}_{K_1,K_2}(DT_i))$
     • $V_{i+1} = \mathrm{EDE}_{K_1,K_2}(R_i \oplus \mathrm{EDE}_{K_1,K_2}(DT_i))$

  30. Random Number Generation: Blum Blum Shub (BBS) PRNG
     • Choose large primes p and q, s.t. $p \equiv q \equiv 3 \pmod 4$
     • Let $n = p \times q$
     • Choose s relatively prime to n
     • BBS produces a sequence of bits $B_i$:
         X0 = s^2 mod n;
         for (i = 1; ; i++) {
             Xi = (Xi-1)^2 mod n;
             Bi = Xi & 1;
         }
     • BBS is referred to as a cryptographically secure pseudorandom bit generator (CSPRBG)

  31. Random Number Generation: Blum Blum Shub PRNG Example
     • N = 383 × 503 = 192649, s = 101355
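Added example (not part of the original slides): the BBS generator of slide 30 run with the slide 31 parameters, with the parameter checks from slide 30 enforced. The function names are constructed for this sketch, and primes this small are for illustration only.

```python
from math import gcd

def bbs_states(p, q, s, count):
    """Return [(i, X_i, B_i)] for i = 0..count; B_0 is None (no bit output)."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must both be congruent to 3 mod 4")
    n = p * q
    if gcd(s, n) != 1:
        raise ValueError("seed s must be relatively prime to n")
    x = pow(s, 2, n)                  # X_0 = s^2 mod n
    rows = [(0, x, None)]
    for i in range(1, count + 1):
        x = pow(x, 2, n)              # X_i = (X_{i-1})^2 mod n
        rows.append((i, x, x & 1))    # B_i = least significant bit of X_i
    return rows

def bbs_bits(p, q, s, count):
    """Return only the output bits B_1..B_count."""
    return [b for _, _, b in bbs_states(p, q, s, count)[1:]]

def bits_to_bytes(bits):
    """Pack bits most-significant-first; a trailing partial byte is dropped."""
    out = bytearray()
    for k in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for b in bits[k:k + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)

if __name__ == "__main__":
    # Slide 31 parameters: n = 383 * 503 = 192649, s = 101355
    for i, x, b in bbs_states(383, 503, 101355, 10):
        print(i, x, "" if b is None else b)
    print(bits_to_bytes(bbs_bits(383, 503, 101355, 32)).hex())
```

Only one bit is taken from each squaring, which is why BBS is slow compared with the generators on the earlier slides.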

  32. Random Number Generation: CSPRBG
     • A cryptographically secure pseudorandom bit generator (CSPRBG) is defined as one that passes the next-bit test
     • Next-bit test
       • Given k bits of output from a PRBG, there is no polynomial time algorithm that can predict the (k+1)st bit with probability greater than $\tfrac{1}{2} + \epsilon$
     • For all practical purposes, the sequence is unpredictable
     • The security of BBS is based on the difficulty of factoring n (i.e., given n, determining two prime factors p and q)

  33. Random Number Generation: HW
     • P. 5.3, P. 5.4, P. 5.5, P. 5.9, P. 5.10
     • (For P. 5.3 and P. 5.10, please look up the errata sheet)
