## EEC-484/584 Computer Networks


**EEC-484/584 Computer Networks**
Lecture 16
Wenbing Zhao
wenbing@ieee.org

**Outline**
- Reminder
  - Quiz #5: 4/30, 4-6pm
  - Final revised wiki page due 5/5 midnight
  - Presentation: requests for waiver will be handled FCFS
  - A waiver request must have a revision summary and a URL to your revised wiki page
- Cipher modes
- Public key algorithms
- Digital signatures
- Message digests and secure hash functions
- Public key infrastructure

**Stream Cipher Mode**
- To be insensitive to transmission errors, an arbitrarily large sequence of output blocks, called the keystream, is treated like a one-time pad and XORed with the plaintext to get the ciphertext
- It works by encrypting an IV, using a key, to get an output block
- The output block is then encrypted, using the key, to get a second output block
- This block is then encrypted to get a third block, and so on

**Stream Cipher Mode**
- The keystream is independent of the data
- It can be computed in advance
- It is completely insensitive to transmission errors
- (Figure: encryption and decryption in stream cipher mode)

**Stream Cipher Mode**
- It is essential never to use the same (key, IV) pair twice with a stream cipher, because doing so will generate the same keystream each time
- Using the same keystream twice exposes the ciphertext to a keystream reuse attack
- Stream cipher mode is also called output feedback mode

**Keystream Reuse Attack**
- Plaintext block P0 is encrypted with the keystream to get P0 XOR K0
- Later, a second plaintext block Q0 is encrypted with the same keystream to get Q0 XOR K0
- An intruder who captures both ciphertext blocks can simply XOR them together to get P0 XOR Q0, which eliminates the key
- The intruder now has the XOR of the two plaintext blocks
- If one of them is known or can be guessed, the other can also be found
- In any event, the XOR of two plaintext streams can be attacked by using statistical properties of the message

**Counter Mode**
- Allows random access to encrypted data
- The IV plus a constant is encrypted, and the resulting ciphertext is XORed with the plaintext
- By stepping the IV by 1 for each new block, it is easy to decrypt a block anywhere in the file without first having to decrypt all of its predecessors

**Public-Key Algorithms**
- Distributing keys is the weakest link in most cryptosystems
- No matter how strong a cryptosystem was, if an intruder could steal the key, the system was worthless
- Cryptologists always took for granted that the encryption key and the decryption key were the same
- Diffie and Hellman (1976) proposed a radically new kind of cryptosystem, in which the encryption and decryption keys are different:
  - D(E(P)) = P
  - It is exceedingly difficult to deduce D from E
  - E cannot be broken by a chosen plaintext attack

**Public-Key Algorithms**
- Public-key cryptography: the encryption algorithm and the encryption key can be made public
- How to establish a secure channel when Alice and Bob have never had previous contact:
  - Alice sends Bob EB(P) (message P encrypted using Bob's public encryption key EB)
  - Bob receives the encrypted message and retrieves the plaintext using his private key: P = DB(EB(P))
  - Bob then sends a reply EA(R) to Alice

**RSA**
- Rivest, Shamir, Adleman, 1978: a good method for public-key cryptography
- RSA method:
  - Choose two large primes, p and q (typically 1024 bits)
  - Compute n = pq and z = (p-1)(q-1)
  - Choose a number relatively prime to z and call it d
  - Find e such that ed = 1 (mod z)
  - To encrypt a message P, compute C = P^e (mod n)
  - To decrypt C, compute P = C^d (mod n)
- The public key consists of the pair (e, n)
- The private key consists of the pair (d, n)

**RSA**
- An example of the RSA algorithm:
  - p = 3, q = 11 => n = 33 and z = 20
  - A suitable value for d is 7
  - e can be found by solving the equation 7e = 1 (mod 20) => e = 3
  - C = P^3 (mod 33), P = C^7 (mod 33)

**Digital Signatures**
- Requirement on digital signatures: one party can send a signed message to another party in such a way that the following conditions hold:
  - The receiver can verify the claimed identity of the sender
  - The sender cannot later repudiate the contents of the message
  - The receiver cannot possibly have concocted the message himself

**Symmetric-Key Signatures**
- Big Brother (BB): a central authority that knows everything and whom everyone trusts
- Each user chooses a secret key and shares it with BB
- (Figure: digital signatures with Big Brother)

**Public-Key Signatures**
- Digital signatures using public-key cryptography
- Requires E(D(P)) = P (in addition to D(E(P)) = P)

**Message Digests**
- Message digest (MD): using a one-way hash function that takes an arbitrarily long piece of plaintext and from it computes a fixed-length bit string
  - Given P, it is easy to compute MD(P)
  - Given MD(P), it is effectively impossible to find P
  - Given P, no one can find P' such that MD(P') = MD(P)
  - A change to the input of even 1 bit produces a very different output

**Hash Functions: MD5 and SHA-1**
- Hash function: mangling bits in a sufficiently complicated way that every output bit is affected by every input bit
- MD5 is the fifth in a series of message digests designed by Ronald Rivest (1992)
- MD5 generates a 128-bit fixed value
- SHA-1: Secure Hash Algorithm 1, developed by the National Security Agency (NSA) and blessed by NIST
- SHA-1 generates a 160-bit message digest

**Digital Signatures Using Message Digests**
- (Figure)

**Message Authentication Code**
- MACs are used between two parties that share a secret key in order to validate information transmitted between these parties
- The MAC mechanism that is based on cryptographic hash functions is called HMAC. Basic idea:
  - Append the key to the plaintext and generate a digest using a hash function
  - Ship the plaintext together with the digest

**Management of Public Keys**
- Problem statement
- Certificates
- X.509
- Public key infrastructure

**Problems with Public-Key Management**
- If Alice and Bob do not know each other, how do they get each other's public keys to start the communication process?
- It is essential that Alice gets Bob's public key, not someone else's
- (Figure: a way for Trudy to subvert public-key encryption)

**Certificates**
- Certification Authority (CA): an organization that certifies public keys
- It certifies the public keys belonging to people, companies, or even attributes
- A CA does not need to be on-line all the time (in ideal scenarios)
- (Figure: a possible certificate and its signed hash)

**X.509**
- Devised and approved by the ITU
- (Figure: the basic fields of an X.509 certificate)

**Public-Key Infrastructures**
- A Public-Key Infrastructure (PKI) is needed for reasons of availability, scalability, and ease of management
- A PKI has multiple components: users, CAs, certificates, directories
- A PKI provides a way of structuring these components and defines standards for the various documents and protocols
- A simple form of PKI is hierarchical CAs

**Public-Key Infrastructures**
- Hierarchical PKI
- A chain of trust / certification path: a chain of certificates going back to the root

**Public-Key Infrastructures**
- Revocation: sometimes certificates can be revoked, for a number of reasons
- Reinstatement: a revoked certificate could conceivably be reinstated
- Each CA periodically issues a CRL (Certificate Revocation List) giving the serial numbers of all certificates that it has revoked
- A user who is about to use a certificate must now acquire the CRL to see if the certificate has been revoked
- Having to deal with revocation (and possibly reinstatement) eliminates one of the best properties of certificates, namely that they can be used without having to contact a CA
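A worked example of the stream cipher (output feedback), keystream reuse and counter mode slides above, added here and not part of the lecture's material. The block cipher is a constructed stand-in (keyed SHA-256 truncated to 16 bytes) so the example runs offline; `ofb_crypt`, `ctr_crypt`, `ctr_decrypt_block` and `keystream_reuse` are names chosen for this example. It shows that the OFB keystream depends only on (key, IV), that two ciphertexts under the same pair XOR to the XOR of the plaintexts, and that counter mode decrypts any block without its predecessors.

```python
import hashlib

BLOCK = 16  # block size in bytes of the stand-in cipher

def block_encrypt(key, block):
    """Stand-in for a real block cipher such as AES (constructed for this
    example only): keyed SHA-256 truncated to one block."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ofb_keystream(key, iv, nblocks):
    """Output feedback mode: encrypt the IV, then keep encrypting the previous
    output block. The keystream depends only on (key, IV), never on the data,
    so it can be computed in advance."""
    out, block = [], iv
    for _ in range(nblocks):
        block = block_encrypt(key, block)
        out.append(block)
    return b"".join(out)

def ofb_crypt(key, iv, data):
    """Encryption and decryption are the same XOR with the keystream."""
    return xor(data, ofb_keystream(key, iv, -(-len(data) // BLOCK)))

def ctr_keystream_block(key, iv, i):
    """Counter mode: keystream block i is E_k(IV + i), so it can be produced
    directly without computing blocks 0 .. i-1."""
    ctr = (int.from_bytes(iv, "big") + i) % (1 << (8 * BLOCK))
    return block_encrypt(key, ctr.to_bytes(BLOCK, "big"))

def ctr_crypt(key, iv, data):
    nblocks = -(-len(data) // BLOCK)
    ks = b"".join(ctr_keystream_block(key, iv, i) for i in range(nblocks))
    return xor(data, ks)

def ctr_decrypt_block(key, iv, ciphertext, i):
    """Random access: decrypt only block i of a counter-mode ciphertext."""
    return xor(ciphertext[i * BLOCK:(i + 1) * BLOCK],
               ctr_keystream_block(key, iv, i))

def keystream_reuse(c1, c2):
    """What an eavesdropper obtains from two ciphertexts made with the same
    (key, IV): C1 XOR C2 = P1 XOR P2, the keystream having cancelled out.
    If either plaintext is known, the other follows from one more XOR."""
    return xor(c1, c2)
```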
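A worked example of the RSA, public-key signature and PKI slides above, added here and not the lecture's own code: textbook RSA key generation with the slide's p = 3, q = 11, d = 7, a signature over a message digest that relies on E(D(P)) = P, and a toy certification path walked from the leaf back to the root with a CRL check. The certificate layout, `validate_chain`, the digest-mod-n reduction (no padding) and the CA primes 61/53 and 47/59 are all choices made for this example.

```python
import hashlib
from math import gcd

def rsa_keygen(p, q, d):
    """Textbook RSA as on the slides: n = pq, z = (p-1)(q-1), d coprime to z,
    e solving ed = 1 (mod z). Returns (public (e, n), private (d, n))."""
    n, z = p * q, (p - 1) * (q - 1)
    if gcd(d, z) != 1:
        raise ValueError("d must be relatively prime to z")
    return (pow(d, -1, z), n), (d, n)

def rsa_apply(key, m):
    """C = P^e (mod n) with the public key, P = C^d (mod n) with the private."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("value must lie in [0, n)")
    return pow(m, exp, n)

def digest(data, n):
    """Toy message digest: SHA-256 reduced mod n so the small key can sign it
    (a real scheme pads the full digest instead of reducing it)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):          # S = D(MD(P))
    return rsa_apply(priv, digest(data, priv[1]))

def verify(pub, data, sig):    # E(S) == MD(P), relies on E(D(x)) = x
    return rsa_apply(pub, sig) == digest(data, pub[1])

def make_cert(subject, pub, serial, issuer_priv):
    """Toy certificate: (subject, public key, serial) plus the issuer's
    signature over those fields; X.509 carries the same fields in a
    standard encoding."""
    body = f"{subject}|{pub[0]}|{pub[1]}|{serial}".encode()
    return {"subject": subject, "pub": pub, "serial": serial,
            "body": body, "sig": sign(issuer_priv, body)}

def validate_chain(chain, root_pub, crl):
    """Walk the certification path leaf -> ... -> root: each certificate must
    be signed by the next one's key (the last by root_pub) and its serial must
    not appear in the CRL."""
    for i, cert in enumerate(chain):
        if cert["serial"] in crl:
            return False
        issuer_pub = chain[i + 1]["pub"] if i + 1 < len(chain) else root_pub
        if not verify(issuer_pub, cert["body"], cert["sig"]):
            return False
    return True
```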