Network Security (contd.)

Network Security (contd.). Bijendra Jain (bnj@cse.iitd.ernet.in). Lecture 3: Public-key cryptography. Public-key cryptography is not necessarily more secure than private-key cryptography. Private-key cryptography is not obsolete—it still is exceptionally useful.


Presentation Transcript


  1. Network Security (contd.) Bijendra Jain (bnj@cse.iitd.ernet.in) Tutorial on Network Security: Sep 2003

  2. Lecture 3: Public-key cryptography

  3. Public-key cryptography
     • Public-key cryptography is not necessarily more secure than private-key cryptography
     • Private-key cryptography is not obsolete—it still is exceptionally useful
     • Distribution of keys in public-key cryptography is not trivial
       • Public-key cryptography has attempted to address this issue head-on

  4. Public-key cryptography
     • Public-key cryptography requires the use of two keys:
       • One for encryption
       • A related one for decryption
     • One key is kept private, while the other is made public
     • Can either key be used for encryption, and the other for decryption?
       • YES, for RSA

  5. Public-key cryptography: confidentiality
     • Used for confidentiality:

  6. Public-key cryptography: confidentiality
     • Used for confidentiality:

  7. Public-key cryptography: authentication
     • Used for authentication:

  8. Public-key cryptography: authentication
     • Used for authentication:

  9. Confidentiality and authentication
     • Used for:

  10. Public-key cryptography
      • Easy for B to generate keys, (private) $KR_B$ and (public) $KU_B$
      • Easy for sender A to encrypt $C = E_{KU_B}(M)$, given M and $KU_B$
      • Easy for receiver B to decrypt $M = D_{KR_B}(C)$, given C and $KR_B$
      • Given $KU_B$ it is infeasible for others to determine $KR_B$
      • Given $KU_B$ and ciphertext C it is infeasible for others to decipher M
      • (optionally) encryption and decryption can be applied in any order
      • Function E (or D) is a “one-way function with trap-door”
        • The inverse of E (or D) is infeasible, unless additional information (trap-door) is available

  11. RSA algorithm
      • Approach first suggested by Diffie and Hellman
      • Invented by Rivest, Shamir, Adleman at MIT, first published in 1978
      • Algorithms are patented
      • Block cipher, where plaintext is < n
      • Permits any key length
        • typically 128 through 1014 is common

  12. RSA algorithm
      • Consider n, and blocks of size k bits s.t. $2^k < n \le 2^{k+1}$.
      • Encryption and decryption algorithms:
          $C = M^e \bmod n$
          $M = C^d \bmod n = M^{ed} \bmod n$
        where sender knows public key KU = {e, n} and receiver knows private key KR = {d, n}
      • For this to be a public-key crypto system:
        • $M = M^{ed} \bmod n$ for some e, d, n for all M < n
        • Easy to calculate $M^e \bmod n$, and $C^d \bmod n$
        • Infeasible to determine d, given e and n

  13. RSA algorithm
      • Key generation
        • Select any prime numbers p, q
        • Compute n = p*q
        • Compute phi = (p-1)*(q-1)
        • Select e, such that 1 < e < phi, and gcd(phi, e) = 1
        • Find d such that ed = 1 mod phi
        • Public key KU = {e, n}
        • Private key KR = {d, n}
      • Encryption, decryption algorithms: for any plaintext M < n
          $C = M^e \pmod n$
          $M = C^d \pmod n$
      • Can be shown that $M = C^d \bmod n = M^{ed} \bmod n$

  14. RSA: example
      Let p = 7, q = 17
      N = p*q = 119
      Phi = (p-1)*(q-1) = 96
      Select e = 5 (note e is relatively prime to 96, and < 96)
      Find d = 77 (note d*e = 1 mod 96, and d < 96)
      KU = {5, 119}, KR = {77, 119}
      Let M = 19 (note M < 119)
      Encryption step: C = 19**5 = 2476099 mod 119 = 66
      Decryption step: M = 66**77 = 127………. mod 119 = 19

  15. RSA: computational aspects
      • Computing $C = M^e \pmod n$
      • Use the following two properties:
        1. A * B mod n = (A mod n)*(B mod n) mod n
           Or, e.g., $19^5 \bmod 119 = (19^2 \bmod 119) * (19^3 \bmod 119) \bmod 119$
        2. A**8 = (A**4)**2 = ((A**2)**2)**2
           Or, 19**9 = (19**8)*(19**1) = (((19**2)**2)**2)*(19**1)

  16. RSA: key generation
      • Selecting two primes: p, q
        • Should be very large
        • Since M < n = p*q
        • Infeasible to calculate factors p, q of n by exhaustive search
      • Finding large primes
        • Pick a large number randomly, and then test
      • Selecting e, relatively prime to phi = (p-1)*(q-1)
        • Pick an e, and test for relative primality
        • Extended Euclid’s algorithm computes gcd, and inverse, d
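
The key generation, square-and-multiply and extended-Euclid steps of slides 13 to 16, run on the toy parameters of slide 14. This is an added example, not code from the original slides; the function names are illustrative, and it is textbook RSA (tiny primes, no padding) meant only to show the arithmetic.

```python
from math import gcd

def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def mod_inverse(e, phi):
    """Return d with e*d == 1 (mod phi); fails if e is not coprime to phi."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e and phi are not relatively prime")
    return x % phi

def mod_exp(base, exp, n):
    """Square-and-multiply, reducing mod n after every product (slide 15)."""
    result, base = 1, base % n
    while exp:
        if exp & 1:                       # this bit of the exponent is set
            result = (result * base) % n
        base = (base * base) % n          # A**2, A**4, A**8, ...
        exp >>= 1
    return result

def generate_keys(p, q, e):
    """Slide 13: n = p*q, phi = (p-1)*(q-1), d = e^-1 mod phi."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not (1 < e < phi and gcd(phi, e) == 1):
        raise ValueError("need 1 < e < phi and gcd(phi, e) = 1")
    return (e, n), (mod_inverse(e, phi), n)   # KU = {e, n}, KR = {d, n}

def apply_key(key, block):
    """Raise a block to the key's exponent mod n; the block must be < n."""
    exponent, n = key
    if not 0 <= block < n:
        raise ValueError("block must be < n")
    return mod_exp(block, exponent, n)

if __name__ == "__main__":
    KU, KR = generate_keys(7, 17, 5)      # slide 14 parameters
    C = apply_key(KU, 19)                 # encrypt with the public key
    print("KU =", KU, "KR =", KR, "C =", C, "M =", apply_key(KR, C))
    S = apply_key(KR, 19)                 # private key first (authentication)
    print("S =", S, "recovered M =", apply_key(KU, S))
```

The last two lines exercise the property from slide 4: for RSA either key can be applied first, and the other one recovers M.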

  17. RSA: its strength
      • Brute force
      • Factor n to obtain p and q
        • Then calculate phi = (p-1)*(q-1), and then invert e to obtain d
      • “Factor” n to obtain phi
        • Then invert e to obtain d
      • Progress towards meeting challenges
        • Ciphers using RSA with keys of size up to 431 bits have been deciphered
        • Effort involved was only 500 MIPS-years (1 MIPS machine working for 1 year – a 200 MHz Pentium is 50 MIPS)
        • A 2048 bit RSA is expected to require $10^{14}$ MIPS-years
      • Today, and for the near future, consider RSA key size of 1024 to 2048
      • Additionally consider selecting p and q appropriately, such as p and q are of approx. same length, etc.

  18. RSA: distribution of public keys
      • Public announcements
      • Directory on the web, where data is secured
      • Public-key authority
      • Certificates

  19. RSA: distribution of public keys
      • Public announcements
        • Public key is “public”
        • User can share his/her public key with others
        • Popular with PGP
        • However, one may even send “false” keys

  20. RSA: distribution of public keys
      • Publicly accessible directory
        • By a trusted and well known “authority”
        • Individual users “register” their public key using some other means
        • Public keys are secure
          • For instance on the web, or printed directory
        • Individual users control, update their public keys, and do so in a secure manner
      • Weaknesses:
        • Break into the authority’s database
        • Alter the key during communication

  21. RSA: distribution of public keys
      • Public-key authority
        • Very similar to publicly accessible directory
        • Different: user can request/obtain public key in secure manner
      [Figure: message exchange between Initiator A, Initiator B and X, the PK authority. Numbered messages:]
        1. $REQ(KU_B, T_1)$
        2. $ENC_{KU_X}(KU_B, REQ(KU_B, T_1))$
        3. $ENC_{KU_B}(ID_A, N_1)$
        4. $REQ(KU_A, T_2)$
        5. $ENC_{KU_X}(KU_A, REQ(KU_A, T_2))$
        6. $ENC_{KU_A}(ID_B, N_1, N_2)$
        7. $ENC_{KU_B}(N_2)$

  22. RSA: distribution of public keys
      • Public-key certificates
        • Certificates need not be issued each time
        • Sender provides public key with a certificate
        • Receiver checks the certificate, thereby confirms public key
      • A certificate:
        • Anyone can read, determine the owner’s public key
        • Anyone can verify that certificate is signed by authority
        • Only certificate authority can create certificate
        • Anyone can check “currency” of certificate

  23. RSA: Certificates
      $CERT_A = ENC_{PU_X}(ID_A, KU_A, T_A, DUR_A)$
      where
      • $PU_X$ is public key of certification authority
      • $ID_A$ is user ID
      • $KU_A$ is public key of A
      • $T_A$ is time of issuance of certificate
      • $DUR_A$ is the duration for which the certificate is valid

  24. Lecture 4: Message Authentication

  25. Message authentication
      • Source of message
        • Protection against masquerading
      • Integrity of message
        • Protection against modification
      • Integrity of sequence of messages
        • Protection against deletion, addition and re-ordering
      • Integrity of timing
        • Protection against delay and replay

  26. Using private-key encryption
      • Encrypt message using private-key encryption system
      • Basically provides confidentiality
      • Authentication and integrity check are difficult, but possible
        • Particularly if it is some bit sequence
        • Use an FCS (frame check sequence), as in TCP
        • Integrity of a sequence of TCP messages can also be ensured
      • Does not provide for non-repudiation

  27. Using public-key encryption
      • Similar, except that it only provides for authentication
      • Again, the transmitted message must have some structure (FCS, for example)

  28. Message Authentication Codes
      • Integrity check is not difficult any more
      • Based on private-key encryption
      • Transmitted message is (M, MAC), with $MAC = C_K(M)$, where:
        • C is MAC algorithm
        • K is the shared key
      • Provides for message integrity, user authentication, but not non-repudiation

  29. Message Authentication Codes
      • Algorithm C differs:
        • From encryption, in that it is NOT reversible
        • From FCS, etc., in that it is not easy to design a new message with same FCS
        • From use of hash functions, in that encryption and “hashing” is simultaneous
      • Algorithm C is more difficult to crack

  30. Message authentication codes
      [Figure: block diagrams with labels Message, ||, MAC(), fcs(), E(), K, Data sent]
      • Authentication based on MAC: superior since it is efficient
      • Authentication based on appending an FCS, then encrypting
        • FCS is a bad idea, anyway

  31. Message authentication: alternatives
      [Figure: block diagrams with labels Message, ||, H(), E(), K, Data sent]

  32. Digital Signature
      [Figure: block diagram with labels Message, H(), E(), KR, ||, Data sent]

  33. Message authentication: alternatives
      [Figure: block diagram with labels Message, Secret K, ||, H(), Data sent]
      • This approach completely does away with encryption
      • Efficient
      • Strength depends completely on how good the hashing function is

  34. MAC codes
      • MAC is also known as cryptographic checksum
      • Transmitted message is (M, MAC), with $MAC = C_K(M)$, where:
        • C is MAC algorithm
        • MAC is n bits long
        • M is variable length message
        • K is k-bit shared key
      • MAC requirements:
        • Given M, $C_K(M)$ it should be computationally infeasible to obtain M’ s.t. $MAC = C_K(M) = C_K(M')$
        • $MAC = C_K(M)$ should be uniformly distributed, or for random M, M’: $\mathrm{Prob}(C_K(M) = C_K(M')) = 2^{-n}$
        • Similarly if M’ is obtained by carrying out simple transformations

  35. MAC Codes
      • 64 bit DAA (Data Authentication Algorithm) is based on DES:
          $O_1 = E_K(D_1)$
          $O_2 = E_K(O_1 \oplus D_2)$
          $O_3 = E_K(O_2 \oplus D_3)$
          …
          $O_N = E_K(O_{N-1} \oplus D_N)$

  36. Hash functions
      [Figure: block diagram with labels Message, H(), E(), KR, ||, Data sent]
      • Requirements of a hash function:
        • Can be applied to block of data of any size
        • Produces a fixed length digest
        • Easy to compute h = H(M)
        • One-way function: given h, it must be computationally infeasible to compute M such that h = H(M)
        • Weak collision: given M, it must be computationally infeasible to compute M’ such that H(M’) = H(M)
        • Strong collision: computationally infeasible to find M, M’ such that H(M’) = H(M)

  37. Hash functions
      • Simple hash function:
          $O_1 = D_1$
          $O_2 = O_1 \oplus D_2$
          $O_3 = O_2 \oplus D_3$
          …
          $O_N = O_{N-1} \oplus D_N$
      • MD4, MD5

  38. MD5
      [Figure: chain of $H_{MD5}$ blocks taking message blocks $Y_0, Y_1, \ldots, Y_L$ and chaining values $IV, CV_1, CV_2, \ldots, CV_{L-1}, CV_L$]
      • Developed in 1992, by Ron Rivest
      • 128 bit hash code
      • Processes 512 bits at a time (add padding bits if necessary)
      • 4 rounds of 16 steps each, involving gcd, and + mod $2^{32}$ operations

  39. MD4
      • Similar to MD5, developed earlier in 1990 by Ron Rivest
      • 128 bit hash code, processes 512 bits at a time
      • 3 rounds of 16 steps each, involving gcd, and + mod $2^{32}$ operations
      • Faster

  40. SHA-1 hash function
      • Developed by NIST in 1995
      • Based on MD4
      • 160 bit hash
      • Operates on blocks of length 512 bit
      • More secure against brute force attacks
      • Appears to be secure against cryptanalysis
      • MD5 and SHA-1 are equally fast, simple

  41. HMAC
      • Truly a MAC
      • Required for IPSec
      • Based on hash functions
        • Any “good” hash function can be used
        • The “IV” can be kept secret (becomes the key)
        • MD5 or SHA-1 can be used
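
How a MAC is built from a plain hash function, following the HMAC construction of RFC 2104, with the receiver-side check of the (M, MAC) pair from slide 28. This is an added example, not code from the original slides; `hmac_from_hash` and `verify_tag` are illustrative names, the key and messages are constructed sample values, and SHA-256 appears only as a second "good" hash alongside the slide's SHA-1.

```python
import hashlib
import hmac

def hmac_from_hash(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC(K, M) = H((K ^ opad) || H((K ^ ipad) || M)), per RFC 2104."""
    block_size = hashlib.new(hash_name).block_size   # 64 bytes = 512 bits for SHA-1
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()   # long keys are hashed first
    key = key.ljust(block_size, b"\x00")             # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    # The keyed first block of each hash call is what makes the hash state secret.
    inner = hashlib.new(hash_name, ipad + message).digest()
    return hashlib.new(hash_name, opad + inner).digest()

def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Receiver side: recompute the MAC and compare in constant time."""
    expected = hmac_from_hash(key, message, hash_name)
    return hmac.compare_digest(expected, tag)

if __name__ == "__main__":
    shared_key = b"constructed-demo-key"             # constructed sample key
    msg = b"transfer 100 to account 42"              # constructed sample message
    tag = hmac_from_hash(shared_key, msg)            # sender transmits (M, MAC)

    # The hand-built construction matches the standard library's HMAC.
    print("matches stdlib:", tag == hmac.new(shared_key, msg, "sha1").digest())
    print("genuine message accepted:", verify_tag(shared_key, msg, tag))
    print("modified message accepted:",
          verify_tag(shared_key, b"transfer 900 to account 42", tag))
    print("wrong key accepted:", verify_tag(b"some-other-key", msg, tag))
```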

  42. Thanks
