
CS 445 / 645 Internet Security Mon & Wed, 11:30 AM ~ 12:45 PM @ SEB 1240 Spring, 2012


jaser

Presentation Transcript


  1. School of Computer Science CS 445 / 645 Internet Security Mon & Wed, 11:30 AM ~ 12:45 PM @ SEB 1240 Spring, 2012 Monday, Jan. 30, 2012 CS 448/648 – Computer Security

  2. Assignment Q.3 - Vernam Cipher

         Plaintext       V    E    R    N    A    M
         Numeric eq.    21    4   17   13    0   12
         + Key          76   48   16   82   44    3
         = Sum          97   52   33   95   44   15
         = mod 26       19    0    7   17   18   15
         Ciphertext      t    a    h    r    s    p

  3. Assignment Q.4 – The reverse

         Ciphertext      t    a    h    r    s    p
         Numeric eq.    19    0    7   17   18   15
         - Key          76   48   16   82   44    3
         = Result      -57  -48   -9  -65  -26   12
         = mod 26       21    4   17   13    0   12
         Plaintext       V    E    R    N    A    M

     • Mod 26 must produce a remainder in 0~25 • -57 = (-3) * 26 + 21, so -57 mod 26 = 21 • -9 = (-1) * 26 + 17, so -9 mod 26 = 17

  4. Attacking WPS with Reaver-wps • http://code.google.com/p/reaver-wps/ • Thanks, Michael! • http://www.ehacking.net/2012/01/reaver-wps-wpawpa2-cracking-tutorial.html • Evolution in wireless security • WEP → WPA → WPA2 • WPA / WPA2 • PSK vs. Enterprise mode • Brute force attack by Reaver-wps • WPS (Wi-Fi Protected Setup) eases PSK mode key configuration • User enters PIN, then the actual random number key is configured • PIN = 7 digits, but the protocol flaw reduces it to 11,000 options → only 1 to 10 hours to crack the PIN (if there is no lock-out feature) • Mitigation • Do not use WPS, instead use PIN directly • Use 802.1x (enterprise mode)

  5. Review Quiz at the end of next class

  6. Data Encryption Standard (DES) • Most widely used block cipher in the world • A Feistel Cipher • Block cipher with 16 iterations • Combination of substitution and transposition • Encrypts a 64-bit block of plain text using a 56-bit key • Three phases • Permute the 64 bits in the block • Apply a given operation 16 times on the 64 bits • Permute the 64 bits using the inverse of the original permutation [Figure: 1st phase; 2nd phase: Round 1 ... Round 16, with key; 3rd phase]

  7. Is the 56-bit key secure enough? • No • In 1997, using 3,500 machines in parallel, a DES key was found in 4 months • In 1998, a DES-cracker machine ($100,000) found the key in 4 days • In 1999, less than 24 hours • Now? After 12 years…. • http://www.sciengines.com/copacobana/ or cloud • The short key was controversial from the moment it was introduced • How can we increase the key size? • Repeat DES multiple times • Double DES • Using two keys, encrypt twice, E(k2, E(k1, m)) • But wait! The security is not the same as that of a 112-bit key (meet-in-the-middle attack)

  8. Meet-in-the-middle attack • c = E(k2, E(k1, p)) • Assume the attacker knows two pairs of c and p • Attacker computes E(ki, p) for all possible keys ki and stores them in a table • Memory space = 2^56 * p = 64,000,000,000,000,000 * p (64 peta entries) • Attacker then computes D(ki, c) for each ki and compares the result with the table entries • Time complexity • 2^56 for E + 2^56 for D = 2^57, not 2^112! Then sort by ciphertext
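
The attack on slide 8 at toy scale, as an added example that is not part of the original slides. `enc`/`dec` are a 16-bit cipher with 12-bit keys constructed here (an assumption standing in for DES), and a hash table replaces the sorted table; two sweeps of 2^n operations recover the key pair, against 2^(2n) for brute force.

```python
from collections import defaultdict

MASK = 0xFFFF      # 16-bit block
KEY_BITS = 12      # toy key size n, standing in for DES's 56 bits

def _round_const(k, r):
    return (k * 0x9E37 + r) & MASK

def enc(k, b):
    """Toy 16-bit block cipher, constructed for this example (not DES)."""
    for r in range(4):
        b = (b + k + r) & MASK                 # add key
        b = ((b << 5) | (b >> 11)) & MASK      # rotate left by 5
        b ^= _round_const(k, r)                # xor key-dependent constant
    return b

def dec(k, b):
    """Inverse of enc: undo the rounds in reverse order."""
    for r in reversed(range(4)):
        b ^= _round_const(k, r)
        b = ((b >> 5) | (b << 11)) & MASK      # rotate right by 5
        b = (b - k - r) & MASK
    return b

def double_enc(k1, k2, p):
    return enc(k2, enc(k1, p))                 # c = E(k2, E(k1, p))

def meet_in_the_middle(pairs):
    """Return (candidate key pairs, cipher operations spent in the two sweeps)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    table = defaultdict(list)                  # middle value -> list of k1
    for k1 in range(1 << KEY_BITS):            # 2^n encryptions, stored
        table[enc(k1, p0)].append(k1)
    ops, found = 1 << KEY_BITS, []
    for k2 in range(1 << KEY_BITS):            # 2^n decryptions, looked up
        ops += 1
        for k1 in table.get(dec(k2, c0), ()):
            if all(double_enc(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))         # survived the second known pair
    return found, ops

# Constructed sample: two known plaintext/ciphertext pairs under a secret key pair.
K1, K2 = 0x3A7, 0xC51
PAIRS = [(p, double_enc(K1, K2, p)) for p in (0x1234, 0xBEEF)]

if __name__ == "__main__":
    print(meet_in_the_middle(PAIRS), "brute force:", 1 << (2 * KEY_BITS))
```

With n = 12 the sweeps cost 2^13 cipher operations, the same one extra bit that turns 2^56 into 2^57 on the slide.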

  9. Triple DES • TDEA, or 3DES (in 1999) • E(k3, E(k2, E(k1, m))) • EEE • Key length = 168 bits, but the effective security is 112 bits due to meet-in-the-middle attack • Best attack requires around 2^32 known plaintexts, 2^113 steps, 2^90 single DES encryptions, and 2^88 memory (1998) • E(k3, D(k2, E(k1, m))) • EDE • Why? For backward compatibility with single-key DES (k1=k2) • Drawbacks • Relatively sluggish in software • Block size of 64-bit is too small

  10. AES (Advanced Encryption Standard) • Rijndael was selected in Oct 2000 • Named after two inventors, Rijmen + Daemen, from Belgium • US picked a foreign-designed cipher as its standard! • Approved in November 2001 • AES = a block cipher • Block size = 128 bits, Key size = 128, 192, or 256 bits • Note: Original Rijndael allows key and block size in any multiple of 32 bits (128 ~ 256 bits) • Number of cycles is flexible = 10, 12, 14 • Not a Feistel network, but an S-P network • All S-boxes (8-bit) are identical • 6 times faster than DES

  11. Random number generators • Seed: a fixed value • Context specific values: User ID, application ID

  12. RC4 • Designed by Ron Rivest of RSA Security in 1987 (Rivest Cipher 4) • Stream cipher • Encrypts one byte at a time • Almost random number: Period of cipher is greater than 10^100 • You can use it as a random number generator • Very fast • 8-16 machine instructions per output byte • Popular method, used in WEP, WPA and SSL, thanks to its impressive speed and simplicity.

  13. How does it work? • Key scheduling algorithm (KSA) • A variable length key, between 40 and 256 bits, is used to initialize the 256-byte state vector (S) • Pseudo Random Generation Algorithm (PRGA) • To generate the keystream, the cipher makes use of a secret internal state which consists of two parts: • A permutation of all 256 possible bytes (S). • Two 8-bit index-pointers (denoted "i" and "j"). • A byte k is generated from S, and S is again permuted
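
The KSA and PRGA from slide 13 as runnable code, an added example rather than code from the original slides. It reproduces the widely published `Secret` / `Attack at dawn` test vector and goes one step beyond the slide: a second, constructed message under the same key shows that the keystream repeats.

```python
def ksa(key: bytes) -> list:
    """Key scheduling: build the key-dependent permutation S of 0..255."""
    if not 5 <= len(key) <= 32:                # 40 to 256 bits, as on the slide
        raise ValueError("key must be 40 to 256 bits")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S

def prga(S):
    """Pseudo-random generation: yield one keystream byte k per step."""
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]                # S is permuted again
        yield S[(S[i] + S[j]) % 256]

def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR the data with the keystream."""
    stream = prga(ksa(key))
    return bytes(b ^ next(stream) for b in data)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Published RC4 test vector: key "Secret", plaintext "Attack at dawn".
KEY, PT = b"Secret", b"Attack at dawn"
CT = rc4(KEY, PT)

# Constructed second message under the SAME key: the keystream is identical,
# so XOR of the two ciphertexts equals XOR of the two plaintexts.
PT2 = b"Retreat at ten"
CT2 = rc4(KEY, PT2)

if __name__ == "__main__":
    print(CT.hex())
    print(xor(CT, CT2) == xor(PT, PT2))
```

RFC 7465 (2015) prohibits RC4 in TLS, so this code is for studying the algorithm rather than for protecting new data.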

  14. Modes of Operation

  15. Encrypting Large Messages • Block size in DES = 64 bits (128 bits in AES) • How do you encrypt a message > 64 bits (128 bits in AES)? • Message is broken into 64-bit blocks (128 bits in AES) • Several modes of encryption • ECB (Electronic Code Book) • Simply divide the plaintext into 64-bit blocks and encrypt independently • Less secure • CBC (Cipher Block Chaining) • The ciphertext becomes input to the next block • Most commonly used

  16. 1. Electronic Code Book (ECB) • Each block is encrypted independently of the others • Easy to use in parallel, higher performance. • But identical blocks of plaintext → same ciphertext • Repetitions in message may appear in the ciphertext • Easier cryptanalysis • Uses: secure transmission of a few blocks of data

  17. 2. Cipher Block Chaining (CBC) [Figure: IV and Block1 to Block4, each passing through + and DES to give Cipher1 to Cipher4] • Message blocks are linked together • Each previous cipher block is chained with the current plaintext block • A change in the message affects all ciphertext blocks after the change (good!) • But difficult to parallelize • Uses Initialization Vector (IV) to start process • IV: a random number generated by sender and sent together with the ciphertext • Uses: bulk data encryption

  18. ECB vs. CBC [Figure panels: ECB, CBC, original] http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation
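
The two properties claimed on slides 16 and 17, measured on ciphertext blocks; this is an added example, not part of the original slides. The block cipher is a toy 16-round Feistel network with a SHA-256 round function (an assumption standing in for DES), and the key, IV and message are constructed.

```python
import hashlib

BLOCK = 8                                      # 64-bit block, as in DES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):                        # round function (assumed, SHA-256 based)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def cipher(key, block, decrypt=False):
    """Toy 16-round Feistel block cipher standing in for DES (not DES itself)."""
    L, R = block[:4], block[4:]
    for r in (range(15, -1, -1) if decrypt else range(16)):
        L, R = R, _xor(L, _f(key, r, R))
    return R + L                               # final swap: same network decrypts

def split(data):
    assert len(data) % BLOCK == 0, "example skips padding"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    return b"".join(cipher(key, b) for b in split(pt))

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in split(pt):
        prev = cipher(key, _xor(b, prev))      # chain in the previous cipher block
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in split(ct):
        out.append(_xor(cipher(key, c, decrypt=True), prev))
        prev = c
    return b"".join(out)

def repeats(ct):
    """Number of ciphertext blocks that duplicate an earlier block."""
    blocks = split(ct)
    return len(blocks) - len(set(blocks))

def changed(a, b):                             # indices of blocks that differ
    return [i for i, (x, y) in enumerate(zip(split(a), split(b))) if x != y]

# Constructed sample; the IV is fixed only for reproducibility (senders use a random IV).
KEY, IV = b"demo-key", bytes.fromhex("0011223344556677")
MSG = b"ATTACK!!" * 3 + b"RETREAT!"
```

`repeats(ecb_encrypt(KEY, MSG))` reports the two repeated blocks that CBC hides, and `changed` shows an edit to the first plaintext block altering one ECB block but every CBC block.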

  19. Discussions on Symmetric Key Algorithms

  20. Other symmetric block ciphers • IDEA (International Data Encryption Algorithm) • 1992 in Switzerland • Blowfish • By Bruce Schneier in 1993 • CAST-128 (RFC 2144) • Patent by Entrust, but royalty-free • Skipjack • Originally designed for Clipper • GOST • Russian alternative to DES

  21. Influence of Feistel Cipher • Feistel or modified Feistel: • Lucifer, DES, Triple DES, Blowfish, Twofish (one of the five finalists for AES), CAST-128, RC5, TEA, XTEA, Camellia, FEAL, KASUMI, LOKI97, MAGENTA, MISTY1 • Generalized Feistel: • CAST-256, RC2, RC6, Skipjack, MacGuffin

  22. Speed comparison RSA Enc ~ 1024 bit/8 * 1000/0.18 = 711 KB/sec RSA Dec ~ 1024 bit/8 * 1000/4.77 = 27 KB/sec http://www.cryptopp.com/benchmarks.html

  23. Chapter 3 Public-Key Cryptography and Message Authentication

  24. Message Authentication • Message authentication is concerned with • protecting the integrity of a message (or data) • validating identity of originator • non-repudiation of origin (dispute resolution) • How to achieve it • With message encryption • Encrypt the whole message with symmetric key encryption • Without message encryption • Message authentication code (MAC) • One-way hash function

  25. With Message Encryption • Symmetric key encryption seems OK, but • Vulnerable to ordering and slow • Cases where confidentiality is not needed or not preferred, e.g., • Broadcast message to multiple locations • Encryption/decryption causes heavy load • Checking integrity of computer programs (used to detect viruses)

  26. Without Message Encryption 1 • Message Authentication Code (MAC) • Small block appended to the message • Sender computes MAC and sends it along with the message • Receiver computes MAC on the message and checks whether the result coincides with the received MAC [Figure: Plaintext + MAC sent over the Internet; receiver compares MAC = digest'; NO: compromised msg]

  27. Without Message Encryption 1 • Problem • Somebody can alter the message and recreate MAC • Solution • Use a key when generating MAC • e.g., Encrypt the message with DES, and use the last 32 digits as MAC

  28. Without Message Encryption 2 • Hash function: A transformation of a message of arbitrary length into a fixed-length number • e.g., last 4 digits of the SS# • h = H (M) • Hash function creates a fingerprint (message digest) of a message • Used to detect changes to message • Examples • CRC-32 • XOR of every block of message • Good for data integrity, but useless for security

  29. One-way Hash Function • Secure hash or cryptographic hash • One-way • easy to generate a code, but computationally infeasible to find data mapping to a specific hash value • Collision Free • computationally infeasible to find two data items with the same hash value • Note • in h = f (M), M is called preimage • M can be multiple (several messages may map to the same h)

  30. One way hash function requirements

  31. One-way Hash Example • http://en.wikipedia.org/wiki/Cryptographic_hash_function Notice randomness

  32. One-way (Secure) hash functions • SHA • Developed by NIST in 1993 and SHA-1 in 1995 • 160 bit Message digest • Every bit of hash code is a function of every bit of input • SHA-2 (SHA-224, 256, 384, and 512) in 2002 • MD5 (RFC 1321) • Developed by Ron Rivest in 1991 • Generates 128-bit MD • RIPEMD-160 • Developed under European RACE Integrity Primitives Evaluation project (1996) • Generates 160-bit MD

  33. Make your own hash! • http://www.fileformat.info/tool/hash.htm • Examine SHA-1 and MD5 • How many bits are there in the results? • Compare the result with another site • http://www.pazera-software.com/online-tools/online-hash-generator.html?str=sample%20string

  34. Attack on Hash - Finding Hash Collision [Figure: collision probability vs. number of people] • Birthday attack (n = number of people) • Finding at least two people having the same birthday • P(A) = 1 – P(B), where P(B) = no collision • P(B) = • P(A) = • H = number of unique outputs (=365) • When H=365, 50.72% at 23 people • What is the number of people to have a collision with chance p? • When p = 0.5,

  35. Level of Safety • For n-bit hash, the possible outcomes are 2^n (= H). • Since it would take roughly trials to find a collision with 50% chance, (or 2^(n/2)) messages should be checked before finding two messages with the same hash value (level of safety) • It requires O(2^(n/2)) evaluations of H to find two messages m and m’ that have a collision, H(m)=H(m’). • Level of safety for SHA-1 : 2^80 (half of 160 bits) • Level of safety for MD5 : 2^64 (half of 128 bits) • n = number of bits in digest
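
The birthday figures on slides 34 and 35, checked numerically; this is an added example, not part of the original slides. The n-bit hash is SHA-256 truncated to n bits (an assumption made so that a collision is reachable in a short run) and the messages are constructed counters.

```python
import hashlib

def h(msg: bytes, bits: int) -> int:
    """SHA-256 cut down to its first `bits` bits: an n-bit hash for the demo."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)

def p_collision(n: int, H: int) -> float:
    """Chance that n uniformly random values out of H contain a repeat."""
    p_none = 1.0
    for i in range(n):
        p_none *= (H - i) / H          # the i-th value avoids the i earlier ones
    return 1.0 - p_none

def find_collision(bits: int):
    """Hash distinct messages until two share a digest.

    Returns (m1, m2, trials); the messages are constructed counters.
    """
    seen = {}
    trials = 0
    while True:
        m = b"message-%d" % trials
        trials += 1
        d = h(m, bits)
        if d in seen:
            return seen[d], m, trials
        seen[d] = m

if __name__ == "__main__":
    print("23 people, H=365: %.4f" % p_collision(23, 365))
    for bits in (16, 24, 32):
        m1, m2, trials = find_collision(bits)
        print("%2d-bit hash: collision after %d trials (2^(n/2) = %d)"
              % (bits, trials, 2 ** (bits // 2)))
```

The trial counts track 2^(n/2) rather than 2^n, which is why a 160-bit digest offers a level of safety of about 2^80.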

  36. MD5 Hash Vulnerability • In 2004, researchers presented a collision for MD5 consisting of 2 input blocks • It became possible to generate an infinite number of pairs of documents having the same hash value • Strong collision resistance is broken • Weak collision resistance still holds • In 2005, researchers demonstrated construction of two X.509 certificates with different public keys and the same MD5 hash

  37. More Hash Vulnerability • In Feb 2005, attack on SHA-1 found a collision in 2^69 instead of 2^80 • In Aug 2005, it was improved to 2^63 • MD5 requires only 2^42 now • Collisions can be found within seconds on one machine • Now considered cryptographically broken • http://www.kb.cert.org/vuls/id/836068

  38. Search for new secure hash • SHA-2 variants with more bits are OK, but subject to the same attacks • NIST Hash Competition • Search for SHA-3 • Round 1: 14 chosen in June 2009 • Round 2: 5 chosen in December 2010 • Winner will be announced in 2012 • http://en.wikipedia.org/wiki/NIST_hash_function_competition

  39. Message Authentication Code (MAC) • Why don’t we use one-way hash as MAC? • Hash-based MAC (HMAC) • Faster than block cipher algorithms • But hash functions do not take keys → need to add a key • Keyed Hash • Using a shared secret key, generate a Message Authentication Code (MAC) • HMAC (RFC 2104, in 1996) • HMAC (Key, message) • Any hash function can be used • Used for IP security, TLS, SSL
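
The problem from slide 27 and the keyed fix from slide 39, as an added example that is not part of the original slides. `hmac_sha256` spells out the RFC 2104 construction and is checked against Python's `hmac` module; the key and messages are constructed.

```python
import hashlib
import hmac

BLOCK = 64                                   # SHA-256 block size in bytes

def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC as defined in RFC 2104: H((K ^ opad) || H((K ^ ipad) || msg))."""
    if len(key) > BLOCK:
        key = hashlib.sha256(key).digest()   # over-long keys are hashed first
    key = key.ljust(BLOCK, b"\x00")          # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()

def plain_digest(msg: bytes) -> bytes:
    """Unkeyed hash used as a 'MAC': anyone holding the message can compute it."""
    return hashlib.sha256(msg).digest()

def accepts_plain(msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(plain_digest(msg), tag)

def accepts_hmac(key: bytes, msg: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time, so the check leaks no timing hint
    return hmac.compare_digest(hmac_sha256(key, msg), tag)

# Constructed sample values (hypothetical key and messages).
KEY = b"shared-secret-key"
MSG = b"pay alice 10"
ALTERED = b"pay carol 9999"

def outcomes() -> dict:
    """What the receiver decides in each case."""
    recomputed = plain_digest(ALTERED)       # no key is needed to produce this
    return {
        "matches_stdlib": hmac_sha256(KEY, MSG) == hmac.new(KEY, MSG, hashlib.sha256).digest(),
        "plain_accepts_altered": accepts_plain(ALTERED, recomputed),
        "hmac_accepts_altered": accepts_hmac(KEY, ALTERED, recomputed),
        "hmac_accepts_replayed_tag": accepts_hmac(KEY, ALTERED, hmac_sha256(KEY, MSG)),
        "hmac_accepts_genuine": accepts_hmac(KEY, MSG, hmac_sha256(KEY, MSG)),
    }

if __name__ == "__main__":
    for name, value in outcomes().items():
        print(name, value)
```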

  40. Public Key Cryptography (Asymmetric Key Algorithm)

  41. Sending a confidential message • Consider sending a protected message to an unknown party, e.g., • Sending a tax return • Private email • Shopping on a web site • Better to encrypt them • Let’s use a symmetric key algorithm [Figure: Symmetric key cryptography: Plaintext, Encrypt with secret key, Ciphertext over the Internet, Decrypt with secret key, Plaintext]

  42. Key Distribution Problem • But they need shared keys • How do two parties securely get keys initially? • A new key must be distributed whenever a key is compromised, a new entity is added, or a key expires • Send them by…. • Email • Internet is insecure • Secure channel over Internet • Need a key to set up a secure connection → Chicken and egg! • Off-line medium • Floppy disk, piece of paper, telephone, etc. • High latency, wastes human time

  43. Another Problem with Shared Secret Keys • Communication between two parties with shared secret keys • Requires keys • Adding one more user requires n new keys

  44. Public Key Algorithm • Proposed by Diffie and Hellman in 1976 • Each user has a public key (kPUB) and a private key (kPRIV) • One key is kept secret, the other is public • Now only two keys are needed per user • P = D(kPRIV, E(kPUB, P)) and • P = D(kPUB, E(kPRIV, P)) with RSA [Figure: Asymmetric key cryptography: Plaintext, Encrypt with public key, Ciphertext over the Internet, Decrypt with private key, Plaintext]

  45. Public Key Algorithms • RSA (1978) • By Rivest, Shamir, Adleman • Flexible key length (512-bits, 1024-bits common) • Diffie-Hellman (1976) • Does not transmit symmetric session keys • Instead, it combines the receiver’s private key and the sender’s public key to generate a symmetric session key • Elliptic Curve (1985) • Neal Koblitz (UW) and Victor Miller (IBM Watson) • Since then many were developed • To this date, usages are • 1st: RSA • 2nd: DH • 3rd: Elliptic curves

  46. OK, then what is the new problem? • So, you can now • secretly send and receive confidential data over the Internet, and • need only one pair of public key and private key for everyone (only 2n keys) • But using a public key/private key for data encryption takes too long • 100-10,000 times slower than symmetric key encryption • E.g., DES in software is 100 times faster than RSA, 1,000 to 10,000 times in hardware • Use the public key to exchange only the session key! • Encrypt the shared secret key using a public key • Then use a symmetric key algorithm for encrypting the actual (large) message

  47. Speed comparison RSA Enc ~ 1024 bit/8 * 1000/0.18 = 711 KB/sec RSA Dec ~ 1024 bit/8 * 1000/4.77 = 27 KB/sec http://www.cryptopp.com/benchmarks.html

  48. Next class • Public key algorithms • RSA • Don’t forget Quiz! • Up to this class • 10 questions (mostly multiple choice)
