School of Computer Science CS 445 / 645 Internet Security Mon & Wed, 11:30 AM ~ 12:45 PM @ SEB 1240 Spring, 2012 Monday, Jan. 30, 2012 CS 448/648 – Computer Security
Assignment Q.3 - Vernam Cipher
Plaintext       V   E   R   N   A   M
Numeric eq.    21   4  17  13   0  12
+ Key          76  48  16  82  44   3
= sum          97  52  33  95  44  15
= mod 26       19   0   7  17  18  15
Ciphertext      t   a   h   r   s   p

Assignment Q.4 – The reverse
Ciphertext      t   a   h   r   s   p
Numeric eq.    19   0   7  17  18  15
- Key          76  48  16  82  44   3
= result      -57 -48  -9 -65 -26  12
= mod 26       21   4  17  13   0  12
Plaintext       V   E   R   N   A   M
• Mod 26 must produce a remainder in 0~25
  • -57 = (-3) * 26 + 21, so -57 mod 26 = 21
  • -9 = (-1) * 26 + 17, so -9 mod 26 = 17

Attacking WPS with Reaver-wps
• http://code.google.com/p/reaver-wps/
  • Thanks, Michael!
  • http://www.ehacking.net/2012/01/reaver-wps-wpawpa2-cracking-tutorial.html
• Evolution in wireless security
  • WEP → WPA → WPA2
• WPA / WPA2
  • PSK vs. Enterprise mode
• Brute force attack by Reaver-wps
  • WPS (Wi-Fi Protected Setup) eases key configuration in PSK mode
  • User enters a PIN, then the actual random-number key is configured
  • PIN = 7 digits, but the protocol flaw reduces it to only 11,000 options → 1 to 10 hours to crack the PIN (if there is no lock-out feature)
• Mitigation
  • Do not use WPS, instead use PIN directly
  • Use 802.1x (enterprise mode)

Review Quiz at the end of next class

Data Encryption Standard (DES)
• Most widely used block cipher in the world
• A Feistel cipher
  • Block cipher with 16 iterations
  • Combination of substitution and transposition
• Encrypts a 64-bit block of plaintext using a 56-bit key
• Three phases
  • Permute the 64 bits in the block
  • Apply a given operation 16 times on the 64 bits
  • Permute the 64 bits using the inverse of the original permutation
[Figure: 1st phase; 2nd phase (Round 1 ... Round 16, keyed); 3rd phase]

Is the 56-bit key secure enough?
• No
  • In 1997, using 3,500 machines in parallel, a DES key was found in 4 months
  • In 1998, a DES-cracker machine ($100,000) found the key in 4 days
  • In 1999, less than 24 hours
  • Now? After 12 years…
    • http://www.sciengines.com/copacobana/ or cloud
• The short key was controversial from the moment it was introduced
• How can we increase the key size?
  • Repeat DES multiple times
• Double DES
  • Using two keys, encrypt twice: E(k2, E(k1, m))
  • But wait! The security is not the same as with a 112-bit key (meet-in-the-middle attack)

Meet-in-the-middle attack
• c = E(k2, E(k1, p))
• Assume the attacker knows two pairs of c and p
• Attacker computes E(ki, p) for all possible keys ki and stores them in a table
  • Memory space = 2^56 * p = 64,000,000,000,000,000 * p (64 peta entries)
• Attacker then computes D(ki, c) for each ki and compares the result with the table entries
• Time complexity
  • 2^56 for E + 2^56 for D = 2^57, not 2^112!
• Then sort by ciphertext

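The cost argument above, worked through as an added example (not part of the original slides): a toy 16-bit Feistel cipher with 12-bit keys stands in for DES so the table fits in memory. The cipher, its key schedule and the sample keys are constructed for illustration. With two known pairs the search recovers (k1, k2) in 2 * 2^12 table and lookup operations, where trying every key pair would take 2^24.

```python
from collections import defaultdict

KEY_BITS = 12          # toy key size so the search finishes instantly (DES: 56)
MASK = 0xFF

def _subkeys(key):
    # Constructed key schedule: four 8-bit round keys from one 12-bit key.
    return [((key >> (2 * r)) ^ (key * (r + 3))) & MASK for r in range(4)]

def _f(half, subkey):
    return (((half + subkey) * 0x5B) ^ (half >> 2)) & MASK

def encrypt(key, block):
    """Toy 16-bit Feistel cipher standing in for DES (not a real cipher)."""
    left, right = block >> 8, block & MASK
    for sk in _subkeys(key):
        left, right = right, left ^ _f(right, sk)
    return (left << 8) | right

def decrypt(key, block):
    left, right = block >> 8, block & MASK
    for sk in reversed(_subkeys(key)):
        left, right = right ^ _f(left, sk), left
    return (left << 8) | right

def double_encrypt(k1, k2, block):
    return encrypt(k2, encrypt(k1, block))      # c = E(k2, E(k1, p))

def meet_in_the_middle(pairs):
    """Return (candidate key pairs, table + lookup operations) for known (p, c) pairs."""
    (p1, c1), rest = pairs[0], pairs[1:]
    table = defaultdict(list)                   # E(k1, p1) -> [k1, ...]
    for k1 in range(1 << KEY_BITS):
        table[encrypt(k1, p1)].append(k1)
    ops, found = 1 << KEY_BITS, []
    for k2 in range(1 << KEY_BITS):
        ops += 1
        for k1 in table.get(decrypt(k2, c1), ()):
            # The second known pair weeds out coincidental matches.
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))
    return found, ops

if __name__ == "__main__":
    k1, k2 = 0xABC, 0x123                       # constructed secret keys
    pairs = [(p, double_encrypt(k1, k2, p)) for p in (0x1234, 0xBEEF)]
    found, ops = meet_in_the_middle(pairs)
    print(found, ops, "operations vs", 1 << (2 * KEY_BITS), "key pairs")
```
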
Triple DES
• TDEA, or 3DES (in 1999)
• E(k3, E(k2, E(k1, m)))
  • EEE
  • Key length = 168 bits, but the effective security is 112 bits due to the meet-in-the-middle attack
  • Best attack requires around 2^32 known plaintexts, 2^113 steps, 2^90 single DES encryptions, and 2^88 memory (1998)
• E(k3, D(k2, E(k1, m)))
  • EDE
  • Why? For backward compatibility with single-key DES (k1=k2)
• Drawbacks
  • Relatively sluggish in software
  • Block size of 64 bits is too small

AES (Advanced Encryption Standard)
• Rijndael was selected in Oct 2000
  • Named after its two inventors, Rijmen + Daemen, from Belgium
  • US picked a foreign-designed cipher as its standard!
  • Approved in November 2001
• AES = a block cipher
  • Block size = 128 bits, key size = 128, 192, 256
  • Note: original Rijndael allows key and block sizes in any multiple of 32 bits (128 ~ 256 bits)
  • Number of cycles is flexible = 10, 12, 14
• Not a Feistel network, but an S-P network
  • All S-boxes (8-bit) are identical
• 6 times faster than DES

Random number generators
• Seed: a fixed value
• Context specific values: User ID, application ID

RC4
• Designed by Ron Rivest of RSA Security in 1987 (Rivest Cipher 4)
• Stream cipher
  • Encrypts one byte at a time
• Almost random number: period of the cipher is greater than 10^100
  • You can use it as a random number generator
• Very fast
  • 8-16 machine instructions per output byte
• Popular method, including WEP, WPA and SSL
  • Thanks to its impressive speed and simplicity

How does it work?
• Key scheduling algorithm (KSA)
  • A variable-length key, between 40 and 256 bits, is used to initialize the 256-byte state vector (S)
• Pseudo Random Generation Algorithm (PRGA)
  • To generate the keystream, the cipher makes use of a secret internal state which consists of two parts:
    • A permutation of all 256 possible bytes (S)
    • Two 8-bit index-pointers (denoted "i" and "j")
  • A byte k is generated from S, and S is again permuted

Encrypting Large Messages
• Block size in DES = 64 bits (128 bits in AES)
• How do you encrypt a message > 64 bits (128 bits in AES)?
  • Message is broken into 64-bit blocks (128 bits in AES)
• Several modes to encrypt
  • ECB (Electronic Code Book)
    • Simply divide the plaintext into 64-bit blocks and encrypt independently
    • Less secure
  • CBC (Cipher Block Chaining)
    • The ciphertext becomes input to the next block
    • Most commonly used

1. Electronic Code Book (ECB)
• Each block is encrypted independently of the others
  • Easy to use in parallel, higher performance
• But identical blocks of plaintext → same ciphertext
  • Repetitions in the message may appear in the ciphertext
  • Easier cryptanalysis
• Uses: secure transmission of a few blocks of data

2. Cipher Block Chaining (CBC)
[Figure: IV and Block1 to Block4, each combined (+) and passed through DES to give Cipher1 to Cipher4]
• Message blocks are linked together
  • Each previous cipher block is chained with the current plaintext block
  • A change in the message affects all ciphertext blocks after the change (good!)
  • But difficult to parallelize
• Uses an Initialization Vector (IV) to start the process
  • IV: a random number generated by the sender and sent together with the ciphertext
• Uses: bulk data encryption

ECB vs. CBC
[Figure panels: original, ECB, CBC]
http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation

Other symmetric block ciphers
• IDEA (International Data Encryption Algorithm)
  • 1992 in Switzerland
• Blowfish
  • By Bruce Schneier in 1993
• CAST-128 (RFC 2144)
  • Patent by Entrust, but royalty-free
• Skipjack
  • Originally designed for Clipper
• GOST
  • Russian alternative to DES

Influence of Feistel Cipher
• Feistel or modified Feistel:
  • Lucifer, DES, Triple DES, Blowfish, Twofish (one of the five finalists for AES), CAST-128, RC5, TEA, XTEA, Camellia, FEAL, KASUMI, LOKI97, MAGENTA, MISTY1
• Generalized Feistel:
  • CAST-256, RC2, RC6, Skipjack, MacGuffin

Speed comparison
RSA Enc ~ 1024 bit/8 * 1000/0.18 = 711 KB/sec
RSA Dec ~ 1024 bit/8 * 1000/4.77 = 27 KB/sec
http://www.cryptopp.com/benchmarks.html

Chapter 3 Public-Key Cryptography and Message Authentication
Message Authentication
• Message authentication is concerned with
  • protecting the integrity of a message (or data)
  • validating identity of originator
  • non-repudiation of origin (dispute resolution)
• How to achieve it
  • With message encryption
    • Encrypt the whole message with symmetric key encryption
  • Without message encryption
    • Message authentication code (MAC)
    • One-way hash function

With Message Encryption
• Symmetric key encryption seems OK, but
  • Vulnerable to ordering and slow
• Cases where confidentiality is not needed or not preferred, e.g.,
  • Broadcast message to multiple locations
  • Encryption/decryption causes heavy load
  • Checking integrity of computer programs (used to detect viruses)

Without Message Encryption 1
• Message Authentication Code (MAC)
  • Small block appended to the message
  • Sender computes the MAC and sends it along with the message
  • Receiver computes the MAC on the message and sees whether the result coincides with the received MAC
[Figure: Plaintext + MAC sent over the Internet; the receiver recomputes the MAC and compares (= digest'); NO → compromised msg]

Without Message Encryption 1
• Problem
  • Somebody can alter the message and recreate the MAC
• Solution
  • Use a key when generating the MAC
  • e.g., encrypt the message with DES, and use the last 32 digits as MAC

Without Message Encryption 2
• Hash function: a transformation of a message of arbitrary length into a fixed-length number
  • e.g., last 4 digits of the SS#
  • h = H(M)
• Hash function creates a fingerprint (message digest) of a message
  • Used to detect changes to the message
• Examples
  • CRC-32
  • XOR of every block of the message
  • Good for data integrity, but useless for security

One-way Hash Function
• Secure hash or cryptographic hash
• One-way
  • Easy to generate a code, but computationally infeasible to find data mapping to a specific hash value
• Collision free
  • Computationally infeasible to find two data items that map to the same hash value
• Note
  • In h = f(M), M is called the preimage
  • M can be multiple

One way hash function requirements

One-way Hash Example
• http://en.wikipedia.org/wiki/Cryptographic_hash_function
• Notice randomness

One-way (Secure) hash functions
• SHA
  • Developed by NIST in 1993 and SHA-1 in 1995
  • 160-bit message digest
  • Every bit of the hash code is a function of every bit of input
  • SHA-2 (SHA-224, 256, 384, and 612) in 2002
• MD5 (RFC 1321)
  • Developed by Ron Rivest in 1991
  • Generates 128-bit MD
• RIPEMD-160
  • Developed under the European RACE Integrity Primitives Evaluation project (1996)
  • Generates 160-bit MD

Make your own hash!
• http://www.fileformat.info/tool/hash.htm
  • Examine SHA-1 and MD5
  • How many bits are there in the results?
• Compare the result with another site
  • http://www.pazera-software.com/online-tools/online-hash-generator.html?str=sample%20string

Attack on Hash - Finding Hash Collision
[Figure: collision probability vs. number of people]
• Birthday attack (n = number of people)
  • Finding at least two people having the same birthday
• P(A) = 1 – P(B), where P(B) = no collision
  • P(B) =
  • P(A) =
  • H = number of unique outputs (=365)
  • When H=365, 50.72% at 23 people
• What is the number of people to have a collision with chance p?
  • When p = 0.5,

Level of Safety
• For an n-bit hash, the possible outcomes are 2^n (= H).
• Since it would take roughly trials to find a collision with 50% chance, (or 2^(n/2)) messages should be checked before finding two messages with the same hash value (level of safety)
• It requires O(2^(n/2)) evaluations of H to find two messages m and m' that have a collision, H(m)=H(m').
• Level of safety for SHA-1: 2^80 (half of 160 bits)
• Level of safety for MD5: 2^64 (half of 128 bits)
• N = number of bits in digest

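The birthday figures and the 2^(n/2) level of safety, computed, as an added example (not part of the original slides). It uses the standard birthday-problem product for the exact probability and the usual square-root approximation for large H; SHA-256 truncated to a few bits serves as the n-bit hash so a collision can be found in moments. Function names and the "msg-N" inputs are constructed for illustration.

```python
import hashlib
import math

def collision_probability(n: int, H: int) -> float:
    """P(at least one collision) among n uniform draws from H possible values."""
    p_none = 1.0
    for i in range(n):
        p_none *= (H - i) / H
    return 1.0 - p_none

def draws_for_probability(p: float, H: int) -> int:
    """Smallest number of draws whose collision probability reaches p (exact)."""
    n, p_none = 0, 1.0
    while 1.0 - p_none < p:
        p_none *= (H - n) / H
        n += 1
    return n

def approx_draws(p: float, H: int) -> float:
    """Approximation sqrt(2 * H * ln(1 / (1 - p))), usable for H = 2^n."""
    return math.sqrt(2 * H * math.log(1 / (1 - p)))

def truncated_hash(msg: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256, standing in for an n-bit hash."""
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)

def find_collision(bits: int):
    """Hash msg-0, msg-1, ... until two messages share a truncated digest."""
    seen = {}
    trials = 0
    while True:
        msg = b"msg-%d" % trials
        h = truncated_hash(msg, bits)
        trials += 1
        if h in seen:
            return seen[h], msg, trials
        seen[h] = msg

if __name__ == "__main__":
    print(collision_probability(23, 365), draws_for_probability(0.5, 365))
    print(math.log2(approx_draws(0.5, 2 ** 128)), "bits of work for a 128-bit hash")
    print(find_collision(24))
```
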
MD5 Hash Vulnerability
• In 2004, researchers presented a collision for MD5 consisting of 2 input blocks
  • It became possible to generate an infinite number of document pairs having the same hash value
  • Strong collision resistance is broken
  • Weak collision resistance still holds
• In 2005, researchers demonstrated construction of two X.509 certificates with different public keys and the same MD5 hash

More Hash Vulnerability
• In Feb 2005, an attack on SHA-1 found a collision in 2^69 instead of 2^80
  • In Aug 2005, it was improved to 2^63
• MD5 requires only 2^42 now
  • Collisions can be found within seconds on one machine
  • Now considered cryptographically broken
  • http://www.kb.cert.org/vuls/id/836068

Search for new secure hash
• SHA-2 with larger bits are OK, but subject to the same attacks
• NIST Hash Competition
  • Search for SHA-3
  • Round 1: 14 chosen in June 2009
  • Round 2: 5 chosen in December 2010
  • Winner will be announced in 2012
  • http://en.wikipedia.org/wiki/NIST_hash_function_competition

Message Authentication Code (MAC)
• Why don't we use a one-way hash as MAC?
  • Hash-based MAC (HMAC)
  • Faster than block cipher algorithms
  • But hash functions do not take keys → need to add a key
• Keyed hash
  • Using a shared secret key, generate a Message Authentication Code (MAC)
• HMAC (RFC 2104, in 1996)
  • HMAC (Key, message)
  • Any hash function can be used
  • Used for IP security, TLS, SSL

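How the key gets added, and what it buys, as an added example (not part of the original slides). hmac_sha256 follows the RFC 2104 construction on top of plain SHA-256; the receiver and alter_in_transit helpers, the key and the message are constructed for illustration. The altered message passes a plain-hash check because anyone can recompute the digest, and fails the HMAC check because the tag cannot be recomputed without the shared key.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 input block size in bytes

def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC per RFC 2104: H((K xor opad) || H((K xor ipad) || message))."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + message).digest()
    return hashlib.sha256(opad + inner).digest()

def receiver_accepts_plain_hash(message: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hashlib.sha256(message).digest(), digest)

def receiver_accepts_hmac(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_sha256(key, message), tag)

def alter_in_transit(message: bytes):
    """The slide's 'compromised msg': change the text, recompute the unkeyed digest."""
    forged = message.replace(b"pay 100", b"pay 900")
    return forged, hashlib.sha256(forged).digest()

def demo() -> dict:
    key = b"constructed shared secret"        # sample value
    message = b"pay 100 to account 42"        # sample value
    tag = hmac_sha256(key, message)
    forged, forged_digest = alter_in_transit(message)
    return {
        "plain_hash_accepts_forgery": receiver_accepts_plain_hash(forged, forged_digest),
        "hmac_accepts_original": receiver_accepts_hmac(key, message, tag),
        # Without the key, the altered message can only carry a digest or an old tag.
        "hmac_accepts_forgery": receiver_accepts_hmac(key, forged, forged_digest),
        "hmac_accepts_reused_tag": receiver_accepts_hmac(key, forged, tag),
    }
```
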
Public Key Cryptography (Asymmetric Key Algorithm)
Sending a confidential message
• Consider sending a protected message to an unknown party, e.g.,
  • Sending a tax return
  • Private email
  • Shopping on a web site
• Better to encrypt them
  • Let's use a symmetric key algorithm
[Figure: Symmetric key cryptography: Plaintext → encrypt with secret key → Ciphertext over the Internet → decrypt with secret key → Plaintext]

Key Distribution Problem
• But they need shared keys
  • How do two parties securely get keys initially?
  • A new key must be distributed whenever a key is compromised, a new entity is added, or a key expires
• Send them by…
  • Email
    • Internet is insecure
  • Secure channel over the Internet
    • Need a key to set up a secure connection → Chicken and egg!
  • Off-line medium
    • Floppy disk, piece of paper, telephone, etc.
    • High latency, wastes human time

Another Problem with Shared Secret Keys
• Communication between two parties with shared secret keys
  • Requires keys
  • Adding one more user requires n new keys

Public Key Algorithm
• Proposed by Diffie and Hellman in 1976
• Each user has a public key (kPUB) and a private key (kPRIV)
  • One key is kept secret, the other is public
  • Now only two keys are needed per user
• P = D(kPRIV, E(kPUB, P)) and
• P = D(kPUB, E(kPRIV, P)) with RSA
[Figure: Asymmetric key cryptography: Plaintext → encrypt with public key → Ciphertext over the Internet → decrypt with private key → Plaintext]

Public Key Algorithms
• RSA (1978)
  • By Rivest, Shamir, Adleman
  • Flexible key length (512-bits, 1024-bits common)
• Diffie-Hellman (1976)
  • Does not transmit symmetric session keys
  • Instead, it combines the receiver's private key and the sender's public key to generate a symmetric session key
• Elliptic Curve (1985)
  • Neal Koblitz (UW) and Victor Miller (IBM Watson)
• Since then many were developed
• To this date, usages are
  • 1st: RSA
  • 2nd: DH
  • 3rd: Elliptic curves

OK, then what is the new problem?
• So, you can now
  • secretly send and receive confidential data over the Internet, and
  • need only one pair of public key and private key for everyone (only 2n keys)
• But using a public key/private key for data encryption takes too long
  • 100-10,000 times as long as symmetric key encryption
  • E.g., DES in software is 100 times faster than RSA, 1,000 to 10,000 times in hardware
• Use the public key to exchange only the session key!
  • Encrypt the shared secret key using a public key
  • Then use a symmetric key algorithm for encrypting the actual (large) message

Speed comparison
RSA Enc ~ 1024 bit/8 * 1000/0.18 = 711 KB/sec
RSA Dec ~ 1024 bit/8 * 1000/4.77 = 27 KB/sec
http://www.cryptopp.com/benchmarks.html

Next class
• Public key algorithms
  • RSA
• Don't forget Quiz!
  • Up to this class
  • 10 questions (mostly multiple choice)