15-349 Introduction to Computer and Network Security

Iliano Cervesato, 7 September 2008 – Beyond Encryption



  1. 15-349 Introduction to Computer and Network Security – Beyond Encryption
  Iliano Cervesato, 7 September 2008

  2. Where we are
  • Course intro
  • Cryptography
    • Intro to crypto
    • Modern crypto
    • Symmetric encryption
    • Asymmetric encryption
    • Beyond encryption
    • Cryptographic protocols
    • Attacking protocols
  • Program/OS security & trust
  • Networks security
  • Beyond technology

  3. Outline
  • Hash functions
    • Collision and preimage resistance
    • Message digests
    • Message authentication codes
  • Digital Signatures
    • RSA signature
    • El Gamal signature and DSA
  • Public-key infrastructure
    • Certificate chains
    • Web of trust
    • Revocation
  • Recent innovations in cryptography

  4. Attacks on RSA
  • Small d for fast decryption
    • But easy to crack if d < n^{1/4}/3 [Wiener]
    • d should be at least 10^80
  • Small e for fast encryption
    • If m is sent to more than e recipients, then m is easily extracted
    • Popular e = 2^16 + 1
    • Same message should not be sent more than 2^16 + 1 times
    • Modify message (still dangerous)
  • Timing attacks
    • Time to compute m^d mod n for many m can reveal d
  • Homomorphic properties of RSA
    • If c_i = m_i^e mod n (i = 1, 2), then c_1 c_2 = (m_1 m_2)^e mod n
    • Easy chosen plaintext attack
    • Eliminated in standards based on RSA

  5. Key length
  • Public-key crypto has very long keys
    • 1024, 2048, 4096 are common
  • Is it more secure than symmetric crypto?
    • 56, 128, 192, 256
  • Key lengths don’t compare!
    • 1024 ≈ 80 bit
    • 2048 ≈ 112 bit
    • 3072 ≈ 128 bit
    • 7680 ≈ 192 bit
    • 15,360 ≈ 256 bit
  • Performance
    • RSA is very slow
      • Exponentiations
      • Very large numbers
    • DES, AES are very fast
      • Just bit operations

  6. Cryptographic Hashing
  f : {0,1}^{n'} → {0,1}^n is a hash function if
  • f is a one-way function
  • n is short
  • n' may be unbounded
  Two families
  • Non-keyed
    • h : {0,1}* → {0,1}^n (e.g. n = 160)
    • h(m) is the message digest of m
    • Used for password protection, digital signatures, …
  • Keyed
    • h_k : {0,1}* → {0,1}^n (e.g. n = 96)
    • Used for message integrity

  7. One-way functions – review
  • Easy to compute
    • f(i) = o
    • Evaluation in P
    • Linear
  • Hard to invert
    • f^{-1}(o) = i
    • Inverse is NP-complete
  • Foundations of
    • Hashing
  [Figure: f maps input to output; computing f is easy (P), inverting it is hard (NP)]

  8. Preimage Resistance
  h : {0,1}* → {0,1}^n is PR if
  • Given random y
  • It is hard to find m s.t. h(m) = y
  Applications:
  • Protect password files
    • /etc/passwd in Unix

  9. Second Preimage Resistance
  h : {0,1}* → {0,1}^n is 2PR if
  • Given random m
  • It is hard to find m' s.t. h(m) = h(m')
  Applications:
  • Virus protection
    • E.g. Tripwire
    • file and h(file) must be kept separate
  • 2PR implies PR
  [Figure: two files file1, file2 with their digests h(file1), h(file2)]

  10. Collision Resistance
  h : {0,1}* → {0,1}^n is CR if
  • It is hard to find m and m' s.t. h(m) = h(m')
  Applications:
  • Digital signatures
    • Sig_k(h(m))
    • Assume attacker knows m and m' s.t. h(m) = h(m')
    • Ask principal to sign m
    • Has automatically a signature on h(m')
  • CR implies 2PR (implies PR)
  • Easier to construct CR than 2PR
  • From now on, we focus on CR

  11. Birthday Paradox
  There is a 0.5 probability that 2 people have the same birthday in a room of 25
  • Given r_1, …, r_n ∈ [0, 1, …, B] independent integers
  • If n ≈ 1.2 √B, then Prob[∃ i ≠ j : r_i = r_j] > ½
  • For a message digest 64 bits long
    • Collision can be found with around 2^32 tries
  • Typical digest size is 160 bits (SHA-1)
    • Collision time is 2^80 tries
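An added example (not from the lecture) that checks the birthday bound numerically and runs the generic birthday search against a constructed 32-bit digest (SHA-256 truncated), where a collision appears after tens of thousands of hashes rather than 2^32:

```python
import hashlib
import math

def birthday_tries(B: int) -> float:
    """Draws from a space of size B after which some pair collides with
    probability about 1/2 (the slide's n ≈ 1.2·√B)."""
    return 1.2 * math.sqrt(B)

def collision_probability(n: int, B: int) -> float:
    """Exact probability that n independent uniform draws from B values
    contain at least one repeat: 1 - prod_{i<n} (1 - i/B)."""
    no_repeat = 1.0
    for i in range(n):
        no_repeat *= 1 - i / B
    return 1 - no_repeat

def truncated_digest(msg: bytes, bits: int) -> int:
    """Constructed toy digest: the leading `bits` bits of SHA-256. Only the
    length matters here; a real 160-bit digest needs ~2^80 tries instead."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)

def find_collision(bits: int, prefix: bytes = b"msg-"):
    """Generic birthday search: hash distinct messages and stop at the first
    repeated digest. Expected work is about 2^(bits/2) hash evaluations,
    which is why the digest length sets the collision bound."""
    seen = {}
    tries = 0
    while True:
        m = prefix + str(tries).encode()
        tries += 1
        d = truncated_digest(m, bits)
        if d in seen:
            return seen[d], m, tries   # colliding pair and number of hashes used
        seen[d] = m
```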

  12. Constructions
  [Figure: Merkle-Damgård iteration. m is padded and split into n'-bit blocks m1 … m5; starting from IV, the compression function F takes the previous n-bit value and the next block, and the last output is h(m). Usually n = 160 bits and n' = 512 bits.]
  • Always iterated
  • Merkle-Damgård method
    • If F (compression function) is CR, then the Merkle-Damgård hash is CR
    • Enough to construct a CR compression function
      • Based on block ciphers (typically slow)
      • Customized design (faster)

  13. Actual Compression Functions
  • Based on block ciphers (e.g. DES)
    • Given block cipher E_k(m)
    • F(m, h_i) = E_{m k_{i−1}}(m)
    • If E_k(m) is an ideal cipher, finding collisions takes 2^{n/2} tries
    • Best possible, but black-box security
  • Customized compression functions
  [Table: performance on 200 MHz Pentium]

  14. Keyed Hash Functions
  h_k : {0,1}* → {0,1}^n
  • k needed to evaluate function
  • Main application:
    • Message authentication codes (MAC)
    • Guarantees message integrity
    • h_k(m) is a cryptographic checksum
    • Ensures that m has not been tampered with

  15. Example MAC
  • Network (A and B share k)
    • A sends m, h_k(m)
    • B receives m, h_k(m)
    • Adversary can’t build a MAC for m' ≠ m
    • Note: MAC used for integrity, not secrecy
    • Digital signatures work, but are too slow
  • File system
    • Store file together with h_pwd(file)
    • MAC verified when file is accessed
    • pwd needed to modify file

  16. Constructing MACs
  Two methods
  • Cryptographic MACs
    • CBC-MAC
      • Based on block ciphers
    • HMAC
      • Based on non-keyed hash functions
  • Information-theoretic MACs
    • Based on universal hashing
  [Table: performance on 200 MHz Pentium]

  17. CBC-MAC
  [Figure: m is padded and split into n-bit blocks m1, m2, m3; starting from IV, each block is combined with the previous value and encrypted with E_k; the last value is further passed through E_{k'} and E_k (optional) to give h_K(m), with K = (k, k', IV). Usually n = 64 bits.]
  • Most commonly used in banking industry
  • If E is a MAC, then CBC-E is also a MAC
  • Note: no birthday attack
    • MACs can be shorter than message digests

  18. Hash-Based MACs
  h non-keyed hash function
  • Attempt: MAC_k(m) = h(k ‖ m)
    • Extension attack with Merkle-Damgård method: MAC_k(m ‖ m') = h(MAC_k(m) ‖ m')
  • Attempt: MAC_k(m) = h(m ‖ k)
    • Birthday attack
  • Envelope method
    • MAC_{k,k'}(m) = h(k ‖ m ‖ k')
  • Preferred method: HMAC
    • HMAC_k(m) = h((k ⊕ pad1) ‖ h((k ⊕ pad2) ‖ m))
    • If the compression function in h is a MAC and h is CR, then HMAC is a MAC
    • IPSec and SSL use 96 bit HMAC
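An added example (not the lecture's code) that builds a toy Merkle-Damgård hash and checks the two facts above on it: the tag h(k ‖ m) can be continued into a tag for m ‖ m' without the key, while the nested HMAC construction cannot. The toy compression function, block size and the HMAC pad bytes are assumptions made here.

```python
import hashlib

BLOCK = 8            # n' in bytes: toy block size
DIGEST = 8           # n  in bytes: toy digest size
IV = bytes(DIGEST)   # fixed initial value

def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function F: (n-bit state, n'-bit block) -> n-bit state.
    Built from SHA-256 purely for the demonstration; it is not a real design."""
    return hashlib.sha256(state + block).digest()[:DIGEST]

def md_hash(m: bytes, state: bytes = IV) -> bytes:
    """Merkle-Damgård iteration as drawn on slide 12, without length padding:
    zero-pad m to whole blocks, then chain F block by block from `state`."""
    m += bytes(-len(m) % BLOCK)
    for i in range(0, len(m), BLOCK):
        state = compress(state, m[i:i + BLOCK])
    return state

def naive_mac(k: bytes, m: bytes) -> bytes:
    """First attempt on the slide: MAC_k(m) = h(k ‖ m)."""
    return md_hash(k + m)

def hmac_toy(k: bytes, m: bytes) -> bytes:
    """HMAC_k(m) = h((k ⊕ pad1) ‖ h((k ⊕ pad2) ‖ m)) over the toy hash.
    pad1/pad2 are the 0x5C/0x36 bytes of standard HMAC (assumed; the slide
    does not name them). Keys of at most BLOCK bytes are assumed."""
    k = k.ljust(BLOCK, b"\0")
    inner = md_hash(bytes(b ^ 0x36 for b in k) + m)
    return md_hash(bytes(b ^ 0x5C for b in k) + inner)

def extends(mac, k: bytes, m: bytes, m2: bytes) -> bool:
    """The slide's identity MAC_k(m ‖ m2) = h(MAC_k(m) ‖ m2): resume the chain
    from the tag of m over the extra blocks m2 and compare with the tag of m ‖ m2
    (assumes k ‖ m fills whole blocks). True means the tag for m ‖ m2 follows
    from the tag for m alone, so the construction is not a MAC."""
    return md_hash(m2, state=mac(k, m)) == mac(k, m + m2)
```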

  19. Digital Signatures
  • Paper signature guarantees non-repudiation for
    • Identity
    • Contract signing
  • Digital signature
    • binds a secret k to a document m
    • s = f(m, k)
    • s can be generated only knowing k
    • s can be verified by anyone knowing m
  • Should guarantee
    • Non-repudiation
    • Non-malleability
      • Signature cannot be cut and pasted to other documents
    • Non-forgeability

  20. Signature Process
  Ver_{k^{-1}}(s, m) = Ok if s = Sig_k(m), No otherwise
  Public data: A_1 k_1^v … A_i k_i^v … (table of verification keys)
  A (holding signing key k_A^s) wants to sign m and send it to B (holding k_B^s)
  • s = Sig_{k_A^s}(h(m))
    • h makes the signature short
  • Send m, s
  • Receive m, s
  • Execute Ver_{k_A^v}(s, h(m))

  21. Attacks on Digital Signatures
  • Signature break
    • Adversary can recover k^s from k^v and intercepted messages
  • Selective forgery
    • Adversary can forge signature s for message m of his choice
  • Existential forgery
    • Adversary can forge signature s for arbitrary message m

  22. Constructions
  Signature schemes based on
  • RSA
    • E.g.: PKCS#1, Fiat-Shamir, …
    • Easy to verify but hard to generate
      • Ok for certificates
    • Relatively long (1024 bit)
  • DL
    • El Gamal, DSS, …
    • Hard to verify, but easy to generate
      • Ok for smart cards
    • Short (320 bit)
  • General 1-way functions
    • Lamport, Merkle, …
    • Impractical

  23. Naïve RSA Signature
  n_i = p_i q_i, e_i d_i = 1 mod φ(n_i)
  Public data: A_1 n_1, e_1 … A_i n_i, e_i …
  A (holding p_A, q_A, d_A) wants to send signed m ∈ Z_{n_A} to B (holding p_B, q_B, d_B)
  • Signature = RSA decryption
    • Achieves confidentiality as well
  • Verification = RSA encryption
  • Send m^{d_A} mod n_A
  • Receive m^{d_A} mod n_A
  • (m^{d_A})^{e_A} mod n_A = m^{kφ(n_A)+1} mod n_A = m mod n_A

  24. Attacks on Naïve RSA Signature
  • Existential forgery
    • Ver_d(s^e, s) = Ok for any s
  • Blinding attack
    Adversary wants A’s signature on m
    • Pick r ∈ Z_{n_A}
    • Get A to sign m' = m r^e mod n_A
    • A returns s' = (m r^e)^d mod n_A
    • Deduce then s = s'/r = m^d mod n_A
    • Then (m, s) is a valid signature pair

  25. RSA Signatures – PKCS#1
  n_i = p_i q_i, e_i d_i = 1 mod φ(n_i)
  Public data: A_1 n_1, e_1 … A_i n_i, e_i …
  A (holding p_A, q_A, d_A) wants to send signed m ∈ Z_{n_A} to B (holding p_B, q_B, d_B)
  • PD = 00 01 11 11 … 11 00 (864 bit)
  • h(m) is 160 bit
  • Security is unproved
  • ISO standards use other PD’s
  • Compute s = (PD ‖ h(m))^{d_A} mod n_A
  • Send m, s
  • Receive m, s
  • Check if s^{e_A} mod n_A = PD ‖ h(m)

  26. El Gamal Signature
  Public data: A_1 p_1, g_1, g_1^{a_1} … A_i p_i, g_i, g_i^{a_i} …
  A (secret a_A) wants to send secret m ∈ Z_{p_B} to B (secret a_B)
  • Choose random r
  • Compute
    - k = g^r mod p_A
    - r^{-1} mod (p_A − 1)
    - s = r^{-1}(h(m) − k a_A) mod (p_A − 1)
  • Send m, k, s
  • Receive m, k, s
  • Check 1 ≤ k ≤ p_A − 1 and (g^{a_A})^k k^s = g^{h(m)} mod p_A
  • Why does it work?
    • Exercise
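An added example (not from the lecture) implementing the El Gamal scheme of this slide with toy parameters p = 65537, g = 3 and a SHA-256 digest reduced mod (p − 1), all assumptions made here; the comment in verify works through the "why does it work" exercise.

```python
import hashlib
import secrets
from math import gcd

# Toy public parameters (constructed for the demo; a real p is 1024 bits or more).
P = 65537   # prime p; p - 1 = 2^16, so r^-1 mod (p-1) exists exactly for odd r
G = 3       # generator of Z*_p (3 is a primitive root of this Fermat prime)

def h(m: bytes) -> int:
    """Message digest as an integer reduced mod (p - 1), the exponent group."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % (P - 1)

def keygen():
    """Secret a_A in [1, p-2] and public y_A = g^a_A mod p."""
    a = secrets.randbelow(P - 2) + 1
    return a, pow(G, a, P)

def sign(a: int, m: bytes):
    """Signature (k, s) as on the slide:
    k = g^r mod p,  s = r^-1 (h(m) - k a) mod (p-1), for a fresh random r."""
    while True:
        r = secrets.randbelow(P - 2) + 1
        if gcd(r, P - 1) == 1:   # r must be invertible mod (p-1)
            break
    k = pow(G, r, P)
    s = (pow(r, -1, P - 1) * (h(m) - k * a)) % (P - 1)
    return k, s

def verify(y: int, m: bytes, k: int, s: int) -> bool:
    """Check 1 <= k <= p-1 and y^k k^s = g^h(m) mod p.
    Why it works: from s = r^-1 (h(m) - k a) mod (p-1) we get
    h(m) = k a + r s mod (p-1), so g^h(m) = (g^a)^k (g^r)^s = y^k k^s mod p.
    The range check stops a k that is not a proper group element."""
    if not 1 <= k <= P - 1:
        return False
    return (pow(y, k, P) * pow(k, s, P)) % P == pow(G, h(m), P)
```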

  27. DSS – Digital Signature Standard
  q_i | p_i − 1, g_i^{q_i} = 1 mod p_i, y_i = g_i^{a_i} mod p_i
  Public data: A_1 p_1, q_1, g_1, y_1 … A_i p_i, q_i, g_i, y_i …
  A (secret a_A) wants to send signed m ∈ Z_{n_A} to B (secret a_B)
  • p is 1042 bits
  • q is 160 bits
  • Signature k, s is only 360 bits
  • Fast verification methods exist
  • Pick random r ∈ Z*_{q_A}
  • Compute
    - k = (g_A^r mod p_A) mod q_A
    - s = r^{-1}(h(m) + k a_A) mod q_A
  • Send m, k, s
  • Receive m, k, s
  • Check 1 ≤ k, s < p_A and k = (g_A^{s^{-1} h(m)} y_A^{s^{-1} k} mod p_A) mod q_A

  28. Hashing vs. MAC vs. Signatures
  • Hashing: private checksum
    • Produce footprint of a message
    • Must be stored separately from the message
  • MAC: cryptographic checksum
    • Footprint protected with shared key
    • Can be transmitted over a public channel
  • Digital signature: taking responsibility
    • Footprint protected with private key
    • No shared secrets with verifier

  29. A Simple Attack on RSA
  Public data: … B n_B, e_B …
  Fake data: … B n'_B, e'_B … with n'_i = p'_i q'_i, e'_i d'_i = 1 mod φ(n'_i)
  A (holding p_A, q_A, d_A) wants to send secret m to B (holding p_B, q_B, d_B); intruder I (holding p'_B, q'_B, d'_B) wants to know m
  • A looks up B's key in the faked table and sends m^{e'_B} mod n'_B
  • I intercepts m^{e'_B} mod n'_B and recovers m
  • Intruder recovers m
  • How is the public table implemented?

  30. Certification of Published Data
  A generates public/private key pair (k, k^{-1}) and wants to publish k on the public table
  • A sends k to CA
    • Certification Authority
    • Trusted
  • CA verifies that A knows k^{-1}
    • Challenge-response exchange
  • CA generates C_k and sends it to A
    • Certificate
  • A forwards C_k when using k
    • Either A volunteers C_k (push)
    • or sends it on demand (pull)
  • CA not needed on-line
  • Like choosing a phone number or license plate
  [Figure: principals A1 … A5 around the CA; A sends k, CA returns C_k]

  31. Certificates
  C_k = (A, k_A, t_exp, priv, …, sig_CA)
  • t_exp = expiration date
  • priv = privileges
  • … = possibly more information
  • Everyone knows the verification key of CA
    • Single point of failure
    • Vulnerability as number of principals grows

  32. Hierarchical Certification
  [Figure: tree of authorities with root at the top, CA1, CA2, … CA5 below it, then CA11, CA17, CA51, …, and principals A and B at the leaves]
  • Certificate chains
    • Contain certificates of all the nodes to the root
    • Exchanged certificates limited to first common ancestor
  • Root signature is trusted and recognizable
  • Redundancy can reduce vulnerability
  • Used in SET
    • Developed by Visa/Mastercard
    • Root key distributed among 4 sites

  33. “Web of Trust”
  [Figure: users U1 … U4, A and B linked by the keys they have rated]
  • No central authority
  • Users give ratings of keys they used
    • Validity (binding to other user)
    • Trust (none, partial, complete)
  • Used in PGP

  34. Certificate Revocation
  Certificates may be revoked
  • A’s key is stolen
  • Employee leaves the company
  • Wait till t_exp
    • May be too late
  • Certification Revocation List
    • Push CRL to all users
    • Overhead; can be blocked
  • Check each time with certification authority
    • Requires CA online
  • Validate certificates at fixed intervals

  35. Comparing KDC and CA
  Symmetric keys
  • KDC on-line, used at every session
  • KDC knows secret key
  • If KDC compromised, past and future messages exposed
  • Fast
  Public key
  • CA off-line except for key generation
  • CA knows only public key
  • If CA compromised, only future messages exposed
  • Slow
  [Figure: KDC sharing keys k1 … k5 with A1 … A5, beside a CA issuing certificate C_k for key k to the same principals]

  36. New Trends in Cryptography
  • Elliptic-curve cryptography
    • Groups (like Z*_n) with very hard crypto-analysis
    • Fast and small keys (190 bit ≈ 1024 bit of RSA)
    • Complex underlying mathematics
  • Quantum cryptography
    • Measuring particle properties destroys them
      • E.g. polarization
    • No eavesdropping without perturbing transmission
