1 / 62

Fundamentals of Security

Fundamentals of Security. Security Primitives. Mechanisms to Secure a Connection. These are the principles use to secure information: Substitution Diffusion Confusion Opportunity T hese are some good, old examples to introduce these concepts:. Substitution Principle.

shakti
Télécharger la présentation

Fundamentals of Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Fundamentals of Security Security Primitives

  2. Mechanisms to Secure a Connection • These are the principles use to secure information: • Substitution • Diffusion • Confusion • Opportunity • These are some good, old examples to introduce these concepts:

  3. Substitution Principle • The Roman cipher or Caesar cipher • Based in Text Substitution Principle • 2,000 years old example • The wheel contains the letters with the replacements

  4. Substitution and Confusion • Enigma Machine • Use to cipher German communications during WWII • This was the most famous machine, but there were other machines in use • Machine had a set of rotors and plugs that were changed frequently hence changing the ciphering code • Message would be typed in keyboard, then a complex system of rotors scrambled the message to obtain a cipher-message • To decrypt a message, the receiver must have the encrypted message, and must know which rotors were used to encrypt the message • Polish researchers discovered how the machine worked (they got one) Source: http://russells.freeshell.org/enigma/

  5. Enigma Machine • Encryption Process • Cipher machine had a plug board, a light board, a keyboard, a set of rotors, and a reflector. • The output of the machine depended of the setting of the cabling plugs and the set of rotors. • Every rotor contained a one-to-one mappings of all the letters. • The pluggable cables added extra remapping for pairs of letters before the encryption process started and after it ended. • When a key was pressed, an electrical circuit was activated. • The electrical current would travel thru the plug board, then through the several rotors, and then through the reflector. The reflector would reverse the path back to the rotors, through the plug board and finally the encrypted letter would be lit on the light display. • After a letter was coded, the rotors automatically rotate or increased in the same fashion than a gas odometer. • Reference: http://russells.freeshell.org/enigma/ Picture Source: http://www.cryptomuseum.com/crypto/enigma/

  6. Enigma Machine • The Rotors and the Plugs mappings provided the Substitution Function • The changes of the rotors provided the Confusion Function since the Rotor positions changed for every letter • The Operators had an Operation Book that delivered instructions for what setting to use for any day of operations. Orders were issued to the fleet to change the settings to a particular page of the manual. • This is an example of the concept of Opportunity. By changing the settings frequently the opportunity of being decoded is reduced. • Reference:http://www.cryptomuseum.com/crypto/enigma/#2 Picture Source: http://www.cryptomuseum.com/crypto/enigma/

  7. Enigma Machine • Notice that the word HELLO repeated 4 times (16 characters) yield a code of 16 characters which does not follow a pattern Source: http://russells.freeshell.org/enigma/ • Now, if the 16 characters were to yield, lest say 64 characters, that would be diffusion

  8. Enigma Machine • Decryption Process • Two things were needed: a) the encrypted message and b) the initial settings (rotors and plugs) of the machine that ciphered the message • To decrypt a message, the receiver would set up the machine identically to the way the sender initially had it and would type in the encrypted message. • The output of typing in the encrypted message would be the original message. • In principle, a ciphered message could be tested with every combination of rotors and plugs until a valid deciphered message could be obtained. (example of brute force attack) • However, with at least three rotors and 26 pluggable letters when will we get the right combination by doing this manually? • The point was that it was extremely difficult to decode a message without the knowledge of the original state of the machine where the message was ciphered. • The starting “Key” had to be known • Source: http://russells.freeshell.org/enigma/ Picture Source: http://www.cryptomuseum.com/crypto/enigma/

  9. Fundamental Theoretical Work • A “Communication Theory of Secrecy Systems” (1949) written by the great Claude Shannon is considered the foundational work for modern cryptography. • Shannon studied the properties of confusion and diffusion in a systematic way using information theory. • A secure cipher results from the implementation of these principles.

  10. Principles Stand the Same • The concepts of substitution, diffusion, and confusion, opportunity are still the fundamentals for Ciphering Communications • Computational power is available to create more sophisticated schemes

  11. Cryptography • Greek • κρύπτω, "concealment, secretly“ • γράφω, "to write down"

  12. Security Field Jargon • Alice and Bob; two communicating parties • Carol and Dave are third and fourth party • Mallory is a malicious party • Eve is an eavesdropper • Trent is a trusted third party

  13. Cryptography Basics • The initial unencrypted data is referred to as plaintext or clear-text • It is encrypted into ciphertext, which will be, in turn, decrypted back into usable plaintext Cipher Block Decipher Block Plain text Ciphertext Plain text

  14. Basic Cryptography Primitives • Hash Function One way mathematical function • Symmetric Ciphers Based on transposition and substitution • Asymmetric Ciphers Factorization (RSA) Discrete logarithm Elliptic curve theory

  15. Some Derivations of the Primitives • Hash Functions: uses a mathematical transformation to irreversibly produce a code • Secret Key Cryptography (SKC): uses a single key for both encryption and decryption • Public Key Cryptography (PKC): uses one key for encryption and another for decryption • Hybrid Systems: combination of asymmetric and symmetric.

  16. Message Digest Hash

  17. Hash • Message digest or checksum. • Hashes are digests(not encryption). • You can not obtain the original data from the digest. You can not get the burger back once it is digested

  18. The Concept of Hash • Hashing is the transformation of a string of characters into another, usually fixed-length, value or digest which serves as a digital fingerprint of the data. • A complex algorithm substitutes and transposes the data to create these digests. • The original data can not be inferred from the hash or digest. • The receiving end performs the same operation on the (clear text) data. • The receiving end calculates the hash digest which should match the received hash. • Otherwise, the data was changed during transit. (maybe it was tampered with)

  19. Hash • Hash result is of fixed size (for example 128 bits) regardless the size of the input data Hi 128 bits hash digest 128 bits hash digest Hello 128 bits hash digest Hoi, Hoi Hello, blah, blah, blah A million words here 128 bits hash digest

  20. Why Hashing • The main role of a cryptographic hash function is in the provision of digital signatures. • Additionally, a digest can be made public without revealing the contents of the document from which it is derived. • This is also used in digital time stamping where, using hash functions, one can get a document time stamped without revealing its contents to the time stamping service.

  21. Hash Application • For example, passwords are stored as Hashes • The clear text passwords are protected if the file containing the passwords is stolen TelecomS144 Secret Password Hash Function An Algorithm $2px34zvpr4jfc552 Result = Hash or Digest Password Store

  22. Hash Application *Source: http://www.unixwiz.net/techtips/iguide-crypto-hashes.html

  23. Well known Applications • Fast search in databases: • Hashing is used to index items in a database because it is faster to find the item using the shorter hashed key than to find it using the original value. • Hiding Passwords: • Passwords are not saved as clear-texts but rather hashes • Error checking: • Sort of a checksum function • Verification of messages: • Hashing is to validate or authenticate ciphered data in encryption algorithms Source: http://searchsqlserver.techtarget.com

  24. Sample Code MD5 Algorithm • Libraries of the hashing algorithms are publicly available.

  25. Example of Two Digests

  26. Data on which the first digest was calculated Open Shortest Path First OSPF Header OSPF Version: 2 Message Type: Hello Message (1) Packet Length: 44 Source OSPF Router: 1.1.1.1 (1.1.1.1) Area ID: 0.0.0.0 (Backbone) Packet Checksum: 0x0000 (none) Auth Type: Cryptographic Auth Key ID: 0 Auth Data Length: 16 Auth Crypto Sequence Number: 0x47ae229c Auth Data: E729BB2A9A6A3EFBE322727B285F1E88

  27. Data on which the second digest was calculated OSPF Hello Packet Network Mask: 255.255.255.252 Hello Interval: 10 seconds Options: 0x12 (L, E) 0... .... = DN: DN-bit is NOT set .0.. .... = O: O-bit is NOT set ..0. .... = DC: Demand circuits are NOT supported ...1 .... = L: The packet contains LLS data block .... 0... = NP: Nssa is NOT supported .... .0.. = MC: NOT multicast capable .... ..1. = E: ExternalRoutingCapability Router Priority: 1 Router Dead Interval: 40 seconds Designated Router: 0.0.0.0 Backup Designated Router: 0.0.0.0 OSPF LLS Data Block Checksum: 0x0000 LLS Data Length: 36 bytes Extended options TLV Type: 1 Length: 4 Options: 0x00000001 (LR) .... .... .... .... .... .... .... ..0. = RS: Restart Signal (RS-bit) is NOT set .... .... .... .... .... .... .... ...1 = LR: LSDB Resynchrinization (LR-bit) is SET Crypo Authentication TLV Type: 2 Length: 20 Sequence number 0x47ae229c Auth Data: E1C53815A5E02A91F01C0AD4D99CCDFA

  28. The previous Digests prove... • Different data length and content. • Both hash outputs have the same length. • The original data can not be derived from the digests. • The digest prove that the data is original or legit.

  29. Hash Design • Hash functions are designed to be fast. • It is extremely improbable that two pieces of different data can yield the same hash. • If that were to ever happen, it would be referred to as a hash collision.

  30. Common Hash (Message Digest) Algorithms • Secure Hash Algorithm (SHA) • Message Digest MD5

  31. Hash Algorithms • MD5 Message Digest Algorithm 128 bits, 1991 • SHA-1 algorithm 160 bits, whose output space is four billions times larger than that produced by MD5's. • There are several other SHA: SHA-256, SHA-384, etc.

  32. MD-5 • Developed by Rivest. • They are meant for digital signature applications where a large message has to be "compressed" in a secure manner before being signed with the private key. • Algorithm take a message of arbitrary length and produce a 128-bit message digest.

  33. What the hash proves • Injective Property: the equality of two hash values ideally strongly suggests, but does not guarantee, the equality of the two inputs. • If a hash value is calculated for a piece of data, and then just one bit of that data is changed, a hash function with a strong mixing property usually produces a completely different hash value.

  34. Ciphering with Symmetric Keys Symmetric Key Encrypting

  35. Main Idea • There is only one key that ciphers the communications. • This key is secret and it is shared by both sides, Alice and Bob.

  36. Example • A Secure Tunnel is established between two computers across the Internet. • The travelling data is ciphered and deciphered by an algorithm that uses a secret key known only to the two ends.

  37. Types of symmetric-key algorithms • Stream Ciphers • Stream ciphers encrypt the bits of the message one at a time • Block Ciphers • Take a number of bits (a block) and encrypt that as a single unit. • For example: Advanced Encryption Standard AES (aka Rijndael) of 128-bit blocks

  38. Characteristics • Speed • Symmetric-key algorithms are generally much less computationally intensive than asymmetric key algorithms. • In practice, asymmetric key algorithm are typically hundreds to thousands times slower than a symmetric key algorithm.

  39. Key generation • Symmetric keys can be manually introduced. Typically this is a weaker method. • Pseudorandom key generators are used to generate stronger symmetric cipher session keys.

  40. Secret Key Management • One disadvantage of symmetric-key algorithms is the requirement of a shared secret key, with one copy at each end. • To limit the impact of a potential discovery by a cryptographic adversary, they should be changed regularly and kept secure during distribution and in service. (opportunity) • The process of selecting, distributing and storing keys is known as “key management”; it is difficult to achieve reliably and securely. • To ensure secure communications between everyone in a population of n nodes a total of n(n − 1)/2 keys are needed

  41. Feistel Cipher • Many modern block ciphers are based on a construction proposed by Horst Feistel • Symmetric Block Cipher developed by IBM • DES was based on Feistel cipher. AES superseded DES • Feistel ciphers combine multiple rounds of repeated operations: • Bit-shuffling (often called permutation boxes or P-boxes) • Simple non-linear functions (substitutions) • Linear mixing (XOR operation) • Claude Shannon definition of “confusion and diffusion” • Bit shuffling creates the diffusion, while substitution creates the confusion.

  42. Secret Key Cryptography Summary • A single key is used for both encryption and decryption. • The sender uses the key (or some set of rules) to encrypt the plaintext and sends the cipher-text to the receiver. • The receiver applies the same key (or rule-set) to decrypt the message and recover the plaintext. • Because a single key is used for both functions, secret key cryptography is also called symmetric encryption. • The key must be known to both the sender and the receiver; that is the secret • The biggest difficulty with this approach is the distribution of the key

  43. Introduction to PKI Asymmetric Keys

  44. Asymmetric Keys • Asymmetric Key Ciphering is a method in which the two end nodes in the communication process have their own keys. • Each node has a Pair of Keys. • Public Key: one key can be made public. • Private Key: the other key is never revealed to anyone. • Data ciphered with one of the keys (either key) can only be deciphered with the other key in the pair.

  45. Asymmetric Key Process • Computer Alice generates a pair of keys. • Blue key represents the private key. • Golden key represents the public key. A

  46. Asymmetric Key Process • Computer Alice advertises its public key to Bob. • Now Bob knows Alice public key. A B Public of Alice Public Secret

  47. Asymmetric Key Process • Alice has data to send to Bob. • Alice will cipher or encrypt the data before sending it. • Bob needs to decipher the data once it is received. • What key is used to cipher the data in Alice side? Encrypted data xybn1zv9zc09cdf09dfg258240fdsnweofoiihjvnoirejreirejfigrelilsdnlor The clear text data is “Hello World” A B Public Secret

  48. Asymmetric Key Process • Alice ciphers with her Private Key. • If Alice were to cipher with her Public no one could decipher that. • Bob deciphers with Alice’s Public key Encrypted data xybn1zv9zc09cdf09dfg258240fdsnweofoiihjvnoirejreirejfigrelilsdnlor The clear text data is “Hello World” A B Public of Alice Secret

  49. Asymmetric Key Process • Problem: Evil guy sees the cipher data travelling. • Can Evil guy decipher the data? Encrypted data xybn1zv9zc09cdf09dfg258240fdsnweofoiihjvnoirejreirejfigrelilsdnlor The clear text data is “Hello World” A B Public of Alice Secret

More Related