900 likes | 1.11k Views
Week 5 - Friday. CS363. Last time. What did we talk about last time? Secure programs. Questions?. Project 1. Assignment 2. Security Presentation. Alexander Barrow. Week 1 Review. Terminology. A vulnerability is a weakness in a security system
E N D
Week 5 - Friday CS363
Last time • What did we talk about last time? • Secure programs
Security Presentation Alexander Barrow
Terminology • A vulnerability is a weakness in a security system • A threat is a set of circumstances that can cause loss or harm • Performing an attack is exploiting a vulnerability • A control is a protection against an attack by reducing a vulnerability “A threat is blocked by control of a vulnerability.”
Method, opportunity, motive • As with traditional crime, an attacker must have these three things:
Confidentiality • You don’t want other people to be able to read your stuff • Some of your stuff, anyway • Cryptography, the art of encoding information so that it is only readable by those knowing a secret (key or password), is a principle tool used here • Confidentiality is also called secrecy or privacy
Integrity • You don’t want people to mess up your stuff • You want to know: • That your important data cannot be easily changed • That outside data you consider trustworthy cannot be easily changed either • There are many different ways that data can be messed up, and every application has different priorities
Availability • You want to be able to use your stuff • Many attacks are based on denial of service, simply stopping a system from functioning correctly • Availability can mean any of the following: • The service is present in usable form • There is enough capacity for authorized users • The service is making reasonable progress • The service completes in an acceptable period of time
Methods of defense • There are five common ways of dealing with attacks, many of which can be used together
Controls • Many different controls can be used to achieve the five methods of defense
Terminology • A system popularized by Ron Rivest uses Alice and Bob as the two parties communicating • Carl or another “C” name can be used if three people are involved • Trent is a trusted third party • Eve is used for an evil user who often eavesdrops • Mallory is used for a malicious user who is usually trying to modify messages
More terminology • Encryption takes a message and hides its meaning • Decryption is the reverse process • Encode and encipher can mean the same as encrypt • Decode and decipher can mean the same decrypt • A system for encrypting and decrypting messages is a cryptosystem • Plaintext (often represented as P) is the original message • Ciphertext (often represented as C) is the encrypted version • E() and D() are used as functions to represent the encryption and decryption processes • C = E(P) • P = D(C)
Encryption algorithms • The algorithms for encryption often rely on a secret piece of information, called a key • We can notate the use of a specific key in either of the two following ways: • C = EK(P) • C = E(K, P) • In symmetric (or private key) encryption, the encryption key and the decryption key are the same • In asymmetric (or public key) encryption, the encryption key and the decryption key are different
Symmetric vs. asymmetric Symmetric Encryption Key K Encryption Decryption CiphertextC Plaintext P Plaintext P Asymmetric Encryption Encryption Key KE Decryption Key KD Encryption Decryption CiphertextC Plaintext P Plaintext P
Cryptography and cryptanalysis • Cryptography means “secret writing” • A cryptographer is someone who specializes in using cryptography to make messages secret • A cryptanalyst is someone who is trying to break the cryptography and discover the plaintext or the key • A cryptanalyst could: • Break a single message • Find patterns in the encryption that allow future messages to be decrypted • Discover information in the messages without fully decrypting them • Discover the key • Find weaknesses in the implementation of the encryption • Find weaknesses in the encryption that may or may not be able to lead to breaks in the future
Cryptanalysis • There are two kinds of security for encryption schemes • Unconditionally secure • No matter how much time or energy an attacker has, it is impossible to determine the plaintext • Computationally secure • The cost of breaking the cipher exceeds the value of the encrypted information • The time required to break the cipher exceeds the useful lifetime of the information • We focus on computationally secure, because there is only one practical system that is unconditionally secure • "I want them to remain secret for as long as men are capable of evil" -Avi from Cryptonomicon
Attacks • Cryptography is supposed to prevent people from reading certain messages • Thus, we measure a cryptosystem based on its resistance to an adversary or attacker • Kinds of attacks: • Ciphertext only: Attacker only has access to an encrypted message, with a goal of decrypting it • Known plaintext: Attacker has access to a plaintext and its matching ciphertext, with a goal of discovering the key • Chosen plaintext: Attacker may ask to encrypt any plaintext, with a goal of discovering the key • Others, less common
Substitution ciphers • Substitution ciphers cover a wide range of possible ciphers, including the shift cipher • In a substitution cipher, each element of the plaintext is substituted for some corresponding element of the ciphertext • Monoalphabetic substitution ciphers always use the same substitutions for a letter (or given sequence of letters) • Polyalphabetic substitution ciphers use different substitutions throughout the encryption process
Example: Simple Monoalphabetic Substitution Cipher • We can map to a random permutation of letters • For example: • E(“MATH IS GREAT”) = “UIYP TQ ABZIY” • 26! possible permutations • Hard to check every one
Frequency Attack • English language defeats us • Some letters are used more frequently than others: ETAOINSHRDLU • Longer texts will behave more and more consistently • Make a histogram, break the cipher • Digram analysis can help too
Vigenère cipher • The Vigenère cipher is a form of polyalphabetic substitution cipher • In this cipher, we take a key word and repeat it, over and over, until it is as long as the message • Then, we add the repetitions of keywords to our message mod 26
Vigenère example • Key: BENCH • Plaintext: A LIMERICK PACKS LAUGHS ANATOMICAL
Cryptanalysis of Vigenère • The index of coincidence measures the differences in the frequencies in the ciphertext • It is the probability that two randomly chosen letters from the ciphertext are the same • IC =
Kasiski method • If the IC indicates that a period of more than 1 is being used, look for repeated sequences • Look at the gaps between long sequences • Try to find the GCD of gaps between long sequences • If you have a reasonable guess for the length of the key, break the ciphertext into groups based on the corresponding letter of the key • If the IC is high (in the range of a single letter), then you have probably found the key length
After the length is known… • The rest is easy • Try various shifts for each letter of the key so that high frequency letters (E, T, A) occur with high frequency and low frequency letters (Q, X, Z) occur with low frequency • Guess and check
One-Time Pad • A One-Time Pad is similar to the Vigenère cipher, except that the key is as long as the message • What will this do to the index of coincidence? • Any given ciphertext could be decrypted into any plaintext, provided that you have the right key
One-Time Pad example • Key: THISISTHESECRETPASSWORD • Plaintext: SOMEBODY SHOUTED MCINTYRE
Perfect secrecy • A One-Time Pad has the property of perfect secrecy or Shannon secrecy • Perfect secrecy means that P(M) = P(M|C) • Thus, learning the ciphertext tells you nothing about the plaintext
One-Time Pad weaknesses • You can only use it one time • Otherwise, recovering the key is trivial • Completely vulnerable to known plaintext attack • The key is as long as the message • If you have a way of sending a key that long securely, why not send the message the same way? • Generating keys with appropriate levels of randomness presents a problem
Block ciphers • A block cipher is a symmetric key cipher that works on a block of data of a given size • For compatibility with hardware, block sizes are often powers of two: 64 bits, 128 bits, 256 bits, etc. • Block ciphers are a fundamental part of many modern cryptosystems • To encrypt a message longer than a single block: • First break the message into blocks • Then, each block could be encrypted individually • Or data from the first block can be used in the encryption of the second, and so on
DES • Data Encryption Standard • DES is a typical block cipher • It was chosen as the government's standard for encryption in 1976 (but has since been deprecated) • DES works on blocks 64 bits in size • DES uses a 56 bit key • NSA helped design it… amidst some controversy
DES internals • DES has 16 rounds • The book calls them cycles • In each round, the input is broken into 2 halves, manipulated, and combined with part of the key Input Permutation f Left0 Right0 Key1 Left1 Right1 + Left0 Right0
S-boxes • DES uses bitwise operations as well as lookup tables • DES has 8 substitution boxes (S-boxes) which take 6 bits of data and give back 4
The function from the F circle • The expansion permutation takes 32 input bits and expands them into 48 bits while permuting them • 16 bits are repeated • These 48 bits are XORed with the round key • The resulting 48 bits are substituted through S-boxes which produces a 32 bit result • The final 32 bits are permuted
NSA controversy • The NSA tinkered with DES • They shortened the key length from the original 128 bits of Lucifer to 56 • They changed the S-boxes • People were concerned that the NSA had introduced a trapdoor so that they could read messages • Eventually, the NSA released information about the choice of S-boxes: • No S-box is a linear or affine function of its input • Changing 1 bit of the S-box input changes at least 2 bits of its output • If a single bit is held constant, changing the others should not radically change the total number of 1s or 0s in the output
DES strengths • DES is fast • Easy to implement in software or hardware • Encryption is the same as decryption • Triple DES is still standard for many financial applications • Resistant to differential and linear cryptanalysis (247 and 243 known pairs required, respectively)
DES weaknesses • Short key size • Brute force attack by EFF in 1998 in 56 hours then in 1999 in just over 22 hours • Brute force attack by University of Bochum and Kiel in 9 days in 2006 (but, using a machine costing only $10,000) • If you could check 1,000,000,000 keys per second (which is unlikely with a commodity PC), it would take an average of 417 days to recover a key
Double DES attack Encrypt P1 Decrypt C1 • Two pairs of plaintexts and ciphertexts are needed • Encrypt P1 with all possible keys and save them • Decrypt C1 with all possible keys • If the result matches anything in the list, use the key to encrypt P2 • If that matches C2, you win! • On the left, I show all the decryptions, but only the encryptions need to be stored
Triple DES • Although susceptible to a brute force attack, DES has no other major weaknesses • Double DES can be defeated by an extension of the brute force attack • What about triple DES? • Let EK(X) and DK(X) be encryption and decryption using DES with key K • Triple DES uses keys K1, K2, and K3 • C = EK1(DK2(EK3(M))) • Setting K1 = K2= K3 allows for compatibility with single DES systems • Triple DES is still a standard for financial transactions with no known practical attacks
AES • Advanced Encryption Standard • Block cipher designed to replace DES • Block size of 128-bits • Key sizes of 128, 192, and 256 bits • Like DES, has a number of rounds (10, 12, or 14 depending on key size) • Originally called Rijndael, after its Belgian inventors • Competed with 14 other algorithms over a 5 year period before being selected by NIST
AES internals • AES keeps an internal state of 128 bits in a 4 x 4 table of bytes • There are four operations on the state: • Substitute bytes • Shift rows • Mix columns • Add round key
AES rounds • AES supports key sizes of 128, 192, and 256 bits • Rijndael supports unlimited key size, in principle, as well as other block sizes • 128 bit keys use 10 rounds, 192 use 12, and 256 use 14 • Add round key First Round Normal Round Last Round