780 likes | 930 Views
Network Security Frank Yeong-Sung Lin Department of Information Management National Taiwan University. Network Security. Network security can be roughly divided into 4 areas:. Secrecy: keep information unrevealed Authentication: determine the identity of whom you are talking to
E N D
Network SecurityFrank Yeong-Sung LinDepartment of Information ManagementNational Taiwan University
Network Security Network security can be roughly divided into 4 areas: • Secrecy: keep information unrevealed • Authentication: determine the identity of whom you are talking to • Nonrepudiation: make sure that someone cannot deny the things he/she had done • Integrity control: make sure the message you received has not been modified
Network Security (cont’d) Network security functionality can be distributed across several protocol layers: • Physical layer: protect transmission link from wire tapping • Data link layer: link encryption • Network layer: firewall, packet filter • Application layer: authentication, nonrepudiation, integrity control, (and secrecy)
Traditional Cryptography Passive intruder (listens only) Active intruder (alters message) • The model depends on a stable public algorithm and a key • The work factor for breaking the system by exhaustive search of the key space is exponential in the key length • Two categories: Substitution ciphers vs. transposition ciphers DK( EK( P)) = P Plaintext P EK( P) Encryption Decryption key K key K
Traditional Cryptography (cont’d) • Simplified model of traditional cryptography
Traditional Cryptography (cont’d) • Model of traditional cryptography
Substitution Cipher • Caesar cipher • Every letter is shifted by k positions, e.g., k = 3 and “a” becomes “D”, b becomes “E”, … • For example, “attack” becomes “DWDDFN” • Monoalphabetic substitution Plaintext: abcdefghijklmnopqrstuvwxyz ciphertext: QWERTYUIOPASDFGHJKLZXCVBNM • The key space is 26! » 4x1026 • Still the cipher may be broken easily by taking advantage of the frequency statistics of English text (e.g., e, a, th, er, and, the appear very often)
Substitution Cipher (cont’d) • Relative frequency of letters in English text
Transposition Ciphers M E G A B U C K 7 4 5 1 2 8 3 6 p l e a s e t r a n s f e r o n e m i l l i o n d o l l a r s t o m y s w i s s b a n k a c c o u n t s i x t w o t w o a b c d • Plaintext is written horizontally, while the ciphertext is read out by column, starting with the lowest key column • To break the transposition cipher • guess a probable word or phrase (e.g., milliondollars) • try to determine the key length, then order the columns Plaintext pleasetransferonemilliondollarsto myswissbankaccountsixtwotwo Ciphertext AFLLSKSOSELAWAIATOOSSCTCLNMOMANT ESILYNTWRNNTSOWDPAEDOBUOERIRICXB
Two Fundamental Cryptographic Principles • First principle • All encrypted messages must contain redundancy to prevent active intruders from tricking the receiver into acting on a false message • However, the same redundancy makes it easier for passive intruders to break the system • Second principle • Some measures must be taken to prevent active intruders from playing old messages, e.g., use time stamp to • filter out duplicate messages within a certain time • incoming messages that are too old are discarded
Encoder: 8 to 3 Decoder: 3 to 8 S1 S5 S2 S6 P1 P2 P3 S3 S7 S4 S8 Secret-Key Algorithms • Consists of sequence of transpositions and substitutions S-box (Substitution) Product cipher P-box (Permutation)
Data Encryption Standard (DES) • Plaintext is encrypted in blocks of 64 bits • DES is basically a monoalphabetic substitution cipher using a 64-bit character 64 bit plaintext Li-1 Ri-1 Initial transposition K1 Iteration 1 56-bit key K16 Li-1 Å f(Ri-1, Ki) Iteration 16 32 bit swap Inverse transposition 32 bits Li 32 bits Ri 64 bit ciphertext
DES Chaining • DES may be vulnerable to active intruders Name Bonus Leslie $0000010 Intruder may copy the block to one row above Kimberly $0100000 8 bytes 8 bytes • DES chaining P0 P1 P2 P3 C0 C1 C2 C3 IV # # # # D D D D Exclusive OR Key # # # # E E E E C0 C1 C2 C3 P0 P1 P2 P3
Breaking DES • Exhaustive search of key space = 256» 7x1016 • can use multiple computers to do search in parallel • Running DES twice consecutively with two different 56-bit keys creates a key space of 2112» 5x1033 • but it still can be broken by the “meet-in-the-middle” attack in Q (257) time, because Ci = EK2 (EK1 (Pi)) DK2(Ci) = EK1(Pi)
Triple DES Encryption • Using EDE (2 encryption and 1 decryption) instead of EEE is for backward compatibility (when K1 = K2) with single-stage DES system • Using EEE with 3 different keys is basically unbreakable nowadays K1 K2 K1 K1 K2 K1 P C C P E D E D E D Encryption Decryption
Public-Key Algorithms • Encryption (E) and Decryption (D) algorithms must meet the following requirements • E and D are different • D(E(P)) = P • It is exceedingly difficult to deduce D from E • Everyone has a pair of keys: public key (E) and private key (D) • Public key is made known to the world • Private key is to be kept private all the time A B P1 EB(P1) DB(EB(P1)) = P1 EB DB DA(EA(P2)) = P2 EA(P2) P2 DA EA
Principles of Public-Key Cryptosystems (cont’d) • Requirements for PKC • easy for B (receiver) to generate KUb and KRb • easy for A (sender) to calculate C = EKUb(M) • easy for B to calculate M = DKRb(C) = DKRb(EKUb(M)) • infeasible for an opponent to calculate KRb from KUb • infeasible for an opponent to calculate M from Cand KUb • (useful but not necessary) M = DKRb(EKUb(M)) = EKUb(DKRb(M)) (true for RSA and good for authentication)
Principles of Public-Key Cryptosystems (cont’d) • The idea of PKC was first proposed by Diffie and Hellman in 1976. • Two keys (public and private) are needed. • The difficulty of calculating f-1 is typically facilitated by • factorization of large numbers • resolution of NP-completeness • calculation of discrete logarithms • High complexity confines PKC to key management and signature applications
Principles of Public-Key Cryptosystems (cont’d) • Comparison between conventional and public-key encryption
Principles of Public-Key Cryptosystems (cont’d) • Applications for PKC • encryption/decryption • digital signature • key exchange
RSA Algorithms • Developed by Rivest, Shamir, and Adleman at MIT in 1978 • First compute the following parameters • Choose two large primes, p and q (typically > 10100) • Compute n = pxq and z = (p-1)x(q-1) • Choose d, which is a number relatively prime to z • Find e such that (exd) mod z = 1 • Divide the plaintext into blocks of k bits, where 2k < n • To encrypt P, compute C = Pe mod n • To decrypt C, compute P = Cd mod n • Public key = (e, n), private key = (d, n)
The RSA Algorithm (cont’d) • Format’s Little Theorem: If p is prime and a is a positive integer not divisible by p, then a p-1 1 mod p. Example: a = 7, p = 19 72 = 49 11 mod 19 74 = 121 7 mod 19 78 = 49 11 mod 19 716 = 121 7 mod 19 a p-1 = 718 = 716+2 711 1 mod 19
The RSA Algorithm (cont’d) • Example 1 • Select two prime numbers, p = 7 and q = 17. • Calculate n = p q = 717 = 119. • Calculate Φ(n) = (p-1)(q-1) = 96. • Select e such that e is relatively prime to Φ(n) = 96 and less than Φ(n); in this case, e = 5. • Determine d such that d e = 1 mod 96 and d < 96.The correct value is d = 77, because 775 = 385 = 496+1.
The RSA Algorithm (cont’d) • The security of RSA • brute force: This involves trying all possible private keys. • mathematical attacks: There are several approaches, all equivalent in effect to factoring the product of two primes. • timing attacks: These depend on the running time of the decryption algorithm.
The RSA Algorithm (cont’d) • To avoid brute force attacks, a large key space is required. • To make n difficult to factor • p and q should differ in length by only a few digits (both in the range of 1075 to 10100) • both (p-1) and (q-1) should contain a large prime factor • gcd(p-1,q-1) should be small • should avoid e < n and d < n1/4
The RSA Algorithm (cont’d) • To make n difficult to factor (cont’d) • p and q should best be strong primes, where p isa strong prime if • there exist two large primes p1 and p2 such that p1|p-1 and p2|p+1 • there exist four large primes r1, s1, r2 and s2 such that r1|p1-1, s1|p1+1, r2|p2-1 and s2|p2+1 • e should not be too small, e.g. for e = 3 and C = M3 mod n, if M3 < n then M can be easily calculated
The RSA Algorithm (cont’d) • Major threats • the continuing increase in computing power (100 or even 1000 MIPS machines are easily available) • continuing refinement of factoring algorithms (from QS to GNFS and to SNFS)
RSA Algorithms (cont’d) • The security of RSA is based on the difficulty of factoring large numbers • It takes 4x109 years for factoring a 200-digit number • It takes 1025 years for factoring a 500-digit number • RSA is too slow to actually encrypt large volumes of data, so it is primarily used for distributions of one-time session key for use with DES algorithms
Key Management • The distribution of public keys • public announcement • publicly available directory • public-key authority • public-key certificates • The use of public-key encryption to distribute secret keys • simple secret key distribution • secret key distribution with confidentiality and authentication
Key Management (cont’d) • Public announcement
Key Management (cont’d) • Public announcement (cont’d) • advantages: convenience • disadvantages: forgery of such a public announcement by anyone
Key Management (cont’d) • Publicly available directory
Key Management (cont’d) • Publicly available directory (cont’d) • elements of the scheme • {name, public key} entry for each participant in the directory • in-person or secure registration • on-demand entry update • periodic publication of the directory • availability of secure electronic access from the directory to participants • advantages: greater degree of security
Key Management (cont’d) • Publicly available directory (cont’d) • disadvantages • need of a trusted entity or organization • need of additional security mechanism from the directory authority to participants • vulnerability of the private key of the directory authority (global-scaled disaster if the private key of the directory authority is compromised) • vulnerability of the directory records
Key Management (cont’d) • Public-key authority
Key Management (cont’d) • Public-key authority (cont’d) • stronger security for public-key distribution can be achieved by providing tighter control over the distribution of public keys from the directory • each participant can verify the identity of the authority • participants can verify identities of each other • disadvantages • bottleneck effect of the public-key authority • vulnerability of the directory records