390 likes | 495 Views
Network Security. Network Entities: Friends and Enemies. Insecure medium. well-known in network security world Bob, Alice want to communicate 'securely' Trudy, the intruder may intercept, delete, add messages. Routers – exchange tables. Email applications – exchange secure emails.
E N D
Network Security Network Entities: Friends and Enemies Insecure medium • well-known in network security world • Bob, Alice want to communicate 'securely' • Trudy, the intruder may intercept, delete, add messages Routers– exchange tables Email applications – exchange secure emails Client-server – establish secure transport connection
What is network security? DESIRABLE PROPERTIES OF SECURE CONNECTION Secrecy: only sender, intended receiver should understand message contents • sender encrypts messages • receiver decrypts messages Authentication: sender, receiver want to confirm identity of each other Message Integrity: sender, receiver want to be sure message did not get altered (in transit), or get altered without detection 1 2 3
What is network security? DESIRABLE PROPERTIES OF SECURE CONNECTION Availability and Access Control: • communication can occur in the first place • Prevent Denial-of-Service attacks (DoS) • ensures network entities can gain access to resources if they have access rights and perform accesses in a well-defined manner • Firewall– controls access to and from the network by regulating which packet can pass into and out of the network 4
Network Security CYCLE IN ACHIEVING NETWORK SECURITY Protect: network communication and network resources Detect: breaches of secure communication & attacks on infrastructure Respond: deployment of additional protection mechanisms 1 2 3
Public Key Cryptography Is it possible to communicate with encryption without having a shared secret key known in advance? symmetric key crypto • requires sender, receiver know shared secret key • Q: how to agree on key in first place (particularly if never met)? • Typical problem in the Internet public key cryptography • radically different approach [Diffie-Hellman76, RSA78] • sender, receiver donotshare a secret key • encryption key is public • (it is known to all) • decryption key private • (known only to receiver)
Public key cryptography Figure 7.7 goes here
1 d (e (m)) = m B B 2 need public and private keys for d ( ) and e ( ) . . B B Public key encryption algorithms Two inter-related requirements: need d ( ) and e ( ) such that . . B B RSA: Rivest, Shamir, Adleman algorithm
RSA: Choosing keys 1. Choose two large prime numbers p, q. (e.g., 1024 bits each) 2. Compute n = pq, z = (p -1)(q -1) 3. Choose e (with e< n) that has no common factors with z. (e, z are 'relatively prime'). 4. Choose d such that ed-1 is exactly divisible by z. (in other words: edmod z = 1 ). 5. Public key is (n, e). Private key is (n, d). In mathematics, a prime number (or a prime) is a natural number that has exactly two (distinct) natural number divisors, which are 1 and the prime number itself. The first 30 prime numbers are 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, and 113
1.To encryptbit pattern, m, compute e e (i.e., remainder when m is divided by n) c = m mod n d m = c mod n d e m = (m mod n) mod n RSA: Encryption, decryption 0. Given (n,e) and (n,d) as computed above 2.To decrypt received bit pattern, c, compute d (i.e., remainder when c is divided by n) Magic happens!
e c = m mod n d d c m = c mod n d c RSA example: Bob chooses p=5, q=7. Then n=35, z=24. e=5 (so e, z relatively prime). d=29 (so ed-1 exactly divisible by z) (equivalently, ed mod z = 1). e m m letter encrypt: l 17 248832 12 c letter decrypt: 17 12 l = 481968572106750915091411825223072000 - too big !! (inttype)
How to solve this problem: Cd=1729: break it into powers that are multiples of 2. 1729=1716 .178 .174. 17 174 mod 35 = 11 ;hence,174 mod 35 = 11 mod 35, So 11 can substitute 174, 178, and 1716in the expression: 1729 mod 35 = 114 . 112 . 11 . 17 mod 35 Also 112 mod 35 = 16 1729 mod 35 = 162. 16 . 11 . 17 mod 35 This is equivalent to calculating x, y and z as follows: x = n4 mod 35 y = x2 mod 35 z = y2 mod 35 m = z . y . x . c mod 35 (smaller !!) Alternatively: use a similar method to the one used in CRC. Remember that (c.c.c) mod n = (c.c) (c mod n) ….
How to solve this problem: Repeated Squaring: calculate y = x emod n intrepeatSquare( intx, inte, intn) { y=1;//initialize y to 1, very important while (e > 0) { if (( e % 2 ) == 0) { x = (x*x) % n; e = e/2; } else { y = (x*y) % n; e = e-1; } } return y; //the result is stored in y } Let’s see the program in action!
Real example of RSA keys 1024-bit RSA encryption key (in hex format): n= A9E167983F39D55FF2A093415EA6798985C8355D9A915BFB1D01DA197026170F BDA522D035856D7A986614415CCFB7B7083B09C991B81969376DF9651E7BD9A9 3324A37F3BBBAF460186363432CB07035952FC858B3104B8CC18081448E64F1C FB5D60C4E05C1F53D37F53D86901F105F87A70D1BE83C65F38CF1C2CAA6AA7EB e=010001 d= 67CD484C9A0D8F98C21B65FF22839C6DF0A6061DBCEDA7038894F21C6B0F8B35 DE0E827830CBE7BA6A56AD77C6EB517970790AA0F4FE45E0A9B2F419DA8798D6 308474E4FC596CC1C677DCA991D07C30A0A2C5085E217143FC0D073DF0FA6D14 9E4E63F01758791C4B981C3D3DB01BDFFA253BA3C02C9805F61009D887DB0319 This is the real thing! http://www.di-mgt.com.au/rsa_alg.html#realexample
Sample Keys N=77 e = 7; d = 43; e = 13; d = 37; e = 17; d = 53; e = 19; d = 79;
d e m = (m mod n) mod n y mod (p-1)(q-1) y x mod n = x mod n e d ed (m mod n) mod n = m mod n ed mod (p-1)(q-1) = m mod n 1 = m mod n = m RSA: Why: Given:Number theory result: If p,q prime, n = pq, then (using number theory result above) Recall: Z = (p-1)(q-1) We choose a value for d so that: ed-1 exactly divisible by z (equivalently, ed mod z = 1). (since we choseed to be divisible by (p-1)(q-1) with remainder 1 )
RSA: how strong is it?? RSA Challenges: • Prize offered to anyone who can break an RSA key of a certain size • (See www.rsasecurity.com/rsalabs ) • US$200,000.00 for whoever solves a 2048 bits factorization problem. No one claimed the prize so far... (no longer offered) • Last challenge solved: • RSA-576 $10,000 Factored in 2003 by J. Franke et al. • Using a powerful parallel machine and very clever algorithms • Currently RSA-1024 is commonly used in practice • RSA key's size matters, see next...
RSA: how strong is it?? Common sense calculation: • Brute force factorization • Try all the prime number P that are smaller than the Key • When Key mod P = 0, then we have found the factors • How long can it take depends on the RSA key size • Suppose we have a key of 200 bits and the factors are approximately of the same order of digits • Each key will have ~10100 trial divisions to do • A 1Gflops machine could do 109 trials per second • Say we have 109 machines in a cluster (massively parallel mach.) • As we have only ~108 seconds/year, it would take • 1074 years !!! • Remember that the Earthis ~109years old
RSA:how to implement it? A simplistic approach: • Translate each byte to a decimal number • Use the RSA algorithm for each character • Problem 1: only a few possible numbers will be used • e.g., 256 possible characters may be mapped into non-existing character if the key is large • Problem 2: easy to break encryption due to language characteristics • e.g., English uses double character such as 'll', 'rr' etc. • A 'dictionary' attack could decrypt the message without ever finding the factorization • In practice the string becomes a large binary number...
RSA: Applications • Very slow if the message is long • Useful for short messages (e.g. Small message digest) • Useful for sending a symmetric key to be used for a symmetric-key cryptosystem • In practice, RSA is used in digital signatures and authentication purposes
RSA IMPLEMENTATION TIPS
Client - Server clientWindows.cpp serverWindows.cpp CLIENT SERVER Encrypted message Decrypted message Uses its private key to decrypt the message Uses the public key for encryption socket socket TCP (Transport Control Protocol) • –requires connection establishment • server uses the listen() function • server uses the accept() function
Client - Server clientWindows.cpp serverWindows.cpp CLIENT SERVER Encrypted message Decrypted message Uses its private key to decrypt the message Uses the public key for encryption socket socket Port: 1234 Sample run: Client 127.0.0.1 1234 Server 1234 Server’sPort number for listening listening at Port 1234 You should run the server first, before running the client. You can test your client and server using the same machine by using the example run above.
Reading characters from stdin CLIENT • get string from stdin • char*gets(char* send_buffer) • stops reading characters when it encounters: • a new line character (not copied into send_buffer) • a NULL-termination character (‘\0’) is automatically appended • if an error occurs, a NULL pointer is returned • strlen() – counts the number of characters excluding the NULL-character A 0 A 0 B 1 1 B strlen()=3 C 2 C 2 ‘\n’ 3 3 ‘\0’ 4 4 ‘\0’ ‘\0’ User entry from keyboard send_buffer
Define your own encryption, decryption keys • What are the values for p, q ? • Keep in mind that the result of the encryption and decryption operations is bounded by the computed variable n. e ENCRYPTION: c = mmod n d DECRYPTION: m= c mod n e.g. Try this: e = 17, n = 253, d = 13
Define your own encryption, decryption keys • What are the values for p, q ? • Keep in mind that the result of the encryption and decryption operations is bounded by the computed variable n. e ENCRYPTION: c = mmod n d DECRYPTION: m= c mod n • n affects the size of your valid character set. • Therefore, you might want to perform some character mapping to suit the range of values returned by the encryption and decryption operations.
3 Sets of encryption, decryption keys • What are the values for p, q ? • Keep in mind that the result of the encryption and decryption operations is bounded by the computed variable n. e ENCRYPTION: c = mmod n d DECRYPTION: m= c mod n • Note: The assignment requires at least 3 sets of encryption and decryption keys.
Encryption Operation Keep in mind that the result of the encryption and decryption operations is bounded by the computed variable n. e ENCRYPTION: c = mmod n d DECRYPTION: m= c mod n User-defined Character Set 7 The encryption algorithm will assign a new index number to any given character a 62 b RSA 9 c ... ... 100 0 210 1 25 2 ... ... We would prefer indexes to be jumbled 253 space 199 ^ 255 #
Character Mapping • You should be able to map a characterto its equivalent user-defined index numberand vice-versa. • Character-to-index mapping and vice-versa is required in both clientand serverapplications. User-defined Character Set 7 a 62 b RSA 9 c The encryption algorithm will assign a new index number to any given character ... ... 100 0 range 210 1 25 2 ... ... 253 space 199 ^ 255 #
RSA Encryption CLIENT • Encryption is performed on the index of the character, and not on the character itself. • Note that we are doing this to simplify the problem. e ENCRYPTION: c = mmod n User entry A 101 22 0 1 B 61 244 C 200 17 2 3 ‘\0’ User-defined mapping RSA-encrypted number 4 ‘\0’ send_buffer
RSA Encryption • Therefore, we need to perform character mapping on the result of the encryption operation (new index number of the character). • This is done character by character. CLIENT e ENCRYPTION: c = mmod n User-defined mapping User entry A 101 22 $ 0 0 1 1 B 61 244 ¥ C 200 17 § 2 2 3 3 ‘\0’ ‘\r’ User-defined mapping RSA-encrypted number 4 4 ‘\0’ ‘\n’ send_buffer send_buffer
RSA SERVER CLIENT Port 1024 Port 1120 Active open Passive open TCP connection to Port 1024 established Determine which key set to use from predefined 3 key sets time time
RSA SERVER CLIENT Port 1024 Port 1120 Active open Passive open TCP connection to Port 1024 established Determine which key set to use from predefined 3 key sets Send public key: e, and n time time
RSA SERVER CLIENT Port 1024 Port 1120 Active open Passive open TCP connection to Port 1024 established Determine which key set to use from predefined 3 key sets Send public key: e, and n • Receive public key: e, and n • Get user input • Use public key to encrypt message. time time
RSA SERVER CLIENT Port 1024 Port 1120 Active open Passive open TCP connection to Port 1024 established Determine which key set to use from predefined 3 key sets Send public key: e, and n • Receive public key: e, and n • Get user input • Use public key to encrypt message. • Send encrypted message time time
RSA SERVER CLIENT Port 1024 Port 1120 Active open Passive open TCP connection to Port 1024 established Determine which key set to use from predefined 3 key sets Send public key: e, and n • Receive public key: e, and n • Get user input • Use public key to encrypt message. • Send encrypted message Receive encrypted message Check validity of characters Decrypt message time time
RSA SERVER CLIENT Port 1024 Port 1120 Active open Passive open TCP connection to Port 1024 established Determine which key set to use from predefined 3 key sets Send public key: e, and n • Receive public key: e, and n • Get user input • Use public key to encrypt message. • Send encrypted message • Receive encrypted message • Check validity of characters • Decrypt message • display original message • display decrypted message time time