Network Security (contd.) Bijendra Jain (bnj@cse.iitd.ernet.in) Tutorial on Network Security: Sep 2003
Lecture 3: Public-key cryptography
Public-key cryptography
• Public-key cryptography is not necessarily more secure than private-key cryptography
• Private-key cryptography is not obsolete; it is still exceptionally useful
• Distribution of keys in public-key cryptography is not trivial
  • Public-key cryptography has attempted to address this issue head-on

Public-key cryptography
• Public-key cryptography requires the use of two keys:
  • One for encryption
  • A related one for decryption
• One key is kept private, while the other is made public
• Can either key be used for encryption, and the other for decryption?
  • YES, for RSA

Public-key cryptography: confidentiality
• Used for confidentiality: (figure not preserved)

Public-key cryptography: authentication
• Used for authentication: (figure not preserved)

Confidentiality and authentication
• Used for: (figure not preserved)

Public-key cryptography
• Easy for B to generate keys, (private) $KR_B$ and (public) $KU_B$
• Easy for sender A to encrypt $C = E_{KU_B}(M)$, given M and $KU_B$
• Easy for receiver B to decrypt $M = D_{KR_B}(C)$, given C and $KR_B$
• Given $KU_B$ it is infeasible for others to determine $KR_B$
• Given $KU_B$ and ciphertext C it is infeasible for others to decipher M
• (optionally) encryption and decryption can be applied in any order
• Function E (or D) is a “one-way function with trap-door”
  • Inverting E (or D) is infeasible, unless additional information (the trap-door) is available

RSA algorithm
• Approach first suggested by Diffie and Hellman
• Invented by Rivest, Shamir, Adleman at MIT, first published in 1978
• Algorithms are patented
• Block cipher, where plaintext is < n
• Permits any key length
  • typically 128 through 1014 is common

RSA algorithm
• Consider n, and blocks of size k bits s.t. $2^k < n \le 2^{k+1}$.
• Encryption and decryption algorithms:
  $C = M^e \bmod n$
  $M = C^d \bmod n = M^{ed} \bmod n$
  where sender knows public key KU = {e, n}
  receiver knows private key KR = {d, n}
• For this to be a public-key crypto system:
  • $M = M^{ed} \bmod n$ for some e, d, n, for all M < n
  • Easy to calculate $M^e \bmod n$ and $C^d \bmod n$
  • Infeasible to determine d, given e and n

RSA algorithm
• Key generation
  • Select any prime numbers p, q
  • Compute n = p*q
  • Compute phi = (p-1)*(q-1)
  • Select e, such that 1 < e < phi, and gcd(phi, e) = 1
  • Find d such that e*d = 1 mod phi
  • Public key KU = {e, n}
  • Private key KR = {d, n}
• Encryption, decryption algorithms: for any plaintext M < n
  $C = M^e \pmod n$
  $M = C^d \pmod n$
• Can be shown that $M = C^d \bmod n = M^{ed} \bmod n$

RSA: example
Let p = 7, q = 17
N = p*q = 119
Phi = (p-1)*(q-1) = 96
Select e = 5 (note e is relatively prime to 96, and < 96)
Find d = 77 (note d*e = 1 mod 96, and d < 96)
KU = {5, 119}, KR = {77, 119}
Let M = 19 (note M < 119)
Encryption step: C = 19**5 = 2476099 mod 119 = 66
Decryption step: M = 66**77 = 127………. mod 119 = 19

RSA: computational aspects
• Computing $C = M^e \pmod n$
• Use the following two properties:
  1. A * B mod n = (A mod n)*(B mod n) mod n
     Or, e.g., 19**5 mod 119 = (19**2 mod 119) * (19**3 mod 119) mod 119
  2. A**8 = (A**4)**2 = ((A**2)**2)**2
     Or, 19**9 = (19**8)*(19**1) = (((19**2)**2)**2)*(19**1)

RSA: key generation
• Selecting two primes: p, q
  • Should be very large
  • Since M < n = p*q
  • Infeasible to calculate factors p, q of n by exhaustive search
• Finding large primes
  • Pick a large number randomly, and then test
• Selecting e, relatively prime to phi = (p-1)*(q-1)
  • Pick an e, and test for relative primality
  • Extended Euclid’s algorithm computes gcd, and inverse, d

RSA: its strength
• Brute force
• Factor n to obtain p and q
  • Then calculate phi = (p-1)*(q-1), and then invert e to obtain d
• “Factor” n to obtain phi
  • Then invert e to obtain d
• Progress towards meeting challenges
  • Ciphers using RSA with keys of size up to 431 bits have been deciphered
  • Effort involved was only 500 MIPS-years (1 MIPS machine working for 1 year – a 200 MHz Pentium is 50 MIPS)
  • A 2048 bit RSA is expected to require $10^{14}$ MIPS-years
• Today, and for the near future, consider RSA key size of 1024 to 2048
• Additionally consider selecting p and q appropriately, such that p and q are of approximately the same length, etc.

RSA: distribution of public keys
• Public announcements
• Directory on the web, where data is secured
• Public-key authority
• Certificates

RSA: distribution of public keys
• Public announcements
  • Public key is “public”
  • User can share his/her public key with others
  • Popular with PGP
  • However, one may even send “false” keys

RSA: distribution of public keys
• Publicly accessible directory
  • By a trusted and well known “authority”
  • Individual users “register” their public key using some other means
  • Public keys are secure
    • For instance on the web, or printed directory
  • Individual users control, update their public keys, and do so in a secure manner
• Weaknesses:
  • Break into the authority’s database
  • Alter the key during communication

RSA: distribution of public keys
• Public-key authority
  • Very similar to publicly accessible directory
  • Different: user can request/obtain public key in secure manner

[Figure: message exchange between initiator A, initiator B and X, the PK authority]
1. REQ($KU_B$, $T_1$)
2. $ENC_{KU_X}(KU_B, REQ(KU_B, T_1))$
3. $ENC_{KU_B}(ID_A, N_1)$
4. REQ($KU_A$, $T_2$)
5. $ENC_{KU_X}(KU_A, REQ(KU_A, T_2))$
6. $ENC_{KU_A}(ID_B, N_1, N_2)$
7. $ENC_{KU_B}(N_2)$

RSA: distribution of public keys
• Public-key certificates
  • Certificates need not be issued each time
  • Sender provides public key with a certificate
  • Receiver checks the certificate, thereby confirms public key
• A certificate:
  • Anyone can read it and determine the owner’s public key
  • Anyone can verify that the certificate is signed by the authority
  • Only the authority can create a certificate
  • Anyone can check the “currency” of the certificate

RSA: Certificates
$CERT_A = ENC_{PU_X}(ID_A, KU_A, T_A, DUR_A)$
where
• $PU_X$ is public key of certification authority
• $ID_A$ is user ID
• $KU_A$ is public key of A
• $T_A$ is time of issuance of certificate
• $DUR_A$ is the duration for which the certificate is valid

Lecture 4: Message Authentication
Message authentication
• Source of message
  • Protection against masquerading
• Integrity of message
  • Protection against modification
• Integrity of sequence of messages
  • Protection against deletion, addition and re-ordering
• Integrity of timing
  • Protection against delay and replay

Using private-key encryption
• Encrypt message using private-key encryption system
• Basically provides confidentiality
• Authentication and integrity check are difficult, but possible
  • Particularly if it is some bit sequence
  • Use an FCS (frame check sequence), as in TCP
  • Integrity of a sequence of TCP messages can also be ensured
• Does not provide for non-repudiation

Using public-key encryption
• Similar, except that it only provides for authentication
• Again, the transmitted message must have some structure (FCS, for example)

Message Authentication Codes
• Integrity check is not difficult any more
• Based on private-key encryption
• Transmitted message is (M, MAC), with $MAC = C_K(M)$, where:
  • C is the MAC algorithm,
  • K is the shared key
• Provides for message integrity, user authentication, but not non-repudiation

Message Authentication Codes
• Algorithm C differs:
  • From encryption, in that it is NOT reversible
  • From FCS, etc., in that it is not easy to design a new message with same FCS
  • From use of hash functions, in that encryption and “hashing” is simultaneous
• Algorithm C is more difficult to crack

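Message authentication codes
[Figure: two panels. In one, MAC() under key K is computed over the Message and concatenated (||) with it to form the data sent; in the other, fcs() of the Message is concatenated (||) with it and the result passes through E() under key K to form the data sent]
• Authentication based on MAC: superior since it is efficient
• Authentication based on appending an FCS, then encrypting
• FCS is a bad idea, anyway
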
Message authentication: alternatives
[Figure: two panels, each combining the Message, H(), concatenation (||) and E() under key K to form the data sent]

Digital Signature
[Figure: the Message, H(), E() under private key KR and concatenation (||) combine to form the data sent]

Message authentication: alternatives
[Figure: the Message and a secret K are concatenated (||) and passed through H(); the result is concatenated (||) with the Message to form the data sent]
• This approach completely does away with encryption
• Efficient
• Strength depends completely on how good the hashing function is

MAC codes
• MAC is also known as cryptographic checksum
• Transmitted message is (M, MAC), with $MAC = C_K(M)$, where:
  • C is the MAC algorithm,
  • MAC is n bits long
  • M is a variable length message
  • K is a k-bit shared key
• MAC requirements:
  • Given M and $C_K(M)$, it should be computationally infeasible to obtain M’ s.t. $MAC = C_K(M) = C_K(M')$
  • $MAC = C_K(M)$ should be uniformly distributed, or for random M, M’: $\Pr[C_K(M) = C_K(M')] = 2^{-n}$
  • Similarly if M’ is obtained by carrying out simple transformations

MAC Codes
• 64 bit DAA (Data Authentication Algorithm) is based on DES:
  $O_1 = E_K(D_1)$
  $O_2 = E_K(O_1 \oplus D_2)$
  $O_3 = E_K(O_2 \oplus D_3)$
  …
  $O_N = E_K(O_{N-1} \oplus D_N)$

Hash functions
[Figure: the Message, H(), E() under private key KR and concatenation (||) combine to form the data sent]
• Requirements of a hash function:
  • Can be applied to block of data of any size
  • Produces a fixed length digest
  • Easy to compute h = H(M)
  • One-way function: given h, it must be computationally infeasible to compute M such that h = H(M)
  • Weak collision: given M, it must be computationally infeasible to compute M’ such that H(M’) = H(M)
  • Strong collision: computationally infeasible to find M, M’ such that H(M’) = H(M)

Hash functions
• Simple hash function:
  $O_1 = D_1$
  $O_2 = O_1 \oplus D_2$
  $O_3 = O_2 \oplus D_3$
  …
  $O_N = O_{N-1} \oplus D_N$
• MD4, MD5

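Why the simple XOR hash fails the weak-collision requirement listed on the previous slide, shown as an added example (not part of the original lecture). The 8-byte block size, the function names and the sample messages are constructed for this sketch.

```python
import hashlib

BLOCK = 8  # bytes per block D_i (assumed size; the slide does not fix one)

def split_blocks(msg: bytes) -> list:
    """Zero-pad msg to a multiple of BLOCK and cut it into D_1..D_N."""
    padded = msg + bytes(-len(msg) % BLOCK)
    return [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def simple_hash(msg: bytes) -> bytes:
    """O_1 = D_1, O_i = O_{i-1} XOR D_i; the digest is O_N."""
    out = bytes(BLOCK)               # all-zero start, so O_1 = D_1
    for d in split_blocks(msg):
        out = xor_bytes(out, d)
    return out

def same_digest_message(original: bytes, replacement: bytes) -> bytes:
    """Pad `replacement` and append one block so its digest equals original's."""
    body = b"".join(split_blocks(replacement))
    fix = xor_bytes(simple_hash(original), simple_hash(body))
    return body + fix

# Constructed sample messages; every block is exactly 8 bytes.
M1 = b"PAY 0100" + b"TO ALICE"
M2 = b"TO ALICE" + b"PAY 0100"      # same blocks, different order
M3 = same_digest_message(M1, b"PAY 9999" + b"TO ALICE")

def report() -> dict:
    """Compare the XOR hash with SHA-256 on the three messages."""
    sha = {hashlib.sha256(m).digest() for m in (M1, M2, M3)}
    return {
        "reorder_collides": simple_hash(M1) == simple_hash(M2),
        "altered_collides": M3 != M1 and simple_hash(M3) == simple_hash(M1),
        "sha256_distinct": len(sha) == 3,
    }

if __name__ == "__main__":
    print(simple_hash(M1).hex(), report())
```
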
MD5
[Figure: message blocks $Y_0, Y_1, \ldots, Y_L$ are each processed by an $H_{MD5}$ stage; the chaining value runs IV, $CV_1$, $CV_2$, …, $CV_{L-1}$, $CV_L$]
• Developed in 1992, by Ron Rivest
• 128 bit hash code
• Processes 512 bits at a time (add padding bits if necessary)
• 4 rounds of 16 steps each, involving gcd, and + mod $2^{32}$ operations

MD4
• Similar to MD5, developed earlier in 1990 by Ron Rivest
• 128 bit hash code, processes 512 bits at a time
• 3 rounds of 16 steps each, involving gcd, and + mod $2^{32}$ operations
• Faster

SHA-1 hash function
• Developed by NIST in 1995
• Based on MD4
• 160 bit hash
• Operates on blocks of length 512 bit
• More secure against brute force attacks
• Appears to be secure against cryptanalysis
• MD5 and SHA-1 are equally fast, simple

HMAC
• Truly a MAC
• Required for IPSec
• Based on hash functions
  • Any “good” hash function can be used
  • The “IV” can be kept secret (becomes the key)
  • MD5 or SHA-1 can be used

Thanks