480 likes | 608 Views
EE 122: (More) Network Security. November 5, 2003. EECS 122: Introduction to Computer Networks Network Security II. Computer Science Division Department of Electrical Engineering and Computer Sciences University of California, Berkeley Berkeley, CA 94720-1776. Today’s Lecture: 20. 2.
E N D
EE 122: (More) Network Security November 5, 2003
EECS 122: Introduction to Computer Networks Network Security II Computer Science Division Department of Electrical Engineering and Computer Sciences University of California, Berkeley Berkeley, CA 94720-1776
Today’s Lecture: 20 2 17,18 Application 19, 20 10,11 6 Transport 14, 15, 16 7, 8, 9 Network (IP) 21, 22, 23 Link Physical 25
Security Requirements • Authentication • Ensures that the sender and the receiver are who they are claiming to be • Data integrity • Ensure that data is not changed from source to destination • Confidentiality • Ensures that data is red only by authorized users • Non-repudiation • Ensures that the sender has strong evidence that the receiver has received the message, and the receiver has strong evidence of the sender identity, strong enough such that the sender cannot deny that it has sent the message and the receiver cannot deny that it has received the message (not discussed in this lecture)
Outline • Cryptographic Algorithms (Confidentiality and Integrity) • Authentication • System examples
Cryptographic Algorithms • Security foundation: cryptographic algorithms • Secret key cryptography, Data Encryption Standard (DES) • Public key cryptography, RSA algorithm • Message digest, MD5
Symmetric Key • Both the sender and the receiver use the same secret keys Plaintext Plaintext Internet Encrypt with secret key Decrypt with secret key Ciphertext
Data Encryption Standard (DES) • DES encrypts a 64-bit block of plain text using a 64-bit key • Three phases • Permute the 64 bits in the block • Apply a given operation 16 times on the 64 bits • Permute the 64 bits using the inverse of the original permutation 1st phase IP(input) Round 1 . . . key 2nd phase Round 16 3rd phase IP-1(input)
Initial Permutation (IP) • IP: bit 58 of input becomes 1st bit, it 50 becomes 2nd bit, etc 58 50 42 34 26 18 10 2 60 52 44 36 28 20 12 4 62 54 46 38 30 22 14 6 64 56 48 40 32 24 16 8 57 49 41 33 25 17 9 1 59 51 43 35 27 19 11 3 61 53 45 37 29 21 13 5 63 55 47 39 31 23 15 7 • IP-1: inverse of IP, e.g., IP(1) = 58, IP-1 (58) = 1 40 8 48 16 56 24 64 32 39 7 47 15 55 23 63 31 38 6 46 14 54 22 62 30 37 5 45 13 53 21 61 29 36 4 44 12 52 20 60 28 35 3 43 11 51 19 59 27 34 2 42 10 50 18 58 26 33 1 41 9 49 17 57 25
2nd Phase: Operation In Each Round 0 63 • Key K is 64 bits • 16 rounds • Each round i select a 48 bit key Kifrom the original 64 bit key K. Perform (F is a given function): 63 32 31 0 Li-1 Ri-1 Ki F + Li Ri
Encrypting Larger Messages • Initialization Vector (IV) is a random number generated by sender and sent together with the ciphertext Block1 Block2 Block3 Block4 IV + + + + DES DES DES DES Cipher1 Cipher2 Cipher3 Cipher4
DES Properties • Provide confidentiality • No mathematical proof, but practical evidence suggests that decrypting a message without knowing the key requires exhaustive search • To increase security use triple-DES, i.e., encrypt the message three times
Public-Key Cryptography: RSA (Rivest, Shamir, and Adleman) • Sender uses a public key • Advertised to everyone • Receiver uses a private key Plaintext Plaintext Internet Encrypt with public key Decrypt with private key Ciphertext
Generating Public and Private Keys • Choose two large prime numbers p and q (~ 256 bit long) and multiply them: n = p*q • Chose encryption key e such that e and (p-1)*(q-1) are relatively prime • Compute decryption key d, where d = e-1mod ((p-1)*(q-1)) (equivalent to d*e = 1 mod ((p-1)*(q-1))) • Public key consist of pair (n, e) • Private key consists of pair (d, n)
RSA Encryption and Decryption • Encryption of message block m: • c = memod n • Decryption of ciphertext c: • m = cd mod n
Example (1/2) • Choose p = 7 and q = 11 n = p*q = 77 • Compute encryption key e: (p-1)*(q-1) = 6*10 = 60 chose e = 13 (13 and 60 are relatively prime numbers) • Compute decryption key d such that 13*d = 1 mod 60 d = 37 (37*13 = 481)
Example (2/2) • n = 77; e = 13; d = 37 • Send message block m = 7 • Encryption: c = me mod n = 713 mod 77 = 35 • Decryption: m = cd mod n = 3537 mod 77 = 7
RSA Proof Sketch (1/4) • mod properties. Suppose a = b mod k, and c = d mod k. Then 1) a + c = (b + d) mod k 2) a*c = (b*d) mod k
RSA Proof Sketch (2/4) • Theorem: Assume a and d are relatively primes, (a, d) = 1. Then a*b = a*c mod d implies b = c mod d Proof: Since (a, d) = 1, there exists m and n such that a*m + d*n = 1 a*m = -d*n + 1 a*m = 1 mod d (1) Then, we have a*b = (a*c) mod d (a*m*b) = (a*m*c) mod d (using mod additive property) a = c mod d (from (1))
RSA Proof Sketch (3/4) • Euler Theorem: Let Φ(d) be the number of numbers less than d relative prime to d, and suppose (a, d) = 1. Then aΦ(d) = 1 mod d. Proof: Let a1, a2, .., aΦ(d) by the prime numbers to a. Then for all i(ai, 1) = 1, (a, d) = 1, and (a*ai, d) = 1. Note that (a*ai mod d) are Φ(d) relatively prime numbers (< d) to d. Thus, lists a1, a2, …, aΦ(d)and (a*a1) mod n, (a*a2) mod n, …, (a*aΦ(d)) mod d, contain the same numbers! Using mod properties we have: (a*a1)*(a*a2)* .. *(a*aΦ(d)) = (a1*a2*… *aΦ(d)) mod d aΦ(d) (a1*a2*… *aΦ(d)) = (a1*a2*… *aΦ(d)) mod d (from prev. Theorem) aΦ(d) = 1 mod d
RSA Proof Sketch (4/4) • Theorem: Suppose (1) p and q are primes, (2) n = pq, (3) e*d = 1 mod (p-1)(q-1), and (4) c = me mod n. Then m = cd mod n Proof: Assume m = 1 mod p and m = 1 mod q (Otherwise much longer proof) Since p and q are primes Φ(p) = p -1, Φ(q) = q -1, and Φ(p*q) = (p-1)*(q-1). Since m = 1 mod (p*q) = 1 mod n, from Euler Theorem mΦ(n) = 1 mod n m(p-1)(q-1) = 1 mod pq ce mod n = m(e*d) mod n = c(k*(p-1)(q-1) + 1) mod pq = mk*(p-1)(q-1))* m mod pq = m mod pq = m (since m < p*q)
Properties • Confidentiality • A receiver A computes n, e, d, and sends out (n, e) • Everyone who wants to send a message to A uses (n, e) to encrypt it • How difficult is to recover d ? (Someone that can do this can decrypt any message sent to A!) • Recall that d = e-1mod ((p-1)*(q-1)) • So to find d, you need to find primes factors p and q • This is provable very difficult
Message Digest (MD) 5 • Can provide data integrity • Used to verify the authentication of a message • Idea: compute a hash on the message and send it along with the message • Receiver can apply the same hash function on the message and see whether the result coincides with the received hash
MD 5 (cont’d) • Basic property: digest operation very hard to invert • In practice someone cannot alter the message without modifying the digest Plaintext corrupted msg Plaintext NO = digest’ Internet Digest (MD5) Digest (MD5) digest
Message Digest Operation • Transformation contains complex operations (see textbook) Initial digest (constant) Message (padded) 512 bits 512 bits 512 bits Transformation Transformation . . . Transformation Message digest
Outline • Cryptographic Algorithms (Confidentiality and Integrity) • Authentication • System examples
Authentication • Goal: Make sure that the sender an receiver are the ones they claim to be • Two solutions based on secret key cryptography (e.g., DES) • Three-way handshaking • Trusted third party • One solution based on public key cryptography (e.g., RSA) • Public key authentication
clientId, E(x, CHK) E(x+1, SHK), E(y,SHK) E(y+1, CHK) E(SK,SHK) Simple Three-Way Handshaking client server • E(m,k) – encrypt message m with key k • D(m,k) – decrypt m with key k • CHK and SHK – client and server shared secrete keys • SK – session key used for data communication • This reduces the number of messages containing CHK and SHK • Question: how are CHK and SHK communicated in the first place?
Trusted Third Party • Trust a third party entity, authentication server • Scenario: A wants to communicate with B • Assumption: both A and B share secrete keys with S: KA and KB • Notations: • T: timestamp (also serves the purpose of a random number) • L: lifetime of the session • K: session’s key
A,B E((T,L,K,B),KA) E((T,L,K,A),KB) E((A,T),KA) E((T,L,K,A),KB) E(T+1,K) Trusted Third Party (cont’d) S A B
E(x, PublicB) x Public Key Authentication • Based on public key cryptography • Each side need only to know the other side’s public key • No secrete key need to be shared • A encrypts a random number x and B proves that it knows x • A can authenticate itself to be in the same way A B
Outline • Cryptographic Algorithms (Confidentiality and Integrity) • Authentication • System examples
Public Key Infrastructure (PKI) • System managing public key distribution on a wide-scale • Trust distribution mechanism • Allow any arbitrary level of trust
PKI Properties • Authentication via Digital Certificates • Confidentiality via Encryption • Integrity via Digital Signatures • Non–Repudiation via Digital Signatures
Digital Certificate • Signed data structure that binds an entity with its corresponding public key • Signed by a recognized and trusted authority, i.e., Certification Authority (CA) • Provide assurance that a particular public key belongs to a specific entity
Certification Authority • People, processes responsible for creation, delivery and management of digital certificates • Organized in an hierarchy Root CA CA-1 CA-2
Registration Authority • People, processes and/or tools that are responsible for • Authenticating the identity of new entities (users or computing devices) • Requiring certificates from CA’s.
Certificate Repository • A database which is accessible to all users of a PKI, contains: • Digital certificates, • Certificate revocation information • Policy information
private key public key Alice Alice private key public key Bob Bob Example • Alice generates her own key pair. • Bob generates his own key pair. • Both sent their public key to a CA and receive a digital certificate
public key Bob private key Alice public key Alice private key Bob Example • Alice gets Bob’s public key from the CA • Bob gets Alice’s public key from the CA
Alice use private key to sign: use public key cryptography to provide integrity Alice Private Alice Public Example Alice Bob Message Hash Hash Message ? Encryption Decryption = Hash
Certificate Revocation • Process of publicly announcing that a certificate has been revoked and should no longer be used. • Approaches: • Use certificates that automatically time out • Use certificate revocation list • Use list that itemizes all revoked certificates in an on-line directory
Pretty Good Privacy (PGP) • Provide • Authentication • Confidentiality • Application examples: file transfers, e-mail • Authentication weaker than PKI, but • Freely available • Not controlled by a government or standard organization
PGP Services • Authentication Digital signature; uses DSS/SHA or RSA/SHA • Confidentiality Encryption, e.g., three-key triple DES or RSA • Also provides • Compression Zip • E-mail compatibility Radix-64 conversion • Segmentation
PGP: Public Key Management • No rigid public key management scheme • Problem: how to get public key reliable • Possible solution: physically or by phone. Secure but unpractical • PGP solution: build a ”web of trust” • Assume you know several variably trusted users • Each of these indvidual can sign certificates for other users • Each signature has asociated a trust field indicating the level of trust in the certificate
What do You Need To Know • Security requirements • Cryptographic algorithms • How does DES and RSA work (no proof for RSA) • Authentication algorithms • Public key management, digital certificates (high level)