Introduction to Cryptography and Security Mechanisms
Dr Keith Martin, McCrea 349, 01784 443099, keith.martin@rhul.ac.uk

Before we start…
Quiz 1
Which of the following statements about public key cipher systems is not true?
A Public key cipher systems are normally slower than symmetric cipher systems
B Public key cipher systems are more difficult to design than symmetric cipher systems
C Public key cipher systems involve simpler key management issues than symmetric cipher systems
D Public key cipher systems are less vulnerable to exhaustive key search attacks than symmetric cipher systems

Quiz 2
Which of the following functions is not believed to be a one-way function?
A Squaring a number
B Multiplying two prime numbers together
C Multiplying two prime numbers together and reducing modulo n
D Encrypting a number using the RSA encryption function

Quiz 3
If a user of RSA accidentally “deleted” their private key then which of the following statements is most accurate?
A The user would need to generate a new RSA public / private key pair
B Knowledge of the user’s public key (n,e) would be sufficient to recover the private key
C Knowledge of the user’s public key (n,e) would be sufficient to generate a new, but different, private key
D The user could recover their private key but would need more information than knowledge of only their public key (n,e)
Introduction to Cryptography and Security Mechanisms: Unit 8, Cryptographic Services
Learning Outcomes
• Recognise the various services that cryptography can provide
• Compare two different notions of authentication
• Identify a number of techniques for offering unilateral entity authentication
• Use symmetric cryptographic techniques to provide data integrity
• Explain the concept of a cryptographic protocol
• Describe techniques of providing message freshness in a cryptographic protocol
• Analyse a simple cryptographic protocol

Sections
• Cryptographic services
• Entity authentication
• Data integrity
• Cryptographic protocols

Ambiguous terminology
There are two pieces of terminology whose use we should be careful with:
• What is an “entity”?
• What is “authentication”?

Types of service
• Entity authentication: the assurance that a given entity is involved and currently active in a communication session (sometimes referred to as identification).
• Data integrity: the assurance that data has not been altered in an unauthorised (or accidental) manner since the time that the data was last created, transmitted or stored by an authorised user.
• Data origin authentication: the assurance that a given entity was the original source of some data (sometimes referred to as message authentication).
• Non-repudiation: the assurance that an entity cannot deny any previous commitments or actions (normally with respect to origin of data).

Two questions
• In what situations might providing data origin authentication be more appropriate than providing entity authentication?
• Does data origin authentication imply data integrity?
Entity authentication Entity authentication is one of the most vital services that can be provided by cryptography. Because entity authentication provides identity assurance in “real time”, it can only truly be achieved for an instant in time. In what ways could the fact that entity authentication is an instantaneous process be exploited by an attacker? How might you try to counter these attacks?
Uses of entity authentication
• Access control: an entity, often a human user, must provide assurance of their identity in real time in order to have access to either physical or virtual resources.
• As part of a more complex cryptographic process: typically established at the start of a connection, an entity must provide assurance of their identity in real time in order for the extended process to complete satisfactorily.
• For example, the process of establishing a symmetric key that two users can use to immediately communicate with one another commonly involves mutual entity authentication, in order to provide the two users with sufficient assurance that they have agreed a key with the “correct” person.

Types of entity authentication
• Unilateral entity authentication is assurance of the identity of one entity to another (and not vice-versa).
• Mutual entity authentication occurs if both communicating entities provide each other with assurance of their identity.
• The most common ways of providing entity authentication are by using (a combination of) the following:
• something that you have
• something that you are
• something that you know
Can you think of any other ways of providing entity authentication?
Something you have: dumb tokens
• Any physical device without a memory that can be used as a type of electronic key.
• Dumb tokens typically operate with a reader that extracts some information from the token and then indicates whether the information authenticates the entity or not.
• A good example of a dumb token is a plastic card with a magnetic stripe. The security of the card is based entirely on the difficulty of extracting the information from the magnetic stripe.
• It is common to combine the use of a dumb token with another entity authentication technique, such as one based on something you know.

Something you have: smart tokens
• A wide range of technologies (that includes smart cards).
• Some smart tokens resemble pocket calculators and can be used to calculate responses to cryptographic challenges.
• All types of smart token, including smart cards, require an interface to a computer system of some sort. This interface could be a human being (in the case of a calculator being used to compute a response to a challenge), a processor connected to a reader, or an air interface (such as in the case of “contactless” smart cards that just require the smart card to be presented close to a reader, but not passed directly through it).
• As with dumb tokens, smart tokens are often also implemented alongside another entity authentication technique based on something that you know.

Something you have: smart cards
• A plastic card that contains a chip, which gives the card a limited amount of memory and processing power.
• A smart card can store secret data more securely, and can also engage in cryptographic processes that require some computations to be performed (e.g. challenge/response).
• Smart cards have limited memory and processing power, thus restricting the types of operation that they can comfortably perform. (This will undoubtedly improve.)
• Many European banks already routinely issue customers with smart cards. In the U.K., all new Visa cards contain a chip as well as a magnetic stripe.
• Smart cards are also widely used in some countries for electronic ticketing applications, particularly for transportation.
Something you are: biometrics
• Techniques for human user entity authentication that are based on physical characteristics of the human body.
• A biometric control typically converts a physical characteristic into a digital template that is stored on a database. When the user physically presents themselves for entity authentication, the physical characteristic is measured by a reader, digitally encoded, and then compared with the template.
• Static (unchanging) measurements include fingerprints, hand geometry, face recognition, retina scans and iris scans.
• Dynamic (changing) measurements include handwriting measurements and voice recognition.
• There are many implementation issues, and as yet entity authentication is not widely provided using these techniques.
• Biometrics, and a closer examination of the implementation issues, are discussed further in Network Security.
Something you know Most cryptographic implementations of entity authentication are based on something you know. Many of the other types of technique are implemented in combination with a technique based on something you know. From a security perspective, what advantages does basing an entity authentication technique on something you know have over the techniques already covered? Are there any possible disadvantages?
Passwords Passwords are probably the most popular technique for providing entity authentication, despite concerns about how secure they actually are. Password security is considered in greater detail in the module Computer Security. However, for now, write down as many general problems as you can think of with the technique of using passwords to provide entity authentication.
Cryptographic password protection
The device holds a table containing entries (I, F(P)).
1 The user sends their identity I to the device
2 The user sends their password P
3 The device applies the one-way function F to P
4 The device compares F(P) with the table entry stored for I: does F(P) = stored value? Decision

Example one-way function
An encryption algorithm applied to the password P: OWF(P) = EK(P), where the encryption key K is not secret.
Since the key K is not secret, why can’t anyone reverse this process?
Improving use of passwords Even when they are “protected”, passwords often offer limited security. What techniques could we employ to make password based entity authentication more secure?
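As an added example that is not from the slides, the password-table scheme above in Go: the device stores (I, F(P)) and never P, and Authenticate performs steps 1 to 4. F is instantiated here as SHA-256 over a per-user random salt and the password (an assumption; the slide's F is an encryption-based one-way function), and the salt and the constant-time comparison are two of the improvements the question above asks for.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
)

// PasswordTable is the device-side table of (identity I, F(P)) entries from
// the slide: the device keeps F(P), never P itself.
// F is instantiated here as SHA-256 over a per-user random salt and the
// password (an assumption; the slide's F is an encryption-based one-way
// function). The salt is an addition: it stops one precomputed table of
// F values from being checked against every user's entry at once.
type PasswordTable struct {
	entries map[string][]byte // I -> F(P)
	salts   map[string][]byte // I -> salt
}

func NewPasswordTable() *PasswordTable {
	return &PasswordTable{entries: map[string][]byte{}, salts: map[string][]byte{}}
}

// f is the one-way function F: cheap to compute from P, infeasible to invert.
func f(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// Register stores F(P) against identity I (the table on the slide).
func (t *PasswordTable) Register(identity, password string) error {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	t.salts[identity] = salt
	t.entries[identity] = f(salt, password)
	return nil
}

// Authenticate is steps 1-4 of the slide: receive I and P, apply F to P,
// compare with the stored F(P), decide. The comparison is constant-time and
// is performed even for unknown identities, so timing reveals neither how
// many bytes matched nor whether I exists in the table.
func (t *PasswordTable) Authenticate(identity, password string) bool {
	stored, known := t.entries[identity]
	if !known {
		stored = make([]byte, sha256.Size) // dummy entry for uniform timing
	}
	match := subtle.ConstantTimeCompare(f(t.salts[identity], password), stored) == 1
	return known && match
}
```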
Challenge/response mechanisms
The device holds key A and a random number generator; the user's smart token holds key A and is protected by a PIN.
1 The device's random number generator produces a challenge
2 The challenge is sent to the user
3 The user enters their PIN and the challenge into the smart token
4 The token computes a response from the challenge using key A
5 The response is sent to the device
6 The device computes the expected response from the challenge using key A
7 The device compares: response = expected value? Decision

Challenge/response questions
• From the perspective of the device, what exactly is the basis for assurance that the user is who they claim to be?
• To what extent is this better than a scheme based on “normal” passwords?

Zero knowledge mechanisms
• The entity authentication techniques that we have looked at thus far are all based on some degree of trust between the entities involved:
• e.g. the user needs to agree on a password with the device
• challenge/response requires a shared key
• There are situations where entity authentication (identification) is necessary, but where the two entities concerned are potential adversaries and do not share any information.
• A requirement of a zero knowledge mechanism is that one entity A must be able to provide assurance of their identity to another entity B in such a way that it is impossible for B to later impersonate A, even after B has observed and verified many different successful authentication attempts.
Zero knowledge mechanisms
(Diagram: a cave with a main cave entrance and a choice of two entrances, A and B, to the inner cave.)

Entity authentication mechanisms
• Passwords
• Dynamic passwords (challenge / response)
• Zero knowledge mechanisms
• Cryptographic authentication protocols

Active attacks
Recall the following list of active attacks:
• Alteration or replacement of a message
• Deletion of a message
• Insertion of a false message
• Replay of an old message
• Changing the order of a message
• Falsifying the origin of a message
How many of these active attacks could be prevented by encrypting a message using symmetric cryptography?
Data integrity mechanisms Although there are some direct data integrity mechanisms, in general data integrity is bundled together with data origin authentication since it is uncommon to want data integrity and not the stronger concept of data origin authentication. We will consider two different types of data integrity mechanism, both of which also provide data origin authentication: Message Authentication Codes (MACs) are symmetric mechanisms that we consider now. Digital signatures are asymmetric mechanisms that we consider in the next unit.
Message Authentication Codes
The (padded) message is divided into blocks M1, M2, M3, …, Mn.
1 M1 is encrypted under the key K to give C1
2 C1 is combined (XORed) with M2 and the result encrypted under K to give C2
3 The chaining continues in the same way through M3, …, Mn
4 The final ciphertext block is the MAC, which is sent with the message: M1 || M2 || M3 || … || Mn || MAC

MAC questions
• What is the basis on which security of the MAC is determined?
• Could you send more than the last “block” of ciphertext as the MAC (for example, also include the previous ciphertext block Cn-1)?
• Could you send just part of the last ciphertext block as the MAC?

MAC properties
Which of the following can be addressed by use of a MAC?
• Alteration or replacement of a message
• Deletion of a message
• Insertion of a false message
• Replay of an old message
• Changing the order of a message
• Falsifying the origin of a message
• A dispute over whether a message has been altered or whether its origin has been falsified
• A dispute over whether a message was sent
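An added example that is not from the slides: the chained MAC drawn above, in Go, with AES as the block cipher E (an assumption, since the slide does not name the cipher) and only the last ciphertext block output as the MAC, together with the receiver's verification that the MAC questions ask about.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
)

// pad extends the message to a whole number of blocks (the "(padded) message
// divided into blocks" step on the slide): one 0x80 byte, then zeros.
func pad(msg []byte, blockSize int) []byte {
	padded := append(append([]byte{}, msg...), 0x80)
	for len(padded)%blockSize != 0 {
		padded = append(padded, 0x00)
	}
	return padded
}

// CBCMAC is the construction drawn on the slide: M1 is encrypted under K to
// give C1, each later block Mi is XORed with C(i-1) and encrypted to give Ci,
// and only the final block Cn is output as the MAC. The intermediate values
// C1..C(n-1) are chaining values and are never sent.
func CBCMAC(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	padded := pad(msg, bs)
	chain := make([]byte, bs) // all-zero starting value, so C1 = E_K(M1)
	buf := make([]byte, bs)
	for i := 0; i < len(padded); i += bs {
		for j := 0; j < bs; j++ {
			buf[j] = padded[i+j] ^ chain[j]
		}
		block.Encrypt(chain, buf)
	}
	return chain, nil
}

// Verify is the receiver's side: recompute the MAC of the received message
// under the shared key K and compare in constant time. Any change to the
// message, or a MAC made under a different key, fails the comparison.
func Verify(key, msg, mac []byte) bool {
	expected, err := CBCMAC(key, msg)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(expected, mac) == 1
}
```

As drawn, this MAC is only safe when every message has the same fixed length; for variable-length messages a standardised variant such as CMAC should be used instead.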
Need for protocols
In most practical scenarios, the desired security goals are more complex than just “the message should be confidential” or “the data should be accompanied by an integrity check”. Often we want several security properties all at once. Cryptographic protocols are the methods by which the toolkit of cryptographic services is implemented together as a package in order to achieve more precise and sophisticated security goals. We will only examine very simple protocols here – but look out for examples of real protocols in other modules.

Identifying security requirements
Alice and Bob trust one another, and have access to a common network. They have already shared a symmetric key. Bob wants to periodically check that Alice is still connected to the network, and that all is well at her end. The solution appears to be quite straightforward – from time to time Bob will send a message to Alice saying “Are you OK?”, and he will await Alice’s reply “Yes, I’m OK”. Assuming that the network is “hostile”, what security assurances might Bob reasonably require in order to be sure that any response he gets back from Alice is genuine and that she really is still OK?
Key establishment requirements
Security requirement: explanation
• Mutual entity authentication: during the key agreement process Alice and Bob are able to verify each other’s identity, to make sure that they know who they are agreeing a key with
• Mutual data origin authentication: at all times during the process Alice and Bob are able to be sure that the information being exchanged has come from the other party and not from an attacker
• Mutual key agreement: at the end of the process Alice and Bob should have agreed upon a symmetric key
• Key confidentiality: the symmetric key that is finally agreed upon should at no time have been accessible to any party other than Alice and Bob
• Key freshness: at the end of the process Alice and Bob should be happy that the key that they have agreed upon is a fresh one, and not one used before
• Mutual key confirmation: at the end of the process Alice and Bob should have some evidence that they have both ended up with the same key and that there have been no mistakes made at either end
• Joint key control: at the end of the process Alice and Bob should be happy that they both had approximately equal involvement in the choice of key, and that neither of them could have deliberately chosen a particular key

Cryptographic protocols
Cryptographic protocols are specified procedures for exchanging messages between a number of entities in order to achieve specific security goals. These procedures are normally defined by a sequence of steps that have to be followed in a specific order, most of which consist of a message that has to be passed from one of the entities to another.
• Can you think of any examples of non-cryptographic protocols that exist in other areas of life?
• What is the difference between a cryptographic algorithm and a cryptographic protocol?

Model of a cryptographic protocol
A → B: M1
B → A: M2
A → B: M3
B → A: M4
After any step in the protocol, the protocol will only proceed if the last receiving party was happy with the received message. If they are not happy then the protocol terminates.

Sample protocol requirements
A is satisfied that:
• M2 and M4 were sent by B and not changed by anyone during transmission
• M2 and M4 were fresh, and not replays of old messages from a previous protocol run
• M2 and M4 were intended for A and not for anyone else that B might be communicating with at the time the protocol was run
• M2 and M4 were only generated after M1 and M3 (respectively) were received by B
B is satisfied that:
• M1 and M3 were sent by A and not changed by anyone during transmission
• M1 and M3 were fresh, and not replays of old messages from a previous protocol run
• M1 and M3 were intended for B and not for anyone else that A might be communicating with at the time the protocol was run
• M3 was only generated after M2 was received by A
The challenge is to design a cryptographic protocol whose protocol requirements achieve the security requirements.
Cryptographic protocol ingredients Cryptographic protocols are built using a toolkit of cryptographic primitives, which are the basic mechanisms that can be combined to achieve more sophisticated goals. What cryptographic primitives can you already name?
Freshness mechanisms
• Timestamps: a time-stamp is a process that generates some data that identifies the “time” that the data was created. This “time” might be based on either conventional clock-based time or some notion of logical time (sequence numbers).
• Nonces: a nonce (“number used once”) is a number that is introduced into a cryptographic protocol as a sort of one-time identification of that protocol message or protocol run. Normally a nonce is a randomly generated number. It provides a notion of freshness under the assumption that it is a new number that has never been used before, and never will be again, and so its inclusion in a message means that the message is as fresh and new as the nonce is.

Clock-based mechanisms
The idea of a clock-based time-stamp for guaranteeing message freshness is a very attractive one. Alice includes the time on her clock when she sends the message to Bob. When Bob receives the message he checks the time on his clock, and if it “matches” then he accepts the message as fresh.
• Identify three potential problems with the simple clock-based freshness mechanism described above.
• How might you address these problems?

Logical time stamps
Alice:
• Alice looks up her database to find the latest value N of the sequence number NAB
• Alice sends her message to Bob along with N
• Alice increments her value of NAB (in other words, she adds 1 to it) and stores the new value on her database
Bob:
• Bob compares the sequence number N sent by Alice with the latest value of the sequence number NAB on his database
• If N > NAB then Bob accepts the latest message as fresh and he sets his stored value of NAB to N
• If N ≤ NAB then Bob rejects the latest message
What happens if the N that Bob receives is much larger than NAB – surely if sequence numbers are normally increased by one then something is wrong?

Nonces
• Assume nonces are produced by a random number generator.
• Suppose:
• Alice generates a nonce using a random number generator and then sends it in plaintext to Bob.
• Bob sends it straight back.
• Precisely what can Alice deduce about the message that she receives back from Bob?
• If the nonce is randomly generated, is the nonce guaranteed to be fresh?
• If Alice generates a nonce for use in a protocol with Bob, then if this nonce appears in later protocol messages, can Bob be sure that the messages are fresh?

A simple protocol
B → A: rB || Are you OK?
A → B: rB || Bob || Yes, I’m OK || MACK( rB || Bob || Yes, I’m OK )
Properties of the simple protocol
Write down an explanation as to why the simple protocol provides the following security requirements:
• Bob wants data origin authentication of Alice’s responses
• Bob wants freshness assurance of Alice’s responses
• Bob wants to be sure that Alice’s response was intended for him
• Bob wants to be sure that Alice is replying to the current request message
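The simple protocol above, as an added example in Go that is not from the slides: Bob's checks in Accept correspond to the four requirements just listed, and the nonce is consumed once a reply is accepted so a captured reply cannot be accepted a second time. MAC_K is instantiated with HMAC-SHA256, and the byte layout of rB || Bob || text is an assumption (the slide fixes neither).

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Message carries the fields written as rB || Bob || text on the slide, plus
// the MAC on the reply. Name and Text are assumed not to contain '|'.
type Message struct {
	Nonce []byte
	Name  string // intended recipient ("Bob"); empty in the request
	Text  string // "Are you OK?" or "Yes, I'm OK"
	MAC   []byte
}

// MACK is the slide's MAC_K over rB || Bob || text, instantiated here with
// HMAC-SHA256 (an assumption; the slide does not fix the MAC algorithm).
func MACK(key []byte, m Message) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(fmt.Sprintf("%x|%s|%s", m.Nonce, m.Name, m.Text)))
	return h.Sum(nil)
}

// Bob holds the key shared with Alice and the nonce of his outstanding request.
type Bob struct {
	Key     []byte
	pending []byte
}

// Request builds message 1: a fresh random nonce rB || "Are you OK?".
func (b *Bob) Request() (Message, error) {
	r := make([]byte, 16)
	if _, err := rand.Read(r); err != nil {
		return Message{}, err
	}
	b.pending = r
	return Message{Nonce: r, Text: "Are you OK?"}, nil
}

// AliceReply builds message 2: Alice echoes rB, names Bob as the intended
// recipient, answers, and MACs the three fields under the shared key.
func AliceReply(key []byte, req Message) Message {
	m := Message{Nonce: req.Nonce, Name: "Bob", Text: "Yes, I'm OK"}
	m.MAC = MACK(key, m)
	return m
}

// Accept applies Bob's checks: the MAC (data origin, as only Alice shares K)
// and the recipient name (meant for him), then the nonce against his
// outstanding request (freshness, and a reply to the current request).
// The nonce is consumed on success, so the same reply presented again fails.
func (b *Bob) Accept(reply Message) bool {
	if !hmac.Equal(reply.MAC, MACK(b.Key, reply)) || reply.Name != "Bob" {
		return false
	}
	if b.pending == nil || !hmac.Equal(reply.Nonce, b.pending) {
		return false
	}
	b.pending = nil
	return true
}
```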