260 likes | 341 Views
Security Definition. Unconditional Security The system cannot be defeated, no matter how much power is available by the adversary. Computational security
E N D
Security Definition • Unconditional Security • The system cannot be defeated, no matter how much power is available by the adversary. • Computational security • The perceived level of computation required to defeat the system using the best known attack exceeds, by a comfortable margin, the computational resources of the hypothesized adversary. • e.g., given limited computing resources, it takes the age of universe to break cipher.
Security Definition • Provable security • The difficulty of defeating the system can be shown to be essentially as difficult as solving a well-known and supposedly difficult problem (e.g., integer factorization) • Ad hoc security • Claims of security generally remain questionable • Unforeseen attacks remain a threat
Secret Key Cryptographic Algorithms • DES (Data Encryption Standard) • 3DES (Triple DES) • IDEA (International Data Encryption Algorithm) • AES (Advanced Encryption Standard)
DES (Data Encryption Standard) • Authors: NSA & IBM, 1977 • Data block size: 64-bit (64-bit input, 64-bit output) • Key size: 56-bit key • Encryption is fast • DES chips • DES software: a 500-MIP CPU can encrypt at about 30K octets per second • Security • No longer considered secure: 56 bit keys are vulnerable to exhaustive search
DES operation Symmetric key crypto: DES initial permutation 16 identical “rounds” of function application, each using different 48 bits of key final permutation
Triple-DES (3DES) • C = DESk3(DESk2(DESk1(P))). • Data block size: 64-bit • Key size: 168-bit key; effective key size: 112 (due to man-in-the-middle attack) • Encryption is slower than DES • Securer than DES
IDEA (International Data Encryption Algorithm) • Authors: Lai & Massey, 1991 • Data block size: 64-bit • Key size: 128-bit • Encryption is slower than DES • Security • Nobody has yet published results on how to break it • Having patent protection
AES (Advanced Encryption Standard) • Authors: Daemen & Rijmen • Block size:128-bit • Key size: 128-bit, 192-bit, 256-bit • Encryption is fast • Security • As of 2005, no successful attacks are recognized. • NSA stated it secure enough for non-classified data.
Other SKC Algorithms • RC2 • Block size: 64 bits; key size: variable • Vulnerable to a chosen plaintext attack • RC4 • Stream cipher • Key size: variable (typically 40-256 bits) • No longer considered secure: the key stream generated by RC4 is slightly biased in favor of certain sequences of bytes. • RC5 • Block size: variable (32, 64, 128 bits); key size: variable (0-2040bits) • Not secure when key size <= 64 bits • RC6 • Derived from RC5 • Block size: variable; key size: variable
Some Hash functions • Message digest (MD) algorithms • MD2, MD4, MD5, MD6; Author: Ron Rivest • 128-bit hash value • Some collisions are found. • Secure hash algorithm (SHA) family • SHA-0, SHA-1 • 160-bit hash value • Reported “being broken”: collisions can be found with a complexity lower than the brute-force search • SHA-2 • SHA-224, SHA-256, SHA-384, SHA-512.
PKC Algorithm: RSA • Its security is based on the difficulty of factoring • Choose two large prime numbers, p and q. • Compute n=p*q and z=(p-1)*(q-1). • Find d and e (both less than n), such that e has no common factors with z, and e*d-1 is divisible by z. • Encryption: c=me mod n; decryption: m=cd mod n. • The best known algorithm for solving the problem is sub-exponential (less than exponential), but super-polynomial (more than any fixed degree polynomial) • Key size should be large (e.g., 1024 bits) • Encryption/decryption involves exponentiation operations on large numbers.
PKC Algorithm: ECC (Elliptic Curve Cryptography) • Its security is based on the difficulty of solving the discrete logarithm problem for the group of an elliptic curve over some finite field. • Encryption/decryption operations are slower for an ECC system than for a factorization system or modulo integer discrete log system of the same size. • Why ECC outperform RSA? • Till now, the mathematicians do not (yet?) have sub-exponential algorithms for breaking the ECC system. • Key size can be smaller (e.g., 160 bits) than RSA (1024 bits).
Key Establishment • DH (Diffie-Hellmen) Scheme Alice Bob Pick y Pick x n, g, gx mod n gy mod n Compute: (gxmod n)y =gxy mod n Compute: (gymod n)x =gxy mod n
Key Establishment • DH (Diffie-Hellmen) Scheme: Man-in-the-middle attack gxu mod n gvy mod n Alice Bob Pick y Pick x n, g, gx mod n n, g, gv mod n gy mod n gu mod n Judy gvy mod n gxu mod n
KB-KDC KX-KDC KY-KDC KZ-KDC KP-KDC KB-KDC KA-KDC KA-KDC KP-KDC Key Distribution Center (KDC) • Alice, Bob need shared symmetric key. • KDC: server shares different secret key with each registered user (many users) • Alice, Bob know own symmetric keys, KA-KDC KB-KDC , for communicating with KDC. KDC
Key Distribution Center (KDC) Q: How does KDC allow Bob, Alice to determine shared symmetric secret key to communicate with each other? KDC generates R1 KA-KDC(A,B) KA-KDC(R1, KB-KDC(A,R1) ) Alice knows R1 Bob knows to use R1 to communicate with Alice KB-KDC(A,R1) Alice and Bob communicate: using R1 as session key for shared symmetric encryption
+ + digital signature (encrypt) K K B B K CA Certification Authorities • Certification authority (CA): binds public key to particular entity, E. • E (person, router) registers its public key with CA. • E provides “proof of identity” to CA. • CA creates certificate binding E to its public key. • certificate containing E’s public key digitally signed by CA – CA says “this is E’s public key” Bob’s public key CA private key certificate for Bob’s public key, signed by CA - Bob’s identifying information
+ + digital signature (decrypt) K K B B K CA Certification Authorities • When Alice wants Bob’s public key: • gets Bob’s certificate (Bob or elsewhere). • apply CA’s public key to Bob’s certificate, get Bob’s public key Bob’s public key CA public key +
A certificate contains • Serial number (unique to issuer) • info about certificate owner, including algorithm and key value itself (not shown) • info about certificate issuer • valid dates • digital signature by issuer
Group Key management: A naïve approach • Distribution • Open a secure channel with each of the members. • Send the group key • Complexity order = N [O(N)] • Rekeying when membership changes • Send the new group key, separately to each of the remaining members. • complexity O(N)
Group key Group Controller Logical entities N number of members d tree degree ln ( N ) depth + 1 ln ( d ) members Tree-Based Algorithms • 2 types of keys • SEKs (Session Encryption Key) • KEKs (Key Encryption Key) • A Group Controller constructs a tree based hierarchy of KEKs
Logical Key Hierarchy (LKH) • Updates the group key and the key encryption key by means of the ciphering of key-nodes in a hierarchical tree where members are located at the leaves. • Achieve rekeying with only O(logN) messages instead of O(N) showed by trivial approach. • Different ciphering algorithms can be used (DESede, AES…)
K0 GKCs N secure channels K11 K12 K21 K22 K23 K24 K31 K32 K33 K34 K35 K36 K37 K38 M1 M2 M3 M4 M5 M6 M7 M8 Logical Key Hierarchy (LKH) • Initialization
K0 K’0 K34 { K0’} K34 { K11’} K34 { K22’} K21 { K0’} K21 { K11’} GKCs K12 { K0’} K11 K’11 K12 K21 K22 K’22 K23 K24 K31 K32 K34 K35 K36 K37 K38 M1 M2 M3 M4 M5 M6 M7 M8 Logical Key Hierarchy (LKH) • Leaving Member Rekeying Messages ln ( N ) ln ( d )
Rekeying messages ln ( N ) ln ( d ) K0 K’0 K31 { K21’} K31 { K11’} K31 { K0’} K21 { K21’} K11 { K11’} K0{ K0’} GKCs K11 K’11 K12 K21 K’21 K22 K23 K24 K31 K32 K33 K34 K35 K36 K37 K38 M1 M2 M3 M4 M5 M6 M7 M8 Logical Key Hierarchy (LKH) • Joining Member