
Pattern Recognition and Applications Lab

Giorgio Giacinto


University of Cagliari, Italy
Department of Electrical and Electronic Engineering
Spring Semester 2019-2020

Cryptography and Security

• Used to hide the content of a message

• Goals
  – Confidentiality
  – Authenticity
  – Integrity

• The text is modified by an encryption function
  – An interceptor should not be able to understand all or part of the message content

http://pralab.diee.unica.it

Encryption/Decryption Process

[Figure: Plaintext → Encryption (key, optional) → Ciphertext → Decryption (key, optional) → Original plaintext]

Keys and Locks

Keys

Steganography

Source: https://towardsdatascience.com/steganography-hiding-an-image-inside-another-77ca66b2acb1

Definitions

• Cryptography algorithm: C = E(K, M)
  A function E with two inputs
  – a message M
  – a key K
  that outputs
  – the encrypted message C

The algorithm is based on a shared secret between the sender and the receiver: K, the encryption key

Symmetric and Asymmetric Cryptography

• Symmetric cryptography
  – The algorithm relies on one key: the key is the shared secret between the sender and the receiver

• Asymmetric cryptography
  – The algorithm relies on two keys: one key is secret, not shared with anyone (the private key); the other key is public, anyone can have it

Cryptosystems

[Figure (a) Symmetric Cryptosystem: Plaintext → Encryption (key) → Ciphertext → Decryption (same key) → Original plaintext]

[Figure (b) Asymmetric Cryptosystem (e.g., Rivest-Shamir-Adleman): Plaintext → Encryption (encryption key) → Ciphertext → Decryption (decryption key) → Original plaintext]

Cryptographic primitives

• Substitution – Each character of the plain text is substituted by another character according to some rule – This technique aims at the confusion of the message content in the ciphertext

• Transposition – The message is subdivided into parts, and their position is modified according to some rule – This technique aims at the diffusion of the message content in the ciphertext

Stream and Block ciphers

Stream Ciphers: each byte is encrypted separately
• Speed of transformation
• Low error propagation
• Low diffusion
• Susceptibility to malicious insertions and modifications

Block Ciphers: a group of symbols is encrypted as a single block
• Slowness of encryption
• Padding
• Error propagation
• High diffusion
• Immunity to insertion of symbols

Substitution Ciphers

The Imitation Game (2014)

Caesar Cipher

• Each character in the plaintext is substituted by the character 3 positions ahead

  c_i = E(p_i) = p_i + 3

  for example, computer security becomes frpsxwhu vhfxulwb

Other substitutions

• A word is selected as a key to set the substitution of the first letters of the alphabet (e.g., chiefly).
  ABCDEFGHIJKLMNOPQRSTUVWXYZ
  CHIEFLYABDGJKMNOPQRSTUVWXZ

• Substitution by using as a key a permutation of the alphabet: one letter in 3, mod 26
  ABCDEFGHIJKLMNOPQRSTUVWXYZ
  ADGJMPSVYBEHKNQTWZCFILORUX

Other substitutions

• OTP (One Time Pad)
  – a pad of sheets of paper with one-time keys
  – the encryption of a message of N characters in length will need as many keys as to cover all the N characters
  – the sender will encrypt the message according to some substitution rule involving each character of the message and the corresponding character of the key
    • for example, the Vigenère table
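The substitution rules on these slides (Caesar shift, keyword alphabet, one-letter-in-3 permutation, and a one-time pad using the Vigenère rule) as runnable code. This is an added example, not part of the original slides; the function names are illustrative and the pad is drawn from Python's `secrets` module.

```python
import math
import secrets
import string

ALPHABET = string.ascii_uppercase


def caesar_alphabet(shift=3):
    """Cipher alphabet for c_i = p_i + shift (mod 26)."""
    shift %= 26
    return ALPHABET[shift:] + ALPHABET[:shift]


def keyword_alphabet(keyword):
    """Keyword first (repeated letters dropped), then the unused letters in order."""
    seen = dict.fromkeys(ch for ch in keyword.upper() if ch in ALPHABET)
    seen.update(dict.fromkeys(ALPHABET))
    return "".join(seen)


def step_alphabet(step=3):
    """Take every step-th letter of the alphabet, wrapping mod 26."""
    if math.gcd(step, 26) != 1:
        raise ValueError("step must be coprime with 26, otherwise letters repeat")
    return "".join(ALPHABET[(i * step) % 26] for i in range(26))


def substitute(text, cipher_alphabet, decrypt=False):
    """Monoalphabetic substitution; case is kept, non-letters pass through."""
    if sorted(cipher_alphabet) != list(ALPHABET):
        # A table with a repeated letter cannot be decrypted unambiguously.
        raise ValueError("cipher alphabet must be a permutation of A-Z")
    src, dst = (cipher_alphabet, ALPHABET) if decrypt else (ALPHABET, cipher_alphabet)
    table = str.maketrans(src + src.lower(), dst + dst.lower())
    return text.translate(table)


def new_pad(length):
    """Fresh random key letters, one per message letter."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def otp(text, pad, decrypt=False):
    """One-time pad over A-Z with the Vigenere rule c_i = p_i + k_i (mod 26)."""
    letters = [ch for ch in text.upper() if ch in ALPHABET]
    if len(pad) < len(letters):
        raise ValueError("pad shorter than message: key letters must never be reused")
    sign = -1 if decrypt else 1
    return "".join(
        ALPHABET[(ALPHABET.index(ch) + sign * ALPHABET.index(k)) % 26]
        for ch, k in zip(letters, pad)
    )


if __name__ == "__main__":
    print(substitute("computer security", caesar_alphabet(3)))
    print(keyword_alphabet("chiefly"))
    print(step_alphabet(3))
    pad = new_pad(8)
    print(pad, otp("COMPUTER", pad))
```
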

Transpositions

Column-based Transpositions

• We can convert this text
  THIS IS A SAMPLE MESSAGE
  into a five-column sequence of characters
  T H I S I
  S A S A M
  P L E M E
  S S A G E

The resulting encrypted text, read column by column, is
  TSPS HALS ISEA SAMG IMEE
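The five-column transposition above as runnable code (an added example, not part of the original slides; function names are illustrative). It goes slightly beyond the slide by also decrypting, including messages whose length is not a multiple of the column count.

```python
from collections import Counter


def letters_only(text):
    """Upper-case the text and drop everything that is not a letter."""
    return "".join(ch for ch in text.upper() if ch.isalpha())


def grid(text, columns=5):
    """The rows written out on the slide: the message in lines of `columns` letters."""
    letters = letters_only(text)
    return [letters[i:i + columns] for i in range(0, len(letters), columns)]


def encrypt(text, columns=5):
    """Write the message row by row, then read it column by column."""
    letters = letters_only(text)
    groups = [letters[c::columns] for c in range(columns)]
    return " ".join(g for g in groups if g)


def decrypt(ciphertext, columns=5):
    """Rebuild the columns (the first `extra` ones are one letter longer), read rows."""
    letters = letters_only(ciphertext)
    full_rows, extra = divmod(len(letters), columns)
    cols, pos = [], 0
    for c in range(columns):
        length = full_rows + (1 if c < extra else 0)
        cols.append(letters[pos:pos + length])
        pos += length
    rows = full_rows + (1 if extra else 0)
    return "".join(col[r] for r in range(rows) for col in cols if r < len(col))


def same_letter_counts(a, b):
    """A transposition only moves letters, so the frequency table is unchanged."""
    return Counter(letters_only(a)) == Counter(letters_only(b))


if __name__ == "__main__":
    message = "THIS IS A SAMPLE MESSAGE"
    print("\n".join(grid(message)))
    print(encrypt(message))
    print(decrypt(encrypt(message)))
```
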

A useful tool for encoding and encryption: https://cryptii.com

“Secure” encryption algorithms

Shannon and the definition of “good” ciphers
Communication Theory of Secrecy Systems (1949)
1. The amount of secrecy needed should determine the amount of labor appropriate for the encryption and decryption
2. The set of keys and the enciphering algorithm should be free from complexity
3. The implementation of the process should be as simple as possible
4. Errors in ciphering should not propagate and cause corruption of further information in the message
5. The size of the enciphered text should be no larger than the text of the original message

Cryptanalysis

• Goal: break an encryption
  – break (decrypt) a single message
  – recognize patterns in encrypted messages
  – infer some meaning without even breaking the encryption, such as from the frequency of messages
  – easily deduce the key to break one message and perhaps subsequent ones
  – find weaknesses in the implementation or environment of use of encryption by the sender
  – find general weaknesses in an encryption algorithm

An algorithm is called breakable when, given enough time and data, an analyst can determine the algorithm

Inputs to cryptanalysis

• Ciphertext Only – Look for patterns, similarities, and discontinuities among many messages that are encrypted alike

• Plaintext and Ciphertext pair – Full or Partial Plaintext • known-plaintext or probable-plaintext – Ciphertext of Any Plaintext • chosen-plaintext

Breaking Enigma

The Imitation Game (2014)
https://www.youtube.com/watch?v=_C25CwNlVjA

Trustworthy cryptosystems

• Based on sound mathematical foundations

• Analyzed by competent experts and found to be sound

• Stood the “test of time”

Symmetric Encryption Algorithms

Symmetric Encryption

[Figure 2.1 Simplified Model of Symmetric Encryption: the plaintext input X is encrypted with the secret key K shared by sender and recipient (encryption algorithm, e.g., DES), giving the transmitted ciphertext Y = E[K, X]; the decryption algorithm (reverse of the encryption algorithm) uses the same key K to produce the plaintext output X = D[K, Y]]

Standard and Commercial algorithms

• Block ciphers – DES (Data Encryption Standard) – 3DES (Triple DES) – AES (Advanced Encryption Standard) – Blowfish (1993, Bruce Schneier)

• Stream ciphers – RC4 (1987, Ron Rivest)

DES

• In 1972 the U.S. National Bureau of Standards (NBS, nowadays NIST) called for proposals for producing a public encryption algorithm.

• In the second call, in 1974, the most promising proposal was IBM’s Lucifer. IBM developed for NBS the Data Encryption Standard (DES) based on Lucifer.

• DES was officially adopted as a U.S. federal standard in November 1977. DES was later accepted as an international standard by ISO.

The complete DES

[Figure: the complete DES. Input (64-bit blocks) → Initial Permutation → L0, R0 → Cycle 1 (Substitution and Permutation, with the 64-bit key shifted and permuted) → L1 = R0, R1 → Cycle 2 → L2 = R1, R2 → ... → L15 = R14, R15 → Cycle 16 → L16 = R15, R16 → Inverse Initial Permutation → Output]

The algorithm at work: http://page.math.tu-berlin.de/~kant/teaching/hess/krypto-ws2006/des.htm

A cycle in DES

[Figure: a cycle in DES. Left data half (32 bits), right data half (32 bits), shifted key (56 bits); expansion permutation to 48 bits; key permuted to 48 bits; substitution, permuted choice, to 32 bits; permutation; new left data half (old right half) and new right data half]

DES variants

Security of DES

• Diffie and Hellman in 1977 argued that a 56-bit key is too short given the increasing power of computers

• In 1998 researchers built a “DES cracker” machine for approximately $200,000 U.S. that could find a DES key in four days (later improved to a few hours)

• In 1995 the NIST began the search for a new, strong, and more flexible algorithm. The result was the Advanced Encryption Standard - AES

AES

• In 1997 NIST called for cryptographers to develop a new encryption system
  – unclassified
  – publicly disclosed
  – royalty free for use worldwide
  – symmetric block cipher of at least 128 bits
  – keys 128, 192, and 256 bits long
• In Aug 1998, 15 algorithms chosen from the submissions
• In Aug 1999, 5 finalists
• In 2001 the winning algorithm became the official U.S. standard

AES

Name of the algorithm: Rijndael, derived from the creators’ names, Rijmen and Daemen

Substitutions, transpositions, shifts, XOR, additions

Repeat n times:
1. Byte Sub
2. Shift Row
3. Mix Columns
4. Add Round Key

Example source code: http://www.hoozi.com/posts/advanced-encryption-standard-aes-implementation-in-cc-with-comments-part-1-encryption/

DES vs. AES

RC2, RC4, RC5, and RC6

• Authored by Ronald Rivest
  – one of the inventors of the RSA algorithm and founder of RSA laboratories
• RC2 (publicly released in 1996)
  – Block cipher designed as a simple and fast algorithm
• RC4 (popular before 2000)
  – Stream cipher, widely used in wireless networks (WEP and WPA)
• RC5 (1994)
  – Block cipher
• RC6
  – A modification of RC5 to compete in the AES competition

crypto library

• openssl (http://www.openssl.org) is an open source project that provides a full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols
• The crypto library implements a wide range of cryptographic algorithms used in various standards

openssl symmetric ciphers

• encryption of a message using triple-DES
  openssl des3 -salt -in file.txt -out file.des3

• decryption of a message using triple-DES
  openssl des3 -d -salt -in file.des3 -out file.txt

Message Digests

One-Way Hash Function

• Convert input to a digest
  – It is infeasible to start with a digest value and infer the input
• They do not have obvious collisions
  – it is infeasible to find a pair of inputs that produce the same digest

[Figure: message M → hash function → message digest, encrypted for authenticity]

Bank Transfers mid 19th century

• One-way coding the amount of money to be transferred between two parties produces a test key for integrity
  – Sum of the numbers in the tables according to the positions of the digits in the amount to be transferred

• Example
  – Coding € 243.561,00
    53 (no millions) + 70 (200.000) + 91 (40.000) + 87 (3.000) = 301

Message Digests

• One-way hash functions are cryptographic functions with multiple uses – They are used in conjunction with asymmetric algorithms for both encryption and digital signatures – They are used in integrity checking – They are used in – They are used in communications protocols

• They are based on one-way random functions

Properties of Current Hash Standards

Collisions in MD5: https://www.mscs.dal.ca/~selinger/md5collision/

Asymmetric ciphers
The RSA algorithm

Symmetric key distribution

• How can the shared secret symmetric key be exchanged by two parties?

• In 1976 Diffie and Hellman proposed a novel cryptographic mechanism
  – each user is given two keys
    • one key is private, i.e., the owner must keep it secret
    • the other key is public, i.e., anyone can have it
  – the pair of private and public keys is generated by a specific key generation algorithm

Recipients of the 2015 ACM A.M. Turing Award

Public Key to Exchange Secret Keys

1. Bill, give me your public key
2. Here is my key, Amy
3. Here is a symmetric key we can use

Cryptography based on discrete logarithms

• A primitive root modulo p is a number whose powers generate all the nonzero numbers mod p
• For example, if we work modulo 7 we find that
  - 5^1 = 5 (mod 7)
  - 5^2 = 25 ≡ 4 (mod 7)
  - 5^3 ≡ 4 x 5 ≡ 6 (mod 7)
  - 5^4 ≡ 6 x 5 ≡ 2 (mod 7)
  - 5^5 ≡ 2 x 5 ≡ 3 (mod 7)
  - 5^6 ≡ 3 x 5 ≡ 1 (mod 7)
• 5 is called a primitive root modulo 7
  – Given any y, we can always solve the equation y = 5^x (mod 7); x is then called the discrete logarithm of y modulo 7.
• For large random prime numbers p
  – the discrete logarithm cannot be computed
  – the mapping f: x → g^x mod p is a one-way function
  – f(x + y) = f(x) f(y)
  – f(xy) = f(x)^y

Diffie-Hellman protocol

• Original version of the algorithm
  – Alice and Bob agree on using two numbers p and g
    • p is a prime number
    • g is a primitive root mod p
  – Alice chooses a secret integer x and sends to Bob A = g^x mod p
  – Bob chooses a secret integer y and sends to Alice B = g^y mod p
  – Alice will compute B^x mod p, Bob will compute A^y mod p, which will be the shared secret, as B^x mod p = A^y mod p = g^(xy) mod p
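The primitive-root definition and the protocol above as runnable code, an added example that is not part of the original slides. Function names are illustrative; the numbers q = 353, a = 3, 97 and 233 are the ones used in the Diffie-Hellman example in this deck, and the exhaustive discrete-logarithm search finishes quickly only because that prime is tiny.

```python
import secrets


def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for toy sizes)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_root(g, p):
    """For prime p: g is a primitive root iff g^((p-1)/f) != 1 for each prime f | p-1."""
    if g % p == 0:
        return False
    return all(pow(g, (p - 1) // f, p) != 1 for f in prime_factors(p - 1))


def powers(g, p):
    """g^1 .. g^(p-1) mod p, the table worked out above for g = 5, p = 7."""
    return [pow(g, k, p) for k in range(1, p)]


def public_value(g, secret, p):
    """What each party sends: g^secret mod p."""
    return pow(g, secret, p)


def shared_secret(peer_public, secret, p):
    """peer_public^secret mod p, refusing the degenerate values 0, 1 and p-1."""
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value outside 2..p-2")
    return pow(peer_public, secret, p)


def keypair(g, p):
    """Random secret in 2..p-2 whose public value passes the check above."""
    while True:
        secret = secrets.randbelow(p - 3) + 2
        public = public_value(g, secret, p)
        if 1 < public < p - 1:
            return secret, public


def exchange(g, p):
    """One protocol run with fresh secrets; returns (Alice's key, Bob's key)."""
    x, a_pub = keypair(g, p)
    y, b_pub = keypair(g, p)
    return shared_secret(b_pub, x, p), shared_secret(a_pub, y, p)


def discrete_log(g, y, p):
    """Exhaustive search for x with g^x = y (mod p): p-1 steps, so toy primes only."""
    value = 1
    for x in range(p - 1):
        if value == y:
            return x
        value = value * g % p
    raise ValueError("y is not a power of g")


if __name__ == "__main__":
    print(powers(5, 7), is_primitive_root(5, 7))
    print(public_value(3, 97, 353), public_value(3, 233, 353))
    print(shared_secret(248, 97, 353), shared_secret(40, 233, 353))
    print(discrete_log(3, 40, 353))
```

The search in `discrete_log` takes up to p-1 multiplications, which is why the security of the exchange rests on choosing p large.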

Diffie-Hellman Example

Have
• Prime number q = 353
• Primitive root a = 3

A and B each compute their public keys after selecting their secret keys, XA = 97 and XB = 233, respectively
• A computes YA = 3^97 mod 353 = 40
• B computes YB = 3^233 mod 353 = 248

Then exchange and compute secret key
• For A: K = (YB)^XA mod 353 = 248^97 mod 353 = 160
• For B: K = (YA)^XB mod 353 = 40^233 mod 353 = 160

Attacker must solve
• 3^z mod 353 = 40, which is hard
• Desired answer is 97, then compute key as B does

Asymmetric Cryptography

• Symmetric cryptography – two users share one secret key

• Asymmetric cryptography – each user has two keys: one public and one private

• Messages encrypted using the user’s public key can only be decrypted using the user’s private key, and vice versa

Asymmetric cryptography

kpub      Public key
kpriv     Private key
E(k, M)   Encryption
D(k, M)   Decryption
P         Plaintext

P = D(kpriv, E(kpub, P))

some algorithms also allow

P = E(kpub, D(kpriv, P))

Encryption with public key

[Figure 2.6 Public-Key Cryptography, (a) Encryption with public key: Bob, who holds a public key ring (Joy, Ted, Mike, Alice), encrypts the plaintext input X with Alice's public key PUa (encryption algorithm, e.g., RSA) and transmits the ciphertext Y = E[PUa, X]; Alice recovers the plaintext output with her private key PRa, X = D[PRa, Y]]

Encryption with private key

[Figure 2.6 Public-Key Cryptography, (b) Encryption with private key: Bob encrypts the plaintext input X with his private key PRb (encryption algorithm, e.g., RSA) and transmits the ciphertext Y = E[PRb, X]; Alice, who holds a public key ring (Joy, Ted, Mike, Bob), recovers the plaintext output with Bob's public key PUb, X = D[PUb, Y]]

Asymmetric Encryption with RSA

• Since its introduction in 1978, no serious flaws have yet been found
• The encryption algorithm is based on the underlying problem of factoring large numbers
  – the fastest known algorithm is exponential in time
• Two keys, d and e, are used for decryption and encryption, and they are interchangeable
• The plaintext block P is encrypted as P^e mod n = C
• The decrypting key d is chosen so that C^d mod n = P

  P = C^d mod n = (P^e)^d mod n = (P^d)^e mod n

Secret Key vs. Public Key Encryption

Asymmetric Encryption Algorithms

• RSA (Rivest, Shamir, Adleman)
  – Developed in 1977
  – Most widely accepted and implemented approach to public-key encryption
  – Block cipher in which the plaintext and ciphertext are integers between 0 and n-1 for some n.

• Diffie-Hellman algorithm
  – Enables two users to securely share a secret key for symmetric encryption
  – Limited to the exchange of the keys

• Digital Signature Standard (DSS)
  – Provides only a digital signature function with SHA-1
  – Cannot be used for encryption or key exchange

• Elliptic curve cryptography (ECC)
  – Security like RSA, but with much smaller keys

RSA in openssl

• Creation of an RSA private key
  openssl genrsa -out key.pem

• Creation of the corresponding public key
  openssl rsa -in key.pem -pubout -out pubkey.pem

• openssl rsautl with the following parameters
  -in filename
  -out filename
  -inkey file   filename containing the key (default: the private key)
  -pubin        in the case the input key is the public key
  -encrypt      RSA encryption of the input file with the public key
  -decrypt      RSA decryption of the input file with the private key

Example

• Public key encryption
  openssl rsautl -encrypt -inkey pubkey.pem -pubin -in <input file> -out <output file>

• Private key decryption
  openssl rsautl -decrypt -inkey key.pem -in <input file> -out <output file>

Certificates

• In real life identity and authenticity are certified by trusted authorities through a hierarchy of mutual trust
  – Government servants issue and verify
    • ID cards
    • Passports
    • …
• Other sources of authenticity
  – Stamps
  – Headed letters
  – …

Digital Certificates
Trustable Identities and Public Keys

• A certificate is
  – a public key
  – an identity
  bound together and signed by a certificate authority
• A Certificate Authority (CA) is an authority that users trust to accurately verify identities before generating certificates that bind those identities to keys
• A Public Key Infrastructure is a set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.

Delegation of trust

Certificate Signing and Hierarchy

To create Diana’s certificate:

Diana creates and delivers to Edward:
  Name: Diana
  Position: Division Manager
  Public key: 17EF83CA ...

Edward adds:
  Name: Diana
  Position: Division Manager
  Public key: 17EF83CA ...
  hash value 128C4

Edward signs with his private key:
  Name: Diana
  Position: Division Manager
  Public key: 17EF83CA ...
  hash value 128C4

Which is Diana’s certificate.

To create Delwyn’s certificate:

Delwyn creates and delivers to Diana:
  Name: Delwyn
  Position: Dept Manager
  Public key: 3AB3882C ...

Diana adds:
  Name: Delwyn
  Position: Dept Manager
  Public key: 3AB3882C ...
  hash value 48CFA

Diana signs with her private key:
  Name: Delwyn
  Position: Dept Manager
  Public key: 3AB3882C ...
  hash value 48CFA

And appends her certificate:
  Name: Delwyn
  Position: Dept Manager
  Public key: 3AB3882C ...
  hash value 48CFA
  Name: Diana
  Position: Division Manager
  Public key: 17EF83CA ...
  hash value 128C4

Which is Delwyn’s certificate.

Certificate Hierarchy

Structure of a digital certificate

• User’s identity and public key
• Signed by a certificate authority (CA)
  – Actalis, Comodo, DigiCert, Symantec/VeriSign, …
• Self-signed certificates
  – http://www.akadia.com/services/ssh_test_certificate.html
  – no authority certifies the authenticity, and you need to trust the entity that signed the certificate

Certificates in openssl

• Creation of a certificate signing request
  openssl req -new -key server.key -out server.csr
  – server.key is the private key associated with the server

• Self-signed x509 certificate
  openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Random Numbers

• They are needed to generate: – Keys for public-key algorithms – Stream key for symmetric stream cipher – Symmetric key for use as a temporary session key or in creating a digital envelope – Handshaking to prevent replay attacks – Session key

Random Number Requirements

Randomness
• Criteria
  – Uniform distribution
    • Frequency of occurrence of each of the numbers should be approximately the same
  – Independence
    • No one value in the sequence can be inferred from the others

Unpredictability
• Each number is statistically independent of other numbers in the sequence
• Opponent should not be able to predict future elements of the sequence on the basis of earlier elements

Random versus Pseudorandom

Algorithmic techniques for random number generation
• Algorithms are deterministic and therefore produce sequences of numbers that are not statistically random

Pseudorandom numbers are
• Sequences that satisfy statistical randomness tests
• Likely to be predictable

True random number generator (TRNG)
• Nondeterministic source to produce randomness
• Mostly by measuring unpredictable natural processes
  • e.g. radiation, gas discharge, leaky capacitors
• Increasingly provided on modern processors

Digital Signatures

Digital Signature Properties

• Unforgeable (mandatory)
  – No one other than the signer can produce the signature without the signer’s private key
• Authentic (mandatory)
  – The receiver can determine that the signature really came from the signer
• Not alterable (desirable)
  – No signer, receiver, or any interceptor can modify the signature without the tampering being evident
• Not reusable (desirable)
  – Any attempt to reuse a previous signature will be detected by receiver

Digital Signature

[Figure: a digital signature as a mark only the sender can make and a mark fixed to the document (authentic, unforgeable)]

• The general way of computing digital signatures is with public key encryption – The signer computes a signature value by using a private key – Others can use the public key to verify that the signature came from the corresponding private key
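Signing and verifying with the RSA relations given earlier in this deck (C = P^e mod n, P = C^d mod n, with d and e interchangeable), as an added example that is not part of the original slides. It is textbook RSA over a SHA-256 digest with no padding, on constructed toy primes; the function names are illustrative, and real signatures use a padding scheme such as RSASSA-PSS.

```python
import hashlib
import math

# Constructed toy parameters: two Mersenne primes, chosen only so the arithmetic
# runs instantly. Real keys use random primes of 1024 bits or more each.
P = 2**127 - 1
Q = 2**521 - 1


def make_keypair(p, q, e=65537):
    """Return (public, private) = ((n, e), (n, d)) with e*d = 1 mod (p-1)(q-1)."""
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (p * q, e), (p * q, d)


def apply_key(value, key):
    """The one RSA operation, value^exponent mod n, for either key of the pair."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be an integer in 0..n-1")
    return pow(value, exponent, n)


def digest_int(message):
    """SHA-256 of the message as an integer (256 bits, smaller than the toy n)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message, private_key):
    """Signature value: the message digest raised to d mod n."""
    return apply_key(digest_int(message), private_key)


def verify(message, signature, public_key):
    """Raise the signature to e mod n and compare with a fresh digest."""
    try:
        recovered = apply_key(signature, public_key)
    except ValueError:
        return False
    return recovered == digest_int(message)


if __name__ == "__main__":
    public, private = make_keypair(P, Q)
    msg = b"transfer approved"  # constructed sample message
    sig = sign(msg, private)
    print(verify(msg, sig, public))                    # untouched message
    print(verify(b"transfer rejected", sig, public))   # altered message
    m = int.from_bytes(b"session key", "big")
    print(apply_key(apply_key(m, public), private) == m)   # encrypt, then decrypt
    print(apply_key(apply_key(m, private), public) == m)   # keys are interchangeable
```
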

Digital signatures with public key encryption

[Figure: signature and verification]

Digital signatures in openssl

• Creation of the signature for a file using the private key
  openssl rsautl -sign -in file -inkey key.pem -out sig

• Verification of the authenticity of the signature
  openssl rsautl -verify -in sig -inkey pubkey.pem -pubin

Digital signature and secret message

Digital Envelopes

Symmetric and Asymmetric Encryption

• Symmetric algorithms provide an efficient and effective way of protecting the confidentiality and integrity of data at rest or in transit

• Asymmetric encryption is used for
  – exchanging symmetric encryption keys
  – signing data to show authenticity and proof of origin

Internet and Cryptography

Link encryption

• The plaintext message is encrypted just before being sent through the physical layer – the plaintext is available in all upper layers

Link encryption: packet format

Encryption implemented at the hardware level

End-to-end encryption

• The message content is encrypted at the application or presentation layer

Packet format end-to-end encryption

Encryption implemented at the application level
Key exchange protocol

Example: the Signal protocol

• The Signal Protocol was developed by Open Whisper Systems (https://signal.org) in 2013 to provide end-to-end encryption for instant messaging.
• It has been implemented into applications such as WhatsApp, Messenger, Allo.
• The protocol combines
  – the
  – Prekeys
  – a triple Diffie–Hellman (3-DH) handshake,
  – uses , AES-256 and HMAC-SHA256 as primitives

https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf

Link vs. End-to-End

WiFi Security - WEP

• WEP - Wired Equivalent Privacy was designed at the same time as the original 802.11 WiFi standards
• Weaknesses in WEP were first identified in 2001, four years after release
  – More weaknesses were discovered, until any WEP-encrypted communication could be cracked in minutes

How WEP Works

• Client and access point (AP) have a pre-shared key
  – AP sends a random number to the client, which the client then encrypts using the key and returns to the AP
  – The AP decrypts the number using the key and checks that it’s the same number to authenticate the client
  – Once the client is authenticated, the AP and client communicate using messages encrypted with the key

WEP Main Weaknesses

• Weak encryption key
  – WEP allows the key to be either 64- or 128-bit, but 24 of those bits are reserved for initialization vectors (IV)
  – Keys were either alphanumeric or hex phrases that users typed in, therefore vulnerable to dictionary attacks
• Static key
• Weak encryption process
  – A 40-bit key can be brute forced easily
• Weak encryption algorithm
  – WEP used RC4 in a strange way that allowed attackers to decrypt large portions of any WEP communication

WPA (WiFi Protected Access)

• WPA was designed in 2003 to replace WEP
• WPA2 followed in 2004, the current standard
• Non-static encryption key
  – WPA uses a hierarchy of keys
    • New keys are generated for each session, and the encryption key is automatically changed on each packet
• Strong encryption
  – WPA supports AES
• Integrity protection
  – WPA includes a 64-bit cryptographic integrity check
• Session initiation
  – WPA sessions begin with authentication and a four-way handshake
    • separate keys for encryption and integrity on both ends

VPN - Virtual Private Network

• An encrypted tunnel for communication between two sites of the same organization over public networks
• VPN usually implemented by firewalls
  – link encryption

[Figure: Office A (hosts A1, A2, A3, A4) behind Firewall A and Office B (hosts B1, B2, B3, B4) behind Firewall B, joined by an encrypted link; Firewall A also connects to other sites]

VPN - Virtual Private Network

• VPNs also used for the secure connection of a teleworker to the remote office

[Figure: a teleworker connected over an encrypted link to the office firewall (hosts A1, A2, A3, A4), which also connects to other sites]

Secure Shell (SSH)

• Originally developed for UNIX • Provides an authenticated, encrypted path to the OS command line over the network • Replacement for insecure utilities such as telnet, rlogin, and rsh • The protocol involves negotiation between local and remote sites for – encryption algorithm (e.g., DES or AES) – authentication

SSL and TLS

• Secure Sockets Layer (SSL) was designed by Netscape in the 1990s to protect communication between the web browser and server
• In a 1999 upgrade to SSL, it was renamed Transport Layer Security (TLS)
• While the protocol is still commonly called SSL, TLS is the modern, and much more secure, protocol
• SSL is implemented at OSI layer 4 (transport) and provides
  – Server authentication
  – Client authentication (optional)
  – Encrypted communication

The TLS protocol

• A server replies to a client that wants to initiate a secure connection with its certificate
• The client sends part of a symmetric key encrypted with the public key of the server
• Client and server compute the remaining part of the session key
  – Diffie-Hellman protocol
• The session key is used to encrypt the communication through a symmetric encryption algorithm

email encryption

• TLS for the confidentiality of the between client and server
• PGP (Pretty Good Privacy) or S/MIME (Secure/Multipurpose Internet Mail Extensions) for encrypting the message content
  – both based on public keys for authentication and the exchange of the symmetric session key
  – PGP relies on each user’s exchanging keys with all potential recipients (a circle of trust)
  – S/MIME uses hierarchically validated certificates

Anonymous browsing: the Tor project

• The receiver should not be able to identify the computer that initiated the request – The request is handled by intermediate nodes that hide the identity of the initiator – The intermediate nodes should not be aware of the path of the packets

The TOR network

• The Tor network is an
• Each onion router (OR) runs as a normal user-level process without any special privileges.
• Each onion router maintains a TLS connection to every other onion router.
• Each user runs local software called an onion proxy (OP)
  – to fetch directories, establish circuits across the network, and handle connections from user applications.
• These onion proxies accept TCP streams and multiplex them across the circuits.
• The onion router on the other side of the circuit connects to the requested destinations and relays data.

Key exchange and encryption in Onion routing

[Figure legend: encryption with public key; cryptographic hash function]

Anonymous HTTP browsing TOR network

The TOR network