DOCSLIB.ORG

Cryptography

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Cryptography ECE560 Computer and Information Security Fall 2021 Cryptography Tyler Bletsch Duke University Some slides adapted from slideware accompanying “Computer Security: Principles and Practice” by William Stallings and Lawrie Brown REAL advice for using cryptography • I’m about to teach cryptography basics, which you should know • However, you should not reach for these functions in most real- world programming scenarios!! • Repeat after me: I’ll provide more detailed advice after we understand the theory... 2 Crypto basics summary • Symmetric (secret key) cryptography c = ciphertext p = plaintext . c = Es(p,k) k = secret key Es = Encryption function (symmetric) D = Decryption function (symmetric) . p = Ds(c,k) s • Asymmetric (public key) cryptography Ea = Encryption function (asymmetric) . c = Ea(p,kpub) Da = Decryption function (asymmetric) kpub = public key k = private key . p = Da(c,kpriv) priv . kpub and kpriv generated together, mathematically related • Message Authentication Codes (MAC) . Generate and append: H(p+k), E(H(p),k), or tail of E(p,k) H = Hash function . Check: A match proves sender knew k • Digital signatures s = signature . Generate and append: s = Ea(H(p),kpriv) . Check: Da(s,kpub)==H(p) proves sender knew kpriv 3 Symmetric (Secret Key) Encryption 4 Symmetric cryptography • The primary method for providing confidentiality of data transmitted (“in-flight”) or stored (“at-rest encryption”) • Uses one key for both encryption and decryption. Sender/receiver must already have copies of this key. Given: Plaintext p (arbitrary size) Secret key k (fixed size) Encryption function E Decryption function D Can produce ciphertext c: c = E(p,k) Can recover plaintext: p = D(c,k) 5 How to attack cryptography • Cryptanalysis – apply cleverness . Exploit weaknesses in algorithm or manner of its use . May leverage existing plaintext, ciphertext, or pairs of each . KEY ISSUE: Even if algorithm is “perfect” (unprovable), you might use the algorithm incorrectly. (This is why you don’t roll your own crypto) • Brute-force attack – apply money . Try all possible keys, stop when decrypted result seems readable • Need to try half of all keys on average . Can be done in parallel (i.e., using compute cluster) . Always possible, but if the number of possible keys is large enough, cost to crack > value of info obtained • This is called being computationally secure 6 Hypothetical bad symmetric encryption algorithm: XOR • A lot of encryption algorithms rely on properties of XOR A B A^B 0 0 0 . Can think of A^B as “Flip a bit in A if corresponding bit in B is 1” 0 1 1 . If you XOR by same thing twice, you get the data back 1 0 1 . XORing by a random bit string yields NO info about original data 1 1 0 • Each bit has a 50% chance of having been flipped >>> a=501 >>> b=199 >>> a ^= b >>> print a 306 • Could consider XOR itself to be a symmetric encryption >>> a ^= b >>> print a algorithm (but it sucks at it!) – can be illustrative to explore 501 • Simple XOR encryption algorithm: . E(p,k) = p ^ k (keep repeating k as often as needed to cover p) . D(c,k) = c ^ k (same algorithm both ways!) 7 XOR “encryption” demo Plaintext: 'Hello' Key : 'key' H e l l o Plaintext : 01001000 01100101 01101100 01101100 01101111 k e y Key repeats> k e Key : 01101011 01100101 01111001 01101011 01100101 Ciphertext: 00100011 00000000 00010101 00000111 00001010 ^ XOR result Ciphertext: 00100011 00000000 00010101 00000111 00001010 Key : 01101011 01100101 01111001 01101011 01100101 Decrypted : 01001000 01100101 01101100 01101100 01101111 ^ XOR result H e l l o 8 Types of cryptanalysis attacks • Given the encryption algorithm and ciphertext under attack, attacks we can do: Type of attack Things known to cryptanalyst Ciphertext only (just the ciphertext under attack) Known plaintext • One or more plaintext-ciphertext pairs using same key Chosen plaintext • Plaintext chosen by attacker + ciphertext encrypted with same key Chosen ciphertext • Ciphertext chosen by attacker + “plaintext” decrypted with same key Chosen text • Plaintext chosen by attacker + ciphertext encrypted with same key • Ciphertext chosen by attacker + “plaintext” decrypted with same key 9 Attacking XOR (1) • Known plaintext attack: . Given plaintext : 01001000 01100101 01101100 01101100 01101111 . Given ciphertext : 00100011 00000000 00010101 00000111 00001010 . XOR result : 01101011 01100101 01111001 01101011 01100101 ^^ it's the key!!! • Chosen plaintext attack: . Chosen plaintext : 00000000 00000000 00000000 00000000 00000000 . Given ciphertext : 01101011 01100101 01111001 01101011 01100101 . XOR result : 01101011 01100101 01111001 01101011 01100101 ^^ it's the key!!! • Chosen ciphertext attack: . Chosen ciphertext: 00000000 00000000 00000000 00000000 00000000 . Result plaintext : 01101011 01100101 01111001 01101011 01100101 . XOR result : 01101011 01100101 01111001 01101011 01100101 ^^ it's the key!!! 10 Attacking XOR (2) • Ciphertext only attack: . Ciphertext: 00100011 00000000 00010101 00000111 00001010 . "I assume the plaintext had ASCII text with lowercase letters, and in all such letters bit 6 is 1, but none of the ciphertext has bit 6 set, so I bet the key is most/all lower case letters" . "The second byte is all zeroes, which means the second byte of the key and plaintext are equal" . etc.... • Conclusion: XOR is a sucky encryption algorithm 11 Symmetric ciphers in common use Cipher Key size Block size Year introduced (1975) Now ATMs can exist thanks to this Data Encryption Standard (DES)! DES 56 64 1975 (1995) Ahh, the DES key is too small! It 3DES 112/168 64 1995 can be brute forced really fast! Hurry, duct tape three of them together! Twofish 128/192/256 128 1998 (1998) Crap, now it’s too slow! Lets have a bunch of algorithms come fight Serpent 128/192/256 128 1998 to become the American Encryption Rijndael 128/192/256 128 1998 Standard (AES)! (2001) This guy won and is now called AES. • Triple DES (3DES) still around in legacy stuff like in financial systems (ATMs) • AES dominates everywhere else. • Implemented in hardware in modern CPUs – way faster than software versions of other algorithms (by 5x or more!) • Not sure what to use? Use AES • Some people like to use the other AES finalists (Twofish, Serpent) or other symmetric ciphers not listed here. That’s fine. 12 Okay, but what about that “block size” thing? • These are block ciphers – they just encrypt a block of bits. • How do you apply the cipher to data that’s bigger than just one block? • Answer: modes of operation • Simplest mode of operation: Electronic Code Book (ECB) • Each block of plaintext is encrypted with the same key Problem? 13 Demonstrating the danger of ECB • Electronic Codebook (ECB) is what you’d come up with naively: “Just apply the key to each block” • But this means that identical blocks give identical ciphertext, which can be informative to an attacker... See PoC||GTFO 4:13 for a poem about this 14 Figures from Wikipedia “Block cipher mode of operation” Solution to the “ECB problem” • Develop more sophisticated modes of operation for use with our block cipher. We’ll see several of these – there’s tradeoffs to different techniques • Some will convert our block cipher to a stream cipher . Stream cipher: A cipher where the plaintext is XOR’d with a pseudorandom bit stream derived from the key 15 Figure from https://www.researchgate.net/figure/Stream-cipher-diagram_fig2_318517979 Modes of operation: CBC • Cipher Block Chaining (CBC): . Each block of plaintext is XOR’d with previous block ciphertext . Prevents patterns from being visible even in regular data Initialization Vector (IV) • Random • Not secret (transmitted in clear) • Prevents cryptanalysis, e.g. by preventing a past-seen plaintext from producing the same ciphertext in the first block Encryption parallelizable? No Decryption parallelizable? Yes Random read access? Yes 16 Figures from Wikipedia “Block cipher mode of operation” More about the Initialization Vector • The previous slide showed an “IV” (Initialization Vector”) used to start the chain (it’s XORed with the first block of plaintext). Something like this is used in many modes. IV is random per-message; ensures first block of two ciphertexts don’t match just because plaintexts match. • The IV must be known to both the sender and receiver, typically not a secret (often included in the communication). • IV integrity is important: If an opponent is able to fool the receiver into using a different value for IV, then the opponent is able to invert selected bits in the first block of plaintext. Other attacks, too... A more detailed discussion can be found here. 17 Modes of operation: CTR • Counter (CTR): . Encrypt an incrementing list of integers to make a keystream: turns a block cipher into a stream cipher! . Allows full parallelization and random access Note: A nonce is basically like an initialization vector. Encryption parallelizable? Yes Decryption parallelizable? Yes Random read access? Yes 18 Figures from Wikipedia “Block cipher mode of operation” Further modes of operation • Cipher feedback (CFB): Chained encryption similar to CBC, but just used to produce a keystream – works as a stream cipher • Output feedback (OFB): Very similar to CBC. Neat property: Bitflips in ciphertext become bitflips in plaintext, so error correcting codes work transparently. • Galois/counter mode (GCM): Applies lessons from finite field theory (out of scope for us). This mode performs authentication as well as providing confidentiality. Very common on the modern web. • Many more! See “Block Cipher Modes of Operation” on Wikipedia. 19 Asymmetric (Public Key) Cryptography 20 The problem • Problem with symmetric crypto: I need to The recipient transmit a needs the secret secret key • Want to be able to send a message without having pre-shared a key • Solution: What if the key to decrypt was different than the one to encrypt? 21 Asymmetric (Public Key) Cryptography • Proposed by Diffie and Hellman in 1976 • Based on math; asymmetric: . Uses two separate keys . Public key and private key .
Load more

Recommended publications
  • Public-Key Cryptography
    Public Key Cryptography EJ Jung Basic Public Key Cryptography public key public key ? private key Alice Bob Given: Everybody knows Bob’s public key - How is this achieved in practice? Only Bob knows the corresponding private key Goals: 1. Alice wants to send a secret message to Bob 2. Bob wants to authenticate himself Requirements for Public-Key Crypto ! Key generation: computationally easy to generate a pair (public key PK, private key SK) • Computationally infeasible to determine private key PK given only public key PK ! Encryption: given plaintext M and public key PK, easy to compute ciphertext C=EPK(M) ! Decryption: given ciphertext C=EPK(M) and private key SK, easy to compute plaintext M • Infeasible to compute M from C without SK • Decrypt(SK,Encrypt(PK,M))=M Requirements for Public-Key Cryptography 1. Computationally easy for a party B to generate a pair (public key KUb, private key KRb) 2. Easy for sender to generate ciphertext: C = EKUb (M ) 3. Easy for the receiver to decrypt ciphertect using private key: M = DKRb (C) = DKRb[EKUb (M )] Henric Johnson 4 Requirements for Public-Key Cryptography 4. Computationally infeasible to determine private key (KRb) knowing public key (KUb) 5. Computationally infeasible to recover message M, knowing KUb and ciphertext C 6. Either of the two keys can be used for encryption, with the other used for decryption: M = DKRb[EKUb (M )] = DKUb[EKRb (M )] Henric Johnson 5 Public-Key Cryptographic Algorithms ! RSA and Diffie-Hellman ! RSA - Ron Rives, Adi Shamir and Len Adleman at MIT, in 1977. • RSA
    [Show full text]
  • A Password-Based Key Derivation Algorithm Using the KBRP Method
    American Journal of Applied Sciences 5 (7): 777-782, 2008 ISSN 1546-9239 © 2008 Science Publications A Password-Based Key Derivation Algorithm Using the KBRP Method 1Shakir M. Hussain and 2Hussein Al-Bahadili 1Faculty of CSIT, Applied Science University, P.O. Box 22, Amman 11931, Jordan 2Faculty of Information Systems and Technology, Arab Academy for Banking and Financial Sciences, P.O. Box 13190, Amman 11942, Jordan Abstract: This study presents a new efficient password-based strong key derivation algorithm using the key based random permutation the KBRP method. The algorithm consists of five steps, the first three steps are similar to those formed the KBRP method. The last two steps are added to derive a key and to ensure that the derived key has all the characteristics of a strong key. In order to demonstrate the efficiency of the algorithm, a number of keys are derived using various passwords of different content and length. The features of the derived keys show a good agreement with all characteristics of strong keys. In addition, they are compared with features of keys generated using the WLAN strong key generator v2.2 by Warewolf Labs. Key words: Key derivation, key generation, strong key, random permutation, Key Based Random Permutation (KBRP), key authentication, password authentication, key exchange INTRODUCTION • The key size must be long enough so that it can not Key derivation is the process of generating one or be easily broken more keys for cryptography and authentication, where a • The key should have the highest possible entropy key is a sequence of characters that controls the process (close to unity) [1,2] of a cryptographic or authentication algorithm .
    [Show full text]
  • Authentication and Key Distribution in Computer Networks and Distributed Systems
    13 Authentication and key distribution in computer networks and distributed systems Rolf Oppliger University of Berne Institute for Computer Science and Applied Mathematics {JAM) Neubruckstrasse 10, CH-3012 Bern Phone +41 31 631 89 51, Fax +41 31 631 39 65, [email protected] Abstract Authentication and key distribution systems are used in computer networks and dis­ tributed systems to provide security services at the application layer. There are several authentication and key distribution systems currently available, and this paper focuses on Kerberos (OSF DCE), NetSP, SPX, TESS and SESAME. The systems are outlined and reviewed with special regard to the security services they offer, the cryptographic techniques they use, their conformance to international standards, and their availability and exportability. Keywords Authentication, key distribution, Kerberos, NetSP, SPX, TESS, SESAME 1 INTRODUCTION Authentication and key distribution systems are used in computer networks and dis­ tributed systems to provide security services at the application layer. There are several authentication and key distribution systems currently available, and this paper focuses on Kerberos (OSF DCE), NetSP, SPX, TESS and SESAME. The systems are outlined and reviewed with special regard to the security services they offer, the cryptographic techniques they use, their conformance to international standards, and their availability and exportability. It is assumed that the reader of this paper is familiar with the funda­ mentals of cryptography, and the use of cryptographic techniques in computer networks and distributed systems (Oppliger, 1992 and Schneier, 1994). The following notation is used in this paper: • Capital letters are used to refer to principals (users, clients and servers).
    [Show full text]
  • Topic 3: One-Time Pad and Perfect Secrecy
    Cryptography CS 555 Topic 3: One-time Pad and Perfect Secrecy CS555 Spring 2012/Topic 3 1 Outline and Readings • Outline • One-time pad • Perfect secrecy • Limitation of perfect secrecy • Usages of one-time pad • Readings: • Katz and Lindell: Chapter 2 CS555 Spring 2012/Topic 3 2 One-Time Pad • Fix the vulnerability of the Vigenere cipher by using very long keys • Key is a random string that is at least as long as the plaintext • Encryption is similar to shift cipher • Invented by Vernam in the 1920s CS555 Spring 2012/Topic 3 3 One-Time Pad Let Zm ={0,1,…,m-1} be the alphabet. Plaintext space = Ciphtertext space = Key space = n (Zm) The key is chosen uniformly randomly Plaintext X = (x1 x2 … xn) Key K = (k1 k2 … kn) Ciphertext Y = (y1 y2 … yn) ek(X) = (x1+k1 x2+k2 … xn+kn) mod m dk(Y) = (y1-k1 y2-k2 … yn-kn) mod m CS555 Spring 2012/Topic 3 4 The Binary Version of One-Time Pad Plaintext space = Ciphtertext space = Keyspace = {0,1}n Key is chosen randomly For example: • Plaintext is 11011011 • Key is 01101001 • Then ciphertext is 10110010 CS555 Spring 2012/Topic 3 5 Bit Operators • Bit AND 0 0 = 0 0 1 = 0 1 0 = 0 1 1 = 1 • Bit OR 0 0 = 0 0 1 = 1 1 0 = 1 1 1 = 1 • Addition mod 2 (also known as Bit XOR) 0 0 = 0 0 1 = 1 1 0 = 1 1 1 = 0 • Can we use operators other than Bit XOR for binary version of One-Time Pad? CS555 Spring 2012/Topic 3 6 How Good is One-Time Pad? • Intuitively, it is secure … – The key is random, so the ciphertext is completely random • How to formalize the confidentiality requirement? – Want to say “certain thing” is not learnable by the adversary (who sees the ciphertext).
    [Show full text]
  • Applications of SKREM-Like Symmetric Key Ciphers
    Applications of SKREM-like symmetric key ciphers Mircea-Adrian Digulescu1;2 February 2021 1Individual Researcher, Worldwide 2Formerly: Department of Computer Science, Faculty of Mathematics and Computer Science, University of Bucharest, Romania [email protected], [email protected], [email protected] Abstract In a prior paper we introduced a new symmetric key encryption scheme called Short Key Random Encryption Machine (SKREM), for which we claimed excellent security guarantees. In this paper we present and briey discuss some of its applications outside conventional data encryption. These are Secure Coin Flipping, Cryptographic Hashing, Zero-Leaked-Knowledge Authentication and Autho- rization and a Digital Signature scheme which can be employed on a block-chain. We also briey recap SKREM-like ciphers and the assumptions on which their security are based. The above appli- cations are novel because they do not involve public key cryptography. Furthermore, the security of SKREM-like ciphers is not based on hardness of some algebraic operations, thus not opening them up to specic quantum computing attacks. Keywords: Symmetric Key Encryption, Provable Security, One Time Pad, Zero Knowledge, Cryptographic Commit Protocol, Secure Coin Flipping, Authentication, Authorization, Cryptographic Hash, Digital Signature, Chaos Machine 1 Introduction So far, most encryption schemes able to serve Secure Coin Flipping, Zero-Knowledge Authentication and Digital Signatures, have relied on public key cryptography, which in turn relies on the hardness of prime factorization or some algebraic operation in general. Prime Factorization, in turn, has been shown to be vulnerable to attacks by a quantum computer (see [1]). In [2] we introduced a novel symmetric key encryption scheme, which does not rely on hardness of algebraic operations for its security guarantees.
    [Show full text]
  • NIST SP 800-56: Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Superseded)
    ARCHIVED PUBLICATION The attached publication, NIST Special Publication 800-56 (dated July 2005), has been superseded and is provided here only for historical purposes. For the most current revision of this publication, see: http://csrc.nist.gov/publications/PubsSPs.html#800-56A. NIST Special Publication 800-56 Recommendation for Pair-Wise July 2005 Key Establishment Schemes Using Discrete Logarithm Cryptography Elaine Barker, Don Johnson, and Miles Smid C O M P U T E R S E C U R I T Y NIST SP 800-56: Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography DRAFT July 2005 DRAFT Abstract This Recommendation specifies key establishment schemes using discrete logarithm cryptography, based on standards developed by the Accredited Standards Committee (ASC) X9, Inc.: ANS X9.42 (Agreement of Symmetric Keys Using Discrete Logarithm Cryptography) and ANS X9.63 (Key Agreement and Key Transport Using Elliptic Curve Cryptography). Worked examples are provided in Appendix D. KEY WORDS: assurances; Diffie-Hellman; elliptic curve cryptography; finite field cryptography; key agreement; key confirmation; key derivation; key establishment; key management; MQV. 2 NIST SP 800-56: Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography DRAFT July 2005 DRAFT Acknowledgements The National Institute of Standards and Technology (NIST) gratefully acknowledges and appreciates contributions by Rich Davis, Mike Hopper and Laurie Law from the National Security Agency concerning the many security
    [Show full text]
  • TRANSPORT LAYER SECURITY (TLS) Lokesh Phani Bodavula
    TRANSPORT LAYER SECURITY (TLS) Lokesh Phani Bodavula October 2015 Abstract 1 Introduction The security of Electronic commerce is completely in the hands of Cryptogra- phy. Most of the transactions through e-commerce sites, auction sites, on-line banking, stock trading and many more are exchanged over the network. SSL or TLS are the additional layers that are required in order to obtain authen- tication, privacy and integrity for all kinds of communication going through network. This paper focuses on the additional layer (TLS) which is responsi- ble for the whole communication. Transport Layer Security is a protocol that is responsible for offering privacy between the communicating applications and their users on Internet. TLS is inserted between the application layer and the network layer-where the session layer is in the OSI model TLS, however, requires a reliable transport channel-typically TCP. 2 History Instead of the end-to-end argument and the S-HTTP proposal the developers at Netscape Communications introduced an interesting secured connection concept of low-layer and high-layer security. For achieving this type of security there em- ployed a new intermediate layer between the transport layer and the application layer which is called as Secure Sockets Layer (SSL). SSL is the starting stage for the evolution of different transport layer security protocols. Technically SSL protocol is assigned to the transport layer because of its functionality is deeply inter-winded with the one of a transport layer protocol like TCP. Coming to history of Transport layer protocols as soon as the National Center for Super- computing Application (NCSA) released the first popular Web browser called Mosaic 1.0 in 1993, Netscape Communications started working on SSL protocol.
    [Show full text]
  • Public Key Infrastructure (PKI)
    Public Key Infrastructure Public Key Infrastructure (PKI) Neil F. Johnson [email protected] http://ise.gmu.edu/~csis Assumptions • Understanding of – Fundamentals of Public Key Cryptosystems – Hash codes for message digests and integrity check – Digital Signatures Copyright 1999, Neil F. Johnson 1 Public Key Infrastructure Overview • Public Key Cryptosystems – Quick review – Cryptography – Digital Signatures – Key Management Issues • Certificates – Certificates Information – Certificate Authority – Track Issuing a Certificate • Putting it all together – PKI applications – Pretty Good Privacy (PGP) – Privacy Enhanced Mail (PEM) Public Key Cryptosystems – Quick Review • Key distribution problem of secret key systems – You must share the secret key with another party before you can initiate communication – If you want to communicate with n parties, you require n different keys • Public Key cryptosystems solve the key distribution problem in secret key systems (provided a reliable channel for communication of public keys can be implemented) • Security is based on the unfeasibility of computing B’s private key given the knowledge of – B’s public key, – chosen plaintext, and – maybe chosen ciphertext Copyright 1999, Neil F. Johnson 2 Public Key Infrastructure Key Distribution (n)(n-1) 2 Bob Bob Alice 1 Alice 2 Chris Chris 7 5 8 9 Ellie 3 Ellie 6 David 4 David Secret Key Distribution Directory of Public Keys (certificates) Public Key Cryptosystem INSECURE CHANNEL Plaintext Ciphertext Plaintext Encryption Decryption Algorithm Algorithm Bob’s PUBLIC
    [Show full text]
  • Introduction, Overview, One Time Pad
    University of Illinois, Urbana Champaign LECTURE CS 598DK Special Topics in Cryptography Instructor: Dakshita Khurana Scribe: Joshua Reynolds, Amit Agarwal Date: August 28, 2019 1 Introduction, Overview, One Time Pad 1.1 Introduction This introductory lecture introduces some fundamental goals of cryptography and defines the basic requirement for a useful private key (symmetric) encryption scheme. A basic problem in Cryptography is that of encryption. The encryption problem is that two parties wish to communicate a message without an eavesdropper being able to learn their secret, or even any information about that secret. This problem can be solved with private key (symmetric) encryption under the assumption that both parties already have a shared secret key. This problem can also be solved with public key (asymmetric) key encryption under various other assumptions. These primitives are among the building blocks of more complicated cryptography sys- tems and a useful medium to explore the assumptions made in cryptographic systems. Encryption, in particular, is important because it allows us to communicate secrets safely through an untrusted medium like the Internet. Focusing first on private key encryption, we define the property of correctness. The second necessary property of encryption is security and is covered in part 2 of these lecture notes. 1.2 Notation This set of scribe notes will use the following notation and definitions: • A set will be denoted by a capital letter { M is the set of all possible messages { K is the set of all possible keys { C is the set of all possible ciphertexts • Set subtraction will use the /operator and jSj means the cardinality of set S • An item from a set will be denoted by a lower case letter { m is a message in plaintext (not encrypted) { ct is a ciphertext (encrypted message) { sk is a secret key used as an input in symmetric encryption and decryption • A statistical method of sampling from a set will be denoted with an arrow combined with a description of how the selection is done.
    [Show full text]
  • Solutions Problem 1. the Ipsec Architecture Documents States That
    Homework 5 - Solutions Problem 1. The IPSec architecture documents states that when two transport mode SA are bundled to allow both AH and ESP protocols on the same end-to-end flow, only one ordering of security protocols seems appropriate: performing the ESP protocol before performing the AH protocol. Why is this approach recommended rather than authentication before encryption? Solution This order of processing facilitates rapid detection and rejection of replayed or bogus packets by the receiver, prior to decrypting the packet, hence potentially reducing the impact of denial of service attacks. It also allows for the possibility of parallel processing of packets at the receiver, i.e., decryption can take place in parallel with authentication. Problem 2. Consider the following threats to web security and describe how each is countered by a particular feature of IPSec. a. Brute force cryptoanalitic attack. An exhaustive search of the key space for a conventional encryption algorithm. b. Known plaintext dictionary. Many messages will have predictable plaintext such as HTTP DET command. An attacker can construct a dictionary containing every possible encryption of the known plaintext message. When an encrypted message is intercepted, the attacker takes the portion containing the encrypted known plaintext and looks up the ciphertext in the dictionary. The ciphertext should match against an entry that was encrypted with the same secret key. This attack is especially effective against small key sizes (e.g. 40-bit keys). c. Replay attack. Earlier SSL handshake messages are replayed. d. Man in the middle. An attacker interposes during key exchange, acting as the client to the server and a server to the client.
    [Show full text]
  • Analysing and Patching SPEKE in ISO/IEC
    1 Analysing and Patching SPEKE in ISO/IEC Feng Hao, Roberto Metere, Siamak F. Shahandashti and Changyu Dong Abstract—Simple Password Exponential Key Exchange reported. Over the years, SPEKE has been used in several (SPEKE) is a well-known Password Authenticated Key Ex- commercial applications: for example, the secure messaging change (PAKE) protocol that has been used in Blackberry on Blackberry phones [11] and Entrust’s TruePass end-to- phones for secure messaging and Entrust’s TruePass end-to- end web products. It has also been included into international end web products [16]. SPEKE has also been included into standards such as ISO/IEC 11770-4 and IEEE P1363.2. In the international standards such as IEEE P1363.2 [22] and this paper, we analyse the SPEKE protocol as specified in the ISO/IEC 11770-4 [24]. ISO/IEC and IEEE standards. We identify that the protocol is Given the wide usage of SPEKE in practical applications vulnerable to two new attacks: an impersonation attack that and its inclusion in standards, we believe a thorough allows an attacker to impersonate a user without knowing the password by launching two parallel sessions with the victim, analysis of SPEKE is both necessary and important. In and a key-malleability attack that allows a man-in-the-middle this paper, we revisit SPEKE and its variants specified in (MITM) to manipulate the session key without being detected the original paper [25], the IEEE 1363.2 [22] and ISO/IEC by the end users. Both attacks have been acknowledged by 11770-4 [23] standards.
    [Show full text]
  • Why Passwords Stink White Paper | Why Passwords Stink
    WHITE PAPER WHY PASSWORDS STINK WHITE PAPER | WHY PASSWORDS STINK 01 INTRODUCTION 02 PASSWORDS ARE FUNDAMENTALLY INSECURE 03 THE PROBLEM WITH PASSWORDS IS THAT THEY CONTENTS ARE “SHARED SECRETS” 04 CURRENT ALTERNATIVES AREN’T THE ANSWER 05 A SOLUTION TO THE PASSWORD ISSUE 06 INTRODUCING BEYOND IDENTITY 07 CONCLUSION 02 WHITE PAPER | WHY PASSWORDS STINK There are hundreds of billions of passwords in the world today, with more being created every day. In fact, the average business user maintains an astounding average of 191 passwords.1 Unfortunately, these passwords represent a fundamentally weak link in most organizations because INTRODUCTION they will always be insecure. This white paper examines why that is, investigates some alternative solutions, and introduces a new method of authentication using asymmetric keys and certificates to eliminate passwords altogether. 01 1 https://www.securitymagazine.com/articles/88475-average-business-user-has-191-passwords 03 WHITE PAPER | WHY PASSWORDS STINK Let’s face it: Passwords stink! For employees and customers, they cause friction and frustration when logging in – Who can remember the 16-character combination of letters, symbols, and digits that are indicative of strong passwords, much less come up with them in the first place? When PASSWORDS ARE a password gets lost or stolen (and they invariably do), it places a burden on the help desk. In fact, 20-50% of help FUNDAMENTALLY desk calls are for password resets, with the average call costing the organization $70.2 INSECURE For CISOs, passwords represent corporate assets that can be targeted by bad actors. And that’s a problem because they often transit networks in the clear, are stored in databases that can be and often are hacked, are shared 02 among colleagues, and are reused across multiple apps – making them easy targets for malware, phishing attacks, and other credential-stealing schemes.
    [Show full text]