AdvancedAdvanced TopicsTopics inin NetworkNetwork SecuritySecurity
Lecture #11
Instructor : Sheau-Dong Lang [email protected]
School of Electrical Engineering & Computer Science University of Central Florida
1
Joohan Lee ConfidentialityConfidentiality vs.vs. AuthenticationAuthentication Confidentiality The protection of data from unauthorized disclosure Encryption Æ protection against papassivessive attack Authentication The assurance that the communicating entity is the one that it claims to be Requirements - must be able to verify that: Message came from the apparent source or author Contents have not been altered It was sent at a certain time or sequence. Protection against active attack (falsification of data and transactions) Message authentication is concerned with: protecting the integrity of a message validating identity of originator non-repudiation of origin (dispute resolution) 2
Joohan Lee AttacksAttacks andand SolutionsSolutions
Disclosure Æ confidentiality Release of message contents to any person not possessing the appropriate cryptogcryptographicraphic key Traffic analysis Æ confidentiality Discovery of the patterns of traffic between parties (e.g) frequency and duration of connecconnections,tions, number and length of messages Masquarade Æ authentication Insertion of messages into the network from a fraudulent source Content modification Æ authentication Sequence modification Æ authentication Timing modification Æ authentication Delay or replay of messages Source repudiation Æ authentication (digital signature) Denial of transmission of message by sourcsourcee Destination repudiation Æ authentication (digital signature + protocol) Denial of receipt of message by destination 3
Joohan Lee AuthenticationAuthentication andand DigitalDigital SignatureSignature
Message authentication A procedure to verify that received messages come from the alleged source and have not been altered
Digital Signature An authentication technique that also includes measures to counter repudiation by the source
4
Joohan Lee ApproachesApproaches toto MessageMessage AuthenticationAuthentication
Message Encryption Authentication Using Conventional Encryption Only the sender and receiver should share a key The ciphertext of the entire message serves as its authenticator
Hash Functions Message AuthenticAuthenticationation without Message Encryption An authentication tag is ggenerateenerated and appended to each message Use hash function that maps a message of any length into a fixed- length hash value, which serves as the authenticator
Message Authentication Code Calculate the MAC as a function of the message and the key Use of hash function and a secret key that serves as the authenticator 5
Joohan Lee AuthenticationAuthentication UsingUsing MessageMessage EncryptionEncryption
Message encryption by itself also provides a measure of authentication If symmetric encryption is used then: Receiver knows sender must have created it since only sender and receiver know the key used Know contents cannot have been altered If message has suitable structure, redundancy or a checksum to detect any changes
6
Joohan Lee AuthenticationAuthentication UsingUsing MessageMessage EncryptionEncryption
7
Joohan Lee AuthenticationAuthentication UsingUsing MessageMessage EncryptionEncryption
(problem) Contents of delivered ciphertext How ttoo decide if incoming ciphertext decrypts to intelligible plaintext Messages can be English text, binary object files, digitized X-rays,… Opponent can achieve a certain level of disruption without knowing the private key
(Solu(Solution)tion) To force the plaintext to have some structure that is easily recognized but that cannot be replicated without knowing recourse to the encryption function
8
Joohan Lee AuthenticationAuthentication UsingUsing ConventionalConventional EncryptionEncryption
Append an error-detection code such as frame check sequences or checksum to each message before encryption Any sort of structuring added to tthehe transmitttransmitteded message serves to strengthening the authentication capability
9
Joohan Lee AuthenticationAuthentication UsingUsing ConventionalConventional EncryptionEncryption
Encrypt all the TCP segment including checksum for the TCP header and the sequence number Assures that the opponent does not delay, misorder, or delete any segments How? Æ If the opponent changes part of the TCP segment, the checksum or sequence number will be compromised What if the attacker changes other part except for the checksum? Æ then, it will be detected by checking the checksum at tthehe destination
10
Joohan Lee AuthenticationAuthentication UsingUsing ConventionalConventional EncryptionEncryption
TCP segment 11
Joohan Lee AuthenticationAuthentication UsingUsing MessageMessage EncryptionEncryption
If public-key encryption is used: Encryption provides no confidence of sender since anyone potentially knows public-key However if SendeSenderr signs message using their private-key then encrypts with recipient’s public key Have both secrecy and authentication Again need to recognize corrupted messages Can provide both confidentiality and authentication at cost of two public-key uses on message
12
Joohan Lee AuthenticationAuthentication UsingUsing MessageMessage EncryptionEncryption
13
Joohan Lee SecretSecret KeyKey AssuranceAssurance Authentication Use secret keys for authentication Challenge and response A way to know whether the sender/receiver is the genuine
14
Joohan Lee Alice sends a challenge: She picks a number between 1 and 100, say 34, and challenges Bob to correctly encrypt 34. Only 34 the seceret key Alice shares with challenge Bob will correctly encrypt 34 Alice Bob 34 Bob Responds: He encrypts 34. Say 34 encrypts to"%2". He sends %2 back to Alice %2 response Alice Bob
Alice finishes authenticating Bob: 34 encrypted to %2 She also encrypts 34 to %2 and is authenticated assured it's Bob. Only their shared secret key encrypts 34 to %2 Alice Bob 76 Bob also authenticates Alice: Bob challenges Alice in a similar way challenging with different a3 response number Alice Bob 15
Joohan Lee SecretSecret KeyKey AssuranceAssurance
An Authentication Attacks What if somebody is listening to the challenges and responses and recorded them Impersonating Bob as if he knows the pair of challenges and responses without knowing the shared private keys
Solution Use of random number to choose different challenge number every time
16
Joohan Lee MessageMessage AuthenticationAuthentication CodeCode (MAC)(MAC)
Generated by an algorithm that creates a small fixed-sized block Depending on both message and some key Like encryption though it need not be reversible Mac function is a many-to-one function Appended to a message as a signature Receiver performs same computation on message and checks it matches the MAC Provides assurance that message is unaltered and comes from the sender
17
Joohan Lee MessageMessage AuthenticationAuthentication CodeCode (MAC)(MAC)
18
Joohan Lee MessageMessage AuthenticationAuthentication CodeCode (MAC)(MAC)
N N bits: size of the message = 2N possible message n bits: size of MAC = 2n possible MACs k bits: size of key = 2k possible keys Usually, 2N >> 2n and considering additional complexity of keys, authentication function is much harder to break than encryption
(eg) 100-bit messages and 10-bit MAC Each MAC value is generated by a total of 2100 / 210 = 290 different messages Æ means each MAC can represent 290 different messages
19
Joohan Lee MessageMessage AuthenticationAuthentication CodesCodes
As shown the MAC provides authentication (Fig 11.4a) Can we also use encryption for secrecy? Generally use separate keys for each Can compute MAC either before or after encryption “Before” (based on plaintext) is generally regarded as better than “after” (based on ciphertext)
Note that a MAC is not a digital signature Because both sender and receiver share the same key
20
Joohan Lee MessageMessage AuthenticationAuthentication CodesCodes
Encryption provides basic authentication, then why use a MAC? Sometimes only authentication is needed Broadcast announcement Heavy load of message communication Cannot afford decryption/encryption Sometimes need authenticauthenticationation to persist longer than the encryption (eg. archival use) Check integrity of program (e.g) NIST database of software with MAC
21
Joohan Lee MessageMessage AuthenticationAuthentication CodeCode (MAC)(MAC)
MAC is calculated on plaintext
MAC is calculated on ciphertext22
Joohan Lee MACMAC PropertiesProperties
A MAC is a cryptographic checksum
MAC = CK(M) condenses a variable-length message M using a secret key K to a fixed-sized authenticator Is a many-to-one function potentially many messages have same MAC but finding these needs to be very difficult
23
Joohan Lee RequirementsRequirements forfor MACsMACs
Consider a symmetric/asymmetric encryption k (k-1) For k-bit key, on average 2k/2 = 2(k-1) attempts needed for brute force attack In the case of MAC, it’s entirely different N: message size, k : key size, n : MAC size k 2k MACs can be produced for the same input message M, but only 2n (< 2k) different MACs values Æ The same MAC can be produced out of 2(N-n) different messages Æ Different keys may produce the same MAC, on average 2(k-n) keys will produce a match Æ The attacker has no way of knowing which is the correct key
24
Joohan Lee RequirementsRequirements forfor MACsMACs
The attacker must iterate Round 1
Given: M1, MAC1 = Ck(M1) k Compute MACi = Cki(M1) for all 2 keys Number of matches ≈ 2(k-n) Round 2
Given: M2, MAC2 = Ck(M2) k-n Compute MACi = Cki(M2) for the remaining 2 keys Number of matches ≈ 2(k-2n) Iterate until they find key
25
Joohan Lee RequirementsRequirements forfor MACsMACs
How many rounds are needed? α is the needed number of rounds if k = α×n (k: key size, α: number of rounds, n: MAC size) (e.g.) k=80bits, n=32bits (80-32) 48 First round: ≈2(80-32) = 248 possible keys produced (48-32) 16 Second round: ≈2(48-32) = 216 possible keys produced Third round: should produce only a single key
26
Joohan Lee RequirementsRequirements forfor MACsMACs
Other attacks that do not require the discovery of the key
Message M = (X1 || X2 || … || Xm) : concatenation of 64-bit blocks
Δ(M) = X1 ⊕ X2 ⊕…⊕ Xm
Ck(M) = Ek[Δ(M)] : E is an DES encryption with a 56 bit key
If the attacattackerker has M||Ck(M), an original message plus a MAC, 56 Brute-force attempt to determine the key k requires 256 encryptions Possible attack Corrupt the original message without affecaffectingting the associated MAC Considerations: The plaintext M is sent witwithh an encrypted MAC If we can chachangenge M such that it will still produce the same MAC, then it will be accepted as authentic by the receiver 27
Joohan Lee RequirementsRequirements forfor MACsMACs
Example
X1 X2 … Xm-1
Y1 Y2 … Ym-1
Replace each Xi with any desired Yi for 1≤ i ≤m-1
Ym = Y1 ⊕ Y2 ⊕ … ⊕ Ym-1 ⊕ Δ(M) we already know M and therefore can calculate Δ(M)
Now, new message M’ = (Y1 || Y2 || … || Ym) is sent with the original MAC: M’||Ck(M) Logic behind Remember that A ⊕ B=C, then C ⊕ B = A
Therefore, Δ(M) = Y1 ⊕ Y2 ⊕ … ⊕ Ym-1 ⊕ Ym Æ The receiver will get the correct MAC 28
Joohan Lee RequirementsRequirements forfor MACsMACs
Taking into types of attacks, the MAC function need to satisfy the following properties Knowing a message and MAC, it should be computationally infeasible to find another message with the same MAC MACs should be uniformly distributed such that for randomly
chosen messages, M and M’, the probability that Ck(M)=Ck(M’) is 2-n where n is the MAC size MAC should depend equally on all bits of the message
29
Joohan Lee UsingUsing SymmetricSymmetric CiphersCiphers forfor MACsMACs
Can use any block cipher chaining mode and use final block as a MAC Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC using IV=0 and zero-pad of final block encrypt message using DES in CBC mode and send just the final block as the MAC or the leftmost M bits (16≤M≤64) of final block
30
Joohan Lee MessageMessage AuthenticationAuthentication CodeCode BasedBased onon DESDES Data Authentication Algorithm: NIST FIPS PUB 113, ANSI standard (X9.17) DES Cipher Block Chaining mode is used to generate the encrypted message and MAC
DAC is either entire block ON or the left most M bits of the block (16≤M≤64) 31
Joohan Lee OneOne--wayway HashHash FunctionFunction
Condenses arbitrary message to a fixed size usually assume that the hash function is public and not keyed MAC takes a key as input while hash function does not Hash used to detect changes to message The hash code is referred to as a message digest or hash value Most often to create a digitdigitalal signature
32
Joohan Lee OneOne--wayway HashHash FunctionFunction
Authentication and confidentiality
Authentication
Digital signature 33
Joohan Lee OneOne--wayway HashHash FunctionFunction
Digital signature and confidentiality
Authentication (using secret value s)
Authentication and confidentiality 34
Joohan Lee HashHash FunctionFunction PropertiesProperties
A Hash Function produces a fingerprint of some file/message/data h = H(M) condenses a variable-length message M to a fixed-sized fingerprint Hash function itself is not considered to be secret Æ need to protect the hash value
35
Joohan Lee RequirementsRequirements ofof aa HashHash FunctionFunction
(1) Can be applied to any sized message M (2) produces fixed-length output h (3) Is easy to compute h=H(M) for any message M (4) Given h,it is infeasible to find x s.t. H(x)=h One-way property: Looking at the hash value it’s infeasible to find the original message (5) Given x,it is infeasible to find y s.t. H(y)=H(x) Weak collision resistance: make it impossible to replace the original message with another that produces the same hash value Prevent forgery (6) It is infeasible to find any pair x,y s.t. H(y)=H(x) Strong collision resistance: make it resistant to the birthday attack
36
Joohan Lee SimpleSimple HashHash FunctionFunction
One-bit circular shift on the hash value after each block is processed would improve
37
Joohan Lee Two simple hash functions
38
Joohan Lee SimpleSimple HashHash FuncionFuncion 64bit XOR with encrypting entire message in Cipher Block Chaining (CBC) mode (proposed NIST standard)
hash code C = XN+1 = X1 ⊕ X2 ⊕ … ⊕ XN
with a message consisting of 64-bit blocks X1, X2, …, XN
Encrypt entire message plus hash code using CBC to produce
Y1, Y2, …, YN+1 ciphertexts Decryption
X1 = IV ⊕ DK (Y1) …
Xi = Yi-1 ⊕ DK (Yi)
XN+1 = YN ⊕ DK (YN+1)
XN+1 = X1 ⊕ X2 ⊕ … ⊕ XN (XN+1 is the hash code)
= (IV ⊕ DK (Y1)) ⊕ (Y1 ⊕ DK (Y2)) ⊕ … ⊕ (YN-1 ⊕ DK (YN)) (Problem) ThThee code would not change if the ciphertext blocks were permuted 39
Joohan Lee AttackingAttacking HashHash FunctionsFunctions Example: 64bit hash function To find a message that can substitute the original message s.t it produces the same hash value, on average 263 trials are needed There is a different type of attack called Birthday attacks that need not that many trials Note that we don’t crack the password but try to replace the original message M with another message M’ that will produce the same hash value Birthday Attacks Consider the following authentication method using a hash function using m-bit hash code and encrypting it with A’s private key
40
Joohan Lee Why should the opponent try 263 messages to find a match with the original message? Math behind Given a hash function H, with n possible outputs and a specific value H(x), if H is applied to k random inputs, what must be the value of k so that the probability that at least one input y satisfies H(y) = H(x) is 0.5 For a single value of y, the probability that H(y) = H(x) is 1/n Remember that x is already chosen value Conversely, the probability that H(y) ≠H(x) is 1-1/n If we generate k random values of y, then the probability that none of them match is the product of the probabilities that each individual value does not match, (1-1/n)k k The probability that there is at least one match is 1-(1-1/n)k The binomial theorem (1-a)k=1 - ka + k(k-1)a2/2! + k(k-1)(k-2)a3/3! + … For very small value of a, this can be approximated as (1-ka) The probability of at least one match is approximated as 1-(1-1/n)k ≈ 1-(1-k/n) = k/n For probability of 0.5, 0.5=k/n Æ k = n/2 For m-bit hash code, the number of possible codes is 2m (=n) and the value of k that produces a probability of 0.5 is k = 2(m-1) 41
Joohan Lee AppendixAppendix Binomial Theorem The binomial theorem states that for positive integers n,
Therefore, (1-a)k=1 - ka + k(k-1)a2/2! + k(k-1)(k-2)a3/3! + … For very small value of a, this can be approximated as (1-ka)
42
Joohan Lee AttackingAttacking HashHash FunctionsFunctions What if we can achieve the same goal with less efforts? For the same 64-bit hash code, the level of effort required can be reduced to only the order of 232 in Birthday Attack
Birthday Attacks (m-bit hash) m/ Opponent generates 2 2 variations of a valid message all with essentially the same meaning (remember that the message itself is not encrypted) m/ Opponent also generates 2 2 variations of a desired fraudulent message Two sets of messages are compared to find pair with same hash (probability of success > 0.5 by birthday paradox) If no match found, additional valid and fraudulent messages are generated until a match is found Have user sign the valid message, then substitute the forgery which will have a valid signature 43
Joohan Lee BirthdayBirthday AttackAttack The Birthday Paradox Probability results are sometimes counterintuitive Problem Definition : What is the minimum value of k such that the probability is greater than 0.5 that at least two people in a group of k people have the same birthday? Assumption : each birthday is equally likely P(n,k) = Pr[at least one duplicate in k items, with each item able to take on one of n equally likely values between 1 and n] Æ look for the smallest value of k s.t. P(365, k) >=0.5 Q(n,k) = Pr[no duplicates in k items, with each item able to take on one of n] !365 P − k)!365( !365 kQ ),365( kn == = 365k 365k − k 365)!365( k
Hence, P(365,k) = 1 – Q(365, k) 44
Joohan Lee BirthdayBirthday AttackAttack P(365,k) = 1 – Q(365, k)
45
Joohan Lee BirthdayBirthday AttackAttack The General Case of Duplication Problem Definition : Given a random variable that is an integer uniformly distributed between 1 and n and a selection of k instance (k<=n) of the random variable, what is prob. P(n,k), that there is at least one duplicate? n! knP 1),( −= − )!( nkn k × nn − × × − kn + )1(...)1( knP 1),( −= n k ⎡n − n − 21 kn +− 1⎤ knP 1),( −= × ...×× ⎣⎢ n n n ⎦⎥ ⎡⎛ 1 ⎞ ⎛ 2 ⎞ ⎛ k −1⎞⎤ knP ⎢⎜11),( −−= ⎟ ⎜1−× ⎟ ⎜1... −×× ⎟⎥ ⎣⎝ ⎠ ⎝ nn ⎠ ⎝ n ⎠⎦
46
Joohan Lee BirthdayBirthday AttackAttack Useful Inequality )1( ≤− ex − x
47
Joohan Lee BirthdayBirthday AttackAttack The General Case of Duplication 1 2 k −1 ⎡⎛ − ⎞ ⎛ − ⎞ ⎛ − ⎞⎤ ⎜ n ⎟ ⎜ n ⎟ ⎜ n ⎟ 1),( −> ⎢⎜ ⎟ × ⎜eeknP ⎟ ...×× ⎜e ⎟⎥ ⎣⎢⎝ ⎠ ⎝ ⎠ ⎝ ⎠⎦⎥ 1),( −> eknP []−+++− nknn )/)1((...)/2()/1(
1),( −> eknP −×− 2/))1(( nkk What if P(n,k) > 0.5
kk −× )1( 1 − 1−= e 2n 2
kk −× )1( 2 = e 2n
kk −× )1( )2ln( = 2n 48
Joohan Lee BirthdayBirthday AttackAttack For large k, we can replace kx(k-1) by k2 k 2 )2ln( = 2n Therefore, k = 18.1)2(ln2 ≈= nnn
Hence, with a hash function H with m bits (2m possible outcomes), if H is applied to k random inputs, what must be the value of k so that there is the probability of at least one duplicate (i.e. H(x) = H(y))? Æ Using the above approximation,
m k m == 22 2
49
Joohan Lee 50
Joohan Lee AttackingAttacking HashHash FunctionsFunctions
Conclusion is that we need to use larger MACs For 64-bit hash code, the level of effort required is only on the order of 232 However, the difficulty lies in generating the variations that convey the same meaning: what if the message is binary executable file or image files?
51
Joohan Lee