Detecting Eavesdropping

A Solution

Network Security (N. Dulay & M. Huth), Classical Cryptography (2.1)

Quantum Cryptography

- Quantum Computing
  Quantum Cryptography
- Algorithms for key distribution, coin flipping, bit commitment, oblivious transfer, etc.
- In 1994 Peter Shor devised a quantum computing algorithm to factorise large numbers in polynomial time!
- (Un)fortunately no one yet knows how to build a suitable quantum computer.

- Can we use quantum effects to detect passive eavesdropping?
- Particles (e.g. photons) exist in N places at once with different probabilities.
- We can measure position or velocity but not both.
- Quantum world is uncertain.
- But we can use this uncertainty to generate a key!

Polarisation: Noddy's guide

- Photons vibrate in some direction, e.g.
  - Up and down
  - Left and right
  - At some angle
- Polarised when many photons vibrate in the same direction
- Polarisation filters only allow photons polarised in a defined direction (angle) through, e.g.

[Figure: filters passing 100%, 0% and 50% of photons]

Wiesner's Quantum Money

- Each note has a printed serial number and a set of "photon-stores" that hold differently polarised photons.
- Only the Bank knows the polarisations for any serial number.
- We can produce counterfeit notes if we can measure the correct polarisations. But to do this we need to guess the correct orientations.

[Figure: DoC Bank £100 note with serial number 22AC320FR00]

Wiesner's Quantum Money

[Figure: table with columns Filter and Result; the results shown are 100%, 0%, 50% ? and 50% ?]

Basis

- Polarisation measured in a basis.
- Basis consists of 2 orthogonal polarisation directions, e.g.
  - Rectilinear
  - Diagonal
- If polarisation is read in a matching basis -> we learn
- If read in wrong basis -> we learn a random polarisation!

[Figure labels: Okay, Random]

Bennett & Brassard Protocol

- Alice sends pulses to Bob. Bob uses polarisation detectors with randomly set basis.
- Bob tells Alice his settings. Alice tells Bob which settings were correct.
- Settings map to 0 and 1’s, e.g. — and / map to 0, while | and \ map to 1.
- Alice and Bob only use those settings as a secret key (or 1-time pad key).

[Figure: pulse sequence with two rows of values]
1   1 0   0   0   1 1 1   0
0/1 1 0/1 0/1 0/1 1 1 0/1 0

Protocol Continued

- Eavesdropper Eve also does not know correct polarisations, so like Bob will pick wrong basis 50% of the time. Knowing Bob's settings after the event does not help, because she will have measured half of them incorrectly.
- Worse still, Eve will introduce errors, which Alice & Bob can detect, since Eve’s wrong guesses will change polarisation of pulses.
- To detect Eve, Alice and Bob only need to compare a few bits in their message.
- If errors found then we have an Eavesdropper.
- If no errors: Use rest of message.
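The protocol on the two slides above, simulated classically as an added example (not part of the course material). It assumes Eve intercepts every pulse, measures it in a randomly chosen basis and resends it; the function names, pulse counts and seeds are choices made for this sketch.

```python
import random

BASES = ("+", "x")  # rectilinear and diagonal, as on the Basis slide

def measure(bit, pulse_basis, detector_basis, rng):
    """Matching basis reads the bit; the wrong basis yields a random result."""
    return bit if pulse_basis == detector_basis else rng.randint(0, 1)

def run_bb84(n_pulses, eve_present, seed=2024):
    """Return (alice_key, bob_key) after Bob's wrong-basis pulses are dropped."""
    rng = random.Random(seed)
    alice_key, bob_key = [], []
    for _ in range(n_pulses):
        a_bit, a_basis = rng.randint(0, 1), rng.choice(BASES)
        bit, basis = a_bit, a_basis          # the pulse in flight
        if eve_present:                      # assumed intercept-and-resend Eve
            e_basis = rng.choice(BASES)
            bit = measure(bit, basis, e_basis, rng)
            basis = e_basis                  # pulse is now polarised in Eve's basis
        b_basis = rng.choice(BASES)
        b_bit = measure(bit, basis, b_basis, rng)
        if b_basis == a_basis:               # Alice confirms this setting was correct
            alice_key.append(a_bit)
            bob_key.append(b_bit)
    return alice_key, bob_key

def compare_sample(alice_key, bob_key, sample_size, seed=7):
    """Publicly compare a random sample; return (error_rate, remaining_key)."""
    rng = random.Random(seed)
    revealed = set(rng.sample(range(len(alice_key)), sample_size))
    errors = sum(alice_key[i] != bob_key[i] for i in revealed)
    remaining = [b for i, b in enumerate(alice_key) if i not in revealed]
    return errors / sample_size, remaining

if __name__ == "__main__":
    for eve in (False, True):
        a, b = run_bb84(4000, eve_present=eve)
        rate, key = compare_sample(a, b, 400)
        verdict = "eavesdropper, discard" if rate > 0 else "use rest as key"
        print(f"Eve={eve}: kept={len(a)} sample errors={rate:.1%} -> {verdict}")
```

Eve picks the wrong basis half the time and each wrong guess gives Bob a wrong bit half the time, so about a quarter of the kept bits disagree when she is present.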

Reading

- Simon Singh, The Code Book, Chapter 8
- Quantum Computing Course (482), Next term

Classical Cryptography

Michael Huth

www.doc.ic.ac.uk/~mrh/430/

Why Cryptography?

- CONFIDENTIALITY: Keep information secret
- Receiver can verify who sender was
- INTEGRITY: Detect modified messages
- NON-REPUDIATION: Sender cannot later falsely deny sending a message. Receiver cannot falsely deny receiving it.

[Diagram: Plaintext (P) "hello world" -> Encrypt (E) -> Ciphertext (C) "JHN+K9["]
C = E(P)

[Diagram: Ciphertext (C) -> Decrypt (D) -> Plaintext (P)]
P = D(C)

P = D(E(P))

Encryption with a Secret Key

[Diagram: Key (k) and Plaintext (P) -> Encrypt (E) -> Ciphertext (C)]
C = E_k(P)

[Diagram: Key (k) and Ciphertext (C) -> Decrypt (D) -> Plaintext (P)]
P = D_k(C)

P = D_k(E_k(P))

- Kerckhoffs's Principle: Secrecy should lie in keeping a key secret. Assume algorithm is known.

Encryption with 2 Keys

[Diagram: Key1 (k1) and Plaintext (P) -> Encrypt (E) -> Ciphertext (C)]
C = E_k1(P)

[Diagram: Key2 (k2) and Ciphertext (C) -> Decrypt (D) -> Plaintext (P)]
P = D_k2(C)

P = D_k2(E_k1(P))

- Conceal existence of message, e.g. 1st letter of each word, least sig. bit of graphic image
- Useless once method discovered
- Peter Wayner, Disappearing Cryptography, 2nd ed, Morgan Kaufmann, 2002

Steganography **

Dear George, 3rd March

Greetings to all at Oxford. Many thanks for your letter and for the Summer examination package. All Entry Forms and Fees Forms should be ready for final dispatch to the Syndicate by Friday 20th or at the very least, I’m told, by the 21st. Admin has improved here, though there’s room for improvement still; just give us all two or three more years and we’ll really show you! Please don’t let these wretched 16+ proposals destroy your basic O and A pattern. Certainly this sort of change, if implemented immediately, would bring chaos.

Codes

- Pre-arranged set of secret codes/meanings.
- BEST if used once only. Security weakens with each use if intercepted
- EXAMPLE
  Mobius -> Launch missiles
  Zebra -> Don’t Launch
- Only small set of pre-arranged messages. What if we wanted to communicate “Launch half the missiles” or “Disarm missiles”?

One-time Pad

- Use a random key as long as the message. Must not reuse the key sequence ever again.
- Both parties must have key sequence
- Hotline between USA and USSR was rumoured to use a one-time pad.
- Destroy key sequence after use
- Advantages?
- Disadvantages?

- EXAMPLE: Key is number of places to shift letter
  K 321424
  P launch
  C OCVREL
- Suggest a good 1-time pad function for binary data?
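The slide's shift pad, plus what reusing a key sequence costs, as an added example (not part of the course material). XOR is assumed here as the combining function for binary data, the second message "disarm" is constructed for the demonstration, and the OS CSPRNG stands in for the random key the slide requires.

```python
import secrets

def shift_pad(plaintext, key_digits):
    """The slide's letter pad: each key digit is the number of places to shift."""
    if len(key_digits) < len(plaintext):
        raise ValueError("key must be at least as long as the message")
    return "".join(
        chr((ord(p) - ord("a") + int(k)) % 26 + ord("A"))
        for p, k in zip(plaintext.lower(), key_digits)
    )

def xor_bytes(data, pad):
    """Combine binary data with a pad of the same length; the same call decrypts."""
    if len(data) != len(pad):
        raise ValueError("pad must be exactly as long as the data")
    return bytes(d ^ k for d, k in zip(data, pad))

def new_pad(length):
    """Fresh pad from the OS CSPRNG (assumption: stands in for a truly random key)."""
    return secrets.token_bytes(length)

def reused_pad_leak(c1, c2):
    """If one pad encrypted both messages the key cancels: c1 XOR c2 == p1 XOR p2."""
    return xor_bytes(c1, c2)

if __name__ == "__main__":
    print(shift_pad("launch", "321424"))
    p1, p2 = b"launch", b"disarm"          # constructed messages of equal length
    pad = new_pad(len(p1))
    c1, c2 = xor_bytes(p1, pad), xor_bytes(p2, pad)   # pad wrongly used twice
    leak = reused_pad_leak(c1, c2)
    print(leak == xor_bytes(p1, p2))       # relation holds without knowing the pad
    print(xor_bytes(leak, p1))             # anyone who knows p1 now reads p2
```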

Substitution Ciphers

- Each letter (or group) is replaced by another letter (group)

MONOALPHABETIC CIPHER
Each character is replaced by a corresponding character

CAESAR CIPHER
Circularly shift each letter three positions along in the alphabet, e.g. zebra -> CHEUD

- ROT13: Like Caesar but rotate 13 places. Used to hide offensive jokes, solutions to puzzles etc.

- BRUTE FORCE ATTACK
  CHEUD
  1  bgdtc
  2  afcsb
  3  zebra
  4  ydapz
  ...
  25 digve
- Algorithm known
- Only 25 keys
- What if Plaintext language is not easily recognisable?

Substitution Ciphers

- GENERAL MONOALPHABETIC CIPHERS
  Use a random mapping, e.g:
  abcedfghijklmnopqrstuvwxyz
  ESFNCRTBZLMVAYXUPKDJOWQGIH
  increases no of keys to 26! > 4*10^26
- HOMOPHONIC CIPHERS
  Each character has several ciphertext mappings, as many as its relative frequency
- POLYGRAM CIPHERS
  Map groups of characters, e.g. aly -> RTQ
- POLYALPHABETIC CIPHERS
  Vary monoalphabetic cipher during ciphering/deciphering procedure

ATTACKING GENERAL MONOALPHABETIC CIPHERS

- Consider nature of Plaintext, e.g. statistical properties.
- Frequency of letters
  e 12.75%
  t 9.25%
  r 8.50%
  n 7.75%
- Frequency of common words
- Repeating letters
- 2-letter combinations (digrams): th, in, er, re, an
- 3-letter combinations (trigrams): the, ing, and, ion

Rotor Machine

- E.g. ENIGMA MACHINE. Polyalphabetic Cipher
- Several interconnected substitution rotating cylinders.
- Example:

  Input  Rotor1  Rotor2  Rotor3  Output
  A      A->F    F->X    X->N    N
  Rotor 3 now shifts (its substitutions change)
  A      A->F    F->X    X->W    W
  Rotor 3 now shifts (its substitutions change)
  ...
  After 26 shifts by Rotor 3, it will be back to its original substitution. Rotor 2 now shifts.
  A      A->F    F->B    B->S    S

- With 3 rotors and 26 letters we have a period = 26^3 = 17,576 substitution alphabets
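The stepping scheme in the slide's example, as an added sketch (not part of the course material). The rotor wirings are constructed from a seeded shuffle and are not Enigma's, and like the slide's example there is no reflector or plugboard; all names are choices made here.

```python
import random
import string

ALPHA = string.ascii_uppercase

def make_rotors(n=3, seed=430):
    """Constructed wirings: each rotor is a random permutation of 0..25."""
    rng = random.Random(seed)
    rotors = []
    for _ in range(n):
        wiring = list(range(26))
        rng.shuffle(wiring)
        rotors.append(wiring)
    return rotors

def step(offsets):
    """The last rotor shifts every letter; after 26 shifts the one before it shifts."""
    offsets = list(offsets)
    for i in reversed(range(len(offsets))):
        offsets[i] = (offsets[i] + 1) % 26
        if offsets[i] != 0:
            break
    return offsets

def forward(rotors, offsets, x):
    """Input -> Rotor1 -> Rotor2 -> Rotor3 -> Output, each rotor at its offset."""
    for wiring, off in zip(rotors, offsets):
        x = (wiring[(x + off) % 26] - off) % 26
    return x

def backward(rotors, offsets, x):
    """Inverse path through the rotors, used for decryption."""
    for wiring, off in zip(reversed(rotors), reversed(offsets)):
        x = (wiring.index((x + off) % 26) - off) % 26
    return x

def crypt(rotors, text, decrypt=False):
    """Encrypt or decrypt A-Z text, stepping the rotors after every letter."""
    offsets, out = [0] * len(rotors), []
    route = backward if decrypt else forward
    for ch in text:
        out.append(ALPHA[route(rotors, offsets, ALPHA.index(ch))])
        offsets = step(offsets)
    return "".join(out)

def period(n_rotors=3):
    """Count letters typed until every rotor is back at its start position."""
    offsets, count = step([0] * n_rotors), 1
    while any(offsets):
        offsets, count = step(offsets), count + 1
    return count

if __name__ == "__main__":
    rotors = make_rotors()
    print(crypt(rotors, "AAAAAAAAAA"))   # one input letter, changing substitutions
    print(period())
```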

Transposition Ciphers

- Rearrange order of characters (permutation)
- SIMPLE COLUMNAR CIPHER
  Using a grid, write plaintext horizontally, read ciphertext vertically.

  P launchmissilesnow

    launch
    missil
    esnow

  C LMEAISUSNNSOCIWHL

- ATTACK ON COLUMNAR CIPHER
  Ciphertext has same letter frequencies as plaintext -> Easy
- MULTIPLE TRANSPOSITION CIPHERS
  Pass a plaintext through two or more transposition ciphers -> Much harder to attack.
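The slide's grid worked through in code, as an added example (not part of the course material). It handles the short last row when decrypting, checks the letter-frequency property the attack relies on, and lists every possible grid width to show how small the key space is; the function names and the second width of 4 are choices made here.

```python
from collections import Counter

def columnar_encrypt(plaintext, width):
    """Write the text in rows of `width`, then read the grid column by column."""
    rows = [plaintext[i:i + width] for i in range(0, len(plaintext), width)]
    return "".join(
        row[c] for c in range(width) for row in rows if c < len(row)
    ).upper()

def columnar_decrypt(ciphertext, width):
    """Rebuild the columns (the first few are one letter longer), read row by row."""
    full_rows, extra = divmod(len(ciphertext), width)
    columns, pos = [], 0
    for c in range(width):
        height = full_rows + (1 if c < extra else 0)
        columns.append(ciphertext[pos:pos + height])
        pos += height
    n_rows = full_rows + (1 if extra else 0)
    return "".join(
        col[r] for r in range(n_rows) for col in columns if r < len(col)
    ).lower()

def same_letter_frequencies(plaintext, ciphertext):
    """Transposition only moves letters, so the letter counts are identical."""
    return Counter(plaintext.lower()) == Counter(ciphertext.lower())

def candidates(ciphertext):
    """Every grid width is a key; there are fewer keys than letters."""
    return {w: columnar_decrypt(ciphertext, w) for w in range(2, len(ciphertext))}

if __name__ == "__main__":
    p = "launchmissilesnow"
    c = columnar_encrypt(p, 6)
    print(c, columnar_decrypt(c, 6), same_letter_frequencies(p, c))
    for width, text in candidates(c).items():
        print(width, text)
    twice = columnar_encrypt(c, 4)       # multiple transposition: second pass
    print(twice, columnar_decrypt(columnar_decrypt(twice, 4), 6))
```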

Cryptanalysis

“Discover” key, and/or plaintext if not known. We assume algorithm is known (Kerckhoffs's principle).

- CIPHERTEXT ONLY ATTACK: E -> C known
- KNOWN PLAINTEXT ATTACK: P known -> E -> C known
- CHOSEN PLAINTEXT ATTACK: P chosen -> E -> C generated
- CHOSEN CIPHERTEXT ATTACK: generated <- D <- C chosen

Cryptanalysis

EXAMPLES OF ATTACK

- Passive Attacks
- Active Attacks
- Brute Force
- Birthday
- Man-in-the-Middle
- Replay
- Cut & Paste
- Time Resetting
- Many more...

PRACTICAL CRYPTANALYSIS

Acquire a key by any means, e.g.

- Theft
- Bribery (“Purchase-Key” attack)
- Blackmail
- Torture
- Hypnosis

Cryptographic Strength

- UNCONDITIONALLY SECURE: No matter how much ciphertext is available, it is still not enough to infer the plaintext (even with infinite computational power). Only ONE-TIME PADS with random keys are unconditionally secure. Known as PERFECT SECRECY for encryption systems.
- PROVABLY SECURE: Cryptosystem shown to be as difficult to defeat as some supposedly difficult (number-theoretic) problem, e.g. factorisation of large primes. Has an equivalence proof.
- COMPUTATIONALLY INFEASIBLE (PRACTICALLY SECURE): Belief that cryptosystem cannot be broken with “available” resources; formalizations thereof exist already, e.g. “secure for any adversary with computational power in randomized polynomial time”

Cost & Timeliness

£ COST TO BREAK > £ VALUE OF INFORMATION

TIME TO BREAK > USEFUL LIFETIME OF INFORMATION

Reading

- Stallings. Chapter 2.

Cryptographic Design Vulnerabilities

Bruce Schneier IEEE Computer, Sept 98, p29-33

Security, ha ha ha

- Lock with 4 pins, each with 10 positions
- Burglar may need to try 10,000 combinations to guarantee success (brute-force attack)
- What if 10 pins? -> 10 billion positions
- Great, but....

A burglar could....

- Smash the windows
- Kick in the doors
- Masquerade as a policeman
- Threaten owner with violence
- etc....

- Better locks can’t help with these attacks
- Same is true for cryptography. Good/strong cryptography is important but not a panacea

Marketing hype

- “128-bit keys mean strong security”
- “40-bit keys are weak”
- “triple-DES is much stronger than single DES”

- Be wary of products making such statements/claims.
- Many products are buzzword-compliant: they use strong cryptography but aren’t particularly secure

Attacks against Design

- Cryptosystems use algorithms for encryption, digital signatures, one-way hash functions, random-numbers etc.
- Break any one and you can usually break the whole system!
- Cryptographic functions often have very narrow usage
- It’s very difficult to design a secure cryptosystem, even with good software engineers, e.g. Microsoft’s Point-to-Point-Tunneling Protocol (PPTP) used an inappropriate mode for the RC4 encryption algorithm, rendering it insecure

Attacks against Implementation

- Many cryptosystems fail because of mistakes in implementation, e.g. don’t securely destroy unencrypted text after encryption, have code that allows buffer overflow, have poor error checking and recovery
- “Trivial” code-optimisations can break security
- Implementation trade-offs, e.g. to enhance usability at the expense of security
- Systems that allow old keys to be recovered in an emergency

Attacks against Hardware

- Highly secure environments deploy tamper-resistant hardware, e.g. tokencards, smartcards
- Techniques/hardware to defeat them are also being developed, e.g. timing attack on RSA private keys measured relative times of cryptographic operations. Attacks that measure power consumption, radiation emissions, introduce faults and analyse effects
- Cost to Defeat Tamper Resistance >> Value of Data

Attacks against Trust Models

- Who or what in the system is trusted, in what way, and to what extent?
- Some commerce systems can be broken by a merchant and a customer colluding or two different customers colluding
- Many systems make poor assumptions, e.g. desktop is secure, network is secure, employees are trusted
- Design choices are sometimes ignored when it comes time to sell a product/system.

Attacks “on” Users

- Pass on password to colleagues
- Use same password on different systems
- Write random passwords on paper
- Don’t report missing smartcard
- Don’t change (weak) default settings
- Users need to be educated

Attacks against Failure Recovery

- Recovering the key for one file should not allow every file to be read
- Reverse-engineering one smart card should not reveal secret info in others
- Options which switch off security, or make it less secure
- Version rollback attack to insecure version

Attacks against Cryptography

- Proprietary algorithms/protocols -> invariably weak. Cryptanalysts are very good at breaking published algorithms, even better against proprietary ones!
- Keeping the algorithm secret doesn’t make much difference against determined opponents; algorithms can be reverse-engineered

Conclusion

- A good security product must defend against every possible attack, even attacks that haven’t been invented yet!
- Attackers often only need find one flaw in order to defeat a system.
- In addition, they can collude & conspire.
- They can wait for technology to give them the edge.
- But don’t worry - Cryptography is a lot of fun!!

Optional but Recommended Reading

Links to these papers and documents are provided on the 430 course home page.

- PriceWaterHouseCoopers’ 2010 Survey on the Global State of
- Ciphertext-only Cryptanalysis of the Enigma, by James J. Gillogly

Notes on Tutorial for Classical Cryptography

Michael Huth

www.doc.ic.ac.uk/~mrh/430/

Why is Keyless Encryption bad?

- Every group has own algorithm
- Can’t use Off-the-Shelf algorithm, no implementation choices
- Change group - change algorithm
- Key compromise - change algorithm
- Poor quality control - little or no peer review
- No standards
- Easy to reverse-engineer algorithm

- Kerckhoffs's principle - Assume algorithm is known, Secrecy should lie in keeping key secret.

What Encryption doesn’t handle **

- Destructive Attacks, Replay attacks
- Unencrypted documents, e.g. before encryption or after decryption
- Modification of encryption program
- Lost or Stolen keys or passwords
- Traitors
- Interception incl. Traffic Analysis
- Successful cryptanalysis

Steganography

The supply of game for London is going steadily up. Head keep Hudson, we believe, has been now told to receive all orders for fly paper and for preservations of your hen-pheasant's life.

"The Gloria Scott" Arthur Conan Doyle.

DECRYPT

BRUTE FORCE ATTACK WKXPEVXS Determine key for: E Q V

- C=E(P)=
- P=D(C)=

Freemason Cipher

[Figure: Freemason cipher key. Grid without dots: A B C / D E F / G H I; cross without dots: J K L M; grid with dots: N O P / Q R S / T U V; cross with dots: W X Y Z]

Decipher

[Figure: four Freemason cipher symbols to decipher: ? ? ? ?]

Transposition Ciphers

SNPLTDFKAUOS

End-to-End Encryption

[Diagram: P -> Ek at Node1 (Host) -> C -> Node2 -> Node3 -> C -> Dk at Node4 (Host) -> P]

Link-to-Link Encryption

[Diagram: P -> Ek1 at Node1 (Host) -> C1 -> Dk1, Ek2 at Node2 -> C2 -> Dk2, Ek3 at Node3 -> C3 -> Dk3 at Node4 (Host) -> P]

Link-to-Link vs End-to-End

Link-to-Link:

- Msg exposed in sending host & intermediate nodes
- Applied by sending host, host responsible for encryption
- Transparent to processes
- All messages usually encrypted
- Can be done in hardware
- Requires one key per link pair
- Provides host/node authentication

End-to-End:

- Msg encrypted in sending host & receiving nodes
- Applied by sending process, process responsible for encryption
- Process applies encryption
- Process decides when to encrypt
- Usually done in software
- Requires one key per process pair
- Provides application/user authentication

- More ciphertext -> easier
- Can hide more IP headers

Link-to-Link & End-to-End Encryption

[Diagram: network of hosts running processes P1, P2 and P3, connected through nodes (N), showing where the link-to-link and end-to-end encryption/decryption devices sit]