Course Overview Course Requirements EECS 498-7/8 ◊ www.citi.umich.edu/u/honey/security ◊ Cryptography and Network Security: Computer Security ◊ Monday & Friday, 9:00 – 10:30 Principles and Practice (Third Edition) Wednesday, 9:00 - 10:00 William Stallings 1005 Dow Prentice-Hall ISBN 0130914290 4 credits ◊ Weekly (or more) homework + programming ◊ EECS Technical Elective? Peter Honeyman assignments: 50% ◊ Presumably -- working on it. Center for Information Technology Integration ◊ Exams: 25% ea. Outline of Lectures Outline of Lectures Computer Security ◊ Models of security ◊ Number theory ◊ Host security & network security ◊ Asymmetric key cryptography ◊ Classical encryption ◊ Equally important ◊ Message authentication ◊ Substitution and transposition ciphers ◊ Often no clear boundary between them ◊ Digital signatures ◊ Symmetric key cryptography ◊ Examples ◊ Applications ◊ DES, AES, others ◊ Morris’ Internet worm ◊ Kerberos ◊ Confidentiality ◊ Mitnick’s attack on Shimomura ◊ SSL, X.509, and PKI ◊ Credit card theft from e-commerce sites ◊ Key distribution ◊ IPSec ◊ Random number generation ◊ Distributed denial of service attacks 1 X.800 Security Services X.800 Security Services X.800 Security Services ◊ Authentication ◊ Data confidentiality ◊ Data integrity ◊ ◊ Peer entity identification ◊ Protection from unauthorized disclosure Protection from unauthorized modification, insertion, deletion, replay ◊ Guards against masquerade and unauthorized replay ◊ Granularity ◊ Granularity ◊ Data origin ◊ Session ◊ Session, message, or field(s) ◊ Useful in connectionless communication ◊ Message ◊ Connection-oriented or connectionless ◊ Fields in a message ◊ Access control ◊ Detection and/or recovery ◊ Traffic analysis ◊ Prevent unauthorized use of resources ◊ Presupposes some sort of authentication X.800 Security Services X.800 Security Mechanisms Security Attacks ◊ Nonrepudiation ◊ Encryption ◊ Passive attacks ◊ Origin (sender) ◊ Digital signature ◊ Interception ◊ Traffic analysis ◊ Destination (receiver) ◊ Access control ◊ Data integrity ◊ Active attacks ◊ Availability ◊ Authentication exchange ◊ Masquerade ◊ Security? Reliability? ◊ Replay ◊ Traffic padding ◊ Content modification ◊ Routing control ◊ Denial of service ◊ Notarization 2 Model for Network Security Model for Network Security Designing a Security Service ◊ Principals ◊ Sender injects message, receiver extracts it ◊ Select an algorithm for the security-related ◊ Sender and receiver communicate over information transformation (cipher) ◊ Sender channel ◊ Generate the security-related information to be ◊ Receiver ◊ Sender and receiver provide security-related used by the algorithm (keys) ◊ Adversary information ◊ Select a method for distribution of security-related ◊ Trusted third party ◊ Possibly shared with or generated by T3P information (key distribution) ◊ Security-related transformation is applied to ◊ Select a protocol for the communicating principals message that uses the security algorithm (cryptographic ◊ Adversary may control information channel protocol) Classical Encryption Symmetric Key Cryptography Dimensions of Cryptography ◊ Symmetric, or single-key encryption ◊ Sender combines plaintext and key to produce ◊ Type of operations used in cipher ciphertext ◊ Substitution ◊ Model: Fig 2.1, p. 25 ◊ Called enciphering or encryption ◊ Transposition key ◊ Y = E(K, X) or Y = EK(X) ◊ Number of keys ◊ Receiver combines ciphertext and key to recover laintextplaintextpl Kdksfvkmv.dp [shk laintextplaintextpl aintextplaintextplai munhgsee22g49ghl;, aintextplaintextplai ◊ Symmetric vs. asymmetric ntextplaintextplaint ,g00f9kfckmcvlvvpn ntextplaintextplaint extplaintextplaintex ,.ddejrt6yo7074kdn extplaintextplaintex ciphertext tplaintextplaintext syug253tdbhbdjnfije tplaintextplaintext plaintextplaintextpl 88uyy4e6wews3srcf plaintextplaintextpl ◊ Plaintext processing aintextplaintextplai encrypt dbghk,k,lophp0u=k;’l decrypt aintextplaintextplai ◊ Called deciphering or decryption ntextplaintextplaint ’,.gkmfcubdyew6534 ntextplaintextplaint extplaintextplaintex uhd7dubfncvlfr0of9 extplaintextplaintex tplaintextplaintextp r5954r9d82512e5e tplaintextplaintextp ◊ Block cipher laintextplaintextplai 67ewppee[l;fmdfpk[f laintextplaintextplai ◊ X = D(K, Y) or X = DK(Y) ntextplaintextplaint fpfgmglndw83fxo93 ntextplaintextplaint extplaintextplaintex ckldoed0d23dcbndx extplaintextplaintex ◊ Stream cipher ◊ Cryptography is the study of ciphers 3 Cryptosystem Model Goals of Cryptanalysis Cryptanalytic Attacks ◊ Fig. 2.2, p. 26 augments earlier model in two ways ◊ Recover plaintext ◊ In all cases, cryptanalyst has complete knowledge of ◊ Key distribution via secure channel the cipher and some ciphertext to be decoded ◊ Adversary cryptanalyzes ciphertext ◊ Recover key ◊ Ciphertext only ◊ Adversary has complete information about the ◊ Most common attack encryption and decryption methods ◊ Known plaintext ◊ Only the key is secret ◊ Cryptanalyst has plaintext-ciphertext pair(s) ◊ Kerckhoff’s principle, 1883 ◊ Surprisingly easy to obtain or infer plaintext ◊ Necessary for any practical cipher ◊ Chosen plaintext ◊ Alternatively, refer to all the secret information as the key ◊ Cryptanalyst has plaintext-ciphertext pair(s) ◊ Example: gzip | dd conv=swab | tr -c ◊ Cryptanalyst (somehow) was able to select the plaintext and force its encryption Cryptanalysis Unconditionally Secure Cipher Computationally Secure Cipher ◊ Chosen ciphertext ◊ A cipher is unconditionally secure if no ◊ A cipher is computationally secure if ◊ Cryptanalyst has plaintext-ciphertext pair(s) amount of ciphertext suffices to determine ◊ The cost of breaking the cipher exceeds the value of the encrypted information, or ◊ Cryptanalyst (somehow) was able to select the uniquely the plaintext ◊ The time required to break the cipher exceeds ciphertext and force its decryption ◊ Shannon showed that there is only one cipher that the useful lifetime of the information ◊ Chosen text is unconditionally secure ◊ Key size plays an important role ◊ It is not practical in most instances ◊ Cryptanalyst is able to produce chosen plaintext ◊ So does computational power and chosen ciphertext pairs ◊ Table 2.2, p. 26 4 Exhaustive Search and Key Size Computationally Secure Cipher Substitution Ciphers Key @ 1 per msec @ 1 per picosec ◊ Note that DES can no longer be considered ◊ Plaintext characters are replaced by other plaintext characters according to some rule 32 bits 35.8 min 2.15 ms computationally secure ◊ Caesar cipher: E(C) = P + 3 (mod 26), D(P) = C - 3 ◊ Cracking DES: Secrets of Encryption 56 bits 1,142 years 10.01 hours (mod 26) Research, Wiretap Politics & Chip Design, ◊ ROT13: E(C) = P + 13 (mod 26), D = E 128 bits 5.4 ¥ 1024 5.4 ¥ 1018 Electronic Frontier Foundation, John Gilmore ◊ General Caesar cipher: E(C) = P + k (mod 26) years years (Editor), O'Reilly & Associates, ISBN: ◊ k is the key Substitution 6.4 ¥ 1012 6.4 ¥ 106 years ◊ Cryptanalysis: try k = 0, …, 25 years 1565925203 ◊ Works for known (or probable) plaintext Caesar Ciphers Monoalphabetic Substitution Cipher Polygram Substitution Cipher ◊ Cryptanalysis is easy because ◊ Let S = {A, B, …, Z} ◊ Playfair ◊ E(P P ) = C C through key-based 5 ¥ 5 transformation ◊ Algorithm is known i i+1 i i+1 ◊ Let P: S Æ S be a permutation table ◊ Only 26 keys to try ◊ Cryptanalysis: digram frequency ◊ Key space is now 26! ª 288 ◊ Known or probable plaintext ◊ Hill cipher ◊ Much too large to search ◊ Defeating cryptanalysis ◊ C = KP, where C and P are d-dimensional column vectors and K is a nonsingular d ¥ d matrix ◊ ◊ But this is still easy to cryptanalyze through Pre-scramble plaintext, e.g., compress it -1 ◊ P = K C ◊ Increase the key space letter frequency analysis ◊ Hides d-1 letter sequence analysis ◊ E(C) = P + k (mod 26), k = 0, …, 1,000,000? :-) ◊ ETAOINSHRDLU or something like that ◊ Easily broken with known plaintext 5 Polyalphabetic Substitution Cipher Periodic Substitution Ciphers Periodic Substitution Ciphers ◊ E: S Æ 2S, pick one ◊ Special class of polyalphabetic substitution ciphers ◊ Vigenère autokey system: after key is ◊ Typically a set of monoalphabetic substitution ◊ Example: Vigenère cipher exhausted, use plaintext for running key rules is used ◊ Each key letter determines one of 26 Caesar ciphers ◊ Can still detect regularities, e.g., E encrypted ◊ C = E(P ) = P + k ◊ Key determines which rule to use i i i i mod(key length) with E ◊ Given a sufficient amount of ciphertext, common sequences are repeated, exposing the period ◊ Frequently occurring letters in the key will be used to encrypt frequently occur plaintext letters Vernam Cipher Transposition Rotor Machines ◊ Key length equal to plaintext length ◊ Rail-fence technique ◊ Enigma, ca. WWII ◊ Ri-ec ehiu ◊ A.k.a. “one-time pad” alfnetcnqe ◊ Each rotor corresponds to a substitution ◊ Generalization: columnar technique ◊ Plaintext and ciphertext are statistically cipher ◊ Cuathq independent omrenu ◊ A one-rotor machine produces a ln cie ◊ Unconditionally secure (Shannon, 1948) ◊ Augment with permuted rows polyalphabetic cipher with period 26 ◊ Generalization: multiple transpositions ◊ Key generation and distribution are difficult ◊ Output of each rotor is input to next rotor ◊ Does not change letter frequencies 6 Rotor Machines Chapter 2 Homework Chapter 3 ◊ After each symbol, the “fast” rotor is ◊ Pick any five problems ◊ Simplified DES rotated ◊ Extra credit for more than five ◊ Block cipher principles ◊ After a full rotation, the adjacent rotor is ◊ DES rotated ◊ Block cipher modes of operation ◊ An n rotor machine