Advanced Topics in Network Security

Slide 1: Advanced Topics in Network Security, Lecture #11
Instructor: Sheau-Dong Lang, [email protected]
School of Electrical Engineering & Computer Science, University of Central Florida
(Slide footer on every page: Joohan Lee)

Slide 2: Confidentiality vs. Authentication
- Confidentiality: the protection of data from unauthorized disclosure. Encryption -> protection against passive attack.
- Authentication: the assurance that the communicating entity is the one that it claims to be.
- Requirements - must be able to verify that: the message came from the apparent source or author; the contents have not been altered; it was sent at a certain time or in a certain sequence.
- Protection against active attack (falsification of data and transactions).
- Message authentication is concerned with: protecting the integrity of a message; validating the identity of the originator; non-repudiation of origin (dispute resolution).

Slide 3: Attacks and Solutions
- Disclosure -> confidentiality: release of message contents to any person not possessing the appropriate cryptographic key.
- Traffic analysis -> confidentiality: discovery of the patterns of traffic between parties, e.g. frequency and duration of connections, number and length of messages.
- Masquerade -> authentication: insertion of messages into the network from a fraudulent source.
- Content modification -> authentication.
- Sequence modification -> authentication.
- Timing modification -> authentication: delay or replay of messages.
- Source repudiation -> authentication (digital signature): denial of transmission of a message by its source.
- Destination repudiation -> authentication (digital signature + protocol): denial of receipt of a message by the destination.

Slide 4: Authentication and Digital Signature
- Message authentication: a procedure to verify that received messages come from the alleged source and have not been altered.
- Digital signature: an authentication technique that also includes measures to counter repudiation by the source.

Slide 5: Approaches to Message Authentication
- Message encryption: authentication using conventional encryption. Only the sender and receiver should share a key; the ciphertext of the entire message serves as its authenticator.
- Hash functions: message authentication without message encryption. An authentication tag is generated and appended to each message. Use a hash function that maps a message of any length into a fixed-length hash value, which serves as the authenticator.
- Message authentication code: calculate the MAC as a function of the message and the key. Use of a hash function and a secret key that serves as the authenticator.

Slide 6: Authentication Using Message Encryption
- Message encryption by itself also provides a measure of authentication.
- If symmetric encryption is used, then the receiver knows the sender must have created the message, since only sender and receiver know the key used.
- The receiver also knows the contents cannot have been altered, provided the message has suitable structure, redundancy or a checksum to detect any changes.

Slide 7: Authentication Using Message Encryption (figure)

Slide 8: Authentication Using Message Encryption
- (Problem) Contents of the delivered ciphertext: how to decide whether incoming ciphertext decrypts to intelligible plaintext? Messages can be English text, binary object files, digitized X-rays, ... An opponent can achieve a certain level of disruption without knowing the private key.
- (Solution) Force the plaintext to have some structure that is easily recognized but that cannot be replicated without recourse to the encryption function.

Slide 9: Authentication Using Conventional Encryption
- Append an error-detection code, such as a frame check sequence or checksum, to each message before encryption.
- Any sort of structuring added to the transmitted message serves to strengthen the authentication capability.

Slide 10: Authentication Using Conventional Encryption
- Encrypt the whole TCP segment, including the checksum in the TCP header and the sequence number.
- This assures that the opponent does not delay, misorder, or delete any segments.
- How? -> If the opponent changes part of the TCP segment, the checksum or sequence number will be compromised.
- What if the attacker changes some other part but not the checksum? -> Then it will be detected by checking the checksum at the destination.

Slide 11: Authentication Using Conventional Encryption (figure: TCP segment)

Slide 12: Authentication Using Message Encryption
- If public-key encryption is used: encryption provides no confidence of sender, since anyone potentially knows the public key.
- However, if the sender signs the message using their private key and then encrypts with the recipient's public key, we have both secrecy and authentication.
- Again, corrupted messages need to be recognized.
- Can provide both confidentiality and authentication at the cost of two public-key uses on the message.

Slide 13: Authentication Using Message Encryption (figure)

Slide 14: Secret Key Assurance
- Authentication: use secret keys for authentication.
- Challenge and response: a way to know whether the sender/receiver is the genuine one.

Slide 15: Challenge and response (figure)
- Alice sends a challenge: she picks a number between 1 and 100, say 34, and challenges Bob to correctly encrypt 34. Only the secret key Alice shares with Bob will correctly encrypt 34. (Alice -> Bob: challenge 34)
- Bob responds: he encrypts 34. Say 34 encrypts to "%2". He sends %2 back to Alice. (Bob -> Alice: response %2)
- Alice finishes authenticating Bob: she also encrypts 34 to %2 and is assured it's Bob. Only their shared secret key encrypts 34 to %2.
- Bob also authenticates Alice: Bob challenges Alice in a similar way with a different number. (Bob -> Alice: challenge 76; Alice -> Bob: response a3)

Slide 16: Secret Key Assurance
- An authentication attack: what if somebody is listening to the challenges and responses and records them? The listener can impersonate Bob, as if he knew the challenge-response pairs, without knowing the shared private key.
- Solution: use a random number to choose a different challenge number every time.

Slide 17: Message Authentication Code (MAC)
- Generated by an algorithm that creates a small fixed-sized block, depending on both the message and some key.
- Like encryption, though it need not be reversible: the MAC function is a many-to-one function.
- Appended to a message as a signature.
- The receiver performs the same computation on the message and checks that it matches the MAC.
- Provides assurance that the message is unaltered and comes from the sender.

Slide 18: Message Authentication Code (MAC) (figure)

Slide 19: Message Authentication Code (MAC)
- N bits: size of the message = 2^N possible messages.
- n bits: size of the MAC = 2^n possible MACs.
- k bits: size of the key = 2^k possible keys.
- Usually 2^N >> 2^n and, considering the additional complexity of keys, the authentication function is much harder to break than encryption.
- (e.g.) 100-bit messages and a 10-bit MAC: each MAC value is generated by a total of 2^100 / 2^10 = 2^90 different messages -> each MAC can represent 2^90 different messages.

Slide 20: Message Authentication Codes
- As shown, the MAC provides authentication (Fig 11.4a).
- Can we also use encryption for secrecy? Generally use separate keys for each. The MAC can be computed either before or after encryption; "before" (based on plaintext) is generally regarded as better than "after" (based on ciphertext).
- Note that a MAC is not a digital signature, because both sender and receiver share the same key.

Slide 21: Message Authentication Codes
- Encryption provides basic authentication, so why use a MAC?
- Sometimes only authentication is needed: broadcast announcements; a heavy load of message communication that cannot afford decryption/encryption.
- Sometimes authentication needs to persist longer than the encryption (e.g. archival use).
- Checking the integrity of a program, e.g. the NIST database of software with MACs.

Slide 22: Message Authentication Code (MAC) (figure: MAC calculated on plaintext; MAC calculated on ciphertext)

Slide 23: MAC Properties
- A MAC is a cryptographic checksum: MAC = C_K(M) condenses a variable-length message M, using a secret key K, to a fixed-sized authenticator.
- It is a many-to-one function: potentially many messages have the same MAC, but finding these needs to be very difficult.

Slide 24: Requirements for MACs
- Consider symmetric/asymmetric encryption: for a k-bit key, on average 2^k / 2 = 2^(k-1) attempts are needed for a brute-force attack.
- In the case of a MAC it's entirely different. N: message size, k: key size, n: MAC size.
- 2^k MACs can be produced for the same input message M, but there are only 2^n (< 2^k) different MAC values -> the same MAC can be produced from 2^(N-n) different messages -> different keys may produce the same MAC; on average 2^(k-n) keys will produce a match -> the attacker has no way of knowing which is the correct key.

Slide 25: Requirements for MACs
- The attacker must iterate. Round 1: Given M1, MAC1 = C_K(M1)
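The challenge-response exchange of slides 14 to 16 as an added Python example; this code is not part of the lecture slides. It uses HMAC-SHA256 in place of the slide's "encrypt the challenge" step (an assumption of the example, giving the same property that only a key holder can answer), and the key, the `Verifier` class and the function names are this example's own. `replay_succeeds` reproduces the slide-16 observation: a passive listener who recorded one exchange is accepted when the verifier reuses the fixed challenge 34, and rejected when each run draws a fresh random nonce.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret for this demonstration only.
SHARED_KEY = b"demo-shared-secret-alice-bob"


def respond(key: bytes, challenge: bytes) -> bytes:
    """Prover side. The slide 'encrypts' the challenge with the shared key; this
    example uses HMAC-SHA256 instead (an assumption of the example), which gives
    the property the protocol relies on: only a key holder can produce the answer."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def verify(key: bytes, challenge: bytes, response: bytes) -> bool:
    """Verifier side: recompute the expected response and compare in constant time."""
    return hmac.compare_digest(respond(key, challenge), response)


class Verifier:
    """Issues challenges. fresh=False reuses the slide's fixed challenge '34';
    fresh=True draws a random 128-bit nonce for every run (slide 16's fix)."""

    def __init__(self, key: bytes, fresh: bool):
        self.key = key
        self.fresh = fresh

    def challenge(self) -> bytes:
        return secrets.token_bytes(16) if self.fresh else b"34"

    def accepts(self, challenge: bytes, response: bytes) -> bool:
        return verify(self.key, challenge, response)


def mutual_authentication(key: bytes) -> bool:
    """Slide 15's full exchange: Alice challenges Bob, then Bob challenges Alice."""
    alice, bob = Verifier(key, fresh=True), Verifier(key, fresh=True)
    c_a = alice.challenge()
    ok_bob = alice.accepts(c_a, respond(key, c_a))    # Alice authenticates Bob
    c_b = bob.challenge()
    ok_alice = bob.accepts(c_b, respond(key, c_b))    # Bob authenticates Alice
    return ok_bob and ok_alice


def replay_succeeds(fresh: bool) -> bool:
    """Slide 16's scenario: a passive listener records one legitimate exchange and
    later answers a new challenge purely from the recording, never holding the key.
    Returns True if the verifier is fooled."""
    verifier = Verifier(SHARED_KEY, fresh)
    # Legitimate run, visible on the wire.
    c1 = verifier.challenge()
    r1 = respond(SHARED_KEY, c1)
    assert verifier.accepts(c1, r1)
    transcript = {c1: r1}
    # Later run: the impersonator can only look up the recorded answer.
    c2 = verifier.challenge()
    replayed = transcript.get(c2)
    return replayed is not None and verifier.accepts(c2, replayed)


if __name__ == "__main__":
    print("mutual auth:", mutual_authentication(SHARED_KEY))
    print("replay vs fixed challenge:", replay_succeeds(fresh=False))
    print("replay vs random nonce:", replay_succeeds(fresh=True))
```

The verifier never sends the key and never accepts a response it cannot recompute itself; the only thing the nonce changes is whether an old transcript is still a valid answer.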
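The MAC of slides 17, 20, 22 and 23 as an added Python example, not code from the lecture. `mac` and `verify_mac` are the C_K(M) computation and the receiver's recompute-and-compare step; the two `seal_*`/`open_*` pairs are the two arrangements of slide 22, MAC over the plaintext versus MAC over the ciphertext, each with separate encryption and MAC keys as slide 20 recommends. The keystream cipher, key values and message are constructed for the example (the XOR keystream is a toy to keep the code dependency-free, not a real cipher); `flip_byte` stands in for an in-transit modification so the rejection path can be exercised.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32     # HMAC-SHA256 output length
NONCE_LEN = 16


def mac(key: bytes, data: bytes) -> bytes:
    """C_K(M): a fixed-size authenticator over variable-length data (slide 23)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_mac(key: bytes, data: bytes, tag: bytes) -> bool:
    """Receiver recomputes the MAC and compares in constant time (slide 17)."""
    return hmac.compare_digest(mac(key, data), tag)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (assumption of this example, not a real cipher): HMAC of a counter."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


toy_decrypt = toy_encrypt


def seal_mac_on_plaintext(enc_key: bytes, mac_key: bytes, msg: bytes, nonce: bytes = None) -> bytes:
    """Slide 22, left: MAC over the plaintext, then encrypt message||tag."""
    nonce = nonce or secrets.token_bytes(NONCE_LEN)
    return nonce + toy_encrypt(enc_key, nonce, msg + mac(mac_key, msg))


def open_mac_on_plaintext(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Decrypt first, then check the tag. Returns the message, or None if rejected."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    pt = toy_decrypt(enc_key, nonce, body)
    msg, tag = pt[:-TAG_LEN], pt[-TAG_LEN:]
    return msg if verify_mac(mac_key, msg, tag) else None


def seal_mac_on_ciphertext(enc_key: bytes, mac_key: bytes, msg: bytes, nonce: bytes = None) -> bytes:
    """Slide 22, right: encrypt, then MAC over nonce||ciphertext."""
    nonce = nonce or secrets.token_bytes(NONCE_LEN)
    ct = nonce + toy_encrypt(enc_key, nonce, msg)
    return ct + mac(mac_key, ct)


def open_mac_on_ciphertext(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Check the tag before decrypting anything. Returns the message, or None if rejected."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not verify_mac(mac_key, ct, tag):
        return None
    return toy_decrypt(enc_key, ct[:NONCE_LEN], ct[NONCE_LEN:])


def flip_byte(blob: bytes, index: int) -> bytes:
    """Constructed in-transit modification: invert one bit of the blob."""
    return blob[:index] + bytes([blob[index] ^ 0x01]) + blob[index + 1:]


# Constructed keys and message; encryption and MAC keys are deliberately distinct.
ENC_KEY = b"demo-encryption-key"
MAC_KEY = b"demo-mac-key"
MESSAGE = b"transfer 100 to account 42"

if __name__ == "__main__":
    sealed = seal_mac_on_ciphertext(ENC_KEY, MAC_KEY, MESSAGE)
    print("intact:", open_mac_on_ciphertext(ENC_KEY, MAC_KEY, sealed))
    print("modified:", open_mac_on_ciphertext(ENC_KEY, MAC_KEY, flip_byte(sealed, 20)))
```

In both arrangements a single flipped bit in transit makes the receiver return None; the practical difference visible in the code is that with the MAC over the ciphertext the receiver can reject the message before running the decryption at all.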
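The counting argument of slides 19, 24 and 25 worked through in Python, as an added example rather than material from the lecture. The MAC is a constructed toy (HMAC-SHA256 truncated to MAC_BITS bits over a key space small enough to enumerate) so that the quantities the slides state, 2^(N-n) messages per tag and 2^(k-n) keys per tag, can be checked against an actual count; `brute_force_rounds` is slide 25's iteration, where each intercepted (M_i, MAC_i) pair shrinks the candidate key set by roughly a factor of 2^n. The key value, message strings and all function names are this example's own.

```python
import hashlib
import hmac

KEY_BITS = 12    # k: 2^12 = 4096 keys, small enough to enumerate in the example
MAC_BITS = 4     # n: 2^4 = 16 possible tag values


def toy_mac(key: int, msg: bytes) -> int:
    """n-bit MAC: HMAC-SHA256 truncated to MAC_BITS (assumption of the example)."""
    digest = hmac.new(key.to_bytes(2, "big"), msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:2], "big") & ((1 << MAC_BITS) - 1)


def messages_per_tag(N: int, n: int) -> int:
    """Slide 19: number of N-bit messages that share one n-bit tag, 2^N / 2^n."""
    return 2 ** (N - n)


def keys_per_tag(k: int, n: int) -> int:
    """Slide 24: expected number of k-bit keys that reproduce a given n-bit tag, 2^(k-n)."""
    return 2 ** (k - n)


def consistent_keys(candidates, msg: bytes, observed: int) -> list:
    """Keys in `candidates` that map msg to the observed tag."""
    return [key for key in candidates if toy_mac(key, msg) == observed]


def brute_force_rounds(true_key: int, messages: list) -> tuple:
    """Slide 25's iteration: in each round the attacker learns one (M_i, MAC_i)
    pair and keeps only the keys consistent with every pair seen so far.
    Returns the candidate-set size after each round and the final candidate list."""
    candidates = list(range(2 ** KEY_BITS))
    sizes = []
    for msg in messages:
        candidates = consistent_keys(candidates, msg, toy_mac(true_key, msg))
        sizes.append(len(candidates))
    return sizes, candidates


TRUE_KEY = 0xABC                                   # constructed secret key
ROUND_MESSAGES = [b"M1", b"M2", b"M3", b"M4"]      # constructed intercepted messages

if __name__ == "__main__":
    sizes, final = brute_force_rounds(TRUE_KEY, ROUND_MESSAGES)
    print("expected keys per tag after round 1:", keys_per_tag(KEY_BITS, MAC_BITS))
    print("candidates after each round:", sizes)
    print("true key still among candidates:", TRUE_KEY in final)
```

After the first round about 256 of the 4096 keys reproduce MAC1, exactly the 2^(k-n) the slide predicts, so one pair tells the attacker nothing about which key is right; the set only converges on the true key after several more pairs, which is why the slides treat the MAC size n and the key size k as separate design parameters.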
