Internet Design Decisions and Security Secure Communication with an Origin as a small and cooperative network Insecure Internet Infrastructure (=> largely trusted infrastructure) Global Addressing (=> every sociopath is your next-door neighbor*) Connection-less datagram service (=> can’t verify source, hard to protect bandwidth) * Dan Geer Internet Design Decisions and Security Our “Narrow” Focus Yes: Anyone can connect Protecting network resources and limiting (=> ANYONE can connect) connectivityy( (Last time) Millions of hosts run nearly identical software Creating a “secure channel” for communication (=> single exploit can create epidemic) (today) Most Internet users know about as much as No: Senator Stevens aka “the tubes guy” Preventing software vulnerabilities & malware, or (=> God help us all…) “social engineering”. Secure Communication with an Untrusted Secure Communication with an Untrusted Infrastructure Infrastructure Mallory Bob Bob ISP D ISP D ISP B ISP B ISP C ISP C ISP A ISP A Alice Alice Secure Communication with an Untrusted What do we need for a secure Infrastructure communication channel? Authentication (Who am I talking to?) ISP D ISP B Confidentiality (Is my data hidden?) ISP C ISP A Integrity (Has my data been modified?) Alice Hello, I’m “Bob” Availability (Can I reach the destination?) What is cryptography? What is cryptography? "cryptography is about communication in the Tools to help us build secure communication presence of adversaries." channels that provide: - Ron Rivest 1) Authentication “t“cryptograp hiihy is using ma thdthth and other crazy 2) In tegrit y tricks to approximate magic” 3) Confidentiality - UkUnknown 441TA441 TA Cryptography As a Tool The Great Divide Symmetric Crypto Asymmetric Crypto (Private key) (Public key) Using cryptography securely is not simple (S)(E.g., AES) (E.g., RSA) Designing cryptographic schemes correctly is near impossible. Shared secret between parties? Yes No TdToday we want tt to gi ve you an idea o f wh htat can be done with cryptography. Ta ke a securit y course if you thi n k you may Speed of crypto Fast Slow use it in the future (e.g. 18-487) operations Symmetric Key: Confidentiality Symmetric Key: Confidentiality Motivating Example: One-time Pad (OTP) is secure but usually impactical You and a friend share a key K of L random bits, and Key is as long at the message want to secretly share message M also L bits long. Keys cannot be reused (why?) Scheme: You send her the xor(M,K) and then she “decrypts” In practice, two types of ciphers are used using xor(M,K) again. that require constant length keys: Stream Ciphers: Block Ciphers: 1) Do you get the right message to your friend? Ex: RC4, A5 Ex: DES , AES , Blowfish 2) Can an adversary recover the message M? 3) Can adversary recover the key K? Symmetric Key: Confidentiality Symmetric Key: Confidentiality Stream Ciphers (ex: RC4) Block Ciphers (ex: AES) (fixed block size, Block 1 Block 2 Block 3 Block 4 e.g. 128 bits) Alice: PRNG Pseudo-Random stream of L bits XOR K A-B Message of Length L bits Round #1 Round #2 Round #n = Encrypted Ciphertext Alice: K A-B Block 1 Block 2 Block 3 Block 4 Bob uses KA-B as PRNG seed, and XORs encrypted text to get the message back (just like OTP). Bob breaks the ciphertext into blocks, feeds it through dtiiiKdecryption engine using KA-B tthto recover the message. Cryptographic Hash Functions Symmetric Key: Integrity Consistent hash(X) always yields same result Hash Message Authentication Code (HMAC) One-way Step #1: Message gg,iven Y, can’t find X s.t. hash( ()X) = Y Alice creates Hash Fn MAC MAC Collision resistant K A-B given hash(W) = Z, can’t find X such that hash(X) = Z Alice Transmits Message & MAC S#2Step #2 S#3Step #3 Bob computes MAC with message and K to verify. MAC Message A-B Fixed Size Message of arbitrary length Hash Fn Hash Why is this secure? How do properties of a hash function help us? Symmetric Key: Authentication Symmetric Key: Authentication What if Mallory overhears the hash sent by Bob, and You already know how to do this! then “replays” it later? (hint: think about how we showed integrity) ISP D ISP B I am Bob Hash Fn A43FF234 ISP C K A-B ISP A HllI’Hello, I’m whoops! Bob. Here’s Alice receives the hash, computes a hash with KA-B , and she A43FF234 knows the sender is Bob the hash to “prove” it Symmetric Key: Authentication Symmetric Key: Authentication A “Nonce” A “Nonce” A random bitstring used only once. Alice sends nonce to A random bitstring used only once. Alice sends nonce to Bob as a “challenge”. Bob Replies with “fresh” MAC result. Bob as a “challenge”. Bob Replies with “fresh” MAC result. Nonce Nonce ?!?! Alice Bob Alice Nonce Mallory Hash B4FE64 If Alice sends Mallory a nonce, K B4FE64 A-B she cannot compute the Performs same corresponding MAC without K A-B hash with KA-B and compares results Symmetric Key Crypto Review Diffie-Hellman key exchange Confidentiality: Stream & Block Ciphers An early (1976) way to create a shared Integrity: HMAC secret. Authentication: HMAC and Nonce Everyone knows a prime, p, and a generator, g. Questions?? Alice and Bob want to share a secret, but only have internet to communicate over. Are we done? Not Really: 1) Number of keys scales as O(n2) 2) How to securely share keys in the first place? DH key exchange DH key exchange & Man-In-The-Middle Everyone: large prime p and generator g Create secret: a SdBbSend Bob: ga mod p c ga mod p g mod p Create secret: b Bob Alice Send Alice: gb mod p gc mod p gb mod p Compute: (gb mod p)a Compute: (ga mod p)b Voila: They both know gab which is secret! Asymmetric Key Crypto: Asymmetric Key Crypto: It is believed to be computationally unfeasible Instead of shared keys, each person has a -1 “key pair” to derive KB from KB or to find any way to get -1 KB Bob’s public key M from KB(M) other than using KB . -1 KB Bob’s private key => KB can safely be made public. -1 Note: We will not explain the computation that KB(m) entails, but rather The keys are inverses, so: KB (KB (m)) = m trea t these func tions as blac k boxes w ith the des ire d proper ties. Asymmetric Key: Confidentiality Asymmetric Key: Sign & Verify If we are given a message M, and a value S Bob’s public suchthtKh that KB(S) = M, w ha t can we conc lu de ? KB key Bob’s private -1 KB key The message must be from Bob, because it must be -1 -1 the case that S = KB (M), and only Bob has KB ! encryption ciphertext decryption plaintext algorithm algorithm message This gives us two primitives: KB (()m) m=Km = K -1 (K (m)) B B -1 Sign (M) = KB (M) = Signature S Verify (S, M) = test( KB(S) == M ) Asymmetric Key: Integrity & Authentication Asymmetric Key Review: We can use Sign() and Verify() in a similar Confidentiality: Encrypt with Public Key of manner as our HMAC in symmetric schemes. Receiver Integrity: Sign message with private key of S = Sign(M) Message M Integrity: the sender RiReceiver must on lhkVif(MS)ly check Verify(M, S) Authentication: Entity being authenticated signs a nonce with private key, signature is Nonce Authentication: then verified with the public key S = Sign(Nonce) But, these operations are computationally expensive* Verify(Nonce, S) One last “little detail”… Symmetric Key Distribution How do I ggyet these keys in the first p lace?? How does Andrew do this? Remember: Symmetric key primitives assumed Alice and Bob Andrew Uses Kerberos, which relies on a had already shared a key. Key Distribution Center (KDC) to establish Asymmetric key primitives assumed Alice knew Bob’s public key. shared symmetric keys. This may work with friends, but when was the last time you saw Amazon.com walking down the street? Key Distribution Center (KDC) Key Distribution Center (KDC) Alice, Bob need shared symmetric key. Q: How does KDC allow Bob, Alice to determine shared KDC: server shares different secret key with each symmetric secret key to communicate with each other? registered user (many users) KDC generates Alice, Bob know own symmetric keys, KA-KDC KB-KDC , KA-KDC(A,B) R1 for communicating with KDC. KDC Alice KA-KDC(R1, KB-KDC(A,R1) ) Bob knows to KP-KDC knows KA-KDC use R1 to KX-KDC R1 K (A,R1) communicate K K B-KDC P-KDC B-KDC with Alice KY-KDC KZ-KDC Alice and Bob communicate: using R1 as KB-KDC KA-KDC session key for shared symmetric encryption How Useful is a KDC? Certification Authorities Certification authority (CA): binds public key to Must always be online to support secure particu lar en tity, E. communication An entity E registers its public key with CA. KDC can expose our session keys to others! E provides “proof of identity ” to CA. CA creates certificate binding E to its public key. Centralized trust and point of failure. Certificate contains E’s public key AND the CA’s signature of E’s public key. In practice, the KDC model is mostly used Bob’s CA public generates K key B within s ing le organ iza tions (e.g. Ker beros ) KB S = Sign(KB) CA certificate = Bob’s but not more widely. private public key and Bob’s K-1 iden tify ing key CA signatu re by CA information Certification Authorities Certificate Contents info algorithm and key value itself (not shown) When Alice wants Bob’s public key: Gets Bob ’s certificate (Bob or elsewhere).