Network Security • Classic properties of secure systems: Network Security Principles, •Confidentiality • Encrypt message so only sender and receiver can Symmetric Key Cryptography, understand it. Public Key Cryptography • Authentication • Both sender and receiver need to verify the identity of the other party in a communication: are Modified by Xiuzhen Cheng you really who you claim to be? Originally provided by Professor •Authorization • Does a party with a verified identity have Rick Han ([email protected]) at permission to access (r/w/x/…) information? Gets the University of Colorado at into access control policies. Boulder Network Security (2) Cryptography • Classic properties of secure systems: (cont.) plaintext ciphertext plaintext •Integrity Encryption Decryption • During a communication, can both sender and receiver detect whether a message has been • Encryption algorithm also called a cipher altered? • Cryptography has evolved so that modern • Non-Repudiation encryption and decryption use secret keys • Originator of a communication can’t deny later • Only have to protect the keys! => Key distribution that the communication never took place problem • Availability • Cryptographic algorithms can be openly published • Guaranteeing access to legitimate users. plaintext ciphertext plaintext Prevention of Denial-of-Service (DOS) attacks. Encryption Decryption Key KA Key KB Cryptography (2) Cryptography (3) • Cryptography throughout history: • Cryptanalysis – Type of attacks: • Julius Caesar cipher: replaced each character by a • Brute force: try every key character cyclically shifted to the left. • Ciphertext-only attack: Weakness? • Attacker knows ciphertext of several messages • Easy to attack by looking at frequency of characters encrypted with same key (but doesn’t know plaintext). • Possible to recover plaintext (also possible to deduce • Mary Queen of Scots: put to key) by looking at frequency of ciphertext letters death for treason after Queen • Known-plaintext attack: Elizabeth’s I’s spymaster cracked • Attacker observes pairs of plaintext/ciphertext her encryption code encrypted with same key. • WWII: Allies break German • Possible to deduce key and/or devise algorithm to Enigma code and Japanese naval decrypt ciphertext. code • Enigma code machine (right) 1 Principles of Confusion and Cryptography (4) Diffusion • Cryptanalysis – Type of attacks: plaintext ciphertext plaintext • Chosen-plaintext attack: Encryption Decryption • Attacker can choose the plaintext and look at the paired ciphertext. • Attacker has more control than known-plaintext attack and may be able to gain more info about key Key KA Key KB • Adaptive Chosen-Plaintext attack: • Terms courtesy of Claude Shannon, father of • Attacker chooses a series of plaintexts, basing the next Information Theory plaintext on the result of previous encryption • Differential cryptanalysis – very powerful attacking tool • “Confusion” = Substitution • But DES is resistant to it •a -> b • Cryptanalysis attacks often exploit the •Caesar cipher redundancy of natural language • “Diffusion” = Transposition or Permutation • Lossless compression before encryption removes •abcd-> dacb redundancy •DES Principles of Confusion and Principles of Confusion and Diffusion (2) Diffusion (3) • “Confusion” : a classical Substitution Cipher • “Diffusion” : a classical Transposition cipher Courtesy: Courtesy: Andreas Andreas Steffen Steffen • Modern substitution ciphers take in N bits and • modern Transposition ciphers take in N bits and substitute N bits using lookup table: called S- permute using lookup table : called P-Boxes Boxes Symmetric-Key Cryptography Symmetric-Key Cryptography (2) plaintext ciphertext plaintext Encryption Decryption • DES • 64-bit input is permuted • 16 stages of identical Key KA Key KB=KA operation • differ in the 48-bit Secure Key Distribution key extracted from 56-bit key - complex •R2= “R1 is encrypted • Both sender and receiver keys are the same: KA=KB with K1 and XOR’d • The keys must be kept secret and securely with L1” distributed – we’ll study this later •L2=R1, … • Thus, also called “Secret Key Cryptography” • Final inverse permutation • Data Encryption Standard (DES) stage 2 Symmetric-Key Cryptography (3) Symmetric-Key Cryptography (4) • Data Encryption Standard (DES) • DES is an example of a block cipher • Encodes plaintext in 64-bit chunks using a 64-bit key • Divide input bit stream into n-bit sections, encrypt (56 bits + 8 bits parity) only that section, no dependency/history between • Uses a combination of diffusion and confusion to sections achieve security •abcdÆ dbac • Was cracked in 1997 • Parallel attack – exhaustively search key space • Triple-DES: put the output of DES back as input into Courtesy: DES again with a different key, loop again: 3*56 = 168 Andreas bit key Steffen • Decryption in DES – it’s symmetric! Use KA again as • In a good block cipher, each output bit is a input and then the same keys except in reverse order function of all n input bits and all k key bits • Advanced Encryption Standard (AES) successor Symmetric-Key Cryptography (5) Symmetric-Key Cryptography (6) • Electronic Code Book (ECB) mode for block • Cipher Block Chaining (CBC) mode for block ciphers of a long digital sequence ciphers • Inhibits replay attacks and codebook building: identical • Vulnerable to replay attacks: if an attacker thinks block input plaintext Pi =Pk won’t result in same output code due to memory-based chaining C2 corresponds to $ amount, then substitute another Ck • IV = Initialization Vector – use only once • Attacker can also build a codebook of <Ck, guessed Pk> pairs Symmetric-Key Cryptography (7) Symmetric-Key Cryptography (8) • Stream ciphers • RC4 stream cipher by Ron Rivest of RSA Data Security Inc. – used in 802.11b’s security • Block ciphers vs. stream ciphers • Stream ciphers work at bit-level and were originally implemented in hardware => fast! • Block ciphers work at word-level and were originally implemented in software => not as fast • Error in a stream cipher only affects one bit • Rather than divide bit stream into discrete blocks, as • Error in a block cipher in CBC mode affects two block ciphers do, XOR each bit of your plaintext blocks continuous stream with a bit from a pseudo-random • Distinction is blurring: sequence • Stream ciphers can be efficiently implemented in software • At receiver, use same symmetric key, XOR again to • Block ciphers getting faster extract plaintext 3 Symmetric-Key Cryptography (9) Symmetric Key Distribution • Symmetric key is propagated to both endpoints A & B via Diffie-Hellman key exchange algorithm •Key distribution • A & B agree on a large prime modulus n, a “primitive • Public key via trusted Certificate element” g, and a one-way function f(x)=gx mod n Authorities • n and g are publicly known • Symmetric key? • A chooses a large random int a and sends B AA=ga mod n • Diffie-Helman Key Exchange • B chooses a large random int b and sends A BB= gb • Public key, then secret key (e.g. SSL) mod n • Symmetric Key distribution via a KDC (Key • A & B compute secret key S = gba mod n Distribution Center) •Since x=f-1(y) is difficult to compute, then observer who knows AA, BB, n, g and f will not be able to deduce the product ab and hence S is secure Symmetric Key Distribution (2) Symmetric Key Distribution (3) • Symmetric Key distribution via a KDC (Key Distribution Center) • KDC is a server (trusted 3rd party) sharing a different symmetric key with each registered user • Alice wants to talk with Bob, and sends encrypted request to KDC, K (Alice,Bob) A-KDC m= • KDC generates a one-time shared secret key R1 • KDC encrypts Alice’s identity and R1 with Bob’s secret key, let m= KB-KDC(Alice,R1) • KDC sends to Alice both R1 and m, encrypted with Alice’s key: i.e. KA-KDC(R1, KB-KDC(Alice,R1)) • Kerberos authentication basically follows this • Alice decrypts message, extracting R1 and m. Alice KDC trusted 3rd party approach sends m to Bob. • In Kerberos, the message m is called a ticket and • Bob decrypts m and now has the session key R1 has an expiration time Public-Key Cryptography Public-Key Cryptography (2) plaintext ciphertext plaintext plaintext ciphertext plaintext Encryption Decryption Encryption Decryption Key KPUBLIC Key KPRIVATE Key KPUBLIC Key KPRIVATE • For over 2000 years, from Caesar to 1970s, Public Key Distribution Secure Key encrypted communication required both sides to share a common secret key => key distribution problems! • Diffie and Hellman in 1976 invented asymmetric public • Host (receiver) who wants data sent to it in key cryptography – elegant, revolutionary! encrypted fashion advertises a public encryption key • Sender’s key differs from receiver’s key Kpublic • Sender encrypts with public key • Simplifies key distribution – just protect Kprivate • Useful for authentication as well as encryption • Receiver decrypts with private key 4 Public-Key Cryptography (3) Public-Key Cryptography (4) plaintext ciphertext plaintext • Decryption algorithm has the property that only a Encryption Decryption private key Kprivate can decrypt the ciphertext • Based on the difficulty of factoring the product of two prime #’s Key KPUBLIC Key KPRIVATE • Example: RSA algorithm (Rivest, Shamir, Adleman) • Choose 2 large prime #’s p and q Public Key Distribution Secure Key • n=p*q should be about 1024 bits long • z=(p-1)*(q-1) • Decryption algorithm has the property that • Choose e<n with no common factors with z • only a private key Kprivate can decrypt the • Find d such that (e*d) mod