
Some Backgrounds on
Network Security
Rocky K. C. Chang
12 February 2003
1
Purposes of network security
• Four main purposes (or services):
– Secrecy (or confidentiality): Prevent others from reading
information shared between two participants.
– Authentication: Verifying someone’s or something’s identity.
– Message integrity: Assure that the message received has not
been altered since it was generated by a legitimate source.
– Nonrepudiation: A sender should not be able to falsely deny
later that he sent a message.
• Two approaches:
– Secrecy of the cryptographic algorithm (restricted algorithm)
– The cryptographic algorithm is not a secret, but the key is.
2
Types of attacks
• Passive attacks (eavesdropping), e.g.,
– ciphertext-only attacks
– known-plaintext attacks
– chosen-plaintext attacks
• Active attacks, e.g.,
– pretend to be someone else
– introduce new messages in the protocol
– delete existing messages
– substitute one message for another
– replay old messages
3
Scope of consideration
• Scope:
– Concern mainly communication between two parties (group
communication security will be discussed later).
– Concern attacks against protocols, not those against
cryptographic algorithms or cryptographic techniques used
to implement the algorithms.
• Other network security issues
– Infrastructure security, i.e. attacks on routers, DNS root
servers, etc.
– Worms and viruses
– Distributed DDoS attacks (DoS attacks will be considered
though)
– System security
4
Three cryptographic functions
• Hash functions: require 0 key
• Secret key functions: require 1 key
• Public key functions: require 2 keys
Figure: the three function types (secret key functions, public key functions, hash functions) mapped to the four services (secrecy, authentication, message integrity, nonrepudiation).
5
Secret key (symmetric) cryptography
• Given:
– Alice and Bob agree on a secret key cryptosystem.
– Alice and Bob agree on a key (secret).
• Encryption and decryption using the key.
– M --> EK(M) --> DK(EK(M)) --> M
• Problems:
– Keys must be distributed in secret.
– Compromising keys means compromising all aspects of
security.
– The number of keys is not scalable to the user population
size.
6
Secret key cryptography algorithms
• Data Encryption Standard (DES), International Data Encryption
Algorithm (IDEA), and Advanced Encryption Standard (AES)
• Example: DES, a 64-bit block cipher
– There is no mathematical proof that DES is secure.
– Two techniques used: confusion and diffusion.
– The only approach is to search the entire key space.
• When a message is longer than 64 bits (one block), use cipher block
chaining (CBC).
– The ciphertext for block i is XORed with the plaintext for block i+1
before running it through DES.
– An initialization vector (IV) is used in lieu of the nonexistent block 0.
– The IV is randomly generated by the sender and sent along with the
encrypted message.
• Triple-DES, i.e., encrypt the data three times.
7
DES algorithm
Figure: initial permutation, then rounds 1 to 16 keyed by the 56-bit key, then the final permutation.
8
Cipher block chaining
Figure: the IV is XORed with Block1 before DES to give Cipher1; each Cipher_i is then XORed with Block_{i+1} before DES to give Cipher_{i+1} (Blocks 1 to 4 and Ciphers 1 to 4 shown).
9
Security uses of secret key cryptography
• Secrecy, authentication, and message integrity services
• Assumption: both client and
server already share a secret
key.
• Approach:
– Each side generates a random number encrypted with the
secret key.
– See whether the other side can
decrypt it.
• Successful if CHK = SHK
(client and server handshaking
keys)
• SK: Session key
Figure: handshake messages between Client and Server:
– Client → Server: ClientId, E(x, CHK)
– Server → Client: E(x+1, SHK), E(y, SHK)
– Client → Server: E(y+1, CHK)
– Server → Client: E(SK, SHK)
10
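The handshake in the figure above, as an added Python example that is not part of the original slides. The cipher E/D is a constructed nonce-plus-SHA-256-keystream stand-in for the shared secret key algorithm, and the session key SK is assumed to be 16 random bytes chosen by the server.

```python
import hashlib
import secrets

def E(plain: bytes, key: bytes) -> bytes:
    # Constructed stand-in for the secret key cipher: fresh 8-byte nonce + SHA-256 keystream XOR.
    nonce = secrets.token_bytes(8)
    return nonce + bytes(a ^ b for a, b in zip(plain, hashlib.sha256(key + nonce).digest()))

def D(cipher: bytes, key: bytes) -> bytes:
    nonce, body = cipher[:8], cipher[8:]
    return bytes(a ^ b for a, b in zip(body, hashlib.sha256(key + nonce).digest()))

def enc_int(n: int) -> bytes: return n.to_bytes(8, "big")
def dec_int(b: bytes) -> int: return int.from_bytes(b, "big")

class Client:
    def __init__(self, ident: str, chk: bytes):
        self.id, self.chk, self.x = ident, chk, None
    def msg1(self):                       # ClientId, E(x, CHK)
        self.x = secrets.randbelow(2 ** 63)
        return self.id, E(enc_int(self.x), self.chk)
    def msg3(self, m2):                   # check E(x+1, SHK), then answer E(y+1, CHK)
        enc_x1, enc_y = m2
        if dec_int(D(enc_x1, self.chk)) != self.x + 1:
            raise ValueError("server could not decrypt x: CHK != SHK")
        return E(enc_int(dec_int(D(enc_y, self.chk)) + 1), self.chk)
    def session_key(self, m4: bytes) -> bytes:
        return D(m4, self.chk)            # SK recovered from E(SK, SHK)

class Server:
    def __init__(self, keys: dict):
        self.keys, self.y, self.sk = keys, None, None   # keys maps ClientId -> SHK
    def msg2(self, m1):                   # E(x+1, SHK), E(y, SHK)
        ident, enc_x = m1
        shk = self.keys[ident]
        self.y = secrets.randbelow(2 ** 63)
        return E(enc_int(dec_int(D(enc_x, shk)) + 1), shk), E(enc_int(self.y), shk)
    def msg4(self, ident: str, m3: bytes) -> bytes:   # E(SK, SHK), only once y+1 checks out
        shk = self.keys[ident]
        if dec_int(D(m3, shk)) != self.y + 1:
            raise ValueError("client could not decrypt y: CHK != SHK")
        self.sk = secrets.token_bytes(16)  # assumed: a fresh 16-byte session key
        return E(self.sk, shk)

def handshake(client: Client, server: Server) -> bytes:
    # Runs the four messages in order; raises ValueError if either side fails its challenge.
    m2 = server.msg2(client.msg1())
    m4 = server.msg4(client.id, client.msg3(m2))
    return client.session_key(m4)
```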
Secret key based authentication
• This approach is based on a
trusted third party (authentication server), e.g., Kerberos
protocol.
• Assumptions: A shares a secret key with S, and so does B
with S.
• Notations in the messages:
– T: Timestamp
– L: Lifetime
– K: Session key for A and B
– KA, KB: A’s secret key shared with S and B’s secret key shared
with S, respectively.
– A, B: The participants’ identities
Figure: messages exchanged among S, A and B.
11
Secret key based message integrity
• Produce a small, fixed-sized “checksum” based on the
message under protection.
– This cryptographic checksum is referred to as message
integrity code (MIC) or message authentication code
(MAC).
• E.g., apply DES in CBC mode to the message, and use the
CBC residue as the message integrity code (MIC).
– The residue is the last block of the CBC output.
– The plaintext message plus the MIC would be sent to the
receiver.
– The receiver reproduces the “checksum” and compares it with
the received MIC.
12
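An added Python example (not from the slides) of CBC mode from slide 7 and of the CBC-residue MIC from this slide. It assumes a constructed 4-round Feistel block function in place of DES, since only a keyed, invertible 64-bit block function is needed to show the chaining and the residue.

```python
import hashlib
import secrets

BLOCK = 8  # 64-bit blocks, the block size of DES

def _round(half: bytes, key: bytes, i: int) -> bytes:
    # Feistel round function: 32 bits of SHA-256 over (key, round index, half block).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]

def toy_block_encrypt(block: bytes, key: bytes) -> bytes:
    # Constructed stand-in for DES: a 4-round Feistel network on 64-bit blocks.
    # It is a keyed, invertible block function (all CBC needs); it is not DES.
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, _round(r, key, i)))
    return r + l

def toy_block_decrypt(block: bytes, key: bytes) -> bytes:
    r, l = block[:4], block[4:]  # undo the final swap, then run the rounds backwards
    for i in reversed(range(4)):
        l, r = bytes(a ^ b for a, b in zip(r, _round(l, key, i))), l
    return l + r

def cbc_encrypt(msg: bytes, key: bytes, iv: bytes) -> bytes:
    # Cipher_i is XORed into Block_{i+1} before the block cipher; the IV stands in for block 0.
    assert len(msg) % BLOCK == 0 and len(iv) == BLOCK
    out, prev = [], iv
    for i in range(0, len(msg), BLOCK):
        prev = toy_block_encrypt(bytes(a ^ b for a, b in zip(msg[i:i + BLOCK], prev)), key)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ct: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(bytes(a ^ b for a, b in zip(toy_block_decrypt(ct[i:i + BLOCK], key), prev)))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def cbc_residue_mic(msg: bytes, key: bytes) -> bytes:
    # The MIC is the last block of the CBC output. A fixed IV (all zeros here) is used so
    # that sender and receiver compute the same residue; for secrecy a random IV is sent instead.
    return cbc_encrypt(msg, key, bytes(BLOCK))[-BLOCK:]

def verify_mic(msg: bytes, key: bytes, mic: bytes) -> bool:
    # The receiver recomputes the residue and compares it in constant time.
    return secrets.compare_digest(cbc_residue_mic(msg, key), mic)
```

Messages must be a whole number of 64-bit blocks; the constructed inputs below are two blocks long.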
Hash functions
• A hash, or message digest, is a one-way function that
produces a short, fixed-sized output.
• Properties:
– One-way functions are relatively easy to compute, i.e., given
x, it is easy to compute h(x).
– However, given h(x), it is significantly harder to compute x.
– It is computationally infeasible to find two inputs that hash
to the same value.
• Provide mainly message integrity service, and help in
generating digital signatures.
13
Hash algorithms
• Message Digest (MD-n, n = 1, …, 5), and Secure Hash
Algorithm (SHA-1)
Figure: iterated hash construction: an initial constant “digest” is transformed with each 512-bit block of the padded message in turn, yielding a 128-bit message digest.
14
Keyed message integrity protocols
• Just hashing a message under protection is inadequate.
• Message integrity protocols can be based on secret key
encryption.
– Assume that Alice and Bob share a secret key k.
– Alice sends M + MD5(M + k), where + refers to the
concatenation of two messages.
– Bob applies MD5 to M + k, and compares it with the MIC.
• Message integrity protocols can be based on public
key encryption.
– Alice sends M + MD5(M + k) + EPri(A)(k), where k is a
random number picked by Alice.
– Bob recovers k by DPub(A)(EPri(A)(k)).
15
Public key (asymmetric) cryptography
• Given:
– Alice and Bob agree on a public key cryptosystem.
– Alice owns a pair of public key and private key, and Bob
knows Alice’s public key, which is not a secret.
• Encryption using the public key and decryption using
the private key.
– Bob sends a message intended only for Alice to see.
– M --> EPub(A)(M) --> DPri(A)(EPub(A)(M)) --> M.
• Problems:
– Public-key algorithms are slow. Symmetric algorithms are at
least 1000 times faster.
– Vulnerable to chosen-plaintext attacks.
16
Public key cryptography algorithms
• RSA (Rivest, Shamir, and Adleman), Elliptic Curve
Cryptography (ECC), ElGamal (ElG), Digital
Signature Standard (DSS), Diffie-Hellman (DH)
– RSA and ECC do encryption and digital signatures
– ElG and DSS do digital signatures
– DH allows an establishment of a shared secret.
• It is computationally hard to deduce the private key
from the public key.
– For example, the choice of the public and private keys in
RSA is based on a multiplication of two large prime
numbers.
17
Public key based authentication
• A picks a random number and encrypts it with B’s
public key.
• Unlike the secret key approach, Bob only needs to
remember its own private key for authentication.
• Moreover, Alice does not need to keep any secret in
order to verify Bob.
Figure: message exchange between A and B.
18
Digital signatures
• Digital signatures, similar to handwritten signatures,
are used as a proof of authorship.
• A digital signature is a special case of an MIC, where
the code can only be generated by the authorized
participant.
• The digital signatures must be
– verifiable,
– nonforgeable,
– unalterable,
– not reusable, and
– nonrepudiable.
19
Public key based digital signatures
• Private key algorithms cannot achieve the
nonrepudiable objective.
• To digitally sign a document using RSA, a sender
uses its private key to produce the signature, and the
receiver uses the public key to verify it.
– In RSA, both the private key and public key can be used
for encryption (not with DSS).
– Alice encrypts M using its private key: EPri(A)(M).
– Alice sends M and EPri(A)(M) to Bob.
– Bob decrypts M using Alice’s public key,
DPub(A)(EPri(A)(M)), and compares the result with M.
20
RSA digital signatures
• Verifiable (use Alice’s public key)
• Nonforgeable (only Alice has the private key)
• Unalterable (do not produce the same document)
• Not reusable (pertain to that document), and
• Nonrepudiable
21
RSA digital signatures with MD5
• In practice, public key algorithms are too slow to sign
long documents, and the signature is also too long.
• Instead of signing the whole document, a sender signs
the checksum produced by a hash function, such as
MD5.
– Alice signs the hash value of the document and sends M +
EPri(A)(MD5(M)).
– Bob computes the hash by running MD5(M).
– Bob decrypts EPri(A)(MD5(M)).
– Bob compares MD5(M) and DPub(A)(EPri(A)(MD5(M))).
22
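An added Python example (not from the slides) of the RSA-with-MD5 signature on this slide and of the public-key keyed MIC on slide 15 (M + MD5(M + k) + EPri(A)(k)). It uses textbook RSA with the assumed toy primes 2^61-1 and 2^89-1 (no padding, far too small for real use) and needs Python 3.8+ for pow(e, -1, phi).

```python
import hashlib
import hmac
import secrets

def make_rsa_keypair(p: int, q: int, e: int = 65537):
    # Textbook RSA (no padding) from two primes: public key (n, e), private key (n, d).
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # modular inverse needs Python 3.8+

def rsa_apply(key, m: int) -> int:
    # EPub, DPri, EPri and DPub in the slides' notation are all modular exponentiation.
    n, exp = key
    assert 0 <= m < n, "input must be smaller than the modulus"
    return pow(m, exp, n)

def md5_int(data: bytes) -> int:
    # The 128-bit MD5 digest as an integer; n must exceed 2**128 for it to be a valid input.
    return int.from_bytes(hashlib.md5(data).digest(), "big")

def sign_md5(priv, msg: bytes) -> int:
    # Alice: EPri(A)(MD5(M)), sent alongside M.
    return rsa_apply(priv, md5_int(msg))

def verify_md5(pub, msg: bytes, sig: int) -> bool:
    # Bob: DPub(A)(sig) must equal MD5(M) recomputed from the received message.
    return 0 <= sig < pub[0] and rsa_apply(pub, sig) == md5_int(msg)

def keyed_mic_send(priv, msg: bytes):
    # Slide 15 public-key variant: M, MD5(M + k), EPri(A)(k) with a random 16-byte k.
    k = secrets.token_bytes(16)
    return msg, hashlib.md5(msg + k).digest(), rsa_apply(priv, int.from_bytes(k, "big"))

def keyed_mic_check(pub, msg: bytes, mic: bytes, enc_k: int) -> bool:
    # Bob recovers k with DPub(A) and recomputes MD5(M + k); constant-time compare.
    k_int = rsa_apply(pub, enc_k) if 0 <= enc_k < pub[0] else -1
    if not 0 <= k_int < 2 ** 128:
        return False  # not a well-formed 16-byte k
    k = k_int.to_bytes(16, "big")
    return hmac.compare_digest(hashlib.md5(msg + k).digest(), mic)

if __name__ == "__main__":
    # Assumed toy parameters: Mersenne primes 2**61-1 and 2**89-1, so n > 2**128.
    pub, priv = make_rsa_keypair(2 ** 61 - 1, 2 ** 89 - 1)
    sig = sign_md5(priv, b"I owe Bob $100")
    print(verify_md5(pub, b"I owe Bob $100", sig), verify_md5(pub, b"I owe Bob $1000", sig))
```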
Digital signatures with encryption
• The security of encryption can be combined with the
authenticity of digital signatures.
– Alice signs a message M and sends SA(M), where the
signing can be based on any method discussed before.
– Alice encrypts the signed message with Bob’s public key:
EPub(B)(SA(M)).
– Bob decrypts the received message: DPri(B)(EPub(B)(SA(M))).
– Bob verifies the signed message SA(M).
• Signing before encrypting is a prudent practice.
– You know what you are signing.
– Signatures cannot be removed from an encrypted message.
23
Remaining issues
• For the private key approach, how does a pair of
participants generate and manage their shared secret
key?
– Use RSA key exchange with digital signatures.
– Diffie-Hellman key exchange
• For the public key approach, how can one obtain
another’s true public key or how can one reliably
advertise one’s public key to others?
– Digital certificates
– Certification authority (a trusted third party approach)
24
Internet security
• IP layer: IP security (IPSec)---Encapsulating Security
Payload (ESP) and Authentication Header (AH)
– AH mainly provides access control, connectionless message
integrity, and anti-replay protection.
– ESP, in addition to the services provided by AH, provides
also secrecy.
• Transport layer: Secure Socket Layer (SSL) and
Transport Layer Security (TLS)
– Provide secrecy and message integrity between two
communicating applications.
– This is a generic security protocol supporting any
applications, for example, HTTP/TLS/TCP.
25
Internet security
• Application-specific:
– SET for payment-card transactions
– Privacy Enhanced Mail (PEM) and Pretty Good Privacy
(PGP) for email security
– Secure HTTP (S-HTTP) for WWW (RFC 2660)
– DNSSEC for DNS
• Others:
– Multicast group security
– Multimedia security
– Mobile and wireless network security
– Enterprise security (virtual private network)
– Remote access security
26
Acknowledgments
• This set of notes is based on
– C. Kaufman, R. Perlman, and M. Speciner, Network
Security: Private Communication in a Public World, Second
Edition, Prentice Hall PTR, 2002.
– L. Peterson and B. Davie, Computer Networks: A Systems
Approach, Morgan Kaufmann, 2000.
– B. Schneier. Applied Cryptography, Second Edition, Wiley,
1996.
27