An Introduction to Cryptography for Homeland Security (Jay Ligatti, University of South Florida, 02/14/08)


02/14/08 1/32

An Introduction to Cryptography for Homeland Security

Jay Ligatti

University of South Florida

02/14/08 2/32

Outline

1. Communication problems
2. Cryptographic solutions
3. Cryptography and homeland security
4. Limitations of cryptography
5. Research challenges

02/14/08 3/32

A Common Scenario

Members of a team need to communicate

[Diagram: message “Hello Bob”]

02/14/08 4/32

A Common Scenario

Messages need to be secure

[Diagram: messages “Hello Bob” and “Hello Alice, operation X begins in 36 hours”]

02/14/08 5/32

A Common Scenario

However, communication needs to go through a medium accessible by an adversary (a non-privileged entity)

Easy to think of transmission medium as the Internet, but could be, e.g.,
– copper phone lines
– radio waves
– courier on the ground

[Diagram: messages “Hello Bob” and “Hello Alice, operation X begins in 36 hours”]

02/14/08 6/32

Problems

Adversary may discover secrets by passively monitoring the communication
– E.g., operation X begins in 36 hours
– E.g., Alice and Bob are communicating, so some operation is likely to begin soon (this is called traffic analysis)

Adversary may prevent communication by destroying information en route
– E.g., convince Internet routers not to forward packets
– E.g., destroy courier on the ground

Adversary may disrupt knowledge by actively tampering with or forging information en route
– E.g., overwrite 36 with 72 to desynchronize Alice from Bob
– E.g., send a message to Alice impersonating Bob: “Hello again Alice, cancel operation X”

02/14/08 7/32

Problems

These are difficult problems!

We don’t have perfect solutions to any of them!

We do have some very convincing solutions, especially for:
– Preventing passive discovery of secrets
  E.g., operation X begins in 36 hours
– Detecting active tampering with/forging information
  E.g., overwrite 36 with 72 to desynchronize Alice from Bob
  E.g., send a message to Alice impersonating Bob: “Hello again Alice, cancel operation X”

02/14/08 8/32

Outline

1. Communication problems
2. Cryptographic solutions
3. Cryptography and homeland security
4. Limitations of cryptography
5. Research challenges

02/14/08 9/32

Cryptography

Cryptography is used to prevent passive discovery of, and to detect active tampering with, information en route

Definition: Cryptography is the study of hiding information
– Cryptanalysis is the study of finding hidden information
– Cryptology = cryptography + cryptanalysis

Basic cryptographic tool is a cipher
– Cipher is an algorithm (think recipe) for hiding information in a new message M and retrieving hidden information from M

Here’s how it works...

02/14/08 10/32

Ciphering Step 1: Key Establishment

Communicating parties need to share a secret key (think of it as a password with about 40 keyboard characters)

How do Alice and Bob obtain a shared, secret key?
– No completely satisfactory answer!
– Alice (or Bob) could create the key and then travel (or send a trusted courier) to Bob (or Alice) to share the key
– More practically, but generally less securely, Alice and Bob could use a special key-exchange protocol (see Wikipedia entry on Diffie-Hellman)

[Diagram: the same key, vD)w’45#..., shown at both ends]

02/14/08 11/32

Ciphering Step 2: Encryption

Cipher begins with plaintext (original message) and the key

Cipher shuffles around the encodings of the plaintext and key in very complicated ways to produce a ciphertext (message with hidden information)
– This is called encrypting the plaintext

[Diagram: plaintext “Operation X begins in 36 hours” and key vD)w’45#... go into the cipher, which outputs ciphertext >W<$%YoPjS s-5eoy5...]

02/14/08 12/32

Ciphering Step 2: Encryption

There is no “magic” in the encryption procedure

Fixed sequence of steps, precisely defined
– Mostly, complicated repetitions of substituting some characters for other characters in the plaintext and then rearranging (permuting) the characters
– Both the substitutions and the rearrangements are guided by the secret key
– For low-level details of one cipher, Google “DES”

02/14/08 13/32

Ciphering Step 3: Message Transmission

One party sends ciphertext to another

Even if ciphertext is intercepted, it would take adversary a very long time to figure out the plaintext (as far as we know)
– Best publicly known techniques for modern ciphers require trying every possible key until one “unlocks” the ciphertext
– Typically, there are about as many possible keys as there are elementary particles in the observable universe...

[Diagram: ciphertext >W<$%YoPjS s-5eoy5... travels between the two holders of key vD)w’45#...; the adversary sees the same ciphertext but is left with ?????]

02/14/08 14/32

Ciphering Step 4: Decryption

The key-holding receiver can re-shuffle around the encodings of the ciphertext and key to obtain the original plaintext
– This is called decrypting the ciphertext

Low-level details very similar to encryption (substitutions and rearrangements of characters)

Efficient decryption because key is known

[Diagram: ciphertext >W<$%YoPjS s-5eoy5... and key vD)w’45#... go into the cipher, which outputs plaintext “Operation X begins in 36 hours”]

02/14/08 15/32

Tampering/Forgery Detection

If adversary without the shared key attempts to tamper with or forge a ciphertext, she’ll almost certainly send a ciphertext that decrypts to nonsense

[Diagram: the forged message “Hello again Alice, cancel operation X”, received as ciphertext, goes into the cipher with key vD)w’45#... and yields the plaintext {P#I% TO\s-... (?????); the receiver concludes “This must not be from Bob!”]
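
The slide has the receiver notice tampering or forgery because the result decrypts to nonsense; a common way to make that an explicit accept/reject decision is a message authentication code. The following is an added example, not part of the original slides: it uses HMAC-SHA256 (a technique the slides do not name), constructed keys, and the deck's own messages, and it tags the bytes as sent, which in practice would be the ciphertext.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32-byte tag appended to every message


def seal(key: bytes, message: bytes) -> bytes:
    """Sender side: append an HMAC-SHA256 tag computed with the shared key."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def open_sealed(key: bytes, sealed: bytes):
    """Receiver side: return the message if the tag verifies, otherwise None."""
    if len(sealed) < TAG_LEN:
        return None
    message, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # compare_digest avoids leaking, through timing, how many tag bytes matched.
    return message if hmac.compare_digest(tag, expected) else None


def scenario():
    """Run the three cases from the slides and return what the receiver accepts."""
    shared_key = b"constructed-demo-key-known-to-Alice-and-Bob"  # constructed sample
    other_key = b"constructed-key-that-is-not-the-shared-one"    # constructed sample

    genuine = seal(shared_key, b"Hello Alice, operation X begins in 36 hours")
    # Tampering en route: 36 is overwritten with 72, the tag is left as sent.
    tampered = genuine.replace(b"36", b"72", 1)
    # Forgery: a new message tagged by someone who lacks the shared key.
    forged = seal(other_key, b"Hello again Alice, cancel operation X")

    cases = (("genuine", genuine), ("tampered", tampered), ("forged", forged))
    return {name: open_sealed(shared_key, data) for name, data in cases}


if __name__ == "__main__":
    for name, result in scenario().items():
        print(name, "->", result if result is not None else "REJECTED")
```
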

02/14/08 16/32

Key Properties of Ciphers

1. Inverse relation between encryption and decryption
   D(E(p,k),k) = p

2. Confusion
– Relationship between key and ciphertext should be very complex
– Makes it difficult to obtain key from ciphertext

3. Diffusion
– Even the most minor changes to the plaintext should cause changes throughout the entire ciphertext
– Makes it difficult to infer any part of plaintext from ciphertext alone (even if adversary already knows how other plaintexts get encrypted)
– For example...

02/14/08 17/32

Example of Diffusion in the Popular AES (Advanced Encryption Standard) Cipher

Every ciphertext character depends on every plaintext character

Diffusion prevents adversary from easily inferring parts of the plaintext from the ciphertext (because every plaintext change may alter the entire ciphertext)

Key: 0000000000000000000000000000000000000000000000000000000000000000
Plaintext 1: 00000000000000000000000000000000
Plaintext 2: 00000000000000000000000000000001
[AES cipher]
Ciphertext 1: dc95c078a2408989ad48a21492842087
Ciphertext 2: 530f8afbc74536b9a963b4f1c4cb738b

02/14/08 18/32

Outline

1. Communication problems
2. Cryptographic solutions
3. Cryptography and homeland security
4. Limitations of cryptography
5. Research challenges

02/14/08 19/32

The Dual Role of Defense

1. Members of defense and response teams may need to communicate securely in the presence of adversaries
– E.g., groups may want to discuss targets of investigations without adversaries learning of (and tipping off) those targets
– E.g., rescue teams controlling remote robots may not want adversaries tampering with the human-robot communications

02/14/08 20/32

The Dual Role of Defense

2. To monitor threats, defense teams will also generally want to take on adversarial roles in suspicious, potentially encrypted communications
– Hot topic of debate: When, and to what extent, should this occur?

Cryptography can both help and hinder homeland security
– Another big debate: Is cryptography a net benefit or net hindrance for homeland security (now and in the future)?

02/14/08 21/32

Outline

1. Communication problems
2. Cryptographic solutions
3. Cryptography and homeland security
4. Limitations of cryptography
5. Research challenges

02/14/08 22/32

Limitation 1

Adversaries can circumvent cryptography by monitoring plaintext inputs and outputs of communication channels

[Diagram: plaintext is encrypted to ciphertext, sent, and decrypted back to plaintext; label: Intercept Alice’s and/or Bob’s plaintext]

02/14/08 23/32

Limitation 1

Example: Adversary installs a keystroke logger (keylogger) on Alice/Bob’s computer

Keyloggers capture and transmit all keyboard activity before what’s being typed gets encrypted

Adversary can install a keylogging program on Alice/Bob’s machine by:
– CD/disk/download (with direct access to target machine)
– Remotely connecting to and exploiting a flaw on target machine (to install keylogger without Alice/Bob’s knowledge)
– Packaging keylogger program as something benign and convincing target to execute it
  E.g., send keylogger as email attachment and entice target to open it

02/14/08 24/32

Limitation 1

Alternatively, adversary can quietly install keylogging hardware on Alice/Bob’s machine

E.g., small device inserted between a computer’s keyboard port and the keyboard cable

[photo source: www.alibaba.com]

02/14/08 25/32

Limitation 1

Alternatively, adversary can acoustically record Alice/Bob’s typing!
– Each keyboard key has slightly different acoustic signature
– Adversary records typing and analyzes recording

Or adversary can videotape Alice/Bob’s screen!

Or adversary can videotape and analyze the reflections of the screen images on Alice/Bob’s face!

Or adversary can analyze the radiation emanating from Alice/Bob’s monitor to determine what it is showing!

...

Point: A powerful adversary has many avenues for monitoring communications of specific targets, even in the presence of strong cryptography

02/14/08 26/32

Limitation 2

Installing and using cryptography software takes some effort and knowledge

Easier not to worry about it

Sensitive unencrypted data does get stolen
– In May 2006, the Department of Veterans Affairs lost a laptop containing plaintext personal data on more than 26 million U.S. military members
– Led to a major overhaul in VA security procedures, including encrypting data on laptops [http://www.usa.gov/veteransinfo.shtml]

02/14/08 27/32

Limitation 3

Cryptography is a communications technology, with applications in computer security

Cryptography does not “solve” computer security

Most computer-security problems arise from unrelated issues
– Programs are shipped with insecure default settings
– Programs contain errors that attackers can exploit
– Users execute malicious software because it seems benign

02/14/08 28/32

Outline

1. Communication problems
2. Cryptographic solutions
3. Cryptography and homeland security
4. Limitations of cryptography
5. Research challenges

02/14/08 29/32

Challenge 1

Cryptography is a large research field

Just to mention a few topics of interest...

1. Formal analysis of cryptographic protocols
– Adversaries can sometimes gain a surprising amount of information by monitoring and disrupting communications
– Can we formally prove that an entire communication session will be secure?
– Application: Voting protocols
  Team members may vote on best of several alternatives
  How to design system to guarantee accurate vote counting with privacy?

02/14/08 30/32

Challenges 2-4

2. Tractability of cryptanalysis
– Can we prove the difficulty of obtaining keys from ciphertexts?
– What is the simplest cipher that makes cryptanalysis impractical?

3. Key exchange
– Is there a secure way to exchange secret keys in the presence of powerful adversaries? What’s the best we can do?

4. Multiparty communications
– In what ways do standard (two-party) cryptographic solutions apply to communications between more than two parties?

02/14/08 31/32

Summary

Cryptography’s goal: make it very difficult for adversaries to access and modify information en route

Exactly how difficult is an open question

In any case, powerful adversaries can sometimes use sophisticated surveillance and computer-attack techniques to circumvent cryptography

02/14/08 32/32

End

Thanks / Questions?

Acknowledgment: This educational work was supported by NSF CAREER award CNS-0742736. Any opinions expressed are those of the author and do not necessarily reflect the views of the NSF.