1 the elements of cryptography chapter 7 panko, corporate computer and network security copyright...
TRANSCRIPT
1
The Elements of Cryptography
Chapter 7
Panko, Corporate Computer and Network SecurityCopyright 2004 Prentice-Hall
2
Figure 7-1: Cryptographic System
ConfidentialityAuthentication
Message IntegrityAnti-Replay Protection
Client PC with Cryptographic
SystemSoftware
Server withCryptographic
SystemSoftware
Secure Communication
ProvidedAutomatically
3
Figure 7-2: Plaintext, Encryption, Ciphertext, and Decryption
Network
Plaintext“Hello”
EncryptionMethod &
Key
Ciphertext “11011101”
EncryptionKey
Ciphertext “11011101” Plaintext“Hello”
DecryptionMethod &
Key
DecryptionKey
Interceptor
Party A
Party B
Note:Interceptor Cannot ReadCiphertext Without the
Decryption Key
4
Figure 7-3: Key Length and Number of Possible Keys
1
Key Lengthin Bits
2
4
8
16
256
65,536
16
4
2
Number of Possible Keys
40 1,099,511,627,776
56 72,057,594,037,927,900
112 5,192,296,858,534,830,000,000,000,000,000,000
5
Figure 7-3: Key Length and Number of Possible Keys
Key Lengthin Bits
112
168
256
512
1.15792E+77
1.3408E+154
3.74144E+50
5.1923E+33
Number of Possible Keys
6
Figure 7-3: Key Length and Number of Possible Keys
Notes: Shaded keys, with lengths of more than 100 bits, are considered strong symmetric keys today.
Unshaded keys, with lengths of less than 100 bits, are considered weak symmetric keys today.
Public key/private key pairs must be much longer to be strong because of the disastrous consequences of learning someone’s private key and because private keys cannot be changed rapidly.
7
Figure 7-4: Symmetric Key Encryption for Confidentiality
Network
Plaintext“Hello”
EncryptionMethod &
Key
Ciphertext “11011101”
SymmetricKey
Ciphertext “11011101” Plaintext“Hello”
DecryptionMethod &
Key
SameSymmetric
Key
Interceptor
Party A
Party B
Note:A single key is used to
encrypt and decryptin both directions.
8
Figure 7-5: Data Encryption Standard (DES)
DES EncryptionProcess
64-Bit CiphertextBlock
64-Bit DES Symmetric Key(56 bits + 8 redundant bits)64-Bit Plaintext
Block
9
Figure 7-6: DES-CBC (DES-Cipher Block Chaining)
First64-Bit Plaintext Block
DES EncryptionProcess
Second64-Bit Plaintext Block
First64-Bit Ciphertext Block
InitializationVector (IV)
DES EncryptionProcess
Second64-Bit Ciphertext Block
DES Key
DES Key
10
Figure 7-7: Triple DES (3DES)
Sender Receiver
Encrypts plaintext with the1st key
Decrypts ciphertext withthe 3d key
Decrypts output of firststep with the 2nd key
Encrypts output of thefirst step with the 2nd key
Encrypts output of secondstep with the 3d key; givesthe ciphertext to be sent
Decrypts output of secondstep with the 1st key; givesthe original plaintext
168-Bit Encryption with Three 56-Bit Keys
11
Figure 7-7: Triple DES (3DES)
Sender Receiver
Encrypts plaintext with the1st key
Decrypts ciphertext withthe 1st key
Decrypts output with the 2nd key
Encrypts output with the2nd key
Encrypts output with the1st key
Decrypts output with the1st key
112-Bit Encryption With Two 56-Bit Keys
12
Figure 7-7: Triple DES (3DES)
Sender Receiver
Encrypts plaintext withthe key
Decrypts ciphertext withthe key
Encrypts output with thekey (undoes first step)
Encrypts output with thekey
56-Bit Encryption With One 56-Bit Key(For Compatibility With Receivers
Who Can Handle Only Normal DES)
13
Figure 7-8: DES, 3DES, and AES
DES
56
Weak
Moderate
Moderate
3DES
112 or 168
Strong
High
High
AES
128, 192, 256
Strong
Modest
Modest
Key Length (bits)
Strength
ProcessingRequirements
RAM Requirements
14
Symmetric Key Encryption
RC4 Only 40-bit encryption
Very weak
Used in wired equivalent privacy security for 802.11 initially
New
15
Figure 7-9: Public Key Encryption for Confidentiality
Party A Party B
Decrypt withParty A’s Private Key
Encrypt withParty A’s Public Key
Encrypt withParty B’s Public Key
Decrypt withParty B’s Private Key
EncryptedMessage
EncryptedMessage
16
Figure 7-10: Strong Keys for Symmetric and Public Key Encryption
Strong Symmetric Keys Strong Public and Private Keys
Limited damage if cracked, so can be shorter
Changed frequently, so canbe shorter
Serious damage if cracked, somust be longer
Rarely changed, so must belonger
17
Figure 7-10: Strong Keys for Symmetric and Public Key Encryption
Strong Symmetric Keys Strong Public and Private Keys
100 bits or more todayLonger for high-value transactionsLonger tomorrow as cracking power increasesDES: 56-bits (weak), but 3DES gives 112-bit or 168-bit securityAES: Key lengths of 128, 192, or 256; yet places a light load on processor and RAM so can be used by mobile devicesIDEA: 128 bits
1,024 or 2,048 bits for RSA encryption today
512 bits for ECC encryption today
Longer tomorrow as cracking power increases
18
Figure 7-11: MS-CHAP Challenge-Response Authentication Protocol
2.Verifier sends Challenge Message
Challenge
Applicant(Client)
Verifier(Server)
1.Verifier creates
Challenge Message
Note: Both the client and the serverknow the client’s password.
19
Figure 7-11: MS-CHAP Challenge-Response Authentication Protocol
3.
Applicant (Supplicant)creates a Response Message:
(a) Adds password toChallenge Message
(b) Hashes the resultant bitstring (does not encrypt)
(c) The hash is theResponse Message
ChallengePassword
Response
Hashing(Not Encryption)
20
Figure 7-11: MS-CHAP Challenge-Response Authentication Protocol
4.Applicant sends Response Message without encryption
Transmitted Response
21
Figure 7-11: MS-CHAP Challenge-Response Authentication Protocol
ChallengePassword
Expected Response
Hashing
5.
Verifier adds password to theChallenge Message it sent.
Hashes the combination.This is the expectedResponse Message.
22
Figure 7-11: MS-CHAP Challenge-Response Authentication Protocol
Expected ResponseTransmitted Response =?
6.If the two Response Messages are equal, the
applicant knows the password and is authenticated.Sever logs Client in.
7.Note that only hashing is involved.
There is no encryption.
23
Hashing
Hashing is a one-way function. It cannot be reversed From the hash, you cannot compute the original
message
Hashing is repeatable If two parties apply the same hashing method to the
same bit string, they will get the same hash
24
Figure 7-12: Encryption Versus Hashing
Encryption
Uses a key as aninput to an encryption method
Output is similar inlength to input
Reversible; ciphertextcan be decryptedback to plaintext
Use of Key
Length of Result
Reversibility
Hashing
Key is usually addedto text; the two arecombined, and thecombination is hashed
Output is of a fixedshort length, regardless of input
One-way function; hashcannot be “de-hashed” back to the original string
25
Figure 7-13: Digital Signature for Message-by-Message Authentication
To Create the Digital Signature:
1. Hash the plaintext to create abrief message digest; this is NOT the Digital Signature.
2. Sign (encrypt) the messagedigest with the sender’s private
key to create the digital signature.
3. Transmit the plaintext + digitalsignature, encrypted withsymmetric key encryption.
Plaintext
MD
DS
DS Plaintext
Hash
Sign (Encrypt)with Sender’sPrivate Key
26
Figure 7-13: Digital Signature for Message-by-Message Authentication
4. Encrypted withSession Key
DS Plaintext
Sender Receiver
27
Figure 7-13: Digital Signature for Message-by-Message Authentication
To Test the Digital Signature
5. Hash the received plaintextwith the same hashing algorithm
the sender used. This givesthe message digest.
6. Decrypt the digital signaturewith the sender’s public key.
This also should give themessage digest.
7. If the two match, themessage is authenticated.
Received Plaintext
MD
DS
MD
5. 6.
HashDecrypt withTrue Party’sPublic Key
7.Are they equal?
28
Figure 7-14: Public Key Deception
Impostor
“I am the True Person.”
“Here is TP’s public key.”(Sends Impostor’s public key)
“Here is authenticationbased on TP’s private key.”(Really Impostor’s private key)
Decryption of message from Verifierencrypted with Imposter’s public key,so Impostor can decrypt it
Verifier
Must authenticate True Person.
Believes now hasTP’s public key
Believes True Personis authenticated
based on Impostor’s public key
“True Person,here is a message encrypted
with your public key.”
CriticalDeception
29
Figure 7-15: Important X.509 Digital Certificate Fields
Field Description
VersionNumber
Version number of the X.509. Most certificates follow Version 3. Different versions have different fields. This figure reflects the Version 3 standard.
Issuer Name of the Certificate Authority (CA).
SerialNumber
Unique serial number for the certificate, set by the CA.
30
Figure 7-15: Important X.509 Digital Certificate Fields
Field Description
Subject The name of the person, organization, computer, or program to which the certificate has been issued. This is the true party.
Public KeyThe public key of the subject—the public key of the true party.
Public KeyAlgorithm
The algorithm the subject uses to sign messages with digital signatures.
31
Figure 7-15: Important X.509 Digital Certificate Fields
Field Description
ValidPeriod
The period before which and after which the certificate should not be used.Note: Certificate may be revoked before the end of this period.
DigitalSignature
The digital signature of the certificate, signed by the CA with the CA’s own private key.Provides authentication and certificate integrity.User must know the CA’s public key independently.
32
Figure 7-15: Important X.509 Digital Certificate Fields
Field Description
SignatureAlgorithmIdentifier
The digital signature algorithm the CA uses to signits certificates.
33
Figure 7-16: Digital Signature and Digital Certificate in Authentication
Digital Certificate
Authentication
Public Key ofTrue Party
Signature to BeTested with
Public Key ofTrue Party
Digital Signature
34
Figure 7-17: Public Key Infrastructure (PKI) with a Certificate Authority
Create &Distribute
(1) Private Keyand
(2) Digital Certificate
4.Certificate
for Lee
3.Request Certificate
for Lee
5.Certificate
for Lee
6. Request CertificateRevocation List (CRL)
7. Copy of CRL
Verifier(Brown)
Applicant (Lee)
Verifier(Cheng)
CertificateAuthority
PKI Server
35
Certificate Authority (CA)
CAs are not regulated in any country today Anyone can be a CA
Even an organized crime syndicate
Some, such as VeriSign, are widely trusted
Companies can be their own CAs Assign keys and certificates to their internal
computers
This gets around the need to trust public CAs
36
Figure 7-18: Public Key Distribution for Symmetric Session Keys
Party A Party B
1. CreateSymmetric
Session Key
37
Figure 7-18: Public Key Distribution for Symmetric Session Keys
Party A Party B
2. EncryptSession Key with
Party B’s Public Key
4. DecryptSession Key with
Party B’s Private Key
3. Send the SymmetricSession Key Encrypted
for Confidentiality
5. Subsequent Encryption withSymmetric Session Key
38
Figure 7-19: Diffie-Hellman Key Agreement
Party X Party Y
1. Agree on Diffie-Hellman Groupp (prime) and g (generator)
2.GeneratesRandom
Number x
2.GeneratesRandom
Number y
39
Figure 7-19: Diffie-Hellman Key Agreement
Party X Party Y
3.Computes
x’=g^x mod p
3.Computes
y’=g^y mod p4.
Exchange x’ and y’Without Security
40
Figure 7-19: Diffie-Hellman Key Agreement
Party X Party Y
5.Compute Key=
y’^x mod p=g^(xy) mod p
5.Compute Key=
x’^y mod p=g^(xy) mod p6. Subsequent Encryption
with SymmetricSession Key
41
Figure 7-20: Replay Attacks
Replay Attacks Retransmit an intercepted message
Message is encrypted so that replay attacker cannot read it
Why Replay Attacks Repetition might work—for instance, replaying an
encrypted username and password might result in access to a poorly designed system
42
Figure 7-20: Replay Attacks
Preventing Replay Attacks
Insert a time stamp in messages and accept messages only if they are very recent
Insert a sequence number in each message
Insert a nonce (random number selected for the occasion) in a request message; only accept a reply message with the same nonce. Other party does not accept a request message with a previous nonce
43
Figure 7-21: Quantum Computing and Steganography
Quantum Computing Quantum Bits (Q-Bits)
In ordinary computers, each bit is either a zero or a one at any time
In quantum computers, each quantum bit (q-bit) can be both a zero and a one at any moment
When decohered, the q-bit becomes a classic one or zero randomly
44
Figure 7-21: Quantum Computing and Steganography
Quantum Computing Quantum Key Distribution (QKD)
Two particles representing q-bits can be entangled so that both will be up or down when read
The two entangled particles are sent to the two communicating parties
Both will always read the bit the same way—as a one or a zero
45
Figure 7-21: Quantum Computing and Steganography
Quantum Computing Quantum Key Distribution (QKD)
They will both read the stream of decohered q-bits as a key
Easy to detect interception of q-bits en route by an eavesdropper
QKD is becoming commercially viable
46
Figure 7-21: Quantum Computing and Steganography
Quantum Computing Quantum Key Cracking
For determining private keys from public keys An array of N q-bits can represent all possible
keys of length N Operations can be performed on all possible
keys simultaneously Results are put in a results register Decoherence gives one result randomly from all
possible results
47
Figure 7-21: Quantum Computing and Steganography
Quantum Computing Quantum Key Cracking
This single result can be used to compute the private key
Not instantaneous, but much faster than exhaustive key search
48
Figure 7-21: Quantum Computing and Steganography
Quantum Computing Quantum Key Cracking
Not practical today
We can only build quantum computers with a few q-bits
Quantum computers with 1000 or more q-bits are some time off
49
Figure 7-21: Quantum Computing and Steganography
Steganography Steganography means hidden writing
Hiding a message in an image Every image is made of pixels There often is about one byte per pixel for each
color: red, green, and blue One bit in each byte is the least significant—
changing it will alter the color by only 1/256 The process steals the least significant bit from
each byte
50
Figure 7-21: Quantum Computing and Steganography
Steganography Hiding a message in an image
The message is written into these bits
The message may be encrypted before writing it into the bits
The picture will look unchanged
51
Figure 7-21: Quantum Computing and Steganography
Steganography
Digital Watermarking
Using steganography to hide identifying information in a document
To prove copyright ownership
To identify different copies of a document
52
Figure 7-22: Cryptographic Goals and Methods
Confidentiality Authentication
Applicable. Senderencrypts with key shared with the receiver.
Not applicable.SymmetricKeyEncryption
Applicable. Senderencrypts with receiver’spublic key.
Applicable. Senderencrypts with ownprivate key.
PublicKeyEncryption
Not applicable.Applicable. Used in MS-CHAP andHMACs discussed in thenext chapter.
Hashing
Recap:Not in Book
53
Topics Covered
Cryptographic Systems Provide protections to dialog automatically
Secure communication involves Confidentiality Authentication Message integrity Anti-replay protection
54
Topics Covered
Encryption Concepts Plaintext
Encryption with encryption method and key
Ciphertext, which is is transmitted
Decryption with decryption method and decryption key
Plaintext
55
Topics Covered
Key Random bit string of a particular length
Cryptanalysts try to crack keys
Exhaustive search is thwarted by having long keys
Symmetric key encryption uses a single key for both encryption and decryption in both directions
Public key encryption uses four different keys for encrytpion and decryption in both directions
56
Topics Covered
Symmetric Key Encryption Methods DES (56-bit block encryption method)
Weak: 100 bits needed for strong symmetric key encryption
DES-Cipher Block Chaining Encryption input has three parts
Plaintext block Key Previous ciphertext block or initialization vector
3DES Apply DES three times with 1, 2, or 3 keys With 3 keys, 168-bit encryption
57
Topics Covered
Symmetric Key Encryption Methods DES and its variants has dominated in the past
Advanced Encryption Standard (AES) New, becoming dominant rapidly Key Length
128 bits 192 bits 256 bits
Low processing and memory requirements Can even be done on hand-held devices
58
Topics Covered
Public Key Encryption Each party has a secret private key and a public
key
Sender uses the receiver’s public key to encrypt for confidentiality
Receiver uses the receiver’s private key to decrypt messages
Never say “the public key” or “the private key”—always refer to a specific party’s public or private key
59
Topics Covered
Public Key Encryption Methods RSA
Dominates public key encryption today 1,024 or 2,048 bits to be strong today
Elliptic curve cryptosystem (ECC) 512 bits to be strong today (more efficient than
RSA)
In contrast, symmetric key methodologies only need key lengths of 100 bits to be strong today
60
Topics Covered
MS-CHAP Used in initial authentication
Shared secret is the user’s password
Applicant’s computer adds password to a challenge message and hashes the combined bit string
Applicant’s computer sends the hash as the response message
Problem is that process is only as secure as the strength of the user’s password
61
Topics Covered
Hashing Often used in authentication
Hashing is NOT encryption
Hashing produces a result (hash) that is always the same small length regardless of the input
Hashing is repeatable: given the same bit string, will always give the same hash No key
Hashing is irreversible
62
Topics Covered
Digital Signatures Used in message-by-message authentication
Applicant hashes plaintext message to produce a short message digest
Applicant signs message digest (encrypts it with the Applicant’s private key) to produce the digital signature
Verifier uses the true party’s public key to test the digital signature
63
Topics Covered
Digital Certificates Verifier uses the true party’s public key to test the
digital signature—not the sender’s public key
Where does the verifier get the true party’s public key?
Digital certificates give the true party’s name and public key
Note that both a digital signature and a digital certificate (to test the digital signature) are needed in authentication. Neither alone is enough.
64
Topics Covered
Public Key Infrastructure Digital certificates
Do not vouch for the goodness of the true party—only the true party’s public key
Follow the X.509 standard
PKI Server Distributes private keys securely Distributes public keys in digital certificates Provides certification revocation list (CRL) to
ensure that digital certificate is still valid
65
Topics Covered
Certificate Authorities (CA) Manage the PKI
If the CA is set up by an attacker, cannot trust its digital certificates
Not regulated
66
Topics Covered
Confidentiality Authentication
Applicable. Senderencrypts with key shared with the receiver.
Not applicable.SymmetricKeyEncryption
Applicable. Senderencrypts with receiver’spublic key.
Applicable. Senderencrypts with ownprivate key.
PublicKeyEncryption
Not applicable.Applicable. Used in MS-CHAP andHMACs discussed in thenext chapter.
Hashing
Recap:Not in Book
67
Topics Covered
Key Distribution Symmetric keys must be distributed securely
between the two parties
Session keys are only used during a single communication session to prevent cryptanalysts from getting enough traffic to crack the key
68
Topics Covered
Public Key Distribution One party randomly generates a symmetric session
key
Encrypts the key with the other party’s public key
Both have the symmetric session key, use it
Diffie-Hellman Key Agreement Mathematical way to exchange information to allow
the two parties to compute the same symmetric session key
69
Topics Covered
Replay Attacks Attacker resends message
May be effective even if the attacker cannot decrypt the message
To thwart replay attacks, use Time stamps Sequence numbers Different nonces for each command/response
cycle