Class 2: Cryptography Refresher
CIS 755: Advanced Computer Security, Spring 2015
Eugene Vasserman
http://www.cis.ksu.edu/~eyv/CIS755_S15/
Administrative stuff
• Schedule updated
  – More changes soon, but they won't be major
• Watch for quiz announcements
• Periodically check the main page for news and the schedule page for changes and slides: http://www.cis.ksu.edu/~eyv/CIS755_S15/
• Paper reading and the "huh?" moment
Security basics
• "What is being secured?"
  – And the security goal/property
• "Secure against what?"
  – Threat/attacker model, players and resources
• Kerckhoffs' principle
  – Roughly, the only thing secret about a security system should be the secret key
• Shannon's maxim
  – "The enemy knows the system"
Safety vs. security
• Think like an adversary!
• Random → malicious faults
• Engineering for security: "What's the worst that can happen?" Assume it will…
• Always, always, ALWAYS state your assumptions!
More basics
• Trusted vs. trustworthy
  – e.g. the recent SSL Certificate Authority fiasco
• Risk, hazard, vulnerability
  – Adversary, ROI, scale
• Assurance levels
  – "Rainbow" book series, Common Criteria
• Method of returning to secure states
• Fail-closed/secure or fail-open/insecure?
Security mechanisms (incomplete list)
• Access control
• Authentication
• Separation of roles
• Logging
• Trusted components in the hands of trustworthy parties
Always state your assumptions!
Basic cryptographic primitives
• Confidentiality (encryption)
  – Symmetric (e.g. AES)
  – Asymmetric (e.g. RSA)
• Hash functions
• Integrity and authentication
  – Symmetric (authentication codes)
  – Asymmetric (signatures)
• Key agreement
• Random numbers
Encryption
• Basic idea: someone seeing the ciphertext learns nothing about the plaintext without the correct key
• With or without authentication
• Symmetric – based on tests/best guess
  – e.g. AES (block cipher)
• Asymmetric – based on math assumptions
  – e.g. RSA
Security properties of encryption
• Semantic security
• Chosen-plaintext security (IND-CPA)
• Chosen-ciphertext security (IND-CCA)
  – IND-CCA2
• Security proof "games"
NEVER BUILD YOUR OWN WHEN A SOLUTION EXISTS!!!
Aside: Information theory
• Conditional vs. unconditional security
  – Unconditional, e.g. one-time pad
  – Conditional, e.g. RSA, AES
• …
• Symmetric encryption
• Hash functions
• Remember: confusion and diffusion
Basic (but more complex) primitives
• Confidentiality (encryption)
  – Symmetric (e.g. AES), asymmetric (e.g. RSA)
  – Malleable vs. non-malleable
  – Deterministic vs. randomized
• Hash functions
• Message authentication codes, signatures
• Random numbers
• Key agreement
Some basic cryptographic primitives
• Confidentiality (encryption)
  – Symmetric (e.g. AES): E_K(M), D_K(M) (or E_K^-1)
  – Asymmetric (e.g. RSA): E_PK(M), D_SK(M)
• Hash functions (e.g. SHA-3): h(M)
• Integrity and authentication
  – Symmetric (MACs): MAC_K(M)
  – Asymmetric (signatures): Sig_SK(M), V_PK(M)
• Key agreement
• Random numbers: n = nonce
• Example: WEP
  – IV, RC4(IV, k) ⊕ (M, c(M))
  – Claim: 24-bit IV + 40-bit key = 64-bit security
• On your right: text from Jonathan Katz
Aside: composability
• Is this secure against chosen-plaintext attacks?
  – It is randomized…
• 40-bit key (in some implementations)!
  – Claims that, with IV, this gives a 64-bit effective key(!)
• And how is the IV chosen?
  – Only 24 bits long -- IV repetitions are a problem!
  – Reset to 0 upon re-initialization
  – Some implementations increment the IV as a counter
• A repeating IV allows the attacker to compute the XOR of two plaintexts
  – We have discussed already how this can be damaging
• Small IV space means the attacker can build a dictionary of (IV, RC4(IV, k)) pairs
  – If portions of some plaintexts are known, this enables determination of other plaintexts
• Known-plaintext attacks discovered on this usage of RC4
  – Possible because the first byte of plaintext is a fixed, known header!
• Chosen-plaintext attacks
  – Send IP traffic/e-mail to the mobile host and watch it get forwarded
  – Transmit broadcast messages to access point
  – Authentication spoofing
• No cryptographic integrity protection
  – The checksum is linear (i.e., c(x ⊕ y) = c(x) ⊕ c(y)) and unkeyed, and therefore easy to attack
  – Allows IP redirection attack
  – Allows TCP "reaction" attacks
    • Look at whether TCP checksum is valid
    • Form of chosen-ciphertext attack
• Encryption used to provide authentication of mobile station (access point sends nonce; station returns an encryption of the nonce)
  – Allows easy spoofing after eavesdropping
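Added example (not from the slides or from Katz's text): a toy WEP-style frame in Python that makes two of the points above concrete, namely that a repeated IV exposes the XOR of two plaintexts and that the CRC-32 checksum c(M) is affine and unkeyed, so it cannot serve as integrity protection; a keyed MAC over (IV, ciphertext) is shown as the repair. The keystream function stands in for RC4 (SHAKE-256 is an assumption, since RC4 is not in Python's standard library), and all keys, IVs and messages are constructed sample values.

```python
import hashlib
import hmac
import zlib

def keystream(iv: bytes, key: bytes, n: int) -> bytes:
    # Stand-in for RC4(IV, k): RC4 is not in the standard library, so the per-IV
    # keystream is derived with SHAKE-256(IV || k) (an assumption; everything
    # below depends only on XOR with a keystream, not on which cipher made it).
    return hashlib.shake_256(iv + key).digest(n)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc(m: bytes) -> bytes:
    return zlib.crc32(m).to_bytes(4, "little")  # WEP's unkeyed c(M)

def wep_like_encrypt(iv: bytes, key: bytes, m: bytes) -> bytes:
    # Frame body RC4(IV, k) XOR (M, c(M)); the 24-bit IV is sent in the clear.
    body = m + crc(m)
    return xor(body, keystream(iv, key, len(body)))

def iv_reuse_leaks_plaintext_xor(key: bytes, iv: bytes, m1: bytes, m2: bytes) -> bool:
    # Same IV => same keystream, so c1 XOR c2 = (M1, c(M1)) XOR (M2, c(M2)):
    # the XOR of the two plaintexts is exposed without the key.
    c1, c2 = wep_like_encrypt(iv, key, m1), wep_like_encrypt(iv, key, m2)
    return xor(c1, c2)[:len(m1)] == xor(m1, m2)

def crc_is_affine(x: bytes, y: bytes) -> bool:
    # c(x XOR y) = c(x) XOR c(y) XOR c(0^n) for equal-length x, y: CRC-32 with
    # zlib's init/xorout constants is affine over GF(2), so the checksum of a
    # modified message is predictable with no key at all.
    zero = bytes(len(x))
    return zlib.crc32(xor(x, y)) == zlib.crc32(x) ^ zlib.crc32(y) ^ zlib.crc32(zero)

def mac_encrypt(iv: bytes, key: bytes, m: bytes) -> bytes:
    # Repair: encrypt M only, then authenticate (IV, ciphertext) with a keyed
    # MAC (HMAC-SHA256) in place of the unkeyed CRC. Fresh IVs are still required.
    ct = xor(m, keystream(iv, key, len(m)))
    return ct + hmac.new(key, iv + ct, hashlib.sha256).digest()

def mac_decrypt(iv: bytes, key: bytes, frame: bytes):
    # Returns the plaintext, or None if the tag does not verify.
    ct, tag = frame[:-32], frame[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        return None  # any bit flip on the wire is rejected, unlike with c(M)
    return xor(ct, keystream(iv, key, len(ct)))
```

Note that the slide's identity c(x ⊕ y) = c(x) ⊕ c(y) holds for the raw CRC polynomial division; with zlib's initial value and final XOR the map is affine, which is why the check above includes the CRC of an all-zero string of the same length.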
Questions?