Confidentiality, Integrity & Authentication


Post on 12-Jan-2016



DESCRIPTION

Confidentiality, Integrity & Authentication: Confidentiality - Symmetric Key Encryption; Data Integrity - MD5, SHA and HMAC; Public/Private Key mechanism - RSA; Digital Certificate; DH algorithm. 1. Symmetric Key Algorithm: Encryption. PowerPoint PPT presentation.

TRANSCRIPT

  • CN8816: Network Security
    Confidentiality, Integrity & Authentication
    Confidentiality - Symmetric Key Encryption
    Data Integrity - MD5, SHA and HMAC
    Public/Private Key mechanism - RSA
    Digital Certificate
    DH algorithm

  • 1. Symmetric Key Algorithm: Encryption
    Confidentiality - keeping information out of the hands of unauthorized users
    Technique: data encryption

  • 1. Symmetric Key Algorithm: Symmetric key encryption
    Encryption and decryption use the same key
    Data Encryption Standard (DES) - 1977
    Advanced Encryption Standard (AES) - 2001
    Figure (slide): Plain Text P -> Encryption (key Ks) -> Ciphertext C -> Decryption (key Ks) -> Plain Text P; the same key Ks is used on both sides

  • 1. Symmetric Key Algorithm: Electronic Codebook (ECB) mode
    The plaintext is divided into a number of blocks of fixed size
    DES block size = 64 bits; AES block size = 128 bits
    Each block is encrypted and decrypted independently
    Figure (slide): plaintext with padding split into blocks B1 ... Bn ... BN; each block goes through En (encryption under Ks) on its own to give C1 ... Cn ... CN
    Caveat: because every block is handled independently, identical plaintext blocks produce identical ciphertext blocks, so ECB leaks the structure of the plaintext and should not be used for more than a single block of data

  • 1. Symmetric Key Algorithm: DES algorithm
    Data is divided into 64-bit blocks
    Basic operation (one Feistel round, figure on the slide): the right half of the block is fed through the round function F( ) together with the round key K(N+1), and the result is XORed (+) into the left half; the two halves are then swapped for the next round

  • 1. Symmetric Key Algorithm: DES structure
    Both the encryption and the decryption process consist of 16 rounds of the basic operation
    Encryption and decryption have the same structure
    Figure (slide): Input -> Permutation -> Left / Right halves -> Basic Operation 1 ... Basic Operation 16 -> Inverse Permutation -> Output; the key expansion produces round keys k1 ... k16, applied in the order k1 ... k16 for encryption and k16 ... k1 for decryption

  • 1. Symmetric Key Algorithm: Triple DES ("DES3" on the slide)
    Cascading three DES blocks to support a longer key length
    Supports key lengths of 56, 112 and 168 bits (all three keys equal, key1 = key3, or three independent keys)
    Figure (slide): plaintext -> DES Encrypt (key1) -> DES Decrypt (key2) -> DES Encrypt (key3) -> ciphertext (the EDE construction; with key1 = key2 = key3 it reduces to single DES)
    Caveat: the effective strength of three-key Triple DES is about 112 bits because of meet-in-the-middle attacks, its 64-bit block limits how much data may safely be encrypted under one key, and NIST has deprecated it in favour of AES

  • 1. Symmetric Key Algorithm: Cipher Block Chaining (CBC) mode
    Each plaintext block is XORed with the previous ciphertext block before encryption: C_i = E_Ks(P_i XOR C_(i-1)), with C_0 = the Initialization Vector (IV)
    Identical plaintext blocks therefore no longer give identical ciphertext blocks; the IV must be fresh and unpredictable for every message and is transmitted with the ciphertext, but it need not be secret

  • 1. Symmetric Key Algorithm: AES
    Uses the concept of multiplicative inversion: P(x) * P^-1(x) = 1
    Basic 8-bit multiplication operation: (P(x) * Q(x)) mod (x^8 + x^4 + x^3 + x + 1)
    x^8 + x^4 + x^3 + x + 1 is an irreducible polynomial
    With the defined multiplication operation, all the 8-bit numbers, except zero, have their own inverses
    Example: the inverse of x^7 + x^3 + x^2 + 1 is x, since (x^7 + x^3 + x^2 + 1) * x mod (x^8 + x^4 + x^3 + x + 1) = 1 (in hex notation: {8D} * {02} = {01})

  • 1. Symmetric Key Algorithm: AES round structure
    AES consists of N rounds of the basic operation, N = 10, 12 or 14 for key sizes of 128, 192 or 256 bits respectively
    Figure (slide): Input -> XOR with k0 -> Basic Operation 1 ... Basic Operation N-1 (using round keys k1 ... k(N-1)) -> final round of Sub-byte and shift row only, XOR with kN -> Output; the key expansion derives k0 ... kN from the cipher key

  • 1. Symmetric Key Algorithm: AES basic operation
    One round consists of SubByte, ShiftRow, MixColumns and AddRoundKey, detailed on the following slides

  • 1. Symmetric Key Algorithm: SubByte processing
    From P_i,j, find Inv(P_i,j) such that P_i,j * Inv(P_i,j) mod (x^8 + x^4 + x^3 + x + 1) = 1 (Inv(0) is defined as 0)
    Inv(P_i,j) is then multiplied by a fixed 8x8 binary matrix B1 and added to a fixed binary vector B2:
    S_i,j = B1 * Inv(P_i,j) + B2, with b0 ... b7 the bits of Inv(P_i,j) and c0 ... c7 the bits of S_i,j:

      c0     1 0 0 0 1 1 1 1     b0     1
      c1     1 1 0 0 0 1 1 1     b1     1
      c2     1 1 1 0 0 0 1 1     b2     0
      c3  =  1 1 1 1 0 0 0 1  *  b3  +  0
      c4     1 1 1 1 1 0 0 0     b4     0
      c5     0 1 1 1 1 1 0 0     b5     1
      c6     0 0 1 1 1 1 1 0     b6     1
      c7     0 0 0 1 1 1 1 1     b7     0

    (arithmetic is over GF(2): multiplication is AND, addition is XOR; the constant vector B2 is the byte 0x63)

  • 1. Symmetric Key Algorithm: ShiftRow
    Row r of the 4x4 state is rotated left by r positions:

      S0,0 S0,1 S0,2 S0,3        S0,0 S0,1 S0,2 S0,3
      S1,0 S1,1 S1,2 S1,3   ->   S1,1 S1,2 S1,3 S1,0
      S2,0 S2,1 S2,2 S2,3        S2,2 S2,3 S2,0 S2,1
      S3,0 S3,1 S3,2 S3,3        S3,3 S3,0 S3,1 S3,2

    The columns of the shifted state are then read as polynomials R0 ... R3 for MixColumns:
      R0(x) = S3,3 x^3 + S2,2 x^2 + S1,1 x + S0,0
      R1(x) = S3,0 x^3 + S2,3 x^2 + S1,2 x + S0,1
      R2(x) = S3,1 x^3 + S2,0 x^2 + S1,3 x + S0,2
      R3(x) = S3,2 x^3 + S2,1 x^2 + S1,0 x + S0,3

  • 1. Symmetric Key Algorithm: MixColumns transform
    Z_i = a(x) * R_i(x) mod (x^4 + 1), with a(x) = {03}x^3 + {01}x^2 + {01}x + {02}
    Equivalently Z_i = A * R_i, where R_i is the column (S0,i, S1,i, S2,i, S3,i) after ShiftRow and

          02 03 01 01
      A = 01 02 03 01
          01 01 02 03
          03 01 01 02

    The product of two coefficients is still limited to the finite field of 8 bits, applying the modular operation with modulus x^8 + x^4 + x^3 + x + 1; the additions are XORs

  • 1. Symmetric Key Algorithm: AddRoundKey transformation
    The MixColumns output Z is XORed byte by byte with the round key K to give the round output E:

      Z0,0 Z0,1 Z0,2 Z0,3        K0,0 K0,1 K0,2 K0,3        E0,0 E0,1 E0,2 E0,3
      Z1,0 Z1,1 Z1,2 Z1,3  XOR   K1,0 K1,1 K1,2 K1,3   =    E1,0 E1,1 E1,2 E1,3
      Z2,0 Z2,1 Z2,2 Z2,3        K2,0 K2,1 K2,2 K2,3        E2,0 E2,1 E2,2 E2,3
      Z3,0 Z3,1 Z3,2 Z3,3        K3,0 K3,1 K3,2 K3,3        E3,0 E3,1 E3,2 E3,3
             state                    round key              encrypted output
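    The following is an added worked example, not code from the CN8816 slides: AES-128 encryption assembled from exactly the pieces the AES slides describe (GF(2^8) multiplication and inversion, the SubByte affine transform with the 8x8 matrix and vector 0x63, ShiftRow, MixColumns with the matrix A, AddRoundKey and the key expansion), checked against the FIPS-197 Appendix C.1 test vector. It also implements the ECB and CBC modes from the earlier slides on top of that block cipher, so the ECB block-repetition leak can be observed directly. The state layout (column-major, byte r + 4c), the PKCS#7 padding and the sample plaintexts are assumptions made for the example.

```python
# Added worked example (not code from the CN8816 course): AES-128 encryption
# built from the four transformations on the slides, plus ECB and CBC modes
# built on it. Checked against the FIPS-197 Appendix C.1 test vector.

POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES field modulus

def gf_mul(a, b):
    """Multiply two bytes as polynomials over GF(2), reduced mod x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r

def gf_inv(a):
    """Multiplicative inverse in GF(2^8); the S-box maps 0 to 0 by definition."""
    if a == 0:
        return 0
    return next(x for x in range(1, 256) if gf_mul(a, x) == 1)

def sbox_byte(p):
    """SubByte for one byte: the slide's affine transform (matrix B1, vector 0x63) of Inv(p)."""
    b, c = gf_inv(p), 0
    for i in range(8):
        # row i of B1 taps bits b_i, b_(i+4), b_(i+5), b_(i+6), b_(i+7); bit i of 0x63 is B2
        bit = (b >> i) ^ (b >> (i + 4) % 8) ^ (b >> (i + 5) % 8) \
            ^ (b >> (i + 6) % 8) ^ (b >> (i + 7) % 8) ^ (0x63 >> i)
        c |= (bit & 1) << i
    return c

SBOX = [sbox_byte(p) for p in range(256)]
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def expand_key(key):
    """AES-128 key expansion: 16-byte key -> round keys k0 .. k10 (16 bytes each)."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:                                  # RotWord, SubWord, then Rcon
            t = [SBOX[x] for x in t[1:] + t[:1]]
            t[0] ^= RCON[i // 4 - 1]
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * n:4 * n + 4], []) for n in range(11)]

# State is a flat list of 16 bytes in column-major order (assumption): S_r,c = state[r + 4*c]
def sub_bytes(s):
    return [SBOX[x] for x in s]

def shift_rows(s):
    # row r rotated left by r positions, as in the slide's S1,1 S1,2 S1,3 S1,0 ...
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):
    # each column multiplied by A = [[02 03 01 01], [01 02 03 01], [01 01 02 03], [03 01 01 02]]
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
                a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
                a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
                gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]
    return out

def add_round_key(s, k):
    return [x ^ y for x, y in zip(s, k)]

def aes128_encrypt_block(key, block):
    """XOR with k0, nine full rounds, then a final round without MixColumns (N = 10)."""
    rk = expand_key(key)
    s = add_round_key(list(block), rk[0])
    for n in range(1, 10):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rk[n])
    return bytes(add_round_key(shift_rows(sub_bytes(s)), rk[10]))

def pkcs7_pad(data, n=16):
    k = n - len(data) % n
    return data + bytes([k]) * k

def ecb_encrypt(key, data):
    """ECB: blocks encrypted independently, so equal plaintext blocks give equal ciphertext blocks."""
    data = pkcs7_pad(data)
    return b"".join(aes128_encrypt_block(key, data[i:i + 16]) for i in range(0, len(data), 16))

def cbc_encrypt(key, iv, data):
    """CBC: C_i = E(P_i XOR C_(i-1)), C_0 = IV, so repeated plaintext blocks are hidden."""
    data, prev, out = pkcs7_pad(data), iv, []
    for i in range(0, len(data), 16):
        prev = aes128_encrypt_block(key, bytes(x ^ y for x, y in zip(data[i:i + 16], prev)))
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ct):
    """Number of 16-byte ciphertext blocks that occur more than once (the ECB leak)."""
    blocks = [ct[i:i + 16] for i in range(0, len(ct), 16)]
    return len(blocks) - len(set(blocks))

if __name__ == "__main__":
    key = bytes(range(16))                      # FIPS-197 C.1 key 000102...0f
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(aes128_encrypt_block(key, pt).hex())  # 69c4e0d86a7b0430d8cdb78070b4c55a
    msg = b"ATTACK AT DAWN!!" * 3               # constructed: three identical 16-byte blocks
    print(repeated_blocks(ecb_encrypt(key, msg)), repeated_blocks(cbc_encrypt(key, bytes(16), msg)))
```

    The S-box is derived at import time from the inversion and affine transform rather than typed in as a table, so the slide's SubByte description can be checked directly: SBOX[0x53] must come out as 0xED (the FIPS-197 example) and SBOX[0] as 0x63. The last two numbers printed show the ECB leak: the three identical plaintext blocks give two repeated ciphertext blocks in ECB and none in CBC. The code is for study only; a real deployment uses a vetted library with constant-time tables and an authenticated mode.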

  • 2. Data Integrity: Message Digest
    The digest is the hash function of a message
    A small change of the message completely changes the hash value (illustrative bit strings from the slide):
      Data: 1001011010 -> Hash 01101110
      Data: 1001010010 -> Hash 11011001

  • 2. Data Integrity: Hash algorithms
    MD5: 512-bit block, 128-bit hash
    Secure Hash Algorithm (SHA)
      SHA-1: 512-bit block, 160-bit hash
      SHA-224: 512-bit block, 224-bit hash
      SHA-256: 512-bit block, 256-bit hash
      SHA-384: 1024-bit block, 384-bit hash
      SHA-512: 1024-bit block, 512-bit hash
    Caveat: practical collisions have been demonstrated for both MD5 and SHA-1, so neither should be used where collision resistance matters (signatures, certificates); use SHA-256 or stronger

  • 2. Data Integrity: SHA-512 message padding
    The padded message consists of the message, a padding field and a length field
    The padding field contains the bit pattern 1000...0 (a single 1 bit followed by zeros)
    The length field (128 bits) holds the bit length of the original message
    The total is an integer multiple of 1024-bit blocks:

      | Message | 1000...0 (padding) | Length (128 bits) |

  • 2. Data Integrity: Processing overview
    Figure (slide): the padded message is split into 1024-bit blocks M1, M2, ..., Mi, ..., MN; each block goes through Expansion into the message schedule W0 ... W79 and then through Hashing, where the working variables a ... h are initialised from the previous chaining value H0(i-1) ... H7(i-1) and produce H0(i) ... H7(i); the final HASH is H0(N) || ... || H7(N)

  • 2. Data Integrity: Keyed Hashing for Message Authentication (HMAC)
    Provides data integrity (and origin authentication) between two security entities sharing the secret key
    Keyed hash = Hash((K XOR opad) || Hash((K XOR ipad) || text))
    K = Concatenation(Key, (M - Key_size) zero bytes); a key longer than M bytes is first replaced by its hash
    ipad = 00110110 (0x36) repeated M times
    opad = 01011100 (0x5C) repeated M times
    M = hash function message block size (in bytes)
    The hash function can be MD5 or any SHA variant (HMAC-SHA-256 is the usual choice today)
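    The following is an added worked example, not code from the CN8816 slides: HMAC computed literally from the definition on this slide (zero-padded key, 0x36 and 0x5C pads, inner and outer hash) and checked against Python's standard hmac module, plus the SHA-512 padding rule from the two previous slides. The long-key rule (hash a key longer than one block first) is from RFC 2104; the sample keys and messages are constructed for the example.

```python
# Added worked example (not code from the CN8816 course): HMAC built directly
# from the slide's definition, compared with Python's hmac module, and the
# SHA-512 padding layout (message || 1000...0 || 128-bit length).
import hashlib
import hmac

def hmac_from_definition(key, text, algo="sha256"):
    """Hash((K XOR opad) || Hash((K XOR ipad) || text)), K = key zero-padded to the block size M."""
    M = hashlib.new(algo).block_size          # 64 bytes for MD5/SHA-1/SHA-256, 128 for SHA-384/512
    if len(key) > M:                          # RFC 2104: a key longer than one block is hashed first
        key = hashlib.new(algo, key).digest()
    K = key + b"\x00" * (M - len(key))        # Concatenation(Key, (M - Key_size) zeros)
    k_ipad = bytes(a ^ b for a, b in zip(K, bytes([0x36]) * M))
    k_opad = bytes(a ^ b for a, b in zip(K, bytes([0x5C]) * M))
    inner = hashlib.new(algo, k_ipad + text).digest()
    return hashlib.new(algo, k_opad + inner).hexdigest()

def matches_stdlib(key, text, algo):
    """True when the hand-built HMAC equals hmac.new() for the same inputs."""
    return hmac.compare_digest(hmac_from_definition(key, text, algo),
                               hmac.new(key, text, algo).hexdigest())

def sha512_pad(message):
    """Message || 0x80 (the 1 bit) || zeros || 128-bit big-endian bit length, to a multiple of 128 bytes."""
    bit_len = len(message) * 8
    zeros = (112 - (len(message) + 1)) % 128  # leave exactly 16 bytes for the length field
    return message + b"\x80" + b"\x00" * zeros + bit_len.to_bytes(16, "big")

if __name__ == "__main__":
    key, text = b"key", b"The quick brown fox jumps over the lazy dog"   # constructed inputs
    print(hmac_from_definition(key, text, "sha256"), matches_stdlib(key, text, "sha256"))
    print(matches_stdlib(b"k" * 200, b"long key is hashed first", "sha512"))
    print(len(sha512_pad(b"abc")), len(sha512_pad(b"x" * 112)))   # 128 256
```

    The 112-byte message is the edge case the padding rule forces: 112 + 1 + 16 exceeds one 128-byte block, so a second block is needed. Verifying a received tag should use hmac.compare_digest, as matches_stdlib does, rather than ==, so that the comparison does not leak how many leading bytes matched.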

  • 3. Private/Public Key Mechanism
    Public/private key: RSA and ECC (Elliptic Curve Cryptography)
    Consists of a private key and a public key pair
    The public key can be known by the public; the private key must stay with its owner

  • 3. Private/Public Key Mechanism: RSA algorithm
    Select two large prime numbers, P and Q
    Select an odd number E such that E and (P-1)(Q-1) are relatively prime
    Find a number D, the multiplicative inverse of E, such that D*E mod (P-1)(Q-1) = 1
    Public key = (E, PQ); Private key = (D, PQ)
    Encryption/Decryption (for a message M < PQ):
      Ciphertext C = M^E mod PQ
      Original text M = C^D mod PQ = M^(ED) mod PQ
    Caveat: used on its own ("textbook RSA") this is deterministic and malleable, which is why a padding scheme such as RSAES-OAEP (next slide) is always applied in practice

  • 3. Private/Public Key Mechanism: RSAES-OAEP algorithm
    Provides an integrity check to counter the chosen-ciphertext attack on plain RSA
    Figure (slide): Hash(L) (the label hash), padding and the separator 0x01 are prepended to the message to form the Data Block; a random secret seed is run through MGF and XORed (+) into the Data Block to give the Masked Data Block; the Masked Data Block is run through MGF and XORed into the seed to give the masked seed; 0x00 || masked seed || Masked Data Block is then encrypted with the Public_key to produce the ciphertext
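    The following is an added worked example, not code from the CN8816 slides; it covers both the RSA slide and this OAEP slide. The first part runs the slide's key generation recipe on constructed toy primes (P = 61, Q = 53, E = 17) and shows the multiplicative malleability of unpadded RSA that motivates OAEP. The second part implements the encoding in the slide's diagram (EME-OAEP from RFC 8017 with SHA-256 and MGF1) and its decoder with the integrity check, and shows that flipping a single bit of the encoded block is rejected. The toy modulus is far too small to carry a 128-byte OAEP block, so the two parts are exercised separately; the byte length k = 128 and the sample messages are assumptions for the example.

```python
# Added worked example (not code from the CN8816 course): the slide's RSA
# recipe on constructed toy primes, why raw RSA needs padding, and RSAES-OAEP
# encoding/decoding (RFC 8017 section 7.1) with its integrity check.
import hashlib
import os
from math import gcd

def rsa_keygen(p, q, e):
    """Public key (E, PQ) and private key (D, PQ) exactly as on the slide."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("E must be relatively prime to (P-1)(Q-1)")
    d = pow(e, -1, phi)                     # D = E^-1 mod (P-1)(Q-1) (Python 3.8+)
    return (e, n), (d, n)

def rsa_encrypt(pub, m):
    e, n = pub
    return pow(m, e, n)                     # C = M^E mod PQ

def rsa_decrypt(priv, c):
    d, n = priv
    return pow(c, d, n)                     # M = C^D mod PQ

def malleability_demo(pub, priv, m, factor):
    """Raw RSA is multiplicatively homomorphic: E(m) * E(k) = E(m*k) mod n.
    Anyone can turn a captured ciphertext into a related one whose decryption
    is predictable; this is the chosen-ciphertext weakness OAEP removes."""
    c_forged = (rsa_encrypt(pub, m) * rsa_encrypt(pub, factor)) % pub[1]
    return rsa_decrypt(priv, c_forged)      # == m * factor mod n

def mgf1(seed, length, h=hashlib.sha256):
    """Mask generation function: H(seed || 0) || H(seed || 1) || ... cut to length."""
    hlen = h().digest_size
    return b"".join(h(seed + i.to_bytes(4, "big")).digest()
                    for i in range((length + hlen - 1) // hlen))[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg, k, label=b"", seed=None, h=hashlib.sha256):
    """Build the k-byte block of the slide's diagram, ready to be RSA-encrypted."""
    hlen = h().digest_size
    if len(msg) > k - 2 * hlen - 2:
        raise ValueError("message too long")
    lhash = h(label).digest()                                            # Hash(L)
    db = lhash + b"\x00" * (k - len(msg) - 2 * hlen - 2) + b"\x01" + msg  # Data Block
    seed = seed if seed is not None else os.urandom(hlen)                # secret seed
    masked_db = xor(db, mgf1(seed, k - hlen - 1, h))                     # Masked Data Block
    masked_seed = xor(seed, mgf1(masked_db, hlen, h))                    # masked seed
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em, k, label=b"", h=hashlib.sha256):
    """Undo the masking and run the integrity check; every failure gives the same error."""
    hlen = h().digest_size
    if len(em) != k or em[0] != 0:
        raise ValueError("decryption error")
    masked_seed, masked_db = em[1:1 + hlen], em[1 + hlen:]
    seed = xor(masked_seed, mgf1(masked_db, hlen, h))
    db = xor(masked_db, mgf1(seed, k - hlen - 1, h))
    lhash, rest = db[:hlen], db[hlen:]
    sep = rest.find(b"\x01")
    # production code must make these checks constant-time to avoid a padding oracle
    if lhash != h(label).digest() or sep == -1 or rest[:sep].strip(b"\x00"):
        raise ValueError("decryption error")
    return rest[sep + 1:]

def tamper_detected(em, k):
    """Flip one bit of the Masked Data Block and confirm the decoder rejects the result."""
    tampered = bytearray(em)
    tampered[-1] ^= 0x01
    try:
        oaep_decode(bytes(tampered), k)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53, 17)       # constructed toy primes; real keys use a 2048-bit PQ
    print(rsa_encrypt(pub, 65), rsa_decrypt(priv, rsa_encrypt(pub, 65)))  # 2790 65
    print(malleability_demo(pub, priv, 65, 2))                             # 130, never encrypted by anyone
    em = oaep_encode(b"attack at dawn", 128)
    print(oaep_decode(em, 128), tamper_detected(em, 128))
```

    Because the masked seed is derived from the Masked Data Block, a change to any bit of the block garbles the recovered seed, hence the whole Data Block, and the Hash(L) comparison fails; that is the integrity check the slide refers to. The decoder deliberately reports one generic error for every failure, as RFC 8017 requires, because distinguishing "bad lHash" from "no 0x01 separator" would hand an attacker a decryption oracle.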

  • 3. Private/Public Key Mechanism: Session Key Encryption application
    1. A -> B: Eb(A, Na)
    2. B -> A: Ea(Na, Nb, Ks)
    3. A -> B: Ks(Nb)
    then: data encrypted with Ks
    Eb = encryption using Bob's public key; Ea = encryption using Alice's public key; Ks = session key; Na, Nb = fresh nonces
    The second message authenticates Bob (only Bob could have recovered Na); the third message authenticates Alice (only Alice could have recovered Nb and Ks)
    Caveat: this has the shape of the Needham-Schroeder public-key protocol, and message 2 does not name Bob; Lowe showed that this omission allows a man-in-the-middle when Alice also runs the protocol with a dishonest party, and the standard fix is to send Ea(Na, Nb, Ks, B) in step 2

  • 3. Private/Public Key Mechanism: Digital Signature application
    Uses a private/public key pair and a hash function: the signer hashes the message and applies the private key to the digest to produce the signature

  • 3. Private/Public Key Mechanism: Signature verification
    A public key is used to verify the digital signature: the verifier checks the signature against the hash of the received message using the signer's public key

  • 3. Private/Public Key Mechanism: Example: PGP (Pretty Good Privacy)
    1. signed with the sender's private key
    2. encrypted with the sessi
