
Cryptography and Network Security 1

CS549: Cryptography and Network Security

© by Xiang-Yang Li

Department of Computer Science, IIT

Notice

© This lecture note (Cryptography and Network Security) is prepared by Xiang-Yang Li. This lecture note has benefited from numerous textbooks and online materials, especially "Cryptography and Network Security", 2nd edition, by William Stallings and "Cryptography: Theory and Practice" by Douglas Stinson.

You may not modify, publish, or sell, reproduce, create derivative works from, distribute, perform, display, or in any way exploit any of the content, in whole or in part, except as otherwise expressly permitted by the author.

The author has used his best efforts in preparing this lecture note. The author makes no warranty of any kind, expressed or implied, with regard to the programs, protocols contained in this lecture note. The author shall not be liable in any event for incidental or consequential damages in connection with, or arising out of, the furnishing, performance, or use of these.

Cryptography and Network Security

Key Management and Generation

Xiang-Yang Li

Key Exchange

Public-key systems are much slower than private-key systems.

Public-key systems are therefore often used only for short data: signatures, key distribution.

Key distribution: one party chooses the key and transmits it to the other user.

Key agreement: a protocol in which two parties jointly establish a secret key over a public communication channel. The key is a function of inputs from both users.

Distribution of Public Keys

Can be considered as using one of:

Public announcement
Publicly available directory
Public-key authority
Public-key certificates

Public Key Management

Simple one: publish the public key, e.g. in newsgroups, a yellow book, etc. Convenient, but not secure.

Anyone can forge such an announcement. Example: user B pretends to be A and publishes a key for A. Then all messages sent to A are readable by B!

Alternative: let a trusted authority maintain the keys. The authority needs to verify identity when keys are registered. A user can replace old keys or void old keys.

Possible Attacks

Observe all messages over the channel: so assume that all plaintext messages are available to all.

Save messages for reuse later: so have to avoid replay attacks.

Masquerade as various users in the network: so have to be able to verify the source of a message.

Public Announcement

Users distribute public keys to recipients or broadcast to the community at large.

E.g. append PGP keys to email messages, or post to newsgroups or an email list.

Major weakness is forgery: anyone can create a key claiming to be someone else and broadcast it; until the forgery is discovered they can masquerade as the claimed user.

Publicly Available Directory

Can obtain greater security by registering keys with a public directory. The directory must be trusted, with properties:

Contains {name, public-key} entries
Participants register securely with the directory
Participants can replace a key at any time
Directory is periodically published
Directory can be accessed electronically

Still vulnerable to tampering or forgery.

Public-Key Authority

Improve security by tightening control over distribution of keys from the directory. Has the properties of the directory, and requires users to know the public key of the directory; users then interact with the directory to obtain any desired public key securely.

Does require real-time access to the directory when keys are needed.

Public-Key Authority (figure)

Cont.

More advanced distribution:

A sends request-for-key(B) to the authority with a time-stamp, that is, IDa | IDb | Time.
The authority replies with key(B), encrypted with its private key, that is, E_KRauth(KUb | IDa | IDb | Time).
A initiates a message to B, including a random number Na and its IDa.
B then asks the authority for key(A).
B sends A (encrypted with A's public key) Na and Nb.
A then replies to B with Nb encrypted with B's public key.

Cryptography and Network Security 13

Cont.

In above scheme, the authority is bottleneckNew approach: certificate

Any user can read certificate, determine name and public key of the certificate’s ownerAny user can verify the authority of certificateOnly the authority can create and update certificateAny user can verify the time-stamp of certificate

The certificate isCA=EKRauth[T,IDA, KUA]Time-stamp is to avoid reuse of voided key

Public-Key Certificates

Certificates allow key exchange without real-time access to the public-key authority. A certificate binds an identity to a public key, usually with other info such as period of validity, rights of use, etc., with all contents signed by a trusted public-key or certificate authority (CA). It can be verified by anyone who knows the public-key authority's public key.

To validate the certificate, we need another certificate, one that matches the Issuer (of the CA) in the first certificate. Then we take the RSA public key from the second (CA) certificate and use it to decode the signature on the first certificate to obtain an MD5 hash, which must match an actual MD5 hash computed over the rest of the certificate.

X.509

The structure of an X.509 v3 digital certificate is as follows:

Certificate
    Version
    Serial Number
    Algorithm ID
    Issuer
    Validity
        Not Before
        Not After
    Subject
    Subject Public Key Info
        Public Key Algorithm
        Subject Public Key
    Issuer Unique Identifier (Optional)
    Subject Unique Identifier (Optional)
    Extensions (Optional)
    ...
Certificate Signature Algorithm
Certificate Signature

Sample Certificate

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 7829 (0x1e95)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/[email protected]
        Validity
            Not Before: Jul 9 16:04:02 1998 GMT
            Not After : Jul 9 16:04:02 1999 GMT
        Subject: C=US, ST=Maryland, L=Pasadena, O=Brent Baccala, OU=FreeSoft, CN=www.freesoft.org/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b4:31:98:0a:c4:bc:62:c1:88:aa:dc:b0:c8:bb:
                    33:35:19:d5:0c:64:b9:3d:41:b2:96:fc:f3:31:e1:
                    66:36:d0:8e:56:12:44:ba:75:eb:e8:1c:9c:5b:66:
                    70:33:52:14:c9:ec:4f:91:51:70:39:de:53:85:17:
                    16:94:6e:ee:f4:d5:6f:d5:ca:b3:47:5e:1b:0c:7b:
                    c5:cc:2b:6b:c1:90:c3:16:31:0d:bf:7a:c7:47:77:
                    8f:a0:21:c7:4c:d0:16:65:00:c1:0f:d7:b8:80:e3:
                    d2:75:6b:c1:ea:9e:5c:5c:ea:7d:c1:a1:10:bc:b8:
                    e8:35:1c:9e:27:52:7e:41:8f
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        93:5f:8f:5f:c5:af:bf:0a:ab:a5:6d:fb:24:5f:b6:59:5d:9d:
        92:2e:4a:1b:8b:ac:7d:99:17:5d:cd:19:f6:ad:ef:63:2f:92:
        ab:2f:4b:cf:0a:13:90:ee:2c:0e:43:03:be:f6:ea:8e:9c:67:
        d0:a2:40:03:f7:ef:6a:15:09:79:a9:46:ed:b7:16:1b:41:72:
        0d:19:aa:ad:dd:9a:df:ab:97:50:65:f5:5e:85:a6:ef:19:d1:
        5a:de:9d:ea:63:cd:cb:cc:6d:5d:01:85:b5:6d:c8:f3:d9:f7:
        8f:0e:fc:ba:1f:34:e9:96:6e:6c:cf:f2:ef:9b:bf:de:b5:22:
        68:9f

Security

In 2005, Arjen Lenstra and Benne de Weger demonstrated "how to use hash collisions to construct two X.509 certificates that contain identical signatures and that differ only in the public keys," achieved using a collision attack on the MD5 hash function. See http://www.win.tue.nl/~bdeweger/CollidingCertificates/ddl-full.pdf
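The validation rule from the Public-Key Certificates slide (take the issuer's public key from the second certificate, decode the signature on the first, compare with a hash over the rest of the certificate) and the field layout from the X.509 slide, as an added example that is not part of the lecture note. The CA key is toy RSA built from two Mersenne primes, the subject key and the certificate names are constructed, SHA-256 replaces the slide's MD5 in light of the collision result above, and the RSA step is textbook (no PKCS#1 padding), so the example shows the structure of the check rather than a production implementation:

```python
import hashlib
import json
from datetime import datetime

# Toy RSA key for the issuing CA, constructed for this example from two Mersenne
# primes (2^127 - 1 and 2^521 - 1).  Their factorisation is public, so this key
# only serves to show the arithmetic of certificate validation.
CA_P = (1 << 127) - 1
CA_Q = (1 << 521) - 1
CA_N = CA_P * CA_Q
CA_E = 65537
CA_D = pow(CA_E, -1, (CA_P - 1) * (CA_Q - 1))

# The subject's public key only needs to be *bound* by the certificate, so a
# modulus built from two more Mersenne primes is enough here (constructed value).
SUBJECT_SPKI = {"algorithm": "rsaEncryption",
                "n": ((1 << 89) - 1) * ((1 << 107) - 1), "e": 65537}


def tbs_bytes(cert):
    """Canonical encoding of the to-be-signed part: every field except the signature."""
    tbs = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(tbs, sort_keys=True).encode()


def rsa_sign(tbs, d, n):
    # Textbook RSA over the raw SHA-256 digest; real X.509 wraps the digest in
    # PKCS#1 padding, and the slide's md5WithRSAEncryption is no longer safe.
    digest = int.from_bytes(hashlib.sha256(tbs).digest(), "big")
    return pow(digest, d, n)


def rsa_verify(tbs, signature, e, n):
    """'Decode' the signature with the issuer's public key and compare to a fresh hash."""
    digest = int.from_bytes(hashlib.sha256(tbs).digest(), "big")
    return pow(signature, e, n) == digest


def make_cert(subject, issuer, spki, not_before, not_after, signer_d, signer_n, serial):
    """Build a certificate with the X.509 fields listed on the slide and sign it."""
    cert = {
        "version": 3,
        "serialNumber": serial,
        "signatureAlgorithm": "sha256WithRSAEncryption",
        "issuer": issuer,
        "validity": {"notBefore": not_before, "notAfter": not_after},
        "subject": subject,
        "subjectPublicKeyInfo": spki,
    }
    cert["signature"] = rsa_sign(tbs_bytes(cert), signer_d, signer_n)
    return cert


def validate(cert, issuer_cert, now):
    """The check described on the slide: match the issuer's certificate, take its
    public key, and verify the signature over the rest of the certificate.
    The validity window is checked as well; any failure returns False."""
    if cert["issuer"] != issuer_cert["subject"]:
        return False
    window = cert["validity"]
    if not (datetime.fromisoformat(window["notBefore"]) <= now
            <= datetime.fromisoformat(window["notAfter"])):
        return False
    issuer_key = issuer_cert["subjectPublicKeyInfo"]
    return rsa_verify(tbs_bytes(cert), cert["signature"], issuer_key["e"], issuer_key["n"])


# Constructed chain: a self-signed root and one end-entity certificate.
CA_NAME = "C=XX, O=Example Root CA (constructed), CN=Example Root CA"
CA_CERT = make_cert(CA_NAME, CA_NAME, {"algorithm": "rsaEncryption", "n": CA_N, "e": CA_E},
                    "2024-01-01 00:00:00", "2034-01-01 00:00:00", CA_D, CA_N, serial=1)
LEAF_CERT = make_cert("CN=www.example.test", CA_NAME, SUBJECT_SPKI,
                      "2024-06-01 00:00:00", "2025-06-01 00:00:00", CA_D, CA_N, serial=7829)
NOW = datetime(2024, 9, 1)


def chain_ok():
    return validate(LEAF_CERT, CA_CERT, NOW)


def tampered_key_rejected():
    # Swap in a different subject public key: the hash no longer matches the
    # signature.  The Lenstra/de Weger construction works precisely by making two
    # such keys collide under MD5, which a collision-resistant hash prevents.
    forged = dict(LEAF_CERT)
    forged["subjectPublicKeyInfo"] = dict(SUBJECT_SPKI, n=SUBJECT_SPKI["n"] + 2)
    return validate(forged, CA_CERT, NOW)


def expired_rejected():
    return validate(LEAF_CERT, CA_CERT, datetime(2026, 1, 1))


if __name__ == "__main__":
    print("chain valid:", chain_ok())
    print("tampered key accepted:", tampered_key_rejected())
    print("expired accepted:", expired_rejected())
```

The issuer/subject name match is what selects the second certificate in the slide's description; the signature check is what actually binds the subject name to the subject key, which is why swapping the key alone fails.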

Public-Key Certificates (figure)

Public-Key Distribution of Secret Keys

Use the previous methods to obtain a public key. It can be used for secrecy or authentication, but public-key algorithms are slow, so usually we want to use private-key encryption to protect message contents. Hence need a session key. There are several alternatives for negotiating a suitable session key.

Simple Secret Key Distribution

Proposed by Merkle in 1979:

A generates a new temporary public key pair.
A sends B the public key and their identity.
B generates a session key K and sends it to A encrypted using the supplied public key.
A decrypts the session key and both use it.

Problem is that an opponent can intercept and impersonate both halves of the protocol.

Secret Key Distribution

Simple secret key distribution:

A generates KUA and KRA, sends KUA to B.
B generates a secret key ks.
B sends ks to A using A's public key KUA.
A decrypts the message to get the secret key ks.

To get more security, the public/private keys can be regenerated when needed. But it is vulnerable to an active attack!

Attacker E can compromise the communication between A and B as follows.

Cont.

Attacking:

A generates KUA and KRA, sends IDA, KUA to B.
E intercepts the message and transmits IDA, KUE to B.
B generates a secret key ks.
B sends ks to A using A's "public key" KUE.
E intercepts the message, decrypts it and gets ks.
E sends A the message ks, encrypted by KUA.
A decrypts the message to get the secret key ks.

Now E knows ks, but A and B are unaware of it.

Secret Key Distribution

So we need confidentiality and authentication. A and B need to use a secure method to exchange their public keys.

Scheme:

A initiates a message to B: E_KUB(Na, IDa)
B replies with E_KUA(Na, Nb)
A then replies with E_KUB(Nb)
A sends B the message E_KUB(E_KRA(Ks))

Security: the first 3 steps are used to assure that A is A and B is B.

Public-Key Distribution of Secret Keys

If public keys have been securely exchanged: (figure)

Key Predistribution

A Trusted Authority (TA) generates keys for all pairs of users and transmits them to the users.

Large overhead (for the TA and for users). Blom scheme:

Keys are chosen from a finite field Zp, where p is a public prime number.
The TA transmits k+1 elements of Zp to each user over a secure channel.
Security condition: any set of at most k users (other than U, V) cannot determine any information about K_{U,V}.

Blom

Blom's scheme is currently used by the HDCP copy protection scheme to generate shared keys for high-definition content sources and receivers, such as HD DVD players and high-definition televisions.

Blom Scheme

Scheme (when k = 1): each user u has a distinct element r_u from Zp.

The TA chooses a, b, c and defines f(x, y) = a + b(x + y) + c x y mod p.

For each u, the TA computes g_u(x) = f(x, r_u) mod p.

The TA transmits g_u(x) to user u. Two users u and v compute the common key

f(r_u, r_v) = a + b(r_u + r_v) + c r_u r_v mod p.

Here f(r_u, r_v) = g_v(r_u) = g_u(r_v).

Security of Blom Scheme

Fewer than k users cannot determine keys. However, more than k users can compute any key: solving equations to get a, b, c for k = 1.

Generally: the function is f(x, y) = Σ a_{i,j} x^i y^j mod p, where a_{i,j} = a_{j,i}.

More Practice

Trent chooses a random and secret matrix D (k × k) over the finite field GF(p), where p is a prime number. D is required when a new user is to be added to the key sharing group. For example, let p = 17, and D = [matrix not reproduced in the source].

Trent then computes their private keys: g_Alice = D * I_Alice, g_Bob = D * I_Bob.

Cont.

Let I_Alice = [vector not reproduced in the source], and I_Bob = [vector not reproduced in the source].

Trent will create Alice's and Bob's secret keys as follows:

g_Alice = [not reproduced in the source]

Cont.

She computes the shared key k(Alice / Bob) = g_Alice * I_Bob:

k_Alice/Bob = [not reproduced in the source]
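The Blom scheme from the slides above, worked in the matrix form of this last example, as an added example that is not part of the lecture note. Since the matrix and identity vectors of the slide did not survive, D = [[3, 5], [5, 11]], p = 17 and the users' r values are constructed here; with I_u = (1, r_u) the matrix form is exactly the k = 1 polynomial f(x, y) = a + b(x + y) + c x y, and the block also checks the security bound from the "Security of Blom Scheme" slide by having two colluding users (one more than k) solve for D:

```python
# Blom key predistribution over GF(p).  The (k = 1) polynomial on the slides,
# f(x, y) = a + b(x + y) + c x y, is the matrix form with D = [[a, b], [b, c]] and
# identity vectors I_u = (1, r_u): g_u = D * I_u and K_{u,v} = g_u . I_v.
# All values below (p, D, the r_u) are constructed for this example.
P = 17
D = [[3, 5], [5, 11]]     # symmetric secret matrix held by the TA: (a, b, c) = (3, 5, 11)
IDENTITY = {"Alice": [1, 2], "Bob": [1, 7], "Carol": [1, 10], "Dave": [1, 4]}


def mat_vec(M, v, p):
    return [sum(M[i][j] * v[j] for j in range(len(v))) % p for i in range(len(M))]


def dot(x, y, p):
    return sum(a * b for a, b in zip(x, y)) % p


def private_key(D, identity, p):
    """What the TA sends each user: g_u = D * I_u (k + 1 elements of Z_p)."""
    return mat_vec(D, identity, p)


def shared_key(g_u, identity_v, p):
    """Computed by u alone from its own g_u and v's public identity."""
    return dot(g_u, identity_v, p)


def f_poly(a, b, c, x, y, p):
    """The slides' k = 1 polynomial, for cross-checking the matrix form."""
    return (a + b * (x + y) + c * x * y) % p


def mat_inv_mod(M, p):
    """Gauss-Jordan inverse over Z_p (p prime)."""
    n = len(M)
    A = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        pivot = next(r for r in range(col, n) if A[r][col] % p)
        A[col], A[pivot] = A[pivot], A[col]
        inv = pow(A[col][col], -1, p)
        A[col] = [x * inv % p for x in A[col]]
        for r in range(n):
            if r != col and A[r][col] % p:
                A[r] = [(x - A[r][col] * y) % p for x, y in zip(A[r], A[col])]
    return [row[n:] for row in A]


def mat_mul(A, B, p):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) % p
             for j in range(len(B[0]))] for i in range(len(A))]


def recover_matrix(colluders, p):
    """Security bound from the slides: k + 1 colluding users (here 2, since D is
    2 x 2) can solve for D.  With identities as columns of M and private keys as
    columns of G, G = D * M, so D = G * M^-1 whenever the identities are independent."""
    n = len(colluders)
    M = [[ident[i] for ident, _ in colluders] for i in range(n)]
    G = [[g[i] for _, g in colluders] for i in range(n)]
    return mat_mul(G, mat_inv_mod(M, p), p)


KEYS = {name: private_key(D, ident, P) for name, ident in IDENTITY.items()}


def key_between(u, v):
    return shared_key(KEYS[u], IDENTITY[v], P)


def collusion_key(colluder_names, u, v):
    """Key between u and v as computed by colluders who hold none of u's or v's secrets."""
    recovered = recover_matrix([(IDENTITY[n], KEYS[n]) for n in colluder_names], P)
    return shared_key(mat_vec(recovered, IDENTITY[u], P), IDENTITY[v], P)


if __name__ == "__main__":
    print("Alice/Bob key:", key_between("Alice", "Bob"), key_between("Bob", "Alice"))
    print("same via f(r_u, r_v):", f_poly(3, 5, 11, 2, 7, P))
    print("Bob+Carol recover D:", recover_matrix([(IDENTITY["Bob"], KEYS["Bob"]),
                                                   (IDENTITY["Carol"], KEYS["Carol"])], P))
    print("Alice/Dave key by colluders:", collusion_key(["Bob", "Carol"], "Alice", "Dave"),
          "actual:", key_between("Alice", "Dave"))
```

The recovery step is why k must be chosen above the number of users one is willing to assume might pool their private keys: a single other user gets two equations in three unknowns and learns nothing about K_{Alice,Bob}, but two of them get four and recover D outright.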

Diffie-Hellman Key Predistribution

Computationally secure if the discrete logarithm is intractable.

Scheme: assume a prime number p and an integer c are public. Each user u has a secret component a_u.

User u computes b_u = c^{a_u} mod p. The TA certifies it by computing (ID(u), b_u, sigTA(ID(u), b_u)).

The common key of two users u and v is K = c^{a_u a_v} mod p.

Diffie-Hellman

Around September 1974, Diffie (a graduate student) had been traveling the USA with his wife, Mary, discussing cryptography with anyone who was available.

At the time there was very little published material about modern methods and much was classified. Very few people were interested in the topic, and Marty Hellman (at Stanford at that time) even says that many of his colleagues felt that it was "born classified," like secrets about the atomic bomb, because it was so important to national security. John Gill gave the idea of exponential

Diffie-Hellman Key Exchange

Computationally secure if the discrete logarithm is intractable.

Scheme: assume a prime number p and an integer c are public. Each user u chooses a secret component a_u (new!).
User u computes b_u = c^{a_u} mod p.
User v computes b_v = c^{a_v} mod p.
The common key of two users u and v is K = c^{a_u a_v} mod p.

Diffie-Hellman Problem

Diffie-Hellman problem definition: given b_u = g^{a_u} mod p and b_v = g^{a_v} mod p, how to compute g^{a_u a_v} mod p? Here g is a primitive element mod p.

The problem is not harder than the discrete logarithm problem, because the latter can always be used to solve it. It can be proved that it has the same difficulty as the ElGamal encryption system.

Middle Attack

Intruder w intercepts the communications: w communicates with u, and w communicates with v.

u sends c^{a_u}; w intercepts it and forwards c^{a_u'} to v.
v sends c^{a_v}; w intercepts it and forwards c^{a_v'} to u.

The key computed by u is K = c^{a_u a_v'} mod p, which is shared with w rather than with v; likewise v computes c^{a_u' a_v} mod p, also shared with w.

Authenticated Key Agreement

Introducing an identification scheme before the key exchange does not help: the attacker simply remains inactive until identification is done.

Simplified station-to-station protocol: the key agreement protocol itself authenticates the users' identities at the same time the key is being defined.

Station-to-Station Protocol

Scheme: each user has a certificate C(v) = (Id_v, ver_v, sigTA(Id_v, ver_v)).

User u selects a_u, computes b_u = c^{a_u} mod p, and sends b_u to v.
User v selects a_v and computes the value b_v = c^{a_v} mod p, the key K = c^{a_u a_v} mod p, and the signature y_v = sig_v(b_u, b_v).
User v sends (C(v), b_v, y_v) to u.
User u computes K = c^{a_u a_v} mod p, and verifies y_v and C(v).
User u computes y_u = sig_u(b_u, b_v), and sends (C(u), y_u) to v.
User v verifies y_u and C(u).
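The middle attack on plain Diffie-Hellman and the station-to-station run that catches it, side by side, as an added example that is not part of the lecture note (the same substitution pattern is the active attack on the Merkle scheme earlier in the notes). The group p = 1019, c = 4 is a toy size constructed for the example; sig_u and sig_v are realised as Schnorr signatures in the same group, which is an assumption since the slide does not fix a signature scheme; and the certificates C(u), C(v) are taken as already verified, so each side is simply handed the other's verification key ver:

```python
import hashlib
import secrets

# Toy group constructed for this example: p = 1019 is a safe prime (p = 2q + 1 with
# q = 509) and c = 4 generates the subgroup of order q.  At this size discrete logs
# are trivial; the point is the message flow, not the key strength.
P, Q, C = 1019, 509, 4


def rand_exp():
    return secrets.randbelow(Q - 1) + 1


def h(*parts):
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big")


# Schnorr signatures in the same group stand in for sig_u / sig_v on the slide.
def sig_keygen():
    x = rand_exp()
    return x, pow(C, x, P)            # (signing key, verification key ver_u)


def sign(x, *msg):
    k = rand_exp()
    r = pow(C, k, P)
    e = h(r, *msg)
    return e, (k - x * e) % Q


def verify(ver, signature, *msg):
    e, s = signature
    r = pow(C, s, P) * pow(ver, e, P) % P     # equals c^k when the signature is genuine
    return h(r, *msg) == e


def plain_dh_with_intruder():
    """Middle attack on unauthenticated Diffie-Hellman: w swaps in c^{a_u'} and
    c^{a_v'}.  Returns True when w ends up holding both u's key and v's key."""
    a_u, a_v = rand_exp(), rand_exp()
    b_u, b_v = pow(C, a_u, P), pow(C, a_v, P)          # u -> w, v -> w
    a_u2, a_v2 = rand_exp(), rand_exp()                # w's own exponents a_u', a_v'
    b_u2, b_v2 = pow(C, a_u2, P), pow(C, a_v2, P)      # w -> v, w -> u
    k_u = pow(b_v2, a_u, P)                            # u: K = c^{a_u a_v'}
    k_v = pow(b_u2, a_v, P)                            # v: K = c^{a_u' a_v}
    w_has_u = pow(b_u, a_v2, P) == k_u
    w_has_v = pow(b_v, a_u2, P) == k_v
    return w_has_u and w_has_v


def sts_exchange(intruder=False):
    """Simplified station-to-station run from the slide.  v signs the pair
    (b_u, b_v) it actually saw; u verifies that signature against its own b_u, so a
    substituted b_u is caught.  Returns (both sides accepted, u and v agree on K)."""
    x_u, ver_u = sig_keygen()
    x_v, ver_v = sig_keygen()
    a_u, a_v = rand_exp(), rand_exp()
    b_u, b_v = pow(C, a_u, P), pow(C, a_v, P)
    # w replaces b_u by c^{a_u'} with a_u' != a_u (chosen deterministically distinct).
    a_u2 = a_u % (Q - 1) + 1
    b_u_at_v = pow(C, a_u2, P) if intruder else b_u
    # v: K = c^{a_u a_v}, y_v = sig_v(b_u, b_v), sends (C(v), b_v, y_v)
    k_v = pow(b_u_at_v, a_v, P)
    y_v = sign(x_v, b_u_at_v, b_v)
    # u: K = c^{a_u a_v}; verify y_v over the b_u it sent and the b_v it received
    k_u = pow(b_v, a_u, P)
    u_accepts = verify(ver_v, y_v, b_u, b_v)
    # u: y_u = sig_u(b_u, b_v), sends (C(u), y_u); v verifies it (only if u went on)
    y_u = sign(x_u, b_u, b_v)
    v_accepts = u_accepts and verify(ver_u, y_u, b_u_at_v, b_v)
    return u_accepts and v_accepts, k_u == k_v


if __name__ == "__main__":
    print("unauthenticated DH, intruder knows both keys:", plain_dh_with_intruder())
    print("STS without intruder (accepted, keys agree):", sts_exchange())
    print("STS with intruder    (accepted, keys agree):", sts_exchange(intruder=True))
```

Signing the pair (b_u, b_v) rather than b_v alone is the detail that matters: v's signature then commits to what v received, so any value w swapped in on the way to v no longer matches what u sent.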

MTI Agreement Protocol

Scheme: assume a prime number p and an integer c are public. Each user has a certificate c(u) = (Id_u, b_u, sigTA(Id_u, b_u)), where b_u = c^{a_u} mod p.

Each user u chooses a secret component r_u (new!).
User u computes s_u = c^{r_u} mod p and sends (c(u), s_u).
User v computes s_v = c^{r_v} mod p and sends (c(v), s_v).

The common key of two users u and v is

K = c^{r_v a_u + r_u a_v} mod p = s_v^{a_u} b_v^{r_u} mod p = s_u^{a_v} b_u^{r_v} mod p.
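The MTI key computation from the slide, with both sides' view and the direct exponent form checked against each other, as an added example that is not part of the lecture note. The group p = 1019, c = 4 and the exponents are toy values constructed for the example, and the certificate c(u) is assumed already verified so only b_u is passed around:

```python
# MTI key agreement as on the slide, in a toy group (p = 1019, c = 4, constructed
# for this example).  The long-term a_u is bound to the certified b_u; the fresh
# r_u adds a per-session value, and the three forms of K on the slide coincide.
P, C = 1019, 4


def long_term(a):
    """Certified value b_u = c^{a_u} mod p (the certificate itself is assumed verified)."""
    return pow(C, a, P)


def ephemeral(r):
    """Per-run value s_u = c^{r_u} mod p, sent along with c(u)."""
    return pow(C, r, P)


def mti_key(a_self, r_self, b_peer, s_peer):
    """K = s_peer^{a_self} * b_peer^{r_self} = c^{r_peer a_self + r_self a_peer} mod p."""
    return pow(s_peer, a_self, P) * pow(b_peer, r_self, P) % P


def run_mti(a_u, r_u, a_v, r_v):
    """Both sides' computations plus the direct exponent form from the slide."""
    b_u, s_u = long_term(a_u), ephemeral(r_u)       # u sends (c(u), s_u)
    b_v, s_v = long_term(a_v), ephemeral(r_v)       # v sends (c(v), s_v)
    k_u = mti_key(a_u, r_u, b_v, s_v)               # s_v^{a_u} b_v^{r_u}
    k_v = mti_key(a_v, r_v, b_u, s_u)               # s_u^{a_v} b_u^{r_v}
    k_direct = pow(C, r_v * a_u + r_u * a_v, P)
    return k_u, k_v, k_direct


def fresh_keys_differ(a_u, a_v, r_u, r_v, r_u2, r_v2):
    """Same long-term keys, new r values: the session key changes."""
    return run_mti(a_u, r_u, a_v, r_v)[0] != run_mti(a_u, r_u2, a_v, r_v2)[0]


if __name__ == "__main__":
    print(run_mti(3, 5, 7, 11))      # constructed exponents; all three values agree
```

Each side needs its own long-term a together with the peer's certified b to reach K, which is what gives the protocol its implicit authentication: a party that only replaced s_u on the wire would still lack a_u or a_v for the resulting key.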