Analisi e Previsione del Traffico delle reti
Download
Report
Transcript Analisi e Previsione del Traffico delle reti
Politiche delle Reti e Sicurezza
Approfondimenti sulla Crittografia simmetrica
Maria Laura Maggiulli
[email protected]
Dipartimento di Informatica
Facoltà di Scienze e Tecnologie
Università di Camerino (AN)
AA. 2007-2008
Politiche delle Reti e Sicurezza 2008 UNICAM .
M.L.Maggiulli ©2004-2008
1
Chapter 6 – Contemporary
Symmetric Ciphers
"I am fairly familiar with all the forms of secret writings,
and am myself the author of a trifling monograph upon
the subject, in which I analyze one hundred and sixty
separate ciphers," said Holmes.
—The Adventure of the Dancing Men, Sir Arthur
Conan Doyle
Multiple Encryption & DES
clear a replacement for DES was needed
• theoretical attacks that can break it
• demonstrated exhaustive key search attacks
AES is a new cipher alternative
prior to this alternative was to use multiple
encryption with DES implementations
Triple-DES is the chosen form
Double-DES?
could use 2 DES encrypts on each block
•C
= EK2(EK1(P))
issue of reduction to single stage
and have “meet-in-the-middle” attack
• works whenever use a cipher twice
• since X = EK1(P) = DK2(C)
• attack by encrypting P with all keys and store
• then decrypt C with keys and match X value
• can show takes O(256) steps
Triple-DES with Two-Keys
hence must use 3 encryptions
• would seem to need 3 distinct keys
but can use 2 keys with E-D-E sequence
• C = EK1(DK2(EK1(P)))
• nb encrypt & decrypt equivalent in security
• if K1=K2 then can work with single DES
standardized in ANSI X9.17 & ISO8732
no current known practical attacks
Triple-DES with Three-Keys
although are no practical attacks on two-key
Triple-DES have some indications
can use Triple-DES with Three-Keys to avoid
even these
•C
= EK3(DK2(EK1(P)))
has been adopted by some Internet
applications, eg PGP, S/MIME
Modes of Operation
block ciphers encrypt fixed size blocks
• eg. DES encrypts 64-bit blocks with 56-bit key
need some way to en/decrypt arbitrary amounts
of data in practise
ANSI X3.106-1983 Modes of Use (now FIPS 81)
defines 4 possible modes
subsequently 5 defined for AES & DES
have block and stream modes
Electronic Codebook Book (ECB)
message is broken into independent blocks which
are encrypted
each block is a value which is substituted, like a
codebook, hence name
each block is encoded independently of the other
blocks
Ci = DESK1(Pi)
uses: secure transmission of single values
Electronic Codebook Book (ECB)
Advantages and Limitations of ECB
message repetitions may show in ciphertext
• if aligned with message block
• particularly with data such graphics
• or with messages that change very little, which
become a code-book analysis problem
weakness is due to the encrypted message blocks
being independent
main use is sending a few blocks of data
Cipher Block Chaining (CBC)
message is broken into blocks
linked together in encryption operation
each previous cipher blocks is chained with
current plaintext block, hence name
use Initial Vector (IV) to start process
Ci = DESK1(Pi XOR Ci-1)
C-1 = IV
uses: bulk data encryption, authentication
Cipher Block Chaining (CBC)
Message Padding
at end of message must handle a possible last short
block
• which is not as large as blocksize of cipher
• pad either with known non-data value (eg nulls)
• or pad last block along with count of pad size
• eg. [ b1 b2 b3 0 0 0 0 5]
• means have 3 data bytes, then 5 bytes pad+count
• this may require an extra entire block over those
in message
there are other, more esoteric modes, which avoid
the need for an extra block
Advantages and Limitations of
CBC
a ciphertext block depends on all blocks before it
any change to a block affects all following
ciphertext blocks
need Initialization Vector (IV)
• which must be known to sender & receiver
• if sent in clear, attacker can change bits of first block, and
•
•
change IV to compensate
hence IV must either be a fixed value (as in EFTPOS)
or must be sent encrypted in ECB mode before rest of
message
Cipher FeedBack (CFB)
message is treated as a stream of bits
added to the output of the block cipher
result is feed back for next stage (hence name)
standard allows any number of bit (1,8, 64 or
128 etc) to be feed back
• denoted CFB-1, CFB-8, CFB-64, CFB-128 etc
most efficient to use all bits in block (64 or 128)
Ci = Pi XOR DESK1(Ci-1)
C-1 = IV
uses: stream data encryption, authentication
Cipher FeedBack (CFB)
Advantages and Limitations of CFB
appropriate when data arrives in bits/bytes
most common stream mode
limitation is need to stall while do block
encryption after every n-bits
note that the block cipher is used in
encryption mode at both ends
errors propogate for several blocks after the
error
Output FeedBack (OFB)
message is treated as a stream of bits
output of cipher is added to message
output is then feed back (hence name)
feedback is independent of message
can be computed in advance
Ci = Pi XOR Oi
Oi = DESK1(Oi-1)
O-1 = IV
uses: stream encryption on noisy channels
Output FeedBack (OFB)
Advantages and Limitations of OFB
bit errors do not propagate
more vulnerable to message stream modification
a variation of a Vernam cipher
• hence must never reuse the same sequence
(key+IV)
sender & receiver must remain in sync
originally specified with m-bit feedback
subsequent research has shown that only full block
feedback (ie CFB-64 or CFB-128) should ever be
used
Counter (CTR)
a “new” mode, though proposed early on
similar to OFB but encrypts counter value
rather than any feedback value
must have a different key & counter value for
every plaintext block (never reused)
Ci = Pi XOR Oi
Oi = DESK1(i)
uses: high-speed network encryptions
Counter (CTR)
Advantages and Limitations of CTR
efficiency
• can do parallel encryptions in h/w or s/w
• can preprocess in advance of need
• good for bursty high speed links
random access to encrypted data blocks
provable security (good as other modes)
but must ensure never reuse key/counter
values, otherwise could break (cf OFB)
Stream Ciphers
process message bit by bit (as a stream)
have a pseudo random keystream
combined (XOR) with plaintext bit by bit
randomness of stream key completely destroys
statistically properties in message
• Ci
= Mi XOR StreamKeyi
but must never reuse stream key
• otherwise can recover messages (cf book cipher)
Stream Cipher Structure
Stream Cipher Properties
some design considerations are:
• long period with no repetitions
• statistically random
• depends on large enough key
• large linear complexity
properly designed, can be as secure as a block
cipher with same size key
but usually simpler & faster
RC4
a proprietary cipher owned by RSA DSI
another Ron Rivest design, simple but effective
variable key size, byte-oriented stream cipher
widely used (web SSL/TLS, wireless WEP)
key forms random permutation of all 8-bit values
uses that permutation to scramble input info
processed a byte at a time
RC4 Key Schedule
starts with an array S of numbers: 0..255
use key to well and truly shuffle
S forms internal state of the cipher
for i = 0 to 255 do
S[i] = i
T[i] = K[i mod keylen])
j = 0
for i = 0 to 255 do
j = (j + S[i] + T[i]) (mod 256)
swap (S[i], S[j])
RC4 Encryption
encryption continues shuffling array values
sum of shuffled pair selects "stream key" value
from permutation
XOR S[t] with next byte of message to
en/decrypt
i = j = 0
for each message byte Mi
i = (i + 1) (mod 256)
j = (j + S[i]) (mod 256)
swap(S[i], S[j])
t = (S[i] + S[j]) (mod 256)
Ci = Mi XOR S[t]
RC4 Overview
Chapter 7 – Confidentiality Using
Symmetric Encryption
John wrote the letters of the alphabet under the letters in its first
lines and tried it against the message. Immediately he knew that
once more he had broken the code. It was extraordinary the
feeling of triumph he had. He felt on top of the world. For not
only had he done it, had he broken the July code, but he now had
the key to every future coded message, since instructions as to
the source of the next one must of necessity appear in the
current one at the end of each month.
—Talking to Strange Men, Ruth Rendell
Confidentiality using Symmetric
Encryption
traditionally symmetric encryption is used to
provide message confidentiality
Placement of Encryption
have two major placement alternatives
link encryption
• encryption occurs independently on every
link
• implies must decrypt traffic between links
• requires many devices, but paired keys
end-to-end encryption
• encryption occurs between original source
and final destination
• need devices at each end with shared keys
Placement of Encryption
Placement of Encryption
when using end-to-end encryption must leave
headers in clear
• so network can correctly route information
hence although contents protected, traffic
pattern flows are not
ideally want both at once
• end-to-end protects data contents over
entire path and provides authentication
• link protects traffic flows from monitoring
Placement of Encryption
can place encryption function at various layers
in OSI Reference Model
• link encryption occurs at layers 1 or 2
• end-to-end can occur at layers 3, 4, 6, 7
• as move higher less information is
encrypted but it is more secure though
more complex with more entities and keys
Encryption vs Protocol Level
Traffic Analysis
is monitoring of communications flows
between parties
• useful both in military & commercial
spheres
• can also be used to create a covert channel
link encryption obscures header details
• but overall traffic volumes in networks and
at end-points is still visible
traffic padding can further obscure flows
• but at cost of continuous traffic
Key Distribution
symmetric schemes require both parties to
share a common secret key
issue is how to securely distribute this key
often secure system failure due to a break in
the key distribution scheme
Key Distribution
given parties A and B have various key
distribution alternatives:
1. A can select key and physically deliver to B
2. third party can select & deliver key to A & B
3. if A & B have communicated previously can use
previous key to encrypt a new key
4. if A & B have secure communications with a
third party C, C can relay key between A & B
Key Hierarchy
typically have a hierarchy of keys
session key
• temporary key
• used for encryption of data between users
• for one logical session then discarded
master key
• used to encrypt session keys
• shared by user & key distribution center
Key Distribution Scenario
Key Distribution Issues
hierarchies of KDC’s required for large
networks, but must trust each other
session key lifetimes should be limited for
greater security
use of automatic key distribution on behalf of
users, but must trust system
use of decentralized key distribution
controlling key usage
Random Numbers
many uses of random numbers in cryptography
• nonces in authentication protocols to prevent replay
• session keys
• public key generation
• keystream for a one-time pad
in all cases its critical that these values be
• statistically random, uniform distribution, independent
• unpredictability of future values from previous values
Pseudorandom Number
Generators (PRNGs)
often use deterministic algorithmic techniques
to create “random numbers”
• although are not truly random
• can pass many tests of “randomness”
known as “pseudorandom numbers”
created by “Pseudorandom Number
Generators (PRNGs)”
Linear Congruential
Generator
common iterative technique using:
Xn+1 = (aXn + c) mod m
given suitable values of parameters can produce a
long random-like sequence
suitable criteria to have are:
• function generates a full-period
• generated sequence should appear random
• efficient implementation with 32-bit arithmetic
note that an attacker can reconstruct sequence
given a small number of values
have possibilities for making this harder
Using Block Ciphers as PRNGs
for cryptographic applications, can use a block
cipher to generate random numbers
often for creating session keys from master
key
Counter Mode
Xi = EKm[i]
Output Feedback Mode
Xi = EKm[Xi-1]
ANSI X9.17 PRG
Blum Blum Shub Generator
based on public key algorithms
use least significant bit from iterative equation:
• xi = xi-12 mod n
• where n=p.q, and primes p,q=3
mod 4
unpredictable, passes next-bit test
security rests on difficulty of factoring N
is unpredictable given any run of bits
slow, since very large numbers must be used
too slow for cipher use, good for key generation
Natural Random Noise
best source is natural randomness in real world
find a regular but random event and monitor
do generally need special h/w to do this
• eg. radiation counters, radio noise, audio noise, thermal
noise in diodes, leaky capacitors, mercury discharge
tubes etc
starting to see such h/w in new CPU's
problems of bias or uneven distribution in signal
• have to compensate for this when sample and use
• best to only use a few noisiest bits from each sample
Published Sources
a few published collections of random numbers
Rand Co, in 1955, published 1 million numbers
• generated using an electronic roulette wheel
• has been used in some cipher designs cf Khafre
earlier Tippett in 1927 published a collection
issues are that:
• these are limited
• too well-known for most uses
Summary
have considered:
• use and placement of symmetric encryption
to protect confidentiality
• need for good key distribution
• use of trusted third party KDC’s
• random number generation issues