Transcript L32 R 16-30.pptx
Data Security and Encryption (CSE348)
Revision Lectures 16-30
RSA
• RSA is the best known, and by far the most widely used, general public-key encryption algorithm
• First published by Rivest, Shamir & Adleman of MIT in 1978 [RIVE78]
• The Rivest-Shamir-Adleman (RSA) scheme has since that time ruled supreme as the most widely accepted and implemented general-purpose approach to public-key encryption
RSA
• It is based on exponentiation over the integers modulo n, where n = pq is the product of two large primes (a composite modulus, so the arithmetic is in the ring Z_n rather than in a finite field over a prime)
• Uses large integers (eg. 1024 bits in these notes; 2048 bits is the current minimum for new keys)
• Its security is due to the cost of factoring large numbers
RSA
• By Rivest, Shamir & Adleman of MIT in 1977
• Best known & widely used public-key scheme
• Based on exponentiation over the integers modulo n = pq (a composite of two large primes, not a prime)
  – nb. exponentiation takes O((log n)^3) operations (easy)
• Uses large integers (eg. 1024 bits; 2048 bits is the current minimum)
• Security due to the cost of factoring large numbers
  – nb. the best classical factoring methods take roughly O(e^((log n · log log n)^(1/2))) operations: sub-exponential, but far costlier than exponentiation (hard)
RSA En/decryption
• The scheme developed by Rivest, Shamir, and Adleman makes use of an expression with exponentials
• Plaintext is encrypted in blocks, with each block having a binary value less than some number n
• The actual RSA encryption and decryption computations are each simply a single exponentiation mod n
RSA En/decryption
• Both sender and receiver must know the value of n
• The sender knows the value of e, and only the receiver knows the value of d
• Thus, this is a public-key encryption algorithm with a public key of PU = {e, n} and a private key of PR = {d, n}
• The message must be smaller than the modulus
• The "magic" is in the choice of the modulus and exponents which makes the system work
RSA En/decryption
• To encrypt a message M the sender:
  – obtains the public key of the recipient, PU = {e, n}
  – computes: C = M^e mod n, where 0 ≤ M < n

Diffie-Hellman Key Exchange
• Public-key cryptosystems (PKCSs): begins with a description of one of the earliest and simplest PKCSs, Diffie-Hellman key exchange
• This first published public-key algorithm appeared in the seminal paper by Diffie and Hellman

Diffie-Hellman Key Exchange
• That paper defined public-key cryptography [DIFF76b], and the scheme is generally referred to as Diffie-Hellman key exchange
• The concept had been previously described in a classified report in 1970 by Williamson (UK CESG), and was subsequently declassified in 1987, see [ELLI99]

Diffie-Hellman Key Exchange
• The purpose of the algorithm is to enable two users to securely exchange a key that can then be used for subsequent encryption of messages
• The algorithm itself is limited to the exchange of secret values
• A number of commercial products employ this key exchange technique

Diffie-Hellman Key Exchange
• First public-key type scheme proposed, by Diffie & Hellman in 1976 along with the exposition of public-key concepts
• It is now known that Williamson (UK CESG) secretly proposed the concept in 1970
• Practical method for public exchange of a secret key
• Used in a number of commercial products

Diffie-Hellman Key Exchange
• The purpose of the algorithm is to enable two users to securely exchange a key that can then be used for subsequent encryption of messages
• The algorithm itself is limited to the exchange of secret values, which depend on the public/private keys of the participants

Diffie-Hellman Key Exchange
• The Diffie-Hellman algorithm uses exponentiation in a finite (Galois) field (modulo a prime or a polynomial)
• It depends for its effectiveness on the difficulty of computing discrete logarithms

Diffie-Hellman Key Exchange
• A public-key distribution scheme cannot be used to exchange an arbitrary message; rather it can establish a common key known only to the two participants
• The value of the key depends on the participants and their private and public key information

Diffie-Hellman Key Exchange
• Based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) – easy
• Security relies on the difficulty of computing discrete logarithms (similar to factoring) – hard

Man-in-the-Middle Attack
• Darth prepares by creating two private/public key pairs
• Alice transmits her public key to Bob
• Darth intercepts this and transmits his first public key to Bob
• Darth also calculates a shared key with Alice
• Bob receives the public key and calculates the shared key (with Darth instead of Alice)

Man-in-the-Middle Attack
• Bob transmits his public key to Alice
• Darth intercepts this and transmits his second public key to Alice
• Darth calculates a shared key with Bob
• Alice receives the key and calculates the shared key (with Darth instead of Bob)
• Darth can then intercept, decrypt, re-encrypt and forward all messages between Alice & Bob
• The attack works because the exchanged public values are not authenticated; it is defeated only when each party can verify who a public value came from (eg. with the digital signatures or X.509 certificates covered later), not by choosing a larger group

ElGamal Cryptography
• In 1984, T. Elgamal announced a public-key scheme based on discrete logarithms, closely related to the Diffie-Hellman technique [ELGA84, ELGA85]
• The ElGamal cryptosystem is used in some form in a number of standards, including the digital signature standard (DSS) and the S/MIME email standard

ElGamal Cryptography
• As with Diffie-Hellman, the global elements of ElGamal are a prime number q and α, which is a primitive root of q

ElGamal Cryptography
• User A generates a private/public key pair as shown
• The security of ElGamal is based on the difficulty of computing discrete logarithms: to recover either x given y, or k given K

ElGamal Cryptography
• Public-key cryptosystem related to D-H
• Uses exponentiation in a finite field
• With security based on the difficulty of computing discrete logarithms, as in D-H
• Each user (eg. A) generates their key:
  – chooses a secret key (number): 1 < x_A < q-1
  – computes their public key: y_A = α^x_A mod q

ElGamal Message Exchange
• Any user B that has access to A's public key can encrypt a message as shown
• These steps correspond to Figure 9.1a in that Alice generates a public/private key pair; Bob encrypts using Alice's public key; and Alice decrypts using her private key
• See text for details of why these steps result in M being recovered

ElGamal Message Exchange
(figure only)

ElGamal Message Exchange
• K functions as a one-time key, used to encrypt and decrypt the message
• If a message must be broken up into blocks and sent as a sequence of encrypted blocks, a unique value of k should be used for each block
• If k is used for more than one block, knowledge of one block M of the message enables an attacker to compute the other blocks

ElGamal Message Exchange
• The basic idea with ElGamal encryption is to choose a random key, protect it, then use it to scramble the message by multiplying the message with it
• Two pieces of information have to be sent: the first to recover this temporary key, the second the actual scrambled message

ElGamal Message Exchange
• Note that ElGamal encryption involves two modular exponentiations (α^k mod q and y_A^k mod q) and a multiplication (vs one exponentiation for RSA); decryption needs one exponentiation (C1^x mod q) plus a modular inverse and a multiplication

Hash Function
• have considered:
  – hash functions
    • uses, requirements, security
  – hash functions based on block ciphers
  – SHA-1, SHA-2, SHA-3

Hash Functions
• Condenses an arbitrary message to a fixed size h = H(M)
• Usually assume the hash function is public
• Hash used to detect changes to the message
• Want a cryptographic hash function:
  – computationally infeasible to find data mapping to a specific hash (one-way property)
  – computationally infeasible to find two data to the same hash (collision-free property)

Cryptographic Hash Function
(figure only)

Secure Hash Algorithm
• SHA originally designed by NIST & NSA in 1993
• was revised in 1995 as SHA-1
• US standard for use with DSA signature scheme
  – standard is FIPS 180-1 1995, also Internet RFC3174
  – nb. the algorithm is SHA, the standard is SHS
• Based on design of MD4 with key differences
• Produces 160-bit hash values
• Recent 2005 results on security of SHA-1 have raised concerns on its use in future applications

SHA Versions
                        SHA-1    SHA-224  SHA-256  SHA-384  SHA-512
Message digest size     160      224      256      384      512
Message size            < 2^64   < 2^64   < 2^64   < 2^128  < 2^128
Block size              512      512      512      1024     1024
Word size               32       32       32       64       64
Number of steps         80       64       64       80       80
(all sizes in bits)

SHA-3
• SHA-1 not yet "broken"
  – but similar to broken MD5 & SHA-0
  – so considered insecure
  – (these notes predate the practical SHA-1 collisions published in 2017; SHA-1 must not be used for signatures or certificates)
• SHA-2 (esp. SHA-512) seems secure
  – shares same structure and mathematical operations as predecessors so have concern
• NIST announced in 2007 a competition for the SHA-3 next gen NIST hash function
  – goal to have in place by 2012 but not fixed

SHA-3 Requirements
• Replace SHA-2 with SHA-3 in any use
  – so use same hash sizes
• Preserve the online nature of SHA-2
  – so must process small blocks (512 / 1024 bits)
• Evaluation criteria
  – security close to theoretical max for hash sizes
  – cost in time & memory
  – characteristics: such as flexibility & simplicity

Message Authentication
• Message authentication is concerned with:
  – protecting the integrity of a message
  – validating identity of originator
  – non-repudiation of origin (dispute resolution)
• Will consider the security requirements
• Then three alternative functions used:
  – hash function
  – message encryption
  – message authentication code (MAC)

Message Security Requirements
• disclosure
• traffic analysis
• masquerade
• content modification
• sequence modification
• timing modification
• source repudiation
• destination repudiation

Message Authentication
• have considered:
  – message authentication requirements
  – message authentication using encryption
  – MACs
  – HMAC authentication using a hash function
  – CMAC authentication using a block cipher
  – Pseudorandom Number Generation (PRNG) using Hash Functions and MACs

Digital Signatures
• Have looked at message authentication
  – but it does not address issues of lack of trust
• Digital signatures provide the ability to:
  – verify author, date & time of signature
  – authenticate message contents
  – be verified by third parties to resolve disputes
• Hence include authentication function with additional capabilities

Digital Signature Model
(figure only)

Digital Signature Model
• Stallings Figure 13.1 is a generic model of the process of making and using digital signatures
• Bob can sign a message using a digital signature generation algorithm
• The inputs to the algorithm are the message and Bob's private key

Digital Signature Model
• Any other user, say Alice, can verify the signature using a verification algorithm whose inputs are the message, the signature, and Bob's public key

Attacks and Forgeries
• Attacks
  – key-only attack
  – known message attack
  – generic chosen message attack
  – directed chosen message attack
  – adaptive chosen message attack
• Break success levels
  – total break
  – selective forgery
  – existential forgery

Digital Signature Requirements
• Must depend on the message signed
• Must use information unique to the sender, to prevent both forgery and denial
• Must be relatively easy to produce
• Must be relatively easy to recognize & verify
• Must be computationally infeasible to forge
  – with a new message for an existing digital signature
  – with a fraudulent digital signature for a given message
• Must be practical to save the digital signature in storage

Digital Signatures
• have discussed:
  – digital signatures
  – ElGamal & Schnorr signature schemes
  – digital signature algorithm and standard

Key Management and Distribution
• Topics of cryptographic key management / key distribution are complex
  – cryptographic, protocol, & management issues
• Symmetric schemes require both parties to share a common secret key
• Public key schemes require parties to acquire valid public keys
• Have concerns with doing both

Key Distribution
• For symmetric encryption to work, the two parties to an exchange must share the same key
• That key must be protected from access by others
• Furthermore, frequent key changes are usually desirable to limit the amount of data compromised if an attacker learns the key

Key Distribution
• This is one of the most critical areas in security systems
• On many occasions systems have been broken not because of a poor encryption algorithm but because of poor key selection or management
• It is absolutely critical to get this right!

Key Distribution
• Symmetric schemes require both parties to share a common secret key
• Issue is how to securely distribute this key whilst protecting it from others
• Frequent key changes can be desirable
• Often secure system failure is due to a break in the key distribution scheme

Key Distribution
• Given parties A and B have various key distribution alternatives:
  1. A can select key and physically deliver to B
  2. third party can select & deliver key to A & B
  3. if A & B have communicated previously can use previous key to encrypt a new key
  4. if A & B have secure communications with a third party C, C can relay key between A & B

Key Distribution
• The strength of any cryptographic system thus depends on the key distribution technique
• For two parties A and B, key distribution can be achieved in a number of ways:
• Physical delivery (1 & 2) is simplest, but only applicable when there is personal contact between recipient and key issuer

Key Distribution
• This is fine for link encryption where devices & keys occur in pairs, but does not scale as the number of parties who wish to communicate grows
• 3 is mostly based on 1 or 2 occurring first, and also suffers in that if an attacker ever succeeds in gaining access to one key

Key Distribution
• then all subsequent keys will be revealed
• A third party, whom all parties trust, can be used as a trusted intermediary to mediate the establishment of secure communications between them (4)
• Must trust the intermediary not to abuse the knowledge of all session keys

Key Distribution
• As the number of parties grows, some variant of 4 is the only practical solution to the huge growth in the number of keys potentially needed

Key Management and Distribution
• have considered:
  – symmetric key distribution using symmetric encryption
  – symmetric key distribution using public-key encryption
  – distribution of public keys
    • announcement, directory, authority, CA
  – X.509 authentication and certificates

User Authentication
• This chapter examines some of the authentication functions that have been developed to support network-based user authentication
• User authentication is the fundamental building block and the primary line of defense
• User authentication is the basis for most types of access control and for user accountability

User Authentication
• RFC 2828 defines user authentication as the process of verifying an identity claimed by or for a system entity
• An authentication process consists of two steps:
  – Identification step
  – Verification step

User Authentication
• Identification step: presenting an identifier to the security system
• Identifiers should be assigned carefully, because authenticated identities are the basis for other security services, such as the access control service

User Authentication
• Verification step: presenting or generating authentication information that corroborates the binding between the entity and the identifier

User Authentication
• In essence, identification is the means by which a user provides a claimed identity to the system
• User authentication is the means of establishing the validity of the claim
• User authentication is distinct from message authentication

User Authentication
• Fundamental security building block
  – basis of access control & user accountability
• Process of verifying an identity claimed by or for a system entity
• Has two steps:
  – identification - specify identifier
  – verification - bind entity (person) and identifier
• Distinct from message authentication

Means of User Authentication
• Four means of authenticating a user's identity, based on something the individual:
  – knows - e.g. password, PIN
  – possesses - e.g. key, token, smartcard
  – is (static biometrics) - e.g. fingerprint, retina
  – does (dynamic biometrics) - e.g. voice, sign
• Can use alone or combined
• All can provide user authentication
• All have issues

Kerberos
• Trusted key server system from MIT
• Provides centralised private-key (symmetric) third-party authentication in a distributed network
  – allows users access to services distributed through the network
  – without needing to trust all workstations
  – rather all trust a central authentication server
• Two versions in use: 4 & 5

Kerberos Requirements
• Its first report identified requirements as:
  – secure
  – reliable
  – transparent
  – scalable
• Implemented using an authentication protocol based on Needham-Schroeder

Kerberos Requirements
• In a more open environment, in which network connections to other machines are supported, an approach that requires the user to prove his or her identity for each service invoked, and also requires that servers prove their identity to clients, is needed to protect user information and resources housed at the server

User Authentication
• have considered:
  – remote user authentication issues
  – authentication using symmetric encryption
  – the Kerberos trusted key server system
  – authentication using asymmetric encryption
  – federated identity management

Wireless Network Security
• have considered:
  – IEEE 802.11 Wireless LANs
    • protocol overview and security
  – Wireless Application Protocol (WAP)
    • protocol overview
  – Wireless Transport Layer Security (WTLS)

IEEE 802.11
• IEEE 802 committee for LAN standards
• IEEE 802.11 formed in 1990's
  – charter to develop a protocol & transmission specifications for wireless LANs (WLANs)
• since then demand for WLANs, at different frequencies and data rates, has exploded
• hence seen ever-expanding list of standards issued

Email Security
• Email is one of the most widely used and regarded network services
• Currently message contents are not secure
  – may be inspected either in transit
  – or by suitably privileged users on the destination system

Email Security Enhancements
• Confidentiality – protection from disclosure
• Authentication – of sender of message
• Message integrity – protection from modification
• Non-repudiation of origin – protection from denial by sender

Pretty Good Privacy (PGP)
• The Pretty Good Privacy (PGP) secure email program is a remarkable phenomenon
• Has grown explosively and is now widely used
• Largely the effort of a single person, Phil Zimmermann, who selected the best available crypto algorithms to use & integrated them into a single program

Pretty Good Privacy (PGP)
• PGP provides a confidentiality and authentication service that can be used for electronic mail and file storage applications
• It runs on a wide range of systems, in both free & commercial versions

Pretty Good Privacy (PGP)
• Widely used de facto secure email
• Developed by Phil Zimmermann
• Selected best available crypto algorithms to use
• Integrated into a single program
• On Unix, PC, Macintosh and other systems
• Originally free, now also have commercial versions available

S/MIME Messages
• S/MIME secures a MIME entity with a signature, encryption, or both
• forming a MIME-wrapped PKCS object
• have a range of content-types:
  – enveloped data
  – signed data
  – clear-signed data
  – registration request
  – certificate only message

Electronic Mail Security
• have considered:
  – secure email
  – PGP
  – S/MIME
  – domain-keys identified email

IP Security
• The Internet community has developed application-specific security mechanisms in a number of application areas
• That includes electronic mail (S/MIME, PGP), client/server (Kerberos), Web access (Secure Sockets Layer), and others

IP Security
• However users have some security concerns that cut across protocol layers
• By implementing security at the IP level, an organization can ensure secure networking not only for applications that have security mechanisms but also for the many security-ignorant applications

IP Security
• Have a range of application-specific security mechanisms
  – eg. S/MIME, PGP, Kerberos, SSL/HTTPS
• However there are security concerns that cut across protocol layers
• Would like security implemented by the network for all applications

IP Security
• IP-level security encompasses three functional areas: authentication, confidentiality, and key management
• The authentication mechanism assures that a received packet was transmitted by the party identified as the source in the packet header, and that the packet has not been altered in transit

IP Security
• The confidentiality facility enables communicating nodes to encrypt messages to prevent eavesdropping by third parties
• The key management facility is concerned with the secure exchange of keys
• IPSec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet

IP Security
• In 1994, the Internet Architecture Board (IAB) issued a report titled "Security in the Internet Architecture" (RFC 1636)
• The report stated the general consensus that the Internet needs more and better security
• They identified key areas for security mechanisms

IP Security
• To provide security, the IAB included authentication and encryption as necessary security features in the next-generation IP, which has been issued as IPv6
• Fortunately, these security capabilities were designed to be usable both with the current IPv4 and the future IPv6

IP Security
• general IP Security mechanisms
• provides
  – authentication
  – confidentiality
  – key management
• applicable to use over LANs, across public & private WANs, & for the Internet
• need identified in 1994 report
  – need authentication, encryption in IPv4 & IPv6

IP Security
• have considered:
  – IPSec security framework
  – IPSec security policy
  – ESP
  – combining security associations
  – internet key exchange
  – cryptographic suites used

Intruders
• A significant security problem for networked systems is hostile, or at least unwanted, trespass: unauthorized login or use of a system, by local or remote users; or by software such as a virus, worm, or Trojan horse
• One of the two most publicized threats to security is the intruder (or hacker or cracker)

Intruders
• Anderson identified three classes of intruder:
• Masquerader: an individual who is not authorized to use the computer (outsider)
• Misfeasor: a legitimate user who accesses unauthorized data, programs, or resources (insider)

Intruders
• Clandestine user: an individual who seizes supervisory control of the system and uses this control to avoid auditing and access controls or to suppress audit collection (either)

Intruders
• Intruder attacks range from the benign (nonthreatening): simply exploring the net to see what is there
• To the serious: those who attempt to read privileged data, perform unauthorized modifications, or disrupt the system

Intruders
• Significant issue for networked systems is hostile or unwanted access
• Either via network or local
• Can identify classes of intruders:
  – masquerader
  – misfeasor
  – clandestine user
• Varying levels of competence

Intruders
• The intruder threat has been well publicized, particularly because of the famous "Wily Hacker" incident of 1986–1987, documented by Cliff Stoll
• Intruder attacks range from the benign to the serious
• At the benign end of the scale, there are many people who simply wish to explore internets and see what is out there

Intruders
• At the serious end are individuals who are attempting to read privileged data, perform unauthorized modifications to data, or disrupt the system
• One of the results of the growing awareness of the intruder problem has been the establishment of a number of computer emergency response teams (CERTs)

Intruders
• These cooperative ventures collect information about system vulnerabilities and disseminate it to systems managers
• The techniques and behavior patterns of intruders are constantly shifting

Intruders
• to exploit newly discovered weaknesses and to evade detection and countermeasures
• Even so, intruders typically follow one of a number of recognizable behavior patterns, and these patterns typically differ from those of ordinary users

Intruders
• Clearly a growing publicized problem
  – from "Wily Hacker" in 1986/87
  – to clearly escalating CERT stats
• Range
  – benign: explore, still costs resources
  – serious: access/modify data, disrupt system
• Led to the development of CERTs
• Intruder techniques & behavior patterns constantly shifting, but have common features

Examples of Intrusion
• Performing a remote root compromise of an e-mail server
• Defacing a Web server
• Guessing and cracking passwords
• Copying a database containing credit card numbers
• Viewing sensitive data, including payroll records and medical information, without authorization

Examples of Intrusion
• Running a packet sniffer on a workstation to capture usernames and passwords
• Using a permission error on an anonymous FTP server to distribute pirated software and music files
• Dialing into an unsecured modem and gaining internal network access

Examples of Intrusion
• Posing as an executive, calling the help desk, resetting the executive's e-mail password, and learning the new password
• Using an unattended, logged-in workstation without permission

Intruders
• have considered:
  – problem of intrusion, behavior and techniques
  – intrusion detection (statistical & rule-based)
  – password management

Viruses and Other Malicious Content
• Computer viruses have got a lot of publicity
• One of a family of malicious software
• Effects usually obvious
• Have figured in news reports, fiction, movies
• Getting more attention than they deserve
• Are a concern though

Malicious Software
(figure only)

Malicious Software
• The terminology used for malicious software presents problems, because of a lack of universal agreement on all terms and because of overlap
• Stallings Table 21.1, and this diagram from 3/e, provide a useful taxonomy

Malicious Software
• It can be divided into two categories: those that need a host program (being a program fragment, eg virus), and those that are independent programs (eg worm)
• Alternatively one can also differentiate between those software threats that do not replicate (are activated by a trigger) and those that do (producing copies of themselves)

Malicious Software
• have considered:
  – various malicious programs
  – trapdoor, logic bomb, trojan horse, zombie
  – viruses
  – worms
  – distributed denial of service attacks

What is a Firewall?
• A firewall is inserted between the premises network and the Internet to establish a controlled link and to erect an outer security wall or perimeter
• Forming a single choke point where security and audit can be imposed

What is a Firewall?
A firewall:
1. defines a single choke point that keeps unauthorized users out of the protected network
  • prohibits potentially vulnerable services from entering or leaving the network
  • and provides protection from various kinds of IP spoofing and routing attacks

What is a Firewall?
2. provides a location for monitoring security-related events
3. is a convenient platform for several Internet functions that are not security related
  • such as NAT and Internet usage audits or logs

What is a Firewall?
4. can serve as the platform for IPSec to implement virtual private networks
• The firewall itself must be immune to penetration, since it will be a target of attack

What is a Firewall?
• A choke point of control and monitoring
• Interconnects networks with differing trust
• Imposes restrictions on network services
  – only authorized traffic is allowed
• Auditing and controlling access
  – can implement alarms for abnormal behavior
• Provide NAT & usage monitoring
• Implement VPNs using IPSec
• Must be immune to penetration

What is a Firewall?
(figure only)

What is a Firewall?
• Stallings Figure 22.1a illustrates the general model of firewall use on the security perimeter, as a choke point for traffic between the external less-trusted Internet and the internal more-trusted private network

Firewall Limitations
• Cannot protect from attacks bypassing it
  – eg sneaker net, utility modems, trusted organisations, trusted services (eg SSL/SSH)
• Cannot protect against internal threats
  – eg dissatisfied or colluding employees
• Cannot protect against access via WLAN
  – if improperly secured against external use
• Cannot protect against malware imported via laptop, PDA, or storage infected outside

Firewalls
• have considered:
  – firewalls
  – types of firewalls
    • packet-filter, stateful inspection, application proxy, circuit-level
  – basing
    • bastion, host, personal
  – location and configurations
    • DMZ, VPN, distributed, topologies

Cybercrime / Computer Crime
• Computer crime, or cybercrime, is a term used broadly to describe criminal activity in which computers or computer networks are a tool, a target, or a place of criminal activity
• These categories are not exclusive and many activities can be characterized as falling in one or more categories

Cybercrime / Computer Crime
• The term cybercrime has a connotation of the use of networks specifically, whereas computer crime may or may not involve networks
• The U.S. Department of Justice categorizes computer crime based on the role that the computer plays in the criminal activity, as follows:

Cybercrime / Computer Crime
• Computers as targets: to acquire information stored on that computer system, to control the target system without authorization or payment (theft of service), or to alter the integrity of data or interfere with the availability of the computer or server

Cybercrime / Computer Crime
• Computers as storage devices: as a passive storage medium, e.g. for stolen password lists, credit card or calling card numbers, proprietary corporate information, pornographic image files, or "warez" (pirated commercial software)

Cybercrime / Computer Crime
• Computers as communications tools: often traditional crimes committed online
• Examples include the illegal sale of prescription drugs, controlled substances, alcohol, and guns; fraud; and gambling

Cybercrime / Computer Crime
• A more specific list of crimes is defined in the international Convention on Cybercrime and shown in Table 18.1 in the text
• Yet another categorization is used in the CERT 2006 annual E-crime Survey, the results of which are shown in Table 23.2

Cybercrime / Computer Crime
• "Criminal activity in which computers or computer networks are a tool, a target, or a place of criminal activity"
• Categorize based on the computer's role:
  – as target
  – as storage device
  – as communications tool
• More comprehensive categorization seen in the Cybercrime Convention and computer crime surveys

Cybercrime and Computer Crime
• reviewed a range of topics:
  – cybercrime and computer crime
  – intellectual property issues

Privacy
• Overlaps with computer security
• Have dramatic increase in scale of info collected and stored
  – motivated by law enforcement, national security, economic incentives
• But individuals increasingly aware of access and use of personal / private info
• Concerns on extent of privacy compromise have seen a range of responses

Privacy and Ethical Aspects
• reviewed a range of topics:
  – privacy
  – ethical issues

Revision Lectures 16-30
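The RSA slides above (key pair PU = {e, n}, PR = {d, n}; encryption and decryption as single exponentiations mod n) and the Digital Signatures slides (sign with the private key, verify with the public key; "existential forgery" as a break level; "must depend on the message signed") are illustrated by the following added example. It is not code from the lecture notes or from Stallings; the 160-bit primes, the SHA-256 hash-then-sign construction and the function names are this example's own choices, and the key size is for speed only.

```python
"""Added example (not from the slides): textbook RSA with toy-sized keys.
PU = {e, n}, PR = {d, n}; encryption and decryption are single modular
exponentiations; signatures use hash-then-sign. The 160-bit primes are
for speed only: real keys need n of at least 2048 bits."""
import hashlib
import secrets
from math import gcd


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (probabilistic, error below 4**-rounds)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd prime with the top bit set, so n = p*q has 2*bits bits."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=160, e=65537):
    """Return (PU, PR) = ((e, n), (d, n)) with d = e^-1 mod phi(n)."""
    while True:
        p, q = random_prime(bits), random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    n = p * q
    d = pow(e, -1, phi)                      # modular inverse (Python >= 3.8)
    return (e, n), (d, n)


def encrypt(pub, m):
    """C = M^e mod n; the plaintext block must satisfy 0 <= M < n."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("block must satisfy 0 <= M < n")
    return pow(m, e, n)


def decrypt(priv, c):
    """M = C^d mod n."""
    d, n = priv
    return pow(c, d, n)


def _hash_to_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(priv, message):
    """Hash-then-sign: s = H(M)^d mod n (n must exceed 256 bits)."""
    d, n = priv
    return pow(_hash_to_int(message), d, n)


def verify(pub, message, s):
    e, n = pub
    return pow(s, e, n) == _hash_to_int(message)


def verify_textbook(pub, m, s):
    """Signature directly on the integer m (no hash): s^e mod n == m."""
    e, n = pub
    return pow(s, e, n) == m


def existential_forgery(pub):
    """Against unhashed textbook RSA anyone can produce a valid (m, s) pair by
    choosing s first and setting m = s^e mod n. The forger does not control m,
    which is exactly the 'existential forgery' break level in the slides.
    With hash-then-sign the forger would need a SHA-256 preimage of m instead."""
    e, n = pub
    s = secrets.randbelow(n - 2) + 2
    return pow(s, e, n), s


if __name__ == "__main__":
    pub, priv = generate_keypair()
    print("round trip ok:", decrypt(priv, encrypt(pub, 123456789)) == 123456789)
    sig = sign(priv, b"pay 100")
    print("valid:", verify(pub, b"pay 100", sig), "altered:", verify(pub, b"pay 900", sig))
    m, s = existential_forgery(pub)
    print("forged pair accepted by unhashed verifier:", verify_textbook(pub, m, s))
```

The forgery function shows why the requirement "must depend on the message signed" is met by signing a hash rather than the raw block: the forged pair passes `verify_textbook` but is useless against `verify`, since the forger cannot find a message whose SHA-256 digest equals the forged m.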
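The Diffie-Hellman exchange and the Darth/Alice/Bob man-in-the-middle attack from the slides above, as an added example that is not part of the original notes. It uses Stallings' toy group q = 353, α = 3 so that the values (Y_A = 40, Y_B = 248, K = 160) can be checked by hand; Darth's private values and the function names are this example's assumptions.

```python
"""Added example (not from the slides): Diffie-Hellman key exchange and the
man-in-the-middle attack. Toy group q = 353, alpha = 3 from Stallings; a real
deployment uses a 2048-bit or larger group, and the attack works regardless
of group size because nothing authenticates the exchanged values."""
import secrets

Q, ALPHA = 353, 3          # public global elements: prime q, primitive root alpha


def random_private(q=Q):
    """Private value X with 1 <= X < q - 1, drawn from a CSPRNG."""
    return secrets.randbelow(q - 2) + 1


def public_value(x, q=Q, alpha=ALPHA):
    """Y = alpha^X mod q, the value sent over the wire."""
    return pow(alpha, x, q)


def shared_key(their_y, my_x, q=Q):
    """K = Y_other^X_mine mod q; both sides reach alpha^(XA*XB) mod q."""
    return pow(their_y, my_x, q)


def honest_exchange(xa, xb):
    """Alice and Bob exchange YA, YB directly; returns (K at Alice, K at Bob)."""
    ya, yb = public_value(xa), public_value(xb)
    return shared_key(yb, xa), shared_key(ya, xb)


def mitm_exchange(xa, xb, xd1, xd2):
    """Darth holds two private values XD1, XD2 and controls the channel.
    Returns the key each party ends up holding."""
    ya, yb = public_value(xa), public_value(xb)
    yd1, yd2 = public_value(xd1), public_value(xd2)
    # Alice -> Bob: Darth intercepts YA, forwards YD1 instead, and uses YA
    # with XD2 to compute the key he will share with Alice.
    k_bob = shared_key(yd1, xb)               # Bob believes this is Alice's key
    k_darth_alice = shared_key(ya, xd2)
    # Bob -> Alice: Darth intercepts YB, forwards YD2 instead, and uses YB
    # with XD1 to compute the key he will share with Bob.
    k_alice = shared_key(yd2, xa)             # Alice believes this is Bob's key
    k_darth_bob = shared_key(yb, xd1)
    return {"alice": k_alice, "bob": k_bob,
            "darth_with_alice": k_darth_alice, "darth_with_bob": k_darth_bob}


if __name__ == "__main__":
    ka, kb = honest_exchange(97, 233)          # Stallings' worked numbers
    print("honest exchange agrees:", ka == kb, "K =", ka)
    keys = mitm_exchange(97, 233, 17, 29)      # Darth's values are made up here
    print("Alice's key is known to Darth:", keys["alice"] == keys["darth_with_alice"])
    print("Bob's key is known to Darth:", keys["bob"] == keys["darth_with_bob"])
    print("Alice and Bob hold different keys:", keys["alice"] != keys["bob"])
```

Darth can now decrypt everything Alice sends with the Alice/Darth key and re-encrypt it under the Bob/Darth key, as the slide describes. The remedy is to authenticate Y_A and Y_B (a signature or certificate over the public value), not to enlarge the group.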
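The ElGamal key generation and message exchange from the slides above (y_A = α^x_A mod q; one-time key K = y_A^k mod q; C1 = α^k mod q, C2 = K·M mod q), together with the warning that k must not be reused across blocks, as an added example that is not part of the original notes. Stallings' toy parameters q = 19, α = 10, x_A = 5 are used so the numbers can be checked by hand; the function names are this example's own.

```python
"""Added example (not from the slides): ElGamal encryption, decryption and the
consequence of reusing the per-block value k. Toy parameters q = 19,
alpha = 10; a real deployment uses a prime of 2048 bits or more."""
import secrets

Q, ALPHA = 19, 10          # global elements: prime q and primitive root alpha


def generate_keypair(q=Q, alpha=ALPHA, x=None):
    """Private x with 1 < x < q - 1, public y = alpha^x mod q."""
    if x is None:
        x = secrets.randbelow(q - 3) + 2
    return x, pow(alpha, x, q)


def encrypt(y, m, q=Q, alpha=ALPHA, k=None):
    """Returns (C1, C2) = (alpha^k mod q, K*M mod q) with K = y^k mod q.
    k is the per-block random value; it is a parameter only so the reuse
    attack below can be demonstrated deterministically."""
    if not 0 <= m < q:
        raise ValueError("block must satisfy 0 <= M < q")
    if k is None:
        k = secrets.randbelow(q - 1) + 1       # 1 <= k <= q-1
    K = pow(y, k, q)
    return pow(alpha, k, q), (K * m) % q


def decrypt(x, c, q=Q):
    """Recover K = C1^x mod q, then M = C2 * K^-1 mod q."""
    c1, c2 = c
    K = pow(c1, x, q)
    return (c2 * pow(K, -1, q)) % q


def recover_with_reused_k(known_m, known_c, other_c, q=Q):
    """Attack from the slides: two blocks encrypted with the same k share the
    same K (and the same C1), so one known plaintext block reveals K and
    with it every other block, without ever learning x."""
    c1_known, c2_known = known_c
    c1_other, c2_other = other_c
    if c1_known != c1_other:
        raise ValueError("C1 differs, so k differs: attack does not apply")
    K = (c2_known * pow(known_m, -1, q)) % q  # known_m must be non-zero mod q
    return (c2_other * pow(K, -1, q)) % q


if __name__ == "__main__":
    x, y = generate_keypair(x=5)                  # y = 10^5 mod 19 = 3
    c = encrypt(y, 17, k=6)                       # (11, 5)
    print("ciphertext:", c, "decrypts to:", decrypt(x, c))
    c_other = encrypt(y, 8, k=6)                  # same k reused for a second block
    print("second block recovered without x:", recover_with_reused_k(17, c, c_other))
```

The reuse check is visible to the attacker too: identical C1 values across blocks are the tell-tale that k was repeated, so a fresh k per block (from a CSPRNG, as `secrets` provides) is part of the scheme rather than an optimisation.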
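The Message Security Requirements list above (masquerade, content modification, sequence modification, timing modification) and the MAC/HMAC material in the Message Authentication slides are illustrated by the following added example, which is not code from the notes. It uses HMAC-SHA256 from the Python standard library over a message that carries a sequence number and a timestamp; the field names, the JSON encoding and the 30-second acceptance window are this example's assumptions.

```python
"""Added example (not from the slides): a shared-key MAC (HMAC-SHA256) that
covers the payload together with a sequence number and a timestamp, so the
receiver can detect masquerade, content modification, sequence modification
and timing modification. Field names and the window are assumptions."""
import hashlib
import hmac
import json
import secrets


def protect(key, seq, payload, sent_at):
    """Sender side: MAC over the canonical encoding of (seq, ts, payload)."""
    body = json.dumps({"seq": seq, "ts": sent_at, "payload": payload},
                      sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


class Receiver:
    """Checks the MAC first, then the sequence number, then the timestamp."""

    def __init__(self, key, window_seconds=30):
        self.key = key
        self.window = window_seconds
        self.expected_seq = 0

    def accept(self, body, tag, received_at):
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            return "bad-mac"        # masquerade or content modification
        msg = json.loads(body)
        if msg["seq"] != self.expected_seq:
            return "bad-seq"        # replay, reorder or dropped message
        if abs(received_at - msg["ts"]) > self.window:
            return "stale"          # delayed, or replayed much later
        self.expected_seq += 1
        return "accept"


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # shared in advance by some key distribution scheme
    rx = Receiver(key)
    body, tag = protect(key, 0, "transfer 100 to bob", sent_at=1000)
    print("genuine:", rx.accept(body, tag, received_at=1005))
    print("replayed:", rx.accept(body, tag, received_at=1006))
    print("tampered:", rx.accept(body.replace(b"100", b"900"), tag, received_at=1005))
```

What the MAC does not give: the content is still readable in transit (disclosure and traffic analysis are untouched), and because sender and receiver hold the same key the receiver could have produced the tag itself, so source repudiation is not addressed; that is the gap the Digital Signatures slides fill.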
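The firewall slides above (a single choke point where only authorised traffic is allowed; packet-filter and stateful inspection types) are illustrated by the following added example, which is not code from the notes or from any firewall product. The protected network 10.0.0.0/8, the two rules, the sample packets and the `allow-established` label for the stateful path are all constructed for the demonstration.

```python
"""Added example (not from the slides): a packet filter with default deny and
a stateful check for established connections. Addresses, rules and packets
are constructed for the demonstration."""
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # the protected premises network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# First-match rules; a packet that matches no rule is dropped (default deny).
RULES = [
    {"action": "allow", "direction": "out", "proto": "tcp", "dport": {80, 443}},
    {"action": "allow", "direction": "in", "proto": "tcp", "dport": {25}, "dst": "10.0.0.25"},
]


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()      # (src, sport, dst, dport) of connections allowed out

    @staticmethod
    def direction(pkt):
        return "out" if ipaddress.ip_address(pkt.src) in INTERNAL else "in"

    def filter(self, pkt):
        d = self.direction(pkt)
        # Stateful inspection: an inbound packet is accepted as the reply to
        # an outbound connection only if the whole 4-tuple matches a flow we
        # let out. A stateless 'allow inbound from port 443' rule would let
        # any external host reach any internal port just by using sport 443.
        if d == "in" and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow-established"
        for rule in self.rules:
            if rule["direction"] != d or rule["proto"] != pkt.proto:
                continue
            if rule.get("dst", pkt.dst) != pkt.dst:
                continue
            if pkt.dport not in rule["dport"]:
                continue
            if d == "out":
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return rule["action"]
        return "deny"


if __name__ == "__main__":
    fw = Firewall(RULES)
    for pkt in [Packet("10.0.0.5", 40000, "198.51.100.20", 443),   # browsing out
                Packet("198.51.100.20", 443, "10.0.0.5", 40000),   # the reply
                Packet("198.51.100.20", 443, "10.0.0.5", 40001),   # forged 'reply'
                Packet("203.0.113.7", 55555, "10.0.0.5", 22),      # inbound SSH probe
                Packet("203.0.113.7", 55555, "10.0.0.25", 25)]:    # mail to the relay
        print(pkt.src, pkt.sport, "->", pkt.dst, pkt.dport, ":", fw.filter(pkt))
```

The Firewall Limitations slide still applies: a packet arriving on the inside with an internal source address, a modem behind the firewall, or malware on a laptop never pass through `filter` at all.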
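The Intruders slides above (recognisable behaviour patterns that differ from ordinary users; "Guessing and cracking passwords" among the Examples of Intrusion; intrusion detection "statistical & rule-based") are illustrated by the following added example, which is not code from the notes. It runs one rule-based detector and one statistical detector over a handful of constructed sshd log lines; the log lines, the login-hour history for `alice`, the thresholds and the function names are all this example's assumptions.

```python
"""Added example (not from the slides): rule-based and statistical intrusion
detection over constructed sshd log lines. Rule: N failed logins from one
source inside a short window (password guessing). Statistical: a successful
login at an hour far outside the user's historical profile."""
import re
import statistics
from datetime import datetime

LOG_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+")

# Constructed sample: a guessing burst from 203.0.113.7, normal use by alice,
# and a successful login for alice at 03:14 from an unfamiliar source.
SAMPLE_LOG = """\
Mar 10 10:01:02 gw sshd[2211]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar 10 10:01:04 gw sshd[2211]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar 10 10:01:05 gw sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51003 ssh2
Mar 10 10:01:07 gw sshd[2211]: Failed password for invalid user oracle from 203.0.113.7 port 51004 ssh2
Mar 10 10:01:09 gw sshd[2211]: Failed password for root from 203.0.113.7 port 51005 ssh2
Mar 10 10:02:30 gw sshd[2215]: Failed password for alice from 198.51.100.4 port 50122 ssh2
Mar 10 10:02:41 gw sshd[2215]: Accepted password for alice from 198.51.100.4 port 50122 ssh2
Mar 11 03:14:09 gw sshd[2301]: Accepted publickey for alice from 192.0.2.9 port 40011 ssh2
"""

# Constructed baseline: hour of day of alice's previous successful logins.
HISTORY = {"alice": [9, 10, 9, 11, 10, 9, 10]}


def parse(log_text):
    """Turn matching lines into event dicts; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append({"ts": ts, "result": m["result"],
                           "user": m["user"], "src": m["src"]})
    return events


def detect_guessing(events, threshold=5, window_seconds=60):
    """Rule-based: flag a source with >= threshold failures inside the window."""
    failures = {}
    for ev in events:
        if ev["result"] == "Failed":
            failures.setdefault(ev["src"], []).append(ev["ts"])
    flagged = set()
    for src, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged.add(src)
                break
    return flagged


def detect_unusual_hour(events, history, z_limit=2.0):
    """Statistical: z-score of the login hour against the user's own profile."""
    alerts = []
    for ev in events:
        hours = history.get(ev["user"])
        if ev["result"] != "Accepted" or not hours:
            continue
        mean, sd = statistics.mean(hours), statistics.pstdev(hours)
        z = abs(ev["ts"].hour - mean) / (sd if sd > 0 else 1.0)
        if z > z_limit:
            alerts.append((ev["user"], ev["ts"].hour, ev["src"]))
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("password guessing from:", detect_guessing(evs))
    print("logins at unusual hours:", detect_unusual_hour(evs, HISTORY))
```

The two detectors fail in opposite ways: the rule catches only what it was written for (lower the rate below the threshold and it is silent), while the profile-based check flags anything unusual, including a legitimate late-night login, so its alerts need a human or a second signal before action.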
Best of Luck