Post on 31-Jan-2016
CSCI 6365
• Network Security and Management
• Instructor: Bin Fu, Ph.D
• Office: ENGR 3.280
• Phone: 381-3635
• Email: binfu@cs.panam.edu
• Web: http://cs.panam.edu/~binfu/
Textbook
Textbook: Cryptography and Network Security, by William Stallings, Fourth Edition
Topics
• Symmetric ciphers
• Block ciphers and DES
• Public key cryptography (RSA)
• Hash functions
• Key management
• Network Authentications
• IP security
• Web security
• Software security, etc
Exam, Assignment and Grade
• Midterm: 20%
• Final: 25%
• 4 assignments: 30%
• Attendance and Exercises in class: 25%
Chapter 1 – Introduction
The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.
—The Art of War, Sun Tzu
Background
• Information Security requirements have changed in recent times
• traditionally provided by physical and administrative mechanisms
• computer use requires automated tools to protect files and other stored information
• use of networks and communications links requires measures to protect data during transmission
Definitions
• Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers
• Network Security - measures to protect data during their transmission
• Internet Security - measures to protect data during their transmission over a collection of interconnected networks
Services, Mechanisms, Attacks
• need systematic way to define requirements
• consider three aspects of information security:
– security attack
– security mechanism
– security service
• consider in reverse order
OSI Security Architecture
• ITU-T X.800 Security Architecture for OSI
• defines a systematic way of defining and providing security requirements
• for us it provides a useful, if abstract, overview of concepts we will study
Security Services
• X.800 defines it as: a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers
• RFC 2828 defines it as: a processing or communication service provided by a system to give a specific kind of protection to system resources
• X.800 defines it in 5 major categories
Security Services (X.800)
• Authentication - assurance that the communicating entity is the one claimed
• Access Control - prevention of the unauthorized use of a resource
• Data Confidentiality –protection of data from unauthorized disclosure
• Data Integrity - assurance that data received is as sent by an authorized entity
• Non-Repudiation - protection against denial by one of the parties in a communication
Security Mechanisms (X.800)
• specific security mechanisms:
– encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization
• pervasive security mechanisms:
– trusted functionality, security labels, event detection, security audit trails, security recovery
Classify Security Attacks as
• passive attacks – eavesdropping on, or monitoring of, transmissions to:
– obtain message contents, or
– monitor traffic flows
• active attacks – modification of the data stream, or creation of a false stream, to:
– masquerade as some other entity
– replay previous messages
– modify messages in transit
– deny service
Model for Network Security
• using this model requires us to:
– design a suitable algorithm for the security transformation
– generate the secret information (keys) used by the algorithm
– develop methods to distribute and share the secret information
– specify a protocol enabling the principals to use the transformation and secret information for a security service
Model for Network Access Security
• using this model requires us to:
– select appropriate gatekeeper functions to identify users
– implement security controls to ensure only authorised users access designated information or resources
• trusted computer systems can be used to implement this model
Summary
• have considered:
– computer, network, internet security definitions
– security services, mechanisms, attacks
– X.800 standard
– models for network (access) security
Cryptography
(Figure: cryptography draws on algebra, number theory and complexity theory on the theoretical side; its application impact is on security.)
Two parts of cryptography
• Symmetric ciphers
Knowing the encryption key means knowing the decryption key (it is the same key). Examples: DES, AES
• Public key (asymmetric cipher)
Even when the encryption key is known, the decryption key remains computationally unknown. Example: RSA
Basic Concepts in Cryptography
• Plaintext: Original intelligible message
• Encryption algorithm: convert plaintext into ciphertext
• Key: one of the inputs to the encryption algorithm; different keys produce different ciphertexts for the same plaintext
• Ciphertext: output of encryption, unintelligible data
• Decryption algorithm: takes the ciphertext and key to generate plaintext
Model of Cryptosystem
(Figure: message X → Encryption (key K) → ciphertext Y → Decryption (key K) → message X. The key K reaches the receiver over a secure channel. A cryptanalyst who sees only Y produces an estimate X' of the message and an estimate K' of the key.)
Encryption and Decryption
• Message X • Encryption key K • Ciphertext Y
Encryption function: $Y = E_K(X)$
Decryption function: $X = D_K(Y)$
Attacks
• Ciphertext only attack:
attacker only knows ciphertext
• Known Plaintext attack:
attacker gets some plaintext patterns and their encryptions
• Chosen-plaintext attack:
attacker choose message to encrypt
Caesar Cipher
• Plain to cipher mapping (shift by 3)
a b c d e f g h i j k l m n o p q r s t u v w x y z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
• Example
Plaintext: a t t a c k a t m i d n i g h t
Ciphertext: DWWDFN DW PLGQLJKW
Two functions
• a b c …. Z
• 0 1 2 … 25
• The encryption function is
E(p)=p+3 (mod 26)
• The Decryption function is
D(c)=(c-3) (mod 26)
Key space and security
• The number of keys for Caesar cipher is 26
• It is easy to break by brute-force attack via trying all possible keys
Monoalphabetic Cipher
• Plain letters to cipher letters
a b c d e f g h i j k l m n o p q r s t u v w x y z
Z E I R M F S K B H C U P Q G J T O V W X Y D A L N
• Plaintext to ciphertext
Plaintext: a t t a c k a t m i d n i g h t
Ciphertext: ZWWZIC ZW PBRQBSKW
Monoalphabetic Cipher
• Plain:
a b c d e f g h i j k l m n o p q r s t u v w x y z
• Cipher: a permutation of 26 letters
• Number of possible keys:
26!=1x 2 x 3 x 4 …x 25 x26
Statistics for English Letters
• Frequency of the 26 letters (percent):
E 12.7, T 9.0, A 8.1, O 7.5, I 6.9, N 6.7, S 6.3, H 6.0, R 5.9, D 4.2, L 4.0, C 2.7, U 2.7, M 2.4, W 2.3, F 2.2, G 2.0, Y 1.9, P 1.9, B 1.4, V 0.9, K 0.7, X 0.15, J 0.15, Q 0.09, Z 0.07
Cipher Analysis
• Collect a ciphertext long enough for letter statistics to be meaningful
• Tabulate the frequency of each cipher letter
• Match the cipher-letter frequencies against the English letter frequencies to recover the mapping
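The two attacks described on these slides, as an added example (not part of the original lecture notes): a brute-force search over the 26 Caesar keys, and a frequency-ranking first pass against a general monoalphabetic substitution. The substitution key and the English sample sentence below are the slide's key and a constructed sentence; the frequency order is the one given on the slide.

```python
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz"

def shift_encrypt(plaintext: str, shift: int) -> str:
    """Caesar cipher E(p) = (p + shift) mod 26; non-letters are dropped, output in upper case."""
    return "".join(ALPHABET[(ALPHABET.index(ch) + shift) % 26].upper()
                   for ch in plaintext.lower() if ch in ALPHABET)

def shift_decrypt(ciphertext: str, shift: int) -> str:
    return shift_encrypt(ciphertext, -shift).lower()

def brute_force_caesar(ciphertext: str) -> dict:
    """Key space is only 26: try every key; the reader picks the candidate that is English."""
    return {k: shift_decrypt(ciphertext, k) for k in range(26)}

def substitution_encrypt(plaintext: str, key_alphabet: str) -> str:
    """General monoalphabetic cipher: key_alphabet is the 26-letter image of a..z (26! keys)."""
    table = str.maketrans(ALPHABET, key_alphabet.lower())
    return "".join(ch for ch in plaintext.lower() if ch in ALPHABET).translate(table).upper()

def letter_frequencies(text: str) -> list:
    """(letter, relative frequency) pairs, most frequent first."""
    letters = [c for c in text.upper() if c.isalpha()]
    counts = Counter(letters)
    return sorted(((c, n / len(letters)) for c, n in counts.items()),
                  key=lambda t: (-t[1], t[0]))

ENGLISH_BY_FREQUENCY = "ETAOINSHRDLCUMWFGYPBVKXJQZ"   # order from the slide above

def frequency_guess(ciphertext: str) -> dict:
    """First-pass attack on a monoalphabetic cipher: the most frequent cipher letter is
    guessed to be E, the next T, and so on. Only the top few guesses are reliable; the
    rest are refined by hand from digram/trigram patterns (TH, HE, ING, ...)."""
    ranked = [c for c, _ in letter_frequencies(ciphertext)]
    return dict(zip(ranked, ENGLISH_BY_FREQUENCY))

if __name__ == "__main__":
    print(shift_encrypt("attack at midnight", 3))
    for k, cand in brute_force_caesar("DWWDFNDWPLGQLJKW").items():
        print(k, cand)
    key = "zeirmfskbhcupqgjtovwxydaln"           # the slide's monoalphabetic key
    sample = "we need to secure the network before the attacker sees the keys"  # constructed
    ct = substitution_encrypt(sample, key)
    print(ct, frequency_guess(ct))
```

The brute-force loop needs no statistics at all, which is the whole point of a 26-element key space; the frequency pass shows that 26! keys do not help when every plaintext letter always maps to the same cipher letter.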
Multiple Substitutes (Homophones)
• A plaintext letter may be assigned several cipher symbols, e.g. e → 3, 7, 23
• This flattens the frequency distribution and makes statistical attacks much harder
Playfair Cipher
• Key: monarchy
M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z
Pairing before Encryption
• Pair up letters: walk → (wa)(lk)
• Insert a filler letter (x) between repeated letters in a pair: balloon → (ba)(lx)(lo)(on)
Encryption Rules
• ar → RM: plaintext letters in the same row are replaced by the letter to their right (circularly)
• mu → CM: plaintext letters in the same column are replaced by the letter beneath (circularly)
• bp → HS: otherwise each plaintext letter is replaced by the letter in its own row and the other letter's column
Advantage of Playfair over monoalphabetic
• Multiple substitutes: the cipher image of a letter depends on its partner in the pair (26 × 26 digrams)
• Frequency analysis becomes more difficult (digram frequencies still leak, so it is not secure by modern standards)
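The Playfair procedure above (key square, pairing with filler, the three replacement rules) as an added worked example that is not part of the original slides. It uses the slide's key "monarchy"; the filler letters x (and q when the repeated letter is itself x) are an assumption of this implementation.

```python
def playfair_square(keyword: str):
    """5x5 key square: keyword letters first (without repeats), then the rest of the
    alphabet; I and J share one cell. Returns the square and a letter -> (row, col) map."""
    seen = []
    for ch in (keyword + "abcdefghiklmnopqrstuvwxyz").lower():
        ch = "i" if ch == "j" else ch
        if ch not in seen:
            seen.append(ch)
    square = [seen[r * 5:(r + 1) * 5] for r in range(5)]
    pos = {ch: (r, c) for r, row in enumerate(square) for c, ch in enumerate(row)}
    return square, pos

def playfair_digraphs(plaintext: str, filler: str = "x", alt_filler: str = "q") -> list:
    """Split into letter pairs; identical letters in one pair get a filler inserted
    between them (balloon -> ba lx lo on). An odd trailing letter is padded."""
    letters = [("i" if c == "j" else c) for c in plaintext.lower() if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else None
        if b is None or a == b:
            pairs.append(a + (alt_filler if a == filler else filler))
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs

def _shift_pair(square, pos, a: str, b: str, step: int) -> str:
    (ra, ca), (rb, cb) = pos[a], pos[b]
    if ra == rb:                                    # same row: right (+1) / left (-1), circularly
        return square[ra][(ca + step) % 5] + square[rb][(cb + step) % 5]
    if ca == cb:                                    # same column: beneath (+1) / above (-1), circularly
        return square[(ra + step) % 5][ca] + square[(rb + step) % 5][cb]
    return square[ra][cb] + square[rb][ca]          # rectangle: own row, the other letter's column

def playfair_encrypt(plaintext: str, keyword: str) -> str:
    square, pos = playfair_square(keyword)
    return "".join(_shift_pair(square, pos, p[0], p[1], +1)
                   for p in playfair_digraphs(plaintext)).upper()

def playfair_decrypt(ciphertext: str, keyword: str) -> str:
    """Inverse: same rules with the shift reversed. Filler letters stay in the output."""
    square, pos = playfair_square(keyword)
    pairs = [ciphertext[i:i + 2].lower() for i in range(0, len(ciphertext), 2)]
    return "".join(_shift_pair(square, pos, p[0], p[1], -1) for p in pairs)

if __name__ == "__main__":
    for row in playfair_square("monarchy")[0]:
        print(" ".join(row))
    print(playfair_digraphs("balloon"), playfair_encrypt("balloon", "monarchy"))
    print(playfair_decrypt(playfair_encrypt("balloon", "monarchy"), "monarchy"))
```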
Polyalphabetic Cipher
• 6 letters: a b c d e f
a A B C D E F
b B C D E F A
c C D E F A B
d D E F A B C
e E F A B C D
f F A B C D E
Encryption rules
• Keyword: dece
• Key: d e c e d e c e d e c e d
• Plaintext: f d e f e c a b c c c e d
• Ciphertext: C B A D B A C F F A E C A
• The key letter "d" selects row "d"; the plaintext letter "f" selects column "f"; the cipher letter is at the intersection of row "d" and column "f", which is "C"
Polyalphabetic Cipher
• 26 letters: a b c d e f …….
a A B C D E F …….
b B C D E F G …….
c C D E F G H …….
d D E F G H I …….
e E F G H I J …….
f F G H I J K …….
……
Advantage
• Each plaintext letter may be mapped to any of the 26 letters.
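The polyalphabetic (Vigenère) table above as an added example, not part of the original slides. The row is selected by the key letter and the column by the plaintext letter, so the entry is the sum of the two indices modulo the alphabet size; the same function handles the 6-letter alphabet of the first slide and the full 26-letter one. The Kasiski helper at the end is an addition showing the caveat that matters in practice: the key repeats with period equal to its length, and repeated plaintext aligned with that period produces repeated ciphertext.

```python
def vigenere(text: str, keyword: str, alphabet: str = "abcdefghijklmnopqrstuvwxyz",
             decrypt: bool = False) -> str:
    """Polyalphabetic substitution over an arbitrary alphabet.
    Encryption: c_i = (p_i + k_{i mod len(key)}) mod |alphabet|  (row = key letter,
    column = plaintext letter in the slide's table). Decryption subtracts the key instead."""
    n = len(alphabet)
    key_vals = [alphabet.index(k) for k in keyword.lower()]
    kept = [c for c in text.lower() if c in alphabet]
    out = []
    for i, ch in enumerate(kept):
        shift = key_vals[i % len(key_vals)]
        if decrypt:
            shift = -shift
        out.append(alphabet[(alphabet.index(ch) + shift) % n])
    return "".join(out) if decrypt else "".join(out).upper()

def kasiski_spacings(ciphertext: str, seq_len: int = 3) -> list:
    """Distances between repeated letter sequences in the ciphertext. With a periodic
    key, the key length divides most of these distances, which is how the period of a
    Vigenère key is recovered before per-column frequency analysis."""
    seen, spacings = {}, []
    for i in range(len(ciphertext) - seq_len + 1):
        seq = ciphertext[i:i + seq_len]
        if seq in seen:
            spacings.append(i - seen[seq])
        seen[seq] = i
    return spacings

if __name__ == "__main__":
    print(vigenere("fdefecabccced", "dece", alphabet="abcdef"))      # the slide's 6-letter example
    print(vigenere("CBADBACFFAECA", "dece", alphabet="abcdef", decrypt=True))
    ct = vigenere("attackattack", "key")                              # constructed 26-letter example
    print(ct, kasiski_spacings(ct))
```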
Basic Properties of Mod
• For integers x, y, and k, $x \equiv y \pmod k$ if there is an integer z such that $x - y = z \cdot k$
• Example: x = 7, y = 11, k = 4: $7 \equiv 11 \pmod 4$, since $7 - 11 = (-1) \cdot 4$
• $x \equiv y \pmod k$ iff x and y have the same remainder when divided by k
Mod k
• Assume $x \equiv y \pmod k$ and $u \equiv v \pmod k$; then
$x + u \equiv y + v \pmod k$
$x \cdot u \equiv y \cdot v \pmod k$
Hill Cipher
• Take m successive plaintext letters and substitute for them m ciphertext letters
• Each letter is assigned a numerical value
• The Substitution is via a linear transformation
Hill Cipher
$$\begin{pmatrix} c_1 \\ c_2 \\ c_3 \end{pmatrix} = \begin{pmatrix} k_{11} & k_{12} & k_{13} \\ k_{21} & k_{22} & k_{23} \\ k_{31} & k_{32} & k_{33} \end{pmatrix} \begin{pmatrix} p_1 \\ p_2 \\ p_3 \end{pmatrix} \bmod 26$$
that is,
$c_1 = (k_{11} p_1 + k_{12} p_2 + k_{13} p_3) \bmod 26$
$c_2 = (k_{21} p_1 + k_{22} p_2 + k_{23} p_3) \bmod 26$
$c_3 = (k_{31} p_1 + k_{32} p_2 + k_{33} p_3) \bmod 26$
Matrix Multiplication
• For two matrices $A = (a_{i,j})_{l \times m}$ and $B = (b_{j,k})_{m \times n}$,
$C = AB = (c_{i,k})_{l \times n}$ with
$c_{i,k} = \sum_{j=1}^{m} a_{i,j} b_{j,k}$
Properties of matrix product
• Associative: (AB)C = A(BC)
• IA = AI = A, where I is the unit (identity) matrix
$$I = \begin{pmatrix} 1 & 0 & 0 & \cdots & 0 \\ 0 & 1 & 0 & \cdots & 0 \\ 0 & 0 & 1 & \cdots & 0 \\ \vdots & & & \ddots & \vdots \\ 0 & 0 & 0 & \cdots & 1 \end{pmatrix}$$
Inverse of matrix
• For an $n \times n$ matrix $A = (a_{i,j})$, if there is another $n \times n$ matrix $B = (b_{i,j})$ such that $AB = I$, where I is the unit matrix, then B is called the inverse of A, denoted by $B = A^{-1}$
Hill Cipher
• $C = KP \bmod 26$
C is a column of m cipher letters
K is an $m \times m$ matrix
P is a column of m plain letters
• K is invertible with inverse $K^{-1}$: $K K^{-1} = I$
I is the $m \times m$ matrix with ones on the main diagonal and zeros elsewhere
Encryption and Decryption
• Encryption: $C = E_K(P) = KP \bmod 26$
• Decryption: $P = D_K(C) = K^{-1} C \bmod 26 = K^{-1} K P = I P = P$
Example
$$K = \begin{pmatrix} 17 & 17 & 5 \\ 21 & 18 & 21 \\ 2 & 2 & 19 \end{pmatrix}, \qquad K^{-1} = \begin{pmatrix} 4 & 9 & 15 \\ 15 & 17 & 6 \\ 24 & 0 & 17 \end{pmatrix}$$
Check:
$$K K^{-1} = \begin{pmatrix} 443 & 442 & 442 \\ 858 & 495 & 780 \\ 494 & 52 & 365 \end{pmatrix} \bmod 26 = \begin{pmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{pmatrix}$$
Hill Cipher Security
• Known-plaintext attack: with m plaintext blocks and their ciphertext blocks, write them as the columns of $m \times m$ matrices P and C:
$$\begin{pmatrix} c_{11} & c_{12} & c_{13} \\ c_{21} & c_{22} & c_{23} \\ c_{31} & c_{32} & c_{33} \end{pmatrix} = \begin{pmatrix} k_{11} & k_{12} & k_{13} \\ k_{21} & k_{22} & k_{23} \\ k_{31} & k_{32} & k_{33} \end{pmatrix} \begin{pmatrix} p_{11} & p_{12} & p_{13} \\ p_{21} & p_{22} & p_{23} \\ p_{31} & p_{32} & p_{33} \end{pmatrix} \bmod 26$$
• $C = KP \bmod 26$, so if P is invertible mod 26, $K = C P^{-1} \bmod 26$
Conclusion
• The Hill cipher is linear, so it is easy to break with a known-plaintext attack (m blocks whose plaintext matrix is invertible mod 26 suffice).
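The Hill cipher and the known-plaintext attack above, as an added example that is not part of the original slides. It uses the slide's key K and checks the slide's $K^{-1}$; the inverse is computed as $\det(K)^{-1} \cdot \operatorname{adj}(K) \bmod 26$, so a key whose determinant shares a factor with 26 is rejected. The plaintexts "paymoremoney" and "bee ate cab" are constructed inputs.

```python
from math import gcd

MOD = 26
A2I = {c: i for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}
I2A = {i: c for c, i in A2I.items()}

def mat_mul(A, B, mod=MOD):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) % mod
             for j in range(len(B[0]))] for i in range(len(A))]

def det(M):
    """Determinant by cofactor expansion along the first row (m is small for a Hill cipher)."""
    if len(M) == 1:
        return M[0][0]
    return sum((-1) ** j * M[0][j] * det([row[:j] + row[j + 1:] for row in M[1:]])
               for j in range(len(M)))

def mat_inv_mod(M, mod=MOD):
    """K^{-1} = det(K)^{-1} * adj(K) mod 26; fails if gcd(det(K), 26) != 1."""
    n = len(M)
    d = det(M) % mod
    if gcd(d, mod) != 1:
        raise ValueError("matrix is not invertible mod %d (det = %d)" % (mod, d))
    d_inv = pow(d, -1, mod)
    cof = [[(-1) ** (i + j) * det([r[:j] + r[j + 1:] for k, r in enumerate(M) if k != i])
            for j in range(n)] for i in range(n)]
    return [[(d_inv * cof[j][i]) % mod for j in range(n)] for i in range(n)]  # adjugate = cofactor transpose

def _columns(text: str, m: int):
    """Letters -> list of m x 1 column vectors."""
    vals = [A2I[c] for c in text.lower() if c in A2I]
    if len(vals) % m:
        raise ValueError("text length must be a multiple of %d" % m)
    return [[[v] for v in vals[i:i + m]] for i in range(0, len(vals), m)]

def hill_encrypt(plaintext: str, K) -> str:
    """C = K P mod 26, block by block."""
    return "".join(I2A[row[0]] for P in _columns(plaintext, len(K)) for row in mat_mul(K, P)).upper()

def hill_decrypt(ciphertext: str, K) -> str:
    """P = K^{-1} C mod 26."""
    return hill_encrypt(ciphertext, mat_inv_mod(K)).lower()

def recover_key(plaintext: str, ciphertext: str, m: int):
    """Known-plaintext attack: put m plaintext blocks as the columns of P and the matching
    ciphertext blocks as the columns of C; then C = K P, so K = C P^{-1} mod 26."""
    P_cols = _columns(plaintext, m)[:m]
    C_cols = _columns(ciphertext, m)[:m]
    P = [[P_cols[j][i][0] for j in range(m)] for i in range(m)]
    C = [[C_cols[j][i][0] for j in range(m)] for i in range(m)]
    return mat_mul(C, mat_inv_mod(P))

K = [[17, 17, 5], [21, 18, 21], [2, 2, 19]]   # the slide's key

if __name__ == "__main__":
    print(mat_inv_mod(K))
    ct = hill_encrypt("paymoremoney", K)
    print(ct, hill_decrypt(ct, K))
    known_pt = "bee ate cab"                      # constructed: its 3x3 plaintext matrix is invertible mod 26
    print(recover_key(known_pt, hill_encrypt(known_pt, K), 3) == K)
```

Not every set of m known blocks works: the plaintext matrix must be invertible modulo 26, so the attacker slides along the known text until it finds such a set (the "paymoremoney" blocks, for instance, all give an even determinant).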
Problems
1. Encrypt the plaintext with Polyalphabetic Cipher with the key decedece: BEEF
2. The following ciphertext is from Playfair encryption. Convert it into plaintext, showing each of your steps:
SENASXFNMG
Encryption for binary message
• $a \oplus b = 1$ iff a and b are different
• $p_i$ = i-th binary digit of the plaintext, $k_i$ = i-th binary digit of the key, $c_i$ = i-th binary digit of the ciphertext
• Encryption: $c_i = p_i \oplus k_i$
Decryption for binary message
• Decryption: $c_i \oplus k_i = (p_i \oplus k_i) \oplus k_i = p_i \oplus (k_i \oplus k_i) = p_i \oplus 0 = p_i$
Transposition techniques
• Encryption is by some permutation on the plaintext
• Plaintext: attack postponed until two am xyz
• Write the message in row:
a t t a c k p
o s t p o n e
d u n t i l t
w o a m x y z
• Read by column:
aodwtsuottnaaptmcoixknlypetz
Transposition techniques
• Permute the order of columns
Key: 4 3 1 2 5 6 7
a t t a c k p
o s t p o n e
d u n t i l t
w o a m x y z
• Ciphertext:
ttna aptm tsuo aodw coix knly petz
Second round
• Input: ttna aptm tsuo aodw coix knly petz
• Permute the order of columns
Key: 4 3 1 2 5 6 7
t t n a a p t
m t s u o a o
d w c o i x k
n l y p e t z
• Ciphertext:
nscy auop ttwl tmdn aoie paxt tokz
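The columnar transposition of the last three slides (one and two rounds with key 4312567), as an added example that is not part of the original slides. It also shows the property an attacker relies on: a transposition permutes letters but leaves the letter histogram of the plaintext unchanged, so a ciphertext with English letter frequencies but no English digrams is the signature of a transposition.

```python
from collections import Counter

def _key_order(key: str) -> list:
    """Column read-out order: the column whose key digit is 1 first, then 2, ...
    ('4312567' -> column indices [2, 3, 1, 0, 4, 5, 6])."""
    return [i for _, i in sorted((int(d), i) for i, d in enumerate(key))]

def transpose_encrypt(plaintext: str, key: str, rounds: int = 1) -> str:
    """Write the message in rows of len(key) letters, read the columns out in key order."""
    text = "".join(c for c in plaintext.lower() if c.isalpha())
    cols = len(key)
    if len(text) % cols:
        raise ValueError("pad the message to a multiple of %d letters" % cols)
    for _ in range(rounds):
        rows = [text[i:i + cols] for i in range(0, len(text), cols)]
        text = "".join(row[c] for c in _key_order(key) for row in rows)
    return text

def transpose_decrypt(ciphertext: str, key: str, rounds: int = 1) -> str:
    """Refill the columns in the order they were read out, then read the rows."""
    cols = len(key)
    n_rows = len(ciphertext) // cols
    text = ciphertext
    for _ in range(rounds):
        grid = [[""] * cols for _ in range(n_rows)]
        pos = 0
        for c in _key_order(key):
            for r in range(n_rows):
                grid[r][c] = text[pos]
                pos += 1
        text = "".join("".join(row) for row in grid)
    return text

def letter_histogram(text: str) -> Counter:
    return Counter(c for c in text.lower() if c.isalpha())

if __name__ == "__main__":
    msg = "attack postponed until two am xyz"                  # the slide's message
    one = transpose_encrypt(msg, "4312567")
    two = transpose_encrypt(msg, "4312567", rounds=2)
    print(one, two, transpose_decrypt(two, "4312567", rounds=2))
    print(letter_histogram(msg) == letter_histogram(two))     # transposition preserves frequencies
```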
Two basic methods
• Substitution
monoalphabetic cipher
polyalphabetic cipher
• Permutation
transposition
Block Cipher
• Block cipher: a block of plaintext is treated as a whole and used to produce a ciphertext block of the same length
• The mapping can be described by a table, e.g. for 2-bit blocks:
00 → 11
01 → 10
10 → 00
11 → 01
• The key size for an n-bit block described by such a table is $n \cdot 2^n$ bits (the whole table)
Principles of block cipher design
• Diffusion
The statistical structure of the plaintext is dissipated into long-range statistics of the ciphertext
• Confusion
Make the relationship between the ciphertext and the key as complicated as possible
Diffusion
• Let each plaintext digit affect many cipher digits
• Example 1: Hill cipher, where every ciphertext letter of a block depends on every plaintext letter of the block:
$$\begin{pmatrix} c_1 \\ c_2 \\ c_3 \end{pmatrix} = \begin{pmatrix} k_{11} & k_{12} & k_{13} \\ k_{21} & k_{22} & k_{23} \\ k_{31} & k_{32} & k_{33} \end{pmatrix} \begin{pmatrix} p_1 \\ p_2 \\ p_3 \end{pmatrix} \bmod 26$$
• Example 2: For message $M = m_1, m_2, m_3, \ldots$ let the ciphertext be
$$y_n = \Big(\sum_{i=1}^{k} m_{n+i}\Big) \bmod 26$$
Diffusion and confusion
• Diffusion dissipates the statistical structure of the plaintext; it is usually achieved by permutations repeated over many rounds
• Confusion hides the relationship between ciphertext and key; it is usually achieved by substitution
Magic function f(x)
• For every integer x, f(x) is easy to compute.
• Given f(x), it is very hard to find any information about x.
• It is infeasible to find different x and y with f(x) = f(y).
Protocol
• Alice picks a random integer x and computes f(x)
• She reads f(x) to Bob on the phone
• Bob tells Alice his guess of whether x is even or odd
• Alice reads x to Bob
• Bob verifies f(x) and sees whether his guess was correct
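The coin-flipping protocol above, run end to end, as an added example that is not part of the original slides. SHA-256 stands in for the "magic" function f (an assumption; the slide does not name one). The random nonce mixed into the commitment is this example's addition: if Alice committed to a small x alone, Bob could simply try every candidate x until f(x) matched, which would break the hiding property the protocol relies on.

```python
import hashlib
import secrets

def commit(x: int, nonce: bytes) -> str:
    """f(x): one-way and collision-resistant. SHA-256 over (nonce || x) is used here; the
    nonce keeps Bob from brute-forcing x out of the commitment when x is small."""
    return hashlib.sha256(nonce + x.to_bytes(32, "big")).hexdigest()

def open_commitment(commitment: str, x: int, nonce: bytes) -> bool:
    """Bob recomputes f(x) and checks it equals what Alice sent before she knew his guess."""
    return commit(x, nonce) == commitment

def coin_flip(bob_guess_even: bool, alice_x: int = None, nonce: bytes = None,
              alice_cheats: bool = False) -> str:
    """Whole exchange. Step 1: Alice commits. Step 2: Bob guesses the parity of x.
    Step 3: Alice reveals x (a cheating Alice reveals x+1 to flip the parity).
    Step 4: Bob verifies the commitment and scores the flip."""
    alice_x = secrets.randbits(128) if alice_x is None else alice_x
    nonce = secrets.token_bytes(16) if nonce is None else nonce
    c = commit(alice_x, nonce)                       # step 1: "Alice reads f(x) to Bob"
    guess_even = bob_guess_even                      # step 2
    revealed_x = alice_x + 1 if alice_cheats else alice_x   # step 3
    if not open_commitment(c, revealed_x, nonce):    # step 4: collision resistance makes this stick
        return "alice cheated"
    return "bob wins" if (revealed_x % 2 == 0) == guess_even else "alice wins"

if __name__ == "__main__":
    print(coin_flip(bob_guess_even=True))
    print(coin_flip(True, alice_x=4, nonce=b"\x00" * 16, alice_cheats=True))
```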
Problem
The following ciphertext is from the transposition method with the key 4132. Recover the plaintext.
OCLTG NNENT OAEOH NESPI
DES
• Data Encryption Standard (DES) was adopted by the National Bureau of Standards in 1977
• Most widely used encryption scheme, especially in financial applications
DES
• DES is a block cipher
• Each plaintext block is a 64-bit {0,1} string
• Each ciphertext block is a 64-bit {0,1} string
• The key is a 56-bit {0,1} string
• It is a combination of substitution and permutation
Three stages
• Stage 1: apply a fixed permutation IP: $(L_0, R_0) = IP(\text{Input Block})$
• Stage 2: 16 rounds of operations (i = 1, 2, ..., 16):
$L_i = R_{i-1}$
$R_i = L_{i-1} \oplus f(R_{i-1}, k_i)$
• Stage 3: Output block $= IP^{-1}(R_{16}, L_{16})$
Stage 1
• Apply a fixed permutation IP: $(L_0, R_0) = IP(\text{Input Block})$
• $L_0$ is the left 32 bits
• $R_0$ is the right 32 bits
• IP is a fixed permutation function
Stage 2
• 16 rounds of operations (i = 1, 2, ..., 16):
$L_i = R_{i-1}$
$R_i = L_{i-1} \oplus f(R_{i-1}, k_i)$
• Function f is called the "S"-box function ("S" for substitution)
• $k_i$ is a 48-bit round key selected (by the key schedule) from the 56-bit input key
One Round Feistel Cipher
(Figure: one round takes $(L_{i-1}, R_{i-1})$ and the round key $k_i$ to $(L_i, R_i) = (R_{i-1},\ L_{i-1} \oplus f(R_{i-1}, k_i))$.)
Principles
• The substitution is done inside f
• The permutation is applied in each of the 16 rounds
(Figure: the 16 rounds chained from $(L_0, R_0)$ through $(L_1, R_1), (L_2, R_2), \ldots$ to $(L_{16}, R_{16})$; the last round uses $k_{16}$ and maps $(L_{15}, R_{15})$ to $(L_{16}, R_{16})$.)
Decryption
• First stage: $(L'_0, R'_0) = IP(c) = IP(IP^{-1}(R_{16}, L_{16})) = (R_{16}, L_{16})$
• Second stage (round keys used in reverse order, $k_{16}$ first):
$L'_1 = R'_0 = L_{16} = R_{15}$
$R'_1 = L'_0 \oplus f(R'_0, k_{16}) = R_{16} \oplus f(L_{16}, k_{16}) = (L_{15} \oplus f(R_{15}, k_{16})) \oplus f(R_{15}, k_{16}) = L_{15}$
Decryption
• Inverse of the DES:
$(L'_1, R'_1) = (R_{15}, L_{15})$
$(L'_2, R'_2) = (R_{14}, L_{14})$
$(L'_3, R'_3) = (R_{13}, L_{13})$
.....................
$(L'_{16}, R'_{16}) = (R_0, L_0)$
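The Feistel structure of the last few slides as an added, runnable example (not DES itself and not part of the original slides): 16-byte blocks, 16 rounds, and a round function f that is a truncated SHA-256 of $(k_i, R_{i-1})$, so f is certainly not invertible. The initial permutation IP and the DES key schedule are replaced by the identity and a hash-based schedule (assumptions of this example). Decryption is the same round applied with the round keys in reverse order, which is exactly the derivation above and is what makes the answer to problem (d) below concrete.

```python
import hashlib

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def round_function(right: bytes, subkey: bytes) -> bytes:
    """f(R, k): non-invertible by construction (a truncated hash). Its inverse is never needed."""
    return hashlib.sha256(subkey + right).digest()[:len(right)]

def subkeys(key: bytes, rounds: int) -> list:
    """Toy key schedule standing in for PC1 / shifts / PC2: k_i = SHA-256(key || i)[:8]."""
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(1, rounds + 1)]

def feistel_encrypt(block: bytes, key: bytes, rounds: int = 16) -> bytes:
    """(L_0, R_0) = halves of the block; L_i = R_{i-1}, R_i = L_{i-1} xor f(R_{i-1}, k_i);
    output is the swapped pair (R_16, L_16), as IP^{-1}(R_16, L_16) does in DES."""
    assert len(block) == 16
    L, R = block[:8], block[8:]
    for k in subkeys(key, rounds):
        L, R = R, xor(L, round_function(R, k))
    return R + L

def feistel_decrypt(block: bytes, key: bytes, rounds: int = 16) -> bytes:
    """(L'_0, R'_0) = (R_16, L_16); the same rounds with k_16, ..., k_1 give (L'_16, R'_16) = (R_0, L_0)."""
    assert len(block) == 16
    L, R = block[:8], block[8:]
    for k in reversed(subkeys(key, rounds)):
        L, R = R, xor(L, round_function(R, k))
    return R + L

if __name__ == "__main__":
    key = b"constructed-key!"                       # constructed key
    pt = b"ABCDEFGHIJKLMNOP"                        # constructed 16-byte block
    ct = feistel_encrypt(pt, key)
    print(ct.hex(), feistel_decrypt(ct, key))
```

Each round only XORs $L_{i-1}$ with f applied to the untouched half $R_{i-1}$; since that half is carried forward unchanged, the decryptor can recompute the same f value and XOR it off again, which is why the slides' derivation never has to invert f.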
Function $f(R_{i-1}, K_i)$
(Figure: $R_{i-1}$ (32 bits) → E → 48 bits; XOR with $K_i$ (48 bits); split into 8 groups of 6 bits fed to $S_1, \ldots, S_8$, each producing 4 bits; the 32 output bits go through P.)
$$f(R_{i-1}, K_i) = P\big(S\big(E(R_{i-1}) \oplus K_i\big)\big)$$
Function
• (a) $T = E(R_{i-1})$: expansion from 32 bits to 48 bits
• (b) $T' = T \oplus K_i = (B_1, \ldots, B_8)$, each $B_i$ is 6 bits
• (c) $T'' = (S_1(B_1), S_2(B_2), \ldots, S_8(B_8))$
Each $S_i$ is a 4 × 16 table with a 4-bit value at each entry
$B_i$ determines an entry in the $S_i$ table (its outer two bits select the row, its inner four bits the column)
• (d) $T''' = P(T'')$
Design of function f
• Function f makes the DES nonlinear
• The S box makes function f nonlinear
Design of f
• Strict avalanche criterion:
When input bit i is inverted, any output bit j of the S-box should change with probability 1/2
• Bit independence criterion:
Output bits j and k should change independently when any input bit i is inverted
• Both criteria depend on the design of the S-boxes, which has been studied extensively
Choice of parameters
• Block size: larger size means greater security, and less efficiency
• Key size: larger key size means greater security, and slower speed
• Number of rounds: Single round is inadequate
E table
• E is a fixed expansion that maps 32 bits to 48 bits
Each entry of E determines which bit to select from 32 bits
32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1
P table
• P is a fixed permutation of 32 bits:
16 7 20 21 29 12 28 17
1 15 23 26 5 18 31 10
2 8 24 14 32 27 3 9
19 13 30 6 22 11 4 25
Key generation
Input: 56-bit key $K = k_1 k_2 \ldots k_{56}$
Let $v_i = 1$ for i = 1, 2, 9, 16; otherwise $v_i = 2$
$T = PC1(K) = (C_0, D_0)$, 28 bits each
for i = 1 to 16 do
$C_i = LS_{v_i}(C_{i-1})$, $D_i = LS_{v_i}(D_{i-1})$ (left circular shift by $v_i$ bits)
$K_i = PC2(C_i, D_i)$ (48 bits)
PC1 and PC2
• PC1(K) is a permutation of the 56 bits of K
• PC2(C, D) selects 48 bits from the 56-bit input through a table
Electronic Codebook Mode
• ECB: plaintext blocks $P_1, P_2, \ldots, P_N$ (64 bits each) are encrypted independently into $C_1, C_2, \ldots, C_N$: $C_j = E_K[P_j]$
• Identical plaintext blocks give identical ciphertext blocks, and an attacker may substitute or reorder blocks without detection
Cipher Block Chaining Mode
• Encryption: $C_j = E_K[C_{j-1} \oplus P_j]$
(Figure: each plaintext block $P_j$ is XORed with the previous ciphertext block (the IV for the first block) and then encrypted under K, producing $C_1, C_2, \ldots, C_N$.)
IV
• The IV must be known to both sides, unpredictable to an attacker, and protected against modification (flipping a bit of the IV flips the same bit of $P_1$); it must never be reused with the same key
• It is used for encrypting the first block:
$C_1 = E_K(IV \oplus P_1)$
$P_1 = IV \oplus D_K(C_1)$
Decryption
• Decryption of CBC:
$D_K[C_j] = D_K[E_K(C_{j-1} \oplus P_j)] = C_{j-1} \oplus P_j$
$C_{j-1} \oplus D_K[C_j] = C_{j-1} \oplus C_{j-1} \oplus P_j = P_j$
CBC Decryption
(Figure: each ciphertext block $C_j$ is decrypted under K and XORed with $C_{j-1}$ (the IV for j = 1) to give $P_j$.)
Cipher Feedback Mode
• CFB (s-bit units; $S_s$ = the leftmost s bits of its argument):
$C_1 = P_1 \oplus S_s(E_K(IV))$
$P_1 = C_1 \oplus S_s(E_K(IV))$
For j > 1 the 64-bit shift register is shifted left by s bits and $C_{j-1}$ is shifted into its rightmost s bits; $C_j = P_j \oplus S_s(E_K(\text{register}))$
CFB
(Figure: encryption chain: the shift register, initialised with the IV, is encrypted under K; the leftmost s bits of the output are XORed with the s-bit unit $P_j$ to give $C_j$, which is fed back into the register for the next unit.)
CFB Decryption
(Figure: the same chain using the encryption function under K (not decryption); the leftmost s bits of its output are XORed with $C_j$ to recover $P_j$, and $C_j$ is fed back into the register.)
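The three modes of the last slides (ECB, CBC with its IV, and s-bit CFB) implemented over a deliberately tiny block cipher, as an added example that is not part of the original slides. The block cipher is a keyed random permutation of all 256 one-byte blocks, i.e. the explicit codebook of the "Block Cipher" slide, not DES (an assumption of this example; the mode logic is independent of the cipher). The sample plaintexts and IVs are constructed. The test at the end shows the two properties practitioners care about: ECB leaks repeated blocks, and in CBC flipping a bit of $C_{j-1}$ flips the same bit of $P_j$ while garbling $P_{j-1}$.

```python
import random

def make_codebook(seed: int):
    """Toy block cipher on 1-byte blocks: a keyed random permutation of the 256 blocks,
    stored as the full encryption/decryption tables (n * 2^n = 8 * 256 bits of 'key')."""
    rng = random.Random(seed)
    enc = list(range(256))
    rng.shuffle(enc)
    dec = [0] * 256
    for x, y in enumerate(enc):
        dec[y] = x
    return enc, dec

def ecb_encrypt(pt: bytes, cb) -> bytes:
    return bytes(cb[0][p] for p in pt)                 # C_j = E_K[P_j]

def ecb_decrypt(ct: bytes, cb) -> bytes:
    return bytes(cb[1][c] for c in ct)

def cbc_encrypt(pt: bytes, cb, iv: int) -> bytes:
    out, prev = [], iv
    for p in pt:
        c = cb[0][p ^ prev]                            # C_j = E_K[C_{j-1} xor P_j], C_0 = IV
        out.append(c)
        prev = c
    return bytes(out)

def cbc_decrypt(ct: bytes, cb, iv: int) -> bytes:
    out, prev = [], iv
    for c in ct:
        out.append(cb[1][c] ^ prev)                    # P_j = D_K[C_j] xor C_{j-1}
        prev = c
    return bytes(out)

def _units(data: bytes, s: int) -> list:
    bits = "".join(format(b, "08b") for b in data)
    return [int(bits[i:i + s], 2) for i in range(0, len(bits), s)]

def _bytes(units: list, s: int) -> bytes:
    bits = "".join(format(u, "0{}b".format(s)) for u in units)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))

def _cfb(units: list, cb, iv: int, s: int, decrypt: bool) -> list:
    """s-bit CFB on the 8-bit toy block: keystream = leftmost s bits of E_K(register);
    the register is shifted left by s and the *ciphertext* unit is shifted in. Both
    directions use the encryption function of the block cipher."""
    assert 8 % s == 0
    reg, out = iv, []
    for u in units:
        ks = cb[0][reg] >> (8 - s)
        v = u ^ ks
        out.append(v)
        reg = ((reg << s) | (u if decrypt else v)) & 0xFF
    return out

def cfb_encrypt(pt: bytes, cb, iv: int, s: int = 4) -> bytes:
    return _bytes(_cfb(_units(pt, s), cb, iv, s, False), s)

def cfb_decrypt(ct: bytes, cb, iv: int, s: int = 4) -> bytes:
    return _bytes(_cfb(_units(ct, s), cb, iv, s, True), s)

if __name__ == "__main__":
    cb = make_codebook(2016)                           # seed stands in for the key
    pt = bytes([0x41] * 4) + bytes([0x42, 0x43])       # constructed: four repeated blocks, then two others
    print("ECB", ecb_encrypt(pt, cb).hex())            # first four bytes identical
    ct = cbc_encrypt(pt, cb, iv=0x5A)
    print("CBC", ct.hex(), cbc_decrypt(ct, cb, 0x5A))
    tampered = bytearray(ct); tampered[0] ^= 0x01
    print("CBC after flipping one bit of C_1:", cbc_decrypt(bytes(tampered), cb, 0x5A))
    print("CFB", cfb_encrypt(pt, cb, 0x5A).hex(), cfb_decrypt(cfb_encrypt(pt, cb, 0x5A), cb, 0x5A))
```

The bit-flip behaviour is why CBC (and CFB) on their own give no integrity: the slides' "may be possible to substitute message" remark applies to chained modes too, and in practice a MAC or an authenticated mode is layered on top.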
Problems
a) Which parts of DES use the permutation method?
b) Which parts of DES use the substitution method?
c) Explain why DES is invertible (verify that each round is easy to invert).
d) Does DES require that the function f be invertible? Why?
(note: a function f is not invertible if $f(x) = f(y)$ for some $x \ne y$)
Problem 1
Key: d e c e d e c e; Plaintext: B E E F; Ciphertext: E C A D
Explanation for the first ciphertext letter
• The key "d" determines the row "d"
• The plaintext "b" determines the column "b"
• The cipher letter is at the intersection of row "d" and column "b", which is "E"
Symmetric Encryption
• The key for the decryption is the same as the key for encryption.
• Examples: DES, AES
Asymmetric Techniques
• The key for encryption is different from the key for decryption
• Example: RSA
Divisor
• Divisor: For two integers b and c, if b=c*z for some integer z, c is a divisor of b.
• c|b to denote that c is a divisor of b.
• Examples: 4|16, 2|10, 3|27
Modular
• Given a positive integer n and any integer a, there are integers q and r such that:
$a = qn + r$, $0 \le r < n$, $q = \lfloor a / n \rfloor$
• r is the residue (remainder) of a when divided by n: $r = a \bmod n$
• $\lfloor x \rfloor$ is the largest integer at most x, e.g. $\lfloor 3.8 \rfloor = 3$
Mod n
• Given integers x and n > 1, x (mod n) is the remainder of x divided by n.
• Example: 7 (mod 4) = 3, 10 (mod 3) = 1
• Define $x \equiv y \pmod n$ if x (mod n) = y (mod n)
• $x \equiv y \pmod n$ iff $x - y = n z$ for some integer z
Mod n
• Assume $x \equiv y \pmod n$ and $u \equiv v \pmod n$; we have:
$x + u \equiv y + v \pmod n$
$x \cdot u \equiv y \cdot v \pmod n$
System Zn
• The set Zn={0,1,2,…,n-1}. It has two operations + and *
• For a,b in Zn, a+b is (a+b)(mod n), and a*b is (ab)(mod n)
• Z5={0,1,2,3,4}
2+3=0 (mod 5) 2*4=3 (mod 5) 4*4 =1 (mod 5)
Properties of Modular Arithmetic
• Commutative: $(w + x) \bmod n = (x + w) \bmod n$, $(w \cdot x) \bmod n = (x \cdot w) \bmod n$
• Associative: $((w + x) + y) \bmod n = (w + (x + y)) \bmod n$, $((w \cdot x) \cdot y) \bmod n = (w \cdot (x \cdot y)) \bmod n$
• Distributive: $(w \cdot (x + y)) \bmod n = ((w \cdot x) + (w \cdot y)) \bmod n$
• Identities: $(0 + w) \bmod n = w \bmod n$, $(1 \cdot w) \bmod n = w \bmod n$
• Additive inverse (−w): for each w there is a z with $(w + z) \bmod n = 0 \bmod n$
$Z_n$
• Commutative: $(w + x) \bmod n = (x + w) \bmod n$
• Associative: $((w + x) + y) \bmod n = (w + (x + y)) \bmod n$
• Identity: $(0 + w) \bmod n = w \bmod n$
• Additive inverse (−w): $(w + (-w)) \bmod n = 0 \bmod n$
$(Z_n, +)$ is an abelian group
Properties of Modular Arithmetic (multiplication)
• Commutative: $(w \cdot x) \bmod n = (x \cdot w) \bmod n$
• Associative: $((w \cdot x) \cdot y) \bmod n = (w \cdot (x \cdot y)) \bmod n$
• Distributive: $(w \cdot (x + y)) \bmod n = ((w \cdot x) + (w \cdot y)) \bmod n$
• Identity: $(1 \cdot w) \bmod n = w \bmod n$
Greatest common divisor
• Divisor: For two integers b and c, if b=c*z for some integer z, c is a divisor of b.
• Greatest common divisor: Given two integers a and b, gcd(a,b) is the greatest positive integer c such that c is the divisor for both a and b.
• Examples: gcd(10,4)=2, gcd(16,100)=4
• Problem: How to find gcd(a,b)?
Modular
• Assume a and b are two positive integers: $a = qb + r$, $0 \le r < b$, $q = \lfloor a / b \rfloor$
• $\gcd(a, b) = \gcd(b, r)$
• This is a recursive equation since the second argument decreases at every step
Example
• gcd(1970,1066)=• gcd(1066,904)=• gcd(904,162)=• gcd(162,94)=• gcd(94,68)=• gcd(68,26)=• gcd(26,16)=• gcd(16,10)=• gcd(10,6)=• gcd(6,4)=• gcd(4,2)=2 0224
2416
46110
610116
1016126
1626268
2668194
68941162
941625904
16290411066
904106611970
Euclid algorithm
• Assume $a_1$ and $a_2$ are two positive integers
$a_1 = q_1 a_2 + a_3$, $0 \le a_3 < a_2$
$a_2 = q_2 a_3 + a_4$, $0 \le a_4 < a_3$
$a_3 = q_3 a_4 + a_5$, $0 \le a_5 < a_4$
.......
$a_{m-2} = q_{m-2} a_{m-1} + a_m$, $0 \le a_m < a_{m-1}$
$a_{m-1} = q_{m-1} a_m$ (so $a_m = \gcd(a_1, a_2)$)
Observation
Each $a_i$ can be expressed as $a_i = u_i a_1 + v_i a_2$ for some integers $u_i, v_i$
Proof: It is true for i = 1, 2 ($u_1 = 1, v_1 = 0$; $u_2 = 0, v_2 = 1$). Assume it is true for all indices less than i.
Since $a_i = a_{i-2} - q_{i-2} a_{i-1}$ and, by the inductive assumption,
$a_{i-2} = u_{i-2} a_1 + v_{i-2} a_2$ and $a_{i-1} = u_{i-1} a_1 + v_{i-1} a_2$,
we have
$a_i = (u_{i-2} a_1 + v_{i-2} a_2) - q_{i-2}(u_{i-1} a_1 + v_{i-1} a_2) = (u_{i-2} - q_{i-2} u_{i-1}) a_1 + (v_{i-2} - q_{i-2} v_{i-1}) a_2$
Theorem
For two positive integers a and b with $c = \gcd(a, b)$, there are two integers p and q such that $p \cdot a + q \cdot b = c$
Speed of Euclid algorithm
• Assume $a_1$ and $a_2$ are two positive integers
$a_1 = q_1 a_2 + a_3$, $0 \le a_3 < a_2$, $\gcd(a_1, a_2) = \gcd(a_2, a_3)$
$a_2 = q_2 a_3 + a_4$, $0 \le a_4 < a_3$, $\gcd(a_2, a_3) = \gcd(a_3, a_4)$
• If $a_3 \le a_2 / 2$ the remainder has already halved; otherwise $a_2 < 2 a_3$, so $q_2 = 1$ and $a_4 = a_2 - a_3 < a_2 / 2$
• In other words, $a_4 < a_2 / 2$: every two steps the remainder at least halves, so the algorithm takes $O(\log a_2)$ division steps
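The Euclid algorithm, the coefficient-tracking observation and the theorem above, as an added example that is not part of the original slides. `euclid_trace` reproduces the division steps of the gcd(1970, 1066) example; `extended_gcd` carries the $u_i, v_i$ of the observation along and returns the p, q of the theorem; `mod_inverse` is the use that matters later for RSA (finding d with $ed \equiv 1 \pmod{\phi(N)}$).

```python
def euclid_trace(a: int, b: int):
    """gcd(a, b) by repeated division a = q*b + r; returns the gcd and the (a, q, b, r) steps."""
    steps = []
    while b:
        q, r = divmod(a, b)
        steps.append((a, q, b, r))
        a, b = b, r
    return a, steps

def extended_gcd(a: int, b: int):
    """Returns (g, p, q) with p*a + q*b = g = gcd(a, b).
    Each remainder r is kept as u*a + v*b and updated with the same quotient as r,
    which is the induction step of the Observation slide."""
    old_r, r = a, b
    old_u, u = 1, 0
    old_v, v = 0, 1
    while r:
        quot = old_r // r
        old_r, r = r, old_r - quot * r
        old_u, u = u, old_u - quot * u
        old_v, v = v, old_v - quot * v
    return old_r, old_u, old_v

def mod_inverse(a: int, n: int) -> int:
    """x with a*x = 1 (mod n), from p*a + q*n = 1; exists iff gcd(a, n) = 1."""
    g, p, _ = extended_gcd(a, n)
    if g != 1:
        raise ValueError("%d has no inverse mod %d (gcd = %d)" % (a, n, g))
    return p % n

if __name__ == "__main__":
    g, steps = euclid_trace(1970, 1066)
    for a, q, b, r in steps:
        print("%d = %d * %d + %d" % (a, q, b, r))
    print("gcd =", g, "steps =", len(steps))
    print(extended_gcd(1970, 1066))
    print(mod_inverse(5, 72))          # the d of the RSA example later in the notes
```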
Finite Fields
• Cryptography depends on number theory and algebra
• Number theory: factorization,…
• Algebra: finite field theory,…
• AES will be built on the finite field theory
Group
A group $(G, \cdot)$ is a set of elements G with an operation $\cdot$ such that
• Closure: If $a, b \in G$, then $a \cdot b \in G$
• Associative: For a, b, c in G, $(a \cdot b) \cdot c = a \cdot (b \cdot c)$
• Identity element: There is an e in G such that $a \cdot e = e \cdot a = a$ for all a in G
• Inverse element: For each a in G there is an $a'$ in G such that $a \cdot a' = a' \cdot a = e$
Infinite Group and Abelian Group
• Infinite group: If $(G, \cdot)$ is a group and G is an infinite set, it is called an infinite group
• Abelian group: If $(G, \cdot)$ is a group and $a \cdot b = b \cdot a$ for all elements a, b in G
Group Examples
• Let Z={…,-2,-1,0,1,2,…} be the set of all integers
(Z, +) is a group.
• Let M3={0,1,2} and a+b is defined as (a+b) (mod 3)
(M3,+) is a group of 3 elements.
Ring
A ring $(R, +, \cdot)$ is a set R with two operations such that
• $(R, +)$ is an abelian group
• Closure under multiplication: If a, b are in R, so is $a \cdot b$
• Associativity of multiplication: $(a \cdot b) \cdot c = a \cdot (b \cdot c)$
• Distributive laws: $a \cdot (b + c) = (a \cdot b) + (a \cdot c)$ and $(a + b) \cdot c = (a \cdot c) + (b \cdot c)$
Ring Examples
• Let Z={…,-2,-1,0,1,2,…} be the set of all integers
(Z, +, *) is a ring.
• Let M3={0,1,2} and a+b, a*b are defined as (a+b) (mod 3) and (ab)(mod 3) respectively
(M3,+,*) is a ring of 3 elements.
Commutative Ring
A ring $(R, +, \cdot)$ is commutative if it satisfies $a \cdot b = b \cdot a$ for all a, b in R
A ring $(R, +, \cdot)$ is an integral domain if it satisfies
1) It is commutative
2) It has an element 1 in R such that $a \cdot 1 = 1 \cdot a = a$ for all a in R
3) If a, b in R have $a \cdot b = 0$, then a = 0 or b = 0
Field
A field $(F, +, \cdot)$ satisfies
• $(F, +, \cdot)$ is an integral domain
• Multiplicative inverse: For each a in F except 0, there is another element $a^{-1}$, called the inverse of a, such that $a \cdot a^{-1} = a^{-1} \cdot a = 1$
$Z_p$
If p is a prime number, $(Z_p, +, \times)$ is a field.
Proof. For each a in {1, 2, ..., p−1},
a·1, a·2, ..., a·(p−1) are different from each other (mod p)
The list is a permutation of 1, 2, ..., p−1
So, there is an a·b in the list with a·b ≡ 1 (mod p)
The element b is the inverse of a.
$Z_p$
• Assume $ax \equiv ay \pmod p$, where a, x, y are in {1, 2, ..., p−1}
We have $p \mid (ax - ay)$, i.e. $p \mid a(x - y)$
Since p is a prime, we have $p \mid a$ or $p \mid (x - y)$
It is impossible that $p \mid a$
We have $p \mid (x - y)$
So, $x \equiv y \pmod p$
Zn
• (Z3,+, x) is a field
• (Z4,+,x) is not a field
Problems
• Z5=({0,1,2,3,4},+, *). The + and * operations are under mod 5. Find the inverse for each element if it exists.
• Z6=({0,1,2,3,4,5},+, *). The + and * operations are under mod 6. Find the inverse for each element if it exists.
• Is Z5 or Z6 a field?
Symmetric Encryption
• The key for the decryption is the same as the key for encryption.
• Examples: DES, AES
Asymmetric Techniques
• The key for encryption is different from the key for decryption
• Example: RSA
Number Theory
• A number p > 1 is a prime if it cannot be expressed as p = st such that both s and t are integers > 1
Primes: 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, ...
• Theorem: Each positive integer n can be uniquely factorized into a product of primes:
$n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$, with $p_1 < p_2 < \cdots < p_k$ primes and $e_1, e_2, \ldots, e_k > 0$
Lemma
If gcd(a, n)=1 and gcd(a,m)=1, then gcd(a,mn)=1
Proof
• Since gcd(a,m)=1, there are integers u and v such that au+mv=1
• Similarly, ax+ny=1 for some integers x and y
• (au+mv)(ax+ny)=auax+auny+mvax+mvny=1
• a(uax+uny+mvx)+(mn)(vy)=1
• So, gcd(a,mn)=1
Observations
• For two different primes p and q, $\gcd(p, q) = 1$ and $\gcd(p, q^m) = 1$
• If the prime p is different from each of the primes $q_1, q_2, \ldots, q_k$ (it is possible that $q_i = q_j$ for different i and j), then $\gcd(p, q_1 q_2 \cdots q_k) = 1$
Unique factorization
Every positive integer n has a unique factorization
Proof: Assume $n = p^e x$ and $n = p^f y$, where $0 \le e < f$ and the x and y parts have no factor p
Therefore, gcd(p, x) = 1
Since e < f, we have $x = p^{f - e} y$
It contradicts that gcd(p, x) = 1
Fermat Theorem
If p is a prime and a is a positive integer with gcd(p, a) = 1, then $a^{p-1} \equiv 1 \pmod p$
Proof
Consider the lists: 1, 2, 3, ..., p−1, and
a·1, a·2, a·3, ..., a·(p−1)
For a·u and a·v in the second list, if a·u ≡ a·v (mod p),
then a·(u − v) ≡ 0 (mod p).
It implies that u − v ≡ 0 (mod p). So, u = v.
The elements in the second list are all different (mod p).
So, 1·2·3·…·(p−1) ≡ (a·1)·(a·2)·(a·3)·…·(a·(p−1)) (mod p)
Proof
We have $a^{p-1} (p-1)! \equiv (p-1)! \pmod p$
$(a^{p-1} - 1)(p-1)! \equiv 0 \pmod p$
$\gcd(p, (p-1)!) = 1$
$a^{p-1} - 1 \equiv 0 \pmod p$
$a^{p-1} \equiv 1 \pmod p$
Euler Function
For a positive integer n, $Z_n^*$ is the set of all positive integers m < n with gcd(m, n) = 1
Define $\phi(n)$ to be the number of elements in $Z_n^*$
Example: $Z_{10}^* = \{1, 3, 7, 9\}$, so $\phi(10) = 4$
For every prime number p, $\phi(p) = p - 1$
Theorem
If m and n are positive integers with gcd(m, n) = 1, then $\phi(mn) = \phi(m)\phi(n)$
Proof
The table below contains all elements 0, 1, 2, ..., mn−1, arranged in n rows of m:
0 1 ... m−1
m m+1 ... 2m−1
... ... ... ...
(n−1)m (n−1)m+1 ... nm−1
Each column has $\phi(n)$ elements k with gcd(k, n) = 1 (the entries of column j, namely $j, m + j, \ldots, (n-1)m + j$, run through all residues mod n because gcd(m, n) = 1).
Proof
• For two elements a, b in the same column, gcd(m, a) = gcd(m, b).
• There are $\phi(m)$ columns with gcd(m, a) = 1, where a is an element in the column.
• So the number of k in 0, ..., mn−1 with gcd(k, mn) = 1 is $\phi(m)\phi(n)$.
A special case
• Let p and q be two different prime numbers
• $\phi(p) = p - 1$ and $\phi(q) = q - 1$
• We have $\phi(pq) = \phi(p)\phi(q) = (p - 1)(q - 1)$
Euler Theorem
If a and n are positive integers with gcd(a, n) = 1, then $a^{\phi(n)} \equiv 1 \pmod n$
Foundation for RSA public key encryption
Proof
Let $a_1, a_2, \ldots, a_{\phi(n)}$ be the elements in $Z_n^*$
Claim: $a a_1, a a_2, \ldots, a a_{\phi(n)} \pmod n$ is a permutation of $a_1, a_2, \ldots, a_{\phi(n)}$
Proof
If $a a_i \equiv a a_j \pmod n$
Then $a a_i - a a_j \equiv 0 \pmod n$, i.e. $a(a_i - a_j) \equiv 0 \pmod n$
Since gcd(a, n) = 1, there are integers b, c with $a b + n c = 1$, so $a b \equiv 1 \pmod n$
Proof
From $a(a_i - a_j) \equiv 0 \pmod n$
We have $b a (a_i - a_j) \equiv 0 \pmod n$
So, $a_i - a_j \equiv 0 \pmod n$, i.e. $a_i \equiv a_j \pmod n$
We have proven the claim (each $a a_i$ is again coprime to n, and distinct $a_i$ give distinct $a a_i$).
Proof
By the Claim that $a a_1, a a_2, \ldots, a a_{\phi(n)} \pmod n$ is a permutation of $a_1, a_2, \ldots, a_{\phi(n)}$
We have $a_1 a_2 \cdots a_{\phi(n)} \equiv (a a_1)(a a_2) \cdots (a a_{\phi(n)}) \pmod n$
$\equiv a^{\phi(n)} (a_1 a_2 \cdots a_{\phi(n)}) \pmod n$
Proof
Since $\gcd(a_1, n) = 1, \gcd(a_2, n) = 1, \ldots, \gcd(a_{\phi(n)}, n) = 1$
We have $\gcd(a_1 a_2 \cdots a_{\phi(n)}, n) = 1$
There are integers b and c with $(a_1 a_2 \cdots a_{\phi(n)}) b + n c = 1$, i.e. $(a_1 a_2 \cdots a_{\phi(n)}) b \equiv 1 \pmod n$
Proof
By $a_1 a_2 \cdots a_{\phi(n)} \equiv a^{\phi(n)} (a_1 a_2 \cdots a_{\phi(n)}) \pmod n$
and $(a_1 a_2 \cdots a_{\phi(n)}) b \equiv 1 \pmod n$
We have $(a_1 a_2 \cdots a_{\phi(n)}) b \equiv a^{\phi(n)} (a_1 a_2 \cdots a_{\phi(n)}) b \pmod n$
$a^{\phi(n)} \equiv 1 \pmod n$
A special case
• Let p and q be two different prime numbers, and n = pq.
• Since $\phi(pq) = \phi(p)\phi(q) = (p - 1)(q - 1)$
• Let a be a number with gcd(a, n) = 1; then $a^{\phi(n)} = a^{(p-1)(q-1)} \equiv 1 \pmod n$
Problems
1. Compute $3^{80} \pmod 7$
2. Write all elements in $Z_{33}^*$
3. Compute $\phi(13)$ and $\phi(26)$
Public key
• A revolution in cryptography.
• Previous methods are mainly based on permutation and substitution
• Public key cryptography is based on mathematical functions
Public Key
• Encryption: $Y = E_{\text{publicKey}}(X)$
• Decryption: $X = D_{\text{privateKey}}(Y)$
RSA Key Setup
• Choose two random big prime numbers p and q
• Compute N = pq
• Compute $\phi(N) = (p - 1)(q - 1)$
• Choose a random $e < \phi(N)$ such that $\gcd(e, \phi(N)) = 1$
• Compute the integer d such that $e d \equiv 1 \pmod{\phi(N)}$
• Publicize (N, e) as the public key
• Keep d as the private key and destroy p, q and $\phi(N)$
RSA Encryption
• Let m < N be a confidential message
• Ciphertext is made by $c = m^e \pmod N$
RSA Decryption
• Plaintext is obtained by $m = c^d \pmod N$
RSA Principle
Since $e d \equiv 1 \pmod{\phi(N)}$, we have $e d = 1 + k\phi(N)$ for some integer k, so
$c^d = m^{ed} = m^{1 + k\phi(N)} = m \cdot (m^{\phi(N)})^k \pmod N$
If $\gcd(m, N) = 1$, then $m^{\phi(N)} \equiv 1 \pmod N$ and $(m^{\phi(N)})^k \equiv 1 \pmod N$,
so $c^d \equiv m \cdot 1 = m \pmod N$
RSA Example
• Choose two primes p = 7 and q = 13. N = 7 × 13 = 91
• Compute $\phi(91) = \phi(7)\phi(13) = 6 \times 12 = 72$
• Choose e = 5
• Compute d from 72 × (−2) + 5 × 29 = 1 and get d = 29
• Public key (N, e) = (91, 5)
• Message m = 3.
• Ciphertext $c = 3^5 = 243 \equiv 61 \pmod{91}$
• Decryption $c^d = 61^{29} \equiv 3 \pmod{91}$
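The RSA key setup, encryption and decryption above, run on the slide's numbers, as an added example that is not part of the original slides. Two additions beyond the slides are worth the practitioner's attention and are demonstrated in the code: `factor_from_phi` shows why the setup insists on destroying $\phi(N)$ (with N and $\phi(N)$, p and q fall out of a quadratic), and `is_multiplicative` shows that textbook RSA as described here is malleable ($E(m_1) E(m_2) = E(m_1 m_2)$), which is why deployed RSA wraps the message in a padding scheme such as OAEP before exponentiation.

```python
from math import gcd, isqrt

def rsa_keygen(p: int, q: int, e: int):
    """Textbook RSA key setup from two primes and a public exponent with gcd(e, phi(N)) = 1."""
    N = p * q
    phi_N = (p - 1) * (q - 1)
    if gcd(e, phi_N) != 1:
        raise ValueError("e must be coprime to phi(N)")
    d = pow(e, -1, phi_N)                 # e*d = 1 (mod phi(N))   (Python >= 3.8)
    return (N, e), d                      # public key, private exponent; p, q, phi_N are then dropped

def rsa_encrypt(m: int, pub) -> int:
    N, e = pub
    if not 0 <= m < N:
        raise ValueError("message must satisfy 0 <= m < N")
    return pow(m, e, N)                   # c = m^e mod N

def rsa_decrypt(c: int, d: int, N: int) -> int:
    return pow(c, d, N)                   # m = c^d mod N

def factor_from_phi(N: int, phi_N: int):
    """Why phi(N) must be destroyed: p + q = N + 1 - phi(N) and p*q = N, so p and q are the
    roots of x^2 - (p+q)x + N, recovered with one integer square root."""
    s = N + 1 - phi_N
    disc = s * s - 4 * N
    r = isqrt(disc)
    if r * r != disc:
        return None
    return (s - r) // 2, (s + r) // 2

def is_multiplicative(m1: int, m2: int, pub) -> bool:
    """Malleability of unpadded RSA: E(m1) * E(m2) = E(m1 * m2) mod N."""
    N, _ = pub
    return (rsa_encrypt(m1, pub) * rsa_encrypt(m2, pub)) % N == rsa_encrypt((m1 * m2) % N, pub)

if __name__ == "__main__":
    pub, d = rsa_keygen(7, 13, 5)                      # the slide's example
    c = rsa_encrypt(3, pub)
    print(pub, d, c, rsa_decrypt(c, d, pub[0]))
    print(factor_from_phi(91, 72))                     # (7, 13): leaking phi(N) leaks the private key
    print(is_multiplicative(3, 2, pub))
```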
Problems in RSA
• How to obtain two large prime numbers p and q?
• How to choose e and d with $e d \equiv 1 \pmod{\phi(N)}$?
• How to compute $m^e \pmod N$ and $c^d \pmod N$ for large e and d?
Compute $a^n$
Let a and n be two positive integers
Use the recursive equation:
• If n is even: $a^n = (a^{n/2})^2$
• If n = 2k + 1 is odd: $a^n = a \cdot (a^k)^2$
• Let T(n) be the number of multiplications: $T(n) \le T(\lfloor n/2 \rfloor) + 2$, so $T(n) \le 2 \log_2 n$
Example
• Compute $a^{29}$; let f(n) be the number of multiplications used for $a^n$
• $a^{29} = a \cdot (a^{14})^2$: f(29) = f(14) + 2
• $a^{14} = (a^7)^2$: f(14) = f(7) + 1
• $a^7 = a \cdot (a^3)^2$: f(7) = f(3) + 2
• $a^3 = a \cdot (a^1)^2$: f(3) = f(1) + 2, with f(1) = 0
• The total number of multiplications is 2 + 1 + 2 + 2 = 7
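The recursive square-and-multiply rule above, with the multiplication count T(n) tracked alongside the result, as an added example that is not part of the original slides. All arithmetic is done modulo a modulus so that, as in RSA, the intermediate values never grow beyond the modulus. The inputs are constructed; the count for n = 29 reproduces the slide's 7.

```python
def modpow_count(a: int, n: int, mod: int):
    """Returns (a^n mod mod, number of modular multiplications), following the slide:
    a^n = (a^(n/2))^2 for even n (one squaring), a * (a^k)^2 for n = 2k+1 (one squaring
    plus one multiplication). T(n) <= T(n//2) + 2 <= 2 log2 n."""
    if n == 0:
        return 1 % mod, 0
    if n == 1:
        return a % mod, 0
    half, count = modpow_count(a, n // 2, mod)
    result = (half * half) % mod                # one squaring
    count += 1
    if n % 2 == 1:
        result = (result * a) % mod             # odd case: one more multiplication by a
        count += 1
    return result, count

def bound(n: int) -> int:
    """The slide's bound 2*log2(n), as an integer ceiling, for comparison with the count."""
    return 2 * (n.bit_length())

if __name__ == "__main__":
    print(modpow_count(5, 29, 91), pow(5, 29, 91))       # constructed base and modulus
    print(modpow_count(61, 29, 91))                      # the RSA decryption 61^29 mod 91 of the example
    print(modpow_count(2, 1024, 1000003))                # all-even exponent: one squaring per halving
```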
Testing Primality
Design an algorithm for testing if a number is prime
Input n > 0
For (i = 2; i ≤ √n; i = i + 1) {
if n ≡ 0 (mod i) return no
}
return yes.
Total number of steps is $O(\sqrt{n})$
Testing Primality
Use Fermat Theorem:
If p is a prime and a is a positive integer with gcd(p, a) = 1, then $a^{p-1} \equiv 1 \pmod p$
It is necessary, but not sufficient. In other words, there exist composite numbers that also have this property (e.g. 561 = 3 · 11 · 17 satisfies it for every a coprime to 561)
Testing Primality
If p is an odd prime and a is a positive integer with gcd(p, a) = 1, then $a^{p-1} \equiv 1 \pmod p$
Furthermore, $p \mid a^{p-1} - 1 = (a^{(p-1)/2} - 1)(a^{(p-1)/2} + 1)$
So, $p \mid a^{(p-1)/2} - 1$ or $p \mid a^{(p-1)/2} + 1$
So, $a^{(p-1)/2} \equiv \pm 1 \pmod p$
Testing Primality
If p is not a prime, then for most 0 < a < p it does not satisfy both $a^{p-1} \equiv 1 \pmod p$ and $a^{(p-1)/2} \equiv \pm 1 \pmod p$. (This is not true for every composite: 1729 = 7 · 13 · 19 satisfies both for every a coprime to it, which is why the refined test on the following slides is used in practice.)
Algorithm
Input integer p > 0
randomly select an integer $a \in (0, p)$
if ($\gcd(a, p) \ne 1$ or $a^{(p-1)/2} \not\equiv \pm 1 \pmod p$)
return (definitely) "composite"
else
return "prime"
Error probability
If the input integer p is a prime number
The algorithm always outputs “Prime”
If the input integer p is a composite number
The algorithm says “prime” with probability $\le 0.5$
Amplification
Repeat the algorithm k times on the same input
If the input integer p is a prime number
The algorithm always outputs “Prime”
If the input integer p is a composite number
The algorithm says “prime” every time with probability $\le (0.5)^k$
Testing Primality
If p is a prime, a is a positive integer with gcd(p,a)=1, and $a^j \equiv 1 \pmod p$ for some even number j
Then $p \mid a^j - 1$,
so $p \mid (a^{j/2} - 1)(a^{j/2} + 1)$,
so $p \mid a^{j/2} - 1$ or $p \mid a^{j/2} + 1$,
so $a^{j/2} \equiv \pm 1 \pmod p$
Testing Primality
If p is odd, a is a positive integer with gcd(p,a)=1, and $p - 1 = 2^k q$, where q is an odd number
Consider the list: $a^q, a^{2q}, a^{2^2 q}, \ldots, a^{2^k q}$
If p is a prime number, there exists $i \le k$ with $a^{2^i q} \equiv \pm 1 \pmod p$
If p is a composite number, for a random a: 0<a<p, it has probability $\le 1/4$ that there exists i<k with $a^{2^i q} \equiv \pm 1 \pmod p$
Algorithm
Input odd integer p>0
let $p - 1 = 2^k q$ with q odd
randomly select integer $a \in (0,p)$
for (i=0 to k-1 ) do
{ if ( $a^{2^i q} \equiv \pm 1 \pmod p$ )
return “prime”
}
return “composite”
Error probability
If the input integer p is a prime number
The algorithm always outputs “Prime”
If the input integer p is a composite number
The algorithm says “prime” with probability $\le 1/4$
Amplification
Repeat the algorithm k times on the same input
If the input integer p is a prime number
The algorithm always outputs “Prime”
If the input integer p is a composite number
The algorithm says “prime” every time with probability $\le (1/4)^k$
A Free Book
A computational introduction to number theory and algebra
By Victor Shoup
>500 pages pdf file
Problem
How many times should you repeat the first primality algorithm so that it has <0.0001 chance to give a wrong answer?
Midterm
• October 14, 2010 (Thursday)
• Class time
• Closed book
Key management
• Distribution of public key
• Use of public key encryption to distribute secret key
Public announcement of public key
• Uncontrolled public-key distribution
[Figure: A broadcasts its public key $KU_a$ to every other party]
Publicly Available Directory
• Public-key publication
• KU: public key. KR: private key
[Figure: A publishes $KU_a$ and B publishes $KU_b$ in the public-key directory]
Publicly Available Directory
• Public-key publication (with a public-key authority)
(1) A → Authority: Request || Time1
(2) Authority → A: $E_{KR_{auth}}[KU_b \| Request \| Time1]$
(3) A → B: $E_{KU_b}[ID_A \| N_1]$
(4) B → Authority: Request || Time2
(5) Authority → B: $E_{KR_{auth}}[KU_a \| Request \| Time2]$
(6) B → A: $E_{KU_a}[N_1 \| N_2]$
(7) A → B: $E_{KU_b}[N_2]$
Public-Key Certificate
• Exchange of Public-key Certificates
• A sends $KU_a$ to the certificate authority and receives $C_A = E_{KR_{auth}}[Time1, ID_A, KU_a]$
• B sends $KU_b$ to the certificate authority and receives $C_B = E_{KR_{auth}}[Time2, ID_B, KU_b]$
• A and B exchange $C_A$ and $C_B$
Public-Key Certificate
Simple public-key encryption to establish a session key
(1) A → B: $KU_a \| ID_A$
(2) B → A: $E_{KU_a}[K_s]$
It is not secure against an active attack:
• A generates $\{KU_a, KR_a\}$ and sends $\{KU_a, A, ID_A\}$ to B
• E intercepts $\{KU_a, A, ID_A\}$, creates $\{KU_e, KR_e\}$ and sends $\{KU_e, A, ID_A\}$ to B
• B generates a secret key $K_s$, and sends $E_{KU_e}[K_s]$
• E intercepts $E_{KU_e}[K_s]$, learns $K_s$
• E sends $E_{KU_a}[K_s]$ to A
Secret Key distribution with authentication
• Public-key distribution of secret keys
(1) A → B: $E_{KU_b}[N_1 \| ID_A]$
(2) B → A: $E_{KU_a}[N_1 \| N_2]$
(3) A → B: $E_{KU_b}[N_2]$
(4) A → B: $E_{KU_b}[E_{KR_a}[K_s]]$
Secret Key distribution with authentication
• Assume A and B know each other's public keys
• Public-key distribution of secret keys
(1) A → B: $E_{KU_b}[N_1 \| ID_A]$
(2) B → A: $E_{KU_a}[N_1 \| N_2]$
(3) A → B: $E_{KU_b}[E_{KR_a}[N_2 \| K_s]]$
Secret Key distribution with authentication
• Assume A and B know each other's public keys
• Public-key distribution of secret keys
(1) A → B: $E_{KU_b}[N_1 \| ID_A]$
(2) B → A: $E_{KU_a}[N_1 \| N_2]$
(3) A → B: $E_{KU_b}[N_2]$
(4) A → B: $E_{KU_b}[E_{KR_a}[K_s]]$
Diffie-Hellman Key Exchange
• Enable two users to exchange a key securely
• Published in 1976
• Commercial products available
Global Public Elements
• Prime number q
• Primitive root $\alpha$ of q ($\alpha, \alpha^2, \alpha^3, \ldots, \alpha^{q-1} \pmod q$ is a permutation of 1,2,3,…,q-1)
User A Key Generation
• Select private $X_A < q$
• Compute public $Y_A = \alpha^{X_A} \bmod q$
User B Key Generation
• Select private $X_B < q$
• Compute public $Y_B = \alpha^{X_B} \bmod q$
Generation of Secret Key by A
User A computes $K = (Y_B)^{X_A} \bmod q$
User A Key Generation
• A: $K = (Y_B)^{X_A} \bmod q = (\alpha^{X_B} \bmod q)^{X_A} \bmod q = (\alpha^{X_B})^{X_A} \bmod q = \alpha^{X_B X_A} \bmod q$
Generation of Secret Key by B
User B computes $K = (Y_A)^{X_B} \bmod q$
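The modular exponentiation behind the RSA example above (p=7, q=13, e=5, d=29, m=3) and the Diffie-Hellman exchange just described, as an added C example that is not part of the course slides. count_mults() follows the slides' recursion and reproduces the multiplication counts given for $3^{29}$ (7) and $5^{596}$ (12); dh_shared_key() uses the values from Problem 7 later in the deck (q=7, α=3, $X_A$=2, $X_B$=4); all function names are this example's own, and products are held in 64-bit integers so squaring cannot overflow for moduli below $2^{32}$.

```c
/* Added example: square-and-multiply exponentiation with a multiplication
 * counter, applied to the slides' RSA example and Diffie-Hellman exchange. */
#include <stdio.h>
#include <stdint.h>

/* a^n mod m by the slides' recursion: even n -> (a^{n/2})^2, odd n -> a*(a^{n/2})^2.
 * *mults counts the multiplications performed (n == 1 needs none). */
static uint64_t modpow_count(uint64_t a, uint64_t n, uint64_t m, int *mults)
{
    uint64_t half, sq;
    if (n == 0) return 1 % m;
    if (n == 1) return a % m;
    half = modpow_count(a, n / 2, m, mults);
    sq = (half * half) % m;            /* one multiplication (64-bit, no overflow for m < 2^32) */
    (*mults)++;
    if (n % 2 == 0) return sq;
    (*mults)++;                        /* the extra multiplication by a for odd n */
    return (sq * (a % m)) % m;
}

/* T(n): number of multiplications the recursion uses for a^n (independent of a and m). */
int count_mults(uint64_t n)
{
    int mults = 0;
    modpow_count(2, n, 1000003ULL, &mults);   /* base and modulus do not affect the count */
    return mults;
}

uint64_t modpow(uint64_t a, uint64_t n, uint64_t m)
{
    int unused = 0;
    return modpow_count(a, n, m, &unused);
}

/* RSA: c = m^e mod N and m = c^d mod N, with (N, e) public and d private. */
uint64_t rsa_encrypt(uint64_t m, uint64_t e, uint64_t N) { return modpow(m, e, N); }
uint64_t rsa_decrypt(uint64_t c, uint64_t d, uint64_t N) { return modpow(c, d, N); }

/* Diffie-Hellman: A and B derive alpha^{X_A X_B} mod q from each other's public
 * values. Returns the shared key, or UINT64_MAX if the two sides disagree. */
uint64_t dh_shared_key(uint64_t q, uint64_t alpha, uint64_t xa, uint64_t xb)
{
    uint64_t ya = modpow(alpha, xa, q);   /* A publishes Y_A */
    uint64_t yb = modpow(alpha, xb, q);   /* B publishes Y_B */
    uint64_t ka = modpow(yb, xa, q);      /* A computes (Y_B)^{X_A} */
    uint64_t kb = modpow(ya, xb, q);      /* B computes (Y_A)^{X_B} */
    return ka == kb ? ka : UINT64_MAX;
}

int main(void)
{
    printf("3^29 needs %d multiplications\n", count_mults(29));      /* 7, as on the slides */
    printf("5^596 needs %d multiplications\n", count_mults(596));    /* 12 */
    printf("RSA: c = %llu\n", (unsigned long long)rsa_encrypt(3, 5, 91));    /* 61 */
    printf("RSA: m = %llu\n", (unsigned long long)rsa_decrypt(61, 29, 91));  /* 3 */
    printf("DH shared key = %llu\n", (unsigned long long)dh_shared_key(7, 3, 2, 4)); /* 2 */
    return 0;
}
```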
Midterm 2008
• 90-100: 1
• 80-89: 2
• 70-79: 4
• 50-60: 2
Problem 1
1. a) What is the plaintext attack? b) Which of the following encryption methods can be easily broken by the plaintext attack? Briefly explain your answer.
(1) Monoalphabetic Cipher (2) Hill Cipher (3) DES (4) RSA
Attacks
• Ciphertext only attack:
attacker only knows ciphertext
• Known plaintext attack:
attacker gets some plaintext patterns and their encryptions
• Chosen-plaintext attack:
attacker chooses messages to encrypt
Solution
• Monoalphbetic Cipher
• Hill Cipher
Monoalphabetic Cipher
• Plain letters to cipher letters
a b c d e f g h i j k l m n o p q r s t u v w x y z
Z E I R M F S K B H C U P Q G J T O V W X Y D A L N
• Plaintext to ciphertext
Plaintext: a t t a c k a t m i d n i g h t
Ciphertext: Z W W Z I C Z W P B R Q B S K W
Monoalphabetic Cipher
• Plain:
a b c d e f g h i j k l m n o p q r s t u v w x y z
• Cipher: a permutation of 26 letters
• Number of possible keys:
26! = 1 x 2 x 3 x 4 … x 25 x 26
Hill Cipher
• C = K P mod 26
C is a column of m cipher letters
K is an m×m matrix
P is a column of m plain letters
• K is invertible with $K K^{-1} = I$
I is an m×m matrix that has all ones on the main diagonal, and all zeros beyond the main diagonal
Encryption and Decryption
• Encryption: $C = E_K(P) = KP \bmod 26$
• Decryption: $P = D_K(C) = K^{-1} C \bmod 26 = K^{-1} K P = IP = P$
Example
• $K = \begin{pmatrix} 17 & 17 & 5 \\ 21 & 18 & 21 \\ 2 & 2 & 19 \end{pmatrix}$
• $K^{-1} = \begin{pmatrix} 4 & 9 & 15 \\ 15 & 17 & 6 \\ 24 & 0 & 17 \end{pmatrix}$
Example
$K K^{-1} = \begin{pmatrix} 443 & 442 & 442 \\ 858 & 495 & 780 \\ 494 & 52 & 365 \end{pmatrix} \bmod 26 = \begin{pmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{pmatrix}$
Hill Cipher Security
Known plaintext blocks (columns of P) and their ciphertext blocks (columns of C):
$\begin{pmatrix} c_{11} & c_{12} & c_{13} \\ c_{21} & c_{22} & c_{23} \\ c_{31} & c_{32} & c_{33} \end{pmatrix} = \begin{pmatrix} k_{11} & k_{12} & k_{13} \\ k_{21} & k_{22} & k_{23} \\ k_{31} & k_{32} & k_{33} \end{pmatrix} \begin{pmatrix} p_{11} & p_{12} & p_{13} \\ p_{21} & p_{22} & p_{23} \\ p_{31} & p_{32} & p_{33} \end{pmatrix}$
$C = KP$, so $K = C P^{-1}$
Conclusion
• Hill cipher is easy to break by plaintext attack.
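The Hill cipher arithmetic from the slides above in C, as an added example that is not part of the course material: inversion of the slides' key K modulo 26, the $K K^{-1} = I$ check, and the known-plaintext recovery $K = C P^{-1}$ that the Conclusion refers to. The three plaintext blocks in recover_demo() are constructed for this demonstration; all function names are the example's own.

```c
/* Added example: 3x3 Hill cipher arithmetic mod 26 with the slides' key K,
 * the K*K^{-1} = I check, and key recovery from three known blocks. */
#include <stdio.h>

#define MOD 26

static int mod26(int x) { return ((x % MOD) + MOD) % MOD; }

/* inverse of a mod 26 by search, or -1 when gcd(a,26) != 1 */
static int inv26(int a)
{
    int x;
    for (x = 1; x < MOD; x++) if (mod26(a * x) == 1) return x;
    return -1;
}

/* c = a * b mod 26 for 3x3 matrices */
void matmul3(int a[3][3], int b[3][3], int c[3][3])
{
    int i, j, k;
    for (i = 0; i < 3; i++)
        for (j = 0; j < 3; j++) {
            int s = 0;
            for (k = 0; k < 3; k++) s += a[i][k] * b[k][j];
            c[i][j] = mod26(s);
        }
}

/* inv = K^{-1} mod 26 via determinant and adjugate; returns 0 if det K has no
 * inverse mod 26 (then K is not a usable Hill key). */
int inverse3_mod26(int k[3][3], int inv[3][3])
{
    int det, dinv, i, j;
    det = k[0][0] * (k[1][1] * k[2][2] - k[1][2] * k[2][1])
        - k[0][1] * (k[1][0] * k[2][2] - k[1][2] * k[2][0])
        + k[0][2] * (k[1][0] * k[2][1] - k[1][1] * k[2][0]);
    dinv = inv26(mod26(det));
    if (dinv < 0) return 0;
    for (i = 0; i < 3; i++)
        for (j = 0; j < 3; j++) {
            /* inv[i][j] = det^{-1} * cofactor(j,i); cyclic indices carry the sign */
            int r1 = (j + 1) % 3, r2 = (j + 2) % 3, c1 = (i + 1) % 3, c2 = (i + 2) % 3;
            inv[i][j] = mod26(dinv * (k[r1][c1] * k[r2][c2] - k[r1][c2] * k[r2][c1]));
        }
    return 1;
}

/* Known-plaintext recovery: columns of p are three plaintext blocks, columns of c
 * their ciphertexts; K = C P^{-1} mod 26. Returns 0 if P is singular mod 26. */
int hill_recover_key(int p[3][3], int c[3][3], int k[3][3])
{
    int pinv[3][3];
    if (!inverse3_mod26(p, pinv)) return 0;
    matmul3(c, pinv, k);
    return 1;
}

static int same3(int a[3][3], int b[3][3])
{
    int i, j;
    for (i = 0; i < 3; i++) for (j = 0; j < 3; j++) if (a[i][j] != b[i][j]) return 0;
    return 1;
}

/* 1 if the computed inverse of the slides' K equals the slides' K^{-1} and K*K^{-1} = I */
int slides_inverse_matches(void)
{
    int K[3][3] = {{17, 17, 5}, {21, 18, 21}, {2, 2, 19}};
    int Kinv_slides[3][3] = {{4, 9, 15}, {15, 17, 6}, {24, 0, 17}};
    int I[3][3] = {{1, 0, 0}, {0, 1, 0}, {0, 0, 1}};
    int inv[3][3], prod[3][3];
    if (!inverse3_mod26(K, inv)) return 0;
    matmul3(K, inv, prod);
    return same3(inv, Kinv_slides) && same3(prod, I);
}

/* Encrypt three constructed plaintext blocks with K, then recover K from the
 * plaintext/ciphertext pairs alone. Returns 1 on success. */
int recover_demo(void)
{
    int K[3][3] = {{17, 17, 5}, {21, 18, 21}, {2, 2, 19}};
    int P[3][3] = {{2, 1, 0}, {0, 1, 3}, {1, 0, 1}};  /* constructed blocks; det 5 is invertible mod 26 */
    int C[3][3], K2[3][3];
    matmul3(K, P, C);                                /* C = K P: the observed ciphertext blocks */
    return hill_recover_key(P, C, K2) && same3(K2, K);
}

int main(void)
{
    printf("inverse matches slides: %d\n", slides_inverse_matches());    /* 1 */
    printf("key recovered from 3 known blocks: %d\n", recover_demo());  /* 1 */
    return 0;
}
```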
Problem 2
2. a) Which parts of DES use the permutation method?
b) Which parts of DES use the substitution method?
c) Explain why DES can be invertible (verify each round is easy to invert).
Answer
• A) Stage 1, stage 3, and all 16 rounds of stage 2.
• B) All 16 rounds of stage 2
• C) The invertibility of stage 1 and stage 3 is based on that $IP^{-1}(IP(x)) = x$
The 16 rounds of stage 2 are described by …
Three stages
• Stage 1: apply a fixed permutation IP: $(L_0, R_0) = IP(\text{Input Block})$
• Stage 2: 16 rounds of operations (i=1,2,…,16): $L_i = R_{i-1}$, $R_i = L_{i-1} \oplus f(R_{i-1}, k_i)$
• Stage 3: Output block $= IP^{-1}(R_{16}, L_{16})$
Stage 1
• Apply a fixed permutation IP: $(L_0, R_0) = IP(\text{Input Block})$
• $L_0$ is the left 32 bits
• $R_0$ is the right 32 bits
• IP is a fixed permutation function
Stage 2
• 16 rounds of operations (i=1,2,…,16): $L_i = R_{i-1}$, $R_i = L_{i-1} \oplus f(R_{i-1}, k_i)$
• Function f is called the “S”-box function (“S” for substitution)
• The $k_i$ is a 48-bit key, a substring of the 56-bit input key
One Round Feistel Cipher
• One round
[Figure: $(L_{i-1}, R_{i-1})$ → $L_i = R_{i-1}$, $R_i = L_{i-1} \oplus f(R_{i-1}, k_i)$ → $(L_i, R_i)$]
Principles
• The substitution is used in the f
• The permutation is applied in each of the 16 rounds
[Figure: $(L_0, R_0)$ → f → $(L_1, R_1)$ → f → $(L_2, R_2)$ → ................. → $(L_{16}, R_{16})$]
Stage 3
• Output block $= IP^{-1}(R_{16}, L_{16})$
• $IP^{-1}$ is the inverse of IP
One Round Feistel Cipher
• One round (the last one)
[Figure: $(L_{15}, R_{15})$ with subkey $k_{16}$ → f → $(L_{16}, R_{16})$]
Decryption
• First stage: $IP(c) = IP(IP^{-1}(R_{16}, L_{16})) = (R_{16}, L_{16}) = (L'_0, R'_0)$
• Second stage: $L'_1 = R'_0 = L_{16} = R_{15}$
$R'_1 = L'_0 \oplus f(R'_0, k_{16}) = R_{16} \oplus f(L_{16}, k_{16}) = (L_{15} \oplus f(R_{15}, k_{16})) \oplus f(R_{15}, k_{16}) = L_{15}$
Decryption
• Available information
(1) keys: k1,k2,…, k16
(2) IP
(3) Ciphertext: C
Part b)
• Permutation: IP, and the left/right swap in each of the 16 rounds.
• Substitution: S-box in each of those 16 rounds.
Function $f(R_{i-1}, K_i)$
[Figure: $R_{i-1}$ (32 bits) → E (48 bits) ⊕ $K_i$ (48 bits) → eight 6-bit inputs to $S_1, S_2, \ldots, S_8$ (4-bit outputs, 32 bits) → P (32 bits)]
$f(R_{i-1}, K_i) = P(S(E(R_{i-1}) \oplus K_i))$
Function
• (a) $T = E(R_{i-1})$: Expansion from 32 bits to 48 bits
• (b) $T' = T \oplus K_i = (B_1, \ldots, B_8)$: each $B_i$ is 6 bits
• (c) $T'' = (S_1(B_1), S_2(B_2), \ldots, S_8(B_8))$: each $S_i$ is a 4x16 2D table with 4 bits at each entry; $B_i$ determines an entry in the $S_i$ table
• (d) $T''' = P(T'')$
$f(R_{i-1}, K_i) = P(S(E(R_{i-1}) \oplus K_i))$
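The invertibility argument of Problem 2 c) in runnable form, as an added C example that is not from the slides: a 16-round Feistel network with the slides' round equations, a toy (deliberately non-invertible) round function f in place of the DES S-boxes, and a fixed bit rotation standing in for IP. Decryption never needs $f^{-1}$; it is the same algorithm with the subkeys in the order $k_{16}, \ldots, k_1$. The subkeys and the plaintext block are constructed values.

```c
/* Added example: Feistel structure L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, k_i)
 * with a toy f; shows that decryption = encryption with reversed subkeys. */
#include <stdio.h>
#include <stdint.h>

#define ROUNDS 16

/* Toy round function (NOT DES's S-boxes): mixes R with the subkey non-linearly
 * and is not invertible in k, which is exactly why the Feistel form matters. */
static uint32_t f(uint32_t r, uint32_t k)
{
    uint32_t x = r ^ k;
    x = (x * 0x9E3779B1u) ^ (x >> 15);
    return (x << 7) | (x >> 25);              /* rotate left 7 */
}

/* Stand-ins for IP and IP^{-1}: a fixed 64-bit rotation and its inverse. */
static uint64_t ip(uint64_t x)     { return (x << 13) | (x >> 51); }
static uint64_t ip_inv(uint64_t x) { return (x >> 13) | (x << 51); }

/* One round as on the slides: (L_{i-1}, R_{i-1}) -> (L_i, R_i). */
static void feistel_round(uint32_t *L, uint32_t *R, uint32_t k)
{
    uint32_t Lnew = *R;
    uint32_t Rnew = *L ^ f(*R, k);
    *L = Lnew;
    *R = Rnew;
}

/* Three stages: IP, 16 rounds, then IP^{-1} of the swapped halves (R_16, L_16). */
uint64_t feistel_encrypt(uint64_t block, const uint32_t keys[ROUNDS])
{
    uint64_t t = ip(block);
    uint32_t L = (uint32_t)(t >> 32), R = (uint32_t)t;   /* L_0 left 32 bits, R_0 right 32 bits */
    int i;
    for (i = 0; i < ROUNDS; i++) feistel_round(&L, &R, keys[i]);
    return ip_inv(((uint64_t)R << 32) | L);
}

/* Decryption: (L'_0, R'_0) = (R_16, L_16); the first round with k_16 gives
 * L'_1 = L_16 = R_15 and R'_1 = R_16 XOR f(L_16, k_16) = L_15, and so on. */
uint64_t feistel_decrypt(uint64_t block, const uint32_t keys[ROUNDS])
{
    uint32_t rev[ROUNDS];
    int i;
    for (i = 0; i < ROUNDS; i++) rev[i] = keys[ROUNDS - 1 - i];
    return feistel_encrypt(block, rev);
}

/* Round trip on a constructed key schedule; 1 if the plaintext comes back and
 * the ciphertext actually differs from it. */
int feistel_roundtrip_ok(uint64_t plaintext)
{
    uint32_t keys[ROUNDS];
    uint64_t c, p;
    int i;
    for (i = 0; i < ROUNDS; i++) keys[i] = 0x0F1E2D3Cu * (uint32_t)(i + 1);  /* constructed subkeys */
    c = feistel_encrypt(plaintext, keys);
    p = feistel_decrypt(c, keys);
    return p == plaintext && c != plaintext;
}

int main(void)
{
    printf("round trip ok: %d\n", feistel_roundtrip_ok(0x0123456789ABCDEFULL));   /* 1 */
    return 0;
}
```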
Problem 3
3. a) Use the Euclidean algorithm to compute the gcd(904,162).
b) Prove that Euclidean algorithm takes at most 2log n divisions to compute gcd(m,n). You can assume that dividing integer a by another integer b gives both the quotient q and the remainder r with a=b*q+r.
Greatest common divisor
• Divisor: For two integers b and c, if b=c*z for some integer z, c is a divisor of b.
• Greatest common divisor: Given two integers a and b, gcd(a,b) is the greatest positive integer c such that c is the divisor for both a and b.
• Examples: gcd(10,4)=2, gcd(16,100)=4
• Problem: How to find gcd(a,b)?
Modular
• Assume a and b are two positive integers: $a = qb + r$, $0 \le r < b$, $q = \lfloor a/b \rfloor$
• $\gcd(a,b) = \gcd(b,r)$
• This is a recursive equation since the second item goes down
Solution
• gcd(904,162) = gcd(162,94): 904 = 5×162 + 94
• gcd(162,94) = gcd(94,68): 162 = 1×94 + 68
• gcd(94,68) = gcd(68,26): 94 = 1×68 + 26
• gcd(68,26) = gcd(26,16): 68 = 2×26 + 16
• gcd(26,16) = gcd(16,10): 26 = 1×16 + 10
• gcd(16,10) = gcd(10,6): 16 = 1×10 + 6
• gcd(10,6) = gcd(6,4): 10 = 1×6 + 4
• gcd(6,4) = gcd(4,2): 6 = 1×4 + 2
• gcd(4,2) = 2: 4 = 2×2 + 0
Euclid algorithm
• Assume a1 and a2 are two positive integers
$a_1 = q_1 a_2 + a_3$, $0 \le a_3 < a_2$
$a_2 = q_2 a_3 + a_4$, $0 \le a_4 < a_3$
$a_3 = q_3 a_4 + a_5$, $0 \le a_5 < a_4$
.......
$a_{m-2} = q_{m-2} a_{m-1} + a_m$, $0 \le a_m < a_{m-1}$
$a_{m-1} = q_{m-1} a_m$
Observation
Each $a_i$ can be expressed as $a_i = u_i a_1 + v_i a_2$ for some integers $u_i, v_i$
Proof: It is true for i=1,2. Assume it is true for all cases <i
Since $a_i = a_{i-2} - q_{i-2} a_{i-1}$ and, by the inductive assumption, $a_{i-2} = u_{i-2} a_1 + v_{i-2} a_2$ and $a_{i-1} = u_{i-1} a_1 + v_{i-1} a_2$,
we have
$a_i = (u_{i-2} a_1 + v_{i-2} a_2) - q_{i-2}(u_{i-1} a_1 + v_{i-1} a_2) = (u_{i-2} - q_{i-2} u_{i-1}) a_1 + (v_{i-2} - q_{i-2} v_{i-1}) a_2$
Speed of Euclid algorithm
• Assume a1 and a2 are two positive integers
$a_1 = q_1 a_2 + a_3$, $0 \le a_3 < a_2$, $\gcd(a_1, a_2) = \gcd(a_2, a_3)$
$a_2 = q_2 a_3 + a_4$, $0 \le a_4 < a_3$, $\gcd(a_2, a_3) = \gcd(a_3, a_4)$
• If $a_3 > a_2/2$, we have $q_2 = 1$, so $a_2 = (1)\,a_3 + a_4$ and $a_2 - a_3 < a_2/2$
• In other words, $a_4 = a_2 - a_3 < a_2/2$ (and if $a_3 \le a_2/2$, then $a_4 < a_3 \le a_2/2$ directly)
• So every two divisions at least halve the second argument, which gives the bound of $2\log_2 n$ divisions
Problem 4
4. a) In the RSA system, the public key of a given user is e=41, n=3599. What is the private key? Show each step of your calculation.
b) Why does the security of RSA depend on the intractability of factorization and discrete logarithm problems? Why do we need large prime numbers for RSA?
Public Key
• Encryption: $Y = E_{publicKey}(X)$
• Decryption: $X = D_{privateKey}(Y)$
Solution
Part 1.
n=59*61. $\phi(n) = (59-1)*(61-1) = 3480$
The inverse of e=41 is d=2801 (mod 3480).
Solution
3480=41*84+36
41=36*1+5
36=5*7+1
1=36-5*7=36-7*(41-36*1)
=8*36-7*41
=8*(3480-41*84)-7*41
=8*3480-679*41.
2801=-679 (mod 3480)
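Euclid's algorithm with a division counter (for the $2\log_2 n$ bound of Problem 3) and the extended form that yields the coefficients $u, v$ with $u a_1 + v a_2 = \gcd$, used here to compute the RSA private exponent of Problem 4 exactly as the back-substitution above does. This is an added C example, not the slides' code; function names are the example's own.

```c
/* Added example: Euclid with a division counter, extended Euclid, and the
 * modular inverse d = e^{-1} mod phi(n) used for the RSA private key. */
#include <stdio.h>
#include <stdint.h>

/* gcd(a,b) by repeated division a = q*b + r, gcd(a,b) = gcd(b,r);
 * *divisions receives the number of divisions performed. */
int64_t gcd_count(int64_t a, int64_t b, int *divisions)
{
    *divisions = 0;
    while (b != 0) {
        int64_t r = a % b;
        (*divisions)++;
        a = b;
        b = r;
    }
    return a;
}

int divisions_for(int64_t a, int64_t b)
{
    int d;
    gcd_count(a, b, &d);
    return d;
}

/* Extended Euclid: returns g = gcd(a,b) and sets *u, *v with u*a + v*b = g.
 * Each remainder is kept as a combination of the two inputs, which is the
 * "Observation" on the slides. */
int64_t egcd(int64_t a, int64_t b, int64_t *u, int64_t *v)
{
    int64_t u0 = 1, v0 = 0, u1 = 0, v1 = 1;   /* a = 1*a + 0*b, b = 0*a + 1*b */
    while (b != 0) {
        int64_t q = a / b, r = a % b;
        int64_t u2 = u0 - q * u1, v2 = v0 - q * v1;   /* r = a - q*b */
        a = b; b = r;
        u0 = u1; v0 = v1; u1 = u2; v1 = v2;
    }
    *u = u0; *v = v0;
    return a;
}

/* d = e^{-1} mod phi, or -1 when gcd(e, phi) != 1 (e is then not a valid exponent). */
int64_t modinv(int64_t e, int64_t phi)
{
    int64_t u, v;
    if (egcd(e, phi, &u, &v) != 1) return -1;
    return ((u % phi) + phi) % phi;     /* e.g. -679 mod 3480 = 2801 */
}

/* Does gcd(m,n), m<n, finish within 2*log2(n) divisions? (floor(log2 n)+1 >= log2 n) */
int within_bound(int64_t m, int64_t n)
{
    int log2n = 0;
    int64_t t = n;
    while (t > 1) { t /= 2; log2n++; }
    return divisions_for(n, m) <= 2 * (log2n + 1);
}

int main(void)
{
    int divisions;
    printf("gcd(904,162) = %lld in %d divisions\n",
           (long long)gcd_count(904, 162, &divisions), divisions);        /* 2, 9 */
    printf("d for e=41, phi=3480: %lld\n", (long long)modinv(41, 3480));  /* 2801 */
    printf("d for e=3,  phi=40:   %lld\n", (long long)modinv(3, 40));     /* 27 */
    printf("d for e=5,  phi=72:   %lld\n", (long long)modinv(5, 72));     /* 29 */
    return 0;
}
```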
Part b.
If n=p*q can be factorized easily, one can compute (p-1)*(q-1) and find d with e*d=1 (mod (p-1)(q-1)).
Part c.
• If factorization is easy, we can find p and q for n=p*q. With p, q and n, we can find d.
• Discrete logarithm is to find x with y and n, where $y = a^x \bmod n$
With a pair of messages a and $a^d \bmod n$, we can find d from the discrete log.
Gcd(int a, int b)
int gcd(int a, int b){
    if ((a%b)==0) return b;
    return gcd(b, a%b);
}
exponent( int a, int e, int m):
int exponent(int a, int e, int m){
    int temp;
    if (e==1) return a%m;
    if (e==0) return 1;
    if (e%2==0) {
        temp=exponent(a, e/2, m);
        return (temp*temp)%m;
    } else {
        temp=exponent(a, e/2, m);
        return (((temp*temp)%m)*a)%m;   /* reduce before multiplying by a */
    }
}
Bad Implementation
    return (temp*temp*a)%m;   /* temp*temp*a can exceed the range of int before the %m */
primality(int p)
int primality(int p){
    int a, temp;
    if (p<=1) return 0;
    if (p==2) return 1;
    a=1+(rand()%(p-1));               /* a in [1, p-1] */
    if (gcd(a, p)>1) return 0;
    temp=exponent(a, (p-1)/2,p);
    if ((temp!=1)&&(temp!=p-1)) return 0;   /* p-1 is -1 mod p */
    return 1;
}
Bad Implementation
    temp=exponent(a, (p-1)/2,p);
    if ((temp!=1)&&(temp!=-1)) return 0;   /* exponent() never returns -1; must compare with p-1 */
Bad Implementation
    a=rand()%p;                              /* a can be 0 */
Bad Implementation
    if ((exponent(a, (p-1)/2,p)!=1)
        &&
        (temp=exponent(a, (p-1)/2,p)!=p-1))  /* != binds tighter than =, so temp becomes 0 or 1 */
        return 0;
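The primality test of the slides rewritten without the three "bad implementation" mistakes, plus the $p-1 = 2^k q$ refinement (Miller-Rabin) from the second algorithm, as an added C example that is not the slides' code. Products are formed in 64-bit, the base is drawn from [1, p-1], "-1 mod p" is compared as p-1, and after $a^q$ only $-1$ is accepted at higher powers (a 1 reached without passing through $-1$ is a nontrivial square root of 1, hence composite). The inputs 561 = 3·11·17 (a Carmichael number) and 3599 = 59·61 from Problem 4 are used as test values; names are the example's own.

```c
/* Added example: hardened Euler/Fermat-style test and Miller-Rabin rounds. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) { return (a * b) % m; } /* exact for m < 2^32 */

static uint64_t modpow(uint64_t a, uint64_t e, uint64_t m)
{
    uint64_t r = 1 % m;
    for (a %= m; e > 0; e >>= 1) {
        if (e & 1) r = mulmod(r, a, m);
        a = mulmod(a, a, m);
    }
    return r;
}

static uint64_t gcd(uint64_t a, uint64_t b) { while (b) { uint64_t r = a % b; a = b; b = r; } return a; }

/* The slides' first test with a given base a: 1 ("prime") when gcd(a,p)=1 and
 * a^((p-1)/2) = +-1 (mod p), else 0 ("composite"). */
int euler_witness_test(uint64_t p, uint64_t a)
{
    uint64_t t;
    if (p < 2) return 0;
    if (p == 2) return 1;
    if (p % 2 == 0 || gcd(a, p) != 1) return 0;
    t = modpow(a, (p - 1) / 2, p);
    return t == 1 || t == p - 1;           /* p-1 is -1 mod p */
}

/* One Miller-Rabin round with base a: p-1 = 2^k q, q odd; look at
 * a^q, a^{2q}, ..., a^{2^{k-1} q}.  Returns 1 if p passes ("probably prime"). */
int miller_rabin_round(uint64_t p, uint64_t a)
{
    uint64_t q = p - 1, x;
    int k = 0, i;
    if (p < 2) return 0;
    if (p == 2 || p == 3) return 1;
    if (p % 2 == 0 || gcd(a, p) != 1) return 0;
    while (q % 2 == 0) { q /= 2; k++; }    /* p - 1 = 2^k q */
    x = modpow(a, q, p);
    if (x == 1 || x == p - 1) return 1;   /* a^q = +-1: passes */
    for (i = 1; i < k; i++) {
        x = mulmod(x, x, p);               /* a^{2^i q} */
        if (x == p - 1) return 1;          /* reached -1: passes */
        if (x == 1) return 0;              /* 1 without -1 before it: composite */
    }
    return 0;                              /* never reached -1: composite */
}

/* Repeat with random bases; a composite survives each round with probability <= 1/4. */
int is_probable_prime(uint64_t p, int rounds)
{
    int r;
    if (p < 4) return p >= 2;
    for (r = 0; r < rounds; r++) {
        uint64_t a = 1 + (uint64_t)rand() % (p - 1);   /* a in [1, p-1], never 0 */
        if (!miller_rabin_round(p, a)) return 0;
    }
    return 1;
}

int main(void)
{
    printf("561, base 2: Euler test %d, Miller-Rabin %d\n",
           euler_witness_test(561, 2), miller_rabin_round(561, 2));   /* 1 (fooled), 0 */
    printf("3599 probable prime? %d\n", is_probable_prime(3599, 10)); /* 0: 59*61 */
    printf("3571 probable prime? %d\n", is_probable_prime(3571, 10)); /* 1 */
    return 0;
}
```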
Problem 5
5. a) How many multiplications does it take for computing $5^{596} \bmod 1234$ by using the fast exponentiation algorithm? Show the steps of your calculation. You only need to get the number of multiplications instead of the final result for $5^{596} \bmod 1234$.
b) Explain why RSA needs fast exponentiation?
Solution
• It takes 12 multiplications
$5^2 = 5 \cdot 5$ (1)
$5^4 = 5^2 \cdot 5^2$ (1)
$5^9 = 5^4 \cdot 5^4 \cdot 5$ (2)
$5^{18} = 5^9 \cdot 5^9$ (1)
$5^{37} = 5^{18} \cdot 5^{18} \cdot 5$ (2)
$5^{74} = 5^{37} \cdot 5^{37}$ (1)
$5^{149} = 5^{74} \cdot 5^{74} \cdot 5$ (2)
$5^{298} = 5^{149} \cdot 5^{149}$ (1)
$5^{596} = 5^{298} \cdot 5^{298}$ (1)
Midterm 2010
• 90-100: 1
• 80-89: 7
• 70-79: 5
• 60-70: 3
• <60: 1
Problem 1
1. a) Which of the following encryption methods use the substitution method? b) Which of them use the permutation method? c) Which of them use both methods? Briefly explain your answer.
(1) Monoalphabetic Cipher (2) Playfair cipher (3) Transposition cipher (4) Hill Cipher (5) DES (6) RSA
Solution
• Substitution: Monoalphabetic Cipher, Playfair cipher, Hill Cipher, DES
• Permutation: Transposition cipher, DES.
• Both: DES
Problem 2
2. a) Which parts of DES use the permutation method?
b) Which parts of DES use the substitution method?
c) Explain why DES can be invertible (verify each round is easy to invert).
Problem 3
3. a) Use the Euclidean algorithm to compute the gcd(78,104). Show your steps.
b) Prove that Euclidean algorithm takes at most 2log n divisions to compute gcd(m,n) with m<n. You can assume that dividing integer a by another integer b gives both the quotient q and the remainder r with a=b*q+r.
Solution
• gcd(104,78) = gcd(78,26): 104 = 1×78 + 26
• gcd(78,26) = 26: 78 = 3×26 + 0
Problem 4
• 4. a) In the RSA system, the public key of a given user is e=3, n=55. What is the private key? Show each step of your calculation.
• b) Why does the security of RSA depend on the intractability of factorization and discrete logarithm problems?
• c) Why do we need large prime numbers for RSA?
Solution
Part 1.
n=5*11. $\phi(n) = (5-1)*(11-1) = 40$
The inverse of e=3 is d=27 (mod 40).
Solution
40=13*3+1
1=40-13*3
27=-13 (mod 40)
Problem 6
6. Suppose we have a set of blocks encoded with the RSA algorithm and we don’t have the private key. Assume n=pq, e is the public key. Suppose also someone tells us they know one of the plaintext blocks has a common factor with n. Show that the RSA system can be broken.
Solution
• Assume that the block m has a common factor with n.
• The plaintext m is encrypted into the ciphertext $c = m^e \bmod n$
• The ciphertext c also has a common factor with n.
• Compute gcd(c,n) to get one of the two factors, and also the second.
• With the two factors and the public key, compute the private key
Problem 7
7. Users A and B use the Diffie-Hellman key exchange method with a common prime q=7 and primitive root a=3. If user A has private key $X_A$=2, and user B has private key $X_B$=4, what is the shared secret key? Show the steps of your calculation.
Solution
• A calculates $Y_A = a^{X_A} = 3^2 = 9 \equiv 2 \pmod q$
• B calculates $Y_B = a^{X_B} = 3^4 = 81 \equiv 4 \pmod q$
• A calculates $K = (Y_B)^{X_A} = (a^{X_B})^{X_A} = 4^2 = 16 \equiv 2 \pmod q$
• B calculates $K = (Y_A)^{X_B} = (a^{X_A})^{X_B} = 2^4 = 16 \equiv 2 \pmod q$
• The shared key is 2.
Authentication
• Masquerade: illegal insertion of messages into the network
• Content modification: change content of message
• Sequence modification: modification to a sequence of messages
• Timing modification: delay or replay of message
• Source repudiation: denial of transmission by source
• Destination repudiation: denial of receipt by destination
Two levels of authentication
• Produce an authenticator
• Verify the authenticity of a message
Authentication Methods
• Message encryption
• Message authentication (MAC)
• Hash function
Symmetric Encryption
• Encrypt the message M with key K shared by A and B
[Figure: Source: M → E with K → $E_K(M)$; Destination: D with K → M]
Message Encryption
Append checksum to message M and encrypt them together
[Figure: Source computes F(M) and sends $E_K(M \| F(M))$; Destination decrypts with K to get M and F(M), recomputes F(M) and compares]
Public Key encryption
• Public key encryption: confidentiality
[Figure: Source: M → E with $KU_b$ → $E_{KU_b}(M)$; Destination: D with $KR_b$ → M]
Public Key encryption
• Public key encryption: authentication and signature
[Figure: Source: M → E with $KR_a$ → $E_{KR_a}(M)$; Destination: D with $KU_a$ → M]
Public Key encryption
• Public key encryption: confidentiality, authentication and signature
[Figure: Source: M → E with $KR_a$ → $E_{KR_a}(M)$ → E with $KU_b$ → $E_{KU_b}[E_{KR_a}(M)]$; Destination: D with $KR_b$ → $E_{KR_a}(M)$ → D with $KU_a$ → M]
Message Authentication Code
• Use a secret key to generate a small fixed-size block of data, MAC, that is appended to the message
• M = input message
• C = MAC function
• K = shared secret key
• MAC = message authentication code
$MAC = C_K(M)$
Message Authentication
Append MAC to message
[Figure: Source sends $M \| C_K(M)$; Destination recomputes $C_K(M)$ with the shared K and compares]
Message Authentication
Authentication and confidentiality
[Figure: Source computes $C_{K_1}(M)$ and sends $E_{K_2}(M \| C_{K_1}(M))$; Destination decrypts with $K_2$, recomputes $C_{K_1}(M)$ and compares]
Hash Function
• A hash function accepts a variable-size message M as input and produces a fixed-size output, H(M)
• There is no key to control a hash function
Hash
Message plus concatenated hash code is encrypted using symmetric encryption
[Figure: Source computes H(M) and sends $E_K(M \| H(M))$; Destination decrypts with K, recomputes H(M) and compares]
Requirements for Hash function
• H(x) is easy to compute
• Given h, it is computationally hard to find x such that H(x)=h: One-way property
• Given x, it is computationally hard to find y≠x such that H(x)=H(y): Weak collision resistance
• It is computationally hard to find x≠y such that H(x)=H(y): Strong collision resistance
Protocol
• Alice picks a random integer x and computes f(x)
• She reads f(x) to Bob on the phone
• Bob tells Alice his guess of x as even or odd
• Alice reads x to Bob
• Bob verifies f(x) and sees if his guess was correct
Magic function f(x)
• For every integer x, f(x) is easy to compute.
• Given f(x), it is very hard to find any information about x.
• It is impossible to find different x and y with f(x)=f(y)
Birthday attack
• Among k people, what is the probability that two of them have the same birthday
Counting
• K people: $p_1, p_2, \ldots, p_k$
• The number of cases that all of them have different birthdays: $365 \times 364 \times \cdots \times (365-k+1) = \frac{365!}{(365-k)!}$
• The number of all possible k birthdays: $365^k$
Probability
• K people: $p_1, p_2, \ldots, p_k$
• The probability that k people have different birthdays: $Q(365,k) = \frac{365!}{(365-k)!\,365^k}$
Birthday Paradox
• K people: $p_1, p_2, \ldots, p_k$
• The probability that at least 2 people have the same birthday: $P(365,k) = 1 - Q(365,k) = 1 - \frac{365!}{(365-k)!\,365^k}$
$P(365,23) = 0.5072$, $P(365,30) = 0.7$, $P(365,100) = 0.999$
Counting
• Select k random numbers between 1 and n: $p_1, p_2, \ldots, p_k$
• The number of cases that all of them are different: $n(n-1)\cdots(n-k+1)$
• The number of all possible k possibilities: $n^k$
Probability
• K numbers between 1 and n: $p_1, p_2, \ldots, p_k$
• The probability that k numbers are different: $Q(n,k) = \frac{n(n-1)\cdots(n-k+1)}{n^k}$
Birthday Paradox
• K numbers between 1 and n: $p_1, p_2, \ldots, p_k$
• The probability that at least 2 of them are the same:
$P(n,k) = 1 - Q(n,k) = 1 - \frac{n(n-1)\cdots(n-k+1)}{n^k} = 1 - \left(1-\frac{1}{n}\right)\left(1-\frac{2}{n}\right)\cdots\left(1-\frac{k-1}{n}\right)$
Birthday Paradox
• For $x \ge 0$, consider the function $f(x) = e^{-x}$: $f(0) = 1$, $f'(x) = -e^{-x}$, $f''(x') = e^{-x'} > 0$
• Taylor: $f(x) = f(0) + f'(0)\,x + f''(x')\,x^2/2$ for some $0 \le x' \le x$
• So $e^{-x} \ge 1 - x$
Birthday Paradox
$P(n,k) = 1 - Q(n,k) = 1 - \left(1-\frac{1}{n}\right)\left(1-\frac{2}{n}\right)\cdots\left(1-\frac{k-1}{n}\right)$
$\ge 1 - e^{-1/n}\,e^{-2/n}\cdots e^{-(k-1)/n} = 1 - e^{-(1+2+\cdots+(k-1))/n} = 1 - e^{-k(k-1)/(2n)}$
Birthday Paradox
Let $P(n,k) = 1 - Q(n,k) \approx 1 - e^{-k(k-1)/(2n)} = \frac{1}{2}$
Then $e^{-k(k-1)/(2n)} = \frac{1}{2}$, $\frac{k(k-1)}{2n} = \ln 2$, $k(k-1) = 2n\ln 2$, $k \approx \sqrt{2\ln 2}\,\sqrt{n} = 1.18\sqrt{n}$
Attack Hash
• Hash function H has $2^m$ possible values
• Select k random values and apply H to them
• If $k \ge \sqrt{2^m} = 2^{m/2}$, it has a collision H(x)=H(y) for different x and y with big chance.
Overlap between two sets
Given two sets $X = \{x_1, x_2, \ldots, x_k\}$ and $Y = \{y_1, y_2, \ldots, y_k\}$
Each element has a random value between 1 and n
What is the probability R(n,k) that the two sets are not disjoint?
Overlap between two sets
Given two sets $X = \{x_1, \ldots, x_k\}$ and $Y = \{y_1, \ldots, y_k\}$; each element has a random value between 1 and n
• The probability that $y_1$ does not match $x_1$ is $1 - \frac{1}{n}$
• The probability that no element of Y matches $x_1$ is $\left(1 - \frac{1}{n}\right)^k$
• The probability that no element of Y matches any element of X is $\left(\left(1 - \frac{1}{n}\right)^k\right)^k = \left(1 - \frac{1}{n}\right)^{k^2}$
Overlap between two sets
$R(n,k) = 1 - \left(1 - \frac{1}{n}\right)^{k^2}$ is the probability that there is at least one match in Y to X
Overlap between two sets
Since $1 - x \le e^{-x}$ for x>0,
$R(n,k) = 1 - \left(1 - \frac{1}{n}\right)^{k^2} \ge 1 - \left(e^{-1/n}\right)^{k^2} = 1 - e^{-k^2/n}$
Overlap between two sets
Let $R(n,k) \approx 1 - e^{-k^2/n} = \frac{1}{2}$
Then $e^{-k^2/n} = \frac{1}{2}$, $\frac{k^2}{n} = \ln 2$, $k = \sqrt{\ln 2}\,\sqrt{n} = 0.83\sqrt{n}$
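The birthday probability P(n,k) and the two-set overlap R(n,k) from the slides above, computed exactly beside the lower bounds $1 - e^{-k(k-1)/(2n)}$ and $1 - e^{-k^2/n}$, together with the k at which each first reaches 1/2 (to compare with $1.18\sqrt{n}$ and $0.83\sqrt{n}$). This is an added C example, not part of the slides; exp and sqrt are written out as a series and a Newton iteration so it builds without libm, and all names are the example's own.

```c
/* Added example: exact birthday probabilities vs. the slides' exponential bounds. */
#include <stdio.h>

/* e^{-x} for x >= 0: halve x until small, Taylor series, then square back up */
static double exp_neg(double x)
{
    double term = 1.0, sum = 1.0;
    int halvings = 0, i;
    while (x > 0.5) { x *= 0.5; halvings++; }
    for (i = 1; i < 30; i++) { term *= -x / i; sum += term; }
    while (halvings-- > 0) sum *= sum;
    return sum;
}

static double powi(double b, long e)          /* b^e for integer e >= 0 */
{
    double r = 1.0;
    for (; e > 0; e >>= 1, b *= b) if (e & 1) r *= b;
    return r;
}

static double sqrt_newton(double x)
{
    double r = x > 1.0 ? x : 1.0;
    int i;
    for (i = 0; i < 100; i++) r = 0.5 * (r + x / r);
    return r;
}

/* Q(n,k) = prod_{i=0}^{k-1} (1 - i/n): all k values are distinct */
double q_distinct(double n, int k)
{
    double q = 1.0;
    int i;
    for (i = 0; i < k; i++) q *= 1.0 - i / n;
    return q;
}

double p_collision(double n, int k)       { return 1.0 - q_distinct(n, k); }                 /* P(n,k) */
double p_collision_bound(double n, int k) { return 1.0 - exp_neg((double)k * (k - 1) / (2.0 * n)); }
double r_overlap(double n, int k)         { return 1.0 - powi(1.0 - 1.0 / n, (long)k * k); } /* R(n,k) */
double r_overlap_bound(double n, int k)   { return 1.0 - exp_neg((double)k * k / n); }

/* smallest k with P(n,k) >= 1/2, maintaining Q(n,k) incrementally */
int k_for_half_collision(double n)
{
    double q = 1.0;
    int k = 1;
    while (q > 0.5) { q *= 1.0 - k / n; k++; }
    return k;
}

/* smallest k with R(n,k) >= 1/2 */
int k_for_half_overlap(double n)
{
    int k = 1;
    while (r_overlap(n, k) < 0.5) k++;
    return k;
}

int main(void)
{
    double n = 365.0;
    printf("P(365,23)=%.4f P(365,30)=%.4f P(365,100)=%.6f\n",
           p_collision(n, 23), p_collision(n, 30), p_collision(n, 100));
    printf("bound at k=23: %.4f (the exact value is never below it)\n", p_collision_bound(n, 23));
    printf("k for P>=1/2: %d vs 1.18*sqrt(365)=%.1f\n", k_for_half_collision(n), 1.18 * sqrt_newton(n));
    printf("k for R>=1/2: %d vs 0.83*sqrt(365)=%.1f\n", k_for_half_overlap(n), 0.83 * sqrt_newton(n));
    n = 65536.0;   /* a 16-bit hash has 2^16 possible values */
    printf("16-bit hash: k for P>=1/2 is %d, 2^(m/2)=256\n", k_for_half_collision(n));
    return 0;
}
```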
Birthday Attack
Assume the hash code is m bits. Encrypted hash $E_K(Hash(X))$ for signature
• Opponent generates $2^{m/2}$ variations of type 1 messages
• Opponent generates $2^{m/2}$ variations of type 2 messages
• Find a type 1 message x and type 2 message y such that Hash(x)=Hash(y)
• Get the signature from the boss for the type 1 message X; the signature is $E_K(Hash(X))$
• Send out y || $E_K(Hash(X))$
Variations of the same message
[Figure: a letter with $2^{m/2}$ variations obtained by choosing equivalent phrasings at each position: "This letter is / I am writing" … "to introduce to you Alfred, the newly appointed / new senior / chief jewellery buyer for ……..]
A simple hash function
• Message M is partitioned into m blocks of n bits
$M = B_1 \| B_2 \| \ldots \| B_m$
$B_1 = b_{1,1}\, b_{1,2} \ldots b_{1,n}$
$B_2 = b_{2,1}\, b_{2,2} \ldots b_{2,n}$
......
$B_m = b_{m,1}\, b_{m,2} \ldots b_{m,n}$
A simple hash function
• Hash function value $c_1 c_2 \ldots c_n$ is defined as
$c_1 = b_{1,1} \oplus b_{2,1} \oplus \ldots \oplus b_{m,1}$
$c_2 = b_{1,2} \oplus b_{2,2} \oplus \ldots \oplus b_{m,2}$
......
$c_n = b_{1,n} \oplus b_{2,n} \oplus \ldots \oplus b_{m,n}$
Rabin’s Hash
• A message M is partitioned into $M_1, M_2, \ldots, M_N$
• $H_0$ = initial value
• $H_i = E_{M_i}(H_{i-1})$: encrypted with DES with 64 bits output
• $G = H_N$
• It is weak against the birthday attack
Birthday Attack
Assume the hash code is m bits. Encrypted hash $E_K(G)$ for signature
• Calculate the hash code G
• Construct the desired messages $Q_1, Q_2, \ldots, Q_{N-2}$
• Compute $H_i = E_{Q_i}[H_{i-1}]$ for $i = 1, 2, \ldots, N-2$
• Opponent generates $2^{m/2}$ blocks X and computes $E_X[H_{N-2}]$
• Opponent generates $2^{m/2}$ blocks Y and computes $D_Y[G]$
• Find an X block and a Y block with $E_X[H_{N-2}] = D_Y[G]$
• Form the message $Q_1, Q_2, \ldots, Q_{N-2}, X, Y$ with encrypted signature $E_K(G)$
Davies and Price variation
• A message M is partitioned into $M_1, M_2, \ldots, M_N$
• $H_0$ = initial value
• $H_i = E_{M_i}(H_{i-1}) \oplus H_{i-1}$
• $G = H_N$
Hash Design
• IV = initial value; b = length of input block
• CV = chaining variable; f = compression algorithm
• L = number of input blocks; Y = input block
• N = length of hash code
[Figure: $CV_0 = IV$ (n bits); $CV_{i+1} = f(CV_i, Y_i)$ for $i = 0, \ldots, L-1$, each $Y_i$ b bits; the hash code is $CV_L$ (n bits)]
Principle
• The hash function is collision resistant if the compression function is collision resistant
MD5
• 128 bits Hash
[Figure: padded message split into 512-bit blocks $Y_0, Y_1, \ldots, Y_q, \ldots, Y_{L-1}$; $IV \to H_{MD5} \to CV_1 \to \cdots \to CV_q \to H_{MD5} \to \cdots \to CV_{L-1} \to H_{MD5} \to$ 128-bit hash]
[Figure: message of K bits || padding (1 to 512 bits: 10…0) || length ($K \bmod 2^{64}$, 64 bits); the total is a multiple of 512 bits]
Step 1: Padding
• Append (1 to 512) bits so that the total message length is ≡ 448 (mod 512)
• At least one bit is appended
Step 2: Append Length
64 bits are used for storing the length of the message.
If the message is longer than $2^{64}$ bits, only the low-order 64 bits of the length are used (the length is taken modulo $2^{64}$).
Expanded message: $Y_0, Y_1, \ldots, Y_{L-1}$
Step 3: Initialize buffer
128-bit buffer to hold four words (A,B,C,D), initialized to the following 32-bit hex values:
A = 67452301
B = EFCDAB89
C = 98BADCFE
D = 10325476
Step 4: Process message in 512-bit blocks
MD5 has four similar rounds
Each round uses one of the four functions F, G, H and I
Each round has 16 similar steps
All 512 bits are used in each round
MD5 Processing
• Processing of one 512-bit block Y_q (figure): the 128-bit CV_q initializes the buffer (A, B, C, D); round 1 applies F with T[1...16] and X[i], round 2 applies G with T[17...32] and X[ρ_2(i)], round 3 applies H with T[33...48] and X[ρ_3(i)], round 4 applies I with T[49...64] and X[ρ_4(i)], where ρ_k is the word permutation used by round k; the result is added to CV_q to give CV_{q+1}.
Compression function
sCLS
A B C D
A B C D
g][kX
][iT
MD5 compression function
• 16 steps operating on the buffer ABCD
• Each step is of the form
a ← b + ((a + g(b,c,d) + X[k] + T[i]) <<< s)
• a,b,c,d = four words of the buffer
• g = one of the functions F, G, H, I
• <<<s = circular left shift by s bits
• X[k] = M[q*16+k] = k-th word in the q-th 512-bit block
• T[i] = the i-th 32-bit word in matrix T
• + = addition modulo 2^32
Four functions
• The function g can be any of the four functions (bitwise on 32-bit words; ∧ = AND, ∨ = OR, ¬ = NOT, ⊕ = XOR)
F(b,c,d) = (b ∧ c) ∨ (¬b ∧ d)
G(b,c,d) = (b ∧ d) ∨ (c ∧ ¬d)
H(b,c,d) = b ⊕ c ⊕ d
I(b,c,d) = c ⊕ (b ∨ ¬d)
Functions T
• T has 64 entries T[1...64]. Each entry is a 32-bit word
• T[i] is the integer part of 2^32 × abs(sin(i))
• The i is in radians
T[1] = D76AA478
T[2] = E8C7B756
T[3] = 242070DB
.......
Digital Signature
• Verify the author, date and time
• Authenticate the content
• Be verifiable by third party
Digital Signature
• X: sender
• Y: receiver
• A: arbiter
Figure: X → Arbiter → Y
Digital Signature
• K_xa: the key shared between X and A
• K_ay: the key shared between A and Y
• M: message
• H: hash function
• ID: identification number
• T: timestamp
(1) X → A: M || E(K_xa, [ID_X || H(M)])
(2) A → Y: E(K_ay, [ID_X || M || E(K_xa, [ID_X || H(M)]) || T])
Digital Signature
• X: sender
• Y: receiver
• A: arbiter
Figure: X sends M || E(K_xa, [ID_X || H(M)]) to the Arbiter, which sends E(K_ay, [ID_X || M || E(K_xa, [ID_X || H(M)]) || T]) to Y
Digital Signature
• Y stores M and E(K_xa, [ID_X || H(M)])
• Y sends E(K_ay, [ID_X || M || E(K_xa, [ID_X || H(M)]) || T]) to the arbiter A to settle disputes.
• Both sides trust the arbiter A.
Problem
• The arbiter can see the message
Arbiter does not see the message
• K_xy: the key shared between X and Y, so the message itself is hidden from A.
(1) X → A: ID_X || E(K_xy, M) || E(K_xa, [ID_X || H(E(K_xy, M))])
(2) A → Y: E(K_ay, [ID_X || E(K_xy, M) || E(K_xa, [ID_X || H(E(K_xy, M))]) || T])
Problem
• The arbiter can form an alliance with the sender to deny a signed message.
Public Key Approach
• KR: private key
• KU: public key.
(1) X → A: ID_X || E(KR_x, [ID_X || E(KU_y, E(KR_x, M))])
(2) A → Y: E(KR_a, [ID_X || E(KU_y, E(KR_x, M)) || T])
Mutual Authentication
Two issues:
• Confidentiality
• Timeliness
Some attacks
• Simple replay: copy a message and replay it later
• Repetition: replay a timestamped message within the valid time window
Two approaches
• Timestamp: make sure the message is fresh
• Challenge: A sends B a nonce and expects B’s reply to contain it, which makes sure the reply is a fresh message from B.
One-way Authentication
• KDC: responsible for generating the short term key.
• A: sender; B: receiver
• K_s: session key
• K_a: shared between A and KDC
• K_b: shared between B and KDC.
(1) A → KDC: ID_A || ID_B || N_1
(2) KDC → A: E(K_a, [K_s || ID_B || N_1 || E(K_b, [K_s || ID_A])])
(3) A → B: E(K_b, [K_s || ID_A]) || E(K_s, M)
Public key One-way Authentication
A: sender B: receiver
It is confidential, but no signature
A → B: E(KU_b, K_s) || E(K_s, M)
Public key One-way Authentication
A: sender B: receiver
Hard to deny
A → B: M || E(KR_a, H(M))
Public key One-way Authentication
A: sender B: receiver
Confidential and hard to deny
A → B: E(KU_b, [M || E(KR_a, H(M))])
Mutual Authentication
• KDC: responsible for generating the short term key.
• A: sender
• B: receiver
(1) A → KDC: ID_A || ID_B || N_1
(2) KDC → A: E(K_a, [K_s || ID_B || N_1 || E(K_b, [K_s || ID_A])])
(3) A → B: E(K_b, [K_s || ID_A])
(4) B → A: E(K_s, N_2)
(5) A → B: E(K_s, f(N_2))
Problem
• An attacker can replay the message of step 3
• If the attacker can also intercept the message at step 4, he can impersonate A and send B some message.
Mutual Authentication
• T: timestamp
(1) A → KDC: ID_A || ID_B
(2) KDC → A: E(K_a, [K_s || ID_B || T || E(K_b, [K_s || ID_A || T])])
(3) A → B: E(K_b, [K_s || ID_A || T])
(4) B → A: E(K_s, N_1)
(5) A → B: E(K_s, f(N_1))
Time check
|Clock − T| < Δt
Avoid replay attack
• The replay attack can be avoided by checking the timestamp.
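The timestamp variant above, run end to end as an added example that is not part of the slides: the KDC issues step (2), A forwards the inner ticket as step (3), and B applies the time check |Clock − T| < Δt before accepting K_s. The encryption E(K, [...]) is replaced here by a constructed JSON-plus-HMAC stand-in (authenticity only, no confidentiality), the keys K_a, K_b, the session key and the clock values are all constructed, and the "seen" set that rejects an exact duplicate inside the window is an addition beyond the slide's time check.

```python
import hashlib
import hmac
import json


# Constructed stand-in for E(K, [...]): JSON body plus an HMAC-SHA256 tag under K.
# It gives B authenticity (a forged or altered ticket fails the tag check) but not
# confidentiality; a real deployment would use an authenticated cipher such as AES-GCM.
def seal(key: bytes, fields: dict) -> dict:
    body = json.dumps(fields, sort_keys=True).encode()
    return {"body": body.hex(), "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def unseal(key: bytes, box: dict) -> dict:
    body = bytes.fromhex(box["body"])
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, box["tag"]):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(body)


# Constructed long-term keys K_a and K_b shared with the KDC, and B's tolerance delta_t
K_A = b"constructed-key-shared-by-A-and-KDC"
K_B = b"constructed-key-shared-by-B-and-KDC"
DELTA_T = 60.0  # seconds: allowed clock skew plus network delay


def kdc_reply(id_a: str, id_b: str, k_s: bytes, t: float) -> dict:
    """Step (2): E(K_a, [K_s || ID_B || T || E(K_b, [K_s || ID_A || T])])."""
    ticket = seal(K_B, {"K_s": k_s.hex(), "ID_A": id_a, "T": t})
    return seal(K_A, {"K_s": k_s.hex(), "ID_B": id_b, "T": t, "ticket": ticket})


def a_handles_reply(reply: dict, expected_peer: str):
    """A opens step (2) with K_a, checks the peer name, keeps K_s and forwards the ticket (step 3)."""
    fields = unseal(K_A, reply)
    if fields["ID_B"] != expected_peer:
        raise ValueError("reply names a different peer")
    return bytes.fromhex(fields["K_s"]), fields["ticket"]


def b_handles_ticket(ticket: dict, clock: float, seen: set):
    """Step (3) at B: accept only if |Clock - T| < delta_t and the ticket was not seen before."""
    fields = unseal(K_B, ticket)
    if abs(clock - fields["T"]) >= DELTA_T:
        return None                      # stale ticket: a replay from an old session
    if ticket["tag"] in seen:
        return None                      # exact duplicate inside the window
    seen.add(ticket["tag"])
    return bytes.fromhex(fields["K_s"])


def run_scenario() -> dict:
    """One fresh run plus replays, on a fixed constructed clock so the result is deterministic."""
    t0 = 1_700_000_000.0
    k_s = hashlib.sha256(b"constructed session key").digest()[:16]
    k_s_at_a, ticket = a_handles_reply(kdc_reply("A", "B", k_s, t0), "B")
    seen = set()
    fresh = b_handles_ticket(ticket, t0 + 5, seen)           # arrives 5 s later: accepted
    replay_now = b_handles_ticket(ticket, t0 + 10, seen)     # same ticket again: rejected
    replay_old = b_handles_ticket(ticket, t0 + 3600, set())  # an hour later, B restarted: stale
    tampered = dict(ticket, body=ticket["body"][:-2] + "ff")
    try:
        unseal(K_B, tampered)
        forged_ok = True
    except ValueError:
        forged_ok = False
    return {"fresh": fresh == k_s_at_a == k_s, "replay_in_window": replay_now,
            "replay_old": replay_old, "forged_accepted": forged_ok}
```

The time check alone still admits a replay inside the Δt window (the "repetition" attack listed earlier), which is why B also remembers the tags it has already accepted during the window.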
Mutual Authentication
(1) A → B: ID_A || N_a
(2) B → KDC: ID_B || N_b || E(K_b, [ID_A || N_a || T_b])
(3) KDC → A: E(K_a, [ID_B || N_a || K_s || T_b]) || E(K_b, [ID_A || K_s || T_b]) || N_b
(4) A → B: E(K_b, [ID_A || K_s || T_b]) || E(K_s, N_b)
Mutual Authentication
In message (3), E(K_a, [ID_B || N_a || K_s || T_b]): N_a shows that B has received the message from A; T_b prevents the replay attack; K_s is the session key.
Mutual Authentication
In message (4), E(K_b, [ID_A || K_s || T_b]) || E(K_s, N_b): E(K_s, N_b) prevents the replay attack.
Public Key Approach
AS: the authentication server
Clock synchronization is needed
(1) A → AS: ID_A || ID_B
(2) AS → A: E(KR_as, [ID_A || KU_a || T]) || E(KR_as, [ID_B || KU_b || T])
(3) A → B: E(KR_as, [ID_A || KU_a || T]) || E(KR_as, [ID_B || KU_b || T]) || E(KU_b, E(KR_a, [K_s || T]))
Mutual Authentication
• KDC: responsible for generating the short term key.
• A: sender B: receiver
• KR_auth, KU_auth: private and public key of the KDC; KU_a, KU_b: public keys of A and B; K_s: session key; N_a, N_b: nonces
(1) A → KDC: ID_A || ID_B
(2) KDC → A: E(KR_auth, [ID_B || KU_b])
(3) A → B: E(KU_b, [N_a || ID_A])
(4) B → KDC: ID_A || ID_B || E(KU_auth, N_a)
(5) KDC → B: E(KR_auth, [ID_A || KU_a]) || E(KU_b, E(KR_auth, [N_a || K_s || ID_B]))
(6) B → A: E(KU_a, [E(KR_auth, [N_a || K_s || ID_B]) || N_b])
(7) A → B: E(K_s, N_b)
Mutual Authentication
(1) A → KDC: ID_A || ID_B. Tell KDC the intention to establish a secure connection with B
(2) KDC → A: E(KR_auth, [ID_B || KU_b]). A gets the public key of B from KDC
Mutual Authentication
(3) A → B: E(KU_b, [N_a || ID_A]). A tells B the intention for secure communication
(4) B → KDC: ID_A || ID_B || E(KU_auth, N_a). Tell KDC N_a so that KDC can stamp the session key with the nonce
Mutual Authentication
(5) KDC → B: E(KR_auth, [ID_A || KU_a]) || E(KU_b, E(KR_auth, [N_a || K_s || ID_B]))
• The session key is tied with N_a
• Tell B the public key of A
• B can verify it is from the KDC
Mutual Authentication
(6) B → A: E(KU_a, [E(KR_auth, [N_a || K_s || ID_B]) || N_b]). Encrypt it with A’s public key. The key is fresh for A
(7) A → B: E(K_s, N_b). Tell B that A has the session key now.
Mutual Authentication
Revised version: the nonce is for A, so ID_A is included in the signed session-key block of message (6)
(1) A → KDC: ID_A || ID_B
(2) KDC → A: E(KR_auth, [ID_B || KU_b])
(3) A → B: E(KU_b, [N_a || ID_A])
(4) B → KDC: ID_A || ID_B || E(KU_auth, N_a)
(5) KDC → B: E(KR_auth, [ID_A || KU_a]) || E(KU_b, E(KR_auth, [N_a || K_s || ID_B]))
(6) B → A: E(KU_a, [E(KR_auth, [N_a || K_s || ID_A || ID_B]) || N_b])
(7) A → B: E(K_s, N_b)
Chapter 14 – Authentication Applications
Authentication Applications
• will consider authentication functions
• developed to support application-level authentication & digital signatures
• will consider Kerberos – a private-key authentication service
• then X.509 directory authentication service
Kerberos
• trusted key server system from MIT
• provides centralised private-key third-party authentication in a distributed network
– allows users access to services distributed through network
– without needing to trust all workstations
– rather all trust a central authentication server
• two versions in use: 4 & 5
Kerberos Requirements
• first published report identified its requirements as:
– security
– reliability
– transparency
– scalability
• implemented using an authentication protocol
Authentication with AS
• C → AS: IDc || Pc || IDv
• AS → C: Ticket
• C → V: IDc || Ticket
Ticket = E(Kv, [IDc || ADc || IDv])
Items
• C =client
• AS =authentication server
• V =server
• IDc =identifier of user on C
• IDv =identifier of V
• Pc =password of user on C
• ADc=network address of C
• Kv =secret encryption key shared by AS and V
More Secure Authentication
Once per user logon session:
• C → AS: IDc || IDtgs
• AS → C: E(Kc, Ticket_tgs)
Once per type of service:
• C → TGS: IDc || IDv || Ticket_tgs
• TGS → C: Ticket_v
Once per service session:
• C → V: IDc || Ticket_v
Ticket_tgs = E(Ktgs, [IDc || ADc || IDtgs || TS1 || Lifetime1])
Ticket_v = E(Kv, [IDc || ADc || IDv || TS2 || Lifetime2])
Items
• TGS: Ticket granting server (TGS)
• TS: Time stamp
Kerberos 4 Overview
• A basic third-party authentication scheme
• have an Authentication Server (AS)
– users initially negotiate with AS to identify self
– AS provides a non-corruptible authentication credential (ticket granting ticket TGT)
• have a Ticket Granting server (TGS)
– users subsequently request access to other services from TGS on basis of users TGT
Kerberos 4 Overview
Kerberos Realms
• a Kerberos environment consists of:
– a Kerberos server
– a number of clients, all registered with server
– application servers, sharing keys with server
• this is termed a realm
– typically a single administrative domain
• if have multiple realms, their Kerberos servers must share keys and trust
Kerberos Version 5
• developed in mid 1990’s
• provides improvements over v4
– addresses environmental shortcomings
• encryption alg, network protocol, byte order, ticket lifetime, authentication forwarding, interrealm auth
– and technical deficiencies
• double encryption, non-std mode of use, session keys, password attacks
• specified as Internet standard RFC 1510
X.509 Authentication Service
• part of CCITT X.500 directory service standards
– distributed servers maintaining some info database
• defines framework for authentication services
– directory may store public-key certificates
– with public key of user
– signed by certification authority
• also defines authentication protocols
• uses public-key crypto & digital signatures
– algorithms not standardised, but RSA recommended
ITU-T
• ITU telecommunication standardization sector (ITU-T) coordinates standards for telecommunications on behalf of the international telecommunication union (ITU)
X.509 Certificates
• issued by a Certification Authority (CA), containing:
– version (1, 2, or 3)
– serial number (unique within CA) identifying certificate
– signature algorithm identifier
– issuer X.500 name (CA)
– period of validity (from - to dates)
– subject X.500 name (name of owner)
– subject public-key info (algorithm, parameters, key)
– issuer unique identifier (v2+)
– subject unique identifier (v2+)
– extension fields (v3)
– signature (of hash of all fields in certificate)
• notation CA<<A>> denotes certificate for A signed by CA
X.509 Certificates
Make Certification
Figure: the unsigned certificate (User ID, Public Key, ...) is hashed; the hash is encrypted with the CA’s private key (CA PR) and appended to the unsigned certificate as its signature.
Obtaining a Certificate
• any user with access to CA can get any certificate from it
• only the CA can modify a certificate
• because cannot be forged, certificates can be placed in a public directory
CA Hierarchy
• if both users share a common CA then they are assumed to know its public key
• otherwise CA's must form a hierarchy
• use certificates linking members of hierarchy to validate other CA's
– each CA has certificates for clients (forward) and parent (backward)
• each client trusts parents certificates
• enable verification of any certificate from one CA by users of all other CAs in hierarchy
CA{V, SN, AI, CA, TA, A, Ap}
• V: version
• SN: Serial number, an integer unique within the issuing CA
• AI: Signature algorithm identifier, the algorithm used to sign the certificate
• CA: Issuer name, X.500 name of the CA that created and signed this certificate.
• TA: Period of time, first and last valid dates
• A: Subject name, name of the user to whom this certificate refers; the certificate certifies the public key
• Ap: Issuer unique identifier for identifying the CA
CA Hierarchy Use
Certificate Revocation
• certificates have a period of validity
• may need to revoke before expiry, eg:
1. user's private key is compromised
2. user is no longer certified by this CA
3. CA's certificate is compromised
• CA’s maintain list of revoked certificates
– the Certificate Revocation List (CRL)
• users should check certs with CA’s CRL
Authentication Procedures
• X.509 includes three alternative authentication procedures:
• One-Way Authentication
• Two-Way Authentication
• Three-Way Authentication
• all use public-key signatures
One-Way Authentication
• 1 message (A→B) used to establish
– the identity of A and that message is from A
– message was intended for B
– integrity & originality of message
• message must include timestamp, nonce, B's identity and is signed by A
One way
• The message, including the identity of B, is signed with A’s private key.
A{t_A, r_A, ID_B, sgnData, E[PU_b, K_ab]}
Items
• t_A: time stamp
• r_A: a nonce
• A{...}: signed with A’s private key.
• ID_B: identity of B
• sgnData: the data being signed
Two-Way Authentication
• 2 messages (A->B, B->A) which also establishes in addition:
– the identity of B and that reply is from B
– that reply is intended for A
– integrity & originality of reply
• reply includes original nonce from A, also timestamp and nonce from B
Two-way
A{t_A, r_A, ID_B, sgnData, E[PU_b, K_ab]}
B{t_B, r_B, ID_A, r_A, sgnData, E[PU_a, K_ba]}
Three-Way Authentication
• 3 messages (A->B, B->A, A->B) which enables above authentication without synchronized clocks
• has reply from A back to B containing signed copy of nonce from B
• means that timestamps need not be checked or relied upon
Three-way
A{t_A, r_A, ID_B, sgnData, E[PU_b, K_ab]}
B{t_B, r_B, ID_A, r_A, sgnData, E[PU_a, K_ba]}
A{r_B}
X.509 Version 3
• has been recognised that additional information is needed in a certificate
– email/URL, policy details, usage constraints
• rather than explicitly naming new fields defined a general extension method
• extensions consist of:
– extension identifier
– criticality indicator
– extension value
Certificate Extensions
• key and policy information
– convey info about subject & issuer keys, plus indicators of certificate policy
• certificate subject and issuer attributes
– support alternative names, in alternative formats for certificate subject and/or issuer
• certificate path constraints
– allow constraints on use of certificates by other CA’s
Summary
• have considered:
– Kerberos trusted key server system
– X.509 authentication and certificates
Problem
Let message M=10111011 01011110 00011011
1) Assume that n=8. Compute the simple hashing function value h(M).
2) Find another different message M’ such that h(M)=h(M’).
3) Does the simple hashing function satisfy the requirements for general hashing function?
Some New approaches for Preventing Software Tampering
Bin Fu, Uni. of New Orleans
Golden Richard III, Uni. of New Orleans
Yixin Chen Uni. of New Orleans
Adbo Husseiny Tech. Int. of Virginia
Software protection
• Global economic impact of software piracy was $11 billion in 2001.
• 40% of commercial software in use is pirated.
Password
• Check Password before running the software
• The password checking may be bypassed
Check password
#include <stdio.h>
#define realPassword 5413   /* the real password is a literal in the binary */
……..
int main(void) {
    int password;
    scanf("%d", &password);                /* read the password typed by the user */
    if (password != realPassword)
        printf("password is incorrect\n");
    else {
        /* run the software */
    }
    return 0;
}
Problems with the password checking
• It is easy to bypass by removing the part of code checking the password
• The password is released in the code.
Method 1
• Select a hashing function h( )
• Select multiple constants and change them (offline):
c1’ ← c1 − h(password+1)
c2’ ← c2 − h(password+2)
• Recover them from the correct password (online):
c1 ← c1’ + h(password+1)
c2 ← c2’ + h(password+2)
Solve Quadratic Equation
x^2 + b x + c = 0
It has two roots:
x_1 = (−b + sqrt(b^2 − 4c)) / 2
x_2 = (−b − sqrt(b^2 − 4c)) / 2
#include <math.h>
#define c1 2.0   /* the divisor 2 of the root formula */
#define c2 4.0   /* the factor 4 under the square root */
/* roots of x^2 + b x + c = 0; c1 and c2 are the constants the protection will hide */
void quadratic(double b, double c, double *root1,
double *root2){
double temp;
temp=sqrt(b*b-c2*c);
*root1=(-b+temp)/c1;
*root2=(-b-temp)/c1;
}
For solving the equation
x^2 + b x + c = 0
#include <stdio.h>
#include <math.h>
#define realPassword 2314
#define c1 2.0
#define c2 4.0
void quadratic(double b, double c, double *root1, double *root2) {
  double temp;
  temp = sqrt(b*b - c2*c);
  *root1 = (-b + temp)/c1;
  *root2 = (-b - temp)/c1;
}
int main(void) {
  double b, c, root1, root2;
  int password;
  scanf("%d", &password);
  if (password != realPassword) {
    printf("password is incorrect");       /* the check an attacker can patch out */
  } else {
    scanf("%lf, %lf", &b, &c);
    quadratic(b, c, &root1, &root2);
    printf("%lf, %lf", root1, root2);
  }
  return 0;
}
//offline for computing e1 and e2
#define d1 e1 //e1=c1-hash(realPassword+1), computed offline and pasted in as a literal
#define d2 e2 //e2=c2-hash(realPassword+2)
double c1,c2;
int main() {
…….
scanf("%d", &password);
c1=d1+hash(password+1);
c2=d2+hash(password+2);
………
#include <stdio.h>
#include <math.h>
#include "hash.h"        /* provides double hash(int); assumed from the authors' toolkit */
#define d1 e1            /* e1 = c1 - hash(realPassword+1), computed offline */
#define d2 e2            /* e2 = c2 - hash(realPassword+2), computed offline */
double c1, c2;           /* recovered at run time; no longer literals in the binary */
void quadratic(double b, double c, double *root1, double *root2) {
  double temp;
  temp = sqrt(b*b - c2*c);
  *root1 = (-b + temp)/c1;
  *root2 = (-b - temp)/c1;
}
int main(void) {
  double b, c, root1, root2;
  int password;
  scanf("%d", &password);
  c1 = d1 + hash(password+1);   /* a wrong password yields wrong constants, not an error message */
  c2 = d2 + hash(password+2);
  scanf("%lf", &b);
  scanf("%lf", &c);
  quadratic(b, c, &root1, &root2);
  printf("%lf, %lf", root1, root2);
  return 0;
}
Hardness to break
• The attacker has to understand the algorithm to considerable level in order to recover those constants
• If attacker knows some of the constants the security depends on the hardness of the invertibility of the hashing function
Method 2
• Multiple constants are hidden in an array
• Only correct password can find their correct addresses
#include <stdio.h>
#include "hash.h"        /* int hash(int) assumed; maps to an index in [0, array_size) */
#define array_size 64
double c1, c2, c3, c4;   /* the constants, located in the table by the password */
int main(void) {
  double b, c, root1, root2;
  int password;
  double constants[array_size] = {
    3.12, 4.0, 5.12, 4.13, 2.0, 5.16, 2.17, 3.0, 7.52, 6.9, 8.73, 9.23, 9.0, 8.42, 7.29, 5.9,
    1.92, 9.2, 3.92, 6.63, 8.7, 8.36, 9.15, 1.0, 4.91, 4.9, 7.19, 2.76, 5.8, 8.79, 5.32, 4.9,
    9.30, 2.9, 8.17, 9.26, 7.2, 3.12, 3.56, 3.7, 7.98, 6.8, 3.32, 5.78, 4.6, 1.26, 4.32, 2.8,
    3.10, 5.3, 3.83, 4.28, 7.9, 3.64, 4.57, 4.9, 2.23, 3.8, 3.87, 6.12, 4.5, 4.98, 0.00, 9.0 };
  scanf("%d", &password);
  c1 = constants[hash(password+1)];   /* only the correct password selects the right slots */
  c2 = constants[hash(password+2)];
  c3 = constants[hash(password+3)];
  c4 = constants[hash(password+4)];
  ……..
}
Correct Password gives correct memory addresses
• For correct password p, h(p+1)=4, h(p+2)=1, h(p+3)=23, h(p+4)=62.
• c1=const[4]=2.0; c2=const[1]=1.0; c3=const[23]=1.0; c4=const[62]=0.0;
Combine Two Methods (Off Line)
• Select two hashing functions h_address( ) and h_value
• Select some constants c1, c2
• Compute c1’ = c1 − h_value(p+1) and c2’ = c2 − h_value(p+2)
• Save c1’ at h_address(p+1) and c2’ at h_address(p+2)
Combine Two Methods (On Line)
• Read the password p
• Fetch c1’ from h_address(p+1) and c2’ from h_address(p+2)
• Recover c1 by c1’ + h_value(p+1) and c2 by c2’ + h_value(p+2)
Hide the password
• Offline: let q=hash(password)
• Online:
read p
if (hash(p)==q) then accept
else reject
• Security: collision is hard for hash( )
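The combined method (value hash plus address hash, offline and online halves) together with the hidden-password check, as an added example that is not the authors' code: the two quadratic constants 2.0 and 4.0 are hidden in a table of decoys at password-derived slots, shifted by a password-derived value, and recovered only when the right password is supplied. The hash functions h_value and h_address are constructed here from SHA-256, the decoy values and the sample password are constructed, and the next-free-slot rule for address collisions is an assumption added so that both halves agree without storing anything extra.

```python
import hashlib


def h_value(x: int) -> int:
    """Constructed value-hash h_value: the first 4 bytes of SHA-256(x) as an integer."""
    return int.from_bytes(hashlib.sha256(b"value:" + str(x).encode()).digest()[:4], "big")


def h_address(x: int, size: int) -> int:
    """Constructed address-hash h_address: an index into the constant table."""
    return int.from_bytes(hashlib.sha256(b"addr:" + str(x).encode()).digest()[:4], "big") % size


def slots(password: int, count: int, size: int) -> list:
    """Table index for constants i = 1..count; an address collision moves to the next free slot.

    The offline and the online side both run this, so they agree without extra data.
    """
    used = []
    for i in range(1, count + 1):
        a = h_address(password + i, size)
        while a in used:
            a = (a + 1) % size
        used.append(a)
    return used


def protect(password: int, constants: list, size: int = 64) -> list:
    """Offline: store c_i' = c_i - h_value(p+i) at h_address(p+i); other slots hold decoys."""
    table = [(h_value(10_000 + j) % 1000) / 100.0 for j in range(size)]   # constructed decoys
    for i, (slot, c) in enumerate(zip(slots(password, len(constants), size), constants), 1):
        table[slot] = c - h_value(password + i)
    return table


def recover(password: int, table: list, count: int) -> list:
    """Online: fetch c_i' from h_address(p+i) and add h_value(p+i) back."""
    return [table[slot] + h_value(password + i)
            for i, slot in enumerate(slots(password, count, len(table)), 1)]


def quadratic_roots(b: float, c: float, consts: list) -> tuple:
    """Roots of x^2 + b x + c = 0 with the recovered constants (2.0 and 4.0 when correct)."""
    c1, c2 = consts
    temp = (b * b - c2 * c) ** 0.5       # a wrong password silently gives wrong roots
    return ((-b + temp) / c1, (-b - temp) / c1)


def password_digest(password: int) -> str:
    """'Hide the password': only q = hash(password) is kept in the program."""
    return hashlib.sha256(str(password).encode()).hexdigest()


def check_password(candidate: int, stored_q: str) -> bool:
    return password_digest(candidate) == stored_q
```

With a wrong password the program does not fail loudly; it computes with different constants, which is the point of the approach: there is no single comparison to patch out, and the attacker who wants the real constants must either know the password or invert the value hash.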
Apply the method to obfuscation
• Define function pointers array
• Let the password determine the functions called by giving the address to the corresponding pointers
#include <stdio.h>
#include <math.h>
#define c0 0
#define c1 1
#define c2 2
#define c3 3
double temp;
int (*a[4])(void);          /* function pointer table; c0..c3 decide which step each index holds */
double b, c, root1, root2;
int step0(void) { temp = sqrt(b*b - 4.0*c); return 0; }
int step1(void) { root1 = (-b + temp)/2.0; return 0; }
int step2(void) { root2 = (-b - temp)/2.0; return 0; }
int quadratic(void) { a[c0](); a[c1](); a[c2](); return 0; }
int main(void) {
  //assign function pointers to the array a[ ] below
  a[0] = step0; a[1] = step1; a[2] = step2; a[3] = quadratic;
  scanf("%lf %lf", &b, &c);
  a[c3]();                  /* call quadratic through the table */
  printf("%lf, %lf", root1, root2);
  return 0;
}
Method 3
• Select multiple constants and change them (offline):
c1’ ← c1 − h(password+1); c2’ ← c2 − h(password+2);
c3’ ← c3 − h(password+3); c4’ ← c4 − h(password+4);
• Recover them from the correct password (online):
c1 ← c1’ + h(password+1); c2 ← c2’ + h(password+2);
c3 ← c3’ + h(password+3); c4 ← c4’ + h(password+4);
Conclusions
• Protect software by password
Method 1: change multiple constants
Method 2: Rearrange multiple constants
• Future research: Protect software by hardware
The End
Thank You
Client and Server
Figure: several Clients connect to one Server.
Figure (protocol stack): Application protocol, TCP protocol, IP protocol, Ethernet protocol over Ethernet; on each host the Web client / Web server sits above TCP, IP and the Ethernet driver; routers A, B, C, D and E forward the datagrams D1, D2, D3 between the two hosts.
Design Philosophy
FTP, WEB: Application Service
TCP: Reliable Transport Service
IP: Connectionless Packet Delivery Service
Port Number
• TCP allows multiple application programs on a machine
• Protocol port numbers identify the ultimate destination within a machine
• An end point is represented by (host_ip_address, port)
Learn Networking
• Packet header
• Buffer management
TCP client and TCP server call sequence:
Server: socket(), bind(), listen(), accept() (blocks until a connection arrives)
Client: socket(), connect() (establishes the connection)
Client write() sends the data request; server read() receives it
Server write() sends the data reply; client read() receives it
Client close() sends the end notification; server read() returns it and the server calls close()
TCP handshaking (client and server side):
Client: socket; connect (blocks during the handshake); connect returns; read (blocks waiting for the reply)
Server: socket, bind, listen; accept (blocks); accept returns once the handshake completes
TCP sends packets (client and server side):
Client sends packet1; server receives packet1 and sends ACK1; client receives ACK1
Client sends packet2; server receives packet2 and sends ACK2; client receives ACK2
Sliding Window Algorithm
p1 p2 p3 p4 p5 p6 p8 p9 p10 p11 p12
p1 p2 p3 p4 p5 p6 p8 p9 p10 p11 p12
Only send the packets in the window at one moment
Window moves right after leftmost is acknowledged
Algorithm Properties
• Remember which packets are unacknowledged
• Move past all acknowledged packets
• Retransmit a lost packet when its timer expires
• The window size changes based on the bandwidth
Example of size four (sender on the left, receiver on the right):
send p1
send p2 | receive p1, send A1
send p3 | receive p2, send A2
send p4 | receive p3, send A3
receive A1 | receive p4, send A4
receive A2
receive A3
receive A4
TCP segment format
Source port(16b) Destination port(16b)
Sequence number(32b)
Acknowledgement number(32b)
Hlen(4b) Reserved(6b) Code bits(6b) Window(16b)
Checksum(16b) ….
Data
TCP Header
• Source port: TCP port number of source end
• Destination port: TCP port number of destination end
• Sequence number: Position in sender’s byte stream
• Acknowledgement number: Number of bytes expected to receive
• Hlen: Length of header measured in 32b words (maybe 20 bytes)
• Code bits: Purpose of the segment such as reset connection, end of the byte stream, etc
• Window: Buffer size
• Checksum: Data integrity
Internet Protocol (IP)
• Unreliable, connectionless delivery
• Routing over internet
• Rules for unreliable delivery: send an error message, discard the packet
IP datagram format
Vers(4b) Hlen(4b) ServiceType(8b) TotalLength(16b)
Identification(16b) Flags(4b) FragmentOffset(12b)
TimeToLive(8b) Protocol(8b) HeaderChecksum(16b)
SourceIPAddress(32b)
DestinationIPAddress(32b)
IPOptions(24b) Padding(8b)
Data …….
IP
• Vers: IP version used to create the datagram
• Hlen: datagram header length measured in 32b words
• ServiceType: precedence(3b), D(1b), T(1b), R(1b)
• TotalLength: the total length of datagram in bytes
• Identification: Determine which datagram it belongs to
• FragmentOffset: Offset in the original datagram
• Checksum: Data integrity
• TimeToLive: Maximum time to stay over internet. Decreased by one by each router.
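A parser for the two header formats above, added here as an example that is not part of the slides: it decodes an IPv4 header and the TCP segment it carries from raw bytes, verifies both checksums (the IP header checksum, and the TCP checksum over the pseudo-header plus segment), and is exercised on a constructed SYN packet built in the same block. Following RFC 791, the code splits the 16-bit word after Identification as 3 flag bits and a 13-bit fragment offset; the addresses and port numbers are constructed sample values.

```python
import struct


def ones_complement_checksum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 791/793); returns 0 when run over data that carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                              # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(pkt: bytes) -> dict:
    (vers_hlen, _tos, total_len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    hlen = (vers_hlen & 0x0F) * 4                   # Hlen counts 32-bit words
    return {
        "version": vers_hlen >> 4,
        "hlen": hlen,
        "total_length": total_len,
        "identification": ident,
        "flags": flags_frag >> 13,                  # reserved, DF, MF
        "fragment_offset": flags_frag & 0x1FFF,     # in 8-byte units
        "ttl": ttl,
        "protocol": proto,                          # 6 = TCP
        "checksum_ok": ones_complement_checksum(pkt[:hlen]) == 0,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "payload": pkt[hlen:total_len],
    }


TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]   # code bits, low to high


def parse_tcp(seg: bytes, src: bytes, dst: bytes) -> dict:
    sport, dport, seq, ack, off_res, flags, window, _csum, _urg = struct.unpack("!HHIIBBHHH", seg[:20])
    hlen = (off_res >> 4) * 4
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(seg))   # pseudo-header for the TCP checksum
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "hlen": hlen,
        "flags": [name for bit, name in enumerate(TCP_FLAGS) if flags & (1 << bit)],
        "window": window,
        "checksum_ok": ones_complement_checksum(pseudo + seg) == 0,
        "payload": seg[hlen:],
    }


def build_sample_syn() -> bytes:
    """Constructed IPv4/TCP SYN from 192.0.2.1:40000 to 198.51.100.7:443 with valid checksums."""
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    tcp_csum = ones_complement_checksum(src + dst + struct.pack("!BBH", 0, 6, len(tcp)) + tcp)
    tcp = tcp[:16] + struct.pack("!H", tcp_csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_checksum(ip)) + ip[12:]
    return ip + tcp


def decode(pkt: bytes) -> dict:
    """IP header first, then the TCP segment it carries."""
    ip = parse_ipv4(pkt)
    src = bytes(map(int, ip["src"].split(".")))
    dst = bytes(map(int, ip["dst"].split(".")))
    return {"ip": ip, "tcp": parse_tcp(ip["payload"], src, dst)}
```

The checksum verification is the part worth keeping in mind when reading packet captures: a header whose checksum does not verify was altered in transit or crafted by hand, and the same one's-complement routine serves both layers once the TCP pseudo-header is prepended.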
IP routing
• Find path to send the packet
• Routing table
• Routing protocols
Figure: two hosts M connected through a chain of routers
Socket Address
• struct in_addr{
in_addr_t s_addr; //32 bit IPv4 address
};
• struct sockaddr_in{
uint8_t sin_len; //length of structure
sa_family_t sin_family; //AF_INET
in_port_t sin_port; //16 bit port number
struct in_addr sin_addr; //32 bit IPv4 address
char sin_zero[8]; //unused
};
Generic Socket Address
• struct sockaddr{
uint8_t sa_len;
sa_family_t sa_family; //address family:AF_xx
char sa_data[14]; //prot.-specific address
};
bind( )
• #include <sys/socket.h>
• int bind(int sockfd,
const struct sockaddr *myaddr,
socklen_t addrlen)
• Assigns a local protocol address to a socket
listen( )
• #include <sys/socket.h>
• int listen(int sockfd, int backlog)
• Returns 0 if OK, -1 on error
• Converts an unconnected socket into a passive socket, indicating that the kernel should accept incoming connection requests directed to it
listen( )
• sockfd: socket descriptor returned by the socket function
• backlog: maximum combined size of two queues
incomplete connection queue: connections whose three-way handshake has not yet completed
completed connection queue: connections whose three-way handshake has completed
Two Queues for Connection
Figure: an arriving SYN creates an entry in the incomplete connection queue of the server’s TCP; when the handshake completes the entry moves to the completed connection queue, from which accept removes it.
accept( )
• #include <sys/socket.h>
• int accept(int sockfd,
struct sockaddr *cliaddr,
socklen_t *addrlen)
• Called by a TCP server to return the next completed connection from the front of the completed connection queue
Connect( )
• #include <sys/socket.h>
• int connect(int sockfd,
const struct sockaddr *servaddr,
socklen_t addrlen);
• Returns 0 if OK, -1 on error
• Establish a connection with a TCP server
Connect( )
• sockfd: socket descriptor returned by the socket function
• servaddr: socket address structure with IP address and port number of server
• addrlen: the length of the socket address structure
A web site for source code
• Address:
http://www.kohala.com/start/unpv12e.html
• Download Source code
• Execute the commands in README
• Book: Unix Network Programming,
by Richard Stevens
Cryptography and Network Security
Third Edition
by William Stallings
Lecture slides by Lawrie Brown
IP Security
• have considered some application specific security mechanisms
– eg. Kerberos, SSL/HTTPS
• however there are security concerns that cut across protocol layers
• would like security implemented by the network for all applications
IPSec
• general IP Security mechanisms
• provides
– authentication
– confidentiality
– key management
• applicable to use over LANs, across public & private WANs, & for the Internet
IPSec Uses
Benefits of IPSec
• in a firewall/router provides strong security to all traffic crossing the perimeter
• is resistant to bypass
• is below transport layer, hence transparent to applications
• can be transparent to end users
• can provide security for individual users if desired
IP Security Architecture
• specification is quite complex
• defined in numerous RFC’s
– incl. RFC 2401/2402/2406/2408
– many others, grouped by category
• mandatory in IPv6, optional in IPv4
IPSec Services
• Access control
• Connectionless integrity
• Data origin authentication
• Rejection of replayed packets– a form of partial sequence integrity
• Confidentiality (encryption)
• Limited traffic flow confidentiality
Security Associations
• a one-way relationship between sender & receiver that affords security for traffic flow
• defined by 3 parameters:
– Security Parameters Index (SPI)
– IP Destination Address
– Security Protocol Identifier
• has a number of other parameters
– seq no, AH & EH info, lifetime etc
• have a database of Security Associations
Authentication Header (AH)
• provides support for data integrity & authentication of IP packets
– end system/router can authenticate user/app
– prevents address spoofing attacks by tracking sequence numbers
• based on use of a MAC
– HMAC-MD5-96 or HMAC-SHA-1-96
• parties must share a secret key
Original IP
• Before AH
IPv4: Orig IP hdr | TCP | Data
IPv6: Orig IP hdr | dest, routing | dest | TCP | Data
Transport Mode AH
• After AH
IPv4: Orig IP hdr | AH | TCP | Data
IPv6: Orig IP hdr | dest, routing | AH | dest | TCP | Data
Authenticated: the whole packet in both cases
Tunnel Mode AH
• Format
IPv4: New IP hdr | AH | Orig IP hdr | TCP | Data
IPv6: New IP hdr | ext headers | AH | Orig IP hdr | ext headers | TCP | Data
Authenticated: the whole packet, including the new IP header, in both cases
Authentication Header
Transport & Tunnel Modes
Encapsulating Security Payload (ESP)
• provides message content confidentiality & limited traffic flow confidentiality
• can optionally provide the same authentication services as AH
• supports range of ciphers, modes, padding
– incl. DES, Triple-DES, RC5, IDEA, CAST etc
– CBC most common
– pad to meet blocksize, for traffic flow
Encapsulating Security Payload
Transport vs Tunnel Mode ESP
• transport mode is used to encrypt & optionally authenticate IP data
– data protected but header left in clear
– can do traffic analysis but is efficient
– good for ESP host to host traffic
• tunnel mode encrypts entire IP packet
– add new header for next hop
– good for VPNs, gateway to gateway security
Transport Mode ESP
• Format
IPv4: Orig IP hdr | ESP hdr | TCP | Data | ESP trlr | ESP auth
IPv6: Orig IP hdr | dest, routing | ESP hdr | dest | TCP | Data | ESP trlr | ESP auth
Encrypted: from the field after ESP hdr through ESP trlr; Authenticated: from ESP hdr through ESP trlr
Tunnel Mode ESP
• Format
IPv4: New IP hdr | ESP hdr | Orig IP hdr | TCP | Data | ESP trlr | ESP auth
IPv6: New IP hdr | ext hdr | ESP hdr | orig IP hdr | ext hdr | TCP | Data | ESP trlr | ESP auth
Encrypted: from Orig IP hdr through ESP trlr; Authenticated: from ESP hdr through ESP trlr
Items
• ESP trailer: Padding, Pad length, etc.
• ESP auth: ESP authentication.
Combining Security Associations
• SA’s can implement either AH or ESP
• to implement both need to combine SA’s– form a security bundle
• have 4 cases (see next)
Combining Security Associations
Key Management
• handles key generation & distribution
• typically need 2 pairs of keys
– 2 per direction for AH & ESP
• manual key management
– sysadmin manually configures every system
• automated key management
– automated system for on demand creation of keys for SA’s in large systems
– has Oakley & ISAKMP elements
Oakley
• a key exchange protocol
• based on Diffie-Hellman key exchange
• adds features to address weaknesses
– cookies, groups (global params), nonces, DH key exchange with authentication
• can use arithmetic in prime fields or elliptic curve fields
ISAKMP
• Internet Security Association and Key Management Protocol
• provides framework for key management
• defines procedures and packet formats to establish, negotiate, modify, & delete SAs
• independent of key exchange protocol, encryption alg, & authentication method
Diffie-Hellman Key Exchange
• Enable two users to exchange a key securely
• Published in 1976
• Commercial Products available
Global Public Elements
• Prime number q
• Primitive root α of q (α mod q, α^2 mod q, α^3 mod q, ..., α^(q-1) mod q is a permutation of 1, 2, 3, ..., q-1)
User A Key Generation
• Select private X_A < q
• Compute public Y_A = α^(X_A) mod q
User B Key Generation
• Select private X_B < q
• Compute public Y_B = α^(X_B) mod q
User A Key Generation
• A: K = (Y_B)^(X_A) mod q
= (α^(X_B) mod q)^(X_A) mod q
= α^(X_B X_A) mod q
= (α^(X_A) mod q)^(X_B) mod q
= (Y_A)^(X_B) mod q
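The exchange above with the public elements checked and both sides' keys computed, as an added example that is not part of the slides. The parameters q = 353, α = 3, X_A = 97, X_B = 233 are the small textbook-sized values used here for illustration; the brute-force routine at the end is included to show why such a q is far too small to use, since the private exponent is recovered from the public value by trying every exponent.

```python
def is_primitive_root(alpha: int, q: int) -> bool:
    """alpha is a primitive root of the prime q when alpha^1..alpha^(q-1) mod q permute 1..q-1."""
    return sorted(pow(alpha, k, q) for k in range(1, q)) == list(range(1, q))


def public_key(alpha: int, q: int, x: int) -> int:
    """Y = alpha^X mod q."""
    return pow(alpha, x, q)


def shared_key(peer_public: int, x: int, q: int) -> int:
    """K = (Y_peer)^X mod q."""
    return pow(peer_public, x, q)


def exchange(q: int, alpha: int, x_a: int, x_b: int) -> dict:
    """Both sides of the exchange; 'agree' also checks the algebraic identity K = alpha^(X_A X_B) mod q."""
    if not is_primitive_root(alpha, q):
        raise ValueError("alpha is not a primitive root of q")
    y_a, y_b = public_key(alpha, q, x_a), public_key(alpha, q, x_b)
    k_a, k_b = shared_key(y_b, x_a, q), shared_key(y_a, x_b, q)
    return {"Y_A": y_a, "Y_B": y_b, "K_A": k_a, "K_B": k_b,
            "agree": k_a == k_b == pow(alpha, x_a * x_b, q)}


def brute_force_private(alpha: int, q: int, y: int) -> int:
    """Recover X from Y = alpha^X mod q by exhaustive search: feasible only because q is tiny."""
    for x in range(1, q):
        if pow(alpha, x, q) == y:
            return x
    raise ValueError("no exponent found")


# Constructed demonstration parameters (textbook-sized, not a real deployment)
Q, ALPHA, X_A, X_B = 353, 3, 97, 233
```

The security of the exchange rests on the discrete logarithm being infeasible for the chosen group; with real parameters q is thousands of bits long (or an elliptic-curve group is used, as the Oakley slide notes), and the brute-force loop above would never finish.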
Final Presentation
• Find a related security paper published in the last five years in a good journal or conference
• Read it carefully.
• Describe the security problem that it deals with
• Describe the solution
• Possible future development
• Find the current background in that line.
• Everyone talks about 30 minutes
• No single paper can be shared by two people.
Evaluation
• Presentation
• The quality of the paper that you selected
• The slides that you made
• Problem and solution.
• Your effort in proposing any future research plan in the similar topic.
Aggressive Key Exchange
• The communications:
I → R: CKY_I, OK_KEYX, GRP, g^x, EHAO, NIDP, ID_I, ID_R, N_I, S_KI[ID_I || ID_R || N_I || GRP || g^x || EHAO]
R → I: CKY_R, OK_KEYX, GRP, g^y, EHAS, NIDP, ID_R, ID_I, N_R, N_I, S_KR[ID_R || ID_I || N_R || N_I || GRP || g^y || g^x || EHAS]
I → R: CKY_I, CKY_R, OK_KEYX, GRP, g^x, EHAO, NIDP, ID_I, ID_R, N_I, N_R, S_KI[ID_I || ID_R || N_I || GRP || g^x || g^y || EHAS]
• I = Initiator
• R = Responder
• CKY_I, CKY_R = Initiator, responder cookies
• OK_KEYX = Key exchange message type
• GRP = Name of Diffie-Hellman group for this exchange
• g^x, g^y = Public key of initiator, responder
• EHAO, EHAS = Encryption, hash, authentication functions, offered and selected
• NIDP = Indicates encryption is not used for remainder of this message
• N_I, N_R = Random nonce supplied by initiator, responder
• S_KI[X], S_KR[X] = Indicates the signature over X using private key (signing key) of initiator, responder
ISAKMP
Summary
• have considered:
– IPSec security framework
– AH
– ESP
– key management & Oakley/ISAKMP
Chapter 17 – Web Security
Web Security
• Web now widely used by business, government, individuals
• but Internet & Web are vulnerable
• have a variety of threats
– integrity
– confidentiality
– denial of service
– authentication
• need added security mechanisms
SSL (Secure Socket Layer)
• transport layer security service
• originally developed by Netscape
• version 3 designed with public input
• subsequently became Internet standard known as TLS (Transport Layer Security)
• uses TCP to provide a reliable end-to-end service
• SSL has two layers of protocols
SSL Architecture
SSL Architecture
• SSL session
– an association between client & server
– created by the Handshake Protocol
– defines a set of cryptographic parameters
– may be shared by multiple SSL connections
• SSL connection
– a transient, peer-to-peer, communications link
– associated with 1 SSL session
Parameters for a session
• Session identifier:
• Peer Certificate: An X509.v3 certificate
• Compression method
• Cipher spec: data encryption algorithm and hash
• Master key: 48 bits shared between client and server
• Is resumable: whether the session can be used for new connections
Parameters for a connection
• Server and client random: chosen for each connection
• Server write MAC secret key: Used for MAC
• Client write MAC secret key: Used for MAC
• Server write key: Used for encryption
• Client write key: Used for encryption
• Initialization vector:
• Sequence number: for each transmitted message
SSL Record Protocol
• confidentiality
– using symmetric encryption with a shared secret key defined by Handshake Protocol
– IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
– message is compressed before encryption
• message integrity
– using a MAC with shared secret key
– similar to HMAC but with different padding
SSL Record Format
• header: Content type, Major version, Minor version, Compressed length
• body: compressed plaintext followed by the MAC (0, 16, or 20 bytes); plaintext and MAC are encrypted
SSL Record Operation
• application data → fragment → compress → add MAC → encrypt → append SSL record header
SSL Change Cipher Spec Protocol
• one of 3 SSL specific protocols which use the SSL Record protocol
• a single message
• causes pending state to become current
• hence updating the cipher suite in use
SSL Alert Protocol
• conveys SSL-related alerts to peer entity
• severity
– warning or fatal
• specific alert
– unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter
– close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown
• compressed & encrypted like all SSL data
SSL Handshake Protocol
• allows server & client to:
– authenticate each other
– negotiate encryption & MAC algorithms
– negotiate cryptographic keys to be used
• comprises a series of messages in phases
– Establish Security Capabilities
– Server Authentication and Key Exchange
– Client Authentication and Key Exchange
– Finish
SSL Handshake Protocol
Phase 1
• Establish security capabilities, including protocol version, session ID, cipher suite, compression method, and initial random numbers
Phase 2
• Server may send certificate, key exchange, and request certificate. Server signals end of hello message phase
Phase 2 Format
• Server-parameters: about certificate, key-exchange protocol (Diffie-Hellman)
• Hash(clientHello.random||serverHello.random||serverParams)
Phase 3
• Client sends certificate if requested. Client sends key exchange. Client may send certificate verification
Phase 4
• Change cipher suite and finish handshake protocol.
TLS (Transport Layer Security)
• IETF standard RFC 2246 similar to SSLv3
• with minor differences
– in record format version number
– uses HMAC for MAC
– a pseudo-random function expands secrets
– has additional alert codes
– some changes in supported ciphers
– changes in certificate negotiations
– changes in use of padding
Secure Electronic Transactions (SET)
• open encryption & security specification
• to protect Internet credit card transactions
• developed in 1996 by Mastercard, Visa etc
• not a payment system
• rather a set of security protocols & formats
– secure communications amongst parties
– trust from use of X.509v3 certificates
– privacy by restricting info to those who need it
SET Components
SET Transaction
1. customer opens account
2. customer receives a certificate
3. merchants have their own certificates
4. customer places an order
5. merchant is verified
6. order and payment are sent
7. merchant requests payment authorization
8. merchant confirms order
9. merchant provides goods or service
10. merchant requests payment
Dual Signature
• customer creates dual messages
– order information (OI) for merchant
– payment information (PI) for bank
• neither party needs details of other
• but must know they are linked
• use a dual signature for this
– signed concatenated hashes of OI & PI
Dual Signature
• DS = $E(PR_c, [H(H(PI) \| H(OI))])$
• PI: Payment information (credit card number, etc)
• OI: Order information
• H: Hashing function
• PRc: Private key of the customer
Digests
• OIMD: Order information digest, $OIMD = H(OI)$
• PIMD: Payment information digest, $PIMD = H(PI)$
• POMD: Payment order message digest, $POMD = H(H(PI) \| H(OI))$
Purchase Request – Customer
Purchase Request – Merchant
1. verifies cardholder certificates using CA sigs
2. verifies dual signature using customer's public signature key to ensure order has not been tampered with in transit & that it was signed using cardholder's private signature key
3. processes order and forwards the payment information to the payment gateway for authorization (described later)
4. sends a purchase response to cardholder
Payment Gateway Authorization
1. verifies all certificates
2. decrypts digital envelope of authorization block to obtain symmetric key & then decrypts authorization block
3. verifies merchant's signature on authorization block
4. decrypts digital envelope of payment block to obtain symmetric key & then decrypts payment block
5. verifies dual signature on payment block
6. verifies that transaction ID received from merchant matches that in PI received (indirectly) from customer
7. requests & receives an authorization from issuer
8. sends authorization response back to merchant
Payment Capture
• merchant sends payment gateway a payment capture request
• gateway checks request
• then causes funds to be transferred to merchants account
• notifies merchant using capture response
Summary
• have considered:
– need for web security
– SSL/TLS transport layer security protocols
– SET secure credit card payment protocols
A new authentication
• Public key approach: every message has a unique signature
• ElGamal scheme: every message has multiple valid signatures
ElGamal Signature Scheme
Let p be a prime.
Let $\alpha$ be a primitive root of p.
Let a be the secret number, and $\beta = \alpha^{a} \pmod p$.
Public: $(p, \alpha, \beta)$
Secret: a
$K = (p, \alpha, a, \beta)$
ElGamal Signature Scheme
With $K = (p, \alpha, a, \beta)$
For a random k with $1 \le k \le p-1$ and $\gcd(k, p-1) = 1$, define
$\mathrm{signature}(x, k) = (\gamma, \delta)$, where
$\gamma = \alpha^{k} \pmod p$
$\delta = (x - a\gamma)\,k^{-1} \pmod{p-1}$
ElGamal Signature Scheme
With x and $(\gamma, \delta)$:
$\mathrm{verification}(x, \gamma, \delta) = \mathrm{true}$ iff $\beta^{\gamma}\gamma^{\delta} \equiv \alpha^{x} \pmod p$
Explain
This is because $\beta^{\gamma}\gamma^{\delta} \equiv \alpha^{a\gamma}\alpha^{k\delta} = \alpha^{a\gamma + k\delta} \equiv \alpha^{x} \pmod p$
Misuse One
If the random number k is released, it is easy to get the secret number a:
$\delta = (x - a\gamma)\,k^{-1} \pmod{p-1}$
$k\delta \equiv x - a\gamma \pmod{p-1}$
$a \equiv (x - k\delta)\,\gamma^{-1} \pmod{p-1}$
Misuse Two
If the same k is used for two signatures $(\gamma, \delta_1)$ and $(\gamma, \delta_2)$ for $x_1$ and $x_2$ respectively:
$\beta^{\gamma}\gamma^{\delta_1} \equiv \alpha^{x_1} \pmod p$
$\beta^{\gamma}\gamma^{\delta_2} \equiv \alpha^{x_2} \pmod p$
Misuse Two
From
$\beta^{\gamma}\gamma^{\delta_1} \equiv \alpha^{x_1} \pmod p$ and $\beta^{\gamma}\gamma^{\delta_2} \equiv \alpha^{x_2} \pmod p$
we have
$\alpha^{x_1 - x_2} \equiv \gamma^{\delta_1 - \delta_2} \pmod p$
Since $\gamma \equiv \alpha^{k} \pmod p$,
$\alpha^{x_1 - x_2} \equiv \alpha^{k(\delta_1 - \delta_2)} \pmod p$
Misuse Two
It is equivalent to
$x_1 - x_2 \equiv k(\delta_1 - \delta_2) \pmod{p-1}$
Let $d = \gcd(\delta_1 - \delta_2,\ p-1)$
We have
$d \mid (\delta_1 - \delta_2)$, $d \mid (p-1)$, $d \mid (x_1 - x_2)$
Misuse Two
With $x' = (x_1 - x_2)/d$, $\delta' = (\delta_1 - \delta_2)/d$ and $p' = (p-1)/d$ we have
$x' \equiv k\delta' \pmod{p'}$
$k \equiv x'(\delta')^{-1} \pmod{p'}$
$k \equiv x'(\delta')^{-1} + i\,p' \pmod{p-1}$ for $i = 0, 1, 2, \ldots, d-1$
Select one of them to have $\gamma \equiv \alpha^{k} \pmod p$
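As an added worked example (not part of the slides), the scheme and both misuses on hand-checkable toy parameters constructed here (p = 23, α = 5, a = 7, and k = 7 used for two messages); the two recovery functions are the slides' derivations and show why k must be fresh and secret for every signature.

```python
# Added example, not from the slides: ElGamal signatures on toy parameters
# (constructed: p = 23, alpha = 5, a = 7; real deployments use p of many
# hundreds of bits) plus the two misuses derived on the slides.
from math import gcd


def elgamal_keygen(p, alpha, a):
    """Public key (p, alpha, beta) with beta = alpha^a mod p; a stays secret."""
    return (p, alpha, pow(alpha, a, p))


def elgamal_sign(p, alpha, a, x, k):
    """signature(x, k) = (gamma, delta):
    gamma = alpha^k mod p,  delta = (x - a*gamma) * k^-1 mod (p - 1).
    k must be coprime to p - 1 so that k^-1 exists."""
    if not 1 <= k <= p - 1 or gcd(k, p - 1) != 1:
        raise ValueError("k must lie in 1..p-1 and be coprime to p-1")
    gamma = pow(alpha, k, p)
    delta = (x - a * gamma) * pow(k, -1, p - 1) % (p - 1)
    return gamma, delta


def elgamal_verify(pub, x, sig):
    """verification(x, gamma, delta) = true iff beta^gamma * gamma^delta == alpha^x (mod p)."""
    p, alpha, beta = pub
    gamma, delta = sig
    if not 0 < gamma < p:
        return False
    return pow(beta, gamma, p) * pow(gamma, delta, p) % p == pow(alpha, x, p)


def recover_a_from_leaked_k(p, x, sig, k):
    """Misuse One: k*delta = x - a*gamma (mod p-1), so a = (x - k*delta)*gamma^-1 (mod p-1).
    Needs gamma invertible mod p - 1, which holds for the constructed parameters."""
    gamma, delta = sig
    return (x - k * delta) * pow(gamma, -1, p - 1) % (p - 1)


def recover_k_from_reused_k(pub, x1, sig1, x2, sig2):
    """Misuse Two: the same k gives the same gamma and
    x1 - x2 = k*(delta1 - delta2) (mod p-1).  With d = gcd(delta1 - delta2, p-1)
    the congruence has d solutions k = x'*(delta')^-1 + i*p' (mod p-1); the one
    satisfying alpha^k == gamma (mod p) is the k that was reused."""
    p, alpha, _beta = pub
    gamma, delta1 = sig1
    gamma2, delta2 = sig2
    if gamma != gamma2:
        raise ValueError("different gamma values: k was not reused")
    d = gcd(delta1 - delta2, p - 1)
    x_prime = ((x1 - x2) % (p - 1)) // d          # d divides x1 - x2 as well
    delta_prime = ((delta1 - delta2) % (p - 1)) // d
    p_prime = (p - 1) // d
    k0 = x_prime * pow(delta_prime, -1, p_prime) % p_prime
    for i in range(d):
        k = (k0 + i * p_prime) % (p - 1)
        if pow(alpha, k, p) == gamma:
            return k
    raise ValueError("no candidate matched gamma")


if __name__ == "__main__":
    p, alpha, a = 23, 5, 7
    pub = elgamal_keygen(p, alpha, a)
    sig1 = elgamal_sign(p, alpha, a, 10, 7)        # k = 7 used twice: the misuse
    sig2 = elgamal_sign(p, alpha, a, 4, 7)
    print(pub, sig1, sig2, elgamal_verify(pub, 10, sig1))
    k = recover_k_from_reused_k(pub, 10, sig1, 4, sig2)
    print("reused k =", k, "secret a =", recover_a_from_leaked_k(p, 10, sig1, k))
```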
Digital Signature Standard
Let p be a prime of 512 bits.
Let q be a prime of 160 bits with $q \mid (p-1)$.
Let $\alpha$ be a q-th root modulo p: $\alpha^{q} \equiv 1 \pmod p$.
Let a be the secret number, $1 \le a \le q-1$, and $\beta = \alpha^{a} \pmod p$.
Public: $(p, q, \alpha, \beta)$
Secret: a
$K = (p, q, \alpha, a, \beta)$
Digital Signature Standard
With $K = (p, q, \alpha, a, \beta)$
For a random k, $1 \le k \le q-1$, define
$\mathrm{signature}(x, k) = (e_1, e_2)$, where
$e_1 = (\alpha^{k} \bmod p) \bmod q$
$e_2 = (x + a e_1)\,k^{-1} \bmod q$
Digital Signature Standard
With x and $(e_1, e_2)$:
$\mathrm{verification}(x, e_1, e_2) = \mathrm{true}$ iff $e_1 = \left(\alpha^{x e_2^{-1}}\,\beta^{e_1 e_2^{-1}} \bmod p\right) \bmod q$, with $e_2^{-1}$ taken modulo q
Explain
This is because $\alpha^{x e_2^{-1}}\,\beta^{e_1 e_2^{-1}} = \alpha^{x e_2^{-1} + a e_1 e_2^{-1}} = \alpha^{(x + a e_1)e_2^{-1}} \equiv \alpha^{k} \pmod p$
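Added worked example (not from the slides): the DSS equations above on toy parameters constructed so every step can be checked by hand (p = 23, q = 11, α = 2 of order 11, a = 3); dss_inner exposes the quant­ity the "Explain" slide shows equals α^k mod p.

```python
# Added example, not from the slides: DSS on toy parameters constructed so the
# arithmetic can be checked by hand (p = 23, q = 11, alpha = 2 of order 11,
# a = 3); the standard itself uses p of 512 bits and q of 160 bits.


def dss_params_ok(p, q, alpha):
    """The slide's conditions: q | (p - 1) and alpha is a q-th root of unity mod p."""
    return (p - 1) % q == 0 and alpha != 1 and pow(alpha, q, p) == 1


def dss_keygen(p, q, alpha, a):
    """Public key (p, q, alpha, beta), beta = alpha^a mod p, secret 1 <= a <= q - 1."""
    if not dss_params_ok(p, q, alpha) or not 1 <= a <= q - 1:
        raise ValueError("invalid DSS parameters")
    return (p, q, alpha, pow(alpha, a, p))


def dss_sign(p, q, alpha, a, x, k):
    """signature(x, k) = (e1, e2) with
    e1 = (alpha^k mod p) mod q and e2 = (x + a*e1) * k^-1 mod q, 1 <= k <= q - 1."""
    if not 1 <= k <= q - 1:
        raise ValueError("k must lie in 1..q-1")
    e1 = pow(alpha, k, p) % q
    e2 = (x + a * e1) * pow(k, -1, q) % q
    if e1 == 0 or e2 == 0:          # degenerate; the standard says pick a new k
        raise ValueError("e1 or e2 is zero, choose another k")
    return e1, e2


def dss_inner(pub, x, sig):
    """alpha^(x*e2^-1) * beta^(e1*e2^-1) mod p, inverses taken mod q.
    The 'Explain' slide: the exponent is (x + a*e1)*e2^-1 = k (mod q) and alpha
    has order q, so this equals alpha^k mod p."""
    p, q, alpha, beta = pub
    e1, e2 = sig
    w = pow(e2, -1, q)
    return pow(alpha, x * w % q, p) * pow(beta, e1 * w % q, p) % p


def dss_verify(pub, x, sig):
    """verification(x, e1, e2) = true iff e1 == (inner mod p) mod q."""
    _p, q, _alpha, _beta = pub
    e1, e2 = sig
    if not (0 < e1 < q and 0 < e2 < q):
        return False
    return dss_inner(pub, x, sig) % q == e1


if __name__ == "__main__":
    pub = dss_keygen(23, 11, 2, 3)
    sig = dss_sign(23, 11, 2, 3, 9, 4)
    print(pub, sig, dss_inner(pub, 9, sig), pow(2, 4, 23), dss_verify(pub, 9, sig))
```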
Chapter 16 – IP Security
If a secret piece of news is divulged by a spy before the time is ripe, he must be put to death, together with the man to whom the secret was told.
—The Art of War, Sun Tzu
Intrusion Detection
Cryptography and Network Security
Third Edition
by William Stallings
Lecture slides by Lawrie Brown
Chapter 18 – Intruders
They agreed that Graham should set the test for Charles Mabledene. It was neither more nor less than that Dragon should get Stern's code. If he had the 'in' at Utting which he claimed to have this should be possible, only loyalty to Moscow Centre would prevent it. If he got the key to the code he would prove his loyalty to London Central beyond a doubt.—Talking to Strange Men, Ruth Rendell
Intruders
• significant issue for networked systems is hostile or unwanted access
• either via network or local
• can identify classes of intruders:
– masquerader
– misfeasor
– clandestine user
• varying levels of competence
Intruders
• clearly a growing publicized problem
– from “Wily Hacker” in 1986/87
– to clearly escalating CERT stats
• may seem benign, but still cost resources
• may use compromised system to launch other attacks
Intrusion Techniques
• aim to increase privileges on system
• basic attack methodology
– target acquisition and information gathering
– initial access
– privilege escalation
– covering tracks
• key goal often is to acquire passwords
• so then exercise access rights of owner
Password Guessing
• one of the most common attacks
• attacker knows a login (from email/web page etc)
• then attempts to guess password for it
– try default passwords shipped with systems
– try all short passwords
– then try by searching dictionaries of common words
– intelligent searches try passwords associated with the user (variations on names, birthday, phone, common words/interests)
– before exhaustively searching all possible passwords
• check by login attempt or against stolen password file
• success depends on password chosen by user
• surveys show many users choose poorly
Password Capture
• another attack involves password capture
– watching over shoulder as password is entered
– using a trojan horse program to collect
– monitoring an insecure network login (eg. telnet, FTP, web, email)
– extracting recorded info after successful login (web history/cache, last number dialed etc)
• using valid login/password can impersonate user
• users need to be educated to use suitable precautions/countermeasures
Intrusion Detection
• inevitably will have security failures
• so need also to detect intrusions so can
– block if detected quickly
– act as deterrent
– collect info to improve security
• assume intruder will behave differently to a legitimate user
– but will have imperfect distinction between
Approaches to Intrusion Detection
• statistical anomaly detection
– threshold
– profile based
• rule-based detection
– anomaly
– penetration identification
Audit Records
• fundamental tool for intrusion detection
• native audit records
– part of all common multi-user O/S
– already present for use
– may not have info wanted in desired form
• detection-specific audit records
– created specifically to collect wanted info
– at cost of additional overhead on system
Statistical Anomaly Detection
• threshold detection
– count occurrences of specific event over time
– if exceed reasonable value assume intrusion
– alone is a crude & ineffective detector
• profile based
– characterize past behavior of users
– detect significant deviations from this
– profile usually multi-parameter
Audit Record Analysis
• foundation of statistical approaches
• analyze records to get metrics over time
– counter, gauge, interval timer, resource use
• use various tests on these to determine if current behavior is acceptable
– mean & standard deviation, multivariate, markov process, time series, operational
• key advantage is no prior knowledge used
Examples
• Counter: number of logins by a single user
• Gauge: number of outgoing messages for a user process
• Interval timer: length of time between successive logins to an account.
• Resource utilization: number of pages printed during a user session and time consumed by a program execution.
Rule-Based Intrusion Detection
• observe events on system & apply rules to decide if activity is suspicious or not
• rule-based anomaly detection
– analyze historical audit records to identify usage patterns & auto-generate rules for them
– then observe current behavior & match against rules to see if conforms
– like statistical anomaly detection does not require prior knowledge of security flaws
Rule-Based Intrusion Detection
• rule-based penetration identification
– uses expert systems technology
– with rules identifying known penetration, weakness patterns, or suspicious behavior
– rules usually machine & O/S specific
– rules are generated by experts who interview & codify knowledge of security admins
– quality depends on how well this is done
– compare audit records or states against rules
Rule examples
• Users should not read files in other users’ personal directories.
• Users must not write other users’ files
• Users who log in after hours often access the same files they used before
• Users do not generally open disk devices directly but rely on high-level commands
• Users should not be logged in more than once to the same system
• Users do not make copies of system programs
Base-Rate Fallacy
• practically an intrusion detection system needs to detect a substantial percentage of intrusions with few false alarms
– if too few intrusions detected -> false security
– if too many false alarms -> ignore / waste time
• this is very hard to do
• existing systems seem not to have a good record
Distributed Intrusion Detection
• traditional focus is on single systems
• but typically have networked systems
• more effective defense has these working together to detect intrusions
• issues
– dealing with varying audit record formats
– integrity & confidentiality of networked data
– centralized or decentralized architecture
Distributed Intrusion Detection - Architecture
Distributed Intrusion Detection – Agent Implementation
Honeypots
• decoy systems to lure attackers
– away from accessing critical systems
– to collect information of their activities
– to encourage attacker to stay on system so administrator can respond
• are filled with fabricated information
• instrumented to collect detailed information on attackers' activities
• may be single or multiple networked systems
Password Management
• front-line defense against intruders
• users supply both:
– login – determines privileges of that user
– password – to identify them
• passwords often stored encrypted
– Unix uses multiple DES (variant with salt)
– more recent systems use crypto hash function
Managing Passwords
• need policies and good user education
• ensure every account has a default password
• ensure users change the default passwords to something they can remember
• protect password file from general access
• set technical policies to enforce good passwords
– minimum length (>6)
– require a mix of upper & lower case letters, numbers, punctuation
– block known dictionary words
Managing Passwords
• may reactively run password guessing tools
– note that good dictionaries exist for almost any language/interest group
• may enforce periodic changing of passwords
• have system monitor failed login attempts, & lockout account if see too many in a short period
• do need to educate users and get support
• balance requirements with user acceptance
Proactive Password Checking
• most promising approach to improving password security
• allow users to select own password
• but have system verify it is acceptable
– simple rule enforcement (see previous slide)
– compare against dictionary of bad passwords
– use algorithmic (markov model or bloom filter) to detect poor choices
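Added example (not from the slides or the textbook): a proactive password checker of the kind described here, combining the rule enforcement of the "Managing Passwords" slide with a Bloom filter built from a dictionary of bad passwords; the word list, filter size and hash construction are constructed for this example.

```python
# Added example, not from the slides: rule enforcement plus a Bloom-filter
# dictionary test for proactive password checking.  The word list and the
# SHA-256-based hash positions are constructed here for illustration.
import hashlib
import string


class BloomFilter:
    """m-bit array with k hash functions: no false negatives, so a word that was
    added is always caught; a small, size-dependent rate of false positives."""

    def __init__(self, m_bits, k_hashes):
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, word):
        # k positions derived from SHA-256(index || word); one digest per index
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + word.encode("utf-8")).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, word):
        for pos in self._positions(word):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def might_contain(self, word):
        return all(self.bits[pos // 8] >> (pos % 8) & 1 for pos in self._positions(word))


# constructed sample of a bad-password dictionary
BAD_WORDS = ["password", "letmein", "qwerty", "123456", "welcome", "admin", "dragon", "monkey"]


def build_bad_password_filter(words=BAD_WORDS, m_bits=1024, k_hashes=4):
    bf = BloomFilter(m_bits, k_hashes)
    for w in words:
        bf.add(w.lower())
    return bf


def check_password(candidate, bad_filter, min_length=7):
    """Return the list of reasons the candidate is rejected (empty = accepted).
    Rules follow the 'Managing Passwords' slide: minimum length (>6) and a mix of
    upper & lower case letters, numbers and punctuation; dictionary words are
    blocked through the Bloom filter."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    classes = [
        ("lower-case letter", string.ascii_lowercase),
        ("upper-case letter", string.ascii_uppercase),
        ("digit", string.digits),
        ("punctuation", string.punctuation),
    ]
    for name, alphabet in classes:
        if not any(ch in alphabet for ch in candidate):
            reasons.append("no " + name)
    # strip decorations before the dictionary test, e.g. "Password1!" -> "password"
    core = candidate.lower().strip(string.digits + string.punctuation)
    if bad_filter.might_contain(core) or bad_filter.might_contain(candidate.lower()):
        reasons.append("dictionary word")
    return reasons


if __name__ == "__main__":
    bf = build_bad_password_filter()
    for pw in ["Password1!", "Ab1!", "Tr0ub4dor&3"]:
        print(pw, "->", check_password(pw, bf) or "accepted")
```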
Conditional Probability
• Pr[A|B]
• Pr[AB]
• Pr[B]
$\Pr[A \mid B] = \dfrac{\Pr[AB]}{\Pr[B]}$
Bayes Theorem
• $E_1, E_2, \ldots, E_n$ are mutually exclusive events
$\Pr[A] = \sum_{i=1}^{n} \Pr[A \mid E_i]\,\Pr[E_i]$
$\Pr[E_i \mid A] = \dfrac{\Pr[A \mid E_i]\,\Pr[E_i]}{\Pr[A]} = \dfrac{\Pr[A \mid E_i]\,\Pr[E_i]}{\sum_{j=1}^{n} \Pr[A \mid E_j]\,\Pr[E_j]}$
Diagram
• [figure: the sample space partitioned into the mutually exclusive events E1, E2, E3, E4]
Dice
• Calculate the probability of a sum of 8 on the roll of two dice, given that at least one die is even
• A={Sum of 8}
• B={at least one die even}
• Pr[B]=(36-3x3)/36=3/4
• Pr[AB]=3/36=1/12 for (2,6), (4,4) and (6,2)
• Pr[A|B]=(1/12)/(3/4)=1/9
Problem
• Compute the probability that the sum is 7 on a roll of two dice under the condition that one die is odd.
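Added example (not from the slides) serving the conditional probability, Bayes theorem and base-rate fallacy slides: the dice computation done by exact enumeration of the 36 outcomes, and Bayes' theorem applied to an intrusion detector whose detection rate, false alarm rate and intrusion base rate are constructed values for illustration.

```python
# Added example, not from the slides: the slide's dice computation by exact
# enumeration of the 36 outcomes, and the same Bayes' theorem applied to the
# base-rate fallacy slide (IDS rates below are constructed for illustration).
from fractions import Fraction
from itertools import product

OUTCOMES = list(product(range(1, 7), repeat=2))    # 36 equally likely (die1, die2) rolls


def prob(event):
    """Pr[event], event being a predicate on one outcome, as an exact Fraction."""
    return Fraction(sum(1 for o in OUTCOMES if event(o)), len(OUTCOMES))


def cond_prob(a, b):
    """Pr[A|B] = Pr[AB] / Pr[B]."""
    return prob(lambda o: a(o) and b(o)) / prob(b)


def dice_sum_given_parity(total, parity):
    """Pr[sum == total | at least one die has the given parity (0 even, 1 odd)]."""
    return cond_prob(lambda o: o[0] + o[1] == total,
                     lambda o: any(d % 2 == parity for d in o))


def posterior(priors, likelihoods):
    """Bayes' theorem for mutually exclusive, exhaustive E_i:
    Pr[E_i|A] = Pr[A|E_i]Pr[E_i] / sum_j Pr[A|E_j]Pr[E_j]."""
    joint = [Fraction(l) * Fraction(p) for l, p in zip(likelihoods, priors)]
    total = sum(joint)                                  # Pr[A]
    return [j / total for j in joint]


def intrusion_given_alarm(base_rate, detection_rate, false_alarm_rate):
    """Base-rate fallacy: Pr[intrusion | alarm].
    E_1 = intrusion with Pr[E_1] = base_rate, E_2 = legitimate activity;
    Pr[alarm|E_1] = detection_rate, Pr[alarm|E_2] = false_alarm_rate."""
    base = Fraction(base_rate)
    return posterior([base, 1 - base], [detection_rate, false_alarm_rate])[0]


if __name__ == "__main__":
    print("Pr[sum 8 | a die is even] =", dice_sum_given_parity(8, 0))
    # constructed: one intrusion per thousand sessions, 99% detection, 1% false alarms
    print("Pr[intrusion | alarm] =", float(intrusion_given_alarm("1/1000", "99/100", "1/100")))
```

Even with a 99% detection rate, a 1% false alarm rate against a 1-in-1000 base rate leaves fewer than one alarm in ten being a real intrusion, which is the point of the base-rate fallacy slide.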
Summary
• have considered:
– problem of intrusion
– intrusion detection (statistical & rule-based)
– password management
Password Checking
• Let H(x) be a hashing function with the one-way property
• For a password y with id u, Z=H(y) is saved for u.
• When a password y' is typed for u, fetch Z and check if $Z = H(y')$
Managing Passwords
• need policies and good user education
• ensure every account has a default password
• ensure users change the default passwords to something they can remember
• protect password file from general access
• set technical policies to enforce good passwords
– minimum length (>6)
– require a mix of upper & lower case letters, numbers, punctuation
– block known dictionary words
Managing Passwords
• may reactively run password guessing tools
– note that good dictionaries exist for almost any language/interest group
• may enforce periodic changing of passwords
• have system monitor failed login attempts, & lockout account if see too many in a short period
• do need to educate users and get support
• balance requirements with user acceptance
• be aware of social engineering attacks
#include <stdio.h>
#define d1 2.0
#define d2 4.0
#define realPassword 2314
int address;
double c1, c2;
double a[10000];
int main(void) {
    int password;
    /* …… */
    address = realPassword;   // We may use another name instead of the realPassword.
    a[address] = 0;
    c2 = d2;
    scanf("%d", &password);
    a[password] = d1;         // no bounds check on password: an out-of-range index writes outside a[]
    c1 = a[address];          // c1 gets d1 if password is the correct realPassword
    return 0;
}
#include <stdio.h>
#include <math.h>
#define d1 2.0
#define d2 4.0
#define realPassword 2314
int address;
double c1, c2;
double a[10000];
/* Roots of x^2 + b x + c; the divisor c1 is 2.0 only if the password check succeeded. */
void quadratic(double b, double c, double *root1, double *root2) {
    double temp;
    temp = sqrt(b * b - c2 * c);
    *root1 = (-b + temp) / c1;
    *root2 = (-b - temp) / c1;
}
int main(void) {
    double root1, root2;
    int password;
    address = realPassword;   // We may use another name instead of the realPassword.
    a[address] = 0;
    c2 = d2;
    scanf("%d", &password);
    a[password] = d1;         // no bounds check on password: an out-of-range index writes outside a[]
    c1 = a[address];          // c1 gets d1 if password is correct (equal to realPassword).
    scanf("%lf", &a[0]);      // read the parameter b
    scanf("%lf", &a[1]);      // read the parameter c
    quadratic(a[0], a[1], &root1, &root2);
    printf("%lf, %lf\n", root1, root2);
    return 0;
}
The vulnerability of web servers
Here we only talk about web applications written in PHP.
1. PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.
2. PHP provides a lot of useful functions that make programming easier, but attackers can also use these functions to do something unexpected.
This form allows the web browser user to upload a file from their local machine to the remote web server.
<FORM METHOD="POST" ENCTYPE="multipart/form-data">
<INPUT TYPE="FILE" NAME="upload">
<INPUT TYPE="HIDDEN" NAME="MAX_FILE_SIZE" VALUE="10240">
<INPUT TYPE="SUBMIT" NAME="Submit Query">
</FORM>
It looks as follows:
This function is obviously useful but also brings risk.
The attacker's ultimate goal is obviously to be able to execute commands on the remote web server, and they cannot achieve that by using files on their local machine.
Therefore they need to get PHP code into a file local to the remote machine. This sounds like an impossible task initially, but file upload comes to the rescue. If the attacker creates a file on their machine containing PHP code to be executed and then uploads it, PHP will be kind enough to save the attacker's file.
Simple example
This is an upload form. It allows students to upload their homework to the “upload” folder on the remote web server, but it doesn't have any control over the uploaded file; in other words, the students can submit any kind of file.
Simple example
In order to let students check whether they submitted their homework successfully, the web server gives the client a list of all the files in the “upload” folder, allowing students to view the filenames.
Simple example
But if somebody submits a PHP file like that and executes it on the remote web server, then Jack's homework will be deleted; obviously these are important files for Jack.
ex. “ ./ ” means the current directory
Solution
• Forbid some unsafe functions by configuring parameters of the web server.
ex. Set “safe_mode on” in the “php.ini” file; its effects include: 1. restricting which commands can be executed 2. restricting which functions can be used 3. if you want, you can remove file upload completely
• Add some code to the uploading program to forbid files which are executable or dangerous. We can also use some simple code to change the uploaded file's extension to make it unexecutable.
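Added example (not from the slides, and written in Python rather than PHP): the checks the Solution slide calls for, as a standalone function that decides whether, and under what name, an uploaded homework file may be stored; the allow-list, size limit and folder name are constructed for this example.

```python
# Added example, not from the slides and not PHP: the checks the 'Solution'
# slide calls for, as a standalone function deciding whether and under what
# name an uploaded homework file may be stored.  The allow-list, the size
# limit and the folder name are constructed for this example.
import posixpath
import re

UPLOAD_DIR = "upload"                                      # the slide's homework folder
ALLOWED_EXTENSIONS = {"pdf", "txt", "zip", "doc", "docx"}  # constructed allow-list
MAX_FILE_SIZE = 10240                                      # as the form's hidden field
_SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class UploadRejected(ValueError):
    pass


def safe_upload_path(client_filename, declared_size, content):
    """Return the path under UPLOAD_DIR to store the file at, or raise UploadRejected.
    The client-supplied name is not trusted: directory parts such as './' or
    '../' are dropped, the extension must be on the allow-list (so '.php' is
    refused), and dots inside the stem are rewritten so 'hw.php.txt' cannot
    keep an inner '.php'."""
    if declared_size > MAX_FILE_SIZE or len(content) > MAX_FILE_SIZE:
        raise UploadRejected("file too large")
    base = posixpath.basename(client_filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise UploadRejected("no usable filename")
    stem, dot, ext = base.rpartition(".")
    if not dot:
        raise UploadRejected("no file extension")
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension '%s' not allowed" % ext)
    stem = stem.replace(".", "_")
    if not _SAFE_STEM.match(stem):
        raise UploadRejected("filename contains unsafe characters or is too long")
    # defence in depth: the extension test alone says nothing about the body
    if content.lstrip()[:5].lower() == b"<?php":
        raise UploadRejected("PHP code in upload body")
    return posixpath.join(UPLOAD_DIR, "%s.%s" % (stem, ext))


def is_accepted(client_filename, declared_size, content):
    """True if safe_upload_path would store the file, False if it rejects it."""
    try:
        safe_upload_path(client_filename, declared_size, content)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    for name, body in [("hw1.pdf", b"%PDF-1.4"), ("../hw.php.txt", b"text"), ("shell.php", b"<?php echo 1;")]:
        print(name, "->", safe_upload_path(name, len(body), body) if is_accepted(name, len(body), body) else "rejected")
```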
Cryptography and Network Security
Third Edition
by William Stallings
Lecture slides by Lawrie Brown
Chapter 20 – Firewalls
The function of a strong position is to make the forces holding it practically unassailable
—On War, Carl Von Clausewitz
Introduction
• seen evolution of information systems
• now everyone want to be on the Internet
• and to interconnect networks
• has persistent security concerns
– can't easily secure every system in org
• need "harm minimisation"
• a Firewall usually part of this
What is a Firewall?
• a choke point of control and monitoring
• interconnects networks with differing trust
• imposes restrictions on network services
– only authorized traffic is allowed
• auditing and controlling access
– can implement alarms for abnormal behavior
• is itself immune to penetration
• provides perimeter defence
Firewall Limitations
• cannot protect from attacks bypassing it
– eg sneaker net, utility modems, trusted organisations, trusted services (eg SSL/SSH)
• cannot protect against internal threats
– eg disgruntled employee
• cannot protect against transfer of all virus infected programs or files
– because of huge range of O/S & file types, it is impossible to scan all files and emails
Firewalls – Packet Filters
• simplest of components
• foundation of any firewall system
• examine each IP packet (no context) and permit or deny according to rules
• hence restrict access to services (ports)
• possible default policies
– that not expressly permitted is prohibited
– that not expressly prohibited is permitted
Attacks on Packet Filters
• IP address spoofing
– fake source address to be trusted
– add filters on router to block
• source routing attacks
– attacker sets a route other than default
– block source routed packets
• tiny fragment attacks
– split header info over several tiny packets
– either discard or reassemble before check
Firewalls – Stateful Packet Filters
• examine each IP packet in context
– keeps track of client-server sessions
– checks each packet validly belongs to one
• better able to detect bogus packets out of context
Firewalls - Application Level Gateway (or Proxy)
• use an application specific gateway / proxy
• has full access to protocol
– user requests service from proxy
– proxy validates request as legal
– then actions request and returns result to user
• need separate proxies for each service
– some services naturally support proxying
– others are more problematic
– custom services generally not supported
Firewalls - Circuit Level Gateway
• relays two TCP connections
• imposes security by limiting which such connections are allowed
• once created usually relays traffic without examining contents
• typically used when trust internal users by allowing general outbound connections
• SOCKS commonly used for this
Bastion Host
• highly secure host system
• potentially exposed to "hostile" elements
• hence is secured to withstand this
• may support 2 or more net connections
• may be trusted to enforce trusted separation between network connections
• runs circuit / application level gateways
• or provides externally accessible services
Firewall Configurations
Access Control
• given system has identified a user
• determine what resources they can access
• general model is that of access matrix with
– subject - active entity (user, process)
– object - passive entity (file or resource)
– access right – way object can be accessed
• can decompose by
– columns as access control lists
– rows as capability tickets
Access Control Matrix
Trusted Computer Systems
• information security is increasingly important
• have varying degrees of sensitivity of information
– cf military info classifications: confidential, secret etc
• subjects (people or programs) have varying rights of access to objects (information)
• want to consider ways of increasing confidence in systems to enforce these rights
• known as multilevel security
– subjects have maximum & current security level
– objects have a fixed security level classification
Bell LaPadula (BLP) Model
• one of the most famous security models
• implemented as mandatory policies on system
• has two key policies:
• no read up (simple security property)
– a subject can only read/write an object if the current security level of the subject dominates (>=) the classification of the object
• no write down (*-property)
– a subject can only append/write to an object if the current security level of the subject is dominated by (<=) the classification of the object
Reference Monitor
Evaluated Computer Systems
• governments can evaluate IT systems
• against a range of standards:
– TCSEC, ITSEC and now Common Criteria
• define a number of “levels” of evaluation with increasingly stringent checking
• have published lists of evaluated products– though aimed at government/defense use– can be useful in industry also
Summary
• have considered:
– firewalls
– types of firewalls
– configurations
– access control
– trusted systems
Requirements for Hash function
• H(x) is easy to compute
• Given h, it is computationally hard to find x such that H(x)=h: One-way property
• Given x, it is computationally hard to find y ≠ x such that H(x)=H(y): Weak collision resistance
• It is computationally hard to find any pair x ≠ y such that H(x)=H(y): Strong collision resistance
Pseudorandom Number Generator
Applications:
• Key generation
• Randomized algorithm
• Authentication protocols
• ……
Randomness
• Uniform distribution: The frequency of each number should be approximately the same.
• Independence: No one value in the sequence can be inferred from the others
• Unpredictability
Linear Generator
A sequence of numbers is generated by
$X_{n+1} = (aX_n + c) \bmod m$
$X_0$: starting value, $0 \le X_0 < m$
a: the multiplier, $0 \le a < m$
c: the increment, $0 \le c < m$
m: the modulus, $m > 0$
Requirements for linear generator
• Generate all numbers between 0 and m
• Look random
• Should be implementable efficiently with 32-bit arithmetic
Linear Generator
A sequence of numbers is generated by
$X_{n+1} = (aX_n + c) \bmod m$
with $m = 2^{31} - 1$, $a = 7^{5} = 16807$, $c = 0$:
$X_{n+1} = 16807\,X_n \bmod (2^{31} - 1)$
Linear Generator weakness
If m, c, a are known, then once a single number is discovered, all subsequent numbers are known.
If it is only known that a linear generator is used, the attacker can still solve the equations for the unknown parameters from a few consecutive outputs:
$X_2 = (aX_1 + c) \bmod m$
$X_3 = (aX_2 + c) \bmod m$
$X_4 = (aX_3 + c) \bmod m$
Generator with DES
C is a counter with period N
• Key: $K_m$
• counter: $C \to C + 1$
• encryption: $X_i = E_{K_m}[C + 1]$
Blum Blum Shub Generator
Choose two prime numbers p, q with $p \equiv q \equiv 3 \pmod 4$
Let n = pq
Choose a random number s relatively prime to n
$X_0 = s^{2} \bmod n$
for i = 1, 2, …:
$X_i = (X_{i-1})^{2} \bmod n$
$B_i = X_i \bmod 2$
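Added example (not from the slides) serving the three generator slides above: the linear generator with the slide's parameters, the "weakness" slide's solution for a and c from three consecutive outputs when m is known, and the Blum Blum Shub generator; the BBS primes 7 and 11 and the seed 3 are constructed here so the bits can be checked by hand.

```python
# Added example, not from the slides: the linear congruential generator with
# the slide's parameters, recovery of a and c from consecutive outputs when m
# is known (the 'weakness' slide), and Blum Blum Shub on small constructed primes.
from math import gcd


def lcg(seed, a=16807, c=0, m=2**31 - 1):
    """X_{n+1} = (a*X_n + c) mod m, yielding X_1, X_2, ... from the seed X_0."""
    x = seed
    while True:
        x = (a * x + c) % m
        yield x


def lcg_outputs(seed, count, **params):
    gen = lcg(seed, **params)
    return [next(gen) for _ in range(count)]


def recover_lcg(x1, x2, x3, m):
    """Solve X2 = a*X1 + c and X3 = a*X2 + c (mod m) for a and c.
    Subtracting gives (X2 - X1)*a = X3 - X2 (mod m); a follows when X2 - X1 is
    invertible mod m (always true for prime m and X1 != X2), then c = X2 - a*X1."""
    diff = (x2 - x1) % m
    if gcd(diff, m) != 1:
        raise ValueError("X2 - X1 not invertible mod m; need other outputs")
    a = (x3 - x2) * pow(diff, -1, m) % m
    c = (x2 - a * x1) % m
    return a, c


def bbs_bits(p, q, s, count):
    """Blum Blum Shub: p = q = 3 (mod 4), n = pq, gcd(s, n) = 1,
    X_0 = s^2 mod n, X_i = X_{i-1}^2 mod n, B_i = X_i mod 2."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must be congruent to 3 mod 4")
    n = p * q
    if gcd(s, n) != 1:
        raise ValueError("s must be relatively prime to n")
    x = s * s % n
    bits = []
    for _ in range(count):
        x = x * x % n
        bits.append(x % 2)
    return bits


if __name__ == "__main__":
    xs = lcg_outputs(1, 4)                        # slide parameters, X_0 = 1
    print("LCG:", xs)
    print("recovered (a, c):", recover_lcg(xs[0], xs[1], xs[2], 2**31 - 1))
    print("BBS bits:", bbs_bits(7, 11, 3, 8))      # constructed toy primes
```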