CPS 290 Computer Security

Network ToolsCryptography Basics

CPS 290 Page 1

Discovering My Laptop’s IPv4 Address

On Windows, use program ipconfig. On Mac or Linux, use ifconfig or ip.

Only my wired ethernet interface has an IP address (152.3.136.127.)

CPS 290 Page 2

Resolving the name www.cs.duke.edu to an IP address

On Windows, use nslookup. On Mac or Linux, use dig.The answer is provided by the authoritative name server

duke.cs.duke.edu (152.3.140.1)www.cs.duke.edu is an alias for the canonical name (CNAME)

sibyl.cs.duke.eduThe address for sibyl.cs.duke.edu is 152.3.140.31.

CPS 290 Page 3

Capturing and Examining Packets

I begin to capture packets on my wired ethernet interface using the program called wireshark (for Windows, Mac, or Linux).

I make a request to http://www.cs.duke.edu/~bmm through my browser.I enter the filter (ip.src == 152.3.136.127 || ip.dst == 152.3.136.127) &&

(ip.dst == 152.3.140.31 || ip.src == 152.3.140.31) to examine only packets between my machine and www.cs.duke.edu.

CPS 290 Page 4

TCP Three-Way Handshake

First three packets show the TCP three-way handshake, SYN, SYN-ACK, ACK, which is used to establish a TCP connection.

Note: The handshake makes it difficult to establish a TCP connection with a spoofed (forged) browser source address in the SYN packet:Server will send SYN-ACK to the spoofed address, which won’t reply with an ACK.Sender of spoofed SYN packet doesn’t receive the SYN-ACK, doesn’t know the correct sequence number to ACK.

CPS 290 Page 5

SYN

SYN-ACK

ACK

Browser Sends HTTP GET Request

CPS 290 Page 6

Server Responds with HTTP 301 Code

CPS 290 Page 7

The server didn’t like my request for http://www.cs.duke.edu/~bmm It wanted me to enter http://www.cs.duke.edu/~bmm/Criminy!

CPS 290 Page 8

Basic Cryptography Definitions

Private Key or Symmetric: Key1 = Key2

Public Key or Asymmetric: Key1 Key2

Key1 or Key2 is public depending on the protocol

Encryption

Decryption

Key1

Key2

Cyphertext

Ekey1(M) = C

Dkey2(C) = M

Original Plaintext

Plaintext

CPS 290 Page 9

What does it mean to be secure?

Unconditionally Secure: Encrypted message cannot be decoded without the key

Shannon showed in 1943 that key must be as long as the message to be unconditionally secure – this is based on information theory

A one time pad – xor a random key with a message (Used in 2nd world war)

Security based on computational cost: it is computationally “infeasible” to decode a message without the key.

E.g., there is no (probabilistic) polynomial time algorithm can decode the message.

CPS 290 Page 10

Primitives: One-Way Functions

(Informally): A function Y = f(x)is one-way if it is easy to compute y from x but

“hard” to compute x from y

Building block of most cryptographic protocolsAnd, the security of most protocols rely on their

existence.Unfortunately, not proved to exist, even if we

assume P NP.

CPS 290 Page 11

One-way functions: possible definition

1. F(x) is polynomial time2. F-1(y) is NP-hard

What is wrong with this definition?

“F-1(y) is NP-hard” is a statement only about worst-case complexity

F-1(y) may be NP-hard, but still easy to solve for most y

Efforts to base cryptosystems on NP-hard problems have all failed. We don’t know how to generate difficult to solve instances.

CPS 290 Page 12

One-way functions:better definition

For almost all y no single PPT (probabilistic polynomial time) algorithm can compute x

Roughly: at most a fraction 1/|x|k instances x are easy for any k and as |x| ->

This definition can be used to make the probability of hitting an easy instance arbitrarily small.

CPS 290 Page 13

Some examples (conjectures)

Factoring: x = (u,v)y = f(u,v) = u*v If u and v are prime it is hard to generate

them from y.Discrete Log: y = gx mod p

where p is prime and g is a “generator” (i.e., g1, g2, g3, … generates all values < p).

DES with fixed message: y = DESx(m)

This would assume a family of DES functions of increasing key size (for asymptotics)

CPS 290 Page 14

One-way functions in private-key protocols

y = ciphertext m = plaintext k = key

y = Ek(m) = E(k,m) = Em(k) (i.e. f = Em)

Given y and m, should Em be a one-way function?

In a known-plaintext attack we know a (y,m) pair.The m along with E defines f Em(k) needs to be easy (plug in k and compute)

Em-1(y) should be hard

Otherwise we could extract the key k.

CPS 290 Page 15

One-way functions in public-key protocols

y = ciphertext m = plaintext k = public key

Consider: y = Ek(m) (i.e., f = Ek)

We know k and thus f Ek(m) needs to be easy

Ek-1(y) should be hard

Otherwise we could decrypt y.But what about the intended recipient, who

should be able to decrypt y?

CPS 290 Page 16

One-Way Trapdoor Functions

A one-way function with a “trapdoor”The trapdoor is a key that makes it easy to

invert the function y = f(x)Example: RSA (conjectured to be hard to invert

without trapdoor)y = xe mod nWhere n = pq (p, q are prime)p or q or d (where ed = 1 mod (p-1)(q-1)) can

be used as trapdoorsIn public-key algorithms

f(x) = public key (e.g., e and n in RSA)Trapdoor = private key (e.g., d in RSA)

CPS 290 Page 17

One-way Hash Functions

Y = h(x) where– y is a fixed length independent of the size of

x. In general this means h is not invertible since it is many to one.

– Calculating y from x is easy– Calculating any x such that y = h(x) give y

is hardUsed in digital signatures and other protocols.

CPS 290 Page 18

Protocols: Digital Signatures

Goals:1. Convince recipient that message was

actually sent by a trusted source2. Do not allow repudiation, i.e., that’s not my

signature.3. Do not allow tampering with the message

without invalidating the signatureItem 2 turns out to be hard to do

CPS 290 Page 19

Using Public Keys

More Efficiently

Alice BobDk1(m)

Alice BobDk1(h(m)) + m

K1 = Alice’s private keyBob decrypts it with her public key

h(m) is a one-way hash of m