CSCI 6365 • Network Security and Management Instructor: Bin Fu, Ph.D • Office: ENGR 3.280 • Phone: 381-3635 Email: [email protected] • Web: http://cs.panam.edu/~binfu/


Page 1

CSCI 6365

• Network Security and Management

• Instructor: Bin Fu, Ph.D

• Office: ENGR 3.280

• Phone: 381-3635

• Email: [email protected]

• Web: http://cs.panam.edu/~binfu/

Page 2

Textbook

Textbook: Cryptography and Network Security, by William Stallings, Fourth Edition

Page 3

Topics

• Symmetric ciphers

• Block ciphers and DES

• Public key cryptography (RSA)

• Hash functions

• Key management

• Network Authentications

• IP security

• Web security

• Software security, etc.

Page 4

Exam, Assignment and Grade

• Midterm: 20%

• Final: 25%

• 4 assignments: 30%

• Attendance and Exercises in class: 25%

Page 5

Chapter 1 – Introduction

The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.

—The Art of War, Sun Tzu

Page 6

Background

• Information Security requirements have changed in recent times

• traditionally provided by physical and administrative mechanisms

• computer use requires automated tools to protect files and other stored information

• use of networks and communications links requires measures to protect data during transmission

Page 7

Definitions

• Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers

• Network Security - measures to protect data during their transmission

• Internet Security - measures to protect data during their transmission over a collection of interconnected networks

Page 8

Services, Mechanisms, Attacks

• need systematic way to define requirements

• consider three aspects of information security:
– security attack
– security mechanism
– security service

• consider in reverse order

Page 9

OSI Security Architecture

• ITU-T X.800 Security Architecture for OSI

• defines a systematic way of defining and providing security requirements

• for us it provides a useful, if abstract, overview of concepts we will study

Page 10

Security Services

• X.800 defines it as: a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers

• RFC 2828 defines it as: a processing or communication service provided by a system to give a specific kind of protection to system resources

• X.800 defines it in 5 major categories

Page 11

Security Services (X.800)

• Authentication - assurance that the communicating entity is the one claimed

• Access Control - prevention of the unauthorized use of a resource

• Data Confidentiality - protection of data from unauthorized disclosure

• Data Integrity - assurance that data received is as sent by an authorized entity

• Non-Repudiation - protection against denial by one of the parties in a communication

Page 12

Security Mechanisms (X.800)

• specific security mechanisms: encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization

• pervasive security mechanisms: trusted functionality, security labels, event detection, security audit trails, security recovery

Page 13

Classify Security Attacks as

• passive attacks - eavesdropping on, or monitoring of, transmissions, to:
– obtain message contents, or
– monitor traffic flows

• active attacks - modification of the data stream, to:
– masquerade as some other entity
– replay previous messages
– modify messages in transit
– deny service

Page 14

Model for Network Security

Page 15

Model for Network Security

• using this model requires us to:
– design a suitable algorithm for the security transformation
– generate the secret information (keys) used by the algorithm
– develop methods to distribute and share the secret information
– specify a protocol enabling the principals to use the transformation and secret information for a security service

Page 16

Model for Network Access Security

Page 17

Model for Network Access Security

• using this model requires us to:
– select appropriate gatekeeper functions to identify users
– implement security controls to ensure only authorised users access designated information or resources

• trusted computer systems can be used to implement this model

Page 18

Summary

• have considered:
– computer, network, internet security definitions
– security services, mechanisms, attacks
– X.800 standard
– models for network (access) security

Page 19

Cryptography

[Figure: cryptography between its theoretical impact and its application impact; algebra, number theory and complexity theory feed into cryptography, which in turn underpins security.]

Page 20

Two parts of cryptography

• Symmetric ciphers

If the encryption key is known, the decryption key is known (it is the same key). Examples: DES, AES

• Public key (asymmetric) ciphers

Even when the encryption key is known, the decryption key remains unknown. Example: RSA

Page 21

Basic Concepts in Cryptography

• Plaintext: Original intelligible message

• Encryption algorithm: convert plaintext into ciphertext

• Key: one of the inputs to the encryption algorithm; a different key produces a different ciphertext for the same plaintext

• Ciphertext: output of encryption, unintelligible data

• Decryption algorithm: takes the ciphertext and key to generate plaintext

Page 22

Model of Cryptosystem

[Figure: the sender encrypts message $X$ under key $K$ to produce $Y$; the receiver decrypts $Y$ with the same $K$ to recover $X$; $K$ reaches the receiver over a secure channel; a cryptanalyst who sees $Y$ produces estimates $X'$ and $K'$ of the message and the key.]

Page 23

Encryption and Decryption

• Message $X$, encryption key $K$, ciphertext $Y$

Encryption function: $Y = E_K(X)$

Decryption function: $X = D_K(Y)$

Page 24

Attacks

• Ciphertext only attack:

attacker only knows ciphertext

• Known Plaintext attack:

attacker gets some plaintext patterns and their encryptions

• Chosen-plaintext attack:

attacker chooses messages and obtains their encryptions

Page 25

Caesar Cipher

• Plain to cipher mapping

a b c d e f g h i j k l m n o p q r s t u v w x y z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

• Example

Plaintext: attack at midnight

Ciphertext: DWWDFN DW PLGQLJKW

Page 26

Two functions

• Number the letters: a b c … z ↔ 0 1 2 … 25

• The encryption function is $E(p) = (p + 3) \bmod 26$

• The decryption function is $D(c) = (c - 3) \bmod 26$

Page 27

Key space and security

• The Caesar cipher has only 26 possible shifts (25 if the identity shift is excluded)

• It is easy to break by brute force: try every key and keep the output that reads as English

Page 28

Monoalphabetic Cipher

• Plain letters to cipher letters

a b c d e f g h i j k l m n o p q r s t u v w x y z
Z E I R M F S K B H C U P Q G J T O V W X Y D A L N

• Plaintext to ciphertext

Plaintext: attack at midnight

Ciphertext: ZWWZIC ZW PBRQBSKW

Page 29

Monoalphabetic Cipher

• Plain:

a b c d e f g h i j k l m n o p q r s t u v w x y z

• Cipher: any permutation of the 26 letters

• Number of possible keys: $26! = 1 \times 2 \times 3 \times \cdots \times 25 \times 26 \approx 4 \times 10^{26}$, far too many for brute force

Page 30

Statistics for English Letters

• Frequency of the 26 letters (percent): E 12.7, T 9.0, A 8.1, O 7.5, I 6.9, N 6.7, S 6.3, H 6.0, R 5.9, D 4.2, L 4.0, C 2.7, U 2.7, M 2.4, W 2.3, F 2.2, G 2.0, Y 1.9, P 1.9, B 1.4, V 0.9, K 0.7, X 0.15, J 0.15, Q 0.09, Z 0.07

Page 31

Cipher Analysis

• Take a ciphertext long enough for letter statistics to be meaningful

• Count the frequency of every ciphertext letter and compare with the English frequencies

• Find the mapping of letters
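An added example (not from the slides) that carries the three steps above through in code: the shift cipher from the Caesar slides, a brute-force break that scores each of the 26 candidate shifts against the English letter frequencies from the slide with a chi-squared statistic, and the first-guess letter mapping for a monoalphabetic ciphertext. The sample plaintext and the cipher alphabet are the slides' own; `ENGLISH_FREQ`, `chi_squared` and the function names are this example's.

```python
from collections import Counter

# English letter frequencies (percent) as listed on the slide.
ENGLISH_FREQ = {
    'E': 12.7, 'T': 9.0, 'A': 8.1, 'O': 7.5, 'I': 6.9, 'N': 6.7, 'S': 6.3, 'H': 6.0,
    'R': 5.9, 'D': 4.2, 'L': 4.0, 'C': 2.7, 'U': 2.7, 'M': 2.4, 'W': 2.3, 'F': 2.2,
    'G': 2.0, 'Y': 1.9, 'P': 1.9, 'B': 1.4, 'V': 0.9, 'K': 0.7, 'X': 0.15, 'J': 0.15,
    'Q': 0.09, 'Z': 0.07,
}
ALPHABET = 'abcdefghijklmnopqrstuvwxyz'


def caesar(text, shift):
    """E(p) = (p + shift) mod 26 on letters; a negative shift decrypts. Other characters pass through."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord('A') if ch.isupper() else ord('a')
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return ''.join(out)


def mono_encrypt(text, cipher_alphabet):
    """Monoalphabetic substitution: plain letter number i becomes cipher_alphabet[i]."""
    return text.lower().translate(str.maketrans(ALPHABET, cipher_alphabet))


def chi_squared(text):
    """How far the letter counts of text are from what English would produce (lower is closer)."""
    letters = [c for c in text.upper() if c.isalpha()]
    n = len(letters)
    if n == 0:
        return float('inf')
    counts = Counter(letters)
    score = 0.0
    for letter, pct in ENGLISH_FREQ.items():
        expected = n * pct / 100
        score += (counts.get(letter, 0) - expected) ** 2 / expected
    return score


def break_caesar(ciphertext):
    """Brute force: try all 26 shifts and keep the one whose output looks most like English."""
    best = min(range(26), key=lambda k: chi_squared(caesar(ciphertext, -k)))
    return best, caesar(ciphertext, -best)


def frequency_guess(ciphertext):
    """First guess for a monoalphabetic key: rank ciphertext letters by count and pair
    them with English letters in frequency order. Only a starting point for hand refinement."""
    english_order = sorted(ENGLISH_FREQ, key=ENGLISH_FREQ.get, reverse=True)
    counts = Counter(c for c in ciphertext.upper() if c.isalpha())
    ranked = [letter for letter, _ in counts.most_common()]
    return dict(zip(ranked, english_order))
```

The monoalphabetic guess is only a starting point: letters of similar frequency (C/U, Y/P, X/J, and often T/E/A/O) come out swapped, and the rest of the mapping is fixed by hand from digram and word patterns, which is why a ciphertext of a few hundred letters is needed.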

Page 32

Multiple Substitutes

• A letter may be assigned several cipher symbols (homophones), e.g. e → 3, 7, 23

• This makes statistical attacks much harder

Page 33

Playfair Cipher

• Key: monarchy

M O N A R

C H Y B D

E F G I/J K

L P Q S T

U V W X Z

Page 34

Pairing before Encryption

• Pair up letters: walk → (wa)(lk)

• Insert a filler letter between two identical letters in a pair: balloon → (ba)(lx)(lo)(on)

Page 35

Encryption Rules

• ar → RM: plaintext letters in the same row are each replaced by the letter to the right (circularly)

• mu → CM: plaintext letters in the same column are each replaced by the letter beneath (circularly)

• bp → HS: otherwise each plaintext letter is replaced by the letter in its own row and the column of the other letter
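An added example, not part of the slides, that implements the Playfair procedure end to end: building the 5×5 square from the keyword, pairing with a filler, and the three rules in both directions. The key `monarchy` and the pairs are the slides' examples; the filler choices (`x`, and `q` when the doubled letter is itself `x`) and all names are this example's own.

```python
ALPHABET25 = 'abcdefghiklmnopqrstuvwxyz'     # i and j share one cell


def playfair_square(key):
    """5x5 square: key letters first (duplicates dropped), then the remaining letters."""
    cells = []
    for ch in key.lower().replace('j', 'i') + ALPHABET25:
        if ch in ALPHABET25 and ch not in cells:
            cells.append(ch)
    return [cells[r * 5:(r + 1) * 5] for r in range(5)]


def playfair_pairs(text, filler='x'):
    """Pair up the letters; a pair of equal letters gets the filler between them,
    and an odd trailing letter is padded with it."""
    letters = [c for c in text.lower().replace('j', 'i') if c in ALPHABET25]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else filler
        if a == b:
            pairs.append((a, filler if a != filler else 'q'))
            i += 1
        else:
            pairs.append((a, b))
            i += 2
    return pairs


def _position(square, ch):
    for r, row in enumerate(square):
        if ch in row:
            return r, row.index(ch)
    raise ValueError(ch)


def playfair_pair(square, a, b, d):
    """The three rules; d = +1 encrypts and d = -1 decrypts (shift the other way)."""
    ra, ca = _position(square, a)
    rb, cb = _position(square, b)
    if ra == rb:                                   # same row: take the letter to the right
        return square[ra][(ca + d) % 5] + square[ra][(cb + d) % 5]
    if ca == cb:                                   # same column: take the letter beneath
        return square[(ra + d) % 5][ca] + square[(rb + d) % 5][ca]
    return square[ra][cb] + square[rb][ca]         # rectangle: own row, other letter's column


def playfair_encrypt(text, key):
    square = playfair_square(key)
    return ''.join(playfair_pair(square, a, b, +1) for a, b in playfair_pairs(text)).upper()


def playfair_decrypt(ciphertext, key):
    """Decrypt pair by pair; fillers are left in place for the reader to drop."""
    square = playfair_square(key)
    letters = [c for c in ciphertext.lower() if c in ALPHABET25]
    return ''.join(playfair_pair(square, letters[i], letters[i + 1], -1)
                   for i in range(0, len(letters) - 1, 2))
```

Each pair is encrypted by a rule that depends on the pair, so a plaintext letter no longer maps to one fixed ciphertext letter; the cipher still falls to digram statistics over the roughly 600 possible pairs, which need a correspondingly longer ciphertext.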

Page 36

Advantage of playfair over monoalphabetic

• Multiple substitutes

• Making frequency analysis more difficult

Page 37

Polyalphabetic Cipher

• 6 letters: a b c d e f

a A B C D E F

b B C D E F A

c C D E F A B

d D E F A B C

e E F A B C D

f F A B C D E

Page 38

Encryption rules

• Keyword: dece

• Key: d e c e d e c e d e c e d
• Plaintext: f d e f e c a b c c c e d
• Ciphertext: C B A D B A C F F A E C A

• The key letter "d" selects row "d"; the plaintext letter "f" selects column "f"; the cipher letter is at the intersection of row "d" and column "f", which is "C"

Page 39

Polyalphabetic Cipher

• 26 letters: a b c d e f …….

a A B C D E F …….

b B C D E F G …….

c C D E F G H …….

d D E F G H I …….

e E F G H I J …….

f F G H I J K …….

……

Page 40

Advantage

• Each plaintext letter may be mapped to any of the 26 letters.
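An added example that implements the tabula recta above for an arbitrary alphabet, so the slide's six-letter case and the 26-letter case are the same code. Example code, not the slides' own; the 6-letter alphabet, the key `dece` and the plaintext are the slide's, the function names are this example's.

```python
def tabula_recta(alphabet='abcdefghijklmnopqrstuvwxyz'):
    """The table from the slides: row r is the alphabet rotated left by r positions."""
    n = len(alphabet)
    return [''.join(alphabet[(r + c) % n] for c in range(n)).upper() for r in range(n)]


def vigenere(text, key, alphabet='abcdefghijklmnopqrstuvwxyz', decrypt=False):
    """Polyalphabetic substitution over any alphabet: letter number i of the text is
    shifted by key letter number i mod len(key), i.e. c = (p + k) mod n; decryption
    uses (c - k) mod n. Row = key letter, column = plaintext letter in the table."""
    n = len(alphabet)
    index = {ch: i for i, ch in enumerate(alphabet)}
    letters = [ch for ch in text.lower() if ch in index]
    out = []
    for i, ch in enumerate(letters):
        p, k = index[ch], index[key[i % len(key)].lower()]
        out.append(alphabet[(p - k) % n if decrypt else (p + k) % n])
    result = ''.join(out)
    return result if decrypt else result.upper()
```

Letters whose positions differ by a multiple of the key length are shifted identically, so once the key length is known the ciphertext splits into len(key) separate Caesar ciphers, each of which falls to the frequency analysis above.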

Page 41

Basic Properties of Mod

• For integers x, y, and k, $x \equiv y \pmod{k}$ if there is an integer z such that $x - y = z \cdot k$

• Example: x = 7, y = 11, k = 4: $7 \equiv 11 \pmod 4$, since $7 - 11 = -4 = (-1) \cdot 4$

• $x \equiv y \pmod k$ iff x and y have the same remainder when divided by k

Page 42

Mod k

• Assume $x \equiv y \pmod k$ and $u \equiv v \pmod k$; then

$x + u \equiv y + v \pmod k$

$x \cdot u \equiv y \cdot v \pmod k$

Page 43

Hill Cipher

• Take m successive plaintext letters and substitutes for them m ciphertext letters

• Each letter is assigned a numerical value

• The Substitution is via a linear transformation

Page 44

Hill Cipher

$$\begin{pmatrix} c_1 \\ c_2 \\ c_3 \end{pmatrix} = \begin{pmatrix} k_{11} & k_{12} & k_{13} \\ k_{21} & k_{22} & k_{23} \\ k_{31} & k_{32} & k_{33} \end{pmatrix} \begin{pmatrix} p_1 \\ p_2 \\ p_3 \end{pmatrix} \bmod 26$$

that is,

$c_1 = (k_{11} p_1 + k_{12} p_2 + k_{13} p_3) \bmod 26$

$c_2 = (k_{21} p_1 + k_{22} p_2 + k_{23} p_3) \bmod 26$

$c_3 = (k_{31} p_1 + k_{32} p_2 + k_{33} p_3) \bmod 26$

Page 45

Matrix Multiplication

• For two matrices $A = (a_{i,j})_{l \times m}$ and $B = (b_{j,k})_{m \times n}$, the product $C = AB = (c_{i,k})_{l \times n}$ has entries

$$c_{i,k} = \sum_{j=1}^{m} a_{i,j}\, b_{j,k}$$

Page 46

Properties of matrix product

• Associative: (AB)C=A(BC)

• IA=AI=A, where I is the unit matrix

1 0 0 … 0

I= 0 1 0 … 0

0 0 1 … 0

……

0 0 0 … 1

Page 47

Inverse of matrix

• For a matrix $A = (a_{i,j})_{n \times n}$, if there is another matrix $B = (b_{i,j})_{n \times n}$ such that $AB = I$, where $I$ is the unit matrix, then $B$ is called the inverse of $A$, denoted $B = A^{-1}$

Page 48

Hill Cipher

• $C = K P \bmod 26$

$C$ is a column of m cipher letters

$K$ is an m×m matrix

$P$ is a column of m plain letters

• $K$ is invertible, with inverse $K^{-1}$ satisfying $K K^{-1} = I \pmod{26}$

$I$ is the m×m matrix with ones on the main diagonal and zeros everywhere else

Page 49

Encryption and Decryption

• Encryption: $C = E_K(P) = K P \bmod 26$

• Decryption: $P = D_K(C) = K^{-1} C \bmod 26 = K^{-1} K P = I P = P$

Page 50

Example

$$K = \begin{pmatrix} 17 & 17 & 5 \\ 21 & 18 & 21 \\ 2 & 2 & 19 \end{pmatrix}, \qquad K^{-1} = \begin{pmatrix} 4 & 9 & 15 \\ 15 & 17 & 6 \\ 24 & 0 & 17 \end{pmatrix}$$

Page 51

Example

$$K K^{-1} = \begin{pmatrix} 443 & 442 & 442 \\ 858 & 495 & 780 \\ 494 & 52 & 365 \end{pmatrix} \bmod 26 = \begin{pmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{pmatrix}$$

Page 52

Hill Cipher Security

Known-plaintext attack: take three plaintext blocks and their ciphertext blocks as the columns of matrices $P$ and $C$. Then

$$\begin{pmatrix} c_{11} & c_{12} & c_{13} \\ c_{21} & c_{22} & c_{23} \\ c_{31} & c_{32} & c_{33} \end{pmatrix} = \begin{pmatrix} k_{11} & k_{12} & k_{13} \\ k_{21} & k_{22} & k_{23} \\ k_{31} & k_{32} & k_{33} \end{pmatrix} \begin{pmatrix} p_{11} & p_{12} & p_{13} \\ p_{21} & p_{22} & p_{23} \\ p_{31} & p_{32} & p_{33} \end{pmatrix} \bmod 26$$

$C = K P$, so if $P$ is invertible mod 26, $K = C P^{-1} \bmod 26$

Page 53

Conclusion

• The Hill cipher is easy to break by a known-plaintext attack: m plaintext/ciphertext block pairs whose plaintext matrix is invertible mod 26 give $K$ directly
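An added example (not the slides' own code) that works the Hill cipher through with the key from the example slides: the matrix inverse modulo 26 via the adjugate, encryption and decryption with $C = KP$ and $P = K^{-1}C$, and the known-plaintext attack $K = CP^{-1}$ from the security slide. The key matrix and its inverse are the slides'; the plaintexts `paymoremoney` and `hillcipherdemo`, the `x` padding and all function names are this example's assumptions.

```python
from itertools import combinations
from math import gcd

MOD = 26
LETTERS = 'abcdefghijklmnopqrstuvwxyz'


def det(m):
    """Exact integer determinant by cofactor expansion along the first row (fine for small m)."""
    n = len(m)
    if n == 0:
        return 1
    return sum((-1) ** j * m[0][j] * det([row[:j] + row[j + 1:] for row in m[1:]])
               for j in range(n))


def inverse_mod(m, mod=MOD):
    """Inverse of a square matrix modulo mod via the adjugate: A^{-1} = det(A)^{-1} adj(A).
    Returns None when det(A) shares a factor with mod (then no inverse exists)."""
    n = len(m)
    d = det(m) % mod
    if gcd(d, mod) != 1:
        return None
    d_inv = pow(d, -1, mod)
    inv = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            minor = [row[:j] + row[j + 1:] for r, row in enumerate(m) if r != i]
            inv[j][i] = (d_inv * (-1) ** (i + j) * det(minor)) % mod   # adjugate is transposed
    return inv


def matmul_mod(a, b, mod=MOD):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) % mod
             for j in range(len(b[0]))] for i in range(len(a))]


def blocks(text, m, pad='x'):
    """Letters of text as numbers 0..25, padded with pad to a multiple of m, split into blocks."""
    nums = [LETTERS.index(c) for c in text.lower() if c in LETTERS]
    nums += [LETTERS.index(pad)] * (-len(nums) % m)
    return [nums[i:i + m] for i in range(0, len(nums), m)]


def hill_encrypt(plaintext, K):
    """C = K P mod 26, one column vector P of m letters at a time."""
    out = []
    for blk in blocks(plaintext, len(K)):
        out.extend(c[0] for c in matmul_mod(K, [[p] for p in blk]))
    return ''.join(LETTERS[c] for c in out).upper()


def hill_decrypt(ciphertext, K):
    """P = K^{-1} C mod 26."""
    K_inv = inverse_mod(K)
    if K_inv is None:
        raise ValueError('key matrix is not invertible mod 26')
    return hill_encrypt(ciphertext, K_inv).lower()


def known_plaintext_attack(plaintext, ciphertext, m):
    """Recover K from m plaintext/ciphertext block pairs: with the blocks as the columns
    of P and C we have C = K P, so K = C P^{-1} mod 26. Any m pairs with P invertible
    will do, so the attacker tries combinations of blocks until one works."""
    p_blocks = blocks(plaintext, m)
    c_blocks = blocks(ciphertext, m)
    for idx in combinations(range(len(p_blocks)), m):
        P = [[p_blocks[j][i] for j in idx] for i in range(m)]
        P_inv = inverse_mod(P)
        if P_inv is None:
            continue                 # det(P) even or divisible by 13: try other blocks
        C = [[c_blocks[j][i] for j in idx] for i in range(m)]
        return matmul_mod(C, P_inv)
    return None
```

`known_plaintext_attack` skips block triples whose plaintext matrix has an even determinant or one divisible by 13, since those have no inverse modulo 26; a few more blocks of known plaintext always supply an invertible one.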

Page 54

Problems

1. Encrypt the plaintext with Polyalphabetic Cipher with the key decedece: BEEF

2. The ciphertext below comes from Playfair encryption. Convert it into plaintext, showing each of your steps:

SENASXFNMG

Page 55

Encryption for binary message

• $a \oplus b = 1$ iff a and b are different

• Encryption: $c_i = p_i \oplus k_i$

• $p_i$ = i-th binary digit of plaintext, $k_i$ = i-th binary digit of key, $c_i$ = i-th binary digit of ciphertext

Page 56

Decryption for binary message

• Decryption: $p_i = c_i \oplus k_i$

• $p_i$ = i-th binary digit of plaintext, $k_i$ = i-th binary digit of key, $c_i$ = i-th binary digit of ciphertext

• Why it works: $c_i \oplus k_i = (p_i \oplus k_i) \oplus k_i = p_i \oplus (k_i \oplus k_i) = p_i \oplus 0 = p_i$

Page 57

Transposition techniques

• Encryption permutes the positions of the plaintext letters

• Plaintext: attack postponed until two am xyz

• Write the message in row:

a t t a c k p

o s t p o n e

d u n t i l t

w o a m x y z

• Read by column:

aodwtsuottnaaptmcoixknlypetz

Page 58

Transposition techniques

• Permute the order of columns

Key: 4 3 1 2 5 6 7

a t t a c k p

o s t p o n e

d u n t i l t

w o a m x y z

• Ciphertext:

ttna aptm tsuo aodw coix knly petz

Page 59

Second round

• Input: ttna aptm tsuo aodw coix knly petz

• Permute the order of columns

Key: 4 3 1 2 5 6 7

t t n a a p t

m t s u o a o

d w c o i x k

n l y p e t z

• Ciphertext:

nscy auop ttwl tmdn aoie paxt tokz
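An added example, not from the slides, implementing the columnar transposition above with the slide's key `4 3 1 2 5 6 7`, its decryption, and the repeated (second-round) application. The message and key are the slides'; padding with `x` and the function names are this example's.

```python
def columnar_encrypt(text, key):
    """Write the message in rows of len(key) letters, then read the columns out in the
    order the key gives (the column labelled 1 first). Pads with 'x' to fill the last row."""
    n = len(key)
    text = text + 'x' * (-len(text) % n)
    rows = [text[i:i + n] for i in range(0, len(text), n)]
    order = sorted(range(n), key=lambda j: key[j])     # column indices, key value 1 first
    return ''.join(''.join(row[j] for row in rows) for j in order)


def columnar_decrypt(ciphertext, key):
    """Cut the ciphertext into columns of equal height, put them back in key order, read rows."""
    n = len(key)
    height = len(ciphertext) // n
    order = sorted(range(n), key=lambda j: key[j])
    cols = [''] * n
    for pos, j in enumerate(order):
        cols[j] = ciphertext[pos * height:(pos + 1) * height]
    return ''.join(cols[j][r] for r in range(height) for j in range(n))


def double_transposition(text, key, rounds=2, decrypt=False):
    """Apply the same columnar transposition several times (the slide's 'second round').
    With one key, decryption is the inverse step applied the same number of times."""
    step = columnar_decrypt if decrypt else columnar_encrypt
    for _ in range(rounds):
        text = step(text, key)
    return text
```

A transposition leaves the letter frequencies untouched, which is how it is recognised, and a single round leaves many plaintext digrams at a fixed distance apart in the ciphertext; the second round breaks that regularity, which is why it is applied.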

Page 60

Two basic methods

• Substitution

monoalphabetic cipher

polyalphabetic cipher

• Permutation

transposition

Page 61

Block Cipher

• Block cipher: a block of plaintext is treated as a whole and used to produce a ciphertext of the same length

• The mapping can be described by a table (2-bit blocks):

Plaintext → Ciphertext
00 → 11
01 → 10
10 → 00
11 → 01

• Key size for an n-bit block is $n \cdot 2^n$ bits, since the key is the whole table: $2^n$ entries of n bits each

Page 62

Principles of block cipher design

• Diffusion

The statistical structure of the plaintext is dissipated into long-range statistics of the ciphertext

• Confusion

Make the relationship between the ciphertext and the key as complicated as possible

Page 63

Diffusion

• Let each plaintext digit affect many ciphertext digits

• Example 1: the Hill cipher, where every $c_i = (k_{i1} p_1 + k_{i2} p_2 + k_{i3} p_3) \bmod 26$ depends on all three plaintext letters of the block

• Example 2: for a message $M = m_1, m_2, m_3, \ldots$ let the ciphertext be

$$y_n = \Big( \sum_{i=1}^{k} m_{n+i} \Big) \bmod 26$$

so that each ciphertext letter is a sum of k consecutive plaintext letters

Page 64

Diffusion and confusion

• Diffusion dissipates the statistical structure of the plaintext into the ciphertext; confusion hides the relationship between the key and the ciphertext

• Confusion is usually achieved by substitution

Page 65

Magic function f(x)

• For every integer x, f(x) is easy to compute.

• Given f(x), it is very hard to recover any information about x (one-way)

• It is computationally infeasible to find different x and y with f(x) = f(y) (collision resistant)

Page 66

Protocol

• Alice picks a random integer x and computes f(x); she reads f(x) to Bob over the phone

• Bob tells Alice his guess: x is even or odd

• Alice reads x to Bob

• Bob recomputes f(x), checks it against the value he received, and sees whether his guess was correct
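An added example, not part of the slides, that plays the protocol above between the two parties in code. SHA-256 stands in for the magic function f; the random nonce mixed into f(x) is an addition to the slide's protocol, needed because otherwise Bob could brute-force a small x from f(x) before guessing. All function names are this example's own.

```python
import hashlib
import secrets


def f(x, nonce):
    """Stand-in for the slide's one-way function: SHA-256 over x and a random nonce.
    The nonce is this example's addition: without it Bob could enumerate small x."""
    return hashlib.sha256(x.to_bytes(16, 'big') + nonce).hexdigest()


def alice_commit():
    """Alice picks x and sends f(x); x and the nonce stay with her until Bob has guessed."""
    x = secrets.randbelow(1 << 64)
    nonce = secrets.token_bytes(16)
    return x, nonce, f(x, nonce)


def bob_guess():
    return secrets.choice(['even', 'odd'])


def bob_verify(commitment, x, nonce, guess):
    """Bob recomputes f(x) from what Alice reveals. None means Alice changed x after the
    guess (the commitment did not bind); otherwise True/False says whether Bob was right."""
    if f(x, nonce) != commitment:
        return None
    return guess == ('even' if x % 2 == 0 else 'odd')


def coin_flip():
    """The messages of the protocol in order; returns Bob's verdict and the values used."""
    x, nonce, commitment = alice_commit()             # 1. Alice -> Bob: f(x)
    guess = bob_guess()                               # 2. Bob -> Alice: even or odd
    result = bob_verify(commitment, x, nonce, guess)  # 3. Alice -> Bob: x, nonce; 4. Bob checks
    return result, x, guess
```

The commitment is binding because of property 3 (Alice cannot find a second x with the same f value) and hiding because of property 2 together with the nonce (Bob learns nothing about the parity of x from f(x)).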

Page 67

Problem

The following cipher text is from the transposition method with the key 4132. Get the plaintext back.

OCLTG NNENT OAEOH NESPI

Page 68

DES

• The Data Encryption Standard (DES) was established by the National Bureau of Standards in 1977

• Most widely used encryption scheme, especially in financial applications

Page 69

DES

• DES is a block cipher

• Each plaintext block is a 64-bit {0,1} string

• Each ciphertext block is a 64-bit {0,1} string

• The key is a 56-bit {0,1} string

• It is a combination of substitution and permutation

Page 70

Three stages

• Stage 1: apply a fixed permutation IP: $(L_0, R_0) = IP(\text{Input Block})$

• Stage 2: 16 rounds of operations (i = 1, 2, …, 16):

$L_i = R_{i-1}$

$R_i = L_{i-1} \oplus f(R_{i-1}, k_i)$

• Stage 3: Output block $= IP^{-1}(R_{16}, L_{16})$

Page 71

Stage 1

• Apply a fixed permutation IP: $(L_0, R_0) = IP(\text{Input Block})$

• $L_0$ is the left 32 bits

• $R_0$ is the right 32 bits

• IP is a fixed permutation function

Page 72

Stage 2

• 16 rounds of operations (i = 1, 2, …, 16):

$L_i = R_{i-1}$

$R_i = L_{i-1} \oplus f(R_{i-1}, k_i)$

• Function f is called the "S-box" function ("S" for substitution)

• $k_i$ is a 48-bit round key, made of bits selected from the (shifted) 56-bit input key

Page 73

One Round Feistel Cipher

• One round

[Figure: inputs $L_{i-1}$ and $R_{i-1}$; $R_{i-1}$ becomes $L_i$ and is also fed, with $k_i$, into f; $R_i = L_{i-1} \oplus f(R_{i-1}, k_i)$.]

Page 74

Principles

• The substitution is used in the f

• The permutation is applied in each of the 16 rounds

Page 75

[Figure: the 16 rounds chained together: $(L_0, R_0) \to f \to (L_1, R_1) \to f \to (L_2, R_2) \to \cdots \to (L_{16}, R_{16})$.]

Page 76

One Round Feistel Cipher

• The last round

[Figure: inputs $L_{15}$ and $R_{15}$ with round key $k_{16}$; outputs $L_{16} = R_{15}$ and $R_{16} = L_{15} \oplus f(R_{15}, k_{16})$.]

Page 77

Decryption

• First stage: $IP(c) = IP(IP^{-1}(R_{16}, L_{16})) = (R_{16}, L_{16}) = (L'_0, R'_0)$

• Second stage (the first decryption round, using $k_{16}$):

$L'_1 = R'_0 = L_{16} = R_{15}$

$R'_1 = L'_0 \oplus f(R'_0, k_{16}) = R_{16} \oplus f(L_{16}, k_{16}) = (L_{15} \oplus f(R_{15}, k_{16})) \oplus f(R_{15}, k_{16}) = L_{15}$

Page 78

Decryption

• Inverse of DES: running the rounds with the round keys in reverse order gives

$(L'_1, R'_1) = (R_{15}, L_{15})$

$(L'_2, R'_2) = (R_{14}, L_{14})$

$(L'_3, R'_3) = (R_{13}, L_{13})$

…

$(L'_{16}, R'_{16}) = (R_0, L_0)$

Page 79

Function $f(R_{i-1}, K_i)$

$$f(R_{i-1}, K_i) = P(S(E(R_{i-1}) \oplus K_i))$$

[Figure: $R_{i-1}$ (32 bits) → E → 48 bits; XOR with $K_i$ (48 bits); the 48 bits are split into eight 6-bit groups fed to S-boxes $S_1, \ldots, S_8$, each producing 4 bits (32 bits in total); → P → 32 bits.]

Page 80

Function

$f(R_{i-1}, K_i) = P(S(E(R_{i-1}) \oplus K_i))$ is computed as

• (a) $T = E(R_{i-1})$: expansion from 32 bits to 48 bits

• (b) $T' = T \oplus K_i = (B_1, \ldots, B_8)$, each $B_i$ is 6 bits

• (c) $T'' = (S_1(B_1), S_2(B_2), \ldots, S_8(B_8))$; each $S_i$ is a 4×16 table with a 4-bit entry in every cell, and $B_i$ selects an entry of $S_i$ (its two outer bits pick the row, its four middle bits the column)

• (d) $T''' = P(T'')$

Page 81

Design of function f

• Function f makes the DES nonlinear

• The S box makes function f nonlinear

Page 82

Design of f

• Strict avalanche criterion: when input bit i is inverted, any output bit j of an S-box should change with probability 1/2

• Bit independence criterion: output bits j and k should change independently when any input bit i is inverted

• Both criteria depend on the design of the S-boxes, which has been studied extensively

Page 83

Choice of parameters

• Block size: larger size means greater security, and less efficiency

• Key size: larger key size means greater security, and slower speed

• Number of rounds: Single round is inadequate

Page 86

E table

• E is a fixed expansion that maps 32 bits to 48 bits

Each entry of E determines which bit to select from 32 bits

32 1 2 3 4 5

4 5 6 7 8 9

8 9 10 11 12 13

12 13 14 15 16 17

16 17 18 19 20 21

20 21 22 23 24 25

24 25 26 27 28 29

28 29 30 31 32 1

Page 87

P table

• P is a fixed permutation of 32 bits:

16 7 20 21 29 12 28 17
1 15 23 26 5 18 31 10
2 8 24 14 32 27 3 9
19 13 30 6 22 11 4 25
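An added example, not the slides' own code, that applies the E and P tables above as bit-selection tables and checks what the slides say about them: E uses sixteen input bits twice, P is a true permutation (so it can be inverted), and the 48-bit output of E splits into the eight 6-bit S-box inputs. The tables are the slides'; the function names are this example's.

```python
# E and P tables as given on the slides. DES numbers bits 1..32 from the most significant
# (leftmost) end, so entry t of a table selects input bit t counted from the left.
E_TABLE = [32, 1, 2, 3, 4, 5,
           4, 5, 6, 7, 8, 9,
           8, 9, 10, 11, 12, 13,
           12, 13, 14, 15, 16, 17,
           16, 17, 18, 19, 20, 21,
           20, 21, 22, 23, 24, 25,
           24, 25, 26, 27, 28, 29,
           28, 29, 30, 31, 32, 1]
P_TABLE = [16, 7, 20, 21, 29, 12, 28, 17,
           1, 15, 23, 26, 5, 18, 31, 10,
           2, 8, 24, 14, 32, 27, 3, 9,
           19, 13, 30, 6, 22, 11, 4, 25]


def select_bits(value, table, in_bits):
    """Output bit i (from the left) is input bit table[i] (from the left)."""
    out = 0
    for t in table:
        out = (out << 1) | ((value >> (in_bits - t)) & 1)
    return out


def expand_E(r32):
    """32 -> 48 bits. Sixteen input bits appear twice, at the edges of adjacent 6-bit groups."""
    return select_bits(r32, E_TABLE, 32)


def permute_P(x32):
    """32 -> 32 bits; a true permutation (every bit used exactly once)."""
    return select_bits(x32, P_TABLE, 32)


def inverse_table(table):
    """Inverse of a permutation table; meaningless for E, which is not one-to-one."""
    inv = [0] * len(table)
    for i, t in enumerate(table):
        inv[t - 1] = i + 1
    return inv


def unpermute_P(y32):
    return select_bits(y32, inverse_table(P_TABLE), 32)


def six_bit_groups(t48):
    """Split the 48-bit T' = E(R) xor K into B_1..B_8, the inputs to S_1..S_8."""
    return [(t48 >> (42 - 6 * i)) & 0x3F for i in range(8)]


def is_permutation(table, n):
    """True when the table lists each of 1..n exactly once."""
    return sorted(table) == list(range(1, n + 1))
```

`inverse_table` is what a decryptor needs for IP and P; applying it to E would be wrong because E is not one-to-one, which is also why the round structure, not an inverse of f, is what makes DES decryptable.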

Page 88

Key generation

Input: 56-bit key $K = k_1 k_2 \ldots k_{56}$

$v_i = 1$ for $i = 1, 2, 9, 16$; $v_i = 2$ otherwise

$T = PC1(K) = (C_0, D_0)$, 28 bits each

for i = 1 to 16 do

$C_i = LS_{v_i}(C_{i-1})$, $D_i = LS_{v_i}(D_{i-1})$ (left circular shift by $v_i$ positions)

$K_i = PC2(C_i, D_i)$, 48 bits

Page 89

PC1 and PC2

• PC1(K) is the permutation of 56 bits of K

• PC2(C,D) selects 48 bits from the 56 bits input through a table

Page 90

Electronic Codebook Mode

• ECB: $C_j = E_K(P_j)$, for plaintext blocks $P_1, P_2, \ldots, P_N$ and ciphertext blocks $C_1, C_2, \ldots, C_N$ (64 bits each)

• Identical plaintext blocks give identical ciphertext blocks, and an attacker may substitute or reorder ciphertext blocks without the change being detected

Page 91

Cipher Block Chaining Mode

• Encryption: $C_j = E_K[C_{j-1} \oplus P_j]$

[Figure: a chain of Encrypt boxes under key $K$; IV is XORed into $P_1$, then each $C_{j-1}$ is XORed into $P_j$ before encryption, producing $C_1, C_2, \ldots, C_N$.]

Page 92

IV

• IV should be a confidential message• It is used for encrypting the first block

)( 11 PIVEC K

)( 11 CDIVP K

Page 93

Decryption

• Decryption of CBC: $C_{j-1} \oplus D_K[C_j] = C_{j-1} \oplus C_{j-1} \oplus P_j = P_j$, because

$D_K[C_j] = D_K[E_K(C_{j-1} \oplus P_j)] = C_{j-1} \oplus P_j$

Page 94

CBC Decryption

• Decryption: $P_j = C_{j-1} \oplus D_K[C_j]$, with $C_0 = IV$

(Figure: each $C_j$ is decrypted under $K$ and XORed with $C_{j-1}$, with $IV$ for the first block, giving $P_1, P_2, \ldots, P_N$.)

Page 95

Cipher Feedback Mode

• CFB, with $S_s(x)$ denoting the leftmost $s$ bits of $x$:

$C_1 = P_1 \oplus S_s(E_K(IV))$

$P_1 = C_1 \oplus S_s(E_K(IV))$

Page 96

CFB

• CFB encryption

(Figure: a 64-bit shift register starts as $IV$; each step encrypts the register under $K$, takes the leftmost $s$ bits, and XORs them with the $s$-bit plaintext unit $P_j$ to give $C_j$; the register is then shifted left by $s$ bits and $C_j$ is shifted into its rightmost $s$ bits. Units $P_1, P_2, \ldots, P_M$ give $C_1, C_2, \ldots, C_M$.)

Page 97

CFB Decryption

(Figure: the same shift register and the same encryption of it under $K$ (decryption never uses $D_K$); the leftmost $s$ bits of the output are XORed with $C_j$ to recover $P_j$, and $C_j$ is shifted into the register. $C_1, C_2, \ldots, C_M$ give $P_1, P_2, \ldots, P_M$.)
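The three modes of the preceding slides run end to end, as an added Python example that is not code from the course. Python has no DES in its standard library, so the block cipher is a constructed stand-in: a 64-bit, 16-round Feistel cipher whose round function is cut from SHA-256. It is not secure and exists only so that ECB, CBC and CFB can be exercised; everything else (the chaining equations, the shift register, the `repeated_blocks` check) is the material of the slides. CFB is done on $s$-byte rather than $s$-bit units. The key and IV are constructed sample values.

```python
# Added example, not code from the lecture slides.
import hashlib

BLOCK = 8  # 64-bit blocks, like DES


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(right, round_key):
    """Round function f(R, K_i): 32 bits of SHA-256(K_i || R). Not invertible,
    and the Feistel structure below does not need it to be (problem 1d)."""
    return hashlib.sha256(round_key + right).digest()[:4]


def _round_keys(key):
    return [hashlib.sha256(key + bytes([i])).digest()[:6] for i in range(16)]


def encrypt_block(key, block):
    l, r = block[:4], block[4:]
    for k in _round_keys(key):
        l, r = r, _xor(l, _f(r, k))  # L_i = R_{i-1}, R_i = L_{i-1} xor f(R_{i-1}, K_i)
    return r + l  # final swap, as in DES


def decrypt_block(key, block):
    l, r = block[:4], block[4:]
    for k in reversed(_round_keys(key)):  # same rounds, keys in reverse order
        l, r = r, _xor(l, _f(r, k))
    return r + l


def _blocks(data):
    if len(data) % BLOCK:
        raise ValueError("ECB/CBC need a multiple of 8 bytes (pad first)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, plaintext):
    return b"".join(encrypt_block(key, p) for p in _blocks(plaintext))


def ecb_decrypt(key, ciphertext):
    return b"".join(decrypt_block(key, c) for c in _blocks(ciphertext))


def cbc_encrypt(key, iv, plaintext):
    out, prev = [], iv
    for p in _blocks(plaintext):
        prev = encrypt_block(key, _xor(prev, p))  # C_j = E_K[C_{j-1} xor P_j]
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for c in _blocks(ciphertext):
        out.append(_xor(prev, decrypt_block(key, c)))  # P_j = C_{j-1} xor D_K[C_j]
        prev = c
    return b"".join(out)


def cfb_encrypt(key, iv, plaintext, s=1):
    """CFB on s-byte units: C_j = P_j xor S_s(E_K(register)), then C_j is
    shifted into the register."""
    reg, out = iv, []
    for i in range(0, len(plaintext), s):
        c = _xor(plaintext[i:i + s], encrypt_block(key, reg))
        out.append(c)
        reg = (reg + c)[-BLOCK:]
    return b"".join(out)


def cfb_decrypt(key, iv, ciphertext, s=1):
    reg, out = iv, []
    for i in range(0, len(ciphertext), s):
        c = ciphertext[i:i + s]
        out.append(_xor(c, encrypt_block(key, reg)))  # E_K again, never D_K
        reg = (reg + c)[-BLOCK:]
    return b"".join(out)


def repeated_blocks(ciphertext):
    """Index pairs of identical 8-byte ciphertext blocks. Under ECB these
    reveal equal plaintext blocks; under CBC/CFB the list should be empty."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return [(i, j) for i in range(len(blocks))
            for j in range(i + 1, len(blocks)) if blocks[i] == blocks[j]]


if __name__ == "__main__":
    key, iv = b"\x01\x23\x45\x67\x89\xab\xcd\xef", bytes(range(8))  # constructed
    msg = b"BLOCK_01BLOCK_01BLOCK_02"  # two equal blocks, then a different one
    print("ECB repeats:", repeated_blocks(ecb_encrypt(key, msg)))
    print("CBC repeats:", repeated_blocks(cbc_encrypt(key, iv, msg)))
    print(cfb_decrypt(key, iv, cfb_encrypt(key, iv, b"any length in CFB")))
```

Two practical points follow directly from the equations: the IV must be different for every message (CBC also needs it unpredictable), otherwise the first blocks of two messages leak whether they are equal just as ECB does; and because $P_j = C_{j-1} \oplus D_K[C_j]$, a flipped bit in $C_{j-1}$ flips the same bit in $P_j$ without any error being raised, so CBC gives no integrity and must be paired with a MAC.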

Page 98

Problems

a) Which parts of DES use the permutation method?

b) Which parts of DES use the substitution method?

c) Explain why DES is invertible (verify that each round is easy to invert).

d) Does DES require that the function f is invertible? Why?

(note: a function f is not invertible if $f(x) = f(y)$ for some $x \ne y$)

Name:

Page 99

Problem 1

Key: d e c e (keyword: dece); Plaintext: BEEF; Ciphertext: ECAD

Explanation for the first ciphertext letter:

• The key “d” determines the row number “d”

• The plaintext “b” determines the column number “b”

• The cipher letter is at the intersection of row “d” and column “b”, which is “E”

Page 100

Encryption rules

• Keyword: dece

• Key: d e c e d e c e d e c e d

• Plaintext: f d e f e c a b c c c e d

• Ciphertext: CBAD BACF FAECA

• The key “d” determines the row number “d”

• The plaintext “f” determines the column number “f”

• The cipher letter is at the intersection of row “d” and column “f”, which is “C”

Page 101

Polyalphabetic Cipher

• 6 letters: a b c d e f (row: key letter; column: plaintext letter)

    a b c d e f
a   A B C D E F
b   B C D E F A
c   C D E F A B
d   D E F A B C
e   E F A B C D
f   F A B C D E
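The 6-letter polyalphabetic table of the last three slides, as an added Python example (not code from the course). Row $k$, column $p$ of the table holds the letter at position $(k + p) \bmod 6$, so the table is computed rather than stored and the two worked strings on the slides can be checked; `columns_by_key_position` is a constructed helper that shows why a repeated short keyword reduces to several simple shift ciphers.

```python
# Added example, not code from the lecture slides: the 6-letter polyalphabetic
# cipher. The table entry for key letter k and plaintext letter p is
# ALPHABET[(k + p) mod 6] in upper case, so encryption is addition mod 6 and
# decryption is subtraction mod 6.
ALPHABET = "abcdef"
N = len(ALPHABET)


def table():
    """Rebuild the slide's table: one row (a 6-letter string) per key letter."""
    return {k: "".join(ALPHABET[(i + j) % N].upper() for j in range(N))
            for i, k in enumerate(ALPHABET)}


def _index(letter):
    letter = letter.lower()
    if letter not in ALPHABET:
        raise ValueError(f"letter {letter!r} is not in the 6-letter alphabet")
    return ALPHABET.index(letter)


def encrypt(keyword, plaintext):
    """Letter i of the ciphertext: row keyword[i mod len], column plaintext[i]."""
    out = []
    for i, p in enumerate(plaintext):
        k = keyword[i % len(keyword)]
        out.append(ALPHABET[(_index(k) + _index(p)) % N].upper())
    return "".join(out)


def decrypt(keyword, ciphertext):
    out = []
    for i, c in enumerate(ciphertext):
        k = keyword[i % len(keyword)]
        out.append(ALPHABET[(_index(c) - _index(k)) % N])
    return "".join(out)


def columns_by_key_position(keyword, ciphertext):
    """Group ciphertext letters by keyword position. Every group is a plain
    shift (by one fixed key letter) of the plaintext letters at those
    positions, which is why a short keyword invites per-column frequency
    analysis and why the key period matters."""
    groups = [[] for _ in keyword]
    for i, c in enumerate(ciphertext):
        groups[i % len(keyword)].append(c)
    return ["".join(g) for g in groups]


if __name__ == "__main__":
    print(encrypt("dece", "beef"))           # slide 99 example
    print(encrypt("dece", "fdefecabccced"))  # slide 100 example
    print(decrypt("dece", "CBADBACFFAECA"))
    print(columns_by_key_position("dece", "CBADBACFFAECA"))
```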

Page 102

Symmetric Encryption

• The key for the decryption is the same as the key for encryption.

• Examples: DES, AES

Page 103

Asymmetric Techniques

• The key for encryption is different from the key for decryption

• Example: RSA

Page 104

Divisor

• Divisor: For two integers b and c, if b = c*z for some integer z, c is a divisor of b.

• c|b denotes that c is a divisor of b.

• Examples: 4|16, 2|10, 3|27

Page 105

Modular

• Given a positive integer n and any integer a, there are integers q and r such that

$a = qn + r$, $0 \le r < n$, $q = \lfloor a/n \rfloor$

• r is the residue (remainder) of a when divided by n: $r = a \bmod n$

• $\lfloor x \rfloor$ is the largest integer at most x, e.g. $\lfloor 3.8 \rfloor = 3$

Page 106

Mod n

• Given integers x and n>1, x (mod n) is the remainder of x divided by n.

• Example: 7 (mod 4) = 3, 10 (mod 3) = 1

• Define $x \equiv y \pmod n$ if x (mod n) = y (mod n)

• $x \equiv y \pmod n$ iff $x - y = n z$ for some integer z

Page 107

Mod n

• Assume $x \equiv y \pmod n$ and $u \equiv v \pmod n$; we have:

$x + u \equiv y + v \pmod n$

$x - u \equiv y - v \pmod n$

$x u \equiv y v \pmod n$

Page 108

System Zn

• The set Zn={0,1,2,…,n-1}. It has two operations + and *

• For a,b in Zn, a+b is (a+b)(mod n), and a*b is (ab)(mod n)

• Z5={0,1,2,3,4}

2+3=0 (mod 5) 2*4=3 (mod 5) 4*4 =1 (mod 5)

Page 109

Properties of Modular Arithmetic

• Commutative: $(w + x) \bmod n = (x + w) \bmod n$, $(w \times x) \bmod n = (x \times w) \bmod n$

• Associative: $[(w + x) + y] \bmod n = [w + (x + y)] \bmod n$, $[(w \times x) \times y] \bmod n = [w \times (x \times y)] \bmod n$

• Distributive: $[w \times (x + y)] \bmod n = [(w \times x) + (w \times y)] \bmod n$

• Identities: $(0 + w) \bmod n = w \bmod n$, $(1 \times w) \bmod n = w \bmod n$

• Additive inverse ($-x$): $(x + (-x)) \bmod n = 0 \bmod n$

Page 110

Zn

• Commutative: $(w + x) \bmod n = (x + w) \bmod n$

• Associative: $[(w + x) + y] \bmod n = [w + (x + y)] \bmod n$

• Identity: $(0 + w) \bmod n = w \bmod n$

• Additive inverse ($-x$): $(x + (-x)) \bmod n = 0 \bmod n$

(Zn,+) is an abelian group

Page 111

Properties of Modular Arithmetic

• Commutative: $(w \times x) \bmod n = (x \times w) \bmod n$

• Associative: $[(w \times x) \times y] \bmod n = [w \times (x \times y)] \bmod n$

• Distributive: $[w \times (x + y)] \bmod n = [(w \times x) + (w \times y)] \bmod n$

• Identity: $(1 \times w) \bmod n = w \bmod n$

Page 112

Greatest common divisor

• Divisor: For two integers b and c, if b=c*z for some integer z, c is a divisor of b.

• Greatest common divisor: Given two integers a and b, gcd(a,b) is the greatest positive integer c such that c is the divisor for both a and b.

• Examples: gcd(10,4)=2, gcd(16,100)=4

• Problem: How to find gcd(a,b)?

Page 113

Modular

• Assume a and b are two positive integers, and write $a = qb + r$ with $0 \le r < b$, $q = \lfloor a/b \rfloor$

• Then $\gcd(a, b) = \gcd(b, r)$

• This is a recursive equation, since the second argument decreases at every step

Page 114

Example

• gcd(1970,1066) = gcd(1066,904), since 1970 = 1×1066 + 904

• gcd(1066,904) = gcd(904,162), since 1066 = 1×904 + 162

• gcd(904,162) = gcd(162,94), since 904 = 5×162 + 94

• gcd(162,94) = gcd(94,68), since 162 = 1×94 + 68

• gcd(94,68) = gcd(68,26), since 94 = 1×68 + 26

• gcd(68,26) = gcd(26,16), since 68 = 2×26 + 16

• gcd(26,16) = gcd(16,10), since 26 = 1×16 + 10

• gcd(16,10) = gcd(10,6), since 16 = 1×10 + 6

• gcd(10,6) = gcd(6,4), since 10 = 1×6 + 4

• gcd(6,4) = gcd(4,2), since 6 = 1×4 + 2

• gcd(4,2) = 2, since 4 = 2×2 + 0

Page 115

Euclid algorithm

• Assume $a_1$ and $a_2$ are two positive integers

$a_1 = q_1 a_2 + a_3$, $0 < a_3 < a_2$

$a_2 = q_2 a_3 + a_4$, $0 < a_4 < a_3$

$a_3 = q_3 a_4 + a_5$, $0 < a_5 < a_4$

.......

$a_{m-2} = q_{m-2} a_{m-1} + a_m$, $0 < a_m < a_{m-1}$

$a_{m-1} = q_{m-1} a_m$ (remainder 0, so $\gcd(a_1, a_2) = a_m$)

Page 116

Observation

Each $a_i$ can be expressed as $a_i = u_i a_1 + v_i a_2$ for some integers $u_i, v_i$

Proof: It is true for $i = 1, 2$. Assume it is true for all indices less than $i$.

Since $a_i = a_{i-2} - q_{i-2} a_{i-1}$ and, by the inductive assumption, $a_{i-2} = u_{i-2} a_1 + v_{i-2} a_2$ and $a_{i-1} = u_{i-1} a_1 + v_{i-1} a_2$,

we have

$a_i = (u_{i-2} a_1 + v_{i-2} a_2) - q_{i-2}(u_{i-1} a_1 + v_{i-1} a_2) = (u_{i-2} - q_{i-2} u_{i-1}) a_1 + (v_{i-2} - q_{i-2} v_{i-1}) a_2$

Page 117

Theorem

For two positive integers a and b with c = gcd(a,b), there are two integers p and q such that p*a + q*b = c

Page 118

Speed of Euclid algorithm

• Assume $a_1$ and $a_2$ are two positive integers

$a_1 = q_1 a_2 + a_3$, $q_1 \ge 1$, $0 \le a_3 < a_2$, $\gcd(a_1, a_2) = \gcd(a_2, a_3)$

$a_2 = q_2 a_3 + a_4$, $q_2 \ge 1$, $0 \le a_4 < a_3$, $\gcd(a_2, a_3) = \gcd(a_3, a_4)$

• If $a_3 > a_2/2$, we have $a_2 = 1 \cdot a_3 + (a_2 - a_3)$ with $a_2 - a_3 < a_2/2$, so $a_4 = a_2 - a_3 < a_2/2$

• If $a_3 \le a_2/2$, then $a_4 < a_3 \le a_2/2$

• In other words, $a_4 < a_2/2$: the second argument at least halves every two steps
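Euclid's algorithm from the last six slides, as an added Python example (not code from the course): it exposes the chain $a_i = q_i a_{i+1} + a_{i+2}$ so the gcd(1970,1066) example can be replayed, carries the coefficients $(u_i, v_i)$ of the induction along the chain to produce $p a + q b = \gcd(a,b)$, and checks the halving bound $a_{i+2} < a_i / 2$. The `mod_inverse` helper is a constructed addition that applies the theorem to the $ed \equiv 1 \pmod{\phi(N)}$ step of RSA.

```python
# Added example, not code from the lecture slides.


def euclid_chain(a, b):
    """Rows (a_i, q_i, a_{i+1}, a_{i+2}) with a_i = q_i * a_{i+1} + a_{i+2},
    stopping when the remainder is 0. The divisor of the last row is the gcd."""
    rows = []
    while b:
        q, r = divmod(a, b)
        rows.append((a, q, b, r))
        a, b = b, r
    return rows


def gcd(a, b):
    rows = euclid_chain(a, b)
    return rows[-1][2] if rows else a


def extended_gcd(a, b):
    """Return (g, u, v) with g = gcd(a, b) = u*a + v*b. Along the chain each
    a_i = u_i*a + v_i*b, with u_i = u_{i-2} - q_{i-2} u_{i-1} and
    v_i = v_{i-2} - q_{i-2} v_{i-1}, exactly the induction of the slides."""
    u_prev, v_prev = 1, 0      # a_1 = 1*a + 0*b
    u, v = 0, 1                # a_2 = 0*a + 1*b
    while b:
        q, r = divmod(a, b)
        a, b = b, r
        u_prev, u = u, u_prev - q * u
        v_prev, v = v, v_prev - q * v
    return a, u_prev, v_prev


def mod_inverse(e, n):
    """d with e*d = 1 (mod n), which exists iff gcd(e, n) = 1."""
    g, u, _ = extended_gcd(e, n)
    if g != 1:
        raise ValueError(f"{e} has no inverse mod {n}: gcd is {g}")
    return u % n


def halving_holds(a, b):
    """Speed argument: for positive a, b the remainders satisfy
    a_{i+2} < a_i / 2 from a_2 = b onwards, so the chain has O(log b) rows."""
    seq = [a, b] + [row[3] for row in euclid_chain(a, b)]
    return all(seq[i + 2] < seq[i] / 2 for i in range(1, len(seq) - 2))


if __name__ == "__main__":
    for a_i, q, a_next, r in euclid_chain(1970, 1066):   # slide 114
        print(f"{a_i} = {q} * {a_next} + {r}")
    g, u, v = extended_gcd(1970, 1066)
    print(f"gcd = {g} = {u} * 1970 + {v} * 1066")
    print(mod_inverse(5, 72))   # the d = 29 of the RSA example later on
    print(halving_holds(1970, 1066))
```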

Page 132

Finite Fields

• Cryptography depends on number theory and algebra

• Number theory: factorization,…

• Algebra: finite field theory,…

• AES will be built on the finite field theory

Page 133

Group

A group $(G, \cdot)$ is a set of elements G with an operation $\cdot$ such that

• Closure: If $a, b \in G$, then $a \cdot b \in G$

• Associative: For a, b, c in G, $(a \cdot b) \cdot c = a \cdot (b \cdot c)$

• Identity element: There is an e in G s.t. $a \cdot e = e \cdot a = a$ for all a in G

• Inverse element: For each a in G there is $a'$ in G s.t. $a \cdot a' = a' \cdot a = e$

Page 134

Infinite Group and Abelian Group

• Infinite group: If $(G, \cdot)$ is a group and G is an infinite set, it is called an infinite group

• Abelian group: $(G, \cdot)$ is a group and $a \cdot b = b \cdot a$ for all elements a, b in G

Page 135

Group Examples

• Let Z={…,-2,-1,0,1,2,…} be the set of all integers. (Z,+) is a group.

• Let M3={0,1,2} and a+b be defined as (a+b) (mod 3). (M3,+) is a group of 3 elements.

Page 136

Ring

A ring $(R, +, \cdot)$ is a set R with two operations such that

• $(R, +)$ is an abelian group

• Closure under multiplication: If a, b are in R, so is $a \cdot b$

• Associativity of multiplication: $(a \cdot b) \cdot c = a \cdot (b \cdot c)$

• Distributive laws: $a \cdot (b + c) = (a \cdot b) + (a \cdot c)$ and $(a + b) \cdot c = (a \cdot c) + (b \cdot c)$

Page 137

Ring Examples

• Let Z={…,-2,-1,0,1,2,…} be the set of all integers. (Z,+,*) is a ring.

• Let M3={0,1,2} and a+b, a*b be defined as (a+b) (mod 3) and (ab) (mod 3) respectively. (M3,+,*) is a ring of 3 elements.

Page 138

Commutative Ring

A ring $(R, +, \cdot)$ is commutative if it satisfies $a \cdot b = b \cdot a$ for all a, b in R

A ring $(R, +, \cdot)$ is an integral domain if it satisfies

1) It is commutative

2) It has an element 1 in R such that $a \cdot 1 = 1 \cdot a = a$

3) If a, b in R have $a \cdot b = 0$, then a=0 or b=0

Page 139

Field

A field $(F, +, \cdot)$ is a set F with two operations such that

• $(F, +, \cdot)$ is an integral domain

• Multiplicative inverse: For each a in F except 0, there is another element $a^{-1}$, called the inverse element of a, such that $a \cdot a^{-1} = a^{-1} \cdot a = 1$

Page 140

Zp

If p is a prime number, (Zp, +, ×) is a field.

Page 141

Zp

If p is a prime number, (Zp, +, ×) is a field.

Proof. For each a in {1,2,…,p-1}, the products a*1, a*2, …, a*(p-1) are different from each other (mod p).

The list is a permutation of 1,2,…,p-1.

So, there is a*b in the list with a*b=1 (mod p).

The element b is the inverse of a.

Page 142

Zp

• Assume $ax \equiv ay \pmod p$, where a, x, y are in {1,2,…,p-1}

We have $p \mid (ax - ay)$, i.e. $p \mid a(x - y)$

Since p is a prime, we have $p \mid a$ or $p \mid (x - y)$

It is impossible that $p \mid a$

We have $p \mid (x - y)$

So, $x \equiv y \pmod p$

Page 143

Zn

• (Z3,+, x) is a field

• (Z4,+,x) is not a field

Page 144

Problems

• Z5=({0,1,2,3,4},+, *). The + and * operations are under mod 5. Find the inverse for each element if it exists.

• Z6=({0,1,2,3,4,5},+, *). The + and * operations are under mod 6. Find the inverse for each element if it exists.

• Is Z5 or Z6 a field?
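The group, ring, integral-domain and field axioms of the preceding slides checked exhaustively on $Z_n$, as an added Python example (not code from the course). Inverses are found the way the $Z_p$ proof finds them, by scanning the list $a \cdot 1, a \cdot 2, \ldots, a \cdot (n-1)$ for a product equal to 1 (mod n); the same functions answer the $Z_5$ / $Z_6$ questions above.

```python
# Added example, not code from the lecture slides. Operations are + and *
# mod n on the set {0, 1, ..., n-1}.
from itertools import product


def is_abelian_group(elems, op, identity):
    """Closure, associativity, identity, inverses and commutativity of op."""
    elems = list(elems)
    if any(op(a, b) not in elems for a, b in product(elems, repeat=2)):
        return False
    if any(op(op(a, b), c) != op(a, op(b, c)) for a, b, c in product(elems, repeat=3)):
        return False
    if any(op(a, identity) != a or op(identity, a) != a for a in elems):
        return False
    if any(all(op(a, b) != identity for b in elems) for a in elems):
        return False
    return all(op(a, b) == op(b, a) for a, b in product(elems, repeat=2))


def is_commutative_ring(n):
    """(Z_n, +) abelian group; * closed, associative, commutative, with
    identity 1 and distributive over +."""
    add = lambda a, b: (a + b) % n
    mul = lambda a, b: (a * b) % n
    elems = range(n)
    if not is_abelian_group(elems, add, 0):
        return False
    if any(mul(mul(a, b), c) != mul(a, mul(b, c)) for a, b, c in product(elems, repeat=3)):
        return False
    if any(mul(a, b) != mul(b, a) for a, b in product(elems, repeat=2)):
        return False
    if any(mul(a, 1 % n) != a for a in elems):
        return False
    return all(mul(a, add(b, c)) == add(mul(a, b), mul(a, c))
               for a, b, c in product(elems, repeat=3))


def zero_divisors(n):
    """Pairs (a, b) of non-zero elements with a*b = 0 (mod n).
    Empty exactly when Z_n is an integral domain."""
    return [(a, b) for a in range(1, n) for b in range(1, n) if (a * b) % n == 0]


def multiplicative_inverse(n, a):
    """b with a*b = 1 (mod n), found by scanning a*1, ..., a*(n-1);
    None if a has no inverse in Z_n."""
    for b in range(1, n):
        if (a * b) % n == 1:
            return b
    return None


def inverse_table(n):
    return {a: multiplicative_inverse(n, a) for a in range(n)}


def is_field(n):
    """An integral domain in which every non-zero element has an inverse."""
    if n < 2 or not is_commutative_ring(n) or zero_divisors(n):
        return False
    return all(multiplicative_inverse(n, a) is not None for a in range(1, n))


if __name__ == "__main__":
    for n in (3, 4, 5, 6, 7):
        print(f"Z_{n}: field={is_field(n)} zero divisors={zero_divisors(n)}")
        print("   inverses:", inverse_table(n))
```

The exhaustive checks cost $O(n^3)$ and are only for seeing the axioms at work on small $n$; for a prime modulus the proof on the $Z_p$ slides is what guarantees the inverse exists, and the extended Euclidean algorithm is how it is computed in practice.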


Page 147

Number Theory

• A number p is a prime if it cannot be expressed as p = st such that both s and t are integers > 1.

Primes: 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, …

• Theorem: Each positive integer n can be uniquely factorized into a product of primes:

$n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$, where $p_1, p_2, \ldots, p_k$ are distinct primes and $e_1, e_2, \ldots, e_k > 0$

Page 148

Lemma

If gcd(a, n)=1 and gcd(a,m)=1, then gcd(a,mn)=1

Page 149

Proof

• Since gcd(a,m)=1, there are integers u and v such that au+mv=1

• Similarly, ax+ny=1 for some integers x and y

• (au+mv)(ax+ny)=auax+auny+mvax+mvny=1

• a(uax+uny+mvx)+(mn)(vy)=1

• So, gcd(a,mn)=1

Page 150

Observations

• For two different primes p and q, $\gcd(p, q) = 1$ and $\gcd(p, q^m) = 1$

• If a prime number p is different from each of the primes $q_1, q_2, \ldots, q_k$ (it is possible that $q_i = q_j$ for different i and j), then $\gcd(p, q_1 q_2 \cdots q_k) = 1$

Page 151

Unique factorization

Every positive integer n has a unique factorization

Proof: Assume $n = p^e x$ and $n = p^f y$, where $0 \le e < f$ and the parts x and y have no factor p.

Therefore, gcd(p,x)=1.

Since e<f, we have $x = p^{f-e} y$.

It contradicts gcd(p,x)=1.

Page 152

Fermat Theorem

If p is a prime and a is a positive integer with gcd(p,a)=1, then $a^{p-1} \equiv 1 \pmod p$

Page 153

Proof

Consider the lists: 1, 2, 3, …, p-1, and a*1, a*2, a*3, …, a*(p-1)

For a*u and a*v in the second list, if a*u = a*v (mod p), then a*(u-v) = 0 (mod p).

It implies that u-v = 0 (mod p). So, u = v.

The elements in the second list are all different (mod p).

So, 1*2*3*…*(p-1) = (a*1)*(a*2)*(a*3)*…*(a*(p-1)) (mod p)

Page 154

Proof

We have $a^{p-1}(p-1)! \equiv (p-1)! \pmod p$

$(a^{p-1} - 1)(p-1)! \equiv 0 \pmod p$

$\gcd(p, (p-1)!) = 1$

$a^{p-1} - 1 \equiv 0 \pmod p$

$a^{p-1} \equiv 1 \pmod p$

Page 155

Euler Function

For a positive integer n, $Z_n^*$ is the set of all positive integers m<n with gcd(m,n)=1

Define $\phi(n)$ to be the number of elements in $Z_n^*$

Example: $Z_{10}^* = \{1, 3, 7, 9\}$

For every prime number p, $\phi(p) = p - 1$

Page 156

Theorem

If m and n are positive integers with gcd(m,n)=1, then $\phi(mn) = \phi(m)\phi(n)$

Page 157

Proof

The table below contains all elements 0, 1, 2, …, mn−1 (n rows of m entries):

0          1          2          …  m−1
m          m+1        m+2        …  2m−1
2m         2m+1       2m+2       …  3m−1
…          …          …          …  …
(n−1)m     (n−1)m+1   (n−1)m+2   …  nm−1

Each column has $\phi(n)$ elements k with gcd(k,n)=1.

Page 158

Proof

• For two elements a, b in the same column, gcd(m,a) = gcd(m,b).

• There are $\phi(m)$ columns with gcd(m,a)=1, where a is an element in the column.

Page 159

A special case

• Let p and q be two different prime numbers

• $\phi(p) = p - 1$ and $\phi(q) = q - 1$

• We have $\phi(pq) = \phi(p)\phi(q) = (p-1)(q-1)$

Page 160

Euler Theorem

If a and n are positive integers with gcd(a,n)=1, then $a^{\phi(n)} \equiv 1 \pmod n$

Foundation for RSA public key encryption

Page 161

Proof

Let $a_1, a_2, \ldots, a_{\phi(n)}$ be the elements in $Z_n^*$

Claim: $a a_1, a a_2, \ldots, a a_{\phi(n)} \pmod n$ is a permutation of $a_1, a_2, \ldots, a_{\phi(n)}$

Page 162

Proof

If $a a_i \equiv a a_j \pmod n$

Then $a a_i - a a_j \equiv 0 \pmod n$, i.e. $a(a_i - a_j) \equiv 0 \pmod n$

Since gcd(a,n)=1, there are integers b, c with a*b + n*c = 1, so $ab \equiv 1 \pmod n$

Page 163

Proof

From $a(a_i - a_j) \equiv 0 \pmod n$

We have $b a (a_i - a_j) \equiv 0 \pmod n$

So, $a_i - a_j \equiv 0 \pmod n$, i.e. $a_i \equiv a_j \pmod n$

We have proven the claim.

Page 164

Proof

By the Claim that $a a_1, a a_2, \ldots, a a_{\phi(n)} \pmod n$ is a permutation of $a_1, a_2, \ldots, a_{\phi(n)}$,

We have $a_1 a_2 \cdots a_{\phi(n)} \equiv (a a_1)(a a_2) \cdots (a a_{\phi(n)}) \pmod n$, i.e.

$a_1 a_2 \cdots a_{\phi(n)} \equiv a^{\phi(n)} (a_1 a_2 \cdots a_{\phi(n)}) \pmod n$

Page 165

Proof

Since $\gcd(n, a_1) = 1, \gcd(n, a_2) = 1, \ldots, \gcd(n, a_{\phi(n)}) = 1$

We have $\gcd(n, a_1 a_2 \cdots a_{\phi(n)}) = 1$

There are integers b and c with $(a_1 a_2 \cdots a_{\phi(n)}) b + n c = 1$, so $(a_1 a_2 \cdots a_{\phi(n)}) b \equiv 1 \pmod n$

Page 166

Proof

By $a_1 a_2 \cdots a_{\phi(n)} \equiv a^{\phi(n)} (a_1 a_2 \cdots a_{\phi(n)}) \pmod n$

and $(a_1 a_2 \cdots a_{\phi(n)}) b \equiv 1 \pmod n$

We have $(a_1 a_2 \cdots a_{\phi(n)}) b \equiv a^{\phi(n)} (a_1 a_2 \cdots a_{\phi(n)}) b \pmod n$

$1 \equiv a^{\phi(n)} \pmod n$

Page 167

A special case

• Let p and q be two different prime numbers, and n=pq.

• Since $\phi(pq) = \phi(p)\phi(q) = (p-1)(q-1)$

• Let a be a number with gcd(a,n)=1, then $a^{\phi(n)} = a^{(p-1)(q-1)} \equiv 1 \pmod n$, i.e. $a^{(p-1)(q-1)} \equiv 1 \pmod n$
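The Euler function and Euler's theorem from the preceding slides, as an added Python example (not code from the course): $Z_n^*$ and $\phi(n)$ by definition, the $n \times m$ table used to prove $\phi(mn) = \phi(m)\phi(n)$, the permutation claim of the proof, and $a^{\phi(n)} \equiv 1 \pmod n$ with its $n = pq$ special case. The sample moduli are constructed values.

```python
# Added example, not code from the lecture slides.
from math import gcd


def units(n):
    """Z_n^*: positive integers m < n with gcd(m, n) = 1."""
    return [m for m in range(1, n) if gcd(m, n) == 1]


def phi(n):
    """Euler's function: the size of Z_n^*."""
    return len(units(n))


def residue_table(m, n):
    """n rows of m entries covering 0 .. mn-1: row i is i*m, i*m+1, ..., i*m+m-1."""
    return [[i * m + j for j in range(m)] for i in range(n)]


def count_units_via_table(m, n):
    """Replay the proof of phi(mn) = phi(m) phi(n) for gcd(m, n) = 1:
    every entry of column j is congruent to j mod m, so phi(m) columns have
    entries coprime to m, and each of those columns holds phi(n) entries
    coprime to n. Returns (number of such columns, count per column)."""
    table = residue_table(m, n)
    good_cols = [j for j in range(m) if gcd(j, m) == 1]
    per_col = [sum(1 for i in range(n) if gcd(table[i][j], n) == 1) for j in good_cols]
    return len(good_cols), per_col


def is_permutation_of_units(a, n):
    """The claim in the proof of Euler's theorem: a*a_1, ..., a*a_phi(n)
    mod n is a permutation of Z_n^* (true exactly when gcd(a, n) = 1)."""
    us = units(n)
    return sorted((a * u) % n for u in us) == us


def euler_holds(a, n):
    """a^phi(n) = 1 (mod n); expected True exactly when gcd(a, n) = 1."""
    return pow(a, phi(n), n) == 1


if __name__ == "__main__":
    print(units(10), phi(10))                                # [1, 3, 7, 9] 4
    cols, per_col = count_units_via_table(4, 9)              # constructed m, n
    print(cols, per_col, phi(4), phi(9), phi(36))
    print(is_permutation_of_units(3, 10), is_permutation_of_units(2, 10))
    p, q = 7, 13                                              # constructed primes
    print(phi(p * q) == (p - 1) * (q - 1), euler_holds(2, p * q))
```

`euler_holds(5, 10)` is False: 5 shares a factor with 10, so it is outside $Z_{10}^*$ and the theorem does not apply, which is why RSA's correctness argument on the later slides assumes $\gcd(m, N) = 1$.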

Page 168

Problems

1. Compute $3^{80} \pmod 7$

2. Write all elements in $Z_{33}^*$

3. Compute $\phi(13)$ and $\phi(26)$

Page 169

Public key

• A revolution in cryptography.

• Previous methods are mainly based on permutation and substitution

• Public key cryptography is based on mathematical functions

Page 170

Public Key

• Encryption: $Y = E_{publicKey}(X)$

• Decryption: $X = D_{privateKey}(Y)$

Page 171

RSA Key Setup

• Choose two random big prime numbers p and q

• Compute N = pq

• Compute $\phi(N) = (p-1)(q-1)$

• Choose a random $e < \phi(N)$ such that $\gcd(e, \phi(N)) = 1$

• Compute the integer d such that $ed \equiv 1 \pmod{\phi(N)}$

• Publicize (N, e) as the public key

• Keep d as the private key and destroy p, q and $\phi(N)$

Page 172

RSA Encryption

• Let m<N be a confidential message

• The ciphertext is made by $c = m^e \pmod N$

Page 173

RSA Decryption

• The plaintext is obtained by $m = c^d \pmod N$

Page 174

RSA Principle

Since $de \equiv 1 \pmod{\phi(N)}$, we have $de = 1 + k\phi(N)$ for some integer k, so

$c^d = m^{ed} = m^{1 + k\phi(N)} = m (m^{\phi(N)})^k \pmod N$

If $\gcd(m, N) = 1$, then $m^{\phi(N)} \equiv 1 \pmod N$ and $(m^{\phi(N)})^k \equiv 1 \pmod N$, so

$c^d = m (m^{\phi(N)})^k \equiv m \cdot 1 = m \pmod N$

Page 175

RSA Example

• Choose two primes p=7 and q=13. N = 7×13 = 91

• Compute $\phi(91) = \phi(7)\phi(13) = 6 \times 12 = 72$

• Choose e=5

• Compute d by 72×(−2) + 5×29 = 1 and get d=29

• Public key (N, e) = (91, 5)

• Message m=3.

• Ciphertext $c = 3^5 = 243 \equiv 61 \pmod{91}$

• Decryption $c^d = 61^{29} \equiv 3 \pmod{91}$

Page 176

Problems in RSA

• How to obtain two large prime numbers p and q?

• How to choose e and d with $ed \equiv 1 \pmod{\phi(N)}$?

• How to compute $m^e \pmod N$ and $c^d \pmod N$ for large e and d?

Page 177

Compute $a^n$

Let a and n be two positive integers

Use the recursive equation:

• If n is even: $a^n = (a^{n/2})^2$

• If n = 2k+1 is odd: $a^n = a (a^k)^2$

• Let T(n) be the number of multiplications. Then $T(n) \le T(n/2) + 2$, so $T(n) \le 2 \log_2 n$

Page 178

Example

• Compute $3^{29}$ and count the number of multiplications, writing $f(n) = 3^n$

• $f(29) = 3 \cdot f(14) \cdot f(14)$: 2 multiplications

• $f(14) = f(7) \cdot f(7)$: 1 multiplication

• $f(7) = 3 \cdot f(3) \cdot f(3)$: 2 multiplications

• $f(3) = 3 \cdot f(1) \cdot f(1)$: 2 multiplications

• The total number of multiplications is 2+1+2+2 = 7
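RSA key setup, encryption and decryption from the slides above, run with the slides' toy parameters $p = 7$, $q = 13$, $e = 5$, together with the square-and-multiply recursion of the last two slides written so that it also returns the multiplication count. This is an added Python example, not code from the course; `pow(e, -1, phi_n)` is Python's built-in modular inverse (3.8 and later), standing in for the extended Euclidean step. Toy-sized numbers only: a real deployment uses primes of hundreds of digits and a padding scheme such as OAEP, and textbook RSA on a bare integer as here is deterministic and malleable.

```python
# Added example, not code from the lecture slides.
from math import gcd


def power_mod(a, n, mod):
    """a^n mod `mod` by the slide's recursion: a^n = (a^(n/2))^2 for even n,
    a^n = a * (a^k)^2 for n = 2k+1. Returns (result, multiplications), counting
    one multiplication per squaring and one for the extra factor a."""
    if n == 0:
        return 1 % mod, 0
    if n == 1:
        return a % mod, 0
    if n % 2 == 0:
        half, count = power_mod(a, n // 2, mod)
        return (half * half) % mod, count + 1
    half, count = power_mod(a, (n - 1) // 2, mod)
    return (a * ((half * half) % mod)) % mod, count + 2


def rsa_keygen(p, q, e):
    """Return ((N, e), d) for primes p, q and public exponent e."""
    n = p * q
    phi_n = (p - 1) * (q - 1)                  # phi(N) = (p-1)(q-1)
    if gcd(e, phi_n) != 1:
        raise ValueError("e must be coprime to phi(N)")
    d = pow(e, -1, phi_n)                       # e*d = 1 (mod phi(N))
    return (n, e), d


def rsa_encrypt(public_key, m):
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= m < N")
    return power_mod(m, e, n)[0]                # c = m^e mod N


def rsa_decrypt(private_key, n, c):
    return power_mod(c, private_key, n)[0]      # m = c^d mod N


if __name__ == "__main__":
    public, private = rsa_keygen(7, 13, 5)     # the slides' example
    print(public, private)                      # (91, 5) 29
    c = rsa_encrypt(public, 3)
    print(c, rsa_decrypt(private, public[0], c))   # 61 3
    print(power_mod(3, 29, 10**9)[1])           # 7 multiplications
```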

Page 179

Testing Primality

Design an algorithm for testing if a number is prime

Input n>0

for ($i = 2$; $i \le \sqrt{n}$; $i = i + 1$) {

  if $n \equiv 0 \pmod i$ return no

}

return yes.

Total number of steps is $O(\sqrt{n})$

Page 180

Testing Primality

Use Fermat Theorem: If p is a prime and a is a positive integer with gcd(p,a)=1, then $a^{p-1} \equiv 1 \pmod p$

It is necessary, but not sufficient. In other words, there exist composite numbers that also have this property.

Page 181

Testing Primality

If p is an odd prime and a is a positive integer with gcd(p,a)=1, then $a^{p-1} \equiv 1 \pmod p$

Furthermore, $p \mid a^{p-1} - 1$

So, $p \mid (a^{(p-1)/2} - 1)(a^{(p-1)/2} + 1)$, since $a^{p-1} - 1 = (a^{(p-1)/2} - 1)(a^{(p-1)/2} + 1)$

So, $p \mid a^{(p-1)/2} - 1$ or $p \mid a^{(p-1)/2} + 1$

So, $a^{(p-1)/2} \equiv \pm 1 \pmod p$

Page 182

Testing Primality

If p is not a prime, then for most a with 0<a<p, a does not satisfy both $a^{p-1} \equiv 1 \pmod p$ and $a^{(p-1)/2} \equiv \pm 1 \pmod p$

Page 183

Algorithm

Input integer p>0

randomly select an integer $a \in (0, p)$

if ($\gcd(a, p) \ne 1$ or $a^{(p-1)/2} \not\equiv \pm 1 \pmod p$)

  return (definitely) “composite”

else

  return “prime”

Page 184

Error probability

If the input integer p is a prime number, the algorithm always outputs “prime”

If the input integer p is a composite number, the algorithm says “prime” with probability $\le 0.5$

Page 185

Amplification

Repeat the algorithm k times on the same input

If the input integer p is a prime number, the algorithm always outputs “prime”

If the input integer p is a composite number, the algorithm says “prime” every time with probability $\le (0.5)^k$

Page 186

Testing Primality

If p is a prime, a is a positive integer with gcd(p,a)=1, and $a^j \equiv 1 \pmod p$ for some even number j,

Then $p \mid a^j - 1$

So, $p \mid (a^{j/2} - 1)(a^{j/2} + 1)$, since $a^j - 1 = (a^{j/2} - 1)(a^{j/2} + 1)$

So, $p \mid a^{j/2} - 1$ or $p \mid a^{j/2} + 1$

So, $a^{j/2} \equiv \pm 1 \pmod p$

Page 187

Testing Primality

If p is odd, a is a positive integer with gcd(p,a)=1, and $p - 1 = 2^k q$, where q is an odd number

Consider the list: $a^q, a^{2q}, a^{2^2 q}, \ldots, a^{2^k q}$

If p is a prime number, there exists $i \le k$ with $a^{2^i q} \equiv \pm 1 \pmod p$

If p is a composite number, for a random a: 0<a<p, it has probability at most 1/4 that there exists i<k with $a^{2^i q} \equiv \pm 1 \pmod p$

Page 188

Algorithm

Input odd integer p>0

let $p - 1 = 2^k q$ (q odd)

randomly select integer $a \in (0, p)$

for (i=0 to k-1 ) do

{ if ( $a^{2^i q} \equiv \pm 1 \pmod p$ )

return “prime”

}

return “composite”

Page 189

Error probability

If the input integer p is a prime number

The algorithm always outputs “Prime”

If the input integer p is a composite number

The algorithm says “prime” with probability 1/4

Page 190

Amplification

Repeat the algorithm k times on the same input

If the input integer p is a prime number

The algorithm always outputs “Prime”

If the input integer p is a composite number

The algorithm says “prime” every time with probability $(1/4)^k$
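As an added example (not code from the slides), the two randomized tests above in C: the first test's check $a^{(p-1)/2} \equiv \pm 1 \pmod p$, the second test in its standard form (accept when $a^q \equiv 1$ or some $a^{2^i q} \equiv -1$), and k-round amplification of either. It assumes inputs below $2^{32}$ so that every product fits in 64 bits, and uses 561 as a constructed composite input that fools the first test with base 2 but not the second.

```c
/* Added example (not the slides' code): the two randomized primality tests
 * above, for 32-bit inputs, with products taken in 64 bits so that a*b never
 * overflows (the defect of the slides' "Bad Implementation").  561 = 3*11*17
 * is a constructed composite input: it passes the first test with base 2 but
 * is caught by the second. */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* a^e mod m by repeated squaring; requires m < 2^32. */
static uint32_t powmod(uint32_t a, uint32_t e, uint32_t m)
{
    uint64_t result = 1, base = a % m;
    while (e > 0) {
        if (e & 1) result = result * base % m;
        base = base * base % m;
        e >>= 1;
    }
    return (uint32_t)result;
}

static uint32_t gcd32(uint32_t a, uint32_t b)
{
    while (b != 0) { uint32_t r = a % b; a = b; b = r; }
    return a;
}

/* First test, one base: p survives iff gcd(a,p) = 1 and
 * a^((p-1)/2) == +1 or -1 (mod p).  -1 mod p is p-1, never the int -1. */
int euler_test(uint32_t p, uint32_t a)
{
    if (p < 3 || p % 2 == 0) return p == 2;
    if (gcd32(a, p) != 1) return 0;
    uint32_t t = powmod(a, (p - 1) / 2, p);
    return t == 1 || t == p - 1;
}

/* Second test, one base, in its standard form: write p-1 = 2^k q with q odd;
 * p survives iff a^q == 1, or a^(2^i q) == -1 for some 0 <= i < k. */
int strong_test(uint32_t p, uint32_t a)
{
    if (p < 3 || p % 2 == 0) return p == 2;
    uint32_t q = p - 1, k = 0;
    while (q % 2 == 0) { q /= 2; k++; }
    uint64_t x = powmod(a, q, p);              /* a^q */
    if (x == 1 || x == p - 1) return 1;
    for (uint32_t i = 1; i < k; i++) {
        x = x * x % p;                         /* a^(2^i q) */
        if (x == p - 1) return 1;
        if (x == 1) return 0;                  /* reached 1 without passing -1 */
    }
    return 0;
}

/* Amplification: `rounds` independent random bases a in (0, p).  A prime is
 * never rejected; a composite survives all rounds with probability at most
 * 0.5^rounds for the first test and 0.25^rounds for the second. */
int amplified(uint32_t p, int rounds, int (*single_test)(uint32_t, uint32_t))
{
    if (p < 3 || p % 2 == 0) return p == 2;
    for (int r = 0; r < rounds; r++) {
        uint32_t a = 1 + (uint32_t)(rand() % (p - 1));   /* 1 <= a <= p-1 */
        if (!single_test(p, a)) return 0;
    }
    return 1;
}

int main(void)
{
    printf("euler_test(561, 2)  = %d (wrongly passes)\n", euler_test(561, 2));
    printf("strong_test(561, 2) = %d (composite)\n", strong_test(561, 2));
    printf("amplified(3599, 20, strong_test) = %d\n", amplified(3599, 20, strong_test));
    printf("amplified(3571, 20, strong_test) = %d\n", amplified(3571, 20, strong_test));
    return 0;
}
```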

Page 191

A Free Book

A computational introduction to number theory and algebra

By Victor Shoup

>500 pages pdf file

Page 192

Problem

How many times should you repeat the first primality algorithm so that it has <0.0001 chance to give a wrong answer?

Page 193

Midterm

• October 14, 2010 (Thursday)

• Class time

• Closed book

Page 194

Key management

• Distribution of public key

• Use of public key encryption to distribute secret key

Page 195

Public announcement of public key

• Uncontrolled public-key distribution

[Figure: A simply broadcasts its public key $KU_a$ to every other party.]

Page 196

Publicly Available Directory

• Public-key publication

• KU: public key. KR: private key

[Figure: A registers $KU_a$ and B registers $KU_b$ with the public-key directory.]

Page 197

Publicly Available Directory

• Public-key publication (through a public-key authority)

(1) A → Public-key authority: $Request \,\|\, Time_1$

(2) Public-key authority → A: $E_{KR_{auth}}[KU_b \,\|\, Request \,\|\, Time_1]$

(3) A → B: $E_{KU_b}[ID_A \,\|\, N_1]$

(4) B → Public-key authority: $Request \,\|\, Time_2$

(5) Public-key authority → B: $E_{KR_{auth}}[KU_a \,\|\, Request \,\|\, Time_2]$

(6) B → A: $E_{KU_a}[N_1 \,\|\, N_2]$

(7) A → B: $E_{KU_b}[N_2]$

Page 198

Public-Key Certificate

• Exchange of Public-key Certificates

(1) A → Certificate authority: $KU_a$

(2) Certificate authority → A: $C_A = E_{KR_{auth}}[Time_1, ID_A, KU_a]$

(3) B → Certificate authority: $KU_b$

(4) Certificate authority → B: $C_B = E_{KR_{auth}}[Time_2, ID_B, KU_b]$

(5) A and B exchange $C_A$ and $C_B$

Page 199

Public-Key Certificate

Simple public-key encryption to establish a session key

(1) A → B: $KU_a \,\|\, ID_A$

(2) B → A: $E_{KU_a}[K_s]$

Page 200

It is insecure against an active attack

• A generates $\{KU_a, KR_a\}$ and sends $\{KU_a, ID_A\}$ to B

• E intercepts $\{KU_a, ID_A\}$, creates $\{KU_e, KR_e\}$ and sends $\{KU_e, ID_A\}$ to B

• B generates a secret key $K_s$ and sends $E_{KU_e}[K_s]$

• E intercepts $E_{KU_e}[K_s]$ and learns $K_s$

• E sends $E_{KU_a}[K_s]$ to A

Page 201

Secret Key distribution with authentication

• Public-key distribution of secret keys

(1) A → B: $E_{KU_b}[N_1 \,\|\, ID_A]$

(2) B → A: $E_{KU_a}[N_1 \,\|\, N_2]$

(3) A → B: $E_{KU_b}[N_2]$

(4) A → B: $E_{KU_b}[E_{KR_a}[K_s]]$

Page 202

Secret Key distribution with authentication

• Assume A and B know each other's public keys

• Public-key distribution of secret keys

(1) A → B: $E_{KU_b}[N_1 \,\|\, ID_A]$

(2) B → A: $E_{KU_a}[N_1 \,\|\, N_2]$

(3) A → B: $E_{KU_b}[E_{KR_a}[N_2 \,\|\, K_s]]$

Page 203

Secret Key distribution with authentication

• Assume A and B know each other's public keys

• Public-key distribution of secret keys

(1) A → B: $E_{KU_b}[N_1 \,\|\, ID_A]$

(2) B → A: $E_{KU_a}[N_1 \,\|\, N_2]$

(3) A → B: $E_{KU_b}[N_2]$

(4) A → B: $E_{KU_b}[E_{KR_a}[K_s]]$

Page 204

Diffie-Hellman Key Exchange

• Enables two users to exchange a key securely

• Published in 1976

• Commercial products available

Page 205

Global Public Elements

• Prime number $q$

• Primitive root $\alpha$ of $q$

( $\alpha, \alpha^2, \alpha^3, \ldots, \alpha^{q-1} \pmod q$ is a permutation of $1, 2, 3, \ldots, q-1$ )

Page 206

User A Key Generation

• Select private $X_A$, with $X_A < q$

• Compute public $Y_A = \alpha^{X_A} \bmod q$

Page 207

User B Key Generation

• Select private $X_B$, with $X_B < q$

• Compute public $Y_B = \alpha^{X_B} \bmod q$

Page 208

Generation of Secret Key by A

User A computes

$K = (Y_B)^{X_A} \bmod q$

Page 209

User A Key Generation

• A:

$K = (Y_B)^{X_A} \bmod q$

$= (\alpha^{X_B} \bmod q)^{X_A} \bmod q$

$= (\alpha^{X_B})^{X_A} \bmod q$

$= \alpha^{X_B X_A} \bmod q$

Page 210

Generation of Secret Key by B

User B computes

$K = (Y_A)^{X_B} \bmod q$

Page 211

User A Key Generation

• A:

$K = (Y_B)^{X_A} \bmod q$

$= (\alpha^{X_B} \bmod q)^{X_A} \bmod q$

$= (\alpha^{X_B})^{X_A} \bmod q$

$= \alpha^{X_B X_A} \bmod q$
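The exchange of the preceding slides as an added C example (not code from the slides): it checks that $\alpha$ is a primitive root in the sense of the "Global Public Elements" slide, then derives $Y_A$, $Y_B$ and the shared $K$ on both sides. The parameters $q = 23$, $\alpha = 5$, $X_A = 6$, $X_B = 15$ are constructed toy values, far too small for real use.

```c
/* Added example (not from the slides): the Diffie-Hellman exchange of the
 * preceding slides with constructed toy parameters q = 23, alpha = 5,
 * X_A = 6, X_B = 15 (far too small for real use), including the check
 * from the "Global Public Elements" slide that alpha is a primitive root. */
#include <stdio.h>
#include <string.h>

#define MAX_Q 4096   /* demo bound so the permutation check can use a fixed array */

/* base^exp mod q by repeated multiplication; fine for toy-sized q. */
static unsigned pow_mod_small(unsigned base, unsigned exp, unsigned q)
{
    unsigned long long r = 1;
    for (unsigned i = 0; i < exp; i++) r = r * base % q;
    return (unsigned)r;
}

/* alpha is a primitive root of prime q iff alpha^1, alpha^2, ..., alpha^(q-1)
 * (mod q) is a permutation of 1, 2, ..., q-1, i.e. every residue appears once. */
int is_primitive_root(unsigned alpha, unsigned q)
{
    unsigned char seen[MAX_Q];
    unsigned long long x = 1;
    if (q < 3 || q > MAX_Q) return 0;
    memset(seen, 0, sizeof seen);
    for (unsigned i = 1; i < q; i++) {
        x = x * alpha % q;                 /* x = alpha^i mod q */
        if (x == 0 || seen[x]) return 0;   /* 0 or a repeat: not a permutation */
        seen[x] = 1;
    }
    return 1;
}

typedef struct { unsigned q, alpha; } DhParams;   /* global public elements */

/* Y = alpha^X mod q: the public value derived from a private X < q. */
unsigned dh_public(DhParams g, unsigned x_private)
{
    return pow_mod_small(g.alpha, x_private, g.q);
}

/* K = (Y_other)^X mod q: both sides reach alpha^(X_A X_B) mod q. */
unsigned dh_shared(DhParams g, unsigned y_other, unsigned x_private)
{
    return pow_mod_small(y_other, x_private, g.q);
}

int main(void)
{
    DhParams g = {23, 5};               /* constructed toy parameters */
    unsigned xa = 6, xb = 15;           /* private X_A, X_B */
    unsigned ya = dh_public(g, xa), yb = dh_public(g, xb);
    printf("5 is a primitive root of 23: %d\n", is_primitive_root(5, 23));
    printf("Y_A = %u, Y_B = %u\n", ya, yb);
    printf("K at A = %u, K at B = %u\n", dh_shared(g, yb, xa), dh_shared(g, ya, xb));
    return 0;
}
```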

Page 212

Midterm 2008

• 90-100: 1

• 80-89: 2

• 70-79: 4

• 50-60: 2

Page 213

Problem 1

1. a) What is the plaintext attack? b) Which of the following encryption methods can be easily broken by the plaintext attack? Briefly explain your answer.

(1) Monoalphabetic Cipher (2) Hill Cipher (3) DES (4) RSA

Page 214

Attacks

• Ciphertext-only attack:

the attacker only knows ciphertext

• Known-plaintext attack:

the attacker gets some plaintext patterns and their encryptions

• Chosen-plaintext attack:

the attacker chooses messages to encrypt

Page 215

Solution

• Monoalphabetic Cipher

• Hill Cipher

Page 216

Monoalphabetic Cipher

• Plain letters to cipher letters

a b c d e f g h i j k l m n o p q r s t u v w x y z
Z E I R M F S K B H C U P Q G J T O V W X Y D A L N

• Plaintext to ciphertext

Plaintext:  A t t a c k a t m i d n i g h t
Ciphertext: Z W W Z I C Z W P B R Q B S K W

Page 217

Monoalphabetic Cipher

• Plain:

a b c d e f g h i j k l m n o p q r s t u v w x y z

• Cipher: a permutation of 26 letters

• Number of possible keys:

$26! = 1 \times 2 \times 3 \times 4 \times \cdots \times 25 \times 26$

Page 218

Hill Cipher

• $C = KP \bmod 26$

C is a column of m cipher letters

K is an m×m matrix

P is a column of m plain letters

• K is invertible, with inverse $K^{-1}$ satisfying $K K^{-1} = I$

I is the m×m matrix that has all ones on the main diagonal and all zeros beyond the main diagonal

Page 219

Encryption and Decryption

• Encryption: $C = E_K(P) = KP \bmod 26$

• Decryption: $P = D_K(C) = K^{-1} C = K^{-1} K P = IP = P \pmod{26}$

Page 220

Example

• $K = \begin{pmatrix} 17 & 17 & 5 \\ 21 & 18 & 21 \\ 2 & 2 & 19 \end{pmatrix}$

• $K^{-1} = \begin{pmatrix} 4 & 9 & 15 \\ 15 & 17 & 6 \\ 24 & 0 & 17 \end{pmatrix}$

Page 221

Example

$K K^{-1} = \begin{pmatrix} 443 & 442 & 442 \\ 858 & 495 & 780 \\ 494 & 52 & 365 \end{pmatrix} \bmod 26 = \begin{pmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{pmatrix}$

Page 222

Hill Cipher Security

$C = KP$:

$\begin{pmatrix} c_{11} & c_{12} & c_{13} \\ c_{21} & c_{22} & c_{23} \\ c_{31} & c_{32} & c_{33} \end{pmatrix} = \begin{pmatrix} k_{11} & k_{12} & k_{13} \\ k_{21} & k_{22} & k_{23} \\ k_{31} & k_{32} & k_{33} \end{pmatrix} \begin{pmatrix} p_{11} & p_{12} & p_{13} \\ p_{21} & p_{22} & p_{23} \\ p_{31} & p_{32} & p_{33} \end{pmatrix}$

$P = K^{-1} C$

Page 223

Conclusion

• Hill cipher is easy to break by plaintext attack.
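An added C example (not code from the slides) for the Hill cipher slides above: it recomputes $K^{-1}$ from the slides' K by the adjugate formula, checks $K K^{-1} \equiv I \pmod{26}$, encrypts and decrypts one block, and shows the conclusion in code: with three known plaintext blocks as the columns of P and their ciphertexts as the columns of C, $K = C P^{-1}$. The three plaintext blocks are constructed so that P is invertible mod 26.

```c
/* Added example (not from the slides): the 3x3 Hill cipher over Z_26
 * with the K and K^{-1} shown on the slides, plus the known-plaintext
 * recovery K = C P^{-1} behind the "easy to break" conclusion.
 * The plaintext blocks used for the recovery are constructed. */
#include <stdio.h>
#include <string.h>

typedef struct { int v[3][3]; } Mat;

static int mod26(int x) { return ((x % 26) + 26) % 26; }

/* Entrywise reduced product a*b mod 26. */
Mat matmul(Mat a, Mat b)
{
    Mat r;
    for (int i = 0; i < 3; i++)
        for (int j = 0; j < 3; j++) {
            int s = 0;
            for (int k = 0; k < 3; k++) s += a.v[i][k] * b.v[k][j];
            r.v[i][j] = mod26(s);
        }
    return r;
}

int mat_equal(Mat a, Mat b) { return memcmp(&a, &b, sizeof a) == 0; }

/* Multiplicative inverse of d mod 26, or -1 when gcd(d,26) != 1. */
static int inv26(int d)
{
    d = mod26(d);
    for (int x = 1; x < 26; x++)
        if (d * x % 26 == 1) return x;
    return -1;
}

/* K^{-1} mod 26 by the adjugate formula K^{-1} = det(K)^{-1} adj(K).
 * Returns 0 when det(K) shares a factor with 26, i.e. K is not a valid key. */
int inverse_mod26(Mat a, Mat *out)
{
    int det = a.v[0][0] * (a.v[1][1] * a.v[2][2] - a.v[1][2] * a.v[2][1])
            - a.v[0][1] * (a.v[1][0] * a.v[2][2] - a.v[1][2] * a.v[2][0])
            + a.v[0][2] * (a.v[1][0] * a.v[2][1] - a.v[1][1] * a.v[2][0]);
    int dinv = inv26(det);
    if (dinv < 0) return 0;
    for (int i = 0; i < 3; i++)
        for (int j = 0; j < 3; j++) {
            /* adj[i][j] is the cofactor of a[j][i]; cyclic indices carry the sign */
            int r1 = (j + 1) % 3, r2 = (j + 2) % 3, c1 = (i + 1) % 3, c2 = (i + 2) % 3;
            int cof = a.v[r1][c1] * a.v[r2][c2] - a.v[r1][c2] * a.v[r2][c1];
            out->v[i][j] = mod26(dinv * cof);
        }
    return 1;
}

/* One block: out = key * in mod 26, letters a..z / A..Z mapped to 0..25. */
void hill_block(Mat key, const char *in, char *out, char out_base)
{
    for (int i = 0; i < 3; i++) {
        int s = 0;
        for (int j = 0; j < 3; j++) s += key.v[i][j] * ((in[j] | 0x20) - 'a');
        out[i] = (char)(out_base + mod26(s));
    }
    out[3] = '\0';
}

/* Known-plaintext attack: with three plaintext blocks as the columns of P
 * and their ciphertext blocks as the columns of C, C = K P gives
 * K = C P^{-1} whenever P is invertible mod 26. */
int recover_key(Mat p, Mat c, Mat *k)
{
    Mat pinv;
    if (!inverse_mod26(p, &pinv)) return 0;
    *k = matmul(c, pinv);
    return 1;
}

/* K and K^{-1} from the slides. */
Mat K_SLIDE    = {{{17, 17, 5}, {21, 18, 21}, {2, 2, 19}}};
Mat KINV_SLIDE = {{{4, 9, 15}, {15, 17, 6}, {24, 0, 17}}};

int main(void)
{
    Mat kinv, k2, c;
    char ct[4], pt[4];
    inverse_mod26(K_SLIDE, &kinv);
    printf("K^-1 matches slide: %d\n", mat_equal(kinv, KINV_SLIDE));
    hill_block(K_SLIDE, "att", ct, 'A');      /* encrypt */
    hill_block(KINV_SLIDE, ct, pt, 'a');      /* decrypt */
    printf("att -> %s -> %s\n", ct, pt);
    /* Constructed plaintext blocks "baf", "cbg", "dea" as columns of P (det = 1). */
    Mat p = {{{1, 2, 3}, {0, 1, 4}, {5, 6, 0}}};
    c = matmul(K_SLIDE, p);                   /* ciphertext blocks as columns of C */
    recover_key(p, c, &k2);
    printf("key recovered from 3 known blocks: %d\n", mat_equal(k2, K_SLIDE));
    return 0;
}
```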

Page 224

Problem 2

2. a) Which parts of DES use the permutation method?

b) Which parts of DES use the substitution method?

c) Explain why DES is invertible (verify that each round is easy to invert).

Page 225

Answer

• A) Stage 1, stage 3, and all 16 rounds of stage 2.

• B) All 16 rounds of stage 2

• C) The invertibility of stage 1 and stage 3 is based on that $IP^{-1}(IP(\ldots)) = \ldots$

The 16 rounds of stage 2 are described by:

Page 226

Three stages

• Stage 1: apply a fixed permutation IP

$(L_0, R_0) = IP(\text{Input Block})$

• Stage 2: 16 rounds of operations (i=1,2,…,16)

$L_i = R_{i-1}$

$R_i = L_{i-1} \oplus f(R_{i-1}, k_i)$

• Stage 3: Output

Output block $= IP^{-1}(R_{16}, L_{16})$

Page 227

Stage 1

• Apply a fixed permutation IP

$(L_0, R_0) = IP(\text{Input Block})$

• $L_0$ is the left 32 bits

• $R_0$ is the right 32 bits

• IP is a fixed permutation function

Page 228

Stage 2

• 16 rounds of operations (i=1,2,…,16)

$L_i = R_{i-1}$

$R_i = L_{i-1} \oplus f(R_{i-1}, k_i)$

• Function f is called the “S”-box function (“S” for substitution)

• The $k_i$ is a 48-bit key, a substring of the 56-bit input key

Page 229

One Round Feistel Cipher

• One round

[Figure: one round. Inputs $L_{i-1}$ and $R_{i-1}$; f is applied to $R_{i-1}$ and combined with $L_{i-1}$; outputs $L_i$ and $R_i$.]

Page 230

Principles

• The substitution is used in the function f

• The permutation is applied in each of the 16 rounds

Page 231

[Figure: the 16 rounds chained together: $(L_0, R_0) \to f \to (L_1, R_1) \to f \to (L_2, R_2) \to \cdots \to (L_{16}, R_{16})$.]

Page 232

Stage 3

• Output

Output block $= IP^{-1}(R_{16}, L_{16})$

$IP^{-1}$ is the inverse of IP

Page 233

One Round Feistel Cipher

• One round

[Figure: the last round. Inputs $L_{15}$ and $R_{15}$ with round key $k_{16}$; outputs $L_{16}$ and $R_{16}$.]

Page 234

Decryption

• First stage:

$IP(c) = IP(IP^{-1}(R_{16}, L_{16})) = (R_{16}, L_{16}) = (L'_0, R'_0)$

• Second stage:

$L'_1 = R'_0 = L_{16} = R_{15}$

$R'_1 = L'_0 \oplus f(R'_0, k'_1) = R_{16} \oplus f(L_{16}, k_{16}) = (L_{15} \oplus f(R_{15}, k_{16})) \oplus f(R_{15}, k_{16}) = L_{15}$

Page 235

Decryption

• Available information

(1) keys: k1,k2,…, k16

(2) IP

(3) Ciphertext: C

Page 236

Decryption

• First stage

$IP(c) = IP(IP^{-1}(R_{16}, L_{16})) = (R_{16}, L_{16}) = (L'_0, R'_0)$

$L'_1 = R'_0 = L_{16} = R_{15}$

$R'_1 = L'_0 \oplus f(R'_0, k'_1) = R_{16} \oplus f(L_{16}, k_{16}) = (L_{15} \oplus f(R_{15}, k_{16})) \oplus f(R_{15}, k_{16}) = L_{15}$
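The three-stage structure and the decryption argument above as an added C example (not DES and not code from the slides): f, IP and the 16 round keys are constructed stand-ins, not the DES S-boxes, initial permutation or key schedule, which is exactly the point, since the round $L_i = R_{i-1}$, $R_i = L_{i-1} \oplus f(R_{i-1}, k_i)$ is invertible for any f. It runs the rounds, decrypts with the keys reversed, and checks the slide's claim that one decryption round with $k_{16}$ turns $(R_{16}, L_{16})$ into $(R_{15}, L_{15})$.

```c
/* Added example (not DES itself and not the slides' code): the three-stage
 * Feistel structure above with constructed stand-ins, to check the decryption
 * derivation (L'_1 = R_15, R'_1 = L_15) by running it.  f, IP and the 16 round
 * keys below are placeholders, not the DES S-boxes, initial permutation or key
 * schedule; the point is that ANY f gives an invertible round. */
#include <stdint.h>
#include <stdio.h>

#define ROUNDS 16

/* Stand-in round function (constructed); need not be invertible. */
static uint32_t f(uint32_t r, uint32_t k)
{
    uint32_t x = (r ^ k) * 0x9E3779B1u;
    return x ^ (x >> 15);
}

/* Stand-in for IP: a fixed bit permutation (rotate the 64-bit block by 13). */
static uint64_t ip(uint64_t b)     { return (b << 13) | (b >> 51); }
static uint64_t ip_inv(uint64_t b) { return (b >> 13) | (b << 51); }

/* One round of stage 2:  L_i = R_{i-1},  R_i = L_{i-1} XOR f(R_{i-1}, k_i). */
static void round_step(uint32_t *l, uint32_t *r, uint32_t k)
{
    uint32_t new_l = *r;
    uint32_t new_r = *l ^ f(*r, k);
    *l = new_l;
    *r = new_r;
}

/* Stage 1, 16 rounds of stage 2, stage 3.  k[0..15] are k_1..k_16 of the slides. */
uint64_t feistel_encrypt(uint64_t block, const uint32_t k[ROUNDS])
{
    uint64_t t = ip(block);
    uint32_t l = (uint32_t)(t >> 32), r = (uint32_t)t;     /* (L_0, R_0) */
    for (int i = 0; i < ROUNDS; i++) round_step(&l, &r, k[i]);
    return ip_inv(((uint64_t)r << 32) | l);                 /* IP^-1(R_16, L_16) */
}

/* Decryption is the same three stages with the round keys in reverse order. */
uint64_t feistel_decrypt(uint64_t c, const uint32_t k[ROUNDS])
{
    uint32_t rev[ROUNDS];
    for (int i = 0; i < ROUNDS; i++) rev[i] = k[ROUNDS - 1 - i];
    return feistel_encrypt(c, rev);
}

/* The slides' argument, step by step: after IP the decryptor holds
 * (L'_0, R'_0) = (R_16, L_16); one round with k_16 gives (L'_1, R'_1) = (R_15, L_15). */
int check_one_round_inverse(uint64_t block, const uint32_t k[ROUNDS])
{
    uint64_t t = ip(block);
    uint32_t l = (uint32_t)(t >> 32), r = (uint32_t)t;
    uint32_t l15 = 0, r15 = 0;
    for (int i = 0; i < ROUNDS; i++) {
        if (i == ROUNDS - 1) { l15 = l; r15 = r; }        /* remember (L_15, R_15) */
        round_step(&l, &r, k[i]);
    }
    uint32_t dl = r, dr = l;                               /* (R_16, L_16) */
    round_step(&dl, &dr, k[ROUNDS - 1]);                  /* one round with k_16 */
    return dl == r15 && dr == l15;
}

/* Constructed demo round keys (a real cipher derives these from the 56-bit key). */
const uint32_t DEMO_KEYS[ROUNDS] = {
    0x0F1E2D3C, 0x4B5A6978, 0x8796A5B4, 0xC3D2E1F0, 0x13579BDF, 0x2468ACE0,
    0xFEDCBA98, 0x76543210, 0xDEADBEEF, 0xCAFEF00D, 0x01234567, 0x89ABCDEF,
    0x0BADF00D, 0xFACEFEED, 0x12345678, 0x9ABCDEF0 };

int main(void)
{
    uint64_t pt = 0x0123456789ABCDEFull;
    uint64_t ct = feistel_encrypt(pt, DEMO_KEYS);
    printf("plaintext  %016llx\nciphertext %016llx\nrecovered  %016llx\n",
           (unsigned long long)pt, (unsigned long long)ct,
           (unsigned long long)feistel_decrypt(ct, DEMO_KEYS));
    printf("one decryption round gives (R_15, L_15): %d\n",
           check_one_round_inverse(pt, DEMO_KEYS));
    return 0;
}
```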

Page 237

Part b)

• Permutation: IP, Left to Right and Right to left in each of 16 stages.

• Substitution: S-box in each of those 16 stages.

Page 238

Function $f(R_{i-1}, K_i)$

[Figure: $R_{i-1}$ (32 bits) → E (48 bits) → ⊕ $K_i$ (48 bits) → $S_1, S_2, \ldots, S_8$ (eight boxes, 6 bits in and 4 bits out each) → P (32 bits).]

$f(R_{i-1}, K_i) = P(S(E(R_{i-1}) \oplus K_i))$

Page 239

Function

• (a) $E$: Expansion from 32 bits to 48 bits

$T = E(R_{i-1})$

• (b) $T' = T \oplus K_i = (B_1, \ldots, B_8)$, where each $B_i$ is 6 bits

• (c) $T'' = (S_1(B_1), S_2(B_2), \ldots, S_8(B_8))$

Each $S_i$ is a 4×16 2D table with 4 bits at each entry

$B_i$ determines an entry in the $S_i$ table

• (d) $T''' = P(T'')$

$f(R_{i-1}, K_i) = P(S(E(R_{i-1}) \oplus K_i))$

Page 240

Problem 3

3. a) Use the Euclidean algorithm to compute the gcd(904,162).

b) Prove that Euclidean algorithm takes at most 2log n divisions to compute gcd(m,n). You can assume that dividing integer a by another integer b gives both the quotient q and the remainder r with a=b*q+r.

Page 241

Greatest common divisor

• Divisor: For two integers b and c, if b=c*z for some integer z, c is a divisor of b.

• Greatest common divisor: Given two integers a and b, gcd(a,b) is the greatest positive integer c such that c is the divisor for both a and b.

• Examples: gcd(10,4)=2, gcd(16,100)=4

• Problem: How to find gcd(a,b)?

Page 242

Modular

• Assume a and b are two positive integers

$a = qb + r$, $0 \le r < b$

$\gcd(a, b) = \gcd(b, r)$

• This is a recursive equation since the second item goes down

Page 243

Solution

• gcd(904,162) = gcd(162,94)     904 = 5·162 + 94

• gcd(162,94) = gcd(94,68)       162 = 1·94 + 68

• gcd(94,68) = gcd(68,26)        94 = 1·68 + 26

• gcd(68,26) = gcd(26,16)        68 = 2·26 + 16

• gcd(26,16) = gcd(16,10)        26 = 1·16 + 10

• gcd(16,10) = gcd(10,6)         16 = 1·10 + 6

• gcd(10,6) = gcd(6,4)           10 = 1·6 + 4

• gcd(6,4) = gcd(4,2)            6 = 1·4 + 2

• gcd(4,2) = 2                   4 = 2·2 + 0

Page 244

Euclid algorithm

• Assume $a_1$ and $a_2$ are two positive integers

$a_1 = q_1 a_2 + a_3$, $0 < a_3 < a_2$

$a_2 = q_2 a_3 + a_4$, $0 < a_4 < a_3$

$a_3 = q_3 a_4 + a_5$, $0 < a_5 < a_4$

.......

$a_{m-2} = q_{m-2} a_{m-1} + a_m$, $0 < a_m < a_{m-1}$

$a_{m-1} = q_{m-1} a_m$

Page 245

Observation

Each $a_i$ can be expressed as $a_i = u_i a_1 + v_i a_2$ for some integers $u_i, v_i$.

Proof: It is true for i=1,2. Assume it is true for all cases <i.

Since $a_{i-2} = q_{i-2} a_{i-1} + a_i$ and, by the inductive assumption,

$a_{i-2} = u_{i-2} a_1 + v_{i-2} a_2$ and $a_{i-1} = u_{i-1} a_1 + v_{i-1} a_2$,

we have

$a_i = a_{i-2} - q_{i-2} a_{i-1} = u_{i-2} a_1 + v_{i-2} a_2 - q_{i-2}(u_{i-1} a_1 + v_{i-1} a_2)$

$= (u_{i-2} - q_{i-2} u_{i-1}) a_1 + (v_{i-2} - q_{i-2} v_{i-1}) a_2$

Page 246

Speed of Euclid algorithm

• Assume $a_1$ and $a_2$ are two positive integers

$a_1 = q_1 a_2 + a_3$, $0 < a_3 < a_2$, $\gcd(a_1, a_2) = \gcd(a_2, a_3)$

$a_2 = q_2 a_3 + a_4$, $0 < a_4 < a_3$, $\gcd(a_2, a_3) = \gcd(a_3, a_4)$

• If $a_3 > a_2/2$, we have $a_2 = 1 \cdot a_3 + (a_2 - a_3)$ with $a_2 - a_3 < a_2/2$

• In other words, $a_4 = a_2 - a_3 < a_2/2$

Page 247

Problem 4

4. a) In the RSA system, the public key of a given user is e=41, n=3599. What is the private key? Show each step of your calculation.

b) Why does the security of RSA depend on the intractability of the factorization and discrete logarithm problems? Why do we need large prime numbers for RSA?

Page 248

Public Key

• Encryption: $Y = E_{publicKey}(X)$

• Decryption: $X = D_{privateKey}(Y)$

Page 249

RSA Key Setup

• Choose two random big prime numbers p and q

• Compute N=pq

• Compute $\phi(N) = (p-1)(q-1)$

• Choose random $e < \phi(N)$ such that $\gcd(e, \phi(N)) = 1$

• Compute the integer d such that $ed \equiv 1 \pmod{\phi(N)}$

• Publicize (N,e) as the public key

• Keep d as the private key and destroy p, q and $\phi(N)$

Page 250

RSA Encryption

• Let m<N be a confidential message

• Ciphertext is made by $c = m^e \pmod N$

Page 251

RSA Decryption

• Plaintext is obtained by $m = c^d \pmod N$

Page 252

RSA Principle

Since $ed \equiv 1 \pmod{\phi(N)}$, we have $ed = 1 + k\phi(N)$

$c^d = m^{ed} = m^{1 + k\phi(N)} = m \cdot (m^{\phi(N)})^k \pmod N$

If $\gcd(m, N) = 1$, then $m^{\phi(N)} \equiv 1 \pmod N$ and $m^{k\phi(N)} \equiv 1 \pmod N$

$c^d = m \cdot (m^{\phi(N)})^k = m \cdot 1 = m \pmod N$

Page 253

Solution

Part 1.

n=59*61.

$\phi(n) = (59-1)(61-1) = 3480$

The inverse of e=41 is d=2801 (mod 3480).

Page 254

Solution

3480=41*84+36

41=36*1+5

36=5*7+1

1=36-5*7=36-7*(41-36*1)

=8*36-7*41

=8*(3480-41*84)-7*41

=8*3480-679*41.

2801=-679(mod 3480)

Page 255

Part b.

If n=p*q can be factorized easily, one can compute (p-1)*(q-1) and find d with $ed \equiv 1 \pmod{(p-1)(q-1)}$.

Page 256

Part c.

• If factorization is easy, we can find p and q for n=p*q. With p, q and n, we can find d.

• Discrete logarithm is to find x from y and n, where $y = a^x \pmod n$.

With a pair of messages a and $a^d \pmod n$, we can find d from the discrete log.

Page 257

Gcd(int a, int b)

/* Euclid's algorithm: gcd(a, b) = gcd(b, a mod b); assumes b > 0 */
int gcd(int a, int b){
    if ((a%b)==0) return b;
    return gcd(b, a%b);
}

Page 258

exponent( int a, int e, int m):

/* Fast exponentiation: a^e mod m by repeated squaring.
   temp*temp is formed in int, so m must be small enough
   (below 46341) for the product not to overflow. */
int exponent(int a, int e, int m){
    int temp;
    if (e==1) return a%m;
    if (e==0) return 1;
    if (e%2==0) {
        temp=exponent(a, e/2, m);
        return (temp*temp)%m;
    }else{
        temp=exponent(a, e/2, m);
        return (((temp*temp)%m)*a)%m;
    }
}

Page 259

Bad Implementation

/* temp*temp*a is formed in int before the reduction mod m and overflows */
return (temp*temp*a)%m;

Page 260

primality(int p)

/* One round of the first primality test; rand() needs <stdlib.h> */
int primality(int p){
    int a, temp;
    if (p<=1) return 0;
    if (p==2) return 1;
    a=1+(rand()%(p-1));            /* a in [1, p-1] */
    if (gcd(a, p)>1) return 0;
    temp=exponent(a, (p-1)/2,p);
    if ((temp!=1)&&(temp!=p-1)) return 0;
    return 1;
}

Page 261

Bad Implementation

temp=exponent(a, (p-1)/2,p);
/* exponent() returns a value in [0, p-1]: -1 mod p shows up as p-1, so temp is never -1 */
if ((temp!=1)&&(temp!=-1)) return 0;

Page 262

Bad Implementation

/* a can be 0, which is outside (0, p) */
a=rand()%p;

Page 263

Bad Implementation

/* exponent() is computed twice, and the assignment to temp sits inside the comparison */
if ((exponent(a, (p-1)/2,p)!=1)
    &&
    (temp=exponent(a, (p-1)/2,p)!=p-1))
    return 0;

Page 264

Problem 5

5. a) How many multiplications does it take to compute $5^{596} \pmod{1234}$ by using the fast exponentiation algorithm? Show the steps of your calculation. You only need to get the number of multiplications instead of the final result for $5^{596} \pmod{1234}$.

b) Explain why RSA needs fast exponentiation.

Page 265

Solution

• It takes 12 multiplications

$5^2 = 5 \cdot 5$ (1 multiplication)

$5^4 = 5^2 \cdot 5^2$ (1)

$5^9 = 5^4 \cdot 5^4 \cdot 5$ (2)

$5^{18} = 5^9 \cdot 5^9$ (1)

$5^{37} = 5^{18} \cdot 5^{18} \cdot 5$ (2)

$5^{74} = 5^{37} \cdot 5^{37}$ (1)

$5^{149} = 5^{74} \cdot 5^{74} \cdot 5$ (2)

$5^{298} = 5^{149} \cdot 5^{149}$ (1)

$5^{596} = 5^{298} \cdot 5^{298}$ (1)
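An added C example (not code from the slides) serving three of the passages above: the extended-Euclid "Observation" ($a_i = u_i a_1 + v_i a_2$) carried through to the private key for the exam's e=41, n=3599, and the slides' recursive exponent() with a multiplication counter that reproduces the 12 multiplications for $5^{596} \pmod{1234}$. Products are taken in 64 bits so temp*temp cannot overflow; the message value 1234 used for the RSA round trip is constructed.

```c
/* Added example (not the slides' code): the extended-Euclid "Observation"
 * (a_i = u_i a_1 + v_i a_2) turned into the private-key computation for the
 * exam's RSA parameters e = 41, n = 59*61 = 3599, plus the slides' recursive
 * fast exponentiation with a counter that reproduces the 12 multiplications
 * for 5^596 mod 1234.  Products are taken in 64 bits so that temp*temp does
 * not overflow, the defect of the "Bad Implementation" slide. */
#include <stdint.h>
#include <stdio.h>

/* Extended Euclid: returns gcd(a, b) and sets u, v with u*a + v*b = gcd(a, b).
 * (u_prev, v_prev) and (u_cur, v_cur) are the slides' (u_{i-1}, v_{i-1}) and (u_i, v_i). */
int64_t ext_gcd(int64_t a, int64_t b, int64_t *u, int64_t *v)
{
    int64_t u_prev = 1, v_prev = 0;   /* a_1 = 1*a + 0*b */
    int64_t u_cur = 0, v_cur = 1;     /* a_2 = 0*a + 1*b */
    while (b != 0) {
        int64_t q = a / b, r = a % b;          /* a_{i-2} = q a_{i-1} + a_i */
        int64_t u_next = u_prev - q * u_cur;   /* u_i = u_{i-2} - q u_{i-1} */
        int64_t v_next = v_prev - q * v_cur;   /* v_i = v_{i-2} - q v_{i-1} */
        a = b; b = r;
        u_prev = u_cur; v_prev = v_cur;
        u_cur = u_next; v_cur = v_next;
    }
    *u = u_prev; *v = v_prev;
    return a;
}

/* d = e^{-1} mod phi, or -1 when gcd(e, phi) != 1 (no inverse exists). */
int64_t mod_inverse(int64_t e, int64_t phi)
{
    int64_t u, v;
    if (ext_gcd(e, phi, &u, &v) != 1) return -1;
    return ((u % phi) + phi) % phi;   /* u*e + v*phi = 1  =>  e*u = 1 (mod phi) */
}

/* RSA private exponent from the primes: d with e*d = 1 (mod (p-1)(q-1)). */
int64_t rsa_private_exponent(int64_t p, int64_t q, int64_t e)
{
    return mod_inverse(e, (p - 1) * (q - 1));
}

/* The slides' recursive exponent(), counting modular multiplications in *mults.
 * Inputs below 2^32 keep temp*temp inside 64 bits. */
uint64_t exponent_counted(uint64_t a, uint64_t e, uint64_t m, int *mults)
{
    if (e == 0) return 1 % m;
    if (e == 1) return a % m;
    uint64_t temp = exponent_counted(a, e / 2, m, mults);
    uint64_t sq = temp * temp % m;    /* one multiplication for the square */
    (*mults)++;
    if (e % 2 == 0) return sq;
    (*mults)++;                       /* one more to multiply by a */
    return sq * (a % m) % m;
}

/* Slow reference a^e mod m for cross-checking the fast version. */
uint64_t exponent_naive(uint64_t a, uint64_t e, uint64_t m)
{
    uint64_t r = 1 % m;
    for (uint64_t i = 0; i < e; i++) r = r * (a % m) % m;
    return r;
}

int main(void)
{
    int mults = 0;
    int64_t d = rsa_private_exponent(59, 61, 41);          /* the exam's key */
    uint64_t msg = 1234;                                   /* constructed message < n */
    uint64_t c = exponent_counted(msg, 41, 3599, &mults);
    uint64_t back = exponent_counted(c, (uint64_t)d, 3599, &mults);
    printf("d = %lld, c = %llu, c^d mod n = %llu\n",
           (long long)d, (unsigned long long)c, (unsigned long long)back);
    mults = 0;
    uint64_t v = exponent_counted(5, 596, 1234, &mults);
    printf("5^596 mod 1234 = %llu using %d multiplications\n",
           (unsigned long long)v, mults);
    return 0;
}
```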

Page 266

Midterm 2010

• 90-100: 1

• 80-89: 7

• 70-79: 5

• 60-70: 3

• <60: 1

Page 267

Problem 1

1. a) Which of the following encryption methods use the substitution method? b) Which of them use the permutation method? c) Which of them use both methods? Briefly explain your answer.

(1) Monoalphabetic Cipher (2) Playfair cipher (3) Transposition cipher (4) Hill Cipher (5) DES (6) RSA

Page 268

Solution

• Substitution: Monoalphabetic Cipher, Playfair cipher, Hill Cipher, DES

• Permutation: Transposition cipher, DES.

• Both: DES

Page 276

Problem 2

2. a) Which parts of DES use the permutation method?

b) Which parts of DES use the substitution method?

c) Explain why DES is invertible (verify that each round is easy to invert).

Page 277

Answer

• A) Stage 1, stage 3, and all 16 rounds of stage 2.

• B) All 16 rounds of stage 2

• C) The invertibility of stage 1 and stage 3 is based on that $IP^{-1}(IP(\ldots)) = \ldots$

The 16 rounds of stage 2 are described by the three-stage structure shown for Problem 2 of the 2008 midterm above.

Page 278: CSCI 6365 Network Security and Management Instructor: Bin Fu, Ph.D Office: ENGR 3.280 Phone: 381-3635 Email: binfu@cs.panam.edubinfu@cs.panam.edu Web:

Three stages

• Stage 1: apply a fixed permutation IP

IP(Input Block)

• Stage 2: 16 rounds of operations (i=1,2,…,16)

• Stage 3: Output

Output block

),( 00 RL

),( 16161 LRIP

1 ii RL

),( 11 iiii kRfLR

Page 279: CSCI 6365 Network Security and Management Instructor: Bin Fu, Ph.D Office: ENGR 3.280 Phone: 381-3635 Email: binfu@cs.panam.edubinfu@cs.panam.edu Web:

Stage 1

• Apply a fixed permutation IP

IP(Input Block)

• is the left 32 bits

• is the right 32 bits

• IP is a fixed permutation function

),( 00 RL

0L

0R

Page 280: CSCI 6365 Network Security and Management Instructor: Bin Fu, Ph.D Office: ENGR 3.280 Phone: 381-3635 Email: binfu@cs.panam.edubinfu@cs.panam.edu Web:

Stage 2

• 16 rounds of operations (i=1,2,…,16)

• Function f is called “S”-box function (“S” for substitution)• The is a 48-bit key, a substring of the 56-bit input

key

1 ii RL

),( 11 iiii kRfLR

ik

Page 281: CSCI 6365 Network Security and Management Instructor: Bin Fu, Ph.D Office: ENGR 3.280 Phone: 381-3635 Email: binfu@cs.panam.edubinfu@cs.panam.edu Web:

One Round Feistel Ciper

• One round

1iL 1iL

f

1iR

iL iR

Page 282: CSCI 6365 Network Security and Management Instructor: Bin Fu, Ph.D Office: ENGR 3.280 Phone: 381-3635 Email: binfu@cs.panam.edubinfu@cs.panam.edu Web:

Principals

• The substitution is used in the f

• The permutation is applied in each of the 16 rounds

Page 283: CSCI 6365 Network Security and Management Instructor: Bin Fu, Ph.D Office: ENGR 3.280 Phone: 381-3635 Email: binfu@cs.panam.edubinfu@cs.panam.edu Web:

0L 0R

f

1R1L

f

2R2L

16R16L

.................

Page 284: CSCI 6365 Network Security and Management Instructor: Bin Fu, Ph.D Office: ENGR 3.280 Phone: 381-3635 Email: binfu@cs.panam.edubinfu@cs.panam.edu Web:

Stage 3

• Output

Output block

is the inverse of IP

),( 16161 LRIP

1IP

Page 285: CSCI 6365 Network Security and Management Instructor: Bin Fu, Ph.D Office: ENGR 3.280 Phone: 381-3635 Email: binfu@cs.panam.edubinfu@cs.panam.edu Web:

One Round Feistel Ciper

• One round

1iL 15L

f

15R

16L 16R

16k

Page 286: CSCI 6365 Network Security and Management Instructor: Bin Fu, Ph.D Office: ENGR 3.280 Phone: 381-3635 Email: binfu@cs.panam.edubinfu@cs.panam.edu Web:

Decryption

• First stage:

• Second stage:

),()),(()( 161616161 LRLRIPIPcIP )','( 00 RL

1601 '' LRL

)',()','('' 116161001 kLfRkRfLR

151 ' RL

1516151615151 ),()),((' LkRfkRfLR

Page 287: CSCI 6365 Network Security and Management Instructor: Bin Fu, Ph.D Office: ENGR 3.280 Phone: 381-3635 Email: binfu@cs.panam.edubinfu@cs.panam.edu Web:

Decryption

• Available information

(1) keys: k1,k2,…, k16

(2) IP

(3) Ciphertext: C

Page 288

Decryption

• First stage

  $IP(c) = IP(IP^{-1}(R_{16}, L_{16})) = (R_{16}, L_{16}) = (L_0', R_0')$

  $L_1' = R_0' = L_{16}$

  $R_1' = L_0' \oplus f(R_0', k_{16}) = R_{16} \oplus f(L_{16}, k_{16})$

  $L_1' = R_{15}$

  $R_1' = (L_{15} \oplus f(R_{15}, k_{16})) \oplus f(R_{15}, k_{16}) = L_{15}$

Page 289

Part b)

• Permutation: IP, and the left-to-right / right-to-left swap in each of the 16 stages.

• Substitution: the S-box in each of those 16 stages.

Page 290

Function $f(R_{i-1}, K_i)$

(Figure: $R_{i-1}$ (32 bits) → E → 48 bits; ⊕ $K_i$ (48 bits); the 48 bits are split into 8 groups of 6 bits, one for each S-box $S_1, S_2, \ldots, S_8$, each producing 4 bits; the 32-bit result → P → 32 bits)

$f(R_{i-1}, K_i) = P(S(E(R_{i-1}) \oplus K_i))$

Page 291

Function

• (a) E: expansion from 32 bits to 48 bits

• (b) Each $B_i$ is 6 bits

• (c) Each $S_i$ is a 4×16 2D table with 4 bits at each entry; $B_i$ determines an entry in the $S_i$ table

• (d) $f(R_{i-1}, K_i) = P(S(E(R_{i-1}) \oplus K_i))$:

  $T = E(R_{i-1})$

  $T' = T \oplus K_i = (B_1, \ldots, B_8)$

  $T'' = (S_1(B_1), S_2(B_2), \ldots, S_8(B_8))$

  $T''' = P(T'')$
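The Feistel structure of stages 1 to 3 and the decryption argument on the preceding slides, as an added toy implementation (not code from the slides or from DES): 16-bit blocks, 8-bit halves, a constructed permutation IP, a constructed S-box round function f and 8-bit round keys; decryption is the same network with the round keys reversed.

```python
"""Toy Feistel cipher with the DES structure of these slides (IP, 16 rounds,
L_i = R_{i-1}, R_i = L_{i-1} xor f(R_{i-1}, k_i), output IP^{-1}(R_16, L_16)).
Added example: 16-bit blocks, 8-bit halves and a constructed round function f,
not the real DES tables."""

# Constructed initial permutation on 16 bit positions (bit 0 = least significant):
# output bit i is taken from input bit IP[i].
IP = [14, 6, 1, 9, 11, 3, 15, 7, 12, 4, 0, 8, 10, 2, 13, 5]
IP_INV = [0] * 16
for i, src in enumerate(IP):
    IP_INV[src] = i          # inverse table: permute(permute(x, IP), IP_INV) == x

# Constructed 4-bit S-box (a permutation of 0..15), applied to both nibbles.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def permute(block16, table):
    out = 0
    for i, src in enumerate(table):
        out |= ((block16 >> src) & 1) << i
    return out


def f(right8, k8):
    """Round function in the slides' shape P(S(E(R) xor K)), toy sized:
    XOR in the round key, substitute each nibble, then a fixed bit rotation as P.
    f does not have to be invertible; the XOR in the Feistel round undoes it."""
    t = right8 ^ k8
    s = (SBOX[t >> 4] << 4) | SBOX[t & 0xF]
    return ((s << 3) | (s >> 5)) & 0xFF


def round_keys(key24):
    """Sixteen 8-bit round keys, each a substring of the rotated 24-bit key
    (the slides' k_i is a 48-bit substring of the 56-bit key)."""
    keys = []
    for i in range(1, 17):
        rot = ((key24 << i) | (key24 >> (24 - i))) & 0xFFFFFF
        keys.append(rot & 0xFF)
    return keys


def feistel(block16, keys):
    """Stage 1: IP; stage 2: 16 rounds; stage 3: IP^{-1} of the swapped halves.
    Returns the output block and the list of (L_i, R_i) for i = 0..16."""
    p = permute(block16, IP)
    l, r = p >> 8, p & 0xFF                 # (L_0, R_0)
    trace = [(l, r)]
    for k in keys:
        l, r = r, l ^ f(r, k)               # L_i = R_{i-1}; R_i = L_{i-1} xor f(R_{i-1}, k_i)
        trace.append((l, r))
    return permute((r << 8) | l, IP_INV), trace   # IP^{-1}(R_16, L_16)


def encrypt_block(block16, key24):
    return feistel(block16, round_keys(key24))[0]


def decrypt_block(cipher16, key24):
    # Same network, round keys in reverse order (k_16 first), as derived on the
    # decryption slides: IP(c) = (R_16, L_16) and each round peels off one layer.
    return feistel(cipher16, round_keys(key24)[::-1])[0]


def rounds_chain(block16, key24):
    """True when every round satisfied L_i == R_{i-1}, i.e. the Feistel swap."""
    _, trace = feistel(block16, round_keys(key24))
    return all(trace[i][0] == trace[i - 1][1] for i in range(1, len(trace)))


if __name__ == "__main__":
    key = 0xA5C3F1                      # constructed 24-bit key
    for m in (0x0000, 0x1234, 0xFFFF):
        c = encrypt_block(m, key)
        print(f"m={m:04x} c={c:04x} back={decrypt_block(c, key):04x}")
```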

Page 292

Problem 3

3. a) Use the Euclidean algorithm to compute gcd(78,104). Show your steps.

b) Prove that the Euclidean algorithm takes at most 2 log n divisions to compute gcd(m,n) with m<n. You can assume that dividing an integer a by another integer b gives both the quotient q and the remainder r with a=b*q+r.

Page 293

Greatest common divisor

• Divisor: For two integers b and c, if b=c*z for some integer z, c is a divisor of b.

• Greatest common divisor: Given two integers a and b, gcd(a,b) is the greatest positive integer c such that c is a divisor of both a and b.

• Examples: gcd(10,4)=2, gcd(16,100)=4

• Problem: How to find gcd(a,b)?

Page 294

Modular

• Assume a and b are two positive integers

  $a = qb + r, \quad 0 \le r < b$

  $\gcd(a, b) = \gcd(b, r)$

• This is a recursive equation, since the second argument goes down

Page 295

Solution

• gcd(104,78) = gcd(78,26) = 26

  104 = 1·78 + 26

  78 = 3·26 + 0

Page 296

Solution

• gcd(904,162) = gcd(162,94) = gcd(94,68) = gcd(68,26) = gcd(26,16) = gcd(16,10) = gcd(10,6) = gcd(6,4) = gcd(4,2) = 2

  904 = 5·162 + 94

  162 = 1·94 + 68

  94 = 1·68 + 26

  68 = 2·26 + 16

  26 = 1·16 + 10

  16 = 1·10 + 6

  10 = 1·6 + 4

  6 = 1·4 + 2

  4 = 2·2 + 0

Page 297

Euclid algorithm

• Assume $a_1$ and $a_2$ are two positive integers

  $a_1 = q_1 a_2 + a_3, \quad 0 \le a_3 < a_2$

  $a_2 = q_2 a_3 + a_4, \quad 0 \le a_4 < a_3$

  $a_3 = q_3 a_4 + a_5, \quad 0 \le a_5 < a_4$

  ……

  $a_{m-2} = q_{m-2} a_{m-1} + a_m, \quad 0 \le a_m < a_{m-1}$

  $a_{m-1} = q_{m-1} a_m$

Page 298

Observation

Each $a_i$ can be expressed as $a_i = u_i a_1 + v_i a_2$ for some integers $u_i, v_i$.

Proof: It is true for i = 1, 2. Assume it is true for all cases < i.

Since $a_{i-2} = q_{i-2} a_{i-1} + a_i$ and, by the inductive assumption,

$a_{i-2} = u_{i-2} a_1 + v_{i-2} a_2$ and $a_{i-1} = u_{i-1} a_1 + v_{i-1} a_2$,

we have

$a_i = a_{i-2} - q_{i-2} a_{i-1} = u_{i-2} a_1 + v_{i-2} a_2 - q_{i-2}(u_{i-1} a_1 + v_{i-1} a_2)$

$\quad = (u_{i-2} - q_{i-2} u_{i-1}) a_1 + (v_{i-2} - q_{i-2} v_{i-1}) a_2$

Page 299

Speed of Euclid algorithm

• Assume $a_1$ and $a_2$ are two positive integers

  $a_1 = q_1 a_2 + a_3, \quad q_1 \ge 1, \quad 0 \le a_3 < a_2 \le a_1, \quad \gcd(a_1, a_2) = \gcd(a_2, a_3)$

  $a_2 = q_2 a_3 + a_4, \quad q_2 \ge 1, \quad 0 \le a_4 < a_3 \le a_2, \quad \gcd(a_2, a_3) = \gcd(a_3, a_4)$

• If $a_3 > a_2 / 2$, we have $a_2 = 1 \cdot a_3 + (a_2 - a_3)$ with $a_2 - a_3 < a_2 / 2$

• In other words, $a_4 = a_2 - a_3 < a_2 / 2$ (and if $a_3 \le a_2 / 2$, then $a_4 < a_3 \le a_2 / 2$ directly), so every two divisions at least halve the second argument

Page 300

Problem 4

• 4. a) In the RSA system, the public key of a given user is e=3, n=55. What is the private key? Show each step of your calculation.

• b) Why does the security of RSA depend on the intractability of the factorization and discrete logarithm problems?

• c) Why do we need large prime numbers for RSA?

Page 301

Public Key

• Encryption: $Y = E_{publicKey}(X)$

• Decryption: $X = D_{privateKey}(Y)$

Page 302

RSA Key Setup

• Choose two random big prime numbers p and q

• Compute N = pq

• Compute $\phi(N) = (p-1)(q-1)$

• Choose random $e < \phi(N)$ such that $\gcd(e, \phi(N)) = 1$

• Compute the integer d such that $ed \equiv 1 \pmod{\phi(N)}$

• Publicize (N, e) as the public key

• Keep d as the private key and destroy p, q and $\phi(N)$

Page 303

RSA Encryption

• Let m < N be a confidential message

• The cipher text is made by $c = m^e \pmod N$

Page 304

RSA Decryption

• Plaintext is obtained by $m = c^d \pmod N$

Page 305

RSA Principle

Since $de \equiv 1 \pmod{\phi(N)}$, $de = 1 + k\phi(N)$,

we have $c^d = m^{ed} = m^{1 + k\phi(N)} = m \cdot (m^{\phi(N)})^k \pmod N$

If $\gcd(m, N) = 1$,

then $m^{\phi(N)} \equiv 1 \pmod N$ and $(m^{\phi(N)})^k \equiv 1 \pmod N$

$c^d = m \cdot (m^{\phi(N)})^k = m \cdot 1 = m \pmod N$

Page 306

Solution

Part 1.

n = 5·11.

$\phi(n) = (5-1)\cdot(11-1) = 40$

The inverse of e=3 is d=27 (mod 40).

Page 307

Solution

40 = 13·3 + 1

1 = 40 − 13·3

27 ≡ −13 (mod 40)

Page 308

Part b.

If n=p*q can be factorized easily, one can compute (p−1)*(q−1) and find d with e*d ≡ 1 (mod (p−1)(q−1)).

Page 309

Part c.

• If factorization is easy, we can find p and q for n=p*q. With p, q and n, we can find d.

• Discrete logarithm is to find x given y and n, where $y = a^x \pmod n$

• With a pair of messages a and $a^d \pmod n$, we can find d from the discrete log.
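Euclid's algorithm with the division trace of the Solution slides, the extended form $a_i = u_i a_1 + v_i a_2$ from the Observation slide, and the RSA key setup of Problem 4 (p = 5, q = 11, e = 3, giving d = 27), as one added example that is not code from the slides:

```python
"""Euclid's algorithm as on the slides (a = q*b + r, gcd(a,b) = gcd(b,r)),
the extended form a_i = u_i*a_1 + v_i*a_2, and the RSA key setup of Problem 4
(p = 5, q = 11, e = 3). Added example, not the slides' own code."""
import math


def euclid_trace(a, b):
    """Return the division steps (a, q, b, r) exactly as written on the
    Solution slides, e.g. 104 = 1*78 + 26, 78 = 3*26 + 0."""
    steps = []
    while b:
        q, r = divmod(a, b)
        steps.append((a, q, b, r))
        a, b = b, r
    return steps                        # the gcd is the last non-zero remainder


def extended_gcd(a, b):
    """gcd(a,b) together with (u, v) such that u*a + v*b == gcd(a, b).
    Keeps the slides' invariant a_i = u_i*a_1 + v_i*a_2 for every remainder."""
    u_prev, v_prev, u, v = 1, 0, 0, 1   # a_1 = 1*a + 0*b, a_2 = 0*a + 1*b
    while b:
        q, r = divmod(a, b)
        # a_i = a_{i-2} - q*a_{i-1}  =>  u_i = u_{i-2} - q*u_{i-1}, same for v
        u_prev, u = u, u_prev - q * u
        v_prev, v = v, v_prev - q * v
        a, b = b, r
    return a, u_prev, v_prev


def mod_inverse(e, n):
    """d with e*d = 1 (mod n); e.g. 40 = 13*3 + 1 => 1 = 40 - 13*3, d = -13 = 27 (mod 40)."""
    g, u, _ = extended_gcd(e, n)
    if g != 1:
        raise ValueError(f"{e} has no inverse modulo {n}")
    return u % n


def division_bound_holds(m, n):
    """Problem 3b: Euclid on gcd(m, n) with m < n uses at most 2*log2(n) divisions."""
    return len(euclid_trace(n, m)) <= 2 * math.log2(n)


def rsa_keygen(p, q, e):
    """RSA Key Setup slide: N = pq, phi = (p-1)(q-1), d = e^-1 mod phi."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(N)")
    return (n, e), mod_inverse(e, phi)  # public (N, e), private d


def rsa_encrypt(m, pub):
    n, e = pub
    return pow(m, e, n)                 # c = m^e mod N


def rsa_decrypt(c, d, n):
    return pow(c, d, n)                 # m = c^d mod N


if __name__ == "__main__":
    for a, q, b, r in euclid_trace(904, 162):
        print(f"{a} = {q}*{b} + {r}")
    pub, d = rsa_keygen(5, 11, 3)
    print("public", pub, "private d =", d)
    c = rsa_encrypt(9, pub)
    print("m=9 -> c =", c, "-> m =", rsa_decrypt(c, d, pub[0]))
```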

Page 310

Gcd(int a, int b)

  int gcd(int a, int b){
      if ((a%b)==0) return b;    /* b divides a: the gcd is b */
      return gcd(b, a%b);        /* gcd(a,b) = gcd(b, a mod b) */
  }

Page 311

exponent( int a, int e, int m):

  /* a^e mod m by repeated squaring; temp*temp must fit in an int,
     so m must stay below about 46341 */
  int exponent(int a, int e, int m){
      int temp;
      if (e==1) return a%m;
      if (e==0) return 1;
      if (e%2==0) {
          temp=exponent(a, e/2, m);
          return (temp*temp)%m;
      } else {
          temp=exponent(a, e/2, m);
          return (((temp*temp)%m)*a)%m;   /* reduce before multiplying by a */
      }
  }

Page 312

Bad Implementation

return (temp*temp*a)%m;

Page 313

primality(int p)

  #include <stdlib.h>   /* rand() */

  /* one random trial of a^((p-1)/2) == +1 or -1 (mod p); 1 = probably prime */
  int primality(int p){
      int a, temp;
      if (p<=1) return 0;
      if (p==2) return 1;
      a=1+(rand()%(p-1));                /* random a in 1..p-1 */
      if (gcd(a, p)>1) return 0;
      temp=exponent(a, (p-1)/2,p);
      if ((temp!=1)&&(temp!=p-1)) return 0;
      return 1;
  }

Page 314

Bad Implementation

temp=exponent(a, (p-1)/2,p);

if ((temp!=1)&&(temp!=-1)) return 0;

Page 315

Bad Implementation

a=rand()%p;

Page 316

Bad Implementation

  if ((exponent(a, (p-1)/2,p)!=1)
      &&
      (temp=exponent(a, (p-1)/2,p)!=p-1))
      return 0;

Page 317

Problem 5

5. a) How many multiplications does it take to compute $5^{596} \pmod{1234}$ by using the fast exponentiation algorithm? Show the steps of your calculation. You only need to get the number of multiplications instead of the final result for $5^{596} \pmod{1234}$.

b) Explain why RSA needs fast exponentiation.

Page 318

Solution

• It takes 12 multiplications

  $5^2 = 5 \cdot 5$ (1)

  $5^4 = 5^2 \cdot 5^2$ (1)

  $5^9 = 5^4 \cdot 5^4 \cdot 5$ (2)

  $5^{18} = 5^9 \cdot 5^9$ (1)

  $5^{37} = 5^{18} \cdot 5^{18} \cdot 5$ (2)

  $5^{74} = 5^{37} \cdot 5^{37}$ (1)

  $5^{149} = 5^{74} \cdot 5^{74} \cdot 5$ (2)

  $5^{298} = 5^{149} \cdot 5^{149}$ (1)

  $5^{596} = 5^{298} \cdot 5^{298}$ (1)

  (exponents visited: 596 → 298 → 149 → 74 → 37 → 18 → 9 → 4 → 2 → 1; every product is reduced mod 1234)
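The exponent() recursion of the earlier slide, instrumented to count multiplications for Problem 5, together with an emulation of the "Bad Implementation" `(temp*temp*a)%m` in wrapping 32-bit integers. Added example, not code from the slides; the wrap-around behaviour is what common C compilers do, although signed overflow is undefined in C.

```python
"""Fast exponentiation as coded on the exponent() slide, instrumented to count
multiplications (Problem 5: 5^596 mod 1234 takes 12), and an emulation of the
"bad implementation" (temp*temp*a)%m with wrapping 32-bit int arithmetic.
Added example, not the slides' own code."""


def fast_exp(a, e, m):
    """Return (a^e mod m, number of multiplications), mirroring the slide's
    recursion: even e costs one squaring, odd e one squaring plus one multiply."""
    if e == 0:
        return 1 % m, 0
    if e == 1:
        return a % m, 0
    temp, count = fast_exp(a, e // 2, m)
    if e % 2 == 0:
        return (temp * temp) % m, count + 1
    return (((temp * temp) % m) * a) % m, count + 2


def exponent_chain(e):
    """The exponents visited by the recursion, e.g. 596, 298, 149, ..., 2, 1."""
    chain = [e]
    while e > 1:
        e //= 2
        chain.append(e)
    return chain


def _int32(x):
    """Two's-complement wrap-around of a 32-bit C int."""
    x &= 0xFFFFFFFF
    return x - (1 << 32) if x >= (1 << 31) else x


def _c_mod(x, m):
    """C's % truncates toward zero, so a negative dividend gives a negative result."""
    q = abs(x) // m
    return x - m * q if x >= 0 else x + m * q


def bad_exp_int32(a, e, m):
    """The slide's 'Bad Implementation': return (temp*temp*a)%m in 32-bit ints.
    temp*temp*a can exceed 2^31-1 even when ((temp*temp)%m)*a would not,
    so the result wraps and the 'remainder' comes out wrong (even negative)."""
    if e == 0:
        return 1
    if e == 1:
        return a % m
    temp = bad_exp_int32(a, e // 2, m)
    if e % 2 == 0:
        return _c_mod(_int32(temp * temp), m)
    return _c_mod(_int32(temp * temp * a), m)


if __name__ == "__main__":
    value, mults = fast_exp(5, 596, 1234)
    print("5^596 mod 1234 =", value, "using", mults, "multiplications")
    print("chain:", exponent_chain(596))
    # 2000 = -3 (mod 2003), so 2000^3 = -27 = 1976 (mod 2003); the bad variant
    # computes 2000*2000*2000 = 8e9, which no longer fits in 32 bits.
    print("good:", fast_exp(2000, 3, 2003)[0], "bad:", bad_exp_int32(2000, 3, 2003))
```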

Page 319

Problem 6

6. Suppose we have a set of blocks encoded with the RSA algorithm and we don't have the private key. Assume n=pq, e is the public key. Suppose also someone tells us they know one of the plaintext blocks has a common factor with n. Show that the RSA system can be broken.

Page 320

Solution

• Assume that the block m has a common factor with n.

• The plain text m is encrypted into the cipher text $c = m^{publicKey} \pmod n$

• The cipher text c also has a common factor with n.

• Compute gcd(c,n) to get one of the two factors, and also the second.

• With the two factors and the public key, compute the private key

Page 321

Problem 7

7. Users A and B use the Diffie-Hellman key exchange method with a common prime q=7 and primitive root a=3. If user A has private key =2, and user B has private key =4, what is the shared secret key? Show the steps of your calculation.

Page 322

Solution

• A calculates $Y_A = a^{X_A} = 3^2 = 9 \equiv 2 \pmod q$

• B calculates $Y_B = a^{X_B} = 3^4 = 81 \equiv 4 \pmod q$

• A calculates $K = (a^{X_B})^{X_A} = 4^2 = 16 \equiv 2 \pmod q$

• B calculates $K = (a^{X_A})^{X_B} = 2^4 = 16 \equiv 2 \pmod q$

• The shared key is 2.

Page 323

Key management

• Distribution of public key

• Use of public key encryption to distribute secret key

Page 324

Public announcement of public key

• Uncontrolled public-key distribution (figure: A broadcasts $KU_a$ to everyone)

Page 325

Publicly Available Directory

• Public-key publication

• KU: public key. KR: private key

(Figure: A registers $KU_a$ and B registers $KU_b$ with the public-key directory)

Page 326

Publicly Available Directory

• Public-key publication through a public-key authority (figure):

  A → Authority: Request || Time1

  Authority → A: $E_{KR_{auth}}[KU_b \,\|\, \text{Request} \,\|\, \text{Time1}]$

  A → B: $E_{KU_b}[ID_A \,\|\, N_1]$

  B → Authority: Request || Time2

  Authority → B: $E_{KR_{auth}}[KU_a \,\|\, \text{Request} \,\|\, \text{Time2}]$

  B → A: $E_{KU_a}[N_1 \,\|\, N_2]$

  A → B: $E_{KU_b}[N_2]$

Page 327

Public-Key Certificate

• Exchange of public-key certificates (figure):

  A → Certificate authority: $KU_a$;  Certificate authority → A: $C_A = E_{KR_{auth}}[Time1, ID_A, KU_a]$

  B → Certificate authority: $KU_b$;  Certificate authority → B: $C_B = E_{KR_{auth}}[Time2, ID_B, KU_b]$

  A → B: $C_A$;  B → A: $C_B$

Page 328

Public-Key Certificate

Simple public-key encryption to establish a session key:

  A → B: $KU_a \,\|\, ID_A$

  B → A: $E_{KU_a}[K_s]$

Page 329

It is not secure against an active attack

• A generates $\{KU_a, KR_a\}$ and sends $\{KU_a, ID_A\}$ to B

• E intercepts $\{KU_a, ID_A\}$, creates $\{KU_e, KR_e\}$ and sends $\{KU_e, ID_A\}$ to B

• B generates a secret key $K_s$ and sends $E_{KU_e}[K_s]$

• E intercepts $E_{KU_e}[K_s]$, learns $K_s$

• E sends $E_{KU_a}[K_s]$ to A

Page 330

Secret Key distribution with authentication

• Public-key distribution of secret keys (figure):

  A → B: $E_{KU_b}[N_1 \,\|\, ID_A]$

  B → A: $E_{KU_a}[N_1 \,\|\, N_2]$

  A → B: $E_{KU_b}[N_2]$

  A → B: $E_{KU_b}[E_{KR_a}[K_s]]$

Page 331

Secret Key distribution with authentication

• Assume A and B know each other's public keys

• Public-key distribution of secret keys (figure):

  A → B: $E_{KU_b}[N_1 \,\|\, ID_A]$

  B → A: $E_{KU_a}[N_1 \,\|\, N_2]$

  A → B: $E_{KU_b}[E_{KR_a}[N_2 \,\|\, K_s]]$

Page 332

Secret Key distribution with authentication

• Assume A and B know each other's public keys

• Public-key distribution of secret keys (figure):

  A → B: $E_{KU_b}[N_1 \,\|\, ID_A]$

  B → A: $E_{KU_a}[N_1 \,\|\, N_2]$

  A → B: $E_{KU_b}[N_2]$

  A → B: $E_{KU_b}[E_{KR_a}[K_s]]$

Page 333

Diffie-Hellman Key Exchange

• Enables two users to exchange a key securely

• Published in 1976

• Commercial products available

Page 334

Global Public Elements

• Prime number q

• Primitive root $\alpha$ of q ($\alpha, \alpha^2, \alpha^3, \ldots, \alpha^{q-1} \pmod q$ is a permutation of 1, 2, 3, …, q−1)

Page 335

User A Key Generation

• Select private $X_A < q$

• Compute public $Y_A = \alpha^{X_A} \pmod q$

Page 336

User B Key Generation

• Select private $X_B < q$

• Compute public $Y_B = \alpha^{X_B} \pmod q$

Page 337

Generation of Secret Key by A

User A computes $K = (Y_B)^{X_A} \pmod q$

Page 338

User A Key Generation

• A: $K = (Y_B)^{X_A} \pmod q = (\alpha^{X_B} \pmod q)^{X_A} \pmod q = (\alpha^{X_B})^{X_A} \pmod q = \alpha^{X_B X_A} \pmod q$

Page 339

Generation of Secret Key by B

User B computes $K = (Y_A)^{X_B} \pmod q$
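The Diffie-Hellman exchange of these slides, worked with the numbers of Problem 7 (q = 7, α = 3, $X_A$ = 2, $X_B$ = 4), plus the primitive-root check of the Global Public Elements slide and a brute-force discrete logarithm that shows why q must be large. Added example, not code from the slides.

```python
"""Diffie-Hellman as on these slides, worked with the numbers of Problem 7
(q = 7, primitive root alpha = 3, X_A = 2, X_B = 4), with the check that
alpha really is a primitive root of q. Added example, not the slides' own code."""
import secrets


def is_primitive_root(alpha, q):
    """alpha, alpha^2, ..., alpha^(q-1) (mod q) must be a permutation of 1..q-1.
    This exhaustive check is only feasible for small q."""
    powers = {pow(alpha, i, q) for i in range(1, q)}
    return powers == set(range(1, q))


def dh_public(alpha, q, x):
    return pow(alpha, x, q)                     # Y = alpha^X mod q


def dh_shared(q, x_own, y_other):
    return pow(y_other, x_own, q)               # K = (Y_other)^X_own mod q


def dh_exchange(alpha, q, x_a, x_b):
    """Both sides' computations; returns (Y_A, Y_B, K computed by A, K computed by B)."""
    if not is_primitive_root(alpha, q):
        raise ValueError(f"{alpha} is not a primitive root of {q}")
    y_a, y_b = dh_public(alpha, q, x_a), dh_public(alpha, q, x_b)
    return y_a, y_b, dh_shared(q, x_a, y_b), dh_shared(q, x_b, y_a)


def random_private(q):
    """Private exponent X < q drawn from the OS CSPRNG (the slides only say X < q)."""
    return secrets.randbelow(q - 2) + 1          # 1 <= X <= q-2


def brute_force_dlog(alpha, y, q):
    """The eavesdropper's problem: find X with alpha^X = y (mod q) by trying every
    exponent. Feasible here only because q is tiny, which is why q must be large."""
    for x in range(1, q):
        if pow(alpha, x, q) == y:
            return x
    return None


if __name__ == "__main__":
    y_a, y_b, k_a, k_b = dh_exchange(3, 7, 2, 4)
    print(f"Y_A={y_a} Y_B={y_b} K(A)={k_a} K(B)={k_b}")
    print("eavesdropper recovers X_A =", brute_force_dlog(3, y_a, 7))
```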


Page 341

Authentication

• Masquerade: illegal insertion of a message into the network

• Content modification: change the content of a message

• Sequence modification: modification of a sequence of messages

• Timing modification: delay or replay of a message

• Source repudiation: denial of transmission by the source

• Destination repudiation: denial of receipt by the destination

Page 342

Two levels of authentication

• Produce an authenticator

• Verify the authenticity of a message

Page 343

Authentication Methods

• Message encryption

• Message authentication code (MAC)

• Hash function

Page 344

Symmetric Encryption

• Encrypt the message M with key K shared by A and B

(Figure: Source: M → E with K → $E_K(M)$; Destination: D with K → M)

Page 345

Message Encryption

Append checksum F(M) to message M and encrypt them together

(Figure: Source computes F(M) and sends $E_K(M \,\|\, F(M))$; Destination decrypts with K, recomputes F(M) and compares it with the received F(M))

Page 346

Public Key encryption

• Public key encryption: confidentiality

(Figure: Source: M → E with $KU_b$ → $E_{KU_b}(M)$; Destination: D with $KR_b$ → M)


Page 348

Public Key encryption

• Public key encryption: authentication and signature

(Figure: Source: M → E with $KR_a$ → $E_{KR_a}(M)$; Destination: D with $KU_a$ → M)

Page 349

Public Key encryption

• Public key encryption: confidentiality, authentication and signature

(Figure: Source: M → E with $KR_a$ → $E_{KR_a}(M)$ → E with $KU_b$ → $E_{KU_b}[E_{KR_a}(M)]$; Destination: D with $KR_b$ → $E_{KR_a}(M)$ → D with $KU_a$ → M)

Page 350

Message Authentication Code

• Use a secret key to generate a small fixed-size block of data, the MAC, that is appended to the message

• M = input message

• C = MAC function

• K = shared secret key

• MAC = message authentication code

$MAC = C_K(M)$

Page 351

Message Authentication

Append MAC to message

(Figure: Source computes $C_K(M)$ and sends $M \,\|\, C_K(M)$; Destination recomputes $C_K(M)$ with the same K and compares)

Page 352

Message Authentication

Authentication and confidentiality

(Figure: Source computes $C_{K_1}(M)$ and sends $E_{K_2}(M \,\|\, C_{K_1}(M))$; Destination decrypts with $K_2$, recomputes $C_{K_1}(M)$ and compares)

Page 353

Hash Function

• A hash function accepts a variable-size message M as input and produces a fixed-size output, H(M)

• There is no key to control hash function

Page 354

Hash

Message plus concatenated hash code is encrypted using symmetric encryption

(Figure: Source computes H(M) and sends $E_K(M \,\|\, H(M))$; Destination decrypts with K, recomputes H(M) and compares)


Page 356

Requirements for Hash function

• H(x) is easy to compute

• Given h, it is computationally hard to find x such that H(x)=h: One-way property

• Given x, it is computationally hard to find y such that H(x)=H(y): Weak collision resistance

• It is computationally hard to find x and y such that H(x)=H(y): Strong collision resistance


Page 358

Protocol

• Alice picks a random integer x and computes f(x); she reads f(x) to Bob on the phone

• Bob tells Alice his guess of x as even or odd

• Alice reads x to Bob

• Bob verifies f(x) and sees if his guess was correct

Page 359

Magic function f(x)

• For every integer x, f(x) is easy to compute.

• Given f(x), it is very hard to find any information about x.

• It is impossible to find different x and y with f(x)=f(y)

Page 360

Birthday attack

• Among k people, what is the probability that two of them have the same birthday?

Page 361

Counting

• k people with birthdays $p_1, p_2, \ldots, p_k$

• The number of cases in which all of them have different birthdays: $365 \cdot 364 \cdots (365 - k + 1) = \dfrac{365!}{(365-k)!}$

• The number of all possible k birthdays: $365^k$

Page 362

Probability

• k people with birthdays $p_1, p_2, \ldots, p_k$

• The probability that the k people have different birthdays:

  $Q(365, k) = \dfrac{365!}{(365-k)!\,365^k}$

Page 363

Birthday Paradox

• k people with birthdays $p_1, p_2, \ldots, p_k$

• The probability that at least 2 people have the same birthday:

  $P(365, k) = 1 - Q(365, k) = 1 - \dfrac{365!}{(365-k)!\,365^k}$

  $P(365, 23) \approx 0.5072$

  $P(365, 30) \approx 0.7$

  $P(365, 100) \approx 0.999$

Page 364

Counting

• Select k random numbers $p_1, p_2, \ldots, p_k$ between 1 and n

• The number of cases in which all of them are different: $n(n-1)\cdots(n-k+1)$

• The number of all possible k-tuples: $n^k$

Page 365

Probability

• k numbers $p_1, p_2, \ldots, p_k$ between 1 and n

• The probability that the k numbers are different:

  $Q(n, k) = \dfrac{n(n-1)\cdots(n-k+1)}{n^k}$

Page 366

Birthday Paradox

• k numbers $p_1, p_2, \ldots, p_k$ between 1 and n

• The probability that at least 2 of them are the same:

  $P(n, k) = 1 - Q(n, k) = 1 - \dfrac{n(n-1)\cdots(n-k+1)}{n^k}$

  $\quad = 1 - \dfrac{n}{n} \cdot \dfrac{n-1}{n} \cdots \dfrac{n-k+1}{n}$

  $\quad = 1 - \left(1 - \dfrac{1}{n}\right)\left(1 - \dfrac{2}{n}\right)\cdots\left(1 - \dfrac{k-1}{n}\right)$

Page 367

Birthday Paradox

• For $x \ge 0$, consider the function $f(x) = e^{-x}$

  $f'(x') = -e^{-x'}, \quad f'(0) = -1, \quad f''(x') = e^{-x'} > 0$

  Taylor: $f(x) = f(0) + f'(0)\,x + f''(x')\,x^2/2$ for some $0 \le x' \le x$

  $e^{-x} \ge 1 - x$

Page 368

Birthday Paradox

$P(n, k) = 1 - Q(n, k) = 1 - \dfrac{n(n-1)\cdots(n-k+1)}{n^k}$

$\quad = 1 - \dfrac{n}{n} \cdot \dfrac{n-1}{n} \cdots \dfrac{n-k+1}{n}$

$\quad = 1 - \left(1 - \dfrac{1}{n}\right)\left(1 - \dfrac{2}{n}\right)\cdots\left(1 - \dfrac{k-1}{n}\right)$

$\quad \ge 1 - e^{-1/n} \cdot e^{-2/n} \cdots e^{-(k-1)/n}$

$\quad = 1 - e^{-(1 + 2 + \cdots + (k-1))/n}$

$\quad = 1 - e^{-k(k-1)/(2n)}$

Page 369

Birthday Paradox

Let $P(n, k) = 1 - Q(n, k) = 1 - e^{-k(k-1)/(2n)} = 1/2$

$e^{-k(k-1)/(2n)} = 1/2$

$\dfrac{k(k-1)}{2n} = \ln 2$

$k^2 \approx 2n \ln 2$

$k \approx \sqrt{2 \ln 2}\,\sqrt{n} \approx 1.18\sqrt{n}$

Page 370

Attack Hash

• Hash function H has $2^m$ possible values

• Select k random values and apply H to them

• If $k \approx 2^{m/2}$, there is a collision H(x)=H(y) for different x and y with big chance.

Page 371

Overlap between two sets

Given two sets $\{x_1, x_2, \ldots, x_k\}$ and $\{y_1, y_2, \ldots, y_k\}$

Each element has a random value between 1 and n

What is the probability R(n,k) that the two sets are not disjoint?

Page 372

Overlap between two sets

Given two sets $X = \{x_1, x_2, \ldots, x_k\}$ and $Y = \{y_1, y_2, \ldots, y_k\}$

Each element has a random value between 1 and n

• The probability that $y_1$ does not match $x_1$ is $1 - \dfrac{1}{n}$

• The probability that there is no match in Y to $x_1$ is $\left(1 - \dfrac{1}{n}\right)^k$

• The probability that there is no match in Y to X is $\left(\left(1 - \dfrac{1}{n}\right)^k\right)^k = \left(1 - \dfrac{1}{n}\right)^{k^2}$

Page 373

Overlap between two sets

Given two sets $X = \{x_1, x_2, \ldots, x_k\}$ and $Y = \{y_1, y_2, \ldots, y_k\}$

Each element has a random value between 1 and n

$R(n, k) = 1 - \left(1 - \dfrac{1}{n}\right)^{k^2}$ is the probability that there is at least one match in Y to X

Page 374

Overlap between two sets

Since $1 - x \le e^{-x}$ for x > 0,

$R(n, k) = 1 - \left(1 - \dfrac{1}{n}\right)^{k^2} \ge 1 - \left(e^{-1/n}\right)^{k^2} = 1 - e^{-k^2/n}$

Page 375

Overlap between two sets

Let $R(n, k) = 1 - e^{-k^2/n} = 1/2$,

$e^{-k^2/n} = 1/2$

$\dfrac{k^2}{n} = \ln 2$

$k^2 = n \ln 2$

$k = \sqrt{\ln 2}\,\sqrt{n} \approx 0.83\sqrt{n}$
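The quantities of the birthday-paradox slides (exact Q and P, the bound $1 - e^{-k(k-1)/(2n)}$, the one-set threshold $1.18\sqrt{n}$, and R(n,k) with its two-set threshold $0.83\sqrt{n}$), as an added example that is not code from the slides:

```python
"""Birthday-paradox quantities from these slides: exact Q(n,k) and P(n,k),
the bound P >= 1 - e^{-k(k-1)/(2n)}, the 1/2 thresholds k ~ 1.18*sqrt(n)
(one set) and k ~ 0.83*sqrt(n) (two sets, R(n,k)). Added example."""
import math


def q_distinct(n, k):
    """Q(n,k) = n(n-1)...(n-k+1) / n^k: all k random values are distinct."""
    prob = 1.0
    for i in range(k):
        prob *= (n - i) / n
    return prob


def p_collision(n, k):
    return 1.0 - q_distinct(n, k)          # P(n,k) = 1 - Q(n,k)


def p_collision_bound(n, k):
    """Lower bound from 1 - x <= e^{-x}: P(n,k) >= 1 - e^{-k(k-1)/(2n)}."""
    return 1.0 - math.exp(-k * (k - 1) / (2 * n))


def k_for_half(n):
    """Smallest k with exact P(n,k) >= 1/2, to compare with 1.18*sqrt(n)."""
    k = 1
    while p_collision(n, k) < 0.5:
        k += 1
    return k


def r_overlap(n, k):
    """R(n,k) = 1 - (1 - 1/n)^(k^2): two sets of k random values intersect."""
    return 1.0 - (1 - 1 / n) ** (k * k)


def r_overlap_bound(n, k):
    return 1.0 - math.exp(-k * k / n)      # R(n,k) >= 1 - e^{-k^2/n}


def hash_collision_work(m):
    """For an m-bit hash (n = 2^m values), the k giving P ~ 1/2: about 1.18 * 2^(m/2)."""
    return math.sqrt(2 * math.log(2) * 2 ** m)


if __name__ == "__main__":
    for k in (23, 30, 100):
        print(f"P(365,{k}) = {p_collision(365, k):.4f}  bound {p_collision_bound(365, k):.4f}")
    print("k for P(365,k) >= 1/2:", k_for_half(365), " 1.18*sqrt(365) =", round(1.18 * 365 ** 0.5, 1))
    print("R(365,16) =", round(r_overlap(365, 16), 4), " 0.83*sqrt(365) =", round(0.83 * 365 ** 0.5, 1))
    print("64-bit hash: k for a collision ~", f"{hash_collision_work(64):.3e}")
```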

Page 376

Birthday Attack

Assume the hash code is m bits. Encrypted hash for signature:

• Opponent generates $2^{m/2}$ variations of a type 1 message

• Opponent generates $2^{m/2}$ variations of a type 2 message

• Find a type 1 message x and a type 2 message y such that Hash(x)=Hash(y)

• Get the signature from the boss for the type 1 message X; the signature is $E_K(Hash(X))$

• Send out $y \,\|\, E_K(Hash(X))$

Page 377

Variations of the same message

(Figure: $2^{m/2}$ variations of one letter, obtained by choosing at each position one of two equivalent phrasings: "This letter is / I am writing" … "to introduce (you to)" … "Alfred, the new / newly appointed chief / senior jewellery buyer for" ……..)

Page 378

A simple hash function

• Message M is partitioned into m blocks of n bits:

  $M = B_1 \,\|\, B_2 \,\|\, \cdots \,\|\, B_m$

  $B_1 = b_{1,1}\, b_{1,2} \ldots b_{1,n}$

  $B_2 = b_{2,1}\, b_{2,2} \ldots b_{2,n}$

  ……

  $B_m = b_{m,1}\, b_{m,2} \ldots b_{m,n}$

Page 379

A simple hash function

• Hash function value $c_1 c_2 \ldots c_n$ is defined as

  $c_1 = b_{1,1} \oplus b_{2,1} \oplus \cdots \oplus b_{m,1}$

  $c_2 = b_{1,2} \oplus b_{2,2} \oplus \cdots \oplus b_{m,2}$

  ……

  $c_n = b_{1,n} \oplus b_{2,n} \oplus \cdots \oplus b_{m,n}$


Page 381

Rabin's Hash

• A message M is partitioned into $M_1, M_2, \ldots, M_N$

• $H_0$ = initial value

• $H_i = E_{M_i}(H_{i-1})$

• $G = H_N$

• Encrypted with DES with 64 bits output.

• It is weak against the birthday attack

Page 382

Birthday Attack

Assume the hash code is m bits. Encrypted hash for signature: $E_K(G)$

• Calculate the hash code G

• Construct the desired message $Q_1, Q_2, \ldots, Q_{N-2}$

• Compute $H_i = E_{Q_i}[H_{i-1}]$ for $i = 1, 2, \ldots, N-2$

• Opponent generates $2^{m/2}$ blocks X's

• Opponent generates $2^{m/2}$ blocks Y's

• Find an X block and a Y block with $E_X[H_{N-2}] = D_Y[G]$

• Form the message $Q_1, Q_2, \ldots, Q_{N-2}, X, Y$ with the encrypted signature $E_K(G)$

Page 383

Davies and Price variation

• A message M is partitioned into $M_1, M_2, \ldots, M_N$

• $H_0$ = initial value

• $H_i = E_{M_i}(H_{i-1}) \oplus H_{i-1}$

• $G = H_N$


Page 385:

Hash Design

• IV = initial value • CV = chaining variable • Y = input block • f = compression algorithm • L = number of input blocks • b = length of an input block • n = length of the hash code

[Figure: general structure of an iterated hash function]

$CV_0 = IV$ (n bits)

$CV_i = f(CV_{i-1}, Y_{i-1}), \quad 1 \le i \le L$ (each $Y_{i-1}$ is b bits, each $CV_i$ is n bits)

$H(M) = CV_L$

Page 386:

Principle

• The hash function is collision resistant if the compression function is collision resistant

Page 387:

MD5

• 128-bit hash

[Figure: MD5 message digest generation]

Message ($K$ bits) $\|$ padding ($10\ldots0$, 1 to 512 bits) $\|$ message length ($K \bmod 2^{64}$, 64 bits) $= Y_0, Y_1, \ldots, Y_{L-1}$, each 512 bits

$CV_0 = IV$ (128 bits); $CV_{q+1} = H_{MD5}(CV_q, Y_q)$ (128 bits); the digest is $CV_L$

Page 388:

Step 1: Padding

• Append 1 to 512 bits so that the total length is ≡ 448 (mod 512): a single 1 bit followed by as many 0 bits as needed

• At least one bit is appended, even if the message already has the right length

Page 389:

Step 2: Append Length

64 bits are used for storing the length of the original message (in bits).

If the message length exceeds $2^{64}$ bits, only the low-order 64 bits of the length are used, i.e. the length is taken modulo $2^{64}$.

Expanded message: $Y_0, Y_1, \ldots, Y_{L-1}$ (L blocks of 512 bits)

Page 390:

Step 3: Initialize buffer

128-bit buffer holding four 32-bit words (A, B, C, D), initialized to the hex values

A = 67452301
B = EFCDAB89
C = 98BADCFE
D = 10325476

(The words are stored little-endian, so A appears in memory as the bytes 01 23 45 67.)

Page 391:

Step 4: Process the message in 512-bit blocks

MD5 has four similar rounds

Each round uses one of the four functions F, G, H and I

Each round has 16 similar steps

All 512 bits of the block are used in each round

Page 392:

MD5 Processing

[Figure: processing of a single 512-bit block $Y_q$]

Input: $Y_q$ (512 bits) and $CV_q$ (128 bits, loaded into A, B, C, D)

Round 1: F, T[1..16], X[i]
Round 2: G, T[17..32], X[$\rho_2 i$]
Round 3: H, T[33..48], X[$\rho_3 i$]
Round 4: I, T[49..64], X[$\rho_4 i$]

Output: $CV_{q+1} = CV_q + (A, B, C, D)$, four word-wise additions modulo $2^{32}$

Page 393:

Compression function

[Figure: one elementary MD5 step. Inputs A, B, C, D; g is applied to B, C, D; X[k] and T[i] are added; the sum is rotated by $CLS_s$ and added to B; outputs A, B, C, D]

Page 394:

MD5 compression function

• 16 steps per round (64 in all) operating on the buffer ABCD

• Each step is of the form

$a, b, c, d \leftarrow d,\; b + ((a + g(b, c, d) + X[k] + T[i]) \lll s),\; b,\; c$

• a, b, c, d = the four words of the buffer, in the order given
• g = one of the functions F, G, H, I
• <<<s = circular left shift by s bits
• X[k] = M[q*16+k] = k-th 32-bit word in the q-th 512-bit block
• T[i] = the i-th 32-bit word in table T
• + = addition modulo $2^{32}$

Page 395:

Four functions

• The function g is one of the four functions

$F(b, c, d) = (b \wedge c) \vee (\bar{b} \wedge d)$

$G(b, c, d) = (b \wedge d) \vee (c \wedge \bar{d})$

$H(b, c, d) = b \oplus c \oplus d$

$I(b, c, d) = c \oplus (b \vee \bar{d})$

Page 396:

Table T

• T has 64 entries T[1…64]. Each entry is a 32-bit word

• T[i] is the integer part of $2^{32} \times |\sin(i)|$, with i in radians

• T[1] = D76AA478, T[2] = E8C7B756, T[3] = 242070DB, ... (hex)

Page 397:

Digital Signature

• Verify the author, date and time
• Authenticate the content
• Be verifiable by a third party

Page 398:

Digital Signature

• X: sender • Y: receiver • A: arbiter

[Figure: X → Arbiter → Y]

Page 399:

Digital Signature

• $K_{xa}$: the key shared between X and A • $K_{ay}$: the key shared between A and Y • M: message • H: hash function • ID: identification number • T: timestamp

(1) $X \rightarrow A: \; M \,\|\, E_{K_{xa}}[ID_X \,\|\, H(M)]$

(2) $A \rightarrow Y: \; E_{K_{ay}}[ID_X \,\|\, M \,\|\, E_{K_{xa}}[ID_X \,\|\, H(M)] \,\|\, T]$

Page 400:

Digital Signature

• X: sender • Y: receiver • A: arbiter

[Figure: X sends $M \,\|\, E_{K_{xa}}[ID_X \,\|\, H(M)]$ to the arbiter; the arbiter forwards $E_{K_{ay}}[ID_X \,\|\, M \,\|\, E_{K_{xa}}[ID_X \,\|\, H(M)] \,\|\, T]$ to Y]

Page 401:

Digital Signature

• Y stores M and $E_{K_{ay}}[ID_X \,\|\, M \,\|\, E_{K_{xa}}[ID_X \,\|\, H(M)] \,\|\, T]$

• Y sends $E_{K_{ay}}[ID_X \,\|\, M \,\|\, E_{K_{xa}}[ID_X \,\|\, H(M)] \,\|\, T]$ to the arbiter A to settle disputes.

• Both sides trust the arbiter A.

Page 402:

Problem

• The arbiter can see the message

Page 403:

Arbiter does not see the message

• $K_{xy}$: key shared between X and Y, used to hide the message from A

(1) $X \rightarrow A: \; ID_X \,\|\, E_{K_{xy}}[M] \,\|\, E_{K_{xa}}[ID_X \,\|\, H(E_{K_{xy}}[M])]$

(2) $A \rightarrow Y: \; E_{K_{ay}}[ID_X \,\|\, E_{K_{xy}}[M] \,\|\, E_{K_{xa}}[ID_X \,\|\, H(E_{K_{xy}}[M])] \,\|\, T]$

Page 404:

Problem

• The arbiter can form an alliance with the sender to deny a signed message.

Page 405:

Public Key Approach

• KR: private key • KU: public key

(1) $X \rightarrow A: \; ID_X \,\|\, E_{KR_x}[ID_X \,\|\, E_{KU_y}[E_{KR_x}[M]]]$

(2) $A \rightarrow Y: \; E_{KR_a}[ID_X \,\|\, E_{KU_y}[E_{KR_x}[M]] \,\|\, T]$

Page 406:

Mutual Authentication

Two issues:

• Confidentiality

• Timeliness

Page 407:

Some attacks

• Simple replay: copy a message and replay it later

• Repetition: replay a timestamped message within its valid time window

Page 408:

Two approaches

• Timestamp: makes sure the message is fresh

• Challenge: A sends B a nonce and expects B's reply to contain it. This makes sure the reply is fresh and comes from B.

Page 409:

One-way Authentication

• KDC: responsible for generating the short-term (session) key • A: sender, B: receiver • $K_s$: session key • $K_a$: shared between A and KDC • $K_b$: shared between B and KDC

(1) $A \rightarrow KDC: \; ID_A \,\|\, ID_B \,\|\, N_1$

(2) $KDC \rightarrow A: \; E_{K_a}[K_s \,\|\, ID_B \,\|\, N_1 \,\|\, E_{K_b}[K_s \,\|\, ID_A]]$

(3) $A \rightarrow B: \; E_{K_b}[K_s \,\|\, ID_A] \,\|\, E_{K_s}[M]$

Page 410:

Public key One-way Authentication

A: sender B: receiver

It is confidential, but there is no signature

$A \rightarrow B: \; E_{KU_b}[K_s] \,\|\, E_{K_s}[M]$

Page 411:

Public key One-way Authentication

A: sender B: receiver

Hard to deny (signed, but not confidential)

$A \rightarrow B: \; M \,\|\, E_{KR_a}[H(M)]$

Page 412:

Public key One-way Authentication

A: sender B: receiver

Confidential and hard to deny

$A \rightarrow B: \; E_{KU_b}[M \,\|\, E_{KR_a}[H(M)]]$

Page 413:

Mutual Authentication

• KDC: responsible for generating the short-term (session) key • A: sender • B: receiver

(1) $A \rightarrow KDC: \; ID_A \,\|\, ID_B \,\|\, N_1$

(2) $KDC \rightarrow A: \; E_{K_a}[K_s \,\|\, ID_B \,\|\, N_1 \,\|\, E_{K_b}[K_s \,\|\, ID_A]]$

(3) $A \rightarrow B: \; E_{K_b}[K_s \,\|\, ID_A]$

(4) $B \rightarrow A: \; E_{K_s}[N_2]$

(5) $A \rightarrow B: \; E_{K_s}[f(N_2)]$

Page 414:

Problem

• An attacker who has obtained an old session key $K_s$ can replay the message of step 3; B cannot tell that the ticket is old.

• If the attacker then intercepts the message at step 4, he can answer the challenge with the old $K_s$ and impersonate A to send B messages.

Page 415:

Mutual Authentication

• T: timestamp

(1) $A \rightarrow KDC: \; ID_A \,\|\, ID_B$

(2) $KDC \rightarrow A: \; E_{K_a}[K_s \,\|\, ID_B \,\|\, T \,\|\, E_{K_b}[K_s \,\|\, ID_A \,\|\, T]]$

(3) $A \rightarrow B: \; E_{K_b}[K_s \,\|\, ID_A \,\|\, T]$

(4) $B \rightarrow A: \; E_{K_s}[N_1]$

(5) $A \rightarrow B: \; E_{K_s}[f(N_1)]$

Page 416:

Time check

$|Clock - T| < \Delta t$

where Clock is the recipient's local clock and $\Delta t$ is the tolerated discrepancy (clock skew plus expected network delay); a ticket failing the check is rejected.

Page 417:

Avoid replay attack

• The replay of step 3 is prevented by checking the timestamp: a replayed ticket carries an old T and fails the time check, as long as the clocks stay synchronized.
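The Needham-Schroeder exchange of page 413, the replay of step 3 from page 414 and the timestamped ticket of page 415, run side by side as an added example that is not part of the slides. Encryption $E_K[\ldots]$ is a constructed stand-in (HMAC-SHA256 keystream plus an HMAC tag, encrypt-then-MAC) so that the block runs with the standard library only; use a real AEAD in practice. The identifiers, clock values and the window are assumptions of the example.

```python
import hashlib
import hmac
import os


# ---- E_K[f1 || f2 || ...]: constructed stand-in for a block cipher ----------
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def enc(key: bytes, fields) -> bytes:
    """Encrypt the concatenation of fields (bytes without '|'): nonce||ct||tag."""
    pt = b"|".join(fields)
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def dec(key: bytes, blob: bytes):
    """Verify the tag, then return the list of fields; raises on tampering."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext rejected: bad MAC")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))).split(b"|")


# ---- Protocol parties ---------------------------------------------------------
def kdc_reply(keys, id_a, id_b, n1, now, timestamped):
    """Step 2. Original: E_Ka[Ks || ID_B || N1 || E_Kb[Ks || ID_A]].
    Timestamped variant: E_Ka[Ks || ID_B || T || E_Kb[Ks || ID_A || T]]."""
    ks = os.urandom(16).hex().encode()           # hex so the field has no '|'
    t = str(now).encode()
    ticket = enc(keys[id_b], [ks, id_a, t] if timestamped else [ks, id_a])
    fresh = t if timestamped else n1
    return enc(keys[id_a], [ks, id_b, fresh, ticket.hex().encode()])


def accept_ticket(key_b, ticket, now, window):
    """Step 3 at B: returns (Ks, ID_A). A timestamped ticket must satisfy
    |Clock - T| < window (page 416); an untimestamped one is taken at face value."""
    fields = dec(key_b, ticket)
    if len(fields) == 3 and abs(now - int(fields[2])) >= window:
        raise ValueError("stale ticket: |Clock - T| >= window")
    return fields[0], fields[1]


def answer_challenge(ks, challenge):
    """Steps 4/5: decrypt E_Ks[N2] and return E_Ks[f(N2)], with f(N) = N + 1."""
    (n2,) = dec(ks, challenge)
    return enc(ks, [str(int(n2) + 1).encode()])


def scenario(timestamped, window=60):
    """One honest session at time t0, then a replay of its step-3 ticket a day
    later by an attacker who has since compromised that session's Ks (page 414).
    Returns (honest session succeeded, replay accepted by B)."""
    keys = {b"A": os.urandom(16), b"B": os.urandom(16)}
    t0, n1 = 1_000_000, b"1111"
    msg2 = dec(keys[b"A"], kdc_reply(keys, b"A", b"B", n1, t0, timestamped))
    ks, ticket = msg2[0], bytes.fromhex(msg2[3].decode())
    if msg2[1] != b"B" or (msg2[2] != n1 and abs(t0 - int(msg2[2])) >= window):
        return False, False                      # A: not a fresh reply to my request
    ks_b, id_a = accept_ticket(keys[b"B"], ticket, t0, window)
    reply = dec(ks_b, answer_challenge(ks, enc(ks_b, [b"4242"])))
    honest_ok = id_a == b"A" and reply == [b"4243"]

    later = t0 + 24 * 3600                       # attacker replays the old ticket
    try:
        ks_old, _ = accept_ticket(keys[b"B"], ticket, later, window)
        reply = dec(ks_old, answer_challenge(ks, enc(ks_old, [b"777"])))
        replay_ok = reply == [b"778"]            # old Ks answers B's fresh challenge
    except ValueError:
        replay_ok = False
    return honest_ok, replay_ok


if __name__ == "__main__":
    print("Needham-Schroeder:", scenario(timestamped=False))   # (True, True)
    print("Timestamped ticket:", scenario(timestamped=True))   # (True, False)
```

B's nonce challenge in steps 4/5 does not help against the replay, because the attacker holds the old $K_s$ and can answer it; only the timestamp inside the ticket, which the attacker cannot change without $K_b$, lets B reject it.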

Page 418:

Mutual Authentication

• $N_a$, $N_b$: nonces chosen by A and B • $T_b$: timestamp chosen by B

(1) $A \rightarrow B: \; ID_A \,\|\, N_a$

(2) $B \rightarrow KDC: \; ID_B \,\|\, N_b \,\|\, E_{K_b}[ID_A \,\|\, N_a \,\|\, T_b]$

(3) $KDC \rightarrow A: \; E_{K_a}[ID_B \,\|\, N_a \,\|\, K_s \,\|\, T_b] \,\|\, E_{K_b}[ID_A \,\|\, K_s \,\|\, T_b] \,\|\, N_b$

(4) $A \rightarrow B: \; E_{K_b}[ID_A \,\|\, K_s \,\|\, T_b] \,\|\, E_{K_s}[N_b]$

Page 419:

Mutual Authentication

(3) $KDC \rightarrow A: \; E_{K_a}[ID_B \,\|\, N_a \,\|\, K_s \,\|\, T_b] \,\|\, E_{K_b}[ID_A \,\|\, K_s \,\|\, T_b] \,\|\, N_b$

• $N_a$ returned under $K_a$: B has received the message from A and this reply is fresh
• $T_b$: prevents the replay attack
• $K_s$: session key

Page 420:

Mutual Authentication

(4) $A \rightarrow B: \; E_{K_b}[ID_A \,\|\, K_s \,\|\, T_b] \,\|\, E_{K_s}[N_b]$

• $E_{K_s}[N_b]$ prevents the replay attack: only a party holding the fresh $K_s$ can return B's nonce

Page 421:

Public Key Approach

AS: the authentication server

Clock synchronization is needed

(1) $A \rightarrow AS: \; ID_A \,\|\, ID_B$

(2) $AS \rightarrow A: \; E_{KR_{as}}[ID_A \,\|\, KU_a \,\|\, T] \,\|\, E_{KR_{as}}[ID_B \,\|\, KU_b \,\|\, T]$

(3) $A \rightarrow B: \; E_{KR_{as}}[ID_A \,\|\, KU_a \,\|\, T] \,\|\, E_{KR_{as}}[ID_B \,\|\, KU_b \,\|\, T] \,\|\, E_{KU_b}[E_{KR_a}[K_s \,\|\, T]]$

Page 422:

Mutual Authentication

• KDC: responsible for generating the short-term (session) key; $KR_{auth}$ and $KU_{auth}$ are its private and public keys • A: sender B: receiver

(1) $A \rightarrow KDC: \; ID_A \,\|\, ID_B$

(2) $KDC \rightarrow A: \; E_{KR_{auth}}[ID_B \,\|\, KU_b]$

(3) $A \rightarrow B: \; E_{KU_b}[N_a \,\|\, ID_A]$

(4) $B \rightarrow KDC: \; ID_A \,\|\, ID_B \,\|\, E_{KU_{auth}}[N_a]$

(5) $KDC \rightarrow B: \; E_{KR_{auth}}[ID_A \,\|\, KU_a] \,\|\, E_{KU_b}[E_{KR_{auth}}[N_a \,\|\, K_s \,\|\, ID_B]]$

(6) $B \rightarrow A: \; E_{KU_a}[E_{KR_{auth}}[N_a \,\|\, K_s \,\|\, ID_B] \,\|\, N_b]$

(7) $A \rightarrow B: \; E_{K_s}[N_b]$

Page 423:

Mutual Authentication

(1) $A \rightarrow KDC: \; ID_A \,\|\, ID_B$

Tell the KDC of the intention to establish a secure connection with B

(2) $KDC \rightarrow A: \; E_{KR_{auth}}[ID_B \,\|\, KU_b]$

A gets the public key of B from the KDC, signed with the KDC's private key

Page 424:

Mutual Authentication

(3) $A \rightarrow B: \; E_{KU_b}[N_a \,\|\, ID_A]$

A tells B the intention for secure communication

(4) $B \rightarrow KDC: \; ID_A \,\|\, ID_B \,\|\, E_{KU_{auth}}[N_a]$

B passes $N_a$ to the KDC so that the KDC can stamp the session key with the nonce

Page 425:

Mutual Authentication

(5) $KDC \rightarrow B: \; E_{KR_{auth}}[ID_A \,\|\, KU_a] \,\|\, E_{KU_b}[E_{KR_{auth}}[N_a \,\|\, K_s \,\|\, ID_B]]$

• The session key is tied to $N_a$
• Tell B the public key of A
• B can verify that it is from the KDC

Page 426:

Mutual Authentication

(6) $B \rightarrow A: \; E_{KU_a}[E_{KR_{auth}}[N_a \,\|\, K_s \,\|\, ID_B] \,\|\, N_b]$

• Encrypted with A's public key. The key is fresh for A because it is tied to $N_a$

(7) $A \rightarrow B: \; E_{K_s}[N_b]$

• Tell B that A has the session key now.

Page 427:

Mutual Authentication

The nonce $N_a$ is for A; the revised step 6 also carries $ID_A$, tying the session key to both identities

(1) $A \rightarrow KDC: \; ID_A \,\|\, ID_B$

(2) $KDC \rightarrow A: \; E_{KR_{auth}}[ID_B \,\|\, KU_b]$

(3) $A \rightarrow B: \; E_{KU_b}[N_a \,\|\, ID_A]$

(4) $B \rightarrow KDC: \; ID_A \,\|\, ID_B \,\|\, E_{KU_{auth}}[N_a]$

(5) $KDC \rightarrow B: \; E_{KR_{auth}}[ID_A \,\|\, KU_a] \,\|\, E_{KU_b}[E_{KR_{auth}}[N_a \,\|\, K_s \,\|\, ID_B]]$

(6) $B \rightarrow A: \; E_{KU_a}[E_{KR_{auth}}[N_a \,\|\, K_s \,\|\, ID_A \,\|\, ID_B] \,\|\, N_b]$

(7) $A \rightarrow B: \; E_{K_s}[N_b]$

Page 428:

Chapter 14 – Authentication Applications

Page 429:

Authentication Applications

• will consider authentication functions

• developed to support application-level authentication & digital signatures

• will consider Kerberos – a secret-key (symmetric) third-party authentication service

• then the X.509 directory authentication service

Page 430:

Kerberos

• trusted key server system from MIT

• provides centralised secret-key third-party authentication in a distributed network
  – allows users access to services distributed through the network
  – without needing to trust all workstations
  – rather all trust a central authentication server

• two versions in use: 4 & 5

Page 431:

Kerberos Requirements

• first published report identified its requirements as:
  – security
  – reliability
  – transparency
  – scalability

• implemented using an authentication protocol

Page 432:

Authentication with AS

• (1) C → AS: $ID_c \,\|\, P_c \,\|\, ID_v$

• (2) AS → C: Ticket

• (3) C → V: $ID_c \,\|\, Ticket$

$Ticket = E(K_v, [ID_c \,\|\, AD_c \,\|\, ID_v])$

Page 433:

Items

• C =client

• AS =authentication server

• V =server

• IDc =identifier of user on C

• IDv =identifier of V

• Pc =password of user on C

• ADc=network address of C

• Kv =secret encryption key shared by AS and V

Page 434:

More Secure Authentication

Once per user logon session:
• (1) C → AS: $ID_c \,\|\, ID_{tgs}$
• (2) AS → C: $E(K_c, Ticket_{tgs})$

Once per type of service:
• (3) C → TGS: $ID_c \,\|\, ID_v \,\|\, Ticket_{tgs}$
• (4) TGS → C: $Ticket_v$

Once per service session:
• (5) C → V: $ID_c \,\|\, Ticket_v$

$Ticket_{tgs} = E(K_{tgs}, [ID_c \,\|\, AD_c \,\|\, ID_{tgs} \,\|\, TS_1 \,\|\, Lifetime_1])$

$Ticket_v = E(K_v, [ID_c \,\|\, AD_c \,\|\, ID_v \,\|\, TS_2 \,\|\, Lifetime_2])$

Page 435:

Items

• TGS: Ticket granting server (TGS)

• TS: Time stamp

Page 436:

Kerberos 4 Overview

• A basic third-party authentication scheme

• have an Authentication Server (AS)
  – users initially negotiate with AS to identify self
  – AS provides a non-corruptible authentication credential (ticket granting ticket TGT)

• have a Ticket Granting Server (TGS)
  – users subsequently request access to other services from TGS on the basis of the user's TGT

Page 437:

Kerberos 4 Overview

Page 438:

Kerberos Realms

• a Kerberos environment consists of:
  – a Kerberos server
  – a number of clients, all registered with server
  – application servers, sharing keys with server

• this is termed a realm
  – typically a single administrative domain

• if have multiple realms, their Kerberos servers must share keys and trust

Page 439:

Kerberos Version 5

• developed in mid 1990's
• provides improvements over v4
  – addresses environmental shortcomings
    • encryption alg, network protocol, byte order, ticket lifetime, authentication forwarding, interrealm auth
  – and technical deficiencies
    • double encryption, non-std mode of use, session keys, password attacks

• specified as Internet standard RFC 1510 (since superseded by RFC 4120)

Page 440:

X.509 Authentication Service

• part of CCITT X.500 directory service standards
  – distributed servers maintaining some info database

• defines framework for authentication services
  – directory may store public-key certificates
  – with public key of user
  – signed by certification authority

• also defines authentication protocols
• uses public-key crypto & digital signatures
  – algorithms not standardised, but RSA recommended

Page 441:

ITU-T

• ITU telecommunication standardization sector (ITU-T) coordinates standards for telecommunications on behalf of the international telecommunication union (ITU)

Page 442:

X.509 Certificates

• issued by a Certification Authority (CA), containing:
  – version (1, 2, or 3)
  – serial number (unique within CA) identifying certificate
  – signature algorithm identifier
  – issuer X.500 name (CA)
  – period of validity (from - to dates)
  – subject X.500 name (name of owner)
  – subject public-key info (algorithm, parameters, key)
  – issuer unique identifier (v2+)
  – subject unique identifier (v2+)
  – extension fields (v3)
  – signature (of hash of all fields in certificate)

• notation CA<<A>> denotes certificate for A signed by CA

Page 443:

X.509 Certificates

Page 444:

Make Certification

[Figure: generating a signed certificate]
Unsigned certificate (user ID, public key) → hashing of the unsigned certificate → encryption of the hash with the CA's private key (PR) → signed certificate = unsigned certificate || signature

Page 445:

Obtaining a Certificate

• any user with access to the CA can get any certificate from it

• only the CA can modify a certificate

• because they cannot be forged, certificates can be placed in a public directory

Page 446:

CA Hierarchy

• if both users share a common CA then they are assumed to know its public key

• otherwise CAs must form a hierarchy
• use certificates linking members of the hierarchy to validate other CAs
  – each CA has certificates for clients (forward) and parent (backward)

• each client trusts its parent's certificates
• enables verification of any certificate from one CA by users of all other CAs in the hierarchy

Page 447:

CA<<A>> = CA{V, SN, AI, CA, TA, A, Ap}

• V: version
• SN: serial number, an integer unique within the issuing CA
• AI: signature algorithm identifier, the algorithm used to sign the certificate
• CA: issuer name, X.500 name of the CA that created and signed this certificate
• TA: period of validity, first and last valid dates
• A: subject name, name of the user to whom this certificate refers
• Ap: public key of A, the key this certificate certifies

Page 448:

CA Hierarchy Use

Page 449:

Certificate Revocation

• certificates have a period of validity
• may need to revoke before expiry, eg:
  1. user's private key is compromised
  2. user is no longer certified by this CA
  3. CA's certificate is compromised

• CAs maintain a list of revoked certificates
  – the Certificate Revocation List (CRL)

• users should check certs against the CA's CRL

Page 450:

Authentication Procedures

• X.509 includes three alternative authentication procedures:

• One-Way Authentication

• Two-Way Authentication

• Three-Way Authentication

• all use public-key signatures

Page 451:

One-Way Authentication

• 1 message (A->B) used to establish
  – the identity of A and that the message is from A
  – the message was intended for B
  – integrity & originality of the message

• message must include timestamp, nonce, B's identity and is signed by A

Page 452:

One way

• B's identity, together with the timestamp and nonce, is signed with A's private key; the session key $K_{ab}$ is encrypted with B's public key.

$A\{t_A, r_A, ID_B, \mathrm{sgnData}, E_{KU_b}[K_{ab}]\}$

Page 453:

Items

• $t_A$: timestamp
• $r_A$: a nonce
• $ID_B$: identity of B
• sgnData: data to be signed
• $A\{\ldots\}$: signed with A's private key

Page 454:

Two-Way Authentication

• 2 messages (A->B, B->A) which also establishes in addition:
  – the identity of B and that reply is from B
  – that reply is intended for A
  – integrity & originality of reply

• reply includes original nonce from A, also timestamp and nonce from B

Page 455:

Two-way

$A\{t_A, r_A, ID_B, \mathrm{sgnData}, E_{KU_b}[K_{ab}]\}$

$B\{t_B, r_B, ID_A, r_A, \mathrm{sgnData}, E_{KU_a}[K_{ba}]\}$

Page 456:

Three-Way Authentication

• 3 messages (A->B, B->A, A->B) which enables above authentication without synchronized clocks

• has reply from A back to B containing signed copy of nonce from B

• means that timestamps need not be checked or relied upon

Page 457:

Three-way

$A\{t_A, r_A, ID_B, \mathrm{sgnData}, E_{KU_b}[K_{ab}]\}$

$B\{t_B, r_B, ID_A, r_A, \mathrm{sgnData}, E_{KU_a}[K_{ba}]\}$

$A\{r_B\}$

Page 458:

X.509 Version 3

• has been recognised that additional information is needed in a certificate
  – email/URL, policy details, usage constraints

• rather than explicitly naming new fields defined a general extension method

• extensions consist of:
  – extension identifier
  – criticality indicator
  – extension value

Page 459:

Certificate Extensions

• key and policy information
  – convey info about subject & issuer keys, plus indicators of certificate policy

• certificate subject and issuer attributes
  – support alternative names, in alternative formats for certificate subject and/or issuer

• certificate path constraints
  – allow constraints on use of certificates by other CAs

Page 460:

Summary

• have considered:
  – Kerberos trusted key server system
  – X.509 authentication and certificates

Page 461:

Problem

Let message M=10111011 01011110 00011011

1) Assume that n=8. Compute the simple hashing function value h(M).

2) Find another different message M’ such that h(M)=h(M’).

3) Does the simple hashing function satisfy the requirements for general hashing function?
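The function of pages 379/380 applied to the problem's message, as an added example (not part of the slides): it computes h(M) for n = 8, builds a second preimage by flipping the same bit position in two different blocks, and a preimage for any target by placing the target in the first block and zeros in the rest. The helper names are the example's own.

```python
def simple_hash(bits: str, n: int) -> str:
    """c_i = b_i1 XOR b_i2 XOR ... XOR b_im over the m blocks of n bits (pages 379/380)."""
    if len(bits) % n or not set(bits) <= {"0", "1"}:
        raise ValueError("message must be a bit string whose length is a multiple of n")
    code = 0
    for j in range(0, len(bits), n):
        code ^= int(bits[j:j + n], 2)          # XOR block B_j into the running code
    return format(code, f"0{n}b")


def _flip(bits: str, pos: int) -> str:
    return bits[:pos] + ("1" if bits[pos] == "0" else "0") + bits[pos + 1:]


def second_preimage(bits: str, n: int) -> str:
    """Given M, return M' != M with h(M') = h(M): flipping bit position 0 of two
    different blocks leaves every column XOR unchanged (needs m >= 2)."""
    if len(bits) < 2 * n:
        raise ValueError("need at least two blocks")
    return _flip(_flip(bits, 0), n)


def preimage(target: str, n: int, m: int) -> str:
    """Given a target code h, return an m-block M with h(M) = h: h || 0...0."""
    return target + "0" * (n * (m - 1))


M = "10111011" "01011110" "00011011"           # the problem's message, n = 8

if __name__ == "__main__":
    h = simple_hash(M, 8)
    print("h(M)  =", h)
    m2 = second_preimage(M, 8)
    print("M'    =", m2, " h(M') =", simple_hash(m2, 8))
    print("preimage of", h, "=", preimage(h, 8, 3))
```

Both constructions take constant time, so the function fails the one-way property and both collision-resistance requirements of page 384; it only detects accidental errors, not an adversary.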

Page 462:

Some New approaches for Preventing Software Tampering

Bin Fu, Uni. of New Orleans

Golden Richard III, Uni. of New Orleans

Yixin Chen Uni. of New Orleans

Adbo Husseiny Tech. Int. of Virginia

Page 463:

Software protection

• The global economic impact of software piracy was $11 billion in 2001.

• 40% of commercial software in use is pirated.

Page 464:

Password

• Check the password before running the software

• The password check may be bypassed

[Figure: "Check password" gate in front of the program]

Page 465:

#define realPassword 5413
........
read(password);
if (password != realPassword)
    print("password is incorrect");
else
    run the software

Page 466:

Problems with the password checking

• It is easy to bypass by removing the part of the code that checks the password (a single branch)

• The password itself is exposed in the code.

Page 467:

Method 1

• Select a hashing function h( )

• Select multiple constants and change them (off line):

c1' ← c1 − h(password+1)
c2' ← c2 − h(password+2)

• Recover them from the correct password (on line):

c1 ← c1' + h(password+1)
c2 ← c2' + h(password+2)

Page 468:

Solve Quadratic Equation

$x^2 + bx + c = 0$

It has two roots:

$x_1 = \dfrac{-b + \sqrt{b^2 - 4c}}{2}, \qquad x_2 = \dfrac{-b - \sqrt{b^2 - 4c}}{2}$

Page 469:

#define c1 2.0
#define c2 4.0

void quadratic(double b, double c, double *root1, double *root2) {
    double temp;
    temp = sqrt(b*b - c2*c);
    *root1 = (-b + temp) / c1;
    *root2 = (-b - temp) / c1;
}

For solving the equation $x^2 + bx + c = 0$

Page 470:

#include <stdio.h>
#include <math.h>
#define realPassword 2314
#define c1 2.0
#define c2 4.0

void quadratic(double b, double c, double *root1, double *root2) {
    double temp;
    temp = sqrt(b*b - c2*c);
    *root1 = (-b + temp) / c1;
    *root2 = (-b - temp) / c1;
}

int main() {
    double b, c, root1, root2;
    int password;
    scanf("%d", &password);
    if (password != realPassword) {        /* the single check an attacker patches out */
        printf("password is incorrect");
    } else {
        scanf("%lf, %lf", &b, &c);
        quadratic(b, c, &root1, &root2);
        printf("%lf, %lf", root1, root2);
    }
    return 0;
}

Page 471:

// off line: compute e1 and e2 from the real password
#define d1 e1   // e1 = c1 - hash(realPassword+1)
#define d2 e2   // e2 = c2 - hash(realPassword+2)
double c1, c2;

int main() {
    .......
    scanf("%d", &password);
    c1 = d1 + hash(password+1);   // on line: the correct password restores c1 = 2.0
    c2 = d2 + hash(password+2);   // and c2 = 4.0; a wrong password yields junk
    .........
}

Page 472:

#include <stdio.h>
#include <math.h>
#include "hash.h"          /* hash(): the chosen one-way function */
#define d1 e1              /* e1 = c1 - hash(realPassword+1), computed off line */
#define d2 e2              /* e2 = c2 - hash(realPassword+2), computed off line */
double c1, c2;

void quadratic(double b, double c, double *root1, double *root2) {
    double temp;
    temp = sqrt(b*b - c2*c);
    *root1 = (-b + temp) / c1;
    *root2 = (-b - temp) / c1;
}

int main() {
    double b, c, root1, root2;
    int password;
    scanf("%d", &password);
    c1 = d1 + hash(password+1);    /* no explicit check: a wrong password simply */
    c2 = d2 + hash(password+2);    /* yields wrong constants and wrong roots     */
    scanf("%lf", &b);
    scanf("%lf", &c);
    quadratic(b, c, &root1, &root2);
    printf("%lf, %lf", root1, root2);
    return 0;
}

Page 473:

Hardness to break

• The attacker has to understand the algorithm to a considerable level in order to recover those constants

• If the attacker knows some of the constants, the security depends on how hard the hashing function is to invert (recovering the password from h(password+i))

Page 474

Method 2

• Multiple constants are hidden in an array

• Only the correct password finds their correct addresses

Page 475

#include <stdio.h>
#include "hash.h"          /* hash( ) returns an index 0 .. array_size-1 */
#define array_size 64

double c1, c2, c3, c4;

int main() {
    double b, c, root1, root2;
    int password;
    double constants[array_size] = {
        3.12, 4.0, 5.12, 4.13, 2.0, 5.16, 2.17, 3.0,
        7.52, 6.9, 8.73, 9.23, 9.0, 8.42, 7.29, 5.9,
        1.92, 9.2, 3.92, 6.63, 8.7, 8.36, 9.15, 1.0,
        4.91, 4.9, 7.19, 2.76, 5.8, 8.79, 5.32, 4.9,
        9.30, 2.9, 8.17, 9.26, 7.2, 3.12, 3.56, 3.7,
        7.98, 6.8, 3.32, 5.78, 4.6, 1.26, 4.32, 2.8,
        3.10, 5.3, 3.83, 4.28, 7.9, 3.64, 4.57, 4.9,
        2.23, 3.8, 3.87, 6.12, 4.5, 4.98, 0.00, 9.0
    };
    scanf("%d", &password);
    c1 = constants[hash(password+1)];   /* the password selects the slots, not the values */
    c2 = constants[hash(password+2)];
    c3 = constants[hash(password+3)];
    c4 = constants[hash(password+4)];
    ……..
}

Page 476

Correct Password gives correct memory addresses

• For correct password p, h(p+1)=4, h(p+2)=1, h(p+3)=23, h(p+4)=62.

• c1=const[4]=2.0; c2=const[1]=1.0; c3=const[23]=1.0; c4=const[62]=0.0;

Page 477

Combine Two Methods (Off Line)

• Select two hashing functions h_address( ) and h_value( )

• Select some constants c1, c2

• Compute c1’ = c1 - h_value(p+1) and c2’ = c2 - h_value(p+2)

• Save c1’ at h_address(p+1) and c2’ at h_address(p+2)

Page 478

Combine Two Methods (On Line)

• Read the password p

• Fetch c1’ from h_address(p+1) and c2’ from h_address(p+2)

• Recover c1 by c1’ + h_value(p+1) and c2 by c2’ + h_value(p+2)

Page 479

Hide the password

• Offline: let q = hash(password)

• Online:

    read p
    if (hash(p) == q) then accept
    else reject

• Security: finding a collision for hash( ) is hard

Page 480

Apply the method to obfuscation

• Define an array of function pointers

• Let the password determine the functions called, by giving the address to the corresponding pointers

Page 481

#include <math.h>
#define c0 0
#define c1 1
#define c2 2
#define c3 3

double temp;
int (*a[4])(void);            /* array of function pointers */
double b, c, root1, root2;

int step0(void) { temp = sqrt(b*b - 4.0*c); return 0; }
int step1(void) { root1 = (-b + temp) / 2.0; return 0; }
int step2(void) { root2 = (-b - temp) / 2.0; return 0; }
int quadratic(void) { a[c0](); a[c1](); a[c2](); return 0; }

int main() {
    // assign function pointers to the array a[ ] below
    a[0] = step0;
    a[1] = step1;
    a[2] = step2;
    a[3] = quadratic;
    /* the remainder of main is not shown on the slide */
    return 0;
}

Page 482

Method 3

• Select multiple constants and change them (offline)

c1’ = c1 - h(password+1); c2’ = c2 - h(password+2);

c3’ = c3 - h(password+3); c4’ = c4 - h(password+4);

• Recover them from the correct password (online)

c1 = c1’ + h(password+1); c2 = c2’ + h(password+2);

c3 = c3’ + h(password+3); c4 = c4’ + h(password+4);
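Added example, not code from the slides: one C program that carries out the offline hiding and online recovery of constants with the ingredients of Method 1, Method 2, their combination and Method 3 (an offset from h_value, a slot from h_address, and the quadratic step that consumes the recovered c1 and c2). The hash functions, the decoy values and the use of the slides' password 2314 are constructed stand-ins, since the slides leave hash( ) unspecified.

```c
/* Added example (not the slides' code): password-derived constants, combining
 * the slides' Method 1 (constant minus h_value) with Method 2 (slot chosen by
 * h_address). h_value/h_address are toy stand-ins for the unspecified hash( ). */
#include <stdio.h>

#define ARRAY_SIZE 64
#define REAL_PASSWORD 2314          /* the slides' realPassword; used offline only */

/* Toy mixing function standing in for hash( ), chosen so the example can be
 * traced by hand. A deployment would use a cryptographic hash here. */
static long toy_hash(int n) { return (long)n * 37 + 11; }

static double h_value(int n)   { return (toy_hash(n) % 1000) / 10.0; }    /* 0.0 .. 99.9 */
static int    h_address(int n) { return (int)(toy_hash(n) % ARRAY_SIZE); } /* slot 0 .. 63 */

/* Newton iteration for the square root, so the example links without libm. */
static double sqrt_newton(double v)
{
    double x = v > 1.0 ? v : 1.0;
    int i;
    for (i = 0; i < 60; i++) x = 0.5 * (x + v / x);
    return x;
}

/* Offline step (run once by the author, never shipped): store c[i] - h_value(p+i+1)
 * at slot h_address(p+i+1); every other slot receives a decoy. Returns 0, or -1
 * if two constants would land in the same slot. */
int hide_constants(const double *c, int k, int p, double *table)
{
    int used[ARRAY_SIZE] = { 0 }, i;
    for (i = 0; i < ARRAY_SIZE; i++) table[i] = 1.0 + (i * 37 % 100) / 10.0;  /* decoys */
    for (i = 0; i < k; i++) {
        int slot = h_address(p + i + 1);
        if (used[slot]) return -1;
        used[slot] = 1;
        table[slot] = c[i] - h_value(p + i + 1);
    }
    return 0;
}

/* Online step (in the shipped program): constant i is rebuilt from the typed
 * password; a wrong password yields a wrong slot and/or a wrong offset. */
double recover_constant(const double *table, int i, int p)
{
    return table[h_address(p + i + 1)] + h_value(p + i + 1);
}

/* The slides' quadratic step with c1 (the divisor, 2.0) and c2 (4.0) recovered from p.
 * Returns -1 when the recovered constants give no real roots. */
int quadratic_roots(const double *table, int p, double b, double c, double *r1, double *r2)
{
    double c1 = recover_constant(table, 0, p);
    double c2 = recover_constant(table, 1, p);
    double disc = b * b - c2 * c;
    if (!(disc >= 0.0) || c1 == 0.0) return -1;
    *r1 = (-b + sqrt_newton(disc)) / c1;
    *r2 = (-b - sqrt_newton(disc)) / c1;
    return 0;
}

int main(void)
{
    double table[ARRAY_SIZE], r1, r2;
    const double real[2] = { 2.0, 4.0 };
    int password;
    if (hide_constants(real, 2, REAL_PASSWORD, table) != 0) return 1;   /* offline */
    printf("password: ");
    if (scanf("%d", &password) != 1) return 1;
    /* online: x^2 - 5x + 6 = 0 has roots 3 and 2 only with the right password */
    if (quadratic_roots(table, password, -5.0, 6.0, &r1, &r2) == 0)
        printf("%f, %f\n", r1, r2);
    else
        printf("no real roots with these constants\n");
    return 0;
}
```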

Page 483

Conclusions

• Protect software by password

Method 1: change multiple constants

Method 2: Rearrange multiple constants

• Future research: Protect software by hardware

Page 484

The End

Thank You

Page 485

Client and Server

(diagram: three clients connected to one server)

Page 486

(diagram: protocol stacks of the two hosts, with the peer protocol at each layer)

Web client <-- application protocol --> Web server

TCP <-- TCP protocol --> TCP

IP <-- IP protocol --> IP

Ethernet driver <-- Ethernet protocol --> Ethernet driver

(both hosts attached to the same Ethernet)

Page 487

(diagram: Router A, Router B, Router C, Router D and Router E forwarding packets toward destinations D1, D2 and D3)

Page 488

Design Philosophy

FTP, WEB: Application Service

TCP: Reliable Transport Service

IP: Connectionless Packet Delivery Service

Page 489

Port Number

• TCP allows multiple application programs on a machine

• The port number identifies the ultimate destination within a machine

• An end point is represented by (host_ip_address, port)

Page 490

Learn Networking

• Packet header

• Buffer management

Page 491

TCP client / TCP server

Server: socket() -> bind() -> listen() -> accept()

Client: socket() -> connect()   (connection established)

Client write()  -- data request -->  server read()

Client read()   <-- data reply --   server write()

Client close()  -- end notification -->  server read(), then server close()

Page 492

TCP handshaking

Client                      Server

socket                      socket, bind, listen

connect (blocks)            accept (blocks)

connect returns             accept returns

                            read (blocks)

Page 493

TCP sends packets

Client                          Server

send packet1                    receive packet1, send ACK1

receive ACK1, send packet2      receive packet2, send ACK2

receive ACK2

Page 494

Sliding Window Algorithm

p1 p2 p3 p4 p5 p6 p7 p8 p9 p10 p11 p12

(figure: the window covers a run of consecutive packets; shown before and after it slides)

Only send the packets in the window at one moment

Window moves right after the leftmost packet is acknowledged

Page 495

Algorithm Properties

• Remember which packets are unacknowledged

• Move past all acknowledged packets

• Retransmit a lost packet when its timer expires

• The window size changes based on the bandwidth

Page 496

Example of size four

Sender              Receiver

send p1

send p2             receive p1, send A1

send p3             receive p2, send A2

send p4             receive p3, send A3

receive A1          receive p4, send A4

receive A2

receive A3

receive A4
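Added example (not from the slides): a simulation of the sliding-window algorithm described above with a window of four, cumulative ACKs, a single constructed packet loss, and retransmission of the leftmost packet when its timer expires. The packet count, the window size and the loss position are assumptions.

```c
/* Added example (not the slides' code): sliding-window sender and receiver
 * in one process. Each loop iteration models one round trip. */
#include <stdio.h>
#include <string.h>

#define MAX_PKTS 64

typedef struct {
    int base;           /* leftmost unacknowledged packet */
    int next_seq;       /* first packet never sent so far */
    int window;         /* packets that may be in flight at once */
    int transmissions;  /* every send, retransmissions included */
} sender_t;

typedef struct {
    int expected;            /* next in-order packet the receiver wants */
    int have[MAX_PKTS + 2];  /* packets that arrived early, kept until the gap fills */
} receiver_t;

/* Receiver: keep the packet, advance over everything contiguous, return the cumulative ACK. */
static int receiver_on_packet(receiver_t *r, int seq)
{
    if (seq >= r->expected) r->have[seq] = 1;
    while (r->have[r->expected]) r->expected++;
    return r->expected - 1;
}

/* Sender: a cumulative ACK moves the window past all acknowledged packets. */
static void sender_on_ack(sender_t *s, int ack)
{
    if (ack + 1 > s->base) s->base = ack + 1;
}

/* Channel: packet drop_seq is lost on its first transmission (no ACK, signalled
 * by -1); every other transmission is delivered and acknowledged. */
static int transmit(sender_t *s, receiver_t *r, int seq, int drop_seq, int *dropped)
{
    s->transmissions++;
    if (seq == drop_seq && !*dropped) { *dropped = 1; return -1; }
    return receiver_on_packet(r, seq);
}

/* Deliver packets 1..n (drop_seq = 0 means no loss). Returns the number of
 * transmissions, or -1 if the transfer stalls; *rounds_out gets the round count. */
int run_sliding_window(int n, int window, int drop_seq, int *rounds_out)
{
    sender_t s = { 1, 1, window, 0 };
    receiver_t r;
    int dropped = 0, rounds = 0, timer_expired = 0;

    if (n < 1 || n > MAX_PKTS || window < 1) return -1;
    memset(&r, 0, sizeof r);
    r.expected = 1;
    while (s.base <= n) {
        int base_before = s.base, last_ack = s.base - 1, ack, seq;
        if (++rounds > 4 * n) return -1;
        /* The leftmost packet's timer expired: retransmit just that packet. */
        if (timer_expired && (ack = transmit(&s, &r, s.base, drop_seq, &dropped)) > last_ack)
            last_ack = ack;
        /* Send every new packet that fits in the window [base, base + window - 1]. */
        for (seq = s.next_seq; seq <= n && seq < s.base + window; seq++) {
            if ((ack = transmit(&s, &r, seq, drop_seq, &dropped)) > last_ack) last_ack = ack;
            s.next_seq = seq + 1;
        }
        sender_on_ack(&s, last_ack);
        /* No ACK for the leftmost packet this round: its timer expires. */
        timer_expired = (s.base == base_before);
    }
    *rounds_out = rounds;
    return s.transmissions;
}

int main(void)
{
    int rounds, tx = run_sliding_window(12, 4, 3, &rounds);
    printf("12 packets, window 4, packet 3 lost once: %d transmissions in %d rounds\n", tx, rounds);
    return 0;
}
```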

Page 497

TCP segment format

Source port(16b) Destination port(16b)

Sequence number(32b)

Acknowledgement number(32b)

Hlen(4b) Reserved(6b) Code bits(6b) Window(16b)

Checksum(16b) ….

Data

Page 498

TCP Header

• Source port: TCP port number of the source end

• Destination port: TCP port number of the destination end

• Sequence number: Position in the sender’s byte stream

• Acknowledgement number: Number of the next byte expected to be received

• Hlen: Length of the header measured in 32-bit words (typically 20 bytes)

• Code bits: Purpose of the segment, such as reset connection, end of the byte stream, etc.

• Window: Buffer size

• Checksum: Data integrity

Page 499

Internet Protocol (IP)

• Unreliable, connectionless delivery

• Routing over the internet

• Rules for unreliable delivery

Error message,

Discard packet

Page 500

IP datagram format

Vers(4b) Hlen(4b) ServiceType(8b) TotalLength(16b)

Identification(16b) Flags(4b) FragmentOffset(12b)

TimeToLive(8b) Protocol(8b) HeaderChecksum(16b)

SourceIPAddress(32b)

DestinationIPAddress(32b)

IPOptions(24b) Padding(8b)

Data …….

Page 501

IP

• Vers: IP version used to create the datagram

• Hlen: datagram header length measured in 32-bit words

• ServiceType: precedence (3b), D (1b), T (1b), R (1b)

• TotalLength: the total length of the datagram in bytes

• Identification: identifies which datagram a fragment belongs to

• FragmentOffset: offset of the fragment in the original datagram

• Checksum: Data integrity

• TimeToLive: Maximum time to stay on the internet. Decreased by one by each router.
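Added example (not from the slides): a parser for the IPv4 datagram and TCP segment headers laid out on the two format slides, with the IP header checksum verified and a corrupted header rejected. The sample datagram is constructed, not captured; the parser splits the 16 bits after Identification into 3 flag bits and a 13-bit offset as on the wire.

```c
/* Added example (not the slides' code): parse IPv4 and TCP headers from raw
 * bytes and verify the RFC 791 header checksum. Sample bytes are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef struct {
    uint8_t  version, hlen_words, ttl, protocol;
    uint16_t total_length, identification, flags, frag_offset, checksum;
    uint32_t src, dst;
} ipv4_hdr;

typedef struct {
    uint16_t src_port, dst_port, window, checksum;
    uint32_t seq, ack;
    uint8_t  hlen_words, code_bits;    /* code bits: URG ACK PSH RST SYN FIN */
} tcp_hdr;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* One's-complement sum of 16-bit words over the header, complemented. */
uint16_t ip_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2) sum += be16(hdr + i);
    if (len & 1) sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Returns 0 and fills h, or -1 if the header is truncated, malformed or corrupt. */
int parse_ipv4(const uint8_t *p, size_t len, ipv4_hdr *h)
{
    if (len < 20) return -1;
    h->version = p[0] >> 4;
    h->hlen_words = p[0] & 0x0f;                 /* Hlen: header length in 32-bit words */
    if (h->version != 4 || h->hlen_words < 5 || (size_t)h->hlen_words * 4 > len) return -1;
    h->total_length = be16(p + 2);
    if (h->total_length < (uint16_t)(h->hlen_words * 4) || h->total_length > len) return -1;
    h->identification = be16(p + 4);
    h->flags = be16(p + 6) >> 13;                /* 3 flag bits on the wire */
    h->frag_offset = be16(p + 6) & 0x1fff;       /* 13-bit fragment offset */
    h->ttl = p[8];
    h->protocol = p[9];                          /* 6 = TCP */
    h->checksum = be16(p + 10);
    h->src = be32(p + 12);
    h->dst = be32(p + 16);
    /* With a correct checksum field the header words sum to 0xffff, so the
     * complemented sum over the whole header is 0; anything else is corruption. */
    if (ip_checksum(p, (size_t)h->hlen_words * 4) != 0) return -1;
    return 0;
}

/* Returns 0 and fills t, or -1 if the segment header is truncated or malformed. */
int parse_tcp(const uint8_t *p, size_t len, tcp_hdr *t)
{
    if (len < 20) return -1;
    t->src_port = be16(p);
    t->dst_port = be16(p + 2);
    t->seq = be32(p + 4);
    t->ack = be32(p + 8);
    t->hlen_words = p[12] >> 4;
    t->code_bits = p[13] & 0x3f;
    t->window = be16(p + 14);
    t->checksum = be16(p + 16);                  /* not verified here: needs the pseudo-header */
    if (t->hlen_words < 5 || (size_t)t->hlen_words * 4 > len) return -1;
    return 0;
}

/* Constructed sample: a TCP SYN from 192.168.0.1:1234 to 192.168.0.199:80,
 * 20-byte IP header + 20-byte TCP header, no payload. Returns bytes written. */
size_t build_sample_datagram(uint8_t *buf)
{
    static const uint8_t ip[20] = {
        0x45, 0x00, 0x00, 0x28,   /* version 4, hlen 5 words, service type 0, total length 40 */
        0x1c, 0x46, 0x40, 0x00,   /* identification 0x1c46, flags DF, fragment offset 0 */
        0x40, 0x06, 0x00, 0x00,   /* TTL 64, protocol 6 (TCP), checksum filled in below */
        0xc0, 0xa8, 0x00, 0x01,   /* source 192.168.0.1 */
        0xc0, 0xa8, 0x00, 0xc7    /* destination 192.168.0.199 */
    };
    static const uint8_t tcp[20] = {
        0x04, 0xd2, 0x00, 0x50,   /* source port 1234, destination port 80 */
        0x00, 0x00, 0x00, 0x01,   /* sequence number 1 */
        0x00, 0x00, 0x00, 0x00,   /* acknowledgement number 0 */
        0x50, 0x02, 0x20, 0x00,   /* hlen 5 words, code bits SYN, window 8192 */
        0x00, 0x00, 0x00, 0x00    /* checksum (left 0 here), urgent pointer */
    };
    uint16_t sum;
    memcpy(buf, ip, 20);
    sum = ip_checksum(buf, 20);
    buf[10] = (uint8_t)(sum >> 8);
    buf[11] = (uint8_t)(sum & 0xff);
    memcpy(buf + 20, tcp, 20);
    return 40;
}
```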

Page 502

IP routing

• Find a path to send the packet

• Routing table

• Routing protocols

(diagram: machines M connected through several routers)

Page 503

Socket Address

• struct in_addr {
      in_addr_t s_addr;            // 32-bit IPv4 address
  };

• struct sockaddr_in {
      uint8_t        sin_len;      // length of structure
      sa_family_t    sin_family;   // AF_INET
      in_port_t      sin_port;     // 16-bit port number
      struct in_addr sin_addr;     // 32-bit IPv4 address
      char           sin_zero[8];  // unused
  };

Page 504

Generic Socket Address

• struct sockaddr {
      uint8_t     sa_len;
      sa_family_t sa_family;       // address family: AF_xx
      char        sa_data[14];     // protocol-specific address
  };

Page 505

bind( )

• #include <sys/socket.h>

• int bind(int sockfd, const struct sockaddr *myaddr, socklen_t addrlen);

• Assigns a local protocol address to a socket

Page 506

listen( )

• #include <sys/socket.h>

• int listen(int sockfd, int backlog);

• Returns 0 if OK, -1 on error

• Converts an unconnected socket into a passive socket, indicating that the kernel should accept incoming connection requests

Page 507

listen( )

• sockfd: socket descriptor returned by the socket function

• backlog: maximum combined size of two queues

incomplete connection queue: connections before the third handshake message

completed connection queue: connections after the third handshake message

Page 508

Two Queues for Connection

(diagram: arriving SYN -> server TCP -> incomplete connection queue -> completed connection queue -> accept)

Page 509

accept( )

• #include <sys/socket.h>

• int accept(int sockfd, struct sockaddr *cliaddr, socklen_t *addrlen);

• Called by the TCP server to return the next completed connection from the front of the completed connection queue

Page 510

connect( )

• #include <sys/socket.h>

• int connect(int sockfd, const struct sockaddr *servaddr, socklen_t addrlen);

• Returns 0 if OK, -1 on error

• Establishes a connection with a TCP server

Page 511

connect( )

• sockfd: socket descriptor returned by the socket function

• servaddr: socket address structure with the IP address and port number of the server

• addrlen: the length of the socket address structure
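Added example (not from the slides or from Stevens' code): the client/server call sequence from the slides run inside one process over the loopback interface. It also shows the completed-connection queue at work: connect( ) returns before accept( ) is ever called, because the kernel finishes the handshake on its own. Port 0 (kernel-chosen port), the backlog value and the message strings are assumptions.

```c
/* Added example (not the slides' code): socket/bind/listen/accept on the
 * server side and socket/connect on the client side, all on 127.0.0.1. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* TCP is a byte stream: keep reading until want bytes arrive (or EOF/error). */
static ssize_t read_full(int fd, char *buf, size_t want)
{
    size_t got = 0;
    while (got < want) {
        ssize_t n = read(fd, buf + got, want - got);
        if (n <= 0) return n < 0 ? -1 : (ssize_t)got;
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/* Returns 0 on success, or the negative number of the step that failed. */
int loopback_roundtrip(void)
{
    static const char request[] = "data request";
    static const char reply[] = "data reply";
    int lfd = -1, cfd = -1, afd = -1, rc = 0;
    struct sockaddr_in srv, cli;
    socklen_t len;
    char buf[64];

    /* Server side: socket(), bind(), listen() */
    if ((lfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) { rc = -1; goto out; }
    memset(&srv, 0, sizeof srv);
    srv.sin_family = AF_INET;
    srv.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    srv.sin_port = htons(0);                       /* 0: the kernel picks a free port */
    if (bind(lfd, (struct sockaddr *)&srv, sizeof srv) < 0) { rc = -2; goto out; }
    if (listen(lfd, 5) < 0) { rc = -3; goto out; }  /* backlog 5: both queues together */
    len = sizeof srv;
    if (getsockname(lfd, (struct sockaddr *)&srv, &len) < 0) { rc = -4; goto out; }

    /* Client side: socket(), connect(). The three-way handshake completes in the
     * kernel, so this connection now waits in the completed connection queue. */
    if ((cfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) { rc = -5; goto out; }
    if (connect(cfd, (struct sockaddr *)&srv, sizeof srv) < 0) { rc = -6; goto out; }

    /* Server: accept() returns that connection from the front of the queue. */
    len = sizeof cli;
    if ((afd = accept(lfd, (struct sockaddr *)&cli, &len)) < 0) { rc = -7; goto out; }

    /* Client write() / server read(): data request */
    if (write(cfd, request, sizeof request) != (ssize_t)sizeof request) { rc = -8; goto out; }
    if (read_full(afd, buf, sizeof request) != (ssize_t)sizeof request ||
        memcmp(buf, request, sizeof request) != 0) { rc = -9; goto out; }
    /* Server write() / client read(): data reply */
    if (write(afd, reply, sizeof reply) != (ssize_t)sizeof reply) { rc = -10; goto out; }
    if (read_full(cfd, buf, sizeof reply) != (ssize_t)sizeof reply ||
        memcmp(buf, reply, sizeof reply) != 0) { rc = -11; goto out; }

    /* Client close() is the end notification: the server's read() returns 0. */
    close(cfd);
    cfd = -1;
    if (read(afd, buf, sizeof buf) != 0) { rc = -12; goto out; }
out:
    if (afd >= 0) close(afd);
    if (cfd >= 0) close(cfd);
    if (lfd >= 0) close(lfd);
    return rc;
}

int main(void)
{
    int rc = loopback_roundtrip();
    if (rc == 0) printf("round trip OK\n");
    else printf("failed at step %d\n", -rc);
    return rc == 0 ? 0 : 1;
}
```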

Page 512

A web site for source code

• Address:

http://www.kohala.com/start/unpv12e.html

• Download Source code

• Execute the commands in README

• Book: Unix Network Programming,

by Richard Stevens

Page 517

Cryptography and Network Security

Third Edition

by William Stallings

Lecture slides by Lawrie Brown

Page 518

IP Security

• have considered some application specific security mechanisms

– eg. Kerberos, SSL/HTTPS

• however there are security concerns that cut across protocol layers

• would like security implemented by the network for all applications

Page 519

IPSec

• general IP Security mechanisms

• provides

– authentication

– confidentiality

– key management

• applicable to use over LANs, across public & private WANs, & for the Internet

Page 520

IPSec Uses

Page 521

Benefits of IPSec

• in a firewall/router provides strong security to all traffic crossing the perimeter

• is resistant to bypass

• is below transport layer, hence transparent to applications

• can be transparent to end users

• can provide security for individual users if desired

Page 522

IP Security Architecture

• specification is quite complex

• defined in numerous RFC’s

– incl. RFC 2401/2402/2406/2408

– many others, grouped by category

• mandatory in IPv6, optional in IPv4

Page 523

IPSec Services

• Access control

• Connectionless integrity

• Data origin authentication

• Rejection of replayed packets

– a form of partial sequence integrity

• Confidentiality (encryption)

• Limited traffic flow confidentiality

Page 524

Security Associations

• a one-way relationship between sender & receiver that affords security for traffic flow

• defined by 3 parameters:

– Security Parameters Index (SPI)

– IP Destination Address

– Security Protocol Identifier

• has a number of other parameters

– seq no, AH & ESP info, lifetime etc

• have a database of Security Associations

Page 525

Authentication Header (AH)

• provides support for data integrity & authentication of IP packets

– end system/router can authenticate user/app

– prevents address spoofing attacks by tracking sequence numbers

• based on use of a MAC

– HMAC-MD5-96 or HMAC-SHA-1-96

• parties must share a secret key

Page 526

Original IP

• Before AH

IPv4: [orig IP hdr][TCP][Data]

IPv6: [orig IP hdr][ext hdrs: dest, routing][dest][TCP][Data]

Page 527

Transport Mode AH

• After AH

IPv4: [orig IP hdr][AH][TCP][Data]

IPv6: [orig IP hdr][ext hdrs: dest, routing][AH][dest][TCP][Data]

(authenticated: the whole packet, except the mutable fields of the IP header)

Page 528

Tunnel Mode AH

• Format

IPv4: [new IP hdr][AH][orig IP hdr][TCP][Data]

IPv6: [new IP hdr][ext headers][AH][orig IP hdr][ext headers][TCP][Data]

(authenticated: the whole packet, except the mutable fields of the new IP header)

Page 529

Authentication Header

Page 530

Transport & Tunnel Modes

Page 531

Encapsulating Security Payload (ESP)

• provides message content confidentiality & limited traffic flow confidentiality

• can optionally provide the same authentication services as AH

• supports range of ciphers, modes, padding

– incl. DES, Triple-DES, RC5, IDEA, CAST etc

– CBC most common

– pad to meet blocksize, for traffic flow

Page 532

Encapsulating Security Payload

Page 533

Transport vs Tunnel Mode ESP

• transport mode is used to encrypt & optionally authenticate IP data

– data protected but header left in clear

– can do traffic analysis but is efficient

– good for ESP host to host traffic

• tunnel mode encrypts entire IP packet

– add new header for next hop

– good for VPNs, gateway to gateway security

Page 534

Transport Mode ESP

• Format

IPv4: [orig IP hdr][ESP hdr][TCP][Data][ESP trlr][ESP auth]

IPv6: [orig IP hdr][ext hdrs: dest, routing][ESP hdr][dest][TCP][Data][ESP trlr][ESP auth]

(encrypted: everything after the ESP hdr through the ESP trlr; authenticated: ESP hdr through ESP trlr)

Page 535

Tunnel Mode ESP

• Format

IPv4: [new IP hdr][ESP hdr][orig IP hdr][TCP][Data][ESP trlr][ESP auth]

IPv6: [new IP hdr][ext hdr][ESP hdr][orig IP hdr][ext hdr][TCP][Data][ESP trlr][ESP auth]

(encrypted: orig IP hdr through ESP trlr; authenticated: ESP hdr through ESP trlr)

Page 536

Items

• ESP trailer: Padding, Pad length, etc.

• ESP auth: ESP authentication.

Page 537

Combining Security Associations

• SA’s can implement either AH or ESP

• to implement both need to combine SA’s

– form a security bundle

• have 4 cases (see next)

Page 538

Combining Security Associations

Page 539

Key Management

• handles key generation & distribution

• typically need 2 pairs of keys

– 2 per direction for AH & ESP

• manual key management

– sysadmin manually configures every system

• automated key management

– automated system for on demand creation of keys for SA’s in large systems

– has Oakley & ISAKMP elements

Page 540

Oakley

• a key exchange protocol

• based on Diffie-Hellman key exchange

• adds features to address weaknesses

– cookies, groups (global params), nonces, DH key exchange with authentication

• can use arithmetic in prime fields or elliptic curve fields

Page 541

ISAKMP

• Internet Security Association and Key Management Protocol

• provides framework for key management

• defines procedures and packet formats to establish, negotiate, modify, & delete SAs

• independent of key exchange protocol, encryption alg, & authentication method

Page 542

Diffie-Hellman Key Exchange

• Enables two users to exchange a key securely

• Published in 1976

• Commercial products available

Page 543

Global Public Elements

• Prime number $q$

• $\alpha$: a primitive root of $q$ ($\alpha \bmod q,\ \alpha^2 \bmod q,\ \alpha^3 \bmod q,\ \ldots,\ \alpha^{q-1} \bmod q$ is a permutation of $1, 2, 3, \ldots, q-1$)

Page 544

User A Key Generation

• Select private $X_A$, with $X_A < q$

• Compute public $Y_A = \alpha^{X_A} \bmod q$

Page 545

User B Key Generation

• Select private $X_B$, with $X_B < q$

• Compute public $Y_B = \alpha^{X_B} \bmod q$

Page 546

User A Key Generation

• A:

$K = (Y_B)^{X_A} \bmod q$

$\;\;\; = (\alpha^{X_B} \bmod q)^{X_A} \bmod q$

$\;\;\; = \alpha^{X_B X_A} \bmod q$

$\;\;\; = (\alpha^{X_A} \bmod q)^{X_B} \bmod q$

$\;\;\; = (Y_A)^{X_B} \bmod q$

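Added example (not from the slides): the Diffie-Hellman steps above in C with the slides' symbols (q, alpha, X_A, Y_A, X_B, Y_B, K), plus a brute-force check of the slides' permutation definition of a primitive root. q = 23, alpha = 5 and the two private values are constructed toy parameters.

```c
/* Added example (not the slides' code): Diffie-Hellman on toy-sized numbers
 * with the slides' notation. Moduli must stay below 2^32 so that products fit
 * in 64 bits. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* base^exp mod m by square-and-multiply */
uint64_t modpow(uint64_t base, uint64_t exp, uint64_t m)
{
    uint64_t result = 1;
    base %= m;
    while (exp) {
        if (exp & 1) result = result * base % m;
        base = base * base % m;
        exp >>= 1;
    }
    return result;
}

#define MAX_Q 4096   /* the brute-force primitive-root test is for toy moduli only */

/* The slides' definition: alpha is a primitive root of the prime q when
 * alpha, alpha^2, ..., alpha^(q-1) mod q is a permutation of 1, ..., q-1.
 * Returns 1 if so, 0 if not, -1 if q is out of range for the brute-force check. */
int is_primitive_root(uint64_t alpha, uint64_t q)
{
    unsigned char seen[MAX_Q];
    uint64_t v = 1, e;
    if (q < 3 || q > MAX_Q) return -1;
    memset(seen, 0, sizeof seen);
    for (e = 1; e < q; e++) {
        v = v * alpha % q;                 /* alpha^e mod q */
        if (v == 0 || seen[v]) return 0;   /* a repeat before covering 1..q-1 */
        seen[v] = 1;
    }
    return 1;
}

/* Key generation: public Y = alpha^X mod q for a private X < q */
uint64_t dh_public(uint64_t alpha, uint64_t q, uint64_t x) { return modpow(alpha, x, q); }

/* Shared secret: K = (Y_other)^(X_own) mod q, identical on both sides */
uint64_t dh_shared(uint64_t y_other, uint64_t x_own, uint64_t q) { return modpow(y_other, x_own, q); }

int main(void)
{
    const uint64_t q = 23, alpha = 5;   /* constructed toy parameters; a real q has thousands of bits */
    const uint64_t xa = 6, xb = 15;     /* private values chosen by A and B */
    uint64_t ya = dh_public(alpha, q, xa), yb = dh_public(alpha, q, xb);
    printf("alpha=%llu is a primitive root of q=%llu: %d\n", (unsigned long long)alpha,
           (unsigned long long)q, is_primitive_root(alpha, q));
    printf("Y_A=%llu Y_B=%llu\n", (unsigned long long)ya, (unsigned long long)yb);
    printf("K at A=%llu, K at B=%llu\n", (unsigned long long)dh_shared(yb, xa, q),
           (unsigned long long)dh_shared(ya, xb, q));
    return 0;
}
```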
Page 548

Final Presentation

• Find a related security paper from the last five years published in a good journal or conference

• Read it carefully.

• Describe the security problem that it deals with

• Describe the solution

• Possible future development

• Find the current background in that line.

• Every one talks for about 30 minutes

• No single paper can be shared by two people.

Page 549

Evaluation

• Presentation

• The quality of the paper that you selected

• The slides that you made

• Problem and solution.

• Your effort in proposing any future research plan in the similar topic.

Page 550

Aggressive Key Exchange

• The communications:

$I \to R:\; CKY_I,\ OK\_KEYX,\ GRP,\ g^x,\ EHAO,\ NIDP,\ ID_I,\ ID_R,\ N_I,\ S_{K_I}[ID_I \,\|\, ID_R \,\|\, N_I \,\|\, GRP \,\|\, g^x \,\|\, EHAO]$

$R \to I:\; CKY_R,\ OK\_KEYX,\ GRP,\ g^y,\ EHAS,\ NIDP,\ ID_R,\ ID_I,\ N_R,\ N_I,\ S_{K_R}[ID_R \,\|\, ID_I \,\|\, N_R \,\|\, N_I \,\|\, GRP \,\|\, g^y \,\|\, g^x \,\|\, EHAS]$

$I \to R:\; CKY_I,\ CKY_R,\ OK\_KEYX,\ GRP,\ g^x,\ EHAO,\ NIDP,\ ID_I,\ ID_R,\ N_I,\ N_R,\ S_{K_I}[ID_I \,\|\, ID_R \,\|\, N_I \,\|\, GRP \,\|\, g^x \,\|\, g^y \,\|\, EHAS]$

Page 551

Protocol for Key Management

• The communications:

$I \to R:\; CKY_I,\ OK\_KEYX,\ GRP,\ g^x,\ EHAO,\ NIDP,\ ID_I,\ ID_R,\ N_I,\ S_{K_I}[ID_I \,\|\, ID_R \,\|\, N_I \,\|\, GRP \,\|\, g^x \,\|\, EHAO]$

Page 552

Protocol for Key Management

• The communications:

$R \to I:\; CKY_R,\ OK\_KEYX,\ GRP,\ g^y,\ EHAS,\ NIDP,\ ID_R,\ ID_I,\ N_R,\ N_I,\ S_{K_R}[ID_R \,\|\, ID_I \,\|\, N_R \,\|\, N_I \,\|\, GRP \,\|\, g^y \,\|\, g^x \,\|\, EHAS]$

Page 553

Protocol for Key Management

• The communications:

$I \to R:\; CKY_I,\ CKY_R,\ OK\_KEYX,\ GRP,\ g^x,\ EHAO,\ NIDP,\ ID_I,\ ID_R,\ N_I,\ N_R,\ S_{K_I}[ID_I \,\|\, ID_R \,\|\, N_I \,\|\, GRP \,\|\, g^x \,\|\, g^y \,\|\, EHAS]$

Page 554

• I = Initiator

• R = Responder

• $CKY_I, CKY_R$ = Initiator, responder cookies

• OK_KEYX = Key exchange message type

• GRP = Name of Diffie-Hellman group for this exchange

• $g^x, g^y$ = Public key of initiator, responder

• EHAO, EHAS = Encryption, hash, authentication functions, offered and selected

• NIDP = Indicates encryption is not used for remainder of this message

• $N_I, N_R$ = Random nonce supplied by initiator, responder

• $S_{K_I}[X], S_{K_R}[X]$ = Indicates the signature over X using private key (signing key) of initiator, responder

Page 555

ISAKMP

Page 556

Summary

• have considered:

– IPSec security framework

– AH

– ESP

– key management & Oakley/ISAKMP

Page 557

Chapter 17 – Web Security

Page 558

Web Security

• Web now widely used by business, government, individuals

• but Internet & Web are vulnerable

• have a variety of threats

– integrity

– confidentiality

– denial of service

– authentication

• need added security mechanisms

Page 559

SSL (Secure Socket Layer)

• transport layer security service

• originally developed by Netscape

• version 3 designed with public input

• subsequently became Internet standard known as TLS (Transport Layer Security)

• uses TCP to provide a reliable end-to-end service

• SSL has two layers of protocols

Page 560

SSL Architecture

Page 561

SSL Architecture

• SSL session

– an association between client & server

– created by the Handshake Protocol

– define a set of cryptographic parameters

– may be shared by multiple SSL connections

• SSL connection

– a transient, peer-to-peer, communications link

– associated with 1 SSL session

Page 562

Parameters for a session

• Session identifier:

• Peer Certificate: An X509.v3 certificate

• Compression method

• Cipher spec: data encryption algorithm and hash

• Master key: 48 bits shared between client and server

• Is resumable: whether the session can be used for new connections

Page 563

Parameters for a connection

• Server and client random: chosen for each connection

• Server write MAC secret key: Used for MAC

• Client write MAC secret key: Used for MAC

• Server write key: Used for encryption

• Client write key: Used for encryption

• Initialization vector:

• Sequence number: for each transmitted message

Page 564

SSL Record Protocol

• confidentiality

– using symmetric encryption with a shared secret key defined by Handshake Protocol

– IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128

– message is compressed before encryption

• message integrity

– using a MAC with shared secret key

– similar to HMAC but with different padding

Page 565

SSL Record Format

[Figure: SSL record format. Header: content type (1 byte), major version (1 byte), minor version (1 byte), compressed length (2 bytes). Body: the compressed plaintext followed by the MAC (0, 16, or 20 bytes). The plaintext and MAC are encrypted; the header is not.]

Page 566

SSL Record Operation

[Figure: application data → fragment → compress → add MAC → encrypt → append SSL record header]

Page 567

SSL Change Cipher Spec Protocol

• one of 3 SSL specific protocols which use the SSL Record protocol

• a single message

• causes pending state to become current

• hence updating the cipher suite in use

Page 568

SSL Alert Protocol

• conveys SSL-related alerts to the peer entity

• severity
– warning or fatal

• specific alert
– always fatal: unexpected message, bad record MAC, decompression failure, handshake failure, illegal parameter
– others: close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown

• compressed & encrypted like all SSL data

Page 569

SSL Handshake Protocol

• allows server & client to:
– authenticate each other
– negotiate encryption & MAC algorithms
– negotiate cryptographic keys to be used

• comprises a series of messages in phases
– Phase 1: Establish Security Capabilities
– Phase 2: Server Authentication and Key Exchange
– Phase 3: Client Authentication and Key Exchange
– Phase 4: Finish

Page 570

SSL Handshake Protocol

Page 571

Phase 1

• Establish security capabilities, including protocol version, session ID, cipher suite, compression method, and initial random numbers (client_hello and server_hello)

Page 572

Phase 2

• Server may send its certificate, a server_key_exchange message, and a certificate_request. The server signals the end of the hello message phase with server_hello_done.

Page 573

Phase 2 Format

• Server parameters: the certificate and the key-exchange parameters (e.g. the server's Diffie-Hellman public value)

• The server_key_exchange message carries a signature over Hash(ClientHello.random || ServerHello.random || ServerParams), so the client can check that the parameters were produced by the certificate holder and belong to this handshake; the two random values bind the signature to this session and defeat replay of an old signed exchange

Page 574

Phase 3

• Client sends its certificate if requested. Client sends client_key_exchange (e.g. the pre-master secret encrypted with the server's public key, or its Diffie-Hellman public value). Client may send certificate_verify, a signature proving possession of the private key matching its certificate.

Page 575

Phase 4

• Both sides send change_cipher_spec and a finished message; the finished message is the first one protected with the newly negotiated algorithms and keys, and completes the handshake.

Page 576

TLS (Transport Layer Security)

• IETF standard RFC 2246, similar to SSLv3, with minor differences:
– in the record format version number
– uses HMAC for the MAC
– a pseudo-random function (PRF) expands secrets
– has additional alert codes
– some changes in supported ciphers
– changes in certificate negotiations
– changes in use of padding
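The connection parameters listed on the "Parameters for a connection" slide, the PRF mentioned on this slide, and the record MAC of the Record Protocol fit together in a few dozen lines. The following is an added example written for this page, not code from the slides or from any SSL/TLS library. It implements the TLS 1.0 (RFC 2246) PRF, derives a master secret and the six per-connection write secrets from it, and computes and checks the record MAC whose sequence number makes a replayed record fail. The pre-master secret, the two randoms and the record contents are constructed values; the 20/16/16-byte sizes are the ones a SHA-1 MAC with a 128-bit CBC cipher would use.

```python
"""TLS 1.0 (RFC 2246) secret expansion and record-layer MAC.
Added example for this page; not code from the slides or from an SSL/TLS library."""
import hmac
import struct


def p_hash(hash_name, secret, seed, length):
    """P_hash(secret, seed) = HMAC(secret, A(1) || seed) || HMAC(secret, A(2) || seed) || ...
    with A(0) = seed and A(i) = HMAC(secret, A(i-1)); output truncated to `length` bytes."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the second half
    (the halves overlap by one byte when the secret length is odd)."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def master_secret(pre_master_secret, client_random, server_random):
    """Phases 3/4: master_secret = PRF(pre_master_secret, "master secret",
    ClientHello.random || ServerHello.random), first 48 bytes."""
    return tls10_prf(pre_master_secret, b"master secret", client_random + server_random, 48)


def key_block(master, server_random, client_random, mac_len, key_len, iv_len):
    """Connection parameters: PRF(master, "key expansion", ServerHello.random || ClientHello.random)
    cut into the six per-connection secrets in this fixed order (RFC 2246 section 6.3)."""
    names = ["client_write_MAC_secret", "server_write_MAC_secret",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    kb = tls10_prf(master, b"key expansion", server_random + client_random, sum(sizes))
    params, pos = {}, 0
    for name, size in zip(names, sizes):
        params[name] = kb[pos:pos + size]
        pos += size
    return params


def record_mac(mac_secret, seq_num, content_type, fragment, hash_name="sha1"):
    """TLS record MAC = HMAC(mac_secret, seq_num(8) || type(1) || version(2) || length(2) || fragment).
    Binding the 64-bit sequence number into the MAC is what makes a replayed or reordered record fail."""
    header = struct.pack("!QBHH", seq_num, content_type, 0x0301, len(fragment))
    return hmac.new(mac_secret, header + fragment, hash_name).digest()


class RecordReceiver:
    """Receiving side of one connection: verifies each record's MAC against the
    sequence number it expects next, and only then advances that number."""

    def __init__(self, mac_secret):
        self.mac_secret = mac_secret
        self.expected_seq = 0

    def accept(self, content_type, fragment, mac):
        expected = record_mac(self.mac_secret, self.expected_seq, content_type, fragment)
        if not hmac.compare_digest(expected, mac):
            return False          # forged, corrupted, replayed or reordered record
        self.expected_seq += 1
        return True


if __name__ == "__main__":
    # constructed values: a real handshake supplies these from the hello messages and key exchange
    client_random, server_random = bytes(range(32)), bytes(range(32, 64))
    master = master_secret(b"\x03\x01" + b"\x11" * 46, client_random, server_random)
    keys = key_block(master, server_random, client_random, mac_len=20, key_len=16, iv_len=16)
    APPLICATION_DATA = 23
    rx = RecordReceiver(keys["client_write_MAC_secret"])
    frag = b"GET / HTTP/1.0\r\n\r\n"
    mac = record_mac(keys["client_write_MAC_secret"], 0, APPLICATION_DATA, frag)
    print("first delivery accepted:", rx.accept(APPLICATION_DATA, frag, mac))
    print("replayed record accepted:", rx.accept(APPLICATION_DATA, frag, mac))
```

Note the order in `key_block`: the key expansion seed is server random first, client random first for the master secret; swapping them silently produces keys that never match the peer's. Encryption of the MAC-ed fragment is left out so the sequence-number check stays visible.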

Page 577

Secure Electronic Transactions (SET)

• open encryption & security specification

• to protect Internet credit card transactions

• developed in 1996 by Mastercard, Visa etc

• not a payment system

• rather a set of security protocols & formats
– secure communications amongst parties
– trust from use of X.509v3 certificates
– privacy by restricting info to those who need it

Page 578

SET Components

Page 579

SET Transaction

1. customer opens account
2. customer receives a certificate
3. merchants have their own certificates
4. customer places an order
5. merchant is verified
6. order and payment are sent
7. merchant requests payment authorization
8. merchant confirms order
9. merchant provides goods or service
10. merchant requests payment

Page 580

Dual Signature

• customer creates dual messages
– order information (OI) for merchant
– payment information (PI) for bank

• neither party needs the details of the other

• but must know they are linked

• use a dual signature for this
– signed concatenated hashes of OI & PI

Page 581

Dual Signature

• $DS = E(PR_c, [H(H(PI) \| H(OI))])$

• PI: payment information (credit card number, etc.)

• OI: order information

• H: hash function

• $PR_c$: private key of the customer

Page 582

Digests

• OIMD: order information digest, $OIMD = H(OI)$

• PIMD: payment information digest, $PIMD = H(PI)$

• POMD: payment order message digest, $POMD = H(PIMD \| OIMD) = H(H(PI) \| H(OI))$

Page 583

Purchase Request – Customer

Page 584

Purchase Request – Merchant

Page 585

Purchase Request – Merchant

1. verifies cardholder certificates using CA signatures

2. verifies the dual signature using the customer's public signature key, to ensure the order has not been tampered with in transit & that it was signed using the cardholder's private signature key

3. processes the order and forwards the payment information to the payment gateway for authorization (described later)

4. sends a purchase response to the cardholder
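The dual-signature construction of the previous slides and the merchant's verification step 2 above can be exercised end to end. The following is an added example for this page, not SET reference code or the course's own code: it uses SHA-256 for $H$ and a textbook RSA key generated on the spot (no padding, so it only illustrates the structure). The merchant receives OI together with PIMD and never sees PI; the payment gateway receives PI together with OIMD and never sees OI; each recomputes POMD from what it holds and checks it against the single signature. PI and OI are constructed strings.

```python
"""SET dual signature: one signature that links PI (for the bank) and OI (for the merchant)
without either party seeing the other's data. Added example for this page, not SET reference
code; the RSA key is textbook RSA generated here, and PI/OI are constructed strings."""
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exact bit length, odd
        if is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits=512):
    """Textbook RSA (no padding): enough to show the structure, not a production signature."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)   # (PU_c, PR_c)


def H(data):
    return hashlib.sha256(data).digest()


def dual_sign(private_key, pi, oi):
    """Customer: DS = E(PR_c, H(H(PI) || H(OI))). Returns DS plus the digest each recipient needs."""
    d, n = private_key
    pimd, oimd = H(pi), H(oi)
    pomd = H(pimd + oimd)
    ds = pow(int.from_bytes(pomd, "big"), d, n)   # the 256-bit digest is below the 512-bit modulus
    return ds, pimd, oimd


def _verify(public_key, ds, left_digest, right_digest):
    e, n = public_key
    return pow(ds, e, n) == int.from_bytes(H(left_digest + right_digest), "big")


def merchant_verify(public_key, ds, oi, pimd):
    """Merchant holds OI and PIMD (never PI): recomputes H(PIMD || H(OI)) and checks DS."""
    return _verify(public_key, ds, pimd, H(oi))


def bank_verify(public_key, ds, pi, oimd):
    """Payment gateway holds PI and OIMD (never OI): recomputes H(H(PI) || OIMD) and checks DS."""
    return _verify(public_key, ds, H(pi), oimd)


if __name__ == "__main__":
    public, private = rsa_keygen()
    pi = b"card=4111111111111111;exp=12/27;amount=42.00"   # constructed
    oi = b"order=1234;item=textbook;qty=1"                  # constructed
    ds, pimd, oimd = dual_sign(private, pi, oi)
    print("merchant accepts:", merchant_verify(public, ds, oi, pimd))
    print("bank accepts:", bank_verify(public, ds, pi, oimd))
    print("merchant accepts altered order:", merchant_verify(public, ds, oi + b";qty=100", pimd))
```

Because POMD covers both digests, a merchant who alters the order, or a gateway handed a PI that belongs to a different order, fails verification without either party learning the other's data.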

Page 586

Payment Gateway Authorization

1. verifies all certificates
2. decrypts digital envelope of authorization block to obtain symmetric key & then decrypts authorization block
3. verifies merchant's signature on authorization block
4. decrypts digital envelope of payment block to obtain symmetric key & then decrypts payment block
5. verifies dual signature on payment block
6. verifies that transaction ID received from merchant matches that in PI received (indirectly) from customer
7. requests & receives an authorization from issuer
8. sends authorization response back to merchant

Page 587

Payment Capture

• merchant sends payment gateway a payment capture request

• gateway checks request

• then causes funds to be transferred to merchant's account

• notifies merchant using capture response

Page 588

Summary

• have considered:
– need for web security
– SSL/TLS transport layer security protocols
– SET secure credit card payment protocols

Page 589

A new authentication

• RSA-style public key signatures: every message has a unique signature

• ElGamal scheme: every message has many valid signatures (one for each choice of the random $k$)

Page 590

ElGamal Signature Scheme

Let $p$ be a prime.

Let $\alpha$ be a primitive root of $p$.

Let $a$ be a secret number, $1 \le a \le p-2$, and $\beta = \alpha^{a} \bmod p$.

Public: $p, \alpha, \beta$

Secret: $a$

$K = (p, \alpha, a, \beta)$

Page 591

ElGamal Signature Scheme

With $K = (p, \alpha, a, \beta)$,

for a random $k$, $1 \le k \le p-2$ with $\gcd(k, p-1) = 1$ (so that $k^{-1} \bmod (p-1)$ exists),

define $\mathrm{signature}_K(x, k) = (\gamma, \delta)$ where

$\gamma = \alpha^{k} \bmod p$

$\delta = (x - a\gamma)\, k^{-1} \bmod (p-1)$

Page 592

ElGamal Signature Scheme

With $K$ and $(x, (\gamma, \delta))$,

$\mathrm{verification}(x, \gamma, \delta) = \mathrm{true}$ iff

$\beta^{\gamma} \gamma^{\delta} \equiv \alpha^{x} \pmod p$

Page 593

Explain

This is because

$\beta^{\gamma} \gamma^{\delta} \equiv \alpha^{a\gamma} \alpha^{k\delta} = \alpha^{a\gamma + k\delta} \equiv \alpha^{x} \pmod p$,

since $a\gamma + k\delta \equiv x \pmod{p-1}$ by the definition of $\delta$, and $\alpha$ has order $p-1$.

Page 594

Misuse One

If the random number $k$ is released, it is easy to get the secret number $a$:

$\delta = (x - a\gamma)\, k^{-1} \pmod{p-1}$

$k\delta \equiv x - a\gamma \pmod{p-1}$

$a \equiv (x - k\delta)\, \gamma^{-1} \pmod{p-1}$

(when $\gcd(\gamma, p-1) = 1$; otherwise the congruence $a\gamma \equiv x - k\delta$ has $\gcd(\gamma, p-1)$ solutions, and the right one is the one with $\alpha^{a} \equiv \beta \pmod p$)

Page 595

Misuse Two

If the same $k$ is used for two signatures $(\gamma, \delta_1)$ and $(\gamma, \delta_2)$ for $x_1$ and $x_2$ respectively, then

$\beta^{\gamma} \gamma^{\delta_1} \equiv \alpha^{x_1} \pmod p$

$\beta^{\gamma} \gamma^{\delta_2} \equiv \alpha^{x_2} \pmod p$

(the same $k$ is visible from the outside, because both signatures share the same $\gamma = \alpha^{k} \bmod p$)

Page 596

Misuse Two

From

$\beta^{\gamma} \gamma^{\delta_1} \equiv \alpha^{x_1} \pmod p$ and $\beta^{\gamma} \gamma^{\delta_2} \equiv \alpha^{x_2} \pmod p$

we have (dividing the two congruences)

$\alpha^{x_1 - x_2} \equiv \gamma^{\delta_1 - \delta_2} \pmod p$

Since $\gamma \equiv \alpha^{k} \pmod p$,

$\alpha^{x_1 - x_2} \equiv \alpha^{k(\delta_1 - \delta_2)} \pmod p$


Page 598

Misuse Two

It is equivalent to

$x_1 - x_2 \equiv k(\delta_1 - \delta_2) \pmod{p-1}$

Let $d = \gcd(\delta_1 - \delta_2,\ p-1)$.

We have

$d \mid (p-1)$

$d \mid (\delta_1 - \delta_2)$

$d \mid (x_1 - x_2)$

Page 599

Misuse Two

Let $x' = (x_1 - x_2)/d$, $\delta' = (\delta_1 - \delta_2)/d$, $p' = (p-1)/d$, so that $\gcd(\delta', p') = 1$.

We have

$x' \equiv k\delta' \pmod{p'}$

$k \equiv x'(\delta')^{-1} \pmod{p'}$

$k \equiv x'(\delta')^{-1} + i p' \pmod{p-1}$ for $i = 0, 1, 2, \ldots, d-1$

Select the one of these $d$ candidates that satisfies

$\gamma \equiv \alpha^{k} \pmod p$

Once $k$ is known, $a$ follows as in Misuse One.
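Both misuses are short to carry out once the congruences above are written down. The following is an added example for this page (not the course's code or any library's): ElGamal key generation, signing and verification, then `recover_a_from_k` for Misuse One and `recover_k_from_reuse` for Misuse Two, including the $d = \gcd(\delta_1 - \delta_2, p-1)$ candidate search from the slides. The parameters $p = 467$, $\alpha = 2$ are toy-sized so the numbers stay readable (2 is a primitive root modulo 467); a real deployment uses a prime of at least 2048 bits.

```python
"""ElGamal signatures plus the two misuses on the slides: a leaked k gives away a,
and a reused k can be recovered from two signatures. Added example for this page, not the
course's or any library's code; p = 467, alpha = 2 are toy-sized parameters (2 is a primitive
root mod 467) chosen so the numbers stay readable."""
from math import gcd
import secrets

P, ALPHA = 467, 2


def keygen(p=P, alpha=ALPHA):
    a = secrets.randbelow(p - 2) + 1            # 1 <= a <= p-2
    return (p, alpha, pow(alpha, a, p)), a      # public (p, alpha, beta), secret a


def random_k(p):
    while True:
        k = secrets.randbelow(p - 2) + 1
        if gcd(k, p - 1) == 1:                  # k must be invertible mod p-1
            return k


def sign(public, a, x, k):
    p, alpha, _ = public
    gamma = pow(alpha, k, p)
    delta = (x - a * gamma) * pow(k, -1, p - 1) % (p - 1)
    return gamma, delta


def verify(public, x, signature):
    p, alpha, beta = public
    gamma, delta = signature
    if not 1 <= gamma <= p - 1:
        return False
    return pow(beta, gamma, p) * pow(gamma, delta, p) % p == pow(alpha, x, p)


def _solve_linear(coef, rhs, modulus):
    """All solutions t of coef*t = rhs (mod modulus); there are gcd(coef, modulus) of them, or none."""
    d = gcd(coef, modulus)
    if rhs % d:
        return []
    m = modulus // d
    t0 = (rhs // d) * pow((coef // d) % m, -1, m) % m
    return [t0 + i * m for i in range(d)]


def recover_a_from_k(public, x, signature, k):
    """Misuse one: from delta = (x - a*gamma) k^-1 we get a*gamma = x - k*delta (mod p-1).
    The candidates are checked against beta = alpha^a (mod p)."""
    p, alpha, beta = public
    gamma, delta = signature
    for candidate in _solve_linear(gamma, (x - k * delta) % (p - 1), p - 1):
        if pow(alpha, candidate, p) == beta:
            return candidate
    return None


def recover_k_from_reuse(public, x1, sig1, x2, sig2):
    """Misuse two: the same gamma means the same k, and x1 - x2 = k (delta1 - delta2) (mod p-1).
    With d = gcd(delta1 - delta2, p-1) there are d candidates; the right one has alpha^k = gamma."""
    p, alpha, _ = public
    gamma, delta1 = sig1
    gamma2, delta2 = sig2
    if gamma != gamma2 or delta1 == delta2:
        return None
    for candidate in _solve_linear((delta1 - delta2) % (p - 1), (x1 - x2) % (p - 1), p - 1):
        if pow(alpha, candidate, p) == gamma:
            return candidate
    return None


if __name__ == "__main__":
    public, a = keygen()
    k = random_k(P)
    sig1, sig2 = sign(public, a, 100, k), sign(public, a, 200, k)   # same k twice
    print("signatures verify:", verify(public, 100, sig1), verify(public, 200, sig2))
    print("k recovered from reuse:", recover_k_from_reuse(public, 100, sig1, 200, sig2) == k)
    print("a recovered from k:", recover_a_from_k(public, 100, sig1, k) == a)
```

The same recovery applies unchanged to DSA/DSS and ECDSA when a nonce is reused, which is why implementations derive $k$ deterministically from the key and message (RFC 6979) rather than trusting a random generator.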

Page 600

Digital Signature Standard

Let $p$ be a prime of 512 bits.

Let $q$ be a prime of 160 bits with $q \mid (p-1)$.

Let $\alpha$ be a $q$-th root of 1 modulo $p$: $\alpha^{q} \equiv 1 \pmod p$, $\alpha \ne 1$ (so $\alpha$ has order $q$).

Let $a$ be a secret number, $1 \le a \le q-1$, and $\beta = \alpha^{a} \bmod p$.

Public: $p, q, \alpha, \beta$

Secret: $a$

$K = (p, q, \alpha, a, \beta)$

Page 601

Digital Signature Standard

With $K = (p, q, \alpha, a, \beta)$,

for a random $k$, $1 \le k \le q-1$ (fresh for every signature),

define $\mathrm{signature}_K(x, k) = (\gamma, \delta)$ where

$\gamma = (\alpha^{k} \bmod p) \bmod q$

$\delta = (x + a\gamma)\, k^{-1} \bmod q$

Page 602

Digital Signature Standard

With $K$ and $(x, (\gamma, \delta))$, let

$e_1 = x\,\delta^{-1} \bmod q$ and $e_2 = \gamma\,\delta^{-1} \bmod q$.

$\mathrm{verification}(x, \gamma, \delta) = \mathrm{true}$ iff

$(\alpha^{e_1} \beta^{e_2} \bmod p) \bmod q = \gamma$

Page 603

Explain

This is because

$\alpha^{e_1} \beta^{e_2} = \alpha^{x\delta^{-1}} \alpha^{a\gamma\delta^{-1}} = \alpha^{(x + a\gamma)\delta^{-1}} \equiv \alpha^{k} \pmod p$,

since $(x + a\gamma)\,\delta^{-1} \equiv k \pmod q$ by the definition of $\delta$, and exponents of $\alpha$ only matter modulo $q$ because $\alpha$ has order $q$.
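The $(\alpha^{k} \bmod p) \bmod q$ reduction is what keeps DSS signatures at $2 \times 160$ bits while the arithmetic stays in a 512-bit group. The following is an added example for this page, not FIPS reference code or the course's own code: DSS key generation, signing and verification at toy size, with $p = 2039$, $q = 1019$ ($p = 2q + 1$) and $\alpha = 4 = 2^2$, which has order $q$. It signs the integer $x$ directly as the slides do, and also hashes a byte-string message to an integer modulo $q$ the way the real standard does; real parameters are 512 to 1024-bit $p$ with a 160-bit $q$ in the original standard, and larger today.

```python
"""DSS signing and verification with the (mod p) mod q reduction, at toy size:
p = 2039, q = 1019 (p = 2q + 1), alpha = 4 = 2^2 has order q. Added example for this page,
not FIPS reference code; real parameters are a 512-1024 bit p with a 160-bit q (larger today)."""
import hashlib
import secrets

P, Q, ALPHA = 2039, 1019, 4


def hash_to_int(message, q=Q):
    """DSS signs x = H(message) reduced mod q, not the message itself."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % q


def keygen(p=P, q=Q, alpha=ALPHA):
    a = secrets.randbelow(q - 1) + 1                 # 1 <= a <= q-1
    return (p, q, alpha, pow(alpha, a, p)), a        # public (p, q, alpha, beta), secret a


def sign_int(public, a, x):
    """(gamma, delta) with gamma = (alpha^k mod p) mod q and delta = (x + a*gamma) k^-1 mod q,
    using a fresh random k per signature and retrying if either component is zero."""
    p, q, alpha, _ = public
    while True:
        k = secrets.randbelow(q - 1) + 1
        gamma = pow(alpha, k, p) % q
        if gamma == 0:
            continue
        delta = (x + a * gamma) * pow(k, -1, q) % q
        if delta != 0:
            return gamma, delta


def verify_int(public, x, signature):
    """True iff (alpha^e1 beta^e2 mod p) mod q == gamma with e1 = x/delta, e2 = gamma/delta (mod q)."""
    p, q, alpha, beta = public
    gamma, delta = signature
    if not (0 < gamma < q and 0 < delta < q):        # range checks are part of the standard
        return False
    w = pow(delta, -1, q)
    e1, e2 = x * w % q, gamma * w % q
    return pow(alpha, e1, p) * pow(beta, e2, p) % p % q == gamma


def sign(public, a, message):
    return sign_int(public, a, hash_to_int(message, public[1]))


def verify(public, message, signature):
    return verify_int(public, hash_to_int(message, public[1]), signature)


if __name__ == "__main__":
    public, a = keygen()
    msg = b"transfer 100 to bob"                     # constructed message
    sig = sign(public, a, msg)
    print("signature (gamma, delta):", sig)
    print("verifies:", verify(public, msg, sig))
    print("verifies altered message:", verify(public, b"transfer 1000 to bob", sig))
```

With a 1019-element subgroup a wrong message still slips past verification about one time in a thousand, which is exactly why the standard insists on a 160-bit or larger $q$: the forgery probability of this reduction is roughly $1/q$.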

Page 604

Chapter 16 – IP Security

If a secret piece of news is divulged by a spy before the time is ripe, he must be put to death, together with the man to whom the secret was told.

—The Art of War, Sun Tzu

Page 609

Intrusion Detection

Page 610

Cryptography and Network Security

Third Edition

by William Stallings

Lecture slides by Lawrie Brown

Page 611

Chapter 18 – Intruders

They agreed that Graham should set the test for Charles Mabledene. It was neither more nor less than that Dragon should get Stern's code. If he had the 'in' at Utting which he claimed to have this should be possible, only loyalty to Moscow Centre would prevent it. If he got the key to the code he would prove his loyalty to London Central beyond a doubt.—Talking to Strange Men, Ruth Rendell

Page 612

Intruders

• significant issue for networked systems is hostile or unwanted access

• either via network or local

• can identify classes of intruders:
– masquerader: an unauthorized individual who penetrates access controls to exploit a legitimate user's account
– misfeasor: a legitimate user who accesses data or resources they are not authorized for, or misuses their privileges
– clandestine user: one who seizes supervisory control and uses it to evade auditing and access controls

• varying levels of competence

Page 613

Intruders

• clearly a growing publicized problem
– from "Wily Hacker" in 1986/87
– to clearly escalating CERT stats

• may seem benign, but still cost resources

• may use compromised system to launch other attacks

Page 614

Intrusion Techniques

• aim to increase privileges on system

• basic attack methodology
– target acquisition and information gathering
– initial access
– privilege escalation
– covering tracks

• key goal often is to acquire passwords

• so then exercise access rights of owner

Page 615

Password Guessing

• one of the most common attacks

• attacker knows a login (from email/web page etc)

• then attempts to guess password for it
– try default passwords shipped with systems
– try all short passwords
– then try by searching dictionaries of common words
– intelligent searches try passwords associated with the user (variations on names, birthday, phone, common words/interests)
– before exhaustively searching all possible passwords

• check by login attempt or against stolen password file

• success depends on password chosen by user

• surveys show many users choose poorly

Page 616

Password Capture

• another attack involves password capture
– watching over shoulder as password is entered
– using a trojan horse program to collect
– monitoring an insecure network login (eg. telnet, FTP, web, email)
– extracting recorded info after successful login (web history/cache, last number dialed etc)

• using valid login/password can impersonate user

• users need to be educated to use suitable precautions/countermeasures

Page 617

Intrusion Detection

• inevitably will have security failures

• so need also to detect intrusions so can
– block if detected quickly
– act as deterrent
– collect info to improve security

• assume intruder will behave differently to a legitimate user
– but will have an imperfect distinction between the two

Page 618

Approaches to Intrusion Detection

• statistical anomaly detection
– threshold
– profile based

• rule-based detection
– anomaly
– penetration identification

Page 619

Audit Records

• fundamental tool for intrusion detection

• native audit records
– part of all common multi-user O/S
– already present for use
– may not have info wanted in desired form

• detection-specific audit records
– created specifically to collect wanted info
– at cost of additional overhead on system

Page 620

Statistical Anomaly Detection

• threshold detection
– count occurrences of specific event over time
– if exceed reasonable value assume intrusion
– alone is a crude & ineffective detector

• profile based
– characterize past behavior of users
– detect significant deviations from this
– profile usually multi-parameter

Page 621

Audit Record Analysis

• foundation of statistical approaches

• analyze records to get metrics over time
– counter, gauge, interval timer, resource use

• use various tests on these to determine if current behavior is acceptable
– mean & standard deviation, multivariate, Markov process, time series, operational

• key advantage is that no prior knowledge of security flaws is needed

Page 622

Examples

• Counter: number of logins by a single user

• Gauge: number of outgoing messages for a user process

• Interval timer: length of time between successive logins to an account

• Resource utilization: number of pages printed during a user session, and time consumed by a program execution

Page 623

Rule-Based Intrusion Detection

• observe events on system & apply rules to decide if activity is suspicious or not

• rule-based anomaly detection
– analyze historical audit records to identify usage patterns & auto-generate rules for them
– then observe current behavior & match against rules to see if it conforms
– like statistical anomaly detection, does not require prior knowledge of security flaws

Page 624

Rule-Based Intrusion Detection

• rule-based penetration identification
– uses expert systems technology
– with rules identifying known penetration, weakness patterns, or suspicious behavior
– rules usually machine & O/S specific
– rules are generated by experts who interview & codify knowledge of security admins
– quality depends on how well this is done
– compare audit records or states against rules

Page 625

Rule examples

• Users should not read files in other users' personal directories.

• Users must not write other users' files.

• Users who log in after hours often access the same files they used before.

• Users do not generally open disk devices directly but rely on high-level commands.

• Users should not be logged in more than once to the same system.

• Users do not make copies of system programs.
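The three detection styles of the preceding slides (threshold detection, profile-based detection and rule-based penetration identification) can be run side by side over the same audit records. The following is an added example for this page, not the course's code or any IDS product's: the audit log, the per-user history of files read per session, and the four rules (taken from the "Rule examples" slide) are all constructed for the example. The threshold detector counts failed logins in a sliding window, the profile detector scores this session's read count against the user's mean and standard deviation, and the rule matcher applies every rule to every record.

```python
"""Statistical (threshold and profile-based) and rule-based detection run over the same
audit records. Added example for this page, not the course's or any IDS product's code;
the audit log, the per-user history and the rules below are all constructed."""
import statistics
from collections import defaultdict

# Constructed audit records, one per line: "<seconds> <user> <action> <object>"
AUDIT_LOG = """\
1000 alice login ok
1010 alice read /home/alice/notes.txt
1020 bob login fail
1021 bob login fail
1022 bob login fail
1023 bob login fail
1024 bob login fail
1030 bob login ok
1031 bob read /home/alice/secrets.txt
1032 bob read /dev/sda
1033 bob copy /bin/sh
1040 carol login ok
1041 carol read /home/carol/data.csv
1042 carol write /home/carol/report.txt
"""

# Constructed history: files read per session over each user's previous five sessions
READ_HISTORY = {"alice": [1, 2, 1, 2, 1], "bob": [0, 1, 0, 1, 0], "carol": [1, 1, 2, 1, 1]}


def parse_audit(log):
    records = []
    for line in log.splitlines():
        t, user, action, obj = line.split(" ", 3)
        records.append({"time": int(t), "user": user, "action": action, "object": obj})
    return records


def threshold_alerts(records, limit=5, window=60):
    """Threshold detection (a counter): `limit` or more failed logins by one user within `window` seconds."""
    failures = defaultdict(list)
    for r in records:
        if r["action"] == "login" and r["object"] == "fail":
            failures[r["user"]].append(r["time"])
    alerts = []
    for user, times in failures.items():
        times.sort()
        for i, t in enumerate(times):
            if sum(1 for s in times[:i + 1] if s > t - window) >= limit:
                alerts.append((user, f"{limit} failed logins within {window}s"))
                break
    return alerts


def profile_alerts(records, history, z_limit=3.0):
    """Profile-based detection: compare this session's read count with the user's mean and
    standard deviation over past sessions and flag |z| > z_limit."""
    reads = defaultdict(int)
    for r in records:
        if r["action"] == "read":
            reads[r["user"]] += 1
    alerts = []
    for user, past in history.items():
        mean, sd = statistics.mean(past), statistics.pstdev(past)
        if sd == 0:
            continue                      # a flat profile cannot be scored this way
        z = (reads[user] - mean) / sd
        if abs(z) > z_limit:
            alerts.append((user, f"{reads[user]} reads this session, z = {z:.2f}"))
    return alerts


def _other_users_home(r):
    parts = r["object"].split("/")
    return r["object"].startswith("/home/") and len(parts) > 2 and parts[2] != r["user"]


RULES = [
    ("reads a file in another user's home directory", lambda r: r["action"] == "read" and _other_users_home(r)),
    ("writes another user's file", lambda r: r["action"] == "write" and _other_users_home(r)),
    ("opens a disk device directly", lambda r: r["action"] in ("read", "write") and r["object"].startswith("/dev/sd")),
    ("copies a system program", lambda r: r["action"] == "copy" and r["object"].startswith(("/bin/", "/sbin/", "/usr/bin/"))),
]


def rule_alerts(records, rules=RULES):
    """Rule-based penetration identification: every record is matched against every rule."""
    return [(r["user"], name) for r in records for name, matches in rules if matches(r)]


if __name__ == "__main__":
    recs = parse_audit(AUDIT_LOG)
    for label, alerts in (("threshold", threshold_alerts(recs)),
                          ("profile", profile_alerts(recs, READ_HISTORY)),
                          ("rules", rule_alerts(recs))):
        print(label, alerts)
```

The three detectors fire on the same user for different reasons: the threshold detector sees the burst of failed logins, the profile detector sees a read count 3.3 standard deviations above bob's history, and the rules name the specific actions. Only the rules require anyone to have known in advance what misuse looks like.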

Page 626

Base-Rate Fallacy

• practically an intrusion detection system needs to detect a substantial percentage of intrusions with few false alarms
– if too few intrusions detected -> false sense of security
– if too many false alarms -> ignored / waste of time

• this is very hard to do: intrusions are rare compared with legitimate activity, so even a low false-alarm rate applied to the huge volume of benign records produces more false alarms than true detections, and the fraction of alarms that are real intrusions stays low unless the false-alarm rate is far below the base rate of intrusion

• existing systems seem not to have a good record

Page 627

Distributed Intrusion Detection

• traditional focus is on single systems

• but typically have networked systems

• more effective defense has these working together to detect intrusions

• issues
– dealing with varying audit record formats
– integrity & confidentiality of networked data
– centralized or decentralized architecture

Page 628

Distributed Intrusion Detection - Architecture

Page 629

Distributed Intrusion Detection – Agent Implementation

Page 630

Honeypots

• decoy systems to lure attackers
– away from accessing critical systems
– to collect information on their activities
– to encourage attacker to stay on system so administrator can respond

• are filled with fabricated information

• instrumented to collect detailed information on attackers' activities

• may be single or multiple networked systems

Page 631

Password Management

• front-line defense against intruders

• users supply both:
– login – determines privileges of that user
– password – to identify them

• passwords are stored in one-way transformed form, never in clear
– Unix crypt uses multiple iterations of a DES variant with a salt
– more recent systems use a cryptographic hash function

Page 632

Managing Passwords

• need policies and good user education

• ensure every account has a password set (an initial default at minimum; no empty passwords)

• ensure users change the default passwords to something they can remember

• protect password file from general access

• set technical policies to enforce good passwords
– minimum length (>6)
– require a mix of upper & lower case letters, numbers, punctuation
– block known dictionary words

Page 633

Managing Passwords

• may reactively run password guessing tools
– note that good dictionaries exist for almost any language/interest group

• may enforce periodic changing of passwords

• have system monitor failed login attempts, & lock out account if it sees too many in a short period

• do need to educate users and get support

• balance requirements with user acceptance

Page 634

Proactive Password Checking

• most promising approach to improving password security

• allow users to select own password

• but have system verify it is acceptable
– simple rule enforcement (see previous slide)
– compare against dictionary of bad passwords
– use an algorithmic approach (Markov model or Bloom filter) to detect poor choices


Page 636

Conditional Probability

• $\Pr[A \mid B]$: probability of $A$ given that $B$ has occurred

• $\Pr[AB]$: probability that both $A$ and $B$ occur

• $\Pr[B]$: probability of $B$ (must be nonzero)

$\Pr[A \mid B] = \frac{\Pr[AB]}{\Pr[B]}$

Page 637

Bayes Theorem

• $E_1, E_2, \ldots, E_n$ are mutually exclusive events whose union is the whole sample space

$\Pr[A] = \sum_{i=1}^{n} \Pr[A \mid E_i]\,\Pr[E_i]$

$\Pr[E_i \mid A] = \frac{\Pr[A \mid E_i]\,\Pr[E_i]}{\Pr[A]} = \frac{\Pr[A \mid E_i]\,\Pr[E_i]}{\sum_{j=1}^{n} \Pr[A \mid E_j]\,\Pr[E_j]}$

Page 638

Diagram

[Figure: the sample space partitioned into the four mutually exclusive events $E_1$, $E_2$, $E_3$, $E_4$]

Page 639

Dice

• Calculate the probability that the sum is 8 on a roll of two dice, given that at least one die shows an even number

• A = {sum of 8}

• B = {at least one die even}

• $\Pr[B] = (36 - 3 \times 3)/36 = 27/36 = 3/4$ (the only outcomes outside $B$ are the $3 \times 3$ odd-odd pairs)

• $\Pr[AB] = 3/36 = 1/12$ for (2,6), (4,4) and (6,2)

• $\Pr[A \mid B] = \Pr[AB] / \Pr[B] = (1/12)/(3/4) = 1/9$
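The conditional-probability and Bayes slides above are the tool behind the Base-Rate Fallacy slide earlier in this chapter, so the following added example (written for this page, not the course's code) does both jobs: it computes $\Pr[A \mid B]$ exactly by counting the 36 dice outcomes, implements Bayes' theorem over a partition $E_1, \ldots, E_n$, and then applies it to an IDS with $E_1$ = intrusion, $E_2$ = benign and $A$ = alarm. The base rate, detection rate and false-alarm rates are constructed illustrative values.

```python
"""Conditional probability by counting outcomes, Bayes' theorem, and the base-rate
fallacy applied to IDS alarms. Added example for this page, not the course's code;
the base, detection and false-alarm rates at the bottom are constructed values."""
from fractions import Fraction
from itertools import product

DICE = list(product(range(1, 7), repeat=2))        # 36 equally likely (die1, die2) outcomes


def pr(event, outcomes=DICE):
    hits = sum(1 for o in outcomes if event(o))
    return Fraction(hits, len(outcomes))


def conditional(event, given, outcomes=DICE):
    """Pr[A|B] = Pr[AB] / Pr[B], computed exactly over equally likely outcomes."""
    return pr(lambda o: event(o) and given(o), outcomes) / pr(given, outcomes)


def bayes(priors, likelihoods):
    """priors: Pr[E_i] for a partition E_1..E_n; likelihoods: Pr[A|E_i].
    Returns Pr[E_i|A] = Pr[A|E_i]Pr[E_i] / sum_j Pr[A|E_j]Pr[E_j] for every i."""
    joint = [p * l for p, l in zip(priors, likelihoods)]
    total = sum(joint)
    return [j / total for j in joint]


def alarm_precision(base_rate, detection_rate, false_alarm_rate):
    """Base-rate fallacy: Pr[intrusion | alarm] with E_1 = intrusion (prior = base_rate),
    E_2 = benign, and A = "the IDS raised an alarm"."""
    posterior = bayes([base_rate, 1 - base_rate], [detection_rate, false_alarm_rate])
    return posterior[0]


def sum_is(n):
    return lambda o: o[0] + o[1] == n


def at_least_one(parity):
    """parity 0: at least one die even; parity 1: at least one die odd."""
    return lambda o: o[0] % 2 == parity or o[1] % 2 == parity


if __name__ == "__main__":
    print("Pr[sum 8 | at least one die even] =", conditional(sum_is(8), at_least_one(0)))
    base = Fraction(1, 10000)      # constructed: one record in 10,000 is an intrusion
    for fa in (Fraction(1, 100), Fraction(1, 10000), Fraction(1, 1000000)):
        precision = alarm_precision(base, Fraction(99, 100), fa)
        print(f"false-alarm rate {fa}: Pr[intrusion | alarm] = {float(precision):.3f}")
```

With a 99% detection rate and a 1% false-alarm rate, fewer than one alarm in a hundred is a real intrusion; the false-alarm rate has to fall below the base rate itself before most alarms are worth an analyst's time. `conditional(sum_is(7), at_least_one(1))` evaluates the Problem on the next slide.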

Page 640

Problem

• Compute the probability that the sum is 7 on a roll of two dice, given that at least one die shows an odd number.

Page 641

Summary

• have considered:
– problem of intrusion
– intrusion detection (statistical & rule-based)
– password management


Page 646

Password Checking

• Let $H(x)$ be a hash function with the one-way property

• For a password $y$ with id $u$, $Z = H(y)$ is saved for $u$

• When a password $y'$ is typed for $u$, fetch $Z$ and check if $Z = H(y')$

• In practice a per-user random salt $s$ is stored alongside and $Z = H(s \| y)$, so that identical passwords hash differently and a precomputed table of $H$ values cannot be reused across users; the hash is also iterated many times to slow down guessing against a stolen password file
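The checking scheme on this slide, the policy rules and lockout from the "Managing Passwords" slides, and the proactive checking slide come together in one small component. The following is an added example for this page, not the course's code or any operating system's: it stores a per-user random salt and $Z$ computed with PBKDF2-HMAC-SHA256 (an iterated one-way hash), verifies attempts with a constant-time comparison, refuses weak passwords before they are set, and locks an account after repeated failures. The list of bad words is a constructed stand-in for a real dictionary, and the clock is passed in by the caller so the lockout can be tested.

```python
"""Password storage and checking: salted, iterated one-way hash (PBKDF2-HMAC-SHA256),
proactive strength checking, and lockout after repeated failures. Added example for this page,
not the course's or any system's code; BAD_WORDS is a constructed stand-in for a dictionary."""
import hashlib
import hmac
import os
import re
import time

BAD_WORDS = {"password", "letmein", "qwerty", "welcome", "iloveyou"}   # constructed


def check_policy(password, min_length=8):
    """Proactive checking: length, character mix, and dictionary words (digits/punctuation stripped)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(1 for pat in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]") if re.search(pat, password))
    if classes < 3:
        problems.append("needs at least three of: lower, upper, digit, punctuation")
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in BAD_WORDS:
        problems.append("based on a dictionary word")
    return problems


class PasswordStore:
    """Stores (salt, Z = H(salt, y)) per user; the password y itself is never kept."""

    def __init__(self, iterations=200_000, max_failures=5, lockout_seconds=300):
        self.iterations = iterations
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.records = {}        # user -> (salt, Z)
        self.failures = {}       # user -> (consecutive failures, locked_until)

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def set_password(self, user, password):
        problems = check_policy(password)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)                      # fresh random salt per user
        self.records[user] = (salt, self._hash(password, salt))
        self.failures[user] = (0, 0.0)

    def verify(self, user, attempt, now=None):
        """True only if the hash of the attempt matches and the account is not locked out.
        `now` is the caller's clock in seconds (defaults to time.time()) so lockout is testable."""
        now = time.time() if now is None else now
        count, locked_until = self.failures.get(user, (0, 0.0))
        if now < locked_until:
            return False
        record = self.records.get(user)
        if record is None:
            self._hash(attempt, bytes(16))         # hash anyway: unknown users cost the same time
            return False
        salt, z = record
        if hmac.compare_digest(z, self._hash(attempt, salt)):   # constant-time comparison
            self.failures[user] = (0, 0.0)
            return True
        count += 1
        if count >= self.max_failures:
            self.failures[user] = (0, now + self.lockout_seconds)
        else:
            self.failures[user] = (count, 0.0)
        return False


if __name__ == "__main__":
    store = PasswordStore(max_failures=3, lockout_seconds=60)
    print("policy problems for 'Password1!':", check_policy("Password1!"))
    store.set_password("alice", "Tr0ub4dor&3")
    print("correct password:", store.verify("alice", "Tr0ub4dor&3"))
    for _ in range(3):
        store.verify("alice", "wrong guess")
    print("correct password while locked out:", store.verify("alice", "Tr0ub4dor&3"))
```

The dictionary check here is deliberately minimal; a production checker also normalises common substitutions (0 for o, @ for a) and uses a Bloom filter or Markov model as the slide suggests, and the iteration count is tuned so that one verification takes on the order of a tenth of a second on the server.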


Page 649:

Managing Passwords

• may reactively run password guessing tools
  – note that good dictionaries exist for almost any language/interest group

• may enforce periodic changing of passwords

• have system monitor failed login attempts, & lockout account if see too many in a short period

• do need to educate users and get support

• balance requirements with user acceptance

• be aware of social engineering attacks

Page 650:

Proactive Password Checking

• most promising approach to improving password security

• allow users to select own password

• but have system verify it is acceptable
  – simple rule enforcement (see previous slide)
  – compare against dictionary of bad passwords
  – use algorithmic (markov model or bloom filter) to detect poor choices
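A proactive checker combining the two techniques on this slide, as an added example (not from the slides or the textbook): the simple rules from the previous slide, plus a Bloom filter holding a dictionary of bad passwords. The Bloom filter stores only a bit array, so the dictionary itself never has to ship with the checker; the price is a small false-positive rate, which for a password checker only means an occasional good password is refused. The word list, the bit-array size and the use of SHA-256 to derive the k positions are assumptions for the example.

```python
import hashlib
import string


class BloomFilter:
    """Bit array plus k hash functions. A word that was added is always
    reported present; a word that was not may be (rarely) reported present."""

    def __init__(self, m_bits: int, k: int):
        self.m, self.k = m_bits, k
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, word: str):
        # k positions derived from SHA-256 of "i:word"; this construction is
        # an assumption for the example, not the textbook's hash choice.
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{word}".encode("utf-8")).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, word: str) -> None:
        for p in self._positions(word):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, word: str) -> bool:
        return all((self.bits[p // 8] >> (p % 8)) & 1 for p in self._positions(word))


# Constructed "bad password" list; a real dictionary holds many thousands of words.
BAD_WORDS = ["password", "secret", "letmein", "qwerty", "welcome", "dragon"]


def build_dictionary(words, m_bits: int = 8192, k: int = 4) -> BloomFilter:
    bf = BloomFilter(m_bits, k)
    for w in words:
        bf.add(w.lower())
    return bf


def check_proposed_password(pw: str, dictionary: BloomFilter) -> list:
    """Return the reasons a proposed password is rejected; [] means acceptable."""
    reasons = []
    if len(pw) <= 6:
        reasons.append("too short")
    if not any(c.isupper() for c in pw):
        reasons.append("no upper case letter")
    if not any(c.islower() for c in pw):
        reasons.append("no lower case letter")
    if not any(c.isdigit() for c in pw):
        reasons.append("no digit")
    if not any(c in string.punctuation for c in pw):
        reasons.append("no punctuation")
    # Strip trailing digits/punctuation so "Password1!" is still caught as
    # a dictionary word with decoration.
    core = pw.lower().rstrip(string.digits + string.punctuation)
    if pw.lower() in dictionary or core in dictionary:
        reasons.append("dictionary word")
    return reasons
```

The rule checks alone would accept "Password1!"; the dictionary lookup on the stripped core is what catches it.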

Page 651:

Rule-Based Intrusion Detection

• rule-based penetration identification
  – uses expert systems technology
  – with rules identifying known penetration, weakness patterns, or suspicious behavior
  – rules usually machine & O/S specific
  – rules are generated by experts who interview & codify knowledge of security admins
  – quality depends on how well this is done
  – compare audit records or states against rules
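A small rule engine of the kind this slide describes, as an added example that is not part of the slides: audit records are parsed and compared against codified rules. The first rule is the failed-login lockout from the "Managing Passwords" slide (too many failures for one account in a short period); the second is a "suspicious behaviour" pattern. The log lines, the threshold of 5 failures in 60 seconds and the sensitive-file list are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records (not from the slides): "timestamp user event argument"
AUDIT_LOG = """\
2024-03-01T09:00:01 alice LOGIN_FAIL 10.0.0.5
2024-03-01T09:00:04 alice LOGIN_FAIL 10.0.0.5
2024-03-01T09:00:07 alice LOGIN_FAIL 10.0.0.5
2024-03-01T09:00:09 alice LOGIN_FAIL 10.0.0.5
2024-03-01T09:00:12 alice LOGIN_FAIL 10.0.0.5
2024-03-01T09:05:00 bob LOGIN_OK 10.0.0.7
2024-03-01T09:05:30 bob READ /etc/shadow
2024-03-01T11:00:00 carol LOGIN_FAIL 10.0.0.9
2024-03-01T13:00:00 carol LOGIN_FAIL 10.0.0.9
"""


def parse_audit(log: str) -> list:
    """Turn each line into a record dict; malformed lines are skipped."""
    records = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, event, arg = parts
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "event": event, "arg": arg})
    return records


# Rule 1: too many failed logins for one account inside a sliding window
# -> lock the account. Threshold and window are assumptions for the example.
def rule_failed_logins(records, threshold=5, window=timedelta(seconds=60)) -> list:
    recent = defaultdict(list)
    alerts = []
    for r in records:
        if r["event"] != "LOGIN_FAIL":
            continue
        q = recent[r["user"]]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:   # drop failures older than the window
            q.pop(0)
        if len(q) >= threshold:
            alerts.append(f"lockout {r['user']}: {len(q)} failed logins "
                          f"within {int(window.total_seconds())}s")
            q.clear()
    return alerts


# Rule 2: a codified "suspicious behaviour" pattern, here a non-root read of a
# file ordinary users have no business opening (the list is an example).
SENSITIVE_FILES = {"/etc/shadow", "/etc/master.passwd"}


def rule_sensitive_read(records) -> list:
    return [f"suspicious read of {r['arg']} by {r['user']}"
            for r in records
            if r["event"] == "READ" and r["arg"] in SENSITIVE_FILES and r["user"] != "root"]


RULES = [rule_failed_logins, rule_sensitive_read]


def run_rules(log: str) -> list:
    """Compare every audit record against every rule; return the alerts raised."""
    records = parse_audit(log)
    alerts = []
    for rule in RULES:
        alerts.extend(rule(records))
    return alerts
```

Carol's two failures are hours apart, so the sliding window never holds five of them and no lockout fires; the quality of such a detector is exactly the quality of the thresholds and patterns the experts codified.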

Page 652:

  #include <stdio.h>
  #define d1 2.0
  #define d2 4.0
  #define realPassword 2314
  int address;
  int password;
  double c1, c2;
  double a[10000];

  int main(void) {
      /* …… */
      address = realPassword;  // We may use another name instead of realPassword.
      a[address] = 0;
      c2 = d2;
      if (scanf("%d", &password) != 1 || password < 0 || password >= 10000)
          return 1;  // keep the index inside a[]
      a[password] = d1;
      c1 = a[address];  // c1 gets d1 only if password is the correct realPassword; otherwise c1 stays 0.
  }

Page 653:

  #include <stdio.h>
  #include <math.h>
  #define d1 2.0
  #define d2 4.0
  #define realPassword 2314
  int address;
  double c1, c2;
  double a[10000];

  /* Roots of x^2 + b x + c = 0. The constants 2 (c1) and 4 (c2) are taken
     from the globals set up in main() instead of appearing as literals. */
  void quadratic(double b, double c, double *root1, double *root2) {
      double temp;
      temp = sqrt(b * b - c2 * c);
      *root1 = (-b + temp) / c1;
      *root2 = (-b - temp) / c1;
  }

  int main(void) {
      double root1, root2;
      int password;
      address = realPassword;  // We may use another name instead of realPassword.
      a[address] = 0;
      c2 = d2;
      if (scanf("%d", &password) != 1 || password < 0 || password >= 10000)
          return 1;  // keep the index inside a[]
      a[password] = d1;
      c1 = a[address];  // c1 gets d1 if password is correct (equal to realPassword);
                        // otherwise c1 is still 0 and quadratic() divides by zero.
      scanf("%lf", &a[0]);  // read the parameter b
      scanf("%lf", &a[1]);  // read the parameter c
      quadratic(a[0], a[1], &root1, &root2);
      printf("%lf, %lf\n", root1, root2);
      return 0;
  }

Page 654:

The vulnerability of web servers

Here we only discuss web applications written in PHP.

1. PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.

2. PHP provides a lot of useful functions to make programming easier, but attackers can also use these functions to do something unexpected.

Page 655:

This form allows the web browser user to upload a file from their local machine to the remote web server.

<FORM METHOD="POST" ENCTYPE="multipart/form-data">
<INPUT TYPE="FILE" NAME="upload">
<INPUT TYPE="HIDDEN" NAME="MAX_FILE_SIZE" VALUE="10240">
<INPUT TYPE="SUBMIT" NAME="Submit Query">
</FORM>

It looks as follows:

Page 656:

This function is obviously useful but also brings risk.

The attacker's ultimate goal is to be able to execute commands on the remote web server, and they cannot achieve that using files that stay on their local machine.

Therefore they need to get PHP code into a file local to the remote machine. This sounds like an impossible task initially, but file upload comes to the rescue: if the attacker creates a file on their machine containing PHP code to be executed and then uploads it, PHP will be kind enough to save the attacker's file.

Page 657:

Simple example

This is an upload form; it allows students to upload their homework to the "upload" folder on the remote web server, but it has no control over the uploaded file. In other words, students can submit any kind of file.

Page 658:

Simple example

So that students can check whether they submitted their homework successfully, the web server gives the client a list of all the files in the "upload" folder, allowing students to view the filenames.

Page 659:

Simple example

But if somebody submits a PHP file like the one shown on the slide and executes it on the remote web server, then Jack's homework will be deleted; obviously those are important files for Jack.

ex. "./" means the current directory

Page 660:

Solution

• Forbid some unsafe functions by configuring parameters of the web server.

  ex. Set "safe_mode on" in the "php.ini" file; its effects include:
  1. restrict which commands can be executed
  2. restrict which functions can be used
  3. if you want, you can remove file upload completely

• Add code to the upload program that refuses files which are executable or dangerous. We can also use some simple code to change the uploaded file's extension so that it cannot be executed.
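The second bullet, the checks the upload program itself should make, as an added example that is not part of the slides. It is written in Python rather than PHP so that the decision logic stands on its own; the extension allowlist, the interpreter-extension list and the 10240-byte limit (matching the form's MAX_FILE_SIZE field) are assumptions for the example. The server never reuses the client's filename: it picks a random name and keeps only an allowlisted extension, which is the "change the extension" step from the slide done in a way the client cannot influence.

```python
import os
import secrets

# Allowlist of extensions a homework drop box needs; everything else is refused.
ALLOWED_EXTENSIONS = {"pdf", "txt", "zip"}
# Extensions a web server may hand to an interpreter; refused wherever they
# appear in the name (e.g. "hw1.php.txt"), not just at the end.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php5", "phtml", "phar", "cgi", "pl", "py", "sh"}
MAX_FILE_SIZE = 10240  # bytes, the same limit the form's hidden field asks for


def validate_upload(client_name: str, size: int) -> tuple:
    """Return (accepted, reason_or_stored_name) for one uploaded file.

    The stored name is chosen by the server: a random token plus the
    allowlisted extension. The client-supplied name is used only to decide
    the file type, never as a path on the server.
    """
    if size > MAX_FILE_SIZE:
        return False, "file too large"
    # Drop any directory part the client sent, on either path convention.
    base = os.path.basename(client_name.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension"
    exts = parts[1:]
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False, "executable file type refused"
    if exts[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension .{exts[-1]} not allowed"
    stored = f"{secrets.token_hex(8)}.{exts[-1]}"
    return True, stored
```

The size is checked from the bytes actually received, because the hidden MAX_FILE_SIZE field is only a hint to the browser and is under the client's control. Note also that the first bullet's safe_mode no longer exists in current PHP (it was removed in PHP 5.4), so the checks in the upload program, together with an upload directory from which the web server is configured not to execute scripts, are what remains.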

Page 661:

Cryptography and Network Security

Third Edition

by William Stallings

Lecture slides by Lawrie Brown

Page 662:

Chapter 20 – Firewalls

The function of a strong position is to make the forces holding it practically unassailable

—On War, Carl Von Clausewitz

Page 663:

Introduction

• seen evolution of information systems

• now everyone wants to be on the Internet

• and to interconnect networks

• has persistent security concerns
  – can't easily secure every system in org

• need "harm minimisation"

• a Firewall usually part of this

Page 664:

What is a Firewall?

• a choke point of control and monitoring

• interconnects networks with differing trust

• imposes restrictions on network services
  – only authorized traffic is allowed

• auditing and controlling access
  – can implement alarms for abnormal behavior

• is itself immune to penetration

• provides perimeter defence

Page 665:

Firewall Limitations

• cannot protect from attacks bypassing it
  – eg sneaker net, utility modems, trusted organisations, trusted services (eg SSL/SSH)

• cannot protect against internal threats
  – eg disgruntled employee

• cannot protect against transfer of all virus infected programs or files
  – because of huge range of O/S & file types, it is impossible to scan all files and emails

Page 666:

Firewalls – Packet Filters

Page 667:

Firewalls – Packet Filters

• simplest of components

• foundation of any firewall system

• examine each IP packet (no context) and permit or deny according to rules

• hence restrict access to services (ports)

• possible default policies
  – that not expressly permitted is prohibited
  – that not expressly prohibited is permitted

Page 668:

Firewalls – Packet Filters

Page 669:

Attacks on Packet Filters

• IP address spoofing
  – fake source address to be trusted
  – add filters on router to block

• source routing attacks
  – attacker sets a route other than default
  – block source routed packets

• tiny fragment attacks
  – split header info over several tiny packets
  – either discard or reassemble before check

Page 670:

Firewalls – Stateful Packet Filters

• examine each IP packet in context
  – keeps track of client-server sessions
  – checks each packet validly belongs to one

• better able to detect bogus packets out of context
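A packet filter covering the last three slides, as an added example that is not part of the slides: stateless rules evaluated in order with a default policy (slide 667), the two filter-side countermeasures from slide 669 (drop packets arriving from outside with an internal source address; drop non-first or undersized fragments rather than checking them), and a stateful layer (slide 670) that remembers permitted outbound TCP sessions so that replies come back in without a blanket "permit inbound" rule. The interface names, address ranges, the mail relay address and the packet fields are assumptions for the example.

```python
from dataclasses import dataclass


# Constructed packet summary holding only the header fields a filter inspects.
@dataclass(frozen=True)
class Packet:
    iface: str            # "ext" = arrived from the Internet, "int" = from inside
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False     # TCP SYN: a new connection attempt
    frag_offset: int = 0  # > 0 means a non-first IP fragment
    length: int = 60      # bytes of transport payload carried


INTERNAL_PREFIX = "10.0.0."   # assumed internal address range
MAIL_RELAY = "10.0.0.25"      # assumed bastion host offering SMTP


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


# Stateless rules, evaluated top to bottom: (description, predicate, action).
RULES = [
    ("anti-spoof: internal source address arriving on the external interface",
     lambda p: p.iface == "ext" and is_internal(p.src), "deny"),
    ("tiny fragment: non-first fragment or too short to hold a TCP header",
     lambda p: p.frag_offset > 0 or p.length < 20, "deny"),
    ("inbound SMTP to the mail relay only",
     lambda p: p.iface == "ext" and p.proto == "tcp" and p.dst == MAIL_RELAY and p.dport == 25, "permit"),
    ("outbound web from inside",
     lambda p: p.iface == "int" and p.proto == "tcp" and p.dport in (80, 443), "permit"),
]


def stateless_filter(p: Packet, default: str = "deny") -> tuple:
    """Packet filter with no context: first matching rule wins, else the default policy."""
    for desc, matches, action in RULES:
        if matches(p):
            return action, desc
    return default, f"default policy ({default})"


class StatefulFilter:
    """Adds a session table so replies to permitted outbound TCP connections are
    let back in without a rule that permits arbitrary inbound traffic."""

    def __init__(self):
        self.sessions = set()  # (internal ip, internal port, external ip, external port)

    def decide(self, p: Packet) -> tuple:
        if p.iface == "ext" and (p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "permit", "reply belonging to an established session"
        action, desc = stateless_filter(p)
        if action == "permit" and p.iface == "int" and p.proto == "tcp" and p.syn:
            self.sessions.add((p.src, p.sport, p.dst, p.dport))
        return action, desc


def demo() -> list:
    """Constructed traffic: outbound HTTPS, its reply, an unsolicited inbound
    packet, a spoofed internal source, and a tiny fragment."""
    fw = StatefulFilter()
    traffic = [
        Packet("int", "10.0.0.8", "93.184.216.34", "tcp", 51000, 443, syn=True),
        Packet("ext", "93.184.216.34", "10.0.0.8", "tcp", 443, 51000),
        Packet("ext", "93.184.216.34", "10.0.0.8", "tcp", 443, 51001),
        Packet("ext", "10.0.0.1", MAIL_RELAY, "tcp", 4444, 25, syn=True),
        Packet("ext", "198.51.100.7", MAIL_RELAY, "tcp", 4444, 25, frag_offset=1, length=8),
    ]
    return [fw.decide(p)[0] for p in traffic]
```

The same unsolicited inbound packet is denied under "not expressly permitted is prohibited" and permitted under the opposite default, which is why the first default is the one to choose; the stateful table is what makes the strict default workable for ordinary client traffic.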

Page 671:

Firewalls - Application Level Gateway (or Proxy)

Page 672:

Firewalls - Application Level Gateway (or Proxy)

• use an application specific gateway / proxy

• has full access to protocol
  – user requests service from proxy
  – proxy validates request as legal
  – then actions request and returns result to user

• need separate proxies for each service
  – some services naturally support proxying
  – others are more problematic
  – custom services generally not supported

Page 673:

Firewalls - Circuit Level Gateway

Page 674:

Firewalls - Circuit Level Gateway

• relays two TCP connections

• imposes security by limiting which such connections are allowed

• once created usually relays traffic without examining contents

• typically used when internal users are trusted, by allowing general outbound connections

• SOCKS commonly used for this

Page 675:

Bastion Host

• highly secure host system

• potentially exposed to "hostile" elements

• hence is secured to withstand this

• may support 2 or more net connections

• may be trusted to enforce trusted separation between network connections

• runs circuit / application level gateways

• or provides externally accessible services

Page 676:

Firewall Configurations

Page 677:

Firewall Configurations

Page 678:

Firewall Configurations

Page 679:

Access Control

• given system has identified a user

• determine what resources they can access

• general model is that of access matrix with
  – subject - active entity (user, process)
  – object - passive entity (file or resource)
  – access right – way object can be accessed

• can decompose by
  – columns as access control lists
  – rows as capability tickets
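The access matrix and its two decompositions, as an added example that is not part of the slides. The matrix is a constructed one with three subjects and three objects; the code splits it by column into access control lists and by row into capability tickets, answers the same access question from either view, and shows the operational difference that matters in practice: revoking all access to an object is one operation on its ACL but a search through every subject's tickets in the capability view.

```python
# Constructed access matrix: rows are subjects, columns are objects,
# each cell the set of access rights.
MATRIX = {
    "alice":   {"payroll.db": {"read", "write"}, "report.txt": {"read"}},
    "bob":     {"report.txt": {"read", "write"}, "printer": {"use"}},
    "backupd": {"payroll.db": {"read"}, "report.txt": {"read"}},
}


def access_control_lists(matrix: dict) -> dict:
    """Column view: for each object, which subjects hold which rights."""
    acls = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[subject] = set(rights)
    return acls


def capability_tickets(matrix: dict) -> dict:
    """Row view: for each subject, the (object, rights) tickets it holds."""
    return {s: {o: set(r) for o, r in row.items()} for s, row in matrix.items()}


def allowed_by_acl(acls: dict, subject: str, obj: str, right: str) -> bool:
    # The object's ACL is consulted: natural when the object is opened.
    return right in acls.get(obj, {}).get(subject, set())


def allowed_by_capability(caps: dict, subject: str, obj: str, right: str) -> bool:
    # The subject presents a ticket: natural when rights travel with a process.
    return right in caps.get(subject, {}).get(obj, set())


def revoke_object_acl(acls: dict, obj: str) -> int:
    """Revoking all access to an object is one operation on its ACL.
    Returns how many subjects lost access."""
    return len(acls.pop(obj, {}))


def revoke_object_capabilities(caps: dict, obj: str) -> int:
    """With capabilities every subject's ticket list must be searched, which is
    the classic weakness of capability systems. Returns how many tickets were removed."""
    removed = 0
    for tickets in caps.values():
        if tickets.pop(obj, None) is not None:
            removed += 1
    return removed


def decompositions_agree(matrix: dict) -> bool:
    """Both views must give the same answer for every (subject, object, right),
    including rights and objects that appear nowhere in the matrix."""
    acls, caps = access_control_lists(matrix), capability_tickets(matrix)
    objects = {o for row in matrix.values() for o in row} | {"missing.obj"}
    rights = {r for row in matrix.values() for rs in row.values() for r in rs} | {"delete"}
    return all(allowed_by_acl(acls, s, o, r) == allowed_by_capability(caps, s, o, r)
               for s in matrix for o in objects for r in rights)
```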

Page 680:

Access Control Matrix

Page 681:

Trusted Computer Systems

• information security is increasingly important

• have varying degrees of sensitivity of information
  – cf military info classifications: confidential, secret etc

• subjects (people or programs) have varying rights of access to objects (information)

• want to consider ways of increasing confidence in systems to enforce these rights

• known as multilevel security
  – subjects have maximum & current security level
  – objects have a fixed security level classification

Page 682:

Bell LaPadula (BLP) Model

• one of the most famous security models

• implemented as mandatory policies on system

• has two key policies:

• no read up (simple security property)
  – a subject can only read/write an object if the current security level of the subject dominates (>=) the classification of the object

• no write down (*-property)
  – a subject can only append/write to an object if the current security level of the subject is dominated by (<=) the classification of the object
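The two BLP properties as a reference-monitor style check, added here as an example that is not part of the slides. Subjects carry a maximum clearance and a current level (from the previous slide), objects a fixed classification; reads require the subject's current level to dominate the object's, appends require the reverse, and read-write access therefore needs equal levels. The classification ordering, subject and object names are constructed; a real system also has compartments (categories), which make the ordering a lattice rather than the simple chain used here.

```python
from enum import IntEnum


class Level(IntEnum):
    """Constructed linear ordering of classifications; higher dominates lower."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class Subject:
    """A subject has a fixed maximum clearance and a current level it may move
    for the session, but never above the maximum."""

    def __init__(self, name: str, maximum: Level, current: Level):
        if current > maximum:
            raise ValueError("current level may not exceed maximum clearance")
        self.name, self.maximum, self.current = name, maximum, current

    def set_current(self, level: Level) -> bool:
        if level > self.maximum:
            return False
        self.current = level
        return True


# Objects carry a fixed classification (constructed examples).
OBJECTS = {
    "budget.txt": Level.CONFIDENTIAL,
    "memo.txt": Level.SECRET,
    "ops_plan.doc": Level.TOP_SECRET,
}


def can_read(subject: Subject, obj: str) -> bool:
    """Simple security property (no read up): subject's current level >= object's."""
    return subject.current >= OBJECTS[obj]


def can_append(subject: Subject, obj: str) -> bool:
    """*-property (no write down): subject's current level <= object's."""
    return subject.current <= OBJECTS[obj]


def can_read_write(subject: Subject, obj: str) -> bool:
    """Both properties at once: read-write access needs equal levels."""
    return can_read(subject, obj) and can_append(subject, obj)


def demo() -> dict:
    analyst = Subject("analyst", Level.TOP_SECRET, Level.SECRET)
    clerk = Subject("clerk", Level.CONFIDENTIAL, Level.CONFIDENTIAL)
    results = {
        "analyst reads memo": can_read(analyst, "memo.txt"),                 # True
        "analyst reads ops_plan": can_read(analyst, "ops_plan.doc"),         # False: read up
        "analyst appends budget": can_append(analyst, "budget.txt"),         # False: write down
        "analyst appends ops_plan": can_append(analyst, "ops_plan.doc"),     # True
        "analyst rw memo": can_read_write(analyst, "memo.txt"),              # True: equal levels
        "clerk raises to TOP_SECRET": clerk.set_current(Level.TOP_SECRET),   # False: above maximum
    }
    analyst.set_current(Level.TOP_SECRET)  # allowed: within the maximum clearance
    results["analyst reads ops_plan after raising level"] = can_read(analyst, "ops_plan.doc")  # True
    results["analyst appends memo after raising level"] = can_append(analyst, "memo.txt")      # False
    return results
```

Raising the current level buys read access to higher objects at the cost of write access to lower ones, which is the point of the current level being adjustable: a subject logs in at the lowest level its task needs.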

Page 683:

Reference Monitor

Page 684:

Evaluated Computer Systems

• governments can evaluate IT systems

• against a range of standards:
  – TCSEC, ITSEC and now Common Criteria

• define a number of "levels" of evaluation with increasingly stringent checking

• have published lists of evaluated products
  – though aimed at government/defense use
  – can be useful in industry also

Page 685:

Summary

• have considered:
  – firewalls
  – types of firewalls
  – configurations
  – access control
  – trusted systems

Page 686:

Requirements for Hash function

• H(x) is easy to compute

• Given h, it is computationally hard to find x such that H(x) = h: one-way property

• Given x, it is computationally hard to find y ≠ x such that H(x) = H(y): weak collision resistance

• It is computationally hard to find any pair x ≠ y such that H(x) = H(y): strong collision resistance

Page 687:

Pseudorandom Number Generator

Applications:

• Key generation

• Randomized algorithm

• Authentication protocols

• ……

Page 688:

Randomness

• Uniform distribution: The frequency of each number should be approximately the same.

• Independence: No one value in the sequence can be inferred from the others

• Unpredictability

Page 689:

Linear Generator

A sequence of numbers is generated by

  $X_{n+1} = (aX_n + c) \bmod m$

$X_0$: starting value ($0 \le X_0 < m$)

a: the multiplier ($0 < a < m$)

c: the increment ($0 \le c < m$)

m: the modulus ($m > 0$)

Page 690:

Requirements for linear generator

• Generate all numbers between 0 and m

• Look random

• Should be implementable efficiently with 32-bit arithmetic

Page 691:

Linear Generator

A sequence of numbers is generated by

  $X_{n+1} = (aX_n + c) \bmod m$

with

  $m = 2^{31} - 1$

  $a = 7^5 = 16807$

  $c = 0$

which gives

  $X_{n+1} = 16807\, X_n \bmod (2^{31} - 1)$

Page 692:

Linear Generator weakness

If m, c, a are known, then once a single number is discovered, all subsequent numbers are known.

If it is only known that a linear generator is used, the attacker can still solve the equations:

  $X_2 = (aX_1 + c) \bmod m$

  $X_3 = (aX_2 + c) \bmod m$

  $X_4 = (aX_3 + c) \bmod m$
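The weakness on this slide worked through for the generator of slide 691, as an added example that is not part of the slides. It implements $X_{n+1} = (aX_n + c) \bmod m$ with the slide's parameters, then shows that a few consecutive outputs are enough to recover a and c when the modulus is known: subtracting the first two congruences eliminates c, leaving $X_3 - X_2 \equiv a(X_2 - X_1) \pmod m$, which is solved with a modular inverse (m is prime here). The seeds are constructed values. This is why a linear generator, whatever its statistical quality, must not be used for keys or nonces: one leaked value gives the rest of the stream.

```python
# Parameters from slide 691: m = 2^31 - 1 (a prime), a = 7^5 = 16807, c = 0.
M = 2**31 - 1
A = 7**5
C = 0


def lcg(x0: int, n: int, a: int = A, c: int = C, m: int = M) -> list:
    """Return X_1 .. X_n from X_{n+1} = (a X_n + c) mod m."""
    out, x = [], x0
    for _ in range(n):
        x = (a * x + c) % m
        out.append(x)
    return out


def recover_a_c(x1: int, x2: int, x3: int, m: int) -> tuple:
    """Solve X_2 = a X_1 + c and X_3 = a X_2 + c (mod m) when the modulus is known.

    Subtracting the two congruences removes c:
        X_3 - X_2 = a (X_2 - X_1)  (mod m)
    so a = (X_3 - X_2) * (X_2 - X_1)^{-1} mod m, then c = X_2 - a X_1 mod m.
    The inverse exists when m is prime and X_2 != X_1 (mod m).
    """
    d = (x2 - x1) % m
    if d == 0:
        raise ValueError("X_2 == X_1: these outputs do not determine a")
    a = (x3 - x2) * pow(d, -1, m) % m   # pow(d, -1, m) needs Python 3.8+
    c = (x2 - a * x1) % m
    return a, c


def predict_next(x: int, a: int, c: int, m: int) -> int:
    """Once a, c, m are known, every later output follows from the current one."""
    return (a * x + c) % m
```

With an unknown modulus one more equation (the slide's third) is needed, but the approach is the same; none of this requires anything beyond observing the generator's output.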

Page 693:

Generator with DES

C is a counter with period N

[Figure: the counter C is incremented to C + 1 at each step and fed to DES encryption under the key $K_m$; the output is $X_i = E_{K_m}[C + 1]$]

Page 694:

Blum Blum Shub Generator

Choose two prime numbers p and q with $p \equiv q \equiv 3 \pmod 4$

Let $n = pq$

Choose a random number s relatively prime to n

  $X_0 = s^2 \bmod n$

  for i = 1 to ∞:

    $X_i = (X_{i-1})^2 \bmod n$

    $B_i = X_i \bmod 2$
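The Blum Blum Shub procedure above, as an added example that is not part of the slides. It checks the parameter conditions (both primes 3 mod 4, seed coprime to n), squares modulo n and emits the least significant bit of each state. The toy parameters p = 11, q = 19 (so n = 209) and s = 3 are constructed so the states can be checked by hand; a real n must be large enough that factoring it is infeasible, since BBS's security rests entirely on that, and the primes p and q must be discarded after n is formed.

```python
from math import gcd


def is_prime(x: int) -> bool:
    """Trial division; enough for the small toy parameters used here."""
    return x > 1 and all(x % d for d in range(2, int(x ** 0.5) + 1))


def bbs_valid(p: int, q: int, s: int) -> bool:
    """p and q must be distinct primes congruent to 3 mod 4 and s coprime to n = pq."""
    return (is_prime(p) and is_prime(q) and p != q
            and p % 4 == 3 and q % 4 == 3
            and gcd(s, p * q) == 1)


def bbs_states(p: int, q: int, s: int, count: int) -> list:
    """Return X_1 .. X_count where X_0 = s^2 mod n and X_i = X_{i-1}^2 mod n."""
    if not bbs_valid(p, q, s):
        raise ValueError("invalid BBS parameters")
    n = p * q
    x = s * s % n            # X_0
    states = []
    for _ in range(count):
        x = x * x % n        # X_i = (X_{i-1})^2 mod n
        states.append(x)
    return states


def bbs_bits(p: int, q: int, s: int, count: int) -> list:
    """B_i = X_i mod 2: the least significant bit of each state."""
    return [x & 1 for x in bbs_states(p, q, s, count)]


# Toy parameters (constructed, far too small for real use):
# p = 11 and q = 19 are both 3 mod 4, n = 209, s = 3 is coprime to 209.
TOY_P, TOY_Q, TOY_S = 11, 19, 3
```

For the toy parameters the states are 81, 82, 36, 42, 92, 104, 157 and the first seven output bits are 1, 0, 0, 0, 0, 0, 1. Compare this with the linear generator on the earlier slides: here knowing the outputs does not reveal the state (only one bit of each X_i is emitted) and predicting further bits is as hard as factoring n.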