EE515/IS523 Think Like an Adversary Lecture 8 Usability/Software Failures Yongdae Kim.
EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell
description
Transcript of EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell
![Page 1: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/1.jpg)
EE515/IS523 Think Like an
AdversaryLecture 3
Cryptography in a Nutshell
Yongdae Kim
![Page 2: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/2.jpg)
Recap http://syssec.kaist.ac.kr/courses/ee515 E-mail policy
Include [ee515] or [is523] in the subject of your e-mail
Student Survey http://bit.ly/SiK9M3
News posting KLMS http://edu3.kaist.ac.kr/course/view.php?id=14461
Match making, criticism KLMS
Text only posting, email!
![Page 3: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/3.jpg)
In a Nutshell Security by Obscurity is not secure! Conservative modeling for adversary State-sponsored, Hacktivists, Hacker+Criminals,
Researchers ;-) Care for the weakest link. Plan for unknown attacks. Check for environmental changes All stages are important Attacker modeling, design, implementation,
deployment, operation Check News! Cyber Warfare?
![Page 4: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/4.jpg)
Security & RiskWe only have finite resources for security…
If we only have $20K, which should we buy?
Product A
Prevents Attacks: U,W,Y,Z
Cost $10K
Product B
Prevents Attacks: V,X
Cost $20K
![Page 5: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/5.jpg)
RiskThe risk due to a set of attacks is the
expected (or average) cost per unit of time.One measure of risk is Annualized Loss
Expectancy, or ALE:
Σattack A
( pA × LA )
Annualized attack incidence
Cost per attack
ALE of attack A
![Page 6: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/6.jpg)
Risk ReductionA defense mechanism may reduce the risk of
a set of attacks by reducing LA or pA. This is the gross risk reduction (GRR):
The mechanism also has a cost. The net risk reduction (NRR) is GRR – cost.
Σattack A
(pA × LA – p’A×L’A)
![Page 7: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/7.jpg)
Basic Cryptography
Yongdae Kim
![Page 8: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/8.jpg)
The main players
Alice Bob
EveYves?
![Page 9: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/9.jpg)
Attacks
Source Destination
Normal Flow
Source Destination
Interruption: Availability
Source Destination
Interception: Confidentiality
Source Destination
Modification: Integrity
Source Destination
Fabrication: Authenticity
![Page 10: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/10.jpg)
Taxonomy of AttacksPassive attacks
EavesdroppingTraffic analysis
Active attacksMasqueradeReplayModification of message contentDenial of service
![Page 11: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/11.jpg)
Big pictureTrusted third party
(e.g. arbiter, distributorof secret information)
SecretInformation
Message
SecretInformation
Message
Alice Bob
InformationChannel
Eve
![Page 12: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/12.jpg)
Terminology for Encryption
A denotes a finite set called the alphabet M denotes a set called the message space
M consists of strings of symbols from an alphabetAn element of M is called a plaintext
C denotes a set called the ciphertext spaceC consists of strings of symbols from an alphabetAn element of C is called a ciphertext
K denotes a set called the key space An element of K is called a key
Ee is an encryption function where e K
Dd called a decryption function where d K
![Page 13: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/13.jpg)
Encryption
Why do we use key?Or why not use just a shared encryption function?
Plaintext source
EncryptionEe(m) = c
destination
DecryptionDd(c) = m
c insecure channel
Alice Bob
Adversary
m m
![Page 14: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/14.jpg)
SKE with Secure channel
Plaintext source
EncryptionEe(m) = c
destination
DecryptionDd(c) = m
c Insecure channel
Alice Bob
Adversary
Key source
e
m m
d Secure channel
![Page 15: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/15.jpg)
PKE with insecure channel
Plaintext source
EncryptionEe(m) = c
destination
DecryptionDd(c) = m
cInsecure channel
Alice Bob
PassiveAdversary
Key source
d
m m
e Insecure channel
![Page 16: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/16.jpg)
Public key should be authentic!
ee
ee
EEee(m)(m)
ee’’
EEee’’(m)(m)EEee(m)(m)
Need to authenticate public keys
![Page 17: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/17.jpg)
Digital SignaturesPrimitive in authentication and non-
repudiation
Signature Process of transforming the message and some
secret information into a tag
NomenclatureM is set of messagesS is set of signaturesSA: M ! S for A, kept private
VA is verification transformation from M to S for A, publicly known
![Page 18: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/18.jpg)
Key Establishment, Management
Key establishmentProcess to whereby a shared secret key becomes
available to two or more partiesSubdivided into key agreement and key transport.
Key managementThe set of processes and mechanisms which
support key establishment The maintenance of ongoing keying relationships
between parties
![Page 19: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/19.jpg)
Symmetric vs. Public keyPros Cons
SKE High data throughput Relatively short key size
The key must remain secret at both ends
O(n2) keys to be managed Relatively short lifetime of
the key
PKE
O(n) keys Only the private key
must be kept secret longer key life time digital signature
Low data throughput Much larger key sizes
![Page 20: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/20.jpg)
Symmetric key EncryptionSymmetric key encryption
if for each (e,d) it is easy computationally easy to compute e knowing d and d knowing e
Usually e = d
Block cipherbreaks up the plaintext messages to be
transmitted into blocks of a fixed length, and encrypts one block at a time
Stream cipherencrypt individual characters of plaintext
message one at a time, using encryption transformation which varies with time
![Page 21: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/21.jpg)
Hash function and MAC A hash function is a function h
compression ease of computation Properties
one-way: for a given y, find x’ such that h(x’) = y collision resistance: find x and x’ such that h(x) = h(x’)
Examples: SHA-1, MD-5
MAC (message authentication codes) both authentication and integrity MAC is a family of functions hk
ease of computation (if k is known !!) compression, x is of arbitrary length, hk(x) has fixed length computation resistance
Example: HMAC
![Page 22: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/22.jpg)
How Random is the Hash function?
![Page 23: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/23.jpg)
Applications of Hash Function
File integrity
Digital signatureSign = SSK(h(m))
Password verificationstored hash = h(password)
File identifier
Hash table
Generating random numbers
![Page 24: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/24.jpg)
Hash function and MAC A hash function is a function h
compression ease of computation Properties
one-way: for a given y, find x’ such that h(x’) = y collision resistance: find x and x’ such that h(x) = h(x’)
Examples: SHA-1, MD-5
MAC (message authentication codes) both authentication and integrity MAC is a family of functions hk
ease of computation (if k is known !!) compression, x is of arbitrary length, hk(x) has fixed length computation resistance
Example: HMAC
![Page 25: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/25.jpg)
MAC construction from Hash Prefix
M=h(k||x) appending y and deducing h(k||x||y) form h(k||x) without
knowing k Suffix
M=h(x||k) possible a birthday attack, an adversary that can choose x
can construct x’ for which h(x)=h(x’) in O(2n/2)
STATE OF THE ART: HMAC (RFC 2104) HMAC(x)=h(k||p1||h(k|| p2||x)), p1 and p2 are padding The outer hash operates on an input of two blocks Provably secure
![Page 26: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/26.jpg)
How to use MAC?A & B share a secret key kA sends the message x and the MAC
M←Hk(x)B receives x and M from AB computes Hk(x) with received MB checks if M=Hk(x)
![Page 27: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/27.jpg)
PKE with insecure channel
Plaintext source
EncryptionEe(m) = c
destination
DecryptionDd(c) = m
cInsecure channel
Alice Bob
PassiveAdversary
Key source
d
m m
e Insecure channel
![Page 28: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/28.jpg)
Digital Signature
IntegrityAuthenticationNon-repudiationI did not
have intimate relations with that woman,…, Ms. Lewinsky
![Page 29: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/29.jpg)
Digital Signature with Appendix
Schemes with appendixRequires the message as input to verification
algorithmRely on cryptographic hash functions rather than
customized redundancy functionsDSA, ElGamal, Schnorr etc.
![Page 30: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/30.jpg)
Digital Signature with Appendix
M
m mh
Mh
h s*
SSA,k
Mh x Su 2{True, False}
VA
s* = SA,k(mh)
u = VA(mh, s*)
![Page 31: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/31.jpg)
Authentication
How to prove your identity?Prove that you know a secret information
When key K is shared between A and ServerA S: HMACK(M) where M can provide freshnessWhy freshness?
Digital signature?A S: SigSK(M) where M can provide freshness
Comparison?
![Page 32: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/32.jpg)
Encryption and Authentication
EK(M)
Redundancy-then-Encrypt: EK(M, R(M))
Hash-then-Encrypt: EK(M, h(M))
Hash and Encrypt: EK(M), h(M)
MAC and Encrypt: Eh1(K)(M), HMACh2(K)(M)
MAC-then-Encrypt: Eh1(K)(M, HMACh2(K)(M))
![Page 33: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/33.jpg)
Challenge-response authentication
Alice is identified by a secret she possessesBob needs to know that Alice does indeed possess
this secretAlice provides response to a time-variant
challengeResponse depends on both secret and challenge
UsingSymmetric encryptionOne way functions
![Page 34: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/34.jpg)
Challenge Response using SKE
Alice and Bob share a key KTaxonomy
Unidirectional authentication using timestamps
Unidirectional authentication using random numbers
Mutual authentication using random numbers
Unilateral authentication using timestampsAlice Bob: EK(tA, B)Bob decrypts and verified that timestamp is OKParameter B prevents replay of same message in
B A direction
![Page 35: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/35.jpg)
Challenge Response using SKE
Unilateral authentication using random numbersBob Alice: rb
Alice Bob: EK(rb, B)
Bob checks to see if rb is the one it sent out Also checks “B” - prevents reflection attack
rb must be non-repeating
Mutual authentication using random numbersBob Alice: rb
Alice Bob: EK(ra, rb, B)
Bob Alice: EK(ra, rb)
Alice checks that ra, rb are the ones used earlier
![Page 36: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/36.jpg)
Challenge-response using OWF
Instead of encryption, used keyed MAC hK
Check: compute MAC from known quantities, and check with message
SKID3Bob Alice: rb
Alice Bob: ra, hK(ra, rb, B)
Bob Alice: hK(ra, rb, A)
![Page 37: EE515/IS523 Think Like an Adversary Lecture 3 Cryptography in a Nutshell](https://reader036.fdocuments.in/reader036/viewer/2022062315/5681593e550346895dc67b90/html5/thumbnails/37.jpg)
Key Establishment, Management
Key establishmentProcess to whereby a shared secret key becomes
available to two or more partiesSubdivided into key agreement and key transport.
Key managementThe set of processes and mechanisms which
support key establishment The maintenance of ongoing keying relationships
between parties