04/19/23 Tutorial on Network Security: Sep 2003
Network Security (contd.)
Bijendra Jain

Lecture 3: Public-key cryptography

Public-key cryptography
Public-key cryptography is not necessarily more secure than private-key cryptography
Private-key cryptography is not obsolete; it is still exceptionally useful
Distribution of keys in public-key cryptography is not trivial; public-key cryptography has attempted to address this issue head-on

Public-key cryptography
Public-key cryptography requires the use of two keys:
– One for encryption
– A related one for decryption
One key is kept private, while the other is made public
Can either key be used for encryption, and the other for decryption?
– YES, for RSA

Public-key cryptography: confidentiality
Used for confidentiality:

Public-key cryptography: authentication
Used for authentication:

Confidentiality and authentication
Used for confidentiality and authentication:

Public-key cryptography
Easy for B to generate keys, (private) $KR_B$ and (public) $KU_B$
Easy for sender A to encrypt $C = E_{KU_B}(M)$, given M and $KU_B$
Easy for receiver B to decrypt $M = D_{KR_B}(C)$, given C and $KR_B$
Given $KU_B$ it is infeasible for others to determine $KR_B$
Given $KU_B$ and ciphertext C it is infeasible for others to decipher M
(optionally) encryption and decryption can be applied in any order
Function E (or D) is a “one-way function with trap-door”
– The inverse of E (or D) is infeasible, unless additional information (trap-door) is available

RSA algorithm
Approach first suggested by Diffie and Hellman
Invented by Rivest, Shamir, Adleman at MIT, first published in 1978
Algorithms are patented
Block cipher, where plaintext is < n
Permits any key length
– typically 128 through 1014 is common

RSA algorithm
Consider n, and blocks of size k bits s.t. $2^k < n \le 2^{k+1}$.
Encryption and decryption algorithms:
$C = M^e \bmod n$
$M = C^d \bmod n = M^{ed} \bmod n$
where
sender knows public key KU = {e, n}
receiver knows private key KR = {d, n}
For this to be a public-key crypto system:
– $M = M^{ed} \bmod n$ for some e, d, n for all M < n
– Easy to calculate $M^e \bmod n$, and $C^d \bmod n$
– Infeasible to determine d, given e and n

RSA algorithm
Key generation
– Select any prime numbers p, q
– Compute n = p*q
– Compute phi = (p-1)*(q-1)
– Select e, such that 1 < e < phi, and gcd(phi, e) = 1
– Find d such that ed = 1 mod phi
– Public key KU = {e, n}
– Private key KR = {d, n}
Encryption, decryption algorithms: for any plaintext M < n
$C = M^e \pmod n$
$M = C^d \pmod n$
It can be shown that $M = C^d \bmod n = M^{ed} \bmod n$

RSA: example
Let p = 7, q = 17
n = p*q = 119
phi = (p-1)*(q-1) = 96
Select e = 5 (note e is relatively prime to 96, and < 96)
Find d = 77 (note d*e = 1 mod 96, and d < 96)
KU = {5, 119}, KR = {77, 119}
Let M = 19 (note M < 119)
Encryption step: C = 19**5 mod 119 = 2476099 mod 119 = 66
Decryption step: M = 66**77 mod 119 = 127………. mod 119 = 19

RSA: computational aspects
Computing $C = M^e \pmod n$
– use the following two properties:
1. A * B mod n = (A mod n)*(B mod n) mod n
Or, e.g., $19^5 \bmod 119 = (19^2 \bmod 119) \cdot (19^3 \bmod 119) \bmod 119$
2. A**8 = (A**4)**2 = ((A**2)**2)**2
Or, 19**9 = (19**8)*(19**1) = (((19**2)**2)**2)*(19**1)

RSA: key generation
Selecting two primes: p, q
– Should be very large
    Since M < n = p*q
    Infeasible to calculate factors p, q of n by exhaustive search
– Finding large primes
    Pick a large number randomly, and then test
Selecting e, relatively prime to phi = (p-1)*(q-1)
– Pick an e, and test for relative primality
– Extended Euclid’s algorithm computes gcd, and inverse, d

RSA: its strength
Brute force
Factor n to obtain p and q
– Then calculate phi = (p-1)*(q-1), and then invert e to obtain d
“Factor” n to obtain phi
– Then invert e to obtain d
Progress towards meeting challenges
– Ciphers using RSA with keys of size up to 431 bits have been deciphered
    Effort involved was only 500 MIPS-years (1 MIPS machine working for 1 year; a 200 MHz Pentium is 50 MIPS)
    A 2048 bit RSA is expected to require $10^{14}$ MIPS-years
Today, and for the near future, consider RSA key size of 1024 to 2048
Additionally consider selecting p and q appropriately, such that p and q are of approx. same length, etc.

RSA: distribution of public keys
Public announcements
Directory on the web, where data is secured
Public-key authority
Certificates

RSA: distribution of public keys
Public announcements
– Public key is “public”
– User can share his/her public key with others
– Popular with PGP
– However, one may even send “false” keys

RSA: distribution of public keys
Publicly accessible directory
– By a trusted and well known “authority”
– Individual users “register” their public key using some other means
– Public keys are secure
– For instance on the web, or printed directory
– Individual users control, update their public keys, and do so in a secure manner
– Weaknesses:
    Break into the authority’s database
    Alter the key during communication

RSA: distribution of public keys
Public-key authority
– Very similar to publicly accessible directory
– Different: user can request/obtain public key in secure manner
Parties: Initiator A; Initiator B; X, PK authority
Between Initiator A and X, PK authority:
1. $REQ(KU_B, T_1)$
2. $ENC_{KU_X}(KU_B, REQ(KU_B, T_1))$
Between Initiator B and X, PK authority:
4. $REQ(KU_A, T_2)$
5. $ENC_{KU_X}(KU_A, REQ(KU_A, T_2))$
Between Initiator A and Initiator B:
3. $ENC_{KU_B}(ID_A, N_1)$
6. $ENC_{KU_A}(ID_B, N_1, N_2)$
7. $ENC_{KU_B}(N_2)$

RSA: distribution of public keys
Public-key certificates
– Certificates need not be issued each time
– Sender provides public key with a certificate
– Receiver checks the certificate, thereby confirms public key
– A certificate:
    Anyone can read, determine the owner’s public key
    Anyone can verify that certificate is signed by authority
    Only the certificate authority can create a certificate
    Anyone can check “currency” of certificate

RSA: Certificates
$CERT_A = ENC_{PU_X}(ID_A, KU_A, T_A, DUR_A)$
where
$PU_X$ is public key of certification authority
$ID_A$ is user ID
$KU_A$ is public key of A
$T_A$ is time of issuance of certificate
$DUR_A$ is the duration for which the certificate is valid

Lecture 4: Message Authentication

Message authentication
Source of message
– Protection against masquerading
Integrity of message
– Protection against modification
Integrity of sequence of messages
– Protection against deletion, addition and re-ordering
Integrity of timing
– Protection against delay and replay

Using private-key encryption
Encrypt message using private-key encryption system
– Basically provides confidentiality
– Authentication and integrity check are difficult, but possible
    Particularly if it is some bit sequence
    Use an FCS (frame check sequence), as in TCP
    Integrity of a sequence of TCP messages can also be ensured
Does not provide for non-repudiation

Using public-key encryption
Similar, except that it only provides for authentication
Again, the transmitted message must have some structure (FCS, for example)

Message Authentication Codes
Integrity check is not difficult any more
Based on private-key encryption
Transmitted message is (M, MAC)
$MAC = C_K(M)$
where:
– C is MAC algorithm,
– K is the shared key
Provides for message integrity, user authentication, but not non-repudiation

Message Authentication Codes
Algorithm C differs:
– from encryption in that it is NOT reversible
– from FCS, etc. in that it is not easy to design a new message with same FCS
– from use of hash functions, in that encryption and “hashing” is simultaneous
Algorithm C is more difficult to crack

Message authentication codes
Authentication based on MAC: superior since it is efficient
Authentication based on appending an FCS, then encrypting
FCS is a bad idea, anyway
[Figure: Message, fcs(), ||, E() keyed with K, Data sent]
[Figure: Message, MAC() keyed with K, ||, Data sent]

Message authentication: alternatives
[Figure: Message, H(), E() keyed with K, ||, Data sent]
[Figure: Message, ||, H(), E() keyed with K, Data sent]

Digital Signature
[Figure: Message, H(), E() keyed with KR, ||, Data sent]

Message authentication: alternatives
[Figure: Message, ||, Secret K, H(), ||, Data sent]
This approach completely does away with encryption
– Efficient
– Strength depends completely on how good the hashing function is

MAC codes
MAC is also known as cryptographic checksum
Transmitted message is (M, MAC)
$MAC = C_K(M)$
where:
– C is MAC algorithm,
– MAC is n bit long
– M is variable length message
– K is k-bit shared key
MAC requirements:
– Given M, $C_K(M)$ it should be computationally infeasible to obtain M’ s.t. $MAC = C_K(M) = C_K(M')$
– $MAC = C_K(M)$ should be uniformly distributed, or for random M, M’: $\Pr[C_K(M) = C_K(M')] = 2^{-n}$
– Similarly if M’ is obtained by carrying out simple transformations

MAC Codes
64 bit DAA (Data Authentication Algorithm) is based on DES:
$O_1 = E_K(D_1)$
$O_2 = E_K(O_1 \oplus D_2)$
$O_3 = E_K(O_2 \oplus D_3)$
…
$O_N = E_K(O_{N-1} \oplus D_N)$

Hash functions
Requirements of a hash function:
– Can be applied to block of data of any size
– Produces a fixed length digest
– Easy to compute h = H(M)
– One-way function: given h, it must be computationally infeasible to compute M such that h = H(M)
– Weak collision: Given M, it must be computationally infeasible to compute M’ such that H(M’) = H(M)
– Strong collision: computationally infeasible to find M, M’ such that H(M’) = H(M)
[Figure: Message, H(), E() keyed with KR, ||, Data sent]

Hash functions
Simple hash function:
$O_1 = D_1$
$O_2 = O_1 \oplus D_2$
$O_3 = O_2 \oplus D_3$
…
$O_N = O_{N-1} \oplus D_N$
MD4, MD5

MD5
Developed in 1992, by Ron Rivest
128 bit hash code
Processes 512 bits at a time (add padding bits if necessary)
4 rounds of 16 steps each, involving gcd, and + mod $2^{32}$ operations
[Figure: message blocks Y0, Y1, …, YL; IV; HMD5 stages; chaining values CV1, CV2, …, CVL-1, CVL]

MD4
Similar to MD5, developed earlier in 1990 by Ron Rivest
128 bit hash code, processes 512 bits at a time
3 rounds of 16 steps each, involving gcd, and + mod $2^{32}$ operations
– faster

SHA-1 hash function
Developed by NIST in 1995
Based on MD4
160 bit hash
Operates on blocks of length 512 bit
More secure against brute force attacks
Appears to be secure against cryptanalysis
MD5 and SHA-1 are equally fast, simple

HMAC
Truly a MAC
Required for IPSec
Based on hash functions
Any “good” hash function can be used
The “IV” can be kept secret (becomes the key)
MD5 or SHA-1 can be used
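
An added example, not part of the original tutorial, that sets the simple XOR hash from the hash-function slides against the weak-collision requirement and then checks the same two messages with HMAC-SHA-1 from the Python standard library. The 8-byte block size, the zero padding, the sample messages and the key are constructed assumptions.

```python
# Added example: the slides' simple XOR hash versus HMAC on constructed messages.
import hashlib
import hmac

BLOCK = 8  # 64-bit blocks (assumption; the slide does not fix a block size)

def xor_hash(message: bytes) -> bytes:
    """Simple hash: O_1 = D_1, O_i = O_(i-1) XOR D_i; last block zero-padded."""
    if len(message) % BLOCK:
        message += b"\x00" * (BLOCK - len(message) % BLOCK)
    out = bytes(BLOCK)                   # all-zero start, so O_1 = D_1
    for i in range(0, len(message), BLOCK):
        out = bytes(a ^ b for a, b in zip(out, message[i:i + BLOCK]))
    return out

def hmac_tag(key: bytes, message: bytes) -> bytes:
    """MAC = C_K(M) with C = HMAC-SHA-1 (160-bit tag)."""
    return hmac.new(key, message, hashlib.sha1).digest()

def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the MAC and compare in constant time."""
    return hmac.compare_digest(hmac_tag(key, message), tag)

# Constructed sample data: three 8-byte blocks, then the same blocks reordered.
ORIGINAL = b"PAY 0100TO ALICEFROM BOB"
REORDERED = b"TO ALICEPAY 0100FROM BOB"
KEY = b"constructed-shared-key"

if __name__ == "__main__":
    # XOR is commutative, so block order does not affect the digest:
    # the weak-collision requirement fails.
    print(xor_hash(ORIGINAL) == xor_hash(REORDERED))
    tag = hmac_tag(KEY, ORIGINAL)
    print(verify(KEY, ORIGINAL, tag), verify(KEY, REORDERED, tag))
```
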

Thanks