Cryptography and Network Security

UNIT-I: Security trends; OSI Security Architecture; Security Attacks; Security Services; Security Mechanisms; A Model for Network Security; Symmetric Cipher Model; Substitution Techniques and Transposition Techniques; Block Cipher Principles; The Data Encryption Standard and the Strength of DES; Differential and Linear Cryptanalysis; Block Cipher Design Principles; Evaluation Criteria for AES and the AES Cipher.
Cryptography
Cryptography is the study of secret (crypto-) writing (-graphy): the study of encryption principles and methods.
Cryptography deals with creating documents that can be shared secretly over public communication channels.

Cryptanalysis
Cryptanalysis (code breaking) is the study of the principles and methods of decrypting ciphertext without knowing the key.

Cryptology
The areas of cryptography and cryptanalysis together are called cryptology.
Computer Security
Generic name for the collection of tools designed to protect data.

Network Security
Used to protect data during their transmission.

Internet Security
Used to protect data during their transmission over a collection of interconnected networks.
Security trends
In 1994, the Internet Architecture Board (IAB) issued a report entitled "Security in the Internet Architecture".
The report stated the general agreement that the Internet needs more and better security, and it identified key areas for security mechanisms.

CERT Statistics
Security trend in Internet-related vulnerabilities reported to CERT over a 10-year period.
These include security weaknesses in the operating systems of attached computers as well as vulnerabilities in Internet routers and other network devices.
(Figure: CERT statistics chart.)
OSI Security Architecture
The OSI (Open Systems Interconnection) security architecture provides a systematic framework for defining security attacks, mechanisms, and services.

Services, Mechanisms, Attacks
Consider three aspects of information security: security attack, security mechanism, security service.

Security service
A service that enhances the security of data processing systems and information transfers.
A security service makes use of one or more security mechanisms.

Security Services: Authentication, Access Control, Data Confidentiality, Data Integrity, Non-Repudiation.
Authentication
Authentication is the process of verifying the identity of the sender.

Access Control
Prevention of the unauthorized use of a resource.

Data Confidentiality
Protection of data from unauthorized disclosure.

Data Integrity
Assurance that data received are as sent by an authorized entity.

Non-Repudiation
Non-repudiation prevents either sender or receiver from denying a transmitted message.

Security Mechanism
A mechanism that is designed to detect, prevent, or recover from a security attack.
Encipherment
The use of mathematical algorithms to transform data into a form that is not understandable.

Digital signature
A valid digital signature gives a recipient reason to believe that the message was created by a known sender.

Access control
A variety of mechanisms that enforce access rights to resources.

Data integrity
A variety of mechanisms used to assure the integrity of a data unit.

Traffic padding
The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.

Routing control
Enables selection of particular physically secure routes for data.

Notarization
The use of a trusted third party to assure certain properties of a data exchange.
Security Attack
Any action that compromises the security of information. "Threat" and "attack" are used to mean the same thing.

Passive attacks
Passive attacks attempt to learn or make use of information from the system but do not affect system resources.
They are difficult to detect because they do not involve any alteration of the data.
Two kinds of passive attack: release of message contents, and traffic analysis.

Active attacks
Active attacks attempt to alter system resources or affect their operation. They are easy to detect because they involve alteration of the data.
Four kinds of active attack: masquerade, replay, modification of messages, and denial of service.

Masquerade
A masquerade takes place when one entity pretends to be a different entity.
Model for Network Security
(Figure: model for network security.)
The model involves four tasks:
• design a suitable algorithm for the security transformation
• generate the secret keys used by the algorithm
• develop methods to distribute the secret key
• specify a protocol enabling the principals to use the transformation and secret information for a security service

Model for Network Access Security
(Figure: model for network access security.)
Symmetric Encryption
Symmetric encryption is also referred to as conventional encryption or single-key encryption.
All traditional schemes are symmetric / single-key / private-key encryption algorithms, with a single key used for both encryption and decryption.
Since sender and receiver are equivalent, either can encrypt or decrypt messages using that common key.

Some Basic Terminology
• plaintext - original message
• ciphertext - coded message
• key - shared by both sender and receiver
• encipher (encrypt) - converting plaintext to ciphertext
• decipher (decrypt) - converting ciphertext to plaintext

Symmetric Cipher Model
(Figure: symmetric cipher model.)

Cryptography
A cryptographic system is characterized by:
• the type of encryption operations used: substitution / transposition / product
• the number of keys used: single-key or private / two-key or public
• the way in which plaintext is processed: block / stream
Cryptanalysis
There are two general approaches to attacking a conventional encryption scheme: cryptanalytic attack and brute-force attack.

Cryptanalytic attack
Cryptanalytic attacks rely on the nature of the algorithm plus perhaps some knowledge of the general characteristics of the plaintext.

Brute-force attack
Brute-force attacks try every possible key on a piece of ciphertext until an intelligible plaintext is obtained.

Types of Encryption Schemes
• Classical: substitution, transposition, steganography
• Rotor machines
• Modern: secret key (block, stream), public key
Substitution Techniques
Letters of plaintext are replaced by other letters or by numbers or symbols.

Caesar Cipher
The Caesar cipher involves replacing each letter of the alphabet with the letter standing k places further down the alphabet, for k in the range 1 through 25.
Mathematically, give each letter a number:
a b c d e f g h i j k  l  m  n  o  p  q  r  s  t  u  v  w  x  y  z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
Then the Caesar cipher is:
c = E(p) = (p + k) mod 26
p = D(c) = (c - k) mod 26
Example (k = 3):
plaintext:  meet me after the toga party
ciphertext: PHHW PH DIWHU WKH WRJD SDUWB
Brute-Force Cryptanalysis of Caesar Cipher
If it is known that a given ciphertext is a Caesar cipher, then a brute-force cryptanalysis is easily performed: simply try all 25 possible keys.
Monoalphabetic Ciphers
A monoalphabetic substitution uses a fixed substitution over the entire message.
Shuffle the letters and map each plaintext letter to a different random ciphertext letter:
Plain letters:  abcdefghijklmnopqrstuvwxyz
Cipher letters: DKVQFIBJWPESCXHTMYAUOLRGZN
Plaintext:  ifwewishtoreplaceletters
Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA

Monoalphabetic Cipher Security
• the monoalphabetic substitution cipher is not secure
• the problem is language characteristics
(Figure: relative frequency of letters in English text.)
Monoalphabetic Cipher
The relative frequency of the letters in the ciphertext can be determined and compared to a standard frequency distribution for English.
If the message were long enough, this technique alone might be sufficient to break the cipher.
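Worked example (added here; not code from the slides): the Caesar cipher formulas above, the 25-key brute force, and the letter-frequency comparison used against a monoalphabetic substitution, all in one Python script. The English frequency table is the standard reference percentages; the chi-squared scoring of each candidate key is the added scoring method that automates "which of the 25 candidates reads as English".

```python
import string
from collections import Counter

ALPHABET = string.ascii_lowercase

# Relative frequencies (percent) of the letters a..z in English text; these are the
# standard reference values a frequency attack compares against.
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]


def caesar_encrypt(plaintext, k):
    """c = (p + k) mod 26 for each letter; spaces and punctuation pass through."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26].upper())
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext, k):
    """p = (c - k) mod 26, i.e. encryption with the negated key."""
    return caesar_encrypt(ciphertext, -k).lower()


def chi_squared(text):
    """Distance between the letter counts of `text` and English; lower is more English-like."""
    letters = [c for c in text.lower() if c in ALPHABET]
    n = len(letters)
    if n == 0:
        return float("inf")
    counts = Counter(letters)
    score = 0.0
    for i, ch in enumerate(ALPHABET):
        expected = n * ENGLISH_FREQ[i] / 100
        score += (counts[ch] - expected) ** 2 / expected
    return score


def caesar_brute_force(ciphertext):
    """Try all 25 keys and rank the candidates; returns (score, key, text), best first."""
    candidates = []
    for k in range(1, 26):
        candidate = caesar_decrypt(ciphertext, k)
        candidates.append((chi_squared(candidate), k, candidate))
    candidates.sort()
    return candidates


def letter_frequencies(text):
    """Relative frequency of each letter, most common first: the starting point for
    attacking a monoalphabetic substitution (the most common ciphertext letter is
    usually the image of plaintext e)."""
    letters = [c for c in text.lower() if c in ALPHABET]
    counts = Counter(letters)
    return sorted(((ch, counts[ch] / len(letters)) for ch in counts), key=lambda t: -t[1])


if __name__ == "__main__":
    c = caesar_encrypt("meet me after the toga party", 3)
    print(c)                                   # PHHW PH DIWHU WKH WRJD SDUWB
    print(caesar_brute_force(c)[0])            # best-scoring candidate: key 3
    print(letter_frequencies("WIRFRWAJUHYFTSDVFSFUUFYA")[:3])
```

Even on the 23-letter toga-party message the correct key scores best, because every wrong key lands at least one letter on a rare English letter (j, q, x, z) and pays heavily for it; on longer ciphertexts the ranking only gets clearer.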
Playfair Cipher
The Playfair algorithm is based on the use of a 5 x 5 matrix of letters constructed using a keyword.
Plaintext is encrypted two letters at a time using this matrix.
(Figure: Playfair matrix.)
Rules:
- Take a pair of letters from the plaintext.
- Separate repeating letters with an x.
- Plaintext letters in the same row are replaced by the letters to the right (cyclically).
- Plaintext letters in the same column are replaced by the letters below (cyclically).
- Plaintext letters in a different row and column are each replaced by the letter in their own row and in the column of the other letter.
Example:
Keyword: LARGEST
Plaintext: mu st se ey ou
Ciphertext: UZTBDLGZPN
Hill Cipher
The encryption algorithm takes m successive plaintext letters and substitutes for them m ciphertext letters.
The substitution is determined by m linear equations in which each character is assigned a numerical value (a = 0, b = 1, ..., z = 25).
For m = 3 this can be written C = KP mod 26, where C and P are column vectors of length 3 representing the ciphertext and plaintext, and K is a 3 x 3 matrix representing the encryption key.
In general terms, the Hill cipher system can be expressed as follows:
C = E(K, P) = KP mod 26
P = D(K, C) = K^-1 C mod 26 = K^-1 KP = P
(Another example to try: the message 'CAT' with the key GYBNQKURP.)

Worked example with a 3 x 3 key. Here the plaintext is written as a row vector and multiplied on the right by K (C = PK mod 26):
K =
17 17  5
21 18 21
 2  2 19
Plaintext: paymoremoney
m = 3: (p a y) = (15 0 24)
Encryption:
(15 0 24) K = (303 303 531) mod 26 = (17 17 11) = RRL
So the ciphertext for "pay" is RRL.
For decryption you have to find K^-1.
How to find the inverse of K:
1. Find the cofactor of each element of the matrix.
2. Transpose the cofactor matrix; the result is the adjugate adj(K).
Cofactor matrix:
 300 -357   6
-313  313   0
 267 -252 -51
Transpose, i.e. adj(K):
 300 -313  267
-357  313 -252
   6    0  -51
Determinant of K = 17(18*19 - 21*2) - 17(21*19 - 21*2) + 5(21*2 - 18*2) = -939
Now K^-1 = (det K)^-1 * adj(K) mod 26.
(det K)^-1 = (-939)^-1 mod 26 = (-939 mod 26)^-1 = 23^-1 mod 26 (the easy way to find -939 mod 26 is to keep adding 26 to -939 until you get a positive value, which gives 23).
23 * 17 = 391 = 15 * 26 + 1, so 391 mod 26 = 1 (find the number s such that 23 * s mod 26 = 1).
So (-939)^-1 mod 26 = 17.
K^-1 = 17 * adj(K) mod 26 =
17 *
 300 -313  267
-357  313 -252
   6    0  -51
=
 5100 -5321  4539
-6069  5321 -4284
  102     0  -867
mod 26 =
 4  9 15
15 17  6
24  0 17
This is the inverse matrix.
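Added example (not from the slides): the cofactor / transpose / modular-inverse-of-the-determinant procedure above as Python, using the same key matrix and the same row-vector convention C = PK mod 26. The adjugate and determinant routines are written for any small square matrix; padding an incomplete final block with x is my assumption.

```python
import string

MOD = 26
LETTERS = string.ascii_lowercase


def minor(m, r, c):
    """Matrix m with row r and column c removed."""
    return [row[:c] + row[c + 1:] for i, row in enumerate(m) if i != r]


def det(m):
    """Determinant by expansion along the first row (fine for the small keys used here)."""
    if len(m) == 1:
        return m[0][0]
    return sum((-1) ** c * m[0][c] * det(minor(m, 0, c)) for c in range(len(m)))


def adjugate(m):
    """Step 1: cofactor of every element; step 2: transpose the cofactor matrix."""
    n = len(m)
    cof = [[(-1) ** (r + c) * det(minor(m, r, c)) for c in range(n)] for r in range(n)]
    return [[cof[c][r] for c in range(n)] for r in range(n)]


def inverse_mod(m, mod=MOD):
    """K^-1 = (det K)^-1 * adj(K) mod 26.
    pow(d, -1, 26) raises ValueError when det K shares a factor with 26, i.e. when
    the key is not invertible and must be rejected."""
    d = det(m) % mod
    d_inv = pow(d, -1, mod)
    return [[(d_inv * v) % mod for v in row] for row in adjugate(m)]


def hill_encrypt(text, K):
    """Row-vector convention of the worked example: C = P K mod 26."""
    n = len(K)
    nums = [LETTERS.index(ch) for ch in text.lower() if ch in LETTERS]
    while len(nums) % n:                 # pad the last block with x (assumption)
        nums.append(LETTERS.index("x"))
    out = []
    for i in range(0, len(nums), n):
        block = nums[i:i + n]
        out.extend(sum(block[r] * K[r][c] for r in range(n)) % MOD for c in range(n))
    return "".join(LETTERS[v].upper() for v in out)


def hill_decrypt(text, K):
    """Decrypt by encrypting with the inverse key."""
    return hill_encrypt(text, inverse_mod(K)).lower()


# Key matrix from the worked example.
K = [[17, 17, 5],
     [21, 18, 21],
     [2, 2, 19]]

if __name__ == "__main__":
    print(det(K))                        # -939
    print(adjugate(K))                   # [[300, -313, 267], [-357, 313, -252], [6, 0, -51]]
    print(inverse_mod(K))                # [[4, 9, 15], [15, 17, 6], [24, 0, 17]]
    print(hill_encrypt("pay", K))        # RRL
    print(hill_decrypt(hill_encrypt("paymoremoney", K), K))
```

The check that matters for a key is the one in inverse_mod: a determinant that is even or divisible by 13 has no inverse mod 26, so such a K encrypts but can never be decrypted.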
Polyalphabetic Ciphers
Each plaintext letter has multiple corresponding ciphertext letters.

Vigenère Cipher
The Vigenère cipher is a method of encrypting alphabetic text by using a series of different Caesar ciphers based on the letters of a keyword.
It is a simple form of polyalphabetic substitution.
To encrypt a message, a key is needed that is as long as the message. Usually, the key is a repeating keyword.
key:        deceptivedeceptivedeceptive
plaintext:  wearediscoveredsaveyourself
ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ
One-time pad
The one-time pad's security comes from its key: the key is EQUAL in length to the plaintext and is COMPLETELY random.
Example:
Message:                 H  E  L  L  O   ->   7  4 11 11 14
Key:                     X  M  C  K  L   ->  23 12  2 10 11
Message + key:                                30 16 13 21 25
Message + key (mod 26):                        4 16 13 21 25
Ciphertext:              E  Q  N  V  Z
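Added example (not from the slides) covering both the Vigenère cipher and the one-time pad: the two differ only in where the key comes from, so one letter-shifting helper serves both. The Vigenère functions repeat the keyword; the one-time-pad functions insist on a key exactly as long as the message and draw a fresh one from the operating-system random source. The pad_reuse_leak function is an added illustration of why the pad must be used once.

```python
import secrets
import string

LETTERS = string.ascii_uppercase


def _letters_only(s):
    return "".join(ch for ch in s.upper() if ch in LETTERS)


def _shift_letters(text, key, sign):
    """c = (p + k) mod 26 (sign=+1) or p = (c - k) mod 26 (sign=-1), letter by letter.
    `key` must already be as long as `text`."""
    return "".join(LETTERS[(LETTERS.index(p) + sign * LETTERS.index(k)) % 26]
                   for p, k in zip(text, key))


def _repeat_key(keyword, length):
    keyword = _letters_only(keyword)
    return (keyword * (length // len(keyword) + 1))[:length]


def vigenere_encrypt(plaintext, keyword):
    text = _letters_only(plaintext)
    return _shift_letters(text, _repeat_key(keyword, len(text)), +1)


def vigenere_decrypt(ciphertext, keyword):
    text = _letters_only(ciphertext)
    return _shift_letters(text, _repeat_key(keyword, len(text)), -1)


def otp_keygen(length):
    """A uniformly random key of exactly the message length, never to be reused."""
    return "".join(secrets.choice(LETTERS) for _ in range(length))


def _check_pad(text, key):
    if len(key) != len(text):
        raise ValueError("one-time pad key must be exactly as long as the message")


def otp_encrypt(plaintext, key):
    text, key = _letters_only(plaintext), _letters_only(key)
    _check_pad(text, key)
    return _shift_letters(text, key, +1)


def otp_decrypt(ciphertext, key):
    text, key = _letters_only(ciphertext), _letters_only(key)
    _check_pad(text, key)
    return _shift_letters(text, key, -1)


def otp_selftest(message):
    """Fresh pad, encrypt, decrypt: returns True when the plaintext comes back."""
    text = _letters_only(message)
    key = otp_keygen(len(text))
    return otp_decrypt(otp_encrypt(text, key), key) == text


def pad_reuse_leak(c1, c2, p1, p2):
    """If one pad encrypted both messages, the letter-wise difference of the two
    ciphertexts equals the difference of the plaintexts: the pad cancels out."""
    diff_c = _shift_letters(_letters_only(c1), _letters_only(c2), -1)
    diff_p = _shift_letters(_letters_only(p1), _letters_only(p2), -1)
    return diff_c == diff_p


if __name__ == "__main__":
    print(vigenere_encrypt("wearediscoveredsaveyourself", "deceptive"))  # ZICVTWQNGRZGVTWAVZHCQYGLMGJ
    print(otp_encrypt("HELLO", "XMCKL"))                                 # EQNVZ
    print(otp_selftest("attack at dawn"))                                # True
```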
Transposition Encryption
The positions of the plaintext letters are changed.

Rail Fence cipher
The simplest such cipher is the rail fence technique, in which the plaintext is written down as a sequence of diagonals and then read off as a sequence of rows.
The example message is: meet me after the toga party
Write the message out in two rows:
m e m a t r h t g p r y
 e t e f e t e o a a t
Reading row by row gives the ciphertext: MEMATRHTGPRYETEFETEOAAT

Row Transposition Ciphers
A more complex transposition cipher is to write the message in a rectangle, row by row, and read the message off column by column, but with the order of the columns permuted by the key.
(Figure: row transposition example.)
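Added example (not from the slides): rail fence and row (columnar) transposition as Python, each with its decryption. The rail fence code generalizes the two-row example above to any number of rails; the columnar cipher takes the key as a permutation of column numbers, and the key 4312567 with the padded message used for it is a constructed input, not an example from these slides.

```python
def _rail_index(i, rails):
    """Row that the i-th letter falls on when written in a zig-zag across `rails` rows."""
    period = 2 * (rails - 1)
    pos = i % period
    return pos if pos < rails else period - pos


def rail_fence_encrypt(plaintext, rails=2):
    """Write diagonally, read row by row."""
    letters = [c.upper() for c in plaintext if c.isalpha()]
    rows = [[] for _ in range(rails)]
    for i, ch in enumerate(letters):
        rows[_rail_index(i, rails)].append(ch)
    return "".join("".join(row) for row in rows)


def rail_fence_decrypt(ciphertext, rails=2):
    """Rebuild the rows from their known lengths, then read the zig-zag back."""
    pattern = [_rail_index(i, rails) for i in range(len(ciphertext))]
    rows, start = [], 0
    for r in range(rails):
        count = pattern.count(r)
        rows.append(list(ciphertext[start:start + count]))
        start += count
    return "".join(rows[r].pop(0) for r in pattern)


def columnar_encrypt(plaintext, key):
    """Write the message in rows of len(key); read the columns in the order given by
    the key (column whose key digit is 1 first). Short final rows are padded with X."""
    letters = [c.upper() for c in plaintext if c.isalpha()]
    n = len(key)
    while len(letters) % n:
        letters.append("X")
    rows = [letters[i:i + n] for i in range(0, len(letters), n)]
    order = sorted(range(n), key=lambda col: key[col])
    return "".join(row[col] for col in order for row in rows)


def columnar_decrypt(ciphertext, key):
    n = len(key)
    height = len(ciphertext) // n
    order = sorted(range(n), key=lambda col: key[col])
    cols = {}
    for k, col in enumerate(order):
        cols[col] = ciphertext[k * height:(k + 1) * height]
    return "".join(cols[col][r] for r in range(height) for col in range(n))


if __name__ == "__main__":
    c = rail_fence_encrypt("meet me after the toga party")
    print(c)                                      # MEMATRHTGPRYETEFETEOAAT
    print(rail_fence_decrypt(c))                  # MEETMEAFTERTHETOGAPARTY
    # constructed input for the columnar cipher
    c2 = columnar_encrypt("attackpostponeduntiltwoamxyz", [4, 3, 1, 2, 5, 6, 7])
    print(c2, columnar_decrypt(c2, [4, 3, 1, 2, 5, 6, 7]))
```

Transposition keeps every plaintext letter, so the ciphertext has exactly the letter frequencies of English; that is how an analyst recognizes a pure transposition and why these ciphers were combined with substitution in practice.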
Rotor machine
In cryptography, a rotor machine is an electro-mechanical device used for encrypting and decrypting secret messages.
(Figure: example of a rotor machine.)

Steganography
Steganography is the art and science of writing hidden messages in such a way that no one apart from the sender and the intended receiver knows that a message exists.
Character marking: selected letters of printed or typewritten text are overwritten in pencil. The marks are ordinarily not visible unless the paper is held at an angle to bright light.
Invisible ink: a number of substances can be used for writing but leave no visible trace until heat or some chemical is applied to the paper.
Pin punctures: small pin punctures on selected letters are ordinarily not visible unless the paper is held up in front of a light.
Block Cipher Principles
A block cipher is an encryption/decryption scheme in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length.
Divide the input bit stream into n-bit sections and encrypt each section on its own.

Block ciphers versus stream ciphers
Block ciphers process messages in blocks; stream ciphers process messages one bit or byte at a time.

Reversible Mapping
Each block of plaintext must produce a unique ciphertext block. Such a transformation is called reversible (nonsingular).
(Figure: reversible mapping.)

Irreversible Mapping
If two different plaintext blocks can produce the same ciphertext block, the ciphertext cannot be decrypted uniquely. Such a transformation is called irreversible (singular).
(Figure: irreversible mapping.)

Feistel cipher
A Feistel cipher is a symmetric structure used in the construction of block ciphers.
Confusion and Diffusion
• "Confusion" = substitution (a nonlinear function), e.g. a -> b
• "Diffusion" = transposition (a linear function), e.g. abcd -> dacb
(Figure: encryption of plaintext to ciphertext with key KA, decryption back to plaintext with key KB.)

Confusion
Each bit of the ciphertext block has highly nonlinear relations with the plaintext block bits and the key bits.

Diffusion
Each plaintext block bit or key bit affects many bits of the ciphertext block.
Feistel Cipher Structure
The inputs to the encryption algorithm are a plaintext block of length 2w bits and a key K. The plaintext block is divided into two halves, L0 and R0. The two halves of the data pass through n rounds of processing and then combine to produce the ciphertext block.
Each round i has as inputs Li-1 and Ri-1, derived from the previous round, as well as a subkey Ki, derived from the overall K.
A substitution is performed on the left half of the data. This is done by applying a round function F to the right half of the data and then taking the exclusive-OR of the output of that function and the left half of the data. The two halves are then swapped:
Li = Ri-1
Ri = Li-1 XOR F(Ri-1, Ki)
(Figure: Feistel cipher structure.)

Feistel Cipher Design Elements
• block size - increasing the size improves security, but decreases the encryption speed.
• key size - increasing the key size improves security, but decreases the encryption speed.
• number of rounds - increasing the number of rounds improves security, but decreases the encryption speed.
• subkey generation algorithm - greater complexity can make analysis harder, but decreases the encryption speed.
• round function - greater complexity can make analysis harder, but decreases the encryption speed.
Simplified DES
Developed in 1996 as a teaching tool by Prof. Edward Schaefer of Santa Clara University.
Takes an 8-bit block of plaintext and a 10-bit key and produces an 8-bit block of ciphertext.
Decryption takes the 8-bit block of ciphertext and the same 10-bit key and produces the original 8-bit block of plaintext.
(Figure: S-DES overview.)

Five Functions to Encrypt
• IP - an initial permutation
• fK - a complex, 2-input function
• SW - a simple permutation that swaps the two nibbles
• fK - the complex, 2-input function again
• IP-1 - the inverse of the initial permutation
(Figures: S-DES key generation and encryption details.)
DES
The Data Encryption Standard (DES) is a block cipher that uses shared-secret encryption.
Data are encrypted in 64-bit blocks using a 56-bit key. The algorithm transforms a 64-bit input in a series of steps into a 64-bit output.
• Adopted in 1976 as the US Government standard encryption technique
• Utilizes a 56-bit symmetric key
• Cracked in 1998
• Replaced in 2002 by AES, which utilizes 128-bit keys
(Figure: general depiction of the DES algorithm.)
• First, the 64-bit plaintext passes through an initial permutation (IP) that rearranges the bits to produce the permuted input.
• This is followed by a phase consisting of 16 rounds of the same function, which involves both permutation and substitution functions.
• The output of the last (sixteenth) round consists of 64 bits that are a function of the input plaintext and the key.
• The left and right halves of the output are swapped to produce the preoutput.
• Finally, the preoutput is passed through a permutation (IP-1) that is the inverse of the initial permutation function, to produce the 64-bit ciphertext.
(Figures: 64-bit input; initial permutation; Figure 23-13: permutation.)

Details of a Single Round
• uses two 32-bit halves, L and R
• as for any Feistel cipher, a round can be described as:
Li = Ri-1
Ri = Li-1 XOR F(Ri-1, Ki)
• F takes the 32-bit R half and a 48-bit subkey:
- expands R to 48 bits using the permutation E
- adds to the subkey using XOR
- passes through 8 S-boxes to get a 32-bit result
- finally permutes using the 32-bit permutation P
(Figure: single round of DES.)
Expansion Permutation (E)
(Figure: E takes the 32-bit R half and produces 48 bits; input bits 1 4 5 8 9 12 13 16 17 20 21 24 25 28 29 32 are duplicated.)

Definition of DES S-Boxes
(Table: the eight DES S-boxes.)
S-Boxes
• The substitution consists of a set of eight S-boxes, each of which accepts 6 bits as input and produces 4 bits as output.
• The first and last bits of the input to box Si form a 2-bit binary number that selects the row of the table for Si.
• The middle four bits select one of the sixteen columns.
Example
• For example, in S1 for input 011001, the row is 01 (row 1) and the column is 1100 (column 12).
• The value in row 1, column 12 is 9, so the output is 1001.
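Added example (not from the slides): the S-box lookup rule above in Python, run on the 011001 example with the real table for S1 (from the DES standard). Two added checks show properties of the table that matter for the strength of DES: each row is a permutation of 0..15, and the difference distribution (how often a fixed XOR difference on the input produces a given XOR difference on the output) is what differential cryptanalysis measures.

```python
# S1 of DES (FIPS 46): 4 rows x 16 columns.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox_lookup(box, six_bits):
    """six_bits is a string such as '011001'. The outer two bits select the row,
    the middle four select the column; the result is returned as four bits."""
    if len(six_bits) != 6 or set(six_bits) - {"0", "1"}:
        raise ValueError("S-box input must be exactly six binary digits")
    row = int(six_bits[0] + six_bits[5], 2)
    col = int(six_bits[1:5], 2)
    return format(box[row][col], "04b")


def _s(box, x):
    """Integer form of the lookup, 0 <= x < 64."""
    return int(sbox_lookup(box, format(x, "06b")), 2)


def rows_are_permutations(box):
    """A DES design criterion: every row of an S-box is a permutation of 0..15."""
    return all(sorted(row) == list(range(16)) for row in box)


def difference_table_max(box):
    """For each nonzero input difference d_in, count how the 64 inputs distribute over
    output differences S(x) xor S(x xor d_in). The largest count, divided by 64, is the
    best single-S-box probability a differential attack can exploit."""
    worst = 0
    for d_in in range(1, 64):
        counts = {}
        for x in range(64):
            d_out = _s(box, x) ^ _s(box, x ^ d_in)
            counts[d_out] = counts.get(d_out, 0) + 1
        worst = max(worst, max(counts.values()))
    return worst


if __name__ == "__main__":
    print(sbox_lookup(S1, "011001"))          # 1001
    print(rows_are_permutations(S1))          # True
    print(difference_table_max(S1), "/ 64")   # the most likely input/output difference pair
```

A lower maximum in the difference table means that no input difference predicts an output difference with high probability, which is exactly what the designers wanted from the S-boxes when they were chosen.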
(Figures: S-box tables.)

Key Generation
(Figures: 64-bit input key; Permuted Choice One (PC-1); Permuted Choice Two (PC-2); schedule of left shifts.)

Avalanche Effect
A small change in the plaintext or in the key results in a significant change in the ciphertext.
DES provides a strong avalanche effect: changing 1 bit in the plaintext affects 34 bits in the ciphertext on average.
(Figure: avalanche effect in DES.)
The Strength of DES
• The use of a 56-bit key
• The nature of the DES algorithm
• Timing attacks

The use of a 56-bit key
• With a key length of 56 bits, there are 2^56 possible keys.
• A single machine performing one DES encryption per microsecond would take more than a thousand years to break the cipher.

The nature of the DES algorithm
The concern here is the eight S-boxes that are used in each iteration.

Timing Attacks
A timing attack is one in which information about the key or the plaintext is obtained by observing how long it takes a given implementation to perform decryptions on various ciphertexts.
Differential Cryptanalysis
• Differential cryptanalysis is the first published attack that is capable of breaking DES in less than 2^55 encryptions.
• A powerful method to analyse block ciphers.
• Differential cryptanalysis compares two related pairs of encryptions: pairs with a known difference in the input, searching for a known difference in the output, when the same subkeys are used.
• It is feasible to determine the subkey used in the function f.
• The differential cryptanalysis attack is complex.

Linear Cryptanalysis
• another recent development
• also a statistical method
• must be iterated over rounds, with decreasing probabilities
• developed by Matsui in the early 90's
• based on finding linear approximations
• can attack DES with 2^43 known plaintexts; easier, but still infeasible in practice
For example, the following equation states that the XOR sum of the first and third plaintext bits (of a block cipher's block) and the first ciphertext bit is equal to the second bit of the key:
P1 XOR P3 XOR C1 = K2

Block Cipher Design
• basic principles still like Feistel's in the 1970's
• number of rounds - more is better; exhaustive search should be the best attack
• function f - provides "confusion", is nonlinear, gives avalanche; there are issues of how S-boxes are selected
• key schedule - complex subkey creation, key avalanche
AES
• DES finally proved insecure in July 1998, when the Electronic Frontier Foundation (EFF) announced that it had broken a DES encryption using a special-purpose "DES cracker" machine that was built for less than $250,000.
• The Advanced Encryption Standard (AES) was published by NIST (National Institute of Standards and Technology) in 2001.
AES is a block cipher intended to replace DES for commercial applications.
It uses a 128-bit block size. AES does not use a Feistel structure.

Evaluation Criteria for AES
Security: the minimum key size for AES is 128 bits; brute-force attacks with current and projected technology were considered impractical.
Cost: the algorithm(s) specified in the AES shall be available on a worldwide, non-exclusive, royalty-free basis.
Computational efficiency: refers to the speed of the algorithm.
Memory requirement: the memory required to implement a candidate algorithm, for both hardware and software implementations, will also be considered during the evaluation process.
Algorithm and implementation characteristics: this category includes a variety of considerations, including flexibility and suitability for a variety of hardware and software implementations.
Key agility: refers to the ability to change keys quickly and with a minimum of resources.
The AES Cipher
• The input to the encryption and decryption algorithms is a single 128-bit block.
• This block is copied into the State array, which is modified at each stage of encryption or decryption.
• After the final stage, State is copied to an output matrix.
(Figures: AES encryption and decryption structure.)

Substitute Bytes Transformation
• Replace each byte in the State array with its corresponding value from the S-box.
(Figure: substitute bytes applied to a sample State.)

Shift Row Transformation
• The first row of State is not altered.
• For the second row, a 1-byte circular left shift is performed.
• For the third row, a 2-byte circular left shift is performed.
• For the fourth row, a 3-byte circular left shift is performed.
(Figure: shift row transformation.)

Mix Column Transformation
• Apply the mix column transformation to each column.
(Figure: mix column transformation.)

Add Round Key
• XOR each byte of the round key with its corresponding byte in the State array.
(Figure: S'(i,j) = S(i,j) XOR R(i,j) for the 4 x 4 State S and round key R, shown column by column.)

Key Expansion Algorithm
• The AES key expansion algorithm takes as input a 4-word (16-byte) key and produces a linear array of 44 words (176 bytes).
• This is sufficient to provide a 4-word round key for the initial AddRoundKey stage and each of the 10 rounds of the cipher.
(Figures: key expansion.)
Exercise 1
Using this Playfair matrix (shown in the slides), encrypt this message: cryptography and network security
Answer: BGXQHWEGROKWLOSUADAWGIDLDQBPCW
Example
Given the plaintext {00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F} and the key {01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01}:
I. Show the original contents of State, displayed as a 4 x 4 matrix.
II. Show the value of the State array after the initial AddRoundKey.
III. Show the value of the State array after SubBytes.
IV. Show the value of the State array after ShiftRows.
V. Show the value of the State array after MixColumns.
(Figures: State array; State after initial AddRoundKey; State after SubBytes; State after ShiftRows; State after MixColumns.)
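Added example (not from the slides): the four AES round transformations described above, applied in the order of the exercise to its plaintext and key. Rather than copying the S-box table, the script derives it from its definition (multiplicative inverse in GF(2^8) followed by the affine map), and MixColumns is written with the same GF(2^8) multiplication; State is filled column by column as in the standard. Only the first-round steps the exercise asks for are implemented, not the key expansion or the full cipher.

```python
def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    result = 0
    for _ in range(8):
        if b & 1:
            result ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return result


def gf_inverse(a):
    """Inverse as a^254 (a^255 = 1 for a != 0); the S-box maps 0 to 0 before the affine step."""
    result = 1
    for _ in range(254):
        result = gf_mul(result, a)
    return result if a else 0


def _affine(b):
    """AES affine transformation: b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63."""
    def rotl(x, n):
        return ((x << n) | (x >> (8 - n))) & 0xFF
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63


SBOX = [_affine(gf_inverse(x)) for x in range(256)]


def to_state(block16):
    """State[r][c] = input[r + 4c]: the 16 bytes fill the 4x4 matrix column by column."""
    return [[block16[r + 4 * c] for c in range(4)] for r in range(4)]


def add_round_key(state, round_key):
    return [[s ^ k for s, k in zip(srow, krow)] for srow, krow in zip(state, round_key)]


def sub_bytes(state):
    return [[SBOX[b] for b in row] for row in state]


def shift_rows(state):
    """Row r is circularly shifted left by r bytes."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]


def mix_column(col):
    a0, a1, a2, a3 = col
    return [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
            a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
            a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
            gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]


def mix_columns(state):
    cols = [mix_column([state[r][c] for r in range(4)]) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]


def first_round_trace(plaintext, key):
    """State after each stage I-V of the exercise. The initial AddRoundKey uses the
    key itself, since round key 0 of the expansion is the key."""
    state = to_state(plaintext)
    trace = {"initial": state}
    state = add_round_key(state, to_state(key)); trace["add_round_key"] = state
    state = sub_bytes(state);                    trace["sub_bytes"] = state
    state = shift_rows(state);                   trace["shift_rows"] = state
    state = mix_columns(state);                  trace["mix_columns"] = state
    return trace


PLAINTEXT = list(range(16))      # 00 01 ... 0F from the exercise
KEY = [0x01] * 16                # 01 01 ... 01 from the exercise

if __name__ == "__main__":
    for stage, state in first_round_trace(PLAINTEXT, KEY).items():
        print(stage)
        for row in state:
            print(" ".join(f"{b:02X}" for b in row))
```

The S-box values and the MixColumns output are checkable against the published standard: SBOX[0x00] is 0x63, SBOX[0x53] is 0xED, and the column DB 13 53 45 mixes to 8E 4D A1 BC.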
Example
Consider the given key K and the plaintext, namely, in hexadecimal notation: 0 1 2 3 4 5 6 7 8 9 A B C D E F
• in binary notation: 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111
A. Derive K1, the first-round subkey.
B. Derive L0, R0.
C. Expand R0 to get E[R0], where E[·] is the expansion function.
D. Calculate A = E[R0] XOR K1.
E. Group the 48-bit result of (D) into sets of 6 bits and evaluate the corresponding S-box substitutions.
F. Concatenate the results of (E) to get a 32-bit result, B.
G. Apply the permutation to get P(B).
H. Calculate R1 = P(B) XOR L0.
I. Write down the ciphertext.
UNIT-II: Multiple Encryption and Triple DES; Block Cipher Modes of Operation; Stream Ciphers and RC4; Placement of the Encryption Function; Traffic Confidentiality; Key Distribution; Principles of Public-Key Cryptosystems; The RSA Algorithm; Key Management; Diffie-Hellman Key Exchange; Elliptic Curve Cryptography.

Multiple Encryption
Multiple encryption is a technique in which an encryption algorithm is used multiple times.

Double DES
The simplest form of multiple encryption has two encryption stages and two keys.
Given a plaintext P and two encryption keys K1 and K2, ciphertext C is generated as
C = E(K2, E(K1, P))
(Figure: double DES.)
• Decryption requires that the keys be applied in reverse order:
P = D(K1, D(K2, C))
• This scheme apparently involves a key length of 56 x 2 = 112 bits, resulting in a dramatic increase in cryptographic strength.

Meet-in-the-middle attack
• Given a known pair (P, C), the attack proceeds as follows.
• First, encrypt P for all 2^56 possible values of K1 to obtain X = E(K1, P). Store these results in a table and then sort the table by the values of X.
• Next, decrypt C using all 2^56 possible values of K2. As each decryption is produced, check the result against the table for a match.
• If a match occurs, then test the two resulting keys against a new known plaintext-ciphertext pair.
• If the two keys produce the correct ciphertext, accept them as the correct keys.
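Added example (not from the slides) serving two passages: the Feistel structure of UNIT-I (Li = Ri-1, Ri = Li-1 XOR F(Ri-1, Ki), decryption with the subkeys in reverse order) and the meet-in-the-middle argument above. The block cipher is a toy: 16-bit blocks, 8-bit keys, four rounds, a round function built from the PRESENT cipher's 4-bit S-box, and a key schedule I made up; it exists only so the table-matching attack can be run and counted in a fraction of a second. The same logic with 56-bit keys is why double DES gives about 2^57 work, not 2^112.

```python
# 4-bit S-box of the PRESENT cipher, used only as a convenient nonlinear map.
SBOX4 = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
ROUNDS = 4
KEY_BITS = 8


def round_function(r, k):
    """F(R, K): key mixing, nibble substitution (confusion), rotation (diffusion).
    F need not be invertible: the Feistel structure undoes it by XORing it again."""
    x = r ^ k
    x = (SBOX4[x >> 4] << 4) | SBOX4[x & 0xF]
    return ((x << 3) | (x >> 5)) & 0xFF


def subkeys(key):
    """Toy key schedule (assumption): rotate the 8-bit key, add a round constant."""
    return [(((key << i) | (key >> (8 - i))) & 0xFF) ^ ((0x5A * (i + 1)) & 0xFF)
            for i in range(ROUNDS)]


def _feistel(block, ks):
    L, R = block >> 8, block & 0xFF
    for k in ks:
        L, R = R, L ^ round_function(R, k)     # Li = Ri-1 ; Ri = Li-1 xor F(Ri-1, Ki)
    return (R << 8) | L                        # undo the final swap


def feistel_encrypt(block, key):
    return _feistel(block, subkeys(key))


def feistel_decrypt(block, key):
    """Same network, subkeys in reverse order."""
    return _feistel(block, subkeys(key)[::-1])


def double_encrypt(p, k1, k2):
    return feistel_encrypt(feistel_encrypt(p, k1), k2)


def double_decrypt(c, k1, k2):
    return feistel_decrypt(feistel_decrypt(c, k2), k1)


def known_pairs(k1, k2, plaintexts=(0x1234, 0xBEEF)):
    """Constructed known plaintext/ciphertext pairs for the demonstration."""
    return [(p, double_encrypt(p, k1, k2)) for p in plaintexts]


def meet_in_the_middle(pairs):
    """Returns (accepted key pairs, number of cipher operations performed).
    Forward table from the first pair, match on decryptions of its ciphertext,
    confirm every match on the second pair."""
    (p0, c0), (p1, c1) = pairs[0], pairs[1]
    n_keys = 1 << KEY_BITS
    forward, ops = {}, 0
    for k1 in range(n_keys):                       # X = E(K1, P) for every K1
        forward.setdefault(feistel_encrypt(p0, k1), []).append(k1)
        ops += 1
    accepted = []
    for k2 in range(n_keys):                       # D(K2, C) for every K2, look up X
        mid = feistel_decrypt(c0, k2)
        ops += 1
        for k1 in forward.get(mid, []):
            ops += 2
            if double_encrypt(p1, k1, k2) == c1:   # test on a second known pair
                accepted.append((k1, k2))
    return accepted, ops


if __name__ == "__main__":
    keys, ops = meet_in_the_middle(known_pairs(0x3C, 0xA7))
    print(keys)                                    # includes (0x3C, 0xA7)
    print(ops, "operations versus", (1 << KEY_BITS) ** 2, "for exhaustive search")
```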
Triple DES with Two Keys
• Triple DES makes use of three stages of the DES algorithm, using a total of two or three distinct keys.
• The function follows an encrypt-decrypt-encrypt (EDE) sequence:
C = E(K1, D(K2, E(K1, P)))
(Figure: triple DES with two keys.)

Triple DES with Three Keys
• Three-key 3DES has an effective key length of 168 bits and is defined as follows:
C = E(K3, D(K2, E(K1, P)))
Block Cipher Modes of Operation
• To apply a block cipher in a variety of applications, four "modes of operation" have been defined by NIST.
• A mode of operation is a technique for enhancing the effect of a cryptographic algorithm or adapting it to an application.

Electronic Codebook (ECB)
Each block of 64 plaintext bits is encrypted independently using the same key.
(Figure: ECB mode.)
Limitation of ECB
• The most significant characteristic of ECB is that the same b-bit block of plaintext, if it appears more than once in the message, always produces the same ciphertext.
• For lengthy messages, the ECB mode may not be secure.
Typical application
• Secure transmission of single values (e.g., an encryption key)

Cipher Block Chaining (CBC)
• To overcome the security deficiencies of ECB, we would like a technique in which the same plaintext block, if repeated, produces different ciphertext blocks.
• A simple way to satisfy this requirement is the cipher block chaining (CBC) mode.
• The input to the encryption algorithm is the XOR of the next 64 bits of plaintext and the preceding 64 bits of ciphertext.
(Figure: CBC mode.)
• An initialization vector (IV) is used to start the process:
Ci = DES_K1(Pi XOR Ci-1), with C_-1 = IV
Limitations of CBC
• needs an initialization vector (IV)
Typical applications
• General-purpose block-oriented transmission
• Authentication

Cipher Feedback (CFB)
Input is processed j bits at a time. The preceding ciphertext is used as input to the encryption algorithm to produce pseudorandom output, which is XORed with the plaintext to produce the next unit of ciphertext.
(Figure: CFB mode.)
Limitation of CFB
A possible problem is that if it is used over a "noisy" link, then any corrupted bit will destroy values in the current and next blocks.
Typical applications
• General-purpose stream-oriented transmission
• Authentication

Output Feedback (OFB)
The alternative to CFB is OFB. Here the generation of the "random" bits is independent of the message being encrypted.
The advantages are that, firstly, they can be computed in advance, which is good for bursty traffic, and secondly, any bit error only affects a single bit. Thus this is good for noisy links (e.g. satellite TV transmissions).
(Figure: OFB mode.)
Typical application
• Stream-oriented transmission over a noisy channel (e.g., satellite communication)

Counter (CTR)
Each block of plaintext is XORed with an encrypted counter. The counter is incremented for each subsequent block.
(Figure: CTR mode.)
Advantages and Limitations of CTR
• can do parallel encryptions in hardware or software
• good for bursty high-speed links
• provable security (as good as the other modes), but CTR must never reuse the same key and counter value
Typical applications
• General-purpose block-oriented transmission
• Useful for high-speed requirements
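Added example (not from the slides): ECB, CBC and CTR as Python functions over a pluggable block cipher, with two checks that demonstrate the limitations stated above: repeated plaintext blocks show through in ECB but not in CBC, and reusing a key and counter in CTR lets the XOR of two ciphertexts reveal the XOR of the plaintexts. The block cipher is a stand-in I built from a 4-round Feistel network with SHA-256 as its round function (the standard library has no DES or AES); it is an invertible 128-bit permutation, which is all the modes require. The key, IV, nonce and message are constructed sample values.

```python
import hashlib
import os

BLOCK = 16


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# Stand-in block cipher (assumption: not DES or AES): 4-round Feistel network with
# SHA-256 as the round function, giving an invertible 128-bit permutation for the demo.
def _f(half, key, rnd):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key, block):
    L, R = block[:8], block[8:]
    for rnd in range(4):
        L, R = R, xor_bytes(L, _f(R, key, rnd))
    return R + L


def block_decrypt(key, block):
    L, R = block[:8], block[8:]
    for rnd in reversed(range(4)):
        L, R = R, xor_bytes(L, _f(R, key, rnd))
    return R + L


def _blocks(data):
    if len(data) % BLOCK:
        raise ValueError("ECB/CBC need whole blocks; pad the message first")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, data):
    """Every block encrypted independently: equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(block_encrypt(key, b) for b in _blocks(data))


def ecb_decrypt(key, data):
    return b"".join(block_decrypt(key, b) for b in _blocks(data))


def cbc_encrypt(key, iv, data):
    """Ci = E(K, Pi xor Ci-1) with C-1 = IV: the chaining hides repeated blocks."""
    out, prev = [], iv
    for p in _blocks(data):
        prev = block_encrypt(key, xor_bytes(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for c in _blocks(data):
        out.append(xor_bytes(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def ctr_crypt(key, nonce, data):
    """Keystream block i = E(K, nonce || i). XOR makes encryption and decryption the
    same function and allows a short final block."""
    out = []
    for i in range(0, len(data), BLOCK):
        counter_block = nonce + (i // BLOCK).to_bytes(8, "big")
        out.append(xor_bytes(data[i:i + BLOCK], block_encrypt(key, counter_block)))
    return b"".join(out)


def fresh_iv():
    """IVs must be unpredictable and nonces unique; draw them from the OS random source."""
    return os.urandom(BLOCK)


def ecb_leaks_repeats(key, data):
    """True when the ECB ciphertext contains duplicate blocks (the ECB limitation)."""
    blocks = _blocks(ecb_encrypt(key, data))
    return len(set(blocks)) < len(blocks)


def ctr_nonce_reuse_leak(key, nonce, p1, p2):
    """Same key and counter twice: C1 xor C2 == P1 xor P2, the keystream cancels out."""
    c1, c2 = ctr_crypt(key, nonce, p1), ctr_crypt(key, nonce, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


# Constructed sample values for the demonstration.
KEY = b"constructed-key!"                                  # 16 bytes
IV = bytes(range(16))                                      # fixed only to keep the demo reproducible
NONCE = b"\x00" * 8
MESSAGE = b"ATTACK AT DAWN! " * 2 + b"HOLD POSITION!!!"   # three blocks, first two identical

if __name__ == "__main__":
    print("ECB repeats visible:", ecb_leaks_repeats(KEY, MESSAGE))
    print("CBC distinct blocks:", len(set(_blocks(cbc_encrypt(KEY, IV, MESSAGE)))))
    print("CTR nonce reuse leaks plaintext XOR:",
          ctr_nonce_reuse_leak(KEY, NONCE, MESSAGE[:16], MESSAGE[32:]))
```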
Stream Ciphers and RC4

Stream Ciphers
• A stream cipher encrypts plaintext one byte at a time.
• A stream cipher may also be designed to operate on one bit at a time.
(Figure: stream cipher structure.)

Design considerations
• long period with no repetitions of the pseudorandom keystream.
• the output of the pseudorandom number generator is conditioned on the value of the input key.
• To protect against brute-force attacks, the key needs to be sufficiently long.

RC4 Basics
• A symmetric-key encryption algorithm.
• Invented by Ron Rivest.
• Normally uses 64-bit and 128-bit key sizes.
• Cryptographically very strong yet very easy to implement.
• Consists of 2 parts: the Key Scheduling Algorithm (KSA) and the Pseudo-Random Generation Algorithm (PRGA).
(Figure: RC4 block diagram: the secret key feeds RC4, which produces a keystream that is XORed with the plaintext to give the encrypted text.)

RC4 ... breakup
• Initialize an array of 256 bytes.
• Run the KSA on it.
• Run the PRGA on the KSA output to generate the keystream.
• XOR the data with the keystream.
Array Initialization
C code:
    unsigned char S[256];
    int i;
    for (i = 0; i < 256; i++)
        S[i] = i;
After this the array looks like this:
S[] = { 0, 1, 2, 3, ..., 254, 255 }

The KSA
• The initialized array S[256] is now run through the KSA. The KSA uses the secret key to scramble the array.
• C code for the KSA (key is the secret key, key_len its length in bytes):
    int i, j = 0;
    unsigned char tmp;
    for (i = 0; i < 256; i++) {
        j = (j + S[i] + key[i % key_len]) % 256;
        tmp = S[i]; S[i] = S[j]; S[j] = tmp;    /* swap(S[i], S[j]) */
    }

The PRGA
• The KSA-scrambled S[256] array is used to drive the PRGA, which produces the actual keystream.
• C code (output_bytes is the number of keystream bytes wanted):
    i = j = 0;
    while (output_bytes--) {
        i = (i + 1) % 256;
        j = (j + S[i]) % 256;
        tmp = S[i]; S[i] = S[j]; S[j] = tmp;    /* swap(S[i], S[j]) */
        output = S[(S[i] + S[j]) % 256];        /* next keystream byte */
    }
Encryption using RC4
• Choose a secret key.
• Run the KSA and PRGA using the key to generate a keystream.
• XOR the keystream with the data to generate the encrypted stream.
• Transmit the encrypted stream.

Decryption using RC4
• Use the same secret key as during the encryption phase.
• Generate the keystream by running the KSA and PRGA.
• XOR the keystream with the encrypted text to generate the plaintext.
• The logic is simple:
(A xor B) xor B = A
A = plaintext or data, B = keystream
RC4 Example
• Simple 4-byte example
• S = {0, 1, 2, 3}
• K = {1, 7, 1, 7}
• Set i = j = 0
KSA
First iteration (i = 0, j = 0, S = {0, 1, 2, 3}):
j = (j + S[i] + K[i]) = (0 + 0 + 1) = 1
Swap S[i] with S[j]: S = {1, 0, 2, 3}
Second iteration (i = 1, j = 1, S = {1, 0, 2, 3}):
j = (j + S[i] + K[i]) = (1 + 0 + 7) = 0 (mod 4)
Swap S[i] with S[j]: S = {0, 1, 2, 3}
Third iteration (i = 2, j = 0, S = {0, 1, 2, 3}):
j = (j + S[i] + K[i]) = (0 + 2 + 1) = 3
Swap S[i] with S[j]: S = {0, 1, 3, 2}
Fourth iteration (i = 3, j = 3, S = {0, 1, 3, 2}):
j = (j + S[i] + K[i]) = (3 + 2 + 7) = 0 (mod 4)
Swap S[i] with S[j]: S = {2, 1, 3, 0}
PRGA
Reset i = j = 0; recall S = {2, 1, 3, 0}
i = i + 1 = 1
j = j + S[i] = 0 + 1 = 1
Swap S[i] and S[j]: S = {2, 1, 3, 0}
Output z = S[S[i] + S[j]] = S[2] = 3
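Added example (not from the slides): the KSA and PRGA above in Python, parameterized by the state size n so that the same code reproduces the 4-byte walk-through (n = 4) and real RC4 (n = 256). The "Key"/"Plaintext" check value is the widely published RC4 test vector.

```python
def rc4_ksa(key, n=256):
    """Key-scheduling algorithm over an n-entry state (n = 256 for real RC4).
    `key` is a sequence of integers in 0..n-1 (a bytes object works for n = 256)."""
    S = list(range(n))
    j = 0
    for i in range(n):
        j = (j + S[i] + key[i % len(key)]) % n
        S[i], S[j] = S[j], S[i]
    return S


def rc4_prga(S, count, n=256):
    """Produce `count` keystream values from a scheduled state (the state is copied,
    so the caller can inspect it afterwards)."""
    S = S[:]
    i = j = 0
    out = []
    for _ in range(count):
        i = (i + 1) % n
        j = (j + S[i]) % n
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % n])
    return out


def rc4_crypt(key, data):
    """Encryption and decryption are the same operation: data xor keystream."""
    stream = rc4_prga(rc4_ksa(key), len(data))
    return bytes(d ^ k for d, k in zip(data, stream))


if __name__ == "__main__":
    print(rc4_ksa([1, 7, 1, 7], n=4))              # [2, 1, 3, 0], as in the walk-through
    print(rc4_prga([2, 1, 3, 0], 1, n=4))          # [3]
    c = rc4_crypt(b"Key", b"Plaintext")
    print(c.hex())                                 # bbf316e8d940af0ad3
    print(rc4_crypt(b"Key", c))                    # b'Plaintext'
```

Two properties follow directly from the code: the keystream depends only on the key, so encrypting two messages under one key gives ciphertexts whose XOR is the XOR of the plaintexts (the same keystream-reuse problem as a reused one-time pad); and because the first keystream bytes are statistically biased, RC4 has been withdrawn from protocols such as TLS and should not be chosen for new designs.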
Analysis of RC4
• Advantages
- Faster than DES
- Enormous key space (average of 1700 bits)
• Disadvantages
- Large number of "weak" keys (1 in 256)
- "Weak" keys can be detected and exploited with a high probability
Placement of Encryption function
If encryption is to be used to counter attacks on confidentiality, we need to decide what to encrypt and where the encryption function should be located.
Confidentiality using Symmetric Encryption
• traditionally symmetric encryption is used to provide message confidentiality
Placement of Encryption
• link encryption
• end-to-end encryption
Link encryption
Link encryption encrypts and decrypts all data at each end of every communications link. Each vulnerable link is equipped on both ends with an encryption device, so all traffic over all links is secured; however, the message must be decrypted each time it enters a switching node, because the switch must read the address in the packet header to route the frame, so the data are exposed inside every node.
End-to-end encryption
With end-to-end encryption, the encryption process is carried out at the two end systems. The source host encrypts the data; the data, in encrypted form, are transmitted unaltered across the network to the destination host, which shares a key with the source and decrypts them.
Placement of Encryption
With end-to-end encryption, user data are secure, but the traffic pattern is not because packet headers are transmitted in the clear.
To achieve greater security, both link and end-to-end encryption are needed
Placement of Encryption
• The encryption function can be placed at various layers of the OSI Reference Model:
– link encryption occurs at layer 1 or 2
– end-to-end encryption can occur at layer 3, 4, 6, or 7
Front-End Processor Function
Traffic Confidentiality
Knowledge about the number and length of messages between nodes may enable an opponent to determine who is talking to whom.
Information that can be derived from a traffic analysis attack:
• identities of partners
• how frequently the partners are communicating
• message pattern, message length, or quantity of messages that suggest important information is being exchanged
Link Encryption Approach
Network-layer headers are encrypted, reducing the opportunity for traffic analysis.
However, it is still possible to observe the amount of traffic entering and leaving each end system.
Traffic-Padding Encryption Device
• Traffic padding produces cipher text output continuously, even in the absence of plaintext.
Traffic-Padding Encryption Device
• A continuous random data stream is generated.
• When plaintext is available, it is encrypted and transmitted.
• When input plaintext is not present, random data are encrypted and transmitted.
• This makes it impossible for an attacker to distinguish between true data flow and padding.
End-to-End Encryption Approach
• If encryption is implemented at the application layer, an opponent can still determine which transport entities are engaged in dialogue; if it is housed at the transport layer, network-layer addresses and traffic patterns remain accessible.
• Two countermeasures are available: pad data units to a uniform length at the transport or application level, and insert null messages randomly into the stream. These tactics deny an opponent knowledge about the amount of data exchanged between end users and obscure the underlying traffic pattern.
Key Distribution
Key Distribution
Given parties A and B, there are various key distribution alternatives:
1. A can select a key and physically deliver it to B.
2. A third party can select the key and physically deliver it to A and B.
3. If A and B have previously and recently used a key, one party can transmit the new key to the other, encrypted using the old key.
4. If A and B each have an encrypted connection to a third party C, C can deliver a key on the encrypted links to A and B.
Session key
• Session keys are also termed temporary keys or one-time-use keys. Usually after a session these keys are discarded and not used again.
• Communication between end systems is encrypted using the session key.
Master key
• Session keys are transmitted in encrypted form, using a master key that is shared by the key distribution center (KDC) and an end system or user.
The Use of a Key Hierarchy
Key Distribution Scenario
• A issues a request to the KDC for a session key to protect a logical connection to B.
• The KDC responds with a message encrypted using Ka. Thus A is the only one who can successfully read the message, and A knows that it originated at the KDC. The message includes the one-time session key Ks, the original request (including a nonce N1) so that A can match the response to its request and detect a replayed reply, and E(Kb, [Ks || IDA]) to be forwarded to B.
• A stores the session key for use in the upcoming session and forwards to B the information that originated at the KDC for B, namely, E(Kb, [Ks || IDA]). Because this information is encrypted with Kb, it is protected from eavesdropping.
• B now knows the session key (Ks), knows that the other party is A (from IDA), and knows that the information originated at the KDC (because it is encrypted using Kb).
• Using the newly minted session key for encryption, B sends a nonce, N2, to A.
• Also using Ks, A responds with f(N2), where f is a function that performs some transformation on N2 (e.g., adding one).
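The five-step KDC scenario above, run end to end as an added Python simulation (not code from the slides), including the checks each party must make: A matches N1 and IDB in the KDC's reply, B learns Ks and IDA only through Kb, and the N2/f(N2) handshake proves both sides hold Ks. The symmetric cipher E(K, .) is a stand-in built from the standard library (an HMAC-SHA256 keystream followed by an HMAC tag); that construction is an assumption of this example, since the slides leave the cipher abstract.

```python
"""Simulation of the KDC session-key distribution scenario (steps 1-5) with the
nonce and identity checks each party performs. E(K, .) is a stand-in
encrypt-then-MAC scheme built from hmac/hashlib (assumption of this example)."""
import hashlib
import hmac
import json
import os
from typing import Tuple

TAG_LEN = 32
NONCE_LEN = 16

# Constructed master keys Ka and Kb, each shared between the KDC and one end system.
KA = hashlib.sha256(b"master key of A (demo only)").digest()
KB = hashlib.sha256(b"master key of B (demo only)").digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """E(K, M) -> nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """D(K, C); raises ValueError if the key is wrong or the message was altered."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def pack(**fields) -> bytes:
    """Serialise a message; bytes fields (keys, tickets) are hex-encoded."""
    return json.dumps({k: v.hex() if isinstance(v, bytes) else v
                       for k, v in fields.items()}, sort_keys=True).encode()


def unpack(raw: bytes) -> dict:
    return json.loads(raw)


def f(nonce: int) -> int:
    """Transformation of N2 returned in step 5 (the slides suggest adding one)."""
    return nonce + 1


class KDC:
    def __init__(self, master_keys: dict):
        self.master_keys = master_keys

    def handle(self, id_a: str, id_b: str, n1: int) -> bytes:
        """Step 2: E(Ka, [Ks || IDA || IDB || N1 || E(Kb, [Ks || IDA])])."""
        ks = os.urandom(32)
        ticket_for_b = encrypt(self.master_keys[id_b], pack(ks=ks, id_a=id_a))
        return encrypt(self.master_keys[id_a],
                       pack(ks=ks, id_a=id_a, id_b=id_b, n1=n1, ticket=ticket_for_b))


def run_exchange(kdc: KDC, ka: bytes, kb: bytes,
                 replay_old_reply: bool = False) -> Tuple[bool, str, bool]:
    """Returns (A and B agree on Ks, whom B believes it talks to, N2 check passed)."""
    # Step 1: A -> KDC : IDA || IDB || N1
    n1 = int.from_bytes(os.urandom(8), "big")
    reply = kdc.handle("A", "B", n1)
    if replay_old_reply:                       # attacker substitutes an earlier KDC reply
        reply = kdc.handle("A", "B", n1 - 1)
    msg2 = unpack(decrypt(ka, reply))          # only A holds Ka
    if msg2["n1"] != n1 or msg2["id_b"] != "B":
        raise ValueError("stale or mismatched KDC response")
    ks_a = bytes.fromhex(msg2["ks"])
    # Step 3: A -> B : E(Kb, [Ks || IDA]); B learns Ks and that the peer is A
    msg3 = unpack(decrypt(kb, bytes.fromhex(msg2["ticket"])))
    ks_b, peer = bytes.fromhex(msg3["ks"]), msg3["id_a"]
    # Step 4: B -> A : E(Ks, N2)
    n2 = int.from_bytes(os.urandom(8), "big")
    msg4 = encrypt(ks_b, pack(n2=n2))
    # Step 5: A -> B : E(Ks, f(N2)); proves A holds Ks and is live
    msg5 = encrypt(ks_a, pack(fn2=f(unpack(decrypt(ks_a, msg4))["n2"])))
    nonce_ok = unpack(decrypt(ks_b, msg5))["fn2"] == f(n2)
    return ks_a == ks_b, peer, nonce_ok


def demo() -> Tuple[bool, str, bool]:
    return run_exchange(KDC({"A": KA, "B": KB}), KA, KB)


if __name__ == "__main__":
    print(demo())   # (True, 'A', True)
```

A replayed or substituted KDC reply fails the N1 check in step 2, and a ticket decrypted under the wrong master key fails its tag, which is what the slide means by B knowing the information "originated at the KDC (because it is encrypted using Kb)".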
Hierarchical Key Control
• It is not necessary to limit the key distribution function to a single KDC. Indeed, for very large networks, it may not be practical to do so. As an alternative, a hierarchy of KDCs can be established.
• If two entities in different domains desire a shared key,then the corresponding local KDCs can communicate through a global KDC.
Decentralized Key Control
1. A issues a request to B for a session key and includes a nonce, N1.
2. B responds with a message that is encrypted using the shared master key. The response includes the session key selected by B, an identifier of B, the value f(N1), and another nonce, N2.
3. Using the new session key, A returns f(N2) to B.
Principles of Public-Key Cryptosystems
Private-Key Cryptography
• traditional private/secret/single-key cryptography uses one key
• shared by both sender and receiver
• if this key is disclosed, communications are compromised
• does not by itself provide non-repudiation: either holder of the key could have produced a message, so a receiver cannot prove to a third party that the sender created it
Public-Key Cryptography
• Asymmetric encryption is a form of cryptosystem in which encryption and decryption are performed using different keys, one a public key and one a private key. It is also known as public-key encryption.
• Asymmetric encryption transforms plaintext into ciphertext using one of the two keys and an encryption algorithm. Using the paired key and a decryption algorithm, the plaintext is recovered from the ciphertext.
• Asymmetric encryption can be used for confidentiality, authentication, or both.
Public-Key Cryptography
Public-key/two-key/asymmetric cryptography involves the use of two keys:
– a public key, which may be known by anybody, and can be used to encrypt messages and verify signatures
– a private key, known only to the recipient, used to decrypt messages and sign (create) signatures
Principles of Public-Key Cryptosystems
• The concept of public-key cryptography evolved from an attempt to attack two of the most difficult problems associated with symmetric encryption:
• key distribution
• digital signatures (symmetric encryption does not provide them)
Confidentiality using public-Key system
Encryption
• Each user generates a pair of keys to be used for the encryption and decryption of messages.
• Each user places one of the two keys in a public register. This is the public key.
• The companion key is kept private.
Encryption
• If Bob wishes to send a confidential message to Alice, Bob encrypts the message using Alice's public key.
• When Alice receives the message, she decrypts it using her private key.
• No other recipient can decrypt the message because only Alice knows Alice's private key.
Authentication using Public-Key System
Difference between Symmetric Encryption and Asymmetric Encryption
Symmetric encryption | Asymmetric encryption
Encryption and decryption are performed using the same key. | Encryption and decryption are performed using different keys: one public key and one private key.
Also known as secret-key encryption. | Also known as public-key encryption.
Can be used for confidentiality. | Can be used for confidentiality, authentication (digital signatures), or both.
The most widely used symmetric-key algorithms are block ciphers such as DES and AES. | The most widely used public-key cryptosystem is RSA.
Public-Key Cryptosystem: Secrecy
Public-Key Cryptosystem: Secrecy
• With the message X and the encryption key PUb as input, A forms the ciphertext Y = [Y1, Y2, ..., YN]:
Y = E(PUb, X)
• The intended receiver, in possession of the matching private key, is able to invert the transformation:
X = D(PRb, Y)
Public-Key Cryptosystem: Authentication (figure)
Public-Key Cryptosystem: Authentication and Secrecy (figure)
Applications for Public-Key Cryptosystems
• Encryption/decryption• Digital signature• Key exchange
Requirements for Public-Key Cryptography
1. It is computationally easy for a party B to generate a pair (public key PUb, private key PRb).
2. It is computationally easy for a sender A, knowing the public key and the message to be encrypted, M, to generate the corresponding ciphertext: C = E(PUb, M)
3. It is computationally easy for the receiver B to decrypt the resulting ciphertext using the private key to recover the original message: M = D(PRb, C) = D(PRb, E(PUb, M))
Requirements for Public-Key Cryptography
4. It is computationally infeasible for an opponent, knowing the public key PUb, to determine the private key PRb.
5. It is computationally infeasible for an opponent, knowing the public key PUb and a ciphertext C, to recover the original message M.
The RSA Algorithm
Our dramatis personae: Rivest, Shamir, Adleman (photograph)
The RSA Algorithm
The RSA algorithm was developed by Ron Rivest, Adi Shamir, and Len Adleman at MIT and first published in 1978.
The RSA scheme is a block cipher in which the plaintext and ciphertext are integers between 0 and n - 1 for some n.
RSA Public Key Cryptosystem (figure)
Alice looks up Bob's public key (e, n) in a public key directory ("Yellow/White Pages") and sends the ciphertext c = m^e mod n over the network; Bob, holding the secret key d, recovers the plaintext m = c^d mod n.
The RSA Algorithm – Key Generation
1. Select p, q, both prime, p ≠ q
2. Calculate n = p × q
3. Calculate φ(n) = (p - 1)(q - 1)
4. Select integer e with gcd(φ(n), e) = 1 and 1 < e < φ(n)
5. Calculate d ≡ e^-1 (mod φ(n)), i.e. e·d ≡ 1 (mod φ(n))
6. Public key KU = {e, n}
7. Private key KR = {d, n}
The RSA Algorithm - Encryption
• Plaintext: M < n
• Ciphertext: C = M^e mod n
The RSA Algorithm - Decryption
• Ciphertext: C
• Plaintext: M = C^d mod n
Example
Select two prime numbers, p = 17 and q = 11.
Calculate n = pq = 17 × 11 = 187.
Calculate φ(n) = (p - 1)(q - 1) = 16 × 10 = 160.
Select e such that e is relatively prime to φ(n) = 160 and less than φ(n); we choose e = 7.
Example
Calculate d such that e·d ≡ 1 (mod 160), i.e. d = (1 + X × φ(n)) / e for the smallest X that gives an integer:
X = 0: d = (1 + 0 × 160) / 7 = 0.143 (not an integer)
X = 1: d = (1 + 1 × 160) / 7 = 23
d = 23 (check: 7 × 23 = 161 = 1 × 160 + 1)
Example
PU = {e, n}, PR = {d, n}
The resulting keys are: public key PU = {7, 187}, private key PR = {23, 187}.
Encryption
Ciphertext: C = M^e mod n = 88^7 mod 187 = 11
Decryption
Plaintext: M = C^d mod n = 11^23 mod 187 = 88
Example
Perform the encryption and decryption for p = 7, q = 11, e = 17 and M = 8.
Key generation
Calculate n = pq = 7 × 11 = 77
Calculate φ(n) = (p - 1)(q - 1) = 6 × 10 = 60
Calculate d such that 17·d ≡ 1 (mod 60), trying d = (1 + X × 60) / 17:
X = 0: 0.0588   X = 1: 3.58    X = 2: 7.11    X = 3: 10.64
X = 4: 14.17    X = 5: 17.70   X = 6: 21.23   X = 7: 24.76
X = 8: 28.29    X = 9: 31.82   X = 10: 35.35  X = 11: 38.88
X = 12: 42.41   X = 13: 45.94  X = 14: 49.47  X = 15: 53
d = 53 (check: 17 × 53 = 901 = 15 × 60 + 1)
Key generation
PU = {e, n}, PR = {d, n}
The resulting keys are: public key PU = {17, 77}, private key PR = {53, 77}.
Encryption
Ciphertext: C = M^e mod n = 8^17 mod 77 = 57
Decryption
Plaintext: M = C^d mod n = 57^53 mod 77 = 8
The Security of RSA
• Brute force: trying all possible private keys.
• Mathematical attacks: several approaches, all equivalent in effort to factoring the product of two primes.
• Timing attacks: these depend on the running time of the decryption algorithm.
• Chosen ciphertext attacks: these make use of properties of the RSA algorithm, in particular the multiplicative property E(M1)·E(M2) = E(M1·M2) mod n of unpadded RSA; randomized padding such as OAEP (PKCS #1 v2) is the standard countermeasure.
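Both RSA examples above, with key generation, encryption and decryption, followed by the multiplicative property that chosen-ciphertext attacks exploit. This is an added Python example, not code from the slides: d is computed with the extended Euclidean algorithm rather than by trying values of X, and `trial_d` reproduces the slides' search only to show it arrives at the same d.

```python
"""Textbook RSA: key generation, encryption and decryption for the two slide
examples, with d computed by the extended Euclidean algorithm, followed by the
blinding (chosen-ciphertext) attack that unpadded RSA permits."""
from math import gcd
from typing import Callable, Optional, Tuple

Key = Tuple[int, int]


def egcd(a: int, b: int) -> Tuple[int, int, int]:
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a: int, m: int) -> int:
    g, x, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return x % m


def rsa_keygen(p: int, q: int, e: int) -> Tuple[Key, Key]:
    """Steps 1-7: n = pq, phi = (p-1)(q-1), d = e^-1 mod phi; returns (PU, PR)."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    return (e, n), (modinv(e, phi), n)


def rsa_encrypt(pub: Key, m: int) -> int:
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("plaintext block must satisfy 0 <= M < n")
    return pow(m, e, n)


def rsa_decrypt(priv: Key, c: int) -> int:
    d, n = priv
    return pow(c, d, n)


def trial_d(e: int, phi: int, max_x: int = 10_000) -> Optional[int]:
    """The slides' search: the first X for which (1 + X*phi) is divisible by e."""
    for x in range(max_x):
        if (1 + x * phi) % e == 0:
            return (1 + x * phi) // e
    return None


def blinding_attack(pub: Key, decrypt_oracle: Callable[[int], int], c: int, r: int) -> int:
    """Chosen-ciphertext attack on unpadded RSA. The attacker may not ask for
    D(c) itself, but E(m)*E(r) = E(m*r) mod n, so having c' = c * r^e decrypted
    yields m*r, and multiplying by r^-1 recovers m."""
    e, n = pub
    c_blinded = (c * pow(r, e, n)) % n
    m_times_r = decrypt_oracle(c_blinded)
    return (m_times_r * modinv(r, n)) % n


if __name__ == "__main__":
    pub, priv = rsa_keygen(17, 11, 7)          # PU = {7, 187}, PR = {23, 187}
    c = rsa_encrypt(pub, 88)                    # 11
    print(pub, priv, c, rsa_decrypt(priv, c))   # 88
    print(rsa_keygen(7, 11, 17))                # ((17, 77), (53, 77))
    # The victim refuses to decrypt c itself, yet the attacker still learns M = 88.
    print(blinding_attack(pub, lambda x: rsa_decrypt(priv, x), c, r=5))
```

The toy moduli are factorable by inspection; the same code runs unchanged on 2048-bit primes, where the mathematical attack of factoring n is what the security rests on.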
Key Management
One of the major roles of public-key encryption has been to address the problem of key distribution:
• the distribution of public keys
• the distribution of secret keys using public-key encryption
Distribution of Public Keys
• Public announcement
• Publicly available directory
• Public-key authority
• Public-key certificates
Public Announcement of Public Keys
• Any participant can send his or her public key to any other participant or broadcast the key to the community at large.
Example
• USENET is a public forum: anybody can post a message and read messages, so a user could append his or her public key to a posting.
• Public announcement has a major weakness: anyone can forge such an announcement. Some user could pretend to be user A and send a public key to another participant; until A discovers the forgery, the forger can read all encrypted messages intended for A and can use the forged key for authentication.
Publicly Available Directory
• Greater security can be obtained by registering keys with a public directory.
• The authority maintains a directory with a {name, public key} entry for each participant.
• Each participant registers a public key with the directory authority.
• A participant may replace the existing key with a new one at any time.
• Participants can also access the directory electronically.
Public-Key Authority
Stronger security for public-key distribution can be achieved by providing tighter control over the distribution of public keys from the directory.
Public-Key Authority
1. A sends a timestamped message to the public-key authority containing a request for the current public key of B.
2. The authority responds with a message that is encrypted using the authority's private key, PRauth. Thus A is able to decrypt the message using the authority's public key and is assured that it originated with the authority. The message includes:
   ● B's public key, PUb, which A can use to encrypt messages destined for B
   ● the original request, to enable A to match this response with the corresponding earlier request and to verify that the original request was not altered before reception by the authority
   ● the original timestamp, so A can determine that this is not an old message from the authority
3. A stores B's public key and also uses it to encrypt a message to B containing an identifier of A (IDA) and a nonce (N1), which is used to identify this transaction uniquely.
4, 5. B retrieves A's public key from the authority in the same manner as A retrieved B's public key.
At this point, public keys have been securely delivered to A and B, and they may begin their protected exchange. However, two additional steps are desirable:
6. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new nonce generated by B (N2). Because only B could have decrypted message (3), the presence of N1 in message (6) assures A that the correspondent is B.
7. A returns N2, encrypted using B's public key, to assure B that its correspondent is A.
Public-Key Certificates
• Any participant can read a certificate to determine the name and public key of the certificate's owner.
• Any participant can verify that the certificate originated from the certificate authority and is not counterfeit.
• Only the certificate authority can create and update certificates.
Distribution of Secret Keys Using Public-Key Cryptography
• Simple secret key distribution
• Secret key distribution with confidentiality and authentication
Simple Secret Key Distribution
1. A generates a public/private key pair {PUa, PRa} and transmits a message to B consisting of PUa and an identifier of A, IDA.
2. B generates a secret key, Ks, and transmits it to A, encrypted with A's public key.
3. A computes D(PRa, E(PUa, Ks)) to recover the secret key. Because only A can decrypt the message, only A and B will know the identity of Ks.
4. A discards PUa and PRa, and B discards PUa.
Man-in-the-middle attack
1. A generates a public/private key pair {PUa, PRa} and transmits a message intended for B consisting of PUa and an identifier of A, IDA.
2. E intercepts the message, creates its own public/private key pair {PUe, PRe} and transmits PUe || IDA to B.
3. B generates a secret key, Ks, and transmits E(PUe, Ks).
4. E intercepts the message and learns Ks by computing D(PRe, E(PUe, Ks)).
5. E transmits E(PUa, Ks) to A.
A and B now share Ks and are unaware that E also holds it. The simple scheme provides no authentication of the public key, so it is secure only against eavesdropping, not against an active attacker.
Secret Key Distribution with Confidentiality and Authentication
1. A uses B's public key to encrypt a message to B containing an identifier of A (IDA) and a nonce (N1), which is used to identify this transaction uniquely.
2. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new nonce generated by B (N2). Because only B could have decrypted message (1), the presence of N1 in message (2) assures A that the correspondent is B.
3. A returns N2, encrypted using B's public key, to assure B that its correspondent is A.
4. A selects a secret key Ks and sends M = E(PUb, E(PRa, Ks)) to B. Encryption of this message with B's public key ensures that only B can read it; encryption with A's private key ensures that only A could have sent it.
5. B computes D(PUa, D(PRb, M)) to recover the secret key.
Diffie-Hellman Key Exchange
The purpose of the algorithm is to enable two users to securely exchange a key that can then be used for subsequent symmetric encryption of messages.
Primitive roots
Let p be a prime number. a is a primitive root of p if a mod p, a^2 mod p, ..., a^(p-1) mod p are distinct and consist of the integers from 1 through p - 1 in some permutation.
3 is a primitive root of 5 (a = 3, p = 5):
  i   a^i   a^i mod 5
  1     3     3
  2     9     4
  3    27     2
  4    81     1
4 is not a primitive root of 5 (a = 4, p = 5):
  i   a^i   a^i mod 5
  1     4     4
  2    16     1
  3    64     4
  4   256     1
The Diffie-Hellman Key Exchange Algorithm
Global public elements: a prime q and a primitive root a of q.
User A key generation: select private XA < q; calculate public YA = a^XA mod q.
User B key generation: select private XB < q; calculate public YB = a^XB mod q.
Shared secret key: A computes K = (YB)^XA mod q; B computes K = (YA)^XB mod q. Both equal a^(XA·XB) mod q.
The exchange is secure against eavesdropping because recovering XA from YA requires computing a discrete logarithm, but by itself it does not authenticate the parties.
Diffie-Hellman Example
Users A and B use the Diffie-Hellman key exchange technique with a common prime q = 71 and a primitive root a = 7.
i) If user A has private key XA = 5, what is A's public key YA?
ii) If user B has private key XB = 12, what is B's public key YB?
iii) What is the shared secret key?
YA = a^XA mod q = 7^5 mod 71 = 51
YB = a^XB mod q = 7^12 mod 71 = 4
K = YB^XA mod q = 4^5 mod 71 = 30
K = YA^XB mod q = 51^12 mod 71 = 30
Diffie-Hellman Example
Consider a Diffie-Hellman scheme with a common prime q = 11 and a primitive root a = 2.
I. Show that 2 is a primitive root of 11.
II. If user A has public key YA = 9, what is A's private key XA?
III. If user B has public key YB = 3, what is the shared secret key K, shared with A?
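The primitive-root test, the q = 71 exchange and the q = 11 exercise above, worked in Python as an added example (not code from the slides). The exercise's private keys are recovered by brute-force discrete logarithm, which is feasible only because q is tiny; the block also runs the man-in-the-middle attack that the unauthenticated exchange permits.

```python
"""Diffie-Hellman over a prime q with primitive root a: the primitive-root test
from the slides, the q = 71 exchange, the q = 11 exercise solved by brute-force
discrete logarithm, and the man-in-the-middle weakness of the unauthenticated
protocol. Parameters are the slides' toy values; real deployments use a q of at
least 2048 bits (or elliptic curves), where discrete_log() is infeasible."""
from typing import List, Optional, Tuple


def power_table(a: int, p: int) -> List[Tuple[int, int, int]]:
    """Rows (i, a^i, a^i mod p) for i = 1..p-1, as in the slides' tables."""
    return [(i, a ** i, pow(a, i, p)) for i in range(1, p)]


def is_primitive_root(a: int, p: int) -> bool:
    """a is a primitive root of prime p iff a^1..a^(p-1) mod p hit every value 1..p-1."""
    return sorted(pow(a, i, p) for i in range(1, p)) == list(range(1, p))


def dh_public(a: int, q: int, x: int) -> int:
    """Y = a^X mod q."""
    return pow(a, x, q)


def dh_shared(peer_public: int, q: int, x: int) -> int:
    """K = Y_peer^X mod q."""
    return pow(peer_public, x, q)


def discrete_log(a: int, q: int, y: int) -> Optional[int]:
    """Brute force X with a^X = y mod q. Only feasible for toy q; the security of
    the scheme rests on this being infeasible for real parameters."""
    for x in range(1, q):
        if pow(a, x, q) == y:
            return x
    return None


def solve_exercise(q: int, a: int, ya: int, yb: int) -> Tuple[int, int, int]:
    """Recover XA and XB from the public keys and compute the shared K."""
    xa, xb = discrete_log(a, q, ya), discrete_log(a, q, yb)
    if xa is None or xb is None:
        raise ValueError("public key is not a power of a modulo q")
    k = dh_shared(yb, q, xa)
    assert k == dh_shared(ya, q, xb)   # both sides agree
    return xa, xb, k


def mitm(q: int, a: int, xa: int, xb: int, xe: int) -> Tuple[int, int, int, int]:
    """Eve replaces both public values in transit with her own YE = a^XE mod q.
    A and B each end up sharing a key with Eve, who decrypts and re-encrypts
    everything between them. Returns (K as A sees it, Eve's copy, K as B sees it, Eve's copy)."""
    ya, yb, ye = dh_public(a, q, xa), dh_public(a, q, xb), dh_public(a, q, xe)
    k_a = dh_shared(ye, q, xa)        # A believes ye is B's public key
    k_ae = dh_shared(ya, q, xe)
    k_b = dh_shared(ye, q, xb)        # B believes ye is A's public key
    k_be = dh_shared(yb, q, xe)
    return k_a, k_ae, k_b, k_be


if __name__ == "__main__":
    for row in power_table(3, 5):
        print(*row)                                  # the slide's table for a = 3, p = 5
    print(dh_public(7, 71, 5), dh_public(7, 71, 12))  # 51 4
    print(dh_shared(4, 71, 5), dh_shared(51, 71, 12)) # 30 30
    print(solve_exercise(11, 2, 9, 3))               # (6, 8, 3)
    print(mitm(71, 7, 5, 12, 9))                     # A's and B's keys both known to Eve
```

The MITM function is why Diffie-Hellman is always combined with authentication of the public values (signatures or certificates, as in TLS) in practice.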
Elliptic Curve Cryptography
Elliptic curve cryptography (ECC) is a public-key technique based on the algebra of points on an elliptic curve; it gives the same security as integer-based systems with smaller, more efficient keys.
ECC derives its security from the difficulty of the elliptic curve discrete logarithm problem rather than from the difficulty of factoring the product of two very large primes.
• ECC requires a significantly smaller key size for the same level of security.
• Benefits of smaller key sizes: faster computations, less storage and bandwidth.
• ECC is ideal for constrained environments: pagers, PDAs, cellular phones, smart cards.
Elliptic curve
• Elliptic curves are not ellipses. They are so named because they are described by cubic equations, similar to those used for calculating the circumference of an ellipse.
• An elliptic curve is the set of points (x, y) satisfying
y^2 = x^3 + ax + b
for chosen constants a and b, together with a point at infinity O. In cryptography the curve is taken over a finite field rather than over the real numbers.
ECC Diffie-Hellman Key Exchange (figures)
UNIT-III
Contents
Message Authentication and Hash Functions: authentication requirements; authentication functions; message authentication codes and hash functions; security of hash functions and MACs; Secure Hash Algorithm; Whirlpool; HMAC and CMAC. Digital Signatures: authentication protocols; Digital Signature Standard; Kerberos; X.509 Authentication Service; Public Key Infrastructure.
Authentication requirements (attacks to be countered)
• disclosure
• traffic analysis
• masquerade
• content modification
• sequence modification
• timing modification
• source repudiation
• destination repudiation
Authentication Functions
• Message encryption: the ciphertext of the entire message serves as its authenticator.
• Message authentication code (MAC): a function of the message and a secret key that produces a fixed-length value that serves as the authenticator.
• Hash function: a function that maps a message of any length into a fixed-length hash value, which serves as the authenticator.
Basic Uses of Message Encryption (figures)
Internal Error Control (figure)
External Error Control (figure)
Message Authentication Codes
A message authentication code (MAC) is a short piece of information used to authenticate a message.
MAC = C(K, M)
M = input message
C = MAC function
K = shared secret key
MAC = message authentication code
Basic Uses of Message Authentication Code (figures)
Requirements for MACs
1. Knowing a message and its MAC, it is infeasible to find another message with the same MAC.
2. MACs should be uniformly distributed.
3. The MAC should depend equally on all bits of the message.
Data Authentication Algorithm
• The Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC:
– use IV = 0 and zero-pad the final block
– encrypt the message using DES in CBC mode
– send just the final block as the MAC, or the leftmost M bits (16 ≤ M ≤ 64) of the final block
• The final MAC is now too small for security (64-bit block, 56-bit key).
Hash Function
A hash function accepts a variable-size message M as input and produces a fixed-size output, referred to as a hash code H(M).
The hash code is also referred to as a message digest or hash value.
A hash value h is generated by a function H of the form h = H(M).
Basic Uses of Hash Function (figures)
Requirements for Hash Functions
1. Can be applied to any size of message M.
2. Produces a fixed-length output h.
3. It is easy to compute h = H(M) for any message M.
4. Given h, it is infeasible to find x such that H(x) = h (the one-way property).
5. Weak collision resistance: given an input m1, it should be difficult to find another input m2 ≠ m1 such that H(m1) = H(m2).
6. Strong collision resistance: it should be difficult to find any two different messages m1 and m2 such that H(m1) = H(m2).
Hash Functions & MAC Security
• Like block ciphers, hash functions and MACs face brute-force attacks:
– finding a preimage or second preimage of an m-bit hash costs about 2^m work
– finding a collision (strong collision resistance) costs only about 2^(m/2) work, by the birthday paradox
– so a 128-bit hash such as MD5 offers at most 2^64 collision resistance and a 160-bit hash such as SHA-1 at most 2^80; both have since been broken by cryptanalysis as well (MD5 collisions since 2004, SHA-1 collisions demonstrated in 2017), and SHA-256 or larger should be used
– against a MAC with known message-MAC pairs, an attacker can attack either the key space (as in key search) or the MAC value itself; at least a 128-bit MAC is needed for security
• Cryptanalytic attacks exploit structure:
– as with block ciphers, we want brute force to be the best available attack
– there are a number of analytic attacks on iterated hash functions: CVi = f[CVi-1, Mi]; H(M) = CVN
– they typically focus on collisions in the compression function f
– like block ciphers, f is often composed of rounds, and the attacks exploit properties of the round functions
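The 2^(m/2) collision bound versus the 2^m preimage bound, demonstrated as an added Python example (not code from the slides). SHA-256 truncated to m bits stands in for an m-bit hash: the attack is generic and says nothing about SHA-256 itself, only about short outputs.

```python
"""Brute-force bounds on a hash function, demonstrated on SHA-256 truncated to m
bits (a stand-in for an m-bit hash; the attacks are generic, not SHA-256 flaws).
A collision (strong collision resistance) falls in about 2^(m/2) evaluations by
the birthday paradox; a second preimage (weak collision resistance) needs about
2^m, so the same 2^(m/2) budget almost never finds one."""
import hashlib
from typing import Optional, Tuple


def truncated_hash(data: bytes, bits: int) -> int:
    """Leftmost `bits` bits of SHA-256(data) as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def birthday_bound(bits: int) -> int:
    """Work factor from the slide: about 2^(m/2) evaluations."""
    return 2 ** (bits // 2)


def find_collision(bits: int, prefix: bytes = b"msg-") -> Tuple[bytes, bytes, int]:
    """Birthday attack: hash distinct inputs, remembering each digest, until one
    repeats. Returns (m1, m2, evaluations) with m1 != m2 and H(m1) == H(m2)."""
    seen = {}
    i = 0
    while True:
        msg = prefix + str(i).encode()
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
        i += 1


def second_preimage(target: bytes, bits: int, budget: int) -> Optional[int]:
    """Look for msg != target with the same truncated digest, giving up after
    `budget` evaluations. Expected cost is 2^bits, so with budget 2^(bits/2)
    the success probability is only about 2^(-bits/2)."""
    t = truncated_hash(target, bits)
    for i in range(budget):
        msg = b"alt-" + str(i).encode()
        if msg != target and truncated_hash(msg, bits) == t:
            return i + 1
    return None


if __name__ == "__main__":
    m1, m2, n = find_collision(24)
    print(m1, m2, n, "evaluations; birthday bound", birthday_bound(24))
    print(second_preimage(b"the target", 24, birthday_bound(24)))   # almost always None
```

Run with bits = 32 the collision still appears after tens of thousands of hashes, while a second preimage would need billions; scaling m to 128 gives the 2^64 figure quoted for MD5.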
Secure Hash Algorithms
The Secure Hash Algorithm (SHA) was developed by the National Institute of Standards and Technology (NIST) and published as a federal information processing standard (FIPS 180) in 1993.
Types of SHA
1. SHA-0 (the original 1993 version, withdrawn)
2. SHA-1
3. SHA-224
4. SHA-256
5. SHA-384
6. SHA-512
(SHA-224 through SHA-512 are collectively known as SHA-2.)
Comparisons
                      SHA-1     SHA-256   SHA-384   SHA-512
Message digest size   160       256       384       512
Message size          < 2^64    < 2^64    < 2^128   < 2^128
Block size            512       512       1024      1024
Word size             32        32        64        64
Number of steps       80        64        80        80
SHA-512
• The algorithm takes as input a message with a maximum length of less than 2^128 bits and produces as output a 512-bit message digest.
• The input is processed in 1024-bit blocks.
SHA-512 Logic
Padding is the addition of extra bits to the message so that its length is congruent to 896 modulo 1024: a single 1 bit followed by the necessary number of 0 bits. Padding is always added, even if the message is already of the desired length. A 128-bit block holding the length of the original message is then appended, bringing the total to a multiple of 1024 bits.
Message Digest Generation Using SHA-512
Step 1: Append padding bits.
Step 2: Append length.
Step 3: Initialize hash buffer.
Step 4: Process message in 1024-bit (sixteen 64-bit words) blocks.
Processing of a Single 1024-Bit Block
• A 512-bit buffer is used to hold intermediate and final results of the hash function.
• The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h).
• These registers are initialized to the following 64-bit hexadecimal values (the first 64 bits of the fractional parts of the square roots of the first eight primes):
a = 6A09E667F3BCC908
b = BB67AE8584CAA73B
c = 3C6EF372FE94F82B
d = A54FF53A5F1D36F1
e = 510E527FADE682D1
f = 9B05688C2B3E6C1F
g = 1F83D9ABFB41BD6B
h = 5BE0CD19137E2179
SHA-512 Processing of a Single 1024-Bit Block
• Each of the 80 rounds takes as input the 512-bit buffer value abcdefgh and updates the contents of the buffer.
• The output of the last round is added to the input of the first round to produce the chaining value:
H0 = IV
Hi = SUM64(Hi-1, abcdefghi)
MD = HN
where
IV = initial value of the abcdefgh buffer
abcdefghi = the output of the last round of processing of the ith message block
N = the number of blocks in the message (including padding and length fields)
SUM64 = addition modulo 2^64 performed separately on each word of the pair of inputs
MD = final message digest value
SHA-512 Round Function (figures)
Creation of 80-word Input Sequence for SHA-512 Processing of Single Block (figures)
Whirlpool
• Whirlpool is based on the use of a block cipher for the compression function.
• It takes a message of any length less than 2^256 bits and returns a 512-bit message digest.
Features
• The hash code length is 512 bits.
• The underlying block cipher W is based on AES.
Whirlpool Hash Structure (figure)
Message Digest Generation Using Whirlpool
Step 1: Append padding bits.
Step 2: Append length.
Step 3: Initialize hash matrix.
Step 4: Process message in 512-bit (64-byte) blocks, using as its core the block cipher W.
Comparison of Whirlpool Block Cipher W and AES
                      W                           AES
Block size (bits)     512                         128
Key size (bits)       512                         128, 192, or 256
Matrix orientation    input is mapped row-wise    input is mapped column-wise
Number of rounds      10                          10, 12, or 14
Whirlpool Block Cipher W
The encryption algorithm takes a 512-bit block of plaintext and a 512-bit key as input and produces a 512-bit block of ciphertext as output.
The encryption algorithm involves the use of four different functions: add key (AK), substitute bytes (SB), shift columns (SC), and mix rows (MR).
Whirlpool Matrix Structure
• The plaintext input to W is a single 512-bit block.
• This block is treated as an 8 × 8 square matrix of bytes, labeled CState.
The Nonlinear Layer SB
The leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits are used as a column value.
These row and column values serve as indexes into the S-box to select a unique 8-bit output value.
For example, the hexadecimal value {95} references row 9, column 5 of the S-box, which contains the value {BA}. Accordingly, the value {95} is mapped into the value {BA}.
Mix Rows
• Each byte of a row is mapped into a new value that is a function of all eight bytes in that row.
• The transformation can be defined by the matrix multiplication B = A · C, where A is the input matrix, B is the output matrix, and C is the (circulant) transformation matrix; the arithmetic is in GF(2^8), as in the AES MixColumns step.
Whirlpool Performance & Security
• Whirlpool is a relatively recent design (published in 2000 and adopted in ISO/IEC 10118-3), so there is far less deployment experience and published analysis than for the SHA family.
• Compared to SHA-512, Whirlpool requires more hardware resources but performs much better in terms of throughput.
MAC
Types of MAC
• HMAC (Hash-based Message Authentication Code)
• CMAC (Cipher-based Message Authentication Code)
HMAC
• HMAC is a message authentication code generated from a cryptographic hash function and a secret key.
• HMAC is computationally fast and very compact, and hash function code is widely available.
• Any cryptographic hash function, such as MD5, SHA-1 or SHA-256, may be used in the calculation of an HMAC. The strength of HMAC depends on the strength of the embedded hash, so SHA-256 or stronger is the recommended choice today.
HMAC Algorithm
H = embedded hash function
IV = initial value input to hash function
M = message input to HMAC
Yi = ith block of M, L = number of blocks in M
b = number of bits in a block
n = length of hash code produced by embedded hash function
K = secret key; if K is longer than b bits, it is first hashed with H to give an n-bit key (RFC 2104)
K+ = K padded with zeros on the right so that the result is b bits in length
ipad = 00110110 (36 in hexadecimal) repeated b/8 times
opad = 01011100 (5C in hexadecimal) repeated b/8 times
HMAC Overview
1. Append zeros to the right end of K to create a b-bit string K+.
2. XOR K+ with ipad to produce the b-bit block Si.
3. Append M to Si.
4. Apply H to the stream generated in step 3.
5. XOR K+ with opad to produce the b-bit block So.
6. Append the hash result from step 4 to So.
7. Apply H to the stream generated in step 6 and output the result.
HMAC(K, M) = H[(K+ ⊕ opad) || H[(K+ ⊕ ipad) || M]]
Efficient Implementation of HMAC
Two quantities are precomputed once per key: f(IV, K+ ⊕ ipad) and f(IV, K+ ⊕ opad), where f is the compression function of the hash. They replace the IV in the inner and outer hash computations, so each message costs only the hashing of M plus one extra block, rather than two extra blocks.
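The seven HMAC steps and the precomputed form above, written out in Python as an added example (not code from the slides) and checked against the standard library's `hmac` module for several key lengths, including a key longer than a block, which RFC 2104 hashes first.

```python
"""HMAC built step by step from the construction above (RFC 2104) and checked
against Python's hmac module, plus the efficient form that precomputes the hash
state after absorbing (K+ XOR ipad) and (K+ XOR opad) once per key."""
import hashlib
import hmac

IPAD = 0x36   # 00110110
OPAD = 0x5C   # 01011100


def _padded_key(key: bytes, hash_name: str) -> bytes:
    """K+: K padded with zeros on the right to one block (b bits). A key longer
    than a block is first hashed down to n bits, as RFC 2104 requires."""
    block = hashlib.new(hash_name).block_size
    if len(key) > block:
        key = hashlib.new(hash_name, key).digest()
    return key + b"\x00" * (block - len(key))


def hmac_from_scratch(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    k_plus = _padded_key(key, hash_name)                     # step 1
    s_i = bytes(k ^ IPAD for k in k_plus)                    # step 2
    inner = hashlib.new(hash_name, s_i + message).digest()   # steps 3-4
    s_o = bytes(k ^ OPAD for k in k_plus)                    # step 5
    return hashlib.new(hash_name, s_o + inner).digest()      # steps 6-7


class PrecomputedHMAC:
    """Efficient implementation: the inner and outer hash states after the first
    block are computed once per key; each message then costs H over M plus one block."""

    def __init__(self, key: bytes, hash_name: str = "sha256"):
        k_plus = _padded_key(key, hash_name)
        self._inner = hashlib.new(hash_name, bytes(k ^ IPAD for k in k_plus))
        self._outer = hashlib.new(hash_name, bytes(k ^ OPAD for k in k_plus))

    def tag(self, message: bytes) -> bytes:
        inner = self._inner.copy()          # resume from f(IV, K+ xor ipad)
        inner.update(message)
        outer = self._outer.copy()          # resume from f(IV, K+ xor opad)
        outer.update(inner.digest())
        return outer.digest()


def reference_hmac(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """Standard-library HMAC, used to check the hand-built version."""
    return hmac.new(key, message, hash_name).digest()


def verify(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Constant-time comparison; a plain == on tags leaks timing information."""
    return hmac.compare_digest(hmac_from_scratch(key, message, hash_name), tag)


if __name__ == "__main__":
    key, msg = b"0123456789abcdef0123", b"Hi There"
    print(hmac_from_scratch(key, msg).hex())
    print(hmac_from_scratch(key, msg) == reference_hmac(key, msg))          # True
    print(PrecomputedHMAC(key).tag(msg) == reference_hmac(key, msg))        # True
```

The `PrecomputedHMAC` class is the practical reason the construction uses the key only in the first block of each hash: a server checking millions of tags under one key pays the key-mixing cost once.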
CMAC
A message authentication code generated with a block cipher.
CMAC Overview
The message is divided into n blocks M1, ..., Mn, padded if necessary.
The algorithm makes use of a k-bit encryption key K and an n-bit constant K1 or K2 (depending on whether the message was padded or not).
T = MSB_Tlen(Cn)
where
T = message authentication code, also referred to as the tag
Tlen = bit length of T
MSBs(X) = the s leftmost bits of the bit string X
Digital signature
A digital signature is an authentication mechanism that enables the creator of a message to attach a code that acts as a signature.
The signature is formed by taking the hash of the message and encrypting the hash with the creator's private key. The signature guarantees the source and integrity of the message, and the creator cannot later deny having produced it (non-repudiation).
Digital Signature Properties
• The signature must be a bit pattern that depends on the message being signed.
• The signature must use some information unique to the sender, to prevent both forgery and denial.
• It must be relatively easy to produce the digital signature.
• It must be relatively easy to recognize and verify the digital signature.
• It must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing signature or by constructing a fraudulent signature for a given message.
• It must be practical to retain a copy of the digital signature in storage.
Direct Digital Signatures
• Direct digital signatures involve only the communicating parties (source and destination).
• A digital signature may be formed by encrypting the entire message, or a hash of it, with the sender's private key.
• Confidentiality can be provided by further encrypting the message plus signature using either a public-key or a secret-key scheme; sign first and then encrypt, so that a dispute can be settled on the signed plaintext.
• The validity of the scheme depends on the security of the sender's private key: if it is lost or stolen, earlier signatures can be repudiated.
Arbitrated Digital Signatures
• involve the use of an arbiter A
– A validates any signed message
– the message is then dated and sent to the recipient
• requires a suitable level of trust in the arbiter
• can be implemented with either private-key or public-key algorithms
• the arbiter may or may not see the message
Notation used in the arbitrated schemes (figure):
X = sender
Y = recipient
A = arbiter
M = message
T = timestamp
Authentication Protocols
• Authentication protocols are used to convince parties of each other's identity and to exchange session keys.
• They may be one-way or mutual.
One-Way Authentication
• required when sender and receiver are not in communication at the same time (e.g., email)
Mutual Authentication
• required when sender and receiver are in communication at the same time (e.g., client-server); the central issues are confidentiality of the exchanged session key and timeliness (protection against replay)
Digital Signature Standard
The digital signature standard (DSS) is an NIST standard that uses the secure hash algorithm (SHA).
Two Approaches to Digital Signatures
The Digital Signature Algorithm (DSA)
Global Public-Key Components
p = prime number where 2^(L-1) < p < 2^L for 512 <= L <= 1024
q = prime divisor of (p - 1), where 2^159 < q < 2^160
g = h^((p-1)/q) mod p, where h is any integer with 1 < h < (p - 1) such that h^((p-1)/q) mod p > 1
User's Private Key
x = random or pseudorandom integer with 0 < x < q
User's Public Key
y = g^x mod p
User's Per-Message Secret Number
k = random or pseudorandom integer with 0 < k < q
Signing
r = (g^k mod p) mod q
s = [k^-1 (H(M) + xr)] mod q
Signature = (r, s)
Verifying
w = (s')^-1 mod q
u1 = [H(M') w] mod q
u2 = (r') w mod q
v = [(g^u1 y^u2) mod p] mod q
Verifying
TEST: v = r'
M = message to be signed
H(M) = hash of M using SHA-1
M', r', s' = received versions of M, r, s
Kerberos
Kerberos
Kerberos provides a centralized authentication server whose function is to authenticate users to servers and servers to users.
Kerberos
Kerberos is an authentication service designed for use in a distributed environment.
Kerberos makes use of a trusted third-party authentication service that enables clients and servers to establish authenticated communication.
Requirements for Kerberos
Secure: an opponent does not find it to be the weak link.
Scalable: the system supports a large number of clients and servers.
Reliable: for all services that rely on Kerberos for access control, lack of availability of the Kerberos service means lack of availability of the supported services.
Transparent: the user should not be aware that authentication is taking place.
A Simple Authentication Dialogue
C = client
AS = authentication server
V = server
IDC = identifier of user on C
IDV = identifier of V
PC = password of user on C
ADC = network address of C
Kv = secret encryption key shared by AS and V
A Simple Authentication Dialogue
(1) C -> AS: IDC || PC || IDV
(2) AS -> C: Ticket
(3) C -> V: IDC || Ticket
Ticket = E(Kv, [IDC || ADC || IDV])
Kv = secret key shared by AS and V (server)
PC = password of client
A More Secure Authentication Dialogue
The simple dialogue has two problems: the number of times a user has to enter a password should be minimized, and tickets are not reusable across services. To solve these problems, the scheme introduces a new server, known as the ticket-granting server (TGS).
Once per user logon session:
(1) C -> AS: IDC || IDtgs
(2) AS -> C: E(Kc, Tickettgs)
Once per type of service:
(3) C -> TGS: IDC || IDV || Tickettgs
(4) TGS -> C: Ticketv
Once per service session:
(5) C -> V: IDC || Ticketv
Kerberos 4 Overview
1.The client requests a ticket-granting ticket on behalf of the user by sending its user's ID and password to the AS, together with the TGS ID, indicating a request to use the TGS service.
2. The AS responds with a ticket that is encrypted with a key that is derived from the user's password. When this response arrives at the client, the client prompts the user for his or her password, generates the key, and attempts to decrypt the incoming message. If the correct password is supplied, the ticket is successfully recovered.
3.The client requests a service-granting ticket on behalf of the user.
4. The TGS decrypts the incoming ticket and verifies the success of the decryption by the presence of its ID. It checks to make sure that the lifetime has not expired. Then it compares the user ID and network address with the incoming information to authenticate the user. If the user is permitted access to the server V, the TGS issues a ticket to grant access to the requested service.
5.The client requests access to a service on behalf of the user. For this purpose, the client transmits a message to the server containing the user's ID and the service-granting ticket. The server authenticates by using the contents of the ticket.
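The five-step dialogue above, simulated as an added example (not code from the slides or from any Kerberos implementation). The AS, TGS and server share keys in a constructed in-memory table; the encryption is a toy HMAC-based encrypt-then-MAC construction standing in for the DES that Kerberos 4 uses, and the ticket fields, lifetime and host addresses are constructed values. The point is step 4: what the TGS and server check before honouring a ticket.

```python
import hashlib
import hmac
import json
import os
import time

LIFETIME = 8 * 3600   # ticket lifetime in seconds (constructed value)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (HMAC-SHA256 in counter mode) standing in for the DES
    encryption real Kerberos 4 uses; for this demo only."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, fields: dict) -> bytes:
    """E(K, fields): encrypt-then-MAC, so a wrong key or a modified ticket is detected."""
    plaintext = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("decryption failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))

def password_key(password: str) -> bytes:
    """K_c derived from the user's password (stand-in for the Kerberos string-to-key function)."""
    return hashlib.sha256(password.encode()).digest()

# Constructed sample realm: the AS holds every user's K_c and every server's secret key.
AS_DB = {
    "users": {"alice": password_key("correct horse")},
    "servers": {"tgs": os.urandom(32), "fileserver": os.urandom(32)},
}

def make_ticket(k_server: bytes, id_c: str, ad_c: str, id_v: str, now: float) -> bytes:
    """Ticket = E(K_v, [ID_C || AD_C || ID_V || TS || Lifetime])."""
    return encrypt(k_server, {"id_c": id_c, "ad_c": ad_c, "id_v": id_v, "ts": now, "lifetime": LIFETIME})

def validate_ticket(k_server: bytes, ticket: bytes, own_id: str, id_c: str, ad_c: str, now: float) -> dict:
    """Step 4 checks: decrypt, confirm own ID is present, lifetime not expired,
    and the presented user ID / network address match the ticket."""
    t = decrypt(k_server, ticket)
    if t.get("id_v") != own_id:
        raise PermissionError("ticket was not issued for this server")
    if now > t["ts"] + t["lifetime"]:
        raise PermissionError("ticket lifetime expired")
    if t["id_c"] != id_c or t["ad_c"] != ad_c:
        raise PermissionError("user ID or network address does not match the ticket")
    return t

def as_exchange(id_c: str, ad_c: str, now: float) -> bytes:
    """Steps 1-2: AS -> C : E(K_c, Ticket_tgs)."""
    ticket_tgs = make_ticket(AS_DB["servers"]["tgs"], id_c, ad_c, "tgs", now)
    return encrypt(AS_DB["users"][id_c], {"ticket_tgs": ticket_tgs.hex()})

def client_login(id_c: str, password: str, ad_c: str, now: float) -> bytes:
    """Client side of step 2: derive K_c from the typed password and recover Ticket_tgs."""
    return bytes.fromhex(decrypt(password_key(password), as_exchange(id_c, ad_c, now))["ticket_tgs"])

def tgs_exchange(id_c: str, ad_c: str, id_v: str, ticket_tgs: bytes, now: float) -> bytes:
    """Steps 3-4: TGS validates Ticket_tgs, then issues Ticket_v."""
    validate_ticket(AS_DB["servers"]["tgs"], ticket_tgs, "tgs", id_c, ad_c, now)
    return make_ticket(AS_DB["servers"][id_v], id_c, ad_c, id_v, now)

def server_exchange(id_c: str, ad_c: str, id_v: str, ticket_v: bytes, now: float) -> bool:
    """Step 5: V authenticates the client from the ticket contents alone."""
    validate_ticket(AS_DB["servers"][id_v], ticket_v, id_v, id_c, ad_c, now)
    return True

def demo() -> dict:
    """Run the dialogue once, then show which checks reject a bad request."""
    now, host = time.time(), "10.0.0.5"
    ticket_tgs = client_login("alice", "correct horse", host, now)
    ticket_v = tgs_exchange("alice", host, "fileserver", ticket_tgs, now)
    outcome = {"service_granted": server_exchange("alice", host, "fileserver", ticket_v, now)}
    bad_requests = {
        "wrong_password": lambda: client_login("alice", "wrong", host, now),
        "ticket_from_other_address": lambda: tgs_exchange("alice", "10.0.0.9", "fileserver", ticket_tgs, now),
        "expired_ticket": lambda: server_exchange("alice", host, "fileserver", ticket_v, now + LIFETIME + 1),
        "ticket_for_wrong_server": lambda: server_exchange("alice", host, "tgs", ticket_v, now),
    }
    for name, attempt in bad_requests.items():
        try:
            attempt()
            outcome[name] = "accepted"
        except (ValueError, PermissionError) as exc:
            outcome[name] = "rejected: " + str(exc)
    return outcome
```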
Kerberos allows the global distribution of ASs and TGSs, with each system called a realm. A user may get a ticket for a local server or a remote server.
Kerberos realm
• 1. The Kerberos server must have the user ID and hashed passwords of all participating users in its database.
• 2. The Kerberos server must share a secret key with each server. All servers are registered with the Kerberos server.
• Such an environment is referred to as a Kerberos realm.
31/03/2005 Authentication Applications471
Request for service in another realm:
1. Request ticket for local TGS
2. Ticket for local TGS
3. Request ticket for remote TGS
4. Ticket for remote TGS
5. Request ticket for remote server
6. Ticket for remote server
7. Request for remote service
The minor differences between version 4 and version 5:
1) Version 5 has a longer ticket lifetime.
2) Version 5 allows tickets to be renewed.
3) Version 5 can accept any symmetric-key algorithm.
4) Version 5 uses a different protocol for describing data types.
5) Version 5 has more overhead than version 4.
X.509 Authentication Service
X.509 is an ITU-T standard for a public key infrastructure (PKI) and Privilege Management Infrastructure (PMI).
X.509 specifies standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.
Public-Key Certificate Use
X.509 Certificates
• issued by a Certification Authority (CA), containing:
– version (1, 2, or 3)
– serial number (unique within CA) identifying certificate
– signature algorithm identifier
– issuer X.500 name (CA)
– period of validity (from - to dates)
– subject X.500 name (name of owner)
– subject public-key info (algorithm, parameters, key)
– issuer unique identifier (v2+)
– subject unique identifier (v2+)
– extension fields (v3)
– signature (of hash of all fields in certificate)
• notation CA<<A>> denotes certificate for A signed by CA
X.509 Certificates
CRL
• certificates have a period of validity
• may need to revoke before expiry, e.g.:
1. user's private key is compromised
2. user is no longer certified by this CA
3. CA's certificate is compromised
• CRL is a file that contains a list of revoked certificates, their serial numbers, and their revocation dates.
Obtaining a Certificate
• any user with access to the CA can get any certificate from it
• only the CA can modify a certificate
• because they cannot be forged, certificates can be placed in a public directory
CA Hierarchy
• if both users share a common CA then they are assumed to know its public key
• otherwise CAs must form a hierarchy
• use certificates linking members of hierarchy to validate other CAs
– each CA has certificates for clients (forward) and parent (backward)
• each client trusts its parent's certificates
• enable verification of any certificate from one CA by users of all other CAs in hierarchy
CA Hierarchy Use
A obtains B's certificate using the chain: X<<W>> W<<V>> V<<Y>> Y<<Z>> Z<<B>>
Authentication Procedures:
• CA must authenticate/verify an applicant before issuing a certificate for it.
• Three alternative authentication procedures:
– One-Way Authentication
– Two-Way Authentication
– Three-Way Authentication
One-Way Authentication
• One way authentication involves a single transfer of information from one user (A) to another (B)
One-Way Authentication:
• 1 message (A -> B) used to establish
– the identity of A and that message is from A
– message was intended for B
– integrity & originality of message
1. A -> B: A{tA, rA, B, sgnData, KUb[Kab]}
tA = timestamp, rA = nonce, B = identity, sgnData = signed with A's private key
Two-Way Authentication
• 2 messages (A -> B, B -> A) which also establishes in addition:
– the identity of B and that reply is from B
– that reply is intended for A
– integrity & originality of reply
1. A -> B: A{tA, rA, B, sgnData, KUb[Kab]}
2. B -> A: B{tB, rB, A, sgnData, KUa[Kab]}
Three-Way Authentication
• 3 messages (A -> B, B -> A, A -> B) which enables the above authentication without synchronized clocks
1. A -> B: A{tA, rA, B, sgnData, KUb[Kab]}
2. B -> A: B{tB, rB, A, sgnData, KUa[Kab]}
3. A -> B: A{rB}
Public-Key Infrastructure
A public-key infrastructure (PKI) is defined as the set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates based on asymmetric cryptography.
Public-Key Infrastructure
End entity: A generic term used to denote end users, devices (e.g., servers, routers).
Certification authority (CA): The issuer of certificates and certificate revocation lists (CRLs).
Registration authority (RA): An optional component that can assume a number of administrative functions.
Public-Key Infrastructure
CRL issuer: An optional component that a CA can delegate to publish CRLs.
Repository: A generic term used to denote any method for storing certificates and CRLs so that they can be retrieved by end entities.
Public-Key Infrastructure
Public-Key Infrastructure
Registration: This is the process whereby a user first makes itself known to a CA (directly, or through an RA), prior to that CA issuing a certificate or certificates for that user.
Initialization: Before a client system can operate securely, it is necessary to install key materials that have the appropriate relationship with keys stored elsewhere in the infrastructure.
Public-Key Infrastructure
Certification: This is the process in which a CA issues a certificate for a user's public key, and returns that certificate to the user's client system and/or posts that certificate in a repository.
Key pair update: All key pairs need to be updated regularly (i.e., replaced with a new key pair) and new certificates issued.
Public-Key Infrastructure
Cross certification: one certification authority issues a certificate to another certification authority.
UNIT-IV
Contents
Pretty Good Privacy S/MIME IP Security Overview IP Security Architecture Authentication Header Encapsulating Security Payload Combining Security Associations Key management.
Pretty Good Privacy
Pretty Good Privacy
PGP provides a confidentiality and authentication service that can be used for electronic mail and file storage applications.
Pretty Good Privacy
PGP is an open-source freely available software package for e-mail security.
It provides authentication through the use of digital signature;
It provides confidentiality through the use of symmetric block encryption;
Pretty Good Privacy
It provides compression using the ZIP algorithm.
It provides e-mail compatibility using the radix-64 encoding scheme.
It provides Segmentation and reassembly to accommodate long e-mails.
Pretty Good Privacy
Ks =session key used in symmetric encryption scheme
PRa =private key of user A, used in public-key encryption scheme
PUa =public key of user A, used in public-key encryption scheme
Pretty Good Privacy
EP = public-key encryption
DP = public-key decryption
EC = symmetric encryption
DC = symmetric decryption
H = hash function
|| = concatenation
Z = compression using ZIP algorithm
R64 = conversion to radix-64 ASCII format
Authentication
1. The sender creates a message.
2. SHA-1 is used to generate a 160-bit hash code of the message.
3. The hash code is encrypted with RSA using the sender's private key, and the result is prepended to the message.
4. The receiver uses RSA with the sender's public key to decrypt and recover the hash code.
Authentication
5. The receiver generates a new hash code for the message and compares it with the decrypted hash code. If the two match, the message is accepted as authentic.
Confidentiality
1.The sender generates a message and a random 128-bit number to be used as a session key for this message only.
2.The message is encrypted, using CAST-128 (or IDEA or 3DES) with the session key.
3.The session key is encrypted with RSA, using the recipient's public key, and is prepended to the message.
Confidentiality
4.The receiver uses RSA with its private key to decrypt and recover the session key.
5.The session key is used to decrypt the message.
Transmission and Reception of PGP Messages
PGP Message Format
The message component includes the actual data to be stored or transmitted, as well as a filename and a timestamp that specifies the time of creation.
PGP Message Format
The signature component includes the following:
Timestamp: The time at which the signature was made.
Message digest: The 160-bit SHA-1 digest, encrypted with the sender's private signature key.
PGP Message Format
• Leading two octets of message digest: To enable the recipient to determine if the correct public key was used to decrypt the message digest for authentication.
• Key ID of sender's public key: Identifies the public key that should be used to decrypt the message digest.
PGP Message Format
The session key component includes the session key and the identifier of the recipient's public key that was used by the sender to encrypt the session key.
Signing the message
PGP retrieves the sender's private key from the private-key ring using your_userid as an index. If your_userid was not provided in the command, the first private key on the ring is retrieved.
PGP prompts the user for the passphrase to recover the unencrypted private key.
The signature component of the message is constructed.
Encrypting the message
PGP generates a session key and encrypts the message.
PGP retrieves the recipient's public key from the public-key ring using her_userid as an index.
The session key component of the message is constructed.
PGP Message Generation
PGP Message Reception
Decrypting the message
PGP retrieves the receiver's private key from the private-key ring, using the Key ID field in the session key component of the message as an index.
PGP prompts the user for the passphrase to recover the unencrypted private key.
PGP then recovers the session key and decrypts the message.
Authenticating the message
PGP retrieves the sender's public key from the public-key ring, using the Key ID field in the signature component of the message as an index.
PGP recovers the transmitted message digest.
PGP computes the message digest for the received message and compares it to the transmitted message digest to authenticate.
S/MIME
Another security service designed for electronic mail is Secure/Multipurpose Internet Mail Extension (S/MIME).
The protocol is an enhancement of the Multipurpose Internet Mail Extension (MIME) protocol.
RFC 822
RFC 822 defines a format for text messages that are sent using electronic mail. It has been the standard for Internet-based text mail messages and remains in common use.
RFC 822
MIME
MIME is an extension to the RFC 822 framework that is intended to address some of the problems and limitations of the use of SMTP .
MIME
SMTP cannot transmit executable files or other binary objects.
SMTP cannot transmit text data that includes national language characters.
SMTP servers may reject mail messages over a certain size.
SMTP cannot handle non-textual data.
MIME
MIME Message structure
MIME-Version: This header defines the version of MIME used. The current version is 1.1.
Content-Type: The content type and the content subtype are separated by a slash. Depending on the subtype, the header may contain other parameters.
S/MIME Functions
enveloped data: encrypted content and associated keys
signed data: encoded message + signed digest
clear-signed data: clear text message + encoded signed digest
signed & enveloped data: nesting of signed & encrypted entities
Cryptographic Algorithms
Function: Create a message digest to be used in forming a digital signature.
Requirement: MUST support SHA-1. Receiver SHOULD support MD5 for backward compatibility.
Function: Encrypt message digest to form digital signature.
Requirement: Sending and receiving agents MUST support DSS. Sending agents SHOULD support RSA encryption. Receiving agents SHOULD support verification of RSA signatures with key sizes 512 bits to 1024 bits.
Function: Encrypt session key for transmission with message.
Requirement: Sending and receiving agents SHOULD support Diffie-Hellman. Sending and receiving agents MUST support RSA encryption with key sizes 512 bits to 1024 bits.
Cryptographic Algorithms
Function: Encrypt message for transmission with one-time session key.
Requirement: Sending and receiving agents MUST support encryption with triple DES. Sending agents SHOULD support encryption with AES. Sending agents SHOULD support encryption with RC2/40.
S/MIME Messages
Type         Subtype      smime Parameter         Description
Multipart    Signed       (none)                  A clear-signed message in two parts: one is the message and the other is the signature.
Application  pkcs7-mime   signedData              A signed S/MIME entity.
Application  pkcs7-mime   envelopedData           An encrypted S/MIME entity.
Application  pkcs7-mime   degenerate signedData   An entity containing only public-key certificates.
Application  pkcs7-mime   CompressedData          A compressed S/MIME entity.
Enveloped data
This consists of encrypted content of any type and encrypted content-encryption keys for one or more recipients.
Enveloped data structure (S/MIME message formats):
Version
Originator Info
Recipient Info (one per recipient):
  Version
  Recipient ID (issuer and serial number)
  Key Encryption Algorithm
  Encrypted Key
Encrypted Content Info:
  Content type
  Content Encryption Algorithm
  Encrypted Content
Enveloped data – Example
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=smime.p7m

rfvbnj756tbBghyHhHUujhJhjH77n8HHGT9HG4VQpfyF467GhIGfHfYT67n8HHGghyHhHUujhJh4VQpfyF467GhIGfHfYGTrfvbnjT6jH7756tbB9Hf8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF40GhIGfHfQbnj756YT64V
Signed data
A digital signature is formed by taking the message digest of the content to be signed and then encrypting that with the private key of the signer.
Clear-signed data
recipients without S/MIME capability can view the message content, although they cannot verify the signature.
Clear-signed data – Example
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary=boundary42

--boundary42
Content-Type: text/plain

This is a clear-signed message.

--boundary42
Content-Type: application/pkcs7-signature; name=smime.p7s
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=smime.p7s

ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfHfYT64VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbB9HGTrfvbnjn8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF47GhIGfHfYT64VQbnj756
--boundary42--
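A parser for the clear-signed (multipart/signed) structure shown above, added here as an example and not taken from the slides or any S/MIME product. It uses Python's standard email library on a constructed message with the same headers and boundary as the example; the signature part is a placeholder string rather than a real PKCS#7 object, so the code stops at the point where a verifier would hand the recovered MIC and signature blob to the PKCS#7 layer.

```python
import base64
import hashlib
from email import message_from_bytes
from email.policy import SMTP

# Constructed clear-signed message in the format shown above; the "signature" is a
# placeholder string, not a real PKCS#7 SignedData object.
PLACEHOLDER_SIG = base64.b64encode(b"constructed placeholder signature").decode()
SAMPLE = (
    "Content-Type: multipart/signed; protocol=\"application/pkcs7-signature\";\r\n"
    " micalg=sha1; boundary=boundary42\r\n"
    "\r\n"
    "--boundary42\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "This is a clear-signed message.\r\n"
    "\r\n"
    "--boundary42\r\n"
    "Content-Type: application/pkcs7-signature; name=smime.p7s\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "Content-Disposition: attachment; filename=smime.p7s\r\n"
    "\r\n"
    f"{PLACEHOLDER_SIG}\r\n"
    "--boundary42--\r\n"
).encode()


def split_clear_signed(raw: bytes) -> dict:
    """Check the multipart/signed structure and return the pieces a verifier needs:
    the bytes the MIC is computed over, the digest algorithm and the signature blob."""
    msg = message_from_bytes(raw, policy=SMTP)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed entity")
    protocol = msg.get_param("protocol")
    micalg = msg.get_param("micalg")
    parts = msg.get_payload()
    if len(parts) != 2:
        raise ValueError("multipart/signed must have exactly two body parts")
    content, signature = parts
    # The second part must be the type the protocol parameter announces.
    if signature.get_content_type() != protocol:
        raise ValueError(f"signature part is {signature.get_content_type()}, expected {protocol}")
    # The MIC covers the first body part as transmitted: its headers and body in
    # canonical (CRLF) form; re-serializing with the SMTP policy yields that form.
    signed_bytes = content.as_bytes(policy=SMTP)
    algo = micalg.lower().replace("-", "")          # "sha1" / "sha-1" -> hashlib name
    if algo not in hashlib.algorithms_available:
        raise ValueError(f"unsupported micalg {micalg}")
    return {
        "protocol": protocol,
        "micalg": algo,
        "text": content.get_content(),
        "mic": hashlib.new(algo, signed_bytes).hexdigest(),
        "signature": signature.get_payload(decode=True),
    }


def is_clear_signed(raw: bytes) -> bool:
    """True when the structure checks pass (the signature itself is not verified here)."""
    try:
        split_clear_signed(raw)
        return True
    except ValueError:
        return False
```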
Signed and enveloped data
Signed-only and encrypted-only entities may be nested, so that encrypted data may be signed and signed data or clear-signed data may be encrypted.
IP Security
• IP security (IPSec) is a capability that can be added to either current version of the Internet Protocol (IPv4 or IPv6), by means of additional headers.
• IPSec encompasses three functional areas: authentication, confidentiality, and key management.
IP Security
The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME, PGP), client/server (Kerberos), Web access (Secure Sockets Layer), and others.
IPSec
The authentication mechanism assures that a received packet was transmitted by the party identified as the source in the packet header, and that the packet has not been altered in transit.
IPSec
The confidentiality facility enables communicating nodes to encrypt messages to prevent eavesdropping by third parties.
The key management facility is concerned with the secure exchange of keys. IPSec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet.
IPSec Uses
An organization maintains LANs at dispersed locations.
Non-secure IP traffic is conducted on each LAN.
For traffic offsite, through some sort of private or public WAN, IPSec protocols are used.
These protocols operate in networking devices, such as a router or firewall, that connect each LAN to the outside world.
The IPSec networking device will typically encrypt and compress all traffic going into the WAN, and decrypt and decompress traffic coming from the WAN; these operations are transparent to workstations and servers on the LAN.
Secure transmission is also possible with individual users who dial into the WAN. Such user workstations must implement the IPSec protocols to provide security.
Benefits of IPSec
When IPSec is implemented in a firewall or router, it provides strong security.
IPSec is below the transport layer (TCP, UDP) and so is transparent to applications.
IPSec can be transparent to end users.
IPSec can provide security for individual users.
IP Security Architecture
The IPSec specification consists of numerous documents.
RFC 2401: An overview of a security architecture
RFC 2402: Description of a packet authentication extension to IPv4 and IPv6
RFC 2406: Description of a packet encryption extension to IPv4 and IPv6
RFC 2408: Specification of key management capabilities
IPSec Document Overview
IPSec Document Overview
Encapsulating Security Payload (ESP): Covers the packet format and general issues related to the use of the ESP for packet encryption and, optionally, authentication.
Domain of Interpretation (DOI): Contains values needed for the other documents to relate to each other.
IPSec Document Overview
Authentication Header (AH): Covers the packet format and general issues related to the use of AH for packet authentication.
IPSec Document Overview
• Encryption Algorithm: A set of documents that describe how various encryption algorithms are used for ESP.
• Authentication Algorithm: A set of documents that describe how various authentication algorithms are used for AH and for the authentication option of ESP.
• Key Management: Documents that describe key management schemes.
IPSec Services
• Connectionless integrity: assurance that received traffic has not been modified.
• Data origin authentication: assurance that traffic is sent by a valid party.
• Confidentiality (encryption): assurance that the user's traffic is not examined by non-authorized parties.
• Access control: prevention of unauthorized use of a resource.
Applications of IPSec
Secure branch office connectivity over the Internet
Secure remote access over the Internet
Establishing extranet and intranet connectivity with partners
Enhancing electronic commerce security
Security Associations
A security association is simply the bundle of algorithms and parameters (such as keys) that is being used to encrypt and authenticate a particular flow in one direction.
Agreement between two entities on a security policy, including:
– Encryption algorithm
– Authentication algorithm
– Shared session keys
– SA lifetime
Transport Mode
In transport mode, only the payload of the IP packet is usually encrypted and/or authenticated.
Tunnel mode
In tunnel mode, the entire IP packet is encrypted and/or authenticated.
Authentication Header (AH)
The Authentication Header provides support for data integrity and authentication of IP packets.
The data integrity feature ensures that undetected modification to a packet's content in transit is not possible.
The authentication feature enables an end system or network device to authenticate the user or application and filter traffic accordingly;
Authentication Header (AH)
it also prevents address spoofing attacks and replay attacks.
Authentication is based on the use of a message authentication code (MAC), hence the two parties must share a secret key.
AH supports MACs using HMAC-MD5-96 or HMAC-SHA-1-96.
Authentication Header
Next Header (8 bits): Identifies the type of header immediately following this header.
Payload Length (8 bits): Specifies the length of the authentication header.
Reserved (16 bits): For future use.
Security Parameters Index (32 bits): Specifies the security scheme (security association) used.
Sequence Number (32 bits): Contains a unique sequence number for each packet sent.
Authentication Data (variable): A variable-length field (must be an integral number of 32-bit words) that contains the Integrity Check Value (ICV), or MAC, for this packet.
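The AH fields above in working form, as an added example (not code from the slides or from any IPSec stack): the sender builds a transport-mode packet with an HMAC-SHA-1-96 ICV over the immutable IP fields, the AH and the payload, and the receiver verifies the ICV and enforces a sliding anti-replay window on the Sequence Number. The key, addresses, SPI and window size are constructed values; the IPv4 checksum is left at zero because it is a mutable field that the ICV excludes anyway.

```python
import hashlib
import hmac
import socket
import struct

ICV_LEN = 12                          # HMAC-SHA-1-96: 160-bit HMAC truncated to 96 bits
AH_FIXED = struct.Struct("!BBHII")    # Next Header, Payload Len, Reserved, SPI, Sequence Number
IP_HDR_LEN = 20


def ipv4_header(src: str, dst: str, total_len: int) -> bytes:
    """Minimal IPv4 header (no options) with protocol 51 = AH. Checksum left 0 for the
    demo; it is a mutable field and is excluded from the ICV anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 51, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable_fields(ip_header: bytes) -> bytes:
    """Fields routers rewrite in transit (TOS, flags/fragment offset, TTL, checksum)
    are zeroed before the ICV is computed, so both ends hash the same bytes."""
    h = bytearray(ip_header)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_fixed(next_header: int, spi: int, seq: int) -> bytes:
    """Payload Len is the AH length in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4."""
    payload_len = (AH_FIXED.size + ICV_LEN) // 4 - 2
    return AH_FIXED.pack(next_header, payload_len, 0, spi, seq)


def compute_icv(key: bytes, ip_header: bytes, fixed: bytes, payload: bytes) -> bytes:
    """ICV over the immutable IP header, the AH with its ICV field zeroed, and the payload."""
    covered = zero_mutable_fields(ip_header) + fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def protect_transport(key: bytes, src: str, dst: str, spi: int, seq: int,
                      payload: bytes, next_header: int = 6) -> bytes:
    """Transport mode: the AH is inserted between the original IP header and the payload."""
    ip_header = ipv4_header(src, dst, IP_HDR_LEN + AH_FIXED.size + ICV_LEN + len(payload))
    fixed = ah_fixed(next_header, spi, seq)
    return ip_header + fixed + compute_icv(key, ip_header, fixed, payload) + payload


class InboundSA:
    """Receiver state for one SA: key, SPI and a sliding anti-replay window."""

    def __init__(self, key: bytes, spi: int, window: int = 64):
        self.key, self.spi, self.window = key, spi, window
        self.highest = 0          # highest sequence number authenticated so far
        self.seen = set()         # authenticated sequence numbers inside the window

    def verify(self, packet: bytes) -> bool:
        ip_header, rest = packet[:IP_HDR_LEN], packet[IP_HDR_LEN:]
        fixed = rest[:AH_FIXED.size]
        _next, payload_len, _res, spi, seq = AH_FIXED.unpack(fixed)
        icv_len = (payload_len + 2) * 4 - AH_FIXED.size
        icv = rest[AH_FIXED.size:AH_FIXED.size + icv_len]
        payload = rest[AH_FIXED.size + icv_len:]
        if spi != self.spi or icv_len != ICV_LEN:
            return False
        # Replay check before the MAC: duplicates and packets older than the
        # window are dropped without spending a MAC computation on them.
        if seq == 0 or seq in self.seen or seq + self.window <= self.highest:
            return False
        if not hmac.compare_digest(icv, compute_icv(self.key, ip_header, fixed, payload)):
            return False
        # Only an authenticated packet may advance the window.
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s + self.window > self.highest}
        return True
```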
Transport & Tunnel Modes
Transport mode
Transport mode provides protection primarily for upper-layer protocol payloads, by inserting the AH after the original IP header and before the IP payload.
Typically, transport mode is used for end-to-end communication between two hosts.
Tunnel mode
Tunnel mode provides protection to the entire IP packet: after the AH or ESP fields are added to the IP packet, the entire packet plus security fields is treated as the payload of a new "outer" IP packet with a new outer IP header.
Tunnel mode is used when one or both ends of an SA are a security gateway, such as a firewall or router that implements IPSec.
AH: Transport and Tunnel Mode
(figure: original packet; transport mode; tunnel mode)
Encapsulating Security Payload (ESP)
The Encapsulating Security Payload provides confidentiality services, including confidentiality of message contents and limited traffic flow confidentiality.
As an optional feature, ESP can also provide an authentication service, with the same MACs as AH.
• supports a range of ciphers, modes, padding
– incl. DES, Triple-DES, RC5, IDEA, CAST etc.
Encapsulating Security Payload
Security Parameters Index (32 bits): Identifies a security association.
Sequence Number (32 bits): Contains a unique sequence number for each packet sent.
Payload Data (variable): This is a transport-level segment (transport mode).
Padding (0–255 bytes): Pad bytes, for various reasons.
Pad Length (8 bits): Length of the pad bytes.
Next Header (8 bits): Identifies the type of data contained in the payload data field by identifying the first header in that payload.
Authentication Data (variable): A variable-length field that contains the Integrity Check Value computed over the ESP packet minus the Authentication Data field.
Transport vs Tunnel Mode ESP
• transport mode is used to encrypt & optionally authenticate IP data
– data protected but header left in clear
– can do traffic analysis but is efficient
– good for ESP host-to-host traffic
• tunnel mode encrypts entire IP packet
– add new header for next hop
– good for VPNs, gateway-to-gateway security
ESP: Transport and Tunnel Mode
• Original
• Transport Mode – good for host-to-host traffic
• Tunnel Mode – good for VPNs, gateway-to-gateway security
Combining Security Associations
• SAs can implement either AH or ESP
• to implement both, need to combine SAs
– form a security association bundle
– may terminate at different or same endpoints
– combined by
• transport adjacency
• iterated tunneling
Combining Security Associations
• Case 1 security is provided between end systems that implement IPSec.
• Case 2 security is provided only between gateways (routers,firewalls,etc.) and no hosts implement IPSec.
• Case 3 builds on Case 2 by adding end-to-end security. The same combinations discussed for cases 1 and 2 are allowed here.
• Case 4 provides support for a remote host that uses the Internet to reach an organization’s firewall and then to gain access to some server or workstation behind the firewall
Key Management
• The key management portion of IPSec involves the determination and distribution of secret keys.
• manual key management
– sys admin manually configures every system
• automated key management
– automated system for on-demand creation of keys for SAs in large systems
• The default automated key management protocol for IPSec is referred to as ISAKMP/Oakley.
Oakley Key Determination Protocol
Oakley is a key exchange protocol based on the Diffie-Hellman algorithm but providing added security.
Features of Oakley
• It employs a mechanism known as cookies to prevent clogging attacks.
• It uses nonces to ensure against replay attacks.
• It enables the exchange of Diffie-Hellman public key values.
• It authenticates the Diffie-Hellman exchange to prevent man-in-the-middle attacks.
04/02/06 Hofstra University – Network Security Course, CSC290A
Aggressive Oakley Key Exchange
ISAKMP
• Internet Security Association and Key Management Protocol provides framework for key management
• defines procedures and packet formats to establish, negotiate, modify, & delete SAs
ISAKMP
Initiator Cookie (64 bits): Cookie of entity that initiated SA establishment, SA notification, or SA deletion.
Responder Cookie (64 bits): Cookie of responding entity; null in first message from initiator.
Next Payload (8 bits): Indicates the type of the first payload in the message;
ISAKMP
Major Version (4 bits): Indicates major version of ISAKMP in use.
Minor Version (4 bits): Indicates minor version in use.
Exchange Type (8 bits): Indicates the type of exchange
ISAKMP
Flags (8 bits): Indicates specific options set for this ISAKMP exchange. Two bits so far defined: The Encryption bit is set if all payloads following the header are encrypted using the encryption algorithm for this SA. The Commit bit is used to ensure that encrypted material is not received prior to completion of SA establishment.
Message ID (32 bits): Unique ID for this message.
Length (32 bits): Length of total message (header plus all payloads) in octets.
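The ISAKMP header fields above, packed and decoded with the sanity checks a receiver should apply before touching any payload, plus an Oakley-style anti-clogging cookie (the mechanism the Oakley slide mentions). This is an added example, not code from the slides or from any IKE implementation; the addresses, ports, secret and payload bytes are constructed, and the payload-type and exchange-type numbers are the assignments from RFC 2408.

```python
import hashlib
import os
import struct

ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")      # 28-octet fixed header
FLAG_ENCRYPTION, FLAG_COMMIT = 0x01, 0x02          # the two flag bits the slides describe
PAYLOAD_TYPES = {0: "NONE", 1: "SA", 2: "Proposal", 3: "Transform", 4: "Key Exchange",
                 5: "Identification", 6: "Certificate", 7: "Certificate Request",
                 8: "Hash", 9: "Signature", 10: "Nonce", 11: "Notification", 12: "Delete"}
EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection", 3: "Authentication Only",
                  4: "Aggressive", 5: "Informational"}


def make_cookie(local_secret: bytes, src: str, dst: str, sport: int, dport: int) -> bytes:
    """Anti-clogging cookie: a keyed hash of the peer's addresses and ports, so a
    responder can re-check it statelessly before committing memory or CPU to a peer."""
    material = f"{src}:{sport}->{dst}:{dport}".encode()
    return hashlib.sha256(local_secret + material).digest()[:8]


def build_header(init_cookie: bytes, resp_cookie: bytes, next_payload: int, exchange_type: int,
                 flags: int, message_id: int, payload: bytes) -> bytes:
    version = (1 << 4) | 0                         # major 1 in the high nibble, minor 0 in the low
    length = IS_AKMP_SIZE = ISAKMP_HEADER.size + len(payload)
    return ISAKMP_HEADER.pack(init_cookie, resp_cookie, next_payload, version,
                              exchange_type, flags, message_id, length) + payload


def parse_header(datagram: bytes, first_message: bool = False) -> dict:
    """Decode the header and apply the checks a receiver should make before
    looking at any payload."""
    if len(datagram) < ISAKMP_HEADER.size:
        raise ValueError("datagram shorter than the 28-octet ISAKMP header")
    (ic, rc, next_payload, version, exchange_type,
     flags, message_id, length) = ISAKMP_HEADER.unpack_from(datagram)
    if length != len(datagram):
        raise ValueError(f"Length field {length} does not match datagram size {len(datagram)}")
    if ic == bytes(8):
        raise ValueError("Initiator cookie must be non-zero")
    if first_message and rc != bytes(8):
        raise ValueError("Responder cookie must be null in the initiator's first message")
    if next_payload not in PAYLOAD_TYPES:
        raise ValueError(f"unknown Next Payload type {next_payload}")
    if exchange_type not in EXCHANGE_TYPES:
        raise ValueError(f"unknown Exchange Type {exchange_type}")
    return {
        "initiator_cookie": ic.hex(), "responder_cookie": rc.hex(),
        "next_payload": PAYLOAD_TYPES[next_payload],
        "major_version": version >> 4, "minor_version": version & 0x0F,
        "exchange_type": EXCHANGE_TYPES[exchange_type],
        "encrypted": bool(flags & FLAG_ENCRYPTION), "commit": bool(flags & FLAG_COMMIT),
        "message_id": message_id, "length": length, "payload": datagram[ISAKMP_HEADER.size:],
    }


def is_valid(datagram: bytes, first_message: bool = False) -> bool:
    try:
        parse_header(datagram, first_message)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Initiator's first message of an Identity Protection exchange: SA payload first,
    responder cookie still null, nothing encrypted yet (constructed values)."""
    secret = os.urandom(16)
    ic = make_cookie(secret, "192.0.2.10", "192.0.2.20", 500, 500)
    msg = build_header(ic, bytes(8), 1, 2, 0, 0, b"\x00" * 8)   # 8 placeholder payload bytes
    return parse_header(msg, first_message=True)
```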
ISAKMP Payload Types
The SA payload is used to begin the establishment of an SA.
The Proposal payload contains information used during SA negotiation.
ISAKMP Payload Types
The Transform payload defines a security transform to be used to secure the communications channel for the designated protocol.
The Key Exchange payload can be used for a variety of key exchange techniques, including Oakley, Diffie-Hellman, and the RSA-based key exchange used by PGP.
ISAKMP Payload Types
The Identification payload is used to determine the identity of communicating peers and may be used for determining authenticity of information.
The Certificate payload transfers a public-key certificate.
ISAKMP Payload Types
The Certificate Request payload is used to request the certificate of the other communicating entity.
The Hash payload contains data generated by a hash function over some part of the message and/or ISAKMP state.
ISAKMP Payload Types
The Signature payload contains data generated by a digital signature function over some part of the message and/or ISAKMP state.
The Nonce payload contains random data used to avoid the replay attack.
The Notification payload contains either error or status information.
UNIT-V
Contents
Web Security Considerations; Secure Socket Layer and Transport Layer Security; Secure Electronic Transaction; Intruders and Intrusion Detection; Password Management; Viruses and related threats; Virus countermeasures; Distributed denial of service attacks; Firewall design principles; Trusted Systems; Common Criteria for Information Technology Security Evaluation.
Web Security
The Web is now widely used by business, government and individuals, but the Internet and Web are vulnerable to a variety of threats:
integrity, confidentiality, denial of service, authentication
so added security mechanisms are needed.
What is Secure Socket Layer?
• Secure Socket Layer (SSL) is a protocol developed by Netscape for transmitting private documents via the Internet.
• The SSL security protocol provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection.
• SSL is built into all major browsers and web servers.
What is SSL? (cont'd)
• Both Netscape Navigator and Internet Explorer support SSL, and many websites use the protocol to obtain confidential user information, such as credit card numbers.
• The primary goal of SSL is to provide privacy and reliability between two communicating applications.
SSL (Secure Socket Layer)
• SSL is probably the most widely used Web security mechanism.
• It is implemented at the Transport layer, just above TCP; compare IPSec at the Network layer, and the various Application-layer mechanisms such as S/MIME and SET (covered later).
• SSL is designed to make use of TCP to provide a reliable end-to-end secure service.
Relative Location of Security Facilities in the TCP/IP Protocol Stack
SSL Architecture
The SSL protocol stack is composed of two layers.
1. The higher layer contains the SSL Handshake Protocol, the SSL Change Cipher Spec Protocol and the SSL Alert Protocol, which are used in the management of SSL exchanges, together with the application protocol being protected (e.g. HTTP).
2. The lower layer is the SSL Record Protocol, which runs over TCP and IP.
SSL Architecture
• The SSL Record Protocol provides basic security services to various higher-layer protocols.
• In particular, the Hypertext Transfer Protocol (HTTP), which provides the transfer service for Web client/server interaction, can operate on top of SSL.
SSL Architecture
SSL connection: A connection is a transport that provides a suitable type of service. Such connections are transient, peer-to-peer relationships, and every connection is associated with one session.
SSL session: An SSL session is an association between a client and a server. Sessions are created by the Handshake Protocol. Sessions define a set of cryptographic security parameters, which can be shared among multiple connections, so that the expensive negotiation of new parameters is not repeated for each connection.
SSL Record Protocol Services
• The SSL Record Protocol provides two services for SSL connections:
• Confidentiality: the Handshake Protocol defines a shared secret key that is used for symmetric encryption of SSL payloads.
• Message Integrity: the Handshake Protocol also defines a shared secret key that is used to form a message authentication code (MAC), which is similar to HMAC.
SSL Record Protocol Operation
SSL Record Format
SSL Change Cipher Spec Protocol
• The Change Cipher Spec Protocol is one of the three SSL-specific protocols that use the SSL Record Protocol, and it is the simplest: it consists of a single message, which in turn consists of a single byte with the value 1.
• Its purpose is to cause the pending state to be copied into the current state, which updates the cipher suite to be used on this connection.
SSL Alert Protocol
• The Alert Protocol is used to convey SSL-related alerts to the peer entity.
• Each message in this protocol consists of two bytes. The first takes the value warning (1) or fatal (2) to convey the severity of the message; a fatal alert causes SSL to terminate the connection immediately. The second byte contains a code that indicates the specific alert.
• Alerts that are always fatal: unexpected_message, bad_record_mac, decompression_failure, handshake_failure, illegal_parameter.
• Remaining alerts (warnings unless the sender marks them fatal): close_notify, no_certificate, bad_certificate, unsupported_certificate, certificate_revoked, certificate_expired, certificate_unknown.
SSL Handshake Protocol
• The most complex part of SSL is the Handshake Protocol.
• This protocol allows the server and client to authenticate each other and to agree on an encryption and MAC algorithm and the cryptographic keys to be used to protect data sent in an SSL record.
• The Handshake Protocol is used before any application data is transmitted.
SSL Handshake Protocol
• Type (1 byte): Indicates the type of the message (one of 10 handshake message types).
• Length (3 bytes): The length of the message in bytes.
• Content (≥ 0 bytes): The parameters associated with this message.
SSL Handshake Protocol
• The Handshake Protocol consists of a series of messages exchanged by client and server, which can be viewed in four phases:
• Phase 1. Establish Security Capabilities: this phase is used by the client to initiate a logical connection and to establish the security capabilities that will be associated with it (the client_hello and server_hello messages).
SSL Handshake Protocol
• Phase 2. Server Authentication and Key Exchange: the server begins this phase by sending its certificate if it needs to be authenticated, and ends it with the server_hello_done message.
• Phase 3. Client Authentication and Key Exchange: the client should verify that the server provided a valid certificate if required and check that the server_hello parameters are acceptable; it then sends its own key exchange message (and its certificate, if the server requested one).
SSL Handshake Protocol
• Phase 4. Finish: this phase completes the setting up of a secure connection. The client sends a change_cipher_spec message and copies the pending CipherSpec into the current CipherSpec, then sends a finished message under the new algorithms and keys; the server does the same.
TLS (Transport Layer Security)
TLS is an IETF standardization initiative whose goal is to produce an Internet standard version of SSL.
Version Number
• The TLS Record Format is the same as that of the SSL Record Format, and the fields in the header have the same meanings. The one difference is in the version values: for TLS 1.0 (RFC 2246, the version described here), the Major Version is 3 and the Minor Version is 1, whereas SSLv3 is 3.0.
Message Authentication Code
For TLS, the MAC calculation encompasses the fields indicated in the following expression:
• HMAC_hash(MAC_write_secret, seq_num || TLSCompressed.type || TLSCompressed.version || TLSCompressed.length || TLSCompressed.fragment)
Two differences from the SSLv3 calculation: TLS uses the HMAC algorithm as defined in RFC 2104 (SSLv3 uses an earlier, slightly different construction), and the TLS MAC also covers the version field. The 64-bit sequence number is maintained separately by each side and is never transmitted, so a replayed or reordered record fails the MAC check.
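The MAC expression above, worked through in Python as an added example (this is not code from the slides). The MAC is computed with the standard library's HMAC over seq_num, type, version, length and fragment, and a receiver that keeps its own sequence counter rejects both a replayed record and a tampered one. The MAC_write_secret, the content-type value 23 (application_data) and the HTTP payloads are constructed test values; in the real protocol the key comes from the handshake's key block.

```python
"""TLS record-layer MAC with the sequence number (added example, not from the slides)."""
import hmac
import struct


def tls_record_mac(mac_write_secret, seq_num, content_type, version, fragment, hash_name="sha1"):
    """HMAC_hash(MAC_write_secret, seq_num || type || version || length || fragment).

    seq_num: 64-bit per-direction counter, kept by both sides, never sent on the wire.
    version: (major, minor), e.g. (3, 1) for TLS 1.0.  length: 16-bit fragment length.
    """
    major, minor = version
    header = struct.pack("!QBBBH", seq_num, content_type, major, minor, len(fragment))
    return hmac.new(mac_write_secret, header + fragment, hash_name).digest()


class RecordReceiver:
    """Receiving side: tracks the expected sequence number and verifies each record."""

    def __init__(self, mac_write_secret, version=(3, 1)):
        self.secret = mac_write_secret
        self.version = version
        self.expected_seq = 0

    def accept(self, content_type, fragment, mac):
        expected = tls_record_mac(self.secret, self.expected_seq, content_type, self.version, fragment)
        if not hmac.compare_digest(expected, mac):
            return False          # bad_record_mac: a fatal alert in the real protocol
        self.expected_seq += 1    # only a verified record advances the counter
        return True


def demo():
    # Constructed values: a real MAC_write_secret comes from the handshake's key block.
    secret = b"\x01" * 20
    APPLICATION_DATA = 23
    version = (3, 1)
    payloads = [b"GET /account HTTP/1.0\r\n\r\n", b"POST /transfer?amount=100 HTTP/1.0\r\n\r\n"]
    # Sender side: its own counter starts at 0 for this connection.
    records = [(APPLICATION_DATA, frag, tls_record_mac(secret, seq, APPLICATION_DATA, version, frag))
               for seq, frag in enumerate(payloads)]

    rx = RecordReceiver(secret, version)
    in_order = [rx.accept(*rec) for rec in records]   # both verify
    replayed = rx.accept(*records[1])                  # same bytes again: receiver now expects seq 2

    rx2 = RecordReceiver(secret, version)
    ctype, frag, mac = records[0]
    tampered = rx2.accept(ctype, frag.replace(b"account", b"admin"), mac)  # body changed, MAC stale
    return in_order, replayed, tampered


if __name__ == "__main__":
    print(demo())
```

Because the receiver's counter only advances on a verified record, an attacker who captures a valid record cannot inject it a second time or out of order: the MAC it carries was computed for a different seq_num.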
Alert Codes
TLS supports all of the alert codes defined in SSLv3 with the exception of no_certificate. A number of additional codes are defined in TLS, including:
• protocol_version
• decryption_failed
• record_overflow
• unknown_ca
• decode_error
• export_restriction
Secure Electronic Transactions
SET is an open encryption and security specification designed to protect credit card transactions on the Internet.
Secure Electronic Transaction (SET) was a standard protocol for securing credit card transactions over insecure networks, specifically the Internet.
SET was not itself a payment system, but rather a set of security protocols and formats that enable users to employ the existing credit card payment infrastructure on an open network in a secure fashion.
Key Features of SET
Confidentiality of information: Cardholder account and payment information is secured as it travels across the network.
Integrity of data: Payment information sent from cardholders to merchants includes order information, personal data, and payment instructions. SET guarantees that these message contents are not altered in transfer. RSA digital signatures, using SHA-1 hash codes, provide message integrity.
Cardholder account authentication: SET enables merchants to verify that a cardholder is a legitimate user of a valid card account number.
SMU CSE 5349/7349
SET Transactions
1. The customer browses and decides to purchase.
2. SET sends the order and payment information.
3. The merchant forwards the payment information to the bank.
4. The bank checks with the issuer for payment authorization.
5. The issuer authorizes the payment.
6. The bank authorizes the payment.
7. The merchant completes the order.
8. The merchant captures the transaction.
9. The issuer sends the credit card bill to the customer.
Dual Signature The purpose of the SET dual signature is to link two messages that are intended for two different recipients: the order information (OI) for the merchant and the payment information (PI) for the bank.
The merchant does not need to know the customer’s credit card number, and the bank does not need to know the details of the customer’s order. However, the two items must be linked in a way that can be used to resolve disputes if necessary.
Dual Signature
The customer takes the hash (using SHA-1) of the PI and the hash of the OI, concatenates them, and hashes the result.
Finally, the customer encrypts the final hash with his or her private signature key, creating the dual signature. This can be summarized as: DS = E(PRc, [H(H(PI) || H(OI))])
The merchant receives the OI together with the PI message digest (PIMD) and verifies the signature by computing H(PIMD || H(OI)); the bank receives the PI together with the OI message digest (OIMD) and computes H(H(PI) || OIMD). Neither party sees the other’s data, yet both verify the same signature, which binds this PI to this OI.
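The dual signature construction worked end to end, as an added example that is not part of the slides: the customer produces DS = E(PRc, H(H(PI) || H(OI))), the merchant verifies it from OI and PIMD alone, the bank from PI and OIMD alone, and any change to either message breaks the link. The RSA used here is a toy textbook version with a tiny modulus and no padding, written only so the block runs offline; the OI and PI strings are constructed sample data, not real card details.

```python
"""SET dual signature on constructed order and payment data (added example)."""
import hashlib
import random


def _is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin primality test. Toy key generation only."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def rsa_keygen(bits=256, seed=None):
    """Textbook RSA key pair (no padding, tiny modulus, illustration only): (e, n), (d, n)."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so phi % e != 0 means gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)


def H(data):
    return hashlib.sha1(data).digest()      # SET used SHA-1


def sign(priv, digest):
    d, n = priv
    return pow(int.from_bytes(digest, "big"), d, n)     # E(PRc, digest)


def verify(pub, digest, sig):
    e, n = pub
    return pow(sig, e, n) == int.from_bytes(digest, "big")


def dual_signature(priv, pi, oi):
    """DS = E(PRc, H(H(PI) || H(OI))). Also returns PIMD (for the merchant) and OIMD (for the bank)."""
    pimd, oimd = H(pi), H(oi)
    return sign(priv, H(pimd + oimd)), pimd, oimd


def merchant_verify(pub, oi, pimd, ds):
    """The merchant has OI in the clear but only the digest of PI."""
    return verify(pub, H(pimd + H(oi)), ds)


def bank_verify(pub, pi, oimd, ds):
    """The bank has PI in the clear but only the digest of OI."""
    return verify(pub, H(H(pi) + oimd), ds)


def demo():
    pub, priv = rsa_keygen(seed=2024)
    # Constructed OI and PI; not real order or card data.
    oi = b"order=1234;item=book;qty=1;merchant=BookShop"
    pi = b"card=4111111111111111;exp=12/99;amount=29.95;order=1234"
    ds, pimd, oimd = dual_signature(priv, pi, oi)
    return (merchant_verify(pub, oi, pimd, ds),                                # genuine OI
            bank_verify(pub, pi, oimd, ds),                                    # genuine PI
            merchant_verify(pub, oi.replace(b"qty=1", b"qty=9"), pimd, ds),   # altered order
            bank_verify(pub, pi.replace(b"29.95", b"299.5"), oimd, ds))       # altered amount


if __name__ == "__main__":
    print(demo())
```

The last two checks are the dispute-resolution property: because the merchant and the bank each verify the same DS, a party that later presents a different OI or PI cannot produce a matching signature.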
SET Purchase Request
The SET purchase request exchange consists of four messages:
1. Initiate Request: the cardholder requests the certificates it needs
2. Initiate Response: a signed response returning the requested certificates
3. Purchase Request: carries the OI and PI, with the dual signature
4. Purchase Response: acknowledges the order
Purchase Request – Customer
Purchase Request – Merchant
1. Verifies the cardholder certificates using the CA signatures.
2. Verifies the dual signature using the customer’s public signature key, to ensure the order has not been tampered with in transit and that it was signed using the cardholder’s private signature key.
3. Processes the order and forwards the payment information to the payment gateway for authorization (described later).
4. Sends a purchase response to the cardholder.
Intruders
Also referred to as a hacker or cracker.
Three classes of intruders: Masquerader, Misfeasor, Clandestine user
Masquerader
An individual who is not authorized to use the computer and who penetrates a system’s access controls to exploit a legitimate user’s account.
The masquerader is likely to be an outsider.
Misfeasor
A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.
The misfeasor generally is an insider.
Clandestine user
An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.
The clandestine user can be either an outsider or an insider.
Intrusion The basic aim is to gain access and/or increase privileges on some system.
An intrusion is a set of actions aimed at compromising the security goals, namely the integrity, confidentiality, or availability, of a computing and networking resource.
Password Guessing
A basic technique for gaining access is to obtain a user’s password, so that the attacker can log in and use all the access rights of the account owner.
1. Try default passwords used with standard accounts that are shipped with the system. Many administrators do not bother to change these defaults.
2. Exhaustively try all short passwords.
3. Collect information about users, such as their full names, the names of their spouse and children, pictures in their office, and books in their office that are related to hobbies.
4. Try users’ phone numbers, Social Security numbers, and room numbers.
5. Try all legitimate license plate numbers for this state.
Intrusion Detection
The process of identifying and responding to intrusion activities.
Intrusion detection is based on the assumption that the behavior of an intruder differs from the typical behavior of an authorized user. However, there is an overlap in these behaviors: a loose interpretation of intruder behavior, which will catch more intruders, will also lead to a number of "false positives," or authorized users identified as intruders; a tight interpretation produces fewer false positives but misses more intruders.
Audit record
A fundamental tool for intrusion detection is the audit record.
Some record of ongoing activity by users must be maintained as input to an intrusion detection system.
Types of Audit Record
Native audit records: Virtually all mainstream operating systems include accounting software that collects information on user activity.
The advantage is that it is already there in the O/S; the disadvantage is that it may not contain the needed information, or may not contain it in a convenient form.
Detection-specific audit records: a collection facility is implemented that generates custom audit records with the desired information.
The advantage is that it can be vendor independent and portable; the disadvantage is the extra overhead of running two accounting packages on the same machine.
Approaches to intrusion detection:
Statistical anomaly detection: Involves the collection of data relating to the behavior of valid users over a period of time. Then statistical tests are applied to observed behavior to determine with a high level of confidence whether that behavior is not valid user behavior.
Threshold detection: This approach involves defining thresholds, independent of user, for the frequency of occurrence of various events.
Profile based: A profile of the activity of each user is developed and used to detect changes in the behavior of individual accounts.
Rule-based detection
Involves an attempt to define a set of rules that can be used to decide that a given behavior is that of an intruder.
Anomaly detection: Rules are developed to detect deviation from previous usage patterns.
Penetration identification: An expert system approach that searches for suspicious behavior.
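The two statistical approaches above, run over constructed audit records as an added example (not code from the slides). Threshold detection applies one user-independent limit (more than 4 failed logins within 60 seconds); profile-based detection compares each user's activity today with the mean and standard deviation of that user's own history. The audit records, the per-user history and the limits are all constructed for the example.

```python
"""Threshold and profile-based anomaly detection over constructed audit records (added example)."""
from collections import defaultdict, deque
from statistics import mean, pstdev

# Constructed audit records (time in seconds, user, event); not real logs.
AUDIT_RECORDS = [
    (0, "alice", "login_fail"), (5, "alice", "login_ok"),
    (10, "mallory", "login_fail"), (12, "mallory", "login_fail"), (15, "mallory", "login_fail"),
    (18, "mallory", "login_fail"), (21, "mallory", "login_fail"), (24, "mallory", "login_fail"),
    (300, "bob", "login_fail"), (400, "bob", "login_fail"), (500, "bob", "login_ok"),
]

# Constructed per-user history: files accessed per day over the last five days, and today's count.
HISTORY = {"alice": [10, 12, 11, 9, 10], "bob": [5, 6, 5, 5, 4]}
TODAY = {"alice": 12, "bob": 40}


def threshold_alerts(records, event="login_fail", limit=4, window=60):
    """Threshold detection: the same limit applies to every user.
    Alert when more than `limit` events of the given type occur within `window` seconds."""
    recent = defaultdict(deque)
    alerted = set()
    for t, user, ev in sorted(records):
        if ev != event:
            continue
        times = recent[user]
        times.append(t)
        while times and t - times[0] > window:   # drop events that fell out of the window
            times.popleft()
        if len(times) > limit:
            alerted.add(user)
    return alerted


def build_profiles(history):
    """Profile of each user's normal activity: (mean, population std. dev.) of the daily metric."""
    return {user: (mean(counts), pstdev(counts)) for user, counts in history.items()}


def profile_alerts(profiles, today, k=3.0, min_sigma=1.0):
    """Profile-based detection: flag a user whose count today exceeds that user's own mean
    by more than k standard deviations. sigma is floored so a flat history still tolerates noise."""
    flagged = set()
    for user, count in today.items():
        if user not in profiles:
            continue
        mu, sigma = profiles[user]
        if count > mu + k * max(sigma, min_sigma):
            flagged.add(user)
    return flagged


def demo():
    return threshold_alerts(AUDIT_RECORDS), profile_alerts(build_profiles(HISTORY), TODAY)


if __name__ == "__main__":
    print(demo())
```

Note the trade-off the slide describes: lowering `limit` or `k` catches more intruders but also turns bob's two failed logins, or alice's slightly busier day, into false positives.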
Distributed Intrusion Detection
• A distributed intrusion detection system may need to deal with different audit record formats.
• Either a centralized or decentralized architecture can be used.
Distributed Intrusion Detection – Architecture
Host agent module: an audit collection module operating as a background process on a monitored system.
LAN monitor agent module: like a host agent module, except that it analyzes LAN traffic.
Central manager module: receives reports from the LAN monitor and host agents and processes and correlates these reports to detect intrusion.
Distributed Intrusion Detection – Agent Implementation
The agent captures each native O/S audit record and applies a filter that retains only records of security interest.
These records are then reformatted into a standardized format, the host audit record (HAR). A template-driven logic module then analyzes the records for suspicious activity. When suspicious activity is detected, an alert is sent to the central manager.
The central manager includes an expert system that can draw inferences from received data.
The manager may also query individual systems for copies of HARs to correlate with those from other agents.
Honeypots Honeypots are decoy systems, designed to lure a potential attacker away from critical systems, to divert the attacker from accessing critical systems, and to collect information about the attacker’s activity.
(Figure: HoneyPot A behind a gateway; attack data from the attackers is captured. How do honeypots work? Prevent, detect, respond and monitor: the honeypot has no production role, so no legitimate connection to it should ever occur, and any connection attempt is suspect.)
Password Management
Passwords are usually stored in hashed (one-way encrypted) form rather than in the clear.
Unix systems traditionally used a multiple-iteration DES variant, combined with a 12-bit salt, as a one-way hash function (see text). The salt, stored in the clear beside the hash, prevents identical passwords from producing identical entries and forces an attacker to hash each guess separately for every account.
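Salted one-way storage together with the reactive checking strategy described below, as an added example (not code from the slides). hashlib's PBKDF2-HMAC-SHA256 stands in for the traditional DES-based crypt(3), since the point here is the per-user salt rather than the primitive; the accounts, passwords and wordlist are constructed, and the iteration count is kept deliberately low so the demonstration cracker finishes quickly.

```python
"""Salted one-way password storage and a reactive password check (added example)."""
import hashlib
import hmac
import os

ITERATIONS = 2000   # deliberately low for the demo; real systems use far more


def hash_password(password, salt=None):
    """Return (salt, hash). The salt is stored with the hash in the clear."""
    if salt is None:
        salt = os.urandom(12)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(password, salt, stored_hash):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored_hash)


def build_password_file(accounts):
    """accounts: user -> password chosen at enrolment (constructed sample data)."""
    return {user: hash_password(pw) for user, pw in accounts.items()}


def reactive_check(password_file, wordlist):
    """The system runs its own cracker against its own password file.
    Because every entry has its own salt, each guess must be hashed once per account;
    a single precomputed table of hashed guesses cannot be reused across users."""
    guessed = {}
    for user, (salt, stored) in password_file.items():
        for guess in wordlist:
            if verify_password(guess, salt, stored):
                guessed[user] = guess          # account to be cancelled / user notified
                break
    return guessed


def demo():
    # Constructed accounts and wordlist.
    pwfile = build_password_file({"alice": "letmein", "bob": "letmein", "carol": "R7%vq2Lp!zN4"})
    wordlist = ["123456", "password", "qwerty", "letmein", "welcome"]
    same_plaintext_same_hash = pwfile["alice"][1] == pwfile["bob"][1]   # False, thanks to the salt
    return reactive_check(pwfile, wordlist), same_plaintext_same_hash


if __name__ == "__main__":
    print(demo())
```

alice and bob chose the same weak password, yet their stored hashes differ, so the duplicate is not visible in the file; the reactive checker still finds both, at the cost of one hash computation per guess per account.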
Password Studies
• Purdue 1992: many short passwords
• Klein 1990: many guessable passwords
• Conclusion: users choose poor passwords too often, so some approach is needed to counter this.
Password Selection Strategies
• User education
• Computer-generated passwords
• Reactive password checking
• Proactive password checking
User education
Users can be told the importance of using hard-to-guess passwords and can be provided with guidelines for selecting strong passwords.
Computer-generated passwords
Computer-generated passwords also have problems. If the passwords are quite random in nature, users will not be able to remember them and will tend to write them down.
Reactive checking
A reactive password checking strategy is one in which the system periodically runs its own password cracker to find guessable passwords; any password that is guessed is cancelled and the user is notified.
Proactive checking
In this scheme, a user is allowed to select his or her own password. However, at the time of selection, the system checks whether the password is allowable and, if not, rejects it.
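A proactive checker built from the guessing strategies listed earlier (defaults, short passwords, dictionary words, and tokens derived from what is known about the user), as an added example that is not code from the slides. The default-password list, the dictionary, the user record and the minimum length are constructed for the example; a deployment would load the vendor's default-account passwords and a large dictionary.

```python
"""Proactive password checker (added example)."""
import re
import string

MIN_LENGTH = 8

# Constructed lists; a real deployment loads far larger ones.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "root", "guest", "123456", "letmein"}
DICTIONARY = {"sunshine", "dragon", "football", "welcome", "monkey", "princess"}

# Undo common digit/symbol substitutions so "Dr@gon" is still recognised as "dragon".
_LEET = str.maketrans("013457@$", "oieastas")


def _forms(word):
    """Variants of the candidate that a cracker would also try: lower-cased, de-leeted,
    and with leading/trailing digits and punctuation stripped."""
    low = word.lower()
    stripped = low.strip(string.digits + string.punctuation)
    return {low, low.translate(_LEET), stripped, stripped.translate(_LEET)} - {""}


def user_tokens(user_info):
    """Tokens an attacker derives from knowledge of the user (names, family, phone,
    room, license plate, ...), plus their reversals. Short fragments are ignored."""
    tokens = set()
    for value in user_info.values():
        for part in re.split(r"[\s\-/.]+", str(value).lower()):
            if len(part) >= 3:
                tokens.add(part)
                tokens.add(part[::-1])
    return tokens


def check_password(candidate, user_info, dictionary=DICTIONARY):
    """Return the list of reasons the password is not allowable; an empty list means accept."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("too short")
    forms = _forms(candidate)
    if forms & DEFAULT_PASSWORDS:
        reasons.append("default or common password")
    if forms & dictionary:
        reasons.append("dictionary word")
    tokens = user_tokens(user_info)
    if any(token in form for form in forms for token in tokens):
        reasons.append("derived from user information")
    if len(set(candidate)) < 4:
        reasons.append("too few distinct characters")
    return reasons


# Constructed user record of the kind an attacker would collect.
USER_INFO = {"name": "John Smith", "spouse": "Mary", "children": "Emma Liam",
             "phone": "555-0142", "room": "B-214", "plate": "7ABC123"}


if __name__ == "__main__":
    for pw in ("password", "Sm1th1985!", "Dr@gon99", "correct-horse-battery"):
        print(pw, check_password(pw, USER_INFO) or "OK")
```

Substring matching on short tokens such as a room number can reject an otherwise good password; that is the usual proactive-checker tension between rejecting too little and frustrating users.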
Viruses and related threats
Malicious software
Malicious software is software that is intentionally included or inserted in a system for a harmful purpose.
Trapdoor
A trapdoor (backdoor) is a secret entry point into a program that allows someone who knows of it to gain access while bypassing the usual security mechanisms.
Logic bomb
A logic bomb is a piece of code intentionally inserted into a software system that sets off a malicious function when specified conditions are met (for example a particular date, or the presence or absence of certain files).
Trojan Horses
• A Trojan horse is an apparently useful program or command procedure containing hidden code that, when invoked, performs some unwanted or harmful function that an unauthorized user could not accomplish directly.
• Commonly used to make files readable by others, to propagate a virus or worm, or simply to destroy data.
Viruses
A virus is a small piece of software that attaches itself to real programs.
Two main characteristics of viruses: it must execute itself, and it must replicate itself.
A virus is a piece of software that can "infect" other programs by modifying them; the modification includes a copy of the virus program, which can then go on to infect other programs.
A virus can do anything that other programs do. The only difference is that it attaches itself to another program and executes secretly when the host program is run.
Once a virus is executing, it can perform any function that is allowed by the privileges of the current user, such as erasing files and programs.
Virus phases
Dormant phase: the virus is idle, waiting for a trigger event. Not all viruses have this stage.
Propagation phase: the virus places a copy of itself into other programs or into certain system areas on the disk.
Triggering phase: the virus is activated by some trigger event to perform the function for which it was intended.
Execution phase: the intended function is performed; it may be harmless (such as a message on the screen) or damaging (destruction of programs and data files).
Virus Structure
Types of Viruses
Boot sector infector: infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.
File infector: infects executable files. When an infected file is executed on a system, the infection routine seeks out other files and inserts its code into them, generally at the beginning or end of the existing file.
Macro virus: a virus written in a macro language. Many applications, such as Microsoft Word and Excel, support powerful macro languages, so the virus spreads through documents rather than executables and is largely platform independent.
Encrypted virus: a virus that uses encryption to hide its body from virus scanners; a random key is stored with the virus, so only the small decryption routine stays constant between copies.
Stealth virus: a virus explicitly designed to hide itself from antivirus software, for example by masking the size of the infected file or intercepting disk reads.
Polymorphic virus: a virus that changes its signature (i.e., its binary pattern) every time it replicates and infects a new file, in order to keep from being detected by an antivirus program.
Metamorphic virus: as with a polymorphic virus, a metamorphic virus changes with every infection. The difference is that a metamorphic virus rewrites itself completely at each iteration, increasing the difficulty of detection. Metamorphic viruses may change their behavior as well as their appearance.
Worms
A worm is a program that can replicate itself and send copies from computer to computer across network connections. Upon arrival, the worm may be activated to replicate and propagate again, and usually performs some unwanted function as well.
Zombie
A zombie is a computer connected to the Internet that has been compromised by a cracker, so that it can be used to perform malicious tasks under remote direction (for example, as one source in a distributed denial-of-service attack).
Virus Countermeasures
• The best countermeasure is prevention, but in general it is not possible.
• Hence one or more of the following are needed:
– detection: determine that an infection has occurred and locate the virus
– identification: identify the specific virus that has infected a program
– removal: remove all traces of the virus and restore the system to a clean state
Anti-Virus Software
– first generation: simple scanners use a virus signature (a known bit pattern) to identify the virus
– second generation: heuristic scanners use rules to search for probable virus infection, or integrity checksums to detect modified programs
– third generation: activity traps, memory-resident programs that identify a virus by its actions rather than its structure
– fourth generation: packages that combine a variety of antivirus techniques
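First- and second-generation detection on constructed data, as an added example (not code from the slides). A signature scanner finds a known bit pattern appended by a file infector, misses the same body once an encrypted variant masks it, and an integrity check against known-good hashes catches both, which is why later generations stopped relying on signatures alone. The "executables", the marker bytes standing in for a virus body, and the signature are all constructed byte strings, not real malware.

```python
"""Signature scanning vs integrity checking on constructed data (added example)."""
import hashlib

# Constructed "executables"; nothing here is a real program or real malware.
CLEAN_FILES = {
    "ls": b"\x7fELF" + b"\x00" * 12 + b"list directory",
    "cat": b"\x7fELF" + b"\x00" * 12 + b"concatenate files",
}
# Constructed marker bytes standing in for a virus body, and the signature a first-generation
# scanner would carry for it (the constant prefix).
VIRUS_BODY = b"\xde\xad\xbe\xef\x13\x37" + b"replicate;trigger;payload"
SIGNATURES = {"Demo.A": b"\xde\xad\xbe\xef\x13\x37"}


def append_infect(program, body):
    """Model of a file infector that inserts its code at the end of the host file."""
    return program + body


def xor_mask(data, key):
    """What an encrypted variant does to its body: the bytes a scanner sees change with the key."""
    return bytes(b ^ key for b in data)


def scan_signatures(data, signatures=SIGNATURES):
    """First generation: report every known signature found in the file."""
    return sorted(name for name, sig in signatures.items() if sig in data)


def baseline(files):
    """Second generation (integrity checking): record a hash of every program while clean."""
    return {name: hashlib.sha256(content).hexdigest() for name, content in files.items()}


def integrity_check(files, known_good):
    """Report programs whose current hash differs from the recorded one."""
    return sorted(name for name, content in files.items()
                  if hashlib.sha256(content).hexdigest() != known_good.get(name))


def demo():
    known_good = baseline(CLEAN_FILES)
    infected = dict(CLEAN_FILES)
    infected["ls"] = append_infect(CLEAN_FILES["ls"], VIRUS_BODY)                 # plain copy
    infected["cat"] = append_infect(CLEAN_FILES["cat"], xor_mask(VIRUS_BODY, 0x5A))  # masked copy
    return (scan_signatures(infected["ls"]),      # ["Demo.A"]: signature present
            scan_signatures(infected["cat"]),     # []: masked body evades the scanner
            integrity_check(infected, known_good))  # ["cat", "ls"]: both hosts changed


if __name__ == "__main__":
    print(demo())
```

The integrity check detects modification without knowing the virus, but cannot identify it; that is the split between detection and identification in the countermeasures list above.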
Digital Immune System
The Digital Immune System from IBM is a comprehensive approach to virus protection, and provides a general-purpose emulation and virus-detection system.
When a new virus enters an organization, the immune system automatically captures it, analyzes it, adds detection and shielding for it, removes it, and passes information about that virus to systems running IBM AntiVirus so that it can be detected before it is allowed to run elsewhere.
1. A monitoring program on each PC uses a variety of heuristics based on system behavior, suspicious changes to programs, or family signature to infer that a virus may be present, and forwards infected programs to an administrative machine.
2. The administrative machine encrypts the sample and sends it to a central virus analysis machine.
3. This machine creates an environment in which the infected program can be safely run for analysis, to produce a prescription for identifying and removing the virus.
4. The resulting prescription is sent back to the administrative machine.
5. The administrative machine forwards the prescription to the infected client.
6. The prescription is also forwarded to other clients in the organization.
7. Subscribers around the world receive regular antivirus updates that protect them from the new virus.
Distributed denial of service attack
A distributed denial-of-service attack (DDoS attack) is an attempt to make a computer or network resource unavailable to its intended users, using many compromised hosts (zombies) as the attack source.
Distributed Denial of Service Attacks (DDoS)
SYN flood attack
1. The attacker takes control of multiple hosts over the Internet.
2. The slave hosts begin sending TCP SYN (synchronize/initialization) packets, with spoofed source IP address information, to the target.
3. For each such packet, the Web server responds with a SYN/ACK (synchronize/acknowledge) packet. The Web server maintains a data structure for each SYN request awaiting a response that never arrives, and becomes bogged down as more traffic floods in; once the table of half-open connections is full, legitimate connection requests are refused.
ICMP attack
1. The attacker takes control of multiple hosts over the Internet, instructing them to send ICMP ECHO packets with the target’s spoofed IP address as the source to a group of hosts that act as reflectors.
2. Nodes at the bounce site receive multiple spoofed requests and respond by sending echo reply packets to the target site.
3. The target’s router is flooded with packets from the bounce site, leaving no data transmission capacity for legitimate traffic.
What is a Firewall?
• A firewall acts as a security gateway between two networks, usually between a trusted and an untrusted network (such as between a corporate network and the Internet).
(Figure: the corporate network gateway, with the firewall placed between the corporate site and the Internet.)
Firewall
A firewall is inserted between the premises network and the Internet to establish a controlled link and to erect an outer security wall or perimeter, forming a single choke point where security and audit can be imposed.
Firewall (cont’d)
• Defines a single choke point that keeps unauthorized users out of the protected network, prohibits potentially vulnerable services from entering or leaving the network, and provides protection from various kinds of IP spoofing and routing attacks.
• Provides a location for monitoring security-related events.
• Is a convenient platform for several Internet functions that are not security related, such as NAT and Internet usage audits or logs.
• Can serve as the platform for IPSec to implement virtual private networks.
Firewall Limitations
1. Cannot protect against attacks that bypass the firewall, e.g. PCs with dial-out capability to an ISP.
2. Does not protect against internal threats.
3. Cannot protect against the transfer of virus-infected programs or files.
Types of firewalls
packet filters, application-level gateways, circuit-level gateways
Firewalls – Packet Filters A packet-filtering router applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet.
Filtering rules are based on information contained in a network packet, such as source and destination IP addresses, source and destination transport-level ports, the transport protocol (TCP, UDP, ICMP) and the interface on which the packet arrived.
Rules are tried in order and the first match decides. If no rule matches, a default policy applies: default = discard (what is not expressly permitted is prohibited) is the conservative choice; default = forward (what is not expressly prohibited is permitted) is more convenient but less secure.
Advantages are simplicity, transparency and speed; the main weakness is that a packet filter cannot examine upper-layer data, so application-specific attacks pass through it.
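A packet-filter rule set evaluated in the way described above, as an added example (not code from the slides): first match wins, unmatched packets fall to a default-discard policy, and the rule set combines an anti-spoofing rule, a single permitted inbound service and a rule that admits only established TCP traffic (no inbound connection requests). The address block 10.0.0.0/8, the web server 10.0.0.80, the interface names and the sample packets are all constructed for the example.

```python
"""Packet-filtering firewall rule evaluation (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str                # interface the packet arrived on: "ext" (Internet) or "int" (premises)
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn_only: bool = False    # TCP SYN without ACK, i.e. a new connection request


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    iface: str = "*"
    proto: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    new_conn: Optional[bool] = None  # True: only connection requests; False: only established traffic

    def matches(self, p):
        return ((self.iface == "*" or self.iface == p.iface)
                and (self.proto == "*" or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.new_conn is None or self.new_conn == p.syn_only))


INTERNAL = "10.0.0.0/8"   # constructed premises address block

RULES = [
    # 1. Anti-spoofing: a packet arriving from the Internet must not claim an internal source.
    Rule("deny", iface="ext", src=INTERNAL),
    # 2. The outside world may reach the public web server, TCP port 80 only.
    Rule("permit", iface="ext", proto="tcp", dst="10.0.0.80/32", dport=80),
    # 3. Inside hosts may open connections outward.
    Rule("permit", iface="int", src=INTERNAL),
    # 4. Replies to those connections may come back in; new connections from outside may not.
    Rule("permit", iface="ext", proto="tcp", dst=INTERNAL, new_conn=False),
]


def filter_packet(packet, rules=RULES, default="deny"):
    """First matching rule decides; otherwise the default policy (discard) applies."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


def demo():
    web_hit = Packet("ext", "tcp", "203.0.113.5", "10.0.0.80", 40000, 80, syn_only=True)
    ssh_hit = Packet("ext", "tcp", "203.0.113.5", "10.0.0.80", 40001, 22, syn_only=True)
    spoofed = Packet("ext", "tcp", "10.1.2.3", "10.0.0.80", 40002, 80, syn_only=True)
    outbound = Packet("int", "tcp", "10.0.0.5", "203.0.113.9", 51000, 443, syn_only=True)
    reply = Packet("ext", "tcp", "203.0.113.9", "10.0.0.5", 443, 51000)
    probe = Packet("ext", "tcp", "203.0.113.9", "10.0.0.5", 443, 51000, syn_only=True)
    ping = Packet("ext", "icmp", "203.0.113.9", "10.0.0.5")
    misordered = [RULES[1], RULES[0]] + RULES[2:]   # anti-spoofing rule no longer first
    return {
        "web_hit": filter_packet(web_hit), "ssh_hit": filter_packet(ssh_hit),
        "spoofed": filter_packet(spoofed), "outbound": filter_packet(outbound),
        "reply": filter_packet(reply), "probe": filter_packet(probe), "ping": filter_packet(ping),
        "spoofed_misordered": filter_packet(spoofed, misordered),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

The last case shows why rule order is part of the policy: moving the anti-spoofing rule below the web-server rule lets a spoofed packet aimed at port 80 through, even though no rule was changed.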
Firewalls - Application Level Gateway (or Proxy)
• An application-level gateway, also called a proxy server, acts as a relay of application-level traffic.
• A user contacts the gateway to access some service, provides details of the service, the remote host and authentication details; the gateway then contacts the application on the remote host and relays all data between the two endpoints.
• If the gateway does not implement the proxy code for a specific application, then that service is not supported and cannot be forwarded across the firewall.
• Application-level gateways tend to be more secure than packet filters, since only a few allowable applications need be scrutinized and all incoming traffic can be logged, at the cost of additional processing overhead on each connection.
Firewalls - Circuit Level Gateway
A circuit-level gateway does not permit an end-to-end TCP connection; rather, the gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host.
Once the two connections are established, the gateway typically relays TCP segments from one connection to the other without examining the contents.
The security function consists of determining which connections will be allowed.
Firewall Configurations
Single-homed bastion configuration
• In the screened host firewall, single-homed bastion configuration, the firewall consists of two systems:
• a packet-filtering router, configured so that Internet packets are allowed only to and from the bastion host
• a bastion host, which performs authentication and proxy functions
Dual-homed bastion configuration
• The screened host firewall, dual-homed bastion configuration physically separates the external and internal networks, ensuring that two systems must be compromised to breach security.
• An information server or other hosts can be allowed direct communication with the router if this is in accord with the security policy, but they are now separated from the internal network.
Screened subnet firewall configuration
• This configuration has two packet-filtering routers, one between the bastion host and the Internet and the other between the bastion host and the internal network, creating an isolated sub-network.
• The subnet may consist of simply the bastion host but may also include one or more information servers and modems for dial-in capability. Typically, both the Internet and the internal network have access to hosts on the screened subnet, but traffic across the screened subnet is blocked.
Henric Johnson
The Concept of Trusted Systems
• Trusted Systems
– Protection of data and resources on the basis of levels of security (e.g. military: unclassified, confidential, secret, top secret)
– Users can be granted clearances to access certain categories of data
04/19/06 Hofstra University – Network Security Course, CSC290A
Access Matrix
General model of access control:
• Subject: an entity capable of accessing objects (user = process = subject)
• Object: anything to which access is controlled (files, programs, memory)
• Access right: the way in which an object is accessed by a subject (read, write, execute)
The Concept of Trusted Systems
• Reference Monitor
– The controlling element in the hardware and operating system of a computer that regulates the access of subjects to objects on the basis of security parameters
– The monitor has access to a file (the security kernel database) that lists the clearance of each subject and the classification of each object
– The monitor enforces the security rules (no read up, no write down) and records important events in an audit file
• Properties of the Reference Monitor
– Complete mediation: security rules are enforced on every access, not just, for example, when a file is opened
– Isolation: the reference monitor and database are protected from unauthorized modification
– Verifiability: the reference monitor’s correctness must be provable (mathematically)
• A system that can provide such verifications (properties) is referred to as a trusted system
Trojan Horse Defense
• Secure, trusted operating systems are one way to secure against Trojan Horse attacks: a Trojan running with a user’s clearance cannot write that user’s data down into a lower-classified file that the attacker can read, because the reference monitor enforces no write down.
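The reference monitor and the Trojan horse defense described above, as an added example that is not code from the slides. Every access request passes through one `check` (complete mediation); the monitor consults a security kernel database holding clearances, classifications and the discretionary access matrix, enforces no read up and no write down on top of the matrix, and records every decision. The users, files, levels and rights are constructed for the example.

```python
"""Reference monitor with the access matrix and no-read-up / no-write-down rules (added example)."""

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


class SecurityKernelDB:
    """The monitor's database: subject clearances, object classifications and the
    discretionary access matrix of rights per (subject, object)."""

    def __init__(self, clearances, classifications, matrix):
        self.clearances = clearances
        self.classifications = classifications
        self.matrix = matrix


class ReferenceMonitor:
    def __init__(self, db):
        self.db = db
        self.audit = []   # every decision is recorded

    def check(self, subject, obj, right):
        """Complete mediation: every access request passes through here."""
        clr = LEVELS[self.db.clearances[subject]]
        cls = LEVELS[self.db.classifications[obj]]
        if right in ("read", "execute"):
            mandatory_ok = clr >= cls          # no read up
        elif right == "write":
            mandatory_ok = clr <= cls          # no write down
        else:
            mandatory_ok = False
        # The access matrix is checked as well: a subject needs the discretionary right too.
        discretionary_ok = right in self.db.matrix.get((subject, obj), set())
        granted = mandatory_ok and discretionary_ok
        self.audit.append((subject, obj, right, "granted" if granted else "denied"))
        return granted


def trojan_copy(monitor, victim, secret_file, drop_file):
    """A Trojan executing with the victim's clearance tries to read the secret file and write
    its contents to a drop file the attacker can read. Returns True only if the leak succeeds."""
    return monitor.check(victim, secret_file, "read") and monitor.check(victim, drop_file, "write")


def demo():
    db = SecurityKernelDB(
        clearances={"alice": "secret", "bob": "confidential", "mallory": "unclassified"},
        classifications={"plans": "secret", "memo": "confidential", "dropbox": "unclassified"},
        matrix={
            ("alice", "plans"): {"read", "write"},
            ("alice", "dropbox"): {"read", "write"},   # discretionary rights on the drop file
            ("bob", "plans"): {"read", "write"},       # discretionary rights alone do not let Bob read up
            ("bob", "memo"): {"read"},
            ("mallory", "dropbox"): {"read", "write"},
        })
    rm = ReferenceMonitor(db)
    return {
        "bob_reads_secret": rm.check("bob", "plans", "read"),       # read up: denied
        "bob_writes_secret": rm.check("bob", "plans", "write"),     # write up: allowed
        "alice_reads_secret": rm.check("alice", "plans", "read"),   # read at own level: allowed
        "trojan_leak": trojan_copy(rm, "alice", "plans", "dropbox"),  # write down: denied
        "audit_entries": len(rm.audit),
    }


if __name__ == "__main__":
    print(demo())
```

Alice legitimately holds write access to the drop file in the matrix, and the Trojan runs with her clearance; the leak still fails because the mandatory rule forbids writing secret data to an unclassified object. That is the property a trusted system must make verifiable.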