Data Link Security
Mahalingam Ramkumar
Mississippi State University, MS
October 31, 2013
Ramkumar Data Link Security
What is Security?
1 Ability to make confident statements regarding specific properties of specific systems
2 What gives us the ability to make such statements?
3 Extrapolating from “reasonably strong” assumptions in a logical manner.
Data Link Security
1 Ability to make confident assertions regarding the authenticity and/or integrity and/or privacy of data received over communication channels.
2 How? Cryptographic tools.
3 Assumptions: strength of various cryptographic primitives.
Cryptographic Primitives
1 Symmetric primitives: block ciphers, hash functions
2 Asymmetric primitives
3 Properties of good cryptographic primitives, and
4 How they are used to meet our goals (secure communications)
    1 Unicast communications
    2 Broadcast communications
    3 Multicast communications (not typically important for most application scenarios)
Symmetric Cryptography Overview
Alice and Bob share a key K
Alice wants to send a message P to Bob
Alice encrypts the message P using key K to get encrypted message C
Alice sends C to Bob
Only Bob (who has the key K) can decrypt the message
Bob is convinced the message is from Alice, and that it has not been modified en route.
(Not very different from a scenario where a message is mailed in a locked box)
Symmetric Cryptography Overview
$C = E_K(P)$ (Encryption algorithm)
$P = D_K(C)$ (Decryption algorithm)
No way to get P given C without knowledge of K
Security lies only in the key. Algorithms are completely open.
Against a good cipher, the only viable attack should be a brute force attack (try all possible keys)
If an algorithm uses 64 bit keys, and if we have the ability to test a million ($2^{20}$) keys per second, brute force attack will take roughly $2^{43}$ seconds (about $2^{18}$, or quarter million years)
Symmetric Cryptography
1 Data-mangling based on a key
2 Data-mangling should be reversible
3 Two basic types of reversible data-mangling: substitution and permutation
4 Old ciphers used one or the other.
5 Modern ciphers use a combination of both: substitution permutation networks
6 The trick is to use them repeatedly
Cipher Requirements
Knowledge of pairs $(P_1, C_1) \cdots (P_n, C_n)$ should not provide any information about the key K.
Knowledge of pairs $(P_1, C_1) \cdots (P_n, C_n)$ should not provide any information about $P_{n+1}$ given $C_{n+1}$
Think of the encryption / decryption mechanism as a black box
and the attacker has access to the black box (but not the key inside)
    he can find any P for a given C or C for a given P.
    but he should not be able to find the key K.
Confusion and Diffusion
$C = E_K(P)$, $P = D_K(C)$
for the same P, even changing one bit of the key will result in a very different C
for the same K, even changing one bit of P will result in a very different C
Good confusion and diffusion properties guarantee desired properties for a block cipher.
AES, DES, ...
Compression/Hash Function
h = H(M)
M is typically 512 bits
h is typically n = 160 bits
Given M, easy to calculate h.
Practically impossible to find $M' \neq M$ which satisfies $h = H(M')$.
Pre-image resistant (second pre-image resistant). Brute force complexity $2^n$
Practically impossible to find any two strings A and $B \neq A$ such that $H(A) = H(B)$
Collision resistant (stronger condition). Brute force complexity $2^{n/2}$
Hash function involves repeated use of a compression function $u_{i+1} = H(M_i, u_i)$ (512-bit $M_i$, 160-bit $u_i$ and $u_{i+1}$).
Uses of Hash Function
As a commitment.
Alice wants Bob to know right now that she knows X, but does not want to reveal X to Bob now.
Alice provides $x = H(X)$ to Bob. The next day Alice reveals X. Bob is now convinced that Alice knew X the previous day (no way Alice could have synthesized X from x).
Time stamping a document. Alice sends hash of document to a time stamping authority.
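The commitment exchange above as an added example (not part of the original slides). It assumes SHA-256 as H and adds a random nonce to X, because a bare H(X) binds Alice to X but does not hide X when X comes from a small set of possible values; the function names and sample values are constructed.

```python
import hashlib
import hmac
import secrets

def commit(secret: bytes):
    """Alice, day 1: return (x, nonce). She sends x to Bob and keeps nonce and X."""
    nonce = secrets.token_bytes(32)   # fixed length, so nonce || X parses one way only
    x = hashlib.sha256(nonce + secret).digest()
    return x, nonce

def verify_reveal(x: bytes, nonce: bytes, revealed: bytes) -> bool:
    """Bob, day 2: accept only if the revealed value reproduces yesterday's x."""
    expected = hashlib.sha256(nonce + revealed).digest()
    return hmac.compare_digest(x, expected)

def bare_commit(secret: bytes) -> bytes:
    """The slide's x = H(X) with no nonce, kept for comparison."""
    return hashlib.sha256(secret).digest()

def guess_from_candidates(x: bytes, candidates):
    """Bob hashing a short list of likely values against a commitment."""
    for c in candidates:
        if hashlib.sha256(c).digest() == x:
            return c
    return None

if __name__ == "__main__":
    x, nonce = commit(b"bid: 1200")                 # constructed sample value
    print(verify_reveal(x, nonce, b"bid: 1200"))    # Alice reveals honestly
    print(verify_reveal(x, nonce, b"bid: 1300"))    # Alice tries to change X
    print(guess_from_candidates(bare_commit(b"yes"), [b"no", b"yes"]))
    print(guess_from_candidates(x, [b"bid: 1200"]))
```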
Message Authentication Codes
Key based hash function
Sender and receiver share a secret K
Example. Message M. $HMAC_M = H(K, M)$. Sends $M, HMAC_M$.
Receiver extracts message M and verifies $HMAC_M = H(K, M)$.
Successful verification proves two things
    Message has not been modified, and
    Message was sent by the person who knows the secret K.
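The sender and receiver steps above as an added example (not from the original slides), using HMAC-SHA256 from the Python standard library as the keyed hash H(K, M). The packet layout (message followed by a 32-byte tag), the function names and the sample keys are assumptions made for the example.

```python
import hashlib
import hmac

TAG_LEN = 32  # bytes in an HMAC-SHA256 tag

def protect(key: bytes, message: bytes) -> bytes:
    """Sender: compute HMAC_M = H(K, M) and send M followed by the tag."""
    return message + hmac.new(key, message, hashlib.sha256).digest()

def accept(key: bytes, packet: bytes):
    """Receiver: return M if the tag verifies under K, otherwise None."""
    if len(packet) < TAG_LEN:
        return None                       # too short to even carry a tag
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # compare_digest runs in constant time, so the comparison itself
    # does not reveal how many leading tag bytes were correct.
    return message if hmac.compare_digest(tag, expected) else None

def demo():
    """Constructed keys and message; returns the three verification outcomes."""
    k_shared = b"constructed-shared-key-K"
    k_other = b"constructed-key-of-someone-else"
    packet = protect(k_shared, b"open valve 3")
    tampered = packet.replace(b"valve 3", b"valve 7")   # message changed, tag kept
    return (
        accept(k_shared, packet),                             # intact, right key
        accept(k_shared, tampered),                           # modified in transit
        accept(k_shared, protect(k_other, b"open valve 3")),  # sender lacks K
    )

if __name__ == "__main__":
    print(demo())
```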
Cipher Vs Hash Function
Block cipher
    Two inputs: K, P (or K and C)
    one output: $C = E(P, K)$ (or $P = D(C, K)$)
Hash Function
    Two inputs: $u_i$, M (previous hash or starting hash $u_i$ and current block M)
    one output: $u_{i+1} = H(u_i, M)$
Block cipher: characterized by block size (size of P and C) and key size
    typically 64/128 and 128
Hash function: block size and digest size: typically 512 and 160 respectively
Cipher Vs Hash Function
Both require confusion and diffusion properties
Cipher needs to be reversible; Hash function does not
More flexibility in choosing data mangling functions for hash functions (not necessarily a good thing).
Cipher restricted to combinations of substitutions and permutations
Cipher standard AES; Hash SHA-1/SHA-2; SHA-3 currently being standardized
Asymmetric Cryptography
Symmetric cryptography is useful once we have established a key.
How do we exchange keys? (the two parties may never have had the opportunity to meet before).
This is where asymmetric cryptography comes in
Alice and Bob (meeting for the first time) are communicating over a public channel
Everyone can hear the conversation between Alice and Bob
Can they conduct a private conversation?
How do they establish a secret?
Asymmetric Cryptography
Each person has two keys (a key pair): a private key, and a public key
Choose a random private key (Alice chooses $R_A$)
Compute public key from private key (Alice computes $U_A = F_G(R_A)$)
Public key is made public (Alice advertises $U_A$)
Private key is a secret (only Alice knows $R_A$)
No way to compute private key from public key.
Asymmetric Cryptography
Bits encrypted using public key can be decrypted using the private key
$C = E_{U_A}(P)$; $P = D_{R_A}(C)$;
Bits encrypted using private key can be decrypted using the public key:
$S = E_{R_A}(M)$; $M = D_{U_A}(S)$;
Encryption / Decryption & Signing / Verification
Alice’s key pair $(R_A, U_A)$
Bob wants to send P privately to Alice.
Encrypt P using Alice’s public key. $C = E_{U_A}(P)$;
Only Alice can decrypt (as only Alice has the corresponding private key) $P = D_{R_A}(C)$;
$S = E_{R_A}(M)$; $M = D_{U_A}(S)$;
Alice needs to broadcast a message M
Alice computes $S = E_{R_A}(M)$;
broadcasts S along with M
Anybody with the knowledge of Alice’s public key can verify that $M = D_{U_A}(S)$
Number Theory
What makes such constructions possible?
Clever ways of using well known math problems.
Prime numbers, difficulty of factorization, etc.
Choose two large primes p and q
compute n = pq; broadcast n;
How easy is it for someone to determine p or q given n? (just try out all primes less than $\sqrt{n}$)
p and q are private keys; n is the corresponding public key.
Simple Asymmetric Scheme
Alice chooses two large primes p, q
Alice broadcasts n = pq
Bob desires to send a secret X to Alice (X has the same number of digits as n)
Bob computes $Y = X^2 \bmod n$
From Y, only way to compute X is if we know the factors p and q of n
Only Alice can compute X.
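An added worked example of the squaring scheme above (not from the original slides), showing how knowledge of p and q lets Alice take square roots mod n. It uses constructed toy primes that are both 3 mod 4, and it makes visible a detail the slide leaves out: squaring mod pq is four-to-one, so Alice recovers four candidates and needs some redundancy in X to pick the right one. The redundancy rule used here (X = 101·m) is an assumption made for the example.

```python
# Constructed toy primes, both congruent to 3 mod 4 so a square root
# modulo each prime is a single modular exponentiation.
P, Q = 103, 107
N = P * Q                 # Alice broadcasts only N

def encode(m: int) -> int:
    """Constructed redundancy: Bob sends X = 101*m (m < 100 keeps X below N)."""
    return 101 * m

def encrypt(x: int, n: int = N) -> int:
    """Bob: Y = X^2 mod n, computed from the public modulus alone."""
    return pow(x, 2, n)

def decrypt_candidates(y: int, p: int = P, q: int = Q):
    """Alice: every square root of y mod pq, using the private factors."""
    n = p * q
    rp = pow(y, (p + 1) // 4, p)      # a root of y mod p (valid since p % 4 == 3)
    rq = pow(y, (q + 1) // 4, q)      # a root of y mod q
    # Chinese remainder coefficients: cp is 1 mod p and 0 mod q; cq the reverse.
    cp = q * pow(q, -1, p)
    cq = p * pow(p, -1, q)
    roots = {(sp * rp * cp + sq * rq * cq) % n
             for sp in (1, -1) for sq in (1, -1)}
    return sorted(roots)

def recover(y: int):
    """Alice: keep only the candidates that carry the agreed redundancy."""
    return [c // 101 for c in decrypt_candidates(y) if c % 101 == 0]

if __name__ == "__main__":
    y = encrypt(encode(42))
    print(decrypt_candidates(y))      # four roots; only one is 101*m
    print(recover(y))
```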
Remote Communications
When Alice sends n, how does Bob know it is Alice who is sending n?
Oscar can generate $p'$, $q'$ and $m = p'q'$ and claim he is Alice?
Need a way to bind n with “Alice”
Certificate Authority.
Remember $S = E_R(M)$; $M = D_U(S)$;
Let $(R, U)$ be key pair of CA
$M = \text{ALICE} \,\|\, U_A$
S is the signature in a certificate $\text{ALICE} \,\|\, U_A \,\|\, S$
Asymmetric vs Symmetric
Asymmetric cryptographic primitives are typically 3 orders of magnitude more demanding than symmetric cryptographic primitives
Working with very large numbers (typically 500-1000 digit numbers)
Used sparingly
Encryption is used only to send a symmetric secret (the secret can then be used to encrypt all subsequent packets)
Signature is computed over the hash of a message to be signed.
Message to be signed is hashed $h = H(M)$. Hash h is encrypted using private key to obtain the signature S.
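An added example (not from the original slides) that combines the certificate ALICE ‖ U_A ‖ S from the Remote Communications slide with the hash-then-sign rule above: the CA signs h = H(ALICE ‖ U_A), and a substituted key or name fails verification. The CA key is a constructed toy RSA key built from two Mersenne primes, SHA-256 stands in for H, and the signature is unpadded as in the slides, whereas deployed signature schemes add padding such as PSS.

```python
import hashlib

# Constructed CA key pair (R, U). The Mersenne primes 2^61-1 and 2^89-1 keep
# the example short; a modulus this small is for illustration only.
_P, _Q = 2**61 - 1, 2**89 - 1
CA_N = _P * _Q
CA_U = 65537                                  # CA public exponent
CA_R = pow(CA_U, -1, (_P - 1) * (_Q - 1))     # CA private exponent

def digest(name: str, public_key: int) -> int:
    """h = H(M) with M = NAME || U_A, reduced into the CA's modulus."""
    raw = name.encode()
    # Length prefix makes the NAME / key boundary unambiguous.
    m = len(raw).to_bytes(2, "big") + raw + str(public_key).encode()
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % CA_N

def issue(name: str, public_key: int):
    """CA: S = E_R(h); the certificate is (NAME, U_A, S)."""
    return (name, public_key, pow(digest(name, public_key), CA_R, CA_N))

def verify(cert) -> bool:
    """Anyone holding the CA public key: check D_U(S) == H(NAME || U_A)."""
    name, public_key, s = cert
    return pow(s, CA_U, CA_N) == digest(name, public_key)

if __name__ == "__main__":
    alice = issue("ALICE", 143)          # 143 = Alice's toy modulus n
    print(verify(alice))                 # genuine certificate
    # Oscar swaps in his own modulus m = p'q' but cannot recompute S.
    print(verify(("ALICE", 221, alice[2])))
```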
Typical Procedure for Establishing Secure Link
Initiator A and responder B
Initiator requests B’s certificate, submits its certificate to B
Initiator and responder verify each other’s certificate and thereby get to know the authentic public keys $U_A$ of A and $U_B$ of B
The steps to establish a shared key $K_{AB}$ depend on the specific asymmetric scheme used
Diffie-Hellman scheme $K_{AB} = F(U_A, B) = F(U_B, A)$
Challenge-Response Schemes
Challenge-Response Schemes
Initiator A and responder B
A picks a random number X
A encrypts X using public key of B ($C = E_{U_B}(X)$);
A challenges B (by sending X) to decrypt X
Similarly, B can challenge A.
At the end of challenge response process A and B share a secret.
Secure Links
Once a shared secret has been established at either end of any link
Any number of packets can be encrypted using the secret
Packets can be authenticated using message authentication codes
Scalability
The strategy for establishing secure links bootstrapped using asymmetric schemes is highly scalable
Any number of participants
All that a participant has to do is to generate a key pair, and get the public key signed by the CA.
One time interaction with CA
May be an overkill for small networks or networks that do not need to scale as much
Other Key Distribution Strategies
Use a key distribution center instead of a CA
Every participant shares a secret with the KDC
This secret can be used to securely send other secrets to every participant
Other secrets:
    Session secrets (online KDC)
    Give every participant $N - 1$ keys (for a network of size N)
    Send to every participant $N/2$ non secret values
    Give every participant $n \ll N$ keys.
Modular Arithmetic
Arithmetic in a finite ring or field
$Z_m = \{0, 1, \cdots, m - 1\}$
If m is prime, the ring is a field
Possible to perform additions, multiplication
Multiplicative inverses
In a field all numbers have a multiplicative inverse (except zero)
In a ring only numbers relatively prime to the modulus have a multiplicative inverse
Modular Arithmetic
Fermat’s theorem $a^{p-1} \bmod p \equiv 1$ or $a^p \bmod p \equiv a$
Euler - Phi Function $\Phi(m)$ - number of numbers below m relatively prime to m
Or the number of elements in $Z_m$ that have a multiplicative inverse.
If $m = p$, $\Phi(m) = p - 1$.
If $m = pq$, $\Phi(m) = (p - 1)(q - 1)$
Euler Fermat’s theorem: $a^{\Phi(m)+1} \bmod m \equiv a$.
Examples
$2^{29} \bmod 7 \equiv 2^{5 + 4 \times 6} \equiv 2^5 \bmod 7$
$3^{26} \bmod 15 \equiv 3^{2 + 8 \cdot 3} \equiv 3^2 \bmod 15$ as $\Phi(15) = (3 - 1)(5 - 1) = 8$
Consider $(x^y)^z \bmod m$. If $yz \equiv 1 \bmod \Phi(m)$, then $(x^y)^z \equiv x \bmod m$
What is easy, what is not
Exponentiation is easy. Evaluating $g^a \bmod m$ where g, a and m are integers of 200 digits each involves only order of $\log(m) \approx 665$ multiplications
Finding multiplicative inverse is also easy: $\log(m)$ complexity
Testing if a number m is prime is also easy (using probabilistic primality testing)
Factorizing is not easy
RSA - (Rivest - Shamir - Adleman)
Choose two large primes p and q.
$n = pq$ is the modulus ($Z_n$ is a ring - not a field)
$\Phi(n) = (p - 1)(q - 1)$.
Choose e such that $(e, \Phi(n)) = 1$.
Find d such that $de \equiv 1 \bmod \Phi(n)$. Or d is the multiplicative inverse of e mod $\Phi(n)$ (use extended Euclidean algorithm)
Destroy p, q and $\Phi(n)$.
n and e are public keys
d is the private key
Cannot determine p and q from n (factorization is hard)
Cannot determine $\Phi(n)$ without factoring n. So finding d given e (and n) is hard.
RSA - As a Cipher
Alice’s public keys are $n_a$ and $e_a$.
Bob wishes to send a message P to Alice
$C = P^{e_a} \bmod n_a$. Bob sends C to Alice
$P = C^{d_a} \equiv P^{e_a d_a} \equiv P^{k\Phi(n_a)+1} \equiv P \bmod n_a$.
$e_a d_a \equiv 1 \bmod \Phi(n_a) \rightarrow e_a d_a = 1 + k\Phi(n_a)$.
Only Alice (who has access to $d_a$) can decrypt the message
RSA - As a Signature Scheme
Alice’s public keys are $n_a$ and $e_a$.
Alice wishes to send (broadcast) a signed message P
$S = P^{d_a} \bmod n_a$. Alice broadcasts S
$P = S^{e_a} \equiv P^{e_a d_a} \equiv P^{k\Phi(n_a)+1} \equiv P \bmod n_a$.
$e_a d_a \equiv 1 \bmod \Phi(n_a) \rightarrow e_a d_a = 1 + k\Phi(n_a)$.
Any recipient (who knows Alice’s public key $e_a$) can verify that the message is from Alice.
RSA Example
$p = 11$, $q = 13$. $n = pq = 143$
$\phi(n) = (p - 1)(q - 1) = 120$.
Choose $e = 7$
$d \equiv e^{-1} \bmod 120 \equiv 103$.
$P \equiv 41 \bmod 143$.
$C \equiv 41^7 \bmod 143 \equiv 24$.
$P \equiv C^d \equiv 24^{103} \bmod 143 \equiv 41$.
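The RSA example above, carried through in code as an added example (not from the original slides). It implements the two operations the "What is easy" slide calls cheap, square-and-multiply exponentiation with a multiplication counter and the extended Euclidean inverse, and uses them for key generation, the cipher and the signature with the slide's numbers. Function names are constructed, and the scheme is the unpadded textbook form shown in the slides.

```python
def modexp(base, exp, mod):
    """Square-and-multiply. Returns (base^exp mod mod, multiplications used)."""
    result, mults = 1, 0
    base %= mod
    while exp:
        if exp & 1:                       # current exponent bit is 1: multiply
            result = result * base % mod
            mults += 1
        base = base * base % mod          # square once per exponent bit
        mults += 1
        exp >>= 1
    return result, mults

def inverse(a, m):
    """Multiplicative inverse of a mod m via the extended Euclidean algorithm."""
    old_r, r, old_s, s = a, m, 1, 0
    while r:
        k = old_r // r
        old_r, r = r, old_r - k * r
        old_s, s = s, old_s - k * s
    if old_r != 1:
        raise ValueError("a is not relatively prime to m, so it has no inverse")
    return old_s % m

def keygen(p, q, e):
    """Return ((n, e), d). p, q and Phi(n) exist only inside this call."""
    return (p * q, e), inverse(e, (p - 1) * (q - 1))

def encrypt(P, pub):                      # C = P^e mod n
    return modexp(P, pub[1], pub[0])[0]

def decrypt(C, d, pub):                   # P = C^d mod n
    return modexp(C, d, pub[0])[0]

def sign(P, d, pub):                      # S = P^d mod n
    return modexp(P, d, pub[0])[0]

def verify(P, S, pub):                    # accept if S^e mod n == P
    return modexp(S, pub[1], pub[0])[0] == P

if __name__ == "__main__":
    pub, d = keygen(11, 13, 7)
    C = encrypt(41, pub)
    print(pub, d, C, decrypt(C, d, pub))
    print(verify(41, sign(41, d, pub), pub))
    # A 200-digit exponent needs at most two multiplications per exponent bit.
    print(modexp(2, 10**200 - 1, 10**200 + 1)[1])
```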
Public Key Infrastructure
X.509 Authentication service
Basic function - authentication of public keys
Public key certificates issued by CAs
Permits different public key algorithms
Revocation of certificates
Employs a network of CAs.