Cristina Nita-Rotaru Lecture 1/ WS Milano Summer 2011 1
Wireless Network Security
LECTURE 1: Introduction. Wireless communication. Security and privacy goals. Brief overview of security mechanisms.
-
ACKNOWLEDGEMENTS
Slides used in these lectures are based on:
Lecture slides I used at Purdue (555, 590T, 590W), www.cerias.purdue.edu/homes/crisn
Slides provided with the book "Security and Cooperation in Wireless Networks", J-P. Hubaux and Levente Buttyan, 2008, http://secowinet.epfl.ch/index.php?page=slideshow.html
Research presentations from collaborations with former students and colleagues
PhD theses of Jing Dong and Reza Curtmola
NIST SP documents
Wikipedia
-
Topics
Monday: Wireless communication characteristics; Wireless networks and applications; Security goals and adversarial models
Tuesday: Attacks on protocols; Cellular networks; WiMAX networks
Wednesday: 802.11 networks; Data link security; Secure routing in ad hoc networks
Thursday: Sensor networks; Bluetooth
Friday: RFID; VANETs
-
Readings
Security and Cooperation in Wireless Networks, L. Buttyan, J-P. Hubaux
Slides
Research papers
NIST SP documents
-
Today
Wireless communication
Wireless architectures
Introduction to crypto and attacks
-
Security Services (or Goals)
1) Confidentiality: information is available for reading only to authorized parties.
Example: Alice sends a message to Bob; only Alice and Bob can understand the content of the message.
2) Authentication:
Data source authentication: the data is coming from an authorized party. Example: Alice receives a message from Bob. This service ensures that the message is from Bob and not from Carl.
Entity authentication: the entity is who it says it is. Example: When Alice tries to obtain access to her bank account, an authentication operation is performed to ensure that it is really Alice who is asking for the information.
-
Security Services (2)
3) Integrity: detect if data was modified on the way from the source to the destination.
Example: Alice sends an email to Bob. Carl intercepts the message and modifies it. Data integrity allows Bob to detect that the message was modified on the way from Alice to him.
4) Non-repudiation: neither the sender nor the receiver of a message is able to deny the transmission.
Example: Alice sends Bob a signed contract. The non-repudiation service ensures that Alice cannot claim that the signature was produced by somebody else.
-
Security Services (3)
5) Access control: only authorized parties can use specific resources.
Example: Alice wants to print a document; she must be authorized both to get that document and to use the printer.
6) Availability: resources are available to authorized parties.
Example: A web site might become unavailable if the server crashes or is bombarded with requests.
-
Privacy
1) Anonymity: hiding who performed a given action (k-anonymity)
2) Untraceability: making it difficult for an adversary to identify that a given set of actions were performed by the same subject
3) Unlinkability: hiding information about the relationships between any items
4) Unobservability: hiding the items themselves
5) Pseudonymity: making use of a pseudonym instead of the real identity
-
Security and Wireless Communication
The usual goals: authentication, confidentiality, integrity, access control, non-repudiation, denial of service
Additionally: privacy is a big concern, particularly location privacy
Is wireless communication more vulnerable?
-
Wireless Specific
Physical security: an issue for small devices; protocols have to consider insider attacks (assume the device is controlled by the adversary)
Eavesdropping: easier than on wired links
Resource constraints: the medium is shared, and some devices have limited power and computation resources; solutions must not have significant overhead
Privacy: many devices equipped with location services, location privacy a bigger concern
Denial of service: jamming is an issue for some type of wireless communication
-
Wireless communication characteristics
-
Wireless Communication
THERE IS NO LINK: communication is carried by electromagnetic waves
c = λ · f
c (speed of light) = 3×10^8 m/s, f is the frequency, λ is the wavelength
-
Wave Propagation
Reflection: wave gets reflected when it hits an object very large compared with the wavelength
Diffraction: wave bends at the edges and propagates in different directions when it hits an impenetrable object
Scattering: wave scatters when it travels through a medium containing objects smaller than the wavelength (e.g. trees)
-
Characteristics
Interaction with the environment: path loss, interference, blockage
Transmission constraints: constrain the ability to transmit information at different data rates
Noise: Quality of communication is affected by noise
Error rate: Higher than in wired communication
-
Wave Components
Direct path component:
Path loss: attenuation of an electromagnetic wave in transit from a transmitter to a receiver
Fading: time variation of the received signal power caused by changes in the transmission medium or path
Doppler shift: the apparent change in frequency and wavelength of a wave that is perceived by an observer moving relative to the source of the waves
Multi-path components: result from reflection, refraction and scattering; the wave arrives at the receiver shifted in amplitude, phase and frequency
-
Path Loss
Power of transmission reduces with: terrain contours; different environments (urban or rural, vegetation and foliage); propagation medium (dry or moist air); distance between the transmitter and the receiver; height and location of the antennas
Wavelength/frequency: long wavelength (low frequency), less loss; short wavelength (high frequency), more loss
Different models exist to estimate path loss
-
Fading
Fast fading: rapid fluctuations in amplitude and phase, due to multi-path propagation resulting in interference of multiple copies of the same transmitted signal arriving at the receiver
Slow fading: the fading may last for multiple seconds or minutes, due to absorption of the transmission by objects, for example in buildings
-
Interference
Adjacent channel interference: interference caused by extraneous power from a signal in an adjacent channel
Co-channel interference: due to weather conditions, wireless communications systems (radio, TV, etc.) in different locations that share common channels can experience co-channel interference
-
Thermal Noise
Noise generated by the thermal agitation of the charge carriers (the electrons) inside an electrical conductor in equilibrium, which happens regardless of any applied voltage
Causes errors in reception (digital) or degradation of quality (analog)
Effectively limits transmission range: once the transmitted signal strength falls below the noise floor, the receiver cannot recover the signal
-
Noise Limits Transmitting Distance
[Figure: transmitted signal + noise = received signal. Short range transmission (low path loss): high Signal to Noise Ratio (SNR). Long range transmission (high path loss): low SNR.]
-
Transmission Rate Constraints
Nyquist's theorem: specifies the maximum data rate possible on a (noiseless) channel
C = 2 · B · log2(L) (bits/sec)
B = bandwidth of the channel, C = maximum channel capacity, L = number of discrete signal levels (voltages)
-
Transmission Rate Constraints
Shannon's theorem: specifies the maximum data rate possible on a noisy channel
C = B · log2(1 + S/N) (bits/sec)
B = bandwidth of the channel, C = maximum channel capacity, S = signal power, N = noise power, SNR = 10 · log10(S/N) (dB)
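Added example (not from the lecture slides): the wavelength relation c = λ·f and the two capacity bounds as Python functions, including the dB conversion from the slide and Shannon's formula solved for the SNR a target rate needs; the 3 kHz channel and the 30 dB SNR used below are constructed inputs.

```python
import math

C_LIGHT = 3.0e8  # speed of light in m/s, the value used in the lecture


def wavelength_m(freq_hz: float) -> float:
    """Wavelength from c = lambda * f."""
    return C_LIGHT / freq_hz


def nyquist_capacity_bps(bandwidth_hz: float, levels: int) -> float:
    """Nyquist limit C = 2 * B * log2(L) for a noiseless channel with L signal levels."""
    if levels < 2:
        raise ValueError("need at least two signal levels")
    return 2.0 * bandwidth_hz * math.log2(levels)


def snr_db_to_linear(snr_db: float) -> float:
    """Invert SNR = 10 * log10(S/N) to recover the power ratio S/N."""
    return 10.0 ** (snr_db / 10.0)


def shannon_capacity_bps(bandwidth_hz: float, snr_db: float) -> float:
    """Shannon limit C = B * log2(1 + S/N) for a noisy channel; SNR given in dB."""
    return bandwidth_hz * math.log2(1.0 + snr_db_to_linear(snr_db))


def required_snr_db(bandwidth_hz: float, target_bps: float) -> float:
    """Shannon's formula solved for S/N: the smallest SNR (dB) at which target_bps is still achievable."""
    ratio = 2.0 ** (target_bps / bandwidth_hz) - 1.0
    return 10.0 * math.log10(ratio)


def achievable_rate_bps(bandwidth_hz: float, levels: int, snr_db: float) -> float:
    """Both limits apply at once: the usable rate is bounded by the smaller of the two."""
    return min(nyquist_capacity_bps(bandwidth_hz, levels),
               shannon_capacity_bps(bandwidth_hz, snr_db))


def capacity_profile(bandwidth_hz: float, snr_db_values) -> list:
    """Capacity as the SNR drops, e.g. as a receiver moves away and path loss grows."""
    return [(snr, round(shannon_capacity_bps(bandwidth_hz, snr))) for snr in snr_db_values]


if __name__ == "__main__":
    print(f"2.4 GHz -> {wavelength_m(2.4e9):.3f} m, 915 MHz -> {wavelength_m(915e6):.3f} m")
    b = 3000.0  # Hz, constructed example channel
    print("Nyquist, 2 levels:", nyquist_capacity_bps(b, 2))
    print("Shannon, 30 dB SNR:", round(shannon_capacity_bps(b, 30)))
    for snr, cap in capacity_profile(b, [30, 20, 10, 0]):
        print(f"SNR {snr:>3} dB -> {cap} bit/s")
```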
-
Multiple Access Techniques
Transmission medium is broadcast
If everybody sends at once, the communication is not meaningful (garbage)
Multiple access techniques: methods that determine how the medium is accessed so that the channel is shared between multiple participants
Goals: maximize message throughput, minimize mean waiting time
-
Multiple Access Methods
Three domains in which users can be separated: frequency, time, and space
Frequency division multiple access (FDMA)
Time division multiple access (TDMA)
Code division multiple access (CDMA)
Space division multiple access (SDMA)
-
FDMA
Users are separated in the frequency domain
Each station has its own frequency band, separated by guard bands to eliminate inter-channel interference
Receivers tune to the right frequency
Number of frequencies is limited
Best suited for analog links
Main drawback is under-utilization of the frequency spectrum
-
TDMA
Users transmit data on the same frequency, but at different times (separated in time)
Relies on time synchronization
Users can be given different amounts of bandwidth
Users can use idle times to determine the best base station
Synchronization overhead
Problems with multipath interference on wireless links
-
CDMA
Users separated both by time and frequency
Send at a different frequency in each time slot (frequency hopping)
Convert a single bit to a code (direct sequence); the receiver can decipher the bit by the inverse process
Difficult to spy on
No need for all stations to synchronize
All cells can use all frequencies
Increased complexity
-
Spread Spectrum
Enables a signal to be transmitted across a frequency band, much wider than the minimum bandwidth required by the information signal
Transmitter spreads the energy across a number of frequencies
Benefits: privacy, decreased narrowband interference, increased signal capacity
In North America the FCC waveband is divided into 75 hopping channels; transmission power is limited to 1 watt on each channel
-
Frequency Hopping Spread Spectrum (FHSS)
Transmitter hops between available frequencies according to a predefined algorithm, which can be either random or preplanned
Transmitter operates in synchronization with the receiver
Large number of frequencies used
Results in a system that is quite resistant to jamming
-
FHSS: Details
Signal hops from frequency to frequency at fixed intervals
Transmitter operates in one channel at a time
Bits are transmitted using some encoding scheme
At each successive interval, a new carrier frequency is selected
Receiver, hopping between frequencies in synchronization with the transmitter, picks up the message
-
FHSS Example
-
Direct Sequence Spread Spectrum (DSSS)
Each bit in original signal is represented by multiple bits in the transmitted signal
Data is chopped in small pieces and spread across the frequency domain
Performance of DSSS is usually better and more reliable
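Added example, not code from the lecture: a small direct-sequence model in Python that spreads bits into chips with the 11-chip Barker code (the chipping sequence of 802.11 DSSS, an assumption not stated on the slide), despreads them by correlation, and shows why a constant narrowband interferer and a receiver without the right code both fail to recover the data.

```python
# 11-chip Barker sequence (assumed here; it is the chipping code of 802.11 DSSS), in +1/-1 form
BARKER_11 = [1, -1, 1, 1, -1, 1, 1, 1, -1, -1, -1]


def spread(bits, code=BARKER_11):
    """Each data bit becomes len(code) chips: bit 1 -> +code, bit 0 -> -code."""
    chips = []
    for bit in bits:
        if bit not in (0, 1):
            raise ValueError("bits must be 0 or 1")
        sign = 1 if bit == 1 else -1
        chips.extend(sign * c for c in code)
    return chips


def despread(chips, code=BARKER_11):
    """Correlate each block of chips with the code; the sign of the sum gives the bit."""
    n = len(code)
    if len(chips) % n:
        raise ValueError("chip stream is not a whole number of symbols")
    bits = []
    for i in range(0, len(chips), n):
        corr = sum(chip * c for chip, c in zip(chips[i:i + n], code))
        bits.append(1 if corr > 0 else 0)
    return bits


def add_narrowband_interference(chips, amplitude):
    """Model a narrowband interferer as a constant offset added to every chip (constructed channel)."""
    return [chip + amplitude for chip in chips]


def correlation_margin(code):
    """Matched-code gain len(code) versus |sum(code)|, the share an interferer leaks into the correlator."""
    return len(code), abs(sum(code))


if __name__ == "__main__":
    data = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed payload
    jammed = add_narrowband_interference(spread(data), 5)
    print("intended receiver :", despread(jammed))
    print("wrong code        :", despread(jammed, BARKER_11[::-1]))
    print("gain vs leakage   :", correlation_margin(BARKER_11))
```

An interferer five times the chip amplitude still leaves the matched correlator with a margin of 11 against a leakage of 1, while a receiver using the wrong code reads the same chips as all ones.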
-
DSSS Example
-
DSSS vs FHSS
FHSS transmits data, using smaller blocks of data, that are spread out over many switching channels.
If two WLANs exist in the same area and one of them uses FHSS, the FHSS network will take precedence over the DSSS-based network, which will only be able to transport data correctly when the FHSS nodes are idle.
-
Space Division Multiple Access
Several users use the same frequency & time slot (in TDMA)
Each user is separated by the smart antenna by using its unique spatial location
Different areas can be served using the same frequency
Increased co-channel interference from adjacent co-channel cells
Users are separated in space domain
-
OSI/ISO Model
-
Summary: Wireless Characteristics
Higher error rate: higher signaling overhead
Constrained information transmission: distance vs data rates
Shared channel: coordination
Open environment: eavesdropping
Limited coverage: cooperation
-
Wireless Networks: Architectures and Applications
-
Spectrum Allocation
Name         900 MHz             2.4 GHz              5 GHz
Range        902 - 928 MHz       2.4 - 2.4835 GHz     5.15 - 5.35 GHz
Bandwidth    26 MHz              83.5 MHz             200 MHz
Wavelength   0.33 m / 13.1 in    0.125 m / 4.9 in     0.06 m / 2.4 in
Licensed: frequencies auctioned to the highest bidder
Unlicensed: frequencies not allocated at all, for example ISM (industrial, scientific and medical)
Public bands
-
Spectrum Regulators
Federal Communications Commission (FCC): regulates interstate and international communications by radio, television, wire, satellite and cable in the US; established by the Communications Act of 1934 and operates as an independent U.S. government agency overseen by Congress.
Europe: on a country basis
Romania: National Regulatory Authority for Communications and Information Technology
Italia: Ministro delle comunicazioni and Autorità per le garanzie nelle comunicazioni
-
IEEE Standards
[Figure: IEEE wireless standards plotted by range (WPAN, WLAN, WMAN, WRAN) against data rate in Mbps (0.01 to 1000): ZigBee 802.15.4 / 15.4c, 802.15.3 / 802.15.3c, Bluetooth 802.15.1, WiFi 802.11, WiMax IEEE 802.16, IEEE 802.20, IEEE 802.22] [Heile06]
Slide by Omid Fatemieh (from Spring 2010 cs463 at UIUC)
-
Wireless Networks
Cellular networks
WMAN: WiMAX
MANETs
WMNs
Sensor networks
WPAN: Bluetooth
RFID
VANETs
-
Cellular Networks
Architecture: wireless phones communicate with an infrastructure consisting of base stations; uses licensed spectrum; communication between base stations is wired; frequency is reused by dividing the area covered by a cellular network into cells; wide coverage; large number of users
Applications: voice, text, data, video, internet, payment
-
Wireless Local Area Networks (WLANs)
Provide increased bandwidth (up to 11 Mb/s for 802.11b and up to 54 Mb/s for 802.11g)
Use unlicensed spectrum to provide access to a local network
Infrastructure mode: a fixed access point connected to the wired infrastructure, with mobile stations communicating wirelessly with the access point
Ad hoc mode: mobile stations communicate with each other wirelessly
-
Mobile Ad Hoc Networks (MANETs)
Architecture: mobile nodes communicate with each other via multi-hop; requires cooperation; the network is self-configuring
Characteristics: easy to deploy, do not require fixed infrastructure; network topology may change rapidly and unpredictably
-
Wireless Mesh Networks (WMNs)
Architecture: a set of fixed wireless routers that form a wireless backbone and a set of wireless clients. A WMN can be integrated with other types of networks such as wired (Internet), cellular or sensor networks via a gateway
Applications: community and neighborhood networking, broadband home networking, enterprise networking, health and medical systems, surveillance systems
-
WiMAX Networks
Architecture: long range system; licensed (2.3 GHz, 2.5 GHz and 3.5 GHz) or unlicensed spectrum; uses a QoS mechanism based on connections between the base station and the user device
Applications: mobile broadband connectivity across cities and countries through a variety of devices; wireless alternative to cable and DSL for "last mile" broadband access
-
Sensor Networks
Architecture: low cost small devices, able to sense the environment (temperature, light, humidity) and report sensed data using wireless communication
A large number of sensors (static or mobile), distributed in an ad hoc manner over an area
Nodes cooperate: they communicate via multi-hop wireless communication, and some nodes aggregate data
Unlicensed spectrum
Applications: battlefield surveillance, medical monitoring, biological detection, habitat monitoring, home security, disaster recovery
-
SCADA
(Supervisory Control and Data Acquisition, a type of Industrial Control System)
Architecture: Human-Machine Interface (HMI); Remote Terminal Units (RTUs), many of which are wireless today; Programmable Logic Controllers (PLCs); devices hardened with respect to environmental and physical threats
Applications: industrial control systems, i.e. computer systems that monitor and control industrial, infrastructure, or facility-based processes
-
Wireless Personal Area Networks: Bluetooth
Architecture: connect and exchange information over short communication ranges of 1, 10 and 100 meters; uses unlicensed spectrum
Applications: PDAs, mobile phones, laptops, PCs, printers, digital cameras and video game consoles; cell phone and a hands-free headset or car kit; PC input and output devices (mouse, keyboard and printer); test equipment, GPS receivers and medical equipment; remote controls where infrared was traditionally used
-
Vehicular Networks (VANETs)
Architecture: cars have onboard equipment equipped with GPS, integrated with the safety belts, steering to prevent skidding, and warning alerts; can communicate with the roadside infrastructure
Applications: congestion detection, collision alert, toll collection, deceleration warning, road hazard warning, electronic payments, monitoring traffic, sending updates, and switching traffic signals
-
VANETs Status
US: spectrum allocated by the FCC in 1999; existing standard: radio standard for Dedicated Short-Range Communications (DSRC), based on an extension of 802.11, 802.11p
US Department of Transportation initiative VII (Vehicle Infrastructure Integration): will work toward deployment of advanced vehicle-vehicle and vehicle-infrastructure communications that could keep vehicles from leaving the road and enhance their safe movement through intersections.
Europe: in August 2008 the European Telecommunications Standards Institute (ETSI) allocated 30 MHz of spectrum in the 5.9 GHz band
-
Radio-Frequency Identification (RFID)
Architecture: wireless communication between a reader and an electronic tag attached to an object; RFID tag: microchip + RF antenna, can be active or passive, stores a few hundred bits
Applications: identification and tracking, electronic tickets for public transport systems, access control to buildings, automated toll-payment transponders, anti-theft systems for cars, passports
-
Next Generation of Air Traffic Control
[Figure: data links in next-generation air traffic control: IP VPN, UAT/1090 Squitter, GPS, UAT, HF/Satcom]
-
Global Positioning System (GPS)
Architecture: 24 satellites that orbit the Earth in very precise orbits twice a day and emit signals
Applications: position and coordinates; travel progress reports; accurate time measurement
-
Galileo
Global navigation satellite system currently being built by the European Union.
Should become operational in 2013-2014.
-
Wireless Networks: Summary so Far
Wireless communication is omnipresent today, operating in licensed and unlicensed spectrum
Architectures: centralized; peer to peer
Communication: one-hop; multi-hop
Devices: different computational power and physical accessibility
Mobility: fixed nodes; mobile nodes
-
Security Goals, Attacks, Adversarial Models
-
Information Security
Security attacks: Any action that compromises the security of information.
Security mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack.
Security service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.
-
Security Attacks
Passive: the attacker does not modify the data, only monitors the communication. It threatens confidentiality. Example: listen to the communication between Alice and Bob, and if it is encrypted, try to decrypt it.
Active: the attacker is actively involved in deleting, adding or modifying data. It threatens all security services.
Example: Alice sends Bob the message "meet me today at 5"; Carl intercepts the message, modifies it to "meet me tomorrow at 5", and then sends it to Bob.
-
Security Attacks: Examples
Interruption
Interception
-
Security Attacks: Examples
Modification
Fabrication (injection)
-
Security Mechanisms
Cryptography: protect data by performing operations on the data (for example, encrypting it).
Software: access limitations in a database; in an operating system, protecting each user from other users; in networking, firewalls.
Hardware: use smartcards and trusted computing for authentication.
Policies: define who has access to what resources.
Physical security: control who has physical access to the devices storing data.
-
What is Cryptography About?
Constructing and analyzing protocols which enable parties to achieve security objectives, overcoming the influence of adversaries.
Note: a protocol (or a scheme) is a suite of algorithms that tell each party what to do
Attack model: assumptions about the resources and actions available to the adversary
How to devise and analyze protocols: understand the threats posed by the adversaries and the security objectives (goals); think as an adversary
-
Actually
Cryptography: the study of mathematical techniques related to aspects of providing information security services (construct).
Cryptanalysis: the study of mathematical techniques for attempting to defeat information security services (break).
Cryptology: the study of cryptography and cryptanalysis (both).
-
Basic Terminology in Cryptography
cryptography, cryptanalysis, cryptology, plaintexts, ciphertexts, keys, encryption, decryption
-
Secret-key vs. Public-key Cryptography
Secret-key cryptography (a.k.a. symmetric cryptography): encryption and decryption use the same key; the key must be kept secret; key distribution is very difficult
Public-key cryptography (a.k.a. asymmetric cryptography): the encryption key is different from the decryption key; the decryption key cannot be derived from the encryption key; higher cost than symmetric cryptography
-
How Do You Know a Cipher is Secure?
Show that under the considered attack model, security goals are NOT achieved (break it)
Show that under the considered attack model, security goals ARE achieved (evaluate/prove)
-
Breaking Ciphers
There are different methods of breaking a cipher, depending on: the type of information available to the attacker; the interaction with the cipher machine; the computational power available to the attacker
-
Breaking Ciphers
Ciphertext-only attack: the cryptanalyst knows only the ciphertext. Sometimes the language of the plaintext and the cipher are also known.
The goal is to find the plaintext and the key.
NOTE: any encryption scheme vulnerable to this type of attack is considered to be completely insecure.
-
Breaking Ciphers (2)
Known-plaintext attack: the cryptanalyst knows one or several pairs of ciphertext and the corresponding plaintext.
The goal is to find the key used to encrypt these messages, or a way to decrypt any new messages that use that key.
-
Breaking Ciphers (3)
Chosen-plaintext attack: the cryptanalyst can choose a number of messages and obtain the ciphertexts for them.
The goal is to deduce the key used in the other encrypted messages, or to decrypt any new messages using that key.
It can be adaptive: the choice of plaintext depends on the ciphertext received from previous requests.
-
Breaking Ciphers (4)
Chosen-ciphertext attack: similar to the chosen-plaintext attack, but the cryptanalyst can choose a number of ciphertexts and obtain the plaintexts.
It can also be adaptive: the choice of ciphertext may depend on the plaintext received from previous requests.
-
Models for Evaluating Security
Unconditional security: the adversary has unlimited computational resources. Analysis is made using probability theory. Perfect secrecy: observation of the ciphertext provides no information to an adversary.
Complexity-theoretic security: the adversary is assumed to have polynomial computational power. The analysis uses complexity theory; polynomial-time attacks, although feasible in theory, can be computationally infeasible in practice.
-
Models for Evaluating Security (2)
Provable security: the proof of security relies on the difficulty of solving a well-known and supposedly difficult problem (example: computation of discrete logarithms).
Computational security (practical security): measures the amount of computational effort required to defeat a system. Sometimes related to the hard problems, but no proof of equivalence is known.
Ad hoc security (heuristic security): a variety of convincing arguments that every successful attack requires more resources than the ones available to an attacker. Unforeseen attacks remain a threat.
-
One-Time Pad
Key is chosen randomly
Plaintext X = (x_1, x_2, ..., x_n), Key K = (k_1, k_2, ..., k_n), Ciphertext Y = (y_1, y_2, ..., y_n)
e_K(X) = (x_1 + k_1, x_2 + k_2, ..., x_n + k_n) mod m
d_K(Y) = (y_1 - k_1, y_2 - k_2, ..., y_n - k_n) mod m
-
Shannon (Information-Theoretic) Security
Basic idea: the ciphertext should provide no information about the plaintext
Such a scheme has perfect secrecy
The one-time pad has perfect secrecy if: the key is at least as long as the message; the key is random; the key is used only once
Result due to Shannon, 1949. C. E. Shannon, "Communication Theory of Secrecy Systems", Bell System Technical Journal, vol. 28-4, pp. 656-715, 1949.
-
Summary so Far
Cryptographic protocols are an important tool in ensuring security
Security goals: confidentiality, integrity, authentication
There are very few protocols for which we can prove security
OTP has perfect secrecy under some conditions
Ciphers that are vulnerable to ciphertext-only attacks are completely insecure
-
Stream Ciphers and Block Ciphers
-
Stream Ciphers
OTP is not practical for most applications: the key needs to be random, used only once and as long as the message
OTP: the key is a random bit string of length n
Stream ciphers, idea: replace random by pseudo-random
Use a Pseudo Random Number Generator PRNG: {0,1}^s → {0,1}^n
Expand a short (e.g., 128-bit) random seed into a long (e.g., 10^6-bit) string that looks random
The secret key is the seed: E_seed[M] = M ⊕ PRNG(seed)
-
Properties of Stream Ciphers
Do not have perfect secrecy; security depends on the PRNG
PRNG must be unpredictable: given a consecutive sequence of output bits (but not the seed), the next bit must be hard to predict
Typical stream ciphers are very fast
Used in many places, often incorrectly: SSL (RC4), DVD (LFSR), WEP (RC4), etc.
-
Fundamental Weaknesses of Stream Ciphers
If the same keystream is ever used twice, then the cipher is easy to break
Highly malleable: easy to change the ciphertext so that the plaintext changes predictably, e.g., flip bits
These weaknesses exist even if the PRNG is strong
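Added example, not from the lecture: the one-time pad over an alphabet of m = 26 letters as written on the OTP slide, and a byte-oriented stream cipher whose keystream is a SHA-256 counter construction standing in for the PRNG (an assumption, not a real stream cipher), used to show both weaknesses above: reusing a keystream cancels it out to p1 ⊕ p2, and a ciphertext bit-flip lands predictably in the plaintext, reproducing the "meet me today at 5" modification from the Security Attacks slide.

```python
import hashlib
import secrets

ALPHABET_SIZE = 26  # the modulus m of the slides, here the Latin alphabet A-Z


def otp_key(n: int, m: int = ALPHABET_SIZE) -> list:
    """Uniformly random key symbols k_i in [0, m), one per plaintext symbol."""
    return [secrets.randbelow(m) for _ in range(n)]


def otp_encrypt(plaintext: str, key: list, m: int = ALPHABET_SIZE) -> str:
    """e_K(X) = (x_1 + k_1, ..., x_n + k_n) mod m over uppercase letters."""
    if len(key) < len(plaintext):
        raise ValueError("key must be at least as long as the message")
    out = []
    for ch, k in zip(plaintext, key):
        x = ord(ch) - ord("A")
        if not 0 <= x < m:
            raise ValueError("plaintext must be uppercase A-Z")
        out.append(chr((x + k) % m + ord("A")))
    return "".join(out)


def otp_decrypt(ciphertext: str, key: list, m: int = ALPHABET_SIZE) -> str:
    """d_K(Y) = (y_1 - k_1, ..., y_n - k_n) mod m."""
    return "".join(chr((ord(ch) - ord("A") - k) % m + ord("A"))
                   for ch, k in zip(ciphertext, key))


def keystream(seed: bytes, n: int) -> bytes:
    """Stand-in PRNG (assumption): expand a short seed into n bytes by hashing seed||counter."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]


def stream_xor(data: bytes, seed: bytes) -> bytes:
    """E_seed[M] = M xor PRNG(seed); the same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(seed, len(data))))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under the same keystream: c1 xor c2 == p1 xor p2, the keystream cancels."""
    return xor_bytes(c1, c2)


def flip_plaintext_bits(ciphertext: bytes, offset: int, mask: bytes) -> bytes:
    """Malleability: XORing a mask into the ciphertext XORs the same mask into the plaintext."""
    ct = bytearray(ciphertext)
    for i, m in enumerate(mask):
        ct[offset + i] ^= m
    return bytes(ct)


if __name__ == "__main__":
    seed = b"constructed-seed"          # constructed secret seed
    p1 = b"meet me today at 5"          # the deck's message
    c1 = stream_xor(p1, seed)
    # no integrity check, so a one-byte change in the ciphertext changes the time in the plaintext
    tampered = flip_plaintext_bits(c1, 17, xor_bytes(b"5", b"9"))
    print(stream_xor(tampered, seed))   # b'meet me today at 9'
    c2 = stream_xor(b"meet me at 5 today", seed)
    print(keystream_reuse_leak(c1, c2) == xor_bytes(p1, b"meet me at 5 today"))  # True
```

The last two lines are exactly why a stream cipher needs a fresh keystream per message and a MAC alongside the encryption.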
-
Block Ciphers
Map n-bit plaintext blocks to n-bit ciphertext blocks (n: block length).
For n-bit plaintext and ciphertext blocks and a fixed key, the encryption function is a bijection: E: P^n × K → C^n such that for every key k ∈ K, E(x, k) is an invertible mapping, written E_k(x).
The inverse mapping is the decryption function: x = D_k(y) denotes the decryption of ciphertext y under k.
-
Block Cipher Features
Block size: in general larger block sizes mean greater security.
Key size: larger key size means greater security (larger key space).
Number of rounds: multiple rounds offer increasing security.
Encryption modes: define how messages larger than the block size are encrypted, very important for the security of the encrypted message.
-
History of Data Encryption Standard (DES)
1967: Feistel at IBM, Lucifer: block size 128 bits; key size 128 bits
1972: NBS asks for an encryption standard
1975: IBM develops DES (modification of Lucifer): block size 64 bits; key size 56 bits
1975: NSA suggests modifications
1977: NBS adopts DES as encryption standard (FIPS 46-1, 46-2)
2001: NIST adopts Rijndael as replacement for DES
-
DES Features
Block size = 64 bits
Key size = 56 bits
Number of rounds = 16
16 intermediary keys, each 48 bits
-
Cryptanalysis of DES
Brute force: known-plaintext attack
Try all 2^56 possible keys
Requires constant memory
Time-consuming
DES challenges (RSA):
msg = "the unknown message is: xxxxxxxx", CT = C1 | C2 | C3 | C4
1997 Internet search: 3 months
1998 EFF machine (costs $250K): 3 days
1999 Combined: 22 hours
-
Triple DES
Use three different keys
Encrypt: C = E_K3[ D_K2[ E_K1[P] ] ]
Decrypt: P = D_K1[ E_K2[ D_K3[C] ] ]
Key space is 56 × 3 = 168 bits
No known practical attack against it.
-
AES - Rijndael Features
Designed to be efficient in both hardware and software across a variety of platforms.
Uses a variable block size of 128, 192, or 256 bits, and a key size of 128, 192, or 256 bits.
128-bit round key used for each round (can be pre-computed and cached for future encryptions).
Note: AES uses a 128-bit block size.
Variable number of rounds (10, 12, 14):
10 if B = K = 128 bits
12 if either B or K is 192 bits and the other is at most 192 bits
14 if either B or K is 256 bits
-
Rijndael Cryptanalysis
Academic break on a weaker version of the cipher, 9 rounds
Requires 2^224 work and 2^85 chosen related-key plaintexts.
Attack not practical.
Resistant to linear and differential cryptanalysis
-
Encryption Modes: ECB
Message is broken into independent blocks of block_size bits;
Electronic Code Book (ECB): each block encrypted separately.
Encryption: c_i = E_k(x_i)
Decryption: x_i = D_k(c_i)
-
Properties of ECB
Deterministic: the same data block gets encrypted the same way, reveals patterns of data when a data block repeats.
Malleable: reordering ciphertext results in reordered plaintext.
Errors in one ciphertext block do not propagate.
Usage: not recommended to encrypt more than one block of data.
-
Encryption Modes: CBC
Cipher Block Chaining (CBC): next input depends upon previous output
Encryption: C_i = E_k(M_i ⊕ C_{i-1}), with C_0 = IV
Decryption: M_i = C_{i-1} ⊕ D_k(C_i), with C_0 = IV
[Figure: CBC encryption chain. M1, M2, M3 are XORed with C0 = IV, C1, C2 respectively, and each result is passed through E_k to produce C1, C2, C3.]
-
Properties of CBC
Randomized encryption: repeated text gets mapped to different encrypted data
Can be proven to be secure assuming that the block cipher has desirable properties and that random IVs are used
A ciphertext block depends on all preceding plaintext blocks; reordering affects decryption
Self-correcting: errors in one block propagate to two blocks
Sequential encryption: cannot use parallel hardware
Usage: choose a random IV and protect the integrity of the IV
Observation: if C_i = C_j then E_k(M_i ⊕ C_{i-1}) = E_k(M_j ⊕ C_{j-1}); thus M_i ⊕ C_{i-1} = M_j ⊕ C_{j-1}; thus M_i ⊕ M_j = C_{i-1} ⊕ C_{j-1}
-
Use Block Ciphers to Construct Stream Ciphers
Cipher Feedback (CFB)
Output Feedback (OFB)
Counter Mode (CTR)
Common properties:
uses only the encryption function of the cipher, both for encryption and for decryption
malleable: possible to make predictable bit changes
-
Encryption Modes: CFB
Cipher Feedback (CFB): the message is XORed with the feedback of encrypting the previous block
[Figure: CFB encryption and decryption. Shift register I_j (I_1 = IV) is encrypted under k to give O_j; the leftmost r bits of O_j are XORed with x_j to give c_j, and c_j is shifted back into the register (r-bit shift) for the next block. Decryption runs the same E_k and XORs O_j with c_j to recover x_j.]
-
Properties of CFB
Randomized encryption
A ciphertext block depends on all preceding plaintext blocks; reordering affects decryption
Errors propagate for several blocks after the error, but the mode is self-synchronizing (like CBC).
Decreased throughput. Can vary the number of bits fed back, trading off throughput for ease of use
Sequential encryption
-
Encryption Modes: OFB
Output feedback (OFB): construct a PRNG using DES: y_0 = IV, y_i = E_k[y_{i-1}]
[Figure: OFB encryption and decryption. I_1 = IV and I_j = O_{j-1}; O_j = E_k(I_j); encryption computes c_j = x_j ⊕ O_j and decryption computes x_j = c_j ⊕ O_j.]
-
Properties of OFB
Randomized encryption
Sequential encryption, but pre-processing possible
Error propagation limited
Subject to the limitations of stream ciphers
-
Encryption Modes: CTR
Counter Mode (CTR): another way to construct a PRNG using DES: y_i = E_k[counter + i]
Sender and receiver share: counter (does not need to be secret) and the secret key.
-
Properties of CTR
Software and hardware efficiency: different blocks can be encrypted in parallel.
Preprocessing: the encryption part can be done offline; when the message is known, just do the XOR.
Random access: decryption of a block can be done in random order, very useful for hard-disk encryption.
Messages of arbitrary length: ciphertext is the same length as the plaintext (i.e., no IV).
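The ECB, CBC and CTR modes of the preceding slides, run over a small block cipher so that the listed properties can be observed directly: ECB leaking repeated blocks, CBC randomizing them and confining a corrupted ciphertext block to two damaged plaintext blocks, and CTR giving equal-length ciphertext and random-access decryption. This is an added example, not code from the lecture slides. The block cipher is a hypothetical teaching construction, a 4-round Feistel network on 128-bit blocks whose round function is HMAC-SHA256 (the Luby-Rackoff way of building a pseudo-random permutation from a pseudo-random function, assumed here to be adequate for the demonstration); it is neither DES nor AES, and only the modes are the generic ones defined on the slides. Padding is omitted, so ECB and CBC inputs must be whole blocks.

```python
"""Added example (not from the lecture slides): ECB, CBC and CTR over a
hypothetical Feistel/HMAC block cipher, showing the mode properties."""
import hashlib
import hmac

BLOCK = 16  # 128-bit blocks, split into two 64-bit halves


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Round function F_i(half) = HMAC_key(i || half), truncated to a half block
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, x: bytes) -> bytes:
    """E_k: four Feistel rounds, (L, R) -> (R, L xor F_i(R))."""
    assert len(x) == BLOCK
    l, r = x[:8], x[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key: bytes, y: bytes) -> bytes:
    """D_k: the same rounds in reverse order; the Feistel structure makes this exact."""
    assert len(y) == BLOCK
    l, r = y[:8], y[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def _blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "ECB/CBC need whole blocks (padding omitted)"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, msg: bytes) -> bytes:
    """c_i = E_k(x_i): blocks are independent, so equal blocks give equal ciphertext."""
    return b"".join(block_encrypt(key, x) for x in _blocks(msg))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return b"".join(block_decrypt(key, c) for c in _blocks(ct))


def cbc_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    """C_i = E_k(M_i xor C_{i-1}) with C_0 = IV; the IV is random and sent in clear."""
    prev, out = iv, []
    for m in _blocks(msg):
        prev = block_encrypt(key, _xor(m, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    """M_i = C_{i-1} xor D_k(C_i)."""
    prev, out = iv, []
    for c in _blocks(ct):
        out.append(_xor(prev, block_decrypt(key, c)))
        prev = c
    return b"".join(out)


def ctr_block(key: bytes, nonce: bytes, i: int) -> bytes:
    """y_i = E_k(nonce || counter + i): every keystream block is computable on its own."""
    assert len(nonce) == 8
    return block_encrypt(key, nonce + i.to_bytes(8, "big"))


def ctr_encrypt(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Keystream xor message; no padding, so the ciphertext has the plaintext's length."""
    out = bytearray()
    for i in range(0, len(msg), BLOCK):
        out += _xor(msg[i:i + BLOCK], ctr_block(key, nonce, i // BLOCK))
    return bytes(out)


ctr_decrypt = ctr_encrypt  # same operation in both directions


def ecb_leaks_pattern(key: bytes, msg: bytes) -> bool:
    """True when repeated plaintext blocks show up as repeated ciphertext blocks."""
    cs = _blocks(ecb_encrypt(key, msg))
    return len(set(cs)) < len(cs)


def cbc_blocks_damaged(key: bytes, iv: bytes, msg: bytes, index: int) -> int:
    """Flip one bit in ciphertext block `index` and count wrong plaintext blocks.
    CBC's self-correcting property: at most two (block index and block index+1)."""
    ct = bytearray(cbc_encrypt(key, iv, msg))
    ct[index * BLOCK] ^= 0x01
    got, want = _blocks(cbc_decrypt(key, iv, bytes(ct))), _blocks(msg)
    return sum(1 for g, w in zip(got, want) if g != w)


def ctr_decrypt_block(key: bytes, nonce: bytes, ct: bytes, i: int) -> bytes:
    """Random access: recover plaintext block i without touching the other blocks."""
    return _xor(ct[i * BLOCK:(i + 1) * BLOCK], ctr_block(key, nonce, i))
```

With a message made of three identical blocks plus one different block, ecb_leaks_pattern returns True while the CBC ciphertext blocks are all distinct; cbc_blocks_damaged returns 2 for any block but the last (where it returns 1, since no following block uses it); and ctr_decrypt_block recovers block i from the ciphertext and the counter alone, which is the property the hard-disk encryption remark on the slide relies on.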
-
Ideal Block Cipher
An ideal block cipher is a substitution cipher from {0,1}^n to {0,1}^n
Also known as a random permutation
Each key determines one permutation on the plaintext space
A random key is chosen
Why is this an ideal block cipher? Known-plaintext, chosen-plaintext, and chosen-ciphertext attacks are totally ineffective
-
Security Goal of Block Cipher
Indistinguishable from an ideal block cipher (i.e., a random permutation)
The best block cipher should be a pseudo-random permutation (PRP)
For all existing block ciphers, if there is no known attack, they are assumed to be PRP for some suitable parameters.
-
Block Cipher Modes Revisited
Suppose that the adversary knows that a ciphertext results from one of two possible plaintexts; the adversary should not be able to tell which plaintext is more likely to be the actual one.
If a block cipher is a PRP, then using this cipher under the CBC or CTR mode has semantic security.
-
Summary so Far
Stream ciphers are faster than block ciphers
Keystream reuse for stream ciphers makes them insecure
Current standard is AES, no known practical attacks against it
Security of block ciphers depends on the encryption mode
Recommended encryption modes CBC and CTR