introduction wireless comm ppt

Cristina Nita-Rotaru Lecture 1/ WS Milano Summer 2011 1 Wireless Network Security LECTURE 1: Introduction. Wireless communication. Security and privacy goals. Brief overview of security mechanisms.

Upload: seema-choudhary

Post on 26-Sep-2015


DESCRIPTION

Ppt describes wireless sensor networks

TRANSCRIPT

  • Cristina Nita-Rotaru Lecture 1/ WS Milano Summer 2011 1

    Wireless Network Security

    LECTURE 1: Introduction. Wireless communication. Security and privacy goals. Brief overview of security mechanisms.

  • ACKNOWLEDGEMENTS

    Slides used in these lectures are based on:

    Lecture slides I used at Purdue (555, 590T, 590W), www.cerias.purdue.edu/homes/crisn

    Slides provided with the book "Security and Cooperation in Wireless Networks", J-P. Hubaux and Levente Buttyan, 2008, http://secowinet.epfl.ch/index.php?page=slideshow.html

    Research presentations from collaborations with former students and colleagues

    PhD Theses of Jing Dong and Reza Curtmola

    NIST SP documents

    wikipedia

  • Topics

    Monday: Wireless communication characteristics; Wireless networks and applications. Security goals and adversarial models

    Tuesday: Attacks on protocols. Cellular networks; WiMAX networks

    Wednesday: 802.11 networks; Data link security; Secure routing in ad hoc networks

    Thursday: Sensor networks, Bluetooth

    Friday: RFID, VANETs

  • Readings

    Security and cooperation in wireless networks. L Buttyan, J-P Hubaux.

    Slides, research papers, NIST SP

  • Today

    Wireless communication

    Wireless architectures

    Introduction to crypto and attacks

  • Security Services (or Goals)

    1) Confidentiality: information is available for reading only to authorized parties.

    Example: Alice sends a message to Bob, only Alice and Bob can understand the content of the message.

    2) Authentication:

    Data source authentication: the data is coming from an authorized party. Example: Alice receives a message from Bob. This service ensures that the message is from Bob and not from Carl.

    Entity authentication: the entity is who it says it is. Example: When Alice tries to obtain access to her bank account, an authentication operation is performed to ensure that it is really Alice who asks for the information.

  • Security Services (2)

    3) Integrity: detect if data was modified, from the source to the destination.

    Example: Alice sends an email to Bob. Carl intercepts the message and modifies it. Data integrity allows for Bob to detect that the message was modified on the way from Alice to him.

    4) Non-repudiation: neither the sender nor the receiver of a message is able to deny the transmission.

    Example: Alice sends Bob a contract, signed. The non-repudiation service ensures that Alice cannot claim that the signature was produced by somebody else.

  • Security Services (3)

    5) Access control: only authorized parties can use specific resources.

    Example: Alice wants to print a document; she must be authorized to get that document and to use the printer.

    6) Availability: resources are available to authorized parties.

    Example: A web site might become unavailable if the server crashes, or is bombarded with requests.

  • Privacy

    1) Anonymity: hiding who performed a given action (k-anonymity)

    2) Untraceability: making it difficult for an adversary to identify that a given set of actions were performed by the same subject

    3) Unlinkability: hiding information about the relationships between any item

    4) Unobservability: hiding of the items themselves

    5) Pseudonymity: making use of a pseudonym instead of the real identity


  • Security and Wireless Communication

    The usual goals: authentication, confidentiality, integrity, access control, non-repudiation, denial of service

    Additionally: privacy is a big concern, particularly location privacy

    Is wireless communication more vulnerable?

  • Wireless Specific

    Physical security: an issue for small devices. Protocols have to consider inside attacks (assume the device is controlled by the adversary)

    Eavesdropping: easier than wired

    Resource constraints: medium is shared, some devices have limited power and computation resources. Solutions must not have significant overhead

    Privacy: many devices equipped with location services, location privacy a bigger concern

    Denial of service: jamming is an issue for some types of wireless communication

  • Wireless communication characteristics


  • Wireless Communication

    THERE IS NO LINK: electromagnetic waves

    λ = c / f

    c (speed of light) = 3 × 10^8 m/s; f is the frequency; λ is the wavelength

  • Wave Propagation

    Reflection: wave gets reflected when it hits an object very large compared with the wavelength

    Diffraction: wave bends at the edges and propagates in different directions when it hits an impenetrable object

    Scattering: wave scatters when it travels through a medium containing objects smaller than the wavelength (e.g. trees)


  • Characteristics

    Interaction with the environment: path loss, interference, blockage

    Transmission constraints: constrain the ability to transmit information at different data rates

    Noise: Quality of communication is affected by noise

    Error rate: Higher than in wired communication


  • Wave Components

    Direct path component:

    Path loss: attenuation of an electromagnetic wave in transit from a transmitter to a receiver

    Fading: time variation of the received signal power caused by changes in the transmission medium or path

    Doppler shift: the apparent change in frequency and wavelength of a wave that is perceived by an observer moving relative to the source of the waves

    Multi-path components: result from reflection, refraction, scattering. Wave arrives at receiver shifted in amplitude, phase and frequency

  • Path Loss

    Power of transmission reduces with: terrain contours; different environments (urban or rural, vegetation and foliage); propagation medium (dry or moist air); distance between the transmitter and the receiver; height and location of the antennas

    Wavelength/frequency: long wavelength (low frequency), less loss; short wavelength (high frequency), more loss

    Different models to estimate path loss

  • Fading

    Fast fading: rapid fluctuations in amplitude, phase. Due to multi-path propagation resulting in interference of multiple copies of the same transmitted signal arriving at the receiver

    Slow fading: the duration of the fading may last for multiple seconds or minutes. Due to absorption of the transmission by objects, for example in buildings

  • Interference

    Adjacent channel interference: interference caused by extraneous power from a signal in an adjacent channel

    Co-channel interference: due to weather conditions, wireless communications systems (radio, TV, etc.) in different locations that share common channels can experience co-channel interference


  • Thermal Noise

    Noise generated by the thermal agitation of the charge carriers (the electrons) inside an electrical conductor in equilibrium, which happens regardless of any applied voltage

    Causes errors in reception (digital) or degradation of quality (analog)

    Effectively limits transmission range, since communication fails once the transmitted signal's strength falls below the noise floor

  • Noise Limits Transmitting Distance

    Figure: received signal = transmitted signal + noise. Short range transmission (low path loss): high signal to noise ratio (SNR). Long range transmission (high path loss): low SNR.

  • Transmission Rate Constraints

    Nyquist's Theorem: specifies the maximum data rate possible on a channel

    C = 2 * B * log2 L (bits/sec)

    B = bandwidth of the channel; C = maximum channel capacity; L = number of discrete signal levels/voltage

  • Transmission Rate Constraints

    Shannon's Theorem: specifies the maximum data rate possible in a noisy channel

    C = B * log2 (1 + S/N) (bits/sec)

    B = bandwidth of the channel; C = maximum channel capacity; S = signal power; N = noise power; SNR (in dB) = 10 log10 (S/N)
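As an added worked example (not from the lecture slides), the two bounds above as code, taking the SNR in dB exactly as the slide defines it; the 20 MHz, 20 dB channel used at the bottom is a constructed input, not a value from the slides:

```python
import math

# Added example (not from the lecture): Nyquist and Shannon rate bounds,
# with the SNR given in dB as in the slides' SNR = 10 log10(S/N).


def nyquist_capacity(bandwidth_hz, levels):
    """Nyquist bound C = 2 * B * log2(L) for L discrete signal levels (bits/s)."""
    if levels < 2:
        raise ValueError("a signal needs at least two distinguishable levels")
    return 2.0 * bandwidth_hz * math.log2(levels)


def snr_db_to_linear(snr_db):
    """Invert SNR(dB) = 10 log10(S/N) to get the power ratio S/N."""
    return 10.0 ** (snr_db / 10.0)


def shannon_capacity(bandwidth_hz, snr_db):
    """Shannon bound C = B * log2(1 + S/N) for a noisy channel (bits/s)."""
    return bandwidth_hz * math.log2(1.0 + snr_db_to_linear(snr_db))


def levels_needed(bandwidth_hz, snr_db):
    """Smallest L for which the Nyquist rate reaches the Shannon limit.

    From 2 B log2(L) >= B log2(1 + S/N) we get L >= sqrt(1 + S/N): adding
    more levels than this cannot help, noise makes them indistinguishable.
    (The bandwidth cancels; it is kept as a parameter for symmetry.)
    """
    return math.ceil(math.sqrt(1.0 + snr_db_to_linear(snr_db)))


def achievable_rate(bandwidth_hz, levels, snr_db):
    """Whichever bound binds: signalling (Nyquist) or noise (Shannon)."""
    return min(nyquist_capacity(bandwidth_hz, levels),
               shannon_capacity(bandwidth_hz, snr_db))


if __name__ == "__main__":
    # Constructed channel: 20 MHz wide, 20 dB SNR (values chosen for illustration).
    bw, snr = 20e6, 20.0
    for lv in (2, 4, 16, 64):
        print(f"L={lv:2d}: Nyquist {nyquist_capacity(bw, lv) / 1e6:7.1f} Mbit/s, "
              f"achievable {achievable_rate(bw, lv, snr) / 1e6:7.1f} Mbit/s")
    print("Shannon limit:", round(shannon_capacity(bw, snr) / 1e6, 1), "Mbit/s;",
          "levels worth using:", levels_needed(bw, snr))
```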

  • Multiple Access Techniques

    Transmission medium is broadcast. If everybody sends, then communication is not meaningful, garbage

    Multiple access techniques: methods that determine how the medium is accessed such that the channel is shared between multiple participants

    Multiple access such that: maximize message throughput, minimize mean waiting time

  • Multiple Access Methods

    Three domains in which users can be separated: frequency, time, and space

    Frequency division multiple access (FDMA)

    Time division multiple access (TDMA)

    Code division multiple access (CDMA)

    Space division multiple access (SDMA)

  • FDMA

    Users are separated in frequency domain

    Each station has its own frequency band, separated by guard bands to eliminate inter-channel interference

    Receivers tune to the right frequency

    Number of frequencies is limited

    Best suited for analog links

    Main drawback is under-utilization of the frequency spectrum

  • TDMA

    Users transmit data on same frequency, but at different times (separated in time)

    Relies on time synchronization

    Users can be given different amounts of bandwidth

    Users can use idle times to determine best base station

    Synchronization overhead

    Problems with multipath interference on wireless links

  • CDMA

    Users separated both by time and frequency

    Send at a different frequency at each time slot (frequency hopping)

    Convert a single bit to a code (direct sequence), receiver can decipher bit by inverse process

    Difficult to spy

    No need for all stations to synchronize

    All cells can use all frequencies

    Increased complexity

  • Spread Spectrum

    Enables a signal to be transmitted across a frequency band, much wider than the minimum bandwidth required by the information signal

    Transmitter spreads the energy across a number of frequencies

    Benefits: privacy, decreased narrowband interference, increased signal capacity

    In North America the FCC waveband is divided into 75 hopping channels, power transmission limited to 1 watt on each channel

  • Frequency Hopping Spread Spectrum (FHSS)

    Transmitter hops between available frequencies according to a predefined algorithm, which can be either random or preplanned

    Transmitter operates in synchronization with the receiver

    Large number of frequencies used

    Results in a system that is quite resistant to jamming

  • FHSS: Details

    Signal hops from frequency to frequency at fixed intervals

    Transmitter operates in one channel at a time

    Bits are transmitted using some encoding scheme

    At each successive interval, a new carrier frequency is selected

    Receiver, hopping between frequencies in synchronization with transmitter, picks up message

  • FHSS Example


  • Direct Sequence Spread Spectrum (DSSS)

    Each bit in original signal is represented by multiple bits in the transmitted signal

    Data is chopped in small pieces and spread across the frequency domain

    Performance of DSSS is usually better and more reliable

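An added example, not from the lecture: toy direct-sequence spreading with orthogonal Walsh codes, showing how two CDMA users share the same chips (the "code" domain of the Multiple Access Methods slide), how a listener with the wrong code sees nothing, and how despreading averages out a short burst of narrowband interference. The code assignment, bit patterns and the burst are constructed inputs:

```python
# Added example (not from the lecture): toy direct-sequence spreading and
# code-division multiple access with orthogonal Walsh codes, on +1/-1 chips.


def walsh_codes(order):
    """Rows of the 2**order Sylvester-Hadamard matrix; any two rows are orthogonal."""
    h = [[1]]
    for _ in range(order):
        h = [row + row for row in h] + [row + [-x for x in row] for row in h]
    return h


def spread(bits, code):
    """Direct sequence: each data bit (0 -> -1, 1 -> +1) becomes len(code) chips."""
    chips = []
    for b in bits:
        symbol = 1 if b else -1
        chips.extend(symbol * c for c in code)
    return chips


def superpose(*signals):
    """The shared medium adds all users' chip streams together."""
    return [sum(chips) for chips in zip(*signals)]


def correlations(signal, code):
    """Correlate each chip group with the code: +-len(code) for the matching
    user, 0 for an orthogonal user's code (or for a listener with the wrong code)."""
    n = len(code)
    return [sum(s * c for s, c in zip(signal[i:i + n], code))
            for i in range(0, len(signal), n)]


def despread(signal, code):
    """Recover the bits: the sign of each correlation decides 0 or 1."""
    return [1 if corr > 0 else 0 for corr in correlations(signal, code)]


def add_burst(signal, start, length, amplitude):
    """Narrowband/burst interferer: a constant offset on a few consecutive chips."""
    out = list(signal)
    for i in range(start, min(start + length, len(out))):
        out[i] += amplitude
    return out


if __name__ == "__main__":
    codes = walsh_codes(3)                 # eight 8-chip codes; row 0 is all ones
    code_a, code_b = codes[1], codes[2]    # constructed assignment of two users
    bits_a, bits_b = [1, 0, 1], [0, 0, 1]
    medium = superpose(spread(bits_a, code_a), spread(bits_b, code_b))
    print("user A despread:", despread(medium, code_a))        # [1, 0, 1]
    print("user B despread:", despread(medium, code_b))        # [0, 0, 1]
    print("wrong code sees:", correlations(medium, codes[3]))  # [0, 0, 0]
    print("A under burst:  ", despread(add_burst(medium, 2, 2, 3), code_a))
```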

  • DSSS Example


  • DSSS vs FHSS

    FHSS transmits data, using smaller blocks of data, that are spread out over many switching channels.

    If two WLANs exist in the same area and one of them uses FHSS, the FHSS network will take precedence over the DSSS-based network, which will only be able to transport data correctly when the FHSS nodes are in idle mode.

  • Space Division Multiple Access

    Users are separated in space domain

    Several users use the same frequency & time slot (in TDMA)

    Each user is separated by the smart antenna by using its unique spatial location

    Different areas can be served using the same frequency

    Increased co-channel interference from adjacent co-channel cells

  • OSI/ISO Model


  • Summary: Wireless Characteristics

    Higher error rate: higher signaling overhead

    Constrained information transmission: distance vs data rates

    Shared channel: coordination

    Open environment: eavesdropping

    Limited coverage: cooperation

  • Wireless Networks: Architectures and Applications

  • Spectrum Allocation

    Name          900 MHz             2.4 GHz              5 GHz
    Range         902 - 928 MHz       2.4 - 2.4835 GHz     5.15 - 5.35 GHz
    Bandwidth     26 MHz              83.5 MHz             200 MHz
    Wavelength    0.33 m / 13.1 in    0.125 m / 4.9 in     0.06 m / 2.4 in

    Licensed: frequencies auctioned to the highest bidder

    Unlicensed: frequencies not allocated at all, for example ISM (industrial, scientific and medical)

    Public bands

  • Spectrum Regulators

    Federal Communications Commission (FCC): regulates interstate and international communications by radio, television, wire, satellite and cable in the US. Established by the Communications Act of 1934 and operates as an independent U.S. government agency overseen by Congress.

    Europe, on a country basis. Romania: National Regulatory Authority for Communications and Information Technology. Italia: Ministro delle comunicazioni and Autorità per le garanzie nelle comunicazioni.

  • IEEE Standards: Range vs Data Rate

    Figure: IEEE wireless standards plotted by range against data rate (Mbps, log scale from 0.01 to 1000). WPAN: ZigBee 802.15.4 and 802.15.4c, Bluetooth 802.15.1, 802.15.3 and 802.15.3c. WLAN: WiFi 802.11. WMAN: WiMax IEEE 802.16, IEEE 802.20. WRAN: IEEE 802.22. [Heile06]

    Slide by Omid Fatemieh (From Spring 2010 cs463 at UIUC)

  • Wireless Networks

    Cellular Networks; WMAN: WiMAX; MANETs; WMNs; Sensor Networks; WPAN: Bluetooth; RFID; VANETs

  • Cellular Networks

    Architecture: Wireless phones communicate with an infrastructure consisting of base stations. Uses licensed spectrum. Communication between base stations is wired. Frequency reused by dividing the area covered by a cellular network in cells. Wide coverage. Large number of users

    Applications: voice, text, data, video, internet, payment

  • Wireless Local Area Networks (WLANs)

    Provides increased bandwidth (up to 11 Mb/s for 802.11b and up to 54 Mb/s for 802.11g)

    Uses unlicensed spectrum to provide access to a local network

    Infrastructure mode: Fixed access point connected to the wired infrastructure, mobile stations communicating wirelessly with the access point

    Ad hoc mode: mobile stations communicate with each other via wireless

  • Mobile Ad Hoc Networks (MANETs)

    Architecture: Mobile nodes communicate via multi-hop with each other. Requires cooperation. Network is self-configuring

    Characteristics: Easy to deploy, do not require fixed infrastructure. Network topology may change rapidly and unpredictably

  • Wireless Mesh Networks (WMNs)

    Architecture: Set of fixed wireless routers that form a wireless backbone and a set of wireless clients. A WMN can be integrated with other types of networks such as wired (Internet), cellular or sensor networks via a gateway

    Applications: community and neighborhood networking, broadband home networking, enterprise networking, health and medical systems, surveillance systems

  • WiMAX Networks

    Architecture: Long range system, licensed (2.3 GHz, 2.5 GHz and 3.5 GHz) or unlicensed spectrum. Uses a QoS mechanism based on connections between the base station and the user device

    Applications: Mobile broadband connectivity across cities and countries through a variety of devices. Wireless alternative to cable and DSL for "last mile" broadband access

  • Sensor Networks

    Architecture: Low cost small devices, able to sense the environment (temperature, light, humidity), report sensed data using wireless communication

    A large number of sensors (static or mobile), distributed in an ad hoc manner over an area

    Nodes cooperate: communicate via multi-hop wireless communication, some nodes aggregate data

    Unlicensed spectrum

    Applications: battlefield surveillance, medical monitoring, biological detection, habitat monitoring, home security, disaster recovery

  • SCADA (Supervisory Control and Data Acquisition), a type of Industrial Control System

    Architecture: Human-Machine Interface (HMI); Remote Terminal Units (RTUs): many are wireless today; Programmable Logic Controllers (PLCs); devices hardened with respect to environmental and physical threats

    Applications: industrial control systems: computer systems that monitor and control industrial, infrastructure, or facility-based processes

  • Wireless Personal Area Networks: Bluetooth

    Architecture: Connect and exchange information in short communication range of 1, 10 and 100 meters. Uses unlicensed spectrum

    Applications: PDAs, mobile phones, laptops, PCs, printers, digital cameras and video game consoles; cell phone and a hands free headset or car kit; PC input and output devices (mouse, keyboard and printer); test equipment, GPS receivers and medical equipment; remote controls where infrared was traditionally used

  • Vehicular Networks (VANETs)

    Architecture: Cars have onboard equipment equipped with GPS, integrated with the safety belts, steering to prevent skidding, and warning alerts. Can communicate with the roadside infrastructure

    Applications: Congestion detection, collision alert, toll collection, deceleration warning, road hazard warning, electronic payments, monitor traffic, send updates, and switch traffic signals

  • VANETs Status

    US: Spectrum allocated by FCC in 1999; existing standard: Radio standard for Dedicated Short-Range Communications (DSRC), based on an extension of 802.11, 802.11p

    US Department of Transportation Initiative VII: the Vehicle Infrastructure Integration initiative will work toward deployment of advanced vehicle-vehicle and vehicle-infrastructure communications that could keep vehicles from leaving the road and enhance their safe movement through intersections.

    Europe: in August 2008 the European Telecommunications Standards Institute (ETSI) allocated 30 MHz of spectrum in the 5.9 GHz band

  • Radio-Frequency Identification (RFID)

    Architecture: Wireless communication between a reader and an electronic tag attached to an object. RFID tag: microchip + RF antenna, can be active or passive, stores a few hundred bits

    Applications: identification and tracking, electronic tickets for public transport systems, access control to buildings, automated toll-payment transponders, anti-theft systems for cars, passports

  • Next Generation of Air Traffic Control

    Figure: diagram of the next generation air traffic control architecture; the labelled components and links are GPS, UAT, UAT/1090 Squitter, HF/Satcom and IP VPN

  • Global Positioning System (GPS)

    Architecture: 24 satellites that orbit the Earth in very precise orbits twice a day and emit signals

    Applications: position and coordinates; travel progress reports; accurate time measurement

  • Galileo

    Global navigation satellite system currently being built by the European Union.

    Should become operational in 2013-2014.


  • Wireless Networks: Summary so Far

    Wireless communication is omnipresent today, operating in licensed and unlicensed spectrum

    Architectures: centralized, peer to peer

    Communication: one-hop, multi-hop

    Devices: different computational power and physical accessibility

    Mobility: fixed nodes, mobile nodes

  • Security Goals, Attacks, Adversarial Models

  • Information Security

    Security attack: Any action that compromises the security of information.

    Security mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack.

    Security service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.


  • Security Attacks

    Passive: the attacker does not modify the data, only monitors the communication. It threatens confidentiality. Example: listen to the communication between Alice and Bob, and if it is encrypted try to decrypt it.

    Active: the attacker is actively involved in deleting, adding or modifying data. It threatens all security services.

    Example: Alice sends Bob a message: "meet me today at 5". Carl intercepts the message, modifies it to "meet me tomorrow at 5", and then sends it to Bob.

  • Security Attacks: Examples

    Interruption

    Interception

  • Security Attacks: Examples

    Modification

    Fabrication (injection)

  • Security Mechanisms

    Cryptography: protect data by performing operations on the data (for example encrypt data).

    Software: access limitations in a database; in an operating system, protect each user from other users; in networking, firewalls.

    Hardware: use smartcards and trusted computing for authentication.

    Policies: define who has access to what resources.

    Physical security: control who has physical access to devices storing data.

  • What is Cryptography About?

    Constructing and analyzing protocols which enable parties to achieve security objectives, overcoming the influence of adversaries.

    Note: a protocol (or a scheme) is a suite of algorithms that tell each party what to do

    Attack model: assumptions about the resources and actions available to the adversary

    How to devise and analyze protocols: understand the threats posed by the adversaries and the security objectives (goals); think as an adversary

  • Actually

    Cryptography: the study of mathematical techniques related to aspects of providing information security services (construct).

    Cryptanalysis: the study of mathematical techniques for attempting to defeat information security services (break).

    Cryptology: the study of cryptography and cryptanalysis (both).

  • Basic Terminology in Cryptography

    cryptography, cryptanalysis, cryptology, plaintexts, ciphertexts, keys, encryption, decryption

  • Secret-key vs. Public-key Cryptography

    Secret-key cryptography (a.k.a. symmetric cryptography): encryption & decryption use the same key; key must be kept secret; key distribution is very difficult

    Public-key cryptography (a.k.a. asymmetric cryptography): encryption key different from decryption key; cannot derive decryption key from encryption key; higher cost than symmetric cryptography

  • How Do You Know a Cipher is Secure?

    Show that under the considered attack model, security goals are NOT achieved (break it)

    Show that under the considered attack model, security goals ARE achieved (evaluate/prove)

  • Breaking Ciphers

    There are different methods of breaking a cipher, depending on: the type of information available to the attacker; the interaction with the cipher machine; the computational power available to the attacker

  • Breaking Ciphers

    Ciphertext-only attack: The cryptanalyst knows only the ciphertext. Sometimes the language of the plaintext and the cipher are also known.

    The goal is to find the plaintext and the key. NOTE: any encryption scheme vulnerable to this type of attack is considered to be completely insecure.

  • Breaking Ciphers (2)

    Known-plaintext attack: The cryptanalyst knows one or several pairs of ciphertext and the corresponding plaintext.

    The goal is to find the key used to encrypt these messages or a way to decrypt any new messages that use that key.

  • Breaking Ciphers (3)

    Chosen-plaintext attack: The cryptanalyst can choose a number of messages and obtain the ciphertexts for them

    The goal is to deduce the key used in the other encrypted messages or decrypt any new messages using that key.

    It can be adaptive: the choice of plaintext depends on the ciphertext received from previous requests.

  • Breaking Ciphers (4)

    Chosen-ciphertext attack: Similar to the chosen-plaintext attack, but the cryptanalyst can choose a number of ciphertexts and obtain the plaintexts.

    It can also be adaptive: the choice of ciphertext may depend on the plaintext received from previous requests.


  • Models for Evaluating Security

    Unconditional security: The adversary has unlimited computational resources. Analysis is made by using probability theory. Perfect secrecy: observation of the ciphertext provides no information to an adversary.

    Complexity-theoretic security: The adversary is assumed to have polynomial computational power. The analysis uses complexity theory; polynomial-time attacks, although feasible in principle, can in practice be computationally infeasible.

  • Models for Evaluating Security (2)

    Provable security: Proof of security relies on the difficulty of solving a well-known and supposedly difficult problem (example: computation of discrete logarithms).

    Computational security (practical security): Measures the amount of computational effort required to defeat a system. Sometimes related to the hard problems, but no proof of equivalence is known.

    Ad hoc security (heuristic security): Variety of convincing arguments that every successful attack requires more resources than the ones available to an attacker. Unforeseen attacks remain a threat.

  • Cristina Nita-Rotaru Lecture 1/ WS Milano Summer 2011 81

    One-Time Pad

    Key is chosen uniformly at random. Plaintext X = (x1, x2, ..., xn); key K = (k1, k2, ..., kn); ciphertext Y = (y1, y2, ..., yn).

    ek(X) = (x1 + k1, x2 + k2, ..., xn + kn) mod m; dk(Y) = (y1 - k1, y2 - k2, ..., yn - kn) mod m

  • Cristina Nita-Rotaru Lecture 1/ WS Milano Summer 2011 82

    Shannon (Information-Theoretic) Security

    Basic idea: the ciphertext should provide no information about the plaintext.

    Such a scheme has perfect secrecy. The one-time pad has perfect secrecy if: key length ≥ message length; the key is random; the key is used only once.

    Result due to Shannon, 1949: C. E. Shannon, "Communication Theory of Secrecy Systems", Bell System Technical Journal, vol. 28-4, pp. 656-715, 1949.
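The following is an added example, not part of the lecture slides. It implements the one-time pad over Z_m exactly as written on the One-Time Pad slide (ek adds the key digit-wise mod m, dk subtracts it) and then checks Shannon's condition by brute force on small parameters: for a fixed plaintext, the ciphertext must be uniformly distributed over all keys, so observing Y says nothing about X. The same check shows that the key-length condition is not optional: a key shorter than the message that is repeated (which is what a Vigenère-style cipher does) reaches only a fraction of the ciphertext space and is no longer perfectly secret. The `encode`/`decode` helpers mapping letters to Z_26 and the sample messages are constructed for the example.

```python
import secrets
from collections import Counter
from itertools import product

# Added example (not from the lecture slides): one-time pad over Z_m in the slides'
# notation, e_k(X) = (x_i + k_i) mod m and d_k(Y) = (y_i - k_i) mod m, plus an
# exhaustive check of the perfect-secrecy condition on small parameters.

def otp_keygen(n: int, m: int) -> list:
    """Key K = (k_1, ..., k_n): each k_i drawn uniformly from Z_m with a CSPRNG."""
    return [secrets.randbelow(m) for _ in range(n)]

def otp_encrypt(x: list, k: list, m: int) -> list:
    """e_k(X): the key must be exactly as long as the message."""
    if len(k) != len(x):
        raise ValueError("one-time pad key must be as long as the message")
    return [(xi + ki) % m for xi, ki in zip(x, k)]

def otp_decrypt(y: list, k: list, m: int) -> list:
    """d_k(Y): inverse of otp_encrypt under the same key."""
    if len(k) != len(y):
        raise ValueError("one-time pad key must be as long as the message")
    return [(yi - ki) % m for yi, ki in zip(y, k)]

def expand_key(k: list, n: int) -> list:
    """Cyclically repeat a key to length n. With len(k) < n this VIOLATES the
    key-length condition (the pad degenerates into a periodic Vigenere-style key)."""
    return [k[i % len(k)] for i in range(n)]

def ciphertext_distribution(x: list, m: int, key_len: int) -> Counter:
    """Fix the plaintext x and enumerate every key in Z_m^key_len, counting how
    often each ciphertext occurs. Perfect secrecy requires this distribution to be
    uniform over all of Z_m^n for every x, so that Y reveals nothing about X."""
    counts = Counter()
    for k in product(range(m), repeat=key_len):
        counts[tuple(otp_encrypt(x, expand_key(list(k), len(x)), m))] += 1
    return counts

def is_perfectly_secret(m: int, n: int, key_len: int) -> bool:
    """True iff every plaintext in Z_m^n yields a uniform ciphertext distribution
    (Shannon's condition). Holds when key_len == n, fails when key_len < n."""
    for x in product(range(m), repeat=n):
        dist = ciphertext_distribution(list(x), m, key_len)
        if len(dist) != m ** n or len(set(dist.values())) != 1:
            return False
    return True

# Lowercase letters as elements of Z_26 (constructed sample encoding)
def encode(s: str) -> list:
    return [ord(c) - ord("a") for c in s]

def decode(v: list) -> str:
    return "".join(chr(ord("a") + i) for i in v)

if __name__ == "__main__":
    m, msg = 26, "attack"                      # constructed sample message
    key = otp_keygen(len(msg), m)
    ct = otp_encrypt(encode(msg), key, m)
    print(decode(ct), "->", decode(otp_decrypt(ct, key, m)))
    print("full-length random key perfectly secret:", is_perfectly_secret(3, 2, 2))
    print("short repeated key perfectly secret:", is_perfectly_secret(3, 2, 1))
```

The exhaustive check is only feasible for tiny m and n, which is the point: perfect secrecy is a statement about the whole key space, and the full-length, uniformly random, never-reused key is what makes every ciphertext equally consistent with every plaintext.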

  • Summary so Far

    Cryptographic protocols are an important tool in ensuring security

    Security goals: confidentiality, integrity, authentication

    There are very few protocols for which we can prove security

    OTP has perfect secrecy under some conditions

    Ciphers that are vulnerable to ciphertext-only attacks are completely insecure

    Cristina Nita-Rotaru Lecture 1/ WS Milano Summer 2011 83

  • Cristina Nita-Rotaru Lecture 1/ WS Milano Summer 2011 84

    Stream Ciphers and Block Ciphers

  • Cristina Nita-Rotaru Lecture 1/ WS Milano Summer 2011 85

    Stream Ciphers

    OTP is not practical for most applications: the key needs to be random, used only once, and as long as the message.

    OTP: the key is a random bit string of length n. Stream ciphers:

    Idea: replace random by pseudo-random. Use a pseudo-random number generator PRNG: {0,1}^s → {0,1}^n that expands a short (e.g., 128-bit) random seed into a long (e.g., 10^6-bit) string that looks random.

    The secret key is the seed: E_seed[M] = M ⊕ PRNG(seed)

  • Cristina Nita-Rotaru Lecture 1/ WS Milano Summer 2011 86

    Properties of Stream Ciphers

    Do not have perfect secrecy; security depends on the PRNG.

    The PRNG must be unpredictable: given a consecutive sequence of output bits (but not the seed), the next bit must be hard to predict.

    Typical stream ciphers are very fast. Used in many places, often incorrectly: SSL (RC4), DVD (LFSR), WEP (RC4), etc.

  • Cristina Nita-Rotaru Lecture 1/ WS Milano Summer 2011 87

    Fundamental Weaknesses of Stream Ciphers

    If the same keystream is ever used twice, the cipher is easy to break.

    Highly malleable: easy to change the ciphertext so that the plaintext changes in a predictable way, e.g., flipping bits.

    These weaknesses exist even if the PRNG is strong.
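The three slides above (Stream Ciphers, Properties, Fundamental Weaknesses) are illustrated by the following added example, which is not code from the lecture. The keystream generator is SHA-256 run in counter mode over the seed; it is an illustrative PRNG chosen so the code runs with the standard library only, not a standardized stream cipher. The block shows the E_seed[M] = M ⊕ PRNG(seed) construction, then demonstrates the two structural weaknesses with a perfectly good PRNG: keystream reuse cancels out and exposes m1 ⊕ m2, and XOR-ing a mask into a ciphertext byte flips the same bits in the recovered plaintext. The last two functions show the defender's answer to malleability, encrypt-then-MAC with HMAC-SHA256, which rejects any modified or truncated ciphertext before it is decrypted. Keys and messages are constructed sample values.

```python
import hashlib
import hmac

# Added example, not from the slides: the E_seed[M] = M xor PRNG(seed) construction.
# The PRNG is SHA-256 in counter mode over the seed, an ILLUSTRATIVE keystream
# generator (standard library only), not a standardized stream cipher.
TAG_LEN = 32  # bytes, HMAC-SHA256 tag

def prng(seed: bytes, n: int) -> bytes:
    """Expand a short secret seed into n keystream bytes."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])

def stream_encrypt(seed: bytes, message: bytes) -> bytes:
    """E_seed[M] = M xor PRNG(seed). XOR is an involution, so decryption is the same call."""
    return bytes(m ^ k for m, k in zip(message, prng(seed, len(message))))

stream_decrypt = stream_encrypt

def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under the same seed: c1 xor c2 = m1 xor m2. The keystream
    cancels, so the relation between the plaintexts is exposed without the key."""
    return bytes(a ^ b for a, b in zip(c1, c2))

def flip_bits(ciphertext: bytes, offset: int, mask: int) -> bytes:
    """Malleability: XOR-ing a mask into one ciphertext byte XORs the same mask
    into the corresponding plaintext byte, with no knowledge of the key."""
    c = bytearray(ciphertext)
    c[offset] ^= mask
    return bytes(c)

def encrypt_then_mac(seed: bytes, mac_key: bytes, message: bytes) -> bytes:
    """Mitigation: authenticate the ciphertext. Any bit change is detected before decryption."""
    c = stream_encrypt(seed, message)
    return c + hmac.new(mac_key, c, hashlib.sha256).digest()

def verify_and_decrypt(seed: bytes, mac_key: bytes, blob: bytes):
    """Return the plaintext, or None if the tag does not verify (tampered or truncated)."""
    if len(blob) < TAG_LEN:
        return None
    c, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, c, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return stream_decrypt(seed, c)

if __name__ == "__main__":
    seed, mac_key = b"\x01" * 16, b"\x02" * 16            # constructed keys
    m1, m2 = b"amount=0100", b"amount=5000"                 # constructed messages
    c1, c2 = stream_encrypt(seed, m1), stream_encrypt(seed, m2)
    print("reuse leaks m1 xor m2:", keystream_reuse_leak(c1, c2) == bytes(a ^ b for a, b in zip(m1, m2)))
    print("bit flip in plaintext:", stream_decrypt(seed, flip_bits(c1, 7, 0x09)))   # b'amount=9100'
    tampered = flip_bits(encrypt_then_mac(seed, mac_key, m1), 7, 0x09)
    print("after MAC check:", verify_and_decrypt(seed, mac_key, tampered))           # None
```

Note that nothing in the demonstration depends on the PRNG being weak; replacing `prng` with a standard keystream generator changes none of the results, which is what the slide means by "weaknesses exist even if the PRNG is strong". The unpredictability requirement (next bit hard to predict from previous output) is what the hash-in-counter-mode construction is meant to supply, and it is a separate property from integrity.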

  • Cristina Nita-Rotaru Lecture 1/ WS Milano Summer 2011 88

    Block Ciphers

    Map n-bit plaintext blocks to n-bit ciphertext blocks (n: block length).

    For n-bit plaintext and ciphertext blocks and a fixed key, the encryption function is a bijection: E : P^n × K → C^n such that for every key k ∈ K, E(x, k) is an invertible mapping, written Ek(x).

    The inverse mapping is the decryption function: x = Dk(y) denotes the decryption of ciphertext y under k.

  • Cristina Nita-Rotaru Lecture 1/ WS Milano Summer 2011 89

    Block Ciphers Features

    Block size: in general larger block sizes mean greater security.

    Key size: larger key size means greater security (larger key space).

    Number of rounds: multiple rounds offer increasing security.

    Encryption modes: define how messages larger than the block size are encrypted, very important for the security of the encrypted message.

  • Cristina Nita-Rotaru Lecture 1/ WS Milano Summer 2011 90

    History of Data Encryption Standard (DES)

    1967: Feistel at IBM develops Lucifer: block size 128 bits; key size 128 bits

    1972: NBS asks for an encryption standard

    1975: IBM develops DES (a modification of Lucifer): block size 64 bits; key size 56 bits

    1975: NSA suggests modifications

    1977: NBS adopts DES as encryption standard (FIPS 46-1, 46-2)

    2001: NIST adopts Rijndael as the replacement for DES

  • Cristina Nita-Rotaru Lecture 1/ WS Milano Summer 2011 91

    DES Features

    Features: block size = 64 bits; key size = 56 bits; number of rounds = 16; 16 intermediary (round) keys, each 48 bits.

  • Cristina Nita-Rotaru Lecture 1/ WS Milano Summer 2011 92

    Cryptanalysis of DES

    Brute force (known-plaintext attack): try all 2^56 possible keys. Requires constant memory; time-consuming.

    DES challenges (RSA): msg = "the unknown message is: xxxxxxxx", CT = C1 | C2 | C3 | C4

    1997, Internet search: 3 months

    1998, EFF machine (cost $250K): 3 days

    1999, combined: 22 hours

  • Cristina Nita-Rotaru Lecture 1/ WS Milano Summer 2011 93

    Triple DES

    Use three different keys.

    Encrypt: C = EK3[ DK2[ EK1[P] ] ]; Decrypt: P = DK1[ EK2[ DK3[C] ] ]

    Key length is 3 × 56 = 168 bits. No known practical attack against it.

  • Cristina Nita-Rotaru Lecture 1/ WS Milano Summer 2011 94

    AES - Rijndael Features

    Designed to be efficient in both hardware and software across a variety of platforms.

    Rijndael uses a variable block size (128, 192 or 256 bits) and key size (128, 192 or 256 bits). Note: AES uses a fixed 128-bit block size.

    A 128-bit round key is used for each round (round keys can be pre-computed and cached for future encryptions).

    Variable number of rounds (10, 12, 14): 10 if B = K = 128 bits; 12 if either B or K is 192 bits and the other is at most 192 bits; 14 if either B or K is 256 bits.

  • Cristina Nita-Rotaru Lecture 1/ WS Milano Summer 2011 95

    Rijndael Cryptanalysis

    Academic break on a weakened version of the cipher (9 rounds): requires 2^224 work and 2^85 chosen related-key plaintexts.

    The attack is not practical.

    Resistant to linear and differential cryptanalysis.

  • Cristina Nita-Rotaru Lecture 1/ WS Milano Summer 2011 96

    Encryption Modes: ECB

    The message is broken into independent blocks of block_size bits.

    Electronic Code Book (ECB): each block is encrypted separately.

    Encryption: ci = Ek(xi); Decryption: xi = Dk(ci)

  • Cristina Nita-Rotaru Lecture 1/ WS Milano Summer 2011 97

    Properties of ECB

    Deterministic: the same data block is always encrypted the same way, which reveals patterns in the data when a block repeats.

    Malleable: reordering ciphertext blocks results in reordered plaintext blocks.

    Errors in one ciphertext block do not propagate.

    Usage: not recommended for encrypting more than one block of data.

  • Cristina Nita-Rotaru Lecture 1/ WS Milano Summer 2011 98

    Encryption Modes: CBC

    Cipher Block Chaining (CBC): the next input depends upon the previous output.

    Encryption: Ci = Ek(Mi ⊕ Ci-1), with C0 = IV. Decryption: Mi = Ci-1 ⊕ Dk(Ci), with C0 = IV.

    [Diagram: CBC encryption chain. Each of M1, M2, M3 is XORed with the previous ciphertext block (C0 = IV) and passed through Ek, producing C1, C2, C3.]

  • Cristina Nita-Rotaru Lecture 1/ WS Milano Summer 2011 99

    Properties of CBC

    Randomized encryption: repeated text gets mapped to different encrypted data. Can be proven secure assuming that the block cipher has desirable properties and that random IVs are used.

    A ciphertext block depends on all preceding plaintext blocks; reordering affects decryption.

    Self-correcting: errors in one block propagate to two blocks.

    Sequential encryption: cannot use parallel hardware.

    Usage: choose a random IV and protect the integrity of the IV.

    Observation: if Ci = Cj then Ek(Mi ⊕ Ci-1) = Ek(Mj ⊕ Cj-1); thus Mi ⊕ Ci-1 = Mj ⊕ Cj-1; thus Mi ⊕ Mj = Ci-1 ⊕ Cj-1.

  • Cristina Nita-Rotaru Lecture 1/ WS Milano Summer 2011 100

    Use Block Ciphers to Construct Stream Ciphers

    Cipher Feedback (CFB), Output Feedback (OFB), Counter Mode (CTR). Common properties:

    use only the encryption function of the cipher, both for encryption and for decryption

    malleable: possible to make predictable bit changes

  • Cristina Nita-Rotaru Lecture 1/ WS Milano Summer 2011 101

    Encryption Modes: CFB

    Cipher Feedback (CFB): the message is XORed with the output of encrypting the feedback from the previous block.

    [Diagram: CFB encryption and decryption. The shift register Ij (I1 = IV) is encrypted under key k to give Oj; cj = xj ⊕ (leftmost r bits of Oj); cj is shifted into the register for the next step (r-bit shift). Decryption recomputes Oj from the same Ij and XORs it with cj to recover xj.]

  • Cristina Nita-Rotaru Lecture 1/ WS Milano Summer 2011 102

    Properties of CFB

    Randomized encryption.

    A ciphertext block depends on all preceding plaintext blocks; reordering affects decryption.

    Errors propagate for several blocks after the error, but the mode is self-synchronizing (like CBC).

    Decreased throughput: the number of bits fed back can be varied, trading off throughput for ease of use.

    Sequential encryption.

  • Cristina Nita-Rotaru Lecture 1/ WS Milano Summer 2011 103

    Encryption Modes: OFB

    Output feedback (OFB): construct a PRNG using DES: y0 = IV, yi = Ek[yi-1].

    [Diagram: OFB encryption and decryption. Ij (I1 = IV) is encrypted under key k to give Oj; cj = xj ⊕ Oj; Oj-1 is fed back as the next input Ij. Decryption regenerates the same Oj and computes xj = cj ⊕ Oj.]

  • Cristina Nita-Rotaru Lecture 1/ WS Milano Summer 2011 104

    Properties of OFB

    Randomized encryption. Sequential encryption, but pre-processing is possible. Error propagation limited. Subject to the limitations of stream ciphers.

  • Cristina Nita-Rotaru Lecture 1/ WS Milano Summer 2011 105

    Encryption Modes: CTR

    Counter Mode (CTR): another way to construct a PRNG using DES: yi = Ek[counter + i]. Sender and receiver share the counter (does not need to be secret) and the secret key.

  • Cristina Nita-Rotaru Lecture 1/ WS Milano Summer 2011 106

    Properties of CTR

    Software and hardware efficiency: different blocks can be encrypted in parallel.

    Preprocessing: the encryption part can be done offline; when the message is known, just do the XOR.

    Random access: blocks can be decrypted in any order, very useful for hard-disk encryption.

    Messages of arbitrary length: the ciphertext has the same length as the plaintext (i.e., no IV).

  • Cristina Nita-Rotaru Lecture 1/ WS Milano Summer 2011 107

    Ideal Block Cipher

    An ideal block cipher is a substitution cipher from {0,1}^n to {0,1}^n, also known as a random permutation. Each key determines one permutation on the plaintext space; a random key is chosen.

    Why is this an ideal block cipher? Known-plaintext, chosen-plaintext, and chosen-ciphertext attacks are totally ineffective.

  • Cristina Nita-Rotaru Lecture 1/ WS Milano Summer 2011 108

    Security Goal of Block Cipher

    Indistinguishable from an ideal block cipher (i.e., a random permutation).

    The best a block cipher can be is a pseudo-random permutation (PRP).

    For all existing block ciphers, if there is no known attack, they are assumed to be PRPs for suitable parameters.

  • Cristina Nita-Rotaru Lecture 1/ WS Milano Summer 2011 109

    Block Cipher Modes Revisited

    Suppose that the adversary knows that a ciphertext results from one of two possible plaintexts; the adversary should not be able to tell which plaintext is more likely to be the actual one.

    If a block cipher is a PRP, then using this cipher in CBC or CTR mode has semantic security.
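The following added example, not code from the lecture, ties the PRP abstraction above to the ECB, CBC and CTR slides. The "block cipher" is a 4-round Feistel network whose round function is HMAC-SHA256 under a per-round subkey; by the Luby-Rackoff result, four Feistel rounds with pseudorandom round functions form a strong pseudorandom permutation, so it stands in for the PRP the slides assume (it is not a standardized cipher; in practice the PRP is AES). The modes are implemented exactly as the slides define them, and the demonstration functions return the properties discussed: ECB maps identical plaintext blocks to identical ciphertext blocks while CBC with a random IV does not, a corrupted CBC ciphertext block damages exactly two plaintext blocks, and CTR needs no padding and decrypts with the same call. The `_subkeys` derivation, the nonce layout and all keys and messages are constructed for the example.

```python
import hashlib
import hmac
import secrets

BLOCK = 16          # 128-bit blocks, as in AES
HALF = BLOCK // 2

# Added example, not from the slides and not a standardized cipher. The block cipher
# is a 4-round Feistel network with HMAC-SHA256 round functions (Luby-Rackoff: a strong
# PRP given pseudorandom round functions). It models the PRP abstraction only.

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _subkeys(key: bytes) -> list:
    # Constructed subkey derivation: one SHA-256 per round
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(4)]

def _round(subkey: bytes, half: bytes) -> bytes:
    return hmac.new(subkey, half, hashlib.sha256).digest()[:HALF]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """E_k on one block: each round maps (L, R) -> (R, L xor F(R))."""
    left, right = block[:HALF], block[HALF:]
    for sk in _subkeys(key):
        left, right = right, _xor(left, _round(sk, right))
    return left + right

def block_decrypt(key: bytes, block: bytes) -> bytes:
    """D_k: run the rounds backwards; a Feistel network is invertible for any F."""
    left, right = block[:HALF], block[HALF:]
    for sk in reversed(_subkeys(key)):
        left, right = _xor(right, _round(sk, left)), left
    return left + right

def _blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("ECB/CBC input must be padded to the block size (padding omitted here)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, msg: bytes) -> bytes:   # c_i = E_k(x_i), every block independent
    return b"".join(block_encrypt(key, b) for b in _blocks(msg))

def ecb_decrypt(key: bytes, ct: bytes) -> bytes:    # x_i = D_k(c_i)
    return b"".join(block_decrypt(key, b) for b in _blocks(ct))

def cbc_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:   # C_i = E_k(M_i xor C_{i-1}), C_0 = IV
    out, prev = [], iv
    for m in _blocks(msg):
        prev = block_encrypt(key, _xor(m, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:    # M_i = C_{i-1} xor D_k(C_i)
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(prev, block_decrypt(key, c)))
        prev = c
    return b"".join(out)

def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """y_i = E_k(nonce || i), output = data xor keystream. The same call encrypts and
    decrypts, no padding is needed, and every block is independent (parallel, random
    access). The 8-byte nonce need not be secret but must never repeat under one key."""
    nblocks = (len(data) + BLOCK - 1) // BLOCK
    ks = b"".join(block_encrypt(key, nonce + i.to_bytes(8, "big")) for i in range(nblocks))
    return _xor(data, ks[:len(data)])

def repeated_ciphertext_blocks(ct: bytes) -> int:
    """ECB is deterministic: identical plaintext blocks give identical ciphertext blocks,
    so this count leaks plaintext structure. CBC with a random IV gives 0."""
    blocks = _blocks(ct)
    return len(blocks) - len(set(blocks))

def cbc_error_propagation(key: bytes, iv: bytes, msg: bytes) -> list:
    """Corrupt one bit of ciphertext block 0: block 0 decrypts to garbage, block 1 gets
    exactly that bit flipped, later blocks are intact (errors propagate to two blocks)."""
    ct = bytearray(cbc_encrypt(key, iv, msg))
    ct[0] ^= 0x01
    recovered, original = _blocks(cbc_decrypt(key, iv, bytes(ct))), _blocks(msg)
    return [r == o for r, o in zip(recovered, original)]

if __name__ == "__main__":
    key, iv, nonce = secrets.token_bytes(32), secrets.token_bytes(BLOCK), secrets.token_bytes(8)
    msg = b"same block......" * 3                      # constructed: three identical blocks
    print("ECB repeated blocks:", repeated_ciphertext_blocks(ecb_encrypt(key, msg)))      # 2
    print("CBC repeated blocks:", repeated_ciphertext_blocks(cbc_encrypt(key, iv, msg)))  # 0
    print("CBC error propagation:",
          cbc_error_propagation(key, iv, b"block one.......block two.......block three....."))
    print(ctr_crypt(key, nonce, ctr_crypt(key, nonce, b"no padding needed in CTR")))
```

The list returned by `cbc_error_propagation` reads `[False, False, True]`: the corrupted block itself is lost, the following block carries the same single-bit change (the malleability the slides mention), and the chain resynchronizes from the third block on. Because CTR and CBC are equally malleable, both need an integrity mechanism on top of the mode to turn semantic security into protection against tampering.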

  • Summary so Far

    Stream ciphers are faster than block ciphers

    Keystream reuse for stream ciphers makes them insecure

    Current standard is AES, no known practical attacks against it

    Security of block ciphers depends on the encryption mode

    Recommended encryption modes: CBC and CTR

    Cristina Nita-Rotaru Lecture 1/ WS Milano Summer 2011 110