security definition
DESCRIPTION
Security Definition. Unconditional Security The system cannot be defeated, no matter how much power is available by the adversary. Computational security - PowerPoint PPT PresentationTRANSCRIPT
Security Definition
• Unconditional Security– The system cannot be defeated, no matter how
much power is available by the adversary.
• Computational security– The perceived level of computation required to
defeat the system using the best known attack exceeds, by a comfortable margin, the computational resources of the hypothesized adversary.
– e.g., given limited computing resources, it takes the age of universe to break cipher.
Security Definition
• Provable security– The difficulty of defeating the system can be
shown to be essentially as difficult as solving a well-known and supposedly difficult problem (e.g., integer factorization)
• Ad hoc security– Claims of security generally remain questionable– Unforeseen attacks remain a threat
Secret Key Cryptographic Algorithms
• DES (Data Encryption Standard)
• 3DES (Triple DES)
• IDEA (International Data Encryption Algorithm)
• AES (Advanced Encryption Standard)
DES (Data Encryption Standard)• Authors: NSA & IBM, 1977
• Data block size: 64-bit (64-bit input, 64-bit output)• Key size: 56-bit key
• Encryption is fast– DES chips– DES software: a 500-MIP CPU can encrypt at about 30K
octets per second
• Security– No longer considered secure: 56 bit keys are vulnerable
to exhaustive search
Symmetric key crypto: DES
initial permutation
16 identical “rounds” of function application, each using different 48 bits of key
final permutation
DES operation
Triple-DES (3DES)
• C = DESk3(DESk2(DESk1(P))).
• Data block size: 64-bit• Key size: 168-bit key; effective key size: 112 (due to
man-in-the-middle attack)
• Encryption is slower than DES
• Securer than DES
IDEA (International Data Encryption Algorithm)
• Authors: Lai & Massey, 1991
• Data block size: 64-bit• Key size: 128-bit
• Encryption is slower than DES• Security
– Nobody has yet published results on how to break it
• Having patent protection
AES (Advanced Encryption Standard)
• Authors: Daemen & Rijmen
• Block size:128-bit• Key size: 128-bit, 192-bit, 256-bit
• Encryption is fast
• Security– As of 2005, no successful attacks are recognized.– NSA stated it secure enough for non-classified data.
Other SKC Algorithms
• RC2– Block size: 64 bits; key size: variable– Vulnerable to a chosen plaintext attack
• RC4– Stream cipher– Key size: variable (typically 40-256 bits)– No longer considered secure: the key stream generated by RC4 is
slightly biased in favor of certain sequences of bytes.
• RC5– Block size: variable (32, 64, 128 bits); key size: variable (0-2040bits)– Not secure when key size <= 64 bits
• RC6– Derived from RC5– Block size: variable; key size: variable
Some Hash functions
• Message digest (MD) algorithms– MD2, MD4, MD5, MD6; Author: Ron Rivest– 128-bit hash value– Some collisions are found.
• Secure hash algorithm (SHA) family
– SHA-0, SHA-1• 160-bit hash value• Reported “being broken”: collisions can be found with a
complexity lower than the brute-force search
– SHA-2• SHA-224, SHA-256, SHA-384, SHA-512.
PKC Algorithm: RSA
• Its security is based on the difficulty of factoring– Choose two large prime numbers, p and q.– Compute n=p*q and z=(p-1)*(q-1).– Find d and e (both less than n), such that e has no
common factors with z, and e*d-1 is divisible by z.– Encryption: c=me mod n; decryption: m=cd mod n.
• The best known algorithm for solving the problem is sub-exponential (less than exponential), but super-polynomial (more than any fixed degree polynomial)– Key size should be large (e.g., 1024 bits)
• Encryption/decryption involves exponentiation operations on large numbers.
PKC Algorithm: ECC (Elliptic Curve Cryptography)• Its security is based on the difficulty of solving the
discrete logarithm problem for the group of an elliptic curve over some finite field.
• Encryption/decryption operations are slower for an ECC system than for a factorization system or modulo integer discrete log system of the same size.
• Why ECC outperform RSA?– Till now, the mathematicians do not (yet?) have sub-
exponential algorithms for breaking the ECC system. – Key size can be smaller (e.g., 160 bits) than RSA (1024
bits).
Key Establishment and Distribution
Key Establishment• DH (Diffie-Hellmen) Scheme
Alice Bob
Pick x Pick y
n, g, gx mod n
gy mod n
Compute:
(gymod n)x =gxy mod n
Compute:
(gxmod n)y =gxy mod n
Key Establishment• DH (Diffie-Hellmen) Scheme: Man-in-the-middle attack
Alice Bob
Pick x Pick y
n, g, gx mod n
gy mod n
gvy mod n
Judy
gu mod n
n, g, gv mod n
gvy mod n gxu mod n
gxu mod n
Key Distribution Center (KDC)
• Alice, Bob need shared symmetric key.• KDC: server shares different secret key with
each registered user (many users)
• Alice, Bob know own symmetric keys, KA-KDC KB-
KDC , for communicating with KDC.
KB-KDC
KX-KDC
KY-KDC
KZ-KDC
KP-KDC
KB-KDC
KA-KDC
KA-KDC
KP-KDC
KDC
Key Distribution Center (KDC)
Aliceknows
R1
Bob knows to use R1 to communicate with Alice
Alice and Bob communicate: using R1 as session key for shared symmetric
encryption
Q: How does KDC allow Bob, Alice to determine shared symmetric secret key to communicate with each other?
KDC generate
s R1
KB-KDC(A,R1)
KA-KDC(A,B)
KA-KDC(R1, KB-KDC(A,R1) )
Certification Authorities
• Certification authority (CA): binds public key to particular entity, E.
• E (person, router) registers its public key with CA.– E provides “proof of identity” to CA. – CA creates certificate binding E to its public key.– certificate containing E’s public key digitally signed
by CA – CA says “this is E’s public key”Bob’s public
key K B+
Bob’s identifying informatio
n
digitalsignature(encrypt)
CA private
key K CA-
K B+
certificate for Bob’s public
key, signed by CA
Certification Authorities
• When Alice wants Bob’s public key:– gets Bob’s certificate (Bob or elsewhere).– apply CA’s public key to Bob’s certificate,
get Bob’s public key
Bob’s public
key K B+
digitalsignature(decrypt)
CA public
key K CA+
K B+
A certificate contains
• Serial number (unique to issuer)• info about certificate owner, including algorithm and
key value itself (not shown)• info about certificate
issuer• valid dates• digital signature by
issuer
Group Key management: A naïve approach
• Distribution– Open a secure channel with
each of the members.– Send the group key
• Complexity order = N [O(N)]
• Rekeying when membership changes– Send the new group key, separately to each
of the remaining members.• complexity O(N)
Tree-Based Algorithms
• 2 types of keys – SEKs (Session Encryption Key)– KEKs (Key Encryption Key)
• A Group Controller constructs a tree based hierarchy of KEKs
Logical entities
Group key
members
Group Controller
N number of members
d tree degree
depth1( )ln N
( )ln d
Logical Key Hierarchy (LKH)
• Updates the group key and the key encryption key by means of the ciphering of key-nodes in a hierarchical tree where members are located at the leaves.
• Achieve rekeying with only O(logN) messages instead of O(N) showed by trivial approach.
• Different ciphering algorithms can be used (DESede, AES…)
Logical Key Hierarchy (LKH)
• Initialization
KK3232KK3131 KK3333 KK3434 KK3535 KK3636 KK3737 KK3838
KK2222KK2121 KK2323 KK2424
KK1111 KK1212
KK00 GKCsGKCs
MM11 MM22 MM44 MM66MM55MM33 MM77 MM88
N secure channels
• Leaving Member
GKCsGKCs
KK3232KK3131 KK3434 KK3535 KK3636 KK3737 KK3838
KK2222KK2121 KK2323 KK2424
KK1111 KK1212
KK00
MM11 MM22 MM44 MM66MM55MM33 MM77 MM88
( )ln N
( )ln dRekeying Messages
K’K’1111
K’K’2222
K’K’00 KK34 34 { K{ K1111’}’}KK34 34 { K{ K00’}’} KK34 34 { K{ K2222’}’}
KK21 21 { K{ K1111’}’}KK21 21 { K{ K00’}’}
KK12 12 { K{ K00’}’}
Logical Key Hierarchy (LKH)
• Joining Member
GKCsGKCs
KK3232KK3131 KK3333 KK3434 KK3535 KK3636 KK3737 KK3838
KK2222KK2121 KK2323 KK2424
KK1111 KK1212
KK00
MM11 MM22 MM44 MM66MM55MM33 MM77 MM88
( )ln N
( )ln dRekeying messages
K’K’2121
K’K’1111
K’K’00
KK21 21 { K{ K2121’}’} KK11 11 { K{ K1111’}’} KK00 { K{ K00’}’}
KK31 31 { K{ K2121’}’} KK31 31 { K{ K1111’}’} KK31 31 { K{ K00’}’}
Logical Key Hierarchy (LKH)