He who wants to defend everything defends nothing
- Slides: 94
“He, who wants to defend everything, defends nothing. ” --- Frederick, the Great 1
Focus of a Security Plan Reference: Thomas Calabrese, ”Information Security Intelligence, ” Thomson Delmar learning, 2004, pp 4 n n n Scope: restricting the scope as much as possible Prioritization Practicability Some Examples of Attacks and a Hint about technologies 2
Example of a Security Incident: Phishing (mis)uses the following rule: If ASCII 00 and 01 characters are used just prior to @ character, IE would not display the rest of the URL. Example: http: //www. whitehouse. gov%01%00@www. hacker. com/. . . will show up as http: //www. whitehouse. gov in the status bar, indicating as if the message is from the White House. However the response will go to the Hacker. 3
Anti-Phishing. org n n n A Web site www. antiphishing. org, for reporting incidents, set up by a group of global banks and technology companies, led by Secure-messaging firm Tumbleweed Communications Corp Fast Response required; The phishing Web sites: often only in place for a day. Example: Dec 2003: Phishing e-mail appeared to come from the U. K. bank Nat. West. Anti-Phishing. org tracked the IP address to a spoofed home computer in San Francisco. "The owner of the computer probably had no idea he'd been hijacked, " says Dave Jevans, Tumbleweed's senior vice president of marketing. 4
Common attacks on Financial Institutions like Banks through Internet Common attacks: n phishing (attempts to trick account holders to give their account authentication details away), n fraudulent association with the bank as part of investment scams, and n trademark violation Losses due to attacks: "The major banks don't want to divulge the amount of losses. But just to give one example, a major Australian bank has put several million dollars in reserve since August 2003 to cover damages due to Internet frauds. “– Dave Jevans, e. Week, Dec 2003 5
An Example: time-to-market for Internet Security products n n 16 December, 2003: Discovery of the problem of Phishing 5 January 2004: Announcement of development of a new Anti-phishing service by Netcraft, of Bath, England. Netcraft says that the service is mainly for banks and other financial organizations 6
General Strategies for security n n n Continuous vigilance by monitoring and analysis reduce size of target: disable unneeded services limit access of attacker to target systems hardening the OS and applications Use technologies, which cannot be hacked easily 7
General Strategies for security: Technologies n n Confidentiality: encrypting sensitive data Integrity: Hashing, Digital Signatures Authentication: Digital certificates Non-repudiation: Trusted Digital 3 rd part signatures 8
“Using encryption on the Internet is the equivalent of using an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench. “ --- Professor Eugene Spafford Purdue University 9
CRYPTOGRAPHY n n n Cryptography (from two words in Greek): means secret writing. Cryptoanalysis: breaking of a cryptographic code CRYPTOGRAPHY: process data into unintelligible form, n n n reversibly/irreversibly without data loss usually one-to-one in size /compression 10
Cryptography Services, provided by cryptographic tools: n n Encoding information into a form which makes the information unintelligible to an unauthorized person integrity checking: no tampering authentication: not an impostor Encryption or Enciphering Plaintext Encryption Algorithm Ciphertext Key 11
Why encrypt? n A few valid reasons for (reversibly) encrypting data are: n n To prevent casual browsers from viewing sensitive data files To prevent accidental disclosure of sensitive data To prevent privileged users (e. g. , system administrators) from viewing private data files To complicate matters for intruders who attempt to search through a system's files 12
Kerckhoff’s principle The security of an encryption scheme should depend upon only the secrecy of the key, and NOT on the secrecy of the algorithm. 13
Classification n Two types of Encryption Algorithms n n n Reversible Irreversible Two types of Keys n n Symmetric Asymmetric 14
Types of Cryptographic Algorithms: • Secret Key • Example: DES, AES (Rijndael) • Public Key • Example: RSA, Rabin, El Gamal • Message Digest (Hash or cryptographic checksum) Example : SHA 256 • Message Authentication Codes 15
Reversible Encryption Reversible ENCRYPTION: cleartext ENCRYPTION DEVICE Decryption key cleartext n ciphertext encryption key Decryption Device can be used only when the same type of encryption software/equipment is available at both the ends 16
Decryption n Decryption or Deciphering Ciphertext Decryption Algorithm Plaintext Key 17
Fingerprinting Data Irreversible Encryption Hash Functions Plaintext Encryption Algorithm Hash Collisions in the output? 18
Cryptographic Hash Functions (H) n H : A transformation m = variable size input h = hash value : a fixed size string, also known as message digest or fingerprint or compression function. m H(m) h 19
Message Digest Variable Length Message Hashing Algorithm Fixed Length Digest 20
Uses of Hash Functions n n Integrity check for getting a document time- stamped without revealing its contents to the time stamp service Authentication through Digital Signatures For generation of pseudo-random numbers to generate several keys from a single shared secret Typical output of a Hash: 128 to 512 bits 21
A Cryptographic Hash function Properties of Cryptographic Hash functions : § One-way functions ‘Hard’ to invert : Computationally infeasible to find some input m such that H(m) = h. § Collision-resistant: a very large number of collisions exist. But these cannot be found. § Should be a random mapping from all possible input values to the set of possible output values 22
Message Digest (MD) • Consider an algorithm that generates outputs which are randomly distributed. • Let the MD (output) be of n bits • 2 n No of possible outputs. • Since these are randomly distributed, the probability is that after 1. 2 (2 n )1/2 digests are computed, we may find the same value. • ( Reference: statistical ideas of Birthday Paradox; Please see the last set of slides on Cryptoanalysis for a statement of the Paradox. ) Thus for n = 128, it would be (1. 2)264. 23
Definitions WEAKLY COLLISION FREE HASH FUNCTION: Given a message m 1. It is computationally infeasible to find m 2 such that § m 1 is not equal to m 2, and, § H(m 1) = H(m 2). STRONGLY COLLISION FREE HASH FUNCTION: It is computationally infeasible to find any two messages m 1 and m 2 such that H(m 1) = H(m 2). 24
Hash Functions: Collision-free Example: Consider a Hash of 128 bits. Weak: The probability of finding a message m 2 corresponding to a given hash value H(m 1) is 2 -128. Strong: The probability of finding two messages with the same hash value (with no constraint on any of the two messages) is 2 -64. 25
Properties of Cryptographic Hash functions (continued) n H(m) is easy to compute. § The input can be of any length. § The output has a fixed length. Notes 1: Consider a transformation of a sequence of length n 1 to a sequence of length n 2, where n 1 > n 2. In such a case, there must exist multiple input sequences that map to the same fixed-length hash value. 26
Notes on hash functions (continued) In the definitions of hash functions, it is only required that ‘to find x’ should be computationally infeasible, even though we know that x exists. 2. Computationally Infeasible (CI) means that the time complexity of the algorithm should grow faster than any polynomial. So CI means that it may take an extremely long time to compute x on even the fastest machine of the day. 27
Popular Hash Functions n n Iterative functions: n Split the message to equal sized blocks m 1, m 2, …… mk(padding for the last block) n Hi = h(Hi-1, mi), with H 0 as a fixed value MD 2 , MD 4 and MD 5 developed by Rivest. MD 2 (1989 ): Optimized for 8 bit machine; MD 4 (1990) , MD 5 (1991) : Optimized for 32 -bit machines. n MD 4 and MD 5 : Both produce a 128 -bit hash value. 28
Popular Hash Function: MD 5 n MD 4: n n n Den Boer and Bosselaers ( in a paper in 1991) discovered weaknesses. was cracked by Dobbertin. He devised a method to generate collisions in MD 4. MD 5 (Ref: RFC 1321) was supposed to be more secure. probability of MD 5 collision 1/3 x 1038 n n 1994: A non-fatal flaw discovered. SHA 1 (Secure Hash Algorithm) : Produces a 160 bit hash value from a message of less than 264 bits; 29
Popular Hash Function: SHA 1 n SHA 1: designed by NSA and standardized by NIST as a part of the Capstone project. (based on MD 5 and 2 to 3 times slower than MD 5) (Ref: RFC 3174 and FIPS 180 -1) n Aug 2004: reported generating collisions in MD 4 using "hand calculation", and in the family of MD 4/MD 5/SHA/RIPEMD. So its usage is now not recommended. * *Reference: Xiaoyun Wang and Dengguo Feng and Xuejia Lai and Hongbo Yu, ” Collisions for Hash Functions MD 4, MD 5, HAVAL 128 and RIPEMD, ” Cryptology e. Print Archive: Report 2004/199, http: //eprint. iacr. org/2004/199. pdf 30
Popular Hash Functions: To be used today n SHA 256, SHA 384 and SHA 512 (Ref: FIPS 1802) designed for use with AES with 128, 196 and 256 bits. Slower than SHA 1; may take nearly as much time as encryption by AES. SHA 384 uses SHA 512 method and discards the remaining bits. So though it takes the same time as SHA 512, it is less secure. Others: Snerfu: generates 128 bit or 256 bit hash; Haval: produces 128, 160, 192, 224 or 256 bit hash. 31
Secret Key/ Symmetric Cryptography n n Simpler and faster (than asymmetric by a factor of 1000) For Integrity check, a fixed-length checksum for the message may have to be used; CRC* not sufficient *Cyclic Redundancy Check 32
Symmetric Key Encryption Also called Private/Secret key Encryption Message by sender Sender-end Pr-key Encrypted Message Internet Message at receiver Pr-key Encrypted Message Receiver-end 33
Symmetric Key Cipher Standards n Data Encryption Standard: n n n the initial version developed by IBM as a US standard from 1975 to 1999 Advanced Encryption Standard n n The proposal from two belgian professor accepted in Sept 2000 Declared in Nov 2001 34
Theoretical Basis of DES Claude Shannon’s theories: Recapitulation 1945: Introduce diffusion and confusion through cryptographic algorithms. • Diffusion: Use permutation followed by some functional transformation. • So that one ‘character’ in ciphertext = function of a large number of ‘characters’ in the plaintext. • Thus if e is the most commonly used character in English plaintext, it may not be so in the ciphertext. In ciphertext all the characters should have ideally an equal frequency of occurrence. 35
Diffusion & Confusion : Recapitulation • Diffusion: seeks to make statistical relationship between the plaintext and ciphertext as complex as possible. Diffuses the structure of the plaintext over a large part of the ciphertext. • Confusion: makes the relationship between the statistics of the ciphertext and the encryption key as complex as possible. • Achieved by using a complex substitution algorithm. 36
Substitution and permutation Substitution or Permutation: easy to break by using statistical analysis For every language: frequency of characters, digrams ( two letter sequences) and trigrams are known. statistical analysis to decipher encrypted information. n English: e: the character with highest frequency n C: #define and #include in the beginning n Protocols and tcpdump: repetitive, fixed sized 37 fields
Kerckhoff’s Rule The strength of an encryption algorithm depends upon: 1. Design of the algorithm 2. Key length 3. Secrecy of the key ( requires proper management of key distribution) 1883: Jean Guillaumen Hubert Victor Fransois Alexandre Auguste Kerckhoff von Nieuwenhof: “ Cryptosystems should rely on the secrecy of the key, but not of algorithm. ” Advantages of Openness: 1994: A hacker published the source code of RC 4, a secret encryption algorithm, designed by RSA Data security Inc. attacks, that exposed several weaknesses of RC 4 38
Types of Cipher Algorithms n n Streaming Cipher: encrypts data bit by bit Block cipher: encrypts a fixed- sized block of data at a time. Block ciphers: n n For a 64 bit block of plaintext, for encryption to a 64 -bit ciphertext, may need a table of 264 = 150 million terabytes. For a block size of 128 bits, the table would require a memory of 5 x 1039 bytes. 39
DES Encryption: DES a public standard. But its design criterion has not been published. 64 bit plaintext goes through • an Initial Permutation (IP). • 16 Rounds of a complex function fk as follows: • Round 1 of a complex function fk with sub key K 1. • Round 2 of a complex function fk with sub key K 2. • Round 16 of a complex function fk with sub key K 16 Every round ends with a swap of Left-half and Right-half. • an Inverse Initial Permutation (IP-1 ) to produce 64 bit ciphertext. 40
DES Round x: block of plaintext n let x 0 = IP (x) = L 0: R 0 n 16 rounds with f: cipher function Ki: sub-key for the ith round While i ≤ 16, xi = Li: Ri Li = Ri-1 Ri = Li: f(Ri-1 , Ki) n 41
Function n n n Expansion permutation to get 48 bits from 32 bits of Ri : each input block of 4 bits contributes 2 bits to each output block Avalanche Effect: A small difference in plaintext causes quite different ciphertext E(Ri-1) Ki S-boxes for converting 48 bits to 32 bits output: Non-linear; provide major part of the strength of the cipher Straight permutation XOR with left half Switch the left half and the right half 42
Key Schedule Algorithm n n n Each sub-key Ki : 48 bits: obtained from a 56 bit key K Fixed Permutation: PC 1(K) = C 0: D 0 A left circular shift (of 1 or 2 bits) on the Lefthalf (C 0 ) and Right-half (D 0) separately (Output: C 1 of 28 bits and D 1 of 28 bits) 2 bits: for rounds 3 -8 and 10 -15 Compression permutation PC 2 to get 48 bit key Ki from Ci: Di Round-dependent left shifts different parts of initial key create each sub-key 43
Sub Key Generation The input key: 56 bits Hardware Design: the 8, 16, 24, 32, 40, 48, 56 and 64 th bit is always the odd parity bit. 64 bit key Software design: the key is stated in ASCII code. Each character of 8 bits, with the first bit being zero plus 7 bits of code. (!) Since DES was designed with the viewpoint of hardware implementation, the conversion to 56 bits is done by neglecting every 8 th bit. PC 1 converts to 56 bits and permutes. 44
Key Schedule K: 64 bit key n C 0: D 0 =PC 1(K) , 56 bit key n 16 steps for i = 1 -15: A left circular shift (of 1 or 2 bits) on the Left-half (Ci-1) and Right-half (Di-1) separately (Output: Ci of 28 bits and Di of 28 bits) n 16 Subkeys for i = 1 -15: Ki = PC 2(Ci : Di ) of 48 bits each n 45
PC 1: Obtaining C 0 and D 0 PC 1 generates C 0 and D 0, the left and the right halves respectively. C 0 Read the first column of the input 64 -bit key from bottom up. Write it row-wise from left to right. Repeat for the second, the third and the lower-half of the fourth column respectively. D 0 Read the seventh column of the input 64 -bit key from bottom up. Write it row-wise from left to right. Repeat for the sixth, the fifth and the upper-half of the fourth column respectively. Probably the conversion to the two halves was done due to the limitation of the hardware of seventies. 46
Sub Key Generation: continued Thus DES has a 56 bit key K consisting of C 0 and D 0. All the sub keys K 1 to K 16 are of 48 bits. To generate these keys, K goes through • A Permuted Choice (PC-1) (output C 0 of 28 bits and D 0 of 28 bits). • A left circular shift (of 1 or 2 bits) on the Left-half (C 0 ) and Right-half (D 0) separately (Output: C 1 of 28 bits and D 1 of 28 bits) followed by a Permuted Choice (PC-2) which permutes as well as ‘contracts’ to produce a sub-key K 1 of 48 bits. 47
Sub Key Generation (continued) • A left circular shift (of 1 or 2 bits) on the Left-half (C 1 ) and Right-half (D 1) separately (Output: C 2 of 28 bits and D 2 of 28 bits) followed by a Permuted Choice (PC-2) which permutes as well as ‘contracts’ to produce a sub-key K 2 of 48 bits. • A left circular shift (of 1 or 2 bits) on the Left-half (C 15 ) and Right-half (D 15) separately (Output: C 16 of 28 bits and D 16 of 28 bits) followed by a Permuted Choice (PC-2) which permutes as well as ‘contracts’ to produce a sub-key K 16 of 48 bits. 48
Key Schedule n KA = PC 1(K) KB 1 = LS-j(KA); LS-j is left circular shift by j bits, on the two halves of the 56 bits separately. j is given by Table 5. KB 2 = LS-j(KB 1) KB 3 = LS-j(KB 2). KBi = LS-j(Kbi-1). KB 16 = LS-j(KB 15) n n Ki = PC 2(KBi) 49
i-th Round The part in yellow, in the previous slide, shows the sub key generation. After PC 1, the circular rotations are independent for the left half and the right-half. ENCRYPTION: In the i-th round, Li = Ri-1 Ri = Li-1 F(Ri-1, Ki) = Li-1 P(S( E(Ri-1) Ki )) Where E: expansion from 32 bits to 48 S: Using 8 S-boxes to convert 48 bits to 32 bits – each S box converts 6 bits to 4 bits P: permutation 50
Expansion-Permutation (E/P): • In figure 2, the E-table generates 48 -bit output from 32 bit input by expansion-permutation by using table T 6. Table T 6: E/P 32 4 8 12 16 20 24 28 1 5 9 13 17 21 25 29 2 6 10 14 18 22 26 30 3 7 11 15 19 23 27 31 4 8 12 16 20 24 28 32 5 9 13 17 21 25 29 1 51
DES Decryption: Decryption uses the same algorithm as encryption except that the application of the sub-keys is reversed. : • • • In the first round of decryption, sub-key K 16 is used. . In the 16 th round of decryption, sub-key K 1 is used. 52
Decryption Relations ENCRYPTION: (from slide 49) Li = Ri-1 Ri = Li-1 F(Ri-1, Ki) = Li-1 P(S( E(Ri-1) Ki )) Rewriting: DECRYPTION relations are: Ri-1= Li Li-1 = Ri F(Ri-1, Ki) On substituting the value of Ri-1 from the first decryption relation, Li-1 = Ri F(Li, Ki) 53
Decryption Process n n n First: IP on ciphertext: undoes the final IP-1 step of encryption 16 Rounds: First round with subkey 16 undoes 16 th round of encryption. . Sixteenth round with subkey 1 undoes 1 st encryption round Last: IP-1 undoes the initial encryption IP 54
AES n n AES: designed by Joan Daemen and Vincent Rijmen Initially known as Rijndael Cipher 55
Rijndael Cipher Three steps: n initial XOR of the block with the sub-key 1 n has 9/11/13 rounds in which state undergoes: n byte substitution (The same S-box used on every byte) n shift rows(permute bytes between columns) n mix columns (subs using matrix multiply of groups) n add round key (XOR state with separate sub-keys for each round) n Incomplete last (i. e. 10/12/14 th) round (without mix columns operation) 56
Rijandael Cipher n continued The Rijndael cipher has a variable block length and key length. currently keys with a length of 128, 192, or 256 bits to encrypt blocks with a length of 128, 192 or 256 bits (all nine combinations of key length and block length are possible). Both block length and key length can be extended very easily by multiples of 32 bits. n n Rijndael can be implemented efficiently on a wide range of processors and in hardware. all operations can be combined into XOR and table lookups - hence very fast & efficient 57
Rijandael Cipher n n continued for 128 bit block: processes data as 4 groups of 4 bytes each. Each group is shown as a column in a matrix of four columns. Each column has 4 rows. Each cell of the 4 x 4 matrix contains one byte. The output in every round creates a new state of 128 bits or of 4 columns of 4 bytes each. The ciphertext is the final output generated by the cipher system. 58
Steps of a Round Function n n Round function: uniform and parallel, composed of 4 steps (except for the incomplete– without Mix. Column-- last round) Each step has its own particular function: n n n Byte. Sub: non-linearity Shift. Row: inter-column diffusion Mix Column: inter-byte diffusion within columns Round key addition Figure on slide 20: shows both encryption and decryption processes; STATE at corresponding levels for encryption and decryption is the same. 59
Pseudo Code for Encryption for the earlier rounds, and, for the last round Round(State, Round. Key) { Bytesub(State); Shift. Row(State); Mix. Column(State); Add. Round. Key(State, Roundkey); } n For the last round, it is a little different: Round(State, Round. Key) { Bytesub(State); Shift. Row(State); Add. Round. Key(State, Roundkey); } n 60
Rijandael Cipher continued 61
Three Steps of Decryption n initial XOR of the ciphertext with the sub-key has 9/11/13 rounds in which state undergoes: n Inv. Byte substitution (The same Inverse S-box used on every byte) n Inv. Shift rows(permute bytes between columns) n Inv. Mix columns (subs using matrix multiply of groups) n add round key (XOR state with separate sub-keys for each round) Incomplete last (i. e. 10/12/14 th) round (without Inv. Mix columns operation) 62
Pseudo Code for Decryption for the earlier rounds, and, for the last round Round(State, Round. Key) { Inv. Byte. Sub(State); Inv. Shift. Row(State); Inv. Mix. Column(State); Add. Round. Key(State, Roundkey); } n For the last round, it is a little different: Round(State, Round. Key) { Inv. Bytesub(State); Inv. Shift. Row(State); Add. Round. Key(State, Roundkey); n 63
Public Key/ Asymmetric Cryptography invented in 1976 by Whitfield Diffie and Martin Hellman n two keys: private (d), public (e) Both are mathematically related. REQUIREMENTS: Computationally infeasible n n to derive one key from the other; to find out the private key from a chosen plaintext attack much slower (about 1000 times) than secret key cryptography 64
public-key cryptography (continued) n public-key cryptography system requires n a trusted system for distributing public keys RSA (Rivest, Shamir and Adelman) Algorithm is well known for the public key system. APPLICATIONS n a digital signature system to authenticate that a message is really from whom it purports to be from n Pretty Good Privacy system, an e-mail system, uses the public key system for 65 security.
public-key cryptography (continued) 66
Asymmetric/Public Key Encryption A B’s public Encrypted Message key Internet Message B’s private Encrypted Message key B 67
public-key cryptography (continued) n Data transmission: private key(d), public key (e) 68
public-key cryptography (continued) Applications and Advantages: n Storage: for safety: use public key of trusted person n Secret vs. Public Key system: secret key system: needs secret key for every pair of persons, that wish to communicate n users n(n-1)/2 keys public key system: needs two keys for every person, who wants to communicate. n users 2 n keys 69
Digital certificate for getting Public Key reliably n A digital certificate from a trusted party may contain: n n n The name of a person His e-mail address His public key The recipient of the encrypted certificate uses the public key of the Certification Authority to decode the certificate. Examples of CAs: www. verisign. com or www. thawte. com (Verisign’s liability limited to $100 only!) Standard for certificate: X. 509 70
Digital signatures Digital Signatures: A is to sign a Msg and send it to B n A Msg Digest Algorithm Msg + Encoded Digest Encoding using Private key of A Msg + Encoded Digest Decode digest using Public key of A Digest Msg Digest Algorithm Digest Compare 71 B
Key management issues n n Distribution of keys for both symmetric and asymmetric cases is a challenge, when the two communicating parties are located at a distance. Certifying authorities, as mentioned earlier, help. But in view of the very limited liability, that the certifying authorities are ready to shoulder, it is not a complete solution. 72
Message/data Encryption Combines conventional and public-key encryption Recipient’s Session key Public key Encrypted session key Encrypt data Encrypted data 73
Message/data Encryption Combines conventional and public-key encryption Recipient’s Private key Session key Encrypted session key Decrypt Encrypted data Public-key encryption provides a secure channel to exchange symmetric encryption keys 74
Message Authentication Codes MAC: A sort of Hash function, which uses a key m: message (can be of any size) K: fixed-size symmetric key known to both the sender and receiver only MAC: of fixed size m MAC Function MAC Key 75
MAC’s for integrity Message Authentication code, adds a password/key to a hash data Mac Message MAC Password/key Only the password holder(s) can generate the MAC 76
MAC n A MAC function (also called a cryptographic checksum) n n n continued Need not be reversible. Many-to-one function MAC provides n n n Authentication and integrity If one more symmetric key is used, confidentiality can be provided. This separates authentication and confidentiality functionalities. 77
MAC n n continued Separation of Authentication and Confidentiality: This may be required in a system wherein authentication may be at the application layer, whereas confidentiality may be required at a lower layer (like at transport layer. ) Or the recipient organisation may check for authentication at the entry system. The confidentiality may be required up to the final host within the recipient organization. Does not provide signatures n The recipient can forge the message. n The sender can repudiate it. 78
HMAC: keyed Hashing for Message Authentication HMAC: An algorithm which uses a keyless hash function and a cryptographic key to develop a MAC Advantages: Hash functions are faster; no export controls on keyless hash functions. H: a keyless hash function Input: a block of b bytes Output: a hash of l bytes K: key no longer than b bytes K’: pad K, if required, so that K’ becomes b bytes long 79
HMAC (continued) ipad: a sequence of b bytes obtained by repeating the byte 0011 0110 opad: a sequence of b bytes obtained by repeating the byte 0101 1100 Definition of a HMAC-H function with a key K and message m: H(K, m) = H( (K’ XOR opad) ll H( (K’ XOR ipad) ll m) ) Reference: 1. M. Bellare, R. Kaneti and H. Krawczyk, ‘Keyed Hash Functions and Message Authentication, ’ Advances in Cryptology - Proceedings of CRYPTO ’ 96, PP. 1 -15 (1996) 2. H. Krawczyk, M. Bellare and R. Kaneti, ‘RFC 2104’, Feb 1997 80
Function for MAC n HMAC: n n n MD 5 or an SHA function may be used. Recommendation for a 128 bit security: SHA-256 MAC may also be obtained by using a block cipher and by throwing away all the blocks except the last block. This is called CBC-MAC. CBC: cipher block chaining method However if it is used, the key for encryption and the key for message authentication must be different. Secondly it would be slower than HMAC. 81
Authentication issues n If only the message between Alice and Bob is authenticated, n n Eve could store the message and send it later again. Or Eve could send the message from Alice -- back to Alice at some later time, spoofing it as a message from Bob. To avoid it, d = information like message number, sender address and receiver address etc may be concatenated with m before creating a MAC. If a protocol for time synchronization is being used by both the sender and the receiver, time in seconds after midnight at Greenwich may also be used. Alternatively a random number, called a nonce may also be usedfor the purpose. 82
Authentication issues n …. 2 Further problem: Version problem, which may increase the size of fields. Example: Alice sends the older version. Eve adds data to make it look to Bob as if Alice sent the new version. So version number has also to be added to d. RULE: Authentication at a higher layer only. 83
Cryptanalysis continued Cryptanalysis : It tries to locate the structures and patterns of the plaintext in the ciphertext. None of the cryptological methods can completely eliminate the patterns and structures of the plaintext in the ciphertext. Polyalphabetic cipher where the substitution differs from character to character in response to a key, which is n as long as the message, and which is, n truly random can eliminate such patterns. But the key? 84
Cryptanalysis Methods: Finding the Key Assumption: The hacker always knows the ciphertext and the encryption algorithm. More is the information available to a hacker Easier is the analysis for finding the Key TYPES OF ATTACKS: The type is dependent on the amount of INFORMATION available to a Hacker: 1. ciphertext only Analysis for key: Most difficult 2. Known plaintext-ciphertext pairs 3. Chosen plaintext-ciphertext pairs 4. Chosen ciphertext-plaintext pairs 5. Chosen text (both 3 and 4) Analysis for key: Easiest 85
Two Definitions n n UNCONDITIONALLY SECURE: An encryption algorithm for which no amount of ciphertext can make it possible for one to determine uniquely the corresponding plaintext. There is no such algorithm available. COMPUTATIONALLY SECURE: An encryption algorithm is said to be computationally secure if n n The cost of breaking the cipher is more than the intrinsic value of the information, or, the time required to break the cipher is more than the time over which the information is required to be 86 confidential.
Exhaustive Key Search Key Size 32 56 128 26 P No. of Possible keys 232 =4. 3 x 109 256 = 7. 2 x 1016 2128 = 3. 4 x 1038 26!=4 x 1026 Average Time at 1 decryption per microsecond 231= 35. 8 m 1142 y 5. 4 x 1024 y 4 x 1026 =6. 4 x 1012 y 87
Large numbers and computational security -as worked out by Dr Lawrie Brown n It can be shown from energy consumption considerations that the maximum number of possible elementary operations in 1000 years is about: 3 x 1048. Similarly if 10 atoms are needed to store a bit of information, the greatest possible number of bits storable in a volume of say the moon is: 1045. If for deciphering a cipher requires more operations than 3 x 1048, or needs more storage than 1045, it is pretty reasonable to say it is computationally secure. Reference: Notes of Dr Lawrie Brown, Australian Defence Force Academy available at http: //www. williamstallings. com/Crypto 3 e. html 88
Exhaustive Key Search n (continued) A calculation in 1995 showed that: n n 56 -bit key broken in 1 week with 120, 000 processors ($6. 7 M); 56 -bit key broken in 1 month with 28, 000 processors ($1. 6 M); 64 -bit key broken in 1 week with 3. 1 x 107 processors ($1. 7 B); 128 -bit key broken in 1 week with 5. 6 x 1026 processors 89
Brute Force Cryptoanalysis n n n 1999: 56 -bit key broken in 22. 5 h with 1, 800 chips ($250, 000) (245 109 keys/s, or 4. 08 microsecond for one key -- see eff. org); helped by distributed. net 1998: 56 -bit key broken, on dedicated h/w, in a few days 1997: 56 -bit key broken, by using a large number of machines in parallel on the Internet, in a few months 90
Birthday paradox n A result from probability theory: Consider an element that has an equal probability of assuming any one of the N values. The probability of a collision is more than 50% after choosing 1. 2√N values. Random input Function One of k equally likely values The same output can be expected after 1. 2 k 1/2 inputs. Thus in a group of 23, two or more persons are likely to share the same birthday. (Put k = 365) Birthday attacks are used to find collisions of Hash functions 91
Birthday Bound n n A 64 bit key has 264 = 18 x 1018 different key values. But 232 = 4. 3 x 109 A Key is selected at random. So after seeing 1. 2 x 232 transactions, a hacker can expect the same key to be used. For an n-bit case, 2 n/2 is called the Birthday Bound 92
Example of a Birthday Attack Assume n A 64 bit key n The first statement in a message is always the same. A hacker n listens to and stores all encrypted messages. n When the FIRST encrypted sentence turns out to be the same, he replaces the rest of the new message by the old message, that he has in his memory. By Birthday Paradox, this is likely to happen after 232 transactions. 93
Example of a “Meet in the Middle” attack n n Generate 232 keys. Store encrypted messages of the first sentence. Compare the first sentence of every encrypted message on the net with each of the stored messages. On getting a match, the Hacker knows the key. So he can now replace the remaining message by whatever he wants. 94
- He who defends everything defends nothing
- Nothing but nothing leaves nothing
- Paul defends his role as a true apostle of
- Everything is nothing
- Words means nothing
- Nothing ___ nothing gained
- The way my mother speaks carol ann duffy annotated
- Alesha dixon he does nothing
- What's maycomb usual disease
- Defend
- Fire sponge classification
- Decide and defend
- Defend challenge qualify
- How do sponges defend themselves
- How do animals defend themselves
- Decide and defend
- Defend
- William b travis
- Decide and defend
- Defend
- Defend from license audits
- Why is it important to defend your faith
- Lord i lift everything to you
- Food chain begins with
- What is everything made of
- Computer science is changing everything
- In everything give thanks to the lord
- Data-to-everything
- Everything you need to know about the odyssey
- How everything
- Everything that can be invented has been invented
- Anything that has mass and volume.
- Does everything fall at the same speed
- Everything about chemical engineering
- Lesson 3 : everything begins with cells
- Pumpkin spice communion wafers
- Tag questions
- Mobile crane hand signals
- Where is everything
- Fnet formula
- Marketing is everything
- Tag question everything
- God see everything
- Everything's an argument chapter 13
- Everything around you is made up of
- Not everything that counts can be counted meaning
- Resurrection changes everything
- 100 similes
- Arnold wesker chips with everything
- Hindu beliefs about god
- Everything finder
- R alliteration
- God does everything for our good story
- How everything
- Are atoms in everything
- How grieve everything we
- The avalanche devoured everything in its path
- Put everything together
- Is everything relative
- We will not be moved you're standing with us
- Knowing is good knowing everything is better
- Look at the bed
- Everything that lives and moves will be food for you
- Put everything away
- Behold i make everything new
- Everything that surrounds an organism
- What does material mean
- Does everything fall at the same speed
- Checklists for everything
- Biological perspective drawing
- Everything has been invented
- Technique is everything
- What is the answer to life the universe and everything
- Tag question everything
- Section ecosystems everything is connected
- Everything toolbar
- Jesus you are my lord jesus you are my everything
- Be happy not because everything is good
- What is everything made of
- Everything around you is made up of
- Under my wings everything prospers
- God saw everything he made and it was good
- Matter is anything that
- Everything's an argument chapter 17
- Quotes attitude is everything
- What does that mean
- Holy lord hinges
- Where is everything
- Steven johnson everything bad is good for you
- What happened is everything ok
- How to put god first in everything you do
- Macklemore song about basketball shoes
- Everything's an argument chapter 1
- Attitude changes everything
- Everything psychological is simultaneously biological