Network Security & Cryptography
HIMANSHU GUPTA, FACULTY MEMBER, AMITY UNIVERSITY, NOIDA
Differential Cryptanalysis & Linear Cryptanalysis
Differential Cryptanalysis
• Differential cryptanalysis was first published by Murphy (against the FEAL cipher) and was then followed by a number of papers by Biham and Shamir, who demonstrated this form of attack on a variety of encryption algorithms and hash functions.
• Differential cryptanalysis is the first published attack capable of breaking DES in less than 2^55 encryptions (the expected cost of an exhaustive search of the 56-bit key).
Contd…
• This scheme can successfully cryptanalyze DES with an effort on the order of 2^47 chosen plaintexts.
• Although differential cryptanalysis is a powerful tool, it does not do very well against DES: the IBM design team already knew the technique in 1974 and chose the S-boxes and permutations to resist it.
Linear Cryptanalysis
• Linear cryptanalysis (Matsui, 1993) is based on finding linear approximations that describe the transformations performed in DES.
• Linear cryptanalysis can find a DES key given 2^43 known plaintexts, as compared to the 2^47 chosen plaintexts needed for differential cryptanalysis.
Contd….
• Linear cryptanalysis is a minor improvement, because it may be easier to acquire known plaintext than chosen plaintext.
• Linear cryptanalysis is still infeasible as a practical attack on DES; what breaks DES in practice is its 56-bit key, which is exhaustively searchable.
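As an added worked example (my own code, not part of the original lecture slides), the following Python builds the two tables on which these attacks rest, for one 4-bit S-box: the difference distribution table that differential cryptanalysis searches for high-probability input/output differences, and the linear approximation table that linear cryptanalysis searches for strongly biased linear relations. The S-box is the first row of DES S-box S1 (the one used in Heys's well-known tutorial); the function names and the choice to report only the best entries are mine.

```python
# Added example: difference distribution table (DDT) and linear approximation
# table (LAT) for a 4-bit S-box. The S-box is the first row of DES S1.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
N = 16  # 4-bit inputs and outputs


def ddt(sbox=SBOX):
    """DDT[dx][dy] = number of inputs x with S(x) ^ S(x ^ dx) == dy.
    Differential cryptanalysis looks for large entries with dx != 0:
    the differential dx -> dy then holds with probability entry/N."""
    table = [[0] * N for _ in range(N)]
    for dx in range(N):
        for x in range(N):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def parity(v):
    return bin(v).count("1") & 1


def lat(sbox=SBOX):
    """LAT[a][b] = (#x with parity(a & x) == parity(b & S(x))) - N/2.
    The relation a.x = b.S(x) (bit masks a, b) holds with probability
    1/2 + LAT[a][b]/N; linear cryptanalysis exploits large |LAT[a][b]|."""
    table = [[0] * N for _ in range(N)]
    for a in range(N):
        for b in range(N):
            agree = sum(parity(a & x) == parity(b & sbox[x]) for x in range(N))
            table[a][b] = agree - N // 2
    return table


def best_differential(sbox=SBOX):
    """Highest-count nontrivial differential as (dx, dy, count)."""
    t = ddt(sbox)
    return max(((dx, dy, t[dx][dy]) for dx in range(1, N) for dy in range(N)),
               key=lambda e: e[2])


def best_linear_approximation(sbox=SBOX):
    """Nontrivial (a, b, bias_numerator) with the largest |bias|."""
    t = lat(sbox)
    return max(((a, b, t[a][b]) for a in range(1, N) for b in range(1, N)),
               key=lambda e: abs(e[2]))


if __name__ == "__main__":
    dx, dy, cnt = best_differential()
    print(f"best differential: {dx:X} -> {dy:X} with probability {cnt}/{N}")
    a, b, bias = best_linear_approximation()
    print(f"best linear approximation: masks {a:X} -> {b:X}, bias {bias}/{N}")
```

For this S-box the input difference B hex maps to output difference 2 hex for 8 of the 16 inputs (probability 1/2), and the relation X2 ⊕ X3 = Y1 ⊕ Y3 ⊕ Y4 (masks 6 and B hex, numbering bits from the most significant) holds for 12 of 16 inputs, a bias of +1/4. Chaining such single-S-box entries through the rounds is what gives the 2^47 and 2^43 data requirements quoted above for full DES.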
Block cipher modes of operation
Electronic Codebook (ECB) Mode
• In ECB mode, we divide the long message into 64-bit blocks and encrypt each block separately.
• The encryption of each block is independent of the other blocks, so identical plaintext blocks produce identical ciphertext blocks under the same key.
• The problem with ECB mode is exactly this independence of the 8-byte blocks: patterns in the plaintext show through in the ciphertext.
• It also means that Eve can exchange two ciphertext blocks; Bob would not notice the change if both blocks belong to the same message, because every block still decrypts correctly.
ECB MODE (figure)
Cipher Block Chaining (CBC) Mode
• In CBC mode, the encryption (or decryption) of a block depends on all previous blocks.
• To encrypt the second plaintext block, we first XOR it with the first ciphertext block and then pass the result through the encryption process.
• The situation for the first block is different because there is no previous block; hence a 64-bit random number, called the initialization vector (IV), is used. The IV is sent with the data so that the receiver can use it in decryption.
CBC MODE (figure)
Cipher Feedback (CFB) Mode
• CFB mode was created for those situations in which we need to send or receive data 1 byte at a time but still want to use DES (or Triple DES). The solution is to make the n-th ciphertext byte depend on the n-th plaintext byte and on the previous 8 ciphertext bytes, which are held in a shift register and fed back into the block encryption to produce the next key byte.
CFB MODE (figure)
Cipher Stream Mode (CSM)
• To encrypt or decrypt 1 bit at a time and at the same time be independent of the previous bits, we can use CSM (the mode other texts call output feedback, OFB).
• In CSM, data are XORed bit by bit with a long, one-time bit stream that is generated from an initialization vector by repeatedly encrypting the previous encryption output.
• Each pass through the loop generates a 64-bit sequence that is XORed with the plaintext to create the ciphertext; because the key stream does not depend on the data, the IV must never be reused under the same key.
CSM MODE (figure)
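The four modes above, as an added runnable example (my code, not taken from the slides or from any library). A real deployment would use DES, Triple DES or AES for the block operation; here a small Feistel construction built on SHA-256 stands in for the block cipher (an assumption of this example: it is an invertible keyed permutation on 64-bit blocks, which is all the mode logic needs, but it is not a secure cipher). The demo function shows the two ECB problems from the slide, identical blocks leaking and Eve's undetected block swap, and that CBC hides the repetition.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, as in DES

# Toy 64-bit block cipher (assumption: a stand-in for DES, NOT secure). Four
# Feistel rounds with a SHA-256-based round function give an invertible keyed
# permutation, which is all the modes below need from the block cipher.
def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right

def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

# --- Modes of operation (plaintext length a multiple of 8 for ECB/CBC) -----
def ecb_encrypt(key, pt):
    return b"".join(toy_encrypt_block(key, b) for b in blocks(pt))

def ecb_decrypt(key, ct):
    return b"".join(toy_decrypt_block(key, b) for b in blocks(ct))

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in blocks(pt):
        prev = toy_encrypt_block(key, xor(b, prev))   # chain previous ciphertext
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)

def cfb8_encrypt(key, iv, pt):
    # 8-bit CFB: the shift register holds the last 8 ciphertext bytes (IV first)
    out, reg = bytearray(), iv
    for p in pt:
        c = toy_encrypt_block(key, reg)[0] ^ p
        out.append(c)
        reg = reg[1:] + bytes([c])
    return bytes(out)

def cfb8_decrypt(key, iv, ct):
    out, reg = bytearray(), iv
    for c in ct:
        out.append(toy_encrypt_block(key, reg)[0] ^ c)
        reg = reg[1:] + bytes([c])
    return bytes(out)

def ofb_crypt(key, iv, data):
    # Output feedback (Forouzan's "cipher stream mode"): the key stream never
    # depends on the data, so encryption and decryption are the same operation.
    out, state = [], iv
    for b in blocks(data):
        state = toy_encrypt_block(key, state)
        out.append(xor(b, state))
    return b"".join(out)

def ecb_block_swap_demo(key=b"demo-key", iv=bytes(BLOCK)):
    """Constructed plaintext: three 8-byte records, the first two identical."""
    pt = b"PAY:0100" + b"PAY:0100" + b"PAY:9999"
    ecb, cbc = ecb_encrypt(key, pt), cbc_encrypt(key, iv, pt)
    swapped = ecb[16:24] + ecb[8:16] + ecb[0:8]            # Eve reorders blocks
    return {
        "ecb_leaks_equal_blocks": ecb[0:8] == ecb[8:16],
        "cbc_hides_equal_blocks": cbc[0:8] != cbc[8:16],
        "ecb_swap_decrypts_cleanly":
            ecb_decrypt(key, swapped) == b"PAY:9999PAY:0100PAY:0100",
    }
```

Note that none of these modes detects Eve's tampering: CBC merely garbles the swapped blocks instead of reordering them cleanly. Integrity needs a MAC (see HMAC later in the deck) or an authenticated mode on top of encryption.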
Contemporary Symmetric Ciphers
Blowfish Algorithm
• Blowfish is a symmetric block cipher developed by Bruce Schneier (1993).
• Blowfish encrypts 64-bit blocks of plaintext into 64-bit blocks of ciphertext.
• Blowfish is implemented in numerous products, and no practical break of the full cipher is known. Its 64-bit block size is now its main weakness: after about 2^32 blocks under one key, birthday collisions between ciphertext blocks start to leak plaintext (the basis of the 2016 Sweet32 attack on 64-bit block ciphers), and Schneier himself has recommended moving to 128-bit-block ciphers such as Twofish or AES.
Characteristics of Blowfish
• Fast: Blowfish encrypts data on a 32-bit microprocessor at a rate of 18 clock cycles per byte.
• Compact: Blowfish can run in less than 5K of memory.
• Simple: Blowfish's simple structure is easy to implement and eases the task of determining the strength of the algorithm.
• Variably secure: the key length is variable and can be as long as 448 bits. This allows a trade-off between higher speed and higher security.
Subkey and S-Box Generation
• Blowfish makes use of a key that ranges from 32 bits to 448 bits. That key is used to generate eighteen 32-bit subkeys and four 8×32 S-boxes containing a total of 1024 32-bit entries.
• The key is stored as 32-bit words in a K-array: K1, K2, K3, …, Kj, where 1 ≤ j ≤ 14.
• The subkeys are stored in the P-array: P1, P2, P3, …, P18.
• There are four S-boxes, each with 256 32-bit entries:
  S1,0, S1,1, S1,2, …, S1,255
  S2,0, S2,1, S2,2, …, S2,255
  S3,0, S3,1, S3,2, …, S3,255
  S4,0, S4,1, S4,2, …, S4,255
Algorithm
1. Initialize first the P-array and then the four S-boxes, in order, using the bits of the fractional part of the constant π.
2. Perform a bitwise XOR of the P-array and the K-array, cycling through K as needed. For example, with a 14-word key: P1 = P1 ⊕ K1, P2 = P2 ⊕ K2, …, P14 = P14 ⊕ K14, P15 = P15 ⊕ K1, …, P18 = P18 ⊕ K4.
3. Encrypt the 64-bit block of all zeros using the current P-array and S-boxes, and replace P1 and P2 with the output of the encryption.
4. Encrypt the output of step 3 using the current P and S arrays and replace P3 and P4 with the resulting ciphertext.
5. Continue this process to update all elements of P and then, in order, all entries of the four S-boxes. In total 521 encryptions are needed, which is why Blowfish key setup is slow (a property that also slows down brute-force key search).
Encryption and Decryption
• Blowfish uses two primitive operations:
  • Addition of words, denoted by +, performed modulo 2^32.
  • Bitwise exclusive-OR, denoted by ⊕.
• The round function F splits its 32-bit input into four bytes a, b, c, d and computes F = ((S1,a + S2,b) ⊕ S3,c) + S4,d. Sixteen Feistel rounds are used, each XORing the left half with one P-array entry before applying F; decryption is the same process with the P-array entries used in reverse order.
CAST-128 Algorithm
• CAST-128 (RFC 2144) is a DES-like substitution-permutation network cryptosystem, employing a 128-bit key and operating on a 64-bit block. CAST-256 is an extension of CAST-128 using a 128-bit block.
• The CAST-128 encryption algorithm has been designed to allow a key size which can vary from 40 bits to 128 bits, in 8-bit increments (that is, the allowable key sizes are 40, 48, 56, 64, …, 112, 120, and 128 bits).
Contd……
• For key sizes up to and including 80 bits (i.e., 40, 48, 56, 64, 72, and 80 bits), the algorithm is exactly as specified but uses 12 rounds instead of 16.
• For key sizes greater than 80 bits, the algorithm uses the full 16 rounds.
• For key sizes less than 128 bits, the key is padded with zero bytes (in the rightmost, or least significant, positions) out to 128 bits, since the CAST-128 key schedule assumes an input key of 128 bits.
CAST-128 Algorithm (round functions)
• CAST-128 uses a pair of subkeys per round: a 5-bit quantity Kri is used as a "rotation" key for round i and a 32-bit quantity Kmi is used as a "masking" key for round i.
• Three different round functions are used in CAST-128. The rounds are as follows (where D is the data input to the operation, Ia to Id are the most significant byte through least significant byte of I, respectively, Si is the i-th S-box and O is the output of the operation). Note that "+" and "-" are addition and subtraction modulo 2^32, "^" is bitwise exclusive-OR, and "<<<" is the circular left-shift operation.
  Type 1: I = ((Kmi + D) <<< Kri)
          O = ((S1[Ia] ^ S2[Ib]) - S3[Ic]) + S4[Id]
  Type 2: I = ((Kmi ^ D) <<< Kri)
          O = ((S1[Ia] - S2[Ib]) + S3[Ic]) ^ S4[Id]
  Type 3: I = ((Kmi - D) <<< Kri)
          O = ((S1[Ia] + S2[Ib]) ^ S3[Ic]) - S4[Id]
• Let f1, f2, f3 be keyed round function operations of Types 1, 2, and 3 (respectively) above. Rounds 1, 4, 7, 10, 13 and 16 use f1; rounds 2, 5, 8, 11 and 14 use f2; rounds 3, 6, 9, 12 and 15 use f3. CAST-128 uses four round-function substitution boxes (S-boxes), S1 to S4, each mapping an 8-bit input to a 32-bit output.
RC2 Algorithm
• RC2 is a 64-bit block cipher using variable-sized keys, designed by Ron Rivest as a drop-in replacement for DES. RSA Data Security originally kept the design a trade secret and licensed it to many companies for use in their products; the algorithm was posted anonymously in 1996 and formally published as RFC 2268 in 1998.
• RC2 is a conventional (secret-key) block encryption algorithm, which may be considered as a proposal for a DES replacement. The input and output block sizes are 64 bits each. The key size is variable, from one byte up to 128 bytes.
• The algorithm is designed to be easy to implement on 16-bit microprocessors. On an IBM AT, the encryption runs about twice as fast as DES.
Algorithm Description (notation of RFC 2268)
• The term "word" denotes a 16-bit quantity. The symbol + denotes two's-complement addition. The symbol & denotes the bitwise "and" operation. The term XOR denotes the bitwise "exclusive-or" operation. The symbol ~ denotes bitwise complement. The symbol ^ denotes exponentiation. The term MOD denotes the modulo operation.
• Because the algorithm deals with eight-bit byte operations as well as 16-bit word operations, two alternative notations are used for the key buffer. For word operations, the positions of the buffer are K[0], …, K[63], each K[i] a 16-bit word. For byte operations, the key buffer is L[0], …, L[127], each L[i] an eight-bit byte. These are alternative views of the same data buffer; at all times it holds that K[i] = L[2*i] + 256*L[2*i+1] (little-endian words).
RC5 Algorithm
• RC5 is a block cipher supporting a variety of block sizes, key sizes, and numbers of encryption passes (rounds) over the data.
• RC5 is a family of algorithms designed by Ron Rivest of RSA Data Security that can take on a variable block size, key size, and number of rounds; a particular member is written RC5-w/r/b.
• The block size is generally dependent on the word size of the machine the particular version of RC5 was designed to run on; on 32-bit processors (with 32-bit words), RC5 generally has a 64-bit block size.
Contd….
• David Wagner, John Kelsey, and Bruce Schneier have found weak keys in RC5, with the probability of selecting a weak key being 2^(-10r), where r is the number of rounds.
• Knudsen has also found a differential attack on RC5, which is described in RSA's RC5 document.
Characteristics of RC5
• Suitable for hardware or software.
• Fast.
• Adaptable to processors of different word length.
• Variable number of rounds.
• Variable-length key.
• Simple.
• Low memory requirement.
• High security.
• Data-dependent rotation.
Parameters of RC5
  Sr. No.  Parameter  Definition                                      Allowable values
  1.       w          Word size in bits; RC5 encrypts 2-word blocks   16, 32, 64
  2.       r          Number of rounds                                0, 1, 2, …, 255
  3.       b          Number of 8-bit bytes in the secret key K       0, 1, 2, …, 255
Encryption in RC5 Algorithm
• The plaintext is assumed initially to reside in two w-bit registers A and B. LEi and REi refer to the left and right halves of the data after round i has completed. Both halves of the data are updated in each round; thus one round of RC5 is equivalent to two rounds of DES.
• The algorithm can be defined by the following pseudocode, where S[0..2r+1] is the expanded key table produced from K by the key schedule:
    LE0 = A + S[0];
    RE0 = B + S[1];
    for i = 1 to r do
        LEi = ((LEi-1 ⊕ REi-1) <<< REi-1) + S[2*i];
        REi = ((REi-1 ⊕ LEi) <<< LEi) + S[2*i + 1];
Decryption in RC5 Algorithm
• In this case, the 2w bits of ciphertext are initially assigned to the two one-word variables LDr and RDr; LDi and RDi refer to the left and right halves of the data before round i has begun.
• The algorithm can be defined by the following pseudocode:
    for i = r downto 1 do
        RDi-1 = ((RDi − S[2*i + 1]) >>> LDi) ⊕ LDi;
        LDi-1 = ((LDi − S[2*i]) >>> RDi-1) ⊕ RDi-1;
    B = RD0 − S[1];
    A = LD0 − S[0];
Characteristics of Advanced Symmetric Block Ciphers
• Variable key length: the strength of a cipher against exhaustive search is determined by its key length; the longer the key, the longer a brute-force key search takes. Blowfish and RC5 provide a variable key length.
• Mixed operators: the use of more than one arithmetic and/or Boolean operator complicates cryptanalysis.
• Data-dependent rotation: it provides excellent confusion and diffusion and makes recovery of the subkeys even more difficult (RC5).
• Key-dependent S-boxes: large S-boxes should yield highly nonlinear results and should be very difficult to cryptanalyze. Blowfish uses key-dependent S-boxes.
• Lengthy key-schedule algorithm: the generation of subkeys takes much longer than a single encryption or decryption, which slows down brute-force key search.
Contd…
• Variable plaintext/ciphertext block length: a longer block length yields greater cryptographic strength (RC5).
• Variable number of rounds: this allows a trade-off between security and execution speed; an increase in the number of rounds increases the encryption/decryption time (RC5).
• Operation on both data halves each round: security can be increased with a minimal increase in execution time (Blowfish and RC5).
• Variable F: the use of a round function F that varies from round to round may complicate cryptanalysis (CAST-128).
• Key-dependent rotation: a rotation can be used that depends on the key rather than on the data (CAST-128).
Elliptic Curve Cryptography
• Elliptic curves are described by cubic equations of the form y² = x³ + ax + b, with 4a³ + 27b² ≠ 0 so that the curve has no singular points; for cryptography the coordinates are taken modulo a prime p (or in GF(2^m)).
• The addition operation in ECC is the counterpart of modular multiplication in RSA, and repeated addition (scalar multiplication kP) is the counterpart of modular exponentiation.
ECC Principle
• If Q = kP and Q and P are known, it is "infeasible" to find k. This is called the discrete logarithm problem for elliptic curves.
• If n is the order of the point P, we can find ke and kd with kd·ke ≡ 1 (mod n), so that kd(ke P) = P: applying ke and then kd brings a point back to itself.
• The message can be represented in the form of a point M on the elliptic curve.
ECC (cont'd): encryption with the shared secret kA,d·kB,d·P (ElGamal-style)
• Public: the curve, the base point P, and the public keys KA,e = kA,d·P and KB,e = kB,d·P.
• B (private key kB,d) encodes the message m as a curve point M and sends A the pair
    (Q, R) = (M + kB,d·KA,e,  kB,d·P).
• A (private key kA,d) receives (Q, R) and calculates
    Q − kA,d·R = M + kB,d·kA,d·P − kA,d·kB,d·P = M.
Security of ECC
• Security rests on the degree of difficulty of determining k given Q and P.
• The fastest known technique for the elliptic curve discrete logarithm on well-chosen curves is the Pollard rho method, which needs about √n group operations, where n is the order of P.
• A smaller key size can therefore be used for ECC compared to RSA at the same security level, which is a computational advantage of ECC.
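The curve arithmetic and the encryption scheme above, as an added example (my code, not from the slides). The curve is E23(1,1): y² = x³ + x + 1 mod 23, a textbook toy; the base point, the private keys and the message point are constructed for the example, and a real system would use a standardized curve over a prime of 256 bits or more. The same addition law, scalar multiplication and "add, then subtract the shared secret" logic apply unchanged there.

```python
# Added example: elliptic-curve arithmetic over a prime field, the encryption
# (Q, R) = (M + kB*KA, kB*P) with recovery M = Q - kA*R, and the inverse
# scalar pair kd*ke = 1 mod n. Toy curve: y^2 = x^3 + x + 1 mod 23.
import math
from dataclasses import dataclass

INF = None   # the point at infinity, the identity of the group


@dataclass(frozen=True)
class Curve:
    a: int
    b: int
    p: int

    def on_curve(self, pt):
        if pt is INF:
            return True
        x, y = pt
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def add(self, P, Q):
        """Chord-and-tangent addition with the standard formulas."""
        if P is INF:
            return Q
        if Q is INF:
            return P
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return INF                                    # P + (-P) = O
        if P == Q:                                        # tangent: doubling
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)
        else:                                             # chord through P, Q
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        y3 = (lam * (x1 - x3) - y1) % self.p
        return (x3, y3)

    def neg(self, P):
        return INF if P is INF else (P[0], (-P[1]) % self.p)

    def mul(self, k, P):
        """Scalar multiplication k*P by double-and-add."""
        R = INF
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

    def order(self, P):
        """Smallest n > 0 with n*P = O (brute force; fine for a toy curve)."""
        n, R = 1, P
        while R is not INF:
            R = self.add(R, P)
            n += 1
        return n


E23 = Curve(a=1, b=1, p=23)
G = (3, 10)                      # base point on E23(1,1), constructed choice


def ec_encrypt(curve, base, M, kB_private, KA_public):
    """B sends (Q, R) = (M + kB*KA, kB*P)."""
    return curve.add(M, curve.mul(kB_private, KA_public)), curve.mul(kB_private, base)


def ec_decrypt(curve, Q, R, kA_private):
    """A computes Q - kA*R, which equals M."""
    return curve.add(Q, curve.neg(curve.mul(kA_private, R)))


def inverse_pair_demo(curve=E23, base=G):
    """With n the order of the base point and kd*ke = 1 mod n, kd*(ke*P) = P."""
    n = curve.order(base)
    ke = next(k for k in range(2, n) if math.gcd(k, n) == 1)
    kd = pow(ke, -1, n)
    return curve.mul(kd, curve.mul(ke, base)) == base
```

Two checks worth keeping in any real implementation are visible here: every point received from the other party must be verified to lie on the curve before it is multiplied by a private scalar (otherwise invalid-curve attacks leak the key), and scalar multiplication as written branches on key bits, which is exactly the kind of data-dependent timing the later timing-attack slide warns about.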
Confidentiality Using Symmetric Encryption
Placement of Encryption Function
• If encryption is to be used to counter attacks on confidentiality, it must be decided what to encrypt and where the encryption function should be located.
• There are two fundamental alternatives: link encryption and end-to-end encryption.
(A) Link Encryption
• In link encryption, each vulnerable communication link is equipped on both ends with an encryption device.
• All the potential links in a path from source to destination must use link encryption.
• Each pair of nodes that share a link should have a unique key, with a different key used on each link.
• In link encryption, each key must be distributed to only two nodes.
• All traffic over all communication links is secured, headers included. The price is that the message must be decrypted at every intermediate node (packet switch) so that it can be routed, so it is exposed in the clear inside each node along the path.
(B) End-to-end Encryption
• In end-to-end encryption, the encryption process is carried out at the two end systems.
• The source host or terminal encrypts the data. The data in encrypted form are then transmitted unaltered across the network to the destination terminal or host.
• The destination shares a key with the source and so is able to decrypt the data.
• End-to-end encryption relieves the end user of concern about the degree of security of the networks and links that support the communication. However, only the user data can be encrypted: the packet headers must stay in the clear for the network to route the packets, so the traffic pattern (who talks to whom, and how much) remains visible unless link encryption is used as well.
Message Digest Algorithm MD5
• The MD5 message digest algorithm was developed by Ron Rivest (RFC 1321, 1992).
• Until both brute-force and cryptanalytic concerns arose, MD5 was the most widely used secure hash algorithm. It is now considered broken for collision resistance (see "Strength of MD5" below) and must not be used for signatures or certificates.
• The MD5 algorithm takes as input a message of arbitrary length and produces as output a 128-bit message digest. The input is processed in 512-bit blocks.
MD5 Operation
The processing of MD5 consists of the following steps:
Ø Step 1: Append padding bits. The message is padded so that its length in bits is congruent to 448 modulo 512. Padding is always added, even if the message is already of the desired length; for example, if the message is 448 bits long, it is padded by 512 bits to a length of 960 bits. Thus the number of padding bits is in the range 1 to 512. The padding consists of a single 1 bit followed by the necessary number of 0 bits.
Ø Step 2: Append length. A 64-bit representation of the length in bits of the original message is appended to the result of step 1. The field contains the length of the original message modulo 2^64.
Contd….
Ø Step 3: Initialize MD buffer. A 128-bit buffer is used to hold intermediate and final results of the hash function. The buffer can be represented as four 32-bit registers (A, B, C, D), initialized to fixed constants.
Ø Step 4: Process message in 512-bit blocks. The heart of the algorithm is a compression function that consists of four "rounds" of processing; this module is labeled HMD5. The four rounds have a similar structure, but each uses a different primitive logical function. Each round takes as input the current 512-bit block being processed and the 128-bit buffer value and updates the contents of the buffer. The output of the fourth round is added, register by register modulo 2^32, to the input to the first round (CVq) to produce CVq+1.
Ø Step 5: Output. After all L 512-bit blocks have been processed, the output from the L-th stage is the 128-bit message digest.
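Steps 1 to 5 as an added, runnable example (my own implementation, not the slides' or RFC 1321's reference code), checked against Python's hashlib. The per-step rotation amounts, the constants T[i] = floor(2^32 · |sin(i+1)|), the four logical functions and the message-word orders are those of RFC 1321.

```python
# Added example: MD5 from the five steps above, verified against hashlib.
import hashlib
import math
import struct

M32 = 0xFFFFFFFF
# Per-step left-rotation amounts (16 per round) and additive constants T[i].
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
T = [int(abs(math.sin(i + 1)) * 2 ** 32) & M32 for i in range(64)]
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)   # step 3: initial buffer


def md5_pad(message: bytes) -> bytes:
    """Steps 1 and 2: a 1 bit, then 0 bits up to 448 mod 512, then the 64-bit
    little-endian bit length of the original message (modulo 2^64)."""
    bit_len = (len(message) * 8) & 0xFFFFFFFFFFFFFFFF
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack("<Q", bit_len)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & M32


def md5_compress(cv, block: bytes):
    """Step 4: H_MD5 on one 512-bit block, four rounds of 16 steps, each round
    with its own logical function and order of message words."""
    a, b, c, d = cv
    X = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, k = (b & c) | (~b & d), i                   # F, words in order
        elif i < 32:
            f, k = (d & b) | (~d & c), (5 * i + 1) % 16    # G
        elif i < 48:
            f, k = b ^ c ^ d, (3 * i + 5) % 16             # H
        else:
            f, k = c ^ (b | ~d), (7 * i) % 16              # I
        f = (f + a + X[k] + T[i]) & M32
        a, d, c, b = d, c, b, (b + _rotl(f, S[i])) & M32
    # CV_{q+1} = CV_q + output of round 4, addition modulo 2^32 per register
    return tuple((x + y) & M32 for x, y in zip(cv, (a, b, c, d)))


def md5(message: bytes) -> bytes:
    cv = IV
    data = md5_pad(message)
    for off in range(0, len(data), 64):
        cv = md5_compress(cv, data[off:off + 64])
    return struct.pack("<4I", *cv)                         # step 5: 128-bit digest


def matches_hashlib(message: bytes) -> bool:
    return md5(message) == hashlib.md5(message).digest()
```

The padding function shows the slide's worked case directly: a 56-byte (448-bit) message is padded with a full extra 512 bits before the length field, so the padded input is 128 bytes, two blocks.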
Strength of MD5
• The MD5 algorithm has the property that every bit of the hash code is a function of every bit in the input. The complex repetition of the basic functions produces results that are well mixed.
Ø Using differential cryptanalysis, Berson found two messages that produce the same digest for a single round of MD5 in reasonable time, but was not able to generalize the attack to the four-round MD5.
Ø A more serious attack on MD5 was developed by Dobbertin (1996); his technique enables the generation of collisions for the MD5 compression function. Wang et al. then produced collisions for full MD5 in 2004, and chosen-prefix collisions have since been used to forge certificates, so MD5 is unsuitable wherever collision resistance is required. Hence there was a need to replace the popular MD5 with a hash function that has a longer hash code and is more resistant to known methods of cryptanalysis. Two alternatives became popular: SHA-1 and RIPEMD-160.
SHA-1 Algorithm
• SHA-1 was developed by the NSA for NIST as part of the Secure Hash Standard (SHS, FIPS 180).
• SHA-1 is similar in design to MD4.
• The original published algorithm, known as SHA (today called SHA-0), was modified by the NSA to protect against an unspecified attack; the updated algorithm is named SHA-1.
• It produces a 160-bit digest, which was expected to be large enough to protect against "birthday" attacks, where two different messages are found that produce the same digest, for the next decade. That expectation has since failed: practical SHA-1 collisions were demonstrated in 2017 (the SHAttered attack), and SHA-1 is deprecated for signatures in favour of SHA-2 and SHA-3.
RIPEMD-160 Algorithm
• RIPEMD and its successors were developed by the European RIPE project.
• The original RIPEMD algorithm was then strengthened and renamed RIPEMD-160.
• RIPEMD-160 is a 160-bit cryptographic hash function, designed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel.
• It is intended to be used as a secure replacement for the 128-bit hash functions MD4, MD5, and RIPEMD.
There are three good reasons to consider such a replacement:
Ø A 128-bit hash result does not offer sufficient protection anymore. A brute-force collision search attack on a 128-bit hash result requires about 2^64 evaluations of the function.
Ø Hans Dobbertin produced in the fall of 1995 collisions for (all 3 rounds of) MD4. He also found collisions for the compression function of MD5. RSA Data Security, for which Ron Rivest developed MD4 and MD5, recommends that MD4 should no longer be used, and that MD5 should not be used for future applications that require the hash function to be collision-resistant.
Ø At the rump session of Crypto 2004 it was announced that Xiaoyun Wang, Dengguo Feng, Xuejia Lai and Hongbo Yu had found collisions for MD4, MD5, RIPEMD, and the 128-bit version of HAVAL. (At the time no details of the attack were public; the full paper followed in 2005.)
Comparison between various algorithms (cycles per 512-bit block; the throughput figures correspond to a 90 MHz processor)
  Algorithm    cycles   Mbit/sec   Mbyte/sec   relative performance
  MD4           241     191.2      23.90       1.00
  MD5           337     136.7      17.09       0.72
  RIPEMD        480      96.0      12.00       0.50
  RIPEMD-128    592      77.8       9.73       0.41
  SHA-1         837      55.1       6.88       0.29
  RIPEMD-160   1013      45.5       5.68       0.24
HMAC
• HMAC is a Message Authentication Code built from a cryptographic hash function and a secret key (RFC 2104).
• HMAC has been chosen as the mandatory-to-implement MAC for IP security (IPsec).
• HMAC is used in other Internet protocols, such as SSL/TLS.
HMAC Design Objectives
• To use available hash functions without modification, in particular hash functions that perform well in software and for which code is freely and widely available.
• To allow for easy replaceability of the embedded hash function in case faster or more secure hash functions are found or required.
• To preserve the original performance of the hash function without incurring a significant degradation.
• To use and handle keys in a simple way.
• To have a well-understood cryptographic analysis of the strength of the authentication mechanism, based on reasonable assumptions about the embedded hash function.
HMAC Algorithm (b = block size of the hash function in bits, 512 for MD5, SHA-1 and RIPEMD-160)
1. Append zeros to the right end of the secret key K to create a b-bit string K+ (e.g., if K is 160 bits long and b = 512, then K is followed by 44 zero bytes 0x00). A key longer than b bits is first hashed, and the hash output is used as K.
2. XOR K+ with ipad (the byte 00110110, 36 in hexadecimal, repeated b/8 times) to produce the b-bit block Si.
3. Append M (the message input) to Si.
4. Apply H (the embedded hash function, such as MD5, SHA-1 or RIPEMD-160) to the stream generated in step 3.
5. XOR K+ with opad (the byte 01011100, 5C in hexadecimal, repeated b/8 times) to produce the b-bit block So.
6. Append the hash result from step 4 to So.
7. Apply H to the stream generated in step 6 and output the result. In one line: HMAC(K, M) = H[(K+ ⊕ opad) || H[(K+ ⊕ ipad) || M]].
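The seven steps as an added example (my code, written against RFC 2104, not the slides' or any library's source), compared with Python's standard hmac module. It also includes the one practitioner detail the construction itself does not cover: tags must be compared in constant time, since an early-exit byte comparison lets an attacker guess a valid tag one byte at a time by timing.

```python
# Added example: HMAC from its definition, plus constant-time verification.
import hashlib
import hmac as stdlib_hmac


def my_hmac(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC(K, M) = H[(K+ xor opad) || H[(K+ xor ipad) || M]], steps 1-7."""
    b = hashlib.new(hash_name).block_size                 # 64 bytes for MD5/SHA-1
    if len(key) > b:                                      # RFC 2104: hash long keys
        key = hashlib.new(hash_name, key).digest()
    k_plus = key + b"\x00" * (b - len(key))               # step 1: zeros on the right
    s_i = bytes(k ^ 0x36 for k in k_plus)                 # step 2: K+ xor ipad
    inner = hashlib.new(hash_name, s_i + message).digest()      # steps 3-4
    s_o = bytes(k ^ 0x5C for k in k_plus)                 # step 5: K+ xor opad
    return hashlib.new(hash_name, s_o + inner).digest()         # steps 6-7


def verify(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Constant-time comparison of the received tag with the recomputed one."""
    return stdlib_hmac.compare_digest(my_hmac(key, message, hash_name), tag)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha1") -> bool:
    return my_hmac(key, message, hash_name) == stdlib_hmac.new(key, message, hash_name).digest()
```

The outer hash is what makes HMAC safe with Merkle-Damgård hashes such as MD5 and SHA-1: a plain H(K || M) would let an attacker extend M without knowing K (length extension), whereas the inner digest is itself hashed under the key before it leaves the function.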
Digital Signatures
• A cryptographic technique analogous to handwritten signatures. The sender (Bob) digitally signs a document, establishing that he is the document's owner/creator.
• Verifiable, non-forgeable: the recipient (Alice) can verify that Bob, and no one else, signed the document.
• Simple digital signature for message m: Bob "encrypts" m with his private key dB, creating the signed message dB(m).
• Bob sends m and dB(m) to Alice.
Digital Signatures (more)
• Suppose Alice receives message m and the digital signature dB(m).
• Alice verifies that m was signed by Bob by applying Bob's public key eB to dB(m) and checking that eB(dB(m)) = m.
• If eB(dB(m)) = m, whoever signed m must have used Bob's private key.
• Alice thus verifies that: Bob signed m; no one else signed m; Bob signed m and not m'.
• Non-repudiation: Alice can take m and the signature dB(m) to court and prove that Bob signed m.
• Caveat: applied to a raw message without hashing and padding, this textbook scheme is forgeable: anyone can pick an arbitrary value s and present it as Bob's signature on the "message" m = eB(s), which verifies. Real signatures therefore sign a padded message digest, as on the next slide.
Digital signature = Signed message digest
• Bob sends a digitally signed message: he computes the digest H(m), signs it with his private key to obtain dB(H(m)), and sends m together with dB(H(m)).
• Alice verifies the signature and the integrity of the digitally signed message: she computes H(m) from the received m, applies Bob's public key to the signature to obtain eB(dB(H(m))), and accepts only if the two digests are equal.
Digital Signatures
• Symmetric-key signatures
• Public-key signatures
• Message digests
• The birthday attack
Symmetric-Key Signatures
Digital signatures with Big Brother (a trusted central authority that shares a secret key with every user and vouches for each signed message).
Public-Key Signatures
Digital signatures using public-key cryptography.
Message Digests
Digital signatures using message digests.
Timing Attacks
• Developed by Paul Kocher in the mid-1990s (published 1996).
• They exploit timing variations in operations, e.g. multiplying by a small vs. a large number, or IF statements that vary which instructions are executed.
• The attacker infers operand or key-bit values from the time taken.
• Against RSA they exploit the time taken in modular exponentiation: with square-and-multiply, every 1 bit of the private exponent costs an extra multiplication, so the run time depends on the secret key.
• Countermeasures:
  – use constant exponentiation time (the same sequence of operations regardless of the key bits);
  – add random delays (weak on its own, because the added noise averages out over more measurements);
  – blind the values used in the calculations (multiply the ciphertext by r^e before decryption and divide the result by r afterwards, so the attacker does not know the operand being exponentiated).
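An added example (my code, not from the slides or from Kocher's paper) of the leak and two of the countermeasures. Elapsed time is modelled as the number of modular multiplications performed, a stand-in for real measurements, which is an assumption of this example; the RSA key is a constructed toy and far too small to be secure. Naive square-and-multiply performs a different number of operations for exponents of equal length but different Hamming weight; the Montgomery ladder performs the same number for every exponent; blinding makes the operand unknown to the attacker while leaving the result unchanged.

```python
# Added example: exponent-dependent operation counts and two countermeasures.
import math
import random


def square_and_multiply(base, exp, mod):
    """Left-to-right exponentiation: one extra multiply per 1 bit, so the
    operation count (and the wall-clock time) depends on the secret exponent."""
    result, ops = 1, 0
    for bit in bin(exp)[2:]:
        result = result * result % mod
        ops += 1
        if bit == "1":
            result = result * base % mod
            ops += 1
    return result, ops


def montgomery_ladder(base, exp, mod):
    """Constant-operation exponentiation: each bit costs exactly one squaring
    and one multiplication, whatever its value (invariant r1 == r0 * base)."""
    r0, r1, ops = 1, base % mod, 0
    for bit in bin(exp)[2:]:
        if bit == "0":
            r1 = r0 * r1 % mod
            r0 = r0 * r0 % mod
        else:
            r0 = r0 * r1 % mod
            r1 = r1 * r1 % mod
        ops += 2
    return r0, ops


def blinded_rsa_decrypt(c, d, e, n, rng=random):
    """RSA blinding: exponentiate r^e * c instead of c, then strip r. The
    result is still c^d mod n, but the value exponentiated is unknown to an
    attacker, which removes the operand-dependent timing signal."""
    while True:
        r = rng.randrange(2, n)
        if math.gcd(r, n) == 1:
            break
    blinded = pow(r, e, n) * c % n
    m_blinded, _ = montgomery_ladder(blinded, d, n)
    return m_blinded * pow(r, -1, n) % n


# Toy RSA key, constructed for the example (far too small to be secure).
P, Q = 1009, 1013
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def leak_demo():
    """Operation counts for two 16-bit exponents of Hamming weight 2 and 16:
    (naive_light, naive_heavy, ladder_light, ladder_heavy)."""
    light, heavy = 0b1000000000000001, 0b1111111111111111
    return (square_and_multiply(3, light, N)[1], square_and_multiply(3, heavy, N)[1],
            montgomery_ladder(3, light, N)[1], montgomery_ladder(3, heavy, N)[1])
```

A constant operation count is necessary but not sufficient on real hardware: the branch on the bit value and the memory access pattern can still leak through caches and branch predictors, which is why production libraries combine a branch-free ladder with blinding.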
Authentication Protocols
• Mutual authentication protocols
• One-way authentication protocols
Mutual Authentication Protocol
• These protocols enable communicating parties to satisfy themselves mutually about each other's identity and to exchange session keys.
• To prevent compromise of session keys, essential identification and session-key information must be communicated in encrypted form.
• The protocols prevent replay attacks (the threat of message replay) using timestamps or challenge/response (nonces).
Contd…..
• Mutual authentication follows two approaches: the symmetric encryption approach and the public-key encryption approach.
• In the symmetric encryption approach (a KDC-based exchange such as Needham-Schroeder): (1) A → KDC, (2) KDC → A, (3) A → B, (4) B → A, (5) A → B.
• In the public-key encryption approach: (1) A → AS, (2) AS → A, (3) A → B.
  Here KDC is the Key Distribution Center and AS is the Authentication Server.
One-way Authentication Protocol
• It also follows two approaches: the symmetric encryption approach and the public-key encryption approach.
• In the symmetric encryption approach: (1) A → KDC, (2) KDC → A, (3) A → B.
• In the public-key encryption approach: A → B: M || E_KRa[H(M)], i.e. A sends the message together with its hash encrypted under A's private key KRa (a signature), which B verifies with A's public key.
Digital Signature Standard
• The National Institute of Standards and Technology published Federal Information Processing Standard FIPS 186, known as the Digital Signature Standard (DSS).
• DSS makes use of the Secure Hash Algorithm and presents a new digital signature technique, the Digital Signature Algorithm (DSA).
• The original DSS specified only DSA; later revisions of FIPS 186 added signature schemes based on RSA and on elliptic curve cryptography (ECDSA).
DSA Explanation
• The Digital Signature Algorithm (DSA) is appropriate for applications requiring a digital rather than written signature. The DSA provides the capability to generate and verify signatures.
• Signature generation makes use of a private key to generate a digital signature. Signature verification makes use of a public key which corresponds to, but is not the same as, the private key.
• Each user possesses a private and public key pair. Public keys are assumed to be known to the public in general. Private keys are never shared.
• Anyone can verify the signature of a user by employing that user's public key. Signature generation can be performed only by the possessor of the user's private key.
DSA Operation
1. A hash function is used in the signature generation process to obtain a condensed version of the data, called a message digest.
2. The message digest is then input to the DSA to generate the digital signature.
3. The digital signature is sent to the intended verifier along with the signed data (often called the message).
4. The verifier of the message and signature verifies the signature by using the sender's public key. The same hash function must also be used in the verification process.
DSA Generation & Verification (figure)
DSA PARAMETERS
1. p = a prime modulus, where 2^(L-1) < p < 2^L for 512 ≤ L ≤ 1024 and L a multiple of 64.
2. q = a prime divisor of p − 1, where 2^159 < q < 2^160.
3. g = h^((p−1)/q) mod p, where h is any integer with 1 < h < p − 1 such that h^((p−1)/q) mod p > 1.
4. x = a randomly or pseudorandomly generated integer with 0 < x < q.
5. y = g^x mod p.
6. k = a randomly or pseudorandomly generated integer with 0 < k < q, generated afresh for every signature.
• The integers p, q, and g can be public and can be common to a group of users. A user's private and public keys are x and y, respectively. They are normally fixed for a period of time. Parameters x and k are used for signature generation only and must be kept secret: revealing k, or reusing one k for two messages, lets anyone compute x from the signatures.
SIGNATURE GENERATION
• The signature of a message M is the pair of numbers r and s computed according to the equations below:
    r = (g^k mod p) mod q   and   s = (k^(−1) · (SHA(M) + x·r)) mod q.
• In the above, k^(−1) is the multiplicative inverse of k modulo q; i.e., (k^(−1) · k) mod q = 1 and 0 < k^(−1) < q. The value of SHA(M) is the 160-bit string output by the Secure Hash Algorithm specified in FIPS 180, interpreted as an integer.
• The signature is transmitted along with the message to the verifier.
SIGNATURE VERIFICATION
• Prior to verifying the signature in a signed message, p, q and g plus the sender's public key and identity are made available to the verifier in an authenticated manner.
• Let M', r' and s' be the received versions of M, r, and s, respectively, and let y be the public key of the signatory. The verifier first checks that 0 < r' < q and 0 < s' < q; if either condition is violated the signature shall be rejected. If these two conditions are satisfied, the verifier computes
    w  = (s')^(−1) mod q
    u1 = (SHA(M') · w) mod q
    u2 = (r' · w) mod q
    v  = ((g^u1 · y^u2) mod p) mod q.
• If v = r', then the signature is verified and the verifier can have high confidence that the received message was sent by the party holding the secret key x corresponding to y. (For a proof that v = r' when M' = M, r' = r, and s' = s, see FIPS 186, Appendix 1.) If v does not equal r', then the message may have been modified, the message may have been incorrectly signed by the signatory, or the message may have been signed by an impostor. The message should be considered invalid.
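The DSA equations above, as an added runnable example (my code, not from the slides or from FIPS 186); it is also a concrete instance of the signed-message-digest pattern from the earlier digital-signature slides. Parameters are generated at run time with deliberately small sizes (q of 32 bits, p of 64 bits) so the block is self-contained; real DSA uses q of at least 160 bits, but the arithmetic is identical. The demo also shows why k must be secret and fresh: two signatures made with the same k share r, and the private key x falls out of the two s values.

```python
# Added example: DSA parameter generation, signing, verification, and the
# private-key recovery that follows from reusing k.
import hashlib
import random


def is_probable_prime(n, rounds=16, rng=random.Random(0)):
    """Miller-Rabin; enough for a toy parameter search."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_parameters(q_bits=32, p_bits=64, seed=1):
    """p, q, g with q prime, q | p - 1, g = h^((p-1)/q) mod p > 1 (parameters 1-3)."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
        if is_probable_prime(q):
            break
    while True:
        m = rng.getrandbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))
        p = q * (m - m % 2) + 1                    # even cofactor keeps p odd
        if is_probable_prime(p):
            break
    for h in range(2, p - 1):
        g = pow(h, (p - 1) // q, p)
        if g > 1:
            return p, q, g


def sha(message: bytes) -> int:
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def keygen(p, q, g, rng):
    x = rng.randrange(1, q)                        # private key (parameter 4)
    return x, pow(g, x, p)                         # (x, y = g^x mod p)


def sign(p, q, g, x, message, rng, k=None):
    """r = (g^k mod p) mod q, s = k^-1 (SHA(M) + x r) mod q; a fresh k each time
    unless one is forced (only to demonstrate the k-reuse failure below)."""
    while True:
        kk = k if k is not None else rng.randrange(1, q)
        r = pow(g, kk, p) % q
        s = pow(kk, -1, q) * (sha(message) + x * r) % q
        if r and s:
            return r, s


def verify(p, q, g, y, message, sig):
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = sha(message) * w % q, r * w % q
    return pow(g, u1, p) * pow(y, u2, p) % p % q == r


def recover_x_from_k_reuse(q, m1, sig1, m2, sig2):
    """Same k => same r; k = (H1 - H2)/(s1 - s2) and x = (s1 k - H1)/r, mod q."""
    (r, s1), (_, s2) = sig1, sig2
    k = (sha(m1) - sha(m2)) * pow((s1 - s2) % q, -1, q) % q
    return (s1 * k - sha(m1)) * pow(r, -1, q) % q


def demo(seed=42):
    p, q, g = generate_parameters()
    rng = random.Random(seed)
    x, y = keygen(p, q, g, rng)
    sig = sign(p, q, g, x, b"pay 100", rng)
    k = rng.randrange(1, q)                        # the mistake: one k, two messages
    s1 = sign(p, q, g, x, b"m1", rng, k=k)
    s2 = sign(p, q, g, x, b"m2", rng, k=k)
    return {
        "params_ok": (p - 1) % q == 0 and pow(g, q, p) == 1,
        "valid": verify(p, q, g, y, b"pay 100", sig),
        "tampered_rejected": not verify(p, q, g, y, b"pay 999", sig),
        "same_r": s1[0] == s2[0],
        "x_recovered": recover_x_from_k_reuse(q, b"m1", s1, b"m2", s2) == x,
    }
```

The range checks on r and s at the start of verify are not cosmetic: a signature with s = 0 has no inverse, and accepting r = 0 would let the verification equation be satisfied without the private key.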
Kerberos
• Kerberos is a computer network authentication protocol which allows individuals communicating over an insecure network to prove their identity to one another in a secure manner.
• Kerberos prevents eavesdropping and replay attacks, and ensures the integrity of the data. Its designers aimed primarily at a client-server model, and it provides mutual authentication: both the user and the service verify each other's identity.
Contd…..
• It makes use of a trusted third party, termed a Key Distribution Center (KDC), which consists of two logically separate parts: an Authentication Server (AS) and a Ticket Granting Server (TGS). Kerberos works on the basis of "tickets" which serve to prove the identity of users.
• Kerberos maintains a database of secret keys; each entity on the network, whether a client or a server, shares a secret key known only to itself and to Kerberos.
• For communication between two entities, Kerberos generates a session key which they can use to secure their interactions.
Protocol Description
• The protocol can be written in security-protocol notation with Alice (A) authenticating herself to Bob (B) using a server S. The security of the protocol relies heavily on timestamps T and lifespans L as reliable indicators of the freshness of a communication (see the BAN logic), so all participants need loosely synchronised clocks.
• In relation to the Kerberos operation described above, it is helpful to note that the server S stands for both the authentication service (AS) and the ticket-granting service (TGS). K_AB stands for the session key between A and B; the client-to-server ticket carries K_AB and A's identity encrypted under B's long-term key; the authenticator (A's identity and a timestamp encrypted under K_AB) proves that A holds K_AB; and B's reply (the timestamp plus one, encrypted under K_AB) confirms B's true identity and its recognition of A. This last message is what makes the authentication mutual.
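The exchanges described above (AS, TGS and client/server), and with them the KDC-based mutual authentication pattern from the authentication-protocol slides, as an added runnable example (my code, not the slides' notation or any Kerberos implementation). seal/open_ are a toy authenticated encryption standing in for the block cipher Kerberos uses (an assumption of this example; not for production). Principal names, keys and the fixed clock are constructed. The server keeps a replay cache keyed on (client, authenticator timestamp), so resending a captured ticket and authenticator is rejected.

```python
# Added example: Kerberos-style ticket and authenticator exchanges.
import hashlib
import hmac
import json
import os

SKEW = 300          # accepted clock difference for authenticators, in seconds

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, fields: dict) -> bytes:
    """Toy encrypt-then-MAC of a JSON record (stand-in for DES/AES in Kerberos)."""
    pt, nonce = json.dumps(fields, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC: wrong key or tampered")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check(ticket, authenticator, now):
    """Ticket within its lifetime; authenticator under the ticket's session key,
    naming the same client, with a fresh timestamp."""
    if not ticket["ts"] <= now <= ticket["ts"] + ticket["life"]:
        raise ValueError("ticket expired")
    auth = open_(bytes.fromhex(ticket["k"]), authenticator)
    if auth["client"] != ticket["client"] or abs(now - auth["ts"]) > SKEW:
        raise ValueError("authenticator stale or for another client")
    return auth

class KDC:
    """AS and TGS sharing one database of long-term keys (clients, services, 'tgs')."""
    def __init__(self, keys, clock):
        self.keys, self.clock = keys, clock

    def as_exchange(self, client, life=3600):
        # (1) C -> AS: ID_c, ID_tgs     (2) AS -> C: E_Kc[K_c,tgs, TS, L, Ticket_tgs]
        k, ts = os.urandom(16).hex(), self.clock()
        ticket = seal(self.keys["tgs"], {"k": k, "client": client, "ts": ts, "life": life})
        return seal(self.keys[client], {"k": k, "ts": ts, "life": life, "ticket": ticket.hex()})

    def tgs_exchange(self, service, ticket_tgs, authenticator, life=300):
        # (3) C -> TGS: ID_v, Ticket_tgs, Auth_c   (4) TGS -> C: E_Kc,tgs[K_c,v, TS, Ticket_v]
        t = open_(self.keys["tgs"], ticket_tgs)
        check(t, authenticator, self.clock())
        k, ts = os.urandom(16).hex(), self.clock()
        ticket = seal(self.keys[service], {"k": k, "client": t["client"], "ts": ts, "life": life})
        return seal(bytes.fromhex(t["k"]), {"k": k, "ts": ts, "ticket": ticket.hex()})

class Service:
    def __init__(self, name, key, clock):
        self.name, self.key, self.clock, self.seen = name, key, clock, set()

    def ap_exchange(self, ticket_v, authenticator):
        # (5) C -> V: Ticket_v, Auth_c       (6) V -> C: E_Kc,v[TS + 1]
        t = open_(self.key, ticket_v)
        auth = check(t, authenticator, self.clock())
        if (t["client"], auth["ts"]) in self.seen:           # replay cache
            raise ValueError("replayed authenticator")
        self.seen.add((t["client"], auth["ts"]))
        return seal(bytes.fromhex(t["k"]), {"ts": auth["ts"] + 1})

def client_session(kdc, service, client, client_key, clock):
    """Runs the three exchanges; returns (server authenticated?, Ticket_v, Auth_c)."""
    m2 = open_(client_key, kdc.as_exchange(client))
    k_tgs, ticket_tgs = bytes.fromhex(m2["k"]), bytes.fromhex(m2["ticket"])
    auth_tgs = seal(k_tgs, {"client": client, "ts": clock()})
    m4 = open_(k_tgs, kdc.tgs_exchange(service.name, ticket_tgs, auth_tgs))
    k_v, ticket_v = bytes.fromhex(m4["k"]), bytes.fromhex(m4["ticket"])
    ts = clock()
    auth_c = seal(k_v, {"client": client, "ts": ts})
    m6 = open_(k_v, service.ap_exchange(ticket_v, auth_c))
    return m6["ts"] == ts + 1, ticket_v, auth_c

def demo():
    clock = lambda: 1_700_000_000                      # constructed fixed clock
    keys = {"alice": os.urandom(16), "tgs": os.urandom(16), "files": os.urandom(16)}
    kdc, files = KDC(keys, clock), Service("files", keys["files"], clock)
    ok, ticket_v, auth_c = client_session(kdc, files, "alice", keys["alice"], clock)
    try:                                               # Eve replays the captured pair
        files.ap_exchange(ticket_v, auth_c)
        replayed = True
    except ValueError:
        replayed = False
    return {"mutual_auth": ok, "replay_rejected": not replayed}
```

Note what each key protects: the client's long-term key only ever decrypts the AS reply, the TGS key only ever opens ticket-granting tickets, and the service key only opens service tickets, so a compromised service learns session keys for itself but not the client's password-derived key. The replay cache is what the timestamp alone cannot provide, since a captured authenticator stays "fresh" for the whole SKEW window.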
X.509 Protocol
• X.509 is an ITU-T standard for digital certificates.
• X.509 defines a certificate format for binding public keys to X.500 distinguished names. The surrounding X.500 authentication framework describes both simple (password-based) and strong (public-key, certificate-based) authentication.
• The original X.509 data record was designed around the X.500 directory, where the simple-authentication entry held a password rather than a public key.
• The fields in the certificate define the issuing CA, the signature algorithm, how long the certificate is valid (the validity period), and information about the subject (owner) of the certificate, together with the subject's public key and the CA's signature over all of these fields.
Contd….
• Certificates are typically managed by CAs (certification authorities), entities trusted by both parties, usually regulated, that act as third-party key holders. To create a certificate, the CA combines a user's public key with the user information (as defined by X.509) and then signs the information with its private key. Anyone receiving the certificate can verify its authenticity with the CA's public key. The authenticity of the CA's public key can be further verified via the chain of trust that exists within the PKI (public-key infrastructure), up to a root CA (trust anchor) the verifier already holds.
• The X.509 standard defines what information can go into a certificate and describes how to write it down (the data format: ASN.1 structures, DER-encoded).
International Data Encryption Algorithm (IDEA)
• IDEA (International Data Encryption Algorithm) is an encryption algorithm developed at ETH in Zurich, Switzerland, by Xuejia Lai and James Massey.
• It is a block cipher with a 64-bit block and a 128-bit key, and is generally considered to be secure; no practical attack on the full 8.5-round cipher is known.
• The algorithm was intended as a replacement for the Data Encryption Standard.
• The cipher was patented in a number of countries but was freely available for non-commercial use; the name "IDEA" is also a trademark. The patents have since expired.
IDEA Operation
• IDEA operates on 64-bit blocks using a 128-bit key, and consists of a series of eight identical transformations (a round, see the illustration) and an output transformation (the half-round).
• The processes for encryption and decryption are similar: decryption runs the same structure with the subkeys replaced by their additive or multiplicative inverses, taken in reverse order.
• In more detail, the operators, which all deal with 16-bit quantities, are:
  1. Bitwise exclusive OR (denoted by a blue circle in the diagram).
  2. Addition modulo 2^16 (denoted by a green rectangle).
  3. Multiplication modulo 2^16 + 1, where the all-zero word (0x0000) is interpreted as 2^16 (denoted by a red circle). (See the IDEA diagram.)
IDEA Overview
  Designers: James Massey, Xuejia Lai
  First published: 1991
  Derived from: PES
  Ciphers based on this design: MESH, Akelarre, FOX (IDEA NXT)
  Block size: 64 bits
  Key size: 128 bits
  Structure: Lai-Massey scheme (a substitution-permutation style design)
  Number of rounds: 8.5
  Best cryptanalysis: a collision attack requiring 2^24 chosen plaintexts breaks 5 rounds with a complexity of 2^126.
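IDEA encryption and decryption as an added example (my own implementation, not the slides' diagram or the original reference code). Subkeys are taken from the 128-bit key as 16-bit words, rotating the key left by 25 bits each time more are needed; decryption uses the same round structure with inverted subkeys in reverse order, exactly as described above. The result is checked against the commonly published test vector (key 0001 0002 … 0008, plaintext 0000 0001 0002 0003, ciphertext 11FB ED2B 0198 6DE5).

```python
# Added example: IDEA (64-bit block, 128-bit key, 8.5 rounds).
import struct

MOD_MUL = 0x10001      # multiplication is modulo 2^16 + 1


def mul(a, b):
    """IDEA multiplication: 0 stands for 2^16, and a result of 2^16 maps to 0."""
    a, b = a or 0x10000, b or 0x10000
    return (a * b % MOD_MUL) & 0xFFFF


def inv(a):
    """Multiplicative inverse modulo 2^16 + 1 with the same 0 <-> 2^16 convention."""
    return pow(a or 0x10000, -1, MOD_MUL) & 0xFFFF


def neg(a):
    return (-a) & 0xFFFF                   # additive inverse modulo 2^16


def encryption_subkeys(key: bytes):
    """52 subkeys: 8 words per pass, key rotated left by 25 bits between passes."""
    k = int.from_bytes(key, "big")
    sub = []
    while len(sub) < 52:
        sub += [(k >> (112 - 16 * i)) & 0xFFFF for i in range(8)]
        k = ((k << 25) | (k >> 103)) & ((1 << 128) - 1)
    return sub[:52]


def decryption_subkeys(sub):
    """Inverses of the encryption subkeys, in reverse order; the two additive
    keys of rounds 2-8 swap places because the round swaps the middle words."""
    d = [0] * 52
    d[0:4] = inv(sub[48]), neg(sub[49]), neg(sub[50]), inv(sub[51])  # from the output transform
    d[4:6] = sub[46], sub[47]
    for r in range(1, 8):
        e = sub[6 * (8 - r): 6 * (8 - r) + 6]                          # encryption round 9-r
        d[6 * r: 6 * r + 4] = inv(e[0]), neg(e[2]), neg(e[1]), inv(e[3])
        d[6 * r + 4: 6 * r + 6] = sub[6 * (7 - r) + 4], sub[6 * (7 - r) + 5]
    d[48:52] = inv(sub[0]), neg(sub[1]), neg(sub[2]), inv(sub[3])
    return d


def idea_block(block: bytes, sub) -> bytes:
    """Eight rounds plus the output transformation (the 'half round')."""
    x1, x2, x3, x4 = struct.unpack(">4H", block)
    for r in range(8):
        k1, k2, k3, k4, k5, k6 = sub[6 * r: 6 * r + 6]
        x1, x2, x3, x4 = mul(x1, k1), (x2 + k2) & 0xFFFF, (x3 + k3) & 0xFFFF, mul(x4, k4)
        t = mul(x1 ^ x3, k5)                                   # MA (multiply-add) structure
        u = mul((t + (x2 ^ x4)) & 0xFFFF, k6)
        t = (t + u) & 0xFFFF
        x1, x2, x3, x4 = x1 ^ u, x3 ^ u, x2 ^ t, x4 ^ t        # includes the swap of x2, x3
    k1, k2, k3, k4 = sub[48:52]
    x2, x3 = x3, x2                                            # undo the last round's swap
    return struct.pack(">4H", mul(x1, k1), (x2 + k2) & 0xFFFF, (x3 + k3) & 0xFFFF, mul(x4, k4))


def idea_encrypt(key: bytes, block: bytes) -> bytes:
    return idea_block(block, encryption_subkeys(key))


def idea_decrypt(key: bytes, block: bytes) -> bytes:
    return idea_block(block, decryption_subkeys(encryption_subkeys(key)))
```

The three operations come from three different algebraic groups (XOR, addition mod 2^16, multiplication mod 2^16 + 1), and mixing them is the source of IDEA's strength; the 0 ↔ 2^16 convention in mul is what keeps the multiplication a bijection on 16-bit words.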
IDEA Operation Modes
IDEA is a block cipher, so it may be used, like DES, in any of the modes of operation:
• ECB: the electronic codebook mode, where each block of 64 plaintext bits is encoded independently using the same key. This is useful only when encrypting short messages (a single block), as equal blocks of 64 plaintext bits in the text will be equal in the ciphertext as well.
• CBC: the cipher block chaining mode, where the input to the encryption algorithm is the XOR of the next 64 bits of plaintext and the preceding 64 bits of ciphertext. This is useful when encrypting longer messages, since equal blocks of 64 plaintext bits in a message will be different in the ciphertext.
• CFB: the cipher feedback mode, where the input is processed x bits at a time. Preceding ciphertext is used as input to the encryption algorithm to produce pseudo-random output, which is XORed with the plaintext to produce the next unit of ciphertext.
• OFB: the output feedback mode, which is similar to CFB, except that the input to the next encryption is the preceding IDEA output rather than the ciphertext.
• The CBC, CFB and OFB modes also use an initialization vector (IV), which is used as the first input to the encryption algorithm (in CBC it is XORed with the first block of 64 plaintext bits). Without an IV, the first block of a repeated plaintext would be equal in the ciphertext as well, as is the case for all blocks in ECB mode. In CBC mode the IV must be unpredictable and different for every message encrypted under the same key. In CFB and OFB mode the IV must be unique for every message under the same key: if an IV is reused, the key stream (all of it in OFB, the first unit in CFB) is reused too, and a cryptanalyst who knows one plaintext immediately recovers the corresponding part of the other.
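The IV-reuse failure just described, as an added example (my code, not from the slides). Because OFB never decrypts, any keyed pseudorandom function can play the role of the block encryption, so a SHA-256-based stand-in is used here in place of IDEA (an assumption of this example). Two messages encrypted under the same key and IV are XORed together, which cancels the key stream and leaves the XOR of the plaintexts; with one plaintext known, the other is read off directly. With a fresh IV the same attack yields nothing.

```python
# Added example: key-stream reuse in OFB when the IV repeats under one key.
import hashlib


def prf_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for IDEA encryption of one 64-bit block (OFB never needs the
    inverse, so a keyed hash suffices for the demonstration)."""
    return hashlib.sha256(key + block).digest()[:8]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ofb(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Key stream O1 = E(IV), O2 = E(O1), ...; ciphertext = data XOR stream."""
    out, state = [], iv
    for i in range(0, len(data), 8):
        state = prf_block(key, state)
        out.append(xor(data[i:i + 8], state))
    return b"".join(out)


def recover_second_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """c1 XOR c2 == p1 XOR p2 when the key stream was reused, so p2 = c1 ^ c2 ^ p1."""
    return xor(xor(c1, c2), known_p1)


def iv_reuse_demo(key=b"sixteen byte key", iv=b"\x00" * 8):
    """Constructed messages: the attacker knows p1 and wants p2."""
    p1, p2 = b"TRANSFER 0100 EUR", b"TRANSFER 9999 EUR"
    c1, c2 = ofb(key, iv, p1), ofb(key, iv, p2)              # same key AND same IV
    c2_fresh = ofb(key, b"\x01" * 8, p2)                     # unique IV for p2
    return {
        "reused_iv_leaks_p2": recover_second_plaintext(c1, c2, p1) == p2,
        "fresh_iv_does_not": recover_second_plaintext(c1, c2_fresh, p1) == p2,
    }
```

The same calculation applies to any stream-cipher-like mode (CTR, OFB, the first unit of CFB): the security argument for these modes assumes that no (key, IV) pair is ever used twice, so IVs should be generated by a counter or a CSPRNG and never derived from the message alone.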
MIME
- Multipurpose Internet Mail Extensions (MIME) is an Internet Standard for the format of e-mail.
- Virtually all human-written Internet e-mail and a fairly large proportion of automated e-mail is transmitted via SMTP in MIME format.
- MIME defines mechanisms for sending other kinds of information in e-mail, including text in languages other than English using character encodings other than ASCII, as well as 8-bit binary content such as files containing images, sounds, movies, and computer programs.
- MIME is also a fundamental component of communication protocols such as HTTP, which requires that data be transmitted in the context of e-mail-like messages, even though the data may not actually be e-mail.
Contd….
- MIME defines a collection of e-mail headers for specifying additional attributes of a message, including content type, and defines a set of transfer encodings which can be used to represent 8-bit binary data using characters from the 7-bit ASCII character set.
- MIME also specifies rules for encoding non-ASCII characters in e-mail message headers, such as "Subject:", allowing these header fields to contain non-English characters.
- MIME headers include MIME-Version, which indicates that the message is MIME-formatted; Content-Type, which indicates the type and subtype of the message content; and Content-Transfer-Encoding, which names one of a set of methods for representing binary data in ASCII text format.
S/MIME
- S/MIME (Secure / Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of e-mail encapsulated in MIME.
- S/MIME is the IETF enhancement of the PEM (Privacy Enhanced Mail) specifications of the mid-1990s.
- S/MIME provides the cryptographic security services for electronic messaging applications: authentication, message integrity and non-repudiation of origin (using digital signatures), and privacy and data security (using encryption).
Contd….
- S/MIME functionality is built into the vast majority of modern e-mail software and interoperates between all of the following (and others):
  - Outlook (since 1999? and Outlook 98)
  - Outlook Express (since 1999?)
  - Apple Mail (since Mac OS X v10.3 Panther)
  - Mozilla Mail (all releases after 0.9.7)
  - Mozilla Thunderbird (all releases)
  - Netscape Communicator (since 3.0?)
  - Lotus Notes (since release 5.0)
  - Novell GroupWise (since 1998 with the 5.5 release)
  - Qualcomm Eudora (since release 7.0; however, the 7.0 implementation of S/MIME is very deficient)
  - The Bat!
  - Mutt (since release 1.5.5i)
  - Gnus (with an external extension)
  - Novell Evolution (since release 2.0.0)
  - Balsa (since release 2.2.6)
  - KMail (since release 1.6, integrated in KDE 3.2)
Functionality of S/MIME
- In terms of general functionality, S/MIME is very similar to PGP (Pretty Good Privacy). Both offer the ability to sign and/or encrypt messages.
- S/MIME provides the following functions:
1. Enveloped Data: This consists of encrypted content of any type of data.
2. Signed Data: A digital signature is formed by taking the message digest of the content to be signed and then encrypting that digest with the private key of the signer.
3. Clear-Signed Data: Recipients without S/MIME capability can view the message content, although they cannot verify the signature.
4. Signed and Enveloped Data: Signed-only and encrypted-only entities may be nested, so that encrypted data may be signed, and signed data or clear-signed data may be encrypted.
Pretty Good Privacy
- PGP provides a confidentiality and authentication service that can be used for electronic mail and file storage applications.
- PGP has grown explosively and is now widely used. A number of reasons can be cited for this growth:
1. It is available free worldwide in versions that run on a variety of platforms, including Windows, UNIX, Macintosh, and many more.
2. It is based on algorithms that have survived extensive public review and are considered very secure, such as RSA, CAST-128, IDEA and SHA-1.
3. It has a wide range of applicability over the Internet and other networks.
4. It is not developed by, nor is it controlled by, any government or standards organization; this makes PGP attractive.
5. PGP is now on an Internet standards track.
IP Security
IP Security provides security within the Internet architecture. It protects the network infrastructure from unauthorized monitoring and control of network traffic, and it meets the need to secure end-user-to-end-user traffic using authentication and encryption mechanisms.
Applications of IP Security
- It provides the capability to secure communications across a LAN, across public and private WANs, and across the Internet. Some applications are:
1. Secure branch office connectivity over the Internet.
2. Secure remote access over the Internet.
3. Establishing extranet and intranet connectivity with partners.
4. Enhancing electronic commerce security.
IP Security Architecture
- The IP Security specification consists of the following components:
1. IP Security Documents.
2. IP Security Services.
3. Security Association (SA).
4. Transport and Tunnel Modes.
1. IP Security Documents
- Architecture: Covers the general concepts, security requirements, definitions, and mechanisms defining IP security technology.
- Encapsulating Security Payload: Covers the packet format and general issues related to the use of ESP for packet encryption.
- Authentication Header: Covers the packet format and general issues related to the use of AH for packet authentication.
- Encryption Algorithm: A set of documents that describe how various encryption algorithms are used for ESP.
- Authentication Algorithm: A set of documents that describe how various authentication algorithms are used for AH.
- Key Management: A set of documents that describe key management schemes.
- Domain of Interpretation: Includes identifiers for approved encryption and authentication algorithms, as well as operational parameters.
2. IP Security Services
- Access control.
- Connectionless integrity.
- Data origin authentication.
- Rejection of replayed packets.
- Confidentiality.
- Limited traffic flow confidentiality.
3. Security Association
- A key concept that appears in both the authentication and confidentiality mechanisms for IP is the security association.
- A security association is uniquely identified by three parameters:
1. Security Parameter Index (SPI): A bit string assigned to this SA and having local significance only. The SPI is carried in AH and ESP headers to enable the receiving system to select the SA under which a received packet will be processed.
2. IP Destination Address: The address of the destination endpoint of the SA, which may be an end-user system or a network system such as a firewall or router.
3. Security Protocol Identifier: Indicates whether the association is an AH or an ESP security association.
4. Transport and Tunnel Modes
- Transport mode provides protection primarily for upper-layer protocols. Transport mode is used for end-to-end communication between two hosts. ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP header. AH in transport mode authenticates the IP payload and selected portions of the IP header.
- Tunnel mode provides protection for the entire IP packet. To achieve this, after the AH or ESP fields are added to the IP packet, the entire packet plus security fields is treated as the payload of a new "outer" IP packet with a new outer IP header.
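An added example, not from the slides, covering two of the points above: the three parameters that identify an SA used as the lookup key for an inbound packet, and the "rejection of replayed packets" service implemented with a sliding sequence-number window. The SPI, address and window size are constructed values; a real implementation updates the window only after the packet's integrity check has passed.

```python
from dataclasses import dataclass

AH, ESP = 51, 50   # IP protocol numbers of the two IPsec security protocols

@dataclass
class SecurityAssociation:
    spi: int          # Security Parameter Index carried in the AH/ESP header
    dst: str          # IP destination address of the SA endpoint
    proto: int        # AH or ESP
    window: int = 64  # anti-replay window size in packets (constructed default)
    highest: int = 0  # highest sequence number accepted so far
    bitmap: int = 0   # bit i set => sequence number (highest - i) already accepted

    def accept_sequence(self, seq):
        """Sliding-window replay check: True (and seq recorded) only if seq is fresh."""
        if seq <= 0:
            return False
        if seq > self.highest:                    # right of the window: slide it forward
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.window:                 # left of the window: too old to judge
            return False
        if (self.bitmap >> offset) & 1:           # inside the window but already seen
            return False
        self.bitmap |= 1 << offset                # late but new: record and accept
        return True

class SecurityAssociationDatabase:
    def __init__(self):
        self._sad = {}

    def add(self, sa):
        # The SPI, destination address and protocol together identify an SA.
        self._sad[(sa.spi, sa.dst, sa.proto)] = sa

    def lookup(self, spi, dst, proto):
        return self._sad.get((spi, dst, proto))

    def process_inbound(self, spi, dst, proto, seq):
        """Select the SA for an inbound packet and apply the replay check."""
        sa = self.lookup(spi, dst, proto)
        if sa is None:
            return "drop: no matching SA"
        if not sa.accept_sequence(seq):
            return "drop: replayed or too old"
        return "accept"
```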
Intruders
- One of the two most publicized threats to security is the intruder; the other is the virus.
- Anderson identified three classes of intruders:
1. Masquerader: An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account.
2. Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.
3. Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing or to suppress audit collection.
Intrusion Techniques
- The objective of the intruder is to gain access to a system or to increase the range of privileges accessible on a system. This requires the intruder to acquire information, such as user passwords, that should have been protected.
- The password file can be protected in two ways:
1. One-way encryption: The system stores only an encrypted form of the user's password. When a user presents a password, the system encrypts that password and compares it with the stored value.
2. Access control: Access to the password file is limited to one or a few accounts.
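The one-way scheme from point 1, as an added example that is not from the slides: the stored value is a random salt plus a slow one-way function of the password, and verification re-derives the value from the presented password and compares in constant time. The iteration count is a constructed work factor.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # constructed work factor; raise it as hardware gets faster
SALT_LEN = 16

def store_password(password):
    """Return what the password file keeps: salt || PBKDF2-HMAC-SHA256(password, salt).
    The salt makes equal passwords store differently and defeats precomputed tables."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest

def check_password(password, stored):
    """Re-derive from the presented password and compare with the stored value.
    The password itself is never stored, only its one-way form."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison
```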
Intrusion Detection
- Intrusion detection is very beneficial for several reasons:
1. If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done or any data is compromised.
2. An effective intrusion detection system can serve as a deterrent to prevent intrusions.
3. Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.
Intrusion Detection Techniques
- Audit records.
- Statistical anomaly detection.
- Rule-based detection.
- The base-rate fallacy.
- Distributed intrusion detection.
- Honeypots.
- Intrusion Detection Exchange Format.
Honeypots
- Honeypots are decoy systems that are designed to lure a potential attacker away from critical systems. Honeypots are designed to:
  - Divert an attacker from accessing critical systems.
  - Collect information about the attacker's activity.
  - Encourage the attacker to stay on the system long enough for administrators to respond.