Security Definition
• Unconditional security
  – The system cannot be defeated, no matter how much power is available to the adversary.
• Computational security
  – The perceived level of computation required to defeat the system using the best known attack exceeds, by a comfortable margin, the computational resources of the hypothesized adversary.
  – e.g., given limited computing resources, it takes the age of the universe to break the cipher.
• Provable security
  – The difficulty of defeating the system can be shown to be essentially as difficult as solving a well-known and supposedly difficult problem (e.g., integer factorization).
• Ad hoc security
  – Claims of security generally remain questionable.
  – Unforeseen attacks remain a threat.

Secret Key Cryptographic Algorithms
• DES (Data Encryption Standard)
• 3DES (Triple DES)
• IDEA (International Data Encryption Algorithm)
• AES (Advanced Encryption Standard)

DES (Data Encryption Standard)
• Authors: NSA & IBM, 1977
• Data block size: 64-bit (64-bit input, 64-bit output)
• Key size: 56-bit key
• Encryption is fast
  – DES chips
  – DES software: a 500-MIP CPU can encrypt at about 30 K octets per second
• Security
  – No longer considered secure: 56-bit keys are vulnerable to exhaustive search

Symmetric key crypto: DES operation
• Initial permutation
• 16 identical “rounds” of function application, each using a different 48 bits of the key
• Final permutation

Triple-DES (3DES)
• $C = \mathrm{DES}_{k_3}(\mathrm{DES}_{k_2}(\mathrm{DES}_{k_1}(P)))$
• Data block size: 64-bit
• Key size: 168-bit key; effective key size: 112 bits (due to the meet-in-the-middle attack)
• Encryption is slower than DES
• More secure than DES

IDEA (International Data Encryption Algorithm)
• Authors: Lai & Massey, 1991
• Data block size: 64-bit
• Key size: 128-bit
• Encryption is slower than DES
• Security
  – Nobody has yet published results on how to break it
• Patent protected

AES (Advanced Encryption Standard)
• Authors: Daemen & Rijmen
• Block size: 128-bit
• Key size: 128-bit, 192-bit, 256-bit
• Encryption is fast
• Security
  – As of 2005, no successful attacks are recognized.
  – NSA stated that it is secure enough for non-classified data.

Other SKC Algorithms
• RC2
  – Block size: 64 bits; key size: variable
  – Vulnerable to a chosen-plaintext attack
• RC4
  – Stream cipher
  – Key size: variable (typically 40-256 bits)
  – No longer considered secure: the key stream generated by RC4 is slightly biased in favor of certain sequences of bytes.
• RC5
  – Block size: variable (32, 64, 128 bits); key size: variable (0-2040 bits)
  – Not secure when key size <= 64 bits
• RC6
  – Derived from RC5
  – Block size: variable; key size: variable

Some Hash Functions
• Message digest (MD) algorithms
  – MD2, MD4, MD5, MD6; Author: Ron Rivest
  – 128-bit hash value
  – Some collisions have been found.
• Secure hash algorithm (SHA) family
  – SHA-0, SHA-1
    • 160-bit hash value
    • Reported “being broken”: collisions can be found with a complexity lower than that of brute-force search
  – SHA-2
    • SHA-224, SHA-256, SHA-384, SHA-512

PKC Algorithm: RSA
• Its security is based on the difficulty of factoring
  – Choose two large prime numbers, p and q.
  – Compute $n = p \cdot q$ and $z = (p-1)(q-1)$.
  – Find d and e (both less than n), such that e has no common factors with z, and $e \cdot d - 1$ is divisible by z.
  – Encryption: $c = m^e \bmod n$; decryption: $m = c^d \bmod n$.
• The best known algorithm for solving the problem is sub-exponential (less than exponential), but superpolynomial (more than any fixed-degree polynomial)
  – Key size should be large (e.g., 1024 bits)
• Encryption/decryption involves exponentiation operations on large numbers.
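The RSA steps above, run end to end on toy numbers, as an added example that is not part of the original slides. The primes 61 and 53, the exponent 17 and all function names are constructed for illustration; the last function shows why the slide asks for a large key size.

```python
from math import gcd

def make_keypair(p, q, e):
    """Follow the slide's steps: n = p*q, z = (p-1)*(q-1), then find d."""
    n, z = p * q, (p - 1) * (q - 1)
    if not (1 < e < n and gcd(e, z) == 1):
        raise ValueError("e must be less than n and share no factor with z")
    d = pow(e, -1, z)                 # modular inverse (Python 3.8+)
    assert (e * d - 1) % z == 0       # the slide's condition on e and d
    return (n, e), (n, d)

def encrypt(m, public_key):
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)               # c = m^e mod n

def decrypt(c, private_key):
    n, d = private_key
    return pow(c, d, n)               # m = c^d mod n

def private_exponent_from_factoring(public_key):
    """Recover d from (n, e) by trial division; feasible only for a toy n."""
    n, e = public_key
    p = next(f for f in range(2, int(n ** 0.5) + 1) if n % f == 0)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))

if __name__ == "__main__":
    public, private = make_keypair(61, 53, 17)   # constructed toy primes
    c = encrypt(65, public)
    print("n, e =", public, " d =", private[1])
    print("ciphertext:", c, " decrypted:", decrypt(c, private))
    print("d recovered by factoring n:", private_exponent_from_factoring(public))
```

Textbook RSA as shown has no padding; it illustrates the arithmetic only.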
PKC Algorithm: ECC (Elliptic Curve Cryptography)
• Its security is based on the difficulty of solving the discrete logarithm problem for the group of an elliptic curve over some finite field.
• Encryption/decryption operations are slower for an ECC system than for a factorization system or modulo integer discrete log system of the same size.
• Why does ECC outperform RSA?
  – So far, mathematicians do not (yet?) have subexponential algorithms for breaking the ECC system.
  – Key size can be smaller (e.g., 160 bits) than RSA (1024 bits).

Key Establishment and Distribution

Key Establishment
• DH (Diffie-Hellman) Scheme
  – Alice picks x; Bob picks y.
  – Alice → Bob: n, g, $g^x \bmod n$
  – Bob → Alice: $g^y \bmod n$
  – Alice computes $(g^y \bmod n)^x = g^{xy} \bmod n$; Bob computes $(g^x \bmod n)^y = g^{xy} \bmod n$.

Key Establishment
• DH (Diffie-Hellman) Scheme: Man-in-the-middle attack
  – Alice picks x; Bob picks y; Judy sits between them and uses u and v.
  – Alice → Judy: n, g, $g^x \bmod n$
  – Judy → Bob: n, g, $g^v \bmod n$
  – Bob → Judy: $g^y \bmod n$
  – Judy → Alice: $g^u \bmod n$
  – Alice and Judy end up with $g^{xu} \bmod n$; Bob and Judy end up with $g^{vy} \bmod n$.
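The two DH slides above as one runnable exchange, an added example that is not part of the original slides: it shows that the endpoints derive the same key when the messages arrive unmodified, and two different keys (each known to Judy) when they are replaced, which is what an authenticated key comparison detects. The modulus, generator, fingerprint check and function names are assumptions made for the illustration.

```python
import hashlib
import secrets

# Constructed toy parameters (not from the slides): n is the Mersenne prime
# 2**127 - 1 and g = 3. Real deployments use vetted groups of 2048 bits or more.
N = 2**127 - 1
G = 3

def pick_secret():
    return secrets.randbelow(N - 3) + 2

def exchange(x, y, judy=None):
    """Run the exchange; judy=(u, v) models the interception on the second slide."""
    gx, gy = pow(G, x, N), pow(G, y, N)        # what Alice and Bob transmit
    if judy is None:
        seen_by_alice, seen_by_bob, judy_keys = gy, gx, None
    else:
        u, v = judy
        seen_by_alice = pow(G, u, N)           # g^u arrives instead of g^y
        seen_by_bob = pow(G, v, N)             # g^v arrives instead of g^x
        judy_keys = (pow(gx, u, N), pow(gy, v, N))   # g^xu and g^vy
    k_alice = pow(seen_by_alice, x, N)
    k_bob = pow(seen_by_bob, y, N)
    return k_alice, k_bob, judy_keys

def fingerprint(key):
    return hashlib.sha256(key.to_bytes(16, "big")).hexdigest()[:16]

def keys_agree(k_alice, k_bob):
    """Comparison the endpoints would make over an authenticated channel (assumed)."""
    return fingerprint(k_alice) == fingerprint(k_bob)

if __name__ == "__main__":
    x, y = pick_secret(), pick_secret()
    ka, kb, _ = exchange(x, y)
    print("direct exchange, keys agree:", keys_agree(ka, kb))
    ka, kb, jk = exchange(x, y, judy=(pick_secret(), pick_secret()))
    print("intercepted, keys agree:", keys_agree(ka, kb))
    print("Judy holds both keys:", jk == (ka, kb))
```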
Key Distribution Center (KDC)
• Alice and Bob need a shared symmetric key.
• KDC: a server that shares a different secret key with each registered user (many users).
• Alice and Bob know their own symmetric keys, $K_{A-KDC}$ and $K_{B-KDC}$, for communicating with the KDC.
[Figure: the KDC holds one key per registered user: $K_{A-KDC}$, $K_{B-KDC}$, $K_{P-KDC}$, $K_{X-KDC}$, $K_{Y-KDC}$, $K_{Z-KDC}$]

Key Distribution Center (KDC)
Q: How does the KDC allow Bob and Alice to determine a shared symmetric secret key to communicate with each other?
  – Alice → KDC: $K_{A-KDC}(A, B)$
  – The KDC generates R1.
  – KDC → Alice: $K_{A-KDC}(R1, K_{B-KDC}(A, R1))$; Alice knows R1.
  – Alice → Bob: $K_{B-KDC}(A, R1)$; Bob knows to use R1 to communicate with Alice.
  – Alice and Bob communicate using R1 as the session key for shared symmetric encryption.
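The KDC exchange above with both sides' messages, as an added example that is not part of the original slides. The `seal`/`unseal` pair is a toy authenticated cipher built from HMAC-SHA256 that stands in for a real symmetric cipher; it, the class and the function names are assumptions made for the illustration.

```python
import hashlib, hmac, json, secrets

def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key, fields):
    """K(fields): toy authenticated encryption standing in for a real AEAD."""
    plain = json.dumps(fields).encode()
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    return (nonce + body + tag).hex()

def unseal(key, blob):
    raw = bytes.fromhex(blob)
    nonce, body, tag = raw[:16], raw[16:-32], raw[-32:]
    good = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified message")
    plain = bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))
    return json.loads(plain)

class KDC:
    def __init__(self):
        self.user_keys = {}                      # one long-term key per user

    def register(self, name):
        self.user_keys[name] = secrets.token_bytes(32)
        return self.user_keys[name]

    def handle_request(self, sender, request):
        a, b = unseal(self.user_keys[sender], request)    # K_A-KDC(A, B)
        if a != sender:
            raise ValueError("request names a different sender")
        r1 = secrets.token_hex(16)                        # KDC generates R1
        ticket = seal(self.user_keys[b], [a, r1])         # K_B-KDC(A, R1)
        return seal(self.user_keys[a], [r1, ticket])      # K_A-KDC(R1, ticket)

def run_protocol():
    kdc = KDC()
    k_a, k_b = kdc.register("Alice"), kdc.register("Bob")
    reply = kdc.handle_request("Alice", seal(k_a, ["Alice", "Bob"]))
    r1_alice, ticket = unseal(k_a, reply)        # Alice knows R1
    peer, r1_bob = unseal(k_b, ticket)           # Bob learns R1 and the peer name
    return {"alice": r1_alice, "bob": r1_bob, "peer": peer,
            "ticket": ticket, "k_a": k_a, "k_b": k_b}
```

Alice forwards the inner ticket without being able to read or alter it, because it is sealed under Bob's key with the KDC.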
Certification Authorities
• Certification authority (CA): binds a public key to a particular entity, E.
• E (person, router) registers its public key with the CA.
  – E provides “proof of identity” to the CA.
  – The CA creates a certificate binding E to its public key.
  – The certificate contains E’s public key, digitally signed by the CA: the CA says “this is E’s public key”.
[Figure: Bob’s public key $K_B^+$ and Bob’s identifying information pass through a digital signature (encrypt) with the CA private key $K_{CA}^-$, giving the certificate for Bob’s public key, signed by the CA]

Certification Authorities
• When Alice wants Bob’s public key:
  – She gets Bob’s certificate (from Bob or elsewhere).
  – She applies the CA’s public key to Bob’s certificate and gets Bob’s public key.
[Figure: Bob’s certificate passes through a digital signature (decrypt) with the CA public key $K_{CA}^+$, giving Bob’s public key $K_B^+$]

A certificate contains
• Serial number (unique to issuer)
• Info about the certificate owner, including the algorithm and the key value itself (not shown)
• Info about the certificate issuer
• Valid dates
• Digital signature by the issuer

Group Key Management: A naïve approach
• Distribution
  – Open a secure channel with each of the members.
  – Send the group key.
    • Complexity: order N, i.e., O(N)
• Rekeying when membership changes
  – Send the new group key separately to each of the remaining members.
    • Complexity: O(N)

Tree-Based Algorithms
• 2 types of keys
  – SEKs (Session Encryption Keys)
  – KEKs (Key Encryption Keys)
• A Group Controller constructs a tree-based hierarchy of KEKs
[Figure: key tree with the Group Controller and the group key at the root, logical entities below it and the members at the leaves; N = number of members, d = tree degree, depth = $1 + \frac{\ln(N)}{\ln(d)}$]

Logical Key Hierarchy (LKH)
• Updates the group key and the key encryption keys by ciphering the key nodes of a hierarchical tree in which the members are located at the leaves.
• Achieves rekeying with only O(log N) messages instead of the O(N) of the naïve approach.
• Different ciphering algorithms can be used (DESede, AES…)

Logical Key Hierarchy (LKH)
• Initialization
[Figure: the GKCs open N secure channels; key tree with K0 at the root, K11 and K12 below it, then K21 to K24, then K31 to K38 at the leaves, one for each of the members M1 to M8]

Logical Key Hierarchy (LKH)
• Leaving member
  – Rekeying messages ($\frac{\ln(N)}{\ln(d)}$) from the GKCs: K34{K0’}, K34{K11’}, K34{K22’}; K21{K0’}, K21{K11’}; K12{K0’}
[Figure: the key tree after the leave, with K0, K11 and K22 replaced by K0’, K11’ and K22’]

Logical Key Hierarchy (LKH)
• Joining member
  – Rekeying messages ($\frac{\ln(N)}{\ln(d)}$) from the GKCs: K31{K21’}, K31{K11’}, K31{K0’}; K21{K21’}; K11{K11’}; K0{K0’}
[Figure: the key tree after the join, with K0, K11 and K21 replaced by K0’, K11’ and K21’; leaves K31 to K38 for members M1 to M8]
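The rekeying sets on the Leaving and Joining slides, computed for any full d-ary key tree, as an added example that is not part of the original slides. It reads K34{K0’} as "K0’ encrypted under K34", groups the new keys by the key that encrypts them, and generalizes the slides' 8-member binary tree; the function names are assumptions made for the illustration.

```python
def depth_of(n_members, d):
    depth = 0
    while d ** depth < n_members:
        depth += 1
    return depth

def name(level, index):
    # Slide naming: K0 is the root, K<level><index> elsewhere (K34 = level 3, node 4).
    return "K0" if level == 0 else f"K{level}{index}"

def path_to_root(leaf, depth, d):
    """(level, index) pairs from a leaf up to the root; indices are 1-based."""
    path = []
    for level in range(depth, -1, -1):
        path.append((level, leaf))
        leaf = (leaf + d - 1) // d
    return path

def leave_rekey(leaf, n_members=8, d=2):
    """Map each encrypting key to the new keys it carries when `leaf` leaves."""
    path = path_to_root(leaf, depth_of(n_members, d), d)
    messages = {}
    for pos, (level, index) in enumerate(path[:-1]):
        new_keys = [name(l, i) + "'" for l, i in path[pos + 1:]]
        first_child = (path[pos + 1][1] - 1) * d + 1
        for sibling in range(first_child, first_child + d):
            if sibling != index:           # never encrypt under a key the leaver holds
                messages[name(level, sibling)] = new_keys
    return messages

def join_rekey(leaf, n_members=8, d=2):
    """New member gets the path keys under its leaf key; others under the old keys."""
    path = path_to_root(leaf, depth_of(n_members, d), d)
    old = [name(l, i) for l, i in path[1:]]
    messages = {name(*path[0]): [k + "'" for k in old]}
    messages.update({k: [k + "'"] for k in old})
    return messages

if __name__ == "__main__":
    for key, payload in leave_rekey(3).items():
        print("leave:", key, "{", ", ".join(payload), "}")
    for key, payload in join_rekey(1).items():
        print("join: ", key, "{", ", ".join(payload), "}")
    print("messages, N=1024:", len(leave_rekey(3, 1024)), "vs naive", 1024 - 1)
```

With the leaf keyed K33 leaving, the output matches the slide: three messages for N = 8, and ten for N = 1024 where the naïve approach sends 1023.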