08.10.2015 s kondakci 1 süleyman kondakcı 08.10.2015 s kondakci 2 brief intro main objectives of...

21.04.23S Kondakci 1

Süleyman Kondakcı


Brief IntroBrief Intro Main objectives of information security Basic functions of cryptology Basic cryptographic systems Symmetric crypography Simple (XOR) encryption Asymmetric crypography and its

application to authentication Confidentiality with asymmetric

crypography Secure message exchange Digital Signature Othe important issues

3

The TrThe Triad iad of of Security Security ObjectObjectivesives

Integrity

Confidentiality

Avalaibility

4

Attacks, MechanismsAttacks, Mechanisms, and, and ServicesServices

Security Attack: Any action that compromises the security of information.

Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack.

Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.

5

Security AttacksSecurity Attacks

Interruption: This is an attack on availability

Interception: This is an attack on confidentiality

Modification: This is an attack on integrity

Fabrication: This is an attack on authenticity

6

Security ServicesSecurity Services

Confidentiality (privacy)

Authentication (who created or sent the data)

Integrity (has not been altered)

Non-repudiation (the order is final)

Access control (prevent misuse of resources)

Availability (permanence, non-erasure)

Denial of Service Attacks

Virus that deletes files


Main Objectives Main Objectives Exapanded(1)Exapanded(1)

1) Confidentiality (Gizlilik)Protecting data from unauthorized disclosure

2) Authentication (Kimlik Doğrulama)Reliably determining the identity of the communicating parts

3) Integrity (Bütünlük sağlama)Ensure that the contents of the traffic are not altered in transmission.

4) Access Control (Erişim kontrolü)Prvent anauthorized users/devices.

5) Traffic Flow Control Trafik akış denetim ve yönetimi


Main Objectives Exapanded Main Objectives Exapanded (2)(2)

6) Availability (Sistem sürekliliği)Güvenlik servislerinde idame

7) Accountability (Gözetleme ve denetleme)Ağ aktivitelerinin taranması ve loglanması

8) Scalability (Ölçeklenebilirlilik)Adding new users/devices should be easy and should not require changes to existing architecture and infrastructure.

10

DefenceDefence Methods Methods

Encryption Authorization: access control file

systems, databases, and operating system controls for protecting users from violating each other’s area)

Authentication Hardware Controls (smartcard) Policies (frequent changes of

passwords) Physical Controls


The Basic Cipher Operator: The Basic Cipher Operator: XORXOR

0

1

1

0

Encoded Text Bit

0

0

1

1

Plaintext Bit

0

1

0

1

Key Bit

Aslo known as Vernam CAslo known as Vernam Ciipherpher


Plaintext 0 1 1 0 0 1 0 1Key 1 0 1 0 0 1 1 1

Ciphertext 1 1 0 0 0 0 1 0

Ciphertext 1 1 0 0 0 0 1 0Key 1 0 1 0 0 1 1 1

Plaintext 0 1 1 0 0 1 0 1

Encrypting and Decrypting with XOREncrypting and Decrypting with XOR


Monoalphabetic Ciphers: Monoalphabetic Ciphers: Cipher ROT13Cipher ROT13

Plaintext Ciphertext

AB...

MN...Z

NO...ZA...

M

$ tr "[a-z][A-Z]" "[n-z][a-m][N-Z][A-M]" < plain_file


Polyalphabetic Substitution Ciphers: Polyalphabetic Substitution Ciphers: Vigenere CipherVigenere Cipher

( ) ( ) mod(26)

( ) ( )mod(26)

C E P P k

P D C C k

P = plain text,P = plain text,

C= Cipher text,C= Cipher text,

E(P) = Encryption,E(P) = Encryption,

D(C) = Decryption.D(C) = Decryption.


FlexibleFlexible CaeserCaeser CipherCipher iin n CC

/** Denmonstration of a flexible shifter function * S. Kondakci/10/5/1996 */void caeser(short c,int shifts){ ifif (('a' <= c && c <= 'z') || ('A' <= c && c <= 'Z')) { int Case = (isupper(c) == 0 ? 122 : 90); if ( shifts + c >= Case) printf("%c",(char)(c-25+shifts)); else putchar(c + shifts); } else if (c == '\n') putchar('\n\n'); else putchar(c);}


Rail fence technique

.hidmtbetsbue

tgnihymhtustL

Plaintext: Plaintext: “Let us bust them by the midnight”“Let us bust them by the midnight”

Ciphertext:Ciphertext:


Rail fence technique with key

Plaintext: Plaintext: “Let us bust them by the midnight”“Let us bust them by the midnight”

Ciphertext: Ciphertext: tedte.uthumnshtbygLtmsbiehitedte.uthumnshtbygLtmsbiehi

Write the plaintext row by row in a rectangle, and cipher the message, column by column.

.

:

253684197:

thgindim

ehtybmeht

tsubsuteLtxetnialP

yeK


CryptographyCryptography Cryptography is the study of mathematical techniques related to

aspects of information security such as confidentiality, data integrity, entity

authentication, and data origin authentication.

Study of cryptography consists of a number of primitives (basic tasks and algorithms) that can be combined to provide a full range of information

security services.


Modern CryptographyModern Cryptography 1977: Data Encryption Standard (DES)

adopted by the U.S. Federal Information Processing for encrypting unclassified information

1976: Diffie and Hellman, introduced the revolutionary concept of public-key cryptography. Security is based on the intractability of the discrete logarithm problem

1978: Rivest, Shamir, and Adleman (RSA), perhaps the most well-known scheme; security is based on the the intractability of factoring large integers.


Model of 2-Party Communication Model of 2-Party Communication Using Encryption Using Encryption


A Taxonomy of Cryptographic A Taxonomy of Cryptographic PrimitivesPrimitives

CCiipher pher TypesTypes

Stream cipher: Encrypts digital data one bit or one byte at a time.

Block cipher: A block of plaintext is treated as a whole and used to produce a ciphertext block of equal length. Typical block sizes are 64 or 128 bits.

22


TerminologyTerminology CryptographyCryptography terminologies :

Encryption/Encipherment Decryption/Decipherment Cryptographic Algorithm/cipher Encryption Key/Decryption KeyBelow a symmetric key scheme using a shared single key for

secure data exchange.

D_keyE_key

Plaintext M

Plaintext M

Plaintext M

Plaintext M

Encryption

Encryption

Decryption

Decryption

C = Ciphertext = E_key(M)C = Ciphertext = E_key(M)

C

M = Plaintext = D_key(C)M = Plaintext = D_key(C)

21.04.23S Kondakci

24

Basic Encryption Basic Encryption TEchniquesTEchniques

Symmetric algorithm Asymmetric algorithm

4/22

Secret key ciphering Public key ciphering


Basic Basic AlgoritAlgorithhmmss Symmetric/Shared key systems

Single key (Secret commonly shared). The single key both ciphers and

deciphers.

Asymmetric/Public key systems: Uses 2 keys:

Private key (Private to the generator) Public key (Distributed to others)

One of the keys ciphers the other deciphers


Symmetric EncryptionSymmetric Encryption

DES, 3DES (Data Encryption Standard) IDEA (International Data Enc. Algorithm) FEAL LOKI LUCIFER RC2 (Rives’t Code ) RC4 RC5


A 2-Party Communication A 2-Party Communication UsingUsing


One of the major problems in symmetric-key systems is to find an efficient method to agree upon and exchange keys



Plaintext M

Plaintext M

Plaintext M

Plaintext M

Same “Secret Key”Same “Secret Key”

Ciphertext C

Ciphertext C Ciphertext

C

Ciphertext C


Encryption—DES and 3 DESEncryption—DES and 3 DES

Widely adopted standard

Encrypts plaintext into ciphertextciphertext

DES performs 16 roundsrounds

Triple DES 168-bit 3DES includes three DES keys

Accomplished on VPN client, server, router, or firewall


Average time required for Average time required for exhaustiveexhaustive key search key search

Key Size (bits)

Number of Alternative Keys

Time required at 106 Decryption/µs

32 232 = 4.3 x 109 2.15 milliseconds

56 256 = 7.2 x 1016 10 hours

128 2128 = 3.4 x 1038 5.4 x 1018 years

168 2168 = 3.7 x 1050 5.9 x 1030 years


Costs/Times to Break DES Costs/Times to Break DES KeysKeys

BudgetBudget 40-Bit40-Bit 56-Bit56-Bit 168-Bit168-Bit3 DES3 DES

Type of Type of AttackerAttacker

IndividualIndividualHackerHacker

DedicatedDedicatedHackerHacker

Intelligence Intelligence CommunityCommunity

$400$400 38 Years38 Years Too LongToo Long

556 Days556 Days 101019 19 YearsYears

2121MinutesMinutes

101017 17 YearsYears$10M$10M 0.020.02SecondsSeconds

$10K$10K 1212MinutesMinutes

5 Hours5 Hours


Asymmetric AlgorithmsAsymmetric Algorithms

A pair of mathematically related keys:

A private key and a public key

Çok kullanılan açık anahtar kripto sistem:

Stanford Üniversitesi’nden Whitfield Diffie ve Martin Hellman 1976 da açık anahtar sistemi buldular.

Rivest Shamir Adleman (RSA)


Authentication with Authentication with Asymmetric AlgorithmsAsymmetric Algorithms

Private KeyPrivate Key

D_keyE_key

Plaintext = M

(kullanıcı Kimliği)

Plaintext = M

(kullanıcı Kimliği)

Plaintext MPlaintext MEncryption

Encryption

Decryption

Decryption

C

Public KeyPublic Key


Confidentiality with Confidentiality with Asymmetric AlgorithmsAsymmetric Algorithms

Public KeyPublic Key

D_keyE_key

Plaintext = M

(Message)

Plaintext = M

(Message)

Plaintext MPlaintext M

Encryption

Encryption

Decryption

Decryption

C

Private KeyPrivate Key


Feistel Cipher StructureFeistel Cipher Structure

Virtually all conventional block encryption algorithms, including DES have a structure first described by Horst Feistel of IBM in 1973

The realization of a Fesitel Network depends on the choice of the following parameters and design features (see next slide):

A simple Feistel System A simple Feistel System


© S. Kondakcı


Feistel Cipher StructureFeistel Cipher Structure Block size: larger block sizes mean greater

security Key Size: larger key size means greater

security Number of rounds: multiple rounds offer

increasing security Subkey generation algorithm: greater

complexity will lead to greater difficulty of cryptanalysis.

Fast software encryption/decryption: the speed of execution of the algorithm becomes a concern


Feistel Cipher DecryptionFeistel Cipher Decryption

Private-Key Cryptography

traditional private/secret/single key cryptography uses one key

shared by both sender and receiver if this key is disclosed

communications are compromised also is symmetric, parties are equal hence does not protect sender from

receiver forging a message & claiming is sent by sender

Public-Key Cryptography

probably most significant advance in the 3000 year history of cryptography

uses two keys – a public & a private keyasymmetric since parties are not equal uses clever application of number

theoretic concepts to functioncomplements rather than replaces

private key crypto

Why Public-Key Cryptography?

developed to address two key issues: key distribution – how to have secure

communications in general without having to trust a KDC with your key

digital signatures – how to verify a message comes intact from the claimed sender

public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976

known earlier in classified community

Public-Key Cryptography

public-key/two-key/asymmetric cryptography involves the use of two keys:

a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures

a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures

is asymmetric because those who encrypt messages or verify signatures

cannot decrypt messages or create signatures

Public-Key Secrecy

b,C =E(PU M) a,M=D(PR C)

Public-Key Authentication

b,C =E(PR M)b,M=D(PU X)

Public-Key Authentication & Secrecy

b, a

a, b

Z=E(PU E(PR ,X))

X =D(PU D(PR ,Z))

Applications for Public-Key Cryptosystems

Three categories: Encryption/decryption: The sender

encrypts a message with the recipient’s public key.

Digital signature: The sender ”signs” a message with its private key.

Key echange: Two sides cooperate two exhange a session key.

Requirements for Public-Key Cryptography

1.Computationally easy for a party B to generate a pair (public key KUb, private key KRb)

2.Easy for sender to generate ciphertext:

3.Easy for the receiver to decrypt ciphertect using private key:

)(MEC KUb

)]([)( MEDCDM KUbKRbKRb

Requirements for Public-Key Cryptography

4. Computationally infeasible to determine private key (KRb) knowing public key (KUb)

5. Computationally infeasible to recover message M, knowing KUb and ciphertext C

6. Either of the two keys can be used for encryption, with the other used for decryption:

)]([)]([ MEDMEDM KRbKUbKUbKRb

Public-Key Cryptographic Algorithms

RSA and Diffie-Hellman RSA - Ron Rives, Adi Shamir and Len

Adleman at MIT, in 1977. RSA is a block cipher The most widely implemented

Diffie-Hellman Echange a secret key securely Compute discrete logarithms

The RSA Algorithm – Key Generation

1. Select p,q p and q both prime2. Calculate n = p x q3. Calculate 4. Select integer e5. Calculate d6. Public Key KU = {e,n}7. Private key KR = {d,n}

)1)(1()( qpn)(1;1)),(gcd( neen

)(mod1 ned

The RSA Algorithm - Decryption

Ciphertext: C

Plaintext: M = Cd (mod n)

The RSA Algorithm - Encryption

Plaintext: M<n

Ciphertext: C = Me (mod n)

Example of RSA Algorithm

Authentication

• Requirements - must be able to verify that:1. Message came from apparent

source or author,2. Contents have not been altered,3. Sometimes, it was sent at a certain time or sequence.

• Protection against active attack (falsification of data and transactions)

Approaches to Message Authentication

Authentication Using Conventional Encryption

Only the sender and receiver should share a key

Message Authentication without Message Encryption

An authentication tag is generated and appended to each message

Message Authentication Code Calculate the MAC as a function of the message

and the key. MAC = F(K, M)

One-way HASH One-way HASH functionfunction

One-way HASH function

Secret value is added before the hash and removed before transmission.


RSA Açık Anahtar İle RSA Açık Anahtar İle ŞifrelemeŞifreleme

EncryptedData

EncryptedData

DataData

To Bob

Alice’s RSA Prv. Key

DataData

Encrp.Data

Encrp.Data

Alice’s RSA Pub. Key

RSA calculationRSA calculation

RSA calculationRSA calculation

One-way Trust Model Information encrypted with the RSA private key can only be decrypted with the matching RSA public key


Example: A trusted Example: A trusted messagingmessaging

Both the message and a session key (S-key) are encrypted and sent to Bob. Bob uses his own public key to decrypt the session key, then uses the decrypted session key to decrypt the message

Ciphertext

S-key Bob’s public key Cipher-key

To Bob

S-key

Plaintext

Ciphertext

Shared session key


Bob Deciphers the Session Bob Deciphers the Session KeyKey

Ciphertext

Bob’s private key

S-key S-key

Bob deciphers

the e

ncrypted

sessi

on

key usin

g his own priv

ate key

and

asymmetr

ic alg

orithm. N

ow he has

the sess

ion key an

d ciphere

d mess

age


Bob Deciphers the Bob Deciphers the MessageMessage

Ciphertext

S-key

Plaintext

Plaintext


Fingerprint: One-way Fingerprint: One-way Hash FunctionsHash Functions

Also called hash function, cryptographic checksum, message integrity check, message digest function

PlaintextPlaintext Finger printFinger print

Fingerprint (also called hash value) is

• always unique for a given message

•one-way; can’t generate plaintext from the hash value


One-way HashOne-way Hash

UnknownPlaintextUnknownPlaintextFinger printFinger print

one-way; can’t generate plaintext from the hash value


Message Digest Message Digest AlgorithmsAlgorithms

(Mesaj Özetleme)(Mesaj Özetleme)

MD4:128-bit hash value, 32-bit register faster than MD2, better security

MD5: Replacement for MD4, solves some weaknesses of MD4

SHA: Secure Hash Algorithm, 160-bit.

HAVAL, SNEFRU, etc ...


Digital SignaturesDigital Signatures(Sayısal İmzalar)(Sayısal İmzalar)

Digital signatures ensure: message integrity integrity (not modified in (not modified in

transit)transit) identityidentity of the sender (Sender’s private

key) non-repudiationnon-repudiation 0000123

SHA, DH, 3837829 …

1/1/93 to 12/31/98

Alice Smith, Acme Corp

DH, 3813710 ...

Acme Corporation, Security Dept.

SHA, DH, 2393702347 ...

Message

Digital certificate


Digital SignaturesDigital Signatures

To verify the signature of the message both the sender and receiver create digest messages.

Sender’s public key

Receiver GeneretedDigest

Sender GeneretedDigest

Digest

Digest

Digest

Comparator

TRUE

FALSE

At the Receiver’s Side

Digest DigestTo the Receiver

At the Sender’s Side Sender’s private key


That’s all Folks! That’s all Folks!

Süleyman Kondakcı:[email protected]

08.10.2015 s kondakci 1 süleyman kondakcı 08.10.2015 s kondakci 2 brief intro main objectives of...

Documents