254542 Networks Management and Security
Lecture 2
June 25th & 30th 2005
Cryptography
• E = Encryption, D = Decryption
• K1 and K2 = Encryption and Decryption keys
• m = message or plaintext
• E(m, K1) = ciphertext
• D(E(m, K1), K2) = m
[Diagram: Plaintext → E (key K1) → Ciphertext → D (key K2) → Plaintext]
Secret-Key Cryptography
• Both parties share the same key, K1 = K2
• a.k.a. Symmetric Cryptography
• Secrecy can be achieved by
– Information theory, e.g. one-time pad
– Computational complexity, e.g. DES, AES, etc.
Information Theoretical Secrecy
• A key is …
– known to both parties
– as long as the message
– used only once for each message being sent
• Theoretically unbreakable
One Time Pad
• Let
– A = Alice, B = Bob
– m = message/plaintext, c = ciphertext, k = key
– L = length of text, ⊕ = bitwise exclusive-or
– L(m) = L(k)
• Then
– c = m ⊕ k
– c ⊕ k = (m ⊕ k) ⊕ k = m
Advantages of One Time Pad
• Perfect secrecy
• If the pad is never used again, no more knowledge about m can be gained
– If c is known, any message can be derived using an arbitrary k (i.e. m = c ⊕ k)
• Note: a two-time pad allows some knowledge of the messages
– c1 ⊕ c2 = (m1 ⊕ k) ⊕ (m2 ⊕ k) = m1 ⊕ m2
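Added example (not part of the original lecture): the one-time pad identities above in Python, including the "any message can be derived" property and what pad reuse gives away. The function names and the sample messages are constructed for illustration.

```python
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise exclusive-or; the pad must satisfy L(m) = L(k)."""
    if len(a) != len(b):
        raise ValueError("lengths differ: one-time pad needs L(m) = L(k)")
    return bytes(x ^ y for x, y in zip(a, b))

def otp(data: bytes, k: bytes) -> bytes:
    """c = m XOR k, and m = c XOR k: the same operation both ways."""
    return xor(data, k)

def key_explaining(c: bytes, candidate: bytes) -> bytes:
    """Perfect secrecy: some key maps c to ANY candidate of equal length."""
    return xor(c, candidate)

def differing_positions(c1: bytes, c2: bytes) -> list:
    """Pad reuse: c1 XOR c2 = m1 XOR m2, so the key cancels out and
    every non-zero byte marks a position where the plaintexts differ."""
    return [i for i, b in enumerate(xor(c1, c2)) if b]

def recover_other(c1: bytes, c2: bytes, known_m1: bytes) -> bytes:
    """Pad reuse plus one known plaintext reveals the other message."""
    return xor(xor(c1, c2), known_m1)

# Constructed sample messages of equal length (16 bytes each).
M1 = b"TRANSFER 100 EUR"
M2 = b"TRANSFER 900 USD"

if __name__ == "__main__":
    k = secrets.token_bytes(len(M1))          # fresh random pad
    c1, c2 = otp(M1, k), otp(M2, k)           # k wrongly used twice
    assert otp(c1, k) == M1
    fake = b"NOTHING TO SEE.."
    assert otp(c1, key_explaining(c1, fake)) == fake
    print("plaintexts differ at", differing_positions(c1, c2))
    print("recovered:", recover_other(c1, c2, M1))
```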
Disadvantages of One Time Pad
• More keys are used up as more messages are sent
• Keys are too long
• Key management is difficult
• An alternative way to achieve secrecy is through computational complexity
Computation Complexity
• Assumption: “It is too hard and would take too long to decrypt a message”
– Unproven but generally believed to be true
• Easier to manage and implement
Computational Security
• Block cipher
– Data Encryption Standard (DES)
– Triple DES
– Advanced Encryption Standard (AES)
  • Rijndael encryption
• Stream cipher
– RC4
Stream cipher
• Operate on small units of plaintext (bits)
• c1 may not be equal to c2 even if m1 = m2 and k1 = k2
– Encryption time is also important
• Faster than block cipher
• Approximation of the one-time pad
• Mostly synchronous stream cipher
– K (keystream) is independent of m and c
DES
• Most widely used block cipher (e.g. in banking, government, etc)
• Both parties share a 64-bit key
• Every 8th bit in the key is unused (making only 56 bits effective)
• 64-bit blocks
• 16 rounds (iterative encryption)
First step of DES
• M = 0000 0001 0010 0011 0100 0101 0110 0111 (L)
      1000 1001 1010 1011 1100 1101 1110 1111 (R)
  (L and R are both 32 bits long)
• K64 = 00010011 00110100 01010111 01111001 10011011 10111100 11011111 11110001
• PC-1
  57 49 41 33 25 17  9
   1 58 50 42 34 26 18
  10  2 59 51 43 35 27
  19 11  3 60 52 44 36
  63 55 47 39 31 23 15
   7 62 54 46 38 30 22
  14  6 61 53 45 37 29
  21 13  5 28 20 12  4
• After the PC-1 permutation:
  K56 = 1111000 0110011 0010101 0101111 (C0)
        0101010 1011001 1001111 0001111 (D0)
* note: example from http://www.aci.net/kalliste/des.htm
Find Cn & Dn
Round #         1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
# Left Shifts   1  1  2  2  2  2  2  2  1  2  2  2  2  2  2  1
Cn = Cn-1 << (number of left shifts for round n)
Dn = Dn-1 << (number of left shifts for round n)
1 <= n <= 16
C0 and D0 are known
Find Kn
• PC-2
  14 17 11 24  1  5
   3 28 15  6 21 10
  23 19 12  4 26  8
  16  7 27 20 13  2
  41 52 31 37 47 55
  30 40 51 45 33 48
  44 49 39 56 34 53
  46 42 50 36 29 32
• Kn = CnDn with PC-2 permutation
• Each Kn is 48 bits long
Initial Permutation (IP)
• Perform IP permutation on M
IP
58 50 42 34 26 18 10 2
60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6
64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1
59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5
63 55 47 39 31 23 15 7
• Get L0 and R0 (32 bits each)
Encoding
• For n = 1 to 16 do
– Ln = Rn-1
– Rn = Ln-1 + f(Rn-1, Kn) (+ here is bitwise exclusive-or)
• This will result in L16R16
• Reverse to R16L16
• Apply final permutation IP-1
Modes of Operation
• Electronic Codebook (ECB)
– Each block is encrypted independently
– Shortcoming???
• Cipher Block Chaining (CBC)
– Most widely used
– Avoid some problems in ECB (how?)
• Cipher Feedback (CFB)
– Allow shorter keys
[Diagram: plaintext blocks m1, m2, m3 encrypted under key k into ciphertext blocks c1, c2, c3, with an IV and + nodes]
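Added example (not part of the original lecture), covering both the Encoding slide and the Modes of Operation slide: a 16-round Feistel network using the rule Ln = Rn-1, Rn = Ln-1 XOR f(Rn-1, Kn), run in ECB and CBC mode to show the ECB shortcoming. The round function and key schedule are stand-ins built from SHA-256 (assumptions, not the DES f or PC-1/PC-2), the IP permutations are omitted, and the key and message are constructed.

```python
import hashlib, hmac

BLOCK = 8                                   # 64-bit blocks, as in DES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def f(right, round_key):
    # Stand-in round function (assumption, NOT the DES f): truncated HMAC-SHA256.
    return hmac.new(round_key, right, hashlib.sha256).digest()[:4]

def round_keys(key, rounds=16):
    # Toy key schedule (assumption): one derived key Kn per round.
    return [hashlib.sha256(key + bytes([n])).digest() for n in range(1, rounds + 1)]

def feistel(block, keys):
    left, right = block[:4], block[4:]      # L0, R0 (32 bits each)
    for kn in keys:                         # Ln = Rn-1 ; Rn = Ln-1 XOR f(Rn-1, Kn)
        left, right = right, xor(left, f(right, kn))
    return right + left                     # reverse L16R16 to R16L16

def encrypt_block(block, key):
    return feistel(block, round_keys(key))

def decrypt_block(block, key):
    return feistel(block, round_keys(key)[::-1])   # same network, keys reversed

def split(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(msg, key):
    return b"".join(encrypt_block(m, key) for m in split(msg))

def cbc_encrypt(msg, key, iv):
    out, prev = [], iv
    for m in split(msg):                    # c_i = E_k(m_i XOR c_{i-1}), c_0 = IV
        prev = encrypt_block(xor(m, prev), key)
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ct):
    b = split(ct)
    return len(b) - len(set(b))             # > 0: equal plaintext blocks are visible

KEY = b"constructed key"                    # constructed sample values
MSG = b"PAY 100 " * 3 + b"TO BOB.."         # m1 = m2 = m3; length is a multiple of 8
```

With these values, ECB produces three identical ciphertext blocks for the three identical plaintext blocks, while CBC with any IV produces four distinct blocks.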
Using DES securely
• Avoid using weak and semi-weak keys
– 4 weak keys: Ek(Ek(m)) = m
– 12 semi-weak keys: Ek1(Ek2(m)) = m
– Thus, 2^-52 probability of picking weak and semi-weak keys
• Change DES key frequently
• But is it practical? (e.g. in encrypting hard disk files)
– Possible solutions?
Cracking DES
• Brute force – using exhaustive search in 2^56 key space
• Differential cryptanalysis
– Chosen plaintext is encrypted
– Reduce the number of keys to 2^47
• Linear cryptanalysis
– Linear approximation of encryption key
– 2^43 keys
Double DES
• Encrypt twice using two 56-bit keys = Regular DES with 112-bit key?
[Diagram: m (64 bits) → E with k1 (56 bits) → Ek1(m) (64 bits) → E with k2 (56 bits) → Ek2(Ek1(m)) (64 bits)]
• No, it is vulnerable to meet-in-the-middle attack
– Encrypt with all possible K1s
– Decrypt with all possible K2s
• Effective search space = O(2^56)
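Added example (not part of the original lecture): why doubling the key does not double the strength, shown on a toy cipher with 10-bit keys so that it runs instantly. The cipher enc/dec is a constructed stand-in (not DES), and all names are assumptions; the point is the work count of about 2 x 2^10 cipher operations instead of 2^20.

```python
MASK = 0xFFFF          # toy 16-bit block
KEY_BITS = 10          # toy key size (DES: 56)

def rotl(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK

def rotr(x, n):
    return ((x >> n) | (x << (16 - n))) & MASK

def enc(x, k):
    # Toy invertible cipher (assumption, not DES): 4 rounds of add, rotate, xor.
    for r in range(4):
        x = rotl((x + k * (r + 1)) & MASK, 5) ^ (k << 3)
    return x

def dec(y, k):
    for r in reversed(range(4)):
        y = (rotr(y ^ (k << 3), 5) - k * (r + 1)) & MASK
    return y

def double_enc(m, k1, k2):
    return enc(enc(m, k1), k2)

def meet_in_the_middle(pairs):
    """pairs: known (plaintext, ciphertext) pairs under one (k1, k2).
    Returns (candidate key pairs, cipher operations spent on the search)."""
    (m, c), rest = pairs[0], pairs[1:]
    table = {}
    for k1 in range(1 << KEY_BITS):             # encrypt m with all possible K1s
        table.setdefault(enc(m, k1), []).append(k1)
    work, found = 1 << KEY_BITS, []
    for k2 in range(1 << KEY_BITS):             # decrypt c with all possible K2s
        work += 1
        for k1 in table.get(dec(c, k2), []):    # the two halves meet in the middle
            # extra known pairs filter out accidental matches
            if all(double_enc(mi, k1, k2) == ci for mi, ci in rest):
                found.append((k1, k2))
    return found, work
```

The cost that replaces the missing key bits is memory: the table holds one entry per possible K1, which for real DES means 2^56 stored values.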
Triple DES
• C = Ek1 (Dk2 (Ek1 (m)))
• Backward compatible
• If k1 = k2, it is a regular DES
• Key space = 2^112
Authentication in Secret-key Cryptography
• Message Authentication Code (MAC) is computed (a.k.a. checksum)
– Digital signature is for public-key cryptography
• Unconditionally secure MAC
– MAC(M, K’) where K’ = authentication key
– K’ cannot be reused
[Diagram: message, M → MAC(M, K’)]
Hash function-based MAC
• Hash function, H
– Input can be of any length
– Output is of fixed size (smaller than m)
– Output string is called hash value (or message digest), h = H(m)
– H is relatively easy to compute
– One-way (when h = H(x), x is hard to find)
– Collision free, i.e. given x, it is hard to find y such that H(x) = H(y)
• Well known hash functions are MD2, MD5, SHA
ANSI X9.17
• Key management standard for secret-key cryptography
• Primarily designed for financial institutions
– Large amount of transactions
– Frequently updated keys
• Use three-level hierarchy of keys
– Master key (KKM) is manually distributed
– Key-encrypting keys (KEK) are distributed online
– Data keys (KDs) are also distributed online
• X9.42 (for Diffie-Hellman), X9.44 (for RSA)
Public-Key Cryptography
• K1 ≠ K2, asymmetric cryptography
• Increase security and convenience
• No key transmission
• Slower than secret-key cryptography
• Provide digital signature that cannot be repudiated (unlike secret-key cryptography, why?)
[Diagram: m → E with public key, p → Ep(m) → D with private key, s → M = Ds(Ep(m))]
Questions
• Which cryptography is suitable for a computer lab?
• Password file in Unix?
• Large system?
• Hybrid scheme
– Use public-key cryptography to establish a secret key
Reading
• Michael J. Wiener, “Efficient DES key search,” 1993
• Phillip Rogaway, “The Security of DESX,” 1996