Communication System Security - GBV · 2013-07-25


Post on 10-Feb-2021

TRANSCRIPT

  • CHAPMAN & HALL/CRC

    CRYPTOGRAPHY AND NETWORK SECURITY

    Communication System Security

    Lidong Chen, National Institute of Standards and Technology, Gaithersburg, Maryland, USA

    Guang Gong, University of Waterloo, Ontario, Canada

    CRC Press, Taylor & Francis Group, Boca Raton London New York

    CRC Press is an imprint of the Taylor & Francis Group, an Informa business

    A CHAPMAN & HALL BOOK

  • Contents

    Preface xvii

    Acknowledgments xix

    1 Introduction 1

    1.1 Nodes, Links, and Layers 1

    1.2 Information Security Objectives and Protection Mechanisms 3

    1.2.1 Confidentiality 4

    1.2.2 Integrity and Authenticity 6

    1.3 Trust Model 8

    1.4 Threat Model 9

    1.4.1 Computation Power of Attackers 9

    1.4.2 Physical Vulnerability 9

    1.4.3 Jamming and Intrusion 10

    1.4.4 The Man-in-the-Middle Attacks 10

    1.5 Communication System Security 11

    1.5.1 Trusted Platform 11

    1.5.2 Protected Communications 13

    I Practical Cryptography Primitives 15

    2 Pseudorandom Sequence Generators 19

    2.1 Feedback Shift Register Sequences 20

    2.1.1 Feedback Shift Registers 20

    2.1.2 Efficient Hardware Implementation for FSRs 27

    2.1.3 LFSR and m-Sequence Generators 27

    2.2 Linear Spans and Berlekamp-Massey Algorithm 31

    2.2.1 Discrepancy Sequences 32

    2.2.2 Updating LFSRs from Discrepancy 33

    2.2.3 Generation of a Discrepancy Table 34

    2.2.4 A Procedure of the BM Algorithm 36

    2.2.5 Linear Span Attacks 37


    2.3 Randomness Criteria of a PRSG 37

    2.3.1 Correlation Functions of Sequences 38

    2.3.2 Golomb's Randomness Postulates 40

    2.3.3 One-Time Pad and Randomness Criteria 42

    2.4 Randomness Properties of m-Sequences 43

    2.5 Nonlinear Generators 45

    2.5.1 Filtering Sequence Generators 46

    2.5.2 Combinatorial Sequence Generators 49

    2.5.3 Clock-Control Generators and Shrinking Generators 52

    2.6 Blum-Blum-Shub (BBS) Generators 55

    2.6.1 Scheme of x^2 mod N Generator 55

    2.6.2 Randomness Properties of BBS Generators 56

    2.7 Security Modes of PRSGs 57

    2.7.1 Scrambler Mode for Randomization 57

    2.7.2 Scrambler Mode for Integrity Check 60

    2.8 Known Attacks 62

    2.8.1 Attacking Scenarios 62

    2.8.2 Correlation Attack 63

    2.8.3 A Glance at Algebraic Attacks 68

    2.8.4 Selective Discrete Fourier Transform (DFT) Attacks 73

    2.8.5 A General Model for Solving Equations Related Attacks 81

    Notes 82

    Exercises 83

    Bibliography 87

    3 Design of Stream Ciphers 91

    3.1 Design Principles of Stream Ciphers 92

    3.1.1 Two Phases in Stream Cipher 93

    3.1.2 Design Principles 94

    3.1.3 Finite State Machine and Stream Cipher 95

    3.2 Stream Ciphers in Communication Systems 96

    3.2.1 A5/1 in GSM System 97

    3.2.2 w7 — An Analogue Cipher of A5/1 101

    3.2.3 E0 in Bluetooth Standard 102

    3.2.4 RC4 in WEP 105

    3.3 WG Stream Cipher 107

    3.3.1 Description of WG Cipher 109

    3.3.2 Key Initialization and Running Phases 112

    3.3.3 Randomness Properties of WG Ciphers 113

    3.3.4 A Concrete Design of WG(29,11) 114

    3.4 Grain and Grain-Like Generators 117

    3.4.1 Grain 2 Key Stream Generator 117

    3.4.2 Grain-Like Generator Using NLFSR Masked by LFSR 120

    3.5 Trivium and Trivium-Like Generators 122

    3.5.1 Description of Trivium-Like Generator 122


    3.5.2 Key Initialization and IV in Trivium 124

    3.5.3 Periods of Trivium-Like Generator 124

    3.6 Snow 3G 125

    3.6.1 Description of Snow 3G 126

    3.6.2 Key Initialization and Running Phases 128

    3.6.3 Randomness Properties 129

    3.7 AIDA/Cube Attacks 129

    3.7.1 Reed-Muller Transform of Boolean Functions 130

    3.7.2 RMT Spectrum Used in AIDA/Cube Attacks 131

    3.7.3 Procedure of AIDA/Cube Attacks 133

    Notes 135

    Exercises 135

    Bibliography 140

    4 Design of Block Ciphers, Hash Functions, and MAC 143

    4.1 Design Principles of Block Ciphers 144

    4.1.1 Diffusion and Confusion in the Design of Block Ciphers 144

    4.1.2 Structure of Block Ciphers 146

    4.2 DES (Data Encryption Standard, NIST 1976) 147

    4.2.1 Permutations at Front-End and Key Schedule 147

    4.2.2 Feedback f and S-Boxes 149

    4.2.3 Spectral Properties of S-Box 3 152

    4.2.4 Triple-DES 153

    4.3 AES (Advanced Encryption Standard) Rijndael 155

    4.3.1 Rijndael's Operators 156

    4.3.2 Rijndael Encryption and Decryption 160

    4.3.3 Word-Operation of AES Rijndael 161

    4.4 Encryption Modes 162

    4.4.1 Block Cipher Modes 162

    4.4.2 Block Cipher Implemented as Stream Cipher Modes . . 163

    4.5 Hash Functions 165

    4.5.1 MD5 and SHAs 166

    4.5.2 Description of Secure Hash Algorithm (SHA-1) 167

    4.6 Message Authentication Code (MAC) 170

    4.6.1 XorMAC 171

    4.6.2 CBC-MAC 173

    4.6.3 NMAC and HMAC 173

    4.6.4 Modes of Encryption and Authentication 174

    4.6.5 Conversions among Symmetric-Key Algorithms 175

    4.7 Birthday Attack and Time-Memory Trade-Off Attacks 176

    4.7.1 Birthday Problem 176

    4.7.2 Time-Memory Trade-off Attack 177

    Notes 177

    Exercises 178

    Bibliography 180


    5 Public-Key Cryptographic Algorithms 185

    5.1 Security of Public-Key Cryptography 186

    5.2 Diffie-Hellman Key Exchange 187

    5.3 RSA Encryption and Digital Signature 189

    5.3.1 Some Results in Number Theory 189

    5.3.2 RSA Encryption 191

    5.3.3 RSA Digital Signature Algorithm (RSA-DSA) 193

    5.3.4 Speed-Up RSA Using Chinese Remainder Theorem (CRT) 195

    5.4 ElGamal Digital Signature Algorithm and Digital Signature Standard 196

    5.4.1 ElGamal DSA 196

    5.4.2 How to Attack ElGamal DSA 198

    5.4.3 DSS (Digital Signature Standard) 199

    5.5 Elliptic Curve Digital Signature Algorithm (EC-DSA) 201

    5.5.1 Elliptic Curves over Finite Fields 202

    5.5.2 EC-DSA (IEEE P1363/D4, 1998) 205

    5.6 Identity-Based Cryptography from Bilinear Pairing 207

    5.6.1 Pre-Shared Secret Keys and Identity-Based Encryption Scheme 208

    5.6.2 Features of IBC 211

    5.6.3 Distinctive Features of IBC Schemes 211

    5.6.4 Key Escrow and Other Problems 213

    Notes 213

    Exercises 214

    Bibliography 216

    II Security Mechanisms and Protocols 221

    6 Security Infrastructure 225

    6.1 Infrastructure Support 225

    6.2 Authentication Server 226

    6.2.1 Entity Authentication 226

    6.2.2 Access Authentication and Backend Server 228

    6.3 Certificate Authority 230

    6.3.1 Public-Key Certificate 232

    6.3.2 Certificate Chain and Revocation 232

    6.4 Key Generation and Distribution Server 234

    6.4.1 Public/Private Key Pair Generation 234

    6.4.2 Key Escrow 235

    6.4.3 Symmetric Key Generation and Distribution 236

    6.5 Signing Server 237

    6.5.1 Signature for Authorized Software 237

    6.5.2 Signature for Copyrights 237


    Notes 238

    Exercises 238

    Bibliography 239

    7 Establish Protected Communications 241

    7.1 Mutual Authentication 242

    7.2 Key Establishment 252

    7.2.1 Authenticated Key Establishment 252

    7.2.2 Key Derivation and Key Confirmation 254

    7.2.3 Perfect Forward Secrecy 256

    7.2.4 Man-in-the-Middle Attack 258

    7.2.5 Key Agreement with Implicit Authentication 259

    7.3 Cryptographic Algorithm Negotiation 261

    7.4 Protected Communications 264

    Notes 267

    Exercises 268

    Bibliography 271

    8 Network Security Protocols 273

    8.1 Internet Security Protocols 274

    8.1.1 Security Associations (SAs) 275

    8.1.2 Internet Key Exchange Version 2 (IKEv2) 276

    8.1.3 IPsec Modes 286

    8.1.4 Authentication Header (AH) 288

    8.1.5 Encapsulating Security Payload (ESP) 289

    8.2 Transport Layer Security (TLS) 291

    8.2.1 TLS Handshake 292

    8.2.2 Hellos and TLS Cipher Suites 293

    8.2.3 Key Exchange and Key Establishment 294

    8.2.4 Certificate and Authentication 296

    8.2.5 Finished and Post-Verification 297

    8.2.6 Application Data Protection 297

    8.2.7 Use TLS to Secure HTTP 298

    8.3 The Secure Shell (SSH) 299

    8.3.1 SSH Transport Protocol 300

    8.3.2 Plaintext Recovery Attacks against SSH 302

    8.4 Hop-by-Hop versus End-to-End Protection 304

    8.4.1 Hop-by-Hop Protection 307

    8.4.2 End-to-End Protection 308

    8.5 Intra-Domain versus Inter-Domain Protection 309

    8.5.1 Intra-Domain Protection 310

    8.5.2 Inter-Domain Protection 311

    8.5.3 Virtual Private Network (VPN) 312

    8.6 Network Domain Security in Cellular Systems 313

    8.6.1 Security Protocol for MAP (MAPsec) 315

    8.6.2 IP-Based Network Domain Security 316

    Notes 317

    Exercises 318

    Bibliography 320

    III Wireless Security 323

    9 Network Access Authentication 327

    9.1 Basic Concepts in Access Authentication 329

    9.1.1 Generalized Model for Access Authentication 330

    9.1.2 Point of Attachment (PoA) 331

    9.1.3 Access Authentication Methods 332

    9.1.4 Key Establishment and Key Hierarchy 338

    9.1.5 Practical Access Authentication Protocols 344

    9.2 Authentication and Key Agreement (AKA) in 3G and LTE 346

    9.2.1 UMTS Network Architecture 347

    9.2.2 Long-Term Credentials 348

    9.2.3 Authentication Vectors 348

    9.2.4 UMTS Access Authentication Protocol 351

    9.2.5 Sequence Number Resynchronization 353

    9.2.6 AKA in 3GPP2 354

    9.2.7 AKA Security Discussion 355

    9.2.8 AKA Evolution in LTE 357

    9.3 Authentication, Authorization, and Accounting (AAA) 361

    9.3.1 Remote Authentication Dial-In User Service (RADIUS) 362

    9.3.2 RADIUS Messages and Attributes 363

    9.3.3 RADIUS Protocol Protections 365

    9.3.4 Use RADIUS for PAP and CHAP 367

    9.3.5 Vulnerabilities, Challenges, Limitations, and Evolutions 369

    9.3.6 Diameter 371

    9.4 Extensible Authentication Protocol (EAP) 375

    9.4.1 EAP Entities and Messages 376

    9.4.2 EAP Transport Mechanisms in Pass-Through Mode 377

    9.4.3 EAP Exported Keys 379

    9.4.4 EAP-TLS 380

    9.4.5 EAP-AKA 383

    9.4.6 Tunneled EAP Methods 386

    9.4.7 EAP Security Claims and Pitfalls 391

    Notes 393

    Exercises 394

    Bibliography 397


    10 Wireless Network Security 401

    10.1 Special Aspects of Wireless Protection 402

    10.1.1 Key Establishment for Wireless Link 402

    10.1.2 Bandwidth Efficiency 403

    10.1.3 Throughput and Processing Efficiency 404

    10.1.4 Vulnerabilities 404

    10.2 UMTS and LTE Air Link Protection 405

    10.2.1 Protocol Structure and Protection Profile 406

    10.2.2 Secure Mode Setup 409

    10.2.3 Encryption of User Data and Control Signals 411

    10.2.4 Integrity Protection and Local Authentication 414

    10.2.5 Protections for LTE 419

    10.3 IEEE 802.11 Security Solutions 420

    10.3.1 Wired Equivalent Privacy (WEP) 422

    10.3.2 Authentication and Key Establishment 426

    10.3.3 Wireless Protection Mechanism — CCMP 430

    10.3.4 TKIP for Backward Compatibility 432

    Notes 434

    Exercises 435

    Bibliography 436

    11 Security for Mobility 439

    11.1 Challenges in Establishing Protection for a Mobile Node 442

    11.2 Secure Handover in UMTS and LTE 445

    11.3 Options for Fast Authentication 448

    11.3.1 Pre-Authentication 449

    11.3.2 Re-Authentication 452

    11.3.3 Protection Setup and Session Key Derivation 456

    11.3.4 Applicable Scenarios for Fast Authentication 457

    11.4 Secure Fast BSS Transition in IEEE 802.11 459

    11.4.1 Key Hierarchy for Fast BSS Transition 461

    11.4.2 Fast BSS Transition 463

    11.5 Security in Mobile IP — Mobility Information Protection 468

    11.5.1 Introduction to IP Routing and Mobile IP 468

    11.5.2 Security for Mobile IPv4 472

    11.5.3 Return Routability — Security in Mobile IPv6 483

    11.5.4 Mobile IP Deployment and Proxy Mobile IP 491

    11.6 Media Independent Handover — Service Protection 493

    11.6.1 Establish MIH Data Protection 495

    11.6.2 Rely on Protections Provided in Transport Protocols . . 497

    Notes 498

    Exercises 498

    Bibliography 500

    12 Broadcast and Multicast Key Distribution and Authentication 503

    12.1 Basic Models for Multicast Key Distribution 503

    12.1.1 Key Sharing Scenarios 505

    12.1.2 A Naive Protocol 507

    12.2 Logic Key Tree Based Multicast Key Distribution 509

    12.2.1 Basic Concepts of Graph Theory 510

    12.2.2 Tree Topology-Based Multicast Key Distribution Protocol 511

    12.2.3 Performance Evaluation 520

    12.3 Hash Chain Based Authentication 523

    12.3.1 Hash Chains 524

    12.3.2 Hash Chain Based Message Authentication 525

    12.3.3 Hash Chain Based Access Authentication 526

    12.4 Merkle Trees for Authentication 528

    Notes 531

    Exercises 532

    Bibliography 533

    IV System Security 535

    13 Trusted Platform 539

    13.1 The Platform 539

    13.2 Introduction to Trusted Platform 542

    13.2.1 Threats to a Platform 543

    13.2.2 Primary Objectives 546

    13.2.3 Challenges 548

    13.3 Trust Principles and Basic Mechanisms 549

    13.3.1 Root of Trust 549

    13.3.2 Transitive Trust Principle 550

    13.3.3 Secure Boot 551

    13.3.4 Validation and Authorization 555

    13.3.5 Authenticate to Remote Parties 556

    13.4 Technologies and Methodologies for Trusted Platforms 560

    13.4.1 One-Time Programmable Memory 561

    13.4.2 Tamper Response Hardware 562

    13.4.3 Secure Storage 562

    13.4.4 Protected Execution 563

    13.5 Trusted Platform in Practice 565

    13.5.1 Trusted Platform Module (TPM) 566

    13.5.2 Trusted Platform for Mobile Device 575

    Notes 580

    Exercises 580

    Bibliography 581


    14 Physical-Layer Security 583

    14.1 Shannon's Perfect Secrecy 585

    14.1.1 A Little Knowledge of Entropy Functions 585

    14.1.2 Shannon's Perfect Secrecy Channel 587

    14.1.3 Perfect Secrecy and Modern Cryptography 588

    14.1.4 Comparisons with Quantum Cryptography 589

    14.2 Wyner's Wiretap Channel 589

    14.2.1 Equivocation Rate 590

    14.2.2 Achievable Secrecy of Wiretap Channels 591

    14.3 Wiretap Codes for Achievable Secrecy Using Parity Check Codes 594

    14.3.1 Parity Sets 594

    14.3.2 Encoder and Decoder of Wiretap Parity Codes 595

    14.3.3 Equivocation Rate of Wiretap Parity Codes 596

    14.4 Wiretap Codes for Achievable Secrecy Using Linear Codes 599

    14.4.1 Some Basic Concepts about ECC 599

    14.4.2 Cosets of Linear Codes 604

    14.4.3 Encoder and Decoder of Wiretap Linear Codes 605

    14.4.4 Equivocation Rate of Wiretap Linear Codes 607

    14.5 Other Methods for Physical-Layer Security 611

    14.5.1 MIMO-Based Approaches 611

    14.5.2 Smart Antenna Approaches 613

    14.5.3 Exploiting Randomness of Signals and Channels 613

    Notes 614

    Exercises 614

    Bibliography 616

    15 Spread-Spectrum Techniques for Anti-Jamming Attacks 619

    15.1 Some Basic Concepts of Digital Communications 620

    15.1.1 Digital Modulation Techniques 621

    15.1.2 Modulation and Demodulation 621

    15.1.3 Performance of Modulation Schemes 623

    15.1.4 Spread-Spectrum Systems 625

    15.1.5 Autocorrelation and Power Spectral Density of PN-Sequences 628

    15.2 BPSK Direct-Sequence Spread-Spectrum Systems 631

    15.2.1 DS-BPSK Signals and Bandwidth 632

    15.2.2 DS-BPSK Modulation and Demodulation 635

    15.2.3 Synchronization 638

    15.3 Frequency-Hopping Spread Spectrum 640

    15.3.1 FH-MFSK Signals and Frequency Hopping Sequences 641

    15.3.2 FH-MFSK Modulation and Demodulation 642

    15.3.3 Examples of Slow FH and Fast FH Systems 642

    15.4 The Jamming Attacks 647

    15.4.1 Assumptions and Definitions of a Jamming Game 647

    15.4.2 Full Band and Partial Band Jamming Attacks 650

    15.4.3 Pulse Jamming Attacks 650

    15.4.4 Single Tone and Multitone Jamming Attacks 651

    15.4.5 Repeat-Back (or Reactive) Jamming Attacks 652

    15.5 Code-Division Multiple Access (CDMA) and Jamming Capacity 655

    15.5.1 Multiple Access Interference and System Models 656

    15.5.2 DS-CDMA Transmitters and Receivers 658

    15.5.3 Selection Criteria of Spreading PN Sequences 660

    15.5.4 Revisit of Countermeasures for Repeat-Back Jammers 665

    15.5.5 Interference Limitation and Jamming Capacity 667

    15.5.6 Random Code Spread-Spectrum Systems 669

    15.5.7 An Abstract Interpretation of Spread-Spectrum Systems 670

    15.6 Bloom Filters and Or-Channel Schemes 674

    15.6.1 Bloom Filters for Membership Verification 674

    15.6.2 Or-Channel Coding for Spread Spectrum without Pre-Shared PN Sequences 678

    15.6.3 Probability of Jamming Errors in Or-Channel Coding Schemes 685

    15.6.4 Some Comparisons with DS/DS-CDMA Systems 688

    Notes 690

    Exercises 691

    Bibliography 695

    APPENDICES 697

    A Computations in Finite Fields 699

    A.1 Prime Finite Fields 699

    A.2 Binary Extension Fields 700

    A.3 Properties of Finite Fields 702

    A.4 Trace Functions, Cosets, Relationship with m-Sequences and Subfields 703

    A.5 Finding a Primitive Polynomial over GF(2^k) of Degree m by Factorization 706

    B Some Mathematical Formulae 707

    B.1 Number of Boolean Functions 707

    B.2 Computation of Euler Function 708

    B.3 Algebraic Immunity 708

    C Signals and Spectra in Physical Layer 709

    C.1 Deterministic Signals 709

    C.1.1 Energy and Power 709

    C.1.2 Linear Time Invariant Systems 710

    C.1.3 Fourier Transform 710

    C.1.4 Energy and Power Spectral Density 712

    C.1.5 Autocorrelation 713

    C.2 Random Signals 713

    C.2.1 Autocorrelation and Crosscorrelation of Random Processes 713

    C.2.2 Wide-Sense Stationary Processes 714

    C.2.3 Power Spectral Density of WSS Processes 714

    C.3 Definitions of the Bandwidth 715

    Index 717