CSCE 790:Computer Network Security

Chin-Tser Huanghuangct@cse.sc.edu

University of South Carolina

9/9/2003 2

Points of Vulnerability Adversary can eavesdrop from a

machine on the same LAN Adversary can eavesdrop by dialing

into communication server Adversary can eavesdrop by gaining

physical control of part of external links twisted pair, coaxial cable, or optical fiber radio or satellite links

9/9/2003 3

Placement of Symmetric Encryption

Two major placement alternatives Link encryption

encryption occurs independently on every link implies must decrypt traffic between links requires many devices, but paired keys

End-to-end encryption encryption occurs between original source and

final destination need devices at each end with shared keys

9/9/2003 4

Characteristics ofLink and End-to-End Encryption

9/9/2003 5

Placement of Encryption Can place encryption function at various

layers in OSI Reference Model link encryption occurs at layers 1 or 2 end-to-end can occur at layers 3, 4, 6, 7

If move encryption toward higher layer less information is encrypted but is more

secure application layer encryption is more complex,

with more entities and need more keys

9/9/2003 6

Scope of Encryption

9/9/2003 7

Traffic Analysis When using end-to-end encryption,

must leave headers in clear so network can correctly route information

Hence although contents are protected, traffic patterns are not protected

Ideally both are desired end-to-end protects data contents over

entire path and provides authentication link protects traffic flows from monitoring

9/9/2003 8

Key Distribution

Symmetric schemes require both parties to share a common secret key

Need to securely distribute this key If key is compromised during

distribution, all communications between two parties are compromised

9/9/2003 9

Key Distribution Schemes Various key distribution schemes for

two parties A can select key and physically deliver to B third party C can select and deliver key to A

and B if A and B have shared a key previously, can

use previous key to encrypt a new key if A and B have secure communications with

third party C, C can relay key between A and B

9/9/2003 10

Key Distribution Scenario

9/9/2003 11

Key Distribution Issues Hierarchies of KDC’s are required for

large networks, but must trust each other

Session key lifetimes should be limited for greater security

Use of automatic key distribution on behalf of users, but must trust system

Use of decentralized key distribution Controlling purposes keys are used for

9/9/2003 12

Summary of Symmetric Encryption

Traditional symmetric cryptography uses one key shared by both sender and receiver

If this key is disclosed, communications are compromised

Symmetric because parties are equal

Provide confidentiality, but does not provide non-repudiation

9/9/2003 13

Insufficiencies with Symmetric Encryption

Symmetric encryption is not enough to address two key issues key distribution – how to have

secure communications in general without having to trust a KDC with your key?

digital signatures – how to verify that a received message really comes from the claimed sender?

9/9/2003 14

Advent of Asymmetric Encryption

Probably most significant advance in the 3000 year history of cryptography

Use two keys: a public key and a private key

Asymmetric since parties are not equal

Clever application of number theoretic concepts instead of merely substitution and permutation

9/9/2003 15

How Asymmetric Encryption Works

Asymmetric encryption uses two keys that are related to each other a public key, which may be known to

anybody, is used to encrypt messages, and verify signatures

a private key, known only to the owner, is used to decrypt messages encrypted by the matching public key, and create signatures

the key used to encrypt messages or verify signatures cannot decrypt messages or create signatures

9/9/2003 16

Asymmetric Encryptionfor Confidentiality

9/9/2003 17

Asymmetric Encryptionfor Authentication

9/9/2003 18

Security of Asymmetric Encryption

Like symmetric schemes brute-force exhaustive search attack is always theoretically possible, but keys used are too large (>512bits)

Not more secure than symmetric encryption, dependent on size of key

Security relies on a large enough difference in difficulty between easy (en/decrypt) and hard (cryptanalyse) problems

Generally the hard problem is known, just made too hard to do in practise

Require using very large numbers, so is slow compared to symmetric schemes

9/9/2003 19

RSA Invented by Rivest, Shamir & Adleman of MIT in

1977 Best known and widely used public-key scheme Based on exponentiation in a finite (Galois)

field over integers modulo a prime exponentiation takes O((log n)3) operations

(easy) Use large integers (eg. 1024 bits) Security due to cost of factoring large numbers

factorization takes O(e log n log log n) operations (hard)

9/9/2003 20

RSA Key Setup Each user generates a public/private key pair

by select two large primes at random: p, q compute their system modulus n=p·q

note ø(n)=(p-1)(q-1) select at random the encryption key e

where 1<e<ø(n), gcd(e,ø(n))=1 solve following equation to find decryption key d

e·d=1 mod ø(n) and 0≤d≤n publish their public encryption key: KU= {e,n} keep secret private decryption key: KR= {d,n}

9/9/2003 21

RSA Usage to encrypt a message M the sender:

obtains public key of recipient KU={e,n} computes: C=Me mod n, where 0≤M<n

to decrypt the ciphertext C the owner: uses their private key KR={d,n} computes: M=Cd mod n

note that the message M must be smaller than the modulus n (block if needed)

9/9/2003 22

Why RSA Works Euler's Theorem:aø(n) mod n = 1 where gcd(a,n)=1

In RSA, we have n=p·q ø(n)=(p-1)(q-1) carefully chosen e and d to be inverses mod ø(n) hence e·d=1+k·ø(n) for some k

hence :Cd = (Me)d = M1+k·ø(n) = M1·(Mø(n))q = M1·(1)q = M1 = M mod n

9/9/2003 23

RSA Example: Computing Keys

1. Select primes: p=17, q=112. Compute n=pq=17×11=1873. Compute ø(n)=(p–1)(q-1)=16×10=1604. Select e: gcd(e,160)=1 and e<160

choose e=7

5. Determine d: de=1 mod 160 and d<160 d=23 since 23×7=161=10×160+1

6. Publish public key KU={7,187}7. Keep secret private key KR={23,187}

9/9/2003 24

RSA Example: Encryption and Decryption

Given message M = 88 (88<187) Encryption:

C = 887 mod 187 = 11 Decryption:

M = 1123 mod 187 = 88

9/9/2003 25

Exponentiation Use a property of modular arithmetic[(a mod n)(b mod n)]mod n = (ab)mod n

Use the Square and Multiply Algorithm to multiply the ones that are needed to compute the result

Look at binary representation of exponent Only take O(log2 n) multiples for number n

eg. 75 = 74·71 = 3·7 = 10 (mod 11) eg. 3129 = 3128·31 = 5·3 = 4 (mod 11)

9/9/2003 26

RSA Key Generation Users of RSA must:

determine two primes at random - p,q select either e or d and compute the other

Primes p,q must not be easily derived from modulus n=p·q means p,q must be sufficiently large typically guess and use probabilistic test

Exponents e, d are multiplicative inverses, so use Inverse algorithm to compute the other

9/9/2003 27

Security of RSA

Three approaches to attacking RSA brute force key search (infeasible

given size of numbers) mathematical attacks (based on

difficulty of computing ø(n), by factoring modulus n)

timing attacks (on running of decryption)

9/9/2003 28

Factoring Problem Mathematical approach takes 3 forms:

factor n=p·q, hence find ø(n) and then d determine ø(n) directly and find d find d directly

Currently believe all equivalent to factoring have seen slow improvements over the years

as of Aug 99 best is 130 decimal digits (512) bit with GNFS biggest improvement comes from improved algorithm

cf “Quadratic Sieve” to “Generalized Number Field Sieve” 1024+ bit RSA is secure barring dramatic breakthrough

ensure p, q of similar size and matching other constraints

9/9/2003 29

Timing Attacks Developed in mid-1990’s Exploit timing variations in operations

eg. multiplying by small vs large number Infer operand size based on time taken RSA exploits time taken in

exponentiation Countermeasures

use constant exponentiation time add random delays blind values used in calculations

9/9/2003 30

Next Class

Key management with asymmetric encryption

Diffie-Hellman key exchange Read Chapter 10