data link security - mississippi state universityweb.cse.msstate.edu/~ramkumar/cryptoqo2.pdf ·...

Data Link Security

Mahalingam RamkumarMississippi State University, MS

October 31, 2013

Ramkumar Data Link Security

What is Security?

1 Ability to make confident statements regarding specificproperties of specific systems

2 What gives us the ability to make such statements?

3 Extrapolating from “reasonably strong” assumptions in alogical manner.


Data Link Security

1 Ability to make confident assertions regarding the authenticityand/or integrity and/or privacy of data received overcommunication channels.

2 How? Cryptographic tools.

3 Assumptions: strength of various cryptographic primitives.


Cryptographic Primitives

1 Symmetric primitives: block ciphers, hash functions

2 Asymmetric primitives

3 Properties of good cryptographic primitives, and4 How they are used to meet our goals (secure communications)

1 Unicast communications2 Broadcast communications3 Multicast communications (not typically important for most

application scenarios)


Symmetric Cryptography Overview

Alice and Bob share a key K

Alice wants to send a message P to Bob

Alice encrypts the message P using key K to get encryptedmessage C

Alice sends C to Bob

Only Bob (who has the key K ) can decrypt the message

Bob is convinced the message is from Alice, and that it hasnot been modified enroute.

(Not very different from a scenario where a message is mailedin a locked box)


Symmetric Cryptography Overview

C = EK (P) (Encryption algorithm)

P = DK (C ) (Decryption algorithm)

No way to get P given C without knowledge of K

Security lies only in the key. Algorithms are completely open.

Against a good cipher, the only viable attack should be abrute force attack (try all possible keys)

If an algorithm uses 64 bit keys, and if we have the ability totest a million (220) keys per second, brute force attack willtake roughly 243 seconds (about 218, or quarter million years)


Symmetric Cryptography

1 Data-mangling based on a key

2 Data-mangling should be reversible

3 Two basic types of reversible data-mangling — substitutionand permutation

4 Old ciphers used one or the other.

5 Modern ciphers use a combination of both — substitutionpermutation networks

6 The trick is to use them repeatedly


Cipher Requirements

Knowledge of pairs (P1,C1) · · · (Pn,Cn) should not provideany information about the key K .

Knowledge of pairs (P1,C1) · · · (Pn,Cn) should not provideany information about Pn+1 given Cn+1

Think of the encryption / decryption mechanism as a blackbox

and attacker has access to the black box (but not the keyinside)he can find any P for a given C or C for a given P.but he should not be able to find the key K .


Confusion and Diffusion

C = EK (P), P = DK (C )

for the same P, even changing one bit of the key will result ina very different C

for the same K even changing one bit of P will result in avery different C

Good confusion and diffusion properties guarantee desiredproperties for a block cipher.

AES, DES, . . .


Compression/Hash Function

h = H(M)

M is typically 512 bits

h is typically n = 160 bits

Given M, easy to calculate h.

Practically impossible to find M ′ 6= M which satisfiesh = H(M ′).

Pre-image resistant (second pre-image resistant). Brute forcecomplexity 2n

Practically impossible to find any two strings A and B 6= Asuch that H(A) = H(B)

Collision resistant (stronger condition). Brute forcecomplexity 2n/2

Hash function involves repeated use of a compression functionui+1 = H(Mi , ui ) (512-bit Mi , 160-bit ui and ui+1).


Uses of Hash Function

As a commitment.

Alice wants Bob to know right now that she knows X , butdoes not want to reveal X to Bob now.

Alice provides x = H(X ) to Bob. The next day Alice revealsX . Bob is now convinced that Alice knew X the previous day(no way Alice could have synthesized X from x).

Time stamping a document. Alice sends hash of document toa time stamping authority.


Message Authentication Codes

Key based hash function

Sender and receiver share a secret K

Example. Message M. HMACM = H(K ,M). SendsM,HMACM .

Receiver extracts message M and verifiesHMACM = H(K ,M).

Successful verification proves two things

Message has not been modified, andMessage was sent by the person who knows the secret K .


Cipher Vs Hash Function

Block cipher

Two inputs: K , P (or K and C )one output: C = E (P,K ) (or P = D(C ,K ))

Hash Function

Two inputs: ui , M (previous hash or starting hash ui andcurrent block M)one output: ui+1 = H(ui ,M)

Block cipher: characterized by block size (size of P and C )and key size

typically 64/128 and 128

Hash function: block size and digest size: typically 512 and160 respectively


Cipher Vs Hash Function

Both require confusion and diffusion properties

Cipher needs to be reversible; Hash function does not

More flexibility in choosing data mangling functions for hashfunctions (not necessarily a good thing).

Cipher restricted to combinations of substitutions andpermutations

Cipher standard AES; Hash SHA-1/SHA-2; SHA-3 currentlybeing standardized


Asymmetric Cryptography

Symmetric cryptography is useful once we have established akey.

How do we exchange keys? (the two parties may never havehad the opportunity to meet before).

This is where asymmetric cryptography comes in

Alice and Bob (meeting for the first time) are communicatingover a public channel

Every one can hear the conversation between Alice and Bob

Can they conduct a private conversation?

How do they establish a secret?



Each person has two keys (a key pair) a private key, and apublic key

Choose a random private key (Alice chooses RA)

Compute public key from private key (Alice computesUA = FG (RA))

Public key is made public (Alice advertises UA)

Private key is a secret (only Alice knows RA)

No way to compute private key from public key.



Bits encrypted using public key can be decrypted using theprivate key

C = EUA(P); P = DRA

(C );

Bits encrypted using private key can be decrypted using thepublic key:

S = ERA(M); M = DUA

(S);


Encryption / Decryption & Signing / Verification

Alice’s key pair (RA,UA)

Bob wants to send P privately to Alice.

Encrypt P using Alice’s public key. C = EUA(P);

Only Alice can decrypt (as only Alice has the correspondingprivate key) P = DRA

(C );

S = ERA(M); M = DUA

(S); Alice needs to broadcast amessage M

Alice computes S = ERA(M);

broadcasts S along with MAnybody with the knowledge of Alice’s public key can verifythat M = DUA

(S)


Number Theory

What makes such constructions possible?

Clever ways of using well known math problems.

Prime numbers, difficulty of factorization, etc.

Choose two large primes p and q

compute n = pq; broadcast n;

How easy is it for some one to determine p or q given n? (justtry out all primes less than

√n)

p and q are private keys; n is the corresponding public key.


Simple Asymmetric Scheme

Alice chooses two large primes p, q

Alice broadcasts n = pq

Bob desires to send a secret X to Alice (X has the samenumber of digits as n)

Bob computes Y = X 2 mod n

From Y , only way to compute X is if we know the factors pand q of n

Only Alice can compute X .


Remote Communications

When Alice sends n how does Bob know it is Alice who issending n

Oscar can generate p′, q′ and m = p′q′ and claim he is Alice?

Need a way to bind n with “Alice”

Certificate Authority.

Remember S = ER(M); M = DU(S);

Let (R,U) be key pair of CA

M = ALICE ‖ UA

S is the signature in a certificate ALICE ‖ UA ‖ S


Asymmetric vs Symmetric

Asymmetric cryptographic primitives is typically 3 orders ofmagnitude more demanding than symmetric cryptographicprimitives

Working with very large numbers (typically 500-1000 digitnumbers)

Used sparingly

Encryption is used only to send a symmetric secret (the secretcan then be used to encrypt all subsequent packets)

Signature is computed over the hash of a message to besigned.

Message to be signed is hashed h = H(M). Hash h isencrypted using private key to obtain the signature S .


Typical Procedure for Establishing Secure Link

Initiator A and responder B

Initiator requests B’s certificate, submits its certificate to B

Initiator and responder verify each other’s certificate andthereby get to know the authentic public keys UA of A andUB of B

The steps to establish a shared key KAB depends on thespecific asymmetric scheme used

Diffie-Hellman scheme KAB = F(UA,B) = F(UB ,A)

Challenge-Response Schemes


Challenge-Response Schemes

Initiator A and responder B

A picks a random number X

A encrypts X using public key of B (C = EUB(X ));

A challenges B (by sending X ) to decrypt X

Similarly, B can challenge A.

At the end of challenge response process A and B share asecret.


Secure Links

Once a shared secret has been established at either ends ofany link

Any number of packets can be encrypted using the secret

Packets can be authenticated using message authenticationcodes


Scalability

The strategy for establishing secure links bootstrapped usingasymmetric schemes is highly scalable

Any number of participants

All that a participant has to do is to generate a key pair, andget the public key signed by the CA.

One time interaction with CA

May be an over-kill for small networks or networks that do notneed to scale as much


Other Key Distribution Strategies

Use a key distribution center instead of a CA

Every participant shares a secret with the KDC

This secret can be used to securely send other secrets to everyparticipant

Other secrets:

Session secrets (online KDC)Give every participant N − 1 keys (for a network of size N)Send to every participant N/2 non secret valuesGive every participant n << N keys.


Modular Arithmetic

Arithmetic in a finite ring or field

Zm = {0, 1, · · · ,m − 1}If m is prime, the ring is a field

Possible to perform additions, multiplication

Multiplicative inverses

In a field all numbers have a multiplicative inverse (exceptzero)

In a ring only number relatively prime to the modulus have amultiplicative inverse


Modular Arithmetic

Fermat’s theorem ap−1 mod p ≡ 1 or ap mod p ≡ a

Euler - Phi Function Φ(m) - number of numbers below mrelatively prime to m

Or the number of elements in Zm that have a multiplicativeinverse.

If m = p, Φ(m) = p − 1.

If m = pq, Φ(m) = (p − 1)(q − 1)

Euler Fermat’s theorem — aΦ(m)+1 mod m ≡ a.


Examples

229mod 7 ≡ 25+4×6 ≡ 25 mod 7

326 mod 15 ≡ 32+8∗3 ≡ 32 mod 15 asΦ(15) = (3− 1)(5− 1) = 8

Consider (xy )z mod m. If yz ≡ 1 mod Φ(m), then(xy )z ≡ x mod m


What is easy, what is not

Exponentiation is easy. Evaluating ga mod m where g , a andm are integers of 200 digits each involves only order oflog(m) ≈ 665 multiplications

Finding multiplicative inverse is also easy log(m) complexity

Testing if a number m is prime is also easy (using probabilisticprimality testing)

Factorizing is not easy


RSA - (Rivest - Shamir - Adelman)

Choose two large primes p and q.

n = pq is the modulus (Zn is a ring - not a field)

Φ(n) = (p − 1)(q − 1).

Choose e such that (e,Φ(n)) = 1.

Find d such that de ≡ 1 mod Φ(n). Or d is the multiplicativeinverse of d mod Φ(n) (use extended Euclidean algorithm)

Destroy p, q and Φ(n).

n and e are public keys

d is the private key

Cannot determine p and q from n (factorization is hard)

Cannot determine Φ(n) without factoring n. So finding dgiven e (and n) is hard.


RSA - As a Cipher

Alice’s public keys are na and ea.

Bob wished to send a message P to Alice

C = Pea mod na. Bob sends C to Alice

P = Cda ≡ Peada ≡ PkΦ(na)+1 ≡ P mod na.

eada ≡ 1 mod Φ(na)→ eada = 1 + kΦ(na).

Only Alice (who has access to da) decrypt the message


RSA - As a Signature Scheme

Alice’s public keys are na and ea.

Alice wishes to send (broadcast) a signed message P

S = Pda mod na. Alice broadcasts S

P = Sea ≡ Peada ≡ PkΦ(na)+1 ≡ P mod na.

eada ≡ 1 mod Φ(na)→ eada = 1 + kΦ(na).

Any recipient (who knows Alice’s public key ea) can verifythat the message is from Alice.


RSA Example

p = 11, q = 13. n = pq = 143

φ(n) = (p − 1)(q − 1) = 120.

Choose e = 7

d ≡ e−1 mod 120 ≡ 103.

P ≡ 41 mod 143.

C ≡ 417 mod 143 ≡ 24.

P ≡ Cd ≡ 24103 mod 143 ≡ 41.


Public Key Infrastructure

X.509 Authentication service

Basic function - authentication of public keys

Public key certificates issued by CAs

Permits different public key algorithms

Revocation of certificates

Employs a network of CAs.


data link security - mississippi state universityweb.cse.msstate.edu/~ramkumar/cryptoqo2.pdf ·...

Documents