two disparate examples of of encryption/digital signatures
TRANSCRIPT
Two disparate Examples ofTwo disparate Examples ofof Encryption/Digital of Encryption/Digital
SignaturesSignatures
Consider thisConsider this
A group ofA group of 5 5 young scientists (like you ) working for a chemical young scientists (like you ) working for a chemical organisation has come up with a new anti-aging cream. The organisation has come up with a new anti-aging cream. The president of the company is ecstatic because it will sky rocket president of the company is ecstatic because it will sky rocket the organisation’s net sales. However, the president also the organisation’s net sales. However, the president also received an anonymous tip stating that that two of the five received an anonymous tip stating that that two of the five scientists are considering job offers from their competitor scientists are considering job offers from their competitor company (unfortunately the tip off does not say who they are) to company (unfortunately the tip off does not say who they are) to copy the formula. Assuming that only those 5 scientists use a copy the formula. Assuming that only those 5 scientists use a computer where the details of the formula and the process of computer where the details of the formula and the process of making the cream are stored as data files.making the cream are stored as data files.
Assume the following:Assume the following:
1. The president does not know how to use the computer (or its 1. The president does not know how to use the computer (or its related programs).related programs).
2. The formula/process files are always stored in encrypted form 2. The formula/process files are always stored in encrypted form using the private key cipher method.using the private key cipher method.
3. Every time these files are accessed/modified, at least three 3. Every time these files are accessed/modified, at least three scientist have to provide their secret key before the encrypted scientist have to provide their secret key before the encrypted file can be decrypted.file can be decrypted.
4. How will you modify the crypto technique that we talked in 4. How will you modify the crypto technique that we talked in the class to suit this situation?the class to suit this situation?
3
Use & Abuse of encryptionUse & Abuse of encryption
Proper use:Proper use:protects privacy of individualsprotects privacy of individualsprotects commercial interests of protects commercial interests of
companiescompanies Abuse:Abuse:
organised crimes (s.a. drug trafficking)organised crimes (s.a. drug trafficking)fraud and corruptionfraud and corruptionterrorismterrorism............
4
US proposalUS proposal
Key escrow was proposed by US Key escrow was proposed by US government in 1993 as “government in 1993 as “something in something in betweenbetween”, with the aim to balance ”, with the aim to balance between the interests of individuals between the interests of individuals and those of and those of organisations or organisations or governmentsgovernments
5
Basic idea behind the proposalBasic idea behind the proposal
Individuals (and companies) are Individuals (and companies) are allowed to use encryptionallowed to use encryption
But, keys used by an individual must But, keys used by an individual must be available to law enforcement when be available to law enforcement when they wish to monitor the individual’s they wish to monitor the individual’s communicationscommunications
6
““Escrow”Escrow”
Dictionary Meaning:Dictionary Meaning:
1. 1. nn. written legal engagement to do . written legal engagement to do something, kept in third person’s something, kept in third person’s custody until some condition has been custody until some condition has been fulfilled; (money or goods so kept);fulfilled; (money or goods so kept);
2. 2. v.tv.t. place in escrow. place in escrow
7
Key escrowKey escrow (say 2 persons) (say 2 persons)
A key used by an individual is “split A key used by an individual is “split into two halves”into two halves”
One half is stored in Escrow Agency AOne half is stored in Escrow Agency A The other half is stored in Escrow The other half is stored in Escrow
Agency BAgency B Both agencies are organisations Both agencies are organisations
independent of governmentsindependent of governments
8
Key escrow (2)Key escrow (2)
When police wish to monitor an When police wish to monitor an individual’s communications, they first individual’s communications, they first obtain a court order from judges (the obtain a court order from judges (the court system)court system)
Police then present the court order Police then present the court order to Escrow Agency A to obtain the 1st half to Escrow Agency A to obtain the 1st half
of the individual’s keyof the individual’s keyto Escrow Agency B to obtain the 2nd half to Escrow Agency B to obtain the 2nd half
of the individual’s keyof the individual’s key
9
Key escrow (3)Key escrow (3)
Now police can put the 2 halves Now police can put the 2 halves together and get the individual’s keytogether and get the individual’s key
With the key in their hands, police can With the key in their hands, police can now monitor all communications of now monitor all communications of the individualthe individual
10
Escrowed keyEscrowed key
E Network or Storage
Plain Text Cipher Text Cipher Text
D
OriginalPlain Text
Bob
Secret Key
Alice
Secret Key
EscrowAgency A
EscrowAgency B
11
AnalogueAnalogue
you are allowed to lock your dooryou are allowed to lock your door but you have to leave a copy of your but you have to leave a copy of your
key, half of which is kept by Locksmith key, half of which is kept by Locksmith A and the other half by Locksmith BA and the other half by Locksmith B
When police wish to break into your When police wish to break into your home, they get a court order with home, they get a court order with which they can get the two halves of which they can get the two halves of the copy and hence your keythe copy and hence your key
12
ControversyControversy
does it really work ?does it really work ?how about double encryption by a “bad” how about double encryption by a “bad”
guy ?guy ?what happens if Escrow Agencies A and B what happens if Escrow Agencies A and B
conspireconspirehow do governments trust each other ?how do governments trust each other ?
where is freedom of individuals ?where is freedom of individuals ?does a government have the right to intrude does a government have the right to intrude
into individuals’ privacy ?into individuals’ privacy ?other implications ?other implications ?
13
A positive use of key escrowA positive use of key escrow
Encrypted data become useless if the Encrypted data become useless if the key is lost or forgotten !key is lost or forgotten !Have you ever forgotten your password ?Have you ever forgotten your password ?
To prevent loss of corporate To prevent loss of corporate information, a company can build a information, a company can build a company-wide “key escrow” systemcompany-wide “key escrow” system (our original Question on slide 2)(our original Question on slide 2)Question: HOW ?Question: HOW ?
(hint: no police or court system is (hint: no police or court system is involved in this case.)involved in this case.)
14
How to “split” a user keyHow to “split” a user key
bad way(s):bad way(s):K = KK = Kaa K Kbb,,
KKaa is kept by Escrow Agency A, is kept by Escrow Agency A,
KKbb is kept by Escrow Agency B is kept by Escrow Agency B
good ways:good ways:K = K1 K = K1 XORXOR K2, K2,
K1 is kept by Escrow Agency A,K1 is kept by Escrow Agency A,K2 is kept by Escrow Agency BK2 is kept by Escrow Agency B
secret sharing schemessecret sharing schemes
15
An exercise & a questionAn exercise & a question
an exercisean exerciseHow to “split” a key if there are 3 or more How to “split” a key if there are 3 or more
escrow agencies ?escrow agencies ? In the above discussions, all agencies In the above discussions, all agencies
have to be consulted in order to have to be consulted in order to recover a key. An important question:recover a key. An important question:Is it possible to design a system so that Is it possible to design a system so that
some of the agencies, say 4 out of 5, can some of the agencies, say 4 out of 5, can recover a key ?recover a key ?
16
Secret sharing in a bankSecret sharing in a bank
a real world problem:a real world problem:A bank branch has a safe and 3 senior A bank branch has a safe and 3 senior
tellers. tellers. The safe can be opened only by senior The safe can be opened only by senior
tellers, but they do not trust each other. tellers, but they do not trust each other. Can we design a system for the branch Can we design a system for the branch
whereby any 2 of the 3 senior tellers whereby any 2 of the 3 senior tellers together can open the safe, but NO together can open the safe, but NO individual teller can do so.individual teller can do so.
17
(t,n)-threshold secret sharing(t,n)-threshold secret sharing
Consider a group of n participants Consider a group of n participants (=people). Let t <= n.(=people). Let t <= n.
A (t,n)-threshold secret sharing A (t,n)-threshold secret sharing scheme is a method of sharing a key K scheme is a method of sharing a key K among n participants, such thatamong n participants, such thatany t or more participants from the group any t or more participants from the group
can recover the key K, andcan recover the key K, andany t-1 or less participants from the group any t-1 or less participants from the group
can NOT do so. can NOT do so.
18
Real world problemsReal world problems
bank branchbank branchto design a (2,3)-threshold secret sharingto design a (2,3)-threshold secret sharing
key escrow agencykey escrow agency(2,2)-threshold secret sharing(2,2)-threshold secret sharingmore generally, (t,n)-threshold secret more generally, (t,n)-threshold secret
sharing.sharing.E.g. (4,5)-threshold secret sharingE.g. (4,5)-threshold secret sharing
millionaire’s willmillionaire’s willa millionaire with 8 childrena millionaire with 8 children
19
Shamir’s (t,n)-threshold schemeShamir’s (t,n)-threshold scheme
Key disposing --- by the dealerKey disposing --- by the dealerinitialisationinitialisationdistributing a share to each of the n distributing a share to each of the n
participants in the groupparticipants in the group Key recovery --- by participantsKey recovery --- by participants
gathering shares from t participantsgathering shares from t participantsreconstructing the key from the t sharesreconstructing the key from the t shares
20
Shamir (3,5)-threshold schemeShamir (3,5)-threshold scheme
Assume that K=13 is a key.Assume that K=13 is a key. Initially the only person who knows Initially the only person who knows
K=13 is the dealer !K=13 is the dealer ! The aim is to construct a threshold The aim is to construct a threshold
scheme so that 3 our of the 5 scheme so that 3 our of the 5 participants can recover the key K.participants can recover the key K.
Parameters:Parameters:K=13, t=3, n=5K=13, t=3, n=5
21
Key Disposal -- by dealerKey Disposal -- by dealer
InitialisationInitialisationchooses a prime p > K & p > n+1.chooses a prime p > K & p > n+1.
Say p = 17.Say p = 17.chooses 2 (=t-1) random non-zero integers chooses 2 (=t-1) random non-zero integers
[1,...,p-1], i.e., [1,...,16]. [1,...,p-1], i.e., [1,...,16]. Assume that the following are chosen:Assume that the following are chosen:aa11 = 10 = 10
aa22 = 2 = 2
Form a polynomial of degree t-1:Form a polynomial of degree t-1:a(x) =a(x) = K + aK + a11*x + a*x + a22*x*x22
== 13 + 10*x + 2*x13 + 10*x + 2*x22
22
Key disposal -- by dealerKey disposal -- by dealer
Share distributionShare distributionfor Participant 1for Participant 1
a(1) =a(1) = 13 + 10*1 + 2*113 + 10*1 + 2*12 2 = 8 (mod 17 )= 8 (mod 17 )gives 8 to Participant 1 as his sharegives 8 to Participant 1 as his share
for Participant 2for Participant 2a(2) =a(2) = 13 + 10*2 + 2*213 + 10*2 + 2*22 2 = 7 (mod 17 )= 7 (mod 17 )gives 7 to Participant 2 as his sharegives 7 to Participant 2 as his share
for Participant 3for Participant 3a(3) =a(3) = 13 + 10*3 + 2*313 + 10*3 + 2*32 2 = 10 (mod 17 )= 10 (mod 17 )gives 10 to Participant 3 as his sharegives 10 to Participant 3 as his share
23
Key disposal-- by dealerKey disposal-- by dealer
for Participant 4for Participant 4a(4) =a(4) = 13 + 10*4 + 2*413 + 10*4 + 2*42 2 = 0 (mod 17 )= 0 (mod 17 )gives 0 to Participant 4 as his sharegives 0 to Participant 4 as his share
for Participant 5for Participant 5a(5) =a(5) = 13 + 10*5 + 2*513 + 10*5 + 2*52 2 = 11 (mod 17 )= 11 (mod 17 )gives 11 to Participant 5 as his sharegives 11 to Participant 5 as his share
24
Key recovery -- by 3 participantsKey recovery -- by 3 participants
Assume that 3 participants, say Assume that 3 participants, say Participants 1, 3 and 5 decide to Participants 1, 3 and 5 decide to recover the key K.recover the key K.
Share gatheringShare gatheringthe 3 participants put together their the 3 participants put together their
shares, namely 3 numbers shares, namely 3 numbers 8, 10, 118, 10, 11
25
Key recovery -- by 3 participantsKey recovery -- by 3 participants
Key reconstructionKey reconstructionsolve the following equationssolve the following equationsK + aK + a11 * 1 + a * 1 + a22 * 1 * 122 = 8 (mod 17) = 8 (mod 17)K + aK + a11 * 3 + a * 3 + a22 * 3 * 322 = 10 (mod 17) = 10 (mod 17)K + aK + a11 * 5 + a * 5 + a22 * 5 * 522 = 11 (mod 17) = 11 (mod 17)
the resultthe resultaa11 = 10 = 10aa22 = 2 = 2K = 13K = 13
K = 13 is indeed the key !K = 13 is indeed the key !
26
QuestionsQuestions
With the the (3,5)-threshold schemeWith the the (3,5)-threshold schemeCan 2 or less participants recover the key Can 2 or less participants recover the key
K ?K ?What if more than 3 participants wish to What if more than 3 participants wish to
recover the key ?recover the key ?
27
The DealerThe Dealer
The dealer has to be honest !The dealer has to be honest !can be a person trusted by all can be a person trusted by all
participants.participants.can also be a dedicated program which can also be a dedicated program which
erases all relevant information on the key erases all relevant information on the key K after the shares are distributed K after the shares are distributed successfully.successfully.
28
Combination LockCombination Lock
Assume that a key K is a 4-digit Assume that a key K is a 4-digit number, i.e., K is in [0000,..,9999].number, i.e., K is in [0000,..,9999].
Initially the only person who knows Initially the only person who knows the key K is the dealer !the key K is the dealer !
Constructs a Shamir (2,6)-threshold Constructs a Shamir (2,6)-threshold scheme so that 2 ouscheme so that 2 outt of the 6 of the 6 participants can recover the key K.participants can recover the key K.
Hint: choose a 5-digit prime (say Hint: choose a 5-digit prime (say 10007) !10007) !
29
Escrowing DES keysEscrowing DES keys
Assume that a key K is a 56-bit DES Assume that a key K is a 56-bit DES key (about 17 digits).key (about 17 digits).
Initially the only person who knows Initially the only person who knows the key K is the dealer !the key K is the dealer !
Constructs a Shamir (5,10)-threshold Constructs a Shamir (5,10)-threshold scheme so that 5 our of the 10 scheme so that 5 our of the 10 escrow escrow agencies agencies can recover the key K.can recover the key K.
Hint: choose a prime > 2Hint: choose a prime > 25656 ! ! (how do (how do you get that?)you get that?)
30
Another example?Another example?
Consider the problem:Consider the problem:As a database administrator of finance As a database administrator of finance
company, before starting the database, company, before starting the database, how you will be able to verify (quickly) how you will be able to verify (quickly) that the database state is same as the one that the database state is same as the one when you shutdown the previous day (the when you shutdown the previous day (the database integrity may be satisfied).database integrity may be satisfied).
How do you know which files have been How do you know which files have been modified by a virus (how to check the modified by a virus (how to check the integrity of system files)integrity of system files)??
31
Simple!!Simple!!
Note down the size of the database file Note down the size of the database file before shutdown and check the size before shutdown and check the size when you start the database. If they when you start the database. If they are not same, then someone has are not same, then someone has modified the database file!!modified the database file!!
32
Little bit more complexLittle bit more complex
Log filesLog files – look for things out of – look for things out of ordinary such asordinary such asUsers logged in at strange hours; Users logged in at strange hours;
unexplained reboots; unexplained unexplained reboots; unexplained changes to the system clock; unusual changes to the system clock; unusual error messages from the mailer, ftp error messages from the mailer, ftp daemon or other network servers; failed daemon or other network servers; failed login attempts with bad password; login attempts with bad password; unauthorised unauthorised susu command; users logging command; users logging from unfamiliar sites on the network, etc.from unfamiliar sites on the network, etc.Process known as audit trails.Process known as audit trails.
33
Auditing and LoggingAuditing and Logging
Log files are an important building Log files are an important building block of a secure system: they form a block of a secure system: they form a recorded history, or recorded history, or audit trailaudit trail, of the , of the computer’s past, making it easier to computer’s past, making it easier to track an attack.track an attack.
Log files also have a fundamental Log files also have a fundamental vulnerability vulnerability (as they can be modified (as they can be modified similar to modifying the database files)similar to modifying the database files) as they are stored on the system as they are stored on the system which can be modified by the intruderwhich can be modified by the intruder..
34
Integrity ManagementIntegrity Management
The goal of integrity management is to The goal of integrity management is to prevent alterations to (or deletions of) prevent alterations to (or deletions of) data, to detect modification or data, to detect modification or deletions if they occur, and to recover deletions if they occur, and to recover from alterations or deletions if they from alterations or deletions if they happen.happen.
35
File protectionFile protection
basicbasicall-none protectionall-none protectiongroup protectiongroup protection
single permissionsingle permissionpassword or tokenpassword or tokentemporary acquired permissiontemporary acquired permission
per-object & per user protectionper-object & per user protection ExampleExample
UNIXUNIX
36
Integrity managementIntegrity management
Is achieved byIs achieved by preventionprevention detecting changedetecting change
37
PreventionPrevention
By placing controls – such as software, By placing controls – such as software, hardware, file system and operating system hardware, file system and operating system controls.controls.
By having immutable and append-only filesBy having immutable and append-only files immutable files are those that cannot be immutable files are those that cannot be
modified once the system is running (modified once the system is running (suitable for suitable for system programs such as system programs such as login, passwdlogin, passwd programsprograms) and append-only files to which data ) and append-only files to which data can be appended, but in which the existing data can be appended, but in which the existing data cannot be changed(cannot be changed(suitable for log filessuitable for log files))
38
Integrity Management TechniquesIntegrity Management Techniques
Setting appropriate file permissions and Setting appropriate file permissions and restricting access to the root account on restricting access to the root account on Unix.Unix.
Immutable filesImmutable files – that cannot be modified – that cannot be modified once the system is running.once the system is running.
Append only filesAppend only files – files to which data can – files to which data can be appended, but in which the existing data be appended, but in which the existing data cannot be changed. This type is ideally cannot be changed. This type is ideally suitable for log files.suitable for log files.
Read-only file systems – a hardware read Read-only file systems – a hardware read only protection will be even better.only protection will be even better.
39
Detecting a change in a file(s)Detecting a change in a file(s)
Meta dataMeta data - such as file sizes, last - such as file sizes, last modification time, etcmodification time, etc
Comparison copiesComparison copies – comparing byte-by- – comparing byte-by-byte – unwieldy and time consuming.byte – unwieldy and time consuming.
ChecksumChecksum – file content can be modified in – file content can be modified in such a way that it generates the same such a way that it generates the same checksum – not effective.checksum – not effective.
Digital Signatures!!!Digital Signatures!!!
40
Detecting a changeDetecting a change
Comparison of files with a (good) backup Comparison of files with a (good) backup copy.copy. the backup copy has to be in a protected mode.the backup copy has to be in a protected mode. comparison has to be performed byte-by-byte comparison has to be performed byte-by-byte
and hence time consuming process (especially and hence time consuming process (especially for large files – such as database files)for large files – such as database files)
once an authorised change is detected, replace once an authorised change is detected, replace the altered version with the comparison copy, the altered version with the comparison copy, thereby restoring the system to normal.thereby restoring the system to normal.
41
Detecting a change (2)Detecting a change (2)
Checklists and metadataChecklists and metadata Store only a summary of important Store only a summary of important
characteristics of each file and directory characteristics of each file and directory and use this information for comparison.and use this information for comparison. e.g. of summary information – time stamps e.g. of summary information – time stamps
(last read/modified, file protection modes,link (last read/modified, file protection modes,link count using count using ncheckncheck etc) etc)
Running this kind of detection change as a Running this kind of detection change as a croncron (as a background) job may (as a background) job may notnot be a good be a good idea!idea!
42
Detecting a change(3)Detecting a change(3)
Checksum and SignaturesChecksum and Signatures changes can be made in such a way that the changes can be made in such a way that the
checksum and metadata may not change and checksum and metadata may not change and hence the previous method may fail.hence the previous method may fail. e.g. setting the clock backwards, perform the changes e.g. setting the clock backwards, perform the changes
and set the clock forwardand set the clock forward CRC (CRC (Cyclic Redundancy CodeCyclic Redundancy Code) checksums – ) checksums –
useful only when there are few bits of change useful only when there are few bits of change and they are generated by well known and they are generated by well known polynomials.polynomials.
Generate digital signatures for the file contents Generate digital signatures for the file contents and use the signature to detect the change.and use the signature to detect the change.
43
Detection of changes using SignaturesDetection of changes using Signatures
Remember that signatures are one way Remember that signatures are one way function and it is possible to generate function and it is possible to generate signature for small and large files.signature for small and large files.
Since signature is generated by one-way Since signature is generated by one-way function and good signature function will function and good signature function will generate different signatures for different generate different signatures for different files, it is difficult for the intruder to modify files, it is difficult for the intruder to modify the content of a file and still able to generate the content of a file and still able to generate the signature as that of the un-modified file.the signature as that of the un-modified file.
44
Detection of changes using Signatures Detection of changes using Signatures (2)(2)
Let the set of files which you want to detect for Let the set of files which you want to detect for change is stored in the file change is stored in the file /usr/adm/filelist/usr/adm/filelist
and the corresponding digital signatures (say and the corresponding digital signatures (say using the MD5 algorithm) of those files are stored using the MD5 algorithm) of those files are stored in the file in the file /usr/adm/savelist/usr/adm/savelist. .
Then the following shell script can verify whether Then the following shell script can verify whether any of the files in the any of the files in the filelistfilelist has been modified in has been modified in its contents or not.its contents or not.
#!/bin/sh#!/bin/shfind `cat /usr/adm/filelist` -ls –type f –exec md5 {}\; >/tmp/nowfind `cat /usr/adm/filelist` -ls –type f –exec md5 {}\; >/tmp/nowdiff –b /usr/adm/savelist /tmp/nowdiff –b /usr/adm/savelist /tmp/now
45
Detection of changes using Signatures Detection of changes using Signatures (3)(3)
It is important that the original signature file It is important that the original signature file is not modified by the intruder.is not modified by the intruder. It may be a good idea to store this file on a It may be a good idea to store this file on a
different system.different system.
For some files detecting change with For some files detecting change with signature may not be meaningful. For signature may not be meaningful. For example, example, /etc/passwd/etc/passwd (or (or /etc/shadow/etc/shadow) file ) file contents will change quite often, hence contents will change quite often, hence hybrid of metadata (for such files) and hybrid of metadata (for such files) and signatures are used for detecting changes.signatures are used for detecting changes.
46
TripwireTripwire
In practice one need not generate digital In practice one need not generate digital signature on the content of each of the signature on the content of each of the file.file. e.g. e.g. We need to know if the owner or We need to know if the owner or
protection of /etc/passwd file is changed, but protection of /etc/passwd file is changed, but we do not care about the size or checksum we do not care about the size or checksum because we do expect the contents to changebecause we do expect the contents to change whilewhile we should be concerned if the contents we should be concerned if the contents of /bin/login is altered.of /bin/login is altered.
tripwire is a package that allows to tripwire is a package that allows to configure the files, directories that need to configure the files, directories that need to be monitored using MD algorithms.be monitored using MD algorithms. ftp://coast.cs.purdue/edu/pub/COAST/Tripwireftp://coast.cs.purdue/edu/pub/COAST/Tripwire