Network security (ailab.cs.nchu.edu.tw/course/networksecurity/103/ns02.pdf)
2
Outline
• Review
• Cryptology
  – Introduction and terminologies
  – Definition of cryptosystem and cryptanalysis
  – Types of encryption
    • operations
    • the number of keys used
    • the way the plaintext is processed
  – Symmetric encryption -- Classical techniques
    • substitution:
      – monoalphabetic: Caesar, Playfair, Hill
      – polyalphabetic: Vigenere tableau
    • transposition
3
Review
• Grading policy
• Motivation
• Definitions
• Security services, mechanisms, and attacks (X.800)
• Basic network concept
• Security models
4
Review
• Grading (Tentative)
  – Homework 15% (You may collaborate when solving the homework, however when writing up the solutions you must do so on your own. No typed or printed assignments.)
  – Project 20% (Presentation and/or paper required)
  – Midterm exam 25% (Open book and notes)
  – Final exam 30% (Open book and notes)
  – Class participation 10%
5
Review: Motivation
• Hacker intrusion
• Password compromise (access control)
• Spam (data integrity)
• Program security
• Virus
• Denial of service
6
Review: Definitions
• Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers
• Network Security - measures to protect data during their transmission
• Internet Security - measures to protect data during their transmission over a collection of interconnected networks
7
Review: Security Goals
• The goal of security is to institute controls that preserve
  – secrecy: assets are accessible only by authorized parties;
  – integrity: assets can be modified only by authorized parties;
  – availability: assets are available to authorized parties.
8
Review: Services, Mechanisms, Attacks
• three aspects of information security:
  – security attack
  – security mechanism
  – security service
9
Review: Security Services (X.800)
• Authentication - assurance that the communicating entity is the one claimed
• Access Control - prevention of the unauthorized use of a resource
• Data Confidentiality - protection of data from unauthorized disclosure
• Data Integrity - assurance that data received is as sent by an authorized entity
• Non-Repudiation - protection against denial by one of the parties in a communication
10
Review: Security Mechanisms (X.800)
• Specific security mechanisms: May be incorporated into the appropriate protocol layer in order to provide some of the OSI security services.
  – encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization
• Pervasive security mechanisms: Mechanisms that are not specific to any particular OSI security service or protocol layer.
  – trusted functionality, security labels, event detection, security audit trails, security recovery
11
Review: Classify Security Attacks as
• Passive attacks - eavesdropping on, or monitoring of, transmissions to:
  – obtain message contents, or
  – monitor traffic flows
• Active attacks - modification of data stream to:
  – masquerade of one entity as some other
  – replay previous messages
  – modify messages in transit
  – denial of service
12
Review: Network concepts
• Terminology: node, host, link, terminal
• Media: cable, optical fiber, microwave
• Protocol: ISO reference model, TCP/IP
• Addressing: IP address, port, socket
• Type of network: LAN, WAN, internet
• Topology: common bus, star or hub, ring
13
Review: Internet Protocols vs OSI
[Figure: the seven OSI layers (7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical) shown beside the Internet protocol stack (Application, TCP, IP, Network Interface, Hardware)]
17
Cryptology
• Introduction and terminologies
• Definition of cryptosystem and cryptanalysis
• Types of encryption
  – operations
  – the number of keys used
  – the way the plaintext is processed
• Symmetric encryption -- Classical techniques
  – substitution:
    • monoalphabetic: Caesar, Playfair, Hill
    • polyalphabetic: Vigenere tableau
  – transposition
18
Steganography vs Cryptography
• Types of transformation (in the model for network communication security)
  – Steganography: conceal the existence of the secret message (watermarking / data hiding)
  – Cryptography: render the secret message unintelligible to outsiders
19
Steganography
• hides existence of message
  – using only a subset of letters/words in a longer message marked in some way
  – using invisible ink
  – hiding in LSB in graphic image or sound file
• has drawbacks
  – high overhead to hide relatively few info bits
23
Basic Terminology
• plaintext - the original message
• ciphertext - the coded message
• cipher - algorithm for transforming plaintext to ciphertext
• key - info used in cipher known only to sender/receiver
• encipher (encrypt) - converting plaintext to ciphertext
• decipher (decrypt) - recovering plaintext from ciphertext
• cryptography - study of encryption principles/methods
• cryptanalysis (codebreaking) - the study of principles/methods of deciphering ciphertext without knowing key
• cryptology - the field of both cryptography and cryptanalysis
25
Definition of cryptosystems
A cryptosystem is a five-tuple (P,C,K,E,D), where the following conditions are satisfied:
1. P is a finite set of possible plaintexts
2. C is a finite set of possible ciphertexts
3. K, the key space, is a finite set of possible keys
4. For each $k \in K$, there is an encryption rule $e_k \in E$ and a corresponding decryption rule $d_k \in D$. Each $e_k : P \to C$ and $d_k : C \to P$ are functions such that $d_k(e_k(x)) = x$ for every plaintext $x \in P$.
26
Attacking a cryptosystem
• Cryptanalysis approach: this type of attack exploits
  – the characteristics of the algorithm plus perhaps
  – some knowledge of the general characteristics of the plaintext or even
  – some sample plaintext-ciphertext pairs.
• Brute force approach:
  – an attacker tries every possible key on a piece of ciphertext until intelligible translation into plaintext is obtained.
27
Types of Cryptanalytic Attacks
• ciphertext only
  – only know algorithm / ciphertext
• known plaintext
  – know/suspect plaintext & ciphertext to attack cipher
• chosen plaintext
  – select plaintext and obtain ciphertext to attack cipher
• chosen ciphertext
  – select ciphertext and obtain plaintext to attack cipher
• chosen text
  – select either plaintext or ciphertext to en/decrypt to attack cipher
Use blackboard
28
Kerkhoff’s principle (1/4)
• Why did people publish their cryptosystem (DES, . . . )?
• Better: don’t publish your system but keep it secret!
• Auguste Kerkhoffs, “La Cryptographie Militaire”, 1883: Cryptographic systems should be designed in such a way that they are not compromised if the opponent learns the technique being used.
• In other words, the security should reside in the choice of key rather than in obscure design features.
29
Kerkhoff’s principle (2/4)
• It is hard (and often impossible) to keep a cryptosystem in use secret!
• What if you fail to keep it secret?
30
Kerkhoff’s principle (3/4)
• Designing a good cryptosystem is hard! Even experts get it wrong quite often: Most cryptosystems are broken after publication. Use a survivor!
• “. . . nothing substitutes for extensive peer review and years of analysis.” – B. Schneier
• If you don’t publish, nobody will analyze your scheme . . . except for the bad guys!
31
Kerkhoff’s principle (4/4)
• Distinguish system itself (= algorithm), from key:
  – Key: secret, easy to change, chosen at random from large set of possible keys.
• Assume: Bad guys know system but don’t know key!
34
Brute Force Search
• always possible to simply try every key
• most basic attack, proportional to key size
• assume either know / recognise plaintext
35
Brute Force Search
• Input: C, K
  Output: M or k
    loop until an intelligible translation into plaintext is obtained (M is meaningful)
        k ← next untried key in K
        M ← D_k(C)
    output M or k
• Complexity: |K|/2 (expected number of iterations)
Use blackboard
36
More Definitions
• unconditional security
  – no matter how much computer power is available, the cipher cannot be broken since the ciphertext provides insufficient information to uniquely determine the corresponding plaintext
• computational security
  – given limited computing resources (eg time needed for calculations is greater than age of universe), the cipher cannot be broken
37
Modern cryptology
• Use computational complexity theory to design cryptosystems which provide good diffusion and confusion
  – diffusion – dissipates statistical structure of plaintext over bulk of ciphertext
  – confusion – makes relationship between ciphertext and key as complex as possible
40
Cryptographic systems
• can characterize by:
  – type of encryption operations used
    • substitution / transposition / product
  – number of keys used
    • single-key or private / two-key or public
  – way in which plaintext is processed
    • block / stream
41
Type of operations
• Fundamental requirement: no information is lost (all operations are reversible)
• Substitution: each element in the plaintext (bit, letter, group of bits or letters) is mapped into another element
• Transposition: elements in the plaintext are rearranged.
43
Symmetric Encryption
• AKA conventional/private-key/single-key
• sender and recipient share a common key
• all classical encryption algorithms are private-key
• was only type prior to invention of public-key in 1970’s
46
Requirements
• two requirements for secure use of symmetric encryption:
  – a strong encryption algorithm
  – a secret key known only to sender / receiver
    $Y = E_K(X)$
    $X = D_K(Y)$
• assume encryption algorithm is known
• implies a secure channel to distribute key
47
Public-Key Cryptography
• probably most significant advance in the 3000 year history of cryptography
• uses two keys – a public & a private key
• AKA asymmetric encryption
• uses clever application of number theoretic concepts to function
• complements rather than replaces private key crypto
48
Public-Key Cryptography
• public-key/two-key/asymmetric cryptography involves the use of two keys:
  – a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures
  – a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures
• PKC is asymmetric because
  – those who encrypt messages or verify signatures cannot decrypt messages or create signatures
50
Why Public-Key Cryptography?
• developed to address two key issues:
  – key distribution – how to have secure communications in general without having to trust a KDC with your key
  – digital signatures – how to verify a message comes intact from the claimed sender
• public invention due to Whitfield Diffie & Martin Hellman at Stanford U. in 1976
  – known earlier in classified community
51
Public-Key Characteristics
• Public-Key algorithms rely on two keys with the characteristics that it is:
  – computationally infeasible to find decryption key knowing only algorithm & encryption key
  – computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known
  – either of the two related keys can be used for encryption, with the other used for decryption (in some schemes)
Use blackboard
56
Block vs Stream Ciphers
• block ciphers process messages in blocks, each of which is then en/decrypted
• like a substitution on very big characters
  – 64-bits or more
• stream ciphers process messages a bit or byte at a time when en/decrypting
• many current ciphers are block ciphers
• hence are focus of course
58
Classical Substitution Ciphers
• where letters of plaintext are replaced by other letters or by numbers or symbols
• or if plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns
59
Caesar Cipher
• earliest known substitution cipher
• by Julius Caesar
• first attested use in military affairs
• replaces each letter by 3rd letter on
• example:
    meet me after the toga party
    PHHW PH DIWHU WKH WRJD SDUWB
60
Caesar Cipher
• can define transformation as:
    a b c d e f g h i j k l m n o p q r s t u v w x y z
    D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
• mathematically give each letter a number
    a  b  c  d  e  f  g  h  i  j  k  l  m
    0  1  2  3  4  5  6  7  8  9  10 11 12
    n  o  p  q  r  s  t  u  v  w  x  y  z
    13 14 15 16 17 18 19 20 21 22 23 24 25
• then have Caesar cipher as:
    C = E(p) = (p + k) mod 26
    p = D(C) = (C – k) mod 26
Cryptanalysis of Caesar Cipher
• only have 26 possible ciphers
  – A maps to A,B,..Z
• could simply try each in turn
• a brute force search
• given ciphertext, just try all shifts of letters
• do need to recognize when have plaintext
• eg. break ciphertext "PHHW PH DIWHU WKH WRJD SDUWB"
63
Monoalphabetic Cipher
• rather than just shifting the alphabet
• could shuffle (jumble) the letters arbitrarily
• each plaintext letter maps to a different random ciphertext letter
• hence key is 26 letters long
    Plain:      abcdefghijklmnopqrstuvwxyz
    Cipher:     DKVQFIBJWPESCXHTMYAUOLRGZN
    Plaintext:  ifwewishtoreplaceletters
    Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA
64
Monoalphabetic Cipher Security
• now have a total of 26! = 4 x 10^26 keys
• with so many keys, might think is secure
• but would be !!!WRONG!!!
• problem is language characteristics
65
Language Redundancy and Cryptanalysis
• human languages are redundant
• letters are not equally commonly used
• in English e is by far the most common letter then T,R,N,I,O,A,S
• other letters are fairly rare cf. Z,J,K,Q,X
• have tables of single, double & triple letter frequencies
67
Frequencies in Cryptanalysis
• key concept - monoalphabetic substitution ciphers do not change relative letter frequencies
• discovered by Arabian scientists in 9th century
• calculate letter frequencies for ciphertext
• compare counts/plots against known values
• if Caesar cipher look for common peaks/troughs
  – peaks at: A-E-I triple, NO pair, RST triple
  – troughs at: JK, X-Z
• for monoalphabetic must identify each letter
  – tables of common double/triple letters help
68
Example Cryptanalysis
• given ciphertext:
    UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZVUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSXEPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
• count relative letter frequencies
• guess P & Z are e and t
• guess ZW is th and hence ZWP is the
• proceeding with trial and error finally get:
    it was disclosed yesterday that several informal but
    direct contacts have been made with political
    representatives of the viet cong in moscow
69
Playfair Cipher
• not even the large number of keys in a monoalphabetic cipher provides security
• one approach to improving security was to encrypt multiple letters
• the Playfair Cipher is an example
• invented by Charles Wheatstone in 1854, but named after his friend Baron Playfair
70
Playfair Key Matrix
• a 5X5 matrix of letters based on a keyword
• fill in letters of keyword (sans duplicates)
• fill rest of matrix with other letters
• eg. using the keyword MONARCHY
    M O N A R
    C H Y B D
    E F G I K
    L P Q S T
    U V W X Z
71
Encrypting and Decrypting
• plaintext encrypted two letters at a time:
  1. if a pair is a repeated letter, insert a filler like 'X', eg. "balloon" encrypts as "ba lx lo on"
  2. if both letters fall in the same row, replace each with letter to right (wrapping back to start from end), eg. "ar" encrypts as "RM"
  3. if both letters fall in the same column, replace each with the letter below it (again wrapping to top from bottom), eg. "mu" encrypts to "CM"
  4. otherwise each letter is replaced by the one in its row in the column of the other letter of the pair, eg. "hs" encrypts to "BP", and "ea" to "IM" or "JM" (as desired)
Use blackboard
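The four Playfair rules and the MONARCHY key matrix, as an added example (not part of the original slides). It assumes J shares a cell with I, and that a doubled or trailing filler letter is padded with 'q'; both choices and all function names are assumptions of this example.

```python
ALPHABET = "abcdefghiklmnopqrstuvwxyz"  # 25 letters: j shares a cell with i


def build_matrix(keyword):
    """5x5 key matrix: keyword letters without duplicates, then the remaining letters."""
    cells = []
    for ch in keyword.lower().replace("j", "i") + ALPHABET:
        if ch in ALPHABET and ch not in cells:
            cells.append(ch)
    return [cells[i:i + 5] for i in range(0, 25, 5)]


def digrams(plaintext, filler="x"):
    """Rule 1: split into pairs, inserting a filler after a repeated or trailing letter."""
    letters = [c for c in plaintext.lower().replace("j", "i") if c in ALPHABET]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else None
        if b is None or a == b:
            pairs.append((a, filler if a != filler else "q"))
            i += 1
        else:
            pairs.append((a, b))
            i += 2
    return pairs


def transform_pair(matrix, a, b, step):
    """Rules 2-4; step=+1 encrypts, step=-1 decrypts."""
    pos = {matrix[r][c]: (r, c) for r in range(5) for c in range(5)}
    (ra, ca), (rb, cb) = pos[a], pos[b]
    if ra == rb:    # same row: shift along the row, wrapping around
        return matrix[ra][(ca + step) % 5] + matrix[rb][(cb + step) % 5]
    if ca == cb:    # same column: shift along the column, wrapping around
        return matrix[(ra + step) % 5][ca] + matrix[(rb + step) % 5][cb]
    return matrix[ra][cb] + matrix[rb][ca]  # rectangle: keep row, swap columns


def playfair_encrypt(plaintext, keyword):
    m = build_matrix(keyword)
    return "".join(transform_pair(m, a, b, 1) for a, b in digrams(plaintext)).upper()


def playfair_decrypt(ciphertext, keyword):
    m = build_matrix(keyword)
    letters = [c for c in ciphertext.lower().replace("j", "i") if c in ALPHABET]
    pairs = zip(letters[0::2], letters[1::2])
    return "".join(transform_pair(m, a, b, -1) for a, b in pairs)


if __name__ == "__main__":
    for row in build_matrix("monarchy"):
        print(" ".join(row).upper())
    for sample in ("ar", "mu", "hs", "ea", "balloon"):
        print(sample, "->", playfair_encrypt(sample, "monarchy"))
```

Decryption returns the filler letters too ("balxloon"), so the receiver has to drop them by reading the result.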
72
Security of the Playfair Cipher
• security much improved over monoalphabetic
• since have 26 x 26 = 676 digrams
• would need a 676 entry frequency table to analyse (versus 26 for a monoalphabetic) and correspondingly more ciphertext
• was widely used for many years (eg. US & British military in WW1)
• it can be broken, given a few hundred letters
• since still has much of plaintext structure
73
Hill cipher
• Hill 1929
• The encryption algorithm takes m successive plaintext letters and substitutes for them m ciphertext letters.
• K = {m × m invertible matrices over Z_26}
• Example: m = 3
Use blackboard
74
Hill cipher
• Hill cipher completely hides single letter frequencies (i.e. Hill cipher is strong against ciphertext only attack.)
• Hill cipher can be easily broken with a known plaintext attack (only need m plaintext-ciphertext pairs).
• Example: m = 3
Use blackboard
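Why m known plaintext-ciphertext pairs are enough, worked for m = 2 rather than the slide's m = 3, as an added example (not part of the original slides). It assumes the row-vector convention y = xK mod 26, and the sample key and the "friday" / "PQCFKU" pair are illustrative values that do not come from the slides. With two known blocks stacked as matrices X and Y, Y = XK, so K = X⁻¹Y whenever X is invertible mod 26.

```python
M = 26


def to_nums(text):
    """Letters to numbers, a=0 .. z=25."""
    return [ord(c) - ord("a") for c in text.lower() if c.isalpha()]


def mat_mul(a, b):
    """Matrix product modulo 26."""
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) % M
             for j in range(len(b[0]))] for i in range(len(a))]


def inverse_2x2(x):
    """Inverse of a 2x2 matrix mod 26; raises ValueError if det is not coprime to 26."""
    det = (x[0][0] * x[1][1] - x[0][1] * x[1][0]) % M
    det_inv = pow(det, -1, M)  # Python 3.8+: modular inverse
    return [[x[1][1] * det_inv % M, -x[0][1] * det_inv % M],
            [-x[1][0] * det_inv % M, x[0][0] * det_inv % M]]


def hill_encrypt(plaintext, key):
    """Encrypt 2-letter blocks as row vectors: y = x * key mod 26."""
    nums = to_nums(plaintext)
    if len(nums) % 2:
        raise ValueError("pad the plaintext to an even number of letters")
    blocks = [nums[i:i + 2] for i in range(0, len(nums), 2)]
    return "".join(chr(v + ord("A")) for row in mat_mul(blocks, key) for v in row)


def recover_key(known_plain, known_cipher):
    """Known-plaintext recovery: find two blocks whose matrix X is invertible, return X^-1 * Y."""
    p, c = to_nums(known_plain), to_nums(known_cipher)
    for i in range(0, len(p) - 3, 2):
        x = [p[i:i + 2], p[i + 2:i + 4]]
        y = [c[i:i + 2], c[i + 2:i + 4]]
        try:
            return mat_mul(inverse_2x2(x), y)
        except ValueError:
            continue  # this pair of blocks is not invertible mod 26; try the next
    raise ValueError("no invertible pair of plaintext blocks found")


if __name__ == "__main__":
    key = [[7, 19], [8, 3]]              # sample key, assumed for this example
    ct = hill_encrypt("friday", key)
    print(ct, recover_key("friday", ct))
```

A defender's takeaway is that any predictable plaintext (a fixed header, a known greeting) of m blocks exposes the whole key, because the cipher is linear.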
75
Polyalphabetic Ciphers
• another approach to improving security is to use multiple cipher alphabets
• called polyalphabetic substitution ciphers
• makes cryptanalysis harder with more alphabets to guess and flatter frequency distribution
• use a key to select which alphabet is used for each letter of the message
• use each alphabet in turn
• repeat from start after end of key is reached
76
Vigenère Cipher
• simplest polyalphabetic substitution cipher is the Vigenère Cipher
• effectively multiple caesar ciphers
• key is multiple letters long K = k_1 k_2 ... k_d
• i-th letter specifies i-th alphabet to use
• use each alphabet in turn
• repeat from start after d letters in message
• decryption simply works in reverse
79
Example
• write the plaintext out
• write the keyword repeated above it
• use each key letter as a caesar cipher key
• encrypt the corresponding plaintext letter
• eg using keyword deceptive
    key:        deceptivedeceptivedeceptive
    plaintext:  wearediscoveredsaveyourself
    ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ
80
Aids
• simple aids can assist with en/decryption
• expand into a Vigenère Tableau (see text Table 2.3)
82
Security of Vigenère Ciphers
• have multiple ciphertext letters for each plaintext letter
• hence letter frequencies are obscured
• but not totally lost
• start with letter frequencies
  – see if look monoalphabetic or not
• if not, then need to determine number of alphabets, since then can attack each
83
Kasiski Method
• method developed by Babbage / Kasiski
• repetitions in ciphertext give clues to period
• so find same plaintext an exact period apart which results in the same ciphertext
• of course, could also be random fluke
• eg repeated "VTW" in previous example
  – suggests size of 3 or 9
  – then attack each monoalphabetic cipher individually using same techniques as before
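The Vigenère example and the Kasiski step on its ciphertext, as an added example (not part of the original slides). Each distance between repeated trigrams votes for every period that divides it, so a single random fluke cannot veto the true period; the function names are this example's own.

```python
from collections import Counter, defaultdict
import string


def _shift(text, key, sign):
    """Apply the key letters in turn as Caesar shifts; sign=+1 encrypts, -1 decrypts."""
    letters = [c for c in text.lower() if c in string.ascii_lowercase]
    out = []
    for i, ch in enumerate(letters):
        k = ord(key[i % len(key)].lower()) - ord("a")
        out.append(chr((ord(ch) - ord("a") + sign * k) % 26 + ord("a")))
    return "".join(out)


def vigenere_encrypt(plaintext, key):
    return _shift(plaintext, key, +1).upper()


def vigenere_decrypt(ciphertext, key):
    return _shift(ciphertext, key, -1)


def repeated_ngrams(ciphertext, n=3):
    """Map each n-gram that occurs more than once to its start positions."""
    positions = defaultdict(list)
    for i in range(len(ciphertext) - n + 1):
        positions[ciphertext[i:i + n]].append(i)
    return {g: p for g, p in positions.items() if len(p) > 1}


def period_votes(ciphertext, n=3):
    """Kasiski: every divisor (>= 2) of a repeat distance is a candidate period."""
    votes = Counter()
    for positions in repeated_ngrams(ciphertext, n).values():
        for a, b in zip(positions, positions[1:]):
            d = b - a
            votes.update(p for p in range(2, d + 1) if d % p == 0)
    return votes


def split_columns(ciphertext, period):
    """Letters enciphered with the same key letter; each column is one Caesar cipher."""
    return [ciphertext[i::period] for i in range(period)]


if __name__ == "__main__":
    ct = vigenere_encrypt("wearediscoveredsaveyourself", "deceptive")
    print(ct)
    print(repeated_ngrams(ct))          # VTW at positions 3 and 12
    print(dict(period_votes(ct)))       # periods 3 and 9
    print(split_columns(ct, 9))
```

On a ciphertext this short each column holds only three letters, so the per-column frequency attack needs far more text than the slide's example provides.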
85
One-Time Pad (1/3)
• If a truly random key as long as the message is used, the cipher will be secure.
• It is called a One-Time pad (OTP)
    $P = C = K = (\mathbb{Z}_2)^n$, $n \ge 1$
    $k = (k_1, k_2, \ldots, k_n)$
    $x = (x_1, x_2, \ldots, x_n)$
    $y = (y_1, y_2, \ldots, y_n)$
    $e_k(x) = (x_1 \oplus k_1, x_2 \oplus k_2, \ldots, x_n \oplus k_n)$
    $d_k(y) = (y_1 \oplus k_1, y_2 \oplus k_2, \ldots, y_n \oplus k_n)$
86
One-Time Pad (2/3)
• One-Time pad is unbreakable since if k is random then y is random too (that is, ciphertext bears no statistical relationship to the plaintext) and for any plaintext & any ciphertext there exists a key mapping one to other.
• In practice, two fundamental difficulties
  – Supplying truly random keys of large volume is a significant task
  – Key distribution and protection are problematic
87
One-Time Pad (3/3)
• One-Time pad is of limited utility, and is useful primarily for low bandwidth channels requiring very high security.
89
Transposition Ciphers
• now consider classical transposition or permutation ciphers
• these hide the message by rearranging the letter order
• without altering the actual letters used
91
Rail Fence cipher
• write message letters out diagonally over a number of rows
• then read off cipher row by row
• eg. write message out as:
    m e m a t r h t g p r y
     e t e f e t e o a a t
• giving ciphertext
    MEMATRHTGPRYETEFETEOAAT
92
Row Transposition Ciphers
• a more complex scheme
• write letters of message out in rows over a specified number of columns
• then reorder the columns according to some key before reading off the rows
    Key:        3 4 2 1 5 6 7
    Plaintext:  a t t a c k p
                o s t p o n e
                d u n t i l t
                w o a m x y z
    Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ
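The two transposition examples reproduced in code, as an added example (not part of the original slides). The rail fence is limited to the two-row case shown on the slide, and the key 3 4 2 1 5 6 7 is read as the order in which the columns are taken; that reading is an assumption of this example, chosen because it reproduces the slide's ciphertext.

```python
def _letters(text):
    return [c for c in text.lower() if c.isalpha()]


def rail_fence_2(plaintext):
    """Two-row rail fence: alternate letters go to row 1 and row 2, then rows are read off."""
    letters = _letters(plaintext)
    return "".join(letters[0::2] + letters[1::2]).upper()


def row_transposition_encrypt(plaintext, key):
    """Write the message in rows of len(key) columns, then read columns in key order."""
    letters, cols = _letters(plaintext), len(key)
    if sorted(key) != list(range(1, cols + 1)):
        raise ValueError("key must be a permutation of 1..n")
    if len(letters) % cols:
        raise ValueError("pad the message so the last row is full")
    rows = [letters[i:i + cols] for i in range(0, len(letters), cols)]
    return "".join(row[c - 1] for c in key for row in rows).upper()


def row_transposition_decrypt(ciphertext, key):
    """Put each ciphertext chunk back into its column, then read the rows."""
    letters, cols = _letters(ciphertext), len(key)
    if len(letters) % cols:
        raise ValueError("ciphertext length must be a multiple of the key length")
    n_rows = len(letters) // cols
    grid = [[""] * cols for _ in range(n_rows)]
    for idx, c in enumerate(key):
        chunk = letters[idx * n_rows:(idx + 1) * n_rows]
        for r, ch in enumerate(chunk):
            grid[r][c - 1] = ch
    return "".join("".join(row) for row in grid)


if __name__ == "__main__":
    key = [3, 4, 2, 1, 5, 6, 7]
    print(rail_fence_2("meet me after the toga party"))
    ct = row_transposition_encrypt("attack postponed until two am xyz", key)
    print(ct)
    print(row_transposition_decrypt(ct, key))
```

Both outputs contain exactly the plaintext's letters, so single-letter frequencies are unchanged and reveal that a transposition, not a substitution, was used.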
93
Product Ciphers
• ciphers using substitutions or transpositions are not secure because of language characteristics
• hence consider using several ciphers in succession to make harder, but:
  – two substitutions make a more complex substitution
  – two transpositions make more complex transposition
  – but a substitution followed by a transposition makes a new much harder cipher
• this is bridge from classical to modern ciphers