Network Security (ailab.cs.nchu.edu.tw/course/networksecurity/103/ns02.pdf)


Network Security

Lecture 2, March 9, 2015

洪國寶

2

Outline
• Review
• Cryptology
  – Introduction and terminologies
  – Definition of cryptosystem and cryptanalysis
  – Types of encryption
    • operations
    • the number of keys used
    • the way the plaintext is processed
  – Symmetric encryption -- Classical techniques
    • substitution:
      – monoalphabetic: Caesar, Playfair, Hill
      – polyalphabetic: Vigenere tableau
    • transposition

3

Review

• Grading policy
• Motivation
• Definitions
• Security services, mechanisms, and attacks (X.800)
• Basic network concept
• Security models

4

Review

• Grading (Tentative)
  – Homework 15% (You may collaborate when solving the homework, however when writing up the solutions you must do so on your own. No typed or printed assignments.)
  – Project 20% (Presentation and/or paper required)
  – Midterm exam 25% (Open book and notes)
  – Final exam 30% (Open book and notes)
  – Class participation 10%

5

Review: Motivation

• Hacker intrusion
• Password compromise (access control)
• Spam (data integrity)
• Program security
• Virus
• Denial of service

6

Review: Definitions

• Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers

• Network Security - measures to protect data during their transmission

• Internet Security - measures to protect data during their transmission over a collection of interconnected networks

7

Review: Security Goals

• The goal of security is to institute controls that preserve
  – secrecy: assets are accessible only by authorized parties;
  – integrity: assets can be modified only by authorized parties;
  – availability: assets are available to authorized parties.

8

Review: Services, Mechanisms, Attacks

• three aspects of information security:
  – security attack
  – security mechanism
  – security service

9

Review: Security Services (X.800)

• Authentication - assurance that the communicating entity is the one claimed

• Access Control - prevention of the unauthorized use of a resource

• Data Confidentiality - protection of data from unauthorized disclosure

• Data Integrity - assurance that data received is as sent by an authorized entity

• Non-Repudiation - protection against denial by one of the parties in a communication

10

Review: Security Mechanisms (X.800)

• Specific security mechanisms: May be incorporated into the appropriate protocol layer in order to provide some of the OSI security services.
  – encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization
• Pervasive security mechanisms: Mechanisms that are not specific to any particular OSI security service or protocol layer.
  – trusted functionality, security labels, event detection, security audit trails, security recovery

11

Review: Classify Security Attacks as

• Passive attacks - eavesdropping on, or monitoring of, transmissions to:
  – obtain message contents, or
  – monitor traffic flows
• Active attacks - modification of data stream to:
  – masquerade of one entity as some other
  – replay previous messages
  – modify messages in transit
  – denial of service

12

Review: Network concepts

• Terminology: node, host, link, terminal
• Media: cable, optical fiber, microwave
• Protocol: ISO reference model, TCP/IP
• Addressing: IP address, port, socket
• Type of network: LAN, WAN, internet
• Topology: common bus, star or hub, ring

13

Review: Internet Protocols vs OSI

[Figure: OSI reference model layers compared with the Internet protocol layers]
• OSI: Application, Presentation, Session, Transport, Network, Data Link, Physical
• Internet: Application, TCP, IP, Network Interface, Hardware

14

Review: Model for Network Communication Security

15

Review: Model for Network Access Security


17

Cryptology

• Introduction and terminologies
• Definition of cryptosystem and cryptanalysis
• Types of encryption
  – operations
  – the number of keys used
  – the way the plaintext is processed
• Symmetric encryption -- Classical techniques
  – substitution:
    • monoalphabetic: Caesar, Playfair, Hill
    • polyalphabetic: Vigenere tableau
  – transposition

18

Steganography vs Cryptography

• Types of transformation (in the model for network communication security)
  – Steganography: conceal the existence of the secret message (watermarking / data hiding)
  – Cryptography: render the secret message unintelligible to outsiders

19

Steganography

• hides existence of message
  – using only a subset of letters/words in a longer message marked in some way
  – using invisible ink
  – hiding in LSB in graphic image or sound file
• has drawbacks
  – high overhead to hide relatively few info bits

20

Steganography

21

The Bible Code

The Bible Code, by Michael Drosnin

22

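Ji Xiaolan (紀曉嵐) / Su Dongpo (蘇東玻)

• "The phoenix roams into the shade of the grain and the bird flies away; the horse walks beside the reeds and no grass grows" (鳳遊禾蔭鳥飛去, 馬走蘆邊草不生)

• "The sun sets and the incense fades, one dot is taken from the worldly heart; the fire dies and the stove grows cold, come and tether a horse fast" (日落香殘 去了凡心一點, 火盡爐寒 來把一馬栓牢)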

23

Basic Terminology
• plaintext - the original message
• ciphertext - the coded message
• cipher - algorithm for transforming plaintext to ciphertext
• key - info used in cipher known only to sender/receiver
• encipher (encrypt) - converting plaintext to ciphertext
• decipher (decrypt) - recovering plaintext from ciphertext
• cryptography - study of encryption principles/methods
• cryptanalysis (codebreaking) - the study of principles/methods of deciphering ciphertext without knowing key
• cryptology - the field of both cryptography and cryptanalysis


25

Definition of cryptosystems

A cryptosystem is a five-tuple (P,C,K,E,D), where the following conditions are satisfied:

1. $P$ is a finite set of possible plaintexts
2. $C$ is a finite set of possible ciphertexts
3. $K$, the key space, is a finite set of possible keys
4. For each $k \in K$, there is an encryption rule $e_K \in E$ and a corresponding decryption rule $d_K \in D$. Each $e_K : P \to C$ and $d_K : C \to P$ are functions such that $d_K(e_K(x)) = x$ for every plaintext $x \in P$.

26

Attacking a cryptosystem

• Cryptanalysis approach: this type of attack exploits
  – the characteristics of the algorithm plus perhaps
  – some knowledge of the general characteristics of the plaintext or even
  – some sample plaintext-ciphertext pairs.
• Brute force approach:
  – an attacker tries every possible key on a piece of ciphertext until intelligible translation into plaintext is obtained.

27

Types of Cryptanalytic Attacks
• ciphertext only
  – only know algorithm / ciphertext
• known plaintext
  – know/suspect plaintext & ciphertext to attack cipher
• chosen plaintext
  – select plaintext and obtain ciphertext to attack cipher
• chosen ciphertext
  – select ciphertext and obtain plaintext to attack cipher
• chosen text
  – select either plaintext or ciphertext to en/decrypt to attack cipher

Use blackboard

28

Kerckhoffs’s principle (1/4)

• Why did people publish their cryptosystem (DES, . . . )?
• Better: don’t publish your system but keep it secret!
• Auguste Kerckhoffs, “La Cryptographie Militaire”, 1883: Cryptographic systems should be designed in such a way that they are not compromised if the opponent learns the technique being used.
• In other words, the security should reside in the choice of key rather than in obscure design features.

29

Kerckhoffs’s principle (2/4)

• It is hard (and often impossible) to keep a cryptosystem in use secret!

• What if you fail to keep it secret?

30

Kerckhoffs’s principle (3/4)

• Designing a good cryptosystem is hard! Even experts get it wrong quite often: Most cryptosystems are broken after publication. Use a survivor!

• “. . . nothing substitutes for extensive peer review and years of analysis.” – B. Schneier

• If you don’t publish, nobody will analyze your scheme . . . except for the bad guys!

31

Kerckhoffs’s principle (4/4)

• Distinguish system itself (= algorithm), from key:
  – Key: secret, easy to change, chosen at random from large set of possible keys.
• Assume: Bad guys know system but don’t know key!

32

Types of attacks on encrypted messages

Brute-Force Attack

34

Brute Force Search

• always possible to simply try every key
• most basic attack, proportional to key size
• assume either know / recognise plaintext

35

Brute Force Search

• Input: C, K
  Output: M or k

  loop until an intelligible translation into plaintext is obtained (M is meaningful)
      k ← next untried key in K
      M ← D_k(C)
  output M or k
• Complexity: |K|/2 (expected number of iterations)

Use blackboard

36

More Definitions

• unconditional security
  – no matter how much computer power is available, the cipher cannot be broken since the ciphertext provides insufficient information to uniquely determine the corresponding plaintext
• computational security
  – given limited computing resources (eg time needed for calculations is greater than age of universe), the cipher cannot be broken

37

Modern cryptology

• Use computational complexity theory to design cryptosystems which provide good diffusion and confusion
  – diffusion: dissipates statistical structure of plaintext over bulk of ciphertext
  – confusion: makes relationship between ciphertext and key as complex as possible


39

Cryptographic systems

40

Cryptographic systems

• can characterize by:
  – type of encryption operations used
    • substitution / transposition / product
  – number of keys used
    • single-key or private / two-key or public
  – way in which plaintext is processed
    • block / stream

41

Type of operations

• Fundamental requirement: no information is lost (all operations are reversible)

• Substitution: each element in the plaintext (bit, letter, group of bits or letters) is mapped into another element

• Transposition: elements in the plaintext are rearranged.


43

Symmetric Encryption

• AKA conventional/private-key/single-key
• sender and recipient share a common key
• all classical encryption algorithms are private-key
• was only type prior to invention of public-key in 1970’s

44

Symmetric Cipher Model

45

46

Requirements

• two requirements for secure use of symmetric encryption:
  – a strong encryption algorithm
  – a secret key known only to sender / receiver
    $Y = E_K(X)$
    $X = D_K(Y)$
• assume encryption algorithm is known
• implies a secure channel to distribute key

47

Public-Key Cryptography

• probably most significant advance in the 3000 year history of cryptography
• uses two keys: a public & a private key
• AKA asymmetric encryption
• uses clever application of number theoretic concepts to function
• complements rather than replaces private key crypto

48

Public-Key Cryptography

• public-key/two-key/asymmetric cryptography involves the use of two keys:
  – a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures
  – a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures
• PKC is asymmetric because
  – those who encrypt messages or verify signatures cannot decrypt messages or create signatures

49

Public-Key Cryptography

50

Why Public-Key Cryptography?

• developed to address two key issues:
  – key distribution: how to have secure communications in general without having to trust a KDC with your key
  – digital signatures: how to verify a message comes intact from the claimed sender
• public invention due to Whitfield Diffie & Martin Hellman at Stanford U. in 1976
  – known earlier in classified community

51

Public-Key Characteristics

• Public-Key algorithms rely on two keys with the characteristics that it is:
  – computationally infeasible to find decryption key knowing only algorithm & encryption key
  – computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known
  – either of the two related keys can be used for encryption, with the other used for decryption (in some schemes)

Use blackboard

52

Public-Key Cryptosystems


Stream Cipher

Block Cipher

56

Block vs Stream Ciphers

• block ciphers process messages in blocks, each of which is then en/decrypted
• like a substitution on very big characters
  – 64-bits or more
• stream ciphers process messages a bit or byte at a time when en/decrypting
• many current ciphers are block ciphers
• hence are focus of course


58

Classical Substitution Ciphers

• where letters of plaintext are replaced by other letters or by numbers or symbols

• or if plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns

59

Caesar Cipher

• earliest known substitution cipher
• by Julius Caesar
• first attested use in military affairs
• replaces each letter by 3rd letter on
• example:
  meet me after the toga party
  PHHW PH DIWHU WKH WRJD SDUWB

60

Caesar Cipher

• can define transformation as:
  a b c d e f g h i j k l m n o p q r s t u v w x y z
  D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
• mathematically give each letter a number
  a  b  c  d  e  f  g  h  i  j  k  l  m
  0  1  2  3  4  5  6  7  8  9  10 11 12
  n  o  p  q  r  s  t  u  v  w  x  y  z
  13 14 15 16 17 18 19 20 21 22 23 24 25
• then have Caesar cipher as:
  $C = E(p) = (p + k) \bmod 26$
  $p = D(C) = (C - k) \bmod 26$

Cryptanalysis of Caesar Cipher

• only have 26 possible ciphers
  – A maps to A,B,..Z
• could simply try each in turn
• a brute force search
• given ciphertext, just try all shifts of letters
• do need to recognize when have plaintext
• eg. break ciphertext "PHHW PH DIWHU WKH WRJD SDUWB"

62

63

Monoalphabetic Cipher

• rather than just shifting the alphabet
• could shuffle (jumble) the letters arbitrarily
• each plaintext letter maps to a different random ciphertext letter
• hence key is 26 letters long

  Plain:      abcdefghijklmnopqrstuvwxyz
  Cipher:     DKVQFIBJWPESCXHTMYAUOLRGZN
  Plaintext:  ifwewishtoreplaceletters
  Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA

64

Monoalphabetic Cipher Security

• now have a total of 26! = 4 x 10^26 keys
• with so many keys, might think is secure
• but would be !!!WRONG!!!
• problem is language characteristics

65

Language Redundancy and Cryptanalysis

• human languages are redundant
• letters are not equally commonly used
• in English e is by far the most common letter, then T,R,N,I,O,A,S
• other letters are fairly rare, cf. Z,J,K,Q,X
• have tables of single, double & triple letter frequencies

66

English Letter Frequencies

67

Frequencies in Cryptanalysis
• key concept - monoalphabetic substitution ciphers do not change relative letter frequencies
• discovered by Arabian scientists in 9th century
• calculate letter frequencies for ciphertext
• compare counts/plots against known values
• if Caesar cipher look for common peaks/troughs
  – peaks at: A-E-I triple, NO pair, RST triple
  – troughs at: JK, X-Z
• for monoalphabetic must identify each letter
  – tables of common double/triple letters help

68

Example Cryptanalysis

• given ciphertext:
  UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZVUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSXEPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
• count relative letter frequencies
• guess P & Z are e and t
• guess ZW is th and hence ZWP is the
• proceeding with trial and error finally get:
  it was disclosed yesterday that several informal but direct contacts have been made with political representatives of the viet cong in moscow

69

Playfair Cipher

• not even the large number of keys in a monoalphabetic cipher provides security
• one approach to improving security was to encrypt multiple letters
• the Playfair Cipher is an example
• invented by Charles Wheatstone in 1854, but named after his friend Baron Playfair

70

Playfair Key Matrix

• a 5X5 matrix of letters based on a keyword
• fill in letters of keyword (sans duplicates)
• fill rest of matrix with other letters
• eg. using the keyword MONARCHY

  M O N A R
  C H Y B D
  E F G I K
  L P Q S T
  U V W X Z

71

Encrypting and Decrypting

• plaintext encrypted two letters at a time:
  1. if a pair is a repeated letter, insert a filler like 'X', eg. "balloon" encrypts as "ba lx lo on"
  2. if both letters fall in the same row, replace each with letter to right (wrapping back to start from end), eg. "ar" encrypts as "RM"
  3. if both letters fall in the same column, replace each with the letter below it (again wrapping to top from bottom), eg. "mu" encrypts to "CM"
  4. otherwise each letter is replaced by the one in its row in the column of the other letter of the pair, eg. "hs" encrypts to "BP", and "ea" to "IM" or "JM" (as desired)

Use blackboard

72

Security of the Playfair Cipher

• security much improved over monoalphabetic
• since have 26 x 26 = 676 digrams
• would need a 676 entry frequency table to analyse (versus 26 for a monoalphabetic) and correspondingly more ciphertext
• was widely used for many years (eg. US & British military in WW1)
• it can be broken, given a few hundred letters
• since still has much of plaintext structure

73

Hill cipher

• Hill 1929
• The encryption algorithm takes m successive plaintext letters and substitutes for them m ciphertext letters.
• $K = \{\, m \times m \text{ invertible matrices over } \mathbb{Z}_{26} \,\}$
• Example: m = 3

Use blackboard

74

Hill cipher

• Hill cipher completely hides single letter frequencies (i.e. Hill cipher is strong against ciphertext only attack.)

• Hill cipher can be easily broken with a known plaintext attack (only need m plaintext-ciphertext pairs).

• Example: m = 3

Use blackboard
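Why m known plaintext-ciphertext pairs are enough, as an added example that is not part of the original slides. It narrows the slide's m = 3 to m = 2 to stay short, uses the row-vector convention y = xK (an assumption), and the key and the message "friday" are constructed sample values.

```python
from math import gcd

M = 26


def to_nums(text):
    return [ord(c) - 65 for c in text.upper() if "A" <= c <= "Z"]


def to_text(nums):
    return "".join(chr(n + 65) for n in nums)


def mat_mul(a, b):
    """2x2 matrix product over Z26."""
    return [[sum(a[i][k] * b[k][j] for k in range(2)) % M for j in range(2)]
            for i in range(2)]


def mat_inv(m):
    """Inverse of a 2x2 matrix over Z26, or None if det is not coprime to 26."""
    det = (m[0][0] * m[1][1] - m[0][1] * m[1][0]) % M
    if gcd(det, M) != 1:
        return None
    d = pow(det, -1, M)
    return [[(d * m[1][1]) % M, (-d * m[0][1]) % M],
            [(-d * m[1][0]) % M, (d * m[0][0]) % M]]


def apply_key(key, text):
    """Encrypt each 2-letter block x as xK (pads an odd final letter with X)."""
    nums = to_nums(text)
    if len(nums) % 2:
        nums.append(23)
    out = []
    for i in range(0, len(nums), 2):
        x = nums[i:i + 2]
        out += [(x[0] * key[0][j] + x[1] * key[1][j]) % M for j in range(2)]
    return to_text(out)


def encrypt(key, plaintext):
    return apply_key(key, plaintext)


def decrypt(key, ciphertext):
    return apply_key(mat_inv(key), ciphertext)


def recover_key(plaintext, ciphertext):
    """Known-plaintext attack: stack two blocks as rows so C = P K, then K = P^-1 C."""
    p, c = to_nums(plaintext), to_nums(ciphertext)
    blocks = [(p[i:i + 2], c[i:i + 2]) for i in range(0, len(p) - 1, 2)]
    for i in range(len(blocks)):
        for j in range(i + 1, len(blocks)):
            p_inv = mat_inv([blocks[i][0], blocks[j][0]])
            if p_inv is not None:               # need an invertible plaintext matrix
                return mat_mul(p_inv, [blocks[i][1], blocks[j][1]])
    return None                                 # no usable pair of blocks


KEY = [[11, 8], [3, 7]]                         # constructed key, det = 1 mod 26

if __name__ == "__main__":
    ct = encrypt(KEY, "friday")
    print(ct, recover_key("friday", ct))
```

The attack is pure linear algebra, which is why hiding single-letter frequencies does not help once a little plaintext is known.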

75

Polyalphabetic Ciphers

• another approach to improving security is to use multiple cipher alphabets
• called polyalphabetic substitution ciphers
• makes cryptanalysis harder with more alphabets to guess and flatter frequency distribution
• use a key to select which alphabet is used for each letter of the message
• use each alphabet in turn
• repeat from start after end of key is reached

76

Vigenère Cipher

• simplest polyalphabetic substitution cipher is the Vigenère Cipher
• effectively multiple caesar ciphers
• key is multiple letters long $K = k_1 k_2 \ldots k_d$
• $i$th letter specifies $i$th alphabet to use
• use each alphabet in turn
• repeat from start after d letters in message
• decryption simply works in reverse

77

Example

• write the plaintext out
• write the keyword repeated above it
• use each key letter as a caesar cipher key
• encrypt the corresponding plaintext letter
• eg using keyword deceptive
  key:        deceptivedeceptivedeceptive
  plaintext:  wearediscoveredsaveyourself
  ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ

80

Aids

• simple aids can assist with en/decryption
• expand into a Vigenère Tableau (see text Table 2.3)

81

82

Security of Vigenère Ciphers

• have multiple ciphertext letters for each plaintext letter
• hence letter frequencies are obscured
• but not totally lost
• start with letter frequencies
  – see if look monoalphabetic or not
• if not, then need to determine number of alphabets, since then can attack each

83

Kasiski Method

• method developed by Babbage / Kasiski
• repetitions in ciphertext give clues to period
• so find same plaintext an exact period apart which results in the same ciphertext
• of course, could also be random fluke
• eg repeated "VTW" in previous example
  – suggests size of 3 or 9
  – then attack each monoalphabetic cipher individually using same techniques as before
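The Vigenère example and the Kasiski step on its ciphertext, as an added example that is not part of the original slides. Candidate periods are taken as the divisors of the gcd of all repeat distances, which is one simple way to turn the slide's "3 or 9" into code; function names are this example's own.

```python
from collections import defaultdict
from functools import reduce
from math import gcd

A = ord("A")


def vigenere(text, key, decrypt=False):
    """Each key letter is a Caesar shift; the key repeats every d letters."""
    sign = -1 if decrypt else 1
    shifts = [ord(k) - A for k in key.upper()]
    out, i = [], 0
    for ch in text.upper():
        if "A" <= ch <= "Z":
            shift = sign * shifts[i % len(shifts)]
            out.append(chr((ord(ch) - A + shift) % 26 + A))
            i += 1
    return "".join(out)


def repeated_ngrams(ciphertext, n=3):
    """Map every n-gram that occurs more than once to its start positions."""
    positions = defaultdict(list)
    for i in range(len(ciphertext) - n + 1):
        positions[ciphertext[i:i + n]].append(i)
    return {g: p for g, p in positions.items() if len(p) > 1}


def kasiski_periods(ciphertext, n=3):
    """Candidate key lengths: divisors (>= 2) of the gcd of repeat distances.

    A chance repeat (the slide's "random fluke") can shrink the gcd, so on
    long ciphertexts the most frequent factors are a more robust choice.
    """
    distances = []
    for pos in repeated_ngrams(ciphertext, n).values():
        distances += [b - a for a, b in zip(pos, pos[1:])]
    if not distances:
        return []
    g = reduce(gcd, distances)
    return [d for d in range(2, g + 1) if g % d == 0]


def split_columns(ciphertext, period):
    """Letters enciphered with the same key letter: each column is one Caesar cipher."""
    return [ciphertext[i::period] for i in range(period)]


if __name__ == "__main__":
    ct = vigenere("wearediscoveredsaveyourself", "deceptive")
    print(ct)
    print(repeated_ngrams(ct), kasiski_periods(ct))
    print(split_columns(ct, 9))
```

Each column returned by `split_columns` can then be attacked with the single-alphabet frequency techniques from the earlier slides, given enough ciphertext.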


85

One-Time Pad (1/3)
• If a truly random key as long as the message is used, the cipher will be secure.
• It is called a One-Time pad (OTP)

  $P = C = K = (\mathbb{Z}_2)^n$, $n \ge 1$
  $k = (k_1, k_2, \ldots, k_n)$
  $x = (x_1, x_2, \ldots, x_n)$
  $y = (y_1, y_2, \ldots, y_n)$

  $e_k(x) = (x_1 \oplus k_1, x_2 \oplus k_2, \ldots, x_n \oplus k_n)$
  $d_k(y) = (y_1 \oplus k_1, y_2 \oplus k_2, \ldots, y_n \oplus k_n)$

86

One-Time Pad (2/3)

• One-Time pad is unbreakable since if k is random then y is random too (that is, ciphertext bears no statistical relationship to the plaintext) and for any plaintext & any ciphertext there exists a key mapping one to other.

• In practice, two fundamental difficulties
  – Supplying truly random keys of large volume is a significant task
  – Key distribution and protection are problematic

87

One-Time Pad (3/3)

• One-Time pad is of limited utility, and is useful primarily for low bandwidth channels requiring very high security.


89

Transposition Ciphers

• now consider classical transposition or permutation ciphers

• these hide the message by rearranging the letter order

• without altering the actual letters used

90


Rail Fence cipher

• write message letters out diagonally over a number of rows
• then read off cipher row by row
• eg. write message out as:
  m e m a t r h t g p r y
   e t e f e t e o a a t
• giving ciphertext
  MEMATRHTGPRYETEFETEOAAT

92

Row Transposition Ciphers

• a more complex scheme
• write letters of message out in rows over a specified number of columns
• then reorder the columns according to some key before reading off the rows

  Key:        3 4 2 1 5 6 7
  Plaintext:  a t t a c k p
              o s t p o n e
              d u n t i l t
              w o a m x y z
  Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ
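The rail fence and row transposition examples above, with their inverses, as an added example that is not part of the original slides. It assumes a two-rail fence and reads the key as the order in which columns are read out top to bottom, which is the interpretation that reproduces the slide's ciphertext.

```python
def letters_only(message):
    return [c for c in message.upper() if "A" <= c <= "Z"]


def rail_fence_encrypt(message):
    """Two rails: letters alternate between rows, then rows are read in turn."""
    letters = letters_only(message)
    return "".join(letters[0::2] + letters[1::2])


def rail_fence_decrypt(ciphertext):
    top_len = (len(ciphertext) + 1) // 2       # top rail gets the extra letter
    top, bottom = ciphertext[:top_len], ciphertext[top_len:]
    return "".join(top[i // 2] if i % 2 == 0 else bottom[i // 2]
                   for i in range(len(ciphertext)))


def columnar_encrypt(message, key):
    """Write in rows of len(key) columns, read columns in the order the key lists."""
    letters = letters_only(message)
    cols = len(key)
    if len(letters) % cols:
        raise ValueError("pad the message so the last row is full")
    rows = [letters[i:i + cols] for i in range(0, len(letters), cols)]
    return "".join(row[k - 1] for k in key for row in rows)


def columnar_decrypt(ciphertext, key):
    cols = len(key)
    n_rows = len(ciphertext) // cols
    grid = [[None] * cols for _ in range(n_rows)]
    stream = iter(ciphertext)
    for k in key:                               # refill columns in read-out order
        for r in range(n_rows):
            grid[r][k - 1] = next(stream)
    return "".join("".join(row) for row in grid)


KEY = [3, 4, 2, 1, 5, 6, 7]                     # key from the slide

if __name__ == "__main__":
    print(rail_fence_encrypt("meet me after the toga party"))
    once = columnar_encrypt("attackpostponeduntiltwoamxyz", KEY)
    twice = columnar_encrypt(once, KEY)         # a second pass is still a transposition
    print(once, twice)
    print(columnar_decrypt(columnar_decrypt(twice, KEY), KEY))
```

Both ciphers only move letters, so the ciphertext keeps the plaintext's letter counts exactly; sorting the letters of input and output gives the same string.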

93

Product Ciphers

• ciphers using substitutions or transpositions are not secure because of language characteristics

• hence consider using several ciphers in succession to make harder, but:
  – two substitutions make a more complex substitution
  – two transpositions make more complex transposition
  – but a substitution followed by a transposition makes a new much harder cipher

• this is the bridge from classical to modern ciphers

94

Question?