1 “He, who wants to defend everything, defends nothing.” --- Frederick, the Great
Jan 15, 2016
1
“He, who wants to defend everything, defends nothing.”
--- Frederick, the Great
2
Focus of a Security PlanReference: Thomas Calabrese,”Information Security Intelligence,” Thomson Delmar learning, 2004, pp 4
Scope: restricting the scope as much as possible
Prioritization Practicability
Some Examples of Attacks and a Hint about technologies
3
Example of a Security Incident: PhishingPhishing (mis)uses the following rule:If ASCII 00 and 01 characters are used
just prior to @ character, IE would not display the rest of the URL.
Example: http://www.whitehouse.gov%01%[email protected]/......
will show up as http://www.whitehouse.gov in the status bar, indicating as if the message is from the White House. However the response will go to the Hacker.
4
Anti-Phishing.org A Web site www.antiphishing.org, for reporting
incidents, set up by a group of global banks and technology
companies, led by Secure-messaging firm Tumbleweed Communications Corp
Fast Response required; The phishing Web sites: often only in place for a
day. Example: Dec 2003: Phishing e-mail appeared to
come from the U.K. bank NatWest. Anti-Phishing.org tracked the IP address to a
spoofed home computer in San Francisco. "The owner of the computer probably had no idea he'd been hijacked," says Dave Jevans, Tumbleweed's senior vice president of marketing.
5
Common attacks on Financial Institutions like
Banks through InternetCommon attacks: phishing (attempts to trick account holders to
give their account authentication details away), fraudulent association with the bank as part of
investment scams, and trademark violation Losses due to attacks:"The major banks don't want to divulge the amount
of losses. But just to give one example, a major Australian bank has put several million dollars in reserve since August 2003 to cover damages due to Internet frauds.“– Dave Jevans, eWeek, Dec 2003
6
An Example: time-to-market for Internet Security
products 16 December, 2003: Discovery of the
problem of Phishing 5 January 2004: Announcement of
development of a new Anti-phishing service by Netcraft, of Bath, England.
Netcraft says that the service is mainly for banks and other financial organizations
7
General Strategies for security Continuous vigilance by monitoring and
analysis reduce size of target: disable unneeded services limit access of attacker to target
systems hardening the OS and applications Use technologies, which cannot be
hacked easily
8
General Strategies for security: Technologies
Confidentiality: encrypting sensitive data
Integrity: Hashing, Digital Signatures
Authentication: Digital certificates Non-repudiation: Trusted Digital 3rd
part signatures
9
“Using encryption on the Internet is the equivalent of using an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench.“
--- Professor Eugene Spafford Purdue University
10
CRYPTOGRAPHY
Cryptography (from two words in Greek): means secret writing.
Cryptoanalysis: breaking of a cryptographic code
CRYPTOGRAPHY: process data into unintelligible form, reversibly/irreversibly without data loss usually one-to-one in size /compression
11
CryptographyServices, provided by cryptographic tools:
Encoding information into a form which makes the information unintelligible to an unauthorized person
integrity checking: no tampering authentication: not an impostor
Encryption or Enciphering
Encryption AlgorithmPlaintext
Key
Ciphertext
12
Why encrypt?
A few valid reasons for (reversibly) encrypting data are:
To prevent casual browsers from viewing sensitive data files
To prevent accidental disclosure of sensitive data
To prevent privileged users (e.g., system administrators) from viewing private data files
To complicate matters for intruders who attempt to search through a system's files
13
Kerckhoff’s principle
The security of an encryption scheme should depend upon only the secrecy of the key, and NOT on the secrecy of the algorithm.
14
Classification
Two types of Encryption Algorithms Reversible Irreversible
Two types of Keys Symmetric Asymmetric
15
Types of Cryptographic Algorithms:
Cryptographic Algorithms:• Secret Key
• Example: DES, AES (Rijndael)• Public Key
• Example: RSA, Rabin, El Gamal• Message Digest (Hash or cryptographic
checksum) Example : SHA 256
• Message Authentication Codes
16
Reversible Encryption
Reversible ENCRYPTION:
cleartext ENCRYPTION DEVICE encryption key
cleartext
can be used only when the same type of encryption software/equipment is available at both the ends
ciphertext
Decryption Device
Decryption key
17
Decryption Decryption or Deciphering
DecryptionAlgorithm
Ciphertext
Plaintext
Key
18
Fingerprinting Data Irreversible Encryption
Hash Functions
EncryptionAlgorithm
Plaintext
Collisions in the output?
Hash
19
Cryptographic Hash Functions (H) H : A transformation m = variable size input h = hash value : a fixed size string, also known as message digest or
fingerprint or compression function.
H(m)m h
20
Message Digest
VariableLengthMessage
HashingAlgorithm
Fixed LengthDigest
21
Uses of Hash Functions Integrity check for getting a document time- stamped
without revealing its contents to the time stamp service
Authentication through Digital Signatures For generation of pseudo-random
numbers to generate several keys from a single shared secret
Typical output of a Hash: 128 to 512 bits
22
A Cryptographic Hash functionProperties of Cryptographic Hash functions : One-way functions ‘Hard’ to invert : Computationally infeasible
to find some input m such that H(m) = h. Collision-resistant: a very large number of
collisions exist. But these cannot be found. Should be a random mapping from all
possible input values to the set of possible output values
23
Message Digest (MD)
• Consider an algorithm that generates outputs which are randomly distributed.
• Let the MD (output) be of n bits• 2n No of possible outputs.
• Since these are randomly distributed, the probability is that after 1.2 (2n )1/2 digests are computed, we may find the same value.
( Reference: statistical ideas of Birthday Paradox; Please see the last set of slides on Cryptoanalysis for a statement of the Paradox.)
• Thus for n = 128, it would be (1.2)264 .
24
DefinitionsWEAKLY COLLISION FREE HASH FUNCTION: Given a message m1. It is computationally infeasible to find m2
such that
m1 is not equal to m2, and, H(m1) = H(m2).
STRONGLY COLLISION FREE HASH FUNCTION:It is computationally infeasible to find any two
messages m1 and m2 such that H(m1) = H(m2).
25
Hash Functions: Collision-free ExampleExample: Consider a Hash of 128 bits.Weak: The probability of finding a
message m2 corresponding to a given hash value H(m1) is
2-128.Strong:The probability of finding two
messages with the same hash value (with no constraint on any of the two messages) is 2-64.
26
Properties of Cryptographic Hash functions (continued) H(m) is easy to compute. The input can be of any length. The output has a fixed length.
Notes 1: Consider a transformation of a sequence of length n1 to a sequence of length n2, where n1 > n2.
In such a case, there must exist multiple input sequences that map to the same fixed-length hash value.
27
Notes on hash functions (continued)
In the definitions of hash functions, it is only
required that ‘to find x’ should be computationally infeasible, even though we know that x exists.
2. Computationally Infeasible (CI) means that the time complexity of the algorithm should grow faster than any polynomial.
So CI means that it may take an extremely long time to compute x on even the fastest machine of the day.
28
Popular Hash Functions Iterative functions:
Split the message to equal sized blocks m1, m2,…… mk(padding for the last block)
Hi = h(Hi-1, mi), with H0 as a fixed value MD2 , MD4 and MD5 developed by Rivest. MD2 (1989 ): Optimized for 8 bit machine; MD4 (1990) , MD5 (1991) : Optimized for
32-bit machines . MD4 and MD5 : Both produce a 128-bit
hash value.
29
Popular Hash Function: MD5 MD4:
Den Boer and Bosselaers ( in a paper in 1991) discovered weaknesses.
was cracked by Dobbertin. He devised a method to generate collisions in MD4.
MD5 (Ref: RFC 1321) was supposed to be more secure. probability of MD5 collision 1/3x1038
1994: A non-fatal flaw discovered. SHA1 (Secure Hash Algorithm) :
Produces a 160 bit hash value from a message of less than 264 bits;
30
Popular Hash Function: SHA 1 SHA 1: designed by NSA and standardized by
NIST as a part of the Capstone project. (based on MD5 and 2 to 3 times slower than MD5) (Ref: RFC 3174 and FIPS 180-1)
Aug 2004: reported generating collisions in MD4 using "hand calculation", and in the family of MD4/MD5/SHA/RIPEMD. So its usage is now not recommended.*
*Reference: Xiaoyun Wang and Dengguo Feng and Xuejia Lai and Hongbo Yu,” Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD,” Cryptology ePrint Archive: Report 2004/199, http://eprint.iacr.org/2004/199.pdf
31
Popular Hash Functions: To be used today SHA 256, SHA 384 and SHA 512 (Ref:
FIPS 180-2)designed for use with AES with 128, 196 and 256
bits. Slower than SHA1; may take nearly as much time as encryption by AES.
SHA384 uses SHA 512 method and discards the remaining bits. So though it takes the same time as SHA 512, it is less secure.
Others: Snerfu: generates 128 bit or 256 bit hash;
Haval: produces 128, 160, 192, 224 or 256 bit hash.
32
Secret Key/ Symmetric Cryptography
Simpler and faster (than asymmetric by a factor of 1000)
For Integrity check, a fixed-length checksum for the message may have to be used; CRC* not sufficient
*Cyclic Redundancy Check
33
Symmetric Key Encryption
Also called Private/Secret key Encryption
Sender-endMessageby sender
Messageat receiver
Pr-key
Pr-key
EncryptedMessage
EncryptedMessage
Internet
Receiver-end
34
Symmetric Key Cipher Standards
Data Encryption Standard: the initial version developed by IBM as a US standard from 1975 to 1999
Advanced Encryption Standard The proposal from two belgian
professor accepted in Sept 2000 Declared in Nov 2001
35
Theoretical Basis of DESClaude Shannon’s theories: Recapitulation
1945: Introduce diffusion and confusion through cryptographic algorithms.
• Diffusion: Use permutation followed by some functional transformation.
• So that one ‘character’ in ciphertext = function of a large number of ‘characters’ in the
plaintext.• Thus if e is the most commonly used character in
English plaintext, it may not be so in the ciphertext. In ciphertext all the characters should have ideally
an equal frequency of occurrence.
36
Diffusion & Confusion : Recapitulation
• Diffusion: seeks to make statistical relationship between the plaintext and ciphertext as complex as possible. Diffuses the structure of the plaintext over a large part of the ciphertext.
• Confusion: makes the relationship between the statistics of the ciphertext and the encryption key as complex as possible.
• Achieved by using a complex substitution algorithm.
37
Substitution and permutationSubstitution or Permutation: easy to break by
using statistical analysis
For every language: frequency of characters, digrams ( two letter sequences) and trigrams are known. statistical analysis to decipher encrypted information.
English: e: the character with highest frequency
C: #define and #include in the beginning Protocols and tcpdump: repetitive, fixed
sized fields
38
Kerckhoff’s RuleThe strength of an encryption algorithm depends upon:
1. Design of the algorithm2. Key length3. Secrecy of the key ( requires proper
management of key distribution)1883: Jean Guillaumen Hubert Victor Fransois AlexandreAuguste Kerckhoff von Nieuwenhof: “ Cryptosystems shouldrely on the secrecy of the key, but not of algorithm.”
Advantages of Openness: 1994: A hacker published the source code of RC4, a secret encryption algorithm, designed by RSA Data security Inc. attacks, that exposed several weaknesses of RC4
39
Types of Cipher Algorithms Streaming Cipher: encrypts data bit
by bit Block cipher: encrypts a fixed- sized
block of data at a timeBlock ciphers: For a 64 bit block of plaintext, for
encryption to a 64-bit ciphertext, may need a table of 264 = 150 million terabytes.
For a block size of 128 bits, the table would require a memory of 5x1039 bytes.
40
DES Encryption: DES a public standard. But its design criterion has not been published.64 bit plaintext goes through• an Initial Permutation (IP).• 16 Rounds of a complex function fk as follows:
• Round 1 of a complex function fk with sub key K1 .• Round 2 of a complex function fk with sub key K2.
• Round 16 of a complex function fk with sub key K16
Every round ends with a swap of Left-half and Right-half. • an Inverse Initial Permutation (IP-1 ) to produce 64 bit ciphertext.
41
DES Round x: block of plaintext let x0 = IP (x) = L0:R0
16 rounds with f: cipher function Ki: sub-key for the ith round While i ≤ 16,xi = Li:Ri
Li = Ri-1
Ri = Li: f(Ri-1 , Ki)
42
Function Expansion permutation to get 48 bits from 32
bits of Ri : each input block of 4 bits contributes 2 bits to each output block Avalanche Effect: A small difference in plaintext causes quite different ciphertext
E(Ri-1) Ki S-boxes for converting 48 bits to 32 bits
output: Non-linear; provide major part of the strength of the cipher
Straight permutation XOR with left half Switch the left half and the right half
43
Key Schedule Algorithm Each sub-key Ki : 48 bits: obtained from a
56 bit key K Fixed Permutation: PC1(K) = C0:D0 A left circular shift (of 1 or 2 bits) on the
Left-half (C0 ) and Right-half (D0) separately (Output: C1 of 28 bits and D1 of 28 bits)
2 bits: for rounds 3-8 and 10-15 Compression permutation PC2 to get 48 bit
key Ki from Ci:Di Round-dependent left shifts different
parts of initial key create each sub-key
44
Sub Key GenerationThe input key: 56 bitsHardware Design: the 8, 16, 24, 32, 40, 48, 56
and 64th bit is always the odd parity bit. 64 bit key
Software design: the key is stated in ASCII code. Each character of 8 bits, with the first bit being zero plus 7 bits of code. (!)
Since DES was designed with the viewpoint ofhardware implementation, the conversion to 56bits is done by neglecting every 8th bit. PC1 converts to 56 bits and permutes.
45
Key Schedule K: 64 bit key C0: D0 =PC1(K) , 56 bit key 16 steps for i = 1-15: A left circularshift (of 1 or 2 bits) on the Left-half (Ci-1)
and Right-half (Di-1) separately (Output: Ci of 28 bits and Di of 28 bits)
16 Subkeys for i = 1-15: Ki = PC2(Ci : Di )
of 48 bits each
46
PC1: Obtaining C0 and D0
PC1 generates C0 and D0, the left and the right halves respectively.
C0 Read the first column of the input 64-bit key from bottom up. Write it row-wise from left to right. Repeat for the second, the third and the lower-half of the fourth column respectively.
D0 Read the seventh column of the input 64-bit key from bottom up. Write it row-wise from left to right. Repeat for the sixth, the fifth and the upper-half of the fourth column respectively.
Probably the conversion to the two halves was donedue to the limitation of the hardware of seventies.
47
Sub Key Generation: continued
Thus DES has a 56 bit key K consisting of C0 and D0.All the sub keys K1 to K16 are of 48 bits.To generate these keys, K goes through • A Permuted Choice (PC-1) (output C0 of 28 bits
and D0 of 28 bits).• A left circular shift (of 1 or 2 bits) on the Left-half (C0 )
and Right-half (D0) separately (Output: C1 of 28 bits and D1 of 28 bits)
followed by a Permuted Choice (PC-2) which permutes as well as ‘contracts’ to produce a sub-key K1 of 48 bits.
48
Sub Key Generation (continued)• A left circular shift (of 1 or 2 bits) on the Left-half (C1 ) and
Right-half (D1) separately (Output: C2 of 28 bits and D2 of 28 bits)
followed by a Permuted Choice (PC-2) which permutes as well as ‘contracts’ to produce a sub-key K2 of 48 bits.
• .• .• .• A left circular shift (of 1 or 2 bits) on the Left-half (C15 )
and Right-half (D15) separately (Output: C16 of 28 bits and D16 of 28 bits)
followed by a Permuted Choice (PC-2) which permutes as well as ‘contracts’ to produce a sub-key K16 of 48 bits.
49
Key Schedule KA = PC1(K) KB1 = LS-j(KA); LS-j is left circular shift by j bits, on the two halves ofthe 56 bits separately. j is given by Table 5. KB2 = LS-j(KB1) KB3 = LS-j(KB2) . KBi = LS-j(Kbi-1) . KB16 = LS-j(KB15) Ki = PC2(KBi)
50
i-th RoundThe part in yellow, in the previous slide, shows the subkey generation. After PC1, the circular rotations areindependent for the left half and the right-half.
ENCRYPTION: In the i-th round,Li = Ri-1
Ri = Li-1 F(Ri-1, Ki)
= Li-1 P(S( E(Ri-1) Ki ))Where E: expansion from 32 bits to 48 S: Using 8 S-boxes to convert 48 bits to 32 bits – each S box converts 6 bits to 4 bits
P: permutation
51
Expansion-Permutation (E/P):
• In figure 2, the E-table generates 48-bit output from 32 bit input by expansion-permutation by using table T6.
32 1 2 3 4 5 4 5 6 7 8 9 8 9 10 11 12 1312 13 14 15 16 1716 17 18 19 20 2120 21 22 23 24 2524 25 26 27 28 2928 29 30 31 32 1
Table T6: E/P
52
DES Decryption:
Decryption uses the same algorithm as encryption
except that the application of the sub-keys isreversed.:
• In the first round of decryption, sub-key K16 is used.• .• .• .• In the 16th round of decryption, sub-key K1 is used .
53
Decryption RelationsENCRYPTION: (from slide 49)Li = Ri-1
Ri = Li-1 F(Ri-1, Ki)
= Li-1 P(S( E(Ri-1) Ki ))Rewriting: DECRYPTION relations are:Ri-1= Li
Li-1 = Ri F(Ri-1, Ki)
On substituting the value of Ri-1 from the first decryption relation,
Li-1 = Ri F(Li, Ki)
54
Decryption Process First: IP on ciphertext: undoes the final
IP-1 step of encryption 16 Rounds: First round with subkey 16
undoes 16th round of encryption . . Sixteenth round with subkey 1 undoes
1st encryption round Last: IP-1 undoes the initial encryption IP
55
AES AES: designed by Joan Daemen and Vincent
Rijmen Initially known as Rijndael Cipher
56
Rijndael CipherThree steps: initial XOR of the block with the sub-key 1 has 9/11/13 rounds in which state undergoes:
byte substitution (The same S-box used on every byte)
shift rows(permute bytes between columns) mix columns (subs using matrix multiply of
groups) add round key (XOR state with separate sub-
keys for each round) Incomplete last (i.e. 10/12/14th) round (without
mix columns operation)
57
Rijandael Cipher continued The Rijndael cipher has a variable block
length and key length. currently keys with a length of 128, 192, or 256 bits
to encrypt blocks with a length of 128, 192 or 256 bits (all nine combinations of key length and block length are possible). Both block length and key length can be extended very easily by multiples of 32 bits.
Rijndael can be implemented efficiently on a wide range of processors and in hardware.
all operations can be combined into XOR and table lookups - hence very fast & efficient
58
Rijandael Cipher continued for 128 bit block: processes data as 4 groups
of 4 bytes each. Each group is shown as a column in a matrix
of four columns. Each column has 4 rows. Each cell of the 4x4 matrix contains one byte. The output in every round creates a new
state of 128 bits or of 4 columns of 4bytes each.
The ciphertext is the final output generated by the cipher system.
59
Steps of a Round Function Round function: uniform and parallel,
composed of 4 steps (except for the incomplete– without MixColumn-- last round)
Each step has its own particular function: ByteSub: non-linearity ShiftRow: inter-column diffusion Mix Column: inter-byte diffusion within columns Round key addition
Figure on slide 20: shows both encryption and decryption processes; STATE at corresponding levels for encryption and decryption is the same.
60
Pseudo Code for Encryption for the earlier rounds, and, for the last round Round(State, RoundKey) { Bytesub(State); ShiftRow(State); MixColumn(State); AddRoundKey(State, Roundkey); } For the last round, it is a little different:Round(State, RoundKey) { Bytesub(State); ShiftRow(State); AddRoundKey(State, Roundkey); }
61
Rijandael Cipher continued
62
Three Steps of Decryption initial XOR of the ciphertext with the sub-key has 9/11/13 rounds in which state undergoes:
InvByte substitution (The same Inverse S-box used on every byte)
InvShift rows(permute bytes between columns) InvMix columns (subs using matrix multiply of
groups) add round key (XOR state with separate sub-
keys for each round) Incomplete last (i.e. 10/12/14th) round (without
InvMix columns operation)
63
Pseudo Code for Decryption for the earlier rounds, and, for the last round Round(State, RoundKey) { InvByteSub(State); InvShiftRow(State); InvMixColumn(State); AddRoundKey(State, Roundkey); } For the last round, it is a little different:Round(State, RoundKey) { InvBytesub(State); InvShiftRow(State); AddRoundKey(State, Roundkey); }
64
Public Key/ Asymmetric Cryptography
invented in 1976 by Whitfield Diffie and Martin Hellman two keys: private (d), public (e) Both are mathematically related.REQUIREMENTS: Computationally infeasible
to derive one key from the other; to find out the private key from a chosen plaintext
attack much slower (about 1000 times) than secret key
cryptography
65
public-key cryptography (continued) public-key cryptography system requires
a trusted system for distributing public keys
RSA (Rivest, Shamir and Adelman) Algorithm is well known for the public key system.
APPLICATIONS a digital signature system to authenticate
that a message is really from whom it purports to be from
Pretty Good Privacy system, an e-mail system, uses the public key system for security.
66
public-key cryptography (continued)
67
Asymmetric/Public Key Encryption
Message
Message
B’s public
B’s private
EncryptedMessage
EncryptedMessage
Internet
A
B
key
key
68
public-key cryptography (continued) Data transmission: private key(d), public
key (e)
69
public-key cryptography (continued)Applications and Advantages: Storage: for safety: use public key of trusted
person Secret vs. Public Key system: secret key system: needs secret key for every pair
of persons, that wish to communicate n users n(n-1)/2 keys public key system: needs two keys for every
person, who wants to communicate. n users 2n keys
70
Digital certificate for getting Public Key reliably A digital certificate from a trusted party
may contain: The name of a person His e-mail address His public key
The recipient of the encrypted certificate uses the public key of the Certification Authority to decode the certificate.
Examples of CAs: www.verisign.com or www.thawte.com (Verisign’s liability limited to $100 only!)
Standard for certificate: X.509
71
Digital signatures Digital Signatures: A is to sign a Msg and
send it to B
Msg
Msg
Msg +EncodedDigest
DigestAlgorithm
Msg +EncodedDigest
DigestAlgorithm
Decode digest using Public key of A
Encoding using Private key of A
Digest
Digest
Compare
BA
72
Key management issues Distribution of keys for both symmetric and
asymmetric cases is a challenge, when the two communicating parties are located at a distance.
Certifying authorities, as mentioned earlier, help. But in view of the very limited liability, that the certifying authorities are ready to shoulder, it is not a complete solution.
73
Message/data EncryptionCombines conventional and public-key encryption
Session key
Recipient’s
Public key
data
Encrypt
Encrypt
Encrypted sessionkey
Encrypted data
74
Message/data EncryptionCombines conventional and public-key encryption
Session key
Recipient’s
Private key
data
Decrypt
Decrypt
Encrypted sessionkey
Encrypted data
Public-key encryption provides a secure channel to exchange symmetric encryption keys
75
Message Authentication CodesMAC: A sort of Hash function, which uses
a keym: message (can be of any size)K: fixed-size symmetric key known to both the sender and receiver
only
MAC: of fixed size m MACMAC Function
Key
76
MAC’s for integrity
Message Authentication code, adds a password/key to a hash
data
Mac
Password/key
Only the password holder(s) can generate the MAC
data
Message MAC
77
MAC continued A MAC function (also called a cryptographic
checksum) Need not be reversible. Many-to-one function
MAC provides Authentication and integrity If one more symmetric key is used, confidentiality
can be provided. This separates authentication and confidentiality
functionalities.
78
MAC continued Separation of Authentication and Confidentiality:
This may be required in a system wherein authentication may be at the application layer, whereas confidentiality may be required at a lower layer (like at transport layer.)
Or the recipient organisation may check for authentication at the entry system. The confidentiality may be required up to the final host within the recipient organization.
Does not provide signatures The recipient can forge the message. The sender can repudiate it.
79
HMAC: keyed Hashing for Message AuthenticationHMAC: An algorithm which uses a keyless hash
function and a cryptographic key to develop a MAC
Advantages: Hash functions are faster;no export controls on keyless hash functions. H: a keyless hash function Input: a block of b bytes Output: a hash of l bytesK: key no longer than b bytesK’:pad K, if required, so that K’ becomes b bytes
long
80
HMAC (continued)ipad: a sequence of b bytes obtained by repeating the byte
0011 0110opad: a sequence of b bytes obtained by repeating the byte
0101 1100Definition of a HMAC-H function with a key K and
message m: H(K,m) = H( (K’ XOR opad) ll H( (K’ XOR ipad) ll m) )
Reference: 1. M. Bellare, R. Kaneti and H.Krawczyk, ‘Keyed Hash Functions and Message Authentication,’ Advances in Cryptology- Proceedings of CRYPTO ’96, PP. 1-15 (1996) 2.H.Krawczyk, M. Bellare and R. Kaneti, ‘RFC 2104’, Feb 1997
81
Function for MAC HMAC:
MD5 or an SHA function may be used. Recommendation for a 128 bit security: SHA-
256 MAC may also be obtained by using a
block cipher and by throwing away all the blocks except the last block. This is called CBC-MAC.
CBC: cipher block chaining method However if it is used, the key for
encryption and the key for message authentication must be different.
Secondly it would be slower than HMAC.
82
Authentication issues If only the message between Alice and Bob is
authenticated, Eve could store the message and send it later again. Or Eve could send the message from Alice -- back to Alice
at some later time, spoofing it as a message from Bob. To avoid it, d = information like message
number, sender address and receiver address etc may be concatenated with m before creating a MAC.
If a protocol for time synchronization is being used by both the sender and the receiver, time in seconds after midnight at Greenwich may also be used. Alternatively a random number, called a nonce may also be usedfor the purpose.
83
Authentication issues ….2 Further problem: Version problem,
which may increase the size of fields. Example: Alice sends the older
version. Eve adds data to make it look to Bob as if Alice sent the new version. So version number has also to be added to d. RULE: Authentication at a higher layer only.
84
Cryptanalysis continuedCryptanalysis : It tries to locate the structures and
patterns of the plaintext in the ciphertext.
None of the cryptological methods can completelyeliminate the patterns and structures of the
plaintext in the ciphertext.
Polyalphabetic cipher where the substitutiondiffers from character to character in responseto a key, which is
as long as the message, and which is, truly random
can eliminate such patterns. But the key?
85
Cryptanalysis Methods: Finding the KeyAssumption: The hacker always knows the ciphertext
and the encryption algorithm.More is the information available to a hacker Easier is the analysis for finding the KeyTYPES OF ATTACKS: The type is dependent on the
amount of INFORMATION available to a Hacker:1.ciphertext only Analysis for key: Most difficult
2.Known plaintext-ciphertext pairs3.Chosen plaintext-ciphertext pairs4.Chosen ciphertext-plaintext pairs5.Chosen text (both 3 and 4) Analysis for key: Easiest
86
Two Definitions UNCONDITIONALLY SECURE: An encryption
algorithm for which no amount of ciphertext can make it possible for one to determine uniquely the corresponding plaintext.
There is no such algorithm available. COMPUTATIONALLY SECURE: An encryption
algorithm is said to be computationally secure if
The cost of breaking the cipher is more than the intrinsic value of the information, or,
the time required to break the cipher is more than the time over which the information is required to be confidential.
87
Exhaustive Key SearchKey Size No. of Average Time Possible keys at 1 decryption
per microsecond32 232 =4.3x109 231= 35.8m
56 256 = 7.2x1016 1142 y128 2128 = 3.4 x1038 5.4x1024 y26P 26!=4x1026 4x1026 =6.4x1012y
88
Large numbers and computational security -- as worked out by Dr Lawrie Brown It can be shown from energy consumption
considerations that the maximum number of possible elementary operations in 1000 years is about:
3 x 1048. Similarly if 10 atoms are needed to store a bit of
information, the greatest possible number of bits storable in a volume of say the moon is: 1045.
If for deciphering a cipher requires more operations than 3 x 1048, or needs more storage than 1045, it is pretty reasonable to say it is computationally secure.
Reference: Notes of Dr Lawrie Brown, Australian Defence ForceAcademy available at
http://www.williamstallings.com/Crypto3e.html
89
Exhaustive Key Search (continued)
A calculation in 1995 showed that: 56-bit key broken in 1 week with 120,000 processors
($6.7M); 56-bit key broken in 1 month with 28,000 processors
($1.6M); 64-bit key broken in 1 week with 3.1x 107 processors
($1.7B); 128-bit key broken in 1week with 5.6x 1026 processors
90
Brute Force Cryptoanalysis 1999: 56-bit key broken in 22.5 h with 1,800 chips
($250,000) (245 109 keys/s, or 4.08 microsecond for one key -- see eff.org); helped by distributed.net
1998: 56-bit key broken, on dedicated h/w, in a few days
1997: 56-bit key broken, by using a large number
of machines in parallel on the Internet, in a few months
91
Birthday paradox
A result from probability theory: Consider an element that has an equal probability of assuming any one of the N values. The probability of a collision is more than 50% after choosing 1.2√N values.
FunctionRandom input
One of k equally likely values
The same output can be expected after 1.2k1/2 inputs. Thus in a group of 23, two or more persons are likely to share the same birthday. (Put k = 365) Birthday attacks are used to find collisions of Hash functions
92
Birthday Bound A 64 bit key has 264 = 18x1018
different key values. But 232 = 4.3x109
A Key is selected at random. So after seeing 1.2x 232
transactions, a hacker can expect the same key to be used.
For an n-bit case, 2n/2 is called the Birthday Bound
93
Example of a Birthday AttackAssume A 64 bit key The first statement in a message is always the
same.A hacker listens to and stores all encrypted messages. When the FIRST encrypted sentence turns out to
be the same, he replaces the rest of the new message by the old message, that he has in his memory.
By Birthday Paradox, this is likely to happen after 232 transactions.
94
Example of a “Meet in the Middle” attack Generate 232 keys. Store encrypted messages of the first
sentence. Compare the first sentence of every
encrypted message on the net with each of the stored messages.
On getting a match, the Hacker knows the key. So he can now replace the remaining message by whatever he wants.