CS 356 – Lecture 3 Cryptographic Tools - CS CSU … 356 – Lecture 3 Cryptographic Tools Spring 2013 . Review • Chapter 1: Basic Concepts and Terminology – Integrity, Confidentiality,

CS 356 – Lecture 3 Cryptographic Tools

Spring 2013

Review •  Chapter 1: Basic Concepts and Terminology

–  Integrity, Confidentiality, Availability, Authentication, and Accountability

– Types of threats: active vs. passive, insider/outsider

– Lots of terminology and general concepts •  Chapter 2: Basic Cryptographic Tools

– Symmetric key encryption and secure hashing

Message Authentication

Using a One-Way

Hash Function

publicly proposed by

Diffie and Hellman in

1976

based on mathematical functions

asymmetric •  uses two

separate keys •  public key

and private key

•  public key is made public for others to use

some form of protocol

is needed for distribution

• **

l  plaintext  l  readable  message  or  

data  that  is  fed  into  the  algorithm  as  input  

l  encryption  algorithm  l  performs  

transformations  on  the  plaintext  

l  public  and  private  key  l  pair  of  keys,  one  for  

encryption,  one  for  decryption  

l  ciphertext  l  scrambled  message  

produced  as  output  

l  decryption  key  l  produces  the  original  

plaintext  

• ***directed toward providing confidentiality

computationally easy to create key

pairs

computationally easy for sender

knowing public key to encrypt messages

computationally easy for receiver knowing private key to decrypt

ciphertext computationally

infeasible for opponent to

determine private key from public key

computationally infeasible for opponent to

otherwise recover original message

useful if either key can be used for

each role

RSA (Rivest, Shamir,

Adleman) developed in 1977

most widely accepted and implemented approach to

public-key encryption

block cipher in which the plaintext and ciphertext are integers between 0 and n-1

for some n.

Diffie-Hellman key exchange

algorithm

enables two users to securely reach agreement about a shared secret that

can be used as a secret key for subsequent symmetric encryption of messages

limited to the exchange of the keys

Digital Signature Standard

(DSS)

provides only a digital signature function with

SHA-1 cannot be used for

encryption or key exchange

Elliptic curve cryptography

(ECC) security like RSA, but with

much smaller keys

PubKey Algorithms

• Applications for Public-Key Cryptosystems

Digital Signatures

l used for authenticating both source and data integrity

l created by encrypting hash code with private key

l does not provide confidentiality l even in the case of complete encryption l message is safe from alteration but not

eavesdropping

Digital Envelopes

l  protects a message without needing to first arrange for sender and receiver to have the same secret key

•  ***equates to the same thing as a sealed envelope containing an unsigned letter

Random Numbers

l keys for public-key algorithms

l stream key for symmetric stream cipher

l symmetric key for use as a temporary session key or in creating a digital envelope

l handshaking to prevent replay attacks

l  session key

• Uses  include  generation  of:  

Summary •  introduced cryptographic algorithms •  symmetric encryption algorithms for

confidentiality •  message authentication & hash

functions •  public-key encryption •  digital signatures and key management •  random numbers

14

Cryptography is like magic fairy dust, we just sprinkle it on our protocols and its makes everything secure

15

A Simple DNS Attack

Caching DNS Server

Eric’s Laptop

www.ucla.edu A?

www.ucla.edu A 128.9.128.127

Root DNS Server

edu DNS Server

ucla.edu DNS Server

Dan’s Laptop

Easy to observe UDP DNS query sent to well known server on well known port.

www.ucla.edu A 169.232.33.135

First response wins. Second response is silently dropped.

And of course much more complex attacks…. (Bellovin 95 Kaminsky 08)

16

Secure DNS Query and Response

• Caching DNS Server

• End-user

• www.ucla.edu

•  www.ucla.edu = 169.232.33.135 • Plus (RSA) signature by the ucla.edu private key

• Authoritative DNS Servers

•  Follow the DNS tree to authenticate the response: 1)   Assume root public key is well known 2)   Root key signs edu key 3)   edu key signs ucla.edu key 4)   ucla.edu key signs the data

17

There is no magic fairy dust

What’s Next •  Read Chapter 1, 2, and 3

–  Chap 1: Focus on big picture and recurring concepts –  Chap 2: Identify cryptographic tools and properties

•  Homework 2 is Posted on Course Website –  Due Tuesday

•  Next Lecture Topics from Chapter 3 –  User Authentication