Cryptography and network security

Aug 19, 2014

Transcript
Page 1: Cyptography and network security

UNIT-I: Security trends; OSI Security Architecture; Security Attacks; Security Services; Security Mechanisms; A Model for Network Security; Symmetric Cipher Model; Substitution Techniques and Transposition Techniques; Block Cipher Principles; The Data Encryption Standard and the Strength of DES; Differential and Linear Cryptanalysis; Block Cipher Design Principles; Evaluation Criteria for AES and the AES Cipher.

Page 2: Cyptography and network security

Cryptography

Cryptography is the study of Secret (crypto-) writing (-graphy).

2

Page 3: Cyptography and network security

Cryptography

Cryptography is the study of encryption principles and methods.

Cryptography deals with transforming messages so that they can be exchanged secretly over public communication channels.

3

Page 4: Cyptography and network security

Cryptanalysis

Cryptanalysis (code breaking) is the study of principles and methods for recovering the plaintext, or the key, from ciphertext without knowing the key.

4

Page 5: Cyptography and network security

Cryptology

Cryptography and cryptanalysis together are called cryptology.

5

Page 6: Cyptography and network security

Computer Security is the generic name for the collection of tools designed to protect data.

6

Page 7: Cyptography and network security

Network Security

Network security consists of measures to protect data during their transmission.

7

Page 8: Cyptography and network security

Internet security consists of measures to protect data during their transmission over a collection of interconnected networks.

8

Page 9: Cyptography and network security

Security trends: in 1994, the Internet Architecture Board (IAB) issued a report entitled "Security in the Internet Architecture" (RFC 1636).

The report stated the general agreement that the Internet needs more and better security, and it identified key areas for security mechanisms.

9

Page 10: Cyptography and network security

CERT Statistics: the security trend in Internet-related vulnerabilities reported to CERT over a 10-year period.

These include security weaknesses in the operating systems of attached computers as well as vulnerabilities in Internet routers and other network devices.

10

Page 11: Cyptography and network security

CERT Statistics

11

Page 12: Cyptography and network security

OSI Security Architecture

The OSI (open systems interconnection) security architecture provides a systematic framework for defining security attacks, mechanisms, and services.

12

Page 13: Cyptography and network security

Services, Mechanisms, Attacks

Consider three aspects of information security:
• security attack
• security mechanism
• security service

13

Page 14: Cyptography and network security

Security service

A service that enhances the security of data processing systems and information transfers.

A security service makes use of one or more security mechanisms.

14

Page 15: Cyptography and network security

Security Services:
• Authentication
• Access control
• Data confidentiality
• Data integrity
• Non-repudiation

15

Page 16: Cyptography and network security

Authentication: the process of verifying that a message comes from the sender it claims to come from, and more generally that a communicating entity is the one it claims to be.

16

Page 17: Cyptography and network security

Access Control: prevention of the unauthorized use of a resource.

17

Page 18: Cyptography and network security

Data Confidentiality: protection of data from unauthorized disclosure.

18

Page 19: Cyptography and network security

Data Integrity: assurance that data received are exactly as sent by an authorized entity (no modification, insertion, deletion, or replay).

19

Page 20: Cyptography and network security

Non-Repudiation: prevents either the sender or the receiver from denying a transmitted message.

20

Page 21: Cyptography and network security

Security Mechanism: a mechanism that is designed to detect, prevent, or recover from a security attack.

21

Page 22: Cyptography and network security

Encipherment

The use of mathematical algorithms to transform data into a form that is not readily intelligible.

22

Page 23: Cyptography and network security

Digital signature

A valid digital signature gives a recipient reason to believe that the message was created by a known sender.

23

Page 24: Cyptography and network security

Access control

A variety of mechanisms that enforce access rights to resources.

24

Page 25: Cyptography and network security

Data integrity

A variety of mechanism used to assure the integrity of a data unit.

25

Page 26: Cyptography and network security

Traffic padding

The insertion of bits into gaps in a data stream to avoid traffic analysis attempts.

26

Page 27: Cyptography and network security

Routing control

Enables selection of particular physically secure routes for data.

27

Page 28: Cyptography and network security

Notarization

The use of a trusted third party to assure certain properties of a data exchange.

28

Page 29: Cyptography and network security

Security Attack: any action that compromises the security of information. The terms threat and attack are often used to mean the same thing.

29

Page 30: Cyptography and network security

Passive attacks attempt to learn or make use of information from the system but do not affect system resources.

They are difficult to detect because they do not involve any alteration of the data; the emphasis is therefore on prevention (for example by encryption) rather than on detection.

30

Page 31: Cyptography and network security

Release of message contents

31

Page 32: Cyptography and network security

Traffic analysis

32

Page 33: Cyptography and network security

Active attacks attempt to alter system resources or affect their operation. They are easier to detect than passive attacks because they involve alteration of the data, but they are difficult to prevent absolutely.

33

Page 34: Cyptography and network security

Masquerade: a masquerade takes place when one entity pretends to be a different entity.

34

Page 35: Cyptography and network security

Masquerade

35

Page 36: Cyptography and network security

Replay

36

Page 37: Cyptography and network security

Modification of messages

37

Page 38: Cyptography and network security

Denial of service

38

Page 39: Cyptography and network security

Model for Network Security

39

Page 40: Cyptography and network security

Model for Network Security

Designing a security service involves four basic tasks:
• design a suitable algorithm for the security transformation
• generate the secret information (keys) used by the algorithm
• develop methods to distribute and share the secret information
• specify a protocol enabling the principals to use the transformation and the secret information for a security service

40

Page 41: Cyptography and network security

Model for Network Access Security

Page 42: Cyptography and network security

Symmetric Encryption

Symmetric encryption is also referred to as conventional encryption or single-key encryption.

All traditional schemes are symmetric / single-key / private-key encryption algorithms, with a single key used for both encryption and decryption.

Since sender and receiver share the same key, either can encrypt or decrypt messages using that common key; the key must therefore be kept secret by both parties.

Page 43: Cyptography and network security

Some Basic Terminology

• plaintext - original message
• ciphertext - coded message
• key - shared by both sender and receiver
• encipher (encrypt) - converting plaintext to ciphertext
• decipher (decrypt) - converting ciphertext to plaintext

Page 44: Cyptography and network security

Symmetric Cipher Model

Page 45: Cyptography and network security

Cryptography

Characterize a cryptographic system by:
• the type of encryption operations used: substitution / transposition / product
• the number of keys used: single-key (private) / two-key (public)
• the way in which the plaintext is processed: block / stream

Page 46: Cyptography and network security

Cryptanalysis

There are two general approaches to attacking a conventional encryption scheme:
• cryptanalytic attack
• brute-force attack

Page 47: Cyptography and network security

Cryptanalytic attack

Cryptanalytic attacks rely on the nature of the algorithm plus perhaps some knowledge of the general characteristics of the plaintext.

47

Page 48: Cyptography and network security

Brute-force attack

Brute-force attacks try every possible key on a piece of cipher text until plaintext is obtained.

48

Page 49: Cyptography and network security

Types of Encryption Schemes (tree recovered from the slide's diagram)

Encryption
• Classical: Substitution, Transposition, Steganography
• Rotor Machines
• Modern: Secret Key (Block, Stream), Public Key

49

Page 50: Cyptography and network security

Substitution Techniques: letters of plaintext are replaced by other letters or by numbers or symbols.

50

Page 51: Cyptography and network security

Caesar Cipher

The Caesar cipher involves replacing each letter of the alphabet with the letter standing k places further down the alphabet, for k in the range 1 through 25.

Page 52: Cyptography and network security

Caesar Cipher

• Mathematically, give each letter a number:
a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

• Then the Caesar cipher is:
c = E(p) = (p + k) mod 26
p = D(c) = (c - k) mod 26

Page 53: Cyptography and network security

Caesar Cipher

Example (k = 3):
plaintext:  meet me after the toga party
ciphertext: PHHW PH DIWHU WKH WRJD SDUWB

53

Page 54: Cyptography and network security

Brute-Force Cryptanalysis of Caesar Cipher

If it is known that a given cipher text is a Caesar cipher, then a brute-force cryptanalysis is easily performed.

Simply try all 25 possible keys and pick the candidate plaintext that reads as natural language.
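The Caesar cipher and its brute-force cryptanalysis from the preceding slides, as an added Python example (this is not code from the original slides). It implements the slide's formulas c = (p + k) mod 26 and p = (c - k) mod 26, runs the full 25-key search, and adds a crib filter that automates the "pick the readable candidate" step; the crib word is an assumption chosen for illustration.

```python
import string

ALPHABET = string.ascii_lowercase  # a=0, b=1, ..., z=25 as on the slide

def caesar_encrypt(plaintext, k):
    """c = E(p) = (p + k) mod 26 for each letter; other characters pass through.
    Output is upper-case, matching the slides' convention for ciphertext."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26].upper())
        else:
            out.append(ch)
    return "".join(out)

def caesar_decrypt(ciphertext, k):
    """p = D(c) = (c - k) mod 26: decryption is encryption with the negated key."""
    return caesar_encrypt(ciphertext, -k).lower()

def brute_force(ciphertext):
    """Return every candidate plaintext keyed by the shift that produced it.
    Only 25 keys exist, so the attacker simply reads through all of them."""
    return {k: caesar_decrypt(ciphertext, k) for k in range(1, 26)}

def recover_key(ciphertext, crib):
    """Automate the 'read through the candidates' step: keep only the keys whose
    candidate plaintext contains a word the attacker expects to see (a crib)."""
    return [k for k, cand in brute_force(ciphertext).items() if crib in cand]

if __name__ == "__main__":
    ct = caesar_encrypt("meet me after the toga party", 3)
    print(ct)                                   # PHHW PH DIWHU WKH WRJD SDUWB
    for k, cand in brute_force(ct).items():
        print(f"key {k:2d}: {cand}")
    print("keys consistent with crib 'the':", recover_key(ct, "the"))
```

With the slide's ciphertext only the key 3 yields a candidate containing "the", which is why such a small key space offers no security at all.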

54

Page 55: Cyptography and network security

55

Page 56: Cyptography and network security

Monoalphabetic Ciphers

A monoalphabetic substitution uses a single fixed substitution (one permutation of the alphabet) over the entire message, so each plaintext letter always maps to the same ciphertext letter.

56

Page 57: Cyptography and network security

Mono alphabetic Ciphers

Shuffle the letters and map each plaintext letter to a different random ciphertext letter:

Plain letters:  abcdefghijklmnopqrstuvwxyz
Cipher letters: DKVQFIBJWPESCXHTMYAUOLRGZN

Plaintext:  ifwewishtoreplaceletters
Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA

57

Page 58: Cyptography and network security

Monoalphabetic Cipher Security

• the monoalphabetic substitution cipher is not secure, even though there are 26! (more than 4 x 10^26) possible keys
• the problem is that the ciphertext preserves the language characteristics of the plaintext

Page 59: Cyptography and network security

Relative Frequency of Letters in English Text

59

Page 60: Cyptography and network security

Monoalphabetic Cipher

The relative frequency of the letters in the ciphertext can be determined and compared to a standard frequency distribution for English.

If the message is long enough, this technique alone might be sufficient; otherwise the analyst also uses digram and trigram frequencies and probable words.
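The monoalphabetic cipher of the previous slides and the frequency-analysis attack on it, as an added Python example (not code from the original slides). It encrypts with the slide's shuffled alphabet, then does what the cryptanalyst does: counts ciphertext letter frequencies and pairs them with English letters in rank order. The English frequency table is the commonly published set of averages and is a constructed input for this example.

```python
import math
import string
from collections import Counter

ALPHABET = string.ascii_lowercase

# Approximate relative frequencies (%) of letters in English text, a..z.
# Commonly published averages; a constructed table for this example.
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.8, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.1, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 1.0, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.07,
}

def key_space_size():
    """Number of monoalphabetic keys: every permutation of 26 letters, 26! > 4e26."""
    return math.factorial(26)

def make_key(cipher_letters):
    """Build the substitution table from the 26 ciphertext letters standing for a..z."""
    if sorted(cipher_letters.lower()) != list(ALPHABET):
        raise ValueError("key must be a permutation of the 26 letters")
    return dict(zip(ALPHABET, cipher_letters.upper()))

def mono_encrypt(plaintext, key):
    return "".join(key.get(ch, ch) for ch in plaintext.lower())

def mono_decrypt(ciphertext, key):
    inverse = {c: p for p, c in key.items()}
    return "".join(inverse.get(ch, ch) for ch in ciphertext.upper())

def letter_frequencies(text):
    """(letter, percentage) pairs, most frequent first: the attacker's first step."""
    letters = [ch for ch in text.lower() if ch in ALPHABET]
    return [(ch, 100.0 * n / len(letters)) for ch, n in Counter(letters).most_common()]

def guess_substitutions(ciphertext):
    """Pair ciphertext letters with English letters in rank order of frequency.
    The top few guesses are usually right for long texts; the analyst then
    refines the rest with digram/trigram statistics and probable words."""
    ranked_cipher = [ch for ch, _ in letter_frequencies(ciphertext)]
    ranked_english = sorted(ENGLISH_FREQ, key=ENGLISH_FREQ.get, reverse=True)
    return dict(zip(ranked_cipher, ranked_english))

if __name__ == "__main__":
    key = make_key("DKVQFIBJWPESCXHTMYAUOLRGZN")
    ct = mono_encrypt("ifwewishtoreplaceletters", key)
    print(ct, f"(key space {key_space_size():.2e})")
    print(letter_frequencies(ct)[:3])
    print(guess_substitutions(ct))
```

Even on the slide's 24-letter message the most frequent ciphertext letter (F) is correctly paired with plaintext e; a large key space does not help when the statistics of the plaintext leak through.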

60

Page 61: Cyptography and network security

Playfair Cipher

The Playfair algorithm is based on the use of a 5 x 5 matrix of letters constructed using a keyword; since the alphabet has 26 letters, I and J share one cell.

Plaintext is encrypted two letters at a time using this matrix.

61

Page 62: Cyptography and network security

62

Playfair Cipher
• Rules:
– Take the plaintext two letters (one pair) at a time
– If both letters of a pair are the same, insert a filler letter such as x between them (and pad a trailing single letter with a filler)
– Plaintext letters in the same row of the matrix are each replaced by the letter to the right (cyclically: the last letter of a row wraps to the first)
– Plaintext letters in the same column are each replaced by the letter beneath (cyclically: the bottom letter wraps to the top)
– Otherwise each plaintext letter is replaced by the letter that lies in its own row and in the column occupied by the other letter of the pair

Page 63: Cyptography and network security

Playfair Cipher

63

Keyword: LARGEST
Plaintext: mu st se ey ou (must see you)

Ciphertext: UZTBDLGZPN (UZ TB DL GZ PN)

Page 64: Cyptography and network security

Hill Cipher: the encryption algorithm takes m successive plaintext letters and substitutes for them m ciphertext letters.

The substitution is determined by m linear equations in which each character is assigned a numerical value (a = 0, b = 1, ..., z = 25).

64

Page 65: Cyptography and network security

Hill Cipher

65

Page 66: Cyptography and network security

Hill Cipher: in the 3 x 3 case, C and P are vectors of length 3 representing the ciphertext and plaintext, and K is a 3 x 3 matrix representing the encryption key. K must be invertible modulo 26 (its determinant must share no factor with 26) or decryption is impossible.

The worked example that follows uses the row-vector form C = PK; the column-vector form C = KP is equivalent with the key matrix transposed.

66

Page 67: Cyptography and network security

Hill Cipher: in general terms, the Hill cipher system can be expressed as follows:

C = E(K, P) = KP mod 26
P = D(K^-1, C) = K^-1 C mod 26 = K^-1 K P = P

(with row vectors, as in the worked example below, the same relations read C = PK mod 26 and P = CK^-1 mod 26)

67

Page 68: Cyptography and network security

Hill Cipher

68

Consider the message ‘CAT', and the key GYBNQKURP

Page 69: Cyptography and network security

For example, take the 3 x 3 key matrix (reconstructed from the determinant expansion and cofactors worked out on the following slides)

K = | 17 17  5 |
    | 21 18 21 |
    |  2  2 19 |

Plaintext: paymoremoney

m = 3, so the first block is (p a y) = (15 0 24).

Encryption (row vector times K):

(15 0 24) K = (15*17 + 0*21 + 24*2, 15*17 + 0*18 + 24*2, 15*5 + 0*21 + 24*19)
            = (303 303 531) mod 26 = (17 17 11) = RRL

So the ciphertext for "pay" is RRL. Continuing block by block gives RRLMWBKASPDH for the whole message.

Page 70: Cyptography and network security

For decryption you have to find K^-1, the inverse of K modulo 26 (the slides call the same matrix A).

How to find K^-1:
1. Compute the cofactor of each element of K.
2. Transpose the cofactor matrix; the result is the adjugate adj(K).
3. Compute det(K) mod 26 and its multiplicative inverse mod 26.
4. K^-1 = det(K)^-1 * adj(K) mod 26.

Cofactor matrix of K:
|  300 -357   6 |
| -313  313   0 |
|  267 -252 -51 |

adj(K), the transpose of the cofactor matrix:
|  300 -313  267 |
| -357  313 -252 |
|    6    0  -51 |

Determinant of K (expansion along the first row):
det(K) = 17(18*19 - 21*2) - 17(21*19 - 21*2) + 5(21*2 - 18*2)
       = 17*300 - 17*357 + 5*6
       = -939

Now K^-1 = det(K)^-1 * adj(K) mod 26.

-939 mod 26 = 23 (the easy way: keep adding 26 to -939 until the value is positive).

23^-1 mod 26 = 17, because 23 * 17 = 391 = 15*26 + 1, so 391 mod 26 = 1 (find a number s such that 23*s mod 26 = 1).

So K^-1 = 17 * adj(K) mod 26:

17 * |  300 -313  267 |   |  5100 -5321  4539 |
     | -357  313 -252 | = | -6069  5321 -4284 |
     |    6    0  -51 |   |   102     0  -867 |

mod 26 =
|  4  9 15 |
| 15 17  6 |
| 24  0 17 |

This is the inverse matrix. Check: (17 17 11) K^-1 mod 26 = (15 0 24), i.e. RRL decrypts back to "pay".
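The Hill cipher and the modular matrix inverse worked out above, as an added Python example (not code from the original slides). It uses the slides' row-vector convention C = PK mod 26, computes K^-1 by the cofactor/adjugate method exactly as the slides do, and refuses keys whose determinant has no inverse mod 26, the failure case a practitioner must check before using a key.

```python
import string

ALPHABET = string.ascii_lowercase
MOD = 26

# Key matrix of the slides' example (encryption is C = P K with row vectors).
K_EXAMPLE = [[17, 17, 5],
             [21, 18, 21],
             [2, 2, 19]]

def mod_inverse(a, m=MOD):
    """Smallest x with a*x = 1 (mod m); raises if gcd(a, m) != 1."""
    a %= m
    for x in range(1, m):
        if (a * x) % m == 1:
            return x
    raise ValueError(f"{a} has no inverse modulo {m}: key matrix is not invertible")

def _minor(m, i, j):
    return [row[:j] + row[j + 1:] for r, row in enumerate(m) if r != i]

def determinant(m):
    """Integer determinant by Laplace expansion along the first row (small m only)."""
    if len(m) == 1:
        return m[0][0]
    return sum((-1) ** j * m[0][j] * determinant(_minor(m, 0, j)) for j in range(len(m)))

def matrix_inverse_mod(k, mod=MOD):
    """K^-1 = det(K)^-1 * adj(K) mod 26, adj(K) being the transposed cofactor matrix."""
    n = len(k)
    det_inv = mod_inverse(determinant(k), mod)
    cofactors = [[(-1) ** (i + j) * determinant(_minor(k, i, j)) for j in range(n)]
                 for i in range(n)]
    adjugate = [[cofactors[j][i] for j in range(n)] for i in range(n)]
    return [[(det_inv * adjugate[i][j]) % mod for j in range(n)] for i in range(n)]

def _row_times_matrix(v, k):
    return [sum(v[i] * k[i][j] for i in range(len(k))) % MOD for j in range(len(k))]

def hill_encrypt(plaintext, k):
    """Encrypt m letters at a time as C = P K mod 26; a short last block is padded with x."""
    n = len(k)
    nums = [ALPHABET.index(ch) for ch in plaintext.lower() if ch in ALPHABET]
    nums += [ALPHABET.index("x")] * (-len(nums) % n)
    out = []
    for i in range(0, len(nums), n):
        out += _row_times_matrix(nums[i:i + n], k)
    return "".join(ALPHABET[c] for c in out).upper()

def hill_decrypt(ciphertext, k):
    """P = C K^-1 mod 26, i.e. encryption with the inverse matrix."""
    return hill_encrypt(ciphertext, matrix_inverse_mod(k)).lower()

if __name__ == "__main__":
    print(determinant(K_EXAMPLE), matrix_inverse_mod(K_EXAMPLE))
    print(hill_encrypt("paymoremoney", K_EXAMPLE))      # RRLMWBKASPDH
    print(hill_decrypt("RRLMWBKASPDH", K_EXAMPLE))      # paymoremoney
```

The Hill cipher is linear, so an attacker with m pairs of known plaintext/ciphertext blocks can solve for K directly; it survives today only as a teaching example.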

Page 72: Cyptography and network security

Polyalphabetic Ciphers

Each plaintext letter has multiple corresponding cipher text letters.

72

Page 73: Cyptography and network security

Vigenère Cipher

The Vigenère cipher is a method of encrypting alphabetic text by using a series of different Caesar ciphers based on the letters of a keyword.

It is a simple form of polyalphabetic substitution.

73

Page 74: Cyptography and network security

Vigenère Cipher

To encrypt a message, a key is needed that is as long as the message. Usually the key is a repeating keyword.

key:        deceptivedeceptivedeceptive
plaintext:  wearediscoveredsaveyourself
ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ

74

Page 75: Cyptography and network security

75

Page 76: Cyptography and network security

One-time pad: the one-time pad's security comes from its key. The key is EQUAL in length to the plaintext, COMPLETELY random, and used only once.

76

Page 77: Cyptography and network security

One-time pad

Message:              H  E  L  L  O
                      7  4 11 11 14
Key:                  X  M  C  K  L
                    +23 12  2 10 11
Message + key:       30 16 13 21 25
(mod 26):             4 16 13 21 25
Ciphertext:           E  Q  N  V  Z
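The Vigenère cipher and the one-time pad of the last few slides share the same arithmetic and differ only in the key, so this added Python example (not code from the original slides) implements both with one shift routine. It reproduces the slides' two examples, generates a pad from the OS random source, and shows the failure mode the "one-time" rule guards against: with a reused pad, subtracting two ciphertexts cancels the key and exposes the difference of the plaintexts. The second message WORLD is a constructed input.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase

def _letters(text):
    return [ch for ch in text.upper() if ch in ALPHABET]

def _shift(text, key, direction):
    """Letter i is shifted by key letter (i mod len(key)): a Caesar cipher whose
    shift changes with the position, so one plaintext letter maps to several
    ciphertext letters. direction = +1 encrypts, -1 decrypts."""
    t, k = _letters(text), _letters(key)
    if not k:
        raise ValueError("key must contain at least one letter")
    return "".join(ALPHABET[(ALPHABET.index(t[i]) + direction * ALPHABET.index(k[i % len(k)])) % 26]
                   for i in range(len(t)))

def vigenere_encrypt(plaintext, keyword):
    return _shift(plaintext, keyword, +1)

def vigenere_decrypt(ciphertext, keyword):
    return _shift(ciphertext, keyword, -1)

def one_time_pad_key(length):
    """A pad must come from a cryptographic random source; here the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def otp_encrypt(plaintext, pad):
    """Same arithmetic as Vigenère, but the key must be random, at least as long
    as the message, and never reused; the length rule is enforced here."""
    if len(_letters(pad)) < len(_letters(plaintext)):
        raise ValueError("one-time pad must be at least as long as the message")
    return _shift(plaintext, pad, +1)

def otp_decrypt(ciphertext, pad):
    if len(_letters(pad)) < len(_letters(ciphertext)):
        raise ValueError("one-time pad must be at least as long as the message")
    return _shift(ciphertext, pad, -1)

def pad_reuse_leak(ciphertext_a, ciphertext_b):
    """Why 'one-time' matters: if two messages use the same pad, subtracting the
    ciphertexts letter by letter cancels the pad and leaves the difference of the
    two plaintexts, which is enough for an attacker to recover both."""
    a, b = _letters(ciphertext_a), _letters(ciphertext_b)
    return "".join(ALPHABET[(ALPHABET.index(x) - ALPHABET.index(y)) % 26] for x, y in zip(a, b))

if __name__ == "__main__":
    print(vigenere_encrypt("wearediscoveredsaveyourself", "deceptive"))   # ZICVTWQNGRZGVTWAVZHCQYGLMGJ
    print(otp_encrypt("HELLO", "XMCKL"))                                  # EQNVZ
    c1, c2 = otp_encrypt("HELLO", "XMCKL"), otp_encrypt("WORLD", "XMCKL")
    print(pad_reuse_leak(c1, c2) == pad_reuse_leak("HELLO", "WORLD"))    # True: key cancelled
    print(otp_encrypt("HELLO", one_time_pad_key(5)))
```

A repeated keyword is what makes Vigenère breakable (the period can be found and each position attacked as a Caesar cipher); a truly random, never-reused pad removes exactly that structure.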

77

Page 78: Cyptography and network security

Transposition Encryption

The positions of the plaintext letters are changed (permuted); the letters themselves are not altered.

78

Page 79: Cyptography and network security

Rail Fence cipher: the simplest such cipher is the rail fence technique, in which the plaintext is written down as a sequence of diagonals and then read off as a sequence of rows.

The example message is: meet me after the toga party

e.g. write the message out on two rails as:
m e m a t r h t g p r y
 e t e f e t e o a a t

giving ciphertext: MEMATRHTGPRYETEFETEOAAT

Page 80: Cyptography and network security

Row Transposition Ciphers

A more complex transposition cipher is to write the message in a rectangle, row by row, and read the message off column by column, with the order of the columns permuted according to a key.

80

Page 81: Cyptography and network security

Row Transposition Ciphers

81
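The two transposition ciphers of the preceding slides, as an added Python example (not code from the original slides): a rail fence of any depth (depth 2 reproduces the slide) and a keyed row transposition with its decryption. The row-transposition key 4312567 and message are a constructed sample input; the padding letter x is an assumption for the example.

```python
def _zigzag(length, rails):
    """Rail index for each letter position: 0,1,..,rails-1,rails-2,..,0,1,..."""
    pattern, row, step = [], 0, 1
    for _ in range(length):
        pattern.append(row)
        if rails > 1:
            if row == 0:
                step = 1
            elif row == rails - 1:
                step = -1
            row += step
    return pattern

def rail_fence_encrypt(plaintext, rails=2):
    """Write the letters down the diagonals of the fence, read them off rail by rail."""
    letters = [ch for ch in plaintext.lower() if ch.isalpha()]
    fence = [[] for _ in range(rails)]
    for ch, row in zip(letters, _zigzag(len(letters), rails)):
        fence[row].append(ch)
    return "".join("".join(rail) for rail in fence).upper()

def rail_fence_decrypt(ciphertext, rails=2):
    """Rebuild the zigzag for the ciphertext length, cut the ciphertext into rails,
    then read the rails back in zigzag order."""
    pattern = _zigzag(len(ciphertext), rails)
    rails_text, pos = [], 0
    for r in range(rails):
        n = pattern.count(r)
        rails_text.append(list(ciphertext[pos:pos + n]))
        pos += n
    return "".join(rails_text[r].pop(0) for r in pattern).lower()

def row_transposition_encrypt(plaintext, key):
    """Write the message row by row under the key digits, then read the columns out
    in the order the key gives (the column labelled 1 first). The last row is padded
    with 'x'; in practice the padding should be random or agreed in advance."""
    cols = len(key)
    letters = [ch for ch in plaintext.lower() if ch.isalpha()]
    letters += ["x"] * (-len(letters) % cols)
    rows = [letters[i:i + cols] for i in range(0, len(letters), cols)]
    order = sorted(range(cols), key=lambda j: key[j])
    return "".join(row[j] for j in order for row in rows).upper()

def row_transposition_decrypt(ciphertext, key):
    """Refill the columns in key order, then read the rectangle row by row."""
    cols = len(key)
    n_rows = len(ciphertext) // cols
    order = sorted(range(cols), key=lambda j: key[j])
    grid = [[""] * cols for _ in range(n_rows)]
    pos = 0
    for j in order:
        for r in range(n_rows):
            grid[r][j] = ciphertext[pos]
            pos += 1
    return "".join("".join(row) for row in grid).lower()

if __name__ == "__main__":
    print(rail_fence_encrypt("meet me after the toga party"))            # MEMATRHTGPRYETEFETEOAAT
    print(rail_fence_decrypt("MEMATRHTGPRYETEFETEOAAT"))
    ct = row_transposition_encrypt("attack postponed until two am xyz", "4312567")
    print(ct, row_transposition_decrypt(ct, "4312567"))
```

Because a pure transposition keeps every plaintext letter, the ciphertext has exactly the letter frequencies of English; that alone tells an analyst which family of cipher was used.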

Page 82: Cyptography and network security

Rotor machine: in cryptography, a rotor machine is an electro-mechanical device used for encrypting and decrypting secret messages.

82

Page 83: Cyptography and network security

Example of Rotor Machine

83

Page 84: Cyptography and network security

Steganography

Steganography is the art and science of writing hidden messages in such a way that no one knows, apart from the sender and receiver.

84

Page 85: Cyptography and network security

Character marking: selected letters of printed or typewritten text are overwritten in pencil. The marks are ordinarily not visible unless the paper is held at an angle to bright light.

85

Page 86: Cyptography and network security

Invisible ink: a number of substances can be used for writing but leave no visible trace until heat or some chemical is applied to the paper.

86

Page 87: Cyptography and network security

Pin punctures:

Small pin punctures on selected letters are ordinarily not visible unless the paper is held up in front of a light.

87

Page 88: Cyptography and network security

Block Cipher Principles

A block cipher is an encryption/decryption scheme in which a block of plaintext is treated as a whole and used to produce a cipher text block of equal length.

88

Page 89: Cyptography and network security

Block Cipher: divide the input bit stream into n-bit sections (blocks) and encrypt one block at a time.

89

Page 90: Cyptography and network security

Block cipher versus Stream Ciphers

Block ciphers process messages in blocks; stream ciphers process messages one bit or byte at a time.

90

Page 91: Cyptography and network security

Reversible Mapping

Each block of plaintext must produce a unique ciphertext block, so that the mapping is one-to-one. Such a transformation is called reversible (nonsingular); only then can the ciphertext be decrypted.

91

Page 92: Cyptography and network security

Reversible Mapping

92

Page 93: Cyptography and network security

Irreversible Mapping

If two different plaintext blocks can produce the same ciphertext block, the mapping is not one-to-one. Such a transformation is called irreversible (singular): the receiver cannot tell which plaintext was sent, so it cannot be used for encryption.

93

Page 94: Cyptography and network security

Irreversible Mapping

94

Page 95: Cyptography and network security

Feistel cipher: a Feistel cipher is a symmetric structure used in the construction of block ciphers.

95

Page 96: Cyptography and network security

Confusion and Diffusion

• "Confusion" = Substitution (a nonlinear function), e.g. a -> b

• "Diffusion" = Transposition (a linear function), e.g. abcd -> dacb

96

Page 97: Cyptography and network security

Confusion Each bit of the cipher text block has highly nonlinear relations with the plaintext block

bits and the key bits.

97

Page 98: Cyptography and network security

Diffusion

Each plaintext block bit or key bit affects many bits of the cipher text block.

98

Page 99: Cyptography and network security

99

Page 100: Cyptography and network security

Feistel Cipher Structure: the inputs to the encryption algorithm are a plaintext block of length 2w bits and a key K. The plaintext block is divided into two halves, L0 and R0. The two halves of the data pass through n rounds of processing and then combine to produce the ciphertext block.

Each round i has as inputs L(i-1) and R(i-1), derived from the previous round, as well as a subkey Ki, derived from the overall K.

100

Page 101: Cyptography and network security

Feistel Cipher Structure

A substitution is performed on the left half of the data. This is done by applying a round function F to the right half of the data and then taking the exclusive-OR of the output of that function and the left half of the data.
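The round structure just described, as an added Python example (not code from the original slides): a generic Feistel network with the update Li = R(i-1), Ri = L(i-1) XOR F(R(i-1), Ki). The round function F and the subkey schedule are constructed for this example from SHA-256 and are not those of any standardised cipher; the point is that F need not be invertible, and that the same routine decrypts when the subkeys are fed in reverse order.

```python
import hashlib

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_function(right, subkey):
    """Toy F(R, K). It need not be invertible: the Feistel structure recovers L from
    R xor F(R, K) by recomputing F, never by inverting it. Constructed here from
    SHA-256; DES uses expansion, S-boxes and a permutation instead."""
    return hashlib.sha256(right + subkey).digest()[:len(right)]

def key_schedule(master_key, rounds):
    """One subkey per round, derived here as SHA-256(round number || K)[:8]."""
    return [hashlib.sha256(bytes([i]) + master_key).digest()[:8] for i in range(rounds)]

def feistel(block, subkeys):
    """Li = R(i-1), Ri = L(i-1) xor F(R(i-1), Ki) for each subkey in order, then
    swap the halves once more so the same routine decrypts when it is given the
    subkeys in reverse order."""
    if len(block) % 2:
        raise ValueError("block length must be even so it splits into two halves")
    half = len(block) // 2
    left, right = block[:half], block[half:]
    for k in subkeys:
        left, right = right, xor_bytes(left, round_function(right, k))
    return right + left

def encrypt(block, master_key, rounds=16):
    return feistel(block, key_schedule(master_key, rounds))

def decrypt(block, master_key, rounds=16):
    return feistel(block, key_schedule(master_key, rounds)[::-1])

if __name__ == "__main__":
    key, pt = b"sixteen byte key", b"feistel networks"   # constructed sample input
    ct = encrypt(pt, key)
    print(ct.hex())
    print(decrypt(ct, key))                              # b'feistel networks'
```

Stepping through one round of decryption shows why it works: the round receives (Rn, Ln), recomputes F(Ln, Kn), and XORs it with Rn = L(n-1) XOR F(R(n-1), Kn), which cancels to L(n-1) because Ln = R(n-1).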

101

Page 102: Cyptography and network security

Feistel Cipher structure

102

Page 103: Cyptography and network security

Feistel Cipher structure

103

Page 104: Cyptography and network security

Feistel Cipher Design Elements
• block size - increasing the block size improves security but decreases the encryption speed
• key size - increasing the key size improves security but decreases the encryption speed
• number of rounds - increasing the number of rounds improves security but decreases the encryption speed

104

Page 105: Cyptography and network security

Feistel Cipher Design Elements
• subkey generation algorithm - greater complexity can make analysis harder but decreases the encryption speed
• round function - greater complexity can make analysis harder but decreases the encryption speed

105

Page 106: Cyptography and network security

Simplified DES: developed in 1996 as a teaching tool at Santa Clara University by Prof. Edward. It takes an 8-bit block of plaintext and a 10-bit key and produces an 8-bit block of ciphertext. Decryption takes the 8-bit block of ciphertext and the same 10-bit key and produces the original 8-bit block of plaintext.

106

Page 107: Cyptography and network security

107

Page 108: Cyptography and network security

Five Functions to Encrypt

• IP - an initial permutation
• fk - a complex, 2-input function
• SW - a simple permutation that swaps the two nibbles
• fk - the complex, 2-input function again
• IP^-1 - the inverse of the initial permutation

108

Page 109: Cyptography and network security

109

Page 110: Cyptography and network security

110

Page 111: Cyptography and network security

111

Page 112: Cyptography and network security

112

Page 113: Cyptography and network security

113

Page 114: Cyptography and network security

114

Page 115: Cyptography and network security

115

Page 116: Cyptography and network security

116

Page 117: Cyptography and network security

DES

The Data Encryption Standard (DES) is a symmetric block cipher: the same shared secret key is used for encryption and decryption.

Data are encrypted in 64-bit blocks using a 56-bit key. The algorithm transforms a 64-bit input in a series of steps into a 64-bit output.

117

Page 118: Cyptography and network security

DES

• Adopted in 1977 as the US Government standard encryption technique (FIPS PUB 46)

• Utilizes a 56-bit symmetric key
• Cracked by exhaustive key search in 1998
• Replaced by AES (published 2001, effective 2002), which utilizes 128-, 192- or 256-bit keys

118

Page 119: Cyptography and network security

119

Page 120: Cyptography and network security

DES

• First, the 64-bit plaintext passes through an initial permutation (IP) that rearranges the bits to produce the permuted input.

• This is followed by a phase consisting of 16 rounds of the same function, which involves both permutation and substitution functions.

120

Page 121: Cyptography and network security

DES

• The output of the last (sixteenth) round consists of 64 bits that are a function of the input plaintext and the key.

• The left and right halves of the output are swapped to produce the preoutput.

• Finally, the preoutput is passed through a permutation (IP-1) that is the inverse of the initial permutation function, to produce the 64-bit cipher text.

121

Page 122: Cyptography and network security

64 Bit input

122

Page 123: Cyptography and network security

Initial permutation

123

Page 124: Cyptography and network security

124

Page 125: Cyptography and network security

Figure 23-13

Permutation

125

Page 126: Cyptography and network security

Details of a Single Round
• uses two 32-bit halves, L and R
• as for any Feistel cipher, can describe as:

Li = R(i-1)

Ri = L(i-1) XOR F(R(i-1), Ki)

• F takes the 32-bit R half and the 48-bit subkey:

– expands R to 48 bits using permutation E
– adds the subkey using XOR
– passes the result through 8 S-boxes to get a 32-bit result
– finally permutes it using the 32-bit permutation P

126

Page 127: Cyptography and network security

127

Page 128: Cyptography and network security

Expansion Permutation E (figure): the 32-bit half R is expanded to 48 bits; the bits at the edges of each 4-bit group (1, 4, 5, 8, 9, 12, 13, 16, 17, 20, 21, 24, 25, 28, 29, 32) are each used twice, so that every 6-bit S-box input overlaps its neighbours.

Page 129: Cyptography and network security

Definition of DES S-Boxes

129

Page 130: Cyptography and network security

S-Boxes
• The substitution consists of a set of eight S-boxes, each of which accepts 6 bits as input and produces 4 bits as output.

• The first and last bits of the input to box Si form a 2-bit binary number that selects the row of the table for Si.

• The middle four bits select one of the sixteen columns.

130

Page 131: Cyptography and network security

Example

• For example, in S1 for input 011001, the row is 01 (row 1) and the column is 1100 (column 12).

• The value in row 1, column 12 is 9, so the output is 1001.
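The S-box lookup rule of the two preceding slides, as an added Python example (not code from the original slides). The table S1 is the first DES S-box as published in FIPS PUB 46; the two checks at the end test design criteria of the DES S-boxes that the slides do not spell out: every row is a permutation of 0..15, and any two inputs differing in a single bit give outputs differing in at least two bits, which is where the avalanche effect starts.

```python
# S1, the first of the eight DES S-boxes, as published in FIPS PUB 46.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox_lookup(sbox, six_bits):
    """6-bit input b1..b6 -> 4-bit output. Row = b1 b6 (outer bits), column = b2..b5."""
    if not 0 <= six_bits < 64:
        raise ValueError("S-box input must be 6 bits")
    row = ((six_bits >> 5) & 1) << 1 | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return sbox[row][col]

def sbox_from_bits(sbox, bits):
    """The slides' notation: sbox_from_bits(S1, '011001') -> 9, i.e. output 1001."""
    return sbox_lookup(sbox, int(bits, 2))

def rows_are_permutations(sbox):
    """Design criterion: each row is a permutation of 0..15, so for a fixed row the
    four middle input bits map one-to-one onto the four output bits."""
    return all(sorted(row) == list(range(16)) for row in sbox)

def min_output_change_for_one_bit_flip(sbox):
    """Design criterion behind the avalanche effect: inputs that differ in one bit
    give outputs that differ in at least two bits. Returns the minimum over all
    64 inputs x 6 single-bit neighbours."""
    best = 4
    for x in range(64):
        for bit in range(6):
            diff = sbox_lookup(sbox, x) ^ sbox_lookup(sbox, x ^ (1 << bit))
            best = min(best, bin(diff).count("1"))
    return best

if __name__ == "__main__":
    print(format(sbox_from_bits(S1, "011001"), "04b"))          # 1001
    print(rows_are_permutations(S1), min_output_change_for_one_bit_flip(S1))
```

The same lookup function serves all eight boxes; only the table changes. The nonlinearity of these tables is the sole source of "confusion" in DES, which is why the secrecy of their design criteria was the main objection to the algorithm (see "The Nature of the DES algorithm" below).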

131

Page 132: Cyptography and network security

S-Boxes

132

Page 133: Cyptography and network security

133

Page 134: Cyptography and network security

Key Generation

134

Page 135: Cyptography and network security

64 bit input key

135

Page 136: Cyptography and network security

Permuted Choice One (PC-1)

136

Page 137: Cyptography and network security

Permuted Choice Two (PC-2)

137

Page 138: Cyptography and network security

Schedule of Left Shifts

138

Page 139: Cyptography and network security

Avalanche Effect

A small change in the plaintext or in the key results in a significant change in the cipher text.

DES provides a strong avalanche effect Changing 1 bit in the plaintext affects 34 bits in the cipher text on average.

139

Page 140: Cyptography and network security

Avalanche Effect in DES

140

Page 141: Cyptography and network security

The Strength of DES

• The use of a 56-bit key
• The nature of the DES algorithm
• Timing attacks

141

Page 142: Cyptography and network security

The use of 56 bit key

• With a key length of 56 bits, there are 2^56 (about 7.2 x 10^16) possible keys.

• A single machine performing one DES encryption per microsecond would take more than a thousand years (2^55 microseconds on average) to break the cipher; a parallel machine with a million such devices brings this down to hours.

142

Page 143: Cyptography and network security

The Nature of the DES algorithm

The eight S-boxes used in each iteration: their design criteria were not published when DES was adopted, raising the concern that they might contain hidden weaknesses.

143

Page 144: Cyptography and network security

Timing Attacks: a timing attack is one in which information about the key or the plaintext is obtained by observing how long it takes a given implementation to perform decryptions on various ciphertexts.

144

Page 145: Cyptography and network security

Differential Cryptanalysis

• Differential cryptanalysis is the first published attack that is capable of breaking DES in less than 2^55 encryptions (it needs about 2^47 chosen plaintexts).

• It is a powerful method for analysing block ciphers.

Page 146: Cyptography and network security

Differential Cryptanalysis

differential cryptanalysis compares two related pairs of encryptions.

it is feasible to determine the sub key used in the function f.

The differential cryptanalysis attack is complex.

146

Page 147: Cyptography and network security

Differential Cryptanalysis Compares Pairs of Encryptions

• with a known difference in the input
• searching for a known difference in the output
• when the same subkeys are used

Page 148: Cyptography and network security

Linear Cryptanalysis

• another recent development
• also a statistical method
• must be iterated over rounds, with decreasing probabilities
• developed by Matsui in the early 90's
• based on finding linear approximations
• can attack DES with 2^43 known plaintexts, easier than differential cryptanalysis but still infeasible in practice

Page 149: Cyptography and network security

Linear Cryptanalysis

For example, the following equation states that the XOR sum of the first and third plaintext bits (of a block) and the first ciphertext bit equals the second key bit. Such an approximation does not hold always but with some probability p different from 1/2; the bias |p - 1/2| is what the attack exploits.

P1 XOR P3 XOR C1 = K2

Page 150: Cyptography and network security

Block Cipher Design

• basic principles still like Feistel's in the 1970's
• number of rounds - more is better; exhaustive search should remain the best attack
• function f - provides "confusion", is nonlinear, has good avalanche; the open issue is how the S-boxes are selected
• key schedule - complex subkey creation, key avalanche

Page 151: Cyptography and network security

AES

• DES finally proved insecure in July 1998, when the Electronic Frontier Foundation (EFF) announced that it had broken a DES encryption using a special-purpose "DES cracker" machine that was built for less than $250,000.

• The Advanced Encryption Standard (AES) was published by NIST (National Institute of Standards and Technology) in 2001.

151

Page 152: Cyptography and network security

AES

AES is a block cipher intended to replace DES for commercial applications.

It uses a 128-bit block size and a key size of 128, 192 or 256 bits. AES does not use a Feistel structure; every round transforms the whole block.

152

Page 153: Cyptography and network security

Evaluation Criteria for AES

153

Page 154: Cyptography and network security

Security: the minimum key size for AES is 128 bits, so brute-force attacks with current and projected technology were considered impractical.

154

Page 155: Cyptography and network security

COST

The algorithm(s) specified in the AES shall be available on a worldwide, non-exclusive, royalty-free basis.

155

Page 156: Cyptography and network security

Computational efficiency

Computational efficiency refers to the speed of the algorithm.

156

Page 157: Cyptography and network security

Memory requirement

The memory required to implement a candidate algorithm for both hardware and software implementations of the algorithm will also be considered during the evaluation process.

157

Page 158: Cyptography and network security

Algorithm and implementation characteristics

This category includes a variety of considerations, including flexibility; suitability for a variety of hardware and software implementations.

158

Page 159: Cyptography and network security

Key Agility Key agility refers to the ability to change

keys quickly and with a minimum of resources.

159

Page 160: Cyptography and network security

The AES Cipher
• The input to the encryption and decryption algorithms is a single 128-bit block.
• This block is copied into the State array, which is modified at each stage of encryption or decryption.
• After the final stage, State is copied to an output matrix.

160

Page 161: Cyptography and network security

161

Page 162: Cyptography and network security

162

Page 163: Cyptography and network security

AES

163

Page 164: Cyptography and network security

164

Page 165: Cyptography and network security

Substitute Bytes Transformation

• Replace each byte in the State array with its corresponding value from the S-box (the slide's figure shows a sample State with bytes 00 44 88 CC / 11 55 99 DD / 22 66 AA EE / 33 77 BB FF and the lookup of the byte 55).

165

Page 166: Cyptography and network security

Shift row transformation

• The first row of State is not altered.
• For the second row, a 1-byte circular left shift is performed.
• For the third row, a 2-byte circular left shift is performed.
• For the fourth row, a 3-byte circular left shift is performed.

166

Page 167: Cyptography and network security

Shift row transformation

167

Page 168: Cyptography and network security

Shift row transformation

168

Page 169: Cyptography and network security

Mix column Transformation

• Apply mix column transformation to each column.

169

Page 170: Cyptography and network security

Mix column Transformation

170

Page 171: Cyptography and network security

Add Round Key

• XOR each byte of the round key with its corresponding byte in the state array.

171

Page 172: Cyptography and network security

AddRoundKey (figure): the State matrix S, with entries S0,0 ... S3,3, is XORed element by element with the round-key matrix R, with entries R0,0 ... R3,3, to give S' with entries S'0,0 ... S'3,3. The figure highlights one column: S'i,1 = Si,1 XOR Ri,1 for i = 0..3.

Page 173: Cyptography and network security

Key Expansion Algorithm

• The AES key expansion algorithm takes as input a 4-word (16-byte) key and produces a linear array of 44 words (176 bytes).

• This is sufficient to provide a 4-word round key for the initial AddRoundKey stage and each of the 10 rounds of the cipher.

173

Page 174: Cyptography and network security

174

Page 175: Cyptography and network security

175

1. Using this Playfair matrix (shown in the slide's figure), encrypt this message: cryptography and network security

Page 176: Cyptography and network security

Answer

176

BGXQHWEGROKWLOSUADAWGIDLDQBPCW

Page 177: Cyptography and network security

Example: Given the plaintext {00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F} and the key {01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01},

I. Show the original contents of State, displayed as a 4 x 4 matrix.

II. Show the value of the State array after the initial AddRoundKey.

III. Show the value of the State array after SubBytes.
IV. Show the value of the State array after ShiftRows.
V. Show the value of the State array after MixColumns.

177

Page 178: Cyptography and network security

State array

178

Page 179: Cyptography and network security

State array after initial AddRoundKey

179

Page 180: Cyptography and network security

State array after Sub Bytes

180

Page 181: Cyptography and network security

State array after Shift Rows

181

Page 182: Cyptography and network security

State array after Mix Columns

182
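The exercise above worked in Python, as an added example rather than code from the slides: the S-box is computed from its GF(2^8) definition instead of being copied as a table, and first_round_trace returns the State after each of stages I to V for the slides' plaintext 00..0F and all-01 key.

```python
"""AES round transformations on a 4x4 State (added example, not the slides' code)."""

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def _build_sbox() -> list:
    """Derive the S-box: multiplicative inverse in GF(2^8), then the fixed affine map."""
    sbox = []
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)
        s, rot = inv, inv
        for _ in range(4):
            rot = ((rot << 1) | (rot >> 7)) & 0xFF   # rotate left by one bit
            s ^= rot
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()

def bytes_to_state(block: bytes) -> list:
    """Column-major fill: input byte r + 4c lands in row r, column c."""
    return [[block[r + 4 * c] for c in range(4)] for r in range(4)]

def state_to_bytes(state: list) -> bytes:
    return bytes(state[r][c] for c in range(4) for r in range(4))

def add_round_key(state: list, round_key: list) -> list:
    """XOR each State byte with the corresponding round-key byte."""
    return [[state[r][c] ^ round_key[r][c] for c in range(4)] for r in range(4)]

def sub_bytes(state: list) -> list:
    return [[SBOX[b] for b in row] for row in state]

def shift_rows(state: list) -> list:
    """Row r is circularly shifted left by r bytes; row 0 is not altered."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]

def mix_column(col: list) -> list:
    """Multiply one column by the fixed MixColumns matrix over GF(2^8)."""
    a0, a1, a2, a3 = col
    return [
        gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
        a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
        a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
        gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2),
    ]

def mix_columns(state: list) -> list:
    cols = [mix_column([state[r][c] for r in range(4)]) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]

def first_round_trace(plaintext: bytes, key: bytes) -> dict:
    """State after each stage the exercise asks for; round key 0 is the cipher key itself."""
    state = bytes_to_state(plaintext)
    trace = {"initial": state}
    state = add_round_key(state, bytes_to_state(key))
    trace["after_add_round_key"] = state
    state = sub_bytes(state)
    trace["after_sub_bytes"] = state
    state = shift_rows(state)
    trace["after_shift_rows"] = state
    state = mix_columns(state)
    trace["after_mix_columns"] = state
    return trace

def hex_state(state: list) -> str:
    return "\n".join(" ".join(f"{b:02x}" for b in row) for row in state)

if __name__ == "__main__":
    # The slides' exercise: plaintext 00..0F, key of sixteen 01 bytes.
    for stage, st in first_round_trace(bytes(range(16)), bytes([0x01] * 16)).items():
        print(stage)
        print(hex_state(st), end="\n\n")
```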

Page 183: Cyptography and network security

Example

Consider the given key K and the plaintext, namely:

• in hexadecimal notation: 0 1 2 3 4 5 6 7 8 9 A B C D E F

• in binary notation: 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111

Page 184: Cyptography and network security

A. Derive K1, the first-round subkey.

B. Derive L0, R0.

C. Expand R0 to get E[R0], where E[·] is the expansion function.

D. Calculate A = E[R0] ⊕ K1.

E. Group the 48-bit result of (D) into sets of 6 bits and evaluate the corresponding S-box substitutions.

F. Concatenate the results of (E) to get a 32-bit result, B.

G. Apply the permutation to get P(B).

H. Calculate R1 = P(B) ⊕ L0.

I. Write down the cipher text.

Page 185: Cyptography and network security

UNIT-II Multiple Encryption and Triple DES Block Cipher Modes of Operation Stream cipher and RC4 Placement of Encryption function Traffic confidentiality Key Distribution Principle of Public Key Cryptosystems The RSA Algorithm Key management Diffie Hellman Key Exchange Elliptic curve cryptography.

185

Page 186: Cyptography and network security

Multiple Encryption

Multiple encryption is a technique in which an encryption algorithm is used multiple times.

Page 187: Cyptography and network security

Double DES

The simplest form of multiple encryption has two encryption stages and two keys.

Given a plaintext P and two encryption keys K1 and K2, cipher text C is generated as

C = E(K2, E(K1, P))

187

Page 188: Cyptography and network security

Double DES

188

Page 189: Cyptography and network security

Double DES

• Decryption requires that the keys be applied in reverse order:

P = D(K1, D(K2, C))

• This scheme apparently involves a key length of 56 x 2 = 112 bits, resulting in a dramatic increase in cryptographic strength.

Page 190: Cyptography and network security

Meet-in-the-middle attack

• Given a known pair (P, C), the attack proceeds as follows.

• First, encrypt P for all 2^56 possible values of K1. Store these results in a table and then sort the table by the values of X, the intermediate result X = E(K1, P).

• Next, decrypt C using all 2^56 possible values of K2. As each decryption is produced, check the result against the table for a match.

Page 191: Cyptography and network security

Meet-in-the-middle attack

• If a match occurs, then test the two resulting keys against a new known plaintext-cipher text pair.

• If the two keys produce the correct cipher text, accept them as the correct keys.
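The attack above demonstrated in added Python (not the slides' code) against a toy 16-bit block cipher with an 8-bit key that stands in for DES, so that the whole key space can be enumerated: the table of X = E(K1, P) costs 2^8 encryptions, matching costs 2^8 decryptions, and a second known pair filters false matches, against 2^16 trials for brute force over both keys.

```python
"""Meet-in-the-middle on double encryption, shown with a toy cipher (added example, not the slides' code)."""

KEY_BITS = 8              # toy key space of 2^8 keys; DES would be 2^56
MASK16 = 0xFFFF           # 16-bit blocks

def _rotl16(x: int, n: int) -> int:
    return ((x << n) | (x >> (16 - n))) & MASK16

def _rotr16(x: int, n: int) -> int:
    return ((x >> n) | (x << (16 - n))) & MASK16

def toy_encrypt(key: int, block: int) -> int:
    """Two-round toy block cipher (XOR key, rotate, add key). Stands in for DES."""
    k = key | (key << 8)                   # spread the 8-bit key over the 16-bit block
    x = block
    for _ in range(2):
        x = _rotl16(x ^ k, 5)
        x = (x + k) & MASK16
    return x

def toy_decrypt(key: int, block: int) -> int:
    k = key | (key << 8)
    x = block
    for _ in range(2):
        x = (x - k) & MASK16
        x = _rotr16(x, 5) ^ k
    return x

def double_encrypt(k1: int, k2: int, p: int) -> int:
    return toy_encrypt(k2, toy_encrypt(k1, p))          # C = E(K2, E(K1, P))

def double_decrypt(k1: int, k2: int, c: int) -> int:
    return toy_decrypt(k1, toy_decrypt(k2, c))          # P = D(K1, D(K2, C))

def meet_in_the_middle(pairs: list) -> list:
    """Recover all (K1, K2) consistent with the known (P, C) pairs.
    pairs[0] builds the table of X = E(K1, P); later pairs weed out false matches."""
    p0, c0 = pairs[0]
    table = {}                                          # X -> list of K1 producing it
    for k1 in range(1 << KEY_BITS):
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    found = []
    for k2 in range(1 << KEY_BITS):
        x = toy_decrypt(k2, c0)                         # D(K2, C) must equal some X
        for k1 in table.get(x, []):
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found

def work_factors() -> dict:
    """Cipher operations needed: brute force over both keys vs. the table attack."""
    return {"brute_force": (1 << KEY_BITS) ** 2, "meet_in_the_middle": 2 * (1 << KEY_BITS)}

if __name__ == "__main__":
    k1, k2 = 0x3A, 0xC5                                 # constructed secret keys
    pairs = [(p, double_encrypt(k1, k2, p)) for p in (0x1234, 0xBEEF, 0x0000)]
    print("recovered:", meet_in_the_middle(pairs), "work:", work_factors())
```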

Page 192: Cyptography and network security

Triple DES with Two Keys

• Triple DES makes use of three stages of the DES algorithm, using a total of two or three distinct keys.

• The function follows an encrypt-decrypt-encrypt (EDE) sequence:

C = E(K1, D(K2, E(K1, P)))

192

Page 193: Cyptography and network security

Triple DES with Two Keys

193

Page 194: Cyptography and network security

Triple DES with Three Keys

• Three-key 3DES has an effective key length of 168 bits and is defined as follows:

• C = E(K3, D(K2, E(K1, P)))

194

Page 195: Cyptography and network security

Block Cipher Modes of Operation

• To apply a block cipher in a variety of applications, four "modes of operation" have been defined by NIST.

• A mode of operation is a technique for enhancing the effect of a cryptographic algorithm or adapting the algorithm for an application.

195

Page 196: Cyptography and network security

Electronic Codebook (ECB)

Each block of 64 plaintext bits is encrypted independently using the same key.

196

Page 197: Cyptography and network security

Electronic Codebook (ECB)

197

Page 198: Cyptography and network security

Limitation of ECB

• The most significant characteristic of ECB is that the same b-bit block of plaintext, if it appears more than once in the message, always produces the same cipher text.

• For lengthy messages, the ECB mode may not be secure.

198

Page 199: Cyptography and network security

Typical Application

• Secure transmission of single values (e.g., an encryption key)

199

Page 200: Cyptography and network security

Cipher Block Chaining (CBC)

• To overcome the security deficiencies of ECB, we would like a technique in which the same plaintext block, if repeated, produces different cipher text blocks.

• A simple way to satisfy this requirement is the cipher block chaining (CBC) mode.

• The input to the encryption algorithm is the XOR of the next 64 bits of plaintext and the preceding 64 bits of cipher text.

Page 201: Cyptography and network security

Cipher Block Chaining (CBC)

201

Page 202: Cyptography and network security

Cipher Block Chaining (CBC)

• An initialization vector (IV) is used to start the process:

Ci = DES_K1(Pi XOR Ci-1), with C-1 = IV (the IV plays the role of the cipher text block preceding the first block).

202

Page 203: Cyptography and network security

Limitations of CBC

• need Initialization Vector (IV)

203

Page 204: Cyptography and network security

Typical Application

• General-purpose block-oriented transmission

• Authentication

204

Page 205: Cyptography and network security

Cipher Feedback (CFB)

Input is processed j bits at a time. The preceding cipher text is used as input to the encryption algorithm to produce pseudorandom output, which is XORed with the plaintext to produce the next unit of cipher text.

Page 206: Cyptography and network security

Cipher Feedback (CFB)

206

Page 207: Cyptography and network security

Cipher Feedback (CFB)

207

Page 208: Cyptography and network security

Limitation of CFB

A possible problem is that if it is used over a "noisy" link, then any corrupted bit will destroy values in the current and next blocks.

208

Page 209: Cyptography and network security

Typical Application

• General-purpose stream-oriented transmission

• Authentication

Page 210: Cyptography and network security

Output Feedback (OFB)

The alternative to CFB is OFB. Here the generation of the "random" bits is independent of the message being encrypted.

The advantage is that, firstly, they can be computed in advance, which is good for bursty traffic, and secondly, any bit error only affects a single bit. Thus this is good for noisy links (e.g., satellite TV transmissions).

Page 211: Cyptography and network security

Output Feedback (OFB)

211

Page 212: Cyptography and network security

Typical Application

• Stream-oriented transmission over noisy channel (e.g., satellite communication)

212

Page 213: Cyptography and network security

Counter (CTR)

Each block of plaintext is XORed with an encrypted counter. The counter is incremented for each subsequent block.

213

Page 214: Cyptography and network security

Counter (CTR)

214

Page 215: Cyptography and network security

Advantages and Limitations of CTR

• Can do parallel encryptions in hardware or software.

• Good for bursty high-speed links.

• Provable security (as good as the other modes), but CTR must never reuse the same key and counter value.

Page 216: Cyptography and network security

Typical Application

• General-purpose block-oriented transmission

• Useful for high-speed requirements
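All five modes above implemented in added Python over a toy 16-bit block cipher (not the slides' code; the cipher, key and IV are constructed for illustration). distinct_blocks shows the ECB repeated-block leak, and damage_after_bit_flip shows how one corrupted cipher text bit propagates: CBC and CFB damage the current and the next block, OFB and CTR only that one bit.

```python
"""Block cipher modes over a toy 16-bit block cipher (added example, not the slides' code).
Shows the ECB repeated-block leak and how a 1-bit cipher text error propagates in each mode."""

BLOCK = 2                      # toy block size in bytes (DES uses 8)
_MUL = 0x6A09                  # odd constant, so multiplication mod 2^16 is invertible
_INV = pow(_MUL, -1, 1 << 16)

def block_encrypt(key: int, block: bytes) -> bytes:
    """Toy keyed permutation standing in for DES/AES; for illustration only."""
    x = int.from_bytes(block, "big") ^ key
    x = (x * _MUL) & 0xFFFF
    x = ((x << 7) | (x >> 9)) & 0xFFFF           # rotate left 7
    return (x ^ key).to_bytes(BLOCK, "big")

def block_decrypt(key: int, block: bytes) -> bytes:
    x = int.from_bytes(block, "big") ^ key
    x = ((x >> 7) | (x << 9)) & 0xFFFF           # rotate right 7
    x = (x * _INV) & 0xFFFF
    return (x ^ key).to_bytes(BLOCK, "big")

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("toy example: whole blocks only, no padding")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    return b"".join(block_encrypt(key, b) for b in _blocks(pt))   # blocks independent

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in _blocks(pt):
        prev = block_encrypt(key, _xor(p, prev))   # Ci = E(K, Pi XOR Ci-1), C-1 = IV
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)

def cfb_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in _blocks(pt):
        prev = _xor(block_encrypt(key, prev), p)    # preceding cipher text is the cipher input
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(block_encrypt(key, prev), c))   # only the encrypt direction is used
        prev = c
    return b"".join(out)

def ofb_keystream(key, iv, nblocks):
    out, prev = [], iv
    for _ in range(nblocks):
        prev = block_encrypt(key, prev)    # cipher output fed back: independent of the message
        out.append(prev)
    return b"".join(out)

def ctr_keystream(key, counter, nblocks):
    counters = (((counter + i) & 0xFFFF).to_bytes(BLOCK, "big") for i in range(nblocks))
    return b"".join(block_encrypt(key, c) for c in counters)   # counter incremented per block

def ofb_crypt(key, iv, data):          # the same call encrypts and decrypts
    return _xor(ofb_keystream(key, iv, len(data) // BLOCK), data)

def ctr_crypt(key, counter, data):
    return _xor(ctr_keystream(key, counter, len(data) // BLOCK), data)

def distinct_blocks(ct: bytes) -> int:
    return len(set(_blocks(ct)))

def damage_after_bit_flip(decrypt, ct: bytes, pt: bytes, block_index: int) -> dict:
    """Flip one bit in cipher text block `block_index`, decrypt, and return
    {plaintext block index: number of wrong bits} for every block that came out wrong."""
    bad = bytearray(ct)
    bad[block_index * BLOCK] ^= 0x80
    recovered = decrypt(bytes(bad))
    damage = {}
    for i, (a, b) in enumerate(zip(_blocks(recovered), _blocks(pt))):
        wrong = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
        if wrong:
            damage[i] = wrong
    return damage

if __name__ == "__main__":
    key, iv = 0x2B7E, b"\x12\x34"              # constructed toy key and IV
    pt = b"AB" * 4 + b"CD" * 4                 # constructed plaintext with repeated blocks
    print("ECB distinct blocks:", distinct_blocks(ecb_encrypt(key, pt)), "CBC:", distinct_blocks(cbc_encrypt(key, iv, pt)))
    print("CFB damage:", damage_after_bit_flip(lambda c: cfb_decrypt(key, iv, c), cfb_encrypt(key, iv, pt), pt, 1))
```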

Page 217: Cyptography and network security

Stream Ciphers and RC4

217

Page 218: Cyptography and network security

Stream Ciphers

• A stream cipher encrypts plaintext one byte at a time.

• A stream cipher may be designed to operate on one bit at a time.

218

Page 219: Cyptography and network security

Stream Cipher Structure

Page 220: Cyptography and network security

Stream Cipher Structure

220

Page 221: Cyptography and network security

Design considerations

• The pseudorandom keystream should have a long period with no repetitions.

• The output of the pseudorandom number generator is conditioned on the value of the input key.

• To protect against brute-force attacks, the key needs to be sufficiently long.

221

Page 222: Cyptography and network security

RC4 Basics

• A symmetric key encryption algorithm.

• Invented by Ron Rivest.

• Normally uses 64 bit and 128 bit key sizes.

• Cryptographically very strong yet very easy to implement.

• Consists of 2 parts: Key Scheduling Algorithm (KSA) & Pseudo-Random Generation Algorithm (PRGA).

Page 223: Cyptography and network security

RC4 Block Diagram

Figure: RC4 block diagram. The secret key is fed to RC4, which produces a keystream; the keystream is XORed (+) with the plain text to give the encrypted text.

Page 224: Cyptography and network security

RC4 step by step

• Initialize an array of 256 bytes.

• Run the KSA on them.

• Run the PRGA on the KSA output to generate the keystream.

• XOR the data with the keystream.

Page 225: Cyptography and network security

Array Initialization

C Code:

    unsigned char S[256];   /* state array; unsigned so that values 128..255 stay positive */
    int i;
    for (i = 0; i < 256; i++)
        S[i] = i;

After this, the array looks like this:

S[] = { 0, 1, 2, 3, ..., 254, 255 }

Page 226: Cyptography and network security

The KSA

• The initialized array S[256] is now run through the KSA. The KSA uses the secret key to scramble the array.

• C Code for KSA (key is an unsigned char array holding key_len bytes):

    int i, j = 0;
    unsigned char tmp;
    for (i = 0; i < 256; i++) {
        j = (j + S[i] + key[i % key_len]) % 256;
        tmp = S[i]; S[i] = S[j]; S[j] = tmp;   /* swap S[i] and S[j] */
    }

Page 227: Cyptography and network security

The PRGA

• The KSA-scrambled S[256] array is used to drive the PRGA. Its output is the actual keystream.

• C Code (one keystream byte per iteration, for output_bytes bytes):

    i = j = 0;
    while (output_bytes--) {
        i = (i + 1) % 256;
        j = (j + S[i]) % 256;
        tmp = S[i]; S[i] = S[j]; S[j] = tmp;   /* swap S[i] and S[j] */
        output = S[(S[i] + S[j]) % 256];       /* next keystream byte */
    }

Page 228: Cyptography and network security

Encryption using RC4

• Choose a secret key.

• Run the KSA and PRGA using the key to generate a keystream.

• XOR the keystream with the data to generate the encrypted stream.

• Transmit the encrypted stream.

Page 229: Cyptography and network security

Decryption using RC4

• Use the same secret key as during the encryption phase.

• Generate the keystream by running the KSA and PRGA.

• XOR the keystream with the encrypted text to generate the plain text.

• The logic is simple:

(A xor B) xor B = A

where A = plain text (data) and B = keystream.

Page 230: Cyptography and network security

RC4 Example

• Simple 4-byte example (all arithmetic mod 4)

• S = {0, 1, 2, 3}

• K = {1, 7, 1, 7}

• Set i = j = 0

Page 231: Cyptography and network security

KSA

First iteration (i = 0, j = 0, S = {0, 1, 2, 3}):
j = (j + S[i] + K[i]) = (0 + 0 + 1) = 1
Swap S[i] with S[j]: S = {1, 0, 2, 3}

Second iteration (i = 1, j = 1, S = {1, 0, 2, 3}):
j = (j + S[i] + K[i]) = (1 + 0 + 7) = 0 (mod 4)
Swap S[i] with S[j]: S = {0, 1, 2, 3}

Page 232: Cyptography and network security

KSA

Third iteration (i = 2, j = 0, S = {0, 1, 2, 3}):
j = (j + S[i] + K[i]) = (0 + 2 + 1) = 3
Swap S[i] with S[j]: S = {0, 1, 3, 2}

Fourth iteration (i = 3, j = 3, S = {0, 1, 3, 2}):
j = (j + S[i] + K[i]) = (3 + 2 + 7) = 0 (mod 4)
Swap S[i] with S[j]: S = {2, 1, 3, 0}

Page 233: Cyptography and network security

PRGA

Reset i = j = 0; recall S = {2, 1, 3, 0}
i = i + 1 = 1
j = j + S[i] = 0 + 1 = 1
Swap S[i] and S[j]: S = {2, 1, 3, 0}
Output z = S[S[i] + S[j]] = S[2] = 3

Page 234: Cyptography and network security

Analysis of RC4

• Advantages
– Faster than DES
– Enormous key space (average of 1700 bits)

• Disadvantages
– Large number of "weak" keys (1 of 256)
– "Weak" keys can be detected and exploited with a high probability

Page 235: Cyptography and network security

Placement of Encryption function

If encryption is to be used to counter attacks on confidentiality, we need to decide what to encrypt and where the encryption function should be located.

235

Page 236: Cyptography and network security

Confidentiality using Symmetric Encryption

• Traditionally, symmetric encryption is used to provide message confidentiality.

Page 237: Cyptography and network security

Placement of Encryption

• Link encryption

• End-to-end encryption

237

Page 238: Cyptography and network security

Link encryption

Link encryption encrypts and decrypts all data at each end of a communications line.

238

Page 239: Cyptography and network security

End-to-end encryption

The encryption process is carried out at the two end systems.

239

Page 240: Cyptography and network security

Placement of Encryption

Page 241: Cyptography and network security

Placement of Encryption

With end-to-end encryption, user data are secure, but the traffic pattern is not because packet headers are transmitted in the clear.

To achieve greater security, both link and end-to-end encryption are needed.

Page 242: Cyptography and network security

Placement of Encryption

• The encryption function can be placed at various layers in the OSI Reference Model:
– link encryption occurs at layers 1 or 2
– end-to-end encryption can occur at layers 3, 4, 6, 7

Page 243: Cyptography and network security

Front-End Processor Function

243

Page 244: Cyptography and network security

244

Page 245: Cyptography and network security

Traffic Confidentiality

Knowledge about the number and length of messages between nodes may enable an opponent to determine who is talking to whom.

Page 246: Cyptography and network security

Information that can be derived from a traffic analysis attack:

• Identities of partners

• How frequently the partners are communicating

• Message pattern, message length, or quantity of messages that suggest important information is being exchanged

Page 247: Cyptography and network security

Link Encryption Approach

Network-layer headers are encrypted, reducing the opportunity for traffic analysis.

However, it is still possible to observe the amount of traffic entering and leaving each end system.

247

Page 248: Cyptography and network security

Traffic-Padding Encryption Device

• Traffic padding produces cipher text output continuously, even in the absence of plaintext.

248

Page 249: Cyptography and network security

Traffic-Padding Encryption Device

249

Page 250: Cyptography and network security

Traffic-Padding Encryption Device

• A continuous random data stream is generated.

• When plaintext is available, it is encrypted and transmitted.

• When input plaintext is not present, random data are encrypted and transmitted.

• This makes it impossible for an attacker to distinguish between true data flow and padding.

Page 251: Cyptography and network security

End-to-End Encryption Approach

• If encryption is implemented at the application layer, then an opponent can determine which transport entities are engaged in a dialogue.

• In addition, null messages can be inserted randomly into the stream. These tactics deny an opponent knowledge about the amount of data exchanged between end users and make it difficult to understand the underlying traffic pattern.

251

Page 252: Cyptography and network security

Key Distribution

252

Page 253: Cyptography and network security

Key Distribution

given parties A and B have various key distribution alternatives:

1. A can select a key and physically deliver it to B.

2. A third party can select and deliver the key to A and B.

3. If A and B have communicated previously, they can use the previous key to encrypt a new key.

4. If A and B each have secure communications with a third party C, C can relay the key between A and B.

Page 254: Cyptography and network security

Session key

• Session keys can also be termed temporary keys or one-time-use keys. Usually, after a session, these keys are discarded and not used again.

• Communication between end systems is encrypted using the session key.

Page 255: Cyptography and network security

Master key

• Session keys are transmitted in encrypted form, using a master key that is shared by the key distribution center and an end system or user.

Page 256: Cyptography and network security

The Use of a Key Hierarchy

256

Page 257: Cyptography and network security

Key Distribution Scenario

Page 258: Cyptography and network security

Key Distribution Scenario

• A issues a request to the KDC for a session key to protect a logical connection to B.

• The KDC responds with a message encrypted using Ka. Thus, A is the only one who can successfully read the message, and A knows that it originated at the KDC.

258

Page 259: Cyptography and network security

Key Distribution Scenario

• A stores the session key for use in the upcoming session and forwards to B the information that originated at the KDC for B, namely, E(Kb, [Ks || IDA]). Because this information is encrypted with Kb, it is protected from eavesdropping.

• B now knows the session key (Ks), knows that the other party is A (from IDA), and knows that the information originated at the KDC (because it is encrypted using Kb).

259

Page 260: Cyptography and network security

Key Distribution Scenario

• Using the newly minted session key for encryption, B sends a nonce, N2, to A.

• Also using Ks, A responds with f(N2), where f is a function that performs some transformation on N2 (e.g., adding one).

260

Page 261: Cyptography and network security


Hierarchical Key Control

Page 262: Cyptography and network security

Hierarchical Key Control

• It is not necessary to limit the key distribution function to a single KDC. Indeed, for very large networks, it may not be practical to do so. As an alternative, a hierarchy of KDCs can be established.

• If two entities in different domains desire a shared key, then the corresponding local KDCs can communicate through a global KDC.

262

Page 263: Cyptography and network security

Decentralized Key Control

263

Page 264: Cyptography and network security

Decentralized Key Control

1. A issues a request to B for a session key and includes a nonce, N1.

2. B responds with a message that is encrypted using the shared master key. The response includes the session key selected by B, an identifier of B, the value f(N1), and another nonce, N2.

3. Using the new session key, A returns f(N2) to B.

Page 265: Cyptography and network security

Principles of Public-Key Cryptosystems

265

Page 266: Cyptography and network security

Private-Key Cryptography

• Traditional private/secret/single-key cryptography uses one key

• shared by both sender and receiver

• if this key is disclosed, communications are compromised

• does not support authentication

Page 267: Cyptography and network security

Public-Key Cryptography

• Asymmetric encryption is a form of cryptosystem in which encryption and decryption are performed using different keys—one a public key and one a private key. It is also known as public-key encryption.

• Asymmetric encryption transforms plaintext into cipher text using one of two keys and an encryption algorithm. Using the paired key and a decryption algorithm, the plaintext is recovered from the cipher text.

• Asymmetric encryption can be used for confidentiality, authentication, or both.

Page 268: Cyptography and network security

Public-Key Cryptography

Public-key/two-key/asymmetric cryptography involves the use of two keys:

– a public key, which may be known by anybody, and can be used to encrypt messages and verify signatures

– a private key, known only to the recipient, used to decrypt messages and sign (create) signatures

268

Page 269: Cyptography and network security

Principles of Public-Key Cryptosystems

• The concept of public-key cryptography evolved from an attempt to attack two of the most difficult problems associated with symmetric encryption:

• Key distribution

• Data authentication, which symmetric encryption does not support

269

Page 270: Cyptography and network security

Confidentiality using a Public-Key System

Page 271: Cyptography and network security

Encryption

• Each user generates a pair of keys to be used for the encryption and decryption of messages.

• Each user places one of the two keys in a public register. This is the public key.

• The companion key is kept private.

271

Page 272: Cyptography and network security

Encryption

• If Bob wishes to send a confidential message to Alice, Bob encrypts the message using Alice's public key.

• When Alice receives the message, she decrypts it using her private key.

• No other recipient can decrypt the message because only Alice knows Alice's private key.

272

Page 273: Cyptography and network security

Authentication using a Public-Key System

Page 274: Cyptography and network security

Difference between Symmetric Encryption and Asymmetric Encryption

Symmetric encryption | Asymmetric encryption

Symmetric encryption is a form of cryptosystem in which encryption and decryption are performed using the same key. | Asymmetric encryption is a form of cryptosystem in which encryption and decryption are performed using different keys: one is a public key and the other a private key.

It is also known as secret-key encryption. | It is also known as public-key encryption.

Symmetric encryption can be used for confidentiality. | Asymmetric encryption can be used for confidentiality, authentication, or both.

The most widely used symmetric-key techniques are transposition and substitution. | The most widely used public-key cryptosystem is RSA.

Page 275: Cyptography and network security

Public-Key Cryptosystem: Secrecy

275

Page 276: Cyptography and network security

Public-Key Cryptosystem: Secrecy

• With the message X and the encryption key PUb as input, A forms the cipher text Y = [Y1, Y2, ..., YN]:

Y = E(PUb, X)

• The intended receiver, in possession of the matching private key, is able to invert the transformation:

X = D(PRb, Y)

276

Page 277: Cyptography and network security

Public-Key Cryptosystem: Authentication

277

Page 278: Cyptography and network security

Public-Key Cryptosystem: Authentication and Secrecy

278

Page 279: Cyptography and network security

Applications for Public-Key Cryptosystems

• Encryption/decryption

• Digital signature

• Key exchange

279

Page 280: Cyptography and network security

Requirements for Public-Key Cryptography

1. It is computationally easy for a party B to generate a pair (public key PUb, private key PRb).

2. It is computationally easy for a sender A, knowing the public key and the message to be encrypted, M, to generate the corresponding cipher text: C = E(PUb, M)

3. It is computationally easy for the receiver B to decrypt the resulting cipher text using the private key to recover the original message: M = D(PRb, C) = D[PRb, E(PUb, M)]

Page 281: Cyptography and network security

Requirements for Public-Key Cryptography

4. It is computationally infeasible for an opponent, knowing the public key, PUb, to determine the private key, PRb.

5. It is computationally infeasible for an opponent, knowing the public key, PUb, and a cipher text, C, to recover the original message, M.

281

Page 282: Cyptography and network security

The RSA Algorithm

282

Page 283: Cyptography and network security

Our dramatis personae

Rivest Shamir Adleman

283

Page 284: Cyptography and network security

The RSA Algorithm

The RSA algorithm was developed by Ron Rivest, Adi Shamir, and Len Adleman at MIT and first published in 1978.

The RSA scheme is a block cipher in which the plaintext and cipher text are integers between 0 and n.

284

Page 285: Cyptography and network security

RSA Public Key Cryptosystem

Figure: RSA public-key cryptosystem. Alice looks up Bob's public key (e, n) in a public key directory (Yellow/White Pages) and sends the cipher text c = m^e mod n over the network; Bob recovers the plain text with his secret key d: m = c^d mod n.

Page 286: Cyptography and network security

The RSA Algorithm – Key Generation

1. Select p, q, with p and q both prime

2. Calculate n = p x q

3. Calculate φ(n) = (p - 1)(q - 1)

4. Select integer e such that gcd(φ(n), e) = 1; 1 < e < φ(n)

5. Calculate d ≡ e^-1 (mod φ(n))

6. Public key KU = {e, n}

7. Private key KR = {d, n}

Page 287: Cyptography and network security

The RSA Algorithm - Encryption

• Plaintext: M < n

• Ciphertext: C = M^e mod n

287

Page 288: Cyptography and network security

The RSA Algorithm - Decryption

• Ciphertext: C

• Plaintext: M = C^d mod n

288

Page 289: Cyptography and network security

Example

Select two prime numbers, p = 17 and q = 11.

Calculate n = pq = 17 x 11 = 187.

Calculate φ(n) = (p - 1)(q - 1) = 16 x 10 = 160.

Select e such that e is relatively prime to φ(n) = 160 and less than φ(n); we choose e = 7.

289

Page 290: Cyptography and network security

Example

Calculate the d value using the formula d = (1 + X * φ(n)) / e, trying X = 0, 1, ...:

X = 0: d = (1 + 0 * 160) / 7 = 0.143
X = 1: d = (1 + 1 * 160) / 7 = 23

d = 23

290

Page 291: Cyptography and network security

Example

PU = {e, n}, PR = {d, n}. The resulting keys are public key PU = {7, 187} and private key PR = {23, 187}.

291

Page 292: Cyptography and network security

Encryption

Ciphertext: C = M^e mod n = 88^7 mod 187 = 11

292

Page 293: Cyptography and network security

Decryption

Plaintext: M = C^d mod n = 11^23 mod 187 = 88

293

Page 294: Cyptography and network security

The RSA Algorithm

294

Page 295: Cyptography and network security

The RSA Algorithm

295

Page 296: Cyptography and network security

The RSA Algorithm

296

Page 297: Cyptography and network security

Example

Perform the encryption and decryption for p = 7, q = 11, e = 17 and m = 8.

297

Page 298: Cyptography and network security

Key generation

Calculate n = pq = 7 x 11 = 77
Calculate φ(n) = (p - 1)(q - 1) = 6 x 10 = 60
Calculate the d value using the formula d = (1 + X * φ(n)) / e:
X = 0: d = (1 + 0 * 60) / 17 = 0.0588
X = 1: d = (1 + 1 * 60) / 17 = 3.58
X = 2: d = (1 + 2 * 60) / 17 = 7.11
X = 3: d = (1 + 3 * 60) / 17 = 10.64

298

Page 299: Cyptography and network security

Key generation

X = 4: d = (1 + 4 * 60) / 17 = 14.17
X = 5: d = (1 + 5 * 60) / 17 = 17.70
X = 6: d = (1 + 6 * 60) / 17 = 21.23
X = 7: d = (1 + 7 * 60) / 17 = 24.76
X = 8: d = (1 + 8 * 60) / 17 = 28.29
X = 9: d = (1 + 9 * 60) / 17 = 31.82
X = 10: d = (1 + 10 * 60) / 17 = 35.35

299

Page 300: Cyptography and network security

Key generation

X = 11: d = (1 + 11 * 60) / 17 = 38.88
X = 12: d = (1 + 12 * 60) / 17 = 42.41
X = 13: d = (1 + 13 * 60) / 17 = 45.94
X = 14: d = (1 + 14 * 60) / 17 = 49.47
X = 15: d = (1 + 15 * 60) / 17 = 53

300

Page 301: Cyptography and network security

Key generation

PU = {e, n}, PR = {d, n}. The resulting keys are public key PU = {17, 77} and private key PR = {53, 77}.

301

Page 302: Cyptography and network security

Encryption

Ciphertext: C = M^e mod n = 8^17 mod 77 = 57

302

Page 303: Cyptography and network security

Decryption

Plaintext: M = C^d mod n = 57^53 mod 77 = 8

303

Page 304: Cyptography and network security

The Security of RSA

Brute force: This involves trying all possible private keys.

Mathematical attacks: There are several approaches, all equivalent in effort to factoring the product of two primes.

Timing attacks: These depend on the running time of the decryption algorithm.

Chosen cipher text attacks: This type of attack makes use of properties of the RSA algorithm.

Page 305: Cyptography and network security

Key Management

One of the major roles of public-key encryption has been to address the problem of key distribution.

• The distribution of public keys

• Distribution of secret keys using public-key encryption

Page 306: Cyptography and network security

Distribution of Public Keys

• Public announcement

• Publicly available directory

• Public-key authority

• Public-key certificates

306

Page 307: Cyptography and network security

Public Announcement of Public Keys

• any participant can send his or her public key to any other participant or broadcast the key to the community at large.

307

Page 308: Cyptography and network security

Public Announcement of Public Keys

308

Page 309: Cyptography and network security

Example

• For example, USENET is a public forum: anybody can post a message and read messages.

• It has a major weakness.

• Some user could pretend to be user A and send a public key to another participant.

309

Page 310: Cyptography and network security

Publicly Available Directory

• Greater security can be obtained by registering keys with a public directory.

• The authority maintains a directory with a {name, public key} entry for each participant.

• Each participant registers a public key with the directory authority.

• A participant may replace the existing key with a new one at any time.

• Participants could also access the directory electronically.

Page 311: Cyptography and network security

Publicly Available Directory

311

Page 312: Cyptography and network security

Public-Key Authority

Stronger security for public-key distribution can be achieved by providing tighter control over the distribution of public keys from the directory.

312

Page 313: Cyptography and network security

Public-Key Authority

313

Page 314: Cyptography and network security

Public-Key Authority

1. A sends a timestamped message to the public-key authority containing a request for the current public key of B.

2. The authority responds with a message that is encrypted using the authority's private key, PRauth. Thus, A is able to decrypt the message using the authority's public key. The message includes the following:

● B's public key, PUb, which A can use to encrypt messages destined for B

● The original request, to enable A to match this response with the corresponding earlier request and to verify that the original request was not altered before reception by the authority

● The original timestamp, so A can determine that this is not an old message from the authority.

314

Page 315: Cyptography and network security

Public-Key Authority

3. A stores B's public key and also uses it to encrypt a message to B containing an identifier of A (IDA) and a nonce (N1), which is used to identify this transaction uniquely.

4, 5. B retrieves A's public key from the authority in the same manner as A retrieved B's public key.

At this point, public keys have been securely delivered to A and B, and they may begin their protected exchange. However, two additional steps are desirable:

6. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new nonce generated by B (N2). Because only B could have decrypted message (3), the presence of N1 in message (6) assures A that the correspondent is B.

7. A returns N2, encrypted using B's public key, to assure B that its correspondent is A.

315

Page 316: Cyptography and network security

Public-Key Certificates

316

Page 317: Cyptography and network security

Public-Key Certificates

• Any participant can read a certificate to determine the name and public key of the certificate's owner.

• Any participant can verify that the certificate originated from the certificate authority and is not counterfeit.

• Only the certificate authority can create and update certificates.

317

Page 318: Cyptography and network security

Distribution of Secret Keys Using Public-Key Cryptography

• Simple secret key distribution

• Secret key distribution with confidentiality and authentication

318

Page 319: Cyptography and network security

Simple Secret Key Distribution

319

Page 320: Cyptography and network security

Simple Secret Key Distribution

1. A generates a public/private key pair {PUa, PRa} and transmits a message to B consisting of PUa and an identifier of A, IDA.

2. B generates a secret key, Ks, and transmits it to A, encrypted with A's public key.

320

Page 321: Cyptography and network security

Simple Secret Key Distribution

3. A computes D(PRa, E(PUa, Ks)) to recover the secret key. Because only A can decrypt the message, only A and B will know the identity of Ks.

4. A discards PUa and PRa and B discards PUa.

321

Page 322: Cyptography and network security

Man-in-the-middle attack

1.A generates a public/private key pair {PUa, PRa} and transmits a message intended for B consisting of PUa and an identifier of A, IDA.

2. E captures the message, creates its own public/private key pair {PUe, PRe} and transmits PUe || IDA to B.

322

Page 323: Cyptography and network security

Man-in-the-middle attack

3.B generates a secret key, Ks, and transmits E(PUe, Ks).

4. E captures the message and learns Ks by computing D(PRe, E(PUe, Ks)).

5.E transmits E(PUa, Ks) to A.

323

Page 324: Cyptography and network security

Secret Key Distribution with Confidentiality and Authentication

324

Page 325: Cyptography and network security

1. A uses B's public key to encrypt a message to B containing an identifier of A (IDA) and a nonce (N1), which is used to identify this transaction uniquely.

2. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new nonce generated by B (N2). Because only B could have decrypted message (1), the presence of N1 in message (2) assures A that the correspondent is B.

325

Page 326: Cyptography and network security

3. A returns N2 encrypted using B's public key, to assure B that its correspondent is A.

4. A selects a secret key Ks and sends M = E(PUb, E(PRa, Ks)) to B. Encryption of this message with B's public key ensures that only B can read it; encryption with A's private key ensures that only A could have sent it.

5. B computes D(PUa, D(PRb, M)) to recover the secret key.

326

Page 327: Cyptography and network security

Diffie-Hellman Key Exchange

The purpose of the algorithm is to enable two users to securely exchange a key that can then be used for subsequent encryption of messages.

327

Page 328: Cyptography and network security

Primitive roots

Let p be a prime number. a is a primitive root of p if it satisfies the following condition: a mod p, a^2 mod p, ..., a^(p-1) mod p are distinct and consist of the integers from 1 through p-1 in some permutation.

328

Page 329: Cyptography and network security

Primitive roots: 3 is a primitive root of 5 (a = 3, p = 5)

 i    a^i    a^i mod 5
 1      3    3
 2      9    4
 3     27    2
 4     81    1

329

Page 330: Cyptography and network security

Primitive roots: 4 is not a primitive root of 5 (a = 4, p = 5)

 i    a^i    a^i mod 5
 1      4    4
 2     16    1
 3     64    4
 4    256    1

330

Page 331: Cyptography and network security

The Diffie-Hellman Key Exchange Algorithm

331

Page 332: Cyptography and network security

The Diffie-Hellman Key Exchange Algorithm

332

Page 333: Cyptography and network security

The Diffie-Hellman Key Exchange Algorithm

333

Page 334: Cyptography and network security

The Diffie-Hellman Key Exchange Algorithm

334

Page 335: Cyptography and network security

The Diffie-Hellman Key Exchange Algorithm

335

Page 336: Cyptography and network security

The Diffie-Hellman Key Exchange Algorithm

336

Page 337: Cyptography and network security

Diffie-Hellman Example

Users A and B use the Diffie-Hellman key exchange technique with a common prime q = 71 and a primitive root a = 7.

i) If user A has private key XA = 5, what is A's public key YA?

ii) If user B has private key XB = 12, what is B's public key YB?

iii) What is the shared secret key?

337

Page 338: Cyptography and network security

Diffie-Hellman Example

YA = a^XA mod q = 7^5 mod 71 = 51

YB = a^XB mod q = 7^12 mod 71 = 4

338

Page 339: Cyptography and network security

Diffie-Hellman Example

Ks = YB^XA mod q = 4^5 mod 71 = 30

Ks = YA^XB mod q = 51^12 mod 71 = 30

339

Page 340: Cyptography and network security

Diffie-Hellman Example

Consider a Diffie-Hellman scheme with a common prime q = 11 and a primitive root a = 2.

I. Show that 2 is a primitive root of 11.

II. If user A has public key YA = 9, what is A's private key XA?

III. If user B has public key YB = 3, what is the shared secret key K, shared with A?

340
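The primitive-root test and both Diffie-Hellman exercises above, worked in Python as an added example (this is not code from the slides). The function names are my own; `exercise_two` recovers XA from YA = 9 by exhaustive search, which is only practical because q = 11 is a toy modulus, and that search is exactly the discrete-logarithm problem whose hardness at real parameter sizes is what the exchange relies on.

```python
# Added example: primitive roots and the Diffie-Hellman exercises (not from the slides).


def is_primitive_root(a, p):
    """a is a primitive root of p when a mod p, a^2 mod p, ..., a^(p-1) mod p
    are all distinct and together form a permutation of 1..p-1."""
    return {pow(a, i, p) for i in range(1, p)} == set(range(1, p))


def power_table(a, p):
    """Rows (i, a^i, a^i mod p) for i = 1..p-1, as laid out on the primitive-root slides."""
    return [(i, a ** i, pow(a, i, p)) for i in range(1, p)]


def dh_public(a, q, x):
    """Public value Y = a^x mod q for private exponent x."""
    return pow(a, x, q)


def dh_shared(y_other, x_own, q):
    """Shared secret K = Y_other^x_own mod q."""
    return pow(y_other, x_own, q)


def discrete_log(a, q, y):
    """Exhaustive search for the exponent x with a^x mod q == y (-1 if none).
    Feasible only for toy moduli such as q = 11; at real sizes this search is
    the hard problem that protects the private exponents."""
    for x in range(1, q):
        if pow(a, x, q) == y:
            return x
    return -1


def exercise_one():
    """q = 71, a = 7, XA = 5, XB = 12 -> (YA, YB, K as computed by A, K as computed by B)."""
    q, a, xa, xb = 71, 7, 5, 12
    ya, yb = dh_public(a, q, xa), dh_public(a, q, xb)
    return ya, yb, dh_shared(yb, xa, q), dh_shared(ya, xb, q)


def exercise_two():
    """q = 11, a = 2, YA = 9, YB = 3 -> (XA recovered by search, shared key K)."""
    q, a, ya, yb = 11, 2, 9, 3
    assert is_primitive_root(a, q)          # part I: 2 is a primitive root of 11
    xa = discrete_log(a, q, ya)             # part II
    return xa, dh_shared(yb, xa, q)         # part III


if __name__ == "__main__":
    print(power_table(3, 5), is_primitive_root(3, 5))
    print(power_table(4, 5), is_primitive_root(4, 5))
    print(exercise_one())
    print(exercise_two())
```

Both parties in `exercise_one` arrive at the same 30, which is the check a practitioner would make first: the two computations go through different public values and must agree only because both are powers of the same generator.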

Page 341: Cyptography and network security

Elliptic Curve Cryptography

Elliptical curve cryptography (ECC) is a public key encryption technique based on elliptic curve theory that can be used to create faster, smaller, and more efficient cryptographic keys.

341

Page 342: Cyptography and network security

Elliptic Curve Cryptography

ECC generates keys through the properties of the elliptic curve equation instead of the traditional method of generation as the product of very large prime numbers.

342

Page 343: Cyptography and network security

Elliptic Curve Cryptography

• ECC requires a significantly smaller key size for the same level of security.

• Benefits of smaller key sizes: faster computations and less storage space.

• ECC is ideal for constrained environments: pagers, PDAs, cellular phones, smart cards.

343

Page 344: Cyptography and network security

Elliptic curve

• Elliptic curves are not ellipses. They are so named because they are described by cubic equations, used for calculating the circumference of an ellipse.

• An elliptic curve is a set of points (x, y) for which it is true that y^2 = x^3 + ax + b, given certain chosen numbers a and b.

344

Page 345: Cyptography and network security

elliptic curve

345

Page 346: Cyptography and network security

ECC Diffie-Hellman Key Exchange

346

Page 347: Cyptography and network security

ECC Diffie-Hellman Key Exchange

347

Page 348: Cyptography and network security

ECC Diffie-Hellman Key Exchange

348

Page 349: Cyptography and network security

ECC Diffie-Hellman Key Exchange

349

Page 350: Cyptography and network security

ECC Diffie-Hellman Key Exchange

350

Page 351: Cyptography and network security

UNIT-III

351

Page 352: Cyptography and network security

Contents

• Message Authentication and Hash functions
• Authentication requirements
• Authentication functions
• Message Authentication codes and Hash functions
• Security of hash functions and MACs
• Secure Hash Algorithm
• Whirlpool
• HMAC and CMAC
• Digital Signatures
• Authentication protocols
• Digital signature standard
• Kerberos
• X.509 Authentication Service
• Public Key Infrastructure

352

Page 353: Cyptography and network security

Authentication requirements

• disclosure
• traffic analysis
• masquerade
• content modification
• sequence modification
• timing modification
• source repudiation
• destination repudiation

353

Page 354: Cyptography and network security

Authentication Functions

Message encryption: The ciphertext of the entire message serves as its authenticator.

Message authentication code (MAC): A function of the message and a secret key that produces a fixed-length value that serves as the authenticator.

Hash function: A function that maps a message of any length into a fixed-length hash value, which serves as the authenticator.

354

Page 355: Cyptography and network security

Basic Uses of Message Encryption

355

Page 356: Cyptography and network security

Basic Uses of Message Encryption

356

Page 357: Cyptography and network security

Basic Uses of Message Encryption

357

Page 358: Cyptography and network security

Basic Uses of Message Encryption

358

Page 359: Cyptography and network security

Internal Error Control

359

Page 360: Cyptography and network security

External Error Control

360

Page 361: Cyptography and network security

Message Authentication Codes

Message authentication code (often MAC) is a short piece of information used to authenticate a message.

361

Page 362: Cyptography and network security

Message Authentication Codes

MAC = C(K, M)

M = input message
C = MAC function
K = shared secret key
MAC = message authentication code

362

Page 363: Cyptography and network security

Basic Uses of Message Authentication Code

363

Page 364: Cyptography and network security

Basic Uses of Message Authentication Code

364

Page 365: Cyptography and network security

Basic Uses of Message Authentication Code

365

Page 366: Cyptography and network security

Requirements for MACs

1. Knowing a message and its MAC, it is infeasible to find another message with the same MAC.

2. MACs should be uniformly distributed.

3. The MAC should depend equally on all bits of the message.

Page 367: Cyptography and network security

Data Authentication Algorithm

• Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC
  – using IV = 0 and zero-pad of the final block
  – encrypt the message using DES in CBC mode
  – and send just the final block as the MAC

• or the leftmost M bits (16 ≤ M ≤ 64) of the final block

• but the final MAC is now too small for security

Page 368: Cyptography and network security

Data Authentication Algorithm

Page 369: Cyptography and network security

Hash Function

A hash function accepts a variable-size message M as input and produces a fixed-size output, referred to as a hash code H(M).

The hash code is also referred to as a message digest or hash value

A hash value h is generated by a function H of the form h = H(M)

369

Page 370: Cyptography and network security

Basic Uses of Hash Function

370

Page 371: Cyptography and network security

Basic Uses of Hash Function

371

Page 372: Cyptography and network security

Basic Uses of Hash Function

372

Page 373: Cyptography and network security

Basic Uses of Hash Function

373

Page 374: Cyptography and network security

Basic Uses of Hash Function

374

Page 375: Cyptography and network security

Basic Uses of Hash Function

375

Page 376: Cyptography and network security

Requirements for Hash Functions

1. can be applied to any sized message M
2. produces fixed-length output h
3. is easy to compute h = H(M) for any message M
4. given h, it is infeasible to find x s.t. H(x) = h

• one-way property

Page 377: Cyptography and network security

Weak collision resistance

Given an input m1, it should be difficult to find another input m2, where m1 != m2, such that H(m1) = H(m2).

377

Page 378: Cyptography and network security

Strong collision resistance

It should be difficult to find two different messages m1 and m2 such that H(m1) = H(m2).

378

Page 379: Cyptography and network security

Hash Functions & MAC Security

• like block ciphers, have brute-force attacks exploiting:
  – strong collision resistance: hash has cost 2^(m/2)
    • have proposal for h/w MD5 cracker
    • 128-bit hash looks vulnerable, 160 bits better
  – MACs with known message-MAC pairs
    • can either attack keyspace (cf. key search) or MAC
    • at least 128-bit MAC is needed for security

Page 380: Cyptography and network security

Hash Functions & MAC Security

• cryptanalytic attacks exploit structure
  – like block ciphers, want brute-force attacks to be the best alternative

• have a number of analytic attacks on iterated hash functions
  – CV_i = f[CV_{i-1}, M_i]; H(M) = CV_N
  – typically focus on collisions in function f
  – like block ciphers, f is often composed of rounds
  – attacks exploit properties of round functions
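The 2^(m/2) cost for strong collision resistance against the 2^m cost for the weak (second-preimage) form, made concrete as an added example that is not part of the slides. It uses the leftmost m bits of SHA-256 as a stand-in m-bit hash (m and the function names are my choices; the inputs are constructed counter values), so the birthday effect can be observed on a laptop rather than argued about.

```python
# Added example: birthday bound on a truncated hash (not from the slides).
import hashlib


def trunc_hash(data, m):
    """Stand-in m-bit hash: the leftmost m bits of SHA-256 (m <= 256)."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - m)


def find_collision(m):
    """Strong-collision search by the birthday method: hash counter values
    (constructed inputs) until two distinct inputs share an m-bit hash.
    Returns (x1, x2, trials); the expected number of trials is about 2^(m/2)."""
    seen = {}
    n = 0
    while True:
        msg = n.to_bytes(8, "big")
        h = trunc_hash(msg, m)
        if h in seen:
            return seen[h], msg, n + 1
        seen[h] = msg
        n += 1


def find_second_preimage(target, m):
    """Weak-collision search: a different input with the same m-bit hash as
    target. No shortcut exists, so the expected cost is about 2^m trials."""
    goal = trunc_hash(target, m)
    n = 0
    while True:
        msg = b"alt-" + n.to_bytes(8, "big")   # prefix guarantees msg != target
        if trunc_hash(msg, m) == goal:
            return msg, n + 1
        n += 1


if __name__ == "__main__":
    x1, x2, trials = find_collision(32)
    print("32-bit collision after", trials, "trials; 2^16 =", 2 ** 16)
    alt, trials2 = find_second_preimage(b"message", 16)
    print("16-bit second preimage after", trials2, "trials; 2^16 =", 2 ** 16)
```

The two searches take a comparable number of trials even though the collision search is run against a hash twice as wide, which is the whole argument for sizing a hash or MAC at twice the security level you actually want.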

Page 381: Cyptography and network security

Secure Hash Algorithms

The Secure Hash Algorithm (SHA) was developed by the National Institute of Standards and Technology (NIST) and published as a federal information processing standard in 1993.

381

Page 382: Cyptography and network security

Types of SHA

1. SHA-0
2. SHA-1
3. SHA-224
4. SHA-256
5. SHA-384
6. SHA-512

382

Page 383: Cyptography and network security

Comparisons

                       SHA-1     SHA-256   SHA-384   SHA-512
Message digest size    160       256       384       512
Message size           < 2^64    < 2^64    < 2^128   < 2^128
Block size             512       512       1024      1024
Word size              32        32        64        64
Number of steps        80        64        80        80

383

Page 384: Cyptography and network security

SHA-512

• The algorithm takes as input a message with a maximum length of less than 2^128 bits and produces as output a 512-bit message digest.

• The input is processed in 1024-bit blocks.

384

Page 385: Cyptography and network security

SHA-512 Logic

Padding is the addition of one or more extra bits to a transmission.

385

Page 386: Cyptography and network security

Message Digest Generation Using SHA-512

386

Page 387: Cyptography and network security

Message Digest Generation Using SHA-512

Step 1: Append padding bits.
Step 2: Append length.
Step 3: Initialize hash buffer.
Step 4: Process message in 1024-bit (128-word) blocks.

387

Page 388: Cyptography and network security

Processing of a Single 1024-Bit Block

388

Page 389: Cyptography and network security

Processing of a Single 1024-Bit Block

• A 512-bit buffer is used to hold intermediate and final results of the hash function.

• The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h).

• These registers are initialized to default hexadecimal values.

389

Page 390: Cyptography and network security

a = 6A09E667F3BCC908

b = BB67AE8584CAA73B

c = 3C6EF372FE94F82B

d = A54FF53A5F1D36F1

e = 510E527FADE682D1

f = 9B05688C2B3E6C1F

g = 1F83D9ABFB41BD6B

h = 5BE0CD19137E2179

390

Page 391: Cyptography and network security

SHA-512 Processing of a Single 1024-Bit Block

• Each round takes as input the 512-bit buffer value abcdefgh, and updates the contents of the buffer.

391

Page 392: Cyptography and network security

H_0 = IV

H_i = SUM64(H_{i-1}, abcdefgh_i)

MD = H_N

392

Page 393: Cyptography and network security

Where:

• IV = initial value of the abcdefgh buffer

• abcdefgh_i = the output of the last round of processing of the ith message block

• N = the number of blocks in the message (including padding and length fields)

• SUM64 = addition modulo 2^64 performed separately on each word of the pair of inputs

• MD = final message digest value

393
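Steps 1 to 3 of the digest generation and the SUM64 chaining rule, as an added example in Python (not code from the slides). It pads a message, counts the resulting 1024-bit blocks N, and reproduces the eight register constants from their definition in FIPS 180-4 (the first 64 bits of the fractional parts of the square roots of the first eight primes), which is a quick way to check a transcribed IV table such as the one above. The function names are my own; the round function itself is not included.

```python
# Added example: SHA-512 preprocessing and chaining (not the slides' own code).
import math

MASK64 = (1 << 64) - 1


def sha512_pad(message):
    """Steps 1 and 2: append a single 1 bit (0x80), then zero bits, then the
    128-bit big-endian message length, so the total is a multiple of 1024 bits."""
    bit_len = len(message) * 8
    assert bit_len < 2 ** 128, "SHA-512 accepts messages shorter than 2^128 bits"
    padded = message + b"\x80"
    padded += b"\x00" * ((128 - (len(padded) + 16) % 128) % 128)
    return padded + bit_len.to_bytes(16, "big")


def block_count(message):
    """N: the number of 1024-bit blocks after padding and the length field."""
    return len(sha512_pad(message)) // 128


def sha512_initial_values():
    """Step 3: registers a..h are the first 64 bits of the fractional parts of
    sqrt(2), sqrt(3), ..., sqrt(19). isqrt(p << 128) is floor(sqrt(p) * 2^64),
    whose low 64 bits are exactly that fractional part."""
    return [math.isqrt(p << 128) & MASK64 for p in (2, 3, 5, 7, 11, 13, 17, 19)]


def sum64(h_prev, abcdefgh):
    """SUM64: word-wise addition modulo 2^64 of the previous chaining value
    H_{i-1} and the buffer left by the last round, giving H_i."""
    return [(x + y) & MASK64 for x, y in zip(h_prev, abcdefgh)]


if __name__ == "__main__":
    print([format(v, "016X") for v in sha512_initial_values()])
    print(block_count(b"abc"), sha512_pad(b"abc").hex())
```

A message of 111 bytes still fits in one block (111 + 1 padding byte + 16 length bytes = 128), while 112 bytes forces a second block; the length field is what makes two messages of different length never share a padded block sequence.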

Page 394: Cyptography and network security

SHA-512 Round Function

394

Page 395: Cyptography and network security

SHA-512 Round Function

395

Page 396: Cyptography and network security

SHA-512 Round Function

396

Page 397: Cyptography and network security

SHA-512 Round Function

397

Page 398: Cyptography and network security

SHA-512 Round Function

398

Page 399: Cyptography and network security

SHA-512 Round Function

399

Page 400: Cyptography and network security

Creation of 80-word Input Sequence for SHA-512 Processing of Single Block

400

Page 401: Cyptography and network security

Creation of 80-word Input Sequence for SHA-512 Processing of Single Block

401

Page 402: Cyptography and network security

Creation of 80-word Input Sequence for SHA-512 Processing of Single Block

402

Page 403: Cyptography and network security

Whirlpool

• Whirlpool is based on the use of a block cipher for the compression function.

• It takes a message of any length less than 2^256 bits and returns a 512-bit message digest.

403

Page 404: Cyptography and network security

Features

• The hash code length is 512 bits.

• The underlying block cipher is based on AES.

404

Page 405: Cyptography and network security

Whirlpool Hash Structure

405

Page 406: Cyptography and network security

Message Digest Generation Using Whirlpool

406

Page 407: Cyptography and network security

Whirlpool Overview

Step 1: Append padding bits.
Step 2: Append length.
Step 3: Initialize hash matrix.
Step 4: Process message in 512-bit (64-byte) blocks, using as its core the block cipher W.

407

Page 408: Cyptography and network security

Whirlpool Overview

408

Page 409: Cyptography and network security

Comparison of Whirlpool Block Cipher W and AES

                     W                          AES
Block size (bits)    512                        128
Key size (bits)      512                        128, 192, or 256
Matrix orientation   Input is mapped row-wise   Input is mapped column-wise
Number of rounds     10                         10, 12, or 14

409

Page 410: Cyptography and network security

Whirlpool Block Cipher W

410

Page 411: Cyptography and network security

Whirlpool Block Cipher W

The encryption algorithm takes a 512-bit block of plaintext and a 512-bit key as input and produces a 512-bit block of ciphertext as output.

The encryption algorithm involves the use of four different functions: add key (AK), substitute bytes (SB), shift columns (SC), and mix rows (MR).

411

Page 412: Cyptography and network security

Whirlpool Matrix Structure

• The plaintext input to W is a single 512-bit block.

• This block is treated as an 8 x 8 square matrix of bytes, labeled Cstate.

412

Page 413: Cyptography and network security

Whirlpool Matrix Structure

413

Page 414: Cyptography and network security

The Nonlinear Layer SB

414

Page 415: Cyptography and network security

The Nonlinear Layer SB

The leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits are used as a column value.

These row and column values serve as indexes into the S-box to select a unique 8-bit output value.

For example, the hexadecimal value {95} references row 9, column 5 of the S-box, which contains the value {BA}. Accordingly, the value {95} is mapped into the value {BA}.

415

Page 416: Cyptography and network security

Mix Row

• Each byte of a row is mapped into a new value that is a function of all eight bytes in that row.

• The transformation can be defined by the matrix multiplication: B = AC

• where A is the input matrix, B is the output matrix, and C is the transformation matrix:

416

Page 417: Cyptography and network security

Whirlpool Performance & Security

• Whirlpool is a very new proposal, hence there is little experience with use

• compared to SHA-512, Whirlpool requires more hardware resources but performs much better in terms of throughput.

417

Page 418: Cyptography and network security

MAC

418

Page 419: Cyptography and network security

Types of MAC

• HMAC (Hash-based Message Authentication Code)
• CMAC (Cipher-based Message Authentication Code)

419

Page 420: Cyptography and network security

HMAC

The message authentication code is generated by a hash function. HMAC is computationally very fast and very compact. Any cryptographic hash function, such as MD5 or SHA-1, may be used in the calculation of an HMAC.

420

Page 421: Cyptography and network security

HMAC Algorithm

H = embedded hash function
IV = initial value input to hash function
M = message input to HMAC
Yi = ith block of M
L = number of blocks in M
b = number of bits in a block
n = length of hash code produced by embedded hash function
K = secret key

421

Page 422: Cyptography and network security

HMAC Algorithm

K+ = K padded with zeros on the left
ipad = 00110110 (36 in hexadecimal)
opad = 01011100 (5C in hexadecimal)

422

Page 423: Cyptography and network security

HMAC Overview

423

Page 424: Cyptography and network security

HMAC Overview

1. Append zeros to the left end of K to create a b-bit string K+.

2. XOR K+ with ipad to produce the b-bit block Si.

3. Append M to Si.

4. Apply H to the stream generated in step 3.

5. XOR K+ with opad to produce the b-bit block So.

424

Page 425: Cyptography and network security

HMAC Overview

6. Append the hash result from step 4 to So.

7. Apply H to the stream generated in step 6 and output the result.

425

Page 426: Cyptography and network security

HMAC Overview

426

Page 427: Cyptography and network security

Efficient Implementation of HMAC

427

Page 428: Cyptography and network security

Two quantities are precomputed

428
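The seven HMAC steps above and the precomputation trick of the efficient implementation, written out in Python with H = SHA-256 as an added example (not the slides' code). The function and class names are my own. One point of convention: RFC 2104 appends the zero padding after the key bytes and hashes keys longer than b bits first, and that is what the standard library's `hmac` module implements, so the example follows the RFC and checks itself against `hmac.new`.

```python
# Added example: HMAC from its seven steps, with H = SHA-256 (not the slides' code).
import hashlib
import hmac

B_BYTES = 64                       # b = 512 bits, the SHA-256 block size
IPAD = bytes([0x36]) * B_BYTES
OPAD = bytes([0x5C]) * B_BYTES


def _k_plus(key):
    """Step 1: K+ is K brought to b bits. Per RFC 2104 the zero bytes are appended
    after the key, and a key longer than b bits is first replaced by H(K)."""
    if len(key) > B_BYTES:
        key = hashlib.sha256(key).digest()
    return key + b"\x00" * (B_BYTES - len(key))


def hmac_sha256(key, message):
    k_plus = _k_plus(key)
    s_i = bytes(x ^ y for x, y in zip(k_plus, IPAD))      # step 2
    inner = hashlib.sha256(s_i + message).digest()        # steps 3 and 4
    s_o = bytes(x ^ y for x, y in zip(k_plus, OPAD))      # step 5
    return hashlib.sha256(s_o + inner).digest()           # steps 6 and 7


class PrecomputedHmac:
    """Efficient implementation: the two hash states after absorbing S_i and S_o
    (f(IV, S_i) and f(IV, S_o)) are computed once per key. Each message then costs
    a copy of each state plus hashing M and the n-bit inner result."""

    def __init__(self, key):
        k_plus = _k_plus(key)
        self._inner_state = hashlib.sha256(bytes(x ^ y for x, y in zip(k_plus, IPAD)))
        self._outer_state = hashlib.sha256(bytes(x ^ y for x, y in zip(k_plus, OPAD)))

    def tag(self, message):
        inner = self._inner_state.copy()
        inner.update(message)
        outer = self._outer_state.copy()
        outer.update(inner.digest())
        return outer.digest()


def verify_tag(key, message, tag):
    """Constant-time comparison, so a verifier does not leak how many leading
    bytes of a guessed tag were right."""
    return hmac.compare_digest(hmac_sha256(key, message), tag)


if __name__ == "__main__":
    key, msg = b"constructed-demo-key", b"constructed message"
    print(hmac_sha256(key, msg).hex())
    print(PrecomputedHmac(key).tag(msg).hex())
```

The `copy()` on a hashlib object is the precomputed-state reuse the slide refers to: the per-key work (two block-compressions) is paid once, and every further message only pays for its own data.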

Page 429: Cyptography and network security

CMAC

CMAC is a message authentication code generated using a block cipher.

429

Page 430: Cyptography and network security

CMAC Overview

430

Page 431: Cyptography and network security

CMAC Overview

The message is divided into n blocks M1..Mn, padded if necessary.

The algorithm makes use of a k-bit encryption key K and an n-bit constant K1 or K2 (depending on whether the message was padded or not).

431

Page 432: Cyptography and network security

CMAC Overview

432

Page 433: Cyptography and network security

CMAC Overview

T = MSB_Tlen(Cn)

where

T = message authentication code, also referred to as the tag
Tlen = bit length of T
MSB_s(X) = the s leftmost bits of the bit string X

433
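The CMAC construction described on the last three slides, as an added Python example (not code from the slides): derivation of K1 and K2 from L = E_K(0^128), the choice between them according to whether the final block needed padding, and T = MSB_Tlen(Cn). Because the standard library has no AES, the block cipher is passed in as a callable; `make_stand_in_cipher` is a constructed, clearly non-secure placeholder so the structure can be run, and in practice AES-128 under K takes its place. The subkey test values are the L, K1 and K2 of the AES-128 example in RFC 4493.

```python
# Added example: CMAC subkey generation and tag computation (not the slides' code).
import hashlib

BLOCK = 16                   # 128-bit block cipher such as AES
RB = 0x87                    # constant Rb for b = 128 in NIST SP 800-38B


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _shift_left_1(block):
    """Left shift of a 128-bit string by one bit, discarding the top bit."""
    v = (int.from_bytes(block, "big") << 1) & ((1 << 8 * BLOCK) - 1)
    return v.to_bytes(BLOCK, "big")


def cmac_subkeys(l_value):
    """K1 and K2 from L = E_K(0^128): shift left, and XOR Rb into the last byte
    whenever the bit shifted out was 1."""
    k1 = _shift_left_1(l_value)
    if l_value[0] & 0x80:
        k1 = k1[:-1] + bytes([k1[-1] ^ RB])
    k2 = _shift_left_1(k1)
    if k1[0] & 0x80:
        k2 = k2[:-1] + bytes([k2[-1] ^ RB])
    return k1, k2


def cmac(encrypt_block, message, tlen=128):
    """CMAC over any 128-bit block cipher given as encrypt_block(16 bytes) -> 16 bytes.
    The message is split into n blocks M1..Mn; the last block is XORed with K1 when it
    is complete, or padded with 10* and XORed with K2 when it is not; T = MSB_Tlen(Cn)."""
    k1, k2 = cmac_subkeys(encrypt_block(bytes(BLOCK)))
    n = max(1, -(-len(message) // BLOCK))            # ceil(len / 16), at least one block
    blocks = [message[i * BLOCK:(i + 1) * BLOCK] for i in range(n)]
    last = blocks[-1]
    if len(message) > 0 and len(message) % BLOCK == 0:
        blocks[-1] = _xor(last, k1)                  # complete final block: use K1
    else:
        padded = last + b"\x80" + b"\x00" * (BLOCK - len(last) - 1)
        blocks[-1] = _xor(padded, k2)                # padded final block: use K2
    c = bytes(BLOCK)                                 # C0 = 0^128
    for m_i in blocks:
        c = encrypt_block(_xor(c, m_i))              # Ci = E_K(Ci-1 XOR Mi)
    return c[: tlen // 8]                            # T = MSB_Tlen(Cn)


def make_stand_in_cipher(key):
    """Constructed placeholder for E_K so the example runs without an AES library:
    SHA-256 over key || block, truncated to 16 bytes. It is NOT a block cipher and
    NOT secure; substitute AES-128 under key K for real use."""
    return lambda block: hashlib.sha256(key + block).digest()[:BLOCK]


if __name__ == "__main__":
    enc = make_stand_in_cipher(b"constructed-key")
    print(cmac(enc, b"").hex(), cmac(enc, b"sixteen byte msg").hex())
```

The two subkeys are what separates CMAC from the older DAA above: without them, a tag on a padded message and a tag on the message with the padding written out explicitly would coincide.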

Page 434: Cyptography and network security

Digital signature

A digital signature is an authentication mechanism that enables the creator of a message to attach a code that acts as a signature.

The signature is formed by taking the hash of the message and encrypting the message with the creator's private key. The signature guarantees the source and integrity of the message.

434

Page 435: Cyptography and network security

Digital Signature Properties

• The signature must be a bit pattern that depends on the message being signed.

• The signature must use some information unique to the sender, to prevent both forgery and denial.

• It must be relatively easy to produce the digital signature.

• It must be relatively easy to recognize and verify the digital signature.

• It must be computationally infeasible to forge a digital signature.

• It must be practical to retain a copy of the digital signature in storage.

435

Page 436: Cyptography and network security

Direct Digital Signatures

Direct Digital Signatures involve only the communicating parties. A digital signature may be formed by encrypting the entire message with the sender's private key.

Confidentiality can be provided by further encrypting the entire message plus signature using either public or private key schemes.

Security depends on the sender's private key.

436

Page 437: Cyptography and network security

Arbitrated Digital Signatures

• involves use of an arbiter A
  – validates any signed message
  – then dated and sent to recipient

• requires a suitable level of trust in the arbiter

• can be implemented with either private or public-key algorithms

• arbiter may or may not see the message

437

Page 438: Cyptography and network security

Arbitrated Digital Signatures

438

X = sender

Y = recipient

A = Arbiter

M = message

T = timestamp

Page 439: Cyptography and network security

Authentication Protocols

• Authentication Protocols are used to convince parties of each other's identity and to exchange session keys.

• may be one-way or mutual

439

Page 440: Cyptography and network security

One-Way Authentication

• required when sender and receiver are not in communication at the same time (e.g. email)

440

Page 441: Cyptography and network security

Mutual Authentication

• required when sender and receiver are in communication at the same time (e.g. client-server)

441

Page 442: Cyptography and network security

Digital Signature Standard

The digital signature standard (DSS) is an NIST standard that uses the secure hash algorithm (SHA).

442

Page 443: Cyptography and network security

Two Approaches to Digital Signatures

443

Page 444: Cyptography and network security

The Digital Signature Algorithm (DSA)

444

Page 445: Cyptography and network security

Global Public-Key Components

p    prime number where 2^(L-1) < p < 2^L for 512 <= L <= 1024

q    prime divisor of (p - 1), where 2^159 < q < 2^160

g    = h^((p-1)/q) mod p, where h is any integer with 1 < h < (p - 1) such that h^((p-1)/q) mod p > 1

445

Page 446: Cyptography and network security

User's Private Key

x    random or pseudorandom integer with 0 < x < q

446

Page 447: Cyptography and network security

User's Public Key

y = g^x mod p

447

Page 448: Cyptography and network security

User's Per-Message Secret Number

k = random or pseudorandom integer with 0 < k < q

448

Page 449: Cyptography and network security

Signing

r = (g^k mod p) mod q

s = [k^-1 (H(M) + xr)] mod q

Signature = (r, s)

449

Page 450: Cyptography and network security

Verifying

w = (s')^-1 mod q

u1 = [H(M') w] mod q

u2 = (r') w mod q

v = [(g^u1 y^u2) mod p] mod q

450

Page 451: Cyptography and network security

Verifying

TEST: v = r'

M = message to be signed
H(M) = hash of M using SHA-1
M', r', s' = received versions of M, r, s

451
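The DSA global components, key generation, signing and verifying equations from the slides above, carried through in Python as an added example (not the slides' own code). To keep the run short it generates toy-sized parameters (a 32-bit q dividing p - 1 for a 64-bit p, chosen deterministically by my `generate_params`), where the standard requires the sizes stated on the slide; the hash is SHA-1 only because the slides define H(M) that way, and its leftmost bits are taken when q is shorter than the digest, as FIPS 186 prescribes. Function names are my own.

```python
# Added example: DSA parameter generation, signing and verification (not the slides' code).
import hashlib
import secrets

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Miller-Rabin with fixed bases; deterministic for every n below 3.3e24."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for b in _MR_BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_params(n_bits=32, l_bits=64):
    """Toy global components (p, q, g): q an N-bit prime, p an L-bit prime with
    q | (p - 1), g = h^((p-1)/q) mod p > 1. DSS itself needs N = 160 and
    512 <= L <= 1024 (larger in current FIPS 186); the search here is deterministic."""
    q = (1 << (n_bits - 1)) | 1
    while not is_prime(q):
        q += 2
    k = (1 << (l_bits - 1)) // q
    while True:
        p = k * q + 1
        if p.bit_length() == l_bits and is_prime(p):
            break
        k += 1
    h = 2
    while pow(h, (p - 1) // q, p) <= 1:
        h += 1
    return p, q, pow(h, (p - 1) // q, p)


def hash_to_int(message, q):
    """H(M) with SHA-1 as on the slides, keeping only the leftmost N bits when the
    digest is longer than q."""
    digest = hashlib.sha1(message).digest()
    z = int.from_bytes(digest, "big")
    excess = len(digest) * 8 - q.bit_length()
    return z >> excess if excess > 0 else z


def keygen(p, q, g):
    x = secrets.randbelow(q - 1) + 1          # private key, 0 < x < q
    return x, pow(g, x, p)                    # public key y = g^x mod p


def sign(params, x, message):
    p, q, g = params
    while True:
        k = secrets.randbelow(q - 1) + 1      # fresh per-message secret, 0 < k < q
        r = pow(g, k, p) % q
        s = (pow(k, -1, q) * (hash_to_int(message, q) + x * r)) % q
        if r != 0 and s != 0:                 # FIPS 186 requires retrying in that case
            return r, s


def verify(params, y, message, signature):
    p, q, g = params
    r, s = signature
    if not (0 < r < q and 0 < s < q):         # reject out-of-range values before any arithmetic
        return False
    w = pow(s, -1, q)
    u1 = (hash_to_int(message, q) * w) % q
    u2 = (r * w) % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r


if __name__ == "__main__":
    params = generate_params()
    x, y = keygen(*params)
    sig = sign(params, x, b"constructed message")
    print(params, sig, verify(params, y, b"constructed message", sig))
```

The range check at the top of `verify` is the step most often left out of classroom implementations; without it, s = 0 or r = 0 would reach the modular-inverse and comparison logic with results the equations were never meant to cover.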

Page 452: Cyptography and network security

Kerberos

452

Page 453: Cyptography and network security

Kerberos

Kerberos provides a centralized authentication server whose function is to authenticate users to servers and servers to users.

453

Page 454: Cyptography and network security

Kerberos

Kerberos is an authentication service designed for use in a distributed environment.

Kerberos makes use of a trusted third-party authentication service that enables clients and servers to establish authenticated communication.

454

Page 455: Cyptography and network security

455

Requirements for KERBEROS

Secure: an opponent does not find it to be the weak link.

Scalable: the system supports a large number of clients and servers.

Reliable: for all services that rely on Kerberos for access control, lack of availability of the Kerberos service means lack of availability of the supported services.

Transparent: the user should not be aware that authentication is taking place.

Page 456: Cyptography and network security

A Simple Authentication Dialogue

C = client
AS = authentication server
V = server
IDC = identifier of user on C
IDV = identifier of V
PC = password of user on C
ADC = network address of C
Kv = secret encryption key shared by AS and V

456

Page 457: Cyptography and network security

457

A Simple Authentication Dialogue

(1) C -> AS: IDc || Pc || IDv

(2) AS -> C: Ticket

(3) C -> V: IDc || Ticket

Ticket = E(Kv, [IDc, ADc, IDv])

Kv = secret key between AS and V (server)

Pc = password of client

Page 458: Cyptography and network security

A More Secure Authentication Dialogue

Problems with the simple dialogue: the number of times a user has to enter a password should be minimized, and tickets are not reusable.

To solve these problems, we introduce a new server, known as the ticket-granting server (TGS).

458

Page 459: Cyptography and network security

Once per user logon session:

(1) C -> AS: IDC || IDtgs

(2) AS -> C: E(Kc, Ticket_tgs)

459

Page 460: Cyptography and network security

Once per type of service:

(3) C -> TGS: IDC || IDV || Ticket_tgs

(4) TGS -> C: Ticket_v

460

Page 461: Cyptography and network security

Once per service session:

(5) C -> V: IDC || Ticket_v

461

Page 462: Cyptography and network security

Kerberos 4 Overview

462

Page 463: Cyptography and network security

1.The client requests a ticket-granting ticket on behalf of the user by sending its user's ID and password to the AS, together with the TGS ID, indicating a request to use the TGS service.

2. The AS responds with a ticket that is encrypted with a key that is derived from the user's password. When this response arrives at the client, the client prompts the user for his or her password, generates the key, and attempts to decrypt the incoming message. If the correct password is supplied, the ticket is successfully recovered.

463

Page 464: Cyptography and network security

3.The client requests a service-granting ticket on behalf of the user.

4. The TGS decrypts the incoming ticket and verifies the success of the decryption by the presence of its ID. It checks to make sure that the lifetime has not expired. Then it compares the user ID and network address with the incoming information to authenticate the user. If the user is permitted access to the server V, the TGS issues a ticket to grant access to the requested service.

464

Page 465: Cyptography and network security

5.The client requests access to a service on behalf of the user. For this purpose, the client transmits a message to the server containing the user's ID and the service-granting ticket. The server authenticates by using the contents of the ticket.

465

Page 466: Cyptography and network security

466

Page 467: Cyptography and network security

467

Page 468: Cyptography and network security

468

Page 469: Cyptography and network security

Kerberos realm

Kerberos allows the global distribution of ASs and TGSs, with each system called a realm. A user may get a ticket for a local server or a remote server.

Page 470: Cyptography and network security

Kerberos realm

1. The Kerberos server must have the user ID and hashed passwords of all participating users in its database.

2. The Kerberos server must share a secret key with each server. All servers are registered with the Kerberos server.

Such an environment is referred to as a Kerberos realm.

470

Page 471: Cyptography and network security

31/03/2005 Authentication Applications 471

Request for Service in another realm:

1. Request ticket for local TGS
2. Ticket for local TGS
3. Request ticket for remote TGS
4. Ticket for remote TGS
5. Request ticket for remote server
6. Ticket for remote server
7. Request for remote service

Page 472: Cyptography and network security

The minor differences between version 4 and version 5

1) Version 5 has a longer ticket lifetime.
2) Version 5 allows tickets to be renewed.
3) Version 5 can accept any symmetric-key algorithm.
4) Version 5 uses a different protocol for describing data types.
5) Version 5 has more overhead than version 4.

Page 473: Cyptography and network security

X.509 Authentication Service

  X.509 is an ITU-T standard for a public key infrastructure (PKI) and Privilege Management Infrastructure (PMI).

X.509 specifies standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.

473

Page 474: Cyptography and network security

Public-Key Certificate Use

474

Page 475: Cyptography and network security

X.509 Certificates

• issued by a Certification Authority (CA), containing:
  – version (1, 2, or 3)
  – serial number (unique within CA) identifying certificate
  – signature algorithm identifier
  – issuer X.500 name (CA)
  – period of validity (from - to dates)
  – subject X.500 name (name of owner)
  – subject public-key info (algorithm, parameters, key)
  – issuer unique identifier (v2+)
  – subject unique identifier (v2+)
  – extension fields (v3)
  – signature (of hash of all fields in certificate)

• notation CA<<A>> denotes certificate for A signed by CA

475

Page 476: Cyptography and network security

X.509 Certificates

476

Page 477: Cyptography and network security

CRL

• certificates have a period of validity

• may need to revoke before expiry, e.g.:
  1. user's private key is compromised
  2. user is no longer certified by this CA
  3. CA's certificate is compromised

• CRL is a file that contains a list of revoked certificates, their serial numbers, and their revocation dates.

477

Page 478: Cyptography and network security

Obtaining a Certificate

• any user with access to the CA can get any certificate from it

• only the CA can modify a certificate

• because they cannot be forged, certificates can be placed in a public directory

478

Page 479: Cyptography and network security

CA Hierarchy

• if both users share a common CA then they are assumed to know its public key

• otherwise CAs must form a hierarchy

• use certificates linking members of the hierarchy to validate other CAs
  – each CA has certificates for clients (forward) and parent (backward)

• each client trusts its parents' certificates

• enables verification of any certificate from one CA by users of all other CAs in the hierarchy

479

Page 480: Cyptography and network security

CA Hierarchy Use

480

A gets B's certificate using the chain: X<<W>> W<<V>> V<<Y>> Y<<Z>> Z<<B>>

Page 481: Cyptography and network security

481

Authentication Procedures:

• A CA must authenticate/verify an applicant before issuing it a certificate.

• Three alternative authentication procedures:
  – One-Way Authentication
  – Two-Way Authentication
  – Three-Way Authentication

Page 482: Cyptography and network security

One-Way Authentication

• One way authentication involves a single transfer of information from one user (A) to another (B)

482

Page 483: Cyptography and network security

483

One-Way Authentication:

• 1 message (A -> B) used to establish
  – the identity of A and that the message is from A
  – the message was intended for B
  – integrity and originality of the message

1. A -> B: A{ta, ra, B, sgnData, KUb[Kab]}

ta = timestamp
ra = nonce
B = identity
sgnData = signed with A's private key

Page 484: Cyptography and network security

484

Two-Way Authentication

• 2 messages (A -> B, B -> A) which also establishes in addition:
  – the identity of B and that the reply is from B
  – that the reply is intended for A
  – integrity and originality of the reply

1. A -> B: A{ta, ra, B, sgnData, KUb[Kab]}

2. B -> A: B{tb, rb, A, sgnData, KUa[Kab]}

Page 485: Cyptography and network security

485

Three-Way Authentication

• 3 messages (A -> B, B -> A, A -> B) which enables the above authentication without synchronized clocks

1. A -> B: A{ta, ra, B, sgnData, KUb[Kab]}

2. B -> A: B{tb, rb, A, sgnData, KUa[Kab]}

3. A -> B: A{rb}

Page 486: Cyptography and network security

Public-Key Infrastructure

A public-key infrastructure (PKI) is the set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates based on asymmetric cryptography.

486

Page 487: Cyptography and network security

Public-Key Infrastructure

End entity: A generic term used to denote end users, devices (e.g., servers, routers).

Certification authority (CA): The issuer of certificates and certificate revocation lists (CRLs).

Registration authority (RA): An optional component that can assume a number of administrative functions.

487

Page 488: Cyptography and network security

Public-Key Infrastructure

CRL issuer: An optional component that a CA can delegate to publish CRLs.

Repository: A generic term used to denote any method for storing certificates and CRLs so that they can be retrieved by end entities.

488

Page 489: Cyptography and network security

Public-Key Infrastructure

489

Page 490: Cyptography and network security

Public-Key Infrastructure

Registration: This is the process whereby a user first makes itself known to a CA (directly, or through an RA), prior to that CA issuing a certificate or certificates for that user.

Initialization: Before a client system can operate securely, it is necessary to install key materials that have the appropriate relationship with keys stored elsewhere in the infrastructure

490

Page 491: Cyptography and network security

Public-Key Infrastructure

Certification: This is the process in which a CA issues a certificate for a user's public key, and returns that certificate to the user's client system and/or posts that certificate in a repository.

Key pair update: All key pairs need to be updated regularly (i.e., replaced with a new key pair) and new certificates issued.

491

Page 492: Cyptography and network security

Public-Key Infrastructure

Cross certification: one certificate authority issues a certificate (a cross-certificate) to another certificate authority.

492

Page 493: Cyptography and network security

UNIT-IV

493

Page 494: Cyptography and network security

Contents

Pretty Good Privacy S/MIME IP Security Overview IP Security Architecture Authentication Header Encapsulating Security Payload Combining Security Associations Key management.

494

Page 495: Cyptography and network security

Pretty Good Privacy

495

Page 496: Cyptography and network security

Pretty Good Privacy

PGP provides a confidentiality and authentication service that can be used for electronic mail and file storage applications.

496

Page 497: Cyptography and network security

Pretty Good Privacy

PGP is an open-source freely available software package for e-mail security.

It provides authentication through the use of digital signature;

It provides confidentiality through the use of symmetric block encryption;

497

Page 498: Cyptography and network security

Pretty Good Privacy

It provides compression using the ZIP algorithm.

It provides e-mail compatibility using the radix-64 encoding scheme.

It provides Segmentation and reassembly to accommodate long e-mails.

498

Page 499: Cyptography and network security

Pretty Good Privacy

Ks =session key used in symmetric encryption scheme

PRa =private key of user A, used in public-key encryption scheme

PUa =public key of user A, used in public-key encryption scheme

499

Page 500: Cyptography and network security

Pretty Good Privacy

EP = public-key encryption DP = public-key decryption EC = symmetric encryption DC = symmetric decryption H = hash function || = concatenation Z = compression using ZIP algorithm R64 = conversion to radix 64 ASCII format

500

Page 501: Cyptography and network security

501

Page 502: Cyptography and network security

Authentication

1. The sender creates a message.

2. SHA-1 is used to generate a 160-bit hash code of the message.

3. The hash code is encrypted with RSA using the sender's private key, and the result is prepended to the message.

4. The receiver uses RSA with the sender's public key to decrypt and recover the hash code.

502

Page 503: Cyptography and network security

Authentication

5. The receiver generates a new hash code for the message and compares it with the decrypted hash code. If the two match, the message is accepted as authentic.

503

Page 504: Cyptography and network security

Confidentiality

1. The sender generates a message and a random 128-bit number to be used as a session key for this message only.

2. The message is encrypted, using CAST-128 (or IDEA or 3DES) with the session key.

3. The session key is encrypted with RSA, using the recipient's public key, and is prepended to the message.

504

Page 505: Cyptography and network security

Confidentiality

4. The receiver uses RSA with its private key to decrypt and recover the session key.

5. The session key is used to decrypt the message.
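The authentication and confidentiality steps above, combined into one sender/receiver pipeline in the notation of the slides (H = SHA-1, EP/DP = RSA, Z = compression, R64 = radix-64), as an added example that is not from the original slides or from PGP itself. Assumptions of this example: zlib's deflate stands in for ZIP, AES-128 in CTR mode stands in for CAST-128/IDEA/3DES, and the message layout (RSA-encrypted Ks, then the IV, then the ciphertext) is its own.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"io"
)

// Send is the sender side of the slides, in their notation:
//   R64( EP_PUb[Ks] || IV || EC_Ks( Z( EP_PRa[H(M)] || M ) ) )
func Send(msg []byte, senderPriv *rsa.PrivateKey, recipPub *rsa.PublicKey) (string, error) {
	// Authentication: H = SHA-1, then RSA with the sender's private key, prepended to M.
	d := sha1.Sum(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, senderPriv, crypto.SHA1, d[:])
	if err != nil {
		return "", err
	}
	signed := append(sig, msg...)
	// Z: compression (zlib's deflate stands in for ZIP here).
	var zbuf bytes.Buffer
	zw := zlib.NewWriter(&zbuf)
	zw.Write(signed)
	zw.Close()
	// Confidentiality: random 128-bit one-time session key Ks; AES-128-CTR stands in for CAST-128.
	ks, iv := make([]byte, 16), make([]byte, aes.BlockSize)
	rand.Read(ks)
	rand.Read(iv)
	block, _ := aes.NewCipher(ks) // a 16-byte key cannot fail
	ct := make([]byte, zbuf.Len())
	cipher.NewCTR(block, iv).XORKeyStream(ct, zbuf.Bytes())
	// Session key component: Ks encrypted with the recipient's public key, prepended.
	encKs, _ := rsa.EncryptPKCS1v15(rand.Reader, recipPub, ks) // 16 bytes always fit the modulus
	// R64: radix-64 conversion for e-mail compatibility.
	return base64.StdEncoding.EncodeToString(bytes.Join([][]byte{encKs, iv, ct}, nil)), nil
}

// Receive reverses the steps and returns an error rather than unauthenticated text.
func Receive(armored string, recipPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	body, err := base64.StdEncoding.DecodeString(armored)
	if err != nil {
		return nil, err
	}
	n := recipPriv.Size() // an RSA ciphertext is exactly one modulus long
	if len(body) < n+aes.BlockSize {
		return nil, errors.New("message too short")
	}
	ks, err := rsa.DecryptPKCS1v15(rand.Reader, recipPriv, body[:n])
	if err != nil {
		return nil, err
	}
	iv, ct := body[n:n+aes.BlockSize], body[n+aes.BlockSize:]
	block, _ := aes.NewCipher(ks) // ks is 16 bytes whenever decryption succeeded
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	zr, err := zlib.NewReader(bytes.NewReader(pt))
	if err != nil {
		return nil, err
	}
	signed, err := io.ReadAll(zr) // fails on a corrupted stream (checksum mismatch)
	if err != nil {
		return nil, err
	}
	sl := senderPub.Size() // an RSA signature is exactly one modulus long
	if len(signed) < sl {
		return nil, errors.New("no signature present")
	}
	sig, msg := signed[:sl], signed[sl:]
	d := sha1.Sum(msg)
	if rsa.VerifyPKCS1v15(senderPub, crypto.SHA1, d[:], sig) != nil {
		return nil, errors.New("hash codes differ: message is not authentic")
	}
	return msg, nil
}

// RoundTrip generates both key pairs, sends msg from A to B, checks that B
// recovers it, and checks that a flipped ciphertext byte is rejected.
func RoundTrip(msg []byte) (recovered []byte, tamperRejected bool, err error) {
	a, _ := rsa.GenerateKey(rand.Reader, 2048)
	b, _ := rsa.GenerateKey(rand.Reader, 2048)
	armored, err := Send(msg, a, &b.PublicKey)
	if err == nil {
		recovered, err = Receive(armored, b, &a.PublicKey)
	}
	if err != nil {
		return nil, false, err
	}
	raw, _ := base64.StdEncoding.DecodeString(armored)
	raw[len(raw)-1] ^= 0x01 // corrupt the last ciphertext byte
	_, err = Receive(base64.StdEncoding.EncodeToString(raw), b, &a.PublicKey)
	return recovered, err != nil, nil
}
```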

505

Page 506: Cyptography and network security

Transmission and Reception of PGP Messages

506

Page 507: Cyptography and network security

PGP Message Format

Page 508: Cyptography and network security

PGP Message Format

The message component includes the actual data to be stored or transmitted, as well as a filename and a timestamp that specifies the time of creation.

508

Page 509: Cyptography and network security

PGP Message Format

The signature component includes the following:

Timestamp: The time at which the signature was made.

Message digest: The 160-bit SHA-1 digest, encrypted with the sender's private signature key.

509

Page 510: Cyptography and network security

PGP Message Format

Leading two octets of message digest: To enable the recipient to determine if the correct public key was used to decrypt the message digest for authentication

• Key ID of sender's public key: Identifies the public key that should be used to decrypt the message digest

510

Page 511: Cyptography and network security

PGP Message Format

The session key component includes the session key and the identifier of the recipient's public key that was used by the sender to encrypt the session key.

511

Page 512: Cyptography and network security

Signing the message

PGP retrieves the sender's private key from the private-key ring using your_userid as an index. If your_userid was not provided in the command, the first private key on the ring is retrieved.

PGP prompts the user for the passphrase to recover the unencrypted private key.

The signature component of the message is constructed.

512

Page 513: Cyptography and network security

Encrypting the message

PGP generates a session key and encrypts the message.

PGP retrieves the recipient's public key from the public-key ring using her_userid as an index.

The session key component of the message is constructed.

513

Page 514: Cyptography and network security

PGP Message Generation

Page 515: Cyptography and network security

PGP Message Reception

Page 516: Cyptography and network security

Decrypting the message

PGP retrieves the receiver's private key from the private-key ring, using the Key ID field in the session key component of the message as an index.

PGP prompts the user for the passphrase to recover the unencrypted private key.

PGP then recovers the session key and decrypts the message.

516

Page 517: Cyptography and network security

Authenticating the message

PGP retrieves the sender's public key from the public-key ring, using the Key ID field in the signature key component of the message as an index.

PGP recovers the transmitted message digest.

PGP computes the message digest for the received message and compares it to the transmitted message digest to authenticate.

517

Page 518: Cyptography and network security

S/MIME

Another security service designed for electronic mail is Secure/Multipurpose Internet Mail Extension (S/MIME).

The protocol is an enhancement of the Multipurpose Internet Mail Extension (MIME) protocol.

518

Page 519: Cyptography and network security

RFC 822

RFC 822 defines a format for text messages that are sent using electronic mail. It has been the standard for Internet-based text mail messages and remains in common use.

519

Page 520: Cyptography and network security

RFC 822

520

Page 521: Cyptography and network security

MIME

MIME is an extension to the RFC 822 framework that is intended to address some of the problems and limitations of the use of SMTP.

521

Page 522: Cyptography and network security

MIME

SMTP cannot transmit executable files or other binary objects.

SMTP cannot transmit text data that includes national language characters.

SMTP servers may reject mail messages over a certain size.

SMTP cannot handle non-textual data.

522

Page 523: Cyptography and network security

16.523

MIME

Page 524: Cyptography and network security

16.524

MIME Message structure

Page 525: Cyptography and network security

16.525

MIME-Version: This header defines the version of MIME used. The current version is 1.1.

Content-Type: The content type and the content subtype are separated by a slash. Depending on the subtype, the header may contain other parameters.

Page 526: Cyptography and network security

16.526

Page 527: Cyptography and network security

16.527

16.3.1 Continued

Page 528: Cyptography and network security

S/MIME Functions

enveloped data: encrypted content and associated keys

signed data: encoded message + signed digest

clear-signed data: clear text message + encoded signed digest

signed & enveloped data: nesting of signed & encrypted entities

Page 529: Cyptography and network security

Cryptographic Algorithms

Function: Create a message digest to be used in forming a digital signature.
Requirement: MUST support SHA-1. Receiver SHOULD support MD5 for backward compatibility.

Function: Encrypt message digest to form digital signature.
Requirement: Sending and receiving agents MUST support DSS. Sending agents SHOULD support RSA encryption. Receiving agents SHOULD support verification of RSA signatures with key sizes 512 bits to 1024 bits.

Function: Encrypt session key for transmission with message.
Requirement: Sending and receiving agents SHOULD support Diffie-Hellman. Sending and receiving agents MUST support RSA encryption with key sizes 512 bits to 1024 bits.

529

Page 530: Cyptography and network security

Cryptographic Algorithms

Function: Encrypt message for transmission with one-time session key.
Requirement: Sending and receiving agents MUST support encryption with triple DES. Sending agents SHOULD support encryption with AES. Sending agents SHOULD support encryption with RC2/40.

530

Page 531: Cyptography and network security

S/MIME Messages

Type / Subtype / smime parameter: Description

Multipart / Signed / (none): A clear-signed message in two parts: one is the message and the other is the signature.

Application / pkcs7-mime / signedData: A signed S/MIME entity.

Application / pkcs7-mime / envelopedData: An encrypted S/MIME entity.

Application / pkcs7-mime / degenerate signedData: An entity containing only public-key certificates.

Application / pkcs7-mime / CompressedData: A compressed S/MIME entity.

531

Page 532: Cyptography and network security

Enveloped data

This consists of encrypted content of any type and encrypted content-encryption keys for one or more recipients.

532

Page 533: Cyptography and network security

533

enveloped data
  Version
  Originator Info
  Recipient Info
    Version
    Recipient ID (issuer and s.no.)
    Key Encryption Algorithm
    Encrypted Key
  Encrypted Content Info
    Content type
    Content Encryption Alg.
    Encrypted Content

Page 534: Cyptography and network security

534

Enveloped data – Example

Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=smime.p7m

rfvbnj756tbBghyHhHUujhJhjH77n8HHGT9HG4VQpfyF467GhIGfHfYT67n8HHGghyHhHUujhJh4VQpfyF467GhIGfHfYGTrfvbnjT6jH7756tbB9Hf8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF40GhIGfHfQbnj756YT64V

Page 535: Cyptography and network security

Signed data

A digital signature is formed by taking the message digest of the content to be signed and then encrypting that with the private key of the signer.

535

Page 536: Cyptography and network security

Clear-signed data

recipients without S/MIME capability can view the message content, although they cannot verify the signature.

536

Page 537: Cyptography and network security

537

Clear-signed data – Example

Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary=boundary42

--boundary42
Content-Type: text/plain

This is a clear-signed message.

--boundary42
Content-Type: application/pkcs7-signature; name=smime.p7s
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=smime.p7s

ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfHfYT64VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbB9HGTrfvbnjn8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF47GhIGfHfYT64VQbnj756

--boundary42--
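Building and parsing the clear-signed entity shown above with Go's mime packages, as an added example that is not from the original slides or from any S/MIME implementation. The signature bytes are a constructed placeholder for the CMS SignedData blob a real agent would produce, and the micalg digest is computed over the text body only, a simplification of the canonicalized first body part that real S/MIME hashes.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"mime"
	"mime/multipart"
	"net/textproto"
	"strings"
)

// BuildClearSigned produces the multipart/signed entity shown above: part 1 is
// the readable text, part 2 the base64 application/pkcs7-signature. sig is the
// detached signature; a real agent puts a CMS SignedData blob here, this example
// treats it as opaque bytes.
func BuildClearSigned(text string, sig []byte) (string, error) {
	var body bytes.Buffer
	w := multipart.NewWriter(&body)
	if err := w.SetBoundary("boundary42"); err != nil {
		return "", err
	}
	p1, err := w.CreatePart(textproto.MIMEHeader{"Content-Type": {"text/plain"}})
	if err != nil {
		return "", err
	}
	io.WriteString(p1, text)
	p2, err := w.CreatePart(textproto.MIMEHeader{
		"Content-Type":              {"application/pkcs7-signature; name=smime.p7s"},
		"Content-Transfer-Encoding": {"base64"},
		"Content-Disposition":       {"attachment; filename=smime.p7s"},
	})
	if err != nil {
		return "", err
	}
	io.WriteString(p2, base64.StdEncoding.EncodeToString(sig))
	w.Close()
	top := fmt.Sprintf("Content-Type: multipart/signed; protocol=%q; micalg=sha1; boundary=%s\r\n\r\n",
		"application/pkcs7-signature", w.Boundary())
	return top + body.String(), nil
}

// ParseClearSigned is the receiving agent's view: it checks the outer type and
// protocol parameter, returns the text (readable even without S/MIME support),
// the decoded signature bytes, and the hex SHA-1 (micalg=sha1) of the text.
// Verifying the signature itself needs the CMS blob and the signer's certificate
// and is outside this example.
func ParseClearSigned(msg string) (text string, sig []byte, digest string, err error) {
	i := strings.Index(msg, "\r\n\r\n")
	if i < 0 {
		return "", nil, "", errors.New("missing header/body separator")
	}
	ctype, params, err := mime.ParseMediaType(strings.TrimPrefix(msg[:i], "Content-Type: "))
	if err != nil {
		return "", nil, "", err
	}
	if ctype != "multipart/signed" || params["protocol"] != "application/pkcs7-signature" {
		return "", nil, "", errors.New("not an S/MIME clear-signed entity")
	}
	if params["micalg"] != "sha1" {
		return "", nil, "", fmt.Errorf("unsupported micalg %q", params["micalg"])
	}
	mr := multipart.NewReader(strings.NewReader(msg[i+4:]), params["boundary"])
	p1, err := mr.NextPart()
	if err != nil {
		return "", nil, "", err
	}
	textBytes, _ := io.ReadAll(p1)
	p2, err := mr.NextPart()
	if err != nil {
		return "", nil, "", err
	}
	if t2, _, _ := mime.ParseMediaType(p2.Header.Get("Content-Type")); t2 != "application/pkcs7-signature" {
		return "", nil, "", errors.New("second part is not the signature")
	}
	raw, _ := io.ReadAll(p2) // base64 is not decoded by the reader (only quoted-printable is)
	if sig, err = base64.StdEncoding.DecodeString(strings.TrimSpace(string(raw))); err != nil {
		return "", nil, "", err
	}
	sum := sha1.Sum(textBytes)
	return string(textBytes), sig, hex.EncodeToString(sum[:]), nil
}
```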

Page 538: Cyptography and network security

Signed and enveloped data

Signed-only and encrypted-only entities may be nested, so that encrypted data may be signed and signed data or clear-signed data may be encrypted.

538

Page 539: Cyptography and network security

IP Security

• IP security (IPSec) is a capability that can be added to either current version of the Internet Protocol (IPv4 or IPv6), by means of additional headers.

• IPSec encompasses three functional areas: authentication, confidentiality, and key management.

539

Page 540: Cyptography and network security

IP Security

The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME, PGP), client/server (Kerberos), Web access (Secure Sockets Layer), and others.

540

Page 541: Cyptography and network security

IPSec

The authentication mechanism assures that a received packet was transmitted by the party identified as the source in the packet header, and that the packet has not been altered in transit.

541

Page 542: Cyptography and network security

IPSec

The confidentiality facility enables communicating nodes to encrypt messages to prevent eavesdropping by third parties.

The key management facility is concerned with the secure exchange of keys. IPSec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet.

542

Page 543: Cyptography and network security

IPSec Uses

Page 544: Cyptography and network security

An organization maintains LANs at dispersed locations.

Non secure IP traffic is conducted on each LAN.

For traffic offsite, through some sort of private or public WAN, IPSec protocols are used.

These protocols operate in networking devices, such as a router or firewall, that connect each LAN to the outside world.

544

Page 545: Cyptography and network security

The IPSec networking device will typically encrypt and compress all traffic going into the WAN, and decrypt and decompress traffic coming from the WAN;

these operations are transparent to workstations and servers on the LAN.

Secure transmission is also possible with individual users who dial into the WAN. Such user workstations must implement the IPSec protocols to provide security.

545

Page 546: Cyptography and network security

Benefits of IPSec

When IPSec is implemented in a firewall or router, it provides strong security.

IPSec is below the transport layer (TCP, UDP) and so is transparent to applications.

IPSec can be transparent to end users.

IPSec can provide security for individual users.

Page 547: Cyptography and network security

IP Security Architecture

The IPSec specification consists of numerous documents.

RFC 2401: An overview of a security architecture

RFC 2402: Description of a packet authentication extension to IPv4 and IPv6

RFC 2406: Description of a packet encryption extension to IPv4 and IPv6

RFC 2408: Specification of key management capabilities

Page 548: Cyptography and network security

IPSec Document Overview

548

Page 549: Cyptography and network security

IPSec Document Overview

Encapsulating Security Payload (ESP): Covers the packet format and general issues related to the use of the ESP for packet encryption and, optionally, authentication.

Domain of Interpretation (DOI): Contains values needed for the other documents to relate to each other.

549

Page 550: Cyptography and network security

IPSec Document Overview

Authentication Header (AH): Covers the packet format and general issues related to the use of AH for packet authentication.

550

Page 551: Cyptography and network security

IPSec Document Overview

• Encryption Algorithm: A set of documents that describe how various encryption algorithms are used for ESP.

• Authentication Algorithm: A set of documents that describe how various authentication algorithms are used for AH and for the authentication option of ESP.

• Key Management: Documents that describe key management schemes.

551

Page 552: Cyptography and network security

IPSec Services

• Connectionless integrity: Assurance that received traffic has not been modified.

• Data origin authentication: Assurance that traffic is sent by a valid party.

• Confidentiality (encryption): Assurance that a user's traffic is not examined by non-authorized parties.

• Access control: Prevention of unauthorized use of a resource.

Page 553: Cyptography and network security

Applications of IPSec

Secure branch office connectivity over the Internet

Secure remote access over the Internet

Establishing extranet and intranet connectivity with partners

Enhancing electronic commerce security

553

Page 554: Cyptography and network security

Security Associations

A security association is simply the bundle of algorithms and parameters (such as keys) that is being used to encrypt and authenticate a particular flow in one direction.

Agreement between two entities on a security policy, including:
– Encryption algorithm
– Authentication algorithm
– Shared session keys
– SA lifetime

554

Page 555: Cyptography and network security

Transport Mode

In transport mode, only the payload of the IP packet is usually encrypted and/or authenticated.

555

Page 556: Cyptography and network security

Tunnel mode

In tunnel mode, the entire IP packet is encrypted and/or authenticated.

556

Page 557: Cyptography and network security

Authentication Header (AH)

The Authentication Header provides support for data integrity and authentication of IP packets.

The data integrity feature ensures that undetected modification to a packet's content in transit is not possible.

The authentication feature enables an end system or network device to authenticate the user or application and filter traffic accordingly.

557

Page 558: Cyptography and network security

Authentication Header (AH)

It also prevents address spoofing attacks and replay attacks.

Authentication is based on the use of a message authentication code (MAC), hence the two parties must share a secret key.

AH supports MACs using HMAC-MD5-96 or HMAC-SHA-1-96.

558

Page 559: Cyptography and network security

Authentication Header

Page 560: Cyptography and network security

Next Header (8 bits): Identifies the type of header immediately following this header.

560

Page 561: Cyptography and network security

Payload Length (8 bits): Specifies the length of the Authentication Header.

Reserved (16 bits): For future use.

Sequence Number (32 bits): Contains a unique sequence number for each packet sent.

Security Parameters Index (32 bits): Specifies the security scheme (security association) used.

561

Page 562: Cyptography and network security

Authentication Data (variable): A variable-length field (must be an integral number of 32-bit words) that contains the Integrity Check Value (ICV), or MAC, for this packet.
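An AH transport-mode packet built and verified over the fields above with HMAC-SHA-1-96, together with the anti-replay window that the Sequence Number feeds, as an added example that is not from the original slides or from any IPSec implementation. Covering only AH plus payload with the MAC, rather than the immutable IP header fields as well, is a simplification of this example; the key, SPI and payloads are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
)

// AH layout used here (transport mode, HMAC-SHA-1-96), in bytes:
//   Next Header(1) | Payload Len(1) | Reserved(2) | SPI(4) | Sequence Number(4) | ICV(12)
const ahLen = 24

// icv96 is HMAC-SHA-1 truncated to its leftmost 96 bits, as AH (and ESP's
// optional authentication) use it.
func icv96(key, data []byte) []byte {
	m := hmac.New(sha1.New, key)
	m.Write(data)
	return m.Sum(nil)[:12]
}

// BuildAH prepends an Authentication Header to an upper-layer payload. A real
// sender also covers the immutable IP header fields with the MAC; this example
// covers AH and payload only (a simplification).
func BuildAH(key []byte, spi, seq uint32, nextHeader byte, payload []byte) []byte {
	pkt := make([]byte, ahLen+len(payload))
	pkt[0] = nextHeader
	pkt[1] = ahLen/4 - 2 // Payload Len: AH length in 32-bit words minus 2 (RFC 2402)
	// pkt[2:4] is Reserved and stays zero
	binary.BigEndian.PutUint32(pkt[4:8], spi)
	binary.BigEndian.PutUint32(pkt[8:12], seq)
	copy(pkt[ahLen:], payload)
	// The ICV field is zero while the MAC is computed, then filled in.
	copy(pkt[12:ahLen], icv96(key, pkt))
	return pkt
}

// Receiver is the inbound side of one SA: its key and SPI plus a 64-packet
// sliding anti-replay window (bit i set = sequence number Right-i already seen).
type Receiver struct {
	Key    []byte
	SPI    uint32
	Right  uint32 // highest sequence number accepted so far
	Window uint64
}

// Verify checks SPI, replay window and ICV, then returns the payload. The window
// is updated only after the ICV verifies, so a forged packet cannot advance it.
func (r *Receiver) Verify(pkt []byte) ([]byte, error) {
	if len(pkt) < ahLen {
		return nil, errors.New("truncated AH")
	}
	if binary.BigEndian.Uint32(pkt[4:8]) != r.SPI {
		return nil, errors.New("unknown SPI")
	}
	seq := binary.BigEndian.Uint32(pkt[8:12])
	if seq <= r.Right {
		back := r.Right - seq
		if back >= 64 {
			return nil, errors.New("sequence number older than the window")
		}
		if r.Window&(1<<back) != 0 {
			return nil, errors.New("replayed packet")
		}
	}
	zeroed := make([]byte, len(pkt))
	copy(zeroed, pkt)
	for i := 12; i < ahLen; i++ {
		zeroed[i] = 0
	}
	if !hmac.Equal(icv96(r.Key, zeroed), pkt[12:ahLen]) {
		return nil, errors.New("ICV mismatch: packet altered or wrong key")
	}
	if seq > r.Right {
		if shift := seq - r.Right; shift >= 64 {
			r.Window = 0
		} else {
			r.Window <<= shift
		}
		r.Right, r.Window = seq, r.Window|1
	} else {
		r.Window |= 1 << (r.Right - seq)
	}
	return pkt[ahLen:], nil
}
```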

562

Page 563: Cyptography and network security

Transport & Tunnel Modes

Page 564: Cyptography and network security

Transport mode

Transport mode provides protection primarily for upper-layer protocol payloads, by inserting the AH after the original IP header and before the IP payload.

Typically, transport mode is used for end-to-end communication between two hosts.

564

Page 565: Cyptography and network security

Tunnel mode

Tunnel mode provides protection to the entire IP packet: after the AH or ESP fields are added to the IP packet, the entire packet plus security fields is treated as the payload of a new “outer” IP packet with a new outer IP header.

Tunnel mode is used when one or both ends of an SA are a security gateway, such as a firewall or router that implements IPSec.

565

Page 566: Cyptography and network security

AH: Transport and Tunnel Mode

Original

Transport mode

Tunnel mode

Page 567: Cyptography and network security

Encapsulating Security Payload (ESP)

The Encapsulating Security Payload provides confidentiality services, including confidentiality of message contents and limited traffic flow confidentiality.

As an optional feature, ESP can also provide an authentication service, with the same MACs as AH.

• ESP supports a range of ciphers, modes and padding, incl. DES, Triple-DES, RC5, IDEA, CAST etc.

Page 568: Cyptography and network security

Encapsulating Security Payload

Page 569: Cyptography and network security

Encapsulating Security Payload

Security Parameters Index (32 bits): Identifies a security association.

Sequence Number (32 bits): Contains a unique sequence number for each packet sent.

Payload Data (variable): This is a transport-level segment (transport mode).

569

Page 570: Cyptography and network security

Encapsulating Security Payload

Padding (0–255 bytes): for various reasons.

Pad Length (8 bits): length of the pad bytes.

Next Header (8 bits): Identifies the type of data contained in the payload data field by identifying the first header in that payload.

Authentication Data (variable): A variable-length field that contains the Integrity Check Value computed over the ESP packet minus the Authentication Data field.
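ESP encapsulation and decapsulation with the trailer fields above (Padding, Pad Length, Next Header) and the ICV computed over the packet minus the Authentication Data field, as an added example that is not from the original slides or from any IPSec implementation. AES-128-CBC and HMAC-SHA-1-96 are this example's choices, the keys and payload are constructed, and the receiver verifies the ICV before it decrypts anything.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
)

// ESP packet layout used here (AES-128-CBC with HMAC-SHA-1-96), in bytes:
//   SPI(4) | Sequence Number(4) | IV(16) | Enc( Payload | Padding | Pad Length(1) | Next Header(1) ) | ICV(12)
const (
	espHdr = 8
	icvLen = 12
)

// icv96 is HMAC-SHA-1 truncated to its leftmost 96 bits.
func icv96(key, data []byte) []byte {
	m := hmac.New(sha1.New, key)
	m.Write(data)
	return m.Sum(nil)[:icvLen]
}

// BuildESP encapsulates payload. Padding brings Payload+PadLength+NextHeader up to
// a multiple of the cipher block size; its bytes are 1, 2, 3, ... as in RFC 2406.
func BuildESP(encKey, authKey []byte, spi, seq uint32, nextHeader byte, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	padLen := (aes.BlockSize - (len(payload)+2)%aes.BlockSize) % aes.BlockSize
	plain := make([]byte, len(payload)+padLen+2)
	copy(plain, payload)
	for i := 0; i < padLen; i++ {
		plain[len(payload)+i] = byte(i + 1)
	}
	plain[len(plain)-2] = byte(padLen)
	plain[len(plain)-1] = nextHeader // e.g. 6 = TCP in transport mode, 4 = IP in tunnel mode
	pkt := make([]byte, espHdr+aes.BlockSize+len(plain)+icvLen)
	binary.BigEndian.PutUint32(pkt[0:4], spi)
	binary.BigEndian.PutUint32(pkt[4:8], seq)
	iv := pkt[espHdr : espHdr+aes.BlockSize]
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(pkt[espHdr+aes.BlockSize:len(pkt)-icvLen], plain)
	// The ICV covers the ESP packet minus the Authentication Data field itself.
	copy(pkt[len(pkt)-icvLen:], icv96(authKey, pkt[:len(pkt)-icvLen]))
	return pkt, nil
}

// OpenESP verifies the ICV before touching the ciphertext, then decrypts and
// strips the trailer, returning the Next Header value and the payload.
func OpenESP(encKey, authKey, pkt []byte) (byte, []byte, error) {
	if len(pkt) < espHdr+2*aes.BlockSize+icvLen {
		return 0, nil, errors.New("truncated ESP packet")
	}
	end := len(pkt) - icvLen
	if !hmac.Equal(icv96(authKey, pkt[:end]), pkt[end:]) {
		return 0, nil, errors.New("ICV mismatch: packet altered or wrong key")
	}
	ct := pkt[espHdr+aes.BlockSize : end]
	if len(ct)%aes.BlockSize != 0 {
		return 0, nil, errors.New("ciphertext is not block aligned")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return 0, nil, err
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, pkt[espHdr:espHdr+aes.BlockSize]).CryptBlocks(plain, ct)
	padLen := int(plain[len(plain)-2])
	if padLen > len(plain)-2 {
		return 0, nil, errors.New("bad pad length")
	}
	return plain[len(plain)-1], plain[:len(plain)-2-padLen], nil
}
```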

570

Page 571: Cyptography and network security

Transport vs Tunnel Mode ESP

• transport mode is used to encrypt & optionally authenticate IP data
– data protected but header left in clear
– can do traffic analysis but is efficient
– good for ESP host-to-host traffic

• tunnel mode encrypts the entire IP packet
– adds a new header for the next hop
– good for VPNs, gateway-to-gateway security

Page 572: Cyptography and network security

ESP: Transport and Tunnel Mode

• Original

• Transport Mode
– Good for host-to-host traffic

• Tunnel Mode
– Good for VPNs, gateway-to-gateway security

Page 573: Cyptography and network security

Combining Security Associations

• SAs can implement either AH or ESP
• to implement both, need to combine SAs
– form a security association bundle
– may terminate at different or the same endpoints
– combined by:
• transport adjacency
• iterated tunneling

Page 574: Cyptography and network security

Combining Security Associations

Page 575: Cyptography and network security

• Case 1: security is provided between end systems that implement IPSec.

• Case 2: security is provided only between gateways (routers, firewalls, etc.) and no hosts implement IPSec.

• Case 3: builds on Case 2 by adding end-to-end security. The same combinations discussed for cases 1 and 2 are allowed here.

• Case 4: provides support for a remote host that uses the Internet to reach an organization's firewall and then to gain access to some server or workstation behind the firewall.

575

Page 576: Cyptography and network security

Key Management

• The key management portion of IPSec involves the determination and distribution of secret keys.

• manual key management
– a sys admin manually configures every system

• automated key management
– an automated system for on-demand creation of keys for SAs in large systems

• The default automated key management protocol for IPSec is referred to as ISAKMP/Oakley.

Page 577: Cyptography and network security

Oakley Key Determination Protocol

Oakley is a key exchange protocol based on the Diffie-Hellman algorithm but providing added security.

577

Page 578: Cyptography and network security

Features of Oakley

• It employs a mechanism known as cookies to prevent clogging attacks.
• It uses nonces to ensure against replay attacks.
• It enables the exchange of Diffie-Hellman public key values.
• It authenticates the Diffie-Hellman exchange to prevent man-in-the-middle attacks.

578

Page 579: Cyptography and network security

04/02/06 Hofstra University – Network Security Course, CSC290A

579

Aggressive Oakley Key Exchange

Page 580: Cyptography and network security

ISAKMP

• Internet Security Association and Key Management Protocol provides framework for key management

• defines procedures and packet formats to establish, negotiate, modify, & delete SAs

Page 581: Cyptography and network security

ISAKMP

Page 582: Cyptography and network security

ISAKMP

Initiator Cookie (64 bits): Cookie of entity that initiated SA establishment, SA notification, or SA deletion.

Responder Cookie (64 bits): Cookie of responding entity; null in first message from initiator.

Next Payload (8 bits): Indicates the type of the first payload in the message;

582

Page 583: Cyptography and network security

ISAKMP

Major Version (4 bits): Indicates major version of ISAKMP in use.

Minor Version (4 bits): Indicates minor version in use.

Exchange Type (8 bits): Indicates the type of exchange

583

Page 584: Cyptography and network security

ISAKMP

Flags (8 bits): Indicates specific options set for this ISAKMP exchange. Two bits so far defined: The Encryption bit is set if all payloads following the header are encrypted using the encryption algorithm for this SA. The Commit bit is used to ensure that encrypted material is not received prior to completion of SA establishment.

Message ID (32 bits): Unique ID for this message.

Length (32 bits): Length of total message (header plus all payloads) in octets.

584
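An encoder and parser for the 28-octet header described on the slides above, as an added example that is not from the original slides or from any ISAKMP implementation. The flag bit positions (Encryption = bit 0, Commit = bit 1) are those of RFC 2408; the cookie values and the payload are constructed, and the parser applies the sanity checks a responder makes before doing any work.

```go
package main

import (
	"encoding/binary"
	"errors"
)

const isakmpHdrLen = 28

// Flag bits of the ISAKMP header (RFC 2408).
const (
	FlagEncryption = 0x01 // payloads after the header are encrypted under the SA
	FlagCommit     = 0x02 // no encrypted material before SA establishment completes
)

// Header is the fixed 28-octet ISAKMP header.
type Header struct {
	InitiatorCookie [8]byte
	ResponderCookie [8]byte // all zero ("null") in the initiator's first message
	NextPayload     uint8
	MajorVersion    uint8 // 4 bits
	MinorVersion    uint8 // 4 bits
	ExchangeType    uint8
	Flags           uint8
	MessageID       uint32
	Length          uint32 // header plus all payloads, in octets
}

// Marshal encodes the header followed by payloads, filling in Length.
func (h Header) Marshal(payloads []byte) []byte {
	b := make([]byte, isakmpHdrLen+len(payloads))
	copy(b[0:8], h.InitiatorCookie[:])
	copy(b[8:16], h.ResponderCookie[:])
	b[16] = h.NextPayload
	b[17] = h.MajorVersion<<4 | h.MinorVersion&0x0f
	b[18] = h.ExchangeType
	b[19] = h.Flags
	binary.BigEndian.PutUint32(b[20:24], h.MessageID)
	binary.BigEndian.PutUint32(b[24:28], uint32(len(b)))
	copy(b[28:], payloads)
	return b
}

// Parse decodes a message and checks what a responder checks before doing any
// work: a non-null initiator cookie, a supported major version, and a Length
// that matches what was actually received.
func Parse(b []byte) (Header, []byte, error) {
	var h Header
	if len(b) < isakmpHdrLen {
		return h, nil, errors.New("message shorter than the ISAKMP header")
	}
	copy(h.InitiatorCookie[:], b[0:8])
	copy(h.ResponderCookie[:], b[8:16])
	h.NextPayload = b[16]
	h.MajorVersion, h.MinorVersion = b[17]>>4, b[17]&0x0f
	h.ExchangeType = b[18]
	h.Flags = b[19]
	h.MessageID = binary.BigEndian.Uint32(b[20:24])
	h.Length = binary.BigEndian.Uint32(b[24:28])
	if h.InitiatorCookie == [8]byte{} {
		return h, nil, errors.New("null initiator cookie")
	}
	if h.MajorVersion != 1 {
		return h, nil, errors.New("unsupported ISAKMP major version")
	}
	if int(h.Length) != len(b) {
		return h, nil, errors.New("Length field does not match the received message size")
	}
	return h, b[isakmpHdrLen:], nil
}

// IsFirstMessage reports whether this is the initiator's opening message, which
// carries a null responder cookie.
func (h Header) IsFirstMessage() bool { return h.ResponderCookie == [8]byte{} }
```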

Page 585: Cyptography and network security

ISAKMP Payload Types

The SA payload is used to begin the establishment of an SA.

The Proposal payload contains information used during SA negotiation.

585

Page 586: Cyptography and network security

ISAKMP Payload Types

The Transform payload defines a security transform to be used to secure the communications channel for the designated protocol.

The Key Exchange payload can be used for a variety of key exchange techniques, including Oakley, Diffie-Hellman, and the RSA-based key exchange used by PGP.

586

Page 587: Cyptography and network security

ISAKMP Payload Types

The Identification payload is used to determine the identity of communicating peers and may be used for determining authenticity of information.

The Certificate payload transfers a public-key certificate.

587

Page 588: Cyptography and network security

ISAKMP Payload Types

The Certificate Request payload requests the certificate of the other communicating entity.

The Hash payload contains data generated by a hash function over some part of the message and/or ISAKMP state.

588

Page 589: Cyptography and network security

ISAKMP Payload Types

The Signature payload contains data generated by a digital signature function over some part of the message and/or ISAKMP state.

The Nonce payload contains random data used to avoid the replay attack.

The Notification payload contains either error or status information

589

Page 590: Cyptography and network security

UNIT-V

590

Page 591: Cyptography and network security

Contents

Web Security Considerations, Secure Socket Layer and Transport Layer Security, Secure Electronic Transaction, Intruders and Intrusion Detection, Password Management, Viruses and related threats, Virus countermeasures, Distributed denial of service attack, Firewall Design principles, Trusted System, Common Criteria for Information Technology Security Evaluation.

591

Page 592: Cyptography and network security

Web Security

The Web is now widely used by business, government and individuals, but the Internet & Web are vulnerable and face a variety of threats:
– integrity
– confidentiality
– denial of service
– authentication

Hence added security mechanisms are needed.

Page 593: Cyptography and network security

593

What is Secure Socket Layer?

• Secure Socket Layer (SSL) is a protocol developed by Netscape for transmitting private documents via the Internet.

• The SSL Security protocol provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection.

• SSL is built into all major browsers and web servers.

Page 594: Cyptography and network security

594

What is SSL? (cont'd)

• Both Netscape Navigator and Internet Explorer support SSL, and many websites use the protocol to obtain confidential user information, such as credit card numbers.

• The primary goal of SSL is to provide privacy and reliability between two communicating applications.

Page 595: Cyptography and network security

SSL (Secure Socket Layer)

• SSL is probably the most widely used Web security mechanism.

• It is implemented at the Transport layer; IPSec at the Network layer; or various Application layer mechanisms, e.g. S/MIME & SET (later).

• SSL is designed to make use of TCP to provide a reliable end-to-end secure service.

595

Page 596: Cyptography and network security

Relative Location of Security Facilities in the TCP/IP Protocol Stack

596

Page 597: Cyptography and network security

SSL Architecture

Page 598: Cyptography and network security

SSL Architecture

The SSL Protocol Stack is composed of two layers.

1. The first layer is the higher layer which is composed of SSL Handshake Protocol, SSL Change Cipher Spec Protocol, SSL Alert Protocol, and HTTP, which are used in the management of SSL exchanges.

2. The second layer is the lower layer composed of the SSL Record Protocol, TCP, and IP.

598

Page 599: Cyptography and network security

SSL Architecture

• The SSL Record Protocol provides basic security services to various higher-layer protocols.

• In particular, the Hypertext Transfer Protocol (HTTP), which provides the transfer service for Web client/server interaction, can operate on top of SSL.

599

Page 600: Cyptography and network security

SSL Architecture

SSL connection: A connection is a network transfer that provides a suitable type of service; such connections are transient, peer-to-peer relationships, associated with one session.

SSL session: An SSL session is an association between a client and a server. Sessions are created by the Handshake Protocol. Sessions define a set of cryptographic security parameters, which can be shared among multiple connections.

Page 601: Cyptography and network security

SSL Record Protocol Services

• SSL Record Protocol defines two services for SSL connections:

• Message Integrity: The Handshake Protocol also defines a shared secret key that is used to form a message authentication code (MAC), which is similar to HMAC

• Confidentiality using symmetric encryption with a shared secret key defined by Handshake Protocol

601

Page 602: Cyptography and network security

SSL Record Protocol Operation

Page 603: Cyptography and network security

SSL Record Format

603

Page 604: Cyptography and network security

SSL Change Cipher Spec Protocol

• The Change Cipher Spec Protocol is one of the three SSL-specific protocols that use the SSL Record Protocol, and it is the simplest, consisting of a single message which consists of a single byte with the value 1.

Its purpose is to cause the pending state to be copied into the current state

Page 605: Cyptography and network security

SSL Change Cipher Spec Protocol

605

Page 606: Cyptography and network security

SSL Alert Protocol

• The Alert Protocol is used to convey SSL-related alerts to the peer entity.

• Each message in this protocol consists of two bytes: the first takes the value warning(1) or fatal(2) to convey the severity of the message; the second byte contains a code that indicates the specific alert.

Page 607: Cyptography and network security

SSL Alert Protocol

• severity: warning or fatal

• specific alert:

fatal: unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter

warning: close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown

Page 608: Cyptography and network security

SSL Alert Protocol


Page 609: Cyptography and network security

SSL Handshake Protocol

• The most complex part of SSL is the Handshake Protocol.

• This protocol allows the server and client to authenticate each other and to agree on an encryption and MAC algorithm and the cryptographic keys to be used to protect data sent in an SSL record.

• The Handshake Protocol is used before any application data is transmitted.

Page 610: Cyptography and network security

SSL Handshake Protocol


Page 611: Cyptography and network security

SSL Handshake Protocol

• Type (1 byte): Indicates the type of the message.

• Length (3 bytes): The length of the message in bytes.

• Content (≥ 0 bytes): The parameters associated with this message.

Page 612: Cyptography and network security

SSL Handshake Protocol

Page 613: Cyptography and network security

SSL Handshake Protocol

• The Handshake Protocol consists of a series of messages exchanged by client and server, which can be viewed in 4 phases:

• Phase 1. Establish Security Capabilities - this phase is used by the client to initiate a logical connection and to establish the security capabilities that will be associated with it


Page 614: Cyptography and network security

SSL Handshake Protocol

• Phase 2. Server Authentication and Key Exchange - the server begins this phase by sending its certificate if it needs to be authenticated.

• Phase 3. Client Authentication and Key Exchange - the client should verify that the server provided a valid certificate if required and check that the server_hello parameters are acceptable


Page 615: Cyptography and network security

SSL Handshake Protocol

• Phase 4. Finish - this phase completes the setting up of a secure connection. The client sends a change_cipher_spec message and copies the pending CipherSpec into the current CipherSpec


Page 616: Cyptography and network security

TLS (Transport Layer Security)

TLS is an IETF standardization initiative whose goal is to produce an Internet standard version of SSL.

Page 617: Cyptography and network security

Version Number

• The TLS Record Format is the same as that of the SSL Record Format, and the fields in the header have the same meanings. The one difference is in the version values. For the current version of TLS, the Major Version is 3 and the Minor Version is 1.

Page 618: Cyptography and network security

Message Authentication Code

For TLS, the MAC calculation encompasses the fields indicated in the following expression:

• HMAC_hash(MAC_write_secret, seq_num || TLSCompressed.type || TLSCompressed.version || TLSCompressed.length || TLSCompressed.fragment)

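As an added example (not from the slides), the MAC expression above computed in Python with HMAC over the exact TLS 1.0 field layout, together with the receiver-side check; the key, the record contents and the choice of SHA-1 as the hash are constructed assumptions.

```python
import hmac
import hashlib
import struct

# TLS 1.0 content type for application data and the version the slide states (3.1).
APPLICATION_DATA = 23
TLS_1_0 = (3, 1)


def tls_record_mac(mac_write_secret: bytes, seq_num: int, content_type: int,
                   version: tuple, fragment: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC_hash(MAC_write_secret, seq_num || type || version || length || fragment).

    seq_num is the 64-bit record sequence number (8 bytes, big-endian),
    type is 1 byte, version is major || minor (2 bytes), length is the
    2-byte fragment length, followed by the (compressed) fragment itself.
    """
    if not 0 <= seq_num < 2 ** 64:
        raise ValueError("sequence number must fit in 64 bits")
    if len(fragment) > 0xFFFF:
        raise ValueError("fragment too long for a 2-byte length field")
    major, minor = version
    header = struct.pack("!QBBBH", seq_num, content_type, major, minor, len(fragment))
    return hmac.new(mac_write_secret, header + fragment, hash_name).digest()


def verify_record_mac(mac_write_secret: bytes, seq_num: int, content_type: int,
                      version: tuple, fragment: bytes, received_mac: bytes,
                      hash_name: str = "sha1") -> bool:
    """Receiver side: recompute with the sequence number the receiver *expects*
    and compare in constant time, so a replayed or reordered record fails."""
    expected = tls_record_mac(mac_write_secret, seq_num, content_type,
                              version, fragment, hash_name)
    return hmac.compare_digest(expected, received_mac)


# Constructed sample values (not real keying material).
SAMPLE_KEY = bytes(range(20))
SAMPLE_FRAGMENT = b"GET / HTTP/1.0\r\n\r\n"


def demo() -> dict:
    """A genuine record, the same record replayed under a stale sequence
    number, and the record with one fragment byte modified."""
    mac = tls_record_mac(SAMPLE_KEY, 5, APPLICATION_DATA, TLS_1_0, SAMPLE_FRAGMENT)
    tampered = bytearray(SAMPLE_FRAGMENT)
    tampered[0] ^= 0x01
    return {
        "mac_len": len(mac),
        "genuine": verify_record_mac(SAMPLE_KEY, 5, APPLICATION_DATA, TLS_1_0, SAMPLE_FRAGMENT, mac),
        "replayed": verify_record_mac(SAMPLE_KEY, 6, APPLICATION_DATA, TLS_1_0, SAMPLE_FRAGMENT, mac),
        "modified": verify_record_mac(SAMPLE_KEY, 5, APPLICATION_DATA, TLS_1_0, bytes(tampered), mac),
    }


if __name__ == "__main__":
    print(demo())
```

Because the sequence number is inside the MAC, the receiver never needs to transmit it; both sides simply count records.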

Page 619: Cyptography and network security

Alert Codes

TLS supports all of the alert codes defined in SSLv3 with the exception of no_certificate. A number of additional codes are defined in TLS:

• protocol_version

• encryption_failed

• record_overflow

• unknown_ca

• decode_error

• export_restriction

Page 620: Cyptography and network security

Secure Electronic Transactions

SET is an open encryption and security specification designed to protect credit card transactions on the Internet.

Page 621: Cyptography and network security

Secure Electronic Transactions

Secure Electronic Transaction (SET) was a standard protocol for securing credit card transactions over insecure networks, specifically, the Internet.

SET was not itself a payment system, but rather a set of security protocols and formats that enable users to employ the existing credit card payment infrastructure on an open network in a secure fashion. 


Page 622: Cyptography and network security

Key Features of SET

Confidentiality of information: Cardholder account and payment information is secured as it travels across the network.

Integrity of data: Payment information sent from cardholders to merchants includes order information, personal data, and payment instructions. SET guarantees that these message contents are not altered in transfer. RSA digital signatures, using SHA-1 hash codes, provide message integrity.


Page 623: Cyptography and network security

Key Features of SET

Cardholder account authentication: SET enables merchants to verify that a cardholder is a legitimate user of a valid card account number.


Page 624: Cyptography and network security

SMU CSE 5349/7349

SET Transactions

Page 625: Cyptography and network security

SET Transaction

1. The customer browses and decides to purchase.

2. SET sends the order and payment information.

3. The merchant forwards the payment information to the bank.

4. The bank checks with the issuer for payment authorization.

5. The issuer authorizes the payment.

6. The bank authorizes the payment.

7. The merchant completes the order.

8. The merchant captures the transaction.

9. The issuer sends the credit card bill to the customer.

Page 626: Cyptography and network security

Dual Signature

The purpose of the SET dual signature is to link two messages that are intended for two different recipients: the order information (OI) for the merchant and the payment information (PI) for the bank.

The merchant does not need to know the customer’s credit card number, and the bank does not need to know the details of the customer’s order; however, the two items must be linked in a way that can be used to resolve disputes if necessary.

Page 627: Cyptography and network security

Dual Signature

The customer takes the hash (using SHA-1) of the PI and the hash of the OI, concatenates them, and hashes the result.

Finally, the customer encrypts the final hash with his or her private signature key, creating the dual signature. This can be summarized as:

DS = E(PRc, [H(H(PI) || H(OI))])
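As an added example (not from the slides or the SET specification), the dual signature computed and checked from both recipients' viewpoints: the merchant holds OI and only H(PI), the bank holds PI and only H(OI), and each can still verify the link. SHA-1 is the hash the slide names; the signature uses a small, deterministically constructed textbook RSA key in place of SET's real certificates and encoding, which is an assumption for illustration only.

```python
import hashlib
import hmac
import random


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def is_probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    """Miller-Rabin test; adequate for a toy key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_keypair(bits: int = 128, seed: int = 2014):
    """Constructed textbook RSA pair (modulus of 2*bits bits, e = 65537).
    A fixed seed makes the example repeatable; never generate real keys this way."""
    rng = random.Random(seed)

    def prime() -> int:
        while True:
            cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
            if is_probable_prime(cand, rng):
                return cand

    while True:
        p, q = prime(), prime()
        try:
            d = pow(65537, -1, (p - 1) * (q - 1))   # fails if gcd(e, phi) != 1
        except ValueError:
            continue
        if p != q:
            return (p * q, 65537), (p * q, d)


def dual_sign(priv, pi: bytes, oi: bytes):
    """Customer: DS = E(PRc, H(H(PI) || H(OI))).  Also returns the two digests
    that travel with the halves of the message (PIMD to the merchant, OIMD to the bank)."""
    n, d = priv
    pimd, oimd = sha1(pi), sha1(oi)
    pomd = sha1(pimd + oimd)                  # payment-order message digest
    ds = pow(int.from_bytes(pomd, "big"), d, n)   # 160-bit digest < 256-bit modulus
    return ds, pimd, oimd


def recover_digest(pub, ds: int) -> bytes:
    """D(PUc, DS); a bogus DS yields a value that simply fails the comparison."""
    n, e = pub
    m = pow(ds, e, n)
    return m.to_bytes(20, "big") if m < (1 << 160) else b""


def merchant_verify(pub, oi: bytes, pimd: bytes, ds: int) -> bool:
    """Merchant sees OI in clear and only H(PI): the card details stay hidden."""
    return hmac.compare_digest(recover_digest(pub, ds), sha1(pimd + sha1(oi)))


def bank_verify(pub, pi: bytes, oimd: bytes, ds: int) -> bool:
    """Bank sees PI and only H(OI): the order details stay hidden."""
    return hmac.compare_digest(recover_digest(pub, ds), sha1(sha1(pi) + oimd))


# Constructed sample messages with placeholder values.
SAMPLE_PI = b"card=PLACEHOLDER-PAN;exp=12/16;amount=49.90"
SAMPLE_OI = b"order=ORD-1234;item=textbook;qty=1"


def demo() -> dict:
    pub, priv = make_keypair()
    ds, pimd, oimd = dual_sign(priv, SAMPLE_PI, SAMPLE_OI)
    return {
        "merchant_ok": merchant_verify(pub, SAMPLE_OI, pimd, ds),
        "bank_ok": bank_verify(pub, SAMPLE_PI, oimd, ds),
        "merchant_swapped_oi": merchant_verify(pub, b"order=OTHER", pimd, ds),  # link broken
    }
```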

Page 628: Cyptography and network security

Dual Signature


Page 629: Cyptography and network security

SET Purchase Request

The SET purchase request exchange consists of four messages:

1. Initiate Request - get certificates

2. Initiate Response - signed response

3. Purchase Request - of OI & PI

4. Purchase Response - ack order

Page 630: Cyptography and network security

Purchase Request – Customer

Page 631: Cyptography and network security

Purchase Request – Merchant

1. verifies cardholder certificates using CA sigs

2. verifies dual signature using customer's public signature key to ensure order has not been tampered with in transit & that it was signed using cardholder's private signature key

3. processes order and forwards the payment information to the payment gateway for authorization (described later)

4. sends a purchase response to cardholder

Page 632: Cyptography and network security

Purchase Request – Merchant

Page 633: Cyptography and network security

Intruders

Referred to as a hacker or cracker.

Page 634: Cyptography and network security

Three classes of intruders

• Masquerader

• Misfeasor

• Clandestine user

Page 635: Cyptography and network security

Masquerader

An individual who is not authorized to use the computer and who breaks through a system's access controls to exploit a valid user's account.

The masquerader is likely to be an outsider.

Page 636: Cyptography and network security

Misfeasor

A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.

The misfeasor is generally an insider.

Page 637: Cyptography and network security

Clandestine user

An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls.

The clandestine user can be either an outsider or an insider.

Page 638: Cyptography and network security

Intrusion

The basic aim is to gain access and/or increase privileges on some system.

A set of actions aimed to compromise the security goals, namely:

• Integrity, confidentiality, or availability of a computing and networking resource

Page 639: Cyptography and network security

Password Guessing

A basic technique for gaining access is to get a user password, so the attacker can login and use all the access rights of the account owner.


Page 640: Cyptography and network security

Password Guessing

1. Try default passwords used with standard accounts that are shipped with the system. Many administrators do not bother to change these defaults.

2. Exhaustively try all short passwords.

3. Collect information about users, such as their full names, the names of their spouse and children, pictures in their office, and books in their office that are related to hobbies.

Page 641: Cyptography and network security

Password Guessing

4. Try users' phone numbers, Social Security numbers, and room numbers.

5. Try all legitimate license plate numbers for this state.

Page 642: Cyptography and network security

Intrusion Detection

The process of identifying and responding to intrusion activities.


Page 643: Cyptography and network security

Intrusion Detection

Page 644: Cyptography and network security

Intrusion Detection

Although the typical behavior of an intruder differs from the typical behavior of an authorized user, there is an overlap in these behaviors. A looser interpretation of intruder behavior, which will catch more intruders, will also lead to a number of "false positives", i.e. authorized users identified as intruders.

Page 645: Cyptography and network security

Audit record

A fundamental tool for intrusion detection is the audit record.

Some record of ongoing activity by users must be maintained as input to an intrusion detection system.


Page 646: Cyptography and network security

Types of Audit Record

• Native audit records

• Detection-specific audit records

Page 647: Cyptography and network security

Native audit records: Virtually all mainstream operating systems include accounting software that collects information on user activity.

The advantage is that it is already there in the O/S; the disadvantage is that it may not contain the needed information.

Page 648: Cyptography and network security

Detection-specific audit records: implement a collection facility that generates custom audit records with the desired information.

The advantage is that it can be vendor independent and portable; the disadvantage is the extra overhead involved.

Page 649: Cyptography and network security

Approaches to intrusion detection:

Statistical anomaly detection: Involves the collection of data relating to the behavior of valid users over a period of time.

Then statistical tests are applied to observed behavior to determine with a high level of confidence whether that behavior is not valid user behavior.

Page 650: Cyptography and network security

Threshold detection: This approach involves defining thresholds, independent of user, for the frequency of occurrence of various events.

Profile based: develop profile of activity of each user and use to detect changes in the behavior

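As an added example (not from the slides), both statistical approaches run over constructed audit records: threshold detection applies one user-independent limit to today's failed-login count, while profile-based detection compares each user's count with their own history. The records, the per-user history, the thresholds and the two-standard-deviation cut-off are all assumptions.

```python
from collections import Counter
import statistics

# Constructed audit records for "today": (user, action, outcome).  A real system
# would reduce native O/S or detection-specific audit records to this form.
TODAY_RECORDS = (
    [("alice", "login", "fail")] * 5 + [("alice", "login", "ok")]
    + [("bob", "login", "fail")] * 4 + [("bob", "login", "ok")]
    + [("carol", "login", "fail")] * 7
    + [("dave", "login", "ok")] * 3
)

# Constructed history: failed logins per user on each of the previous five days.
HISTORY = {
    "alice": [4, 5, 4, 5, 4],   # habitually mistypes: high but stable
    "bob":   [0, 1, 0, 0, 1],   # normally almost never fails
    "carol": [1, 1, 2, 1, 1],
    "dave":  [0, 0, 0, 0, 0],
}


def count_events(records, action="login", outcome="fail") -> Counter:
    """Reduce raw audit records to a per-user count of the event of interest."""
    return Counter(user for user, act, out in records if act == action and out == outcome)


def threshold_detect(counts: Counter, threshold: int) -> set:
    """Threshold detection: one fixed limit for everybody, independent of user."""
    return {user for user, n in counts.items() if n >= threshold}


def profile_detect(counts: Counter, history: dict, k: float = 2.0, floor: float = 0.5) -> set:
    """Profile-based detection: flag a user whose count today exceeds their own
    mean by more than k standard deviations.  `floor` stops a user with a
    perfectly flat history from being flagged by a single stray failure."""
    flagged = set()
    for user, past in history.items():
        mean = statistics.mean(past)
        sd = max(statistics.stdev(past), floor)
        if counts.get(user, 0) > mean + k * sd:
            flagged.add(user)
    return flagged


def demo() -> dict:
    counts = count_events(TODAY_RECORDS)
    return {
        "threshold_6": threshold_detect(counts, 6),
        "threshold_5": threshold_detect(counts, 5),   # looser limit: alice becomes a false positive
        "profile": profile_detect(counts, HISTORY),   # catches bob, whom no sane global limit would
    }
```

The two views disagree on alice and bob, which is the overlap between intruder and user behaviour the earlier slide describes: a global threshold trades false positives for coverage, while a per-user profile needs enough history to be meaningful.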

Page 651: Cyptography and network security

Rule-based detection

Involves an attempt to define a set of rules that can be used to decide that a given behavior is that of an intruder.


Page 652: Cyptography and network security

Rule-based detection

Anomaly detection: Rules are developed to detect deviation from previous usage patterns.

Penetration identification: An expert system approach that searches for suspicious behavior.

Page 653: Cyptography and network security

Distributed Intrusion Detection

• A distributed intrusion detection system may need to deal with different audit record formats.

• Either a centralized or decentralized architecture can be used


Page 654: Cyptography and network security

Distributed Intrusion Detection - Architecture

Page 655: Cyptography and network security

Distributed Intrusion Detection - Architecture

Host agent module: audit collection module operating as a background process on a monitored system.

LAN monitor agent module: like a host agent module except it analyzes LAN traffic .

Central manager module: Receives reports from LAN monitor and host agents and processes and correlates these reports to detect intrusion


Page 656: Cyptography and network security

Distributed Intrusion Detection – Agent Implementation

Page 657: Cyptography and network security

Distributed Intrusion Detection – Agent Implementation

The agent captures each native O/S audit record, & applies a filter that retains only records of security interest.

These records are then reformatted into a standardized format (HAR). Then a template-driven logic module analyzes the records for suspicious activity. When suspicious activity is detected, an alert is sent to the central manager.


Page 658: Cyptography and network security

Distributed Intrusion Detection – Agent Implementation

The central manager includes an expert system that can draw inferences from received data.

The manager may also query individual systems for copies of HARs to correlate with those from other agents.


Page 659: Cyptography and network security

Honeypots

Honeypots are decoy systems, designed to attract a potential attacker away from critical systems and divert an attacker from accessing critical systems.

They collect information about the attacker’s activity.

Page 660: Cyptography and network security

[Figure: How do honeypots work? Elements: Attackers, Gateway, HoneyPot A, Attack Data; functions: Prevent, Detect, Response, Monitor; no connection to production systems.]

Page 661: Cyptography and network security

Password Management

Passwords are usually stored encrypted rather than in the clear.

Unix systems traditionally used a multiple DES variant with salt as a one-way hash function (see text).

Page 662: Cyptography and network security


Page 663: Cyptography and network security


Page 664: Cyptography and network security

Password Studies

• Purdue 1992 - many short passwords

• Klein 1990 - many guessable passwords

• conclusion is that users choose poor passwords too often

• need some approach to counter this

Page 665: Cyptography and network security

Password Selection Strategies

• User education

• Computer Generated

• Reactive Checking

• Proactive Checking

Page 666: Cyptography and network security

User Education

Users can be told the importance of using hard-to-guess passwords and can be provided with guidelines for selecting strong passwords.

Page 667: Cyptography and network security

Computer Generated

Computer-generated passwords also have problems. If the passwords are quite random in nature, users will not be able to remember them.

Page 668: Cyptography and network security

Reactive Checking

A reactive password checking strategy is one in which the system periodically runs its own password cracker to find guessable passwords.


Page 669: Cyptography and network security

Proactive Checking

In this scheme, a user is allowed to select his or her own password. However, at the time of selection, the system checks whether the password is allowable or not.
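As an added example (not from the slides), a small rule-based proactive checker of the kind the slide describes: it rejects a candidate at selection time and reports why. The minimum length, the character-class rule, the username rule and the tiny word list are constructed assumptions; a real checker uses a large dictionary.

```python
import re

# Constructed mini-dictionary; a production checker loads a large word list.
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "dragon", "monkey", "football"}
MIN_LENGTH = 8
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")


def _core(password: str) -> str:
    """Lower-case and strip trailing digits/punctuation, so that 'Password1!'
    is still recognised as the dictionary word 'password'."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def check_password(password: str, username: str) -> list:
    """Proactive check: return the list of violated rules (empty means allowable)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)
    if classes < 3:
        reasons.append("fewer than three character classes")
    if username and username.lower() in password.lower():
        reasons.append("contains the user name")
    core = _core(password)
    if core in DICTIONARY or core[::-1] in DICTIONARY:
        reasons.append("based on a dictionary word")
    if re.fullmatch(r"(.)\1*", password):
        reasons.append("single repeated character")
    return reasons


def is_allowable(password: str, username: str) -> bool:
    """What the system would consult before accepting the user's choice."""
    return not check_password(password, username)


if __name__ == "__main__":
    for pw in ("Password1!", "alice2014", "Blue-Kettle#47"):
        print(pw, check_password(pw, "alice"))
```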

Page 670: Cyptography and network security

Viruses and Related Threats

Page 671: Cyptography and network security

Malicious software

Malicious software is software that is intentionally included or inserted in a system for a harmful purpose.


Page 672: Cyptography and network security

Malicious software


Page 673: Cyptography and network security

Trapdoor

A trapdoor is a means of access to a computer program that bypasses security mechanisms.

Page 674: Cyptography and network security

Logic bomb

A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met.


Page 675: Cyptography and network security

Trojan Horses

• A Trojan horse is a useful, or apparently useful, program or command procedure containing hidden code that performs some unwanted or harmful function that an unauthorized user could not accomplish directly.

• Commonly used to make files readable, propagate a virus or worm, or simply to destroy data.

Page 676: Cyptography and network security

Viruses

A virus is a small piece of software that attaches itself to real programs.

The 2 main characteristics of viruses:

• It must execute itself.

• It must replicate itself.

Page 677: Cyptography and network security

Viruses

A virus is a piece of software that can “infect” other programs by modifying them.

A virus can do anything that other programs do. The only difference is that it attaches itself to another program and executes secretly when the host program is run.

Once a virus is executing, it can perform any function, such as erasing files and programs.

Page 678: Cyptography and network security

virus phases

Dormant phase: virus is idle, waiting for trigger event.

Propagation phase: virus places a copy of itself into other programs

Triggering phase: virus is activated by some trigger event to perform planned function.

Execution phase: desired function is performed


Page 679: Cyptography and network security

Virus Structure

Page 680: Cyptography and network security

Types of Viruses

Boot sector infector: infects a boot record and spreads when a system is booted from the disk containing the virus.

File infector: When an infected file is executed on a system, the infection routine will seek out other files and insert its code into them, generally at the beginning or end of the existing file.

Macro virus: A macro virus is a virus that is written in a macro language. Many applications, such as Microsoft Word and Excel, support powerful macro languages.

Page 681: Cyptography and network security

Types of Viruses

Encrypted virus: A virus using encryption to hide itself from virus scanners.

Stealth virus: A computer virus that actively hides itself from antivirus software by masking the size of the file.


Page 682: Cyptography and network security

Types of Viruses

Polymorphic virus: A virus that changes its virus signature (i.e., its binary pattern) every time it replicates and infects a new file in order to keep from being detected by an antivirus program.

Metamorphic virus: As with a polymorphic virus, a metamorphic virus changes with every infection. The difference is that a metamorphic virus rewrites itself completely at each iteration, increasing the difficulty of detection. Metamorphic viruses may change their behavior as well as their appearance.

Page 683: Cyptography and network security

Worms

A worm is a program that can replicate itself and send copies from computer to computer across network connections.


Page 684: Cyptography and network security

Zombie

A zombie is a computer connected to the Internet that has been compromised by a cracker.

It can be used to perform malicious tasks under remote direction.

Page 685: Cyptography and network security

Virus Countermeasures

• best countermeasure is prevention

• but in general not possible

• hence need to do one or more of:

– detection - of viruses in infected system

– identification - of specific infecting virus

– removal - restoring system to clean state

Page 686: Cyptography and network security

Anti-Virus Software

first-generation – scanner uses virus signature to identify virus

second-generation – heuristic scanners use rules to search for probable virus infection

third-generation – activity traps which identify a virus by its actions rather than its structure

fourth-generation – packages with a variety of antivirus techniques

Page 687: Cyptography and network security

Digital Immune System

The Digital Immune System from IBM is a comprehensive approach to virus protection, and provides a general purpose emulation and virus-detection system.

When a new virus enters an organization, the immune system automatically captures it, analyzes it, adds detection and shielding for it, removes it, and passes information about that virus to systems running IBM Antivirus so it can be detected before it is run elsewhere.


Page 688: Cyptography and network security

Digital Immune System

Page 689: Cyptography and network security

Digital Immune System

1. A monitoring program on each PC uses a variety of heuristics based on system behavior, suspicious changes to programs, or family signature to infer that a virus may be present, and forwards infected programs to an administrative machine.

2. The administrative machine encrypts the sample and sends it to a central virus analysis machine.

3. This machine creates an environment in which the infected program can be safely run for analysis to produce a prescription for identifying and removing the virus.

Page 690: Cyptography and network security

Digital Immune System

4. The resulting prescription is sent back to the administrative machine.

5. The administrative machine forwards the prescription to the infected client.

6. The prescription is also forwarded to other clients in the organization.

7. Subscribers around the world receive regular antivirus updates that protect them from the new virus.

Page 691: Cyptography and network security

Distributed denial of services attack

A distributed denial-of-service attack (DDoS attack) is an attempt to make a computer or network resource unavailable to its intended users.

Page 692: Cyptography and network security

Distributed Denial of Service Attacks (DDoS)

Page 693: Cyptography and network security

SYN flood attack

1. The attacker takes control of multiple hosts over the Internet.

2. The slave hosts begin sending TCP/IP SYN (synchronize/initialization) packets, with erroneous return IP address information, to the target.

3. For each such packet, the Web server responds with a SYN/ACK (synchronize/acknowledge) packet. The Web server maintains a data structure for each SYN request waiting for a response back and becomes bogged down as more traffic floods in.

Page 694: Cyptography and network security

ICMP attack

1. The attacker takes control of multiple hosts over the Internet, instructing them to send ICMP ECHO packets with the target’s spoofed IP address to a group of hosts that act as reflectors.

2. Nodes at the bounce site receive multiple spoofed requests and respond by sending echo reply packets to the target site.

3. The target’s router is flooded with packets from the bounce site, leaving no data transmission capacity for legitimate traffic.


Page 695: Cyptography and network security

What is a Firewall ?

• A firewall:

– Acts as a security gateway between two networks

• Usually between trusted and untrusted networks (such as between a corporate network and the Internet)

[Figure: Internet – Corporate Network Gateway – Corporate Site]

Page 696: Cyptography and network security

Firewall

A firewall is inserted between the premises network and the Internet to establish a controlled link and to erect an outer security wall or perimeter, forming a single choke point where security and audit can be imposed.


Page 697: Cyptography and network security

Firewall


Page 698: Cyptography and network security

A firewall defines a single choke point that keeps unauthorized users out of the protected network, prohibits potentially vulnerable services from entering or leaving the network, and provides protection from various kinds of IP spoofing and routing attacks.

It provides a location for monitoring security-related events.

Page 699: Cyptography and network security

A firewall is a convenient platform for several Internet functions that are not security related, such as NAT and Internet usage audits or logs.

A firewall can serve as the platform for IPSec to implement virtual private networks.

Page 700: Cyptography and network security

Firewall Limitations

1. cannot protect against attacks that bypass the firewall, e.g. PCs with dial-out capability to an ISP.

2. do not protect against internal threats.

3. cannot protect against the transfer of virus-infected programs.

Page 701: Cyptography and network security

Types of firewalls

• packet filters

• application-level gateways

• circuit-level gateways

Page 702: Cyptography and network security

Firewalls – Packet Filters

A packet-filtering router applies a set of rules to each incoming and outgoing IP packet to forward or discard the packet.

Filtering rules are based on information contained in a network packet such as source & destination IP addresses, ports, transport protocol & interface.

Advantages are simplicity, transparency & speed.
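As an added example (not from the slides), a stateless packet filter that evaluates rules of exactly the kind listed above (interface, protocol, source and destination address, destination port) top-down with first match wins and an implicit default deny. The rule set, the documentation-range addresses and the packets are constructed.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "ext" (Internet) or "int" (inside)
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    iface: str = "*"
    proto: str = "*"
    src: str = "0.0.0.0/0"          # CIDR prefixes; "*" wildcards for iface/proto
    dst: str = "0.0.0.0/0"
    dport: tuple = (0, 65535)       # inclusive destination-port range

    def matches(self, pkt: Packet) -> bool:
        return (
            self.iface in ("*", pkt.iface)
            and self.proto in ("*", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and self.dport[0] <= pkt.dport <= self.dport[1]
        )


def filter_packet(rules, pkt: Packet) -> str:
    """First matching rule decides; anything unmatched is discarded (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed rule set: public mail server 192.0.2.10, internal range 10.0.0.0/8
# (TEST-NET and private addresses, not real hosts).  Order matters.
RULES = [
    # anti-spoofing: an internal source address must never arrive from outside
    Rule("deny", iface="ext", src="10.0.0.0/8"),
    # inbound SMTP, but only to the mail server
    Rule("permit", iface="ext", proto="tcp", dst="192.0.2.10/32", dport=(25, 25)),
    # outbound web browsing from the inside
    Rule("permit", iface="int", proto="tcp", src="10.0.0.0/8", dport=(80, 80)),
    Rule("permit", iface="int", proto="tcp", src="10.0.0.0/8", dport=(443, 443)),
    # everything else falls through to the implicit deny
]


def demo() -> dict:
    return {
        "smtp_in": filter_packet(RULES, Packet("ext", "tcp", "198.51.100.7", "192.0.2.10", 40000, 25)),
        "spoofed_in": filter_packet(RULES, Packet("ext", "tcp", "10.1.2.3", "192.0.2.10", 40000, 25)),
        "telnet_in": filter_packet(RULES, Packet("ext", "tcp", "198.51.100.7", "192.0.2.10", 40000, 23)),
        "https_out": filter_packet(RULES, Packet("int", "tcp", "10.4.5.6", "203.0.113.9", 50000, 443)),
        "smb_out": filter_packet(RULES, Packet("int", "tcp", "10.4.5.6", "203.0.113.9", 50000, 445)),
    }
```

A filter this simple has no notion of connection state, so return traffic for the permitted outbound flows needs its own rule; that limitation is what the circuit-level and application-level gateways on the following slides address.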

Page 703: Cyptography and network security

Firewalls – Packet Filters

Page 704: Cyptography and network security

Firewalls - Application Level Gateway (or Proxy)

An application-level gateway is also called a proxy server.

Page 705: Cyptography and network security

Firewalls - Application Level Gateway (or Proxy)

• A user contacts the gateway to access some service and provides details of the service, the remote host & authentication details; the gateway then contacts the application on the remote host and relays all data between the two endpoints.

• If the gateway does not implement the proxy code for a specific application, then that application is not supported and cannot be used.

Page 706: Cyptography and network security

Firewalls - Application Level Gateway (or Proxy)

Page 707: Cyptography and network security

Firewalls - Circuit Level Gateway

A circuit-level gateway does not permit an end-to-end TCP connection; rather, the gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host.

Once the two connections are established, the gateway typically relays TCP segments from one connection to the other without examining the contents.

The security function consists of determining which connections will be allowed.

Page 708: Cyptography and network security

Firewalls - Circuit Level Gateway

Page 709: Cyptography and network security

Firewall Configurations

Page 710: Cyptography and network security

Single-homed bastion configuration

• “screened host firewall, single-homed bastion configuration”, where the firewall consists of two systems:

• a packet-filtering router - allows Internet packets to/from bastion only

• a bastion host - performs authentication and proxy functions

Page 711: Cyptography and network security

Firewall Configurations

Page 712: Cyptography and network security

Dual-homed bastion configuration

“screened host firewall, dual-homed bastion configuration”, which physically separates the external and internal networks, ensuring two systems must be compromised to breach security.

An information server or other hosts can be allowed direct communication with the router if this is in accord with the security policy, but are now separated from the internal network.

Page 713: Cyptography and network security

Firewall Configurations

Page 714: Cyptography and network security

Screened subnet firewall configuration

It has two packet-filtering routers, one between the bastion host and the Internet and the other between the bastion host and the internal network, creating an isolated subnetwork.

The screened subnet may consist of simply the bastion host but may also include one or more information servers and modems for dial-in capability. Typically, both the Internet and the internal network have access to hosts on the screened subnet, but traffic across the screened subnet is blocked.

Page 715: Cyptography and network security

Henric Johnson 715

The Concept of Trusted Systems

• Trusted Systems

– Protection of data and resources on the basis of levels of security (e.g. military)

– Users can be granted clearances to access certain categories of data

Page 716: Cyptography and network security

04/19/06 Hofstra University – Network Security Course, CSC290A

Access Matrix

General model of access control:

• Subject – entity capable of accessing objects (user = process = subject)

• Object – anything to which access is controlled (files, programs, memory)

• Access right – way in which an object is accessed by a subject (read, write, exe)

Page 717: Cyptography and network security

The Concept of Trusted Systems

Page 718: Cyptography and network security

The Concept of Trusted Systems

• Reference Monitor

– Controlling element in the hardware and operating system of a computer that regulates the access of subjects to objects on the basis of security parameters

– The monitor has access to a file (security kernel database)

– The monitor enforces the security rules (no read up, no write down)

Page 719: Cyptography and network security

The Concept of Trusted Systems

• Properties of the Reference Monitor

– Complete mediation: Security rules are enforced on every access

– Isolation: The reference monitor and database are protected from unauthorized modification

– Verifiability: The reference monitor’s correctness must be provable (mathematically)
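As an added example (not from the slides), a tiny reference monitor that combines the access matrix from the earlier slide with the no-read-up / no-write-down rules, and records every decision so that complete mediation can be checked. The level names, the analyst's clearance, the files and the matrix entries are constructed.

```python
# Security levels, lowest to highest (constructed names).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


class ReferenceMonitor:
    """Every access request passes through check(); nothing touches an object directly."""

    def __init__(self, clearances: dict, classifications: dict, access_matrix: dict):
        self.clearance = clearances            # subject -> level name
        self.classification = classifications  # object  -> level name
        self.matrix = access_matrix            # (subject, object) -> set of rights
        self.audit = []                        # (subject, object, right, allowed)

    def check(self, subject: str, obj: str, right: str) -> bool:
        """Discretionary check against the access matrix first, then the
        mandatory rules against the security levels.  Unknown names are denied."""
        if subject not in self.clearance or obj not in self.classification:
            return self._decide(subject, obj, right, False)
        if right not in self.matrix.get((subject, obj), set()):
            return self._decide(subject, obj, right, False)
        s = LEVELS[self.clearance[subject]]
        o = LEVELS[self.classification[obj]]
        if right == "read" and o > s:        # no read up
            return self._decide(subject, obj, right, False)
        if right == "write" and o < s:       # no write down
            return self._decide(subject, obj, right, False)
        return self._decide(subject, obj, right, True)

    def _decide(self, subject: str, obj: str, right: str, allowed: bool) -> bool:
        self.audit.append((subject, obj, right, allowed))
        return allowed


def build_monitor() -> ReferenceMonitor:
    """Constructed example: one analyst cleared to 'secret' and three files.
    The matrix grants everything, so any denial below comes from the level rules."""
    clearances = {"analyst": "secret"}
    classifications = {"plans.txt": "top_secret", "report.txt": "secret", "memo.txt": "confidential"}
    matrix = {
        ("analyst", "plans.txt"): {"read", "write"},
        ("analyst", "report.txt"): {"read", "write"},
        ("analyst", "memo.txt"): {"read", "write"},
    }
    return ReferenceMonitor(clearances, classifications, matrix)


def demo() -> dict:
    rm = build_monitor()
    return {
        "read_up": rm.check("analyst", "plans.txt", "read"),       # denied: no read up
        "write_up": rm.check("analyst", "plans.txt", "write"),     # allowed: writing upward leaks nothing
        "read_same": rm.check("analyst", "report.txt", "read"),
        "write_down": rm.check("analyst", "memo.txt", "write"),    # denied: no write down
        "read_down": rm.check("analyst", "memo.txt", "read"),
        "unknown_object": rm.check("analyst", "ghost.txt", "read"),
        "audit_entries": len(rm.audit),                             # complete mediation: all six recorded
    }
```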

Page 720: Cyptography and network security

The Concept of Trusted Systems

• A system that can provide such verifications (properties) is referred to as a trusted system

Page 721: Cyptography and network security

Trojan Horse Defense

• Secure, trusted operating systems are one way to secure against Trojan Horse attacks

Page 722: Cyptography and network security

Trojan Horse Defense

Page 723: Cyptography and network security

Trojan Horse Defense

Page 724: Cyptography and network security

Trojan Horse Defense

Page 725: Cyptography and network security

Trojan Horse Defense