Network SecurityNetwork Securityailab.cs.nchu.edu.tw/course/NetworkSecurity/101/NS02.pdf · – monoalphabetic: Caesar Playfair Hillmonoalphabetic: Caesar, Playfair, Hill – polyalphabetic:

Network SecurityNetwork Security 網路安全網路安全

L 2Lecture 2February 25, 2013eb u y ,

洪國寶

1

Outline• Review• CryptologyCryptology

– Introduction and terminologies – Definition of cryptosystem and cryptanalysis

Types of encryption– Types of encryption • operations• the number of keys used• the way the plaintext processed• the way the plaintext processed

– Symmetric encryption -- Classical techniques• substitution:

monoalphabetic: Caesar Playfair Hill– monoalphabetic: Caesar, Playfair, Hill– polyalphabetic: Vigenere tableau

• transposition

2

Review

• Grading• Motivation• Definitions• Definitions• Security services, mechanisms, and attacks

(X800)• Basic network concept• Basic network concept• Security models

3

Review

• Grading (Tentative)H k 15%Homework 15%

(You may collaborate when solving the homework, however when writing up the solutions you must dohowever when writing up the solutions you must do so on your own. No typed or printed assignments.)

Project 20% (Presentation and/or paper required)Project 20% (Presentation and/or paper required) Midterm exam 25% (Open book and notes)Final exam 30% (Open book and notes)Final exam 30% (Open book and notes)Class participation 10%

4

Review: Motivation

• Hacker intrusion• Password compromise (access control)• Spam (data integrity)• Spam (data integrity)• Program security• Virus

D i l f i• Denial of service

5

Review: Definitions

• Computer Security - generic name for the ll ti f t l d i d t t t d tcollection of tools designed to protect data

and to thwart hackers• Network Security - measures to protect

data during their transmissiong• Internet Security - measures to protect

data during their transmission over adata during their transmission over a collection of interconnected networks

6

Review: Security GoalsSecurity Goals

• The goal of security is to institute controls that preserve– secrecy: assets are accessible only bysecrecy: assets are accessible only by

authorized parties;– integrity: assets can be modified only by– integrity: assets can be modified only by

authorized parties;a ailabilit t il bl t th i d– availability: assets are available to authorized parties.

7

Review: Services, Mechanisms, Attacks

• three aspects of information security:– security attack– security mechanismsecurity mechanism– security service

8

Review: Security Services (X.800)

• Authentication - assurance that the communicating entity is the one claimedcommunicating entity is the one claimed

• Access Control - prevention of the unauthorized use of a resource

• Data Confidentiality –protection of data from unauthorized disclosure

• Data Integrity - assurance that data received is as sent by an authorized entityN R di ti i i d i l b• Non-Repudiation - protection against denial by one of the parties in a communication

9

Review: Security Mechanisms (X.800)

• Specific security mechanisms: May be incorporated into the appropriate protocol layer inincorporated into the appropriate protocol layer in order to provide some of the OSI security services.– encipherment, digital signatures, access controls, data

i i h i i h ffi ddiintegrity, authentication exchange, traffic padding, routing control, notarization

• Pervasive security mechanisms: MechanismsPervasive security mechanisms: Mechanisms that are not specific to any particular OSI security service or protocol layer.– trusted functionality, security labels, event detection,

security audit trails, security recovery

10

Review: Classify Security Attacks as

• Passive attacks - eavesdropping on, or monitoring f i iof, transmissions to:– obtain message contents, or– monitor traffic flows

• Active attacks – modification of data stream to:– masquerade of one entity as some other– replay previous messages– modify messages in transit– denial of service

11

Review: Network concepts

• Terminology: node, host, link, terminal• Media: cable, optical fiber, microwave• Protocol: ISO reference model TCP/IP• Protocol: ISO reference model, TCP/IP• Addressing: IP address, port, socket• Type of network: LAN, WAN, internet

T l b t h b i• Topology: common bus, star or hub, ring

12

Review: Internet Protocols vs OSI

Application 7

Presentation

Session

Application4 6

5Session

TransportTCPIP2

3 4

5

Network

Data Link

IP

Network Interface1

2

2

3

PhysicalHardware1

1

13

R i M d l f N kReview: Model for Network Communication Securityy

14

Review: Model for Network AccessReview: Model for Network Access Securityy

15

Outline• Review• CryptologyCryptology

– Introduction and terminologies – Definition of cryptosystem and cryptanalysis

Types of encryption– Types of encryption • operations• the number of keys used• the way the plaintext processed• the way the plaintext processed

– Symmetric encryption -- Classical techniques• substitution:

monoalphabetic: Caesar Playfair Hill– monoalphabetic: Caesar, Playfair, Hill– polyalphabetic: Vigenere tableau

• transposition

16

Cryptology

• Introduction and terminologies• Definition of cryptosystem and cryptanalysis• Types of encryption

i– operations– the number of keys used– the way the plaintext processedy p p

• Symmetric encryption -- Classical techniques – substitution:

• monoalphabetic: Caesar, Playfair, Hill• polyalphabetic: Vigenere tableau

– transposition

17

Steganography vs Cryptography

• Types of transformation (in model for network communication security model)– Steganography: conceal the existence of theSteganography: conceal the existence of the

secret message (watermarking / data hiding)– Cryptography: render the secret message– Cryptography: render the secret message

unintelligible to outsiders

18

Steganography

• hides existence of message– using only a subset of letters/words in a longer

message marked in some wayg y– using invisible ink

hiding in LSB in graphic image or sound file– hiding in LSB in graphic image or sound file• has drawbacks

– high overhead to hide relatively few info bits

19

Steganography

20

The Bible Code

The Bible Codeby Michael Drosniny

21

紀曉嵐 / 蘇東玻

• 鳳遊禾蔭鳥飛去

馬走蘆邊草不生

• 日落香殘去了凡心一點

火盡爐寒來把一馬栓牢

22

Basic Terminology• plaintext - the original message • ciphertext - the coded message

i h l i h f f i l i i h• cipher - algorithm for transforming plaintext to ciphertext • key - info used in cipher known only to sender/receiver • encipher (encrypt) - converting plaintext to ciphertext• encipher (encrypt) - converting plaintext to ciphertext • decipher (decrypt) - recovering ciphertext from plaintext• cryptography - study of encryption principles/methodsyp g p y y yp p p• cryptanalysis (codebreaking) - the study of principles/

methods of deciphering ciphertext without knowing key• cryptology the field of both cryptography and cryptanalysis• cryptology - the field of both cryptography and cryptanalysis

23

Cryptology

• Introduction and terminologies • Definition of cryptosystem and cryptanalysis• Types of encryption


• Symmetric encryption -- Classical techniques– substitution:


– transposition

24

Definition of cryptosystems

A cryptosystem is a five-tuple (P,C,K,E,D), where the following conditions are satisfied:the following conditions are satisfied:

1. P is a finite set of possible plaintexts2 C i fi i f ibl i h2. C is a finite set of possible ciphertexts3. K, the key space, is a finite set of possible keys4. For each k K, there is an encryption rule eKE

and a corresponding decryption rule dK D. E h P C d d C P f iEach eK :P C and dK : C P are functions such that dK(eK(x)) = x for every plaintext x P.

25

Attacking a cryptosystem

• Cryptanalysis approach: this type of attack l i h h i i f h l i h lexploits the characteristics of the algorithm plus

perhaps some knowledge of the general h i i f h l icharacteristics of the plaintext or even some

sample plaintext-ciphertext pairs.• Brute force approach: an attacker tries every

possible key on a piece of ciphertext until intelligible translation into plaintext is obtained.

26

Types of Cryptanalytic Attacks• ciphertext only

– only know algorithm / ciphertextk l i• known plaintext– know/suspect plaintext & ciphertext to attack cipher

• chosen plaintext• chosen plaintext– select plaintext and obtain ciphertext to attack cipher

• chosen ciphertext• chosen ciphertext– select ciphertext and obtain plaintext to attack cipher

• chosen textchosen text– select either plaintext or ciphertext to en/decrypt to attack

cipher

27

Kerkhoff’s principle (1/4)• Why did people publish their cryptoystem (DES, . . . )?• Better: don’t publish your system but keep it secret!• Better: don t publish your system but keep it secret!

• Auguste Kerkhoffs “La Cryptographie Militaire”• Auguste Kerkhoffs, La Cryptographie Militaire , 1883Cryptographic systems should be designed in such aCryptographic systems should be designed in such a way that they are not compromised if the opponent learns the technique being used.

• In other words, the security should reside in thechoice of key rather than in obscure design features.

28

Kerkhoff’s principle (2/4)

• It is hard (and often impossible), to keep a cryptosystem in use secret!

• What if you fail to keep it secret?What, if you fail to keep it secret?

29


• Designing a good cryptosystem is hard! Even i i f Mexperts get it wrong quite often: Most

cryptosystems are broken after publication. Use a i !survivor!

• “. . . nothing substitutes for extensive peer review and years of analysis.” – B. Schneier

• If you don’t publish, nobody will analyze your y p , y y yscheme . . . except for the bad guys!

30


• Distinguish system itself (= algorithm), from key:– Key: secret, easy to change, chosen at randomKey: secret, easy to change, chosen at random

from large set of possible keys.• Assume: Bad guys know system but• Assume: Bad guys know system but

don’t know key!

31

Types of attacks on encrypted messagesyp yp g

32

Brute Force Search

• always possible to simply try every key • most basic attack, proportional to key size • assume either know / recognise plaintext• assume either know / recognise plaintext

33

Brute Force Search

• Input: C, KOutput: M or k

loop until an intelligible translation into p gplaintext is obtained (M is meaningful)

k Kk KM D(C)

output M or k• Complexity: |K|/2 (expected number of iterations)

34

p y | | ( p )

More Definitions

• unconditional security– no matter how much computer power is

available, the cipher cannot be broken since the i h t t id i ffi i t i f ti tciphertext provides insufficient information to

uniquely determine the corresponding plaintext t ti l it• computational security

– given limited computing resources (eg time needed for calculations is greater than age of universe), the cipher cannot be broken

35

Modern cryptology

• Use computational complexity theory to design cryptosystems which provide good diffusion and confusion– diffusion – dissipates statistical structure of

plaintext over bulk of ciphertextplaintext over bulk of ciphertext– confusion – makes relationship between

ciphertext and key as complex as possibleciphertext and key as complex as possible

36

Cryptology





– transposition

37

Cryptographic systems

• can characterize by:– type of encryption operations used

• substitution / transposition / productp p

– number of keys used• single-key or private / two-key or publicsingle-key or private / two-key or public

– way in which plaintext is processedbl k / t• block / stream

38

Type of operations

• Fundamental requirement: no information is lost (all operations are reversible)

• Substitution: each element in the plaintextSubstitution: each element in the plaintext (bit, letter, group of bits or letters) is mapped into another elementmapped into another element

• Transposition: elements in the plaintext are rearranged.

39






40

Symmetric Encryption

• AKA conventional/private-key/single-key• sender and recipient share a common key• all classical encryption algorithms are• all classical encryption algorithms are

private-key• was only type prior to invention of public-

key in 1970’skey in 1970 s

41

Symmetric Cipher Model

42

43

Requirements

• two requirements for secure use of t i tisymmetric encryption:

– a strong encryption algorithm– a secret key known only to sender / receiver

Y = EK(X)K( )X = DK(Y)

• assume encryption algorithm is knownassume encryption algorithm is known• implies a secure channel to distribute key

44

Public-Key Cryptography

• probably most significant advance in the 3000 hi t f t h3000 year history of cryptography

• uses two keys – a public & a private keyy p p y• asymmetric since parties are not equal • uses clever application of number theoretic• uses clever application of number theoretic

concepts to functionl th th l i• complements rather than replaces private

key crypto45


• public-key/two-key/asymmetric cryptography involves the use of two keys:involves the use of two keys: – a public-key, which may be known by anybody, and

can be used to encrypt messages, and verifycan be used to encrypt messages, and verify signatures

– a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures

• is asymmetric because– those who encrypt messages or verify signatures

cannot decrypt messages or create signatures

46


47

Why Public-Key Cryptography?

• developed to address two key issues:– key distribution – how to have secure

communications in general without having to t t KDC ith ktrust a KDC with your key

– digital signatures – how to verify a message i t t f th l i d dcomes intact from the claimed sender

• public invention due to Whitfield Diffie & Martin Hellman at Stanford U. in 1976– known earlier in classified community

48

Public-Key Characteristics

• Public-Key algorithms rely on two keys ith th h t i ti th t it iwith the characteristics that it is:

– computationally infeasible to find decryption k k i l l i h i kkey knowing only algorithm & encryption key

– computationally easy to en/decrypt messages h h l ( /d ) k i kwhen the relevant (en/decrypt) key is known

– either of the two related keys can be used for i i h h h d f d iencryption, with the other used for decryption

(in some schemes)

49

Public-Key Cryptosystems

50






51

Block vs Stream Ciphers

• block ciphers process messages in into bl k h f hi h i th /d t dblocks, each of which is then en/decrypted

• like a substitution on very big charactersy g– 64-bits or more

• stream ciphers process messages a bit orstream ciphers process messages a bit or byte at a time when en/decrypting

• man c rrent ciphers are block ciphers• many current ciphers are block ciphers• hence are focus of course

52

Cryptology





– transposition

53

Classical Substitution Ciphers

• where letters of plaintext are replaced by other letters or by numbers or symbols

• or if plaintext is viewed as a sequence ofor if plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bitplaintext bit patterns with ciphertext bit patterns

54

Caesar Cipher

• earliest known substitution cipher• by Julius Caesar • first attested use in military affairs• first attested use in military affairs• replaces each letter by 3rd letter on• example:

meet me after the toga partymeet me after the toga partyPHHW PH DIWHU WKH WRJD SDUWB

55

Caesar Cipher

• can define transformation as:a b c d e f g h i j k l m n o p q r s t u v w x y za b c d e f g h i j k l m n o p q r s t u v w x y zD E F G H I J K L M N O P Q R S T U V W X Y Z A B C

• mathematically give each letter a numbery ga b c d e f g h i j k l m0 1 2 3 4 5 6 7 8 9 10 11 12n o p q r s t u v w x y Z13 14 15 16 17 18 19 20 21 22 23 24 25

• then have Caesar cipher as:C ( ) ( k) d (26)C = E(p) = (p + k) mod (26)p = D(C) = (C – k) mod (26)

56

Cryptanalysis of Caesar Cipher

• only have 26 possible ciphers – A maps to A,B,..Z

• could simply try each in turn p y y• a brute force search• given ciphertext just try all shifts of letters• given ciphertext, just try all shifts of letters• do need to recognize when have plaintext• eg. break ciphertext “PHHW PH DIWHU

WKH WRJD SDUWB"57

58

Monoalphabetic Cipher

• rather than just shifting the alphabet ld h ffl (j bl ) h l bi il• could shuffle (jumble) the letters arbitrarily

• each plaintext letter maps to a different random i h lciphertext letter

• hence key is 26 letters long

Plain: abcdefghijklmnopqrstuvwxyz i hCipher: DKVQFIBJWPESCXHTMYAUOLRGZN

Plaintext: ifwewishtoreplacelettersCipherte t WIRFRWAJUHYFTSDVFSFUUFYA

59

Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA

Monoalphabetic Cipher Security

• now have a total of 26! = 4 x 1026 keys • with so many keys, might think is secure • but would be !!!WRONG!!!• but would be !!!WRONG!!!• problem is language characteristics

60

Language Redundancy and Cryptanalysis

• human languages are redundant• letters are not equally commonly used • in English e is by far the most common letter g y• then T,R,N,I,O,A,S • other letters are fairly rare• other letters are fairly rare • cf. Z,J,K,Q,X • have tables of single, double & triple letter

frequencies

61

English Letter Frequencies

62

Frequencies in Cryptanalysis• key concept - monoalphabetic substitution ciphers do

not change relative letter frequencies h• discovered by Arabian scientists in 9th century

• calculate letter frequencies for ciphertext• compare counts/plots against known values • if Caesar cipher look for common peaks/troughs p p g

– peaks at: A-E-I triple, NO pair, RST triple– troughs at: JK, X-Z

• for monoalphabetic must identify each letter– tables of common double/triple letters help

63

Example Cryptanalysis

• given ciphertext:UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZUZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZVUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSXEPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ

• count relative letter frequencies• guess P & Z are e and t• guess ZW is th and hence ZWP is the• proceeding with trial and error fially get:p g y g

it was disclosed yesterday that several informal butdirect contacts have been made with politicalrepresentatives of the viet cong in moscow

64

representatives of the viet cong in moscow

Playfair Cipher

• not even the large number of keys in a monoalphabetic cipher provides security

• one approach to improving security was toone approach to improving security was to encrypt multiple letters h i l• the Playfair Cipher is an example

• invented by Charles Wheatstone in 1854,invented by Charles Wheatstone in 1854, but named after his friend Baron Playfair

65

Playfair Key Matrix

• a 5X5 matrix of letters based on a keyword • fill in letters of keyword (sans duplicates) • fill rest of matrix with other letters• fill rest of matrix with other letters• eg. using the keyword MONARCHY

MONARCHYBDEFGIKLPQST

66UVWXZ

Encrypting and Decrypting• plaintext encrypted two letters at a time:

1 if a pair is a repeated letter insert a filler like 'X'1. if a pair is a repeated letter, insert a filler like X , eg. "balloon" encrypts as "ba lx lo on"

2. if both letters fall in the same row, replace each with l i h ( i b k f d)letter to right (wrapping back to start from end),

eg. “ar" encrypts as "RM" 3. if both letters fall in the same column, replace each , p

with the letter below it (again wrapping to top from bottom), eg. “mu" encrypts to "CM"

4 otherwise each letter is replaced by the one in its row4. otherwise each letter is replaced by the one in its row in the column of the other letter of the pair, eg. “hs" encrypts to "BP", and “ea" to "IM" or "JM" (as desired)

67

Security of the Playfair Cipher

• security much improved over monoalphabetici h 26 26 676 di• since have 26 x 26 = 676 digrams

• would need a 676 entry frequency table to analyse ( 26 f l h b i )(verses 26 for a monoalphabetic)

• and correspondingly more ciphertext • was widely used for many years (eg. US & British

military in WW1) • it can be broken, given a few hundred letters • since still has much of plaintext structure

68

Hill cipher

• Hill 1929• The encryption algorithm takes m

successive plaintext letters and substitutessuccessive plaintext letters and substitutes for them m ciphertext letters.

{ i ibl i }• K = {m m invertible matrices over Z26 }• Example: m = 3Example: m 3

69

Hill cipher

• Hill cipher completely hides single letter frequencies (i.e. Hill cipher is strong against ciphertext only attack.)p y )

• Hill cipher can be easily broken with a known plaintext attack (only needknown plaintext attack (only need mplaintext-ciphertext pairs).

• Example: m = 3

70

Polyalphabetic Ciphers

• another approach to improving security is to use multiple cipher alphabetsmultiple cipher alphabets

• called polyalphabetic substitution ciphersk l i h d i h l h b• makes cryptanalysis harder with more alphabets to

guess and flatter frequency distribution k l hi h l h b i d f h• use a key to select which alphabet is used for each

letter of the message h l h b i• use each alphabet in turn

• repeat from start after end of key is reached

71

Vigenère Cipher

• simplest polyalphabetic substitution cipher is the Vi è Ci hVigenère Cipher

• effectively multiple caesar ciphers • key is multiple letters long K = k1 k2 ... kd • ith letter specifies ith alphabet to usei letter specifies i alphabet to use • use each alphabet in turn

f f d l i• repeat from start after d letters in message• decryption simply works in reverse

72

Example

• write the plaintext out

• eg using keyword deceptive• eg using keyword deceptivekey:l i t t di d lfplaintext: wearediscoveredsaveyourself

ciphertext:

73

Example

• write the plaintext out • write the keyword repeated above it

• eg using keyword deceptive• eg using keyword deceptivekey: deceptivedeceptivedeceptivel i t t di d lfplaintext: wearediscoveredsaveyourself

ciphertext:

74

Example

• write the plaintext out • write the keyword repeated above it• use each key letter as a caesar cipher key y p y

encrypt the corresponding plaintext letter• eg using keyword deceptive• eg using keyword deceptive

key: deceptivedeceptivedeceptivel i t t di d lfplaintext: wearediscoveredsaveyourself

ciphertext:ZICVTWQNGRZGVTWAVZHCQYGLMGJ

75

Aids

• simple aids can assist with en/decryption • expand into a Vigenère Tableau (see text

Table 2 3)Table 2.3)

76

77

Security of Vigenère Ciphers

• have multiple ciphertext letters for each l i t t l ttplaintext letter

• hence letter frequencies are obscuredq• but not totally lost• start with letter frequencies• start with letter frequencies

– see if look monoalphabetic or notif h d d i b f• if not, then need to determine number of alphabets, since then can attach each

78

Kasiski Method

• method developed by Babbage / Kasiski i i i i h i l i d• repetitions in ciphertext give clues to period

• so find same plaintext an exact period apart which results in the same ciphertext of course, could also be random fluke

• eg repeated “VTW” in previous example– suggests size of 3 or 9gg– then attack each monoalphabetic cipher individually

using same techniques as before

79

Example

• write the plaintext out • write the keyword repeated above it• use each key letter as a caesar cipher key y p y• encrypt the corresponding plaintext letter• eg using keyword deceptive• eg using keyword deceptive

key: deceptivedeceptivedeceptivel i t t di d lfplaintext: wearediscoveredsaveyourself

ciphertext:ZICVTWQNGRZGVTWAVZHCQYGLMGJ

80

One-Time Pad (1/3)• If a truly random key as long as the message is used, the

cipher will be securecipher will be secure. • It is called a One-Time pad (OTP)

P=C=K=(Z2)n, n ≥1( ) , ≥k = (k1, k2, …, kn ) x = (x1, x2, …, xn )( 1 2 n )y = (y1, y2, …, yn )

ek(x) = (x1 k1, x2 k2, …, xn kn)dk(y) = (y1 k1, y2 k2, …, yn kn)

81

One-Time Pad (2/3)

• One-Time pad is unbreakable since if k is d h i d ( h i i hrandom then y is random too (that is, ciphertext

bears no statistical relationship to the plaintext) d f l i t t & i h t t hand for any plaintext & any ciphertext there

exists a key mapping one to other.• In practice, two fundamental difficulties

– Supplying truly random keys of large volumn is a significant task

– Key distribution and protection are problematic

82

One-Time Pad (3/3)

• One-Time pad is of limited utility, and is useful primarily for low bandwidth channels requiring very high security. q g y g y

83

Cryptology





– transposition

84

Transposition Ciphers

• now consider classical transposition or permutation ciphers

• these hide the message by rearranging thethese hide the message by rearranging the letter order

i h l i h l l d• without altering the actual letters used

85

Rail Fence cipher

• write message letters out diagonally over a number of rows

• eg. write message out as:m e m a t r h t g p r ye t e f e t e o a a t

86

Rail Fence cipher

• write message letters out diagonally over a number of rows

• then read off cipher row by rowthen read off cipher row by row• eg. write message out as:

m e m a t r h t g p r ye t e f e t e o a a t

• giving ciphertextMEMATRHTGPRYETEFETEOAAT

87

Row Transposition Ciphers

• a more complex schemeit l tt f t i• write letters of message out in rows over a

specified number of columnsh d h l di• then reorder the columns according to some

key before reading off the rowsK 3 4 2 1 5 6 7Key: 3 4 2 1 5 6 7Plaintext: a t t a c k p

o s t p o n ed u n t i l tw o a m x y z

Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ

88

Product Ciphers

• ciphers using substitutions or transpositions are b f l h i inot secure because of language characteristics

• hence consider using several ciphers in succession to make harder, but: – two substitutions make a more complex substitution – two transpositions make more complex transposition – but a substitution followed by a transposition makes a

new much harder cipher

• this is bridge from classical to modern ciphers89

g p

Question?

90

Network SecurityNetwork Securityailab.cs.nchu.edu.tw/course/NetworkSecurity/101/NS02.pdf · – monoalphabetic: Caesar Playfair Hillmonoalphabetic: Caesar, Playfair, Hill – polyalphabetic:

Documents