Foundations of Network and Computer Security J J ohn Black Lecture #2 Aug 26 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Slides:



Advertisements
Similar presentations
CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.
Advertisements

1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.
Computer Science CSC 474By Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.1 Introduction to Cryptography.
CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.
Cryptography and Network Security Chapter 3
Week 2 - Friday.  What did we talk about last time?  Substitution ciphers  Vigenère ciphers  One-time pad.
Theoretical Probability Distributions We have talked about the idea of frequency distributions as a way to see what is happening with our data. We have.
Foundations of Network and Computer Security J J ohn Black Lecture #2 Aug 26 th 2004 CSCI 6268/TLEN 5831, Fall 2004.
Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.
Computers in Society Encryption. Representing Sensory Experience Some objects correspond to human sensory experience – these representations are created.
Foundations of Network and Computer Security J J ohn Black Lecture #5 Sep 7 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Foundations of Network and Computer Security J J ohn Black CSCI 6268/TLEN 5831, Fall 2004.
CMSC 414 Computer and Network Security Lecture 2 Jonathan Katz.
Foundations of Network and Computer Security J J ohn Black Lecture #3 Aug 28 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
Foundations of Network and Computer Security J J ohn Black Lecture #5 Sep 6 th 2005 CSCI 6268/TLEN 5831, Fall 2005.
Foundations of Network and Computer Security J J ohn Black Lecture #24 Nov 23 rd 2004 CSCI 6268/TLEN 5831, Fall 2004.
Foundations of Network and Computer Security J J ohn Black Lecture #6 Sep 10 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Foundations of Network and Computer Security J J ohn Black Lecture #3 Aug 31 st 2007 CSCI 6268/TLEN 5831, Fall 2007.
Foundations of Network and Computer Security J J ohn Black Lecture #4 Sep 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
CS1001 Lecture 24. Overview Encryption Encryption Artificial Intelligence Artificial Intelligence Homework 4 Homework 4.
Foundations of Network and Computer Security J J ohn Black CSCI 6268/TLEN 5831, Fall 2007.
CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.
Foundations of Network and Computer Security J J ohn Black Lecture #3 Aug 30 st 2005 CSCI 6268/TLEN 5831, Fall 2005.
CMSC 414 Computer and Network Security Lecture 2 Jonathan Katz.
CS526Topic 2: Classical Cryptography1 Information Security CS 526 Topic 2 Cryptography: Terminology & Classic Ciphers.
Computer Security CS 426 Lecture 3
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Tonga Institute of Higher Education Design and Analysis of Algorithms IT 254 Lecture 9: Cryptography.
CSCI 5857: Encoding and Encryption
Section 2.1: Shift Ciphers and Modular Arithmetic The purpose of this section is to learn about modular arithmetic, which is one of the fundamental mathematical.
CMSC 414 Computer and Network Security Lecture 2 Jonathan Katz.
Lec. 5 : History of Cryptologic Research II
Pseudo-Random Functions 1/22 Encryption as Permutation Assume cryptosystem correct and P = C If x  x’ then E K (x)  E K (x’) So, no y is hit by more.
Section 2.1: Shift Ciphers and Modular Arithmetic Practice HW from Barr Textbook (not to hand in) p.66 # 1, 2, 3-6, 9-12, 13, 15.
Symmetric-Key Cryptography
Cracking DES Cryptosystem A cryptosystem is made of these parts: Two parties who want to communicate over an insecure channel An encryption algorithm that.
Some Number Theory Modulo Operation: Question: What is 12 mod 9?
Cryptography Part 1: Classical Ciphers Jerzy Wojdyło May 4, 2001.
Cryptograpy By Roya Furmuly W C I H D F O P S L 7.
Traditional Symmetric-Key Ciphers
Data Security and Encryption (CSE348) 1. Lecture # 3 2.
Foundations of Network and Computer Security J J ohn Black CSCI 6268/TLEN 5550, Spring 2015.
Lecture 2: Introduction to Cryptography
DES Analysis and Attacks CSCI 5857: Encoding and Encryption.
Lecture 3 Page 1 CS 236 Online Introduction to Cryptography CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Lecture 5 Page 1 CS 236 Online More on Cryptography CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
CS526Topic 2: Classical Cryptography1 Information Security CS 526 Topic 2 Cryptography: Terminology & Classic Ciphers.
@Yuan Xue CS 285 Network Security Block Cipher Principle Fall 2012 Yuan Xue.
Department of Computer Science Chapter 5 Introduction to Cryptography Semester 1.
Lecture 2 Page 1 CS 236 Online Security Policies Security policies describe how a secure system should behave Policy says what should happen, not how you.
1 CIS 5371 Cryptography 1.Introduction. 2 Prerequisites for this course  Basic Mathematics, in particular Number Theory  Basic Probability Theory 
Lecture 3 Page 1 CS 236 Online Basic Encryption Methods Substitutions –Monoalphabetic –Polyalphabetic Permutations.
Crypto in information security
Foundations of Network and Computer Security
Basic Encryption Methods
Cryptography Lecture 6.
Cryptography Lecture 7.
Foundations of Network and Computer Security
Foundations of Network and Computer Security
Chapter -2 Block Ciphers and the Data Encryption Standard
Cryptography Lecture 4.
Block Ciphers (Crypto 2)
Padding Oracle Attacks
Cryptography Lecture 16.
Florida State University
Presentation transcript:

Foundations of Network and Computer Security J J ohn Black Lecture #2 Aug 26 th 2009 CSCI 6268/TLEN 5550, Fall 2009

Slides now Available online rado.edu/tegrityutils/getcour serss.asp?courseid=CSCI http://engineeringonline.colo rado.edu/tegrityutils/getcour serss.asp?courseid=CSCI Write it down; won’t post to web page

Laws DMCA –Felten RIAA/SDMI case most famous 2001 SDMI challenge –Many believe it’s the right idea, but a bad law –All reverse-engineering is sketchy CALEA (1994) –Communications Assistance for Law Enforcement Act –2004 ruling says VoIP must provide compliance Has withstood all court challenges Patriot Act

Case Study Accountant for crime ring –Used PGP Pretty Good Privacy Phil Zimmerman –Feds seized computer Couldn’t read files! –Subpoena for keylogger –Worked like a charm!

Policy Government has attempted to control encryption before –Skipjack –Key Escrow –Clipper Chip Ultimately failed due to massive protest from “privacy advocates” –Electronic Frontier Foundation (John Gilmore)

Economist Survey Please read it Main points –Security is a MUCH broader topic than just SSL and viruses –Firewalls don’t always work –Economics are a factor –And more... From 2002 but still very relevant stuff

What IS Computer Security? Cryptography –Mostly based in mathematics Network Services –Offense: Overflows, SQL injection, format strings, etc –Defense: Firewalls, IDSes, Sandboxing, Honeypots Software Engineering –You have to find all flaws, they only have to find one Policy –Laws affect profoundly our security and privacy, as we have already seen

What IS Computer Security? Soft Science –Trust Models (Bell-LaPadula, Insider Threat, etc) –Economics, Game Theory –Social Engineering Education –Students become our programmers Insufficient training in security issues Various –Credit Card Scanners Should you trust your CC# on the Internet? –ATM story

Cryptography Introduction to cryptography –Why? We’re doing things bottom-up Crypto is a fundamental building block for securing networks, but by NO MEANS a panacea –Often done well Breaking the crypto is often not the easiest way in –Instead exploit some of those other holes! –Long history –Based on lots of math

In the Beginning… “Classical” cryptography –Caesar cipher aka shift cipher A  Z, B  A, C  B, etc… We are shifting by -1 or, equivalently, by 25 Here the “domain” is A…Z and shifts are done modulo 26 –Ex: What happens to “IBM” with a shift of 25?

Kerckhoff –Kerckhoff’s principal Assume algorithm is public and all security rests with the “key” The opposite philosophy is sometimes called “security thru obscurity” –Often dubious »Experts say you want people to see the algorithm… the more analysis it sees, the better! –Used in military settings however »Why give them any information?? »Skipjack was this way

What is a “key”? We have a basic enciphering mechanism –We just saw the Caesar cipher The “key” is the “variable” part of the algorithm –What was our key with the Caesar cipher? –How many keys were possible? –Why is this cipher insecure?

Digression on Blocksize The “blocksize” of a cipher is the size, in bits, of its domain –Caesar took 26 inputs, so about 4.7 bit blocksize –We take lg(|D|) to compute blocksize Often it’s already specified in bits –Keysize is analogous What was the keysize of the Caesar cipher? A “blockcipher” always outputs the same number of bits as it takes in –Ciphers induce a “permutation” on their domain This means they are 1-to-1 Without this, we couldn’t decipher!

Improving Caesar Substitution Cipher –We allow each {A,…, Z} to map to any other character in this set Ex: A  Q, B  S, C  A, etc… We must still ensure a 1-to-1 mapping! How many mappings are possible? What is the key here? What is the keysize? –Is exhaustive key-search feasible here?

Exhaustive Key-search We had possible keys –Keysize is lg of this, or about 88.4 bits –Infeasible to exhaustively search even with a lot of money and resources! Rule of Thumb –2 30 quite easily –2 40 takes a while, but doable (exportable keysize!) –2 50 special hardware, parallelism important –2 60 only large government organizations –2 70 approaching the (current) limits of imagination

So Substitution Cipher is Secure? Nope –Ever do the Sunday Cryptograms? –Attacks: Frequency analysis –etaoinshrdlu… Diphthongs, triphthongs –ST, TH, not QX Word lengths –A and I are only 1-letter words Other statistical measures –Index of Coincidence

What did we just Implicitly Assume? What assumption was made in these attacks? What was a central feature of the Substitution Cipher which permitted these attacks? (hard) How can we repair these problems?

Small Blocksizes are Bad Ok, we had a blocksize of < 5 bits –So fix it! –Try 64 bits instead –All is well? How many permutations are there now? –2 64 ! ≈ –Stirling’s formula: What is the keysize (in bits)? –About 2 70 bits! Yow! –1TB is 2 40 * 2 3 = 2 43

Key is too Large We can’t store 2 70 bit keys –What can we do then? –Idea: instead of representing ALL 2 64 ! permutations we select a “random looking” subset of them! We will implement the map via an algorithm Our subset will be MUCH smaller than the set of all permutations

Example Blockcipher Suppose we have 64-bit blocksize Suppose we have 64-bit keys –Notice this is FAR smaller than bit keys, so we will be representing a vastly smaller set of permutations –Select a key K at random from {0,1} 64 {0,1} 64 is the set of all length-64 binary strings Let C = P ⊕ K –Here ⊕ means XOR

Digression on Terminology Note that we used specific letters in our formula C = P ⊕ K –P is the “plaintext” –C is the “ciphertext” –K is usually used for “key” Call this blockcipher X –X : {0,1} 64 x {0,1} 64  {0,1} 64 –This means E takes two 64-bit strings and produces a 64-bit output

Looking at Blockcipher X First, is it even a valid cipher? –Is it 1-to-1? Basic facts on xor’s: –A ⊕ A = 0 A ⊕ B = B ⊕ A –A ⊕ 0 = A A ⊕ (B ⊕ C) = (A ⊕ B) ⊕ C So prove 1-to-1: –Suppose P  P’ but C = C –Then P ⊕ K = P’ ⊕ K –So P ⊕ K ⊕ K = P’ ⊕ K ⊕ K –And P ⊕ 0 = P’ ⊕ 0 –so P = P’, contradiction

So it’s Syntactically Valid What about its security? –It’s terrible, but before we can really look more closely at it we need to learn more about what “secure” means –A second problem is that we still haven’t said how to “encrypt,” only to “encipher” Encryption handles a bunch of variable-length messages Enciphering handles inputs of one fixed size; ergo the term “blockcipher”

Background So really we’ve been talking about things like encryption and security without proper definitions! –Although it may be a pain, definitions are a central (and often ignored) part of doing “science” –You will see textbooks teach cryptography without defining the terms they use –We have an intuitive sense of these things, but we can’t do science without writing down precise meanings for the terms we’re using –The network security part of the course won’t be much like this

Blockciphers One of the most basic components –Used EVERYWHERE in cryptography –Blockcipher E maps a k-bit key K and an n-bit plaintext P to an n-bit ciphertext C –Requirement: for any fixed K, E(K, ●) is a permutation (ie, is 1-to-1) E P K C

Security Intuition: –A “secure” blockcipher under a (uniformly-chosen) random key should “look random” More precisely (but still informal): –Suppose you are given a black-box which contains blockcipher E with a secret, random, fixed key K embedded within it –Suppose you are also given another black-box (looks identical) which has a permutation  from n-bits to n-bits embedded within it, and  was chosen uniformly at random from the set of all 2 n ! possible permutations –You are allowed to submit arbitrary plaintexts and ciphertexts of your choice to either box –Could you tell which was which using a “reasonable” amount of computation?

Blockcipher Security (cont.) A “good” blockcipher requires that, on average, you must use a TON of computational resources to distinguish these two black-boxes from one another –A good blockcipher is therefore called “computationally indistinguishable” from a random permutation –If we had bit keys, we could have perfect 64-bit blockciphers –Since we are implementing only a small fraction, we had better try and ensure there is no computationally- simple way to recognize this subset

Blockcipher Security (cont.) If we can distinguish between black-boxes quickly, we say there is a “distinguishing attack” –Practical uses? –Notice that we might succeed here even without getting the key! Certainly getting the key is sufficient since we assume we know the underlying algorithm What is the attack if we know the key?

Theme to Note Note that our notion of security asks for MORE than we often need in practice –This is a common theme in cryptography: if it is reasonable and seemingly achievable to efficiently get more than you might need in practice, then require that your algorithms meet these higher requirements.

Our Blockcipher X So is X secure under this definition? –No, simple distinguishing attack: Select one black-box arbitrarily (doesn’t matter which one) Submit plaintext P=0 64 receiving ciphertext C Submit plaintext P’=1 64 receiving ciphertext C’ If black-box is our friend X (under key K) then we will have –C = K and C’ = K ⊕ 1 64 –So if C ⊕ C’ = 1 64 we guess that this box is blockcipher X –If not, we guess that this box is the random permutation

Analysis of X (cont.) What is the probability that we guess wrong? –Ie, what is the chance that two random distinct 64-bit strings are 1’s complements of each other? –1/( ) … about 1 in Note that this method does not depend on the key K