Chapter 8, slide: 1 ECE/CS 372 – introduction to computer networks Lecture 18 Announcements: r Final exam will take place August 13 th,2012 r HW4 and Lab5 are posted and are due Wednesday Acknowledgement: slides drawn heavily from Kurose & Ross
Chapter 8, slide: 2 Chapter 8: Network Security Goals: r understand principles of network security: cryptography and its many uses beyond “confidentiality” authentication message integrity r Example: securing
Chapter 8, slide: 3 Q: what should Bob & Alice be concerned about? r eavesdrop: messages are intercepted r change: messages are modified r impersonation: entire communication is hijacked by replacing sender or receiver by himself r denial of service: prevent services (e.g., by overloading resources) Bob, Alice want to communicate “securely” sender receiver Messages data Alice Bob Trudy confidentiality integrity authentication availability r Trudy is an enemy (intruder): “bad” guy
Chapter 8, slide: 4 Who might Bob, Alice be? … well, real-life Bobs and Alices! r Web browser/server for electronic transactions (e.g., on-line purchases) r on-line banking client/server r DNS servers r routers exchanging routing table updates
Chapter 8, slide: 5 What is network security? Goals of network security: Confidentiality: only sender, intended receiver should “understand” message contents sender encrypts message receiver decrypts message Authentication: sender, receiver want to confirm identity of each other Integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection Availability: services must be accessible and available to users
Chapter 8, slide: 6 Chapter 8 roadmap r Principles of cryptography r Message integrity r Securing
Chapter 8, slide: 7 Cryptography r Cryptography allows a sender to disguise a message so that an intruder can’t gain information from it “ confidentiality ” plaintext ciphertext K A encryption algorithm decryption algorithm Alice’s encryption key Bob’s decryption key K B All terms marked in red are crypto terminology
Chapter 8, slide: 8 Types of cryptography symmetric key - both sender and receiver use identical key e.g., sender A encrypts with the key receiver B decrypts with same key public/private keys - two keys (public and private) are to be used e.g., sender A encrypts with B’s public key receiver B decrypts with its Private key
Chapter 8, slide: 9 Symmetric key cryptography symmetric key crypto: Bob and Alice share/know same (symmetric) key: K r Q: how do Bob and Alice agree on key value? plaintext ciphertext K A-B encryption algorithm decryption algorithm A-B K plaintext message, m K (m) A-B K (m) A-B m = K ( ) A-B
Chapter 8, slide: 10 Symmetric key cryptography monoalphabetic cipher: substituting one letter for another plaintext: abcdefghijklmnopqrstuvwxyz ciphertext: mnbvcxzasdfghjklpoiuytrewq Plaintext: bob. i love you. alice ciphertext: nkn. s gktc wky. mgsbc E.g.: Q: How hard to break this simple cipher?: A: brute force (how hard?) how many possibilities? 26! Q: what is the encryption & decryption key?: A: the mapping
Chapter 8, slide: 11 Symmetric key cryptography polyalphabetic cipher: multiple monoalphabetic ciphers Eg.: C1, C2, C2, C3 (with 3 monoalphabetic cipher keys) First letter, apply C1 Second letter, apply C2 Third letter, apply C2 Fourth letter, apply C3 Then, repeat r Harder to break! By avoiding patterns, same letter may appear in different positions r Key is “C1, C2, C2, C3”
Chapter 8, slide: 12 Symmetric key cryptography block cipher: msg is encrypted in blocks of k bits (independently) r Each k-bit block is encrypted/mapped r Possible mappings: 2 k ! r Hard to break Problem r Hard to implement, with k=64, sender and receiver need to store a mapping table of 2 64 entries !! Huge!! Solution r Use of functions: break blocks into smaller chunks
Chapter 8, slide: 13 Block Cipher r one pass through: one input bit affects eight output bits 64-bit input T1T1 8bits 64-bit scrambler 64-bit output loop for n rounds T2T2 T3T3 T4T4 T6T6 T5T5 T7T7 T8T8 r multiple passes: each input bit affects all output bits
Chapter 8, slide: 14 Cipher Block Chaining Problem w/ Cipher Block r if input block is repeated, it produces same cipher text: t=1 m(1) = “HTTP/1.1” block cipher c(1) = “k329aM02” … r cipher block chaining: XOR ith input block, m(i), with previous block of cipher text, c(i-1) c(0) transmitted to receiver in clear what happens in “HTTP/1.1” scenario from above? t=17 m(17) = “HTTP/1.1” block cipher c(17) = “k329aM02” + m(i) c(i) block cipher c(i-1)
Chapter 8, slide: 15 ECE/CS 372 – introduction to computer networks Lecture 19 Announcements: r Final exam will take place August 13 th,2012 r HW4 and Lab5 are posted and are due Wednesday Acknowledgement: slides drawn heavily from Kurose & Ross
Chapter 8, slide: 16 Public key cryptography symmetric key crypto r requires sender, receiver know shared secret key r Q: how to agree on key in first place (particularly if never “met”)? public key cryptography r radically different approach r Two keys Public key: encryp. key known to all Private key: decryp. key known only to receiver r Sender uses public key only to encryp r Reciever uses both keys to decryp.
Chapter 8, slide: 17 Public key cryptography plaintext message, m ciphertext encryption algorithm decryption algorithm Bob’s public key plaintext message K (m) B + K B + Bob’s private key K B - m = K ( K (m) ) B + B - r Note: only Bob is able to understand (decrypt) message m. Because only Bob has Bob’s private key r This assures “confidentiality”
Chapter 8, slide: 18 Public key encryption algorithms need K ( ) and K ( ) such that B B.. given public key K, it should be impossible to compute private key K B B Requirements: 1 2 RSA: Rivest, Shamir, Adleman algorithm + - K (K (m)) = m B B
Chapter 8, slide: 19 RSA: Choosing keys 1. Choose two large prime numbers p, q. (e.g., 1024 bits each) 2. Compute n = pq, z = (p-1)(q-1) 3. Choose e (with e<n) that has no common factors with z. (e, z are “relatively prime”). 4. Choose d such that ed-1 is exactly divisible by z. (in other words: ed mod z = 1 ). 5. Public key is (n,e). Private key is (n,d). K B + K B -
Chapter 8, slide: 20 RSA: Encryption, decryption 0. Given (n,e) and (n,d) as computed above 1. To encrypt bit pattern, m, compute c = m mod n e (i.e., remainder when m is divided by n) e 2. To decrypt received bit pattern, c, compute m = c mod n d (i.e., remainder when c is divided by n) d m = (m mod n) e mod n d Magic happens! c
Chapter 8, slide: 21 RSA example: Bob chooses p=5, q=7. Then n=35, z=24. e=5 (so e, z relatively prime). d=29 (so ed-1 exactly divisible by z). letter m m e c = m mod n e l c m = c mod n d c d letter l encrypt: decrypt:
Chapter 8, slide: 22 Another RSA example: Bob chooses p=5, q=11. Question: Find (n,e) and (n,d) Step 1: Compute n = pq, z = (p-1)(q-1) Step 2: Choose e (with e<n) that has no common factors with z. (e, z are “relatively prime”). Step 3: Choose d such that ed-1 is exactly divisible by z. (in other words: ed mod z = 1 ). Step 4: Public key is (n,e). Private key is (n,d). K B + K B -
Chapter 8, slide: 23 RSA: another important property The following property will be very useful later: K ( K (m) ) = m B B - + K ( K (m) ) B B + - = use public key first, followed by private key use private key first, followed by public key Result is the same!
Chapter 8, slide: 24 Chapter 8 roadmap r Principles of cryptography r Message integrity r Securing
Chapter 8, slide: 25 Message Integrity/Authentication Bob receives msg from Alice, wants to ensure: Authentication: message originally came from Alice Integrity: message not changed since sent by Alice Cryptographic Hashing: r What: take input m, produce fixed length value, H(m) e.g., as in Internet checksum r Properties of H: given m = H(x), (x unknown), it is computationally infeasible to determine x. difficult to find x y such that H(x) = H(y) note: Internet checksum fails this requirement! r Examples widely used hash functions: MD5, SHA
Chapter 8, slide: 26 Internet checksum: poor crypto hash function r Internet checksum has some properties of hash function: ü produces fixed length digest (16-bit sum) of message ü is many-to-one r But given message with given hash value, it is easy to find another message with same hash value: I O U B O B 49 4F E F 42 message ASCII format B2 C1 D2 AC I O U B O B 49 4F E F 42 message ASCII format B2 C1 D2 AC different messages but identical checksums!
Chapter 8, slide: 27 MAC: Message Authentication Code m s (shared secret) (message) H(. ) H(m+s) public Internet append m H(m+s) s compare m H(m+s) H(. ) H(m+s) (shared secret) r Does MAC solve Integrity ?? How ?? Authentication ?? How ?? r Any problem ?? Secret key distribution ?? r So we can’t really authenticate via MAC alone via Hashing via secret key
Chapter 8, slide: 28 Digital Signatures via Public Key Crypto simple digital signature for message m: r Bob “signs” m by encrypting with his private key K B, creating “signed” message, K B (m) - - Dear Alice Oh, how I have missed you. I think of you all the time! …(blah blah blah) Bob Bob’s message, m public key encryption algorithm Bob’s private key K B - Bob’s message, m, signed (encrypted) with his private key K B - (m)
Chapter 8, slide: 29 Digital Signatures via Public Key Crypto (more) r suppose Alice receives msg m, digital signature K B (m) r Alice verifies m signed by Bob by applying Bob’s public key K B to K B (m) then checks K B (K B (m) ) = m. r if K B (K B (m) ) = m, whoever signed m must have used Bob’s private key Alice thus verifies that: ü Bob signed m. ü No one else signed m. ü Bob signed m and not m’. -
Chapter 8, slide: 30 MAC via private/public keys m Alice’s private key (message) m public Internet append m compare m K A - K (m) A - A - A - Alice’s public key K A + K (m) A - m m r Note: only Alice would have had her private key r This assures “authentication”
Chapter 8, slide: 31 Digital Signatures via Public Key Crypto (more) Problem r Signing data by encryption and decryption is computationally expensive r Imagine encrypting (signing) huge files of data !!! - Solution r Sign hashed output of original msg (sign H(m) only) r Recall hash algorithms turn large msgs into small, fixed length msg r … signed MAC is the solution
Chapter 8, slide: 32 large message m H: hash function H(m) digital signature (encrypt) Bob’s private key K B - + Bob sends digitally signed message: Alice verifies signature and integrity of digitally signed message: K B (H(m)) - encrypted msg digest K B (H(m)) - encrypted msg digest large message m H: hash function H(m) digital signature (decrypt) H(m) Bob’s public key K B + equal ? Digital signature = signed MAC = authentication + integrity
Chapter 8, slide: 33 Public Key Certification Problem with public key: r When Alice obtains Bob’s public key (from web site, , diskette), how does she know it is Bob’s public key, not Trudy’s? solution: r trusted certification authority (CA)
Chapter 8, slide: 34 Certification Authorities r Certification Authority (CA): binds public key to particular entity, E. r E registers its public key with CA. E provides “proof of identity” to CA. CA creates certificate binding E to its public key. certificate containing E’s public key digitally signed by CA: CA says “This is E’s public key.” Bob’s public key K B + Bob’s identifying information digital signature (encrypt) CA private key K CA - K B + certificate for Bob’s public key, signed by CA - K CA (K ) B +
Chapter 8, slide: 35 Certification Authorities r when Alice wants Bob’s public key: gets Bob’s certificate apply CA’s public key to Bob’s certificate, get Bob’s public key Bob’s public key K B + digital signature (decrypt) CA public key K CA + K B + - K (K ) B +
Chapter 8, slide: 36 Get Bob’s public key from CA CA’s private key (Bob’s public key) public Internet append compare K CA - CA’s public key K CA + K B + r Alice just got Bob’s public key (authenticated key) r Of course, here we assume that you have CA’s public key !!! Need to get it physically !!! K B + K B + - K CA (K ) B + K B + - K CA (K ) B + K CA (K ) B + - K B + K B +
Chapter 8, slide: 37 Chapter 8: Recap So far: r Cryptography & confidentiality Symmetric key Public key: A wants to send msg m to B. What does A send? A sends K B + (m); hence, ONLY B understands m by applying K B - (K B + (m)) => confidentiality r Authentication & integrity MAC (Msg Authen. Code): requires symmetric key Signed MAC: A -> B A sends (m,K A - (m)) to B, Hence, All get m by applying K A + (K A - (m)); Comparison => authen. + integrity, but NOT confidentiality Note: Sender applies receiver’s public key Note: Sender applies its private key
Chapter 8, slide: 38 Chapter 8 roadmap r Principles of cryptography r Message integrity r Securing
Chapter 8, slide: 39 Secure (confidentiality) Alice: generates random symmetric private key, K S. encrypts message with K S (for efficiency) also encrypts K S with Bob’s public key. sends both K S (m) and K B (K S ) to Bob. Alice wants to send confidential , m, to Bob. K S ( ). K B ( ) K S (m ) K B (K S ) + m KSKS KSKS KBKB + Internet K S ( ). K B ( ). - KBKB - KSKS m K S (m ) K B (K S ) + A B Bob: uses his private key to decrypt and recover K S uses K S to decrypt K S (m) to recover m Note that to provide confidentiality, sender encrypts with receiver’s public key (ONLY receiver should see msg)
Chapter 8, slide: 40 Secure (authen. + integrity) Alice wants to provide sender authentication/integrity. Alice digitally signs message. sends both message (in the clear) and digital signature. H( ). K A ( ) H(m ) K A (H(m)) - m KAKA - Internet m K A ( ). + KAKA + K A (H(m)) - m H( ). H(m ) compare A B Again note that to provide authenticate/integrity, sender encrypts with its private (all can understand msg)
Chapter 8, slide: 41 Secure (all: confid. + auth. + integrity) Alice wants to provide secrecy, sender authentication, message integrity. Alice uses three keys: her private key, Bob’s public key, newly created symmetric key H( ). K A ( ). - + K A (H(m)) - m KAKA - m K S ( ). K B ( ). + + K B (K S ) + KSKS KBKB + Internet KSKS A
Chapter 8, slide: 42 The end of class! Acknowledgement: slides drawn heavily from Kurose & Ross