8: Network Security 8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver decrypts message Authentication: sender, receiver want to confirm identity of each other Message integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection Access and availability: services must be accessible and available to users

8: Network Security 8-2 Friends and enemies: Alice, Bob, Trudy r well-known in network security world r Bob, Alice want to communicate “securely” r Trudy (intruder) may intercept, delete, add messages secure sender secure receiver channel data, control messages data Alice Bob Trudy

8: Network Security 8-3 Who might Bob, Alice be? r … well, real-life Bobs and Alices! r Web browser/server for electronic transactions (e.g., on-line purchases) r on-line banking client/server r DNS servers r routers exchanging routing table updates r other examples?

8: Network Security 8-4 There are bad guys (and girls) out there! Q: What can a “bad guy” do? A: a lot! m eavesdrop: intercept messages m actively insert messages into connection m impersonation: can fake (spoof) source address in packet (or any field in packet) m hijacking: “take over” ongoing connection by removing sender or receiver, inserting himself in place m denial of service: prevent service from being used by others (e.g., by overloading resources) more on this later ……

8: Network Security 8-5 The language of cryptography symmetric key crypto: sender, receiver keys identical public-key crypto: encryption key public, decryption key secret (private) plaintext ciphertext K A encryption algorithm decryption algorithm Alice’s encryption key Bob’s decryption key K B

8: Network Security 8-6 Symmetric key cryptography substitution cipher: substituting one thing for another m monoalphabetic cipher: substitute one letter for another plaintext: abcdefghijklmnopqrstuvwxyz ciphertext: mnbvcxzasdfghjklpoiuytrewq Plaintext: bob. i love you. alice ciphertext: nkn. s gktc wky. mgsbc E.g.: Q: How hard to break this simple cipher?:  brute force (how hard?)  other?

8: Network Security 8-7 Symmetric key cryptography symmetric key crypto: Bob and Alice share know same (symmetric) key: K r e.g., key is knowing substitution pattern in mono alphabetic substitution cipher r Q: how do Bob and Alice agree on key value? plaintext ciphertext K A-B encryption algorithm decryption algorithm A-B K plaintext message, m K (m) A-B K (m) A-B m = K ( ) A-B

8: Network Security 8-8 Symmetric key crypto: DES DES: Data Encryption Standard r US encryption standard [NIST 1993] r 56-bit symmetric key, 64-bit plaintext input r How secure is DES? m DES Challenge: 56-bit-key-encrypted phrase (“Strong cryptography makes the world a safer place”) decrypted (brute force) in 4 months r making DES more secure: m use three keys sequentially (3-DES) on each datum m use cipher-block chaining

8: Network Security 8-9 AES: Advanced Encryption Standard r new (Nov. 2001) symmetric-key NIST standard, replacing DES r processes data in 128 bit blocks r 128, 192, or 256 bit keys r brute force decryption (try each key) taking 1 sec on DES, takes 149 trillion years for AES r block ciphers: DES, 3DES, Blowfish, AES

8: Network Security 8-10 Cipher Block Chaining r cipher block: if input block repeated, will produce same cipher text: t=1 m(1) = “HTTP/1.1” block cipher c(1) = “k329aM02” … r cipher block chaining: XOR ith input block, m(i), with previous block of cipher text, c(i-1) m c(0) transmitted to receiver in clear m what happens in “HTTP/1.1” scenario from above? + m(i) c(i) t=17 m(17) = “HTTP/1.1” block cipher c(17) = “k329aM02” block cipher c(i-1)

8: Network Security 8-11 Public key cryptography symmetric key crypto r requires sender, receiver know shared secret key r Q: how to agree on key in first place (particularly if never “met”)? public key cryptography r radically different approach [Diffie- Hellman76, RSA78] r sender, receiver do not share secret key r public encryption key known to all r private decryption key known only to receiver

8: Network Security 8-12 Public key cryptography plaintext message, m ciphertext encryption algorithm decryption algorithm Bob’s public key plaintext message K (m) B + K B + Bob’s private key K B - m = K ( K (m) ) B + B -

8: Network Security 8-13 Public key encryption algorithms need K ( ) and K ( ) such that B B.. given public key K, it should be impossible to compute private key K B B Requirements: 1 2 RSA: Rivest, Shamir, Adleman algorithm + - K (K (m)) = m B B

8: Network Security 8-14 RSA: Choosing keys 1. Choose two large prime numbers p, q. (e.g., 1024 bits each) 2. Compute n = pq, z = (p-1)(q-1) 3. Choose e (with e<n) that has no common factors with z. (e, z are “relatively prime”). 4. Choose d such that ed-1 is exactly divisible by z. (in other words: ed mod z = 1 ). 5. Public key is (n,e). Private key is (n,d). K B + K B -

8: Network Security 8-15 RSA: Encryption, decryption 0. Given (n,e) and (n,d) as computed above 1. To encrypt bit pattern, m, compute c = m mod n e (i.e., remainder when m is divided by n) e 2. To decrypt received bit pattern, c, compute m = c mod n d (i.e., remainder when c is divided by n) d m = (m mod n) e mod n d Magic happens! c

8: Network Security 8-16 RSA example: Bob chooses p=5, q=7. Then n=35, z=24. e=5 (so e, z relatively prime). d=29 (so ed-1 exactly divisible by z. letter m m e c = m mod n e l c m = c mod n d c d letter l encrypt: decrypt:

8: Network Security 8-17 RSA: Why is that m = (m mod n) e mod n d (m mod n) e mod n = m mod n d ed Useful number theory result: If p,q prime and n = pq, then: x mod n = x mod n yy mod (p-1)(q-1) = m mod n ed mod (p-1)(q-1) = m mod n 1 = m (using number theory result above) (since we chose ed to be divisible by (p-1)(q-1) with remainder 1 )

8: Network Security 8-18 RSA: another important property The following property will be very useful later: K ( K (m) ) = m B B - + K ( K (m) ) B B + - = use public key first, followed by private key use private key first, followed by public key Result is the same!

Applications of Identity Based Encryption (IBE) r Bob encrypts mail with pub-key = m Easy to use: no need for Bob to lookup Alice’s cert m Bob can send mail to Alice even if Alice has no cert r Bob encrypts with pub-key = || current- date” m Short lived private keys: revocation + mobility m Bob can send mail to be read at future date r Concept proposed by Shamir in 1980’s r First fully-functional scheme found in 2001 by Boneh and Franklin

Definition of IBE r Setup m input: a security parameter t m output: params and master-key r Extract – run by a private key generator m input: params, master-key, and ID ∈ {0,1}* m output: d ID r Encrypt m input: params, ID ∈ {0,1}*, M ∈ M m output: C r Decrypt m input: params, d ID, C ∈ C m output: M

Security properties of Crypto schemes r Formalization of the notion that no algorithm breaks a crypto system m defined via a game between an Adversary and a Challenger m no polynomially bound Adversary wins the game with non- negligible advantage r Semantic security against a chosen ciphertext attack m No polynomially bound adversary wins the following game with non-negligible advantage

A Game with the adversary r Adversary picks messages M 0, M 1 and a public key ID r Challenger picks a random b ∈ {0,1} and sends C=Encrypt(params, ID, M b ) m chooses a security parameter t and runs Setup m keeps the master-key m gives the Adversary params r The Adversary issues n queries m extraction query on other people ID i m decryption query ID i, C i Queries Challenge Answer Choose target Challenger Adversary

The Game cont’d r The Adversary outputs b’ r The Adversary wins if b=b’ | Prob (the attacker wins) – ½ | should be negligible This game can be made adaptive to model a stronger adversary

8: Network Security 8-24 Message Integrity Bob receives msg from Alice, wants to ensure: r message originally came from Alice r message not changed since sent by Alice Cryptographic Hash: r takes input m, produces fixed length value, H(m) m e.g., as in Internet checksum r computationally infeasible to find two different messages, x, y such that H(x) = H(y) m equivalently: given m = H(x), (x unknown), can not determine x. m note: Internet checksum fails this requirement!

8: Network Security 8-25 Message Authentication Code m s (shared secret) (message) H(. ) H(m+s) public Internet append m H(m+s) s compare m H(m+s) H(. ) H(m+s) (shared secret)

8: Network Security 8-26 MACs in practice r MD5 hash function widely used (RFC 1321) m computes 128-bit MAC in 4-step process. m arbitrary 128-bit string x, appears difficult to construct msg m whose MD5 hash is equal to x r SHA-1 is also used m US standard [ NIST, FIPS PUB 180-1] m 160-bit MAC

8: Network Security 8-27 Digital Signatures cryptographic technique analogous to hand- written signatures. r sender (Bob) digitally signs document, establishing he is document owner/creator. r verifiable, nonforgeable: recipient (Alice) can prove to someone that Bob, and no one else (including Alice), must have signed document

8: Network Security 8-28 Digital Signatures simple digital signature for message m: r Bob “signs” m by encrypting with his private key K B, creating “signed” message, K B (m) - - Dear Alice Oh, how I have missed you. I think of you all the time! …(blah blah blah) Bob Bob’s message, m public key encryption algorithm Bob’s private key K B - Bob’s message, m, signed (encrypted) with his private key K B - (m)

8: Network Security 8-29 Digital Signatures (more) r suppose Alice receives msg m, digital signature K B (m) r Alice verifies m signed by Bob by applying Bob’s public key K B to K B (m) then checks K B (K B (m) ) = m. r if K B (K B (m) ) = m, whoever signed m must have used Bob’s private key Alice thus verifies that: ü Bob signed m. ü No one else signed m. ü Bob signed m and not m’. non-repudiation: Alice can take m, and signature K B (m) to court and prove that Bob signed m. -

8: Network Security 8-30 large message m H: hash function H(m) digital signature (encrypt) Bob’s private key K B - + Bob sends digitally signed message: Alice verifies signature and integrity of digitally signed message: K B (H(m)) - encrypted msg digest K B (H(m)) - encrypted msg digest large message m H: hash function H(m) digital signature (decrypt) H(m) Bob’s public key K B + equal ? Digital signature

8: Network Security 8-31 Public Key Certification public key problem: r When Alice obtains Bob’s public key (from web site, , diskette), how does she know it is Bob’s public key, not Trudy’s? solution: r trusted certification authority (CA)

8: Network Security 8-32 Certification Authorities r Certification Authority (CA): binds public key to particular entity, E. r E registers its public key with CA. m E provides “proof of identity” to CA. m CA creates certificate binding E to its public key. m certificate containing E’s public key digitally signed by CA: CA says “This is E’s public key.” Bob’s public key K B + Bob’s identifying information digital signature (encrypt) CA private key K CA - K B + certificate for Bob’s public key, signed by CA - K CA (K ) B +

8: Network Security 8-33 Certification Authorities r when Alice wants Bob’s public key: m gets Bob’s certificate (from Bob or elsewhere). m apply CA’s public key to Bob’s certificate, get Bob’s public key Bob’s public key K B + digital signature (decrypt) CA public key K CA + K B + - K (K ) B +

8: Network Security 8-34 Secure Alice:  generates random symmetric private key, K S.  encrypts message with K S (for efficiency)  also encrypts K S with Bob’s public key.  sends both K S (m) and K B (K S ) to Bob.  Alice wants to send confidential , m, to Bob. K S ( ). K B ( ) K S (m ) K B (K S ) + m KSKS KSKS KBKB + Internet K S ( ). K B ( ). - KBKB - KSKS m K S (m ) K B (K S ) +

8: Network Security 8-35 Secure Bob:  uses his private key to decrypt and recover K S  uses K S to decrypt K S (m) to recover m  Alice wants to send confidential , m, to Bob. K S ( ). K B ( ) K S (m ) K B (K S ) + m KSKS KSKS KBKB + Internet K S ( ). K B ( ). - KBKB - KSKS m K S (m ) K B (K S ) +

8: Network Security 8-36 Secure (continued) Alice wants to provide sender authentication message integrity. Alice digitally signs message. sends both message (in the clear) and digital signature. H( ). K A ( ) H(m ) K A (H(m)) - m KAKA - Internet m K A ( ). + KAKA + K A (H(m)) - m H( ). H(m ) compare

8: Network Security 8-37 Secure (continued) Alice wants to provide secrecy, sender authentication, message integrity. Alice uses three keys: her private key, Bob’s public key, newly created symmetric key H( ). K A ( ). - + K A (H(m)) - m KAKA - m K S ( ). K B ( ). + + K B (K S ) + KSKS KBKB + Internet KSKS

8: Network Security 8-38 Pretty good privacy (PGP) r Internet encryption scheme, de-facto standard. r uses symmetric key cryptography, public key cryptography, hash function, and digital signature as described. r provides secrecy, sender authentication, integrity. r inventor, Phil Zimmerman, was target of 3-year federal investigation. ---BEGIN PGP SIGNED MESSAGE--- Hash: SHA1 Bob:My husband is out of town tonight.Passionately yours, Alice ---BEGIN PGP SIGNATURE--- Version: PGP 5.0 Charset: noconv yhHJRHhGJGhgg/12EpJ+lo8gE4vB3mqJ hFEvZP9t6n7G6m5Gw2 ---END PGP SIGNATURE--- A PGP signed message:

8: Network Security 8-39 Secure sockets layer (SSL) r provides transport layer security to any TCP-based application using SSL services. m e.g., between Web browsers, servers for e-commerce (https) r security services: m server authentication, data encryption, client authentication (optional) TCP IP TCP enhanced with SSL TCP socket Application TCP IP TCP API SSL sublayer Application SSL socket

8: Network Security 8-40 SSL: three phases 1. Handshake: r Bob establishes TCP connection to Alice r authenticates Alice via CA signed certificate r creates, encrypts (using Alice’s public key), sends master secret key to Alice m nonce exchange not shown SSL hello certificate K A + (MS) TCP SYN TCP SYNACK TCP ACK decrypt using K A - to get MS create Master Secret (MS) Alice may be amazon.com

8: Network Security 8-41 SSL: three phases 2. Key Derivation: r Alice, Bob use shared secret (MS) to generate 4 keys: m E B : Bob->Alice data encryption key m E A : Alice->Bob data encryption key m M B : Bob->Alice MAC key m M A : Alice->Bob MAC key r encryption and MAC algorithms negotiable between Bob, Alice

8: Network Security 8-42 SSL: three phases 3. Data transfer H( ). MBMB b 1 b 2 b 3 … b n d dH(d) d H( ). EBEB TCP byte stream block n bytes together compute MAC encrypt d, MAC, seq. # SSL seq. # dH(d) Type Ver Len SSL record format encrypted using E B unencrypted Procedure similar to a secure described earlier

2: Application Layer 43 Slides credits r J.F Kurose and K.W. Ross