Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 4: Cryptography III; Email Security CS 336/536: Computer Network Security Fall 2013 Nitesh Saxena.

Published byNathen Hamp Modified over 9 years ago

Similar presentations

Presentation on theme: "Lecture 4: Cryptography III; Email Security CS 336/536: Computer Network Security Fall 2013 Nitesh Saxena."— Presentation transcript:

1 Lecture 4: Cryptography III; Email Security CS 336/536: Computer Network Security Fall 2013 Nitesh Saxena

2 Course Administration HW/Lab 1 Posted Labs are active starting this week – Please only attend the sessions you registered for Everyone receiving my emails? Lecture slides worked okay? 4/27/2015Lecture 4: Crypto, and Email Security2

3 Outline of Today’s lecture Hash Functions – Properties – Birthday Paradox – Generic Design Message Authentication Code Key Distribution – Private Key Setting – Public Key Setting Email Security 4/27/2015Lecture 4: Crypto, and Email Security3

4 Hash Functions 4/27/2015Lecture 4: Crypto, and Email Security4

5 Cryptographic Hash Functions Requirements of cryptographic hash functions: – Can be applied to data of any length. – Output is fixed length, usually very short – Relatively easy to compute h(x), given x – Function is deterministic – Infeasible to get x, given h(x). One-wayness property – Given x, infeasible to find y such that h(x) = h(y). Weak-collision resistance property – Infeasible to find any pair x and y (x ≠ y) such that h(x) = h(y). Strong-collision resistance property or just collision resistance 4/27/2015Lecture 4: Crypto, and Email Security5

6 Some Applications of Hash Functions In general, can be used as a checksum for large amounts of data Password hashing Digital signatures Message authentication codes (will study in a bit) Used also in RSA-OAEP, and many other cryptographic constructions 4/27/2015Lecture 4: Crypto, and Email Security6

7 Hash Output Length How long should be the output (n bits) of a cryptographic hash function? To find collision - randomly select messages and check if hash matches any that we know. Throwing k balls in N = 2 n bins. How large should k be, before probability of landing two balls in the same becomes greater than ½? Birthday paradox - a collision can be found in roughly sqrt(N) = 2 (n/2) trials for an n bit hash – In a group of 23 (~ sqrt(365)) people, at least two of them will have the same birthday (with a probability > ½) Hence n should be at least 160 4/27/2015Lecture 4: Crypto, and Email Security7

8 Birthday Paradox Probability that hash values of k random messages are distinct is (that is, no collisions) is: 4/27/2015Lecture 4: Crypto, and Email Security8

9 Generic Hash Function – Merkle- Damgard Construction This design for H() is collision-resistant given that h() is collision resistant Intuitively, this is because there is a avalanche effect – even if the inputs differ in just 1 bit, the outputs will be completely different IV is a known public constant 9

10 An Illustrative Example from Wikipedia 104/27/2015Lecture 4: Crypto, and Email Security

11 Practical Examples SHA-1 – Output 160 bits – B’day attack requires 2 80 calls – Faster attacks 2 69 calls http://infosec.sdu6.edu.cn/uploadfile/papers/Finding%20Collisions%20in %20the%20Full%20SHA-1.pdf MD5 – Output is 128 bits, so B’day attack requires 2 64 calls only – Faster attacks to find a collision: http://eprint.iacr.org/2004/199.pdf Better use stronger versions, such as SHA-256 Although, these attacks are still not practical – they only find two random messages that collide 114/27/2015Lecture 4: Crypto, and Email Security

12 Further Reading Stallings Chapter 3 HAC Chapter 9 4/27/2015Lecture 4: Crypto, and Email Security12

13 Message Authentication Codes 4/27/2015Lecture 4: Crypto, and Email Security13

14 Message Authentication Codes Provide integrity as well as authentication Send (m, MAC); MAC is created on m using the key shared between two parties Has to be deterministic to enable verification – Unlike encryption schemes We want MAC to be as small and as secure as possible Can not provide non-repudiation – Why not? 144/27/2015Lecture 4: Crypto, and Email Security

15 MAC – Functions KeyGen – outputs a key MAC – creates a checksum on m using key K Verify – validates whether the checksum on m is computed correctly – Just create MAC and compare 4/27/2015Lecture 4: Crypto, and Email Security15

16 Security Notion for MAC Very similar to the security notion for a digital signature scheme Existential forgery under (adaptively) chosen message attack 164/27/2015Lecture 4: Crypto, and Email Security

17 Can encryption be used as a MAC? No, not in general Intuitively because encryption achieves properties different from MAC See a counter-example: – One-time pad as a MAC – bad idea! However, you can use 3-DES or AES as a building block for MAC 4/27/2015Lecture 4: Crypto, and Email Security17

18 MAC Based on Block Cipher in the CBC mode – CBC-MAC 184/27/2015Lecture 4: Crypto, and Email Security

19 CBC-MAC Note that this is deterministic – IV = [0] – Unlike CBC encryption Only the last block of the output is used as a MAC This is secure under CMA attack – For pre-decided fixed-length messages – Intuitively because of the presence of an avalanche effect 4/27/2015Lecture 4: Crypto, and Email Security19

20 HMAC: MAC using Hash Functions Developed as part of IPSEC - RFC 2104. Also used in SSL etc. Key based hash but almost as fast as non-key based hash functions. Avoids export restrictions unlike DES based MAC. Provable security Can be used with different hash functions like SHA-1,MD5, etc. 204/27/2015Lecture 4: Crypto, and Email Security

21 HMAC Block size b bits. K + - K padded with bits on the left to make b bits. ipad – 0110110 (ox36) repeated b/8 times. opad – 1011100 (0x5c) repeated b/8 times. Essentially HHMAC K = H[(K + xor opad) || H[(K + xor ipad) || M]] 214/27/2015Lecture 4: Crypto, and Email Security

22 Security of HMAC Security related to the collision resistance of the underlying hash function http://www.cse.ucsd.edu/~mihir/papers/hma c.html 224/27/2015Lecture 4: Crypto, and Email Security

23 Further Reading Stallings Chapter 3 HAC Chapter 9 234/27/2015Lecture 4: Crypto, and Email Security

24 Key Distribution 4/27/2015Lecture 4: Crypto, and Email Security24

25 Key Distribution Cryptographic primitives seen so far assume – In private key setting: Alice and Bob share a secret key which is unknown to Oscar. – In public key setting: Alice has a “trusted” (or authenticated) copy of Bob’s public key. But how does this happen in the first place? Alice and Bob meet and exchange key(s) Not always practical or possible. We need key distribution, first and foremost! Idea: make use of a trusted third party (TTP) 254/27/2015Lecture 4: Crypto, and Email Security

26 “Private Key” Distribution: An Attempt Protocol assumes that Alice and Bob share a session key K A and K B with a Key Distribution Center (KDC). – Alice calls Trent (Trusted KDC) and requests a session key to communicate with Bob. – Trent generates random session key K and sends E K A (K) to Alice and E K B (K) to Bob. – Alice and Bob decrypt with K A and K B respectively to get K. This is a key distribution protocol. Susceptible to replay attack! 26

27 Session Key Exchange with KDC – Needham- Schroeder Protocol A -> KDC ID A || ID B || N 1 (Hello, I am Alice, I want to talk to Bob, I need a session Key and here is a random nonce identifying this request) KDC -> A E K A ( K || ID B || N 1 || E K B (K || ID A )) Encrypted(Here is a key, for you to talk to Bob as per your request N 1 and also an envelope to Bob containing the same key) A -> B E K B (K || ID A ) (I would like to talk using key in envelope sent by KDC) B -> A E K (N 2 ) (OK Alice, But can you prove to me that you are indeed Alice and know the key?) A -> B E K (f(N 2 )) (Sure I can!) Dennig-Sacco (replay) attack on the protocol 274/27/2015Lecture 4: Crypto, and Email Security

28 Session Key Exchange with KDC – Needham- Schroeder Protocol (corrected version with mutual authentication) A -> KDC: ID A || ID B || N 1 (Hello, I am Alice, I want to talk to Bob, I need a session Key and here is a random nonce identifying this request) KDC -> A: E K A ( K || ID B || N 1 || E K B (TS1, K || ID A )) Encrypted(Here is a key, for you to talk to Bob as per your request N 1 and also an envelope to Bob containing the same key) A -> B: E K (TS2), E K B (TS1, K || ID A ) (I would like to talk using key in envelope sent by KDC; here is an authenticator) B -> A: E K (TS2+1) (OK Alice, here is a proof that I am really Bob) 284/27/2015Lecture 4: Crypto, and Email Security

29 Some questions Can a KDC learn communication between Alice and Bob, to whom it issued keys? Can OTP make for a good MAC? Can H(K||m) make for a good MAC? Does HMAC provide non-repudiation? 294/27/2015Lecture 4: Crypto, and Email Security

30 Key Distribution Cryptographic primitives seen so far assume – In private key setting: Alice and Bob share a secret key which is unknown to Oscar. – In public key setting: Alice has a “trusted” (or authenticated) copy of Bob’s public key. But how does this happen in the first place? Alice and Bob meet and exchange key(s) Not always practical or possible. We need key distribution, first and foremost! Idea: make use of a trusted third party (TTP) 304/27/2015Lecture 4: Crypto, and Email Security

31 Public Key Distribution Public announcements (such as email) – Can be forged Public directory – Can be tampered with Public-key certification authority (CA) (such as verisign) – This is what we use in practice – CA issues certificates to the users 314/27/2015Lecture 4: Crypto, and Email Security

32 Naming and Certificates Certification authority’s vouch for the identity of an entity - Distinguished Names (DN). /O=UAB/OU=CIS/CN=Nitesh Saxena – Although CN may be same, DN is different. Policies of certification – Authentication policy What level of authentication is required to identify the principal. – Issuance policy Given the identity of principal will the CA issue a certificate? 324/27/2015Lecture 4: Crypto, and Email Security

33 Types of Certificates CA’s vouch at some level the identity of the principal. Example – Verisign: – Class 1 – Email address – Class 2 – Name and address verified through database. – Class 3- Background check. 334/27/2015Lecture 4: Crypto, and Email Security

34 Public Key Certificate Public Key Certificate – Signed messages specifying a name (identity) and the corresponding public key. Signed by whom – Certification Authority (CA), an organization that issues public key certificates. We assume that everyone is in possession of a trusted copy of the CA’s public key. 344/27/2015Lecture 4: Crypto, and Email Security

35 Public Key Certificate 35 Note: Mechanism of certification and content of certificate, will vary but at the minimum we have email verification and contains ID and Public Key. 4/27/2015Lecture 4: Crypto, and Email Security

36 Certificate Verification/Validation 364/27/2015Lecture 4: Crypto, and Email Security

37 Certificate Revocation CA also needs some mechanism to revoke certificates – Private key compromised. – CA mistake in issuing certificate. – Particular service the certificate grants access to may no longer exist. – CA compromised. Expiration time solves the problems only partially. Certification Revocation Lists (CRL) – a list of every certificate that has been revoked but not expired. – CRL’s quickly grow large! CRL’s distributed periodically. – What about time period between revocation and distribution of CRL? Other mechanisms – OCSP (online certificate status protocol) 374/27/2015Lecture 4: Crypto, and Email Security

38 X.509 Clearly, there is a need for standardization – X.509. Originally 1988, revised 93 and 95. X.509 is part of X.500 series that defines a directory service. Defines a framework for authentication services by X.500 directory to its users. Used in S/MIME, IPSEC, SSL etc. Does not dictate use of specific algorithm (recommends RSA). 384/27/2015Lecture 4: Crypto, and Email Security

39 X.509 Certificate 394/27/2015Lecture 4: Crypto, and Email Security

40 Advantages of CA Over KDC CA does not need to be on-line all the time! CA can be very simple computing device. If CA crashes, life goes on (except CRL). Certificates can be stored in an insecure manner!! Compromised CA cannot decrypt messages. Scales well. 404/27/2015Lecture 4: Crypto, and Email Security

41 Public-key Infrastructure (PKI) Combination of digital certificates, public-key cryptography, and certificate authorities. A typical enterprise's PKI encompasses – issuance of digital certificates to users and servers – end-user enrollment software – integration with corporate certificate directories – tools for managing, renewing, and revoking certificates; and related services and support Verisign, Thawte and Entrust – PKI providers. Your own PKI using Mozilla/Microsoft certificate servers 414/27/2015Lecture 4: Crypto, and Email Security

42 Problems with PKI – Private Key Where and how is private key stored? – Host – encrypted with pass phrase – Host – encrypted by OS or application – Smart Card Assumes secure host or tamper proof smartcard. 424/27/2015Lecture 4: Crypto, and Email Security

43 Problems with PKI - Conflicts X.509, and PGP remain silent on conflicts. They assume CA’s will ensure that no conflicts arise. But in practice conflicts may exist – – John A. Smith and John B. Smith may live at the same address. 434/27/2015Lecture 4: Crypto, and Email Security

44 Trustworthiness of Issuer A certificate is the binding of an external identity to a cryptographic key and a distinguished name. If the issuer can be fooled, all who rely upon the certificate can be fooled  How do you trust CA from country XYZ (your favorite prejudice). 444/27/2015Lecture 4: Crypto, and Email Security

45 Further Reading Stallings Chapter 4 HAC Chapter 12 454/27/2015Lecture 4: Crypto, and Email Security

46 Further Reading X.509 page http://www.ietf.org/html.charters/pkix- charter.html http://www.ietf.org/html.charters/pkix- charter.html Ten Risks of PKI - http://www.schneier.com/paper-pki.html http://www.schneier.com/paper-pki.html 464/27/2015Lecture 4: Crypto, and Email Security

47 Some questions Can a KDC learn communication between Alice and Bob, to whom it issued keys? Can a CA learn communication between Alice and Bob, to whom it issued certificates? What happens if the CA is online all the time? Alice uses her private key, public key pairs and a CA issued certificate. She learnt that Eve might have leaned her key. What should she do? 474/27/2015Lecture 4: Crypto, and Email Security

48 Some Questions Sometimes when you access an https web- site, you get a security warning. What is that warning for? Sometimes when you connect to an SSH server, you get a security warning. What is that warning for? What is a self-signed certificate? 484/27/2015Lecture 4: Crypto, and Email Security

49 Email Security via PGP 4/27/2015Lecture 4: Crypto, and Email Security49

50 Email Security Email is one of the most widely used and regarded network services By default, email communication is NOT “secure” – may be inspected either in transit, or by suitably privileged users on destination system – may be impersonated/spoofed Lecture 4: Crypto, and Email Security4/27/201550

51 Email Security Enhancements Confidentiality – protection from disclosure Authentication – of sender of message Message integrity – protection from modification Non-repudiation of origin – protection from denial by sender Lecture 4: Crypto, and Email Security4/27/201551

52 Pretty Good Privacy (PGP) Open source, freely available software package for secure e-mail De facto standard for secure email Developed by Phil Zimmermann Selected best available crypto algorithms to use Runs on a variety of platforms like Unix, PC, Macintosh and other systems Originally free (now also have commercial versions available) Lecture 4: Crypto, and Email Security4/27/201552

53 PGP Operation – Authentication Just use digital signatures: 1.Sender creates message 2.Generates a digital signature for the message 3.Use SHA-1 to generate 160-bit hash of message 4.Signed hash with RSA using sender's private key, and is attached to message 5.Receiver uses RSA with sender's public key to decrypt and recover hash code 6.Receiver verifies received message using hash of it and compares with decrypted hash code Lecture 4: Crypto, and Email Security4/27/201553

54 PGP Operation – Confidentiality 1.Sender generates a message 2.Generates a128-bit random number as session key 3.Encrypts the message using CAST-128 / IDEA / 3DES in CBC mode with session key 4.Session key encrypted using RSA with recipient's public key and attached to the msg 5.Receiver uses RSA with private key to decrypt and recover session key 6.Session key is used to decrypt message Lecture 4: Crypto, and Email Security4/27/201554

55 PGP Operation – Confidentiality & Authentication Can use both services on the same message – create signature & attach it to the message – encrypt both message & signature – attach RSA encrypted session key This sequence is preferred because --one can store the plaintext message/file and its signature --no need to decrypt the message/file again Lecture 4: Crypto, and Email Security4/27/201555

56 PGP Operation – Compression PGP compresses messages to save space for e-mail transmission and storage By default, PGP compresses message after signing but before encrypting – so can store uncompressed message & signature for later verification – Encryption after compression strengthens security (because compression has less redundancy) uses ZIP compression algorithm Lecture 4: Crypto, and Email Security4/27/201556

57 PGP Operation – Email Compatibility When using PGP will have binary data (8-bit octets) to send (encrypted message, etc) However, email was designed only for text Hence PGP must encode raw binary data into printable ASCII characters uses radix-64 algorithm – maps 3 bytes to 4 printable chars – also appends a CRC PGP also segments messages if too big (maximum length 50,000 octets) Lecture 4: Crypto, and Email Security4/27/201557

58 PGP Operation – Summary Lecture 4: Crypto, and Email Security4/27/201558

59 PGP Session Keys Need a session key for each message – of varying sizes: 56-bit DES, 128-bit CAST or IDEA, 168-bit Triple-DES Uses random inputs taken from – actual keys hit – keystroke timing of a user – mouse movement Lecture 4: Crypto, and Email Security4/27/201559

60 PGP Public & Private Keys Since many public/private keys may be in use, need to identify which is actually used to encrypt session key in a message – Could send full public-key with every message – But, this is inefficient Rather use a key identifier based on key – is least significant 64-bits of the key – will very likely be unique also use key ID in signatures Lecture 4: Crypto, and Email Security4/27/201560

61 PGP Key Rings each PGP user has a pair of keyrings: – public-key ring contains all the public-keys of other PGP users known to this user, indexed by key ID – private-key ring contains the public/private key pair(s) for this user, indexed by key ID & encrypted key (encrypted with a hashed passphrase) security of private keys thus depends on the pass-phrase security Lecture 4: Crypto, and Email Security4/27/201561

62 PGP Message Generation Lecture 4: Crypto, and Email Security4/27/201562

63 PGP Message Reception Lecture 4: Crypto, and Email Security4/27/201563

64 PGP Key Distribution Public keys for encrypting session keys / verifying signatures. Private keys for decrypting session keys / creating signatures. Where do these keys come from and on what basis can they be trusted? Lecture 4: Crypto, and Email Security4/27/201564

65 PGP Key Distribution PGP adopts a trust model called the web of trust. No centralized authority Individuals sign one another’s public keys, these “certificates” are stored along with keys in key rings. PGP computes a trust level for each public key in key ring. Users interpret trust level for themselves. Lecture 4: Crypto, and Email Security4/27/201565

66 PGP Key Distribution Issues Original intention was that all e-mail users would contribute to web of trust. Reality is that this web is sparsely populated. How should security-unaware users assign and interpret trust levels? Later versions of PGP support X.509 certs. Lecture 4: Crypto, and Email Security4/27/201566

67 PGP in Practice PGP plugins available – Standalone Email clients – Browser (e.g., FireGPG) – SecureGmail (Chrome extension) – Mailvelope You will be playing around with this as part of Lab 1 (Problem 1) Lecture 4: Crypto, and Email Security4/27/201567

68 References Chapter 8 of Stallings Lecture 4: Crypto, and Email Security4/27/201568

Download ppt "Lecture 4: Cryptography III; Email Security CS 336/536: Computer Network Security Fall 2013 Nitesh Saxena."

Similar presentations

Email Security 1. email is one of the most widely used and regarded network services currently message contents are not secure may be inspected either.

Security 1. is one of the most widely used and regarded network services currently message contents are not secure may be inspected either.
Lecture 4: Hash Functions, Message Authentication and Key Distribution CS 392/6813: Computer Security Fall 2008 Nitesh Saxena *Adopted from Previous Lectures.

Lecture 4: Hash Functions, Message Authentication and Key Distribution CS 392/6813: Computer Security Fall 2008 Nitesh Saxena *Adopted from Previous Lectures.
Lecture 5: Email security: PGP Anish Arora CSE 5473 Introduction to Network Security.

Lecture 5: security: PGP Anish Arora CSE 5473 Introduction to Network Security.
Lecture 5: Email security: PGP Anish Arora CIS694K Introduction to Network Security.

Lecture 5: security: PGP Anish Arora CIS694K Introduction to Network Security.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.

An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
Chapter 5 Electronic mail security. Outline Pretty good privacy S/MIME Recommended web sites.

Chapter 5 Electronic mail security. Outline Pretty good privacy S/MIME Recommended web sites.
1 Pertemuan 12 E-mail Security Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 12 Security Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
NS-H0503-02/11041 E-mail Security. NS-H0503-02/11042 Email Security email is one of the most widely used and regarded network services currently message.

NS-H / Security. NS-H / Security is one of the most widely used and regarded network services currently message.
Electronic mail security

Electronic mail security
Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.

Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.
Cryptography and Network Security Chapter 15 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 15 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.

Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.
Lecture 9: Email Security via PGP CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 9: Security via PGP CS 436/636/736 Spring 2012 Nitesh Saxena.
SMUCSE 5349/49 Email Security. SMUCSE 5349/7349 Threats Threats to the security of e-mail itself –Loss of confidentiality E-mails are sent in clear over.

SMUCSE 5349/49 Security. SMUCSE 5349/7349 Threats Threats to the security of itself –Loss of confidentiality s are sent in clear over.
Chapter 31 Network Security

Chapter 31 Network Security
Lecture 4.2: Key Distribution CS 436/636/736 Spring 2014 Nitesh Saxena.

Lecture 4.2: Key Distribution CS 436/636/736 Spring 2014 Nitesh Saxena.
Electronic Mail Security

Electronic Mail Security
Cryptography and Network Security Chapter 18

Cryptography and Network Security Chapter 18

Similar presentations

Ads by Google