Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 CS120: Lecture 16 MP Johnson Hunter Acknowledgement: some material from Greg Whalen.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 CS120: Lecture 16 MP Johnson Hunter Acknowledgement: some material from Greg Whalen."— Presentation transcript:

1 1 CS120: Lecture 16 MP Johnson Hunter mpjohnson@gmail.com Acknowledgement: some material from Greg Whalen

2 2 Agenda Security: “Only the paranoid survive” (Andy Grove) Crypto: –Idea of Crypto –Private-key –Public-key Security tips –On web –In public machines –Crypto on the web

3 3 Crypto: definitions Convert to unintelligible form –Reversible –But only by intended recipient Original msg: “plaintext” Encrypted message: “ciphertext” Other services: –Integrity checking: no tampering –Authentication/digital signatures: not an imposter

4 4 Types of crypto schemes Secret-key: one secret key –Also called private-key Public-key: two keys –Public and private Related: hash functions

5 5 Simple private-key schemes Caesar cipher (shift): –A  D, B  E –“key” = shift distance –Only 26 possible codes –Can beak easily (how?) General substitution –Each letter  some other letter –“key” = mapping function –26! Possible schemes –Can break with stats – letter frequencies One-time pad –First convert message to bits –Random bitstring xor-ed to text

6 6 Simple private-key schemes Book of one-time pads –Used in World War II, Cold War –Two agents have a book of codes –Each code used once, in order Messages intercepted when people used same code multiple times –Got lazy –Frequencies of letters

7 7 Computational Difficulty What’s secret is just a finite bitstring Most schemes can be broken –Brute force: try all possible keys The longer the key, the more secure –n+1 bits  brute force search is twice as hard (why?)

8 8 Brute-force attacks Common key lengths: 56 bits, 64 bits, 128 Recall time for 2^100 –Through with millions of processors, may be able to break in parallel For this reason, export restrictions on long-key crypto Some systems come in “US” and “International” (crippled) versions –Long keys v. short keys

9 9 Secret-key crypto algs Same key is used for encryption and decryption Eg: Substitution codes, DES, AES, IDEA Procedure: –Agree on key (but how?) –Communicate over insecure channel

10 10 Secret key v. secret algorithm Natural idea: use a secret algorithm Hard to keep secret if used widely: –Reverse engineering, “social engineering” Also: publishing, criticism gives confidence that algorithm is computationally secure –Crypto-design as science

11 11 New topic: Public-key crypto Invented/published in 1975 –RSA, Diffie-Hellman, British intel Two keys: private (d), public (e) –Encryption: public key; Decryption: private key –Signing: private key; Verification: public key Much slower than secret key cryptography

12 12 Public-key crypto Data transmission: –A encrypts msg using e_B –Sends to B –B decrypts with d_B In practice, public keys are called certificate, available to browser automatically over web But public-key is slow…

13 13 Public-key crypto: dig sig Given your private key, you can sign msg When I receive, I verify with your pubic key Since only you have your private key, this convinces me that: –You’re really you –The message is the one you wrote –Eg: “Sell IBM” –Eg: “Sell Imclone at 60”

14 14 Why is RSA secure? One way is easy one way is hard Private key = two primes p,q Public key = n = p*q n is used in encryption alg To decrypt, need p and q But factoring a (large) number into primes is hard

15 15 Hybrid algs But public-key is very slow compared to private key In practice, people use hybrid algs Procedure: 1.I pick random number 2.Encrypt with your public key and send to you 3.You decrypt 4.Now we share secret info – a “session key” 5.Now we can use this for private-key crypto

16 16 Security: browser Many webpages have active parts –Flash, Java applets, ActiveX, Scripting  opportunities for hacking –Viruses, spyware, etc. 1.Rec: turn security to medium or high 2.Rec: get a toolbar/popup-blocker 3.Rec: get virus, spyware software –Microsoft Anti-Spyware is free

17 17 Security: public machines Safe: don’t use pub machines for anything that reqs login Or at least: not for anything sensitive (financial) Machines could have keyloggers –Record each key pressed –Save to file or email to address –http://yro.slashdot.org/yro/05/11/18/1356205.shtml?tid=158&tid=172http://yro.slashdot.org/yro/05/11/18/1356205.shtml?tid=158&tid=172 –http://www.theregister.co.uk/2003/07/19/guilty_plea_in_kinkos_keystroke/http://www.theregister.co.uk/2003/07/19/guilty_plea_in_kinkos_keystroke/ –2003: Queens guy installed keylogger on machines at Kinkos –got 450 people’s banking passwords Somewhat safe: don’t type your passwords in order

18 18 Security: other devices Most wireless routers come with a default name and password Many people don’t change these –  can get wifi access through them Also with OSs, databases, etc. –Blank root password on Linux… Same thing with web-based security cams –Default/no passwords –Also: urls all have same form –Can do an “in-url” search to find unsecured security cams

19 19 Security: deleting files When you delete a file, it’s not really deleted from disk It’s space is just set to “available” –It may now be overwritten in the future Can get tools that physically overwrite info –Overwrite with all 0s –Overwrite with random numbers, many times

20 20 New topic: security on the web Authentication –If you want to pay Amazon with your credit card, how does the site know it’s really you? –If you enter your credit card, how do you know it’s really Amazon? Maybe it’s a phishing site… Secrecy –When you enter your credit card, will an eavesdropper be able to see it?

21 21 Security on the web Obvious soln: passwords –What’s the problem? Slightly less obvious soln: passwords + encryption Traditional encryption: “symmetric” / “private key” –DES, AES – fast – solves problem? “Newer” kind: “asymmetric” / “public key” –Public key is published somewhere –Private key is top secret –RSA – slow – solves problem?

22 22 Authentication on the web Neither private- nor public-key suffices But together they do! –“hybrid” protocol“ for authentication SSL(HTTPS)-style algorithm: 1.You pick a random number 2.Encrypt with Amazon’s cert, send to them 3.Amazon decrypts it, and sends it back to you –Since Amazon figured it out, it must be them

23 23 Authentication on the web Now you trust that it’s really Amazon –Assuming Amazon’s private key is secure… But: What if, say, someone else guessed your password? –Another way: What if you claim someone guessed yours? Soln: same process, but in reverse –But now you need to get your own cert…

24 24 Encryption on the web What about secrecy? Again, a (related) hybrid protocol: –Amazon just sent you their public-key cert –When you log in to Amazon, 1.You pick another random number (“session key”) 2.You encrypt it (with their cert) and send it to them 3.They decrypt it (with their private key) Now, you both share a secret key can now encrypt passwords, credit cards, etc.

25 25 ssh This is what ssh gives you Like telnet –Command-prompt log-in across Internet But secure –Encryption –Two-way pub-key authentication –Or just one-way pub-key + password

26 26 Review: hybrid algs online Used for encryption & authentication Used in https/ssl & ssh Hybrid protocol: –Amazon just sent you their public-key cert –When you log in to Amazon, 1.You pick another random number (“session key”) 2.You encrypt it (with their cert) and send it to them 3.They decrypt it (with their private key) Now, you both share a secret key can now encrypt passwords, credit cards, etc.

27 27 New topic: Hash functions Function that hashes the message –Creates a “digest” f(x) is easy to compute f^-1(y) is impossible –Can’t recover the message from the hash Popular hash functions: –MD5, SHA-1 Applications: 1.Authentication Send a message and its hash

28 28 Hash apps 2.Hashing passwords –Website doesn’t need to know pass to verify it –On choosing pass, website stores its hash –On login, compares hash of entered pass to hash on file 3.RFID for car keys –Key remote has unique hash ftn inside –On req, car sends key a number –Key hashes and returns –If correct result, car opens

29 29 Simple protocol: rot13 To encrypt letter: –Advance letter forward 13 places –Wrap if necessary To decrypt letter: –Same protocol! To code: pull out each char, treat as number, build output string

30 30 Review: hybrid algs Combine public-key and private-key Used for encryption & authentication Used in https/ssl & ssh Hybrid protocol: –Amazon just sent you their public-key cert –When you log in to Amazon, 1.You pick another random number (“session key”) 2.You encrypt it (with their cert) and send it to them 3.They decrypt it (with their private key) Now, you both share a secret key can now encrypt passwords, credit cards, etc.

31 31 New topic: Hash functions Function that hashes the message –Creates a “digest” f(x) is easy to compute f^-1(y) is impossible –Can’t recover the message from the hash Popular hash functions: –MD5, SHA-1

32 32 Hash apps 1.Authentication –Send a message and its hash 2.Hashing passwords –Website doesn’t need to know pass to verify it –On choosing pass, website stores its hash –On login, compares hash of entered pass to hash on file 3.RFID for car keys –Key remote has unique hash ftn inside –On req, car sends key a number –Key hashes and returns –If correct result, car opens

Download ppt "1 CS120: Lecture 16 MP Johnson Hunter Acknowledgement: some material from Greg Whalen."

Similar presentations

Cryptology Making & Breaking Codes & Ciphers. AJ 1152 Cryptology Cryptography –Science of creating codes or ciphers Cryptanalysis –Science of breaking.

Cryptology Making & Breaking Codes & Ciphers. AJ 1152 Cryptology Cryptography –Science of creating codes or ciphers Cryptanalysis –Science of breaking.
Computer Science CSC 474By Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.1 Introduction to Cryptography.

Computer Science CSC 474By Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.1 Introduction to Cryptography.
CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.

CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.
NSRC Workshop Some fundamental security concerns... Confidentiality - could someone else read my data? Integrity - has my data been changed? Authentication.

NSRC Workshop Some fundamental security concerns... Confidentiality - could someone else read my data? Integrity - has my data been changed? Authentication.
Digital Signatures. Anononymity and the Internet.

Digital Signatures. Anononymity and the Internet.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Public-key Cryptography Montclair State University CMPT 109 J.W. Benham Spring, 1998.

Public-key Cryptography Montclair State University CMPT 109 J.W. Benham Spring, 1998.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
Chapter 5 Cryptography Protecting principals communication in systems.

Chapter 5 Cryptography Protecting principals communication in systems.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
CS1001 Lecture 24. Overview Encryption Encryption Artificial Intelligence Artificial Intelligence Homework 4 Homework 4.

CS1001 Lecture 24. Overview Encryption Encryption Artificial Intelligence Artificial Intelligence Homework 4 Homework 4.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Chapter 13: Electronic Commerce and Information Security Invitation to Computer Science, C++ Version, Fourth Edition SP09: Contains security section (13.4)

Chapter 13: Electronic Commerce and Information Security Invitation to Computer Science, C++ Version, Fourth Edition SP09: Contains security section (13.4)
Introduction to Cryptography

Introduction to Cryptography
Encryption Methods By: Michael A. Scott 20140508.

Encryption Methods By: Michael A. Scott
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Encryption is a way to transform a message so that only the sender and recipient can read, see or understand it. The mechanism is based on the use of.

Encryption is a way to transform a message so that only the sender and recipient can read, see or understand it. The mechanism is based on the use of.

Similar presentations

Ads by Google