Chap. 7: Confidentiality using symmetric encryption & Introduction to public-key cryptosystems

Jen-Chang Liu, 2004

Adapted fromLecture slides by Lawrie Brown

Amongst the tribes of Central Australia every man, woman, and child has a secret or sacred name which is bestowed by the older men upon him or her soon after birth, and which is known to none but the fully initiated members of the group. The secret name is never mentioned …The native thinks that a stranger knowing his secret name would have special power to work him ill by means of magic.

-The Golden Bough, Sir James George Frazer

Motivation and outline symmetric encryption is used to

provide message confidentialityQ: Where to put the encryption

mechanism? How to distribute the secret key?

Placement of encryption function Traffic confidentiality Key distribution

Confidentiality using Symmetric Encryption 機密性

What to encrypt and where the encryption function should be located

consider typical scenario:

(1)Eavesdropping bymembers

(2) dial-in,then intrude

(3) Tap into wire

(4) Monitor traffic

Typical scenario and attacks

consider typical scenario workstations on LANs access other

workstations & servers on LAN LANs interconnected using switches/routers with external lines or radio/satellite links

consider attacks and placement in this scenario snooping from another workstation use dial-in to LAN or server to snoop use external router link to enter & snoop monitor and/or modify traffic one external

links

Placement of encryption have two major placement alternatives link encryption

encryption occurs independently on every link

implies must decrypt traffic between links requires many devices, but paired keys for

all links end-to-end encryption

encryption occurs between original source and final destination

need devices at each end with shared keys

Placement of encryption (cont.)

One sharedkey

One keyfor each link

Problems with routing In a packet-switching network, we need packet

header to route packets Link encryption: so packet must be decrypted

before routing Vulnerable at each switch node

End-to-end encryption: must leave headers in clear, so network can correctly route information

hence although contents protected, traffic pattern is not protected

ideally want both at once end-to-end protects data contents over entire

path and provides authentication link protects traffic flows from monitoring

Placement of encryption over OSI model

can place encryption function at various layers in OSI Reference Model

OSI model and packetization

Application levelencryption

TCP levelencryption Link level

encryption

Placement of encryption over OSI model (cont.)

Outline Placement of encryption function Traffic confidentiality Key distribution

Traffic Analysis In packet-switching network, the

packet header cannot be encrypted Traffic analysis is monitoring of

communications flows between parties Ex. know who is talking to whom in

military usage Traffic analysis reveals

Identities of partners How frequently the partners are

communicating Message pattern, message length,

quantity of messages, …

Defense against traffic analysis

link encryption obscures header details but overall traffic volumes in networks and

at end-points is still visible

Traffic padding

Outline Placement of encryption function Traffic confidentiality Key distribution

Model for Network Security

Key Distribution symmetric schemes require both

parties to share a common secret key issue is how to securely distribute this

key often secure system failure due to a

break in the key distribution scheme

Key Distribution methods given parties A and B have various

key distribution alternatives:1. A can select key and physically deliver to

B2. third party can select & physically deliver

key to A & B3. if A & B have communicated previously

can use previous key to encrypt a new key4. if A & B have secure communications with

a third party C, C can relay key between A & B

Not suitablefor largesystems

Initial distribution?

Scale of key distribution problem

A network with N hosts => N(N-1)/2 pairs

Node-level encryption N(N-1)/2

Application-level encryption 10 applications/node

Key distribution center (KDC)

Key distribution

center (KDC)

KDC shares a unique key (master key) with each user to distributesecret key (session key) between a pair of users: scale of key distribution problem reduces to N

EMK1 (Secret key)

Secret key Secret key

EMK2 (Secret key)

Key Distribution Scenariononce: an identifierthat differs for each request

Session key Identifier for A (ex. address)

Master key Ka Master key Kb

(avoid replay attack)

1. Verify the original request2. Avoid replay attack

Hierarchical key control

…

KDC

…

KDC

KDC

a b

Session key lifetime Short session key lifetime

Key exchanges frequently => more secure Long session key lifetime

Reduce key exchange time, and network capacity Two connection protocol

(session<connection) Connectionless protocol (ex. UDP, HTTP)

Not to use a new key for each session, use a given session key for a fixed period of time

Connection-oriented protocol (ex. TCP) The same key for the connection; or update the key

periodically if the connection has long lifetime

Transparent key control scheme

End-to-end encrypt at network (transport) layer, which is transparent to users

? No authentication

Front-end processor (FEP)

data

header

Decentralized key control KDC trusted? Decentralized: assume there is one

master key for each pair of end systems

shared master key

session key

Master key are used for a short time, cryptanalysis is difficult

Nonce for authentication

Introduction to public-key cryptosystems

Introduction to public-key cryptosystems

Recall: symmetric ciphers One secret key, shared by sender and

receivers (symmetric) Based on substitution and permutation Problem:

Key distribution Digital signature: a kind of signature used in

paper document

Deffie and Hellman proposed the public-key cryptosystem to address the above two problems in 1976

Preview of public-key systems

Features of public-key system Asymmetric: a public key and a private key Algorithm based on mathematical functions

Fallacies Public-key is more secure than symmetric

encryption Public-key encryption is a general-purpose

technique that will make symm. encrypt. obsolete

Key distribution is trivial is easier for public-key encryption than symmetric encryption

Public-key encryption One-key for encryption A different but related key for decryption

It is computational infeasible to determine the decryption key given the crypto. algorithm and the encryption key

Steps in public-key encryption

1. Each user generates a pair of keys for encryption and decryption(In RSA, these two keys can exchange 加解密皆

可 )

2. One key (public key) is announced publicly. The other key is kept private.

Q: key distribution problem? (Chap. 10)

3. Bob sends encrypted message to Alice using Alice’s public key.

4. Only Alice can decrypt the message using her private key.

Comparison between symmetric and public-key encryption

Math. formulation of public-key system

Y = EKU (X)b

X = DKR (Y)b

What E and D can achieve this?

Requirement for public-key cryptography

Diffie and Hellman (1976) proposed the system without the algorithm for E and D. They laid out the requirement: It is computationally easy to generate a pair of keys It is computationally easy for a sender to encrypt It is computationally easy for a receiver to decrypt It is computationally infeasible for an opponent,

knowing the public key, to determine the private key

It is computationally infeasible for an opponent, knowing the public key and ciphtertext, to recover the plaintext

Y = EKU (X)b

X = DKR (Y)b

The algorithms that satisfy public-key requirement

RSA (Rivest-Shamir-Adleman) 1978 Number theory

Elliptic curve cryptography

Trap-door one-way function

Public-key encryption is a one-way function Every function value has a unique inverse

domain targetY=f(X): easy

X=f-1 (Y): infeasible ( > polynomial time)

• It is hard to determine the complexity to compute the inverse• Not a traditionally complexity problem, which focuses on the worst-case or average-case complexity

Trap-door one-way function (cont.)

Open a trap-door using the private key…

domain targetY=f(X): easy

X=f-1 (Y): infeasible ( > polynomial time)

X=fK-1 (Y): easy if trap-door K is known

( ~ polynomial time)

Public-key system for authentication 身份認證

Recall: the problem of digital signature

• Only Bob has the private keyto encrypt !!!

(server asdigital signature)

Authentication issues (Chap. 13)

Encrypt entire message? No necessary. Encrypt the authenticator: a

small block of bits that is a function of the document

Change of document will change the authenticator

Digital signature is confidential? No. Any one who has the public-key can

decrypt What to do? => double use of the public-key

system

Public-key system for both confidentiality and authentication

Public-key cryptanalysis Brute-force attack: search the private

key Solution: use large keys Tradeoffs: complexity of encrypt/decrypt

using large keys security using large keys Public-key system are currently too slow for

general-purpose use, only used for key management and signature application

Compute private key given the public key Not proved to be infeasible

Public-key cryptanalysis (cont.)

Probable-message attack Ex. encrypt 56-bit DES key

Public-keyencryption

56-bitDES key C

Public-key

Attack:

Public-keyencryption

C1

Public-key

000…000000…001000…010000…011….111…111

Try allDES Key

C2

C3

…

Ck= C

Solution: append thingsin the plaintext