Transcript of CSCI 6365
CSCI 6365
• Network Security and Management
• Instructor: Bin Fu, Ph.D
• Office: ENGR 3.280
• Phone: 381-3635
• Email: [email protected]
• Web: http://cs.panam.edu/~binfu/
Textbook
Textbook: Cryptography and Network Security, by William Stallings, Fourth Edition
Topics
• Symmetric ciphers
• Block ciphers and DES
• Public key cryptography (RSA)
• Hash functions
• Key management
• Network Authentications
• IP security
• Web security
• Software security, etc
Exam, Assignment and Grade
• Midterm: 20%
• Final: 25%
• 4 assignments: 30%
• Attendance and Exercises in class: 25%
Chapter 1 – Introduction
The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.
—The Art of War, Sun Tzu
Background
• Information Security requirements have changed in recent times
• traditionally provided by physical and administrative mechanisms
• computer use requires automated tools to protect files and other stored information
• use of networks and communications links requires measures to protect data during transmission
Definitions
• Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers
• Network Security - measures to protect data during their transmission
• Internet Security - measures to protect data during their transmission over a collection of interconnected networks
Services, Mechanisms, Attacks
• need a systematic way to define requirements
• consider three aspects of information security:
  – security attack
  – security mechanism
  – security service
• consider them in reverse order
OSI Security Architecture
• ITU-T X.800 Security Architecture for OSI
• defines a systematic way of defining and providing security requirements
• for us it provides a useful, if abstract, overview of concepts we will study
Security Services
• X.800 defines it as: a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers
• RFC 2828 defines it as: a processing or communication service provided by a system to give a specific kind of protection to system resources
• X.800 defines it in 5 major categories
Security Services (X.800)
• Authentication - assurance that the communicating entity is the one claimed
• Access Control - prevention of the unauthorized use of a resource
• Data Confidentiality - protection of data from unauthorized disclosure
• Data Integrity - assurance that data received is as sent by an authorized entity
• Non-Repudiation - protection against denial by one of the parties in a communication
Security Mechanisms (X.800)
• specific security mechanisms:
  – encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization
• pervasive security mechanisms:
  – trusted functionality, security labels, event detection, security audit trails, security recovery
Classify Security Attacks as
• passive attacks - eavesdropping on, or monitoring of, transmissions to:
  – obtain message contents, or
  – monitor traffic flows
• active attacks - modification of the data stream to:
  – masquerade as some other entity
  – replay previous messages
  – modify messages in transit
  – deny service
Model for Network Security
• using this model requires us to:
  – design a suitable algorithm for the security transformation
  – generate the secret information (keys) used by the algorithm
  – develop methods to distribute and share the secret information
  – specify a protocol enabling the principals to use the transformation and secret information for a security service
Model for Network Access Security
• using this model requires us to:
  – select appropriate gatekeeper functions to identify users
  – implement security controls to ensure only authorised users access designated information or resources
• trusted computer systems can be used to implement this model
Summary
• have considered:
  – computer, network, internet security definitions
  – security services, mechanisms, attacks
  – X.800 standard
  – models for network (access) security
Cryptography
(figure: cryptography draws its theoretical foundations from algebra, number theory and complexity theory; its application is security)
Two parts of cryptography
• Symmetric ciphers
If the encryption key is known, then the decryption key is known (it is the same key). Examples: DES, AES
• Public key (asymmetric cipher)
Even if the encryption key is known, the decryption key is still unknown. Example: RSA
Basic Concepts in Cryptography
• Plaintext: original intelligible message
• Encryption algorithm: converts plaintext into ciphertext
• Key: one of the inputs to the encryption algorithm; different keys produce different ciphertexts from the same plaintext
• Ciphertext: output of encryption, unintelligible data
• Decryption algorithm: takes the ciphertext and the key and recovers the plaintext
Model of Cryptosystem
(figure: message X is encrypted under key K to ciphertext Y and sent to the receiver, who decrypts Y with K to recover X; K reaches the receiver over a secure channel; a cryptanalyst who sees Y produces estimates X' of the message and K' of the key)
Encryption and Decryption
• Message X • Encryption key K • Ciphertext Y
Encryption function: $Y = E_K(X)$
Decryption function: $X = D_K(Y)$
Attacks
• Ciphertext-only attack: the attacker knows only ciphertext
• Known-plaintext attack: the attacker has some plaintext and its encryption
• Chosen-plaintext attack: the attacker chooses messages and obtains their encryptions
Caesar Cipher
• Plain to cipher mapping (shift by 3)
a b c d e f g h i j k l m n o p q r s t u v w x y z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
• Example
Plaintext:  a t t a c k   a t   m i d n i g h t
Ciphertext: D W W D F N   D W   P L G Q L J K W
Two functions
• Number the letters: a b c … z ↔ 0 1 2 … 25
• The encryption function is E(p) = (p + 3) mod 26
• The decryption function is D(c) = (c - 3) mod 26
Key space and security
• The number of keys for Caesar cipher is 26
• It is easy to break by brute-force attack via trying all possible keys
Monoalphabetic Cipher
• Plain letters to cipher letters
a b c d e f g h i j k l m n o p q r s t u v w x y z
Z E I R M F S K B H C U P Q G J T O V W X Y D A L N
• Plaintext to ciphertext
Plaintext:  a t t a c k   a t   m i d n i g h t
Ciphertext: Z W W Z I C   Z W   P B R Q B S K W
Monoalphabetic Cipher
• Plain: a b c d e f g h i j k l m n o p q r s t u v w x y z
• Cipher: a permutation of the 26 letters
• Number of possible keys: 26! = 1 × 2 × 3 × 4 × … × 25 × 26 ≈ 4 × 10^26, far too many for brute force
Statistics for English Letters
• Frequency of the 26 letters (most to least common):
E (12.7%) T (9.0%) A (8.1%) O (7.5%) I (6.9%) N (6.7%) S (6.3%) H (6.0%) R (5.9%) D (4.2%) L (4.0%) C (2.7%) U (2.7%) M (2.4%) W (2.3%) F (2.2%) G (2.0%) Y (1.9%) P (1.9%) B (1.4%) V (0.9%) K (0.7%) X (0.15%) J (0.15%) Q (0.09%) Z (0.07%)
Cipher Analysis
• Collect a ciphertext long enough for letter statistics to be meaningful
• Count the frequency of every ciphertext letter
• Match the most frequent ciphertext letters to the most frequent English letters (E, T, A, …) to recover the mapping
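Caesar brute force and letter-frequency analysis in working code, as an added example that is not part of the lecture slides. It uses the shift-3 Caesar cipher and the English frequency table from the slides; the chi-squared scoring, the helper names and the sample text (the chapter's Sun Tzu quote, used here as a constructed input) are this example's own choices. `break_caesar` tries all 26 keys and lets the frequency statistics pick the winner, which is the attack the slides describe for any monoalphabetic cipher, applied here to the 26-key case:

```python
"""Caesar cipher, brute force over its 26 keys, and letter-frequency scoring
(added example; not from the lecture slides)."""
from collections import Counter
import string

ALPHABET = string.ascii_uppercase

# Expected English letter frequencies (percent), as listed on the slide.
ENGLISH_FREQ = {
    "E": 12.7, "T": 9.0, "A": 8.1, "O": 7.5, "I": 6.9, "N": 6.7, "S": 6.3,
    "H": 6.0, "R": 5.9, "D": 4.2, "L": 4.0, "C": 2.7, "U": 2.7, "M": 2.4,
    "W": 2.3, "F": 2.2, "G": 2.0, "Y": 1.9, "P": 1.9, "B": 1.4, "V": 0.9,
    "K": 0.7, "X": 0.15, "J": 0.15, "Q": 0.09, "Z": 0.07,
}


def caesar_encrypt(plaintext, key):
    """E(p) = p + key (mod 26) on letters; spaces and punctuation are dropped."""
    return "".join(ALPHABET[(ALPHABET.index(c) + key) % 26]
                   for c in plaintext.upper() if c in ALPHABET)


def caesar_decrypt(ciphertext, key):
    """D(c) = c - key (mod 26)."""
    return caesar_encrypt(ciphertext, -key)


def letter_frequencies(text):
    """Percentage of each letter in text: the statistic the slides analyse."""
    letters = [c for c in text.upper() if c in ALPHABET]
    counts = Counter(letters)
    n = len(letters) or 1
    return {c: 100.0 * counts[c] / n for c in ALPHABET}


def chi_squared(text):
    """Distance between the letter distribution of text and that of English.
    Lower means the text looks more like English."""
    observed = letter_frequencies(text)
    return sum((observed[c] - ENGLISH_FREQ[c]) ** 2 / ENGLISH_FREQ[c]
               for c in ALPHABET)


def break_caesar(ciphertext):
    """Try all 26 keys and return (key, plaintext) for the candidate whose
    letter statistics are closest to English: brute force with frequency
    analysis choosing the winner instead of a human reading 26 candidates."""
    candidates = [(chi_squared(caesar_decrypt(ciphertext, k)), k) for k in range(26)]
    _, best_key = min(candidates)
    return best_key, caesar_decrypt(ciphertext, best_key)


# Constructed sample input: the chapter's Sun Tzu quote.
SAMPLE = ("the art of war teaches us to rely not on the likelihood of the enemy's "
          "not coming but on our own readiness to receive him not on the chance "
          "of his not attacking but rather on the fact that we have made our "
          "position unassailable")
```

For a general monoalphabetic key the same `letter_frequencies` output is the starting point, but the 26! keys cannot be enumerated; the analyst matches the most frequent ciphertext letters to E, T, A, O and refines by hand.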
Multiple Substitutes
• A plaintext letter may be assigned several cipher symbols (homophones), e.g. e → 3, 7, 23
• This makes statistical attacks much harder, because the frequency of a common letter is spread over its symbols
Playfair Cipher
• Key: monarchy
M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z
Pairing before Encryption
• Pair up letters: walk → (wa)(lk)
• Insert a filler letter when the two letters of a pair are the same: balloon → (ba)(lx)(lo)(on)
Encryption Rules
• ar → RM: plaintext letters in the same row are each replaced by the letter to their right (circularly)
• mu → CM: plaintext letters in the same column are each replaced by the letter beneath (circularly)
• bp → HS: otherwise each plaintext letter is replaced by the letter that lies in its own row and in the column of the other letter
Advantage of Playfair over monoalphabetic
• Multiple substitutes: a letter is encrypted differently depending on its partner, and there are 26 × 26 = 676 digrams to analyse instead of 26 letters
• This makes frequency analysis more difficult
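The Playfair rules above in code, as an added example that is not from the slides. The key square is built from the keyword `monarchy` exactly as on the slide (I and J share a cell); the function names and the choice of `Q` as filler when the doubled letter is itself `X` are this example's own assumptions:

```python
"""Playfair cipher with the slide's key square (added example, not from the slides)."""
import string


def build_square(keyword):
    """5x5 key square: keyword letters first (duplicates dropped), then the rest
    of the alphabet; I and J share one cell as on the slide."""
    seen = []
    for c in (keyword + string.ascii_lowercase).upper().replace("J", "I"):
        if c.isalpha() and c not in seen:
            seen.append(c)
    assert len(seen) == 25
    return [seen[i:i + 5] for i in range(0, 25, 5)]


def locate(square, letter):
    for r, row in enumerate(square):
        if letter in row:
            return r, row.index(letter)
    raise ValueError(letter)


def make_pairs(plaintext):
    """Pair up letters; a filler X splits a pair of identical letters
    (balloon -> ba lx lo on) and pads an odd-length message."""
    letters = [c for c in plaintext.upper().replace("J", "I") if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else "X"
        if a == b:
            b = "X" if a != "X" else "Q"   # filler must differ from a (assumed rule for XX)
            i += 1
        else:
            i += 2
        pairs.append(a + b)
    return pairs


def transform_pair(square, a, b, step):
    """step=+1 applies the three encryption rules, step=-1 undoes them."""
    ra, ca = locate(square, a)
    rb, cb = locate(square, b)
    if ra == rb:                       # same row: shift right (left to decrypt)
        return square[ra][(ca + step) % 5] + square[rb][(cb + step) % 5]
    if ca == cb:                       # same column: shift down (up to decrypt)
        return square[(ra + step) % 5][ca] + square[(rb + step) % 5][cb]
    # rectangle: each letter keeps its own row and takes the other letter's column
    return square[ra][cb] + square[rb][ca]


def playfair_encrypt(plaintext, keyword):
    square = build_square(keyword)
    return "".join(transform_pair(square, p[0], p[1], +1) for p in make_pairs(plaintext))


def playfair_decrypt(ciphertext, keyword):
    """Ciphertext is already paired; filler letters are left in for the reader to drop."""
    square = build_square(keyword)
    letters = "".join(c for c in ciphertext.upper() if c.isalpha())
    return "".join(transform_pair(square, letters[i], letters[i + 1], -1)
                   for i in range(0, len(letters), 2))
```

`playfair_decrypt` with the keyword `monarchy` also answers the Playfair problem on the problems slide further down.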
Polyalphabetic Cipher
• 6 letters: a b c d e f
a A B C D E F
b B C D E F A
c C D E F A B
d D E F A B C
e E F A B C D
f F A B C D E
Encryption rules
• Keyword: dece
• Key:        d e c e d e c e d e c e d
• Plaintext:  f d e f e c a b c c c e d
• Ciphertext: C B A D B A C F F A E C A
• The key letter "d" selects row "d"; the plaintext letter "f" selects column "f"; the cipher letter is at the intersection of row "d" and column "f", which is "C"
Polyalphabetic Cipher
• 26 letters: a b c d e f …….
a A B C D E F …….
b B C D E F G …….
c C D E F G H …….
d D E F G H I …….
e E F G H I J …….
f F G H I J K …….
……
Advantage
• Each plaintext letter may be mapped to any of the 26 letters.
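The polyalphabetic (Vigenère) table in code, as an added example not taken from the slides. It goes beyond the slides in one way: the alphabet is a parameter, so one function reproduces both the slides' 6-letter table with keyword `dece` and the ordinary 26-letter cipher. Function names are this example's own:

```python
"""Polyalphabetic (Vigenere) cipher over an arbitrary alphabet; the slides use
the 6-letter alphabet a..f, the full cipher uses a..z (added example)."""
import string


def vigenere(text, keyword, alphabet=string.ascii_lowercase, decrypt=False):
    """Row = key letter, column = plaintext letter, cipher letter = (p + k) mod n.
    The keyword repeats as often as needed (dece -> d e c e d e c e ...)."""
    n = len(alphabet)
    index = {c: i for i, c in enumerate(alphabet)}
    key_letters = keyword.lower()
    if not key_letters or any(c not in index for c in key_letters):
        raise ValueError("keyword must be non-empty and drawn from the alphabet")
    key = [index[c] for c in key_letters]
    letters = [c for c in text.lower() if c in index]   # non-alphabet symbols dropped
    out = []
    for i, c in enumerate(letters):
        k = key[i % len(key)]
        shift = -k if decrypt else k          # decryption walks the row backwards
        out.append(alphabet[(index[c] + shift) % n])
    return "".join(out).upper()


def vigenere_encrypt(plaintext, keyword, alphabet=string.ascii_lowercase):
    return vigenere(plaintext, keyword, alphabet)


def vigenere_decrypt(ciphertext, keyword, alphabet=string.ascii_lowercase):
    return vigenere(ciphertext, keyword, alphabet, decrypt=True)


def tabula_recta(alphabet):
    """The table from the slide: row r, column c holds alphabet[(r + c) mod n]."""
    n = len(alphabet)
    return [[alphabet[(r + c) % n].upper() for c in range(n)] for r in range(n)]


SIX = "abcdef"   # the slide's reduced alphabet
```

With the 6-letter alphabet, `vigenere_encrypt("beef", "dece", SIX)` is the answer to Problem 1 on the problems slide below.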
Basic Properties of Mod
• For integers x, y, and k, x ≡ y (mod k) if there is another integer z such that x - y = z·k
• Example: x = 7, y = 11, k = 4: 7 ≡ 11 (mod 4), since 7 - 11 = (-1)·4
• x ≡ y (mod k) iff x and y have the same remainder when divided by k
Mod k
• Assume x ≡ y (mod k) and u ≡ v (mod k); then
x + u ≡ y + v (mod k)
x·u ≡ y·v (mod k)
Hill Cipher
• Take m successive plaintext letters and substitutes for them m ciphertext letters
• Each letter is assigned a numerical value
• The Substitution is via a linear transformation
Hill Cipher
$$\begin{pmatrix} c_1 \\ c_2 \\ c_3 \end{pmatrix} = \begin{pmatrix} k_{11} & k_{12} & k_{13} \\ k_{21} & k_{22} & k_{23} \\ k_{31} & k_{32} & k_{33} \end{pmatrix} \begin{pmatrix} p_1 \\ p_2 \\ p_3 \end{pmatrix} \bmod 26$$
that is,
$$c_1 = (k_{11} p_1 + k_{12} p_2 + k_{13} p_3) \bmod 26$$
$$c_2 = (k_{21} p_1 + k_{22} p_2 + k_{23} p_3) \bmod 26$$
$$c_3 = (k_{31} p_1 + k_{32} p_2 + k_{33} p_3) \bmod 26$$
Matrix Multiplication
• For two matrices $A = (a_{i,j})_{l \times m}$ and $B = (b_{j,k})_{m \times n}$, the product $C = AB = (c_{i,k})_{l \times n}$ is given by
$$c_{i,k} = \sum_{j=1}^{m} a_{i,j} b_{j,k}$$
Properties of matrix product
• Associative: (AB)C=A(BC)
• IA=AI=A, where I is the unit matrix
1 0 0 … 0
I= 0 1 0 … 0
0 0 1 … 0
……
0 0 0 … 1
Inverse of matrix
• For a matrix $A = (a_{i,j})_{n \times n}$, if there is another matrix $B = (b_{i,j})_{n \times n}$ such that $AB = I$, where $I$ is the unit matrix, then $B$ is called the inverse of $A$, denoted by $B = A^{-1}$
Hill Cipher
• $C = KP \bmod 26$
C is a column of m cipher letters
K is an m×m matrix
P is a column of m plain letters
• K is invertible, with inverse $K^{-1}$ such that $K K^{-1} = I$
I is the m×m matrix that has all ones on the main diagonal and all zeros off the main diagonal
Encryption and Decryption
• Encryption: $C = E_K(P) = KP \bmod 26$
• Decryption: $P = D_K(C) = K^{-1} C \bmod 26 = K^{-1} K P = I P = P$
Example
$$K = \begin{pmatrix} 17 & 17 & 5 \\ 21 & 18 & 21 \\ 2 & 2 & 19 \end{pmatrix}, \qquad K^{-1} = \begin{pmatrix} 4 & 9 & 15 \\ 15 & 17 & 6 \\ 24 & 0 & 17 \end{pmatrix}$$
Check:
$$K K^{-1} = \begin{pmatrix} 443 & 442 & 442 \\ 858 & 495 & 780 \\ 494 & 52 & 365 \end{pmatrix} \bmod 26 = \begin{pmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{pmatrix}$$
Hill Cipher Security
Take three plaintext blocks and their ciphertext blocks, arranged as the columns of 3×3 matrices P and C:
$$\begin{pmatrix} c_{11} & c_{12} & c_{13} \\ c_{21} & c_{22} & c_{23} \\ c_{31} & c_{32} & c_{33} \end{pmatrix} = \begin{pmatrix} k_{11} & k_{12} & k_{13} \\ k_{21} & k_{22} & k_{23} \\ k_{31} & k_{32} & k_{33} \end{pmatrix} \begin{pmatrix} p_{11} & p_{12} & p_{13} \\ p_{21} & p_{22} & p_{23} \\ p_{31} & p_{32} & p_{33} \end{pmatrix} \bmod 26$$
$$C = KP \bmod 26, \qquad P = K^{-1} C \bmod 26$$
If the plaintext matrix P is invertible mod 26, an attacker who knows P and C recovers the key as $K = C P^{-1} \bmod 26$.
Conclusion
• The Hill cipher is easy to break with a known-plaintext attack: a few plaintext/ciphertext block pairs determine the key
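The Hill cipher, its matrix inverse mod 26, and the known-plaintext key recovery, as an added example that is not part of the slides. K and K^{-1} are the slides' own values; the known plaintext `helloworl` is a constructed input chosen so that its 3×3 block matrix is invertible mod 26, and the helper names are this example's assumptions:

```python
"""Hill cipher with modular matrix inverse, plus the known-plaintext key recovery
the slides conclude with (added example; K and K^-1 are the slide's values)."""

MOD = 26


def text_to_nums(text):
    return [ord(c) - ord("A") for c in text.upper() if c.isalpha()]


def nums_to_text(nums):
    return "".join(chr(ord("A") + x % MOD) for x in nums)


def mat_mul(A, B, mod=MOD):
    """C = A B mod 26 with C[i][k] = sum_j A[i][j] B[j][k]."""
    return [[sum(A[i][j] * B[j][k] for j in range(len(B))) % mod
             for k in range(len(B[0]))] for i in range(len(A))]


def minor(M, i, j):
    return [row[:j] + row[j + 1:] for r, row in enumerate(M) if r != i]


def det(M):
    """Laplace expansion along the first row (fine for the small m used here)."""
    if len(M) == 1:
        return M[0][0]
    return sum((-1) ** j * M[0][j] * det(minor(M, 0, j)) for j in range(len(M)))


def mat_inv_mod(M, mod=MOD):
    """K^-1 = det(K)^-1 * adj(K) mod 26; raises ValueError if det(K) has no
    inverse mod 26 (gcd(det, 26) != 1), in which case the key is unusable."""
    m = len(M)
    d_inv = pow(det(M) % mod, -1, mod)
    adj = [[(-1) ** (i + j) * det(minor(M, j, i)) for j in range(m)] for i in range(m)]
    return [[(d_inv * adj[i][j]) % mod for j in range(m)] for i in range(m)]


def blocks_as_columns(nums, m):
    """m-letter blocks become the columns of an m x (number of blocks) matrix."""
    assert len(nums) % m == 0
    return [[nums[b * m + i] for b in range(len(nums) // m)] for i in range(m)]


def columns_as_nums(M):
    return [M[i][b] for b in range(len(M[0])) for i in range(len(M))]


def hill_encrypt(plaintext, K):
    """C = K P mod 26 block by block; pads with X up to a multiple of m."""
    m = len(K)
    nums = text_to_nums(plaintext)
    nums += [ord("X") - ord("A")] * (-len(nums) % m)
    return nums_to_text(columns_as_nums(mat_mul(K, blocks_as_columns(nums, m))))


def hill_decrypt(ciphertext, K):
    """P = K^-1 C mod 26."""
    m = len(K)
    C = blocks_as_columns(text_to_nums(ciphertext), m)
    return nums_to_text(columns_as_nums(mat_mul(mat_inv_mod(K), C)))


def recover_key(known_plaintext, known_ciphertext, m):
    """Known-plaintext attack: m plaintext/ciphertext block pairs give C = K P,
    so K = C P^-1 mod 26 whenever the plaintext matrix P is invertible mod 26."""
    P = blocks_as_columns(text_to_nums(known_plaintext)[: m * m], m)
    C = blocks_as_columns(text_to_nums(known_ciphertext)[: m * m], m)
    return mat_mul(C, mat_inv_mod(P))


# The slide's 3x3 key.
K = [[17, 17, 5], [21, 18, 21], [2, 2, 19]]
```

When the first m blocks of known plaintext are not invertible mod 26 (for example an even determinant), the attacker simply picks another set of m blocks; with only 26 possible residues this rarely takes more than a couple of tries.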
Problems
1. Encrypt the plaintext BEEF with the polyalphabetic cipher (6-letter alphabet) and the key decedece
2. The following ciphertext is from Playfair encryption with the key of the Playfair slides (monarchy). Convert it into plaintext, showing each of your steps:
SENASXFNMG
Encryption for binary message
• $a \oplus b = 1$ iff a and b are different
• Encryption: $c_i = p_i \oplus k_i$
• $p_i$ = i-th binary digit of plaintext; $k_i$ = i-th binary digit of key; $c_i$ = i-th binary digit of ciphertext
Decryption for binary message
• Decryption: $p_i = c_i \oplus k_i$
• $p_i$ = i-th binary digit of plaintext; $k_i$ = i-th binary digit of key; $c_i$ = i-th binary digit of ciphertext
$$c_i \oplus k_i = (p_i \oplus k_i) \oplus k_i = p_i \oplus (k_i \oplus k_i) = p_i \oplus 0 = p_i$$
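The bitwise rule c_i = p_i ⊕ k_i and its decryption identity in code, as an added example that is not from the slides; the sample bytes are constructed for the test. The last function shows a caveat the slides do not cover: if the same key encrypts two messages, XORing the two ciphertexts cancels the key and exposes p1 ⊕ p2.

```python
"""Bitwise XOR encryption of a binary message (c_i = p_i xor k_i), why the same
operation decrypts, and what leaks when one key is used twice
(added example; the key-reuse part is a caveat, not on the slides)."""
import secrets


def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("key must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(plaintext, key):
    """c_i = p_i xor k_i for every bit (Python XORs a whole byte at a time)."""
    return xor_bytes(plaintext, key)


def decrypt(ciphertext, key):
    """c_i xor k_i = (p_i xor k_i) xor k_i = p_i xor 0 = p_i: the same function."""
    return xor_bytes(ciphertext, key)


def fresh_key(length):
    """A uniformly random key as long as the message (a one-time pad)."""
    return secrets.token_bytes(length)


def bits(data):
    """Binary digits of a byte string, to check the per-bit rule on small inputs."""
    return "".join(format(byte, "08b") for byte in data)


def two_time_pad_leak(c1, c2):
    """If the same key encrypts p1 and p2 then c1 xor c2 = p1 xor p2: the key
    cancels and an attacker learns the XOR of the plaintexts without the key."""
    return xor_bytes(c1, c2)
```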
Transposition techniques
• Encryption is by some permutation on the plaintext
• Plaintext: attack postponed until two am xyz
• Write the message in rows:
a t t a c k p
o s t p o n e
d u n t i l t
w o a m x y z
• Read by column:
aodwtsuottnaaptmcoixknlypetz
Transposition techniques
• Permute the order of columns
Key: 4 3 1 2 5 6 7
a t t a c k p
o s t p o n e
d u n t i l t
w o a m x y z
• Ciphertext:
ttna aptm tsuo aodw coix knly petz
Second round
• Input: ttna aptm tsuo aodw coix knly petz
• Permute the order of columns
Key: 4 3 1 2 5 6 7
t t n a a p t
m t s u o a o
d w c o i x k
n l y p e t z
• Ciphertext:
nscy auop ttwl tmdn aoie paxt tokz
Two basic methods
• Substitution
monoalphabetic cipher
polyalphabetic cipher
• Permutation
transposition
Block Cipher
• Block cipher: a block of plaintext is treated as a whole and used to produce a ciphertext block of the same length
• The mapping can be described by a table (2-bit example):
00 → 11
01 → 10
10 → 00
11 → 01
• Key size for an n-bit block is n·2^n bits (the whole table)
Principles of block cipher
• Diffusion
The statistical structure of the plaintext is dissipated into long-range statistics of the ciphertext
• Confusion
Make the relationship between the ciphertext and the key as complicated as possible
Diffusion
• Let each plaintext digit affect many cipher digits
• Example 1: Hill cipher, where every cipher letter of a block depends on every plaintext letter of the block:
$$\begin{pmatrix} c_1 \\ c_2 \\ c_3 \end{pmatrix} = \begin{pmatrix} k_{11} & k_{12} & k_{13} \\ k_{21} & k_{22} & k_{23} \\ k_{31} & k_{32} & k_{33} \end{pmatrix} \begin{pmatrix} p_1 \\ p_2 \\ p_3 \end{pmatrix} \bmod 26$$
• Example 2: For message M = m_1, m_2, m_3, …, let the ciphertext be
$$y_n = \sum_{i=1}^{k} m_{n+i} \bmod 26$$
Diffusion and confusion
• Diffusion dissipates the statistical structure of the plaintext; confusion hides the relationship between the ciphertext and the key
• Confusion is usually achieved by substitution
Magic function f(x)
• For every integer x, f(x) is easy to compute
• Given f(x), it is very hard to find any information about x (one-way)
• It is computationally infeasible to find different x and y with f(x) = f(y) (collision resistant)
Protocol
• Alice picks a random integer x and computes f(x)
• She reads f(x) to Bob on the phone
• Bob tells Alice his guess of whether x is even or odd
• Alice reads x to Bob
• Bob recomputes f(x) to verify that Alice did not change x, and sees whether his guess was correct
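The phone coin-flip protocol from the slides as an exchange with both sides' messages, added here as an example that is not from the slides. SHA-256 over a 128-bit x stands in for the magic function f; both the hash and the size of x are assumptions of this example, and the size matters: with a small x, Bob could recompute f over every candidate and learn the parity before guessing.

```python
"""The phone coin-flip protocol from the slides, with SHA-256 standing in for
the one-way, collision-resistant function f (added example; the hash and the
128-bit size of x are assumptions, not on the slides)."""
import hashlib
import secrets


def f(x):
    """Easy to compute; given f(x) it is infeasible to learn x or to find x' != x
    with f(x') = f(x).  x comes from a 128-bit space so Bob cannot enumerate it."""
    return hashlib.sha256(x.to_bytes(16, "big")).hexdigest()


def alice_pick(x=None):
    """Alice picks a random integer x and reads f(x), her commitment, to Bob."""
    if x is None:
        x = secrets.randbits(128)
    return x, f(x)


def bob_guess(commitment, guess_even=None):
    """Bob guesses whether x is even or odd; all he has seen is f(x)."""
    if guess_even is None:
        guess_even = secrets.randbits(1) == 1
    return guess_even


def alice_reveal(x):
    """Alice reads x to Bob (she cannot switch to another x': f(x') != f(x))."""
    return x


def bob_verify(commitment, revealed_x, guess_even):
    """Bob recomputes f over the revealed x; a mismatch means Alice changed x
    after hearing the guess, and the run is rejected."""
    if f(revealed_x) != commitment:
        raise ValueError("revealed x does not match the committed f(x)")
    return (revealed_x % 2 == 0) == guess_even


def run_protocol(x=None, guess_even=None):
    """One full exchange; returns True if Bob's guess was right."""
    x, commitment = alice_pick(x)
    guess = bob_guess(commitment, guess_even)
    return bob_verify(commitment, alice_reveal(x), guess)
```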
Problem
The following ciphertext is from the transposition method with the key 4132. Get the plaintext back.
OCLTG NNENT OAEOH NESPI
DES
• The Data Encryption Standard (DES) was established by the National Bureau of Standards in 1977
• For decades the most widely used encryption scheme, especially in financial applications
DES
• DES is a block cipher
• Each plaintext block is a 64-bit {0,1} string
• Each ciphertext block is a 64-bit {0,1} string
• The key is a 56-bit {0,1} string
• It is a combination of substitution and permutation
Three stages
• Stage 1: apply a fixed permutation IP: $(L_0, R_0) = \mathrm{IP}(\text{input block})$
• Stage 2: 16 rounds of operations (i = 1, 2, …, 16):
$$L_i = R_{i-1}, \qquad R_i = L_{i-1} \oplus f(R_{i-1}, k_i)$$
• Stage 3: output block $= \mathrm{IP}^{-1}(R_{16}, L_{16})$
Stage 1
• Apply a fixed permutation IP: $(L_0, R_0) = \mathrm{IP}(\text{input block})$
• $L_0$ is the left 32 bits
• $R_0$ is the right 32 bits
• IP is a fixed permutation function
Stage 2
• 16 rounds of operations (i = 1, 2, …, 16):
$$L_i = R_{i-1}, \qquad R_i = L_{i-1} \oplus f(R_{i-1}, k_i)$$
• Function f is called the "S"-box function ("S" for substitution)
• $k_i$ is a 48-bit round key, made of bits selected from the 56-bit input key
One Round Feistel Cipher
(figure: one round; inputs $L_{i-1}$, $R_{i-1}$ and round key $k_i$; $R_{i-1}$ becomes $L_i$, and $L_{i-1} \oplus f(R_{i-1}, k_i)$ becomes $R_i$)
Principles
• The substitution is done inside f
• The permutation is applied in each of the 16 rounds
(figure: the 16 rounds chained: $(L_0, R_0) \to (L_1, R_1) \to (L_2, R_2) \to \dots \to (L_{16}, R_{16})$, each step applying f)
One Round Feistel Cipher
(figure: the last round; inputs $L_{15}$, $R_{15}$ and round key $k_{16}$ give $L_{16}$, $R_{16}$)
Decryption
• First stage: $\mathrm{IP}(c) = \mathrm{IP}(\mathrm{IP}^{-1}(R_{16}, L_{16})) = (R_{16}, L_{16}) = (L'_0, R'_0)$
• Second stage:
$$L'_1 = R'_0 = L_{16} = R_{15}$$
$$R'_1 = L'_0 \oplus f(R'_0, k_{16}) = R_{16} \oplus f(L_{16}, k_{16}) = (L_{15} \oplus f(R_{15}, k_{16})) \oplus f(R_{15}, k_{16}) = L_{15}$$
Decryption
• Inverse of the DES: running the rounds with the round keys in reverse order gives
$$(L'_1, R'_1) = (R_{15}, L_{15})$$
$$(L'_2, R'_2) = (R_{14}, L_{14})$$
$$(L'_3, R'_3) = (R_{13}, L_{13})$$
$$\dots$$
$$(L'_{16}, R'_{16}) = (R_0, L_0)$$
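Decryption in the Feistel structure never inverts f: it runs the same rounds with the subkeys in reverse order. The following added example, not from the slides, builds a 16-round, 64-bit Feistel cipher in the shape of the slides' equations with a deliberately non-invertible round function (a truncated SHA-256, an assumption of this example; it is not DES's f) and a hash-based subkey schedule, also assumed, and measures the avalanche effect by flipping one input bit:

```python
"""A 64-bit, 16-round Feistel cipher in the DES shape of the slides:
L_i = R_{i-1}, R_i = L_{i-1} xor f(R_{i-1}, k_i).  The round function is a
truncated SHA-256 (an assumption for this example; it is not DES's f) and is
not invertible, which shows that decryption only needs the subkeys reversed
(added example, not from the slides)."""
import hashlib

ROUNDS = 16
MASK32 = 0xFFFFFFFF


def subkeys(key):
    """16 round keys k_1..k_16 (48 bits each, like DES) derived from a 64-bit key.
    The derivation is assumed for the example and is not DES's key schedule."""
    return [int.from_bytes(hashlib.sha256(key.to_bytes(8, "big") + bytes([i])).digest()[:6], "big")
            for i in range(1, ROUNDS + 1)]


def f(r, k):
    """32-bit output from (R_{i-1}, k_i); many inputs share an output, so f has no inverse."""
    digest = hashlib.sha256(r.to_bytes(4, "big") + k.to_bytes(6, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def feistel(block, keys):
    """Run the rounds with the given key order, then output (R_16, L_16) as the slides do."""
    left, right = block >> 32, block & MASK32
    for k in keys:
        left, right = right, left ^ f(right, k)     # L_i = R_{i-1}; R_i = L_{i-1} xor f
    return (right << 32) | left


def encrypt_block(block, key):
    return feistel(block, subkeys(key))


def decrypt_block(block, key):
    """Same rounds with k_16 .. k_1; the XOR with f cancels round by round."""
    return feistel(block, list(reversed(subkeys(key))))


def avalanche(block, key, bit):
    """How many of the 64 output bits change when one input bit is flipped."""
    return bin(encrypt_block(block, key) ^ encrypt_block(block ^ (1 << bit), key)).count("1")


# Constructed sample key and block for the demonstration.
KEY = 0x0123456789ABCDEF
BLOCK = 0x0011223344556677
```

The identity the slides derive for round 1 of decryption is what `feistel` relies on: feeding (R_16, L_16) back in with k_16 first reproduces (R_15, L_15), and after 16 rounds the final swap restores (L_0, R_0).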
Function $f(R_{i-1}, K_i)$
(figure: $R_{i-1}$ (32 bits) is expanded by E to 48 bits, XORed with $K_i$ (48 bits), split into eight 6-bit pieces fed to S-boxes $S_1, \dots, S_8$, each producing 4 bits, and the 32-bit result is permuted by P)
$$f(R_{i-1}, K_i) = P(S(E(R_{i-1}) \oplus K_i))$$
Function
$$f(R_{i-1}, K_i) = P(S(E(R_{i-1}) \oplus K_i))$$
• (a) $T = E(R_{i-1})$: expansion from 32 bits to 48 bits
• (b) $T' = K_i \oplus T = (B_1, \dots, B_8)$: each $B_i$ is 6 bits
• (c) $T'' = (S_1(B_1), S_2(B_2), \dots, S_8(B_8))$
Each $S_i$ is a 4×16 table with 4 bits at each entry
$B_i$ determines an entry in the $S_i$ table
• (d) $T''' = P(T'')$
Design of function f
• Function f makes the DES nonlinear
• The S box makes function f nonlinear
Design of f
• Strict avalanche criterion:
When input bit i is inverted, any output bit j of the S-box should change with probability 1/2
• Bit independence criterion:
Output bits j and k should change independently when any input bit i is inverted
• Both criteria depend on the design of the S-boxes, which has been studied extensively
Choice of parameters
• Block size: larger size means greater security, and less efficiency
• Key size: larger key size means greater security, and slower speed
• Number of rounds: Single round is inadequate
E table
• E is a fixed expansion that maps 32 bits to 48 bits
Each entry of E determines which bit to select from 32 bits
32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1
P table
• P is a fixed permutation of 32 bits
16 7 20 21 29 12 28 17
1 15 23 26 5 18 31 10
2 8 24 14 32 27 3 9
19 13 30 6 22 11 4 25
Key generation
Input: 56-bit key $K = k_1 k_2 \dots k_{56}$
$$T = \mathrm{PC1}(K) = (C_0, D_0), \quad \text{28 bits each}$$
for i = 1 to 16 do
$$C_i = \mathrm{LS}_{v_i}(C_{i-1}), \qquad D_i = \mathrm{LS}_{v_i}(D_{i-1}) \quad \text{(left circular shift by } v_i \text{ bits)}$$
$$K_i = \mathrm{PC2}(C_i, D_i) \quad \text{(48 bits)}$$
where $v_i = 1$ for i = 1, 2, 9, 16 and $v_i = 2$ otherwise
PC1 and PC2
• PC1(K) is the permutation of 56 bits of K
• PC2(C,D) selects 48 bits from the 56 bits input through a table
Electronic Codebook Mode
• ECB: each 64-bit block $P_1, P_2, \dots, P_N$ is encrypted independently to $C_1, C_2, \dots, C_N$
• Identical plaintext blocks give identical ciphertext blocks, so it may be possible for an attacker to recognise and substitute message blocks
Cipher Block Chaining Mode
• Encryption: $C_j = E_K[C_{j-1} \oplus P_j]$
(figure: $P_1$ is XORed with IV and encrypted under K to give $C_1$; each later $P_j$ is XORed with $C_{j-1}$ before encryption, up to $C_N$)
IV
• The IV must be known to sender and receiver and protected from a third party (the textbook says to protect it like the key)
• It is used for encrypting the first block:
$$C_1 = E_K(\mathrm{IV} \oplus P_1)$$
$$P_1 = \mathrm{IV} \oplus D_K(C_1)$$
Decryption
• Decryption of CBC:
$$D_K[C_j] = D_K[E_K(C_{j-1} \oplus P_j)] = C_{j-1} \oplus P_j$$
$$C_{j-1} \oplus D_K[C_j] = C_{j-1} \oplus C_{j-1} \oplus P_j = P_j$$
CBC Decryption
(figure: each $C_j$ is decrypted under K and XORed with $C_{j-1}$ (IV for j = 1) to give $P_j$)
Cipher Feedback Mode
• CFB (s-bit):
$$C_1 = P_1 \oplus S_s(E_K(\mathrm{IV}))$$
$$P_1 = C_1 \oplus S_s(E_K(\mathrm{IV}))$$
where $S_s$ selects the leftmost s bits
CFB
(figure, encryption: a 64-bit shift register starts as IV; each step encrypts the register under K, takes the leftmost s bits, XORs them with the s-bit $P_j$ to give $C_j$, then shifts $C_j$ into the right end of the register, for $j = 1, \dots, M$)
CFB Decryption
(figure, decryption: the same register and the same encryption function; the leftmost s bits of $E_K$(register) are XORed with $C_j$ to give $P_j$, and $C_j$ is shifted into the register)
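ECB, CBC and full-block CFB as added example code that is not from the slides. DES itself is not implemented here; `make_cipher` stands in with a keyed permutation of the 256 byte values, a one-byte block cipher chosen only so that the codebook leak of ECB is visible at a glance. The message, key and IV are constructed inputs:

```python
"""ECB, CBC and CFB modes over a toy block cipher with a one-byte block, small
enough that the codebook leak of ECB is visible by eye (added example; the toy
cipher is a keyed byte permutation chosen for the demonstration, not DES)."""
import random


def make_cipher(key):
    """E_K / D_K as a keyed permutation of the 256 byte values (block size 8 bits).
    Any invertible block function works with the mode logic; this one is just small."""
    table = list(range(256))
    random.Random(key).shuffle(table)        # deterministic in the key; demo only
    inverse = [0] * 256
    for x, y in enumerate(table):
        inverse[y] = x
    return table, inverse


def ecb_encrypt(plaintext, key):
    E, _ = make_cipher(key)
    return bytes(E[p] for p in plaintext)            # C_j = E_K[P_j]


def ecb_decrypt(ciphertext, key):
    _, D = make_cipher(key)
    return bytes(D[c] for c in ciphertext)


def cbc_encrypt(plaintext, key, iv):
    E, _ = make_cipher(key)
    out, prev = [], iv
    for p in plaintext:
        prev = E[prev ^ p]                           # C_j = E_K[C_{j-1} xor P_j], C_0 = IV
        out.append(prev)
    return bytes(out)


def cbc_decrypt(ciphertext, key, iv):
    _, D = make_cipher(key)
    out, prev = [], iv
    for c in ciphertext:
        out.append(prev ^ D[c])                      # P_j = C_{j-1} xor D_K[C_j]
        prev = c
    return bytes(out)


def cfb_encrypt(plaintext, key, iv):
    """Full-block CFB: C_j = P_j xor E_K(C_{j-1}); only E_K is used, never D_K."""
    E, _ = make_cipher(key)
    out, prev = [], iv
    for p in plaintext:
        prev = p ^ E[prev]
        out.append(prev)
    return bytes(out)


def cfb_decrypt(ciphertext, key, iv):
    E, _ = make_cipher(key)
    out, prev = [], iv
    for c in ciphertext:
        out.append(c ^ E[prev])
        prev = c
    return bytes(out)


def repeated_blocks(ciphertext):
    """Number of ciphertext blocks equal to an earlier block: ECB's tell-tale."""
    return len(ciphertext) - len(set(ciphertext))


# Constructed message with heavy repetition, the case ECB handles worst.
MESSAGE = b"AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBB"
```

Decrypting CBC with a wrong IV corrupts only P_1 and leaves every later block intact, which is why the IV slide insists the IV be protected from modification rather than merely present.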
Problems
a) Which parts of DES use the permutation method?
b) Which parts of DES use the substitution method?
c) Explain why DES is invertible (verify that each round is easy to invert).
d) Does DES require that the function f is invertible? Why?
(note: a function f is not invertible if f(x) = f(y) for some x ≠ y)
Problem 1
Key: d e c e d e c e; Plaintext: B E E F; Ciphertext: E C A D
Explanation for the first ciphertext letter:
• The key letter "d" selects row "d"
• The plaintext letter "b" selects column "b"
• The cipher letter is at the intersection of row "d" and column "b", which is "E"
Symmetric Encryption
• The key for the decryption is the same as the key for encryption.
• Examples: DES, AES
Asymmetric Techniques
• The key for encryption is different from the key for decryption
• Example: RSA
![Page 104: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/104.jpg)
Divisor
• Divisor: For two integers b and c, if b=c*z for some integer z, c is a divisor of b.
• Write c|b to denote that c is a divisor of b.
• Examples: 4|16, 2|10, 3|27
![Page 105: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/105.jpg)
Modular
• Given a positive integer n and any integer a, there are integers q and r such that
  $a = qn + r$, $0 \le r < n$, $q = \lfloor a/n \rfloor$
• r is the residue (remainder) when a is divided by n: $r = a \pmod n$
• $\lfloor x \rfloor$ is the largest integer at most x, e.g. $\lfloor 3.8 \rfloor = 3$
![Page 106: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/106.jpg)
Mod n
• Given integers x and n>1, x (mod n) is the remainder of x divided by n.
• Example: 7 (mod 4) = 3, 10 (mod 3) = 1
• Define $x \equiv y \pmod n$ if x (mod n) = y (mod n)
• $x \equiv y \pmod n$ iff $x - y = nz$ for some integer z
![Page 107: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/107.jpg)
Mod n
• Assume $x \equiv y \pmod n$ and $u \equiv v \pmod n$; we have:
  $x + u \equiv y + v \pmod n$
  $x - u \equiv y - v \pmod n$
  $x \cdot u \equiv y \cdot v \pmod n$
![Page 108: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/108.jpg)
System Zn
• The set Zn={0,1,2,…,n-1}. It has two operations + and *
• For a,b in Zn, a+b is (a+b)(mod n), and a*b is (ab)(mod n)
• Z5={0,1,2,3,4}
2+3=0 (mod 5) 2*4=3 (mod 5) 4*4 =1 (mod 5)
![Page 109: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/109.jpg)
Properties of Modular Arithmetic
• Commutative: $(w + x) \bmod n = (x + w) \bmod n$, $(w \times x) \bmod n = (x \times w) \bmod n$
• Associative: $[(w + x) + y] \bmod n = [w + (x + y)] \bmod n$, $[(w \times x) \times y] \bmod n = [w \times (x \times y)] \bmod n$
• Distributive: $[w \times (x + y)] \bmod n = [(w \times x) + (w \times y)] \bmod n$, $[(x + y) \times w] \bmod n = [(x \times w) + (y \times w)] \bmod n$
• Identities: $(0 + w) \bmod n = w \bmod n$, $(1 \times w) \bmod n = w \bmod n$
• Additive inverse (−x): $(x + (-x)) \bmod n = 0 \bmod n$
![Page 110: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/110.jpg)
Zn
• Commutative: $(w + x) \bmod n = (x + w) \bmod n$
• Associative: $[(w + x) + y] \bmod n = [w + (x + y)] \bmod n$
• Identities: $(0 + w) \bmod n = w \bmod n$
• Additive inverse (−w): $(w + (-w)) \bmod n = 0 \bmod n$
(Zn,+) is an abelian group
![Page 111: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/111.jpg)
Properties of Modular Arithmetic
• Commutative: $(w \times x) \bmod n = (x \times w) \bmod n$
• Associative: $[(w \times x) \times y] \bmod n = [w \times (x \times y)] \bmod n$
• Distributive: $[w \times (x + y)] \bmod n = [(w \times x) + (w \times y)] \bmod n$, $[(x + y) \times w] \bmod n = [(x \times w) + (y \times w)] \bmod n$
• Identities: $(1 \times w) \bmod n = w \bmod n$
![Page 112: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/112.jpg)
Greatest common divisor
• Divisor: For two integers b and c, if b=c*z for some integer z, c is a divisor of b.
• Greatest common divisor: Given two integers a and b, gcd(a,b) is the greatest positive integer c such that c is the divisor for both a and b.
• Examples: gcd(10,4)=2, gcd(16,100)=4
• Problem: How to find gcd(a,b)?
![Page 113: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/113.jpg)
Modular
• Assume a and b are two positive integers: $a = qb + r$, $0 \le r < b$, $q = \lfloor a/b \rfloor$
• $\gcd(a, b) = \gcd(b, r)$
• This is a recursive equation since the second argument goes down
![Page 114: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/114.jpg)
Example
• gcd(1970,1066) = gcd(1066,904)    1970 = 1 × 1066 + 904
• gcd(1066,904) = gcd(904,162)      1066 = 1 × 904 + 162
• gcd(904,162) = gcd(162,94)        904 = 5 × 162 + 94
• gcd(162,94) = gcd(94,68)          162 = 1 × 94 + 68
• gcd(94,68) = gcd(68,26)           94 = 1 × 68 + 26
• gcd(68,26) = gcd(26,16)           68 = 2 × 26 + 16
• gcd(26,16) = gcd(16,10)           26 = 1 × 16 + 10
• gcd(16,10) = gcd(10,6)            16 = 1 × 10 + 6
• gcd(10,6) = gcd(6,4)              10 = 1 × 6 + 4
• gcd(6,4) = gcd(4,2)               6 = 1 × 4 + 2
• gcd(4,2) = 2                      4 = 2 × 2 + 0
![Page 115: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/115.jpg)
Euclid algorithm
• Assume $a_1$ and $a_2$ are two positive integers
  $a_1 = q_1 a_2 + a_3$, $0 \le a_3 < a_2$
  $a_2 = q_2 a_3 + a_4$, $0 \le a_4 < a_3$
  $a_3 = q_3 a_4 + a_5$, $0 \le a_5 < a_4$
  …
  $a_{m-2} = q_{m-2} a_{m-1} + a_m$, $0 \le a_m < a_{m-1}$
  $a_{m-1} = q_{m-1} a_m$ (so $\gcd(a_1, a_2) = a_m$)
![Page 116: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/116.jpg)
Observation
Each $a_i$ can be expressed as $a_i = u_i a_1 + v_i a_2$ for some integers $u_i, v_i$
Proof: It is true for i=1,2. Assume it is true for all cases < i.
Since $a_i = a_{i-2} - q_{i-2} a_{i-1}$ and, by the inductive assumption,
$a_{i-2} = u_{i-2} a_1 + v_{i-2} a_2$ and $a_{i-1} = u_{i-1} a_1 + v_{i-1} a_2$,
we have
$a_i = (u_{i-2} a_1 + v_{i-2} a_2) - q_{i-2}(u_{i-1} a_1 + v_{i-1} a_2) = (u_{i-2} - q_{i-2} u_{i-1}) a_1 + (v_{i-2} - q_{i-2} v_{i-1}) a_2$
![Page 117: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/117.jpg)
Theorem
For two positive integers a and b with c=gcd(a,b), there are two integers p and q such that p*a+q*b=c
![Page 118: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/118.jpg)
Speed of Euclid algorithm
• Assume $a_1$ and $a_2$ are two positive integers
  $a_1 = q_1 a_2 + a_3$, $0 \le a_3 < a_2$, $\gcd(a_1, a_2) = \gcd(a_2, a_3)$
  $a_2 = q_2 a_3 + a_4$, $0 \le a_4 < a_3$, $\gcd(a_2, a_3) = \gcd(a_3, a_4)$
• If $a_3 > a_2/2$, we have $q_2 = 1$ and $a_4 = a_2 - a_3 < a_2/2$
• In other words, $a_4 < a_2/2$ in every case (if $a_3 \le a_2/2$ then already $a_4 < a_3 \le a_2/2$): the second argument at least halves every two steps, so the number of divisions is $O(\log a_2)$
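As an added example (my own code, not the slides'), here is Euclid's algorithm returning the same division table as the gcd(1970,1066) slide, the extended version that carries the $(u_i, v_i)$ coefficients of the Observation slide along with the remainders, the modular inverse this gives (the way the RSA private exponent d is computed later), and a check of the halving bound from the Speed slide.

```python
"""Euclid's algorithm as on the slides (returning the division steps), the
extended version that carries the (u_i, v_i) pair from the Observation slide,
and the modular inverse it yields. Added example, not the slides' code."""


def euclid_steps(a: int, b: int) -> list:
    """Return the division steps (a, q, b, r) with a = q*b + r, i.e. the
    table on the gcd(1970,1066) slide. The gcd is the b of the last step."""
    steps = []
    while b:
        q, r = divmod(a, b)
        steps.append((a, q, b, r))
        a, b = b, r
    return steps


def gcd(a: int, b: int) -> int:
    steps = euclid_steps(a, b)
    return steps[-1][2] if steps else a


def egcd(a: int, b: int) -> tuple:
    """Extended Euclid: (g, u, v) with u*a + v*b == g == gcd(a, b).
    Invariant (the Observation slide): every remainder r_i = u_i*a + v_i*b."""
    (r0, u0, v0), (r1, u1, v1) = (a, 1, 0), (b, 0, 1)   # a = 1a+0b, b = 0a+1b
    while r1:
        q = r0 // r1
        # r_i = r_{i-2} - q r_{i-1}  ==>  the same recurrence for u and v
        r0, r1 = r1, r0 - q * r1
        u0, u1 = u1, u0 - q * u1
        v0, v1 = v1, v0 - q * v1
    return r0, u0, v0


def modinv(e: int, n: int) -> int:
    """d with e*d ≡ 1 (mod n); exists iff gcd(e, n) = 1 (how RSA's d is found)."""
    g, u, _ = egcd(e, n)
    if g != 1:
        raise ValueError(f"{e} has no inverse mod {n}: gcd is {g}")
    return u % n


def halving_bound_holds(a: int, b: int) -> bool:
    """The Speed slide: the second argument at least halves every two steps,
    so the number of divisions is at most about 2*log2(b) + 1."""
    return len(euclid_steps(a, b)) <= 2 * b.bit_length() + 1
```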
![Page 120: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/120.jpg)
Number Theory
• A number p is a prime if it cannot be expressed as p=st such that both s and t are integers >1
  Primes: 2,3,5,7,11,13,17,19,23,29,…
• Theorem: Each positive integer n can be uniquely factorized into a product of primes:
  $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$, where $p_1 < p_2 < \dots < p_k$ are primes and $e_1, e_2, \dots, e_k > 0$
![Page 121: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/121.jpg)
Lemma
If gcd(a, n)=1 and gcd(a,m)=1, then gcd(a,mn)=1
![Page 122: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/122.jpg)
Proof
• Since gcd(a,m)=1, there are integers u and v such that au+mv=1
• Similarly, ax+ny=1 for some integers x and y
• (au+mv)(ax+ny)=auax+auny+mvax+mvny=1
• a(uax+uny+mvx)+(mn)(vy)=1
• So, gcd(a,mn)=1
![Page 123: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/123.jpg)
Observations
• For two different primes p and q, gcd(p,q)=1 and $\gcd(p, q^m) = 1$
• If prime number p is different from each of the primes $q_1, q_2, \dots, q_k$ (it is possible that $q_i = q_j$ for different i and j), then $\gcd(p, q_1 q_2 \cdots q_k) = 1$
![Page 124: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/124.jpg)
Unique factorization
Every positive integer n has unique factorization
Proof: Assume $n = p^e x$ and $n = p^f y$, where $0 \le e < f$, and x and y have no factor p
Therefore, gcd(p,x)=1
Since e<f, we have $x = p^{f-e} y$
It contradicts that gcd(p,x)=1
![Page 125: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/125.jpg)
Fermat Theorem
If p is a prime, a is a positive integer with gcd(p,a)=1, then $a^{p-1} \equiv 1 \pmod p$
![Page 126: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/126.jpg)
Proof
Consider the lists: 1, 2, 3, …, p-1, and
a*1, a*2, a*3, …, a*(p-1)
For a*u and a*v in the second list, if a*u ≡ a*v (mod p),
then a*(u-v) ≡ 0 (mod p).
Since gcd(a,p)=1, it implies that u-v ≡ 0 (mod p). So, u=v.
The elements in the second list are all different (mod p) and none is 0, so they are a permutation of the first list.
So, 1*2*3*…*(p-1) ≡ (a*1)*(a*2)*(a*3)*…*(a*(p-1)) (mod p)
![Page 127: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/127.jpg)
Proof
We have $a^{p-1} (p-1)! \equiv (p-1)! \pmod p$
$(a^{p-1} - 1)(p-1)! \equiv 0 \pmod p$
$\gcd(p, (p-1)!) = 1$
$a^{p-1} - 1 \equiv 0 \pmod p$
$a^{p-1} \equiv 1 \pmod p$
![Page 128: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/128.jpg)
Euler Function
For a positive integer n, $Z_n^*$ is the set of all positive integers m<n with gcd(m,n)=1
Define $\phi(n)$ to be the number of elements in $Z_n^*$
Example: $Z_{10}^* = \{1, 3, 7, 9\}$, so $\phi(10) = 4$
For every prime number p, $\phi(p) = p - 1$
![Page 132: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/132.jpg)
Finite Fields
• Cryptography depends on number theory and algebra
• Number theory: factorization,…
• Algebra: finite field theory,…
• AES will be built on the finite field theory
![Page 133: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/133.jpg)
Group
A group $(G, \cdot)$ is a set of elements G with an operation $\cdot$ such that
• Closure: If $a, b \in G$, then $a \cdot b \in G$
• Associative: For a,b,c in G, $(a \cdot b) \cdot c = a \cdot (b \cdot c)$
• Identity element: There is an e in G s.t. $a \cdot e = e \cdot a = a$ for all a in G
• Inverse element: For each a in G there is a' in G s.t. $a \cdot a' = a' \cdot a = e$
![Page 134: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/134.jpg)
Infinite Group and Abelian Group
• Infinite Group: If $(G, \cdot)$ is a group and G is an infinite set, it is called an infinite group
• Abelian group: If $(G, \cdot)$ is a group and $a \cdot b = b \cdot a$ for all elements a,b in G
![Page 135: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/135.jpg)
Group Examples
• Let Z={…,-2,-1,0,1,2,…} be the set of all integers
(Z,+) is a group.
• Let M3={0,1,2} and a+b is defined as (a+b) (mod 3)
(M3,+) is a group of 3 elements.
![Page 136: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/136.jpg)
Ring
A ring is $(R, +, \cdot)$ where
• $(R, +)$ is an abelian group
• Closure under multiplication: If a, b are in R, so is $a \cdot b$
• Associativity of multiplication: $(a \cdot b) \cdot c = a \cdot (b \cdot c)$
• Distributive laws: $a \cdot (b + c) = a \cdot b + a \cdot c$ and $(a + b) \cdot c = a \cdot c + b \cdot c$
![Page 137: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/137.jpg)
Ring Examples
• Let Z={…,-2,-1,0,1,2,…} be the set of all integers
(Z,+,*) is a ring.
• Let M3={0,1,2} and a+b, a*b are defined as (a+b) (mod 3) and (ab) (mod 3) respectively
(M3,+,*) is a ring of 3 elements.
![Page 138: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/138.jpg)
Commutative Ring
A ring $(R, +, \cdot)$ is commutative if it satisfies $a \cdot b = b \cdot a$ for all a, b in R
A ring $(R, +, \cdot)$ is an integral domain if it satisfies
1) It is commutative
2) It has an element 1 in R such that $a \cdot 1 = 1 \cdot a = a$
3) If a,b in R have $a \cdot b = 0$, then a=0 or b=0
![Page 139: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/139.jpg)
Field
A field is $(F, +, \cdot)$ where
• $(F, +, \cdot)$ is an integral domain
• Multiplicative inverse: For each a in F except 0, there is another element $a^{-1}$, called the inverse element of a, such that $a \cdot a^{-1} = a^{-1} \cdot a = 1$
![Page 140: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/140.jpg)
Zp
If p is a prime number, (Zp, +, ×) is a field.
![Page 141: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/141.jpg)
Zp
If p is a prime number, (Zp, +, ×) is a field.
Proof. For each a in {1,2,…,p-1}
a*1, a*2, …, a*(p-1) are different from each other (mod p) (shown on the next slide)
The list is a permutation of 1,2,…, p-1
So, there is a*b in the list with a*b ≡ 1 (mod p)
The element b is the inverse of a.
![Page 142: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/142.jpg)
Zp
• Assume $ax \equiv ay \pmod p$, where a,x,y are in {1,2,…,p-1}
We have $p \mid (ax - ay)$, i.e. $p \mid a(x - y)$
Since p is a prime, we have $p \mid a$ or $p \mid (x - y)$
It is impossible that $p \mid a$
We have $p \mid (x - y)$
So, $x \equiv y \pmod p$
![Page 143: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/143.jpg)
Zn
• (Z3,+, x) is a field
• (Z4,+,x) is not a field
![Page 144: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/144.jpg)
Problems
• Z5=({0,1,2,3,4},+, *). The + and * operations are under mod 5. Find the inverse for each element if it exists.
• Z6=({0,1,2,3,4,5},+, *). The + and * operations are under mod 6. Find the inverse for each element if it exists.
• Is Z5 or Z6 a field?
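The proof two slides back finds a's inverse by scanning the list a*1, a*2, …, a*(n-1) for the entry equal to 1. As an added example (my own code, not the slides'), the following does exactly that for every element of $Z_n$, decides whether $Z_n$ is a field, and exhibits the zero divisors that stop a composite n from being one; it answers the Z5/Z6 problems above directly.

```python
"""Multiplicative inverses in Z_n found the way the Z_p proof finds them
(scan a*1, a*2, ..., a*(n-1) for a product equal to 1 mod n), and the
field / zero-divisor checks for the Z5 and Z6 problems. Added example."""


def inverse_table(n: int) -> dict:
    """Map each a in Z_n to its inverse, or None if a*b is never 1 (mod n)."""
    table = {}
    for a in range(n):
        products = [(a * b) % n for b in range(1, n)]
        table[a] = products.index(1) + 1 if 1 in products else None
    return table


def multiplication_is_permutation(a: int, n: int) -> bool:
    """The lemma used on the Z_p slides: x -> a*x mod n permutes {1..n-1}.
    Holds for every a != 0 when n is prime; fails for a sharing a factor with n."""
    return sorted((a * x) % n for x in range(1, n)) == list(range(1, n))


def zero_divisors(n: int) -> list:
    """Pairs a <= b of non-zero elements with a*b ≡ 0 (mod n); empty iff Z_n is
    an integral domain (the third integral-domain condition on the slides)."""
    return [(a, b) for a in range(1, n) for b in range(a, n) if (a * b) % n == 0]


def is_field(n: int) -> bool:
    """Z_n is a field iff every non-zero element has a multiplicative inverse."""
    if n < 2:
        return False
    inv = inverse_table(n)
    return all(inv[a] is not None for a in range(1, n))
```

For Z6 the table shows 2, 3 and 4 without inverses, which is the same fact as the zero-divisor pairs (2,3) and (3,4): once a*b ≡ 0 with a,b ≠ 0, neither a nor b can have an inverse.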
![Page 156: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/156.jpg)
Theorem
If m and n are positive integers with gcd(m,n)=1, then $\phi(mn) = \phi(m)\phi(n)$
![Page 157: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/157.jpg)
Proof
The table below contains all elements in 0,1,2,…,mn-1 (n rows of m entries; column j holds j, m+j, 2m+j, …, (n-1)m+j)
Each column has $\phi(n)$ elements k with gcd(k,n)=1, because the n entries of a column, taken mod n, are a permutation of $Z_n$ when gcd(m,n)=1
0          1          2          …   m-1
m          m+1        m+2        …   2m-1
2m         2m+1       2m+2       …   3m-1
…          …          …          …   …
(n-1)m     (n-1)m+1   (n-1)m+2   …   nm-1
![Page 158: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/158.jpg)
Proof
• For two elements a,b in each column, gcd(m,a)=gcd(m,b), since the entries of a column are congruent mod m.
• There are $\phi(m)$ columns with gcd(m,a)=1, where a is an element in the column.
• So the number of k in 0,1,…,mn-1 with gcd(k,mn)=1 (i.e. gcd(k,m)=1 and gcd(k,n)=1) is $\phi(m)\phi(n)$.
![Page 159: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/159.jpg)
A special case
• Let p and q be two different prime numbers
• $\phi(p) = p - 1$ and $\phi(q) = q - 1$
• We have $\phi(pq) = \phi(p)\phi(q) = (p-1)(q-1)$
![Page 160: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/160.jpg)
Euler Theorem
If a and n are positive integers with gcd(a,n)=1, then $a^{\phi(n)} \equiv 1 \pmod n$
Foundation for RSA public key encryption
![Page 161: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/161.jpg)
Proof
Let $a_1, a_2, \dots, a_{\phi(n)}$ be the elements in $Z_n^*$
Claim: $a a_1, a a_2, \dots, a a_{\phi(n)} \pmod n$ is a permutation of $a_1, a_2, \dots, a_{\phi(n)}$
![Page 162: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/162.jpg)
Proof
If $a a_i \equiv a a_j \pmod n$
Then $a a_i - a a_j \equiv 0 \pmod n$, i.e. $a(a_i - a_j) \equiv 0 \pmod n$
Since gcd(a,n)=1, there are integers b,c with a*b+n*c=1, so $ab \equiv 1 \pmod n$
![Page 163: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/163.jpg)
Proof
From $a(a_i - a_j) \equiv 0 \pmod n$
We have $ba(a_i - a_j) \equiv 0 \pmod n$, i.e. $a_i - a_j \equiv 0 \pmod n$
So, $a_i \equiv a_j \pmod n$
Each $a a_i$ is again in $Z_n^*$ by the Lemma (gcd(a,n)=gcd($a_i$,n)=1), so the $\phi(n)$ distinct values $a a_i \pmod n$ fill $Z_n^*$. We have proven the claim.
![Page 164: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/164.jpg)
Proof
By the Claim that $a a_1, a a_2, \dots, a a_{\phi(n)} \pmod n$ is a permutation of $a_1, a_2, \dots, a_{\phi(n)}$
We have $a_1 a_2 \cdots a_{\phi(n)} \equiv (a a_1)(a a_2) \cdots (a a_{\phi(n)}) \pmod n$
$\equiv a^{\phi(n)} (a_1 a_2 \cdots a_{\phi(n)}) \pmod n$
![Page 165: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/165.jpg)
Proof
Since $\gcd(a_1, n) = 1, \gcd(a_2, n) = 1, \dots, \gcd(a_{\phi(n)}, n) = 1$
We have $\gcd(a_1 a_2 \cdots a_{\phi(n)}, n) = 1$
There are integers b and c with $(a_1 a_2 \cdots a_{\phi(n)}) b + n c = 1$
$(a_1 a_2 \cdots a_{\phi(n)}) b \equiv 1 \pmod n$
![Page 166: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/166.jpg)
Proof
By $a_1 a_2 \cdots a_{\phi(n)} \equiv a^{\phi(n)} (a_1 a_2 \cdots a_{\phi(n)}) \pmod n$
and $(a_1 a_2 \cdots a_{\phi(n)}) b \equiv 1 \pmod n$
We have $(a_1 a_2 \cdots a_{\phi(n)}) b \equiv a^{\phi(n)} (a_1 a_2 \cdots a_{\phi(n)}) b \pmod n$
$a^{\phi(n)} \equiv 1 \pmod n$
![Page 167: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/167.jpg)
A special case
• Let p and q be two different prime numbers, and n=pq.
• Since $\phi(pq) = \phi(p)\phi(q) = (p-1)(q-1)$
• Let a be a number with gcd(a,n)=1, then $a^{\phi(n)} = a^{(p-1)(q-1)} \equiv 1 \pmod n$
![Page 168: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/168.jpg)
Problems
1. Compute $3^{80} \pmod 7$
2. Write all elements in $Z_{33}^*$
3. Compute $\phi(13)$ and $\phi(26)$
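As an added example covering the Euler-function slides, the multiplicativity theorem and the problems just above (my own code, not the slides'), the following computes $Z_n^*$ and $\phi(n)$ both by enumeration and from the prime factorization, checks $\phi(mn) = \phi(m)\phi(n)$ for coprime m,n, and uses Euler's theorem to shrink an exponent the way $3^{80} \bmod 7$ is meant to be done by hand.

```python
"""Z_n^* and Euler's phi computed two ways (by enumeration, and from the unique
factorization using phi(p^e) = p^(e-1)(p-1) and multiplicativity), plus the
exponent reduction that Euler's theorem allows. Added example; not the slides'
code. Covers the problems slide: 3^80 mod 7, Z_33^*, phi(13), phi(26)."""
import math


def units(n: int) -> list:
    """Z_n^*: all m in 1..n-1 with gcd(m, n) = 1."""
    return [m for m in range(1, n) if math.gcd(m, n) == 1]


def phi(n: int) -> int:
    return len(units(n))


def phi_from_factors(n: int) -> int:
    """phi(n) from n = p1^e1 ... pk^ek: multiply phi(p^e) = p^(e-1)(p-1) over
    the factors, valid because the prime powers are pairwise coprime."""
    result, rest, p = 1, n, 2
    while p * p <= rest:
        if rest % p == 0:
            e = 0
            while rest % p == 0:
                rest //= p
                e += 1
            result *= p ** (e - 1) * (p - 1)
        p += 1
    if rest > 1:                 # leftover prime factor with exponent 1
        result *= rest - 1
    return result


def euler_holds(a: int, n: int) -> bool:
    """a^phi(n) ≡ 1 (mod n) whenever gcd(a, n) = 1."""
    return math.gcd(a, n) == 1 and pow(a, phi(n), n) == 1


def reduce_exponent(a: int, k: int, n: int) -> int:
    """a^k mod n via a^(k mod phi(n)): e.g. 3^80 mod 7 = 3^(80 mod 6) = 3^2 = 2."""
    if math.gcd(a, n) != 1:
        raise ValueError("Euler's theorem needs gcd(a, n) = 1")
    return pow(a, k % phi(n), n)


def check_multiplicativity(limit: int) -> bool:
    """phi(mn) = phi(m) phi(n) for all coprime 2 <= m, n <= limit, and the
    enumeration agrees with the factorization formula on that range."""
    for m in range(2, limit + 1):
        if phi(m) != phi_from_factors(m):
            return False
        for n in range(2, limit + 1):
            if math.gcd(m, n) == 1 and phi(m * n) != phi(m) * phi(n):
                return False
    return True
```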
![Page 169: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/169.jpg)
Public key
• A revolution of cryptography.
• Previous methods are mainly based on permutation and substitution
• Public-key cryptography is based on mathematical functions (number theory)
![Page 170: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/170.jpg)
Public Key
• Encryption: $Y = E_{KU}(X)$ with the public key
• Decryption: $X = D_{KR}(Y)$ with the private key
![Page 171: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/171.jpg)
RSA Key Setup
• Choose two random big prime numbers p and q
• Compute N=pq
• Compute $\phi(N) = (p-1)(q-1)$
• Choose random $e < \phi(N)$ such that $\gcd(e, \phi(N)) = 1$
• Compute the integer d such that $ed \equiv 1 \pmod{\phi(N)}$
• Publicize (N,e) as the public key
• Keep d as the private key and destroy p, q and $\phi(N)$
![Page 172: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/172.jpg)
RSA Encryption
• Let m<N be a confidential message
• Ciphertext is made by $c = m^e \pmod N$
![Page 173: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/173.jpg)
RSA Decryption
• Plaintext is obtained by $m = c^d \pmod N$
![Page 174: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/174.jpg)
RSA Principle
Since $ed \equiv 1 \pmod{\phi(N)}$, we have $ed = 1 + k\phi(N)$ for some integer k
If gcd(m,N)=1, then $m^{\phi(N)} \equiv 1 \pmod N$ and $m^{k\phi(N)} \equiv 1 \pmod N$
So $c^d = m^{ed} = m^{1 + k\phi(N)} = m \cdot m^{k\phi(N)} \equiv m \pmod N$
![Page 175: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/175.jpg)
RSA Example
• Choose two primes p=7 and q=13. N=7x13=91
• Compute $\phi(91) = \phi(7)\phi(13) = 6 \times 12 = 72$
• Choose e=5
• Compute d by 72x(-2)+5x29=1 and get d=29
• Public key (N, e) = (91,5)
• Message m=3.
• Ciphertext $c = 3^5 = 243 \equiv 61 \pmod{91}$
• Decryption $c^d = 61^{29} \equiv 3 \pmod{91}$
![Page 176: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/176.jpg)
Problems in RSA
• How to obtain two large prime numbers p and q?
• How to choose e and d with $ed \equiv 1 \pmod{\phi(N)}$?
• How to compute $m^e \pmod N$ and $c^d \pmod N$ for large e and d?
![Page 177: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/177.jpg)
Compute $a^n$
Let a and n be two positive integers
Use the recursive equation:
• If n is even: $a^n = (a^{n/2})^2$
• If n=2k+1 is odd: $a^n = a \cdot (a^k)^2$
• Let T(n) be the number of multiplications: $T(n) \le T(n/2) + 2$, so $T(n) \le 2\log_2 n$
![Page 178: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/178.jpg)
Example
• Compute $3^{29}$; f(n) = # of multiplications to compute $3^n$
• $3^{29} = 3 \cdot 3^{14} \cdot 3^{14}$: f(29) = f(14) + 2
• $3^{14} = 3^7 \cdot 3^7$: f(14) = f(7) + 1
• $3^7 = 3 \cdot 3^3 \cdot 3^3$: f(7) = f(3) + 2
• $3^3 = 3 \cdot 3^1 \cdot 3^1$: f(3) = f(1) + 2, f(1) = 0
• The total number of multiplications is 2+1+2+2=7
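As an added example serving both the RSA example slide and the two "Compute $a^n$" slides (my own code, not the slides'), the following implements the slide's square-and-multiply recursion with a multiplication counter (7 for n=29), builds the p=7, q=13, e=5 key pair and reproduces c=61 and m=3, and then shows the caveat any practitioner should attach to this "textbook" RSA: encryption is deterministic and unpadded, so anyone with the public key can recover a message from a small message space by re-encrypting every candidate. It assumes Python 3.8 or later for `pow(e, -1, n)`.

```python
"""Square-and-multiply exponentiation (the 'Compute a^n' slide) with a
multiplication counter, and textbook RSA on the slide's numbers p=7, q=13,
e=5. Added example; not the slides' code. Python >= 3.8 for pow(e, -1, n)."""
import math


def modexp(a: int, n: int, mod: int, counter: list = None) -> int:
    """a^n mod `mod` by the slide's recursion:
    n even: a^n = (a^(n/2))^2 (1 multiplication);
    n = 2k+1: a^n = a * (a^k)^2 (2 multiplications).
    `counter` (a one-element list) accumulates the multiplication count."""
    if n == 0:
        return 1 % mod
    if n == 1:
        return a % mod
    half = modexp(a, n // 2, mod, counter)
    result = half * half % mod
    mults = 1
    if n % 2 == 1:
        result = result * a % mod
        mults = 2
    if counter is not None:
        counter[0] += mults
    return result


def multiplication_count(n: int) -> int:
    """f(n) on the slide: multiplications needed for a^n (7 for n = 29)."""
    counter = [0]
    modexp(3, n, 10**9 + 7, counter)
    return counter[0]


def rsa_keygen(p: int, q: int, e: int) -> tuple:
    """Key setup slide: N = pq, phi = (p-1)(q-1), d = e^-1 mod phi."""
    n, phi_n = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi_n) != 1:
        raise ValueError("e must be coprime to phi(N)")
    d = pow(e, -1, phi_n)
    return (n, e), (n, d)          # public key, private key


def rsa_encrypt(pub: tuple, m: int) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= m < N")
    return modexp(m, e, n)


def rsa_decrypt(priv: tuple, c: int) -> int:
    n, d = priv
    return modexp(c, d, n)


def recover_by_trial(pub: tuple, c: int, bound: int = None) -> int:
    """Why textbook RSA needs randomized padding: encryption is deterministic,
    so anyone holding (N, e) can re-encrypt every candidate message and match c.
    `bound` limits the search to a known small message space."""
    n, e = pub
    for m in range(n if bound is None else bound):
        if modexp(m, e, n) == c:
            return m
    return None
```

With N=91 the trial loop is instant; with a real 2048-bit N it is still instant whenever the plaintext comes from a small, guessable set (a PIN, a yes/no answer), which is why deployed RSA always encrypts a padded, randomized block rather than the raw m.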
![Page 179: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/179.jpg)
Testing Primality
Design an algorithm for testing if a number is prime
Input n>1
for (i=2; i*i <= n; i=i+1) {
    if (n mod i == 0) return "no"
}
return "yes"
Total number of steps is $O(\sqrt{n})$, which is still exponential in the number of digits of n
![Page 180: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/180.jpg)
Testing Primality
Use Fermat Theorem:
If p is a prime, a is a positive integer with gcd(p,a)=1, then $a^{p-1} \equiv 1 \pmod p$
It is necessary, but not sufficient. In other words, there exist composite numbers that also have this property
![Page 181: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/181.jpg)
Testing Primality
If p is a prime, a is a positive integer with gcd(p,a)=1, then $a^{p-1} \equiv 1 \pmod p$
Furthermore, $p \mid a^{p-1} - 1$
So, $a^{p-1} - 1 = (a^{(p-1)/2} - 1)(a^{(p-1)/2} + 1)$
So, $p \mid a^{(p-1)/2} - 1$ or $p \mid a^{(p-1)/2} + 1$
So, $a^{(p-1)/2} \equiv \pm 1 \pmod p$
![Page 182: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/182.jpg)
Testing Primality
If p is not a prime, for most 0<a<p, a does not satisfy both $a^{p-1} \equiv 1 \pmod p$ and $a^{(p-1)/2} \equiv \pm 1 \pmod p$
![Page 183: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/183.jpg)
Algorithm
Input odd integer p>2
randomly select integer $a \in (0, p)$
if ($\gcd(a, p) \neq 1$ or $a^{(p-1)/2} \not\equiv \pm 1 \pmod p$)
    return (definitely) "composite"
else
    return "prime"
![Page 184: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/184.jpg)
Error probability
If the input integer p is a prime number
The algorithm always outputs "Prime"
If the input integer p is a composite number
The algorithm says "prime" with probability $\le 0.5$
![Page 185: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/185.jpg)
Amplification
Repeat the algorithm k times on the same input
If the input integer p is a prime number
The algorithm always outputs "Prime"
If the input integer p is a composite number
The algorithm says "prime" every time with probability $\le (0.5)^k$
![Page 186: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/186.jpg)
Testing Primality
If p is a prime, a is a positive integer with gcd(p,a)=1, and $a^j \equiv 1 \pmod p$ for some even number j
Then, $p \mid a^j - 1$
So, $a^j - 1 = (a^{j/2} - 1)(a^{j/2} + 1)$
So, $p \mid a^{j/2} - 1$ or $p \mid a^{j/2} + 1$
So, $a^{j/2} \equiv \pm 1 \pmod p$
![Page 187: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/187.jpg)
Testing Primality
If p is odd, a is a positive integer with gcd(p,a)=1, and $p - 1 = 2^k q$, where q is an odd number
Consider the list: $a^q, a^{2q}, a^{2^2 q}, \dots, a^{2^k q} \pmod p$
If p is a prime number, there exists $i < k$ with $a^{2^i q} \equiv \pm 1 \pmod p$ (the last entry is 1 by Fermat, and by the previous slide an entry equal to 1 is preceded by $\pm 1$)
If p is a composite number, for a random a: 0<a<p, there exists i<k with $a^{2^i q} \equiv \pm 1 \pmod p$ with probability $\le 1/4$
![Page 188: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/188.jpg)
Algorithm
Input odd integer p>2
let $p - 1 = 2^k q$ with q odd
randomly select integer $a \in (0, p)$
for (i=0 to k-1) do
{ if ($a^{2^i q} \equiv \pm 1 \pmod p$)
    return "prime"
}
return "composite"
![Page 189: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/189.jpg)
Error probability
If the input integer p is a prime number
The algorithm always outputs "Prime"
If the input integer p is a composite number
The algorithm says "prime" with probability $\le 1/4$
![Page 190: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/190.jpg)
Amplification
Repeat the algorithm k times on the same input
If the input integer p is a prime number
The algorithm always outputs "Prime"
If the input integer p is a composite number
The algorithm says "prime" every time with probability $\le (1/4)^k$
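As an added example covering the primality-testing slides (my own code, not the slides'), the following implements the Fermat check, the slides' first algorithm ($a^{(p-1)/2} \equiv \pm 1$) and a Miller-Rabin round with an explicit base, then the amplified random-base version. The Miller-Rabin loop is written in the standard form (accept if $a^q \equiv 1$ or some $a^{2^i q} \equiv -1$ with $i<k$), which is slightly stricter than the $\pm 1$ loop on the slide. The Carmichael number 561 = 3·11·17 is the "composite with the Fermat property" the slides mention: every coprime base passes Fermat, base 2 even passes the $\pm 1$ check, and Miller-Rabin with base 2 still exposes it.

```python
"""Fermat, Euler-criterion and Miller-Rabin probable-prime tests with explicit
bases, plus the random-base amplified version. Added example, not the slides'
code; the Miller-Rabin loop is the standard form (accept a^q ≡ 1 or some
a^(2^i q) ≡ -1, i < k), slightly stricter than the slide's ±1 loop."""
import math
import random


def fermat_passes(n: int, a: int) -> bool:
    """Fermat test slide: necessary for primes, not sufficient."""
    return math.gcd(a, n) == 1 and pow(a, n - 1, n) == 1


def euler_passes(n: int, a: int) -> bool:
    """First algorithm on the slides: gcd(a,n)=1 and a^((n-1)/2) ≡ ±1 (mod n)."""
    if n % 2 == 0 or math.gcd(a, n) != 1:
        return False
    return pow(a, (n - 1) // 2, n) in (1, n - 1)


def miller_rabin_passes(n: int, a: int) -> bool:
    """One Miller-Rabin round, n odd > 2, 1 < a < n-1. Write n-1 = 2^k q, q odd,
    and walk the list a^q, a^(2q), ..., a^(2^(k-1) q) mod n."""
    k, q = 0, n - 1
    while q % 2 == 0:
        q //= 2
        k += 1
    x = pow(a, q, n)
    if x in (1, n - 1):
        return True
    for _ in range(k - 1):
        x = x * x % n
        if x == n - 1:
            return True
        if x == 1:          # reached 1 without passing -1: a nontrivial square root of 1
            return False
    return False


def is_probable_prime(n: int, rounds: int = 20, rng=random) -> bool:
    """Amplification slide: `rounds` independent rounds; a composite survives
    all of them with probability <= (1/4)^rounds."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        if not miller_rabin_passes(n, a):
            return False            # definitely composite
    return True                     # prime, or a very unlucky composite


def fermat_fools_every_base(n: int) -> bool:
    """True for Carmichael numbers such as 561 = 3*11*17: every base coprime to n
    passes the Fermat test, so that test alone can never expose them."""
    return all(fermat_passes(n, a) for a in range(2, n) if math.gcd(a, n) == 1)


def rounds_for_error(target: float, per_round: float) -> int:
    """Smallest k with per_round**k < target (the slides' (0.5)^k and (1/4)^k)."""
    k = 0
    while per_round ** k >= target:
        k += 1
    return k
```

For production use, `rng` must be a cryptographic source (`secrets.SystemRandom()`), otherwise an adversary who can predict the bases can hand you composites that pass every round.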
![Page 191: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/191.jpg)
A Free Book
A computational introduction to number theory and algebra
By Victor Shoup
>500 pages pdf file
![Page 192: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/192.jpg)
Problem
How many times should you repeat the first primality algorithm so that it has <0.0001 chance to give a wrong answer?
![Page 193: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/193.jpg)
Midterm
• October 14, 2010 (Thursday)
• Class time
• Closed book
![Page 194: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/194.jpg)
Key management
• Distribution of public key
• Use of public key encryption to distribute secret key
![Page 195: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/195.jpg)
Public announcement of public key
• Uncontrolled public-key distribution: A simply broadcasts $KU_a$ to everyone
![Page 196: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/196.jpg)
Publicly Available Directory
• Public-key publication
• KU: public key. KR: private key
• A registers $KU_a$ and B registers $KU_b$ with the public-key directory
![Page 197: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/197.jpg)
Publicly Available Directory
• Public-key publication via a public-key authority
1. A → Authority: Request || Time1
2. Authority → A: $E_{KR_{auth}}[KU_b \| Request \| Time1]$
3. A → B: $E_{KU_b}[ID_A \| N_1]$
4. B → Authority: Request || Time2
5. Authority → B: $E_{KR_{auth}}[KU_a \| Request \| Time2]$
6. B → A: $E_{KU_a}[N_1 \| N_2]$
7. A → B: $E_{KU_b}[N_2]$
![Page 198: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/198.jpg)
Public-Key Certificate
• Exchange of Public-key Certificates
• A sends $KU_a$ to the certificate authority and obtains $C_A = E_{KR_{auth}}[Time1, ID_A, KU_a]$
• B sends $KU_b$ to the certificate authority and obtains $C_B = E_{KR_{auth}}[Time2, ID_B, KU_b]$
• A and B exchange $C_A$ and $C_B$
![Page 199: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/199.jpg)
Public-Key Certificate
Simple public-key encryption to establish a session key
1. A → B: $KU_a \| ID_A$
2. B → A: $E_{KU_a}[K_s]$
![Page 200: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/200.jpg)
It is insecure against an active attack (man in the middle)
• A generates $\{KU_a, KR_a\}$ and sends $\{KU_a, ID_A\}$ to B
• E intercepts $\{KU_a, ID_A\}$, creates $\{KU_e, KR_e\}$ and sends $\{KU_e, ID_A\}$ to B
• B generates a secret key $K_s$ and sends $E_{KU_e}[K_s]$
• E intercepts $E_{KU_e}[K_s]$, learns $K_s$
• E sends $E_{KU_a}[K_s]$ to A
• A and B now share $K_s$ without noticing that E knows it too
![Page 201: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/201.jpg)
Secret Key distribution with authentication
• Public-key distribution of secret keys
1. A → B: $E_{KU_b}[N_1 \| ID_A]$
2. B → A: $E_{KU_a}[N_1 \| N_2]$
3. A → B: $E_{KU_b}[N_2]$
4. A → B: $E_{KU_b}[E_{KR_a}[K_s]]$
![Page 202: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/202.jpg)
Secret Key distribution with authentication
• Assume A and B know each other's public keys
• Public-key distribution of secret keys
1. A → B: $E_{KU_b}[N_1 \| ID_A]$
2. B → A: $E_{KU_a}[N_1 \| N_2]$
3. A → B: $E_{KU_b}[E_{KR_a}[N_2 \| K_s]]$
![Page 203: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/203.jpg)
Secret Key distribution with authentication
• Assume A and B know each other's public keys
• Public-key distribution of secret keys
1. A → B: $E_{KU_b}[N_1 \| ID_A]$
2. B → A: $E_{KU_a}[N_1 \| N_2]$
3. A → B: $E_{KU_b}[N_2]$
4. A → B: $E_{KU_b}[E_{KR_a}[K_s]]$
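As an added example covering the session-key slides above (the simple exchange, the man-in-the-middle on it, and the three-message authenticated variant with $E_{KU_b}[E_{KR_a}[N_2 \| K_s]]$), the following is my own message-flow model, not the slides' code. Public-key operations are textbook RSA on Mersenne-prime moduli, with no padding, so it models the protocol logic rather than a secure RSA deployment; party E is the attacker, and ID_A, the 64-bit field layout and the choice of primes are my own assumptions.

```python
"""Message-flow model of the session-key protocols on the preceding slides:
the simple exchange, the man-in-the-middle on it, and the authenticated
variant E_KU_b[E_KR_a[N2 || K_s]]. Public-key operations are textbook RSA on
Mersenne-prime moduli (toy: no padding, so this models the protocol logic,
not a secure RSA deployment). Added example; not the slides' code."""
import secrets

PUB_EXP = 65537
ID_A = 0xA1                     # assumed identifier for A
FIELD = 64                      # nonces and K_s are 64-bit values here


def keypair(p: int, q: int) -> tuple:
    """(KU, KR) = ((n, e), (n, d)) as on the RSA key-setup slide."""
    n = p * q
    return (n, PUB_EXP), (n, pow(PUB_EXP, -1, (p - 1) * (q - 1)))


def rsa_op(key: tuple, m: int) -> int:
    """E_KU[m] with a public key, E_KR[m] (signing) with a private key."""
    n, x = key
    if not 0 <= m < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(m, x, n)


# Moduli chosen so that E_KR_a[...] (< n_a) fits under E_KU_b (n_a < n_b).
KU_A, KR_A = keypair(2**61 - 1, 2**89 - 1)      # about 150 bits
KU_B, KR_B = keypair(2**107 - 1, 2**127 - 1)    # about 234 bits
KU_E, KR_E = keypair(2**31 - 1, 2**61 - 1)      # about 92 bits


def pack(hi: int, lo: int) -> int:
    """'hi || lo' with two FIELD-bit fields."""
    return (hi << FIELD) | lo


def unpack(v: int) -> tuple:
    return v >> FIELD, v & ((1 << FIELD) - 1)


def simple_exchange(active_attacker: bool = False) -> tuple:
    """A -> B: KU_a || ID_A ;  B -> A: E_KU_a[K_s].
    Returns (K_s as A sees it, K_s as B chose it, K_s as E learned it or None)."""
    msg1 = (KU_A, ID_A)
    if active_attacker:
        msg1 = (KU_E, ID_A)                # E replaces A's key with its own
    ku_for_b, _ = msg1
    ks = secrets.randbits(FIELD)           # B's session key
    msg2 = rsa_op(ku_for_b, ks)            # E_KU[K_s], under whatever key B holds
    learned = None
    if active_attacker:
        learned = rsa_op(KR_E, msg2)       # E reads K_s with KR_e ...
        msg2 = rsa_op(KU_A, learned)       # ... and re-wraps it for A
    return rsa_op(KR_A, msg2), ks, learned


def authenticated_exchange(forged_third_message: bool = False) -> tuple:
    """Both sides already hold each other's public keys.
    1. A -> B: E_KU_b[N1 || ID_A]   2. B -> A: E_KU_a[N1 || N2]
    3. A -> B: E_KU_b[E_KR_a[N2 || K_s]]
    Returns (B accepted, K_s at B or None, K_s A sent)."""
    n1 = secrets.randbits(FIELD)
    m1 = rsa_op(KU_B, pack(n1, ID_A))
    # B: open message 1, answer with a fresh N2 bound to N1
    b_n1, _b_id = unpack(rsa_op(KR_B, m1))
    n2 = secrets.randbits(FIELD)
    m2 = rsa_op(KU_A, pack(b_n1, n2))
    # A: check its own nonce came back, then sign-then-encrypt N2 || K_s
    a_n1, a_n2 = unpack(rsa_op(KR_A, m2))
    if a_n1 != n1:
        return False, None, None
    ks = secrets.randbits(FIELD)
    if forged_third_message:
        # E knows neither KR_a nor N2 (message 2 was encrypted for A), so the
        # best it can do is submit an arbitrary "signature".
        m3 = rsa_op(KU_B, secrets.randbelow(KU_A[0]))
    else:
        m3 = rsa_op(KU_B, rsa_op(KR_A, pack(a_n2, ks)))
    # B: decrypt, strip the signature with KU_a, and demand its own N2 back
    inner = rsa_op(KU_A, rsa_op(KR_B, m3))
    b_n2, b_ks = unpack(inner)
    accepted = inner >> (2 * FIELD) == 0 and b_n2 == n2
    return accepted, (b_ks if accepted else None), ks
```

The nonce $N_2$ inside the signed block is what gives B something to check: with textbook RSA, "verifying" a signature just recovers some number, so without redundancy B could not tell A's $E_{KR_a}[K_s]$ from a value E made up. Real deployments get that redundancy from a padding scheme and get the public keys from certificates rather than assuming them.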
![Page 204: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/204.jpg)
Diffie-Hellman Key Exchange
• Enables two users to establish a shared secret key securely over a public channel
• Published in 1976
• Commercial products available
![Page 205: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/205.jpg)
Global Public Elements
• Prime number q
• Primitive root $\alpha$ of q
  ($\alpha, \alpha^2, \alpha^3, \dots, \alpha^{q-1} \pmod q$ is a permutation of 1,2,3,…,q-1)
![Page 206: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/206.jpg)
User A Key Generation
• Select private $X_A < q$
• Compute public $Y_A = \alpha^{X_A} \pmod q$
![Page 207: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/207.jpg)
User B Key Generation
• Select private $X_B < q$
• Compute public $Y_B = \alpha^{X_B} \pmod q$
![Page 208: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/208.jpg)
Generation of Secret Key by A
User A computes $K = (Y_B)^{X_A} \pmod q$
![Page 209: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/209.jpg)
User A Key Generation
• A:
$K = (Y_B)^{X_A} \bmod q$
$= (\alpha^{X_B} \bmod q)^{X_A} \bmod q$
$= \alpha^{X_B X_A} \bmod q$
$= \alpha^{X_A X_B} \bmod q = (\alpha^{X_A} \bmod q)^{X_B} \bmod q = (Y_A)^{X_B} \bmod q$
![Page 210: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/210.jpg)
Generation of Secret Key by B
User B computes $K = (Y_A)^{X_B} \bmod q$
![Page 211: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/211.jpg)
Midterm 2008
• 90-100: 1
• 80-89: 2
• 70-79: 4
• 50-60: 2
![Page 213: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/213.jpg)
Problem 1
1. a) What is the plaintext attack? b) Which of the following encryption methods can be easily broken by the plaintext attack? Briefly explain your answer.
(1) Monoalphabetic Cipher (2) Hill Cipher (3) DES (4) RSA
![Page 214: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/214.jpg)
Attacks
• Ciphertext-only attack:
the attacker only knows ciphertext
• Known-plaintext attack:
the attacker knows some plaintext patterns and their encryptions
• Chosen-plaintext attack:
the attacker chooses the messages to be encrypted
![Page 215: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/215.jpg)
Solution
• Monoalphabetic Cipher
• Hill Cipher
![Page 216: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/216.jpg)
Monoalphabetic Cipher
• Plain letters to cipher letters
Plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z
Cipher: Z E I R M F S K B H C U P Q G J T O V W X Y D A L N
• Plaintext to ciphertext
Plaintext:  a t t a c k a t m i d n i g h t
Ciphertext: Z W W Z I C Z W P B R Q B S K W
![Page 217: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/217.jpg)
Monoalphabetic Cipher
• Plain:
a b c d e f g h i j k l m n o p q r s t u v w x y z
• Cipher: a permutation of the 26 letters
• Number of possible keys:
26! = 1 × 2 × 3 × 4 × … × 25 × 26
![Page 218: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/218.jpg)
Hill Cipher
• $C = KP \bmod 26$
C is a column of m cipher letters
K is an m×m matrix
P is a column of m plain letters
• K is invertible, with inverse $K^{-1}$ such that $K K^{-1} = I$
I is the m×m identity matrix: all ones on the main diagonal, all zeros off the main diagonal
![Page 219: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/219.jpg)
Encryption and Decryption
• Encryption: $C = E_K(P) = KP \bmod 26$
• Decryption: $P = D_K(C) = K^{-1} C \bmod 26 = K^{-1} K P = IP = P$
![Page 220: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/220.jpg)
Example
• K =
17 17 5
21 18 21
2 2 19
• $K^{-1}$ =
4 9 15
15 17 6
24 0 17
![Page 221: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/221.jpg)
Example
• $K K^{-1}$ =
443 442 442
858 495 780
494 52 365
mod 26 =
1 0 0
0 1 0
0 0 1
![Page 222: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/222.jpg)
Hill Cipher Security
$\begin{pmatrix} c_{11} & c_{12} & c_{13} \\ c_{21} & c_{22} & c_{23} \\ c_{31} & c_{32} & c_{33} \end{pmatrix} = \begin{pmatrix} k_{11} & k_{12} & k_{13} \\ k_{21} & k_{22} & k_{23} \\ k_{31} & k_{32} & k_{33} \end{pmatrix} \begin{pmatrix} p_{11} & p_{12} & p_{13} \\ p_{21} & p_{22} & p_{23} \\ p_{31} & p_{32} & p_{33} \end{pmatrix}$
$C = KP$ (three known plaintext blocks as the columns of $P$, their ciphertext blocks as the columns of $C$)
$K = CP^{-1}$
![Page 223: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/223.jpg)
Conclusion
• Hill cipher is easy to break by plaintext attack.
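The Hill cipher slides above in working form, as an added example that is not code from the slides: the inverse $K^{-1} \bmod 26$ of the example key, encryption and decryption of a constructed plaintext, and the known-plaintext key recovery $K = CP^{-1}$ of the security slide. The function names, the 3×3 restriction and the sample plaintexts are my own choices.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the lecture slides): 3x3 Hill cipher over a..z,
 * the key inverse K^-1 mod 26, and the known-plaintext key recovery
 * K = C P^-1 from the "Hill Cipher Security" slide. */

#define M 3
#define MOD 26

typedef struct { int a[M][M]; } Mat;

/* Key and its inverse exactly as given on the "Example" slides. */
static const Mat SLIDE_K     = {{{17, 17, 5}, {21, 18, 21}, {2, 2, 19}}};
static const Mat SLIDE_K_INV = {{{4, 9, 15}, {15, 17, 6}, {24, 0, 17}}};

/* Reduce into 0..25, also for negative intermediates. */
static int mod26(long v) { v %= MOD; return (int)(v < 0 ? v + MOD : v); }

/* Multiplicative inverse of v mod 26, or -1 when gcd(v, 26) != 1. */
static int inv_mod26(int v) {
    for (int x = 1; x < MOD; x++)
        if (mod26((long)v * x) == 1) return x;
    return -1;
}

static Mat mat_mul(const Mat *x, const Mat *y) {
    Mat r;
    for (int i = 0; i < M; i++)
        for (int j = 0; j < M; j++) {
            long s = 0;
            for (int k = 0; k < M; k++) s += (long)x->a[i][k] * y->a[k][j];
            r.a[i][j] = mod26(s);
        }
    return r;
}

static int mat_equal(const Mat *x, const Mat *y) {
    return memcmp(x->a, y->a, sizeof x->a) == 0;
}

/* K^-1 = det(K)^-1 * adj(K) mod 26. Returns 0 when det(K) shares a factor
 * with 26, i.e. when K is not a usable Hill key. */
static int mat_inverse(const Mat *k, Mat *out) {
    const int (*a)[M] = k->a;
    long det = (long)a[0][0] * (a[1][1] * a[2][2] - a[1][2] * a[2][1])
             - (long)a[0][1] * (a[1][0] * a[2][2] - a[1][2] * a[2][0])
             + (long)a[0][2] * (a[1][0] * a[2][1] - a[1][1] * a[2][0]);
    int det_inv = inv_mod26(mod26(det));
    if (det_inv < 0) return 0;
    for (int i = 0; i < M; i++)
        for (int j = 0; j < M; j++) {
            /* entry (i,j) of adj(K) is the cofactor of entry (j,i) */
            int r0 = (j + 1) % M, r1 = (j + 2) % M, c0 = (i + 1) % M, c1 = (i + 2) % M;
            long cof = (long)a[r0][c0] * a[r1][c1] - (long)a[r0][c1] * a[r1][c0];
            out->a[i][j] = mod26(cof * det_inv);
        }
    return 1;
}

/* C = K P mod 26 block by block. `in` must be lowercase a..z with a length
 * that is a multiple of 3; `out` needs strlen(in) + 1 bytes. Decryption is
 * the same call with K^-1. */
static void hill_apply(const Mat *k, const char *in, char *out) {
    size_t n = strlen(in);
    for (size_t b = 0; b + M <= n; b += M)
        for (int i = 0; i < M; i++) {
            long s = 0;
            for (int j = 0; j < M; j++) s += (long)k->a[i][j] * (in[b + j] - 'a');
            out[b + i] = (char)('a' + mod26(s));
        }
    out[n] = '\0';
}

/* Known-plaintext attack: three plaintext blocks as the columns of P and their
 * ciphertext blocks as the columns of C give C = K P, so K = C P^-1. */
static int hill_recover_key(const Mat *p, const Mat *c, Mat *k) {
    Mat p_inv;
    if (!mat_inverse(p, &p_inv)) return 0;
    *k = mat_mul(c, &p_inv);
    return 1;
}

/* Runs every check: K^-1 matches the slide, encrypt/decrypt round-trips,
 * and the key is recovered from three constructed plaintext blocks. */
int hill_demo(void) {
    Mat k_inv, k_rec, c;
    /* constructed plaintext blocks "bcd", "abe", "fga" as columns: det(P) = 1 */
    const Mat p = {{{1, 0, 5}, {2, 1, 6}, {3, 4, 0}}};
    char cipher[16], plain[16];
    if (!mat_inverse(&SLIDE_K, &k_inv) || !mat_equal(&k_inv, &SLIDE_K_INV)) return 0;
    hill_apply(&SLIDE_K, "paymoremoney", cipher);   /* constructed plaintext */
    if (strcmp(cipher, "lnshdlewmtrw") != 0) return 0;   /* computed by hand for this K */
    hill_apply(&k_inv, cipher, plain);
    if (strcmp(plain, "paymoremoney") != 0) return 0;
    c = mat_mul(&SLIDE_K, &p);                       /* what the attacker observes */
    if (!hill_recover_key(&p, &c, &k_rec)) return 0;
    return mat_equal(&k_rec, &SLIDE_K);
}

int main(void) {
    char cipher[16];
    hill_apply(&SLIDE_K, "paymoremoney", cipher);
    printf("ciphertext: %s\nall checks pass: %d\n", cipher, hill_demo());
    return 0;
}
```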
![Page 224: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/224.jpg)
Problem 2
2. a) Which parts of DES use the permutation method?
b) Which parts of DES use the substitution method?
c) Explain why DES can be inverted (verify that each round is easy to invert).
![Page 225: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/225.jpg)
Answer
• A) Stage 1, stage 3, and all 16 rounds of stage 2.
• B) All 16 rounds of stage 2.
• C) The invertibility of stage 1 and stage 3 is based on $IP^{-1}(IP(x)) = x$.
The 16 rounds of stage 2 are described by …
![Page 226: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/226.jpg)
Three stages
• Stage 1: apply a fixed permutation IP
$(L_0, R_0) = IP(\text{Input Block})$
• Stage 2: 16 rounds of operations (i = 1, 2, …, 16)
$L_i = R_{i-1}$
$R_i = L_{i-1} \oplus f(R_{i-1}, k_i)$
• Stage 3: Output
Output block $= IP^{-1}(R_{16}, L_{16})$
![Page 227: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/227.jpg)
Stage 1
• Apply a fixed permutation IP: $(L_0, R_0) = IP(\text{Input Block})$
• $L_0$ is the left 32 bits
• $R_0$ is the right 32 bits
• IP is a fixed permutation function
![Page 228: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/228.jpg)
Stage 2
• 16 rounds of operations (i = 1, 2, …, 16)
$L_i = R_{i-1}$
$R_i = L_{i-1} \oplus f(R_{i-1}, k_i)$
• Function f is called the "S"-box function ("S" for substitution)
• The $k_i$ is a 48-bit key, a substring of the 56-bit input key
![Page 229: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/229.jpg)
One Round Feistel Cipher
• One round
[Figure: one Feistel round. Inputs $L_{i-1}$ and $R_{i-1}$; $f$ is applied to $R_{i-1}$ and XORed into $L_{i-1}$; outputs $L_i = R_{i-1}$ and $R_i$]
![Page 230: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/230.jpg)
Principles
• The substitution is used in the function f
• The permutation is applied in each of the 16 rounds
![Page 231: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/231.jpg)
[Figure: the 16 rounds chained. $(L_0, R_0)$ → f → $(L_1, R_1)$ → f → $(L_2, R_2)$ → … → $(L_{16}, R_{16})$]
![Page 232: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/232.jpg)
Stage 3
• Output
Output block $= IP^{-1}(R_{16}, L_{16})$
$IP^{-1}$ is the inverse of IP
![Page 233: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/233.jpg)
One Round Feistel Cipher
• One round
[Figure: the last round. Inputs $L_{15}$ and $R_{15}$, subkey $k_{16}$; $f$ applied to $R_{15}$; outputs $L_{16}$ and $R_{16}$]
![Page 234: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/234.jpg)
Decryption
• First stage:
$IP(c) = IP(IP^{-1}(R_{16}, L_{16})) = (R_{16}, L_{16}) = (L'_0, R'_0)$
• Second stage:
$L'_1 = R'_0 = L_{16} = R_{15}$
$R'_1 = L'_0 \oplus f(R'_0, k_{16}) = R_{16} \oplus f(L_{16}, k_{16}) = (L_{15} \oplus f(R_{15}, k_{16})) \oplus f(R_{15}, k_{16}) = L_{15}$
![Page 235: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/235.jpg)
Decryption
• Available information
(1) keys: k1,k2,…, k16
(2) IP
(3) Ciphertext: C
![Page 236: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/236.jpg)
Decryption
• First stage
$IP(c) = IP(IP^{-1}(R_{16}, L_{16})) = (R_{16}, L_{16}) = (L'_0, R'_0)$
$L'_1 = R'_0 = L_{16} = R_{15}$
$R'_1 = L'_0 \oplus f(R'_0, k_{16}) = R_{16} \oplus f(L_{16}, k_{16}) = (L_{15} \oplus f(R_{15}, k_{16})) \oplus f(R_{15}, k_{16}) = L_{15}$
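The decryption argument of Problem 2 c) run in code, as an added example that is not from the slides: a 16-round Feistel network with a deliberately simple toy round function and toy key schedule (both my own, not DES's E/S-box/P construction) is inverted by running the same rounds with the subkeys in reverse order, exactly as the $L'_i$, $R'_i$ equations above show.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the slides: a 16-round Feistel network on a 32-bit
 * block (16-bit halves) with a simple, non-invertible toy round function.
 * Running the same rounds with the subkeys in reverse order inverts the
 * cipher for ANY f, because R'_1 = (L_15 xor f(R_15,k_16)) xor f(R_15,k_16)
 * = L_15, and so on down to (L_0, R_0). IP and IP^-1 are left out: a fixed
 * permutation and its inverse cancel and do not affect the argument. */

#define ROUNDS 16

/* Toy round function (NOT DES's); any mapping of (R, k) to 16 bits works. */
static uint16_t toy_f(uint16_t r, uint16_t k) {
    uint32_t t = (uint32_t)r * 0x9E37u + k;
    t ^= t >> 7;
    return (uint16_t)t;
}

/* Toy key schedule (assumption): 16 subkeys from a 64-bit master key. */
void toy_key_schedule(uint64_t master, uint16_t keys[ROUNDS]) {
    for (int i = 0; i < ROUNDS; i++) {
        master = master * 6364136223846793005ull + 1442695040888963407ull; /* LCG step */
        keys[i] = (uint16_t)(master >> 48);
    }
}

/* Stage 2 of the slides: L_i = R_{i-1}, R_i = L_{i-1} xor f(R_{i-1}, k_i),
 * followed by the stage-3 swap (R_16, L_16). With decrypt != 0 the subkeys
 * are applied as k_16, k_15, ..., k_1, which is the slides' decryption. */
uint32_t feistel(uint32_t block, const uint16_t keys[ROUNDS], int decrypt) {
    uint16_t l = (uint16_t)(block >> 16), r = (uint16_t)block;
    for (int i = 0; i < ROUNDS; i++) {
        uint16_t k = decrypt ? keys[ROUNDS - 1 - i] : keys[i];
        uint16_t next_r = l ^ toy_f(r, k);
        l = r;
        r = next_r;
    }
    return ((uint32_t)r << 16) | l;   /* output block is (R_16, L_16) */
}

/* Encrypt (decrypt == 0) or decrypt (decrypt != 0) under a fixed demo key. */
uint32_t feistel_demo(uint32_t block, int decrypt) {
    uint16_t keys[ROUNDS];
    toy_key_schedule(0x0123456789ABCDEFull, keys);   /* constructed master key */
    return feistel(block, keys, decrypt);
}

/* 1 if decrypting the ciphertext of `block` gives `block` back. */
int feistel_roundtrip_ok(uint32_t block) {
    return feistel_demo(feistel_demo(block, 0), 1) == block;
}

int main(void) {
    uint32_t p = 0xDEADBEEFu, c = feistel_demo(p, 0);
    printf("plain %08" PRIx32 " -> cipher %08" PRIx32 " -> decrypted %08" PRIx32 "\n",
           p, c, feistel_demo(c, 1));
    return 0;
}
```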
![Page 237: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/237.jpg)
Part b)
• Permutation: IP, and the swap of the left and right halves in each of the 16 rounds.
• Substitution: the S-boxes in each of those 16 rounds.
![Page 238: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/238.jpg)
Function $f(R_{i-1}, K_i)$
[Figure: $R_{i-1}$ (32 bits) → E → 48 bits, XORed with $K_i$ (48 bits) → $S_1, S_2, \ldots, S_8$ (6 bits in, 4 bits out each) → 32 bits → P → 32 bits]
$f(R_{i-1}, K_i) = P(S(E(R_{i-1}) \oplus K_i))$
![Page 239: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/239.jpg)
Function
• (a) E: expansion from 32 bits to 48 bits; $T = E(R_{i-1})$
• (b) $T' = T \oplus K_i = (B_1, \ldots, B_8)$; each $B_i$ is 6 bits
• (c) $T'' = (S_1(B_1), S_2(B_2), \ldots, S_8(B_8))$
Each $S_i$ is a 4×16 2D table with 4 bits at each entry
$B_i$ determines an entry in the $S_i$ table
• (d) $T''' = P(T'')$
$f(R_{i-1}, K_i) = P(S(E(R_{i-1}) \oplus K_i))$
![Page 240: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/240.jpg)
Problem 3
3. a) Use the Euclidean algorithm to compute gcd(904,162).
b) Prove that the Euclidean algorithm takes at most 2 log n divisions to compute gcd(m,n). You can assume that dividing an integer a by another integer b gives both the quotient q and the remainder r with a = b*q + r.
![Page 241: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/241.jpg)
Greatest common divisor
• Divisor: For two integers b and c, if b=c*z for some integer z, c is a divisor of b.
• Greatest common divisor: Given two integers a and b, gcd(a,b) is the greatest positive integer c such that c is the divisor for both a and b.
• Examples: gcd(10,4)=2, gcd(16,100)=4
• Problem: How to find gcd(a,b)?
![Page 242: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/242.jpg)
Modular
• Assume a and b are two positive integers
$a = qb + r$, $0 \le r < b$, $q = \lfloor a/b \rfloor$
$\gcd(a, b) = \gcd(b, r)$
• This is a recursive equation since the second item goes down
![Page 243: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/243.jpg)
Solution
• gcd(904,162) = gcd(162,94) = gcd(94,68) = gcd(68,26) = gcd(26,16) = gcd(16,10) = gcd(10,6) = gcd(6,4) = gcd(4,2) = 2
904 = 162 × 5 + 94
162 = 94 × 1 + 68
94 = 68 × 1 + 26
68 = 26 × 2 + 16
26 = 16 × 1 + 10
16 = 10 × 1 + 6
10 = 6 × 1 + 4
6 = 4 × 1 + 2
4 = 2 × 2 + 0
![Page 244: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/244.jpg)
Euclid algorithm
• Assume $a_1$ and $a_2$ are two positive integers
$a_1 = q_1 a_2 + a_3$, $0 < a_3 < a_2$
$a_2 = q_2 a_3 + a_4$, $0 < a_4 < a_3$
$a_3 = q_3 a_4 + a_5$, $0 < a_5 < a_4$
…
$a_{m-2} = q_{m-2} a_{m-1} + a_m$, $0 < a_m < a_{m-1}$
$a_{m-1} = q_{m-1} a_m$
![Page 245: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/245.jpg)
Observation
Each $a_i$ can be expressed as $a_i = u_i a_1 + v_i a_2$ for some integers $u_i, v_i$
Proof: It is true for i = 1, 2. Assume it is true for all cases < i.
Since $a_i = a_{i-2} - q_{i-2} a_{i-1}$ and, by the inductive assumption,
$a_{i-2} = u_{i-2} a_1 + v_{i-2} a_2$ and $a_{i-1} = u_{i-1} a_1 + v_{i-1} a_2$,
we have
$a_i = (u_{i-2} a_1 + v_{i-2} a_2) - q_{i-2}(u_{i-1} a_1 + v_{i-1} a_2)$
$= (u_{i-2} - q_{i-2} u_{i-1}) a_1 + (v_{i-2} - q_{i-2} v_{i-1}) a_2$
![Page 246: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/246.jpg)
Speed of Euclid algorithm
• Assume $a_1$ and $a_2$ are two positive integers
$a_1 = q_1 a_2 + a_3$, $a_3 = a_1 - q_1 a_2$, $0 \le a_3 < a_2$, $\gcd(a_1, a_2) = \gcd(a_2, a_3)$
$a_2 = q_2 a_3 + a_4$, $a_4 = a_2 - q_2 a_3$, $0 \le a_4 < a_3$, $\gcd(a_2, a_3) = \gcd(a_3, a_4)$
• If $a_3 > a_2/2$, we have $a_2 = 1 \cdot a_3 + (a_2 - a_3)$ with $a_2 - a_3 < a_2/2$
• In other words, $a_4 = a_2 - a_3 < a_2/2$ (and if $a_3 \le a_2/2$, then $a_4 < a_3 \le a_2/2$ directly), so every two divisions at least halve the second argument, which gives at most $2\log_2 n$ divisions
![Page 247: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/247.jpg)
Problem 4
4. a) In the RSA system, the public key of a given user is e=41, n=3599. What is the private key? Show each step of your calculation.
b) Why does the security of RSA depend on the intractability of the factorization and discrete logarithm problems? Why do we need large prime numbers for RSA?
![Page 248: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/248.jpg)
Public Key
• Encryption: $Y = E_{\text{publicKey}}(X)$
• Decryption: $X = D_{\text{privateKey}}(Y)$
![Page 249: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/249.jpg)
RSA Key Setup
• Choose two random big prime numbers p and q
• Compute N = pq
• Compute $\phi(N) = (p-1)(q-1)$
• Choose random $e < \phi(N)$ such that $\gcd(e, \phi(N)) = 1$
• Compute the integer d such that $ed \equiv 1 \pmod{\phi(N)}$
• Publicize (N, e) as the public key
• Keep d as the private key and destroy p, q and $\phi(N)$
![Page 250: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/250.jpg)
RSA Encryption
• Let m < N be a confidential message
• The ciphertext is made by $c = m^e \bmod N$
![Page 251: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/251.jpg)
RSA Decryption
• The plaintext is obtained by $m = c^d \bmod N$
![Page 252: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/252.jpg)
RSA Principle
Since $de \equiv 1 \pmod{\phi(N)}$, we have $de = 1 + k\phi(N)$ for some integer $k$, so
$c^d = m^{ed} = m^{1 + k\phi(N)} = m \cdot (m^{\phi(N)})^k \pmod N$
If $\gcd(m, N) = 1$, then $m^{\phi(N)} \equiv 1 \pmod N$ and $(m^{\phi(N)})^k \equiv 1 \pmod N$, so
$c^d = m \cdot (m^{\phi(N)})^k = m \cdot 1 = m \pmod N$
![Page 253: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/253.jpg)
Solution
Part 1.
n = 59 × 61.
$\phi(n) = (59-1)(61-1) = 3480$
The inverse of e = 41 is d = 2801 (mod 3480).
![Page 254: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/254.jpg)
Solution
3480 = 41 × 84 + 36
41 = 36 × 1 + 5
36 = 5 × 7 + 1
1 = 36 - 5 × 7 = 36 - 7 × (41 - 36 × 1)
= 8 × 36 - 7 × 41
= 8 × (3480 - 41 × 84) - 7 × 41
= 8 × 3480 - 679 × 41
d = 2801 ≡ -679 (mod 3480)
![Page 255: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/255.jpg)
Part b.
If n = p*q can be factorized easily, one can compute (p-1)*(q-1) and find d with e*d ≡ 1 (mod (p-1)(q-1)).
![Page 256: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/256.jpg)
Part c.
• If factorization is easy, we can find p and q for n = p*q. With p, q and n, we can find d.
• Discrete logarithm is to find x with y and n, where $y = a^x \pmod n$.
With a pair of messages a and $a^d \pmod n$, we can find d from the discrete log.
![Page 257: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/257.jpg)
Gcd(int a, int b)
```c
/* Recursive Euclidean algorithm; requires b > 0 (a % 0 is undefined). */
int gcd(int a, int b) {
    if ((a % b) == 0) return b;   /* b divides a: b is the gcd */
    return gcd(b, a % b);         /* gcd(a, b) = gcd(b, a mod b) */
}
```
![Page 258: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/258.jpg)
exponent( int a, int e, int m):
```c
/* Fast (square-and-multiply) modular exponentiation: a^e mod m. */
int exponent(int a, int e, int m) {
    int temp;
    if (e == 1) return a % m;
    if (e == 0) return 1;
    temp = exponent(a, e / 2, m);                 /* a^(e/2) mod m */
    if (e % 2 == 0) {
        return (temp * temp) % m;                 /* a^e = (a^(e/2))^2 */
    } else {
        return (((temp * temp) % m) * a) % m;     /* reduce before multiplying by a */
    }
}
```
![Page 259: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/259.jpg)
Bad Implementation
```c
return (temp*temp*a)%m;   /* temp*temp*a is not reduced mod m first and can overflow int */
```
![Page 260: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/260.jpg)
primality(int p)
```c
#include <stdlib.h>   /* rand() */

/* Single-witness Euler test: returns 1 if p passes (probably prime), 0 if composite. */
int primality(int p) {
    int a, temp;
    if (p <= 1) return 0;
    if (p == 2) return 1;
    a = 1 + (rand() % (p - 1));                   /* random witness in 1..p-1 */
    if (gcd(a, p) > 1) return 0;                  /* shares a factor with p: composite */
    temp = exponent(a, (p - 1) / 2, p);           /* Euler's criterion: a^((p-1)/2) is 1 or p-1 (mod p) for prime p */
    if ((temp != 1) && (temp != p - 1)) return 0;
    return 1;
}
```
![Page 261: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/261.jpg)
Bad Implementation
```c
temp = exponent(a, (p-1)/2, p);
if ((temp != 1) && (temp != -1)) return 0;   /* -1 never matches: the residue -1 mod p is p-1 */
```
![Page 262: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/262.jpg)
Bad Implementation
```c
a = rand() % p;   /* a can be 0, and a = 0 always fails the test */
```
![Page 263: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/263.jpg)
Bad Implementation
```c
if ((exponent(a, (p-1)/2, p) != 1)
    &&
    (temp = exponent(a, (p-1)/2, p) != p-1))   /* parses as temp = (... != p-1), and exponent() runs twice */
    return 0;
```
![Page 264: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/264.jpg)
Problem 5
5. a) How many multiplications does it take to compute $5^{596} \bmod 1234$ using the fast exponentiation algorithm? Show the steps of your calculation. You only need to get the number of multiplications instead of the final result for $5^{596} \bmod 1234$.
b) Explain why RSA needs fast exponentiation.
![Page 265: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/265.jpg)
Solution
• It takes 12 multiplications (each product reduced mod 1234)
$5^2 = 5 \cdot 5$
$5^4 = 5^2 \cdot 5^2$
$5^9 = 5^4 \cdot 5^4 \cdot 5$
$5^{18} = 5^9 \cdot 5^9$
$5^{37} = 5^{18} \cdot 5^{18} \cdot 5$
$5^{74} = 5^{37} \cdot 5^{37}$
$5^{149} = 5^{74} \cdot 5^{74} \cdot 5$
$5^{298} = 5^{149} \cdot 5^{149}$
$5^{596} = 5^{298} \cdot 5^{298}$
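Problem 5 and the exponent()/primality() slides with their Bad Implementations, as an added example that is not code from the slides: the slides' recursion with a multiplication counter (12 for $5^{596} \bmod 1234$), the same recursion in 32-bit wraparound arithmetic to reproduce the `temp*temp*a` overflow, and the Euler-criterion comparison against p-1 rather than -1. Function names and the test moduli 2000 and 13/15 are my own.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the slides: the slides' recursive exponent() with a
 * multiplication counter, the same recursion in 32-bit wraparound arithmetic
 * to reproduce the "temp*temp*a" overflow of the Bad Implementation slide,
 * and the Euler criterion comparison written against p-1 rather than -1. */

/* Square-and-multiply as on the slides, counting multiplications in *mults.
 * temp < m, so with m < 2^32 both temp*temp and ((temp*temp)%m)*a fit in
 * uint64_t; reducing before the multiply by a is what keeps it that way. */
uint64_t exponent_counted(uint64_t a, uint64_t e, uint64_t m, int *mults) {
    uint64_t temp;
    if (e == 0) return 1 % m;
    if (e == 1) return a % m;
    temp = exponent_counted(a, e / 2, m, mults);          /* a^(e/2) mod m */
    if (e % 2 == 0) {
        *mults += 1;                                       /* one squaring */
        return (temp * temp) % m;
    }
    *mults += 2;                                           /* squaring, then * a */
    return (((temp * temp) % m) * (a % m)) % m;
}

/* Wrappers that return the count and the value separately. */
int count_mults(uint64_t a, uint64_t e, uint64_t m) {
    int n = 0;
    exponent_counted(a, e, m, &n);
    return n;
}
uint64_t fast_exp(uint64_t a, uint64_t e, uint64_t m) {
    int n = 0;
    return exponent_counted(a, e, m, &n);
}

/* The Bad Implementation: (temp*temp*a)%m in 32-bit arithmetic. Unsigned so
 * the wraparound is well defined and the wrong answer is reproducible; with
 * signed int the overflow is undefined behaviour, which is worse, not better. */
uint32_t exponent_bad32(uint32_t a, uint32_t e, uint32_t m) {
    uint32_t temp;
    if (e == 0) return 1 % m;
    if (e == 1) return a % m;
    temp = exponent_bad32(a, e / 2, m);
    if (e % 2 == 0) return (temp * temp) % m;
    return (temp * temp * a) % m;                          /* wraps once m^3 > 2^32 */
}

/* The primality slide's single-witness Euler check: a^((p-1)/2) mod p must be
 * 1 or p-1. Comparing with -1 (another Bad Implementation slide) never
 * matches, because p-1 is the residue that represents -1 mod p. */
int euler_witness_passes(uint64_t p, uint64_t a) {
    uint64_t t;
    if (p < 3 || a == 0 || a >= p) return 0;               /* a = 0 (rand()%p) is no valid witness */
    t = fast_exp(a, (p - 1) / 2, p);
    return t == 1 || t == p - 1;
}

int main(void) {
    printf("5^596 mod 1234 = %llu using %d multiplications\n",
           (unsigned long long)fast_exp(5, 596, 1234), count_mults(5, 596, 1234));
    printf("1999^3 mod 2000: correct %llu, 32-bit overflow gives %lu\n",
           (unsigned long long)fast_exp(1999, 3, 2000),
           (unsigned long)exponent_bad32(1999, 3, 2000));
    return 0;
}
```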
![Page 266: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/266.jpg)
Midterm 2010
• 90-100: 1
• 80-89: 7
• 70-79: 5
• 60-70: 3
• <60: 1
![Page 267: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/267.jpg)
Problem 1
1. a) Which of the following encryption methods use the substitution method? b) Which of them use the permutation method? c) Which of them use both methods? Briefly explain your answer.
(1) Monoalphabetic Cipher (2) Playfair cipher (3) Transposition cipher (4) Hill Cipher (5) DES (6) RSA
![Page 268: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/268.jpg)
Solution
• Substitution: Monoalphabetic Cipher, Playfair cipher, Hill Cipher, DES
• Permutation: Transposition cipher, DES.
• Both: DES
![Page 269: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/269.jpg)
Problem 2
2. a) Which parts of DES use the permutation method?
b) Which parts of DES use the substitution method?
c) Explain why DES can be inverted (verify that each round is easy to invert).
![Page 277: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/277.jpg)
Problem 3
3. a) Use the Euclidean algorithm to compute gcd(78,104). Show your steps.
b) Prove that the Euclidean algorithm takes at most 2 log n divisions to compute gcd(m,n) with m < n. You can assume that dividing an integer a by another integer b gives both the quotient q and the remainder r with a = b*q + r.
![Page 293: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/293.jpg)
Solution
• gcd(104,78) = gcd(78,26) = 26
104 = 78 × 1 + 26
78 = 26 × 3 + 0
![Page 296: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/296.jpg)
Problem 4
• 4. a) In the RSA system, the public key of a given user is e=3, n=55. What is the private key? Show each step of your calculation.
• b) Why does the security of RSA depend on the intractability of the factorization and discrete logarithm problems?
• c) Why do we need large prime numbers for RSA?
![Page 301: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/301.jpg)
Solution
Part 1.
n = 5 × 11.
$\phi(n) = (5-1)(11-1) = 40$
The inverse of e = 3 is d = 27 (mod 40).
![Page 307: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/307.jpg)
Solution
40 = 13 × 3 + 1
1 = 40 - 13 × 3
d = 27 ≡ -13 (mod 40)
![Page 308: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/308.jpg)
Part b.
If n = p*q can be factorized easily, one can compute (p-1)*(q-1) and find d with e*d ≡ 1 (mod (p-1)(q-1)).
![Page 309: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/309.jpg)
Part c.
• If factorization is easy, we can find p and q for n = p*q. With p, q and n, we can find d.
• Discrete logarithm is to find x with y and n, where $y = a^x \pmod n$.
With a pair of messages a and $a^d \pmod n$, we can find d from the discrete log.
![Page 310: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/310.jpg)
Problem 5
5. a) How many multiplications does it take to compute $5^{596} \bmod 1234$ using the fast exponentiation algorithm? Show the steps of your calculation. You only need to get the number of multiplications instead of the final result for $5^{596} \bmod 1234$.
b) Explain why RSA needs fast exponentiation.
![Page 318: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/318.jpg)
![Page 319: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/319.jpg)
Problem 6
6. Suppose we have a set of blocks encoded with the RSA algorithm and we don't have the private key. Assume n=pq, e is the public key. Suppose also someone tells us they know one of the plaintext blocks has a common factor with n. Show that the RSA system can be broken.
![Page 320: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/320.jpg)
Solution
• Assume that the plaintext block m has a common factor with n, i.e. $\gcd(m, n)$ is p or q.
• The plaintext m is encrypted into the ciphertext $c = m^{e} \bmod n$ (the slide writes the exponent as $K_{public}$).
• The ciphertext c has that common factor with n as well: if $p \mid m$ then $p \mid m^e$ and $p \mid n$, so $p \mid c$.
• Compute $\gcd(c, n)$ to get one of the two factors; the other is $n / \gcd(c, n)$.
• With the two factors and the public key, compute $\phi(n) = (p-1)(q-1)$ and the private key $d = e^{-1} \bmod \phi(n)$.
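The gcd attack of this solution, as an added Python example (not part of the slides). The key (p = 61, q = 53, e = 17) and the plaintext blocks are constructed for illustration and are far too small for real use; `break_rsa_with_shared_factor` and the other helper names are this example's own.

```python
from math import gcd


def rsa_keygen(p: int, q: int, e: int) -> tuple:
    """Textbook RSA: returns (n, e, d) for primes p, q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # e^{-1} mod phi(n)  (Python 3.8+)
    return n, e, d


def break_rsa_with_shared_factor(n: int, e: int, ciphertexts: list):
    """The attack of the solution: if some plaintext block m shares a factor with n,
    its ciphertext c = m^e mod n shares it too, so gcd(c, n) reveals p.  From p
    we get q, phi(n) and the private exponent d.  Returns (p, q, d) or None."""
    for c in ciphertexts:
        g = gcd(c, n)
        if 1 < g < n:                # a non-trivial factor of n
            p, q = g, n // g
            d = pow(e, -1, (p - 1) * (q - 1))
            return p, q, d
    return None


def rsa_decrypt_all(n: int, d: int, ciphertexts: list) -> list:
    """Once d is known every block of the captured set can be decrypted."""
    return [pow(c, d, n) for c in ciphertexts]


# Constructed demo: n = 3233, e = 17, d = 2753; block 122 = 2 * 61 shares the factor 61 with n.
N, E, D = rsa_keygen(61, 53, 17)
BLOCKS = [65, 122, 1000, 3000]
CIPHER = [pow(m, E, N) for m in BLOCKS]

if __name__ == "__main__":
    found = break_rsa_with_shared_factor(N, E, CIPHER)
    print("recovered (p, q, d) =", found)
    print("decrypted blocks   =", rsa_decrypt_all(N, found[2], CIPHER))
```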
![Page 321: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/321.jpg)
Problem 7
7. Users A and B use the Diffie-Hellman key exchange method with a common prime q=7 and primitive root a=3. If user A has private key 2 and user B has private key 4, what is the shared secret key? Show the steps of your calculation.
![Page 322: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/322.jpg)
Solution
• A calculates $Y_A = \alpha^{X_A} \bmod q = 3^2 \bmod 7 = 9 \bmod 7 = 2$
• B calculates $Y_B = \alpha^{X_B} \bmod q = 3^4 \bmod 7 = 81 \bmod 7 = 4$
• A calculates $K = (Y_B)^{X_A} \bmod q = 4^2 \bmod 7 = 16 \bmod 7 = 2$
• B calculates $K = (Y_A)^{X_B} \bmod q = 2^4 \bmod 7 = 16 \bmod 7 = 2$
• The shared key is 2.
![Page 323: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/323.jpg)
Key management
• Distribution of public key
• Use of public key encryption to distribute secret key
![Page 324: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/324.jpg)
Public announcement of public key
• Uncontrolled public-key distribution: A simply broadcasts $KU_a$ to everyone; nothing stops anyone else from announcing a key in A's name
![Page 325: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/325.jpg)
Publicly Available Directory
• Public-key publication: A registers $KU_a$ and B registers $KU_b$ with a public-key directory (KU: public key, KR: private key)
![Page 326: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/326.jpg)
Publicly Available Directory
• Public-key publication through a public-key authority, which signs its replies with its private key $KR_{auth}$:
1. A → Authority: Request $\|$ Time1
2. Authority → A: $E_{KR_{auth}}[KU_b \,\|\, \text{Request} \,\|\, \text{Time1}]$
3. A → B: $E_{KU_b}[ID_A \,\|\, N_1]$
4. B → Authority: Request $\|$ Time2
5. Authority → B: $E_{KR_{auth}}[KU_a \,\|\, \text{Request} \,\|\, \text{Time2}]$
6. B → A: $E_{KU_a}[N_1 \,\|\, N_2]$
7. A → B: $E_{KU_b}[N_2]$
![Page 327: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/327.jpg)
Public-Key Certificate
• Exchange of public-key certificates issued by a certificate authority:
• A presents $KU_a$ and obtains $C_A = E_{KR_{auth}}[\text{Time1}, ID_A, KU_a]$
• B presents $KU_b$ and obtains $C_B = E_{KR_{auth}}[\text{Time2}, ID_B, KU_b]$
• A and B exchange $C_A$ and $C_B$ and verify them with the authority's public key
![Page 328: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/328.jpg)
Public-Key Certificate
Simple public-key encryption to establish a session key
1. A → B: $KU_a \,\|\, ID_A$
2. B → A: $E_{KU_a}[K_s]$
![Page 329: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/329.jpg)
It is not secure against an active attack
• A generates $\{KU_a, KR_a\}$ and sends $\{KU_a, ID_A\}$ to B
• E intercepts $\{KU_a, ID_A\}$, creates $\{KU_e, KR_e\}$ and sends $\{KU_e, ID_A\}$ to B
• B generates a secret key $K_s$ and sends $E_{KU_e}[K_s]$
• E intercepts $E_{KU_e}[K_s]$ and learns $K_s$
• E sends $E_{KU_a}[K_s]$ to A, so A and B believe they share $K_s$ privately while E holds it too
![Page 330: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/330.jpg)
Secret Key distribution with authentication
• Public-key distribution of secret keys
1. A → B: $E_{KU_b}[N_1 \,\|\, ID_A]$
2. B → A: $E_{KU_a}[N_1 \,\|\, N_2]$
3. A → B: $E_{KU_b}[N_2]$
4. A → B: $E_{KU_b}[E_{KR_a}[K_s]]$
![Page 331: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/331.jpg)
Secret Key distribution with authentication
• Assume A and B know each other's public keys
• Public-key distribution of secret keys (variant that carries the second nonce inside the signed key message)
1. A → B: $E_{KU_b}[N_1 \,\|\, ID_A]$
2. B → A: $E_{KU_a}[N_1 \,\|\, N_2]$
3. A → B: $E_{KU_b}[E_{KR_a}[N_2 \,\|\, K_s]]$
![Page 332: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/332.jpg)
Secret Key distribution with authentication
• Assume A and B know each other's public keys
• Public-key distribution of secret keys
1. A → B: $E_{KU_b}[N_1 \,\|\, ID_A]$
2. B → A: $E_{KU_a}[N_1 \,\|\, N_2]$
3. A → B: $E_{KU_b}[N_2]$
4. A → B: $E_{KU_b}[E_{KR_a}[K_s]]$
![Page 333: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/333.jpg)
Diffie-Hellman Key Exchange
• Enables two users to establish a shared secret key securely over a public channel
• Published in 1976
• Commercial products available
![Page 334: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/334.jpg)
Global Public Elements
• Prime number $q$
• Primitive root $\alpha$ of $q$ ($\alpha, \alpha^2, \alpha^3, \dots, \alpha^{q-1} \pmod q$ is a permutation of $1, 2, 3, \dots, q-1$)
![Page 335: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/335.jpg)
User A Key Generation
• Select private $X_A < q$
• Compute public $Y_A = \alpha^{X_A} \bmod q$
![Page 336: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/336.jpg)
User B Key Generation
• Select private $X_B < q$
• Compute public $Y_B = \alpha^{X_B} \bmod q$
![Page 337: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/337.jpg)
Generation of Secret Key by A
User A computes $K = (Y_B)^{X_A} \bmod q$
![Page 338: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/338.jpg)
User A Key Generation
• A: $K = (Y_B)^{X_A} \bmod q = (\alpha^{X_B} \bmod q)^{X_A} \bmod q = (\alpha^{X_B})^{X_A} \bmod q = \alpha^{X_B X_A} \bmod q$
![Page 339: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/339.jpg)
Generation of Secret Key by B
User B computes $K = (Y_A)^{X_B} \bmod q$
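Added example (not from the slides) that runs Problem 7's numbers through the general Diffie-Hellman procedure above and, going beyond the slides, applies the key-substitution attack shown earlier for the simple public-key exchange to Diffie-Hellman: an active attacker E who replaces each party's public value with her own ends up sharing one key with A and another with B. The function names and the attacker's private key $X_E = 5$ are assumptions of this example.

```python
def is_primitive_root(alpha: int, q: int) -> bool:
    """alpha is a primitive root of the prime q if alpha, alpha^2, ..., alpha^(q-1) mod q
    is a permutation of 1..q-1 (the slides' definition, checked directly)."""
    return sorted(pow(alpha, k, q) for k in range(1, q)) == list(range(1, q))


def dh_public(alpha: int, q: int, x_private: int) -> int:
    return pow(alpha, x_private, q)          # Y = alpha^X mod q


def dh_shared(y_other: int, x_private: int, q: int) -> int:
    return pow(y_other, x_private, q)        # K = (Y_other)^X mod q


def dh_exchange(alpha: int, q: int, x_a: int, x_b: int) -> tuple:
    """Honest run: returns (Y_A, Y_B, K) after checking that both sides agree on K."""
    y_a, y_b = dh_public(alpha, q, x_a), dh_public(alpha, q, x_b)
    k_a, k_b = dh_shared(y_b, x_a, q), dh_shared(y_a, x_b, q)
    assert k_a == k_b, "alpha^(X_A X_B) must come out the same on both sides"
    return y_a, y_b, k_a


def dh_mitm(alpha: int, q: int, x_a: int, x_b: int, x_e: int) -> dict:
    """Active attacker E substitutes Y_E for both Y_A and Y_B on the wire.
    A and B each compute a 'shared' key, but each one is really shared with E."""
    y_a, y_b = dh_public(alpha, q, x_a), dh_public(alpha, q, x_b)
    y_e = dh_public(alpha, q, x_e)
    return {
        "A": dh_shared(y_e, x_a, q),         # A believes this is K_AB
        "B": dh_shared(y_e, x_b, q),         # B believes this is K_AB
        "E_with_A": dh_shared(y_a, x_e, q),  # E's key towards A
        "E_with_B": dh_shared(y_b, x_e, q),  # E's key towards B
    }


if __name__ == "__main__":
    # Problem 7: q = 7, alpha = 3, X_A = 2, X_B = 4
    print("3 is a primitive root of 7:", is_primitive_root(3, 7))
    print("(Y_A, Y_B, K) =", dh_exchange(3, 7, 2, 4))
    print("keys after the substitution attack:", dh_mitm(3, 7, 2, 4, 5))
```

Nothing in the exchange authenticates $Y_A$ or $Y_B$, which is exactly the gap the certificate and authority schemes earlier in this section close.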
![Page 341: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/341.jpg)
Authentication
• Masquerade: insertion of messages into the network from a fraudulent source
• Content modification: change of the content of a message
• Sequence modification: modification of a sequence of messages (insertion, deletion, reordering)
• Timing modification: delay or replay of a message
• Source repudiation: denial of transmission by the source
• Destination repudiation: denial of receipt by the destination
![Page 342: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/342.jpg)
Two levels of authentication
• Produce an authenticator
• Verify the authenticity of a message
![Page 343: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/343.jpg)
Authentication Methods
• Message encryption
• Message authentication code (MAC)
• Hash function
![Page 344: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/344.jpg)
Symmetric Encryption
• Encrypt the message M with key K shared by A and B
• Source: $M \to E_K(M)$; Destination: $D_K(E_K(M)) = M$ (the figure shows the shared key K at both ends)
![Page 345: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/345.jpg)
Message Encryption
Append a checksum F(M) to the message M and encrypt them together
• Source: compute $F(M)$ and send $E_K(M \,\|\, F(M))$
• Destination: decrypt with K to recover M and F(M), recompute F(M) from M and compare
![Page 346: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/346.jpg)
Public Key encryption
• Public key encryption: confidentiality
• Source encrypts with B's public key: $E_{KU_b}(M)$; Destination decrypts with B's private key $KR_b$
![Page 347: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/347.jpg)
Public Key
• Encryption: $Y = E_{publicKey}(X)$
• Decryption: $X = D_{privateKey}(Y)$
![Page 348: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/348.jpg)
Public Key encryption
• Public key encryption: authentication and signature
• Source encrypts with A's private key: $E_{KR_a}(M)$; Destination recovers M with A's public key $KU_a$
![Page 349: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/349.jpg)
Public Key encryption
• Public key encryption: confidentiality, authentication and signature
• Source: $E_{KU_b}[E_{KR_a}(M)]$ (sign with $KR_a$, then encrypt with $KU_b$)
• Destination: decrypt with $KR_b$ to get $E_{KR_a}(M)$, then apply $KU_a$ to get M
![Page 350: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/350.jpg)
Message Authentication Code
• Use a secret key to generate a small fixed-size block of data, the MAC, that is appended to the message
• M = input message
• C = MAC function
• K = shared secret key
• MAC = message authentication code
• $MAC = C_K(M)$
![Page 351: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/351.jpg)
Message Authentication
Append MAC to message
• Source sends $M \,\|\, C_K(M)$
• Destination recomputes $C_K(M)$ from the received M and compares it with the received MAC
![Page 352: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/352.jpg)
Message Authentication
Authentication and confidentiality
• Source sends $E_{K_2}(M \,\|\, C_{K_1}(M))$
• Destination decrypts with $K_2$, recomputes $C_{K_1}(M)$ and compares
![Page 353: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/353.jpg)
Hash Function
• A hash function accepts a variable-size message M as input and produces a fixed-size output, H(M)
• There is no key: the hash value depends on the message alone
![Page 354: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/354.jpg)
Hash
Message plus concatenated hash code is encrypted using symmetric encryption
• Source sends $E_K(M \,\|\, H(M))$
• Destination decrypts with K, recomputes H(M) and compares
![Page 356: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/356.jpg)
Requirements for Hash function
• H(x) is easy to compute
• Given h, it is computationally hard to find x such that H(x) = h: one-way property
• Given x, it is computationally hard to find $y \ne x$ such that H(y) = H(x): weak collision resistance
• It is computationally hard to find any pair $x \ne y$ such that H(x) = H(y): strong collision resistance
![Page 358: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/358.jpg)
Protocol
• Alice picks a random integer x and computes f(x)
• She reads f(x) to Bob on the phone
• Bob tells Alice his guess of whether x is even or odd
• Alice reads x to Bob
• Bob verifies f(x) and sees whether his guess was correct
![Page 359: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/359.jpg)
Magic function f(x)
• For every integer x, f(x) is easy to compute.
• Given f(x), it is very hard to learn anything about x (so Bob cannot cheat).
• It is infeasible to find different x and y with f(x) = f(y) (so Alice cannot change x after hearing the guess).
![Page 360: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/360.jpg)
Birthday attack
• Among k people, what is the probability that two of them have the same birthday?
![Page 361: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/361.jpg)
Counting
• k people with birthdays $p_1, p_2, \dots, p_k$
• The number of cases in which all of them have different birthdays: $365 \cdot 364 \cdots (365-k+1) = \dfrac{365!}{(365-k)!}$
• The number of all possible k-tuples of birthdays: $365^k$
![Page 362: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/362.jpg)
Probability
• k people with birthdays $p_1, p_2, \dots, p_k$
• The probability that the k people all have different birthdays: $Q(365,k) = \dfrac{365!}{(365-k)!\,365^k}$
![Page 363: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/363.jpg)
Birthday Paradox
• k people with birthdays $p_1, p_2, \dots, p_k$
• The probability that at least 2 people have the same birthday: $P(365,k) = 1 - Q(365,k) = 1 - \dfrac{365!}{(365-k)!\,365^k}$
• $P(365,23) \approx 0.507$, $P(365,30) \approx 0.71$, $P(365,100) > 0.999$
![Page 364: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/364.jpg)
Counting
• Select k random numbers $p_1, p_2, \dots, p_k$ between 1 and n
• The number of cases in which all of them are different: $n(n-1)\cdots(n-k+1)$
• The number of all possible k-tuples: $n^k$
![Page 365: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/365.jpg)
Probability
• k numbers $p_1, p_2, \dots, p_k$ between 1 and n
• The probability that the k numbers are all different: $Q(n,k) = \dfrac{n(n-1)\cdots(n-k+1)}{n^k}$
![Page 366: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/366.jpg)
Birthday Paradox
• k numbers $p_1, p_2, \dots, p_k$ between 1 and n
• The probability that at least 2 of them are the same:
$$P(n,k) = 1 - Q(n,k) = 1 - \frac{n(n-1)\cdots(n-k+1)}{n^k} = 1 - \frac{n}{n}\cdot\frac{n-1}{n}\cdots\frac{n-k+1}{n} = 1 - \left(1-\frac{1}{n}\right)\left(1-\frac{2}{n}\right)\cdots\left(1-\frac{k-1}{n}\right)$$
![Page 367: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/367.jpg)
Birthday Paradox
• For $x \ge 0$, consider the function $f(x) = e^{-x}$: $f'(x) = -e^{-x}$, $f'(0) = -1$, $f''(x) = e^{-x} > 0$
• Taylor: $f(x) = f(0) + f'(0)\,x + f''(\xi)\,x^2/2 \ge 1 - x$ for some $0 \le \xi \le x$, hence $1 - x \le e^{-x}$
![Page 368: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/368.jpg)
Birthday Paradox
$$P(n,k) = 1 - Q(n,k) = 1 - \left(1-\frac{1}{n}\right)\left(1-\frac{2}{n}\right)\cdots\left(1-\frac{k-1}{n}\right) \ge 1 - e^{-1/n}\,e^{-2/n}\cdots e^{-(k-1)/n} = 1 - e^{-(1+2+\cdots+(k-1))/n} = 1 - e^{-k(k-1)/(2n)}$$
![Page 369: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/369.jpg)
Birthday Paradox
• Let $P(n,k) \approx 1 - e^{-k(k-1)/(2n)} = \tfrac{1}{2}$
• Then $e^{-k(k-1)/(2n)} = \tfrac{1}{2}$, so $\dfrac{k(k-1)}{2n} = \ln 2$ and $k(k-1) = 2n\ln 2$
• Hence $k \approx \sqrt{2\ln 2 \cdot n} \approx 1.18\sqrt{n}$
![Page 370: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/370.jpg)
Attack Hash
• Hash function H has $2^m$ possible values
• Select k random values and apply H to them
• If $k \ge 2^{m/2}$, there is a collision H(x) = H(y) for different x and y with big chance
![Page 371: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/371.jpg)
Overlap between two sets
Given two sets $\{x_1, x_2, \dots, x_k\}$ and $\{y_1, y_2, \dots, y_k\}$
Each element has a random value between 1 and n
What is the probability R(n,k) that the two sets are not disjoint?
![Page 372: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/372.jpg)
Overlap between two sets
Given two sets $X = \{x_1, x_2, \dots, x_k\}$ and $Y = \{y_1, y_2, \dots, y_k\}$
Each element has a random value between 1 and n
• The probability that $y_1$ does not match $x_1$ is $1 - \frac{1}{n}$
• The probability that no element of Y matches $x_1$ is $\left(1 - \frac{1}{n}\right)^k$
• The probability that no element of Y matches any element of X is $\left(\left(1 - \frac{1}{n}\right)^k\right)^k = \left(1 - \frac{1}{n}\right)^{k^2}$
![Page 373: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/373.jpg)
Overlap between two sets
Given two sets $X = \{x_1, x_2, \dots, x_k\}$ and $Y = \{y_1, y_2, \dots, y_k\}$
Each element has a random value between 1 and n
$R(n,k) = 1 - \left(1 - \frac{1}{n}\right)^{k^2}$ is the probability that at least one element of Y matches an element of X
![Page 374: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/374.jpg)
Overlap between two sets
Since $1 - x \le e^{-x}$ for $x > 0$,
$$R(n,k) = 1 - \left(1 - \frac{1}{n}\right)^{k^2} \ge 1 - \left(e^{-1/n}\right)^{k^2} = 1 - e^{-k^2/n}$$
![Page 375: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/375.jpg)
Overlap between two sets
Let $R(n,k) \approx 1 - e^{-k^2/n} = \tfrac{1}{2}$
Then $e^{-k^2/n} = \tfrac{1}{2}$, so $\dfrac{k^2}{n} = \ln 2$ and $k = \sqrt{n\ln 2} \approx 0.83\sqrt{n}$
![Page 376: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/376.jpg)
Birthday Attack
Assume the hash code is m bits and the signature is the encrypted hash $E_K(\text{Hash}(X))$
• Opponent generates $2^{m/2}$ variations of a type 1 (legitimate) message
• Opponent generates $2^{m/2}$ variations of a type 2 (fraudulent) message
• Find a type 1 message X and a type 2 message Y such that Hash(X) = Hash(Y)
• Get the signature from the boss for the type 1 message X; the signature is $E_K(\text{Hash}(X))$
• Send out $Y \,\|\, E_K(\text{Hash}(X))$; since Hash(Y) = Hash(X), the signature verifies on Y
![Page 377: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/377.jpg)
Variations of the same message
• Each phrase has two equivalent forms; choosing one form at each position yields $2^{m/2}$ variations of the same letter:
• This letter is / I am writing to introduce to you / to you Alfred, the new / newly appointed senior / chief jewellery buyer for ……..
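Added example (not from the slides) of the birthday attack just described, run against a toy 16-bit hash (SHA-256 truncated to 16 bits, so $2^{m/2}$ is only 256). The two letters, the boss's signing key and the helper names are constructed for this example; the letter variations use Yuval's trick of one or two spaces between words, which gives 2048 variants of each 12-word letter, far more than the 256 the bound asks for, so a collision is found essentially every time. The boss's "encrypted hash" $E_K(\text{Hash}(X))$ is modelled as an HMAC over the truncated hash.

```python
import hashlib
import hmac
import math
from itertools import product

M_BITS = 16                        # toy hash width m, so 2^(m/2) = 256
SECRET = b"boss-signing-key"       # constructed: the boss's key K for E_K(Hash(X))


def h_trunc(msg: bytes) -> int:
    """Toy m-bit hash: SHA-256 truncated to M_BITS bits (stands in for a short hash)."""
    return int.from_bytes(hashlib.sha256(msg).digest()[:M_BITS // 8], "big")


def sign(msg: bytes) -> bytes:
    """The boss's signature E_K(Hash(X)), modelled as HMAC over the toy hash value."""
    return hmac.new(SECRET, h_trunc(msg).to_bytes(M_BITS // 8, "big"), "sha256").digest()


def verify(msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(msg), sig)


def variations(sentence: str):
    """Yuval's trick: one or two spaces between consecutive words gives
    2^(words-1) variants that read the same but hash differently."""
    words = sentence.split()
    for gaps in product((" ", "  "), repeat=len(words) - 1):
        yield "".join(w + g for w, g in zip(words, gaps)) + words[-1]


def find_collision(benign: str, fraudulent: str):
    """Hash every type-1 variant into a table, then probe it with type-2 variants."""
    table = {h_trunc(x.encode()): x for x in variations(benign)}
    for y in variations(fraudulent):
        x = table.get(h_trunc(y.encode()))
        if x is not None:
            return x, y
    return None


def overlap_prob_bound(n: int, k: int) -> float:
    """The slides' lower bound 1 - e^{-k^2/n} that two k-element sets overlap."""
    return 1 - math.exp(-k * k / n)


BENIGN = "I hereby authorize payment of the attached invoice in the amount stated"
FRAUD = "I hereby authorize transfer of my entire account balance to the bearer"


def forge():
    """Get a harmless variant X signed, then present the fraudulent Y with X's signature."""
    x, y = find_collision(BENIGN, FRAUD)
    sig = sign(x.encode())            # the boss signs the letter he was shown
    return x, y, sig, verify(y.encode(), sig)


if __name__ == "__main__":
    k = 2 ** (len(BENIGN.split()) - 1)
    print(f"{k} variants per letter; P(collision) >= {overlap_prob_bound(2 ** M_BITS, k):.6f}")
    x, y, sig, ok = forge()
    print("signed:", repr(x))
    print("forged:", repr(y))
    print("forged letter verifies under the boss's signature:", ok)
```

With a real 128-bit hash the same table would need $2^{64}$ entries, which is why the attack forces hash widths of 256 bits and more for signatures.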
![Page 378: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/378.jpg)
A simple hash function
• Message M is partitioned into m blocks of n bits: $M = B_1 \,\|\, B_2 \,\|\, \cdots \,\|\, B_m$
$$B_1 = b_{1,1}\, b_{1,2} \cdots b_{1,n}, \quad B_2 = b_{2,1}\, b_{2,2} \cdots b_{2,n}, \quad \dots, \quad B_m = b_{m,1}\, b_{m,2} \cdots b_{m,n}$$
![Page 379: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/379.jpg)
A simple hash function
• The hash value $c_1 c_2 \cdots c_n$ is defined as the bitwise XOR of the blocks:
$$c_1 = b_{1,1} \oplus b_{2,1} \oplus \cdots \oplus b_{m,1}, \quad c_2 = b_{1,2} \oplus b_{2,2} \oplus \cdots \oplus b_{m,2}, \quad \dots, \quad c_n = b_{1,n} \oplus b_{2,n} \oplus \cdots \oplus b_{m,n}$$
![Page 380: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/380.jpg)
A simple hash function
• Message M is partitioned into m blocks of n bits
mnmmm
n
n
m
bbbB
bbbB
bbbB
BBBM
,,2,1
2,2,22,12
1,1,21,11
21
...
......
...
...
||...||||
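Added example (not from the slides) implementing the XOR hash defined above and showing why it gives no integrity: because XOR is commutative and associative, reordering the blocks or appending any block twice leaves $c_1 c_2 \cdots c_n$ unchanged. The sample message and the helper names are constructed for this example.

```python
def xor_hash(message: bytes, n_bytes: int = 4) -> bytes:
    """The slides' simple hash: split M into blocks B_1..B_m of n bits and XOR them
    bit by bit, so c_j = b_{1,j} xor b_{2,j} xor ... xor b_{m,j}."""
    padded = message + b"\x00" * (-len(message) % n_bytes)   # zero-pad the last block
    code = bytearray(n_bytes)
    for i in range(0, len(padded), n_bytes):
        block = padded[i:i + n_bytes]
        for j in range(n_bytes):
            code[j] ^= block[j]
    return bytes(code)


def reorder_blocks(message: bytes, n_bytes: int = 4) -> bytes:
    """Swap the first two blocks: a different message with the same XOR hash,
    because XOR is commutative."""
    blocks = [message[i:i + n_bytes] for i in range(0, len(message), n_bytes)]
    blocks[0], blocks[1] = blocks[1], blocks[0]
    return b"".join(blocks)


def append_cancelling_blocks(message: bytes, n_bytes: int = 4) -> bytes:
    """Append an attacker-chosen block twice: X xor X = 0, so the hash is unchanged
    although the message now carries extra content."""
    padded = message + b"\x00" * (-len(message) % n_bytes)
    x = b"EVIL"[:n_bytes].ljust(n_bytes, b"\x00")
    return padded + x + x


if __name__ == "__main__":
    m = b"pay 100 to alice"              # constructed 16-byte message: four 32-bit blocks
    print(xor_hash(m).hex(), m)
    print(xor_hash(reorder_blocks(m)).hex(), reorder_blocks(m))
    print(xor_hash(append_cancelling_blocks(m)).hex(), append_cancelling_blocks(m))
```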
![Page 381: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/381.jpg)
Rabin's Hash
• A message M is partitioned into blocks $M_1, M_2, \dots, M_N$
• $H_0$ = initial value
• $H_i = E_{M_i}(H_{i-1})$: each message block is used as the key to encrypt the previous chaining value
• $G = H_N$
• Encrypted with DES, so the output is 64 bits; it is weak against the birthday attack
![Page 382: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/382.jpg)
Birthday Attack
Assume the hash code is m bits and the signature is the encrypted hash $E_K(G)$
• Calculate the hash code G of the signed N-block message
• Construct the desired message blocks $Q_1, Q_2, \dots, Q_{N-2}$
• Compute $H_i = E_{Q_i}[H_{i-1}]$ for $i = 1, 2, \dots, N-2$
• Opponent generates $2^{m/2}$ blocks X and computes $E_X[H_{N-2}]$ for each
• Opponent generates $2^{m/2}$ blocks Y and computes $D_Y[G]$ for each
• Find an X block and a Y block with $E_X[H_{N-2}] = D_Y[G]$
• Form the message $Q_1, Q_2, \dots, Q_{N-2}, X, Y$: it has hash code G, so it can be sent with the intercepted encrypted signature $E_K(G)$
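Added example (not from the slides) of the meet-in-the-middle attack described above against Rabin's scheme. DES is replaced by a toy 16-bit Feistel cipher built from SHA-256 so that the attack finishes instantly (m = 16, so $2^{m/2} = 256$; the example tries 2048 blocks per side to make the match certain); the cipher, the message blocks and the helper names are constructions of this example, not the course's code.

```python
import hashlib
import struct

M_BITS = 16                          # toy block size m; 2^(m/2) = 256 blocks per side expected
IV = 0                               # H_0


def _f(key: int, rnd: int, half: int) -> int:
    """Round function of the toy cipher: an 8-bit keyed PRF from SHA-256 (illustration only)."""
    return hashlib.sha256(struct.pack(">HHB", key, rnd, half)).digest()[0]


def enc(key: int, x: int) -> int:
    """E_key(x): 4-round Feistel permutation of a 16-bit block; the message block is the key."""
    l, r = x >> 8, x & 0xFF
    for i in range(4):
        l, r = r, l ^ _f(key, i, r)
    return (l << 8) | r


def dec(key: int, y: int) -> int:
    """D_key(y), the inverse of enc (run the rounds backwards)."""
    l, r = y >> 8, y & 0xFF
    for i in reversed(range(4)):
        l, r = r ^ _f(key, i, l), l
    return (l << 8) | r


def rabin_hash(blocks: list) -> int:
    """Rabin's scheme: H_i = E_{M_i}(H_{i-1}), G = H_N."""
    h = IV
    for m in blocks:
        h = enc(m, h)
    return h


def meet_in_the_middle(target: list, desired_prefix: list, trials: int = 2048):
    """The attack of the slide: keep G = rabin_hash(target), choose Q_1..Q_{N-2} freely,
    then find X, Y with E_X[H_{N-2}] = D_Y[G] so that Q_1..Q_{N-2}, X, Y hashes to G."""
    n = len(target)
    assert len(desired_prefix) == n - 2, "the prefix must leave the last two blocks free"
    g = rabin_hash(target)
    h_prefix = rabin_hash(desired_prefix)                      # H_{N-2}
    forward = {enc(x, h_prefix): x for x in range(trials)}     # E_X[H_{N-2}] for 2^(m/2)-ish X
    for y in range(trials):                                    # D_Y[G] for the Y candidates
        x = forward.get(dec(y, g))
        if x is not None:
            return desired_prefix + [x, y]
    return None


if __name__ == "__main__":
    original = [0x1234, 0x5678, 0x9ABC, 0xDEF0]                # constructed 4-block message
    forged = meet_in_the_middle(original, [0xCAFE, 0xBEEF])
    print("G =", hex(rabin_hash(original)), "forged =", [hex(b) for b in forged],
          "same hash:", rabin_hash(forged) == rabin_hash(original))
```

The work is $2 \cdot 2^{m/2}$ cipher calls plus a table of $2^{m/2}$ entries; with DES (m = 64) that is about $2^{33}$, which is why the slide calls the 64-bit scheme weak.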
![Page 383: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/383.jpg)
Davies and Price variation
• A message M is partitioned into $M_1, M_2, \dots, M_N$
• $H_0$ = initial value
• $H_i = E_{M_i}(H_{i-1}) \oplus H_{i-1}$
• $G = H_N$
![Page 384: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/384.jpg)
Requirements for Hash function
• H(x) is easy to compute
• Given h, it is computationally hard to find x such that H(x) = h: one-way property
• Given x, it is computationally hard to find $y \ne x$ such that H(y) = H(x): weak collision resistance
• It is computationally hard to find any pair $x \ne y$ such that H(x) = H(y): strong collision resistance
![Page 385: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/385.jpg)
Hash Design
• IV = initial value, b = length of an input block
• CV = chaining variable, f = compression algorithm
• L = number of input blocks, $Y_i$ = input block
• n = length of the hash code
• $CV_0 = IV$, $CV_{i+1} = f(CV_i, Y_i)$ for $0 \le i < L$, hash code $= CV_L$ (each $Y_i$ has b bits, each $CV_i$ has n bits)
![Page 386: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/386.jpg)
Principle
• The hash function is collision resistant if the compression function is collision resistant
![Page 387: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/387.jpg)
MD5
• 128-bit hash
• The message of K bits is padded (a 1 bit followed by 0 bits, 1 to 512 bits in all) and extended with the 64-bit value $K \bmod 2^{64}$, giving 512-bit blocks $Y_0, Y_1, \dots, Y_q, \dots, Y_{L-1}$
• $CV_0 = IV$ (128 bits), $CV_{q+1} = H_{MD5}(CV_q, Y_q)$ (128 bits); the hash code is $CV_L$
![Page 388: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/388.jpg)
Step 1: Padding
• Append 1 to 512 bits (a single 1 bit followed by 0 bits) so that the total message length is ≡ 448 (mod 512)
• At least one bit is appended, even when the length is already ≡ 448 (mod 512)
![Page 389: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/389.jpg)
Step 2: Append Length
64 bits are used for storing the length of the original message in bits.
If the message is longer than $2^{64}$ bits, only the low-order 64 bits of the length are used, i.e. the length modulo $2^{64}$.
Expanded message: $Y_0, Y_1, \dots, Y_{L-1}$ (L blocks of 512 bits)
![Page 390: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/390.jpg)
Step 3: Initialize buffer
128-bit buffer to hold four 32-bit words (A, B, C, D), initialized to
A = 67452301, B = EFCDAB89, C = 98BADCFE, D = 10325476 (hexadecimal)
![Page 391: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/391.jpg)
Step 4: Process message in 512-bit blocks
MD5 has four similar rounds
Each round uses one of the four functions F, G, H and I
Each round has 16 similar steps
All 512 bits of the block are used in each round
![Page 392: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/392.jpg)
MD5 Processing
• Input: the 512-bit block $Y_q$ and the 128-bit chaining value $CV_q$ (A, B, C, D)
• Round 1: function F, constants T[1…16], message words X[i]
• Round 2: function G, constants T[17…32], message words X[ρ₂(i)]
• Round 3: function H, constants T[33…48], message words X[ρ₃(i)]
• Round 4: function I, constants T[49…64], message words X[ρ₄(i)]
• Output: the four words are added to the input A, B, C, D (mod $2^{32}$) to form $CV_{q+1}$
![Page 393: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/393.jpg)
Compression function
• One step: the words A, B, C, D enter; g is applied to B, C, D; X[k] and T[i] are added; the sum is rotated left by s bits ($CLS_s$) and added to B; the result becomes the new A, B, C, D
![Page 394: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/394.jpg)
MD5 compression function
• 16 steps per round operating on the buffer ABCD
• Each step is of the form $a \leftarrow b + ((a + g(b,c,d) + X[k] + T[i]) \lll s)$
• a, b, c, d = the four words of the buffer
• g = one of the functions F, G, H, I
• $\lll s$ = circular left shift by s bits
• X[k] = M[q·16 + k] = k-th 32-bit word in the q-th 512-bit block
• T[i] = the i-th 32-bit word in the table T
• + = addition modulo $2^{32}$
![Page 395: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/395.jpg)
Four functions
• The function g can be any of the four functions
• $F(b,c,d) = (b \wedge c) \vee (\bar{b} \wedge d)$
• $G(b,c,d) = (b \wedge d) \vee (c \wedge \bar{d})$
• $H(b,c,d) = b \oplus c \oplus d$
• $I(b,c,d) = c \oplus (b \vee \bar{d})$
![Page 396: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/396.jpg)
Functions T
• T has 64 entries T[1…64]; each entry is a 32-bit word
• T[i] is the integer part of $2^{32} \cdot |\sin(i)|$
• The i is in radians
• T[1] = D76AA478, T[2] = E8C7B756, T[3] = 242070DB, …
![Page 397: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/397.jpg)
Digital Signature
• Verify the author, date and time
• Authenticate the content
• Be verifiable by a third party
![Page 398: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/398.jpg)
Digital Signature
• X: sender
• Y: receiver
• A: arbiter (the figure shows X sending to the arbiter, which forwards to Y)
![Page 399: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/399.jpg)
Digital Signature
• $K_{xa}$: the key shared between X and A
• $K_{ay}$: the key shared between A and Y
• M: message
• H: hash function
• ID: identification number
• T: timestamp
1. X → A: $M \,\|\, E_{K_{xa}}[ID_X \,\|\, H(M)]$
2. A → Y: $E_{K_{ay}}[ID_X \,\|\, M \,\|\, E_{K_{xa}}[ID_X \,\|\, H(M)] \,\|\, T]$
![Page 400: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/400.jpg)
Digital Signature
• X: sender
• Y: receiver
• A: arbiter
• X → Arbiter: $M \,\|\, E_{K_{xa}}[ID_X \,\|\, H(M)]$
• Arbiter → Y: $E_{K_{ay}}[ID_X \,\|\, M \,\|\, E_{K_{xa}}[ID_X \,\|\, H(M)] \,\|\, T]$
![Page 401: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/401.jpg)
Digital Signature
• Y stores M and $E_{K_{ay}}[ID_X \,\|\, M \,\|\, E_{K_{xa}}[ID_X \,\|\, H(M)] \,\|\, T]$
• Y sends $E_{K_{ay}}[ID_X \,\|\, M \,\|\, E_{K_{xa}}[ID_X \,\|\, H(M)] \,\|\, T]$ to the arbiter A to settle disputes.
• Both sides trust the arbiter A.
![Page 402: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/402.jpg)
Problem
• The arbiter can see the message
![Page 403: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/403.jpg)
Arbiter does not see the message
• X encrypts M with $K_{xy}$, a key shared only by X and Y, so the arbiter only sees the ciphertext
1. X → A: $ID_X \,\|\, E_{K_{xy}}[M] \,\|\, E_{K_{xa}}[ID_X \,\|\, H(E_{K_{xy}}[M])]$
2. A → Y: $E_{K_{ay}}[ID_X \,\|\, E_{K_{xy}}[M] \,\|\, E_{K_{xa}}[ID_X \,\|\, H(E_{K_{xy}}[M])] \,\|\, T]$
![Page 404: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/404.jpg)
Problem
• The arbiter can form an alliance with the sender to deny a signed message.
![Page 405: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/405.jpg)
Public Key Approach
• KR: private key
• KU: public key
1. X → A: $ID_X \,\|\, E_{KR_x}[ID_X \,\|\, E_{KU_y}[E_{KR_x}[M]]]$
2. A → Y: $E_{KR_a}[ID_X \,\|\, E_{KU_y}[E_{KR_x}[M]] \,\|\, T]$
![Page 406: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/406.jpg)
Mutual Authentication
Two issues:
• Confidentiality
• Timeliness
![Page 407: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/407.jpg)
Some attacks
• Simply replay: copy a message and replay it later
• Repetition: Replay a timestamped message within the valid time window
![Page 408: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/408.jpg)
Two approaches
• Timestamp: make sure it is fresh message
• Challenge: A sends B a nonce and expects that B’s reply contains it. Make sure it is fresh message from B.
![Page 409: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/409.jpg)
One-way Authentication
• KDC: responsible for generating the short-term key
• A: sender, B: receiver
• $K_s$: session key
• $K_a$: shared between A and KDC
• $K_b$: shared between B and KDC
1. A → KDC: $ID_A \,\|\, ID_B \,\|\, N_1$
2. KDC → A: $E_{K_a}[K_s \,\|\, ID_B \,\|\, N_1 \,\|\, E_{K_b}[K_s \,\|\, ID_A]]$
3. A → B: $E_{K_b}[K_s \,\|\, ID_A] \,\|\, E_{K_s}[M]$
![Page 410: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/410.jpg)
Public key One-way Authentication
A: sender, B: receiver
It is confidential, but there is no signature
• A → B: $E_{KU_b}[K_s] \,\|\, E_{K_s}[M]$
![Page 411: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/411.jpg)
Public key One-way Authentication
A: sender, B: receiver
Hard to deny: only A can produce $E_{KR_a}[H(M)]$
• A → B: $M \,\|\, E_{KR_a}[H(M)]$
![Page 412: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/412.jpg)
Public key One-way Authentication
A: sender, B: receiver
Confidential and hard to deny
• A → B: $E_{KU_b}[M \,\|\, E_{KR_a}[H(M)]]$
![Page 413: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/413.jpg)
Mutual Authentication
• KDC: responsible for generating the short-term key
• A: sender
• B: receiver
1. A → KDC: $ID_A \,\|\, ID_B \,\|\, N_1$
2. KDC → A: $E_{K_a}[K_s \,\|\, ID_B \,\|\, N_1 \,\|\, E_{K_b}[K_s \,\|\, ID_A]]$
3. A → B: $E_{K_b}[K_s \,\|\, ID_A]$
4. B → A: $E_{K_s}[N_2]$
5. A → B: $E_{K_s}[f(N_2)]$
![Page 414: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/414.jpg)
Problem
• An attacker who has obtained an old session key $K_s$ can replay the corresponding message of step 3; B cannot tell that the ticket is old
• If the attacker then intercepts the message at step 4, he can decrypt it with the old $K_s$, answer step 5 and impersonate A to B
![Page 415: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/415.jpg)
Mutual Authentication
• T: timestamp
1. A → KDC: $ID_A \,\|\, ID_B$
2. KDC → A: $E_{K_a}[K_s \,\|\, ID_B \,\|\, T \,\|\, E_{K_b}[K_s \,\|\, ID_A \,\|\, T]]$
3. A → B: $E_{K_b}[K_s \,\|\, ID_A \,\|\, T]$
4. B → A: $E_{K_s}[N_1]$
5. A → B: $E_{K_s}[f(N_1)]$
![Page 416: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/416.jpg)
Time check
$|\text{Clock} - T| < \Delta t$, where Clock is the receiver's local time and $\Delta t$ the allowed difference (it must cover clock skew and network delay)
![Page 417: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/417.jpg)
Avoid replay attack
• The replay attack can be avoided by checking the timestamp.
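Added example (not from the slides) of the replay problem and of the timestamp fix. The encryption $E_K$ is a toy encrypt-then-MAC built from HMAC-SHA256, the long-term keys and the $\Delta t$ of 60 seconds are constructed for the example, and f(N) is modelled as appending "+1". `scenario(False)` runs the Needham-Schroeder dialogue of the earlier slide and shows B accepting a week-old replayed ticket whose session key the attacker has recovered; `scenario(True)` runs the timestamped version and shows the $|\text{Clock} - T|$ check rejecting it.

```python
import hashlib
import hmac
import json
import os
import time
from typing import Optional


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), "sha256").digest()
    return out[:n]


def seal(key: bytes, payload: dict) -> bytes:
    """Toy E_K[...]: HMAC-SHA256 keystream XOR plaintext, then an HMAC tag (encrypt-then-MAC).
    It stands in for the symmetric cipher of the slides and is not for production use."""
    nonce = os.urandom(16)
    pt = json.dumps(payload, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, token: bytes) -> dict:
    nonce, ct, tag = token[:16], token[16:-32], token[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("bad tag or wrong key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


K_A, K_B = os.urandom(32), os.urandom(32)   # constructed: long-term keys shared with the KDC
DELTA_T = 60                                 # constructed: allowed |Clock - T| in seconds


def kdc_issue(id_a: str, id_b: str, n1: str, timestamp: Optional[float]) -> bytes:
    """Step 2, KDC -> A: E_Ka[K_s || ID_B || N1 || E_Kb[K_s || ID_A (|| T)]].
    With a timestamp inside the ticket this is the Denning variant."""
    k_s = os.urandom(32).hex()
    ticket_body = {"k_s": k_s, "id": id_a}
    if timestamp is not None:
        ticket_body["T"] = timestamp
    ticket = seal(K_B, ticket_body)
    return seal(K_A, {"k_s": k_s, "id": id_b, "n1": n1, "ticket": ticket.hex()})


def b_accept_ticket(ticket: bytes, now: float, check_time: bool) -> Optional[str]:
    """Step 3 at B: open E_Kb[...]; with the time check, reject tickets outside the window."""
    body = unseal(K_B, ticket)
    if check_time and ("T" not in body or abs(now - body["T"]) >= DELTA_T):
        return None
    return body["k_s"]


def respond(holder_key_hex: str, challenge: bytes) -> bytes:
    """Step 5, by whoever holds K_s: open E_Ks[N2] and return E_Ks[f(N2)], f(N) = N + '+1'."""
    try:
        n2 = unseal(bytes.fromhex(holder_key_hex), challenge)["n2"]
    except ValueError:
        n2 = "unknown"
    return seal(bytes.fromhex(holder_key_hex), {"f": n2 + "+1"})


def handshake(ticket: bytes, holder_key_hex: str, now: float, check_time: bool) -> bool:
    """Steps 3 to 5 from B's side.  True if B ends up believing it is talking to A."""
    k_s = b_accept_ticket(ticket, now, check_time)
    if k_s is None:
        return False
    n2 = os.urandom(8).hex()
    challenge = seal(bytes.fromhex(k_s), {"n2": n2})        # step 4: B -> A: E_Ks[N2]
    reply = respond(holder_key_hex, challenge)              # step 5 comes back
    try:
        return unseal(bytes.fromhex(k_s), reply)["f"] == n2 + "+1"
    except ValueError:
        return False


def scenario(with_timestamp: bool) -> tuple:
    """(legitimate run accepted, replay of an old ticket with a recovered K_s accepted)."""
    t0 = time.time()
    msg2 = kdc_issue("A", "B", "n1-0", t0 if with_timestamp else None)
    a_view = unseal(K_A, msg2)                                # A opens step 2
    ticket, k_s = bytes.fromhex(a_view["ticket"]), a_view["k_s"]
    legit = handshake(ticket, k_s, now=t0 + 1, check_time=with_timestamp)
    # a week later the attacker has recovered this old K_s and replays the old step-3 ticket
    replay = handshake(ticket, k_s, now=t0 + 7 * 86400, check_time=with_timestamp)
    return legit, replay


if __name__ == "__main__":
    print("Needham-Schroeder (no timestamp): legit, replay =", scenario(False))
    print("Denning (timestamp checked):      legit, replay =", scenario(True))
```

The timestamp only helps if B's clock is trustworthy; a replay inside the window is still accepted, which is why the later slides add nonces that B itself chooses.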
![Page 418: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/418.jpg)
Mutual Authentication
1. A → B: $ID_A \,\|\, N_a$
2. B → KDC: $ID_B \,\|\, N_b \,\|\, E_{K_b}[ID_A \,\|\, N_a \,\|\, T_b]$
3. KDC → A: $E_{K_a}[ID_B \,\|\, N_a \,\|\, K_s \,\|\, T_b] \,\|\, E_{K_b}[ID_A \,\|\, K_s \,\|\, T_b] \,\|\, N_b$
4. A → B: $E_{K_b}[ID_A \,\|\, K_s \,\|\, T_b] \,\|\, E_{K_s}[N_b]$
![Page 419: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/419.jpg)
Mutual Authentication
• Step 3, KDC → A: $E_{K_a}[ID_B \,\|\, N_a \,\|\, K_s \,\|\, T_b] \,\|\, E_{K_b}[ID_A \,\|\, K_s \,\|\, T_b] \,\|\, N_b$
• $N_a$ shows A that B has received the message from A
• $K_s$ is the session key
• $T_b$ prevents the replay attack
![Page 420: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/420.jpg)
Mutual Authentication
• Step 4, A → B: $E_{K_b}[ID_A \,\|\, K_s \,\|\, T_b] \,\|\, E_{K_s}[N_b]$
• $N_b$ under $K_s$ prevents the replay attack: only a party that holds the fresh $K_s$ can return B's nonce
![Page 421: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/421.jpg)
Public Key Approach
AS: the authentication server
Clock synchronization is needed
1. A → AS: $ID_A \,\|\, ID_B$
2. AS → A: $E_{KR_{as}}[ID_A \,\|\, KU_a \,\|\, T] \,\|\, E_{KR_{as}}[ID_B \,\|\, KU_b \,\|\, T]$
3. A → B: $E_{KR_{as}}[ID_A \,\|\, KU_a \,\|\, T] \,\|\, E_{KR_{as}}[ID_B \,\|\, KU_b \,\|\, T] \,\|\, E_{KU_b}[E_{KR_a}[K_s \,\|\, T]]$
![Page 422: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/422.jpg)
Mutual Authentication
• KDC: responsible for generating the short-term key
• A: sender, B: receiver
1. A → KDC: $ID_A \,\|\, ID_B$
2. KDC → A: $E_{KR_{auth}}[ID_B \,\|\, KU_b]$
3. A → B: $E_{KU_b}[N_a \,\|\, ID_A]$
4. B → KDC: $ID_A \,\|\, ID_B \,\|\, E_{KU_{auth}}[N_a]$
5. KDC → B: $E_{KR_{auth}}[ID_A \,\|\, KU_a] \,\|\, E_{KU_b}[E_{KR_{auth}}[N_a \,\|\, K_s \,\|\, ID_B]]$
6. B → A: $E_{KU_a}[E_{KR_{auth}}[N_a \,\|\, K_s \,\|\, ID_B] \,\|\, N_b]$
7. A → B: $E_{K_s}[N_b]$
![Page 423: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/423.jpg)
Mutual Authentication
1. A → KDC: $ID_A \,\|\, ID_B$ (A tells the KDC its intention to establish a secure connection with B)
2. KDC → A: $E_{KR_{auth}}[ID_B \,\|\, KU_b]$ (A gets the public key of B from the KDC, signed with the KDC's private key)
![Page 424: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/424.jpg)
Mutual Authentication
3. A → B: $E_{KU_b}[N_a \,\|\, ID_A]$ (A tells B its intention for secure communication)
4. B → KDC: $ID_A \,\|\, ID_B \,\|\, E_{KU_{auth}}[N_a]$ (B passes $N_a$ to the KDC so that the KDC can stamp the session key with the nonce)
![Page 425: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/425.jpg)
Mutual Authentication
5. KDC → B: $E_{KR_{auth}}[ID_A \,\|\, KU_a] \,\|\, E_{KU_b}[E_{KR_{auth}}[N_a \,\|\, K_s \,\|\, ID_B]]$
• The session key $K_s$ is tied to $N_a$
• The first part tells B the public key of A
• B can verify that the message is from the KDC, since both parts are signed with $KR_{auth}$
![Page 426: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/426.jpg)
Mutual Authentication
6. B → A: $E_{KU_a}[E_{KR_{auth}}[N_a \,\|\, K_s \,\|\, ID_B] \,\|\, N_b]$ (encrypted with A's public key; $N_a$ shows A that the key is fresh)
7. A → B: $E_{K_s}[N_b]$ (tells B that A has the session key now)
![Page 427: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/427.jpg)
Mutual Authentication
The nonce $N_a$ is for A; in this version the signed session-key block returned to A in step 6 also carries $ID_A$
1. A → KDC: $ID_A \,\|\, ID_B$
2. KDC → A: $E_{KR_{auth}}[ID_B \,\|\, KU_b]$
3. A → B: $E_{KU_b}[N_a \,\|\, ID_A]$
4. B → KDC: $ID_A \,\|\, ID_B \,\|\, E_{KU_{auth}}[N_a]$
5. KDC → B: $E_{KR_{auth}}[ID_A \,\|\, KU_a] \,\|\, E_{KU_b}[E_{KR_{auth}}[N_a \,\|\, K_s \,\|\, ID_B]]$
6. B → A: $E_{KU_a}[E_{KR_{auth}}[N_a \,\|\, K_s \,\|\, ID_A \,\|\, ID_B] \,\|\, N_b]$
7. A → B: $E_{K_s}[N_b]$
![Page 428: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/428.jpg)
Chapter 14 – Authentication Applications
![Page 429: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/429.jpg)
Authentication Applications
• will consider authentication functions
• developed to support application-level authentication & digital signatures
• will consider Kerberos – a private-key authentication service
• then X.509 directory authentication service
![Page 430: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/430.jpg)
Kerberos
• trusted key server system from MIT
• provides centralised private-key third-party authentication in a distributed network
– allows users access to services distributed through the network
– without needing to trust all workstations
– rather all trust a central authentication server
• two versions in use: 4 & 5
![Page 431: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/431.jpg)
Kerberos Requirements
• first published report identified its requirements as:
– security
– reliability
– transparency
– scalability
• implemented using an authentication protocol
![Page 432: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/432.jpg)
Authentication with AS
• (1) C → AS: ID_c || P_c || ID_v
• (2) AS → C: Ticket
• (3) C → V: ID_c || Ticket
Ticket = E(K_v, [ID_c || AD_c || ID_v])
![Page 433: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/433.jpg)
Items
• C =client
• AS =authentication server
• V =server
• IDc =identifier of user on C
• IDv =identifier of V
• Pc =password of user on C
• ADc=network address of C
• Kv =secret encryption key shared by AS and V
![Page 434: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/434.jpg)
More Secure Authentication
Once per user logon session:
• (1) C → AS: ID_c || ID_tgs
• (2) AS → C: E(K_c, Ticket_tgs)
Once per type of service:
• (3) C → TGS: ID_c || ID_v || Ticket_tgs
• (4) TGS → C: Ticket_v
Once per service session:
• (5) C → V: ID_c || Ticket_v
Ticket_tgs = E(K_tgs, [ID_c || AD_c || ID_tgs || TS_1 || Lifetime_1])
Ticket_v = E(K_v, [ID_c || AD_c || ID_v || TS_2 || Lifetime_2])
K_c is derived from the user's password, so the password itself is never sent over the network; the timestamp and lifetime limit how long a captured ticket can be reused.
![Page 435: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/435.jpg)
Items
• TGS: Ticket granting server
• TS: Time stamp
• K_c: key derived from the user's password, shared by C and AS
• K_tgs: secret key shared by AS and TGS
![Page 436: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/436.jpg)
Kerberos 4 Overview
• A basic third-party authentication scheme
• have an Authentication Server (AS)
– users initially negotiate with AS to identify self
– AS provides a non-corruptible authentication credential (ticket granting ticket TGT)
• have a Ticket Granting Server (TGS)
– users subsequently request access to other services from TGS on basis of the user's TGT
![Page 437: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/437.jpg)
Kerberos 4 Overview
![Page 438: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/438.jpg)
Kerberos Realms
• a Kerberos environment consists of:
– a Kerberos server
– a number of clients, all registered with server
– application servers, sharing keys with server
• this is termed a realm
– typically a single administrative domain
• if have multiple realms, their Kerberos servers must share keys and trust
![Page 439: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/439.jpg)
Kerberos Version 5
• developed in mid 1990's
• provides improvements over v4
– addresses environmental shortcomings
• encryption alg, network protocol, byte order, ticket lifetime, authentication forwarding, interrealm auth
– and technical deficiencies
• double encryption, non-std mode of use, session keys, password attacks
• specified as Internet standard RFC 1510 (since obsoleted by RFC 4120, which current implementations follow)
![Page 440: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/440.jpg)
X.509 Authentication Service
• part of CCITT X.500 directory service standards
– distributed servers maintaining some info database
• defines framework for authentication services
– directory may store public-key certificates
– with public key of user
– signed by certification authority
• also defines authentication protocols
• uses public-key crypto & digital signatures
– algorithms not standardised, but RSA recommended
![Page 441: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/441.jpg)
ITU-T
• ITU telecommunication standardization sector (ITU-T) coordinates standards for telecommunications on behalf of the international telecommunication union (ITU)
![Page 442: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/442.jpg)
X.509 Certificates
• issued by a Certification Authority (CA), containing:
– version (1, 2, or 3)
– serial number (unique within CA) identifying certificate
– signature algorithm identifier
– issuer X.500 name (CA)
– period of validity (from - to dates)
– subject X.500 name (name of owner)
– subject public-key info (algorithm, parameters, key)
– issuer unique identifier (v2+)
– subject unique identifier (v2+)
– extension fields (v3)
– signature (of hash of all fields in certificate)
• notation CA<<A>> denotes certificate for A signed by CA
![Page 443: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/443.jpg)
X.509 Certificates
![Page 444: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/444.jpg)
Make Certification
Unsigned certificate,User ID, Public Key
Encryption with CA PR
Hashing of unsigned cert.
Unsigned certificate,User ID, Public Key
Encryption with
![Page 445: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/445.jpg)
Obtaining a Certificate
• any user with access to CA can get any certificate from it
• only the CA can modify a certificate
• because cannot be forged, certificates can be placed in a public directory
![Page 446: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/446.jpg)
CA Hierarchy
• if both users share a common CA then they are assumed to know its public key
• otherwise CAs must form a hierarchy
• use certificates linking members of hierarchy to validate other CAs
– each CA has certificates for clients (forward) and parent (backward)
• each client trusts its parent's certificates
• enable verification of any certificate from one CA by users of all other CAs in hierarchy
![Page 447: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/447.jpg)
CA<<A>> = CA{V, SN, AI, CA, TA, A, Ap}
• V: version
• SN: serial number, an integer unique within the issuing CA
• AI: signature algorithm identifier, the algorithm used to sign the certificate
• CA: issuer name, X.500 name of the CA that created and signed this certificate
• TA: period of validity, first and last valid dates
• A: subject name, name of the user to whom this certificate refers
• Ap: the subject's public key, the key that the certificate certifies
![Page 448: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/448.jpg)
CA Hierarchy Use
![Page 449: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/449.jpg)
Certificate Revocation
• certificates have a period of validity
• may need to revoke before expiry, eg:
1. user's private key is compromised
2. user is no longer certified by this CA
3. CA's certificate is compromised
• CAs maintain a list of revoked certificates
– the Certificate Revocation List (CRL)
• users should check certs against the CA's CRL (a fresh copy; OCSP is the on-line alternative) before trusting them
![Page 450: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/450.jpg)
Authentication Procedures
• X.509 includes three alternative authentication procedures:
• One-Way Authentication
• Two-Way Authentication
• Three-Way Authentication
• all use public-key signatures
![Page 451: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/451.jpg)
One-Way Authentication
• 1 message (A → B) used to establish
– the identity of A and that message is from A
– message was intended for B
– integrity & originality of message
• message must include timestamp, nonce, B's identity and is signed by A
![Page 452: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/452.jpg)
One way
• The whole message, including the identity of B, is signed with A's private key; a session key K_ab for B, if present, is encrypted with B's public key.
A → B: A{t_A, r_A, ID_B, sgnData, E(KU_b, K_ab)}
![Page 453: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/453.jpg)
Items
• t_A: time stamp
• r_A: a nonce
• ID_B: identity of the intended recipient
• sgnData: the data whose origin is being authenticated
• A{...}: the message signed with A's private key
![Page 454: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/454.jpg)
Two-Way Authentication
• 2 messages (A → B, B → A) which also establishes in addition:
– the identity of B and that reply is from B
– that reply is intended for A
– integrity & originality of reply
• reply includes original nonce from A, also timestamp and nonce from B
![Page 455: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/455.jpg)
Two-way
A → B: A{t_A, r_A, ID_B, sgnData, E(KU_b, K_ab)}
B → A: B{t_B, r_B, ID_A, r_A, sgnData, E(KU_a, K_ba)}
![Page 456: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/456.jpg)
Three-Way Authentication
• 3 messages (A->B, B->A, A->B) which enables above authentication without synchronized clocks
• has reply from A back to B containing signed copy of nonce from B
• means that timestamps need not be checked or relied upon
![Page 457: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/457.jpg)
Three-way
A → B: A{t_A, r_A, ID_B, sgnData, E(KU_b, K_ab)}
B → A: B{t_B, r_B, ID_A, r_A, sgnData, E(KU_a, K_ba)}
A → B: A{r_B}
![Page 458: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/458.jpg)
X.509 Version 3
• has been recognised that additional information is needed in a certificate
– email/URL, policy details, usage constraints
• rather than explicitly naming new fields defined a general extension method
• extensions consist of:
– extension identifier
– criticality indicator
– extension value
![Page 459: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/459.jpg)
Certificate Extensions
• key and policy information
– convey info about subject & issuer keys, plus indicators of certificate policy
• certificate subject and issuer attributes
– support alternative names, in alternative formats for certificate subject and/or issuer
• certificate path constraints
– allow constraints on use of certificates by other CAs
![Page 460: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/460.jpg)
Summary
• have considered:
– Kerberos trusted key server system
– X.509 authentication and certificates
![Page 461: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/461.jpg)
Problem
Let message M=10111011 01011110 00011011
1) Assume that n=8. Compute the simple hashing function value h(M).
2) Find another different message M’ such that h(M)=h(M’).
3) Does the simple hashing function satisfy the requirements for general hashing function?
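Worked solution to the problem above, as an added C example; it is not part of the original slides. It assumes the "simple hashing function" is the one from the hash-function chapter of the course: the bitwise XOR of the n-bit blocks of the message (n = 8, so one byte per block). The code computes h(M), builds a second message M' with the same hash, and answers part 3 by showing that any target digest can be hit by appending one chosen block, so the function is neither preimage- nor collision-resistant.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simple hash assumed here: XOR of all n-bit blocks, n = 8, so one byte per block. */
uint8_t xor_hash(const uint8_t *blocks, size_t nblocks) {
    uint8_t h = 0;
    for (size_t i = 0; i < nblocks; i++) h ^= blocks[i];
    return h;
}

/* Constructed input from the problem: M = 10111011 01011110 00011011 */
static const uint8_t M[3] = { 0xBB, 0x5E, 0x1B };

/* 1) h(M) = 10111011 ^ 01011110 ^ 00011011 = 11111110 = 0xFE */
uint8_t hash_of_M(void) { return xor_hash(M, sizeof M); }

/* 2) A different message with the same hash: flipping the same bit in two blocks
   cancels in the XOR. (Reordering the blocks also leaves the hash unchanged.) */
int collision_demo(void) {
    uint8_t Mprime[3];
    memcpy(Mprime, M, sizeof M);
    Mprime[0] ^= 0x01;
    Mprime[1] ^= 0x01;
    return memcmp(M, Mprime, sizeof M) != 0
        && xor_hash(Mprime, sizeof Mprime) == hash_of_M();
}

/* 3) Why it fails the requirements: for any prefix and any target digest t, the block
   t ^ h(prefix) appended to the prefix gives a message with hash t. A preimage or a
   second preimage costs one XOR instead of about 2^n trials. */
uint8_t forge_last_block(const uint8_t *prefix, size_t nblocks, uint8_t target) {
    return (uint8_t)(target ^ xor_hash(prefix, nblocks));
}

int preimage_demo(uint8_t target) {
    uint8_t msg[3] = { M[0], M[1], 0 };
    msg[2] = forge_last_block(msg, 2, target);
    return xor_hash(msg, 3) == target;
}
```

The XOR hash does provide a one-bit-per-position parity check, which is all it was designed for; the three requirements of a cryptographic hash (preimage, second-preimage and collision resistance) all fail for the reason in `forge_last_block`.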
![Page 462: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/462.jpg)
Some New approaches for Preventing Software Tampering
Bin Fu, Uni. of New Orleans
Golden Richard III, Uni. of New Orleans
Yixin Chen Uni. of New Orleans
Adbo Husseiny Tech. Int. of Virginia
![Page 463: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/463.jpg)
Software protection
• Global economic impact of software piracy was $11 billion in 2001.
• 40% of commercial software in use is pirated.
![Page 464: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/464.jpg)
Password
• Check the password before running the software
• The password check may be bypassed
![Page 465: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/465.jpg)
```c
#define realPassword 5413
........
read(password);
if (password != realPassword)
    print("password is incorrect");
else
    run the software
```
![Page 466: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/466.jpg)
Problems with the password checking
• It is easy to bypass by removing (or patching out) the part of the code that checks the password
• The password is exposed as a constant in the binary, so it can be read out directly
![Page 467: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/467.jpg)
Method 1
• Select a hashing function h( )
• Select multiple constants and change them (offline):
c1' ← c1 - h(password+1)
c2' ← c2 - h(password+2)
• Recover them from the correct password (online):
c1 ← c1' + h(password+1)
c2 ← c2' + h(password+2)
![Page 468: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/468.jpg)
Solve Quadratic Equation
x^2 + bx + c = 0
It has two roots:
x_1 = (-b + sqrt(b^2 - 4c)) / 2
x_2 = (-b - sqrt(b^2 - 4c)) / 2
![Page 469: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/469.jpg)
```c
#define c1 2.0
#define c2 4.0

/* roots of x^2 + bx + c = 0; the constants 2.0 and 4.0 are the ones
   the protection schemes below will hide */
void quadratic(double b, double c, double *root1, double *root2) {
    double temp;
    temp = sqrt(b*b - c2*c);
    *root1 = (-b + temp) / c1;
    *root2 = (-b - temp) / c1;
}
```
For solving the equation x^2 + bx + c = 0
![Page 470: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/470.jpg)
```c
#include <stdio.h>
#include <math.h>

#define realPassword 2314
#define c1 2.0
#define c2 4.0

void quadratic(double b, double c, double *root1, double *root2) {
    double temp;
    temp = sqrt(b*b - c2*c);
    *root1 = (-b + temp) / c1;
    *root2 = (-b - temp) / c1;
}

/* Naive protection: the comparison below is the single point an attacker
   patches out, and the value 2314 is visible in the binary. */
int main(void) {
    double b, c, root1, root2;
    int password;
    if (scanf("%d", &password) != 1) return 1;
    if (password != realPassword) {
        printf("password is incorrect\n");
    } else {
        if (scanf("%lf, %lf", &b, &c) != 2) return 1;
        quadratic(b, c, &root1, &root2);
        printf("%lf, %lf\n", root1, root2);
    }
    return 0;
}
```
![Page 471: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/471.jpg)
```c
// offline: compute e1 and e2 once from the real password
#define d1 e1   // e1 = c1 - hash(realPassword+1)
#define d2 e2   // e2 = c2 - hash(realPassword+2)
double c1, c2;

int main(void) {
    .......
    scanf("%d", &password);
    c1 = d1 + hash(password+1);   // online: recover c1 from whatever password was typed
    c2 = d2 + hash(password+2);
    .........
}
```
![Page 472: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/472.jpg)
```c
#include <stdio.h>
#include <math.h>
#include "hash.h"       /* supplies hash( ); not shown on the slides */

#define d1 e1           /* e1 = c1 - hash(realPassword+1), computed offline */
#define d2 e2           /* e2 = c2 - hash(realPassword+2), computed offline */

double c1, c2;

void quadratic(double b, double c, double *root1, double *root2) {
    double temp;
    temp = sqrt(b*b - c2*c);
    *root1 = (-b + temp) / c1;
    *root2 = (-b - temp) / c1;
}

/* No password comparison anywhere: a wrong password simply yields wrong
   constants and therefore wrong roots, so there is no branch to patch out. */
int main(void) {
    double b, c, root1, root2;
    int password;
    if (scanf("%d", &password) != 1) return 1;
    c1 = d1 + hash(password+1);
    c2 = d2 + hash(password+2);
    if (scanf("%lf", &b) != 1 || scanf("%lf", &c) != 1) return 1;
    quadratic(b, c, &root1, &root2);
    printf("%lf, %lf\n", root1, root2);
    return 0;
}
```
![Page 473: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/473.jpg)
Hardness to break
• The attacker has to understand the algorithm to a considerable level in order to recover those constants
• If the attacker knows some of the constants, the security depends on the hardness of inverting the hashing function
![Page 474: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/474.jpg)
Method 2
• Multiple constants are hidden in an array
• Only correct password can find their correct addresses
![Page 475: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/475.jpg)
```c
int main(void) {
    double b, c, root1, root2;
    double c1, c2, c3, c4;
    int password;
    /* 64 candidate values; only four of them are the real constants */
    double constants[array_size] = {
        3.12, 4.0, 5.12, 4.13, 2.0, 5.16, 2.17, 3.0, 7.52, 6.9, 8.73, 9.23, 9.0, 8.42, 7.29, 5.9,
        1.92, 9.2, 3.92, 6.63, 8.7, 8.36, 9.15, 1.0, 4.91, 4.9, 7.19, 2.76, 5.8, 8.79, 5.32, 4.9,
        9.30, 2.9, 8.17, 9.26, 7.2, 3.12, 3.56, 3.7, 7.98, 6.8, 3.32, 5.78, 4.6, 1.26, 4.32, 2.8,
        3.10, 5.3, 3.83, 4.28, 7.9, 3.64, 4.57, 4.9, 2.23, 3.8, 3.87, 6.12, 4.5, 4.98, 0.00, 9.0 };
    scanf("%d", &password);
    /* the password selects the indices; hash( ) must map into [0, array_size) */
    c1 = constants[hash(password+1)];
    c2 = constants[hash(password+2)];
    c3 = constants[hash(password+3)];
    c4 = constants[hash(password+4)];
    ........
}
```
![Page 476: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/476.jpg)
Correct Password gives correct memory addresses
• For the correct password p, h(p+1)=4, h(p+2)=1, h(p+3)=23, h(p+4)=62.
• c1=const[4]=2.0; c2=const[1]=4.0; c3=const[23]=1.0; c4=const[62]=0.0;
![Page 477: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/477.jpg)
Combine Two Methods (Off Line)
• Select two hashing functions h_address( ) and h_value( )
• Select some constants c1, c2
• Compute c1' = c1 - h_value(p+1) and c2' = c2 - h_value(p+2)
• Save c1' at h_address(p+1) and c2' at h_address(p+2)
![Page 478: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/478.jpg)
Combine Two Methods (On Line)
• Read the password p
• Fetch c1' from h_address(p+1) and c2' from h_address(p+2)
• Recover c1 by c1' + h_value(p+1) and c2 by c2' + h_value(p+2)
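The combined off-line/on-line procedure of the two slides above, as an added C example; it is not the paper's code. The hash functions h_address( ) and h_value( ) are not given on the slides; here both are derived from a 32-bit FNV-1a hash, which is an assumption, and a Newton-iteration square root stands in for libm's sqrt( ) so the file links on its own. The example also handles a case the slides leave open: h_address(p+1) and h_address(p+2) must be different slots, otherwise c2' overwrites c1', so the developer picks a password for which they differ.

```c
#include <stdint.h>
#include <stdio.h>

#define ARRAY_SIZE 64
#define TRUE_C1 2.0     /* the divisor in (-b +/- sqrt(...)) / 2 */
#define TRUE_C2 4.0     /* the 4 in b^2 - 4c */

/* Assumed hash (not the paper's hash( )): 32-bit FNV-1a over the bytes of an int. */
static uint32_t fnv1a32(uint32_t x) {
    uint32_t h = 2166136261u;
    for (int i = 0; i < 4; i++) { h ^= (x >> (8 * i)) & 0xFFu; h *= 16777619u; }
    return h;
}
/* h_address: which slot of the table holds a masked constant */
static unsigned h_address(int p) { return fnv1a32((uint32_t)p) % ARRAY_SIZE; }
/* h_value: additive mask; small and integral so the double arithmetic is exact */
static double h_value(int p) { return (double)(fnv1a32((uint32_t)p ^ 0x9e3779b9u) % 1000u); }

/* Newton iteration instead of libm sqrt(), so the example builds without -lm */
static double nsqrt(double x) {
    if (x < 0) { double nan = 0.0; return nan / nan; }     /* NaN, like sqrt() */
    double r = x > 1.0 ? x : 1.0;
    for (int i = 0; i < 60; i++) r = 0.5 * (r + x / r);
    return r;
}
static double dabs(double v) { return v < 0 ? -v : v; }

/* Offline step 0: the two slots must differ, or c2' overwrites c1'. Pick the first
   password at or after `start` for which they do (the slides omit this check). */
int find_usable_password(int start) {
    int p = start;
    while (h_address(p + 1) == h_address(p + 2)) p++;
    return p;
}

/* Offline: fill the table with decoys, then store c1' = c1 - h_value(p+1) at
   h_address(p+1) and c2' = c2 - h_value(p+2) at h_address(p+2). */
void build_table(double table[ARRAY_SIZE], int real_password) {
    for (int i = 0; i < ARRAY_SIZE; i++) table[i] = 1.0 + (double)((i * 7) % 13) / 4.0;
    table[h_address(real_password + 1)] = TRUE_C1 - h_value(real_password + 1);
    table[h_address(real_password + 2)] = TRUE_C2 - h_value(real_password + 2);
}

/* Online: no comparison with a stored password anywhere, so there is no branch to
   patch out. The typed password selects and unmasks the constants; a wrong password
   yields wrong constants and therefore wrong (or NaN) roots. */
void quadratic_protected(const double table[ARRAY_SIZE], int password,
                         double b, double c, double *root1, double *root2) {
    double c1 = table[h_address(password + 1)] + h_value(password + 1);
    double c2 = table[h_address(password + 2)] + h_value(password + 2);
    double temp = nsqrt(b * b - c2 * c);
    *root1 = (-b + temp) / c1;
    *root2 = (-b - temp) / c1;
}

/* Does `typed` solve x^2 - 3x + 2 = 0 (roots 2 and 1) when the table was built for `real`? */
int solves_correctly(int real, int typed) {
    double table[ARRAY_SIZE], r1, r2;
    build_table(table, real);
    quadratic_protected(table, typed, -3.0, 2.0, &r1, &r2);
    return dabs(r1 - 2.0) < 1e-9 && dabs(r2 - 1.0) < 1e-9;
}

int main(void) {
    int real = find_usable_password(2314);
    printf("password %d -> %s\n", real, solves_correctly(real, real) ? "roots 2, 1" : "wrong");
    printf("password %d -> %s\n", real + 1, solves_correctly(real, real + 1) ? "roots 2, 1" : "wrong");
    return 0;
}
```

Note what the attacker is left with: the table, the two hash functions and the code that combines them are all in the binary, so the scheme's strength is exactly the slide's claim, namely that recovering the four numbers requires either understanding the algorithm well enough to know what the constants must be, or inverting h_value( ) for guessed passwords. It is a dissuasion measure, not a cryptographic guarantee.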
![Page 479: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/479.jpg)
Hide the password
• Offline: let q = hash(password)
• Online:
read p
if (hash(p) == q) then accept
else reject
• Security: relies on hash( ) being one-way, i.e. hard to invert (preimage resistance); a short password hashed without salt is still open to brute-force guessing of p
![Page 480: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/480.jpg)
Apply the method to obfuscation
• Define function pointers array
• Let the password determine the functions called by giving the address to the corresponding pointers
![Page 481: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/481.jpg)
```c
#define c0 0
#define c1 1
#define c2 2
#define c3 3

double temp;
int (*a[4])(void);          /* function pointer table */
double b, c, root1, root2;

int step0(void) { temp = sqrt(b*b - 4.0*c); return 0; }
int step1(void) { root1 = (-b + temp) / 2.0; return 0; }
int step2(void) { root2 = (-b - temp) / 2.0; return 0; }
/* the call sequence is only visible through the indices c0..c2; with
   password-derived indices (Method 2) it is not visible statically at all */
int quadratic(void) { a[c0](); a[c1](); a[c2](); return 0; }

int main(void) {
    // assign function pointers to the array a[ ] below
    a[0] = step0; a[1] = step1; a[2] = step2; a[3] = quadratic;
    ........
}
```
![Page 482: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/482.jpg)
Method 3
• Select multiple constants and change them (offline):
c1' ← c1 - h(password+1); c2' ← c2 - h(password+2);
c3' ← c3 - h(password+3); c4' ← c4 - h(password+4);
• Recover them from the correct password (online):
c1 ← c1' + h(password+1); c2 ← c2' + h(password+2);
c3 ← c3' + h(password+3); c4 ← c4' + h(password+4);
![Page 483: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/483.jpg)
Conclusions
• Protect software by password
Method 1: change multiple constants
Method 2: Rearrange multiple constants
• Future research: Protect software by hardware
![Page 484: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/484.jpg)
The End
Thank You
![Page 485: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/485.jpg)
Client and Server
Figure: several clients connected to one server.
![Page 486: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/486.jpg)
Figure: the protocol stack on each host. Web client and web server talk the application protocol; beneath them TCP talks to TCP (TCP protocol), IP to IP (IP protocol) and Ethernet driver to Ethernet driver (Ethernet protocol) over the physical Ethernet.
![Page 487: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/487.jpg)
Figure: routers A, B, C, D and E forwarding datagrams between networks; destinations D1, D2 and D3 are reached through different routers.
![Page 488: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/488.jpg)
Design Philosophy
• FTP, WEB: application service
• TCP: reliable transport service
• IP: connectionless packet delivery service
![Page 489: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/489.jpg)
Port Number
• TCP allows multiple application programs on a machine
• Port numbers identify the ultimate destination (the application) within a machine; the IP protocol number only selects TCP or UDP
• An end point is represented by (host_ip_address, port)
![Page 490: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/490.jpg)
Learn Networking
• Packet header
• Buffer management
![Page 491: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/491.jpg)
TCP client                           TCP server
                                     socket()
                                     bind()
                                     listen()
                                     accept()  (blocks until a client connects)
socket()
connect()  ──── connection ────────▶
write()    ──── data request ──────▶ read()
read()     ◀─── data reply ────────  write()
close()    ──── end notification ──▶ read() returns 0, close()
![Page 492: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/492.jpg)
TCP handshaking
Client: socket; connect (blocks while the three-way handshake runs); connect returns; write or read
Server: socket, bind, listen; accept (blocks); accept returns once a handshake has completed; read (blocks until data arrives)
![Page 493: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/493.jpg)
TCP sends packets
Client: send packet1  →  Server: receive packet1, send ACK1  →  Client: receive ACK1
Client: send packet2  →  Server: receive packet2, send ACK2  →  Client: receive ACK2
![Page 494: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/494.jpg)
Sliding Window Algorithm
p1 p2 p3 [p4 p5 p6 p7] p8 p9 p10 p11 p12      window covers p4..p7
p1 p2 p3 p4 [p5 p6 p7 p8] p9 p10 p11 p12      after p4 is acknowledged the window slides to p5..p8
Only send the packets in the window at one moment
Window moves right after the leftmost packet is acknowledged
![Page 495: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/495.jpg)
Algorithm Properties
• Remember which packets are unacknowledged
• Move past all acknowledged packets
• Retransmit a lost packet when its timer expires
• The window size changes based on the available bandwidth and the receiver's advertised buffer
![Page 496: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/496.jpg)
Example of size four
Sender                    Receiver
send p1
send p2                   receive p1, send A1
send p3                   receive p2, send A2
send p4                   receive p3, send A3
receive A1                receive p4, send A4
receive A2
receive A3
receive A4
![Page 497: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/497.jpg)
TCP segment format (each row is 32 bits)
| Source port (16b) | Destination port (16b) |
| Sequence number (32b) |
| Acknowledgement number (32b) |
| Hlen (4b) | Reserved (6b) | Code bits (6b) | Window (16b) |
| Checksum (16b) | Urgent pointer (16b) |
| Options (if any) ... |
| Data |
![Page 498: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/498.jpg)
TCP Header
• Source port: TCP port number of source end
• Destination port: TCP port number of destination end
• Sequence number: position of this segment's first byte in the sender's byte stream
• Acknowledgement number: sequence number of the next byte the sender expects to receive
• Hlen: length of the header in 32-bit words (5, i.e. 20 bytes, when there are no options)
• Code bits: purpose of the segment, such as SYN, ACK, reset connection (RST), end of the byte stream (FIN), etc.
• Window: receiver's available buffer size, in bytes
• Checksum: integrity of header, data and a pseudo-header with the IP addresses (protects against accidental corruption only, not against an attacker, who can recompute it)
![Page 499: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/499.jpg)
Internet Protocol (IP)
• Unreliable, connectionless delivery
• Routing over the internet
• Rules for unreliable delivery: a datagram that cannot be delivered is discarded, and an error message (ICMP) may be sent back to the source
![Page 500: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/500.jpg)
IP datagram format (each row is 32 bits)
| Vers (4b) | Hlen (4b) | ServiceType (8b) | TotalLength (16b) |
| Identification (16b) | Flags (3b) | FragmentOffset (13b) |
| TimeToLive (8b) | Protocol (8b) | HeaderChecksum (16b) |
| SourceIPAddress (32b) |
| DestinationIPAddress (32b) |
| IPOptions (if any, variable length) | Padding (to a 32-bit boundary) |
| Data ... |
![Page 501: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/501.jpg)
IP
• Vers: IP version used to create the datagram
• Hlen: datagram header length measured in 32-bit words (5 when there are no options)
• ServiceType: precedence (3b), D (1b), T (1b), R (1b), unused (2b)
• TotalLength: the total length of the datagram in bytes, header included
• Identification: identifies which original datagram a fragment belongs to
• FragmentOffset: offset of this fragment's data within the original datagram, in 8-byte units
• Protocol: which transport protocol the data is handed to (e.g. 6 = TCP, 17 = UDP)
• HeaderChecksum: integrity of the header only; the data is not covered
• TimeToLive: maximum time to stay in the internet; decremented by one by each router, and the datagram is discarded when it reaches zero
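A parser for the two header layouts above, as an added C example (not from the slides or the textbook). It checks what the slides only name: that Hlen and TotalLength fit inside the buffer before any field behind them is read, that Flags and FragmentOffset are split 3/13, and that the Internet checksum over the header verifies. The packet bytes are constructed for the example: a TCP SYN from 192.168.0.1:50000 to 10.0.0.2:80 with the DF flag set.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

struct ipv4_hdr {
    uint8_t  version, ihl, tos, flags, ttl, proto;
    uint16_t total_len, id, frag_off, hdr_checksum;
    uint32_t src, dst;
};
struct tcp_hdr {
    uint16_t src_port, dst_port, window, checksum, urgent;
    uint32_t seq, ack;
    uint8_t  data_off, flags;   /* data_off in 32-bit words; flags = the code bits */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Internet checksum (RFC 1071): one's-complement sum of 16-bit words. Over a header
   that already contains its checksum field the result is 0. */
uint16_t inet_checksum(const uint8_t *data, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += rd16(data + i);
    if (len & 1) sum += (uint32_t)data[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Returns the header length in bytes, or -1 if the datagram is malformed. Every length
   is validated against the buffer before it is used; that is where parsers usually fail. */
int parse_ipv4(const uint8_t *pkt, size_t len, struct ipv4_hdr *h) {
    if (len < 20) return -1;
    h->version = pkt[0] >> 4;
    h->ihl     = pkt[0] & 0x0F;
    size_t hlen = (size_t)h->ihl * 4;
    if (h->version != 4 || hlen < 20 || hlen > len) return -1;
    h->tos       = pkt[1];
    h->total_len = rd16(pkt + 2);
    if (h->total_len < hlen || h->total_len > len) return -1;
    h->id        = rd16(pkt + 4);
    h->flags     = pkt[6] >> 5;                 /* 3 bits: reserved, DF, MF */
    h->frag_off  = rd16(pkt + 6) & 0x1FFF;      /* 13 bits, in 8-byte units */
    h->ttl       = pkt[8];
    h->proto     = pkt[9];
    h->hdr_checksum = rd16(pkt + 10);
    h->src       = rd32(pkt + 12);
    h->dst       = rd32(pkt + 16);
    if (inet_checksum(pkt, hlen) != 0) return -1;  /* header corrupted in transit */
    return (int)hlen;
}

/* Returns the TCP header length in bytes, or -1. The TCP checksum also covers a
   pseudo-header built from the IP addresses, so it is not verified here. */
int parse_tcp(const uint8_t *seg, size_t len, struct tcp_hdr *t) {
    if (len < 20) return -1;
    t->src_port = rd16(seg);
    t->dst_port = rd16(seg + 2);
    t->seq      = rd32(seg + 4);
    t->ack      = rd32(seg + 8);
    t->data_off = seg[12] >> 4;
    t->flags    = seg[13];                     /* CWR ECE URG ACK PSH RST SYN FIN */
    size_t hlen = (size_t)t->data_off * 4;
    if (hlen < 20 || hlen > len) return -1;
    t->window   = rd16(seg + 14);
    t->checksum = rd16(seg + 16);
    t->urgent   = rd16(seg + 18);
    return (int)hlen;
}

/* Constructed packet: IPv4 (DF set, TTL 64, protocol 6) carrying a TCP SYN 50000 -> 80. */
static const uint8_t SYN_PKT[40] = {
    0x45, 0x00, 0x00, 0x28, 0x1C, 0x46, 0x40, 0x00, 0x40, 0x06, 0x53, 0xDF,
    0xC0, 0xA8, 0x00, 0x01, 0x0A, 0x00, 0x00, 0x02,
    0xC3, 0x50, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x50, 0x02, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00
};

/* Parse IP then TCP; returns dst_port * 256 + code bits, or -1 on any error. */
long syn_packet_summary(void) {
    struct ipv4_hdr ip; struct tcp_hdr tcp;
    int iplen = parse_ipv4(SYN_PKT, sizeof SYN_PKT, &ip);
    if (iplen < 0 || ip.proto != 6) return -1;
    if (parse_tcp(SYN_PKT + iplen, (size_t)(ip.total_len - iplen), &tcp) < 0) return -1;
    return (long)tcp.dst_port * 256 + tcp.flags;
}

/* The same packet after a router decremented TTL without recomputing the checksum. */
int corrupted_packet_rejected(void) {
    uint8_t copy[40]; struct ipv4_hdr ip;
    memcpy(copy, SYN_PKT, sizeof copy);
    copy[8] = 63;
    return parse_ipv4(copy, sizeof copy, &ip) == -1;
}
```

The checksum catches the corrupted TTL, but it is not a security control: anyone who can alter a header can recompute the 16-bit checksum, which is exactly the gap the IPsec Authentication Header later in these slides closes with a keyed MAC.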
![Page 502: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/502.jpg)
IP routing
• Find a path to send the packet
• Routing table
• Routing protocols
Figure: machines M connected through a mesh of routers.
![Page 503: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/503.jpg)
Socket Address
```c
struct in_addr {
    in_addr_t s_addr;            /* 32 bit IPv4 address, network byte order */
};

struct sockaddr_in {
    uint8_t        sin_len;      /* length of structure (BSD only) */
    sa_family_t    sin_family;   /* AF_INET */
    in_port_t      sin_port;     /* 16 bit port number, network byte order */
    struct in_addr sin_addr;     /* 32 bit IPv4 address */
    char           sin_zero[8];  /* unused */
};
```
![Page 504: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/504.jpg)
Generic Socket Address
```c
struct sockaddr {
    uint8_t     sa_len;          /* (BSD only) */
    sa_family_t sa_family;       /* address family: AF_xx */
    char        sa_data[14];     /* protocol-specific address */
};
```
![Page 505: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/505.jpg)
bind( )
• #include <sys/socket.h>
• int bind(int sockfd, const struct sockaddr *myaddr, socklen_t addrlen)
• Returns 0 if OK, -1 on error
• Assigns a local protocol address (IP address and port) to a socket
![Page 506: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/506.jpg)
listen( )
• #include <sys/socket.h>
• int listen(int sockfd, int backlog)
• Returns 0 if OK, -1 on error
• Converts an unconnected socket into a passive socket, indicating the kernel should accept incoming connection requests directed to it
![Page 507: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/507.jpg)
listen( )
• sockfd: socket descriptor returned by the socket function
• backlog: maximum combined length of two queues
– incomplete connection queue: connections whose three-way handshake has not yet completed (SYN received, SYN/ACK sent)
– completed connection queue: connections whose three-way handshake has completed and that are waiting for accept( )
![Page 508: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/508.jpg)
Two Queues for Connection
Figure: an arriving SYN places the connection on the server TCP's incomplete connection queue; when the handshake completes it moves to the completed connection queue, from which accept( ) takes it.
![Page 509: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/509.jpg)
accept( )
• #include <sys/socket.h>
• int accept(int sockfd, struct sockaddr *cliaddr, socklen_t *addrlen)
• Returns a new connected descriptor if OK, -1 on error
• Called by the server to take the next completed connection from the front of the completed connection queue; blocks if that queue is empty
![Page 510: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/510.jpg)
connect( )
• #include <sys/socket.h>
• int connect(int sockfd, const struct sockaddr *servaddr, socklen_t addrlen);
• Returns 0 if OK, -1 on error
• Establishes a connection with a TCP server (performs the three-way handshake)
![Page 511: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/511.jpg)
connect( )
• sockfd: socket descriptor returned by the socket function
• servaddr: socket address structure with the IP address and port number of the server
• addrlen: the length of the socket address structure
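The socket(), bind(), listen(), accept() and connect() sequence of the slides run end to end inside one process, as an added C example; it is not from the slides or from Stevens' book. The server binds to 127.0.0.1 with port 0 so the kernel picks a free port; the client connects to that port; because the three-way handshake completes in the kernel and parks the connection on the completed queue, accept() can be called after connect() has returned. The request string "hello" is constructed for the example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <ctype.h>

/* Server side: socket -> bind (loopback, ephemeral port) -> listen. Returns the
   listening descriptor and stores the port the kernel chose, or -1 on error. */
int make_listener(uint16_t *port_out, int backlog) {
    struct sockaddr_in addr;
    socklen_t alen = sizeof addr;
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0) return -1;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(0);                            /* 0 = let the kernel choose */
    inet_pton(AF_INET, "127.0.0.1", &addr.sin_addr);     /* loopback only, not INADDR_ANY */
    if (bind(lfd, (struct sockaddr *)&addr, sizeof addr) < 0 ||
        listen(lfd, backlog) < 0 ||
        getsockname(lfd, (struct sockaddr *)&addr, &alen) < 0) { close(lfd); return -1; }
    *port_out = ntohs(addr.sin_port);
    return lfd;
}

/* Client side: socket -> connect to 127.0.0.1:port. */
int connect_loopback(uint16_t port) {
    struct sockaddr_in addr;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    inet_pton(AF_INET, "127.0.0.1", &addr.sin_addr);
    if (connect(fd, (struct sockaddr *)&addr, sizeof addr) < 0) { close(fd); return -1; }
    return fd;
}

/* One request/reply round trip; the "server" upper-cases the request. Reads are
   bounded by the buffer sizes and the reply is always NUL-terminated. Returns the
   reply length, or -1 on error. */
int loopback_roundtrip(const char *request, char *reply, size_t reply_cap) {
    uint16_t port;
    char buf[256];
    struct sockaddr_in peer; socklen_t plen = sizeof peer;
    int lfd = make_listener(&port, 5);
    if (lfd < 0 || reply_cap == 0) return -1;
    int cfd = connect_loopback(port);
    if (cfd < 0) { close(lfd); return -1; }
    int sfd = accept(lfd, (struct sockaddr *)&peer, &plen);   /* handshake already done */
    if (sfd < 0) { close(cfd); close(lfd); return -1; }
    /* a real server would inspect peer.sin_addr here before serving the client */
    ssize_t n = write(cfd, request, strlen(request));           /* client -> server */
    if (n > 0) n = read(sfd, buf, sizeof buf);                  /* server reads request */
    if (n > 0) {
        for (ssize_t i = 0; i < n; i++) buf[i] = (char)toupper((unsigned char)buf[i]);
        n = write(sfd, buf, (size_t)n);                         /* server -> client */
    }
    if (n > 0) n = read(cfd, reply, reply_cap - 1);             /* client reads reply */
    if (n >= 0) reply[n] = '\0';
    close(sfd); close(cfd); close(lfd);
    return n < 0 ? -1 : (int)n;
}

/* Used by the test: does "hello" come back as "HELLO"? */
int roundtrip_demo(void) {
    char reply[64];
    int n = loopback_roundtrip("hello", reply, sizeof reply);
    return n == 5 && strcmp(reply, "HELLO") == 0;
}

int main(void) {
    char reply[64];
    int n = loopback_roundtrip("hello", reply, sizeof reply);
    printf("reply (%d bytes): %s\n", n, n >= 0 ? reply : "(error)");
    return n < 0;
}
```

A single read() is enough for a five-byte message on loopback; TCP is a byte stream, so a real server loops until it has a complete application message, and it never trusts the length fields it reads from the peer to size a buffer.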
![Page 512: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/512.jpg)
A web site for source code
• Address:
http://www.kohala.com/start/unpv12e.html
• Download Source code
• Execute the commands in README
• Book: Unix Network Programming,
by Richard Stevens
Cryptography and Network Security
Third Edition
by William Stallings
Lecture slides by Lawrie Brown
![Page 518: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/518.jpg)
IP Security
• have considered some application specific security mechanisms
– eg. Kerberos, SSL/HTTPS
• however there are security concerns that cut across protocol layers
• would like security implemented by the network for all applications
![Page 519: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/519.jpg)
IPSec
• general IP Security mechanisms
• provides
– authentication
– confidentiality
– key management
• applicable to use over LANs, across public & private WANs, & for the Internet
![Page 520: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/520.jpg)
IPSec Uses
![Page 521: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/521.jpg)
Benefits of IPSec
• in a firewall/router provides strong security to all traffic crossing the perimeter
• is resistant to bypass
• is below transport layer, hence transparent to applications
• can be transparent to end users
• can provide security for individual users if desired
![Page 522: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/522.jpg)
IP Security Architecture
• specification is quite complex
• defined in numerous RFCs
– incl. RFC 2401/2402/2406/2408 (architecture, AH, ESP, ISAKMP); these have since been obsoleted by RFC 4301/4302/4303 and IKEv2 (RFC 7296)
– many others, grouped by category
• originally mandatory in IPv6, optional in IPv4 (RFC 6434 later relaxed the IPv6 requirement to "SHOULD")
![Page 523: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/523.jpg)
IPSec Services
• Access control
• Connectionless integrity
• Data origin authentication
• Rejection of replayed packets
– a form of partial sequence integrity
• Confidentiality (encryption)
• Limited traffic flow confidentiality
![Page 524: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/524.jpg)
Security Associations
• a one-way relationship between sender & receiver that affords security for traffic flow
• defined by 3 parameters:
– Security Parameters Index (SPI)
– IP Destination Address
– Security Protocol Identifier
• has a number of other parameters
– seq no, AH & EH info, lifetime etc
• have a database of Security Associations
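The replay-rejection service listed earlier is implemented per SA with the sequence number the SA carries. As an added example (not from the slides), the following Python keeps an SA database keyed by the three parameters named above and a per-SA anti-replay window; the window size and the packet sequence are constructed.

```python
# Added example, not from the slides: an SA database keyed by (SPI, destination, protocol)
# and the per-SA anti-replay window a receiver uses to reject replayed packets.
# Window size and the packet sequence below are constructed for illustration.

WINDOW_SIZE = 64  # assumption: 64-entry sliding window (RFC 2401 requires at least 32)


class AntiReplayWindow:
    """Accepts each sequence number at most once; numbers behind the window are rejected."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) has been seen

    def check_and_update(self, seq):
        if seq == 0:
            return False    # the first packet on an SA carries sequence number 1
        if seq > self.top:
            # advance the window; everything older than (seq - size) falls off the left edge
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False    # too old: left of the window
        if self.bitmap & (1 << offset):
            return False    # replay: already seen inside the window
        self.bitmap |= 1 << offset
        return True


class SecurityAssociation:
    def __init__(self, spi, dst, proto):
        self.spi, self.dst, self.proto = spi, dst, proto
        self.window = AntiReplayWindow()


class SADatabase:
    """Lookup by the three parameters that identify an SA."""

    def __init__(self):
        self._sas = {}

    def add(self, sa):
        self._sas[(sa.spi, sa.dst, sa.proto)] = sa

    def lookup(self, spi, dst, proto):
        return self._sas.get((spi, dst, proto))


def receive(sadb, spi, dst, proto, seq):
    """Returns 'accept', 'replay' or 'no-sa' for an inbound packet's selectors."""
    sa = sadb.lookup(spi, dst, proto)
    if sa is None:
        return "no-sa"
    return "accept" if sa.window.check_and_update(seq) else "replay"


def process(seqs, size=WINDOW_SIZE):
    """Feed a list of packet sequence numbers through one window; returns accept flags."""
    w = AntiReplayWindow(size)
    return [w.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    sadb = SADatabase()
    sadb.add(SecurityAssociation(spi=0x1000, dst="192.0.2.10", proto="ESP"))  # constructed
    for seq in (1, 2, 2, 3):
        print(seq, receive(sadb, 0x1000, "192.0.2.10", "ESP", seq))
```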
Authentication Header (AH)
• provides support for data integrity & authentication of IP packets
– end system/router can authenticate user/app
– prevents address spoofing attacks by tracking sequence numbers
• based on use of a MAC
– HMAC-MD5-96 or HMAC-SHA-1-96
• parties must share a secret key
Original IP
• Before AH
IPv4: Orig IP hdr | TCP | Data
IPv6: Orig IP hdr | ext hdrs (dest, routing) | dest | TCP | Data
Transport Mode AH
• After AH
IPv4: Orig IP hdr | AH | TCP | Data (authenticated)
IPv6: Orig IP hdr | ext hdrs (dest, routing) | AH | dest | TCP | Data (authenticated)
Tunnel Mode AH
• Format
IPv4: New IP hdr | AH | Orig IP hdr | TCP | Data (authenticated)
IPv6: New IP hdr | ext headers | AH | Orig IP hdr | ext headers | TCP | Data (authenticated)
Authentication Header
Transport & Tunnel Modes
Encapsulating Security Payload (ESP)
• provides message content confidentiality & limited traffic flow confidentiality
• can optionally provide the same authentication services as AH
• supports range of ciphers, modes, padding
– incl. DES, Triple-DES, RC5, IDEA, CAST etc
– CBC most common
– pad to meet blocksize, for traffic flow
Encapsulating Security Payload
Transport vs Tunnel Mode ESP
• transport mode is used to encrypt & optionally authenticate IP data
– data protected but header left in clear
– can do traffic analysis but is efficient
– good for ESP host to host traffic
• tunnel mode encrypts entire IP packet
– add new header for next hop
– good for VPNs, gateway to gateway security
Transport Mode ESP
• Format
IPv4: Orig IP hdr | ESP hdr | TCP | Data | ESP trlr | ESP auth
– encrypted: TCP | Data | ESP trlr; authenticated: ESP hdr through ESP trlr
IPv6: Orig IP hdr | ext hdrs (dest, routing) | ESP hdr | dest | TCP | Data | ESP trlr | ESP auth
– encrypted: dest | TCP | Data | ESP trlr; authenticated: ESP hdr through ESP trlr
Tunnel Mode ESP
• Format
IPv4: New IP hdr | ESP hdr | Orig IP hdr | TCP | Data | ESP trlr | ESP auth
– encrypted: Orig IP hdr | TCP | Data | ESP trlr; authenticated: ESP hdr through ESP trlr
IPv6: New IP hdr | ext hdr | ESP hdr | Orig IP hdr | ext hdr | TCP | Data | ESP trlr | ESP auth
– encrypted: Orig IP hdr | ext hdr | TCP | Data | ESP trlr; authenticated: ESP hdr through ESP trlr
Items
• ESP trailer: Padding, Pad length, etc.
• ESP auth: ESP authentication.
Combining Security Associations
• SA’s can implement either AH or ESP
• to implement both need to combine SA’s
– form a security bundle
• have 4 cases (see next)
Combining Security Associations
Key Management
• handles key generation & distribution
• typically need 2 pairs of keys
– 2 per direction for AH & ESP
• manual key management
– sysadmin manually configures every system
• automated key management
– automated system for on demand creation of keys for SA’s in large systems
– has Oakley & ISAKMP elements
Oakley
• a key exchange protocol
• based on Diffie-Hellman key exchange
• adds features to address weaknesses
– cookies, groups (global params), nonces, DH key exchange with authentication
• can use arithmetic in prime fields or elliptic curve fields
ISAKMP
• Internet Security Association and Key Management Protocol
• provides framework for key management
• defines procedures and packet formats to establish, negotiate, modify, & delete SAs
• independent of key exchange protocol, encryption alg, & authentication method
Diffie-Hellman Key Exchange
• Enables two users to exchange a key securely
• Published in 1976
• Commercial Products available
Global Public Elements
• Prime number $q$
• $\alpha$: a primitive root of $q$ ($\alpha, \alpha^2, \alpha^3, \ldots, \alpha^{q-1} \pmod q$ is a permutation of $1, 2, 3, \ldots, q-1$)
User A Key Generation
• Select private $X_A$, $X_A < q$
• Compute public $Y_A = \alpha^{X_A} \pmod q$
User B Key Generation
• Select private $X_B$, $X_B < q$
• Compute public $Y_B = \alpha^{X_B} \pmod q$
User A Key Generation
• A: $K = (Y_B)^{X_A} \pmod q = (\alpha^{X_B} \pmod q)^{X_A} \pmod q = (\alpha^{X_B})^{X_A} \pmod q = \alpha^{X_B X_A} \pmod q$
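The exchange of the last four slides in code, as an added example that is not from the slides: the primitive-root test from "Global Public Elements" is carried out literally, both sides compute their public values and the shared key, and a received public value is sanity-checked before use. The toy values of q, alpha and the private exponents in the test are constructed.

```python
# Added example, not from the slides: Diffie-Hellman over the global elements q and alpha,
# with the primitive-root check from the "Global Public Elements" slide done explicitly.
# All numeric values used with these functions are constructed toy values; real
# deployments use large primes, where the O(q) permutation test below is not practical.

def is_primitive_root(alpha, q):
    """alpha is a primitive root of prime q iff alpha^1..alpha^(q-1) mod q permute 1..q-1."""
    return {pow(alpha, i, q) for i in range(1, q)} == set(range(1, q))


def public_value(alpha, q, x):
    # Y = alpha^X mod q
    return pow(alpha, x, q)


def shared_key(y_other, x_own, q):
    # K = (Y_other)^X_own mod q
    return pow(y_other, x_own, q)


def peer_value_is_sane(y, q):
    """Defensive check on a received public value: reject 1 and q-1, whose powers are
    confined to {1} or {1, q-1} and would pin the shared key to a known value."""
    return 1 < y < q - 1


def exchange(alpha, q, x_a, x_b):
    """Both sides' computations; returns (Y_A, Y_B, K_A, K_B)."""
    if not is_primitive_root(alpha, q):
        raise ValueError("alpha is not a primitive root of q")
    if not (0 < x_a < q and 0 < x_b < q):
        raise ValueError("private values must satisfy 0 < X < q")
    y_a = public_value(alpha, q, x_a)
    y_b = public_value(alpha, q, x_b)
    if not (peer_value_is_sane(y_a, q) and peer_value_is_sane(y_b, q)):
        raise ValueError("degenerate public value; choose a new private value")
    # Each side raises the other's public value to its own private exponent.
    return y_a, y_b, shared_key(y_b, x_a, q), shared_key(y_a, x_b, q)


if __name__ == "__main__":
    print(exchange(alpha=5, q=23, x_a=6, x_b=15))   # constructed toy parameters
```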
Final Presentation
• Find a related security paper in the last five years published in a good journal or conference
• Read it carefully.
• Describe the security problem that it deals with
• Describe the solution
• Possible future development
• Find the current background in that line.
• Every one talks about 30 minutes
• No single paper can be shared by two people.
Evaluation
• Presentation
• The quality of the paper that you selected
• The slides that you made
• Problem and solution.
• Your effort in proposing any future research plan in the similar topic.
Aggressive Key Exchange
• The communications:
I → R: CKY_I, OK_KEYX, GRP, g^x, EHAO, NIDP, ID_I, ID_R, N_I, S_KI[ID_I || ID_R || N_I || GRP || g^x || EHAO]
R → I: CKY_R, OK_KEYX, GRP, g^y, EHAS, NIDP, ID_R, ID_I, N_R, N_I, S_KR[ID_R || ID_I || N_R || N_I || GRP || g^y || g^x || EHAS]
I → R: CKY_I, CKY_R, OK_KEYX, GRP, g^x, EHAS, NIDP, ID_I, ID_R, N_I, N_R, S_KI[ID_I || ID_R || N_I || N_R || GRP || g^x || g^y || EHAS]
• I = Initiator
• R = Responder
• CKY_I, CKY_R = Initiator, responder cookies
• OK_KEYX = Key exchange message type
• GRP = Name of Diffie-Hellman group for this exchange
• g^x, g^y = Public key of initiator, responder
• EHAO, EHAS = Encryption, hash, authentication functions, offered and selected
• NIDP = Indicates encryption is not used for remainder of this message
• N_I, N_R = Random nonce supplied by initiator, responder
• S_KI[X], S_KR[X] = Indicates the signature over X using private key (signing key) of initiator, responder
ISAKMP
Summary
• have considered:
– IPSec security framework
– AH
– ESP
– key management & Oakley/ISAKMP
Chapter 17 – Web Security
Web Security
• Web now widely used by business, government, individuals
• but Internet & Web are vulnerable
• have a variety of threats
– integrity
– confidentiality
– denial of service
– authentication
• need added security mechanisms
SSL (Secure Socket Layer)
• transport layer security service
• originally developed by Netscape
• version 3 designed with public input
• subsequently became Internet standard known as TLS (Transport Layer Security)
• uses TCP to provide a reliable end-to-end service
• SSL has two layers of protocols
SSL Architecture
SSL Architecture
• SSL session
– an association between client & server
– created by the Handshake Protocol
– define a set of cryptographic parameters
– may be shared by multiple SSL connections
• SSL connection
– a transient, peer-to-peer, communications link
– associated with 1 SSL session
Parameters for a session
• Session identifier:
• Peer Certificate: An X509.v3 certificate
• Compression method
• Cipher spec: data encryption algorithm and hash
• Master key: 48 bits shared between client and server
• Is resumable: whether the session can be used for new connections
Parameters for a connection
• Server and client random: chosen for each connection
• Server write MAC secret key: Used for MAC
• Client write MAC secret key: Used for MAC
• Server write key: Used for encryption
• Client write key: Used for encryption
• Initialization vector:
• Sequence number: for each transmitted message
SSL Record Protocol
• confidentiality
– using symmetric encryption with a shared secret key defined by Handshake Protocol
– IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
– message is compressed before encryption
• message integrity
– using a MAC with shared secret key
– similar to HMAC but with different padding
SSL Record Format
Content type | Major version | Minor version | Compressed length
Plaintext (optionally compressed)
MAC (0, 16, or 20 bytes)
(plaintext and MAC are encrypted)
SSL Record Operation
• Application data → Fragment → Compress → Add MAC → Encrypt → Append SSL record header
SSL Change Cipher Spec Protocol
• one of 3 SSL specific protocols which use the SSL Record protocol
• a single message
• causes pending state to become current
• hence updating the cipher suite in use
SSL Alert Protocol
• conveys SSL-related alerts to peer entity
• severity
– warning or fatal
• specific alert
– unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter
– close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown
• compressed & encrypted like all SSL data
SSL Handshake Protocol
• allows server & client to:
– authenticate each other
– to negotiate encryption & MAC algorithms
– to negotiate cryptographic keys to be used
• comprises a series of messages in phases
– Establish Security Capabilities
– Server Authentication and Key Exchange
– Client Authentication and Key Exchange
– Finish
SSL Handshake Protocol
Phase 1
• Establish security capabilities, including protocol version, session ID, cipher suite, compression method, and initial random numbers
Phase 2
• Server may send certificate, key exchange, and request certificate. Server signals end of hello message phase
Phase 2 Format
• Server-parameters: about certificate, key-exchange protocol (Diffie-Hellman)
• Hash(clientHello.random||serverHello.random||serverParams)
Phase 3
• Client sends certificate if requested. Client sends key exchange. Client may send certificate verification
Phase 4
• Change cipher suite and finish handshake protocol.
TLS (Transport Layer Security)
• IETF standard RFC 2246 similar to SSLv3
• with minor differences
– in record format version number
– uses HMAC for MAC
– a pseudo-random function expands secrets
– has additional alert codes
– some changes in supported ciphers
– changes in certificate negotiations
– changes in use of padding
Secure Electronic Transactions (SET)
• open encryption & security specification
• to protect Internet credit card transactions
• developed in 1996 by Mastercard, Visa etc
• not a payment system
• rather a set of security protocols & formats
– secure communications amongst parties
– trust from use of X.509v3 certificates
– privacy by restricted info to those who need it
SET Components
SET Transaction
1. customer opens account
2. customer receives a certificate
3. merchants have their own certificates
4. customer places an order
5. merchant is verified
6. order and payment are sent
7. merchant requests payment authorization
8. merchant confirms order
9. merchant provides goods or service
10. merchant requests payment
Dual Signature
• customer creates dual messages
– order information (OI) for merchant
– payment information (PI) for bank
• neither party needs details of other
• but must know they are linked
• use a dual signature for this
– signed concatenated hashes of OI & PI
Dual Signature
• DS = $E(PR_c, [H(H(PI) \,\|\, H(OI))])$
• PI: Payment information (credit card number, etc)
• OI: Order information
• H: Hashing function
• PRc: Private key of the customer
Digests
• OIMD: Order information digest, $H(OI)$
• PIMD: Payment information digest, $H(PI)$
• POMD: Payment order message digest, $H(H(PI) \,\|\, H(OI))$
Purchase Request – Customer
Purchase Request – Merchant
Purchase Request – Merchant
1. verifies cardholder certificates using CA sigs
2. verifies dual signature using customer's public signature key to ensure order has not been tampered with in transit & that it was signed using cardholder's private signature key
3. processes order and forwards the payment information to the payment gateway for authorization (described later)
4. sends a purchase response to cardholder
Payment Gateway Authorization
1. verifies all certificates
2. decrypts digital envelope of authorization block to obtain symmetric key & then decrypts authorization block
3. verifies merchant's signature on authorization block
4. decrypts digital envelope of payment block to obtain symmetric key & then decrypts payment block
5. verifies dual signature on payment block
6. verifies that transaction ID received from merchant matches that in PI received (indirectly) from customer
7. requests & receives an authorization from issuer
8. sends authorization response back to merchant
Payment Capture
• merchant sends payment gateway a payment capture request
• gateway checks request
• then causes funds to be transferred to merchants account
• notifies merchant using capture response
Summary
• have considered:
– need for web security
– SSL/TLS transport layer security protocols
– SET secure credit card payment protocols
A new authentication
• Public key approach: every message has a unique signature
• ElGamal scheme: every message has multiple signatures
ElGamal Signature Scheme
Let $p$ be a prime.
Let $\alpha$ be a primitive root of $p$.
Let $a$ be the secret number, $\beta = \alpha^a \pmod p$.
Public: $p, \alpha, \beta$
Secret: $a$
$K = (p, \alpha, a, \beta)$
ElGamal Signature Scheme
With $K = (p, \alpha, a, \beta)$
For a random $k$, $1 \le k \le p-1$,
Define $signature(x, k) = (\gamma, \delta)$, where
$\gamma = \alpha^k \pmod p$
$\delta = (x - a\gamma)k^{-1} \pmod{p-1}$
ElGamal Signature Scheme
With $(\gamma, \delta)$ and $x$
$verification(x, \gamma, \delta) = true \iff \beta^{\gamma}\gamma^{\delta} \equiv \alpha^{x} \pmod p$
Explain
This is because $\alpha^{x} \equiv \alpha^{a\gamma + k\delta} \equiv (\alpha^{a})^{\gamma}(\alpha^{k})^{\delta} \equiv \beta^{\gamma}\gamma^{\delta} \pmod p$
Misuse One
If the random number $k$ is released, it is easy to get the secret number $a$:
$\delta = (x - a\gamma)k^{-1} \pmod{p-1}$
$k\delta = (x - a\gamma) \pmod{p-1}$
$a = (x - k\delta)\gamma^{-1} \pmod{p-1}$
Misuse Two
If the same $k$ is used for two signatures $(\gamma, \delta_1)$ and $(\gamma, \delta_2)$ for $x_1$ and $x_2$ respectively:
$\beta^{\gamma}\gamma^{\delta_1} \equiv \alpha^{x_1} \pmod p$
$\beta^{\gamma}\gamma^{\delta_2} \equiv \alpha^{x_2} \pmod p$
Misuse Two
From $\beta^{\gamma}\gamma^{\delta_1} \equiv \alpha^{x_1} \pmod p$ and $\beta^{\gamma}\gamma^{\delta_2} \equiv \alpha^{x_2} \pmod p$
we have $\alpha^{x_1 - x_2} \equiv \gamma^{\delta_1 - \delta_2} \pmod p$
Since $\gamma \equiv \alpha^{k} \pmod p$, $\alpha^{x_1 - x_2} \equiv \alpha^{k(\delta_1 - \delta_2)} \pmod p$
Misuse Two
It is equivalent to $x_1 - x_2 \equiv k(\delta_1 - \delta_2) \pmod{p-1}$
Let $d = \gcd(\delta_1 - \delta_2, p-1)$
We have $d \mid (p-1)$, $d \mid (\delta_1 - \delta_2)$, $d \mid (x_1 - x_2)$
Misuse Two
We have $x' \equiv k\delta' \pmod{p'}$, where $x' = (x_1 - x_2)/d$, $\delta' = (\delta_1 - \delta_2)/d$, $p' = (p-1)/d$
$k \equiv x'(\delta')^{-1} \pmod{p'}$
$k = x'(\delta')^{-1} + ip' \pmod{p-1}$ for $i = 0, 1, 2, \ldots, d-1$
Select one of them to have $\gamma \equiv \alpha^{k} \pmod p$
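The scheme and both misuse derivations above carried out in code, as an added example that is not from the slides: signing and verification as defined, then recovery of a from a leaked k (Misuse One) and recovery of k from two signatures sharing it (Misuse Two, including the d candidates and the final check against gamma). The values p = 467, alpha = 2, a = 127, k = 213 and the messages are constructed toy parameters.

```python
# Added example, not from the slides: ElGamal signing/verification as defined above, and the
# two "misuse" derivations run as code: (1) a leaked k gives a, (2) one k reused for two
# messages gives k and then a.  p, alpha, a, k and the messages are constructed toy values.
from math import gcd


def elgamal_keygen(p, alpha, a):
    # K = (p, alpha, a, beta) with beta = alpha^a mod p
    return {"p": p, "alpha": alpha, "a": a, "beta": pow(alpha, a, p)}


def elgamal_sign(K, x, k):
    p, alpha, a = K["p"], K["alpha"], K["a"]
    if not (1 <= k <= p - 1) or gcd(k, p - 1) != 1:
        raise ValueError("k must be in [1, p-1] and invertible mod p-1")
    gamma = pow(alpha, k, p)
    delta = ((x - a * gamma) * pow(k, -1, p - 1)) % (p - 1)
    return gamma, delta


def elgamal_verify(K, x, gamma, delta):
    p, alpha, beta = K["p"], K["alpha"], K["beta"]
    if not (0 < gamma < p):
        return False
    return (pow(beta, gamma, p) * pow(gamma, delta, p)) % p == pow(alpha, x, p)


def secret_from_leaked_k(K, x, gamma, delta, k):
    """Misuse One: a = (x - k*delta) * gamma^-1 mod (p-1); needs gcd(gamma, p-1) = 1."""
    p = K["p"]
    return ((x - k * delta) * pow(gamma, -1, p - 1)) % (p - 1)


def k_from_reused_nonce(K, x1, delta1, x2, delta2, gamma):
    """Misuse Two: same gamma (same k) on x1 and x2.  Follows the slides:
    x1 - x2 = k (delta1 - delta2) mod (p-1); divide by d = gcd(delta1 - delta2, p-1),
    solve mod p' = (p-1)/d, then test the d candidates against gamma = alpha^k mod p."""
    p, alpha = K["p"], K["alpha"]
    d = gcd(delta1 - delta2, p - 1)
    if (x1 - x2) % d != 0:
        return None                        # not two genuine signatures under one k
    x_, delta_, p_ = (x1 - x2) // d, (delta1 - delta2) // d, (p - 1) // d
    eps = (x_ * pow(delta_, -1, p_)) % p_  # k mod p'
    for i in range(d):
        k = (eps + i * p_) % (p - 1)
        if pow(alpha, k, p) == gamma:
            return k
    return None


def demo():
    """Returns ((gamma, delta) of x1, verify result, recovered k, recovered a)."""
    K = elgamal_keygen(p=467, alpha=2, a=127)     # constructed toy parameters
    x1, x2, k = 100, 250, 213
    g1, d1 = elgamal_sign(K, x1, k)
    g2, d2 = elgamal_sign(K, x2, k)               # the mistake: same k twice (g2 == g1)
    k_rec = k_from_reused_nonce(K, x1, d1, x2, d2, g1)
    a_rec = secret_from_leaked_k(K, x1, g1, d1, k_rec)
    return (g1, d1), elgamal_verify(K, x1, g1, d1), k_rec, a_rec


if __name__ == "__main__":
    print(demo())
```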
Digital Signature Standard
Let $p$ be a prime of 512 bits
Let $q$ be a prime of 160 bits and $q \mid (p-1)$
Let $\alpha$ be a $q$-th root of 1 modulo $p$: $\alpha^{q} \equiv 1 \pmod p$
Let $a$ be the secret number, $1 \le a \le q-1$, $\beta = \alpha^{a} \pmod p$
Public: $p, q, \alpha, \beta$
Secret: $a$
$K = (p, q, \alpha, a, \beta)$
Digital Signature Standard
With $K = (p, q, \alpha, a, \beta)$
For a random $k$, $1 \le k \le q-1$,
Define $signature(x, k) = (\gamma, \delta)$, where
$\gamma = (\alpha^{k} \pmod p) \pmod q$
$\delta = (x + a\gamma)k^{-1} \pmod q$
$e_1 = x\delta^{-1} \pmod q$, $e_2 = \gamma\delta^{-1} \pmod q$
Digital Signature Standard
With $(\gamma, \delta)$ and $x$
$verification(x, \gamma, \delta) = true \iff (\alpha^{e_1}\beta^{e_2} \pmod p) \pmod q = \gamma$
Explain
This is because $\alpha^{e_1}\beta^{e_2} \equiv \alpha^{x\delta^{-1}}\alpha^{a\gamma\delta^{-1}} \equiv \alpha^{(x + a\gamma)\delta^{-1}} \equiv \alpha^{k} \pmod p$
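DSS signing and verification with the symbols of the slides above, as an added example that is not from the slides; the 512-bit p and 160-bit q are replaced by constructed toy values p = 607, q = 101 (q | p-1), and the function explain_identity checks the identity of the "Explain" slide directly.

```python
# Added example, not from the slides: DSS signing and verification with the symbols used
# above (p, q, alpha, a, beta, gamma, delta, e1, e2), on constructed toy-sized parameters.
# The slides' p of 512 bits and q of 160 bits are replaced by p = 607, q = 101 (q | p-1).

def dss_params(p, q, h):
    """alpha = h^((p-1)/q) mod p is a q-th root of 1 mod p (alpha^q = 1) when it is not 1."""
    if (p - 1) % q != 0:
        raise ValueError("q must divide p-1")
    alpha = pow(h, (p - 1) // q, p)
    if alpha == 1:
        raise ValueError("choose another h")
    return alpha


def dss_keygen(p, q, alpha, a):
    if not (1 <= a <= q - 1):
        raise ValueError("secret a must be in [1, q-1]")
    return {"p": p, "q": q, "alpha": alpha, "a": a, "beta": pow(alpha, a, p)}


def dss_sign(K, x, k):
    """signature(x, k) = (gamma, delta); x is the message hash, reduced mod q here."""
    p, q, alpha, a = K["p"], K["q"], K["alpha"], K["a"]
    if not (1 <= k <= q - 1):
        raise ValueError("k must be in [1, q-1]")
    gamma = pow(alpha, k, p) % q
    delta = ((x + a * gamma) * pow(k, -1, q)) % q
    if gamma == 0 or delta == 0:
        raise ValueError("degenerate signature; pick a fresh k")
    return gamma, delta


def dss_verify(K, x, gamma, delta):
    p, q, alpha, beta = K["p"], K["q"], K["alpha"], K["beta"]
    if not (0 < gamma < q and 0 < delta < q):
        return False               # reject out-of-range values before inverting delta
    w = pow(delta, -1, q)
    e1 = (x * w) % q
    e2 = (gamma * w) % q
    return (pow(alpha, e1, p) * pow(beta, e2, p) % p) % q == gamma


def explain_identity(K, x, k, gamma, delta):
    """The 'Explain' slide: alpha^e1 * beta^e2 mod p equals alpha^k mod p."""
    p, q, alpha, beta = K["p"], K["q"], K["alpha"], K["beta"]
    w = pow(delta, -1, q)
    lhs = pow(alpha, (x * w) % q, p) * pow(beta, (gamma * w) % q, p) % p
    return lhs == pow(alpha, k, p)


if __name__ == "__main__":
    alpha = dss_params(607, 101, 2)                 # constructed toy parameters
    K = dss_keygen(607, 101, alpha, a=57)
    gamma, delta = dss_sign(K, x=200, k=33)
    print((gamma, delta), dss_verify(K, 200, gamma, delta))
```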
Intrusion Detection
Cryptography and Network Security
Third Edition
by William Stallings
Lecture slides by Lawrie Brown
Chapter 18 – Intruders
They agreed that Graham should set the test for Charles Mabledene. It was neither more nor less than that Dragon should get Stern's code. If he had the 'in' at Utting which he claimed to have this should be possible, only loyalty to Moscow Centre would prevent it. If he got the key to the code he would prove his loyalty to London Central beyond a doubt.—Talking to Strange Men, Ruth Rendell
Intruders
• significant issue for networked systems is hostile or unwanted access
• either via network or local
• can identify classes of intruders:
– masquerader
– misfeasor
– clandestine user
• varying levels of competence
Intruders
• clearly a growing publicized problem
– from “Wily Hacker” in 1986/87
– to clearly escalating CERT stats
• may seem benign, but still cost resources
• may use compromised system to launch other attacks
Intrusion Techniques
• aim to increase privileges on system
• basic attack methodology
– target acquisition and information gathering
– initial access
– privilege escalation
– covering tracks
• key goal often is to acquire passwords
• so then exercise access rights of owner
Password Guessing
• one of the most common attacks
• attacker knows a login (from email/web page etc)
• then attempts to guess password for it
– try default passwords shipped with systems
– try all short passwords
– then try by searching dictionaries of common words
– intelligent searches try passwords associated with the user (variations on names, birthday, phone, common words/interests)
– before exhaustively searching all possible passwords
• check by login attempt or against stolen password file
• success depends on password chosen by user
• surveys show many users choose poorly
Password Capture
• another attack involves password capture
– watching over shoulder as password is entered
– using a trojan horse program to collect
– monitoring an insecure network login (eg. telnet, FTP, web, email)
– extracting recorded info after successful login (web history/cache, last number dialed etc)
• using valid login/password can impersonate user
• users need to be educated to use suitable precautions/countermeasures
Intrusion Detection
• inevitably will have security failures
• so need also to detect intrusions so can
– block if detected quickly
– act as deterrent
– collect info to improve security
• assume intruder will behave differently to a legitimate user
– but will have imperfect distinction between
Approaches to Intrusion Detection
• statistical anomaly detection
– threshold
– profile based
• rule-based detection
– anomaly
– penetration identification
Audit Records
• fundamental tool for intrusion detection
• native audit records
– part of all common multi-user O/S
– already present for use
– may not have info wanted in desired form
• detection-specific audit records
– created specifically to collect wanted info
– at cost of additional overhead on system
Statistical Anomaly Detection
• threshold detection
– count occurrences of specific event over time
– if exceed reasonable value assume intrusion
– alone is a crude & ineffective detector
• profile based
– characterize past behavior of users
– detect significant deviations from this
– profile usually multi-parameter
Audit Record Analysis
• foundation of statistical approaches
• analyze records to get metrics over time
– counter, gauge, interval timer, resource use
• use various tests on these to determine if current behavior is acceptable
– mean & standard deviation, multivariate, markov process, time series, operational
• key advantage is no prior knowledge used
Examples
• Counter: number of logins by a single user
• Gauge: number of outgoing messages for a user process
• Interval timer: length of time between successive logins to an account.
• Resource utilization: number of pages printed during a user session and time consumed by a program execution.
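The two statistical approaches of the preceding slides run over a constructed audit log, as an added example that is not from the slides: threshold detection counts one event per user inside a time window, and profile-based detection keeps the interval-timer metric (seconds between successive logins) per user and applies the mean and standard deviation test to a new login. The users, timestamps and event names are constructed.

```python
# Added example, not from the slides: the slides' two statistical approaches run over a
# constructed audit log.  Threshold detection counts one event per user inside a time window;
# profile-based detection keeps an interval timer (seconds between successive logins) per
# user and flags a new login whose interval deviates from the user's mean by > N std devs.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit records: (timestamp_seconds, user, event)
AUDIT_RECORDS = [
    (0,      "alice", "login_ok"),
    (86400,  "alice", "login_ok"),
    (172750, "alice", "login_ok"),
    (259200, "alice", "login_ok"),
    (345500, "alice", "login_ok"),
    (432000, "alice", "login_ok"),
    (432001, "alice", "login_failed"),
    (432002, "alice", "login_failed"),
    (500000, "bob",   "login_failed"),     # six failures inside 50 seconds
    (500010, "bob",   "login_failed"),
    (500020, "bob",   "login_failed"),
    (500030, "bob",   "login_failed"),
    (500040, "bob",   "login_failed"),
    (500050, "bob",   "login_failed"),
    (600000, "carol", "login_failed"),     # six failures spread over ~3 hours
    (602000, "carol", "login_failed"),
    (604000, "carol", "login_failed"),
    (606000, "carol", "login_failed"),
    (608000, "carol", "login_failed"),
    (610000, "carol", "login_failed"),
]


def threshold_alerts(records, event, limit, window):
    """Users with more than `limit` occurrences of `event` inside any `window` seconds."""
    by_user = defaultdict(list)
    for ts, user, ev in records:
        if ev == event:
            by_user[user].append(ts)
    flagged = set()
    for user, times in by_user.items():
        times.sort()
        # if the (limit+1)-th event from position i still falls inside the window, alert
        for i in range(len(times) - limit):
            if times[i + limit] - times[i] <= window:
                flagged.add(user)
                break
    return flagged


def login_intervals(records, user):
    """Interval timer metric: seconds between successive successful logins."""
    times = sorted(ts for ts, u, ev in records if u == user and ev == "login_ok")
    return [b - a for a, b in zip(times, times[1:])]


def build_profile(intervals):
    return {"mean": mean(intervals), "stdev": pstdev(intervals), "n": len(intervals)}


def deviates(profile, value, nsigma=3.0):
    """Mean & standard deviation test from the slides."""
    if profile["stdev"] == 0:
        return value != profile["mean"]
    return abs(value - profile["mean"]) / profile["stdev"] > nsigma


def check_new_login(records, user, new_ts, nsigma=3.0):
    """Profile from history, then judge the interval to a new login at new_ts."""
    history = login_intervals(records, user)
    last = max(ts for ts, u, ev in records if u == user and ev == "login_ok")
    return deviates(build_profile(history), new_ts - last, nsigma)


if __name__ == "__main__":
    print(threshold_alerts(AUDIT_RECORDS, "login_failed", limit=5, window=600))
    print(check_new_login(AUDIT_RECORDS, "alice", 432030))
```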
Rule-Based Intrusion Detection
• observe events on system & apply rules to decide if activity is suspicious or not
• rule-based anomaly detection
– analyze historical audit records to identify usage patterns & auto-generate rules for them
– then observe current behavior & match against rules to see if conforms
– like statistical anomaly detection does not require prior knowledge of security flaws
![Page 624: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/624.jpg)
Rule-Based Intrusion Detection
• rule-based penetration identification
– uses expert systems technology
– with rules identifying known penetration, weakness patterns, or suspicious behavior
– rules usually machine & O/S specific
– rules are generated by experts who interview & codify knowledge of security admins
– quality depends on how well this is done
– compare audit records or states against rules
![Page 625: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/625.jpg)
Rule examples
• Users should not read files in other users’ personal directories.
• Users must not write other users’ files
• Users who log in after hours often access the same files they used before
• Users do not generally open disk devices directly but rely on high-level commands
• Users should not be logged in more than once to the same system
• Users do not make copies of system programs
![Page 626: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/626.jpg)
Base-Rate Fallacy
• practically an intrusion detection system needs to detect a substantial percentage of intrusions with few false alarms
– if too few intrusions detected -> false security
– if too many false alarms -> ignore / waste time
• this is very hard to do
• existing systems seem not to have a good record
![Page 627: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/627.jpg)
Distributed Intrusion Detection
• traditional focus is on single systems
• but typically have networked systems
• more effective defense has these working together to detect intrusions
• issues
– dealing with varying audit record formats
– integrity & confidentiality of networked data
– centralized or decentralized architecture
![Page 628: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/628.jpg)
Distributed Intrusion Detection - Architecture
![Page 629: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/629.jpg)
Distributed Intrusion Detection – Agent Implementation
![Page 630: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/630.jpg)
Honeypots
• decoy systems to lure attackers
– away from accessing critical systems
– to collect information of their activities
– to encourage attacker to stay on system so administrator can respond
• are filled with fabricated information
• instrumented to collect detailed information on attackers' activities
• may be single or multiple networked systems
![Page 631: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/631.jpg)
Password Management
• front-line defense against intruders
• users supply both:
– login – determines privileges of that user
– password – to identify them
• passwords often stored encrypted
– Unix uses multiple DES (variant with salt)
– more recent systems use crypto hash function
![Page 632: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/632.jpg)
Managing Passwords
• need policies and good user education
• ensure every account has a default password
• ensure users change the default passwords to something they can remember
• protect password file from general access
• set technical policies to enforce good passwords
– minimum length (>6)
– require a mix of upper & lower case letters, numbers, punctuation
– block known dictionary words
![Page 633: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/633.jpg)
Managing Passwords
• may reactively run password guessing tools
– note that good dictionaries exist for almost any language/interest group
• may enforce periodic changing of passwords
• have system monitor failed login attempts, & lockout account if see too many in a short period
• do need to educate users and get support
• balance requirements with user acceptance
![Page 634: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/634.jpg)
Proactive Password Checking
• most promising approach to improving password security
• allow users to select own password
• but have system verify it is acceptable
– simple rule enforcement (see previous slide)
– compare against dictionary of bad passwords
– use algorithmic (markov model or bloom filter) to detect poor choices
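An added example (not code from the lecture) of the proactive checker these two slides describe: the rule checks from the "Managing Passwords" slide (length over 6, mixed character classes, no known dictionary words) plus a Bloom filter holding the bad-password dictionary, which is the "algorithmic" option named here. The filter size, hash count and the word list are constructed choices.

```python
"""Proactive password checker: rule enforcement plus a Bloom-filter dictionary.

Added example, not from the lecture slides. A Bloom filter lets a very large
dictionary of bad passwords be checked in a fixed amount of memory: it never
misses a word that was added, and its only error is an occasional false
positive, which for a password checker just means a good password is
rejected now and then.
"""
import hashlib
import string


class BloomFilter:
    """Bit array with num_hashes positions set per inserted word."""

    def __init__(self, num_bits=4096, num_hashes=3):
        self.num_bits = num_bits
        self.num_hashes = num_hashes
        self.bits = bytearray(num_bits // 8 + 1)

    def _positions(self, word):
        # Derive the k positions from SHA-256 of (index || word). The filter
        # keeps no secret, so any fast, well-distributed hash would do.
        for i in range(self.num_hashes):
            digest = hashlib.sha256(bytes([i]) + word.encode("utf-8")).digest()
            yield int.from_bytes(digest[:8], "big") % self.num_bits

    def add(self, word):
        for pos in self._positions(word):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, word):
        # Every position must be set; a single clear bit proves absence.
        return all(self.bits[pos // 8] & (1 << (pos % 8)) for pos in self._positions(word))


# Constructed stand-in for a real dictionary of bad passwords.
BAD_WORDS = BloomFilter()
for _word in ["password", "qwerty", "letmein", "welcome",
              "dragon", "monkey", "football", "123456"]:
    BAD_WORDS.add(_word)


def check_password(candidate, dictionary=BAD_WORDS, min_length=7):
    """Return the list of reasons a password is rejected; empty means accepted."""
    problems = []
    if len(candidate) < min_length:                     # slide: minimum length > 6
        problems.append(f"shorter than {min_length} characters")
    classes = [
        ("upper case letter", string.ascii_uppercase),
        ("lower case letter", string.ascii_lowercase),
        ("digit", string.digits),
        ("punctuation", string.punctuation),
    ]
    for name, alphabet in classes:                      # slide: require a mix
        if not any(ch in alphabet for ch in candidate):
            problems.append(f"no {name}")
    # Dictionary check is case-insensitive and also strips leading/trailing
    # digits and punctuation, so "Password1!" is still caught as "password".
    core = candidate.lower().strip(string.digits + string.punctuation)
    if candidate.lower() in dictionary or core in dictionary:
        problems.append("based on a dictionary word")
    return problems


if __name__ == "__main__":
    for pw in ["Password1!", "Ab1!", "correcthorse", "Correct-Horse7"]:
        print(pw, "->", check_password(pw) or "accepted")
```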
![Page 636: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/636.jpg)
Conditional Probability
• Pr[A|B], Pr[AB], Pr[B]
• $\Pr[A|B] = \dfrac{\Pr[AB]}{\Pr[B]}$
![Page 637: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/637.jpg)
Bayes Theorem
• E1, E2, …, En are mutually exclusive events
• $\Pr[A] = \sum_{i=1}^{n} \Pr[A|E_i]\,\Pr[E_i]$
• $\Pr[E_i|A] = \dfrac{\Pr[A|E_i]\,\Pr[E_i]}{\Pr[A]} = \dfrac{\Pr[A|E_i]\,\Pr[E_i]}{\sum_{i=1}^{n} \Pr[A|E_i]\,\Pr[E_i]}$
![Page 638: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/638.jpg)
Diagram
• E1, E2, E3, E4 (diagram of the four mutually exclusive events; figure not reproduced)
![Page 639: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/639.jpg)
Dice
• Calculate the probability of a sum of 8 on a roll of two dice, given that at least one die is even
• A = {sum of 8}
• B = {at least one die even}
• Pr[B] = (36 - 3x3)/36 = 27/36 = 3/4 (the 3x3 outcomes with both dice odd are excluded)
• Pr[AB] = 3/36 = 1/12 for (2,6), (4,4) and (6,2)
• Pr[A|B] = (1/12)/(3/4) = 1/9
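An added example (not from the lecture) tying the Conditional Probability, Bayes Theorem and Base-Rate Fallacy slides together: the dice case is enumerated over the 36 equally likely outcomes, and Bayes' theorem is then applied to an intrusion detection system's alarms. The intrusion base rate, detection rate and false-alarm rate are constructed illustrative values, not measurements.

```python
"""Conditional probability and Bayes' theorem on this lecture's examples.

Added example, not code from the slides. Exact fractions are used so the
results can be compared with the slide's hand calculation.
"""
from fractions import Fraction
from itertools import product


def conditional_probability(event_a, event_b, sample_space):
    """Pr[A|B] = Pr[AB] / Pr[B] over a finite, equally likely sample space.

    event_a and event_b are predicates on one outcome.
    """
    in_b = [o for o in sample_space if event_b(o)]
    if not in_b:
        raise ValueError("Pr[B] = 0: conditional probability undefined")
    in_ab = [o for o in in_b if event_a(o)]
    # With equally likely outcomes, Pr[AB]/Pr[B] reduces to |AB| / |B|.
    return Fraction(len(in_ab), len(in_b))


def dice_sum_given_one_even(target_sum=8):
    """Slide example: A = {sum is target_sum}, B = {at least one die even}."""
    outcomes = list(product(range(1, 7), repeat=2))   # 36 ordered rolls

    def is_a(o):
        return o[0] + o[1] == target_sum

    def is_b(o):
        return o[0] % 2 == 0 or o[1] % 2 == 0

    return conditional_probability(is_a, is_b, outcomes)


def bayes_posterior(prior, likelihood_if_true, likelihood_if_false):
    """Pr[E|A] for the two-event partition {E, not E}.

    Pr[E|A] = Pr[A|E]Pr[E] / (Pr[A|E]Pr[E] + Pr[A|not E]Pr[not E]); the
    denominator is Pr[A] written as a total probability over the partition,
    which is the slide's formula with n = 2.
    """
    prior = Fraction(prior)
    p_true = Fraction(likelihood_if_true) * prior
    p_false = Fraction(likelihood_if_false) * (1 - prior)
    return p_true / (p_true + p_false)


def ids_alarm_precision(base_rate, detection_rate, false_alarm_rate):
    """Base-rate fallacy: the fraction of alarms that are real intrusions.

    base_rate        = Pr[intrusion] per audit record
    detection_rate   = Pr[alarm | intrusion]
    false_alarm_rate = Pr[alarm | no intrusion]
    Arguments may be Fractions or strings such as "2/10000" (kept exact).
    """
    return bayes_posterior(base_rate, detection_rate, false_alarm_rate)


if __name__ == "__main__":
    print("Pr[sum 8 | at least one even] =", dice_sum_given_one_even())  # 1/9
    # Constructed rates: 2 intrusions per 10,000 records, a detector that
    # catches 99% of them and falsely alarms on only 1% of clean records.
    precision = ids_alarm_precision("2/10000", "99/100", "1/100")
    print("Pr[intrusion | alarm] =", precision, "~", round(float(precision), 4))
    # Under 2% of alarms are real: because intrusions are rare, even a good
    # detector's alarms are mostly false, which is the base-rate fallacy.
```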
![Page 640: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/640.jpg)
Problem
• Compute the probability that the sum of a roll of two dice is 7, under the condition that at least one die is odd.
![Page 641: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/641.jpg)
Summary
• have considered:
– problem of intrusion
– intrusion detection (statistical & rule-based)
– password management
![Page 643: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/643.jpg)
Intruders
• clearly a growing publicized problem
• may seem benign, but still cost resources
• may use compromised system to launch other attacks
![Page 644: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/644.jpg)
Intruders
• significant issue for networked systems is hostile or unwanted access
• either via network or local
• can identify classes of intruders:
– masquerader
– misfeasor
– clandestine user
• varying levels of competence
![Page 645: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/645.jpg)
Password Capture
• another attack involves password capture
– watching over shoulder as password is entered
– using a trojan horse program to collect
– monitoring an insecure network login (eg. telnet, FTP, web, email)
– extracting recorded info after successful login (web history/cache, last number dialed etc)
• using valid login/password can impersonate user
• users need to be educated to use suitable precautions/countermeasures
![Page 646: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/646.jpg)
Password Checking
• Let H(x) be a hash function with the one-way property
• For a password y with id u, Z = H(y) is saved for u.
• When a password y' is typed for u, fetch Z and check whether $Z = H(y')$
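The check on this slide, as an added example that is not code from the lecture. The slide's abstract one-way H is instantiated with SHA-256 (an assumption), and a random per-user salt is stored next to Z = H(salt || y) as the earlier "Unix uses ... variant with salt" slide describes, so two users with the same password get different Z values and a precomputed table of H(y) values cannot be reused against the password file.

```python
"""Password checking with a one-way hash and a per-user salt.

Added example, not from the lecture slides. Only (salt, Z) is stored per
user; the password y itself is never kept.
"""
import hashlib
import hmac
import os

# In-memory stand-in for the system's password file: id u -> (salt, Z).
PASSWORD_FILE = {}


def hash_password(salt, password):
    """Z = H(salt || y), with H instantiated as SHA-256 (assumption)."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def register(user, password, salt=None):
    """Store (salt, Z = H(salt || y)) for user u.

    A fresh 16-byte random salt is drawn unless one is supplied; the
    parameter exists only so the behaviour can be tested deterministically.
    """
    salt = os.urandom(16) if salt is None else salt
    PASSWORD_FILE[user] = (salt, hash_password(salt, password))
    return PASSWORD_FILE[user]


def check_login(user, attempt):
    """Fetch Z for u and test Z == H(salt || y').

    An unknown user fails the same way as a wrong password, and the hash is
    computed in both cases, so the response does not reveal which it was.
    """
    record = PASSWORD_FILE.get(user)
    if record is None:
        hash_password(b"\x00" * 16, attempt)   # keep timing similar
        return False
    salt, stored_z = record
    # compare_digest runs in constant time, so the comparison does not leak
    # how many leading bytes of H(y') matched the stored Z.
    return hmac.compare_digest(stored_z, hash_password(salt, attempt))


if __name__ == "__main__":
    register("alice", "correct horse")
    register("bob", "correct horse")                 # same y, different Z
    print(check_login("alice", "correct horse"))     # True
    print(check_login("alice", "wrong horse"))       # False
    print(PASSWORD_FILE["alice"][1] != PASSWORD_FILE["bob"][1])   # True
```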
![Page 649: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/649.jpg)
Managing Passwords
• may reactively run password guessing tools
– note that good dictionaries exist for almost any language/interest group
• may enforce periodic changing of passwords
• have system monitor failed login attempts, & lockout account if see too many in a short period
• do need to educate users and get support
• balance requirements with user acceptance
• be aware of social engineering attacks
![Page 652: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/652.jpg)
```c
#include <stdio.h>

#define d1 2.0
#define d2 4.0
#define realPassword 2314

int address;
double c1, c2;
double a[10000];

int main(void)
{
    int password;               /* declaration was missing on the slide */
    /* ...... */
    address = realPassword;     /* we may use another name instead of realPassword */
    a[address] = 0;
    c2 = d2;
    scanf("%d", &password);     /* note: no bounds check; values outside 0..9999 write past a[] */
    a[password] = d1;           /* only the correct password lands on a[address] */
    c1 = a[address];            /* c1 gets d1 if password equals realPassword, else stays 0 */
    return 0;
}
```
![Page 653: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/653.jpg)
```c
#include <stdio.h>
#include <math.h>

#define d1 2.0
#define d2 4.0
#define realPassword 2314

int address;
double c1, c2;
double a[10000];

/* Solves x^2 + b x + c = 0 using the globals c1 and c2 in place of 2 and 4. */
void quadratic(double b, double c, double *root1, double *root2)
{
    double temp;
    temp = sqrt(b * b - c2 * c);    /* c2 == 4.0, so this is sqrt(b^2 - 4c) */
    *root1 = (-b + temp) / c1;      /* c1 == 2.0 only if the password was correct */
    *root2 = (-b - temp) / c1;      /* otherwise c1 == 0 and the division fails */
}

int main(void)
{
    double root1, root2;
    int password;
    address = realPassword;         /* we may use another name instead of realPassword */
    a[address] = 0;
    c2 = d2;
    scanf("%d", &password);         /* note: no bounds check; values outside 0..9999 write past a[] */
    a[password] = d1;
    c1 = a[address];                /* c1 gets d1 if password is correct (equal to realPassword) */
    scanf("%lf", &a[0]);            /* read the parameter b */
    scanf("%lf", &a[1]);            /* read the parameter c */
    quadratic(a[0], a[1], &root1, &root2);
    printf("%lf, %lf\n", root1, root2);
    return 0;
}
```
![Page 654: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/654.jpg)
The Vulnerability of Web Servers
Here we only discuss web applications written in PHP.
1. PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.
2. PHP provides many useful functions that make programming easier, but attackers can also use these functions to do unexpected things.
![Page 655: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/655.jpg)
This form allows the web browser user to upload a file from their local machine to the remote web server.
```html
<FORM METHOD="POST" ENCTYPE="multipart/form-data">
<INPUT TYPE="FILE" NAME="upload">
<INPUT TYPE="HIDDEN" NAME="MAX_FILE_SIZE" VALUE="10240">
<INPUT TYPE="SUBMIT" NAME="Submit Query">
</FORM>
```
It looks as follows:
![Page 656: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/656.jpg)
This function is obviously useful but also brings risk.
The attacker's ultimate goal is to execute commands on the remote web server, and they cannot achieve that using files on their own machine.
Therefore they need to get PHP code into a file that is local to the remote machine. This sounds like an impossible task initially, but file upload comes to the rescue: if the attacker creates a file on their machine containing PHP code to be executed and then uploads it, PHP will be kind enough to save the attacker's file.
![Page 657: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/657.jpg)
Simple example
This is an upload form. It allows students to upload their homework to the "upload" folder on the remote web server, but it has no control over the uploaded file; in other words, students can submit any kind of file.
![Page 658: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/658.jpg)
Simple example
To let students check whether they submitted their homework successfully, the web server returns a list of all the files in the "upload" folder to the client, allowing students to view the filenames.
![Page 659: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/659.jpg)
Simple example
But if somebody submits a PHP file like the one shown and executes it on the remote web server, then Jack's homework will be deleted, and those files are obviously important to Jack.
ex. "./" means the current directory
![Page 660: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/660.jpg)
Solution
• Forbid some unsafe functions by configuring parameters of the web server.
ex. Set "safe_mode on" in the "php.ini" file; its effects include: 1. restricting which commands can be executed 2. restricting which functions can be used 3. if you want, removing file upload completely
• Add code to the upload program to reject files that are executable or dangerous. We can also use some simple code to change the uploaded file's extension so that it cannot be executed.
![Page 661: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/661.jpg)
Cryptography and Network Security
Third Edition
by William Stallings
Lecture slides by Lawrie Brown
![Page 662: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/662.jpg)
Chapter 20 – Firewalls
The function of a strong position is to make the forces holding it practically unassailable
—On War, Carl Von Clausewitz
![Page 663: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/663.jpg)
Introduction
• seen evolution of information systems
• now everyone wants to be on the Internet
• and to interconnect networks
• has persistent security concerns
– can't easily secure every system in org
• need "harm minimisation"
• a Firewall usually part of this
![Page 664: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/664.jpg)
What is a Firewall?
• a choke point of control and monitoring
• interconnects networks with differing trust
• imposes restrictions on network services
– only authorized traffic is allowed
• auditing and controlling access
– can implement alarms for abnormal behavior
• is itself immune to penetration
• provides perimeter defence
![Page 665: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/665.jpg)
Firewall Limitations
• cannot protect from attacks bypassing it
– eg sneaker net, utility modems, trusted organisations, trusted services (eg SSL/SSH)
• cannot protect against internal threats
– eg disgruntled employee
• cannot protect against transfer of all virus infected programs or files
– because of huge range of O/S & file types, it is impossible to scan all files and emails
![Page 666: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/666.jpg)
Firewalls – Packet Filters
![Page 667: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/667.jpg)
Firewalls – Packet Filters
• simplest of components
• foundation of any firewall system
• examine each IP packet (no context) and permit or deny according to rules
• hence restrict access to services (ports)
• possible default policies
– that not expressly permitted is prohibited
– that not expressly prohibited is permitted
![Page 668: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/668.jpg)
Firewalls – Packet Filters
![Page 669: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/669.jpg)
Attacks on Packet Filters
• IP address spoofing
– fake source address to be trusted
– add filters on router to block
• source routing attacks
– attacker sets a route other than default
– block source routed packets
• tiny fragment attacks
– split header info over several tiny packets
– either discard or reassemble before check
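An added example (not code from the lecture) of the stateless packet filter of the previous slides together with the three countermeasures listed here: each packet is judged on its own header fields with no session context, the first matching rule decides, and the chosen default policy applies when nothing matches. The internal network, rules and packets are constructed.

```python
"""Stateless packet filter with a configurable default policy.

Added example, not from the lecture slides. The three checks from the
"Attacks on Packet Filters" slide run before the rule list.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

INTERNAL_NET = ip_network("192.0.2.0/24")   # constructed internal address range
MIN_FIRST_FRAGMENT = 20                     # bytes: room for a full TCP header


@dataclass
class Packet:
    iface: str                 # "ext" (outside) or "int" (inside) arrival interface
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: int = 0
    frag_offset: int = 0       # 0 marks the first (or only) fragment
    length: int = 1500
    source_routed: bool = False


@dataclass
class Rule:
    action: str                # "permit" or "deny"
    proto: str = "any"
    src: str = "any"           # CIDR block or "any"
    dst: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.src != "any" and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(p.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == p.dport


@dataclass
class PacketFilter:
    rules: List[Rule] = field(default_factory=list)
    default: str = "deny"      # "that not expressly permitted is prohibited"

    def decide(self, p: Packet) -> str:
        # IP address spoofing: an internal source address cannot legitimately
        # arrive on the external interface, so the router filters it out.
        if p.iface == "ext" and ip_address(p.src) in INTERNAL_NET:
            return "deny:spoofed-source"
        # Source routing: the sender chose the path, so drop such packets.
        if p.source_routed:
            return "deny:source-routed"
        # Tiny fragments: a first fragment too small to hold the transport
        # header would push the port number into a later fragment; discard.
        if p.frag_offset == 0 and p.length < MIN_FIRST_FRAGMENT:
            return "deny:tiny-fragment"
        for rule in self.rules:          # first match wins, no context kept
            if rule.matches(p):
                return rule.action
        return self.default


# Constructed policy: permit web traffic to one server, deny telnet anywhere,
# everything else falls through to the default policy.
POLICY = [
    Rule("permit", proto="tcp", dst="192.0.2.10/32", dport=80),
    Rule("deny", proto="tcp", dport=23),
]

if __name__ == "__main__":
    fw = PacketFilter(POLICY)
    print(fw.decide(Packet("ext", "198.51.100.7", "192.0.2.10", "tcp", 80)))   # permit
    print(fw.decide(Packet("ext", "198.51.100.7", "192.0.2.10", "udp", 53)))   # deny (default)
    print(PacketFilter(POLICY, default="permit").decide(
        Packet("ext", "198.51.100.7", "192.0.2.10", "udp", 53)))              # permit (default)
```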
![Page 670: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/670.jpg)
Firewalls – Stateful Packet Filters
• examine each IP packet in context
– keeps track of client-server sessions
– checks each packet validly belongs to one
• better able to detect bogus packets out of context
![Page 671: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/671.jpg)
Firewalls - Application Level Gateway (or Proxy)
![Page 672: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/672.jpg)
Firewalls - Application Level Gateway (or Proxy)
• use an application specific gateway / proxy
• has full access to protocol
– user requests service from proxy
– proxy validates request as legal
– then actions request and returns result to user
• need separate proxies for each service
– some services naturally support proxying
– others are more problematic
– custom services generally not supported
![Page 673: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/673.jpg)
Firewalls - Circuit Level Gateway
![Page 674: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/674.jpg)
Firewalls - Circuit Level Gateway
• relays two TCP connections
• imposes security by limiting which such connections are allowed
• once created usually relays traffic without examining contents
• typically used when internal users are trusted, by allowing general outbound connections
• SOCKS commonly used for this
![Page 675: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/675.jpg)
Bastion Host
• highly secure host system
• potentially exposed to "hostile" elements
• hence is secured to withstand this
• may support 2 or more net connections
• may be trusted to enforce trusted separation between network connections
• runs circuit / application level gateways
• or provides externally accessible services
![Page 676: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/676.jpg)
Firewall Configurations
![Page 677: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/677.jpg)
Firewall Configurations
![Page 678: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/678.jpg)
Firewall Configurations
![Page 679: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/679.jpg)
Access Control
• given system has identified a user
• determine what resources they can access
• general model is that of access matrix with
– subject - active entity (user, process)
– object - passive entity (file or resource)
– access right – way object can be accessed
• can decompose by
– columns as access control lists
– rows as capability tickets
![Page 680: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/680.jpg)
Access Control Matrix
![Page 681: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/681.jpg)
Trusted Computer Systems
• information security is increasingly important
• have varying degrees of sensitivity of information
– cf military info classifications: confidential, secret etc
• subjects (people or programs) have varying rights of access to objects (information)
• want to consider ways of increasing confidence in systems to enforce these rights
• known as multilevel security
– subjects have maximum & current security level
– objects have a fixed security level classification
![Page 682: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/682.jpg)
Bell LaPadula (BLP) Model
• one of the most famous security models
• implemented as mandatory policies on system
• has two key policies:
• no read up (simple security property)
– a subject can only read/write an object if the current security level of the subject dominates (>=) the classification of the object
• no write down (*-property)
– a subject can only append/write to an object if the current security level of the subject is dominated by (<=) the classification of the object
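The two BLP properties as an added example (not code from the lecture). Security levels are modelled as a total order (an assumption; a full MLS system uses a lattice of level and category set), and a subject carries the maximum and current levels described on the "Trusted Computer Systems" slide.

```python
"""Bell-LaPadula access decisions: no read up, no write down.

Added example, not from the lecture slides. Level names and the ordering
below are constructed to mirror the military classifications mentioned.
"""
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def dominates(level_a, level_b):
    """level_a dominates level_b when it is at least as high in LEVELS."""
    return LEVELS[level_a] >= LEVELS[level_b]


class Subject:
    def __init__(self, name, max_level, current_level=None):
        current_level = current_level or max_level
        if not dominates(max_level, current_level):
            raise ValueError("current level may not exceed maximum level")
        self.name = name
        self.max_level = max_level
        self.current_level = current_level

    def lower_to(self, level):
        """A subject may operate at any current level dominated by its maximum."""
        if not dominates(self.max_level, level):
            raise ValueError(f"{self.name} is not cleared for {level}")
        self.current_level = level


def may_read(subject, object_level):
    """Simple security property (no read up): the subject's current level
    must dominate the object's classification."""
    return dominates(subject.current_level, object_level)


def may_write(subject, object_level):
    """*-property (no write down): the object's classification must dominate
    the subject's current level, so data never flows to a lower level."""
    return dominates(object_level, subject.current_level)


def access_decision(subject, object_level, mode):
    """Reference-monitor style decision for mode "read" or "write"."""
    check = {"read": may_read, "write": may_write}[mode]
    return "grant" if check(subject, object_level) else "deny"


if __name__ == "__main__":
    analyst = Subject("analyst", max_level="secret")
    print(access_decision(analyst, "confidential", "read"))   # grant: read down is fine
    print(access_decision(analyst, "top secret", "read"))     # deny: no read up
    print(access_decision(analyst, "confidential", "write"))  # deny: no write down
    print(access_decision(analyst, "top secret", "write"))    # grant: write up is allowed
    # Lowering the current level is how a cleared user writes a confidential
    # document without violating the *-property; they then cannot read secret.
    analyst.lower_to("confidential")
    print(access_decision(analyst, "confidential", "write"),
          access_decision(analyst, "secret", "read"))         # grant deny
```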
![Page 683: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/683.jpg)
Reference Monitor
![Page 684: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/684.jpg)
Evaluated Computer Systems
• governments can evaluate IT systems
• against a range of standards:
– TCSEC, IPSEC and now Common Criteria
• define a number of "levels" of evaluation with increasingly stringent checking
• have published lists of evaluated products
– though aimed at government/defense use
– can be useful in industry also
![Page 685: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/685.jpg)
Summary
• have considered:
– firewalls
– types of firewalls
– configurations
– access control
– trusted systems
![Page 686: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/686.jpg)
Requirements for Hash function
• H(x) is easy to compute
• Given h, it is computationally hard to find x such that H(x)=h: One-way property
• Given x, it is computationally hard to find y ≠ x such that H(x)=H(y): Weak collision resistance
• It is computationally hard to find any pair x ≠ y such that H(x)=H(y): Strong collision resistance
![Page 687: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/687.jpg)
Pseudorandom Number Generator
Applications:
• Key generation
• Randomized algorithm
• Authentication protocols
• ……
![Page 688: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/688.jpg)
Randomness
• Uniform distribution: The frequency of each number should be approximately the same.
• Independence: No one value in the sequence can be inferred from the others
• Unpredictability
![Page 689: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/689.jpg)
Linear Generator
A sequence of numbers is generated by
$X_{n+1} = (aX_n + c) \bmod m$
$X_0$: starting value $(0 \le X_0 < m)$
a: the multiplier $(0 < a < m)$
c: the increment $(0 \le c < m)$
m: the modulus $(m > 0)$
![Page 690: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/690.jpg)
Requirements for linear generator
• Should generate all numbers between 0 and m (full period)
• Should look random
• Should be implementable efficiently with 32-bit arithmetic
![Page 691: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/691.jpg)
Linear Generator
A sequence of numbers is generated by
$X_{n+1} = (aX_n + c) \bmod m$
$m = 2^{31} - 1$
$a = 7^5 = 16807$
$c = 0$
$X_{n+1} = (16807\, X_n) \bmod (2^{31} - 1)$
![Page 692: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/692.jpg)
Linear Generator weakness
If m, c, a are known, then once a single number is discovered, all subsequent numbers are known.
If it is only known that a linear generator is used, an attacker can still solve the equations:
$X_2 = (aX_1 + c) \bmod m$
$X_3 = (aX_2 + c) \bmod m$
$X_4 = (aX_3 + c) \bmod m$
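An added example (not code from the lecture) of the generator from the previous slides and of the weakness described here: the generator uses the slide's parameters a = 7^5, c = 0, m = 2^31 - 1, and recover_parameters() solves the slide's equations for a and c from three consecutive outputs when m is known, then predicts the next output. The seed values are constructed.

```python
"""Linear congruential generator and why its output is predictable.

Added example, not from the lecture slides. Subtracting the slide's
equations X_2 = aX_1 + c and X_3 = aX_2 + c (mod m) gives
X_3 - X_2 = a (X_2 - X_1) (mod m), which is solved for a; c then follows
from X_2 = aX_1 + c. With m = 2^31 - 1 prime, the inverse exists whenever
X_2 != X_1.
"""
M = 2**31 - 1      # slide: m = 2^31 - 1 (a prime)
A = 7**5           # slide: a = 16807
C = 0              # slide: c = 0


def lcg(seed, n, a=A, c=C, m=M):
    """Return X_1..X_n from X_{n+1} = (a X_n + c) mod m starting at X_0 = seed."""
    out, x = [], seed % m
    for _ in range(n):
        x = (a * x + c) % m
        out.append(x)
    return out


def recover_parameters(x1, x2, x3, m=M):
    """Solve for (a, c) given three consecutive outputs and the modulus m."""
    diff = (x2 - x1) % m
    if diff == 0:
        raise ValueError("X_2 == X_1: a cannot be determined from these outputs")
    a = (x3 - x2) * pow(diff, -1, m) % m     # modular inverse; m must be prime
    c = (x2 - a * x1) % m
    return a, c


def predict_next(x_prev, a, c, m=M):
    """Once a, c and m are known, every later output follows from the last one."""
    return (a * x_prev + c) % m


def demonstrate(seed=12345):
    """Observe X_1..X_3, recover (a, c), and verify the prediction of X_4."""
    x1, x2, x3, x4 = lcg(seed, 4)
    a, c = recover_parameters(x1, x2, x3)
    return (a, c) == (A, C) and predict_next(x3, a, c) == x4


if __name__ == "__main__":
    print(lcg(12345, 4))
    print("parameters recovered and X_4 predicted:", demonstrate())   # True
```

The same solve works for any prime modulus, so a small constructed generator (a = 25, c = 7, m = 101) can be checked by hand alongside the slide's parameters.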
![Page 693: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/693.jpg)
Generator with DES
C is a counter with period N
Key: $K_m$
Counter: $C \rightarrow C + 1$
Encryption: $X_i = E_{K_m}[C + 1]$
![Page 694: CSCI 6365](https://reader035.fdocuments.net/reader035/viewer/2022062315/56815847550346895dc59be2/html5/thumbnails/694.jpg)
Blum Blum Shub Generator
Choose two prime numbers p, q with $p \equiv q \equiv 3 \pmod 4$
Let $n = pq$
Choose a random number s relatively prime to n
$X_0 = s^2 \bmod n$
for i = 1, 2, 3, …
  $X_i = (X_{i-1})^2 \bmod n$
  $B_i = X_i \bmod 2$
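The generator on this slide as an added example (not code from the lecture). The demo primes and seed are constructed and deliberately tiny (p = 7, q = 11, s = 3) so the sequence X_0 = 9, X_1 = 4, X_2 = 16, X_3 = 25, X_4 = 9, ... can be checked by hand; the function itself accepts any p, q, s of the required form.

```python
"""Blum Blum Shub bit generator as defined on the slide.

Added example, not from the lecture slides. Real use needs large primes;
the tiny parameters in the demo exist only to make the arithmetic visible.
"""
from math import gcd


def valid_bbs_parameters(p, q, s):
    """Slide conditions: p = q = 3 (mod 4), and s relatively prime to n = pq."""
    return p % 4 == 3 and q % 4 == 3 and gcd(s, p * q) == 1


def bbs_bits(p, q, s, count):
    """Return B_1..B_count with X_0 = s^2 mod n, X_i = (X_{i-1})^2 mod n,
    and B_i = X_i mod 2 (the low-order bit of each X_i)."""
    if not valid_bbs_parameters(p, q, s):
        raise ValueError("need p = q = 3 (mod 4) and gcd(s, pq) = 1")
    n = p * q
    x = pow(s, 2, n)            # X_0 = s^2 mod n
    bits = []
    for _ in range(count):
        x = pow(x, 2, n)        # X_i = (X_{i-1})^2 mod n
        bits.append(x % 2)      # B_i = X_i mod 2
    return bits


def bits_to_int(bits):
    """Pack B_1..B_k into an integer, most significant bit first."""
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


if __name__ == "__main__":
    # Constructed tiny instance: n = 77, X_0 = 9, then 4, 16, 25, 9, 4, 16, ...
    print(bbs_bits(7, 11, 3, 8))            # [0, 0, 1, 1, 0, 0, 1, 1]
    print(bits_to_int(bbs_bits(7, 11, 3, 8)))
```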