Spring 2002 © 2000-2002, Richard A. Stanley WPI EE579T/4 #1 EE579T / CS525T Network Security 4: Asymmetric Cryptography Prof. Richard A. Stanley


WPI EE579T/4 #2

Overview of Tonight’s Class

• Roadmap to the future

• Review of last week’s class

• Class projects overview

• Security in the news

• Asymmetric cryptography

WPI EE579T/4 #3

Course Syllabus - 1

1 Computer Security Review

2 Introduction to Networking

3 Symmetric Block Ciphers

4 Asymmetric Cryptography

5 Authentication

6 Security Protocols

7 Vulnerability Assessment

WPI EE579T/4 #4

Course Syllabus - 2

8 SNMP Security

9 Firewalls

10 Intro. to Network-Based Attacks

11 Viruses, Worms, VPNs, EXAM

12 Network Security Law

13 Project Presentations

14 Project Presentations

WPI EE579T/4 #5

Scheduling Administrivia

• We will have 14 class sessions. There is one additional week built into the schedule in case a class must be cancelled

• The preceding syllabus is subject to adjustment, so don’t build your dreams on it

• Exam may be of the take-home variety or may be in class. Decision yet to be taken.

WPI EE579T/4 #6

Last Week - 1

• Symmetric key cryptography uses one key, shared by all users of the cipher

• There are many weaknesses to basic crypto algorithms like the Vernam cipher

• Feistel ciphers provide a more complex algorithm that permits iterative encryption

• Feistel cipher decryption uses same process as encryption, making process simpler

WPI EE579T/4 #7

Last Week - 2

• Block ciphers are widely used

• Most commonly used block cipher today is TDEA, operating in one of 4 modes

• TDEA is limited by 64-bit block and key size, provides poor software implementation

• AES chosen to replace TDEA

• Should be several years of coexistence

WPI EE579T/4 #8

Linux: The Secure Choice?

• Out of the box, Linux is “DREADFULLY INSECURE” say two researchers

• Administrators warned to

– set up a firewall

– decrease number of privileged programs

– tighten configurations

– reduce number of paths to root

– deploy intrusion detection.

Source: newsforge.com

WPI EE579T/4 #9

Windows More Secure than Linux?

• SecurityFocus study on security vulnerabilities reveals

– Linux software holes outnumbered Windows more than 2-to-1

– Through August 2001, an aggregate of Linux products suffered 96 vulnerabilities

– Windows NT/2000 suffered 42 vulnerabilities

– Fifth straight year Windows beat Linux in this survey

WPI EE579T/4 #10

LAN Switch Insecurities

• Cisco Catalyst LAN switches risk denial-of-service attack stemming from a buffer-overflow vulnerability in the Telnet option

– process can crash and force switch to reload

– Cisco Catalyst switches, series 4000, 5000 and 6000 and also 2948G and 2900 models running CatOS are affected

– flaw has already been exploited

• Cisco offering free upgrades by Feb. 4.

Source: The Register

WPI EE579T/4 #11

Course Projects

• Teams or individuals?

• Identify, through research, a meaningful computer security problem (reported on as historical or one you can hypothesize)

• Analyze the problem

– Why did it occur?

– How could you have prevented or mitigated it?

• Prepare report and present to the class

WPI EE579T/4 #12

DES Enciphering Computation

Feistel round

WPI EE579T/4 #13

DES Decryption

• As DES is a Feistel cipher, decryption uses the same engine as does encryption

• For decryption:

– The DES engine is precisely the same as the encryption engine -- it is not run in reverse (e.g. with the input coming in the “bottom”)

– Instead, the key schedule is run in reverse; i.e. the first subkey used is K16, then K15, etc., finishing with K1

WPI EE579T/4 #14

Cipher Function, f(Rn,Kn)

WPI EE579T/4 #15

DES Mathematics

• Only two functions used

– XOR

– Data permutation or shifting

• At the heart of the DES engine, inside the f-box, is a Vernam cipher machine!

• Vernam, by itself, is insecure. What makes DES secure?

WPI EE579T/4 #16

Symmetric Crypto Keys

• Ideally, are purely random numbers

• This is possible because:

– The keys are prepositioned at each end

– Random numbers can be generated by capturing stellar noise, diode shot noise, etc.

– The parties need only agree on where in the key stream to start

– The key does not have to obey any mathematical function other than randomness

• Many implementations use pseudo-random

WPI EE579T/4 #17

Key Types

• Permanent

– Used for a fixed, prearranged period of time

– Typically used for applications such as key distribution, government communications, etc.

• Session

– Valid only for current communications session

– Destroyed after session terminates

WPI EE579T/4 #18

Key Distribution Problem

• Secret keys must be prepositioned at all locations before secure communications can occur.

• How to do this?

– Secure physical transport

– Secure electronic transport

• The search for a way to accomplish this led to the development of public key cryptography, which we will study next class

WPI EE579T/4 #19

Asymmetric Cryptography

• Also known as public key cryptography

• Until Diffie-Hellman in 1976, this concept was heretical. It is still counterintuitive.

– NSA, British Secret Service claim to have invented years before, but kept secret

• Key has two parts

– Public: everybody knows or can know

– Private: only holder knows -- critical!!!

• Based on large prime numbers

WPI EE579T/4 #20

The Original Goal

• Diffie and Hellman did not set out to invent a new kind of cryptography

• The goal was to find a way to establish symmetrical session keys without prior placement of the keys by some other means

– i.e. to solve the key distribution problem

• This is still the primary use of the D-H exchange

WPI EE579T/4 #21

But then...

• Diffie-Hellman key exchanges proved immensely useful

• Others found that there were other uses for this general crypto principle, and algorithms were developed for encrypting data

– RSA

– El Gamal

– etc.

WPI EE579T/4 #22

Asymmetric Cryptography

[Diagram labels: Alice; Bob’s public key; Bob; Bob’s private key; Alice’s message]

WPI EE579T/4 #23

Something Different

• Clearly, asymmetric crypto differs in a basic way from symmetric crypto

– The keys are mathematically related, and cannot be purely random numbers

– The algorithms are quite different from the universe of Feistel ciphers and S-boxes

• Is this a replacement for symmetric crypto, or a complement to it?

WPI EE579T/4 #24

Asymmetric Crypto Properties

• The encryption function is one-way

• The encryption process is fungible

– Can encrypt with public key and decrypt with private key, and vice versa

• So what?

– Could this approach be used to sign documents?

– Can a signed document be used for authentication?

WPI EE579T/4 #25

Modulus Arithmetic

• In modulus arithmetic, the “value” of a number is the remainder when the number is divided by the modulus

– e.g. 11 mod 5 = 1

• Clearly, there are many numbers that have the same modular representation

– e.g. 21 mod 5 = 1, 41 mod 5 = 1, etc.

• For a modulus of n, the maximum value is n-1

WPI EE579T/4 #26

So What?

• Asymmetric cryptography is based on modulus arithmetic

• Modulus arithmetic makes it computationally infeasible to recover the number whose modulus is stated, provided certain conditions are met

• You can cheat: the Windows calculator has a modulus arithmetic mode

WPI EE579T/4 #27

Diffie-Hellman Key Exchange-1

• Alice and Bob agree on a large prime, n and g, where g is primitive mod n. These need not be kept secret

• Alice chooses a large random integer x and sends to Bob: $X = g^x \bmod n$

• Bob chooses a large random integer y and sends to Alice: $Y = g^y \bmod n$

• NB: x and y are never transmitted

WPI EE579T/4 #28

Diffie-Hellman Key Exchange-2

• Alice computes $k = Y^x \bmod n$

• Bob computes $k' = X^y \bmod n$

• But $k = k' = g^{xy} \bmod n$

• Therefore, Bob and Alice now have a secret key, k, that they can share for communications

• Eavesdroppers know only n, g, X, and Y, not x or y, which are required to compute k

WPI EE579T/4 #29

Diffie-Hellman Security

• D-H security depends on the difficulty of factoring large numbers (size of n)

• It is computationally infeasible to recover x and y from the data known to an eavesdropper by any means other than exhaustive key search

• Caveats

– n must be large

– ((n-1)/2) should also be prime

– g can be small -- even one digit
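
The exchange from the two preceding slides, run end to end with the caveats above checked first. This is an added example, not part of the original slides; the function names and the toy values n = 23, g = 5 are assumptions chosen so the arithmetic can be followed by hand, and real parameters are far larger.

```python
import secrets

def is_prime(m):
    """Trial division; adequate only for the toy sizes used here."""
    if m < 2:
        return False
    i = 2
    while i * i <= m:
        if m % i == 0:
            return False
        i += 1
    return True

def check_params(n, g):
    """Slide caveats: n prime, (n-1)/2 prime, g primitive mod n."""
    q = (n - 1) // 2
    if not (is_prime(n) and is_prime(q)):
        raise ValueError("n must be prime with (n-1)/2 also prime")
    # With n = 2q + 1 the order of g divides 2q, so g is primitive
    # exactly when neither g^2 nor g^q is 1 mod n.
    if not 1 < g < n - 1 or pow(g, 2, n) == 1 or pow(g, q, n) == 1:
        raise ValueError("g is not primitive mod n")

def keypair(n, g):
    """Return (secret exponent, public value g^secret mod n)."""
    secret = secrets.randbelow(n - 3) + 2   # 2 <= secret <= n - 2
    return secret, pow(g, secret, n)

def shared_key(their_public, my_secret, n):
    """k = Y^x mod n for Alice, k' = X^y mod n for Bob."""
    return pow(their_public, my_secret, n)

def exchange(n, g):
    """Run both sides; return both keys and what crossed the wire."""
    check_params(n, g)
    x, X = keypair(n, g)    # Alice keeps x, sends X
    y, Y = keypair(n, g)    # Bob keeps y, sends Y
    wire = {"n": n, "g": g, "X": X, "Y": Y}   # the eavesdropper's view
    return shared_key(Y, x, n), shared_key(X, y, n), wire

if __name__ == "__main__":
    # Toy parameters (assumed for illustration): 23 = 2*11 + 1, g = 5.
    k_alice, k_bob, wire = exchange(23, 5)
    print("on the wire:", wire)
    print("Alice k =", k_alice, " Bob k' =", k_bob)
```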

WPI EE579T/4 #30

Diffie-Hellman Drawbacks

• Slow!

– Computationally intensive

– Requires several communications exchanges

• Example:

– Using D-H to set up a session key in a cellular telephone could take nearly one minute!

• So, other key exchange protocols have been established that are more efficient

WPI EE579T/4 #31

Why Do We Want to Do This?

• Symmetric cryptography is fast

• Asymmetric cryptography is slow

– As much as 1000X slower than symmetric

• Therefore, we want to use the slow asymmetric crypto -- which does not require prepositioning of keys -- to create and/or exchange symmetric session keys so that data can be exchanged quickly

WPI EE579T/4 #32

Crypto Weaknesses

• All cryptosystems depend on the security of the key for their security

– If a symmetric system, he who has the key reads the mail

– Asymmetric systems rely on the private key remaining private. Is this a good assumption?

• Attacks on assumptions work better than attacks on the front door

WPI EE579T/4 #33

Cryptosystems Compared

• Symmetric key

– Same key both ends

– Key management a problem; requires secure side channel

– Fast

– Message length < key length

• Asymmetric key

– Two keys

• Public key, known to all

• Private key, known to owner alone

– Key management less of a problem

– Computationally intensive, so it is slow

WPI EE579T/4 #34

Asymmetric Crypto Uses?

• Only good for key exchange?

• As it turns out, NO

– Other algorithms useful for providing data secrecy, like symmetric cryptography

– Can be used to provide

• confidentiality

• integrity

• authenticity

Next time!

WPI EE579T/4 #35

RSA Encryption Algorithm

• Ron Rivest, Adi Shamir, Len Adleman

– First published 1978, from MIT

– Block cipher, asymmetric key

– Plain and cipher texts are integers between 0 and n-1, for some n that is part of the keys

• Like all asymmetric key systems, RSA depends for security on the difficulty of factoring large numbers

WPI EE579T/4 #36

RSA Mechanics

• C = ciphertext

– $C = M^e \bmod n$

• M = plaintext

– $M = C^d \bmod n = (M^e)^d \bmod n = M^{ed} \bmod n$

• Both parties know n, e

• Only the receiving party knows d

WPI EE579T/4 #37

Therefore...

• Public key: KU = {e,n}

• Private key: KR = {d,n}

• Requirements for this to work:

– e, d, n exist such that $M^{ed} = M \bmod n$ for all M<n

– Easy to calculate $M^e$ and C for M<n

– Infeasible to calculate d given e, n

• Computationally secure if e, n sufficiently large

WPI EE579T/4 #38

Important Definitions

• Euler’s totient function, $\phi(n)$

– Defined as the number of positive integers < n and relatively prime to n

– Can show that if n=pq, $\phi(n) = (p-1)(q-1)$

• Relatively prime numbers

– a and b (integers) are relatively prime if they have no prime factors in common

• i.e. only common prime factor is unity

WPI EE579T/4 #39

RSA Example

• Select two primes: p = 7, q = 17

• Calculate n = pq = 7 x 17 = 119

• Calculate $\phi(n) = (p-1)(q-1) = 6 \times 16 = 96$

• Select e relatively prime to & less than $\phi(n)$

– In this example e = 5

• Calculate $d = e^{-1} \bmod \phi(n) = 77$

• KU = {5, 119} (public key), KR = {77, 119} (private key)

WPI EE579T/4 #40

RSA Encrypt/Decrypt

• Using KU, KR we have calculated, let M=19 (plaintext)

– KU = {5, 119} KR = {77, 119}

• Encryption:

– $M^e \bmod n = 19^5 \bmod 119 = 66 = C$ (ciphertext)

• Decryption

– $C^d \bmod n = 66^{77} \bmod 119 = 19 = M$ (plaintext)

• Q.E.D.

Public key: e, n. Private key: d, n.

WPI EE579T/4 #41

RSA Importance

• With Diffie-Hellman, RSA is the most widely used asymmetric key algorithm

• RSA was patented by its inventors, but the patents expired in 2000

• RSA is now freely usable by anyone, and is widely incorporated into common products, such as web browsers, VPN devices, etc.

WPI EE579T/4 #42

Breaking RSA

• Discover the private key, d

– Easy to do if p and q, factors of n, are known

– Hard part is factoring n

– Factoring 129-digit n has been done

• Find e-th roots mod n

– Not known to be equivalent to factoring

– No general methods known

• Brute force key search
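
The RSA example from the earlier slides (p = 7, q = 17, e = 5, M = 19) together with the first bullet above, as an added Python example that is not part of the original slides. It generalises the slide's steps to any p, q and e; the function names are assumptions, and the trial-division factoring succeeds only because n = 119 is a toy modulus.

```python
from math import gcd

def make_keys(p, q, e):
    """Derive KU = {e, n} and KR = {d, n} from primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)              # Euler's totient for n = pq
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must be less than and relatively prime to phi(n)")
    d = pow(e, -1, phi)                  # d = e^-1 mod phi(n); Python 3.8+
    return (e, n), (d, n)

def apply_key(value, key):
    """RSA is one operation in both directions: value^exp mod n."""
    exp, n = key
    if not 0 <= value < n:
        raise ValueError("value must be an integer between 0 and n-1")
    return pow(value, exp, n)

def factor(n):
    """Trial division: instant for a toy n, infeasible for a 1024-bit n."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    raise ValueError("n is prime")

def recover_private_key(public_key):
    """Once p and q are known, d follows directly from e and phi(n)."""
    e, n = public_key
    p, q = factor(n)
    return make_keys(p, q, e)[1]

if __name__ == "__main__":
    KU, KR = make_keys(7, 17, 5)
    C = apply_key(19, KU)
    print("KU =", KU, "KR =", KR, "C =", C, "M =", apply_key(C, KR))
    # The operation also runs the other way: private key first, then public.
    S = apply_key(19, KR)
    print("private-key output:", S, "recovered with KU:", apply_key(S, KU))
    print("KR derived from KU by factoring n:", recover_private_key(KU))
```

The last line is the reason the next slide asks for n above 1000 bits: the private key is only as hard to find as n is to factor.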

WPI EE579T/4 #43

Practical RSA Security

• Choose sufficiently large n

– 129 digits ≈ 428 bits, which has been factored

– Too close to 512 bits for comfort

– So, choose n > 1000 bits (1024, 2048, 4096)

– Evaluate how long security is required, as longer keys require more computation, and are therefore slower to encrypt/decrypt

• Guard the private key carefully!

WPI EE579T/4 #44

Hashing: the Final Tool

• Encryption seeks to obscure plaintext with a key, so that the plaintext can be recovered

• Hash functions produce fixed-length output given variable-length input, such that the hash output will change substantially if even a single bit of the input is changed

– Similar to checksum or CRC for data integrity

– Depends on hash function being one-way

WPI EE579T/4 #45

Hash Function Uses / Benefits

• Verify the integrity of a block of data

– e.g. a message

• Faster to compute than encrypted version of input

• Always produces an output of known and fixed length

– Useful in many applications

WPI EE579T/4 #46

Hash Function Requirements

• Hash value h = H(x), where H is the hash function of some input x

– Input x can be of any length

– Output H(x) has fixed length

– H(x) relatively easy to compute for any x

– H(x) is one-way

– H(x) is collision-free

WPI EE579T/4 #47

Hashing Terms

• One way

– H(x) is one way if it is computationally infeasible to find x such that H(x) = h

– i.e. H(x) is hard to invert

• Collisions

– weakly collision-free: given x, computationally infeasible to find y ≠ x such that H(x) = H(y)

– strongly collision-free: computationally infeasible to find any two messages x and y such that H(x) = H(y)

WPI EE579T/4 #48

Hash Function Example

Source: RSA Laboratories, Inc.

WPI EE579T/4 #49

Common Hash Functions

Algorithm       MD2        MD4        MD5        SHA-1
Output length   128 bits   128 bits   128 bits   160 bits
Block size      128 bits   512 bits   512 bits   512 bits
Specification   RFC 1319   RFC 1320   RFC 1321   FIPS 180-1

WPI EE579T/4 #50

Types of Hash

• “Standard”

– Message is input to the hash function

– Hash calculated according to the standard

– Same message always produces same hash

• Keyed, or secure, hash

– Message is one input to the hash function

– Secret key is another input (cf. Slide 21)

– Output depends on both key and message
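
An added example, not from the original slides, showing the single-bit sensitivity described on the "Hashing: the Final Tool" slide and the practical difference between the two hash types above. SHA-1 is taken from the table of common hash functions, HMAC (RFC 2104) is assumed as the keyed construction since the slides name none, and the key and messages are constructed sample data.

```python
import hashlib
import hmac

def standard_hash(message):
    """Unkeyed hash: the same message always produces the same output."""
    return hashlib.sha1(message).digest()

def keyed_hash(key, message):
    """Keyed hash: output depends on both key and message (HMAC-SHA-1)."""
    return hmac.new(key, message, hashlib.sha1).digest()

def flip_bit(data, index):
    """Copy of data with exactly one bit inverted."""
    out = bytearray(data)
    out[index // 8] ^= 1 << (index % 8)
    return bytes(out)

def bits_changed(a, b):
    """Number of bit positions in which two digests differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def rewrite_in_transit(new_message):
    """Someone without the key replaces the message and recomputes the
    only check value they can: the unkeyed hash."""
    return new_message, standard_hash(new_message)

def accepts_standard(message, check):
    return hmac.compare_digest(standard_hash(message), check)

def accepts_keyed(key, message, check):
    return hmac.compare_digest(keyed_hash(key, message), check)

# Constructed sample data, not from the slides.
KEY = b"constructed-demo-key"
SENT = b"Transfer 100 to account 12345"
ALTERED = b"Transfer 900 to account 12345"

if __name__ == "__main__":
    changed = bits_changed(standard_hash(SENT),
                           standard_hash(flip_bit(SENT, 0)))
    print("1 input bit flipped ->", changed, "of 160 output bits changed")
    msg, check = rewrite_in_transit(ALTERED)
    print("standard hash accepts altered message:",
          accepts_standard(msg, check))
    print("keyed hash accepts altered message:",
          accepts_keyed(KEY, msg, check))
    print("keyed hash accepts original:",
          accepts_keyed(KEY, SENT, keyed_hash(KEY, SENT)))
```

An unkeyed hash sent alongside the message detects accidental corruption only; the receiver can detect a deliberate rewrite only when the check value depends on a secret the rewriter lacks.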

WPI EE579T/4 #51

So What?

• Hash functions can be used to provide

– Fast integrity check on data

• Asymmetric key cryptography can provide

– Session key negotiation

– User authentication (with some help)

• We now have all the cryptographic tools needed to provide confidentiality, integrity, and authentication

WPI EE579T/4 #52

Summary

• Both symmetric and asymmetric crypto have their uses in communications

• Symmetric keys can be purely random, but asymmetric keys are mathematically related

• Symmetric crypto is much faster than asymmetric, which leads to combining the types in practical applications

• Combining symmetric, asymmetric, and hash functions can go a long ways towards mitigating network security problems.

WPI EE579T/4 #53

Homework

• Scan Stallings, Chapter 4.1

• Read Stallings, Chapter 4.2

• Do problems 3.2, 3.5a, 3.5d, 3.6, 3.12

• If you have not already done so, finalize your project team, and select a candidate research topic. This information is due next week at the latest.