
X.800 Security Services - PowerPoint PPT Presentation



  1. EECS 498-7/8 Computer Security. Peter Honeyman, Center for Information Technology Integration
     Course Overview ◊ www.citi.umich.edu/u/honey/security ◊ Monday & Friday, 9:00 – 10:30; Wednesday, 9:00 - 10:00; 1005 Dow; 4 credits ◊ EECS Technical Elective? ◊ Presumably -- working on it.
     Course Requirements ◊ Cryptography and Network Security: Principles and Practice (Third Edition), William Stallings, Prentice-Hall, ISBN 0130914290 ◊ Weekly (or more) homework + programming assignments: 50% ◊ Exams: 25% ea.
     Outline of Lectures ◊ Models of security ◊ Classical encryption ◊ Substitution and transposition ciphers ◊ Symmetric key cryptography ◊ DES, AES, others ◊ Confidentiality ◊ Key distribution ◊ Random number generation
     Outline of Lectures ◊ Number theory ◊ Asymmetric key cryptography ◊ Message authentication ◊ Digital signatures ◊ Applications ◊ Kerberos ◊ SSL, X.509, and PKI ◊ IPSec
     Computer Security ◊ Host security & network security ◊ Equally important ◊ Often no clear boundary between them ◊ Examples ◊ Morris’ Internet worm ◊ Mitnick’s attack on Shimomura ◊ Credit card theft from e-commerce sites ◊ Distributed denial of service attacks

  2. X.800 Security Services ◊ Authentication ◊ Peer entity identification ◊ Guards against masquerade and unauthorized replay ◊ Data origin ◊ Useful in connectionless communication ◊ Access control ◊ Prevent unauthorized use of resources ◊ Presupposes some sort of authentication
     X.800 Security Services ◊ Data confidentiality ◊ Protection from unauthorized disclosure ◊ Granularity ◊ Session ◊ Message ◊ Fields in a message ◊ Traffic analysis
     X.800 Security Services ◊ Data integrity ◊ Protection from unauthorized modification, insertion, deletion, replay ◊ Granularity ◊ Session, message, or field(s) ◊ Connection-oriented or connectionless ◊ Detection and/or recovery
     X.800 Security Services ◊ Nonrepudiation ◊ Origin (sender) ◊ Destination (receiver) ◊ Availability ◊ Security? Reliability?
     X.800 Security Mechanisms ◊ Encryption ◊ Digital signature ◊ Access control ◊ Data integrity ◊ Authentication exchange ◊ Traffic padding ◊ Routing control ◊ Notarization
     Security Attacks ◊ Passive attacks ◊ Interception ◊ Traffic analysis ◊ Active attacks ◊ Masquerade ◊ Replay ◊ Content modification ◊ Denial of service

  3. Model for Network Security ◊ Principals ◊ Sender ◊ Receiver ◊ Adversary ◊ Trusted third party
     Model for Network Security ◊ Sender injects message, receiver extracts it ◊ Sender and receiver communicate over information channel ◊ Sender and receiver provide security-related information ◊ Possibly shared with or generated by T3P ◊ Security-related transformation is applied to message ◊ Adversary may control information channel
     Designing a Security Service ◊ Select an algorithm for the security-related transformation (cipher) ◊ Generate the security-related information to be used by the algorithm (keys) ◊ Select a method for distribution of security-related information (key distribution) ◊ Select a protocol for the communicating principals that uses the security algorithm (cryptographic protocol)
     Classical Encryption ◊ Symmetric, or single-key encryption ◊ Model: Fig 2.1, p. 25
     [Figure: plaintext, encrypt (key), ciphertext, decrypt, plaintext]
     Symmetric Key Cryptography ◊ Sender combines plaintext and key to produce ciphertext ◊ Called enciphering or encryption ◊ Y = E(K, X) or Y = E_K(X) ◊ Receiver combines ciphertext and key to recover plaintext ◊ Called deciphering or decryption ◊ X = D(K, Y) or X = D_K(Y) ◊ Cryptography is the study of ciphers
     Dimensions of Cryptography ◊ Type of operations used in cipher ◊ Substitution ◊ Transposition ◊ Number of keys ◊ Symmetric vs. asymmetric ◊ Plaintext processing ◊ Block cipher ◊ Stream cipher

  4. Cryptosystem Model ◊ Fig. 2.2, p. 26 augments earlier model in two ways ◊ Key distribution via secure channel ◊ Adversary cryptanalyzes ciphertext
     Goals of Cryptanalysis ◊ Recover plaintext ◊ Recover key ◊ Adversary has complete information about the encryption and decryption methods ◊ Only the key is secret ◊ Kerckhoffs’s principle, 1883 ◊ Necessary for any practical cipher ◊ Alternatively, refer to all the secret information as the key ◊ Example: gzip | dd conv=swab | tr -c
     Cryptanalytic Attacks ◊ In all cases, cryptanalyst has complete knowledge of the cipher and some ciphertext to be decoded ◊ Ciphertext only ◊ Most common attack ◊ Known plaintext ◊ Cryptanalyst has plaintext-ciphertext pair(s) ◊ Surprisingly easy to obtain or infer plaintext ◊ Chosen plaintext ◊ Cryptanalyst has plaintext-ciphertext pair(s) ◊ Cryptanalyst (somehow) was able to select the plaintext and force its encryption
     Cryptanalysis ◊ Chosen ciphertext ◊ Cryptanalyst has plaintext-ciphertext pair(s) ◊ Cryptanalyst (somehow) was able to select the ciphertext and force its decryption ◊ Chosen text ◊ Cryptanalyst is able to produce chosen plaintext and chosen ciphertext pairs
     Unconditionally Secure Cipher ◊ A cipher is unconditionally secure if no amount of ciphertext suffices to determine uniquely the plaintext ◊ Shannon showed that there is only one cipher that is unconditionally secure ◊ It is not practical in most instances
     Computationally Secure Cipher ◊ A cipher is computationally secure if ◊ The cost of breaking the cipher exceeds the value of the encrypted information, or ◊ The time required to break the cipher exceeds the useful lifetime of the information ◊ Key size plays an important role ◊ So does computational power ◊ Table 2.2, p. 26

  5. Exhaustive Search and Key Size
       Key            @ 1 per µsec          @ 1 per picosec
       32 bits        35.8 min              2.15 ms
       56 bits        1,142 years           10.01 hours
       128 bits       5.4 × 10^24 years     5.4 × 10^18 years
       Substitution   6.4 × 10^12 years     6.4 × 10^6 years
     Computationally Secure Cipher ◊ Note that DES can no longer be considered computationally secure ◊ Cracking DES: Secrets of Encryption Research, Wiretap Politics & Chip Design, Electronic Frontier Foundation, John Gilmore (Editor), O'Reilly & Associates, ISBN: 1565925203
     Substitution Ciphers ◊ Plaintext characters are replaced by other plaintext characters according to some rule ◊ Caesar cipher: E(C) = P + 3 (mod 26), D(P) = C - 3 (mod 26) ◊ ROT13: E(C) = P + 13 (mod 26), D = E ◊ General Caesar cipher: E(C) = P + k (mod 26) ◊ k is the key ◊ Cryptanalysis: try k = 0, …, 25 ◊ Works for known (or probable) plaintext
     Caesar Ciphers ◊ Cryptanalysis is easy because ◊ Algorithm is known ◊ Only 26 keys to try ◊ Known or probable plaintext ◊ Defeating cryptanalysis ◊ Pre-scramble plaintext, e.g., compress it ◊ Increase the key space ◊ E(C) = P + k (mod 26), k = 0, …, 1,000,000? :-)
     Monoalphabetic Substitution Cipher ◊ Let S = {A, B, …, Z} ◊ Let P : S → S be a permutation table ◊ Key space is now 26! ≈ 2^88 ◊ Much too large to search ◊ But this is still easy to cryptanalyze through letter frequency analysis ◊ ETAOINSHRDLU or something like that
     Polygram Substitution Cipher ◊ Playfair ◊ E(P_i P_{i+1}) = C_i C_{i+1} through key-based 5 × 5 transformation ◊ Cryptanalysis: digram frequency ◊ Hill cipher ◊ C = KP, where C and P are d-dimensional column vectors and K is a nonsingular d × d matrix ◊ P = K^-1 C ◊ Hides d-1 letter sequence analysis ◊ Easily broken with known plaintext

  6. Polyalphabetic Substitution Cipher ◊ E: S → 2^S, pick one ◊ Typically a set of monoalphabetic substitution rules is used ◊ Key determines which rule to use
     Periodic Substitution Ciphers ◊ Special class of polyalphabetic substitution ciphers ◊ Example: Vigenère cipher ◊ Each key letter determines one of 26 Caesar ciphers ◊ C_i = E(P_i) = P_i + k_{i mod (key length)} ◊ Given a sufficient amount of ciphertext, common sequences are repeated, exposing the period
     Periodic Substitution Ciphers ◊ Vigenère autokey system: after key is exhausted, use plaintext for running key ◊ Can still detect regularities, e.g., E encrypted with E ◊ Frequently occurring letters in the key will be used to encrypt frequently occurring plaintext letters
     Vernam Cipher ◊ Key length equal to plaintext length ◊ A.k.a. “one-time pad” ◊ Plaintext and ciphertext are statistically independent ◊ Unconditionally secure (Shannon, 1948) ◊ Key generation and distribution are difficult
     Transposition ◊ Rail-fence technique ◊ Ri-ec ehiu / alfnetcnqe ◊ Generalization: columnar technique ◊ Cuathq / omrenu / ln cie ◊ Augment with permuted rows ◊ Generalization: multiple transpositions ◊ Does not change letter frequencies
     Rotor Machines ◊ Enigma, ca. WWII ◊ Each rotor corresponds to a substitution cipher ◊ A one-rotor machine produces a polyalphabetic cipher with period 26 ◊ Output of each rotor is input to next rotor
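The Periodic Substitution Ciphers slides state that repeated sequences in the ciphertext expose the period, and that the autokey variant switches to the plaintext as running key. The following is an added example, not part of the original slides: it encrypts one constructed plaintext both ways and measures the distances between repeated trigrams. The function names, the sample plaintext and the key are assumptions made for the illustration.

```python
from collections import defaultdict
from functools import reduce
from math import gcd

A = ord("A")

def vigenere(plaintext, key, autokey=False):
    """C_i = P_i + k_i (mod 26), upper-case letters only.
    Periodic: k_i = key[i mod len(key)].
    Autokey: once the key is exhausted, the plaintext is the running key."""
    if autokey:
        stream = key + plaintext
    else:
        stream = key * (len(plaintext) // len(key) + 1)
    return "".join(chr((ord(p) - A + ord(k) - A) % 26 + A)
                   for p, k in zip(plaintext, stream))

def repeat_distances(ciphertext, n=3):
    """Distances between successive occurrences of each repeated n-gram."""
    seen = defaultdict(list)
    for i in range(len(ciphertext) - n + 1):
        seen[ciphertext[i:i + n]].append(i)
    return sorted(b - a for pos in seen.values() for a, b in zip(pos, pos[1:]))

def period_guess(ciphertext, n=3):
    """gcd of the repeat distances; 0 means no repeated n-gram was found."""
    return reduce(gcd, repeat_distances(ciphertext, n), 0)

# Constructed sample input for this example (not taken from the slides).
PLAINTEXT = "WEAREDISCOVEREDSAVEYOURSELF"
KEY = "DECEPTIVE"

if __name__ == "__main__":
    for mode in (False, True):
        c = vigenere(PLAINTEXT, KEY, autokey=mode)
        label = "autokey " if mode else "periodic"
        print(label, c, repeat_distances(c), period_guess(c))
```

On longer ciphertexts accidental repeats appear, so the most common factor of the distances is a more robust estimate than a strict gcd.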
