CSE 543 - Computer Security Lecture 3 - Principles September 4, - - PowerPoint PPT Presentation

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger

CSE 543 - Computer Security

Lecture 3 - Principles September 4, 2007

URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/

1

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

Data Encryption Standard (DES)

• Introduced by the US NBS

(now NIST) in 1972

• Signaled the beginning of

the modern area of cryptography

• Block cipher

– Fixed sized input

• 8-byte input and a 8-byte

key (56-bits+8 parity bits)

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

Cryptanalysis of DES

• DES has an effective 56-bit key length

– Wiener: $1,000,000 - 3.5 hours (never built) – July 17, 1998, the EFF DES Cracker, which was built for less than $250,000 < 3 days – January 19, 1999, Distributed.Net (w/EFF), 22 hours and 15 minutes (over many machines) – We all assume that NSA and agencies like it around the world can crack (recover key) DES in milliseconds

• What now? Give up on DES?

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

Variants of DES

• DESX (XOR with separate keys ~= 60-bits)

– Linear cryptanalysis

• Triple DES (three keys ~= 112-bits)

– keys k1, k2, k3

• c = E( D( E( p, k1), k2), k3)

E E D k1 k2 k3 p c

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

Advanced Encryption Standard (AES)

• Result of international NIST bakeoff between

cryptographers

– Intended as replacement for DES – Rijndael (pronounced “Rhine-dall”) – Currently implemented in many devices and software, but not yet fully embraced – Cryptography community is actively vetting the the theory and implementations (stay tuned)

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

Public Key Cryptography

• Public Key cryptography

– Each key pair consists of a public and private component: k+ (public key), k- (private key) D( E(p, k+), k- ) = p D( E(p, k-), k+ ) = p

• Public keys are distributed (typically) through public

key certificates

– Anyone can communicate secretly with you if they have your certificate – E.g., SSL-base web commerce

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

How do you use such cryptosystems?

• Can’t use a secret by myself

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

Needham and Schroeder

• This is where they come in

– Symmetric and public key systems are being invented (DES, Diffie-Hellman, RSA) – Network computation is somewhat common – Want to setup a general approach to secure network communication

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

Authenticated Interactive Communication

• Scenario

– Two principals, A and B – Principal A wants to send a secure message to principal B – They have never met

• What do we need to proceed?

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

Trusted Third Party

• Authentication Server
• What is it entrusted to do?

– Maintains a database of keys for each principal

• KAS where A is the principal and S is the authentication server

– Generate information necessary for principal A to initiate a communication with principal B

• A --> AS: A, B, IA
• AS --> A: {IA, B, KAB, {KAB, A}KBS}KAS
• A --> B: {KAB, A}KBS
• B --> A: {IB}KAB
• A --> B: {IB - 1}KAB

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

What Do The Messages Mean?

• First and Second Messages

– A --> AS: A, B, IA – AS --> A: {IA, B, KAB, {KAB, A}KBS}KAS – A --> B: {KAB, A}KBS – B --> A: {IB}KAB – A --> B: {IB - 1}KAB

• A asks to communicate with B
• AS provides A with the basis to set it up

– Session key: KAB – Ticket: {KAB, A}KBS – Protected by the key that is shared between A and the server: KAS

• Why is it OK for the first message to be ‘in the clear’?

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

What do the messages mean?

• Third message

– A --> AS: A, B, IA – AS --> A: {IA, B, KAB, {KAB, A}KBS}KAS – A --> B: {KAB, A}KBS – B --> A: {IB}KAB – A --> B: {IB - 1}KAB

• What does this message contain?

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

What do the messages mean?

• Fourth and Fifth Messages

– A --> AS: A, B, IA – AS --> A: {IA, B, KAB, {KAB, A}KBS}KAS – A --> B: {KAB, A}KBS – B --> A: {IB}KAB – A --> B: {IB - 1}KAB

• A and B now have the key: KAB
• They need to prove that they can really use it

– Why does A believe that B really has the key? – Why does B believe that A really has the key?

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

Other Protocols

• Public key: discuss next week
• One-way communication

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

One-way communication

• Goal: Enable secrecy and integrity when the sender

is no longer ‘online’

• With symmetric key:

– Encrypt email with session key (obtained from AS) – Put ticket in the email header

– A --> B: {KAB, A}KBS

• Why is this sufficient?
• How do we ensure freshness?

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

Trustworthiness

• How do you ensure their trustworthiness?
• Do you need to do anything on the clients to ensure

the security of the protocol?

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

Alternatives

• Can you devise a shorter protocol?

– with the same properties – or slightly weaker, but perhaps useful properties