ilab Lab 7 Basics of Cryptography / Security I, Testate 2nd Half - PowerPoint PPT Presentation


SLIDE 1

Lehrstuhl für Netzarchitekturen und Netzdienste

Institut für Informatik Technische Universität München

ilab

Lab 7 Basics of Cryptography / Security I

SLIDE 2

Internetpraktikum 2

Testate – 2nd Half of Term

This lecture is divided into two halves:

Basics of Cryptography

  • Repetition/introduction to cryptography
  • Major part of this lecture

Security I

  • “Non-crypto concepts for network security”, e.g.: Firewalls
  • Minor part of this lecture

The understanding of “Basics of Cryptography” is mandatory for all oral exams in this half of the term.

You can either:

  • Do an oral exam exclusively about this lecture, or
  • Do another oral exam. There we do not ask questions about “BoC” but assume that you have a good understanding of cryptography.

SLIDE 3

First Part: Basics of Cryptography

The following slides are relevant for all second oral exams about Labs 6 – 10.

SLIDE 4

Security Objectives

Confidentiality (“Vertraulichkeit”)

It should be impossible for an attacker to eavesdrop on (and understand) data sent

Integrity (“Integrität”)

It should be impossible for modifications to data to remain undetected

Authenticity (“Authentizität”)

  • … of data: It should be possible to identify the sender of the data
  • … of the communication partner: It should be possible to identify the communication partner

Non-repudiation (“Nicht-Abstreitbarkeit”)

It should be impossible for the sender of a message to repudiate that she has sent the message

SLIDE 5

Attack Vectors on Communication

Passive Attacks (Eavesdropping)

  • Eavesdropping of data sent / user accounts
  • Traffic analysis

Active Attacks (Modification)

  • Faked identities
  • Replay/delay of messages
  • Insertion/deletion of messages
  • Denial of service
  • Modification of messages

[Figure: Alice and Bob communicating; a passive attacker eavesdrops on the channel, an active attacker modifies it]

SLIDE 6

(A)symmetric Cryptography

Symmetric Cryptography

All communication instances share the same symmetric key

Pros:

  • Low computational costs
  • Short keys

Cons:

  • Key exchange difficult (needs a second channel)
  • No non-repudiation (as all have the same key)

Asymmetric (public key) Cryptography

Everybody has a key pair (public/private key)

Pros:

  • Public keys can (should) be made public
  • Non-repudiation

Cons:

  • High computational costs
  • Longer keys

SLIDE 7

Symmetric Crypto

SLIDE 8

Symmetric Crypto

Alice and Bob exchanged a shared symmetric key k over a secure channel

Alice encrypts the message using k and some algorithm and sends the ciphertext to Bob.

Bob decrypts the ciphertext using k and the same algorithm

[Figure: Alice: Message → Encryption (k) → Ciphertext; Bob: Ciphertext → Decryption (k) → Message]

SLIDE 9

Data Encryption Standard (DES / 3DES)

Data Encryption Standard (DES)

Developed in the seventies by IBM and the NSA. Was the official US encryption standard.

  • Block length 64 bit
  • Key length 56 bit
  • No practical attack known other than brute force
  • Unfortunately today's machines are fast enough for brute force… ☺
  • Slow

3DES – Triple DES

DES is applied three times with different keys. Usually (two-key EDE variant):

  • Ciphertext = EncryptK1(DecryptK2(EncryptK1(Plaintext)))
  • Plaintext = DecryptK1(EncryptK2(DecryptK1(Ciphertext)))
  • Key length 2 x 56 = 112 bit (the three-key variant uses 168 bit)
  • Still considered safe at the time of this lecture, but triple slow. Note: the 64 bit block limits how much data may be encrypted under one key, and NIST has since deprecated 3DES.

SLIDE 10

Advanced Encryption Standard (AES)

DES is not safe anymore, 3DES is too slow, so a successor was needed. NIST started a tendering procedure with lots of candidates. After 5 years the Rijndael cipher was chosen to be the AES.

Properties of AES (Rijndael):

  • Block cipher, block size 128 bit (Rijndael itself also allows 192 or 256 bit blocks, the AES standard does not)
  • Key length 128, 192 or 256 bit
  • Very efficient
  • Safe
  • No working attacks (publicly) known
  • But: advancements in cryptanalysis of AES could become problematic in the future

SLIDE 11

Encryption Modes of Block Ciphers

Many symmetric crypto algorithms work on blocks of e.g. 128 bit length

Electronic Codebook (ECB)

  • Blockwise encryption: C_i = E_k(P_i)
  • “Same input, same output”: identical plaintext blocks give identical ciphertext blocks (critical, e.g. with padding or repetitive data)
  • As blocks do not depend on each other, the attacker is able to exchange/delete/repeat blocks

Cipher Block Chaining (CBC)

  • Blocks depend on each other: C_i = E_k(P_i XOR C_{i-1}), with C_0 = IV

[Figure, CBC mode: plaintext block 1 XOR IV → encrypt → ciphertext block 1; plaintext block 2 XOR ciphertext block 1 → encrypt → ciphertext block 2; plaintext block 3 XOR ciphertext block 2 → encrypt → ciphertext block 3. IV: initialization vector]

Other modes:

Output feedback mode, Cipher feedback mode, …
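Added example (not part of the original slides): both modes in Python. The standard library ships no AES, so a toy 4-round Feistel block cipher built from SHA-256 stands in for the real block cipher; the mode logic does not depend on which block cipher is underneath. The key, IV and messages are constructed demo values. The block shows the “same input, same output” leak of ECB, the block swap an attacker can perform without the key, and that CBC hides the repetition.

```python
import hashlib

BLOCK = 16  # block size in bytes (128 bit, like AES)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the toy cipher: keyed SHA-256 truncated to half a block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel network standing in for AES. NOT a real cipher; it only lets
    # the modes below run without third-party packages.
    assert len(block) == BLOCK
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r


def pad(data: bytes) -> bytes:
    # PKCS#7: always append 1..BLOCK bytes, each equal to the pad length.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def split_blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # ECB: every block is encrypted independently, C_i = E_k(P_i).
    return b"".join(toy_encrypt_block(key, b) for b in split_blocks(pad(plaintext)))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return unpad(b"".join(toy_decrypt_block(key, b) for b in split_blocks(ciphertext)))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # CBC: C_i = E_k(P_i XOR C_{i-1}) with C_0 = IV, so blocks depend on each other.
    prev, out = iv, []
    for b in split_blocks(pad(plaintext)):
        prev = toy_encrypt_block(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    # P_i = D_k(C_i) XOR C_{i-1}
    prev, out = iv, []
    for c in split_blocks(ciphertext):
        out.append(xor(toy_decrypt_block(key, c), prev))
        prev = c
    return unpad(b"".join(out))


# Constructed demo values (not from the slides).
KEY = b"demo key, not secret"
IV = bytes(range(16))
REPEATED = b"ATTACK AT DAWN!!" * 3                      # three identical 16-byte blocks
TRANSFER = b"FROM: ALICE     " + b"TO:   BOB       "    # two 16-byte fields


def ecb_repeats_visible(key: bytes = KEY, msg: bytes = REPEATED) -> bool:
    # "Same input, same output": identical plaintext blocks give identical ciphertext blocks.
    c = split_blocks(ecb_encrypt(key, msg))
    return c[0] == c[1] == c[2]


def cbc_repeats_hidden(key: bytes = KEY, iv: bytes = IV, msg: bytes = REPEATED) -> bool:
    c = split_blocks(cbc_encrypt(key, iv, msg))
    return len(set(c)) == len(c)


def ecb_block_swap(key: bytes = KEY, msg: bytes = TRANSFER) -> bytes:
    # The attacker swaps the first two ciphertext blocks without knowing the key;
    # the receiver decrypts successfully and sees the fields swapped.
    c = split_blocks(ecb_encrypt(key, msg))
    tampered = b"".join([c[1], c[0]] + c[2:])
    return ecb_decrypt(key, tampered)


if __name__ == "__main__":
    print("ECB shows repeats:", ecb_repeats_visible())
    print("CBC hides repeats:", cbc_hides := cbc_repeats_hidden())
    print("ECB plaintext after block swap:", ecb_block_swap())
```

CBC only hides patterns; neither mode detects modification, so a MAC over the ciphertext is still required for integrity.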

SLIDE 12

Stream Cipher

Stream ciphers XOR a data stream with a generated key stream

The major problem is the generation of a non-predictable (and endless) key stream from a short key as seed

If the key stream is predictable (or reused for two messages), the cipher is weak. Stream ciphers are based on pseudo random number generators

Stream ciphers often are used close to hardware, e.g. inside mobile phones or WLAN (RC4; RC4 is now considered broken)
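Added example (not from the slides) of why a reused key stream breaks a stream cipher: a toy key stream generator (SHA-256 in counter mode, standing in for RC4) is used with the same key and nonce for two messages, and the attacker recovers the second plaintext from the XOR of the two ciphertexts plus a known first plaintext. Key, nonce and messages are constructed.

```python
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy key stream: SHA-256 over (key, nonce, counter), concatenated. Stands in for an
    # RC4/ChaCha-style generator; the attack below only needs the XOR structure.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


stream_decrypt = stream_encrypt  # XOR is its own inverse


# Constructed demo values
KEY = b"sixteen by7e key"
NONCE = b"nonce-01"
P1 = b"Meeting moved to 10:00, room 42."
P2 = b"Wire 5000 EUR to account 1234567"   # same length as P1 (32 bytes)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    # Two ciphertexts under the SAME key stream: C1 XOR C2 = P1 XOR P2, the key stream cancels.
    return xor(c1, c2)


def recover_other_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    # Knowing (or guessing) one plaintext gives the other without any key material.
    return xor(two_time_pad_leak(c1, c2), known_p1)


def demo():
    c1 = stream_encrypt(KEY, NONCE, P1)
    c2 = stream_encrypt(KEY, NONCE, P2)          # BUG under attack: nonce reused
    leaked = recover_other_plaintext(c1, c2, P1)
    c2_fresh = stream_encrypt(KEY, b"nonce-02", P2)  # correct: fresh nonce per message
    return leaked, c2_fresh


if __name__ == "__main__":
    leaked, _ = demo()
    print("attacker recovered:", leaked)
```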

SLIDE 13

Asymmetric Cryptography

SLIDE 14

Asymmetric Encryption

  • Bob has a private and a public key. Bob gives the public key to Alice.
  • Alice encrypts a message using Bob's public key.
  • Bob decrypts the ciphertext using his private key.
  • Idea: Nobody except Bob is able to decrypt the message

[Figure: Alice: Message → Encryption (Bob's public key) → Ciphertext; Bob: Ciphertext → Decryption (Bob's private key) → Message]

SLIDE 15

Asymmetric Signature (1)

  • Some asymmetric crypto algorithms can be used for signature purposes.
  • Bob signs (“encrypts”) a message using his private key
  • Everybody who knows Bob's public key is able to “decrypt” (verify) the ciphertext
  • Idea: As only Bob has Bob's private key, nobody else is able to generate the signature
  • Provides authenticity of messages and non-repudiation
  • (Works a little differently in real life, see Digital Signatures, slide 23)

[Figure: Bob: Message → Encryption (private key) → „Signed“ Message; Alice: „Signed“ Message → Decryption (public key) → Message]

SLIDE 16

RSA

Developed 1977 by Ronald Rivest, Adi Shamir and Leonard Adleman.

Steps:

  • Select p, q prime (p != q; p, q big. The bigger, the better)
  • Compute N = p * q (RSA modulus)
  • Compute phi(N) = (p-1) * (q-1) (Euler's totient function)
  • Select e (1 < e < phi(N)) such that e and phi(N) have no common divisor (gcd(e, phi(N)) = 1)
  • Compute d with d * e ≡ 1 mod phi(N)

Public Key: N, e

Private Key: N, d

Security of RSA is closely related to the prime factorization problem:

N (and e) is publicly known. N cannot be factorized into p and q efficiently (= quickly). If one had p and q, one could easily compute phi(N) and thus d.

SLIDE 17

Encryption (asymmetric)

Asymmetric encryption algorithms are some orders of magnitude slower than symmetric algorithms

The smallest RSA key length still regarded as safe at the time of this lecture is 1024 bit (today at least 2048 bit is required)

Used in real life: hybrid encryption systems

  • Step one: User authentication and exchange of a symmetric session key using public key cryptography
  • Step two: Encryption of data using the symmetric session key
  • Long sessions might need to perform re-keying, e.g. every hour

09.11.2005: RSA-640 broken. A workgroup at the BSI has solved the “RSA-640 Challenge” using the General Number Field Sieve (GNFS) method. For the factorization of the 193-digit number into its two 320-bit prime factors the researchers used about 5 months of computational time on a cluster of 80 dual-core 2.2 GHz Opterons. Source: http://www.heise.de/newsticker/meldung/65957

SLIDE 18

(Cryptographic) Hash Functions

SLIDE 19

Hash Functions

Hash functions map an input of arbitrary length to a value inside a hash space

Size of this hash space: e.g. 160 bit

This value is referred to as hash value (“fingerprint”)

[Figure: Message (arbitrary length) → Hash function → hash value, e.g. 8f 7d 35 …, somewhere in the space 00 00 … to FF FF …]

SLIDE 20

Hash Functions - Collisions

A cryptographic hash function needs to be collision resistant. It must be practically infeasible to generate a collision:

m1, m2 with H(m1) = H(m2) and m1 != m2

Note: As hash functions map a long string to a short one, it is not possible to avoid collisions

  • BUT: it must not be possible to efficiently (quickly) find such collisions
  • Simple method (for a given target hash value, i.e. a preimage):
  • 1. Create (randomly) a message, create the hash of this message
  • 2. Check if the desired hash value equals the hash value created above
  • 3. If not, start at 1.
  • For a good 160 bit hash function one needs on the order of 2^159 tries
  • Caveat: a collision between any two messages is much cheaper than hitting one given value: by the birthday paradox about 2^80 tries suffice for 160 bit (2^(n/2) in general)

[Figure: Message 1 (arbitrary length) and Message 2 (arbitrary length) → same hash value]
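Added example (not from the slides) that runs both searches on SHA-256 truncated to a few bits so they finish in seconds: the slide's search for a given hash value needs about 2^bits tries, the birthday search for any collision only about 2^(bits/2). The candidate messages are constructed counters; the same code with bits = 256 would be the real, infeasible attack.

```python
import hashlib


def truncated_hash(data: bytes, bits: int) -> int:
    # SHA-256 truncated to `bits` so brute force finishes quickly. The full function
    # behaves the same way, only with 2^128 (collision) / 2^256 (preimage) work.
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def find_preimage(target: int, bits: int):
    # The slide's "simple method": hash candidate messages until one hits the target.
    # Expected work: about 2^bits hashes.
    tries = 0
    while True:
        tries += 1
        m = b"preimage-%d" % tries          # constructed candidate messages
        if truncated_hash(m, bits) == target:
            return m, tries


def find_collision(bits: int):
    # Birthday search: remember every hash value seen; the first repeat is a collision
    # between two different messages. Expected work: about 2^(bits/2) hashes.
    seen = {}
    tries = 0
    while True:
        tries += 1
        m = b"collision-%d" % tries
        h = truncated_hash(m, bits)
        if h in seen:
            return seen[h], m, tries
        seen[h] = m


if __name__ == "__main__":
    bits = 20
    m1, m2, t = find_collision(bits)
    print(f"collision after {t} tries (expected ~{2 ** (bits // 2)}): {m1!r} {m2!r}")
    m, t = find_preimage(truncated_hash(b"target", bits), bits)
    print(f"preimage after {t} tries (expected ~{2 ** bits}): {m!r}")
```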

SLIDE 21

Hash Functions

MD5

Must be considered broken

SHA-1 (160 bit)

Currently often used as “default hash function”. Not broken yet at the time of this lecture, but significant advancements in cryptanalysis of SHA-1 (a practical collision was published in 2017). SHA-1 needs to be replaced; NIST recommends using the SHA-2 family with more output bits, e.g. SHA-256

NIST has started a tendering procedure for finding a SHA-1 successor (the SHA-3 competition, won by Keccak in 2012)

SLIDE 22

What about CRC32?

  • CRC32 is an error detection code that is based on polynomial division
  • Used for finding transmission errors in Ethernet/WLAN
  • Often used in compression algorithms, too
  • Detects:
  • all 1-bit errors
  • every odd number of flipped bits
  • all “burst errors” with length < 32 bit
  • CRC was used within cryptographic protocols for integrity protection, e.g. WEP
  • That was a dumb idea
  • CRC is meant to detect random errors
  • The method never was designed to withstand targeted attacks!
  • CRC is not collision resistant, i.e. it is simple to find collisions. Worse, CRC is linear: an attacker who flips bits in a message can compute the matching change to the checksum without knowing the message

CRC32 is not a cryptographic hash function
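Added example (not from the slides) that makes the WEP problem concrete in Python using zlib's CRC-32: forge_suffix appends four bytes to any message to reach any chosen CRC value, and flip_bits_and_fix_icv changes a WEP-style frame (stream cipher XOR (payload || CRC-32 ICV), a simplified and constructed model of WEP) without knowing the key stream, correcting the ICV through CRC's linearity. The key stream and payloads are constructed demo values.

```python
import zlib

# The zlib/Ethernet CRC-32 table (reflected polynomial 0xEDB88320), built the usual way.
TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    TABLE.append(_c)
# Every table entry has a different top byte, so one CRC step can be run backwards.
TOP_BYTE_TO_INDEX = {c >> 24: i for i, c in enumerate(TABLE)}
assert len(TOP_BYTE_TO_INDEX) == 256


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def forge_suffix(msg: bytes, target_crc: int) -> bytes:
    """Return 4 bytes s such that zlib.crc32(msg + s) == target_crc (a collision on demand)."""
    reg = zlib.crc32(msg) ^ 0xFFFFFFFF     # undo the final XOR: internal register after msg
    want = target_crc ^ 0xFFFFFFFF         # register value we need after the suffix
    # Feeding 4 bytes p from register reg gives the same result as feeding 4 zero bytes
    # from reg ^ p, so invert the zero-byte step 4 times and XOR with reg.
    for _ in range(4):
        idx = TOP_BYTE_TO_INDEX[want >> 24]
        want = ((want ^ TABLE[idx]) << 8) | idx
    return (reg ^ want).to_bytes(4, "little")


def crc_of_xor(m: bytes, delta: bytes) -> int:
    # CRC is affine: crc(m XOR d) = crc(m) XOR crc(d) XOR crc(0...0) for equal lengths.
    return zlib.crc32(m) ^ zlib.crc32(delta) ^ zlib.crc32(bytes(len(m)))


# WEP-style frame: key stream XOR (payload || CRC-32 "ICV"). Simplified, constructed model.
def wep_like_encrypt(keystream: bytes, payload: bytes) -> bytes:
    icv = zlib.crc32(payload).to_bytes(4, "little")
    return xor(keystream, payload + icv)


def wep_like_decrypt(keystream: bytes, frame: bytes):
    data = xor(keystream, frame)
    payload, icv = data[:-4], data[-4:]
    return payload, zlib.crc32(payload).to_bytes(4, "little") == icv


def flip_bits_and_fix_icv(frame: bytes, delta: bytes) -> bytes:
    # The attacker knows neither key stream nor payload, only which payload bits to flip.
    # Because both XOR and CRC are linear, the ICV can be corrected blindly.
    icv_fix = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    return xor(frame, delta + icv_fix.to_bytes(4, "little"))


KEYSTREAM = bytes((37 * i + 11) & 0xFF for i in range(64))  # constructed; unknown to the attacker
ORIGINAL = b"PAY BOB 0010 EUR"
WANTED = b"PAY BOB 9910 EUR"


def demo_wep_forgery():
    frame = wep_like_encrypt(KEYSTREAM, ORIGINAL)
    forged = flip_bits_and_fix_icv(frame, xor(ORIGINAL, WANTED))
    return wep_like_decrypt(KEYSTREAM, forged)


if __name__ == "__main__":
    s = forge_suffix(b"any message", 0xDEADBEEF)
    print("forged suffix gives CRC", hex(zlib.crc32(b"any message" + s)))
    print("receiver sees:", demo_wep_forgery())
```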

SLIDE 23

Digital Signatures

Digital signatures combine cryptographic hash functions with asymmetric cryptography (e.g. RSA).

Sender: Message → Hash function → Hash → (Private Key) → Signature. Message + Signature get sent.

Receiver: Message → Hash function → Hash; Signature → (Public Key) → Hash. Check if equal.
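Added example (not the slides' code) covering RSA key generation as in slide 16 and the hash-then-sign construction of this slide, in Python. The toy key uses the textbook primes 61 and 53 so that trial division recovers the private key from the public one, which is the slide 16 point that factoring N breaks RSA. The larger demo key is built from two Mersenne primes only to keep the example deterministic without a prime generator; real keys use random primes of at least 1024 bit each, and real signatures add a padding scheme such as PSS, which is omitted here.

```python
import hashlib
from math import gcd, isqrt


def rsa_keypair(p: int, q: int, e: int = 65537):
    # Key generation exactly as on slide 16: N = p*q, phi = (p-1)(q-1), d = e^-1 mod phi.
    assert p != q
    n = p * q
    phi = (p - 1) * (q - 1)
    assert 1 < e < phi and gcd(e, phi) == 1
    d = pow(e, -1, phi)                # d * e == 1 (mod phi)
    return (n, e), (n, d)              # public key, private key


def rsa_encrypt(pub, m: int) -> int:
    n, e = pub
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def rsa_decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def factor_toy_modulus(n: int):
    # Trial division up to sqrt(n): feasible only for toy sizes, which is the whole point.
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found")


def recover_private_key(pub):
    # Whoever can factor N knows phi(N) and therefore d.
    n, e = pub
    p, q = factor_toy_modulus(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


def sign(priv, message: bytes) -> int:
    # Hash-then-sign: the private-key operation is applied to the SHA-256 digest,
    # never to the message itself.
    n, _ = priv
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    assert h < n, "modulus too small for the digest"
    return rsa_decrypt(priv, h)


def verify(pub, message: bytes, signature: int) -> bool:
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return rsa_encrypt(pub, signature) == h


# Toy key from the classic textbook primes (constructed): N = 3233, phi = 3120, d = 2753.
TOY_PUB, TOY_PRIV = rsa_keypair(61, 53, e=17)

# Larger demo key from the Mersenne primes 2^127-1 and 2^521-1 so that a SHA-256 digest
# fits below N. Primes with this much structure must never be used in practice; they only
# make the example deterministic without a prime generator.
DEMO_PUB, DEMO_PRIV = rsa_keypair(2 ** 127 - 1, 2 ** 521 - 1)


if __name__ == "__main__":
    c = rsa_encrypt(TOY_PUB, 65)
    print("toy ciphertext", c, "decrypts to", rsa_decrypt(TOY_PRIV, c))
    print("private key recovered by factoring:", recover_private_key(TOY_PUB) == TOY_PRIV)
    s = sign(DEMO_PRIV, b"Bob owes Alice 10 EUR")
    print("signature verifies:", verify(DEMO_PUB, b"Bob owes Alice 10 EUR", s))
    print("tampered message verifies:", verify(DEMO_PUB, b"Bob owes Alice 1000 EUR", s))
```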

SLIDE 24

Digital Signatures and Encryption

  • If a message is signed, the content is sent in plain text with the signature “attached”
  • This can be desired, e.g. if stations in between need to understand the messages, too
  • Used during session establishment for Voice over IP
  • If encryption is additionally desired, two steps are needed:
  • 1. Creation of the signature with the private key of the sender
  • 2. Encryption with the public key of the receiver

SLIDE 25

Key Dependent Hash Functions (1)

(also referred to as “Message Authentication Code” (MAC))

Goal: Provide integrity and authenticity of messages without expensive asymmetric cryptography

Idea: The hash value also depends on a shared symmetric key

Pro: fast (no asymmetric crypto used)

Con: both communication partners need to share the same key (and, as both can compute the MAC, it provides no non-repudiation)

SLIDE 26

Key Dependent Hash Functions (2)

Sender: Message + MAC will be sent. Receiver: recomputes the MAC over the received message with the shared key and checks if it equals the received MAC. An attacker is able to modify the message, but he cannot compute the corresponding hash value because he does not know the key used.

[Figure: Sender: Message (arbitrary length) → MAC (key) → 160 bit MAC; Receiver: Message (arbitrary length) → MAC (key) → 160 bit MAC, compared with the received 160 bit MAC: check if equal]
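Added example (not from the slides) of the MAC check with Python's hmac module (HMAC-SHA256). Beyond what the slide shows, a sequence number is included in the MACed data so that a captured message cannot simply be replayed (see the replay attack under Attack Vectors); that addition is an assumption of this example. The key and message are constructed.

```python
import hashlib
import hmac


def mac_tag(key: bytes, seq: int, message: bytes) -> bytes:
    # HMAC-SHA256 over (sequence number || message). The sequence number is an
    # addition to the slide: it stops replay of an old (message, tag) pair.
    return hmac.new(key, seq.to_bytes(8, "big") + message, hashlib.sha256).digest()


def mac_verify(key: bytes, seq: int, message: bytes, tag: bytes) -> bool:
    expected = mac_tag(key, seq, message)
    return hmac.compare_digest(expected, tag)   # constant-time comparison


def unkeyed_checksum(message: bytes) -> bytes:
    # What the slide warns against: an unkeyed hash protects against noise, not attackers.
    return hashlib.sha256(message).digest()


KEY = b"shared secret between Alice and Bob (constructed)"


def attacker_modifies(message: bytes, tag: bytes):
    # Mallory changes the amount. She can recompute an unkeyed hash but not the MAC,
    # so the best she can do is resend the old tag.
    forged = message.replace(b"10 EUR", b"1000 EUR")
    return forged, unkeyed_checksum(forged), tag


def demo() -> dict:
    seq, msg = 7, b"transfer 10 EUR to Mallory"
    tag = mac_tag(KEY, seq, msg)
    forged, forged_hash, reused_tag = attacker_modifies(msg, tag)
    return {
        "genuine accepted": mac_verify(KEY, seq, msg, tag),
        "unkeyed hash fooled": unkeyed_checksum(forged) == forged_hash,
        "mac rejects modification": not mac_verify(KEY, seq, forged, reused_tag),
        # receiver now expects seq + 1; the replayed pair was made for seq
        "mac rejects replay": not mac_verify(KEY, seq + 1, msg, tag),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```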

SLIDE 27

Certificates & Web-of-Trust

SLIDE 28

Why do we need certificates and Webs-of-Trust?

Public-key cryptography only makes sense if we can make sure that a certain public key really belongs to a certain entity.

Approaches:

“Do-it-yourself”

  • Exchange the public keys manually between communication partners
  • (Actually the safest solution, but obviously does not scale)

Use a Certificate Authority (CA)

  • CAs are some kind of notary that vouches that a certain public key belongs to a certain entity

Use a Web-of-Trust

  • Not one notary vouches for the legitimacy of a public key, but many users.

SLIDE 29

Certificate Authorities

Need to be trusted by all communication partners (“Trusted Third Party”)

The CA also owns a private and a public key

  • The public key is publicly well known, e.g. CA public keys are often included in web browsers, mail clients, etc.
  • The private key is used for signing the certificate.

The CA issues certificates that can be used to verify the communication partner's identity

SLIDE 30

Certificates

Information signed by a CA that maps a public key to some entity name (e.g. a person or a web server)

Contains at least

  • Public key
  • Name of the entity
  • Duration of validity
  • Information about the CA that signed the certificate
  • Signature

SLIDE 31

Certificate creation (1)

Bob owns an asymmetric key pair. He sends his public key to the CA over a secure channel. Additionally he needs to send some proof of identity, e.g. his ID card

This first step is not technical… This first step is essential for the quality and credibility of the certificate

[Figure: Bob to the CA: “I am Bob. Really!”]

SLIDE 32

Certificate creation (2)

The CA creates the certificate. Finally the CA signs the certificate with its private key, and the certificate is sent to Bob. (The figure shows the certificate before and after signing.)

  Certificate
  Owner: Bob Example, Example Street 123, 12345 Exampletown
  Owner's Public Key: AEF75309CC9643AC896437FF
  Issuer: Example CA
  Valid till: 31.12.2011
  Revocation list URL: http://exampleca.com/revocationlist
  Signature of Example CA

SLIDE 33

Certificate Revocation

Situations exist when certificates need to be made invalid:

  • If Bob's private key is stolen (“compromised”).
  • If somebody managed to obtain a certificate for an identity she does not have (a valid certificate for a fake identity).

This process is called revocation. For this purpose, the CA publishes a list of revoked certificates (the revocation list referenced in the certificate).

SLIDE 34

Using certificates (1)

Alice wants to send a message to Bob. For making sure that she really talks to Bob, she requests Bob's certificate

[Figure: Alice requests Bob's certificate from Bob]

SLIDE 35

Using certificates (2)

Alice now checks the following:

  • 1. Name of the CA, and whether the CA is “trustworthy”
  • 2. The “owner” field matches the name of the person she wants to talk to
  • 3. The validity period of the certificate
  • 4. Validity of the signature; for this step Alice needs the public key of the CA. This key is publicly available
  • 5. Alice checks the revocation list and tests whether the certificate is revoked (marked as invalid)

If all steps are ok, the certificate is valid!

SLIDE 36

Using certificates (3)

After verification, Alice takes Bob's public key out of the certificate and uses the public key to encrypt the message for Bob

Only Bob has the corresponding key for decrypting the message

[Figure: Alice: Message → Encryption (public key from Bob's certificate) → Encrypted Message; Bob: Encrypted Message → Decryption (private key) → Message]

SLIDE 37

Problematic Aspects of Certificates (1)

Major problem: users do not understand what certificates are. A study of Carnegie Mellon University from 2009 showed that users are more likely to ignore “technical” error messages related to well known and “trustworthy” pages than for sites they do not know. This is a big mistake!

Source: Peter Gutmann

SLIDE 38

Problematic Aspects of Certificates (2)

Who decides which CA is “trustworthy”? Who decides which CA certificate is part of the web browser or mail client?

Who controls the behavior of CAs and removes them from the list of trusted CAs?

Conclusion:

CAs are a good thing. But never forget: CAs are not infallible!

Alternative:

Web-of-Trust

SLIDE 39

Web-of-Trust

Instead of having one notary, multiple people vouch for the legitimacy of a public key.

I.e. they sign the public key using their private key. Public key and signatures are made public on key servers

Example:

  • Alice signs Bob's public key
  • Trudy signs Bob's public key
  • Tom already has Alice's and Trudy's public keys
  • Tom trusts Alice and Trudy
  • Tom can use Alice's and Trudy's public keys to validate the signatures on Bob's key
  • Tom can be confident to trust Bob's key
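Added example (not from the slides) that models both the check list of Using certificates (2) and the Web-of-Trust example above in Python. Certificates are represented as signed JSON dictionaries instead of X.509; textbook RSA over a SHA-256 digest is the signature primitive, with keys built from Mersenne primes purely to make the example deterministic (never acceptable for real keys). Names, serial numbers and dates are constructed.

```python
import hashlib
import json
from datetime import date


# Signature primitive: textbook RSA, hash-then-sign over SHA-256. Keys come from Mersenne
# primes only so the block runs without a prime generator; real keys use random primes.
def make_key(p: int, q: int, e: int = 65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")


def canonical(obj) -> bytes:
    # Deterministic byte encoding of the signed fields (X.509 uses DER for this).
    return json.dumps(obj, sort_keys=True).encode()


# --- Certificate Authority model (slides 30 to 35) ---
def issue_certificate(ca_name, ca_priv, serial, owner, owner_pub, valid_until):
    body = {"serial": serial, "owner": owner, "public_key": list(owner_pub),
            "issuer": ca_name, "valid_until": valid_until}
    return {"body": body, "signature": sign(ca_priv, canonical(body))}


def verify_certificate(cert, expected_owner, trusted_cas, revoked_serials, today):
    # Alice's check list from slide 35, in order; the first failing step is reported.
    body = cert["body"]
    if body["issuer"] not in trusted_cas:
        return False, "issuer not trusted"
    if body["owner"] != expected_owner:
        return False, "owner does not match"
    if today > date.fromisoformat(body["valid_until"]):
        return False, "certificate expired"
    if not verify(trusted_cas[body["issuer"]], canonical(body), cert["signature"]):
        return False, "signature invalid"
    if body["serial"] in revoked_serials:
        return False, "certificate revoked"
    return True, "valid"


# --- Web-of-Trust model (slide 39) ---
def sign_key(signer_priv, owner, owner_pub) -> int:
    return sign(signer_priv, canonical({"owner": owner, "public_key": list(owner_pub)}))


def key_trusted_by_web(owner, owner_pub, signatures, keyring, trusted_signers, needed=2):
    # signatures: {signer: sig} as published on a key server; keyring: {name: pub} keys
    # Tom already holds; trusted_signers: the people whose signatures Tom accepts.
    blob = canonical({"owner": owner, "public_key": list(owner_pub)})
    valid = [s for s, sig in signatures.items()
             if s in trusted_signers and s in keyring and verify(keyring[s], blob, sig)]
    return len(valid) >= needed


# Constructed demo keys from the Mersenne primes M61, M89, M107, M127, M521, M607, M1279, M2203.
CA_PUB, CA_PRIV = make_key(2 ** 127 - 1, 2 ** 521 - 1)
BOB_PUB, BOB_PRIV = make_key(2 ** 107 - 1, 2 ** 607 - 1)
ALICE_PUB, ALICE_PRIV = make_key(2 ** 89 - 1, 2 ** 1279 - 1)
TRUDY_PUB, TRUDY_PRIV = make_key(2 ** 61 - 1, 2 ** 2203 - 1)
TRUSTED_CAS = {"Example CA": CA_PUB}


def demo_ca(today=date(2011, 6, 1)) -> dict:
    cert = issue_certificate("Example CA", CA_PRIV, 1, "Bob Example", BOB_PUB, "2011-12-31")
    # Mallory replaces the key inside the body but cannot re-sign it.
    tampered = {"body": dict(cert["body"], public_key=list(TRUDY_PUB)),
                "signature": cert["signature"]}
    return {
        "genuine": verify_certificate(cert, "Bob Example", TRUSTED_CAS, set(), today)[1],
        "wrong owner": verify_certificate(cert, "Mallory", TRUSTED_CAS, set(), today)[1],
        "expired": verify_certificate(cert, "Bob Example", TRUSTED_CAS, set(), date(2012, 1, 1))[1],
        "key swapped": verify_certificate(tampered, "Bob Example", TRUSTED_CAS, set(), today)[1],
        "revoked": verify_certificate(cert, "Bob Example", TRUSTED_CAS, {1}, today)[1],
    }


def demo_web_of_trust():
    sigs = {"Alice": sign_key(ALICE_PRIV, "Bob", BOB_PUB),
            "Trudy": sign_key(TRUDY_PRIV, "Bob", BOB_PUB)}
    keyring = {"Alice": ALICE_PUB, "Trudy": TRUDY_PUB}
    return (key_trusted_by_web("Bob", BOB_PUB, sigs, keyring, {"Alice", "Trudy"}),
            key_trusted_by_web("Bob", BOB_PUB, sigs, keyring, {"Alice"}),            # one signer only
            key_trusted_by_web("Bob", TRUDY_PUB, sigs, keyring, {"Alice", "Trudy"}))  # wrong key for Bob


if __name__ == "__main__":
    print(demo_ca())
    print("web of trust (two trusted, one trusted, wrong key):", demo_web_of_trust())
```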

SLIDE 40

GPG Keyring

SLIDE 41

GPG Keyring – Creation of Signatures

SLIDE 42

Second Part: Security I

SLIDE 43

Non-crypto Mechanisms for Network Security

Access control

Authenticate a user and determine if she is allowed to use a service

Firewalls

Filter traffic between two networks according to a certain policy

(Intrusion detection)

Monitor traffic and try to find anomalies that are caused by an attacker

SLIDE 44

Access Control

Can be done on different layers:

On Network Layer (e.g. WLAN Access Control)

802.1X (“port-based Network Access Control”)

  • Access Point is the “Policy Enforcement Point” (PEP)
  • PEP “asks” the Policy Decision Point (PDP) whether the user is allowed to enter the network or not

On Network/Transport layer

Firewalls, e.g. only grant access to the server from a specific IP

On Application Level: Access Rules

  • Access control lists, e.g. Linux/NT file system, AFS, etc.
  • Policy sets / policy languages for more complex scenarios

SLIDE 45

Firewalls (1)

Firewalls never are only “hardware and software” but always a whole security concept

  • Packet filters filter messages according to source/destination address + ports (TCP/UDP)
  • Ingress/egress filtering
  • Application Layer Gateways (access control, logging)
  • Often network address translation (NAT) is used

[Figure: Internet – outer perimeter – “Demilitarized Zone” with servers – inner perimeter – Intranet]

SLIDE 46

Firewall (1)

Strategies:

Default-Deny

  • Packets that are not explicitly allowed are discarded
  • Pro: (more or less) secure
  • Con: not very convenient for the user

Default-Permit

  • Packets that are not explicitly forbidden are allowed
  • Pro: more convenient
  • Con: less secure

SLIDE 47

Firewall (2)

Firewalls operate on different layers of the ISO/OSI model

Layer 2

Filter MAC addresses, e.g. only “known” MAC addresses may send packets

Layer 3

Filter IP addresses, e.g. only allow traffic from a certain address space

Layer 4

Filter ports, e.g. only allow traffic from a certain application

Application Layer Proxy

“Understands” the payload in packets. They scan for viruses, check content (text, pictures), www addresses, etc.

SLIDE 48

Firewall Mechanisms

Analysis of incoming/outgoing packets (Packet Filtering)

  • Check header fields, e.g. flags, IP addresses and port numbers
  • Allowed or disallowed traffic is specified in an access list, e.g.:
  • incoming deny *.*.*.*, 23 – blocks port 23 (telnet) from any source
  • outgoing permit 129.13.*.*, 80 – allows http only for IP = 129.13.x.y

Network Address Translation (NAT)

  • Multiplexes one public address to several private addresses using port numbers
  • Machines inside the private network are not directly reachable (e.g. 192.168.x.y)
  • NAT gateway performs translation for incoming packets

Proxy Services

  • A service, e.g. http, is only reachable via a gateway (http proxy)
  • Permitted applications have a gateway that controls access
  • Sometimes authentication is needed for session establishment
  • Filter on application layer, e.g. ftp-get is allowed, ftp-put is forbidden
  • Detailed rights management and logging
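Added example (not from the slides) of a first-match packet filter in Python that parses the two access-list lines above in the slide's wildcard notation and evaluates constructed packets under the Default-Deny and Default-Permit strategies of Firewall (1). Addresses match the packet's source, ports match the destination port; the packets use documentation address ranges and are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    direction: str   # "incoming" or "outgoing"
    src: str         # source IP address
    dst: str         # destination IP address
    dport: int       # destination port (TCP/UDP)


@dataclass
class Rule:
    direction: str
    action: str                        # "permit" or "deny"
    network: ipaddress.IPv4Network     # matched against the packet's source address
    port: Optional[int]                # destination port, None = any


def parse_address(pattern: str) -> ipaddress.IPv4Network:
    # Slide notation: "129.13.*.*" -> 129.13.0.0/16, "*.*.*.*" -> 0.0.0.0/0
    octets = pattern.split(".")
    fixed = [o for o in octets if o != "*"]
    if len(octets) != 4 or octets[len(fixed):] != ["*"] * (4 - len(fixed)):
        raise ValueError(f"unsupported address pattern {pattern!r}")
    host = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{host}/{8 * len(fixed)}")


def parse_rule(line: str) -> Rule:
    # "outgoing permit 129.13.*.*, 80"  ->  direction action address, port
    direction, action, rest = line.split(maxsplit=2)
    address, port = (part.strip() for part in rest.split(","))
    if direction not in ("incoming", "outgoing") or action not in ("permit", "deny"):
        raise ValueError(f"bad rule {line!r}")
    return Rule(direction, action, parse_address(address), None if port == "*" else int(port))


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and ipaddress.ip_address(pkt.src) in rule.network
            and (rule.port is None or rule.port == pkt.dport))


def decide(rules: List[Rule], pkt: Packet, default: str) -> str:
    # First matching rule wins; if nothing matches, the default policy applies
    # (default="deny" is Default-Deny, default="permit" is Default-Permit).
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


ACCESS_LIST = [parse_rule(line) for line in (
    "incoming deny *.*.*.*, 23",
    "outgoing permit 129.13.*.*, 80",
)]

# Constructed packets (documentation address ranges, not real hosts).
PACKETS = {
    "telnet from the internet": Packet("incoming", "203.0.113.9", "129.13.1.1", 23),
    "ssh from the internet": Packet("incoming", "203.0.113.9", "129.13.1.1", 22),
    "http from 129.13.5.7": Packet("outgoing", "129.13.5.7", "198.51.100.1", 80),
    "http from 10.0.0.5": Packet("outgoing", "10.0.0.5", "198.51.100.1", 80),
}


def evaluate(default: str) -> dict:
    return {name: decide(ACCESS_LIST, pkt, default) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for policy in ("deny", "permit"):
        print(f"default-{policy}:", evaluate(policy))
```

Only the telnet rule and the 129.13.x.y http rule are explicit; everything else (ssh from outside, http from 10.0.0.5) is decided purely by the default policy, which is the difference between the two strategies on the slide.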

SLIDE 49

Firewall Architectures (1)

The Simple Packet Filter Architecture

Consists of a machine that filters packets, e.g.:

  • A standard computer (e.g. Linux PC) with routing and filtering software
  • A dedicated router with filtering software

Filters according to protocol, IP/ports, TCP flags

[Figure: Internet – Packet Filtering Router (Firewall) – internal network; denied traffic is dropped at the router, permitted traffic passes]

SLIDE 50

Firewall Architectures (2)

The Dual-Homed Host Architecture

Dual-Homed Host offers:

  • Proxy services
  • Packet filtering

Bastion Host = publicly reachable within the internet

Cons:

  • All traffic flows through the Bastion Host. The Bastion Host can be a bottleneck

[Figure: Internet – Dual-Homed Bastion Host (Firewall) – internal network]

SLIDE 51

Firewall Architectures (3)

The Screened Subnet Architecture

  • An outer network (perimeter network, DMZ) is located between two packet filters (one towards the Internet, one towards the Intranet)
  • The inner packet filter prevents harm in case the bastion host is compromised, e.g. sniffing traffic in the intranet
  • Inside the DMZ, often machines are located that offer services for the internet, e.g. web servers

[Figure: Internet – outer packet filter – DMZ with Bastion Host – inner packet filter – Intranet]

Both packet filters can be realized within one firewall. Using this solution, traffic does not need to flow through the DMZ. Also known as Triple-Homed FW.

[Figure: Internet, DMZ and Intranet each attached to one interface of the triple-homed firewall]