Outline Security Protocols Societal issues and cryptography CS - - PDF document

1

Lecture 8 Page 1 CS 239, Winter 2003

Security Protocols CS 239 Computer Security February 10, 2003

Lecture 8 Page 2 CS 239, Winter 2003

Outline

• Societal issues and cryptography
• Key recovery cryptosystems
• Designing secure protocols
• Basic protocols

–Key exchange

Lecture 8 Page 3 CS 239, Winter 2003

Legal and Political Issues in Cryptography

• Cryptography is meant to help keep

secrets

• But should all secrets be kept?
• Many legal and moral issues

Lecture 8 Page 4 CS 239, Winter 2003

Societal Implications of Cryptography

• Criminals can conceal communications

from the police

• Citizens can conceal taxable income

from the government

• Terrorists can conceal their activities

from governments trying to stop them

Lecture 8 Page 5 CS 239, Winter 2003

Problems With Controlling Cryptography

• Essentially, it’s mostly algorithms
• If you know the algorithm, you can

have a working copy easily

• At which point, you can conceal your

secrets from anybody –To the strength the algorithm provides

Lecture 8 Page 6 CS 239, Winter 2003

Governmental Responses to Cryptography

• They vary widely
• Some nations require government

approval to use cryptography

• Some nations have no laws governing

it at all

• The US laws less restrictive than they

used to be

2

Lecture 8 Page 7 CS 239, Winter 2003

The US Government Position on Cryptography

• All forms of cryptography are legal to

use in the US

• BUT

–Some minor restrictions on exporting cryptography to other countries

• The NSA used to try to keep a lid on

cryptographic research

Lecture 8 Page 8 CS 239, Winter 2003

US Restrictions on Cryptographic Exports

• Rules changed in 2000
• Greatly liberalizing cryptographic

exports

• Almost all cryptography is exportable
• Exception is for government use by a

handful of countries –Those the US government currently doesn’t like

Lecture 8 Page 9 CS 239, Winter 2003

Cryptographic Source Code and Free Speech

• US government took Phil

Zimmermann to court over PGP

• Court ruled that he had a free-speech

right to publish PGP source

• Eventually, appeals courts also found

in favor of Zimmermann

Lecture 8 Page 10 CS 239, Winter 2003

Other Nations and Cryptography

• Generally, most nations have few or no

restrictions on cryptography

• A group of treaty signatories have export

restrictions similar to US’s

• Some have strong restrictions

– China, Russia, Vietnam, a few others

• A few have laws on domestic use of crypto

– E.g., Australia, UK, India have laws that demand decryption with court order

Lecture 8 Page 11 CS 239, Winter 2003

Key Recovery Cryptosystems

• An attempt to balance:

– Legitimate societal security needs

• Requiring strong encryption

– And legitimate governmental and law enforcement needs

• Requiring access to data
• How can you have strong encryption and

still satisfy governments?

Lecture 8 Page 12 CS 239, Winter 2003

Idea Behind Key Recovery

• Use encryption algorithms that are highly

secure against cryptanalysis

• But with mechanisms that allow legitimate

law enforcement agency to: – Obtain any key with sufficient legal authority – Very, very quickly – Without the owner knowing

3

Lecture 8 Page 13 CS 239, Winter 2003

Proper Use of Data Recovery Methods

• All encrypted transmissions (or saved data)

must have key recovery methods applied

• Basically, the user must cooperate

– Or his encryption system must force him to cooperate – Which implies everyone must use this form of cryptosystem

Lecture 8 Page 14 CS 239, Winter 2003

Methods to Implement Key Recovery

• Key registry method

–Register all keys before use

• Data field recovery method

–Basically, keep key in specially encrypted form in each message –With special mechanisms to get key

• ut of the message

Lecture 8 Page 15 CS 239, Winter 2003

Problems With Key Recovery Systems

• Requires trusted infrastructures
• Requires cooperation (forced or voluntary)
• f all users
• Requires more trust in authorities than

many people have

• International issues
• Performance and/or security problems with

actual algorithms

Lecture 8 Page 16 CS 239, Winter 2003

The Current Status of Key Recovery Systems

• Pretty much dead
• US tried to convince everyone to use

them –Skipjack algorithm, Clipper chip

• Very few agreed
• US is moving on to other approaches

to dealing with cryptography

Lecture 8 Page 17 CS 239, Winter 2003

Basics of Security Protocols

• Work from the assumption (usually) that

your encryption is sufficiently strong

• Given that, how do you design the exchange
• f messages to securely achieve a given

result?

• Not nearly as easy as you probably think

Lecture 8 Page 18 CS 239, Winter 2003

Security Protocols

• A series of steps involving two or more

parties designed to accomplish a task with suitable security

• Sequence is important
• Cryptographic protocols use cryptography
• Different protocols assume different levels
• f trust between participants

4

Lecture 8 Page 19 CS 239, Winter 2003

Types of Security Protocols

• Arbitrated protocols

–Involving a trusted third party

• Adjudicated protocols

–Trusted third party, after the fact

• Self-enforcing protocols

–No trusted third party

Lecture 8 Page 20 CS 239, Winter 2003

Participants in Security Protocols

Alice Bob Carol David

Lecture 8 Page 21 CS 239, Winter 2003

And the Bad Guys

Eve Who only listens passively Who is actively malicious Mallory And sometimes Alice or Bob might cheat

Lecture 8 Page 22 CS 239, Winter 2003

Trusted Arbitrator

Trent A disinterested third party trusted by all legitimate participants Arbitrators often simplify protocols, but add

• verhead

Lecture 8 Page 23 CS 239, Winter 2003

Key Exchange Protocols

• Often we want a different encryption key

for each communication session

• How do we get those keys to the

participants? – Securely – Quickly – Even if they’ve never communicated before

Lecture 8 Page 24 CS 239, Winter 2003

Key Exchange With Symmetric Encryption and a Arbitrator

• Alice and Bob want to talk securely

with a new key

• They both trust Trent

–Assume Alice & Bob each share a key with Trent

• How do Alice and Bob get a shared

key?

5

Lecture 8 Page 25 CS 239, Winter 2003

Step One

Alice Bob Trent KA KA KB KB Alice Requests Session Key for Bob Who knows what at this point?

Lecture 8 Page 26 CS 239, Winter 2003

Step Two

Alice Bob Trent KA KA KB KB KS EKA(KS), EKB(KS) EKA(KS), EKB(KS) Who knows what at this point?

Lecture 8 Page 27 CS 239, Winter 2003

Step Three

Alice Bob Trent KA KA KB KB KS EKA(KS), EKB(KS) KS EKB(KS) KS Who knows what at this point?

Lecture 8 Page 28 CS 239, Winter 2003

What Has the Protocol Achieved?

• Alice and Bob both have a new session

key

• The session key was transmitted using

keys known only to Alice and Bob

• Both Alice and Bob know that Trent

participated

• But there are vulnerabilities

Lecture 8 Page 29 CS 239, Winter 2003

Problems With the Protocol

• What if the initial request was grabbed

by Mallory?

• Could he do something bad that ends

up causing us problems?

• Yes!
• (And there are also replay problems)

Lecture 8 Page 30 CS 239, Winter 2003

The Man-in-the-Middle Attack

• A class of attacks where an active

attacker interposes himself secretly in a protocol

• Allowing alteration of the effects of the

protocol

• Without necessarily attacking the

encryption

6

Lecture 8 Page 31 CS 239, Winter 2003

Applying the Man-in-the-Middle Attack

Alice Bob Trent KA KA KB KB Mallory KM KM Alice Requests Session Key for Bob Alice Requests Session Key for Mallory Who knows what at this point? More precisely, what do they think they know?

Lecture 8 Page 32 CS 239, Winter 2003

Trent Does His Job

Alice Bob Trent KA KA KB KB Mallory KM KM EKA(KS), EKM(KS)

Lecture 8 Page 33 CS 239, Winter 2003

Alice Gets Ready to Talk to Bob

Alice Bob Trent KA KA KB KB Mallory KM KM EKM(KS) KS EKM(KS) EKM(KS) KS Mallory can now masquerade as Bob

Lecture 8 Page 34 CS 239, Winter 2003

Really Getting in the Middle

Alice Bob Trent KA KA KB KB Mallory KM KM KS KS Mallory can also ask Trent for a key to talk to Bob KS1 KS1 EKM(KS1), EKB(KS1) EKB(KS1)

Lecture 8 Page 35 CS 239, Winter 2003

Mallory Plays Man-in-the- Middle

Alice Bob Mallory KS KS KS1 KS1

Alice’s big secret

EKS(Alice’s big secret) EKS(Alice’s big secret)

Alice’s big secret

EKS1(Alice’s big secret)

Alice’s big secret Bob’s big secret

EKS1(Bob’s big secret) EKS1(Bob’s big secret)

Bob’s big secret

EKS(Bob’s big secret) EKS(Bob’s big secret)

Bob’s big secret

Lecture 8 Page 36 CS 239, Winter 2003

Defeating the Man In the Middle

• Problems:

1). Trent doesn’t really know what he’s supposed to do 2). Alice doesn’t verify he did the right thing

• Minor changes can fix that

1). Encrypt request with KA 2). Include identity of other participant in response - EKA(KS, Bob)

7

Lecture 8 Page 37 CS 239, Winter 2003

Applying the First Fix

Alice Bob Trent KA KA KB KB Mallory KM KM EKA(Alice Requests Session Key for Bob) Mallory can’t read the request And Mallory can’t forge or alter Alice’s request

Lecture 8 Page 38 CS 239, Winter 2003

Key Exchange With Public Key Cryptography

• With no trusted arbitrator
• Alice sends Bob her public key
• Bob sends Alice his public key
• Alice generates a session key and sends it to

Bob encrypted with his public key, signed with her private key

• Bob decrypts Alice’s message with his

private key

• Encrypt session with shared session key

Lecture 8 Page 39 CS 239, Winter 2003

Basic Key Exchange Using PK

Bob Alice KEA , KDA KEB , KDB

Alice’s PK is KDA Bob’s PK is KDB EKEA(EKDB(KS)) KS

Bob verifies the message came from Alice

EKDB(KS)

Bob extracts the key from the message

KS

Lecture 8 Page 40 CS 239, Winter 2003

Man-in-the-Middle With Public Keys

Bob Mallory Alice KEA , KDA KEM , KDM KEB , KDB

Alice’s PK is KDA Alice’s PK is KDM

Now Mallory can pose as Alice to Bob

Lecture 8 Page 41 CS 239, Winter 2003

And Bob Sends His Public Key

Bob Mallory Alice KEA , KDA KEM , KDM KEB , KDB

Bob’s PK is KDM Bob’s PK is KDB

Now Mallory can pose as Bob to Alice

Lecture 8 Page 42 CS 239, Winter 2003

Alice Chooses a Session Key

Bob Mallory Alice KEA , KDA KEM , KDM KEB , KDB Bob and Alice are sharing a session key

EKEA (EKDM(KS)) EKEM (EKDB(KS))

But they’re unknowingly sharing it with Mallory, too

8

Lecture 8 Page 43 CS 239, Winter 2003

Defeating This Man-in-the- Middle Attack

• Use Rivest and Shamir’s interlock

protocol

• Doesn’t require any authorities
• Essentially, send stuff in pieces of an

encrypted whole

• The man in the middle has little chance
• f correctly dealing with pieces

Lecture 8 Page 44 CS 239, Winter 2003

Using the Interlock Protocol

• Alice sends Bob her public key
• Bob sends Alice his public key
• Alice encrypts the message in Bob’s

public key and sends half of it to Bob

• Bob encrypts his message in Alice’s

public key and sends half of it to Alice

• Alice sends her other half to Bob

Lecture 8 Page 45 CS 239, Winter 2003

Continuing the Interlock Protocol

• Bob puts Alice’s two halves together

and decrypts

• Bob sends the other half of his

encrypted message to Alice

• Alice puts Bob’s halves together and

decrypts

Lecture 8 Page 46 CS 239, Winter 2003

Why Does This Protocol Help?

• Because the man in the middle must

provide half of an encrypted message before he gets all of it

• Consider one part of the attack -

–Mallory wants to translate the message in Alice’s public key into Mallory’s public key

Lecture 8 Page 47 CS 239, Winter 2003

What Does Mallory Do?

• Mallory has deceptively sent out her public

key to Bob and Alice – Claiming it’s theirs – And Mallory knows their public keys

• Alice send Mallory half of an encrypted

message

• Now Mallory must send Bob half an

encrypted message

Lecture 8 Page 48 CS 239, Winter 2003

Mallory’s Situation

Bob Mallory Alice KEA , KDA KEM , KDM KEB , KDB

KEA KEA KEA

9

Lecture 8 Page 49 CS 239, Winter 2003

Mallory’s Problem

• Mallory can’t yet decrypt Alice’s message

– Since he only has half of it

• Mallory must provide Bob two matching

halves eventually – And one right now

• Mallory’s only choice is to generate a new

message before he knows the real message

Lecture 8 Page 50 CS 239, Winter 2003

Mallory’s Only Option

Bob Mallory Alice KEA , KDA KEM , KDM KEB , KDB

KEA KEA KEA KEM KEM KEM KEM Lecture 8 Page 51 CS 239, Winter 2003

Why Is This A Problem For Mallory?

• Mallory must now spoof proper

contents of Bob and Alice’s conversation

• Without knowing the real contents

until later

• Bob and Alice are likely to notice

problems quickly

Lecture 8 Page 52 CS 239, Winter 2003

Is This Generally Feasible?

• Not really
• Assumes Bob has a useful, unguessable

message before Alice’s message arrives

• Not really the way the world works
• If Mallory can guess Bob’s message, he can

play the standard man-in-the-middle game

Lecture 8 Page 53 CS 239, Winter 2003

Diffie/Hellman Key Exchange

• Securely exchange a key

–Without previously sharing any secrets

• Alice and Bob agree on a large prime n

and a number g –g should be primitive mod n

• n and g don’t need to be secrets

Lecture 8 Page 54 CS 239, Winter 2003

Exchanging a Key in Diffie/Hellman

• Alice and Bob want to set up a session

key –How can they learn the key without anyone else knowing it?

• Protocol assumes authentication
• Alice chooses a large random integer x

and sends Bob X = gxmod n

10

Lecture 8 Page 55 CS 239, Winter 2003

Exchanging the Key, Con’t

• Bob chooses a random large integer y

and sends Alice Y = gy mod n

• Alice computes k = Yx mod n
• Bob computes k’ = Xy mod n
• k and k’ are both equal to gxymod n
• But nobody else can compute k or k’

Lecture 8 Page 56 CS 239, Winter 2003

Why Can’t Others Get the Secret?

• What do they know?

– n, g, X, and Y – Not x or y

• Knowing X and y gets you

k

• Knowing Y and x gets you k’
• Knowing X and Ygets you nothing

– Unless you compute the discrete logarithm to obtain x or y