Outline Security Protocols • Societal issues and cryptography CS 239 • Key recovery cryptosystems Computer Security • Designing secure protocols February 10, 2003 • Basic protocols –Key exchange Lecture 8 Lecture 8 Page 1 Page 2 CS 239, Winter 2003 CS 239, Winter 2003 Legal and Political Issues in Societal Implications of Cryptography Cryptography • Cryptography is meant to help keep • Criminals can conceal communications secrets from the police • But should all secrets be kept? • Citizens can conceal taxable income from the government • Many legal and moral issues • Terrorists can conceal their activities from governments trying to stop them Lecture 8 Lecture 8 Page 3 Page 4 CS 239, Winter 2003 CS 239, Winter 2003 Problems With Controlling Governmental Responses to Cryptography Cryptography • Essentially, it’s mostly algorithms • They vary widely • If you know the algorithm, you can • Some nations require government have a working copy easily approval to use cryptography • At which point, you can conceal your • Some nations have no laws governing secrets from anybody it at all –To the strength the algorithm • The US laws less restrictive than they provides used to be Lecture 8 Lecture 8 Page 5 Page 6 CS 239, Winter 2003 CS 239, Winter 2003 1
The US Government Position on US Restrictions on Cryptography Cryptographic Exports • Rules changed in 2000 • All forms of cryptography are legal to use in the US • Greatly liberalizing cryptographic exports • BUT • Almost all cryptography is exportable –Some minor restrictions on exporting • Exception is for government use by a cryptography to other countries handful of countries • The NSA used to try to keep a lid on –Those the US government currently cryptographic research doesn’t like Lecture 8 Lecture 8 Page 7 Page 8 CS 239, Winter 2003 CS 239, Winter 2003 Cryptographic Source Code and Other Nations and Cryptography Free Speech • Generally, most nations have few or no • US government took Phil restrictions on cryptography Zimmermann to court over PGP • A group of treaty signatories have export • Court ruled that he had a free-speech restrictions similar to US’s right to publish PGP source • Some have strong restrictions – China, Russia, Vietnam, a few others • Eventually, appeals courts also found • A few have laws on domestic use of crypto in favor of Zimmermann – E.g., Australia, UK, India have laws that demand decryption with court order Lecture 8 Lecture 8 Page 9 Page 10 CS 239, Winter 2003 CS 239, Winter 2003 Key Recovery Cryptosystems Idea Behind Key Recovery • An attempt to balance: • Use encryption algorithms that are highly – Legitimate societal security needs secure against cryptanalysis • Requiring strong encryption • But with mechanisms that allow legitimate – And legitimate governmental and law law enforcement agency to: enforcement needs – Obtain any key with sufficient legal • Requiring access to data authority • How can you have strong encryption and – Very, very quickly still satisfy governments? – Without the owner knowing Lecture 8 Lecture 8 Page 11 Page 12 CS 239, Winter 2003 CS 239, Winter 2003 2
Proper Use of Data Recovery Methods to Implement Methods Key Recovery • All encrypted transmissions (or saved data) • Key registry method must have key recovery methods applied –Register all keys before use • Basically, the user must cooperate • Data field recovery method – Or his encryption system must force him –Basically, keep key in specially to cooperate encrypted form in each message – Which implies everyone must use this –With special mechanisms to get key form of cryptosystem out of the message Lecture 8 Lecture 8 Page 13 Page 14 CS 239, Winter 2003 CS 239, Winter 2003 Problems With Key The Current Status of Key Recovery Systems Recovery Systems • Requires trusted infrastructures • Pretty much dead • Requires cooperation (forced or voluntary) • US tried to convince everyone to use of all users them • Requires more trust in authorities than –Skipjack algorithm, Clipper chip many people have • Very few agreed • International issues • US is moving on to other approaches • Performance and/or security problems with to dealing with cryptography actual algorithms Lecture 8 Lecture 8 Page 15 Page 16 CS 239, Winter 2003 CS 239, Winter 2003 Basics of Security Protocols Security Protocols • Work from the assumption (usually) that • A series of steps involving two or more your encryption is sufficiently strong parties designed to accomplish a task with • Given that, how do you design the exchange suitable security of messages to securely achieve a given • Sequence is important result? • Cryptographic protocols use cryptography • Not nearly as easy as you probably think • Different protocols assume different levels of trust between participants Lecture 8 Lecture 8 Page 17 Page 18 CS 239, Winter 2003 CS 239, Winter 2003 3
Types of Security Protocols Participants in Security Protocols • Arbitrated protocols –Involving a trusted third party • Adjudicated protocols Alice Bob –Trusted third party, after the fact • Self-enforcing protocols David –No trusted third party Carol Lecture 8 Lecture 8 Page 19 Page 20 CS 239, Winter 2003 CS 239, Winter 2003 And the Bad Guys Trusted Arbitrator And sometimes Trent Alice or Bob A disinterested third party trusted by all Eve might cheat Mallory legitimate participants Who only listens Who is actively Arbitrators often simplify protocols, but add passively malicious overhead Lecture 8 Lecture 8 Page 21 Page 22 CS 239, Winter 2003 CS 239, Winter 2003 Key Exchange With Symmetric Key Exchange Protocols Encryption and a Arbitrator • Often we want a different encryption key • Alice and Bob want to talk securely for each communication session with a new key • How do we get those keys to the • They both trust Trent participants? –Assume Alice & Bob each share a – Securely key with Trent – Quickly • How do Alice and Bob get a shared – Even if they’ve never communicated before key? Lecture 8 Lecture 8 Page 23 Page 24 CS 239, Winter 2003 CS 239, Winter 2003 4
Step One Step Two K A K B K A K B Alice Alice Bob Bob E KA ( K S ), Alice E KB ( K S ) Who knows Who knows Requests what at this what at this Session E KA ( K S ), point? point? Key for E KB ( K S ) Trent Bob Trent K A K B K A K B K S Lecture 8 Lecture 8 Page 25 Page 26 CS 239, Winter 2003 CS 239, Winter 2003 What Has the Protocol Step Three Achieved? K S • Alice and Bob both have a new session E KB ( K S ) K A K B key Alice Bob • The session key was transmitted using E KA ( K S ), keys known only to Alice and Bob K S E KB ( K S ) Who knows • Both Alice and Bob know that Trent what at this participated point? • But there are vulnerabilities Trent K A K B K S Lecture 8 Lecture 8 Page 27 Page 28 CS 239, Winter 2003 CS 239, Winter 2003 Problems With the Protocol The Man-in-the-Middle Attack • A class of attacks where an active • What if the initial request was grabbed attacker interposes himself secretly in a by Mallory? protocol • Could he do something bad that ends • Allowing alteration of the effects of the up causing us problems? protocol • Yes! • Without necessarily attacking the • (And there are also replay problems) encryption Lecture 8 Lecture 8 Page 29 Page 30 CS 239, Winter 2003 CS 239, Winter 2003 5
Applying the Man-in-the-Middle Trent Does His Job Attack K A K B K A K B K M K M Alice Alice Bob Bob Mallory Mallory E KA ( K S ), Alice More precisely, Who knows Alice E KM ( K S ) Requests what do they think what at this Requests Session they know? Session point? Key for Key for Mallory Trent Trent K A K B K A K B Bob K M K M Lecture 8 Lecture 8 Page 31 Page 32 CS 239, Winter 2003 CS 239, Winter 2003 Alice Gets Ready to Talk to Bob Really Getting in the Middle E KM ( K S ) K A K B K A K B K M K M Alice Alice K S1 Bob Bob K S K S E KM ( K S1 ), Mallory Mallory K S K S E KB ( K S1 ) E KM ( K S ) Mallory can now E KB ( K S1 ) E KM ( K S ) K S1 masquerade as Mallory can also Bob ask Trent for a key to talk to Trent Trent K A K B K A K B Bob K M K M Lecture 8 Lecture 8 Page 33 Page 34 CS 239, Winter 2003 CS 239, Winter 2003 Mallory Plays Man-in-the- Defeating the Man In the Middle Middle • Problems: 1). Trent doesn’t really know what he’s Alice K S1 Bob supposed to do K S Mallory 2). Alice doesn’t verify he did the right thing K S Alice’s big secret K S1 • Minor changes can fix that Bob’s big secret Alice’s big secret E KS ( Alice’s big secret ) E KS1 ( Alice’s big secret ) 1). Encrypt request with K A E KS ( Alice’s big secret ) E KS1 ( Bob’s big secret ) E KS ( Bob’s big secret ) 2). Include identity of other participant in E KS1 ( Bob’s big secret ) E KS ( Bob’s big secret ) response - E KA ( K S , Bob) Alice’s big secret Bob’s big secret Bob’s big secret Lecture 8 Lecture 8 Page 35 Page 36 CS 239, Winter 2003 CS 239, Winter 2003 6
Recommend
More recommend