Preview question Which of these is a cryptographic primitive based on a Feistel cipher design? CSci 5271 A. DES Introduction to Computer Security Networking (cont’d) and cryptography B. AES Stephen McCamant C. DSA University of Minnesota, Computer Science & Engineering D. CBC E. HMAC Outline TCP Brief introduction to networking, (cont’d) Some classic network attacks Transmission Control Protocol: provides reliable Announcements intermission bidirectional stream abstraction Crypto basics Packets have sequence numbers, acknowledged in Stream ciphers order Block ciphers and modes of operation Missed packets resent later Hash functions and MACs Building a secure channel Flow and congestion control Routing Where do I send this packet next? Flow control: match speed to slowest link Table from address ranges to next hops “Window” limits number of packets sent but not ACKed Core Internet routers need big tables Congestion control: avoid traffic jams Maintained by complex, insecure, cooperative Lost packets signal congestion protocols Additive increase, multiplicative decrease of rate Internet-level algorithm: BGP (Border Gateway Protocol) Below IP: ARP DNS Address Resolution Protocol maps IP addresses to Domain Name System: map more memorable and lower-level address stable string names to IP addresses E.g., 48-bit Ethernet MAC address Hierarchically administered namespace Based on local-network broadcast packets Like Unix paths, but backwards Complex Ethernets also need their own routing (but ✳❡❞✉ server delegates to ✳✉♠♥✳❡❞✉ server, etc. called switches)
DNS caching and reverse DNS Classic application: remote login Killer app of early Internet: access supercomputers To be practical, DNS requires caching at another university Of positive and negative results Telnet: works cross-OS But, cache lifetime limited for freshness Send character stream, run regular login program Also, reverse IP to name mapping rlogin: BSD Unix Based on special top-level domain, IP address written Can authenticate based on trusting computer connection backwards comes from (Also rsh, rcp) Outline Packet sniffing Brief introduction to networking, (cont’d) Some classic network attacks Watch other people’s traffic as it goes by on network Announcements intermission Easiest on: Crypto basics Old-style broadcast (thin, “hub”) Ethernet Stream ciphers Wireless Block ciphers and modes of operation Or if you own the router Hash functions and MACs Building a secure channel Forging packet sources TCP spoofing Forging source address only lets you talk, not listen Source IP address not involved in routing, often not Old attack: wait until connection established, then checked DoS one participant and send packets in their place Change it to something else! Frustrated by making TCP initial sequence numbers Might already be enough to fool a naive UDP unpredictable protocol But see Oakland’12, WOOT’12 for fancier attacks, keyword “off-path” ARP spoofing rlogin and reverse DNS rlogin uses reverse DNS to see if originating host is on whitelist Impersonate other hosts on local network level How can you attack this mechanism with an honest Typical ARP implementations stateless, don’t mind source IP address? changes Now you get victim’s traffic, can read, modify, resend
rlogin and reverse DNS Outline Brief introduction to networking, (cont’d) rlogin uses reverse DNS to see if originating host is Some classic network attacks on whitelist Announcements intermission How can you attack this mechanism with an honest Crypto basics source IP address? Stream ciphers Remember, ownership of reverse-DNS is by IP Block ciphers and modes of operation address Hash functions and MACs Building a secure channel Midterms Project meetings Graded midterms will be given back on Monday Next round of meetings next week 10/28-11/1 Grades will also be on Canvas by then Mostly same times as before, will confirm by email There may be a difficulty adjustment Outline -ography, -ology, -analysis Brief introduction to networking, (cont’d) Some classic network attacks Cryptography (narrow sense): designing encryption Announcements intermission Cryptanalysis: breaking encryption Crypto basics Cryptology: both of the above Stream ciphers Code (narrow sense): word-for-concept substitution Block ciphers and modes of operation Cipher: the “codes” we actually care about Hash functions and MACs Building a secure channel Caesar cipher Keys and Kerckhoffs’s principle Advance three letters in alphabet: The only secret part of the cipher is a key ❆ ✦ ❉❀ ❇ ✦ ❊❀ ✿ ✿ ✿ Security does not depend on anything else being Decrypt by going back three letters secret Internet-era variant: rot-13 Modern (esp. civilian, academic) crypto embraces Easy to break if you know the principle openness quite strongly
Symmetric vs. public key Goal: secure channel Leaks no content information Symmetric key (today’s lecture): one key used by all Not protected: size, timing participants Messages delivered intact and in order Public key: one key kept secret, another published Or not at all Techniques invented in 1970s Even if an adversary can read, insert, and delete Makes key distribution easier Depends on fancier math traffic One-time pad Computational security More realistic: assume adversary has a limit on Secret key is truly random data as long as message computing power Encrypt by XOR (more generally addition mod Secure if breaking encryption is computationally alphabet size) infeasible Provides perfect, “information-theoretic” secrecy E.g., exponential-time brute-force search No way to get around key size requirement Ties cryptography to complexity theory Key sizes and security levels Crypto primitives Difficulty measured in powers of two, ignore small Base complicated systems on a minimal number of constant factors simple operations Power of attack measured by number of steps, aim Designed to be fast, secure in wide variety of uses for better than brute force ✷ ✸✷ definitely too easy, probably ✷ ✻✹ too Study those primitives very intensely Modern symmetric key size: at least ✷ ✶✷✽ Attacks on encryption Certificational attacks Known ciphertext Good primitive claims no attack more effective than Weakest attack brute force Any break is news, even if it’s not yet practical Known plaintext (and corresponding ciphertext) Canary in the coal mine Chosen plaintext E.g., ✷ ✶✷✻✿✶ attack against AES-128 Chosen ciphertext (and plaintext) Also watched: attacks against simplified variants Strongest version: adaptive
Fundamental ignorance Relative proofs Prove security under an unproved assumption We don’t really know that any computational cryptosystem is secure In symmetric crypto, prove a construction is secure if the primitive is Security proof would be tantamount to proving Often the proof looks like: if the construction is insecure, P ✻ ❂ ◆P so is the primitive Crypto is fundamentally more uncertain than other Can also prove immunity against a particular kind of parts of security attack Random oracle paradigm Pseudorandomness and distinguishers Claim: primitive cannot be distinguished from a truly Assume ideal model of primitives: functions selected random counterpart uniformly from a large space In polynomial time with non-negligible probability Anderson: elves in boxes We can build a distinguisher algorithm to exploit any Not theoretically sound; assumption cannot be weakness satisfied Slightly too strong for most practical primitives, but a But seems to be safe in practice good goal Open standards A certain three-letter agency How can we get good primitives? National Security Agency (NSA): has primary Open-world best practice: run competition, invite responsibility for “signals intelligence” experts to propose then attack Dual-mission tension: Run by neutral experts, e.g. US NIST Break the encryption of everyone in the world Help US encryption not be broken by foreign powers Recent good examples: AES, SHA-3 Outline Stream ciphers Brief introduction to networking, (cont’d) Some classic network attacks Closest computational version of one-time pad Announcements intermission Key (or seed) used to generate a long Crypto basics pseudorandom bitstream Stream ciphers Closely related: cryptographic RNG Block ciphers and modes of operation Hash functions and MACs Building a secure channel
Recommend
More recommend
