Foundations of Network and Computer SecurityEconomist SurveyWhat IS Computer Security?Slide 4CryptographyIn the Beginning…KerckhoffWhat is a “key”?Digression on BlocksizeImproving CaesarExhaustive Key-searchSo Substitution Cipher is Secure?What did we just Implicitly Assume?Small Blocksizes are BadKey is too LargeExample BlockcipherDigression on TerminologyLooking at Blockcipher XSo it’s Syntactically ValidBackgroundBlockciphersSecurityBlockcipher Security (cont.)Slide 24Theme to NoteOur Blockcipher XAnalysis of X (cont.)Foundations of Network and Foundations of Network and Computer SecurityComputer SecurityJJohn BlackLecture #2Aug 25th 2005CSCI 6268/TLEN 5831, Fall 2005Economist Survey•Please read it•Main points–Security is a MUCH broader topic than just SSL and viruses–Firewalls don’t always work–Economics are a factor–And more...What IS Computer Security?•Cryptography–Mostly based in mathematics•Network Services–Offense: Overflows, SQL injection, format strings, etc–Defense: Firewalls, IDSes, Sandboxing, Honeypots•Software Engineering–You have to find all flaws, they only have to find one•Policy–Laws affect profoundly our security and privacy, as we have already seenWhat IS Computer Security?•Soft Science–Trust Models (Bell-LaPadula, Insider Threat, etc)–Economics, Game Theory–Social Engineering•Education–Students become our programmers•Insufficient training in security issues•Various–Credit Card Scanners•Should you trust your CC# on the Internet?–ATM storyCryptography•Introduction to cryptography–Why?•We’re doing things bottom-up•Crypto is a fundamental building block for securing networks, but by NO MEANS a panacea–Often done well•Breaking the crypto is often not the easiest way in–Instead exploit some of those other holes!–Long history–Based on lots of mathIn the Beginning…•“Classical” cryptography–Caesar cipher aka shift cipher•A  Z, B  A, C  B, etc…•We are shifting by -1 or, equivalently, by 25•Here the “domain” is A…Z and shifts are done modulo 26–Ex: What happens to “IBM” with a shift of 25?Kerckhoff–Kerckhoff’s principal•Assume algorithm is public and all security rests with the “key”•The opposite philosophy is sometimes called “security thru obscurity”–Often dubious»Experts say you want people to see the algorithm… the more analysis it sees, the better!–Used in military settings however»Why give them any information??»Skipjack was this wayWhat is a “key”?•We have a basic enciphering mechanism–We just saw the Caesar cipher•The “key” is the “variable” part of the algorithm–What was our key with the Caesar cipher?–How many keys were possible?–Why is this cipher insecure?Digression on Blocksize•The “blocksize” of a cipher is the size, in bits, of its domain–Caesar took 26 inputs, so about 4.7 bit blocksize–We take lg(|D|) to compute blocksize•Often it’s already specified in bits–Keysize is analogous•What was the keysize of the Caesar cipher?•A “blockcipher” always outputs the same number of bits as it takes in–Ciphers induce a “permutation” on their domain•This means they are 1-to-1•Without this, we couldn’t decipher!Improving Caesar•Substitution Cipher–We allow each {A,…, Z} to map to any other character in this set•Ex: A  Q, B  S, C  A, etc…•We must still ensure a 1-to-1 mapping!•How many mappings are possible?•What is the key here?•What is the keysize?–Is exhaustive key-search feasible here?Exhaustive Key-search•We had 403291461126605635584000000 possible keys–Keysize is lg of this, or about 88.4 bits–Infeasible to exhaustively search even with a lot of money and resources!•Rule of Thumb–230 quite easily–240 takes a while, but doable (exportable keysize!)–250 special hardware, parallelism important–260 only large government organizations–270 approaching the (current) limits of imaginationSo Substitution Cipher is Secure?•Nope–Ever do the Sunday Cryptograms?–Attacks:•Frequency analysis–etaoinshrdlu…•Diphthongs, triphthongs–ST, TH, not QX•Word lengths–A and I are only 1-letter words•Other statistical measures–Index of CoincidenceWhat did we just Implicitly Assume?•What assumption was made in these attacks?•What was a central feature of the Substitution Cipher which permitted these attacks? (hard)•How can we repair these problems?Small Blocksizes are Bad•Ok, we had a blocksize of < 5 bits–So fix it!–Try 64 bits instead–All is well?•How many permutations are there now?–264! ¼ 2270–Stirling’s formula:•What is the keysize (in bits)?–About 270 bits! Yow!–64 GB is 26 * 230 * 23 = 239Key is too Large•We can’t store 270 bit keys–What can we do then?–Idea: instead of representing ALL 264! permutations we select a “random looking” subset of them!•We will implement the map via an algorithm•Our subset will be MUCH smaller than the set of all permutationsExample Blockcipher•Suppose we have 64-bit blocksize•Suppose we have 64-bit keys–Notice this is FAR smaller than 270-bit keys, so we will be representing a vastly smaller set of permutations–Select a key K at random from {0,1}64•{0,1}64 is the set of all length-64 binary strings•Let C = P © K–Here © means XORDigression on Terminology•Note that we used specific letters in our formula C = P © K–P is the “plaintext”–C is the “ciphertext”–K is usually used for “key”•Call this blockcipher X–X : {0,1}64 £ {0,1}64  {0,1}64 –This means E takes two 64-bit strings and produces a 64-bit outputLooking at Blockcipher X•First, is it even a valid cipher?–Is it 1-to-1?•Basic facts on xor’s:–A © A = 0 A © B = B © A–A © 0 = A A © (B © C) = (A © B) © C•So prove 1-to-1:–Suppose P  P’ but C = C–Then P © K = P’ © K –so P © P’ = K © K –and P © P’ = 0 –so P = P’, contradictionSo it’s S y ntac tically Valid•What about its security?–It’s terrible, but before we can really look more closely at it we need to learn more about what “secure” means–A second problem is that we still haven’t said how to “encrypt,” only to “encipher”•Encryption handles a bunch of variable-length messages•Enciphering handles inputs of one fixed size; ergo the term “blockcipher”Background•So really we’ve been talking about things