CPS110: Landon Cox Page 1 of 10 Secure communication and computation Hardware reality: insecure networks Attacker can eavesdrop on data going over the wire Attacker can modify data Attacker can insert new data or messages Attack can delete data Attacker can replay old messages (eavesdrop, then insert later) Attacker can spoof identity, by pretending to send a message from our IP address Man-in-the-middle attack: eavesdrop and delete the original message, insert a new message that pretends to be from the original sender Secure communication Confidentiality: attacker should not be able to understand data the send sends Authentication: assure receiver that the message is from the right sender Freshness: attacker should not be able to replay an old request No denial-of-service (we don’t know how to do this) Encryption Encryption is the main tool used to provide secure communication Basic idea Encrypt(clear text, e-key) = cipher text Decrypt(cipher text, d-key) = clear text Encrypt and decrypt algorithms are usually public Shouldn’t be able to deduce d-key from (clear text, cipher text) pairsCPS110: Landon Cox Page 2 of 10 Symmetric key encryption e-key = d-key (i.e. symmetric) Only sender and receiver know the key (sometimes this is called “secret key” encryption) Analogous to writing data on a floppy and placing the floppy inside a box with a padlock, then sending the box to the receiver via an untrusted courier. When the receiver gets the box and opens it, he/she knows: The true sender wrote the data on the floppy (authentication) Nobody other than the sender has read the floppy (confidentiality) Symmetric-key encryption algorithms are fast E.g. I send message to the registrar with a student’s grade Encrypt(“B”, key) Can someone modify the message? How do the sender and receiver get a shared secret key in the first place?CPS110: Landon Cox Page 3 of 10 Public-key (asymmetric) encryption e-key ≠ d-key Typically, encrypt() == decrypt() (we’ll just call it crypt ()) Crypt (clear text, e-key) = cipher-text-1 Crypt(cipher-text-1, d-key) = clear text Crypt(clear text, d-key) = cipher-text-2 Crypt(cipher-text-2, e-key) = clear text Note that Cipher-text-1 ≠ cipher-text-2 Crypt(cipher-text-2, d-key) ≠ clear text Crypt(cipher-text-1, e-key) ≠ clear text E-key is called the “public key” Everyone knows the value of everyone’s public keys D-key is called the “private key” Only the sender knows his/her own private key Difficult to guess private key, even if you know the public key, crypt(), and lots of encrypted pairs. Using public-key encryption to authenticate sender “from lpcox” crypt (message, lpcox-private) Anyone can read this message (no confidentiality) Only lpcox can generate this message; others can verify that lpcox generated the message by decrypting it with lpcox-public Why include “from lpcox”? This is called a “digital signature.” Can detect any change to the data. Using public-key encryption for privacy Crypt(message, receiver-public) Anyone can send this message (no authentication) Only receiver can read it Using public-key encryption for authentication and privacy Crypt (“from lpcox” crypt(message, lpcox-private), receiver-public) Only receiver can read this; only lpcox can send it Does the following work? “from lpcox” crypt((crypt(message, receiver-public), lpcox-private)CPS110: Landon Cox Page 4 of 10 Public-key encryption used in SSL (secure sockets layer, used in web https) Ssh (secure shell) Pgp (secure mail) Problems with public-key encryption More computationally expensive than symmetric-key encryption. Solve by using public-key to exchange a short-lived symmetric key (session key) How to change my public key? How to trust authenticity of published public keys? E.g. A wants to communicate with B, so A and B must learn each other’s public keys (A-public and B-public). Villain has two public keys V-public1 and V-public2. What if villain manages to convince A that B’s public key is V-public1? And what if villain can convince B that A’s public key is V-public2? A sends signed and sealed message with the wrong key: crypt(“from A” crypt(message, A-private), V-public1) How to authenticate the published public key? pgp: verify the “fingerprint” of a public key via the telephone or a trusted web server SSL example: your web browser wants to communicate with e-trade. You want to ensure that only e-trade can see your messages; e-trade wants to be sure that you are really who you say you are. Step 1: assure you that your messages can be read only by e-trade E-trade has public key, but how to learn this securely? Certification authority (e.g. verisign) vouches for the authenticity of e-trade’s public key E-trade sends you their public key, digitally signed by verisign: crypt(“e-trade’s public key is X”, verisign-private) I decrypt with verisign’s public key and see that verisign is vouching for e-trade’s public key Once I have e-trade’s public key, e-trade and I can set up a shared session key (could be secret key) Any problem with this?CPS110: Landon Cox Page 5 of 10 Step 2: assure e-trade that you are really who you say you are Most clients don’t have a certified public key from verisign You send you password (encrypted with the secret session key) E-trade decrypts with you password to verify that this session key is really from you. Replay attacks Example using symmetric-key encryption (same is possible with public-key encryption) I send message to bank using symmetric-key encryption encrypt(“transfer $100 to Duke”, key) Evil Duke administrator eavesdrops and saves the encrypted message, then replays it later. Bank transfers another $100 to Duke. How to defend against this attack?CPS110: Landon Cox Page 6 of 10 How to pick a nonce that doesn’t require anyone to keep any state (allow only probabilistic guarantee of freshness)? General security Hardware reality: Collection of processor, memory, disks, network interfaces that can be used by anyone to do anything Or could turn it off, leaving you with hardware that won’t do anything for