Securing Communication Cryptography EE 122 Intro to Communication Networks Fall 2006 MW 4 5 30 in Donner 155 Vern Paxson TAs Dilip Antony Joseph and Sukun Kim http inst eecs berkeley edu ee122 Materials with thanks to Jennifer Rexford Ion Stoica and colleagues at Princeton and UC Berkeley 1 Announcements No lecture this Weds Nov 22 My office hours Weds Nov 22 are by request i e send email in advance don t be shy Next week s office hours are by appointment for Monday Nov 27 plus possibly Tuesday Nov 28 I m traveling Tues Fri Guest lecture Weds Nov 29 Prof Ion Stoica What new or more in depth topic s would you like covered in the penultimate lecture Proposed so far security multimedia wireless What particular review topics for final lecture 2 1 Goals of Today s Lecture Finish discussion of tunneling Requirements for secure communication Technology for secure communication cryptography Symmetric encryption secret key Asymmetric encryption public key Cryptographic hash functions integrity signatures Classes of attacks on cryptosystems Public Key Infrastructure PKI time permitting 3 Example Tunneling IP over Email From doesnt matter bogus com To my buddy tunnel decapsulators R us Subject Here s my IP datagram IP header version 4 IP header len 5 IP ID 11234 IP src 1 2 3 4 IP dst 5 6 7 8 IP payload 0xa144bf2c0102 Program receives this legal email and builds an IP packet corresponding to description in email body injects it into the network How can a firewall detect this 4 2 Tunneling con t E g IP over ICMP Encode an IP datagram as the payload of a ping packet E g Skype over HTTP Encode Skype message in URL of requests or header fields or cookies of replies Note 1 to tunnel the sender and receiver must both cooperate Note 2 tunneling has many legitimate uses too E g overlay networks that forward packets along paths different from what direct routing would pick E g Virtual Private Networks VPNs Make a remote machine look like it s local to its home network Tunnel encrypts traffic too for privacy 5 Requirements for Secure Communication Authentication who is this actor Attacker counterpart spoofing Authorization is this actor allowed to do what they request Attacker counterpart compromise Accountability Attribution who did this activity For messages non repudiation Sender can t later claim didn t send it Receiver can t claim didn t receive it Attacker counterpart framing Integrity do messages arrive in their original form 6 3 Requirements for Secure Communication Confidentiality is communication free from eavesdropping Attacker counterpart sniffing man in the middle Availability can you use the network a service when you want to Attacker counterpart Denial of Service DoS theft ofservice Audit forensics what occurred in the past A broader notion of accountability attribution Appropriate use policies regarding use of resources E g no spam no games during business hours etc 7 Securing Communication Cryptography Cryptography communication in the presence of adversaries Studied for thousands of years See the Simon Singh s The Code Book for an excellent highly readable history Central goal how to encode information so that an adversary can t extract it but a friend can General premise there is a key possession of which allows decoding but without which decoding is infeasible Thus key must be kept secret and not guessable 8 4 Symmetric Key Encryption Same key for encryption and decryption When used for communication central problem is key distribution How do the parties agree on the key How big should the key be What can you do with a huge key One time pad huge key of random bits To encrypt just XOR with the key same to decrypt Provably secure provided You never reuse the key and it really is random unpredictable Spies actually use these 9 Shorter Symmetric Keys One way to approximate a one time pad generate a very good pseudo random number stream And XOR the plaintext with it to get the ciphertext Key is the seed used to initialize the generator More general algorithms that produce keyed permutations of their input Permutation different inputs mapped to different outputs Necessary so that decryption recovers a unique original Key selects between zillions of possible permutations Works with a block size e g 64 bits To encrypt a stream can encrypt blocks separately or link them Note output is same size as input other than padding 10 5 Operation of Symmetric Key Cipher 11 Using Symmetric Keys Both the sender and the receiver use the same secret keys Plaintext Encrypt with secret key Plaintext Internet Decrypt with secret key Ciphertext 12 6 Symmetric Crypto for Authentication Client s secret key CHK client Server s secret key SHK server E x C HK Does CHK SHK Notation E m k encrypt message m with key k E x K 1 SH E y 1 x y nonces random values Avoid replay attacks e g attacker impersonating client or server K session key used for data communication E K E y S CHK SHK E m e HK ssage K minimize of messages containing CHK SHK 13 Symmetric Key Ciphers DES AES Data Encryption Standard DES Developed by IBM in 1970s standardized by NBS NIST 56 bit key decreased from 64 bits at NSA s request Still fairly strong other than brute forcing the key space But custom hardware can crack a key in 24 hours Today many financial institutions use Triple DES DES applied 3 times with 3 keys totaling 168 bits Advanced Encryption Standard AES Replacement for DES standardized in 2002 Key size 128 192 or 256 bits How fundamentally strong are they No one knows no proofs exist 14 7 Integrity Cryptographic Hashes Basic building block for integrity hashing Associate hash with byte stream receiver verifies match Assures data hasn t been modified either accidentally or maliciously TCP checksum a very simple weak such hash Lets us succinctly refer to large data items Approach Sender computes a digest of message m i e H m H is a publicly known hash function Send digest d H m to receiver in a secure way e g Using another physical channel Using encryption Upon receiving m and d receiver re computes H m to see whether result agrees with d 15 Operation of Hashing for Integrity corrupted msg Plaintext Plaintext NO Digest MD5 Internet digest Digest MD5 digest 16 8 Cryptographically Strong Hashes Desired properties when faced with an adversary Hard to invert Given hash adversary can t find input that produces it Hard to find collisions Adversary can t find two inputs that produce the same hash Someone cannot alter the message without
View Full Document
Unlocking...