Securing Communication: Cryptography
EE 122: Intro to Communication Networks
Fall 2006 (MW 4-5:30 in Donner 155)
Vern Paxson
TAs: Dilip Antony Joseph and Sukun Kim
http://inst.eecs.berkeley.edu/~ee122/
Materials with thanks to Jennifer Rexford, Ion Stoica, and colleagues at Princeton and UC Berkeley

Announcements
• No lecture this Weds, Nov 22
• My office hours Weds Nov 22 are by request: i.e., send email in advance (don’t be shy!)
• Next week’s office hours are by appointment for Monday Nov 27 (plus possibly Tuesday Nov 28)
  – I’m traveling Tues-Fri
• Guest lecture Weds Nov 29, Prof. Ion Stoica
• What new (or more in-depth) topic(s) would you like covered in the penultimate lecture?
  – Proposed so far: security, multimedia, wireless
• What particular review topics for final lecture?

Goals of Today’s Lecture
• Finish discussion of tunneling
• Requirements for secure communication
• Technology for secure communication: cryptography
  – Symmetric encryption (secret key)
  – Asymmetric encryption (public key)
  – Cryptographic hash functions (integrity, signatures)
• Classes of attacks on cryptosystems
• Public Key Infrastructure (PKI)
  – (time permitting)

Example: Tunneling IP over Email
From: [email protected]
To: [email protected]
Subject: Here’s my IP datagram

IP-header-version: 4
IP-header-len: 5
IP-ID: 11234
IP-src: 1.2.3.4
IP-dst: 5.6.7.8
IP-payload: 0xa144bf2c0102…

Program receives this legal email and builds an IP packet corresponding to description in email body …
… injects it into the network
How can a firewall detect this??

Tunneling, cont’d
• E.g., IP-over-ICMP:
  – Encode an IP datagram as the payload of a “ping” packet
• E.g., Skype-over-HTTP:
  – Encode Skype message in URL of requests or header fields (or cookies) of replies
• Note #1: to tunnel, the sender and receiver must both cooperate
• Note #2: tunneling has many legitimate uses too
  – E.g., overlay networks that forward packets along paths different from what direct routing would pick
  – E.g., Virtual Private Networks (VPNs)
    - Make a remote machine look like it’s local to its home network
    - Tunnel encrypts traffic too for privacy

Requirements for Secure Communication
• Authentication: who is this actor?
  – Attacker counterpart: spoofing
• Authorization: is this actor allowed to do what they request?
  – Attacker counterpart: compromise
• Accountability/Attribution: who did this activity?
  – For messages, non-repudiation
    - Sender can’t later claim didn’t send it
    - Receiver can’t claim didn’t receive it
  – Attacker counterpart: framing
• Integrity: do messages arrive in their original form?

Requirements for Secure Communication
• Confidentiality: is communication free from eavesdropping?
  – Attacker counterpart: sniffing, man-in-the-middle
• Availability: can you use the network / a service when you want to?
  – Attacker counterpart: Denial-of-Service (DoS), theft-of-service
• Audit/forensics: what occurred in the past?
  – A broader notion of accountability/attribution
• Appropriate use: policies regarding use of resources
  – E.g., no spam; no games during business hours; etc.

Securing Communication: Cryptography
• Cryptography: communication in the presence of adversaries
• Studied for thousands of years
  – See Simon Singh’s The Code Book for an excellent, highly readable history
• Central goal: how to encode information so that an adversary can’t extract it …
  – … but a friend can
• General premise: there is a key, possession of which allows decoding, but without which decoding is infeasible
  – Thus, key must be kept secret and not guessable

Symmetric Key Encryption
• Same key for encryption and decryption
• When used for communication, central problem is key distribution
  – How do the parties agree on the key?
• How big should the key be?
• What can you do with a huge key?
• One-time pad: huge key of random bits
  – To encrypt: just XOR with the key! (same to decrypt)
  – Provably secure! … provided:
    - You never reuse the key …
    - … and it really is random/unpredictable
  – Spies actually use these

Shorter Symmetric Keys
• One way to approximate a one-time pad: generate a (very good) pseudo-random number stream
  – And XOR the plaintext with it to get the ciphertext
  – Key is the “seed” used to initialize the generator
• More general: algorithms that produce keyed permutations of their input
  – Permutation = different inputs mapped to different outputs
  – Necessary so that decryption recovers a unique original
  – Key selects between zillions of possible permutations
  – Works with a block size (e.g., 64 bits)
    - To encrypt a stream, can encrypt blocks separately, or link them
  – Note: output is same size as input (other than padding)

Operation of Symmetric Key Cipher
[Figure]

Using Symmetric Keys
• Both the sender and the receiver use the same secret keys
[Figure: Plaintext, “Encrypt with secret key”, Ciphertext across the Internet, “Decrypt with secret key”, Plaintext]

Symmetric Crypto for Authentication
• Client’s secret key: CHK
• Server’s secret key: SHK
• Does CHK = SHK?
• Notation: E(m,k) – encrypt message m with key k
• x, y: nonces (random values)
  – Avoid replay attacks, e.g., attacker impersonating client or server
• K – session key used for data communication
  – minimize # of messages containing CHK / SHK
[Figure: messages exchanged between client and server, in the order shown]
  E(x, CHK)
  E(x+1, SHK), E(y, SHK)
  E(y+1, CHK)
  E(K, SHK)
  E(message …, K)

Symmetric Key Ciphers - DES & AES
• Data Encryption Standard (DES)
  – Developed by IBM in 1970s, standardized by NBS/NIST
  – 56-bit key (decreased from 64 bits at NSA’s request)
  – Still fairly strong other than brute-forcing the key space
    - But custom hardware can crack a key in < 24 hours
  – Today many financial institutions use Triple DES = DES applied 3 times, with 3 keys totaling 168 bits
• Advanced Encryption Standard (AES)
  – Replacement for DES standardized in 2002
  – Key size: 128, 192 or 256 bits
• How fundamentally strong are they?
  – No one knows (no proofs exist)

Integrity: Cryptographic Hashes
• Basic building block for integrity: hashing
  – Associate hash with byte-stream, receiver verifies match
    - Assures data hasn’t been modified, either accidentally - or maliciously
  – TCP checksum a very simple (weak) such hash
• Lets us succinctly refer to large data items
• Approach:
  - Sender computes a digest of message m, i.e., H(m)
  - H() is a publicly known hash function
  - Send digest (d = H(m)) to receiver in a secure way, e.g.,
    - Using another physical
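Added example for the "Integrity: Cryptographic Hashes" slide (not part of the original lecture): it compares the TCP checksum with a cryptographic digest d = H(m) on a message whose 16-bit words have been reordered. SHA-256 as H, the sample record, and all function names are assumptions made for this example.

```python
import hashlib
import hmac

def internet_checksum(data: bytes) -> int:
    """16-bit ones'-complement checksum used by TCP (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                       # pad odd-length input
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def digest(m: bytes) -> bytes:
    """d = H(m); SHA-256 is chosen here as H (the slide names no function)."""
    return hashlib.sha256(m).digest()

def verify(m: bytes, d: bytes) -> bool:
    """Receiver side: recompute H(m) and compare with the digest received securely."""
    return hmac.compare_digest(digest(m), d)

def swap_words(data: bytes, i: int, j: int) -> bytes:
    """Exchange the i-th and j-th 16-bit words; a sum does not depend on order."""
    b = bytearray(data)
    b[2*i:2*i+2], b[2*j:2*j+2] = b[2*j:2*j+2], b[2*i:2*i+2]
    return bytes(b)

def compare(original: bytes, altered: bytes) -> dict:
    """Which of the two integrity checks notices that the message changed?"""
    d = digest(original)
    return {
        "checksum_detects": internet_checksum(original) != internet_checksum(altered),
        "hash_detects": not verify(altered, d),
    }

# Constructed sample: a record whose two account names sit on 16-bit word boundaries.
ORIGINAL = b"AA=0001 BB=9000 "
ALTERED = swap_words(ORIGINAL, 0, 4)          # b"BB=0001 AA=9000 "

if __name__ == "__main__":
    print(ALTERED, compare(ORIGINAL, ALTERED))
```

The digest only helps if it reaches the receiver over a channel the modifier cannot also rewrite, which is the "in a secure way" condition on the slide.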
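Added example for the one-time pad bullets on the "Symmetric Key Encryption" slide (not part of the original lecture): it shows what two ciphertexts reveal when the same pad bytes are used twice, next to a pad book that hands out each key byte only once. The class, function names and sample messages are constructed for this example.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (encryption and decryption are the same)."""
    if len(a) != len(b):
        raise ValueError("pad slice and message must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))

class PadBook:
    """One party's copy of the pre-shared pad; every key byte is handed out once."""
    def __init__(self, pad: bytes):
        self._pad, self._used = pad, 0

    def crypt(self, data: bytes) -> bytes:
        """Encrypt or decrypt with the next unused pad bytes."""
        end = self._used + len(data)
        if end > len(self._pad):
            raise RuntimeError("pad exhausted; refusing to reuse key bytes")
        chunk, self._used = self._pad[self._used:end], end
        return xor_bytes(data, chunk)

def reuse_leak(p1: bytes, p2: bytes):
    """Encrypt two messages with the SAME pad bytes; return what the ciphertexts give away."""
    pad = secrets.token_bytes(len(p1))
    c1, c2 = xor_bytes(p1, pad), xor_bytes(p2, pad)
    leak = xor_bytes(c1, c2)            # the pad cancels out: leak == p1 XOR p2
    return leak, xor_bytes(leak, p1)    # anyone who knows p1 can now read p2

P1 = b"MEET AT THE DOCK"    # constructed sample messages, 16 bytes each
P2 = b"SEND MORE MONEY!"

def correct_use():
    """Sender and receiver consume the shared pad in lockstep, never twice."""
    pad = secrets.token_bytes(len(P1) + len(P2))   # OS CSPRNG, not a seeded PRNG
    sender, receiver = PadBook(pad), PadBook(pad)
    c1, c2 = sender.crypt(P1), sender.crypt(P2)
    return receiver.crypt(c1), receiver.crypt(c2), sender

if __name__ == "__main__":
    leak, recovered = reuse_leak(P1, P2)
    print(leak == xor_bytes(P1, P2), recovered)
    print(correct_use()[:2])
```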
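Added example for the "Symmetric Crypto for Authentication" slide (not part of the original lecture): both sides of the nonce exchange, showing why recorded messages fail against the server's fresh y. It assumes CHK = SHK is one shared secret and that the client sends the first message; E and D are a toy hash-keystream stand-in for the slide's E(m, k), not a real cipher, and all names are hypothetical.

```python
import hashlib
import secrets

def keystream(k: bytes, iv: bytes) -> bytes:
    return hashlib.sha256(k + iv).digest()[:16]

def E(m: int, k: bytes) -> bytes:
    """Toy stand-in for E(m, k): fresh IV plus a hash-derived keystream (assumed)."""
    iv = secrets.token_bytes(16)
    body = (m % (1 << 128)).to_bytes(16, "big")
    return iv + bytes(a ^ b for a, b in zip(body, keystream(k, iv)))

def D(c: bytes, k: bytes) -> int:
    """Inverse of E; a wrong key yields an unrelated number, not an error."""
    iv, body = c[:16], c[16:]
    return int.from_bytes(bytes(a ^ b for a, b in zip(body, keystream(k, iv))), "big")

class Server:
    def __init__(self, shk: bytes):
        self.shk, self.y, self.session_key = shk, None, None

    def on_first(self, msg1: bytes):
        """Answer E(x, CHK) with E(x+1, SHK), E(y, SHK); y is fresh every time."""
        self.y = secrets.randbits(64)
        return E(D(msg1, self.shk) + 1, self.shk), E(self.y, self.shk)

    def on_third(self, msg3: bytes):
        """Accept only E(y+1, CHK) for the y just issued, then send E(K, SHK)."""
        expected, self.y = self.y, None          # each nonce is good for one attempt
        if expected is None or D(msg3, self.shk) != expected + 1:
            return None                          # wrong key, or a replayed message
        self.session_key = secrets.randbits(128)
        return E(self.session_key, self.shk)

def client_handshake(server: Server, chk: bytes):
    """Client side; returns (session key or None, messages the client sent)."""
    x = secrets.randbits(64)
    msg1 = E(x, chk)
    reply_x, reply_y = server.on_first(msg1)
    if D(reply_x, chk) != x + 1:
        return None, [msg1]                      # peer could not decrypt x
    msg3 = E(D(reply_y, chk) + 1, chk)
    reply_k = server.on_third(msg3)
    return (D(reply_k, chk) if reply_k else None), [msg1, msg3]
```

Replaying a recorded first message still draws a reply, but the recorded third message answers the old y, so the server never releases a session key for it.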