Steenkiste & Eckhardt, SCS, CMU1Lecture 24Security - TechnologyPeter SteenkisteSchool of Computer ScienceCarnegie Mellon University15-441 NetworkingMutilated by Dave Eckhardt, F'04, S'06Steenkiste & Eckhardt, SCS, CMU2OutlinelTextbook coverage»Chapter 8»Do not get bogged down in mathematics of DES, RSA»Do understand how to use them to get jobs donelSecurity threats and techniques.lEncryption»Private-key, public-keylHashinglIP security (IPsec)Steenkiste & Eckhardt, SCS, CMU3Security ThreatslImpersonation.»Pretend to be another user with the intent of getting access to information or serviceslSecrecy.»Get access to the contents of packetslMessage integrity.»Change a message unbeknownst to the sender or receiverlRepudiation»Denying having sent a messagelBreaking into systems.»To steal or destroy contentslDenial of service.»Flooding the system so users with legitimate needs cannot get serviceSteenkiste & Eckhardt, SCS, CMU4Active Versus Passive ThreatsActive ThreatsPassive ThreatsRelease ofMessage ContentsTraffic AnalysisReplayImpersonateModifying ofMessage contentsDenial ofServiceSteenkiste & Eckhardt, SCS, CMU5Three Levels of DefenselUsing firewalls to limit access to the network.»Packets that cannot enter the network cannot cause harm»Packets that do not leave the network cannot leak secretslSecuring the infrastructure at the network layer (IP).»Host to host or at a finer grain»Can be viewed as management tool: can be done without knowledge of applicationslApplication level security.»Communicating peers execute protocols to secure their communication channel»Essential for critical applications: end-to-end security»Requires effort from both application developers and usersSteenkiste & Eckhardt, SCS, CMU6Encryption Ciphertext = E(plaintext, KE) Plaintext = D(ciphertext, KD) Algorithm = E(), D()lAlgorithm should generally be public»Otherwise when (!!) it is cracked you won't hear about it»Easier to get known-good software implementations»Encourages fast hardware implementationslKeys are generally kept private»Easier to change a key than an algorithmlGiven the ciphertext, it must be “very difficult” to calculate the plaintext without KD »Difficult = computationally very expensive»Resistant to known attacksSteenkiste & Eckhardt, SCS, CMU7Special Cases Ciphertext = E(plaintext, KE) Plaintext = D(ciphertext, KD) Algorithm = E(), D()lDetails»E() and D() may be the same function»KE and KD may be the same key»This is called symmetric encryptionSteenkiste & Eckhardt, SCS, CMU8Perfect Encryption: One-Time Padl“Pad” = large nonrepeating set of truly random key letterslAlgorithm often simple»KE == KD, E() == D() == XOR()lPerfect if and only if »Key bits are truly random»Key bits are never re-usedTBFRGFARFM......................ONETIMEPADplaintextone-time padIPKLPSFHGQciphertextSteenkiste & Eckhardt, SCS, CMU9Simple ApplicationslMaintain secrecy of messagelProve identity by knowing a key»two parties must have a shared secretA: m = “secret msg”m’ = E(m, KE)A⇒B: m’B: m = D(m’, KD)A: m = “I am A”m’ = E(m, KE)A⇒B: m, m’B: verify m = D(m’, KD)Steenkiste & Eckhardt, SCS, CMU10Public Key versus Private KeyCryptographylPrivate key (symmetric, e.g., DES)»Two parties share (keep private) a key k»Encrypt plaintext using k»Also decrypt ciphertext using k -- symmetriclPublic key (asymmetric, e.g., RSA)»Keys come in pairs, Kprivate and Kpublic»Kprivate is kept private by its owner»Kpublic is published»Sender encrypts with recipient’s public key C=E(M, Kpublic)»Recipient uses private key to decrypt M=D(C, Kprivate)»Must be “impossible” to derive private key from publicSteenkiste & Eckhardt, SCS, CMU11Authentication RevisitedlParties must share a secret before they can communicate.lNeed a separate channel to establish the shared key.lDistribution of keys is easier: public directory of public keyslStill need a way to reliably distribute public keys.A: m = “I am A”m’ = {m}ksharedA⇒B: m, m’B: verify m’ = {m}ksharedA: m = “I am A”m’ = {m}kprivateA⇒B: m, m’B: verify m = {m’}kpublicPrivate keyPublic keySteenkiste & Eckhardt, SCS, CMU12Data Encryption StandardDESlExample of symmetric-key cryptography.lBasically permutes the bits based on a 56-bit key.»Substitution: reduce the relationship between plaintext and ciphertext»Diffusion: move the bits aroundlHow secure is DES?»It is becoming less secure as computers get faster»DES has recently been “cracked” by teams of volunteers using both lots of idle workstations, and special-purpose hardwarelSecurity can be improved by running the algorithm several times, e.g. Triple-DES»Odd fact: 2DES is less safe than DES!Steenkiste & Eckhardt, SCS, CMU13DES AlgorithmlUse a 64-bit key to encrypt data in 64-bit blocks»Actually 56-bit key: every 8th bit is parityl16 “rounds”»The 56-bit key K is used to generate 16 48-bit keys K1…K16, one for each roundlIn each round:»Substitution (S-boxes)»Permutation (P-boxes)MCK1K2K16KSteenkiste & Eckhardt, SCS, CMU14RSA AlgorithmlExample of a public key system.»Name based on the names of its founderslKey pair based on a pair of large prime numbers.»Different key sizes can be used»Larger key sizes are harder to crack but also result in more expensive encryption and decryptionlEncryption and decryption is based on exponentiation and remainder calculation.lThe security of RSA is based on the fact that there is no known algorithm for quickly factoring large numbersSteenkiste & Eckhardt, SCS, CMU16Public vs. Private Key SystemslScale of key management.»If N users want to communicate securely, private key systems require Nx(N-1)/2 keys while public key systems require only N key pairslComputational cost.»Public key cryptography is much more expensive than private key cryptographylCompromise: use public key system to agree on temporary private keyslOr: use an authentication server to reduce the key management complexity of private key systems.»Authentication server versus public key serverSteenkiste & Eckhardt, SCS, CMU17Cryptanalysis: Types of AttacklGoal: recover plaintext or key.lBasic assumptions»Attacker has complete access to the communications (ciphertext)»Cryptanalyst knows the cryptographic algorithms (and protocols)lCiphertext-only»Given C1 = EK(M1), C2 = EK(M2), … , CN = EK(MN)»Deduce M1, M2, … , MN, or
View Full Document
Unlocking...