Securing Communication: Cryptography

EE 122: Intro to Communication Networks
Fall 2006 (MW 4-5:30 in Donner 155)
Vern Paxson
TAs: Dilip Antony Joseph and Sukun Kim
http://inst.eecs.berkeley.edu/~ee122/
Materials with thanks to Jennifer Rexford, Ion Stoica, and colleagues at Princeton and UC Berkeley

Announcements

- No lecture this Weds Nov 22
- My office hours Weds Nov 22 are by request (i.e., send email in advance; don't be shy)
- Next week's office hours are by appointment for Monday Nov 27, plus possibly Tuesday Nov 28 (I'm traveling Tues-Fri)
- Guest lecture Weds Nov 29: Prof. Ion Stoica
- What new or more in-depth topic(s) would you like covered in the penultimate lecture? Proposed so far: security, multimedia, wireless
- What particular review topics for final lecture?

Goals of Today's Lecture

- Finish discussion of tunneling
- Requirements for secure communication
- Technology for secure communication: cryptography
- Symmetric encryption (secret key)
- Asymmetric encryption (public key)
- Cryptographic hash functions (integrity, signatures)
- Classes of attacks on cryptosystems
- Public Key Infrastructure (PKI), time permitting

Example: Tunneling IP over Email

  From: doesnt-matter@bogus.com
  To: my-buddy@tunnel-decapsulators.R.us
  Subject: Here's my IP datagram

  IP-header-version: 4
  IP-header-len: 5
  IP-ID: 11234
  IP-src: 1.2.3.4
  IP-dst: 5.6.7.8
  IP-payload: 0xa144bf2c0102

- Program receives this legal email and builds an IP packet corresponding to description in email body, then injects it into the network
- How can a firewall detect this?

Tunneling, con't

- E.g., IP-over-ICMP: encode an IP datagram as the payload of a "ping" packet
- E.g., Skype-over-HTTP: encode Skype message in URL of requests, or header fields (or cookies) of replies
- Note 1: to tunnel, the sender and receiver must both cooperate
- Note 2: tunneling has many legitimate uses too
  - E.g., overlay networks that forward packets along paths different from what direct routing would pick
  - E.g., Virtual Private Networks (VPNs)
    - Make a remote machine look like it's local to its home network
    - Tunnel encrypts traffic too, for privacy

Requirements for Secure Communication

- Authentication: who is this actor?
  - Attacker counterpart: spoofing
- Authorization: is this actor allowed to do what they request?
  - Attacker counterpart: compromise
- Accountability/Attribution: who did this activity?
  - For messages, non-repudiation: sender can't later claim didn't send it; receiver can't claim didn't receive it
  - Attacker counterpart: framing
- Integrity: do messages arrive in their original form?

Requirements for Secure Communication

- Confidentiality: is communication free from eavesdropping?
  - Attacker counterpart: sniffing, man-in-the-middle
- Availability: can you use the network / a service when you want to?
  - Attacker counterpart: Denial-of-Service (DoS), theft of service
- Audit/forensics: what occurred in the past?
  - A broader notion of accountability/attribution
- Appropriate use: policies regarding use of resources
  - E.g., no spam; no games during business hours; etc.

Securing Communication: Cryptography

- Cryptography: communication in the presence of adversaries
- Studied for thousands of years
  - See Simon Singh's The Code Book for an excellent, highly readable history
- Central goal: how to encode information so that an adversary can't extract it, but a friend can
- General premise: there is a key, possession of which allows decoding, but without which decoding is infeasible

Symmetric Key Encryption

- Same key for encryption and decryption
- When used for communication, central problem is key distribution
  - How do the parties agree on the key?
- How big should the key be?
- What can you do with a huge key?
  - One-time pad: huge key of random bits
  - To encrypt, just XOR with the key (same to decrypt)
  - Provably secure, provided:
    - You never reuse the key, and it really is random/unpredictable
  - Spies actually use these

Shorter Symmetric Keys

- One way to approximate a one-time pad: generate a very good pseudo-random number stream
  - And XOR the plaintext with it to get the ciphertext
  - Key is the seed used to initialize the generator
- More general: algorithms that produce keyed permutations of their input
  - Permutation: different inputs mapped to different outputs
  - Necessary so that decryption recovers a unique original
  - Key selects between zillions of possible permutations
  - Works with a block size, e.g., 64 bits
- Thus, key must be kept secret and not guessable
- To encrypt a stream, can encrypt blocks separately, or link them
- Note: output is same size as input (other than padding)

Operation of Symmetric Key Cipher

Using Symmetric Keys

- Both the sender and the receiver use the same secret keys

[Figure: Plaintext -> Encrypt with secret key -> Ciphertext -> Internet -> Decrypt with secret key -> Plaintext]

Symmetric Crypto for Authentication

- Client's secret key: CHK
- Server's secret key: SHK
- Does CHK = SHK?
- Notation: E(m, k) means encrypt message m with key k
- x, y: nonces (random values)
  - Avoid replay attacks, e.g., attacker impersonating client or server
- K: session key used for data communication
  - Minimize # of messages containing CHK/SHK

[Figure: exchange between client and server, with messages E(x, CHK); E(x+1, SHK), E(y, SHK); E(y+1, CHK); E(K, SHK); E(message, K)]

Symmetric Key Ciphers: DES & AES

- Data Encryption Standard (DES)
  - Developed by IBM in 1970s, standardized by NBS/NIST
  - 56-bit key (decreased from 64 bits at NSA's request)
  - Still fairly strong other than brute-forcing the key space
    - But custom hardware can crack a key in 24 hours
  - Today many financial institutions use Triple DES
    - DES applied 3 times, with 3 keys totaling 168 bits
- Advanced Encryption Standard (AES)
  - Replacement for DES, standardized in 2002
  - Key size: 128, 192 or 256 bits
- How fundamentally strong are they?
  - No one knows (no proofs exist)

Integrity: Cryptographic Hashes

- Basic building block for integrity: hashing
  - Associate hash with byte stream; receiver verifies match
  - Assures data hasn't been modified, either accidentally or maliciously
  - TCP checksum: a very simple (weak) such hash
  - Lets us succinctly refer to large data items
- Approach:
  - Sender computes a digest of message m, i.e., H(m)
    - H() is a publicly known hash function
  - Send digest (d = H(m)) to receiver in a secure way, e.g.,
    - Using another physical channel
    - Using encryption
  - Upon receiving m and d, receiver re-computes H(m) to see whether result agrees with d

Operation of Hashing for Integrity

[Figure: labels Plaintext, Digest (MD5), digest, Internet; comparison outcome NO = corrupted msg]

Cryptographically Strong Hashes

- Desired properties when faced with an adversary:
- Hard to invert
  - Given hash, adversary can't find input that produces it
- Hard to find collisions
  - Adversary can't find two inputs that produce the same hash
  - Someone cannot alter the

Effects of Cryptographic Hashing