computer network security...key exchange ìinsecure communica-ons channel ì eve can see everything!...
Post on 13-Apr-2021
2 Views
Preview:
TRANSCRIPT
ìComputer Network SecurityCOMP 178 | Spring 2021 | University of the Pacific | Jeff Shafer
Cryptography:Key Exchange,
Public Key Cryptography,Authen8ca8on
ìKey Exchange
Spring 2021Computer Network Security
2
Challenge – Exchanging Keys
Spring 2021Computer Network Security
3
🙋
👨⚕ 👳
👩💻
👨🏭
👨🎤 𝐸𝑥𝑐ℎ𝑎𝑛𝑔𝑒𝑠 =𝑛 𝑛 − 1
2 =)6(6 − 1
2 = 15
The more par@es in communica@on, the more keys that need to be securely exchanged
Do we have to use out-of-band methods? (e.g., phone?)
Key Exchange
ì Insecure communica-ons channelì Eve can see everything!
ì Alice and Bob agree on a shared secret (“key”) that Eve doesn’t knowì Despite Eve seeing
everything!
Spring 2021Computer Network Security
4
🙋(alice)
👨💼(bob)
😈(eve)
Spring 2021Computer Network Security
5
Proposed public key cryptography.Diffie-Hellman key exchange.
Whitfield Diffie and Martin Hellman, “New directions in cryptography,” in IEEE Transactions on Information Theory, vol. 22, no. 6, Nov 1976.
Diffie-Hellman Color Analogy
Spring 2021Computer Network Security
6
(1) It’s easy to mix two colors: + =
(2) Mixing two or more colors in a different order results in the same color:
+ + =
+ + =
(3) Mixing colors is one-way(Impossible to determine which colors went in to produce final result)
https://www.crypto101.io/
Diffie-Hellman Color Analogy
Spring 2021Computer Network Security
7
🙋(alice)
👨💼(bob)
😈(eve)
(1) Start with public color ▇ – share across network(2) Alice picks secret color ▇ and mixes it to get ▇(3) Bob picks secret color ▇ and mixes it to get ▇
+
=
Mix
+
=
Mix
🔐 🔐
Diffie-Hellman Color Analogy
Spring 2021Computer Network Security
8
🙋(alice)
👨💼(bob)
😈(eve)
(4) Alice and Bob exchange their mixed colors (▇,▇)(5) Eve will see the mixed colors too (▇,▇)(6) Alice adds her secret color ▇ to Bob’s mix ▇ = ▇(7) Bob adds his secret color ▇ to Alice’s mix ▇ = ▇
Mix Mix
🔐 🔐
==Eve can’t calculate ▇ !!
(secret keys were never shared)
Diffie-Hellman Color Analogy
Spring 2021Computer Network Security
9
🙋(alice)
👨💼(bob)
🔐
🔐 Mix
Mix
=+
+
(order doesn’t matter)
=
=
Diffie-Hellman Math
Spring 2021Computer Network Security
10
𝑦 ≡ (𝑔!) 𝑚𝑜𝑑 (𝑝)
y is defined as equal to gx modulo pp = prime number (modulus)g = base integerx = random integer
Assump&on: Compu&ng y is easy!But compu&ng x given y, g, and p is very hard!
Discrete Logarithm Problem
Diffie-Hellman Math
Spring 2021Computer Network Security
11
🙋(alice)
👨💼(bob)
+
=
Mix
+
=
Mix
🔐 🔐
(1) Public color ▇ is a large prime number p and base g(2) Alice secret color ▇ is random integer rA(3) Bob secret color ▇ is random integer rB(4) Alice mixed color ▇ is mA(5) Bob mixed color ▇ is mB(6) Exchange mA and mB
𝑚! ≡ (𝑔"!) 𝑚𝑜𝑑 (𝑝)𝑚# ≡ (𝑔"") 𝑚𝑜𝑑 (𝑝)
Diffie-Hellman Math
Spring 2021Computer Network Security
12
🙋(alice)
👨💼(bob)
🔐
🔐 Mix
Mix+
+
=
=
𝑠# ≡ 𝑚!"" 𝑚𝑜𝑑 (𝑝)
𝑠* = 𝑠+
𝑠! ≡ 𝑚#"! 𝑚𝑜𝑑 (𝑝)
Diffie-Hellman Math
ì Doesn’t have to be modular divisionì Could be ellip,c curvesì Could be supersingular isogeny key exchangeì Could be <other math words>…
Spring 2021Computer Network Security
13
ìPublic Key Cryptography
Spring 2021Computer Network Security
14
Public Key Cryptography
ì Asymmetric cryptography
ì Sending data to Alice?ì Use her public Key
ì Alice receives your data?ì She decrypts it with her private key
Spring 2021Computer Network Security
15
Spring 2021Computer Network Security
16
RSA encryp@on methodFirst public key method
Ron L. Rivest, Adi Shamir, and Leonard Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM (February 1978)
Public-Key Algorithms
ì Key exchange algorithmsì Allows two parties to agree on a shared secret across an
insecure mediumì Example: Diffie-Hellman
ì Encryption algorithmsì Allows sender to encrypt without having to agree first on
a shared secretì Example: RSA
ì Signature algorithmsì Allows sender to sign information using sender’s private
key and receiver to validate using sender’s public key
Spring 2021Computer Network Security
17
Public-Key Encryption
Spring 2021Computer Network Security
18
Public key encryption is awesome!
Should we use it everywhere?
Caveat – Performance
ì Rarely use public key encryption by itself
ì Reasons:ì Size (RSA can’t encrypt anything larger than its modulus,
i.e. 4096 bits)ì Performance
ì RSA 2048 encryption: 0.08 megacycles/operation (256B)ì RSA 2048 decryption: 3.25 megacycles/operationì AES-GCM: 2-4 cycles per byte
ì https://www.cryptopp.com/benchmarks.html
Spring 2021Computer Network Security
19
Hybrid cryptosystem – Use public-key algorithms to coordinate keys, and then use symmetric ciphers (shared key) for bulk opera@ons
ìAuthenticated Encryption
Spring 2021Computer Network Security
20
Motivation
Spring 2021Computer Network Security
21
What if the a<acker ac)vely manipulatesdata instead of passively observing it?
Motivation
Spring 2021Computer Network Security
22
🙋(alice)
👨💼(bob)
😈(eve
pretending to be bob)
How do we protect against this scenario?
😈(eve
pretending to be alice)
DH Exchange DH Exchange
🙋(alice)
👨💼(bob)
😈(eve)
Cease fire!
SDFJKWERVHU
Cease fire! Attack at Dawn!
KJFSDEROIXCVK
Attack at Dawn!
Warning!
Spring 2021Computer Network Security
23
Encryption without authentication is almost certainly wrong…
Attackers don’t need to decrypt to modify ciphertext
Authentication
ì Goal: Add information to message that only the real sender (not Eve!) could have computed
ì Authentication for symmetric-key encryptionì “Message Authentication Codes”ì MACs are generated and verified with the same key
ì Authentication for public-key encryptionì “Signatures”ì Signatures are generated with private key and
verified with public key
Spring 2021Computer Network Security
24
Message Authentication Code (MAC)
ì Small piece of information used to verify message integrity / authenticity (“Tag”)
ì Key is shared secret between Alice and Bob
Spring 2021Computer Network Security
25
Message(arbitrarylength ciphertextor plaintext)
K
MAC
(Secret key)
Tag(fixed length)
Message
K
MAC
(Secret key)
Tag
Valid?
🙋(Sender)
👨💼(Receiver)
Message Authentication Code (MAC)
ì Authen2cate and Encryptì Used by SSHì Authen?cate and
encrypt plaintext separately
ì C = E(KC ,P) and t=MAC(KM ,P)
ì Send C and t
Spring 2021Computer Network Security
26
How to combine ciphertext with a MAC?
Message Authentication Code (MAC)
ì Authenticate, then Encryptì Used by TLSì Authenticate plaintext, then
encrypt {plaintext, tag}ì t=MAC(KM ,P) thenì C = E(KC , {P|t})ì Send C (t is part of C)
Spring 2021Computer Network Security
27
How to combine ciphertext with a MAC?
Message Authentication Code (MAC)
ì Encrypt, then Authen2cate ì Used by IPSecì Standard ISO/IEC 19772:2009ì Encrypt plaintext, then
authen?cate ciphertextì C = E(KC , P) then
t=MAC(KM ,C)ì Send C and t
Spring 2021Computer Network Security
28
How to combine ciphertext with a MAC?
Message Authentication Code (MAC)
ì Which to choose?ì Authen?cate and Encryptì Authen?cate, then Encryptì Encrypt, then Authen?cate
ì Consider what the receiver does to reverse process
ì When you receive a message, the very first thingyou do should be to authenJcate itì Anything else risks CERTAIN DOOM (eventually)
Spring 2021Computer Network Security
29
How to combine ciphertext with a MAC?
– Modern Best Practice
h"ps://moxie.org/2011/12/13/the-cryptographic-doom-principle.html
AEAD
ì We can do beKer sJll! What if authenJcaJon was part of our encrypJon scheme, and not a separate step?
ì Authen2cated Encryp2on with Associated Data (AEAD)ì Messages have two parts – example: emails
ì Content (encrypt!)ì Metadata (authenMcate, but plaintext)
Spring 2021Computer Network Security
31
A E
EncryptedAuthenticated
AEAD Modes
ì Galois Counter Mode (GCM) – Good!ì Not patent encumberedì SSH, TLS 1.2, OpenVPNì Standardized in ISO/IEC 19772:2009ì Can be used by itself (authentication-only): GMAC
ì Many other AEAD modesì EAX, OCB 2.0, CCM, Key Wrap, …
Spring 2021Computer Network Security
32
Modes of Operation
Encryp'on-OnlyNo Authen'ca'on
ì Counter (CTR) – Best!
ì Cipher Block Chaining (CBC) – Good
ì Electronic Code Book (ECB)– Don’t use!
ì Also ran: CFB, OFB, XTS, …
MACs – Message Integrity Only, No Encryp'on
ì GMAC - Good
ì HMAC – Goodì But why are you just
authenticating and not encrypting?
ì Also ran: ALG1-6, CMAC
Spring 2021Computer Network Security
33
Remember our Block Cipher Modes of Operation?
Modes of Operation
Authenticated Encryption (Encrypt + Auth)
ì GCM – Good!
ì CCM – Good!
ì Also-ran: EAX, OCB 2.0, Key Wrap, …
Spring 2021Computer Network Security
34
Remember our Block Cipher Modes of Operation?
Repeating the Warning…
Spring 2021Computer Network Security
35
Encryption without authentication is almost certainly wrong…
A8ackers don’t need to decrypt to modify ciphertext
Authentication
ì Goal: Add information to message that only the real sender (not Eve!) could have computed
ì Authentication for symmetric-key encryptionì “Message Authentication Codes”ì MACs are generated and verified with the same key
ì Authentication for public-key encryptionì “Signatures”ì Signatures are generated with private key and
verified with public key
Spring 2021Computer Network Security
36
Signatures
ì RSA-based signatures
ì Digital Signal Algorithm (DSA)
ì Elliptic Curve Digital Signature Algorithm (ECSDA)
Spring 2021Computer Network Security
37
top related