security module – part 1 spring 2006 v.t. raja, ph.d., oregon state university
Post on 22-Dec-2015
215 views
TRANSCRIPT
![Page 1: Security Module – Part 1 Spring 2006 V.T. Raja, Ph.D., Oregon State University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d795503460f94a5c352/html5/thumbnails/1.jpg)
Security Module – Part 1Security Module – Part 1Spring 2006Spring 2006
V.T. Raja, Ph.D.,V.T. Raja, Ph.D.,
Oregon State UniversityOregon State University
![Page 2: Security Module – Part 1 Spring 2006 V.T. Raja, Ph.D., Oregon State University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d795503460f94a5c352/html5/thumbnails/2.jpg)
Security Module – Part 1Security Module – Part 1
• Outline– Identify and explain characteristics of a
secure communication– Ciphers and Symmetric Key Cryptography
![Page 3: Security Module – Part 1 Spring 2006 V.T. Raja, Ph.D., Oregon State University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d795503460f94a5c352/html5/thumbnails/3.jpg)
ConfidentialityConfidentiality
• Alice wants the following to be confidential:– The fact that she is communicating with Bob– Timing of communication– Frequency of communication
• Only Alice and Bob should be able to understand the contents of the transmitted message; Should not be understood by eavesdropper Trudy.
![Page 4: Security Module – Part 1 Spring 2006 V.T. Raja, Ph.D., Oregon State University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d795503460f94a5c352/html5/thumbnails/4.jpg)
ConfidentialityConfidentiality
• Alice and Bob could represent two real users, or a client and a server, or 2 DNS servers, or 2 routers etc.
• Confidentiality often relies on cryptographic techniques.
![Page 5: Security Module – Part 1 Spring 2006 V.T. Raja, Ph.D., Oregon State University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d795503460f94a5c352/html5/thumbnails/5.jpg)
Message IntegrityMessage Integrity
• Content of communication is not altered maliciously or by accident
• Message integrity relies on cryptographic techniques
![Page 6: Security Module – Part 1 Spring 2006 V.T. Raja, Ph.D., Oregon State University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d795503460f94a5c352/html5/thumbnails/6.jpg)
Non-repudiationNon-repudiation
• Assume sender transmitted document “D”. • Non-repudiation:
– Sender unable to successfully deny in court having transmitted document D.
• Non-repudiation also relies on cryptography techniques
![Page 7: Security Module – Part 1 Spring 2006 V.T. Raja, Ph.D., Oregon State University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d795503460f94a5c352/html5/thumbnails/7.jpg)
AuthenticationAuthentication
• Both sender and receiver should be able to confirm identity of other party involved in communication
• Confirm that the other party is indeed who/what they claim to be
• Authentication relies on authentication techniques, several of which rely on cryptographic techniques
![Page 8: Security Module – Part 1 Spring 2006 V.T. Raja, Ph.D., Oregon State University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d795503460f94a5c352/html5/thumbnails/8.jpg)
Availability and Access ControlAvailability and Access Control
– Can communication occur in first place?• Detect breaches and respond to attacks
– Are entities seeking to gain access to resources allowed to do so only if they have the appropriate access rights, and perform their access in a well-defined manner?
![Page 9: Security Module – Part 1 Spring 2006 V.T. Raja, Ph.D., Oregon State University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d795503460f94a5c352/html5/thumbnails/9.jpg)
CryptographyCryptography
• Symmetric Key and Public Key Cryptography• Basic Terminology
– Plain Text • Original data – not disguised
– Cipher (Encrypted) Text• Disguised data – looks unintelligible to intruder• Data disguised using encryption algorithm
– Key• A string of #s or characters used as input to encryption
algorithm to disguise plain text
![Page 10: Security Module – Part 1 Spring 2006 V.T. Raja, Ph.D., Oregon State University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d795503460f94a5c352/html5/thumbnails/10.jpg)
Ciphers and Symmetric Key CryptographyCiphers and Symmetric Key Cryptography
• Symmetric Key:
– Alice and Bob use same key to encrypt and decrypt
• Ciphers
– Caesar Cipher– Mono and Poly alphabetic Ciphers
• Symmetric Key Cryptography Techniques
– Data Encryption Standard (DES); Triple DES (3DES)
– Advanced Encryption Standard (AES)
![Page 11: Security Module – Part 1 Spring 2006 V.T. Raja, Ph.D., Oregon State University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d795503460f94a5c352/html5/thumbnails/11.jpg)
CiphersCiphers
• Caesar Cipher– Each letter in plaintext is substituted with letter that is
K letters later– Wrap around is allowed (i.e., z followed by letter a)– If K = 3, a in plaintext becomes d in cipher text
b in plaintext becomes e in cipher text
Participation Exercise:
Once it is known that Caesar cipher is being used, it is easy to break the code (only 25 possible key values).
![Page 12: Security Module – Part 1 Spring 2006 V.T. Raja, Ph.D., Oregon State University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d795503460f94a5c352/html5/thumbnails/12.jpg)
Ciphers Ciphers (Continued)(Continued)
• Monoalphabetic Cipher– Improvement on Caesar Cipher– Rather than substituting according to a regular pattern
– any letter can be substituted for any other letter, as long as each letter has a unique substitute letter, and vice versa.
– Example of a monoalphabetic cipher
Plain Text: a b c d e f g h i j k l m n o p q r s t u v w x y z
Cipher Text: m n b v c x z a s d f g h j k l p o i u y t r e w q
![Page 13: Security Module – Part 1 Spring 2006 V.T. Raja, Ph.D., Oregon State University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d795503460f94a5c352/html5/thumbnails/13.jpg)
Ciphers Ciphers (Continued)(Continued)
• Polyalphabetic Encryption– Use multiple monoalphabetic/Caesar ciphers
– Use a specific monoalphabetic/Caesar cipher to encode a letter in a specific position in the plain text
– This implies that same letter appearing in different positions in the plaintext might be encoded differently.
Example: 2 Caesar ciphers; K = 5, K = 19
For every 5 bits in the plain text use the 2 Caesar ciphers in the following pattern: C1, C2, C2, C1, C2
![Page 14: Security Module – Part 1 Spring 2006 V.T. Raja, Ph.D., Oregon State University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d795503460f94a5c352/html5/thumbnails/14.jpg)
Symmetric Key CryptographySymmetric Key Cryptography
• Data Encryption Standard (DES)
– Published in 1977, and updated in 1993
– For commercial and non-classified U.S. Govt. use
– Encodes plaintext in 64-bit chunks using 64-bit key
– Eight of the 64 bit-key are odd parity bits• So actual key is perceived as 56-bits.
– Objective: Scramble data and key so that every bit of the cipher text depends on every bit of the data and every bit of the key
![Page 15: Security Module – Part 1 Spring 2006 V.T. Raja, Ph.D., Oregon State University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d795503460f94a5c352/html5/thumbnails/15.jpg)
How well does DES work?How well does DES work?
• In 1997 RSA Data Security Inc., ( A network security company) launched a DES challenge contest to crack a short phrase it had encrypted using a 56-bit DES.
• Winning team took 4 months to decode; volunteers throughout the
Internet systematically explored key space. – Claimed 10K cash prize after testing only a quarter of the key space
(about 18 quadrillion keys)
• In 1999, RSA launched another DES challenge.
• Message was decrypted in little over 22 hours by a network of volunteers and a special purpose computer called “Deep Crack”.– Claimed 250 K cash prize. Not bad for a day’s work?
![Page 16: Security Module – Part 1 Spring 2006 V.T. Raja, Ph.D., Oregon State University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d795503460f94a5c352/html5/thumbnails/16.jpg)
Symmetric Key CryptographySymmetric Key Cryptography
• Triple DES (3 DES)
– If 56-bit DES is considered to be insecure, one can simply run the algorithm multiple times, using a different key each time
– DES run three times (with a different 56-bit key at beginning of each time DES is run).
![Page 17: Security Module – Part 1 Spring 2006 V.T. Raja, Ph.D., Oregon State University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d795503460f94a5c352/html5/thumbnails/17.jpg)
Symmetric Key CryptographySymmetric Key Cryptography
• Advanced Encryption Standard (AES)– NIST – in Nov 2001 announced successor to DES. – AES is also a symmetric key algorithm that processes
data in 128-bit blocks– AES can operate with 128-bit keys, 192-bit keys, and
256-bit keys– NIST estimated that a machine that could crack a 56-
bit DES in one second (i.e. Try 255 keys per second) would take approximately 149 trillion years to crack a 128-bit AES key
![Page 18: Security Module – Part 1 Spring 2006 V.T. Raja, Ph.D., Oregon State University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d795503460f94a5c352/html5/thumbnails/18.jpg)
Symmetric Key DistributionSymmetric Key Distribution
• Disadvantage of Symmetric Key Cryptography: – 2 communicating parties have to agree upon
their secret key ahead of time in a secure manner.
• Since sender and receiver do not meet face to face in the networking world , they need a trusted intermediary
![Page 19: Security Module – Part 1 Spring 2006 V.T. Raja, Ph.D., Oregon State University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d795503460f94a5c352/html5/thumbnails/19.jpg)
Symmetric Key CryptographySymmetric Key Cryptography
• Trusted Intermediaries for symmetric key distribution:
– Key Distribution Center (KDC)
– Kerberos
![Page 20: Security Module – Part 1 Spring 2006 V.T. Raja, Ph.D., Oregon State University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d795503460f94a5c352/html5/thumbnails/20.jpg)
Key Distribution Center (KDC)Key Distribution Center (KDC)
• A server that shares a different secret symmetric key with each registered user.
• This key might be manually installed at the server when a user first registers.
• KDC knows the secret key of each user, and each user can communicate securely with KDC using this key.
![Page 21: Security Module – Part 1 Spring 2006 V.T. Raja, Ph.D., Oregon State University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d795503460f94a5c352/html5/thumbnails/21.jpg)
KDC for Alice and BobKDC for Alice and Bob
• Assume Alice and Bob use KDC for their communication.
• Assume Alice’s secret key known to Alice and KDC is KA-KDC; Assume Bob’s secret key known to Bob and KDC is KB-KDC.
• Assume Alice wishes to send an encrypted message to Bob while using KDC as the trusted intermediary.
![Page 22: Security Module – Part 1 Spring 2006 V.T. Raja, Ph.D., Oregon State University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d795503460f94a5c352/html5/thumbnails/22.jpg)
Example: Alice and BOB using KDCExample: Alice and BOB using KDC
1. Using her key, Alice sends a message to KDC saying that she (A) wants to communicate with Bob (B). We denote this message as:
KA-KDC(A, B). 2. a. KDC decrypts KA-KDC(A, B).
b. KDC generates a random number R1, which is a “nonce” that will be used as symmetric key by Alice and Bob during their communication.
c. KDC sends Alice R1, and a pair of values A and R1 encrypted using Bob’s key. We denote this message sent to Alice by KDC as:
KA-KDC(R1, KB-KDC(A, R1)).
![Page 23: Security Module – Part 1 Spring 2006 V.T. Raja, Ph.D., Oregon State University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d795503460f94a5c352/html5/thumbnails/23.jpg)
Example: Alice and BOB using KDCExample: Alice and BOB using KDC
3. Alice decrypts message and extracts symmetric key R1. Alice extracts and forwards (although she cannot decrypt)
KB-KDC(A, R1) to Bob.
4. Bob decrypts and understands that he is to use R1 as symmetric key to converse with Alice.
![Page 24: Security Module – Part 1 Spring 2006 V.T. Raja, Ph.D., Oregon State University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d795503460f94a5c352/html5/thumbnails/24.jpg)
KerberosKerberos
• Authentication service developed by MIT• Very similar to KDC• Has additional functions such as:
– Time stamp for validity of nonce R1. – Has info about which users have access privileges to
which services on which network servers. • The authentication server in Kerberos parlance,
is referred to as the Ticket Granting Server• Sending KB-KDC(A, R1) to A in the previous
example is referred in Kerberos as granting a ticket to Bob’s services.