ECE579S
Computer & Network Security
Professor Richard A. Stanley, P.E.
Spring 2011
© 2000-2011, Richard A. Stanley
WPI
ECE579S/1 #1
Overview of Tonight’s Class
• Administration
• Is computer security a problem, or just an
interesting topic?
• What is different between computer security
and network security?
• Computer security objectives and
approaches
ECE579S/1 #2
Organizational Details
• Prof. Stanley contact information
– Office: Atwater-Kent 303, but rarely there
– Hours: by appointment, preferably after class
– Phone: (508) 269-6482
– Email: [email protected]
ECE579S/1 #3
Administrivia
• Class will normally meet 8:00 AM – 1:00
PM every Friday here. Please be on time.
• We will hold 8 classes; cancellations will be
announced in advance (except weather)
• Breaks as needed
• If class is cancelled for bad weather, you
should receive notice. Double-check with
ECE Dept. (5231) or with me if in doubt.
ECE579S/1 #4
Recall
• We need to set up a way for notification of
cancelled/late classes
• Please put the following information on the
sheet going around:
– Name
– Email
– Telephone
• Volunteer to be at the top of the list?
ECE579S/1 #5
Course Text
• Computer Security Handbook, 5th
Edition, by Bosworth, et al. ISBN is 9780471716525. To be published 09 Feb 09 by
Wiley.
• Additional material will be in the form of
handouts
ECE579S/1 #6
Course Web Page
• http://ece.wpi.edu//courses/ee579sw/ECE579S/
• Slides will be posted to the page before
class, barring any unfortunate problems
ECE579S/1 #7
Policies
• Homework is due at the class following the one in
which it is assigned. It will be accepted--with a
one grade penalty--up to the second class after that
in which it is assigned, but not after that, except in
truly emergency situations. By definition,
emergencies do not occur regularly.
• There is a difference between working in teams
and submitting the same work. If work is a team
product, it must be clearly labeled as such.
ECE579S/1 #8
Elements of the Course
• Assignments: There will be weekly assignments,
which will be graded
• Presentation: At the end of the course, student
teams will present a report prepared on a
cryptography-related subject. The presentation
should be well-prepared and should give an overview
of a special topic in cryptography (e.g. eCash,
wireless security, SSL, biometric authentication
systems etc.).
• Examinations: There will be two written
examinations that will cover all topics discussed in
class. The questions will range from mild to hard.
ECE579S/1 #9
Research Projects
• Teams of 3-5 individuals per project
• Research an information assurance-related
topic
• Prepare a report on the research
• Present findings
– Note: a presentation is not the report copied
into PowerPoint
ECE579S/1 #10
Grading
• Grade components
– Course exams (35%)
– Homework (20%)
– Class participation (10%)
– Course project (35%)
ECE579S/1 #11
My Peculiarities
• I am not a word-counter. When given, word
counts are for general guidance only.
• Bad news doesn’t improve with age. If there are
problems, let’s deal with them as soon as they
arise.
• Expect to find ties to historical events in class –
not a bad idea to use those for hints as to how
some problems develop and expand.
ECE579S/1 #12
Getting to Know You
• My interest and experience in this area
• Your interests and expertise in this area
– Cryptography?
– Networking?
• Where we might go with this course
• What you would like from the course
ECE579S/1 #13
Computer Security
versus
Network Security
ECE579S/1 #14
Computer security involves
preventing, detecting, and responding
to unauthorized actions on a
computer system.
Network security means the same
thing for a group of networked
computers
Information Assurance covers all the
things we do to protect information
from unauthorized disclosure and
exploitation
ECE579S/1 #15
Chicken vs. Egg?
To understand network security, you must first understand
computer security. There is no “easy” way around this.
To practice information assurance, you need to know both
computer and network security, as well as quite a lot of
other topics, which we will cover.
We are going to find that this subject crosses many boundaries
of skills and “jurisdiction.” This can be both an opportunity and
a curse.
ECE579S/1 #16
One View
(diagram relating Network Security, Computer Security, WWW Security, and IA)
ECE579S/1 #17
Computer Security: What’s the
Big Deal?
• Not a new problem
• Not just a creation of the press
• Not just for rocket scientists
• As professionals, failure to understand and
implement appropriate security can come
back to haunt you in terms of liability and
reputation
ECE579S/1 #18
Points to Ponder
• Majority of businesses reported attacks
against their networks in 2007
– Almost 20% of these were targeted
• Average financial losses over $350,000 per
organization, highest in last five years
• Financial fraud displaced viruses as the first
place problem
Source: "Issues and Trends: 2007 CSI/FBI Computer Crime and Security Survey"
ECE579S/1 #19
Recent Events
• WikiLeaks
– Is this a computer security problem?
• Denial of Service attacks
– Both from WikiLeaks supporters and totally
unrelated
• …and?
ECE579S/1 #20
Virtual Warfare
“Cyberspace is another domain in which the U.S.
military may face rapidly growing risk.
Information technology (IT) permeates every
aspect of its operations, from logistics and
command and control to targeting and guidance.
As the dependence on IT has grown, so, too, has
vulnerability to disruptions, especially disruptions
of battle networks linking U.S. forces.”
Andrew J. Krepinevich, Jr, “The Pentagon’s Wasting Assets,”
Foreign Affairs Vol 88, No. 4 (July/August 2009), pg. 25.
ECE579S/1 #21
It Isn’t Getting Better
• Security surveys show a clear trend in
security problems: UPWARDS
• Nature of attacks constantly changing
• Evidence of nation-state participation
• Who among you has not seen or heard at
least one computer security news story in
the past month?
ECE579S/1 #22
An Object Lesson
Willie Sutton, 1901-1980. Bank Robber.
Q: “Why do you rob banks, Willie?”
A: “Because that’s where the money is!”
This quote is probably the best-known criminal quote around.
One problem: Willie never said it.
BUT... He said “I probably would have said it if anyone had asked me.”
ECE579S/1 #23
Where’s The Money?
• Historically, money was something held to
have intrinsic value (e.g., gold, silver)
• Paper money, until recently, was merely a
promise to pay in gold or silver
• So, money really was in the banks
• Money today is merely a unit of information
• ... And it is kept in computers!
ECE579S/1 #24
The “Willie Factor”
• Computer crime exists because computers
are the repositories of things of value
– Money
• This is a common target in industrial attacks
– Information that is valuable or can be made so
• This is especially true in government networks, most
particularly in defense-related networks
• Thieves look for low-hanging fruit
ECE579S/1 #25
A Dilemma
• Security is something most users want, but
that most know little about
• Security gets in the way of using the
computer system
• The tighter the security, the harder the
system is to use, and the more likely it is
that the users will bypass security measures
ECE579S/1 #26
Is A Secure Computer Possible?
ECE579S/1 #27
The Totally Secure System
• Is relatively simple to build
• Is useless for any practical purposes
Our job is to learn how to design
computer systems to provide the
necessary level of security without
going overboard.
ECE579S/1 #28
Why Isn’t This Topic More
Theoretical?
In theory, there is no difference
between theory and practice.
In practice, there is.
Yogi Berra
ECE579S/1 #29
Why Is A Proof Elusive?
• A secure system must be secure under all
conditions of operation
• This, in turn, demands proof that there is no
condition under which it could operate that
is insecure, i.e. the negative proposition.
• But, formal logic teaches us it is impossible
to prove a negative
• Q.E.D.
ECE579S/1 #30
That Said...
• We will define a secure computer
• We will learn how to create a secure
computer
• If it is useless, why?
– If it can’t exist, we will never know how close
we are to achieving security
– It is a goal towards which we must work
ECE579S/1 #31
Consider the Automobile
• A perfectly safe automobile does not exist,
and cannot exist
• However, we still strive to build safer autos
– This is a legitimate engineering pursuit
– It is socially irresponsible to do otherwise
– Much of the efforts are based on approaching
an unachievable goal
ECE579S/1 #32
Responsibilities
• Customers expect “reasonably secure”
handling of their sensitive data
• The Devil is in the details
– What is “reasonable?”
– What is “secure?”
– What data is “sensitive?”
– When is it your responsibility?
ECE579S/1 #33
What’s the Problem?
• Financial liability
– Due diligence
– Simple negligence
– Gross negligence
• Goodwill
• One bad press release cancels 1000 attaboys
This is a “you bet your business” issue
ECE579S/1 #34
A Curious Property of
Information
• Information is the only thing that can be
stolen and still leave the owner in
possession of it
• This poses some serious problems, which
the course will address
ECE579S/1 #35
Security Aspects
• Confidentiality
• Integrity
• Availability
• Accountability
• Nonrepudiation
• Risk management
• Reliability and safety
Security is a multidisciplinary problem
ECE579S/1 #36
Problem is Multidisciplinary
• Engineering
• Computer science
• Sociology
• Economics
• Law and ethics
• Management
• and ...
ECE579S/1 #37
Role of Technology
• Technology is a useful tool, not a panacea.
• A clear policy, evenly enforced, is the most
critical element of success.
• Don’t ignore the fundamentals.
– Many computers have been compromised by
not revoking a former employee’s password
– Most of the threat comes from within
– The problem is not just maliciousness
ECE579S/1 #38
Security Objectives
(diagram: the A-I-C triangle of Availability, Integrity, and Confidentiality)
Protect, detect and recover from insecurities
ECE579S/1 #39
Data vs. Information
• Data represents information
• Information is the interpretation of data
This is not as obvious as it appears on the surface!
ECE579S/1 #40
So What?
• Protecting the data may not protect the
information
• It is possible to create information from a
wide variety of data sources
– e.g. Wehrmacht order of battle pre-1939
• The problem is more complex than just
putting an armed guard at the door
ECE579S/1 #41
Biggest Problem? Learning to
Think Like a Crook!
ECE579S/1 #42
One View:
Security = Asset protection
Risk Analysis
Protect
Detect
Correct
Manage
ECE579S/1 #43
Manage
• Policy
• Real-time
• Audit performance of safeguards
ECE579S/1 #47
Another View:
Focus of Control
(diagram relating User (Subject), Applications, Policy, Protection, Resource (Object), and Hardware)
Should protection focus on data, operations, or users?
ECE579S/1 #48
Man-Machine Scale
• Applications
• Services
• OS
• OS kernel
• Hardware
In which layer(s) should security be implemented?
ECE579S/1 #49
Controls
• Centralized
– Simple to conceive and implement
– Bottleneck
• Decentralized
– May be more efficient
– Difficult to implement and maintain
Where to put security tasks and enforcement?
ECE579S/1 #50
The Security Perimeter
• How to keep attackers out of the “layer
below” where security is implemented?
– Recovery tools
– Devices
– Memory release
– Backup
– Memory dumps
ECE579S/1 #51
One More Time
Computer security involves
preventing, detecting, and responding
to unauthorized actions on a
computer system.
Network security means the same
thing for a group of networked
computers
ECE579S/1 #52
Why Networks Matter
• If computers cannot be secured individually,
the network cannot be secure
• Networking makes the most individually
secure computer on the network only as
secure as the least individually secure
computer on the network.
• Networking offers new vulnerabilities
• Speed of mischief increases exponentially
ECE579S/1 #53
And Most Especially...
• Mobile code is a basic staple of the Internet,
and other networks as well
– This is a wholly new paradigm
• Users are not usually aware of mobile code
• Novelty and convenience trump security
every time
ECE579S/1 #54
Analogy
• One can easily define the security perimeter
of a single computer. You can probably
even literally “put your arms around it.”
• One cannot easily define the perimeter of a
group of networked computers, except
under a set of trivial conditions that are
meaningless in practice.
• So, where to put the security? And HOW to
make it happen?
ECE579S/1 #55
Network Primer
ECE579S/1 #56
Networks
• A network is an interconnected group of
communicating devices.
• Two primary network types
– Circuit-switched (connection oriented)
– Packet-switched (connectionless)
• Span
– WAN, MAN, LAN
– So what? Nothing magic about the name.
ECE579S/1 #57
Data Networks
• Almost exclusively packet switched
– Higher efficiency than circuit-switched
– Computationally intensive to provide
– Packet loss rate is often very high
• Largely due to collisions rather than circuit faults
– Require extensive protocols to operate
• X.25
• IP
ECE579S/1 #58
Network Topology
• The topology of a network is a view of its
interconnections, as they would be seen by an
observer looking down from great height
• Topology is important because it has implications
for security
• Three major topologies:
– star
– bus
– ring
ECE579S/1 #59
Star Topology
The orange lines depict one
star -- this slide actually shows
a star-star architecture.
ECE579S/1 #60
Bus Topology
(diagram of a bus)
In a bus topology, all signals pass by all terminals
ECE579S/1 #61
Ring Topology
A ring is simply a bus with
the ends connected to one another.
ECE579S/1 #62
How To Get There?
• Every destination on the network must have
an address, just as every postal destination
must have an address
– Addresses must be unique
– Network must know how to recognize address
– Various addressing schema, e.g.
• Ethernet
• IP
ECE579S/1 #63
Two Network Technologies
• Token ring
– Users remain silent until they receive token
– Pioneered by IBM, not widely used
• Ethernet
– Carrier-sense, multiple access/collision detect
– Binary exponential backoff on collision sense
– This is a radio network! Another vulnerability
– Most widely used architecture today, largely because it
is less expensive than token ring
ECE579S/1 #64
Other Network Technologies
• Fiber-Distributed Data Interconnect (FDDI)
– Self-healing, 100 Mbps dual ring
• Frame relay
– Packet data service, built on X.25
• Synchronous Optical Network (SONET)
• Asynchronous Transfer Mode (ATM)
– Can operate at gigabit speeds
• 53 byte packets; 5 of the bytes are overhead
These are of interest in networking, but not security per se;
they will not be discussed further in this course
ECE579S/1 #65
Topology Misconceptions
• The physical interconnection of network
elements does not necessarily reflect the
logical network topology
– Ethernet is logically a bus architecture
– Ethernet, connected using hubs, uses a physical
star interconnection
– Ethernet, connected using coaxial cable, uses a
physical bus interconnection
ECE579S/1 #66
Some Network Security Issues
• Users not necessarily registered at the node they
are accessing
– How to authenticate users?
– What is basis for access control decisions?
• Some options:
– User ID
– User address
– Service being invoked
– Cryptographic-based solutions
ECE579S/1 #67
Ethernet Misconceptions
• IEEE 802.3 = Ethernet
– Nope! Pure Ethernet is 802.2
• All Ethernets are created equal
– Vendor implementation issues
• The faster the network speed, the faster I
can work
– Signaling speed ≠ data throughput
ECE579S/1 #68
CSMA/CD Throughput
(plot: throughput versus number of users, with the signaling speed as the ceiling and the achieved throughput marked at ~40% of it)
ECE579S/1 #69
Ethernet Addresses
• 48 bits long
• Address space managed by the IEEE
• Formerly fixed in hardware at time of
manufacture, but increasingly in EEPROM
• Hardware must recognize at least its own
physical address and the network multicast
address, and possibly alternate addresses
ECE579S/1 #70
Ethernet Frame
NOTE: The proper term in this context for groups of 8 bits is an octet, not a byte.
ECE579S/1 #71
Network Size
• Networks cannot grow to be arbitrarily large
– Address space
– Physical interconnection limitations
– Increasing collisions as users increase
– Protocol/OS/machine incompatibilities
• So, how to extend the ability to interconnect
an arbitrarily large number of computers?
ECE579S/1 #72
The ARPANET
• Father of the Internet; first elements in 1969
• Began as an attempt to conduct and share research
to ensure continuity of communications after
nuclear war, so
– Connectionless
– Assured delivery
– Self-reconfiguring (sort of)
• Demonstrated feasibility of internetworking
disparate computer networks and machines
ECE579S/1 #73
Internetworking
• Internetworking is the interconnection of
networks
• The Internet is an internetwork; all
internetworks are not the Internet
• Very few modern networks exist in
isolation; most are internetworked
• This has important security and legal
implications
ECE579S/1 #74
Internetworking Concepts
• Networks are interconnected by routers or
gateways
– More about this later in the course
• Routers route a packet using the destination
network address, not the destination host
address
– Analogous to the world postal system and how
letters are routed
ECE579S/1 #75
Internetwork Architecture
(diagram: Net 1 and Net 2 joined by a router R)
ECE579S/1 #76
Extended Internetworking
(diagram: Net 1, Net 2 and Net 3 joined in a chain by routers R)
Clearly, this can be
extended ad infinitum,
to form very large
internetworks.
ECE579S/1 #77
Some Terms
• TCP = transmission control protocol
• IP = internet protocol
• These protocols have become widely used
outside the formally-defined Internet
• They have some serious flaws, but they
work
– They were not planned to have/need security
ECE579S/1 #78
Class-Based IP Addressing
ECE579S/1 #79
Class Discrimination
• Address space is 32 bits long (IPv4)
– Therefore, at most 2^32 possible addresses (or
4,294,967,296 in decimal notation)
• Easy to extract netid from address
• There is not a one-to-one correspondence
between IP addresses and physical devices
– Consider the router
• Address with hostid=0 refers to network
ECE579S/1 #80
IP Addressing Weaknesses
• If a host moves to another network, its IP
address must change
• If a network grows beyond its class size (B
or C), it must get a new address of the next
larger size
• Because routing is by IP address, the path
taken by packets to a multiple-addressed
host depends on the address used
ECE579S/1 #81
IP Address Presentation
• Usually done in dotted decimal, e.g.,
10000000 00001010 00000010 00011110
is usually written as
128.10.2.30
• What class of network address is this?
• As you see, each notation has its uses
ECE579S/1 #82
Consider This Address
• 256.75.301.116
• What type of network is represented by this
address?
• Why?
– In dotted decimal, no number can exceed 255,
as that is the value of 2^8 - 1
ECE579S/1 #83
Address Limits
Class   Lowest Address   Highest Address
A       0.1.0.0          126.0.0.0
B       128.0.0.0        191.255.0.0
C       192.0.1.0        223.255.255.0
D       224.0.0.0        239.255.255.255
E       240.0.0.0        247.255.255.255
ECE579S/1 #84
Classless Routing
• Class-based routing has limitations, as you
can readily see
• This has led to the development of Classless
Inter-Domain Routing, or CIDR, e.g.
178.201.0.0/24
• In today’s documents, addresses are usually
stated in CIDR format
ECE579S/1 #85
Reserved Addresses
• First Quad=127 is used for loopback
– Traffic doesn’t leave the computer
– Routed to the IP input queue
– Usually see 127.0.0.1
• Unregistered addresses
– Class A: 10.0.0.0 thru 10.255.255.255
– Class B: 172.16.0.0 thru 172.31.255.255
– Class C: 192.168.0.0 thru 192.168.255.255
ECE579S/1 #88
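The addressing slides above (dotted decimal, the 255 limit per octet, class by leading bits, netid/hostid, CIDR prefixes, and the loopback and unregistered ranges) can be exercised in code. The block below is an added example, not lecture material; the class boundaries follow the Address Limits table and the private ranges are the RFC 1918 blocks, with every sample address constructed for the demonstration.

```python
"""IPv4 dotted-decimal parsing, classful decoding, CIDR and reserved ranges.

Added example, not from the lecture. Class boundaries follow the lecture's
Address Limits table; the private blocks are the RFC 1918 ranges.
"""


def parse_dotted(text: str) -> int:
    """Dotted decimal -> 32-bit integer. Each field is one octet, so it must
    lie in 0..255 (2^8 - 1); an address like 256.75.301.116 is rejected."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"{text!r}: expected four octets")
    value = 0
    for part in parts:
        if not part.isdigit() or int(part) > 255:
            raise ValueError(f"{text!r}: octet {part!r} is not in 0..255")
        value = (value << 8) | int(part)
    return value


def is_valid_dotted(text: str) -> bool:
    try:
        parse_dotted(text)
        return True
    except ValueError:
        return False


def parse_binary(text: str) -> int:
    """'10000000 00001010 00000010 00011110' -> the same 32-bit integer."""
    bits = text.replace(" ", "")
    if len(bits) != 32 or set(bits) - {"0", "1"}:
        raise ValueError("expected 32 binary digits")
    return int(bits, 2)


def to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def address_class(value: int) -> str:
    """Leading bits select the class: 0 -> A, 10 -> B, 110 -> C, 1110 -> D, 1111 -> E."""
    first = value >> 24
    if first & 0x80 == 0x00:
        return "A"
    if first & 0xC0 == 0x80:
        return "B"
    if first & 0xE0 == 0xC0:
        return "C"
    if first & 0xF0 == 0xE0:
        return "D"
    return "E"


CLASS_PREFIX = {"A": 8, "B": 16, "C": 24}   # netid length in bits, unicast classes only


def prefix_mask(prefix: int) -> int:
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def split_classful(text: str) -> dict:
    """Extract netid and hostid by class; a hostid of 0 names the network itself."""
    value = parse_dotted(text)
    cls = address_class(value)
    if cls not in CLASS_PREFIX:     # D (multicast) and E (reserved) carry no netid/hostid
        return {"class": cls, "netid": None, "hostid": None, "is_network": False, "cidr": None}
    prefix = CLASS_PREFIX[cls]
    mask = prefix_mask(prefix)
    netid, hostid = value & mask, value & ~mask & 0xFFFFFFFF
    return {"class": cls, "netid": to_dotted(netid), "hostid": hostid,
            "is_network": hostid == 0, "cidr": f"{to_dotted(netid)}/{prefix}"}


def in_cidr(address: str, cidr: str) -> bool:
    """Classless match: only the prefix bits are compared, e.g. '178.201.0.0/24'."""
    net_text, prefix_text = cidr.split("/")
    mask = prefix_mask(int(prefix_text))
    return parse_dotted(address) & mask == parse_dotted(net_text) & mask


def reserved_use(address: str) -> str:
    """Loopback and the unregistered (private) blocks from the Reserved Addresses slide."""
    if in_cidr(address, "127.0.0.0/8"):
        return "loopback"
    if in_cidr(address, "10.0.0.0/8"):
        return "private (class A block)"
    if in_cidr(address, "172.16.0.0/12"):
        return "private (class B blocks 172.16 through 172.31)"
    if in_cidr(address, "192.168.0.0/16"):
        return "private (class C blocks under 192.168)"
    return "not reserved"
```

Note that `split_classful` answers the slide's question about 128.10.2.30 (class B, netid 128.10.0.0, hostid 542) and `in_cidr` shows why CIDR replaced it: the prefix length, not the leading bits, decides the boundary.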
The Future of IP
• IPv4 has shortcomings that are becoming
important for modern networking
• The IETF’s solution is a new version of IP,
Version 6, written as IPv6
– Increased address space (128 vs. 32 bits)
– Support for network autoconfiguration
– Better support for routing
– Better security support
ECE579S/1 #89
IPv6 Issues
• It is not backwards compatible with IPv4
– Given the change in address space alone, how could it be?
– Requires a translator to go from v4 to v6, and vice versa
• Huge investment in installed IPv4 mitigates against rapid
changeover
– But the Defense Department is going there now
• Network address translation (NAT) helps reduce need for
new address space
• Some services, like IPSec, now available for IPv4
• Bottom line: changeover not likely to be quick except in
defense applications
ECE579S/1 #90
Ports and Sockets
• Ports are associated with services, e.g.,
– Port 53 is usually the domain name service
(DNS)
– Port 80 is usually the hypertext transfer
protocol service
• A socket is the combination of an IP address
and a port, e.g. 192.168.2.45:80
• Sockets enable multiple simultaneous
services to run on a single address
ECE579S/1 #91
Address Registration
• Internet Corporation for Assigned Names and
Numbers (ICANN) handles:
– IP address space allocation
– protocol parameter assignment
– domain name system management
– root server system management functions
• Only essential to register addresses that appear on
the global network, but registration is preferred
ECE579S/1 #92
Routing
ECE579S/1 #93
Protocols
• A protocol is simply an agreed-upon
exchange of information required to
perform a given task
– IP is a protocol
– So is TCP
• Networks utilize protocols to accomplish all
the important tasks they perform
• Layered protocols are common
ECE579S/1 #94
ISO Protocol Model
ECE579S/1 #95
Protocol Layering
• Refers to a protocol running on top of
another protocol
• Layered protocols are designed so that layer
n at the destination receives exactly the
same object sent by layer n at the source
ECE579S/1 #96
TCP/IP Layering Model
Application         Application-specific messages/streams
Transport           TCP Packets
Internet            IP Datagrams
Network Interface   Ethernet/Token Ring
Hardware
ECE579S/1 #97
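The Ethernet Addresses and Ethernet Frame slides (a NIC must recognize its own 48-bit address and the multicast address) and the layering slides (layer n at the destination receives exactly the object layer n sent) describe one mechanism: each layer prepends a header carrying a type field, and the destination peels them off in reverse. The block below is an added example, not from the lecture, that builds a frame in memory with the real Ethernet II, IPv4 and TCP fixed header layouts, applies the NIC's address filter, verifies the IPv4 header checksum, and hands the unchanged application message back up. The MAC and IP addresses are constructed sample values and the TCP checksum is left at zero.

```python
"""Encapsulation and decapsulation across the TCP/IP layering model.

Added example, not from the lecture. Header layouts are the real fixed
ones (Ethernet II: destination, source, EtherType; IPv4 and TCP 20-byte
headers), but the frame only ever lives in memory; the TCP checksum is
left at zero and every address is a constructed sample value.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
ETH_FMT, IP_FMT, TCP_FMT = "!6s6sH", "!BBHHHBBH4s4s", "!HHIIBBHHH"


def parse_mac(text: str) -> bytes:
    """'02:00:00:00:00:01' -> the 6 raw octets of a 48-bit Ethernet address."""
    octets = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("an Ethernet address is 48 bits")
    return octets


def ip_to_bytes(text: str) -> bytes:
    """Dotted decimal -> 4 octets (no class or range checks here)."""
    return bytes(int(p) for p in text.split("."))


def is_multicast(mac: bytes) -> bool:
    """Least significant bit of the first octet set = group address;
    the all-ones broadcast address is a special case of it."""
    return bool(mac[0] & 0x01)


def nic_accepts(frame: bytes, own_mac: bytes) -> bool:
    """The filter a NIC applies: its own unicast address or any group address."""
    dst = frame[:6]
    return dst == own_mac or is_multicast(dst)


def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words; a header whose
    checksum field is already filled in sums to 0 when intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, message: bytes) -> bytes:
    """Source side: every layer prepends its own header to the object handed down."""
    # Transport layer: TCP header (seq 1, PSH+ACK, checksum left 0 here) + message
    tcp = struct.pack(TCP_FMT, src_port, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + message
    # Internet layer: IPv4 header; the checksum covers the header only
    fields = [0x45, 0, 20 + len(tcp), 1, 0x4000, 64, IPPROTO_TCP, 0, src_ip, dst_ip]
    fields[7] = ip_checksum(struct.pack(IP_FMT, *fields))
    ip = struct.pack(IP_FMT, *fields) + tcp
    # Network interface layer: the Ethernet II header names the protocol above it
    return struct.pack(ETH_FMT, dst_mac, src_mac, ETHERTYPE_IPV4) + ip


def unpack_frame(frame: bytes) -> dict:
    """Destination side: peel one header per layer, demultiplex on the type
    field each header carries, and hand the remainder up unchanged."""
    dst, src, ethertype = struct.unpack(ETH_FMT, frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("EtherType 0x%04x is not IPv4" % ethertype)
    ip = frame[14:]
    vihl, _, total_len, _, _, ttl, proto, _, src_ip, dst_ip = struct.unpack(IP_FMT, ip[:20])
    ihl = (vihl & 0x0F) * 4
    if ip_checksum(ip[:ihl]) != 0:
        raise ValueError("IPv4 header checksum failed")
    if proto != IPPROTO_TCP:
        raise ValueError("IP protocol %d is not TCP" % proto)
    tcp = ip[ihl:total_len]
    sport, dport, _, _, off, _, _, _, _ = struct.unpack(TCP_FMT, tcp[:20])
    data_off = (off >> 4) * 4
    return {"dst_mac": dst, "src_mac": src, "ttl": ttl,
            "src_ip": ".".join(map(str, src_ip)), "dst_ip": ".".join(map(str, dst_ip)),
            "src_port": sport, "dst_port": dport, "message": tcp[data_off:]}


def frame_is_valid(frame: bytes) -> bool:
    """True when every layer's header parses and the IPv4 checksum verifies."""
    try:
        unpack_frame(frame)
        return True
    except (ValueError, struct.error):
        return False
```

The checksum only guards the IPv4 header against accidental corruption; it is not an integrity mechanism against a deliberate change, which is part of why the later slides say TCP/IP "were not planned to have/need security".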
Some Common Protocols
• ARP maps IP addresses to physical addresses
• RARP determines IP address at startup
• IP provides for assured connectionless datagram
delivery
• ICMP handles error and control messages
• UDP defines user datagrams (no assurance of
delivery)
• IKE handles crypto key management functions
• TCP provides reliable stream transport
ECE579S/1 #98
How Protocol Layering Works
ECE579S/1 #99
Protocol Layering & Internet
ECE579S/1 #100
Important Boundaries
ECE579S/1 #101
TCP
• Assumes little about underlying network
• Reliable delivery characteristics:
– Stream orientation
– Virtual circuit connection
– Buffered transfer
– Unstructured stream
– Full duplex connection
ECE579S/1 #102
Positive Acknowledgement
ECE579S/1 #103
Positive Acknowledgement
With Lost Packet
ECE579S/1 #104
Sliding Window
ECE579S/1 #105
Positive ACK With Sliding
Window
ECE579S/1 #106
TCP
• A communications protocol, NOT a piece of
software
• Provides
– Data format
– Data acknowledgement for reliable transfer
– How to distinguish multiple destinations
– How to set up and break down a session
• Very complex
ECE579S/1 #107
Conceptual TCP Layering
ECE579S/1 #108
Internet Round Trip Delays
This data is old, but
still meaningful if you
ignore the absolute values
of the delays.
ECE579S/1 #109
Delays
• Cannot be avoided or predicted (except
statistically)
– Packet delivery times will vary
– Many packets will simply be lost
• So, as a network designer...
– How long do you wait to assume nondelivery?
– How do you slide the window?
– How do you back off on collision detect?
– How do you respond to congestion?
– …etc.
ECE579S/1 #110
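The positive-acknowledgement, lost-packet and sliding-window slides and the design questions above (when to assume nondelivery, how to slide the window) can be made concrete with a small simulation. The block below is an added example, not from the lecture: it models a Go-Back-N sender and a receiver that acknowledges cumulatively, over a channel that loses chosen segments the first time they are sent. A timeout is modelled as a round trip in which nothing new is acknowledged, not as wall-clock time; the segment counts and loss patterns are constructed inputs.

```python
"""Positive acknowledgement with retransmission: stop-and-wait vs. a sliding window.

Added example, not from the lecture. A Go-Back-N sender and a cumulative-ACK
receiver are simulated over a channel that loses selected segments on their
first transmission. "Timeout" means a round trip with no new acknowledgement.
"""
from dataclasses import dataclass


@dataclass
class Stats:
    transmissions: int = 0   # segments put on the wire, retransmissions included
    round_trips: int = 0     # send-the-window-then-wait-for-ACK cycles
    timeouts: int = 0        # cycles in which nothing new was acknowledged


def simulate(n_segments: int, window: int, lost_first_time=frozenset()):
    """Return (Stats, list of delivered sequence numbers) for sending n_segments
    with the given window size; window == 1 is stop-and-wait."""
    if window < 1:
        raise ValueError("window must be at least 1")
    stats = Stats()
    base = 0                 # sender: oldest unacknowledged sequence number
    next_expected = 0        # receiver: the only sequence number it will accept
    seen_on_wire = set()     # channel: which segments have been transmitted before
    delivered = []
    while base < n_segments:
        stats.round_trips += 1
        for seq in range(base, min(base + window, n_segments)):
            stats.transmissions += 1
            first_copy = seq not in seen_on_wire
            seen_on_wire.add(seq)
            if first_copy and seq in lost_first_time:
                continue                       # dropped in transit, never acknowledged
            if seq == next_expected:           # in order: accept and advance
                delivered.append(seq)
                next_expected += 1
            # anything else arrived out of order and a Go-Back-N receiver discards it
        cumulative_ack = next_expected         # the ACK names the next segment wanted
        if cumulative_ack == base:
            stats.timeouts += 1                # timer expires; resend from base
        base = cumulative_ack                  # slide the window to the ACK
    return stats, delivered


def compare(n_segments: int, lost_first_time=frozenset(), windows=(1, 4)) -> dict:
    """Stats per window size for the same loss pattern."""
    return {w: simulate(n_segments, w, lost_first_time)[0] for w in windows}
```

Running `compare(8, {2})` shows the trade the slides describe: stop-and-wait needs nine round trips and one timeout to deliver eight segments, while a window of four needs three round trips and no timeout, at the cost of retransmitting segments that were received out of order.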
Establishing a TCP Session
ECE579S/1 #111
Ending a TCP Session
This implies that a TCP session could be left “half open.” That is true.
ECE579S/1 #112
TCP State Machine
ECE579S/1 #113
Other Network Protocols
• NetBIOS
• NetBEUI
• IPX
• X.25
• ATM
Message: TCP/IP is not the only show in
town BUT...it is the most popular show in town
ECE579S/1 #114
Network Facts
• Most computers today are connected to a
network (consider the Internet), at least for
part of the time they are in operation
• Most local networks are internetworked
• How to provide authenticity, integrity,
confidentiality, availability?
• Cryptography can help provide all the
security services except availability
ECE579S/1 #115
Network Summary--1
• Security is a real need in real systems
• Defense systems are particularly attractive
targets
• The issues involved cross the disciplines of
computer science, engineering, and
management
• Several models can be visualized for the
security mechanisms
ECE579S/1 #116
Network Summary--2
• Networks and internetworking have become
ubiquitous
• Networking allows interconnection of
computers without much concern for the
local OS or machine architecture
• Networking raises many serious security
issues, which must be solved for networks
to be useful in modern business settings
• The pace of network security problem
development far exceeds the pace of their
solution
ECE579S/1 #117
Cryptography Primer
ECE579S/1 #118
Overview of the Cryptology
Field
ECE579S/1 #119
Types of Cryptosystems
• Symmetric key
– From B.C.E. times to today
– Also called private key, which has become
confusing
• Asymmetric key
– Invented in 1976
– Also called public key systems
• Hybrid Systems
ECE579S/1 #120
The Players
• Alice: commonly used to denote the sender
of cryptographic traffic
• Bob: commonly used to indicate the
recipient of that traffic
• Eve: an eavesdropper
• Oscar: a generalized “bad guy”
ECE579S/1 #121
Symmetric Key Cryptosystems
• Problem Statement: Alice and Bob want to communicate over an unsecured channel (e.g., a computer network or a satellite link). They want to prevent Oscar (the bad guy) from listening.
• Solution: Use a private-key cryptosystem (these have been around since ancient times) such that if Oscar reads the encrypted version y of the message x over the unsecured channel, he will not be able to understand its content: x is what was really sent, and without the shared key he cannot recover x from y.
Symmetric Key Cryptography
[Diagram: Alice encrypts her message with the shared private key; Bob decrypts it with the same shared private key]
Enigma
Perhaps the most famous cipher machine in history. This is an early model. Later test versions had as many as five rotors. Standard Kriegsmarine machines had four rotors after about 1943.
Enigma was a tactical machine, designed for battlefield use.
Even today, Enigma would provide excellent security…IF no errors occurred on the part of the operators.
Sigaba
Similar in theory to Enigma. Designed for strategic (fixed station) use; note direct punching of teletypewriter paper tape for transmission.
Symmetric Key Cryptosystems
Definitions
Kerckhoffs’ Principle
• Secrecy must reside solely in the key
– It is assumed that the attacker knows the
complete details of the cryptographic algorithm
and implementation
• A. Kerckhoffs was a 19th century Dutch
cryptographer
• Ergo, security by obscurity doesn’t work!
Enigma and Sigaba
• Illustrate the validity of Kerckhoffs’ principle
• Even when cryptanalysts were armed with a
nearly perfect replication of the Enigma
logic, brute-force keyspace search was
useless for providing practical results
• The key needed to be discovered!
Simple Block Ciphers
Other Crypto Systems
• Substitution ciphers
– Most famous is the Caesar cipher:
monoalphabetic substitution with offset = 3
– Transposition ciphers in this group
– Children’s decoders usually in this category
• Book ciphers
• Codebooks
Problem Areas
• Languages have well-known statistics
– E.g., “e” is the most common letter in English
– This can be exploited for cryptanalysis
– Thus, substitution ciphers are not very secure
– Similar problems plague book ciphers, etc.
• The only way to achieve true security is to
make the ciphertext appear as random as
possible
Modern Cryptography Uses Electronic Digital Systems
• Advantages:
– Speed
– Accuracy
– Ability of using complex mathematics
• Disadvantages
– Complex equipment
– Electronic vulnerabilities
– Key management
Symmetric Ciphers
• Same code at each end
• Important that message length < cipher
length
• Billions of combinations possible
• Codes changed frequently
• Each circuit requires a code pair
Cipher Example (Mauborgne/Vernam)
• Encipher:
Plain:  001 010 011 100
+key:   111 011 010 101
Cipher: 110 001 001 001
• Decipher:
Cipher: 110 001 001 001
+key:   111 011 010 101
Plain:  001 010 011 100
The ciphertext is simply the plain text added to the key, modulo 2. This is a reversible process, as seen above.
How to Achieve Good Cryptography?
• Well-reviewed algorithms
– So weaknesses cannot “hide” until after
implementation
• Excellent key generation & management
– To maintain secrecy of the key
• Algorithms that are sufficiently complex so
as to not permit feasible exhaustive attacks
Feistel Ciphers: Characteristics
• Special class of iterated block ciphers
• Ciphertext calculated from plaintext by
repeated application of the same
transformation or round function
• Encryption and decryption are
structurally identical (subkey order
reversed for decryption)
• Fast, even in software implementation
• Easily analyzed (i.e., deficiencies more
readily found by analysis)
Feistel Ciphers in Operation
• Plaintext split into two halves
• Round function f is applied to
one half using a subkey
• Output of f is XOR’d with the
other half of the plaintext
• Two halves are swapped
• Process repeated for n rounds
• No swap after last round
DES: Feistel Applied
• DES: Data Encryption Standard
• Formal specification -- FIPS PUB 46-3, last
affirmed 25 October 1999
http://www.csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
• Describes two cryptographic algorithms
– DES
– TDEA (commonly referred to as 3DES)
• DES based on IBM Lucifer cipher of 1974
DES Characteristics
• 64-bit block cipher
• 56-bit key, with additional 8 bits used for
error checking (odd parity on each byte)
• Four operating modes (not unique to DES)
– Electronic Codebook (ECB)
– Cipher Block Chaining (CBC)
– Cipher Feedback (CFB)
– Output Feedback (OFB)
Subkey Generation
• Creating the subkeys in a Feistel cipher has
a major effect on the overall security of the
algorithm
– Possible to create weak keys
– Changes in the subkey algorithm can result in
effectively different realizations of the
algorithm
• DES is based on Feistel rounds, and uses a
complex method of subkey generation
DES Enciphering Computation
Feistel round
Initial Permutation
Cipher Function, f(R_n, K_n)
How Can This Happen?
• Turn 32-bit plaintext into 48-bit output
• Add to 48-bit key
• Get 32-bit output
?
Details
• E-function takes the input to the Feistel
round and expands it to 48 bits
• S boxes (for substitution) permute bits to
produce the proper output
• Inverse permutation (IP^-1) restores bit order
after the 16 Feistel rounds
S-box Example
Key Scheduling
Principal Operating Modes
(FIPS PUB 81)
• Electronic Code Book (ECB)
– Encrypts one block at a time with selected key
– Vulnerability: repeated plaintext can reveal
key, and then all cipher blocks can be decrypted
• Cipher Block Chaining (CBC)
– Input to each block is the output of the previous block XOR’d with the next plaintext block
– Initial block XOR’d with an Initialization
Vector (IV)
ECB
CBC
Additional Modes -1
• Cipher Feedback Mode
– previous ciphertext block encrypted and output
XOR’d with plaintext block to produce current
ciphertext block
– can use feedback that is less than one full data
block
– initialization vector used as “seed” for the
process.
CFB
Additional Modes -2
• Output Feedback Mode (OFB)
– similar to CFB mode except data XOR’d with
each plaintext block is generated independently
of both the plaintext and ciphertext
– initialization vector s_0 used as “seed” for a sequence of data blocks s_i
– each data block s_i derived from encryption of the previous data block s_{i-1}
OFB
Importance of DES
• Ubiquitous, U.S. federal standard
• When standardized, 56-bit key made cipher
computationally secure
– This is no longer the case
– DES has been broken using brute force attacks
in hours, using desktop PCs
• Immediate fix: Triple Data Encryption
Algorithm (or Triple DES, 3DES)
TDEA
[Diagram: TDEA encryption and decryption, using three separate keys]
TDEA Realities
• Two keying options
– Three separate keys (as shown previous slide)
– Two keys; E_K1 = E_K3 (i.e., K1 = K3)
– Resultant key lengths of 168 or 112 bits
• For mathematical reasons we won’t go into here,
3-key TDEA is only about twice as secure as DES,
not 3 times as secure
• Implemented in hardware, 3-key TDEA can
achieve throughputs approaching 1 Gbps
TDEA Advantages
• Thoroughly analyzed, unlikely to have any
hidden vulnerabilities
• Much less vulnerable to brute force attack
than DES
• Can be implemented in silicon, with very
fast throughput
TDEA Disadvantages
• Algorithm produces slow software
implementations
• Limited to 64-bit block size
• Trebles the key distribution problem of DES
DES Decryption
• As DES is a Feistel cipher, decryption uses
the same engine as does encryption
• For decryption:
– The DES engine is precisely the same as the
encryption engine -- it is not run in reverse
(e.g. with the input coming in the “bottom”)
– Instead, the key schedule is run in reverse; i.e.
the first subkey used is K16, then K15, etc.,
finishing with K1
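A toy Feistel cipher, added here as an illustration of the two slides above (Feistel Ciphers in Operation and DES Decryption); it is not DES and not code from the course. The block size (16 bits), round count (8), round function and key schedule are all made up for the demonstration; the point it shows is that one engine both encrypts and decrypts, with only the subkey order reversed.

```python
# Added toy Feistel cipher (not from the slides): 16-bit blocks split into two
# 8-bit halves, 8 rounds, a made-up round function and key schedule.
# It shows the structural point of the slides: the SAME engine encrypts and
# decrypts; only the order of the subkeys is reversed.

ROUNDS = 8

def round_function(half: int, subkey: int) -> int:
    """Toy f(R, K). Inside is a Vernam-style XOR of the half with the subkey,
    followed by a rotate and a multiply-add mod 256. It is deliberately
    simple and NOT secure; the Feistel structure never needs to invert f,
    so any function works here."""
    x = (half ^ subkey) & 0xFF
    x = ((x << 3) | (x >> 5)) & 0xFF      # rotate left by 3 within 8 bits
    return (x * 0x9B + 0x35) & 0xFF       # arithmetic mix, wraps mod 256

def key_schedule(key: int) -> list:
    """Derive ROUNDS 8-bit subkeys K1..Kn from a 32-bit key (toy schedule:
    pick a key byte, then mix in the round number)."""
    return [((key >> (8 * (i % 4))) ^ (0x1F * i)) & 0xFF for i in range(ROUNDS)]

def feistel(block: int, subkeys: list) -> int:
    """The Feistel engine: split the block, apply f to one half with the
    round subkey, XOR into the other half, swap; no swap after the last round."""
    left, right = (block >> 8) & 0xFF, block & 0xFF
    last = len(subkeys) - 1
    for i, k in enumerate(subkeys):
        left ^= round_function(right, k)
        if i != last:                      # no swap after the last round
            left, right = right, left
    return (left << 8) | right

def encrypt(block: int, key: int) -> int:
    return feistel(block, key_schedule(key))

def decrypt(block: int, key: int) -> int:
    # Same engine as encrypt, not run "in reverse"; only the key schedule is
    # reversed (DES: K16 first, finishing with K1; here K8 ... K1).
    return feistel(block, key_schedule(key)[::-1])

def roundtrip_ok(key: int, blocks: list) -> bool:
    """True if decrypt(encrypt(x)) == x for every block given."""
    return all(decrypt(encrypt(x, key), key) == x for x in blocks)

if __name__ == "__main__":
    key = 0xDEADBEEF                      # constructed sample key
    for x in (0x0000, 0x1234, 0xFFFF):
        c = encrypt(x, key)
        print(f"plain {x:04x} -> cipher {c:04x} -> plain {decrypt(c, key):04x}")
```

Because f is never inverted, the round function can be anything at all; the decryption proof asked for in the homework follows from tracing one round of `feistel` forwards and then backwards with the reversed list.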
DES Mathematics
• Only two functions used
– XOR
– Data permutation or shifting
• At the heart of the DES engine, inside the
f-box, is a Vernam cipher machine!
• Vernam, by itself, is insecure. What makes
DES secure?
Symmetric Crypto Keys
• Ideally, are purely random numbers
• This is possible because:
– The keys are prepositioned at each end
– Random numbers can be generated by capturing stellar
noise, diode shot noise, etc.
– The parties need only agree on where in the key stream
to start
– The key does not have to obey any mathematical
function other than randomness
• Many implementations use pseudo-random
numbers, which are not truly random
AES: The Next Generation
• Advanced Encryption Standard (FIPS PUB 197)
– Established to counter weaknesses of DES
– Adopted as U. S. standard November 26, 2001
– Became effective May 26, 2002
– Based on Rijndael algorithm
• Joan Daemen and Vincent Rijmen, Belgians, authors
– Key lengths of 128, 192, and 256 bits
– Block size of 128 bits
Rijndael Structure
• Rijndael is not a Feistel cipher; rather, it
uses substitution boxes
• “...typically part of the bits of the
intermediate state are simply transposed
unchanged to another position”
• “...[each] round transformation is composed
of three distinct invertible uniform
transformations”
AES’ Future
• Clearly intended to replace DES & TDEA
• Designed for efficient software
implementation
• Not yet as thoroughly analyzed as DES
• Many implementations on the market
• Probably a long coexistence of TDEA & AES
Breaking Symmetric Ciphers
• Brute force
– Inelegant, but sometimes effective if enough
computing power can be brought to bear
– If cipher is complex enough, this doesn’t work
• Exploit errors
– Same message enciphered in two codes
– Plaintext attack
– Exploit operator errors
Brute Force Attacks on Symmetric Cryptosystems
Assume a number N having L decimal digits (N ≈ 10^L).
Now posit a computer capable of 10^10 divisions/second.
The computer can factor any N, using the trial division method, in approximately N^0.5 / 10^10 seconds.
If N has 100 digits, this process will require approximately 10^40 seconds.
However, the currently estimated age of the Universe is only approximately 3.8 x 10^17 seconds!
Key Types
• Permanent
– Used for a fixed, prearranged period of time
– Typically used for applications such as key
distribution, government communications, etc.
• Session
– Valid only for current communications session
– Destroyed after session terminates
Key Distribution Problem
• Secret keys must be prepositioned at all
locations before secure communications can
occur.
• How to do this?
– Secure physical transport
– Secure electronic transport
• The search for a way to accomplish this led to the
development of public key cryptography, which we
will look at next
Asymmetric Ciphers
• Also known as public key cryptography
• Until Diffie-Hellman in 1976, this concept
was heretical. It is still counterintuitive.
• Key has two parts
– Public: everybody knows or can know
– Private: only holder knows
• Based on large prime numbers
Asymmetric Cryptography
[Diagram: Alice encrypts her message with Bob’s public key; Bob decrypts it with Bob’s private key]
Curious Public Key Properties
• The encryption function is one-way
• The encryption process is fungible
– Can encrypt with public key and decrypt with
private key, and vice versa
• So what?
– How about using this approach to sign
documents?
– Can a signed document be used for
authentication?
The Original Goal
• Diffie and Hellman did not set out to invent
a new kind of cryptography
• The goal was to find a way to establish
symmetrical session keys without prior
placement of the keys by some other means
– i.e. to solve the key distribution problem
• This is still the primary use of the D-H
exchange
But then...
• Diffie-Hellman key exchanges proved
immensely useful
• Others found that there were other uses for this general crypto principle, and algorithms were developed for encrypting data
– RSA
– El Gamal
– etc.
Something Different
• Clearly, asymmetric crypto differs in a basic
way from symmetric crypto
– The keys are mathematically related, and
cannot be purely random numbers
– The algorithms are quite different from the
universe of Feistel ciphers and S-boxes
• Is this a replacement for symmetric crypto,
or a complement to it?
Asymmetric Crypto Properties
• The encryption function is one-way
• The encryption process is fungible
– Can encrypt with public key and decrypt with
private key, and vice versa
• So what?
– Could this approach be used to sign
documents?
– Can a signed document be used for
authentication?
How Does It Work?
• Asymmetric cryptography is based on
modulus arithmetic
• Modulus arithmetic makes it computationally infeasible to recover the number whose
modulus is stated, provided certain
conditions are met
• You can cheat: the Windows calculator has
a modulus arithmetic mode
Diffie-Hellman Key Exchange-1
• Alice and Bob agree on a large prime n and a number g, where g is primitive mod n. These need not be kept secret
• Alice chooses a large random integer x and sends to Bob: X = g^x mod n
• Bob chooses a large random integer y and sends to Alice: Y = g^y mod n
• NB: x and y are never transmitted
Diffie-Hellman Key Exchange-2
• Alice computes k = Y^x mod n
• Bob computes k’ = X^y mod n
• But k = k’ = g^(xy) mod n
• Therefore, Bob and Alice now have a secret key, k, that they can share for communications
• Eavesdroppers know only n, g, X, and Y, not x or y, which are required to compute k
Diffie-Hellman Security
• D-H security depends on the difficulty of factoring
large numbers (size of n)
• It is computationally infeasible to recover x and y
from the data known to an eavesdropper by any
means other than exhaustive key search
• Caveats
– n must be large
– ((n-1)/2) should also be prime
– g can be small -- even one digit
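A worked Diffie-Hellman exchange covering the three slides above, added here and not part of the course material. The numbers are constructed so the arithmetic can be followed by hand: n = 23 is a safe prime ((23-1)/2 = 11 is also prime, the caveat on this slide), g = 5 is primitive mod 23 and small, and the secrets are x = 6 and y = 15; the primitivity test used is the standard one for safe primes.

```python
# Added worked Diffie-Hellman exchange (not from the slides), with small
# constructed numbers: n = 23 (safe prime), g = 5 (primitive mod 23),
# secrets x = 6 and y = 15.

def is_prime(n: int) -> bool:
    """Trial division; fine for the toy sizes used here."""
    if n < 2:
        return False
    f = 2
    while f * f <= n:
        if n % f == 0:
            return False
        f += 1
    return True

def is_safe_prime(n: int) -> bool:
    """The slide's caveat: n prime AND (n-1)/2 prime."""
    return n > 3 and is_prime(n) and is_prime((n - 1) // 2)

def is_primitive_mod_safe_prime(g: int, n: int) -> bool:
    """For a safe prime n = 2q+1 the multiplicative group has order 2q, so g
    is a generator iff g^2 != 1 and g^q != 1 (mod n)."""
    if not is_safe_prime(n) or not 1 < g < n - 1:
        return False
    q = (n - 1) // 2
    return pow(g, 2, n) != 1 and pow(g, q, n) != 1

def dh_public(g: int, n: int, secret: int) -> int:
    """X = g^x mod n (or Y = g^y mod n); this value is sent in the clear."""
    return pow(g, secret, n)

def dh_shared(peer_public: int, secret: int, n: int) -> int:
    """k = Y^x mod n on Alice's side, k' = X^y mod n on Bob's side."""
    return pow(peer_public, secret, n)

def dh_exchange(n: int, g: int, x: int, y: int) -> dict:
    """Run both sides and return what each party computes and what an
    eavesdropper sees (n, g, X, Y; never x, y or k)."""
    if not is_primitive_mod_safe_prime(g, n):
        raise ValueError("g must be primitive modulo a safe prime n")
    X = dh_public(g, n, x)          # Alice -> Bob
    Y = dh_public(g, n, y)          # Bob -> Alice
    k = dh_shared(Y, x, n)          # Alice: k = Y^x mod n
    k_prime = dh_shared(X, y, n)    # Bob:   k' = X^y mod n
    return {"eavesdropper_sees": (n, g, X, Y), "k": k, "k_prime": k_prime}

if __name__ == "__main__":
    r = dh_exchange(23, 5, 6, 15)
    print(r)   # both sides arrive at k == k_prime == 2
```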
Diffie-Hellman Drawbacks
• Slow!
– Computationally intensive
– Requires several communications exchanges
• Example:
– Using D-H to set up a session key in a cellular
telephone could take nearly one minute!
• So, other key exchange protocols have been
established that are more efficient
Asymmetric Crypto Uses?
• Only good for key exchange?
• As it turns out, NO
– Other algorithms useful for providing data
secrecy, like symmetric cryptography
– Can be used to provide
• confidentiality
• integrity
• authenticity
RSA Encryption Algorithm
• Ron Rivest, Adi Shamir, Len Adleman
– First published 1978, from MIT
– Block cipher, asymmetric key
– Plain and cipher texts are integers between 0 and n-1,
for some n that is part of the keys
• Like all asymmetric key systems, RSA depends
for security on the difficulty of factoring large
numbers
– There is a problem here
RSA Mechanics
• C = ciphertext
– C = M^e mod n
• M = plaintext
– M = C^d mod n = (M^e)^d mod n = M^(ed) mod n
• Both parties know n, e
• Only the receiving party knows d
Therefore...
• Public key: KU = {e,n}
• Private key: KR = {d,n}
• Requirements for this to work:
– e, d, n exist such that M^(ed) = M mod n for all M < n
– Easy to calculate M^e and C for M < n
– Infeasible to calculate d given e, n
• Computationally secure if e, n sufficiently large
Important Definitions
• Euler’s totient function, φ(n)
– Defined as the number of positive integers < n and relatively prime to n
– Can show that if n = pq, φ(n) = (p-1)(q-1)
• Relatively prime numbers
– a and b (integers) are relatively prime if they
have no prime factors in common
• i.e. only common prime factor is unity
RSA Example
• Select two primes: p = 7, q = 17
• Calculate n = pq = 7 x 17 = 119
• Calculate φ(n) = (p-1)(q-1) = 6 x 16 = 96
• Select e relatively prime to & less than φ(n)
– In this example e = 5
• Calculate d = e^-1 mod φ(n) = 77 (this bit is perhaps unclear; see the next slide)
• KU = {5, 119} (public key)
• KR = {77, 119} (private key)
Another View
• d = e^-1 mod φ(n) looks difficult, as e^-1 < 1
• Multiply both sides by e, which gives de = 1 mod φ(n), where φ(n) = 96 in this case
• e has been selected as being 5, therefore we must now find the value for d that satisfies the above equation
• 77 is that value, as 5 x 77 = 1 mod 96:
77 x 5 = 385 = 4 x 96 + 1
RSA Encrypt/Decrypt
• Using the KU, KR we have calculated, let M = 19 (plaintext)
– KU = {5, 119} = {e, n} (public key)
– KR = {77, 119} = {d, n} (private key)
• Encryption:
– M^e mod n = 19^5 mod 119 = 66 = C (ciphertext)
• Decryption:
– C^d mod n = 66^77 mod 119 = 19 = M (plaintext)
• Q.E.D.
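The RSA example of the last four slides carried out in code, added here as an illustration (not code from the course): key generation with p = 7, q = 17, e = 5 (the extended Euclidean algorithm finds d = e^-1 mod φ(n) = 77), encryption of M = 19 to C = 66 and back, plus the "fungible" sign-with-private/verify-with-public property mentioned under Asymmetric Crypto Properties. Function names are this example's own.

```python
# Added worked implementation (not from the slides) of the RSA example:
# p = 7, q = 17, e = 5 give n = 119, phi(n) = 96, d = 77, and M = 19
# encrypts to C = 66. Extended Euclid finds d = e^-1 mod phi(n).

def egcd(a: int, b: int):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t

def modinv(e: int, m: int) -> int:
    """Return d with d*e = 1 (mod m); raises if e and m share a factor."""
    g, s, _ = egcd(e, m)
    if g != 1:
        raise ValueError("e and phi(n) are not relatively prime; choose another e")
    return s % m

def rsa_keygen(p: int, q: int, e: int):
    """Return (KU, KR) = ((e, n), (d, n)) for primes p, q and a chosen e."""
    n = p * q
    phi = (p - 1) * (q - 1)                # Euler's totient of n = pq
    if not 1 < e < phi:
        raise ValueError("e must be less than phi(n)")
    d = modinv(e, phi)                     # also checks e is relatively prime to phi(n)
    return (e, n), (d, n)

def rsa_encrypt(m: int, ku) -> int:
    e, n = ku
    if not 0 <= m < n:
        raise ValueError("plaintext must be an integer between 0 and n-1")
    return pow(m, e, n)                    # C = M^e mod n

def rsa_decrypt(c: int, kr) -> int:
    d, n = kr
    return pow(c, d, n)                    # M = C^d mod n

# The "fungible" property: operate with the private key, undo with the public one.
def rsa_sign(m: int, kr) -> int:
    d, n = kr
    return pow(m, d, n)

def rsa_verify(m: int, sig: int, ku) -> bool:
    e, n = ku
    return pow(sig, e, n) == m

if __name__ == "__main__":
    ku, kr = rsa_keygen(7, 17, 5)
    print("KU =", ku, "KR =", kr)                  # KU = (5, 119) KR = (77, 119)
    c = rsa_encrypt(19, ku)
    print("C =", c, "M =", rsa_decrypt(c, kr))     # C = 66 M = 19
```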
RSA Importance
• Together with Diffie-Hellman, RSA is the
most widely used asymmetric key algorithm
• RSA was patented by its inventors, but the
patents expired in 2000
• RSA is now freely usable by anyone, and is
widely incorporated into common products,
such as web browsers, VPN devices, etc.
Breaking RSA
• Discover the private key, d
– Easy to do if p and q, factors of n, are known
– Hard part is factoring n
– Factoring 200-digit n has been done
• Find eth roots mod n
– Not known to be equivalent to factoring
– No general methods known
• Brute force key search
Practical RSA Security
• Choose a sufficiently large n
– 200 digits ≈ 663 bits, which has been factored
• 9 May 2005, Jens Franke, et al., Univ. of Bonn
– So, choose n > 1000 bits (1024, 2048, 4096)
– Evaluate how long security is required, as
longer keys require more computation, and are
therefore slower to encrypt/decrypt
• Guard the private key carefully!
Why Do We Want to Do This?
• Symmetric cryptography is fast
• Asymmetric cryptography is slow
– As much as 1000X slower than symmetric
• Therefore, we want to use the slow
asymmetric crypto -- which does not require
prepositioning of keys -- to create and/or
exchange symmetric session keys so that
data can be exchanged quickly
Crypto Summary
• Both symmetric and asymmetric crypto
have their uses in communications
• Symmetric keys can be purely random, but
asymmetric keys are mathematically related
• Symmetric crypto is much faster than
asymmetric, which leads to combining the
types in practical applications
Homework
• Read Bishop, Chapters 9 & 11
• Prove that decryption in a Feistel cipher can be done by applying the encryption algorithm to the ciphertext, with the key schedule reversed.
• Suppose a sequence of plaintext blocks, x_1…x_n, yields the ciphertext sequence y_1…y_n. Suppose that one ciphertext block, say y_i, is transmitted incorrectly. Show that the number of plaintext blocks that will be decrypted incorrectly is equal to one in ECB or OFB modes, and equal to two if CBC or CFB modes are used.
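An added demonstration (not course code) of the four FIPS PUB 81 modes from the Principal and Additional Modes slides, run over a toy 16-bit block cipher, which then flips one bit in a transmitted ciphertext block and counts how many plaintext blocks decrypt wrongly; it shows empirically the error-propagation result the last exercise asks you to prove. The toy cipher, key, IV and plaintext blocks are all constructed for this example.

```python
# Added illustration (not from the slides): ECB, CBC, CFB and OFB over a toy
# 16-bit block cipher, then one ciphertext block is corrupted in transit and
# the wrongly decrypted plaintext blocks are counted.
# The toy E/D pair is a bijection (XOR with key, then rotate); it is NOT
# secure and only stands in for DES so the mode behaviour is visible.

MASK = 0xFFFF

def E(k: int, b: int) -> int:
    x = (b ^ k) & MASK
    return ((x << 5) | (x >> 11)) & MASK          # rotate left 5 (16 bits)

def D(k: int, c: int) -> int:
    x = ((c >> 5) | (c << 11)) & MASK              # rotate right 5 undoes E
    return x ^ k

def encrypt_mode(mode: str, k: int, iv: int, blocks: list) -> list:
    out, prev = [], iv            # prev = c_{i-1} (CBC, CFB) or s_{i-1} (OFB)
    for x in blocks:
        if mode == "ECB":         # each block enciphered on its own
            c = E(k, x)
        elif mode == "CBC":       # x_i XOR previous ciphertext, then E
            c = E(k, x ^ prev)
            prev = c
        elif mode == "CFB":       # E of previous ciphertext, XOR with x_i
            c = x ^ E(k, prev)
            prev = c
        elif mode == "OFB":       # s_i = E(s_{i-1}); c_i = x_i XOR s_i
            prev = E(k, prev)
            c = x ^ prev
        else:
            raise ValueError(mode)
        out.append(c)
    return out

def decrypt_mode(mode: str, k: int, iv: int, blocks: list) -> list:
    out, prev = [], iv
    for c in blocks:
        if mode == "ECB":
            x = D(k, c)
        elif mode == "CBC":
            x = D(k, c) ^ prev
            prev = c
        elif mode == "CFB":       # note: decryption also uses E, not D
            x = c ^ E(k, prev)
            prev = c
        elif mode == "OFB":
            prev = E(k, prev)
            x = c ^ prev
        else:
            raise ValueError(mode)
        out.append(x)
    return out

def blocks_lost_after_error(mode: str, k: int, iv: int, plaintext: list, i: int) -> int:
    """Encrypt, flip one bit in ciphertext block y_i, decrypt, and count the
    plaintext blocks that no longer match."""
    ct = encrypt_mode(mode, k, iv, plaintext)
    ct[i] ^= 0x0001                                # transmission error in y_i
    pt = decrypt_mode(mode, k, iv, ct)
    return sum(1 for a, b in zip(plaintext, pt) if a != b)

# Constructed sample input: six plaintext blocks, a key and an IV.
PLAINTEXT = [0x0001, 0x0010, 0x0100, 0x1000, 0x1234, 0xABCD]
KEY, IV = 0x2B7E, 0x1F1F

def error_propagation_table(i: int = 2) -> dict:
    """Blocks garbled per mode when ciphertext block i is corrupted."""
    return {m: blocks_lost_after_error(m, KEY, IV, PLAINTEXT, i)
            for m in ("ECB", "CBC", "CFB", "OFB")}

if __name__ == "__main__":
    for mode, lost in error_propagation_table().items():
        print(f"{mode}: {lost} plaintext block(s) garbled by one bad ciphertext block")
```

Corrupting a middle block gives 1 garbled block for ECB and OFB and 2 for CBC and CFB; corrupting the last block gives 1 in every mode, since there is no following block to inherit the bad feedback.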