ECE579S Computer & Network Security
Professor Richard A. Stanley, P.E.
Spring 2011
© 2000-2011, Richard A. Stanley, WPI, ECE579S/1

Overview of Tonight’s Class
• Administration
• Is computer security a problem, or just an interesting topic?
• What is different between computer security and network security?
• Computer security objectives and approaches

Organizational Details
• Prof. Stanley contact information
  – Office: Atwater-Kent 303, but rarely there
  – Hours: by appointment, preferably after class
  – Phone: (508) 269-6482
  – Email: [email protected]

Administrivia
• Class will normally meet 8:00 AM – 1:00 PM every Friday here. Please be on time.
• We will hold 8 classes; cancellations will be announced in advance (except weather)
• Breaks as needed
• If class is cancelled for bad weather, you should receive notice. Double-check with the ECE Dept. (5231) or with me if in doubt.

Recall
• We need to set up a way for notification of cancelled/late classes
• Please put the following information on the sheet going around:
  – Name
  – Email
  – Telephone
• Volunteer to be at the top of the list?

Course Text
• Computer Security Handbook, 5th Edition, by Bosworth, et al. ISBN is 9780471716525. To be published 09 Feb 09 by Wiley.
• Additional material will be in the form of handouts

Course Web Page
• http://ece.wpi.edu//courses/ee579sw/ECE579S/
• Slides will be posted to the page before class, barring any unfortunate problems

Policies
• Homework is due at the class following the one in which it is assigned.
It will be accepted, with a one-grade penalty, up to the second class after the one in which it is assigned, but not after that, except in truly emergency situations. By definition, emergencies do not occur regularly.
• There is a difference between working in teams and submitting the same work. If work is a team product, it must be clearly labeled as such.

Elements of the Course
• Assignments: There will be weekly assignments, which will be graded
• Presentation: At the end of the course, student teams will present a report prepared on a cryptography-related subject. The presentation should be well-prepared and should give an overview of a special topic in cryptography (e.g. eCash, wireless security, SSL, biometric authentication systems etc.).
• Examinations: There will be two written examinations that will cover all topics discussed in class. The questions will range from mild to hard.

Research Projects
• Teams of 3-5 individuals per project
• Research an information assurance-related topic
• Prepare a report on the research
• Present findings
  – Note: a presentation is not the report copied into PowerPoint

Grading
• Grade components
  – Course exams (35%)
  – Homework (20%)
  – Class participation (10%)
  – Course project (35%)

My Peculiarities
• I am not a word-counter. When given, word counts are for general guidance only.
• Bad news doesn’t improve with age. If there are problems, let’s deal with them as soon as they arise.
• Expect to find ties to historical events in class – not a bad idea to use those for hints as to how some problems develop and expand.
Getting to Know You
• My interest and experience in this area
• Your interests and expertise in this area
  – Cryptography?
  – Networking?
• Where we might go with this course
• What you would like from the course

Computer Security versus Network Security

Computer security involves preventing, detecting, and responding to unauthorized actions on a computer system. Network security means the same thing for a group of networked computers. Information Assurance covers all the things we do to protect information from unauthorized disclosure and exploitation.

Chicken vs. Egg?
To understand network security, you must first understand computer security. There is no “easy” way around this. To practice information assurance, you need to know both computer and network security, as well as quite a lot of other topics, which we will cover. We are going to find that this subject crosses many boundaries of skills and “jurisdiction.” This can be both an opportunity and a curse.

One View
[Diagram: overlapping regions labeled IA, Network Security, Computer Security and WWW Security]

Computer Security: What’s the Big Deal?
• Not a new problem
• Not just a creation of the press
• Not just for rocket scientists
• As professionals, failure to understand and implement appropriate security can come back to haunt you in terms of liability and reputation
Points to Ponder
• Majority of businesses reported attacks against their networks in 2007
  – Almost 20% of these were targeted
• Average financial losses over $350,000 per organization, highest in last five years
• Financial fraud displaced viruses as the first-place problem
Source: "Issues and Trends: 2007 CSI/FBI Computer Crime and Security Survey"

Recent Events
• WikiLeaks
  – Is this a computer security problem?
• Denial of Service attacks
  – Both from WikiLeaks supporters and totally unrelated
• …and?

Virtual Warfare
“Cyberspace is another domain in which the U.S. military may face rapidly growing risk. Information technology (IT) permeates every aspect of its operations, from logistics and command and control to targeting and guidance. As the dependence on IT has grown, so, too, has vulnerability to disruptions, especially disruptions of battle networks linking U.S. forces.”
Andrew J. Krepinevich, Jr., “The Pentagon’s Wasting Assets,” Foreign Affairs Vol. 88, No. 4 (July/August 2009), p. 25.

It Isn’t Getting Better
• Security surveys show a clear trend in security problems: UPWARDS
• Nature of attacks constantly changing
• Evidence of nation-state participation
• Who among you has not seen or heard at least one computer security news story in the past month?

An Object Lesson
Willie Sutton, 1901-1980. Bank Robber.
Q: “Why do you rob banks, Willie?”
A: “Because that’s where the money is!”
This quote is probably the best-known criminal quote around. One problem: Willie never said it. BUT... He said “I probably would have said it if anyone had asked me.”

Where’s The Money?
• Historically, money was something held to have intrinsic value (e.g., gold, silver)
• Paper money, until recently, was merely a promise to pay in gold or silver
• So, money really was in the banks
• Money today is merely a unit of information
• ... And it is kept in computers!

The “Willie Factor”
• Computer crime exists because computers are the repositories of things of value
  – Money
    • This is a common target in industrial attacks
  – Information that is valuable or can be made so
    • This is especially true in government networks, most particularly in defense-related networks
• Thieves look for low-hanging fruit

A Dilemma
• Security is something most users want, but that most know little about
• Security gets in the way of using the computer system
• The tighter the security, the harder the system is to use, and the more likely it is that the users will bypass security measures

Is A Secure Computer Possible?

The Totally Secure System
• Is relatively simple to build
• Is useless for any practical purposes
Our job is to learn how to design computer systems to provide the necessary level of security without going overboard.

Why Isn’t This Topic More Theoretical?
In theory, there is no difference between theory and practice. In practice, there is.
Yogi Berra

Why Is A Proof Elusive?
• A secure system must be secure under all conditions of operation
• This, in turn, demands proof that there is no condition under which it could operate that is insecure, i.e. the negative proposition.
• But, formal logic teaches us it is impossible to prove a negative
• Q.E.D.
That Said...
• We will define a secure computer
• We will learn how to create a secure computer
• If it is useless, why?
  – If it can’t exist, we will never know how close we are to achieving security
  – It is a goal towards which we must work

Consider the Automobile
• A perfectly safe automobile does not exist, and cannot exist
• However, we still strive to build safer autos
  – This is a legitimate engineering pursuit
  – It is socially irresponsible to do otherwise
  – Much of the effort is based on approaching an unachievable goal

Responsibilities
• Customers expect “reasonably secure” handling of their sensitive data
• The Devil is in the details
  – What is “reasonable?”
  – What is “secure?”
  – What data is “sensitive?”
  – When is it your responsibility?

What’s the Problem?
• Financial liability
  – Due diligence
  – Simple negligence
  – Gross negligence
• Goodwill
• One bad press release cancels 1000 attaboys
This is a “you bet your business” issue

A Curious Property of Information
• Information is the only thing that can be stolen and still leave the owner in possession of it
• This poses some serious problems, which the course will address

Security Aspects
• Confidentiality
• Integrity
• Availability
• Accountability
• Nonrepudiation
• Risk management
• Reliability and safety
Security is a multidisciplinary problem

Problem is Multidisciplinary
• Engineering
• Computer science
• Sociology
• Economics
• Law and ethics
• Management
• and ...

Role of Technology
• Technology is a useful tool, not a panacea.
• A clear policy, evenly enforced, is the most critical element of success.
• Don’t ignore the fundamentals.
  – Many computers have been compromised by not revoking a former employee’s password
  – Most of the threat comes from within
  – The problem is not just maliciousness

Security Objectives
[Diagram: the A–I–C triad of Availability, Integrity and Confidentiality]
Protect, detect and recover from insecurities

Data vs. Information
• Data represents information
• Information is the interpretation of data
This is not as obvious as it appears on the surface!

So What?
• Protecting the data may not protect the information
• It is possible to create information from a wide variety of data sources
  – e.g. Wehrmacht order of battle pre-1939
• The problem is more complex than just putting an armed guard at the door

Biggest Problem?
Learning to Think Like a Crook!

One View: Security = Asset protection
[Diagram: Risk Analysis, Protect, Detect, Correct, Manage]

Manage
• Policy
• Real-time
• Audit performance of safeguards

Another View: Focus of Control
[Diagram: User (Subject), Policy, Protection, Resource (Object), between the Applications and Hardware layers]
Should protection focus on data, operations, or users?

Man-Machine Scale
[Diagram: layers from Applications through Services, OS and OS kernel down to Hardware]
In which layer(s) should security be implemented?
Controls
• Centralized
  – Simple to conceive and implement
  – Bottleneck
• Decentralized
  – May be more efficient
  – Difficult to implement and maintain
Where to put security tasks and enforcement?

The Security Perimeter
• How to keep attackers out of the “layer below” where security is implemented?
  – Recovery tools
  – Devices
  – Memory release
  – Backup
  – Memory dumps

One More Time
Computer security involves preventing, detecting, and responding to unauthorized actions on a computer system. Network security means the same thing for a group of networked computers.

Why Networks Matter
• If computers cannot be secured individually, the network cannot be secure
• Networking makes the most individually secure computer on the network only as secure as the least individually secure computer on the network.
• Networking offers new vulnerabilities
• Speed of mischief increases exponentially

And Most Especially...
• Mobile code is a basic staple of the Internet, and other networks as well
  – This is a wholly new paradigm
• Users are not usually aware of mobile code
• Novelty and convenience trump security every time

Analogy
• One can easily define the security perimeter of a single computer. You can probably even literally “put your arms around it.”
• One cannot easily define the perimeter of a group of networked computers, except under a set of trivial conditions that are meaningless in practice.
• So, where to put the security? And HOW to make it happen?

Network Primer
Networks
• A network is an interconnected group of communicating devices.
• Two primary network types
  – Circuit-switched (connection oriented)
  – Packet-switched (connectionless)
• Span
  – WAN, MAN, LAN
  – So what? Nothing magic about the name.

Data Networks
• Almost exclusively packet switched
  – Higher efficiency than circuit-switched
  – Computationally intensive to provide
  – Packet loss rate is often very high
    • Largely due to collisions rather than circuit faults
  – Require extensive protocols to operate
    • X.25
    • IP

Network Topology
• The topology of a network is a view of its interconnections, as they would be seen by an observer looking down from great height
• Topology is important because it has implications for security
• Three major topologies:
  – star
  – buss
  – ring

Star Topology
[Diagram] The orange lines depict one star -- this slide actually shows a star-star architecture.

Buss Topology
[Diagram] In a buss topology, all signals pass by all terminals

Ring Topology
[Diagram] A ring is simply a buss with the ends connected to one another.

How To Get There?
• Every destination on the network must have an address, just as every postal destination must have an address
  – Addresses must be unique
  – Network must know how to recognize address
  – Various addressing schema, e.g.
    • Ethernet
    • IP
Two Network Technologies
• Token ring
  – Users remain silent until they receive token
  – Pioneered by IBM, not widely used
• Ethernet
  – Carrier-sense, multiple access/collision detect
  – Binary exponential backoff on collision sense
  – This is a radio network! Another vulnerability
  – Most widely used architecture today, largely because it is less expensive than token ring

Other Network Technologies
• Fiber Distributed Data Interface (FDDI)
  – Self-healing, 100 Mbps dual ring
• Frame relay
  – Packet data service, built on X.25
• Synchronous Optical Network (SONET)
• Asynchronous Transfer Mode (ATM)
  – Can operate at gigabit speeds
    • 53 byte packets; 5 of the bytes are overhead
These are of interest in networking, but not security per se; they will not be discussed further in this course

Topology Misconceptions
• The physical interconnection of network elements does not necessarily reflect the logical network topology
  – Ethernet is logically a buss architecture
  – Ethernet, connected using hubs, uses a physical star interconnection
  – Ethernet, connected using coaxial cable, uses a physical buss interconnection

Some Network Security Issues
• Users not necessarily registered at the node they are accessing
  – How to authenticate users?
  – What is the basis for access control decisions?
• Some options:
  – User ID
  – User address
  – Service being invoked
  – Cryptographic-based solutions

Ethernet Misconceptions
• IEEE 802.3 = Ethernet
  – Nope! Pure Ethernet is 802.2
• All Ethernets are created equal
  – Vendor implementation issues
• The faster the network speed, the faster I can work
  – Signaling speed ≠ data throughput
• Ethernet maps to the internet
CSMA/CD Throughput
[Graph: throughput versus number of users; axis labels Signaling speed, ~40%, Throughput, Users]

Ethernet Addresses
• 48 bits long
• Address space managed by the IEEE
• Formerly fixed in hardware at time of manufacture, but increasingly in EEPROM
• Hardware must recognize at least its own physical address and the network multicast address, and possibly alternate addresses

Ethernet Frame
[Diagram of the frame layout]
NOTE: The proper term in this context for groups of 8 bits is an octet, not a byte.

Network Size
• Networks cannot grow to be arbitrarily large
  – Address space
  – Physical interconnection limitations
  – Increasing collisions as users increase
  – Protocol/OS/machine incompatibilities
• So, how to extend the ability to interconnect an arbitrarily large number of computers?

The ARPANET
• Father of the Internet; first elements in 1969
• Began as an attempt to conduct and share research to ensure continuity of communications after nuclear war, so
  – Connectionless
  – Assured delivery
  – Self-reconfiguring (sort of)
• Demonstrated feasibility of internetworking disparate computer networks and machines

Internetworking
• Internetworking is the interconnection of networks
• The Internet is an internetwork; all internetworks are not the Internet
• Very few modern networks exist in isolation; most are internetworked
• This has important security and legal implications
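The Ethernet slides make two points a practitioner can check in code: a 48-bit address carries flag bits that distinguish group (multicast) addresses, which every interface must recognize alongside its own, from locally administered ones, which were not burned in by the manufacturer and so deserve a second look when an inventory expects factory addresses; and collision recovery uses truncated binary exponential backoff. The following Python is an added example written for this page, not code from the slides or the course. The sample addresses are constructed, and the attempt limit (16) and backoff ceiling (10 doublings) are the classic Ethernet parameters assumed here.

```python
# Added example (not from the lecture slides): 48-bit Ethernet address
# parsing with the I/G and U/L flag bits, plus the slot-count range for
# truncated binary exponential backoff. Sample addresses are constructed.
import random

MAC_BITS = 48
BROADCAST = (1 << MAC_BITS) - 1


def parse_mac(text: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' (or dash-separated) into a 48-bit integer."""
    parts = text.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"expected 6 octets, got {len(parts)}: {text!r}")
    value = 0
    for part in parts:
        octet = int(part, 16)
        if not 0 <= octet <= 0xFF:
            raise ValueError(f"octet out of range: {part!r}")
        value = (value << 8) | octet
    return value


def describe_mac(text: str) -> dict:
    """Classify an address by the two flag bits of its first octet.

    Bit 0 (I/G) set  => group/multicast address, which the hardware must
                        recognize in addition to its own unicast address.
    Bit 1 (U/L) set  => locally administered, i.e. programmed rather than
                        assigned from the manufacturer's IEEE OUI block.
    """
    value = parse_mac(text)
    first_octet = value >> 40
    return {
        "multicast": bool(first_octet & 0x01),
        "locally_administered": bool(first_octet & 0x02),
        "broadcast": value == BROADCAST,
        "oui": f"{value >> 24:06X}",      # upper 24 bits, IEEE-assigned block
    }


def backoff_slots(collisions: int, max_attempts: int = 16, ceiling: int = 10):
    """Size of the slot range a station draws from after the n-th collision.

    Truncated binary exponential backoff: the wait is K slot times with K
    uniform in 0 .. 2**min(n, ceiling) - 1. After max_attempts collisions
    the frame is given up on, signalled here by returning None.
    """
    if collisions < 1:
        raise ValueError("collisions must be >= 1")
    if collisions > max_attempts:
        return None
    return 2 ** min(collisions, ceiling)


def choose_backoff(collisions: int, rng=random) -> int:
    """Draw one backoff value K for a station that has just collided."""
    slots = backoff_slots(collisions)
    if slots is None:
        raise RuntimeError("excessive collisions: frame dropped")
    return rng.randrange(slots)


if __name__ == "__main__":
    for sample in ("00:1a:2b:3c:4d:5e", "01:00:5e:00:00:01", "02:42:ac:11:00:02"):
        print(sample, describe_mac(sample))
    for n in (1, 2, 3, 10, 11, 16):
        print(f"after collision {n}: K in 0..{backoff_slots(n) - 1}")
```

The I/G and U/L bits live in the first octet transmitted, so the classification needs nothing beyond the first two hex digits; the OUI lookup against the IEEE registry is left to the reader because the registry is not on this page.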
Internetworking Concepts
• Networks are interconnected by routers or gateways
  – More about this later in the course
• Routers route a packet using the destination network address, not the destination host address
  – Analogous to the world postal system and how letters are routed

Internetwork Architecture
[Diagram: Net 1 -- R -- Net 2]

Extended Internetworking
[Diagram: Net 1 -- R -- Net 2 -- R -- Net 3]
Clearly, this can be extended ad infinitum, to form very large internetworks.

Some Terms
• TCP = transmission control protocol
• IP = internet protocol
• These protocols have become widely used outside the formally-defined Internet
• They have some serious flaws, but they work
  – They were not planned to have/need security

Class-Based IP Addressing
[Diagram of the class-based address formats]

Class Discrimination
• Address space is 32 bits long (IPv4)
  – Therefore, at most 2^32 possible addresses (or 4,294,967,296 in decimal notation)
• Easy to extract netid from address
• There is not a one-to-one correspondence between IP addresses and physical devices
  – Consider the router
• Address with hostid=0 refers to network

IP Addressing Weaknesses
• If a host moves to another network, its IP address must change
• If a network grows beyond its class size (B or C), it must get a new address of the next larger size
• Because routing is by IP address, the path taken by packets to a multiple-addressed host depends on the address used

IP Address Presentation
• Usually done in dotted decimal, e.g., 10000000 00001010 00000010 00011110 is usually written as 128.10.2.30
• What class of network address is this?
• As you see, each notation has its uses

Consider This Address
• 256.75.301.116
• What type of network is represented by this address?
• Why?
  – In dotted decimal, no number can exceed 255, as that is the value of 2^8 - 1

Address Limits
Class   Lowest Address   Highest Address
A       0.1.0.0          126.0.0.0
B       128.0.0.0        191.255.0.0
C       192.0.1.0        223.255.255.0
D       224.0.0.0        239.255.255.255
E       240.0.0.0        247.255.255.255

Classless Routing
• Class-based routing has limitations, as you can readily see
• This has led to the development of Classless Inter-Domain Routing, or CIDR, e.g. 178.201.0.0/24
• In today’s documents, addresses are usually stated in CIDR format

Reserved Addresses
• First quad = 127 is used for loopback
  – Traffic doesn’t leave the computer
  – Routed to the IP input queue
  – Usually see 127.0.0.1
• Unregistered addresses
  – Class A: 10.0.0.0 thru 10.255.255.255
  – Class B: 172.16.0.0 thru 172.31.255.255
  – Class C: 192.168.0.0 thru 192.168.255.255

The Future of IP
• IPv4 has shortcomings that are becoming important for modern networking
• The IETF’s solution is a new version of IP, Version 6, written as IPv6
  – Increased address space (128 vs.
32 bits)
  – Support for network autoconfiguration
  – Better support for routing
  – Better security support

IPv6 Issues
• It is not backwards compatible with IPv4
  – Given the change in address space alone, how could it be?
  – Requires translator to go v4 to v6, and vice versa
• Huge investment in installed IPv4 militates against rapid changeover
  – But the Defense Department is going there now
• Network address translation (NAT) helps reduce need for new address space
• Some services, like IPSec, now available for IPv4
• Bottom line: changeover not likely to be quick except in defense applications

Ports and Sockets
• Ports are associated with services, e.g.,
  – Port 53 is usually the domain name service (DNS)
  – Port 80 is usually the hypertext transfer protocol service
• A socket is the combination of an IP address and a port, e.g. 192.168.2.45:80
• Sockets enable multiple simultaneous services to run on a single address

Address Registration
• Internet Corporation for Assigned Names and Numbers (ICANN) handles:
  – IP address space allocation
  – protocol parameter assignment
  – domain name system management
  – root server system management functions
• Only essential to register addresses that appear on the global network, but registration is preferred

Routing

Protocols
• A protocol is simply an agreed-upon exchange of information required to perform a given task
  – IP is a protocol
  – So is TCP
• Networks utilize protocols to accomplish all the important tasks they perform
• Layered protocols are common

ISO Protocol Model
[Diagram of the ISO layered model]
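The IP addressing slides (Class Discrimination, IP Address Presentation, Consider This Address, Address Limits, Classless Routing, Reserved Addresses, Ports and Sockets) describe rules that are easy to get subtly wrong by hand: the class is read off the leading bits, not the first decimal quad as a whole; no quad may exceed 255; routers match on the netid, and a CIDR prefix generalizes the class boundary. The Python below is an added example for this page, not code from the slides or the course; it implements those rules directly rather than calling a library, so each step is visible. The loopback and private blocks are the slide's, expressed as CIDR prefixes; the sample addresses other than the slide's 128.10.2.30 and 256.75.301.116 are constructed.

```python
# Added example (not from the lecture slides): class-based and classless
# IPv4 address handling written out from first principles. Sample addresses
# other than the slides' 128.10.2.30 and 256.75.301.116 are constructed.


def parse_dotted(text: str) -> int:
    """Dotted decimal -> 32-bit integer, rejecting any quad above 2**8 - 1
    (so the slide's 256.75.301.116 is refused)."""
    quads = text.split(".")
    if len(quads) != 4:
        raise ValueError(f"need exactly 4 quads: {text!r}")
    value = 0
    for q in quads:
        if not q.isdigit():
            raise ValueError(f"non-numeric quad {q!r} in {text!r}")
        n = int(q)
        if n > 255:
            raise ValueError(f"quad {n} exceeds 255 in {text!r}")
        value = (value << 8) | n
    return value


def to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(text: str) -> str:
    """Dotted decimal -> the four 8-bit groups shown on the slide."""
    v = parse_dotted(text)
    return " ".join(f"{(v >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def address_class(text: str) -> str:
    """Class is decided by the leading bits: 0->A, 10->B, 110->C, 1110->D, 1111->E."""
    top = parse_dotted(text) >> 28          # four most significant bits
    if top & 0b1000 == 0:
        return "A"
    if top & 0b1100 == 0b1000:
        return "B"
    if top & 0b1110 == 0b1100:
        return "C"
    if top == 0b1110:
        return "D"
    return "E"


NETID_BITS = {"A": 8, "B": 16, "C": 24}


def split_netid_hostid(text: str):
    """(netid, hostid) for a class A/B/C address; routers forward on netid alone."""
    cls = address_class(text)
    if cls not in NETID_BITS:
        raise ValueError(f"class {cls} addresses have no netid/hostid split")
    v = parse_dotted(text)
    host_bits = 32 - NETID_BITS[cls]
    return v >> host_bits, v & ((1 << host_bits) - 1)


def in_cidr(text: str, cidr: str) -> bool:
    """Classless membership test, e.g. in_cidr('178.201.0.9', '178.201.0.0/24')."""
    net_text, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length in {cidr!r}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return parse_dotted(text) & mask == parse_dotted(net_text) & mask


# The "Reserved Addresses" slide, as prefixes.
LOOPBACK = "127.0.0.0/8"
PRIVATE = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def reserved_status(text: str) -> str:
    """'loopback', 'private' (unregistered) or 'public'."""
    if in_cidr(text, LOOPBACK):
        return "loopback"
    if any(in_cidr(text, block) for block in PRIVATE):
        return "private"
    return "public"


def split_socket(text: str):
    """'192.168.2.45:80' -> ('192.168.2.45', 80): one service on one address."""
    addr, _, port_text = text.rpartition(":")
    port = int(port_text)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    parse_dotted(addr)                      # validate the address part too
    return addr, port


if __name__ == "__main__":
    print(to_binary("128.10.2.30"), "is class", address_class("128.10.2.30"))
    print("netid/hostid:", split_netid_hostid("128.10.2.30"))
    print("172.31.9.9 is", reserved_status("172.31.9.9"))
```

Note that reserved_status checks the loopback block before the class logic ever runs: 127.0.0.1 has a leading 0 bit and would otherwise be reported as an ordinary class A host, which is exactly the kind of mistake the slide's "Reserved Addresses" list exists to prevent.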
Protocol Layering
• Refers to a protocol running on top of another protocol
• Layered protocols are designed so that layer n at the destination receives exactly the same object sent by layer n at the source

TCP/IP Layering Model
Application         Application-specific messages/streams
Transport           TCP packets
Internet            IP datagrams
Network Interface   Ethernet/Token Ring
Hardware

Some Common Protocols
• ARP maps IP addresses to physical addresses
• RARP determines IP address at startup
• IP provides for assured connectionless datagram delivery
• ICMP handles error and control messages
• UDP defines user datagrams (no assurance of delivery)
• IKE handles crypto key management functions
• TCP provides reliable stream transport

How Protocol Layering Works
[Diagram]

Protocol Layering & Internet
[Diagram]

Important Boundaries
[Diagram]

TCP
• Assumes little about underlying network
• Reliable delivery characteristics:
  – Stream orientation
  – Virtual circuit connection
  – Buffered transfer
  – Unstructured stream
  – Full duplex connection

Positive Acknowledgement
[Diagram]

Positive Acknowledgement With Lost Packet
[Diagram]

Sliding Window
[Diagram]

Positive ACK With Sliding Window
[Diagram]
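The Protocol Layering and TCP/IP Layering Model slides say that layer n at the destination receives exactly the object layer n at the source handed down. The added Python below makes that concrete by encapsulating an application message in a UDP-style transport header, a real 20-byte IPv4 header (with the standard Internet one's-complement header checksum), and an Ethernet-style frame, then peeling the layers off in reverse. It is an example written for this page, not code from the slides or the course; the addresses, ports and message are constructed, and the transport header is a simplified UDP layout with its checksum left at zero.

```python
# Added example (not from the lecture slides): protocol layering as
# encapsulation and decapsulation. The IPv4 header layout and checksum are
# the real ones; the transport header is a simplified UDP layout; addresses,
# ports and the message are constructed sample values.
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17


def ip_to_bytes(text: str) -> bytes:
    return bytes(int(q) for q in text.split("."))


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum: 16-bit one's-complement sum, then complemented.
    A header carrying a correct checksum sums to 0 under this function."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                     # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def wrap_transport(payload: bytes, src_port: int, dst_port: int) -> bytes:
    """UDP-style header: src port, dst port, length, checksum (left 0)."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def wrap_ip(segment: bytes, src: str, dst: str, proto: int = PROTO_UDP) -> bytes:
    total_len = 20 + len(segment)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45,             # version 4, header length 5 words
                         0, total_len,     # TOS, total length
                         0, 0,             # identification, flags/fragment offset
                         64, proto,        # TTL, protocol
                         0,                # checksum placeholder
                         ip_to_bytes(src), ip_to_bytes(dst))
    checksum = ones_complement_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + segment


def wrap_ethernet(datagram: bytes, src_mac: bytes, dst_mac: bytes) -> bytes:
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + datagram


def unwrap_ethernet(frame: bytes) -> bytes:
    ethertype, = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unexpected ethertype {ethertype:#06x}")
    return frame[14:]


def unwrap_ip(datagram: bytes) -> bytes:
    ihl = (datagram[0] & 0x0F) * 4
    header = datagram[:ihl]
    if ones_complement_checksum(header) != 0:
        raise ValueError("IP header checksum mismatch")
    total_len, = struct.unpack("!H", datagram[2:4])
    return datagram[ihl:total_len]


def unwrap_transport(segment: bytes) -> bytes:
    _, _, length, _ = struct.unpack("!HHHH", segment[:8])
    return segment[8:length]


def send(message: bytes) -> bytes:
    """Sender: application -> transport -> internet -> network interface."""
    segment = wrap_transport(message, 40000, 53)
    datagram = wrap_ip(segment, "192.168.2.45", "192.168.2.1")
    return wrap_ethernet(datagram,
                         bytes.fromhex("001a2b3c4d5e"),   # constructed src MAC
                         bytes.fromhex("001a2b3c4d01"))   # constructed dst MAC


def receive(frame: bytes) -> bytes:
    """Receiver: strip the layers in reverse order; the application layer
    gets back exactly the bytes the sending application handed down."""
    return unwrap_transport(unwrap_ip(unwrap_ethernet(frame)))


if __name__ == "__main__":
    msg = b"constructed query"
    frame = send(msg)
    print(len(frame), "bytes on the wire, payload recovered:", receive(frame) == msg)
```

The header checksum is the only integrity check in this stack, and it covers the IP header alone, not the payload; flipping one bit in the TTL is caught, but flipping a bit in the message is not. That gap is the reason the later slides turn to cryptography for integrity.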
TCP
• A communications protocol, NOT a piece of software
• Provides
  – Data format
  – Data acknowledgement for reliable transfer
  – How to distinguish multiple destinations
  – How to set up and break down a session
• Very complex

Conceptual TCP Layering
[Diagram]

Internet Round Trip Delays
[Graph] This data is old, but still meaningful if you ignore the absolute values of the delays.

Delays
• Cannot be avoided or predicted (except statistically)
  – Packet delivery times will vary
  – Many packets will simply be lost
• So, as a network designer...
  – How long do you wait to assume nondelivery?
  – How do you slide the window?
  – How do you back off on collision detect?
  – How do you respond to congestion?
  – …etc.

Establishing a TCP Session
[Diagram]

Ending a TCP Session
[Diagram] This implies that a TCP session could be left “half open.” That is true.

TCP State Machine
[Diagram]

Other Network Protocols
• NetBIOS
• NetBEUI
• IPX
• X.25
• ATM
Message: TCP/IP is not the only show in town BUT...it is the most popular show in town

Network Facts
• Most computers today are connected to a network (consider the Internet), at least for part of the time they are in operation
• Most local networks are internetworked
• How to provide authenticity, integrity, confidentiality, availability?
• Cryptography can help provide all the security services except availability
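The Positive Acknowledgement, Sliding Window and Delays slides pose the designer's questions (how long to wait before assuming nondelivery, how to slide the window) without showing the mechanism running. The Python below is an added simulation written for this page, not code from the slides or the course: a sender keeps up to `window` segments outstanding, the receiver returns cumulative acknowledgements and buffers out-of-order arrivals, and a constructed channel drops chosen transmission attempts so that a retransmission timer has to fire. The window size, timeout (in ticks) and the drop pattern are assumptions chosen to exercise the lost-packet case.

```python
# Added example (not from the lecture slides): positive acknowledgement with
# a sliding window over a lossy channel. The channel, window, timeout and
# drop pattern are constructed to show a retransmission after a lost packet.


class LossyChannel:
    """Constructed channel: the (1-based) transmission attempts listed in
    drop_attempts never reach the receiver."""

    def __init__(self, drop_attempts):
        self.drop_attempts = set(drop_attempts)
        self.attempts = 0
        self.log = []

    def deliver(self, seq, data):
        self.attempts += 1
        if self.attempts in self.drop_attempts:
            self.log.append(f"DROP seq={seq}")
            return None
        self.log.append(f"OK   seq={seq}")
        return (seq, data)


class Receiver:
    """Accepts in-order segments, buffers out-of-order ones inside the
    window, and always acknowledges the next sequence number it expects."""

    def __init__(self, window):
        self.expected = 0
        self.window = window
        self.buffer = {}
        self.stream = []

    def accept(self, seq, data):
        if self.expected <= seq < self.expected + self.window:
            self.buffer[seq] = data
            while self.expected in self.buffer:       # slide forward
                self.stream.append(self.buffer.pop(self.expected))
                self.expected += 1
        return self.expected                          # cumulative ACK


def transfer(segments, window=3, drop_attempts=(), timeout=2):
    """Deliver segments reliably; return (received_stream, channel_log)."""
    channel = LossyChannel(drop_attempts)
    receiver = Receiver(window)
    base = 0                  # oldest unacknowledged sequence number
    next_seq = 0              # next new segment to send
    timers = {}               # seq -> ticks since its last (re)transmission
    while base < len(segments):
        # Fill the window with new segments.
        while next_seq < base + window and next_seq < len(segments):
            result = channel.deliver(next_seq, segments[next_seq])
            timers[next_seq] = 0
            if result is not None:
                base = max(base, receiver.accept(*result))
            next_seq += 1
        # One clock tick: retire acknowledged timers, age the rest,
        # retransmit anything whose timer has expired.
        for seq in list(timers):
            if seq < base:
                timers.pop(seq)
                continue
            timers[seq] += 1
            if timers[seq] >= timeout:
                result = channel.deliver(seq, segments[seq])
                timers[seq] = 0
                if result is not None:
                    base = max(base, receiver.accept(*result))
    return receiver.stream, channel.log


if __name__ == "__main__":
    stream, log = transfer(list("abcde"), window=3, drop_attempts={2})
    print("received:", "".join(stream))
    print("\n".join(log))
```

With the second transmission dropped, segment 1 is missing while segments 2 and 3 arrive and are held; the cumulative ACK stays at 1 until the timer fires, the retransmission arrives, and the receiver releases the three buffered segments at once. The receiver's window also matters for robustness: a segment outside the window is discarded rather than buffered, which bounds the memory an unacknowledged or half-open session can consume.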
Network Summary--1
• Security is a real need in real systems
• Defense systems are particularly attractive targets
• The issues involved cross the disciplines of computer science, engineering, and management
• Several models can be visualized for the security mechanisms

Network Summary--2
• Networks and internetworking have become ubiquitous
• Networking allows interconnection of computers without much concern for the local OS or machine architecture
• Networking raises many serious security issues, which must be solved for networks to be useful in modern business settings
• The pace of network security problem development far exceeds the pace of their solution

Cryptography Primer

Overview of the Cryptology Field
[Diagram]

Types of Cryptosystems
• Symmetric key
  – Since times B.C.E. to today
  – Also called private key, which has become confusing
• Asymmetric key
  – Invented in 1976
  – Also called public key systems
• Hybrid Systems

The Players
• Alice: commonly used to denote the sender of cryptographic traffic
• Bob: commonly used to indicate the recipient of that traffic
• Eve: an eavesdropper
• Oscar: a generalized “bad guy”

Symmetric Key Cryptosystems
• Problem Statement: Alice and Bob want to communicate over an insecure channel (e.g., computer network, satellite link). They want to prevent Oscar (the bad guy) from listening.
• Solution: Use a private-key cryptosystem (these have been around since ancient times) such that if Oscar reads the encrypted version y of the message x over the unsecured channel, he will not be able to understand its content, because the real message is x, not y.

#122 Symmetric Key Cryptography
(Figure: Alice’s message passes from Alice to Bob; each end holds the shared private key.)

#123 Enigma
Perhaps the most famous cipher machine in history. This is an early model. Later test versions had as many as five rotors. Standard Kriegsmarine machines had four rotors after about 1943. Enigma was a tactical machine, designed for battlefield use. Even today, Enigma would provide excellent security… IF no errors occurred on the part of the operators.

#124 Sigaba
Similar in theory to Enigma. Designed for strategic (fixed station) use; note the direct punching of teletypewriter paper tape for transmission.

#125 Symmetric Key Cryptosystems

#126 Definitions

#127 Kerckhoffs’ Principle
• Secrecy must reside solely in the key
  – It is assumed that the attacker knows the complete details of the cryptographic algorithm and implementation
• A. Kerckhoffs was a 19th century Dutch cryptographer
• Ergo, security by obscurity doesn’t work!

#128 Enigma and Sigaba
• Illustrate the validity of Kerckhoffs’ principle
• Even when cryptanalysts were armed with a nearly perfect replication of the Enigma logic, brute-force keyspace search was useless for providing practical results
• The key needed to be discovered!
#129 Simple Block Ciphers

#130 Other Crypto Systems
• Substitution ciphers
  – Most famous is the Caesar cipher: monoalphabetic substitution with offset = 3
  – Transposition ciphers in this group
  – Children’s decoders usually in this category
• Book ciphers
• Codebooks

#131 Problem Areas
• Languages have well-known statistics
  – E.g., “e” is the most common letter in English
  – This can be exploited for cryptanalysis
  – Thus, substitution ciphers are not very secure
  – Similar problems plague book ciphers, etc.
• The only way to achieve true security is to make the ciphertext appear as random as possible

#132 Modern Cryptography Uses Electronic Digital Systems
• Advantages:
  – Speed
  – Accuracy
  – Ability to use complex mathematics
• Disadvantages
  – Complex equipment
  – Electronic vulnerabilities
  – Key management

#133 Symmetric Ciphers
• Same code at each end
• Important that message length < cipher length
• Billions of combinations possible
• Codes changed frequently
• Each circuit requires a code pair

#134 Cipher Example (Mauborgne/Vernam)
Encipher:
  Plain:   001 010 011 100
  +key:    111 011 010 101
  Cipher:  110 001 001 001
Decipher:
  Cipher:  110 001 001 001
  +key:    111 011 010 101
  Plain:   001 010 011 100
The ciphertext is simply the plain text added to the key, modulo 2. This is a reversible process, as seen above.

#135 How to Achieve Good Cryptography?
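The Vernam example on slide #134, carried out in Python as an added example (not code from the lecture): one XOR routine both enciphers and deciphers, and the last function shows the caveat that makes a reused key pad worthless, which is the sense in which Vernam "by itself" is insecure. Function names are my own.

```python
# Added example, not from the lecture slides. Works through the
# Mauborgne/Vernam example on the slide (3-bit groups) and shows that
# adding the key modulo 2 (XOR) is its own inverse.

def vernam(groups, key_groups):
    """Add each plaintext group to the matching key group modulo 2 (XOR).
    Since x ^ k ^ k == x, this one function both enciphers and deciphers."""
    if len(key_groups) < len(groups):
        raise ValueError("Vernam key must be at least as long as the message")
    return [p ^ k for p, k in zip(groups, key_groups)]


def as_bits(groups, width=3):
    """Render integer groups the way the slide prints them: '110 001 001 001'."""
    return " ".join(format(g, f"0{width}b") for g in groups)


# The slide's worked example, each 3-bit group written as an integer.
PLAIN = [0b001, 0b010, 0b011, 0b100]
KEY = [0b111, 0b011, 0b010, 0b101]


def slide_example():
    """Return (ciphertext, recovered plaintext) as bit strings."""
    cipher = vernam(PLAIN, KEY)        # slide: 110 001 001 001
    recovered = vernam(cipher, KEY)    # slide: 001 010 011 100
    return as_bits(cipher), as_bits(recovered)


def key_reuse_cancels_key(plain_a, plain_b, key):
    """Why the key pad must never be reused: if one key enciphers two
    messages, XOR-ing the two ciphertexts cancels the key completely and
    leaves plain_a ^ plain_b, which no longer depends on the key at all."""
    c_a = vernam(plain_a, key)
    c_b = vernam(plain_b, key)
    c_xor = [x ^ y for x, y in zip(c_a, c_b)]
    p_xor = [x ^ y for x, y in zip(plain_a, plain_b)]
    return c_xor == p_xor


if __name__ == "__main__":
    print("cipher, recovered:", slide_example())
```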
• Well-reviewed algorithms
  – So weaknesses cannot “hide” until after implementation
• Excellent key generation & management
  – To maintain secrecy of the key
• Algorithms that are sufficiently complex so as not to permit feasible exhaustive attacks

#136 Feistel Ciphers: Characteristics
• Special class of iterated block ciphers
• Ciphertext calculated from plaintext by repeated application of the same transformation or round function
• Encryption and decryption are structurally identical (subkey order reversed for decryption)
• Fast, even in software implementation
• Easily analyzed (i.e., deficiencies more readily found by analysis)

#137 Feistel Ciphers in Operation
• Plaintext split into two halves
• Round function f is applied to one half using a subkey
• Output of f is XOR’d with the other half of the plaintext
• Two halves are swapped
• Process repeated for n rounds
• No swap after last round

#138 DES: Feistel Applied
• DES: Data Encryption Standard
• Formal specification -- FIPS PUB 46-3, last affirmed 25 October 1999
  http://www.csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
• Describes two cryptographic algorithms
  – DES
  – TDEA (commonly referred to as 3DES)
• DES based on IBM Lucifer cipher of 1974

#139 DES Characteristics
• 64-bit block cipher
• 56-bit key, with additional 8 bits used for error checking (odd parity on each byte)
• Four operating modes (not unique to DES)
  – Electronic Codebook (ECB)
  – Cipher Block Chaining (CBC)
  – Cipher Feedback (CFB)
  – Output Feedback (OFB)
#140 Subkey Generation
• Creating the subkeys in a Feistel cipher has a major effect on the overall security of the algorithm
  – Possible to create weak keys
  – Changes in the subkey algorithm can result in effectively different realizations of the algorithm
• DES is based on Feistel rounds, and uses a complex method of subkey generation

#141 DES Enciphering Computation
(Figure; one Feistel round is marked.)

#142 Initial Permutation

#143 Cipher Function, f(Rn, Kn)

#144 How Can This Happen?
• Turn 32-bit plaintext into 48-bit output
• Add to 48-bit key
• Get 32-bit output ?

#145 Details
• E-function takes the input to the Feistel round and expands it to 48 bits
• S boxes (for substitution) permute bits to produce the proper output
• Inverse permutation (IP-1) restores bit order after the 16 Feistel rounds

#146 S-box Example

#147 Key Scheduling

#148 Principal Operating Modes (FIPS PUB 81)
• Electronic Code Book (ECB)
  – Encrypts one block at a time with selected key
  – Vulnerability: repeated plaintext can reveal key, and then all cipher blocks can be decrypted
• Cipher Block Chaining (CBC)
  – Input to each block is the output of the previous block XOR’d with the next plaintext block
  – Initial block XOR’d with an Initialization Vector (IV)

#149 ECB

#150 CBC
#151 Additional Modes -1
• Cipher Feedback Mode (CFB)
  – previous ciphertext block encrypted and output XOR’d with plaintext block to produce current ciphertext block
  – can use feedback that is less than one full data block
  – initialization vector used as “seed” for the process.

#152 CFB

#153 Additional Modes -2
• Output Feedback Mode (OFB)
  – similar to CFB mode except the data XOR’d with each plaintext block is generated independently of both the plaintext and ciphertext
  – initialization vector s_0 used as “seed” for a sequence of data blocks s_i
  – each data block s_i derived from encryption of the previous data block s_(i-1)

#154 OFB

#155 Importance of DES
• Ubiquitous, U.S. federal standard
• When standardized, 56-bit key made cipher computationally secure
  – This is no longer the case
  – DES has been broken using brute force attacks in hours, using desktop PCs
• Immediate fix: Triple Data Encryption Algorithm (or Triple DES, 3DES)

#156 TDEA
(Figure: Encryption and Decryption)

#157 TDEA Realities
• Two keying options
  – Three separate keys (as shown on previous slide)
  – Two keys; K1 = K3 (so E_K1 = E_K3)
  – Resultant key lengths of 168 or 112 bits
• For mathematical reasons we won’t go into here, 3-key TDEA is only about twice as secure as DES, not 3 times as secure
• Implemented in hardware, 3-key TDEA can achieve throughputs approaching 1 Gbps

#158 TDEA Advantages
• Thoroughly analyzed, unlikely to have any hidden vulnerabilities
• Much less vulnerable to brute force attack than DES
• Can be implemented in silicon, with very fast throughput
#159 TDEA Disadvantages
• Algorithm produces slow software implementations
• Limited to 64-bit block size
• Trebles the key distribution problem of DES

#160 DES Decryption
• As DES is a Feistel cipher, decryption uses the same engine as does encryption
• For decryption:
  – The DES engine is precisely the same as the encryption engine -- it is not run in reverse (e.g. with the input coming in the “bottom”)
  – Instead, the key schedule is run in reverse; i.e. the first subkey used is K16, then K15, etc., finishing with K1

#161 DES Mathematics
• Only two functions used
  – XOR
  – Data permutation or shifting
• At the heart of the DES engine, inside the f-box, is a Vernam cipher machine!
• Vernam, by itself, is insecure. What makes DES secure?

#162 Symmetric Crypto Keys
• Ideally, are purely random numbers
• This is possible because:
  – The keys are prepositioned at each end
  – Random numbers can be generated by capturing stellar noise, diode shot noise, etc.
  – The parties need only agree on where in the key stream to start
  – The key does not have to obey any mathematical function other than randomness
• Many implementations use pseudo-random numbers, which are not truly random

#163 AES: The Next Generation
• Advanced Encryption Standard (FIPS PUB 197)
  – Established to counter weaknesses of DES
  – Adopted as U. S. standard November 26, 2001
  – Became effective May 26, 2002
  – Based on Rijndael algorithm
    • Joan Daemen and Vincent Rijmen, Belgians, authors
  – Key lengths of 128, 192, and 256 bits
  – Block size of 128 bits
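The Feistel structure of slides #136/#137 and the decryption claim of slide #160, as an added Python example (not the course's code and not DES): a toy 4-round Feistel network on 16-bit blocks whose decryption is the identical engine fed the subkeys in reverse order. The round function, key schedule and function names are my own inventions and provide no real security.

```python
# Added example, not from the lecture or any DES implementation: a toy
# 4-round Feistel network on 16-bit blocks, to show that the decryption
# engine is the encryption engine with the subkey order reversed.

MASK8 = 0xFF
MASK16 = 0xFFFF
ROUNDS = 4


def f(right, subkey):
    """Round function f(R, K). It need not be invertible: the Feistel
    structure undoes it with XOR no matter what f computes."""
    x = (right ^ subkey) & MASK8
    x = ((x << 3) | (x >> 5)) & MASK8        # rotate left by 3
    return (x * 0x35 + 0x5A) & MASK8          # multiply-add, mod 256


def key_schedule(key16):
    """Derive ROUNDS 8-bit subkeys K1..Kn from a 16-bit key (toy schedule)."""
    subkeys = []
    k = key16 & MASK16
    for i in range(ROUNDS):
        k = ((k << 5) | (k >> 11)) & MASK16   # rotate the key each round
        subkeys.append((k ^ (k >> 8) ^ i) & MASK8)
    return subkeys


def feistel(block16, subkeys):
    """The Feistel engine: split into halves, apply f to one half with a
    subkey, XOR the result into the other half, swap, repeat for each
    subkey, and undo the swap after the last round."""
    left, right = (block16 >> 8) & MASK8, block16 & MASK8
    for k in subkeys:
        left, right = right, left ^ f(right, k)
    return (right << 8) | left                # no swap after the last round


def encrypt(block16, key16):
    return feistel(block16, key_schedule(key16))


def decrypt(block16, key16):
    # Same engine; subkeys Kn first ... K1 last, as slide #160 states for DES.
    return feistel(block16, key_schedule(key16)[::-1])


def check_all_blocks(key16):
    """Exhaustively check that decrypt undoes encrypt for every 16-bit block
    and that encryption is a permutation of the block space."""
    seen = set()
    for block in range(1 << 16):
        c = encrypt(block, key16)
        seen.add(c)
        if decrypt(c, key16) != block:
            return False
    return len(seen) == 1 << 16


if __name__ == "__main__":
    c = encrypt(0x1234, 0xBEEF)
    print(f"0x1234 -> 0x{c:04x} -> 0x{decrypt(c, 0xBEEF):04x}")
```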
#164 Rijndael Structure
• Rijndael is not a Feistel cipher; rather, it uses substitution boxes
• “...typically part of the bits of the intermediate state are simply transposed unchanged to another position”
• “...[each] round transformation is composed of three distinct invertible uniform transformations”

#165 AES’ Future
• Clearly intended to replace DES & TDEA
• Designed for efficient software implementation
• Not yet as thoroughly analyzed as DES
• Many implementations on the market
Probably a long coexistence of TDEA & AES

#166 Breaking Symmetric Ciphers
• Brute force
  – Inelegant, but sometimes effective if enough computing power can be brought to bear
  – If cipher is complex enough, this doesn’t work
• Exploit errors
  – Same message enciphered in two codes
  – Plaintext attack
  – Exploit operator errors

#167 Brute Force Attacks on Symmetric Cryptosystems
Assume a number N, having L decimal digits (N ≈ 10^L). Now posit a computer capable of 10^10 divisions/second. The computer can factor any N, using the trial division method, in approximately N^0.5 / 10^10 seconds. If N has 100 digits, this process will require approximately 10^40 seconds. However, the currently estimated age of the Universe is only approximately 3.8 x 10^17 seconds!

#168 Key Types
• Permanent
  – Used for a fixed, prearranged period of time
  – Typically used for applications such as key distribution, government communications, etc.
• Session
  – Valid only for current communications session
  – Destroyed after session terminates

#169 Key Distribution Problem
• Secret keys must be prepositioned at all locations before secure communications can occur.
• How to do this?
  – Secure physical transport
  – Secure electronic transport
• The search for a way to accomplish this led to the development of public key cryptography, which we will look at next

#170 Asymmetric Ciphers
• Also known as public key cryptography
• Until Diffie-Hellman in 1976, this concept was heretical. It is still counterintuitive.
• Key has two parts
  – Public: everybody knows or can know
  – Private: only holder knows
• Based on large prime numbers

#171 Asymmetric Cryptography
(Figure: Alice’s message passes from Alice to Bob; it is encrypted with Bob’s public key and decrypted with Bob’s private key.)

#172 Curious Public Key Properties
• The encryption function is one-way
• The encryption process is fungible
  – Can encrypt with public key and decrypt with private key, and vice versa
• So what?
  – How about using this approach to sign documents?
  – Can a signed document be used for authentication?

#173 The Original Goal
• Diffie and Hellman did not set out to invent a new kind of cryptography
• The goal was to find a way to establish symmetrical session keys without prior placement of the keys by some other means
  – i.e. to solve the key distribution problem
• This is still the primary use of the D-H exchange

#174 But then...
• Diffie-Hellman key exchanges proved immensely useful
• Others found that there were other uses for this general crypto principle, and algorithms were developed for encrypting data
  – RSA
  – ElGamal
  – etc.
#175 Something Different
• Clearly, asymmetric crypto differs in a basic way from symmetric crypto
  – The keys are mathematically related, and cannot be purely random numbers
  – The algorithms are quite different from the universe of Feistel ciphers and S-boxes
• Is this a replacement for symmetric crypto, or a complement to it?

#176 Asymmetric Crypto Properties
• The encryption function is one-way
• The encryption process is fungible
  – Can encrypt with public key and decrypt with private key, and vice versa
• So what?
  – Could this approach be used to sign documents?
  – Can a signed document be used for authentication?

#177 How Does It Work?
• Asymmetric cryptography is based on modulus arithmetic
• Modulus arithmetic makes it computationally infeasible to recover the number whose modulus is stated, provided certain conditions are met
• You can cheat: the Windows calculator has a modulus arithmetic mode

#178 Diffie-Hellman Key Exchange-1
• Alice and Bob agree on a large prime n and a number g, where g is primitive mod n. These need not be kept secret
• Alice chooses a large random integer x and sends to Bob: X = g^x mod n
• Bob chooses a large random integer y and sends to Alice: Y = g^y mod n
• NB: x and y are never transmitted

#179 Diffie-Hellman Key Exchange-2
• Alice computes k = Y^x mod n
• Bob computes k’ = X^y mod n
• But k = k’ = g^(xy) mod n
• Therefore, Bob and Alice now have a secret key, k, that they can share for communications
• Eavesdroppers know only n, g, X, and Y, not x or y, which are required to compute k
#180 Diffie-Hellman Security
• D-H security depends on the difficulty of factoring large numbers (size of n)
• It is computationally infeasible to recover x and y from the data known to an eavesdropper by any means other than exhaustive key search
• Caveats
  – n must be large
  – (n-1)/2 should also be prime
  – g can be small -- even one digit

#181 Diffie-Hellman Drawbacks
• Slow!
  – Computationally intensive
  – Requires several communications exchanges
• Example:
  – Using D-H to set up a session key in a cellular telephone could take nearly one minute!
• So, other key exchange protocols have been established that are more efficient

#182 Asymmetric Crypto Uses?
• Only good for key exchange?
• As it turns out, NO
  – Other algorithms useful for providing data secrecy, like symmetric cryptography
  – Can be used to provide
    • confidentiality
    • integrity
    • authenticity

#183 RSA Encryption Algorithm
• Ron Rivest, Adi Shamir, Len Adleman
  – First published 1978, from MIT
  – Block cipher, asymmetric key
  – Plain and cipher texts are integers between 0 and n-1, for some n that is part of the keys
• Like all asymmetric key systems, RSA depends for security on the difficulty of factoring large numbers
  – There is a problem here

#184 RSA Mechanics
• C = ciphertext
  – C = M^e mod n
• M = plaintext
  – M = C^d mod n = (M^e)^d mod n = M^(ed) mod n
• Both parties know n, e
• Only the receiving party knows d

#185 Therefore...
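The exchange of slides #178/#179 with both parties' computations, plus checks for the caveats of slide #180 (n prime with (n-1)/2 also prime, g primitive mod n), as an added Python example that is not part of the lecture. The toy parameters n = 23, g = 5 and the function names are my own; real deployments use n of 2048 bits or more.

```python
# Added example, not from the lecture: Diffie-Hellman with both sides'
# computations and the parameter checks behind slide #180's caveats.

import secrets


def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def is_safe_prime(n):
    """Slide #180's caveat: n prime AND (n-1)/2 prime."""
    return is_prime(n) and is_prime((n - 1) // 2)


def is_primitive(g, n):
    """For a safe prime n = 2q+1, g is primitive (a generator) iff
    g^2 != 1 and g^q != 1 (mod n): the order of g must divide 2q, so
    ruling out orders 1, 2 and q leaves only the full order 2q."""
    q = (n - 1) // 2
    return 1 < g < n - 1 and pow(g, 2, n) != 1 and pow(g, q, n) != 1


def dh_exchange(n, g, x=None, y=None):
    """Run the exchange. x and y are the private exponents; when omitted
    they are drawn at random, as Alice and Bob would do in practice."""
    if not (is_safe_prime(n) and is_primitive(g, n)):
        raise ValueError("n must be a safe prime and g primitive mod n")
    if x is None:
        x = 2 + secrets.randbelow(n - 3)      # Alice's secret, in [2, n-2]
    if y is None:
        y = 2 + secrets.randbelow(n - 3)      # Bob's secret, in [2, n-2]
    X = pow(g, x, n)          # Alice -> Bob:   X = g^x mod n
    Y = pow(g, y, n)          # Bob -> Alice:   Y = g^y mod n
    k_alice = pow(Y, x, n)    # Alice computes  k  = Y^x mod n
    k_bob = pow(X, y, n)      # Bob computes    k' = X^y mod n
    # An eavesdropper sees only (n, g, X, Y); x and y never leave their owners.
    return {"public": (n, g, X, Y), "k_alice": k_alice, "k_bob": k_bob}


if __name__ == "__main__":
    print(dh_exchange(23, 5, x=6, y=15))
```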
• Public key: KU = {e, n}
• Private key: KR = {d, n}
• Requirements for this to work:
  – e, d, n exist such that M^(ed) = M mod n for all M < n
  – Easy to calculate M^e and C^d for M < n
  – Infeasible to calculate d given e, n
• Computationally secure if e, n sufficiently large

#186 Important Definitions
• Euler’s totient function, φ(n)
  – Defined as the number of positive integers < n and relatively prime to n
  – Can show that if n = pq, φ(n) = (p-1)(q-1)
• Relatively prime numbers
  – a and b (integers) are relatively prime if they have no prime factors in common
    • i.e. their only common factor is unity

#187 RSA Example
• Select two primes: p = 7, q = 17
• Calculate n = pq = 7 x 17 = 119
• Calculate φ(n) = (p-1)(q-1) = 6 x 16 = 96
• Select e relatively prime to & less than φ(n)
  – In this example e = 5
• Calculate d = e^-1 mod φ(n) = 77
  (This bit is perhaps unclear)
• KU = {5, 119} Public key      KR = {77, 119} Private key

#188 Another View
• d = e^-1 mod φ(n) looks difficult, as e^-1 < 1
• Multiply both sides by e, which gives de = 1 mod φ(n), where φ(n) = 96 in this case
• e has been selected as being 5, therefore we must now find the value for d that satisfies the above equation
• 77 is that value, as 5 x 77 = 1 mod 96
  77 x 5 = 385 = 4 x 96 + 1

#189 RSA Encrypt/Decrypt
• Using KU, KR we have calculated, let M = 19 (plaintext)
  – KU = {5, 119} Public key (e, n)      KR = {77, 119} Private key (d, n)
• Encryption:
  – M^e mod n = 19^5 mod 119 = 66 = C (ciphertext)
• Decryption
  – C^d mod n = 66^77 mod 119 = 19 = M (plaintext)
• Q.E.D.
#190 RSA Importance
• Together with Diffie-Hellman, RSA is the most widely used asymmetric key algorithm
• RSA was patented by its inventors, but the patents expired in 2000
• RSA is now freely usable by anyone, and is widely incorporated into common products, such as web browsers, VPN devices, etc.

#191 Breaking RSA
• Discover the private key, d
  – Easy to do if p and q, factors of n, are known
  – Hard part is factoring n
  – Factoring 200-digit n has been done
• Find eth roots mod n
  – Not known to be equivalent to factoring
  – No general methods known
• Brute force key search

#192 Practical RSA Security
• Choose a sufficiently large n
  – 200 digits ≈ 663 bits, which has been factored
    • 9 May 2005, Jens Franke, et al., Univ. of Bonn
  – So, choose n > 1000 bits (1024, 2048, 4096)
  – Evaluate how long security is required, as longer keys require more computation, and are therefore slower to encrypt/decrypt
• Guard the private key carefully!

#193 Why Do We Want to Do This?
• Symmetric cryptography is fast
• Asymmetric cryptography is slow
  – As much as 1000X slower than symmetric
• Therefore, we want to use the slow asymmetric crypto -- which does not require prepositioning of keys -- to create and/or exchange symmetric session keys so that data can be exchanged quickly

#194 Crypto Summary
• Both symmetric and asymmetric crypto have their uses in communications
• Symmetric keys can be purely random, but asymmetric keys are mathematically related
• Symmetric crypto is much faster than asymmetric, which leads to combining the types in practical applications
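The RSA walkthrough of slides #187-#189 (p = 7, q = 17, e = 5 gives d = 77; M = 19 gives C = 66) in code, followed by the point of slide #191 that whoever can factor n recovers d immediately, as an added Python example that is not part of the lecture. Function names are my own; the trial-division factoring is only there to make the key-size argument of slides #167 and #192 concrete on a toy modulus.

```python
# Added example, not from the lecture: the slides' RSA numbers, the
# requirement that every block round-trips, and why the size of n matters.

from math import gcd, isqrt


def rsa_keygen(p, q, e):
    """Return (KU, KR) = ((e, n), (d, n)) from two primes and a public exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)            # Euler's totient for n = pq
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = pow(e, -1, phi)                # d = e^-1 mod phi(n), i.e. d*e = 1 mod phi(n)
    return (e, n), (d, n)


def rsa_encrypt(m, ku):
    e, n = ku
    if not 0 <= m < n:
        raise ValueError("plaintext must be an integer in [0, n-1]")
    return pow(m, e, n)                # C = M^e mod n


def rsa_decrypt(c, kr):
    d, n = kr
    return pow(c, d, n)                # M = C^d mod n


def every_block_round_trips(ku, kr):
    """Requirement from slide #185: M^(ed) = M mod n for all M < n."""
    n = ku[1]
    return all(rsa_decrypt(rsa_encrypt(m, ku), kr) == m for m in range(n))


def factor_by_trial_division(n):
    """Cost grows like sqrt(n) (cf. slide #167): instant for n = 119,
    hopeless for a 1024-bit or larger modulus, which is the whole point."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("n has no non-trivial factor")


def recover_private_key(ku):
    """Slide #191: once p and q are known, d follows from e alone."""
    e, n = ku
    p, q = factor_by_trial_division(n)
    return pow(e, -1, (p - 1) * (q - 1)), n


if __name__ == "__main__":
    ku, kr = rsa_keygen(7, 17, 5)
    c = rsa_encrypt(19, ku)
    print(f"KU={ku} KR={kr} C={c} M={rsa_decrypt(c, kr)}")
```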
#195 Homework
• Read Bishop, Chapters 9 & 11
• Prove that decryption in a Feistel cipher can be done by applying the encryption algorithm to the ciphertext, with the key schedule reversed.
• Suppose a sequence of plaintext blocks, x_1…x_n, yields the ciphertext sequence y_1…y_n. Suppose that one ciphertext block, say y_i, is transmitted incorrectly. Show that the number of plaintext blocks that will be decrypted incorrectly is equal to one in ECB or OFB modes, and equal to two if CBC or CFB modes are used.
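The four FIPS PUB 81 modes of slides #148-#154, run on a toy block cipher so the second homework question can be checked by experiment: one corrupted ciphertext block y_i spoils one plaintext block in ECB and OFB but two in CBC and CFB, because those two feed the ciphertext back into the next block. This is an added Python example, not part of the lecture; the toy cipher E (a keyed affine map mod 2^16), the sample blocks, key and IV are all constructed for illustration and have no security value.

```python
# Added example, not from the lecture: ECB, CBC, CFB and OFB on a toy
# 16-bit block cipher, with an error-propagation experiment.

MOD = 1 << 16
A = 0x6A6D                       # odd, hence invertible mod 2^16
A_INV = pow(A, -1, MOD)


def E(k, x):
    """Toy block encryption: a keyed, invertible affine map on 16-bit blocks."""
    return (((x ^ k) * A) + k) % MOD


def D(k, y):
    """Inverse of E."""
    return ((((y - k) % MOD) * A_INV) % MOD) ^ k


def encrypt(mode, k, iv, xs):
    ys, prev, s = [], iv, iv
    for x in xs:
        if mode == "ECB":
            y = E(k, x)
        elif mode == "CBC":            # y_i = E(x_i XOR y_(i-1)), y_0 = IV
            y = E(k, x ^ prev)
        elif mode == "CFB":            # y_i = x_i XOR E(y_(i-1))
            y = x ^ E(k, prev)
        elif mode == "OFB":            # s_i = E(s_(i-1)); y_i = x_i XOR s_i
            s = E(k, s)
            y = x ^ s
        else:
            raise ValueError(mode)
        ys.append(y)
        prev = y
    return ys


def decrypt(mode, k, iv, ys):
    xs, prev, s = [], iv, iv
    for y in ys:
        if mode == "ECB":
            x = D(k, y)
        elif mode == "CBC":            # x_i = D(y_i) XOR y_(i-1)
            x = D(k, y) ^ prev
        elif mode == "CFB":            # x_i = y_i XOR E(y_(i-1))
            x = y ^ E(k, prev)
        elif mode == "OFB":            # same keystream as the sender
            s = E(k, s)
            x = y ^ s
        else:
            raise ValueError(mode)
        xs.append(x)
        prev = y                       # received ciphertext, corrupted or not
    return xs


def blocks_wrong_after_corrupting(mode, k, iv, xs, i, flip=0x0001):
    """Flip one bit of y_i in transit; count plaintext blocks that decrypt wrong."""
    ys = encrypt(mode, k, iv, xs)
    ys[i] ^= flip
    got = decrypt(mode, k, iv, ys)
    return sum(1 for a, b in zip(got, xs) if a != b)


# Constructed sample: four plaintext blocks, a key and an IV.
SAMPLE = dict(k=0x3C5A, iv=0x9E11, xs=[0x1234, 0x5678, 0x9ABC, 0xDEF0])


def homework_table(i=1):
    """Wrong-block count per mode when y_i is corrupted (i is 0-based)."""
    return {m: blocks_wrong_after_corrupting(m, i=i, **SAMPLE)
            for m in ("ECB", "CBC", "CFB", "OFB")}


if __name__ == "__main__":
    print(homework_table(1))           # {'ECB': 1, 'CBC': 2, 'CFB': 2, 'OFB': 1}
```

Corrupting the last block gives one wrong block in every mode, since there is no following block for CBC or CFB to contaminate.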