CSE 511 Cryptology and NW Security

1
CSE 511 Cryptology and NW Security

• Dr M. Sakalli
• Marmara University

2
As quoted in the lecture slides by Lawrie Brown,
and site http//williamstallings.com/Crypto3e.htm
l, in chapter 1 of Introduction
So much material cluttering information channels,
Ill keep it lean, so that you can digest the
main concepts and the materials. M. Sakalli

• The art of war teaches us to rely not on the
  likelihood of the enemy's not coming, but on our
  own readiness to receive him not on the chance
  of his not attacking, but rather on the fact that
  we have made our position unassailable. The Art
  of War, Sun Tzu

3

• Introduction
• Symmetric Ciphers
• Classical encryption techniques, chaining, ECB,
  CBC, CFB, OFB.. Message integrity or
  confidentiality.. Not both.
• Block ciphers and data encryption standard.
• Differential and Linear Cryptanalysis.
• Finite fields
• Advanced encryption standard, Using block ciphers
  in real-world
• Confidentiality, Random Number Generators.
• Public-Key Encryption and Hashing Functions
• Introduction to number theory, public key
  cryptography RSA, Key Management (Diffie-Hellman
  key exchange, 1976)
• Massage authentication Cryptography and RSA
• Hash, SHA and MAC management, whirlpool (adapted
  as AES). Digital Signatures.

4
Part 3-4 Applications

• NW Security
• Kerberos, X.509. Authentication prt over
  non-secure NW.
• Email, PGP signatures, certifying mail, privacy
  (via encryption), S/MIME,
• IP Security, Web security SSL secure sockets
  Layer, TSL Transport Secr L
• System Security
• System security.
• Intrusion detection,
• Malicious software. DOS.
• Firewalls.
• IEEE 802.11 Wireless LAN Security (WEP)

4
5
Layer by Layer

• - i.e. _________________
• __________ firewalls/VPNs
• OS security ________________
  ----------------
• --------------- virus protection
  ______________________
• --------------------------
  - web security - SSL
• ------- --------------
• _______________________________________________
  __________
• CRYPTO
• -------------------------------------------------
  -------------------------------------------
• Midterm exam I 30 (Friday, Oct. 24)
• Final exam 40 (Tue, Dec. 9, 130pm)
• Assignments 30
• The later you submit your homework, the lower you
  will be marked.

6
From the statistics of Computer Emergency
Response Team (CERT)

• Vulnerabilities reported seems saturated by the
  2002.
• Weaknesses of OS, NWs, isp, dns, routers.

7
From the statistics of Computer Emergency
Response Team (CERT)

• The incidents reported has increased, attacks are
  sophisticated and possibly automated and causing
  greater amounts of damage.

8
The OSI architecture

• The systematic approach of OSI security
  architecture, compromises security in three
  stages implemented to complement and be
  integrated with each other
• Attack mechanisms
• Defence mechanisms
• The services
• RFC 2828
• Threats are the possibilities of the breaching
  security rules.
• An attack is an assault and/or a deliberate
  action to inflict damage on the other side.

9
Security Mechanisms (X.800)

• OSI specific security mechanisms
• encipherment, digital signatures, access
  controls, data integrity, authentication
  exchange, traffic padding, routing control,
  notarization
• Non OSI pervasive security mechanisms
• trusted functionality, security labels, event
  detection, security audit trails, security
  recovery

10
Internet standards and RFCs

• The Internet society
• Internet Architecture Board (IAB)
• Internet Engineering Task Force (IETF)
• Internet Engineering Steering Group (IESG)

11
Distributed Security, Digital and Global Security

• Computer Security Internal and external
  protection mechanisms against attacks and
  malicious applications..
• Network Security LAN and the ISP level.
• Web and Internet Security During transmission
  between routers, and there cyber law to enforce
  the bodies thwarting the hackers.

12
Passive Security Attacks

• Eavesdropping Shoulder surfing of typing or
  recordings
• 1487, from O.E. eavesdropper "place around a
  house where the rainwater drips off the roof,"
  from eave (q.v.) drip. Technically, "one who
  stands at walls or windows to overhear what's
  going on inside.
• Monitoring the traffic
• Capturing packets..
• Analyzing the traffic flows ..
• Solution is CRYPTOLOGY.

13
Active Security Attacks

• Intrusion by capturing messages
• Preventing (DOS) the service,
• Interrupting..
• Impersonating, masquerading of one entity as some
  other, modifying or replaying the previous or
  fabricating new messages or viral attack..
• Enciphering, authentication and security
  protocols are the solution..

14

• The main reason for cryptology is to hide for
  surviving protecting privacy, preventing
  intrusion.
• Secrecy, masking the message traffic can be
  visible, in the case of data confidentiality
  evading passive attacks.
• Authentication, 1- Identity check of the peer
  entities, 2- data origin auth, prevent
  interference and masquerading, not preclude
  passive attacks. Certificates
• Integrity of the message In connectionless
  service (assuring that message is not altered),
  MACs, CRC..
• Nonrepudiation (undeniable producer or receiver).
  
• 1412, "repudiation," from L.L. repulsionem, noun
  of action from repellere (see repel),.
• Oblivious transfer without leaving any trace of
  inf transferred,
• Zero knowledge proofs Prove possession of
  certain information without conveying an ID..
• https - "s" is for SSL

15
Model 1-Securing a communication channel
Possible PT
Key (cipherkey)
Key (cipherkey)
16
Model II- Network Access Security Model

• Requires access control
• Selecting gatekeeper functions to identify users.
• Security methodologies to authenticate users, to
  ensure only authorised users can access to
  designated information or resources.
• Using trusted computer networks.

17

• Cryptology is the mathematics of concealing
  messages by scrambling under some constraints
  applied open cipher that are..
• Applicable duration of the cipher..
• Space, physical environment. Communications,
  Storage area..
• Complexity, vs simplicity, human factor..
• The cost..

18

• if both the encryption and decryption keys are
  the same, then the method employed is
  symmetric... Otherwise asymmetric.
• "Crypto graphy" both Greek 'krypte graphic'
  meaning hidden (or vault) writing
• Cryptanalysis (cryptanalyst, cryptoanalyst) is
  the art of cracking the codes.
• An adversary, eavesdropper, hacker, imposter..
• Cryptology Cryptography cryptanalysis..
• Cryptograms are roughly divided into Ciphers and
  Codes.
• Perfect security and entropic security.
  (Shannon), an adversary does not have any
  information at all about the secret which is
  equivalent to saying that the random variable
  constituting the secret and the random variable
  modeling the adversarys knowledge must be
  independent. H(x)H(XY) for adversary, H(XYK)0
  for recipient.

19
Steganography and cryptography

• BC 499. Histiaeus detained in Sasu island eagerly
  wanted to send a message to his regent to revolt
  against to Persians. The only way he found was to
  shave the head of his messenger, and (tattoo)
  write the message on his scalp, and then waited
  for the hair to regrow. On reaching his
  destination the messenger, was instructed to
  shave his head, so that Aristogoras the mayor of
  Miletus could read the message. Herodotus.
• an alternative to encryption
• hides existence of message
• using only a subset of letters/words in a longer
  message marked in some way
• using invisible ink
• hiding in LSB in graphic image or sound file
• has drawbacks
• high overhead to hide relatively few info bits
• Watermarking.
• Steganography
• covered writing
• hides the existence of a message
• Cryptography
• hidden writing
• hide the meaning of a message

20
A very brief history

• Substitution cipher is the oldest cipher
• Secret key K is a table lookup A --gt C
• Breaking Some single letter for example
  substituted for E, will have the same frequency
  if the message is not too short, then itll be
  easy to figure out which letter is substituted
  for E, (or such), which is the occurring as
  frequent asE, etc. Abu al-Kindi's "A Manuscript
  on Deciphering Cryptographic Messages..
• Vigenère (1523 - 1570)
• Rotor (1800 - 1950) WWII Enigma machine
• 1974 DES developed by IBM, 1st good cipher
• 1977 Diffie Hellman, public key crypto
• Symmetric ciphers info theoretic approach
  (Shannon)
• -- privacy against eavesdropping
• -- make substitution cipher secure
• -- one-time pad very fast, key as long as
  message why is this secure?

21
Greeks belt Spartan skytale..

• In 405 BC One of the earliest examples of
  transposition crypt was used by Lysander of
  Sparta. When the belt of messenger was wound
  around a wood with a correct diameter, message
  could appear.

22

• http//www.bbc.co.uk/history/ancient/egyptians/dec
  ipherment_01.shtml
• Decipherment of Egyptian hieroglyphs.
• Jean-François Champollion, 1801.
• Ra-me??-s-s..
• Sun in coptic, sounds ra, and wind sound ss..

• Unsolved ciphers Folger scripts after 1717ies..
  Freemasonary
• (http//www.canonbury.ac.uk/lectures/folger.htm)

23

• The Adventure of the Dancing Men, one of the
  Sherlock Holmes short stories by AC Doyle,
  Detective solves it with frequency analysis.
  ELSIE PREPARE TO MEET THY GOD
• Not deciphered yet related to a bank deposit wt a
  US bank.
• Allegedly issued to a General Wang in Shanghai,
  1933
• 300 Million transaction 1.8 kg Gold bars?.. .

24

• MARY QUEEN OF SCOTS sent messages to her
  supporters by using a weak cipher for her
  assassinating Queen Elizabeth I, but the messages
  were intercepted, and deciphered with frequency
  analysis, and Mary executed for treason in 1587.
  
• Johannes Trithemius
• 1499 Steganographia
• Polygraphia (1518) the first printed book on
  cryptography

25

• WWWII, Germans Enigma. Turing.
• Marian Rejewski, Bombe, Purple.