Information Security, Frank Yeong-Sung Lin, Department of Information Management, National Taiwan University (PowerPoint presentation transcript)



1
Information Security
Frank Yeong-Sung Lin
Department of Information Management, National Taiwan University
EMBA 2009 Information Systems and Applications, Lecture II
2
Information Security
Information security can be roughly divided into 4 areas:
  • Secrecy: keep information unrevealed
  • Authentication: determine the identity of whom you are talking to
  • Nonrepudiation: make sure that someone cannot deny the things he/she has done
  • Integrity control: make sure the message you received has not been modified

3
Information Security (contd)
Information security functionality can be distributed across several protocol layers:
  • Physical layer: protect the transmission link from wire tapping
  • Data link layer: link encryption
  • Network layer: firewall, packet filter
  • Application layer: authentication, non-repudiation, integrity control (and secrecy/confidentiality)

4
Information Security (contd)
A number of essential concepts to begin with:
  • Risk management
    • threats, vulnerabilities, assets, damages and probabilities
    • balancing acts
    • all cryptosystems may be compromised
  • Notion of chains (Achilles' heel)
  • Notion of buckets (products, policies, processes and people)
  • Defense in depth
  • Average vs. worst cases
  • Backup, restoration and contingency plans

5
Traditional Cryptography
[Figure: model of traditional cryptography. Plaintext P is encrypted under key K to E_K(P), sent over the channel, and decrypted under the same key K, so that D_K(E_K(P)) = P. A passive intruder only listens; an active intruder alters messages.]
  • The model depends on a stable public algorithm and a key
  • The work factor for breaking the system by exhaustive search of the key space is exponential in the key length
  • Two categories: substitution ciphers vs. transposition ciphers

6
Traditional Cryptography (contd)
  • Simplified model of traditional cryptography

7
Traditional Cryptography (contd)
  • Model of traditional cryptography

8
Substitution Cipher
  • Caesar cipher
    • Every letter is shifted by k positions, e.g., k = 3 and a becomes D, b becomes E, ...
    • For example, attack becomes DWDDFN
  • Mono-alphabetic substitution
    Plaintext:  abcdefghijklmnopqrstuvwxyz
    Ciphertext: QWERTYUIOPASDFGHJKLZXCVBNM
  • The key space is 26! ≈ 4×10^26
  • Still the cipher may be broken easily by taking advantage of the frequency statistics of English text (e.g., e, a, th, er, and, the appear very often)

9
Substitution Cipher (contd)
  • Relative frequency of letters in English text

10
Transposition Ciphers
Key: M E G A B U C K (column order 7 4 5 1 2 8 3 6)
Plaintext written in rows of 8 under the key:
  p l e a s e t r
  a n s f e r o n
  e m i l l i o n
  d o l l a r s t
  o m y s w i s s
  b a n k a c c o
  u n t s i x t w
  o t w o a b c d
Plaintext: pleasetransferonemilliondollarstomyswissbankaccountsixtwotwo (padded with abcd)
Ciphertext: AFLLSKSOSELAWAIATOOSSCTCLNMOMANTESILYNTWRNNTSOWDPAEDOBUOERIRICXB
  • Plaintext is written horizontally, while the ciphertext is read out by column, starting with the lowest key column
  • To break the transposition cipher:
    • guess a probable word or phrase (e.g., milliondollars)
    • try to determine the key length, then order the columns
  • Another related example regarding Newton
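The columnar transposition of the slide with key MEGABUCK, as an added example (not the lecture's own code); it assumes distinct key letters and pads the last row with "abcd" exactly as the slide does.

```python
# Added example (not from the slides): the columnar transposition cipher
# of the slide, encrypting and decrypting with the key MEGABUCK.
def column_order(key: str) -> list:
    """Column indexes in read-out order: the column under the alphabetically
    smallest key letter first (MEGABUCK -> 3, 4, 6, 1, 2, 7, 0, 5)."""
    assert len(set(key)) == len(key), "key letters must be distinct"
    return sorted(range(len(key)), key=lambda i: key[i])


def transpose_encrypt(plaintext: str, key: str, pad: str = "abcd") -> str:
    """Write the plaintext in rows of len(key), read out column by column."""
    width = len(key)
    text = "".join(c for c in plaintext.lower() if c.isalpha())
    # Pad the last row as the slide does; assumption: pad covers the gap.
    missing = (-len(text)) % width
    assert missing <= len(pad), "pad string too short for the last row"
    text += pad[:missing]
    rows = [text[i:i + width] for i in range(0, len(text), width)]
    return "".join(row[col] for col in column_order(key) for row in rows).upper()


def transpose_decrypt(ciphertext: str, key: str) -> str:
    """Refill the columns in read-out order, then read the rows back."""
    width = len(key)
    assert len(ciphertext) % width == 0, "ciphertext must fill whole rows"
    height = len(ciphertext) // width
    cols = [""] * width
    pos = 0
    for col in column_order(key):
        cols[col] = ciphertext[pos:pos + height]
        pos += height
    return "".join(cols[c][r] for r in range(height) for c in range(width)).lower()


if __name__ == "__main__":
    pt = "pleasetransferonemilliondollarstomyswissbankaccountsixtwotwo"
    ct = transpose_encrypt(pt, "MEGABUCK")
    print(ct)                                   # matches the slide's ciphertext
    print(transpose_decrypt(ct, "MEGABUCK"))    # plaintext plus the abcd padding
```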
  • Another related example regarding Newton

11
Other Interesting Ciphers
  • Chinese poems
  • Clubs and leather stripes
  • Invisible ink (steganography in general)
  • Books
  • Code books
  • Enigma
  • XOR
  • Ej/vu3z8h96

12
Two Fundamental Cryptographic Principles
  • First principle
    • All encrypted messages must contain redundancy to prevent active intruders from tricking the receiver into acting on a false message
    • However, the same redundancy makes it easier for passive intruders to break the system
  • Second principle
    • Some measures must be taken to prevent active intruders from replaying old messages, e.g., use a time stamp to
      • filter out duplicate messages within a certain time
      • discard incoming messages that are too old

13
Secret-Key Algorithms
  • Consists of a sequence of transpositions and substitutions
[Figure: an S-box (substitution), a P-box (permutation), and a product cipher built by combining them.]
14
Data Encryption Standard (DES)
  • Plaintext is encrypted in blocks of 64 bits
  • DES is basically a mono-alphabetic substitution cipher using a 64-bit character
[Figure: DES outline. 64-bit plaintext -> initial transposition -> 16 iterations using subkeys K1..K16 derived from the 56-bit key, each iteration turning the 32-bit halves (L_i-1, R_i-1) into L_i = R_i-1 and R_i = L_i-1 XOR f(R_i-1, K_i) -> 32-bit swap -> inverse transposition -> 64-bit ciphertext.]
15
DES Chaining
  • DES may be vulnerable to active intruders
[Figure: a file of 8-byte fields (Name, Bonus): Leslie's bonus block reads 0000010 and Kimberly's reads 0100000. With each 64-bit block encrypted independently, an intruder may copy Kimberly's encrypted bonus block to one row above, so that Leslie's row now decrypts to Kimberly's bonus.]
  • DES chaining
[Figure: cipher block chaining over blocks P0..P3 / C0..C3. Encryption: C0 = E_K(P0 XOR IV), Ci = E_K(Pi XOR Ci-1). Decryption: P0 = D_K(C0) XOR IV, Pi = D_K(Ci) XOR Ci-1.]
16
Breaking DES
  • Exhaustive search of the key space: 2^56 ≈ 7×10^16
    • can use multiple computers to do the search in parallel
  • Running DES twice consecutively with two different 56-bit keys creates a key space of 2^112 ≈ 5×10^33
    • but it still can be broken by the meet-in-the-middle attack in O(2^57) time, because
      C_i = E_K2(E_K1(P_i)) implies D_K2(C_i) = E_K1(P_i)
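An added example (not the lecture's own code) serving the DES chaining slide and the double-DES slide above: a constructed toy 16-bit Feistel cipher with an 8-bit key stands in for DES, which the standard library lacks, so that both the block-copy attack that chaining stops and the meet-in-the-middle search can be run in full.

```python
# Added example (not from the slides): a toy 16-bit Feistel cipher with an
# 8-bit key standing in for DES, used to show (1) the block-copy attack that
# DES chaining (CBC) defeats and (2) why double encryption only doubles the
# work: the meet-in-the-middle search with 2*2^k instead of 2^(2k) trials.
def _f(r: int, k: int) -> int:
    x = ((r ^ k) * 45 + 0x63) & 0xFF
    return ((x << 3) | (x >> 5)) & 0xFF            # 8-bit rotate

def _subkeys(key: int) -> list:
    return [(key ^ (0x5A * (i + 1))) & 0xFF for i in range(4)]

def _feistel(block: int, keys: list) -> int:
    l, r = block >> 8, block & 0xFF
    for k in keys:
        l, r = r, l ^ _f(r, k)
    return (r << 8) | l                            # swap halves at the end

def toy_encrypt(key: int, block: int) -> int:
    return _feistel(block, _subkeys(key))

def toy_decrypt(key: int, block: int) -> int:      # same network, reversed subkeys
    return _feistel(block, _subkeys(key)[::-1])

def cbc_encrypt(key: int, blocks: list, iv: int) -> list:
    out, prev = [], iv
    for p in blocks:
        prev = toy_encrypt(key, p ^ prev)          # C_i = E_K(P_i XOR C_{i-1})
        out.append(prev)
    return out

def cbc_decrypt(key: int, blocks: list, iv: int) -> list:
    out, prev = [], iv
    for c in blocks:
        out.append(toy_decrypt(key, c) ^ prev)     # P_i = D_K(C_i) XOR C_{i-1}
        prev = c
    return out

def splice_attack(key: int, bonuses: list, iv=None) -> list:
    """Copy the second ciphertext block into the first slot (Kimberly's bonus
    onto Leslie's row) and return what the receiver decrypts. iv=None means
    independently encrypted blocks (ECB); otherwise CBC with that IV."""
    if iv is None:
        ct = [toy_encrypt(key, b) for b in bonuses]
        ct[0] = ct[1]
        return [toy_decrypt(key, c) for c in ct]   # the copy decrypts cleanly
    ct = cbc_encrypt(key, bonuses, iv)
    ct[0] = ct[1]
    return cbc_decrypt(key, ct, iv)                # both blocks come out garbled

def meet_in_the_middle(pairs: list) -> list:
    """Recover (K1, K2) for C = E_K2(E_K1(P)) from known (P, C) pairs with
    256 + 256 cipher calls instead of 256 * 256: tabulate E_K1(P) for every
    K1, then look up D_K2(C) for every K2; extra pairs weed out false matches."""
    (p0, c0), rest = pairs[0], pairs[1:]
    table = {}
    for k1 in range(256):
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    found = []
    for k2 in range(256):
        for k1 in table.get(toy_decrypt(k2, c0), []):
            if all(toy_encrypt(k2, toy_encrypt(k1, p)) == c for p, c in rest):
                found.append((k1, k2))
    return found
```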
17
Triple DES Encryption
[Figure: triple DES with two keys. Encryption: C = E_K1(D_K2(E_K1(P))). Decryption: P = D_K1(E_K2(D_K1(C))).]
  • Using EDE (2 encryptions and 1 decryption) instead of EEE is for backward compatibility (when K1 = K2) with single-stage DES systems
  • Using EEE with 3 different keys is basically unbreakable nowadays

18
Public-Key Algorithms
  • Encryption (E) and Decryption (D) algorithms must meet the following requirements:
    • E and D are different
    • D(E(P)) = P
    • It is exceedingly difficult to deduce D from E
  • Everyone has a pair of keys: public key (E) and private key (D)
    • Public key is made known to the world
    • Private key is to be kept private all the time
[Figure: A sends E_B(P1) to B, who recovers D_B(E_B(P1)) = P1; B sends E_A(P2) to A, who recovers D_A(E_A(P2)) = P2.]
19
Principles of Public-Key Cryptosystems
20
Principles of Public-Key Cryptosystems (contd)
  • Requirements for PKC
    • easy for B (receiver) to generate KUb and KRb
    • easy for A (sender) to calculate C = E_KUb(M)
    • easy for B to calculate M = D_KRb(C) = D_KRb(E_KUb(M))
    • infeasible for an opponent to calculate KRb from KUb
    • infeasible for an opponent to calculate M from C and KUb
    • (useful but not necessary) M = D_KRb(E_KUb(M)) = E_KUb(D_KRb(M)) (true for RSA and good for authentication)

22
Principles of Public-Key Cryptosystems (contd)
  • The idea of PKC was first proposed by Diffie and Hellman in 1976.
  • Two keys (public and private) are needed.
  • The difficulty of calculating f^-1 is typically provided by
    • factorization of large numbers
    • solving NP-complete problems
    • calculation of discrete logarithms
  • High complexity confines PKC to key management and signature applications

25
Principles of Public-Key Cryptosystems (contd)
  • Comparison between conventional and public-key
    encryption

26
Principles of Public-Key Cryptosystems (contd)
  • Applications for PKC
  • encryption/decryption
  • digital signature
  • key exchange

30
RSA Algorithms
  • Developed by Rivest, Shamir, and Adleman at MIT in 1978
  • First compute the following parameters:
    • Choose two large primes, p and q (typically > 10^100)
    • Compute n = p×q and z = (p-1)×(q-1)
    • Choose d, which is a number relatively prime to z
    • Find e such that (e×d) mod z = 1
  • Divide the plaintext into blocks of k bits, where 2^k < n
  • To encrypt P, compute C = P^e mod n
  • To decrypt C, compute P = C^d mod n
  • Public key = (e, n), private key = (d, n)

31
The RSA Algorithm (contd)
  • Fermat's Little Theorem: If p is prime and a is a positive integer not divisible by p, then
    a^(p-1) ≡ 1 mod p.
  • Example: a = 7, p = 19
    • 7^2 = 49 ≡ 11 mod 19
    • 7^4 ≡ 11^2 = 121 ≡ 7 mod 19
    • 7^8 ≡ 7^2 = 49 ≡ 11 mod 19
    • 7^16 ≡ 11^2 = 121 ≡ 7 mod 19
    • a^(p-1) = 7^18 = 7^16 × 7^2 ≡ 7 × 11 = 77 ≡ 1 mod 19

34
The RSA Algorithm (contd)
  • Example 1
    • Select two prime numbers, p = 7 and q = 17.
    • Calculate n = p × q = 7 × 17 = 119.
    • Calculate φ(n) = (p-1)(q-1) = 96.
    • Select e such that e is relatively prime to φ(n) = 96 and less than φ(n); in this case, e = 5.
    • Determine d such that d × e ≡ 1 mod 96 and d < 96. The correct value is d = 77, because 77 × 5 = 385 = 4 × 96 + 1.

36
The RSA Algorithm (contd)
  • The security of RSA
    • brute force: this involves trying all possible private keys.
    • mathematical attacks: there are several approaches, all equivalent in effect to factoring the product of two primes.
    • timing attacks: these depend on the running time of the decryption algorithm.

37
The RSA Algorithm (contd)
  • To avoid brute force attacks, a large key space is required.
  • To make n difficult to factor:
    • p and q should differ in length by only a few digits (both in the range of 10^75 to 10^100)
    • both (p-1) and (q-1) should contain a large prime factor
    • gcd(p-1, q-1) should be small
    • should avoid e < n and d < n^(1/4)

38
The RSA Algorithm (contd)
  • To make n difficult to factor (contd)
    • p and q should best be strong primes, where p is a strong prime if
      • there exist two large primes p1 and p2 such that p1 | (p-1) and p2 | (p+1)
      • there exist four large primes r1, s1, r2 and s2 such that r1 | (p1-1), s1 | (p1+1), r2 | (p2-1) and s2 | (p2+1)
    • e should not be too small, e.g. for e = 3 and C = M^3 mod n, if M^3 < n then M can be easily calculated
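An added example (not the lecture's own code) covering the Fermat slide, the RSA parameter steps and Example 1 (p = 7, q = 17, e = 5, d = 77), and the small-e case just described: with e = 3 and M^3 < n the ciphertext is the plain cube, so an exact integer cube root recovers M. The test keys other than the slide's are constructed here.

```python
# Added example (not from the slides): RSA parameter generation with the
# slide's numbers, a Fermat's-little-theorem check, and the e = 3 failure
# case the slide warns about. Standard library only.
from math import gcd


def fermat_holds(a: int, p: int) -> bool:
    """a^(p-1) ≡ 1 (mod p) for prime p with p not dividing a."""
    return pow(a, p - 1, p) == 1


def rsa_keygen(p: int, q: int, e: int) -> tuple:
    """Return ((e, n), (d, n)). The slide picks d and derives e; here e is
    given and d derived, which satisfies the same congruence e*d ≡ 1 (mod z)."""
    n = p * q
    z = (p - 1) * (q - 1)
    if gcd(e, z) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, z)                  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def rsa_encrypt(pub: tuple, m: int) -> int:
    e, n = pub
    assert 0 <= m < n, "each block must be smaller than n (2^k < n)"
    return pow(m, e, n)                # C = P^e mod n


def rsa_decrypt(priv: tuple, c: int) -> int:
    d, n = priv
    return pow(c, d, n)                # P = C^d mod n


def icbrt(x: int) -> int:
    """Exact integer cube root of x, or -1 if x is not a perfect cube.
    Binary search on integers, so it stays exact for huge moduli."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == x else -1


def small_e_recover(pub: tuple, c: int) -> int:
    """For e = 3 and M^3 < n the reduction mod n never wraps, so C is literally
    M^3 and anyone holding the public key can take the cube root.
    Returns -1 when the cube did wrap (M^3 >= n), i.e. when this shortcut fails."""
    e, n = pub
    assert e == 3
    return icbrt(c)
```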

40
The RSA Algorithm (contd)
  • Major threats
  • the continuing increase in computing power (100
    or even 1000 MIPS machines are easily available)
  • continuing refinement of factoring algorithms
    (from QS to GNFS and to SNFS)

43
RSA Algorithms (contd)
  • The security of RSA is based on the difficulty of factoring large numbers
    • It takes 4×10^9 years to factor a 200-digit number
    • It takes 10^25 years to factor a 500-digit number
  • RSA is too slow to actually encrypt large volumes of data, so it is primarily used for distribution of one-time session keys for use with DES algorithms

45
Elliptic Curve Cryptography (ECC)
  • For the same length of keys, faster than RSA
  • For the same degree of security, shorter keys are
    required than RSA
  • Standardized in IEEE P1363
  • Confidence level not yet as high as that in RSA
  • Much more difficult to explain than RSA

46
Elliptic Curve Cryptography (contd)
  • Computational effort for cryptanalysis of
    elliptic curve cryptography compared to RSA

48
Key Management
  • The distribution of public keys
    • public announcement
    • publicly available directory
    • public-key authority
    • public-key certificates
  • The use of public-key encryption to distribute secret keys
    • simple secret key distribution
    • secret key distribution with confidentiality and authentication

49
Key Management (contd)
  • Public announcement

50
Key Management (contd)
  • Public announcement (contd)
    • advantages: convenience
    • disadvantages: forgery of such a public announcement by anyone

51
Key Management (contd)
  • Publicly available directory

52
Key Management (contd)
  • Publicly available directory (contd)
    • elements of the scheme:
      • a (name, public key) entry for each participant in the directory
      • in-person or secure registration
      • on-demand entry update
      • periodic publication of the directory
      • availability of secure electronic access from the directory to participants
    • advantages: greater degree of security

53
Key Management (contd)
  • Publicly available directory (contd)
    • disadvantages:
      • need of a trusted entity or organization
      • need of an additional security mechanism from the directory authority to participants
      • vulnerability of the private key of the directory authority (global-scale disaster if the private key of the directory authority is compromised)
      • vulnerability of the directory records

54
Key Management (contd)
  • Public-key authority

55
Key Management (contd)
  • Public-key authority (contd)
    • stronger security for public-key distribution can be achieved by providing tighter control over the distribution of public keys from the directory
    • each participant can verify the identity of the authority
    • participants can verify the identities of each other
    • disadvantages:
      • bottleneck effect of the public-key authority
      • vulnerability of the directory records

56
Key Management (contd)
  • Public-key certificates

57
Key Management (contd)
  • Public-key certificates (contd)
    • to use certificates that can be used by participants to exchange keys without contacting a public-key authority
    • requirements on the scheme:
      • any participant can read a certificate to determine the name and public key of the certificate's owner
      • any participant can verify that the certificate originated from the certificate authority and is not counterfeit
      • only the certificate authority can create and update certificates
      • any participant can verify the currency of the certificate

58
Key Management (contd)
  • Public-key certificates (contd)
    • advantages:
      • certificates can be used by participants to exchange keys without contacting a public-key authority
      • in a way that is as reliable as if the key were obtained directly from a public-key authority
      • no on-line bottleneck effect
    • disadvantages: need of a certificate authority

59
Key Management (contd)
  • Simple secret key distribution

60
Key Management (contd)
  • Simple secret key distribution (contd)
    • advantages:
      • simplicity
      • no keys stored before and after the communication
      • security against eavesdropping
    • disadvantages:
      • lack of an authentication mechanism between participants
      • vulnerability to an active attack (opponent active only in the process of obtaining Ks)
      • leak of the secret key upon such active attacks

61
Key Management (contd)
  • Secret key distribution with confidentiality and
    authentication

62
Key Management (contd)
  • Secret key distribution with confidentiality and authentication (contd)
    • provides protection against both active and passive attacks
    • ensures both confidentiality and authentication in the exchange of a secret key
    • public keys should be obtained a priori
    • more complicated

63
Diffie-Hellman Key Exchange
  • First public-key algorithm published
  • Limited to key exchange
  • Dependent for its effectiveness on the difficulty
    of computing discrete logarithm

64
Diffie-Hellman Key Exchange (contd)
  • Diffie-Hellman key exchange
    • n, g: large prime numbers with additional conditions
    • n and g may be made public
    • x, y: large (say, 512-bit) numbers
[Figure: (1) Alice sends n, g, g^x mod n to Bob; Bob computes (g^x mod n)^y = g^xy mod n. (2) Bob sends g^y mod n to Alice; Alice computes (g^y mod n)^x = g^xy mod n.]
  • g^xy mod n is the secret key
  • it is very difficult to find x given g^x mod n

65
Diffie-Hellman Key Exchange (contd)
  • Define a primitive root of a prime number p as one whose powers generate all the integers from 1 to p-1.
  • If a is a primitive root of the prime number p, then the numbers
    a mod p, a^2 mod p, ..., a^(p-1) mod p
    are distinct and consist of the integers from 1 to p-1 in some permutation.
  • Not every number has a primitive root.

66
Diffie-Hellman Key Exchange (contd)
  • For any integer b and a primitive root a of prime number p, one can find a unique exponent i such that
    b = a^i mod p, where 0 ≤ i ≤ (p-1).
  • The exponent is referred to as the discrete logarithm, or index, of b for the base a, mod p.
  • This value is denoted as ind_{a,p}(b).

68
Diffie-Hellman Key Exchange (contd)
  • Example
    • q = 97 and a primitive root a = 5 is selected.
    • XA = 36 and XB = 58 (both < 97).
    • YA = 5^36 mod 97 = 50 and
    • YB = 5^58 mod 97 = 44.
    • K = (YB)^XA mod 97 = 44^36 mod 97 = 75.
    • K = (YA)^XB mod 97 = 50^58 mod 97 = 75.
    • 75 cannot easily be computed by the opponent.

69
Diffie-Hellman Key Exchange (contd)
  • How the algorithm works


71
Diffie-Hellman Key Exchange (contd)
  • q, a, YA and YB are public.
  • To attack the secret key of user B, the opponent must compute
    XB = ind_{a,q}(YB), since YB = a^XB mod q.
  • The effectiveness of this algorithm therefore depends on the difficulty of solving the discrete logarithm problem.

72
Attack on Diffie-Hellman Key Exchange
  • Bucket brigade attack
[Figure: Alice picks x, Trudy picks z, Bob picks y. (1) Alice sends n, g, g^x mod n, which Trudy intercepts. (2) Trudy sends n, g, g^z mod n to Bob. Bob replies to Trudy with g^y mod n, and Trudy replies to Alice with g^z mod n.]
  • (g^xz mod n) becomes the secret key between Alice and Trudy, while (g^yz mod n) becomes the secret key between Trudy and Bob
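An added example (not the lecture's own code) for the Diffie-Hellman slides above: the exchange with the slide's numbers (q = 97, a = 5, XA = 36, XB = 58), the primitive-root test, the discrete logarithm ind_{a,q}(b) by exhaustive search (feasible only because q is tiny), and the bucket brigade position in which Trudy ends up holding one key with each honest side. Trudy's exponent z is constructed.

```python
# Added example (not from the slides): Diffie-Hellman with the slide's small
# parameters, the primitive-root check, the brute-force discrete logarithm an
# opponent would need, and the bucket brigade (man-in-the-middle) outcome.

def is_primitive_root(a: int, p: int) -> bool:
    """a is a primitive root of prime p if a, a^2, ..., a^(p-1) mod p are distinct."""
    return len({pow(a, i, p) for i in range(1, p)}) == p - 1


def discrete_log(a: int, p: int, b: int) -> int:
    """ind_{a,p}(b): the i in 0..p-2 with a^i ≡ b (mod p), by exhaustive search.
    This loop is the work the opponent faces; for real sizes it is infeasible."""
    for i in range(p - 1):
        if pow(a, i, p) == b:
            return i
    raise ValueError("b has no logarithm to base a (a is not a primitive root?)")


def dh_public(a: int, q: int, x: int) -> int:
    return pow(a, x, q)                           # Y = a^x mod q


def dh_shared(y_other: int, x_own: int, q: int) -> int:
    return pow(y_other, x_own, q)                 # K = Y_other^x_own mod q


def dh_exchange(a: int, q: int, xa: int, xb: int) -> tuple:
    """Honest run: returns (YA, YB, K); both sides derive the same K."""
    ya, yb = dh_public(a, q, xa), dh_public(a, q, xb)
    ka, kb = dh_shared(yb, xa, q), dh_shared(ya, xb, q)
    assert ka == kb
    return ya, yb, ka


def bucket_brigade(a: int, q: int, xa: int, xb: int, z: int) -> tuple:
    """Trudy substitutes a^z for both public values, so each honest side now
    shares a key with Trudy rather than with the other. Returns the two keys
    (Alice-Trudy, Trudy-Bob); nothing in the exchange lets Alice or Bob notice."""
    ya, yb, yz = dh_public(a, q, xa), dh_public(a, q, xb), dh_public(a, q, z)
    k_alice = dh_shared(yz, xa, q)                # Alice believes yz came from Bob
    k_bob = dh_shared(yz, xb, q)                  # Bob believes yz came from Alice
    # Trudy computes the same two keys from the values she intercepted.
    assert k_alice == dh_shared(ya, z, q) and k_bob == dh_shared(yb, z, q)
    return k_alice, k_bob
```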

73
Authentication Protocols
  • Authorization
    • verifies what a process is permitted to do
  • Authentication
    • verifies the identity of the process that you are talking to
    • public and private keys are used for authentication, and for establishing the session key (a secret key)
    • all data communicated is then encrypted using secret key cryptography

74
Authentication Based on a Shared Secret Key
  • Challenge-response protocol
Message exchange (from the figure; K_AB is the shared secret key between Alice and Bob, R_A and R_B are random challenges):
  1. Alice -> Bob: A
  2. Bob -> Alice: R_B (challenge)
  3. Alice -> Bob: K_AB(R_B) (response); after step 3, Bob verifies Alice's identity
  4. Alice -> Bob: R_A (challenge)
  5. Bob -> Alice: K_AB(R_A) (response); after step 5, Alice verifies Bob's identity
  6. K_AB(K_S): session key, if needed
75
Authentication Based on a Shared Secret Key
(contd)
  • Can we reduce the number of messages exchanged, e.g.,
Message exchange (from the figure):
  1. Alice -> Bob: A, R_A (challenge)
  2. Bob -> Alice: R_B, K_AB(R_A) (response/challenge)
  3. Alice -> Bob: K_AB(R_B) (response)
  • Only three, instead of five, messages are exchanged

76
Authentication Based on a Shared Secret Key
(contd)
  • The shortened protocol can be defeated by a reflection attack
Message exchange (from the figure):
  1. Trudy -> Bob (first session): A, R_T
  2. Bob -> Trudy (first session): R_B, K_AB(R_T)
  3. Trudy -> Bob (second session): A, R_B
  4. Bob -> Trudy (second session): R_B2, K_AB(R_B)
  5. Trudy -> Bob (first session): K_AB(R_B)
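A simulation of the shortened protocol and the reflection against it, as an added example (not the lecture's own code). K_AB(x) is modelled as HMAC-SHA256, which the slide does not specify, and the Bob responder class and session bookkeeping are constructed here.

```python
# Added example (not from the slides): the three-message protocol above and
# the reflection attack on it. Bob answers any challenge in any session, so
# Trudy, who holds no key, gets Bob to compute K_AB(R_B) for her in a second
# session and replays it to finish the first.
import hashlib
import hmac
import os


def kab(key: bytes, nonce: bytes) -> bytes:
    """K_AB(x): keyed response function (assumption: HMAC-SHA256)."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class Bob:
    """Responder in the shortened protocol; every message 1 opens a session."""
    def __init__(self, key: bytes):
        self.key = key
        self.sessions = {}                 # session id -> R_B it is waiting for

    def msg1(self, sid: int, claimed_id: str, r: bytes) -> tuple:
        """Receive 'claimed_id, R'; reply with message 2: R_B, K_AB(R).
        Bob answers before the initiator has proved anything."""
        r_b = os.urandom(16)
        self.sessions[sid] = r_b
        return r_b, kab(self.key, r)

    def msg3(self, sid: int, response: bytes) -> bool:
        """Receive message 3 and decide whether the initiator knew K_AB."""
        r_b = self.sessions.pop(sid)
        return hmac.compare_digest(response, kab(self.key, r_b))


def honest_run(key: bytes) -> bool:
    """Alice, who knows K_AB, completes the protocol."""
    bob = Bob(key)
    r_a = os.urandom(16)
    r_b, resp = bob.msg1(1, "A", r_a)                 # Alice sends A, R_A
    assert hmac.compare_digest(resp, kab(key, r_a))   # Alice checks Bob's answer
    return bob.msg3(1, kab(key, r_b))                 # Alice answers R_B


def reflection_attack(key: bytes) -> bool:
    """Trudy never touches `key`; it only exists so that Bob can be built.
    Returns True if Bob accepts Trudy as Alice in the first session."""
    bob = Bob(key)
    r_t = os.urandom(16)
    r_b, _ = bob.msg1(1, "A", r_t)        # session 1: Bob challenges with R_B
    _, reflected = bob.msg1(2, "A", r_b)  # session 2: ask Bob to answer R_B himself
    return bob.msg3(1, reflected)         # session 1 closed with Bob's own answer
```

The five-message version is not open to this trick because Bob only answers a challenge (step 5) after Alice has already proved her identity at step 3.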
77
Authentication Using a Key Distribution Center
  • Need a trusted Key Distribution Center (KDC)
  • Wide-mouth frog: the simplest KDC authentication protocol
Message exchange (from the figure):
  1. Alice -> KDC: A, K_A(B, K_S)
  2. KDC -> Bob: K_B(A, K_S)
  • Replay attack
    • an intruder can just replay message 2 (and any following messages) to Bob later, and Bob has no way to tell if it is a second connection from Alice

78
Authentication Using Public-Key
  • Assume both sides already know each other's public keys
  • This is not a trivial assumption, as explained previously
Message exchange (from the figure):
  1. Alice -> Bob: E_B(A, R_A)
  2. Bob -> Alice: E_A(R_A, R_B, K_S); Alice verifies Bob's identity
  3. Alice -> Bob: K_S(R_B); Bob verifies Alice's identity
79
Digital Signatures
  • What is needed is a system by which one party can
    send a signed message to another party such
    that
  • The receiver can verify the claimed identity of
    the sender
  • The sender cannot later repudiate the contents of
    the message
  • The receiver cannot possibly have concocted the
    message itself

80
Secret-Key Signatures
  • Assumes a central authority, say Big Brother (BB), that knows everyone's secret key
Message exchange (from the figure):
  1. Alice -> BB: A, K_A(B, R_A, t, P)
  2. BB -> Bob: K_B(A, R_A, t, P, K_BB(A, t, P))
  • Bob has K_BB(A, t, P), which is proof that Alice sent message P at time t
  • To guard against replay attacks
    • A message is discarded if its timestamp is too old
    • For a recent message, it is discarded if R_A is a duplicate

81
Public-Key Signatures
  • Assumes both D(E(P)) = P and E(D(P)) = P (the RSA algorithm has such a property)
[Figure: Alice's computer applies her private key D_A to P and then Bob's public key E_B, sending E_B(D_A(P)) over the transmission line; Bob's computer applies his private key D_B to recover D_A(P), then Alice's public key E_A to recover P.]
  • Bob has P and D_A(P), which is proof that Alice sent P

82
Message Digests
  • It is often desirable to send signed plaintext documents because encrypting the complete document may take too much time
  • Message Digest (MD): hash plaintext to a fixed-length bit string such that
    • Given P, it is easy to compute MD(P)
    • Given MD(P), it is effectively impossible to find P
    • No one can generate two messages that have the same message digest
[Figure: P is hashed to an m-bit MD(P).]
83
Message Digests (contd)
  • Public-key message digest
Message exchange (from the figure):
  Alice -> Bob: P, D_A(MD(P))
  • Most widely used message digest functions
    • MD5
    • SHA (Secure Hash Algorithm)
  • An m-bit MD system may possibly be broken in O(2^(m/2)) time (referred to as the birthday attack in the text)
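An added example (not the lecture's own code) for the signed-digest exchange and the birthday bound: the digest is SHA-256 truncated to m bits so that a collision is actually found in about 2^(m/2) random messages rather than 2^m; the signing step uses the textbook RSA operation with a small constructed key pair (p = 61, q = 53, e = 17, d = 2753), since the standard library has no RSA.

```python
# Added example (not from the slides): sign-the-digest instead of the whole
# document, and an experiment showing the birthday bound on an m-bit digest.
import hashlib
import os

# Constructed toy RSA pair: n = 61*53 = 3233, e = 17, d = 2753 (17*2753 ≡ 1 mod 3120).
TOY_PUB = (17, 3233)
TOY_PRIV = (2753, 3233)


def md(message: bytes, m_bits: int = 256) -> int:
    """m-bit message digest: SHA-256 truncated to its top m bits (m = 256 is
    the real thing; small m only so the collision search below terminates)."""
    full = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return full >> (256 - m_bits)


def sign_digest(message: bytes, priv: tuple, m_bits: int) -> int:
    """D_A(MD(P)): only the short digest goes through the slow private-key op.
    Requires MD(P) < n, which the toy key only allows for small m_bits."""
    d, n = priv
    digest = md(message, m_bits)
    assert digest < n, "digest must fit below the modulus"
    return pow(digest, d, n)


def verify_digest(message: bytes, sig: int, pub: tuple, m_bits: int) -> bool:
    """E_A(D_A(MD(P))) == MD(P), recomputing the digest from the received P."""
    e, n = pub
    return pow(sig, e, n) == md(message, m_bits)


def birthday_collision(m_bits: int, max_trials: int = 1 << 20) -> tuple:
    """Draw random messages until two distinct ones share an m-bit digest.
    Returns (trials, msg1, msg2); trials is expected near 2^(m/2), far below
    the 2^m a preimage search would need."""
    seen = {}
    for trials in range(1, max_trials + 1):
        msg = os.urandom(8)                      # constructed random message
        h = md(msg, m_bits)
        if h in seen and seen[h] != msg:
            return trials, seen[h], msg
        seen[h] = msg
    raise RuntimeError("no collision within max_trials")
```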

85
Discussions
  • What do you think are the major security threats
    in the Internet? What are possible measures and
    strategies to address such threats?
  • What products, policies and processes of your
    company are worth recommending?