Title: Information Security - Frank Yeong-Sung Lin, Department of Information Management, National Taiwan University
Slide 1: Information Security
Frank Yeong-Sung Lin
Department of Information Management, National Taiwan University
EMBA 2009 Information Systems and Applications, Lecture II
Slide 2: Information Security
Information security can be roughly divided into 4 areas:
- Secrecy: keep information unrevealed
- Authentication: determine the identity of whom you are talking to
- Nonrepudiation: make sure that someone cannot deny the things he/she has done
- Integrity control: make sure the message you received has not been modified
Slide 3: Information Security (contd)
Information security functionality can be distributed across several protocol layers:
- Physical layer: protect the transmission link from wiretapping
- Data link layer: link encryption
- Network layer: firewall, packet filter
- Application layer: authentication, non-repudiation, integrity control (and secrecy/confidentiality)
Slide 4: Information Security (contd)
A number of essential concepts to begin with:
- Risk management
  - threats, vulnerabilities, assets, damages and probabilities
  - balancing acts
  - all cryptosystems may be compromised
- Notion of chains (Achilles' heel)
- Notion of buckets (products, policies, processes and people)
- Defense in depth
- Average vs. worst cases
- Backup, restoration and contingency plans
Slide 5: Traditional Cryptography
[Figure: the encryption model. Plaintext P is encrypted with key K into EK(P); on the link a passive intruder only listens while an active intruder alters messages; the receiver decrypts with key K, so that DK(EK(P)) = P]
- The model depends on a stable public algorithm and a key
- The work factor for breaking the system by exhaustive search of the key space is exponential in the key length
- Two categories: substitution ciphers vs. transposition ciphers
Slide 6: Traditional Cryptography (contd)
- Simplified model of traditional cryptography (figure)
Slide 7: Traditional Cryptography (contd)
- Model of traditional cryptography (figure)
Slide 8: Substitution Cipher
- Caesar cipher
  - Every letter is shifted by k positions, e.g., with k = 3, a becomes D, b becomes E, ...
  - For example, "attack" becomes DWWDFN
- Mono-alphabetic substitution
  - Plaintext:  abcdefghijklmnopqrstuvwxyz
  - Ciphertext: QWERTYUIOPASDFGHJKLZXCVBNM
  - The key space is 26! ≈ 4 x 10^26
  - Still, the cipher may be broken easily by taking advantage of the frequency statistics of English text (e.g., e, a, th, er, and, the appear very often)
Slide 9: Substitution Cipher (contd)
- Relative frequency of letters in English text (figure)
Slide 10: Transposition Ciphers
Key: M E G A B U C K (column numbers in alphabetical order of the key letters: 7 4 5 1 2 8 3 6)
  p l e a s e t r
  a n s f e r o n
  e m i l l i o n
  d o l l a r s t
  o m y s w i s s
  b a n k a c c o
  u n t s i x t w
  o t w o a b c d
Plaintext: pleasetransferonemilliondollarstomyswissbankaccountsixtwotwo
Ciphertext: AFLLSKSOSELAWAIATOOSSCTCLNMOMANTESILYNTWRNNTSOWDPAEDOBUOERIRICXB
- Plaintext is written horizontally (the last row padded with abcd), while the ciphertext is read out by column, starting with the lowest-numbered key column
- To break the transposition cipher:
  - guess a probable word or phrase (e.g., milliondollars)
  - try to determine the key length, then order the columns
- Another related example regarding Newton
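The MEGABUCK cipher of this slide, as an added example (not code from the lecture): encryption, decryption, and the letter-frequency check a cryptanalyst uses to tell a transposition from a substitution. The plaintext and ciphertext constants are the slide's own values; the padding string is the slide's abcd.

```python
# Added example (not from the lecture): the columnar transposition cipher of the
# MEGABUCK slide. The constants below are the slide's own plaintext/ciphertext.
from collections import Counter

KEY = "MEGABUCK"
PLAINTEXT = "pleasetransferonemilliondollarstomyswissbankaccountsixtwotwo"
CIPHERTEXT = "AFLLSKSOSELAWAIATOOSSCTCLNMOMANTESILYNTWRNNTSOWDPAEDOBUOERIRICXB"


def column_order(key):
    """Column indices in read-out order: the column under the alphabetically
    smallest key letter first (ties broken left to right)."""
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def key_numbers(key):
    """The per-column numbers printed under the key on the slide (1 = read first)."""
    numbers = [0] * len(key)
    for rank, col in enumerate(column_order(key), start=1):
        numbers[col] = rank
    return numbers


def transpose_encrypt(plaintext, key, pad="abcd"):
    width = len(key)
    text = plaintext
    # Fill the last row so the grid is rectangular, as the slide does with "abcd".
    while len(text) % width:
        text += pad[(len(text) - len(plaintext)) % len(pad)]
    rows = [text[r:r + width] for r in range(0, len(text), width)]
    # Read the grid out column by column, lowest key number first.
    return "".join(row[c] for c in column_order(key) for row in rows).upper()


def transpose_decrypt(ciphertext, key):
    width = len(key)
    height = len(ciphertext) // width
    columns = [""] * width
    # Ciphertext arrives as consecutive columns in key-number order; put each back.
    for pos, c in enumerate(column_order(key)):
        columns[c] = ciphertext[pos * height:(pos + 1) * height]
    return "".join(columns[c][r] for r in range(height) for c in range(width)).lower()


def preserves_letter_frequencies(plaintext, ciphertext):
    """A transposition only reorders letters, so the letter histogram survives;
    that unchanged histogram is what distinguishes it from a substitution."""
    return Counter(plaintext.lower()) == Counter(ciphertext.lower())
```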
Slide 11: Other Interesting Ciphers
- Chinese poems
- Clubs and leather strips
- Invisible ink (steganography in general)
- Books
- Code books
- Enigma
- XOR
- Ej/vu3z8h96
Slide 12: Two Fundamental Cryptographic Principles
- First principle
  - All encrypted messages must contain redundancy to prevent active intruders from tricking the receiver into acting on a false message
  - However, the same redundancy makes it easier for passive intruders to break the system
- Second principle
  - Some measures must be taken to prevent active intruders from replaying old messages, e.g., use a timestamp to
    - filter out duplicate messages within a certain time window
    - discard incoming messages that are too old
Slide 13: Secret-Key Algorithms
- Consist of a sequence of transpositions and substitutions
  - P-box (permutation)
  - S-box (substitution)
  - Product cipher (P-boxes and S-boxes combined in stages)
Slide 14: Data Encryption Standard (DES)
- Plaintext is encrypted in blocks of 64 bits
- DES is basically a mono-alphabetic substitution cipher using a 64-bit "character"
[Figure: DES outline. The 64-bit plaintext block passes through an initial transposition, 16 iterations driven by subkeys K1 .. K16 derived from the 56-bit key, a 32-bit swap, and an inverse transposition, giving the 64-bit ciphertext. Each iteration works on two 32-bit halves: Li = Ri-1 and Ri = Li-1 XOR f(Ri-1, Ki)]
Slide 15: DES Chaining
- DES applied block by block (each 64-bit block encrypted independently) may be vulnerable to active intruders
  - Example: a file of fixed-size records (8 bytes of Name, 8 bytes of Bonus), e.g., Leslie 0000010 and Kimberly 0100000
  - An intruder may copy the encrypted bonus block of one row to the row above without knowing the key; after decryption the row above carries the copied bonus
- Chaining: each plaintext block Pi is XORed with the previous ciphertext block Ci-1 before encryption with the key; the first block is XORed with an initialization vector IV
  - Encryption: C0 = E(P0 XOR IV), Ci = E(Pi XOR Ci-1)
  - Decryption: P0 = D(C0) XOR IV, Pi = D(Ci) XOR Ci-1
Slide 16: Breaking DES
- Exhaustive search of the key space: 2^56 ≈ 7 x 10^16 keys
  - can use multiple computers to do the search in parallel
- Running DES twice consecutively with two different 56-bit keys creates a key space of 2^112 ≈ 5 x 10^33
  - but it still can be broken by the meet-in-the-middle attack in Θ(2^57) time, because
    Ci = EK2(EK1(Pi)) implies DK2(Ci) = EK1(Pi)
Slide 17: Triple DES Encryption
- Encryption: C = EK1(DK2(EK1(P)))
- Decryption: P = DK1(EK2(DK1(C)))
- Using EDE (2 encryptions and 1 decryption) instead of EEE is for backward compatibility (when K1 = K2) with single-stage DES systems
- Using EEE with 3 different keys is basically unbreakable nowadays
Slide 18: Public-Key Algorithms
- Encryption (E) and decryption (D) algorithms must meet the following requirements:
  - E and D are different
  - D(E(P)) = P
  - It is exceedingly difficult to deduce D from E
- Everyone has a pair of keys: public key (E) and private key (D)
  - Public key is made known to the world
  - Private key is to be kept private all the time
[Figure: A sends EB(P1) to B, who recovers DB(EB(P1)) = P1; B sends EA(P2) to A, who recovers DA(EA(P2)) = P2]
Slide 19: Principles of Public-Key Cryptosystems
Slide 20: Principles of Public-Key Cryptosystems (contd)
- Requirements for PKC
  - easy for B (receiver) to generate KUb and KRb
  - easy for A (sender) to calculate C = EKUb(M)
  - easy for B to calculate M = DKRb(C) = DKRb(EKUb(M))
  - infeasible for an opponent to calculate KRb from KUb
  - infeasible for an opponent to calculate M from C and KUb
  - (useful but not necessary) M = DKRb(EKUb(M)) = EKUb(DKRb(M)) (true for RSA and good for authentication)
Slide 21: Principles of Public-Key Cryptosystems (contd)
Slide 22: Principles of Public-Key Cryptosystems (contd)
- The idea of PKC was first proposed by Diffie and Hellman in 1976.
- Two keys (public and private) are needed.
- The difficulty of calculating f^-1 typically rests on
  - factorization of large numbers
  - resolution of NP-complete problems
  - calculation of discrete logarithms
- High complexity confines PKC to key management and signature applications
Slide 23: Principles of Public-Key Cryptosystems (contd)
Slide 24: Principles of Public-Key Cryptosystems (contd)
Slide 25: Principles of Public-Key Cryptosystems (contd)
- Comparison between conventional and public-key encryption (table)
Slide 26: Principles of Public-Key Cryptosystems (contd)
- Applications for PKC
  - encryption/decryption
  - digital signature
  - key exchange
Slide 27: Principles of Public-Key Cryptosystems (contd)
Slide 28: Principles of Public-Key Cryptosystems (contd)
Slide 29: Principles of Public-Key Cryptosystems (contd)
Slide 30: RSA Algorithms
- Developed by Rivest, Shamir, and Adleman at MIT in 1978
- First compute the following parameters:
  - Choose two large primes, p and q (typically > 10^100)
  - Compute n = p x q and z = (p-1) x (q-1)
  - Choose d, which is a number relatively prime to z
  - Find e such that (e x d) mod z = 1
- Divide the plaintext into blocks of k bits, where 2^k < n
  - To encrypt P, compute C = P^e mod n
  - To decrypt C, compute P = C^d mod n
- Public key: (e, n); private key: (d, n)
Slide 31: The RSA Algorithm (contd)
- Fermat's Little Theorem: if p is prime and a is a positive integer not divisible by p, then
  - a^(p-1) ≡ 1 (mod p)
- Example: a = 7, p = 19
  - 7^2 = 49 ≡ 11 (mod 19)
  - 7^4 ≡ 11^2 = 121 ≡ 7 (mod 19)
  - 7^8 ≡ 7^2 = 49 ≡ 11 (mod 19)
  - 7^16 ≡ 11^2 = 121 ≡ 7 (mod 19)
  - a^(p-1) = 7^18 = 7^16 x 7^2 ≡ 7 x 11 = 77 ≡ 1 (mod 19)
Slide 32: The RSA Algorithm (contd)
Slide 33: The RSA Algorithm (contd)
Slide 34: The RSA Algorithm (contd)
- Example 1
  - Select two prime numbers, p = 7 and q = 17.
  - Calculate n = p x q = 7 x 17 = 119.
  - Calculate φ(n) = (p-1)(q-1) = 96.
  - Select e such that e is relatively prime to φ(n) = 96 and less than φ(n); in this case, e = 5.
  - Determine d such that d x e ≡ 1 (mod 96) and d < 96. The correct value is d = 77, because 77 x 5 = 385 = 4 x 96 + 1.
Slide 35: The RSA Algorithm (contd)
Slide 36: The RSA Algorithm (contd)
- The security of RSA
  - brute force: trying all possible private keys
  - mathematical attacks: several approaches, all equivalent in effect to factoring the product of two primes
  - timing attacks: these depend on the running time of the decryption algorithm
Slide 37: The RSA Algorithm (contd)
- To avoid brute force attacks, a large key space is required.
- To make n difficult to factor:
  - p and q should differ in length by only a few digits (both in the range of 10^75 to 10^100)
  - both (p-1) and (q-1) should contain a large prime factor
  - gcd(p-1, q-1) should be small
  - should avoid e < n together with d < n^(1/4)
Slide 38: The RSA Algorithm (contd)
- To make n difficult to factor (contd)
  - p and q should preferably be strong primes, where p is a strong prime if
    - there exist two large primes p1 and p2 such that p1 | (p-1) and p2 | (p+1)
    - there exist four large primes r1, s1, r2 and s2 such that r1 | (p1-1), s1 | (p1+1), r2 | (p2-1) and s2 | (p2+1)
  - e should not be too small, e.g., for e = 3 and C = M^3 mod n, if M^3 < n then M can be easily calculated (C is then just M^3, with no modular reduction)
Slide 39: The RSA Algorithm (contd)
Slide 40: The RSA Algorithm (contd)
- Major threats
  - the continuing increase in computing power (100 or even 1000 MIPS machines are easily available)
  - continuing refinement of factoring algorithms (from QS to GNFS and to SNFS)
Slide 41: The RSA Algorithm (contd)
Slide 42: The RSA Algorithm (contd)
Slide 43: RSA Algorithms (contd)
- The security of RSA is based on the difficulty of factoring large numbers
  - It takes 4 x 10^9 years to factor a 200-digit number
  - It takes 10^25 years to factor a 500-digit number
- RSA is too slow to actually encrypt large volumes of data, so it is primarily used for distribution of one-time session keys for use with DES algorithms
Slide 44: The RSA Algorithm (contd)
Slide 45: Elliptic Curve Cryptography (ECC)
- For the same key length, faster than RSA
- For the same degree of security, shorter keys are required than for RSA
- Standardized in IEEE P1363
- Confidence level not yet as high as that in RSA
- Much more difficult to explain than RSA
Slide 46: Elliptic Curve Cryptography (contd)
- Computational effort for cryptanalysis of elliptic curve cryptography compared to RSA (table)
Slide 47: Elliptic Curve Cryptography (contd)
Slide 48: Key Management
- The distribution of public keys
  - public announcement
  - publicly available directory
  - public-key authority
  - public-key certificates
- The use of public-key encryption to distribute secret keys
  - simple secret key distribution
  - secret key distribution with confidentiality and authentication
Slide 49: Key Management (contd)
Slide 50: Key Management (contd)
- Public announcement (contd)
  - advantages: convenience
  - disadvantages: anyone can forge such a public announcement
Slide 51: Key Management (contd)
- Publicly available directory
Slide 52: Key Management (contd)
- Publicly available directory (contd)
  - elements of the scheme
    - a {name, public key} entry for each participant in the directory
    - in-person or secure registration
    - on-demand entry update
    - periodic publication of the directory
    - availability of secure electronic access from the directory to participants
  - advantages: greater degree of security
Slide 53: Key Management (contd)
- Publicly available directory (contd)
  - disadvantages
    - need for a trusted entity or organization
    - need for an additional security mechanism from the directory authority to participants
    - vulnerability of the private key of the directory authority (global-scale disaster if the private key of the directory authority is compromised)
    - vulnerability of the directory records
Slide 54: Key Management (contd)
Slide 55: Key Management (contd)
- Public-key authority (contd)
  - stronger security for public-key distribution can be achieved by providing tighter control over the distribution of public keys from the directory
  - each participant can verify the identity of the authority
  - participants can verify the identities of each other
  - disadvantages
    - bottleneck effect of the public-key authority
    - vulnerability of the directory records
Slide 56: Key Management (contd)
Slide 57: Key Management (contd)
- Public-key certificates (contd)
  - certificates can be used by participants to exchange keys without contacting a public-key authority
  - requirements on the scheme
    - any participant can read a certificate to determine the name and public key of the certificate's owner
    - any participant can verify that the certificate originated from the certificate authority and is not counterfeit
    - only the certificate authority can create and update certificates
    - any participant can verify the currency of the certificate
Slide 58: Key Management (contd)
- Public-key certificates (contd)
  - advantages
    - certificates can be used by participants to exchange keys without contacting a public-key authority
    - in a way that is as reliable as if the key were obtained directly from a public-key authority
    - no on-line bottleneck effect
  - disadvantages: need for a certificate authority
Slide 59: Key Management (contd)
- Simple secret key distribution
Slide 60: Key Management (contd)
- Simple secret key distribution (contd)
  - advantages
    - simplicity
    - no keys stored before and after the communication
    - security against eavesdropping
  - disadvantages
    - lack of an authentication mechanism between participants
    - vulnerability to an active attack (the opponent needs to be active only during the process of obtaining Ks)
    - leak of the secret key upon such active attacks
Slide 61: Key Management (contd)
- Secret key distribution with confidentiality and authentication
Slide 62: Key Management (contd)
- Secret key distribution with confidentiality and authentication (contd)
  - provides protection against both active and passive attacks
  - ensures both confidentiality and authentication in the exchange of a secret key
  - public keys should be obtained a priori
  - more complicated
Slide 63: Diffie-Hellman Key Exchange
- First public-key algorithm published
- Limited to key exchange
- Dependent for its effectiveness on the difficulty of computing discrete logarithms
Slide 64: Diffie-Hellman Key Exchange (contd)
- Diffie-Hellman key exchange
  - n, g: large prime numbers with additional conditions
  - n and g may be made public
  - x, y: large (say, 512-bit) numbers, chosen by Alice and Bob respectively
  - message 1 (Alice to Bob): n, g, g^x mod n
  - message 2 (Bob to Alice): g^y mod n
  - Bob computes (g^x mod n)^y = g^xy mod n
  - Alice computes (g^y mod n)^x = g^xy mod n
  - g^xy mod n is the secret key
  - it is very difficult to find x given g^x mod n
Slide 65: Diffie-Hellman Key Exchange (contd)
- Define a primitive root of a prime number p as one whose powers generate all the integers from 1 to p-1.
- If a is a primitive root of the prime number p, then the numbers
  - a mod p, a^2 mod p, ..., a^(p-1) mod p
  - are distinct and consist of the integers from 1 to p-1 in some permutation.
- Not every number has a primitive root.
Slide 66: Diffie-Hellman Key Exchange (contd)
- For any integer b and a primitive root a of prime number p, one can find a unique exponent i such that
  - b = a^i mod p, where 0 ≤ i ≤ (p-1).
- The exponent is referred to as the discrete logarithm, or index, of b for the base a, mod p.
- This value is denoted as ind_{a,p}(b).
Slide 67: Diffie-Hellman Key Exchange (contd)
Slide 68: Diffie-Hellman Key Exchange (contd)
- Example
  - q = 97 and a primitive root a = 5 is selected.
  - XA = 36 and XB = 58 (both < 97).
  - YA = 5^36 mod 97 = 50 and
  - YB = 5^58 mod 97 = 44.
  - K = (YB)^XA mod 97 = 44^36 mod 97 = 75.
  - K = (YA)^XB mod 97 = 50^58 mod 97 = 75.
  - 75 cannot easily be computed by the opponent.
Slide 69: Diffie-Hellman Key Exchange (contd)
Slide 70: Diffie-Hellman Key Exchange (contd)
Slide 71: Diffie-Hellman Key Exchange (contd)
- q, a, YA and YB are public.
- To attack the secret key of user B, the opponent must compute
  - XB = ind_{a,q}(YB), since YB = a^XB mod q.
- The effectiveness of this algorithm therefore depends on the difficulty of solving the discrete logarithm problem.
Slide 72: Attack on Diffie-Hellman Key Exchange
- Alice picks x, Trudy picks z, Bob picks y
  1. Alice -> Trudy (intended for Bob): n, g, g^x mod n
  2. Trudy -> Bob (posing as Alice): n, g, g^z mod n
  3. Trudy -> Alice (posing as Bob): g^z mod n
  4. Bob -> Trudy (intended for Alice): g^y mod n
- (g^xz mod n) becomes the secret key between Alice and Trudy, while (g^yz mod n) becomes the secret key between Trudy and Bob
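The exchange of slide 68 and the interception of slide 72, as an added example (not code from the lecture): the toy parameters q = 97, a = 5, XA = 36, XB = 58 are the slide's, the brute-force discrete logarithm shows why such a small q gives no security, and mitm_exchange shows that without authentication of the public values Alice and Bob each end up sharing a key with Trudy rather than with each other. The class Party and the function names are this example's own.

```python
# Added example (not from the lecture): Diffie-Hellman with the slide's toy
# parameters, a brute-force discrete logarithm that is feasible only at toy
# size, and the man-in-the-middle scenario of the attack slide.
import secrets


class Party:
    """One end of a Diffie-Hellman exchange over public parameters (q, a)."""

    def __init__(self, q, a, private=None):
        self.q, self.a = q, a
        # Private exponent: the slide's fixed value, or a fresh random one.
        self.x = private if private is not None else 1 + secrets.randbelow(q - 2)
        self.public = pow(a, self.x, q)            # Y = a^X mod q, sent in the clear

    def shared_key(self, peer_public):
        return pow(peer_public, self.x, self.q)    # K = (Y_peer)^X mod q


def discrete_log(y, a, q):
    """Exhaustive search for i with a^i mod q == y, i.e. ind_{a,q}(y). Needs up
    to q - 1 steps, so it is practical only for tiny q; real q have hundreds of
    digits, which is what the slides mean by 'cannot easily be computed'."""
    for i in range(q - 1):
        if pow(a, i, q) == y:
            return i
    return None


def honest_exchange(q, a, xa, xb):
    """Returns (YA, YB, K as computed by Alice, K as computed by Bob)."""
    alice, bob = Party(q, a, xa), Party(q, a, xb)
    return alice.public, bob.public, alice.shared_key(bob.public), bob.shared_key(alice.public)


def mitm_exchange(q, a, xa, xb, z):
    """Trudy (exponent z) replaces each public value in transit with a^z mod q.
    Returns (Alice's key, Bob's key, Trudy's key with Alice, Trudy's key with Bob).
    Nothing in the exchange authenticates who sent a public value, so each
    honest party unknowingly agrees a key with Trudy instead of with the other."""
    alice, bob, trudy = Party(q, a, xa), Party(q, a, xb), Party(q, a, z)
    k_alice = alice.shared_key(trudy.public)       # Alice believes this is YB
    k_bob = bob.shared_key(trudy.public)           # Bob believes this is YA
    return k_alice, k_bob, trudy.shared_key(alice.public), trudy.shared_key(bob.public)
```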
Slide 73: Authentication Protocols
- Authorization
  - verifies what a process is permitted to do
- Authentication
  - verifies the identity of the process that you are talking to
  - public and private keys are used for authentication and for establishing the session key (a secret key)
  - all data communicated is then encrypted using secret-key cryptography
Slide 74: Authentication Based on a Shared Secret Key
- Challenge-response protocol (KAB is the shared secret key between Alice and Bob; KAB(X) denotes X encrypted with KAB)
  1. Alice -> Bob: A
  2. Bob -> Alice: RB (challenge)
  3. Alice -> Bob: KAB(RB) (response; after step 3, Bob has verified Alice's identity)
  4. Alice -> Bob: RA (challenge)
  5. Bob -> Alice: KAB(RA) (response; after step 5, Alice has verified Bob's identity)
  6. KAB(KS) (session key, if needed)
Slide 75: Authentication Based on a Shared Secret Key (contd)
- Can we reduce the number of messages exchanged? E.g.,
  1. Alice -> Bob: A, RA (challenge)
  2. Bob -> Alice: RB, KAB(RA) (response and challenge)
  3. Alice -> Bob: KAB(RB) (response)
- Only three, instead of five, messages are exchanged
Slide 76: Authentication Based on a Shared Secret Key (contd)
- The shortened protocol can be defeated by a reflection attack
  1. Trudy -> Bob (first session): A, RT
  2. Bob -> Trudy (first session): RB, KAB(RT)
  3. Trudy -> Bob (second session): A, RB
  4. Bob -> Trudy (second session): RB2, KAB(RB)
  5. Trudy -> Bob (first session): KAB(RB)
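A simulation of the shortened protocol of slide 75 and the reflection attack of slide 76, added here as an example (not code from the lecture). HMAC-SHA256 is a constructed stand-in for KAB(.); the role-tagged variant (bind_role=True), in which each response also covers whether it was produced as A or as B, is this example's own illustration of one mitigation and is not something the slides state.

```python
# Added example (not from the lecture): the three-message shared-key protocol
# and the reflection attack against it. HMAC-SHA256 stands in for KAB(.), and
# bind_role=True is this example's own mitigation, not the slides'.
import hashlib
import hmac
import secrets

KAB = b"constructed-shared-secret-of-alice-and-bob"   # demo key, not a real one


def kab_tag(key, role, nonce, bind_role):
    """KAB(nonce) as in the slides; with bind_role the sender's role ('A' or
    'B') is covered too, so a response Bob makes as B never verifies as A."""
    data = role + b"|" + nonce if bind_role else nonce
    return hmac.new(key, data, hashlib.sha256).digest()


class Bob:
    """Responder that runs several sessions at once (the attack needs two)."""

    def __init__(self, key, bind_role=False):
        self.key, self.bind_role, self.sessions = key, bind_role, {}

    def message1(self, ra):
        """Receive message 1 (A, RA); reply with message 2 (RB, KAB(RA))."""
        sid, rb = len(self.sessions), secrets.token_bytes(16)
        self.sessions[sid] = rb
        return sid, rb, kab_tag(self.key, b"B", ra, self.bind_role)

    def message3(self, sid, response):
        """Receive message 3; accept the peer as Alice iff it equals KAB(RB)."""
        expected = kab_tag(self.key, b"A", self.sessions[sid], self.bind_role)
        return hmac.compare_digest(expected, response)


def honest_alice(bob):
    """Alice holds KAB: she checks Bob's KAB(RA), then answers his challenge."""
    ra = secrets.token_bytes(16)
    sid, rb, tag_ra = bob.message1(ra)
    bob_ok = hmac.compare_digest(tag_ra, kab_tag(KAB, b"B", ra, bob.bind_role))
    return bob_ok and bob.message3(sid, kab_tag(KAB, b"A", rb, bob.bind_role))


def reflection_attack(bob):
    """Trudy holds no key. She opens session 1, then opens session 2 and sends
    Bob's own challenge RB back as her challenge, so Bob himself computes
    KAB(RB); she replays that into session 1. Returns whether Bob accepted."""
    sid1, rb, _ = bob.message1(secrets.token_bytes(16))   # 1: A, RT -> 2: RB, KAB(RT)
    _, _, reflected = bob.message1(rb)                     # 3: A, RB -> 4: RB2, KAB(RB)
    return bob.message3(sid1, reflected)                   # 5: KAB(RB) in session 1
```

With the slides' protocol the attack succeeds (Bob accepts); with role-bound responses the reflected KAB(RB) was computed as B and does not match what Bob expects from A.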
Slide 77: Authentication Using a Key Distribution Center
- Need a trusted Key Distribution Center (KDC)
- Wide-mouth frog: the simplest KDC authentication protocol
  1. Alice -> KDC: A, KA(B, KS)
  2. KDC -> Bob: KB(A, KS)
- Replay attack
  - an intruder can just replay message 2 (and any following messages) to Bob later, and Bob has no way to tell whether it is a second connection from Alice
Slide 78: Authentication Using Public-Key
- Assume both sides already know each other's public keys
  - This is not a trivial assumption, as explained previously
  1. Alice -> Bob: EB(A, RA)
  2. Bob -> Alice: EA(RA, RB, KS) (Alice has verified Bob's identity)
  3. Alice -> Bob: KS(RB) (Bob has verified Alice's identity)
Slide 79: Digital Signatures
- What is needed is a system by which one party can send a signed message to another party such that
  - The receiver can verify the claimed identity of the sender
  - The sender cannot later repudiate the contents of the message
  - The receiver cannot possibly have concocted the message itself
Slide 80: Secret-Key Signatures
- Assumes a central authority, say Big Brother (BB), that knows everyone's secret key
  1. Alice -> BB: A, KA(B, RA, t, P)
  2. BB -> Bob: KB(A, RA, t, P, KBB(A, t, P))
- Bob has KBB(A, t, P), which is proof that Alice sent message P at time t
- To guard against replay attacks
  - A message is discarded if its timestamp is too old
  - For a recent message, it is discarded if RA is a duplicate
Slide 81: Public-Key Signatures
- Assumes both D(E(P)) = P and E(D(P)) = P (the RSA algorithm has this property)
- Alice's computer: P -> DA(P) using Alice's private key DA -> EB(DA(P)) using Bob's public key EB -> transmission line
- Bob's computer: EB(DA(P)) -> DA(P) using Bob's private key DB -> P using Alice's public key EA
- Bob has P and DA(P), which is proof that Alice sent P
Slide 82: Message Digests
- It is often desirable to send signed plaintext documents, because encrypting the complete document may take too much time
- Message Digest (MD): hash the plaintext P to a fixed-length bit string MD(P) of m bits such that
  - Given P, it is easy to compute MD(P)
  - Given MD(P), it is effectively impossible to find P
  - No one can generate two messages that have the same message digest
Slide 83: Message Digests (contd)
- Public-key message digest
  - Alice -> Bob: P, DA(MD(P))
- Most widely used message digest functions
  - MD5
  - SHA (Secure Hash Algorithm)
- An m-bit MD system may possibly be broken in Θ(2^(m/2)) time (referred to as the birthday attack in the text)
Slide 84: Message Digests (contd)
Slide 85: Discussions
- What do you think are the major security threats on the Internet? What are possible measures and strategies to address such threats?
- What products, policies and processes of your company are worth recommending?