Theory and Design of Network Security

About This Presentation

Title:

Theory and Design of Network Security

Description:

number of elements in reduced set of residues is called the Euler Totient Function (n) ... Euler Totient Function (n) to compute (n) need to count number of ... – PowerPoint PPT presentation

Number of Views:174

Avg rating:3.0/5.0

Slides: 108

Provided by: can73

Category:

more less

Transcript and Presenter's Notes

Title: Theory and Design of Network Security

1
Theory and Design of Network Security

Part I Cryptography Basics and Public key
Infrastructure
Unit 1 Public-key Cryptography, Authentication
and Digital Signature

2
Reference

William Stallings. Cryptography and Network
Security Principles and Practice (Fourth
Edition). Prentice Hall, 2005.

3
Public Key Cryptography

Problems of symmetric key
Key Distribution
Need a secure channel

?
Key
Secure Channel
4
Public Key Cryptography

KDC (Key Distribution Center)

5
Public Key Cryptography

Key Storage
n users in the system. Each one needs n-1 keys.
There are n(n-1)/2 keys in the system.
1000 users in the system. Each one needs 999
keys. There are 499500 keys in the system.

6
Public Key Distribution

Diffie Hellman 1976
Public key distribution method
How to realize the digital signature?

Public Value
secret
secret
Share a common key
7
Diffie-Hellman Key Exchange

Diffie and Hellman 1976
A number of commercial products employ this key
exchange technique
This algorithm enables two users to exchange key
securely

8
Algorithm of Diffie-Hellman (1/2)
9
Algorithm of Diffie-Hellman (2/2)
10
Example of D-H Key Exchange
5
XA 36 XB58
q97
YA53650 mod 97 YB55844 mod 97
K(YB)XA mod 97 4436 75 nod 97 K(YA)XB mod
97 5058 75 nod 97
11
Diffie-Hellman
12
Primitive Roots

From Eulers theorem have aø(n)mod n1
consider ammod n1, GCD(a,n)1
must exist for m ø(n) but may be smaller
once powers reach m, cycle will repeat
If smallest is m ø(n) then a is called a
primitive root
a, a2, , aø(n) are distinct (mod n)
If p is prime, then successive powers of a
"generate" the group mod p
a, a2,, ap-1 are distinct (mod p)
These are useful but relatively hard to find

13
Powers of Integers, Modulo 19
14
Discrete Logarithms

The inverse problem to exponentiation is to find
the discrete logarithm of a number modulo p
That is to find x where ygx mod p
Written as xlogg y mod p
If g is a primitive root then always exists,
otherwise may not
x log3 4 mod 13 (x st 3x 4 mod 13) has no
answer
x log2 3 mod 13 4 by trying successive powers
Computing exponentiation is relatively easy,
finding discrete logarithms is generally a hard
problem

15
Example of DL
16
Public Key Cryptosystem
17
Public Key Cryptosystem
18
Public Key Cryptosystem

Encryption

19
Public Key Cryptosystem

Authentication

20
PKC vs. SKC
21
PKC for Secrecy
22
PKC for Secrecy

Secrecy
Ciphertext Y EKUb(X)
Receiver B can recover the plaintext using his
private key KRb
DKRb(Y) DKRb(EKUb(X)) X

23
RSA Cryptosystem

1977 by Ron Rivest, Adi Shamir, and Len Adleman
(MIT)
The first secure practical public key
cryptosystem
A block cipher in which the plaintext and
ciphertext are integers between 0 and n-1 for
some n

24
Math Background (RSA)

Factorization Problem
How to factorize an integer 48770428682337401 ?
Is 223092871 a factor of 48770428682337401?
It is difficult to factorize Npq if both p and
q are large prime numbers

25
Prime Numbers

prime numbers only have divisors of 1 and self
they cannot be written as a product of other
numbers
note 1 is prime, but is generally not of
interest
eg. 2,3,5,7 are prime, 4,6,8,9,10 are not
prime numbers are central to number theory
list of prime number less than 200 is
2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59
61 67 71 73 79 83 89 97 101 103 107 109 113 127
131 137 139 149 151 157 163 167 173 179 181 191
193 197 199

26
Prime Factorisation

to factor a number n is to write it as a product
of other numbers na b c
note that factoring a number is relatively hard
compared to multiplying the factors together to
generate the number
the prime factorisation of a number n is when its
written as a product of primes
eg. 91713 3600243252

27
Relatively Prime Numbers GCD

two numbers a, b are relatively prime if have no
common divisors apart from 1
eg. 8 15 are relatively prime since factors of
8 are 1,2,4,8 and of 15 are 1,3,5,15 and 1 is the
only common factor
conversely can determine the greatest common
divisor by comparing their prime factorizations
and using least powers
eg. 300213152 182132 hence
GCD(18,300)2131506

28
Modular Arithmetic

aqn r 0ltr lt n q a/n
Congruent modulo
(a mod n) (b mod n)

29
Modular Arithmetic Operations

(a mod n)( b mod n) mod n (ab) mod n
(a mod n)-( b mod n) mod n (a-b) mod n
(a mod n) ?( b mod n) mod n (a ? b) mod n
Example
11 mod 8 3 15 mod 8 7
(11 mod 8) (15 mod 8) 10 mod 8 2

30
Properties of Modular Arithmetic(1/3)

Define Zn
Commutative laws
Associative laws
Distributive laws
Identities
(0w) mod n w mod n
(1 ? w) mod n w mod n
Additive inverse (-w)
For each there exits a z such that
wz0 mod n

31
Properties of Modular Arithmetic(2/3)

If (ab)?(ac) mod n then b ?c mod n
If (a ? b)?(a ? c) mod n then b ?c mod n
If a is relatively prime to n
For example
6 ?318 ?2 mod 8
6 ?742 ?2 mod 8
Yet 3 ?7 mod 8

32
Properties of Modular Arithmetic(3/3)

If p is a prime number, then all the elements of
Zp are relatively prime to p
Multiplicative inverse (w-1)
For each there exists a z such that w
?z ?1 mod p
For each and gcd(w,n)1, there exists a
z such that w ?z ?1 mod n

33
Finding the Multiplicative Inverse

Finding the GCD
gcd(a,b)gcd(b, a mod b)
gcd(55,22)gcd(22,55 mod 22)gcd(22,11)11
Euclids Algorithm
Page 115

34
Euclid's GCD Algorithm

An efficient way to find the GCD(a,b)
Euclid's Algorithm to compute GCD(a,b)

EUCLID(a,b)
A ?a B ?b
If B0 return Agcd(a,b)
R A mod B
A ? B
B ? R
goto 2

35
Example GCD(1970,1066)

1970 1 x 1066 904 gcd(1066, 904)
1066 1 x 904 162 gcd(904, 162)
904 5 x 162 94 gcd(162, 94)
162 1 x 94 68 gcd(94, 68)
94 1 x 68 26 gcd(68, 26)
68 2 x 26 16 gcd(26, 16)
26 1 x 16 10 gcd(16, 10)
16 1 x 10 6 gcd(10, 6)
10 1 x 6 4 gcd(6, 4)
6 1 x 4 2 gcd(4, 2)
4 2 x 2 0 gcd(2, 0)

36
Extended Euclids Algorithm

Extended Euclid(m,b)

(A1,A2,A3) ?(1,0,m) (B1,B2,B3) ?(0,1,b)
If B30 return A3gcd(m,b) no inverse
If B31 return B3gcd(m,b) B2b-1 mod m
(T1,T2,T3) ?(A1-QB1, A2-QB2, A3-QB3)
6. (A1,A2,A3) ? (B1,B2,B3)
7. (B1,B2,B3) ? (T1, T2, T3)
8. goto 2

Find b-1 such that bb-11 mod m
Page 119
37
Fermat's Theorem

ap-1 mod p 1
where p is prime and gcd(a,p)1
also known as Fermats Little Theorem
useful in public key and primality testing

38
Euler Totient Function ø(n)

when doing arithmetic modulo n
complete set of residues is 0..n-1
reduced set of residues is those numbers
(residues) which are relatively prime to n
eg for n10,
complete set of residues is 0,1,2,3,4,5,6,7,8,9
reduced set of residues is 1,3,7,9
number of elements in reduced set of residues is
called the Euler Totient Function ø(n)

39
Euler Totient Function ø(n)

to compute ø(n) need to count number of elements
to be excluded
in general need prime factorization, but
for p (p prime) ø(p) p-1
for p.q (p,q prime) ø(p.q) (p-1)(q-1)
eg.
ø(37) 36
ø(21) (31)(71) 26 12

40
Euler's Theorem

a generalisation of Fermat's Theorem
aø(n)mod N 1
where gcd(a,N)1
eg.
a3n10 ø(10)4
hence 34 81 1 mod 10
a2n11 ø(11)10
hence 210 1024 1 mod 11

41
Primality Testing

often need to find large prime numbers
traditionally sieve using trial division
ie. divide by all numbers (primes) in turn less
than the square root of the number
only works for small numbers
alternatively can use statistical primality tests
based on properties of primes
for which all primes numbers satisfy property
but some composite numbers, called pseudo-primes,
also satisfy the property

42
Miller Rabin Algorithm

a test based on Fermats Theorem
algorithm is
TEST (n) is
1. Find integers k, q, k gt 0, q odd, so that
(n1)2kq
2. Select a random integer a, 1ltaltn1
3. if aq mod n 1 then return (maybe prime")
4. for j 0 to k 1 do
5. if (a2jq mod n n-1)
then return(" maybe prime ")
6. return ("composite")

43
Probabilistic Considerations

if Miller-Rabin returns composite the number is
definitely not prime
otherwise is a prime or a pseudo-prime
chance it detects a pseudo-prime is lt ¼
hence if repeat test with different random a then
chance n is prime after t tests is
Pr(n prime after t tests) 1-4-t
eg. for t10 this probability is gt 0.99999

44
Prime Distribution

prime number theorem states that primes occur
roughly every (ln n) integers
since can immediately ignore evens and multiples
of 5, in practice only need test 0.4 ln(n)
numbers of size n before locate a prime
note this is only the average sometimes primes
are close together, at other times are quite far
apart

45
The RSA Algorithm (1/2)
46
The RSA Algorithm (2/2)
47
RSA Example
48
RSA Example
N119 pq 717 e5 ed 1 mod 616 d77
49
Security of RSA

Three possible approaches to attacking the RSA
algorithm
Brute force
Trying all possible private keys
Mathematical attacks
Timing attacks

50
Factoring Problem

Factor n into its two prime factos. This enable
calculation of ?(n) (p-1)(q-1), which enables
determination of d e 1 mod ?(n) .
Determine ?(n) directly, without first
determining p and q.
Determine d directly, without first determining
?(n)

51
Factoring Problem

For a large n with large prime factors, factoring
is a hard problem, but not as hard as it used to
be.
1977 three inventors of RSA issue Mathematical
Games
100 reward
1994 RSA-129 (428 bits) breaking

52
Progress of Factorization
53
Constraints of RSA

Key Requirement
Key size in the range of 1024 to 2018 bits
p and q should differ in length by only a few
digits. Thus, both p and q should be on the order
of 1075 to 10100.
Both (p-1) and (q-1) should contain a large
prime factor
gcd(p-1,q-1) should be small

54
Timing Attacks

Proceeds bit by bit
Modular exponentiation method
bi1 slow bi0 fast

c0 d1 for ik to 0 do c2c d(dd)
mod n if bi1 then cc1 d(da)
mod n return d
55
Timing Attacks

Countermeasures
Constant exponentiation time
Degrade performance
Random delay
Blinding
Multiply the ciphertext by a random number before
performing exponentiation.

56
Message Authentication

Authentication Requirement
Possible attacks on the network
Disclosure
Traffic analysis
Masquerade
Content modification
Sequence modification
Timing modification
Repudiation

57
Authentication Functions

Message encryption
The ciphertext of the entire message serves as
its authenticator
Message authentication code (MAC)
A public function of the message and a secret key
that produces a fix-length value that serves as
the authenticator
Hash Function
A public function that maps a message of any
length into a fixed-length hash value, which
serves as the authenticator

58
Message Encryption
(A)
Conventional encryption confidentiality and
authentication
59
Message Encryption
(B)
Public-key encryption confidentiality
60
Message Encryption
(C)
Public-key encryption authentication and
signature
61
Message Encryption
(D)
Public-key encryption confidentiality,
authentication And signature
62
Error Control

Append an error-detecting code (frame check
sequence, FCS) or checksum to each message before
encryption

Internal error control
63
Error Control
External error control
64
TCP-level Encryption
65
Example of TCP Segment
The receiver can be assured of the proper
sequence because an attacker cannot successfully
alter the sequence number
66
Reference Link vs. End-to-End Encryption
67
Link Encryption

Each vulnerable communications link is equipped
on both ends with an encryption device.
All traffic over all communications links is
secure.
Disadvantage the message must be decrypted each
time it enters a packet switch.
Each pair of nodes that share a link should share
a unique key, with a different key used on each
link. Thus, many keys must be provided.

68
End-to-End Encryption

The encryption process is carried out at the two
end systems.
The data in encrypted form are then transmitted
unaltered across the network to the destination
terminal or host.
The destination shares a key with the source and
so is able to decrypt the data.
The host may encrypt only the user data portion
of the packet and must leave the header in the
clear.
Provide a degree of authentication
To achieve greater security, both link and
end-to-end encryption are needed.

69
Comparison
70
Logical Placement of End-to-End Encryption

Network-layer encryption
Front-end processor function

71
Scope
72
Encryption Strategies
73
MAC

The use of a secret key to generate a small
fixed-size block of data
That is appended to the message
A MAC function is similar to encryption. One
difference is that MAC algorithm need not be
reversible
It is less vulnerable to being broken than
encryption

74
MAC

Three situations in which a message
authentication code is used
The same message is broadcast to a number of
destinations
It is cheaper and more reliable to have only one
destination responsible for monitoring
authenticity
An exchange one side has a heavy load and cannot
afford the time to decrypt all incoming message.
Message being chosen at random for checking
Authentication of a computer program in plaintext
is an attractive service
The computer program can be executed without
having to decrypt it every time

75
MAC

Other rationales
For some applications, it may not be concern to
keep message secret, but it is important to
authenticate message
SNMPv3separates the functions of confidentiality
and authentication
Separation of authentication and confidentiality
functions affords architectural flexibility
Perform authentication at the application level
but to provide confidentiality at a lower level
A user may wish to prolong the period of
protection beyond the time of reception and yet
allow processing the message content

76
MAC
Message authentication
77
MAC
Message authentication and confidentiality Authen
tication tied to plaintext
78
MAC
Message authentication and confidentiality Authen
tication tied to ciphertext
79
Hash Function

Definition
A hash function accepts a variable-size message M
as input and produces a fixed-size hash code H(M)
Sometime called a message digest
Hash Algorithm
MD5
RFC 1321 developed by Ron Rivist at MIT
Secure Hash Algorithm (SHA)
FIPS PUB 180 in 1993 (NIST) 180-1 in 1995
FISP Federal Information Processing Standard

80
Hash Function
81
Requirements of Hash

H can be applied to a block of data of any size
H produces a fixed-length output
H(x) is relatively easy to compute for any given
x, making both hardware and software
implementations practical
For any given code h, it is computationally
infeasible to find x such that H(x)h. This is
sometimes referred to in the literature as the
one-way property
For any given block x, it is computationally
infeasible to find y?x with H(y)H(x). This is
sometimes referred to as weak collision
resistance
It is computationally infeasible to find any pair
(x,y) such that H(x)H(y). This is sometimes
referred to as strong collision resistance

82
Requirements of Hash
83
Basic Use of Hash (A)
84
Basic Use of Hash (B)
85
Basic Use of Hash (C)
86
Comparison of SHA-1 and MD5

Brute force attack for SHA-1 is harder (160 vs
128 bits for MD5)
SHA-1 is not vulnerable to any known attacks
(compared to MD4/5) ??
(Speed) SHA-1 is a little slower than MD5 (80 vs
64 steps)
Both designed is simple and compact

87
Revised Secure Hash Standard

NIST have issued a revision FIPS 180-2 and adds 3
additional hash algorithms SHA-256, SHA-384,
SHA-512.
Designed for compatibility with increased
security provided by the AES cipher
Structure detail are similar to SHA-1 and hence
analysis should be similar.

88
Comparison of SHA Properties
89
Digital Signature

Dispute of message authentication
Message authentication protects two parties who
exchange messages from any third party. However,
it does not protect the two parties against each
other.
Several forms of dispute between the two are
possible

90
Problem of Authentication

The following disputes could arise
Receiver may forge a different message and claim
that it came from sender.
Sender can deny sending the message

91
Properties

The digital signature is analogous to the
handwritten signature. It must have the following
properties
It must be able to verify the author and the date
and time of the signature
It must be able to authenticate the contents at
the time of the signature
The signature must be verifiable by third
parties, to resolve dispute

92
Requirements (1/2)

The signature must be a bit pattern that depends
on the message being signed
The signature must use some information unique to
the sender, to prevent both forgery and denial
It must be relatively easy to produce the digital
signature
It must be relatively easy to recognize and
verify the digital signature

93
Requirements (2/2)

It must be computationally infeasible to forge a
digital signature, either by constructing a new
message for an existing digital signature or by
constructing a fraudulent digital signature for a
given message
It must be practical to retain a copy of the
digital signature in storage

94
Digital Signature Concept
95
Dispute Concept
Verify Judge
Signers Digital Signature
Third Party
Dispute
Sender
Receiver
96
RSA Digital Signature
97
Digital Signature Standard (DSS)

The National Institute of Standards and
Technology (NIST) has published Federal
Information Processing Standard FIPS PUB 186,
known as the Digital Signature Standard (DSS).
The DSS makes use of the Secure Hash Algorithm
(SHA)
The DSS was originally proposed in 1991 and
revised in 1993 in response to public feedback
concerning the security of the scheme

98
DSS Concept (1/2)

The DSS uses an algorithm that is designed to
provide only the digital signature function
Unlike RSA, it cannot be used for encryption or
key exchange

99
DSS Concept (2/2)
100
DSS Algorithm

Discrete Logarithms (page 228-233)
Consider the equation
y gx mod p
Given g,x,and p, it is straightforward matter to
calculate y
Given y, g, and p, it is, in general, very
difficult to calculate x
Computational complexity
e((ln p)1/3ln(ln p))2/3

101
DSS Algorithm

Setup
p large prime bit length of between 512 and 1024
bits in increments of 64 bits 2L-1 lt p lt 2L and
512 lt L lt 1024
q prime divisor of (p-1) and 2159 lt q lt
2160,i.e., the length is 160 bits
g h(p-1)/q mod p,1lth lt p-1 ,h is an integer
(I.e., gq 1 mod p)

102
DSS Algorithm