Network Security

1
Network Security
2
Three tools

• Hash Function
• Block Cipher
• Public Key / Private Key

3
Hash Functions

• We used SHA-1 in our project.
• SHA-1 takes no more than 264 bits as input and
  returns a 160-bit output.
• SHA stands for Secure Hash Function.
• Other hash functions include MD5 which returns
  128 bits, and the SHA-2 functions.

4
What are needed from these functions?

• Collision resistance.
• Informally, you cannot find two strings with the
  same hash.
• One-way.
• Informally, given the hash, you cannot
  reconstruct the original string.

5
Security

• Here, cannot means computationally infeasible.
• There is no absolute security. If you have all
  the resources in the world, nothing is secure
  from you.

6
Birthday Attack

• If there are x people in the room, what is the
  probability that there are at least two people
  having the same birthday?

7
Birthday Attack

• The probability that no same birthday is
  (365/365)(364/365)(363/365)((365-x1)/365)
• From wiki

8
Birthday Attack

• Consider one strategy to break the SHA-1 Try
  random strings until a collision is found.
• How many strings you think you need until a
  collision is found?
• Roughly, if you try of 280 times, the probability
  of getting a collision is gt0.5.
• In 2005, Xiaoyun Wang found a flaw in SHA-1 such
  that it is possible to find a collision in 269
  calculations.

9
Block Cipher

• The basic need given a message in plain text,
  encrypt it, such that no one can know the content
  of the message. But the receiver should be able
  to decrypt it to produce the original message.
• Like simple substitution.

10
Block Cipher

• AES is a Block Cipher, means that it maps a
  fixed-length (128 bits) input to a fixed-length
  (128 bits) output.
• Given the same input bits, the Block Cipher
  always returns the same output bits. So, it is a
  mapping from the input to the output.
• The decryption algorithm is just the reverse
  mapping.

11
The Key

• The AES algorithm is known to the world. So if
  you can use AES to encrypt your data, anyone will
  be able to use the AES to decrypt your data and
  you achieved nothing.
• So, you must make your encryption unique, even if
  you are using a well-known algorithm.
• How?
• By having a key. The encryption result for one
  key is unique to other keys.

12
How AES works

• AES takes 128-bit input and turn it into 128-bit
  output with the help of a 128 bit key (or 192, or
  256). (Skype uses 256 bit key)
• The key is expanded into 11 sub-keys (K0, K1, ,
  K10.)
• s M xor K0.
• Then the following is executed 10 rounds.
• s SBOX(s).
• s shift_row(s).
• s mix_col(s) if not the last round
• s s xor Ki.
• Return s.

13
How AES works

• The S BOX simply maps the input to an output
  according to a predetermined mapping.
• The shift_row() does the following. Regard the
  16-byte s as a 4 by 4 matrix.

s0 s4 s8 s12 s1 s5 s9 s13 s2 s6
s10 s14 s3 s7 s11 s15
s0 s1 s2 s3 s5 s9 s13 s1 S10 s14 s2
s6 s15 s3 s7 s11

• The mix_col() does the following. ai is 4 bytes.

02 02 01 01 01 02 03 01 01 02 02 03
03 01 01 02
a0 a1 a2 a3
a0 a1 a2 a3

14
AES

• AES can also be used for other purposes.
• For example, you can pick a random key, then use
  AES to generate random numbers.

15
Cipher Modes

• ECB Electronic Code Book Mode. Break the entire
  file into blocks, and encode every block
  individually.
• Problems. The example in the book. You can
  replace a block if it is good for you.
• If you know the message is ltnamegt followed by
  ltsalarygt, you can replace your salary with
  someone elses salary if you know that he/she
  makes more than you do, without knowing exactly
  the content!

16
CBC Cipher Block Chaining

• Encryption
• C0 E(P0 xor IV).
• C1 E(P1 xor C0), and so on.
• IV is transmitted in plain text.
• Decryption
• P0 IV xor D(C0)
• P1 C0 xor D(C1), and so on.
• So, same message wont result in the same code.

17
Stream Cipher Mode

• T0 E(IV).
• T1 E(T0), and so on.
• C P xor T.
• Dont use the same stream twice.

18
Counter mode

• Ti E(IVi).
• Ci Pi xor Ti.
• The advantage is that you can randomly access any
  block.
• Used by Skype. Often called ICM (Integer counter
  mode).
• ECB also supports random access. Does it have the
  same problem as ECB? No, because the IVs are
  different.

19
Public Key / Private Key

• Consider Skype, how do you think that two Skype
  users can share the same AES key?

20
Public Key / Private Key

• Everyone has a public key and private key.
• With Bs public key (pkB) A can encode data that
  only B can decode with his private key (skB)
  because other people does not have Bs private
  key.
• D_skBE_pkB(W) W
• E_pkBD_skB(W) W

21
Public Key /Private key

• So, A can choose a 128-bit string W as the
  session key and send E_pkB(W) to B. B runs the
  decryption algorithm to get D_skBE_pkB(W) W.
• Skype actually asks two ends to both contribute
  128 bits to make the 256-bit session key.

22
The RSA algorithm

• Most common, the RSA algorithm is used to get the
  public key/private key.
• Choose two large primes, p and q.
• Compute npq and z(p-1)(q-1).
• Choose a large number relatively prime to z and
  call it d.
• Find e such that ed 1 mod z. (such e must
  exist)
• (e,n) is the public key for encoding and (d,n) is
  the private key for decoding.

23
The RSA algorithm

• To encrypt a message
• CMe mod n.
• To decrypt
• M Cd mod n.
• The rules are satisfied
• D_skBE_pkB(M) M
• E_pkBD_skB(M) M.

24
An example

• Let p3, q11,
• n33, z20.
• Choose d7, because 7 and 20 have no common
  factors
• For e, it must satisfy 7e 1 mod 20, which gives
  us e3.
• So the public key is (3,33) and the private key
  is (7,33).
• If M19,
• C193 mod 33 6859 mod 33 28
• 287 mod 33 13492928512 mod 33 19

25
Why is RSA secure?

• The problem is, given (d,n), can you figure out
  e?
• You can try to find p and q given n. If you
  indeed can, then you get z. Given z and d, you
  get e.
• But it is difficult to factor large numbers.

26
ssh-keygen

• Try type ssh-keygen t rsa
• The secret key will be saved as .ssh\ id_rsa
  and the public key will be saved as .ssh\
  id_rsa.pub