1 Part I
2 Contents Part I Introduction to Information Security Definition of Crypto Cryptographic Objectives Security Threats and Attacks The process Security Security Services
3 Cryptography Cryptography (code making) is the study of mathematical techniques related to aspects of information security such as confidentiality, data integrity, entity authentication, and data origin authentication. Cryptography is not the only means of providing information security, but rather one set of techniques. Cryptanalysis (code breaking) is the study of mathematical techniques for attempting to defeat information security services. Cryptology is the study of cryptography and cryptanalysis. A cryptosystem generally describes a set of cryptographic primitives used to provide information security services.
4 Cryptographic Objectives (1) Confidentiality is a service used to keep the content of information from all but those authorized to have it. The terms secrecy and privacy are sometimes used synonymously. Encryption is a cryptographic technique to achieve confidentiality, but access control to information may yield confidentiality without encryption at all. Data integrity is a service which addresses the unauthorized alteration of data. To assure data integrity, one must have the ability to detect data manipulation by unauthorized parties. Data manipulation includes such things as insertion, deletion, substitution and replay.
5 Cryptographic Objectives (2) Authentication is a service related to identification. With entity authentication, the parties in a communication should identify each other. Information communicated over a channel should be authenticated as to origin (data origin authentication), date of origin and time sent (timeliness) and data content. Data origin authentication implicitly provides data integrity. Non-repudiation is a service which prevents an entity from denying previous commitments or actions. A resolution mechanism should assist in resolving disputes.
6 Security Threats Loss of confidentiality: An attacker obtains information, e.g. by eavesdropping. Loss of integrity: An attacker manipulates data. Denial of service: An attacker inhibits the service provided. Masquerade: An attacker operates under a false identity. Replay: An attacker plays back some previous information. Repudiation: An attacker claims not to have obtained or provided a service. Unauthorized access: An attacker obtains access to some information or to systems.
7 Damage Caused (average harm per incident)
Insider Abuse of Net Access: $93,530 (97%)
Unauthorized Access By Insiders: $142,680 (55%)
Denial of Service / System Penetration By Outsiders: $116,250 / $103,142 (32% / 31%)
Theft of Proprietary Info: $1,847,652 (25%)
Sabotage: $163,740 (13%)
Source: 1999 CSI/FBI Computer Crime & Security Survey
8 Types of Attack Passive attack: The attacker only monitors (intercepts, eavesdrops on) the communication channel, e.g. by using a network monitor. The attacker threatens only the confidentiality of data. Such attacks usually cannot be detected by the communicating entities, but using encryption may counter such an attack. Active attack: The attacker attempts to delete, add, or alter the data on the transmission channel. The attacker threatens data integrity, authentication or confidentiality. Such attacks can be detected, but usually cannot be prevented.
9 Real-World Attacks [Chart: Virus 74%; other categories shown: Unauthorized access, Denial of service, System penetration, Theft of data, Telecom fraud, Sabotage, Financial fraud, Telecom eavesdropping, Wiretapping] Source: Computer Security Institute, 1998
10 Some Attacks on Encryption Schemes (listed in order of increasing strength of attack) Ciphertext-only attack: The attacker attempts to deduce the plaintext or encryption key just by intercepting ciphertext. Known-plaintext attack: The attacker obtains some plaintext and corresponding ciphertext. Chosen-plaintext attack: The attacker is able to obtain ciphertext for chosen plaintext. This may then enable the attacker to deduce the plaintext of unseen ciphertext. Chosen-ciphertext attack: The attacker is able to obtain plaintext for chosen ciphertext, e.g. by misusing the decryption device. The attacker may then be able to deduce plaintext from different ciphertexts.
11 Some Attacks on Cryptographic Protocols Brute force attack: With a given plaintext-ciphertext pair the attacker searches the key space exhaustively in order to reveal the key. Known-key attack: The attacker uses some old keys and is able to deduce new keys. Replay attack: The attacker records a communication session and replays (substitutes) some parts or the entire session at some later point in time. Impersonation (masquerade) attack: The attacker masquerades as a legitimate entity. Dictionary (code book) attack: The attacker builds a table of known plaintext-ciphertext pairs; he can then quickly determine the plaintext for an obtained ciphertext. With another method, the attacker builds a table with computed ciphertexts for all keys and a fixed plaintext. Differential cryptanalysis: The attacker observes ciphertext pairs where the corresponding plaintext pairs have a certain difference. Combination attack: Combination of several attack techniques.
12 Some Conclusions... Key spaces and plaintext spaces should be large and must convey sufficient entropy. Statistical properties in plaintext should be avoided; compression before encryption is a good practice. Keys should not be used forever. Example: English ASCII plaintext; keys are permutations on ASCII characters. Key space = 256! > number of atoms in the universe. But: the cipher can be broken by the statistical properties of English text.
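The example on slide 12 worked through in Python, as an added illustration that is not part of the original slides: the key space of a byte-permutation cipher is about 1684 bits, yet the ciphertext keeps the plaintext's frequency profile and index of coincidence unchanged. The function names and the sample text are constructed for this example.

```python
import math
import random
from collections import Counter

def key_space_bits(alphabet_size: int = 256) -> float:
    """log2(n!): size in bits of the space of permutations on n symbols."""
    return math.lgamma(alphabet_size + 1) / math.log(2)

def make_key(seed: int) -> bytes:
    """A permutation of all 256 byte values (seeded only so the demo repeats)."""
    table = list(range(256))
    random.Random(seed).shuffle(table)
    return bytes(table)

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Monoalphabetic substitution: every byte is replaced via the key table."""
    return plaintext.translate(key)

def frequency_profile(data: bytes) -> list[int]:
    """Symbol counts sorted high to low, i.e. the histogram without its labels."""
    return sorted(Counter(data).values(), reverse=True)

def index_of_coincidence(data: bytes) -> float:
    """Probability that two bytes drawn from data are equal (1/256 if uniform)."""
    n = len(data)
    return sum(c * (c - 1) for c in Counter(data).values()) / (n * (n - 1))

# Constructed sample plaintext (English, ASCII).
SAMPLE = (b"the overall security of a system is only as strong as its weakest "
          b"component and keys should not be used forever")

if __name__ == "__main__":
    ct = encrypt(make_key(7), SAMPLE)
    print(f"key space: {key_space_bits():.0f} bits")
    print("same frequency profile:", frequency_profile(ct) == frequency_profile(SAMPLE))
    print(f"IoC plaintext {index_of_coincidence(SAMPLE):.4f}, "
          f"ciphertext {index_of_coincidence(ct):.4f}, uniform {1 / 256:.4f}")
```

A large key space is therefore necessary but not sufficient: the cipher must also hide the statistics of the plaintext.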
13 The Process of Building Secure Systems
1. Define security goals and the security assets to be protected, and consider the target security policy.
2. Inspect the system and perform a security threat analysis and risk assessment; consider the potential attacker and his capabilities.
3. Define security requirements and derived security services for the target system.
4. Define a security concept with technical and organizational measures; design a target security architecture with security mechanisms and crypto algorithms.
5. Construct, build and test the secured system.
6. Re-evaluate the secured system against the security goals, investigate newly identified threats, monitor theoretical and practical attacks against the system, and assess the residual risk.
7. Iterate steps 1-6 for improved security.
14 Example: UMTS Security Engineering [Diagram labels: System assumptions; Service requirements; Threat analysis; security requirements; features instances (e.g. confidentiality on the air interface); security features (confidentiality, integrity etc.); security mechanisms; security architecture; System architecture]
15 Secure Systems as a Chain of Security Components [Diagram: a chain whose links are Auth, Random, Encryption, Key Management and Audit, with one link marked as the weakest point or part in the system] The overall security of a system is only as strong as its weakest component. Thus, it is wise to design sound security and not to over-engineer just a single part.
16 Remarks There is no 100% secure system. But: Security can be increased step by step to make security weaknesses less and less likely. One approach could be to mandate that the effort necessary for a successful attack is higher than the perceived value of the information obtained. Cryptographic security techniques are a very useful tool for building secure systems. Other means and non-cryptographic techniques usually support this.
17 Security Services Authentication: Ensuring the identity of communicating entities. Authorization: Granting privileges to entities. Access control: Preventing unauthorized use of resources. Confidentiality: Preventing disclosure of information to unauthorized entities. Integrity: Property that data has not been altered or destroyed in an unauthorized manner. Key management: Generation, storage, distribution, deletion, archiving and application of cryptographic keys.
18 Authentication Authentication is the process of proving an identity. Authentication protocols may rely on cryptography or may be non-cryptographic. Distinguish between authentication of persons and authentication of entities (computers, messages, ...).
19 Authentication of Persons Persons may authenticate by: Something they know: passwords, PINs, one-time passwords (TANs). Something they possess: magnetic stripe cards, security tokens, keys, ... Something intrinsic to them (biometry): fingerprint, voice characteristics, iris pattern, dynamic handwritten signature characteristics, face recognition, ...
20 Authentication of Entities Entity authentication assures the identity of communicating systems. This service can be performed by symmetric or by asymmetric algorithms. The entity holds some identification information which is authenticated by the knowledge of the corresponding secret or private key. Challenge-response or zero-knowledge protocols are applied to convince communication entities about the knowledge of these keys without revealing them over the channel.
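A minimal challenge-response exchange for the symmetric-key case described on slide 20, as an added example that is not part of the original slides: the verifier sends a fresh random challenge, the entity answers with an HMAC over its identity and the challenge, and the key itself never crosses the channel. The class and function names, the message layout and the choice of HMAC-SHA-256 are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

def respond(key: bytes, entity_id: bytes, nonce: bytes) -> bytes:
    """Entity side: prove knowledge of key for this one challenge."""
    # Length-prefix the identity so that identity||nonce parses unambiguously.
    msg = len(entity_id).to_bytes(2, "big") + entity_id + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()

class Verifier:
    """Verifier side: holds the shared key and issues single-use challenges."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending: set[bytes] = set()

    def new_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)   # unpredictable, never reused
        self._pending.add(nonce)
        return nonce

    def check(self, claimed_id: bytes, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._pending:    # unknown or already used challenge
            return False
        self._pending.discard(nonce)      # one attempt per challenge
        expected = respond(self._key, claimed_id, nonce)
        return hmac.compare_digest(expected, response)  # constant-time compare

if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)  # constructed key, established beforehand
    verifier = Verifier(shared_key)
    challenge = verifier.new_challenge()
    answer = respond(shared_key, b"host-a", challenge)
    print("fresh response accepted:", verifier.check(b"host-a", challenge, answer))
    print("replayed response accepted:", verifier.check(b"host-a", challenge, answer))
```

Because each challenge is accepted once, a recorded response is useless in a later session, which is the replay threat listed on slides 6 and 11.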
21 Authentication of Messages Authentication of data (data origin authentication) assures the origin of information. This holds for asymmetric encryption. Since public keys are known to anybody, everyone can send confidential but unauthenticated messages. The security service can be achieved by MACs and digital signatures assuming that unauthorized entities can not access the involved secret or private key.
22 Confidentiality Confidentiality protects information against unauthorized disclosure. Cryptographic algorithms require the knowledge of secret or private keys to access data that is encrypted by symmetric or asymmetric algorithms. This security service can be achieved by symmetric or asymmetric encryption assuming that unauthorized entities can not access the involved secret or private key.
23 Integrity Integrity of information allows the detection of manipulated data. Cryptographic algorithms require the knowledge of secret or private keys to access data encrypted by symmetric or asymmetric algorithms. This security service can be achieved by encryption (assuming high redundancy and error propagation), message authentication codes (MACs) or by digital signatures, assuming that unauthorized entities cannot access the involved secret or private key.
24 Key Generation Cryptographic keys should be generated randomly within their key spaces. In practice, pseudo-random generators are used to create cryptographic keys. If there is not enough randomness in the process of key generation, then an attacker may be successful in searching a significant subset of the key space in a short time. This happened with Netscape Navigator 1.1 SSL, where only system time and process IDs were used to create cryptographic keys, which were found equivalent to just 20 bits instead of a 128 bit key (see Dr. Dobb's Journal, Jan. 1996, p ).
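The key-generation pitfall on slide 24, shown as a weak generator beside a corrected one. This is an added example, not code from the slides and not Netscape's actual algorithm: the seed layout, the time window and the PID range are constructed to show how few bits a key carries when time and process ID are its only inputs.

```python
import math
import random
import secrets

def weak_key(unix_time: int, pid: int) -> bytes:
    """'Before': a 128-bit key whose only inputs are two guessable values."""
    rng = random.Random((unix_time << 16) | pid)  # general-purpose PRNG, not a CSPRNG
    return rng.getrandbits(128).to_bytes(16, "big")

def effective_bits(time_window_s: int, pid_count: int) -> float:
    """Upper bound on the key's entropy: log2 of the number of possible seeds."""
    return math.log2(time_window_s * pid_count)

def strong_key() -> bytes:
    """'After': a 128-bit key drawn from the operating system's CSPRNG."""
    return secrets.token_bytes(16)

if __name__ == "__main__":
    # Constructed values: a timestamp known to within one minute, 15-bit PIDs.
    k1 = weak_key(820454400, 1234)
    k2 = weak_key(820454400, 1234)
    print("weak key is 128 bits long:", len(k1) * 8 == 128)
    print("same inputs give the same key:", k1 == k2)
    print(f"entropy bound: {effective_bits(60, 32768):.1f} bits")
    print("strong keys differ:", strong_key() != strong_key())
```

The weak key looks like 128 random bits, but anyone who can bound its inputs faces a search space of roughly 21 bits; the length of a key says nothing about the entropy that went into it.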
25 Key Management Key management refers to generation, storage, distribution, deletion, archiving and application of cryptographic keys. The quality of cryptographic security services relies on the protection of cryptographic keys against unauthorized access. The generation, application, storage and exchange of cryptographic keys are of specific interest here.
26 Key Application and Storage There is no protection against unauthorized access to keys which are stored on hard discs of PCs. On UNIX systems, there is no protection against root. Even with secure operating systems, keys could be revealed by observing data traffic on system buses. When these threats can not be tolerated, specific means of key storage are required: The required services can be supported by smart cards and specific hardware devices which are integrated into hosts. See: NIST Security Requirements for Cryptographic Modules, FIPS Publ , 1994.
27 Key Exchange Session keys have to be exchanged in a protected way for communication purposes. Protection concerns confidentiality, integrity and authenticity for symmetric keys as well as integrity and authenticity for public keys. Typically, secret keys or public keys already established between entities are used for this purpose: so-called master keys or key encryption keys.
28 Authenticity of Public Keys Everyone could issue a public key p together with some identification information ID as (p, ID). How can the correctness of ID be trusted? Certificates that are issued by a trusted certification authority (CA) solve this problem: $\mathrm{cert} = (p, ID, E_{s_{ca}}(p, ID))$. Identification is done by presenting certificates. Authentication is done by proving knowledge of the corresponding private key.