Hugo Fruehauf, ViaLogy LLC, Rev 5-091

Transcription

1 Telecom and Internet Data Traffic Crypto Security Basics Hugo Fruehauf, ViaLogy LLC, Rev 5-091

2 Focus of this Presentation Encrypted TCP/IP packet data will be the norm for future wired and wireless networks via IPsec and other standard and non-standard protocols This presentation focuses on the encryption world as a whole, so that the technology-basics are more fully understood These insights may aid in achieving functional compatibility of crypto/key-exchange architectures in upcoming: Synchronized and asynchronous wired and wireless IP networks The particularities of high data rate IP backbones 2

3 Focus (cont.) Encryption Options OSI Internet Application (Payload) Presentation Session Transport 4 3 Application Layer (Payload) Host to Host (Transport Layer) Encryption can be at any layer: The lower in the stack, the more secure, but more complex as to compatibility with the receiving end TCP Packet DATA OH+P Pad Key A B TRANSPORT MODE 3 Network 2 Internet- Working Layer IP ESP IPsec C D A B TCP DATA TUNNEL MODE IP ESP IP TCP DATA 2 1 Data Link Physical 1 Network I/O (Network Access Layer) NAL IP ESP IP TCP DATA OSI - Open Systems Interconnection (Reference Model ) ESP- Encapsulating Security Payload TCP- Transmission Control Protocol TCP Addresses A and B ; Routing Addresses C and D NAL 3

4 Agenda Security Concepts Security Implementations Key Exchange Issues Principles of Cryptographic Algorithms DES, 3DES, AES, and SHA Encryption Modes IPsec and the Network Summary 4

5 Security Concepts 5

6 The Basic Four in Security Peer Authentication The process of proving one s identity; ensuring that t only the intended parties are participating Data Confidentiality (Encryption) Ensuring that the data is not disclosed to unintended parties Data Transit Integrity Ensuring the data has not changed while in transit; protecting data from third-part alterations Data Origin Authentication & Replay Protection (Nonrepudiation) Proof of delivery for the sender and proof of senders identity for the recipient; ensuring source authenticity has not been violated 6

7 The Basic Four in Security Peer Authentication - The process of proving one s identity; ensuring that only the intended parties are participating This includes ID, Authorization, ti and Access Control (in increasing order of security) Password, Passphrase, ID Number Magnetic Strip Card SmartCard (chip based) Digital Certificate (PKI) Biometrics (human anatomy) Combinations of the above 7

8 The Basic Four in Security Data Confidentiality (Encryption) - Ensuring that the data is not disclosed d to unintended d parties (in increasing order of security) Pi Private Networks, Lease Lines Asymmetric Cryptography (PKI) of data Symmetric Cryptography p y of data Related to all crypto schemes Crypto Algorithm Crypto Mode Key Management Key Length Hash Functions 8

9 The Basic Four in Security Data Transit Integrity - Ensuring the data has not changed while in transit; protecting ti data from third-part t alterations (in increasing order of security) SW for comparing Data/Files (no protection however) Checksums & CRCs Now is the time for all good = Now is the time for all good A06511A6EF9C43DDC50BB34 = A650 MICs (Message Integrity Codes or Checks) hash function crypto algorithms MACs (Message Authentication Codes or Checks) keyed hash HMAC (Hugo MAC*) keyed hash inside a keyed hash *Hugo Krawczyk 9

10 The Basic Four in Security Data Origin Authentication & Replay Protection (Nonrepudiation) - Proof of delivery for the sender and proof of senders identity for the recipient; ensuring source authenticity has not been violated Systemizing the individual security elements Sender - Message encryption with receiver s Public Key - Hashing the message - Encrypting the hash value with his Private Key (his digital signature) Receiver - Message decryption with his Private Key -Decrypting hash value with senders Public Key - Comparing hash values for integrity of data 10

11 Security Implementations 11

12 Three Main Categories of Encryption Symmetric (Secret-Key) Cryptography Single, same key for encryption and decryption Pros Fast crypto process, low latency, most secure Cons Key exchange security RSA Asymmetric (Public-Key) Cryptography p y and DH Asymmetric (Key Agreement) Cryptography RSA Two Keys (Public & Private), one encrypts, one decrypts DH Symmetric Key generation/agreement g on each end Pros Secure key exchange/agreement logistics (PKI) Cons Slow crypto process Hash Function (One-Way) Cryptography Message Digest, plaintext not recoverable from ciphertext Pros Good for data integrity and nonrepudiation Cons Slows down overall system, adds latency RSA Rivest, Shamir, Adleman DH Diffie-Hellman 12

13 Symmetric (Secret-Key) Cryptography Symmetric Key must be exchanged first, physically or electronically Physical Key Exchange Electronic Key Exchange Encrypt Network Decrypt Data to be Encrypted Sender Decrypted Data Receiver Symmetric Key Best for secure high speed data encryption/decryption 13

14 RSA Asymmetric (Public-Key) Cryptography Public Key Infrastructure (PKI) simplified Validation System Receiver s Public Key Encrypt Public Key Data Base Public Key Network Private Key Decrypt Data to be Encrypted Decrypted Data Sender Receiver Good for exchanging symmetric keys OK for low-speed data encryption/decryption 14

15 Symmetric Key Exchange via RSA Asymmetric Cryptography Validation System Receiver s Public Key Public Key Data Base Public Key Generates Symmetric Key Encrypt Network Private Key Key Exchange Decrypt Symmetric Key Rcv d Data Traffic Encrypt Data to be Encrypted Sender Receiver Decrypt Decrypted Data 15

16 Symmetric Key Agreement via DH Asymmetric Cryptography Private Key Public Key Database Private Key DH Math Public Key Public Key DH Math Network Generate Symmetric Key Encrypt Decrypt Generate Symmetric Key Party A Data to be Encrypted Decrypted Data Party B Good for symmetric key generation (agreement) OK for low-speed data encryption/decryption 16

17 Hash Function (One-Way) Cryptography Hashing An algorithm that digests data and re-presents its bits and bit patterns by a numerical equivalent - a Hash Value Single bit change in the data, may change half of the bits in the resultant hash-value Nonreversible algorithm; hash value can t reproduce data MAC (Hash) Message Authentication Code algorithm is Symmetric Key-dependant hash for more security Hash is mainly used in the Digital Signature process and for data integrity 17

18 Hash Function Cryptography for Data Integrity and Nonrepudiation Sender Receiver s Public Key Public Key Database Receiver s Private Key Receiver Data to be Encrypted Encrypted Encrypted Data Key Exchange Data Decrypt Data Decrypted Data OPTIONAL Keyed HASH Senders Private Key HASH Hash Value Network HASH Decrypt 111 Hash Value Hash Value Hash Value Verify Data Integrity and Nonrepudiation Encrypt Hash Value Senders Public Key 18

19 Public-Key Registration and Certification Process Complete Application 2 Applicant Applicant s Browser Generates Key Material Public Key Private Key (Not Sent back to RA) 3 Registration Authority 4 Send to RA Create Certificate 6 Request 1 5 Deliver Certificate Application Review Application Name Org Key Signature Date Send 9 Certificate to Applicant 7 Send to CA 8 Generate Certificate Certificate Issuer 19

20 What is in a certificate? DN: cn=hugo Fruehauf Serial #: Start: :00 End: :00 Name of Owner Serial Number Period of Validity Revocation Data CRL: cn=crl2 Name of issuing CA CA DN: o=acme, c=us Key: Public key CAs Digital Signature 20

21 Key Exchange Issues 21

22 Key Exchange Issues Symmetric Crypto Same Key Encrypts Must move Symmetric Key across somehow Decrypts Key Exchange Method: Phone (not secure), unless secure phone is used Mail (not secure) Courier (better) Open Network (ok if not being targeted) Verbal (generally not secure) Physical (secure, but not practical) PKI (secure) 22

23 Key Exchange Issues (cont.) RSA Asymmetric Crypto No Key moves across Two Math Related Keys One Encrypts One Decrypts (and visa-versa) Key Exchange Method: Network-math (secure) RSA Encryption of a Symmetric Key Symmetric Key moves across securely Key Exchange Method: Symmetric key encrypted by RSA key (secure) 23

24 Key Exchange Issues (cont.) DH Asymmetric Crypto Independently generate same Symmetric Key Key Exchange Method: No Key moves across Encrypts Decrypts No key exchange, key generated at each terminal (secure) Hashing Crypto Plain or Ciphertext Message Digest for Integrity, authentication Data, Valuepartofdata Data, Text Text Hash Hash Value Value Must move Symmetric Key across somehow Key Exchange Method for keyed hash (HMAC): Same as issues with Symmetric key 24

25 Key Exchange Issues (cont.) Synchronized Symmetric Crypto No actual Key moves across (3) Practical Key Change Methods: (A) Flag - PNs generate Keys at all terminals and flag for Key-Change Issues: Flag in data stream; key material moves across network -- Start-latency and interruption of data traffic for re-keying -- Need long-term Key (Setup Parameters) (B) Synchronous - PNs generate Keys at all terminals and synchronously do Key-Change (time or event activated) Issues: Data loss since clocks cannot be perfectly synchronized (at 10 Gbits data rate, 1 us time error = 10 Mbits of data loss) -- Need long-term Key (Setup Parameters) (C) Non-Precision Sync (what I call NPS ) - PNs generate Keys at all terminals and autonomously do Key-Change (best of the three) Issues: Need long-term Key (Setup Parameters) PN Pseudo Random Number Generator 25

26 Key Exchange Issues (cont.) (C) Non-Precision Sync Symmetric Crypto No Key moves across Basic Functionality: All terminal PNs autonomously generate 3 keys: (key for the present crypto period, the previous, and the next) Sending terminal uses present crypto period key Receiving terminal(s) decrypt with all 3 keys simultaneously Encrypted PN-generated packet header match determines the right key at the receiving terminals (can also use: AH, ESP, SN, etc., for ID) Terminal sync need only be better than key-change period Each terminal s computer clock is good enough for key sync, aided by a periodic NTP check (or other clock options) The Key Generator PNs of new terminals coming on line are autonomously updated via a crypto-midnight process AH Authentication Header; ESP Encapsulating Security Payload; SN Packet Serial No. 26

27 Non-Precision Sync (NPS) Functionality (1) Long- Term Key Setup Time/ Event Sync Long- Term Key Setup Time/ Event Sync Generation of Short- Term Symmetric Keys Prior Present Next Time Time Time PC Clock Generation of Short- Term Symmetric Keys Prior Present Next Time Time Time PC Clock Data In Encrypt Network Encrypt Data In Decryptors Decryptors Data Out Data Out (1) Patent No s. 6,590,981 (StealthKey TM ); 7,20,696; and 7,149,308 27

28 Non-Precision Sync Functionality (cont.) 8:00:00 8:00:15 8:00:30 8:00:45 A B C D Sender Clock Sender Key Gen Engine Network Data Encryptor Key B :00:15 8:00:00 8:00:15 8:00:30 8:00:45 A B C D Time Offset Expected between Sender and Receiver Clocks Receiver Clock Ahead Receiver Key Gen Engine Data Decryptor Key A Data Decryptor Key B 8:00:15 Data Decryptor Key C 8:00:00 8:00:30 Sender & Receiver s Key Period Match 28

29 Non-Precision Sync Functionality (cont.) PKG 8:00:00 8:00:15 8:00:30 8:00:45 A B C D Sender Clock Sender Key Gen Engine Network Data Encryptor Key B :00:15 8:00:00 8:00:15 8:00:30 8:00:45 B C D Time Offset Expected between Sender and Receiver Clocks Receiver Clock Ahead Receiver Key Gen Engine Data Decryptor Key B Data Decryptor Key C 8:00:30 Data Decryptor Key D 8:00:15 8:00:45 Receiver Clock switches to next Key Period Receiver uses Previous Key Period to Match Sender 29

30 Non-Precision Sync Functionality (cont.) PKG 8:00:00 8:00:15 8:00:30 8:00:45 A B C D Sender Clock Sender Key Gen Engine Network Data Encryptor Key C :00:30 8:00:00 8:00:15 8:00:30 8:00:45 B C D Time Offset Expected between Sender and Receiver Clocks Receiver Clock Ahead Receiver Key Gen Engine Data Decryptor Key B Data Decryptor Key C 8:00:30 Data Decryptor Key D 8:00:15 8:00:45 Sender Clock Switches to next increment Sender & Receiver s Key Period Match 30

31 Principles of Cryptographic Algorithms 31

32 Typical Crypto Algorithm Concept Crypto Cypto Key AES Plain Packets (Plaintext) Encrypted Packets (Ciphertext) 32

33 Typical Crypto Algorithm Process Plain Packets Encrypted Packets Key Permutation Rounds A key controls the encryption/decryption algorithm to transform the data into ciphertext and back to plaintext In a cryptosystem, plaintext is acted upon by a known algorithm (set of mathematical rules) to determine the transformation process to ciphertext 33

34 Most popular Crypto Modes ECB Electronic Codebook The algorithm encrypts the key-length blocks with the same key ECB has a security flaw plaintext-repeats always produce the same ciphertext block, therefore exploitable by analysis A fast crypto mode process, but not very secure CBC Cipher Block Chaining Ensures that plaintext-repeats produce different ciphertext blocks, although encrypted with the same key Algorithm input is XOR d with the preceding ciphertext t block The slowest crypto mode process, but probably the most secure 34

35 Crypto Modes (cont.) Counter Mode (CM) Uses sequence numbers as the input to the algorithm Instead of using the output of the encryption algorithm to fill the register, the input to the register is a counter After each block encryption, the counter increments by some constant, generally by 1 Counter does not have to be secure, can use any random- sequence generator The sequence of values is encrypted with the key, ECB-style The ECB pseudorandom key-stream output is XOR d with the plaintext to produce the ciphertext The fastest crypto mode process and probably the next best security to CBC 35

36 DES, 3DES, AES and SHA 36

37 Data Encryption Standard (DES) A Symmetric-Key Algorithm; 56-bit Key Block Cipher (OLD) DES block 64-bits (8-bit overhead for parity error detection) DES operates on 64-bit blocks of data Overview of DES Algorithm Initial permutation of the plaintext without a key Split permuted data into right and left 32-bit columns 16 identical rounds where data is combined with a key After 16 th round, combine the right and left columns again Do final permutation (the inverse of the initial permutation) High speed hardware implementation With a 0.18u chip and a 200 MHz clock x 64 bits = 12.8 Gbps (ideal), + crypto mode time and related latency DES in ECB mode will run near ideal pipe speed DES in CBC mode, ~ 1 to 2 Gbps possible 37

38 Data Encryption Standard (3DES) 3DES; a 3 x DES process (getting OLD); (2DES not secure) Although a 168-bit Key Block Cipher, is considered only 2x more secure than DES; effective 112-bit key Overview of 3DES Algorithm Basically runs like DES, except 48 rounds (3 x 16 rounds) Generally uses 2-Key mode Encrypt 1 st 16 rounds with 1 st key Decrypt 2 nd 16 rounds with 2 nd key Encrypt 3 rd 16 rounds with using the 1 st key again 3-Key m1ode as above but using 3 separate keys High speed hardware implementation With a 0.18u chip and a 200 MHz clock x 64 bits = 12.8 Gbps (ideal), + crypto mode time and related latency (3 x DES?) 3DES in ECB mode will run near ideal pipe speed 3DES in CBC mode, ~ 1 to 2 Gbps possible 38

39 Advanced Encryption Standard (AES) AES: aka Rijndael A Symmetric-Key algorithm; 128/192/256-bit Key BC Rounds are whole-byte operations, more efficient than DES NIST approved in 2001; expected to replace 3DES in time Overview of AES Algorithm AES operates on 128-bit blocks, independent of key length 10 Rounds if both block and key length are 128-bits 12 Rounds if either block or key length is 192-bits 14 Rounds if either block or key length is 256-bits 1 st step Add Round Key (XOR g a subkey with the block), 2 nd do the rounds, 3rd Mix Column (matrix multiplication) High speed hardware implementation With a 0.18u chip and a 200 MHz clock x 128 bits = 25.6 Gbps (ideal), + crypto mode time and related latency AES in Counter Mode, expect 25 Gbps pipe speed BC Block Cipher 39

40 Secure Hash Algorithm (SHA) (SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512) A 1-way algorithm that digests the message to produce a message digest or hash value, which represents the bits and sequence of bits of the message Extensively used for data integrity, authentication and to secure of the Digital Signature process Based on MIT Ron Rivest s MD4 and sister MD5 algorithms Overview of SHA-1 (SHA, Version 1) Algorithm Pad message to be multiples of 512-bit blocks Append 64-bits to the message, which represents the message length before padding Do the algorithm 4 rounds of 20 operations each SHA-1 limited to a message length of 264 bits SHA-1 provides a 160-bit digest (hash value) 40

41 Secure Hash Algorithm (cont.) Message Authentication Codes (MACs) Keyed Hash To create a MAC-SHA-1 hash a shared symmetric key along with hashing the message Attach the resultant digest to the message Do the same on the other end with the shared symmetric key Compare the digest to the digest attached to the message HMAC Keyed-keyed Hash Special hash h designed d by Hugo Krawczyk, Ran Canetti, and Mihir Bellare Outside Key Pad value (opad) and Inside Key Pad value (ipad) ipad =64element 64-element array (0 x 36) opad = 64-element array (0 x 5C) HMAC (Key, Message) = H(K XOR opad, H(K XOR ipad, M) IPsec uses HMAC exclusively IPsec Internet Protocol Security 41

42 SHA Process Sender A4DF1 Hash Algorithm 10057EAAFCBB 887AAEDD 27A5C Data Packet or File, Plaintext or ciphertext Hash Value (160-bits) Strips off Hash Value, hashes the data and compares its Hash Value to the appended one Receiver Append Hash Value EAAFCBB Network With HMAC Hash with a Key 27A5C Keyed Hash Value Strips off Keyed Hash Vl Value, uses Hash hkey previously transferred, hashes and compares values 42

43 IPsec and the Network 43

44 IPsec Internet Protocol security (IPsec) a framework of open standards for protecting communications over Internet Protocol (IP) networks through the use of cryptographic security services. IPsec supports network-level: Peer Authentication Data Confidentiality (Encryption) Data Transit Integrity Data Oi Origini Authentication ti ti & Replay Protection ti (Nonrepudiation) see earlier section, Chart 4 ff IPsec is supported by the Microsoft Windows Vista, Windows Server 2008, Windows Server 2003, Windows XP, and Windows 2000 operating systems and is integrated with the Active Directory service. IPsec policies can be assigned through Group Policy, which allows IPsec settings to be configured at the domain, site, or organizational unit level. l 44

45 IPsec Basics IPsec Internet Protocol Security Provides a defined, robust, and extensible way to secure IP traffic through symmetric, asymmetric, and hash functions cryptography IPsec tunnels and encrypts IP packets exchanged between gateways, routers, servers, and hosts For Storage Networks, data traffic converted to IP traffic between islands and within the fabric ISP Internet Subnet IPsec AH/ESP + IKE WAN LAN 45

46 IPsec Network Applications OSI Internet Application (Payload) Presentation Session Transport 4 3 Application Layer (Payload) Host to Host (Transport Layer) Encryption can be at any layer: The lower in the stack, the more secure, but more complex as to compatibility with the receiving end TCP Packet DATA OH+P Pad Key A B TRANSPORT MODE 3 Network 2 Internet- Working Layer IP ESP IPsec C D A B TCP DATA TUNNEL MODE IP ESP IP TCP DATA 2 1 Data Link Physical 1 Network I/O (Network Access Layer) NAL IP ESP IP TCP DATA OSI - Open Systems Interconnection (Reference Model ) ESP- Encapsulating Security Payload TCP- Transmission Control Protocol TCP Addresses A and B ; Routing Addresses C and D NAL 46

47 IPsec Basics (cont.) Data Protection Modes ESP DES-CBC Transform HMAC-MD5 HMAC-SHA Cryptographic Modes Layer 3 Psec OS SI Network A B IP C D IP or AH or both ESP ESP X Confidentiality IX X X Data Integrity X X Source Authentication X X Replay Protection A B IP Transport Mode DATA Tunnel Mode DATA ESP trlr ESP trlr IKE Internet Key Exchange PKI (DH Key Agreement) Security Associations Hash Selection Authentication Method etc. Data Traffic Modes Key Exchange Modes TCP Addresses A and B ; Routing Addresses C and D 47

48 Summary 48

49 Summary First, hard to take facts about crypto-functional network security: 1. The commercial industry has not embraced crypto-functional network security in a major way (excluding the military): a. A 10% premium for secure SW/HW implementations was thought to be sellable, but turned out not to be the case b. PKI (DCs) has been around for decades, but its use is far from universal 2. Low data rate ( , etc.) crypto-functional security is available for about $300/year, but how many of us actually use it? a. For MS Office 2007, click Outlook, Help, Security Options, Security, Get a Digital ID; this will bring you to a site for selection of a DC company: 3. High data rate crypto-functional security is usually hard to implement, requiring security professionals (inside company or contracted): a. For symmetric key infrastructures, issues will revolve around key exchange b. This requires a separate key manager/server architecture on the network c. With all well and done, the fact remains that >90% of security breeches come from within the company, carelessness or intentional breeches 49

50 Summary (cont.) Second, there is actually good news about network security: 1. For medium data rate IPsec functionality, the MS Windows Server 2003 (and new Rev s) has matured, providing transparent : a. Said to be at reasonable comparative cost b. Does not require a professional security staff c. Has eight network architecture scenarios d. Base document available at: l 2. Cisco (and others) equivalent IPsec servers available now 3. For pipe speed crypto-functional ti security, there is hope that t future crypto chips will find themselves on the PC motherboard, next to the up. These will be equipped with transparent key change systems; more functional IKE, StealthKey, or other 50

51 Backup charts 51

52 Things you don t want in the digital data stream for Security Reasons Don t want REPEATS of bit sequences (often called collisions) Repeats of ciphertext related to the ECB encryption mode or the encryption algorithm used Replaying of frames after reset of the ESP Sequence Number Repeats in the CBC encryption mode (reset of permutation sequences) Counter reset in the Counter Mode encryption mode Packet sequence number rollovers Don t want FLAGS followed by an event Flags or bit sequences related to a Key-Change Time ticks, time marks, or TOD related to key changes Initialization preambles Don t want Precision SYNCHRONIZATION elements in general 52

53 Need for 10 Gbps Replaying of frames after reset of ESP Sequence Number (SN) Collisions in CBC Mode Counter reset in Counter Mode (CM) Same key for the 2 32 or 2 64 set of frames: 32 bit SN: 2 32 frames 64 bit SN: 2 64 frames Re-keying: 32 bit SN, frames of 64 bytes: 220 seconds 32 bit SN, frames of 2112 bytes: 121 min 64 bit SN: Not relevant Same key for the 2 32 or 2 64 set of blocks: 3DES: 2 32 blocks AES-128: 2 64 blocks Re-keying: 3DES: 27.5 seconds AES-128: Not relevant Re-keying must be before counter reset! Re-keying: 3DES, AES-128, frames of 64 bytes: 220 seconds 3DES, AES-128, frames of 2112 bytes: 121 min 53

54 Exhaustive Key Search Key Size (bits) Time (1ųs/test) Time (1ųs/10 6 test) mins 2.15 msec days 550 msec years hours 64 ~500,000 years 107 days x years 5 x years For comparison, the lifetime of the universe (assuming it is closed) is estimated at years 54