24. Principles of Network Security/ Internet Attacks and Defenses

Transcription

1 24. Principles of Network Security/ Internet Attacks and Defenses n Basic principles n Symmetric encryption n Public-key encryption n Signatures, authentication, message integrity n Denial-of-Service & Distributed Denial-of- Service n Attacks on the Internet Routing System n General Defense Mechanisms John DeHart Based on material from Jon Turner, Roch Guerin and Kurose & Ross

2 Course Evaluation Time n Nov. 17 Dec 9 n Please complete it. n They are helpful to us. n 2

3 Four Elements of Network Security n Confidentiality» only sender, intended receiver should understand message» sender encrypts message, receiver decrypts n Authentication» sender, receiver want to confirm identity of each other» Use of certification of authenticity issued by trusted entity n Message integrity» sender, receiver want to ensure message not altered (in transit, or afterwards) without detection n Access and availability» services must be accessible and available to users 3

4 4 A Traditional Model of Security Alice Bob channel data, control messages data Secure Sender Secure Receiver data Trudy n Alice & Bob want to communicate securely n Trudy (intruder) may intercept, delete, add, and modify messages

5 The Language of Cryptography K A Alice s encryption key Bob s decryption K B key plaintext encryption algorithm ciphertext decryption algorithm plaintext m plaintext message K A (m) ciphertext, encrypted with key K A m = K B (K A (m)) Note that K A and K B need not be identical, i.e., symmetric vs. asymmetric encryption 5

6 Simple Encryption Scheme n Substitution cipher» substituting one thing for another» Mono-alphabetic cipher: substitute one letter for another plaintext: abcdefghijklmnopqrstuvwxyz ciphertext: mnbvcxzasdfghjklpoiuytrewq plaintext: bob. i love you. alice ciphertext: nkn. s gktc wky. mgsbc Encryption key: mapping from set of 26 letters to set of 26 letters (26! Possible mappings to choose from) 6

7 Breaking an Encryption Scheme n Cipher-text only attack» Trudy just has ciphertext she can analyze» two approaches: brute force: search through all keys statistical analysis e.g., using fact that e is most common letter n Known-plaintext attack» Trudy has at least some plaintext corresponding to ciphertext» e.g., in mono-alphabetic cipher, Trudy determines pairings for a,l,i,c,e,b,o, n Chosen-plaintext attack» Trudy can get ciphertext for chosen plaintext n Ideally, an encryption scheme should be resistant to even a chosen-plaintext attack 7

8 Block Cipher Encryption (1) n Transposition block cipher» Changing the order of the input» a.k.a. a scrambler 3-bit block: bit transposed block: input: ciphertext: Encryption key: permutation of k-bit blocks (k!=6 distinct permutations for k=3, i.e., key of size log 2 k! or log 2 3! = 3 bits) Why 3 bits? What do we use the 3 bits to identify? 8

9 Block Cipher Encryption (2) n Substitution block cipher» Maps a k-bit block to another uniquely distinct k-bit block» k-bit block input is one out of 2 k possible input» Substitution applies permutation to all possible 2 k inputs input: x8 decoder ciphertext: blocks permutation 3x8 decoder Encryption key: permutation among 2 3 =8 3-bit blocks (8! =40,320 distinct permutations, i.e., key of size log 2 8! = 16 bits Why 16 bits? What do we use the 16 bits for? 9

10 Symmetric Key Cryptography K S K S plaintext message, m encryption algorithm ciphertext K S (m) decryption algorithm plaintext m=k S (K S (m)) n Symmetric key cryptography» Bob and Alice share same (symmetric) key: K S» e.g., key is knowing substitution pattern in mono alphabetic substitution cipher n Main issue: how do Bob and Alice agree on key value?» need a separate, secure channel (to exchange key)» governments can use couriers, but that s not a practical solution for individuals over the Internet 10

11 Block Ciphers n DES is an example of a block cipher» encrypts fixed length chunks separately (each chunk is a letter in an alphabet of size 2 k, where k is the chunk size in bits) n Naive implementation can be vulnerable» if each block is encrypted in the same way, repeated clear-text blocks produce repeated cipher-text blocks» statistics of repeated blocks can aid attacker n Cipher Block Chaining (CBC) used to address this» makes identical clear-text blocks look different when encrypted» example: each clear-text block m is xor-ed with a different random value before encryption start with random Initialization Vector (IV) and xor this with first block before encrypting (IV sent to receiver, but need not be secret) before encrypting each subsequent block, xor it with the ciphertext of the previous block 11

12 General Cipher Block Chaining n Repeat across independent blocks (IV = Initial Vector can be sent in the clear) Block 1 Block 2 Block 3 Block 4 IV XOR DES DES DES DES Cipher 1 Cipher 2 Cipher 3 Cipher 4 n Any other cipher block encryption can be used in lieu of DES 12

13 Data Encryption Standard (DES) n Block cipher with cipher block chaining» 56-bit symmetric key, 64-bit plaintext input n How secure is it?» DES Challenge: 56-bit-key-encrypted phrase decrypted (brute force) in less than a day in January 1999» no known good analytic attack» Has been withdrawn as a NIST standard. n More secure variant» 3DES: encrypt 3 times with 3 different keys» Advanced Encryption Standard (AES) replaced DES in 2001 processes data in 128 bit blocks 128, 192, or 256 bit keys a computer that could break DES in one second (by brute force) would need 149 trillion years to break AES 13

14 DES Cipher DES operation (encryption by obfuscation) n encrypt 64 bit chunks n initial permutation n 16 identical rounds of function application, each using different 48 bits of key = F(56 bit key) n final permutation 14

15 Public Key Cryptography n The problem with symmetric keys» They require sender & receiver to know a shared secret key» ok for governments perhaps, but no good for public internet n Public key cryptography» radically different approach [Diffie-Hellman76, RSA78]» built around idea of one-way functions that are easy to compute, but computationally difficult to invert» uses two keys public key known to all (used to encrypt messages) private key known only to message recipient (used to decrypt)» since no common shared key, allows communication with strangers over insecure network» drawback: computationally expensive for large messages in practice, used to encrypt and share symmetric keys 15

16 16 Public Key Cryptography K +B Bob s public key K B Bob s private key plaintext message, m encryption encryption algorithm algorithm ciphertext K +B (m) decryption algorithm plaintext message m=k B (K +B (m))

17 One-Way Functions n Function that is easy to compute, hard to invert» example: easy to multiply two large prime numbers, but hard to find prime factors of a large composite number no known method that is substantially better than trial-and error a 300 digit number has about candidate factors n Key idea leading to practical public-key encryption» compute product of two large primes and make product public, while keeping prime factors private» product can be used to encrypt message, but to decrypt it, you must know the prime factors n RSA method based on this idea» named for its inventors Rivest, Shamir and Adelman n Alternate one-way functions have been proposed» based on variety of hard (NP-complete) computational problems 17

18 18 Background: Modulo Arithmetic n x mod n = remainder of x when divided by n n Basic properties [(a mod n) + (b mod n)] mod n = (a+b) mod n [(a mod n) (b mod n)] mod n = (a b) mod n [(a mod n) * (b mod n)] mod n = (a*b) mod n n Consequently, (a mod n) d mod n = a d mod n = [(a mod n) l mod n]* [(a mod n) d-l mod n] mod n n Example: a=14, n=10, d=3: (a mod n) d mod n = (14 mod 10) 3 mod 10 = 4 3 mod 10 = 64 mod 10 = 4 a d = 14 3 = 2744 a d mod 10 = 4

19 19 Creating an RSA Key Pair 1. Choose two large prime numbers p, q (say, 1024 bits long) and compute n=pq 2. Choose a number e<(p 1)(q 1) with no common factor >1 with (p 1) (q 1), i.e., e and (p 1)(q 1) are relatively prime 3. Choose a number d such that ed 1 is a multiple of (p 1)(q 1) equivalently, d = (k(p 1)(q 1)+1)/e for some positive integer k 4. Public key K + =(n,e), private key K =(n,d) 5. Advertise K + but keep K private, and discard (do not disclose) p and q (if p and q are known, e and d can be easily inferred) Example with small numbers: p=5, q=7, n=35, (p 1)(q 1)=24, e=5, d=29 (d = (6*4*6+1)/5 = 29 for k=6, p-1=4, q-1=6, e=5 ) Dependent on having an efficient way to generate large prime numbers and efficient ways to select e and d

20 20 RSA Encryption/Decryption Sending encrypted message to owner of (K + K ) n Given (n,e), (n,d) as discussed, and message m<n» m MUST be less than n n Encrypt by computing K + (m) = c = m e mod n n Decrypt by computing K (c) = c d mod n = m (you need to know d to successfully decrypt a message) n This works because c d mod n = (m e mod n) d mod n = m ed mod n = m ed mod (p 1)(q 1) mod n * = m 1 mod n = m ** * by the magic of number theory ** since ed mod (p-1)(q-1) = 1 by construction of d and m<n

21 From number theory, p & q prime with n = pq implies a b mod n = a bmod[( p 1)( q 1)] mod n So that ( ) m e mod n d mod n = = m m ed ed mod n [ mod( p 1)( q 1) ] mod n Since ed=1 mod (p-1)(q-1) by construction of d = = m m 1 mod n

22 RSA Encryption/Decryption Sending encrypted message to owner of (K + K ) n p and q are prime. n = pq n Then number theory gives us:» x y mod n = x y mod (p-1)(q-1) mod n n Choose e<(p 1)(q 1) such that e and (p 1)(q 1), relatively prime n Choose d such that ed 1 is a multiple of (p 1)(q 1)» ed = k(p 1)(q 1)+1 for some positive integer k» ed mod (p-1)(q-1) = (k(p-1)(q-1) + 1) mod (p-1)(q-1) = 1 Because (xy + 1) mod y = 1 n Message m < n n Encrypt: K + (m) = c = m e mod n n Decrypt: K (c) = c d mod n = m n This works because c d mod n = (m e mod n) d mod n = m ed mod n = m ed mod (p 1)(q 1) mod n (number theory) = m 1 mod n (see above) = m (m < n) 22

23 Simple RSA Example 1. Pick p=7, q=11 prime» n = pq = 77, z = (p-1)(q-1) = Choose Encryption key e<n such that e & z are relatively prime:» e = pick Decryption key d such that ed [mod z] = 1» d = 53 (53 x 17 = 901 which mod 60 is 1) 4. Pub. Key: (n,e)=(77,17); Priv. Key: (n,d)=(77,53) n Assume message value of m = 9 encode it as c = 9 17 [mod 77] = 4, decode this as 4 53 [mod 77] = 9 Note: If too big, compute x y mod v progressively, i.e., (x mod v) y mod v 23

24 Simple RSA Example encode it as c = 9 17 [mod 77] = 4, decode this as 4 53 [mod 77] = 9 Note: If too big, compute x y mod v progressively, i.e., (x mod v) y mod v c = 9 17 [mod 77] = ((9 2 mod 77) 8 * (9 mod 77)) mod 77 = ((81 mod 77) 8 * 9) mod 77 = ((4 mod 77) 8 * 9) mod 77 = ((256 mod 77) * (256 mod 77) * 9) mod 77 = (25 * 25 * 9) mod 77 = ((125 mod 77) * (5 * 9 mod 77)) mod 77 = (48 * 5 * 9) mod 77 = ((240 mod 77) * (9 mod 77)) mod 77 = ( 9 * 9) mod 77 = 4 24

25 Simple RSA Example encode it as c = 9 17 [mod 77] = 4, decode this as 4 53 [mod 77] = 9 Note: If too big, compute x y mod v progressively, i.e., (x mod v) y mod v c = 9 17 [mod 77] = ((9 2 mod 77) 8 * (9 mod 77)) mod 77 = ((81 mod 77) 8 * 9) mod 77 = ((4 mod 77) 8 * 9) mod 77 = ((4 6 mod 77) * (4 2 * 9 mod 77)) mod 77 = ((4096 mod 77) * (16 * 9 mod 77)) mod 77 = (15 * 16 * 9) mod 77 = (3 * 80 * 9) mod 77 = (3 * 3 * 9) mod 77 = 4 25

26 More About RSA Operation n To break RSA, need to find d, given e and n» this can be done if we know (p 1)(q 1), but that requires knowing p and q» and that requires being able to factor n, which is hard n Session keys» exponentiation required by RSA is expensive for large values because multiplication time grows as product of the number of bits» in practice, use RSA to exchange session keys for use with symmetric encryption method like AES n Keys can also be reversed useful for authentication» Sign with K (private) and verify signature with K + (public) K (K + (m)) = m ed mod n = m = m de mod n = K + (K (m)) 26

27 Elements of Network Security n Confidentiality» only sender, intended receiver should understand message» sender encrypts message, receiver decrypts n Authentication» sender, receiver want to confirm identity of each other» Use of certification of authenticity issued by trusted entity n Message integrity» sender, receiver want to ensure message not altered (in transit, or afterwards) without detection n Access and availability» services must be accessible and available to users 27

28 Digital Signatures n Authentication n Digital signatures allow user to sign a document in a way that can t be forged» this ensures that user cannot repudiate a signed document n A can sign a message by encrypting it using A s private key» message can then be decrypted using A s public key» so long as no one but A has access to the private key, the message must have come from A n A can also encrypt message using B s public key to provide privacy» K +B (K A (m))=c => K +A (K B (c))=m» Only B can decrypt it and B can confirm it came from A. 28

29 Certificate Authorities n Public-key systems require a secure way of making public keys available» can t simply start by exchanging public keys in the clear, as this allows a man-in-the-middle attack intruder, sitting between A and B, can substitute its own public key, causing A to encrypt messages using intruder s public key intruder can then snoop on messages and re-encrypt using B s public key, so B can t detect intrusion n Certificate Authority (CA) vouches for the association between a user and their public key» CA provides Bob with signed certificate of Bob s identity CA encrypts Bob s identifier and public key using CA s private key» so, Alice decrypts certificate using CA s public key public keys for reputable CAs built in to browsers» security depends on trustworthiness/reliability of CAs 29

30 Elements of Network Security n Confidentiality» only sender, intended receiver should understand message» sender encrypts message, receiver decrypts n Authentication» sender, receiver want to confirm identity of each other» Use of certification of authenticity issued by trusted entity n Message integrity» sender, receiver want to ensure message not altered (in transit, or afterwards) without detection n Access and availability» services must be accessible and available to users 30

31 Verifying Message Integrity n How do we prevent an intruder from tampering with messages?» can encrypt and sign messages, but is this necessary? n Use a hash function h to produce message digest» sender computes h(m) and sends pair (m,h(m+s)=mac) s is a shared secret, hash value is Message Authentication Code» receiver computes h(m+s) and compares to received value» requires hash function that is hard to invert MD5, SHA-1, SHA-2, SHA-3 are commonly used cryptographic hash functions n Can also use this to reduce effort for digital signatures» sender encrypts h(m) and sends pair (m, K (h(m)))» receiver computes h(m) and compares it to received value, after decrypting it using sender s public key 31

32 Sample Material from Arbor Networks 2014 Report n Report originating primarily from ISPs and ICPs n DDoS traffic attacks are the main threat with many exceeding the 100Gbps (up to over 300 Gbps)» Bandwidth/volumetric attacks are the most common, but sophisticated application layer attacks are on the rise http GET flood attacks are among the most common application layer DDoS attacks https has become a main target for application layer attacks» DNS based attacks remain common and effective, e.g., DNS reflection/ amplification attacks» Most DDoS attacks target customer sites, but there is a growing number of DDoS attacks against the Internet infrastructure n Data centers have been a main target of attacks (attacks often overwhelm their Internet connectivity) n In contrast, cloud services have surprisingly not seen too many attacks n Defense solutions that are IPv6 capable remain rare 32

33 Elements of Network Security n Confidentiality» only sender, intended receiver should understand message» sender encrypts message, receiver decrypts n Authentication» sender, receiver want to confirm identity of each other» Use of certification of authenticity issued by trusted entity n Message integrity» sender, receiver want to ensure message not altered (in transit, or afterwards) without detection n Access and availability» services must be accessible and available to users 33

34 Traffic Attacks & Defenses Overview n Access and Availability n Traffic attacks: The goal is to overwhelm the target s resources at either the network or host/application level» Network attacks DNS amplification attack: Requires access to open DNS server and use of spoofed addresses (that of the target) Bandwidth flooding: If you have a large enough botnet, you can generate lots of traffic without resorting to address spoofing» Application attacks TCP SYN attack: Seeks to exhaust server state resources by opening lots of fake connections HTTP GET flood: Same concept but with HTTP TCP shrew attacks: takes advantage of TCP s own behavior (more on later slide) n Defenses: Aimed at detecting, redirecting, and preventing attacking packets from reaching their target (or the target s network)» Address filtering: Primarily aimed at countering address spoofing» Unicast Reverse Path Filtering (urpf): Discards traffic arriving from incorrect or invalid interface (only works when routing is symmetric)» Black holes and sink holes: Used to attract unwanted traffic (backscatter) or redirect traffic for attack target 34

35 First Some Definitions n Bogon prefix» route that should never appear in an internet routing table. Private, reserved, unallocated, etc.» Often used by attackers as their source address.» IANA maintains bogon list» IPv4 bogon list is shrinking as address space is used up. n Internet Background Noise (IBN)» Packets addressed to addresses or ports where there is no network device to receive them. n Backscatter» IBN resulting from DDoS attack using spoofed addresses 35

36 RFC Report from the IAB workshop on Unwanted Traffic n n n n n n n n An underground economy» Uses IRC servers for coordination» Large number of vulnerable systems fuels the market» Locality of most laws conflicts with enforcement on a global Internet scale Backbone provider are not overly concerned about traffic attacks on their networks Access providers and their clients bear the brunt of the impact of traffic attacks» Motivated to foster the deployment of security solutions in their customers (slow adoption though 40% adoption rate per month) Enterprise network are typically better equipped with security solution» Awareness of the cost impact of attacks DNS is increasingly being attacked, and there is concern about the maturity of security extensions (DNSSEC) Main vulnerabilities» Address spoofing and its use in DDoS attacks» Route hijacking» Complexity of hard security solutions Main solutions» BCP 38 and BCP 84 (not consistently deployed)» ACLs (performance impact), black-hole routing (does the attacker s job ), and urpf (works well only in some situations)» Firewalls and app level gateways (expensive and potential performance issues) Future solutions» Information and policy sharing across stake-holders» Flow-level and deep packet inspection tools 36

37 Network Ingress Filtering n Defeating Denial of Service Attacks which employ IP Source Address Spoofing BCP 38 (RFC 2827)» BCP: Internet Best Current Practices n Covers cases involving spoofing of both unreachable as well as valid addresses» The latter can translate into a double attack, i.e., the spoofed source may now be filtered by the domain under attack, or the response traffic may swamp the unwitting source, e.g., as with a DNS amplification attack n Filter traffic entering router from a known domain to ensure that source address is from that domain. n Mentions the possibility of urpf to verify source. urpf: Unicast Reverse Path Forwarding» Not recommended because of the prevalence of asymmetric routing 37

38 Black-Hole Router n Helps identify attacks when they start, including on the network infrastructure itself n Also called Network Telescope» Targets the dark/unused address space of Internet. n Advertise reachability to prefix in bogon address space n Inferring DDoS attacks from backscatter measurements» Assumes that attackers use randomly selected spoofed addresses, with responses from victims sent back to those random source addresses» Extrapolates frequency, magnitude, and types of attacks from backscatter responses sent to address located in a quiet /8 network (1/256 th of the Internet address space) 38

39 39 Sink Holes n The network equivalent of a honey pot: One or more dedicated network/router that seeks to attract or divert attack traffic and support its analysis» A double monitoring and defense role» Advertise host route for server under attack Diverts all attack traffic to sink hole network» Advertise default route in local domain Pulls in all internal (and external) junk traffic, e.g., to bogon address space n Other uses» Monitoring scanning of infrastructure addresses (pre-attack) By advertising default route of routed for bogon IPs» Monitoring activity on dark space (worms for locally infected clients)» Capture backscatter, i.e., responses (from attack victims) to bogon address space and addresses spoofed by attackers

40 DNS Attacks n Redirecting traffic to an attacker by hijacking DNS replies» Faking a response to a query requires only spoofing a source address and guessing an ID field value (DNS has no authentication)» This together with DNS caching behavior makes it easy to implement various DoS attacks a.k.a. cache poisoning (setting the TTL value of the reply to a high value will ensure that resolvers keep the fake answer for a long time)» The scope of cache poisoning can range from a single client to a slave primary server handling an entire zone (the attack then targets the zone transfer messages)» DNSSEC (RFCs 4033, 4035) adds one-way authentication to DNS responses, i.e., provides data integrity and origin authentication 40

41 DNS Attacks (continued) n DNS Amplification Attack» Attacker issues DNS request with source address spoofed to target machine Request asks for large amount of data, type ANY.» Amplification is a function of the number of replies that can be directed to the host under attack, and the size of those replies (creating fake DNS records that can be used during attacks can significantly augment the size of the DNS replies) n DNSSEC does not prevent DNS amplification attacks» They only require spoofing the source address of DNS queries, but depend on access to open DNS servers 41

42 Application Layer attacks: Low-Rate TCP- Targeted Denial of Service Attacks n Most servers now have mechanisms to defend against TCP SYN attacks, so attackers need to be a bit more creative n Rather than blast traffic to swamp a server, take advantage of TCP s behavior to mount effective attacks that are harder to detect (low rate) n Relies on sending properly timed short periodic bursts of packets» Packet bursts induce multiple losses and delay retransmissions for RTO RTO: Retransmission TimeOut» Another burst after another RTO can result in many/most flows experiencing repeated time-outs n Effective even in the presence of flows with heterogeneous RTO and RTT values» Select appropriate intermediate RTO value» Can actually force the time-out synchronization of heterogeneous flows n Neither router based schemes (RED-PD) nor end-host based schemes (RTO randomization) are able to successfully detect or diffuse the attacks 42

43 Attack on Routing Protocols n Attacks basically involve either disrupting the router s timely access to routing information, e.g., through standard DoS attacks, or injecting false routing information n Avoiding those problems calls for securing routers communications, e.g., through authentication (MD5), and limiting/filtering who can talk to a router and the kind of information they can send, e.g., TTL hack or route filters» MD5 authentication is expensive, so that it could itself be used to mount a DoS attack on a router» As a general rule, routers should not be accessible or visible from the outside (make it hard to mount application layer attacks on them)» Enable bogus route filtering at peering points» Limit TTL of incoming routing protocol packets (your peer is typically close one hop- so that limiting TTL values will prevent most remote attacks)» Use urpf at the edges to validate origin of protocol messages (symmetric routing usually holds for direct connections or connection to nearby peer) n Introduce Secure Origin BGP (sobgp) 43

44 Some OSPF Attacks n MaxAge OSPF attack is essentially a DoS attack that affects the reachability of the target subnets as they are flushed from the database n The Sequence++ attack can trigger instabilities by having the attacker and owning router continuously generate new LSAs n Sending lots of T5 LSAs from a compromised ASBR can overwhelm the routing tables of internal routers n All those attacks, except possibly the last one, can be defeated through proper LSA authentication 44

45 RFC BGP Security Vulnerabilities Analysis n BGP s three main vulnerabilities 1. No strong protection for integrity and freshness of messages, and peer authenticity, except for TCP MD5 2. No ability to validate the authority of an AS to announce a prefix 3. No ability to validate the authenticity of path attributes n BGP attacks» Resetting a BGP session and deleting all the associated routing information» Hijacking prefixes by advertising shorter paths» Diverting prefix traffic (through attacker s AS) by advertising longer prefixes 45

46 BGP Man-In-The-Middle Attacks n Man-in-the-Middle attack» Hijack address block by advertising more specific prefixes, but ultimately deliver the traffic to its intended destination (can still sniff or alter traffic) n Detection is difficult» Can easily defeat traceroute through TTL increases» Can easily omit including its own AS number to avoid association with the attack» An external monitor with global perspective is needed n Detection mechanisms» External monitor that knows about all your legal prefix advertisements Needs to peer at multiple locations to make sure it has enough coverage» Cross-check with registry systems» Use information from the two AS_PATH segments present in a man-inthe-middle attack, i.e., check if ASes from first segment actually see the more specific prefixes 46

47 BGPSEC draft-ietf-sidr-bgpsec-protocol-10 draft-ietf-sidr-bgpsec-overview-05 n Introduces extensions to BGP to protect the integrity of the AS_PATH and validate the authority of the source AS to originate a route» Addition of a BGPSEC_Path_Signature attribute that includes a nested sequence of signatures protecting the AS_PATH segments as they are built n Additional processing required to validate the integrity of the AS_PATH and the origin AS authority» This involves information retrieved from both the BGP message and from a local cache of information extracted from valid RPKI objects n A chicken-and-egg adoption dilemma» Useful only when most of the Internet has adopted it, and requires some significant modifications to existing operational procedures 47

48 48 Exercises 1. Consider a system for distributing keys, based on the existence of a central key master. Every user has an individual key known to them and the key master. When two users want to communicate, they request a new session key from the key master, which creates a key and sends a copy to each, using their individual key. Does such a system really help with the key distribution problem? Could such a system be made secure? What vulnerabilities might it have? Any other drawbacks?

49 Exercises 1. Consider a system for distributing keys, based on the existence of a central key master. Every user has an individual key known to them and the key master. When two users want to communicate, they request a new session key from the key master, which creates a key and sends a copy to each, using their individual key. Does such a system really help with the key distribution problem? Could such a system be made secure? What vulnerabilities might it have? Any other drawbacks? A system closely related to this system is the basis of the Kerberos system that has been effectively used for key distribution in local networks. There are, however, a number of issues that need to be addressed to offer a meaningful solution. One of them is the fact that the approach is open to replay attacks. Another is the need for synchronization between parties before they can communicate securely. Without this, one side may need to buffer messages, which would allow simple DoS attacks. One approach to handle this issue is to have the server send both keys (encrypted) to on party, and have that party forward the second key to the other party before sending any data. Other issues with the basic version of such a system is scalability because of reliance on a centralized server 49

50 Exercises 2. Consider a simple block cipher that uses 4 bit blocks, where each block is encrypted by adding 3 to it and discarding any overflow bits. So for example, becomes To make this more secure, we add cipher block chaining. Suppose the initial vector is What is the cipher text corresponding to the following clear text?

51 Exercises 2. Consider a simple block cipher that uses 4 bit blocks, where each block is encrypted by adding 3 to it and discarding any overflow bits. So for example, becomes To make this more secure, we add cipher block chaining. Suppose the initial vector is What is the cipher text corresponding to the following clear text? We start by adding (mod 2) 1011 to 0101, which gives 1110, to which we add 3=0011 to get 0001 after discarding the overflow bits. Next 0001 is added (mod 2) to 1011, which gives 1010, to which we add 3 to get Finally, 1101 is added (mod 2) to 0011, which gives 1110, to which we add 3 to get Hence the resulting three cipher blocks are

52 52 Exercises 3. Consider the RSA key pair (91,5), (91,29). Assume the first is the encryption key and the second is the decryption key. What is the encrypted value of the number 10? (Hint: 10 2 mod 91=9)

53 Exercises 3. Consider the RSA key pair (91,5), (91,29). Assume the first is the encryption key and the second is the decryption key. What is the encrypted value of the number 10? (Hint: 10 2 mod 91=9) Recall that given (n,e), (n,d) and message m<n Encrypt by computing K + (m) = c = m e mod n Decrypt by computing K (c) = c d mod n = m So c = 10 5 mod 91 = (10 2 mod 91)*(10 2 mod 91)*10 mod 91 = 9*9*10 mod 91 = 810 mod 91 = 82 53

54 54 Exercises 4. Consider (31,5), (31,11) as a possible RSA key pair. Does it satisfy the requirements for such a key pair (ignore the fact that the values are too small)? Why or why not? What about (77,5), (77,43)? What about (77,7), (77,43)?

55 Exercises 4. Consider (31,5), (31,11) as a possible RSA key pair. Does it satisfy the requirements for such a key pair (ignore the fact that the values are too small)? Why or why not? What about (77,5), (77,43)? What about (77,7), (77,43)? n=31 is a prime number itself, and so cannot be the product of two primes, i.e., be of the form n=pq with p,q>1. Hence (31,5), (31,11) cannot be a possible RSA key pair. n=77=7*11 is the product of two primes, but e =5 <n has a factor in common with (p-1)(q-1)= 60 = 5*3*2, namely 5. Hence, (77,5), (77,43) is also not a possible RSA key pair. Note that it is also not possible to find a d value that satisfies 5*d=k*60+1, since any such d is of the form d = 5*k+0.2. (77,7), (77,43) satisfies the conditions that 77=n=pq=7*11 is the product of two primes and e=7 is relatively prime with (p-1)(q-1)=60. We also have d = 43 = (5*6*10+1)/7, which satisfies the condition d = (k(p 1)(q 1)+1)/e. Hence (77,7), (77,43) is a valid RSA key pair. 55

56 56 Exercises 5. Construct a valid RSA key pair using p=11, q=13.

57 Exercises 5. Construct a valid RSA key pair using p=11, q=13. We have n = 143, and (p-1)(q-1) = 10*12 = 120 =2*2*2*3*5. We can, therefore, choose e = 7*11 = 77. Next, we need to pick d so that d = (k(p 1)(q 1)+1)/e = (k*120+1)/77 for some value of k. A value of k = 34 yields d = (34*120+1)/77 = 53. Hence, (143,77), (143,53) is a valid RSA key pair. 57

58 58 Exercises 6. Suppose that we distributed public keys by simply posting them on the internet on a public web site. Users would then retrieve keys using their web browser and http. Why is this not an acceptable solution to the key distribution problem? How might you change it to make it workable? How does this compare to the approach that uses certificate authorities?

59 Exercises 6. Suppose that we distributed public keys by simply posting them on the internet on a public web site. Users would then retrieve keys using their web browser and http. Why is this not an acceptable solution to the key distribution problem? How might you change it to make it workable? How does this compare to the approach that uses certificate authorities? Posting a key on the Internet does not address the issue of certifying the association of an entity s identity with the key. Addressing this issue would require that the hosting company of the public web site on which keys are posted, perform an identity verification step of the stated identity of the entity posting the key. This is in a sense similar to the verification step that is required from any Certification Authority. 59