Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Transcription

1 Network Security Gaurav Naik Gus Anderson, Philadelphia, PA

2 Lectures on Network Security Feb 12 (Today!): Public Key Crypto, Hash Functions, Digital Signatures, and the Public Key Infrastructure Feb 14: Key Agreement, Management and Distribution Feb 19: Applications: SSL, SSH, and IPSEC Feb 21: Security Lab: OpenSSL CA and Wireshark

3 Public Key Cryptography, Hash Functions, and Digital Signatures Gaurav Naik, Philadelphia, PA

4 Agenda Public Key Crypto Systems Cryptographic Hash Functions Digital Signatures Public Key Infrastructure and Trust

5 Public Key Systems Public Key Encryption Each party has a PAIR of keys (K, K -1 ) D K -1 [E K [M]] = M E encryption function (one-way) D decryption function M is the message K is public and used by anyone to encrypt K -1 is the private key - used for decryption only

6 Public Key Systems One-way Function E must be a one-way function Y= E K [x] f: {0,1} * -> {0,1} * is a trapdoor function, iff f(x) is a one way function -- given that it becomes feasible to compute f -1. Given y, find x such that y = f(x)

7 A bit of history PK Crypto concept invented in 1976 by Diffie and Hellman Approach described by Rivest, Shamir, and Adleman (RSA) in 1978 Most proposals have been broken RSA and El Gamal are viable

8 Public Key Systems Notation E - Encryption Function D - Decryption Function M - Plaintext Message C - Encrypted Message (Cipher text) K - Public Key K -1 - Private Key

9 Public Key Systems RSA Key Generation 2 prime numbers of the same size (p and q) Need to prevent discovery of p and q by exhaustive search n = p * q Select e, 1 < e < (p-1)(q-1) s.t. gcd(e, (p-1)(q-1)) = 1 Euclidian algorithm for determing whether 2 numbers are coprimes Compute d, 1 < d < (p-1)(q-1) s.t. e * d 1 mod (p- 1)(q-1) Public Key, K is (e, n) Private Key, K -1 is (d)

10 Public Key Systems RSA Encryption Introducing: Alice and Bob Used by Rivest in original paper Bob wishes to send Alice a message, M Alice has provided Bob with her public key K(e, n) Bob encrypts the message, M as follows: C = M e mod n (m < n)

11 Public Key Systems RSA Decryption Alice receives the encrypted message C, and wishes to reveal the secret message M M = C K-1 mod n = (M e ) d mod n = M ed mod n C K-1 = M mod n

12 Public Key Systems Example, Key Generation 2 prime numbers of the same size (p and q) p = 7, q = 17 (not large) n = p * q n = 119 Select e, 1 < e < (p-1)(q-1) s.t. gcd(e, (p-1)(q-1)) = 1 6 * 16 = 96, e = 5 Compute d, 1 < d < (p-1)(q-1) s.t. e * d 1 mod (p- 1)(q-1) d = 5-1 mod 96 = 77 Public Key, K is (e, n) e = 5, n = 119 Private Key, K -1 is (d) d = 77

13 K (5, 119) K -1 (77) Public Key Systems Example Encryption Bob wishes to send Alice the message, M. M = 19 Bob encrypts the message using Alice s public key, K C = M e mod n (m < n) C = 19 5 mod 119 = 66

14 K (5, 119) K -1 (77) Public Key Systems Example Decryption Alice receives the message, C C = 66 Alice applies the following function: M = C K-1 mod n = M mod n M = mod 119 = 19 mod 119

15 Agenda Public Key Crypto Systems Cryptographic Hash Functions Digital Signatures Public Key Infrastructure and Trust

16 Hash Functions Math Basics Function [ Given 2 sets, X and Y, a function f: x -> y is a relation that uniquely associates members of X with members of Y ] Image [ is set the set of y that have at least one preimage ] Injection [ one to one ] Surjection [ onto ] Bijection [ one to one and onto ] Inverse

17 Hash Functions Integrity and Authentication As opposed to Encryption Which does not protect messages from modification during transmit How can we ensure that a message arriving at the destination is in its original form as sent by the sender?

18 Hash Functions Hash Functions Maps of message of size n bits to a fixed length strength m bits -- where m < n. Mapping of many-to-one -- collisions can occur Applications Data Integrity Message Authentication One-time passwords Digital Signatures (more on this later)

19 Hash Functions Hash Function Requirements Preimage resistance Given h, it should be hard to find any M, s.t. h = H(M) 2nd preimage resistance Give an input m 1, it should be hard to find another input, m 2 (not equal to m 1 ) s.t. H(M 1 ) = H(M 2 ) (weak collision resistance) Collision-resistant It should be hard to find any 2 messages, M 1 and M 2 s.t. H(M 1 ) = H(M 2 )

20 Hash Functions Birthday Paradox Given a group of people, the minimum number of people s.t. 2 will share the same birthday with probability > 0.5 is only 23. In general: given a random variable that is an integer with uniform distribution 1 and n and a selection of k instances, k < n of the random variable, what is the probability there is at least one duplicate? k n For the birthday problem

21 Hash Functions Data Integrity Hash function, H Publicly known algorithm Alice and Bob again.. Alice sends Bob a message, M. Along with M, she also sends the output, G 1, of the hash function H. G 1 = H(M) Bob receives the message, M and Alice s hash G 1. He re-computes the hash,g 2 using the same hash function H. If G 1 = G 2, then the message was not tampered with in transit.

22 Message Authentication Codes Requires shared secret key, K Hash Functions

23 Hash Functions MAC Example H, hash function Public S, Secret Key Shared between Alice and Bob A, Output of MAC Function Alice wants to send Bob a message, M. She computes, A 1 = MAC(M, H, S) Bob computes, A 2 = MAC(M, H, S). If A 1 = A 2, then message is from Alice Why? A 1 could have only been produced by the person who knew S.

24 Hash Functions MD5 Designed in 1991 by. Rivest Message Digest 5 RFC 1321 (128-bit output) Wide variety of applications Checking the integrity of files Store UNIX passwords Several weaknesses been discovered in the last 5 years Latest can find a collision within 1 minute on a laptop computer

25 Hash Functions SHA Hash Functions SHA - Secure Hash Standard. Published by NIST in 1993 (originally designed by the NSA) Produces a 160-bit hash. Similar applications to MD5. Approved for protecting unclassified US Gov t documents SHA-0, SHA-1, SHA-224, SHA-256, SHA- 384, and SHA

26 Agenda Public Key Crypto Systems Cryptographic Hash Functions Digital Signatures Public Key Infrastructure and Trust

27 Digital Signatures Digital Signatures? RSA/Public Key Secrecy Confidentiality Digital Signatures Authenticity / Integrity

28 Digital Signatures Wait What about hashes and MACs? MACs versus Hash Functions MACs provide protection against oracle attacks MACs versus Digital Signatures MACs don t provide non-repudiation* Based on a shared symmetric key * Anyone who can verify a MAC, can produce one

29 Digital Signatures Why? In the non-online world, how do we verify things? you buy something at the store, cashier will verify signature on your credit card Sign the back of a check How about in the electronic world?

30 Digital Signatures Digital Signatures What is a digital signature? A string that associates a message with some entity that produced the message What should it provide? Authentication (who sent the msg?) Data Integrity (was the message tampered with) Non-Repudiation

31 Digital Signatures The pieces Signing Input: message, and some private key Output: signature Verification Input: public key, message, and signature

32 Digital Signatures Attack Models Key-only attack Attacker is given only the public signing key Known message attack attacker is given valid signatures for a variety of messages known by the attacker but not chosen by the attacker chosen message attack attacker first learns signatures on arbitrary messages of the attacker's choice

33 Digital Signatures The Enemy Given enough time (and horsepower), one can always forge a digital signature Total Break (discovering the secret) Universal forgery (ability to forge signature for any messages) Selective Forgery (ability to forge signature on a message of choice)

34 Digital Signatures and Hash Functions Digital Signatures Hash of the message, M, is signed. NOT the entire message efficiency: hashing is faster than signing compatibility: message length integrity: longer message would have to be split into blocks and signed Function must be: Pre-image resistant Weak collision resistant Strong collision resistant

35 The Signing Process Diagram from:

36 Validation Process Diagram from:

37 Digital Signatures RSA Digital Signatures Recall: RSA Key Generation 2 prime numbers of the same size (p and q) Need to prevent discovery of p and q by exhaustive search n = p * q Select e, 1 < e < (p-1)(q-1) s.t. gcd(e, (p-1)(q-1)) = 1 Euclidian algorithm for determing whether 2 numbers are co-primes Compute d, 1 < d < (p-1)(q-1) s.t. e * d 1 mod (p-1)(q-1) Public Key, K is (e, n) Private Key, K -1 is (d)

38 Digital Signatures RSA Signing Alice wants to send Bob a message M. Alice will: Verify 0 < M < n G 1 = H(M) S 1 = G 1 d mod n Send S 1 along with M Bob will: G 2 = H(M) S 2 e mod n = G 2 S 1 = S 2?

39 Agenda Public Key Crypto Systems Cryptographic Hash Functions Digital Signatures Public Key Infrastructure and Trust

40 Public Key Infrastructure Public Keys and Trust Bob has keys: K b, K b -1 Alice has keys: K a, K a -1 How does Bob obtain Alice s public key? How does Bob know Alice s key really belongs to Alice?

41 Public Key Infrastructure Public Key Distribution Typically we assume that Bob has Alice s public key He has verified this by some other means Key Distribution Methods Public Announcement Public Directory Both methods can easily be forged/tampered

42 Public Key Infrastructure Public Key Infrastructure Diagram from:

43 Public Key Infrastructure X.509 X.509: ITU-T Standard for the public key infrastructure (1988) Defines the concept of a Certificate Certificates are issued and signed by a strict hierarchy of certificate authorities (CAs) Defines the concept of CRLs - Certificate Revocation Lists Used by most major crypto/security applications: SSL, SSH, IPSEC, etc.

44 Public Key Infrastructure X.509 Certificates Allow key exchange Binds an identity to a public key The contents of the cert are signed by the CA This can be verified by using the CA s public key Version, serial number, algorithm ID, issuer, validity, owner name, key-info, issuer unique ID, owner unique ID, extension, signature of cert

45 Public Key Infrastructure Verifying Certificates Signature of CA must verify Date Validity What happens if the user s private key is compromised? Users must check the CRL

46 Public Key Infrastructure CA Hierarchy Everyone can t use the same CA Scalability problems CAs form hierarchy Each CA has certificates for clients (forward) and parent (backward) Each client trusts parent certificates Certificates are trusted if the signature of the CA verifies A chain of CAs (head is called root CA)

47 Problem with Certificates Management and Distribution of Certificates Issues: Detection of a compromise secret key Delay of publishing the CRL The CRL can get HUGE!

48 Public Key Infrastructure Problems with CRLs Must check the CRL every time Delay between revocation and detection of revocation Key owner is responsible for protection of private key Abuse only takes seconds Not suitable for real-time online applications CRLs are valid for 24 hours - certs are valid for years

49 Next Class Key Management, Agreement, and Distribution

50 Additional Slides

51 one.drexel.edu certificate

52 one.drexel.edu

53 expired certificate

54 Cert from a non-trusted CA