Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

Transcription

1 IT 4823 Information Security Administration Public Key Encryption Revisited April 5 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles and Practice, 1/e, by William Stallings and Lawrie Brown, Chapter 6 Intrusion Detection. Final Exam The Registrar has released the final exam schedule. You can find your complete schedule in BANNER. The final exam for this course is: May 4, 4:00 5:50 PM Note the change in time from the regular course meeting time. The on-line syllabus has been updated. Rescheduling Final Exams If a student is scheduled to take three or more final exams on the same day, the student may request that exams be rescheduled. The course with the highest catalog number will reschedule the exam. Full details are here: (scroll to the bottom) Kerberos An authentication system Based on Needham-Schroeder with modification that messages carry timestamps Central server plays role of trusted third party ( Cathy ) Ticket Issuer vouches for identity of requester of service Authenticator Identifies sender Idea User u authenticates to Kerberos server Obtains ticket T u,tgs for ticket granting service (TGS) User u wants to use service s: User sends authenticator A u, ticket T u,tgs to TGS asking for ticket for service TGS sends ticket T u,s to user User sends A u, T u,s to server as request to use s Details follow Ticket Credential saying issuer has identified ticket requester Example ticket issued to user u for service s T u,s = s { u u s address valid time k u,s } k s where: k u,s is session key for user and service Valid time is interval for which ticket valid u s address may be IP address or something else 1

2 Authenticator Credential containing identity of sender of ticket Used to confirm sender is entity to which ticket was issued Example: authenticator user u generates for service s A u,s = { u generation time k t } k u,s where: k t is alternate session key Generation time is when authenticator generated Problems Relies on synchronized clocks (Denning- Sacco modification of Ottway-Rees) If not synchronized and old tickets, authenticators not cached, replay is possible Tickets have some fixed fields Dictionary attacks possible Kerberos 4 session keys weak (had much less than 56 bits of randomness); researchers at Purdue found them from tickets in minutes Public Key Key Exchange Here interchange keys known e A, e B Alice and Bill s public keys known to all d A, d B Alice and Bill s private keys known only to owner Simple protocol k s is desired session key Problem and Solution Vulnerable to forgery or replay Because e B known to anyone, Bill has no assurance that Alice sent message Simple fix uses Alice s private key k s is desired session key Alice { k s } e B Bill Alice { { k s } d A } e B Bill Notes The key exchange can include a message enciphered with k s Assumes Bill has Alice s public key, and vice versa If not, each must get it from public server If keys not bound to identity of owner, attacker Eve can launch a man-in-the-middle attack Solution to this (binding identity to keys) was discussed as public key infrastructure (PKI) Simple Hash Functions Cryptographically secure hash functions are used in message authentication, digital signatures All hash functions process input a block at a time in an iterative fashion One of simplest hash functions is the bit-by-bit exclusive-or (XOR) of each block C i = b i1 b i2... b im effective data integrity check on random data less effective on more predictable data virtually useless for data security 2

3 SHA Secure Hash Functions SHA originally developed by NIST/NSA in 1993 Was revised in 1995 as SHA-1 US standard for use with DSA signature scheme standard is FIPS , also Internet RFC3174 produces 160-bit hash values NIST issued revised FIPS in 2002 adds 3 additional versions of SHA SHA-256, SHA-384, SHA-512 with 256/384/512-bit hash values same basic structure as SHA-1 but greater security NIST intend to phase out SHA-1 use The MD5 and SHA Hashes The MD5 hash code is 128 bits; SHA is 160. So, there are or possible hashes (a lot!) The probability that two messages have the same hash code is very small. Can a message be especially crafted to have the same hash code as an arbitrary message? (Not easily.) That is the strength of the MD5 and SHA algorithms. Collision Attack A collision attack is an attack that attempts to create a message with the same hash code as some other message. A source program has a given MD5 hash. h Can you insert malicious code in the program, then change it in some other way such that it has the same MD5 hash as the good program? HMAC Widespread interest a MAC using a cryptographic hash due to speed and code availability Must incorporate key into use of hash algorithm HMAC (RFC2104) widely supported used in IPsec, TLS & SET HMAC treats hash as black box HMAC proven secure if embedded hash function has reasonable cryptographic strength Security of HMAC Security is predicated on underlying hash strength Attacker computes output even with random secret IV brute force key O(2 n ), or use birthday attack or attacker finds collisions in hash function even when IV is random and secret ie. find M and M' such that H(M) = H(M') birthday attack O( 2 n/2 ) MD5 secure in HMAC since only observe RSA Public-Key Encryption by Rivest, Shamir & Adleman of MIT in 1977 best known & widely used public-key alg uses exponentiation of integers modulo a prime encrypt: C = M e mod n decrypt: M = C d mod n = (M e ) d mod n = M both sender and receiver know values of n and e only receiver knows value of d public-key encryption algorithm with public key PU = {e, n} & private key PR = {d, n}. 3

4 RSA Example Attacks on RSA Brute force trying all possible private keys use larger key, but then slower Mathematical attacks (factoring n) see improving algorithms (QS, GNFS, SNFS) currently bit keys seem secure Timing attacks (on implementation) use - constant time, random delays, blinding Chosen ciphertext attacks (on RSA properties) Diffie-Hellman Key Exchange First public-key type scheme proposed By Diffie & Hellman in 1976 along with the exposition of public key concepts note: now know that Williamson (UK CESG) secretly proposed the concept in 1970 Practical method to exchange a secret key Used in a number of commercial products Security relies on difficulty of computing discrete logarithms Diffie-Hellman Problem: how to share a secret over an unsecure channel without public key encryption. Sender S and Recipient R agree on two values, α and q. q is prime; α is the primitive i i root of q. This is unencrypted, so an attacker can learn α and q. S and R generate secret numbers s and r. Simplified Diffie-Hellman S sends q s to R R sends q r to S S computes (q r ) s R computes (q s ) r They are equal, so S and R have a shared secret An attacker must factor q s and q r to derive r, s. (How long will that take?) Real Diffie-Hellman Example Given prime number q = 353 primitive root α = 3 A and B each compute their public keys A computes Y A = 3 97 mod 353 = 40 B computes Y B = mod 353 = 248 Then exchange and compute secret key: for A: K = (Y B ) XA mod 353 = mod 353 = 160 for B: K = (Y A ) XB mod 353 = mod 353 = 160 Attacker must solve: 3 a mod 353 = 40 which is hard desired answer is 97, then compute key as B does 4

5 Other Public-Key Algorithms Digital Signature Standard (DSS) FIPS PUB 186 from 1991, revised 1993 & 96 uses SHA-1 in a new digital signature alg cannot be used for encryption Elliptic curve cryptography (ECC) equal security for smaller bit size than RSA seen in standards such as IEEE P1363 still very new, but promising based on a mathematical construct known as the elliptic curve (difficult to explain) Questions 5