Lecture 23: Cryptography
CPE 401 / 601 Computer Network Systems
Slides are modified from Jim Kurose & Keith Ross

What is network security?
• Confidentiality: only sender, intended receiver should “understand” message contents
  – sender encrypts message
  – receiver decrypts message
• Authentication: sender, receiver want to confirm identity of each other
• Integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection
• Availability: services must be accessible and available to users

Friends and enemies: Alice, Bob, Trudy
• well-known in network security world
• Bob, Alice (lovers!) want to communicate “securely”
• Trudy (intruder) may intercept, delete, add messages
[Figure: Alice (secure sender), Bob (secure receiver) and Trudy; channel carrying data and control messages]

There are bad guys (and girls) out there!
Q: What can a “bad guy” do?
A: A lot!
  – eavesdrop: intercept messages
  – actively insert messages into connection
  – impersonation: can fake (spoof) source address in packet (or any field in packet)
  – hijacking: “take over” ongoing connection by removing sender or receiver, inserting himself in place
  – denial of service: prevent service from being used by others (e.g., by overloading resources)

The language of cryptography
• $m$: plaintext message
• $K_A(m)$: ciphertext, encrypted with key $K_A$
• $m = K_B(K_A(m))$
[Figure: plaintext → encryption algorithm (Alice’s encryption key $K_A$) → ciphertext → decryption algorithm (Bob’s decryption key $K_B$) → plaintext]

Simple encryption scheme
substitution cipher: substituting one thing for another
  – monoalphabetic cipher: substitute one letter for another

plaintext:  abcdefghijklmnopqrstuvwxyz
ciphertext: mnbvcxzasdfghjklpoiuytrewq

E.g.:
plaintext:  bob. i love you. alice
ciphertext: nkn. s gktc wky. mgsbc

Key: mapping from set of 26 letters to set of 26 letters

Polyalphabetic encryption
• n monoalphabetic ciphers, M1, M2, …, Mn
• Cycling pattern:
  – e.g., n=4, M1,M3,M4,M3,M2; M1,M3,M4,M3,M2;
• For each new plaintext symbol, use subsequent monoalphabetic pattern in cyclic pattern
  – dog: d from M1, o from M3, g from M4
• Key: the n ciphers and the cyclic pattern

Breaking an encryption scheme
• Ciphertext-only attack
  – Trudy has ciphertext that she can analyze
  – Two approaches:
    • Search through all keys: must be able to differentiate resulting plaintext from gibberish
    • Statistical analysis
• Known-plaintext attack
  – Trudy has some plaintext corresponding to some ciphertext
    • e.g., in monoalphabetic cipher, Trudy determines pairings for a, l, i, c, e, b, o
• Chosen-plaintext attack
  – Trudy can get the ciphertext for some chosen plaintext
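The known-plaintext case above, worked on the slide's own key and message, as an added example that is not part of the original slides. It assumes Trudy knows the message opens with "bob" and closes with "alice"; the function names are hypothetical.

```python
import string

# Key from the "Simple encryption scheme" slide: plaintext -> ciphertext alphabet.
PLAIN = string.ascii_lowercase
CIPHER = "mnbvcxzasdfghjklpoiuytrewq"
ENC = str.maketrans(PLAIN, CIPHER)

def encrypt(plaintext):
    """Monoalphabetic substitution; non-letters pass through unchanged."""
    return plaintext.translate(ENC)

def recover_pairs(known_plain, known_cipher):
    """Known-plaintext attack: each aligned letter pair reveals one key entry."""
    pairs = {}
    for p, c in zip(known_plain, known_cipher):
        if p in PLAIN:
            pairs[c] = p  # ciphertext letter -> plaintext letter
    return pairs

def partial_decrypt(ciphertext, pairs):
    """Decrypt what the recovered pairs cover; unknown letters become '?'."""
    return "".join(pairs.get(ch, "?") if ch in PLAIN else ch
                   for ch in ciphertext)

def demo():
    ct = encrypt("bob. i love you. alice")
    # Assumption: Trudy knows the first 3 and last 5 plaintext letters.
    pairs = recover_pairs("bob" + "alice", ct[:3] + ct[-5:])
    return ct, pairs, partial_decrypt(ct, pairs)

if __name__ == "__main__":
    ct, pairs, guess = demo()
    print(ct)
    print(sorted(pairs.values()))
    print(guess)
```

Seven recovered pairings already expose most of the message, which is why a fixed letter mapping does not survive any leaked plaintext.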

Types of Cryptography
• Crypto often uses keys:
  – Algorithm is known to everyone
  – Only “keys” are secret
• Symmetric key cryptography
  – Involves the use of one key
• Public key cryptography
  – Involves the use of two keys
• Hash functions
  – Involves the use of no keys
  – Nothing secret: How can this be useful?

Symmetric key cryptography
• Bob and Alice share same (symmetric) key: $K_S$
  – e.g., key is knowing substitution pattern in monoalphabetic substitution cipher
• Q: how do Bob and Alice agree on key value?
[Figure: plaintext message $m$ → encryption algorithm (key $K_S$) → ciphertext $K_S(m)$ → decryption algorithm (key $K_S$) → plaintext $m = K_S(K_S(m))$]

Two types of symmetric ciphers
• Stream ciphers
  – encrypt one bit at a time
• Block ciphers
  – Break plaintext message into equal-size blocks
  – Encrypt each block as a unit

Stream Ciphers
• Combine each bit of keystream with bit of plaintext to get bit of ciphertext
  – m(i) = ith bit of message
  – ks(i) = ith bit of keystream
  – c(i) = ith bit of ciphertext
  – c(i) = ks(i) ⊕ m(i)
  – m(i) = ks(i) ⊕ c(i)
[Figure: key → pseudo random keystream generator → keystream]

RC4 Stream Cipher
• RC4 is a popular stream cipher
  – Extensively analyzed and considered good
  – Key can be from 1 to 256 bytes
  – Used in WEP for 802.11
  – Can be used in SSL

Block ciphers
• Message to be encrypted is processed in blocks of k bits (e.g., 64-bit blocks)
• 1-to-1 mapping is used to map k-bit block of plaintext to k-bit block of ciphertext

Example with k=3:

input  output
000    110
001    111
010    101
011    100
100    011
101    010
110    000
111    001

What is the ciphertext for 010110001111?

Block ciphers
• How many possible mappings for k=3?
  – How many 3-bit inputs?
  – How many permutations of the 3-bit inputs?
• 40,320; not very many!
• In general, $2^k!$ mappings
  – huge for k=64
• Table approach requires table with $2^{64}$ entries, each entry with 64 bits
• Instead use function that simulates a randomly permuted table

Prototype function
• If only a single round, then one bit of input affects at most 8 bits of output
  – In 2nd round, the 8 affected bits get scattered and inputted into multiple substitution boxes
• Encrypting a large message
  – Split message into 64-bit blocks?
  – If same block of plaintext appears twice, will give same ciphertext

Cipher Block Chaining (CBC)
• Have encryption of current block depend on result of previous block
  – $c(i) = K_S(m(i) \oplus c(i-1))$
  – $m(i) = K_S(c(i)) \oplus c(i-1)$
• How do we encrypt first block?
  – Initialization vector (IV): random block = c(0)
  – Change IV for each message (or session)
• Guarantees that even if the same message is sent repeatedly, the ciphertext will be completely different each time

Symmetric key crypto: DES
• DES: Data Encryption Standard
  – 56-bit symmetric key, 64-bit plaintext input
  – Block cipher with cipher block chaining
• How secure is DES?
  – DES Challenge: 56-bit-key-encrypted phrase decrypted (brute force) in less than a day
  – No known good analytic attack
• Making DES more secure:
  – 3DES: encrypt 3 times with 3 different keys
    • actually encrypt, decrypt, encrypt

AES: Advanced Encryption Standard
• new (Nov. 2001) symmetric-key NIST standard, replacing DES
  – processes data in 128 bit blocks
  – 128, 192, or 256 bit keys
• brute force decryption (try each key) taking 1 sec on DES, takes 149 trillion years for AES

Public Key Cryptography
• Symmetric key crypto
  – requires sender, receiver know shared secret key
  – How to agree on key in first place?
    • particularly if never “met”
• Public key cryptography
  – radically different approach [Diffie-Hellman76, RSA78]
  – sender, receiver do not share secret key
  – public encryption key known to all
  – private decryption key known only to receiver

Public key cryptography
• $K_B^+$: Bob’s public key
• $K_B^-$: Bob’s private key
[Figure: plaintext message $m$ → encryption algorithm (key $K_B^+$) → ciphertext $K_B^+(m)$ → decryption algorithm (key $K_B^-$) → plaintext message $m = K_B^-(K_B^+(m))$]

Public key encryption algorithms
Requirements:
1. need $K_B^+(\cdot)$ and $K_B^-(\cdot)$ such that $K_B^-(K_B^+(m)) = m$
2. given public key $K_B^+$, it should be impossible to compute private key $K_B^-$

RSA: Rivest, Shamir, Adleman algorithm

Prerequisite: modular arithmetic
• x mod n = remainder of x when divided by n
• Facts:
  [(a mod n) + (b mod n)] mod n = (a+b) mod n
  [(a mod n) - (b mod n)] mod n = (a-b) mod n
  [(a mod n) * (b mod n)] mod n = (a*b) mod n
• Thus $(a \bmod n)^d \bmod n = a^d \bmod n$
• Example: x=14, n=10, d=2:
  $(x \bmod n)^d \bmod n = 4^2 \bmod 10 = 6$
  $x^d = 14^2 = 196$
  $x^d \bmod 10 = 6$

RSA: getting ready
• A message is a bit pattern
• A bit pattern can be uniquely represented by an integer number
  – Thus encrypting a message is equivalent to encrypting a number
• Example
  – m = 10010001
    • This message is uniquely represented by number 145
  – To encrypt m, we encrypt the corresponding number, which gives a new number (ciphertext)

RSA: Creating public/private key pair 1. Choose two large prime numbers p, q. (e.g., 1024 bits each) 2. Compute n = pq, z = (p-1)(q-1) 3. Choose e (with e

RSA example:
Bob chooses p=5, q=7. Then n=35, z=24.
e=5 (so e, z relatively prime).
d=29 (so ed-1 exactly divisible by z).
Encrypting 8-bit messages.

encrypt:
bit pattern   m    $m^e$     $c = m^e \bmod n$
00001100      12   248832    17

decrypt:
c    $c^d$                                   $m = c^d \bmod n$
17   481968572106750915091411825223071697   12

Why does RSA work?
• Must show that $c^d \bmod n = m$ where $c = m^e \bmod n$
• Fact: for any x and y: $x^y \bmod n = x^{(y \bmod z)} \bmod n$
  – where n = pq and z = (p-1)(q-1)
• Thus,
  $c^d \bmod n = (m^e \bmod n)^d \bmod n$
  $= m^{ed} \bmod n$
  $= m^{(ed \bmod z)} \bmod n$
  $= m^1 \bmod n$
  $= m$

RSA: another important property
The following property will be very useful later:

$K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))$

• left side: use public key first, followed by private key
• right side: use private key first, followed by public key

Result is the same!

RSA: another important property
Why $K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))$?

Follows directly from modular arithmetic:
$(m^e \bmod n)^d \bmod n = m^{ed} \bmod n$
$= m^{de} \bmod n$
$= (m^d \bmod n)^e \bmod n$

Why is RSA Secure?
• Suppose you know Bob’s public key (n,e)
  – How hard is it to determine d?
• Essentially need to find factors of n without knowing the two factors p and q
• Fact: factoring a big number is hard
• Generating RSA keys
  – Have to find big primes p and q
  – Approach: make good guess then apply testing rules
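The RSA slides above checked end to end with the toy key from the "RSA example" slide (p=5, q=7, e=5, d=29): encryption, decryption, the order-independence property, and why a small n gives no protection. This is an added example, not code from the original slides; the function names are hypothetical, and trial division only works because n is tiny.

```python
from math import gcd

# Toy key pair from the "RSA example" slide.
P, Q, E, D = 5, 7, 5, 29
N, Z = P * Q, (P - 1) * (Q - 1)

def check_keypair(e, d, z):
    """e must be relatively prime to z, and ed-1 must be divisible by z."""
    return gcd(e, z) == 1 and (e * d - 1) % z == 0

def encrypt(m, e=E, n=N):
    """c = m^e mod n, computed without building the full power."""
    return pow(m, e, n)

def decrypt(c, d=D, n=N):
    """m = c^d mod n."""
    return pow(c, d, n)

def recover_d(n, e):
    """Derive a working private exponent from the public key (n, e).

    Factors n by trial division, then inverts e modulo z. Feasible only
    for a toy modulus; this is the step that large primes make hard.
    """
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            z = (p - 1) * (n // p - 1)
            return pow(e, -1, z)  # modular inverse, Python 3.8+
    raise ValueError("no small factor found")

if __name__ == "__main__":
    m = 12
    c = encrypt(m)
    print(check_keypair(E, D, Z), c, decrypt(c))
    # Private key first, then public key: same result.
    print(pow(pow(m, D, N), E, N))
    d2 = recover_d(N, E)
    print(d2, decrypt(c, d=d2))
```

`recover_d` returns 5 rather than the slide's 29; both satisfy the ed-1 condition because they differ by z = 24, and both decrypt 17 back to 12.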

Session keys
• Exponentiation is computationally intensive
• DES is at least 100 times faster than RSA

Session key, $K_S$
• Bob and Alice use RSA to exchange a symmetric key $K_S$
• Once both have $K_S$, they use symmetric key cryptography