Merike Kaeo
merike@doubleshotsecurity.com
Steven M. Bellovin
https://www.cs.columbia.edu/~smb
1
Topics To Cover
• Symmetric Keys
• Asymmetric Keys
• Hash Functions
• Encryption
• Signing
2
Cryptography Is Used For?
• Authentication Protocols
• Data Origin Authentication
• Data Integrity
• Data Confidentiality
3
Crypto Basics
• Building Blocks
– Crypto algorithm: specifies the mathematical transformation that is performed on data to encrypt/decrypt
– Stream cipher: encrypts a digital stream one bit at a time (RC4)
– Block cipher: transforms data in fixed-size blocks, one block at a time
• DES (56-bit keys; 64-bit blocksize)
• AES (128-, 192-, and 256-bit keys; 128-bit blocksize)
• Good Crypto Algorithm Properties
– Algorithm is NOT proprietary
– Analyzed by public community to show that there are no serious weaknesses
– Explicitly designed for encryption
4
What is a Cryptosystem?
5
Caution
6
Kerckhoffs’ Law (1883)
7
X-OR Function
1 xor 1 = 0
0 xor 0 = 0
1 xor 0 = 1
0 xor 1 = 1
[Figure: two worked XOR examples on 8-bit strings; results shown: 1 0 1 1 0 1 1 0 and 0 1 1 0 0 1 0 1]
8
Block Cipher Modes
9
Electronic Code Book (ECB)
[Figure: Plaintext Block 1, Block 2, Block 3, each encrypted in ECB mode]
Used primarily to transmit encrypted keys; very weak if used for general purpose encryption – never use it for a file or message
10
Cipher Block Chaining (CBC)
[Figure: Plaintext Block 1, Block 2, Block 3 chained in CBC mode]
12
Error Propagation in CBC Mode
• Look at the decryption process, where C′ is a garbled version of C:
P1 = {C1}k⁻¹ ⊕ IV
P2 = {C′2}k⁻¹ ⊕ C1
P3 = {C3}k⁻¹ ⊕ C′2
P4 = {C4}k⁻¹ ⊕ C3
• P1 depends only on C1 and IV, and is unaffected
• P2 depends on C2 and C1, and hence is garbled
• P3 depends on C3 and C2, and is also garbled. The enemy can control the change to P3
• P4 depends on C4 and C3, and not C2; it thus isn’t affected
• Conclusion: Two blocks change, one of them predictably
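The error propagation above, carried out as an added example (not code from the slides): a constructed toy 64-bit Feistel block cipher stands in for DES, C2 is garbled in transit by XORing in a chosen DELTA, and decryption shows P1 and P4 intact, P2 garbled, and P3 changed by exactly DELTA.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, like DES; the cipher below is a constructed toy, not DES


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(half: bytes, key: bytes, rnd: int) -> bytes:
    # Feistel round function: keyed SHA-256 truncated to a half block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def encrypt_block(block: bytes, key: bytes) -> bytes:
    # Four Feistel rounds give a bijection on 8-byte blocks, i.e. a block cipher.
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, xor(l, _f(r, key, rnd))
    return r + l


def decrypt_block(block: bytes, key: bytes) -> bytes:
    r, l = block[:4], block[4:]
    for rnd in reversed(range(4)):
        r, l = l, xor(r, _f(l, key, rnd))
    return l + r


def cbc_encrypt(plaintext: bytes, key: bytes, iv: bytes) -> list:
    prev, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        prev = encrypt_block(xor(plaintext[i:i + BLOCK], prev), key)
        out.append(prev)
    return out


def cbc_decrypt(blocks: list, key: bytes, iv: bytes) -> list:
    prev, out = iv, []
    for c in blocks:
        out.append(xor(decrypt_block(c, key), prev))  # Pi = {Ci}k^-1 xor C(i-1)
        prev = c
    return out


def garble_c2_and_decrypt(plaintext: bytes, key: bytes, iv: bytes, delta: bytes) -> list:
    # Flip the bits of `delta` inside C2 "in transit", then decrypt every block.
    blocks = cbc_encrypt(plaintext, key, iv)
    blocks[1] = xor(blocks[1], delta)
    return cbc_decrypt(blocks, key, iv)


# Constructed sample: four 8-byte plaintext blocks, a toy key and IV.
PT = b"BLOCK-01BLOCK-02BLOCK-03BLOCK-04"
KEY, IV = b"toy-key!", b"\x00" * 8
DELTA = b"\x00" * 7 + b"\x01"  # flip the lowest bit of C2's last byte
```

Printing `garble_c2_and_decrypt(PT, KEY, IV, DELTA)` shows P2 as random-looking bytes while P3 reads `BLOCK-02` with only its last byte flipped, which is why an integrity check (a MAC) is needed on top of CBC.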
13
Selecting A Block Cipher Mode
14
Public Key Encryption
[Figure: Router A and Router B each hold a Private and a Public key; steps 1 and 2: public keys exchanged between Router A and Router B]
16
Authentication and Integrity (2)
[Figure: step 3, Router A ENCRYPTs Cleartext with its Private key; step 4, Router B DECRYPTs the Encrypted packet with Router A’s Public key]
3. Router A encrypts packet with its private key and sends encrypted packet to Router B
4. Router B receives encrypted packet and decrypts with Router A’s public key
Since only Router A has its private key, you are reasonably certain the data came from Router A
17
Data Confidentiality (1)
[Figure: Router A and Router B each hold a Private and a Public key; steps 1 and 2: public keys exchanged between Router A and Router B]
18
Data Confidentiality (2)
[Figure: step 3, Router A ENCRYPTs Cleartext with Router B’s Public key; step 4, Router B DECRYPTs the Encrypted packet with its Private key]
3. Router A encrypts packet with Router B’s public key & sends encrypted packet to Router B
4. Router B receives encrypted packet and decrypts with its private key
[Figure: Sensitive Information (Cleartext) → ENCRYPT → Ciphertext across the Internet → DECRYPT → Sensitive Information (Cleartext)]
20
Triple DES (3DES)
[Figure: Plaintext Block 1 → ENCRYPT (K1) → DECRYPT (K2) → ENCRYPT (K3) → Ciphertext Block 1]
21
AES
22
Why AES Instead of 3DES
23
Key Length
Key Length (in bits) | Number of Combinations
40 | 2^40 = 1,099,511,627,776
The longer the keys the harder a brute force attack becomes
24
Cryptographic Keys
25
Producing Effective Keys
[Figure: Input → Pseudo-random number generator → Pseudo-random Output]
27
Creating Traffic Keys
28
The Key Setup Problem
29
Secret Key Scalability
If nothing else, what happens if Alice and Bob run out of shared keys?
30
Solutions
31
Key Technology (e.g. Diffie-Hellman)
[Figure: public parameters a, p; Alice holds XA, Bob holds XB]
XA is Alice’s random number; XB is Bob’s
By exchanging numbers in the clear, two entities can determine a new unique number (Z), known only to them
32
DH Man-in-the Middle Attack
[Figure: public parameters a, p; secrets XA and XB; exchanged values YA and YB, with an attacker sitting in the middle of the exchange]
33
Key Distribution Protocol
[Figure: the KDC hands Alice and Bob a session key (“Here’s a key”)]
• The KDC sets up the session key
• It’s secure—if done right, and if the KDC is trustworthy
34
Protocol Security
35
Some Protocol Security Issues
36
Digital Signatures
37
Digital Signatures
38
But…
39
Hash Algorithm
40
Why So Many?
42
Computing a Keyed-MAC
43
MD-5 Based Authentication (RFC 2385)
[Figure: Router A feeds the Routing Update into a Hash Function, producing a Hash]
44
MD-5 Based Authentication
[Figure: Hash Function] The Routing Update and the Preconfigured Shared Key are used as input to the Hash Function
• No key management
– Single, manually provisioned long-term secret used for all conversations
– Key must be changed at both ends simultaneously
– (See RFC 4808 for how to work around that)
• It uses an older, pre-HMAC scheme
• But—it’s real, it exists today, and can be used on most production routers to protect BGP traffic and authenticate the other end
46
Digital Signatures versus MACs
47
RSA Public Key Cryptography
48
Generating RSA Keys
[Figure: Generate P,Q → derive KeyE (usually 65,537) and KeyD]
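The key generation on this slide, as an added example (not the slides’ code): two probable primes P and Q are generated, KeyE is fixed at 65,537, and KeyD is its inverse modulo (P−1)(Q−1). `rsa_apply` is textbook RSA for checking the key pair; real use wraps it in padding such as OAEP or PSS. The Miller-Rabin test and the default key size are my choices.

```python
import math
import secrets

KEY_E = 65537  # the usual public exponent


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    # Miller-Rabin with `rounds` random bases (trial division first for speed).
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full length and odd
        if is_probable_prime(cand):
            return cand


def generate_rsa_keys(bits: int = 2048) -> dict:
    # Generate P,Q, then KeyD = KeyE^-1 mod (P-1)(Q-1); retry if KeyE is not invertible.
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(KEY_E, phi) == 1:
            break
    key_d = pow(KEY_E, -1, phi)  # modular inverse, Python 3.8+
    return {"n": p * q, "e": KEY_E, "d": key_d, "p": p, "q": q}


def rsa_apply(m: int, exp: int, n: int) -> int:
    # Textbook RSA: m^exp mod n (encrypt/verify with e, decrypt/sign with d).
    return pow(m, exp, n)
```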
49
Whose Key is It?
50
Public Key Infrastructure
51
PKI Components
• Certification Authority
– A trusted authority which issues digital certificates
– Also publishes CRL (Certificate Revocation List)
• Registration Authority
– An entity that is trusted by the CA to vouch for the identity of users to a CA
• This entity is only trusted by the CA
• Generally relies on operational controls and cryptographic security rather than physical security
• Repository
– An electronic site that holds certificates and certificate status information
• Need not be a trusted system since all information is tamper-evident
• Most commonly accessed via LDAP
• Theoretically could be accessed using HTTP, FTP or even electronic mail
52
Digital Certificate Lifecycle
Key Pair Generated → Certificate Issued → Keypair Expired
53
Check Certificates on Windows XP
• Windows maintains certificates in certificate stores
• View a certificate store from the Run dialog box by opening Certmgr.msc
• Sample personal certificate is shown
• A certificate is signed by its issuing CA
54
What’s In A Certificate?
55
Who Can Be a CA?
56
The Browser CA Problem
57
The Diginotar Case
58
Protecting Browsers: DANE
60