
Unit 6: Cryptography Fundamentals

Cryptography overview
Symmetric Cryptography Fundamentals
Asymmetric Cryptography concepts and fundamentals
Hash Functions
Message Authentication, MAC, HMAC
Steganography
For more about cryptographic algorithms (CSC 333)

TDC 377-98-701, Autumn 2012


Overview

Cryptography is crucial: it is the key building block for many other security services. Without it: no eCommerce, no authentication services, no secure logins. It is a key component that will allow: Confidentiality Services, Integrity Services and Authentication Services. What does cryptography mean?

Origin of the word: from Greek: Crypto = Secret, Graph = Writing. Not a new concept: it was used by the Romans (Caesar cipher).

http://www.secretcodebreaker.com/caesar-cipher.html

Note: there is another way to transfer a message in secret: Steganography. (You've used it in Mini Lab #4. Will cover later.)


Overview

Encryption is the process of taking a message (in cleartext or plaintext format) and transforming it (into a format often called ciphertext) so that its meaning cannot be understood. Decryption is the process of taking the ciphertext and transforming it back to cleartext. To encrypt a message, you will use an encryption algorithm and an encryption key. To decrypt a message, you will use a decryption algorithm and a decryption key.


Characteristics of Encryption Algorithms

The Encryption/Decryption algorithms must have the following characteristics:


Efficient: it must minimize the amount of memory and time required to run it.
Secure and/or reliable. We have 2 ways to ensure the eavesdropper cannot decrypt the data without the decryption key:
Make the algorithm secret. The opponent does not know HOW to decrypt the data. The key further protects it.
Make the algorithm public. The opponent knows how to decrypt the data, but the algorithm has no known weaknesses and the only way to decrypt the data is to try all possible keys. This type of attack is known as a brute force attack.

Keep algorithm Secret

You can hide the method/algorithm used by implementing it in hardware devices or through a compiled algorithm.

In software: you can be the target of reverse engineering: it is almost always feasible to decompile/reverse engineer it. In hardware: much harder to analyze, but the secrecy can be compromised by:

A disgruntled employee. A disgruntled or careless vendor.

Now if the algorithm used to encrypt has a flaw, an attacker may be able to decrypt the data even without knowing the key. Because the method was kept secret, it was never subject to analysis by cryptanalysts who might have identified the weakness before large deployment. Note: Currently, no method exists to determine whether an encryption algorithm has a weakness: the only way we determine that an encryption algorithm is secure (and therefore only subject to brute-force attacks) is by letting cryptanalysts study it. If, after time passes, nobody finds a weakness, it is probably reliable and has no known weaknesses. Side note: This extends to many important aspects of security: can we really prove a system is secure (well sure: unplug the power cord)? But we can prove it is not secure.

Case Studies: Make method secret

Let's take a look at some concrete solutions that relied on this secrecy to secure the encrypted data:

Cable TV Scrambling
DVD Encoding


Case Studies: Make method secret

Cable/Sat TV Scrambling

Relies on hardware encoding/scrambling. In many places you can find cheap descramblers for sale. Manufacturers rely on the difficulty of analyzing hardware functions and reproducing them.


Case Studies: Make method secret

DVD Encoding

Movie industry spent years developing a standard for encryption. After development they simply released it. Not for review, but the full product (DVD) that relied on the standard. Encryption keys were assigned to manufacturers and decryption keys based on them were distributed to all DVD reader manufacturers to build in all DVD readers. Two ooopps happened:

A DVD software reader improperly protected one decryption key and it was made public.
Several (2 initially I think) security technologists (SoupaFr0g and Canman) reverse engineered the encryption algorithm used.

Soon after a software program (DeCSS) was released that allows one to pull the decrypted data off the DVD disk and play/save it like any other multimedia file. What was the movie industry reaction: Sue them but the damage is done: nobody can order or afford the recall of all DVD players!

Lesson learned: Security by Secrecy does not work!


Make the algorithm public


The algorithm will be scrutinized by experts and if, after some time, nobody finds a weakness, chances are there are none! So how do you defeat the encryption? The only way is by going through and trying all possible decryption keys! This is called a Brute Force attack. How many possible keys exist? It depends on the length/size of the key.

40-bit key: $2^{40}$ possible keys
56-bit key: $2^{56}$ possible keys
128-bit key: $2^{128}$ possible keys

On average you will need to go through the possible keys. However here is a fun question: how do you know you found the right key? Can you identify the plaintext? If it is English (or Chinese for that matter) it is easy, but what if it is a binary file?


Make the algorithm public


So how do you protect the secrecy?

Use a longer key!!!

However, the longer the key, the longer it takes to encrypt/decrypt the data. So we can establish that it will be possible for anybody to decrypt the data: the problem is not IF they can decrypt it but HOW LONG it will take to decrypt it! Make the cost of running a brute force attack higher than the value of the data. For example:

If it takes you 4 years to decode a credit card number that has a 2 years expiration, is it worth trying?
If you need to build a $10,000.00 decryption machine to decrypt ordering information that will allow you to hijack $2,000,000.00 worth of data in 3 months, is it worth it?
Interesting note: It is believed that, using current technology, one can build a brute force decoder that is able to decrypt 56/64-bit encrypted DES traffic in near real time for less than $500,000.00. I do not have factual information that this device exists but I highly suspect it does!! So what is the lesson of that? DES encryption is not secure! Just secure from the casual eavesdropper!


Case Study: Reliable Algorithm with long key: is it safe?

So the instructor mentioned that if you use an algorithm that has no known weakness (for example DES/3DES) with a long enough key (for example 128 bits) you are safe from eavesdropping. Is that really true? What could go wrong?


Case Study: Reliable Algorithm with long key: is it safe?

Case example: Law enforcement vs. child pornographer.


In 1998, law enforcement hired a well recognized cryptanalyst to apprehend an individual suspected of transmitting child pornography. After getting a court order to sniff the traffic, they quickly determined that it was strongly encrypted. How did they determine that? Encrypted traffic has the inherent characteristic of being very bland: no patterns, no interesting characteristics. Large size also gave information on the type of information transmitted: it was large. So how do you defeat that? One solution would be to bring in the suspect and interrogate him hoping he will crack. Or another way: perform a search at the destination of the traffic. That is what they did: they found the destination and on the computer found the decryption key in plain view! Then they could decode the traffic and apprehend the suspect. What is the lesson? It does not matter how large your key is: if it is not protected, it is not safe!


Symmetric Encryption

The key used for encryption is the same as the key used for decryption. The algorithm used for decryption is just the reverse of the one used for encryption. What if many parties want to securely communicate? How many keys do we need? How do we manage these keys?


Asymmetric Encryption

Asymmetric Cryptology was the only (and most important) breakthrough in cryptographic science in 4000 years. Public Key encryption uses manipulation of the message AND mathematical properties between the keys used. Instead of using only one key, public key cryptography uses TWO keys that are linked together by mathematical properties.

Example: Create a pair of keys (1/4, 4). Use a multiplication x 4 to encrypt and x 1/4 to decrypt. Of course it is obvious how to crack the private key knowing the public one!

Now we have 2 keys, and this has great consequences in terms of confidentiality, key distribution and authentication: we can use one key as a public key and openly distribute it while keeping one key private for sole use by the party that generated the pair of keys. The key used for encryption is different than the key used for decryption. Also known as public key encryption.


Public key/Asymmetric cryptography Misconceptions

Public key/Asymmetric cryptography has several common misconceptions:

More secure than conventional encryption: WRONG: security of the scheme only depends on the key length (assuming no flaw in encryption methods).
Makes conventional encryption obsolete: WRONG: because of the much larger overhead of PK, usually it is only used for initial communication and to allow 2 parties to securely communicate and exchange a common symmetric key that will then be used for all communication encryption.
Key distribution trivial: WRONG: many aspects are difficult and advanced procedures must still be involved. The private keys must also be carefully protected. Also we need a method to trustfully and reliably distribute the public key. (That is where a Certificate Authority helps us: future unit.)


Asymmetric/Public Key Overview

Diagram from Stallings textbook. (Not listed) Simple concept (complicated math theory behind) One key can encrypt, the other can decrypt (or vice-versa usually)


Asymmetric Cryptography Requirements


It is computationally easy to generate a pair of keys.
It is computationally easy to encrypt.
It is computationally easy to decrypt.
It is computationally infeasible for an opponent to derive the private key from the known public key.
It is computationally infeasible for an opponent to recover the original message from the ciphertext knowing only the public key.
(Useful but not necessary requirement) Either of the 2 related keys can be used for encryption and the other for decryption:
$M = D_{K_{pub}}[E_{K_{priv}}(M)] = D_{K_{priv}}[E_{K_{pub}}(M)]$

RSA Public-Key Encryption

Developed in 1977 by Ron Rivest, Adi Shamir, and Len Adleman at MIT.
First published in 1978.
Most widely accepted and implemented.
Plaintext and ciphertext blocks are treated as integers between 0 and n - 1 for some n.
Let M be the plaintext block and C be the corresponding ciphertext block:
$C = M^e \bmod n$
$M = C^d \bmod n = (M^e)^d \bmod n = M^{ed} \bmod n$
Public key KU = {e, n}, private key KR = {d, n}.
It is possible to find values of e, d, n such that $M^{ed} = M \bmod n$ for all M < n.
It is relatively easy to encrypt and decrypt.
It is infeasible to determine d given e and n (met with large values of e and n).

RSA (contd.)


An RSA example
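
A worked RSA example with small numbers, added here and not part of the original slides. The primes p = 17 and q = 11, the exponent e = 7 and the block M = 88 are constructed sample values, and the function names are hypothetical; the last function shows why d is only hard to find when n is large.

```python
from math import gcd

def make_keys(p, q, e):
    """Return (KU, KR) = ((e, n), (d, n)) for two primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)            # number of integers below n coprime to n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)                # d is the inverse of e: e*d = 1 mod phi
    return (e, n), (d, n)

def apply_key(key, block):
    """Compute block^exponent mod n: C = M^e mod n, or M = C^d mod n."""
    exponent, n = key
    if not 0 <= block < n:
        raise ValueError("block must be an integer between 0 and n-1")
    return pow(block, exponent, n)

def recover_private_key(public):
    """Derive KR from KU by factoring n. Works only because n is tiny."""
    e, n = public
    p = next(c for c in range(2, n) if n % c == 0)
    return make_keys(p, n // p, e)[1]

# Constructed sample values.
KU, KR = make_keys(p=17, q=11, e=7)
M = 88
C = apply_key(KU, M)                   # encrypt with the public key
print("KU =", KU, "KR =", KR)
print("C =", C, "decrypts to", apply_key(KR, C))
# Either key can go first: M = D_pub[E_priv(M)] = D_priv[E_pub(M)]
print("private then public:", apply_key(KU, apply_key(KR, M)))
print("KR recovered by factoring n:", recover_private_key(KU))
```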


RSA Key Size

In April of 1994, a group using 1600 computers over the internet decoded a cipher (RSA using 129 decimal digits, 428 bits) in 8 months.
NIST recommends key size to be 1024 bits through 2010, 2048-bit keys through 2030, and 3072-bit keys after that. See Table 4 in http://csrc.nist.gov/publications/nistpubs/80057/sp800-57-Part1-revised2_Mar08-2007.pdf

Block Encryption

How is encryption actually performed?

Block by block. Meaning we take a block of data (usually 64 bits) and encrypt it using the algorithm and the key. Repeat that for the full message by slicing it into blocks.

What are the potential problems of this approach?

1. A given cleartext will create the same ciphertext. That means an attacker can potentially determine patterns and therefore analyze the cryptographic system. Solution: Cipher Block Chaining
2. What if I have a data stream that I want to encrypt, or data smaller than the block size? Solution: Cipher Feedback mode

We will cover the concepts briefly in this class. If a student is interested in crypto details: take CSC 333.

Cipher Block Chaining

Problem we are trying to address:

2 identical plaintext blocks will result in 2 identical ciphertext blocks. This may allow an attacker to gather information on the type of traffic and assist in the attack of the key. So we want 2 identical plaintext blocks to result in 2 different ciphertext blocks.

Basic idea: Instead of encrypting the plaintext, perform an XOR of the plaintext with the previous block's ciphertext. Then encrypt that result. Question: what do you do for the message's first block?

Answer: Use a predetermined data block to XOR the first block with. This initial block is known as the Initialization Vector or IV.

Cipher Block Chaining

Illustration from Stallings Textbook


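[Figure: Cipher Block Chaining (CBC). Message segments m1, m2, m3 are each XOR'ed (+) with the IV (for m1) or with the preceding ciphertext segment, then encrypted (E) with the key to produce c1, c2, c3.]

The 1st 64-bit message segment is XOR'ed with an initial vector (IV). Each following message segment is XOR'ed with the preceding ciphertext segment.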


Cipher Feedback Mode

Problem we are trying to address:

We are using a block-based encryption algorithm but we have to encrypt a data stream.

Solution:

1. Assume we want to send a plaintext message (M) of length K bits.
2. Take an Initialization Vector (IV).
3. Encrypt it. Result is I = E(IV).
4. Perform XOR between the plaintext message and the first K bits of I. Result is C = M xor I.
5. Send C.
6. Shift I by K bits and insert C at the end. This becomes the new block used for IV.
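
Cipher Block Chaining and Cipher Feedback from the two slides above, next to plain block-by-block encryption, as an added example that is not part of the original course material. E and D are a toy 64-bit Feistel cipher built here from SHA-256 as a stand-in for a real block cipher (an assumption, not secure); the key, IV and messages are constructed, and the CFB loop follows the standard form in which the shifted register is the cipher's input.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, as on the slides

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):
    # Round function of the toy cipher (assumption: SHA-256 based, NOT secure).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]

def E(key, block):
    """Encrypt one 64-bit block with a 4-round Feistel network."""
    left, right = block[:4], block[4:]
    for i in range(4):
        left, right = right, xor(left, _f(key, i, right))
    return left + right

def D(key, block):
    """Inverse of E: undo the rounds in reverse order."""
    left, right = block[:4], block[4:]
    for i in reversed(range(4)):
        left, right = xor(right, _f(key, i, left)), left
    return left + right

def blocks(data):
    if len(data) % BLOCK:
        raise ValueError("whole 64-bit blocks only (no padding in this example)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    # Plain block-by-block encryption: equal plaintext blocks give equal output.
    return b"".join(E(key, b) for b in blocks(pt))

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in blocks(pt):
        prev = E(key, xor(b, prev))       # XOR with previous ciphertext, then encrypt
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(D(key, c), prev))  # decrypt, then remove the chaining XOR
        prev = c
    return b"".join(out)

def cfb8(key, iv, data, decrypt=False):
    """CFB with K = 8 bits; both directions use only E."""
    reg, out = iv, bytearray()
    for byte in data:
        result = byte ^ E(key, reg)[0]    # XOR with the first K bits of E(register)
        out.append(result)
        c = byte if decrypt else result   # the ciphertext byte is what is fed back
        reg = reg[1:] + bytes([c])        # shift by K bits, insert C at the end
    return bytes(out)

# Constructed sample values: two identical plaintext blocks, then a different one.
KEY, IV = b"constructed key", bytes(range(8))
PT = b"SAMEDATA" * 2 + b"OTHERBLK"
ECB, CBC = ecb_encrypt(KEY, PT), cbc_encrypt(KEY, IV, PT)
print("ECB blocks 1 and 2 equal:", ECB[:8] == ECB[8:16])
print("CBC blocks 1 and 2 equal:", CBC[:8] == CBC[8:16])
```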


Summary so far

Symmetric encryption.
Asymmetric encryption.
Brute force attacks.
3 key aspects:

Use an algorithm with no weakness
Use long keys
Keep keys safe

The threat from an attacker is asymmetric: for the attacker to win, he/she only needs to defeat 1 aspect. For you to win, you must properly protect each and every aspect. This is typical of most aspects of network security in general.


Common Encryption Standards

Data Encryption System (DES)


Released in 1975.
National standard adopted by the US.
Symmetric-key, 56-bit keys.
Block cipher: encrypts data in 64-bit blocks.
In 1997, DES was cracked in 5 months.
It is currently believed that a near real time DES decoder can be built. Even without it, DES can be cracked in a matter of days or hours via brute force attacks.
DES is no longer considered secure.
The National Institute of Standards and Technology (NIST) initiated in 1997 an initiative for a new encryption standard to replace DES. But these efforts take a lot of time. What should we do in the meantime? Response: 3DES!

Common Encryption Standards

3DES

Problem of DES: key too short. 3DES uses 3 successive iterations of DES with 3 keys (K1, K2, K3), making an effective key length of 168 bits. Actually 3DES is defined as follows:

$C = E_{K_3}(D_{K_2}(E_{K_1}(M)))$

Why use a sequence of Encrypt-Decrypt-Encrypt instead of 3 encryptions? Note: 3DES is very processor intensive.

AES

On November 26, 2001 NIST announced the winning algorithm: the Rijndael algorithm. We are starting to see it widely deployed because of better performance than 3DES and lower computational load. http://csrc.nist.gov/encryption/aes/


Hash Function

A hash function is a one-way function that allows someone to calculate a fixed-size value (the hash) based on a message. This hash will allow us to make sure that the message was not modified during transit. The receiver can take the message, calculate the hash value and compare it with the hash value that was transmitted with the message. If they match: the message was not modified/tampered with. This provides Integrity services: the message received was the message sent.

Hash Function (contd.)

It does not provide authentication: anybody can compute a hash and attach it to the message. So if, in addition to integrity services, we want to also provide authentication services, what can we do?

Goal: we want the sender to create a hash based on the message and some other information that will prove that the legitimate sender is actually the one that created the hash and that the message or hash was not modified in transit.
Any suggestion? These services will be provided by a Message Authentication Code (MAC) AKA Hash Message Authentication Code (HMAC).

Message Authentication Code

3 popular solutions

Conventional Encryption. If 2 parties share an encryption key: the sender can encrypt the hash and send it. The receiver then decrypts it and recalculates the message hash. If it matches: it proves that the party that possessed the encryption key created the message and the hash.
Asymmetric Encryption. Same idea but the sender uses his private key to encrypt the hash. The receiving party uses the sender's public key to decrypt the hash and verify it.
Shared Secret Value. Add a shared secret to the message, calculate the hash on (message || shared secret), then send message and hash. The receiver can only check the hash if he has the shared secret. Advantage: faster than encryption.
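
The difference between a plain hash and the shared-secret method above, as an added example that is not part of the original slides. The secret, the messages and the function names are constructed for illustration; hmac_tag uses HMAC from Python's standard library as the standardized keyed-hash construction, alongside the slide's hash over (message || shared secret).

```python
import hashlib
import hmac

def plain_hash(message):
    # Integrity only: anybody can compute this value for any message.
    return hashlib.sha256(message).digest()

def secret_suffix_tag(message, secret):
    # The slide's third method: hash over (message || shared secret).
    return hashlib.sha256(message + secret).digest()

def hmac_tag(message, secret):
    # HMAC with SHA-256 from the standard library.
    return hmac.new(secret, message, hashlib.sha256).digest()

def accept_plain(message, digest):
    """Receiver check when only a hash travels with the message."""
    return hmac.compare_digest(plain_hash(message), digest)

def accept_keyed(message, tag, secret, tag_fn=hmac_tag):
    """Receiver check when the tag depends on the shared secret."""
    return hmac.compare_digest(tag_fn(message, secret), tag)

# Constructed sample values.
SECRET = b"constructed shared secret"
ORIGINAL = b"ship 10 units to warehouse A"
MODIFIED = b"ship 99 units to warehouse B"

# Someone on the path who does not know SECRET can still replace the message
# and recompute a plain hash for it.
recomputed = plain_hash(MODIFIED)

print("plain hash, modified message accepted:",
      accept_plain(MODIFIED, recomputed))
print("keyed tag, original accepted:",
      accept_keyed(ORIGINAL, hmac_tag(ORIGINAL, SECRET), SECRET))
print("keyed tag, modified message with old tag accepted:",
      accept_keyed(MODIFIED, hmac_tag(ORIGINAL, SECRET), SECRET))
print("keyed tag, modified message with recomputed plain hash accepted:",
      accept_keyed(MODIFIED, recomputed, SECRET))
```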

Example of Asymmetric Encryption Usage

Now that we have seen Asymmetric encryption and HMAC, let's think about how we can use both to provide some concrete security services. In all the following examples, 2 parties (Alan A and Brian B) want to securely communicate over an insecure medium.

Goal #1: Message must be authenticated and its integrity ensured.

Class discussion

Goal #2: The message must now also be encrypted.

Class discussion

Goal #3: This is a very large message. We want authentication, integrity, privacy and computing efficiency.

Class discussion

Steganography Fundamentals

Steganography (Stego in short) is the field of hiding a message within another message. With crypto: you hide the meaning of the message but someone can easily notice a message is being sent. In fact, because encrypted messages have a very distinct characteristic (which is that they are very very bland: no statistical characteristics) they can sometimes trigger alarms and attention. In Stego: you hide the message within another message. An eavesdropper does not even notice that a message is being transmitted. In many cases, someone will want the message to be first encrypted, then hidden and sent. Stego is also used for watermarking files. Stego can be used in many file formats:

Most popular: images (Jpg, bmp, gif)
Word documents
Text documents
HTML
MP3 files

Steganography

How does it work? You need a host file to be the medium to hide the message within. You can either generate a new host file or use an existing one. 3 main methods to add the message to the host file:

Injection
Substitution
Generate new file


Steganography - Injection

Many file types have fields or areas that are ignored or hidden. Add the data there! Example:

Hidden HTML fields
In MS Word: use track revisions and erase data.

Using injection will alter the size of the host file.



Steganography - Substitution

The data in the host file is replaced or substituted by the hidden message. We usually try to substitute parts of the host message that are insignificant. If the hidden message is large, and depending on the type of host file, degradation can occur. Example: replace the least significant bits (LSB) of an image. The human eye may not be able to detect it. Now if the hidden message is large and we change the 5 LSB bits of an image: a human eye will probably notice the poor quality of the image.
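
LSB substitution on raw byte values, as an added example that is not part of the original slides. The host is a constructed run of 64 byte values standing in for pixel data (no real image format is parsed), the function names are hypothetical, and the message length is assumed to be known to the receiver.

```python
def embed(host, message, nbits=1):
    """Substitute the nbits least significant bits of successive host bytes."""
    bits = "".join(f"{b:08b}" for b in message)
    bits += "0" * (-len(bits) % nbits)             # pad to a whole chunk
    chunks = [bits[i:i + nbits] for i in range(0, len(bits), nbits)]
    if len(chunks) > len(host):
        raise ValueError("message too large for this host at this bit depth")
    out, mask = bytearray(host), (1 << nbits) - 1
    for i, chunk in enumerate(chunks):
        out[i] = (out[i] & ~mask & 0xFF) | int(chunk, 2)
    return bytes(out)

def extract(stego, length, nbits=1):
    """Read back `length` message bytes from the low bits of the stego data."""
    mask = (1 << nbits) - 1
    needed = -(-length * 8 // nbits)               # ceil(message bits / nbits)
    bits = "".join(f"{p & mask:0{nbits}b}" for p in stego[:needed])
    return bytes(int(bits[i:i + 8], 2) for i in range(0, length * 8, 8))

def max_change(original, modified):
    """Largest change to any single byte: a rough measure of visible degradation."""
    return max(abs(a - b) for a, b in zip(original, modified))

# Constructed sample values.
HOST = bytes((i * 7) % 256 for i in range(64))
MESSAGE = b"HIBOB"

ONE_BIT = embed(HOST, MESSAGE, nbits=1)    # spreads over 40 host bytes
FIVE_BITS = embed(HOST, MESSAGE, nbits=5)  # packs into 8 host bytes

print("size unchanged:", len(ONE_BIT) == len(HOST))
print("1 LSB  -> recovered", extract(ONE_BIT, 5, 1),
      "max change per byte", max_change(HOST, ONE_BIT))
print("5 LSBs -> recovered", extract(FIVE_BITS, 5, 5),
      "max change per byte", max_change(HOST, FIVE_BITS))
```

Unlike injection, the host keeps its size, so what gives substitution away is the distortion, which stays at most 1 per byte with one LSB and can reach 31 with five.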


Steganography - Generate New File

Another possible solution is to generate the host file based on the hidden message we want to transmit. For example: assuming the message can be read by taking every 4th letter starting with 2nd. You can create the following:

tHey wIsh a Bold Ones Back (HIBOB)


Steganography - Links

http://www.jjtc.com/Steganography/
http://www.cotse.com/tools/stega.htm
