CS4236 Computer Security II
Textbook: Introduction to Cryptography with Coding Theory by Wade Trappe and Lawrence Washington. Remaining topics: System & Network Security.
Useful if handy with Linux. Chapters 1–8, 11–13, 17, or as much of them as possible.
Marks for tutorials: 10%. Each tutorial question carries marks. You must attempt enough questions to collect at least 10 marks during the semester.
Caveats
I will not know all the answers. I hope not! It's unlikely that my lecture slides will be ready before the lecture. Mutual discussion is highly encouraged; blind copying is not. Cheating or plagiarism: F in the class. Give me regular feedback about the speed and strenuousness of the class. Start looking for a paper to present.
Breach: modification, fabrication. Availability: assets are accessible to authorized parties [attackers want your bandwidth, CPU, disk]. Breach: interruption.
Separation of privilege: two locks are better than one! Least privilege: operate using the least privileges necessary to complete the job. Least common mechanism: minimize the amount of mechanism common to more than one user and depended on by all users. Acceptability: the human interface should be easy to use.
Lessons: Blaine Burnham. Hear his keynote address at Usenix 2000 here.
Security is not an add-on: "Let's build it (get it to run) and add security later on" does not work. Assurance matters. It takes a secret to keep a secret, i.e., good key management is really hard. There are no silver bullets. Security is a system property. Composing components
Adapted from [Bon] and [CWP+99]. Extremely common bug: 1997, 16 of 28 CERT advisories; 1998, 9 of 13; 1999, 6 of 12. Often leads to total compromise of the host. Requires expertise and patience (until someone posts an exploit). CERT statistics can be found here.
[Figure: stack frame layout. Caller-constructed part: the arguments. Callee-constructed part: return address, saved frame pointer, then the local buffer buf[0..n].]
%ebp = frame pointer. %esp = stack pointer. %ebp+4 = return address. %ebp+8 = first argument to the function. The caller pushes the arguments in reverse order; the callee creates the frame linkage.
[Figure: strcpy(buf, str) with an over-long str overruns buf and overwrites the saved frame pointer and the return address above it.]
Building the execve("/bin/sh", argv, envp) shellcode (Linux x86 system call number 11 in %eax, entered with int 0x80):
%ebx holds the 1st argument: the address of the string "/bin/sh\0".
%ecx holds the 2nd argument (argv), a pointer to the first element of an array of char*; the last element of the array is NULL. So %ecx → [address of "/bin/sh\0", NULL].
%edx holds the 3rd argument (envp), a pointer to an array of pointers that ends in NULL. So it is enough to have %edx point to a location that contains the NULL pointer (0).
Sketch of the code: get the address of "/bin/sh" into %esi; save that address on the stack right after the string; write the terminating \0 over the string's end; store the NULL word after the saved address; load 11 into %eax (execve), %ebx with the address of "/bin/sh\0", %ecx with the address of the [address, NULL] array, %edx with the address of the NULL; trap to the kernel; call exit(0) if execve failed.
Why the string is not NUL-terminated in the payload: the payload is delivered through strcpy, which stops copying at the first \0, so the shellcode writes the terminator itself at run time.
KeySpec
java.security.spec.KeySpec is an interface that denotes the transparent (user-visible) representation of the key material that constitutes a key. It contains no methods or constants. Class SecretKeySpec implements KeySpec and SecretKey (more directly relevant for us). SecretKey is an interface that extends Key, so it can be used with Cipher. To build a DES key from the bytes 0x0102030405060708, use:
byte[] key = new byte[] {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08};
SecretKey desKey = new SecretKeySpec(key, "DES");
(A hard-coded key such as this is fine for an exercise and nothing else; DES's 56-bit key is brute-forceable, see the DES section.)
Tx, or transformation: "algorithm/mode/padding", e.g. "DES/CBC/PKCS5Padding".
A cipher can be initialized with cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec), where ivSpec is an AlgorithmParameterSpec (an IvParameterSpec) carrying the IV, or with cipher.init(Cipher.ENCRYPT_MODE, key), which generates its own IV; retrieve it with cipher.getIV() and send it along with the ciphertext, since the receiver needs the same IV.
Cipher. . .
To encrypt a byte stream, use
byte[] encryptedBytes = cipher.update(buffer, 0, bytesRead);
The number of bytes returned need not equal the number of bytes passed in: the Java API specifies no such relationship, because a block cipher must collect a block's worth of data before it can produce output (update may even return an empty array). Call cipher.doFinal() at the end of the stream to flush the last block and apply the padding.
Using Hashes
X.500 Names
Loosely, an X.500 name is hierarchical and consists of the following attributes: Country: SG. State or Province: Singapore. Locality: Clementi. Organization: National University of Singapore. Organizational Unit: School of Computing. Common Name: Sandeep Kumar. Email Address: skumar@comp.nus.edu.sg.
Base 64 encoding
Look here for more information; RFC 4648 is the normative reference. Encode a sequence of octets using the characters [A-Za-z0-9+/] to represent 6 bits each, and use the character = for trailing padding. Six bits of input become one printable 8-bit character, so 33% expansion. Example: 0x1F is "Hw==" (00011111 → 000111 | 110000, i.e. H, w, then two = because one octet only fills two of the four symbols). Base64 is an encoding, not encryption: it provides no secrecy.
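Worked example (added to these notes; not code from the slides): a from-scratch Base64 codec that makes the 3-octet-to-4-symbol grouping and the "=" padding explicit, and a strict decoder that rejects bad lengths, bad padding, characters outside the alphabet and non-canonical encodings (unused bits that are not zero), which is the check a parser needs before the decoded bytes are trusted.

```python
# Added example: RFC 4648 Base64 codec written out by hand (not the slides' code).
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
DECODE_MAP = {c: i for i, c in enumerate(ALPHABET)}


def b64encode(data: bytes) -> str:
    """Every 3 octets (24 bits) become 4 six-bit symbols; a short final group
    of 1 or 2 octets yields 2 or 3 symbols plus '==' or '='."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = len(chunk)
        # Left-align the octets in a 24-bit word; missing octets are zero bits.
        word = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        symbols = [ALPHABET[(word >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        out.append("".join(symbols[: n + 1]) + "=" * (3 - n))
    return "".join(out)


def b64decode(text: str) -> bytes:
    """Strict decode: length multiple of 4, at most two trailing '=', only
    alphabet characters, and the discarded low bits of a short group must be 0."""
    if len(text) % 4 != 0:
        raise ValueError("Base64 input length must be a multiple of 4")
    pad = len(text) - len(text.rstrip("="))
    body = text[: len(text) - pad]
    if pad > 2 or "=" in body:
        raise ValueError("invalid '=' padding")
    out = bytearray()
    for i in range(0, len(body), 4):
        group = body[i:i + 4]
        word = 0
        for c in group:
            if c not in DECODE_MAP:
                raise ValueError("character %r is not in the Base64 alphabet" % c)
            word = (word << 6) | DECODE_MAP[c]
        word <<= 6 * (4 - len(group))          # re-align a short final group
        octets = word.to_bytes(3, "big")
        keep = len(group) - 1                   # 4 symbols -> 3 octets, 3 -> 2, 2 -> 1
        if any(octets[keep:]):
            raise ValueError("non-canonical encoding: unused bits are not zero")
        out += octets[:keep]
    return bytes(out)


def is_valid_b64(text: str) -> bool:
    """True iff text decodes under the strict rules above."""
    try:
        b64decode(text)
        return True
    except ValueError:
        return False
```

The canonical-bits check matters in practice: without it "Hw==" and "Hx==" both decode to 0x1F, so a signature or hash computed over the encoded form can be bypassed by changing the encoding but not the decoded value.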
Classical Ciphers
Pre DES
[Figure: Shannon's model of a secrecy system: message source → encrypter (keyed from the key source) → channel, observed by the enemy cryptanalyst → decrypter → receiver/destination.]
Encryption encodes a message so its meaning is not obvious. For symmetric encryption P = D(K, E(K, P)). For asymmetric encryption P = D(K_D, E(K_E, P)). Kerckhoffs's principle: the security of a cryptosystem should rest entirely in the secrecy of the key, and not in the secrecy of the algorithm.
Types of attacks
Cryptographers design their algorithms to resist the following increasingly aggressive attacks [Susan Landau]:
Ciphertext-only: the adversary has access to the encrypted communication.
Known-plaintext: the adversary has some (plaintext, ciphertext) pairs.
Chosen-text: the adversary chooses the plaintext to be encrypted (chosen plaintext), or the ciphertext to be decrypted (chosen ciphertext), or the plaintext to be encrypted depending on the ciphertext received from previous requests (adaptive chosen plaintext).
Affine Ciphers
A specific way to construct a permutation. Choose two integers α and β with gcd(α, 26) = 1, and consider the ciphering function y = αx + β (mod 26). Keyspace = 12 · 26 = 312 (12 values of α are coprime to 26). Easy to break with a ciphertext-only attack.
Guess which plaintext letters the two most frequent ciphertext letters stand for (e and t, say); each guess gives a (plaintext, ciphertext) pair, and two pairs give two congruences to solve for α and β. Most common digram: th; most common trigram: the.
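Worked example (added here; not from the slides): the affine cipher, the algebraic break from two guessed letter pairs, and a ciphertext-only break that tries all 312 keys and keeps the one whose decryption contains the trigram "the" most often. The sample plaintext is constructed; `pow(x, -1, 26)` needs Python 3.8 or later.

```python
# Added example: affine cipher y = αx + β (mod 26) and two ways to break it.
from math import gcd
from itertools import product

A2I = {c: i for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}
I2A = {i: c for c, i in A2I.items()}


def affine_encrypt(plaintext: str, alpha: int, beta: int) -> str:
    if gcd(alpha, 26) != 1:
        raise ValueError("alpha must be coprime to 26 or the map is not a permutation")
    return "".join(I2A[(alpha * A2I[c] + beta) % 26] for c in plaintext if c in A2I)


def affine_decrypt(ciphertext: str, alpha: int, beta: int) -> str:
    inv = pow(alpha, -1, 26)                       # alpha^{-1} mod 26
    return "".join(I2A[(inv * (A2I[c] - beta)) % 26] for c in ciphertext)


def solve_from_pairs(p1: str, c1: str, p2: str, c2: str):
    """Two equations alpha*p_i + beta = c_i (mod 26). Subtracting gives
    alpha = (c2 - c1)(p2 - p1)^{-1}; (p2 - p1) must be invertible mod 26."""
    x1, y1, x2, y2 = A2I[p1], A2I[c1], A2I[p2], A2I[c2]
    dx = (x2 - x1) % 26
    if gcd(dx, 26) != 1:
        raise ValueError("the two plaintext letters differ by a non-invertible amount")
    alpha = ((y2 - y1) * pow(dx, -1, 26)) % 26
    beta = (y1 - alpha * x1) % 26
    return alpha, beta


def break_ciphertext_only(ciphertext: str, crib: str = "the"):
    """Enumerate the 12 x 26 keys and score each candidate plaintext by how often
    the most common English trigram appears; a wrong key turns the text into a
    different affine image in which 'the' is rare."""
    best, best_score = None, -1
    for alpha, beta in product(range(26), range(26)):
        if gcd(alpha, 26) != 1:
            continue
        score = affine_decrypt(ciphertext, alpha, beta).count(crib)
        if score > best_score:
            best, best_score = (alpha, beta), score
    return best


# Constructed sample plaintext (not from the slides); 'the' occurs five times.
SAMPLE = "thequickbrownfoxjumpsoverthelazydogwhilethecatwatchesthefoxfromthefence"
```

With α = 5, β = 8 the letters t and e encrypt to z and c, so solve_from_pairs("e", "c", "t", "z") returns (5, 8) directly, and break_ciphertext_only recovers the same key from the ciphertext alone.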
Vigenère Cipher
Described in the 16th century (Bellaso, 1553; later attributed to Vigenère). Applied arithmetic to ciphers. Plaintext whatanicedaytoday under the key crypto (repeated: cryptocryptocrypt) gives ciphertext yyyitb... Use the Vigenère tableau to encrypt or decrypt messages. It's like n instances of Caesar's cipher. Or, it's addition modulo 26 where a = 0, ..., z = 25. Keyspace: 26^n, where n is the number of symbols in the key. It evens out the frequency disparity in the plaintext alphabet.
Vigenère Cipher. . .
Vigenère's tableau (part of): row = key letter, column = plaintext letter.
    a b c d e f g h i j k l m n o p q r s t u v w x y z
a   a b c d e f g h i j k l m n o p q r s t u v w x y z
b   b c d e f g h i j k l m n o p q r s t u v w x y z a
c   c d e f g h i j k l m n o p q r s t u v w x y z a b
d   d e f g h i j k l m n o p q r s t u v w x y z a b c
...
Index of Coincidence
$$IC = \frac{\sum_{i} n_i (n_i - 1)}{n (n - 1)}$$
is the probability that two letters drawn from the text (without replacement) are equal, where $n_i$ is the count of the $i$-th letter and $n$ is the text length.
In a Vigenère ciphertext with key length k, the letters c_1, c_{k+1}, c_{2k+1}, ... are shifted by the same amount, as are c_2, c_{k+2}, .... So we should find the IC of each such subsequence to be close to that of English, because a monoalphabetic transformation doesn't change the IC.
Index of Coincidence. . .
Another interpretation of IC is that it is a measure of the variation of a distribution from the uniform one [P96, Section 2.3]. If $P_\alpha$ is the probability of the plaintext symbol $\alpha$, then $\sum_\alpha P_\alpha = 1$. Let's find the variation of a given distribution from a flat distribution $P_\alpha = 1/|\Sigma| = 1/26$:
$$\mathrm{var} = \sum_{\alpha=a}^{z}\left(P_\alpha - \frac{1}{26}\right)^2 = \sum_{\alpha=a}^{z} P_\alpha^2 - \frac{2}{26}\sum_{\alpha=a}^{z} P_\alpha + \frac{26}{26^2} = \sum_{\alpha=a}^{z} P_\alpha^2 - \frac{1}{26}.$$
Now, with $P_\alpha \approx n_\alpha / n$,
$$IC = \sum_{\alpha=a}^{z} \frac{n_\alpha (n_\alpha - 1)}{n (n - 1)} \approx \sum_{\alpha=a}^{z} P_\alpha^2,$$
so IC = var + const, the constant being $1/26$!
Index of Coincidence. . .
IC is a predictor of the key length when the key length is small; it cannot discriminate well between large key lengths. .038 = 1/26 is what we'd expect for a flat (random) distribution.
keylen   1     2     3     4     5     10    large
IC       .068  .052  .047  .044  .044  .041  .038
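Worked example (added here; not from the slides) covering the Vigenère cipher and the index of coincidence: encryption, the IC statistic, key-length estimation from the IC of every k-th letter, and recovery of each column's Caesar shift by correlating its histogram with English letter frequencies. The frequency table and the sample text are constructed for this example.

```python
# Added example: Vigenère, index of coincidence, key-length and key recovery.
from collections import Counter

LETTERS = "abcdefghijklmnopqrstuvwxyz"
# English letter frequencies in percent, a..z (commonly tabulated values).
ENGLISH = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03, 2.41,
           6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15, 1.97, 0.07]


def clean(text: str) -> str:
    """Keep only the 26 letters, lower-cased."""
    return "".join(c for c in text.lower() if c in LETTERS)


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Addition (subtraction when decrypting) modulo 26 of the repeating key:
    n interleaved Caesar ciphers for a key of n letters."""
    out, key = [], clean(key)
    for i, c in enumerate(clean(text)):
        shift = LETTERS.index(key[i % len(key)])
        if decrypt:
            shift = -shift
        out.append(LETTERS[(LETTERS.index(c) + shift) % 26])
    return "".join(out)


def index_of_coincidence(text: str) -> float:
    """IC = sum n_i (n_i - 1) / (n (n - 1)): about 0.066 for English, 1/26 for random."""
    n = len(text)
    if n < 2:
        return 0.0
    return sum(v * (v - 1) for v in Counter(text).values()) / (n * (n - 1))


def estimate_key_length(ciphertext: str, max_len: int = 20, threshold: float = 0.055) -> int:
    """Smallest k whose k subsequences (every k-th letter) look monoalphabetic.
    A Caesar shift leaves the IC unchanged, so the true k (and its multiples)
    restore the English value, while k sharing a factor with the true length
    scores in between; the threshold sits halfway between 1/26 and 0.066."""
    for k in range(1, max_len + 1):
        cols = [ciphertext[i::k] for i in range(k)]
        if sum(index_of_coincidence(c) for c in cols) / k >= threshold:
            return k
    raise ValueError("no key length up to max_len fits; the text may be too short")


def recover_key(ciphertext: str, key_len: int) -> str:
    """Each column is a Caesar cipher: choose the shift whose letter histogram
    correlates best with English (more robust than 'most frequent letter is e')."""
    key = []
    for i in range(key_len):
        counts = Counter(ciphertext[i::key_len])
        scores = [sum(ENGLISH[a] * counts[LETTERS[(a + s) % 26]] for a in range(26))
                  for s in range(26)]
        key.append(LETTERS[scores.index(max(scores))])
    return "".join(key)


# Constructed English sample (not from the slides), long enough for the statistics.
SAMPLE_TEXT = clean(
    "the index of coincidence measures how likely two letters drawn at random "
    "from a text are the same english text scores about point zero six six while "
    "uniformly random letters score only one in twenty six a simple substitution "
    "keeps the score because it only relabels the letters but a polyalphabetic "
    "cipher such as vigenere spreads each plaintext letter over several cipher "
    "alphabets and flattens the histogram toward the random value splitting the "
    "ciphertext into every kth letter restores the english score exactly when k "
    "is the key length which is how the key length is estimated before each column "
    "is solved as a plain caesar shift")
```

The slide's example (whatanicedaytoday under crypto) reproduces as yyyitb...; for the statistical part a key of prime length (lemon) is used so that every k smaller than the key length mixes all five alphabets, which makes the jump in IC at the true length unmistakable. With about 100 letters per column the shift recovery is reliable; with far shorter columns it is not, which is why the IC is only a predictor for small key lengths.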
Permutation Cipher
Columnar transposition. Consider the plaintext howareyoutoday. Write this as two blocks of seven characters each:
h o w a r e y
o u t o d a y
The ciphertext is the plaintext read in column order: hoouwtaordeayy. It has the same letter frequencies as the original text, so frequency analysis shows it to be a transposition, and a variant of frequency analysis (anagramming) breaks it. It can also be broken with a KPA.
Permutation Cipher. . .
It's a permutation on the positions of the PT symbols in the corresponding CT. For example, HELLOWORD might be transformed into LWHOEROLD. An example permutation is
π = ( 1 2 3 4 5 6 7 8 9 )
    ( 3 5 1 4 2 7 9 6 8 )
Playfair cipher
1854, by Sir Charles Wheatstone. A 5 × 5 matrix of letters constructed using a keyword [Sta99]. In general, insert a filler letter such as x between successive identical letters to avoid having to encrypt pairs such as tt.
M C E L U
O H F P V
N Y G Q W
A B I/J S X
R D K T Z
ATTACKATDAWN → RSSRDERSBRNY
Playfair Cipher. . .
Used by the British Army in WW I. Frequency analysis is more difficult, but the cipher is still susceptible to digram frequency analysis: the distribution is flatter than the plaintext's, nevertheless there is plenty of structure. Both digrams re and er are common, so if the pairs IG and GI are common, e, i, r, g probably form the corners of a square (e i over g r). The last few rows of the matrix are predictable. Each plaintext letter encrypts to one of five ciphertext letters: h → {c, y, b, d, f} in the previous example.
Hill Cipher
Invented by Lester Hill in 1929. A block cipher: a ciphertext letter depends on multiple plaintext letters! C = KP mod 26, with 0 ≤ k_ij < 26 and P, C column vectors of letter indices. Strong against a ciphertext-only attack, but easily broken under a known-plaintext attack, i.e., given a set of (P, C) pairs, solve for K. det(K) should be relatively prime to n (= 26) in order for K to be invertible mod n. For a block size of 8, the keyspace is 26^64 > 2 × 10^90.
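Worked example (added here; not from the slides): the Hill cipher on column vectors, the modular matrix inverse via the adjugate (which needs gcd(det K, 26) = 1), and the known-plaintext attack K = C P^{-1} using n plaintext blocks whose matrix P is invertible mod 26. The 2 × 2 key used below is a constructed example.

```python
# Added example: Hill cipher C = K P (mod 26) and its known-plaintext break.
from math import gcd

LETTERS = "abcdefghijklmnopqrstuvwxyz"


def det_mod(m, mod=26):
    """Determinant by cofactor expansion, reduced mod 26 (fine for small n)."""
    n = len(m)
    if n == 1:
        return m[0][0] % mod
    total = 0
    for j in range(n):
        minor = [row[:j] + row[j + 1:] for row in m[1:]]
        total += (-1) ** j * m[0][j] * det_mod(minor, mod)
    return total % mod


def mat_inv_mod(m, mod=26):
    """K^{-1} = det(K)^{-1} * adj(K) (mod 26); requires gcd(det K, 26) = 1."""
    n = len(m)
    d = det_mod(m, mod)
    if gcd(d, mod) != 1:
        raise ValueError("det(K) = %d is not invertible mod %d" % (d, mod))
    dinv = pow(d, -1, mod)
    if n == 1:
        return [[dinv]]
    adj = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            minor = [row[:j] + row[j + 1:] for k, row in enumerate(m) if k != i]
            cof = (-1) ** (i + j) * det_mod(minor, mod)
            adj[j][i] = (dinv * cof) % mod        # transposed cofactor matrix
    return adj


def mat_mul_mod(a, b, mod=26):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) % mod
             for j in range(len(b[0]))] for i in range(len(a))]


def hill_encrypt(text: str, K) -> str:
    n = len(K)
    pt = "".join(c for c in text.lower() if c in LETTERS)
    if len(pt) % n:
        pt += "x" * (n - len(pt) % n)             # pad the last block
    out = []
    for i in range(0, len(pt), n):
        P = [[LETTERS.index(c)] for c in pt[i:i + n]]   # column vector
        out.append("".join(LETTERS[r[0]] for r in mat_mul_mod(K, P)))
    return "".join(out)


def hill_decrypt(ct: str, K) -> str:
    return hill_encrypt(ct, mat_inv_mod(K))


def hill_kpa(pt: str, ct: str, n: int):
    """Known-plaintext attack: the first n blocks form P and C (blocks as columns),
    C = K P, so K = C P^{-1}. Fails only if P happens not to be invertible mod 26."""
    P = [[LETTERS.index(pt[b * n + i]) for b in range(n)] for i in range(n)]
    C = [[LETTERS.index(ct[b * n + i]) for b in range(n)] for i in range(n)]
    return mat_mul_mod(C, mat_inv_mod(P))
```

For K = [[9, 4], [5, 7]] the inverse mod 26 is [[5, 12], [15, 25]]; two known blocks of attackatdawn are enough to recover K, which is why the Hill cipher is only safe against ciphertext-only attackers.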
Linear Congruential Generators
A linear congruential generator produces $x_{i+1} = a\,x_i + b \pmod n$, where a, b, n are constants. It's totally linear! For example, given the consecutive outputs 958833456, 396607904, 2147285887 for n = 2^31 − 1 = 2147483647, we have the equations
396607904 ≡ a · 958833456 + b (mod 2147483647)
2147285887 ≡ a · 396607904 + b (mod 2147483647)
Subtracting cancels b: 396805664 ≡ a · 562225552 (mod 2147483647), so a = 16807 (and then b = 0). Three outputs suffice to predict every later one, so an LCG must never be used where an attacker can observe its output.
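Worked example (added here; not from the slides): recovering a and b from three consecutive LCG outputs with the slide's numbers, then predicting the next outputs. It assumes the outputs are consecutive and that x_2 − x_1 is invertible mod n, which always holds for a prime n such as 2^31 − 1 unless the two outputs are equal; `pow(x, -1, n)` needs Python 3.8 or later.

```python
# Added example: break a linear congruential generator from three outputs.

def recover_lcg(x1: int, x2: int, x3: int, n: int):
    """Subtracting consecutive equations cancels b:
    (x3 - x2) ≡ a (x2 - x1) (mod n), so a = (x3 - x2)(x2 - x1)^{-1} and b = x2 - a x1."""
    diff = (x2 - x1) % n
    if diff == 0:
        raise ValueError("x1 == x2 (mod n): need two distinct consecutive outputs")
    a = ((x3 - x2) * pow(diff, -1, n)) % n      # raises ValueError if not invertible
    b = (x2 - a * x1) % n
    return a, b


def lcg_next(x: int, a: int, b: int, n: int) -> int:
    return (a * x + b) % n


def predict(x1: int, x2: int, x3: int, n: int, count: int):
    """Recover the parameters, then run the generator forward from x3."""
    a, b = recover_lcg(x1, x2, x3, n)
    out, x = [], x3
    for _ in range(count):
        x = lcg_next(x, a, b, n)
        out.append(x)
    return out
```

The recovered multiplier 16807 with b = 0 is the classic "minimal standard" generator (Park and Miller); the point is not that generator in particular but that any LCG is an affine map, so its outputs are a linear system in the unknown parameters. For composite n the difference may not be invertible, in which case one works modulo n / gcd and tries the few remaining candidates.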
Vernam Cipher
Gilbert Vernam, 1918. Choose a keyword as long as the plaintext with no statistical relationship to it [Sta99, pg. 40]. Works on bits: c_i = p_i ⊕ k_i. One-time pad (Joseph Mauborgne): use a random key as long as the message, but only once!
Rotor Machines
Three rotors plus a reflector. After every letter was encrypted, the rotors turned like an odometer, so each letter was encrypted by effectively a new monoalphabetic substitution cipher.
Knapsack Encryption
Given a set of integers a_1, a_2, ..., a_n, find whether a subset of them adds up to a given integer t. For example, for the set A = {4, 7, 33, 1, 12, 78, 11, 291}: is there a subset that adds up to 17? To 129? To encrypt text, say NUS IS GREAT, use the ASCII bit sequence of each character to select the numbers in the knapsack to add. So N = 0x4E = 01001110 → 7 + 12 + 78 + 11 = 108, U = 0x55 = 01010101 → 7 + 1 + 78 + 291 = 377, ... and so on.
Knapsack Encryption. . .
Alternatively, the knapsack can have 16 numbers and you can encrypt two characters at a time. Suppose that
A = {4, 7, 33, 1, 12, 78, 11, 291, 101, 29, 1101, 561, 487, 9826, 791, 893}
Then you encrypt the message as NU SI SG RE AT. The difficulty is that solving the general knapsack is as difficult for the recipient as it is for the enemy.
Make the problem difficult for the enemy but easy for the recipient! A superincreasing knapsack is one in which the integers in the knapsack form a superincreasing sequence, that is,
$$a_k > \sum_{j=1}^{k-1} a_j \quad\text{for every } k.$$
Now, supposing one were to ask if there's a subset of numbers in the knapsack that adds up to 2967, there's an easy way to find it: go from the largest element down and take an element exactly when it still fits. But the problem is that solving a superincreasing knapsack is as easy for the enemy as it is for the recipient! So we try to confound the enemy by transforming the superincreasing knapsack into a random-looking one.
En/decryption with Merkle-Hellman knapsacks. Choose a modulus m > Σ a_i and a multiplier w relatively prime to m (m need not be prime; gcd(w, m) = 1 and m > Σ a_i are what matter). Transform A into B such that b_i = w · a_i mod m. Public key: B; private key: (A, w, m).
Let's say that m = 13917 for the example above and that w = 269. Then B = {6796, 411, 9897, 8029, 6714, 1734, 7163, 4911}. To encode the character N, which is 01001110, we add the elements selected by the 1 bits: 411 + 6714 + 1734 + 7163 = 16022. To decode this number, the recipient computes 269^{-1} · 16022 mod 13917 = 3725 · 16022 mod 13917 = 5854, and solving the superincreasing knapsack for 5854 gives the set 105 + 801 + 1662 + 3286, i.e., the bits 01001110 again! (Shamir broke the Merkle-Hellman scheme in 1982; it is of historical interest only.)
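Worked example (added here; not from the slides): Merkle-Hellman encryption and decryption with the slide's m = 13917, w = 269 and public knapsack B. The slide does not print the private superincreasing knapsack; it is recovered below as a_i = w^{-1} b_i mod m, which is what the key owner holds, and the code checks that it is superincreasing and that transforming it back yields exactly B. `pow(x, -1, m)` needs Python 3.8 or later.

```python
# Added example: Merkle-Hellman knapsack with the slide's parameters.
from math import gcd

M, W = 13917, 269
B = [6796, 411, 9897, 8029, 6714, 1734, 7163, 4911]       # public knapsack


def private_from_public(b, w, m):
    """Undo b_i = w a_i mod m: only someone who knows w and m can do this."""
    winv = pow(w, -1, m)
    return [(winv * x) % m for x in b]


def is_superincreasing(a) -> bool:
    total = 0
    for x in a:
        if x <= total:
            return False
        total += x
    return True


def make_public(a, w, m):
    if not is_superincreasing(a) or m <= sum(a) or gcd(w, m) != 1:
        raise ValueError("need superincreasing a, m > sum(a) and gcd(w, m) = 1")
    return [(w * x) % m for x in a]


def encrypt_byte(byte: int, b) -> int:
    """The bits of the byte, MSB first, select the public elements to add."""
    return sum(b[i] for i in range(8) if (byte >> (7 - i)) & 1)


def solve_superincreasing(a, target: int):
    """Greedy from the largest element: take it iff it still fits. Because each
    element exceeds the sum of all smaller ones, the choice is forced and unique."""
    bits = [0] * len(a)
    for i in range(len(a) - 1, -1, -1):
        if a[i] <= target:
            bits[i] = 1
            target -= a[i]
    if target != 0:
        raise ValueError("no subset of the knapsack sums to the target")
    return bits


def decrypt_byte(c: int, a, w, m) -> int:
    s = (pow(w, -1, m) * c) % m          # back to the easy knapsack: s = sum of chosen a_i
    bits = solve_superincreasing(a, s)
    return int("".join(map(str, bits)), 2)
```

Decryption is correct because every subset sum of A is below m (m > Σ a_i), so multiplying the ciphertext by w^{-1} mod m gives that subset sum exactly rather than some other residue; the example also shows why the scheme was trusted for a while (the public B looks random) and why it was not (B is an affine image of a trivially solvable sequence, which is the structure Shamir's attack exploits).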
The class P: problems that can be solved in time bounded by a polynomial function of the problem size. For example, sorting, finding the max of a set of numbers, multiplication, exponentiation. The class NP: problems whose solutions can be verified in polynomial time. For example, Hamiltonian cycle, CNF satisfiability. The class NP-complete: problems in NP to which every other problem in NP can be reduced in polynomial time. If an NP-complete problem yields a polynomial-time solution, then P = NP. In some sense then, these are the hardest problems in the class NP. We know that P ⊆ NP and that P ≠ EXP. But is P = NP?
Lessons
Compress before you encrypt: it flattens the statistics the attacks above exploit. (Caveat: when attacker-influenced data is compressed together with secrets before encryption, the ciphertext length leaks information about the secrets; the CRIME and BREACH attacks on TLS exploit exactly this.)
Number Theory
Chapter 3 of textbook
Modular Arithmetic
If a mod n = b, then a = c·n + b. When you reduce a number a modulo n you usually want 0 ≤ b < n. Division principle [Bar02, pg. 61]: let n be a positive integer and let a be any integer. Then there is exactly one pair of integers (c, b) with 0 ≤ b < n such that a = c·n + b. Examples: 17 mod 5 = 2. 5 mod 17 = 5. −8 mod 3 = 1, since −8 = (−3)·3 + 1 (beware that C's % operator returns −2 here, while Python's returns 1).
Modular Arithmetic. . .
Some interesting properties of modular arithmetic:
(a + b) mod n = ((a mod n) + (b mod n)) mod n
(a · b) mod n = ((a mod n) · (b mod n)) mod n
a^k mod n = ((a mod n)^k) mod n
Modular Arithmetic. . .
Example:
(1234^103 · (1234^32 + 1004^245)) mod 7
= (2^103 · (2^32 + 3^245)) mod 7        [1234 ≡ 2 and 1004 ≡ 3 (mod 7)]
= (2^102 · 2 · (2^32 + 3^245)) mod 7
= (2^(3·34) · 2 · (2^32 + 3^245)) mod 7
= (8^34 · 2 · (2^32 + 3^245)) mod 7
= (1^34 · 2 · (2^32 + 3^245)) mod 7
= 2 · (4 + 5) mod 7                     [2^32 = (2^3)^10 · 4 ≡ 4 and 3^245 = (3^6)^40 · 3^5 ≡ 243 ≡ 5]
= 2 · 2 mod 7
= 4
Modular Arithmetic. . .
Or, it is
6764272377039604808006178055144906284633965782655606023664543731697675295138467674632079193559564693975100853574063429268655061579855616806952088963846232974182208488038849558763634180303504832472507246314833258013960116375880716395998061679941933095837785630560123826359207260539700679914567732449971041003694134911024550323643899333412749847654642971626166584986296154744033730885175975569766206580332174388028086818262058659186680791454906474093459490637896812299657407272406107888091704653742699714387717546200022361247224368645062455882516778860769297702055240071720372570557423808644154330408879925808925140855381986628240396957657417866896014997202537989607295158526258761846453044514479205381938683422173039265005451812870791033921812833308341319798689265312644584797363587786225724994494157639438659457878075595424441169423586430034659067491156897331743802635884549667238178909903984749431006079030838865685491827363683331151586843871472933347390828720939664198710347727796483110738685594792944199344858089699587734429853257643035321271289118720 mod 7 =4
Modular Exponentiation
Say you want to compute 6^469 mod 7. You could compute 6 · 6 · ... · 6 (469 times). Or, observe that
469 = 111010101_2 = 2^8 + 2^7 + 2^6 + 2^4 + 2^2 + 2^0,
that is,
6^469 = 6^(2^8) · 6^(2^7) · 6^(2^6) · 6^(2^4) · 6^(2^2) · 6^(2^0).
So instead compute each term individually with one multiply each: compute 6^2, 6^4, 6^8, 6^16, 6^32, 6^64, 6^128, 6^256 (mod 7) by repeated squaring, and multiply together those whose exponent bit is set. That is 8 squarings and 5 multiplications instead of 468 multiplications.
GCD
The GCD of two numbers a and b is the largest integer that divides both a and b. GCD(a, b) = GCD(b, a mod b): if d | a and d | b (LHS) then d | b and d | (a mod b) (RHS), i.e., all divisors of the LHS are also divisors of the RHS. Similarly, if d | b and d | (a mod b) then d | a.
Why doesn't GCD(a, b) = GCD(a, a mod b) work? Because you can't go in the reverse direction: d | a and d | (a mod b) does not imply d | b. If d | (a mod b) then d | (a − kb), so d | kb, but it may be that d | k rather than d | b. For example, GCD(12, 12 mod 5) = GCD(12, 2) = 2, whereas GCD(12, 5) = 1.
GCD. . .
[Figure: a laid out as k copies of b followed by the remainder a % b, i.e., a = kb + (a mod b).]
ax + by = d
Theorem [TW02, Page 64]. Let a and b be two integers, with at least one of a, b ≠ 0, and let d = gcd(a, b). Then there exist integers x, y such that ax + by = d. In particular, if a and b are relatively prime, then there exist integers x, y such that ax + by = 1. Proof: by induction on the GCD procedure.
Inverse
The inverse of an element x mod n is the element y such that xy ≡ 1 (mod n). Consider the set of numbers modulo 9. Not every number has an inverse modulo 9. In fact, only the numbers coprime to 9 have inverses!
Inverse mod 9
Multiplication table mod 9 (row × column):
×  0 1 2 3 4 5 6 7 8
0  0 0 0 0 0 0 0 0 0
1  0 1 2 3 4 5 6 7 8
2  0 2 4 6 8 1 3 5 7
3  0 3 6 0 3 6 0 3 6
4  0 4 8 3 7 2 6 1 5
5  0 5 1 6 2 7 3 8 4
6  0 6 3 0 6 3 0 6 3
7  0 7 5 3 1 8 6 4 2
8  0 8 7 6 5 4 3 2 1
A row contains a 1 exactly when its label is coprime to 9: 1, 2, 4, 5, 7, 8 have inverses (1, 5, 7, 2, 4, 8 respectively); 3 and 6 do not.
EGCD
The Extended Euclidean Algorithm EGCD(f, d) permits one to find d^{-1} (mod f) and f^{-1} (mod d) [provided that GCD(f, d) = 1] in addition to GCD(f, d). Start with the vectors (1, 0, f) and (0, 1, d) and reduce one vector with the other by subtracting a multiple of one from the second, until the result has third component 1.
EGCD. . .
Both vectors maintain the invariant f·x_1 + d·x_2 = x_3. Eventually you get an equation of the form f·x_1 + d·x_2 = 1. This gives x_2 ≡ d^{-1} (mod f) and x_1 ≡ f^{-1} (mod d).
Show examples of GCD & EGCD using RSA.pm and /bin/perl/egcd.
Modular Division
Proposition [TW02, Page 68]. Let a, b, c, n be integers with n ≠ 0 and with GCD(a, n) = 1. If ab ≡ ac (mod n) then b ≡ c (mod n).
The condition matters: 2 · 1 ≡ 2 · 4 (mod 6), but 1 ≢ 4 (mod 6). Solving ax ≡ c (mod n) with GCD(a, n) = 1 is now easy: x ≡ a^{-1} c (mod n).
Modular Division. . .
In the equation ax ≡ b (mod n), what if GCD(a, n) = d > 1?
If d ∤ b, there is no solution (the left side is always a multiple of d mod n).
Otherwise solve (a/d) x ≡ (b/d) (mod n/d), which has a unique solution since gcd(a/d, n/d) = 1. Let the solution be x_0. Then a x_0 ≡ b (mod n).
The solutions of ax ≡ b (mod n) are x_0 + k·(n/d) for k = 0, 1, ..., d − 1. The equation has d roots mod n; each is distinct mod n, but they are all congruent mod n/d.
Modular Division. . .
[Figure: the d solutions spaced n/d apart on the number line: x_0, x_0 + n/d, x_0 + 2n/d, ..., x_0 + (d − 1) n/d.]
Primes
An integer a > 1 whose only divisors are the trivial divisors 1 and a is said to be a prime number [CLRS01]. Examples: 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, ... If n is a composite integer, then n has a prime factor not exceeding √n. What this means is that in order to test a number n for primality, it's sufficient to try dividing it by all primes ≤ √n. There are infinitely many primes [Ros93, Theorem 1.17]: n! + 1 cannot have a prime divisor ≤ n, so some prime larger than n exists for every n.
Primes. . .
π(n), the number of primes ≤ n, is asymptotic to n / log n (natural logarithm) as n → ∞: the prime number theorem. Even though the number of primes is infinite, their density gets sparser and sparser as n → ∞. Approximately speaking, one would need to sample about log n numbers to find a prime close to n.
Use Gnuplot to plot [n=1:1000000] n/log(n),n to show how n/log(n) varies with n.
Primes. . .
Consider finding all primes ≤ 25 using the sieve of Eratosthenes:
 1  2  3  4  5
 6  7  8  9 10
11 12 13 14 15
16 17 18 19 20
21 22 23 24 25
Cross out 1, then the multiples of 2, 3 and 5 (5 = ⌊√25⌋, so no larger prime needs to be sieved); what survives is 2, 3, 5, 7, 11, 13, 17, 19, 23.
Factorization
Find a factor of n by successively dividing n by the primes 2, ..., √n. To find the factors of n, find x ≢ ±y (mod n) with x² ≡ y² (mod n) [TW02, Sec. 6.3]; then gcd(x − y, n) gives a non-trivial factor of n. Pollard's p − 1 method: find a number x that is a multiple of p − 1 where p is a non-trivial factor of n. Then for a relatively prime to n (and so to p), a^x ≡ 1 (mod p) by Fermat's theorem, so gcd(a^x − 1, n) is a possible non-trivial factor of n. See [TW02, Sec. 6.4] for details.
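Worked example (added here; not from the slides): the three factoring ideas above in code, trial division with primes from the sieve of Eratosthenes, Fermat's difference-of-squares search for x² − n = y², and Pollard's p − 1 with a smoothness bound. The test numbers include the slide's 2325781 = 523 · 4447 and the small constructed examples 8051 = 83 · 97 and 1403 = 23 · 61.

```python
# Added example: trial division, Fermat factoring and Pollard p-1.
from math import gcd, isqrt


def sieve(limit: int):
    """Primes <= limit by the sieve of Eratosthenes."""
    is_p = bytearray([1]) * (limit + 1)
    is_p[0:2] = b"\0\0"
    for i in range(2, isqrt(limit) + 1):
        if is_p[i]:
            is_p[i * i::i] = bytearray(len(is_p[i * i::i]))
    return [i for i, flag in enumerate(is_p) if flag]


def trial_division(n: int) -> int:
    """Smallest prime factor of n (n itself if prime). A composite n has a prime
    factor <= sqrt(n), so only the primes up to sqrt(n) need to be tried."""
    for p in sieve(isqrt(n)):
        if n % p == 0:
            return p
    return n


def fermat_factor(n: int, max_steps: int = 10 ** 6):
    """Search x = ceil(sqrt(n)), x+1, ... for x^2 - n = y^2; then n = (x - y)(x + y).
    Fast only when the two factors are close together: the number of steps is
    about (p + q)/2 - sqrt(n)."""
    x = isqrt(n)
    if x * x < n:
        x += 1
    for _ in range(max_steps):
        y2 = x * x - n
        y = isqrt(y2)
        if y * y == y2:
            return x - y, x + y
        x += 1
    return None


def pollard_p_minus_1(n: int, bound: int, a: int = 2):
    """Compute a^L mod n with L = 2 * 3 * ... * bound. If p - 1 divides L for some
    prime p | n then a^L ≡ 1 (mod p) by Fermat, and gcd(a^L - 1, n) exposes p.
    Returns None when the gcd is trivial (bound too small, or every prime factor
    of n is smooth so that the gcd is n itself)."""
    for j in range(2, bound + 1):
        a = pow(a, j, n)
    g = gcd(a - 1, n)
    return g if 1 < g < n else None
```

The RSA advice that p − 1 and q − 1 should each contain a large prime factor comes straight from the last function: 1403 = 23 · 61 falls to a bound of 5 because 60 = 2² · 3 · 5 is 5-smooth, whereas for 2325781 a bound of 30 is "too good" (both 522 and 4446 are 30-smooth) and the gcd degenerates to n.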
Fermat's Theorem
For prime p and integer b not divisible by p, b^{p−1} ≡ 1 (mod p).
Proof sketch: consider P = 1b · 2b · 3b · ... · (p−2)b · (p−1)b = b^{p−1} (p−1)!. Now 1b ≢ 2b ≢ 3b ≢ ... ≢ (p−1)b (mod p), because the residue system mod p is a field and b has an inverse in it (ib ≡ jb would force i ≡ j). Thus 1b, 2b, ... merely enumerate the numbers 1, ..., p−1 in some order, so P ≡ (p−1)! (mod p). Cancelling (p−1)! from both sides [allowed because (p−1)! is coprime to p] we get b^{p−1} ≡ 1.
Euler's theorem
It is a generalization of Fermat's theorem. Definition: φ(n) is the number of positive integers < n that are relatively prime to n. For example, φ(9) = |{1, 2, 4, 5, 7, 8}| = 6. If p is prime then φ(p) = p − 1. Theorem: if GCD(x, n) = 1, then x^{φ(n)} ≡ 1 (mod n).
Euler's function
φ(p^r) = p^r − p^{r−1}. The numbers in 1, ..., p^r − 1 that are not relatively prime to p^r are p, 2p, ..., p^r − p, that is, p^{r−1} − 1 numbers. Therefore the number of integers relatively prime to p^r is (p^r − 1) − (p^{r−1} − 1) = p^{r−1}(p − 1). If gcd(m, n) = 1 then φ(mn) = φ(m)φ(n). This follows from the CRT: the pairs (x, y) with x ranging over the φ(m) residues coprime to m and y over the φ(n) residues coprime to n correspond one-to-one, via CRT^{-1}, to residues a mod mn, and a is coprime to mn exactly when x = a mod m is coprime to m and y = a mod n is coprime to n. (If gcd(a, mn) = 1 then gcd(a, m) = 1, since any d > 1 with d | a and d | m would also divide mn; conversely a common factor of a and mn has a prime factor dividing m or n, which then also divides a mod m or a mod n.)
Primitive Roots
g is a primitive root of n if ord(g) = φ(n). Not all integers have primitive roots. The integers with primitive roots are of the form 2, 4, p^k, 2p^k with p an odd prime. When p is a prime, a primitive root mod p is a number whose powers yield every nonzero number mod p.
Primitive Roots. . .
[Table: powers g^k mod 19 for g = 1, ..., 18 and k = 1, ..., 18 (garbled in extraction). Reading it off: the primitive roots mod 19 are 2, 3, 10, 13, 14, 15, i.e. φ(18) = 6 of them; only their rows run through all 18 nonzero residues before returning to 1.]
Primitive Roots. . .
Let g be a primitive root for the prime p [TW02, Sec. 3.7]. If n is an integer, then g^n ≡ 1 (mod p) iff n ≡ 0 (mod p − 1). If j and k are integers, then g^j ≡ g^k (mod p) iff j ≡ k (mod p − 1).
CRT
See [Knu98, Section 4.3.2]. An alternative for doing arithmetic on large numbers: have several moduli m_1, m_2, ..., m_r, relatively prime in pairs, and work on the residues u mod m_i instead of on u. Regard (u_1, u_2, ..., u_r) as a new type of internal representation for u. Disadvantage: can't test for >, can't detect overflow, can't do division.
CRT. . .
Advantage: parallelizes multiplication (and addition).
(u_1, ..., u_r) + (v_1, ..., v_r) = ((u_1 + v_1) mod m_1, ..., (u_r + v_r) mod m_r)   (1)
(u_1, ..., u_r) − (v_1, ..., v_r) = ((u_1 − v_1) mod m_1, ..., (u_r − v_r) mod m_r)   (2)
(u_1, ..., u_r) · (v_1, ..., v_r) = ((u_1 v_1) mod m_1, ..., (u_r v_r) mod m_r)   (3)
You can see the above because uv mod m_i = ((u mod m_i)(v mod m_i)) mod m_i. This means that the representation of u · v in the m_i component should be (u mod m_i) · (v mod m_i).
CRT. . .
Theorem (CRT). Let m = m_1 m_2 ... m_r with the m_j pairwise relatively prime, and let u_1, u_2, ..., u_r be integers. Then there is exactly one integer u such that 0 ≤ u < m and u ≡ u_j (mod m_j) for 1 ≤ j ≤ r.
Proof (constructive). Let M_k = m/m_k. Then GCD(M_k, m_k) = 1, so M_k^{-1} mod m_k exists; let this be y_k, which is small, 0 < y_k < m_k. Then u = Σ_k u_k M_k y_k mod m works: M_k y_k ≡ 1 (mod m_k), while M_k ≡ 0 (mod m_j) for every j ≠ k, so the k-th term contributes u_k mod m_k and nothing to the other components. Uniqueness: two solutions differ by a multiple of every m_j, hence of m.
CRT Example
Let m_1 = 9, m_2 = 10, m_3 = 11. Then m = 990. Suppose you wanted to find 889^899 mod 990. Find the representation of 889 in the new system, which is (7, 9, 9). Now 889^899 = (7, 9, 9)^899 = (7^899 mod 9, 9^899 mod 10, 9^899 mod 11) = (4, 9, 5). Convert this back to an integer: 49.
Quadratic Residues
Euler's criterion: a (≢ 0) is a quadratic residue mod the odd prime p iff a^{(p−1)/2} ≡ 1 (mod p); otherwise a^{(p−1)/2} ≡ −1 (mod p).
Proof of the "if" direction: if a^{(p−1)/2} ≡ 1, let a = g^i for a primitive root g. So g^{i(p−1)/2} ≡ 1. But g being a generator, its order is p − 1, so (p − 1) | i(p − 1)/2, hence i is even, and a = (g^{i/2})² is a QR. For a non-residue i is odd and a^{(p−1)/2} = g^{(p−1)/2 · i} = (g^{(p−1)/2})^i, where g^{(p−1)/2} ≡ −1 (it squares to 1 but is not 1, g having order p − 1).
Square roots mod a prime p ≡ 3 (mod 4): if a is a QR then r = a^{(p+1)/4} satisfies r² = a^{(p+1)/2} = a · a^{(p−1)/2} ≡ a. Example: 26055^{(34807+1)/4} (mod 34807) = 33573, and indeed 33573² ≡ 26055 (mod 34807); the other root is 34807 − 33573 = 1234. Example: find all √1522756 mod 2325781. 2325781 = 523 · 4447, and both 523 and 4447 are ≡ 3 (mod 4). Take a square root mod each prime and use the CRT to combine the ± choices into the four solutions.
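Worked example (added here; not from the slides) for the primitive-root and quadratic-residue material: multiplicative order and the primitive roots mod 19, Euler's criterion, the a^{(p+1)/4} square root for p ≡ 3 (mod 4), the four square roots mod p·q via the CRT, and the reason this matters for RSA-style moduli: two roots r ≢ ±s of the same value factor n through gcd(r − s, n). Checked against the slides' 26055 mod 34807 and 1522756 mod 523 · 4447; `pow(x, -1, m)` needs Python 3.8 or later.

```python
# Added example: orders, primitive roots, Euler's criterion, modular square roots.
from math import gcd


def order(g: int, p: int) -> int:
    """Smallest k >= 1 with g^k ≡ 1 (mod p); it divides p - 1 for prime p."""
    if g % p == 0:
        raise ValueError("0 has no multiplicative order")
    k, x = 1, g % p
    while x != 1:
        x = (x * g) % p
        k += 1
    return k


def primitive_roots(p: int):
    """g is a primitive root iff ord(g) = p - 1 = phi(p), i.e. its powers hit every
    nonzero residue. There are phi(p - 1) of them."""
    return [g for g in range(1, p) if order(g, p) == p - 1]


def is_quadratic_residue(a: int, p: int) -> bool:
    """Euler's criterion: a^{(p-1)/2} ≡ 1 iff a = g^i with i even."""
    return pow(a, (p - 1) // 2, p) == 1


def sqrt_mod_p(a: int, p: int) -> int:
    """For p ≡ 3 (mod 4): r = a^{(p+1)/4}, since r^2 = a^{(p+1)/2} = a * a^{(p-1)/2} ≡ a."""
    if p % 4 != 3:
        raise ValueError("this shortcut needs p ≡ 3 (mod 4)")
    if not is_quadratic_residue(a, p):
        raise ValueError("%d is not a quadratic residue mod %d" % (a, p))
    return pow(a, (p + 1) // 4, p)


def sqrt_mod_pq(a: int, p: int, q: int):
    """The roots ±r_p mod p and ±r_q mod q combine by CRT into four roots mod n = p q."""
    rp, rq = sqrt_mod_p(a, p), sqrt_mod_p(a, q)
    n = p * q
    yp = pow(q, -1, p)           # q^{-1} mod p
    yq = pow(p, -1, q)           # p^{-1} mod q
    roots = set()
    for sp in (rp, p - rp):
        for sq in (rq, q - rq):
            roots.add((sp * q * yp + sq * p * yq) % n)
    return sorted(roots)


def factor_from_roots(r: int, s: int, n: int) -> int:
    """If r^2 ≡ s^2 (mod n) with r ≢ ±s, then n | (r - s)(r + s) but divides neither
    factor, so gcd(r - s, n) is a proper factor. This is why an oracle that returns
    square roots mod an RSA modulus is as good as the factorization."""
    return gcd(r - s, n)
```

Note that the shortcut silently returns garbage when a is not a residue (r² ≡ −a instead), which is why the criterion is checked first; Tonelli–Shanks handles the p ≡ 1 (mod 4) case the shortcut does not cover.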
Finite Fields
A field F (sometimes denoted F_q) is a set of elements with two operations, + and ·, satisfying: F is closed under + and ·; + and · are commutative and associative; · distributes over +; 0 is the identity for +, 1 is the identity for ·; every a ∈ F has an additive inverse −a with a + (−a) = 0, and every a ≠ 0 has a multiplicative inverse a^{-1} with a · a^{-1} = 1.
For every power p^n of a prime, there is exactly one finite field with p^n elements (up to isomorphism), and these are the only finite fields.
Irreducible polynomial
Let F be a field. A nonconstant polynomial f(x) ∈ F[x] is said to be irreducible if f(x) cannot be expressed as a product of two polynomials of lower degree [Gal02, Pg. 295]. f(x) = 2x² + 4 is irreducible over R but reducible over C. f(x) = x² + 1 is irreducible over Z_3 but reducible over Z_5: it factors into (x + 2)(x + 3), since (x + 2)(x + 3) = x² + 5x + 6 ≡ x² + 1 (mod 5).
Examples
Show that x⁴ + x + 1 is irreducible in Z_2[x].
f(0) = f(1) = 1, so f has no root and hence no linear factor; any factorization must therefore contain a factor of degree 2. The polynomials of degree 2 over Z_2 are x², x² + 1, x² + x and x² + x + 1 (only the last is itself irreducible), and none of them divides x⁴ + x + 1. For instance, modulo x² + x + 1 we have x² ≡ x + 1 and x⁴ ≡ (x + 1)² = x² + 1 ≡ x, so x⁴ + x + 1 ≡ x + x + 1 = 1 ≠ 0.
Block Ciphers
A block cipher of block size b bits species a permutation on b-bit values for each key. DES is a 64-bit block cipher while AES is a 128-bit block cipher.
Block Ciphers. . .
A b-bit block has 2^b possible plaintext and ciphertext blocks. This means there are 2^b! permutations, i.e. about log2(2^b!) ≈ b · 2^b bits would be needed to name an arbitrary one. Thus a 64-bit block cipher with an 80-bit key is not an anomaly: any practical key selects a minuscule subset of the permutations.
DES: History
Described in FIPS 46-3. Late 60s: Feistel worked on block ciphers at IBM. 1972: NBS (now NIST) issued an RFP. 1974: IBM developed and submitted LUCIFER (64-bit block, 128-bit key); NSA modified it (the S-boxes, and the key shrank to 56 bits). 1977: adopted as a standard (FIPS 46), later accepted by the banking community. 1999: broken in 22 hours using exhaustive key search (DES Challenge III).
DES: Properties
Block size = 64 bits; key size = 56 bits. A software nightmare because of the bit permutations and table lookups; great for pipelining in hardware. Key size too short: brute-force search is possible. Exhibits a strong avalanche effect [Sta99, pg. 73]. Complementation property: DES_{k̄}(X̄) = \overline{DES_k(X)}, which halves a chosen-plaintext brute-force search.
[Figure: three rounds of the Feistel network. Input (L_0, R_0); round i computes L_i = R_{i−1}, R_i = L_{i−1} ⊕ F(R_{i−1}, K_i) with round keys K_1, K_2, K_3, giving (L_3, R_3).]
Initial permutation IP: input bit 58 goes to output bit 1. Bits are numbered from the top-left (1) to the bottom-right (64). The table shows the sequence of connections of output bits after IP.
Expansion E: divide the 32-bit input into eight groups of four. Convert each group into six bits by borrowing one bit from each adjacent group. Bit 32 of the input becomes bit 1 of the output, etc. Bits are numbered from the left (1) to the right (32).
S-boxes: take the first and last bit of the 6-bit input as a two-bit binary number to index the row. Take the middle four bits as a binary number to index the column. Bits are numbered from the left (1) to the right (6).
So it seems that a transmission error affects at most two plaintext blocks in CBC mode as well, because in order to decrypt C_i one only needs C_i and C_{i−1}.
DES: Properties. . .
There exist keys k in DES such that DES_k(DES_k(m)) = m for all m,
or, keys k such that DES_k^{-1}(m) = DES_k(m). These are called weak keys. They are keys that generate a key schedule in which
k_1 = k_2 = ... = k_16,
so that encryption and decryption (which runs the schedule backwards) coincide.
DES: Properties. . .
There exist pairs of keys k, k' in DES such that for all m, c = DES_k(m) implies m = DES_{k'}(c),
or DES_{k'}(DES_k(m)) = m [x5c, Q. 67]. These are called semi-weak keys. The key schedule for k' is the reverse of that of k.
Show my m4 diagram of propagating L0 , R0 to L16 , R16 .
DES: Properties. . .
Weak keys in DES are [P96, Table 3-10]:
Left half   Right half   Weak key value
zeros       zeros        0101010101010101
ones        ones         FEFEFEFEFEFEFEFE
zeros       ones         1F1F1F1F0E0E0E0E
ones        zeros        E0E0E0E0F1F1F1F1
(the halves are the 28-bit C and D key-schedule registers; the hex values include the parity bits). An example of a semi-weak key pair in DES is [P96, Table 3-11]:
(01FE01FE01FE01FE, FE01FE01FE01FE01)
Avalanche Effect
A change Δ in the PT or in the key should cause a large change Δ in the CT: flipping one input bit should flip about half of the output bits.
Extra Credit: Study and present another block cipher and summarize it in a single page.
Number of rounds: the more the better. Design of the F function (provides confusion). Key scheduling.
Strict avalanche criterion: approximately speaking, for every (input bit i, output bit j) the four cases 00, 01, 10, 11 (1 = bit flip, 0 = no bit flip, for input and output respectively) should be equiprobable. For all inputs, create 2^(m−1) pairs, one in which input bit i = 0 and the other in which input bit i = 1 ... See [WT85] for more details.
Exhaustive key search for DES (Wiener's estimate):
Attacker                   Cost    Time
1 DES encryption/s         —       > 1000 years
Wiener machine             $100K   35 hours
Wiener machine             $1M     3.5 hours = 210 mins
Wiener machine             $10M    21 mins
Differential Cryptanalysis
Biham & Shamir, 1989. O(2^47) time and O(2^47) chosen (M, C) pairs on DES. If the S-boxes were random, a differential cryptanalytic attack would require only O(2^20) time and O(2^20) (M, C) pairs.
Linear Cryptanalysis
Breaks DES in O(2^43) time with O(2^43) randomly chosen known (M, C) pairs [Mat93]. Essentially a known-plaintext attack.
Linear Cryptanalysis. . .
Find effective linear expressions for DES of the form
P[i_1, i_2, ..., i_a] ⊕ C[j_1, j_2, ..., j_b] = K[k_1, k_2, ..., k_c],
where X[i_1, ..., i_a] denotes X[i_1] ⊕ ... ⊕ X[i_a],
that hold with probability p. |p − 1/2| represents the effectiveness of the equation. One can then determine one key bit, K[k_1, ..., k_c], as follows (Matsui's Algorithm 1): evaluate P[i_1, ..., i_a] ⊕ C[j_1, ..., j_b] over N random samples and let T of them evaluate to 0. If T > N/2, guess K[k_1, ..., k_c] = 0 when p > 1/2 and 1 otherwise; if T < N/2, guess 1 when p > 1/2 and 0 otherwise. The number of samples needed grows like |p − 1/2|^{−2}.
Given that for S5 (S-box #5) the 4th input bit equals the XOR of its four output bits with probability 12/64, i.e. after the expansion and P permutation X[15] ⊕ F(X, K)[7, 18, 24, 29] = K[22] with probability 12/64 (bias −20/64), we can propagate this equation through a three-round DES as follows, using rounds 1 and 3 [Mat93]:
[Figure: three rounds with round functions F_1, F_2, F_3, round keys K_1, K_2, K_3, halves P_H, P_L on input, C_H, C_L on output and intermediate right halves X_1 = P_L, X_2, X_3 = C_L.]
Round 1: X_1 = P_L, so X_1[15] ⊕ K_1[22] = P_H[7, 18, 24, 29] ⊕ X_2[7, 18, 24, 29].
Round 3: X_3 = C_L, so X_3[15] ⊕ K_3[22] = X_2[7, 18, 24, 29] ⊕ C_H[7, 18, 24, 29].
XORing the two and cancelling X_2[7, 18, 24, 29] we get
P_H[7, 18, 24, 29] ⊕ C_H[7, 18, 24, 29] ⊕ P_L[15] ⊕ C_L[15] = K_1[22] ⊕ K_3[22],
which by the piling-up lemma holds with probability 1/2 + 2 (12/64 − 1/2)² ≈ 0.70.
Extra Credit: Break 5-round DES as described in [Mat93].
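Worked example (added here; not from the slides): linear cryptanalysis scaled down to a 4-bit S-box. It computes the linear approximation table (the "12/64" statement about S5 is one such entry, here 12/16 for the chosen masks), then runs Matsui's Algorithm 1 against a one-round toy cipher c = S[p ⊕ k] to recover the key parity K[mask]. The S-box is a constructed one (the table from Heys' linear cryptanalysis tutorial), not a DES S-box.

```python
# Added example: linear approximation table and Matsui's Algorithm 1 on a toy S-box.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def parity(x: int) -> int:
    """XOR of the bits of x; parity(x & mask) is the X[i1, ..., ia] of the slides."""
    return bin(x).count("1") & 1


def lat_count(in_mask: int, out_mask: int, sbox=SBOX) -> int:
    """Number of the 16 inputs x for which X[in_mask] ^ Y[out_mask] = 0.
    The approximation holds with p = count/16; |p - 1/2| is its usefulness."""
    return sum(parity(x & in_mask) == parity(sbox[x] & out_mask) for x in range(16))


def best_approximation(sbox=SBOX):
    """Scan all nontrivial (input mask, output mask) pairs for the largest |count - 8|."""
    best = max(((a, b) for a in range(1, 16) for b in range(1, 16)),
               key=lambda ab: abs(lat_count(ab[0], ab[1], sbox) - 8))
    return best, lat_count(best[0], best[1], sbox)


def toy_encrypt(p: int, k: int) -> int:
    """One round: key addition followed by the S-box."""
    return SBOX[(p ^ k) & 0xF]


def algorithm1(pairs, in_mask: int, out_mask: int, p_approx: float) -> int:
    """Matsui's Algorithm 1. With X = P ^ K the S-box relation gives
    P[in] ^ C[out] = K[in] ^ (X[in] ^ Y[out]), so the left side equals K[in]
    with probability p_approx. T = #pairs where the left side is 0."""
    n = len(pairs)
    t = sum((parity(p & in_mask) ^ parity(c & out_mask)) == 0 for p, c in pairs)
    if p_approx > 0.5:
        return 0 if t > n / 2 else 1
    return 1 if t > n / 2 else 0


def recover_key_parity(k: int, in_mask: int = 0x6, out_mask: int = 0xB) -> int:
    """Attacker's view: known (plaintext, ciphertext) pairs only, never k."""
    pairs = [(p, toy_encrypt(p, k)) for p in range(16)]
    return algorithm1(pairs, in_mask, out_mask, lat_count(in_mask, out_mask) / 16)
```

For the masks 0x6 (input bits X2 ⊕ X3) and 0xB (output bits Y1 ⊕ Y3 ⊕ Y4) the relation holds for 12 of 16 inputs, so with all 16 plaintexts T is either 12 or 4 and the parity of k & 0x6 is read off without error; with fewer, randomly chosen pairs the guess is right only with some probability, which is what drives the 2^43 pair count for DES.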
DES Variants: Double-DES
If E_k(M) is a symmetric cipher, then define DE_{k_1,k_2}(M) = E_{k_1}(E_{k_2}(M)). Pictorially, it is M → E_{k_2} → E_{k_1} → C.
DES Variants: Double-DES. . .
Susceptible to a meet-in-the-middle attack. Given an (M, C) pair:
Step 1: build the following table (sorted on E_k(M)) for all keys k:
k_1 → E_{k_1}(M), k_2 → E_{k_2}(M), ..., k_i → E_{k_i}(M), ...
Step 2: for every key y, check whether D_y(C) is in the table for some key x. Then (y, x) encrypts M → C (y outer, x inner). A single pair leaves about 2^{2k−b} false matches for a b-bit block, so confirm the survivors against a second (M, C) pair. For a k-bit key, time ≈ 2^k + 2^k log 2^k ≈ k · 2^k. That is, given enough space, DE is only about as secure as E.
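Worked example (added here; not from the slides): the meet-in-the-middle attack above run against double encryption with a constructed toy cipher (16-bit block, 12-bit key, 4-round Feistel), so the 2^24 double-key space falls to about 2 · 2^12 cipher operations plus a table. The toy cipher, its keys and the sample blocks are all constructed for this example; the second known pair is what removes the false matches one pair leaves.

```python
# Added example: meet-in-the-middle against C = E_k1(E_k2(M)) on a toy Feistel cipher.

def _f(x: int, rk: int) -> int:
    """Round function: any byte -> byte map will do for a Feistel network."""
    x = (x ^ rk) & 0xFF
    return (((x << 3) | (x >> 5)) & 0xFF) ^ ((x * 0x35) & 0xFF)


def _round_keys(key: int):
    return [((key * 0x9E3) >> (3 * i)) & 0xFF for i in range(4)]


def toy_encrypt(m: int, key: int) -> int:
    l, r = m >> 8, m & 0xFF
    for rk in _round_keys(key):
        l, r = r, l ^ _f(r, rk)              # (L, R) -> (R, L ^ F(R, k))
    return (l << 8) | r


def toy_decrypt(c: int, key: int) -> int:
    l, r = c >> 8, c & 0xFF
    for rk in reversed(_round_keys(key)):
        l, r = r ^ _f(l, rk), l              # undo one round
    return (l << 8) | r


def double_encrypt(m: int, k1: int, k2: int) -> int:
    return toy_encrypt(toy_encrypt(m, k2), k1)


def meet_in_the_middle(pairs):
    """Step 1: table E_k2(M1) -> [k2] for every inner key. Step 2: for every outer
    key k1 look up D_k1(C1); each hit is a candidate (k1, k2), then every candidate
    is checked against the remaining known pairs."""
    (m1, c1), rest = pairs[0], pairs[1:]
    table = {}
    for k2 in range(1 << 12):
        table.setdefault(toy_encrypt(m1, k2), []).append(k2)
    candidates = []
    for k1 in range(1 << 12):
        for k2 in table.get(toy_decrypt(c1, k1), ()):
            if all(double_encrypt(m, k1, k2) == c for m, c in rest):
                candidates.append((k1, k2))
    return candidates
```

With 12-bit keys and a 16-bit block a single pair is expected to leave 2^24 / 2^16 = 256 candidate pairs; the second pair cuts that to the true key with overwhelming probability, which is the same bookkeeping the DES case needs (2^112 / 2^64 survivors per pair).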
DES Variants: Triple-DES
If E_k(M) is a symmetric cipher, then define 2KTE_{k_1,k_2} = E_{k_1} ∘ D_{k_2} ∘ E_{k_1}. Key length = 112 bits for DES. D_{k_2} is used only for backward compatibility (with k_1 = k_2 it reduces to single DES); one could use E instead.
DES Variants: Triple-DES. . .
Effective key length is only k bits under a CPA/CCA (the attack of Merkle and Hellman, which needs about 2^k chosen plaintexts).
[Figure: P → E_{K1} → A → D_{K2} → B → E_{K1} → C, with the intermediate values written X, Y, Z for the special case A = 0.]
For all keys k compute D_k(0) in a table T (these are the B values that arise when A = 0). Now, for each candidate k_1 = k, take the plaintext p = D_k(0), so that A = 0; obtain its ciphertext z by a chosen-plaintext query; from (z, k) find y = D_k(z), which equals D_{k_2}(0); see whether y occurs in T. A hit gives a candidate pair (k_1, k_2) for 2-key T-DES. Except for this uncommon attack noted by Merkle, triple DES does yield the expected strength of 2^112 [P96, Section 4.5].
DES Variants: Triple-DES. . .
Better to use three independent keys: TE_{k_1,k_2,k_3} = E_{k_1} ∘ D_{k_2} ∘ E_{k_3}. Effective key length = 112 bits in a KPA (meet-in-the-middle).
DESX assumes DES to be an ideal cipher, i.e., π_1, π_2, ..., π_{2^|k|} are independent random permutations. Extra Credit: Read [KR96] and summarize in one page.
Stream Ciphers
Let's approximate the OTP with a pseudo-random OTP key. The pseudo-random generator's seed is the key.
Linear feedback shift registers: the next bit is a fixed linear combination (XOR) of the current register contents,
$$k_{t+n} = c_1 k_{t+n-1} \oplus c_2 k_{t+n-2} \oplus \cdots \oplus c_n k_t, \quad c_i \in \{0, 1\}.$$
Goal: choose the taps c_i and the initial content so that the period is as long as possible. Hope for 2^n − 1 (exclude the all-zeros state, which is a fixed point); this happens exactly when the feedback polynomial is primitive. An LFSR on its own is not a cipher: 2n consecutive output bits determine the taps (Berlekamp–Massey), so LFSRs are only building blocks.
Stream Cipher: RC4
Stream ciphers don't encrypt PT blocks directly; they XOR the plaintext with a keystream. RC4 was invented in 1987 by Rivest, reverse engineered and posted on the Cypherpunks mailing list in 1994. State: a permutation S of the sequence (0 ... 255) and two indices 0 ≤ i, j < 256, initialised from the input key by the key-scheduling algorithm.
Stream Cipher: RC4. . .
do forever:
    i = (i + 1) % 256
    j = (j + S[i]) % 256
    swap(S[i], S[j])          # update register state
    t = (S[i] + S[j]) % 256
    output S[t]
Is it secure? Can't prove it. 1997: run the generator for 10^12 iterations; the LSb of these 10^12 bytes has slightly more 1s than 0s. Many stronger keystream biases have been found since; RC4 is prohibited in TLS (RFC 7465) and should not be used in new designs.
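Worked example (added here; not from the slides) for the stream-cipher material: an LFSR whose period is measured directly (primitive versus merely irreducible feedback polynomial), the RC4 key scheduling and the generator loop exactly as in the pseudocode above, checked against the widely published test vector for the key "Key", and the one failure every stream cipher shares: reusing a keystream exposes the XOR of the two plaintexts.

```python
# Added example: LFSR period, RC4 keystream, and the keystream-reuse leak.

def lfsr_period(taps, state) -> int:
    """Fibonacci LFSR: state[0] is the newest bit; the next bit is the XOR of the
    state bits at the tap positions; count steps until the state repeats.
    taps [2, 3] on 4 bits implements k_{t+4} = k_{t+1} ^ k_t, i.e. x^4 + x + 1."""
    n = len(state)
    start = tuple(state)
    state = list(state)
    steps = 0
    while True:
        new = 0
        for t in taps:
            new ^= state[t]
        state = [new] + state[:-1]
        steps += 1
        if tuple(state) == start or steps > 2 ** n:
            return steps


def rc4_keystream(key: bytes):
    """Key scheduling (KSA), then the generator loop from the slide (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def keystream_reuse_leak(key: bytes, m1: bytes, m2: bytes) -> bytes:
    """Two messages under the same key and (for RC4) no nonce: c1 ^ c2 = m1 ^ m2,
    so an attacker with one plaintext reads the other. Same for a reused OTP."""
    c1, c2 = rc4(key, m1), rc4(key, m2)
    return bytes(a ^ b for a, b in zip(c1, c2))
```

The period test shows why taps matter: x⁴ + x + 1 is primitive and gives the maximal 2⁴ − 1 = 15, whereas x⁴ + x³ + x² + x + 1 is irreducible but not primitive and every nonzero state cycles after only 5 steps. RC4 has no nonce of its own, which is why protocols that used it (WEP, for instance) had to bolt one on, and did so badly.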
Features of Rijndael
Pronounced "Rhine-doll". Joan Daemen (of Proton World International) and Vincent Rijmen (of Katholieke Universiteit Leuven). Allows only 128-, 192- and 256-bit key sizes (unlike the other candidates). Variable block length of 128, 192, or 256 bits; all nine combinations of key/block length are possible in Rijndael (the AES standard fixes the block at 128 bits). A block is the smallest data size the algorithm will encrypt. Vast speed improvement over DES in both hardware and software implementations.
AES Transformations
The round transformation of Rijndael does not have a Feistel structure.
ByteSub is a non-linear byte substitution; the S-box is invertible. You take the multiplicative inverse of the byte in GF(2^8) and then apply an affine transformation over GF(2). ShiftRow is simple. In MixColumn, the columns of the state are considered as polynomials over GF(2^8) and multiplied by {03}x³ + {01}x² + {01}x + {02} modulo x⁴ + 1. The inverse of MixColumn is similar to MixColumn. RoundKey addition is a straightforward bitwise XOR with the round key.
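Worked example (added here; not from the slides) serving both the irreducible-polynomial exercise (x⁴ + x + 1 over Z_2) and the MixColumn description above: polynomials over Z_2 as bit strings, carry-less multiplication and remainder, an irreducibility test by trial division, and GF(2^8) multiplication with the AES field polynomial x⁸ + x⁴ + x³ + x + 1 (0x11B, from the AES specification, not from the slides) used to compute MixColumn on one column. The test vectors are the standard MixColumn examples.

```python
# Added example: GF(2)[x] arithmetic, irreducibility, GF(2^8) and AES MixColumn.

def gf2_mul(a: int, b: int) -> int:
    """Carry-less product: bit i of b selects a << i, combined with XOR."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def gf2_mod(a: int, m: int) -> int:
    """Remainder of a divided by m over Z_2: long division where subtraction is XOR."""
    dm = m.bit_length() - 1
    while a and a.bit_length() - 1 >= dm:
        a ^= m << (a.bit_length() - 1 - dm)
    return a


def is_irreducible(f: int) -> bool:
    """f is irreducible iff no polynomial of degree 1..deg(f)/2 divides it.
    Trial division is fine for small degrees (Rabin's test for large ones)."""
    d = f.bit_length() - 1
    if d < 1:
        return False
    for g in range(2, 1 << (d // 2 + 1)):      # every polynomial of degree 1..d//2
        if gf2_mod(f, g) == 0:
            return False
    return True


AES_MOD = 0x11B                                  # x^8 + x^4 + x^3 + x + 1


def gf256_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^8) as AES defines it."""
    return gf2_mod(gf2_mul(a, b), AES_MOD)


def mix_column(col):
    """Multiply the column polynomial by {03}x^3 + {01}x^2 + {01}x + {02} mod x^4 + 1,
    which is the circulant matrix with rows (2,3,1,1), (1,2,3,1), (1,1,2,3), (3,1,1,2)."""
    coef = [2, 3, 1, 1]
    out = []
    for i in range(4):
        v = 0
        for j in range(4):
            v ^= gf256_mul(coef[(j - i) % 4], col[j])
        out.append(v)
    return out


def count_irreducible(degree: int) -> int:
    """How many irreducible polynomials of exactly this degree exist over Z_2."""
    return sum(is_irreducible(f) for f in range(1 << degree, 1 << (degree + 1)))
```

Reduction mod x⁴ + 1 is what makes MixColumn a circulant: x⁴ ≡ 1, so multiplying by x just rotates the coefficients. The count function reproduces the textbook figure of 30 irreducible polynomials of degree 8, one of which is the AES choice; any of the 30 would give a field, and AES picked the lexicographically smallest.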
Inverting AES
Encryption is ARK, then (BS, SR, MC, ARK) for each regular round, then (BS, SR, ARK) for the final round. Decryption applies the inverses in reverse order: ARK, SR^{-1}, BS^{-1}, then for each regular round ARK, MC^{-1}, SR^{-1}, BS^{-1}, and finally ARK.
Inverting AES. . .
Each of BS, SR, MC, and ARK is invertible. BS and SR commute (BS acts on each byte on its own, SR only moves bytes around). The combined step on column i is
(MC ∘ ARK)(column i) = [({03}x³ + {01}x² + {01}x + {02}) ⊗ (s_{0i}x³ + s_{1i}x² + s_{2i}x + s_{3i})] ⊕ (k_{0i}x³ + k_{1i}x² + k_{2i}x + k_{3i}).
If E_{4×4} = M_{4×4} S_{4×4} + K_{4×4} (over GF(2^8), where + is XOR and so equals −), then to invert E we have
S_{4×4} = M_{4×4}^{-1} E_{4×4} + M_{4×4}^{-1} K_{4×4}.
So a decryption round may add the transformed round key M^{-1}K before applying MC^{-1}, which is what lets the inverse cipher reuse the structure of the encryption rounds (the "equivalent inverse cipher").
RSA
By denition (n) is the number of integers 0 < x < n that are relatively prime to n. Consider where p and q are distinct primes. Then (n) = (n 1) (p 1) (q 1) = (p 1) (q 1) n=pq
RSA...
Choose large primes p and q differing by a few digits. Say one of 75 digits, the other of 100 digits. Both (p - 1) and (q - 1) should contain a large prime factor. Compute n = p·q. It's hard to factor n. Choose e to be, say, 65537. Public key = (e, n). Compute d = e^{-1} mod φ(n). Private key = (d, n). Infeasible to get d given (e, n). For a given message m, its encryption is c = m^e mod n. And to decrypt a ciphertext c, compute m = c^d mod n. This works because ed ≡ 1 (mod φ(n)), so m^{ed} ≡ m^1 ≡ m (mod n).
An example of RSA
Let p = 57748729314142811323 and q = 5295757044745316310341. Then n = 305823240090462151745038276856407276791143 and φ(n) = 305823240090462151739684771082347817669480. Choose e = 65537; then d = e^{-1} mod φ(n) = 59944845540718629190350345138224820571313. Encode a message NUS as its binary encoding (for example) to get 0x4e5553 = 5133651.
An example of RSA...
To encrypt, find 5133651^65537 mod 305823240090462151745038276856407276791143 = 217657393729141588774828799917624500652607. To decrypt, compute c^d mod n to get the original message.
Breaking RSA
Brute force. Try all possible values of d. Given an (m, c) pair, find a d such that c^d = m. From this you might be able to factorize n [TW02, Exponent Factorization, Section 6.4]. Timing attacks. Do we need factorization to solve the RSA problem, which is finding the e-th root modulo n [MvOV96, Section 3.3]?
Breaking RSA...
Mathematical attacks. Factor n. Find φ(n). But knowing φ(n) is equivalent to factoring n. Because n = pq, φ(n) = n - (p + q) + 1, and we have p + q = n + 1 - φ(n) and p - q = sqrt((p + q)^2 - 4n). This gives equations for p + q and p - q.
Show [Sta99, Fig. 6.9] on MIPS years needed to factor large n.
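The worked RSA example above recomputed end to end, plus the recovery of p and q from (n, φ(n)) just described. Added Python example, not the course's code; the slide's d and ciphertext are not assumed, everything is derived from p, q, e and checked.

```python
# RSA with the slide's numbers, and factoring n given phi(n).  Added example.
from math import isqrt

P = 57748729314142811323
Q = 5295757044745316310341
E = 65537
M = 0x4E5553                      # "NUS" as bytes, = 5133651


def rsa_keypair(p: int, q: int, e: int = E) -> tuple:
    """Return ((e, n), (d, n), phi(n))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)           # modular inverse (Python 3.8+)
    return (e, n), (d, n), phi


def rsa_encrypt(m: int, pub: tuple) -> int:
    e, n = pub
    return pow(m, e, n)


def rsa_decrypt(c: int, priv: tuple) -> int:
    d, n = priv
    return pow(c, d, n)


def factor_from_phi(n: int, phi: int) -> tuple:
    """Knowing phi(n) is as good as factoring:
    p + q = n + 1 - phi(n) and p - q = sqrt((p + q)^2 - 4n)."""
    s = n + 1 - phi
    disc = s * s - 4 * n
    r = isqrt(disc)
    if r * r != disc:
        raise ValueError("phi(n) is inconsistent with n")
    p, q = (s + r) // 2, (s - r) // 2
    return max(p, q), min(p, q)


def worked_example() -> dict:
    """Reproduce the slide: key pair, encryption of 'NUS', decryption, factoring."""
    pub, priv, phi = rsa_keypair(P, Q)
    c = rsa_encrypt(M, pub)
    return {"n": pub[1], "phi": phi, "d": priv[0], "c": c,
            "m": rsa_decrypt(c, priv), "factors": factor_from_phi(pub[1], phi)}


if __name__ == "__main__":
    for k, v in worked_example().items():
        print(k, v)
```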
Timing analysis
To compute a^x, use modular exponentiation: square, and multiply if the corresponding bit in the binary representation of x is 1. Suppose you have correctly guessed the first (b - 1) least significant bits of the exponent. Now you want to guess the b-th bit. Assume that for some values of a the intermediate values are such that the multiply at the b-th bit takes excessive time. Then, if the b-th bit is 1, there is a correlation between the b-th bit multiplication time and the remaining time needed; if the b-th bit is 0, there is no such correlation.
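Square-and-multiply as described above, instrumented to count modular multiplications, beside a Montgomery ladder that does the same amount of work for every exponent of a given length. Added Python example, not the course's code; operation counts stand in for measured time.

```python
# Exponent-dependent vs. exponent-independent work in modular exponentiation.
# Added example.

def square_and_multiply(a: int, x: int, n: int) -> tuple:
    """Left-to-right binary exponentiation; returns (a^x mod n, #multiplications).
    The multiply runs only where the exponent bit is 1, so the count (and the
    time) depends on the secret bits of x: the leak the slide describes."""
    result, mults = 1, 0
    for bit in bin(x)[2:]:
        result = (result * result) % n
        mults += 1
        if bit == "1":
            result = (result * a) % n
            mults += 1
    return result, mults


def montgomery_ladder(a: int, x: int, n: int) -> tuple:
    """Same result with exactly two multiplications per exponent bit, whatever
    the bit is (invariant: r1 = r0 * a), so the count no longer reveals x.
    The register selection below still branches on the bit; production code
    makes that selection constant-time as well (e.g. arithmetic swaps)."""
    r0, r1, mults = 1, a % n, 0
    for bit in bin(x)[2:]:
        if bit == "1":
            r0 = (r0 * r1) % n
            r1 = (r1 * r1) % n
        else:
            r1 = (r0 * r1) % n
            r0 = (r0 * r0) % n
        mults += 2
    return r0, mults


def count_profile(a: int, n: int, exponents: list, method) -> list:
    """Operation counts for several exponents of the same bit length."""
    return [method(a, x, n)[1] for x in exponents]


if __name__ == "__main__":
    exps = [0b1111, 0b1000, 0b1010]
    print(count_profile(5, 97, exps, square_and_multiply))   # [8, 5, 6]
    print(count_profile(5, 97, exps, montgomery_ladder))     # [8, 8, 8]
```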
Proof: x^2 ≡ 1 (mod p) means that p | (x^2 - 1), or p | (x - 1)(x + 1). Because p is prime, it divides either (x - 1) or (x + 1). It cannot divide both, because then it'd divide their difference, which is (x + 1) - (x - 1) = 2. Example: 5^2 mod 6 = 1 because 5^2 - 1 = (5 - 1)(5 + 1) = 2^2 · (2 · 3).
Examples. Is 125 prime? Let's try the Miller-Rabin test with base 2. (125 - 1) = 124 = 2^2 · 31. Now 2^31 ≡ 23, 23^2 ≡ 29, 29^2 ≡ 91 (mod 125). So 125 simply fails the Fermat test and is not prime.
Is 561 prime? Let's try again with base 2. (561 - 1) = 560 = 2^4 · 35. Now 2^35 ≡ 263, 263^2 ≡ 166, 166^2 ≡ 67, but 67^2 ≡ 1 (mod 561)! So 561 fails the Miller-Rabin primality test because we get 67^2 ≡ 1 (mod 561) with 67 ≢ ±1; 561 is not a prime.
Discrete Logs
Let Z_p^* = {1, 2, ..., p - 1}, p prime. For 0 < g < p let's study the sequence g^1, g^2, g^3, ... We know from Fermat's theorem that g^{p-1} ≡ 1 (mod p).
Show [Sta99, Table 7.6].
Discrete Logs...
The sequence g^1, g^2, g^3, ... ends in 1. If the sequence ends in 1, it clearly repeats itself after that.
If it does not, let g^m = g^x with g ≠ 1 and 0 < m < x. Then g^m (g^{x-m} - 1) ≡ 0, which means that either p | (g^{x-m} - 1) or p | g^m. But p ∤ g^m because p ∤ g. So g^{x-m} ≡ 1 (mod p), which is a contradiction. Z_p^* is a cyclic group. Not every element of Z_p^* is a generator. For e.g., the powers of 2 mod 7 are {1, 2, 4}. Logarithms are the inverse of exponentiation.
Discrete Logs...
Reals                                  Z_p^*
log_x 1 = 0                            log_g 1 (mod p) ≡ 0
log_x x = 1                            log_g g (mod p) ≡ 1
log_x (yz) = log_x y + log_x z         log_g (yz) (mod p) ≡ log_g y + log_g z (mod φ(p))
log_x (y^r) = r log_x y                log_g (y^r) (mod p) ≡ r log_g y (mod φ(p))
Discrete Logs...
See the primitive roots table to explain generators. g^x = y mod p ⇔ dlog_g y = x. Discrete logs can be used to implement bit commitment and key exchange.
Given k and α^a, can you find α^{ak} without knowledge of a? Because if you can, then you can find α^{ak} = (α^a)^k.
Hash Functions
A hash function accepts a variable-size message m as input and produces a fixed-size hash code h(m), called its message digest. It is a function of all the bits of the message. Instead of signing and MACing messages, one can sign and MAC the hash of messages. Much faster for signatures. MACs are no slower than hashes.
Hash Functions...
A hash function should be [Sta99, Sec 8.4]: Relatively easy to compute. Pre-image resistant. Means a one-way hash, i.e., given y = h(x), can't [computationally] find x. Second pre-image resistant. Useful for virus protection. Given x, h(x), can't find x' such that h(x) = h(x'). Collision resistant. Can't find arbitrary x, y such that h(x) = h(y) by just examining h. A simple hash function is the XOR of fixed-size message blocks. Useless for data security: trivial to compute a pre-image and a second pre-image. By the birthday paradox, if the hash size is 64 bits, then the time for a collision is ≈ 2^32 (small). Typical hash size ≥ 160 bits.
Hash Functions...
Examples: MD5, SHA-1. Almost all real-life hash functions are iterative: the Merkle-Damgård construction. CV0 is fixed and known for the hash function.
[Figure: Merkle-Damgård iteration over b-bit message blocks Y0, Y1, Y2, producing chaining variables CV0, CV1, CV2.]
P(n, k) = 1 - (1 - 1/n)(1 - 2/n) ··· (1 - (k-1)/n) ≈ 1 - e^{-1/n} · e^{-2/n} ··· e^{-(k-1)/n} = 1 - e^{-k(k-1)/(2n)}, using 1 - x ≈ e^{-x}.
As k grows the product decreases, because each product term is < 1; hence P(n, k) = 1 - product increases, which means that the probability of collision increases.
MACs
A MAC h_k(m) takes a secret k and a variable-size message m as input and produces a fixed-size code such that an attacker capable of a chosen message attack cannot do existential forgery, i.e., construct h_k(m) for an unknown m.
CBC-MAC
See [Sta99, pg. 252]. Tail needed to prevent existential forgery. Classic construction used in the banking industry. Its secret key is the pair (k, k').
[Figure: CBC-MAC chain: message blocks M fed through E_k in CBC fashion, with the final block processed under E_k'.]
MACs from CRHFs such as MD5 & SHA
How about MAC_k(M) = h(k || M)? Bad idea because of the Merkle-Damgård construction. Consider the message M = km. This is hashed as km | pad. From this, construct the message M' = km pad m'. This is hashed as km | pad m' | pad2. Without knowledge of k, one can How about MAC_k(M) = h(M || k)? Bad idea. You can do a birthday attack to get m, m' such that H_i(m) = H_i(m'). So the collision is independent of k. How about MAC_k(M) = h(k || M || k)? Envelope method. No serious attacks but no analysis either.
MACs from CRHFs such as MD5 & SHA...
HMAC [Sta99, pg. 294], [BCK96a] and [BCK96b]. Used in SSL, IPSec. 0 is used to pad k to the full compression function block size for h, usually 512 bits.
[Figure: HMAC: 512-bit block inputs, 128/160-bit chaining variables.]
[k0 ⊕ ipad] and [k0 ⊕ opad] are of compression function block size. Block size for MD5 = SHA-1 = 512 bits. Chaining variable size for MD5 = 128 bits, for SHA-1 = 160 bits. On a 200MHz Pentium, HMAC-MD5 clocked 28.5MB/s while HMAC-SHA-1 clocked 15.25MB/s. CBC-MAC, on the other hand, clocked 4.7MB/s and IDEA-MAC clocked 3MB/s.
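HMAC built exactly as described above (key zero-padded to the block size, XORed with ipad/opad, inner and outer hash), checked against Python's hmac module. Added Python example, not the course's code; the ipad/opad constants 0x36/0x5C are those of the HMAC specification.

```python
# HMAC from the slide's description, plus a constant-time verifier.
# Added example.
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C


def hmac_manual(key: bytes, msg: bytes, algo: str = "sha1") -> bytes:
    """HMAC = h((k0 ^ opad) || h((k0 ^ ipad) || msg)), where k0 is the key
    zero-padded to the compression-function block size (64 bytes for MD5 and
    SHA-1).  A key longer than a block is first replaced by its hash."""
    def hashfn(data: bytes = b""):
        return hashlib.new(algo, data)

    block = hashfn().block_size
    if len(key) > block:
        key = hashfn(key).digest()
    k0 = key + b"\x00" * (block - len(key))
    inner = hashfn(bytes(b ^ IPAD for b in k0) + msg).digest()
    return hashfn(bytes(b ^ OPAD for b in k0) + inner).digest()


def matches_stdlib(key: bytes, msg: bytes, algo: str = "sha1") -> bool:
    """Cross-check against the standard library implementation."""
    return hmac_manual(key, msg, algo) == hmac.new(key, msg, algo).digest()


def mac_verify(key: bytes, msg: bytes, tag: bytes, algo: str = "sha1") -> bool:
    """Compare in constant time so a verifier does not leak the tag by timing."""
    return hmac.compare_digest(hmac_manual(key, msg, algo), tag)


if __name__ == "__main__":
    m = b"The quick brown fox jumps over the lazy dog"
    print(hmac_manual(b"key", m).hex())   # de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9
    print(matches_stdlib(b"key", m, "md5"))
```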
Protocols
Adapted from [P96, Chapter 4]. A protocol is an orderly sequence of steps two or more parties take to accomplish some task. A good protocol should be: established in advance, mutually subscribed to, unambiguous, complete.
For example, the hello protocol on phone connections.
We are interested in protocols by which mutually suspicious parties can interact with each other and be convinced of fairness.
Types of Protocols
Arbitrated: a trusted third party is involved in the interaction. Finding a mutually trustworthy third party? Availability of the third party (may become a bottleneck). Shares secrets with involved parties. Adjudicated: a disinterested third party can judge fairness based on evidence. Detects failure after the fact. Self-enforcing: guarantees fairness. If either party cheats, it becomes evident to the other party.
[Figure: key server S, Alice (A) and Bob (B).]
1. A → S: A, B. No nonce: everyone is loosely time synchronized.
2. S → A: {TS, L, Kab, B, {TS, L, Kab, A}Kbs}Kas
3. A → B: {TS, L, Kab, A}Kbs, {A, TA}Kab
4. B → A: {TA + 1}Kab
Kerberos V4
Adapted from [KPS95, Chapter 10] and [Sta99, Chapter 11]. Based on work by Needham and Schroeder [NS78]. KDC + library of subroutines used by distributed applications. Some modified applications: telnet, BSD r-tools, NFS. The KDC shares a master key with each principal (each user and resource that will be using Kerberos). Bob knows that anyone who knows K_AB is acting on Alice's behalf.
Kerberos V4...
Alice registers with Kerberos and gets a ticket from the TGS. Alice → WS (types her password, which is turned into a DES key). WS → AS (AS_REQ to get a TGT). AS → WS (AS_REP = K_A{S_A, TGT}).
Kerberos V4...
Alice wants to talk to Bob. Alice's WS → TGS (TGS_REQ = TGT + Authenticator). Authenticator = S_A{TS} (within 5 mins of the current time). TGT = K_KDC{Alice, S_A}.
Kerberos V4...
Alice establishes communication with Bob. Alice's WS → Bob (AP_REQ = Bob's ticket + Authenticator). Authenticator = K_AB{TS}. Bob's ticket = K_B{Alice, K_AB}.
Kerberos Realms
Hard for everyone to trust a single KDC. Divide the network into realms, each with its own KDC database. Principal = (NAME, INSTANCE, REALM), for e.g., (fileserv, jailbreak, R1). For humans, INSTANCE could be a role. Interrealm authentication: the KDC in realm B is registered as a principal in realm A.
[Figure: challenge-response protocol between A and B, exchanging K(C_A), K(C_A | C_B) and K(C_B) over steps 3 to 5.]
Does this protocol provide client authentication? Also see the SSL protocol.
[Figure: Diffie-Hellman: Alice sends g^a to Bob, Bob sends g^b to Alice; both end with key k.]
Both Alice and Bob compute g^{ab}. g, p are known in advance. In practice, do this in a large subgroup of Z_p^*. Subject to person-in-the-middle attack. Diffie-Hellman problem: given g^a, g^b, compute g^{ab}. Certainly no harder than DLog. Does DLog hard ⇒ DH secure? Open problem. (Strong evidence.)
DH... person-in-the-middle
[Figure: Alice sends g^a, which Eve replaces with g^p before it reaches Bob; Bob sends g^b, which Eve replaces with g^q before it reaches Alice.]
Alice believes she's talking to Bob because messages make semantic sense. A simple challenge-response protocol from Alice to verify Bob succeeds. (Should ask for challenge + DH params for the connection.) Eve establishes shared key g^{aq} with Alice, and g^{pb} with Bob. Eve deciphers every message between Alice and Bob.
Diffie-Hellman in practice
p = 1024-bit prime. g ∈ Z_p^*, an element of order q.
Now a ∈ {0, 1, ..., q - 1} and b ∈ {0, 1, ..., q - 1}. Since q is 160 bits, g^a (mod p) only needs 160 multiplies rather than 1024. A seven-fold improvement!
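Diffie-Hellman in a prime-order subgroup as described above: g has order q, exponents come from [1, q), and each side checks that the value it receives lies in the subgroup (y^q ≡ 1 mod p, y ≠ 1) before using it, which is the usual defence against being handed small-order elements. Added Python example, not the course's code; p = 1019 and q = 509 are toy-sized constructed values, far too small for real use.

```python
# Subgroup Diffie-Hellman with a membership check on received values.
# Added example.
import secrets

P = 1019                      # prime; p - 1 = 2 * 509 (constructed, toy-sized)
Q = 509                       # prime order of the subgroup used for the exchange
G = pow(2, (P - 1) // Q, P)   # an element of order q (here 4)
assert G != 1


def in_subgroup(y: int) -> bool:
    """True only for elements of the order-q subgroup other than the identity."""
    return 1 < y < P and pow(y, Q, P) == 1


def keygen() -> tuple:
    """Private exponent in [1, q) (0 excluded: its public value would be 1)."""
    a = secrets.randbelow(Q - 1) + 1
    return a, pow(G, a, P)


def shared_secret(my_priv: int, their_pub: int) -> int:
    """Reject the peer's value unless it is in the subgroup, then raise it."""
    if not in_subgroup(their_pub):
        raise ValueError("peer value is not in the order-q subgroup")
    return pow(their_pub, my_priv, P)


def exchange() -> tuple:
    """Run both sides; the two results must agree (g^ab computed two ways)."""
    a, A = keygen()
    b, B = keygen()
    return shared_secret(a, B), shared_secret(b, A)


if __name__ == "__main__":
    print(exchange())
    print(in_subgroup(P - 1))     # False: p - 1 has order 2, not q
```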
Digital Signatures
Suppose you send e-mail to your bank to transfer $100 to Tim's account. Why should the bank believe the e-mail came from you [unaltered]? Authentication (⇒ integrity). If the bank transferred the money, maybe you can disavow the e-mail. Non-repudiation. In case of dispute, can it be settled by a neutral third party? Signatures basically provide non-repudiation, which shared key systems do not.
With the aid of a trusted third party! A signature is the encryption of the message. E_KS is S's encryption key, while E_KR is R's encryption key. A is the trusted third party (arbiter). S → A: E_KS(M). A → R: E_KR(M, S, E_KS(M)). A says that S said M.
Authentic but not private: S → R: D_S(M). Authentic and private: S → R: E_R(D_S(M)). But what if R decrypts the outer layer and re-encrypts the inner message to create a new message E_U(D_S(M))? This would make it appear as if S sent a signed message to U!
From [TW02, Sec. 8.2]. Prime p, α a generator of Z_p^*, i.e., ord(α) = p - 1. Private key 1 ≤ a ≤ p - 2, public key β = α^a,
Computing s seems to require knowledge of a (the private key) & k, which requires the ability to compute discrete logs. The signature is the pair (r, s). Precomputing (k, r) pairs is possible, and signature generation is then cheap!
Verification only requires (β, r), both of which are public. Verification requires exponentiation! To derive the verification equation from first principles, consider that
β^r r^s ≡ (α^a)^r (α^k)^s = α^{ar + ks} ≡ α^m (mod p), since ar + ks ≡ m (mod p - 1).
Look at [Sta99, pg. 229] for why we go from the first equality, which is mod (p - 1), to the second equality, which is mod p. It's because p - 1 = φ(p).
For forgery, Eve needs to compute s for message m s.t. the verification eqn α^m ≡ β^r r^s (mod p)
is satisfied. Let's say she randomly chooses r = α^k. Then r^s ≡ α^m β^{-r}, so s = log_r(α^m β^{-r}). So, she must be able to compute discrete logs to the base r = α^k. If she chooses r = α^k of small order, then it's unclear whether DL(s) would exist for it.
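ElGamal signing and the verification equation above, with the (k, r) precomputation the slides mention. Added Python example, not the course's code; the signing rule s = k^{-1}(m - ar) mod (p - 1) is the textbook ElGamal scheme [TW02], and p = 467 with generator α = 2 is a toy-sized constructed parameter set.

```python
# ElGamal signatures: sign with precomputed (k, r), verify alpha^m = beta^r r^s.
# Added example.
from math import gcd
import secrets

P = 467        # prime (toy size); 2 generates Z_467^* since 2^233 = -1 mod 467
ALPHA = 2


def keygen() -> tuple:
    """Private key a in [1, p-2], public key beta = alpha^a mod p."""
    a = secrets.randbelow(P - 2) + 1
    return a, pow(ALPHA, a, P)


def precompute_kr() -> tuple:
    """A per-signature (k, r) pair: k invertible mod p-1, r = alpha^k.
    k must never be reused; two signatures with the same k expose a."""
    while True:
        k = secrets.randbelow(P - 2) + 1
        if gcd(k, P - 1) == 1:
            return k, pow(ALPHA, k, P)


def sign(m: int, a: int, kr: tuple = None) -> tuple:
    """s solves a*r + k*s = m (mod p-1), which is what verification relies on."""
    k, r = kr if kr is not None else precompute_kr()
    s = (pow(k, -1, P - 1) * (m - a * r)) % (P - 1)
    return r, s


def verify(m: int, sig: tuple, beta: int) -> bool:
    """beta^r * r^s = alpha^(ar + ks) = alpha^m (mod p) for a genuine signature."""
    r, s = sig
    if not (0 < r < P):
        return False
    return pow(ALPHA, m, P) == (pow(beta, r, P) * pow(r, s, P)) % P


if __name__ == "__main__":
    a, beta = keygen()
    sig = sign(100, a)
    print(sig, verify(100, sig, beta), verify(101, sig, beta))   # ... True False
```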
A → R: (M, S, f_S(M), e).
Key Escrow
Provide strong security for communications while simultaneously allowing authorized government access to particular communications for law enforcement and national security purposes [DS94]. The EES uses SKIPJACK (64-bit block, 80-bit key) and a Law Enforcement Access Field (128-bit LEAF) transmitted with every message. Each Clipper chip has an 80-bit Device Unique key (K_U) and an 80-bit common Family Key (K_F). Key exchange method unspecified. A session key K_S is somehow generated.
Key Escrow...
Encryption could be used to conceal criminal and terrorist activities. By rendering communications immune from lawful interception, encryption threatens law enforcement and public safety. Special tamper-resistant hardware encryption device (Clipper) and a Key Escrow System (KES).
Key Escrow...
The LEAF and IV are transmitted for synchronization and LEAF validation. Infeasible to deploy the system without transmitting a valid LEAF [Bla94]. The session key (K_S) is encrypted with the device key K_U. The unit id identifies K_U. The whole LEAF is encrypted under K_F. The receiving chip is unable to extract K_S from the LEAF.
LEAF = E_KF( E_KU(K_S) (80b) || unit id (32b) || cksum (16b) )
Mental Poker
A → B: E_KA(C_1) ... E_KA(C_52). C_i = Jack of Spades. B chooses five and sends to A: E_KB(E_KA(C_i)), ..., E_KB(E_KA(C_m)). A unlocks the five that B has chosen [D_KA(E_KB(E_KA(C_i))), ..., D_KA(E_KB(E_KA(C_m)))] to yield [E_KB(C_i), ..., E_KB(C_m)] and sends them back to B. B can now get C_i ... C_m.
Mental Poker...
To realize this scheme, one can use exponentiation, for which (C_i^{K_A})^{K_A^{-1}} = C_i.
If it's heads, Pete will pay; if it's tails, Nancy pays. So Pete flips a coin in his office and tells Nancy the result over the phone! Pete offers Nancy a choice of two. Nancy picks one but blinds it. She is committed to her choice when she sends her selection to Pete.
Pete selects one of the above two blinded choices. The toss outcome depends on whether both made the same or different selections.
From [Sch97, Section 19.3]. A selects two large primes and computes n = p·q. A sends n to B. [For p, q ≡ 3 (mod 4) there's a deterministic method to find square roots.]
B picks a random x < n and computes z = x^2 mod n. B sends z to A. A computes the four square roots of z, ±x and ±y. A sends one of these four values, say α, to B.
Consider the pair (a, b), a = x mod p, b = x mod q. By CRT, (a, b), (-a, b), (a, -b), (-a, -b) are square roots of z.
If B says he's won, why should A believe him? Because B can now factor n with knowledge of α and x: GCD(α + x, n) ∈ {p, q}. If α^2 ≡ x^2 mod n, then n | (α^2 - x^2). If n | (α - x)(α + x), then for α ≠ ±x, p divides one of (α - x) or (α + x) and q divides the other.
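The coin-flipping protocol above, carried out with square roots modulo n = pq for p, q ≡ 3 (mod 4): A computes all four roots through the CRT, and B proves a win by factoring n with the gcd identity just given. Added Python example, not the course's code; p = 1019 and q = 983 are constructed toy primes.

```python
# Coin flipping by square roots mod pq, with the factoring proof.  Added example.
from math import gcd
import secrets

P, Q = 1019, 983          # constructed toy primes, both = 3 (mod 4)


def sqrt_mod_prime_3mod4(z: int, p: int) -> int:
    """For p = 3 (mod 4), z^((p+1)/4) is a square root of any residue z mod p."""
    r = pow(z, (p + 1) // 4, p)
    if (r * r - z) % p != 0:
        raise ValueError("z is not a quadratic residue mod p")
    return r


def crt(a: int, p: int, b: int, q: int) -> int:
    """Chinese remaindering: x = a (mod p), x = b (mod q), 0 <= x < pq."""
    return (a * q * pow(q, -1, p) + b * p * pow(p, -1, q)) % (p * q)


def four_roots(z: int, p: int, q: int) -> list:
    """A's step: combine (+-a, +-b) to get the four square roots of z mod pq."""
    a = sqrt_mod_prime_3mod4(z, p)
    b = sqrt_mod_prime_3mod4(z, q)
    return sorted({crt(sa, p, sb, q) for sa in (a, p - a) for sb in (b, q - b)})


def factor_from_roots(n: int, alpha: int, x: int):
    """If alpha^2 = x^2 (mod n) but alpha != +-x, then gcd(alpha + x, n) is p or q."""
    if (alpha - x) % n == 0 or (alpha + x) % n == 0:
        return None
    f = gcd(alpha + x, n)
    return f, n // f


def play(p: int, q: int, a_choice: int, x: int = None) -> dict:
    """One round: B picks x and sends z = x^2; A returns root number a_choice.
    B wins when the root is neither x nor -x, and can then factor n as proof."""
    n = p * q
    if x is None:
        while True:
            x = secrets.randbelow(n - 2) + 2
            if gcd(x, n) == 1:
                break
    z = pow(x, 2, n)
    alpha = four_roots(z, p, q)[a_choice % 4]
    b_wins = alpha not in (x, n - x)
    return {"x": x, "z": z, "alpha": alpha, "b_wins": b_wins,
            "factors": factor_from_roots(n, alpha, x)}


if __name__ == "__main__":
    for choice in range(4):
        print(play(P, Q, choice, x=5))
```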
Bit Commitment
Adapted from [TW02, Section 7.3]. Alice wants to make a private statement that, once made, cannot be changed. If computing discrete logs is hard, then Alice can commit to a message m by making public c = α^m, where α is a generator of Z_p^*. The commitment c can later be verified because m → c is a 1:1 onto operation.
Protecting Memory
Using a fixed fence with non-relocatable programs that know the fence value at compile time. Protection in only one direction. You can shoot yourself in the foot. Cannot sub-partition programs into finer granularity of protection.
Protecting Memory...
Using variable sized fences with programs compiled starting at address 0. Programs not relocated, rather indirection used with the fence value stored in a register. Provides relocation and protection at the same time.
Protecting Memory...
Base/bounds registers. Provide both lower and upper bounds. Change them for every program at context switch. Use additional base/bounds registers for finer granularity partitions, say code and data.
Protecting Memory: Segmentation
Addresses are of the form <seg #, offset>. Segments can be separately relocated and protected. Each process would normally have its own segment table for address translation. Processes that want to share segments map them to the same segment numbers in their segment tables.
Protecting Memory: Segmentation...
Pros and Cons: Fine granularity of protection, on a per-segment basis. Can lead to fragmentation of main memory. Requires compaction. Sharing requires same segment numbers in all sharing processes because of inter segment references.
Paging
Addresses are of the form <page #, offset>. All pages are of the same size.
Segmentation+Paging
Break a segment into pages.
User Authentication
The process whereby a system is assured of the identity of the user involved in a protocol and that the user has actually participated. Message authentication itself provides no timeliness guarantees w.r.t. when the message was created. User authentication is a real-time process. Adapted from [Den04, Week 4].
User Authentication...
Alice → Bob. Concerns: eavesdropping, exposing secrets on the server. Goal: no secrets on the server + foil eavesdropping. Methods: passwords, one-time passwords, challenge-response protocols, zero-knowledge authentication.
In typical environments, authentication has to be combined with session key exchange protocol (for encryption/authentication) to foil session hijacking.
Passwords
Used to authenticate people. Have low entropy (≈ 25 bits).
2^25 = 33554432, 255^8 = 17878103347812890625.
Passwords...
Never store passwords on the server. Store the password hash instead. Don't need the ability to invert. If this file is exposed, an adversary can mount a dictionary attack:
    for (every w in dictionary) {
        compute h(w)
        lookup h(w) in this file
    }
Passwords...
Unix uses a modified DES algorithm with 12 bits of salt: a two-char string from the set [a-zA-Z0-9./]. It is used to perturb the algorithm in one of 4096 different ways. Usually encrypts 0 with the key 25 times. The value stored in the password file is a series of 13 printable ASCII characters (the first two characters are the 12-bit salt itself and the remaining 11 characters encode the 64-bit encryption of 0). See crypt(3). Suppose 10M words in the dictionary and a 12-bit salt: then we have 10M × 4K = 40G encrypted passwords. Assuming an average length of 8 bytes gives 320GB. If one encryption is done in one µs, the dictionary can be encrypted in 40 × 10^9 × 10^{-6} = 4 × 10^4 s ≈ 10 hours.
Passwords: Salting
Salt makes a dictionary attack harder. An attacker must hash every word in the dictionary 2^12 times. Logically, it looks like:
    Alice | salt_a | h(P_a || salt_a)
    Bob   | salt_b | h(P_b || salt_b)
salt'_a is 4 bits. To verify a user's password, the system tries all 2^4 combinations of salt'_a. The attacker's work goes up by 16. Secret salt: store Alice | salt_a | h(P_a || salt_a || salt'_a).
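A password file with a stored salt and a 4-bit secret salt, as described above: verification tries all 16 values of the unstored salt, so both the verifier and an attacker pay that factor per guess. Added Python example, not the course's code; h is taken to be SHA-256 here, an assumption since the slide leaves h abstract.

```python
# Salted password storage with an unstored 4-bit secret salt.  Added example.
import hashlib
import hmac
import os
import secrets

SECRET_SALT_BITS = 4


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()      # the slide's h; SHA-256 assumed


def make_record(user: str, password: bytes, salt_bytes: int = 16) -> dict:
    """Store user | salt | h(P || salt || salt'); salt' is drawn but NOT stored."""
    salt = os.urandom(salt_bytes)
    secret_salt = secrets.randbelow(1 << SECRET_SALT_BITS)
    return {"user": user, "salt": salt,
            "hash": h(password + salt + bytes([secret_salt]))}


def verify(record: dict, password: bytes) -> bool:
    """Try every value of salt'.  All 2^bits candidates are always evaluated and
    compared in constant time, so timing does not narrow down salt'."""
    ok = False
    for s in range(1 << SECRET_SALT_BITS):
        cand = h(password + record["salt"] + bytes([s]))
        ok |= hmac.compare_digest(cand, record["hash"])
    return ok


def dictionary_cost(words: int, salt_bits: int, secret_salt_bits: int = 0) -> int:
    """Hashes needed to cover every (word, salt, salt') against a stolen file;
    the slide's 10M words x 4K salts is the secret_salt_bits = 0 case."""
    return words * (1 << salt_bits) * (1 << secret_salt_bits)


if __name__ == "__main__":
    rec = make_record("alice", b"correct horse")
    print(verify(rec, b"correct horse"), verify(rec, b"wrong"))   # True False
    print(dictionary_cost(10_000_000, 12), dictionary_cost(10_000_000, 12, 4))
```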
Biometrics
One-Time Passwords
Lamport hash (S/Key) based on a hash chain [KPS02, Section 12.2]. Alice remembers a password p. Bob (server) remembers (user, n, h^n(p)).
A → B: A (I am Alice)
B → A: n
A → B: x = h^{n-1}(p)
One-Time Passwords...
Pros and Cons: Can only log in a finite # of times. No mutual authentication. Small n attack: what if Alice can be tricked into revealing h^{50}(p)?
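The Lamport hash exchange above with both sides implemented, plus the client-side check that blunts the small-n trick: Alice only answers the n she expects next. Added Python example, not the course's code; h is SHA-256 here, an assumption.

```python
# S/Key-style one-time passwords from a hash chain.  Added example.
import hashlib


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()      # the slide's one-way h; SHA-256 assumed


def h_iter(x: bytes, n: int) -> bytes:
    """h^n(x)."""
    for _ in range(n):
        x = h(x)
    return x


class Server:
    """Bob: stores (user, n, h^n(p)) and never the password itself."""

    def __init__(self):
        self.db = {}

    def register(self, user: str, n: int, top: bytes):
        self.db[user] = [n, top]

    def challenge(self, user: str) -> int:
        return self.db[user][0]

    def login(self, user: str, x: bytes) -> bool:
        n, stored = self.db[user]
        if n <= 1:
            return False                    # chain exhausted: must re-register
        if h(x) != stored:
            return False                    # wrong value, or a replay of an old one
        self.db[user] = [n - 1, x]          # x = h^(n-1)(p) is the new reference
        return True


class Client:
    """Alice: remembers p and the n she expects, refusing any other n."""

    def __init__(self, password: bytes, n: int):
        self.p = password
        self.expected_n = n

    def enroll(self) -> bytes:
        return h_iter(self.p, self.expected_n)

    def respond(self, n: int) -> bytes:
        if n != self.expected_n:
            raise ValueError("unexpected n: possible small-n attack")
        self.expected_n = n - 1
        return h_iter(self.p, n - 1)


if __name__ == "__main__":
    srv, cl = Server(), Client(b"hunter2", 100)
    srv.register("alice", 100, cl.enroll())
    x = cl.respond(srv.challenge("alice"))
    print(srv.login("alice", x), srv.login("alice", x))   # True False (replay)
```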
Turning on sticky bits turns on mode bits 111. Extra attributes on the ext2 FS: lsattr, chattr. One word (include/linux/ext2_fs.h) = { A (don't update atime), a (open append only), c (compress), d (mark for dump), i (immutable), s (zero blocks on delete), S (write synchronously), u (save contents on delete) }
Network Security
Demuxing within a machine, in-order delivery. End-to-end routing and addressing. Channel access, framing. Bits, encoding (Manchester), modulation.
Port Scanning: Nmap
To find services (exploitable communication channels) running on your machine. TCP header:
TCP header (each row is 32 bits, bit 0 on the left):
    Source port (16) | Destination port (16)
    Sequence number (32)
    Acknowledgement number (32) (1 + last byte # recvd)
    Hdr len (4) | Reserved (6) | Code (6) | Window (16)
    Checksum (16) | Urgent pointer (16)
    Options if any | padding
    DATA
CODE is 6 bits, from left to right: URG, ACK, PSH, RST, SYN, FIN.
Port scanning: what ports are open on a machine? See the nmap doc for details. TCP connect scanning. Can result in application-level logging. TCP SYN scanning aka stealth mode. Leads to denial of service in many OSes (half-open connections). Could be logged. TCP FIN scanning. On *nix, this generates RST on a closed port and is ignored on open ports. Fragmentation scanning. Split the TCP header (SYN) into multiple packets so intermediate filters can't filter it. UDP port scanning by received ICMP port unreachable messages. Parallelism may be limited by the host's error rate limit.
Xmas tree scan: FIN|URG|PSH in an attempt to let the firewall pass the packet through.
Remote OS detection via TCP/IP Stack Fingerprinting
Why? Many security holes depend on the OS version. Scan a network for (OS, svc) pairs and wait for the next exploit. Social engineering. How? Just telnet to the machine. Telnet to the ftp port (telnet mirror.nus ftp). DNS host info record (nslookup, set type=hinfo, www.comp.nus.edu.sg). snmpwalk.
Remote OS detection via TCP/IP Stack Fingerprinting...
Basically, look for things that differ among OSes and write a probe for the difference. Examples: FIN scan to a known open port: Windows boxes will send RST back while *nix boxes will silently discard it. BOGUS flag returned on some Linuxes: (SYN+BOGUS) returns (ACK+BOGUS). ISN sampling: some always use the same ISN! Random increments, true random, time-dependent model, ... Don't Fragment bit in the IP header. TCP initial window size (during handshake or on RST packets): AIX = 16165! ACK value on the RST returned for a FIN|PSH|URG sent to a closed port?
Remote OS detection via TCP/IP Stack Fingerprinting...
ICMP error message rate: some systems such as Linux will rate limit the returned error messages. ICMP message quoting size: how much of the offending packet is returned. Only header + 64 bits returned, or more, or the whole packet. TOS on ICMP port unreachables. Overlapping fragments for TCP. Fragmentation handling. TCP options: which ones are supported, order of return, ...
Remote OS detection via TCP/IP Stack Fingerprinting...
Examples of Nmap configuration: T5 (DF=N%W=0%ACK=S++%Flags=AR%Ops=): SYN to a closed port. T5 is a predefined test whose response should match the spec above. T6 (DF=N%W=0%ACK=O%Flags=R%Ops=): ACK to a closed port.
IP header (each row is 32 bits, bit 0 on the left):
    vers (4) | hlen (4) | svc type (8) | total len (16)
    ident (16) | flags (3) | frag offset (13)
    ttl (8) | protocol (8) | hdr checksum (16)
    source ip addr (32)
    dest ip addr (32)
    ip options if any | padding
    DATA
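A parser for the IP and TCP header layouts shown above, with the six code bits decoded in the order given and a classifier that names the flag combinations a monitor would want to flag (null, FIN-only, Xmas). Added Python example, not the course's code or Nmap's; the packets are constructed in the block, with checksums left at zero.

```python
# IPv4 and TCP header parsing from the slide's layouts.  Added example.
import struct

TCP_CODE_BITS = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")   # left to right


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6,
                      ident: int = 0, df: bool = False, mf: bool = False,
                      frag_offset_units: int = 0, ttl: int = 64) -> bytes:
    """20-byte header with no options; checksum left 0 (constructed packets)."""
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0) | (frag_offset_units & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                       ttl, proto, 0, bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))


def build_tcp_header(sport: int, dport: int, seq: int, ack: int, flags,
                     window: int = 65535) -> bytes:
    """20-byte header, hdr len = 5 words, code bits from `flags`; checksum 0."""
    code = 0
    for i, name in enumerate(TCP_CODE_BITS):
        if name in flags:
            code |= 1 << (5 - i)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | code, window, 0, 0)


def parse_ipv4(pkt: bytes) -> tuple:
    """Return (fields, payload).  Fragment offset is converted to bytes (x8)."""
    (vers_hlen, tos, total_len, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    hlen = (vers_hlen & 0x0F) * 4
    if vers_hlen >> 4 != 4 or hlen < 20 or hlen > len(pkt):
        raise ValueError("not a sane IPv4 header")
    fields = {"version": 4, "hlen": hlen, "tos": tos, "total_len": total_len,
              "ident": ident, "DF": bool(flags_frag & 0x4000),
              "MF": bool(flags_frag & 0x2000),
              "frag_offset": (flags_frag & 0x1FFF) * 8, "ttl": ttl,
              "protocol": proto, "src": ".".join(map(str, src)),
              "dst": ".".join(map(str, dst))}
    return fields, pkt[hlen:]


def parse_tcp(seg: bytes) -> tuple:
    """Return (fields, data); flags listed in URG..FIN order."""
    sport, dport, seq, ack, off_code, window, csum, urg = struct.unpack("!HHIIHHHH", seg[:20])
    hlen = (off_code >> 12) * 4
    if hlen < 20 or hlen > len(seg):
        raise ValueError("bad TCP header length")
    code = off_code & 0x3F
    flags = [n for i, n in enumerate(TCP_CODE_BITS) if code & (1 << (5 - i))]
    fields = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "hlen": hlen,
              "flags": flags, "window": window, "urgent": urg, "options": seg[20:hlen]}
    return fields, seg[hlen:]


def classify_flags(flags) -> str:
    """Name the combinations a monitor treats as probes rather than traffic."""
    s = set(flags)
    if not s:
        return "null"
    if s == {"FIN", "URG", "PSH"}:
        return "xmas"
    if s == {"SYN"}:
        return "syn"
    if s == {"FIN"}:
        return "fin"
    if "SYN" in s and "ACK" in s:
        return "syn-ack"
    return "other"


if __name__ == "__main__":
    pkt = build_ipv4_header("10.0.0.1", "10.0.0.2", 20) + build_tcp_header(40000, 80, 1000, 0, ["FIN", "URG", "PSH"])
    ip, rest = parse_ipv4(pkt)
    tcp, _ = parse_tcp(rest)
    print(ip["src"], "->", ip["dst"], tcp["flags"], classify_flags(tcp["flags"]))
```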
Active Attacks
Kill active TCP connections by sending RST. ARP spoofing: connections can be redirected through another host. See securitypronews for an exploit with EtterCap. TCP spoofing with sequence number guessing. TCP connection hijacking.
ARP Spoong
Adapted from hackinthebox. [Figure: hosts A, B and C on one LAN.]
If B will accept a gratuitous ARP reply, then A → B: mac_C = mac_A and A → C: mac_B = mac_A. The protocol ought to accept answers only for outstanding queries. In any event the answers are unauthenticated.
[Figure: E, A and B; E sends to A with B's address.]
E sends SYN to A with source B. A responds with SYN+ACK to B. If E can guess the ISN in step 2, it can respond with ACK+DATA before B can send RST. E might use a disconnected B, prevent it from sending the RST, or prevent step 2 from reaching B.
[Figure: client C and server S windows on the sequence-number line; a is the server's left edge.]
The server's window should intersect with the client's, with its left edge to the right of the client's left edge.
Consider sliding window protocols such as TCP. Data flow direction: C → S. The client proposes the ISN. The server proposes the window size for flow control. The server discards any data outside the window, i.e., < a or > b, and sends an ACK for a. The server cannot advance the window without receiving data at seq num a. In a desynchronized state, it never will. An attacker can feed data starting at a to S. When S responds with an ACK, it falls outside C's window.
S → C: ACK_{x+1}, SYN(ISN = s). X → S: ACK_{s+1}, RST. S now thinks that C has broken the connection. But C has established its sending window to be [x, x + w]. Establish another connection between C and S. X → S: SYN(ISN = a).
S → C: ACK_{a+1}, SYN(ISN = s'). Ignored by C because an ACK of a + 1 is outside its window of [x, x + w] and a SYN of s' is probably outside of [s, s + w].
Another form exploits vulnerabilities to crash machines. Results in degradation of services on the network.
Locked up accounts.
A DDOS Attack
[Figure: the attacker controls zombies Z that jointly flood the victim.]
Flooding Attacks
Smurf attack: send ICMP ECHO to a broadcast address with the source address of the victim. TCP SYN attack: send SYN datagrams to the victim with forged, non-existent source addresses. UDP flooding: send UDP datagrams at high volume to ports on the victim machine.
Logic Attacks
Ping of Death. Construct an ICMP ECHO datagram as fragments such that the assembled datagram exceeds the 64K limit for IP datagrams. An IP datagram has a 13-bit frag offset specified in 8-byte units. Highest offset = 2^16 - 8! The problem is with IP reassembly. Land: send a datagram with the same source and destination address.
Defeating DDOS
Egress filtering. Stop spoofed packets from leaving your network. Stop your network from being used as an amplification site.
Disable IP directed broadcast on all systems.
Countering DOS
Simple cookies. Would need to remember them.
[Figure: A sends "start protocol"; the server answers with a cookie that A must return.]
Countering DOS
Require clients to do work in order to connect [Juel99].
E.g., what 27-bit number has a SHA checksum of x?
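A client puzzle in the form the slide gives: the server publishes a SHA digest and the client must find the bounded number that produced it; checking costs the server one hash while solving costs the client up to 2^bits. Added Python example, not the course's code or [Juel99]'s; binding the puzzle to a per-connection nonce is this example's addition, so solutions cannot be precomputed.

```python
# Proof-of-work puzzle: find x < 2^bits with SHA-256(nonce || x) = target.
# Added example.
import hashlib
import os


def puzzle_hash(nonce: bytes, x: int) -> bytes:
    return hashlib.sha256(nonce + x.to_bytes(4, "big")).digest()


def make_puzzle(bits: int, rng=os.urandom) -> tuple:
    """Server side: draw a secret x < 2^bits, publish (nonce, hash of it).
    The server keeps (nonce, target) for this connection attempt only."""
    if not 1 <= bits <= 32:
        raise ValueError("bits must be in 1..32")
    nonce = rng(16)
    x = int.from_bytes(rng(4), "big") % (1 << bits)
    return nonce, puzzle_hash(nonce, x)


def solve_puzzle(nonce: bytes, target: bytes, bits: int):
    """Client side: brute force the space; about 2^(bits-1) hashes on average."""
    for x in range(1 << bits):
        if puzzle_hash(nonce, x) == target:
            return x
    return None


def check_solution(nonce: bytes, target: bytes, x: int, bits: int) -> bool:
    """Server side: a single hash, however long the client worked."""
    return 0 <= x < (1 << bits) and puzzle_hash(nonce, x) == target


if __name__ == "__main__":
    nonce, target = make_puzzle(16)        # 27 bits in the slide; 16 keeps the demo quick
    x = solve_puzzle(nonce, target, 16)
    print(x, check_solution(nonce, target, x, 16))
```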
Linux Netlter
Secure branch office connectivity over the Internet. Secure remote access over the Internet.
IPSec. . .
We will restrict ourselves to IPv4 with IPSec in tunnel mode. Transport the original datagram in its entirety inside another one.
Authentication Header
Provides support for data integrity and authentication.
Prevents address spoofing attacks. Guards against replay attacks.
The communicating parties must share a key. AH layout:
    Next hdr (8) | Header len (8) | Reserved (16)
    SPI (32)
    Sequence # (32)
    Authentication data/ICV (variable)
Authentication Header. . .
Authenticates its payload + immutable parts of the outer IP header.
Must support HMAC-MD5-96 & HMAC-SHA-1-96. Mutable fields are set to 0 when computing the ICV. The Authentication Data field is set to 0 when calculating the ICV. Problem for NAT.
Header len = header size in 32-bit chunks - 2. The sequence number is used to recognize replayed packets.
A new SA initializes it to 0. Anti-replay does not permit recycling past 2^32 - 1. The receiver should implement a window to check for replay.
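A receiver-side anti-replay window of the kind just described, with a sender counter that refuses to wrap past 2^32 - 1. Added Python example, not the course's code or any IPsec stack's; the window must only be updated after the ICV has verified, otherwise forged packets could slide it and drop legitimate ones.

```python
# AH/ESP anti-replay: sliding bitmap window on the receiver, non-wrapping
# counter on the sender.  Added example.

class AntiReplayWindow:
    """Tracks the highest accepted sequence number and a bitmap of the
    `size` numbers below it.  Call check_and_update() only after ICV success."""

    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("window must be at least 32 packets wide")
        self.size = size
        self.top = 0            # highest sequence number accepted so far
        self.bitmap = 0         # bit i set => sequence number (top - i) already seen

    def check_and_update(self, seq: int) -> bool:
        if seq <= 0 or seq > 2**32 - 1:
            return False                         # 0 is never sent; no wrap-around
        if seq > self.top:                       # new right edge: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                         # older than the window: drop
        if self.bitmap & (1 << diff):
            return False                         # already seen: replay
        self.bitmap |= 1 << diff
        return True


class SequenceCounter:
    """Sender side: strictly increasing; exhausting it means a new SA."""
    MAX = 2**32 - 1

    def __init__(self):
        self.value = 0

    def next(self) -> int:
        if self.value >= self.MAX:
            raise OverflowError("sequence number exhausted: establish a new SA")
        self.value += 1
        return self.value


def replay_demo(seqs: list, size: int = 64) -> list:
    """Accept/reject decisions for a constructed arrival order."""
    w = AntiReplayWindow(size)
    return [w.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    print(replay_demo([5, 3, 3, 5, 100, 36, 37, 100]))
    # [True, True, False, False, True, False, True, False]
```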
ESP trailer: Padding (0-255 bytes) | Pad length | Next header | Authentication data (variable/optional)
VPN
[Figure: tunnel between NUS 137.132.0.0/16 (137.132.1.1, 137.132.3.1) and home 218.186.0.0/16 (218.186.1.1).]
SSL record types: ChangeCipherSpec (20), Alert (21), Handshake (22), Application (23).
Handshake message types: HelloRequest (0), ClientHello (1), ServerHello (2), Certificate (11), ServerKeyExchange (12), CertificateRequest (13), ServerHelloDone (14), CertificateVerify (15), ClientKeyExchange (16), Finished (20); ChangeCipherSpec travels as its own record type.
Client Hello
From an Ethereal trace (SSLv2).
Length (2 bytes). Client Hello (1 byte) = 0x01. Version (2 bytes) = 0x0301, i.e., SSL 3.1. Cipher Spec Length (2 bytes). Session ID Length (2 bytes), probably = 0 for a new connection. Challenge Length (2 bytes), say = x. Cipher specs of 3 bytes each, so Cipher Spec Length / 3 of them. Challenge, x bytes.
Server Hello
Response is SSLv3. From server → client. SSLv3 record layer: Handshake.
Type (1 byte) = Handshake (22). Version (2 bytes) = 0x0301. Length (2 bytes).
Payload can carry multiple messages. Handshake Type (1 byte) = Server Hello (2). Length (3 bytes). Why 3? Can it be split across a record? Version (2 bytes) = 0x0301. Random time (4 bytes). Random bytes (28 bytes). Session Id Length (1 byte). Session Id (32 bytes).
Certificate S → C
Application data
SSLv3.1 record layer: Application data.
Type (1 byte) = Application data (23). Version (2 bytes) = 0x0301. Length (2 bytes), say = x. Payload is encrypted data of x bytes.
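The record layer and ServerHello layouts above, built and parsed back: a 5-byte record header, handshake messages with their 3-byte length, and an Application data record. Added Python example, not the course's code or a TLS library's; the cipher suite and compression fields after the session id are part of TLS 1.0 but not listed on the slide, and the "encrypted" application payload is just constructed bytes.

```python
# SSLv3/TLS 1.0 record and ServerHello framing.  Added example.
import os
import struct
import time

RECORD_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "Application"}
HANDSHAKE_TYPES = {0: "HelloRequest", 1: "ClientHello", 2: "ServerHello",
                   11: "Certificate", 12: "ServerKeyExchange", 13: "CertificateRequest",
                   14: "ServerHelloDone", 15: "CertificateVerify",
                   16: "ClientKeyExchange", 20: "Finished"}
TLS10 = 0x0301


def build_record(content_type: int, payload: bytes, version: int = TLS10) -> bytes:
    """Record header: type (1), version (2), length (2); the 2-byte length is
    why a handshake message may have to continue in the next record."""
    if len(payload) > 0xFFFF:
        raise ValueError("record payload does not fit a 2-byte length")
    return struct.pack("!BHH", content_type, version, len(payload)) + payload


def build_server_hello(session_id: bytes, cipher_suite: int = 0x002F,
                       gmt_unix_time: int = None, random_bytes: bytes = None) -> bytes:
    """Handshake message: type (1), length (3), then the ServerHello body."""
    gmt = int(time.time()) if gmt_unix_time is None else gmt_unix_time
    rnd = os.urandom(28) if random_bytes is None else random_bytes
    body = (struct.pack("!HI", TLS10, gmt) + rnd
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", cipher_suite) + b"\x00")      # compression: null
    return bytes([2]) + len(body).to_bytes(3, "big") + body


def parse_records(data: bytes) -> list:
    records, i = [], 0
    while i < len(data):
        if i + 5 > len(data):
            raise ValueError("truncated record header")
        ctype, version, length = struct.unpack("!BHH", data[i:i + 5])
        payload = data[i + 5:i + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record payload")
        records.append({"type": RECORD_TYPES.get(ctype, ctype),
                        "version": version, "payload": payload})
        i += 5 + length
    return records


def parse_handshake_messages(payload: bytes) -> list:
    """A record may carry several handshake messages back to back."""
    msgs, i = [], 0
    while i < len(payload):
        if i + 4 > len(payload):
            raise ValueError("truncated handshake header")
        htype = payload[i]
        length = int.from_bytes(payload[i + 1:i + 4], "big")
        body = payload[i + 4:i + 4 + length]
        if len(body) != length:
            raise ValueError("handshake message continues in the next record")
        msgs.append({"type": HANDSHAKE_TYPES.get(htype, htype), "body": body})
        i += 4 + length
    return msgs


def parse_server_hello(body: bytes) -> dict:
    version, gmt = struct.unpack("!HI", body[:6])
    sid_len = body[34]
    off = 35 + sid_len
    cipher_suite, = struct.unpack("!H", body[off:off + 2])
    return {"version": version, "gmt_unix_time": gmt, "random": body[6:34],
            "session_id": body[35:off], "cipher_suite": cipher_suite,
            "compression": body[off + 2]}


def demo_exchange(session_id: bytes) -> dict:
    """ServerHello record then an Application data record, parsed back."""
    stream = (build_record(22, build_server_hello(session_id))
              + build_record(23, b"\x00" * 48))          # constructed "ciphertext"
    recs = parse_records(stream)
    hello = parse_server_hello(parse_handshake_messages(recs[0]["payload"])[0]["body"])
    return {"records": [r["type"] for r in recs], "hello": hello,
            "app_len": len(recs[1]["payload"])}


if __name__ == "__main__":
    print(demo_exchange(os.urandom(32)))
```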
Certicates
A certificate binds a name to a key. From [Tho00, Appendix A.1]: Version, Serial Number, Algorithm Id, Issuer, Validity, Subject, Subject's Public Key, Issuer Unique Id (optional), Subject Unique Id (optional), Extensions (optional), Signature.
Certicate Authority
Root CA. Everyone has the root's certificate and trusts it. Trust flows from root → leaf. Is trust transitive?
[Figure: Root CA above CA1, CA2 and CA3.]
Getting a person's public key in order to communicate with them, say scott.mcnealy@sun.com? Use IBE.
JSSE SSLContext
[Figure: KeyManager[] and TrustManager[] are supplied to an SSLContext.]
javax.net.ssl.SSLContext. Used to create both client and server SSL sockets. SSLContext.getSocketFactory().createSocket(url, 443); SSLContext.getServerSocketFactory();
JSSE SSLContext...
SSLContext sc = SSLContext.getInstance("TLS"); sc.init(KeyManager[], TrustManager[], SecureRandom); KeyManagers are responsible for managing key material, for e.g., SunX509. TrustManagers manage the trust material that is used when making trust decisions, for e.g., SunX509.
JSSE Keystore
Represents a storage facility for cryptographic keys and certificates. Can be thought of as a hash table indexed by alias (a String), with the value being: a [private_key, certificate_chain] tuple of type KeyStore.PrivateKeyEntry; a trusted certificate of type KeyStore.TrustedCertificateEntry; others...
Or, use ssh -R 6001:localhost:6000 <R>. Tunnel set up when you ssh from L → R.
Tunnels in Tandem
Tunnel X clients running on C to display on A. (x) RemoteForward 17439 localhost:6000. (y) RemoteForward 6001 localhost:17439. On C: typeset -x DISPLAY=localhost:1.0.
Netfilter (hooks)
See the Netfilter howto. NF_IP_PRE_ROUTING [ip_input.c:ip_rcv()], NF_IP_LOCAL_IN [ip_input.c:ip_local_deliver], NF_IP_FORWARD [ip_forward.c:ip_forward()], NF_IP_LOCAL_OUT [ip_output.c:(various functions)], and NF_IP_POST_ROUTING [ip_output.c:(various functions)]. Attach packet filtering rules at NF_IP_LOCAL_IN (for input) & NF_IP_LOCAL_OUT (for output).
Netfilter callbacks
[Figure: packet path: outside → PRE_ROUTING → routing lookup → FORWARD → POST_ROUTING, or → LOCAL_IN → into box; locally generated packets: LOCAL_OUT → routing lookup → POST_ROUTING.]
Safe Programming
Borrowed heavily from a talk by Alec Muffett and Casper Dik in 1998
General Remarks
Security is not an add-on. Adding cryptography to a house of cards doesn't make it a castle. Security is orthogonal to functionality: functional testing will not usually reveal security problems. Better coding is essential. Secure programming is a mindset. Detect the unexpected. Abort sensibly if surprised. Test all return codes. Never trust your input. Random numbers: how random are they?
On Commenting Code
Comment complicated blocks with non obvious side effects. Document why certain privileges and permissions are needed. Why setuid root, why setgid sys? Why owned by bin, writable by group mail?
On Trusting Input
Command line arguments? Environment variables? File descriptor table? Umask? Resource limits? Signal state (mask, pending)? CWD? Taint perl.
Bounds Checking
Never use gets, strcat, strcpy, sprintf etc. Be aware of how these functions treat NUL.
Using Randomness
Be careful when generating session keys, nonces, etc. whose impact on security is substantial.
See man 2 access. Check-and-use are not atomic. Any consecutive references to a file by name. find /tmp -mtime +7 -print | xargs rm -f. Attacker creates /tmp/x/etc/passwd and quickly renames /tmp/x to /tmp/x2 and symlinks /tmp/x to /.
What if the url was something like http://www./bin/rm -rf / 2> /dev/nullcomp...?
Tamper Resistance The Old Fashioned Way. Make code books heavy. Print sensitive information in water soluble ink, on cellulose nitrate for rapid destruction. Susceptible to surprise and sudden capture.
Power and clock transients can be used to affect decoding and execution of instructions, e.g., reveal extra bytes (perhaps keys).
Administrivia
April 1, 2005
April 16th will be considered as extra class period.
Security problems with DNS. Rats and writing safer code. SSH tunneling. Vtuns. IPtables. Primes is in P. Steganography (Nasir's slides). Tamper resistance of Smart Cards. Pushback (for Congestion Control).
References
A complete list of references can be found here.
References
[Bar02] Thomas H. Barr. Invitation to Cryptology. Prentice Hall, 2002.
[BCK96a] Mihir Bellare, Ran Canetti, and Hugo Krawczyk. Keying hash functions for message authentication. Proceedings of Crypto, 1996. An expanded version is available at http://www-cse.ucsd.edu/users/mihir.
[BCK96b] Mihir Bellare, Ran Canetti, and Hugo Krawczyk. Message authentication using hash functions: the HMAC construction. Technical report, RSA Laboratories, 1996.
[Bla94] Matt Blaze. Protocol failure in the escrowed encryption standard. Proceedings of Second ACM Conference on Computer and Communications Security, November 1994.
[BM92] Steven M. Bellovin and Michael Merritt. Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks. In Proceedings of the Symposium on Research in Security and Privacy, Oakland, CA, May