Research Interests:
❍ Algorithm design and analysis
❍ Wireless networks
❍ Game theory
❍ Computational geometry
Contact Information
❍ Phone 312-567-5207
❍ Email: xli@cs.iit.edu
Office hours
❍ Monday 3:10PM – 4:10PM.
❍ Wednesday 3:10PM– 4:10PM.
❍ Or by appointment: email xli@cs.iit.edu, phone 312-567-5207
Textbook
❍ Cryptography and Network Security: Principles and Practice, by William Stallings, Prentice Hall
Introduction
Xiang-Yang Li
[Figure: model of network security: two principals exchange a message across a channel, each applying a security transformation, while an attacker sits on the channel.]
Cryptography and Network Security 19
Attacks, Services and Mechanisms
Security Attacks
❍ Any action that compromises the security of information
❍ Can be passive or active attacks
Security Services
❍ Services that prevent or detect such attacks
❍ Such as authentication, identification, encryption, signature, secret sharing and so on
Security mechanism
❍ The ways to provide such services
❍ Detect, prevent and recover from a security attack
[Figure: passive attack (wiretapping, eavesdropping) versus active attack (information intercepted and replaced).]
Message
❍ Is treated as a non-negative integer hereafter
Encipher: plaintext P to ciphertext C, C = E_K1(P)
Decipher: ciphertext C to plaintext P, P = D_K2(C)
Prime number
❍ p has only the positive divisors 1 and p
Relatively prime numbers
❍ p and q have no common divisor except 1
Euclid's algorithm
❍ Finds the GCD of two numbers a and b, a<b
❍ Uses the fact that if a and b have a common divisor d, so do a−b, a−2b, …:
$$d \mid a,\; d \mid b \;\Rightarrow\; d \mid ma + nb,\quad \text{in particular } d \mid a-b,\; d \mid a-2b,\; d \mid a-3b,\; \dots,\; d \mid a-qb$$
❍ g1 = a, g2 = b
❍ g_{i+1} = g_{i−1} mod g_i
❍ When g_i = 0, then gcd(a,b) = g_{i−1}
The algorithm terminates in O(log b) rounds
❍ Why?
❍ Every round, the total number of bits of a and b is decreased by at least one
❍ Assume the product of the step matrices is $M_n M_{n-1} \cdots M_1 = \begin{pmatrix} a & b \\ c & d \end{pmatrix}$
❍ Then a·x0 + b·y0 = gcd(x0, y0)
❍ The above algorithm keeps track of a, b, c, d and the x_i, y_i values.
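As an added example (not from the slides), the recurrence g_{i+1} = g_{i-1} mod g_i above, and the extended form that tracks the 2×2 coefficient matrix so that the final row gives x·a + y·b = gcd(a, b); the modular inverse built on it is what the later Hill and RSA material needs. Function names are this example's own.

```python
# Added example, not from the lecture slides: Euclid's recurrence, its
# extended (matrix-tracking) form, and the modular inverse derived from it.

def gcd_rounds(a: int, b: int):
    """Return (gcd, rounds): run g_{i+1} = g_{i-1} mod g_i until g_i = 0."""
    g_prev, g_cur = a, b              # g_1 = a, g_2 = b
    rounds = 0
    while g_cur != 0:
        g_prev, g_cur = g_cur, g_prev % g_cur
        rounds += 1
    return g_prev, rounds             # when g_i = 0, gcd = g_{i-1}


def extended_gcd(a: int, b: int):
    """Return (d, x, y) with d = gcd(a, b) and x*a + y*b = d.

    One division step g_prev = quot*g_cur + r is the matrix
    [[0, 1], [1, -quot]] applied to the pair (g_prev, g_cur).  The running
    product of these matrices is kept in (p, q, r, s), so at every step
    g_prev = p*a + q*b and g_cur = r*a + s*b.
    """
    p, q, r, s = 1, 0, 0, 1           # identity matrix: (a, b) = (1a+0b, 0a+1b)
    g_prev, g_cur = a, b
    while g_cur != 0:
        quot = g_prev // g_cur
        g_prev, g_cur = g_cur, g_prev - quot * g_cur
        p, q, r, s = r, s, p - quot * r, q - quot * s
    if g_prev < 0:                    # normalise sign for negative inputs
        g_prev, p, q = -g_prev, -p, -q
    return g_prev, p, q


def mod_inverse(a: int, n: int) -> int:
    """Inverse of a modulo n; exists only when gcd(a, n) = 1."""
    d, x, _ = extended_gcd(a, n)
    if d != 1:
        raise ValueError(f"{a} has no inverse mod {n} (gcd = {d})")
    return x % n


if __name__ == "__main__":
    print(gcd_rounds(240, 46))        # (2, 5)
    print(extended_gcd(240, 46))      # (2, -9, 47): -9*240 + 47*46 = 2
    print(mod_inverse(17, 26))        # 23, since 17*23 = 391 = 15*26 + 1
```

The round count is what the O(log b) bound on the slide refers to; `extended_gcd` is the matrix bookkeeping described in the last bullets, with (p, q, r, s) playing the role of a, b, c, d.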
Subtraction
❍ (a − b) mod n ≡ (a + (−b)) mod n
Multiplication
❍ a·b mod n
❍ Derived from repeated addition
❍ Possible: a·b ≡ 0 (mod n) where neither a nor b ≡ 0 (mod n)
Example: 2·3 = 0 mod 6
n = p × q
φ(n) = (p − 1)(q − 1)
Euler's theorem: if gcd(a, n) = 1 then a^{φ(n)} ≡ 1 (mod n)
Proof:
❍ Consider all reduced residues x_i in Z_n* = {x | 0 ≤ x < n, gcd(x, n) = 1}
❍ Then a·x_i, 1 ≤ i ≤ φ(n), also form a reduced residue set
❍ Using Π (a·x_i) ≡ Π x_i (mod n), since Z_n* and a·Z_n* are the same set
❍ We have a^{φ(n)} Π x_i ≡ Π x_i (mod n)
❍ Thus a^{φ(n)} ≡ 1 (mod n), using the fact that Π x_i has an inverse
Fermat's Little Theorem
Let p be a prime and gcd(a, p) = 1; then
❍ a^{p−1} mod p = 1
❍ Proof: similar to the proof of Euler's theorem
❍ But consider all integers in Z_p
Any improvement?
Classification of Testing Primes
The Quick Tests for Small Numbers and Probable
Primes
❍ Finding Very Small Primes --- trial division
❍ Fermat, Probable-Primality and Pseudoprimes
❍ Strong Probable-Primality and a Practical Test
The Classical Tests
❍ N-1 Tests (and Pepin's Test for Fermats)
❍ N+1 Tests (and the Lucas-Lehmer Test for Mersennes)
❍ A Combined Test -- and more
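As an added example (not from the slides), the three quick tests listed above written out and run on the same numbers, so the difference between them is visible: trial division is exact but slow, Fermat's test is fooled by the Carmichael number 561 for every base coprime to it, and the strong probable-prime test is not. Function names are this example's own.

```python
# Added example, not from the lecture slides: trial division, the Fermat
# probable-prime test and the strong (Miller-Rabin) probable-prime test.

def trial_division(n: int) -> bool:
    """Exact test for very small n: try every divisor up to sqrt(n)."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def fermat_probable_prime(n: int, bases) -> bool:
    """n passes for base a if a^(n-1) = 1 mod n.  Composites that pass are
    pseudoprimes to that base; Carmichael numbers pass for every base
    coprime to n, so Fermat's test alone is never enough."""
    if n < 2:
        return False
    for a in bases:
        if a % n == 0:               # base shares everything with n: skip it
            continue
        if pow(a, n - 1, n) != 1:
            return False
    return True


def strong_probable_prime(n: int, a: int) -> bool:
    """Strong test for one base a.  Write n-1 = 2^s * d with d odd; n passes
    if a^d = 1 or a^(2^r * d) = -1 for some 0 <= r < s.  This also uses the
    fact that 1 has only the square roots +1 and -1 modulo a prime."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False


def is_probable_prime(n: int, bases=(2, 3, 5, 7)) -> bool:
    """Practical test: strong probable prime to every listed base below n."""
    if n < 2:
        return False
    return all(strong_probable_prime(n, a) for a in bases if a < n)


if __name__ == "__main__":
    n = 561                                       # 3 * 11 * 17, a Carmichael number
    print(trial_division(n))                      # False
    print(fermat_probable_prime(n, [2, 5, 7]))    # True: Fermat's test is fooled
    print(strong_probable_prime(n, 2))            # False: the strong test is not
```

For numbers below 2000 the strong test with the four small bases agrees with trial division on every input, which is the kind of cross-check worth running before trusting a transcribed primality routine.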
Conventional Methods
Xiang-Yang Li
[Figure: model of conventional encryption: plaintext, ciphertext, key source.]
Double Letter
❍ TH,HE,IN,ER,RE,ON,AN,EN,….
Triple Letter
❍ THE,AND,TIO,ATI,FOR,THA,TER,RES,…
Playfair square for key "simple":
s i/j m p l
e a b c d
f g h k n
o q r t u
v w x y z
Decryption
❍ P = K^{−1} C mod 26
❍ Thus, we can decrypt iff gcd(det(K), 26) = 1.
The inverse is computed through the adjugate (the transposed matrix of cofactors):
$$K^{-1} = \frac{1}{\det K}
\begin{pmatrix}
(-1)^{1+1}\det K_{1,1} & \cdots & (-1)^{n+1}\det K_{n,1} \\
\vdots & \ddots & \vdots \\
(-1)^{1+n}\det K_{1,n} & \cdots & (-1)^{2n}\det K_{n,n}
\end{pmatrix}$$
where K_{i,j} is the (n−1)×(n−1) matrix obtained from K by deleting row i and column j:
$$K_{i,j} = \begin{pmatrix}
k_{1,1} & \cdots & k_{1,j-1} & k_{1,j+1} & \cdots & k_{1,n} \\
\vdots & & \vdots & \vdots & & \vdots \\
k_{i-1,1} & \cdots & k_{i-1,j-1} & k_{i-1,j+1} & \cdots & k_{i-1,n} \\
k_{i+1,1} & \cdots & k_{i+1,j-1} & k_{i+1,j+1} & \cdots & k_{i+1,n} \\
\vdots & & \vdots & \vdots & & \vdots \\
k_{n,1} & \cdots & k_{n,j-1} & k_{n,j+1} & \cdots & k_{n,n}
\end{pmatrix}$$
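As an added example (not from the slides), a Hill cipher over the 26-letter alphabet whose decryption computes K^{-1} exactly as above, via the adjugate and the minors K_{i,j}, and refuses keys with gcd(det K, 26) ≠ 1. The 2×2 key and the sample text are constructed for the demonstration; function names are this example's own.

```python
# Added example, not from the lecture slides: Hill cipher with the adjugate
# inverse and the gcd(det K, 26) = 1 decryption condition.
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
MOD = 26


def minor(m, i, j):
    """K_{i,j}: the matrix m with row i and column j removed (0-indexed)."""
    return [row[:j] + row[j + 1:] for r, row in enumerate(m) if r != i]


def det_mod(m, n):
    """Determinant mod n by cofactor expansion along the first row
    (fine for the small key sizes a Hill cipher uses)."""
    if len(m) == 1:
        return m[0][0] % n
    return sum((-1) ** j * m[0][j] * det_mod(minor(m, 0, j), n)
               for j in range(len(m))) % n


def inverse_mod(k, n):
    """K^{-1} mod n via the adjugate: (K^{-1})_{i,j} = (-1)^{i+j} det(K_{j,i}) / det K.
    It exists only when gcd(det K, n) = 1, which is the decryption condition."""
    d = det_mod(k, n)
    if gcd(d, n) != 1:
        raise ValueError(f"det K = {d} is not invertible mod {n}")
    d_inv = pow(d, -1, n)
    size = len(k)
    return [[(-1) ** (i + j) * det_mod(minor(k, j, i), n) * d_inv % n
             for j in range(size)] for i in range(size)]


def _apply(key, text):
    """Multiply each block of letters (as a column vector) by the key mod 26."""
    size = len(key)
    nums = [ALPHABET.index(c) for c in text.upper() if c in ALPHABET]
    nums += [ALPHABET.index("X")] * (-len(nums) % size)   # pad the last block
    out = []
    for start in range(0, len(nums), size):
        block = nums[start:start + size]
        out += [sum(key[r][c] * block[c] for c in range(size)) % MOD
                for r in range(size)]
    return "".join(ALPHABET[v] for v in out)


def hill_encrypt(plaintext, key):
    return _apply(key, plaintext)


def hill_decrypt(ciphertext, key):
    return _apply(inverse_mod(key, MOD), ciphertext)


if __name__ == "__main__":
    K = [[3, 3], [2, 5]]                  # constructed key: det = 9, gcd(9, 26) = 1
    print(inverse_mod(K, MOD))            # [[15, 17], [20, 9]]
    print(hill_encrypt("HELP", K))        # HIAT
    print(hill_decrypt("HIAT", K))        # HELP
```

A key such as [[1, 2], [3, 4]] has det ≡ 24 (mod 26) and gcd(24, 26) = 2, so `inverse_mod` raises: exactly the "iff" on the slide.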
[Figure: rotor machines in Japanese commercial and German military use.]
Enigma Machine
Enigma encryption for two consecutive letters: current is passed into the set of rotors, around the reflector, and back out through the rotors again.
Letter A encrypts differently with consecutive key presses, first to G and then to C. This is because the right-hand rotor has stepped, sending the signal on a completely different route.
Decryption
❍ P = C ⊕ K
Claude Shannon's work can be interpreted as showing
❍ that any information-theoretically secure cipher will be effectively equivalent to the one-time pad algorithm. Hence one-time pads offer the best possible mathematical security of any encryption scheme, anywhere and anytime.
One-time pad (cont.)
Drawbacks
❍ It requires secure exchange of the one-time pad material, which must be as long as the message
❍ The pad must be disposed of correctly and never reused
In practice
❍ Generate a large number of random bits,
❍ Exchange the key material securely between the users before sending a one-time enciphered message,
❍ Keep both copies of the key material for each message securely until they are used, and
❍ Securely dispose of the key material after use, thereby ensuring the key material is never reused.
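As an added example (not from the slides), a byte-level one-time pad with the encrypt and decrypt operation P ⊕ K, together with the check that shows why the "never reused" rule above is not optional: an observer of two ciphertexts made with the same pad can compute c1 ⊕ c2 = p1 ⊕ p2 without the key, and every zero byte in that result tells them where the two messages agree. The plaintexts and the fixed pad are constructed for the demonstration; function names are this example's own.

```python
# Added example, not from the lecture slides: one-time pad over bytes and
# the information that leaks when a pad is reused.
import secrets


def fresh_pad(length: int) -> bytes:
    """A new pad: as many truly random bytes as the message, used once."""
    return secrets.token_bytes(length)


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """C = P xor K and P = C xor K are the same operation."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, pad))


def two_time_pad_residue(c1: bytes, c2: bytes) -> bytes:
    """What an observer holding two ciphertexts under one pad can compute
    with no key at all: c1 xor c2 = (p1 xor K) xor (p2 xor K) = p1 xor p2."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def positions_known_equal(c1: bytes, c2: bytes):
    """Indices where the residue is zero, i.e. where the two plaintexts are
    known to carry the same byte: structure leaked purely by pad reuse."""
    return [i for i, v in enumerate(two_time_pad_residue(c1, c2)) if v == 0]


if __name__ == "__main__":
    p1, p2 = b"ATTACK AT DAWN", b"ATTACK AT DUSK"    # constructed messages
    pad = fresh_pad(len(p1))
    c1, c2 = otp_xor(p1, pad), otp_xor(p2, pad)      # the pad is reused: wrong
    print(otp_xor(c1, pad) == p1)                     # True: decryption works
    print(positions_known_equal(c1, c2))              # [0, 1, ..., 10]
```

Used once with a random pad, the scheme is unconditionally secure, as the stream-cipher slide states; the leak above is entirely a consequence of the second use.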
Examples
❍ A well-known stream cipher is RC4;
❍ others include: A5/1, A5/2, Chameleon, FISH, Helix, ISAAC, Panama, Pike, SEAL, SOBER, SOBER-128 and WAKE.
Usage
❍ Stream ciphers are used in applications where plaintext comes in quantities of unknowable length, for example a secure wireless connection
Simplest Stream Cipher
[Figure: plaintext XORed with the key stream gives the ciphertext; the same key is applied at both ends.]
Strength
❍ Is unconditionally secure provided the key is truly random
Block Ciphers
Xiang-Yang Li
DES final permutation IP^{-1} (output bit k is input bit shown at position k):
40 8 48 16 56 24 64 32
39 7 47 15 55 23 63 31
38 6 46 14 54 22 62 30
37 5 45 13 53 21 61 29
36 4 44 12 52 20 60 28
35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26
33 1 41 9 49 17 57 25
Expansion E (32 bits to 48 bits):
32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1
S-box S1 (rows 0–3, columns 0–15):
14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
Permutation P (32 bits):
16 7 20 21
29 12 28 17
1 15 23 26
5 18 31 10
2 8 24 14
32 27 3 9
19 13 30 6
22 11 4 25
Permuted choice 1, PC-1 (64-bit key to 56 bits, parity bits dropped):
57 49 41 33 25 17 9
1 58 50 42 34 26 18
10 2 59 51 43 35 27
19 11 3 60 52 44 36
63 55 47 39 31 23 15
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4
Permuted choice 2, PC-2 (56 bits to the 48-bit round key):
14 17 11 24 1 5
3 28 15 6 21 10
23 19 12 4 26 8
16 7 27 20 13 2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32
Applications
❍ ATM transactions (encrypting the PIN and so on)
Key stream generation
❍ O_i = DES_K1(O_{i−1})
❍ O_{−1} = IV (initial value)
Semi-weak keys
❍ Only two sub-keys are generated on alternate rounds
❍ DES has 12 of these (in 6 pairs)
1998: The EFF's US$250,000 DES cracking machine contained 1,536 custom chips and could brute-force a DES key in a matter of days. The photo shows a DES Cracker circuit board fitted with several Deep Crack chips.
The COPACOBANA machine, built for US$10,000 by the Universities of Bochum and Kiel, contains 120 low-cost FPGAs and can perform an exhaustive key search on DES in 9 days on average. The photo shows the backplane of the machine with the FPGAs.
❍ P = D_k1(D_k2(C))
It is proved that there is no key k3 such that
❍ C = E_k2(E_k1(P)) = E_k3(P)
But it is vulnerable to a meet-in-the-middle attack
❍ Each round
  The sub-blocks are added (2,3) or multiplied (1,4) with sub-keys
  The results are XORed [1,3] and [2,4] into 2 sub-blocks
  The XOR results are the input of the MA structure, which outputs two sub-blocks
  The results are then XORed with sub-blocks 2,4 and 1,3 respectively
  The second and third sub-blocks are swapped
❍ Finally new sub-keys are combined with the sub-blocks
Decryption
❍ Much more complicated
❍ It needs the inverse of the encryption key for addition and multiplication
Lab #1
Addition of polynomials over GF(2) (terms that appear twice cancel):
$$\begin{aligned}
&\;(x^{13} + x^{11} + x^{9} + x^{8} + x^{7} + x^{5} + x^{3} + x^{2} + x) + (x^{7} + x^{6} + x^{4} + x^{2} + x + 1) \\
&= x^{13} + x^{11} + x^{9} + x^{8} + x^{6} + x^{5} + x^{4} + x^{3} + 1
\end{aligned}$$
The pairs x^7 + x^7, x^2 + x^2 and x + x cancel.
Irreducible Polynomial
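As an added example (not from the slides), GF(2) polynomial arithmetic with the polynomials held as bit masks: addition is XOR (which reproduces the cancellation shown above), multiplication is carry-less, and reduction modulo the irreducible polynomial x^8 + x^4 + x^3 + x + 1 gives the GF(2^8) multiplication AES uses in MixColumns. Function names are this example's own.

```python
# Added example, not from the lecture slides: GF(2)[x] arithmetic on bit
# masks and reduction modulo the AES irreducible polynomial.
AES_MODULUS = 0x11B   # x^8 + x^4 + x^3 + x + 1


def poly(*exponents):
    """Build a polynomial from its exponents: poly(3, 1, 0) = x^3 + x + 1."""
    p = 0
    for e in exponents:
        p ^= 1 << e            # adding x^e twice cancels it, as in GF(2)
    return p


def terms(p):
    """Exponents present in p, highest first."""
    return [i for i in range(p.bit_length() - 1, -1, -1) if (p >> i) & 1]


def gf2_add(a, b):
    """Coefficient-wise addition mod 2 is XOR."""
    return a ^ b


def gf2_mul(a, b):
    """Carry-less (shift-and-XOR) multiplication, no reduction."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result


def gf2_mod(a, m):
    """Remainder of a divided by m: cancel the leading term until deg a < deg m."""
    while a and a.bit_length() >= m.bit_length():
        a ^= m << (a.bit_length() - m.bit_length())
    return a


def gf256_mul(a, b):
    """Multiplication in GF(2^8) as AES defines it."""
    return gf2_mod(gf2_mul(a, b), AES_MODULUS)


if __name__ == "__main__":
    left = poly(13, 11, 9, 8, 7, 5, 3, 2, 1)
    right = poly(7, 6, 4, 2, 1, 0)
    print(terms(gf2_add(left, right)))   # [13, 11, 9, 8, 6, 5, 4, 3, 0]
    print(hex(gf256_mul(0x57, 0x83)))    # 0xc1 (the FIPS-197 worked example)
    print(hex(gf256_mul(0x80, 0x02)))    # 0x1b: multiplying by x wraps through the modulus
```

The last line is the `xtime` step: x · x^7 = x^8, which is outside GF(2^8) until the modulus x^8 + x^4 + x^3 + x + 1 is subtracted, leaving x^4 + x^3 + x + 1 = 0x1B.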
Input block to state mapping (input byte r + 4c goes to S_{r,c}):
Input bytes: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
0 4 8 12 → S0,0 S0,1 S0,2 S0,3
1 5 9 13 → S1,0 S1,1 S1,2 S1,3
2 6 10 14 → S2,0 S2,1 S2,2 S2,3
3 7 11 15 → S3,0 S3,1 S3,2 S3,3
[Figure: a round on the state: the column S0,1 S1,1 S2,1 S3,1 of S is transformed into S'0,1 S'1,1 S'2,1 S'3,1 of S', which is then XORed with the round key to give R0,1 R1,1 R2,1 R3,1 of R.]
SubBytes
Replace each byte in the state array with
its corresponding value from the S-Box
Example state (hex bytes):
00 44 88 CC
11 55 99 DD
22 66 AA EE
33 77 BB FF
Cipher skeleton:
  state = in
  out = state
Final steps of the inverse cipher:
  state = in
  InvShiftRows(state)
  InvSubBytes(state)
  AddRoundKey(state, keySchedule[0, Nb−1])
  out = state
Round structure:
Encryption  | Decryption
AddRoundKey | AddRoundKey
SubBytes    | InvShiftRows
ShiftRows   | InvSubBytes
MixColumns  | AddRoundKey
AddRoundKey | InvMixColumns
SubBytes    | InvShiftRows
ShiftRows   | InvSubBytes
AddRoundKey | AddRoundKey
Computationally infeasible
❍ To compute the private key from the public key
❍ To recover the plaintext from the ciphertext and the public key
Easy
❍ The problem can be solved in polynomial time
Infeasible
❍ The effort to solve it grows faster than polynomial time
❍ For example: 2^n
❍ Infeasibility is required for all inputs, not just the worst case
Algorithm:
❍ Encryption: C = M^e mod n
❍ Decryption: M = C^d mod n
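As an added example (not from the slides), textbook RSA with the two operations above, key generation from two primes with the gcd(e, φ(n)) = 1 check, and one consequence of using the primitive raw that the later signature slides allude to: with no randomization, every message has exactly one ciphertext, so anyone holding the public key can confirm a guessed plaintext. The primes and messages are constructed for the demonstration; function names are this example's own.

```python
# Added example, not from the lecture slides: textbook RSA and why it is
# used with randomized padding in practice.
from math import gcd


def rsa_keygen(p: int, q: int, e: int):
    """Public key (n, e) and private key (n, d) from primes p, q."""
    n = p * q
    phi = (p - 1) * (q - 1)            # phi(n) = (p - 1)(q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)                # e * d = 1 mod phi(n)
    return (n, e), (n, d)


def rsa_encrypt(pub, m: int) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)                # C = M^e mod n


def rsa_decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)                # M = C^d mod n


def confirm_guess(pub, c: int, candidates):
    """Textbook RSA is deterministic: re-encrypting a guess and comparing it
    with the observed ciphertext tells whether the guess was right.  This is
    why real deployments add randomized padding (OAEP for encryption, PSS
    for signatures) instead of applying the primitive directly."""
    for m in candidates:
        if rsa_encrypt(pub, m) == c:
            return m
    return None


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53, 17)      # constructed toy primes: n = 3233
    c = rsa_encrypt(pub, 65)
    print(c, rsa_decrypt(priv, c))          # 2790 65
    print(confirm_guess(pub, c, range(100)))  # 65: a small message space gives it away
```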
Elgamal Cryptosystem
❍ Expansion of the plaintext (double)
Knapsack System
❍ Already broken
❍ Encryption
  Ciphertext C = E(x1, x2, …, xn) = Σ x_i t_i mod p
❍ Decryption
  Solve the subset sum problem (s, a^{−1} C mod p)
Key agreement
❍ Protocol by which two parties jointly establish a secret key over a public communication channel
❍ The key is a function of the inputs of the two users
❍ Here a_{i,j} = a_{j,i}
Scheme
❍ Assume a prime number p (public) and an integer c (public)
❍ Each user u has a secret component a_u
Scheme
❍ Assume a prime number p (public) and an integer c (public)
❍ Each user u chooses a secret component a_u (new!)
[Figure: users u, v and w exchange the public values c^{a_u}, c^{a_u'}, c^{a_v}, c^{a_v'}.]
Authentication
Xiang-Yang Li
Mechanisms
❍ MAC: message authentication code
❍ Hash functions, security in hash functions
❍ Hash and MAC algorithms
MD5, SHA, RIPEMD-160, HMAC
Digital signatures
Protocol: Alice says "I am Alice"
❍ Failure scenario? In a network, Bob can not "see" Alice, so Trudy simply declares herself to be Alice
Protocol: Alice says "I am Alice" in an IP packet containing her source IP address
❍ Failure scenario?
Protocol: Alice says "I'm Alice" and sends her IP address and password; Bob replies OK
❍ Playback attack: Trudy records Alice's packet and later plays it back to Bob
Protocol: Alice says "I'm Alice" and sends her IP address and encrypted password; Bob replies OK
❍ Record and playback still works!
Protocol (ap4.0): Alice says "I'm Alice"; Bob sends a nonce R; Alice returns K_{A-B}(R)
❍ Alice is live, and only Alice knows the key to encrypt the nonce, so it must be Alice!
❍ Drawbacks?
Authentication: ap5.0
ap4.0 requires shared symmetric key
can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography
Protocol: Alice: "I am Alice"; Bob: R; Alice: K_A^−(R); Bob: "send me your public key"; Alice: K_A^+
❍ Bob computes K_A^+(K_A^−(R)) = R and knows that only Alice could have the private key that encrypted R such that K_A^+(K_A^−(R)) = R
Man-in-the-middle on ap5.0 (Trudy sits between Alice and Bob):
❍ Alice → Trudy: "I am Alice"; Trudy → Bob: "I am Alice"
❍ Bob → Trudy: R; Trudy → Bob: K_T^−(R); Trudy → Alice: R; Alice → Trudy: K_A^−(R)
❍ Bob → Trudy: "Send me your public key"; Trudy → Bob: K_T^+; Trudy → Alice: "Send me your public key"; Alice → Trudy: K_A^+
❍ Bob → Trudy: K_T^+(m); Trudy gets m = K_T^−(K_T^+(m)), then sends m to Alice encrypted with Alice's public key, K_A^+(m); Alice computes m = K_A^−(K_A^+(m))
ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as
Alice (to Bob) and as Bob (to Alice)
Difficult to detect:
Bob receives everything that Alice sends, and vice
versa. (e.g., so Bob, Alice can meet one week later and
recall conversation)
problem is that Trudy receives all messages as well!
For authentication
❍ Encrypt using sender’s private key
❍ Assume the message is intelligible
❍ No confidentiality: everyone can decrypt
Requirements of MAC
❍ Size of MAC: n
❍ Size of key: k
❍ KDC → A: E_Ka(Ks | ID_B | N_a | E_Kb(Ks | ID_A))
❍ A → B: E_Kb(Ks | ID_A)
❍ B → A: E_Ks(N_b)
❍ A → B: E_Ks(f(N_b))
If Ks is compromised
❍ Vulnerable to replay attack
❍ Attacker can replay step 3
❍ Unless B remembers all previous session keys with A,
it can not tell that it is a replay!
❍ KDC → A: E_Ka(Ks | ID_B | T | E_Kb(Ks | ID_A | T))
❍ A → B: E_Kb(Ks | ID_A | T)
❍ B → A: E_Ks(N_b)
❍ A → B: E_Ks(f(N_b))
Here T is timestamp assures the freshness
of the key Ks
❍ Rely on synchronized clock
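As an added example (not from the slides), a simulation of B's side of the A → B step in the two protocols above: B decrypts the ticket E_Kb(Ks | ID_A | T) and, in the timestamped version, accepts it only if T is within a window of its own clock. The same function with the timestamp check switched off reproduces the replay problem of the first version, where B cannot tell an old ticket from a new one. The cipher used here is a constructed stand-in for E_K (a SHA-256 keystream with an HMAC tag, enough for the simulation and nothing more), and the keys and identities are constructed; function names are this example's own.

```python
# Added example, not from the lecture slides: freshness check on the
# forwarded KDC ticket, with and without the timestamp.
import hashlib
import hmac
import json
import os


def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key, plaintext, nonce=None):
    """Constructed stand-in for E_K(.): keystream XOR plus an HMAC tag.
    Only for this simulation; not a real cipher."""
    nonce = os.urandom(8) if nonce is None else nonce
    stream = _keystream(key, nonce, len(plaintext))
    body = nonce + bytes(p ^ k for p, k in zip(plaintext, stream))
    return body + hmac.new(key, body, hashlib.sha256).digest()


def toy_decrypt(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("message was not produced under this key")
    nonce, ct = body[:8], body[8:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def kdc_ticket(kb, ks, id_a, t):
    """The part of the KDC reply that A forwards to B: E_Kb(Ks | ID_A | T)."""
    fields = {"ks": ks.hex(), "ida": id_a, "t": t}
    return toy_encrypt(kb, json.dumps(fields).encode())


def b_accepts_ticket(kb, ticket, now, window, check_timestamp=True):
    """B's handling of A -> B.  Returns Ks if the ticket is genuine (and
    fresh, when the timestamp check is on), otherwise None.  With the check
    off, B would need to remember every past Ks to notice a replay."""
    try:
        fields = json.loads(toy_decrypt(kb, ticket))
    except ValueError:
        return None
    if check_timestamp and abs(now - fields["t"]) > window:
        return None
    return bytes.fromhex(fields["ks"])


if __name__ == "__main__":
    kb = b"constructed-long-term-key-of-B"     # shared between B and the KDC
    ks = os.urandom(16)                        # session key chosen by the KDC
    t0 = 1_000_000                             # KDC clock when the ticket was issued
    ticket = kdc_ticket(kb, ks, "A", t0)
    print(b_accepts_ticket(kb, ticket, now=t0 + 5, window=60) == ks)           # True
    print(b_accepts_ticket(kb, ticket, now=t0 + 3600, window=60))             # None: stale
    print(b_accepts_ticket(kb, ticket, now=t0 + 3600, window=60,
                           check_timestamp=False) == ks)                      # True: replay accepted
```

The window is where the "rely on synchronized clock" bullet bites: it must be wide enough for honest clock drift and narrow enough that a recorded ticket is useless soon after.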
❍ KDC → A: E_KRau(ID_B | KU_b)
❍ A → B: E_KUb(N_a | ID_A)
❍ B → KDC: ID_B | ID_A | E_KUau(N_a)
❍ KDC → B: E_KRau(ID_A | KU_a) | E_KUb(E_KRau(N_a | Ks | ID_A | ID_B))
❍ B → A: E_KUa(E_KRau(N_a | Ks | ID_A | ID_B) | N_b)
❍ A → B: E_Ks(N_b)
countermeasures include
❍ use of sequence numbers (generally impractical)
❍ timestamps (needs synchronized clocks)
❍ challenge/response (using unique nonce)
Hash Algorithms
Xiang-Yang Li
Digital Signature
Xiang-Yang Li
RSA-PSS
❍ Use some more randomization to enhance security
❍ It was added in version 2.1 of PKCS #1 (see RFC 3447).
❍ Primitive element g in Z_p
Verifying
❍ Computes v1 = g^{H(M)} mod p
❍ Computes v2 = y^r r^s mod p
❍ Test if v1 = v2
DSA
❍ Based on the difficulty of discrete logarithm
❍ Based on Elgamal and Schnorr system
Verifying
❍ Computes w = s^{−1} mod q, u1 = H(M)·w mod q
❍ Computes u2 = r·w mod q, v = (g^{u1} y^{u2} mod p) mod q
❍ Test if v=r
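As an added example (not from the slides), DSA signing and the verification steps listed above, w = s^{-1} mod q, u1 = H(M)·w, u2 = r·w, v = (g^{u1} y^{u2} mod p) mod q, over constructed toy parameters (p = 23, q = 11, g = 4 of order q) that are far too small for real use but let every value be checked by hand. The verifier also applies the range check 0 < r, s < q that the slide's test presupposes. Function names are this example's own.

```python
# Added example, not from the lecture slides: DSA with toy parameters.
import hashlib
import secrets

# Constructed toy parameters: q divides p - 1, and g = 2^((p-1)/q) mod p = 4
# has order q (4^11 = 1 mod 23).  Real DSA uses 2048/3072-bit p, 224/256-bit q.
P, Q, G = 23, 11, 4


def dsa_keygen(x=None):
    """Private x in [1, q-1] (given here only for reproducible demos), y = g^x mod p."""
    x = x if x is not None else 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)


def digest(message: bytes) -> int:
    """H(M) reduced mod q, as DSA uses it."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % Q


def dsa_sign_digest(x, h, k=None):
    """Sign hash value h with private key x.  k must be secret, unpredictable
    and fresh for every signature; a zero r or s is retried."""
    while True:
        kk = k if k is not None else 1 + secrets.randbelow(Q - 1)
        r = pow(G, kk, P) % Q
        s = pow(kk, -1, Q) * (h + x * r) % Q
        if r != 0 and s != 0:
            return r, s
        if k is not None:
            raise ValueError("given k yields r = 0 or s = 0")


def dsa_verify_digest(y, h, sig):
    """The slide's verification: w, u1, u2, v, then test v = r."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):       # reject out-of-range values first
        return False
    w = pow(s, -1, Q)
    u1 = h * w % Q
    u2 = r * w % Q
    v = (pow(G, u1, P) * pow(y, u2, P) % P) % Q
    return v == r


def dsa_sign(x, message: bytes):
    return dsa_sign_digest(x, digest(message))


def dsa_verify(y, message: bytes, sig):
    return dsa_verify_digest(y, digest(message), sig)


if __name__ == "__main__":
    x, y = dsa_keygen(3)                    # y = 4^3 mod 23 = 18
    print(dsa_sign_digest(x, 5, k=7))       # (8, 1)
    print(dsa_verify_digest(y, 5, (8, 1)))  # True
    print(dsa_verify_digest(y, 6, (8, 1)))  # False: hash of a different message
```

With h = 5, k = 7: r = (4^7 mod 23) mod 11 = 8 mod 11 = 8 and s = 7^{-1}(5 + 3·8) mod 11 = 8·29 mod 11 = 1; verification gives u1 = 5, u2 = 8 and v = (4^5 · 18^8 mod 23) mod 11 = 8 = r. The signature depends on r and on H(M) through u1, which is why the same (r, s) fails on any message with a different hash.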
Deterministic signatures
❍ For each message, one valid signature exists
❍ RSA
Certificate
Xiang-Yang Li
Serial Number
❍ Distinguishes it from the other certificates the issuer issues. This information is used in numerous ways, for example when a certificate is revoked its serial number is placed in a Certificate Revocation List (CRL).
Signature Algorithm Identifier
❍ This identifies the algorithm used by the CA to sign the
certificate.
Issuer Name
❍ The X.500 name of the entity that signed the certificate. This is normally a CA. Using this certificate implies trusting the entity that signed this certificate. For root or top-level CA certificates, the issuer signs its own certificate.
cont
Validity Period
❍ This period is described by a start date and time and an end
date and time, and can be as short as a few seconds or
almost as long as a century. It depends on a number of
factors, such as the strength of the private key used to sign
the certificate or the amount one is willing to pay for a
certificate. This is the expected period that entities can
rely on the public value, if the associated private key has not
been compromised.
Subject Name
❍ The name of the entity whose public key the certificate
identifies. This name uses the X.500 standard, so it is
intended to be unique across the Internet.
Subject Public Key Information
❍ together with an algorithm identifier
Identification
Xiang-Yang Li
Tradeoff between
❍ false rejection (type I error)
❍ false acceptance (type II error)
Secret Sharing
Xiang-Yang Li
Schemes
❍ Shamir’s scheme
❍ Geometric techniques
❍ Matroid theory
❍ D computes the value y_t = K − Σ y_j mod n
❍ D distributes y_i to person p_i for all i
It is secure and easy
❍ Number n can be any number
❍ Easy to recover the key
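As an added example (not from the slides), both schemes named above: the additive n-of-n scheme of the dealer D (random shares, last share K − Σ y_j mod n) and Shamir's (t, n) threshold scheme, with recovery by Lagrange interpolation at x = 0 over a prime field. The modulus, secret and polynomial coefficients are constructed for the demonstration; function names are this example's own.

```python
# Added example, not from the lecture slides: additive (n-of-n) secret
# sharing and Shamir's (t, n) threshold scheme.
import secrets

PRIME = 2 ** 61 - 1     # field for Shamir's scheme (a Mersenne prime; any prime > secret works)


def additive_split(k, n, modulus):
    """The dealer's scheme on the slide: n-1 random shares, then
    y_n = K - sum(y_j) mod modulus.  Any n-1 shares are uniformly random
    and so carry no information about K."""
    shares = [secrets.randbelow(modulus) for _ in range(n - 1)]
    return shares + [(k - sum(shares)) % modulus]


def additive_recover(shares, modulus):
    return sum(shares) % modulus


def shamir_split(secret, t, n, coeffs=None):
    """(t, n) scheme: a random polynomial f of degree t-1 with f(0) = secret;
    share i is (i, f(i)).  coeffs may be given to make a demo reproducible."""
    if coeffs is None:
        coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(t - 1)]
    return [(i, sum(c * pow(i, e, PRIME) for e, c in enumerate(coeffs)) % PRIME)
            for i in range(1, n + 1)]


def shamir_recover(shares):
    """Lagrange interpolation at x = 0: any t correct shares give f(0);
    fewer than t determine a different polynomial, not the secret."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * xj % PRIME
                den = den * (xj - xi) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


if __name__ == "__main__":
    parts = additive_split(42, 4, 1000)                 # constructed: K = 42, n = 1000
    print(additive_recover(parts, 1000))                # 42
    shares = shamir_split(1234, 3, 5, coeffs=[1234, 5, 7])   # constructed f(x) = 1234 + 5x + 7x^2
    print(shamir_recover(shares[:3]))                   # 1234
    print(shamir_recover([shares[1], shares[3], shares[4]]))  # 1234: any 3 of the 5
    print(shamir_recover(shares[:2]))                   # 1220: two shares are not enough
```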
[Figure: dealer's circuit for sharing k among p1, p2, p3, p4 with AND (∧) and OR (∨) gates; wire values c1, k−c1, a1, a2, k−a1−a2, b1, b2, k−b1−b2.]
Cont.
Distribution
❍ (a1,b1) to p1
❍ (a2,c1) to p2
❍ (k-c1,b2) to p3
❍ (k-a1-a2,k-b1-b2) to p4
The shareholders need to know
❍ The circuit used by dealer
❍ Which shares corresponding to which wires
The shared value is secret
Question
❍ Is there a bijection f from V1 to V2, so (u,v)∈E1 implies
that (f(u),f(v))∈E2
❍ If such bijection exists, then graphs G1 and G2 are said
to be isomorphic
❍ If such bijection does not exist, then graphs G1 and G2
are said to be non-isomorphic
Assumption
❍ Prover has unbounded computational power
❍ Verifier has limited computational power
Properties
❍ Concealing: verifier cannot detect b from f(x,b)
❍ Binding: sender can open the blob by revealing x
❍ Hence, the sender must use random x to mask b
Pseudo-random Number
Xiang-Yang Li
Fast computation
❍ The generator should be reasonably fast
Security
❍ The generator should be secure
❍ What is security level of PRNG?
[Figure: generator built from three triple-DES EDE stages under keys K1, K2: the input DT and the seed S_i enter the stages, which produce the output R_i and the next seed S_{i+1}.]
Networks
❍ Wireless LAN security 802.11
❍ IPsec
❍ Firewall
❍ Intrusions
Email Security
Xiang-Yang Li
authentication
❍ of sender of message
message integrity
❍ protection from modification
non-repudiation of origin
❍ protection from denial by sender
Maintain keys
❍ A PGP entity's own public/private key pairs
❍ Public keys of correspondents
Approach
❍ Sending the least significant 64 bits as key ID
❍ Need send the receiver’s public key ID used for
encrypting the session key
❍ Need send the sender’s public key ID, whose
corresponding private key used for signature
Approach
❍ Owner issues key revocation certificate, signed by
owner
❍ Using corresponding private key to sign the certificate
❍ Disseminate the certificate as widely and as quickly as
possible
signed data
❍ encoded message + signed digest
clear-signed data
❍ cleartext message + encoded signed digest
Security on WWW
Xiang-Yang Li
[Figure: protocol stack, with the Internet Protocol (IP) at the bottom.]
SSL connection
❍ a transient, peer-to-peer, communications link
❍ associated with 1 SSL session
message integrity
❍ using a MAC with shared secret key
❍ similar to HMAC but with different padding
1. Handshake
2. Data transmission
Full handshake:
❍ Client → Server: Client Hello
❍ Server → Client: Server Hello, Server Certificate, Server Hello Done
❍ Client → Server: Client Key Exchange, Change Cipher Specification, Handshake Finished
❍ Server → Client: Change Cipher Specification, Handshake Finished
Abbreviated handshake (no certificate or key exchange; an existing session is resumed):
❍ Client → Server: Client Hello
❍ Server → Client: Server Hello, Change Cipher Specification, Handshake Finished
❍ Client → Server: Change Cipher Specification, Handshake Finished
Certificate authority
Certificate Authority (CA) is a trusted
third party that helps identify the server.
How does everything work?
• Server sends ID, public key to CA
• CA creates and signs the server’s Certificate
• Client receives the Certificate from Server
• Client verifies the Certificate using the signature and
the CA’s public key
[Figure: SSL through a proxy: traffic from the external secure server reaches the enterprise environment via an SSL-aware proxy, either as cleartext or inside an SSL tunnel.]
[Figure: S-HTTP through a proxy: encrypted, authenticated data from the external secure server passes through an S-HTTP-aware proxy into the enterprise environment.]
Message-based encryption
Superset of HTTP: "outer" envelope
Specific headers added
S-HTTP message:
  S-HTTP headers
  Request line: Secure * Secure-HTTP/1.2
  Response line: Secure-HTTP/1.2 200 OK
  HTTP payload headers: Security-Scheme, Encryption-Identity, Certificate-Info… + regular HTTP headers
  HTTP message body
Basically the same as on SSL, since the ciphers are the same
Default values more secure in S-HTTP than SSL at the time of proposal (e.g. DES vs. RC4)
S-HTTP generally stronger by design (more resilient to proxy compromise)
More complex and wider specifications create a potential for faulty implementations
No real-world use to field test the actual security of S-HTTP
Web Security
Malicious Software
XiangYang Li
generic decryption
❍ use CPU simulator to check program signature &
behavior before actually running it
digital immune system (IBM)
❍ general purpose emulation & virus detection
❍ any virus entering org is captured, analyzed,
detection/shielding created for it, removed
Xiangyang Li
Attacks on Availability
❍ Denial of Service
Authentication servers
❍ RADIUS
Client authentication
❍ EAP
Source: http://csrc.nist.gov/wireless/S10_802.11i%20Overview-jw1.pdf
WRAP
❍ Provided for early vendor support
TKIP
❍ Carried over from WPA
Client Validation
Password-to-key mappings
Random number generation
802.1X
❍ Good interim solution
❍ Allows use of existing hardware
❍ Can still be attacked
802.11i
❍ May require hardware upgrades
❍ Very secure
❍ Nothing is ever guaranteed
IPsec
XiangYang Li
Confidentiality (encryption)
Limited traffic flow confidentiality
Firewalls
XiangYang Li
can decompose by
❍ columns as access control lists
❍ rows as capability tickets
rule-based detection
❍ anomaly
❍ penetration identification
profile based
❍ characterize past behavior of users
❍ detect significant deviations from this
❍ profile usually multi-parameter