CS425/CSE424/ECE428 – Distributed Systems
3/10/11 Guest lecture by Nikita Borisov

Confidentiality
Integrity
Availability

Unauthorized user: Authentication
Unauthorized use: Authorization
Untrusted network: Secure channels

Make worst-case assumptions
  Network compromised
  Code / mechanism is known
  Nothing remains secret forever
Separate policy from mechanism
  Cryptography for secure channels
  Identity management (PKI, passwords, etc.) for authentication
  Access control lists, capabilities for authorization

Science of enciphering data
  Cryptology (algorithm design) + cryptanalysis (breaking algorithms)
History
  First algorithms thousands of years old
  Encryption driven by military, intelligence, and financial uses
  Since 1970’s, subject of much open research
Backbone of most Internet security mechanisms

Block cipher:
  E_K(P) = C
  D_K(C) = P
  P: Plaintext
  C: Ciphertext
  K: Shared key
Example: AES
  Result of design competition by NIST
  AES-128: key, block size are 128 bits
  Also, AES-192, AES-256

Stream cipher:
  Keystream(K)
    ▪ Produce infinite, unpredictable key stream from key K
  C = P xor Keystream(K)
  P = C xor Keystream(K)
Example: RC4
  Used in older version of 802.11, SSL
  Some security vulnerabilities

Indistinguishability
  Adversary queries encryption, decryption oracles
    ▪ E_K(.), D_K(.)
    ▪ Polynomial # of times
  Adversary provides M_1, M_2
  Challenger provides E_K(M_b) for b = 0 or 1
  Adversary queries oracles again
  Outputs guess for b
Security
  Adversary can’t win with probability (non-negligibly) more than 1/2

Basic encryption primitives insecure
  Block cipher: C = C’ => P = P’
  Stream cipher: C xor C’ = P xor P’
Must use operation mode
  E.g., CBC
    C_1 = IV (random)
    C_2 = E_K(P_1 xor C_1)
    C_3 = E_K(P_2 xor C_2)
    …

Alice, Bob share key K
Each sends E_K(M) to send M over secure channel
Security properties?
  Confidentiality
    ▪ Guaranteed by security of E
  Integrity
    ▪ Not guaranteed
  Availability
    ▪ Cannot be guaranteed by cryptography

Message Authentication Code (MAC)
  aka Message Integrity Code (MIC)
  MAC_K(M) = x
Security: unforgeability
  Adversary queries MAC oracle
    ▪ MAC_K(.)
  Adversary produces (M, x) where M has never been queried
  Wins if MAC_K(M) = x
  Secure if adversary cannot win with probability non-negligibly more than 0
Examples: HMAC, CBC-MAC

Encryption key EK, MAC key MK
Send(M) = E_EK(M)  MAC_MK(M)
Secure?
  Replay
  Reflection
Solution:
  Sequence numbers
  Different keys in different directions

Must establish symmetric key with everyone
  O(N^2) keys total
  Must be exchanged over secure channel!
Public key cryptography
  Two keys: PK – public, SK – secret
  C = E_PK(P)
  P = D_SK(C)
  O(N) keys total

Example: RSA
  Rivest, Shamir, Adleman, 1977
Key generation
  N = p*q, for two large primes p, q
  e = 3, d = e^-1 in Z_N*
    ▪ d can be computed with knowledge of p, q
  PK = (N, e), SK = d
    ▪ Factoring N into p, q currently infeasible if p, q > ~1024 bits
Encryption
  C = M^e (mod N)
  P = C^d (mod N)
Note: insecure in this form
  Must use randomization, padding to ensure indistinguishability

RSA-based key exchange (roughly what’s used in TLS)
Parties: Client, Server
Steps:
  S->C: PK_S, N_S
  C->S: E_PK_S(N_C)
  K = H(N_S N_C)
    ▪ Encryption, MAC keys derived from K
Properties:
  Nonces protect from replay
  One-way authentication
  No PFS

Goal: if (long-term) keys uncompromised at end of session, session remains secure forever
E.g., Diffie-Hellman
  S: pick random x, send g^x
  C: pick random y, send g^y
  Use (g^x)^y = (g^y)^x = g^xy to derive shared key
  Securely forget secrets (incl. x, y, g^xy) after session
Security relies on discrete logarithm problem

Public-key algorithm
  Secret signing key SK
  Public verification key VK
Operation
  sig = Sign_SK(M)
  Verify_VK(M, sig) = True or False
Example: RSA
  N, e = verification key, d = signature key
  Sign(M) = H(M)^d (mod N)

Putting things together:
  A->B: A, g^x, Sign(g^x)
  B->A: B, g^y, Sign(g^y)
Problems?

SIGn-and-MAc, due to Hugo Krawczyk
Used in IKE, part of IPSec
  A->B: g^x
  B->A: g^y, Sign(g^x, g^y), MAC_MK(B)
  A->B: A, Sign(g^y, g^x), MAC_MK(A)

...
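
Added example (not part of the lecture slides): the "Replay / Reflection" slide and its fix, sequence numbers plus different keys in different directions, shown for the MAC layer only. Assumptions: HMAC-SHA256 as the MAC, a 64-bit counter, label-based derivation of the two directional keys, and hypothetical names (Sender, Receiver, direction_key); the encryption step E_EK(M) is left out.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes

def direction_key(shared: bytes, label: bytes) -> bytes:
    # Assumption: one MAC key per direction, derived from the shared secret by label.
    return hmac.new(shared, label, hashlib.sha256).digest()

class Sender:
    def __init__(self, mac_key: bytes):
        self.key, self.seq = mac_key, 0

    def send(self, msg: bytes) -> bytes:
        body = struct.pack(">Q", self.seq) + msg  # 64-bit sequence number, then message
        self.seq += 1
        return body + hmac.new(self.key, body, hashlib.sha256).digest()

class Receiver:
    def __init__(self, mac_key: bytes):
        self.key, self.expected = mac_key, 0

    def receive(self, packet: bytes) -> bytes:
        if len(packet) < 8 + TAG_LEN:
            raise ValueError("short packet")
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        good = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):  # constant-time comparison
            raise ValueError("bad MAC")
        (seq,) = struct.unpack(">Q", body[:8])
        if seq != self.expected:  # checked only after the MAC verifies
            raise ValueError("unexpected sequence number")
        self.expected += 1
        return body[8:]

def demo() -> dict:
    shared = b"constructed shared secret"  # constructed sample value
    a_to_b = direction_key(shared, b"A->B")
    b_to_a = direction_key(shared, b"B->A")
    alice_tx, bob_rx, alice_rx = Sender(a_to_b), Receiver(a_to_b), Receiver(b_to_a)
    pkt = alice_tx.send(b"transfer 10")
    out = {"first": bob_rx.receive(pkt)}
    for name, rx in (("replay", bob_rx), ("reflection", alice_rx)):
        try:
            out[name] = rx.receive(pkt)
        except ValueError as err:
            out[name] = str(err)
    return out
```

The replayed packet carries a valid MAC and is rejected only by the counter; the reflected packet fails the MAC check because Alice's receive key differs from her send key.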
 Spring '08
 Hu