425-guest-sp11 - CS425/CSE424/ECE428 – Distributed...


CS425/CSE424/ECE428 – Distributed Systems
3/10/11 Guest lecture by Nikita Borisov

- Confidentiality
- Integrity
- Availability

- Unauthorized user
  - Authentication
- Unauthorized use
  - Authorization
- Untrusted network
  - Secure channels

- Make worst-case assumptions
  - Network compromised
  - Code / mechanism is known
  - Nothing remains secret forever
- Separate policy from mechanism
- Cryptography for secure channels
- Identity management (PKI, passwords, etc.) for authentication
- Access control lists, capabilities for authorization

- Science of enciphering data
  - Cryptology (algorithm design) + cryptanalysis (breaking algorithms)
- History
  - First algorithms thousands of years old
  - Encryption driven by military, intelligence, and financial uses
  - Since the 1970s, subject of much open research
- Backbone of most Internet security mechanisms

- Block cipher:
  - E_K(P) = C
  - D_K(C) = P
  - P: Plaintext
  - C: Ciphertext
  - K: Shared key
- Example: AES
  - Result of design competition by NIST
  - AES-128: key, block size are 128 bits
  - Also, AES-192, AES-256

- Stream cipher:
  - Keystream(K)
    - Produce infinite, unpredictable key stream from key K
  - C = P xor Keystream(K)
  - P = C xor Keystream(K)
- Example: RC4
  - Used in older versions of 802.11, SSL
  - Some security vulnerabilities

- Indistinguishability
  - Adversary queries encryption, decryption oracles
    - E_K(.), D_K(.)
    - Polynomial # of times
  - Adversary provides M_1, M_2
  - Challenger provides E_K(M_b) for b = 0 or 1
  - Adversary queries oracles again
  - Outputs guess for b
- Security
  - Adversary can’t win with probability (non-negligibly) more than 1/2

- Basic encryption primitives insecure
  - Block cipher: C = C’ => P = P’
  - Stream cipher: C xor C’ = P xor P’
- Must use operation mode
  - E.g., CBC
  - C_1 = IV (random)
  - C_2 = E_K(P_1 xor C_1)
  - C_3 = E_K(P_2 xor C_2)
  - …

- Alice, Bob share key K
- Each sends E_K(M) to send M over secure channel
- Security properties?
  - Confidentiality
    - Guaranteed by security of E
  - Integrity
    - Not guaranteed
  - Availability
    - Cannot be guaranteed by cryptography

- Message Authentication Code (MAC)
  - aka Message Integrity Code (MIC)
  - MAC_K(M) = x
- Security: unforgeability
  - Adversary queries MAC oracle
    - MAC_K(.)
  - Adversary produces (M, x) where M has never been queried
  - Wins if MAC_K(M) = x
  - Secure if adversary cannot win with probability non-negligibly more than 0
- Examples: HMAC, CBC-MAC

- Encryption key EK, MAC key MK
- Send(M) = E_EK(M) || MAC_MK(M)
- Secure?
  - Replay
  - Reflection
- Solution:
  - Sequence numbers
  - Different keys in different directions

- Must establish symmetric key with everyone
  - O(N^2) keys total
  - Must be exchanged over secure channel!
- Public key cryptography
  - Two keys: PK – public, SK – secret
  - C = E_PK(P)
  - P = D_SK(C)
  - O(N) keys total

- Example: RSA
  - Rivest, Shamir, Adleman, 1977
- Key generation
  - N = p*q, for two large primes p, q
  - e = 3, d = e^(-1) in Z_N*
    - d can be computed with knowledge of p, q
  - PK = (N, e), SK = d
    - Factoring N into p, q currently infeasible if p, q > ~1024 bits
- Encryption
  - C = M^e (mod N)
  - P = C^d (mod N)
- Note: insecure in this form
  - Must use randomization, padding to ensure indistinguishability

- RSA-based key exchange
  - (roughly what’s used in TLS)
- Parties: Client, Server
- Steps:
  - S -> C: PK_S, N_S
  - C -> S: E_{PK_S}(N_C)
  - K = H(N_S || N_C)
    - Encryption, MAC keys derived from K
- Properties:
  - Nonces protect from replay
  - One-way authentication
  - No PFS

- Goal: if (long-term) keys uncompromised at end of session, session remains secure forever
- E.g., Diffie-Hellman
  - S: pick random x, send g^x
  - C: pick random y, send g^y
  - Use (g^x)^y = (g^y)^x = g^(xy) to derive shared key
  - Securely forget secrets (incl. x, y, g^(xy)) after session
- Security relies on discrete logarithm problem

- Public-key algorithm
  - Secret signing key SK
  - Public verification key VK
- Operation
  - sig = Sign_SK(M)
  - Verify_VK(M, sig) = True or False
- Example: RSA
  - N, e = verification key, d = signature key
  - Sign(M) = H(M)^d (mod N)

- Putting things together:
  - A -> B: A, g^x, Sign(g^x)
  - B -> A: B, g^y, Sign(g^y)
- Problems?

- SIGn-and-MAc, due to Hugo Krawczyk
- Used in IKE, part of IPSec
  - A -> B: g^x
  - B -> A: g^y, Sign(g^x, g^y), MAC_MK(B)
  - A -> B: A, Sign(g^y, g^x), MAC_MK(A)

...
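Added example (not part of the lecture slides): the slide on operation modes says a raw block cipher leaks equality (C = C’ => P = P’) and gives the CBC recurrence with a random IV as the first ciphertext block. The Python sketch below implements that recurrence; since the standard library has no AES, E and D are a toy Feistel permutation assumed here only as a stand-in for E_K and D_K, and KEY and MSG are constructed sample values.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes (128 bits, as for AES-128)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function for the toy cipher below.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def E(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel permutation standing in for E_K. Not a real cipher."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def D(key: bytes, block: bytes) -> bytes:
    """Inverse of E: undo the rounds in reverse order."""
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def _blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("length must be a multiple of BLOCK (padding not shown)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Raw block cipher per block: equal plaintext blocks give equal ciphertext.
    return b"".join(E(key, p) for p in _blocks(plaintext))

def cbc_encrypt(key: bytes, plaintext: bytes) -> bytes:
    out = [os.urandom(BLOCK)]                 # C_1 = IV (random)
    for p in _blocks(plaintext):
        out.append(E(key, _xor(p, out[-1])))  # C_{i+1} = E_K(P_i xor C_i)
    return b"".join(out)

def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    c = _blocks(ciphertext)
    return b"".join(_xor(D(key, c[i]), c[i - 1]) for i in range(1, len(c)))

KEY = b"constructed-demo-key"  # constructed sample key
MSG = b"ATTACK AT DAWN!!" * 2  # constructed: two identical 16-byte blocks
```

Encrypting MSG with ecb_encrypt yields two identical ciphertext blocks, while cbc_encrypt yields distinct blocks and a different ciphertext on every call.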
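Added example (not part of the lecture slides): the slide that asks whether Send(M) with a separate encryption key and MAC key is secure names replay and reflection as the problems, with sequence numbers and different keys in different directions as the solution. The Python sketch below shows the MAC half of such a channel using HMAC-SHA256; the encryption step is left out, and the frame layout, key-derivation labels and the names Endpoint, seal, unseal and demo are assumptions of this example.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes

def derive(master: bytes, label: bytes) -> bytes:
    """Derive a per-direction MAC key from the shared key (assumed scheme)."""
    return hmac.new(master, label, hashlib.sha256).digest()

class Endpoint:
    """One side of the channel; role is b"A" or b"B"."""
    def __init__(self, master: bytes, role: bytes):
        peer = b"B" if role == b"A" else b"A"
        self.send_key = derive(master, b"mac " + role + b"->" + peer)
        self.recv_key = derive(master, b"mac " + peer + b"->" + role)
        self.send_seq = self.recv_seq = 0

    def seal(self, msg: bytes) -> bytes:
        header = struct.pack(">Q", self.send_seq)  # 64-bit sequence number
        tag = hmac.new(self.send_key, header + msg, hashlib.sha256).digest()
        self.send_seq += 1
        return header + msg + tag

    def unseal(self, frame: bytes) -> bytes:
        if len(frame) < 8 + TAG_LEN:
            raise ValueError("frame too short")
        header, msg, tag = frame[:8], frame[8:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.recv_key, header + msg, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad MAC")  # wrong direction or tampered frame
        if struct.unpack(">Q", header)[0] != self.recv_seq:
            raise ValueError("unexpected sequence number")  # replayed or reordered
        self.recv_seq += 1
        return msg

def demo() -> dict:
    k = b"\x01" * 32  # constructed shared key
    alice, bob = Endpoint(k, b"A"), Endpoint(k, b"B")
    frame = alice.seal(b"pay 10 to carol")
    results = {"first": bob.unseal(frame)}
    for name, receiver in (("replay", bob), ("reflection", alice)):
        try:
            receiver.unseal(frame)
            results[name] = "accepted"
        except ValueError as e:
            results[name] = str(e)
    return results
```

The replayed frame fails the sequence check at Bob, and the same frame reflected back to Alice fails MAC verification because her receive key differs from her send key.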