Shared by: linxiaoqin, posted 1/22/2013
CSCI 6365
• Network Security and Management
• Instructor: Bin Fu, Ph.D
• Office: ENGR 3.280
• Phone: 381-3635
• Email: binfu@cs.panam.edu
• Web: http://cs.panam.edu/~binfu/
Textbook
Textbook: Cryptography and Network Security, by
William Stallings, Fourth Edition
Topics
• Symmetric ciphers
• Block ciphers and DES
• Public key cryptography (RSA)
• Hash functions
• Key management
• Network Authentications
• IP security
• Web security
• Software security, etc
Exam, Assignment and Grade
• Midterm: 20%
• Final: 25%
• 4 assignments: 30%
• Attendance and Exercises in class: 25%
Chapter 1 – Introduction
The art of war teaches us to rely not on the
likelihood of the enemy's not coming, but on
our own readiness to receive him; not on the
chance of his not attacking, but rather on the
fact that we have made our position
unassailable.
—The Art of War, Sun Tzu
Background
• Information Security requirements have
changed in recent times
• traditionally provided by physical and
administrative mechanisms
• computer use requires automated tools to
protect files and other stored information
• use of networks and communications links
requires measures to protect data during
transmission
Definitions
• Computer Security - generic name for the
collection of tools designed to protect data and to
thwart hackers
• Network Security - measures to protect data
during their transmission
• Internet Security - measures to protect data
during their transmission over a collection of
interconnected networks
Services, Mechanisms, Attacks
• need systematic way to define requirements
• consider three aspects of information
security:
– security attack
– security mechanism
– security service
• consider in reverse order
OSI Security Architecture
• ITU-T X.800 Security Architecture for OSI
• defines a systematic way of defining and
providing security requirements
• for us it provides a useful, if abstract,
overview of concepts we will study
Security Services
• X.800 defines it as: a service provided by a
protocol layer of communicating open
systems, which ensures adequate security of
the systems or of data transfers
• RFC 2828 defines it as: a processing or
communication service provided by a
system to give a specific kind of protection
to system resources
• X.800 defines it in 5 major categories
Security Services (X.800)
• Authentication - assurance that the
communicating entity is the one claimed
• Access Control - prevention of the unauthorized
use of a resource
• Data Confidentiality - protection of data from
unauthorized disclosure
• Data Integrity - assurance that data received is as
sent by an authorized entity
• Non-Repudiation - protection against denial by
one of the parties in a communication
Security Mechanisms (X.800)
• specific security mechanisms:
– encipherment, digital signatures, access
controls, data integrity, authentication
exchange, traffic padding, routing control,
notarization
• pervasive security mechanisms:
– trusted functionality, security labels, event
detection, security audit trails, security recovery
Classify Security Attacks as
• passive attacks - eavesdropping on, or monitoring
of, transmissions to:
– obtain message contents, or
– monitor traffic flows
• active attacks – modification of data stream to:
– masquerade of one entity as some other
– replay previous messages
– modify messages in transit
– denial of service
Model for Network Security
[Figure: model for network security; the image is not recoverable in this copy.]
• using this model requires us to:
– design a suitable algorithm for the security
transformation
– generate the secret information (keys) used by
the algorithm
– develop methods to distribute and share the
secret information
– specify a protocol enabling the principals to use
the transformation and secret information for a
security service
Model for Network Access Security
[Figure: model for network access security; the image is not recoverable in this copy.]
• using this model requires us to:
– select appropriate gatekeeper functions to
identify users
– implement security controls to ensure only
authorised users access designated information
or resources
• trusted computer systems can be used to
implement this model
Summary
• have considered:
– computer, network, internet security def’s
– security services, mechanisms, attacks
– X.800 standard
– models for network (access) security
Cryptography
[Figure: cryptography draws on algebra, number theory and complexity theory (theoretical impact) and feeds into security (application impact).]
Two parts of cryptography
• Symmetric ciphers
If the encryption key is known, then the decryption key is
known. Examples: DES, AES
• Public key (asymmetric cipher)
Even if the encryption key is known, the decryption key is still
unknown. Example: RSA
Basic Concepts in Cryptography
• Plaintext: Original intelligible message
• Encryption algorithm: convert plaintext into
ciphertext
• Key: one of the inputs to the encryption algorithm;
different keys produce different encryption outputs
• Ciphertext: output of encryption, unintelligible data
• Decryption algorithm: takes the ciphertext and key
to generate plaintext
Model of Cryptosystem
[Figure: message X → Encryption (key K) → ciphertext Y → Decryption (key K) → message X; the key K reaches the receiver over a secure channel; a cryptanalyst who sees Y tries to recover an estimate X' of the message and/or K' of the key.]
Encryption and Decryption
• Message X
• Encryption key K
• Ciphertext Y
Encryption function: $Y = E_K(X)$
Decryption function: $X = D_K(Y)$
Attacks
• Ciphertext only attack:
attacker only knows ciphertext
• Known Plaintext attack:
attacker gets some plaintext patterns and their
encryptions
• Chosen-plaintext attack:
attacker chooses messages to encrypt and obtains their ciphertexts
Caesar Cipher
• Plain to cipher mapping
Plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z
Cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
• Example
Plaintext:  attack at midnight
Ciphertext: DWWDFK DW PLGQLJKW
Two functions
• Number the letters: a b c … z ↔ 0 1 2 … 25
• The encryption function is $E(p) = (p + 3) \bmod 26$
• The decryption function is $D(c) = (c - 3) \bmod 26$
Key space and security
• The number of keys for Caesar cipher is 26
• It is easy to break by brute-force attack via trying all
possible keys
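The shift cipher and the brute-force attack on its 26-element key space, as an added Python example (not code from the slides). The plaintext "attack at dawn" is a constructed sample; the key is the shift, with 3 giving the Caesar cipher above.

```python
ALPHABET = "abcdefghijklmnopqrstuvwxyz"

def caesar_encrypt(plaintext, key=3):
    """E(p) = (p + key) mod 26 letter by letter; non-letters pass through."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26].upper())
        else:
            out.append(ch)
    return "".join(out)

def caesar_decrypt(ciphertext, key=3):
    """D(c) = (c - key) mod 26: the same shift with the sign reversed."""
    return caesar_encrypt(ciphertext, -key).lower()

def brute_force(ciphertext):
    """The whole key space is 26 shifts: return every candidate plaintext."""
    return {k: caesar_decrypt(ciphertext, k) for k in range(26)}

def recover_key(ciphertext, crib):
    """Pick the key whose candidate contains an expected word (a 'crib').
    With only 26 candidates the check is instant, which is the slide's point."""
    for k, candidate in brute_force(ciphertext).items():
        if crib in candidate:
            return k
    return None

if __name__ == "__main__":
    ct = caesar_encrypt("attack at dawn")   # constructed sample message
    print(ct, "-> key", recover_key(ct, "attack"))
```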
Monoalphabetic Cipher
• Plain letters to cipher letters
Plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z
Cipher: Z E I R M F S K B H C U P Q G J T O V W X Y D A L N
• Plaintext to ciphertext
Plaintext:  attack at midnight
Ciphertext: ZWWZIC ZW PBRQBSKW
Monoalphabetic Cipher
• Plain: abcdefghijklmnopqrstuvwxyz
• Cipher: a permutation of the 26 letters
• Number of possible keys:
$26! = 1 \times 2 \times 3 \times 4 \times \cdots \times 25 \times 26$
Statistics for English Letters
• Frequency of the 26 letters
E (12.7%)  T (9.0%)   A (8.1%)   O (7.5%)   I (6.9%)
N (6.7%)   S (6.3%)   H (6.0%)   R (5.9%)   D (4.2%)
L (4.0%)   C (2.7%)   U (2.7%)   M (2.4%)   W (2.3%)
F (2.2%)   G (2.0%)   Y (1.9%)   P (1.9%)   B (1.4%)
V (0.9%)   K (0.7%)   X (0.15%)  J (0.15%)  Q (0.09%)
Z (0.07%)
Cipher Analysis
• Select a ciphertext that is long enough
• Analyse the frequency of each letter in it
• Find the mapping of letters by comparing with the English frequencies
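The first pass of the frequency analysis just described, as an added Python example (not from the slides): it encrypts a constructed English sentence under the slide's monoalphabetic key ZEIRM…, counts cipher letters and pairs them with the English letters in the slide's frequency order. Only the top few pairings are reliable; the tail is refined by hand using digraphs and context, which is why the slide asks for a long ciphertext.

```python
from collections import Counter

# English letters from most to least frequent, read off the slide's table
ENGLISH_ORDER = "etaoinshrdlcumwfgypbvkxjqz"

# The slide's monoalphabetic key: plain a..z -> cipher letters
PLAIN = "abcdefghijklmnopqrstuvwxyz"
CIPHER = "ZEIRMFSKBHCUPQGJTOVWXYDALN"

def mono_encrypt(text, cipher_alphabet=CIPHER):
    """Apply the substitution to the letters of text (spaces dropped)."""
    table = str.maketrans(PLAIN, cipher_alphabet)
    return "".join(ch for ch in text.lower() if ch in PLAIN).translate(table)

def letter_frequencies(ciphertext):
    """(letter, relative frequency) pairs, most frequent first."""
    letters = [c for c in ciphertext.upper() if c.isalpha()]
    counts = Counter(letters)
    total = len(letters)
    return [(c, n / total) for c, n in counts.most_common()]

def guess_mapping(ciphertext):
    """Pair cipher letters in frequency order with English letters in
    frequency order: the starting point for recovering the key."""
    ranked = [c for c, _ in letter_frequencies(ciphertext)]
    return dict(zip(ranked, ENGLISH_ORDER))

if __name__ == "__main__":
    # constructed sample text, deliberately rich in the letter e
    sample = "the enemy never sees these secret messages we send here"
    ct = mono_encrypt(sample)
    print(ct)
    print(letter_frequencies(ct)[:3])
    print({k: v for k, v in guess_mapping(ct).items() if k in "MV"})
```

With 46 letters the most frequent cipher letter (M, the image of e) is identified correctly, while the second (V, the image of s) is paired with t: short texts only pin down the very top of the table.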
Multiple Substitutes
• A letter may be assigned several different cipher symbols, e.g. e → 3, 7, 23
• This makes attacks based on letter statistics much harder
Playfair Cipher
• Key: monarchy
M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z
Pairing before Encryption
• Pair up letters: walk → (wa)(lk)
• Insert a filler letter into a pair that repeats a letter: balloon → (ba)(lx)(lo)(on)
Encryption Rules
• ar → RM: plaintext letters in the same row are each replaced by the
letter to their right (circularly)
• mu → CM: plaintext letters in the same column are each replaced by the
letter beneath (circularly)
• bp → HS: otherwise each plaintext letter is replaced by the letter in its
own row and the other letter's column
Advantage of Playfair over
monoalphabetic
• Multiple substitutes
• Makes frequency analysis more difficult
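The Playfair procedure from the last three slides (table construction, pairing with filler, the three replacement rules) in one added Python example; this is not the slides' code. It assumes the slide's keyword "monarchy", the I/J merge shown in the table, and x as the filler letter.

```python
def playfair_table(keyword):
    """5x5 table: keyword letters (deduplicated) then the rest of the
    alphabet; I and J share one cell, as in the slide's 'monarchy' table."""
    seen, cells = set(), []
    for ch in (keyword + "abcdefghiklmnopqrstuvwxyz").lower():
        ch = "i" if ch == "j" else ch
        if ch.isalpha() and ch not in seen:
            seen.add(ch)
            cells.append(ch)
    return [cells[r * 5:(r + 1) * 5] for r in range(5)]

def locate(table, ch):
    for r, row in enumerate(table):
        if ch in row:
            return r, row.index(ch)
    raise ValueError(ch)

def make_pairs(text, filler="x"):
    """Digraphs; a doubled letter is split by the filler (balloon -> ba lx lo on)
    and an odd tail letter is padded with it."""
    letters = [("i" if c == "j" else c) for c in text.lower() if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else filler
        if a == b:
            pairs.append((a, filler))
            i += 1
        else:
            pairs.append((a, b))
            i += 2
    return pairs

def playfair_encrypt(text, keyword="monarchy", shift=1):
    """shift=+1 encrypts (right/beneath), shift=-1 decrypts (left/above)."""
    t = playfair_table(keyword)
    out = []
    for a, b in make_pairs(text):
        (ra, ca), (rb, cb) = locate(t, a), locate(t, b)
        if ra == rb:        # same row: letter to the right, circularly
            out += [t[ra][(ca + shift) % 5], t[rb][(cb + shift) % 5]]
        elif ca == cb:      # same column: letter beneath, circularly
            out += [t[(ra + shift) % 5][ca], t[(rb + shift) % 5][cb]]
        else:               # rectangle: own row, other letter's column
            out += [t[ra][cb], t[rb][ca]]
    return "".join(out).upper()

def playfair_decrypt(ciphertext, keyword="monarchy"):
    return playfair_encrypt(ciphertext, keyword, shift=-1).lower()

if __name__ == "__main__":
    print(playfair_table("monarchy"))
    print(playfair_encrypt("balloon"), playfair_decrypt(playfair_encrypt("balloon")))
```

Decryption reuses the same rules with the direction reversed; the filler letters stay in the output (balxloon) and are removed by the reader.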
Polyalphabetic Cipher
• 6 letters: a b c d e f
a A B C D E F
b B C D E F A
c C D E F A B
d D E F A B C
e E F A B C D
f F A B C D E
Encryption rules
• Keyword: dece
• Key: decedecedeced
• Plaintext: f d e f e c a b c c c e d
• Ciphertext: CBAD BACF FAECA
• The key “d” determines the row number “d”
• The plaintext “f” determines column number “f”
• The cipher letter is at the intersection of row “d” and
column “f”, which is “C”
Polyalphabetic Cipher
• 26 letters: a b c d e f …….
a A B C D E F …….
b B C D E F G …….
c C D E F G H …….
d D E F G H I …….
e E F G H I J …….
f F G H I J K …….
……
Advantage
• Each plaintext letter may be mapped to any of the 26
letters.
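The tabula recta cipher of the previous slides over an arbitrary alphabet, as an added Python example (not the slides' code): row r of the table is the alphabet rotated by r, the key letter selects the row and the plaintext letter the column. It reproduces the slide's 6-letter table and works unchanged for the 26-letter one.

```python
def tabula_recta(alphabet):
    """Row r is the alphabet rotated left by r (the slides' 6- and 26-letter tables)."""
    n = len(alphabet)
    return [[alphabet[(r + c) % n] for c in range(n)] for r in range(n)]

def vigenere(text, keyword, alphabet="abcdefghijklmnopqrstuvwxyz", decrypt=False):
    """Cipher letter = table[row = key letter][column = plaintext letter].
    Decryption looks up which column of the key's row holds the cipher letter."""
    table = tabula_recta(alphabet)
    out = []
    for i, ch in enumerate(text.lower()):
        if ch not in alphabet:
            raise ValueError("letter %r not in alphabet" % ch)
        k = alphabet.index(keyword[i % len(keyword)].lower())
        if decrypt:
            out.append(alphabet[table[k].index(ch)])
        else:
            out.append(table[k][alphabet.index(ch)].upper())
    return "".join(out)

if __name__ == "__main__":
    six = "abcdef"
    print(vigenere("fdefecabccced", "dece", six))      # the slide's example
    print(vigenere("attackatdawn", "lemon"))            # 26-letter alphabet
```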
Basic Properties of Mod
• For integers x, y and k, $x \equiv y \pmod k$
if there is another integer z such that $x - y = zk$
• Example: x = 7, y = 11, k = 4 gives $7 \equiv 11 \pmod 4$ (likewise $3 \equiv 11 \pmod 4$)
• $x \equiv y \pmod k$ iff x and y have the same remainder
when divided by k
Mod k
• Assume $x \equiv y \pmod k$ and $u \equiv v \pmod k$. Then
$x + u \equiv y + v \pmod k$
$x u \equiv y v \pmod k$
Hill Cipher
• Take m successive plaintext letters and substitute for them
m ciphertext letters
• Each letter is assigned a numerical value
• The substitution is via a linear transformation
Hill Cipher
$$\begin{pmatrix} c_1 \\ c_2 \\ c_3 \end{pmatrix} = \begin{pmatrix} k_{11} & k_{12} & k_{13} \\ k_{21} & k_{22} & k_{23} \\ k_{31} & k_{32} & k_{33} \end{pmatrix} \begin{pmatrix} p_1 \\ p_2 \\ p_3 \end{pmatrix} \bmod 26$$
$c_1 = (k_{11} p_1 + k_{12} p_2 + k_{13} p_3) \bmod 26$
$c_2 = (k_{21} p_1 + k_{22} p_2 + k_{23} p_3) \bmod 26$
$c_3 = (k_{31} p_1 + k_{32} p_2 + k_{33} p_3) \bmod 26$
Matrix Multiplication
• For two matrices $A = (a_{i,j})_{l \times m}$ and $B = (b_{j,k})_{m \times n}$, the product
$C = AB = (c_{i,k})_{l \times n}$ has entries
$c_{i,k} = \sum_{j=1}^{m} a_{i,j} b_{j,k}$
Properties of matrix product
• Associative: (AB)C = A(BC)
• IA = AI = A, where I is the unit (identity) matrix
$$I = \begin{pmatrix} 1 & 0 & 0 & \cdots & 0 \\ 0 & 1 & 0 & \cdots & 0 \\ 0 & 0 & 1 & \cdots & 0 \\ \vdots & & & \ddots & \vdots \\ 0 & 0 & 0 & \cdots & 1 \end{pmatrix}$$
Inverse of matrix
• For a matrix $A = (a_{i,j})_{n \times n}$, if there is another matrix
$B = (b_{i,j})_{n \times n}$ such that AB = I, where I is the unit
matrix, then B is called the inverse of A, denoted by
$B = A^{-1}$
Hill Cipher
• $C = KP \bmod 26$
C is a column of m cipher letters
K is an m×m matrix
P is a column of m plain letters
• K is invertible, with inverse $K^{-1}$:
$K K^{-1} = I$
I is the m×m matrix that has all ones on the main diagonal
and all zeros off the main diagonal
Encryption and Decryption
• Encryption:
$C = E_K(P) = KP \bmod 26$
• Decryption:
$P = D_K(C) = K^{-1} C \bmod 26 = K^{-1} K P = IP = P$
Example
• $K = \begin{pmatrix} 17 & 17 & 5 \\ 21 & 18 & 21 \\ 2 & 2 & 19 \end{pmatrix}$
• $K^{-1} = \begin{pmatrix} 4 & 9 & 15 \\ 15 & 17 & 6 \\ 24 & 0 & 17 \end{pmatrix}$
Example
$$K K^{-1} = \begin{pmatrix} 443 & 442 & 442 \\ 858 & 495 & 780 \\ 494 & 52 & 365 \end{pmatrix} \bmod 26 = \begin{pmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{pmatrix}$$
Hill Cipher Security
• With three known plaintext blocks as the columns of P and their
ciphertext blocks as the columns of C:
$$\begin{pmatrix} c_{11} & c_{12} & c_{13} \\ c_{21} & c_{22} & c_{23} \\ c_{31} & c_{32} & c_{33} \end{pmatrix} = \begin{pmatrix} k_{11} & k_{12} & k_{13} \\ k_{21} & k_{22} & k_{23} \\ k_{31} & k_{32} & k_{33} \end{pmatrix} \begin{pmatrix} p_{11} & p_{12} & p_{13} \\ p_{21} & p_{22} & p_{23} \\ p_{31} & p_{32} & p_{33} \end{pmatrix}$$
$C = KP$
$C P^{-1} = K$
Conclusion
• The Hill cipher is easy to break by a known-plaintext attack.
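The Hill cipher with the slides' 3×3 key, its inverse modulo 26 computed via the adjugate, and the known-plaintext recovery $K = C P^{-1}$ from the security slide, as one added Python example (not the slides' code). The plaintexts "paymoremoney" and "hillcipher" are constructed samples; padding with x for a short final block is this example's convention.

```python
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
MOD = 26

# Key matrix and its inverse mod 26 from the slides' example
K_SLIDE = [[17, 17, 5], [21, 18, 21], [2, 2, 19]]
K_INV_SLIDE = [[4, 9, 15], [15, 17, 6], [24, 0, 17]]

def det(M):
    """Determinant by Laplace expansion; fine for the small matrices used here."""
    n = len(M)
    if n == 1:
        return M[0][0]
    return sum((-1) ** j * M[0][j] * det([row[:j] + row[j + 1:] for row in M[1:]])
               for j in range(n))

def mat_inv_mod(M, m=MOD):
    """Inverse of a square integer matrix modulo m via the adjugate.
    Raises ValueError when det(M) has no inverse mod m (gcd(det, m) != 1)."""
    n = len(M)
    d = det(M) % m
    try:
        d_inv = pow(d, -1, m)                     # Python 3.8+ modular inverse
    except ValueError:
        raise ValueError("matrix is not invertible modulo %d" % m)
    adj = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            minor = [row[:j] + row[j + 1:] for k, row in enumerate(M) if k != i]
            adj[j][i] = (-1) ** (i + j) * det(minor)   # transposed cofactor
    return [[(d_inv * adj[i][j]) % m for j in range(n)] for i in range(n)]

def mat_mul_mod(A, B, m=MOD):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) % m
             for j in range(len(B[0]))] for i in range(len(A))]

def hill_encrypt(plaintext, K):
    """C = K P mod 26, block by block; the last block is padded with x."""
    n = len(K)
    nums = [ALPHABET.index(ch) for ch in plaintext.lower() if ch in ALPHABET]
    while len(nums) % n:
        nums.append(ALPHABET.index("x"))
    out = []
    for i in range(0, len(nums), n):
        col = mat_mul_mod(K, [[v] for v in nums[i:i + n]])
        out.extend(ALPHABET[c[0]].upper() for c in col)
    return "".join(out)

def hill_decrypt(ciphertext, K):
    """P = K^-1 C mod 26: encryption with the inverse matrix."""
    return hill_encrypt(ciphertext, mat_inv_mod(K)).lower()

def recover_key(plaintext, ciphertext, n):
    """Known-plaintext attack from the slides: n plaintext blocks form the
    columns of P, their ciphertext blocks the columns of C, and K = C P^-1."""
    p = [ALPHABET.index(c) for c in plaintext.lower() if c in ALPHABET][:n * n]
    c = [ALPHABET.index(ch) for ch in ciphertext.lower() if ch in ALPHABET][:n * n]
    P = [[p[j * n + i] for j in range(n)] for i in range(n)]   # column j = block j
    C = [[c[j * n + i] for j in range(n)] for i in range(n)]
    return mat_mul_mod(C, mat_inv_mod(P))

if __name__ == "__main__":
    ct = hill_encrypt("paymoremoney", K_SLIDE)
    print(ct, hill_decrypt(ct, K_SLIDE))
    print(recover_key("hillcipher", hill_encrypt("hillcipher", K_SLIDE), 3) == K_SLIDE)
```

Three plaintext/ciphertext block pairs suffice when the plaintext matrix P is invertible mod 26 (its determinant must be odd and not divisible by 13); the attacker needs no key material at all, which is the point of the conclusion above.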
Problems
1. Encrypt the plaintext with Polyalphabetic Cipher
with the key decedece: BEEF
2. The ciphertext is from Playfair encryption. Convert
it into plaintext. Show each of your steps:
SENASXFNMG
Name Email
Encryption for binary message
• $a \oplus b = 1$ iff a and b are different
• Encryption: $c_i = p_i \oplus k_i$
• $p_i$ = i-th binary digit of the plaintext
• $k_i$ = i-th binary digit of the key
• $c_i$ = i-th binary digit of the ciphertext
Decryption for binary message
• Decryption: $c_i \oplus k_i = (p_i \oplus k_i) \oplus k_i = p_i \oplus (k_i \oplus k_i) = p_i \oplus 0 = p_i$
• $p_i$ = i-th binary digit of the plaintext
• $k_i$ = i-th binary digit of the key
• $c_i$ = i-th binary digit of the ciphertext
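The XOR encryption and its decryption derivation on bytes, as an added Python example (not from the slides), together with the consequence of the same cancellation when one key is used for two messages: the key drops out and $c_1 \oplus c_2 = p_1 \oplus p_2$. The key and messages are constructed samples.

```python
def xor_bytes(a, b):
    """c_i = p_i xor k_i, byte by byte; the key must cover the whole message."""
    if len(b) < len(a):
        raise ValueError("key must be at least as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(plaintext, key):
    return xor_bytes(plaintext, key)

def decrypt(ciphertext, key):
    # (p xor k) xor k = p xor (k xor k) = p xor 0 = p: the same operation
    return xor_bytes(ciphertext, key)

def key_reuse_leak(c1, c2):
    """Why the key must be used once: under one key, c1 xor c2 = p1 xor p2.
    The key cancels exactly as in the decryption derivation, so the XOR of
    the two plaintexts is exposed without any knowledge of the key."""
    return xor_bytes(c1, c2)

if __name__ == "__main__":
    key = bytes(range(1, 17))                     # constructed 16-byte key
    c1, c2 = encrypt(b"attack at dawn", key), encrypt(b"retreat at six", key)
    print(decrypt(c1, key), key_reuse_leak(c1, c2) == xor_bytes(b"attack at dawn", b"retreat at six"))
```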
Transposition techniques
• Encryption is by some permutation of the plaintext
• Plaintext: attack postponed until two am xyz
• Write the message in rows:
a t t a c k p
o s t p o n e
d u n t i l t
w o a m x y z
• Read by column:
aodwtsuottnaaptmcoixknlypetz
Transposition techniques
• Permute the order of the columns
Key: 4 3 1 2 5 6 7
a t t a c k p
o s t p o n e
d u n t i l t
w o a m x y z
• Ciphertext (columns read out in key order):
ttna aptm tsuo aodw coix knly petz
Second round
• Input: ttna aptm tsuo aodw coix knly petz
• Permute the order of the columns again
Key: 4 3 1 2 5 6 7
t t n a a p t
m t s u o a o
d w c o i x k
n l y p e t z
• Ciphertext:
nscy auop ttwl tmdn aoie paxt tokz
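The keyed columnar transposition of the last three slides, including the second round and the inverse, as an added Python example (not the slides' code). The key is the column order written above the grid; the plaintext is assumed to be padded to a multiple of the key length, as the slide does with "xyz".

```python
def transposition_encrypt(plaintext, key, rounds=1):
    """Write the text in rows of len(key) columns, then read the columns out
    in key order (the column labelled 1 first, then 2, ...)."""
    n = len(key)
    if len(plaintext) % n:
        raise ValueError("pad the plaintext to a multiple of %d letters" % n)
    text = plaintext
    for _ in range(rounds):
        rows = [text[i:i + n] for i in range(0, len(text), n)]
        text = "".join("".join(r[key.index(k)] for r in rows) for k in range(1, n + 1))
    return text

def transposition_decrypt(ciphertext, key, rounds=1):
    """Undo a round: cut the ciphertext into columns (in key order), put each
    column back in its original position and read the grid row by row."""
    n = len(key)
    m = len(ciphertext) // n
    text = ciphertext
    for _ in range(rounds):
        cols = [""] * n
        for k in range(1, n + 1):
            cols[key.index(k)] = text[(k - 1) * m:k * m]
        text = "".join(cols[c][r] for r in range(m) for c in range(n))
    return text

if __name__ == "__main__":
    key = [4, 3, 1, 2, 5, 6, 7]
    pt = "attackpostponeduntiltwoamxyz"
    ct = transposition_encrypt(pt, key, rounds=2)
    print(ct, transposition_decrypt(ct, key, rounds=2))
```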
Two basic methods
• Substitution
monoalphabetic cipher
polyalphabetic cipher
• Permutation
transposition
Block Cipher
• Block cipher: a block of plaintext is treated as a whole and
used to produce a ciphertext block of the same length
• The mapping can be described by a table, e.g. for 2-bit blocks:
00 → 11
01 → 10
10 → 00
11 → 01
• The key size (table size) for an n-bit block is $n \cdot 2^n$ bits
Principles of block cipher
• Diffusion
The plaintext is dissipated over a long range of the
ciphertext
• Confusion
Make the relationship between the ciphertext and the
key as complicated as possible
Diffusion
• Let each plaintext digit affect many cipher digits
• Example 1: Hill cipher
$$\begin{pmatrix} c_1 \\ c_2 \\ c_3 \end{pmatrix} = \begin{pmatrix} k_{11} & k_{12} & k_{13} \\ k_{21} & k_{22} & k_{23} \\ k_{31} & k_{32} & k_{33} \end{pmatrix} \begin{pmatrix} p_1 \\ p_2 \\ p_3 \end{pmatrix} \bmod 26$$
• Example 2: for a message $M = m_1, m_2, m_3, \ldots$
let the ciphertext be $y_n = \sum_{i=1}^{k} m_{n+i}$
Diffusion and confusion
• Confusion dissipates the statistical information of the
plaintext
• Confusion is usually achieved by substitution
Magic function f(x)
• For every integer x, f(x) is easy to compute.
• Given f(x), it is very hard to find any information about
x.
• It is impossible to find different x and y with
f(x) = f(y)
Protocol
• Alice picks a random integer x and computes f(x)
She reads f(x) to Bob on the phone
• Bob tells Alice his guess of whether x is even or odd
• Alice reads x to Bob
• Bob verifies f(x) and sees whether his guess was correct
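The coin-flip protocol above as an added Python example (not from the slides), with SHA-256 standing in for the "magic function" f. The protocol only hides the parity if x is large and random: for a small x, Bob could recover x from f(x) by exhaustive search, so `alice_pick` draws 256 random bits.

```python
import hashlib
import secrets

def commit(x):
    """f(x): a one-way, collision-resistant hash of x (SHA-256 stands in
    for the slide's 'magic function')."""
    return hashlib.sha256(x.to_bytes(32, "big")).hexdigest()

def alice_pick(rng=secrets):
    """Alice picks a random 256-bit x so that f(x) hides the parity of x;
    a small x could be recovered from f(x) by exhaustive search."""
    x = rng.randbits(256)
    return x, commit(x)

def bob_verify(commitment, x, guess_even):
    """Bob checks the opened value against the commitment, then scores his guess.
    Without this check Alice could 'open' whichever parity makes Bob lose."""
    if commit(x) != commitment:
        raise ValueError("Alice's opened value does not match f(x)")
    return (x % 2 == 0) == guess_even

def run_protocol(x, guess_even):
    """Full run with a given x (for tests); returns whether Bob's guess was right."""
    c = commit(x)                    # 1. Alice sends f(x)
                                     # 2. Bob sends his guess (guess_even)
                                     # 3. Alice reveals x
    return bob_verify(c, x, guess_even)   # 4. Bob verifies f(x) and scores

if __name__ == "__main__":
    x, c = alice_pick()
    print("f(x) =", c)
    print("Bob guessed even, correct:", bob_verify(c, x, guess_even=True))
```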
Problem
The following ciphertext is from the transposition
method with the key 4132. Recover the plaintext.
OCLTG NNENT OAEOH NESPI
Name:
DES
• The Data Encryption Standard (DES) was established by the
National Bureau of Standards in 1977
• Most widely used encryption scheme, especially in
financial applications
DES
• DES is a block cipher
• Each plaintext block is a 64-bit {0,1} string
• Each ciphertext block is a 64-bit {0,1} string
• The key is a 56-bit {0,1} string
• It is a combination of substitution and permutation
Three stages
• Stage 1: apply a fixed permutation IP
$(L_0, R_0) = IP(\text{input block})$
• Stage 2: 16 rounds of operations (i = 1, 2, …, 16)
$L_i = R_{i-1}$
$R_i = L_{i-1} \oplus f(R_{i-1}, k_i)$
• Stage 3: output
$\text{output block} = IP^{-1}(R_{16}, L_{16})$
Stage 1
• Apply a fixed permutation IP
$(L_0, R_0) = IP(\text{input block})$
• $L_0$ is the left 32 bits
• $R_0$ is the right 32 bits
• IP is a fixed permutation function
Stage 2
• 16 rounds of operations (i = 1, 2, …, 16)
$L_i = R_{i-1}$
$R_i = L_{i-1} \oplus f(R_{i-1}, k_i)$
• Function f is called the "S-box" function ("S" for substitution)
• $k_i$ is a 48-bit round key, a substring of the 56-bit input
key
One Round Feistel Cipher
• One round
[Figure: inputs $L_{i-1}$ and $R_{i-1}$; $L_i = R_{i-1}$ and $R_i = L_{i-1} \oplus f(R_{i-1}, k_i)$.]
Principles
• The substitution is used inside f
• The permutation is applied in each of the 16 rounds
[Figure: the 16 rounds chained, $(L_0, R_0) \to f \to (L_1, R_1) \to f \to (L_2, R_2) \to \cdots \to (L_{16}, R_{16})$.]
One Round Feistel Cipher
• One round
[Figure: the last round, $(L_{15}, R_{15})$ through f with $k_{16}$ to $(L_{16}, R_{16})$.]
Decryption
• First stage:
$(L_0', R_0') = IP(c) = IP(IP^{-1}(R_{16}, L_{16})) = (R_{16}, L_{16})$
• Second stage (the first decryption round uses $k_1' = k_{16}$):
$L_1' = R_0' = L_{16} = R_{15}$
$R_1' = L_0' \oplus f(R_0', k_1') = R_{16} \oplus f(L_{16}, k_1') = (L_{15} \oplus f(R_{15}, k_{16})) \oplus f(R_{15}, k_{16}) = L_{15}$
Decryption
• Inverse of the DES rounds
$(L_1', R_1') = (R_{15}, L_{15})$
$(L_2', R_2') = (R_{14}, L_{14})$
$(L_3', R_3') = (R_{13}, L_{13})$
$\ldots$
$(L_{16}', R_{16}') = (R_0, L_0)$
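A toy Feistel network that checks the decryption derivation above, as an added Python example; it is not DES and not the slides' code (no IP, E, S-boxes, P or PC1/PC2). The round function is a truncated SHA-256, deliberately non-invertible, and the subkey schedule is a constructed hash-based one. Running the rounds on the ciphertext with the subkeys reversed reproduces $(L_i', R_i') = (R_{16-i}, L_{16-i})$ for every i.

```python
import hashlib

ROUNDS = 16
MASK32 = 0xFFFFFFFF

def round_function(r, k):
    """Toy f: the first 32 bits of SHA-256(r || k). It is not invertible,
    which is fine: the Feistel structure, not f, supplies invertibility."""
    data = r.to_bytes(4, "big") + k.to_bytes(6, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def derive_subkeys(key56):
    """Constructed schedule (not DES's PC1/PC2): sixteen 48-bit subkeys."""
    base = key56.to_bytes(7, "big")
    return [int.from_bytes(hashlib.sha256(base + bytes([i])).digest()[:6], "big")
            for i in range(ROUNDS)]

def feistel_rounds(block64, subkeys):
    """Apply L_i = R_{i-1}, R_i = L_{i-1} xor f(R_{i-1}, k_i) for each subkey.
    Returns the list of (L_i, R_i) for i = 0..16."""
    L, R = block64 >> 32, block64 & MASK32
    states = [(L, R)]
    for k in subkeys:
        L, R = R, L ^ round_function(R, k)
        states.append((L, R))
    return states

def encrypt(block64, key56):
    L16, R16 = feistel_rounds(block64, derive_subkeys(key56))[-1]
    return (R16 << 32) | L16          # output (R16, L16): the final swap, without IP^-1

def decrypt(cipher64, key56):
    """Same rounds, subkeys in reverse order (k_1' = k_16, ...), same final swap."""
    L16p, R16p = feistel_rounds(cipher64, derive_subkeys(key56)[::-1])[-1]
    return (R16p << 32) | L16p

def mirror_property(block64, key56):
    """Check (L_i', R_i') == (R_{16-i}, L_{16-i}) for every i, as derived above."""
    ks = derive_subkeys(key56)
    enc = feistel_rounds(block64, ks)
    dec = feistel_rounds(encrypt(block64, key56), ks[::-1])
    return all(dec[i] == (enc[ROUNDS - i][1], enc[ROUNDS - i][0])
               for i in range(ROUNDS + 1))

if __name__ == "__main__":
    key, msg = 0x0123456789ABCD, 0x0123456789ABCDEF      # constructed values
    ct = encrypt(msg, key)
    print(hex(ct), hex(decrypt(ct, key)), mirror_property(msg, key))
```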
Function $f(R_{i-1}, K_i)$
[Figure: $R_{i-1}$ (32 bits) → E → 48 bits; XOR with $K_i$ (48 bits); split into 8 groups of 6 bits → $S_1, S_2, \ldots, S_8$ (6 bits in, 4 bits out each) → 32 bits → P → 32 bits.]
$f(R_{i-1}, K_i) = P(S(E(R_{i-1}) \oplus K_i))$
Function $f(R_{i-1}, K_i) = P(S(E(R_{i-1}) \oplus K_i))$
• (a) $T = E(R_{i-1})$: expansion from 32 bits to 48 bits
• (b) $T' = T \oplus K_i = (B_1, \ldots, B_8)$, each $B_i$ is 6 bits
• (c) $T'' = (S_1(B_1), S_2(B_2), \ldots, S_8(B_8))$
Each $S_i$ is a 4×16 table with 4 bits at each entry
$B_i$ determines an entry in the $S_i$ table
• (d) $T''' = P(T'')$
Design of function f
• Function f makes the DES nonlinear
• The S box makes function f nonlinear
Design of f
• Strict avalanche criterion:
When input bit i is inverted, any output bit j of the S-
box should change with probability 1/2
• Bit independence criterion:
Output bits j and k should change independently
when any input bit i is inverted
• The two criteria depend on the design of the S-box,
which has been studied extensively
Choice of parameters
• Block size: larger size means greater security, and
less efficiency
• Key size: larger key size means greater security, and
slower speed
• Number of rounds: Single round is inadequate
E table
• E is a fixed expansion that maps 32 bits to 48 bits
Each entry of E gives the position (1 to 32) of the input bit to select
32  1  2  3  4  5
 4  5  6  7  8  9
 8  9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32  1
P table
• P is a fixed 32 bits permutation
16 7 20 21
29 12 28 17
1 15 23 26
5 18 31 10
2 8 24 14
32 27 3 9
19 13 30 6
22 11 4 25
Key generation
Input 56-bit key $K = k_1 k_2 \ldots k_{56}$
$v_i = 1$ for i = 1, 2, 9, 16; $v_i = 2$ otherwise
$T = PC1(K) = (C_0, D_0)$, each half 28 bits
for i = 1 to 16 do
  $C_i = \text{LS}_{v_i}(C_{i-1})$, $D_i = \text{LS}_{v_i}(D_{i-1})$ (left circular shift of each 28-bit half by $v_i$)
  $K_i = PC2(C_i, D_i)$ (48 bits)
PC1 and PC2
• PC1(K) is a permutation of the 56 bits of K
• PC2(C, D) selects 48 bits from the 56-bit
input through a table
Electronic Codebook Mode
• ECB: each 64-bit block is encrypted independently under the same key
$P_1, P_2, \ldots, P_N$ (64 bits each) $\to C_1, C_2, \ldots, C_N$
• Identical plaintext blocks give identical ciphertext blocks, so it may be
possible to substitute or rearrange message blocks
Cipher Block Chaining Mode
• Encryption: $C_j = E_K[C_{j-1} \oplus P_j]$
[Figure: CBC encryption chain; each $P_j$ is XORed with the previous ciphertext block ($C_0 = IV$) and encrypted under K, giving $C_1, C_2, \ldots, C_N$.]
• IV should be a confidential message
• It is used for encrypting the first block
$C_1 = E_K(IV \oplus P_1)$
$P_1 = IV \oplus D_K(C_1)$
Decryption
• Decryption of CBC
$D_K[C_j] = D_K[E_K(C_{j-1} \oplus P_j)] = C_{j-1} \oplus P_j$
$C_{j-1} \oplus D_K[C_j] = C_{j-1} \oplus C_{j-1} \oplus P_j = P_j$
CBC Decryption
[Figure: CBC decryption; each $C_j$ is decrypted under K and XORed with $C_{j-1}$ (IV for the first block) to give $P_1, P_2, \ldots, P_N$.]
Cipher Feedback Mode
• CFB
$C_1 = P_1 \oplus S_s(E_K(IV))$
$P_1 = C_1 \oplus S_s(E_K(IV))$
CFB
[Figure: CFB encryption with s-bit units. A 64-bit shift register starts as IV; each step encrypts the register under K, takes its leftmost s bits ($S_s$), XORs them with the s-bit plaintext unit $P_j$ to give $C_j$, and shifts $C_j$ into the register from the right, so the register holds the previous 64 − s bits followed by $C_{j-1}$.]
CFB Decryption
[Figure: CFB decryption mirrors encryption: the register is fed with the ciphertext units $C_1, \ldots, C_M$, the block cipher is used in the encrypt direction only, and $P_j = C_j \oplus S_s(E_K(\text{register}))$.]
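ECB, CBC and CFB as described on the preceding slides, implemented over a constructed 64-bit toy block cipher so that the example runs without any library; this is an added Python example, not the slides' code, and the toy cipher (an XOR with the key followed by multiplication by an odd constant mod $2^{64}$) has no security of its own. It shows the ECB weakness named above (equal plaintext blocks give equal ciphertext blocks), the CBC chaining, and CFB with an s-byte feedback unit using the block cipher in the encrypt direction for both operations.

```python
BLOCK = 8                               # 64-bit blocks, as in DES
MASK64 = (1 << 64) - 1
ODD = 0x9E3779B97F4A7C15                # odd, hence invertible mod 2^64
ODD_INV = pow(ODD, -1, 1 << 64)

def toy_encrypt_block(block, key):
    """Constructed toy block cipher (NOT DES, no security claimed)."""
    x = int.from_bytes(block, "big") ^ key
    return ((x * ODD) & MASK64).to_bytes(BLOCK, "big")

def toy_decrypt_block(block, key):
    y = int.from_bytes(block, "big")
    return (((y * ODD_INV) & MASK64) ^ key).to_bytes(BLOCK, "big")

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    if len(data) % BLOCK:
        raise ValueError("ECB/CBC need a whole number of %d-byte blocks" % BLOCK)
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(pt, key):
    return b"".join(toy_encrypt_block(b, key) for b in blocks(pt))

def ecb_decrypt(ct, key):
    return b"".join(toy_decrypt_block(b, key) for b in blocks(ct))

def cbc_encrypt(pt, key, iv):
    prev, out = iv, []
    for p in blocks(pt):
        prev = toy_encrypt_block(xor(prev, p), key)       # C_j = E_K[C_{j-1} xor P_j]
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ct, key, iv):
    prev, out = iv, []
    for c in blocks(ct):
        out.append(xor(prev, toy_decrypt_block(c, key)))  # P_j = C_{j-1} xor D_K[C_j]
        prev = c
    return b"".join(out)

def cfb_encrypt(pt, key, iv, s=1):
    """CFB with an s-byte unit: C_j = P_j xor S_s(E_K(register)); the
    register shifts left by s bytes and takes C_j in on the right."""
    reg, out = iv, []
    for i in range(0, len(pt), s):
        p = pt[i:i + s]
        c = xor(p, toy_encrypt_block(reg, key)[:len(p)])
        out.append(c)
        reg = (reg + c)[-BLOCK:]
    return b"".join(out)

def cfb_decrypt(ct, key, iv, s=1):
    reg, out = ct and iv, []
    for i in range(0, len(ct), s):
        c = ct[i:i + s]
        out.append(xor(c, toy_encrypt_block(reg, key)[:len(c)]))  # encrypt direction
        reg = (reg + c)[-BLOCK:]
    return b"".join(out)

if __name__ == "__main__":
    key, iv = 0x0F1E2D3C4B5A6978, bytes(range(8))      # constructed key and IV
    pt = b"SAMEBLOK" * 2
    print(ecb_encrypt(pt, key).hex())                   # both halves identical
    print(cbc_encrypt(pt, key, iv).hex())               # halves differ
    print(cfb_decrypt(cfb_encrypt(b"attack at dawn", key, iv, 3), key, iv, 3))
```

CFB needs no padding because the plaintext is consumed in s-byte units, and both directions call only the block cipher's encrypt function, which is why the decryption figure above shows "Encrypt" boxes.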
Problems
a) Which parts of DES use the permutation method?
b) Which parts of DES use the substitution method?
c) Explain why DES is invertible (verify that each round is
easy to invert).
d) Does DES require that the function f be invertible? Why?
(note: a function f is not invertible if for some $x \ne y$, $f(x) = f(y)$)
Name:
Problem 1
Key: decedece
Plaintext: BEEF
Ciphertext: ECAD
Explanation for the first cipher text
• The key “d” determines the row number “d”
• The plaintext “b” determines column number “b”
• The cipher letter is at the intersection of row “d” and
column “b”, which is “E”
Symmetric Encryption
• The key for the decryption is the same as the key for
encryption.
• Examples: DES, AES
Asymmetric Techniques
• The key for encryption is different from the
key for decryption
• Example: RSA
Divisor
• Divisor: for two integers b and c, if b = c·z for some integer
z, c is a divisor of b.
• We write c|b to denote that c is a divisor of b.
• Examples: 4|16, 2|10, 3|27
Modular
• Given a positive integer n and any integer a, there are
integers q and r such that:
$a = qn + r$, $0 \le r < n$, $q = \lfloor a/n \rfloor$
$a \pmod n = r$
• r is the residue (remainder) of a when divided by n
• $\lfloor x \rfloor$ is the largest integer at most x, e.g. $\lfloor 3.8 \rfloor = 3$
Mod n
• Given integers x and n > 1, x (mod n) is the remainder of x
divided by n.
• Example: 7 (mod 4) = 3, 10 (mod 3) = 1
• Define $x \equiv y \pmod n$ if x (mod n) = y (mod n)
• $x \equiv y \pmod n$ iff $x - y = nz$ for some integer z
Mod n
• Assume $x \equiv y \pmod n$ and $u \equiv v \pmod n$. Then
$x + u \equiv y + v \pmod n$
$x - u \equiv y - v \pmod n$
$x u \equiv y v \pmod n$
System Zn
• The set Zn = {0, 1, 2, …, n−1}. It has two operations +
and *
• For a, b in Zn, a + b is (a + b) (mod n), and a * b is
(ab) (mod n)
• Z5 = {0, 1, 2, 3, 4}
$2 + 3 \equiv 0 \pmod 5$, $2 \times 4 \equiv 3 \pmod 5$, $4 \times 4 \equiv 1 \pmod 5$
Properties of Modular Arithmetic
• Commutative: $(w + x) \bmod n = (x + w) \bmod n$
$(w \times x) \bmod n = (x \times w) \bmod n$
• Associative: $((w + x) + y) \bmod n = (w + (x + y)) \bmod n$
$((w \times x) \times y) \bmod n = (w \times (x \times y)) \bmod n$
• Distributive:
$(w \times (x + y)) \bmod n = ((w \times x) + (w \times y)) \bmod n$
$((x + y) \times w) \bmod n = ((x \times w) + (y \times w)) \bmod n$
• Identities
$(w + 0) \bmod n = w \bmod n$
$(1 \times w) \bmod n = w \bmod n$
• Additive inverse (−x): $(x + (n - x)) \bmod n = 0 \bmod n$
Zn
• Commutative: $(w + x) \bmod n = (x + w) \bmod n$
• Associative: $((w + x) + y) \bmod n = (w + (x + y)) \bmod n$
• Identity: $(w + 0) \bmod n = w \bmod n$
• Additive inverse (−w): $(w + (n - w)) \bmod n = 0 \bmod n$
(Zn, +) is an abelian group
Properties of Modular Arithmetic
• Commutative: $(w \times x) \bmod n = (x \times w) \bmod n$
• Associative: $((w \times x) \times y) \bmod n = (w \times (x \times y)) \bmod n$
• Distributive: $(w \times (x + y)) \bmod n = ((w \times x) + (w \times y)) \bmod n$
$((x + y) \times w) \bmod n = ((x \times w) + (y \times w)) \bmod n$
• Identity: $(1 \times w) \bmod n = w \bmod n$
Greatest common divisor
• Divisor: For two integers b and c, if b=c*z for some integer
z, c is a divisor of b.
• Greatest common divisor: Given two integers a and b,
gcd(a,b) is the greatest positive integer c such that c is the
divisor for both a and b.
• Examples: gcd(10,4)=2, gcd(16,100)=4
• Problem: How to find gcd(a,b)?
Modular
• Assume a and b are two positive integers with
$a = qb + r$, $0 \le r < b$, $q = \lfloor a/b \rfloor$. Then
$\gcd(a, b) = \gcd(b, r)$
• This is a recursive equation, since the second argument strictly
decreases at every step
Example
• gcd(1970, 1066): 1970 = 1 × 1066 + 904
• gcd(1066, 904): 1066 = 1 × 904 + 162
• gcd(904, 162): 904 = 5 × 162 + 94
• gcd(162, 94): 162 = 1 × 94 + 68
• gcd(94, 68): 94 = 1 × 68 + 26
• gcd(68, 26): 68 = 2 × 26 + 16
• gcd(26, 16): 26 = 1 × 16 + 10
• gcd(16, 10): 16 = 1 × 10 + 6
• gcd(10, 6): 10 = 1 × 6 + 4
• gcd(6, 4): 6 = 1 × 4 + 2
• gcd(4, 2) = 2: 4 = 2 × 2 + 0
Euclid algorithm
• Assume $a_1$ and $a_2$ are two positive integers
$a_1 = q_1 a_2 + a_3$, $0 \le a_3 < a_2$
$a_2 = q_2 a_3 + a_4$, $0 \le a_4 < a_3$
$a_3 = q_3 a_4 + a_5$, $0 \le a_5 < a_4$
$\ldots$
$a_{m-2} = q_{m-2} a_{m-1} + a_m$, $0 \le a_m < a_{m-1}$
$a_{m-1} = q_{m-1} a_m$
Observation
Each $a_i$ can be expressed as $a_i = u_i a_1 + v_i a_2$ for some
integers $u_i$, $v_i$
Proof: It is true for i = 1, 2. Assume it is true for all cases < i.
Since $a_{i-2} = q_{i-2} a_{i-1} + a_i$ and, by the inductive assumption,
$a_{i-2} = u_{i-2} a_1 + v_{i-2} a_2$ and $a_{i-1} = u_{i-1} a_1 + v_{i-1} a_2$,
we have
$u_{i-2} a_1 + v_{i-2} a_2 - q_{i-2}(u_{i-1} a_1 + v_{i-1} a_2) = a_i$
$(u_{i-2} - q_{i-2} u_{i-1}) a_1 + (v_{i-2} - q_{i-2} v_{i-1}) a_2 = a_i$
Theorem
For two positive integers a and b with c=gcd(a,b),
there are two integers p and q such that p*a+q*b=c
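Euclid's algorithm with the trace shown on the example slide, and the extended form that carries the coefficients $u_i, v_i$ of the Observation through the recursion to produce the $p, q$ of the Theorem; an added Python example, not the slides' code. `modinv` is the use RSA makes of it later (finding d from e and $\phi(N)$).

```python
def euclid_trace(a, b):
    """The slides' table: one row (a, q, b, r) with a = q*b + r per step, until r = 0."""
    rows = []
    while b:
        q, r = divmod(a, b)
        rows.append((a, q, b, r))
        a, b = b, r
    return rows

def gcd(a, b):
    """gcd(a, b) = gcd(b, r): the last non-zero remainder."""
    return euclid_trace(a, b)[-1][2] if b else a

def egcd(a, b):
    """Returns (g, u, v) with g = gcd(a, b) = u*a + v*b.
    Carries the Observation's coefficients back up the recursion."""
    if b == 0:
        return a, 1, 0
    g, u, v = egcd(b, a % b)
    # g = u*b + v*(a mod b) = u*b + v*(a - (a//b)*b) = v*a + (u - (a//b)*v)*b
    return g, v, u - (a // b) * v

def modinv(e, m):
    """The inverse of e modulo m, when gcd(e, m) = 1: from u*e + v*m = 1, u*e = 1 (mod m)."""
    g, u, _ = egcd(e, m)
    if g != 1:
        raise ValueError("%d has no inverse mod %d" % (e, m))
    return u % m

if __name__ == "__main__":
    for row in euclid_trace(1970, 1066):
        print("%d = %d x %d + %d" % row)
    print(egcd(1970, 1066), egcd(72, 5), modinv(5, 72))
```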
Speed of Euclid algorithm
• Assume $a_1$ and $a_2$ are two positive integers
$a_1 = q_1 a_2 + a_3$, $0 \le a_3 < a_2$, $q_1 = \lfloor a_1 / a_2 \rfloor$, $\gcd(a_1, a_2) = \gcd(a_2, a_3)$
$a_2 = q_2 a_3 + a_4$, $0 \le a_4 < a_3$, $q_2 = \lfloor a_2 / a_3 \rfloor$, $\gcd(a_2, a_3) = \gcd(a_3, a_4)$
• If $a_3 > a_2 / 2$, we have $a_2 = 1 \cdot a_3 + (a_2 - a_3)$ with
$(a_2 - a_3) < a_2 / 2$
• In other words, $a_4 = (a_2 - a_3) < a_2 / 2$ (and if $a_3 \le a_2 / 2$ then $a_4 < a_3 \le a_2 / 2$ directly),
so the argument at least halves every two steps
Number Theory
• A number p is a prime if it cannot be expressed as p = st
such that both s and t are integers > 1.
Primes: 2, 3, 5, 7, 11, 13, 17, 23, 29, …
• Theorem: each positive integer n can be uniquely factorized
into a product of primes:
$n = p_1 p_2 \cdots p_k = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$, $e_1, e_2, \ldots, e_k > 0$
Lemma
If gcd(a, n)=1 and gcd(a,m)=1, then gcd(a,mn)=1
Proof
• Since gcd(a,m)=1, there are integers u and v such
that au+mv=1
• Similarly, ax+ny=1 for some integers x and y
• (au+mv)(ax+ny)=auax+auny+mvax+mvny=1
• a(uax+uny+mvx)+(mn)(vy)=1
• So, gcd(a,mn)=1
Observations
• For two different primes p and q, gcd(p, q) = 1 and
$\gcd(p, q^m) = 1$
• If the prime p is different from each of the primes
$q_1, q_2, \ldots, q_k$
(it is possible that $q_i = q_j$ for different i and j), then
$\gcd(p, q_1 q_2 \cdots q_k) = 1$
Unique factorization
Every positive integer n has a unique factorization
Proof: Assume
$n = p^e x$, $n = p^f y$,
where $0 \le e < f$ and the parts x and y have no factor p.
Therefore gcd(p, x) = 1.
Since e < f, we have $x = p^{f-e} y$.
This contradicts gcd(p, x) = 1.
Fermat Theorem
If p is a prime and a is a positive integer with gcd(p, a) = 1, then
$a^{p-1} \equiv 1 \pmod p$
Proof
Consider the lists 1, 2, 3, …, p−1 and
a·1, a·2, a·3, …, a·(p−1)
For a·u and a·v in the second list, if $au \equiv av \pmod p$,
then $a(u - v) \equiv 0 \pmod p$.
It implies that $u - v \equiv 0 \pmod p$. So u = v.
The elements in the second list are all different (mod p).
So, $1 \cdot 2 \cdot 3 \cdots (p-1) \equiv (a \cdot 1)(a \cdot 2)(a \cdot 3) \cdots (a \cdot (p-1)) \pmod p$
Proof
We have $a^{p-1} (p-1)! \equiv (p-1)! \pmod p$
$(a^{p-1} - 1)(p-1)! \equiv 0 \pmod p$
$\gcd(p, (p-1)!) = 1$
$(a^{p-1} - 1) \equiv 0 \pmod p$
$a^{p-1} \equiv 1 \pmod p$
Euler Function
For a positive integer n, $Z_n^*$ is the set of all positive
integers m < n with gcd(m, n) = 1
Define $\phi(n)$ to be the number of elements in $Z_n^*$
Example: $Z_{10}^* = \{1, 3, 7, 9\}$
For every prime number p, $\phi(p) = p - 1$
Theorem
If m and n are positive integers with gcd(m, n) = 1, then
$\phi(mn) = \phi(m)\phi(n)$
Euler Theorem
If a and n are positive integers with gcd(a, n) = 1, then
$a^{\phi(n)} \equiv 1 \pmod n$
This is the foundation for RSA public key encryption
Proof
Let $a_1, a_2, \ldots, a_{\phi(n)}$ be the $\phi(n)$ elements in $Z_n^*$
Claim: $a a_1, a a_2, \ldots, a a_{\phi(n)} \pmod n$ is a permutation of
$a_1, a_2, \ldots, a_{\phi(n)}$
Finite Fields
• Cryptography depends on number theory and
algebra
• Number theory: factorization,…
• Algebra: finite field theory,…
• AES will be built on the finite field theory
Group
A group is a set of elements with an operation, $(G, \circ)$
• Closure: if $a, b \in G$, then $a \circ b \in G$
• Associative: for a, b, c in G, $a \circ (b \circ c) = (a \circ b) \circ c$
• Identity element: there is an e in G s.t. $e \circ a = a \circ e = a$
for all a in G
• Inverse element: for each a in G there is a' in G s.t.
$a' \circ a = a \circ a' = e$
Infinite Group and Abelian Group
• Infinite group: if $(G, \circ)$ is a group and G is an
infinite set, it is called an infinite group
• Abelian group: if $(G, \circ)$ is a group and $a \circ b = b \circ a$
for all elements a, b in G
Group Examples
• Let Z = {…, −2, −1, 0, 1, 2, …} be the set of all integers
(Z, +) is a group.
• Let M3 = {0, 1, 2} and a + b be defined as (a + b) (mod 3)
(M3, +) is a group of 3 elements.
Ring
A ring is $(R, +, \cdot)$ where
• $(R, +)$ is an abelian group
• Closure under multiplication: if a, b are in R, so is $a \cdot b$
• Associativity of multiplication: $(a \cdot b) \cdot c = a \cdot (b \cdot c)$
• Distributive laws: $a \cdot (b + c) = (a \cdot b) + (a \cdot c)$
$(a + b) \cdot c = (a \cdot c) + (b \cdot c)$
Ring Examples
• Let Z = {…, −2, −1, 0, 1, 2, …} be the set of all integers
(Z, +, *) is a ring.
• Let M3 = {0, 1, 2} and a + b, a * b be defined as (a + b)
(mod 3) and (ab) (mod 3) respectively
(M3, +, *) is a ring of 3 elements.
Commutative Ring
A ring $(R, +, \cdot)$ is commutative if it satisfies
$a \cdot b = b \cdot a$
for all a, b in R
A ring $(R, +, \cdot)$ is an integral domain if it satisfies
1) it is commutative
2) it has an element 1 in R such that $1 \cdot a = a \cdot 1 = a$
3) if a, b in R have $a \cdot b = 0$, then a = 0 or b = 0
Field
A field is $(F, +, \cdot)$ where
• $(F, +, \cdot)$ is an integral domain
• Multiplicative inverse: for each a in F except 0, there is
another element $a^{-1}$, called the inverse element of a, such that
$a \cdot a^{-1} = a^{-1} \cdot a = 1$
Zp
If p is a prime number, (Zp, +, ×) is a field.
Proof. For each a in {1, 2, …, p−1},
a·1, a·2, …, a·(p−1) are different from each other
(mod p).
The list is a permutation of 1, 2, …, p−1.
So there is an a·b in the list with a·b ≡ 1 (mod p).
That element b is the inverse of a.
Zp
• Assume $ax \equiv ay \pmod p$, where a, x, y are in {1, 2, …, p−1}
We have $p \mid (ax - ay)$
$p \mid a(x - y)$
Since p is a prime, we have $p \mid a$ or $p \mid (x - y)$
It is impossible that $p \mid a$
We have $p \mid (x - y)$
So $x \equiv y \pmod p$
Zn
• (Z3,+, x) is a field
• (Z4,+,x) is not a field
Problems
• Z5=({0,1,2,3,4},+, *). The + and * operations are
under mod 5. Find the inverse for each element if it
exists.
• Z6=({0,1,2,3,4,5},+, *). The + and * operations are
under mod 6. Find the inverse for each element if it
exists.
• Is Z5 or Z6 a field?
Theorem
If m and n are positive integers with gcd(m,n)=1, then
(mn) (m) (n)
Proof
The table below contains all elements in 0, 1, …, mn−1.
Each column has $\phi(n)$ elements k with gcd(k, n) = 1.
0          1          ……   m−1
m          m+1        ……   m+(m−1)
…          …          ……   …
(n−1)m     (n−1)m+1   ……   (n−1)m+(m−1)
Proof
• For two elements a, b in the same column, gcd(m, a) = gcd(m, b).
• There are $\phi(m)$ columns with gcd(m, a) = 1, where a is an
element in the column.
A special case
• Let p and q be two different prime numbers
• $\phi(p) = p - 1$ and $\phi(q) = q - 1$
• We have $\phi(pq) = \phi(p)\phi(q) = (p-1)(q-1)$
Euler Theorem
If a and n are positive integers with gcd(a, n) = 1, then
$a^{\phi(n)} \equiv 1 \pmod n$
This is the foundation for RSA public key encryption
Proof
Let $a_1, a_2, \ldots, a_{\phi(n)}$ be the $\phi(n)$ elements in $Z_n^*$
Claim: $a a_1, a a_2, \ldots, a a_{\phi(n)} \pmod n$ is a permutation of
$a_1, a_2, \ldots, a_{\phi(n)}$
Proof
If $a a_i \equiv a a_j \pmod n$
then $a a_i - a a_j \equiv 0 \pmod n$
$a(a_i - a_j) \equiv 0 \pmod n$
Since gcd(a, n) = 1, there are integers b, c with ab + nc = 1, so
$ab \equiv 1 \pmod n$
Proof
From $a(a_i - a_j) \equiv 0 \pmod n$
we have $ba(a_i - a_j) \equiv 0 \pmod n$
$(a_i - a_j) \equiv 0 \pmod n$
So $a_i \equiv a_j \pmod n$.
We have proven the claim.
Proof
By the claim that $a a_1, a a_2, \ldots, a a_{\phi(n)} \pmod n$ is a
permutation of $a_1, a_2, \ldots, a_{\phi(n)}$,
we have $a_1 a_2 \cdots a_{\phi(n)} \equiv (a a_1)(a a_2) \cdots (a a_{\phi(n)}) \pmod n$
$a_1 a_2 \cdots a_{\phi(n)} \equiv a^{\phi(n)} (a_1 a_2 \cdots a_{\phi(n)}) \pmod n$
Proof
Since $\gcd(n, a_1) = 1, \gcd(n, a_2) = 1, \ldots, \gcd(n, a_{\phi(n)}) = 1$,
we have $\gcd(n, a_1 a_2 \cdots a_{\phi(n)}) = 1$
There are integers b and c with $(a_1 a_2 \cdots a_{\phi(n)}) b + nc = 1$
$(a_1 a_2 \cdots a_{\phi(n)}) b \equiv 1 \pmod n$
Proof
By $a_1 a_2 \cdots a_{\phi(n)} \equiv a^{\phi(n)} (a_1 a_2 \cdots a_{\phi(n)}) \pmod n$
and $(a_1 a_2 \cdots a_{\phi(n)}) b \equiv 1 \pmod n$,
we have $(a_1 a_2 \cdots a_{\phi(n)}) b \equiv a^{\phi(n)} (a_1 a_2 \cdots a_{\phi(n)}) b \pmod n$
$1 \equiv a^{\phi(n)} \pmod n$
A special case
• Let p and q be two prime numbers, and n = pq.
• Since $\phi(pq) = \phi(p)\phi(q) = (p-1)(q-1)$,
• for a number a with gcd(a, n) = 1 we have
$a^{\phi(n)} = a^{(p-1)(q-1)} \equiv 1 \pmod n$
$a^{(p-1)(q-1)+1} \equiv a \pmod n$
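An added Python example (not the slides' code) that checks the algebra of the last two sections by brute force on small moduli: it enumerates $Z_n^*$ and $\phi(n)$ from the Euler function slide, the multiplicative inverses behind the "Zp is a field" slides (every non-zero element of $Z_p$ has one; $Z_4$ fails), the permutation claim used in the proof of Euler's theorem, and the theorem itself. The moduli used are constructed test values.

```python
from math import gcd

def units(n):
    """Z_n^*: the m in 1..n-1 with gcd(m, n) = 1."""
    return [m for m in range(1, n) if gcd(m, n) == 1]

def phi(n):
    """Euler's function: the size of Z_n^*."""
    return len(units(n))

def inverse_table(n):
    """Multiplicative inverse of every element of Z_n that has one (brute force)."""
    table = {}
    for a in range(1, n):
        for b in range(1, n):
            if (a * b) % n == 1:
                table[a] = b
                break
    return table

def is_field(n):
    """(Z_n, +, x) is a field iff every non-zero element has an inverse."""
    return n > 1 and len(inverse_table(n)) == n - 1

def permutation_claim(a, n):
    """The claim in the Euler proof: a*a_1, ..., a*a_phi(n) (mod n) is a
    permutation of a_1, ..., a_phi(n) whenever gcd(a, n) = 1."""
    u = units(n)
    return sorted((a * x) % n for x in u) == u

def euler_theorem_holds(n):
    """a^phi(n) = 1 (mod n) for every a in Z_n^*."""
    return all(pow(a, phi(n), n) == 1 for a in units(n))

if __name__ == "__main__":
    print(units(10), phi(10), phi(7 * 13))
    print(inverse_table(4), is_field(4), is_field(7))
    print(permutation_claim(3, 10), euler_theorem_holds(10), euler_theorem_holds(91))
```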
Problems
1. Compute $3^{80} \pmod 7$
2. Write all elements in $Z_{33}^*$
3. Compute $\phi(13)$ and $\phi(26)$
Public key
• A revolution in cryptography.
• Previous methods are mainly based on
permutation and substitution
• Public key cryptography is based on mathematical
functions
Public Key
• Encryption: $Y = E_{\text{publicKey}}(X)$
• Decryption: $X = D_{\text{privateKey}}(Y)$
RSA Key Setup
• Choose two random big prime numbers p and q
• Compute N = pq
• Compute $\phi(N) = (p-1)(q-1)$
• Choose a random $e < \phi(N)$ such that $\gcd(e, \phi(N)) = 1$
• Compute the integer d such that $ed \equiv 1 \pmod{\phi(N)}$
• Publicize (N, e) as the public key
• Keep d as the private key and destroy p, q and $\phi(N)$
RSA Encryption
• Let m < N be a confidential message
• The ciphertext is $c = m^e \pmod N$
RSA Decryption
• The plaintext is obtained by $m = c^d \pmod N$
RSA Principle
Since $de \equiv 1 \pmod{\phi(N)}$,
we have $de = 1 + k\phi(N)$
$c^d = m^{ed} = m^{1 + k\phi(N)} = m \cdot m^{k\phi(N)} \pmod N$
If $\gcd(m, N) = 1$,
then $m^{\phi(N)} \equiv 1 \pmod N$ and $m^{k\phi(N)} \equiv 1 \pmod N$
$c^d = m \cdot m^{k\phi(N)} = m \cdot 1 = m \pmod N$
RSA Example
• Choose two primes p = 7 and q = 13. N = 7 × 13 = 91
• Compute $\phi(91) = \phi(7)\phi(13) = 6 \times 12 = 72$
• Choose e = 5
• Compute d from 72 × (−2) + 5 × 29 = 1 and get d = 29
• Public key (N, e) = (91, 5)
• Message m = 3
• Ciphertext $c = 3^5 = 243 \equiv 61 \pmod{91}$
• Decryption $c^d = 61^{29} \equiv 3 \pmod{91}$
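The key setup, encryption and decryption of the preceding slides as an added Python example (not the slides' code), checked against the slide's numbers p = 7, q = 13, e = 5. This is textbook RSA: no padding, so the same m always gives the same c, and the primes here are tiny; it illustrates the arithmetic, not a deployable scheme.

```python
from math import gcd

def rsa_keygen(p, q, e):
    """N = pq, phi(N) = (p-1)(q-1), d = e^-1 mod phi(N); returns ((N, e), d)."""
    N, phi_N = p * q, (p - 1) * (q - 1)
    if not (1 < e < phi_N and gcd(e, phi_N) == 1):
        raise ValueError("e must satisfy 1 < e < phi(N) and gcd(e, phi(N)) = 1")
    d = pow(e, -1, phi_N)            # Python 3.8+ modular inverse (extended Euclid)
    return (N, e), d

def rsa_encrypt(m, public_key):
    """c = m^e mod N for a message 0 <= m < N."""
    N, e = public_key
    if not 0 <= m < N:
        raise ValueError("message must satisfy 0 <= m < N")
    return pow(m, e, N)

def rsa_decrypt(c, d, N):
    """m = c^d mod N."""
    return pow(c, d, N)

def roundtrip_all(p, q, e):
    """Decryption recovers every m < N (the slide's proof covers gcd(m, N) = 1;
    the remaining m work too because N = pq is a product of distinct primes)."""
    public, d = rsa_keygen(p, q, e)
    N = public[0]
    return all(rsa_decrypt(rsa_encrypt(m, public), d, N) == m for m in range(N))

if __name__ == "__main__":
    public, d = rsa_keygen(7, 13, 5)          # the slide's parameters
    c = rsa_encrypt(3, public)
    print(public, d, c, rsa_decrypt(c, d, public[0]))
```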
Problems in RSA
• How to obtain two large prime numbers p and q?
• How to choose e and d with $ed \equiv 1 \pmod{\phi(N)}$?
• How to compute $m^e$ and $c^d \pmod N$ for large e and d?
Compute $a^n$
Let a and n be two positive integers
Use the recursive equation:
• If n is even: $a^n = (a^{n/2})^2$
• If n = 2k + 1 is odd: $a^n = a (a^k)^2$
• Let T(n) be the number of multiplications.
$T(n) \le T(n/2) + 2$
$T(n) \le 2 \log n$
Example
29
• Compute f(29)= 3 # of multiplications
• f(29)=3*f(14)*f(14)= 3 * f (14 )
2 2
• f(14)=f(7)*f(7)= f (7) 2 1
• f(7)=3*f(3)*f(3)= 3 * f (3) 2 2
• f(3)=3*f(1)*f(1)= 3 * f (1) 2 2
• The total number of multiplications is 2+1+2+2=7
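As an added example (not from the slides), the recursion above written out in Python with a counter for the multiplications it performs, so the counts for $3^{29}$ (7) and for the $5^{596} \pmod{1234}$ exam problem later on (12) can be checked mechanically; the optional modulus reduces after every multiplication, which is what makes the method usable for RSA-sized exponents.

```python
# Added example: square-and-multiply exactly as the slide's recursion defines it,
# a^n = (a^(n/2))^2 for even n and a^n = a * (a^k)^2 for n = 2k + 1,
# returning the value together with the number of multiplications used.

def fast_exp(a, n, m=None):
    """Return (a**n [mod m], number_of_multiplications)."""
    def reduce(x):
        return x % m if m is not None else x

    def rec(n):
        if n == 0:
            return 1, 0            # a^0 = 1, no multiplication
        if n == 1:
            return reduce(a), 0    # a^1 = a, no multiplication
        half, count = rec(n // 2)
        sq = reduce(half * half)   # one multiplication: (a^k)^2
        if n % 2 == 0:
            return sq, count + 1
        return reduce(a * sq), count + 2   # odd n: one more multiplication by a

    return rec(n)


def trace(a, n):
    """One line per recursion level, mirroring the f(29) example on the slide."""
    lines = []
    while n > 1:
        k = n // 2
        if n % 2 == 0:
            lines.append(f"f({n}) = f({k})^2        (1 multiplication)")
        else:
            lines.append(f"f({n}) = {a} * f({k})^2    (2 multiplications)")
        n = k
    return lines


if __name__ == "__main__":
    value, mults = fast_exp(3, 29)
    print(f"3^29 = {value}, {mults} multiplications")
    print("\n".join(trace(3, 29)))
    value, mults = fast_exp(5, 596, 1234)
    print(f"5^596 mod 1234 = {value}, {mults} multiplications")
    print(f"3^80 mod 7 = {fast_exp(3, 80, 7)[0]}")
```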
Testing Primality
Design an algorithm for testing if a number is prime
Input n>0
For (i=2; $i \le \sqrt{n}$; i=i+1){
if $n \equiv 0 \pmod i$ return no
}
return yes.
Total number of steps is $O(\sqrt{n})$
Testing Primality
Use Fermat's Theorem:
If p is a prime and a is a positive integer with gcd(p,a)=1, then
$a^{p-1} \equiv 1 \pmod p$
It is necessary, but not sufficient. In other words, there exist
composite numbers that also have this property.
Testing Primality
If p is a prime and a is a positive integer with gcd(p,a)=1, then
$a^{p-1} \equiv 1 \pmod p$
Furthermore, $p \mid a^{p-1} - 1$
So, $(a^{p-1} - 1) = (a^{(p-1)/2} - 1)(a^{(p-1)/2} + 1)$
So, $p \mid a^{(p-1)/2} - 1$ or $p \mid a^{(p-1)/2} + 1$
So, $a^{(p-1)/2} \equiv \pm 1 \pmod p$
Testing Primality
If p is not a prime, for most 0<a<p it does not satisfy
both
$a^{p-1} \equiv 1 \pmod p$
and
$a^{(p-1)/2} \equiv \pm 1 \pmod p$
Algorithm
Input integer p>0
randomly select integer $a \in (0, p)$
if ( $\gcd(a, p) \ne 1$ or $a^{(p-1)/2} \not\equiv \pm 1 \pmod p$ )
return (definitely) "composite"
else
return "prime"
Error probability
If the input integer p is a prime number
The algorithm always outputs “Prime”
If the input integer p is a composite number
The algorithm says “prime” with probability 0.5
Amplification
Repeat the algorithm k times on the same input
If the input integer p is a prime number
The algorithm always outputs “Prime”
If the input integer p is a composite number
The algorithm says "prime" every time with probability
$(0.5)^k$
Testing Primality
If p is a prime, a is a positive integer with gcd(p,a)=1, and
$a^j \equiv 1 \pmod p$ for some even number j,
then $p \mid a^j - 1$.
So, $(a^j - 1) = (a^{j/2} - 1)(a^{j/2} + 1)$
So, $p \mid a^{j/2} - 1$ or $p \mid a^{j/2} + 1$
So, $a^{j/2} \equiv \pm 1 \pmod p$
Testing Primality
If p is odd, a is a positive integer with gcd(p,a)=1, and
$p - 1 = 2^k q$, where q is an odd number,
consider the list: $q, 2q, 2^2 q, \ldots, 2^k q$
If p is a prime number, there exists i<k with
$a^{2^i q} \equiv \pm 1 \pmod p$
If p is a composite number, for a random a with 0<a<p, there is
probability $\le 1/4$ that there exists i<k with
$a^{2^i q} \equiv \pm 1 \pmod p$
Algorithm
Input odd integer p>0
let $p - 1 = 2^k q$
randomly select integer $a \in (0, p)$
for (i=0 to k-1) do
{ if ( $a^{2^i q} \equiv \pm 1 \pmod p$ )
return "prime"
}
return "composite"
Error probability
If the input integer p is a prime number
The algorithm always outputs "Prime"
If the input integer p is a composite number
The algorithm says "prime" with probability $\le 1/4$
Amplification
Repeat the algorithm k times on the same input
If the input integer p is a prime number
The algorithm always outputs "Prime"
If the input integer p is a composite number
The algorithm says "prime" every time with probability
$(1/4)^k$
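As an added example (not from the slides), both randomized tests described above in Python: the Euler-criterion test ($a^{(p-1)/2} \equiv \pm 1$) and the test on the sequence $a^q, a^{2q}, \ldots, a^{2^{k-1} q}$ in its standard Miller-Rabin form, each amplified by repetition. The Carmichael number 561 = 3·11·17 is used as the input that fools Fermat's test for every base coprime to it, and it also fools the Euler test for base 2; the repetition count for a target error is the amplification bound from the slides.

```python
# Added example: the Fermat, Euler-criterion and Miller-Rabin style tests from
# the slides, with amplification.  561 and 91 are composite, 97 is prime.
import math
import random


def fermat_passes(p, a):
    """Fermat's condition a^(p-1) = 1 (mod p); necessary but not sufficient."""
    return pow(a, p - 1, p) == 1


def euler_test_once(p, a):
    """Single run of the first algorithm: False ('composite') when
    gcd(a, p) != 1 or a^((p-1)/2) is neither +1 nor -1 mod p."""
    if math.gcd(a, p) != 1:
        return False
    r = pow(a, (p - 1) // 2, p)
    return r == 1 or r == p - 1


def miller_rabin_once(p, a):
    """Single run of the second algorithm on odd p with p - 1 = 2^k q.
    Standard form: accept if a^q = 1 or a^(2^i q) = -1 for some i < k."""
    if math.gcd(a, p) != 1:
        return False
    k, q = 0, p - 1
    while q % 2 == 0:            # strip factors of two: p - 1 = 2^k q
        q //= 2
        k += 1
    x = pow(a, q, p)
    if x == 1 or x == p - 1:
        return True
    for _ in range(k - 1):        # square through 2q, 4q, ..., 2^(k-1) q
        x = x * x % p
        if x == p - 1:
            return True
    return False


def is_probable_prime(p, rounds=20, rng=random.Random(1)):
    """Amplified Miller-Rabin: a composite survives one round with probability
    at most 1/4, so all 'rounds' rounds with probability at most (1/4)^rounds."""
    if p < 2:
        return False
    if p in (2, 3):
        return True
    if p % 2 == 0:
        return False
    return all(miller_rabin_once(p, rng.randrange(2, p - 1)) for _ in range(rounds))


def repetitions_needed(per_round_error, target):
    """Smallest k with per_round_error^k < target (the amplification bound)."""
    k = 0
    while per_round_error ** k >= target:
        k += 1
    return k


if __name__ == "__main__":
    for n in (97, 91, 561):
        print(n, "Fermat base 2:", fermat_passes(n, 2),
              "Euler base 2:", euler_test_once(n, 2),
              "Miller-Rabin:", is_probable_prime(n))
    print("rounds for error < 0.0001 at 1/2 per round:",
          repetitions_needed(0.5, 0.0001))
```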
A Free Book
A computational introduction to number theory and
algebra
By Victor Shoup
>500 pages pdf file
Problem
How many times should you repeat the first primality
algorithm so that it has <0.0001 chance to give a
wrong answer?
Midterm
• October 14, 2010 (Thursday)
• Class time
• Closed book
Key management
• Distribution of public key
• Use of public key encryption to distribute
secret key
Public announcement of public key
• Uncontrolled public-key distribution
(Diagram: A sends its public key $KU_a$ to every other user.)
Publicly Available Directory
(Diagram: A registers $KU_a$ and B registers $KU_b$ with a public-key directory.)
• Public-key publication
• KU: public key. KR: private key
Publicly Available Directory
• Public-key publication through a public-key authority:
(1) A → Authority: Request || Time1
(2) Authority → A: $E_{KR_{auth}}[KU_b \,||\, \text{Request} \,||\, \text{Time1}]$
(3) A → B: $E_{KU_b}[ID_A \,||\, N_1]$
(4) B → Authority: Request || Time2
(5) Authority → B: $E_{KR_{auth}}[KU_a \,||\, \text{Request} \,||\, \text{Time2}]$
(6) B → A: $E_{KU_a}[N_1 \,||\, N_2]$
(7) A → B: $E_{KU_b}[N_2]$
Public-Key Certificate
(Diagram: a certificate authority issues certificates for $KU_a$ and $KU_b$.)
$C_A = E_{KR_{auth}}[\text{Time1}, ID_A, KU_a]$
$C_B = E_{KR_{auth}}[\text{Time2}, ID_B, KU_b]$
A → B: $C_A$
B → A: $C_B$
• Exchange of Public-key Certificates
Public-Key Certificate
(1) A → B: $KU_a \,||\, ID_A$
(2) B → A: $E_{KU_a}[K_s]$
Simple public-key encryption to establish a session key
It is not secure against an active attack:
• A generates $\{KU_a, KR_a\}$ and sends B $\{KU_a, ID_A\}$
• E intercepts $\{KU_a, ID_A\}$, creates $\{KU_e, KR_e\}$ and sends
$\{KU_e, ID_A\}$ to B
• B generates a secret key $K_s$ and sends $E_{KU_e}[K_s]$
• E intercepts $E_{KU_e}[K_s]$ and learns $K_s$
• E sends $E_{KU_a}[K_s]$ to A
Secret Key distribution with authentication
(1) A → B: $E_{KU_b}[N_1 \,||\, ID_A]$
(2) B → A: $E_{KU_a}[N_1 \,||\, N_2]$
(3) A → B: $E_{KU_b}[N_2]$
(4) A → B: $E_{KU_b}[E_{KR_a}[K_s]]$
• Public-key distribution of secret keys
Secret Key distribution with authentication
• Assume A and B know each other's public keys
(1) A → B: $E_{KU_b}[N_1 \,||\, ID_A]$
(2) B → A: $E_{KU_a}[N_1 \,||\, N_2]$
(3) A → B: $E_{KU_b}[E_{KR_a}[N_2 \,||\, K_s]]$
• Public-key distribution of secret keys
Secret Key distribution with authentication
• Assume A and B know each other's public keys
(1) A → B: $E_{KU_b}[N_1 \,||\, ID_A]$
(2) B → A: $E_{KU_a}[N_1 \,||\, N_2]$
(3) A → B: $E_{KU_b}[N_2]$
(4) A → B: $E_{KU_b}[E_{KR_a}[K_s]]$
• Public-key distribution of secret keys
Diffie-Hellman Key Exchange
• Enables two users to exchange a key securely
• Published in 1976
• Commercial products available
Global Public Elements
• Prime number q
• Primitive root $\alpha$ of q
($\alpha, \alpha^2, \alpha^3, \ldots, \alpha^{q-1} \pmod q$
is a permutation of 1,2,3,…,q-1)
User A Key Generation
• Select private $X_A$ with $X_A < q$
• Compute public $Y_A = \alpha^{X_A} \pmod q$
User B Key Generation
• Select private $X_B$ with $X_B < q$
• Compute public $Y_B = \alpha^{X_B} \pmod q$
Generation of Secret Key by A
User A computes
$K = (Y_B)^{X_A} \pmod q$
User A Key Generation
• A:
$K = (Y_B)^{X_A} \pmod q$
$= (\alpha^{X_B} \pmod q)^{X_A} \pmod q$
$= (\alpha^{X_B})^{X_A} \pmod q$
$= \alpha^{X_B X_A} \pmod q$
Generation of Secret Key by B
User B computes
$K = (Y_A)^{X_B} \pmod q$
Midterm 2008
• 90-100: 1
• 80-89: 2
• 70-79: 4
• 50-60: 2
Problem 1
1. a) What is the plaintext attack? b) Which
of the following encryption methods can be
easily broken by the plaintext attack?
Briefly explain your answer.
(1) Monoalphabetic Cipher (2) Hill Cipher
(3) DES (4) RSA
Attacks
• Ciphertext-only attack:
the attacker only knows ciphertext
• Known-plaintext attack:
the attacker gets some plaintext patterns and their
encryptions
• Chosen-plaintext attack:
the attacker chooses messages to encrypt
Solution
• Monoalphabetic Cipher
• Hill Cipher
Monoalphabetic Cipher
• Plain letters to cipher letters
Plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z
Cipher: Z E I R M F S K B H C U P Q G J T O V W X Y D A L N
• Plaintext to ciphertext
Plaintext:  a t t a c k a t m i d n i g h t
Ciphertext: Z W W Z I C Z W P B R Q B S K W
Monoalphabetic Cipher
• Plain:
abcdefghijklmnopqrstuvwxyz
• Cipher: a permutation of 26 letters
• Number of possible keys:
26! = 1 x 2 x 3 x 4 x … x 25 x 26
Hill Cipher
• C = K P mod 26
C is a column of m cipher letters
K is an m x m matrix
P is a column of m plain letters
• K is invertible, with inverse $K^{-1}$:
$K K^{-1} = I$
I is the m x m matrix that has all ones on the main diagonal
and all zeros beyond the main diagonal
Encryption and Decryption
• Encryption:
$C = E_K(P) = KP \bmod 26$
• Decryption:
$P = D_K(C) = K^{-1} C \bmod 26 = K^{-1} K P = IP = P$
Example
• K =
| 17 17  5 |
| 21 18 21 |
|  2  2 19 |
• $K^{-1}$ =
|  4  9 15 |
| 15 17  6 |
| 24  0 17 |
Example
$K K^{-1}$ =
| 443 442 442 |
| 858 495 780 |  mod 26  =
| 494  52 365 |
| 1 0 0 |
| 0 1 0 |
| 0 0 1 |
Hill Cipher Security
With three known plaintext blocks (the columns of P) and their ciphertext blocks (the columns of C):
| c11 c12 c13 |   | k11 k12 k13 |   | p11 p12 p13 |
| c21 c22 c23 | = | k21 k22 k23 | . | p21 p22 p23 |
| c31 c32 c33 |   | k31 k32 k33 |   | p31 p32 p33 |
$C = KP$
$C P^{-1} = K$
Conclusion
• The Hill cipher is easy to break by a known-plaintext attack.
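As an added example (not from the slides), the known-plaintext recovery $K = C P^{-1} \bmod 26$ carried out in Python on the 3x3 key from the slide; the matrix inverse mod 26 is computed via the adjugate, which also reproduces the slide's $K^{-1}$, and the three plaintext blocks are constructed here (they must form an invertible matrix mod 26, which the code checks).

```python
# Added example: Hill cipher key recovery from three plaintext/ciphertext block
# pairs.  The key K and its inverse are the ones on the slide; the plaintext
# blocks are constructed (letters a=0 .. z=25, each block one column).

MOD = 26


def mat_mul(a, b):
    """Product of two 3x3 matrices mod 26."""
    return [[sum(a[i][k] * b[k][j] for k in range(3)) % MOD for j in range(3)]
            for i in range(3)]


def mat_inv(m):
    """Inverse of a 3x3 matrix mod 26 via the adjugate; None when det has no
    inverse mod 26 (the same test a key must pass to be usable at all)."""
    det = (m[0][0] * (m[1][1] * m[2][2] - m[1][2] * m[2][1])
           - m[0][1] * (m[1][0] * m[2][2] - m[1][2] * m[2][0])
           + m[0][2] * (m[1][0] * m[2][1] - m[1][1] * m[2][0])) % MOD
    try:
        det_inv = pow(det, -1, MOD)
    except ValueError:
        return None
    cof = [[0] * 3 for _ in range(3)]
    for i in range(3):
        for j in range(3):
            rows = [r for r in range(3) if r != i]
            cols = [c for c in range(3) if c != j]
            minor = (m[rows[0]][cols[0]] * m[rows[1]][cols[1]]
                     - m[rows[0]][cols[1]] * m[rows[1]][cols[0]])
            cof[i][j] = (-1) ** (i + j) * minor
    # adjugate = transpose of the cofactor matrix
    return [[(det_inv * cof[j][i]) % MOD for j in range(3)] for i in range(3)]


def encrypt_blocks(key, plain_cols):
    """C = K P mod 26 for a matrix whose columns are plaintext blocks."""
    return mat_mul(key, plain_cols)


def recover_key(plain_cols, cipher_cols):
    """K = C P^-1 mod 26; needs the plaintext matrix to be invertible."""
    p_inv = mat_inv(plain_cols)
    if p_inv is None:
        return None
    return mat_mul(cipher_cols, p_inv)


K = [[17, 17, 5], [21, 18, 21], [2, 2, 19]]            # key from the slide
K_INV_SLIDE = [[4, 9, 15], [15, 17, 6], [24, 0, 17]]  # inverse from the slide

# Constructed known plaintext: blocks "hid", "elo", "low" as columns.
P = [[7, 4, 11], [8, 11, 14], [3, 14, 22]]

if __name__ == "__main__":
    C = encrypt_blocks(K, P)
    print("ciphertext columns:", C)
    print("recovered key:", recover_key(P, C))
```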
Problem 2
2. a) Which parts of DES use the permutation method?
b) Which parts of DES use the substitution
method?
c) Explain why DES is invertible (verify that each
round is easy to invert).
Answer
• A) Stage 1, stage 3, and all 16 rounds of stage 2.
• B) All 16 rounds of stage 2
• C) The invertibility of stage 1 and stage 3 is
based on $IP \cdot IP^{-1} = 1$ (the identity)
The 16 rounds of stage 2 are described by …
Three stages
• Stage 1: apply a fixed permutation IP
$(L_0, R_0) = IP(\text{Input Block})$
• Stage 2: 16 rounds of operations (i=1,2,…,16)
$L_i = R_{i-1}$
$R_i = L_{i-1} \oplus f(R_{i-1}, k_i)$
• Stage 3: Output
$\text{Output block} = IP^{-1}(R_{16}, L_{16})$
Stage 1
• Apply a fixed permutation IP
$(L_0, R_0) = IP(\text{Input Block})$
• $L_0$ is the left 32 bits
• $R_0$ is the right 32 bits
• IP is a fixed permutation function
Stage 2
• 16 rounds of operations (i=1,2,…,16)
$L_i = R_{i-1}$
$R_i = L_{i-1} \oplus f(R_{i-1}, k_i)$
• Function f is called the "S"-box function ("S" for substitution)
• $k_i$ is a 48-bit key, a substring of the 56-bit input key
One Round Feistel Cipher
• One round
(Diagram: inputs $L_{i-1}$ and $R_{i-1}$; $R_{i-1}$ goes through f and the result is XORed with $L_{i-1}$; outputs $L_i$ and $R_i$.)
Principles
• The substitution is used in f
• The permutation is applied in each of the 16 rounds
(Diagram: $(L_0, R_0) \to f \to (L_1, R_1) \to f \to (L_2, R_2) \to \cdots \to (L_{16}, R_{16})$)
Stage 3
• Output
$\text{Output block} = IP^{-1}(R_{16}, L_{16})$
$IP^{-1}$ is the inverse of IP
One Round Feistel Cipher
• One round (the last one)
(Diagram: inputs $L_{15}$ and $R_{15}$; f with key $k_{16}$; outputs $L_{16}$ and $R_{16}$.)
Decryption
• First stage:
$(L_0', R_0') = IP(c) = IP(IP^{-1}(R_{16}, L_{16})) = (R_{16}, L_{16})$
• Second stage (with $k_1' = k_{16}$):
$L_1' = R_0' = L_{16}$
$R_1' = L_0' \oplus f(R_0', k_1') = R_{16} \oplus f(L_{16}, k_1')$
$L_1' = R_{15}$
$R_1' = (L_{15} \oplus f(R_{15}, k_{16})) \oplus f(R_{15}, k_{16}) = L_{15}$
Decryption
• Available information
(1) keys: $k_1, k_2, \ldots, k_{16}$
(2) IP
(3) Ciphertext: C
Decryption
• First stage
$(L_0', R_0') = IP(c) = IP(IP^{-1}(R_{16}, L_{16})) = (R_{16}, L_{16})$
$L_1' = R_0' = L_{16}$
$R_1' = L_0' \oplus f(R_0', k_1') = R_{16} \oplus f(L_{16}, k_1')$
$L_1' = R_{15}$
$R_1' = (L_{15} \oplus f(R_{15}, k_{16})) \oplus f(R_{15}, k_{16}) = L_{15}$
Part b)
• Permutation: IP, and the left-to-right and right-to-left swap in each of the 16 rounds.
• Substitution: the S-boxes in each of those 16 rounds.
Function $f(R_{i-1}, K_i)$
(Diagram: $R_{i-1}$ (32 bits) → E → 48 bits, XOR with $K_i$ (48 bits), split into 8 x 6 bits → $S_1 S_2 S_3 S_4 S_5 S_6 S_7 S_8$ → 8 x 4 = 32 bits → P → 32 bits)
$f(R_{i-1}, K_i) = P(S(E(R_{i-1}) \oplus K_i))$
Function $f(R_{i-1}, K_i) = P(S(E(R_{i-1}) \oplus K_i))$
• (a) $T = E(R_{i-1})$: expansion from 32 bits to 48 bits
• (b) $T' = T \oplus K_i = (B_1, \ldots, B_8)$, each $B_i$ is 6 bits
• (c) $T'' = (S_1(B_1), S_2(B_2), \ldots, S_8(B_8))$
Each $S_i$ is a 4x16 2D table with 4 bits at each entry
$B_i$ determines an entry in the $S_i$ table
• (d) $T''' = P(T'')$
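As an added example (not from the slides), the Feistel structure of stage 2 in Python with a constructed toy round function standing in for DES's f (the real E, S-box and P operations are not implemented), showing what the decryption slides derive: running the same rounds with the subkeys in reverse order undoes encryption, and a single round is undone with one XOR without ever inverting f. The 16-bit half-blocks and the subkey schedule are also constructed here.

```python
# Added example: Feistel rounds L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, k_i)
# with a toy f, 32-bit blocks and 16 constructed subkeys.  IP / IP^-1 are omitted
# since fixed permutations do not affect the invertibility argument.

MASK16 = 0xFFFF


def toy_f(right, subkey):
    """Constructed round function on a 16-bit half-block (not DES's f):
    mix in the subkey, rotate, then a multiply-add.  It need not be invertible."""
    x = (right ^ subkey) & MASK16
    x = ((x << 5) | (x >> 11)) & MASK16
    return (x * 0x9E37 + 0x1234) & MASK16


def feistel_rounds(left, right, subkeys):
    """Stage 2: one round per subkey."""
    for k in subkeys:
        left, right = right, left ^ toy_f(right, k)
    return left, right


def encrypt(block, subkeys):
    """Split the block, run the rounds, output (R16, L16) with swapped halves
    as DES does before IP^-1."""
    left, right = block >> 16, block & MASK16
    left, right = feistel_rounds(left, right, subkeys)
    return (right << 16) | left


def decrypt(block, subkeys):
    """Same rounds with k16, ..., k1.  The input halves are already
    (R16, L16), so the first decryption round yields (R15, L15), and after 16
    rounds (R0, L0); the final swap restores (L0, R0)."""
    left, right = block >> 16, block & MASK16
    left, right = feistel_rounds(left, right, list(reversed(subkeys)))
    return (right << 16) | left


def one_round_inverse(left_i, right_i, subkey):
    """Undo a single round: given (L_i, R_i) and k_i return (L_{i-1}, R_{i-1}).
    R_{i-1} = L_i and L_{i-1} = R_i XOR f(R_{i-1}, k_i), because XOR is its own
    inverse; f itself is only ever evaluated forwards."""
    right_prev = left_i
    left_prev = right_i ^ toy_f(right_prev, subkey)
    return left_prev, right_prev


SUBKEYS = [(0x1357 * (i + 1) + 0x0F0F * i) & MASK16 for i in range(16)]  # constructed

if __name__ == "__main__":
    pt = 0xDEADBEEF
    ct = encrypt(pt, SUBKEYS)
    print(hex(ct), hex(decrypt(ct, SUBKEYS)))
```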
Problem 3
3. a) Use the Euclidean algorithm to compute
gcd(904,162).
b) Prove that the Euclidean algorithm takes at
most 2 log n divisions to compute gcd(m,n).
You can assume that dividing integer a by
another integer b gives both the quotient q
and the remainder r with a=b*q+r.
Greatest common divisor
• Divisor: For two integers b and c, if b=c*z for some integer
z, c is a divisor of b.
• Greatest common divisor: Given two integers a and b,
gcd(a,b) is the greatest positive integer c such that c is a
divisor of both a and b.
• Examples: gcd(10,4)=2, gcd(16,100)=4
• Problem: How to find gcd(a,b)?
Modular
• Assume a and b are two positive integers
$a = qb + r$
$0 \le r < b$, $q = \lfloor a/b \rfloor$
$\gcd(a, b) = \gcd(b, r)$
• This is a recursive equation since the second item goes
down
Solution
• gcd(904,162): $904 = 5 \cdot 162 + 94$
• gcd(162,94): $162 = 1 \cdot 94 + 68$
• gcd(94,68): $94 = 1 \cdot 68 + 26$
• gcd(68,26): $68 = 2 \cdot 26 + 16$
• gcd(26,16): $26 = 1 \cdot 16 + 10$
• gcd(16,10): $16 = 1 \cdot 10 + 6$
• gcd(10,6): $10 = 1 \cdot 6 + 4$
• gcd(6,4): $6 = 1 \cdot 4 + 2$
• gcd(4,2)=2: $4 = 2 \cdot 2 + 0$
Euclid algorithm
• Assume $a_1$ and $a_2$ are two positive integers
$a_1 = q_1 a_2 + a_3$, $0 \le a_3 < a_2$
$a_2 = q_2 a_3 + a_4$, $0 \le a_4 < a_3$
$a_3 = q_3 a_4 + a_5$, $0 \le a_5 < a_4$
.......
$a_{m-2} = q_{m-2} a_{m-1} + a_m$, $0 \le a_m < a_{m-1}$
$a_{m-1} = q_{m-1} a_m$
Observation
Each $a_i$ can be expressed as $a_i = u_i a_1 + v_i a_2$ for some
integers $u_i, v_i$
Proof: It is true for i=1,2. Assume it is true for all cases <i.
Since $a_{i-2} = q_{i-2} a_{i-1} + a_i$ and, by the inductive assumption,
$a_{i-2} = u_{i-2} a_1 + v_{i-2} a_2$ and $a_{i-1} = u_{i-1} a_1 + v_{i-1} a_2$,
we have
$u_{i-2} a_1 + v_{i-2} a_2 = q_{i-2}(u_{i-1} a_1 + v_{i-1} a_2) + a_i$
$(u_{i-2} - q_{i-2} u_{i-1}) a_1 + (v_{i-2} - q_{i-2} v_{i-1}) a_2 = a_i$
Speed of Euclid algorithm
• Assume $a_1$ and $a_2$ are two positive integers
$a_1 = q_1 a_2 + a_3$, $0 \le a_3 < a_2$, $q_1 = \lfloor a_1 / a_2 \rfloor$
$\gcd(a_1, a_2) = \gcd(a_2, a_3)$
$a_2 = q_2 a_3 + a_4$, $0 \le a_4 < a_3$, $q_2 = \lfloor a_2 / a_3 \rfloor$
$\gcd(a_2, a_3) = \gcd(a_3, a_4)$
• If $a_3 > a_2 / 2$, we have $a_2 = 1 \cdot a_3 + (a_2 - a_3)$,
$(a_2 - a_3) < a_2 / 2$
• In other words, $a_4 = (a_2 - a_3) < a_2 / 2$
Problem 4
4. a) In the RSA system, the public key of a
given user is e=41, n=3599. What is the
private key? Show each step of your
calculation.
b) Why does the security of RSA depend on
the intractability of the factorization and
discrete logarithm problems? Why do we
need large prime numbers for RSA?
Solution
Part a.
n=59*61.
$\phi(n) = (59-1)*(61-1) = 3480$
The inverse of e=41 is d=2801 (mod 3480).
Solution
3480=41*84+36
41=36*1+5
36=5*7+1
1=36-5*7=36-7*(41-36*1)
=8*36-7*41
=8*(3480-41*84)-7*41
=8*3480-679*41.
2801=-679 (mod 3480)
Part b.
If n=p*q can be factorized easily, one can
compute (p-1)*(q-1) and find d with
e*d=1 (mod (p-1)(q-1)).
Part c.
• If factorization is easy, we can find p and q for n=p*q.
With p, q and n, we can find d.
• The discrete logarithm problem is to find x from y and n, where
$y = a^x \pmod n$
With a pair of messages a and $a^d \pmod n$, we can find d from the discrete log.
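As an added example (not from the slides), the extended Euclidean algorithm from the "Observation" slide (each remainder $a_i$ carried along as $u_i a_1 + v_i a_2$) in Python, used to compute the RSA private exponent $d = e^{-1} \bmod \phi(n)$ for the exam instance above and for the RSA example slide, and to count the divisions against the $2 \log n$ bound. The factorization 3599 = 59·61 is the one given in the solution.

```python
# Added example: extended Euclid, modular inverse and RSA key setup as on the
# slides.  Division count is returned so the 2 log2(n) bound can be checked.
import math


def extended_gcd(a, b):
    """Return (g, u, v, divisions) with g = gcd(a, b) = u*a + v*b."""
    # Invariant: old_r = old_u*a + old_v*b and r = u*a + v*b.
    old_r, r = a, b
    old_u, u = 1, 0
    old_v, v = 0, 1
    divisions = 0
    while r != 0:
        q = old_r // r                  # one division: a_{i-2} = q a_{i-1} + a_i
        old_r, r = r, old_r - q * r
        old_u, u = u, old_u - q * u     # u_i = u_{i-2} - q u_{i-1}
        old_v, v = v, old_v - q * v     # v_i = v_{i-2} - q v_{i-1}
        divisions += 1
    return old_r, old_u, old_v, divisions


def mod_inverse(e, phi):
    """d with e*d = 1 (mod phi); raises when gcd(e, phi) != 1."""
    g, u, _, _ = extended_gcd(e, phi)
    if g != 1:
        raise ValueError(f"{e} has no inverse mod {phi}")
    return u % phi


def rsa_keygen(p, q, e):
    """RSA key setup from the slides: N = pq, phi = (p-1)(q-1), d = e^-1 mod phi.
    Returns ((N, e), d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(N)")
    return (n, e), mod_inverse(e, phi)


def rsa_encrypt(m, public):
    n, e = public
    return pow(m, e, n)


def rsa_decrypt(c, d, n):
    return pow(c, d, n)


if __name__ == "__main__":
    for p, q, e in ((59, 61, 41), (5, 11, 3), (7, 13, 5)):
        public, d = rsa_keygen(p, q, e)
        print(f"n={public[0]} e={e} -> d={d}")
    g, u, v, steps = extended_gcd(904, 162)
    print(f"gcd(904,162)={g} = {u}*904 + {v}*162 in {steps} divisions "
          f"(bound 2*log2(904) = {2 * math.log2(904):.1f})")
```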
Gcd(int a, int b)
    #include <stdlib.h>   /* rand(), used by primality() below */

    /* Euclid's algorithm; requires b > 0 (a % 0 is undefined). */
    int gcd(int a, int b){
        if ((a%b)==0) return b;
        return gcd(b, a%b);
    }
exponent( int a, int e, int m):
    /* Fast exponentiation a^e mod m by the recursion on the slides.
       Note: with int operands temp*temp overflows once m exceeds about
       46340, so real moduli need a wider type. */
    int exponent(int a, int e, int m){
        int temp;
        if (e==1) return a%m;
        if (e==0) return 1;
        if (e%2==0) {
            temp=exponent(a, e/2, m);
            return (temp*temp)%m;
        }
        else{
            temp=exponent(a, e/2, m);
            return (((temp*temp)%m)*a)%m;   /* reduce before multiplying by a */
        }
    }
Bad Implementation
    return (temp*temp*a)%m;   /* three factors multiplied before any reduction: overflows earlier */
primality(int p)
    /* One round of the first test: "composite" (0) if gcd(a,p)>1 or
       a^((p-1)/2) is neither 1 nor -1 (stored as p-1) mod p. */
    int primality(int p){
        int a, temp;
        if (p<=1) return 0;
        if (p==2) return 1;
        a=1+(rand()%(p-1));                    /* random a in [1, p-1] */
        if (gcd(a, p)>1) return 0;
        temp=exponent(a, (p-1)/2,p);
        if ((temp!=1)&&(temp!=p-1)) return 0;  /* -1 mod p is represented as p-1 */
        return 1;
    }
Bad Implementation
    temp=exponent(a, (p-1)/2,p);
    if ((temp!=1)&&(temp!=-1)) return 0;   /* exponent() never returns -1; -1 mod p is p-1 */
Bad Implementation
    a=rand()%p;   /* may pick a=0, which is not in (0, p) */
Bad Implementation
    if ((exponent(a, (p-1)/2,p)!=1)
    &&
    (temp=exponent(a, (p-1)/2,p)!=p-1))   /* recomputes the power, and assigns the comparison result to temp */
    return 0;
Problem 5
5. a) How many multiplications does it take to
compute $5^{596} \pmod{1234}$ by using the fast
exponentiation algorithm? Show the steps of your
calculation. You only need to get the number of
multiplications instead of the final result.
b) Explain why RSA needs fast exponentiation.
Solution
• It takes 12 multiplications
$5^{596} = 5^{298} \cdot 5^{298}$
$5^{298} = 5^{149} \cdot 5^{149}$
$5^{149} = 5^{74} \cdot 5^{74} \cdot 5$
$5^{74} = 5^{37} \cdot 5^{37}$
$5^{37} = 5^{18} \cdot 5^{18} \cdot 5$
$5^{18} = 5^{9} \cdot 5^{9}$
$5^{9} = 5^{4} \cdot 5^{4} \cdot 5$
$5^{4} = 5^{2} \cdot 5^{2}$
$5^{2} = 5 \cdot 5$
Midterm 2010
• 90-100: 1
• 80-89: 7
• 70-79: 5
• 60-70: 3
• <60: 1
Problem 1
1. a) Which of the following encryption
methods use the substitution method? b) Which
of them use the permutation method?
c) Which of them use both methods? Briefly
explain your answer.
(1) Monoalphabetic Cipher (2) Playfair cipher
(3) Transposition cipher (4) Hill Cipher (5)
DES (6) RSA
Solution
• Substitution: Monoalphabetic Cipher,
Playfair cipher, Hill Cipher, DES
• Permutation: Transposition cipher, DES.
• Both: DES
Problem 2
2. a) Which parts of DES use the permutation method?
b) Which parts of DES use the substitution
method?
c) Explain why DES is invertible (verify that each
round is easy to invert).
Answer
• A) Stage 1, stage 3, and all 16 rounds of stage 2.
• B) All 16 rounds of stage 2
• C) The invertibility of stage 1 and stage 3 is
based on $IP \cdot IP^{-1} = 1$ (the identity)
The 16 rounds of stage 2 are described by …
Problem 3
3. a) Use the Euclidean algorithm to compute
gcd(78,104). Show your steps.
b) Prove that the Euclidean algorithm takes at
most 2 log n divisions to compute gcd(m,n)
with m<n. You can assume that dividing
integer a by another integer b gives both the
quotient q and the remainder r with
a=b*q+r.
Solution
• gcd(104,78): $104 = 1 \cdot 78 + 26$
• gcd(78,26)=26: $78 = 3 \cdot 26 + 0$
Problem 4
• 4. a) In the RSA system, the public key of a
given user is e=3, n=55. What is the private
key? Show each step of your calculation.
• b) Why does the security of RSA depend on
the intractability of the factorization and
discrete logarithm problems?
• c) Why do we need large prime numbers
for RSA?
Solution
Part a.
n=5*11.
$\phi(n) = (5-1)*(11-1) = 40$
The inverse of e=3 is d=27 (mod 40).
Solution
40=13*3+1
1=40-13*3
27=-13 (mod 40)
Part b.
If n=p*q can be factorized easily, one can
compute (p-1)*(q-1) and find d with
e*d=1 (mod (p-1)(q-1)).
Part c.
• If factorization is easy, we can find p and q for n=p*q.
With p, q and n, we can find d.
• The discrete logarithm problem is to find x from y and n, where
$y = a^x \pmod n$
With a pair of messages a and $a^d \pmod n$, we can find d from the discrete log.
Problem 5
5. a) How many multiplications does it take to
compute $5^{596} \pmod{1234}$ by using the fast
exponentiation algorithm? Show the steps of your
calculation. You only need to get the number of
multiplications instead of the final result.
b) Explain why RSA needs fast exponentiation.
Solution
• It takes 12 multiplications
$5^{596} = 5^{298} \cdot 5^{298}$
$5^{298} = 5^{149} \cdot 5^{149}$
$5^{149} = 5^{74} \cdot 5^{74} \cdot 5$
$5^{74} = 5^{37} \cdot 5^{37}$
$5^{37} = 5^{18} \cdot 5^{18} \cdot 5$
$5^{18} = 5^{9} \cdot 5^{9}$
$5^{9} = 5^{4} \cdot 5^{4} \cdot 5$
$5^{4} = 5^{2} \cdot 5^{2}$
$5^{2} = 5 \cdot 5$
Problem 6
6.Suppose we have a set of blocks encoded
with the RSA algorithm and we don’t have
the private key. Assume n=pq, e is the
public key. Suppose also someone tells us
they know one of the plaintext blocks has a
common factor with n. Show that the RSA
system can be broken.
Solution
• Assume that the block m has a common factor with n.
• The plaintext m is encrypted into the ciphertext
$c = m^{K_{public}} \pmod n$
• The ciphertext c also has a common factor with n.
• Compute gcd(c,n) to get one of the two factors, and from it
also the second.
• With the two factors and the public key, compute the private
key.
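As an added example (not from the slides), the observation in the solution above worked in Python on the small key from the RSA example slide (n = 91 = 7·13, e = 5): a plaintext block that shares a factor with n yields a ciphertext that shares the same factor, so gcd(c, n) reveals p and the private exponent follows. The plaintext blocks are constructed here; this is the reason real RSA deployments never encrypt raw blocks but pad messages so that such blocks do not occur.

```python
# Added example: recovering an RSA private key from a ciphertext block that
# shares a factor with n (Problem 6).  n = 91 and e = 5 are from the slides;
# the plaintext blocks are constructed.
import math


def factor_from_block(c, n):
    """Return a non-trivial factor of n shared with ciphertext block c, or None."""
    g = math.gcd(c, n)
    return g if 1 < g < n else None


def private_key_from_factor(p, n, e):
    """Given one prime factor p of n = p*q, recompute phi(n) and d = e^-1 mod phi."""
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def break_with_shared_factor(ciphertexts, n, e):
    """Scan blocks for one sharing a factor with n; if found, recover d and
    decrypt every block.  Returns (d, plaintexts) or None when no block leaks."""
    for c in ciphertexts:
        p = factor_from_block(c, n)
        if p is not None:
            d = private_key_from_factor(p, n, e)
            return d, [pow(c, d, n) for c in ciphertexts]
    return None


N, E = 91, 5
# Constructed blocks: 14 = 2*7 shares the factor 7 with n, the others do not.
BLOCKS = [3, 14, 50, 88]

if __name__ == "__main__":
    cts = [pow(m, E, N) for m in BLOCKS]
    print("ciphertexts:", cts)
    print("recovered (d, plaintexts):", break_with_shared_factor(cts, N, E))
```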
Problem 7
7. Users A and B use the Diffie-Hellman key
exchange method with a common prime
q=7 and primitive root a=3. If user A has
private key =2, and user B has private key
=4, what is the shared secret key? Show the
steps of your calculation.
Solution
• A calculates $\alpha^{X_A} = 3^2 = 9 \equiv 2 \pmod q$
• B calculates $\alpha^{X_B} = 3^4 = 81 \equiv 4 \pmod q$
• A calculates $(\alpha^{X_B})^{X_A} = 4^2 = 16 \equiv 2 \pmod q$
• B calculates $(\alpha^{X_A})^{X_B} = 2^4 = 16 \equiv 2 \pmod q$
• The shared key is 2.
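As an added example (not from the slides), the Diffie-Hellman exchange of the "Global Public Elements" and key-generation slides run in Python on the Problem 7 parameters (q = 7, $\alpha$ = 3, $X_A$ = 2, $X_B$ = 4): it first verifies that $\alpha$ is a primitive root (its powers permute 1..q-1, as the slides require), then computes both sides' public values and confirms both arrive at K = 2 = $\alpha^{X_A X_B} \bmod q$.

```python
# Added example: Diffie-Hellman with a primitive-root check, on the exam values.

def is_primitive_root(alpha, q):
    """alpha is a primitive root of the prime q iff alpha, alpha^2, ..., alpha^(q-1)
    mod q hit every non-zero residue exactly once."""
    return sorted(pow(alpha, x, q) for x in range(1, q)) == list(range(1, q))


def public_value(alpha, q, x):
    """Y = alpha^X mod q."""
    return pow(alpha, x, q)


def shared_key(other_public, x, q):
    """K = (Y_other)^X mod q."""
    return pow(other_public, x, q)


def dh_exchange(alpha, q, x_a, x_b):
    """Both sides' computations; returns (Y_A, Y_B, K_A, K_B)."""
    if not is_primitive_root(alpha, q):
        raise ValueError(f"{alpha} is not a primitive root of {q}")
    if not (0 < x_a < q and 0 < x_b < q):
        raise ValueError("private values must lie in (0, q)")
    y_a = public_value(alpha, q, x_a)     # A publishes Y_A
    y_b = public_value(alpha, q, x_b)     # B publishes Y_B
    k_a = shared_key(y_b, x_a, q)         # A: (Y_B)^X_A
    k_b = shared_key(y_a, x_b, q)         # B: (Y_A)^X_B
    return y_a, y_b, k_a, k_b


if __name__ == "__main__":
    print(dh_exchange(3, 7, 2, 4))        # (2, 4, 2, 2)
    print(is_primitive_root(2, 7))        # False: 2^3 = 1 mod 7
```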
Authentication
• Masquerade: illegal insertion of messages into the network
• Content modification: change of the content of a message
• Sequence modification: modification of a sequence of messages
• Timing modification: delay or replay of a message
• Source repudiation: denial of transmission by the source
• Destination repudiation: denial of receipt by the destination
Two levels of authentication
• Produce an authenticator
• Verify the authenticity of a message
Authentication Methods
• Message encryption
• Message authentication (MAC)
• Hash function
Symmetric Encryption
• Encrypt the message M with key K shared by A and B
(Diagram: Source: M → E with K → $E_K(M)$ → Destination: D with K → M)
Message Encryption
Append a checksum to message M and encrypt them together
(Diagram: Source computes F(M) and sends $E_K(M \,||\, F(M))$; Destination decrypts with K, recomputes F(M) and compares it with the received F(M).)
Public Key encryption
• Public key encryption: confidentiality
(Diagram: Source: M → E with $KU_b$ → $E_{KU_b}(M)$ → Destination: D with $KR_b$ → M)
Public Key encryption
• Public key encryption: authentication and signature
(Diagram: Source: M → E with $KR_a$ → $E_{KR_a}(M)$ → Destination: D with $KU_a$ → M)
Public Key encryption
• Public key encryption: confidentiality, authentication and
signature
(Diagram: Source: M → E with $KR_a$ → $E_{KR_a}(M)$ → E with $KU_b$ → $E_{KU_b}[E_{KR_a}(M)]$ → Destination: D with $KR_b$ → $E_{KR_a}(M)$ → D with $KU_a$ → M)
Message Authentication Code
• Use a secret key to generate a small fixed-size block of
data, the MAC, that is appended to the message
$MAC = C_K(M)$
• M = input message
• C = MAC function
• K = shared secret key
• MAC = message authentication code
Message Authentication
Append MAC to message
(Diagram: Source computes $C_K(M)$ and sends $M \,||\, C_K(M)$; Destination recomputes $C_K(M)$ with K and compares it with the received MAC.)
Message Authentication
Authentication and confidentiality
(Diagram: Source computes $C_{K_1}(M)$ and sends $E_{K_2}(M \,||\, C_{K_1}(M))$; Destination decrypts with $K_2$, recomputes $C_{K_1}(M)$ and compares.)
Hash Function
• A hash function accepts a variable-size
message M as input and produces a fixed-
size output, H(M)
• There is no key controlling the hash function
Hash
Message plus concatenated hash code is encrypted using
symmetric encryption
(Diagram: Source computes H(M) and sends $E_K(M \,||\, H(M))$; Destination decrypts with K, recomputes H(M) and compares.)
Requirements for Hash function
• H(x) is easy to compute
• Given h, it is computationally hard to find x such that
H(x)=h: One-way property
• Given x, it is computationally hard to find y ≠ x such that
H(x)=H(y): Weak collision resistance
• It is computationally hard to find x ≠ y such that
H(x)=H(y): Strong collision resistance
Protocol
• Alice picks a random integer x and computes f(x).
She reads f(x) to Bob on the phone
• Bob tells Alice his guess of x as even or odd
• Alice reads x to Bob
• Bob verifies f(x) and sees if his guess was correct
Magic function f(x)
• For every integer x, f(x) is easy to compute.
• Given f(x), it is very hard to find any information about
x.
• It is impossible to find different x and y with
f(x)=f(y)
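As an added example (not from the slides), the phone coin-flip protocol above in Python with SHA-256 standing in for the "magic function" f. The check a practitioner adds is a random nonce inside the commitment: a commitment to f(x) alone does not hide a small x, since Bob can simply try every candidate, so Alice commits to f(nonce || x) and reveals both values in step 3.

```python
# Added example: hash commitment for the coin-flip protocol, with and without a
# nonce.  SHA-256 is the stand-in for f; nothing here is the slides' own code.
import hashlib
import secrets


def commit(x, nonce):
    """Alice's commitment f(nonce || x), with f = SHA-256."""
    return hashlib.sha256(nonce + x.to_bytes(8, "big")).hexdigest()


def bob_guess_from_commitment(commitment, max_x):
    """What Bob can do when NO nonce is used: try every small x and read off
    its parity.  Returns the recovered x or None."""
    for x in range(max_x):
        if commit(x, b"") == commitment:
            return x
    return None


def run_protocol(alice_x, bob_guess_even, use_nonce=True):
    """Full exchange; returns (bob_was_right, commitment_verified)."""
    nonce = secrets.token_bytes(16) if use_nonce else b""
    c = commit(alice_x, nonce)                    # 1. Alice reads f(x) to Bob
    revealed_x, revealed_nonce = alice_x, nonce   # 2. Bob guesses, 3. Alice reveals
    verified = commit(revealed_x, revealed_nonce) == c   # 4. Bob recomputes f
    bob_right = (revealed_x % 2 == 0) == bob_guess_even
    return bob_right, verified


if __name__ == "__main__":
    print(run_protocol(1234567, bob_guess_even=True))
    # Without a nonce a commitment to a small x is not hiding:
    print("Bob recovers x =", bob_guess_from_commitment(commit(42, b""), 1000))
```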
Birthday attack
• Among k people, what is the probability that two of
them have the same birthday?
Counting
• k people: $p_1, p_2, \ldots, p_k$
• The number of cases in which all of them have different
birthdays:
$365 \cdot 364 \cdots (365 - k + 1) = \frac{365!}{(365-k)!}$
• The number of all possible k birthdays:
$365^k$
Probability
• k people: $p_1, p_2, \ldots, p_k$
• The probability that k people have different birthdays:
$Q(365, k) = \frac{365!/(365-k)!}{365^k} = \frac{365!}{365^k (365-k)!}$
Birthday Paradox
• k people: $p_1, p_2, \ldots, p_k$
• The probability that at least 2 people have the same birthday:
$P(365, k) = 1 - Q(365, k) = 1 - \frac{365!}{365^k (365-k)!}$
$P(365, 23) \approx 0.5072$
$P(365, 30) \approx 0.7$
$P(365, 100) \approx 0.999$
Counting
• Select k random numbers between 1 and n: $p_1, p_2, \ldots, p_k$
• The number of cases in which all of them are different:
$n(n-1)\cdots(n-k+1)$
• The number of all possible k-tuples:
$n^k$
Probability
• k numbers between 1 and n: $p_1, p_2, \ldots, p_k$
• The probability that the k numbers are different:
$Q(n, k) = \frac{n(n-1)\cdots(n-k+1)}{n^k}$
Birthday Paradox
• k numbers between 1 and n: $p_1, p_2, \ldots, p_k$
• The probability that at least 2 of them are the same:
$P(n, k) = 1 - Q(n, k)$
$= 1 - \frac{n(n-1)\cdots(n-k+1)}{n^k}$
$= 1 - \frac{n}{n} \cdot \frac{n-1}{n} \cdot \frac{n-2}{n} \cdots \frac{n-k+1}{n}$
$= 1 - \left(1 - \frac{1}{n}\right)\left(1 - \frac{2}{n}\right) \cdots \left(1 - \frac{k-1}{n}\right)$
Birthday Paradox
• For $x \ge 0$, consider the function $f(x) = e^{-x}$
$f'(x) = -e^{-x}$,
$f'(0) = -1$
$f''(x) = e^{-x} > 0$
Taylor: $f(x) = f(0) + f'(0)\,x + f''(\xi)\,x^2/2$ for some $0 \le \xi \le x$, so
$e^{-x} \ge 1 - x$
Birthday Paradox
$P(n, k) = 1 - Q(n, k)$
$= 1 - \frac{n(n-1)\cdots(n-k+1)}{n^k}$
$= 1 - \frac{n}{n} \cdot \frac{n-1}{n} \cdot \frac{n-2}{n} \cdots \frac{n-k+1}{n}$
$= 1 - \left(1 - \frac{1}{n}\right)\left(1 - \frac{2}{n}\right) \cdots \left(1 - \frac{k-1}{n}\right)$
$\ge 1 - e^{-1/n} e^{-2/n} \cdots e^{-(k-1)/n}$
$= 1 - e^{-(1 + 2 + \cdots + (k-1))/n}$
$= 1 - e^{-k(k-1)/2n}$
Birthday Paradox
$P(n, k) = 1 - Q(n, k) \ge 1 - e^{-k(k-1)/2n}$
Let
$1/2 = 1 - e^{-k(k-1)/2n}$
$1/2 = e^{-k(k-1)/2n}$
$2 = e^{k(k-1)/2n}$
$k \approx \sqrt{2 \ln 2 \cdot n} \approx 1.18\sqrt{n} \approx \sqrt{n}$
Attack Hash
• Hash function H has $2^m$ possible values
• Select k random values and apply H to them
• If $k \approx 2^{m/2}$, there is a collision H(x)=H(y) for different x and
y with big chance.
Overlap between two sets
Given two sets {x1 , x2 ,..., xk } and { y1 , y 2 ,..., yk }
Each element has random value between 1 and n
What is the probability R(n,k) that two sets are not disjoint?
Overlap between two sets
Given two sets X {x1 , x2 ,..., xk } and Y { y1 , y2 ,..., yk }
Each element has random value between 1 and n
• The probability that y1 does not match x1 is 1 1
n
• The probability that no match in Y to x1 is (1 ) 1 k
n
• The probability that no match in Y to X is
((1 ) ) (1 )
2
1 k k 1 k
n n
Overlap between two sets
Given two sets $X = \{x_1, x_2, \ldots, x_k\}$ and $Y = \{y_1, y_2, \ldots, y_k\}$, each element a random value between 1 and n:
R(n,k) is the probability that at least one element of Y matches an element of X:
$R(n,k) = 1 - \left(1 - \frac{1}{n}\right)^{k^2}$
Overlap between two sets
Since $1 - x \le e^{-x}$ for x > 0,
$R(n,k) = 1 - \left(1 - \frac{1}{n}\right)^{k^2} \ge 1 - \left(e^{-1/n}\right)^{k^2} = 1 - e^{-k^2/n}$
Overlap between two sets
$R(n,k) \ge 1 - e^{-k^2/n}$
Let $1/2 = 1 - e^{-k^2/n}$; then
$2 = e^{k^2/n}$
$\ln 2 = k^2/n$
$k = \sqrt{(\ln 2)\,n} \approx 0.83\sqrt{n}$
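The two bounds above, $k \approx 1.18\sqrt{n}$ for a collision within one set and $k \approx 0.83\sqrt{n}$ for an overlap between two sets, can be checked against the exact probabilities. The following C program is an added example, not part of the lecture slides; it evaluates Q(n,k), P(n,k) and R(n,k) exactly as running products (no factorials, no exp()), and searches for the smallest k that pushes each probability past 1/2. It also goes beyond the slides by running the same search for n = 2^32, the output space of a 32-bit hash, where the 1.18·2^16 estimate is what a defender uses to size the collision resistance of a hash.

```c
#include <stdio.h>

/* Q(n,k) = n(n-1)...(n-k+1) / n^k, taken as the running product of (1 - i/n)
   so that no factorial or power ever overflows. */
double q_all_distinct(double n, long k) {
    double q = 1.0;
    for (long i = 1; i < k; i++) q *= 1.0 - (double)i / n;
    return q;
}

/* P(n,k) = 1 - Q(n,k): probability that at least two of k random values collide. */
double p_collision(double n, long k) { return 1.0 - q_all_distinct(n, k); }

/* Smallest k with P(n,k) >= 1/2. The slides' bound predicts k ~ 1.18 sqrt(n); for a
   hash with 2^m outputs (n = 2^m) that is about 2^(m/2) trials. */
long min_k_for_half(double n) {
    double q = 1.0;
    long k = 1;
    while (q > 0.5) { q *= 1.0 - (double)k / n; k++; }
    return k;
}

/* base^e by repeated squaring, so (1 - 1/n)^(k^2) stays cheap for large k. */
static double pow_int(double base, unsigned long e) {
    double r = 1.0;
    while (e) { if (e & 1) r *= base; base *= base; e >>= 1; }
    return r;
}

/* Two-set overlap R(n,k) = 1 - (1 - 1/n)^(k^2): probability that k values drawn by
   one party hit one of k values held by the other (the 0.83 sqrt(n) bound). */
double r_overlap(double n, long k) {
    return 1.0 - pow_int(1.0 - 1.0 / n, (unsigned long)k * (unsigned long)k);
}

/* Smallest k with R(n,k) >= 1/2 */
long min_k_for_half_overlap(double n) {
    long k = 1;
    while (r_overlap(n, k) < 0.5) k++;
    return k;
}

int main(void) {
    printf("P(365,23) = %.4f, P(365,30) = %.4f, P(365,100) = %.7f\n",
           p_collision(365, 23), p_collision(365, 30), p_collision(365, 100));
    printf("smallest k with P(365,k) >= 1/2: %ld (1.18*sqrt(365) ~ 22.5)\n",
           min_k_for_half(365));
    printf("smallest k with P(2^32,k) >= 1/2: %ld (1.18*2^16 ~ 77332)\n",
           min_k_for_half(4294967296.0));
    printf("smallest k with R(365,k) >= 1/2: %ld (0.83*sqrt(365) ~ 15.9)\n",
           min_k_for_half_overlap(365));
    return 0;
}
```

The exact thresholds land within a few percent of the closed-form estimates, which is why the estimates are good enough for sizing: a 32-bit digest is exhausted by on the order of 2^16 trials, and a 128-bit one by 2^64.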
Birthday Attack
Assume the hash code is m bits and the signature is the encrypted hash.
• Opponent generates $2^{m/2}$ variations of a type 1 message
• Opponent generates $2^{m/2}$ variations of a type 2 message
• Find a type 1 message x and a type 2 message y such that Hash(x) = Hash(y)
• Get the signature from the boss for the type 1 message x; the signature is $E_K(\mathrm{Hash}(x))$
• Send out $y \,||\, E_K(\mathrm{Hash}(x))$
Variations of the same message
{This letter is | I am writing} to introduce {you to | to you} Alfred, the {new | newly appointed} {chief | senior} jewellery buyer for ……..
Each pair of alternatives doubles the count: $2^{m/2}$ variations
A simple hash function
• Message M is partitioned into m blocks of n bits:
$M = B_1 \,||\, B_2 \,||\, \cdots \,||\, B_m$
$B_1 = b_{1,1} b_{2,1} \ldots b_{n,1}$
$B_2 = b_{1,2} b_{2,2} \ldots b_{n,2}$
......
$B_m = b_{1,m} b_{2,m} \ldots b_{n,m}$
A simple hash function
• The hash function value $c_1 c_2 \ldots c_n$ is defined as the bitwise XOR of the blocks:
$c_1 = b_{1,1} \oplus b_{1,2} \oplus \cdots \oplus b_{1,m}$
$c_2 = b_{2,1} \oplus b_{2,2} \oplus \cdots \oplus b_{2,m}$
......
$c_n = b_{n,1} \oplus b_{n,2} \oplus \cdots \oplus b_{n,m}$
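The definition above is small enough to run. The C program below is an added example (not from the slides) for the case n = 8, where each block is one byte and the hash is the byte-wise XOR of all blocks. It also shows why this function fails the weak collision resistance requirement discussed later: because XOR is commutative and x ⊕ x = 0, swapping two blocks or appending any block twice produces a different message with the same hash. The sample message is constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* The slides' simple hash for n = 8: bit j of the result is the XOR of bit j across
   all m blocks, which is just the byte-wise XOR of the blocks. */
uint8_t simple_hash(const uint8_t *blocks, size_t m) {
    uint8_t c = 0;
    for (size_t i = 0; i < m; i++) c ^= blocks[i];
    return c;
}

/* Second preimage by padding: appending any block twice (x XOR x = 0) leaves the
   hash unchanged. out must have room for len + 2 bytes. */
size_t second_preimage_by_padding(const uint8_t *msg, size_t len, uint8_t extra, uint8_t *out) {
    memcpy(out, msg, len);
    out[len] = extra;
    out[len + 1] = extra;
    return len + 2;
}

/* Second preimage by reordering: swapping two distinct blocks preserves the XOR. */
size_t second_preimage_by_swap(const uint8_t *msg, size_t len, uint8_t *out) {
    memcpy(out, msg, len);
    if (len >= 2 && out[0] != out[1]) { uint8_t t = out[0]; out[0] = out[1]; out[1] = t; }
    return len;
}

/* 1 if the two messages differ but hash to the same value */
int is_collision(const uint8_t *a, size_t la, const uint8_t *b, size_t lb) {
    int differ = (la != lb) || memcmp(a, b, la) != 0;
    return differ && simple_hash(a, la) == simple_hash(b, lb);
}

int main(void) {
    /* constructed 3-block message, n = 8 */
    const uint8_t m[3] = {0xA5, 0x3C, 0x0F};
    uint8_t m2[5], m3[3];
    size_t l2 = second_preimage_by_padding(m, 3, 0x42, m2);
    size_t l3 = second_preimage_by_swap(m, 3, m3);
    printf("h(M) = %02x, h(M') = %02x, h(M'') = %02x\n",
           simple_hash(m, 3), simple_hash(m2, l2), simple_hash(m3, l3));
    return 0;
}
```

Any function whose output is a linear combination of its input blocks has this property; a real hash has to make the contribution of each block depend non-linearly on all the others, which is what the iterated compression-function design below is for.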
Rabin's Hash
• A message M is partitioned into $M_1, M_2, \ldots, M_N$
• $H_0$ = initial value
• $H_i = E_{M_i}(H_{i-1})$
• $G = H_N$
• The encryption is DES, so the output is 64 bits.
• It is weak against the birthday attack
Birthday Attack
Assume the hash code is m bits and the signature is the encrypted hash.
• Calculate the hash code G
• Construct the desired messages $Q_1, Q_2, \ldots, Q_{N-2}$
• Compute $H_i = E_{Q_i}[H_{i-1}]$ for $i = 1, 2, \ldots, N-2$
• Opponent generates $2^{m/2}$ blocks X
• Opponent generates $2^{m/2}$ blocks Y
• Find an X block and a Y block such that $E_X[H_{N-2}] = D_Y[G]$
• Form the message $Q_1, Q_2, \ldots, Q_{N-2}, X, Y$ with the encrypted signature $E_K(G)$
Davies and Price variation
• A message M is partitioned into $M_1, M_2, \ldots, M_N$
• $H_0$ = initial value
• $H_i = E_{M_i}(H_{i-1}) \oplus H_{i-1}$
• $G = H_N$
Requirements for Hash function
• H(x) is easy to compute
• Given h, it is computationally hard to find x such that H(x) = h: one-way property
• Given x, it is computationally hard to find y ≠ x such that H(x) = H(y): weak collision resistance
• It is computationally hard to find any pair x ≠ y such that H(x) = H(y): strong collision resistance
Hash Design
[Figure: iterated hash structure. IV = CV_0; for each b-bit input block Y_i, the compression function f maps (CV_i, Y_i) to the n-bit CV_{i+1}; the final CV_L is the hash code.]
• IV = initial value, b = length of input block
• CV = chaining variable, f = compression algorithm
• L = number of input blocks, Y = input block
• n = length of hash code
Principle
• The hash function is collision resistant if the
compression function is collision resistant
MD5
[Figure: overall MD5 processing. The K-bit message is followed by padding of 1 to 512 bits (10...0) and a 64-bit length field (K mod 2^64), then split into 512-bit blocks Y_0, Y_1, ..., Y_q, ..., Y_{L-1}. Starting from the 128-bit IV, each block passes through H_MD5 together with the current 128-bit chaining value CV_q to produce CV_{q+1}; CV_L is the 128-bit hash.]
• 128-bit hash
Step 1: Padding
• Append 1 to 512 bits so that the total message length is ≡ 448 (mod 512)
• At least one bit is appended
Step 2: Append Length
64 bits are used for storing the length of the message.
If the length does not fit in 64 bits, only its low-order 64 bits are used, i.e. the length is taken modulo $2^{64}$.
Expanded message: $Y_0, Y_1, \ldots, Y_{L-1}$
Step 3: Initialize buffer
128-bit buffer holding four 32-bit words (A, B, C, D):
A = 67452301
B = EFCDAB89
C = 98BADCFE
D = 10325476
Step 4: Process message in 512-bit blocks
MD5 has four similar rounds
Each round uses one of the four functions F, G, H and I
Each round has 16 similar steps
All 512 bits are used in each round
MD5 Processing
[Figure: processing of block Y_q (512 bits) with CV_q (128 bits). Round 1 uses F, T[1...16], X[i]; round 2 uses G, T[17...32], X[2i]; round 3 uses H, T[33...48], X[3i]; round 4 uses I, T[49...64], X[4i]. Each round updates the buffer A B C D, and the result is added to CV_q to give CV_{q+1}.]
Compression function
[Figure: one step. Of the buffer A B C D, the words b, c, d feed g; the sum a + g(b,c,d) + X[k] + T[i] is rotated left by s bits (CLS s) and added to b; the buffer words are then rotated.]
MD5 compression function
• 16 steps operating on the buffer ABCD
• Each step is of the form
$a \leftarrow b + ((a + g(b,c,d) + X[k] + T[i]) <<< s)$
• a, b, c, d = four words of the buffer
• g = one of the functions F, G, H, I
• <<< s = circular left shift by s bits
• X[k] = M[q*16+k] = k-th word in the q-th 512-bit block
• T[i] = the i-th 32-bit word in table T
• + = addition modulo $2^{32}$
Four functions
• The function g can be any of the four functions
$F(b,c,d) = (b \wedge c) \vee (\neg b \wedge d)$
$G(b,c,d) = (b \wedge d) \vee (c \wedge \neg d)$
$H(b,c,d) = b \oplus c \oplus d$
$I(b,c,d) = c \oplus (b \vee \neg d)$
Functions T
• T has 64 entries T[1...64]; each entry is a 32-bit word
• T[i] is the integer part of $2^{32} \cdot |\sin(i)|$
• The i is in radians
T[1] = D76AA478
T[2] = E8C7B756
T[3] = 242070DB
.......
Digital Signature
• Verify the author, date and time
• Authenticate the content
• Be verifiable by a third party
Digital Signature
• X: sender
• Y: receiver
• A: arbiter
[Figure: X sends to the arbiter A, which forwards to Y]
Digital Signature
• $K_{xa}$: the key shared between X and A
• $K_{ay}$: the key shared between A and Y
• M: message
• H: hash function
• ID: identification number
• T: timestamp
$X \to A : M \,||\, E_{K_{xa}}[ID_X \,||\, H(M)]$
$A \to Y : E_{K_{ay}}[ID_X \,||\, M \,||\, E_{K_{xa}}[ID_X \,||\, H(M)] \,||\, T]$
Digital Signature
• X: sender
• Y: receiver
• A: arbiter
[Figure: $X \to A : M \,||\, E_{K_{xa}}[ID_X \,||\, H(M)]$, then $A \to Y : E_{K_{ay}}[ID_X \,||\, M \,||\, E_{K_{xa}}[ID_X \,||\, H(M)] \,||\, T]$]
Digital Signature
• Y stores M and $E_{K_{ay}}[ID_X \,||\, M \,||\, E_{K_{xa}}[ID_X \,||\, H(M)] \,||\, T]$
• Y sends $E_{K_{ay}}[ID_X \,||\, M \,||\, E_{K_{xa}}[ID_X \,||\, H(M)] \,||\, T]$ to the arbiter A to settle disputes.
• Both sides trust the arbiter A.
Problem
• The arbiter can see the message
Arbiter does not see the message
$X \to A : ID_X \,||\, E_{K_{xy}}[M] \,||\, E_{K_{xa}}[ID_X \,||\, H(E_{K_{xy}}[M])]$ (the message is hidden from A)
$A \to Y : E_{K_{ay}}[ID_X \,||\, E_{K_{xy}}[M] \,||\, E_{K_{xa}}[ID_X \,||\, H(E_{K_{xy}}[M])] \,||\, T]$
Problem
• The arbiter can form an alliance with the sender to deny a signed message.
Public Key Approach
• KR: private key
• KU: public key
$X \to A : ID_X \,||\, E_{KR_x}[ID_X \,||\, E_{KU_y}(E_{KR_x}[M])]$
$A \to Y : E_{KR_a}[ID_X \,||\, E_{KU_y}[E_{KR_x}[M]] \,||\, T]$
Mutual Authentication
Two issues:
• Confidentiality
• Timeliness
Some attacks
• Simple replay: copy a message and replay it later
• Repetition: replay a timestamped message within the valid time window
Two approaches
• Timestamp: make sure it is a fresh message
• Challenge: A sends B a nonce and expects B's reply to contain it, making sure it is a fresh message from B.
One-way Authentication
• KDC: responsible for generating the short-term key.
• A: sender, B: receiver
• $K_s$: session key. $K_a$: shared between A and the KDC
• $K_b$: shared between B and the KDC.
$A \to KDC : ID_A \,||\, ID_B \,||\, N_1$
$KDC \to A : E_{K_a}[K_s \,||\, ID_B \,||\, N_1 \,||\, E_{K_b}[K_s \,||\, ID_A]]$
$A \to B : E_{K_b}[K_s \,||\, ID_A] \,||\, E_{K_s}[M]$
Public key One-way Authentication
A: sender, B: receiver
$A \to B : E_{KU_b}[K_s] \,||\, E_{K_s}[M]$
It is confidential, but there is no signature
Public key One-way Authentication
A: sender, B: receiver
$A \to B : M \,||\, E_{KR_a}[H(M)]$
Hard to deny
Public key One-way Authentication
A: sender, B: receiver
$A \to B : E_{KU_b}[M \,||\, E_{KR_a}[H(M)]]$
Confidential and hard to deny
Mutual Authentication
• KDC: responsible for generating the short-term key.
• A: sender
• B: receiver
$A \to KDC : ID_A \,||\, ID_B \,||\, N_1$
$KDC \to A : E_{K_a}[K_s \,||\, ID_B \,||\, N_1 \,||\, E_{K_b}[K_s \,||\, ID_A]]$
$A \to B : E_{K_b}[K_s \,||\, ID_A]$
$B \to A : E_{K_s}[N_2]$
$A \to B : E_{K_s}[f(N_2)]$
Problem
• An attacker can replay the message at step 3
• If the attacker can intercept the message at step 4, he can impersonate A to send B some message.
Mutual Authentication
• T: timestamp
$A \to KDC : ID_A \,||\, ID_B$
$KDC \to A : E_{K_a}[K_s \,||\, ID_B \,||\, T \,||\, E_{K_b}[K_s \,||\, ID_A \,||\, T]]$
$A \to B : E_{K_b}[K_s \,||\, ID_A \,||\, T]$
$B \to A : E_{K_s}[N_1]$
$A \to B : E_{K_s}[f(N_1)]$
Time check
$|\mathrm{Clock} - T| < \Delta t$
Avoid replay attack
• The replay attack can be avoided by checking the timestamp.
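The timestamp check |Clock − T| < Δt stops old messages, but by itself it does not stop the "repetition" attack listed earlier: a captured message replayed inside the window still passes. The receiver therefore also has to remember what it has already accepted during the window. The C code below is an added example of that receiver-side logic, not part of the slides or of any named protocol: it combines the timestamp check with a small cache of (sender, T, nonce) triples, expires entries once they are older than the window (a replay of them would fail the timestamp check anyway), and fails closed when the cache is full. The window size, cache size and sample traffic are constructed for the example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define WINDOW_SECONDS 300   /* assumed delta-t: how far T may be from our clock */
#define CACHE_SIZE 256       /* assumed bound on messages remembered per window */

typedef struct { uint32_t sender; int64_t ts; uint64_t nonce; int used; } seen_t;
typedef struct { seen_t e[CACHE_SIZE]; } replay_cache_t;

enum { ACCEPT = 0, REJECT_STALE = 1, REJECT_REPLAY = 2, REJECT_FULL = 3 };

void replay_cache_init(replay_cache_t *c) { memset(c, 0, sizeof *c); }

/* Freshness decision for a message carrying (sender, T, nonce), received at time now:
   1. the timestamp check from the slides, |Clock - T| < delta-t, rejects old messages;
   2. within the window the same triple must not be accepted twice, which stops the
      repetition attack of replaying a still-valid timestamped message. */
int replay_check(replay_cache_t *c, uint32_t sender, int64_t ts, uint64_t nonce, int64_t now) {
    int64_t diff = now - ts;
    if (diff < 0) diff = -diff;
    if (diff >= WINDOW_SECONDS) return REJECT_STALE;

    int free_slot = -1;
    for (int i = 0; i < CACHE_SIZE; i++) {
        seen_t *s = &c->e[i];
        if (s->used && now - s->ts >= WINDOW_SECONDS) s->used = 0;  /* expired entry */
        if (s->used && s->sender == sender && s->ts == ts && s->nonce == nonce)
            return REJECT_REPLAY;
        if (!s->used && free_slot < 0) free_slot = i;
    }
    if (free_slot < 0) return REJECT_FULL;   /* fail closed: never accept what we cannot remember */
    c->e[free_slot] = (seen_t){sender, ts, nonce, 1};
    return ACCEPT;
}

int main(void) {
    replay_cache_t cache;
    replay_cache_init(&cache);
    /* constructed traffic: one genuine message, its replay, then a stale copy */
    printf("first  : %d\n", replay_check(&cache, 1, 1000, 0xabcdef, 1000));
    printf("replay : %d\n", replay_check(&cache, 1, 1000, 0xabcdef, 1010));
    printf("stale  : %d\n", replay_check(&cache, 1, 1000, 0xabcdef, 1400));
    return 0;
}
```

Returning distinct reject codes matters operationally: a burst of REJECT_REPLAY from one sender is a detection signal, whereas REJECT_STALE usually points at clock drift between the parties, the same reason Δt cannot be made arbitrarily small.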
Mutual Authentication
$A \to B : ID_A \,||\, N_a$
$B \to KDC : ID_B \,||\, N_b \,||\, E_{K_b}[ID_A \,||\, N_a \,||\, T_b]$
$KDC \to A : E_{K_a}[ID_B \,||\, N_a \,||\, K_s \,||\, T_b] \,||\, E_{K_b}[ID_A \,||\, K_s \,||\, T_b] \,||\, N_b$
$A \to B : E_{K_b}[ID_A \,||\, K_s \,||\, T_b] \,||\, E_{K_s}[N_b]$
Mutual Authentication
B has received the message from A:
$KDC \to A : E_{K_a}[ID_B \,||\, N_a \,||\, K_s \,||\, T_b] \,||\, E_{K_b}[ID_A \,||\, K_s \,||\, T_b] \,||\, N_b$
$T_b$ prevents the replay attack; $K_s$ is the session key
Mutual Authentication
Prevent the replay attack:
$A \to B : E_{K_b}[ID_A \,||\, K_s \,||\, T_b] \,||\, E_{K_s}[N_b]$
Public Key Approach
AS: the authentication server
$A \to AS : ID_A \,||\, ID_B$
$AS \to A : E_{KR_{as}}[ID_A \,||\, KU_a \,||\, T] \,||\, E_{KR_{as}}[ID_B \,||\, KU_b \,||\, T]$
$A \to B : E_{KR_{as}}[ID_A \,||\, KU_a \,||\, T] \,||\, E_{KR_{as}}[ID_B \,||\, KU_b \,||\, T] \,||\, E_{KU_b}[E_{KR_a}[K_s \,||\, T]]$
Clock synchronization is needed
Mutual Authentication
• KDC: responsible for generating the short-term key.
• A: sender, B: receiver
$A \to KDC : ID_A \,||\, ID_B$
$KDC \to A : E_{KR_{auth}}[ID_B \,||\, KU_b]$
$A \to B : E_{KU_b}[N_a \,||\, ID_A]$
$B \to KDC : ID_B \,||\, ID_A \,||\, E_{KU_{auth}}[N_a]$
$KDC \to B : E_{KR_{auth}}[ID_A \,||\, KU_a] \,||\, E_{KU_b}[E_{KR_{auth}}[N_a \,||\, K_s \,||\, ID_B]]$
$B \to A : E_{KU_a}[E_{KR_{auth}}[N_a \,||\, K_s \,||\, ID_B] \,||\, N_b]$
$A \to B : E_{K_s}[N_b]$
Mutual Authentication
A tells the KDC of its intention to establish a secure connection with B:
$A \to KDC : ID_A \,||\, ID_B$
$KDC \to A : E_{KR_{auth}}[ID_B \,||\, KU_b]$
A gets the public key of B from the KDC
Mutual Authentication
A tells B of its intention for secure communication:
$A \to B : E_{KU_b}[N_a \,||\, ID_A]$
$B \to KDC : ID_B \,||\, ID_A \,||\, E_{KU_{auth}}[N_a]$
B tells the KDC $N_a$ so that the KDC can stamp the session key with the nonce
Mutual Authentication
• The session key is tied to $N_a$
$KDC \to B : E_{KR_{auth}}[ID_A \,||\, KU_a] \,||\, E_{KU_b}[E_{KR_{auth}}[N_a \,||\, K_s \,||\, ID_B]]$
• Tells B the public key of A
• B can verify it is from the KDC
Mutual Authentication
• Encrypted with A's public key, so the key is fresh for A
$B \to A : E_{KU_a}[E_{KR_{auth}}[N_a \,||\, K_s \,||\, ID_B] \,||\, N_b]$
$A \to B : E_{K_s}[N_b]$
• Tells B that A has the session key now.
Mutual Authentication
$A \to KDC : ID_A \,||\, ID_B$
$KDC \to A : E_{KR_{auth}}[ID_B \,||\, KU_b]$
$A \to B : E_{KU_b}[N_a \,||\, ID_A]$
$B \to KDC : ID_B \,||\, ID_A \,||\, E_{KU_{auth}}[N_a]$
$KDC \to B : E_{KR_{auth}}[ID_A \,||\, KU_a] \,||\, E_{KU_b}[E_{KR_{auth}}[N_a \,||\, K_s \,||\, ID_B]]$
$B \to A : E_{KU_a}[E_{KR_{auth}}[N_a \,||\, K_s \,||\, ID_A \,||\, ID_B] \,||\, N_b]$
$A \to B : E_{K_s}[N_b]$
The nonce is for A
Chapter 14 – Authentication Applications
Authentication Applications
• will consider authentication functions
• developed to support application-level
authentication & digital signatures
• will consider Kerberos – a private-key
authentication service
• then X.509 directory authentication service
Kerberos
• trusted key server system from MIT
• provides centralised private-key third-party
authentication in a distributed network
– allows users access to services distributed
through network
– without needing to trust all workstations
– rather all trust a central authentication server
• two versions in use: 4 & 5
Kerberos Requirements
• first published report identified its
requirements as:
– security
– reliability
– transparency
– scalability
• implemented using an authentication
protocol
Authentication with AS
• $C \to AS : ID_c \,||\, P_c \,||\, ID_v$
• $AS \to C : Ticket$
• $C \to V : ID_c \,||\, Ticket$
$Ticket = E(K_v, [ID_c \,||\, AD_c \,||\, ID_v])$
Items
• C =client
• AS =authentication server
• V =server
• IDc =identifier of user on C
• IDv =identifier of V
• Pc =password of user on C
• ADc=network address of C
• Kv =secret encryption key shared by AS and V
More Secure Authentication
Once per user logon session:
• $C \to AS : ID_c \,||\, ID_{tgs}$
• $AS \to C : E(K_c, Ticket_{tgs})$
Once per type of service:
• $C \to TGS : ID_c \,||\, ID_v \,||\, Ticket_{tgs}$
• $TGS \to C : Ticket_v$
Once per service session:
• $C \to V : ID_c \,||\, Ticket_v$
$Ticket_{tgs} = E(K_{tgs}, [ID_C \,||\, AD_C \,||\, ID_{tgs} \,||\, TS_1 \,||\, Lifetime_1])$
$Ticket_v = E(K_v, [ID_C \,||\, AD_C \,||\, ID_v \,||\, TS_2 \,||\, Lifetime_2])$
Items
• TGS: ticket-granting server
• TS: timestamp
Kerberos 4 Overview
• A basic third-party authentication scheme
• have an Authentication Server (AS)
– users initially negotiate with AS to identify self
– AS provides a non-corruptible authentication
credential (ticket granting ticket TGT)
• have a Ticket Granting server (TGS)
– users subsequently request access to other
services from TGS on basis of users TGT
Kerberos 4 Overview
Kerberos Realms
• a Kerberos environment consists of:
– a Kerberos server
– a number of clients, all registered with server
– application servers, sharing keys with server
• this is termed a realm
– typically a single administrative domain
• if have multiple realms, their Kerberos
servers must share keys and trust
Kerberos Version 5
• developed in mid 1990’s
• provides improvements over v4
– addresses environmental shortcomings
• encryption alg, network protocol, byte order, ticket
lifetime, authentication forwarding, interrealm auth
– and technical deficiencies
• double encryption, non-std mode of use, session
keys, password attacks
• specified as Internet standard RFC 1510
X.509 Authentication Service
• part of CCITT X.500 directory service standards
– distributed servers maintaining some info database
• defines framework for authentication services
– directory may store public-key certificates
– with public key of user
– signed by certification authority
• also defines authentication protocols
• uses public-key crypto & digital signatures
– algorithms not standardised, but RSA recommended
ITU-T
• ITU telecommunication standardization sector
(ITU-T) coordinates standards for
telecommunications on behalf of the
international telecommunication union (ITU)
X.509 Certificates
• issued by a Certification Authority (CA), containing:
– version (1, 2, or 3)
– serial number (unique within CA) identifying certificate
– signature algorithm identifier
– issuer X.500 name (CA)
– period of validity (from - to dates)
– subject X.500 name (name of owner)
– subject public-key info (algorithm, parameters, key)
– issuer unique identifier (v2+)
– subject unique identifier (v2+)
– extension fields (v3)
– signature (of hash of all fields in certificate)
• notation CA<<A>> denotes certificate for A signed by CA
X.509 Certificates
[Figure: making a certificate. The unsigned certificate (user ID, public key) is hashed; the hash is encrypted with the CA's private key and appended as the signature, producing the signed certificate.]
Obtaining a Certificate
• any user with access to CA can get any
certificate from it
• only the CA can modify a certificate
• because cannot be forged, certificates can
be placed in a public directory
CA Hierarchy
• if both users share a common CA then they are
assumed to know its public key
• otherwise CA's must form a hierarchy
• use certificates linking members of hierarchy to
validate other CA's
– each CA has certificates for clients (forward) and
parent (backward)
• each client trusts parents certificates
• enable verification of any certificate from one CA
by users of all other CAs in hierarchy
CA{V, SN, AI, CA, TA, A, Ap}
• V: version
• SN: serial number, an integer unique within the issuing CA
• AI: signature algorithm identifier, the algorithm used to sign the certificate
• CA: issuer name, X.500 name of the CA that created and signed this certificate
• TA: period of validity, first and last valid dates
• A: subject name, name of the user to whom this certificate refers; the certificate certifies this user's public key
• Ap: issuer unique identifier, identifying the CA
CA Hierarchy Use
Certificate Revocation
• certificates have a period of validity
• may need to revoke before expiry, eg:
1. user's private key is compromised
2. user is no longer certified by this CA
3. CA's certificate is compromised
• CA’s maintain list of revoked certificates
– the Certificate Revocation List (CRL)
• users should check certs with CA’s CRL
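The hierarchy and revocation rules above combine into one procedure when a user verifies a certificate: walk from the end-entity certificate up through each issuing CA to a trusted root, and at every step check the validity period, the CRL, the issuer/subject name chaining and the signature. The C program below is an added example of that procedure (not code from the slides or from any X.509 library). To run offline it replaces the CA's public-key signature with a keyed FNV-1a tag over the to-be-signed fields, verified with the issuer's key, and it models a CRL as a list of revoked serial numbers; the certificate hierarchy RootCA → SubCA → alice and all dates and keys are constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Certificate with the X.509 v1 fields from the slides. The signature is a keyed FNV-1a
   tag over the to-be-signed fields, a toy stand-in for the CA's public-key signature. */
typedef struct {
    int version; uint32_t serial; char issuer[32]; char subject[32];
    int64_t not_before, not_after;   /* period of validity, Unix seconds */
    uint64_t subject_key;            /* the subject's "public key" (toy) */
    uint64_t signature;
} cert_t;

static uint64_t fnv1a(uint64_t h, const void *p, size_t n) {
    const uint8_t *b = p;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 1099511628211ull; }
    return h;
}

/* toy signature: tag of the TBS fields under the issuer's key */
uint64_t toy_sign(const cert_t *c, uint64_t issuer_key) {
    uint64_t h = fnv1a(14695981039346656037ull, &issuer_key, sizeof issuer_key);
    h = fnv1a(h, &c->version, sizeof c->version);
    h = fnv1a(h, &c->serial, sizeof c->serial);
    h = fnv1a(h, c->issuer, strlen(c->issuer));
    h = fnv1a(h, c->subject, strlen(c->subject));
    h = fnv1a(h, &c->not_before, sizeof c->not_before);
    h = fnv1a(h, &c->not_after, sizeof c->not_after);
    return fnv1a(h, &c->subject_key, sizeof c->subject_key);
}

void make_cert(cert_t *c, uint32_t serial, const char *issuer, const char *subject,
               int64_t nb, int64_t na, uint64_t key, uint64_t issuer_key) {
    memset(c, 0, sizeof *c);
    c->version = 1; c->serial = serial;
    strncpy(c->issuer, issuer, sizeof c->issuer - 1);
    strncpy(c->subject, subject, sizeof c->subject - 1);
    c->not_before = nb; c->not_after = na; c->subject_key = key;
    c->signature = toy_sign(c, issuer_key);
}

enum { PATH_OK = 0, PATH_EXPIRED, PATH_REVOKED, PATH_BROKEN, PATH_BAD_SIG };

/* Validate chain[0] (end entity) up to the trust anchor: chain[i] must be issued by
   chain[i+1], and the last element by the anchor. Every certificate must be within its
   validity period, absent from the CRL, chained by name, and carry a good signature. */
int validate_path(const cert_t *chain, int len, const cert_t *anchor,
                  const uint32_t *crl, int crl_len, int64_t now) {
    for (int i = 0; i < len; i++) {
        const cert_t *c = &chain[i];
        const cert_t *issuer = (i + 1 < len) ? &chain[i + 1] : anchor;
        if (now < c->not_before || now > c->not_after) return PATH_EXPIRED;
        for (int j = 0; j < crl_len; j++) if (crl[j] == c->serial) return PATH_REVOKED;
        if (strcmp(c->issuer, issuer->subject) != 0) return PATH_BROKEN;
        if (c->signature != toy_sign(c, issuer->subject_key)) return PATH_BAD_SIG;
    }
    return PATH_OK;
}

/* Constructed hierarchy: RootCA (self-signed anchor) -> SubCA -> alice */
void build_demo(cert_t *anchor, cert_t chain[2]) {
    make_cert(anchor, 1, "RootCA", "RootCA", 0, 4000000000LL, 0x1111, 0x1111);
    make_cert(&chain[1], 2, "RootCA", "SubCA", 0, 2000000000LL, 0x2222, 0x1111);
    make_cert(&chain[0], 3, "SubCA", "alice", 1500000000LL, 1600000000LL, 0x3333, 0x2222);
}

int main(void) {
    cert_t anchor, chain[2];
    build_demo(&anchor, chain);
    uint32_t revoked[1] = {3};
    printf("valid path : %d\n", validate_path(chain, 2, &anchor, NULL, 0, 1550000000LL));
    printf("alice revoked: %d\n", validate_path(chain, 2, &anchor, revoked, 1, 1550000000LL));
    printf("after expiry : %d\n", validate_path(chain, 2, &anchor, NULL, 0, 1700000000LL));
    return 0;
}
```

The order of the checks is deliberate: cheap local checks (dates, CRL, names) run before the signature, and the loop stops at the first failure so that a forged intermediate is never used to vouch for anything below it.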
Authentication Procedures
• X.509 includes three alternative
authentication procedures:
• One-Way Authentication
• Two-Way Authentication
• Three-Way Authentication
• all use public-key signatures
One-Way Authentication
• 1 message ( A->B) used to establish
– the identity of A and that message is from A
– message was intended for B
– integrity & originality of message
• message must include timestamp, nonce,
B's identity and is signed by A
One way
• The identity of B is signed with A's private key.
$A\{t_A, r_A, ID_B, \mathrm{sgnData}, E[PU_b, K_{ab}]\}$
Items
• $t_A$: timestamp
• $r_A$: a nonce
• sgnData: $ID_B$ signed with A's private key
Two-Way Authentication
• 2 messages (A->B, B->A) which also
establishes in addition:
– the identity of B and that reply is from B
– that reply is intended for A
– integrity & originality of reply
• reply includes original nonce from A, also
timestamp and nonce from B
Two-way
$A\{t_A, r_A, ID_B, \mathrm{sgnData}, E[PU_b, K_{ab}]\}$
$B\{t_B, r_B, ID_A, r_A, \mathrm{sgnData}, E[PU_a, K_{ba}]\}$
Three-Way Authentication
• 3 messages (A->B, B->A, A->B) which
enables above authentication without
synchronized clocks
• has reply from A back to B containing
signed copy of nonce from B
• means that timestamps need not be checked
or relied upon
Three-way
$A\{t_A, r_A, ID_B, \mathrm{sgnData}, E[PU_b, K_{ab}]\}$
$B\{t_B, r_B, ID_A, r_A, \mathrm{sgnData}, E[PU_a, K_{ba}]\}$
$A\{r_B\}$
X.509 Version 3
• has been recognised that additional
information is needed in a certificate
– email/URL, policy details, usage constraints
• rather than explicitly naming new fields
defined a general extension method
• extensions consist of:
– extension identifier
– criticality indicator
– extension value
Certificate Extensions
• key and policy information
– convey info about subject & issuer keys, plus
indicators of certificate policy
• certificate subject and issuer attributes
– support alternative names, in alternative
formats for certificate subject and/or issuer
• certificate path constraints
– allow constraints on use of certificates by other
CA’s
Summary
• have considered:
– Kerberos trusted key server system
– X.509 authentication and certificates
Problem
Let message M = 10111011 01011110 00011011
1) Assume that n = 8. Compute the simple hash function value h(M).
2) Find a different message M' such that h(M) = h(M').
3) Does the simple hash function satisfy the requirements for a general hash function?
Some New Approaches for Preventing Software Tampering
Bin Fu, Uni. of New Orleans
Golden Richard III, Uni. of New Orleans
Yixin Chen, Uni. of New Orleans
Adbo Husseiny, Tech. Int. of Virginia
Software protection
• The global economic impact of software piracy was $11 billion in 2001.
• 40% of commercial software in use is pirated.
Password
• Check the password before running the software
• The password check may be bypassed
Check password
#define realPassword 5413
……..
scanf("%d", &password);
if (password != realPassword)
    printf("password is incorrect");
else
    run_the_software();     /* the protected functionality */
Problems with the password checking
• It is easy to bypass by removing the part of the code that checks the password
• The password is revealed in the code.
Method 1
• Select a hashing function h()
• Select multiple constants and change them (offline):
c1' ← c1 - h(password+1)
c2' ← c2 - h(password+2)
• Recover them from the correct password (online):
c1 ← c1' + h(password+1)
c2 ← c2' + h(password+2)
Solve Quadratic Equation
$x^2 + bx + c = 0$
It has two roots:
$x_1 = \frac{-b + \sqrt{b^2 - 4c}}{2}, \qquad x_2 = \frac{-b - \sqrt{b^2 - 4c}}{2}$
#define c1 2.0
#define c2 4.0
void quadratic(double b, double c, double *root1, double *root2) {
    double temp;
    temp = sqrt(b*b - c2*c);     /* c2 = 4.0 */
    *root1 = (-b + temp) / c1;   /* c1 = 2.0 */
    *root2 = (-b - temp) / c1;
}
For solving the equation $x^2 + bx + c = 0$
#include <stdio.h>
#include <math.h>
#define realPassword 2314
#define c1 2.0
#define c2 4.0
void quadratic(double b, double c, double *root1, double *root2) {
    double temp;
    temp = sqrt(b*b - c2*c);
    *root1 = (-b + temp) / c1;
    *root2 = (-b - temp) / c1;
}
int main() {
    double b, c, root1, root2;
    int password;
    scanf("%d", &password);
    if (password != realPassword) {
        printf("password is incorrect");
    }
    else {
        scanf("%lf, %lf", &b, &c);
        quadratic(b, c, &root1, &root2);
        printf("%lf, %lf", root1, root2);
    }
    return 0;
}
// offline: compute e1 and e2 from the real password; only d1 and d2 are shipped
#define d1 e1   // e1 = c1 - hash(realPassword+1)
#define d2 e2   // e2 = c2 - hash(realPassword+2)
double c1, c2;
int main() {
    …….
    scanf("%d", &password);
    c1 = d1 + hash(password+1);   // equals the real c1 only for the correct password
    c2 = d2 + hash(password+2);
    ………
#include <stdio.h>
#include <math.h>
#include "hash.h"
#define d1 e1
#define d2 e2
double c1, c2;
void quadratic(double b, double c, double *root1, double *root2) {
    double temp;
    temp = sqrt(b*b - c2*c);
    *root1 = (-b + temp) / c1;
    *root2 = (-b - temp) / c1;
}
int main() {
    double b, c, root1, root2;
    int password;
    scanf("%d", &password);
    c1 = d1 + hash(password+1);
    c2 = d2 + hash(password+2);
    scanf("%lf", &b);
    scanf("%lf", &c);
    quadratic(b, c, &root1, &root2);
    printf("%lf, %lf", root1, root2);
    return 0;
}
Hardness to break
• The attacker has to understand the algorithm to a considerable level in order to recover those constants
• If the attacker knows some of the constants, the security depends on how hard the hashing function is to invert
Method 2
• Multiple constants are hidden in an array
• Only the correct password can find their correct addresses
#define array_size 64
double c1, c2, c3, c4;
int main() {
    double b, c, root1, root2;
    int password;
    double constants[array_size] = {
        3.12, 4.0, 5.12, 4.13, 2.0, 5.16, 2.17, 3.0,
        7.52, 6.9, 8.73, 9.23, 9.0, 8.42, 7.29, 5.9,
        1.92, 9.2, 3.92, 6.63, 8.7, 8.36, 9.15, 1.0,
        4.91, 4.9, 7.19, 2.76, 5.8, 8.79, 5.32, 4.9,
        9.30, 2.9, 8.17, 9.26, 7.2, 3.12, 3.56, 3.7,
        7.98, 6.8, 3.32, 5.78, 4.6, 1.26, 4.32, 2.8,
        3.10, 5.3, 3.83, 4.28, 7.9, 3.64, 4.57, 4.9,
        2.23, 3.8, 3.87, 6.12, 4.5, 4.98, 0.00, 9.0 };
    scanf("%d", &password);
    c1 = constants[hash(password+1)];   /* hash() returns an index in [0, array_size) */
    c2 = constants[hash(password+2)];
    c3 = constants[hash(password+3)];
    c4 = constants[hash(password+4)];
    ……..
}
Correct password gives correct memory addresses
• For the correct password p: h(p+1) = 4, h(p+2) = 1, h(p+3) = 23, h(p+4) = 62.
• c1 = constants[4] = 2.0; c2 = constants[1] = 4.0; c3 = constants[23] = 1.0; c4 = constants[62] = 0.0;
Combine Two Methods (Off Line)
• Select two hashing functions h_address() and h_value()
• Select some constants c1, c2
• Compute c1' = c1 - h_value(p+1) and c2' = c2 - h_value(p+2)
• Save c1' at h_address(p+1) and c2' at h_address(p+2)
Combine Two Methods (On Line)
• Read the password p
• Fetch c1' from h_address(p+1) and c2' from h_address(p+2)
• Recover c1 by c1' + h_value(p+1) and c2 by c2' + h_value(p+2)
Hide the password
• Offline: let q = hash(password)
• Online:
read p
if (hash(p) == q) then accept
else reject
• Security: collisions are hard to find for hash()
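The combined offline/online scheme and the hashed-password check above fit in one small program. The following C code is an added example written for this page, not the authors' implementation: it uses FNV-1a as the hashing function (the talk does not name one), gives each constant its own bank of 16 slots so that h_address values for different constants cannot collide, fills the remaining slots with decoys, and stores only h(password) for the accept/reject test. The password, constants and table size are constructed for the example. Note the defensive points the demonstration makes: the correct password recovers 2.0 and 4.0 exactly, a wrong password yields plausible-looking garbage rather than an error, and nothing in the table reveals either the password or the constants.

```c
#include <stdint.h>
#include <stdio.h>

#define ARRAY_SIZE 64
#define MAX_CONSTANTS 4
#define BANK (ARRAY_SIZE / MAX_CONSTANTS)   /* 16 slots per constant: no two collide */

/* FNV-1a over the four bytes of a 32-bit integer, standing in for the talk's unnamed h() */
uint32_t h(uint32_t x) {
    uint32_t hash = 2166136261u;
    for (int i = 0; i < 4; i++) { hash ^= (x >> (8 * i)) & 0xffu; hash *= 16777619u; }
    return hash;
}
/* h_address: which slot of bank i holds constant i; h_value: the offset that masks it */
unsigned h_address(int i, uint32_t x) { return (unsigned)i * BANK + h(x) % BANK; }
double   h_value(uint32_t x)          { return (double)(h(x) & 0xffffffu); }

/* OFFLINE (build time): fill the table with decoys, then store c_i' = c_i - h_value(p+i)
   at slot h_address(i, p+i). Neither the password nor any c_i is written into the binary. */
void hide_constants(const double *c, int n, uint32_t p, double table[ARRAY_SIZE]) {
    for (int s = 0; s < ARRAY_SIZE; s++)      /* decoys in the same range as real entries */
        table[s] = -(double)(h(0x1000u + (uint32_t)s) & 0xffffffu);
    for (int i = 0; i < n && i < MAX_CONSTANTS; i++)
        table[h_address(i, p + 1 + (uint32_t)i)] = c[i] - h_value(p + 1 + (uint32_t)i);
}

/* ONLINE (run time): fetch c_i' from the password-derived slot and add h_value(p+i) back.
   A wrong password reads a decoy and adds the wrong offset, so the program computes garbage. */
void recover_constants(const double table[ARRAY_SIZE], uint32_t p, int n, double *out) {
    for (int i = 0; i < n && i < MAX_CONSTANTS; i++)
        out[i] = table[h_address(i, p + 1 + (uint32_t)i)] + h_value(p + 1 + (uint32_t)i);
}

/* "Hide the password": store only q = h(password) and compare hashes at run time */
int password_ok(uint32_t stored_q, uint32_t p) { return h(p) == stored_q; }

int main(void) {
    const double secret[2] = {2.0, 4.0};      /* the quadratic solver's constants */
    const uint32_t password = 2314;           /* known only to the offline tool */
    double table[ARRAY_SIZE], got[2];
    hide_constants(secret, 2, password, table);
    recover_constants(table, password, 2, got);
    printf("correct password -> c1 = %g, c2 = %g\n", got[0], got[1]);
    recover_constants(table, password - 1, 2, got);
    printf("wrong password   -> c1 = %g, c2 = %g\n", got[0], got[1]);
    printf("hash check: %d %d\n", password_ok(h(password), password), password_ok(h(password), 2313));
    return 0;
}
```

The subtraction and re-addition are exact here because every value involved is a small integer-valued double; for constants with fractional parts the recovered value is correct to within one unit in the last place, which is harmless for the solver but worth knowing when a recovered constant is later compared for equality.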
Apply the method to obfuscation
• Define an array of function pointers
• Let the password determine which functions are called, by giving the address to the corresponding pointers
#include <stdio.h>
#include <math.h>
#define c0 0
#define c1 1
#define c2 2
#define c3 3
double temp; int (*a[4])();
double b, c, root1, root2;
int step0() { temp = sqrt(b*b - 4.0*c); return 0; }
int step1() { root1 = (-b + temp) / 2.0; return 0; }
int step2() { root2 = (-b - temp) / 2.0; return 0; }
int quadratic() { a[c0](); a[c1](); a[c2](); return 0; }
int main() { // assign function pointers to the array a[] below
    a[0] = step0;
    a[1] = step1;
    a[2] = step2;
    a[3] = quadratic;
    scanf("%lf %lf", &b, &c);
    a[c3]();                      // runs quadratic() through the table
    printf("%lf, %lf\n", root1, root2);
    return 0;
}
Method 3
• Select multiple constants and change them (offline):
c1' ← c1 - h(password+1); c2' ← c2 - h(password+2);
c3' ← c3 - h(password+3); c4' ← c4 - h(password+4);
• Recover them from the correct password (online):
c1 ← c1' + h(password+1); c2 ← c2' + h(password+2);
c3 ← c3' + h(password+3); c4 ← c4' + h(password+4);
Conclusions
• Protect software by password
Method 1: change multiple constants
Method 2: Rearrange multiple constants
• Future research: Protect software by hardware
The End
Thank You
Client and Server
[Figure: several clients connected to one server]
[Figure: protocol stack on each host. Web client and web server speak the application protocol; TCP to TCP the TCP protocol; IP to IP the IP protocol; Ethernet driver to Ethernet driver the Ethernet protocol over the Ethernet.]
[Figure: routers A to E forwarding packets between destinations D1, D2 and D3]
Design Philosophy
• FTP, WEB: application service
• TCP: reliable transport service
• IP: connectionless packet delivery service
Port Number
• TCP allows multiple application programs on a machine
• The port number identifies the ultimate destination within a machine
• An end point is represented by (host_ip_address, port)
Learn Networking
• Packet header
• Buffer management
TCP client and TCP server
Server: socket(), bind(), listen(), accept()
Client: socket(), connect(); the connection is established
Client write() sends the data request; server read() receives it
Server write() sends the data reply; client read() receives it
Client close() sends the end notification; server read() sees it and the server close()s
TCP handshaking
Client: socket, connect (blocks)
Server: socket, bind, listen, accept (blocks)
connect returns on the client; accept returns on the server; the server then read()s (blocks)
TCP sends packets
Client: send packet1. Server: receive packet1, send ACK1
Client: receive ACK1, send packet2. Server: receive packet2, send ACK2
Client: receive ACK2
Sliding Window Algorithm
[Figure: packets p1 ... p12 with a window covering a few consecutive packets; the window slides to the right.]
Only the packets inside the window are sent at one moment
The window moves right after the leftmost packet is acknowledged
Algorithm Properties
• Remember which packets are unacknowledged
• Move past all acknowledged packets
• Retransmit a lost packet when its timer expires
• The window size changes based on the bandwidth
Example of window size four
Sender: send p1, send p2, send p3, send p4
Receiver: receive p1, send A1; receive p2, send A2; receive p3, send A3; receive p4, send A4
Sender: receive A1, receive A2, receive A3, receive A4
TCP segment format
| Source port (16b) | Destination port (16b) |
| Sequence number (32b) |
| Acknowledgement number (32b) |
| Hlen (4b) | Reserved (6b) | Code bits (6b) | Window (16b) |
| Checksum (16b) | …. |
| Data |
TCP Header
• Source port: TCP port number of the source end
• Destination port: TCP port number of the destination end
• Sequence number: position in the sender's byte stream
• Acknowledgement number: the byte number the receiver expects next
• Hlen: length of the header measured in 32-bit words (usually 20 bytes)
• Code bits: purpose of the segment, such as reset connection, end of the byte stream, etc.
• Window: buffer size
• Checksum: data integrity
Internet Protocol (IP)
• Unreliable, connectionless delivery
• Routing over the internet
• Rules for unreliable delivery: send an error message, discard the packet
IP datagram format
| Vers (4b) | Hlen (4b) | ServiceType (8b) | TotalLength (16b) |
| Identification (16b) | Flags (4b) | FragmentOffset (12b) |
| TimeToLive (8b) | Protocol (8b) | HeaderChecksum (16b) |
| SourceIPAddress (32b) |
| DestinationIPAddress (32b) |
| IPOptions (24b) | Padding (8b) |
| Data ……. |
IP
• Vers: IP version used to create the datagram
• Hlen: datagram header length measured in 32-bit words
• ServiceType: precedence (3b), D (1b), T (1b), R (1b)
• TotalLength: the total length of the datagram in bytes
• Identification: determines which datagram a fragment belongs to
• FragmentOffset: offset in the original datagram
• Checksum: header integrity
• TimeToLive: maximum time to stay on the internet; decreased by one by each router.
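Every field in the two headers above has to be read off a byte buffer, and a parser that trusts the length fields is the classic source of memory-safety bugs in packet-handling code. The C program below is an added example (not from the slides) that parses an IPv4 header and the TCP header after it, checking each length field against the bytes actually available before using it, verifying the header checksum with the RFC 791 one's-complement sum, and rejecting truncated input. It follows the RFC 791 layout for the flags/fragment-offset word (3 flag bits and a 13-bit offset). The 40-byte SYN packet is constructed for the example, with its checksum precomputed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    unsigned version, ihl_bytes, ttl, protocol, flags, frag_offset;
    uint16_t total_length, identification;
    uint32_t src_ip, dst_ip;
    int checksum_ok;
} ipv4_hdr_t;

typedef struct {
    uint16_t src_port, dst_port, window, checksum;
    uint32_t seq, ack;
    unsigned data_offset_bytes, flags;   /* flags byte holds the code bits */
} tcp_hdr_t;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* RFC 791 header checksum: one's-complement sum of 16-bit words; a good header gives 0 */
uint16_t ip_checksum(const uint8_t *p, size_t n) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < n; i += 2) sum += be16(p + i);
    if (n & 1) sum += (uint32_t)p[n - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Returns the header length consumed, or -1 if a length field disagrees with the buffer */
int parse_ipv4(const uint8_t *buf, size_t len, ipv4_hdr_t *h) {
    if (len < 20) return -1;
    h->version = buf[0] >> 4;
    h->ihl_bytes = (buf[0] & 0x0f) * 4;
    if (h->version != 4 || h->ihl_bytes < 20 || h->ihl_bytes > len) return -1;
    h->total_length = be16(buf + 2);
    if (h->total_length < h->ihl_bytes || h->total_length > len) return -1;
    h->identification = be16(buf + 4);
    h->flags = buf[6] >> 5;                      /* 3 flag bits (reserved, DF, MF) */
    h->frag_offset = be16(buf + 6) & 0x1fff;     /* 13-bit offset in 8-byte units */
    h->ttl = buf[8];
    h->protocol = buf[9];
    h->src_ip = be32(buf + 12);
    h->dst_ip = be32(buf + 16);
    h->checksum_ok = (ip_checksum(buf, h->ihl_bytes) == 0);
    return (int)h->ihl_bytes;
}

int parse_tcp(const uint8_t *buf, size_t len, tcp_hdr_t *t) {
    if (len < 20) return -1;
    t->src_port = be16(buf);
    t->dst_port = be16(buf + 2);
    t->seq = be32(buf + 4);
    t->ack = be32(buf + 8);
    t->data_offset_bytes = (buf[12] >> 4) * 4;   /* Hlen in 32-bit words */
    if (t->data_offset_bytes < 20 || t->data_offset_bytes > len) return -1;
    t->flags = buf[13];
    t->window = be16(buf + 14);
    t->checksum = be16(buf + 16);
    return (int)t->data_offset_bytes;
}

/* Parse IPv4 + TCP from a raw buffer; 0 on success, -1 on anything malformed */
int parse_packet(const uint8_t *buf, size_t len, ipv4_hdr_t *ip, tcp_hdr_t *tcp) {
    int n = parse_ipv4(buf, len, ip);
    if (n < 0 || ip->protocol != 6) return -1;
    return parse_tcp(buf + n, ip->total_length - (size_t)n, tcp) < 0 ? -1 : 0;
}

/* Constructed sample (not a capture): SYN from 192.168.0.1:443 to 10.0.0.2:49152 */
const uint8_t SAMPLE_SYN[40] = {
    0x45,0x00,0x00,0x28, 0x1c,0x46,0x40,0x00, 0x40,0x06,0x53,0xdf,
    0xc0,0xa8,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x01,0xbb,0xc0,0x00, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02,0xff,0xff, 0x00,0x00,0x00,0x00
};

int main(void) {
    ipv4_hdr_t ip; tcp_hdr_t tcp;
    if (parse_packet(SAMPLE_SYN, sizeof SAMPLE_SYN, &ip, &tcp) == 0)
        printf("ttl=%u proto=%u csum_ok=%d %u -> %u flags=0x%02x\n",
               ip.ttl, ip.protocol, ip.checksum_ok, tcp.src_port, tcp.dst_port, tcp.flags);
    printf("truncated copy: %d\n", parse_packet(SAMPLE_SYN, 30, &ip, &tcp));
    return 0;
}
```

Passing the same packet with a shorter length, as the last line does, is the test that matters: a header whose TotalLength or Hlen claims more bytes than were received must be refused before any field beyond the received bytes is read.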
IP routing
• Find a path to send the packet
• Routing table
• Routing protocols
[Figure: machines M connected through several routers]
Socket Address
• struct in_addr {
      in_addr_t s_addr;           // 32-bit IPv4 address
  };
• struct sockaddr_in {
      uint8_t        sin_len;     // length of structure
      sa_family_t    sin_family;  // AF_INET
      in_port_t      sin_port;    // 16-bit port number
      struct in_addr sin_addr;    // 32-bit IPv4 address
      char           sin_zero[8]; // unused
  };
Generic Socket Address
• struct sockaddr {
      uint8_t     sa_len;
      sa_family_t sa_family;      // address family: AF_xx
      char        sa_data[14];    // protocol-specific address
  };
bind()
• #include <sys/socket.h>
• int bind(int sockfd, const struct sockaddr *myaddr, socklen_t addrlen)
• Assigns a local protocol address to a socket
listen()
• #include <sys/socket.h>
• int listen(int sockfd, int backlog)
• Returns 0 if OK, -1 on error
• Converts an unconnected socket into a passive socket, indicating that the kernel should accept incoming connection requests
listen()
• sockfd: socket descriptor returned by the socket function
• backlog: maximum sum of two queues
  incomplete connection queue: connections before the third handshake
  completed connection queue: connections after the third handshake
Two Queues for Connection
[Figure: an arriving SYN places the connection in TCP's incomplete-connection queue; once the handshake completes it moves to the completed-connection queue, from which the server's accept() takes it.]
accept()
• #include <sys/socket.h>
• int accept(int sockfd, struct sockaddr *cliaddr, socklen_t *addrlen)
• Called by the TCP server to return the completed connection at the front of the completed-connection queue
connect()
• #include <sys/socket.h>
• int connect(int sockfd, const struct sockaddr *servaddr, socklen_t addrlen);
• Returns 0 if OK, -1 on error
• Establishes a connection with a TCP server
connect()
• sockfd: socket descriptor returned by the socket function
• servaddr: socket address structure with the IP address and port number of the server
• addrlen: the length of the socket address structure
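The calls above are easy to misuse: sockaddr_in must be zeroed before use, the port must be converted to network byte order, every return value must be checked, and the addrlen argument of accept() is value-result and has to be initialised. The following C code is an added example (not from the slides or from the Stevens sources) that wraps the socket/bind/listen/accept sequence with those checks; it assumes a POSIX system and uses inet_pton() to parse the dotted-quad address. The address and port are constructed for the example.

```c
#define _POSIX_C_SOURCE 200112L
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Fill an IPv4 socket address: 0 on success, -1 for a bad dotted quad or port. */
int make_addr(const char *ip, unsigned port, struct sockaddr_in *sa) {
    if (port == 0 || port > 65535) return -1;
    memset(sa, 0, sizeof *sa);                 /* clears sin_zero and any padding */
    sa->sin_family = AF_INET;
    sa->sin_port = htons((uint16_t)port);      /* port in network byte order */
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -1;
}

/* socket -> bind -> listen with every return value checked; the listening fd or -1 */
int make_listener(const char *ip, unsigned port, int backlog) {
    struct sockaddr_in sa;
    if (make_addr(ip, port, &sa) < 0) return -1;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, backlog) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* accept() one connection; addrlen is value-result and must be initialised */
int accept_one(int lfd, struct sockaddr_in *cli) {
    socklen_t len = sizeof *cli;
    return accept(lfd, (struct sockaddr *)cli, &len);
}

int main(void) {
    struct sockaddr_in sa, cli;
    if (make_addr("127.0.0.1", 8080, &sa) == 0)
        printf("port 8080 in network order: 0x%04x\n", (unsigned)sa.sin_port);
    int lfd = make_listener("127.0.0.1", 8080, 16);
    if (lfd < 0) { perror("make_listener"); return 1; }
    printf("listening on 127.0.0.1:8080\n");
    int cfd = accept_one(lfd, &cli);
    if (cfd >= 0) {
        char text[INET_ADDRSTRLEN];
        inet_ntop(AF_INET, &cli.sin_addr, text, sizeof text);
        printf("client %s:%u\n", text, ntohs(cli.sin_port));
        close(cfd);
    }
    close(lfd);
    return 0;
}
```

Binding to 127.0.0.1 rather than INADDR_ANY is itself a security decision: a service that only needs local clients should not be reachable from every interface.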
A web site for source code
• Address:
http://www.kohala.com/start/unpv12e.html
• Download Source code
• Execute the commands in README
• Book: Unix Network Programming,
by Richard Stevens
Cryptography and Network
Security
Third Edition
by William Stallings
Lecture slides by Lawrie Brown
IP Security
• have considered some application specific
security mechanisms
– eg. Kerberos, SSL/HTTPS
• however there are security concerns that cut
across protocol layers
• would like security implemented by the
network for all applications
IPSec
• general IP Security mechanisms
• provides
– authentication
– confidentiality
– key management
• applicable to use over LANs, across public
& private WANs, & for the Internet
IPSec Uses
Benefits of IPSec
• in a firewall/router provides strong security
to all traffic crossing the perimeter
• is resistant to bypass
• is below transport layer, hence transparent
to applications
• can be transparent to end users
• can provide security for individual users if
desired
IP Security Architecture
• specification is quite complex
• defined in numerous RFC’s
– incl. RFC 2401/2402/2406/2408
– many others, grouped by category
• mandatory in IPv6, optional in IPv4
IPSec Services
• Access control
• Connectionless integrity
• Data origin authentication
• Rejection of replayed packets
– a form of partial sequence integrity
• Confidentiality (encryption)
• Limited traffic flow confidentiality
Security Associations
• a one-way relationship between sender &
receiver that affords security for traffic flow
• defined by 3 parameters:
– Security Parameters Index (SPI)
– IP Destination Address
– Security Protocol Identifier
• has a number of other parameters
– seq no, AH & EH info, lifetime etc
• have a database of Security Associations
Authentication Header (AH)
• provides support for data integrity &
authentication of IP packets
– end system/router can authenticate user/app
– prevents address spoofing attacks by tracking
sequence numbers
• based on use of a MAC
– HMAC-MD5-96 or HMAC-SHA-1-96
• parties must share a secret key
Original IP
• Before AH
IPv4: [Orig IP hdr][TCP][Data]
IPv6: [Orig IP hdr][ext hdrs (dest, routing)][dest][TCP][Data]
Transport Mode AH
• After AH
IPv4: [Orig IP hdr][AH][TCP][Data]; authenticated except for mutable fields in the IP header
IPv6: [Orig IP hdr][ext hdrs (dest, routing)][AH][dest][TCP][Data]; authenticated except for mutable fields
Tunnel Mode AH
• Format
IPv4: [New IP hdr][AH][Orig IP hdr][TCP][Data]; authenticated except for mutable fields in the new IP header
IPv6: [New IP hdr][ext headers][AH][Orig IP hdr][ext headers][TCP][Data]; authenticated except for mutable fields in the new IP header
Authentication Header
Transport & Tunnel Modes
Encapsulating Security Payload
(ESP)
• provides message content confidentiality &
limited traffic flow confidentiality
• can optionally provide the same
authentication services as AH
• supports range of ciphers, modes, padding
– incl. DES, Triple-DES, RC5, IDEA, CAST etc
– CBC most common
– pad to meet blocksize, for traffic flow
Encapsulating Security Payload
Transport vs Tunnel Mode ESP
• transport mode is used to encrypt &
optionally authenticate IP data
– data protected but header left in clear
– can do traffic analysis but is efficient
– good for ESP host to host traffic
• tunnel mode encrypts entire IP packet
– add new header for next hop
– good for VPNs, gateway to gateway security
Transport Mode ESP
• Format
IPv4: [Orig IP hdr][ESP hdr][TCP][Data][ESP trlr][ESP auth]; encrypted: TCP, Data, ESP trlr; authenticated: ESP hdr through ESP trlr
IPv6: [Orig IP hdr][ext hdrs (dest, routing)][ESP hdr][dest][TCP][Data][ESP trlr][ESP auth]; encrypted: dest, TCP, Data, ESP trlr; authenticated: ESP hdr through ESP trlr
Tunnel Mode ESP
• Format
IPv4: [New IP hdr][ESP hdr][Orig IP hdr][TCP][Data][ESP trlr][ESP auth]; encrypted: Orig IP hdr through ESP trlr; authenticated: ESP hdr through ESP trlr
IPv6: [New IP hdr][ext hdrs][ESP hdr][Orig IP hdr][ext hdrs][TCP][Data][ESP trlr][ESP auth]; encrypted: Orig IP hdr through ESP trlr; authenticated: ESP hdr through ESP trlr
Items
• ESP trailer: padding, pad length, etc.
• ESP auth: ESP authentication data.
Combining Security Associations
• SA’s can implement either AH or ESP
• to implement both need to combine SA’s
– form a security bundle
• have 4 cases (see next)
Combining Security Associations
Key Management
• handles key generation & distribution
• typically need 2 pairs of keys
– 2 per direction for AH & ESP
• manual key management
– sysadmin manually configures every system
• automated key management
– automated system for on demand creation of
keys for SA’s in large systems
– has Oakley & ISAKMP elements
Oakley
• a key exchange protocol
• based on Diffie-Hellman key exchange
• adds features to address weaknesses
– cookies, groups (global params), nonces, DH
key exchange with authentication
• can use arithmetic in prime fields or elliptic
curve fields
ISAKMP
• Internet Security Association and Key
Management Protocol
• provides framework for key management
• defines procedures and packet formats to
establish, negotiate, modify, & delete SAs
• independent of key exchange protocol,
encryption alg, & authentication method
Diffie-Hellman Key Exchange
• Enables two users to establish a shared secret key securely
• Published in 1976
• Commercial products available
Global Public Elements
• Prime number $q$
• Primitive root $\alpha$ of $q$
($\alpha, \alpha^2, \alpha^3, \ldots, \alpha^{q-1} \pmod q$ is a permutation of $1, 2, 3, \ldots, q-1$)
User A Key Generation
• Select private $X_A$, $X_A < q$
• Compute public $Y_A = \alpha^{X_A} \pmod q$
User B Key Generation
• Select private $X_B$, $X_B < q$
• Compute public $Y_B = \alpha^{X_B} \pmod q$
User A Key Generation
• A computes the shared secret key:
$K = (Y_B)^{X_A} \pmod q = (\alpha^{X_B} \bmod q)^{X_A} \pmod q = (\alpha^{X_B})^{X_A} \pmod q = \alpha^{X_B X_A} \pmod q$
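The exchange above carried through in code, as an added example that is not part of the original slides: both sides compute $K$ in the slide's notation, and the primitive-root condition is checked by brute force. The worked parameters $q = 353$, $\alpha = 3$, $X_A = 97$, $X_B = 233$ are small constructed values; real use needs a large $q$.

```python
"""Diffie-Hellman key exchange in the slide's notation: q, alpha, X_A, Y_A, X_B, Y_B, K.

Added example, not from the slides. The numbers are small so that the
primitive-root check can be done by brute force; real use needs a large q.
"""
import secrets


def is_primitive_root(alpha: int, q: int) -> bool:
    """alpha is a primitive root of prime q iff alpha^1 .. alpha^(q-1) mod q is a
    permutation of 1 .. q-1 (the slide's definition, checked by brute force)."""
    return sorted(pow(alpha, i, q) for i in range(1, q)) == list(range(1, q))


def public_value(q: int, alpha: int, x: int) -> int:
    """Y = alpha^X mod q; sent in the clear."""
    return pow(alpha, x, q)


def shared_key(q: int, own_private: int, peer_public: int) -> int:
    """K = (Y_peer)^X_own mod q; an eavesdropper holding only Y_A and Y_B would have
    to solve a discrete logarithm to get X_A or X_B."""
    return pow(peer_public, own_private, q)


def random_private(q: int) -> int:
    """A fresh private value 1 <= X <= q-2 (X < q as on the slide; q-1 is excluded
    because alpha^(q-1) = 1 would leak a trivial public value)."""
    return 1 + secrets.randbelow(q - 2)


def exchange(q: int, alpha: int, x_a: int, x_b: int) -> dict:
    """Run both sides with the given private values and return every quantity."""
    if not is_primitive_root(alpha, q):
        raise ValueError("alpha must be a primitive root of q")
    y_a = public_value(q, alpha, x_a)     # A -> B
    y_b = public_value(q, alpha, x_b)     # B -> A
    k_a = shared_key(q, x_a, y_b)         # A computes (Y_B)^X_A mod q
    k_b = shared_key(q, x_b, y_a)         # B computes (Y_A)^X_B mod q
    return {"Y_A": y_a, "Y_B": y_b, "K_A": k_a, "K_B": k_b}
```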
Final Presentation
• Find a related security paper from the last five years published in a good journal or conference
• Read it carefully.
• Describe the security problem it deals with
• Describe the solution
• Possible future development
• Find the current background in that line of work.
• Everyone talks for about 30 minutes
• No single paper can be shared by two people.
Evaluation
• Presentation
• The quality of the paper that you selected
• The slides that you made
• Problem and solution.
• Your effort in proposing a future research plan on a similar topic.
Aggressive Key Exchange
• The communications:
I → R: CKY_I, OK_KEYX, GRP, g^x, EHAO, NIDP, ID_I, ID_R, N_I, S_{K_I}[ID_I || ID_R || N_I || GRP || g^x || EHAO]
R → I: CKY_R, OK_KEYX, GRP, g^y, EHAS, NIDP, ID_R, ID_I, N_R, N_I, S_{K_R}[ID_R || ID_I || N_R || N_I || GRP || g^y || g^x || EHAS]
I → R: CKY_I, CKY_R, OK_KEYX, GRP, g^x, EHAO, NIDP, ID_I, ID_R, N_I, N_R, S_{K_I}[ID_I || ID_R || N_I || GRP || g^x || g^y || EHAS]
Protocol for Key Management
• The communications:
I → R: CKY_I, OK_KEYX, GRP, g^x, EHAO, NIDP, ID_I, ID_R, N_I, S_{K_I}[ID_I || ID_R || N_I || GRP || g^x || EHAO]
Protocol for Key Management
• The communications:
R → I: CKY_R, OK_KEYX, GRP, g^y, EHAS, NIDP, ID_R, ID_I, N_R, N_I, S_{K_R}[ID_R || ID_I || N_R || N_I || GRP || g^y || g^x || EHAS]
Protocol for Key Management
• The communications:
I → R: CKY_I, CKY_R, OK_KEYX, GRP, g^x, EHAO, NIDP, ID_I, ID_R, N_I, N_R, S_{K_I}[ID_I || ID_R || N_I || GRP || g^x || g^y || EHAS]
• I = Initiator
• R = Responder
• CKY_I, CKY_R = Initiator, responder cookies
• OK_KEYX = Key exchange message type
• GRP = Name of Diffie-Hellman group for this exchange
• g^x, g^y = Public key of initiator, responder
• EHAO, EHAS = Encryption, hash, authentication functions, offered and selected
• NIDP = Indicates encryption is not used for the remainder of this message
• N_I, N_R = Random nonce supplied by initiator, responder
• S_{K_I}[X], S_{K_R}[X] = Signature over X using the private key (signing key) of initiator, responder
ISAKMP
Summary
• have considered:
– IPSec security framework
– AH
– ESP
– key management & Oakley/ISAKMP
Chapter 17 – Web Security
Web Security
• Web now widely used by business,
government, individuals
• but Internet & Web are vulnerable
• have a variety of threats
– integrity
– confidentiality
– denial of service
– authentication
• need added security mechanisms
SSL (Secure Socket Layer)
• transport layer security service
• originally developed by Netscape
• version 3 designed with public input
• subsequently became Internet standard
known as TLS (Transport Layer Security)
• uses TCP to provide a reliable end-to-end
service
• SSL has two layers of protocols
SSL Architecture
SSL Architecture
• SSL session
– an association between client & server
– created by the Handshake Protocol
– define a set of cryptographic parameters
– may be shared by multiple SSL connections
• SSL connection
– a transient, peer-to-peer, communications link
– associated with 1 SSL session
Parameters for a session
• Session identifier:
• Peer Certificate: An X.509v3 certificate
• Compression method
• Cipher spec: data encryption algorithm and hash
• Master key: 48 bits shared between client and server
• Is resumable: whether the session can be used for new connections
Parameters for a connection
• Server and client random: chosen for each
connection
• Server write MAC secret key: Used for MAC
• Client write MAC secret key: Used for MAC
• Server write key: Used for encryption
• Client write key: Used for encryption
• Initialization vector:
• Sequence number: for each transmitted message
SSL Record Protocol
• confidentiality
– using symmetric encryption with a shared
secret key defined by Handshake Protocol
– IDEA, RC2-40, DES-40, DES, 3DES,
Fortezza, RC4-40, RC4-128
– message is compressed before encryption
• message integrity
– using a MAC with shared secret key
– similar to HMAC but with different padding
SSL Record Format
• Header: Content type | Major version | Minor version | Compressed length
• Plaintext (optionally compressed)
• MAC (0, 16, or 20 bytes)
• The plaintext and the MAC are encrypted; the header is sent in the clear
SSL Record Operation
• application data
• fragment
• compress
• add MAC
• encrypt
• append SSL record header
SSL Change Cipher Spec Protocol
• one of 3 SSL specific protocols which use
the SSL Record protocol
• a single message
• causes pending state to become current
• hence updating the cipher suite in use
SSL Alert Protocol
• conveys SSL-related alerts to peer entity
• severity
– warning or fatal
• specific alert
– always fatal: unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter
– warnings: close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown
• compressed & encrypted like all SSL data
SSL Handshake Protocol
• allows server & client to:
– authenticate each other
– to negotiate encryption & MAC algorithms
– to negotiate cryptographic keys to be used
• comprises a series of messages in phases
– Establish Security Capabilities
– Server Authentication and Key Exchange
– Client Authentication and Key Exchange
– Finish
SSL Handshake Protocol
Phase 1
• Establish security capabilities, including
protocol version, session ID, cipher suite,
compression method, and initial random
numbers
Phase 2
• Server may send certificate, key exchange,
and request certificate. Server signals end of
hello message phase
Phase 2 Format
• Server parameters: about certificate, key-exchange protocol (Diffie-Hellman)
• Hash(ClientHello.random || ServerHello.random || ServerParams)
Phase 3
• Client sends certificate if requested. Client
sends key exchange. Client may send
certificate verification
Phase 4
• Change cipher suite and finish handshake
protocol.
TLS (Transport Layer Security)
• IETF standard RFC 2246 similar to SSLv3
• with minor differences
– in record format version number
– uses HMAC for MAC
– a pseudo-random function expands secrets
– has additional alert codes
– some changes in supported ciphers
– changes in certificate negotiations
– changes in use of padding
Secure Electronic Transactions
(SET)
• open encryption & security specification
• to protect Internet credit card transactions
• developed in 1996 by Mastercard, Visa etc
• not a payment system
• rather a set of security protocols & formats
– secure communications amongst parties
– trust from use of X.509v3 certificates
– privacy by restricted info to those who need it
SET Components
SET Transaction
1. customer opens account
2. customer receives a certificate
3. merchants have their own certificates
4. customer places an order
5. merchant is verified
6. order and payment are sent
7. merchant requests payment authorization
8. merchant confirms order
9. merchant provides goods or service
10. merchant requests payment
Dual Signature
• customer creates dual messages
– order information (OI) for merchant
– payment information (PI) for bank
• neither party needs details of other
• but must know they are linked
• use a dual signature for this
– signed concatenated hashes of OI & PI
Dual Signature
• $DS = E(PR_c, [H(H(PI) \,\|\, H(OI))])$
• PI: Payment information (credit card number, etc)
• OI: Order information
• H: Hashing function
• $PR_c$: Private key of the customer
Digests
• OIMD $= H(OI)$: Order information digest.
• PIMD $= H(PI)$: Payment information digest.
• POMD $= H(H(PI) \,\|\, H(OI))$: Payment order message digest.
Purchase Request – Customer
Purchase Request – Merchant
Purchase Request – Merchant
1. verifies cardholder certificates using CA sigs
2. verifies dual signature using customer's public
signature key to ensure order has not been
tampered with in transit & that it was signed
using cardholder's private signature key
3. processes order and forwards the payment
information to the payment gateway for
authorization (described later)
4. sends a purchase response to cardholder
Payment Gateway Authorization
1. verifies all certificates
2. decrypts digital envelope of authorization block to obtain
symmetric key & then decrypts authorization block
3. verifies merchant's signature on authorization block
4. decrypts digital envelope of payment block to obtain
symmetric key & then decrypts payment block
5. verifies dual signature on payment block
6. verifies that transaction ID received from merchant
matches that in PI received (indirectly) from customer
7. requests & receives an authorization from issuer
8. sends authorization response back to merchant
Payment Capture
• merchant sends payment gateway a
payment capture request
• gateway checks request
• then causes funds to be transferred to
merchants account
• notifies merchant using capture response
Summary
• have considered:
– need for web security
– SSL/TLS transport layer security protocols
– SET secure credit card payment protocols
A new authentication
• Public key approach: every message has a unique signature
• ElGamal scheme: every message has multiple valid signatures (one per choice of the random $k$)
ElGamal Signature Scheme
Let $p$ be a prime.
Let $\alpha$ be a primitive root of $p$.
Let $a$ be a secret number.
$\beta = \alpha^{a} \pmod p$
$K = (p, \alpha, a, \beta)$
Public: $p, \alpha, \beta$
Secret: $a$
ElGamal Signature Scheme
With $K = (p, \alpha, a, \beta)$
For a random $k$: $1 \le k \le p-1$ with $\gcd(k, p-1) = 1$ (so that $k^{-1} \bmod (p-1)$ exists),
Define
$\gamma = \alpha^{k} \pmod p$
$\delta = (x - a\gamma)\,k^{-1} \pmod{p-1}$
$\mathrm{signature}_K(x, k) = (\gamma, \delta)$
ElGamal Signature Scheme
With $x$, $\gamma$ and $\delta$:
$\mathrm{verification}_K(x, \gamma, \delta) = \text{true} \iff \beta^{\gamma}\gamma^{\delta} \equiv \alpha^{x} \pmod p$
Explain
This is because
$\beta^{\gamma}\gamma^{\delta} \equiv \alpha^{a\gamma}\alpha^{k\delta} = \alpha^{a\gamma + k\delta} \equiv \alpha^{x} \pmod p$
Misuse One
If the random number $k$ is released, it is easy to get the secret number $a$:
$\delta = (x - a\gamma)\,k^{-1} \pmod{p-1}$
$k\delta \equiv x - a\gamma \pmod{p-1}$
$a \equiv (x - k\delta)\,\gamma^{-1} \pmod{p-1}$
Misuse Two
If the same $k$ is used for two signatures $(\gamma, \delta_1)$ and $(\gamma, \delta_2)$ for $x_1$ and $x_2$ respectively:
$\beta^{\gamma}\gamma^{\delta_1} \equiv \alpha^{x_1} \pmod p$
$\beta^{\gamma}\gamma^{\delta_2} \equiv \alpha^{x_2} \pmod p$
Misuse Two
From
$\beta^{\gamma}\gamma^{\delta_1} \equiv \alpha^{x_1} \pmod p$
$\beta^{\gamma}\gamma^{\delta_2} \equiv \alpha^{x_2} \pmod p$
we have
$\gamma^{\delta_1 - \delta_2} \equiv \alpha^{x_1 - x_2} \pmod p$
Since $\gamma \equiv \alpha^{k} \pmod p$,
$\alpha^{k(\delta_1 - \delta_2)} \equiv \alpha^{x_1 - x_2} \pmod p$
Misuse Two
It is equivalent to
$k(\delta_1 - \delta_2) \equiv x_1 - x_2 \pmod{p-1}$
Let $d = \gcd(\delta_1 - \delta_2,\ p-1)$
We have
$d \mid (\delta_1 - \delta_2)$
$d \mid (p-1)$
$d \mid (x_1 - x_2)$
Misuse Two
Let $x' = (x_1 - x_2)/d$, $\delta' = (\delta_1 - \delta_2)/d$ and $p' = (p-1)/d$.
We have
$x' \equiv k\delta' \pmod{p'}$
$k \equiv x'(\delta')^{-1} \pmod{p'}$
$k \equiv x'(\delta')^{-1} + i\,p' \pmod{p-1}$ for $i = 0, 1, 2, \ldots, d-1$
Select the one that satisfies $\gamma \equiv \alpha^{k} \pmod p$.
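The scheme and both misuses above carried through in code, as an added example that is not part of the original slides: it signs and verifies in the notation $(p, \alpha, a, \beta)$, $(\gamma, \delta)$, and one helper that solves $c\,z \equiv r \pmod m$ (exactly the $x'$, $\delta'$, $p'$ step of Misuse Two) serves Misuse One as well, which is why a leaked or reused $k$ gives away $a$. The parameters $p = 467$, $\alpha = 2$, $a = 127$ are small constructed values, and $x$ is taken to be an integer message digest already.

```python
"""ElGamal signatures in the slide's notation (p, alpha, a, beta; signature (gamma, delta)).

Added example, not from the slides. It signs and verifies, then reproduces Misuse
One (k leaked) and Misuse Two (k reused) to show why k must be fresh and secret.
Parameters are small constructed values; x is already an integer message digest.
"""
from math import gcd


def keygen(p: int, alpha: int, a: int) -> dict:
    """K = (p, alpha, a, beta) with beta = alpha^a mod p; the public part is (p, alpha, beta)."""
    return {"p": p, "alpha": alpha, "a": a, "beta": pow(alpha, a, p)}


def sign(K: dict, x: int, k: int) -> tuple:
    """gamma = alpha^k mod p, delta = (x - a*gamma) k^-1 mod (p-1)."""
    p = K["p"]
    if not (1 <= k <= p - 1) or gcd(k, p - 1) != 1:
        raise ValueError("k must be in [1, p-1] and invertible mod p-1")
    gamma = pow(K["alpha"], k, p)
    delta = ((x - K["a"] * gamma) * pow(k, -1, p - 1)) % (p - 1)
    return gamma, delta


def verify(K: dict, x: int, gamma: int, delta: int) -> bool:
    """True iff beta^gamma * gamma^delta == alpha^x (mod p); uses only public values."""
    p = K["p"]
    if not (1 <= gamma <= p - 1 and 0 <= delta <= p - 2):
        return False
    return (pow(K["beta"], gamma, p) * pow(gamma, delta, p)) % p == pow(K["alpha"], x, p)


def solve_congruence(c: int, r: int, m: int) -> list:
    """All z in [0, m) with c*z = r (mod m).  With d = gcd(c, m) a solution exists
    iff d | r, and then z = (r/d)(c/d)^-1 + i*(m/d) for i = 0..d-1: the slide's
    x' = r/d, delta' = c/d, p' = m/d."""
    d = gcd(c, m)
    if r % d:
        return []
    mp = m // d
    base = 0 if mp == 1 else ((r // d) * pow((c // d) % mp, -1, mp)) % mp
    return [(base + i * mp) % m for i in range(d)]


def misuse_one(K: dict, x: int, gamma: int, delta: int, k: int):
    """k leaked: gamma*a = x - k*delta (mod p-1); keep the candidate a with alpha^a = beta.
    Only the public part of K is read."""
    p = K["p"]
    for a in solve_congruence(gamma, x - k * delta, p - 1):
        if pow(K["alpha"], a, p) == K["beta"]:
            return a
    return None


def misuse_two(K: dict, x1: int, delta1: int, x2: int, delta2: int, gamma: int):
    """k reused: (delta1 - delta2)*k = x1 - x2 (mod p-1); keep the k with alpha^k = gamma.
    Only the public part of K is read; chain with misuse_one to recover a."""
    p = K["p"]
    for k in solve_congruence(delta1 - delta2, x1 - x2, p - 1):
        if pow(K["alpha"], k, p) == gamma:
            return k
    return None
```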
Digital Signature Standard
Let $p$ be a prime of 512 bits.
Let $q$ be a prime of 160 bits with $q \mid (p-1)$.
Let $\alpha$ be a $q$-th root of 1 modulo $p$: $\alpha^{q} \equiv 1 \pmod p$.
Let $a$ be a secret number, $1 \le a \le q-1$.
$\beta = \alpha^{a} \pmod p$
$K = (p, q, \alpha, a, \beta)$
Public: $p, q, \alpha, \beta$
Secret: $a$
Digital Signature Standard
With $K = (p, q, \alpha, a, \beta)$
For a random $k$: $1 \le k \le p-1$,
Define
$\gamma = (\alpha^{k} \bmod p) \bmod q$
$\delta = (x + a\gamma)\,k^{-1} \pmod q$
$e_1 = x\,\delta^{-1} \pmod q$
$e_2 = \gamma\,\delta^{-1} \pmod q$
$\mathrm{signature}_K(x, k) = (\gamma, \delta)$
Digital Signature Standard
With $x$, $\gamma$ and $\delta$:
$\mathrm{verification}_K(x, \gamma, \delta) = \text{true} \iff (\alpha^{e_1}\beta^{e_2} \bmod p) \bmod q = \gamma$
Explain
This is because
$\alpha^{e_1}\beta^{e_2} \equiv \alpha^{x\delta^{-1}}\alpha^{a\gamma\delta^{-1}} = \alpha^{(x + a\gamma)\delta^{-1}} \equiv \alpha^{k} \pmod p$
Chapter 16 – IP Security
If a secret piece of news is divulged by a spy
before the time is ripe, he must be put to death,
together with the man to whom the secret was
told.
—The Art of War, Sun Tzu
Intrusion Detection
Cryptography and Network
Security
Third Edition
by William Stallings
Lecture slides by Lawrie Brown
Chapter 18 – Intruders
They agreed that Graham should set the test for Charles
Mabledene. It was neither more nor less than that
Dragon should get Stern's code. If he had the 'in' at
Utting which he claimed to have this should be
possible, only loyalty to Moscow Centre would
prevent it. If he got the key to the code he would
prove his loyalty to London Central beyond a doubt.
—Talking to Strange Men, Ruth Rendell
Intruders
• significant issue for networked systems is
hostile or unwanted access
• either via network or local
• can identify classes of intruders:
– masquerader
– misfeasor
– clandestine user
• varying levels of competence
Intruders
• clearly a growing publicized problem
– from “Wily Hacker” in 1986/87
– to clearly escalating CERT stats
• may seem benign, but still cost resources
• may use compromised system to launch
other attacks
Intrusion Techniques
• aim to increase privileges on system
• basic attack methodology
– target acquisition and information gathering
– initial access
– privilege escalation
– covering tracks
• key goal often is to acquire passwords
• so then exercise access rights of owner
Password Guessing
• one of the most common attacks
• attacker knows a login (from email/web page etc)
• then attempts to guess password for it
– try default passwords shipped with systems
– try all short passwords
– then try by searching dictionaries of common words
– intelligent searches try passwords associated with the user
(variations on names, birthday, phone, common words/interests)
– before exhaustively searching all possible passwords
• check by login attempt or against stolen password file
• success depends on password chosen by user
• surveys show many users choose poorly
Password Capture
• another attack involves password capture
– watching over shoulder as password is entered
– using a trojan horse program to collect
– monitoring an insecure network login (eg. telnet, FTP,
web, email)
– extracting recorded info after successful login (web
history/cache, last number dialed etc)
• using valid login/password can impersonate user
• users need to be educated to use suitable
precautions/countermeasures
Intrusion Detection
• inevitably will have security failures
• so need also to detect intrusions so can
– block if detected quickly
– act as deterrent
– collect info to improve security
• assume intruder will behave differently to a
legitimate user
– but will have imperfect distinction between
Approaches to Intrusion Detection
• statistical anomaly detection
– threshold
– profile based
• rule-based detection
– anomaly
– penetration identification
Audit Records
• fundamental tool for intrusion detection
• native audit records
– part of all common multi-user O/S
– already present for use
– may not have info wanted in desired form
• detection-specific audit records
– created specifically to collect wanted info
– at cost of additional overhead on system
Statistical Anomaly Detection
• threshold detection
– count occurrences of specific event over time
– if exceed reasonable value assume intrusion
– alone is a crude & ineffective detector
• profile based
– characterize past behavior of users
– detect significant deviations from this
– profile usually multi-parameter
Audit Record Analysis
• foundation of statistical approaches
• analyze records to get metrics over time
– counter, gauge, interval timer, resource use
• use various tests on these to determine if
current behavior is acceptable
– mean & standard deviation, multivariate,
markov process, time series, operational
• key advantage is no prior knowledge used
Examples
• Counter: number of logins by a single user
• Gauge: number of outgoing messages for a user
process
• Interval timer: length of time between successive
logins to an account.
• Resource utilization: number of pages printed during
a user session and time consumed by a program
execution.
Rule-Based Intrusion Detection
• observe events on system & apply rules to
decide if activity is suspicious or not
• rule-based anomaly detection
– analyze historical audit records to identify
usage patterns & auto-generate rules for them
– then observe current behavior & match against
rules to see if conforms
– like statistical anomaly detection does not
require prior knowledge of security flaws
Rule-Based Intrusion Detection
• rule-based penetration identification
– uses expert systems technology
– with rules identifying known penetration,
weakness patterns, or suspicious behavior
– rules usually machine & O/S specific
– rules are generated by experts who interview &
codify knowledge of security admins
– quality depends on how well this is done
– compare audit records or states against rules
Rule examples
• Users should not read files in other users’ personal
directories.
• Users must not write other users’ files
• Users who log in after hours often access the same
files they used before
• Users do not generally open disk devices directly
but rely on high-level commands
• Users should not be logged in more than once to
the same system
• Users do not make copies of system programs
Base-Rate Fallacy
• practically an intrusion detection system
needs to detect a substantial percentage of
intrusions with few false alarms
– if too few intrusions detected -> false security
– if too many false alarms -> ignore / waste time
• this is very hard to do
• existing systems seem not to have a good
record
Distributed Intrusion Detection
• traditional focus is on single systems
• but typically have networked systems
• more effective defense has these working
together to detect intrusions
• issues
– dealing with varying audit record formats
– integrity & confidentiality of networked data
– centralized or decentralized architecture
Distributed Intrusion Detection -
Architecture
Distributed Intrusion Detection –
Agent Implementation
Honeypots
• decoy systems to lure attackers
– away from accessing critical systems
– to collect information about their activities
– to encourage attacker to stay on system so administrator
can respond
• are filled with fabricated information
• instrumented to collect detailed information on
attackers' activities
• may be single or multiple networked systems
Password Management
• front-line defense against intruders
• users supply both:
– login – determines privileges of that user
– password – to identify them
• passwords often stored encrypted
– Unix uses multiple DES (variant with salt)
– more recent systems use crypto hash function
Managing Passwords
• need policies and good user education
• ensure every account has a default password
• ensure users change the default passwords to
something they can remember
• protect password file from general access
• set technical policies to enforce good passwords
– minimum length (>6)
– require a mix of upper & lower case letters, numbers,
punctuation
– block known dictionary words
Managing Passwords
• may reactively run password guessing tools
– note that good dictionaries exist for almost any
language/interest group
• may enforce periodic changing of passwords
• have system monitor failed login attempts, &
lockout account if see too many in a short
period
• do need to educate users and get support
• balance requirements with user acceptance
• be aware of social engineering attacks
Proactive Password Checking
• most promising approach to improving
password security
• allow users to select own password
• but have system verify it is acceptable
– simple rule enforcement (see previous slide)
– compare against dictionary of bad passwords
– use algorithmic (markov model or bloom filter)
to detect poor choices
Conditional Probability
• $\Pr[A \mid B]$, $\Pr[AB]$, $\Pr[B]$
• $\Pr[A \mid B] = \dfrac{\Pr[AB]}{\Pr[B]}$
Bayes Theorem
• $E_1, E_2, \ldots, E_n$ are mutually exclusive events that together cover the sample space
• $\Pr[A] = \sum_{i=1}^{n} \Pr[A \mid E_i]\,\Pr[E_i]$
• $\Pr[E_i \mid A] = \dfrac{\Pr[A \mid E_i]\,\Pr[E_i]}{\Pr[A]} = \dfrac{\Pr[A \mid E_i]\,\Pr[E_i]}{\sum_{j=1}^{n} \Pr[A \mid E_j]\,\Pr[E_j]}$
Diagram
• Figure: the sample space partitioned into E1, E2, E3, E4
Dice
• Calculate the probability of a sum of 8 on the roll of two dice, given that at least one die is even
• A = {sum is 8}
• B = {at least one die is even}
• Pr[B] = (36 − 3×3)/36 = 3/4 (the 3×3 rolls with both dice odd are excluded)
• Pr[AB] = 3/36 = 1/12 for (2,6), (4,4) and (6,2)
• Pr[A|B] = Pr[AB]/Pr[B] = (1/12)/(3/4) = 1/9
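Added example, not part of the original slides: the conditional-probability and Bayes formulas above applied to the dice problem, and to the base-rate fallacy from the intrusion detection slides (where $E_1$ = intrusion, $E_2$ = no intrusion, $A$ = alarm). Exact fractions are used so the results match hand calculation; the detector's rates and the intrusion base rate in the test are constructed values.

```python
"""Conditional probability and Bayes' theorem in the notation of the slides, applied
to the dice example and to the base-rate fallacy of intrusion detection.

Added example, not from the slides. Exact fractions are used so the results can be
compared with the hand calculations; the IDS rates used with it are constructed values.
"""
from fractions import Fraction
from itertools import product


def conditional(event_a, event_b,  outcomes) -> Fraction:
    """Pr[A|B] = Pr[AB] / Pr[B] over a finite set of equally likely outcomes."""
    b = [o for o in outcomes if event_b(o)]
    ab = [o for o in b if event_a(o)]
    if not b:
        raise ValueError("Pr[B] = 0: conditional probability undefined")
    return Fraction(len(ab), len(b))


TWO_DICE = list(product(range(1, 7), repeat=2))   # the 36 equally likely rolls


def dice_sum_given_even(target: int) -> Fraction:
    """Pr[sum = target | at least one die even]: the slide's A and B with target = 8."""
    return conditional(lambda o: o[0] + o[1] == target,
                       lambda o: o[0] % 2 == 0 or o[1] % 2 == 0,
                       TWO_DICE)


def bayes(priors, likelihoods) -> list:
    """Pr[E_i|A] = Pr[A|E_i]Pr[E_i] / sum_j Pr[A|E_j]Pr[E_j] for a partition E_1..E_n.
    priors are Pr[E_i], likelihoods are Pr[A|E_i]; pass Fractions or decimal strings."""
    joint = [Fraction(l) * Fraction(p) for l, p in zip(likelihoods, priors)]
    pr_a = sum(joint)                      # the slide's Pr[A] = sum_i Pr[A|E_i]Pr[E_i]
    if pr_a == 0:
        raise ValueError("Pr[A] = 0: posterior undefined")
    return [j / pr_a for j in joint]


def intrusion_given_alarm(base_rate, detection_rate, false_alarm_rate) -> Fraction:
    """Base-rate fallacy: E_1 = intrusion, E_2 = no intrusion, A = alarm.
    Pr[intrusion | alarm] stays low when intrusions are rare, however good the
    detector is, because the false alarms on the huge benign traffic dominate."""
    base_rate = Fraction(base_rate)
    return bayes([base_rate, 1 - base_rate], [detection_rate, false_alarm_rate])[0]
```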
Problem
• Compute the probability that the sum of a roll of two dice is 7, given that at least one die is odd.
Summary
• have considered:
– problem of intrusion
– intrusion detection (statistical & rule-based)
– password management
Password Checking
• Let H(x) be a hashing function with the one-way property
• For a password y with id u, Z = H(y) is saved for u.
• When a password y' is typed for u, fetch Z and check whether Z = H(y')
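The check above, as an added example that is not part of the original slides: Z = H(y) is stored per user and the typed y' is re-hashed and compared. H is assumed to be PBKDF2-HMAC-SHA256 with a per-user random salt (the same idea as the salted Unix scheme mentioned under Password Management), and the password file is an in-memory dict.

```python
"""Password storage and checking as on the slide: store Z = H(y) for user u, and on
login compare H(y') with the stored Z.

Added example, not from the slides. Assumptions: H is PBKDF2-HMAC-SHA256 with a
per-user random salt (the salt is what the slide's 'DES variant with salt' adds),
and the password file is an in-memory dict.
"""
import hashlib
import hmac
import os

ITERATIONS = 200_000   # slows down offline guessing against a stolen password file


def hash_password(y: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Z = H(salt, y), stored together with the salt and the iteration count."""
    salt = os.urandom(16) if salt is None else salt
    z = hashlib.pbkdf2_hmac("sha256", y.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${z.hex()}"


def check_password(stored: str, y_prime: str) -> bool:
    """Recompute H(y') with the stored salt and compare in constant time."""
    try:
        alg, iterations, salt_hex, z_hex = stored.split("$")
        if alg != "pbkdf2_sha256":
            return False
        z_prime = hashlib.pbkdf2_hmac("sha256", y_prime.encode("utf-8"),
                                      bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(z_prime, bytes.fromhex(z_hex))
    except ValueError:          # malformed record: treat as a failed check
        return False


class PasswordFile:
    """u -> Z; the plaintext password y is never stored."""

    def __init__(self):
        self._entries = {}

    def register(self, u: str, y: str) -> None:
        self._entries[u] = hash_password(y)

    def login(self, u: str, y_prime: str) -> bool:
        stored = self._entries.get(u)
        if stored is None:
            # do the same work for unknown ids so response time does not reveal valid ones
            hash_password(y_prime, b"\x00" * 16)
            return False
        return check_password(stored, y_prime)
```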
#include <stdio.h>
#define d1 2.0
#define d2 4.0
#define realPassword 2314
int address;
int password;
double c1,c2;
double a[10000];
int main(void) {
    /* …… */
    address=realPassword;
    // We may use another name instead of the realPassword.
    a[address]=0;
    c2=d2;
    scanf("%d", &password);
    a[password]=d1;   // user-supplied index, written without any bounds check
    c1=a[address];
    // c1 gets d1 if password is the correct realPassword (otherwise c1 stays 0).
    return 0;
}
#include <stdio.h>
#include <math.h>
#define d1 2.0
#define d2 4.0
#define realPassword 2314
int address;
double c1,c2;
double a[10000];
/* roots of x^2 + b x + c = 0: c2 is meant to hold 4 (the 4ac term) and c1 to hold 2 (the 2a term) */
void quadratic(double b, double c, double *root1, double *root2) {
    double temp;
    temp=sqrt(b*b-c2*c);
    *root1=(-b+temp)/c1;
    *root2=(-b-temp)/c1;
}
int main(void) {
    double root1,root2;
    int password;
    address=realPassword; // We may use another name instead of the realPassword.
    a[address]=0;
    c2=d2;
    scanf("%d", &password);
    a[password]=d1;   // user-supplied index, written without any bounds check
    c1=a[address];    // c1 gets d1 if password is correct (equal to realPassword);
                      // otherwise c1 stays 0 and quadratic() divides by zero
    scanf("%lf", &a[0]); // read the parameter b
    scanf("%lf", &a[1]); // read the parameter c
    quadratic(a[0], a[1], &root1, &root2);
    printf("%lf, %lf\n", root1, root2);
    return 0;
}
The Vulnerability of Web Servers
Here we only talk about web applications written in PHP.
1. PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into
HTML.
2. PHP provides many useful functions to make programming
easier, but attackers can also use these functions to do something
unexpected.
This form allows the web browser user to upload a file from
their local machine to the remote web server.
<FORM METHOD="POST" ENCTYPE="multipart/form-data">
<INPUT TYPE="FILE" NAME="upload">
<INPUT TYPE="HIDDEN" NAME="MAX_FILE_SIZE" VALUE="10240">
<INPUT TYPE="SUBMIT" NAME="Submit Query">
</FORM>
It looks as follows:
This function is obviously useful but also brings risk.
The attacker's ultimate goal is obviously to be able to execute
commands on the remote web server, and they cannot achieve that by using
files on their local machine.
Therefore they need to get PHP code into a file local to the remote
machine. This sounds like an impossible task initially, but file upload comes
to the rescue. If the attacker creates a file on their machine containing PHP
code to be executed and then uploads it, PHP will be kind enough to save the
attacker’s file.
Simple example
This is an upload form that allows students to upload their homework to the
“upload” folder on the remote web server, but it has no control over the
uploaded file; in other words, the students can submit any kind of file.
Simple example
To let students check whether they submitted their homework successfully,
the web server gives the client a list of all the files in the “upload”
folder, allowing students to view the filenames.
Simple example
But if somebody submits a PHP file like this one and executes it on the
remote web server, then Jack’s homework will be deleted, and obviously
those are important files for Jack.
ex. “./” means the current directory
Solution
• Forbid some unsafe functions by configuring parameters of the web server.
ex. Set “safe_mode on” in the “php.ini” file; its effects include:
1. restrict which commands can be executed
2. restrict which functions can be used
3. if you want, you can remove file upload completely
• Add code to the upload program to reject files that are executable or dangerous.
We can also use some simple code to change the uploaded file’s extension
to make it unexecutable.
Chapter 20 – Firewalls
The function of a strong position is to make the
forces holding it practically unassailable
—On War, Carl Von Clausewitz
Introduction
• seen evolution of information systems
• now everyone wants to be on the Internet
• and to interconnect networks
• has persistent security concerns
– can’t easily secure every system in org
• need "harm minimisation"
• a Firewall usually part of this
What is a Firewall?
• a choke point of control and monitoring
• interconnects networks with differing trust
• imposes restrictions on network services
– only authorized traffic is allowed
• auditing and controlling access
– can implement alarms for abnormal behavior
• is itself immune to penetration
• provides perimeter defence
Firewall Limitations
• cannot protect from attacks bypassing it
– eg sneaker net, utility modems, trusted
organisations, trusted services (eg SSL/SSH)
• cannot protect against internal threats
– eg disgruntled employee
• cannot protect against transfer of all virus
infected programs or files
– because of huge range of O/S & file types. It is
impossible to scan all files and emails.
Firewalls – Packet Filters
Firewalls – Packet Filters
• simplest of components
• foundation of any firewall system
• examine each IP packet (no context) and
permit or deny according to rules
• hence restrict access to services (ports)
• possible default policies
– that not expressly permitted is prohibited
– that not expressly prohibited is permitted
Firewalls – Packet Filters
Attacks on Packet Filters
• IP address spoofing
– fake source address to be trusted
– add filters on router to block
• source routing attacks
– attacker sets a route other than default
– block source routed packets
• tiny fragment attacks
– split header info over several tiny packets
– either discard or reassemble before check
Firewalls – Stateful Packet Filters
• examine each IP packet in context
– keeps track of client-server sessions
– checks each packet validly belongs to one
• better able to detect bogus packets out of
context
Firewalls - Application Level
Gateway (or Proxy)
Firewalls - Application Level
Gateway (or Proxy)
• use an application specific gateway / proxy
• has full access to protocol
– user requests service from proxy
– proxy validates request as legal
– then actions request and returns result to user
• need separate proxies for each service
– some services naturally support proxying
– others are more problematic
– custom services generally not supported
Firewalls - Circuit Level Gateway
Firewalls - Circuit Level Gateway
• relays two TCP connections
• imposes security by limiting which such
connections are allowed
• once created usually relays traffic without
examining contents
• typically used when internal users are trusted, by
allowing general outbound connections
• SOCKS commonly used for this
Bastion Host
• highly secure host system
• potentially exposed to "hostile" elements
• hence is secured to withstand this
• may support 2 or more net connections
• may be trusted to enforce trusted separation
between network connections
• runs circuit / application level gateways
• or provides externally accessible services
Firewall Configurations
Firewall Configurations
Firewall Configurations
Access Control
• given system has identified a user
• determine what resources they can access
• general model is that of access matrix with
– subject - active entity (user, process)
– object - passive entity (file or resource)
– access right – way object can be accessed
• can decompose by
– columns as access control lists
– rows as capability tickets
Access Control Matrix
Trusted Computer Systems
• information security is increasingly important
• have varying degrees of sensitivity of information
– cf military info classifications: confidential, secret etc
• subjects (people or programs) have varying rights
of access to objects (information)
• want to consider ways of increasing confidence in
systems to enforce these rights
• known as multilevel security
– subjects have maximum & current security level
– objects have a fixed security level classification
Bell LaPadula (BLP) Model
• one of the most famous security models
• implemented as mandatory policies on system
• has two key policies:
• no read up (simple security property)
– a subject can only read/write an object if the current
security level of the subject dominates (>=) the
classification of the object
• no write down (*-property)
– a subject can only append/write to an object if the
current security level of the subject is dominated by
(<=) the classification of the object
Reference Monitor
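The access matrix slide and the Bell-LaPadula slide describe two checks that a reference monitor applies to every access: the discretionary one (is the right present in the matrix, read either as an ACL column or a capability row) and the mandatory one (no read up, no write down against the subject's current level). The following is an added example for both slides, not code from the course or the textbook; the subjects, objects, rights and classifications are constructed.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):            # ordered so that ">=" means "dominates"
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

# Discretionary part: the access matrix, rows = subjects, columns = objects.
# Subjects, objects and rights are constructed for this example.
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "memo.txt": {"read", "write"}},
    "bob":   {"memo.txt": {"read", "write"}},
}

def acl(obj):
    """Column of the matrix: the access control list of one object."""
    return {s: rights[obj] for s, rights in MATRIX.items() if obj in rights}

def capabilities(subj):
    """Row of the matrix: the capability list held by one subject."""
    return dict(MATRIX.get(subj, {}))

# Mandatory part: every object has a fixed classification (constructed values).
CLASSIFICATION = {"payroll.db": Level.SECRET, "memo.txt": Level.CONFIDENTIAL}

@dataclass
class Subject:
    name: str
    max_level: Level        # clearance
    current_level: Level    # level the subject is operating at right now

    def set_current_level(self, level: Level):
        """A subject may lower its current level, never exceed its clearance."""
        if level > self.max_level:
            raise ValueError("current level may not exceed clearance")
        self.current_level = level

def blp_permits(subject: Subject, obj: str, right: str) -> bool:
    cls = CLASSIFICATION[obj]
    if right == "read":
        return subject.current_level >= cls    # simple security property: no read up
    if right == "write":
        return subject.current_level <= cls    # *-property: no write down
    return False

def reference_monitor(subject: Subject, obj: str, right: str) -> bool:
    """Every access goes through here: DAC (matrix) and MAC (BLP) must both allow."""
    dac_ok = right in MATRIX.get(subject.name, {}).get(obj, set())
    return dac_ok and blp_permits(subject, obj, right)

if __name__ == "__main__":
    alice = Subject("alice", Level.SECRET, Level.SECRET)
    print(reference_monitor(alice, "payroll.db", "read"))   # True
    print(reference_monitor(alice, "memo.txt", "write"))    # False: write down from SECRET
    alice.set_current_level(Level.CONFIDENTIAL)
    print(reference_monitor(alice, "memo.txt", "write"))    # True: now at the memo's level
    print(reference_monitor(alice, "payroll.db", "read"))   # False: read up
    bob = Subject("bob", Level.CONFIDENTIAL, Level.CONFIDENTIAL)
    print(blp_permits(bob, "payroll.db", "write"))          # True: BLP allows writing up
    print(reference_monitor(bob, "payroll.db", "write"))    # False: the matrix has no such right
```

The last two lines show why both checks are needed: BLP alone would let bob append to a SECRET file (no write down is satisfied), but the discretionary matrix never granted him that right, so the monitor denies it.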
Evaluated Computer Systems
• governments can evaluate IT systems
• against a range of standards:
– TCSEC, ITSEC and now Common Criteria
• define a number of “levels” of evaluation
with increasingly stringent checking
• have published lists of evaluated products
– though aimed at government/defense use
– can be useful in industry also
Summary
• have considered:
– firewalls
– types of firewalls
– configurations
– access control
– trusted systems
Requirements for Hash function
• H(x) is easy to compute
• Given h, it is computationally hard to find x such that
H(x)=h: One-way property
• Given x, it is computationally hard to find y ≠ x such that
H(x)=H(y): Weak collision resistance
• It is computationally hard to find any x ≠ y such that
H(x)=H(y): Strong collision resistance
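The difference between weak and strong collision resistance is one of work factor: a second preimage costs about 2^n trials for an n-bit hash, while the birthday paradox finds some collision in about 2^(n/2). The following added example (not from the slides or the textbook) makes that visible by truncating SHA-256 to a small number of bits, which is an illustrative shortcut assumed here so that both searches finish in seconds.

```python
import hashlib

def trunc_hash(msg: bytes, nbits: int) -> int:
    """SHA-256 truncated to its leading nbits. Constructed for illustration only:
    a real hash keeps all 256 bits, which is what makes both searches infeasible."""
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest, "big") >> (256 - nbits)

def find_second_preimage(x: bytes, nbits: int, max_tries: int = 1 << 22):
    """Attack on weak collision resistance: given x, find y != x with H(y) == H(x).
    Expected work is about 2^nbits trials. Returns (y, number_of_trials)."""
    target = trunc_hash(x, nbits)
    for i in range(max_tries):
        y = b"candidate-%d" % i
        if y != x and trunc_hash(y, nbits) == target:
            return y, i + 1
    raise RuntimeError("no second preimage found within max_tries")

def find_collision(nbits: int):
    """Attack on strong collision resistance: find any x != y with H(x) == H(y).
    Expected work is about 2^(nbits/2) trials (birthday bound); the pigeonhole
    principle guarantees success within 2^nbits + 1 distinct messages.
    Returns (x, y, number_of_trials)."""
    seen = {}
    for i in range((1 << nbits) + 1):
        msg = b"msg-%d" % i
        h = trunc_hash(msg, nbits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    raise AssertionError("unreachable: 2^nbits + 1 messages must collide")

if __name__ == "__main__":
    NBITS = 16
    _, preimage_trials = find_second_preimage(b"original message", NBITS)
    _, _, collision_trials = find_collision(NBITS)
    print(f"{NBITS}-bit hash: second preimage took {preimage_trials} trials, "
          f"collision took {collision_trials} trials")
```

For a 16-bit output the second-preimage search typically needs tens of thousands of trials and the collision search a few hundred; doubling the output length squares the first cost but only doubles the exponent of the second, which is why collision resistance, not one-wayness, dictates the minimum digest size.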
Pseudorandom Number Generator
Applications:
• Key generation
• Randomized algorithm
• Authentication protocols
• ……
Randomness
• Uniform distribution: The frequency of each number
should be approximately the same.
• Independence: No one value in the sequence can be
inferred from the others
• Unpredictability
Linear Generator
A sequence of numbers is generated by
$X_{n+1} = (aX_n + c) \bmod m$
$X_0$: starting value ($0 \le X_0 < m$)
$a$: the multiplier ($0 < a < m$)
$c$: the increment ($0 \le c < m$)
$m$: the modulus ($m > 0$)
Requirements for linear generator
• Generate all numbers between 0 and m
• Look random
• Should be efficiently implementable with 32-bit arithmetic
Linear Generator
A sequence of numbers is generated by
$X_{n+1} = (aX_n + c) \bmod m$
with $m = 2^{31} - 1$, $a = 7^5 = 16807$, $c = 0$:
$X_{n+1} = 16807 X_n \bmod (2^{31} - 1)$
Linear Generator weakness
If m, c and a are known, then once a single number is discovered,
all subsequent numbers are known.
If it is only known that a linear generator is used, an attacker can still
solve the equations given a few consecutive outputs:
$X_2 = (aX_1 + c) \bmod m$
$X_3 = (aX_2 + c) \bmod m$
$X_4 = (aX_3 + c) \bmod m$
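The three linear-generator slides above (definition, the $2^{31}-1$ / 16807 parameters, and the weakness) can be worked through in code. The following is an added example, not code from the course or the textbook: it implements the generator, shows that one observed output with public parameters yields all later outputs, solves the slide's equations for $a$ and $c$ when $m$ is known, and recovers $m$ itself from consecutive outputs using the gcd of determinants of successive differences (a standard technique, assumed here rather than taken from the slides). The seeds and the second parameter set ($m = 2^{31}$, $a = 1103515245$, $c = 12345$, the ANSI C style constants) are chosen for the example.

```python
from math import gcd

def lcg(seed, a, c, m, count):
    """Return X_1 .. X_count of the generator X_{n+1} = (a X_n + c) mod m, starting from X_0 = seed."""
    x, out = seed, []
    for _ in range(count):
        x = (a * x + c) % m
        out.append(x)
    return out

# Parameters from the slide: m = 2^31 - 1, a = 7^5 = 16807, c = 0.
M_PM, A_PM, C_PM = 2**31 - 1, 7**5, 0

def predict_from_one(x, a, c, m, count):
    """Weakness 1: with a, c, m public, a single observed output reveals every later one."""
    return lcg(x, a, c, m, count)

def recover_multiplier_increment(outs, m):
    """Weakness 2: solve X_2 = a X_1 + c and X_3 = a X_2 + c (mod m) for a and c,
    given three consecutive outputs and the modulus. Subtracting the equations gives
    X_3 - X_2 = a (X_2 - X_1) (mod m); requires X_2 - X_1 to be invertible mod m."""
    x1, x2, x3 = outs[:3]
    a = ((x3 - x2) * pow((x2 - x1) % m, -1, m)) % m
    c = (x2 - a * x1) % m
    return a, c

def recover_modulus(outs):
    """Recover the modulus from consecutive outputs alone. The differences
    t_i = X_{i+1} - X_i satisfy t_{i+1} = a t_i (mod m), so every determinant
    t_{i+1} t_{i-1} - t_i^2 is a multiple of m. The gcd of several of them is
    m itself or, occasionally, a small multiple of m that is then trial-divided."""
    t = [outs[i + 1] - outs[i] for i in range(len(outs) - 1)]
    g = 0
    for i in range(1, len(t) - 1):
        g = gcd(g, t[i + 1] * t[i - 1] - t[i] * t[i])
    return abs(g)

if __name__ == "__main__":
    outs = lcg(12345, A_PM, C_PM, M_PM, 12)              # constructed seed
    print("observed:", outs[:4])
    print("predicted from X_4:", predict_from_one(outs[3], A_PM, C_PM, M_PM, 3))
    print("recovered (a, c) given m:", recover_multiplier_increment(outs, M_PM))
    g = recover_modulus(outs)
    print("gcd of determinants:", g, "= m?" , g == M_PM)
    outs2 = lcg(1, 1103515245, 12345, 2**31, 12)         # c != 0, m a power of two
    print("recovered (a, c) for ANSI C style LCG:", recover_multiplier_increment(outs2, 2**31))
```

Both recoveries need only a handful of consecutive outputs, which is exactly why a linear congruential generator must never be used as a source of keys, nonces or session identifiers, however good its statistical properties are.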
Generator with DES
C is a counter with period N
At each step the counter is incremented ($C \to C+1$) and encrypted under the master key $K_m$:
$X_i = E_{K_m}[C+1]$
Blum Blum Shub Generator
Choose two prime numbers $p$ and $q$ with $p \equiv q \equiv 3 \pmod 4$
Let $n = pq$
Choose a random number $s$ relatively prime to $n$
$X_0 = s^2 \bmod n$
for $i = 1$ to $\infty$:
$X_i = (X_{i-1})^2 \bmod n$
$B_i = X_i \bmod 2$
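The BBS procedure above, as an added example that is not part of the slides or the textbook. It checks the preconditions the slide states (both primes congruent to 3 mod 4, seed coprime to n) before generating, because a seed that shares a factor with n or a prime of the wrong form silently breaks the generator's guarantees. The parameters p = 383, q = 503, s = 101355 are small values chosen for the example; they are far too small for real use, where p and q are large primes.

```python
from math import gcd

def is_prime(n: int) -> bool:
    """Trial division; adequate for the small illustrative primes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def check_parameters(p: int, q: int, s: int) -> bool:
    """BBS preconditions: p and q prime with p = q = 3 (mod 4), and gcd(s, pq) = 1."""
    return (is_prime(p) and is_prime(q)
            and p % 4 == 3 and q % 4 == 3
            and gcd(s, p * q) == 1)

def blum_blum_shub(p: int, q: int, s: int, count: int):
    """Return (states, bits): X_0 = s^2 mod n, X_i = X_{i-1}^2 mod n, B_i = X_i mod 2.
    states holds X_0 .. X_count, bits holds B_1 .. B_count."""
    if not check_parameters(p, q, s):
        raise ValueError("p, q must be primes congruent to 3 mod 4 and s coprime to n")
    n = p * q
    x = (s * s) % n
    states, bits = [x], []
    for _ in range(count):
        x = (x * x) % n          # squaring modulo a Blum integer
        states.append(x)
        bits.append(x & 1)       # least significant bit is the output
    return states, bits

if __name__ == "__main__":
    states, bits = blum_blum_shub(383, 503, 101355, 8)   # example parameters
    print("n =", 383 * 503)
    print("X_0 .. X_8:", states)
    print("B_1 .. B_8:", bits)
```

Note that the whole state X_i is never output, only its low bit; revealing the states would let an observer continue the sequence by squaring, which is the same mistake the linear generator slide warns about.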