Sunum yükleniyor. Lütfen bekleyiniz

Sunum yükleniyor. Lütfen bekleyiniz

Network Security Essentials Chapter 3 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Benzer bir sunumlar


... konulu sunumlar: "Network Security Essentials Chapter 3 Fourth Edition by William Stallings Lecture slides by Lawrie Brown."— Sunum transkripti:

1 Network Security Essentials Chapter 3 Fourth Edition by William Stallings Lecture slides by Lawrie Brown

2 Chapter 9 – Public Key Cryptography and RSA Every Egyptian received two names, which were known respectively as the true name and the good name, or the great name and the little name; and while the good or little name was made public, the true or great name appears to have been carefully concealed. —The Golden Bough, Sir James George Frazer

3 Message Authentication  message authentication is concerned with:  protecting the integrity of a message  validating identity of originator  non-repudiation of origin (dispute resolution)  the three alternative functions used:  hash function  message encryption  message authentication code (MAC)

4 Hash Functions  condenses arbitrary message to fixed size h = H(M)  usually assume hash function is public  hash used to detect changes to message  want a cryptographic hash function  computationally infeasible to find data mapping to specific hash (one-way property)  computationally infeasible to find two data to same hash (collision-free property)

5 Two Simple Insecure Hash Functions  consider two simple insecure hash functions  bit-by-bit exclusive-OR (XOR) of every block  C i = b i1 xor b i2 xor... xor b im  a longitudinal redundancy check  reasonably effective as data integrity check  one-bit circular shift on hash value  for each successive n-bit block •rotate current hash value to left by1bit and XOR block  good for data integrity but useless for security

6 Hash Function Requirements

7 Attacks on Hash Functions  have brute-force attacks and cryptanalysis  a preimage or second preimage attack  find y s.t. H(y) equals a given hash value  collision resistance  find two messages x & y with same hash so H(x) = H(y)  hence value 2 m/2 determines strength of hash code against brute-force attacks  128-bits inadequate, 160-bits suspect

8 Secure Hash Algorithm  SHA originally designed by NIST & NSA in 1993  was revised in 1995 as SHA-1  US standard for use with DSA signature scheme  standard is FIPS , also Internet RFC3174  nb. the algorithm is SHA, the standard is SHS  based on design of MD4 with key differences  produces 160-bit hash values  recent 2005 results on security of SHA-1 have raised concerns on its use in future applications

9 Revised Secure Hash Standard  NIST issued revision FIPS in 2002  adds 3 additional versions of SHA  SHA-256, SHA-384, SHA-512  designed for compatibility with increased security provided by the AES cipher  structure & detail is similar to SHA-1  hence analysis should be similar  but security levels are rather higher

10 SHA Versions

11 SHA-512 Overview

12

13 SHA-512 Compression Function  heart of the algorithm  processing message in 1024-bit blocks  consists of 80 rounds  updating a 512-bit buffer  using a 64-bit value Wt derived from the current message block  and a round constant based on cube root of first 80 prime numbers

14 Keyed Hash Functions as MACs  want a MAC based on a hash function  because hash functions are generally faster  crypto hash function code is widely available  hash includes a key along with message  original proposal: KeyedHash = Hash(Key|Message)  some weaknesses were found with this  eventually led to development of HMAC

15 HMAC Design Objectives  use, without modifications, hash functions  allow for easy replaceability of embedded hash function  preserve original performance of hash function without significant degradation  use and handle keys in a simple way.  have well understood cryptographic analysis of authentication mechanism strength

16 HMAC  specified as Internet standard RFC2104  uses hash function on the message: HMAC K (M)= Hash[(K + XOR opad) || Hash[(K + XOR ipad) || M)] ]  where K + is the key padded out to size  opad, ipad are specified padding constants  overhead is just 3 more hash calculations than the message needs alone  any hash function can be used  eg. MD5, SHA-1, RIPEMD-160, Whirlpool

17 HMAC Overview

18 HMAC Security  proved security of HMAC relates to that of the underlying hash algorithm  attacking HMAC requires either:  brute force attack on key used  birthday attack (but since keyed would need to observe a very large number of messages)  choose hash function used based on speed verses security constraints

19 CMAC  previously saw the DAA (CBC-MAC)  widely used in govt & industry  but has message size limitation  can overcome using 2 keys & padding  thus forming the Cipher-based Message Authentication Code (CMAC)  adopted by NIST SP800-38B

20 CMAC Overview

21 Authenticated Encryption  simultaneously protect confidentiality and authenticity of communications  often required but usually separate  approaches  Hash-then-encrypt: E(K, (M || H(M))  MAC-then-encrypt: E(K2, (M || MAC(K1, M))  Encrypt-then-MAC: (C=E(K2, M), T=MAC(K1, C)  Encrypt-and-MAC: (C=E(K2, M), T=MAC(K1, M)  decryption /verification straightforward  but security vulnerabilities with all these

22 Counter with Cipher Block Chaining-Message Authentication Code (CCM)  NIST standard SP C for WiFi  variation of encrypt-and-MAC approach  algorithmic ingredients  AES encryption algorithm  CTR mode of operation  CMAC authentication algorithm  single key used for both encryption & MAC

23 CCM Operation

24 Private-Key Cryptography  Klasik şifreleme 1 anahtar kullanır  Alıcı ve gönderen arasında bu anahtar paylaştırılır.  Eğer bu anahtar açığa çıkarsa tüm sistem ele geçirilmiş olur  Ayrıca simetriktir tüm eşler aynıdır.  Bu şekilde alıcının, gönderenden gelmeyen mesajı ondan gelmiş gibi iddaa etme/belirtme ihtimali vardır.

25 Public-Key Cryptography  2 anahtarlı (açıl ve gizli)PKI yapısı en önemli gelişmedir 3000 yıllık geçimişe nazaran  Eşler aynı olmadığı için asimetriktir.  Number theory ı kullanır tek yönlü çözülmesi zor olan problemler ile ilgilenir.  Gizli anahtar yapısını tamamen kaşldırmaktansa onu tamamlar

26 Why Public-Key Cryptography?  2 porblemi çözmek için kullanılır:  Anahtar değiştokuşu– Bir KDC a ihtiyaç duymadan nasıl güvenli iletişim kurulabilir.  digital signatures – gerçek gönderenden mesaj değişmeden nasıl gönderilir.  Kendi gönderdiğimiz mesajların içinde tam güvenlik. Askeri, Ticari, kişisel  public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976  Belirli bir grup tarafından daha önceden biliniyordu 1960

27 Public-Key Cryptography  public-key/two-key/asymmetric 2 anahtar şu sebepler için kullanılır :  a public-key, herkez tarafından bilinebilir, mesajları mesajları şifrelemek, ve imzaları doğrulamak için kullanılabilir  Ilgili private-key, sadece alıcı tarafından bilinir, mesajı deşifre etmek, ve imzalama (create) signatures için kullanılır  Açık anahtardan, gizli anahtarı temin etmek zordur.  Asimetriktir :  Mesajı şifreleyen ve mesajı kontrol eden kişi, mesajı deşifre edemez veya bir digital imza atamaz

28 Public-Key Cryptography

29 Symmetric vs Public-Key

30 RSA  by Rivest, Shamir & Adleman (RSA) of MIT in 1977  En iyi bilinen ve an fazla kullanılan PKI  Matematikteki üssel sonlu alanlar a dayanmaktadır (Galois) ve bir asal sayının tam modülüne dayanmaktadır.  Çok büyük tam sayılar kullanır (eg bits)  Çok büyük sayıların çarpanlara ayrımasına bağlı güvenliği sahiptir.

31 RSA En/decryption  M mesajını şifrelemek için:  Alıcının açık anahtarı alınır PU={e,n}  C hesaplanır C = M e mod n, 0≤M

32 RSA Anahtar seçimi  Her bir kullıcı gizli/açık anahtar eşleri üretir:  Rastgele iki çok büyük asal sayı seçilir. p, q  Bunların çarpımı n modülü oluşturur n=p.q  Hesaplanır ø(n)=(p-1)(q-1)  Bir anahtar SEÇİLİR e  1

33 Why RSA Works  Eular teoremine göre:  a ø(n) mod n = 1 where gcd(a,n)=1  RSA da  n=p.q  ø(n)=(p-1)(q-1)  e ve d ters mod ø(n) olacak şekilde dikkatlice seçilir.  böylece e.d=1+k.ø(n) bir k değeri için eşit olur  hence : C d = M e.d = M 1+k.ø(n) = M 1.(M ø(n) ) k = M 1.(1) k = M 1 = M mod n = M 1.(1) k = M 1 = M mod n

34 RSA Example - Key Setup 1. Select primes: p=17 & q=11 2. Calculate n = pq =17 x 11= Calculate ø(n)=(p–1)(q-1)=16x10= Select e : gcd(e,160)=1; choose e=7 5. Determine d : de=1 mod 160 and d < 160 Value is d=23 since 23x7=161= 10x Publish public key PU={7,187} 7. Keep secret private key PR={23,187}

35 RSA Example - En/Decryption  Örnek RSA encryption/decryption  Mesaj M = 88 (nb. 88<187 )  şifreleme: C = 88 7 mod 187 = 11  Deşifreleme: M = mod 187 = 88

36 Diffie-Hellman Key Exchange  Ilk önerilen first PKI alt yapısıdır  by Diffie & Hellman in 1976 along with the exposition of public key concepts  note: now know that Williamson (UK CESG) secretly proposed the concept in 1970  Sonradan kullanılacak şifreleme için anahtar değiştokuşuna olanak saülayan pratik bir yöntemdir.  used in a number of commercial products

37 Diffie-Hellman Key Exchange  a Açık anahtar dağıtım şeması  genel bir mesajı göndermek için kullanılmaz  Fakat ortak bir anahar için kullanılabilir.  Sadece iki taraf tarafından bilinir  Anahtarın değeri katılanlara bağlıdır.(açık ve gizli anahtar konumlarına )  Sonlu alanların üssel gösterimine bağlıdır. (Galois) alanı field (modulo a prime or a polynomial) - easy  Gücenlik ayrık logaitmanın hesabının yapılmasınını zor olmasına bağlıdır (similar to factoring) – hard

38 Diffie-Hellman Setup  Tüm kullanıcılar parametrelerde anlaşırlar:  Çok büyük bir asal tamsayı yada polinom q  a, mod q ya göre temel kökü •primitive root a is a number whose powers successively generate all the elements mod q  Her bir kullanıcı (ör. A) anahtar üretirler  Bir gizli anahtar SEÇ (number): x A < q  Onun açık anahtarını hesapla public key • y A = a x A mod q  Her bir kullanıcı y A açık anahtar haline getirir •For an attacker monitoring the exchange of the y's to recover either of the x's, they'd need to solve the discrete logarithm problem, which is hard

39 Diffie-Hellman Key Exchange  Ortak bir oturum anahtarı A & B için K AB : K AB = a x A. x B mod q = y A x B mod q ( B hesaplayabilir) = y B x A mod q ( A hesaplayabilir)  K AB gizli anahtar şifrelemesi için oturum anahtarı olarak kullanılır  Eğer Alive ve Bob aynı public anahtarları kullandıkça bu gizli anahtarı sonradan gene haberleşmek için kullanabilirler  Saldırganın bir X e ihtiyacı vardır ve ayrık logaritmayı çözmelidirler

40 Diffie-Hellman Example  Alice & Bob anahtar değiş tokuşu yağmak isterler:  Bir asal sayıda anlaşırlar q=353 ve a=3  Bir gizli ANAHTAR SEÇERLER:  A x A =97, B x B =233  Karşılık gelen açıkanahtarları hesaplamak için :  y A = 3 97 mod 353 = 40 (Alice)  y B = mod 353 = 248 (Bob)  Paylaşılan açık anahtarın hesaplanması:  K AB = y B x A mod 353 = mod 353= 160 (Alice)  K AB = y A x B mod 353 = mod 353= 160 (Bob)

41 Key Exchange Protocols  Kullanıcılar her iletişim kurmak istediklerinde yeni anahtar çiftleri D-H kullarak üretebilirler  Kullanıcılar herkeze açık bir dizin içinde D- H anahtarları koylabilir.  Hepsi meet-in-the-Middle Attack a karşı zayıftır.  anahtarların denetimi lazım

42 Man-in-the-Middle Attack 1. Darth 2 tane private / public keys üreterek başlar 2. Alice Bob a açık anahtarını gönderir 3. Darth araya girer ve ilk üretiği açık anahtarı BOB a gönderir. Dart ayrıca Alice ile paylaşılan bir anahtar da anlaşır 4. Bob açık anahtarı alır ve paylaşılan bir anahtar üretir. (Fakat alice yerine Darth ile) 5. Bob “Alice” açık anahtarını gönderir. 6. Darth Alice giden açık anahtarı alır. Darth BOB ile arasında bir paylaştıkları bir anahtar üretir (Alice zanneder= 7. Darth Alice & Bob arasındaki tüm iletişimi inceler / değiştirir

43 1. Darth – Yd1, Xd1 – Yd2, Xd2 2. Alice---> “Bob” Ya 3. Darth -->Bob Yd1. K2 = (Y A )^X D2 mod q 4. Bob -->Yd1 ile K1=(Y D1 )^ X B mod q 5. Bob---> “Alice” Yb 6. Darth-->Alice Yd2. K2=(Y D2 )^ X A mod q. 7. Alice-->Yd2 ile K2=(Y D2 )^ X A mod q.

44 Digital Signatures  have looked at message authentication  but does not address issues of lack of trust  digital signatures provide the ability to:  verify author, date & time of signature  authenticate message contents  be verified by third parties to resolve disputes  hence include authentication function with additional capabilities

45 Digital Signature Model

46

47 Digital Signatures CN5E by Tanenbaum & Wetherall, © Pearson Education- Prentice Hall and D. Wetherall, 2011 Lets receiver verify the message is authentic  Symmetric-Key signatures »  Public-Key signatures »  Message digests »  The birthday attack »

48 Digital Signatures (1) CN5E by Tanenbaum & Wetherall, © Pearson Education- Prentice Hall and D. Wetherall, 2011 Requirements for a signature:  Receiver can verify claimed identity of sender.  Sender cannot later repudiate contents of message.  Receiver cannot have concocted message himself.

49 Symmetric-key Signatures CN5E by Tanenbaum & Wetherall, © Pearson Education- Prentice Hall and D. Wetherall, 2011 Alice and Bob each trust and share a key with Big Brother; Big Brother doesn’t trust anyone  A=Alice, B=Bob, P=message, R A =random, t=time Only Alice can send this encrypted message to BB Only BB can send this encrypted message to Bob

50 Public-Key Signatures CN5E by Tanenbaum & Wetherall, © Pearson Education- Prentice Hall and D. Wetherall, 2011 No Big Brother and assumes encryption and decryption are inverses that can be applied in either order  But relies on private key kept and secret  RSA & DSS ( Digital Signature Standard ) widely used

51 Message Digests (1) CN5E by Tanenbaum & Wetherall, © Pearson Education- Prentice Hall and D. Wetherall, 2011 Message Digest (MD) converts arbitrary-size message (P) into a fixed-size identifier MD(P) with properties:  Given P, easy to compute MD(P).  Given MD(P), effectively impossible to find P.  Given P no one can find P′ so that MD(P′) = MD(P).  Changing 1 bit of P produces very different MD. Message digests (also called cryptographic hash) can “stand for” messages in protocols, e.g., authentication  Example: SHA bit hash, widely used  Example: MD5 128-bit hash – now known broken

52 Message Digests (2) CN5E by Tanenbaum & Wetherall, © Pearson Education- Prentice Hall and D. Wetherall, 2011 Public-key signature for message authenticity but not confidentiality with a message digest Alice signs message digest Message sent in the clear

53 Message Digests (3) CN5E by Tanenbaum & Wetherall, © Pearson Education- Prentice Hall and D. Wetherall, 2011 In more detail: example of using SHA-1 message digest and RSA public key for signing nonsecret messages

54 Message Digests (4) CN5E by Tanenbaum & Wetherall, © Pearson Education- Prentice Hall and D. Wetherall, 2011 SHA-1 digests the message 512 bits at a time to build a 160-bit hash as five 32-bit components Message in 512-bit blocks Five 32-bit hashes output SHA-1

55 Birthday Attack CN5E by Tanenbaum & Wetherall, © Pearson Education- Prentice Hall and D. Wetherall, 2011 How hard is it to find a message P′ that has the same message digest as P?  Such a collision will allow P′ to be substituted for P! Analysis:  N bit hash has 2 N possible values  Expect to test 2 N messages given P to find P′  But expect only 2 N/2 messages to find a collision  This is the birthday attack

56 Management of Public Keys CN5E by Tanenbaum & Wetherall, © Pearson Education- Prentice Hall and D. Wetherall, 2011 We need a trusted way to distribute public keys  Certificates »  X.509, the certificate standard »  Public Key infrastructures »

57 Management of Public Keys (1) CN5E by Tanenbaum & Wetherall, © Pearson Education- Prentice Hall and D. Wetherall, 2011 Trudy can subvert encryption if she can fake Bob’s public key; Alice and Bob will not necessarily know Trudy replaces E B with E T and acts as a “man in the middle”

58 Certificates CN5E by Tanenbaum & Wetherall, © Pearson Education- Prentice Hall and D. Wetherall, 2011 CA ( Certification Authority ) issues signed statements about public keys; users trust CA and it can be offline A possible certificate

59 X.509 CN5E by Tanenbaum & Wetherall, © Pearson Education- Prentice Hall and D. Wetherall, 2011 X.509 is the standard for widely used certificates  Ex: used with SSL for secure Web browsing Basic fields in X.509 certificates

60 Public Key Infrastructures (PKIs) CN5E by Tanenbaum & Wetherall, © Pearson Education- Prentice Hall and D. Wetherall, 2011 PKI is a system for managing public keys using CAs  Scales with hierarchy, may have multiple roots  Also need CRLs ( Certificate Revocation Lists ) Hierarchical PKI Chain of certificates for CA 5 Trust anchor

61 Authentication Protocols CN5E by Tanenbaum & Wetherall, © Pearson Education- Prentice Hall and D. Wetherall, 2011 Authentication verifies the identity of a remote party  Shared Secret Key »  Diffie-Hellman Key Exchange »  Key Distribution Center »  Kerberos »  Public-Key Cryptography »

62 Authorization vs Authentication • Authorization : process permitted to do smth. • Authentication: if you are actually communicating with a specific process. • Hey I’m Your Boss, delete that debt file of Trudy. •Authentication : Are you really Boss •Authorization : is Boss really allowed to such an activity

63 Shared Secret Key (1) CN5E by Tanenbaum & Wetherall, © Pearson Education- Prentice Hall and D. Wetherall, 2011 Authenticating with a challenge-response (first attempt)  Alice (A) and Bob (B) share a key K AB  R X is random, K X (M) is M encrypted with key K X  Reflection attack Bob knows it’s Alice Alice knows it’s Bob Challenge Response

64 Shared Secret Key (2) CN5E by Tanenbaum & Wetherall, © Pearson Education- Prentice Hall and D. Wetherall, 2011 A shortened two-way authentication (second attempt)  But it is vulnerable to reflection attack

65 Shared Secret Key (3) CN5E by Tanenbaum & Wetherall, © Pearson Education- Prentice Hall and D. Wetherall, 2011 Trudy impersonates Alice to Bob with reflection attack  Second session gets Bob to give Trudy the response Bob thinks he is talking to Alice now

66 Common pitfalls 1. Cevap veren kendini tanıtmadan önce, onun hakkında doğrulayıcı bilgiye sahip olmak. 2. Iletişimi başlatan ve cevap verenin kanıtlamak için farklı anahtarlar kullanmasını sağla. Bu iki farklı anahtar olması anlamına gelsede 3. Iletişimi başlatan ve cevap verenin, cevapları farklı doğrulamak için seçtikleri challengeları farklı kümelerden seçmelidir

67 Shared Secret Key (4) CN5E by Tanenbaum & Wetherall, © Pearson Education- Prentice Hall and D. Wetherall, 2011 First attempt is also vulnerable to reflection attack!  Trudy impersonates Bob to Alice after Alice initiates Alice thinks she is talking to Bob again Alice thinks she is talking to Bob

68 Shared Secret Key (5) CN5E by Tanenbaum & Wetherall, © Pearson Education- Prentice Hall and D. Wetherall, 2011 Moral: Designing a correct authentication protocol is harder than it looks; errors are often subtle. General design rules for authentication: 1. Have initiator prove who she is before responder 2. Initiator, responder use different keys 3. Draw challenges from different sets 4. Make protocol resistant to attacks involving second parallel session

69 Shared Secret Key (6) CN5E by Tanenbaum & Wetherall, © Pearson Education- Prentice Hall and D. Wetherall, 2011 An authentication protocol that is not vulnerable  HMAC ( Hashed Message Authentication Code ) is an authenticator, like a signature Bob knows it’s Alice Alice knows it’s Bob

70 Diffie-Hellman Key Exchange (1) CN5E by Tanenbaum & Wetherall, © Pearson Education- Prentice Hall and D. Wetherall, 2011 Lets two parties establish a shared secret  Eavesdropper can’t compute secret g xy mod n without knowing x or y Shared secret

71 Diffie-Hellman Key Exchange (2) CN5E by Tanenbaum & Wetherall, © Pearson Education- Prentice Hall and D. Wetherall, 2011 But it is vulnerable to a man-in-the-middle attack  Need to confirm identities, not just share a secret g xz mod n g zy mod n

72 KDC – Key Distribution Center (1) CN5E by Tanenbaum & Wetherall, © Pearson Education- Prentice Hall and D. Wetherall, 2011 Trusted KDC removes need for many shared secrets  Alice and Bob share a secret only with KDC (K A, K B )  End up with K S, a shared secret session key  First attempt below is vulnerable to replay attack in which Trudy captures and later replays messages Alice has session key K S Bob has session key K S Trudy can send this later to impersonate Alice to Bob

73 Key Distribution Center (2) CN5E by Tanenbaum & Wetherall, © Pearson Education- Prentice Hall and D. Wetherall, 2011 The Needham-Schroeder authentication protocol  Not vulnerable to replays; doesn’t use timestamps Alice knows it’s Bob Bob knows it’s Alice

74 Key Distribution Center (3) CN5E by Tanenbaum & Wetherall, © Pearson Education- Prentice Hall and D. Wetherall, 2011 The Otway-Rees authentication protocol (simplified)  Slightly stronger than previous; Trudy can’t replay even if she obtains previous secret K S

75 Kerberos CN5E by Tanenbaum & Wetherall, © Pearson Education- Prentice Hall and D. Wetherall, 2011 Kerberos V5 is a widely used protocol (e.g., Windows)  Authentication includes TGS ( Ticket Granting Server ) Ticket Gets session key K S Alice asks for a secret shared with Bob Gets shared key K AB Bob gets key K AB Ticket Knows it’s Bob Knows it’s Alice

76 Public-Key Cryptography CN5E by Tanenbaum & Wetherall, © Pearson Education- Prentice Hall and D. Wetherall, 2011 Mutual authentication using public-key cryptography  Alice and Bob get each other’s public keys (E A, E B ) from a trusted directory; shared K S is the result


"Network Security Essentials Chapter 3 Fourth Edition by William Stallings Lecture slides by Lawrie Brown." indir ppt

Benzer bir sunumlar


Google Reklamları