The ISO/OSI Security Architecture

• data confidentiality - protects data as it traverses the network from being disclosed to incorrect parties. Even the presence of particular communication sequences between parties should not be identified.

• data integrity - protects the data from modification or removal while in the network,

• data origin authentication - validates the sender of the data,

• data receiver authentication - validates the receiver of the data,

• peer-entity authentication - validates all network components, such as hardware routers and peer software components through which a data stream must travel, and

• non-repudiation - creates and verifies evidence that the claimed sender sent the data, that the intended receiver did receive it, and that neither can deny that this occurred.

Cryptography's Role in Networking

• Copy data from disk storage for remote analysis,
• Passively listen (only) on broadcast channels (such as wired-Ethernet and WiFi),
• Aggressively monitor traffic though intermediate routers or workstations (situated anywhere on a message's path),
• Actively replay, modify or insert their own messages into the message stream.

• Users encrypting individual files stored in a standard file-system,
• File-systems encrypting all data before writing it to disk,
• Datalink and Network layers: in switches and routers (e.g. VPNs),
• Session Layer: with end-to-end data conversion (e.g. SSL),
• Application Layer: in programs such as email agents (e.g. PGP).

Basic Cryptographic Terminology

• Known plaintext attack - the cryptanalyst (fancy name for an adversary with a Maths degree) has (or determines) a block of plaintext and its corresponding block of ciphertext. This may seem unlikely, but regularly exchanged encrypted messages have fixed or predictable payloads (e.g. email headers, VPN-session establishment).

• Chosen plaintext attack - the cryptanalyst can have their intended victim unknowingly encrypt fixed, known blocks of data.

• Differential analysis - a kind of plaintext attack involving many very similar plaintexts being encrypted, and their resulting ciphertexts being compared.

Simple Substitution :

    PT : abcdefghijklmnopqrstuvwxyz
    CT : DEFGHIJKLMNOPQRSTUVWXYZABC

Monoalphabetic Substitution :

    PT : abcdefghijklmnopqrstuvwxyz
    CT : QWERTYUIOPASDFGHJKLZXCVBNM

• count frequencies of each letter and match e's, t's, etc.
• count digraphs (th, er, on, an, re, he, in, ed, nd, ha, at, en, es, of, or...) and trigraphs (he, and, tha, ent, ion, tio, for, nde, has, nce...)
• match th, the, in, and, ...

The Influence of Computers on Cryptography

• An algorithm's strength is not simply derived from its keys' length, but from its peer evaluation and public review.

• A weak algorithm is one whose algorithm and implementation are not available, and whose strength would be compromised if these were made public.

Symmetric Ciphers

• DES: a block based cipher of 64bit blocks in, 64bit blocks out, 56 bit key filled to 64bits (8 odd-parity bits).

• Triple-DES: encrypts the same plaintext with DES three times. Three or two keys are provided, the plaintext is encrypted with the 1st key, decrypted with the second, and finally encrypted with the third (or 1st again).
  A double-DES scheme (with only 2 keys) does not require 2²ⁿ brute-force tests but 2ⁿ⁺¹ tests with a meet-in-the-middle attack.

• Ron Rivest's RC2 block cipher employs keys up to 1024 bits, and executes at a speed independent of key length.

• Ron Rivest's RC4 stream cipher (as used in WiFi's WEP encryption) employs keys of 40 to 256 bits, but has the property that if two messages are encrypted with the same RC4 key, their encryptions are related in a known way.

The DES Algorithm

• Data is encrypted in 64 bit blocks.
• Ciphertext is output in 64 bit blocks.
• A 56 bit key is used.
• The same key is used for both encryption and decryption.

Product and Substitution Cipher Boxes

The Substitution Stages

The Steps of the DES Algorithm

Step 1. Transposition of plaintext, independent of key. Step 19. Inverse of Step 1. Step 18. Exchange left 32 bits with right 32 bits. Steps 2-17. Use a function of the key for each stage, which we shall call Ki. Left out := Right in Right out := XOR(left in, f(Right in, Ki)) where f is a 4 step function. What are the steps of this magic function f? E := R1 (which is 32 bits) expanded to 48 bits. D := XOR(E, Ki). Divide D into 8x6 bits; feed each of these 6 bits into a different S box each producing 4 bits. Feed these 8x4 bits (= 32 bits) through a P box. How is the DES key used? K0 := 56 transposition cipher of K. Divide K0 into 2x28 bits. ROLeft each part. Ki := 56 bit transition of the number formed.

Triple DES

3DES_encrypt(key1, key2, key3, message) =

     DES_encrypt(key1, DES_decrypt(key2, DES_encrypt(key3, message))) 

DES under Unix in software

    char *crypt(char *key, char *salt);

    setkey(char *key);

    encrypt(char *buf, int edflag);

At the Crypto'94 conference, M.Matsui presented a DES-breaking technique termed 'linear-cryptanalysis'. Using 243 known ciphertexts, he was able to determine a single DES key in 50 days on a 100MHz desktop machine. As the cracking process is linear, comparable times on contemporary machines are measured in hours. In 1998 EFF's (then) US$250,000 DES cracking machine contained 1,856 custom chips and could brute force all 256 DES keys in 9 days.

DES Modes - Electronic Code Book (ECB)

DES Modes - Cipher Block Chaining (CBC)

Exchanging Encryption Keys

Diffie-Merkle-Hellman Key exchange

• A wants to send a key to B.
• A puts the key in a secure box and locks it with A's padlock.
• B does not have the key to A's padlock, so instead,
• B receives the box and adds B's own padlock to the box and returns it to A.
• A removes A's padlock with A's own key and sends the box back to B.
• B can now remove B's own padlock and remove the key which is now shared by A and B.

Public Key Cryptography

• The public key, E, may be openly published.

• The private key, D, is known only by the intended recipient.

• A and B openly publish their public keys (viewed as algorithms) E_A and E_B.

• A sends E_B( Plaintext_message ) to B.

• B calculates D_B( E_B( Plaintext_message ) ) = Plaintext_message.

• B can then reply with E_A( Plaintext_reply ) for A to read.

The MIT/RSA Algorithm

• We choose two very large prime numbers, p and q, each over 100 digits.
• We define E_A to be the pair (e,n) where n = pxq
  (for p, q being 100 digit primes, n will typically at least 200 decimal digits).
• We define D_A to be the pair (d,n)
  where (e x d) mod ( (p-1) x (q-1) )  = 1

• Encryption function : C := P_e mod n
• Decryption function : P := C_d mod n

Asymmetric ciphers

Strong Encryption is not enough - the need for Digital Signatures

• the forging of a signature by the receiver (or any third party), and
• the repudiation of the transmission of a message by the sender.

• True signatures, signed by the sender, verified by the receiver.
• Arbitrated signature may only be sent and verified through a trusted third party. The recipient is unable to verify the sender's signature directly, but is assured of its validity through the mediation of the arbitrator.

Message Digests - basic building blocks

• An absence of collisions. Unlike simpler file checksums, which quickly demonstrate file or data integrity, it must be hard to find two messages with the same digest.
• Must not be invertible. Digests are deterministic many-to-one functions.
• A uniform distribution of results. A change in just one input bit should affect at least half the output bits.

• The winner is Sydney
  2f8eff80630eb401b0038d8df420719b
• The winner is Sydey
  f2b91cf6f8ad805a127182e8a46d450f

• MD2 and MD5: developed by RSA, producing 16-byte hashes. Research in 1994 found weaknesses in collision frequencies.
• RIPEMD-160: The European standard producing 20-byte hashes.
• SHA-1, SHA-2 and SHA-256 are specified by the US government for their DSA, outputting 20-byte hashes.

(Old) performance of the basic building blocks

    linux>  openssl
    OpenSSL> speed md5
    To get the most accurate results, try to run this
    program when this computer is idle.
    Doing md5 for 3s on 16 size blocks: 1722968 md5's in 2.80s
    Doing md5 for 3s on 64 size blocks: 1469874 md5's in 2.80s
     ....
    type    16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    md5     9833.40k    33603.65k    92756.49k   167532.74k   217651.97k

Digital signature generation

Digital certificates

• An entity may be a person, a executing piece of software, or a device such as a router or a smart-card.
• A certification authority (CA) attests to the authenticity of the entity's public key by digitally signing a message with its own private key.
• The 'quality' of the certificate depends on the detail of information provided to the CA (more later).
• Either, public and private keys may be issued by the CA, or the CA may challenge the entity's public key.

Digital certificate encoding

Browser support for digital certificates

Browser support for digital certificates

The browser will display the digital certificate from the current page - here showing: The subject of the certificate, The issuer (CA) of the certificate, The serial number of the certificate, The period of validity of the certificate, and The message digest of certificate. If the issuer of a site's digital certificate is already known by the browser (either 'hard-wired' or manually added), the issuer's certificate may be viewed and verified. Version 3 of X.509 introduced extension fields - the association of additional information with a certificate. Each extension has: an extension type providing semantics and typing of the extension (e.g. a string), an extension value", such as an email or IP address, and a criticality indicator indicating if the whole certificate should be ignored if an extension is not recognized. Standard extensions (?) now describe the 'strength' and purpose of the certificate - digital signature, non-repudiation, key encipherment, data encipherment, certificate signing, etc.

Certificate Path validation

Certificate Revocation Lists

Trust breaks down, and CRLs are required, when: a subject's private key is exposed, a CA's private key is exposed, and the relationship between the subject and CA changes (e.g. the subject is no longer employed by the CA, or stops paying money to the CA). Certificate revocation plays a crucial part in the authentication process: Obtain the subject's digital certificate and verify its validity. Extract the serial number of the certificate. Fetch the current CRL from the CA. Verify the CRL's digital signature, and record its publication time and when the next CRL is to be published. Examine the CRL to determine if the intended certificate been revoked or suspended (based on the certificate serial number). Alert the user if the certificate is revoked. Limitations of Certificate Revocation In a large public key infrastructure community, CRLs are both large and must be downloaded frequently. Applications can be significantly slowed by the need to retrieve the latest CRL from a heavily taxed directory server (or other distribution point). There exists a compromise between always being up-to-date, versus the risk of false certificate acceptance.