Theory and Design of Network Security

1
Theory and Design of Network Security

• Part I Cryptography Basics and Public key
  Infrastructure
• Unit 1 Public-key Cryptography, Authentication
  and Digital Signature

2
Reference

• William Stallings. Cryptography and Network
  Security Principles and Practice (Fourth
  Edition). Prentice Hall, 2005.

3
Public Key Cryptography

• Problems of symmetric key
• Key Distribution
• Need a secure channel

?
Key
Secure Channel
4
Public Key Cryptography

• KDC (Key Distribution Center)

5
Public Key Cryptography

• Key Storage
• n users in the system. Each one needs n-1 keys.
  There are n(n-1)/2 keys in the system.
• 1000 users in the system. Each one needs 999
  keys. There are 499500 keys in the system.

6
Public Key Distribution

• Diffie Hellman 1976
• Public key distribution method
• How to realize the digital signature?

Public Value
secret
secret
Share a common key
7
Diffie-Hellman Key Exchange

• Diffie and Hellman 1976
• A number of commercial products employ this key
  exchange technique
• This algorithm enables two users to exchange key
  securely

8
Algorithm of Diffie-Hellman (1/2)
9
Algorithm of Diffie-Hellman (2/2)
10
Example of D-H Key Exchange
5
XA 36 XB58
q97
YA53650 mod 97 YB55844 mod 97
K(YB)XA mod 97 4436 75 nod 97 K(YA)XB mod
97 5058 75 nod 97
11
Diffie-Hellman
12
Primitive Roots

• From Eulers theorem have aø(n)mod n1
• consider ammod n1, GCD(a,n)1
• must exist for m ø(n) but may be smaller
• once powers reach m, cycle will repeat
• If smallest is m ø(n) then a is called a
  primitive root
• a, a2, , aø(n) are distinct (mod n)
• If p is prime, then successive powers of a
  "generate" the group mod p
• a, a2,, ap-1 are distinct (mod p)
• These are useful but relatively hard to find

13
Powers of Integers, Modulo 19
14
Discrete Logarithms

• The inverse problem to exponentiation is to find
  the discrete logarithm of a number modulo p
• That is to find x where ygx mod p
• Written as xlogg y mod p
• If g is a primitive root then always exists,
  otherwise may not
• x log3 4 mod 13 (x st 3x 4 mod 13) has no
  answer
• x log2 3 mod 13 4 by trying successive powers
  
• Computing exponentiation is relatively easy,
  finding discrete logarithms is generally a hard
  problem

15
Example of DL
16
Public Key Cryptosystem
17
Public Key Cryptosystem
18
Public Key Cryptosystem

• Encryption

19
Public Key Cryptosystem

• Authentication

20
PKC vs. SKC
21
PKC for Secrecy
22
PKC for Secrecy

• Secrecy
• Ciphertext Y EKUb(X)
• Receiver B can recover the plaintext using his
  private key KRb
• DKRb(Y) DKRb(EKUb(X)) X

23
RSA Cryptosystem

• 1977 by Ron Rivest, Adi Shamir, and Len Adleman
  (MIT)
• The first secure practical public key
  cryptosystem
• A block cipher in which the plaintext and
  ciphertext are integers between 0 and n-1 for
  some n

24
Math Background (RSA)

• Factorization Problem
• How to factorize an integer 48770428682337401 ?
• Is 223092871 a factor of 48770428682337401?
• It is difficult to factorize Npq if both p and
  q are large prime numbers

25
Prime Numbers

• prime numbers only have divisors of 1 and self
• they cannot be written as a product of other
  numbers
• note 1 is prime, but is generally not of
  interest
• eg. 2,3,5,7 are prime, 4,6,8,9,10 are not
• prime numbers are central to number theory
• list of prime number less than 200 is
• 2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59
  61 67 71 73 79 83 89 97 101 103 107 109 113 127
  131 137 139 149 151 157 163 167 173 179 181 191
  193 197 199

26
Prime Factorisation

• to factor a number n is to write it as a product
  of other numbers na b c
• note that factoring a number is relatively hard
  compared to multiplying the factors together to
  generate the number
• the prime factorisation of a number n is when its
  written as a product of primes
• eg. 91713 3600243252

27
Relatively Prime Numbers GCD

• two numbers a, b are relatively prime if have no
  common divisors apart from 1
• eg. 8 15 are relatively prime since factors of
  8 are 1,2,4,8 and of 15 are 1,3,5,15 and 1 is the
  only common factor
• conversely can determine the greatest common
  divisor by comparing their prime factorizations
  and using least powers
• eg. 300213152 182132 hence
  GCD(18,300)2131506

28
Modular Arithmetic

• aqn r 0ltr lt n q a/n
• Congruent modulo
• (a mod n) (b mod n)

29
Modular Arithmetic Operations

• (a mod n)( b mod n) mod n (ab) mod n
• (a mod n)-( b mod n) mod n (a-b) mod n
• (a mod n) ?( b mod n) mod n (a ? b) mod n
• Example
• 11 mod 8 3 15 mod 8 7
• (11 mod 8) (15 mod 8) 10 mod 8 2

30
Properties of Modular Arithmetic(1/3)

• Define Zn
• Commutative laws
• Associative laws
• Distributive laws
• Identities
• (0w) mod n w mod n
• (1 ? w) mod n w mod n
• Additive inverse (-w)
• For each there exits a z such that
  wz0 mod n

31
Properties of Modular Arithmetic(2/3)

• If (ab)?(ac) mod n then b ?c mod n
• If (a ? b)?(a ? c) mod n then b ?c mod n
• If a is relatively prime to n
• For example
• 6 ?318 ?2 mod 8
• 6 ?742 ?2 mod 8
• Yet 3 ?7 mod 8

32
Properties of Modular Arithmetic(3/3)

• If p is a prime number, then all the elements of
  Zp are relatively prime to p
• Multiplicative inverse (w-1)
• For each there exists a z such that w
  ?z ?1 mod p
• For each and gcd(w,n)1, there exists a
  z such that w ?z ?1 mod n

33
Finding the Multiplicative Inverse

• Finding the GCD
• gcd(a,b)gcd(b, a mod b)
• gcd(55,22)gcd(22,55 mod 22)gcd(22,11)11
• Euclids Algorithm
• Page 115

34
Euclid's GCD Algorithm

• An efficient way to find the GCD(a,b)
• Euclid's Algorithm to compute GCD(a,b)

• EUCLID(a,b)
• A ?a B ?b
• If B0 return Agcd(a,b)
• R A mod B
• A ? B
• B ? R
• goto 2

35
Example GCD(1970,1066)

• 1970 1 x 1066 904 gcd(1066, 904)
• 1066 1 x 904 162 gcd(904, 162)
• 904 5 x 162 94 gcd(162, 94)
• 162 1 x 94 68 gcd(94, 68)
• 94 1 x 68 26 gcd(68, 26)
• 68 2 x 26 16 gcd(26, 16)
• 26 1 x 16 10 gcd(16, 10)
• 16 1 x 10 6 gcd(10, 6)
• 10 1 x 6 4 gcd(6, 4)
• 6 1 x 4 2 gcd(4, 2)
• 4 2 x 2 0 gcd(2, 0)

36
Extended Euclids Algorithm

• Extended Euclid(m,b)

• (A1,A2,A3) ?(1,0,m) (B1,B2,B3) ?(0,1,b)
• If B30 return A3gcd(m,b) no inverse
• If B31 return B3gcd(m,b) B2b-1 mod m
• (T1,T2,T3) ?(A1-QB1, A2-QB2, A3-QB3)
• 6. (A1,A2,A3) ? (B1,B2,B3)
• 7. (B1,B2,B3) ? (T1, T2, T3)
• 8. goto 2

Find b-1 such that bb-11 mod m
Page 119
37
Fermat's Theorem

• ap-1 mod p 1
• where p is prime and gcd(a,p)1
• also known as Fermats Little Theorem
• useful in public key and primality testing

38
Euler Totient Function ø(n)

• when doing arithmetic modulo n
• complete set of residues is 0..n-1
• reduced set of residues is those numbers
  (residues) which are relatively prime to n
• eg for n10,
• complete set of residues is 0,1,2,3,4,5,6,7,8,9
  
• reduced set of residues is 1,3,7,9
• number of elements in reduced set of residues is
  called the Euler Totient Function ø(n)

39
Euler Totient Function ø(n)

• to compute ø(n) need to count number of elements
  to be excluded
• in general need prime factorization, but
• for p (p prime) ø(p) p-1
• for p.q (p,q prime) ø(p.q) (p-1)(q-1)
• eg.
• ø(37) 36
• ø(21) (31)(71) 26 12

40
Euler's Theorem

• a generalisation of Fermat's Theorem
• aø(n)mod N 1
• where gcd(a,N)1
• eg.
• a3n10 ø(10)4
• hence 34 81 1 mod 10
• a2n11 ø(11)10
• hence 210 1024 1 mod 11

41
Primality Testing

• often need to find large prime numbers
• traditionally sieve using trial division
• ie. divide by all numbers (primes) in turn less
  than the square root of the number
• only works for small numbers
• alternatively can use statistical primality tests
  based on properties of primes
• for which all primes numbers satisfy property
• but some composite numbers, called pseudo-primes,
  also satisfy the property

42
Miller Rabin Algorithm

• a test based on Fermats Theorem
• algorithm is
• TEST (n) is
• 1. Find integers k, q, k gt 0, q odd, so that
  (n1)2kq
• 2. Select a random integer a, 1ltaltn1
• 3. if aq mod n 1 then return (maybe prime")
• 4. for j 0 to k 1 do
• 5. if (a2jq mod n n-1)
• then return(" maybe prime ")
• 6. return ("composite")

43
Probabilistic Considerations

• if Miller-Rabin returns composite the number is
  definitely not prime
• otherwise is a prime or a pseudo-prime
• chance it detects a pseudo-prime is lt ¼
• hence if repeat test with different random a then
  chance n is prime after t tests is
• Pr(n prime after t tests) 1-4-t
• eg. for t10 this probability is gt 0.99999

44
Prime Distribution

• prime number theorem states that primes occur
  roughly every (ln n) integers
• since can immediately ignore evens and multiples
  of 5, in practice only need test 0.4 ln(n)
  numbers of size n before locate a prime
• note this is only the average sometimes primes
  are close together, at other times are quite far
  apart

45
The RSA Algorithm (1/2)
46
The RSA Algorithm (2/2)
47
RSA Example
48
RSA Example
N119 pq 717 e5 ed 1 mod 616 d77
49
Security of RSA

• Three possible approaches to attacking the RSA
  algorithm
• Brute force
• Trying all possible private keys
• Mathematical attacks
• Timing attacks

50
Factoring Problem

• Factor n into its two prime factos. This enable
  calculation of ?(n) (p-1)(q-1), which enables
  determination of d e 1 mod ?(n) .
• Determine ?(n) directly, without first
  determining p and q.
• Determine d directly, without first determining
  ?(n)

51
Factoring Problem

• For a large n with large prime factors, factoring
  is a hard problem, but not as hard as it used to
  be.
• 1977 three inventors of RSA issue Mathematical
  Games
• 100 reward
• 1994 RSA-129 (428 bits) breaking

52
Progress of Factorization
53
Constraints of RSA

• Key Requirement
• Key size in the range of 1024 to 2018 bits
• p and q should differ in length by only a few
  digits. Thus, both p and q should be on the order
  of 1075 to 10100.
• Both (p-1) and (q-1) should contain a large
  prime factor
• gcd(p-1,q-1) should be small

54
Timing Attacks

• Proceeds bit by bit
• Modular exponentiation method
• bi1 slow bi0 fast

c0 d1 for ik to 0 do c2c d(dd)
mod n if bi1 then cc1 d(da)
mod n return d
55
Timing Attacks

• Countermeasures
• Constant exponentiation time
• Degrade performance
• Random delay
• Blinding
• Multiply the ciphertext by a random number before
  performing exponentiation.

56
Message Authentication

• Authentication Requirement
• Possible attacks on the network
• Disclosure
• Traffic analysis
• Masquerade
• Content modification
• Sequence modification
• Timing modification
• Repudiation

57
Authentication Functions

• Message encryption
• The ciphertext of the entire message serves as
  its authenticator
• Message authentication code (MAC)
• A public function of the message and a secret key
  that produces a fix-length value that serves as
  the authenticator
• Hash Function
• A public function that maps a message of any
  length into a fixed-length hash value, which
  serves as the authenticator

58
Message Encryption
(A)
Conventional encryption confidentiality and
authentication
59
Message Encryption
(B)
Public-key encryption confidentiality
60
Message Encryption
(C)
Public-key encryption authentication and
signature
61
Message Encryption
(D)
Public-key encryption confidentiality,
authentication And signature
62
Error Control

• Append an error-detecting code (frame check
  sequence, FCS) or checksum to each message before
  encryption

Internal error control
63
Error Control
External error control
64
TCP-level Encryption
65
Example of TCP Segment
The receiver can be assured of the proper
sequence because an attacker cannot successfully
alter the sequence number
66
Reference Link vs. End-to-End Encryption
67
Link Encryption

• Each vulnerable communications link is equipped
  on both ends with an encryption device.
• All traffic over all communications links is
  secure.
• Disadvantage the message must be decrypted each
  time it enters a packet switch.
• Each pair of nodes that share a link should share
  a unique key, with a different key used on each
  link. Thus, many keys must be provided.

68
End-to-End Encryption

• The encryption process is carried out at the two
  end systems.
• The data in encrypted form are then transmitted
  unaltered across the network to the destination
  terminal or host.
• The destination shares a key with the source and
  so is able to decrypt the data.
• The host may encrypt only the user data portion
  of the packet and must leave the header in the
  clear.
• Provide a degree of authentication
• To achieve greater security, both link and
  end-to-end encryption are needed.

69
Comparison
70
Logical Placement of End-to-End Encryption

• Network-layer encryption
• Front-end processor function

71
Scope
72
Encryption Strategies
73
MAC

• The use of a secret key to generate a small
  fixed-size block of data
• That is appended to the message
• A MAC function is similar to encryption. One
  difference is that MAC algorithm need not be
  reversible
• It is less vulnerable to being broken than
  encryption

74
MAC

• Three situations in which a message
  authentication code is used
• The same message is broadcast to a number of
  destinations
• It is cheaper and more reliable to have only one
  destination responsible for monitoring
  authenticity
• An exchange one side has a heavy load and cannot
  afford the time to decrypt all incoming message.
• Message being chosen at random for checking
• Authentication of a computer program in plaintext
  is an attractive service
• The computer program can be executed without
  having to decrypt it every time

75
MAC

• Other rationales
• For some applications, it may not be concern to
  keep message secret, but it is important to
  authenticate message
• SNMPv3separates the functions of confidentiality
  and authentication
• Separation of authentication and confidentiality
  functions affords architectural flexibility
• Perform authentication at the application level
  but to provide confidentiality at a lower level
• A user may wish to prolong the period of
  protection beyond the time of reception and yet
  allow processing the message content

76
MAC
Message authentication
77
MAC
Message authentication and confidentiality Authen
tication tied to plaintext
78
MAC
Message authentication and confidentiality Authen
tication tied to ciphertext
79
Hash Function

• Definition
• A hash function accepts a variable-size message M
  as input and produces a fixed-size hash code H(M)
• Sometime called a message digest
• Hash Algorithm
• MD5
• RFC 1321 developed by Ron Rivist at MIT
• Secure Hash Algorithm (SHA)
• FIPS PUB 180 in 1993 (NIST) 180-1 in 1995
• FISP Federal Information Processing Standard

80
Hash Function
81
Requirements of Hash

• H can be applied to a block of data of any size
• H produces a fixed-length output
• H(x) is relatively easy to compute for any given
  x, making both hardware and software
  implementations practical
• For any given code h, it is computationally
  infeasible to find x such that H(x)h. This is
  sometimes referred to in the literature as the
  one-way property
• For any given block x, it is computationally
  infeasible to find y?x with H(y)H(x). This is
  sometimes referred to as weak collision
  resistance
• It is computationally infeasible to find any pair
  (x,y) such that H(x)H(y). This is sometimes
  referred to as strong collision resistance

82
Requirements of Hash
83
Basic Use of Hash (A)
84
Basic Use of Hash (B)
85
Basic Use of Hash (C)
86
Comparison of SHA-1 and MD5

• Brute force attack for SHA-1 is harder (160 vs
  128 bits for MD5)
• SHA-1 is not vulnerable to any known attacks
  (compared to MD4/5) ??
• (Speed) SHA-1 is a little slower than MD5 (80 vs
  64 steps)
• Both designed is simple and compact

87
Revised Secure Hash Standard

• NIST have issued a revision FIPS 180-2 and adds 3
  additional hash algorithms SHA-256, SHA-384,
  SHA-512.
• Designed for compatibility with increased
  security provided by the AES cipher
• Structure detail are similar to SHA-1 and hence
  analysis should be similar.

88
Comparison of SHA Properties
89
Digital Signature

• Dispute of message authentication
• Message authentication protects two parties who
  exchange messages from any third party. However,
  it does not protect the two parties against each
  other.
• Several forms of dispute between the two are
  possible

90
Problem of Authentication

• The following disputes could arise
• Receiver may forge a different message and claim
  that it came from sender.
• Sender can deny sending the message

91
Properties

• The digital signature is analogous to the
  handwritten signature. It must have the following
  properties
• It must be able to verify the author and the date
  and time of the signature
• It must be able to authenticate the contents at
  the time of the signature
• The signature must be verifiable by third
  parties, to resolve dispute

92
Requirements (1/2)

• The signature must be a bit pattern that depends
  on the message being signed
• The signature must use some information unique to
  the sender, to prevent both forgery and denial
• It must be relatively easy to produce the digital
  signature
• It must be relatively easy to recognize and
  verify the digital signature

93
Requirements (2/2)

• It must be computationally infeasible to forge a
  digital signature, either by constructing a new
  message for an existing digital signature or by
  constructing a fraudulent digital signature for a
  given message
• It must be practical to retain a copy of the
  digital signature in storage

94
Digital Signature Concept
95
Dispute Concept
Verify Judge
Signers Digital Signature
Third Party
Dispute
Sender
Receiver
96
RSA Digital Signature
97
Digital Signature Standard (DSS)

• The National Institute of Standards and
  Technology (NIST) has published Federal
  Information Processing Standard FIPS PUB 186,
  known as the Digital Signature Standard (DSS).
• The DSS makes use of the Secure Hash Algorithm
  (SHA)
• The DSS was originally proposed in 1991 and
  revised in 1993 in response to public feedback
  concerning the security of the scheme

98
DSS Concept (1/2)

• The DSS uses an algorithm that is designed to
  provide only the digital signature function
• Unlike RSA, it cannot be used for encryption or
  key exchange

99
DSS Concept (2/2)
100
DSS Algorithm

• Discrete Logarithms (page 228-233)
• Consider the equation
• y gx mod p
• Given g,x,and p, it is straightforward matter to
  calculate y
• Given y, g, and p, it is, in general, very
  difficult to calculate x
• Computational complexity
• e((ln p)1/3ln(ln p))2/3

101
DSS Algorithm

• Setup
• p large prime bit length of between 512 and 1024
  bits in increments of 64 bits 2L-1 lt p lt 2L and
  512 lt L lt 1024
• q prime divisor of (p-1) and 2159 lt q lt
  2160,i.e., the length is 160 bits
• g h(p-1)/q mod p,1lth lt p-1 ,h is an integer
  (I.e., gq 1 mod p)

102
DSS Algorithm

• Sign
• User As private key
• x random ? 0 lt x ltq
• User As public key
• y gx mod p
• Signing
• Randomly select k, 0ltkltq
• calculate r (gk mod p) mod q
• calculate s k-1(H(M) xr) mod q
• Signature (r,s)

103
DSS Algorithm

• Sign

104
DSS Algorithm

• Verify
• Verifying (r, s) (M)
• Calculate w (s)-1 mod q
• Calculate u1 H(M)w mod q
• Calculate u2 (r)w mod q
• Calculate v (gu1yu2) mod p mod q
• Verify v r (?). If yes, (r, s) is a valid
  signature on the message M

105
DSS Algorithm

• Verify

106
Criticisms of DSS (1/2)

• DSS cannot be used for encryption or key
  distribution
• DSS was developed by the NSA, and there may be a
  trapdoor in the algorithm
• DSS is slower than RSA
• RSA is the ISO 9796, the international digital
  signature standard

107
Criticisms of DSS (2/2)

• The DSS selection process was not public
  sufficient time for analysis has not been
  provided
• DSS may infringe on other pattern
• The key size is too small