Confidentiality Using Conventional Encryption - PowerPoint PPT Presentation

1 / 33
About This Presentation
Title:

Confidentiality Using Conventional Encryption

Description:

Title: CH-5: Confidentiality Subject: Security Author: H. Yoon Last modified by: Technology Created Date: 3/2/1998 8:57:48 AM Document presentation format – PowerPoint PPT presentation

Number of Views:851
Avg rating:3.0/5.0
Slides: 34
Provided by: HYo85
Category:

less

Transcript and Presenter's Notes

Title: Confidentiality Using Conventional Encryption


1
Confidentiality Using Conventional Encryption
  • Where should cryptographic functionality be
    located?
  • How can we make communications confidential?
  • How do we distribute keys?
  • What is the role of random numbers?

2
Placement of Encryption Function
Placement of encryption function
  • Networks are vulnerable to active and passive
    attacks
  • Many potential locations for confidentiality
    attacks
  • By network tapping or other means
  • Passive inductive attacks on electrical signaling
  • Phone and wiring closets may be accessible to
    outsiders
  • Satellite links are easy to monitor
  • etc

Points of Vulnerability
3
Link vs. End-to-End Encryption
Placement of encryption function
  • The most powerful and most common approach to
    securing the points of vulnerability is
    encryption
  • If encryption is to be used to counter these
    attacks, need to decide what to encrypt and where
    the encryption should be located
  • Two fundamental alternatives
  • Link encryption
  • End-to-end encryption

4
Link vs. End-to-End Encryption
Placement of encryption function
5
Placement of encryption function
Logical Placement of E2E Encryption Function
  • Link encryption occurs at either the physical or
    link layers
  • For end-to-end encryption, several choices are
    possible
  • At the lowest practical layer, the encryption
    function could be performed at network layer
  • All the user processes and applications within
    each end system would employ the same encryption
    scheme with the same key
  • With this arrangement, front-end processor may be
    used to off-load the encryption function

6
Placement of encryption function
Logical Placement of E2E Encryption Function
  • X.25 or TCP provide end-to-end security for
    traffic within a fully integrated internetwork.
    However, such a scheme cannot deliver the
    necessary service for traffic that crosses
    internetwork boundaries, such as E-Mail, EDI, and
    file transfer
  • In this case, the only place to achieve
    end-to-end encryption is at the application layer
  • A drawback of application-layer encryption is
    that the number of entities to consider increases
    dramatically
  • Many more secret keys need to be generated and
    distributed

7
Placement of encryption function
Logical Placement of E2E Encryption Function
8
Placement of encryption function
Logical Placement of E2E Encryption Function
9
Traffic Confidentiality
Traffic Confidentiality
  • Security from traffic analysis attack
  • Knowledge about the number and length of messages
    between nodes may enable an opponent to determine
    who is talking to whom
  • Types of information derivable from traffic
    analysis
  • Identities of communicating partners
  • Frequency of communication
  • Message patterns, e.g., length, quantity,
    (encrypted) content
  • Correlation between messages and real world
    events
  • Can (sometimes) be defeated through traffic
    padding

10
Countermeasure to Traffic Analysis
Traffic Confidentiality
  • Link encryption approach
  • Link encryption hides address information
  • Traffic padding is very effective
  • End-to-End encryption approach
  • Leaves addresses in the clear
  • Measures available to the defender are more
    limited
  • Pad out data units to a uniform length at either
    the transport or application level
  • Null message can be inserted randomly into the
    stream

11
Covert Channel
Traffic Confidentiality
  • Essentially, the dual of traffic analysis
  • A means of communication in a fashion unintended
    by the designers of the communication facility
  • Usually intended to violate or defeat a security
    policy
  • Examples
  • Message length
  • Message content
  • Message presence

12
Key Distribution
Key Distribution
  • For conventional encryption to work, the two
    parties must share the same key and that key must
    be protected from access by others
  • Alices options in establishing a shared secret
    key with Bob include
  • Alice selects a key and physically delivers it to
    Bob
  • Trusted third party key distribution center (T3P
    or KDC) selects a key and physically delivers it
    to Alice and Bob
  • If Alice and Bob have previously and recently
    used a key, it can be used to distribute a new
    key
  • If Alice and Bob have keys with the T3P, rekeying
    can be accomplished similarly

13
Key Distribution
Key Distribution
  • Manual delivery is a reasonable requirement with
    link encryption, challenging with E2E encryption
  • The number of keys grows quadratically with the
    number of endpoints
  • T3P key(s) constitute a rich target of
    opportunity
  • Initial (master) key distribution remains a
    challenge

14
Use of a Key Hierarchy
Key Distribution
  • Use of a key distribution center is based on the
    use of a hierarchy of keys
  • Session keys
  • Master keys

15
A Key Distribution Scenario
Key Distribution
  • Assume each principal shares a unique master key
    with the KDC
  • Alice desires a one-time session key to
    communicate with Bob
  • Alice issues a request to the KDC for a session
    key to be used with Bob. Alices request
    includes a nonce to prevent replay attack
  • KDC responds with a message encrypted under
    Alices key. The message contains the session
    key, the nonce, and the session key along with
    Alices identity encrypted under Bobs key
  • Alice forwards the data encrypted under Bobs Key
    to Bob
  • Alice and Bob mutually authenticate under the
    session key
  • Alice sends a nonce to Bob encrypted under the
    session key
  • Bob applies a transformation to the nonce and
    sends the result back to Alice

16
A Key Distribution Scenario
Key Distribution
17
Hierarchical Key Control
Key Distribution
  • Instead of a single KDC, a hierarchy of KDCs can
    be established local KDCs and a golbal KDC
  • Local KDCs exchange keys through a global KDC
  • Can be extended to three or more layers
    (hierarchy)

                 
 
18
Session Key Lifetime
Key Distribution
  • Tradeoffs in the session key lifetime
  • The more frequent session keys, the more secure,
    but the less performance (the more network load
    and delay)
  • For connection-oriented protocols, one option is
    to associate a session with a connection
  • For long-lived connections, must periodically
    rekey
  • For connectionless protocols, rekey at intervals

19
A Transparent Key Control Scheme
Key Distribution
20
Decentralized Key Distribution
Key Distribution
  1. A issues a request to B for a session key and
    includes a nonce, N1
  2. B responds with a message encrypted using the
    shared master key. Response includes the session
    key selected by B, an identifier of B, the value
    of f(N1), and another nonce, N2
  3. Using the new session key, A returns f(N2) to B

21
Controlling Key Usage
Key Distribution
  • It is desirable to impose some control on the way
    in which keys are used
  • e.g. we may wish to define different types of
    session keys on the basis of use, such as
  • Data-encrypting key
  • PIN-encrypting key
  • File-encrypting key
  • One technique is to associate a tag with each key
  • Tag is a bit-vector representing the keys usage
    or type
  • e.g. the extra 8 bits in each 56-bit DES key can
    be used as a tag
  • Limited flexibility and functionality due to the
    limited tag size
  • Because the tag is not transmitted in clear form,
    it can be used only at the point of decryption,
    limiting the ways in which key use can be
    controlled
  • A more flexible scheme is to use a control vector

22
Key Distribution
Control Vector Scheme
  • Each session key has an associated control vector
  • Control vector consists of a number of fields
    that specify the uses and restrictions for that
    session key
  • The length of control vector may vary
  • Control vector is cryptographically coupled with
    the at the time of key generation at the KDC
  • Hash value H h(CV)
  • Key input Km ? H
  • Encrypted session key EKm ? HKs
  • When a session key is delivered to a user from
    the KDC, it is accompanied by the control vector
    in clear form
  • The session key can be recovered only by using
    both the master key and the control vector
  • Ks DKm ? HEKm ? H Ks
  • Advantages (over the 8-bit tag)
  • No restriction on length of control vector
    (arbitrarily complex controls to be imposed on
    key sue)
  • Control vector is available in clear form at all
    stage of operation ? Key control can be exercised
    in multiple locations

CV control vector Km master key Ks session
key
23
Key Distribution
Controlling Key Usage
24
Random Number Generation
Random Number Generation
  • Use of random numbers (in cryptography)
  • As key stream for a one-time pad
  • For session keys
  • For public key
  • For nonces (random numbers) in protocols to
    prevent replays
  • Good cryptography requires good random numbers
  • Random number requirements
  • Statistically random (uniform distribution, etc)
  • Unpredictable (independent)

25
Sources of Randomness
Random Number Generation
  • Natural random noise (Natural real randomness)
  • Radiation counters, radio noise, thermal noise in
    diodes, leaky capacitors, mercury discharge
    tubes, etc
  • Generally need special H/W for this
  • Starting to see this in new CPUs (Pentium III)
  • Almost random sources
  • Keystroke timing
  • Mouse tracking
  • Disk latency, etc
  • Published lists
  • e.g., Rand Co. in 1955 published a book of 1
    million numbers generated using an electronic
    roulette wheel
  • Predictable
  • In practice, pseudorandom numbers are
    algorithmically derived from a deterministic PRNG
    (Pseudorandom Number Generator)

26
Lehmers algorithm
Random Number Generation
  • Most widely used technique for PRNG
  • Also known as linear congruential method
  • Four parameters
  • m modulus m gt 0
  • a multiplier 0 ? a lt m
  • c increment 0 ? c lt m
  • X0 seed 0 ? X0 lt m
  • Xn1 (aXn c) mod m
  • Generates numbers in the range 0, , m-1
  • Good and bad choices for m, a, and c
  • Lots of obvious bad choices

27
Lehmers algorithm - 2
Random Number Generation
  • Choose a very large m, e.g., 231
  • Provides for a long series
  • Usually the maximum integer value for a given
    computer
  • Criteria for good RNG
  • Generate the entire range (full period)
  • Pass statistical tests
  • Efficient implementation
  • Good choices
  • m 231-1, a prime value
  • a 75 16807
  • c 0
  • Useful for applications requiring statistical
    randomness (Monte Carlo simulation)
  • Not so useful for cryptography (easy
    cryptanalysis)
  • Xi, Xi1, Xi2 gives solution for m, a, and c

28
Cryptographically Generated RNs
Random Number Generation
  • Cyclic encryption
  • Generate session keys from a master key
  • A counter with period N is input to the
    encryption logic
  • e.g. 56-bit counter for 56-bit DES
  • X0 ? X1 ? ? Xn-1
  • Xis can not be deduced since the master key is
    protected
  • Full-period PRNG can be used instead of a simple
    counter
  • DES OFB mode
  • Can be used as a PRNG (IV is the seed)
  • Successive 64-bit outputs constitute a sequence
    of pseudorandom numbers with good statistical
    properties

29
ANSI X9.17 PRNG
Random Number Generation
  • One of the (cryptographically) strongest PRNG
  • Used in financial security applications and PGP
  • DTi is date/time value at the beginning of ith
    stage
  • Vi is seed value at the beginning of ith stage
  • Ri is output (PRN) of ith stage
  • K1, K2 are 3DES keys
  • Ri EDEK1,K2(Vi ? EDEK1,K2(DTi))
  • Vi1 EDEK1,K2(Ri ? EDEK1,K2(DTi))

30
Blum Blum Shub (BBS) PRNG
Random Number Generation
  • Choose large primes p and q, s.t. p ? q ? 3 (mod
    4)
  • Let n p ? q
  • Choose s relatively prime to n
  • BBS produces a sequence of bits Bi
  • X0 s2 mod nfor (i 1 i ) Xi
    (Xi-1)2 mod n Bi Xi 1
  • BBS is referred to as a cryptographically secure
    pseudorandom bit generator (CSPRBG)

31
Blum Blum Shub PRNG- Example
Random Number Generation
  • N383 x 503 192649, s 101355

32
CSPRBG
Random Number Generation
  • Cryptographically secure pseudorandom bit
    generator (CSPRBG) is defined as one that pass
    the next-bit test
  • Next-bit test
  • Given k bits of output from a PRBG, there is no
    polynomial time algorithm that can predict the
    k1st bit with probability greater than ½ ?
  • For all practical purposes, the sequence is
    unpredictable
  • The security of BBS is based on the difficulty of
    factoring n (i.e., given n, determining two prime
    factors p and q)

33
HW
Random Number Generation
  • P. 5.3
  • P. 5.4
  • P. 5.5
  • P. 5.9
  • P. 5.10
  • (For P.5.3 and P. 5.10, please look up the errata
    sheet)
Write a Comment
User Comments (0)
About PowerShow.com