Network Security

References

Computer Networks, 3rd Edition, A. Tanenbaum, Chapter 7
Corporate Internet Strategies newsletter, March 96
Wired Magazine, March 96
IBM Security Concepets article
 http://www.digicash.com/publish/sciam.html
 http://world.std.com/~franl/pgp/pgp-passphrase-faq.html
 gopher://gopher.well.sf.ca.us/00/hacking/pgp.up
 VeriSign Digital ID Center
 How SSL Works
 PC Week article http://home.zdnet.com/pcweek/news/0929/29des.html
RSA Security http://www.rsa.com/

There are five aspects of security. They aren't totally independent of each other, and real applications usually have to worry about several or all of them. We ignore authorization as an OS issue. Authorization clearly relies on authenication.

Secrecy or Privacy

Keeping content hidden from the wrong people. Traditional systems: locks, safes.

Being confident about a persons or a documents identity. Traditional systems: id cards, face/voice recognition, physical distinction of copies

What a user/process is allowed to do. Distinct from authentication, an OS issue if authentication can be done

Applying the digital equivalent of a persons signature so they can't later deny something. Traditional systems: signature

Being confident that a message wasn't altered. Traditional systems: registered mail, courier

Physical - protect wires, shield them, use fiber
Data link - encrypt/decrypt for each point-to-point hop
Network - firewalls may filter packet traffic
Transport - provide and end-to-end (process-to-process) encryption
Application - authentication and non-repudiation must be solved here

Cryptography

Here's the model

Plaintext, P -----> | Encryption algorithm | -----> Ciphertext, C ------> | Decryption algorithm | ------> Plaintext, P

Intruders monitor the channel and see the ciphertext. Active intruders may introduce ciphertext message into the channel.

The ciphertext C = E_K(P) which is to say that the ciphertext is the output of a function E with two parameters, K and P.
Obviously  D_K(E_K(P)) = P so E and D are inverses of each other.

The encryption algorithm is public. Keeping it secret is too hard (equivalent to the need to encrypt P in the first place). Making it public nowadays also means that people all over the world try to crack it, so if they can't crack it they world gains confidence that it is a good algorithm.

With a public encryption algorithm the protection comes from the secretness of the key. An example is combination lock using a 3 digit key. Everyone knows the algorithm (left, right, left) but you must have the key to open a lock. The longer the key the larger the amount of work that must be done to break the encryption with a brute force attack.

Need for redundancy

1. All encrypted messages must contain redundancy to prevent the sending of false messages.

 

 
 
 

If the ciphertext is exactly as big as the plaintext, and all possible ciphertext messages decrypt to legal plaintext messages, then it is trivial for a bad guy to generate false messages. The bad guy doesn't need to know what message he is sending with is random-bit false messages in order to cause problems.

For example, suppose that a banking message had three fields for a transfer operation: from account, to account, and amount. The field sizes are known to the bad guys (say they are 4, 4, and 6 digits). If every possible 4 digit number is potetially a legitimate account number, then a random set of 14 digits in a false ciphertext message will be decrypted to a legal but bogus money transfer operation.

If the coded message contains redundancy, then bogus decrypted messages can be detected. So to continue the example, each 4 digit account number could be proceeded by some standard word or number string. Now it is impossible to generate bogus ciphertext which maps to a legal plaintext account number.
 

2. Something must prevent the undetected re-transmission of intercepted messages.

 

 
 
 

The intruder may listen to the channel, record ciphertext messages, then play them back at some later time. This can cause all sorts of damage and problems, and isn't detectable since the re-played messages are perfectly legal.

One approach is to use a timestamp and discard any message older than some threshold.

Modern cryptography

There are two major categories of algorithms: secret key and public key.

Attacking an encryption algorithm is much easier if a sample of plaintext/ciphertext is available. It should be assumed that this is the case when gauging the safety of an algorithm.

Secret key

The problem with secret key is distributing the keys. This is particularly hard if you want to communicate securely with large numbers of people, and if you don't necessarily know who you want to communicate with in advance.

DES (Data Encryption Standard)

Estimated in 1994 that a machine could be built for $1 million to crack DES through brute force search of the state space in 4 hours. More creative idea: put a cheap DES chip capable of 1 million encryptions per second in every radio/TV in one billion peoples homes (say everyone in China). Each chip is assigned a tiny piece of the key space. Ciphertext/plaintext pair messages are broadcast to each radio/TV, all chips starts doing encryptions for their part of the key space and comparing. Within 60 seconds the key is found.

Better secret key algorithms (e.g. IDEA) are availalble than DES. The problem of distributing the key remains even with these cryptographically secure algorithms.

IDEA

Public key

The requirements for this to work are the following, where E is the encryption algorithm plus its key and D is the decryption algorithm plus its key

1. D( E(P) ) = P
2. It is very hard to deduce D from E.
3. E cannot be broken by a "chosen plaintext" attack.

 

 
 
 

The first requirement just says that D and E are inverses of each other.

The second requirement says that knowing E isn't enough to tell you D.

A "chosen plaintext" attack is one where the bad guy can encrypt as much plaintext as he wants using the encryption algorithm E. This is the strongest sort of attack since it lets the bad guy experiment with plaintext/ciphertext pairs.

1. Person X wants to communicate to person Y. Person X devises a algorithms and a keys for encrypting and decrypting, call these Ex and Dx. Person X makes Ex (algorithm + key) public by putting it on the web in a well-known place. Person X then makes D known, but keeps the decryption key private.
2. Person Y does the same thing, making Ex and D public.
3. Person X takes a message P and encrypts it using with person Y's public algorithm/key C = Ey(P) and sends C to person Y.
4. Person Y computes Dy(C) = Dy( Ey(P) ) = P to get the plaintext.

 

 
 
 

This works because only person Y knows the private key, and Dy can't be derived from the public information Ey.
The decryption algorithms D are published to take advantage of people trying to crack the scheme.

RSA Algorithm

First you need the following

1. Select two large (greater than 10¹⁰⁰) prime numbers, p and q
2. Compute n = p * q, and z = (p-1) * (q-1).
3. Choose a number relatively prime to z and call it d (d and z must have no common factors)
4. Find e such that (e * d) mod z = 1

 

 
 
 

You can get p and q from a book of prime numbers. This keep supercomputers gainfully employed.

When you multiply two large primes you get a number with only two factors. Because factoring a large number is very expensive, you have effectively hidden p and q in the product n which you can safely make public.

1. Represent the message as a plaintext bit string (just put the bits for the ASCII codes together into a string).
2. Divide the plaintext bit string into blocks of k bits so that each block when viewed as a k bit binary number P <= 2^k has value less than n. You want the biggest k you can get.
3. To encrypt the plaintext form the ciphertext C by C = P^e (mod n)
4. To decrypt the ciphertext, calculate P = C^d (mod n)

To break the encryption you must factor n to p and q, hence z, and then use Euclid's algorithm to get d. RSA calculate that it would take 4 billion years of compute time using the best algorithm and a 1 usec calculation time to factor a 200 digit number.

RSA example

Select p = 3, q = 11 so n = p * q = 33
Calculate z = (p-1) * (q-1) = 20
Choose d = 7 since 7 and 20 are relatively prime
Solving for e in 7 * e mod 20 = 1 yields e = 3

<Tanenbaum figure 7-11 showing encryption of short plaintext example>

Security Scenarios

Scenario 1 - privacy

 Result

Anyone can know your public key - how do you know who the message was from? (no authentication)

Scenario 2 - authentication, no privacy

 Result

Anyone can decrypt with A's public key, which is widely available (no secrecy)

Scenario 3 - privacy, authentication

Result

B doesn't know immediately that A actually sent the message, but forgery is detected later in message 3
A knows that message 2 isn't a recorded replay because it contains R_A which was just generated by A
B knows that message 1 wasn't a forgery when it receives message 3 containing R_B which only A could have decrypted and returned to it.

A and B now have an authenticated, secure means of communication. In practice a secret key for the session is also exchanged for subsequent secure data transfer.

Scenario 4 - authentication, privacy, non-repudiation

Result

Authentication, privacy, nonrepudiation assured - A and B only know each others public keys

The public key scheme used must have the following property for this to work:

E( D(P) ) = P
in addition to the standard property of
D( E(P) ) = P
RSA algorithm has this property and is widely used for digital signatures.

Use of random session numbers, as in scenario 3, guards against replay attacks.

Scenario 5 - authentication, integrity, no privacy

A message digest is a special hash function that takes an arbitrary amount of plaintext and creates a fixed length bit string. The hash function has the following properties:

1. Given P, it is easy to computer MD(P)
2. Given MD(P) it is impossible to find P
3. No two messages generate the same message digest (to a very small probability)

A computes MD(P), then sends signs it with A's private key
A sends P and D_A( MD(P) ) to B
B uses A's public key to decrypt MD(P) by doing E_A( D_A( MD(P) ) )
B computes MD(P) for himself, from P, and compares. If there is a difference, then P was tampered with in transit.

Digital Signatures: Authentication & Nonrepudiation

• Verifiable: Anybody should be able to check a signature to see whether it is valid.
• Unforgeable: It should be impossible for anybody but you to attach your signature to a document.
• Non-reusable: It should be impossible to "lift" a signature off one document and attach it to another.
• Unalterable: It should be impossible for anybody to change the document after it has been signed.

Non-deniable: It should be impossible for the signer to disavow the signature once it is created.

Implementing public key

Problems arise if A's private key is stolen or released to the public (A can now repudiate), or if A changes its private key at some point. Some kind of key repository helps solve these problems.

Distributing public keys: certificate authorities

Sending a public key as part of a request has similar problems. It would be easy for X to send a message claiming to be A with a public key attached. The receiver B can't tell just from the key that it is indeed A's key.

One way of insuring to whom a public key belongs is with a certificate. A certificate has the following information

• Person's name, address, organization, etc
• Person's public key
• Validity dates
• Certificate number

The certificate authority (CA) must be trusted to have determined the identity of the party to whom the certificate was issued. The only public key that must be widely accessible to everybody is that of the CA.

PGP - Pretty Good Privacy

Pure public key is impractical because:

• Algorithms are slow, so encrypting a large file is time consuming
• The keys are long, so the private key can't be memorized

 Encrypting the plaintext with a single-key algorithm is much faster
 A session key is generated (randomly) (IDEA 128 bit encryption)
 The message is encrypted with this session key
 The session key is encrypted with A's private key, then B's public key
 The cyphertext and the encrypted session key are sent to B
 B decodes session key with B's private and A's public keys
 B decodes message

 Keys must be long to be safe (large prime products are hard to factor, small ones are easy)
 128 byte key = 1024 bits ~= 150 characters - too much to memorize
 Where to store private key?  Public key is not a problem - directory on Net is most convenient
 Store with computer - human error attacks
 PGP encrypts the private key with a pass phrase

Losing your private key/pass phrase
Tampering with public keys
Most of these are in the PGP shell you use
 files that don't really get deleted from the disk
 temporary copies of plaintext files (swap space, /tmp)
 viruses within computer or PGP shell - could capture pass phrase
 trojan horse versions of PGP shell

The limits of cryptography

• algorithms
• implementation
• human factors

RSA-129 Challenge

Issued by Martin Gardner in 1977 Scientific American article describing RSA 129 digit key - expected to take 1015 years to crack.

Group of people used the Net to accumulate 5,000 mips-years in 1993/94 to break it

New means of factoring large primes - vector units. Accumulate enough vector units, determine the factor. Makes estimations of difficulty of factoring wrong since better algorithms now available.

Netscape SSL - direct attack

Export quality (40 bit) key cracked by several people using idle workstations, spare supercomputer time

Took a long weekend of searching the entire key space (64 mips-years)

128 bit US version keys are much stronger - "billion machines, each a million times more powerful, 6 billion years required"

Netscape SSL - indirect attack

Property of PRNG - they repeat if started from the same seed.

Two UCB students - looking at algorithm used to select session key to encrypt messages noticed that the seed to the PRNG was determined from time-of-day, pid, and parent pid

Process ids are easy to get, or even to break (15 bit number)

Huge mistake in implementation cause Netscape to do a new version, start a "bugs bounty" prorgram

Secret key schemes

40-bit (export version)

From PC Week article:

"The 40-bit key that can readily be exported permits more than a trillion possible values; the 56-bit DES key permits more than 72,000 trillion possible values. But even at this higher level of protection, a professional DES-cracking machine (which may already exist, based on a 1993 design) could crack a new key (on average) every 3.5 hours at a present-day construction cost of about $600,000."

RSA Security sponsored a $10,000 challenge to anyone breaking the 56bit DES code. It took 5 months of people using idle cycles of machines connected to the net to do it.

brute force attack:

72 quadrillion keys possible
peak rate of 7 billion keys tested per second
25% of key space searched before key found
10s of thousands of cooperating hosts
all operating systems, huge range of compute power