
Spring 2011/Topic 10


Information Security


CS 526 (Spring 2010)



Key Distribution & Agreement, Secure Communication, Quantum Cryptography


Readings for This Lecture


On Wikipedia
  Needham-Schroeder protocol (only the symmetric key part)
  Public Key Certificates
  Transport Layer Security
  HTTP Secure
  Quantum key distribution

Outline


Symmetric setting
Key establishment between two parties
Key distribution among multiple parties
Kerberos
Distribution of public keys, with public key certificates
Diffie-Hellman Protocol
TLS/SSL/HTTPS
Quantum communication



Need for Key Establishment



Alice and Bob need to share a secret key $K$
How to establish the shared key?
How to refresh it (not a good idea to encrypt a lot of data with the same key)

$C = \mathrm{Encrypt}_K(M)$
$M = \mathrm{Decrypt}_K(C)$


Key Transport vs. Key Agreement


Key establishment: process to establish a shared secret key available to two or more parties
  Key transport: one party creates the secret key and securely transfers it to the other(s)
  Key agreement: key establishment technique in which a shared secret is derived by two (or more) parties


Long-Term Key vs. Session Key

Session key: temporary key, used for a short time period
  Assumed to be compromisable after some time
Long-term key: used for a long period; public/private keys are typically long-term
Using session keys to:
  limit available ciphertext encrypted with the same key
  limit exposure in the event of key compromise
  avoid long-term storage of a large number of distinct secret keys
  create independence across communications sessions or applications


Basic Key Transport Protocol


Assumes a long-term symmetric key $K$ shared between A and B

Basic: new key is $r_A$
  $A \to B: E_K(r_A)$

Prevents replay: uses time $t_A$; new key is $r_A$
  $A \to B: E_K(r_A, t_A, B)$

Key transport with challenge/response:
  $A \leftarrow B: n_B$
  $A \to B: E_K(r_A, n_B, B)$


Authenticated Key Exchange Protocol 2 (AKEP2)

  $A \to B: r_A$
  $A \leftarrow B: (B, A, r_A, r_B),\ h_K(B, A, r_A, r_B)$
  $A \to B: (A, r_B),\ h_K(A, r_B)$

Setup: A and B share long-term keys $K$ and $K'$
$h_K$ is a MAC (keyed hash function)
$h'_{K'}$ is a pseudo-random permutation (a block cipher)
Establish key $W = h'_{K'}(r_B)$
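The three AKEP2 messages above, written out as an added example (not part of the original slides). Assumptions: HMAC-SHA256 plays the role of $h_K$, and a second HMAC-SHA256 call stands in for the block cipher $h'_{K'}$; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def h(key, *fields):
    """h_K: HMAC-SHA256 over length-prefixed fields, so field boundaries are unambiguous."""
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()

def derive_w(k_prime, r_b):
    """W = h'_K'(r_B). Assumption: HMAC-SHA256 stands in for the slide's block cipher."""
    return hmac.new(k_prime, r_b, hashlib.sha256).digest()

def b_message2(k, r_a):
    """B answers r_A with (B, A, r_A, r_B) and its MAC; r_B is also kept as B's state."""
    r_b = secrets.token_bytes(16)
    body = (b"B", b"A", r_a, r_b)
    return r_b, body, h(k, *body)

def a_message3(k, k_prime, r_a, body, tag):
    """A accepts message 2 only if the MAC verifies and it echoes A's fresh r_A."""
    if len(body) != 4 or not hmac.compare_digest(tag, h(k, *body)):
        raise ValueError("bad MAC on message 2")
    if body[:3] != (b"B", b"A", r_a):
        raise ValueError("message 2 is not bound to this run")
    body3 = (b"A", body[3])
    return derive_w(k_prime, body[3]), body3, h(k, *body3)

def b_accept(k, k_prime, r_b, body3, tag3):
    """B accepts message 3 only if the MAC verifies and it echoes B's fresh r_B."""
    if not hmac.compare_digest(tag3, h(k, *body3)) or body3 != (b"A", r_b):
        raise ValueError("message 3 rejected")
    return derive_w(k_prime, r_b)

def run_once(k, k_prime):
    """One honest run; returns (A's W, B's W, the message 2 that was sent)."""
    r_a = secrets.token_bytes(16)                                  # message 1: A -> B
    r_b, body2, tag2 = b_message2(k, r_a)                          # message 2: B -> A
    w_a, body3, tag3 = a_message3(k, k_prime, r_a, body2, tag2)    # message 3: A -> B
    return w_a, b_accept(k, k_prime, r_b, body3, tag3), (body2, tag2)
```

A recorded message 2 carries a valid MAC, yet `a_message3` rejects it in a later run because it does not contain that run's fresh $r_A$.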

Key Agreement among Multiple Parties

For a group of N parties, every pair needs to share a different key
  Needs to establish $N(N-1)/2$ keys
Solution: Uses a central authority, a.k.a. Trusted Third Party (TTP)
  Every party shares a key with a central server.
  How to achieve that in an organization with many users?


Needham-Schroeder Shared-Key Protocol: Use Trusted Third Party

Parties: A, B, and trusted server T
Setup: A and T share $K_{AT}$, B and T share $K_{BT}$
Goal: Mutual entity authentication between A and B; key establishment
Messages:
  (1) $A \to T: A, B, N_A$
  (2) $A \leftarrow T: E[K_{AT}](N_A, B, k, E[K_{BT}](k, A))$
  (3) $A \to B: E[K_{BT}](k, A)$
  (4) $A \leftarrow B: E[k](N_B)$
  (5) $A \to B: E[k](N_B - 1)$

What bad things can happen if there is no $N_A$?

Another subtle flaw in Step 3.


Kerberos


Implements the idea of the Needham-Schroeder protocol
Kerberos is a network authentication protocol
  Provides authentication and secure communication
  Relies entirely on symmetric cryptography
Developed at MIT: two versions, Version 4 and Version 5 (specified as RFC 1510)
http://web.mit.edu/kerberos/www
Used in many systems, e.g., Windows 2000 and later as default authentication protocol


Kerberos Overview


One issue of Needham-Schroeder
  Needs the key each time a client talks with a service
Solution: Separates TTP into an AS and a TGS.
The client authenticates to AS using a long-term shared secret and receives a TGT.
  supports single sign-on
Later the client can use this TGT to get additional tickets from TGS without resorting to using the shared secret. These tickets can be used to prove authentication to SS.

AS = Authentication Server

SS = Service Server

TGS = Ticket Granting Server

TGT = Ticket Granting Ticket


Overview of Kerberos


Kerberos Drawback


Single point of failure:
  requires online Trusted Third Party: Kerberos server
Security partially depends on tight clock synchronization. Convenience requires loose clock synchronization
  Use timestamp in the protocol
  Hosts typically run Network Time Protocol to synchronize clocks
Useful primarily inside an organization
  Does it scale to Internet? What is the main difficulty?



Public Keys and Trust


Public key: $P_A$; secret key: $S_A$
Public key: $P_B$; secret key: $S_B$

How are public keys stored?
How to obtain the public key?
How does Bob know or ‘trust’ that $P_A$ is Alice’s public key?


Distribution of Public Keys


Public announcement: users distribute public keys to recipients or broadcast to community at large
Publicly available directory: can obtain greater security by registering keys with a public directory
Both approaches have problems, and are vulnerable to forgeries


Public-Key Certificates

A certificate binds identity (or other information) to public key
Contents digitally signed by a trusted Public-Key or Certificate Authority (CA)
  Can be verified by anyone who knows the public-key authority’s public key
For Alice to send an encrypted message to Bob, she obtains a certificate of Bob’s public key

Public Key Certificates


X.509 Certificates


Part of X.500 directory service standards.
  Started in 1988
Defines framework for authentication services:
  Defines that public keys are stored as certificates in a public directory.
  Certificates are issued and signed by an entity called certification authority (CA).
Used by numerous applications: SSL, IPSec, SET
Example: see certificates accepted by your browser



How to Obtain a Certificate?

Define your own CA (use openssl or Java Keytool)
  Certificates unlikely to be accepted by others
Obtain certificates from one of the vendors: VeriSign, Thawte, and many others


CAs and Trust


Certificates are trusted if the signature of the CA verifies
A chain of CAs can be formed; the head CA is called the root CA
In order to verify the signature, the public key of the root CA should be obtained.
TRUST is centralized (to root CAs) and hierarchical
What bad things can happen if the root CA system is compromised?
How does this compare with the TTP in the Needham/Schroeder protocol?


Key Agreement: Diffie-Hellman Protocol

Key agreement protocol, both A and B contribute to the key
Setup: $p$ prime and $g$ generator of $\mathbb{Z}_p^*$; $p$ and $g$ public.

A: Pick random, secret $a$. Compute and send $g^a \bmod p$
B: Pick random, secret $b$. Compute and send $g^b \bmod p$

  $A \to B: g^a \bmod p$
  $A \leftarrow B: g^b \bmod p$

A computes $K = (g^b \bmod p)^a = g^{ab} \bmod p$
B computes $K = (g^a \bmod p)^b = g^{ab} \bmod p$


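Authenticated Diffie-Hellman

Without authentication:
  Alice sends $g^a \bmod n$; Bob sends $g^b \bmod n$
  Each of them receives $g^c \bmod n$ instead
  Alice computes $g^{ac} \bmod n$ and Bob computes $g^{bc} \bmod n$ !!!

With authentication:
  Alice sends $C_{Alice},\ g^a \bmod n,\ \mathrm{Sign}_{Alice}(g^a \bmod n)$
  Bob sends $C_{Bob},\ g^b \bmod n,\ \mathrm{Sign}_{Bob}(g^b \bmod n)$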
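The two Diffie-Hellman slides above as one added example (not from the original slides): the plain exchange, the key mismatch when $g^c$ is delivered in place of the real values, and the signature check that rejects it. Assumptions: a constructed toy prime, toy textbook-RSA keys standing in for $\mathrm{Sign}$, and a lookup table standing in for the certificates; all names are hypothetical.

```python
import secrets

P, Q = 1439, 719   # constructed toy safe prime p = 2q + 1; real groups are 2048 bits or more

def find_generator(p, q):
    """Smallest generator of Z_p^* for p = 2q + 1: its order divides neither 2 nor q."""
    return next(g for g in range(2, p) if pow(g, 2, p) != 1 and pow(g, q, p) != 1)

G = find_generator(P, Q)

# Toy textbook-RSA keys (n, e, d) standing in for Sign_Alice / Sign_Bob. Illustration only.
SIGNING_KEYS = {"Alice": (3233, 17, 2753), "Bob": (2773, 17, 157)}
# Stand-in for the certificates C_Alice / C_Bob: name -> trusted verification key (n, e).
CERTS = {name: (n, e) for name, (n, e, _d) in SIGNING_KEYS.items()}

def public_value(secret):
    return pow(G, secret, P)

def shared_key(secret, received):
    return pow(received, secret, P)

def sign(name, value):
    n, _e, d = SIGNING_KEYS[name]
    return pow(value, d, n)

def verify(name, value, signature):
    n, e = CERTS[name]
    return 0 < value < n and pow(signature, e, n) == value

def exchange(a=None, b=None, substituted=None, authenticated=False):
    """One run. `substituted` is a value g^c delivered to both sides in place of the real ones."""
    a = a or secrets.randbelow(P - 2) + 1
    b = b or secrets.randbelow(P - 2) + 1
    ga, gb = public_value(a), public_value(b)
    sig_a, sig_b = sign("Alice", ga), sign("Bob", gb)
    bob_receives = ga if substituted is None else substituted
    alice_receives = gb if substituted is None else substituted
    if authenticated and not (verify("Alice", bob_receives, sig_a)
                              and verify("Bob", alice_receives, sig_b)):
        raise ValueError("received value is not covered by the sender's signature")
    return shared_key(a, alice_receives), shared_key(b, bob_receives)   # (Alice's K, Bob's K)
```

`exchange` returns the keys Alice and Bob end up with; with `substituted` set and `authenticated=False` the two differ, and with `authenticated=True` the run stops before any key is derived.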


Secure communication


Transport Layer Security (TLS)


Predecessors: Secure socket layer (SSL): Versions 1.0, 2.0, 3.0
TLS 1.0 (SSL 3.1); Jan 1999
TLS 1.1 (SSL 3.2); Apr 2006
TLS 1.2 (SSL 3.3); Aug 2008
Standard for Internet security
  Originally designed by Netscape
  Goal: “... provide privacy and reliability between two communicating applications”
Two main parts
  Handshake Protocol
    Establish shared secret key using public-key cryptography
    Signed certificates for authentication
  Record Layer
    Transmit data using negotiated key, encryption function

Usage of SSL/TLS


Applied on top of transport layer (typically TCP)
Used to secure HTTP (HTTPS), SMTP, etc.
One or both ends can be authenticated using public key and certificates
  Typically only the server is
Client & server negotiate a cipher suite, which includes
  A key exchange algorithm, e.g., RSA, Diffie-Hellman, SRP, etc.
  An encryption algorithm, e.g., RC4, Triple DES, AES, etc.
  A MAC algorithm, e.g., HMAC-MD5, HMAC-SHA1, etc.





TLS Handshake Protocol


C = client, S = server

C -> S: ClientHello
S -> C: ServerHello, [Certificate], [ServerKeyExchange], [CertificateRequest], ServerHelloDone
C -> S: [Certificate], ClientKeyExchange, [CertificateVerify]
C -> S: switch to negotiated cipher, Finished
S -> C: switch to negotiated cipher, Finished


Use of cryptography


C -> S: SSL/TLS version, crypto suites, nonce
S -> C: version, choice, nonce, signed certificate containing server’s public key Ks
C -> S: secret key K encrypted with server’s key Ks
switch to negotiated cipher
C -> S: hash of sequence of messages
S -> C: hash of sequence of messages


Viewing HTTPS web sites


Browser needs to communicate to the user the fact that HTTPS is used
  E.g., a golden lock indicator on the bottom or on the address bar
  Check some common websites
When users correctly process this information, it can defeat phishing attacks
Security problems exist
  People don’t know about the security indicator
  People forget to check the indicator
  Browser vulnerabilities enable incorrect indicator to be shown
  Use confusing URLs, e.g., https://homebanking.purdueefcu.com@host.evil.com/
  Stored certificate authority info may be changed




Quantum Cryptography


Based on a survey by Hoi-Kwong Lo: http://www.hpl.hp.com/techreports/97/HPL-97-151.html
And on http://en.wikipedia.org/wiki/Quantum_key_distribution


Quantum Mechanics & Cryptography


Quantum communication
  protecting communication using principles of physics
Quantum computing
  Can more efficiently solve some problems that are difficult for traditional computers to solve
    e.g., Shor’s efficient algorithm for factoring
  Exploits quantum superposition and entanglement
    N qubits can be in an arbitrary superposition of up to $2^N$ different states simultaneously
    N bits in classical computers can only be in one of $2^N$ states
  Quantum computers can compute with all states simultaneously



Properties of Quantum Information


Heisenberg Uncertainty Principle (HUP)
  If there is a particle, such as an electron, moving through space, it is impossible to measure both its position and momentum precisely.
A quantum state is described as a vector
  e.g., a photon has a quantum state
  quantum cryptography often uses photons in 1 of 4 polarizations (in degrees): 0, 45, 90, 135

[Table: Encoding 0 and 1 under two bases (columns: Basis, 0, 1; rows: rectilinear, diagonal)]


Properties of Quantum Information


No way to distinguish which of


a photon is


Quantum “no-cloning” theorem: an unknown quantum state cannot be cloned.
Measurement generally disturbs a quantum state
  one can set up a rectilinear measurement or a diagonal measurement
  a rectilinear measurement disturbs the states of those diagonal photons having 45/135

[Table: Effect of measuring, by basis]


Quantum Key Agreement


Requires two channels
  one quantum channel (subject to adversary and/or noises)
  one public channel (authentic, unjammable, subject to eavesdropping)
    Protocol does not work without such a channel


The Protocol [Bennett & Brassard ’84]

1. Alice sends to Bob a sequence of photons, each of which is chosen randomly and independently to be in one of the four polarizations
   Alice knows their states
2. For each photon, Bob randomly chooses either the rectilinear basis or the diagonal basis to measure
   Bob records the bases he used as well as the measurements


The Protocol [Bennett & Brassard ’84]

3. Bob publicly announces his bases of measurement
4. Alice publicly tells Bob which measurement bases are correct and which ones are not
   For the photons that Bob measures in the correct basis, Alice and Bob share the same results

See the following page for an example:
http://en.wikipedia.org/wiki/Quantum_key_distribution



The Protocol [Bennett & Brassard ’84]

5. Alice and Bob reveal certain measurement results to see whether they agree
   to detect whether an adversary is involved or the channel is too noisy

Why attackers fail
  Any measurement & resending will disturb the results with 50% probability
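A classical simulation of steps 1 to 5, added here as an example (not from the original slides). It assumes a noiseless channel and models measurement in the wrong basis as a coin flip; an eavesdropper who measures and resends picks the wrong basis for about half the photons, and each of those gives Bob a wrong bit half the time, so about a quarter of the compared bits disagree. All names are hypothetical.

```python
import random

BASES = "+x"   # '+' rectilinear (0/90 degrees), 'x' diagonal (45/135 degrees)

def measure(bit, prepared_basis, measured_basis, rng):
    """Same basis: the encoded bit is read back. Different basis: the outcome is a coin flip."""
    return bit if prepared_basis == measured_basis else rng.getrandbits(1)

def bb84(n, eavesdrop, seed):
    """Simulate n photons; returns sifted length, error rate on the revealed half, and keys."""
    rng = random.Random(seed)
    alice_bits = [rng.getrandbits(1) for _ in range(n)]      # step 1: Alice's random states
    alice_bases = [rng.choice(BASES) for _ in range(n)]
    bob_bases = [rng.choice(BASES) for _ in range(n)]        # step 2: Bob's random bases
    bob_bits = []
    for bit, basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            # Measure-and-resend: the photon that reaches Bob is re-prepared in Eve's basis.
            e_basis = rng.choice(BASES)
            bit, basis = measure(bit, basis, e_basis, rng), e_basis
        bob_bits.append(measure(bit, basis, b_basis, rng))
    # Steps 3-4: bases are compared in public; only matching positions are kept.
    keep = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    sift_a = [alice_bits[i] for i in keep]
    sift_b = [bob_bits[i] for i in keep]
    # Step 5: reveal the first half of the sifted bits and compare them.
    sample = max(len(keep) // 2, 1)
    errors = sum(x != y for x, y in zip(sift_a[:sample], sift_b[:sample]))
    return {
        "sifted": len(keep),
        "error_rate": errors / sample,
        "key_a": sift_a[sample:],     # unrevealed remainder, candidate key material
        "key_b": sift_b[sample:],
    }
```

The revealed half is discarded after the comparison; only `key_a` and `key_b` would go on to information reconciliation and privacy amplification.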

Additional Steps


Information reconciliation
  Figure out which bits are different between Alice and Bob
  Conducted over a public channel
Privacy amplification
  Reducing/eliminating Eve’s partial knowledge of a key



Coming Attractions …


Operating System Security Basics / UNIX Access Control