SSIN - Security in Informatic Systems
Demonstrating Computer Security for educational purposes
CryptoAcademy
Filipe Miguel Alves Bandeira Pinto de Carvalho  080509076
Pedro Miguel Ferreira Machado  070509074
Index
Introduction ........................ 3
Goals ............................... 3
Cryptography ........................ 4
  RC4 ............................... 4
  DES ............................... 7
  AES ............................... 9
  RSA ............................... 11
  MD5 ............................... 13
  SHA ............................... 14
System Architecture ................. 15
Walkthrough ......................... 16
Future Improvements ................. 18
Conclusions ......................... 18
References .......................... 19
Introduction
There is a lot of information on cryptographic algorithms spread across the web and libraries, but there is no single place that combines it all and provides a good learning experience. CryptoAcademy intends to fill that gap in cryptography studies by presenting an intuitive interface, theoretical background on each algorithm, examples and a test area where each user can experiment with and test the algorithm as they wish.
CryptoAcademy is a wiki-like project which allows users to read about several cryptographic algorithms and test them on their own.
Registration is not necessary, and the information is trusted and verified by experts. If a user has any suggestion, there is a contact on the webpage that allows users to help improve the system.
Goals
The motivation for this project originates in the need to spread information in an efficient way; in this case, the information concerns cryptography.
It is important for students that knowledge comes from sources other than classes. As time goes by, it becomes more and more important that students (and everyone else) can study, practice and learn a little on their own. That is the main goal of this project. On one side, it is intended to help the teacher pass knowledge to students; on the other side, it invites students to learn and experiment on their own. This kind of education really intends to persuade students to study and work at home. It is not intended, by any means, to replace the teacher, but to provide a tool that can help the teacher and the students get better results.
Besides, practical knowledge is becoming more important every day, so the "learn by doing" philosophy is a must for everyone. Theoretical classes alone are not enough for students to learn any subject. With a tool like CryptoAcademy, not only is the teacher's work eased, but the students get a little extra help in their study. Learn by doing is for sure an interesting philosophy that summarizes the objective of the project.
Cryptography
RC4
Designer: Ron Rivest (RSA Security)
General description
RC4 is one of the most widely used software stream ciphers and is used in popular protocols, such as SSL (protecting Internet traffic), WEP (securing wireless networks) and PDF.
It is considered fast and simple to implement in software.
Algorithm Description
RC4[1] generates a pseudorandom stream of bits (a keystream). As with any stream cipher, this keystream can be used for encryption by combining it with the plaintext using bitwise exclusive-or; decryption is performed the same way (since exclusive-or is a symmetric operation).
To generate the keystream, the cipher makes use of a secret internal state which consists of two parts:
1. A permutation of all 256 possible bytes (denoted "S" below).
2. Two 8-bit index pointers (denoted "i" and "j").
The permutation is initialized with a variable-length key, typically between 40 and 256 bits, using the key-scheduling algorithm (KSA). Then the stream of bits is generated by a pseudo-random generation algorithm (PRGA).
Figure: The lookup stage of RC4. The output byte is selected by looking up the values of S(i) and S(j), adding them together modulo 256, and then looking up the sum in S; S(S(i) + S(j)) is used as a byte of the keystream, K.
Vulnerabilities:
● RC4 is especially vulnerable when the beginning of the output keystream is not discarded.
  ○ RC4-drop[N], with N a multiple of 256, is an improvement that solves this issue.
● It is also weak when non-random or related keys are used.
● Some ways of using RC4 can lead to very insecure systems, such as WEP.
  ○ Erik Tews, Ralf-Philipp Weinmann, and Andrei Pychkine used this analysis to create aircrack-ptw, a tool which cracks 104-bit RC4 used in 128-bit WEP in under a minute.
The aircrack-ptw attack [2]
“The aircrack team were able to extend Klein’s attack and optimize it for usage against WEP. Using this version, it is possible to recover a 104-bit WEP key with probability 50% using just 40,000 captured packets. For 60,000 available data packets, the success probability is about 80% and for 85,000 data packets about 95%. Using active techniques like deauth and ARP re-injection, 40,000 packets can be captured in less than one minute under good conditions. The actual computation takes about 3 seconds and 3 MB main memory on a Pentium-M 1.7 GHz and can additionally be optimized for devices with slower CPUs. The same attack can be used for 40-bit keys too with an even higher success probability.”
● Biased outputs[3][4]:
  ○ The best such attack is due to Itsik Mantin and Adi Shamir, who showed that the second output byte of the cipher is biased toward zero with probability 1/128 (instead of 1/256). This is due to the fact that if the third byte of the original state is zero, and the second byte is not equal to 2, then the second output byte is always zero. Such a bias can be detected by observing only 256 bytes.
Improvements:
● The most important weakness of RC4 comes from its insufficient key schedule: the first bytes of output reveal information about the key. This can be corrected by simply discarding some initial portion of the output stream.
  ○ RC4-drop[N], where N is typically a multiple of 256, such as 768 or 1024, and denotes the number of bits discarded.
  ○ RC4+, with a more complex three-phase key schedule and a more complex output function which performs four additional lookups in the S array for each byte output, taking approximately 1.7× as long as basic RC4.
  ○ VMPC, which is similar to the original RC4, but iterates on a basis of 768 times, with an optional additional 768 iterations to incorporate an initialization vector.
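The following is an added example, not code from the report or from CryptoAcademy: a direct implementation of the KSA and PRGA described above, an RC4-drop[N] wrapper (N here counts discarded keystream bytes, which is the usual RC4-drop[N] convention), and a check for the Mantin-Shamir second-byte bias. The sample keys are constructed deterministically from a counter so the measurement is reproducible.

```python
# Added example (not part of the original report): RC4 KSA + PRGA, RC4-drop[N],
# and a measurement of the Mantin-Shamir second-byte bias described in the text.
import hashlib


def rc4_ksa(key: bytes) -> list:
    """KSA: derive the 256-byte permutation S from a key of 1..256 bytes."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be between 1 and 256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, length: int, drop: int = 0) -> bytes:
    """PRGA: emit `length` keystream bytes after discarding the first `drop` bytes
    (RC4-drop[N]). Each step outputs S[(S[i] + S[j]) % 256], the lookup stage in the figure."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for n in range(drop + length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        k = S[(S[i] + S[j]) & 0xFF]
        if n >= drop:
            out.append(k)
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """Encrypt or decrypt (same operation): XOR the data with the keystream."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data), drop)))


def mantin_shamir_condition(key: bytes) -> bool:
    """True when the KSA leaves S[2] == 0 and S[1] != 2; for such keys the second
    keystream byte is always zero, which is the source of the 1/128 bias."""
    S = rc4_ksa(key)
    return S[2] == 0 and S[1] != 2


def derived_keys(count: int, key_len: int = 16) -> list:
    """Constructed sample keys: SHA-256 of a counter, truncated to key_len bytes."""
    return [hashlib.sha256(i.to_bytes(4, "big")).digest()[:key_len] for i in range(count)]


def second_byte_zero_rate(keys: list, drop: int = 0) -> float:
    """Fraction of keys whose second keystream byte (after `drop`) is zero."""
    zeros = sum(1 for k in keys if rc4_keystream(k, 2, drop)[1] == 0)
    return zeros / len(keys)


if __name__ == "__main__":
    ct = rc4_crypt(b"Key", b"Plaintext")
    print("RC4('Key', 'Plaintext') =", ct.hex())  # bbf316e8d940af0ad3
    print("round trip:", rc4_crypt(b"Key", ct))
    keys = derived_keys(8000)
    print("P[2nd byte == 0], plain RC4    :", second_byte_zero_rate(keys))       # about 1/128
    print("P[2nd byte == 0], RC4-drop[768]:", second_byte_zero_rate(keys, 768))  # about 1/256
```

The plain-RC4 rate comes out near 1/128 while the RC4-drop[768] rate is near the uniform 1/256, which is the whole point of discarding the keystream prefix; the state condition can also be checked directly, because every key satisfying it yields a zero second byte.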
DES
General description:
DES stands for Data Encryption Standard[5]. It is a reversible, secret-key algorithm which is especially fast when computed in hardware.
DES was deliberately weakened so that the US National Security Agency (NSA) could break it (the key was only 56 bits long); it is now considered insecure for many applications. This is mainly due to the 56-bit key size being too small.
On 26 May 2002, DES was finally superseded by the Advanced Encryption Standard (AES). Until that time, DES was the predominant algorithm for the encryption of electronic data.
Algorithm description:
DES is the archetypal block cipher: an algorithm that takes a fixed-length string of plaintext bits and transforms it through a series of complicated operations into another ciphertext bit string of the same length (64 bits). Every 8th bit of the selected key is discarded, that is, positions 8, 16, 24, 32, 40, 48, 56 and 64 are removed from the 64-bit key, leaving behind only the 56-bit key.
Vulnerabilities:
● DES is now considered insecure because a brute-force attack is possible (EFF DES cracker[6]) and fast. As of 2008, the best analytical attack is linear cryptanalysis, which requires 2^43 known plaintexts (Junod, 2001).
● Like other block ciphers, DES by itself is not a secure means of encryption but must instead be used in a mode of operation.
● Another theoretical attack, linear cryptanalysis, was published in 1994, but it was a brute-force attack in 1998 that demonstrated that DES could be attacked very practically, and highlighted the need for a replacement algorithm.
● One of the major criticisms of DES, when it was proposed in 1975, was that the key size was too short. Martin Hellman and Whitfield Diffie of Stanford University estimated that a machine fast enough to test that many keys in a day would have cost about $20 million in 1976, an affordable sum for national intelligence agencies such as the US National Security Agency. In 1998, the EFF built Deep Crack for less than $250,000. It took only around 22 hours to crack DES.
● Conclusion: As the cost of a cracker for DES and the time consumed were not that large, it would not be necessary to use any of the other vulnerabilities. The major vulnerability is considered to be its key size.
Improvements:
● Triple DES[7], for example, is still considered secure. It uses a bundle of 3 DES keys, each one of 56 bits. In this way, the major weakness of DES is overcome.
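As an added example (not code from the report), the key handling described above: how a 64-bit DES key loses bits 8, 16, ..., 64 to become the 56-bit effective key, the odd-parity convention those discarded bits follow, and the effective key length of a Triple DES bundle. The sample key is the well-known FIPS 46 example key 133457799BBCDFF1; helper names are this example's own.

```python
# Added example (not from the report): DES key parity bits and the 56-bit effective key.
BITS_DROPPED = (8, 16, 24, 32, 40, 48, 56, 64)  # 1-indexed positions, bit 1 = MSB of byte 0


def key_to_bits(key: bytes) -> str:
    """Render an 8-byte key as a 64-character bit string, MSB first."""
    if len(key) != 8:
        raise ValueError("DES key must be exactly 8 bytes (64 bits)")
    return "".join(f"{b:08b}" for b in key)


def effective_key_bits(key: bytes) -> str:
    """The 56 key bits DES actually uses: every bit except positions 8, 16, ..., 64."""
    bits = key_to_bits(key)
    return "".join(bit for pos, bit in enumerate(bits, start=1) if pos not in BITS_DROPPED)


def has_odd_parity(key: bytes) -> bool:
    """Standard DES keys set each byte's LSB (the discarded bit) so every byte has odd parity."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def set_odd_parity(key: bytes) -> bytes:
    """Fix the parity bit of every byte without touching any of the 56 effective bits."""
    out = bytearray()
    for b in key:
        if bin(b).count("1") % 2 == 0:
            b ^= 1
        out.append(b)
    return bytes(out)


def split_3des_bundle(bundle: bytes) -> tuple:
    """Split a 24-byte Triple DES bundle into (K1, K2, K3), each an 8-byte DES key."""
    if len(bundle) != 24:
        raise ValueError("Triple DES bundle must be 24 bytes")
    return tuple(bundle[i:i + 8] for i in (0, 8, 16))


def effective_key_space_bits(key_count: int) -> int:
    """Nominal key length: 56 bits per independent DES key (1 for DES, 3 for Triple DES)."""
    return 56 * key_count


if __name__ == "__main__":
    k = bytes.fromhex("133457799BBCDFF1")  # FIPS 46 example key
    print("64-bit key :", key_to_bits(k))
    print("56-bit key :", effective_key_bits(k))
    print("odd parity :", has_odd_parity(k))
    bundle = set_odd_parity(bytes(range(24)))  # constructed bundle with parity fixed
    print("3DES keys  :", [x.hex() for x in split_3des_bundle(bundle)])
    print("3DES bits  :", effective_key_space_bits(3))
```

The parity bit is exactly the bit DES throws away, so flipping it never changes the effective key; implementations that reject keys with bad parity are enforcing the convention, not adding security. Note also that the nominal 168-bit Triple DES key space is reduced to roughly 112 bits of security by the meet-in-the-middle attack.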
AES
Designer: two Belgian cryptographers, Joan Daemen and Vincent Rijmen
General description:
Originally called Rijndael, AES stands for Advanced Encryption Standard[8]. It is a symmetric-key algorithm (meaning the same key is used for both encrypting and decrypting the data) in a reversible, secret-key system.
Efficiency: efficient both in software and in hardware
Algorithm description:
● AES operates on a 4×4 column-major order matrix of bytes, termed the state, although some versions of Rijndael have a larger block size and have additional columns in the state. Most AES calculations are done in a special finite field.
● The key size used for an AES cipher specifies the number of repetitions of transformation rounds that convert the input, called the plaintext, into the final output, called the ciphertext. The numbers of cycles of repetition are as follows:
  ○ 10 cycles of repetition for 128-bit keys.
  ○ 12 cycles of repetition for 192-bit keys.
  ○ 14 cycles of repetition for 256-bit keys.
Each round consists of several processing steps, including one that depends on the encryption key itself. A set of reverse rounds is applied to transform ciphertext back into the original plaintext using the same encryption key.
Vulnerabilities:
● On July 1, 2009, Bruce Schneier blogged about a related-key attack on the 192-bit and 256-bit versions of AES, discovered by Alex Biryukov and Dmitry Khovratovich, which exploits AES's somewhat simple key schedule and has a complexity of 2^119.
● (Not confirmed) XSL attack:
  ○ The XSL attack is a method of cryptanalysis for block ciphers. The attack was first published in 2002 by researchers Nicolas Courtois and Josef Pieprzyk. It has caused some controversy, as it was claimed to have the potential to break the AES cipher faster than an exhaustive search. Since AES is already widely used in commerce and government for the transmission of secret information, finding a technique that can shorten the amount of time it takes to retrieve the secret message without having the key could have wide implications.
  ○ In overview, the XSL attack relies on first analyzing the internals of a cipher and deriving a system of quadratic simultaneous equations. These systems of equations are typically very large, for example 8000 equations with 1600 variables for 128-bit AES. Several methods for solving such systems are known. In the XSL attack, a specialized algorithm, termed XSL (eXtended Sparse Linearization), is then applied to solve these equations and recover the key. As it was not confirmed, this attack on AES is only theoretical, but it may become practical in the future.
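The "special finite field" mentioned in the algorithm description is GF(2^8) with the reduction polynomial x^8 + x^4 + x^3 + x + 1. The block below is an added example, not code from the report or the CryptoAcademy project: it implements that field arithmetic, the MixColumns step (and its inverse) that is built on it, and the round-count rule from the key size. The test vectors are the ones published in FIPS-197.

```python
# Added example (not from the report): AES field arithmetic in GF(2^8) and MixColumns.
AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES reduction polynomial


def xtime(a: int) -> int:
    """Multiply a field element by x (i.e. by {02}): shift left, reduce on overflow."""
    a <<= 1
    if a & 0x100:
        a ^= AES_POLY
    return a & 0xFF


def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^8) (shift-and-add with reduction)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result


def gf_inverse(a: int) -> int:
    """Multiplicative inverse as a^254 (Fermat); the S-box maps 0 to 0 by convention."""
    if a == 0:
        return 0
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


# MixColumns multiplies each state column by a fixed circulant matrix over GF(2^8).
MIX = ((2, 3, 1, 1), (1, 2, 3, 1), (1, 1, 2, 3), (3, 1, 1, 2))
INV_MIX = ((14, 11, 13, 9), (9, 14, 11, 13), (13, 9, 14, 11), (11, 13, 9, 14))


def mix_column(col, matrix=MIX) -> list:
    """Apply the MixColumns matrix to one 4-byte column (addition in the field is XOR)."""
    out = []
    for row in matrix:
        acc = 0
        for coef, byte in zip(row, col):
            acc ^= gf_mul(coef, byte)
        out.append(acc)
    return out


def inv_mix_column(col) -> list:
    """The reverse-round counterpart used when decrypting."""
    return mix_column(col, INV_MIX)


def rounds_for_key_bits(key_bits: int) -> int:
    """Number of rounds fixed by the key size (10, 12 or 14)."""
    return {128: 10, 192: 12, 256: 14}[key_bits]


if __name__ == "__main__":
    print("{57}*{83} =", hex(gf_mul(0x57, 0x83)))          # 0xc1
    print("inverse of {53} =", hex(gf_inverse(0x53)))       # 0xca
    col = [0xD4, 0xBF, 0x5D, 0x30]
    mixed = mix_column(col)
    print("MixColumns:", [hex(b) for b in mixed])           # 04 66 81 e5
    print("InvMixColumns:", [hex(b) for b in inv_mix_column(mixed)])
    print("rounds for AES-256:", rounds_for_key_bits(256))
```

Every byte operation in AES (SubBytes uses the inverse above, MixColumns the multiplication) is arithmetic in this field, which is why table-driven implementations can be built from a handful of small lookup tables.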
RSA
General description
RSA stands for Rivest, Shamir and Adleman, its inventors. It is a reversible public-key system that involves a public key and a private key. The public key can be known to everyone and is used for encrypting messages. Messages encrypted with the public key can only be decrypted using the private key. It involves three steps: key generation, encryption and decryption.
Algorithm description:
● A user of RSA creates and then publishes the product of two large prime numbers, along with an auxiliary value, as their public key. The prime factors must be kept secret. Anyone can use the public key to encrypt a message, but with currently published methods, if the public key is large enough, only someone with knowledge of the prime factors can feasibly decode the message.
Vulnerabilities:
Being:
m - plaintext message
n = p*q = prime number 1 * prime number 2
● When encrypting with low encryption exponents (e.g., ) and small values of the , (i.e., ) the result of is strictly less than the modulus . In this case, ciphertexts can be easily decrypted by taking the th root of the ciphertext over the integers.
● Because RSA encryption is a deterministic encryption algorithm (i.e., it has no random component), an attacker can successfully launch a chosen-plaintext attack against the cryptosystem by encrypting likely plaintexts under the public key and testing whether they are equal to the ciphertext. A cryptosystem is called semantically secure if an attacker cannot distinguish two encryptions from each other even if the attacker knows (or has chosen) the corresponding plaintexts. As described above, RSA without padding is not semantically secure.
● Wiener’s attack[9]:
  ○ Uses the continued fraction method to exploit a mistake made in the use of RSA. This error could be exploited when users are doing transactions using credit cards or mobile devices such as phones. The public-key cryptosystem RSA is frequently used for security applications such as email, credit card payments, login network access and so on.
Improvements
● Padding schemes: To avoid these problems, practical RSA implementations typically embed some form of structured, randomized padding into the value before encrypting it. This padding ensures that does not fall into the range of insecure plaintexts, and that a given message, once padded, will encrypt to one of a large number of different possible ciphertexts.
● Signing messages
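The following added example (not code from the report or from CryptoAcademy) ties the two vulnerabilities above to the padding improvement: it generates a demo-sized RSA key pair with e = 3, shows that textbook RSA is deterministic and that a small message with m^e < n is recoverable by an integer e-th root, and then shows that randomized padding makes every ciphertext different and pushes the padded value far above that range. The key generation uses a seeded PRNG purely so the demo is reproducible, and the padding layout only imitates the shape of PKCS#1 v1.5 block type 2; neither is suitable as a production implementation.

```python
# Added example (not from the report): textbook RSA's determinism and small-message
# leakage versus randomized padding. Demo-sized keys, seeded PRNG, simplified padding.
import math
import random
import secrets


def is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test with `rounds` random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_keypair(bits: int = 512, e: int = 3, seed: int = 0):
    """Return ((n, e), (n, d)); seeded for reproducibility, a real key needs a CSPRNG."""
    rng = random.Random(seed)
    primes = []
    while len(primes) < 2:
        cand = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if math.gcd(e, cand - 1) == 1 and cand not in primes and is_probable_prime(cand, rng):
            primes.append(cand)
    p, q = primes
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # d = e^-1 mod phi (Python 3.8+)


def textbook_encrypt(pub, m: int) -> int:
    return pow(m, pub[1], pub[0])


def textbook_decrypt(priv, c: int) -> int:
    return pow(c, priv[1], priv[0])


def integer_root(x: int, k: int) -> int:
    """Largest r with r**k <= x, by binary search in exact integer arithmetic."""
    lo, hi = 0, 1 << (x.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def low_exponent_leaks(pub, m: int) -> bool:
    """The condition from the text: if m**e < n there is no modular reduction, so the
    ciphertext equals m**e over the integers and m is its plain e-th root."""
    return m ** pub[1] < pub[0]


def pad_message(msg: bytes, n: int) -> int:
    """00 || 02 || >= 8 random non-zero bytes || 00 || msg, read as an integer below n."""
    k = (n.bit_length() + 7) // 8
    ps_len = k - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for this modulus")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    return int.from_bytes(b"\x00\x02" + ps + b"\x00" + msg, "big")


def unpad_message(em: int, n: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    block = em.to_bytes(k, "big")
    if block[:2] != b"\x00\x02":
        raise ValueError("invalid padding")
    return block[block.index(b"\x00", 2) + 1:]


def encrypt_padded(pub, msg: bytes) -> int:
    return textbook_encrypt(pub, pad_message(msg, pub[0]))


def decrypt_padded(priv, c: int) -> bytes:
    return unpad_message(textbook_decrypt(priv, c), priv[0])


if __name__ == "__main__":
    pub, priv = generate_keypair(seed=42)
    c = textbook_encrypt(pub, 42)
    print("m=42 leaks via e-th root:", low_exponent_leaks(pub, 42), integer_root(c, 3))
    c1, c2 = encrypt_padded(pub, b"PIN 4242"), encrypt_padded(pub, b"PIN 4242")
    print("padded ciphertexts differ:", c1 != c2, decrypt_padded(priv, c1))
```

Checking `low_exponent_leaks` on the padded integer returns False because the padded value is close to n, so the reduction always takes place; real deployments should use OAEP (or at least a conforming PKCS#1 v1.5 implementation) rather than the simplified layout shown here.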
MD5
General description:
MD5[10] was designed by Ron Rivest and is a cryptographic hash function that produces a 128-bit (16-byte) hash value. It is a unidirectional, irreversible, one-way algorithm. Usually it is expressed as a hexadecimal number, 32 bits long.
Example:
MD5("The quick brown fox jumps over the lazy dog") = 9e107d9d372bb6826bd81d3542a419d6
Vulnerabilities:
● A group of researchers described how to create a pair of files that share the same MD5 checksum (2004)[11].
● An example of an MD5 collision: two messages differing in 6 bits can lead to the same hash.
● It has since been shown that MD5 is not collision resistant; as such, MD5 is not suitable for applications like SSL certificates or digital signatures that rely on this property.
● A number of projects have published MD5 rainbow tables online, which can be used to reverse many MD5 hashes into strings that collide with the original input, usually for the purposes of password cracking.
  ○ http://en.wikipedia.org/wiki/Rainbow_table
    ■ A rainbow table is ineffective against one-way hashes that include salts (random bits, forming one of the inputs to a one-way function). For example, consider a password hash that is generated using the following function (where "+" is the concatenation operator):
      ● saltedhash(password) = hash(password+salt)
      ● saltedhash(password) = hash(hash(password)+salt)
    ■ The salt value is not secret and may be generated at random and stored with the password hash. A large salt value prevents precomputation attacks, including rainbow tables, by ensuring that each user's password is hashed uniquely.
● A 2009 attack by Tao Xie and Dengguo Feng breaks MD5 collision resistance in 2^20.96 time. This attack runs in a few seconds on a regular computer.
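As an added example (not code from the report or CryptoAcademy), the precomputation point above in runnable form: a precomputed digest-to-password table finds an unsalted MD5 password hash immediately, while the first salted formula, hash(password + salt), produces a digest the table never contained and a different digest for every user. The candidate password list and the salts are constructed for the demo.

```python
# Added example (not from the report): unsalted MD5 versus hash(password + salt).
import hashlib
import hmac
import secrets

FOX = b"The quick brown fox jumps over the lazy dog"
COMMON_PASSWORDS = [b"123456", b"password", b"qwerty", b"letmein", b"dragon"]  # constructed list


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def salted_hash(password: bytes, salt: bytes, algo: str = "md5") -> str:
    """hash(password + salt), the first salted formula in the text; the salt is stored with it."""
    return hashlib.new(algo, password + salt).hexdigest()


def build_precomputed_table(candidates) -> dict:
    """digest -> plaintext for every candidate: the simplest precomputation attack
    (a rainbow table is a space-compressed version of the same idea)."""
    return {md5_hex(c): c for c in candidates}


def lookup(table: dict, digest_hex: str):
    return table.get(digest_hex)


def register(password: bytes, salt_len: int = 16) -> tuple:
    """Store (salt, digest) for a new account with a fresh random salt per user."""
    salt = secrets.token_bytes(salt_len)
    return salt, salted_hash(password, salt)


def verify(password: bytes, salt: bytes, stored: str) -> bool:
    """Recompute hash(password + salt) and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


def demo() -> dict:
    table = build_precomputed_table(COMMON_PASSWORDS)
    unsalted = md5_hex(b"password")
    salt_a, h_a = register(b"password")
    salt_b, h_b = register(b"password")
    return {
        "unsalted_lookup": lookup(table, unsalted),  # b"password": recovered from the table
        "salted_lookup": lookup(table, h_a),         # None: table never saw password+salt
        "salted_digests_differ": h_a != h_b,         # same password, two users, two digests
        "verify_ok": verify(b"password", salt_a, h_a),
        "verify_wrong": verify(b"Password", salt_a, h_a),
    }


if __name__ == "__main__":
    print("MD5(fox) =", md5_hex(FOX), "(", len(md5_hex(FOX)), "hex digits )")
    for key, value in demo().items():
        print(f"{key:>22}: {value}")
```

A salt defeats precomputation but not per-user guessing: MD5 is fast enough that each candidate can still be tried against one salted digest at very high rates, which is why password storage today uses a deliberately slow function (bcrypt, scrypt, Argon2 or PBKDF2) on top of the salt.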
SHA
General description:
SHA is a family of cryptographic hash functions with several variants. They are unidirectional, irreversible, one-way functions.
SHA-1[12] is similar to MD5 and is the most widely used hashing function.
SHA-2[13] avoids the collision problem of the other hash algorithms, so its hash functions are implemented in some widely used security applications and protocols, including TLS and SSL, PGP, SSH, S/MIME, Bitcoin and IPsec.
Vulnerabilities:
● SHA-1 still has the collision problem that the other hash algorithms have.
Figure: SHA-1 example. As we can see in the image, although the messages are very similar to one another, the digests produced are completely different.
Figure: Table of comparison between the one-way algorithms analyzed in this document.
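The SHA-1 figure and the comparison table are not reproduced in this text, so the following added example (not code from the report or CryptoAcademy) computes what they show: the avalanche effect, measured as the number of differing bits between the digests of two messages that differ in only three bits (the "dog"/"cog" pair), and a digest-size comparison of the one-way functions discussed in the document. Helper names are this example's own.

```python
# Added example (not from the report): avalanche effect and digest-size comparison
# for MD5, SHA-1 and SHA-256 using Python's hashlib.
import hashlib

FOX = b"The quick brown fox jumps over the lazy dog"
COG = b"The quick brown fox jumps over the lazy cog"  # one character changed


def digest_hex(algo: str, data: bytes) -> str:
    return hashlib.new(algo, data).hexdigest()


def hamming_distance_hex(h1: str, h2: str) -> int:
    """Number of differing bits between two equal-length hex digests."""
    if len(h1) != len(h2):
        raise ValueError("digests must be the same length")
    return bin(int(h1, 16) ^ int(h2, 16)).count("1")


def message_bit_distance(m1: bytes, m2: bytes) -> int:
    """Differing bits between two equal-length inputs, to contrast with the digest distance."""
    if len(m1) != len(m2):
        raise ValueError("messages must be the same length")
    return sum(bin(a ^ b).count("1") for a, b in zip(m1, m2))


def avalanche(algo: str, m1: bytes, m2: bytes) -> dict:
    """How many digest bits change between two inputs; ~50% is the ideal for a good hash."""
    h1, h2 = digest_hex(algo, m1), digest_hex(algo, m2)
    total_bits = len(h1) * 4
    diff = hamming_distance_hex(h1, h2)
    return {"algo": algo, "digest_bits": total_bits, "differing_bits": diff,
            "fraction": diff / total_bits}


def comparison_table(data: bytes) -> list:
    """(name, digest length in bits, digest) for the one-way functions in this document."""
    rows = []
    for name in ("md5", "sha1", "sha256"):
        h = digest_hex(name, data)
        rows.append((name, len(h) * 4, h))
    return rows


if __name__ == "__main__":
    print("input bits that differ:", message_bit_distance(FOX, COG))
    for algo in ("md5", "sha1", "sha256"):
        r = avalanche(algo, FOX, COG)
        print(f"{algo:>6}: {r['differing_bits']:3d} of {r['digest_bits']} digest bits differ "
              f"({r['fraction']:.0%})")
    for name, bits, h in comparison_table(FOX):
        print(f"{name:>6} {bits:3d} bits  {h}")
```

Three changed input bits flip roughly half of the digest bits for every function, which is the avalanche property the figure illustrates; the comparison table is the second figure, with MD5 at 128 bits, SHA-1 at 160 and SHA-256 at 256, the last column being where "increasing the size of the resulting hash" in the conclusions comes in.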
System Architecture
To build the website, the MVC architecture was used with the Ruby on Rails framework, together with a SQLite database. As external dependencies, CanCan and Devise are used for authentication in the website.
To use the functionalities of the application, authentication is not needed; it exists only for administration purposes, such as updating algorithm information, adding new algorithms or creating new sections.
Walkthrough
The website is quite intuitive, but some screenshots of the work were taken to show the main functionalities. It can be consulted at http://cryptoacademy.herokuapp.com/
Figure: This image is the page for one of the algorithms in the database. It can only be edited by a logged-in user (the only one is the admin), to keep the information relevant and correct.
Figure: An attack execution in progress, with all the relevant information displayed in real time.
Figure: The result of a brute-force attack on a simple password. When the password is found too fast, the computer will not process or print the data in real time, as we can see.
Future Improvements
As this is an ongoing project, there is always room for improvement.
First of all, it would be interesting to include even more knowledge and adapt it to cryptography classes. The content included is important, but it is possible that some is lacking. Review and feedback from renowned users is also important, to allow continuous improvement of the application.
No less important would be integrating this website into the FEUP network, after contacting CICA to host CryptoAcademy, to allow students of Security classes to use and learn with this application.
In the end, some UI improvements would also be necessary to make the graphical interface more appealing.
Conclusions
Throughout the execution of this project we came to understand that the main source of security problems and the main vulnerability of the algorithms are the passwords themselves. A password should be chosen wisely, as no cryptographic algorithm is completely foolproof. In the case of websites (email, Facebook accounts and so on), an infinite number of tries is allowed, so a brute-force attack can be easily performed. Usually the success of this kind of attack depends on the password strength. If the password is very short and simple, this kind of attack easily gains access to the account in a very short time.
As time goes by, hardware is getting quicker and stronger. This means that it is even easier (and also less expensive) to execute some calculations that some years ago were not possible. Therefore it is necessary to improve the security and consistency of the algorithms. Some new algorithms based on pre-existing ones have been emerging, chaining them to get stronger and safer results (Triple DES). In some cases it is also a good solution just to improve the collision resistance by increasing the size of the resulting hash.
Last, but not least, we noticed that the project helped us understand some concepts we were not able to grasp during the lectures on cryptography, thus proving that, with a few improvements, this could be a useful tool for future students of this class.
References
[1] http://en.wikipedia.org/wiki/RC4
[2] http://www.darknet.org.uk/2007/09/aircrack-ptw-fast-wep-cracking-tool-for-wireless-hacking/
[3] Souradyuti Paul and Bart Preneel, Analysis of Non-Fortuitous Predictive States of the RC4 Keystream Generator. INDOCRYPT 2003, pp. 52–67
[4] A Practical Attack on Broadcast RC4, Mantin and Shamir, FSE 2001
[5] http://en.wikipedia.org/wiki/Data_Encryption_Standard
[6] http://en.wikipedia.org/wiki/EFF_DES_cracker
[7] http://en.wikipedia.org/wiki/Triple_DES
[8] http://en.wikipedia.org/wiki/RSA_%28algorithm%29
[9] http://en.wikipedia.org/wiki/Wiener%27s_Attack
[10] http://en.wikipedia.org/wiki/MD5
[11] http://www.cs.colorado.edu/~jrblack/papers/md5e-full.pdf
[12] http://en.wikipedia.org/wiki/SHA1
[13] http://en.wikipedia.org/wiki/SHA2