Associate Prof. Dr Mazleena Salleh
Department of Computer System & Communication, Faculty of Computer Science and Information Systems
mazleena@utm.my 075532006/32369
Module 1: Introduction
Course Learning Outcome
At the end of the course, students should have the following knowledge, skills and attitude to:
- Illustrate the fundamental concepts in cryptography.
- Apply the necessary theory to perform encryption and decryption processes.
- Differentiate techniques used in cryptography which relate to their different uses.
- Recommend tools, techniques and trends in cryptography for data security.
- Formulate data security strategies using the latest cryptography techniques.
9/11/2011
Information Security
- Confidentiality/Privacy: keeping information secret from all but those who are authorized to see it.
- Data Integrity: ensuring information has not been altered by unauthorized or unknown means; maintaining data consistency.
- Entity Authentication/Identification: corroboration of the identity of an entity (e.g., a person, a computer terminal, a credit card, etc.).
... Information Security
- Message authentication: corroborating the source of information; also known as data origin authentication.
- Signature: a means to bind information to an entity.
- Authorization: conveyance, to another entity, of official sanction to do or be something.
- Validation: a means to provide timeliness of authorization to use or manipulate information or resources.
... Information Security
- Access control: restricting access to resources to privileged entities; unauthorized users are kept out.
- Certification: endorsement of information by a trusted entity.
- Timestamping: recording the time of creation or existence of information.
- Originator of communications can't deny it later.
... Information Security
- Witnessing: verifying the creation or existence of information by an entity other than the creator.
- Non-repudiation: preventing the denial of previous commitments or actions.
- Availability: legitimate users have access when they need it.
Some objectives are combined:
- User authentication used for access control purposes
- Non-repudiation combined with authentication
Security Threats
- Information disclosure/information leakage
- Integrity violation
- Masquerading
- Denial of service
- Illegitimate use
- Generic threat: backdoors, trojan horses, insider attacks
Most Internet security problems are access control or authentication ones.
Denial of service is also popular, but mostly an annoyance.
Main Classes Of Threats
- Interruption: an asset is lost/unavailable/cannot be utilized, e.g. a database is deleted.
- Interception: an unauthorized party (person/program) has gained access to an asset, e.g. wiretapping.
Main Classes Of Threats
- Modification: an unauthorized party (person/program) has gained access and tampered with it, e.g. modifying an item of a database.
- Fabrication: production of counterfeit objects for a computing system, e.g. repeating a financial transaction.
Types of Attack
- Passive attack: can only observe communications or data
- Active attack: can actively modify communications or data
  - Often difficult to perform, but very powerful
  - Mail forgery/modification
  - TCP/IP spoofing/session hijacking
Security Mechanism
- Physical protection
- Cryptography
- Access Control
- Authorization
- Auditing
Cryptography is only a small part of the protection needed for absolute secrecy.
Cryptography
- Essential tool for making secure computing systems.
- Badly designed protocols are easily exploited to break into computer systems, to eavesdrop on phone calls, to steal services, and so forth.
- Design is hard.
  - It is easy to underestimate the task and quickly come up with ad hoc protocols that later turn out to be wrong.
  - The necessary time and expertise for proper protocol design is typically underestimated, often at future cost.
  - It takes knowledge, effort and ingenuity to do the job right.
Cryptography
- Cryptography is the science of secret writing. (Matt Blaze)
- Cryptography is the study of secret (crypto) writing (graphy), concerned with developing algorithms which may be used to provide (goals):
  - secrecy
  - authenticate that a message has not changed in transit (integrity)
  - implicitly authenticate the sender
- Cryptography is defensive and can protect ordinary commerce and ordinary people.
Support for Security Mechanisms
Three basic building blocks are used:
- Encryption is used to provide confidentiality, can provide authentication and integrity protection.
- Digital signatures are used to provide authentication, integrity protection, and non-repudiation.
- Checksums/hash algorithms are used to provide integrity protection, can provide authentication.
One or more security mechanisms are combined to provide a security service.
Fundamental Idea of Cryptography
- Possible to transform plaintext into ciphertext in which information is present but hidden. We can release the transformed message without exposing the information it represents.
- Different transformations create different ciphertext for the exact same message.
- For perfect ciphers, any ciphertext can be interpreted as any message.
What Cryptography Can Do
- It can protect privacy.
- It separates the security of a message from the security of the media.
- It can authorize someone.
- It can facilitate trust.
- It can allow for digital credentials (authentication).
- It can validate the integrity of information.
- It can ensure the fairness of financial transactions.
- It can provide an audit trail for later dispute resolution.
Cryptography stops lying and cheating.
Other Uses of Cryptography
More specialized uses:
- Digital signatures
- Undeniable digital signatures
- All-or-nothing disclosure of secrets
- Zero-knowledge proofs
- Oblivious transfer
- Simultaneous exchange of secrets
- Secure elections
- Digital cash
Things that Cryptography Cannot Do
- Cryptography can only hide information after it is encrypted and while it remains encrypted.
  - Secret information generally does not start out encrypted, so there is normally an original period in which the secret is not protected.
  - Secret information generally is not used in encrypted form, so it is again outside the cryptographic envelope every time the secret is used.
- Cryptography cannot protect against informants, undercover spying, bugs, photographic evidence or testimony.
Adversaries
- Hackers: informal and institutional
- Insiders
- Lone criminals
- Commercial espionage
- Press
- Organized crime
- Terrorists
- National intelligence
Criminal Attacks
How can I acquire the maximum financial return by attacking the system?
- Forgery, misrepresentation, replay, repudiation
- Generally opportunistic
- Minimum necessary resources
- Focuses on low-tech flaws
- Focuses on the weakest systems
- Medium risk tolerance: willing to risk job or jail time.
Components of a Cryptosystem
- Plaintext message space, P
- Ciphertext message space, C
- Key space, K
- A set of encryption algorithms, Ek
- A set of decryption algorithms, Dk
C = E(P, K)
P = D(C, K)
Encryption and Decryption
- Encryption: process of encoding information so that its meaning is not understood.
- Decryption: process of decoding the encrypted message to get back the original information.
[Figure: Original Plaintext or Cleartext -> Encrypt or Encipher -> Ciphertext -> Decrypt or Decipher]
Keyless and Keyed Cryptosystem
- Keyless cryptosystem performs E/D without using any key.
- Symmetric key: Key1 = Key2
- Asymmetric key: Key1 ≠ Key2
[Figure: Plaintext -> Encrypt (Key1) -> Ciphertext -> Decrypt (Key2) -> Plaintext]
Algorithm E/D
- Plaintext, P = [p1, p2, .., pn]
- Ciphertext, C = [c1, c2, .., cn]
- If E and D are the encryption and the decryption algorithms respectively, then
  C = E(P)
  P = D(C)
- Cryptosystem should behave as follows:
  P = D(E(P)) or P = D(Key2, E(Key1, P))
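The behaviour P = D(Key2, E(Key1, P)) can be checked directly. The Python sketch below is an added example, not part of the original slides: it tests the round-trip property for a symmetric XOR cipher (Key1 = Key2) and for textbook RSA with tiny primes (Key1 ≠ Key2). The function names, the sample key and the primes 61 and 53 are assumptions chosen for illustration; numbers this small give no security.

```python
from math import gcd

def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Symmetric toy cipher: the same key and function encrypt and decrypt."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def rsa_keypair(p: int, q: int, e: int):
    """Textbook RSA keys from two primes: returns (Key1, Key2) = (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)

def rsa_apply(key, m: int) -> int:
    """E and D are the same operation with different keys: m^exponent mod n."""
    exponent, n = key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, exponent, n)

def roundtrip_holds(encrypt, decrypt, messages) -> bool:
    """Check P == D(E(P)) for every sample message."""
    return all(decrypt(encrypt(m)) == m for m in messages)

# Constructed sample values (illustrative only).
SYM_KEY = b"constructed-key"
PUBLIC, PRIVATE = rsa_keypair(61, 53, 17)

def symmetric_ok() -> bool:
    msgs = [b"", b"meet at noon", bytes(range(256))]
    return roundtrip_holds(lambda p: xor_cipher(SYM_KEY, p),
                           lambda c: xor_cipher(SYM_KEY, c), msgs)

def asymmetric_ok() -> bool:
    # Every representable message in [0, n) must survive E then D.
    return roundtrip_holds(lambda p: rsa_apply(PUBLIC, p),
                           lambda c: rsa_apply(PRIVATE, c), range(PUBLIC[1]))

def wrong_key_fails() -> bool:
    # Decrypting with Key1 instead of Key2 does not give back P.
    c = rsa_apply(PUBLIC, 65)
    return rsa_apply(PUBLIC, c) != 65

if __name__ == "__main__":
    print(PUBLIC, PRIVATE, symmetric_ok(), asymmetric_ok(), wrong_key_fails())
```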
Features of a Good Cryptosystem
- E and D algorithms must be efficient.
- The system must be easy to use.
- The security of the system must depend on the secrecy of the keys and NOT on the secrecy of the E and D algorithms.
- The size of the ciphertext is not unnecessarily larger than the plaintext.
Confidentiality
- Keeping the contents of a message confidential during transmission or storage.
- If A sends a message to B, but the enemy intercepts it, A must make sure that this enemy will never understand the content of the message.
[Figure: Original Plaintext -> Encrypt, E(K, P) -> Transmitted (or Stored) Ciphertext -> Decrypt, D(K, C) -> Recovered Plaintext; key K]
Integrity
- Proving that the contents of a message have remained unchanged.
[Figure: integrity check. Labels: Secret channel for keys; P, E(K, P), Seal; C, D(K, C), Seal; Verify?]
Authenticity/Non-Repudiation
- Proving that a message comes from the declared, authentic source.
- Preventing an authentic source from later denying (or repudiating) the authenticity of the message.
[Figure: digital signature. Labels: Private Key, Public Key, TTP Certification Authority; P, Sign, Digital Signature, Unsign, P; Verify?]
Symmetric Key Cryptosystem
- A single key shared by both sender and receiver.
- Advantages:
  - Fast encryption/decryption process, efficient for long messages
- Weakness:
  - Requires establishment of a secure channel for key exchange.
  - If this key is disclosed, communications are compromised.
- Suppose 3 persons A, B, C want to communicate with each other in private,
[Figure: A, B and C with pairwise keys KAB, KAC, KBC]
Asymmetric/Public Key Cryptosystem
- The key that is used to encrypt the message is different to the key used to decrypt the message.
- The public key is widely available; anyone wanting to send them a message uses the algorithm and the recipient's public key to do so.
- Only the recipient, with their private key, can decrypt the message.
- Weakness:
  - Computationally intensive, encryption and decryption take longer.
  - Not suitable for encrypting long messages
Hashing
- A cryptographic hash function is a deterministic procedure that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value.
- An ideal cryptographic hash function has four main or significant properties:
  - it is easy to compute the hash value for any given message,
  - it is infeasible to generate a message that has a given hash,
  - it is infeasible to modify a message without the hash being changed,
  - it is infeasible to find two different messages with the same hash.
Hashing
A cryptographic hash function (specifically, SHA-1) at work. Note that even small changes in the source input (here in the word "over") drastically change the resulting output, by the so-called avalanche effect.
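The avalanche effect can be measured rather than only observed. The Python sketch below is an added example, not part of the original slides: it hashes a base sentence and three small edits to the word "over" with SHA-1 and counts how many of the 160 output bits differ. The sentences and function names are constructed for illustration; SHA-1 is used only because the slide names it, and practical collisions for it have been published, so new designs use SHA-256 or later.

```python
import hashlib

def sha1_hex(message: str) -> str:
    """SHA-1 digest as 40 hex characters (160 bits), whatever the input length."""
    return hashlib.sha1(message.encode("utf-8")).hexdigest()

def bits_changed(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

# Constructed inputs: one base sentence and small edits to the word "over".
BASE = "The quick brown fox jumps over the lazy dog"
VARIANTS = [
    "The quick brown fox jumps ouer the lazy dog",
    "The quick brown fox jumps oevr the lazy dog",
    "The quick brown fox jumps oer the lazy dog",
]

def avalanche_table(base: str, variants):
    """Return (text, digest, bits changed vs. the base digest) for each variant."""
    base_digest = sha1_hex(base)
    return [(v, sha1_hex(v), bits_changed(base_digest, sha1_hex(v)))
            for v in variants]

def mean_fraction_changed(base: str, variants) -> float:
    """Average share of the 160 output bits that flipped; the ideal is about 0.5."""
    rows = avalanche_table(base, variants)
    return sum(bits for _, _, bits in rows) / (160 * len(rows))

if __name__ == "__main__":
    print(sha1_hex(BASE), " (base)")
    for text, digest, bits in avalanche_table(BASE, VARIANTS):
        print(f"{digest}  {bits:3d}/160 bits differ  {text!r}")
    print(f"mean fraction changed: {mean_fraction_changed(BASE, VARIANTS):.2f}")
```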
Block Cipher
- Encrypts a group of plaintext symbols as one block.
- Decryption is simply the reverse of the encryption process using the same secret key.
- Different plaintext blocks, usually 64 bits, are mapped to different ciphertext blocks; a block cipher effectively provides a permutation of the set of all possible messages.
- The actual permutation produced during any particular operation is secret, and determined by a key.
[Figure: Plaintext Block -> Encrypt -> Ciphertext Block]
Block Cipher
- Advantages:
  - Information from the plaintext is diffused into several ciphertext symbols.
  - Immunity to insertions, since a single insertion into a block would result in an incorrect length and thus could be detected during decryption.
- Disadvantages:
  - A block cipher must wait until an entire block of plaintext has been received before starting the encryption process; this results in slowness of encryption.
  - Error propagation, whereby a single error will affect the transformation of all other characters in the same block.
Stream Cipher
- A stream cipher breaks the plaintext into units, normally a single character. It encrypts the nth unit of the plaintext with the nth unit of the keystream.
- Stream ciphers can be designed to be exceptionally fast.
- Each character is encrypted without regard for any other plaintext character; each character can be encrypted as soon as it is read.
- A stream cipher has low error propagation since each character is separately encoded. An error encountered only affects that particular character.
Stream Cipher
- Runs about 10 times faster than comparable block ciphers.
- Disadvantages:
  - Low diffusion, whereby all information of that particular character of the plaintext is retained in the character of the ciphertext.
  - Susceptibility to malicious insertion and modification.
[Figure: key (optional); plaintext "ISSOPMI"; ciphertext "wdhuw..."]
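Low error propagation and susceptibility to modification are two views of the same property, and an integrity seal is what detects the second. The Python sketch below is an added example, not part of the original slides: a toy stream cipher XORs each byte with a keystream byte, one ciphertext byte is changed in transit, and an HMAC over the ciphertext plays the role of the seal. The keystream construction, keys, message and function names are assumptions made for illustration.

```python
import hashlib
import hmac

def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || counter) blocks, truncated to length.
    No per-message nonce, so one key must never encrypt two messages."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: the nth data byte is XORed with the nth keystream byte."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data))))

def seal(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Integrity seal over the ciphertext (HMAC-SHA256)."""
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()

def verify(mac_key: bytes, ciphertext: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(seal(mac_key, ciphertext), tag)

def differing_positions(a: bytes, b: bytes):
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

# Constructed keys and message (illustrative only).
ENC_KEY, MAC_KEY = b"constructed-enc-key", b"constructed-mac-key"
PLAINTEXT = b"PAY 100 TO BOB"

def modified_in_transit() -> dict:
    """Change one ciphertext byte in transit and report what the receiver sees."""
    ciphertext = stream_xor(ENC_KEY, PLAINTEXT)
    tag = seal(MAC_KEY, ciphertext)
    altered = bytearray(ciphertext)
    altered[4] ^= ord("1") ^ ord("9")   # the bit flips carry straight into the plaintext
    altered = bytes(altered)
    recovered = stream_xor(ENC_KEY, altered)
    return {
        "recovered": recovered,
        "damaged_positions": differing_positions(PLAINTEXT, recovered),
        "original_verifies": verify(MAC_KEY, ciphertext, tag),
        "altered_verifies": verify(MAC_KEY, altered, tag),
    }

if __name__ == "__main__":
    print(modified_in_transit())
```

Only position 4 of the recovered plaintext differs, which is the low error propagation the slides describe, and decryption alone gives the receiver no sign of the change; the seal check is what rejects the altered message.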
Cryptanalysis
- Process of attempting to discover the plaintext or the key used.
- Strategy depends on the nature of the encryption scheme and the information available.
- However, an encryption scheme is unconditionally secure if the ciphertext generated does not contain enough information to determine the corresponding plaintext.
Reading: Forouzan, pg 56-60
Ciphertext Only
- Cryptanalyst has only the ciphertext from which to determine the plaintext.
- No knowledge whatsoever of the actual message.
- The cryptanalyst has the ciphertext of one or several messages and wants to recover the plaintext or (better) the key.
- Given: C1 = E(P1), C2 = E(P2), ..., Ci = E(Pi)
- Deduce: either P1, P2, ..., Pi, K; or an algorithm to infer Pi+1 from Ci+1 = E(Pi+1).
Known Plaintext Attack
- In a known-plaintext attack the attacker has pairs (x, e(x)), but the choice of x is not under the attacker's control.
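The ciphertext-only and known-plaintext models above differ in what the analyst is given, and a classical shift cipher makes the difference concrete. The Python sketch below is an added example, not part of the original slides: with only ciphertext it enumerates all 26 keys and scores candidates against a short word list, while a single known (x, e(x)) pair yields the key directly. The shift cipher, the word list, the message and the function names are assumptions chosen because a 26-key domain is small enough to enumerate.

```python
import string

ALPHABET = string.ascii_lowercase
# Small constructed word list used to recognise plausible English.
COMMON_WORDS = {"the", "and", "of", "to", "is", "in", "at"}

def shift_encrypt(key: int, plaintext: str) -> str:
    """E(K, P): rotate each lowercase letter by key positions; keep other characters."""
    out = []
    for ch in plaintext:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)

def shift_decrypt(key: int, ciphertext: str) -> str:
    """D(K, C): rotate back by key positions."""
    return shift_encrypt(-key % 26, ciphertext)

def ciphertext_only(ciphertext: str):
    """Given only C: try every key and keep the candidate with most common words."""
    def score(candidate: str) -> int:
        return sum(word in COMMON_WORDS for word in candidate.split())
    best = max(range(26), key=lambda k: score(shift_decrypt(k, ciphertext)))
    return best, shift_decrypt(best, ciphertext)

def known_plaintext(plaintext: str, ciphertext: str) -> int:
    """Given one pair (x, e(x)): the key is the offset between matching letters."""
    for p, c in zip(plaintext, ciphertext):
        if p in ALPHABET:
            return (ALPHABET.index(c) - ALPHABET.index(p)) % 26
    raise ValueError("pair contains no letters")

# Constructed message and key (illustrative only).
SECRET_KEY = 11
MESSAGE = "meet me at the old bridge at noon"
CIPHERTEXT = shift_encrypt(SECRET_KEY, MESSAGE)

if __name__ == "__main__":
    print(CIPHERTEXT)
    print(ciphertext_only(CIPHERTEXT))
    print(known_plaintext(MESSAGE[:4], CIPHERTEXT[:4]))
```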
Chosen Plaintext
- Attacker has pairs (x, e(x)) and x is chosen by the attacker.
  - Capability to find the ciphertext corresponding to an arbitrary plaintext message of his or her own choosing.
  - The likelihood of this type of attack being possible is low.
  - Codes which can survive this attack are considered to be very secure.
- Adaptive chosen-plaintext attack: the cryptanalyst can determine the ciphertext of chosen plaintexts in an iterative process based on previous results. This is the general name for a method of attacking product ciphers called "differential cryptanalysis".
Chosen Plaintext Attack
- Want to recover the key.
- Given: P1, P2, ..., Pi, C1 = E(P1), C2 = E(P2), ..., Ci = E(Pi), where we can select P1, P2, ..., Pi.
- Deduce: either K or an algorithm to infer Pi+1 from Ci+1 = E(Pi+1).
Chosen Ciphertext
- Cryptanalyst can choose an arbitrary ciphertext and find the corresponding decrypted plaintext.
- This attack can be used in public key systems, where it may reveal the private key.
- Choose the ciphertext to be decrypted.
- Given: C1, C2, ..., Ci, P1 = D(C1), P2 = D(C2), ..., Pi = D(Ci)
- Deduce: K
Breakable Cipher
- There is an algorithm known to be able to theoretically break the cipher.
- A breakable cipher may not be feasibly broken except by using current technology.
- Example: using brute force, which requires 10^30 operations.
- Cipher is breakable but infeasible!
- Cryptanalysis is hard, tedious, repetitive and very expensive. Success is never assured.
Kerckhoffs' Principle
- Also called Kerckhoffs' assumption, axiom or law.
- States: a cryptosystem should be secure even if everything about the system, except the key, is public knowledge.
- The majority of civilian cryptography makes use of publicly known algorithms.
- But ciphers used to protect classified government or military information are often kept secret.
- The resistance of the cipher to attack must be based only on the secrecy of the key.
- The key domain for each algorithm is so large that it makes it difficult for the adversary to find the key.
Conclusions
- The problem with bad cryptography is that it looks just like good cryptography.
- Successful attacks are often kept secret, unless attackers publicize them.
- We need to be proactive.
  - Understand the real threats to a system
  - Design systems with strong cryptography
  - Build cryptography into systems at the beginning
- Perfect solutions are not required, but systems that can be broken completely are unacceptable.