
2 Intro Crypto

This document discusses cryptography and encryption. It covers symmetric and asymmetric key encryption methods. Symmetric encryption uses the same key for encryption and decryption while asymmetric uses different keys. The document also discusses encryption algorithms like DES and concepts like key length and number of possible keys.

Uploaded by

Ahmad Naswin

ITIS 6167/8167: Network Security I

Lecture 2:
The Elements of Cryptography I

Professor Ehab Al-Shaer


CyberDNA Center
Software and Information Systems,
School of Computing and Informatics
University of North Carolina, Charlotte, NC

1 (c) Prof. Ehab Al-Shaer, UNCC


Cryptographic System

[Figure: a client PC with cryptographic system software communicates securely with a server with cryptographic system software.]

Secure Communication, Provided Automatically:
• Confidentiality
• Authentication
• Message Integrity
• Anti-Replay Protection
• Anti-Delay Protection


Principles of Information Security: CIA
• Confidentiality has been defined in ISO-17799 as "ensuring that information is accessible only to those authorized to have access"
• Encryption/privacy
• Authentication
• Integrity means that all characteristics of the data, including content, rules for how pieces of data relate, dates, definitions and lineage, must be correct for data to be complete
• Data provenance
• Anti-replay and anti-delay
• Anti-repudiation: ensuring that a party in a dispute cannot repudiate, or refute the validity of, a statement/contract
• Availability
• Survivability: operability to achieve the system mission
• Reliability: ratio of functional time over total time
• Resiliency/Tolerance: the ability to recover/continue after failure or intrusion
• Dependability: the reliability of the system integrity, truthfulness, and trustfulness
• Usage
• Role-based Access control
• Digital Right Management
• Context-aware security enforcement

Encryption


Plaintext, Encryption, Ciphertext, and Decryption

[Figure: Party A applies the encryption method and the encryption key to the plaintext "Hello", producing the ciphertext "11011101", which crosses the network past an interceptor. Party B applies the decryption method and the decryption key to the ciphertext "11011101" and recovers the plaintext "Hello".]

Note: Interceptor cannot read ciphertext without the decryption key.


Key Length and Number of Possible Keys

Key Length in Bits    Number of Possible Keys
1                     2
2                     4
4                     16
8                     256
16                    65,536
40                    1,099,511,627,776
56                    72,057,594,037,927,900
112                   5,192,296,858,534,830,000,000,000,000,000,000

Key Length and Number of Possible Keys (continued)

Key Length in Bits    Number of Possible Keys
112                   5.1923E+33
168                   3.74144E+50
256                   1.15792E+77
512                   1.3408E+154


Encryption Algorithms
• Encryption Algorithms:
  - Some algorithms use a key K, so that the ciphertext message depends on both the original plaintext message and the key value, denoted C = E(K,P) [1].
    - Symmetric: Encryption and Decryption keys are mirror processes.
    - Asymmetric: Decryption key inverts the Encryption process, such that converting ciphertext back to plaintext is not simply the reversing of the encryption steps.
• Key Secrecy:
  - Security depends on the secrecy of the key, and not the secrecy of the algorithm.

Key Size (bits)   Number of Alternative Keys   Time Required at 10^6 Decryptions/µs
32                2^32 = 4.3 x 10^9            2.15 milliseconds
56                2^56 = 7.2 x 10^16           10 hours
128               2^128 = 3.4 x 10^38          5.4 x 10^18 years
168               2^168 = 3.7 x 10^50          5.9 x 10^30 years

Time to Break a Code


Confidentiality

Symmetric Key Encryption (Secret Key)
Public Key Encryption


Symmetric Key Encryption for Confidentiality

[Figure: Party A applies the encryption method and the symmetric key to the plaintext "Hello", producing the ciphertext "11011101", which crosses the network past an interceptor. Party B applies the decryption method and the same symmetric key to the ciphertext "11011101" and recovers the plaintext "Hello".]

Note: A single key is used to encrypt and decrypt in both directions.


Data Encryption Standard (DES)

[Figure: a 64-bit plaintext block and the 64-bit DES symmetric key (56 bits + 8 redundant bits) enter the DES encryption process, which outputs a 64-bit ciphertext block.]

Model of Conventional Encryption Process
• An encryption scheme has 5 major components:
  - (1) Plaintext Input
  - (2) Encryption Algorithm
  - (3) Secret Key
  - (4) Transmitted Ciphertext
  - (5) Decryption Algorithm


DES-CBC (DES-Cipher Block Chaining)

[Figure: the first 64-bit plaintext block and the Initialization Vector (IV) enter the DES encryption process with the DES key, giving the first 64-bit ciphertext block. The second 64-bit plaintext block and the first ciphertext block enter the DES encryption process with the DES key, giving the second 64-bit ciphertext block.]

Triple DES (3DES)
168-Bit Encryption with Three 56-Bit Keys

Sender:
1. Encrypts plaintext with the 1st key
2. Decrypts output of first step with the 2nd key
3. Encrypts output of second step with the 3rd key; gives the ciphertext to be sent

Receiver:
1. Decrypts ciphertext with the 3rd key
2. Encrypts output of the first step with the 2nd key
3. Decrypts output of second step with the 1st key; gives the original plaintext


Triple DES (3DES)
112-Bit Encryption With Two 56-Bit Keys

Sender:
1. Encrypts plaintext with the 1st key
2. Decrypts output with the 2nd key
3. Encrypts output with the 1st key

Receiver:
1. Decrypts ciphertext with the 1st key
2. Encrypts output with the 2nd key
3. Decrypts output with the 1st key


Triple DES (3DES)
56-Bit Encryption With One 56-Bit Key
(For Compatibility With Receivers Who Can Handle Only Normal DES)

Sender:
1. Encrypts plaintext with the key
2. Decrypts output with the key (undoes first step)
3. Encrypts output with the key

Receiver:
1. Decrypts ciphertext with the key

DES, 3DES, and AES

                          DES        3DES          AES
Key Length (bits)         56         112 or 168    128, 192, 256
Strength                  Weak       Strong        Strong
Processing Requirements   Moderate   High          Modest
RAM Requirements          Moderate   High          Modest


Public Key Encryption for Confidentiality

[Figure: Party A encrypts with Party B's public key and sends the encrypted message; Party B decrypts with Party B's private key. In the other direction, Party B encrypts with Party A's public key and sends the encrypted message; Party A decrypts with Party A's private key.]


High-Level Principles
• High-Level Principles:
  - Based on the infeasibility of determining the decryption key (i.e. the Receiver's Private Key), given knowledge of the following:
    - Receiver's Public Key
    - Chosen Plaintext
    - Possibly chosen ciphertext
  - Some algorithms, such as RSA, exhibit the following attribute:
    - Either of the two related keys can be used for encryption, with the other used for decryption.

Encryption with Public-keys
• Encryption Process:
  - (1) Each end system in a network generates a pair of keys to be used for encryption and decryption of messages that it will receive.
  - (2) Each system publishes its encryption key by placing it in a public register or file. This is the Public-key. The companion key is kept private.
  - (3) If Bob wishes to send Alice a message, he encrypts the message using Alice's Public-key.
  - (4) When Alice receives the message, she decrypts it using her Private-key. No other receiver can decrypt the message.

Key Length and Number of Possible Keys
• Notes: Shared keys with lengths of more than 100 bits are considered strong symmetric keys today.
• Shared keys with lengths of less than 100 bits are considered weak symmetric keys today.
• Public key/private key pairs must be much longer to be strong because of the disastrous consequences of learning someone's private key and because private keys cannot be changed rapidly.


Strong Keys for Symmetric and Public Key Encryption

Strong Symmetric Keys:
• Limited damage if cracked, so can be shorter
• Changed frequently, so can be shorter
• fast in processing
• needs to be exchanged by both
• requires a unique pair per session → complex/not scalable
• needs another key system to exchange it

Strong Public and Private Keys:
• Serious damage if cracked, so must be longer
• Rarely changed (long lived), so must be longer
• much slower processing time
• can be used to exchange keys
• one private and many public → scale
• needs digital certificate to exchange

Strong Keys for Symmetric and Public Key Encryption

Strong Symmetric Keys:
• 100 bits or more today
• Longer for high-value transactions
• Longer tomorrow as cracking power increases
• DES: 56-bits (weak), but 3DES gives 112-bit or 168-bit security
• AES: Key lengths of 128, 192, or 256; yet places a light load on processor and RAM so can be used by mobile devices
• IDEA: 128 bits used in some versions of PGP
• RC4: 40 bits (used in WEP)

Strong Public and Private Keys:
• 1,024 or 2,048 bits for RSA encryption today
• 512 bits for ECC encryption today
• Longer tomorrow as cracking power increases

Categories of Public-keys
• Three Categories:
  - Encryption/Decryption: Sender encrypts a message with the recipient's public key.
  - Digital Signature: Sender "signs" a message with its private key.
  - Key Exchange: Two sides cooperate to exchange a session key.

Misconceptions about PK Encryption
• More secure from cryptanalysis than is conventional encryption.
• General purpose technique that has made conventional encryption obsolete.
• Key distribution is trivial compared to 'handshaking' involved with the Key Distribution of conventional encryption methods.


Quiz
• Would cryptographic systems use symmetric key encryption or public key encryption for confidentiality in ___?
  A. World Wide Web downloads
  B. E-mail with attachments
  C. E-mail without attachments
  D. Database transactions
  E. Instant messaging
  F. File Transfer
  G. Remote Shell
  H. Pagers
  I. Movies (VoD or Satellite)
  J. VoIP
  K. SNMP

Answer: PK used for (B, C, H); the rest uses SK


Authentication

Challenge-Response Authentication with MS-CHAP
Encryption Versus MAC Versus Hashing
Message-by-Message Authentication with Digital Signatures and Digital Certificates from Certificate Authorities using Public Key Infrastructures


Authentication Requirements
• Authentication Requirements:
  - Requirements - must be able to verify that:
    - Message came from apparent source or author,
    - Contents have not been altered,
    - Sometimes, it was sent at a certain time or sequence.
  - Protection against active attack (falsification of data and transactions)


Authentication Approaches
• Authentication Approaches:
  - Authentication Using Conventional Encryption
    - Only the sender and receiver should share a key
  - Message Authentication without Message Encryption
    - An authentication tag is generated and appended to each message using hashing
  - Message Authentication Code (MAC)
    - Calculate the MAC as a function of the message and the key.
      MAC = F(K, M)


Authentication Functions
• Authenticators: Functions that may be used to produce an authenticator may be grouped in three classes:
  - Hash Function
  - Message Authentication Code
  - Message Encryption


MS-CHAP Challenge-Response Authentication Protocol
• Hashing Alternatives
  - Hash Length
    - Longer hashes give more security
    - Longer hashes require more processing time
  - MD5: 128-bit hash
  - SHA (secure hash algorithm)
    - 160-bit hash for SHA-1 (in the book)
    - 256-bit hash for SHA-256 (not in the book)
    - 384-bit hash for SHA-384 (not in the book)
    - 512-bit hash for SHA-512 (not in the book)


Encryption Versus Hashing

Use of Key
  - Encryption: Uses a key as an input to an encryption method
  - Hashing: Key is usually added to text; the two are combined, and the combination is hashed

Length of Result
  - Encryption: Output is similar in length to input (variable)
  - Hashing: Output is of a fixed short length, regardless of input

Reversibility
  - Encryption: Reversible; ciphertext can be decrypted back to plaintext
  - Hashing: One-way function; hash cannot be "de-hashed" back to the original string

Hash Functions
• Algorithm:
  - Check that protects data against modification.
  - Hash value is generated by function: h = H(M)
    - M = Variable length message
    - H(M) = Fixed length hash value
  - Hash value is appended to the message at the source at a time when the message is assumed or known to be correct.
  - Receiver authenticates the message by re-computing the hash value.


Requirements for Hash Functions
(1) H can be applied to a block of data of any size.
(2) H produces a fixed length output.
(3) H(x) is relatively easy to compute for any given x, making both hardware and software implementations practical.
(4) For any given code h, it is computationally infeasible to find x such that H(x) = h. This is sometimes referred to in literature as the one-way property.
(5) For any given block x, it is computationally infeasible to find y != x with H(y) = H(x). This is sometimes referred to as weak collision resistance.
(6) It is computationally infeasible to find any pair (x, y) such that H(x) = H(y). This is sometimes referred to as strong collision resistance (note that you are given a free choice of both input x and y).

1. One-Way Hash Functions for Authentication

[is it Confidential? How?]


2. One-Way Hash Functions for Authentication
• One Way Hash Functions: Secret value (could be a password!) is added before the hash and removed before transmission.

[Figure: Passwd added → Passwd removed → Passwd added again]

Faster but weaker than 1.a. Why?

Example of 2: MS-CHAP Challenge-Response Authentication Protocol

Note: Both the client and the server know the client's password.

1. Verifier creates Challenge Message.
2. Verifier (Server) sends Challenge Message to Applicant (Client). (This is sent to avoid/detect spoofing)


MS-CHAP Challenge-Response Authentication Protocol

3. Applicant (Supplicant) creates a Response Message:
   (a) Adds password to Challenge Message
   (b) Hashes the resultant bit string (does not encrypt)
   (c) The hash is the Response Message

[Figure: Password + Challenge → Hashing (Not Encryption) → Response]


MS-CHAP Challenge-Response Authentication Protocol

4. Applicant sends Response Message without encryption.

[Figure: Transmitted Response]


MS-CHAP Challenge-Response Authentication Protocol

5. Verifier adds password to the Challenge Message it sent. Hashes the combination. This is the expected Response Message.

[Figure: Password + Challenge → Hashing → Expected Response]


MS-CHAP Challenge-Response Authentication Protocol

[Figure: Transmitted Response =? Expected Response]

6. If the two Response Messages are equal, the applicant knows the password and is authenticated. Server logs Client in.
7. Note that only hashing is involved. There is no encryption. Done only at the initiation of a session. Is this enough?
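The seven steps above as an added sketch (not from the lecture, and not the real MS-CHAP message format): the response is a plain hash of password plus challenge, exactly as the slides simplify it. SHA-256, the sample password table and the names Verifier, response_for, login and replayed_login are assumptions of this example.

```python
import hashlib
import hmac
import secrets


def response_for(password, challenge):
    # Step 3: add the password to the challenge and hash the resulting bytes.
    # SHA-256 is an assumption of this sketch; the slides do not fix a hash.
    return hashlib.sha256(password.encode() + challenge).digest()


class Verifier:
    """Server side of the slides' simplified challenge-response exchange."""

    def __init__(self, passwords):
        # As the slides note, the server knows each client's password.
        self._passwords = passwords
        self._pending = {}  # username -> outstanding challenge

    def create_challenge(self, username):
        # Steps 1-2: a fresh random challenge for every login attempt.
        challenge = secrets.token_bytes(16)
        self._pending[username] = challenge
        return challenge

    def verify(self, username, transmitted_response):
        # Steps 5-6: recompute the expected response and compare.
        # pop() makes each challenge single-use, so a recorded response
        # is useless against any later challenge.
        challenge = self._pending.pop(username, None)
        password = self._passwords.get(username)
        if challenge is None or password is None:
            return False
        expected = response_for(password, challenge)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, transmitted_response)


def login(verifier, username, password):
    # Steps 1-6 end to end for one attempt.
    challenge = verifier.create_challenge(username)
    response = response_for(password, challenge)   # applicant side, step 3
    return verifier.verify(username, response)     # step 4: sent unencrypted


def replayed_login(verifier, username, password):
    # A response recorded during one login is resent in a later session.
    first = verifier.create_challenge(username)
    recorded = response_for(password, first)
    assert verifier.verify(username, recorded)     # the original login works
    verifier.create_challenge(username)            # new session, new challenge
    return verifier.verify(username, recorded)     # stale response is refused
```

The last function shows what the challenge buys: because it changes per session, a recorded response does not authenticate again, although nothing after the login is protected.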


Security of Hash Functions and MACs
• Brute-Force Attacks:
  - Hash Functions: The strength of the hash function against brute-force attacks depends solely on the length of the hash code produced by the algorithm.
  - MAC: More difficult to crack than Hash Functions because it requires known message-MAC pairs.
• Cryptanalysis:
  - Hash Functions: In recent years, there has been considerable effort, and some successes, in developing cryptanalytic attacks on hash functions.
  - MAC: More variety in the structure of MACs than in hash functions, so it's more difficult to generalize.


3. Message Authentication Code (MAC) using Secret Keys
  - (1) Uses the secret key to generate a small fixed block of data, known as a checksum or MAC. The MAC is appended to the message.
  - (2) Alice calculates the MAC as a function of the message and the secret key. The MAC is appended to the message and sent to Bob.
  - (3) Bob uses his copy of the Key to generate a new MAC from the message, and compares it with Alice's appended MAC.


4. Message Authentication Code (MAC) using Public keys
  - (1) Uses the secret key or private key to generate a small fixed block of data, known as a checksum or MAC. The MAC is appended to the message.
  - (2) Alice calculates the MAC as a function of the message and the secret key. The MAC is appended to the message and sent to Bob.
  - (3) Bob uses his copy of the Key to generate a new MAC from the message, and compares it with Alice's appended MAC.

[Figure labels: Secret or public; Secret or private]


Message Encryption
• Definition:
  - The ciphertext of the entire message serves as its authenticator. Message encryption by itself can provide a measure of authentication.
• Methods and Basic Encryption:
  - Conventional Encryption: Confidentiality and Authentication (using symmetric keys; we saw this)
  - Public-key Encryption: Confidentiality (encrypt with PK)
  - Public-key Encryption: Authentication and Signature
  - Public-key Encryption: Confidentiality, Authentication and Signature

Authentication with Public-keys (no confidentiality)
• Authentication Process:
  - (1) Bob prepares a message to Alice and encrypts the message using his private key.
  - (2) Alice decrypts Bob's message by using his Public-key.
  - (3) Since the message was encrypted using the sender's private key, only the sender could have sent this message.

Ensuring Both Encryption and Authentication
• Question:
  - Given the two preceding processes, how are you able to ensure both Encryption and Authentication?
• Solution:
  - Encrypt first (using sender private key), followed by the signature
  - Signature first has the advantage that the signature can be verified by parties other than the Recipient.

Digital Signature for Message-by-Message Authentication

To Create the Digital Signature:
1. Hash the plaintext to create a brief message digest; this is NOT the Digital Signature.
2. Sign (encrypt) the message digest with the sender's private key to create the digital signature.
3. Transmit the plaintext + digital signature, encrypted with symmetric key encryption.

[Figure: Plaintext → Hash → MD → Sign (Encrypt) with Sender's Private Key → DS; DS + Plaintext]

Digital Signature for Message-by-Message Authentication

[Figure: Sender sends DS + Plaintext to Receiver]

4. Encrypted with Symmetric Session Key


Digital Signature for Message-by-Message Authentication

In the Receiver:
5. Decrypt the entire msg using secret key.
6. Hash the received plaintext with the same hashing algorithm the sender used. This gives the message digest.
7. Decrypt the digital signature with the sender's public key. This also should give the message digest.
8. If the two match, the message is authenticated.

[Figure: Received Plaintext → Hash → MD; DS → Decrypt with True Party's Public Key → MD; Are they equal?]
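Steps 1, 2 and 6 to 8 above as an added example (not from the lecture): textbook RSA on a toy key built from known Mersenne primes stands in for the sender's key pair, so it shows the data flow only and is not a usable signature scheme. The symmetric encryption of steps 3 to 5 is left out; SHA-256, the sample messages and the names make_keypair, message_digest, sign, verify and demo are assumptions of this example.

```python
import hashlib

# Toy RSA parameters, constructed for this example from known Mersenne
# primes. They are far too small and too structured for real use.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537


def make_keypair(p, q, e=E):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))    # private exponent
    return (n, e), (n, d)                # (public key, private key)


def message_digest(plaintext, n):
    # Steps 1 and 6: hash the plaintext. The result is reduced modulo n
    # only because the toy modulus is shorter than a SHA-256 digest.
    return int.from_bytes(hashlib.sha256(plaintext).digest(), "big") % n


def sign(plaintext, private_key):
    # Step 2: "encrypt" the message digest with the sender's private key.
    n, d = private_key
    return pow(message_digest(plaintext, n), d, n)


def verify(plaintext, signature, public_key):
    # Step 6: hash the received plaintext.
    # Step 7: "decrypt" the signature with the sender's public key.
    # Step 8: the message is authenticated only if the two digests match.
    n, e = public_key
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == message_digest(plaintext, n)


def demo():
    sender_pub, sender_priv = make_keypair(P, Q)
    # A second, unrelated key pair (also constructed from Mersenne primes).
    other_pub, _ = make_keypair(2**107 - 1, 2**127 - 1)
    msg = b"Pay Lee 100 dollars"          # constructed sample message
    ds = sign(msg, sender_priv)
    return {
        "genuine": verify(msg, ds, sender_pub),
        "altered": verify(b"Pay Lee 900 dollars", ds, sender_pub),
        "wrong_key": verify(msg, ds, other_pub),
    }
```

The "wrong_key" case is why the receiver must hold the true party's public key: the check proves only that the signer owns the private key matching whichever public key was used.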
Problem: Public Key Deception

• Impostor: "I am the True Person."
  Verifier: Must authenticate True Person.
• Impostor: "Here is TP's public key." (Sends Impostor's public key)
  Verifier: Believes now has TP's public key. (Critical Deception)
• Impostor: "Here is authentication based on TP's private key." (Really Impostor's private key)
  Verifier: Believes True Person is authenticated based on Impostor's public key.
• Verifier: "True Person, here is a message encrypted with your public key."
  Impostor: Decryption of message from Verifier encrypted with Impostor's public key, so Impostor can decrypt it.


Important X.509 Digital Certificate Fields

Field: Description
• Version Number: Version number of the X.509. Most certificates follow Version 3. Different versions have different fields. This figure reflects the Version 3 standard.
• Issuer: Name of the Certificate Authority (CA).
• Serial Number: Unique serial number for the certificate, set by the CA.
• Subject: The name of the person, organization, computer, or program to which the certificate has been issued. This is the true party.
• Public Key: The public key of the subject (the public key of the true party).
• Public Key Algorithm: The algorithm the subject uses to sign messages with digital signatures.
• Valid Period: The period before which and after which the certificate should not be used. Note: Certificate may be revoked before the end of this period.
• Digital Signature: The digital signature of the certificate, signed by the CA with the CA's own private key. Provides authentication and certificate integrity. User must know the CA's public key independently.
• Signature Algorithm Identifier: The digital signature algorithm the CA uses to sign its certificates.


Digital Signature and Digital Certificate in Authentication

[Figure: Digital Certificate (Public Key of True Party) + Digital Signature (Signature to Be Tested with Public Key of True Party) → Authentication]


Digital Certificates
• Client should know the CA public key
• The role of the CA is to associate the sender/party name with a public key (NOT to authenticate the party)
• If the client gets the certificate from a party other than the CA, it should also download the certificate revocation list (CRL) from the CA to ensure that this name-key record is not revoked.


Public Key Infrastructure (PKI) with a Certificate Authority

[Figure: Certificate Authority PKI Server, Verifier (Brown), Verifier (Cheng), Applicant (Lee)]
• Create & Distribute (1) Private Key and (2) Digital Certificate
• 3. Request Certificate for Lee
• 4. Certificate for Lee
• 5. Certificate for Lee
• 6. Request Certificate Revocation List (CRL)
• 7. Copy of CRL

Key Distribution for Symmetric Session Key

Public Key Distribution
Diffie-Hellman Key Agreement


Public Key Distribution for Symmetric Session Keys

[Figure: Party A and Party B]

1. Create Symmetric Session Key


Public Key Distribution for Symmetric Session Keys

[Figure: Party A and Party B]

2. Encrypt Session Key with Party B's Public Key
3. Send the Symmetric Session Key Encrypted for Confidentiality
4. Decrypt Session Key with Party B's Private Key
5. Subsequent Encryption with Symmetric Session Key

Diffie-Hellman Key Agreement

[Figure: Party X and Party Y]

1. Agree on Diffie-Hellman Group p (prime) and g (generator) such that 0 < p < g
2. Party X generates random number x; Party Y generates random number y


Diffie-Hellman Key Agreement

[Figure: Party X and Party Y]

3. Party X computes x' = g^x mod p; Party Y computes y' = g^y mod p
4. Exchange x' and y' Without Security


Diffie-Hellman History
• RSA:
  - Proposed in 1976, and is the first public key algorithm (predates RSA)
  - Purpose of the algorithm is to enable two users to exchange a key securely over a potentially insecure channel.
  - Limited to the exchange of keys, i.e. cannot be used for en-/de-cryption.


Diffie-Hellman Key Agreement

[Figure: Party X and Party Y]

5. Party X computes Key = y'^x mod p = g^(xy) mod p; Party Y computes Key = x'^y mod p = g^(xy) mod p
6. Subsequent Encryption with Symmetric Session Key


Diffie-Hellman Key Exchange
• Diffie-Hellman:
  - Alice and Bob want to agree upon a key
  - They agree on 2 large integers n and g such that 1 < g < n
  - Alice chooses random x, computes X = g^x mod n and sends it to Bob.
  - Bob chooses random y, computes Y = g^y mod n, and sends it to Alice.
  - Alice computes k = Y^x mod n
  - Bob computes k' = X^y mod n
  - If someone is eavesdropping, the intruder knows n, g, X and Y but not x and y.
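The exchange above with both sides' computations, as an added example (not from the lecture), using the slide's symbols n, g, x, y, X, Y with 1 < g < n. The demo group (n = 2**127 - 1, g = 3), the range check on received values, the SHA-256 step that turns k into a session key, and the function names are assumptions of this example.

```python
import hashlib
import secrets

# Constructed demo group: n is the Mersenne prime 2**127 - 1 and g = 3.
# Both are assumptions of this sketch and are far too small for real use.
N = 2**127 - 1
G = 3


def keypair(n=N, g=G):
    # Alice picks a random secret x (Bob: y) and computes X = g^x mod n.
    private = secrets.randbelow(n - 3) + 2       # 2 <= private <= n - 2
    return private, pow(g, private, n)


def shared_key(own_private, peer_public, n=N):
    # Refuse degenerate public values (0, 1, n - 1, or anything >= n):
    # they would force k into a tiny set regardless of our own secret.
    if not 1 < peer_public < n - 1:
        raise ValueError("peer public value out of range")
    k = pow(peer_public, own_private, n)         # k = Y^x mod n = g^(xy) mod n
    # Hash the agreed number into a fixed-length symmetric session key.
    width = (n.bit_length() + 7) // 8
    return hashlib.sha256(k.to_bytes(width, "big")).digest()


def exchange():
    x, X = keypair()     # Alice
    y, Y = keypair()     # Bob
    # Only n, g, X and Y cross the network; x and y never leave their owner.
    alice_key = shared_key(x, Y)
    bob_key = shared_key(y, X)
    return alice_key, bob_key
```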
Replay Attacks



Replay Attacks
• Replay Attacks
  - Retransmit an intercepted message
  - Message is encrypted so that replay attacker cannot read it
• Why Replay Attacks
  - Repetition might work; for instance, replaying an encrypted username and password might result in access to a poorly designed system


Replay Attacks
• Preventing Replay Attacks
  - Insert a time stamp in messages and accept messages only if they are very recent
  - Insert a sequence number in each message
  - Insert a nonce (random number selected for the occasion) in a request message; only accept a reply message with the same nonce. Other party does not accept a request message with a previous nonce


Cryptographic Goals and Methods

Symmetric Key Encryption
  - Confidentiality: Applicable. Sender encrypts with key shared with the receiver.
  - Authentication: Not applicable.

Public Key Encryption
  - Confidentiality: Applicable. Sender encrypts with receiver's public key.
  - Authentication: Applicable. Sender encrypts with own private key.

Hashing
  - Confidentiality: Not applicable.
  - Authentication: Applicable. Used in MS-CHAP and HMACs discussed in the next chapter.

Delay Attacks: Impact and Solution
• Delaying messages is dangerous for real-time control applications (bidding, military, alarms)
• Algorithm
  - Server learns the client Actual Time (Ct) and calculates the offset = St – Ct
  - Every time the client sends a msg, it includes the timestamp (Cts)
  - When the server receives the message at time T, it calculates the time in the server based on the client clock when the message is received as follows:
    St = Cts + offset
  - If | T – St | > threshold, the message was delayed (action: ignore or ..)
  - Threshold should be > RTT/2 + alpha
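MAC = F(K, M) from the secret-key MAC slide, the sequence-number defence against replay, and the offset/threshold delay check above, combined in one receiver as an added example (not from the lecture). HMAC-SHA-256 as F, the message layout, the 0.5 s threshold, and all names, keys, clock readings and payloads are constructed for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-shared-secret-key"   # sample key, constructed
THRESHOLD = 0.5                           # seconds; must exceed RTT/2 + alpha
HEADER = struct.Struct(">Qd")             # sequence number, client timestamp Cts
TAG_LEN = 32                              # HMAC-SHA-256 output length


def protect(key, seq, client_ts, payload):
    # Sender: MAC = F(K, M) computed over sequence number, Cts and payload.
    header = HEADER.pack(seq, client_ts)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    def __init__(self, key, server_time, client_time, threshold=THRESHOLD):
        self.key = key
        self.offset = server_time - client_time    # offset = St - Ct
        self.threshold = threshold
        self.last_seq = 0                           # highest sequence accepted

    def accept(self, message, now):
        """Return (verdict, payload); `now` is the server receive time T."""
        if len(message) < HEADER.size + TAG_LEN:
            return "malformed", None
        header = message[:HEADER.size]
        payload = message[HEADER.size:-TAG_LEN]
        tag = message[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "bad-mac", None                  # altered, or wrong key
        seq, client_ts = HEADER.unpack(header)
        if seq <= self.last_seq:
            return "replayed", None                 # sequence number already seen
        st = client_ts + self.offset                # St = Cts + offset
        if abs(now - st) > self.threshold:
            return "delayed", None                  # |T - St| > threshold
        self.last_seq = seq
        return "ok", payload


def run_demo():
    # Constructed clocks: the server reads 1000.0 when the client reads 400.0.
    rx = Receiver(KEY, server_time=1000.0, client_time=400.0)
    m1 = protect(KEY, 1, 401.0, b"open valve 7")
    m2 = protect(KEY, 2, 402.0, b"close valve 7")
    tampered = m2[:HEADER.size] + b"close valve 9" + m2[-TAG_LEN:]
    return [
        rx.accept(m1, now=1001.1)[0],         # arrives on time
        rx.accept(m1, now=1001.2)[0],         # the same message again
        rx.accept(tampered, now=1002.1)[0],   # payload changed in transit
        rx.accept(m2, now=1009.0)[0],         # held back about 7 seconds
    ]
```

Because the sequence number and timestamp sit inside the MAC'd bytes, neither can be rewritten to slip a stale message past the two checks.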


Cryptographic System

[Figure: Client PC and Server]
Phase 1: Initial Negotiation of Security Parameters
Phase 2: Mutual Authentication
Phase 3: Key Exchange or Key Agreement

Cryptographic System

[Figure: Client PC and Server]
Phase 4: Ongoing Communication with Message-by-Message Confidentiality, Authentication, and Message Integrity

• Complete Cryptographic Systems provide
  - Negotiate parameters
  - Authentication
  - Privacy/confidentiality, and
  - Key exchange mechanism

Major Cryptographic Systems

Layer         Cryptographic System
Application   Kerberos
Transport     SSL/TLS
Internet      IPsec
Data Link     PPTP, L2TP (really only a tunneling system)
Physical      Not applicable. No messages are sent at this layer; only individual bits

• How can cryptographic systems be used to offer "defense-in-depth" security system?

SSL/TLS

SSL/TLS
• History
  - invented by Netscape then by Microsoft!
  - SSL leads IETF to standardize TLS
  - widely used in browsers today
• Architecture
  - not transparent
  - client & server-aware secure socket API:
  - ssl_connect( ); ssl_accept( ) .. etc

SSL/TLS Operation

[Figure: Applicant (Customer Client) and Verifier (Merchant Server)]
• Protects All Application Traffic That is SSL/TLS-Aware
• SSL/TLS Works at Transport Layer

SSL/TLS Operation

[Figure: Applicant (Customer Client) and Verifier (Merchant Server)]
1. Negotiation of Security Options (Brief)
2. Merchant Authenticates (mandatory) Self to Customer. Uses a Digital Certificate. Customer Authentication is Optional and Uncommon

SSL/TLS Operation

[Figure: Applicant (Customer Client) and Verifier (Merchant Server)]
3. Client Generates Random Session (symmetric) Key. Client Sends to Server Encrypted by Public Key Encryption
4. Ongoing Communication with Confidentiality and Merchant Digital Signatures in each message

Perspective on SSL/TLS
• Useful if Connection Will be Limited to Web services
• SSL/TLS is built into all browsers and webservers
• Provides only medium security, but exploitation is difficult (why?)
• In VPNs, clients can be required to have digital certificates, raising the security of SSL/TLS considerably
