View
213
Download
0
Embed Size (px)
Citation preview
2
Introduction to Cryptography The idea is to protect data by transforming into a representation from which is hard to recover. This provide us with: Confidentiality – only the sender and the receiver should know the
message content
Authentication – sender and receiver can confirm the identity of each other
Integrity – sender and receiver can detect any alteration of the message
Non-repudiation – sender can not deny having created the message
Freshness – message is recent and not a replay
Unless a message is properly protected unfriendly “agents” can capture or see it as it moves across the network and, Insert messages into the connection
Impersonate – fake (spoof) source address
Hijack – take over connection a replacing the sender or receiver
Denial of service – by, for example, overloading the resources
3
Private (Symmetric) – Key systems
In these systems the message M is encrypted using a key e which is known only to the sender and the receiver. To encrypt the message compute X = E(M, e), E being the encryption function. To decrypt X compute M = D(X, d), where d is the decryption key corresponding to e. There is usually a simple relationship between e and d. A widely known secret-key system is DES (Data Encryption Standard)
M encryptionalgorithm
decryption algorithm
e – encryption key d – decryption key
M = D(X, d)
Alice
X = E(M, e)
Bob
Unfriendly agent Eve
4
Public (Asymmetric)– Key systems
In these systems the message M is encrypted using a key e which is public. To encrypt the message compute X = E(M, e), E being the encryption function. To decrypt X compute M = D(X, d), where d is the decryption key corresponding to e. Knowing e doesn’t help anyone to discover the decryption key d.
M encryptionalgorithm
decryptionalgorithm
e – public encryption key d – private decryption key
M = D(X, d)
Alice
X = E(M, e)
Bob
Unfriendly agent Eve
5
RSA – A Public-key Crypto-System
RSA stands for its inventors Ron Rivest, Adi Shamir, and Len Ademan. We assume here that message is broken into parts of the right size, e.g. 1024 bits.
Choosing Keys
Choose two large prime numbers p, q (e.g., 512 bits each)
Compute n = pq, z = (p-1)(q-1) = Ф(n)
Choose e, (e<n), such that it has no common factors with z, e.g. gcd(e,Ф(n)) = 1 (gcd stands for greatest common divisor)
Choose d such that ed-1 is exactly divisible by z (in other words,ed mod Ф(n) = 1)
Public key is (n,e)
Private key is (n,d)
R.L. Rivest, A. Shamir, L. Adleman, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,” Comm. of ACM, 21 (2), pp. 120-126, Feb. 1978.
6
RSA: Encryption - Decryption
)(mod
computes,sender theRSA, using message a send To
nMX
Me
MnMnM
nednM
nMnXM
ed
n
edd
)(mod)(mod
),( of multiple some 1 is and 1)(mod Since
)(mod)(mod
computes,receiver themessage edecrypt th To
1
)(
0
)(mod)),(,()),(,(
:is that identical, are functions decryption and encryption that Notice
nXnkXDnkXE k
7
Hash AlgorithmsA basic tool for cryptography is a secure hash algorithm. Given a variable length message x, a secure hash algorithm computes a function h(x) which has a fixed and often smaller number of bits. It is usually not possible to recover x from its hash function. Desirable properties of a secure hash function are:
A hash function h(x) is one-way if given y it is hard to find x such that h(x) = y
A hash function h(x) is weakly collision-free if given a message x1 it is hard to find another message x2 such that h(x1) = h(x2)
A hash function h(x) is strong collision-free if it is hard to find any pair of messages x1, x2 such that h(x1) = h(x2)
An important property of secure hash functions, like any hash function, is that they should uniformly cover their range. That is, for a uniform distribution of the inputs, the output probabilities from the hash function should be uniform.
8
Authentication via Digital Signatures
Method I: Bob encrypts entire message with his private key; this is Bob’s digital signature
Bob send both the message and his digital signature
Similar to handwritten signatures
Dear Alice,
Bob Bob’s private key
Ready for Transmission Alice decrypts Bob’s message using Bob’s public key
If decrypted message matches the message, Alice knows that the signed message could only have come from Bob
Signing the entire document/message is computationally expensive
Original Text
Text encrypted with Bob’s private key
9
Authentication via Digital Signatures
Method II:
Compute a hash on the document/message
The hash, also called a message digest, is much smaller than the document, resembles a CRC (Cyclic Redundancy Check)
Use private key to encrypt only the message digest
Encrypted digest is commonly called a digital signature
Computationally inexpensive
Send both the document and the digitally signed message digest
At receiver
Hash the document → MDA and decrypt the digital signature → MDB
If MDA = MDB then receiver knows that:
the identity of sender correctly matches the advertiser of the public key (authentication)
that the document hasn’t been tampered with (data integrity)
10
Digital Signature - Signed message digest
Bob sends digitally signed message
OriginalLong
MessageFixed-sizemessage
digest
Encryptedmessage
digest
Bob’sprivate
key
Send to Alice
Alice verifies signature and integrity of digitally signed message
Many to onehash function
Fixed-sizemessage
digest
OriginalLong
Message
Many to onehash function
Encryptedmessage
digest
Bob’spublic
key
Fixed-sizemessage
digest
Compare
11
Non-Repudiation via Digital Signatures
Fixed-sizemessage
digest
OriginalLong
Message
Many to onehash function
Encryptedmessage
digest
Bob’spublic
key
Fixed-sizemessage
digest
Compare
MDAMDB
Digital Signatures provide authentication, integrity, and non-repudiation
At receiver, if MDA = MDB then receiver knows that:
Only the sender’s private key could have created this signature (Non-repudiation & Authentication)
Sender can’t deny sending message
12
One-Way Hash Chains
Construction
Pick random rN and a public one-way function F
ri = F(ri+1)
Secret value: rN
Public value: r0
Fr8r5 r6 r7
F F Fr4
Properties
Use in reverse order of construction, i.e. r1, r2,…, rN
It is not feasible to derive ri from rj (j<i)
Good for authenticating ri knowing rj (j<i), e.g. verify if rj = Fi-j(ri)
Robust to missing values
13
Message Authentication Codes (MAC)
It is a code – MAC(K,M)
Calculated by some function MAC that requires little computation
Inputs are the message M to be sent and K, the symmetric key known only by the two parties
The code is appended to each packet, i.e. {M, MAC(K,M)}
BobAlice
ComputeC = MAC(K,M)
{ M | C }
It’s Alice not AliceYes No
ComputeC’ = MAC(K,M)
C = C’Alice and Bob know in advance K and the MAC function
14
Unicast Source Authentication
Bob
Dave
Carol
Alice
Ka-b
{M|MAC(Ka-b, M)}
Ka-b
Ka-cKa-d
M is duplicated and sent separately to each intended receiver with it a different MAC
High overhead and consumes network resources
Internet
{M|MAC(Ka-c, M)}
{M|MAC(Ka-d, M)}
15
Multicast Source Authentication
InternetInternet
Bob
Dave
Carol
Alice
Ka
{M|MAC(Ka, M)}
Ka
KaKa
Ka is known to all receivers. Any receiver can forge a packet
Low overhead and less network resources when compared with unicast method
16
TESLATimed Efficient Stream Loss-Tolerant Authentication Uses symmetric key cryptography Asymmetric key cryptography via time Based on initial loose time synchronization MAC is attached to each packet Delayed-disclosure of keys
MAC(Ki,M)
M
timeti-1 ti ti+1
F(Ki)Authentic
Commitment
Ki
is disclosed
1- Verify Ki
2- Verify MAC3- M is authentic
A. Perrig, R. Canetti, J.D. Tygar, D. Song, “Efficient authentication and signing of multicast streams over lossy channels,” IEEE Symposium on Security and Privacy, May 2000.
17
TESLA – Sender SetupAlice
time
interval i -1 interval i interval i +1 interval N
Ki+1KiKi-1 KN
Use F' to derive the key to compute MAC K‘i= F’(Ki)
K’i+1K’iK’i-1 K’N
F’ F’ F’ F’
Break time in intervals of same duration
Determine key chain length N, picks the last key KN randomly
Using a One Way Pseudo Random Function F compute Ki = F(Ki+1), assign one key to each interval
Key generation
18
TESLA – Authentication
Ki+1KiKi-1
K’i+1K’iK’i-1
F’ F’ F’
Mi-1, Ki-2 MAC(K’i-1, Di-1)
Di-1
Mi , Ki-1 MAC(K’i, Di)
Di
Mi+1, Ki MAC(K’i+1, Di+1)
Di+1
Pi-1 Pi Pi+1
authenticated authenticated after reception of Pi+1
not yet authenticated
When the receiver gets packet Pi,it can not verify the MAC since it does not yet know Ki from which it can compute K’i
Packet Pi+1 discloses Ki and allows the receiver to:
verify that Ki is correct, e.g., F(Ki) = Ki-1
compute K’i and check the authenticity of packet Pi by verifying the MAC of Pi
19
TESLA – Dynamic Packet Rates
Dj
K’i
Dj+1
K’i+2
i i +5i +4i +3i +2i +1
Dj+3
K’i+3
Dj+4
K’i+3
Dj+4
K’i+5
Mj+4
Ki+1
Mj+3
Ki-1
Mj+2
Ki-1
Mj
Ki-4
Mj+1
Ki-2
TΔ
d=4
The MAC key and the disclosed key depend of the time interval
The authentication key of Pj is Ki which is disclosed by packets sent in interval (i + d )
In this example packet Pj+4 discloses key Ki+1 which allows the receiver to compute Ki and to authenticate packet Pj
Pj Pj+2Pj+1 Pj+3 Pj+4
20
Attacks to Ad-Hoc Networks
Passive Only eavesdrop
Threats against privacy/anonymity
Active Injects packets and eavesdrops
Characterized based on the number of controlled nodes in the network
Routing disruption attacks Causes legitimate data packets to be routed dysfunctionally (e.g.,
routing loop, black hole, gray hole, detour, partition)
Resource consumption attacks Consumes valuable network resources or node resources (e.g.,
injecting data packets, injecting control packets)
21
ARIADNE: A Secure On-Demand Routing Protocol for Ad Hoc
Networks Withstands node compromise
Relies on highly efficient symmetric cryptography
Does not require trusted hardware or powerful processors
Authenticate routing messages using one of: Shared secrets between each pair of nodes
Avoids need for synchronization
Shared secrets between communicating nodes combined with broadcast authentication
Requires loose time synchronization
Digital signatures
Y-C Hu, A. Perrig, D. B. Jonson, “Ariadne: A Secure On-Demand Routing Protocol for Ad Hoc Networks,” 8th ACM International Conference on Mobile Computing and Networking, MobiCom 2002, pp. 12-23.
22
ARIADNE: Key Setup Shared secret keys
Key distribution center
Bootstrapping from a Public Key Infrastructure (PKI)
Pre-loading at initialization
Initial TESLA keys
Embed at initialization
Assume PKI and embed Certifications Authority’s public key at each node
Digital signatures
A mechanism distribute one authentic public key for each node
Each node also has an authentic element from the Route Discovery chain of every node initiating Route Discoveries
23
ARIADNE: Route Discovery Takes after DSR
Assume sender and receiver share secret (non-TESLA) keys for message authentication
Target authenticates ROUTE REQUESTS
Sender includes a MAC computed with end-to-end key
Target verifies authenticity and freshness of request using shared key
Data authentication using TESLA keys
Each hop authenticates new information in the REQUEST
Target buffers REPLY until intermediate nodes release TESLA keyso TESLA security condition is verified at the targeto Target includes a MAC in the REPLY to certify the condition was met
Attacker can remove a node from node list in a REQUEST, but
One-way hash functions verify that no hop was omitted (per-hop hashing)
24
ARIADNE: Route Discovery Assume all nodes know an authentic key of the TESLA one-way key chain of
every other node
Securing ROUTE REQUEST
Target can authenticate the sender (using their additional shared key)
Initiator can authenticate each path entry in the ROUTE REPLY
No intermediate node can remove any other node in the REQUEST or REPLY
ROUTE REQUEST packet contains eight fields: ROUTE REQUEST: label
initiator: address of the sender
target: address of the recipient
id: unique identifier
time interval: TESLA time interval of the pessimistic arrival time
hash chain: sequence of MAC hashes
node list: sequence of nodes on the path
MAC list: MACs of the message using TESLA keys
25
ARIADNE: Route Discovery Upon receiving ROUTE REQUEST, a node:
1. Processes the request only if it is new
2. Processes the request only if the time interval is valid (not too far in the future, but not for an already disclosed TESLA key)
3. Modifies the request and rebroadcasts it– Appends its address to the node list, replaces the hash chain with H[A, hash
chain], appends MAC of entire REQUEST to MAC list using KAi where i is the index for the time interval specified in the REQUEST
When the target receives the route request:
1. Checks the validity of the REQUEST (determining that the keys from the time interval have not been disclosed yet and that hash chain is correct)
2. Returns ROUTE REPLY containing eight fields– ROUTE REPLY, target, initiator, time interval, node list, MAC list– target MAC: MAC computed over above fields with key shared between
target and initiator– key list: disclosable MAC keys of nodes along the path
26
ARIADNE: Route Discovery Node forwarding ROUTE REPLY
Waits until it can disclose TESLA key from specified intervalo Appends that key to the key listo This waiting does delay the return of the ROUTE REPLY but does not
consume extra computational power
When initiator receives ROUTE REPLY
1. Verifies each key in the key list is valid
2. Verifies that the target MAC is valid
3. Verifies that each MAC in the MAC list is valid using the TESLA keys
The ROUTE MAINTENACE mechanism has similar features, e.g.,
Based on DSR Node forwarding a packet to the next hop returns a ROUTE ERROR to the
original sender
Prevent unauthorized nodes from sending errors, e.g. sender we authenticates errors