Invitation to Computer Science 5th Edition › Pic › CourseItem › 3968_chapter08u.pdf · Invitation to Computer Science, 6e 7 . Invitation to Computer Science, 6e 8 . Cryptography

Invitation to Computer Science 5th Edition

Chapter 8

Information Security

CIA Triad of Information Security

Ensuring that data is

protected from

unauthorized access

Ensuring

that data

can be

modified

only by

appropriate

mechanisms

The degree to which authorized

users can access information for

legitimate purposes

Invitation to Computer Science, 6e 2

Information Security

• Rick Analysis

– Determining the nature and likelihood of the risks to key data

– Planning for information analysis requires risk analysis

– Goal is to minimize vulnerability to threats that put a system at the most risk


Cryptography

• Cryptography

– The field of study related to encoded information (comes from Greek word for "secret writing")

• Encryption

– The process of converting plaintext into ciphertext

• Decryption

– The process of converting ciphertext into plaintext


Cryptography

plaintext

message ciphertext

message

Encryption

Decryption

Encrypted(Information) cannot be read

Decrypted(Encrypted(Information)) can be


Cryptography

• Cipher

– An algorithm used to encrypt and decrypt text

• Key

– The set of parameters that guide a cipher

– Neither is any good without the other


Symmetric-Key Cryptography

• The general idea behind symmetric-key cryptography. Alice can send a message to Bob over an insecure channel with the assumption that an adversary, Eve, cannot understand the contents of the message by simply eavesdropping on the channel.

• The original message from Alice to Bob is referred to as plaintext; the message that is sent through the channel is referred to as the ciphertext. Alice uses an encryption algorithm and a shared secret key. Bob uses a decryption algorithm and the same secret key.



Cryptography

• Substitution cipher: A cipher that substitutes one character with another

– Caesar cipher

• A substitution cipher that shifts characters a certain number of positions in the alphabet

• Transposition ciphers

– A cipher that rearranges the order of existing characters in a message in a certain way (e.g., a route cipher)


Caesar cipher

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

Substitute the letters in the second row for the letters in the top row to encrypt a message

Ex:

Encrypt(COMPUTER) gives FRPSXWHU

Decrypt(Encrypt(COMPUTER)) gives COMPUTER

Why is this called the Caesar cipher? What is the key?


Transposition Cipher

T O D A Y

+ I S + M

O N D A Y

Write the letters in a row of five, using '+' as a blank. Encrypt by starting spiraling inward from the top left moving counter clockwise

Ex:

Encrypt(TODAY IS MONDAY) gives T+ONDAYMYADOIS+

Decrypt by recreating the grid and reading the letters across the row

The key are the dimension of the grid and the route used to encrypt the data

What is the key?


Cryptanalysis

Cryptanalysis

– The process of decrypting a message without knowing the cipher or the key used to encrypt it

– Substitution and transposition ciphers are easy for modern computers to break

– To protect information more sophisticated schemes are needed


Modern symmetric-key ciphers

• Modern ciphers normally use a combination of substitution, transposition and some other complex transformations to create a ciphertext from a plaintext.

• Modern ciphers are bit-oriented (instead of character-oriented). The plaintext, ciphertext and the key are strings of bits.

• Example

– DES (Data Encryption Standard)

– AES


DES

• DES is a symmetric-key block cipher published by the National Institute of Standards and Technology (NIST) in 1977.

• DES has been the most widely used symmetric-key block cipher since its publication.


DES (continued)

• Symmetric encryption algorithm

• Designed for digital data: plaintext is binary string

• Uses 64-bit binary key (56 bits actually used)

• Sixteen rounds of same series of manipulations

• Decryption uses same algorithm, keys in reverse

• Fast and effective, but requires shared key, 56 bits is too small for modern technology


DES (continued)

DES manipulations

• Split string

• Duplicating some bits

• Omit some bits

• Permute bit order

• Combine bit strings with XOR (exclusive or)



AES

• The Advanced Encryption Standard (AES) is a symmetric-key block cipher published by the US National Institute of Standards and Technology (NIST) in 2001 in response to the shortcoming of DES.


Asymmetric-key Cryptographs

• Two distinctive keys in asymmetric-key cryptography: a private key and a public key.

• The key for encryption and the key for decryption are different

– Person A makes an encryption key public (public key)

– Anyone can encrypt a message using the public key and send it to A

– Only A has the decryption key (private key) and can decrypt the message

• Example

– RSA


Figure 16.7 The general idea behind asymmetric-key cryptography Invitation to Computer Science, 6e 20

RSA

RSA key creation

– Pick 2 large prime numbers: p and q

– Compute n = p×q, and m = (p-1)×(q-1)

– Choose large number e at random, so that e and m are relatively prime (no common factors except 1)

– Find unique value d, between 0 and m, such that (e×d) modulo m = 1

– Public key = (n, e), Private key = d


RSA (continued)

Example:

• Choose p = 7, q = 11

• n = 7×11 = 77, and m = 6×10 = 60

• Choose e = 13 (60 = 2*2*3 * 5, 13=1*13)

• The corresponding d = 37 (13×37 modulo 60 = 1)

• Therefore, public key = (77, 13), Private key = 37


RSA (continued)

RSA encryption:

Given public key (n, e)

– Convert message to integer P

– Calculate C = Pe modulo n

RSA decryption:

Given private key d

– Calculate Cd modulo n


RSA (continued)

RSA encryption, example:

Given public key (77, 13)

– Convert message to integer P = 5

– Calculate C = 513 modulo 77 = 26

RSA decryption:

Given private key 37

– Calculate 2637 modulo 77 = 5


Public/Private Keys

• Digital signature

– Data that is appended to a message, made from the message itself and the sender's private key, to ensure the authenticity of the message

• Digital certificate

– A representation of a sender's authenticated public key used to minimize malicious forgeries


Computer Security

Authentication credentials

Information users provide to identify themselves for computer access

– User knowledge such as name, password, PIN

– Smart card with embedded memory chip used for identification

– Biometrics human characteristics such as fingerprints, retina or voice patterns


Computer Security

Malicious Code

A computer program that attempts to bypass appropriate authorization and/or perform unauthorized functions

– Worm: stands alone, targets network resources

– Trojan horse: disguised as benevolent resource

– Virus: self-replicating

– Logic bomb: set up to execute at system event


Computer Security

Security Attacks

An attack on the computer system itself

– Password guessing: obvious

– Phishing: trick users into revealing security information

– Spoofing: malicious user masquerades as authorized user

– Back door: unauthorized access to anyone who knows it exists


Computer Security

– Buffer overflow: defect that could cause a system to crash and leave the user with heightened privileges

– Denial-of-service: attach that prevents authorized user from accessing the system

– Man-in-the-middle: network communication is intercepted in an attempt to obtain key data

Have you ever experienced one of these?



Mal-Ware

• Virus: attaches itself to a program or file and causes damage of hardware, software or files

• Worm: has the capability to spread itself out to everyone listed in your email address book

• Trojans horse: will appear to be useful software at first glance but will actually do damage once installed or run on your computer


http://www.webopedia.com/TERM/P/program.html

http://www.webopedia.com/TERM/F/file.html

http://www.webopedia.com/TERM/H/hardware.html

http://www.webopedia.com/TERM/S/software.html

http://www.webopedia.com/TERM/F/file.html

http://www.webopedia.com/TERM/S/software.html

Mal-Ware (con’t)

• Some Famous Computer Virus, Worm, or Trojan Horse


Web Transmission Security

• E-commerce requires secure transmission of names, passwords, credit card numbers

• Web protocols: SSL (Secure Sockets Layer) and TLS (Transport Layer Security)

– Client-server applications

– Server provides certificate of authentication and server’s public key

– Client sends its DES key, encrypted using RSA

– Data is sent encrypted by the (now shared) DES key



Secure Socket Layer (SSL)





• SSL includes two sub-protocols: the SSL Record Protocol and the SSL Handshake Protocol.

– Record Protocol - defines the format used to transmit data.

– Handshake Protocol - using the Record protocol to exchange messages b/t an SSL-enable server and an SSL-enable client.



• 客戶端認證 (Client Authentication)

• 伺服端認證 (Server Authentication)

• 加密連線 (Encrypted Connection)


SSL Record Protocol Operation

abcdef ghijk lmn

abcdefghijklmnApplication Data

Fragment

Compress

Add MAC

Encrypt

Add SSL

Record Header

generate MD5 by using HASH


SSL 訊息封裝 (一)

• SSL 封包格式

Type=22

Length Content

HTTP, ..., Message(or Compress)

Type=23

MajorVersion

MinorVersion

Length MAC

加密編碼

Type= 21

AlterLevel

AlertDesc.

IP Header

Type= 20

Change

TCPHeader SSL Message

(a) 變更密文規格協定

(b) 警告協定

(c) 握手協定

(d) 紀錄協定

1 Byte1

1 1 Byte

3 >= 0 Bytes

1 1 2 >= 0 Bytes 0,16, 20

Hand.Type

1


SSL 訊息封裝 (二) • 握手協定之命令型態

訊息（命令）型態

參數（內容）

hello_request

無

client_hello

版本、亂數、會議 ID、加密套件、壓縮方法

server_hello

版本、亂數、會議 ID、加密套件、壓縮方法

certificate

一連串的 X.509v3 憑證內容

server_key_exchange

鑰匙材料、數位簽章

certificate_request

憑證型態、認證中心

server_done

無

certificate_verify

數位簽章

client_key_exchange

鑰匙材料、數位簽章

finished

雜湊值


SSL 訊息封裝 (三)

• 紀錄層訊息封裝 Application data

Fragment Fragment Fragment

compress

compress MAC

Encrypt

EncryptH

上層資料 (如 HTTP)

分段處理

壓縮處理

加入認證標頭

加密處理

加入 SSL 紀錄標頭

TCP MessageTCP

HeaderTCP 協定包裝如 https: tcp/443 埠口

compression_method

client/server_write_MAC_secret

client/server_write_keyclient/server_write_IV

SSL 協定包裝


11-5 SSL 會議連結識別

• 會議連結』(Session Connection)：Session ID

• 使用於 SSL Record Layer 的參數

– Session Identifier

– Peer Certificate

– Compression Method

– Cipher Spec

– Master Secret

– Is Re-useable


SSL 握手協定 (一) • 協商步驟

1. 交換 Hello 訊息，協議演算法，並檢視是否有 Session ID 可重

複使用。

2. 交換鑰匙材料，及製作『前置主秘鑰』(Pre-master Secret)

3. 交換『身份憑證』。

4. 利用 Pre-master Secret 製作 Master Secret。

5. 將安全參數登錄於 Session Connection。

6. 保證協議當中未受到駭客攻擊。


SSL 握手協定 (二)

• 協商階段

客戶端

(1) client_hello

伺服端

(2) server_hello

(3) certificate *

(4) server_key_exchange *

(5) certificate_request *

(6) server_done

(7) certificate *

(8) client_key_exchange

(9) certificate_verify *

(10) [change_cipher_spec]

(11) finished

(12) [change_cipher_spec]

(13) finished

雙方利用 Hello 訊息互相傳送相關安全參數

第一階段

伺服端傳送憑證、交換鑰匙與要求對方憑證

客戶端傳送憑證、交換鑰匙與要求確認憑證

客戶端要求變更密文規格及完成協議

伺服端要求變更密文規格及確認完成協議

SSL/TLS 安全連線依照安全機制傳輸應用層資料

第二階段

第三階段

第四階段

Record Protocol

備註：有星號 (*) 表示選項訊息Invitation to Computer Science, 6e 52

網路環境－防火牆


Documents

Invitation to Computer Science 5th Edition › Pic › CourseItem › 3968_chapter08u.pdf · Invitation to Computer Science, 6e 7 . Invitation to Computer Science, 6e 8 . Cryptography