ECS726: Security and Authentication
Week 1: Introduction
Pasquale Malacaria, January 2023
EECS, QMUL
Motivation
Motivation: A practical example
Consider an email exchange where Alice sends an email to Bob.
• What expectations may (or should) Alice and Bob have about this exchange?
• A minimal common expectation is that the email is not lost!
• What else?
Motivation: A practical example
Alice might ask herself:
• Am I happy that anyone could read this email, or do I only want Bob to see it?
• How can I make sure that my email reaches Bob without being changed?
Motivation: A practical example
Bob might ask himself:
• How can I have confidence that this email actually came from Alice?
• Can I be sure that this is the email that Alice intended to send me?
• Is it possible that Alice could deny in the future that she sent me this email?
Fundamental security problems
Availability: the email is not lost.
Confidentiality: data cannot be viewed by unauthorised users (only Bob should read that email).
Integrity: data should not be altered by unauthorised users (the email shouldn’t be altered).
Origin authentication: the given entity is the source of the received data (the email was from Alice).
Non-repudiation: an entity cannot deny a previous commitment or action (Alice cannot deny she sent the email).
Entity authentication: assurance that a given entity is currently active in the communication.
Motivation: Cryptography
Cryptography provides the tools and techniques to address several of these problems.
• It is used every day: Internet, email, messaging, Wi-Fi, mobile telephony, banking, digital rights (e.g. in video broadcasting), blockchain, eID cards, . . .
Motivation: Information Security
Information Security (Cyber Security): protection of information and information systems.
• The system can be a simple e-ID card reader, or as complex as an entire organization (involving PCs, smart phones, servers, wired and wireless networks, OS, middleware, applications, external services, staff, customers, etc.).
Cryptography is an essential part of Information Security, but there is more to it than cryptography.
Motivation: Cryptography vs security
Cryptography is not everything: security needs a holistic approach.
• All components of the system need to be designed, configured, and used securely:
◃ Physical security (doors, locks, CCTV)
◃ Network infrastructure (routers, cables, Wi-Fi)
◃ Hardware, firmware, middleware
◃ Operating system, applications
◃ Business logic
◃ And above all: humans!
We discuss some of these in the 2nd half of the module.
Basic Cryptographic Services
Basic Setting
The basic setting of a cryptosystem is a peer-to-peer communication between Alice and Bob over a channel of communication that may be intercepted and modified by Eve.
[Figure: Alice and Bob exchange data over the channel of communication; Eve can listen to and modify the channel.]
Other possible settings: broadcast (multiple recipients), file storage (sender and recipient are the same entity), . . .
• Note that entities (or users, e.g. Alice, Bob, Eve) can be humans, computers, devices, etc.: whoever or whatever is taking part in the processing of data.
Passive attack: unauthorised access to data (eavesdropping, copying restricted files, etc.).
Active attack: unauthorised alteration, deletion, transmission or access prevention to data.
Security Services
A security service is a specific security goal.
Confidentiality (aka “secrecy”): the assurance that data cannot be viewed by an unauthorised user.
◃ This is the classic security service, which we also consider first.
Data integrity: the assurance that data has not been altered in an unauthorised manner (including accidental errors).
◃ This assurance applies from the time the data was last created, transmitted, or stored by an authorised user.
– Note: data integrity focuses on “detecting” alteration of data, not necessarily on “preventing” it.
Data origin authentication: the assurance that a given entity was the original source of some data.
◃ Data origin authentication is sometimes referred to as “message authentication”, since it is concerned with the authentication of the data (message) and not with who we are communicating with at the time the data is received.
◃ The time of creation or the immediate source of the data is not of concern.
Entity authentication: the assurance that a given entity is involved and currently active in a communication session.
◃ Entity authentication can also be referred to as “identification”, because it is concerned with determining: who am I communicating with now, in real time?
Non-repudiation: the assurance that an entity cannot deny a previous commitment or action (to a “third party”).
◃ Desirable in situations where there is the potential for a dispute over the exchange of data.
Relationships between security services
Data Origin Authentication is a Stronger Notion than Data Integrity
◃ Data origin authentication requires data integrity.
◃ This is just a logical statement: if we cannot be sure whether data has been tampered with or not, how can we ascertain the identity of its creator?
◃ Data origin authentication is data integrity with the extra property of assurance of the identity of the original source of the data.
Non-Repudiation of a Source is a Stronger Notion than Data Origin Authentication
◃ We can only bind the source to the data, in a manner that cannot later be denied, if we have assurance that the data itself is from that source.
◃ Hence, non-repudiation requires data origin authentication (and therefore, in turn, data integrity).
Data Origin Authentication and Entity Authentication are Different
◃ For instance, for an email we need data origin authentication, whereas entity authentication is rather meaningless;
◃ on the other hand, before “authorising” an entity to use a resource, we need entity authentication.
Data Origin Authentication Plus a Freshness Check can Provide Entity Authentication
◃ This is because we are then certain who the data originated from and that the originator is involved in the current communication session.
Confidentiality Does Not Imply Data Origin Authentication
◃ For instance, an adversary (Eve) can re-arrange the encrypted messages of Alice, or slightly modify them, so that they decrypt to a legitimate message which was obviously not originated (created) by the sender (Alice);
◃ we usually need both, but they should be explicitly and separately shown to be provided.
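Added example (not from the lecture notes) of the last point: a one-time-pad style XOR encryption gives confidentiality, yet Eve, who never sees the key, can modify the ciphertext so that it decrypts to a different legitimate-looking message; a MAC over the ciphertext (HMAC-SHA256 from the Python standard library) lets Bob detect the modification. The sample message and its layout (recipient name at a fixed offset) are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # One-time pad: C = P XOR K with a random key as long as the message,
    # used once. Eve learns nothing about P from C alone (confidentiality).
    return xor_bytes(plaintext, key)


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return xor_bytes(ciphertext, key)


def tamper(ciphertext: bytes, old: bytes, new: bytes, offset: int) -> bytes:
    # Eve does not know the key. Since (P XOR K) XOR (old XOR new) decrypts to
    # P with `old` replaced by `new`, she only needs to guess the message
    # layout (assumption: the recipient name sits at a known offset).
    delta = xor_bytes(old, new)
    out = bytearray(ciphertext)
    for i, d in enumerate(delta):
        out[offset + i] ^= d
    return bytes(out)


def mac(mac_key: bytes, ciphertext: bytes) -> bytes:
    # Data origin authentication: an HMAC over the ciphertext under a key
    # that only Alice and Bob share.
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def verify_then_decrypt(key: bytes, mac_key: bytes, ciphertext: bytes, tag: bytes):
    # Bob checks the tag first (constant-time compare) and rejects anything
    # that was modified in transit.
    if not hmac.compare_digest(mac(mac_key, ciphertext), tag):
        return None
    return decrypt(key, ciphertext)


def demo():
    # Constructed sample message of the form "PAY <recipient> <amount>".
    message = b"PAY BOB 100"
    key = os.urandom(len(message))
    mac_key = os.urandom(32)
    ciphertext = encrypt(key, message)
    tag = mac(mac_key, ciphertext)
    forged = tamper(ciphertext, b"BOB", b"EVE", offset=4)
    # Confidentiality alone: Bob decrypts a legitimate-looking message
    # that Alice never wrote.
    unauthenticated = decrypt(key, forged)
    # With the MAC the forgery is rejected while the genuine message passes.
    rejected = verify_then_decrypt(key, mac_key, forged, tag)
    accepted = verify_then_decrypt(key, mac_key, ciphertext, tag)
    return unauthenticated, rejected, accepted
```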
Basic cryptographic terminology
cryptography: the design and analysis of mechanisms based on mathematical techniques that provide fundamental security services.
◃ It comes from the Greek word kryptos, meaning “hidden”, “concealed”, “secret”.
cryptographic primitive: a cryptographic process that provides a number of specified security services.
◃ Examples: block ciphers, stream ciphers, message authentication codes, hash functions, and digital signature schemes.
cryptographic algorithm: the particular specification of a cryptographic primitive (sufficiently detailed that a programmer could implement it).
◃ E.g., AES is a cryptographic algorithm that specifies a block cipher.
cryptographic protocol: a sequence of message exchanges and operations between one or more parties, at the end of which a series of security goals should have been achieved.
◃ E.g., SSL/TLS.
cryptosystem (aka “cipher system”): the implementation of some cryptographic primitives and their accompanying infrastructure.
Basic model of a cryptosystem for confidentiality
plaintext: the raw data to be protected during transmission from sender to receiver.
◃ Also said to be in the “clear”.
ciphertext: the scrambled version of the plaintext that results from applying the encryption algorithm (and the encryption key) to the plaintext.
◃ Ciphertext is not a secret and can be obtained by anyone who “eavesdrops” on the channel.
◃ No-one should be able to extract (compute) the plaintext from the ciphertext without having the decryption key.
encryption algorithm: the set of rules that determines, for any given plaintext and encryption key, a ciphertext.
decryption algorithm: the set of rules that determines, for any given ciphertext and decryption key, a unique plaintext.
encryption key: a value that the sender inputs into the encryption algorithm along with the plaintext in order to compute the ciphertext.
decryption key: related to (but not always identical to) the encryption key. The receiver inputs the decryption key into the decryption algorithm along with the ciphertext to get the plaintext.
keyspace: the collection of all possible decryption keys.
interceptor (aka “adversary” or “attacker”): an entity other than the sender or receiver who attempts to determine the plaintext.
◃ The interceptor will be able to see the ciphertext. The interceptor may know the decryption algorithm. The one piece of information the interceptor must not know is the decryption key.
Encryption: an example of coding
Encryption/decryption is an example of coding/decoding (specifically, cryptographic coding).
Other types of coding (each for a specific purpose):
◃ “source coding”: compression
◃ “channel coding”: error correction
◃ “line coding”: modulation
Astonishingly, most of the fundamental ideas of all of the above (and much more) were developed by Shannon (the father of “information theory”) during the 1940s.
Comparison to other security mechanisms
Encryption vs. Access Control (AC): hardware, OS and middleware mechanisms that prevent unauthorised users from accessing data. However, AC is tied to the location where the data resides, which is difficult to achieve when data is “in communication” (e.g. in cloud computing).
◃ AC’s confidentiality guarantee is based solely on enforcing lack of access to the entire data; in contrast, with encryption the adversary can see the entire ciphertext and only lacks the decryption key.
◃ The majority of our data protection is through AC, so we will return to this important topic in week 8.
Encryption vs. Steganography: steganography is about “information hiding”: the plaintext is embedded in other, non-secret data (e.g. an image) and the combination is sent; only the receiver knows that a hidden plaintext “exists” in the first place, and how to look for it.
• These mechanisms can of course be combined to provide “multiple layers” of security:
◃ an adversary who gets around the access control to a computer/channel, and who notices hidden information/traffic, will only find it in encrypted form.
◃ However, steganography seems to be rarely used seriously in practice, because it does not provide any “guarantees”.
◃ That said, for different security services, related techniques such as “digital watermarking” (to assert ownership of data) and “honeypots” (to detect unauthorised access) are in frequent use.
Symmetric vs. Public-Key cryptosystems
symmetric (key) cryptosystems: the encryption key and the decryption key are “essentially” the same.
◃ Even if they are not the same, they can be readily derived from each other.
public-key cryptosystems: the encryption key and the decryption key are fundamentally different.
◃ ⇒ aka “asymmetric cryptosystems”.
◃ It is computationally infeasible to determine the decryption key from the encryption key (this is not an intuitive property; in fact, it is quite amazing!).
In both symmetric and public-key cryptosystems, the decryption key should be kept secret (from the adversary).
◃ In symmetric-key crypto, the sender also knows the decryption key (but the adversary does not), whereas in public-key crypto everyone can know the encryption key (hence the name: public key), including the adversary!
In both symmetric and public-key crypto, encryption and decryption are closely tied (so that each can “neutralise” the effect of the other).
◃ In symmetric crypto, the decryption and encryption keys are essentially the same, while in public-key crypto it is (computationally) impossible to derive the decryption key from the encryption key!
• This is thanks to the magic of mathematics! We will see examples of this (weirdness) in subsequent weeks.
Making the encryption algorithm known
It may be tempting to keep the details of the encryption/decryption “algorithm” secret (on top of the decryption key). However:
◃ a device implementing the algorithm can be “reverse engineered” to extract the algorithm;
◃ the details of the algorithm may be accidentally or deliberately leaked into the public domain.
Kerckhoffs’ principle: the cryptographic algorithm should not be required to be secret (it should stay secure even if the details of the algorithm are revealed).
◃ Essentially, all the “hidden” stuff should be concentrated in the decryption key.
The case for using publicly known algorithms (as opposed to proprietary algorithms):
◃ Scrutiny: public algorithms are studied by a wide range of experts and perhaps adopted by public standardisation bodies;
◃ Interoperability: it is much easier to adopt and implement publicly known algorithms in open networks (especially when secure communication with external clients is required, perhaps in the future);
◃ Transparency: it is easier to convince a trading partner that their systems are secure if the security techniques they employ are open to assessment by their partners.
Cryptosystem security assumptions
The attacker (eavesdropper, adversary) knows:
1. all transmitted ciphertexts;
2. some corresponding plaintext-ciphertext pairs, due to
◃ the receiver’s failure to keep decrypted ciphertexts secret;
◃ some predictable plaintexts (e.g. document headers);
◃ the attacker having influenced the choice of plaintexts encrypted by the sender;
◃ the attacker having (temporary) access to either the encryption or the decryption device (its interface);
◃ in the case of a public-key cryptosystem, the encryption key being known to any attacker, so they can generate as many plaintext-ciphertext pairs as they wish;
3. the details of the encryption algorithm.
Some terminology of cryptographic attacks:
ciphertext-only attacks: the attacker only knows the encryption algorithm and some ciphertext;
known-plaintext attacks: as above, plus some arbitrary plaintext/ciphertext pairs;
chosen-plaintext attacks: as above, plus some plaintext/ciphertext pairs that correspond to plaintexts chosen by the attacker.
Note that these are increasingly powerful attacks (why?).
Breaking encryption algorithms
Breaking an encryption algorithm: a method of determining the plaintext from the ciphertext that does not involve being legitimately given the decryption key. This can be done by:
1. determining the decryption key directly (the most powerful type of break, since it allows decryption of all other ciphertexts corresponding to that key);
2. deducing a plaintext from the corresponding ciphertext without first determining the decryption key.
Exhaustive key searches
Exhaustive key search can be used to break almost all encryption algorithms (with a notable exception to come!).
◃ This attack, also known as a brute-force attack, provides a “benchmark” against which the effectiveness of other attacks can be measured.
◃ It simply involves decrypting the ciphertext with different decryption keys (from the “key space”) until candidates for the correct decryption key are found.
The candidate decryption keys can be identified from:
◃ some known plaintext/ciphertext pairs: if a decryption key successfully decrypts the known ciphertexts into the corresponding known plaintexts, it is a candidate!
◃ knowledge of the plaintext language: if the plaintext is in a known language, such as English, then the attacker will be able to use the statistical properties of the language to recognise candidate plaintexts, and hence candidate decryption keys.
◃ contextual information: e.g. specific strings/characters or a format in the plaintext.
Some generic cryptographic attacks
Dictionary attacks: involve compiling a type of “dictionary”, e.g.:
◃ in a cryptosystem with a fixed key, the dictionary may consist of ciphertexts corresponding to plaintexts the attacker has been able to learn by some means;
◃ in a cryptosystem where keys are “derived” from passwords, the attacker compiles a dictionary of likely passwords and then derives the resulting keys from them, to be used for a (more intelligent than brute-force) exhaustive key search.
Time-memory trade-off: combining a pre-computed table (dictionary) and exhaustive search.
Side-channel attacks: not directed against the theoretical design of a cryptographic primitive, but rather at its implementation; e.g.:
◃ timing attacks: different processor computations may take slightly different “times” to compute depending on the value of the key.
◃ power analysis: different processor computations may draw slightly different “electric power” depending on the value of the key.
◃ fault analysis: inducing errors in a cryptosystem and studying the resulting output for useful information.
◃ padding attacks: manipulating the “padding” process and monitoring the resulting error messages.
Historical Cryptosystems (and why they are all useless!)
They are all:
• symmetric cryptosystems (they predate the discovery of public-key cryptography);
• designed to provide confidentiality only;
• described as operating on alphabetic characters (in contrast to modern cryptosystems, which generally operate on binary numbers);
• completely unsuitable for use in modern cryptographic applications.
So, we only study them to internalise some concepts and gain intuition.
: (100 BC – 44 BC) used this method in his private correspondence ⇒ Caesar (shift) cipher
Plaintext: THE QUICK BROWN FOX JUMPS . . .
Ciphertext: QEB NRFZH YOLTK CLU GRJMP . . .
Question: What is the “key” in the above example?
Shift by 3, with letters numbered A = 0, . . . , Z = 25 (note the wrap-around at the end of the alphabet):
plaintext  : A (0)  B (1)  . . .  W (22)  X (23)  Y (24)  Z (25)
ciphertext : D (3)  E (4)  . . .  Z (25)  A (0)   B (1)   C (2)
Math. representation (letters A–Z numbered 0–25, K the key):
Encryption: C = P + K mod 26.
Decryption: P = C − K mod 26.
Question: what is the biggest weakness of the ?
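Added example (not from the lecture notes) covering both the Caesar cipher above and the exhaustive key search described earlier: encryption and decryption with C = P + K mod 26, followed by a search over all 26 keys that keeps only the candidates consistent with a known plaintext/ciphertext pair or with contextual information (a word expected in the plaintext). The sample plaintext is the lecture’s own; the key value and the crib are assumptions.

```python
import string

ALPHABET = string.ascii_uppercase  # A = 0, B = 1, ..., Z = 25


def caesar_encrypt(plaintext: str, key: int) -> str:
    # C = P + K mod 26, applied letter by letter; anything that is not a
    # letter (spaces, punctuation) is passed through unchanged.
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    # P = C - K mod 26 is simply encryption with the negated key.
    return caesar_encrypt(ciphertext, -key)


def exhaustive_key_search(ciphertext: str, known_pair=None, crib=None):
    """Decrypt under every key in the (tiny) key space and keep the keys that
    survive the available checks:
      known_pair: a (plaintext, ciphertext) pair the attacker has learned;
      crib: contextual information, i.e. a string expected in the plaintext.
    With no checks all 26 decryptions are returned for a human to inspect.
    Returns a list of (key, candidate_plaintext)."""
    candidates = []
    for key in range(len(ALPHABET)):
        candidate = caesar_decrypt(ciphertext, key)
        if known_pair is not None:
            known_p, known_c = known_pair
            if caesar_decrypt(known_c, key) != known_p.upper():
                continue  # this key does not explain the known pair
        if crib is not None and crib.upper() not in candidate:
            continue  # expected context is missing: discard
        candidates.append((key, candidate))
    return candidates


def demo():
    # Constructed sample: the lecture's plaintext; the key value (an
    # assumption) is chosen so the output matches the lecture's ciphertext.
    plaintext = "THE QUICK BROWN FOX JUMPS"
    key = 23
    ciphertext = caesar_encrypt(plaintext, key)
    every_key = exhaustive_key_search(ciphertext)            # 26 candidates
    by_crib = exhaustive_key_search(ciphertext, crib="THE")  # contextual info
    by_pair = exhaustive_key_search(ciphertext, known_pair=("FOX", "CLU"))
    return ciphertext, every_key, by_crib, by_pair


if __name__ == "__main__":
    c, every_key, by_crib, by_pair = demo()
    print("ciphertext:", c)
    print("candidates with crib THE:", by_crib)
    print("candidates with known pair FOX/CLU:", by_pair)
```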
Simple Substitution Cipher
The main problem with the Caesar cipher is its minuscule key space (of size only 26). The simple substitution cipher tries to resolve that:
Question: