275 lines
6.4 KiB
Markdown
275 lines
6.4 KiB
Markdown
# It Security
|
|
|
|
## Security Goals - CIA
|
|
|
|
- Confidentiality
|
|
- only authorized entities can access assets in a system
|
|
- Attacks:
|
|
- Eavesdropping - inteception of data during transfer
|
|
- Traffic Analysis - analyze address information or timings to deduce who communicatos with whom
|
|
- Integrity
|
|
- only authorized entities can change assets in a system
|
|
- Attacks:
|
|
- Modification - intercept and modify data in transfer
|
|
- Masquerading - modify SCR address information of a data packet in transfer
|
|
- Replay - intercept a data packet in transfer and later replay it
|
|
- Repudiation - deny an action such as having sent a specific data packet
|
|
- Availability
|
|
- authorized entities can access assets in a system as intended
|
|
- Attack: Denial of Service- flooding a server with fake requests, jam signal with stronger singal on the same frequency, enter password wrongly to get the account blocked
|
|
|
|
|
|
|
|
## Encryption Scheme definition
|
|
|
|
Noted as a tuple (P, C, K, E, D):
|
|
|
|
- P = plaintexts
|
|
- C = ciphertexts
|
|
- K = keys
|
|
- E = encryption functions
|
|
- D = decryption functions
|
|
|
|
|
|
|
|
For any K_1 in K, there is a K_2 in K such that for all p in P, D_K_2(E_K_1(p)) = p
|
|
|
|
For symmetric encryption, K_1 = K_2
|
|
|
|
This definition doesn't cover any notion of security
|
|
|
|
## Symmetric Encription scheme
|
|
|
|
Properties:
|
|
|
|
- Bob and Alice share the same key in advance
|
|
- Decription is *difficult* without the key
|
|
|
|
|
|
|
|
## Caesar Cipher
|
|
|
|
= Letter shift by k amount
|
|
vulnerable to Brute force attacks (exhaustive search attacks)
|
|
|
|
|
|
|
|
## Monoalphabetic Substitution Cipher
|
|
|
|
= replace each letter by a fixed permutation of the alphabet
|
|
|
|
key space is very large -> No brute force, however:
|
|
|
|
vulnerable to frequency analysis, as Monoaplhabetic Substitution preservers letter frequencies
|
|
|
|
|
|
|
|
## Perfect Secrecy
|
|
|
|
Defintion:
|
|
|
|
> An encryption scheme is said to provide **perfect secrecy** iff given a probability distribution Pr on P, and Pr(P) > 0 for all plaintexts p and for each p in P, c in C and k in K chosen uniformly at random Pr(p|c) = Pr(p)
|
|
|
|
Meaning: Whether or not c is observed, p is as likely as its occurrence in the plaintext space
|
|
|
|
A cipher providing perfect secrecy cannot be broken by an attacker. Not even by one with infinite computational resources and infinite time. (Shannon'S Theorem)
|
|
|
|
|
|
|
|
## One-Time-Pad (OTP)
|
|
|
|
*aka Vernam Cipher or Vernam's One-Time-Pad*
|
|
|
|
for each encryption, chose a key uniformly at random.
|
|
|
|
Encryption: C = P xor K
|
|
|
|
Decryption: C xor K = P xor K xor K = P
|
|
|
|
- Advantages:
|
|
- Easy to compute (XOR is cheap computation)
|
|
- As secure as theoretically possible
|
|
- -> Security independent of the attacker's resources
|
|
- garantees confidentiality
|
|
- Disadvantages
|
|
- Key must be as long as plaintext
|
|
- impractical
|
|
- does not guarantee **integrity**
|
|
- insecure if keys are reused
|
|
|
|
|
|
|
|
**Learn the Prove for perfect secrecy by heart!**
|
|
|
|
## Computational Security
|
|
|
|
= An encryption scheme is called computationally secure iff all known attacks against the cipher are computationally infeasible within any reasonable amout of time/resources
|
|
|
|
|
|
|
|
## Attacker Models
|
|
|
|
- Ciphertext only attack
|
|
- attacker knows only cipher text
|
|
- known plaintext attack
|
|
- knows some pairs of plaintext and ciphertext
|
|
- chosen plaintext attack
|
|
- can obtain ciphertext for plaintexts of his choice
|
|
- chosen ciphertext attack
|
|
- can obtain plaintext for ciphertexts of his choice before target ciphertext is known
|
|
|
|
Security in a chosen-ciphertext setting is hardest to achieve
|
|
|
|
Ciphertext-only setting is more difficult for the attacker -> easier to achieve
|
|
|
|
|
|
|
|
## Stream Ciphers
|
|
|
|
Idea:
|
|
|
|
- Replace K with PRBG:
|
|
- Seed of PRBG with a truly random key K
|
|
- PRBG should be cryptographically secure, though there is no proof
|
|
- new initialization vector for each P
|
|
|
|
|
|
|
|
> For each plaintext P select a fresh IV and set C = E_K(P) = IV || P xor PRBG(IV, K)
|
|
>
|
|
> PRBG(IV, K) is referred to as *key stream*. The same key K is used for multiple plaintexts
|
|
|
|
|
|
|
|
Weakness:
|
|
If IV is reused with the same key, Stream Cipher is vulnerable to known-plaintext attacks (cf Chap 2 slide 32)
|
|
E.g. used to attack WPA2 (KRACK attack)
|
|
|
|
|
|
|
|
examples:
|
|
|
|
- broken
|
|
-
|
|
- A5/1
|
|
- E0
|
|
- unbroken
|
|
- SNOW 3G
|
|
- CHACHA20
|
|
- blockciphers in CTR mode
|
|
|
|
|
|
|
|
## Block Ciphers
|
|
|
|
Operate on plaintext blocks of a specific length
|
|
|
|
- called the block length b of the cipher
|
|
- plaintext space P = ciphertext space C = {0,1}^b
|
|
|
|
|
|
|
|
Examples:
|
|
|
|
- broken
|
|
- DES
|
|
- IDEA
|
|
- unbroken
|
|
- KASUMI
|
|
- AES
|
|
Camellia
|
|
|
|
|
|
|
|
## Advanced Encryption Standard (AES)
|
|
|
|
more scure and efficient than 3DES, block length of 128 bit, regardless of key length
|
|
|
|
|
|
|
|
Operates on rounds:
|
|
input and output of each round represented as 4x4 byte matrices
|
|
|
|
Operations:
|
|
|
|
- Substitute Byte(SB) - substitutes one byte
|
|
- Round Key Addition (KA) - XOR byt with corresponding key
|
|
- Shift Row (SR) - Shift a row by different amounts
|
|
- Mix Column (MC) - Multiplication of a column by a given matrix
|
|
|
|
|
|
|
|
Overall Operation:
|
|
|
|
plaintext -> KA -> SB -> SR -> MC* -> KA -> ciphertext & next round continuing after first KA operation
|
|
|
|
*MC not done in the last round!
|
|
|
|
Number of rounds depends on key size:
|
|
|
|
- 128 bit key -> 10 rounds
|
|
- 192 -> 12
|
|
- 256 -> 14
|
|
|
|
|
|
|
|
Modes of encryption:
|
|
|
|
- Electronic Code Book (ECB)
|
|
- Cipher Block Chaining (CBC)
|
|
- Counter (CTR)
|
|
- Output Feedback (OFB) -> covered exercises
|
|
|
|
|
|
|
|
### Electronic Codebook Mode (ECB)
|
|
|
|
- Encryption: C_i = E_k(P_i) for i = 1, ..., n
|
|
- Decryption: P_i = D_k(C_i) for i = 1, ..., n
|
|
- Requires padding of P_n to b bit
|
|
|
|
|
|
|
|
Problem:
|
|
|
|
- Same P_i leads to same C_i -> Patterns are visible
|
|
|
|
-> ECB should not be used!
|
|
|
|
|
|
|
|
### Cipher Block Chaining Mode (CBC)
|
|
|
|
- IV = C_0
|
|
- Encryption: C_i = E_k(P_i xor C_i-1) for i = 1, ..., n
|
|
- Decryption: P_i = D_k(C_i) xor C_i-1 for i = 1, ..., n
|
|
- Requires padding of P_n to b bit
|
|
|
|
|
|
|
|
- Requires a fresh IV for each plaintext to encrypt!
|
|
If same IV is reused on P and P*, then C_1 and C_1* reveal whether P_1 = P_1*
|
|
- Vulnerable to a padding-oracle attack
|
|
|
|
Should not be used anymore
|
|
|
|
|
|
|
|
### Counter Mode (CTR)
|
|
|
|
- IV public, fresh for each plaintext
|
|
- Encryption: C_i = E_k(IV+i) xor P_i for i = 1, ..., n
|
|
- Decryption: P_i = C_i xor E_k(IV+i) for i = 1, ..., n
|
|
|
|
|
|
|
|
Properties:
|
|
|
|
- CTR does not require padding
|
|
- Ciphertext has the same size as plaintext
|
|
- CTR turns a block cipher into stream cipher
|
|
- CTR encryption and decryption can be parallelized
|
|
|
|
|
|
|
|
|