Computer and Network Security notes
Tipologia: Dispense
Slide password: }DIAGamat1c{++
The internet started with no security at all and has been patched ever since, which from an engineering point of view is not a good way to build a system. What is information security? There are many definitions, but we are interested in its most important ingredients:
- Confidentiality (or privacy): here we treat data and information as the same thing, no difference. Confidentiality means that access to data is given only to the people who have the right to access it; everybody else must not be able to read it.
- Data integrity: when I store data, or obtain data (for example by downloading a file), I want to be sure that what I get is the original data. It must not have changed, and I must be sure of this. What if an attacker changes it and hands you a different file? This is the most frequent attack, the man-in-the-middle (MITM) attack: the MITM can read the content of every communication and can also change that content.
- Data authentication: I may be downloading the right file, the one that is on the web, but is that file what the original publisher meant to upload? Data integrity and data authentication often go together.
- Authentication (of users): you usually authenticate yourself with a username and a password. That is the worst way to do authentication, very weak, but we still use it.
- Availability: information must be available to everyone who has the right to access it.
What is cryptography? In some books you will read that cryptography is the art of hiding information: changing it into something that looks different, in such a way that people cannot understand the real content without the algorithm. Modern cryptography has invented new tools to ensure data integrity as well; today we study cryptography to obtain all the properties listed above, not only encryption. Cryptography gives you a mathematical model, which you then transform into a running program. Later we will also look at system security, for instance how a firewall works, and at permissions (when you download a file, it comes with permissions).

Talking about security, there are basically two types of attack. The first is attacks by automatic tools: as soon as you connect to the internet you can observe that you are receiving many attacks, because automatic tools simply walk through the roughly four billion IPv4 addresses and check whether a port is open, and so on. We do not notice because our computers run a firewall. Then there are targeted attacks, where someone collects information about you for months, even years, and then attacks you. These are very dangerous.

The original meaning of cryptography is encryption. We generally talk about "messages", but a message can also be a file on your computer or a stream: the message is the information you want to hide. Encryption takes the message and turns it into something not understandable; the symmetric operation, decryption, takes that and returns the original message. This is done with an encryption function and a decryption function that are paired. Algorithms get updated, because as time passes new methods and new technologies are discovered, but the main idea stays the same. To encrypt and decrypt we use an encryption algorithm E and a decryption algorithm D, together with an encryption key and a decryption key, which are just inputs to the algorithms: no meaning, just a string of bits. So you have C = E(k1, m), where k1 is the key, m is called the plaintext and C is called the ciphertext; decryption with the paired key k2 gives back m = D(k2, C).
Then we have the typical attack model: the attacker is able to access the communication line. That is really easy, both on a cable and on a wireless connection. We assume that every attacker can easily read what we are transmitting, so we must send ciphertext, not plaintext.
There are two types of attacker. The passive attacker is the weakest: he can only intercept what we are transmitting. The active attacker can instead modify the message being sent and can also send a message claiming to be someone else. In packet sniffing (a passive attack) the intruder Trudy reads all the information that Bob sends to Alice and vice versa. IP spoofing (an active attack) is based on lying about the identity of the sender. The man-in-the-middle attack can run at different levels. A denial of service (DoS) is an attack on the availability of a service, whatever the service is, and is carried out by sending many packets to the attacked host. Take the TCP handshake: a SYN packet means "I want to open a connection", and the server answers with a SYN-ACK packet. That is how the protocol works. If the client is an attacker, on receiving the SYN-ACK from the server it never sends the final ACK, and the server keeps waiting for it. The server keeps a data structure with an entry for every half-open connection; if such requests are very frequent and all the clients leave their connections half open, that structure fills up, and when another client sends a request the server cannot accept it, because the memory reserved for pending requests is full. This attacks the availability of the service.
(Figure: Alice, Bob and Trudy.)
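The half-open-connection mechanism described above, as an added example (not code from the original notes): a tiny model of a server's pending-connection table with a constructed capacity, replayed over a constructed packet trace, plus a detector that flags sources whose SYNs are almost never completed with an ACK. The capacity, addresses and threshold values are assumptions of this example.

```python
"""Half-open TCP connections, backlog exhaustion and SYN-flood detection.
Added example with constructed data; not part of the original notes."""
from collections import defaultdict

BACKLOG = 4  # assumed capacity of the server's half-open table


class Listener:
    """Minimal model of a listening socket: stores one entry per half-open connection."""

    def __init__(self, backlog=BACKLOG):
        self.half_open = {}        # (src, sport) -> "SYN_RECEIVED"
        self.established = set()
        self.dropped = 0
        self.backlog = backlog

    def on_packet(self, src, sport, flags):
        key = (src, sport)
        if flags == "SYN":
            if len(self.half_open) >= self.backlog:
                self.dropped += 1          # table full: the new client is refused
                return "DROPPED"
            self.half_open[key] = "SYN_RECEIVED"
            return "SYN-ACK"               # server answers and waits for the final ACK
        if flags == "ACK" and key in self.half_open:
            del self.half_open[key]        # handshake completed, entry released
            self.established.add(key)
            return "ESTABLISHED"
        return "IGNORED"


def replay(packets, backlog=BACKLOG):
    """Feed a packet trace to a fresh Listener; return the server's reactions and its state."""
    listener = Listener(backlog)
    return [listener.on_packet(*p) for p in packets], listener


def detect_syn_flood(packets, ratio=0.8, min_syns=3):
    """Flag sources that send at least min_syns SYNs and complete at most (1-ratio) of them."""
    syns, acks = defaultdict(int), defaultdict(int)
    for src, _, flags in packets:
        if flags == "SYN":
            syns[src] += 1
        elif flags == "ACK":
            acks[src] += 1
    return sorted(s for s, n in syns.items()
                  if n >= min_syns and (n - acks[s]) / n >= ratio)


# Constructed trace: (source address, source port, TCP flag of interest).
PACKETS = [
    ("10.0.0.5", 40001, "SYN"), ("10.0.0.5", 40001, "ACK"),   # legitimate client completes
    ("198.51.100.7", 1, "SYN"), ("198.51.100.7", 2, "SYN"),   # attacker: SYNs, never an ACK
    ("198.51.100.7", 3, "SYN"), ("198.51.100.7", 4, "SYN"),
    ("10.0.0.9", 40002, "SYN"),                               # legitimate client, arrives too late
]

if __name__ == "__main__":
    reactions, listener = replay(PACKETS)
    print(reactions)                       # last entry is DROPPED: the table is full
    print("half-open:", len(listener.half_open), "dropped:", listener.dropped)
    print("flooding sources:", detect_syn_flood(PACKETS))
```

The model shows the unmitigated case the notes describe; real servers limit the damage with SYN cookies, which let the server answer SYN-ACK without storing any state until the ACK arrives.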
We do not want the attacker to learn even partial information about the message. For instance, if we send the same encrypted message every day at the same time, the attacker can see that the length is always the same: that is information. There are protocols implementing this behaviour: same plaintext, same algorithm, same key, but a different ciphertext every time. It is also possible that the attacker knows both a plaintext and its ciphertext, so he could try to generate all possible keys. We want this to be hard, meaning computationally hard to try all possibilities: if the key has N bits, it takes 2^N tries to cover all of them, which is exponential in N; but if N is small enough the key is easy to determine. As time passes we need longer keys, because the computational power of computers grows. This is very important: the attacker uses brute-force attacks, and what we want is that no adversary can determine any meaningful information about the message m. The attacker could collect small pieces of information and then prepare the attack.
The typical model is this: the attacker knows the algorithms E and D, the message space, and at least partial information about the message m; he does not know the key k or the full message. Julius Caesar used the shift cipher: the key is just an integer and the algorithm shifts the characters, so for example with k = 2, A becomes C, B becomes D, and so on. The substitution cipher works like this: you have a random permutation of the characters. The key space has size 26!, which seems large, but in every language the letters have a statistical distribution, so it is easy to analyse a ciphertext like this.
This theorem (due to Shannon) says that a cipher cannot be perfect if the size of its key space is smaller than the size of its message space. It is proved by contradiction.
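The argument behind the theorem, written out as an added note in the notation used in these notes ($\mathcal{K}$ the key space, $\mathcal{M}$ the message space, $E$ and $D$ the encryption and decryption algorithms); it is not part of the original page.

Perfect secrecy means $\Pr[M = m \mid C = c] = \Pr[M = m]$ for every message $m$ and every ciphertext $c$ that can occur, equivalently $\Pr[C = c \mid M = m] = \Pr[C = c]$. Fix one ciphertext $c$ with $\Pr[C = c] > 0$. Then for every $m \in \mathcal{M}$

$$\Pr[C = c \mid M = m] = \Pr[C = c] > 0,$$

so for every $m$ there is at least one key $k_m$ with $E(k_m, m) = c$. Decryption is a function, so $D(k, c)$ is a single message for each key $k$; hence $m \neq m'$ forces $k_m \neq k_{m'}$, and $m \mapsto k_m$ is injective. Therefore $|\mathcal{K}| \ge |\mathcal{M}|$. Conversely, if $|\mathcal{K}| < |\mathcal{M}|$, some message $m$ has no key sending it to $c$, so $\Pr[C = c \mid M = m] = 0 \neq \Pr[C = c]$ and perfect secrecy fails. The one-time pad meets the bound with equality: $|\mathcal{K}| = |\mathcal{M}| = 2^N$ for $N$-bit messages.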
- Eavesdropping: the attacker can get the messages exchanged in a private conversation.
- Known plaintext: the attacker has some samples of C and P. He has some pairs, all produced by the same encryption algorithm, but he does not have the key. To discover a key of N bits we need at most 2^N tries; this is a brute-force attack. For example, 2^128 is a very high number. But if a mathematician finds some mathematical property that lets you exclude part of the keys, he will say that the algorithm is broken; from our practical point of view it may make no difference.
- Chosen plaintext: the attacker can submit some plaintext of his choice to be encrypted and obtain the ciphertext, without knowing the key. This too can be useful.
- Adaptive chosen plaintext: the variant where each input to the algorithm is chosen on the basis of the previous results. More powerful, but also more difficult to mount.
- Chosen ciphertext: the attacker chooses some C and obtains the corresponding P.

Chosen-plaintext and chosen-ciphertext attacks are also called "lunch-time attacks", because it is easy to imagine the analyst leaving his room for lunch while the attacker is free to use his tools.

Security today is based on computational power. What is the threshold? It is a limit that grows over time. In the 70s a 56-bit key looked like a good threshold; it was not. 80 bits is a large number, but Google has broken even an algorithm with an 80-bit key. Today 128 bits is secure, and many people already use 256-bit keys.

The stream cipher approach is based on the idea of the one-time pad. A secret key, called the seed, is used to generate a byte stream (the keystream), long enough to encrypt the message. The function producing the next bytes uses either the seed alone (the synchronous case) or the seed together with the previously produced bytes (the asynchronous, or self-synchronising, case). Managing a key is like managing a password: to protect it I need another key. Where do I store that one? The new key is simpler. Then I store it under yet another key, simpler still, and so on, until in the end I have only one simple key to remember. We will see how this works. The block cipher is the other logical way to organise the operations: an encryptor takes a plaintext of fixed size and produces a ciphertext of fixed size. For any given length N: if the keystream is truly random (and used only once), the One Time Pad is a perfect cipher.
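The stream-cipher and one-time-pad ideas above, as an added example (not code from the notes): a synchronous keystream generated from a seed, a true one-time pad from `os.urandom`, and the reason the pad must never be reused. The keystream generator (SHA-256 in counter mode) is an assumption of this example, chosen only because it is in the standard library; the two messages are constructed.

```python
"""Keystream encryption, the one-time pad, and what reusing a keystream leaks.
Added example, not part of the original notes."""
import hashlib
import os


def keystream(seed: bytes, length: int) -> bytes:
    """Synchronous keystream: depends on the seed and a counter only, never on the data.
    SHA-256 in counter mode is an assumption of this example, not a named standard cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(seed: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(seed, len(plaintext)))


decrypt = encrypt  # XOR with the same keystream is its own inverse


def one_time_pad(plaintext: bytes):
    """Perfect cipher: truly random key as long as the message, used exactly once."""
    key = os.urandom(len(plaintext))
    return key, xor_bytes(plaintext, key)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Same keystream on two messages: c1 XOR c2 = m1 XOR m2, the key cancels out."""
    return xor_bytes(c1, c2)


def crib_drag(m1_xor_m2: bytes, crib: bytes, position: int) -> bytes:
    """A known (or guessed) fragment of one message at `position` reveals the other one there."""
    return xor_bytes(m1_xor_m2[position:position + len(crib)], crib)


if __name__ == "__main__":
    seed = b"shared-seed"                               # constructed
    m1 = b"transfer 100 EUR to account 42"             # constructed
    m2 = b"transfer 999 EUR to account 13"             # constructed
    c1, c2 = encrypt(seed, m1), encrypt(seed, m2)      # same seed reused: the mistake
    diff = two_time_pad_leak(c1, c2)
    print(crib_drag(diff, b"transfer ", 0))            # known header -> header of m2
    print(crib_drag(diff, b"100", 9))                  # amount of m1 -> amount of m2
```

Note also what the ciphertext length reveals: `len(c1) == len(m1)`, which is exactly the "same length every day" leak mentioned above. A real stream cipher therefore needs a fresh nonce per message, and even the one-time pad hides nothing about length.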
Is any of you watching the Hackmageddon website? Staying up to date becomes a job: you have to spend an hour every day reading specific websites, news, forums and so on. It is not easy to keep up with attacks. More important than knowing a specific list of attacks is knowing the techniques that have been employed to run them. What is still important today is the human
header part. Email clients, and even the web interfaces that let people read and write email, are normally not set up so that you can easily find the real sender. You have to look for the specific command that shows the whole source of the email. As an exercise, find out how to display the full content, headers included, of one of your emails.
I want to discuss some basic concepts of algebra and mathematics, because modern cryptography is strongly based on them, even if we can agree that our job will not be to design a new encryption algorithm. Maybe, if you like, but it requires strong mathematical skills: if you are really interested you have to study a first introduction to cryptography, more mathematics, attend some courses, and after that maybe you can become a strong cryptanalyst. It is a very nice field; successful people risk being rich for the rest of their life. Normally people are not targeting money in life, they are targeting happiness. What is happiness? A good cipher. Anyway, in order to understand some ingredients we need the basics of mathematics, for discussing parts of the encryption algorithms and also hash functions. In order to talk about groups we start from a set. The set can be finite or infinite, and over it a binary operation is defined; here you see it written as addition, but always remember that the addition sign is just a name: you have to define the operation yourself, and it is not necessarily the traditional addition (in many cases it will be, but you can define a different one). If the properties listed here are satisfied, we are talking about an abelian group. What are the properties?
multiplication, where the identity element is the number 1. So it is very important, when revisiting these concepts, to remember that what we read here are just symbols: this 0 does not mean the number 0, it is the symbol we use because the operation is written with +. In other cases you use the dot, recalling the product, and then you write the identity element as 1. This can lead to misunderstandings, so I want to point it out.
Def: Two natural numbers a and b are said to be congruent modulo n (n a positive integer), written a ≡ b (mod n), if |a - b| is a multiple of n or, equivalently, if the integer divisions of a by n and of b by n yield the same remainder.
Now, can you calculate 7^200 mod 127? You can use Euler's theorem, because 127 is a very nice number. Is 127 prime? Yes; you can prove it by checking that it is not divisible by any number from 2 to floor(sqrt(127)) = 11. What is the size of Z_127^*? 126. So 7^126 mod 127 is equal to 1, and you can compute 7^200 just by reducing the exponent modulo 126: 200 = 126 + 74, so 7^200 ≡ 7^74 (mod 127). Another hint: 74 is just 37 times 2, so 7^74 = (7^2)^37 = 49^37 mod 127. In general, if you have a group G and an element a of G of order n, you can consider all its powers a^0, a^1, ..., a^(n-1). This set is called ⟨a⟩ and is a subgroup of G; a is called the generator of ⟨a⟩. If G is generated by a, G is called cyclic and a is a primitive element of G. There is a theorem saying that for any prime p, Z_p^* is cyclic.
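The exponent reduction and the notions of order, generated subgroup and primitive element, as an added example (not code from the notes). It uses only the standard library and checks the 7^200 mod 127 computation above against Python's own modular exponentiation.

```python
"""Euler's theorem, exponent reduction and cyclic groups Z_p^*.
Added example, not part of the original notes."""
from math import gcd


def is_prime(n):
    """Trial division up to sqrt(n): enough for the small moduli used in class."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def euler_phi(n):
    """Number of elements of Z_n coprime to n, i.e. the size of Z_n^*."""
    return sum(1 for a in range(1, n + 1) if gcd(a, n) == 1)


def pow_mod_reduced(a, e, n):
    """a^e mod n after reducing e modulo phi(n); valid only when gcd(a, n) = 1."""
    if gcd(a, n) != 1:
        raise ValueError("Euler's theorem needs gcd(a, n) = 1")
    return pow(a, e % euler_phi(n), n)


def order(a, p):
    """Multiplicative order of a in Z_p^*: the smallest k > 0 with a^k = 1 (mod p)."""
    k, x = 1, a % p
    while x != 1:
        x = x * a % p
        k += 1
    return k


def generated_subgroup(a, p):
    """<a> = {a^0, a^1, ..., a^(n-1)} where n is the order of a."""
    return {pow(a, i, p) for i in range(order(a, p))}


def is_primitive(a, p):
    """a generates the whole of Z_p^* exactly when its order is p - 1."""
    return order(a, p) == p - 1


def primitive_roots(p):
    return [a for a in range(1, p) if is_primitive(a, p)]


if __name__ == "__main__":
    print(is_prime(127), euler_phi(127))                  # True 126
    print(pow(7, 126, 127))                               # 1, by Euler/Fermat
    print(pow_mod_reduced(7, 200, 127), pow(7, 200, 127)) # same value, exponent 74
    print(len(primitive_roots(127)))                      # phi(126) = 36 generators
```

The number of generators of Z_p^* is phi(p - 1), so for p = 127 there are phi(126) = 36 primitive elements; the test below checks that count rather than any single generator.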
Let's talk about rings and fields. For rings we are interested in commutative rings with identity. You have a set of properties here and two operations, traditionally denoted as addition and multiplication; if you check the left side you recognise that we are just asking that the set F with the operation + is a commutative group. For the second operation you still see closure, associativity and commutativity, and there is an identity (you see two different symbols for the identities of the first and of the second operation). The last property you want is the one linking the two operations, the distributive property: to compute the product of a and the sum of b and c you can distribute the product over the addition. In this case we talk about commutative rings. We are requesting property number 9. What you see here is all about commutative rings with identity. If you add one more property to a commutative ring with identity, the existence of an inverse for the second operation, you get a field: you see the definition, a times its inverse gives the identity, and the inverse exists for every element of the set except the identity of the first operation. This is a field; modern cryptography is based on finite fields. Z_n with addition and multiplication is a ring but not always a field: Z_n \ {0} is not a group with respect to multiplication, because you lose closure (in Z_12, for instance, 2 · 6 = 0). When you consider Z_p with p prime, it happens that Z_p^* = Z_p \ {0} is a group with respect to multiplication.
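The difference between the ring Z_n and the field Z_p, as an added example (not code from the notes): which elements have an inverse, the extended Euclidean algorithm that computes it, closure of the non-zero elements under multiplication, and the root count of a polynomial, including the 6x = 0 in Z_12 case discussed later in these notes.

```python
"""Z_n as a ring, Z_p as a field: units, inverses, closure and polynomial roots.
Added example, not part of the original notes."""
from math import gcd


def units(n):
    """Elements of Z_n that have a multiplicative inverse: exactly those coprime to n."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def inverse(a, n):
    """Inverse of a modulo n by the extended Euclidean algorithm, or None if it does not exist."""
    r0, r1, s0, s1 = n, a % n, 0, 1          # invariant: r_i = s_i * a (mod n)
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    return s0 % n if r0 == 1 else None       # r0 is gcd(a, n)


def closed_under_multiplication(elements, n):
    """Group axiom that fails for Z_n \\ {0} when n is composite."""
    return all((a * b) % n in elements for a in elements for b in elements)


def evaluate(coeffs, x, n):
    """Value of c0 + c1 x + c2 x^2 + ... at x, modulo n (coeffs listed from degree 0)."""
    return sum(c * pow(x, i, n) for i, c in enumerate(coeffs)) % n


def roots(coeffs, n):
    """All x in Z_n with p(x) = 0; over a field there are at most deg(p) of them."""
    return [x for x in range(n) if evaluate(coeffs, x, n) == 0]


if __name__ == "__main__":
    print(units(12), inverse(2, 12), inverse(5, 12))          # [1, 5, 7, 11] None 5
    print(roots([0, 6], 12))                                  # six roots of 6x in Z_12
    print(roots([0, 6], 13))                                  # one root in the field Z_13
    print(closed_under_multiplication(set(range(1, 12)), 12)) # False: 2*6 = 0
    print(closed_under_multiplication(set(range(1, 13)), 13)) # True
```

The degree-1 polynomial 6x has six zeros in Z_12 because 6 is a zero divisor there; in Z_13 every non-zero element is invertible, so 6x = 0 forces x = 0, as the "at most n solutions" statement requires.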
Look at this definition: we ask that F is a group with respect to addition, that F \ {0} is a group with respect to multiplication, plus the distributive property. This is an equivalent way to state the definition of a field: in practice you want a commutative group for each operation, plus distributivity. Some operations that matter when computing the encryption of information can be expressed as operations between polynomials, so we should make clear which polynomials we are going to consider. We consider polynomials over fields: here you see the traditional notation for a polynomial of degree n in one variable x defined over a field F. All the coefficients are elements of the field, and a power is just repeated multiplication in the field, so these behave like standard polynomials but with the operations defined over F. The equation obtained by setting a polynomial of degree n equal to 0 has at most n solutions in F. We are not surprised, this is fundamental; but if you are not working over a field the picture changes. Over a ring with identity, where we do not have multiplicative inverses, the equation 6x = 0 in Z_12 has 6 solutions, even though the polynomial has degree 1. You can easily meet strange cases like this, a first-degree equation with 6 solutions, because Z_12 is not a field: it is not a group with respect to multiplication, and for instance the number 2 has no multiplicative inverse. The next slides contain some statements and some lines of code; there are several tools for symbolic computation, like Matlab. I am not going to discuss those lines, they are just examples showing the properties. First definition: given two polynomials f(x) and g(x) over a field F, the first of degree n and the second of degree m, with m ≤ n.
It is easy to prove that there exists exactly one polynomial r(x), of degree less than m, such that f(x) (the polynomial of higher degree) can be written as the product of g(x) and another polynomial h(x), plus r(x): f(x) = g(x)h(x) + r(x). This r(x) is unique. That is the statement of the theorem; the polynomial r(x) is called the remainder of f(x) mod g(x), because you can see it as the remainder of the division of f(x) by g(x). Of course the remainder has degree smaller than the degree of g(x). Definition: a field F is finite if the set F is finite.
Consider polynomials of degree at most 4 over Z_2, that is, with coefficients that are just bits. Here is a possible one; in this particular case its degree is 3. You can describe such a polynomial as its vector of coefficients; a leading 0 means the degree-4 term is absent.
I want to mention a very interesting aspect, not trivial, and in my opinion not sufficiently covered in textbooks. Assume a transmission of information; you are the attacker, you get the ciphertext (assume it is just one block), you do not know the key, and you start trying all possible keys. We already said there are too many keys, but take the case of a small key, like the very old 56-bit DES key: you can manage to generate all possible keys. What happens? You have the ciphertext and you know the algorithm (DES here, but it could be any other). You try all possible keys. Since this is just an algorithm, when you give it a ciphertext and a wrong key you still get an output: it should be the plaintext, but with the wrong key you get a wrong plaintext. What is it? Whatever. What does it look like? Garbage. So, how can the adversary understand that he has found the good key? This is a very important question. Is the adversary able to tell that he has just found the good key? If after trying a key he gets some meaningful text, in whatever language, he can say ok, I found it. But what if the original plaintext was not English text? What if it was just a sequence of numbers, say coordinates? That is not so easy, because if the original plaintext was a sequence of numbers, with whatever key you get a sequence of numbers: how do you tell whether the sequence is the correct one? So the adversary faces an additional problem: if he has no information about the nature and the characteristics of the plaintext, it is very difficult to recognise, while brute forcing, that the right key has been found. And how many keys per second does he want to try? Very many, otherwise it takes too much time; so the adversary cannot inspect the outcome of each key by eye. He is running a program that tests many keys and analyses the output automatically. It is not so easy.

In some cases the adversary may be lucky: instead of testing whether the output is a good plaintext, he can use this output as input for the next block; if the next block works, the input was good. This is a very particular case. In general, a brute-force attack requires the adversary to make some effort to understand whether the key just used was good or not. Not trivial.

Let me make it a little more complicated. For some reason, when Alice sends information to Bob, Alice may agree with Bob to put a prefix before the message. A prefix is a standard pattern, known only to Alice and Bob, so Bob can get some confirmation. Why is this needed? Because Bob has the same problem the attacker has. Suppose an attacker running a man-in-the-middle attack changes the content of the transmission: the message Alice sends to Bob is modified, so Bob gets a wrong ciphertext; he knows the good key, uses it to decrypt the wrong ciphertext, and gets garbage. If the original plaintext was English text, Bob will be able to notice that the information has been changed. But if the original message was just a sequence of numbers, what is the impact on Bob? He gets a sequence of numbers, and it is not so easy for him to notice the attack. With a prefix, Bob decrypts the message and expects to find the pattern; if it is there, he trusts the content. This is a very simple approach that somewhat anticipates the meaning of data integrity, because we will study measures that guarantee data integrity; here Alice and Bob are just concerned about it. The pattern can be at the beginning, at the end, in the middle, whatever: once it has been agreed, the two parties can use it to distinguish a good message from a bad one. I close the parenthesis.
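The key-recognition problem and the agreed-prefix remedy, as an added example (not code from the notes). To keep the key space exhaustible, it uses a toy cipher constructed for this example: digits are encrypted by adding a repeating 4-digit key modulo 10, so there are exactly 10^4 keys and every one of them turns digit ciphertext into digit plaintext. The key, prefix and message are constructed.

```python
"""Recognising the right key in a brute-force attack, with and without an agreed prefix.
Added example built on a toy digit cipher; not part of the original notes."""
import itertools

KEY_LENGTH = 4
PREFIX = "0000"   # constructed pattern agreed between Alice and Bob


def digit_encrypt(plaintext, key):
    """Add key digits to plaintext digits modulo 10, repeating the key (Vigenère over digits)."""
    return "".join(str((int(p) + int(key[i % len(key)])) % 10) for i, p in enumerate(plaintext))


def digit_decrypt(ciphertext, key):
    return "".join(str((int(c) - int(key[i % len(key)])) % 10) for i, c in enumerate(ciphertext))


def all_keys(n=KEY_LENGTH):
    """The whole key space: 10^n strings of n digits."""
    return ("".join(t) for t in itertools.product("0123456789", repeat=n))


def keys_giving_digits(ciphertext):
    """The naive 'does it look like numbers?' test accepts every single key."""
    return sum(1 for k in all_keys() if digit_decrypt(ciphertext, k).isdigit())


def brute_force_with_prefix(ciphertext, prefix=PREFIX):
    """Keep only the keys whose decryption starts with the agreed pattern."""
    return [k for k in all_keys() if digit_decrypt(ciphertext, k).startswith(prefix)]


def bob_receive(ciphertext, key, prefix=PREFIX):
    """Bob's check: decrypt, require the prefix, return the body or None if it is missing."""
    plaintext = digit_decrypt(ciphertext, key)
    if not plaintext.startswith(prefix):
        return None
    return plaintext[len(prefix):]


def tamper(ciphertext, position):
    """Man in the middle flips one ciphertext digit (constructed modification)."""
    return ciphertext[:position] + str((int(ciphertext[position]) + 5) % 10) + ciphertext[position + 1:]


if __name__ == "__main__":
    key = "4711"                               # constructed secret key
    coordinates = "51234567"                   # constructed numeric message
    c = digit_encrypt(PREFIX + coordinates, key)
    print(c, keys_giving_digits(c))            # every one of the 10000 keys "works"
    print(brute_force_with_prefix(c))          # with the prefix, exactly one key survives
    print(bob_receive(tamper(c, 1), key))      # None: tampering inside the prefix is caught
    print(bob_receive(tamper(c, 6), key))      # body changed but accepted: prefix covers only itself
```

The last line is the caveat a practitioner wants: with this additive toy, a change to one ciphertext digit changes only the corresponding plaintext digit, so the prefix detects garbage only where the prefix itself sits. With a block cipher a single flipped bit scrambles the whole decrypted block, which is why a prefix inside the block helps there; but in both cases a real integrity check (a MAC, covered later in the notes) is the proper measure.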
We can now look again at the characteristics of the Rijndael algorithm (AES). It has a fixed block size and can work with three possible key lengths (128, 192 and 256 bits). The larger the key, the more secure the algorithm and the more resistant it is to brute-force attacks. Even the smallest length, 128 bits, is large enough to resist brute force with today's computational power: it requires a very high number of attempts to find the right key. So far, AES has resisted all the attacks that have been tried against it. It is very fast, because Rijndael uses only operations that are available as primitives on every hardware (shift, xor, replacing the content of a cell and so on): all quick elementary CPU operations, and the code is also very compact. This means you can use it in modern devices too, because in the current era most encryption algorithms should run on
new iteration on this state matrix, taking the output of the previous operation and some more bits from the secret key. As we already commented, this means the key material needs to be longer than the original key: each iteration xors the 128-bit state bit by bit with 128 bits of key, so every round needs 128 key bits. With a key of this size (128 bits) Rijndael uses 10 rounds. People studying the algorithm and trying to crack Rijndael also considered weakening it by decreasing the number of rounds: some attacks succeed against 1, 2, 3 or 4 rounds, but from 6 rounds on all known attacks have been unsuccessful. Each round makes the state a little more complicated, applying highly non-linear operations on the bits, and every operation applied to the state matrix must be invertible, otherwise you cannot decrypt: the function that transforms the matrix is at every moment a one-to-one function. So, here is the description of the 4 steps.
Let's see the other steps. The next one is ShiftRows, very simple: the first row does not shift, the second shifts by 1 position, the third by 2 and the fourth by 3. This step is easily invertible. Next is MixColumns: every column of the state is considered as a polynomial over GF(2^8), that is, the four bytes in the column are the coefficients of a polynomial, which is multiplied by a fixed invertible polynomial (in the standard, c(x) = {03}x^3 + {01}x^2 + {01}x + {02}, modulo x^4 + 1). So you take the first column, view it as the coefficient vector of a polynomial, multiply it by the fixed polynomial, and replace the column with the coefficients of the result. The operation is invertible because that polynomial has an inverse. So the sequence of operations is: substitution (SubBytes), ShiftRows, MixColumns, and the final xor (AddRoundKey) between the bits coming from the key and the bits obtained by mixing the columns. The last step is just a xor, and xor is invertible. About making the key longer: with a 128-bit key you run 10 rounds and every round needs 128 key bits for the xor with the state, which is the 1280 bits counted in the lecture; there is also one key addition before the first round, so the expansion actually produces 11 round keys, 1408 bits in total. You understand you need a key expansion (key schedule). I will not go into details, because the definition depends on the key length; there is a well-known book by the two designers of Rijndael, Daemen and Rijmen, containing all the math needed to implement every detail. What is nice is that the two wrote the book after designing the algorithm, and it is amusing to think that they did some reverse engineering of their own algorithm just to justify the numbers; I don't know whether this is really true. Is Rijndael strong? Very, very strong: the strongest among the symmetric block ciphers we use today. Nobody is able to break 5 or 6 rounds.
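The round operations just described, and the polynomial-remainder arithmetic from the earlier section (reduction of a polynomial over Z_2 modulo a fixed polynomial, here the AES polynomial x^8 + x^4 + x^3 + x + 1), as one added example (not code from the notes or from the AES designers). It builds GF(2^8) multiplication, derives the S-box from the field inverse plus the standard affine map, and implements ShiftRows and MixColumns together with their inverses; the state is held as four columns of four bytes, which is an implementation choice of this example. The two column vectors in the usage section are the published FIPS-197 examples.

```python
"""AES round operations on the 4x4 state: GF(2^8) arithmetic, the S-box from the field
inverse, ShiftRows, MixColumns, AddRoundKey and their inverses. Added example."""

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1: multiplication is reduced modulo this polynomial


def gf_mul(a, b):
    """Multiply two bytes as polynomials over Z_2, reducing the product modulo AES_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:          # degree reached 8: subtract (xor) the modulus
            a ^= AES_POLY
        b >>= 1
    return r


def gf_inv(a):
    """Multiplicative inverse in GF(2^8) as a^254 (Fermat in the field); 0 maps to 0."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def sbox(b):
    """SubBytes on one byte: field inverse followed by the fixed affine transformation."""
    x = gf_inv(b)
    rotl = lambda v, s: ((v << s) | (v >> (8 - s))) & 0xFF
    return x ^ rotl(x, 1) ^ rotl(x, 2) ^ rotl(x, 3) ^ rotl(x, 4) ^ 0x63


SBOX = [sbox(i) for i in range(256)]
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i       # the S-box is a permutation, so it inverts by lookup


def sub_bytes(cols, table=SBOX):
    return [[table[b] for b in col] for col in cols]


def shift_rows(cols):
    """Row r of the state is rotated left by r positions; cols[c][r] is row r of column c."""
    return [[cols[(c + r) % 4][r] for r in range(4)] for c in range(4)]


def inv_shift_rows(cols):
    return [[cols[(c - r) % 4][r] for r in range(4)] for c in range(4)]


def mix_column(col, coeffs=(2, 3, 1, 1)):
    """Multiply the column, seen as a polynomial over GF(2^8), by c(x) modulo x^4 + 1.
    coeffs (2,3,1,1) is the first row of the circulant MixColumns matrix."""
    out = []
    for r in range(4):
        v = 0
        for i in range(4):
            v ^= gf_mul(coeffs[(i - r) % 4], col[i])
        out.append(v)
    return out


def mix_columns(cols):
    return [mix_column(c) for c in cols]


def inv_mix_columns(cols):
    return [mix_column(c, (14, 11, 13, 9)) for c in cols]   # coefficients of c(x)^-1


def add_round_key(cols, key_cols):
    """The only step that involves the key: a bitwise xor, its own inverse."""
    return [[b ^ k for b, k in zip(col, kcol)] for col, kcol in zip(cols, key_cols)]


def round_function(cols, key_cols):
    return add_round_key(mix_columns(shift_rows(sub_bytes(cols))), key_cols)


def inv_round_function(cols, key_cols):
    return sub_bytes(inv_shift_rows(inv_mix_columns(add_round_key(cols, key_cols))), INV_SBOX)


if __name__ == "__main__":
    print(hex(gf_mul(0x57, 0x83)))                       # 0xc1, the FIPS-197 worked product
    print([hex(v) for v in mix_column([0xdb, 0x13, 0x53, 0x45])])   # 8e 4d a1 bc
    print(hex(SBOX[0x53]))                               # 0xed
```

Every step is a bijection on the 128-bit state, which is exactly the invertibility requirement the notes insist on: `inv_round_function(round_function(s, k), k)` returns `s` for any state and round key. The key schedule that produces the eleven round keys is left out, as in the lecture.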
Rijndael is considered impossible to break by brute force, even with the 128-bit key size, also because, don't forget the detail I told you, for every key you try you have to run something to understand whether that key was successful or not. I want to say something more important from a cultural point of view. When you check standards, many of them come from the Internet Engineering Task Force (IETF); you can read the documents, the RFCs. They are numbered; some of them are Internet standards, others are just proposals. In many cases you will find a standard saying that during some communication you should encrypt the information, by symmetric encryption. But the standard does not name Rijndael. Why not? A very simple answer: when deciding standards you use concepts, and the strength of the standard is in the concepts. Then you write another document saying that, for now, this is the list of the welcome algorithms for encryption, so that you can change this list from time to