Computer Network Security, lecture notes (Sicurezza dei Sistemi Informativi), academic year 2020/2021

Computer & Network Security
Giuliano Abruzzo
February 2, 2020

Contents

  • 1 Introduction
  • 2 Secret Key: Stream Ciphers & Block Ciphers
    • 2.1 Stream Cipher
      • 2.1.1 A5
      • 2.1.2 RC-4
    • 2.2 Block Ciphers
      • 2.2.1 AES
      • 2.2.2 ECB
      • 2.2.3 CBC
      • 2.2.4 PCBC
      • 2.2.5 CFB
      • 2.2.6 OFB
      • 2.2.7 CTR
      • 2.2.8 Initialization Vector
      • 2.2.9 Strengthening a cipher
  • 3 Data Integrity & Authentication
    • 3.1 MAC
    • 3.2 MAC based on CBC
    • 3.3 MAC based on hash functions
      • 3.3.1 SHA-1
      • 3.3.2 HMAC
      • 3.3.3 AE
  • 4 Public Key Cryptography
    • 4.1 Public Exchange of Keys
  • 5 RSA
    • 5.1 Math considerations
    • 5.2 RSA Protocol
    • 5.3 Attacks against RSA
      • 5.3.1 Factorization
      • 5.3.2 Weak Messages
      • 5.3.3 Chinese Remainder Attack
      • 5.3.4 Same N
      • 5.3.5 Multiplicative Property of RSA
      • 5.3.6 Chosen Ciphertext Attack
      • 5.3.7 Chosen Plaintext Attack
    • 5.4 RSA Standards
      • 5.4.1 Public-Key Cryptography Standard
      • 5.4.2 Optimal Asymmetric Encryption Padding
      • 5.4.3 El Gamal Encryption
  • 6 Digital Signature - DSA
    • 6.1 Standards for Digital Signatures
      • 6.1.1 RSA and PKCS#1
      • 6.1.2 El-Gamal Signature Scheme
    • 6.2 DSS, Digital Signature Standard
  • 7 Authentication
    • 7.1 Authentication by Symmetric Key
      • 7.1.1 Challenge/Response Authentication
      • 7.1.2 Timestamp Authentication
      • 7.1.3 Mutual Authentication
    • 7.2 Authentication through Third-Party
      • 7.2.1 First schema
      • 7.2.2 Needham-Schroeder Protocol
      • 7.2.3 Needham-Schroeder Protocol variant
      • 7.2.4 Needham-Schroeder Protocol Expanded
  • 8 Kerberos
    • 8.1 Kerberos preliminary implementation
    • 8.2 Kerberos simplified version
    • 8.3 Ticket-granting Ticket
    • 8.4 Kerberos Realms
  • 9 Authentication based on public keys & X.509 & PKI
    • 9.1 Needham-Schroeder public key
      • 9.1.1 Needham-Schroeder public key Attack
      • 9.1.2 Needham-Schroeder public key fixed variant
    • 9.2 X.509 Standard
    • 9.3 PKI: Public Key Infrastructure
      • 9.3.1 X.509 Certificate’s Fields
      • 9.3.2 Hierarchy of CAs
      • 9.3.3 Certificate Revocation
      • 9.3.4 OCSP
      • 9.3.5 PGP: Pretty Good Privacy
  • 10 Passwords
    • 10.1 Unix Password Hash
    • 10.2 Lamport’s Hash
    • 10.3 Encrypted Key Exchange, EKE
      • 10.3.1 SPEKE & PDM
  • 11 IPSEC
    • 11.1 Security Associations (SA)
    • 11.2 Transport & Tunnel Modes
      • 11.2.1 Transport Mode
      • 11.2.2 Tunnel Mode
    • 11.3 Authentication Header AH
    • 11.4 Encapsulating Security Payload ESP
    • 11.5 Combining Security Associations: SAs
      • 11.5.1 Transport Adjacency
      • 11.5.2 Transport-Tunnel bundle
  • 12 SSL/TLS
    • 12.1 SSL Architecture
    • 12.2 Handshake Protocol
      • 12.2.1 Fixed Diffie-Hellman
      • 12.2.2 Ephemeral Diffie-Hellman
      • 12.2.3 Anonymous Diffie-Hellman
    • 12.3 Attacks against TLS
      • 12.3.1 Downgrade Attack
      • 12.3.2 Heartbleed
  • 13 Firewalls
    • 13.1 Packet Filtering
    • 13.2 IPtables
      • 13.2.1 Examples of IPtables
    • 13.3 Bastion Host

1 Introduction

Cryptography and Security differ: Cryptography deals with the secrecy of information, while Security deals with problems of fraud, such as message modification or user authentication. Security may use Cryptography, and encryption does not stand alone without some form of authentication. We will write:

  • Encryption function: E;
  • Decryption function: D;
  • Encryption key: k1;
  • Decryption key: k2;
  • For every message m: D_k2(E_k1(m)) = m;
  • Secret key (symmetric): k1 = k2;
  • Public key (asymmetric): k1 ≠ k2;

A Threat is a menace, a source of danger; an Exploit is a piece of software, a chunk of data or a sequence of commands that takes advantage of a vulnerability to cause unintended or unanticipated behaviour on a computer. The communication model is:

A Threat (attack) model instead is:

The Adversary can be Passive, meaning it reads the exchanged messages without changing them, or Active, meaning it can modify the messages exchanged between Alice and Bob, or send fake messages claiming they were sent by someone else (Alice or Bob). The passive adversary model is also called Packet Sniffing, while the active adversary model is also called IP Spoofing, in which T is able to forge messages that look like messages sent by A or B by

The proof (that a perfect cipher needs at least as many keys as messages) is by contradiction:

  • Assume that the number of keys l is less than the number of messages n, i.e. l < n, and consider a ciphertext C0 with Pr(C0) > 0;
  • For each key k consider P = D_k(C0): there are at most l such plaintexts, one for each key;
  • Choose a plaintext P0 that is not of the form D_k(C0) for any key k; at least n − l such plaintexts exist;
  • Hence Pr(C0 | P0) = 0, but in a perfect cipher Pr(C0 | P0) = Pr(C0) > 0, a contradiction;

We have several different attack models:

  • Eavesdropping: the attacker secretly listens to the private conversation of others;
  • Known Plaintext: the attacker has samples of both plaintext and its encrypted version and uses them to reveal information such as secret keys;
  • Chosen Plaintext: the attacker can choose arbitrary plaintexts to be encrypted and obtain the corresponding ciphertexts; the goal is to gain information that reduces the security of the encryption scheme;
  • Adaptive Chosen Plaintext: the cryptanalyst makes a series of interactive queries, choosing subsequent plaintexts based on the information from the previous encryptions;
  • Chosen Ciphertext: the cryptanalyst gathers information, at least in part, by choosing a ciphertext and obtaining its decryption under an unknown key;
  • Physical Access;
  • Physical modification of messages;

2 Secret Key: Stream Ciphers & Block Ciphers

The idea is that Alice and Bob share:

  • a crypto protocol E;
  • a secret key k;
  • they communicate using E with key k;
  • the adversary knows E and some messages but does not know k;

There are two different approaches, Stream Ciphers and Block Ciphers:

2.1 Stream Cipher

The idea is to simulate the one-time pad: a secret key called the Seed is used to generate a byte stream called the Keystream:

  • The i-th byte is a function of:
    • only the key: synchronous stream cipher;
    • both the key and the first i − 1 bytes of the ciphertext: asynchronous (self-synchronizing) stream cipher;

In a synchronous stream cipher the keystream is generated independently of the plaintext and the ciphertext. So for a synchronous stream cipher we have:

2.1.1 A5

A5 is an encryption algorithm (1987) used to provide over-the-air communication privacy in the GSM cellular telephone standard. Initially it was kept secret, but the general design was leaked in 1994 and the algorithms were entirely reverse engineered in 1999.

2.1.2 RC-4

RC-4, or Ron's Code, is an algorithm that is easy to program, fast and very popular; it was considered safe between 1987 and 1994. Its properties:

  • Variable key length (in bytes);
  • Synchronous stream cipher;
  • Starting from the key it generates a random permutation;
  • Eventually the sequence repeats, but with a very long period (about 2^100), so it simulates a one-time pad;
  • It is very fast: 1 byte of output requires 8-16 instructions;
  • The goal is to generate a random permutation of the first 256 natural numbers;

Algorithm RC-4 Init
  j = 0; S_0 = 0, S_1 = 1, ..., S_255 = 255;
  assume a key of 256 bytes k_0, ..., k_255 (if the key is shorter, repeat it);
  for i = 0 to 255 do:
    j = (j + S_i + k_i) mod 256;
    exchange S_i and S_j;

2.2.1 AES

AES, the Advanced Encryption Standard, is a symmetric block cipher with a block size of 128 bits and key lengths of 128, 192 or 256 bits; it relies on finite-field algebra, and now have fun with umpteen mathematical formulas and almost useless concepts:

  • A set G with binary operation + (addition) is called a commutative group if:
    • ∀a, b ∈ G, a + b ∈ G;
    • ∀a, b, c ∈ G, (a + b) + c = a + (b + c);
    • ∀a, b ∈ G, a + b = b + a;
    • ∃ 0 ∈ G, ∀a ∈ G, a + 0 = a;
    • ∀a ∈ G, ∃ − a ∈ G, a + (−a) = 0;
  • Let (G, +) be a group, then (H, +) is a sub-group of (G, +) if it is a group and H ⊆ G;
    • The Theorem of Lagrange says that: if G is finite and (H, +) is a subgroup of (G, +) then |H| divides |G|;
  • Two integers a and b are congruent modulo n (n a positive integer), written a ≡ b (mod n), if:
    • |a − b| is a multiple of n, equivalently if the integer divisions of a by n and of b by n yield the same remainder;
    • The congruence relation is reflexive, symmetric and transitive, hence it is an equivalence relation;
    • The quotient set Z_n is the set of the n equivalence classes of 0, 1, ..., n − 1: −1 ≡ n − 1 (mod n), −2 ≡ n − 2 (mod n), etc.;
    • The properties of congruence, for all a, b, c ∈ N and n ≥ 1, are:
      • Invariance over addition: a ≡ b (mod n) ⇔ a + c ≡ b + c (mod n);
      • Invariance over multiplication: a ≡ b (mod n) ⇒ a · c ≡ b · c (mod n) (the converse holds only when gcd(c, n) = 1);
      • Invariance over exponentiation: a ≡ b (mod n) ⇒ a^k ≡ b^k (mod n) for all k ∈ N;
  • Let a^n denote a + a + ... + a (n times) (why a^n and not n·a? Only D'Amore knows; we spent two days wondering why the fuck he used this notation). We say that a has order n if a^n = 0 and a^m ≠ 0 for every m < n; every element of a finite group has finite order. With the multiplicative operator, where a^n denotes a · a · ... · a, the condition is a^n = 1;
  • Z_m is the set of natural numbers mod m; its elements are the equivalence classes of congruent integers;
  • Z_m^* is the set of natural numbers mod m that are coprime to m, the multiplicative group of Z_m;
  • φ(m) is Euler's totient function and equals |Z_m^*|;
  • Euler's theorem says that for all a ∈ Z_m^*, a^φ(m) ≡ 1 (mod m), so a^(k·φ(m)+1) ≡ a (mod m) for k ≥ 0;
    • This extends to every a ∈ Z_m when m = pq with p, q distinct primes: a^(k·φ(m)+1) ≡ a (mod m), k ≥ 0;
  • In short: Z_m is the set of natural numbers taken modulo m, i.e. the classes of the numbers from 0 to m − 1; Z_m^* is the subset of Z_m containing only the numbers coprime to m (two numbers are coprime if they have no common divisor other than 1); Euler's totient function returns how many integers between 1 and m are coprime to m, e.g. φ(8) = 4 because 1, 3, 5, 7 are coprime to 8;
  • Let G be a group and a an element of order n; the set 〈a〉 = {1, a, ..., a^(n−1)} is a subgroup of G, and a is called the generator of 〈a〉 (the element from which all elements of the subgroup can be generated). If G itself is generated by a, then G is called cyclic and a is a primitive element of G;
  • Theorem: for any prime p the multiplicative group Z_p^* is cyclic;
  • A set F with two binary operations, + (addition) and × (or ·, multiplication), is called a commutative ring with identity if:
  • A set F with two binary operations, + (addition) and × (or ·, multiplication), is called a commutative field if:
  • A field is a commutative ring with identity in which every non-zero element has a multiplicative inverse: (F, +) is a commutative (additive) group and (F \ {0}, ·) is a commutative (multiplicative) group, with · distributive over +.
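The definitions above made concrete, as an added example that is not from the notes: a small Python module that brute-forces Z_m^*, φ(m), element orders and generators for small m, and checks Lagrange's theorem, Euler's theorem and its extension to m = pq. The moduli and sample values are chosen here for illustration.

```python
# Added example (not from the notes): the group-theoretic objects above computed
# by brute force for small moduli, with checks of the stated theorems.
from math import gcd


def units(m: int) -> list:
    """Z_m^*: the residues in 1..m-1 that are coprime to m."""
    return [a for a in range(1, m) if gcd(a, m) == 1]


def totient(m: int) -> int:
    """Euler's totient phi(m) = |Z_m^*|."""
    return len(units(m))


def order(a: int, m: int) -> int:
    """Multiplicative order of a in Z_m^*: smallest n >= 1 with a^n = 1 (mod m)."""
    if gcd(a, m) != 1:
        raise ValueError("a is not a unit modulo m")
    n, x = 1, a % m
    while x != 1:
        x = (x * a) % m
        n += 1
    return n


def generated_subgroup(a: int, m: int) -> list:
    """<a> = {1, a, a^2, ..., a^(n-1)} in Z_m^*, a subgroup of order n = order(a, m)."""
    return [pow(a, k, m) for k in range(order(a, m))]


def generators(m: int) -> list:
    """Primitive elements: units whose order is |Z_m^*|. Non-empty iff Z_m^* is cyclic."""
    phi = totient(m)
    return [a for a in units(m) if order(a, m) == phi]


def lagrange_holds(m: int) -> bool:
    """Every cyclic subgroup <a> has order dividing |Z_m^*| (Lagrange)."""
    phi = totient(m)
    return all(phi % order(a, m) == 0 for a in units(m))


def euler_holds(m: int) -> bool:
    """a^phi(m) = 1 (mod m) for every a in Z_m^* (Euler's theorem)."""
    phi = totient(m)
    return all(pow(a, phi, m) == 1 for a in units(m))


def pq_extension_holds(p: int, q: int, k: int = 3) -> bool:
    """For m = p*q with p, q distinct primes, a^(k*phi(m)+1) = a (mod m) for ALL a
    in Z_m, including those not coprime to m (the extension the notes mention)."""
    m = p * q
    phi = (p - 1) * (q - 1)
    return all(pow(a, k * phi + 1, m) == a for a in range(m))


if __name__ == "__main__":
    print("Z_8^* =", units(8), "phi(8) =", totient(8))      # [1, 3, 5, 7] 4
    print("generators of Z_7^* =", generators(7))           # [3, 5]  (cyclic, p prime)
    print("generators of Z_8^* =", generators(8))           # []      (not cyclic)
    print("<2> in Z_7^* =", generated_subgroup(2, 7))       # [1, 2, 4], order 3 | 6
```

Z_8^* has four elements but no generator (every element has order at most 2), which is why the cyclicity theorem is stated for prime moduli only; the p·q extension is exactly the identity RSA decryption relies on later in the notes.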

Now, finally, AES: a symmetric block cipher with key lengths of 128, 192 or 256 bits, resistant to all known attacks. It is simple and fast, so it is well suited to devices with limited computing power. With an input and output block length of 128 bits, the 128-bit State can be arranged as a 4-by-4 matrix of bytes: 16 bytes of 8 bits each (16 · 8 = 128).

For a key length of 128, 192 or 256 bits the Cipher Key is laid out as a 4-by-(n/32) matrix of bytes, i.e. 4, 6 or 8 columns (where n = 128, 192, 256 bits):

The algorithm at high level (the details follow) is:

Algorithm High-level AES
  AES(State, Key):
    KeyExpansion(Key, ExpandKey);
    AddRoundKey(State, ExpandKey[0]);
    for (i = 1; i < R; i++) do:
      Round(State, ExpandKey[i]);
    FinalRound(State, ExpandKey[R]);

This procedure is repeated for each 128-bit block of the plaintext. We start with a 128-bit key, but before the rounds begin (there are 10 of them for a 128-bit key) the key is expanded so that every round uses a different 128-bit round key instead of the same key throughout. The encryption follows this scheme:

Each state is obtained by transforming the state of the previous round with the round key of the current round. 128-bit AES uses 10 rounds; the 128-bit secret key is expanded into 11 round keys of 128 bits each (one for the initial AddRoundKey plus one per round). Each round changes the state and then XORs in the round key; for longer keys one round is added for every extra 32 bits of key (12 rounds for 192-bit and 14 for 256-bit keys). Now we see in detail what happens in each round, starting from the assumption that the plaintext is divided into 128-bit states, each arranged as a 4 × 4 matrix of bytes. The state is transformed by applying:

  1. Substitution;
  2. Shift rows;
  3. Mix columns;
  4. XOR round key;

Substitution operates on every byte separately: A_i,j ← A_i,j^(−1), the multiplicative inverse in GF(2^8), applied in place to every byte of the block; the inverse is highly non-linear (the standard then applies a fixed affine transformation to the result). If A_i,j = 0 it is left unchanged by the inversion. It is important to note that the substitution is invertible.

Shift rows rotates each row cyclically to the left: by 0 positions for the first row, 1 for the second, 2 for the third and 3 for the fourth. This shift is invertible.

In the Mix columns operation every column of the state is treated as a polynomial over GF(2^8) and multiplied by the invertible polynomial 03x^3 + 01x^2 + 01x + 02 (mod x^4 + 1); the inverse polynomial is 0Bx^3 + 0Dx^2 + 09x + 0E.

Key expansion instead generates a different key per round, and needs a 4 × 4 matrix of bytes per round. It is based on a non-linear transformation of the original key.
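An added example, not code from the notes or from any AES implementation: GF(2^8) arithmetic with the AES polynomial, the multiplicative inverse used by the substitution step, and MixColumns as multiplication by c(x) modulo x^4 + 1, in Python. The sample columns are the ones used in the FIPS-197 examples; the affine part of the S-box is left out because the notes describe only the inverse.

```python
# Added example (not from the notes): GF(2^8) arithmetic, the SubBytes inverse,
# and MixColumns / InvMixColumns as polynomial multiplication mod x^4 + 1.

AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the irreducible polynomial AES uses


def gf_mul(a: int, b: int) -> int:
    # Multiply two bytes as polynomials over GF(2), reducing modulo AES_POLY
    # whenever the degree reaches 8 ("xtime" applied bit by bit).
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    # Multiplicative inverse in GF(2^8). The non-zero elements form a group of
    # order 255, so a^254 = a^-1; 0 has no inverse and stays 0 as in SubBytes.
    if a == 0:
        return 0
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def poly_mul_mod_x4_plus_1(a: list, b: list) -> list:
    # Product of two polynomials with GF(2^8) coefficients (a[i] multiplies x^i),
    # reduced modulo x^4 + 1: since x^4 = 1 there, exponents simply wrap around.
    out = [0, 0, 0, 0]
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[(i + j) % 4] ^= gf_mul(ai, bj)
    return out


C_POLY = [0x02, 0x01, 0x01, 0x03]       # c(x)    = 03x^3 + 01x^2 + 01x + 02
C_INV_POLY = [0x0E, 0x09, 0x0D, 0x0B]   # c^-1(x) = 0Bx^3 + 0Dx^2 + 09x + 0E


def mix_column(col: list) -> list:
    # MixColumns on one 4-byte column: multiply the column polynomial by c(x).
    return poly_mul_mod_x4_plus_1(col, C_POLY)


def inv_mix_column(col: list) -> list:
    return poly_mul_mod_x4_plus_1(col, C_INV_POLY)


def sub_byte_inverse_step(b: int) -> int:
    # The non-linear part of the substitution step: the GF(2^8) inverse.
    # FIPS-197 follows it with a fixed affine map, which the notes do not cover.
    return gf_inv(b)


def mix_columns_is_invertible() -> bool:
    # c(x) * c^-1(x) must be 1 mod x^4 + 1, and InvMixColumns must undo
    # MixColumns; checked on a sample of columns.
    if poly_mul_mod_x4_plus_1(C_POLY, C_INV_POLY) != [1, 0, 0, 0]:
        return False
    sample = [[a, a ^ 0x5A, 0x00, 0xFF ^ a] for a in range(0, 256, 3)]
    return all(inv_mix_column(mix_column(c)) == c for c in sample)


if __name__ == "__main__":
    print(hex(gf_mul(0x57, 0x83)))                                # 0xc1 (FIPS-197 example)
    print(hex(gf_inv(0x53)))                                      # 0xca
    print([hex(x) for x in mix_column([0xDB, 0x13, 0x53, 0x45])])  # 8e 4d a1 bc
    print(mix_columns_is_invertible())                            # True
```

Writing c(x) as a list with the constant term first makes the wrap-around in poly_mul_mod_x4_plus_1 do the same work as the 4×4 circulant matrix [02 03 01 01; 01 02 03 01; ...] in the standard, and the single check c(x)·c^(-1)(x) = 1 is what makes the inverse round well defined.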

Breaking 1 or 2 rounds of AES is easy; it is not known how to break 5 rounds, and breaking the full 10 rounds efficiently is considered impossible.

Block ciphers operate on blocks of fixed length, but messages can be of any length, and encrypting the same plaintext block under the same key always produces the same output. Several modes of operation have been invented which allow block ciphers to provide confidentiality for messages of arbitrary length.

2.2.2 ECB

ECB, Electronic Code Book, is the mode in which each plaintext block is encrypted separately. It is very simple and efficient, and it can be implemented in parallel. It does not conceal plaintext patterns, and it is exposed to active attacks: the plaintext can be manipulated by removing, repeating or interchanging ciphertext blocks.

When the last plaintext block is shorter than the 128-bit block size (say it has n bits), it is filled with zeros, so only the first n bits of the previous ciphertext block actually mask plaintext; the remaining bits are XORed with the zero padding. Writing C_(n−1) = [C*_(n−1) | C**_(n−1)] for its first n bits and the remaining bits, decrypting the last block yields

  [P*_n ⊕ C*_(n−1) | C**_(n−1)]

and XORing this with C_(n−1) recovers the original plaintext:

  [P*_n ⊕ C*_(n−1) | C**_(n−1)] ⊕ [C*_(n−1) | C**_(n−1)] = [P*_n | 000000...]

The full procedure (this construction is known as ciphertext stealing) is:

  • Encryption:
    • If the plaintext length is not a multiple of the block size, pad it with enough zeros until it is;
    • Encrypt the plaintext using Cipher Block Chaining mode;
    • Swap the last two ciphertext blocks (swap? where? there is no swap in the figure);
    • Truncate the ciphertext to the length of the original plaintext;
  • Decryption:
    • If the ciphertext length is not a multiple of the block size (say it is n bits short), pad it with the last n bits of the block-cipher decryption of the last full ciphertext block;
    • Swap the last two ciphertext blocks;
    • Decrypt the ciphertext using Cipher Block Chaining mode;
    • Truncate the plaintext to the length of the original ciphertext;

2.2.4 PCBC

PCBC is designed so that a single-bit error propagates to all subsequent blocks, both in encryption and in decryption (in CBC a one-bit error in a ciphertext block garbles that block and flips only one bit of the next one). Here the current plaintext block P_i is XORed, before encryption, with P_(i−1) ⊕ C_(i−1). In decryption the same procedure applies, but the XOR happens after the block decryption; since decrypting block i requires the plaintext of the previous block, decryption can no longer be done in parallel as in CBC.

On a message encrypted in PCBC mode, if two adjacent ciphertext blocks are exchanged, the decryption of the subsequent blocks is not affected (this does not hold for CBC). Writing I_i = P_(i−1) ⊕ C_(i−1) for the value XORed into block i:

  • I_(i+2) = C_(i+1) ⊕ P_(i+1) = C_(i+1) ⊕ (D_k(C_(i+1)) ⊕ I_(i+1));
  • I_(i+1) = C_i ⊕ (D_k(C_i) ⊕ I_i);
  • I_(i+2) = C_(i+1) ⊕ D_k(C_(i+1)) ⊕ C_i ⊕ D_k(C_i) ⊕ I_i, which is symmetric in C_i and C_(i+1): swapping the two blocks leaves I_(i+2), and hence P_(i+2) onwards, unchanged.
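An added example, not from the notes: CBC and PCBC implemented in Python over a stand-in block cipher (a 4-round Feistel network with a SHA-256 round function, invertible but not secure, used only so the example runs offline without AES), showing the two properties just described: a one-bit ciphertext error reaches only two plaintext blocks in CBC but every following block in PCBC, and exchanging two adjacent ciphertext blocks leaves blocks i+2 onwards intact in PCBC while block i+2 is also garbled in CBC. The key, IV and plaintext are constructed.

```python
# Added example (not from the notes): CBC vs PCBC error propagation and the
# adjacent-block swap property, over a stand-in block cipher.
import hashlib

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, r: int, half: bytes) -> bytes:
    # Round function of the stand-in cipher: keyed SHA-256 truncated to a half block.
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel network: invertible for any round function, so it can stand
    # in for a real block cipher here. It is NOT secure; use AES in practice.
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _round(key, i, r))
    return r + l


def toy_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = r, xor(l, _round(key, i, r))
    return r + l


def blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("example uses whole blocks; padding is out of scope")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for p in blocks(pt):
        c = toy_encrypt(key, xor(p, prev))          # C_i = E_k(P_i xor C_{i-1})
        out.append(c)
        prev = c
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(toy_decrypt(key, c), prev))  # P_i = D_k(C_i) xor C_{i-1}
        prev = c
    return b"".join(out)


def pcbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, feed = [], iv                               # feed = I_i = P_{i-1} xor C_{i-1}
    for p in blocks(pt):
        c = toy_encrypt(key, xor(p, feed))           # C_i = E_k(P_i xor I_i)
        out.append(c)
        feed = xor(p, c)
    return b"".join(out)


def pcbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, feed = [], iv
    for c in blocks(ct):
        p = xor(toy_decrypt(key, c), feed)           # P_i = D_k(C_i) xor I_i
        out.append(p)
        feed = xor(p, c)
    return b"".join(out)


def garbled_blocks(original: bytes, recovered: bytes) -> list:
    # Indices of plaintext blocks that differ after the ciphertext was tampered with.
    return [i for i, (a, b) in enumerate(zip(blocks(original), blocks(recovered))) if a != b]


def flip_bit(ct: bytes, byte_index: int) -> bytes:
    ct = bytearray(ct)
    ct[byte_index] ^= 0x01
    return bytes(ct)


def swap_adjacent(ct: bytes, i: int) -> bytes:
    b = blocks(ct)
    b[i], b[i + 1] = b[i + 1], b[i]
    return b"".join(b)


# Constructed sample input: six whole blocks, fixed key and IV so runs are reproducible.
KEY = b"example-key-0123"
IV = bytes(range(BLOCK))
PT = b"".join(bytes([65 + i]) * BLOCK for i in range(6))   # "AAAA..", "BBBB..", ..., "FFFF.."


def error_propagation() -> dict:
    # One flipped bit in ciphertext block 1: which plaintext blocks come out wrong?
    cbc = cbc_decrypt(KEY, IV, flip_bit(cbc_encrypt(KEY, IV, PT), BLOCK))
    pcbc = pcbc_decrypt(KEY, IV, flip_bit(pcbc_encrypt(KEY, IV, PT), BLOCK))
    return {"cbc": garbled_blocks(PT, cbc), "pcbc": garbled_blocks(PT, pcbc)}


def adjacent_swap() -> dict:
    # Ciphertext blocks 1 and 2 exchanged: which plaintext blocks come out wrong?
    cbc = cbc_decrypt(KEY, IV, swap_adjacent(cbc_encrypt(KEY, IV, PT), 1))
    pcbc = pcbc_decrypt(KEY, IV, swap_adjacent(pcbc_encrypt(KEY, IV, PT), 1))
    return {"cbc": garbled_blocks(PT, cbc), "pcbc": garbled_blocks(PT, pcbc)}


if __name__ == "__main__":
    print("bit flip   ->", error_propagation())   # {'cbc': [1, 2], 'pcbc': [1, 2, 3, 4, 5]}
    print("block swap ->", adjacent_swap())       # {'cbc': [1, 2, 3], 'pcbc': [1, 2]}
```

Neither mode detects the tampering: the decryptor simply gets different bytes back. That is the point made at the start of section 3, that confidentiality modes need a separate integrity mechanism (a MAC) to notice an active adversary.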

2.2.5 CFB

CFB is similar to CBC but turns a block cipher into an asynchronous (self-synchronizing) stream cipher, so it can resynchronize after an error when the input to the encryptor comes through a shift register. In the encryptor the plaintext is XORed after the block-cipher encryption (in CBC it is XORed before). Since the XOR happens after the encryption, the last block no longer needs zero padding when the plaintext length is not a multiple of the block size:

Decryption can be done in parallel, since to obtain a plaintext block only the current ciphertext block and the previous one are needed. An error in a ciphertext block is not propagated to all the following blocks: it affects only the current XOR and the decryption of the next block. So CFB has two advantages over CBC: the block cipher is only ever used in the encryption direction, and the message does not need to be padded to a multiple of the block size.

When CFB is used with a shift register, we start by initializing a register of the block size with the initialization vector; this is encrypted with the block cipher and the highest s bits of the result are XORed with s bits of plaintext to produce s bits of ciphertext, which are then shifted into the register, and the process repeats for the next s bits of plaintext. Decryption is similar: we start with the initialization vector, encrypt it and XOR the high s bits of the result with s bits of ciphertext to produce s bits of plaintext, then shift the s bits of ciphertext into the register and encrypt again:

2.2.7 CTR

CTR, or Integer Counter Mode, turns a block cipher into a stream cipher: it generates the next keystream block by encrypting successive values of a counter. The counter can be any function that produces a sequence guaranteed not to repeat for a long time. It has characteristics similar to OFB but also allows random access during decryption, so it is well suited to multi-processor machines where blocks can be encrypted in parallel. The generation of each ciphertext block is independent of the other blocks, since a different counter value is used for each block.

Of course, as with OFB, there are problems if a counter value is repeated under the same key. With CTR the message can be decrypted starting from block i for any i, since there is no need to decrypt from the first block.

2.2.8 Initialization Vector

Most modes (except ECB) require an Initialization Vector, or IV, a sort of dummy block used to kick off the process for the first real block. It does not need to be secret in most cases, but it is important that it is never reused with the same key: in CBC and CFB, reusing an IV leaks some information about the first block of plaintext. In CBC mode the IV must also be unpredictable at encryption time. For OFB and CTR, reusing an IV completely destroys security, because the keystream repeats.

2.2.9 Strengthening a cipher

There are two ways to strengthen a cipher:

  • Key Whitening:
    • Steps that combine the data with portions of the key (usually by XOR) before the first round and after the last round of encryption;
  • Iterated Ciphers (Triple DES, 3-DES):
    • The plaintext undergoes encryption repeatedly with the underlying cipher, ideally with different keys; with two keys the triple cipher is:
      • C = E_k1(E_k2(E_k1(P))), called EEE mode;
      • C = E_k1(D_k2(E_k1(P))), called EDE mode;
  • So we use three encryptions, or two encryptions and one decryption. Sometimes only two keys are used in 3-DES; then the same key must be used at the beginning and at the end.

Since the adversary's goal is to find the secret key, double DES cannot be used: with a double cipher and two different keys the adversary can mount the meet-in-the-middle attack. If plaintext/ciphertext pairs are known and the two keys have n bits each, it is possible to try all 2^n encryptions of the plaintext and all 2^n decryptions of the ciphertext. In other words, the double cipher is a composition h(x) = g(f(x)), and the attack matches the image of f (every E_k1(P)) against the pre-image under g (every D_k2(C)): where you would expect 2^(2n) keys to try, the attacker makes about 2 · 2^n attempts, because, knowing some ciphertexts C and the corresponding plaintexts P, the attacker can encrypt P under every k1 and decrypt C under every k2 in parallel and look for matches; a match yields the key pair.
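The meet-in-the-middle attack described above, as an added example that is not from the notes: Python code against a constructed toy block cipher with a 16-bit block and 16-bit keys (not secure, chosen so that 2^16 is brute-forceable in seconds). Double encryption has a nominal 32-bit key, yet the attack recovers (k1, k2) with 2 · 2^16 cipher operations and a 2^16-entry table; the secret keys and known-plaintext pairs are constructed.

```python
# Added example (not from the notes): meet-in-the-middle against double
# encryption, on a constructed toy cipher small enough to enumerate.

MASK = 0xFFFF
MUL = 0x9E37                        # odd, hence invertible modulo 2^16
MUL_INV = pow(MUL, -1, 1 << 16)     # Python 3.8+ modular inverse


def rotl16(x: int, n: int) -> int:
    return ((x << n) | (x >> (16 - n))) & MASK


def rotr16(x: int, n: int) -> int:
    return ((x >> n) | (x << (16 - n))) & MASK


def tiny_encrypt(k: int, x: int) -> int:
    # Constructed toy cipher: 16-bit block, 16-bit key, two rounds of
    # key-add / odd-multiply / rotate, then a final key-add. Not secure.
    for _ in range(2):
        x = rotl16(((x ^ k) * MUL) & MASK, 5)
    return x ^ k


def tiny_decrypt(k: int, y: int) -> int:
    x = y ^ k
    for _ in range(2):
        x = ((rotr16(x, 5) * MUL_INV) & MASK) ^ k
    return x


def double_encrypt(k1: int, k2: int, x: int) -> int:
    return tiny_encrypt(k2, tiny_encrypt(k1, x))


def meet_in_the_middle(pairs: list) -> tuple:
    """pairs: known (plaintext, ciphertext) pairs under double encryption.
    Returns (list of candidate (k1, k2), number of cipher operations in the search)."""
    p0, c0 = pairs[0]
    ops = 0
    # Forward half: tabulate E_k1(p0) for every k1 (2^16 encryptions, 2^16-entry table).
    middle = {}
    for k1 in range(1 << 16):
        middle.setdefault(tiny_encrypt(k1, p0), []).append(k1)
        ops += 1
    # Backward half: D_k2(c0) for every k2 (2^16 decryptions). A hit in the table
    # means E_k2(E_k1(p0)) == c0; the remaining pairs weed out chance matches,
    # which are expected because a 16-bit block cannot pin down a 32-bit key pair.
    found = []
    for k2 in range(1 << 16):
        mid = tiny_decrypt(k2, c0)
        ops += 1
        for k1 in middle.get(mid, ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found, ops


SECRET_K1, SECRET_K2 = 0x1234, 0xBEEF    # constructed secret keys the attacker does not know


def demo() -> tuple:
    # The attacker only sees these known-plaintext pairs (constructed sample).
    plaintexts = [0x0001, 0x4242, 0xCAFE, 0x7A7A]
    pairs = [(p, double_encrypt(SECRET_K1, SECRET_K2, p)) for p in plaintexts]
    return meet_in_the_middle(pairs)


if __name__ == "__main__":
    found, ops = demo()
    print("candidates:", [(hex(a), hex(b)) for a, b in found])   # includes (0x1234, 0xbeef)
    print("cipher operations in the search:", ops, "vs 2^32 =", 1 << 32)
```

The trade is time for memory: the forward table costs 2^n entries, which for real DES (n = 56) is why the attack is considered feasible in principle and why 3-DES with EDE was adopted instead of double DES.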

Triple encryption can also be combined with CBC, in two ways: outer CBC, in which the triple encryption is treated as a single block cipher inside one CBC chain, or inner CBC, in which each of the three passes (encryption, decryption with a different key, encryption) runs its own CBC chain.

3 Data Integrity & Authentication

The goal is to ensure the integrity of messages even in the presence of an active adversary who sends messages of their own. It is important to note that authentication is orthogonal to secrecy (the two are independent): the secrecy of a message does not imply that its sender is the party you think you are communicating with.

3.1 MAC

The authentication algorithm is called A, the verification algorithm is called V (accept/reject), the authentication key is k, and the message space is usually the binary strings. Every message between Alice and Bob is a pair (m, A_k(m)), where A_k(m) is called the authentication tag of m. The authentication algorithm is called a MAC, Message Authentication Code, so A_k(m) is frequently written MAC_k(m); verification is done by recomputing the authentication of m and comparing it with the received MAC_k(m). The security requirement is that the adversary cannot construct a new legal pair (m, MAC_k(m)) even after seeing pairs (m_i, MAC_k(m_i)). The output should be as short as possible, and the MAC function is not 1-to-1.

The adversary knows the MAC algorithm, knows plaintext pairs (m, MAC_k(m)) and can (unrealistically) choose plaintexts, i.e. choose m and obtain MAC_k(m); the goal, given n legal pairs, is to find a new