Information System Security, lecture notes for Sicurezza Dei Sistemi Informativi

Introduction to cybersecurity (risk estimation and risk management, main attacks, security properties), cryptography (symmetric and asymmetric crypto, digest, key-digest, PKC), authentication processes (CRA, OTP, Kerberos, FIDO), security in IP networks (IPsec, RADIUS, PAP, CHAP, EAP) and at the application layer (TLS), security in e-mails, firewalls.

Type: Lecture notes

2022/2023

On sale since 14/02/2024

pietro_armenante_14
Information Systems Security
Pietro Armenante
I Semester a.a. 2023/2024

Contents

  • 1 Introduction
    • 1.1 The first axiom of Engineering
    • 1.2 Risk estimation
    • 1.3 Risk management
    • 1.4 Security in the life cycle of a system
    • 1.5 Window of exposure
    • 1.6 WOE: responsible disclosure
    • 1.7 Cyber threats schema
      • 1.7.1 Motivations and threat actors
    • 1.8 Cybersecurity Standardization bodies
    • 1.9 Security
    • 1.10 C.I.A and security properties
    • 1.11 Data protection
    • 1.12 Some classes of attack
      • 1.12.1 IP spoofing
      • 1.12.2 Packet sniffing (eavesdropping)
      • 1.12.3 Denial-of-Service (DoS)
      • 1.12.4 Distributed Denial-of-Service (DDoS)
      • 1.12.5 Shadow/fake server
      • 1.12.6 Connection hijacking/MITM
      • 1.12.7 Trojan
      • 1.12.8 Zeus
      • 1.12.9 Software bugs
      • 1.12.10 Virus and Co. (malware)
      • 1.12.11 Prevention against malware
      • 1.12.12 Social Engineering
  • 2 Cryptographic Techniques for Cybersecurity
    • 2.1 Kerckhoffs’ principle
    • 2.2 The EX-OR (XOR) function
    • 2.3 Symmetric cryptography/secret key
      • 2.3.1 DES
      • 2.3.2 Triple DES (3DES, TDES)
      • 2.3.3 Double DES
      • 2.3.4 Application of block algorithms
      • 2.3.5 Symmetric stream encryption algorithms
      • 2.3.6 Salsa20 and ChaCha20
      • 2.3.7 AES
      • 2.3.8 Key distribution for symmetric cryptography
    • 2.4 Asymmetric cryptography/public key
      • 2.4.1 Digital signature
      • 2.4.2 Confidentiality without shared secrets
      • 2.4.3 Public-key algorithms
      • 2.4.4 Key distribution for asymmetric cryptography
    • 2.5 Elliptic curve cryptography (ECC)
    • 2.6 Digest
      • 2.6.1 KDF (Key Derivation Function)
    • 2.7 MAC/MIC
      • 2.7.1 Authentication by digest and asymmetric encryption
    • 2.8 Public key certificate
    • 2.9 Performance
    • 2.10 CNSA
  • 3 Authentication techniques, protocols and architectures
    • 3.1 Digital authentication model (NIST SP800.63B)
    • 3.2 Password-based authentication
      • 3.2.1 The dictionary attack
      • 3.2.2 Rainbow table
      • 3.2.3 Using salt in storing passwords
    • 3.3 Strong authentication
    • 3.4 Challenge-response authentication (CRA)
      • 3.4.1 Symmetric CRA
      • 3.4.2 Asymmetric CRA
    • 3.5 One-Time Password (OTP)
      • 3.5.1 The S/KEY system
      • 3.5.2 Time-based OTP
      • 3.5.3 Event-based OTP
      • 3.5.4 Out-of-band OTP
    • 3.6 Two-/Multi-Factor AuthN (2FA/MFA)
    • 3.7 Authentication of human beings
    • 3.8 Kerberos
    • 3.9 Single Sign-On (SSO)
    • 3.10 Authentication interoperability
      • 3.10.1 HOTP
      • 3.10.2 TOTP
    • 3.11 FIDO
      • 3.11.1 FIDO 2.0
  • 4 Security of IP networks
    • 4.1 PAP
    • 4.2 CHAP
      • 4.2.1 MS-CHAP
    • 4.3 EAP
    • 4.4 Authentication for network access
      • 4.4.1 RADIUS
    • 4.5 IEEE 802.1x
    • 4.6 Which is the best OSI level to implement security?
    • 4.7 Security at network level (L3)
      • 4.7.1 VPN
      • 4.7.2 IPsec
      • 4.7.3 IP insecurity
  • 5 Firewall
    • 5.0.1 Packet filter
    • 5.0.2 Application-level gateway
    • 5.0.3 Circuit-level gateway
    • 5.0.4 HTTP forward and reverse proxy
    • 5.0.5 WAF (Web Application Firewall)
    • 5.1 Architectures
      • 5.1.1 Packet Filter Architecture
      • 5.1.2 Dual-homed gateway architecture
      • 5.1.3 Screened host architecture
      • 5.1.4 Screened subnet architecture
      • 5.1.5 Local/personal firewall
    • 5.2 Intrusion Detection System (IDS)
    • 5.3 Other kind of defence techniques
  • 6 Security of Network Applications
    • 6.1 TLS
    • 6.2 HTTP security
    • 6.3 PCI DSS Prescriptions
  • 7 E-mail security
    • 7.1 ESMTP
    • 7.2 SMTP with TLS
    • 7.3 Security services for e-mail messages
    • 7.4 MIME
    • 7.5 Reading e-mail
  • 8 In-class exercises
    • 8.1 Security Properties
    • 8.2 Basic Security Attacks
    • 8.3 Risk Management
    • 8.4 Cryptography
    • 8.5 Message integrity and authentication
    • 8.6 X.509v3 certificates, CRL, OCSP, digital signatures
    • 8.7 Exercises integrity and asymmetric crypto
    • 8.8 Authentication
    • 8.9 Security of IP networks
  • 9 Laboratory exercises and theory
    • 9.1 Laboratory
      • 9.1.1 Information gathering
      • 9.1.2 Capture and manipulation of network traffic
      • 9.1.3 Additional exercises
    • 9.2 Laboratory
      • 9.2.1 Symmetric cryptography
      • 9.2.2 Brute force attack
      • 9.2.3 Performance evaluation SymmCrypto
      • 9.2.4 RSA Key generation
      • 9.2.5 RSA encryption and decryption
      • 9.2.6 RSA signature generation and verification
      • 9.2.7 EC Key generation
      • 9.2.8 EC signature generation and verification
      • 9.2.9 Performance evaluation RSA, EC
      • 9.2.10 Computation and verification of message digests
      • 9.2.11 Performance evaluation Digest
      • 9.2.12 Application of digest algorithms: file integrity
    • 9.3 Laboratory
      • 9.3.1 Cryptography applications: integrity
      • 9.3.2 Applications of asymmetric cryptography: key exchange/agreement
      • 9.3.3 Digital certificates and public key infrastructures
      • 9.3.4 Key exchange with DH
      • 9.3.5 Asymmetric challenge response authentication
      • 9.3.6 Password hashing and dictionary attack
      • 9.3.7 Password hashing
      • 9.3.8 Dictionary attack
      • 9.3.9 Password salting
    • 9.4 Laboratory
      • 9.4.1 Personal firewall
      • 9.4.2 Stateless and stateful packet filters
      • 9.4.3 Packet filter stateless - Output traffic
      • 9.4.4 Packet filter stateless - Public Service
      • 9.4.5 Packet filter stateless - ICMP Traffic
      • 9.4.6 Packet filter stateless - Bandwidth Limitation
      • 9.4.7 Packet filter stateless - Protection from IP spoofing
      • 9.4.8 Packet filter stateful

1.3 Risk management

It is inevitable that many risks will be identified, so you need to prioritize them, taking into account not only their impact but also the available time and budget. Since time and money are fixed, the goal is to maximize the number of risks covered. To do that, you can build a risk assessment matrix (or risk heat map), where the colour of each cell depends on a rule you decide and indicates how much damage the risk can cause.

After the analysis of security (assets, vulnerabilities and threats) comes the management of security, which consists of selecting countermeasures, implementing them and auditing the system. The audit (the verification) of the system has to be done by a person who is not involved in the project.

1.4 Security in the life cycle of a system

When should risk be considered while creating a new system? At every step of its creation.

Some terminology:

  • incident, a security event that compromises the integrity, confidentiality or availability of an information asset;
  • data breach, an accident that results in the disclosure or potential exposure of data;
  • data disclosure, a breach for which it was confirmed that data was actually disclosed (not just exposed) to an unauthorized party;
  • security control, a component placed in a system to protect it, such as a firewall or an anti-virus.

1.5 Window of exposure

Security tools must be kept updated: for example, an IDS is an alarm that tells you when something is happening, so that you can switch off the device. How long is the window of exposure? Patch Tuesday is the second Tuesday of the month, the day on which vendors release their accumulated patches. Then there is Exploit Wednesday, when attackers learn about the problem (from the patch itself) and build an automatic scan for devices that have not yet been updated, so that they can attack them. In general this window can have a very variable length.

1.6 WOE: responsible disclosure

There are many organizations, like ZDI (Zero Day Initiative), which responsibly disclose the vulnerabilities they find, following the philosophy ”knowing the problem is better than ignoring it”. They state, for example: ”This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.” They follow a specific way of working; here is a real example:

  • 8-may-18, ZDI reported the vulnerability to the vendor and the vendor acknowledged the report;
  • 14-may-18, the vendor replied that they had successfully reproduced the issue ZDI reported;
  • 9-sep-18, the vendor reported that the issue had a fix, but that the fix might not make the September release;
  • 10-sep-18, ZDI warned of a potential 0-day; the official window of exposure starts;
  • 11-sep-18, the vendor confirmed that the fix did not make the build;
  • 12-sep-18, ZDI confirmed its intention to 0-day (publish) on 20-sep-18.

1.7 Cyber threats schema

There are three main components:

  • threat actors and their motivation;
  • attack vectors (vulnerabilities and context);
  • vulnerable targets (value for owner and attacker).

1.7.1 Motivations and threat actors

The motivations are summarized by the acronym MICE:

  • M is for money (direct or indirect transfer);
  • I is for ideology (political, religious, hacktivism);
  • C is for compromise (individuals with no choice, due to blackmail or threats against their families or themselves);
  • E is for ego.

About the actors:

where CaaS (Crime as a Service) is a service that you can buy, and an APT (Advanced Persistent Threat) is software that sits silently in a device, most of the time operated by a nation state.

  • Peer authentication (mutual): the user wants to be sure that the site is the real one and not someone trying to emulate it. One way to check is to enter a fake password and see what the site does: if the site lets you in, it is a fake site; otherwise it is the right one.
  • Data origin authentication: e-mail is one of the few services that are not end-to-end, because the receiver could be offline when the writer sends the message (it is not sent directly between two peers), and this peculiarity can be used to attack the device. Peer authentication cannot be applied; in this case the data themselves must carry the proof of the origin of the information: you should check, for example, the source of an e-mail to understand whether it is genuine.
  • Non-repudiation is a special property of some data whereby the creator of the data cannot deny having created them, because the document itself keeps that information. This kind of authentication is valid even in a court of justice. Even if sender/author authentication is verified, to grant non-repudiation you must also verify integrity (I created this document, but during transit someone changed it, so now I can repudiate it). Additionally, if the document is related to a human being, authentication is not enough, because it is an electronic procedure (username/password, etc.) that can be performed by someone else; so you need identification. Non-repudiation is normally associated not only with technical aspects but also with specific procedures performed voluntarily: if you created a file involuntarily, it cannot have non-repudiation. We (almost) never have non-repudiation with protocols or procedures that perform automatic actions on the user’s behalf.
  • Authorization: once the user is authenticated, I have to know whether he is authorized to do what he wants to do. One sub-case is access control, when the user wants to access some data.
  • We call it privacy if the data are private; if the data are general we speak of confidentiality or secrecy. When there is a communication there is always the risk that someone is listening to it. This property has to be respected also in communication with myself (data that move within the same device). Privacy can be related to data (an unofficial pen drive with secret data), to actions or to geographical position.
  • People who operate the network have the power to change the content of a message, even if they control a single router or a very small part of the network. Integrity is the property of data that lets us check whether they have been modified.
    • Modifications are always possible, because we cannot control every little piece of the network, but if they happen we detect them and reject them. So it is not about stopping modification but about detecting it. This kind of attack is called data modification.
    • Another kind of attack against integrity is data cancellation/filtering, that is, for example, deleting data (or part of the data) from the communication while a money transfer is happening. This attack is very hard to detect, because only the receiver can detect it, and the receiver may not know what to expect.

Now imagine that I cannot modify or delete any data in the communication and that the data are encrypted (hidden, impossible to understand). What can I do? I could change some data at random, but then I would not know what happens. So I let the data pass, wait until the message arrives at the receiver and make a copy of it. Now I can replay the message again and again. This is called a replay attack. It is the same principle as the car attack: when you open the car, it is possible to capture that signal and replay it after you have gone, so that I can open the car.

1.11 Data protection

For each security property consider always the three cases of data protection:

  • data in transit, when data are transmitted over a communication channel;
  • data at rest, when data are stored in a memory device;
  • data at work, when data are in RAM for use by a process.

But, where is the enemy? It can be

  • outside our organization, so the defences can be boundary/perimeter defences such as a firewall;
  • outside our organization, with the exception of our partners, so the defences can be extranet protections such as a VPN;
  • inside our organization, so the defences can be LAN/intranet protections;
  • nowadays we no longer distinguish where the enemy is: enemies are everywhere (we connect to the Internet from many places, so it is impossible to say when the enemy is inside and when it is outside), so we use a ZTA (Zero Trust Architecture), in which every interaction has to be checked.

We say that the enemy can be:

  • MITM (Man In The Middle), sitting between the two peers A and B;
  • MATE (Man At The End), inside one peer;
  • MITB (Man In The Browser), inside one specific component of one peer (typically the web browser).

An attacker is passive if he can only read data/traffic, and active if he can also modify, delete or create data/traffic. The basic problem is that networks are insecure: most communications are made in clear, LANs operate in broadcast, and geographical connections are not made through end-to-end dedicated lines but through shared lines or third-party routers. Other problems are weak user authentication (normally password-based), no server authentication, and the many bugs that software contains.

1.12 Some classes of attack

1.12.1 IP spoofing

IP spoofing or masquerading is an attack where the enemy forges a new source network address so as not to be recognised. Typically the level 3 (IP) address is forged, but it is convenient to change also the level 2 address (e.g. Ethernet), because if only level 3 is modified it is still possible to tell from which place the attack comes. So the attack is about data forging and unauthorized access to systems. The countermeasure is to never use address-based authentication, because, for security purposes, addresses are not reliable information.

1.12.2 Packet sniffing (eavesdropping)

This attack allows the attacker to read packets (passwords, data, etc.) addressed to another network node. It is easy to do in broadcast networks or at a switching node. The countermeasures are non-broadcast networks and encryption of the packet payload. However, non-broadcast networks are impossible to obtain in practice (only by connecting two devices with a wire; with wireless it is impossible), so that is not the solution. You can protect the content (the payload) but not the header, because the network has to know where the packets are going or it would not work anymore. Even so, it is not 100% safe: an attacker can in any case see where the packets are going and so infer something about the situation or the data.

1.12.3 Denial-of-Service (DoS)

This attack keeps the host busy so that it cannot provide its services: it can be done with e-mail/log saturation, ping flooding (ping bombing) or a SYN attack. There is no way to block this attack, other than monitoring connections to mitigate its effects. Remember:

  • ping is a network administration utility used to test the reachability of a host on an Internet Protocol (IP) network; it measures the round-trip time for messages sent from the originating host to a destination computer and echoed back to the source.

1.12.6 Connection hijacking/MITM

This kind of attack, also known as data spoofing, is one where the attacker takes control of the communication channel, diverting it, inserting, deleting and manipulating traffic. To do that, you have to be in the middle between the two hosts (MITM), either physically or logically; you get there by sending fake information to a host to convince it that you are the right destination for the traffic. This attack can be performed even after peer authentication, so peer authentication is not enough: we need other properties, like secrecy, data origin authentication, integrity and serialization (is the data arriving in the same order, or not, or have some packets been cancelled?).

1.12.7 Trojan

A trojan (horse) is a program that seems to be fine but contains a dangerous payload (the simplest example is a generic cracked program). It is considered a malware vector, that is, something that transports something else. The network is more protected than in the past, so attacks are now moving towards the terminals (MATE, MITB). There are many ways in which this kind of attack can be performed, from classic attack tools (like a keylogger bundled with a game, that is a keyboard driver that records the keys you type so as to recognise possible usernames/passwords) to modern ones like a browser extension. Another kind of attack is the overlay attack, that is, a mask placed over a site so as to capture the sensitive data entered on the site through the mask (like bank passwords, etc.).

1.12.8 Zeus

Zeus (or Zbot) is the biggest botnet in the world. It can be used both directly and indirectly, to load other malware. It is very difficult to discover and remove because it hides itself with stealth techniques, and it has about 3.6M active copies in the USA alone.

1.12.9 Software bugs

Even the best software contains bugs that can be exploited for various aims. An example was the Windows NT server (3.51, 4.0): while the server was on the market, it turned out that TCP port 135 was open (release 3.51), so with Service Pack (SP) 3 the problem was fixed. An attacker then looked at how the patched release handled that port: he installed SP3 on his own server and sent a message to port 135. The server no longer blocked, but it responded with an error saying that the packet sent was wrong. So, with address spoofing, the attacker could use another NT server as the apparent source of the message, so that the error answer is redirected to that server, which is not the one that actually sent the packet. That machine replies that the packet is wrong, the other one responds the same, and so on, blocking both machines. SP4 solved this problem. The lesson is: you should not respond to an attack.

1.12.10 Virus and Co. (malware)

  • In general, malware is any malicious software.
  • A virus has a dangerous payload that aims to damage the host, and it is propagated by humans involuntarily.
  • A worm does not damage you directly, but it blocks your system (like a DoS) by replicating itself automatically. If attacked by a worm, you cannot disconnect a single host, because once you disconnect it, reinstall the operating system and reconnect it to the network, the host will be attacked again; so you have to stop the whole system.
  • A backdoor is a hidden entrance which can be created by programmers (so that, for example, if someone does not pay for the software, they can enter it and destroy everything), by a trojan, by the police or by a government.
  • A rootkit is a privileged access tool, hidden and stealthy.
  • Potentially Unwanted Applications (PUA), classified as grayware, are applications installed on a mobile device or a computer that may pose a high risk or have an untoward impact on user security and/or privacy. They may also consume computing resources. They may be unwanted by the user even if installed with the user’s consent.

Viruses, worms and malware require complicity (possibly involuntary) from the user, the system manager or the producer. The possible countermeasures are user awareness, correct configuration/secure software, and installing an antivirus and keeping it updated. On the black market there are temporary shops, called vulnerability marketplaces, where it is possible to buy malicious code, and there are people who develop software for making malware: this chain is called the malware food chain. To counter this phenomenon many companies offer a bug bounty (some money) to anyone who discovers a bug: they set up a server with fake data and release it on the market as a test server, so that everyone can work on it.

Another frequent economic fraud is the one that uses a mule. A malware coder writes malicious software to get into a computer and install a trojan that steals bank credentials. But he is clever, so he uses a mule: he sends, for example, an e-mail to a third person saying ”Help me and I will give you some money: you take 30% of the total, I take 70%. The only thing you have to do is take this money and send it to me at this bank account”. The third person gets 30% of the total, but he will also be contacted by the police for this movement of money, while the attacker is safe with his money. This third person, the bridge between the victim and the attacker, is called a mule.

A ransomware is a malware aimed at obtaining a ransom. It can attack desktops and laptops (disk content made unreadable), but also tablets and smartphones (made unusable). The attacker asks for a ransom to unblock it (not always). Sometimes he gives back only a small part of the data, asking for more money for the rest; they actually never give you back all the data. In some cases, called ransomware-as-a-service or TOX malware, the operation runs on the TOR anonymous network and the operator says he will give you money back if you help him distribute the ransomware to the victims. How? A pen drive is the best way to distribute ransomware, so never pick up a pen drive from places where a pen drive should not be (streets, etc.).

1.12.11 Prevention against malware

How can all these kinds of attack be prevented? Backup is the minimum, yet effective, solution. However, how do you do a backup? A backup alone may not be enough: how old is it? If it is old, it will be useless for recovering data. There is also the possibility of a silent attack that does not block the PC immediately but encrypts the backup, so it is important to read the backup first. Offline or network backup? A network backup is, for example, one linked to the cloud; the backup must be offline, because the ransomware will attack the network backup too. You should also keep it far from the source, to survive fire, flooding and earthquakes. Try to fetch the backup from that far place, to rehearse the trip you will have to make when something happens (and check that this trip is safe for the backup: a modern car can produce electromagnetic fields that erase the content of a disk), and read it at least once a year. If an attack has been performed, you should know when it happened, so as to pick the right backup. Nowadays there are systems that protect integrity by requiring permission to modify things (in this case we talk about availability).

1.12.12 Social Engineering

In many cases the human is the weak element targeted by the attack. This happens because of many factors: low understanding of the problem, human mistakes especially when overloaded and stressed, the natural human tendency to trust, complex interfaces that can mislead the user and cause erroneous behaviours (usability), and the performance decrease due to the application of security measures. We call social engineering the techniques used to obtain the user’s involuntary participation in the attack. Usually naive users are targeted (”change your password with the following one, because your PC is under attack”), but experienced users are targeted too (copying an authentic mail but changing its attachment or URL). It can happen via mail, phone, fax or even paper, and it also involves psychological pressure: showing acquaintance with the company’s procedures, habits and personnel helps in gaining trust and makes the target lower his defences. There are cases in which the attacker obtained something without using any technology at all.

2 Cryptographic Techniques for Cybersecurity

Cryptography is a mathematical technique. We have some data that we want to protect, for example a message that we want to send to a receiver through a channel which is not secure. We take this message, called the message in clear because at this stage everyone can read and understand it, and we transform it through the mathematical algorithm of encryption. Now we can send it on the channel: it carries the same content as the message in clear, but in a form that no one can understand, and it is called the encrypted message. Once it arrives at its destination, if the receiver uses the proper decryption algorithm, which is the inverse of encryption, he can transform it back into the original message, so that it can be read and understood. The most important elements in this chain are the keys, the one used for encryption and the one used for decryption, which tell the algorithms how to transform the message. Each different key gives a different transformation: key1 hides the message, while key2 is the antidote to that transformation. In this document we will refer to the message in clear as plaintext or cleartext, or with P, and to the encrypted message as ciphertext, or C.

2.1 Kerckhoffs’ principle

If the keys:

  • are kept secret;
  • are managed only by trusted systems;
  • are of adequate length;

then it does not matter whether the encryption and decryption algorithms are kept secret. On the contrary, it is better to make the algorithms public, so that they can be widely analysed and their possible weaknesses identified. This principle stands against the motto ”Security Through Obscurity”. So, it is better to use public algorithms.

2.2 The EX-OR (XOR) function

This is a primitive operation available on every CPU, even the smallest ones. As a quick refresher: x XOR y is 1 exactly when x and y differ (0 XOR 0 = 0, 0 XOR 1 = 1, 1 XOR 0 = 1, 1 XOR 1 = 0), so XOR-ing twice with the same value gives back the original (x XOR k XOR k = x), which is why XOR is used both to apply a key and to remove it.

2.3 Symmetric cryptography/secret key

In this kind of cryptography key1 and key2 are the same key (K): a single key shared by sender and receiver. The mathematical rules used are very simple, so the computational load is low, and it is used for data encryption. We define the ciphertext as C = enc(K, P) and the plaintext as P = dec(K, C). The key is fed into the algorithm that encrypts the message, and the data are sent; at the receiver, the data need the key to be decrypted. How do we send the key? This is the main problem of symmetric cryptography. The slide lists many encryption algorithms. DES is the worst one: if you find it somewhere there can be two reasons, either it is something old or they want to spy on you, because a 56-bit key is not enough; AES is the best one. Why are there so many algorithms (many more than the ones on the slide)? For political reasons (more or less each country has its own), and because there are many kinds of devices and computational strengths (some algorithms suit some environments better). The slide also uses the word ”block”: blocks are the way the message is divided. In the first case, for example, the message to send is divided into blocks of 64 bits, not one more, not one less. These algorithms are called block encryption algorithms.

2.3.1 DES

Data Encryption Standard (DES) uses a 56-bit key plus 8 parity bits, for a total of 64 bits. In particular, after every 7 bits the 8th is a parity bit, so only 56 bits are meaningful and the attacker has to guess only 56 bits. This is the only algorithm with a difference between the nominal key and the effective one. It uses 64-bit data blocks. It was designed to be efficient in hardware, because it requires only XOR, shift and permutation (rearranging the bits of a register according to a fixed pattern).
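As an added example (not from the notes), the following Python checks and repairs the DES parity bits and extracts the 56 meaningful bits, which shows why two keys that differ only in their parity bits are the same key to an attacker. It assumes the FIPS 46 convention: the least significant bit of each key byte is set so that the byte has an odd number of 1 bits; the sample keys are constructed.

```python
# DES key parity helpers (added example; FIPS 46 odd-parity convention assumed:
# the least significant bit of each of the 8 key bytes is a parity bit, so only
# 7 bits per byte, 56 in total, are meaningful).

def _popcount(b: int) -> int:
    return bin(b).count("1")

def des_parity_ok(key: bytes) -> bool:
    """True when every key byte has odd parity, i.e. the key is well formed."""
    if len(key) != 8:
        raise ValueError("a DES key is exactly 8 bytes (64 bits)")
    return all(_popcount(b) % 2 == 1 for b in key)

def des_set_parity(key: bytes) -> bytes:
    """Recompute the 8 parity bits without touching the 56 meaningful bits."""
    if len(key) != 8:
        raise ValueError("a DES key is exactly 8 bytes (64 bits)")
    fixed = bytearray()
    for b in key:
        top7 = b & 0xFE                         # drop the old parity bit
        lsb = 0 if _popcount(top7) % 2 else 1   # choose lsb so the byte has odd parity
        fixed.append(top7 | lsb)
    return bytes(fixed)

def des_effective_key(key: bytes) -> int:
    """The 56 bits the attacker actually has to guess, packed into an int."""
    value = 0
    for b in key:
        value = (value << 7) | (b >> 1)         # keep the 7 high bits of each byte
    return value

def same_effective_key(k1: bytes, k2: bytes) -> bool:
    """Two keys that differ only in parity bits drive DES identically."""
    return des_effective_key(k1) == des_effective_key(k2)

if __name__ == "__main__":
    # constructed sample key: every byte has an even number of 1 bits (wrong parity)
    raw = bytes.fromhex("0011223344556677")
    good = des_set_parity(raw)
    print("parity ok before:", des_parity_ok(raw), "after:", des_parity_ok(good))
    print("repaired key:", good.hex())
    print("same effective key:", same_effective_key(raw, good))
    print("key space: 2^%d" % des_effective_key(bytes([0xFE] * 8)).bit_length())
```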

2.3.2 Triple DES (3DES, TDES)

This kind of encryption repeats DES three times (encrypting three times). Actually the EDE mode, Encrypt-Decrypt-Encrypt with different keys, is used:

  • 3DES with 2 keys encrypts with K1, decrypts with K2 and encrypts again with K1 (it is not normally used, because with K1 = K2 it collapses into a classic DES);

C′ = enc(K1, P) (1)
C′′ = dec(K2, C′) (2)
C = enc(K1, C′′) (3)

  • 3DES with 3 keys encrypts with K1, decrypts with K2 and encrypts with K3;

C′ = enc(K1, P) (4)
C′′ = dec(K2, C′) (5)
C = enc(K3, C′′) (6)

If the time for processing is T, with 3DES it is 3T. But why do we need to spend so much time? Why don’t we just use double encryption?

2.3.3 Double DES

We don’t have to use it because it can be used to perform an attack called meet-in-the-middle which allows to decrypt data with at most 2N^ +1^ attempts (if the keys are N-bit long). So, you have doubled the processing time, gaining only 1 resistance bit. That’s the reason why the double version of encryption algorithms is never used. If the base symmetric algorithms would ba a mathematical group, you don’t won’t have neither 1 bit more. Let’s try to understand the meet-in-the-middle attack. The hypothesis are that that the keys are N bit long and we know P and C as C = (K2, enc(K1, P)). How can we know C e P? If I send a message on a line of communication, I can, then, look at the communication and catch C and P. We can break the formula into two so as to obtain for each M = enc(k1, P) and C = enc(K2, M). At this point, given N bit of key, I try all the possible combination of bits to find X and Y, encrypting and decrypting:

  • compute $2^N$ values $X_i = \mathrm{enc}(K_i, P)$
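The meet-in-the-middle attack above, as an added example in Python that is not part of the original notes: the block cipher is a constructed 4-round Feistel toy (16-bit block, 12-bit key) chosen only so that the whole key space can be enumerated in a fraction of a second; it stands in for DES and is not secure. The point it makes is that recovering both keys costs about $2^{N+1}$ operations instead of $2^{2N}$.

```python
# Added example (not from the notes): meet-in-the-middle against double encryption.
# The cipher is a constructed 4-round Feistel toy (16-bit block, 12-bit key); NOT secure.
KEY_BITS = 12
ROUNDS = 4

def _subkeys(key):
    return [((key >> (3 * i)) ^ ((key * 0x35) >> i)) & 0xFF for i in range(ROUNDS)]

def _f(r, k):                                   # round function: add, rotate, square
    x = (r + k) & 0xFF
    x = ((x << 3) | (x >> 5)) & 0xFF
    return (x * x + 0x3D) & 0xFF

def enc(key, p):
    """Encrypt one 16-bit block under one 12-bit key."""
    l, r = p >> 8, p & 0xFF
    for k in _subkeys(key):
        l, r = r, l ^ _f(r, k)
    return (l << 8) | r

def dec(key, c):
    """Inverse of enc: run the Feistel rounds backwards."""
    l, r = c >> 8, c & 0xFF
    for k in reversed(_subkeys(key)):
        l, r = r ^ _f(l, k), l
    return (l << 8) | r

def double_enc(k1, k2, p):
    return enc(k2, enc(k1, p))                  # C = enc(K2, enc(K1, P))

def meet_in_the_middle(pairs):
    """pairs: known (P, C) pairs produced with the same (K1, K2).
    Cost is 2^N encryptions plus 2^N decryptions, about 2^(N+1) operations,
    instead of the 2^(2N) a brute force over both keys would need."""
    p0, c0 = pairs[0]
    table = {}
    for k1 in range(1 << KEY_BITS):             # forward half: X_i = enc(K_i, P)
        table.setdefault(enc(k1, p0), []).append(k1)
    found = set()
    for k2 in range(1 << KEY_BITS):             # backward half: Y_j = dec(K_j, C)
        for k1 in table.get(dec(k2, c0), ()):   # X_i == Y_j: candidate (K_i, K_j)
            if all(double_enc(k1, k2, p) == c for p, c in pairs[1:]):
                found.add((k1, k2))             # survives the extra known pairs
    return found

if __name__ == "__main__":
    k1, k2 = 0x3A7, 0xC12                       # constructed secret keys
    pairs = [(p, double_enc(k1, k2, p)) for p in (0x1234, 0xBEEF, 0x0042)]
    print(meet_in_the_middle(pairs))            # includes (0x3A7, 0xC12)
```

A single (P, C) pair leaves many false candidates when the block is short, which is why the extra known pairs are used to filter them.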

will be encrypted in different ways and, if someone performs the swap, the result will be wrong. But we have a problem: as we said before, the most attacked block is the first one, and in this case this block does not have any block before it. We need to create something additional, the initialization vector (IV), to start the procedure. It should be a random value, used only to manipulate the first block and to give it the same protection as the other blocks. In the decryption phase, we need to cancel the effect of the XOR: first we decrypt the ciphertext block, then we XOR it with the previous ciphertext block, so as to cancel the effect of the XOR. The receiver should also know the IV, so it must be transmitted to the destination as well. How do we send it? The first approach is to send the IV in clear: even if the attacker knows the IV, he cannot encrypt the header directly, only the header XORed with the IV. So, if you have an IV, pre-computation is not possible, because the header will be different every time (being XORed with a different IV). In the second approach, if you do not want to send the IV in clear, you can use ECB to encrypt the IV (if it is a single block) and CBC for the rest. A single transmission error generates an error at decryption in two blocks (the damaged block and the following one).

Padding We can do padding if some data do not fit perfectly in a block. It is typically applied to large data, on the last fragment resulting from the division into blocks. If the data size is smaller than the block size, we prefer ad-hoc techniques (CFB, OFB, CTR, ...). How do we do that? If we have 2 bits in one block, we add another 62 bits to complete the block. Even if the plaintext is an exact multiple of the block, padding must be added anyhow to avoid errors in the interpretation of the last block. So, if you think that you do not need padding because your data divide perfectly into blocks, you actually need the biggest padding block (64 bits). YOU CAN NEVER HAVE 0 PADDING. So the padding length is always between 1 and the size of the block. The problems in this case are that we are transmitting/storing more data than needed and, then, which value do the padding bits take? There are several padding techniques. Why are there so many? Some of them offer minimal integrity control: if the key is wrong or the data is manipulated, then the padding bytes are incoherent (e.g. wrong padding values). With SSH2 padding, equal data gives different ciphertext. The padding type for a certain algorithm determines the type of some possible attacks.
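The two rules above (the padding length is always between 1 and the block size, never 0, and incoherent padding signals a wrong key or a manipulated last block) as an added Python example that is not code from the original notes; the padding scheme used is the PKCS#7 style "n bytes of value n", on an 8-byte DES-sized block.

```python
# Added example (not from the notes): PKCS#7-style padding for a block cipher.
BLOCK = 8    # DES-sized block in bytes; BLOCK = 16 gives the AES variant

def pad(data: bytes, block: int = BLOCK) -> bytes:
    """Append n bytes of value n, with 1 <= n <= block (never 0).
    An exact multiple of the block size still receives a full block of
    padding, otherwise the receiver could not tell data from padding."""
    n = block - (len(data) % block)
    return data + bytes([n]) * n

def unpad(data: bytes, block: int = BLOCK) -> bytes:
    """Remove the padding, raising ValueError when it is incoherent.
    Incoherent padding is what a wrong key or a manipulated last block
    produces, so this doubles as the minimal integrity control."""
    if not data or len(data) % block:
        raise ValueError("length is not a multiple of the block size")
    n = data[-1]
    if not 1 <= n <= block or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]

def padding_is_coherent(data: bytes, block: int = BLOCK) -> bool:
    """True if unpad() would accept the buffer.  Run this only on ciphertext
    that was already authenticated (MAC or AEAD): a valid/invalid answer on
    unauthenticated data is information an attacker can use."""
    try:
        unpad(data, block)
        return True
    except ValueError:
        return False

def padding_lengths(max_len: int = 2 * BLOCK) -> list:
    """Padding bytes added for each plaintext length 0..max_len: the values
    cycle through block, block-1, ..., 1 and never reach 0."""
    return [len(pad(bytes(n))) - n for n in range(max_len + 1)]
```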

CTS (Ciphertext stealing) CTS permits using block algorithms without padding. It works like this: the last partial block is filled with bytes from the second-to-last block, these bytes are removed from the second-to-last block (which becomes a partial one), then, after encryption, the positions of the last and second-to-last blocks are exchanged. It is really useful when we cannot increase the size of the data after encryption, but the computation time slightly increases. Let's have an example of how CTS works with ECB (encryption). We start from the two blocks $P_{n-1}$ and $P_n$. We first encrypt $P_{n-1}$, then we cut the result into two pieces; the first one (the head) has the same size as $P_n$, while the second one (the tail) has the same size as the missing piece of $P_n$. So, we take the tail and we put it next to the last block, then we encrypt it (so that the tail is encrypted twice). At the end we swap the positions of the two blocks.

Now, we go to the decryption phase. We take $C_{n-1}$ and decrypt it to create $D_n$, then we pad $C_n$ with the ciphertext extracted from the tail end of $D_n$. We select the first M bits of $D_n$ to create $P_n$. We queue this last (possibly partial) block for eventual output. Then, we decrypt $E_{n-1}$ to create $P_{n-1}$. C = AES-128-ECB-CTS contains all the information needed to send the data to the destination. But we said that we never use ECB, so let's now move to CBC. We start from the two blocks $P_{n-1}$ and $P_n$, where we add all 0s to complete the last block. The first thing to do is to XOR $P_{n-1}$ with the previous ciphertext and then encrypt it ($E_{n-1}$). Then, we use this whole block to XOR with $P_n$ and we encrypt
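The ECB and CBC ciphertext-stealing procedures described here, as an added Python example that is not code from the original notes. E and D are a constructed bytewise affine permutation standing in for DES/AES (not secure, only invertible); the encrypt-twice-then-swap of the last two blocks follows the ECB description above, and the CBC variant completes the zero-padded last block in the same way, swapping the last two ciphertext blocks even when the last plaintext block is full.

```python
# Added example (not from the notes): CTS for ECB and CBC. E/D are a constructed affine byte permutation (NOT secure).
B = 8                                            # block size in bytes (DES-sized)

def E(block):
    return bytes((5 * x + 7) & 0xFF for x in block)
def D(block):                                    # inverse of E, since 5 * 205 == 1 (mod 256)
    return bytes(((x - 7) * 205) & 0xFF for x in block)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _split_last(length):                         # -> (blocks before the last one, last length m)
    full, m = divmod(length, B)
    return (full - 1, B) if m == 0 else (full, m)

def ecb_cts_encrypt(data):
    assert len(data) > B, "CTS needs more than one block"
    full, m = _split_last(len(data))
    out = [E(data[i:i + B]) for i in range(0, (full - 1) * B, B)]   # untouched blocks
    e_prev = E(data[(full - 1) * B:full * B])    # E_{n-1}
    head, tail = e_prev[:m], e_prev[m:]          # head is as long as P_n; tail fills the gap
    return b"".join(out) + E(data[full * B:] + tail) + head           # swap: full block first

def ecb_cts_decrypt(data):
    full, m = _split_last(len(data))
    out = [D(data[i:i + B]) for i in range(0, (full - 1) * B, B)]
    d_n = D(data[(full - 1) * B:full * B])       # D_n = P_n || tail
    p_prev = D(data[full * B:] + d_n[m:])        # rebuild E_{n-1} = head || tail and decrypt it
    return b"".join(out) + p_prev + d_n[:m]

def cbc_cts_encrypt(iv, data):
    assert len(data) > B and len(iv) == B
    full, m = _split_last(len(data))
    prev, out = iv, []
    for i in range(0, full * B, B):              # plain CBC up to and including P_{n-1}
        prev = E(xor(data[i:i + B], prev))
        out.append(prev)
    p_n = data[full * B:] + bytes(B - m)         # P_n completed with zeros
    c_n = E(xor(p_n, prev))                      # prev is E_{n-1}
    return b"".join(out[:-1]) + c_n + prev[:m]   # swap: C_n first, then the head of E_{n-1}

def cbc_cts_decrypt(iv, data):
    full, m = _split_last(len(data))
    prev, out = iv, []
    for i in range(0, (full - 1) * B, B):        # plain CBC on the untouched blocks
        out.append(xor(D(data[i:i + B]), prev))
        prev = data[i:i + B]
    d_n = D(data[(full - 1) * B:full * B])       # (P_n || 0s) XOR E_{n-1}
    e_prev = data[full * B:] + d_n[m:]           # head || stolen tail
    return b"".join(out) + xor(D(e_prev), prev) + xor(d_n[:m], e_prev[:m])
```

In both modes the ciphertext has exactly the length of the plaintext, which is the property CTS exists for.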