0% found this document useful (0 votes)

7 views

ECS726 Week01

Uploaded by

ashjo747

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

7 views

ECS726 Week01

Uploaded by

ashjo747

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 70

ECS726: Security and Authentication

Week 1: Introduction

Pasquale Malacaria

EECS, QMUL
Motivation
Motivation: A practical example

Consider an email exchange where Alice send an email to

Bob.

• What expectations Alice and Bob may/should have

about this exchange?
• A minimal common expectation is that the email is
not lost!
• what else?

1
Motivation: A practical example

Alice might ask herself:

• Am I happy that anyone could read this email, or do I

only want Bob to see it?
• How can I make sure that my email reaches Bob
without being changed?

2
Motivation: A practical example

Bob might ask himself:

• How can I have confidence that this email actually

came from Alice?
• Can I be sure that this is the email that Alice intended
to send me?
• Is it possible that Alice could deny in the future that
she sent me this email?

3
fundamental security problems

Availability: the email is not lost

Confidentiality: Data cannot be viewed by unauthorised
users (only Bob should read that email)
Integrity: Data should not be altered by unauthorised
users (the email shouldn’t be altered)
Origin authentication: the given entity is the source of
the received data (the email was from Alice)
Non repudiation: an entity cannot deny a previous
commitment or action (Alice cannot deny she
sent the email)
Entity authentication: assurance that a given entity is
currently active in the communication
4
Motivation: Cryptography

Cryptography provides the tools and techniques to

address several of these problems.

• it is used everyday: Internet , Email, Messaging, Wifi,

Mobile telephony, banking, digital rights (e.g. in video
broadcasting), blockchain, eID cards, . . .

5
Motivation: Information Security

Information Security (Cyber Security)

Protection of information and information systems

• The system can be a simple e-ID card reader, or as

complex as an entire organization (involving PCs,
smart phones, servers, wired and wireless networks,
OS, middleware, applications, external services, staff,
customers, etc.).

Cryptography
is an essential part of Information Security but there is
more to it than cryptography

6
Motivation: Cryptography vs security

Cryptography is not everything: security needs a holistic

approach.

• All components of the system needs to be designed,

configured, and used securely:
• Physical security (doors, locks, CCTV)
• Network infrastructure (routers, cables, wifi)
• Hardware, firmware, Middleware
• Operating System, Applications
• Business logic
• And above all: humans!

We discuss some of these in the 2nd half of the module.

7
Basic Cryptographic Services
Basic Setting

The basic setting of a cryptosystem is a peer-to-peer

communication between Alice and Bob that may be
intercepted and modified by Eve:

Channel of Communication

Listen Modify
Alice Bob

Eve

8
Basic Setting

Basic setting of a cryptosystem:

Channel of Communication

Listen Modify
Alice Bob

Eve

Other possible settings: broadcast (multiple recipients),

file storage (sender and recipients the same entity), . . .
9
Basic Setting

Basic setting of a cryptosystem:

Channel of Communication

Listen Modify
Alice Bob

Eve

• Note that entities (or users e.g. Alice, Bob, Eve) can
be humans, computers, devices, etc.; whoever or
whatever is taking part in the processing of data. 10
Basic Setting

Channel of Communication

Listen Modify
Alice Bob

Eve

Passive Setting: unauthorized access to data

(eavesdropping, copying restricted files, etc.).
Active Attack: unauthorised alteration, deletion,
transmission or access prevention to data. 11
Security Services

▶ A security service is a specific security goal.

Confidentiality (aka. “secrecy”) the assurance that data
cannot be viewed by an unauthorised user.
▷ this is the classic security service, which
we also consider first.

Channel of Communication

Listen
Alice Bob

Eve

12
Security Services

Data Integrity the assurance that data has not been

altered in an unauthorised manner (including
accidental errors).
▷ This assurance applies from the time the
data was last created, transmitted, or
stored by an authorised user.
- note: Data integrity focuses on ‘detecting”
alteration of data, not necessarily on “preventing”
it.

Channel of Communication

Listen Modify
Alice Bob

Eve
13
Security Services

Data Origin Authentication assurance that a given

entity was the original source of a data.
▷ data origin authentication is sometimes
referred to as “message authentication”
since it is concerned with the
authentication of the data (message) and
not who we are communicating with at
the time the data is received.
▷ the time of creation or the immediate
source of data is not of concern.

14
Security Services

Entity Authentication the assurance that a given entity

is involved and currently active in a
communication session.
▷ entity authentication can also be referred
to as “identification” because it is
concerned with determining: who am I
communicating with now, in real time?

15
Security Services

Non-repudiation the assurance that an entity cannot

deny a previous commitment or action (to a
“third party”)
▷ desirable in situations where there is the
potential for a dispute over the exchange
of data.

16
Relationships between security services

▶ Data Origin Authentication is a Stronger Notion than

Data Integrity
▷ data origin authentication requires data integrity
▷ this is just a logical statement: if we cannot be sure if
data has been tampered with or not, how can we
ascertain the identity of its creator?
▷ data origin authentication is data integrity with the
extra property of assurance of the identity of the
original source of the data.

17
Relationships between security services

▶ Non-Repudiation of a Source is a Stronger Notion

than Data Origin Authentication
▷ we can only bind the source to the data, in a manner
that cannot be later denied, if we have assurance that
the data itself is from that source.
▷ hence, non-repudiation requires data origin
authentication (and therefore, in turn, data integrity)

18
Relationships between security services

▶ Data Origin Authentication and Entity Authentication

are Different
▷ for instance, regarding an email, we need data origin
authentication and entity authentication is rather
meaningless;
▷ on the other hand, before “authorizing” an entity to
use a resource, we need entity authentication.
▶ Data Origin Authentication Plus a Freshness Check
can Provide Entity Authentication
▷ this is because we then are certain who the data
originated from and that the originator is involved in
the current communication session.

19
Relationships between security services

▶ Confidentiality Does Not Imply Data Origin

Authentication
▷ because for instance an adversary (Eve) can also
re-arrange the encrypted messages of (Alice), or
slightly modify them, so that they decrypt to a
legitimate message, which is obviously not originated
(created) by the sender (Alice);
▷ we usually need both, but they should be explicitly
and separately shown to be provided.

20
Basic cryptographic terminology

cryptography design and analysis of mechanisms based

on mathematical techniques that provide
fundamental security services.
▷ it comes from the Greek word kryptos
meaning “hidden”, “concealed”, “secret”.
cryptographic primitive a cryptographic process that
provides a number of specified security
services.
▷ examples: block ciphers, stream ciphers,
message authentication codes, hash
functions, and digital signature schemes

21
Basic cryptographic terminology

cryptographic algorithm the particular specification of a

cryptographic primitive (sufficiently detailed
such that a programmer could implement it).
▷ e.g., AES is a cryptographic algorithm
that specifies a block cipher
cryptographic protocol a sequence of message
exchanges and operations between one or
more parties, at the end of which a series of
security goals should have been achieved
▷ e.g., SSL/TLS
cryptosystem (aka. “cipher system”) the implementation
of some cryptographic primitives and their
accompanying infrastructure
22
Basic model of a cryptosystem for confidentiality

23
Basic model of a cryptosystem for confidentiality

plaintext the raw data to be protected during

transmission from sender to receiver.
▷ also said to be in the “clear”
ciphertext the scrambled version of the plaintext that
results from applying the encryption algorithm
(and the encryption key) to the plaintext.
▷ ciphertext is not a secret and can be
obtained by anyone who “eavesdrops”
the channel.
▷ no-one should be able to extract
(compute) the plaintext from cipher-text
without having the decryption key.
24
Basic model of a cryptosystem for confidentiality

encryption algorithm the set of rules that determines,

for any given plaintext and encryption key, a
ciphertext.
decryption algorithm the set of rules that determines,
for any given ciphertext and decryption key, a
unique plaintext.
encryption key a value that the sender inputs into the
encryption algorithm along with the plaintext
in order to compute the ciphertext.
decryption key is related to (but not always identical to)
the encryption key. The receiver inputs the
decryption key into the decryption algorithm
along with the ciphertext to get the plaintext.
25
Basic model of a cryptosystem for confidentiality

keyspace the collection of all possible decryption keys

interceptor (aka “adversary” or “attacker”) an entity other
than the sender or receiver who attempts to
determine the plaintext.
▷ The interceptor will be able to see the
ciphertext. The interceptor may know the
decryption algorithm. The one piece of
information the interceptor must not know
is the decryption key.

26
Encryption: an example of coding

▶ encryption/decryption is an example of
coding/decoding, esp. called cryptographic coding.
▶ other types of coding (each for a specific purpose):
▷ “source-coding”: compression
▷ “channel-coding”: error-correction
▷ “line-coding”: modulation

Astonishingly, most of the

fundamental ideas of all of the
above (and much more) was
developed by Claude C. Shannon
(the father of “information theory”)
during the 40s.

27
comparison to other security mechanisms

▶ Encryption vs. Access Control (AC): hardware, OS

and middleware mechanisms to prevent unauthorised
users from accessing data. However, it is tied to the
location the data resides, difficult to achieve when
data is in “communication” (e.g. in cloud-computing).
▷ AC’s confidentiality guarantee is solely based on
enforcing lack of access to entire data, in contrast, in
encryption, the adversary can see the entire
ciphertext, and only does not have the decryption key.
▷ the majority of our data protection is through AC, so
we will return to this important topic in week 8.

28
comparison to other mechanisms

▶ Encryption vs. Steganography: steganography is

about “information hiding”: plaintext is embedded in
another non-secret data (e.g. an image) and the
combined is sent; only the receiver knows that a
hidden plaintext “exists” in the first place, and how to
look for it.

29
comparison to other mechanisms

• These mechanisms can of course be combined to

provide “multiple layers” of security:
▷ an adversary who gets around the access control to a
computer/channel, if notices hidden
information/traffic, will only find it in encrypted format.
▷ however, steganography seems to be rarely used in
practice seriously, because it does not provide any
“guarantees”.
▷ that said, for different security services, related
techniques such as “digital watermarking” (to assert
ownership of a data) and “honeypots” (to detect
unauthorised access) are in frequent use.

30
Symmetric vs. Public-Key cryptosystem

symmetric (key) cryptosystems the encryption key and

the decryption key are “essentially” the same.
▷ even if they are not the same, they can be
readily derived from each other.
public-key cryptosystems the encryption key and the
decryption key are fundamentally different.
▷ ⇒ aka. “asymmetric cryptosystems”
▷ it is computationally infeasible to
determine the decryption key from the
encryption key (this is not an intuitive
property, in fact, quite amazing!).

31
Symmetric vs. Public-Key cryptosystem

▶ in both symmetric and public-key cryptosystems, the

decryption key should be kept secret (from adversary)
▷ in symmetric-key crypto, the sender also knows the
decryption key (but not adversary), whereas in
public-key crypto, everyone can know the encryption
key (hence the name: public key), incl. the adversary!

32
Symmetric vs. Public-Key cryptosystem

▶ in both symmetric and public-key crypto, the

encryption and decryption are closely tied (so that
only each can “neutralize” the effect of the other).
▷ in symmetric crypto, the decryption and encryption
keys are essentially the same, while in public-key, it is
(computationally) impossible to derive the decryption
key from the encryption key!
• this is thanks to the magic of mathematics! we will
see example of this (weirdness) in subsequent weeks.

33
Making the encryption algorithm known

▶ It may be tempting to keep the detail of the

encryption/decryption “algorithm” secret (on top of
the decryption key). However:
▷ a device implementing the algorithm can be “reverse
engineered” to extract the algorithm;
▷ the details of the algorithm may be accidentally or
deliberately leaked to the public domain.

▶ Kerckhoff’s principle: the cryptographic algorithm

should not be required to be secret (it should stay
secure even if the detail of the algorithm is revealed).
▷ Essentially, all the “hidden” stuff should be
concentrated in the decryption key.

34
Making the encryption algorithm known

The case for using publicly known algorithm (as opposed

to proprietary algorithms):
▷ Scrutiny: public algorithms are studied by a wide
range of experts and perhaps adopted by public
standardisation bodies;
▷ Interoperability: much easier to adopt and implement
publicly known algorithms in open networks (esp.,
when requiring secure communications with external
clients, perhaps in the future);
▷ Transparency: easier to convince a trading partner
that their systems are secure if the security
techniques they employ are open to assessment by
their partners. 35
Cryptosystem security assumptions

the attacker (eavesdropper, adversary) knows:

1. all transmitted ciphertexts
2. some corresponding plaintext-ciphertext pairs, due to
▷ receiver’s failure to keep decrypted ciphertexts secret;
▷ some predictable plaintexts (e.g. document headers);
▷ the attacker has influenced the choice of plaintexts
encrypted by the sender;.
▷ the attacker has (temporary) access to either the
encryption or decryption device (its interface);
▷ in case of a public-key cryptosystem, the encryption
key is known to any attacker, so they can generate as
many plaintext-ciphertext pairs as they wish.
3. the details of the encryption algorithm
36
Cryptosystem security assumptions

some terminology of cryptographic attacks:

ciphertext-only attacks attacker only knows the

encryption algorithm and some ciphertext;
known-plaintext attacks ∼ and some arbitrary
plaintext/ciphertext pairs;
chosen-plaintext attacks ∼ and some
plaintext/ciphertext pairs that correspond to
plaintexts chosen by the attacker.

Note that these are increasingly powerful attacks (why?)

37
Breaking encryption algorithms

Breaking an encryption algorithm: a method of

determining the plaintext from the ciphertext that does not
involve being legitimately given the decryption key.

1. determining the decryption key directly (the most

powerful type of break, since it allows decryption of
all other ciphertexts corresponding to that key);
2. deducing a plaintext from the corresponding
ciphertext without first determining the decryption key.

38
Exhaustive key searches

Exhaustive key search can be used to break almost all

encryption algorithms (with a notable exception to come!).

▷ This attack, also known as a brute-force attack

provides a ‘benchmark’ against which the
effectiveness of other attacks can be measured.
▷ It simply involves decrypting the ciphertext with
different decryption keys (from the “key-space”) until
candidates for the correct decryption key are found.

39
Exhaustive key searches

The candidate decryption keys can be identified from:

▷ some known plaintext/ciphertext pairs: if a decryption

key successfully decrypts the known ciphertexts into
the corresponding known plaintexts, it’s a candidate!
▷ knowledge of the plaintext language: if the plaintext is
in a known language, such as English, then the
attacker will be able to use the statistical properties of
the language to recognise candidate plaintexts, and
hence candidate decryption keys.
▷ contextual information: e.g. specific
strings/characters or format in the plaintext.

40
some generic cryptographic attacks

▶ Dictionary attacks involve compiling a type of

‘dictionary’, e.g.:
▷ in a cryptosystem with a fixed key, the dictionary may
consist of ciphertexts corresponding to plaintexts the
attacker has been able to learn by some means.
▷ in a cryptosystem where keys are “derived” from
passwords, the attacker compiles a dictionary of likely
passwords and then derives the resulting keys from
them, used for a (more intelligent than brute-force)
exhaustive key search.
▶ Time memory trade-off combining a pre-computed
table (dictionary) and exhaustive search.

41
some generic cryptographic attacks

▶ Side-channel attacks not directed against the

theoretical design of a cryptographic primitive, but
rather on its implementation; e.g.:
▷ timing attacks: different processor computations may
take slightly different “times” to compute depending
on the value of the key.
▷ power analysis: different processor computations
may take slightly different “electric power” to compute
depending on the value of the key.
▷ fault analysis: inducing errors in a cryptosystem and
studying the resulting output for useful information.
▷ padding attacks: manipulating the “padding” process
and monitoring the resulting error messages.
42
Historical Cryptosystems (and
why they are all useless!)
Historical Cryptosystems

They are all:

• symmetric cryptosystems (predate the discovery of

public-key cryptography)
• designed to provide confidentiality only.
• described as operating on alphabetic characters (in
contrast to modern cryptosystems, which generally
operate on binary numbers
• each is completely unsuitable for use in modern
cryptographic applications

So, we only study them to internalize some concepts and

grasp intuition.
43
Caesar Cipher

▶ Julius Caesar: (100 BC – 44 BC) used this method in

his private correspondence ⇒ Caesar (shift) cipher

Plaintext : THE QUICK BROWN FOX JUMPS . . .

Ciphertext : QEB NRFZH YOLTK CLU GRJMP . . .

Question: What is the “key” in the above example?

44
Caesar Cipher

Z A B
Y 25 0 1 C plaintext ciphertext
24 2 D
X3 W X Y
2 V 22 23 24 2 Z A 3
1 5 D (3) A (0)
19 20 21 W

U 02

E
0
P Q R S 2

4
2
2

B 2 3 4 5 6G
O 4 15 16 17 18 19T

−3 E (4) B (1)
U V

F G
1

5
C D E F
.. ..

6 7
. .

H
T

Z (25) W (22)
18

8
S

I
1

13
7
A (0) X (23)
R7

H
1

8 2
J
I J9 10 11 1M N 16 10
11 K L 5 Q
12 1
K B (1) Y (24)
14 P L
M 13
N O C (2) Z (25)
D (3) A (0)

45
Caesar Cipher