CS 623
RR format
(name, value, type, ttl); type=A (address): name is hostname, value is IP address; type=NS: name is domain, value is IP address of authoritative name server for this domain; type=MX: value is name of mailserver associated with name
DNS Hierarchy
1) root DNS servers; 2) com - yahoo, amazon; org - pbs; edu - uab, umass
how big should n be?
1024 bits
IPv6
128 bits, written as hexadecimals separated by colons
Five regional internet registries
African Network Information Centre (AFRINIC); American Registry for Internet Numbers (ARIN); Asia Pacific Network Information Centre (APNIC); Latin America and Caribbean Network Information Centre (LACNIC); Réseaux IP Européens Network Coordination Centre (RIPE NCC)
Protocols
application layer; transport layer; network layer; link layer
requirements of cryptographic hash functions
can be applied to data of any length; output is a fixed length, usually very short; relatively easy to compute h(x), given x; function is deterministic; infeasible to get x, given h(x) - one-way property; infeasible to find any pair x and y (x≠y) such that h(x) = h(y) - collision resistance property
decryption
cipher text is converted back into plain text
What is the internet?
collection of networks that are interconnected; uses TCP/IP to route data, broken into packets or datagrams, from the source to the destination; a bunch of application layer protocols run on top of TCP/IP, allowing hypertext, emails, VoIP
public key cryptography applications
communication: SSL/TLS, SSH, HTTPS to establish connections over the internet; signatures: digitally sign documents and messages, ensuring authenticity and integrity; key exchange: secure exchange of symmetric encryption keys in protocols like Diffie-Hellman key exchange
security building blocks main pillars of security
confidentiality, integrity, availability, privacy, authentication, authorization
access control
control access to the information based on the identity or role of the user
public key cryptography
cryptographic method that uses pairs of keys: public keys, which may be disseminated widely; private keys, which are known only to the owner; enables secure communication over insecure channels; provides digital signatures, key exchange, and secure encryption
DES
data encryption standard; encrypts by a series of substitutions and transpositions; based on Feistel structure; worldwide standard for more than 20 years; designed by IBM (Lucifer) with later help from NSA; no longer considered secure for highly sensitive applications; replacement standard AES (advanced encryption standard) recently completed
packet-switched
data is broken up into packets and the packets are individually sent to the destination over network communication lines
electronic code book (ECB) mode
DES encrypts 64 bits at a time; it can encrypt a long message in electronic code book mode; deterministic - if the same key is used, identical plaintext blocks map to identical ciphertext; not even secure against eavesdroppers
DNS records
distributed db storing resource records (RR)
caesar cipher
each letter is shifted a fixed number of places
RSA:
earliest and widely used based on difficulty of factoring large prime numbers
Block cipher encryption modes
electronic code book (ECB); cipher block chain (CBC) - most popular
SMTP/IMAP
email protocols
IP Address
every device has a unique address; IPv4, IPv6
public key
every user has a private key and a public key; encryption done using the public key; decryption using private key
traceroute
for network path information; tracert - Windows; traceroute - Linux, Mac; uses ICMP protocol
ping
for network reachability testing and round trip time delay measurements; command line tool; uses the ICMP protocol
stream cipher
generates a keystream and encrypts by combining the keystream with the plaintext, usually with the bitwise XOR operation
IANA
global level: Internet Assigned Numbers Authority (IANA)
integrity mechanisms
hashes: short string of bits produced from a larger data object; digital signatures: similar to real life signatures, ensures both source integrity and data integrity
UDP
host to host data transmission protocol, it is connectionless
WhoIS databases
input: domain name or company name; output: registrar, whois server, DNS server
IANA
Internet Assigned Numbers Authority; manages IP address allocation
ICANN
Internet Corporation for Assigned Names and Numbers; controls the domain name system
key management public key cryptography
is essential to ensure the security of public key cryptosystems
closed design
keep cipher secret; bad practice; once it's public the whole system breaks apart; security is based on how secret the program is
open design
keep everything public, except the key; good practice
confidentiality
keeping your secrets; only those with a key can unlock an item; cryptography: symmetric key, public key
diffie-hellman key exchange
key agreement protocol that allows two parties to establish a shared secret key over an insecure channel
public key cryptography differences
key management problem potentially simpler; much slower than private key crypto
private key encryption: main functions
keygen: K = keygen(I), where I is a security parameter; enc: C = enc(K, M); dec: M = dec(K, C)
encryption
make the information incomprehensible to everyone except authorized parties
availability
making sure services are available; examines denial of service attacks; the property that information is accessible and modifiable in a timely fashion by those authorized to do so
authentication
making sure someone is who they claim to be (claimed identity); authentication factors: what you know, what you have, what you are
Elliptic Curve Cryptography (ECC)
more recent; offers equivalent security to RSA but with shorter key lengths, making it suitable for resource-constrained devices
Domain name resolution process
multi step iteration process; resolves a domain name to the corresponding IP address; ex: wikipedia.org - computer sends a query to the root name server, which reroutes to the .org nameserver, which then routes the query to wikipedia's nameserver, which returns the webserver's IP address; domain to IP address mapping is cached locally, at the network level
How long should the output (n bits) of a cryptographic hash function be?
n should be at least 160
capabilities of the attacker
no information besides the algorithm; ciphertext only - adversary knows only the ciphertext(s); known plaintext - adversary knows a set of plaintext-ciphertext pairs; chosen plaintext (CPA attack) - adversary chooses a number of plaintexts and obtains the corresponding ciphertexts; chosen ciphertext attack (CCA attack) - adversary chooses a number of ciphertexts and obtains the corresponding plaintexts
goals of the attacker
one-way security: learn plaintext and ciphertext; key recovery security: extract key; semantic security: learn info about plaintext linked to ciphertext
caesar cipher easy to break
only 25 possible brute force values, 1 to 25; e, t, a, o are the most common letters, so frequency analysis can be used
registrars
organizations where one can register a domain name; verifies uniqueness of name; enters domain name into various databases: whois & DNS
block cipher
partition plaintext into blocks and encrypt each block independently to produce ciphertext blocks
how to achieve security against CCA?
prevent any massaging of the ciphertext; this can be achieved by using integrity protection mechanisms; the ciphertext is generated using CBC and a MAC is generated on this ciphertext; both the ciphertext and the MAC are sent off; the other party decrypts only if the MAC is valid
integrity
preventing unauthorized changes; hashes and digital signatures are used to verify the trustworthiness of the data or source
protecting integrity
preventing unauthorized changes: no one should be able to modify something unless they are allowed to do so; detecting modifications: any unauthorized changes should be detectable
privacy
protecting private information
public key cryptography key components
public key, private key, encryption, decryption
private key cryptography differences
quite efficient; key distribution and management is a serious problem
cipher block chain (CBC) mode
randomized encryption; IV - initialization vector; serves as the randomness for first block computation; the ciphertext of the previous block serves as the randomness for the current block computation; IV is a random value; IV is no secret; it is sent along with the ciphertext (it is part of the ciphertext); secure against CPA attacks; automatically secure against eavesdropping attacks
random substitution cipher
randomly replace a letter by another letter
data routing
routers forward the data packets to the next hop based on their routing policies/tables and the destination IP address
type of authentication factors
secrets: password; tokens: hardware tokens, digital certificates; biometrics: fingerprints, iris, vein pattern, facial recognition, voiceprint
algorithm strength public key cryptography
security of public key cryptosystems depends on the strength of the underlying mathematical algorithms and the size of the keys used
during key generation:
select large primes - choose randomly; compute multiplicative inverses - efficient algorithm exists; during encryption and decryption - requires modular multiplication
private key
sender and receiver share a common key; encryption and decryption done using this key
brute force attacks: key recovery
since the key space is finite, a cryptanalyst can try and check all possible keys; for this to be infeasible, the key space should be large
enigma machine
used by Germans during WWII; its complexity and the subsequent efforts to break its codes marked a turning point in the history of cryptography
key
used to encrypt and decrypt; only those with the proper key can decrypt a cipher text; can be symmetric or asymmetric
cryptographic attacks public key cryptography
cryptosystems are vulnerable to various cryptographic attacks, including brute force attacks, man-in-the-middle attacks and chosen plaintext attacks
public key cryptography concept introduced by
Whitfield Diffie, Martin Hellman, Ralph Merkle
access control
who can access what object and what the user can do; how to restrict access; access control models
public key encryption
two keys: public encryption key e; private key encryption key d; encryption easy when e is known; decryption easy when d is known, hard when d is not known
key cipher
use a key to start the replacement and then shift the remaining letters
security model
1<2<3<4<5; 1 - hardest attack; 5 - easiest; a cryptosystem secure against 5 is the strongest (automatically secure against all less than) and one secure against 1 is the weakest
IPv4
4 bytes of data grouped as 4 octets separated by dots; 172.16.254.1; first three octets designate the network ID; last octet is the host ID in that network
DNS
Domain name system; distributed database implemented in a hierarchy of many DNS servers; a tree-like structure of name servers that keep the information needed to resolve a domain name to the corresponding IP address of the server; e.g. mail.google.com; e.g. 142.251.15.83
IETF
Internet Engineering Task Force; manages and formalizes internet standards/protocols
RSA Example
Let p = 7, q = 11. Then n = 77 and Φ(n) = 60. Choose e = 13. Then d = 13^(-1) mod 60 = 37. Let message = 2. E(2) = 2^13 mod 77 = 30. D(30) = 30^37 mod 77 = 2.
RSA: why does it work
Need to show: D[E[x]] = x; E[x] and D[y] can be computed efficiently if keys are known; E^(-1)[y] cannot be computed efficiently without knowledge of the (private) decryption key d. Also, it should be possible to select keys reasonably efficiently. This does not have to be done too often, so efficiency requirements are less stringent.
DES Security
S-box design not well understood; has survived some recent sophisticated attack; key is too short, hence is vulnerable to brute force attack; 1998 distributed attack took 3 months; 1,000,000 machines will crack DES in 35 minutes - 1997 estimate; 10,000 - 2.5 days
vernam cipher (unbreakable)
a given ciphertext can decrypt to multiple possible plaintexts with the same number of letters; they provide perfect secrecy, as the ciphertext leaks no information about the original message
substitution cipher
a simple encryption method where each letter in plaintext is replaced by another letter in ciphertext; may use mathematical formula or random substitution
cryptosystem
a suite of cryptographic algorithms for key generation, encryption of plaintext into ciphertext and decryption of ciphertext to plain text
hash
a unique fixed length bit fingerprint created from any data object
signature
a unique seal created by applying secret knowledge
AES
advanced encryption standard; goal - to define federal information processing standard (FIPS) by selecting a new powerful encryption algorithm suitable for encrypting government documents; MARS; RC6; Twofish; Serpent; Rijndael - winner
cipher
an algorithm used for encryption and decryption
one time pads (Vernam cipher)
an unbreakable and perfectly secret encryption method; encrypt: each plaintext letter is combined with a letter from a one time pad; decrypt: each letter in ciphertext is combined with the letter from the same one time pad in the same sequence
HTTP
application layer protocol that is used to transmit hypertext
cryptography
study of mathematical techniques to achieve various goals in information security, such as confidentiality, authentication, integrity, non-repudiation, etc.
integrity protections
tampering proof: prevents any type of modifications to the data; tamper evident: does not prevent any modification to data, but makes sure any such modification can be detected
Not secure against CCA why?
the ciphertext can be massaged and changed in a meaningful way
IP
the dominant networking protocols used in the internet; IP: internet protocols that define how packets are exchanged between two network points
TCP
the dominant networking protocols used in the internet; TCP: transmission protocol that controls data transmission between hosts and ensures reliable lossless data connections
ciphertext
the encrypted and unreadable data or message produced after applying an encryption algorithm
plaintext
the original and readable data or message before encryption
confidentiality
the property that information is not disclosed to unauthorized entities; secrets should be secrets unless you are authorized to access them
cryptanalysis
the study of breaking cryptographic systems or algorithms
Structures of the internet
tier 3: single/multi home networks that connect end users to higher level intermediate networks; tier 2: intermediate networks that connect tier 3 networks to the transit networks; tier 1: mostly telecom providers that connect to other tier 1 networks and can be used for transit
denial of service attack (DDoS)
to attack availability of a system; make it slow in performance, unavailable, or a critical part of the workflow congested, so that the whole system is slow
machine level authentication
to determine if we are getting data from the correct device
encrypt
to take plain text and use mathematical process to convert it to cipher text using an encryption algorithm or key