CS 623

RR format

(name, value, type, ttl) type=A (address) name is hostname, value is IP address type=NS name is domain, value is IP address of authoritative name server for this domain type=MX value is name of mailserver associated with name

DNS Hierarchy

1) root DNS servers 2) com - yahoo,amazon org - pbs edu - uab, umass

how big should n be?

1024 - bits

IPv6

128bits written as hexadecimals separated by colons

Five regional internet registries

African Network Information Centre (AFRINIC) American Registry for Internet Numbers (ARIN) Asia Pacific Network Information Centre (APNIC) Latin America and Caribbean Network Information Centre (LACNIC) Réseaux IP Européens Network Coordination Centre (RIPE NCC)

Protocols

Application layer Transport layer Network layer link layer

requirements of cryptographic hash functions

can be applied to data of any length output is a fixed length, usually very short relatively easy to compute h(x), given x function is deterministic infeasible to get x, given h(x) - one-way property infeasible to find any pair x and y (x≠y) such that h(x) = h(y) collision resistance property

decryption

cipher text is converted back into plain text

What is the internet?

collection of networks that are interconnected uses CP/IP to route data broken into packets or datagrams from the course destication bunch of application layer protocols run on top of TCP/IP allowing hypertext, emails, voip

public key cryptography applications

communication: SSL/TLS, SSH, HTTPS to establish connections over the internet signatures: digitally sign documents and messages, ensuring authenticity and integrity key exchange: secure exchange of symmetric encryption keys in protocols like diffie-hellman key exchange

security building blocks main pillars of security

confidentiality integrity availability privacy authentication authorization

access control

control access to the information based on the identity or role of the user

public key cryptography

cryptographic method that uses pairs of keys public keys which may be disseminated widely private keys which are known only to the owner enables: secure communication over insecure channels provides digital signatures, key exchange, and secure encryption

DES

data encryption standard encrypts by series of substation and transpositions based on feistel structure worldwide standard for more than 20 years designed by IBM (Lucifer) with later help from NSA no longer considered secure for highly sensitive applications replacement standard AES (advanced encryption standard) recently completed

packet-switched

data is broken up into packets and the packets are individually sent to the destination over network communication lines

electronic code book (ECB) mode

des encrypts 64 bits at a time, it can encrpyt a long message in electronic code book mode deterministic - if smae key used identical plaintext blocks map to identical ciphertext not even secure against eavesdroppers

DNS records

distributed db storing resource records (RR)

caesar cipher

each letter is shifted a fixed number of places

RSA:

earliest and widely used based on difficulty of factoring large prime numbers

Block cipher encryption modes

electronic code book (ECB) cipher block chain (CBC) - most popular

SMTP/IMAP

email protocols

IP Address

every dewvice has a unique address IPv4 IPv6

public key

every user has a private key and a public key encryption done using the public key decryption using private key

traceroute

for network path information tracert - windows traceroute - linux, mac uses ICMP protocol

ping

for network reachability testing and round trip times delay measurements command line tool uses the ICMP protocol

stream cipher

generates a keystream and encrypts by combining the keystream with the plaintext, usually with the bitwise XOR operation

IANA

global level: Internet Assigned Numbers (IANA)

integrity mechanisms

hashes: short string of bits produced from a larger data object digital signatures: similar to real life signatures, ensures both source integrity and data integrity

UDP

host to host data transmission protocol, it is connectionless

WhoIS databases

input: domain name or company name output: registrar, whois server, dns server

IANA

internet assigned numbers authority manages IP address allocation

ICANN

internet corporation for assigned names and numbers controls domain name system

key management public key cryptography

is essential to ensure the security of public key cryptosystems

closed design

keep cipher secret bad practice once its public then the whole system breaks apart, security is based on how secret the program is

open design

keep everything public, except the key good practice

confidentiality

keeping your secrets only those with a key can unlock an item cryptography symmetric key public key

diffie-hellman key exchange

key agreement protocol that allows two parties to establish a shared secret key over an insecure channel

public key cryptography differences

key management problem potentially simpler much slower than private key crypto

private key encryption: main functions

keygen: K = keygen(I) I is a security parameter enc: C = enc(K, M) dec: M = dec(K, C)

encryption

make the information incomprehensible to everyone except authorized parties

availability

making sure services are available examines denial of service attacks the property that information is accessible and modifiable in a timely fashion by those authorized to do so

authentication

making sure someone is who they claim to be (claimed identity) authentication factors what you know what you have what you are

Elliptic Curve Cryptography (ECC)

more recent offers equivalent security to RSA but with shorter key lengths making it suitable for resource-constrained devices

Domain name resolution process

multi step iteration process resolves a domain name to the corresponding IP address ex: wikipedia.org, computer sends a query to root name server, reroutes to .org nameserver, the routes the query to wikipedia's nameserver, returns the webserver's IP address domain to IP address mapping is cached locally, at the network level

How long should be the output (n bits) of a cryptographichash function?

n should be at least 160

capabilities of the attacker

no information besides the algorithm ciphertext only - adversary knows only the ciphertext(s) known plaintext - adversary knows a set of plaintext-cciphertext pairs chosen plaintext (CPA attack) - adversary chooses a number of plaintexts and obtains the corresponding ciphertexts chosen ciphertext attack (CCA attack) - adversary chooses a number of ciphertexts and obtains the corresponding plaintexts

goals of the attacker

one-way security: learn plaintext and ciphertext key recovery security: extract key semantic security: learn info about plaintext linked to ciphertext

caesar cipher easy to break

only 25 possible brute force values1 to 25 e, t, a, o are the most common letters picked so frequency analysis can be used

registrars

organizations where one can register a domain name verifies uniqueness of name enters domain name into various databases: whois & DNS

block cipher

partition plaintext into blocks and encrypt each block independently to produce ciphertext blocks

how to achieve security against CCA?

prevent any messaging of the ciphertext this can be achieved by using integrity protection mechanisms the ciphertext is generated using CBC and a MAC is generated on this ciphertext both ciphertext and the MAC sent off the other party decrypts only if MAC is valid

integrity

preventing unauthorized changes hashes and digital signatures are used to verify the trustworthiness of the data or source

protecting integrity

preventing unauthorized changes: no one should be able to modify something unless they are allowed to do so detecting modifications: any unauthorized changes should be detectable

privacy

protecting private ionformation

public key cryptography key components

public key private key encryption decryption

private key cryptography differences

quite efficient key distribution and management is a serious problem

cipher block chain (CBC) mode

randomized encryption IV - initialization vector serves as the randomness for first block computation; the ciphertext of the previous block serves as the randomness for the current block computation IV is a random value IV is no secret; it is sent along with the (it is part of the ciphertext) secure against CPA attacks; sutomatically secure against eavesdropping attacks

random substitution cipher

randomly replace a letter by another letter

data routing

routers forward the data packets to the next hop based on their routing policies/tables and the destination IP address

type of authentication factors

secrets: password tokens: hardware tokens, digitasl certificates biometrics: fingerprints, iris, vein pattern, facial recognition, voiceprint

algorithm strength public key cryptography

security of public key cryptosystems depends on the strength of the underlying mathematical algorithms and the size of the keys used

during key generation:

select large primes - choose randomly compute multiplicative inverses - efficient algorithm exists during encryption and decryption - requires modular multiplication

private key

sender and receiver share a common key encryption and decryption done using this key

brute force attacks: key recovery

since he key space is finite, a cryptanalyst can try and check all possible keys for this to be not feasible the key space should be large

enigma machine

used by germans during WWII complexity and the subsequent efforts to break its codes marked a turning point in the history of cryptography

key

used to encrypt and decrypt only those with the proper key can decrypt a cipher text can be symmetric or asymmetric

cryptographic attacks public key cryptography

vulnerable to various cryptosystems are vulnerable to various cryptographic attacks, including brute force attacks, man-in-the-middle attacks and chosen plaintext attacks

public key cryptography concept introduced by

whitfield diffie martin hellman ralph merkle

access control

who can access what object and what the user can do how to restrict access, access control models

public key encryption

two keys: public encryption key e; private key encryption key d encryption easy when e is known decryption easy when d is known, hard when d is not known

key cipher

use a key to start the replacement and then shift the remaining letters

security model

1<2<3<4<5 1 - hardest attack 5 - easiest easiest cryptosystem secure against 5 is the strongest (automatically secure against all less than) and secure against 1 is the weakest

IPv4

4 bytes of data grouped as 4 octets separated by dots 172.16.254.1 first three octets designate the netwwork ID last octet is the host ID in that network

DNS

Domain name system distributed database implemented in hierarchy of many DNS servers a tree like structure of name servers keep the information needed to resolve a domain name to the corresponding IP address of the server eg. mail.google.com eg. 142.251.15.83

IETF

Internet Engineering Task Force manages and formalizes internet standards/protocols

RSA Example

Let p = 7, q = 11. Then n = 77 and Φ(n) = 60 Choose e = 13. Then d = 13-1 mod 60 = 37.• Let message = 2.• E(2) = 213 mod 77 = 30.• D(30) = 3037 mod 77=2

RSA: why does it work

Need to show: D[E[x]] = x E[x] and D[y] can be computed efficiently if keys are known E-1[y] cannot be computed efficiently without knowledge of the (private) decryption key d.• Also, it should be possible to select keys reasonably efficiently This does not have to be done too often, so efficiency requirements are less stringent.

DES Security

S-box design not well understood has survived some recent sophisticated attack key is too short, hence is vulnerable to brute force attack 1998 distributed attack took 3 months 1,000,000 machine will crack DES in 35 mintutes - 1997 estimate 10,000 - 2.5 days

vernam cipher (unbreakable)

a given ciphertext can decrypt to multiple possible plain text with same number of letters they provide the perfect secrecy as the ciphertext leaks no information about the original message

substitution cipher

a simple encryption method where each letter in plaintext is replaced by another letter in ciphertext may use mathematical formula or random substitution

cryptosystem

a suite of cryptographic algorithms for key generation, encryption of plaintext into ciphertext and decryption of ciphertext to plain text

hash

a unique fixed length bit fingerprint created from any data object

signature

a unique seal created by applying secret knowledge

AES

advanced encryption standard goal - to define federal information processing standard (FIPS) by selecting a new powerful encryption algorithm suitable for encrypting government documents MARS RC6 Twofish Serpent Rijndael - winner

cipher

an algorithm used for encryption and decryption

one time pads (Vernam cipher)

an unbreakable and perfectly secret encryption method encrypt each plaintext is combined with a letter from a one time pad decrypt each letter in ciphertext is combined with the letter from the same one time pad in the same sequence

HTTP

application layer protocol that is used to transmit hypertext

cryptography

study of mathematical techniques to achieve various goals in information security, such as confidentiality, authentication, integrity, non-repudiation, etc.

integrity protections

tampering proof: prevents any type of modifications to the data tamper evident: does not prevent any modification to data, but makes sure any such modification can be detected

Not secure against CCA why?

the ciphertext can be massaged and changed in a meaningful way

IP

the dominant networking protocols used in the internet IP: internet protocols that define how packets are exchanged between two network points

TCP

the dominant networking protocols used in the internet TCP: transmission protocol controls data transmission between hosts and ensures reliable lossless data connections

ciphertext

the encrypted and unreadable data or message produced after applying an encryption algorithm

plaintext

the original and readable data or message before encryption

confidentiality

the property that information is not disclosed to unauthorized entities secrets should be secrets unless you are authorized to access it

cryptanalysis

the study of breaking cryptographic systems or algorithms

Structures of the internet

tier 3: single/multi home networks that connect end users to higher level intermediate networks tier 2: intermeditate networks that connect tier 3 networks to the transit networks tier 1: mostly telecom providers that connect to other tier 1 networks and can bed used for transit

denial of service attack (Ddos)

to attack availability of a system make it slow in performance, unavailable, critical part of the workflow congested, so that the whole system is slow

machine level authentication

to determine if we are getting data from the correct device

encrypt

to take plain text and use mathematical process to convert it to cipher text using an encryption algorithm or key