Post on 19-Dec-2015
Network Security 7-1
Secure Electronic Commerce
Prof. Amir Herzberg
Seminar 89-957, Wedn. 6-8pm
CS Dept., Bar Ilan University
Seminar: Electronic Commerce Security
Lecture 1: Overview of security & crypto

Administration
• Seminar for graduate & undergrad students
• Related courses:
  • Intro to communication networks 89-350 (parallel Ok)
  • Intro to Cryptography (89-656, fall term)
  • This term: Crypto applied to security (89-956): requires intro first
  • I’ll try to cover the most relevant stuff in the first 2-3 lectures
• Requirements
  • Deliver seminar for one topic
    • Few in pairs
  • Attend and understand most classes
    • Missing 2 is Ok; if more: justify all
• Reception: Wedn. 12-2, room 324.

Goals of this seminar
• Understand secure e-commerce
• Expose to recent, active research area
  • Possibilities of new research
• Experience in research work – reading, presenting

Subjects
• Payments
  • Micropayments
  • Aggregated (micro)payments
  • Anonymous payments (digital cash)
• Trust and credential management
  • Overview including KeyNote, SPKI
  • Understanding Trust Management Systems
  • Credentials / Certificate Chain Discovery
• Others? You can propose…

What to do next?
• Pick subject:
  • See site for subjects, papers and dates
    • Two pairs, few singles
  • Site: link from my homepage, http://amir.herzberg.name/
  • Inform me of your choices (2 please) by e-mail
  • Only if you’re going to deliver… “an honor commitment”
• Read paper(s) carefully, prepare lecture, handouts
  • See related papers in http://citeseer.org
  • Ask to change if you prefer another paper/topic
  • Use English or Hebrew, foils or PC (but write well!)
  • Give me a copy
• We next give overview of crypto & security
  • You can leave if not interested (e.g. know already)

Security and Cryptography Overview
Goals:
• understand principles of network security:
  • cryptography and its many uses beyond “confidentiality”
  • authentication
  • message integrity
  • key distribution
• security in practice:
  • firewalls
  • security in application, transport, network, link layers

What is network security?
• Confidentiality: only sender, intended receiver should “understand” message contents
  • sender encrypts message
  • receiver decrypts message
  • Privacy: hide “who is doing what with whom”
• Authentication: sender, receiver want to confirm identity of each other
• Message Integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection
• Access and Availability: services must be accessible and available to users

Friends and enemies: Alice, Bob, Trudy
• well-known in network security world
• Bob, Alice (lovers!) want to communicate “securely”
• Trudy (intruder) may intercept, delete, add messages
[Figure: Alice (secure sender) and Bob (secure receiver) exchange data and control messages over a channel; Trudy is shown on the channel.]

There are bad guys (and girls) out there!
Q: What can a “bad guy” do?
A: a lot!
• eavesdrop: intercept messages
• actively insert messages into connection
• impersonation: can fake (spoof) source address in packet (or any field in packet)
• hijacking: “take over” ongoing connection by removing sender or receiver, inserting himself in place
• denial of service: prevent service from being used by others (e.g., by overloading resources)
Cryptography can help …

The language of cryptography
• symmetric key crypto: sender, receiver keys identical
• public-key crypto: encryption key public, decryption key secret (private)
[Figure: plaintext → encryption algorithm (Alice’s encryption key $K_A$) → ciphertext → decryption algorithm (Bob’s decryption key $K_B$) → plaintext]

Symmetric key cryptography
symmetric key crypto: Bob and Alice share (know) the same (symmetric) key: $K_{A-B}$
• e.g., key is knowing substitution pattern in mono alphabetic substitution cipher
• Q: how do Bob and Alice agree on key value?
[Figure: plaintext message $m$ → encryption algorithm (key $K_{A-B}$) → ciphertext $K_{A-B}(m)$ → decryption algorithm (key $K_{A-B}$) → plaintext $m = K_{A-B}(K_{A-B}(m))$]

Public Key Cryptography
symmetric key crypto
• requires sender, receiver know shared secret key
• Q: how to agree on key in first place (particularly if never “met”)?
public key cryptography
• radically different approach [Diffie-Hellman76, RSA78]
• sender, receiver do not share secret key
• public encryption key known to all
• private decryption key known only to receiver

Public key cryptography
[Figure: plaintext message $m$ → encryption algorithm (Bob’s public key $K_B^+$) → ciphertext $K_B^+(m)$ → decryption algorithm (Bob’s private key $K_B^-$) → plaintext message $m = K_B^-(K_B^+(m))$]

Public key encryption algorithms
Requirements:
1. need $K_B^+(\cdot)$ and $K_B^-(\cdot)$ such that $K_B^-(K_B^+(m)) = m$
2. given public key $K_B^+$, it should be impossible to compute private key $K_B^-$
RSA: Rivest, Shamir, Adleman algorithm

RSA: Choosing keys
1. Choose two large prime numbers p, q. (e.g., 1024 bits each)
2. Compute n = pq, z = (p-1)(q-1)
3. Choose e (with e<n) that has no common factors with z. (e, z are “relatively prime”).
4. Find d such that ed-1 is exactly divisible by z. (in other words: ed mod z = 1 ).
5. Public key $K_B^+$ is (n,e). Private key $K_B^-$ is (n,d).

RSA: Encryption, decryption
0. Given (n,e) and (n,d) as computed above
1. To encrypt bit pattern, m, compute $c = m^e \bmod n$ (i.e., remainder when $m^e$ is divided by n)
2. To decrypt received bit pattern, c, compute $m = c^d \bmod n$ (i.e., remainder when $c^d$ is divided by n)
Magic happens! $m = (m^e \bmod n)^d \bmod n$, where $c = m^e \bmod n$

RSA example:
Bob chooses p=5, q=7. Then n=35, z=24.
e=5 (so e, z relatively prime).
d=29 (so ed-1 exactly divisible by z).

encrypt:
letter   m    m^e       c = m^e mod n
l        12   1524832   17

decrypt:
c    c^d                                    m = c^d mod n   letter
17   481968572106750915091411825223071697   12              l

RSA: Why is that $m = (m^e \bmod n)^d \bmod n$
Useful number theory result: If p,q prime and n = pq, then:
$x^y \bmod n = x^{y \bmod (p-1)(q-1)} \bmod n$
$(m^e \bmod n)^d \bmod n = m^{ed} \bmod n$
$= m^{ed \bmod (p-1)(q-1)} \bmod n$ (using number theory result above)
$= m^1 \bmod n$ (since we chose ed to be divisible by (p-1)(q-1) with remainder 1)
$= m$

RSA: another important property
The following property will be very useful later:
$K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))$
• left side: use public key first, followed by private key
• right side: use private key first, followed by public key
Result is the same!
Roadmap
.1 What is network security?
.2 Principles of cryptography
.3 Authentication and integrity mechanisms
.4 Digital Signatures
.5 Key Distribution and certification
.6 Attacks and counter measures
.7 Access control: firewalls
.8 Security in many layers

Example: “paper, stone, scissors”
• Popular kids game
• Kid’s implementation:
  • “Simultaneous” exposure
  • Cheating common…
• Physical implementation:
  • Write choice on card
  • Cards placed “face down”
  • Choices fixed but secret
  • Cards turned
• How to do over network?
[Figure: Bob and Alice]

Secure “paper, stone, scissors”
• Use hash function h( )
• Confidentiality
  • Bob can’t know what Alice chose
• Collision-resistance
  • Alice, Bob can’t “change their hand”
• Randomness
  • h(x) appears “random”
  • If h(x) is deterministic, confidentiality impossible
[Figure: Bob and Alice]
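
The face-down card built from a hash, as an added example that is not from the lecture: Alice sends a commitment first and reveals later. It shows the deterministic h(choice) next to a randomized version; SHA-256, the 32-byte nonce and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

CHOICES = ("paper", "stone", "scissors")
NONCE_LEN = 32  # bytes of randomness mixed into each commitment (assumed size)

def commit(choice, nonce=b""):
    """Return h(nonce || choice); an empty nonce gives the deterministic h(x)."""
    if choice not in CHOICES:
        raise ValueError("unknown choice")
    return hashlib.sha256(nonce + choice.encode()).hexdigest()

def recover_from_deterministic(commitment):
    """Without a nonce, the receiver just hashes the three possible hands."""
    for choice in CHOICES:
        if hmac.compare_digest(commit(choice), commitment):
            return choice
    return None

def alice_commit(choice):
    """Alice's first message is the commitment; she keeps the nonce until reveal."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return commit(choice, nonce), nonce

def bob_verify(commitment, choice, nonce):
    """After Alice reveals (choice, nonce), Bob checks them against the commitment."""
    if choice not in CHOICES or len(nonce) != NONCE_LEN:
        return False
    return hmac.compare_digest(commit(choice, nonce), commitment)

if __name__ == "__main__":
    weak = commit("stone")                       # deterministic: no secrecy
    print("Bob reads the weak commitment as:", recover_from_deterministic(weak))
    strong, nonce = alice_commit("stone")        # randomized commitment
    print("Bob reads the strong commitment as:", recover_from_deterministic(strong))
    print("honest reveal accepted:", bob_verify(strong, "stone", nonce))
    print("changed hand accepted:", bob_verify(strong, "paper", nonce))
```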

Crypto-Hash Functions - “Wish List”
• Compression
  • Unbounded/Long input
  • Short (finite) output
• Confidentiality
  • Can’t find x from h(x)
• Collision-resistance
  • “Strong”: can’t find x,x’ s.t. h(x)=h(x’)
  • “Weak”: given x, can’t find x’≠x s.t. h(x)=h(x’)
• Randomness: uniform output distribution

Detection of Message Modification
How can Bob detect that message from Alice
• Had random error? A: use Error Detection Code
• Was intentionally modified?
  • A1: send (securely) the hash of the message to Bob
  • How can we send it securely?
  • Why not send message instead?

Detection of Message Modification
Can we simply send the hash with the message?
A: No; Eve can then change message and compute new hash!
Message Authentication Code (MAC)
Use a key shared between Alice and Bob to authenticate messages sent between them

MAC authenticates messages
MAC allows two or more mutually trusting parties to authenticate all messages sent between them.
[Figure: Alice and Bob each hold key k; Alice sends m, $\mathrm{MAC}_k(m)$ to Bob; Eve is also shown. Bob: “Only Alice and me know k. So one of us sent m.”]

MAC authenticates messages
MAC allows two or more mutually trusting parties to authenticate all messages sent between them.
[Figure: Alice, Bob, Charlie and Don each hold key k; Alice sends m, $\mathrm{MAC}_k(m)$ to Bob; Eve is also shown. Bob: “Only Alice, Charlie, Don and me know k. So one of us sent m.”]

MAC Use Secret Key
• Random or pseudo-random
• Do not reveal to adversary
• Do not use for anything except MAC
  • E.g. use different key for encryption

Limitations of MAC
• $\mathrm{MAC}_k(m)$ may expose information about m!
  • Example: Let MAC be any secure MAC. Define $\mathrm{MAC}'_k(m) = \mathrm{LSb}(m) \,\|\, \mathrm{MAC}_k(m)$, where LSb is least significant bit.
• MAC only shows a key-holder computed it
  • Could be any key holder (e.g. recipient)…
    • Specify sender, recipient in message
  • Could be re-transmission / replay…
    • Add time/counter/random challenge to identify

Authenticated Communication
• Random values $N_a$, $N_b$ (nonces) for freshness
• Authenticate messages $m_A$, $m_B$ by including their hash in the MAC inputs
• To authenticate many messages (in order):
  • Add sequence numbers
  • Can use same nonces for multiple messages
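
The two fixes named under "Limitations of MAC" and the sequence numbers from "Authenticated Communication", as an added example that is not from the lecture: sender, recipient and a counter go into the MAC input, and the receiver rejects reflected and replayed messages. HMAC-SHA256, the field encoding, the sample key and all names are assumptions.

```python
import hashlib
import hmac
import struct

SAMPLE_KEY = bytes(range(32))  # constructed demo key; a real key is random and secret

def _field(value):
    """Length-prefix a byte string so adjacent fields cannot run together."""
    return struct.pack(">I", len(value)) + value

def tag(key, sender, recipient, counter, message):
    """MAC over sender, recipient, sequence number and message."""
    data = _field(sender) + _field(recipient) + struct.pack(">Q", counter) + _field(message)
    return hmac.new(key, data, hashlib.sha256).digest()

class Receiver:
    """One direction of a channel: accepts messages from peer addressed to me."""

    def __init__(self, key, me, peer):
        self.key, self.me, self.peer = key, me, peer
        self.last_counter = -1  # highest sequence number accepted so far

    def accept(self, sender, recipient, counter, message, mac):
        if sender != self.peer or recipient != self.me:
            return "wrong-party"   # e.g. our own message sent back to us
        expected = tag(self.key, sender, recipient, counter, message)
        if not hmac.compare_digest(expected, mac):
            return "bad-mac"       # contents or header fields were altered
        if counter <= self.last_counter:
            return "replay"        # authentic but already seen, or out of order
        self.last_counter = counter
        return "ok"

if __name__ == "__main__":
    bob = Receiver(SAMPLE_KEY, me=b"bob", peer=b"alice")
    msg = b"pay 10"
    mac = tag(SAMPLE_KEY, b"alice", b"bob", 0, msg)
    print(bob.accept(b"alice", b"bob", 0, msg, mac))        # first delivery
    print(bob.accept(b"alice", b"bob", 0, msg, mac))        # same bytes again
    print(bob.accept(b"alice", b"bob", 1, b"pay 99", mac))  # altered message
    own = tag(SAMPLE_KEY, b"bob", b"alice", 5, b"ack")
    print(bob.accept(b"bob", b"alice", 5, b"ack", own))     # reflected
    print(bob.accept(b"alice", b"bob", 5, b"ack", own))     # reflected, relabelled
```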

Non-repudiation
• Non-repudiation: proof of authenticity that cannot be disputed by “signer”
  • Long-lived
  • Validation by multiple, arbitrary parties
• Not ensured by MAC – key known to both!
• Applications:
  • Contract/document/payment signing
  • Time-stamping of documents
  • Guaranteed/Certified Messaging Services
• Main tool: digital signatures and certificates

Public Key Digital Signatures
• Sign using a private, secret signature key
• Everybody knows the public validation key
• Everybody can validate signatures at any time
• Provides non-repudiation – signer is committed

Metaphor to Public Key Signature: Cylinder Seal (ancient Iran)
• Public key: impression of seal
• Private key: cylinder seal
• Hard to create impression without seal
• Hard to change clay tablet with impression
• Hard to create the seal from the impression
• Clay tablets (w/ impressions) last long time

RSA Signatures with Hashing
Bob sends digitally signed message:
[Figure: large message m → hash function H → H(m) → digital signature (encrypt) with Bob’s private key (d,n) → signed msg hash $(H(m))^d$; Bob sends large message m + signed msg hash]
Alice verifies signature and integrity of digitally signed message:
[Figure: large message m → hash function H → H(m); signed msg hash $(H(m))^d$ → validate digital signature with Bob’s public key (e,n) → H(m); equal?]

Problem: validation of public key
• How does Alice obtain Bob’s public key…
  • To encrypt messages to Bob
  • To validate signatures by Bob
• If Eve can cause Bob to use Eve’s key thinking it is Alice’s key…
  • Eve can decrypt messages sent to Alice
  • Eve can pretend to sign for documents as Alice
• Solution: certificate: signed public key

Certification Authorities
• Certification authority (CA): binds public key to particular entity, E.
• E (person, router) registers its public key with CA.
  • E provides “proof of identity” to CA.
  • CA creates certificate binding E to its public key.
  • certificate containing E’s public key digitally signed by CA – CA says “this is E’s public key”
[Figure: Bob’s public key $K_B^+$ and Bob’s identifying information → digital signature with CA private key $K_{CA}^-$ → certificate for Bob’s public key, signed by CA]

Certification Authorities
• When Alice wants Bob’s public key:
  • gets Bob’s certificate (Bob or elsewhere).
  • apply CA’s public key to Bob’s certificate, get Bob’s public key
[Figure: certificate containing $K_B^+$ → validate digital signature with CA public key $K_{CA}^+$ → Bob’s public key $K_B^+$]

A certificate contains:
• Serial number (unique to issuer)
• info about certificate owner, including algorithm and key value itself (not shown)
• info about certificate issuer
• valid dates
• digital signature by issuer

Time-Stamping of Signatures, etc.
• Goal: non-repudiated proof of document creation date
  • Proof doc/signature existed at/before date
  • Signature existed before public key was revoked, so it is valid
• Timestamp signed by Time-stamping Authority
• Hash document to protect confidentiality
[Figure: Author, Time-Stamping Authority (TSA) and Relying Party; message labels: h(doc) (paper, invention); h(doc,sign), certificate(PK)]

Non-Repudiated Delivery Services
• Non-Repudiation of Origin (NRO)
  • Destination proves that it received the message, originated by the origin, at particular time.
  • Signature of Delivery Authority and/or Origin + Time-Stamping Auth.
• Non-Repudiation of Submission (NRS)
  • Origin proves it submitted the message, to the destination, at particular time
  • by signature of Delivery Authority
• Non-Repudiation of Receipt (NRR)
  • Origin proves that the destination received the message, at particular time
  • by signature of destination + TSA
[Figure: Origin, Delivery Authority, Destination]

SSL / TLS in a Nutshell
• SSL provides a “secure TCP tunnel from client to server”:
  • Confidentiality
  • Authentication of server, optionally also of client
  • Message and connection integrity
• SSL: Secure Socket Layer
  • Since SSL (& TLS) operate on top of “standard” Sockets API
• TLS: Transport Layer Security
  • Since TLS (& SSL) secure TCP (the transport layer)
  • IETF standard version of SSL
  • When we describe common aspects we usually say just SSL
• Many implementations, libraries, e.g. OpenSSL
• Original goal and still main use: secure transfer of credit card number…

Credit Card Payments
[Figure: Buyer, Merchant, Acquirer (Payment Gateway) and Issuer; flows labelled: Card#, signed slip; Card#, signed slip, $; Card#, $; Card#, statement]

“Mail Order / Telephone Order (MOTO)” or “Card Not Present” Transactions (Web, phone, mail)
[Figure: Buyer, Merchant, Acquirer (Payment Gateway) and Issuer; flows labelled: Card#, $; Card#, $; Card#, $; Card, statement]

SSL Credit Card Payments
[Figure: Credit Card Number sent SSL encrypted; Acquirer (Payment Gateway) and Issuer; flows labelled: Card#, $; Card#, $]

SSL Based Credit Card Payments
• Use SSL to securely transfer credit card numbers
  • Trivial deployment (merchant decision).
  • No client software required (SSL is in browser).
  • Built on top of the existing credit card infrastructure.
  • By far, the most widely used payment method.
• But, due to several security problems…
  • Very high dispute rates (esp. for online services)
  • Very expensive for banks and merchants