276 75 3MB
English Pages 273 Year 2005
BulletproofWirelessSecurity
BulletproofWirelessSecurity GSM,UMTS,802.11andAdHocSecurity
By
PraphulChandra
AMSTERDAM • BOSTON • HEIDELBERG • LONDON NEW YORK • OXFORD • PARIS • SAN DIEGO SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO Newnes is an imprint of Elsevier
NewnesisanimprintofElsevier 30CorporateDrive,Suite400,Burlington,MA01803,USA LinacreHouse,JordanHill,OxfordOX28DP,UK Copyright©2005,ElsevierInc.Allrightsreserved. Nopartofthispublicationmaybereproduced,storedinaretrievalsystem,or transmittedinanyformorbyanymeans,electronic,mechanical,photocopying, recording,orotherwise,withoutthepriorwrittenpermissionofthepublisher. PermissionsmaybesoughtdirectlyfromElsevier’sScience&TechnologyRights DepartmentinOxford,UK:phone:(+44)1865843830,fax:(+44)1865853333, e-mail:[email protected].Youmayalsocompleteyourrequestonlinevia theElsevierhomepage(www.elsevier.com),byselecting“CustomerSupport”andthen “ObtainingPermissions.” Recognizingtheimportanceofpreservingwhathasbeenwritten, Elsevierprintsitsbooksonacid-freepaperwheneverpossible. LibraryofCongressCataloging-in-PublicationData (Applicationsubmitted.) BritishLibraryCataloguing-in-PublicationData AcataloguerecordforthisbookisavailablefromtheBritishLibrary. ISBN:0-7506-7746-5 ForinformationonallNewnespublications, visitourwebsiteatwww.books.elsevier.com. 05060708091010987654321 PrintedintheUnitedStatesofAmerica
Thisbookisdedicated— Tomyparents, whoselove,supportandexample havehelpedmereachmygoals; and Tomywife,Shilpy, whosecheerfulpatienceand constantencouragement madethisbookpossible.
Contents Preface.............................................................................................................. xi “...butwheredoesthevoicego?”......................................................................................xi ABriefHistoryofWireless.............................................................................................. xii ABriefHistoryofSecurity..............................................................................................xiv MovingOn..................................................................................................................... xxii ReadingConventions..................................................................................................... xxiii HowtoReadthisBook?................................................................................................ xxiii
Acknowledgments............................................................................................. xxv Acronyms....................................................................................................... xxvii AbouttheAuthor.......................................................................................... xxxiii Chapter1:SecurityandCryptography...................................................................1 1.1 WhatisSecurity?..........................................................................................................1 1.2 Cryptography................................................................................................................3 1.2.1Confidentiality.....................................................................................................3 1.2.2Integrity................................................................................................................9 1.2.3Authentication....................................................................................................11 1.2.4ReplayProtectionandNonrepudiation..............................................................13 1.3 Cryptanalysis..............................................................................................................13 1.4 BlockCiphers.............................................................................................................14 1.4.1UsingtheCiphers:TheModes..........................................................................15 1.5 StreamCiphers............................................................................................................18 1.6 HowSecureisCryptography?....................................................................................22 1.6.1StrengthofaCipher...........................................................................................22 1.6.2Key-Length:HowLongisSecure?....................................................................23 1.7 BeyondCryptography.................................................................................................24 1.7.1Firewalls.............................................................................................................24 1.7.2DenialofServiceAttacks..................................................................................25 1.7.3CodeSecurity.....................................................................................................26 1.7.4Steganography....................................................................................................27 1.8 Conclusion..................................................................................................................28
Chapter2:NetworkSecurityProtocols.................................................................29 2.1Introduction.................................................................................................................29 2.2KeyEstablishmentProtocols......................................................................................29 2.2.1KeyGenerationinSKC.....................................................................................30 vii
Contents 2.2.2KeyDistributioninSKC....................................................................................30 2.2.3KeyEstablishmentinPKC................................................................................31 2.2.4Diffie-HellmanKeyExchange...........................................................................33 2.2.5EnhancedDiffie-HellmanKeyExchange..........................................................35 2.2.6RSA....................................................................................................................35 2.3AuthenticationProtocols.............................................................................................38 2.3.1Address-BasedAuthentication...........................................................................38 2.3.2PasswordsforLocalAuthentication(Login).....................................................39 2.3.3PasswordsforNetworkAuthentication.............................................................41 2.3.4AuthenticationUsingSKC.................................................................................42 2.3.5AuthenticationUsingPKC.................................................................................47 2.3.6WhattoUseforAuthentication:SKCorPKC?.................................................48 2.3.7SessionHijacking..............................................................................................49 2.3.8NeedhamSchroeder...........................................................................................51 2.3.9Kerberos.............................................................................................................52 2.4EncryptionProtocols...................................................................................................54 2.4.1DES....................................................................................................................56 2.4.2TripleDESor3DES...........................................................................................56 2.4.3AES....................................................................................................................59 2.4.4RC4....................................................................................................................60 2.5 IntegrityProtocols.......................................................................................................61 2.5.1CBCResidue......................................................................................................61 2.5.2CRC32...............................................................................................................62 2.5.3MD5...................................................................................................................63
Chapter3:SecurityandtheLayeredArchitecture..................................................67 3.1 Introduction.................................................................................................................67 3.2 SecurityatLayer1......................................................................................................68 3.3 SecurityatLayer2......................................................................................................69 3.3.1ExtensibleAuthenticationProtocol(EAP)........................................................69 3.3.2EAPoL:EAPOverLAN....................................................................................72 3.3.3EAP-TLS:TLSHandshakeOverEAP..............................................................73 3.4 SecurityatLayer3......................................................................................................75 3.5 SecurityatLayer4:SSL/TLS.....................................................................................80 3.6 SecurityatLayer5+....................................................................................................84
Chapter4:Voice-OrientedWirelessNetworks......................................................85 4.1 TheWirelessMedium.................................................................................................86 4.1.1RadioPropagationEffects.................................................................................86 4.1.2HiddenTerminalProblem..................................................................................88 4.1.3ExposedTerminalProblem................................................................................89 4.1.4Bandwidth..........................................................................................................89 4.1.5OtherConstraints..............................................................................................90 4.2 TheCellularArchitecture............................................................................................90 4.3 TWNs:FirstGeneration..............................................................................................93 4.3.1AddressesinAMPS...........................................................................................96 viii
Contents 4.3.2CallSetupinAMPS...........................................................................................97 4.4 TWNs:SecondGeneration.........................................................................................98 4.4.1AddressesinGSM...........................................................................................102 4.4.2CallSetupinGSM...........................................................................................103 4.5 TWNs:ThirdGeneration..........................................................................................104 4.5.1ConnectionSetupinUMTS.............................................................................106 4.6 TheOverallPicture...................................................................................................107
Chapter5:Data-OrientedWirelessNetworks.....................................................109 5.1 WLANs.....................................................................................................................109 5.1.1:Addressesin802.11........................................................................................114 5.1.2ConnectionSetupin802.11.............................................................................114 5.1.3MediaAccess...................................................................................................117 5.1.4SpectrumEfficiencyin802.11.........................................................................120 5.2 MANETs...................................................................................................................121 5.2.1MACforMANETs..........................................................................................123 5.2.2RoutinginMANETs........................................................................................124 5.2.3AddressAllocationinMANETs......................................................................126 5.2.4SecurityinMANETs.......................................................................................127 5.3 WirelessNetworksintheNearFuture......................................................................127
Chapter6:SecurityinTraditionalWirelessNetworks..........................................129 6.1 SecurityinFirstGenerationTWNs..........................................................................129 6.2 SecurityinSecondGenerationTWNs......................................................................129 6.2.1AnonymityinGSM..........................................................................................130 6.2.2KeyEstablishmentinGSM.............................................................................131 6.2.3AuthenticationinGSM...................................................................................132 6.2.4ConfidentialityinGSM....................................................................................136 6.2.5What’sWrongwithGSMSecurity?................................................................137 6.3 Securityin2.5GenerationTWNs.............................................................................140 6.3.1WAP................................................................................................................142 6.3.2CodeSecurity...................................................................................................144 6.4 Securityin3GTWNs...............................................................................................144 6.4.1AnonymityinUMTS.......................................................................................144 6.4.2KeyEstablishmentinUMTS...........................................................................146 6.4.3AuthenticationinUMTS..................................................................................146 6.4.4ConfidentialityinUMTS.................................................................................150 6.4.5IntegrityProtectioninUMTS..........................................................................151 6.4.6PuttingthePiecesTogether..............................................................................152 6.4.7NetworkDomainSecurity...............................................................................155 6.5 Summary...................................................................................................................158
Chapter7:SecurityinWirelessLocalAreaNetworks..........................................159 7.1 Introduction...............................................................................................................159 7.2 KeyEstablishmentin802.11....................................................................................160 7.2.1What’sWrong?................................................................................................160 7.3 Anonymityin802.11................................................................................................161 ix
Contents 7.4 Authenticationin802.11...........................................................................................162 7.4.1OpenSystemAuthentication...........................................................................164 7.4.2SharedKeyAuthentication..............................................................................165 7.4.3AuthenticationandHandoffs...........................................................................166 7.4.4What’sWrongwith802.11Authentication?....................................................167 7.4.5Pseudo-AuthenticationSchemes......................................................................168 7.5 Confidentialityin802.11..........................................................................................169 7.5.1What’sWrongwithWEP?...............................................................................170 7.6 DataIntegrityin802.11............................................................................................174 7.7 Loopholesin802.11Security...................................................................................176 7.8 WPA..........................................................................................................................177 7.8.1KeyEstablishment...........................................................................................178 7.8.2Authentication..................................................................................................183 7.8.3Confidentiality................................................................................................186 7.8.4Integrity............................................................................................................187 7.8.5TheOverallPicture:Confidentiality+Integrity..............................................189 7.8.6HowDoesWPAFixWEPLoopholes?............................................................189 7.9 WPA2(802.11i)........................................................................................................190 7.9.1KeyEstablishment...........................................................................................190 7.9.2Authentication..................................................................................................191 7.9.3Confidentiality...............................................................................................191 7.9.4Integrity............................................................................................................193 7.9.5TheOverallPicture:Confidentiality+Integrity..............................................193
Chapter8:SecurityinWirelessAdHocNetworks...............................................199 8.1 Introduction...............................................................................................................199 8.2 RoutinginMultihopAdHocNetworks....................................................................201 8.2.1ProactiveRouting.............................................................................................201 8.2.2ReactiveRouting..............................................................................................202 8.2.3HybridRouting................................................................................................202 8.2.4.RoutingAttacks...............................................................................................202 8.2.5SecureRouting.................................................................................................203 8.3 KeyEstablishmentandAuthentication.....................................................................205 8.3.1ThresholdSecretSharing.................................................................................205 8.4 ConfidentialityandIntegrity.....................................................................................210 8.5 Bluetooth..................................................................................................................210 8.5.1BluetoothBasics..............................................................................................211 8.5.2SecurityModes................................................................................................213 8.5.3KeyEstablishment...........................................................................................216 8.5.4Authentication..................................................................................................223 8.5.5Confidentiality.................................................................................................224 8.5.6IntegrityProtection..........................................................................................227 8.5.7Enhancements..................................................................................................227
References......................................................................................................229 Index..............................................................................................................231 x
Preface “...butwheredoesthevoicego?” AmanhasbeenarrestedinNewYorkforattemptingtoextortfundsfromignorant andsuperstitiouspeoplebyexhibitingadevicewhichhesayswillconveythehuman voiceanydistanceovermetallicwiressothatitwillbeheardbythelisteneratthe otherend.Hecallsthisinstrumentatelephone.Well-informedpeopleknowthatitis impossibletotransmitthehumanvoiceoverwires.” —NewsiteminaNewYorknewspaper,1868. Irememberadaynotsolongago,whenIwasshowingmymotherhowtouseacell phone.SheaskedmehowitworkedandIstarteddescribingthebase-stations,switchesandthecellulararchitecture.AfterIwasdone,sheaskedme“...butwheredoesthe voicego?”—Whereindeed? Engineerssometimestendtoforgetthattheconceptofwirelessseemsmagicalto mostpeople.Beingvisualcreatures,wecanacceptthefactthatinawirednetwork, ourvoice(ordata)travels“on”thewirebutseeingawirelessnetworkisalmost magical—yourvoice(ordata)disappearsintoyourhandsetandreappearsoutofthe handsetofanotherpersonattheothersideoftheglobe. Pausetothinkaboutit.Ifyoutoldsomeoneinthenineteenthcenturythatyoucould dothis,youwouldhaveprobablybeencreditedwithsupernaturalpowers.Wereally aredoingmagic.Ihadalwaysbeenfascinatedbywireless.Thenduringmycollege years,Itookacourseincryptographyandwasintriguedbyhowsecurecommunicationcouldbeachievedoveranunsecurechannel.Itwasonlynaturalthenthatthe fieldofwirelesssecurityattractedmetowardsitandresultedinthisbook. Ihavealwaysfeltthatforacompleteunderstandingofanyfield,ithelpstoknowhow thefielddeveloped.Wethereforestartbylookingatabriefhistoryofwirelessanda briefhistoryofcryptography.Thosewithapurelytechnicalinclinationmay,therefore,skipthischapterbutIthinkitmakesforgoodlightreading.Ihopeyouenjoy thischapterandtherestofthisbook. xi
Preface
ABriefHistoryofWireless Thereisnodoubtthatthedaywillcome,maybewhenyouandIareforgotten,when copperwires,gutta-perchacoverings,andironsheathingswillberelegatedtothe MuseumofAntiquities.Then,whenapersonwantstotelegraphtoafriend,heknows notwhere,hewillcallanelectromagneticvoice,whichwillbeheardloudbyhim whohastheelectromagneticear,butwillbesilenttoeveryoneelse.Hewillcall “Whereareyou?”andthereplywillcome,“Iamatthebottomofthecoal-mine” or“CrossingtheAndes”or“InthemiddleofthePacific”;orperhapsnoreplywill comeatall,andhemaythenconcludethathisfriendisdead. —ProfessorW.E.Ayrton(memberoftheInstitutionofElectricalEngineers)said thisatalectureattheImperialInstitute...in1897. Arguably,wirelesscommunicationbetweenhumansisasoldasthehumancivilizationitself,forassoonasthefirsthumansstartedcommunicatingwitheachother usingtheirvocalcords,wehadachievedwirelesscommunication.However,theterm wirelesscommunicationisusuallyusedtorefertowirelesscommunicationbeyond the“lineofsound.” ThefoundationsofwirelesscommunicationwerelaidbyMichaelFaraday’sworkon electromagnetism,whichestablishedthatelectricandmagneticeffectsresultfrom “linesofforce”thatsurroundconductorsandmagnets.BasedonFaraday’swork, JamesMaxwellderivedmathematicalequationsthatrepresentedthe“linesofforce” Faradayhadexplained.Maxwellpublishedhisworkinapaperin1855.Later,in 1861,Maxwellfurtherdevelopedhisworkshowingthatifanelectricchargewas appliedtoa(hypothetical)elasticfluid,itwouldresultinthegenerationofwaves thatwouldtravelthroughthemedium.Ineffect,Maxwellpredictedtheexistenceof electromagneticwaves.FriedrichKohlrauschandWilhemWeberfurtheredMaxwell’s workbycalculatingthatthesewaveswouldtravelatthespeedoflight. Upuntil1888,thefieldofelectromagnetismwasthatofpuretheory.Inthatyear, HeinrichHertzdiscoveredradiowaveswhichareanexampleofelectromagnetic radiation.Hertzdidthisbydevisingatransmittingoscillatoranda“receiver.”The “receiver”wasbasicallyametalloopwithagapononeside.Whenthisloopwas placedwithinthetransmitter’selectromagneticfield,sparkswereproducedacrossthe gapintheloop.Thisprovedthatelectromagneticwavescouldbesentoutintospace andremotelydetected.Ineffect,HertzshowedthattheelasticfluidthatMaxwellhad hypothesizedcouldbetheether.Thediscoveryofradiowavesconfirmedtheideas
xii
Preface
ofMaxwellandotherscientistswhohadworkedonelectromagnetismandsparkeda greaterinterestinthefield. WhenGuglielmoMarconilearntaboutHertz’swork,herealizedthatiftheradio wavescouldbetransmittedoverlargedistances,wirelesstelegraphycouldbe developed.Marconistartedexperimentingwiththisideaandby1894,hemanagedto receiveradiosignalsatadistanceofoveramile.Marconitriedtodevelophiswork furtherbytakingthehelpoftheItaliangovernment.However,theItaliangovernment wasnotinterested.So,MarconiapproachedtheBritishgovernment.Hewasgranted apatentforwirelesstelegraphyin1897andtheworld’sfirstradiofactorywassetup atChelmsfordin1898.Soon,radiosstartedtobeusedcommercially.Theworldof wirelesstelegraphygotanotherbigboostin1901whenMarconiandhisassociates wereabletoreceiveasignalacrosstheAtlanticsuccessfully.Recognizinghiscontributiontothefieldofwirelesscommunication,MarconiwasawardedtheNobelPrize in1909. In1914,physicistswereabletouseradiotransmissiontocarryvoiceandbythe 1920s,wirelessmobilereceiverswerebeinginstalledinpolicecarsinDetroit. Commercially,wirelessdeploymentreacheditsfirstlandmarkin1983withthe deploymentoftheAdvancedMobilePhoneSystem(AMPS)intheUnitedStates. AMPSwasanexampleofthefirstgenerationwirelessnetworksthatweredeployed acrosstheworld.Althoughamajorsuccessstory,the1G(firstgeneration)wireless networkssoonoutgrewthecapacityneededtoservetheexplodinggrowthinthe numberofwirelesssubscribers.Thismotivatedthedevelopmentanddeploymentof the2G(secondgeneration)wirelessnetworkslikeGSMinthelate1990s.Today, 2Gisthedominantmobiletechnology.Thedeploymentof3Gisexpectedtobegin soon1,butonanothernote,theexplodinggrowthinWirelessLocalAreaNetworks (WLANs)ischangingthefieldofwirelesscommunicationinunforeseenways.Asof thewritingofthisbook,punditsaretryingtoenvisionhow3G,IP,PSTNandWLANs willcometogethertoprovidetheultimatecommunicationdream—stayingconnected: anytime,anywhere.
1
Somemayarguethat3Gmayneverhappenandserviceprovidersmaygostraightfrom2.5Gto4G.See Chapter4formoredetails.
xiii
Preface
ABriefHistoryofSecurity “Well,Ineverhearditbefore,”saidtheMockTurtle,“butitsoundsuncommon nonsense.”
—LewisCarroll,AliceinWonderland.
Secretcommunicationachievedbyhidingtheexistenceofamessageisknownas steganography.ThewordisderivedfromtheGreekword“steganos,”meaningcoveredand“graphin”meaningtowrite. ThefirstwrittenaccountofsteganographycomesfromHerodotus,whochronicledthe storyofHistaiaeus.HistaiaeuswantedtoencourageAristagorasofMiletustorevolt againstthePersianking.Toconveyhisinstructionssecurely,Histaiaeusshavedthe headofhismessenger,wrotethemessageonhisscalpandthenwaitedforthehairto regrow.Fromthathumblebeginning,steganographyevolvedtothemicrodotinWorld WarII.ThemicrodotwasatechniquewhereintheGermanagentsinLatinAmerica wouldphotographicallyshrinkapageoftextdowntoadotlessthan1mmindiameter,andthenhidethismicrodotontopofafullstopinanapparentlyinnocuousletter. ThefirstmicrodottobespottedbytheFederalBureauofInvestigation(FBI)(USA) wasin1941.Thecomingofthedigitalagefurtherchangedthefaceofsteganography. Moderntechniquesinvolvehidingthecontentofamessageinapicturebymodifying thelowernibbleofapixel. Whereassteganographydealswithhidingthemessage,theotherbranchofsecret communication,cryptography,dealswithhidingtheinformationcontentofthe message.Cryptographyconsistsoftwobasicoperations—transpositionandsubstitution.Transpositioninvolvesrearrangingthe“letters”inthemessageandsubstitution involvesmappingthe“letters”inamessageaccordingtoapredeterminedmapping.In cryptographiclingo,thenewmessageobtainedbytransformingtheoriginalmessage usingcryptographyisknownastheciphertext,whereastheoriginalmessageisknown astheplaintext. Thetransformationoftheplaintexttotheciphertextisachievedusingacipher.Each distinctciphercanbedescribedintermsofthealgorithmandthekey.Asanexample, considertheCaesarcipher,oneoftheearliestmilitaryciphersusedbyJuliusCaesar. Thiscipherworksbyreplacingeachletterinthemessagewithaletterwhichisthree placesdownthealphabet.Inthiscase,thealgorithmpartofthecipheristheactof substitutionandthekeyis“threeforward.”Moregenerically,themono-alphabetic substitutioncipheristhegenericnamegiventoanysubstitutioncipherinwhicheach letterintheplaintextisreplacedbyexactlyoneletterorsymbolintheciphertext. xiv
Preface
Thefirstdocumenteduseofmono-alphabeticsubstitutioncryptographyappearsinthe KamaSutra,atextwritteninthefourthcenturyB.C.bytheIndianscholarVatsyayna. Vatsyaynaexplainsatechniqueofsecretwritingthatworksbypairingtheletters ofthealphabetatrandomandthensubstitutingeachletterinthemessagewithits partner.Withthepassageoftime,multiplevariationsofthemono-alphabeticcipher continuedtobedevelopedindependentlyaroundtheworld. Thenextbiggestinventionintheworldof“secretwriting”camewiththeinventionof cryptanalysis,orthescienceofdestroyingciphers.Cryptanalysisconsistsofobtainingtheplaintextmessagefromtheciphertextwithouttheknowledgeofthekey.The inventionofcryptanalysiscanbetracedbacktotheninthcentury.In815,theCaliph al-MamunestablishedtheBaital-Hikmah(“HouseofWisdom”)inBaghdadand assignedArabictheologianstoscrutinizetherevelationsofMuhammadtheProphet andestablishthechronologyoftherevelations. TheArabictheologiansdidthisbycountingthefrequenciesofwordscontainedin eachrevelation.Thetheorywasthatcertainwordshadevolvedrelativelyrecently; andhence,ifarevelationcontainedahighnumberofthesenewwords,thiswouldindicatethatitcamelaterinthechronology.Significantly,thescholarsdidnotstoptheir scrutinyatthelevelofwords.Theyalsoanalyzedindividuallettersanddiscovered thatsomelettersaremorelikelytooccurinagiventextthanothers. Althoughitisnotknownwhofirstrealizedthatthevariationinthefrequenciesofletterscouldbeexploitedinordertobreakciphers,theearliestknowndescriptionofthis techniqueisbytheninth-centuryscientistAbuYusufYaqubibnIs-haqibnas-Sabbah ibnomranibnIsmailal-Kindi.Thecryptanalystshadtriumphedoverthecryptographers andthusbeganthe“war”betweencryptographerstryingtobuildunbreakableciphers andcryptanalyststryingtobreaktheseciphers.Asweshallsee,thiswarcontinuesto thisdayandprovidestheimpetusfortheevolutionofcryptography. Theonuswasnowonthecryptographerstocomeupwithanewstrongercipher.The rootsofthisnewstrongertypeofciphercanbetracedbacktoanessaywrittensometimeinthe1460sbytheFlorentinepolymathLeonBattistaAlberti.Albertiproposed mappingeachplaintextlettertotwoormoreciphertextlettersandswitchingbetween themduringtheencipherment.AlthoughAlbertihadhituponthemostsignificant breakthroughincryptographyforoverathousandyears,hefailedtodevelopthisconceptintoacompletecipher. Albertimadeoneothersignificantcontributiontothefieldofcryptography—he inventedthefirstcryptographicmachine—thecipherdisc.Thecipherdiscisthe earliestknowncryptographicmachineanditconsistsoftwoconcentriccopperdiscs, xv
Preface
oneslightlylargerthantheother,withthealphabetinscribedalongthecircumference ofboththediscs.Thesmallerdiscisplacedontopofthelargerdiscandconnected atthecenterusinganeedlewhichactsasanaxis.Sincethetwodiscscouldbeindependentlyrotated,thetwoalphabetscanhavedifferentrelativepositionsandcan thereforeeasilybeusedtoencryptmessagesusingthemono-alphabeticcipher.In fact,thediskcanalsobeusedinmorecomplicatedways.Albertisuggestedchanging thesettingofthediskwhileencryptingthemessagetousethepoly-alphabeticcipher thathehadjustinvented. Alberti’sinitialidearegardingthepoly-alphabeticcipherwasfurtherdevelopedby JohannesTrithemiusandGiovanniPortaovertheyears.However,thedevelopmentof thisideatoacompletecipherwaslefttoBlaisedeVigenere.AlthoughAlberti,TrithemiusandPortaallmadevitalcontributionstothisnewpoly-alphabeticcipher,the cipherisknownastheVigenerecipherinhonorofthemanwhodevelopeditintoits finalform.ThestrengthoftheVigenerecipherliesinit’susingnotonebut26distinct cipheralphabetstoencryptamessage.ThegreatadvantageofVigenerecipheristhat itisimpregnabletothefrequencyanalysiswhichthecryptanalystshadusedtobreak themono-alphabeticcipher.Thefactthataletterwhichappearsseveraltimesinthe ciphertextcanrepresentadifferentplaintextletteroneachoccasiongeneratestremendousambiguityforthecryptanalyst.Besidesbeinginvulnerabletofrequencyanalysis, theVigenerecipheralsohasanenormousnumberofkeys,makingitdifficulttotry allpossiblekeys.Thecreationofthepoly-alphabeticVigenereciphermeantthatthe cryptographerswerenowincontrol. TheVigenerecipherremainedunbreakableuntilthemid-nineteenthcentury.This iswhenCharlesBabbagecamealong.Babbageisbestknownfordevelopingthe blueprintofthemoderncomputer—theDifferenceEngine.However,Babbagealso madethegreatestbreakthroughincryptanalysissincetheArabscholarsintheninth century—hebroketheVigenerecipher.Babbageneverpublicizedthisdiscovery.His discoverycametolightonlyinthetwentiethcenturywhenscholarsexaminedBabbage’sextensivenotes.Meanwhile,in1863FriedrichWilhelmKasikialsobrokethe Vigenerecipherindependentlyandpublishedhisdiscovery.ThebreakingofVigenere cipherputthecryptanalystsbackonthetop. SincetheVigenerecipherwasbroken,thecryptographershadbeentryingtocomeup withabetter,moresecuretypeofcipher.Theneedforsuchaciphergrewinthelate nineteenthcenturywiththeinventionofthetelegraphandtheradio.Theuseofthe telegraphtookthespeedofcommunicationstonewheights.However,forbusinessmenandthemilitarytoexploittheimmediacyofthetelegraphrequiredtheuseofan xvi
Preface
unbreakablecipher,sincemessagessentusingthetelegraphendedupbeinghandled byawholegroupofpeople(telegraphoperators,andsoforth). Thedemandforasecurecipherwasfurtherfueledbytheinventionofradiobythe ItalianphysicistGuglielmoMarconi.Wirelesscommunicationwasdesirablefor manyreasons,especiallybythemilitary.Primaryamongthemwerethatcommunicationcouldbeachievedwithminimalinfrastructuresupportandthatcommunication couldbeachievedevenifthecommunicatingpartieswereconstantlymoving.These advantageswereinherentduetotheall-pervasivenatureofradio.However,theallpervasivepropertyoftheradiowasalsoitsgreatestweakness,sincethismeantthat themessagessentfromthetransmittertothereceiverinthebattlefieldwerealso accessibletotheenemynearby.Consequently,anunbreakablecipherbecamean absolutenecessity. However,thediscoveryofthenextgreatcipherwasnottocomeuntil1918,and thefieldofcryptographydidnotseeanymajoradvancesduringWorldWarI (1914–1918).Thefieldofcryptanalysisthough,wasanotherstory.Duringthewar, theFrenchlisteningportslearnttorecognizearadiooperator’sfist(hispauses,his speedoftransmissionandhisrelativelengthsofdotsanddashes).TheFrenchalso establishedsixdirectionfindingstationswhichwereabletodetectthedirection fromwhicharadiomessagewascoming.Sinceeachenemybattalionusuallyhad anassignedradiooperatorandsincebattalionsweremobile,theabovetwopieces ofinformationcouldbecombinedtotrackthemovementofenemybattalions.This wasprobablythebirthoftrafficanalysisasaformofcryptanalysis,andduringthe warthisbecameanespeciallyvaluabletoolwhenanewcipherwasintroducedbythe enemy.Infact,theFrenchalsorecognizedthatwirelesscommunicationwasmoreunsecurethanwiredcommunicationduetotheeaseofmessagecollectionandexploited thisfactbydestroyingcommunicationlandlinesastheyretreated.Thisforcedthe advancingGermanstouseradiocommunication;thusmakingmessagecollection easierfortheFrench. Inshort,WorldWarIwasdominatedbythecryptanalysts.Newcipherswere introducedbutallofthemwerebrokenonebyone.Then,in1918,MajorJoseph Mauborgne,headofcryptographicresearchfortheUSArmy,introducedtheconcept ofarandomkey.Theideawasinspiredbythefactthatthefundamentalweakness oftheVigenerecipherthatwasexploitedbyBabbageandKasikitobreakitwasthe cyclicalnatureofthecipherwhenusedwithashortkey.Sincethekeywaslimitedin length,everynthletteroftheplaintextwasencryptedaccordingtothesameciphertext alphabet.Mauborgneadvocatedemployingmessage-lengthrandomkeysaspartofa xvii
Preface
Vigenereciphertogiveanunprecedentedlevelofsecurity.Thiscipherwasknownas theone-timepadciphersinceitrequiredthegenerationoflarge“pads”ofrandomkeys. Thesecurityoftheone-timepadcipherlaywhollyintherandomnessofthekey.The keyinjectsrandomnessintotheciphertextandiftheciphertextistrulyrandom,there isnostructureforthecryptanalysttoexploit.Infact,todatetheone-timepadcipher istheonlycipherwhichcanbemathematicallyproventobeabsolutelysecure.Atfirst thought,thismayleadonetobelievethatthecryptographershadonceandforallwon thewaragainstthecryptanalysts.Ifthisweretrue,thisbookneverwouldhavebeen written.Perfectlysecureastheone-timepadis,itsuffersfromtwogreatoperating difficulties—keygenerationandkeydistribution. Generatingtrulyrandomkeysisnotaseasyasitmightinitiallysound.AsVoltaire putit,“Anybodywhotriestogeneraterandomnumbersbydeterministicmeansisof courselivinginastateofsin.”Overtheyears,cryptographershaverealizedthatthe bestrandomkeysarethosecreatedbyharnessingnaturalphysicalprocesseslikeradioactivity.Thebottomlineisthatitrequiresagreatdealoftime,effortandmoneyto generatetrulyrandomkeys.Difficultaskeygenerationwas,therewasanothermajor problemwiththeone-timepadcipher—thedistributionoftheselargepadsofkeys.To befair,keydistributionhadalwaysbeenaproblemintheworldofcryptography—and aneglectedoneatthat.Theone-timepadcipherjustbroughttheproblemintothelimelightbymakingitalotmoredifficulttosolve(duetothesheervolumeofthepads). Eventhoughthecryptographershadcreatedtheperfectcipherin1918,itwasoflittle useduetoitshugeoperatingcost.However,therewasanotherdevelopmentin1918 thatchangedthefieldofcryptography.ThiswasthedevelopmentoftheEnigmaby theGermaninventor,ArthurScherbius.TheEnigmawasacryptographicmachine whichcouldbeusedforencryptinganddecryptingmessages.ItwasanelectricalversionofAlberti’scipherdiscbutwasmuchmorepowerful.Ausercouldsimplytypein theplaintextalphabet(asinthekeyboardofatypewriter)andobtainthecorrespondingciphertext.ThecryptographiccoreoftheEnigmawasthescramblingunit,which consistedofasetofscramblerdiscs(alsoknownasrotors).Thefirstdiscautomaticallyrotatedbyone-sixthofarevolutioneachtimealetterwasencrypted.Thesecond diskrotatedeachtimethefirstdischadcompletedarevolution,andsoon. IthelpstothinkoftheEnigmaintermsofAlberti’scipherdisc.Enigmahadcombined thescramblerstoimplementapoly-alphabeticcipherwhichcontinuallyswitched betweendifferentcipheralphabets.Considerwhatwouldhappeniftheinnerdiscof Alberti’scipherdiscwasrotatedaftertheencryptionofeachletter:wewouldhave apoly-alphabeticcipherwithaself-generatingkey.Infact,thelengthofthe“key” xviii
Preface
wouldbeaslongasthemessageitself.So,wasthistheimplementationofaone-time padcipher?Well,notquite.Rememberthattheone-timepadcipherrequiresthekey toberandom.IntheEnigmathegenerationofthe“key”wasafactoroftheinitialsettingsofthescramblersandtheplaintextitself.Eventhoughthismadethediscovery ofthekeyverytough,thekeywasnotreallyrandom—itwasjustmechanically(and therefore,mathematically)convoluted.NotethateventheEnigmawasfacedwiththe problemofkeydistribution.IncaseoftheEnigma,eventhoughthekeywasgeneratedduringencryption,theinitialsettingsofthescramblerneededtobeknowntothe sender(s)andthereceiver(s)beforesecurecommunicationwouldbegin.However,the initialsettingsoftheEnigmacouldbechangedonaperiodicbasis—daily,weekly, andsoforth.Thismadetheamountofdatathatneededtobesecurelydistributed muchlessthanthatrequiredforaone-timepadcipher. TheinventionoftheEnigmawastrulyagreatone,andonewhichchangedtheface ofcryptographyforever.Thescramblerorientations,arrangementsandtheplug-board settingstogetherofferedapossibleof10,000,000,000,000,000variationsoftheinitial arrangementsfromwhichthecryptanalystwouldhavetosearchtobreakthecipher. Thecryptographerswerebackontopintheirbattlewiththecryptanalysts.Tobefair, Scherbiuswasnottheonlyonewhohadhitupontheideaofrotatingscramblers. AlexanderKochintheNetherlandsandArvindDamminSwedenhadindependently andalmostsimultaneouslyhituponthisidea.However,noneofthemcouldmarket themachinewellenoughtomakeitacommercialsuccess.Itwasonlyin1927,when theGermansrealizedthattheAchillesheeloftheirWorldWarIcampaignwasthe breakingoftheircipher,thattheGermangovernmentselectedtheEnigmaforuseby themilitary.Infact,theEnigmawastoplayacrucialroleinWorldWarII. EnigmawasattheheartofHitler’sblitzkieg(literally—lightningwar)strategy,whose ethoswas“speedofattackthroughthespeedofcommunication.”WhentheAmericans andtheFrenchbegantoencountermessagesencryptedwiththeEnigma,theywere completelybaffledandquicklygaveup.Thiswasprobablyduetothefactthatinthe wakeofthevictoryinWorldWarI,theAllieswereinadominantpositionandfeared noone,leastofallGermany.Therewas,therefore,nogreatmotivationfortheAllies’ cryptanalysts.Therewasonecountry,though,thatcouldnotaffordtorelax—Poland. AfterWorldWarI,Polandhadreestablisheditselfasanindependentstate.However, totheeastofPolandlayRussia,anationambitioustospreaditscommunism,andto thewestlayGermany,desperatetoregainterritorycededtoPolandafterthewar.The PolishcryptanalyststhereforehadplentyofmotivationtoattacktheEnigma.Adversity,itseems,isoneofthefoundationsofsuccessfulcodebreaking. xix
Preface
ThefirststepinthecrackingoftheEnigmacameonNovember8,1931whenHansThiloSchmidt,aGermanmilitaryemployee,handedoverGermanmilitarydocuments containinginstructionsforusingthemilitaryversionoftheEnigmamachine,tothe Frenchinexchangefor10,000marks.ThesedocumentscontainedenoughinformationtoallowtheAlliestocreateanexactreplicaoftheEnigmamachine.However, theFrenchcryptanalystsdidnotactuallybuildareplica,sincetheywereconvinced thatthenextstageofbreakingthecipher—thatis,findingthekeyrequiredtodecipheramessage—wasimpossible.Thisunderscoresoneofthebasicpresumptionsof cryptography—thestrengthofagoodcipherdependsnotonkeepingthealgorithm (machine)secretbutonkeepingthekey(initialsettingofthemachine)secret. FortunatelyfortheAllies,theFrenchcryptanalystshandedovertheSchmidt documentstothePolishcryptanalyststhankstoanexistingmilitaryco-operation agreementbetweenthetwocountries.ThisallowedthePolishcryptanalyststoattack theEnigmaeventhoughtheFrenchcryptanalystshadgivenuphope.Inattackingthe Enigma,thePolishbureauofcryptographymadeabreakthroughinthefieldofcryptography.Forcenturies,ithadbeenassumedthatthebestcryptanalystswereexperts inthestructureoflanguage.However,thePolishtheorizedthatsinceEnigmawasa mechanicalcipher,cryptanalystswithamorescientificmindmightbebetterequipped toattacktheEnigma.Workingoffthistheory,thePolishbureauassignedthreemathematicianstoworkontheEnigmacipher—oneofthemwasMarianRejewski. WorkingaloneontheEnigma,Rejewski’sattackwasbasedonthetheorythatrepetitionistheenemyofsecurity,sincerepetitionleadstopatternswhichcanbelinked andthereforeexploited.TheSchmidtdocumentsshowedthatthemostobvious repetitionintheEnigmacipherwasthemessagekey.Todiscourageattacksonthe Enigma,theGermancryptographershaddecidedthatinsteadofusingthedaykey (initialscramblersettings)toencryptallmessagesoftheday,thedaykeywasinstead usedjusttoencryptthemessagekey.Themessagekeywasusedtoencryptthemessageitselfandthemessagekeyitselfwastransmittedencryptedwiththedaykey.This processmadethesystemmoresecurebyavoidingtherepeateduseofasingledaykey toencrypthundredsofmessages.However,thefactthatthemessagekeywasencryptedandtransmittedtwiceatthebeginningofeverymessagetoavoidmistakescaused byradiointerferencemadetheprocesssusceptibletoRejewski’srepetitiontheory. EventhoughanexplanationofRejewski’sbreakthroughincrackingtheEnigmais beyondthescopeofthisbook,itisimperativetomentionherethatRejewski’sattackonEnigmaisoneofthetrulygreataccomplishmentsofcryptanalysis.Notonly didRejewskibreakoneofthegreatestciphersofthetime,healsoachievedanother xx
Preface
firstinthecryptographicworldbymechanizingthecryptanalysis.Themachinesthat wereusedtoautomatetheprocessoffindingthedaykeywerecalledbombes,aname attributedtothetickingnoisetheymadewhileworking.FortheAllies,thecracking oftheEnigmawasamajorbreakthroughsinceitcounteractedtheethosofBlitzkrieg, whichwas“speedofattackthroughspeedofcommunications.” However,inDecemberof1938whentheGermansaddedtwomorescramblerstothe Enigma,Rejewski’sbombeswererendereduselessandthePolishdidnothavethe resourcestotacklethenew,evenmorecomplicated,cipher.CrackingthenewEnigma wasnowlefttoBritainandFrance,whichusedRejewski’sbreakthroughasastarting stepinthisprocess.BletchleyParkinBuckinghamshirewasselectedasthecenter ofAlliedcode-breakingwithEnigmabeingoneofthemajorchallenges.Learning fromthePolishexperience,theteamatBletchleyParkconsistedofmathematicians andscientists,besideslinguistsandclassicists.WorkingwiththenewEnigmacipher, overtime,theBletchleyteaminventedtheirownshortcutsforfindingtheEnigma message-keys. ThereweremanysignificantbreakthroughsatBletchleyParkbuttheonethatmost deservesmentionisthatofAlanTuring.Turingismostknownforhis1937mathematicalpapertitled“OnComputableNumbers.”Thepaperwasanattempttoidentify Gödel’sundecidablequestions;thatis,questionsthatwerebeyondthereachoflogical proof.Inordertoidentifytheseundecidablequestions,Turingproposedauniversal Turingmachinewhoseinternalworkingcouldbealteredsothatitcouldperformdifferentfunctions.Ineffect,Turingcreatedtheblueprintforthemodernprogrammable computer.2 TuringjoinedBletchleyParkinSeptember1939andfocusedhisworkonhowto cracktheEnigmacipherwithoutusingthemessage-key-repetitionloophole.In effect,TuringwasworkingtohandlethescenariowheretheGermanswouldrectify thisloopholeintheEnigmacipher.Towardsthisaim,hestudiedthevastcollectionofcapturedmessagesandthecorrespondingdecryptedplaintextthatBletchley hadaccumulatedinthepast.Turingnoticedthatmostofthemessagessentbythe Germansconformedtoacertainstructure.Usingthisknowledge,alongwithother aspectsofthemessagelikethetime,sourceanddestinationofthemessage,Turing realizedhecouldsometimesgetenoughinformationaboutthemessagetopredict partsofthemessage.Turingusedthese“cribs”(ciphertext-plaintextpairs)alongwith hisbackgroundinmathematicsandsciencetobuildhisversionofthebombes,which 2
Tobefairtohistory,theuniversalTuringmachinewasareincarnationofCharlesBabbage’sDifferenceEngine No.2.
xxi
Preface
couldcrackthenewcomplicatedversionoftheEnigmacipher.Theeffectivenessand successofTuring’sbombescanbeestimatedbythefactthatabombecoulddiscover amessagekeyinlessthananhour,andtherewereasmanyas49bombesemployed inBletchleyParkbytheendof1942. EnigmawasbynomeanstheonlycipherofWorldWarII.Thereweremanyother ciphersusedbytheGermansandtheAlliedforces,cryptographersandcryptanalysts. Breakthroughswereachievedoneithersideofthefence,butperhapsnostoryisas interesting(orprobablyaswelldocumented)asthestoryoftheEnigma.
MovingOn Nowthatwehaveahistoricalperspectiveofwirelesstechnologyandcryptography, wecanlookatthetechnicalaspectsofwirelesssecuritybutbeforewebegin,Iwould likethereadertobeawareofwhattoexpectfromthisbook. WirelessSecurityisavasttopicandanyattempttoaddressallissuesinasinglebook isadauntingtask.Itisalmostimpossibletoexplaineachandeverysecurityalgorithm thatisusedinwirelesssecurityindetailinasinglevolume.Inwritingthisbook,I havetriedtostrikeabalancebetweenarchitecturaloverviewsandminutedetails.The aimofthisbookhasbeentoanswerquestionslike:Howiswirelesssecuritydifferent fromsecurityofwirelinenetworks?Howhaswirelesssecurityevolvedwithchanges inwirelessnetworking?Whatisthearchitecturalphilosophybehindthedesignof wirelesssecurityprotocols?Whataretheloopholesintheseprotocolsandhowcan theyberectifiedinfuturedesigns?Withthisaiminmind,therestofthisbookisorganizedasfollows: Chapter1looksatthebasicsofcryptography. Chapter2delvesintohowcryptographyisusedtoprovidenetworksecurity.Wealso lookatsomeofthemostprominentsecurityprotocolsusedinnetworksecuritytoday. Wedonotdistinguishbetweenwirelineandwirelessnetworksatthisstageofthebook. Chapter3exploresthetopicofsecurityandthelayered-networkarchitecture.Thisis anoften-neglectedtopicandonewhich,Ithink,isnecessarytounderstandthearchitecturalintegrationofsecurityandnetworking. Chapter4laysthefoundationofwirelessnetworksanddiscussesthedesignofcellularnetworkswhichwereprimarilydesignedforenablingvoicecommunication. Chapter5discusseswirelessnetworkswhichareprimarilydesignedforenabling datacommunication.Thesenetworksarearelativelynewphenomenonandprobxxii
Preface
ablythemostwidelydeployedtechnologyinthisfieldisIEEE’s802.11.Welookat 802.11networksandalsoexploremobileadhocnetworkingwhichisanactivearea ofresearchtodayinwirelessnetworking. Chapter6looksattheevolutionofsecurityincellularnetworks.Westartwithsecurityimplementationinthefirstgeneration(AMPS)cellularnetworksandseehow securityimplementationsevolvedandimprovedinsecondgeneration(GSM)andthen thirdgeneration(UMTS)cellularnetworks. Chapter7studiessecurityin802.11networks.Thistopichasbeenatopicofhot debateintherecentpast.Welookatthesecurityimplementationof802.11indetail andstudywhatallthedebatewasabout.Wethenlookathowthe802.11ispecificationsaimtofixtheloopholesof802.11networks. FinallyinChapter8,welookatsecurityinwirelessadhocnetworks.Adhocnetworks(andspecificallymultihopadhocnetworks)areanactiveareaofresearch today.Needlesstosay,then,thatsecurityinsuchnetworksisalsobeingactively researched.Thischapterlooksattheunderlyingsecurityconceptswhichseempromisingforsecuringadhocnetworks.
ReadingConventions AliceandBobarethecommonarchetypalcharactersusedincryptography/security. IhavestucktothisconventionwhereAliceandBobwanttocommunicatewitheach othersecurelyoveranunsecurenetwork.Eveisaneavesdropper/attackerwhowishes toeavesdropontheircommunicationordisrupttheircommunicationorlaunchother sortsofattacks.Thesethreecharacterswouldbesufficientforexplanationofthetext. Anotherconventiontokeepinmindisthattheencryptionofamessage(M)using akey(K)isdepictedeitherbyEK(M)orK(M)whereasthehashofamessage(M) usingakey(K)isdepictedbyHK(M).
HowtoReadthisBook? Beginatthebeginningandgoontillyoucometotheend;thenstop.
—LewisCarroll,AliceinWonderland.
IcannotpossiblysayitbetterthanLewisCarroll:Iwouldlikeeveryreadertoreadthe wholebook,butsincethatisnotalwayspossible,Ihavetriedtoorganizethisbook inasmodularafashionaspossibletoallowmaximumflexibility;forexample,readersinterestedonlyincellularnetworkssecuritymayskipChapters5,7and8.On theotherhand,thosewithabackgroundincryptographymayskipChapters1and2. xxiii
Preface
Intheend,itisuptothereader.Anywayyoureadit,Ihopethisbookhelpsyouin understandingsecurityinwirelessnetworks.
xxiv
Acknowledgments Iamthankfultomyfatherforteachingmethevaluesandmoralsoflife.Iamthankful tomymotherwhoneverhadtimetodoanythingelsebutbeamothertomeandmy sister.IamthankfultoSumedhaforbeingalovingsisterandforalwaysbeingthere. Iamthankfultomywifeforherlove,supportandconstantencouragementwithout whichthisbookwouldhaveneverbeenwritten.Iamthankfultoherforputtingup withmylonghoursonthecomputerandalsoforbeingtheproof-reader,first-cut editor,typesetterandtypistforthisbook. Iamalsothankfultothefollowingpeople: DavidLide–mynumerousdiscussionswithwhohaveimprovedmyunderstanding onvarioustechnicaltopics. ChandraDidi,JijajiandtheAhujaFamily–fortheirencouragementandsupport. AshwinMahajan–mydiscussionswithwhotaughtmelateralthinking. AnkurBhagat–fromwhomIlearntthemeaningofperseverance. and HarryHelms,myeditor–whoseencouragementandguidancewereinvaluablein writingthisbook. Finally,IwouldliketothankalltheauthorswhosetexthasbeenlistedintheReferencessection.Manyreferenceswereusedforthisbookbutsomemayhavebeen mistakenlyleftoutfromtheReferencesection:toalltheseauthorswhorecognize theirwordsandideasrepresentedherebutdonotseetheirworkinthereference section,myapologies.
xxv
Acronyms Symbol 1G 2G 3G
FirstGeneration SecondGeneration ThirdGeneration
A ACO AES AH AK AKC AMF AMPS AODV AP ARAN ARP AuC
AuthenticationCipheringOffset AdvancedEncryptionStandard AuthenticationHeader AnonymityKey AsymmetricKeyCryptography AuthenticationManagementField AdvancedMobilePhoneSystem AdHocOn-demandDistanceVector AccessPoint AuthenticatedRoutingforAdHocNetworks AddressResolutionProtocol AuthenticationCenter
B BS BSA BSC BSIC BSS BSS BTS
BaseStation BasicServiceArea BaseStationController BaseTransceiverStationIdentityCode BaseStationSystem BasicServiceSet BaseTransceiverStation
C CA CBC
CertificateAuthority CipherBlockChaining xxvii
Acronyms
CCMP CCS CD CDMA CEPT CHAP CI CO CRC CRL CSMA-CD CTS
CounterModeCBC-MACProtocol CommonChannelSignaling CollisionDetection CodeDivisionMultipleAccess ConferenceofEuropeanPostalandTelecommunication ChallengeHandshapeAuthenticationProtocol CellIdentifier CentralOffice CyclicRedundancyCheck CertificationRevocationList CarrierSenseMultipleAccesswithCollisionDetection ClearToSend
D DAD DCC DDoS DES DH DHCP DIFS DoS DS DSDV DSR DSSS
DuplicateAddressDetection DigitalColorCode DistributedDenialofService DigitalEncryptionStandard Diffie-Hellman DynamicHostConfigurationProtocol DistributedInter-FrameSpace DenialofService DistributionSystem DestinationSequencedDistanceVector DynamicSourceRouting DirectSequenceSpreadSpectrum
E EAP EAPoL ECB EIR ELP ESN ESP ESS
ExtensibleAuthenticationProtocol ExtensibleAuthenticationProtocoloverLan ElectronicCodebook EquipmentIdentityRegister EquationalLogicProgramming ElectronicSerialNumber EncapsulatingSecurityPayload ExtendedServiceSet
F FHSS FMS
FrequencyHoppingSpreadSpectrum Fluhrer-Mantin-Shamir xxviii
Acronyms
G GAP GFSK GMSC GMSK GPRS GSM
GenericAccessProfile GaussianFrequencyShiftKeying GatewayMobileSwitchingCenter GaussianMinimumShiftKeying GeneralPacketRadioService GlobalSystemsforMobileCommunications
H HLR HTML HTTP
HomeLocationRegister HyperTextMarkupLanguage HyperTextTransferProtocol
I IANA IBSS ICV IK IKE IMEI IMSI IPSec IS41 ISP IV
InternetAssignedNumbersAuthority IndependentBasicServiceSet IntegrityCheckValue InitializationKey InternetKeyExchange InternationalMobileStationEquipmentIdentity InternationalMobileSubscriberIdentity InternetProtocolSecurity InterimStandard41 InternetServiceProvider InitializationVector
K KAC KDC KSI
KeyAdministrationCenter KeyDistributionCenter KeySetIdentifier
L LAN LK LMSI LS
LocalAreaNetwork LinkKey LocalMobileSubscriberIdentity LandStation
M MAC MAC
MediaAccessControl MessageAuthenticationCode xxix
Acronyms
MANET MANET MAP ME MIC MIN MK MPDU MS MSC MSDU MSISDN MSRN MTSO
MobileAdHocNetwork MultihopAdHocNetwork MobileApplicationPart MobileEquipment MessageIntegrityCheck MobileIdentificationNumber MasterKey MediaAccessControlProtocolDataUnit MobileStation MobileSwitchingCenter MediaAccessControlServiceDataUnit MobileSubscriberISDNNumber MobileStationRoamingNumber MobileTelephoneSwitchingOffice
N NAT NAV NIST
NetworkAddressTranslation NetworkAllocationVector NationalInstituteofStandardsandTechnology
O OFB OFDM OLSR OOB OSA OSI
OutputFeedback Orthogonal-Frequency-Division-Multiplexing OptimizedLinkStateRouting Out-Of-Band OpenSystemAuthentication OpenSystemsInterconnection
P PAN PAP PDA PHY PK PKC PKEY PKI PLCP PMD PMK
PersonalAreaNetwork PasswordAuthenticationProtocol PersonalDigitalAssistant PhysicalLayer PayloadKey PublicKeyCryptography Pass-Key PublicKeyInfrastructure PhysicalLayerConvergenceProtocol PhysicalMediumDependent Pair-wiseMasterKey xxx
Acronyms
PN PoP PPP PRF PSTN PTK
PacketNumber PointofPresence PointtoPointProtocol PseudorandomFunction PublicSwitchedTelephoneNetwork Pair-wiseTransientKey
Q QoS
QualityofService
R RADIUS RF RNC RSA RSN RSS RTS
RemoteAccessDialInUserSecurity RadioFrequency RadioNetworkController Rivest-Shamir-Adleman RobustSecurityNetwork ReceivedSignalStrength RequestToSend
S SA SAR SAT SCM SEG SID SIFS SIG SIM SKA SKC SP SPI SQN SS7 SSID SSL SSP STA STP
SecurityAssociation Security-awareAdHocRouting SupervisoryAudioTone StationClassMark SecurityGateway SystemIdentifier ShortInter-FrameSpace SpecialInterestGroup SubscriberIdentityModule SharedKeyAuthentication SymmetricKeyCryptography SignalingPoints SecurityParameterIndex SequenceNumber SignalingSystem#7 ServiceSetIdentifier SecureSocketsLayer ServiceSwitchingPoint Station SignalingTransferPoint xxxi
Acronyms
T TCP TDMA TGT TKIP TLS TMSI TSC TSN TWN
TransmissionControlProtocol TimeDivisionMultipleAccess TicketGrantingTicket TemporalKeyIntegrityProtocol TransportLayerSecurity TemporaryMobileSubscriberIdentity TkipSequenceCounter TransitionalSecurityNetwork TraditionalWirelessNetwork
U UEA UIA UMTS URL
UserEncryptionAlgorithm UserIntegrityAlgorithm UniversalMobileTelecommunicationsSystem UniversalResourceLocator
V VLR VPN
VisitorLocationRegister VirtualPrivateNetwork
W WAE WAN WAP WEP WLAN WML WPA WTLS
WirelessApplicationEnvironment WideAreaNetwork WirelessApplicationProtocol WiredEquivalentPrivacy WirelessLocalAreaNetwork WirelessMarkupLanguage Wi-FiProtectedAccess WirelessTransportLayerSecurity
Z ZRP
ZoneRoutingProtocol
xxxii
AbouttheAuthor PraphulChandraisanElectricalEngineerbytraining.HecompletedhisundergraduatestudiesfromInstituteofTechnology,BHUinIndiaandhisgraduatestudiesfrom ColumbiaUniversity,NewYork.HeworksforTexasInstrumentsandliveswithhis wifeinMaryland.Thisishisfirstbook.Heiscurrentlyworkingonhissecondbook whichwouldbeaboutWi-FiTelephony.Hemaintainshispersonalwebsiteatwww. thecofi.net.
xxxiii
C H APTER 1
SecurityandCryptography 1.1 WhatisSecurity? “WhenIuseaword,”HumptyDumptysaid,inratherascornfultone,“itmeansjust whatIchooseittomean—neithermorenorless.” —ThroughtheLookingGlass. TheWebsterdictionarydefinessecurityastheconditionorqualityofbeingfree fromapprehension,anxiety,orcare.Asecurecommunicationnetwork,then,canbe definedasanetworkwhoseusersdonotfeelanyapprehensionoranxietywhileusing thenetwork. Notehowthemeaningofasecurenetworkdependsonhowitisused.Asanexample, considertheInternet.AslongastheInternetwasthedomainofengineersandscientists,usersdidnotcareaboutsecurity.Ifsomebodywasgeekyenoughtoconnecttothe Internet,theyhadtherighttouseitanywaytheywanted.Withthecommercialization oftheInternetcameabigboominthenumberofusers.Alongwiththisboom,however,camesecurityconcerns.Thesesecurityconcernsgrewmanifoldwiththecomingof ageofe-commerce.Today,usersusetheircreditcardovertheInternetasmuchasthey useitoverthetelephone.Whatarethesecurityexpectationsofsuchusers? Let’sconsiderthiswithaconcreteexample.SupposeAlice(A)wantstocarryouta monetarytransactionwithherBank(B).Firstandforemost,Aexpectsthattheinformationsheintendstosendto(orreceivefrom)Bshouldnotbeaccessibletoanybody
(Alice)
(Expected Secure Communication)
Figure1.1:TheNeedforSecurity
1
(Bank)
Chapter1 else.Thisistheexpectancyofconfidentiality.Next,sheexpectsthattheinformation shesendsto(orreceivesfrom)Bshouldnotbealteredorcorruptedbyanybody.This istheexpectancyofintegrity.Notethatconfidentialityandintegrityaremutually exclusiveprinciplesinthattheexistenceofonedoesnotimplytheexistence(orthe absence)oftheother.1 SinceBtooisauseroftheunderlyingnetwork,weshouldconsideralso,thesecurity expectationsofB.First,BexpectsthatAiswhoshesayssheis.Afterall,youwould notexpectyourbanktoletsomeoneelseoperateoraccessyouraccount.Thisisthe expectationofauthentication.BalsoexpectstohaveproofofthetransactionthatA carriesoutsothatAcannotdenyhavingwithdrawnmoneyfromheraccountinthe future.Thisistheexpectationofnonrepudiation. BothAandBalsoexpectthattheywouldbeabletocarryouttransactionswithout losingconnectionorcommunicationwitheachother.Atitsfacevalue,thisappearsto beanetworkingproblemratherthanasecurityproblem.However,DenialofService (DoS)attacksintherecentpasthaveexploitedweaknessesinnetworksecurityprotocolstocompletelybringdownserversandnetworks,thusbringingthisprobleminto thesecuritydomain. Tosummarize,asecurecommunicationnetworkprovidesthefollowingfacilitiesto itsusers: Confidentiality:Thenon-occurrenceoftheunauthorizeddisclosureofinformation. Nooneexceptthesenderandthereceivershouldhaveaccesstotheinformation beingexchanged. Integrity:Thenon-occurrenceoftheunauthorizedmanipulationofinformation.No oneexceptthesenderandthereceivershouldbeabletomodifytheinformation beingexchanged. Authentication:Thereceiver’sabilitytoascertaintheoriginofamessage.Anintruder shouldnotbeabletomasqueradeassomeoneelse. Nonrepudiation:Thereceiver’sabilitytoprovethatthesenderdidinfactsendagiven message.Thesendershouldnotbeabletofalselydenylaterthathesentamessage. ServiceReliability:Theabilitytoprotectthecommunicationsessionagainstdenialof serviceattacks. Ifthemessageisencrypted,anintrudermayhaveaccesstothedatabeingsentbutdoesnothaveaccesstothe “information”beingsent.Inthiscase,anintrudermaystillbeabletomodifythedata,leadingtoamodification intheinformation.
1
2
SecurityandCryptography Itisextremelyimportanttorealizethatthesearedistinctindependentrequirements andthepresenceorabsenceofanyoneofthemdoesnotinanywayguaranteethe presenceortheabsenceoftheother(s).
1.2 Cryptography Nowthatweunderstandtherequirementsofasecurecommunicationnetwork,the nextquestionishowtosatisfytheserequirements.Hereiswherecryptographycomes in.Cryptographyistheartandscienceofkeepingmessagessecure[1].Letuslookat howcryptographymakesmessages“secure”inthecontextofourrequirementsof securecommunicationnetworks. 1.2.1 Confidentiality Usersofanetworkusehumanlanguages(likeEnglish,Hindi,French,andsoforth) tocommunicateoveranetwork.LetussupposethatAusesEnglishforthistransaction.ThemessagesthatareexchangedbetweenAandBarethereforeinplainEnglish orplaintext.ConsidernowthatAissittingatherhomeinourexampleandthatthe media(twisted-pairtelephonewires,coaxcable,wireless,andsoforth)whichcarry hermessagesgobeyondherhomeboundaries.Thismeansthatanybodymayaccess themediawithoutA’sknowledge. Now,letusintroduceEve(E),theeavesdropper(oraprivateinvestigator,ifyou wanttokeepthingsexciting)whowantstokeeptrackofA’sfinancialtransactions. AllEneedstodotoaccessthemessagesistoaccessthemedia.Sincethemessages exchangedbetweenAandBareinplaintext,Ewillhavenoproblemaccessingthe informationsheneedsifshecanaccessthemedia. LetussupposethatAwantshermessagestobeconfidential.Todoso,sheneeds tosendoutthemessagesinaformatthatEwillnotunderstand.Putanotherway,A wantstosendmessagestoBinsecretorciphertext.Theprocessofconvertingplaintextmessagesintociphertextiscalledencryption.Encryptioncanthereforebedefined astheprocessofdisguisingamessagesoastohideitssubstanceortheinformation containedinthemessage.Conversely,decryptionistheprocessofobtainingthe plaintextfromtheciphertextandcanthereforebedefinedastheprocessofobtaining theinformationcontainedinanencryptedmessage.Mathematically,ifMrepresents theplaintextmessageandCrepresentstheciphertextmessage,thenwecansay:
Encryption::E(M)=C Decryption::D(C)=M.
3
Chapter1
Encryption
(Plaintext)
Decryption
(Ciphertext)
(Plaintext)
Figure1.2:CryptographyinAction
TheassumptionwehavemadeinthisexampleisthatEisincapableofdecryptingtheciphertexttoobtaintheinformation.Tobemoreprecise,theassumptionis thatthemessagessentbyAtoBwouldbesecureifBandonlyBknowshowto decryptmessagesthatAisencrypting.Lookedatanotherway,thismeansthatA andBshareasecret—thatis,howtoencryptanddecryptmessages.Sowecansay thatconfidentialityhereisachievedbysharingofasecret.Thissecretisthemethod (algorithm/cipher)AusestoencryptandBusestodecryptmessages. Therearepracticallimitationsforusingthismethodology.First,thisschemeof thingsrequirethatAandBhaveapredeterminedalgorithmtouse.Thisassumesthe existenceofasecurechannelbetweenAandB(aface-to-facemeeting,asecuretelephoneconversation,andsoforth).Thisisnotalwayspossible.Second,Bmusthave aseparatealgorithmforeachofitscustomers,otherwiseonecustomermaybeable toeavesdroponthetransactionsofothercustomers.ThisrequiresBtobeabletouse ahugenumberofalgorithms.Notonlydoesthisincreasethesystemcomplexityfor B,italsoplacesanadditionalburdenonthesystemdesignerstofindsomanycryptographicalgorithms. Notefurtherthatinthisschemeofthings,theconfidentialityofthesystemisenforced bysharingthecipher(encryption/decryptionalgorithm)andkeepingitasecret betweenthepartiesinvolved.Mathematically,suchasecuritysystemisrepresented byD(E(M))=M.However,suchasystemhasseverecryptographiclimitations.Supposethatthereisagroupofpeoplewhowanttocommunicatewitheachotherovera medium.Now,whilecommunicating,twopeoplewanttoensuretheconfidentialityof themessagesbetweenthem—thatis,theydonotwantothersinthegrouptobeable toaccessthemessagestheyareexchanging.Sincethecipherisknowntoallgroup members,two-partyconfidentialitycannotbeachievedbythissecuritysystem.This iswherekeyscomein.Akeyisasharedsecretbetweencommunicatingpartieswhich canbeusedforsecuringcommunicationbetweenthem.
4
SecurityandCryptography Whenacipherusesakeytoencryptanddecryptmessages,thesecrettobeshared movesfromthealgorithmtoanumber(key).Wecannowachievesecurecommunicationbetweenanynumberofnodesinanunsecureenvironmentbyensuringthatthe participatingnodesshareasecretkey.Inotherwords,thesecurityinthesesystemsis basedonthekeyandnotonthedetailsofthealgorithm.Thisisalsomucheasierto implement,sincekeepinganumbersecretismuchmoreeasierthankeepinganalgorithmsecret.Akeyisoneofalargenumberofvalues.Thesetofvaluesfromwhich thekeycanbeselectedisknownasthekeyspace.Thelargerthekeyspace,themore secureisthekeysincethekeywouldbehardertoguess(break). 1.2.1.1SymmetricKeyCryptography Keyscanbeusedsymmetricallyorasymmetrically.SymmetricKeyCryptography (SKC)referstotheprocesswhereinthesenderandthereceiverusethesameshared key(andthesamecipher)toencryptanddecryptmessages.SuchasystemisrepresentedmathematicallyasDK(EK(M))=M. Inourexample,supposeAandBdecidetouseSKCtomaintaintheconfidentialityof theirtransaction.Assumingthereallifescenario,whereinAandBhavenopreestablishedstandardsorknowledgeabouteachother,establishingsecurecommunication betweenthemrequiresthefollowingsteps: 1
2
3,4 (Alice)
(Bank)
1. A and B agree on a cryptosystem (cipher to be used). 2. A and B agree on the key to be used. 3. A encrypts messages using the negotiated key and cipher and sends them to B. 4. B decrypts the ciphertext using the negotiated key and cipher.
Figure1.3:SymmetricKeyCryptography
TheAchillesheelofsymmetrickeycryptographyisthatstep2hastobecarriedout beforetheunderlyingchannelhasbeenmadesecure. Step2beingcarriedoutunsecurelymeansthatifEvegetsaccesstothechannelduringthisstep,shecanknowthekeythatAandBdecidetouse.Thiscompromisesthe securityofthesystem.Insynopsistherefore,symmetrickeycryptographyhasthefollowingproblems: 5
Chapter1
• Keysneedtobedistributedinsecret,sincethesecurityofthesystemliesin thesecrecyofthekeys.Sincethereisnoinherentsupportforkeydistribution, keysareusuallydistributedbysomeothermeans(likecouriers,forexample). Thismeansthatthesystemisassecureasthecourier.Furthermore,keydistributioncanbeadauntingtaskforlargenetworksliketheInternet.
• Oncethekeyisstolen,thewholesecuritysystembreaksdown—thereisno gracefuldeath.
• Assumingaseparatekeyisusedforeachpairofnodes,thetotalnumberof keysrequiredforann-nodenetworkisn(n–1)/2.Thisquantitygrowsdramaticallywithincreasingn.
1.2.1.2AsymmetricKeyCryptography AsymmetricKeyCryptography(AKC)exploitsthemathematicsoftrapdooronewayfunctions.Aone-wayfunctionisafunctionfsuchthatitiseasytocomputef(x) foranygivenxbutitisveryhardtocomputexforagivenf(x).“Veryhard”usually meansthatittakesaverylongtimewithcurrentcomputerpowerstandardstocalculatexfromf(x).Anexampleofaone-wayfunctionisthesquareofanumber.Itis easytocomputethesquareofanumberbutitismuchhardertocomputetherootofa number.However,calculatingtherootsisnothardenoughtobeusedincryptography. Atrap-doorone-wayfunctionisaone-wayfunctionwiththepeculiaritythatit becomeseasytocalculatexfromf(x)ifandonlyifweknowasecretkey.Inother words,xtof(x)iseasyandf(x)toxishardexceptifweknowthesecrety;inwhich case,givenyandf(x),itbecomeseasytogetx.Anexampleoftrap-dooroneway functionistheproductoftwolargeprimenumbers.Suchaproductiseasytocomputebutgiventheproductitisveryhardtocomputeitsfactorsandobtainbackthe numbers.Infactthelargertheprimenumbersthemoreharditbecomestofactorthe product.However,thetrapdooristhatifweknowoneoftheprimenumbersthenthe problembecomesthetrivialproblemofdivisiontoobtaintheothernumber.So,one oftheprimesservesasthekeyhere. Asymmetrickeycryptographyreferstotheprocesswhereinthesenderandthereceiverusedifferentkeys(butthesamecipher/algorithm)toencryptanddecryptmessages. SuchasystemisrepresentedmathematicallyasEK1(M)=CandDK2(C)=Mor x → f(x) :: Easy f(x) → x :: Very Difficult f(x) + Y → x :: Easy Figure1.4:TrapDoorOne-WayFunctions
6
SecurityandCryptography DK2(EK1(M))=M.Thedecryptionkeyisdifferentfromtheencryptionkeyandshould notbederivablefromtheencryptionkey.Asymmetrickeycryptographyisalsocalled PublicKeyCryptography(PKC)sinceeithertheencryptionkeyorthedecryptionkey maybemadepublicdependingonwhetherweneedconfidentialityornonrepudiation. ToachieveconfidentialityusingPKCinourexampleofAliceandtheBank,weuse themechanismdescribedinFigure1.5. 1 2 3,4 (Alice)
(Bank)
1. A and B agree on a cryptosystem (cipher to be used). 2. B sends its public key to A. 3. A encrypts messages using the negotiated cipher and B’s public key received in step 2. 4. B decrypts the ciphertext using its private key and the negotiated cipher.
Figure1.5:PublicKeyCryptography
ThestrengthofPKCliesinthefactthatthestepscarriedoutintheunsecurechannel (steps1and2)donotcompromisethesecurityofthesystem.Thisissobecauseit istheencryptionkeywhichissentovertheunsecuremediumandmadepublic.This meansthatwhoevergetsaccesstothepublickey(sayEve)canencryptmessagesand sendthemtoBbutEvecannotdecryptmessagesmeantforBsincetheprivatekeyis stillasecret.ThereforewhenPKCisusedtoachieveconfidentiality,theencryption keyisthepublickeyandthedecryptionkeyistheprivatekey.2 Thesecrecyofthesystemliesinthedecryptionkey,whichisnevertransmittedover themedium.Theencryptionkeyismadepublicbythereceiversothatanyonecan sendmessagestothemsecurely.Sinceonlythereceiverhasthedecryptionkey,only hecandecryptthemessage. Tosummarize,Bmaintainsapairofkeys(K1,K2)peruser.Whenauser(Alice) wantstomakeatransaction,BsendshertheencryptionkeyK1overtheunsecure medium.Aliceencryptsallhermessagesusingthiskey(EK1(M))andsendstheresultingciphertextoverthemedia.Now,eventhoughEhasaccesstotheciphertext,Cand Ontheotherhand,thedecryptionkeyismadepublicbythesendertoimplementdigitalsignatures.Indigital signatures,sinceonlysendercanencryptthemessage,anyonewhoreceivesthemessage(anddecryptsitusing thepublickey)canbeensuredthatthemessageisauthentic.
2
7
Chapter1 theencryptionkey,K1,shecannotaccesstheinformationcontainedinthemessages sinceDK1(EK1(M))doesnotyieldM. Mathematically,accesstof(x)(theciphertext)doesnothelproguenodessinceitis “veryhard”toobtainxfromf(x).Thishappensbecausefisatrap-doorone-wayfunction.Thetrap-doorinthiscaseistheprivatekey,K2whichneverleavesB.Sincethe privatekey,K2(thetrap-door)isknownonlytothedestinationofthemessage(B), onlyBcandecryptthemessage. Ideally,wewouldalwaysliketousePKC.However,everythingcomesatacost.PKC algorithmsareslow.Infact,theyarealmost1000timesslowerthanSKCalgorithms. Thoughthismaynotseemamajorhindrancegiventheincreasingprocessingpower andspeedsoftoday’scomputers,weshouldrememberthatasthespeedofPKC grows,sowouldthespeedofSKC,keepingthelatteranattractiveoptionforreal timeapplicationslikevoice.Also,withtime,theamountofdatabeingtransmittedper applicationwillgrowwiththegrowthinmultimedianetworking. Notethattheabovesolutionachievesconfidentialityinonedirection.Inotherwords, EwouldbeunabletoreadmessagesthatAsendstoBbutEcanreadmessagesthatB sendstoA.Toachieveconfidentialityinbothdirections,Awouldneedtomaintaina pairofkeys,sendtheencryptionkeytoBandthendecryptmessagesitreceivesfrom Busingthecorrespondingpair-key. Itisimportanttopointoutherethatcryptographyisnotaperfectsolution(nottoday, atleast).EvenPKCissusceptibletochosenplaintextattacks.Theseattacksexploit thefactthattheencryptionkeyismadepublicinPKC.Hereishowarogueperson maybreakintoasystemusingPKC.First,theroguepersonlearnsthepublickeyofa nodeandthenencryptsallpossible(orallprobable)plaintextmessagesthatitexpects thenodetoreceive.Notethatthiscanbedoneoff-line.Oncefinished,theroguenode hasaone-to-onemappingoftheciphertextmessagesandtheplaintextmessages.It cantheninterceptciphertextmessagesinrealtime,hashthemintothemappingand obtainthecorrespondingplaintext.Suchanattackishighlyeffectiveifthesetof plaintextmessagesthatthenodereceivesarelimited.Thishappens,forexample,in ATMmachinescommunicatingwiththecentraldatabase. 1.2.1.3HybridCryptography HybridsystemsexploitthespeedofSKCandusePKCtosolvethekeydistribution problemofSKC.RefertoFigure1.6toseehowAandBcommunicatesecurelyina hybridcryptosystem.
8
SecurityandCryptography 1 2 3,4 (Alice)
5
(Bank)
1. A and B agree on a cryptosystem (cipher to be used). 2. B sends its public key to A. Let’s call this key K1. 3. A generates a random session key, K. It encrypts the session key K with B’s public key and sends it to B, i.e., A transmits Ek1(K). 4. B decrypts the received message using its private key to obtain the session key, K. At this point both A and B (and only A and B) know the session key to be used for this transaction. 5. Both A and B use the session key for this session to communicate securely.
Figure1.6:HybridCryptography
Asseenabove,hybridcryptographyusesPKCforkeydistributionbutSKCformessageencryption.Sincekeydistributionisdoneoncepersessionandthisremovesthe burdenofkeydistribution,thetrade-offisworthit.SKCformessageencryptionfulfilsthespeedrequirementsofrealtimeapplications.Notealsothatthismethoduses adistinctkeyforeverysessionandsincethissessionkeyisgeneratedatruntime,it drasticallyreducestheprobabilityofcompromisingthekey’ssecurity.Anotheradvantageofthisschemeisthatitautomaticallyachievesconfidentialityinbothdirections. 1.2.2Integrity SupposethatAissendingencryptedmessagestoB.WhenEvegetsaccesstothe transmissionmediumbetweenAandB,shestartsaccessingthemessagesthatAis sendingtoBoverthemedium.AlthoughEve(E)isnotabletomakeanysenseofthe packetsthatsheisintercepting(sincethemessagesareencrypted),Erandomlystarts modifyingthesemessagesonthefly.WhenBreceivesthemessages,hehasnoway ofknowingthatthemessagehasbeentamperedwith,sohecontinuestoprocessthese messages.Ondecryptingtheciphertext,Bmayeithergetamessagedifferentfrom whatAhadsent,orsomegarbledmessage.Eitherisundesirablesinceitviolatesthe integrityofthemessages. So,howdoescryptographysatisfytheintegrityrequirementofacommunication network?Forthereceivertoensurethatthemessagesentbythesourcehasnotbeen modifiedortamperedwith,cryptographyexploitsone-wayhashfunctions.These areonewayfunctionswiththeadditionalpropertythattheytakeaninputofvariable lengthbutproduceanoutputoffixed(andmuchshorter)length.Forcryptography, therearetwodesirablefeaturesinone-wayhashfunctions.First,asmallchangeinthe 9
Chapter1 messageshouldproducealargechangeinthehashofthemessage.Thishelpsbecause aroguepersontryingtotamperwiththemessagewouldlikelychangeonlyasmall pieceofinformationinthemessage.Second,thehashfunctionshouldbecollisionfree.Thismeansthattheprobabilityoftwodifferentmessagesproducingthesame hashshouldbeverylow.Thispropertyprotectsagainsttheattackwhereintherogue nodetriestocompletelychangethemessagewhiletryingtomaintainthesamehash.
(MAC)
(Message)
Figure1.7:MessageAuthenticationCode
Incryptography,thesenderofthemessagecalculatesthehashofthemessage.This hashisknownbyvariousnameslikeMessageAuthenticationCode(MAC),message digest,fingerprint,messageintegritycheck,andsoon.Now,ifEvemodifiesthemessage(and/ortheMAC),Bwillknowthatthemessagehasbeentamperedwith.Refer toFigure1.8toseehowthisworks: 1
1 2
3 4
(Alice)
X (msg. dropped) OK (msg. used)
(Eve)
(Bank)
1. A and B negotiate the one-way-hash function they will use. E eavesdrops on this information. 2. Before sending a message, A (or B) computes the hash of the message and attaches it to the message. 3. Eve modifies this message and sends it to B. When B calculates the MAC of the message and compares it to the attached MAC, the two do not match and B, therefore, knows that the message was tampered with. B, therefore, drops this message. 4. If the message is un-tampered, B accepts the message since the MAC he calculates and the MAC attached to the message are identical.
Figure1.8:UsingMACforIntegrity
ThestrengthoftheschemeliesinEve’sinabilitytomodifythemessagewithoutmodifyingthecorrespondingMAC.Thishappensbecauseasmallchangeinthemessage producesalargechangeinthehashofthemessageandbecausetheprobabilityofthe modifiedmessagehavingthesameMACastheoldmessageisverylow.Consider alsothefactthatEvemighttrytocreatetotallynewmessagesonherown,attachher ownMACandtrytopassthemoffasAlice’smessages,butthisisanauthentication problemandisexplainedinthenextsection. 10
SecurityandCryptography ItispossibletoensurethatonlytheintendedreceiverofthemessageisabletocalculatetheMACofthemessage.Thisisdonebycalculatingthehashonthemessage contentandasecretkeysharedbetweenthesenderandthereceiver(obtained,for example,byPKCforSKC).Inotherwords,theone-wayhashfunctionoperatesona combinationofthemessagecontentandthekeytoproduceahashwhichisknownas theMessageAuthenticationCode(MAC).Sinceaneavesdropperdoesnothavethe key,theycannotcalculatetheMACofthemessage. 1.2.3Authentication SupposethatAandBaretryingtocommunicatesecurelyusinghybridcryptography forconfidentialityandMACsformessageintegrity.Now,supposeEveplanstorob bankcustomersbymasqueradingasthem.Obviously,toprotectagainstimpostors likeEve,thebankneedsasecurityfeature.Authenticationreferstotheabilityofa receivertoascertaintheoriginofamessage.ThisensuresthatanimpostorlikeEveis notabletomasqueradeassomeoneelse.Figure1.9showswhyasimple“usernamepassword”schemeisnotsufficienttoaddressthisissue. Incryptography,authenticationisachievedbyusingdigitalsignaturesorchallengeresponseschemes.Theformerinvolvesthesenderdigitallysigningthemessage.Ifit 1
1 3 5
2
(K2)
4
(K1)
E K1(K6)
E K2(K3) 6
(Alice)
(Eve)
(Bank)
Hint: Odd numbered keys are real. Even numbered keys are used by E for fraud. 1. When A and B agree on a cryptosystem (algorithm to be used), E notes this down. 2. B sends its public key (K1) to A. E notes this down but does not send this to A. 3. E generates an encryption-decryption key pair (K2,K4) and sends the encryption key, K2 to A. 4. E generates a random key (K6) on her own, encrypts it using K1 and sends it to B. Note that B has no way of finding out that the message came from E and not A; so B proceeds to the next logical step of prompting for username and password before allowing access into the account. 5. Meanwhile, since A too has no way to find out that message it received came from E and not B, A proceeds to generate a random session key, K3. It encrypts K3 with K2 and sends it to B. However, E intercepts this, decrypts it using K4. At this time E has successfully tricked A into believing that A has a trusted session with B. So, B prompts A to send her username and password using the session key K3. 6. At this point in time, E knows the username and password of A. She sends this to B. So, finally E has tricked A into believing that she is B and has tricked B into believing that she is A. She is practically the master of the universe here.
Figure1.9:Man-in-the-MiddleAttack
11
Chapter1 isensuredthatdigitalsignaturescannotbecopiedorfaked,thereceivercancheckfor digitalsignaturesonthemessagestoauthenticatethemessage.Digitalsignaturesuse PKCinreverse.RefertoFigure1.10toseehowdigitalsignatureswork. 1 2 3,4 (Alice) 1. 2. 3. 4.
(Bank)
A and B agree on a cryptosystem (cipher to be used). A sends its public key to B. Let’s call this key K1. A encrypts the message it sends to B with its own private key. B decrypts the received message using K1 (A’s public key). If B is able to successfully decrypt the message, B can be sure that it is talking to A since only A has its own private key.
Figure1.10:DigitalSignatures
Practicalimplementationsofauthenticationdonotinvolveencryptingthewholemessagewiththeprivatekey,sincethismaytakealongtime.Instead,theyencryptthe hashofthefunction.Sincethehashofthemessageismuchsmallerthanthemessage itself,thissavesalotoftime.Thereceivercanthendecryptthehashofthemessage withthesender’spublickey,computethehashofthemessageandcomparethetwoto authenticatethemessage. Inthechallenge-responsescheme,BsendsarandomnumbertoA.Thisisthechallenge.A‘signs’thisrandomnumberwithherprivatekeyandsendsthissigned responsebacktotheinitiator.Thisistheresponse.Bverifiesthissignedresponseby 1 2 3 4 (Alice) 1. 2. 3. 4.
(Bank)
A and B agree on a cryptosystem (cipher to be used). A sends its public key to B. Let’s call this key K1. B sends a random number to A. A encrypts this random number with its own private key and sends this to B. B decrypts the received message using K1 (A’s public key). If B finds that it is successfully able to decrypt and obtain the random number it sent, B is ensured that it is talking to A.
Figure1.11:Challenge-Response
12
SecurityandCryptography decryptingtheresponse.Ifthisisverified,BauthenticatesA.Amayalsoauthenticate Bbysendingachallenge. Challenge-responsesystemsanddigitalsignaturesarevariationsofthesame technique.Whereastheformerrequiresasingleseparatemessagetoensureauthentication,thelatterdoesitonaper-messagebasis.Eventhoughthelatterappearstobe moresecure,theformeroneiswellsuitedforconnection-orientednetworkswhere theauthenticationcanbedoneonceatconnectionsetuptime,thussavingthepermessageover-head. 1.2.4ReplayProtectionandNonrepudiation Intherealworld,whenAgivesachequetoB,Bneedstodepositthechequeinthe banktocashit.Sincethebanktakespossessionofthechequeaftercashingit,this ensuresthatBdoesnotcashthechequemorethanonce.Now,consideradigital cheque.SupposeAsentBadigitallysigneddigitalcheque.HowdowepreventB fromcashingthechequemorethanonce?Sincethereisnophysicalentity,thebank cannottakepossessionofsomething. Inthedigitalworld,protectionagainstreuseofanentitymeantforone-timeuseis referredtoasreplayprotection.Inotherwords,wewanttoensurethatBcanonly usethechequeonce.ThisisachievedbyhavingAincludeatimestampinthemessage,hashthemessageandencryptitwithitsprivatekey.Basically,theauthentication mechanismspreadsitsscopetoincludeatimestampinthedigitalsignature.Thisway twochequessenttoBwillhavetwodifferentdigitalsignatures,evenifeverythingelse isexactlythesame. Timestampsalsohelpsolvetheproblemofnonrepudiation.SupposeAsendsacheque toBandlaterclaimsthatshedidnotsendit.TheproofthatBhasisthatthemessage hereceivedwassignedusingA’sprivatekeyandthereforeAsentit.However,supposeArepudiates,claimingthatshehaslostherprivatekey.Timestampslimitthe problemtosomeextent,butnonrepudiationisoneofthetoughestsecurityparameters andusuallyrequirestheinvolvementofatrustedthirdparty.
1.3Cryptanalysis Theantithesisofcryptographyiscryptanalysis.Whereastheformeraimstohide theinformationcontentofamessagefromunauthorizedentities,thelatteraimsto recovertheinformationcontentofamessage.Putanotherway,cryptanalystsaimto recovertheplaintextfromtheciphertextwithouthavingaccesstothesharedsecret keys.Anattemptedcryptanalysisiscalledanattack. 13
Chapter1 Thesimplestformofcryptanalysisisabruteforceattackwheregiventheciphertext, thecryptanalysttrieseverypossiblekeyonebyonetodecryptituntiltheyobtaina meaningfulplaintext.Thistypeofattackminimizesthedatainputrequirements(all itneedsistheciphertext)andmaximizesthesystemresourcerequirements(timeand computingpower). Aswemovealongthisbook,wewillseevarioustechniquesofcryptanalysis.Networksecurityis,infact,anongoingstrugglebetweenthecryptographerstryingto providesecurityandcryptanalyststryingtobreakit.
1.4BlockCiphers Cryptographicalgorithmsarebroadlydividedintotwocategoriesdependingonthe typeofdatatheyexpectasinput.Blockcipherstakeblocks(usually64bits)ofdata asaninput,whereasstreamciphersoperateonabit(orabyte)attime.Givenakey,a blockcipheralwaysencryptsagivenblockofplaintexttothesameciphertext.Onthe otherhand,givenakey,astreamcipherwillencryptagivenbit(orbyte)ofplaintext toadifferentciphertext. Thebuildingblocksofblockciphersarepermutationandsubstitution.Let’ssaywe aredealingwithk-bitblocks;asubstitutionspecifies,foreachofthe2kpossiblevalues oftheinputblock,thek-bitoutput.So,basicallywehaveasubstitutiontable.Since itisimpracticaltomanagesuchtablesfor64-bitblocks,substitutionisdonefor8-bit blockswhichareobtainedbysplittinguptheinputblock.Tospecifyacompletelyrandomlychosensubstitutionfork-bitblockswouldtakeaboutk.2kbits.Apermutation specifies,foreachofthekinputbits,theoutputpositiontowhichitgoes.Tospecifya completelyrandomlychosenpermutationofthek-bitswouldtakeaboutk.logk. Theaimofpermutationandsubstitutionistomaximizediffusionandconfusion. Diffusionisthepropertyofcipherswhichmeasureshowmanybitschangeinthe ciphertextwhenasinglebitischangedintheplaintext.Blockciphersusuallyhavea largedegreeofdiffusion,thatis,changing1bitinablockofplaintextchangesalmost halfthebitsintheciphertextblock.Streamciphers,ontheotherhand,havenulldiffusionsincebydefinitiontheyoperateon1bitatatime.Confusionisthepropertyof cipherswhichhidesthecorrelationbetweentheplaintextandtheciphertext. Oneofthemostcommonwaystobuildasecret-keyblockcipheristobreaktheinput intomanageablesizedchunks(say8bits),doasubstitutiononeachsmallchunk,take theoutputsofallsubstitutionsandrunthemthroughapermuterthatisasbigasthe input,whichshufflesthebitsaround.Thentheprocess(around)isrepeatedsothat 14
SecurityandCryptography
Round 1
L0
w bits
w bits
R0 K1
≈
R1 • • •
L1
F
• • •
Round i Ki
≈ Li
F
Ri • • •
Feistelnetworksareiteratedblock cipherswheretheencryption algorithmisoftheform:Li=Ri–1 andRi=Li–1XORf(Ri–1,Ki).The functionf()canbeascomplicated aswelike(itmayevenbeahash function)butanyFeistelnetworkis guaranteedtobereversible.DigitalEncryptionStandard(DES)is aspecialcaseofFeistelnetworks whichusesaproprietary“f()”(also knownasmanglerfunction).
Plaintext (2w bits)
• • •
eachbitwindsupasaninputto eachofthesubstitutions.Themultipleroundsensurethatthecipher hasenoughdiffusion.Becauseof thesemultiplerounds,suchblock ciphersarealsoknownasiterated blockciphers.
Round n
Kn
1.4.1UsingtheCiphers:The Modes
≈
Thinkofacryptographicalgorithm asablackboxwhichtakessome inputandproducestheencrypted messageastheoutput.Theinput suppliedtothealgorithmconsists oftheplaintextmessage,thekey(s) andsomesortoffeedback.The plaintextmessageisproducedby theuser.Thekeyswillbedealt withinthenextsection.
F
Ln
Rn
Ln+1
Rn+1
Ciphertext (2w bits)
Figure1.11a:AFeistelNetwork
Thissectionwilldealwiththe feedbackissueandthe“mode”:acryptographicmodereferstohowthealgorithmis used.Thestrengthofthealgorithmitselfdependsonthemodeinwhichitisused. Differentmodesofanalgorithmaresuitableforvarioussituationsandneeds,butthe modeshouldnotcompromisethesecurityoftheunderlyingalgorithm. 15
Chapter1 ECB:ElectronicCodebookMode(BlockCiphers): Pn–1
Pn
Pn+1
Cn–1
Cn
Cn+1
Ci = Ek(Pi) Figure1.12:ECBMode
Thisisthesimplestandthemostobviousmodeforblockciphers.Dataisdividedinto 64-bitblocksandisfedtothecipherwhichproducesthecorrespondingciphertext.Each blockisencryptedseparatelyandthereforetheoperationcanbecarriedoutinparallel. Theadvantageofthisschemeisthatitissimple,canbeparallelizedandthereisno errorpropagation(aciphertextblockcorruptedduringtransmissiondoesnotaffectany otherblocks).Thebiggestloopholeintheschemeisthatplaintextblocksaremapped one-to-onetociphertextblocks.Thismeansthatrepeatsinplaintextblockscause repeatsintheciphertextblocks.Thispropertymakesthismodevulnerabletosplicing, re-orderingandreplayattacks.Inourexample,Evemaycreateadirectoryandthenreshufflethecipherblocksinthemessage(orreplaythese blocksatalatertime)tomodifythemessageasshewants. CBC:CipherBlockChainingMode(BlockCiphers): Pn–1
Cn–1
Pn
Cn
Pn+1
Cn+1
Ci = Ek(Pi XOR Ci−1) Figure1.13:CBCMode
ThebasicproblemwithECBisthatagivenplaintextalwaysmapstothesameciphertext.WecouldsolvethisproblembyXORingtheplaintextwitharandomnumber (aslargeastheplaintextblock)beforeencryptingit.Iftherandomnumberchanges 16
SecurityandCryptography foreachblock,thesameplaintextwillmaptoadifferentciphertexteachtimeitis encrypted.However,thisschemewouldrequirethatAlicesendtherandomnumber alongwiththeciphertexttoBob.Thismeansthatwedoublethetrafficloadonthe network—notaverygoodidea. CBCextendsonthe“random”numberideabyusingtheciphertextfromtheprevious blockasa“randomnumber.”SinceAliceistransmittingtheciphertextfromthepreviousblockanyway,Bobalreadyknowsthe“randomnumber”beingusedandsothere isnoextratraffictobetransmitted.ThechaininginCBCaddsafeedbackmechanism totheblockcipher.Theresultsoftheencryptionofthepreviousblocksarefedinto theencryptionofthecurrentblock.Inotherwords,eachblockisusedtomodifythe encryptionofthenextblockandthereforeeachcipherblockdependsnotonlyonthe plaintextthatgenerateditbutonallpreviousplaintextblocks.Thispropertymakesit difficultforanattackertodecryptselectedciphertextblocks.Theattackermusthave accesstothecompletesessioninordertodecryptanyonecipherblock. Notethatchainingforcesidenticalplaintexttomaptodifferentciphertextifandonly ifsomepreviousplaintextinthesessionisdifferent.Thismeansthatidenticalsessionsstillmaptothesameciphertextsessionandtwomessagesthatbeginthesame (mostpacketshavesimilarheaders)willencryptinthesamewayuptothefirstdifference.Topreventthis,thefirstblockofdataisfedarandomInitializationVector(IV). ThisIVmaynotbesecretandmaybesenttothereceiverunsecurely.Thisdoesnot compromisethesecurityofthesystem. TheadvantageofCBCisthatitismuchmoresecurethanECBandisself-recovering fromerrorssinceanerrorinCieffectsonlyPiandPi+1.TheloopholeinCBCisthat flippingabitinCiflipsthecorrespondingbitinPi+1.Inourexample,ifEveknowsthe messageformatthatisusedforthecommunicationbetweenAliceandBob,shemay flipacertainbitinacertainciphertextblocktochangethemessageasshewishes. NotethateventhoughflippingabitinCiwillflipthecorrespondingbitinPi+1,itwill alsogarblePi.However,thismaynotbeagoodenoughindicationforBobtodeterminethatthemessagehasbeentamperedwith.Thisshowswhyitisimportantto ensuretheintegrityofthemessage.
17
Chapter1 OFB:OutputFeedbackMode(StreamCipher): Pi–1
Si–1
Ci–1
Pi
Si
Pi+1
Si+1
Ci
Ci+1
Ci = Pi XOR Si Si = Ek(Si–1) Pi = Ci XOR Si Si = Ek(Si–1) Figure1.14:OFBMode
OFBisamethodofusingablockcipherasastreamcipher.WestartwiththeblocksizeInitializationVector(IV)andencryptitusingthekeytoobtainb0,suchas S0=Ek(IV).NextweencryptS0toobtainS1(S1=Ek(S0)andsoon.Notethatallthis canbedoneoff-linebothonthesenderandthereceiversidesinceitdoesnotrequire thepresenceoftheplaintextortheciphertext. Whentheplaintextmessagearrivesatthesenderside,eachblockcansimplybe XORedwiththeappropriateSitoobtaintheciphertext.Onthereceiverside,the ciphertextisagainXORedwiththeappropriateSitoobtaintheplaintextback. Confidentiality,asalways,isobtainedbykeepingthekeys(usedtogeneratethe pseudorandomstring)secret.Notethatthefeedbackmechanismisindependentofboth theplaintextandtheciphertextandisusedinthepseudorandomstringgeneration. TheadvantagesofOFBarethatitisfast(key-streamcanbeprecomputed),doesnot requireanypaddingandthaterrorsinciphertextcauselimitederrorsinplaintext.The disadvantagesarethatitisnotself-synchronizingandissusceptibletoknownplaintextattacks.
1.5StreamCiphers “Anyonewhoattemptstogeneraterandomnumbersbydeterministicmeansis,of course,livinginastateofsin.” —JohnvonNeumann Streamciphersoperateonplaintext1bitatatimeandconsistoftwocomponents:a key-streamgeneratorandamixingfunction.ThemixingfunctionistypicallyanXOR 18
SecurityandCryptography whilethekey-streamgeneratorvariesfromoneciphertotheother.Eventhoughblock ciphersareusuallymoresecurethanstreamciphers,theincentiveforusingstream ciphersliesinthattheyarefasterandeasiertoanalyze.Theformerpropertymakes themmoresuitableforrealtimeapplicationslikevoicecommunicationsandthelatter propertymakesthemmorelikeablebycryptographerswholiketoknowhowthesystemissecureratherthanrelyingonblack-boxmanglerfunctionsand/orsubstitution boxesofblockciphers. Anoptimalkey-streamgeneratorhasaperiodof2NforanN-bitkey.Theperiod ofakey-streamgeneratorreferstothetimethatittakesforregeneratingthesame key-stream. Thesecurityofthesystemliesentirelyontheinsidesofthekey-streamgenerator;for example,ifthekey-streamgeneratorgeneratesastreamofzeroes,theciphertextisthe plaintext.Ontheotherhand,ifthekey-streamgeneratorgeneratesanendlessstream ofrandombits,wehaveperfectsecurity.Forstreamcipherstoworkcorrectly,boththe senderandthereceivermustgeneratetheexactsamerandomnumberstreamsothatthe sendercanXORitwiththeplaintexttoobtaintheciphertextandthereceivercanXOR itwiththeciphertexttoobtaintheplaintext.However,thereisaninherentcontradiction inthesetwogoalsofgeneratingrandomnumbersperfectlyanddeterministically. So,thekey-streamgeneratorateitherendgeneratespseudorandomnumbers.These pseudorandomnumbersareusedtoencryptdataatthesender.Themagicisthatthe key-streamgeneratoratthereceiveralsogeneratesthesamepseudorandomnumber stringflawlessly.Securityisprovidedbymakingtheoutputofthekey-streamgeneratorafunctionofakeyprovidedtoitasaninput.Thekeyshouldfirstbenegotiated securelybetweenthesenderandthereceiver(byusingPKCforexample).Then,the key-streamgeneratoratthesenderandthereceiverusethenegotiatedkeytoproduce identicaloutput. Pseudorandomnumbersarenumbersthat“appear”toberandom,buthavea deterministicpatternsincetheyare,afterall,producedbysomefinitestatemachine. Themoreobscurethispattern(thatis,thelongertherepetitionperiod),thebetteris thesecurityprovided.How“long”aperiodislongenoughdependsupontheapplication.However,itisimperativethatthekey-streamgeneratormusthaveaperiodmuch largerthanthenumberofbitsthegeneratorwilloutputbetweenkey-exchanges.For aT-1linkwhichwillencrypt237bitsperday,theperiodmustbeordersofmagnitude largerthanthisevenifthekeyisexchangeddaily.
19
Chapter1 Streamcipherscanbedividedintotwocategories(ormodes).Ifthestateofthe key-streamgeneratordependsonjustthekey,thecipheriscalledasynchronous streamcipher.If,ontheotherhand,thestateofthekey-streamgeneratordependson somepreviouslyproducedciphertextalongwiththekey,thecipheriscalledaselfsynchronizingcipher. SynchronousStreamCiphers: Key
Pi
K.G.
Key
K.G.
Ci
Pi
ci = pi XOR ki
Figure1.15:SynchronousStreamCipher
The“simple”modeofstreamciphersworksbyproducingakey-streamwhichisindependentofanyfeedbackanddependssolelyonthekey.Thismeansthatthesecurity ofthesystemiscompletelycompromisedifthekeyiscompromised.Inthisscheme, thesenderXORstheplaintextwiththiskey-streamtogeneratetheciphertextandthe receiversimplyXORstheciphertextwiththekey-streamtoobtaintheplaintext.This systemrequiresthatthesenderandthereceiverbeperfectlysynchronized Theadvantageofthismodeisthatthereisnoerrorpropagation;ifaciphertextbit getscorruptedduringtransmission,onlythecorrespondingplaintextbitisaffectedor corrupted.However,ifabitisinsertedinordeletedfromtheciphertext,thesender andthereceiverwilllosetheirsynchronizationandthiswillleadtocorruptionofthe restofthemessage. Infact,theinsertionattackcanbeusedtolaunchattackswhichcandomuchmore harmthanjustsimplygarblingthemessageifthekey-streamiseverreused.Tounderstandthisloopholeofkeyreuse,let’sconsiderasimplifiedexample.SupposeMike iscapableoflaunchingaknownplaintextattack.WhatEvedoesistosendPtoAlice andaskAlicetoencryptthemessage.WhenAliceencryptsPwithK,andsendsout thecorrespondingciphertext,C,Evecapturesthis: 20
SecurityandCryptography
P=P0,P1,P2……..Pi……Pn XOR K=K0,K1,K2…….Ki……Kn ________________________ C=C0,C1,C2…….Ci……Cn ←Evecapturesthis.
EvetheninsertsPaintoPandagainasksAlicetoencryptit.SupposeAlicehasakeystreamgeneratorwithaperiodofn.So,Aliceencryptsthisnewmessageagainwith thesamekey-stream:
P=Pa,P0,P1,P2……..Pi……Pn XOR K=K0,K1,K2…….Ki……Kn __________________________ C=C'0,C'1,C'2…….C'i……C'n ←Eveseesthis.
Now,EveknowsCandC'.Soshedoesthis:
PaXORC'0=K0;K0XORC0=P0;P0XORC'1=K1andsoon.
Ascanbeseen,Evenowhasthekey-stream.Itisforthisreasonthatstreamciphers shouldneverreusethekey-streamandshouldhaveasufficientlylongperiod. Self-SynchronizingStreamCiphers: Key
Pi
K. G. –
K. G. –
Ci
Key ci = pi XOR ki ki = f(cj) Pi
ci = pi XOR ki and ki = f(ci)
Figure1.16:Self-SynchronizingStreamCipher
Inthismode,thestateofthekey-streamgenerator(andthereforeitsoutput)isafunctionofafixednumber(sayn)ofpreviousciphertextbits.Thismeansthatthetwo streamgeneratorscanselfsynchronizewitheachotherinitiallywithoutusingany externalmeansbyexchangingann-bitInitializationVector(IV).Mostciphersstart bysendingIVatthebeginningofasessionormessagesothatboththesenderandthe receivercanstartoffsynchronized. Self-synchronizingstreamciphersarebetterthansynchronousstreamciphersinterms ofsecuritysincetheattackermusthaveaccesstoacompletesession(oratleastasetof nbits)inordertodecryptanycipherbit.However,self-synchronizingstreamciphers 21
Chapter1 areslowerthansynchronousstreamcipherssincethekey-streamcannotbeprecomputed.Also,inself-synchronizingstreamciphersanerrorinoneciphertextbitcorrupts nplaintextbitsatthereceiver.
1.6HowSecureisCryptography? Acryptographicsystemhastwobasicingredients:thealgorithmandthekeys.Since anysystemisonlyasstrongastheweakestlink,systemdesignersneedtokeepin mindthatboththeseingredientsneedtobestrong.Thestrengthofacryptographic algorithmisbasedonhowitencryptsandonhowitisused(itsmode).Thestrength ofakeydependsonthelengthofthekey,howlongakeyisused,howthekeyisgenerated,howkeysareexchanged,howkeysarestored,andsoon. 1.6.1StrengthofaCipher Designingsecurecryptographicalgorithmsisnoteasyandmostpracticalimplementationsofcryptographicsystemsleavethisjobtoalargebodyofacademicresearch andusestandardizedalgorithms.Astandardizedalgorithmisonethathasbeen reviewedthoroughlybya“trusted”bodyofacademicresearchand“certified”to besafe.Thesystemdesignerscanthentrustthealgorithmasmuchastheytrustthe certifyingbody. Itisnotagoodideatousea“secret”(proprietary)algorithmtoensurethesecurity ofasystemsincethesealgorithms,bydefinition,havebeenreviewedonlybyasmall groupofpeopleandhaveahigherprobabilityofhiddenweaknessesandloopholes. Standardizedalgorithmshavebeenreviewedmuchmorethoroughlyandtherefore havealowerprobabilityofsufferingfromweaknessesandloopholes.Usingstandardizedalgorithmsalsoensuresinteroperabilitywithproductsfromothermanufacturers. Keepinmindthatthefactthattheinnerworkingofthecipherisamatterofpublicknowledgeisnotasbadasitsoundssincethesecurityofthesystemliesinthe secrecyofthekeysandnotthesecrecyofthecipheritself.A“strong”algorithm shouldhavethefollowingcharacteristics:
• Patternsinplaintextshouldbeconcealed.Plaintexthaslinguisticpatterns. Examplesofthisare—somelettersoccurmorefrequentlythanother;some pairsoflettersoccurveryfrequentlyandsomelettersoccuronlyincertain pairs.Itisthesepatternswhichcompromisethesecurityofthesystem.Agood cipherhidesthesepatterns.
• Agoodmodeensuresthattheinputtothecipherisrandomized.Acipheris, afterall,amathematicaloperation(thoughaverycomplexone).Giventhe 22
SecurityandCryptography sameinput,itwillalwaysproducethesameoutput.Thiscompromisesthe securityofthesystemtoo,sinceaneavesdroppermaybeabletoproducea mappingofmostplaintexttociphertextoveraperiodoftime.
• Manipulationoftheplaintextbyintroducingerrorsintheciphertextshouldbe difficult.Thisisimportanttoavoidattackerswhohavenospecialmotivebut justliketoplaywiththesystem(alsoknownasviruslaunchers,denialofserviceattacks,andsoon.)
• Itshouldbepossibletoencryptmorethanonemessagewithonekey.
1.6.2Key-Length:HowLongisSecure? “SecurityIsn’t” —Anonymous Givenacipher,thekeysizeisameasureofthestrengthofthecipher.Ifthekeysize istoosmall,knownplaintextattacksbecomeeasy.Supposeweknowagivenplaintextblockandthecorrespondingciphertextandsupposethatthekeysizeisthreebits. Giventhisinformation,wecantryencryptingtheinputblockwithallthepossible eightkeysandseewhenwegettheciphertext,hencedeterminingthekeybeingused. So,whatisasafekeylengthforacryptographicsystem?Theanswertothatquestionliesinthevalue(expressedinmonetaryterms)ofthedatathesystemistryingto protect.Theaimofthecryptographicdesignershouldbetomakeasuccessfulattack onthesystemmorecostlythantheactualworthofthedata,thusmakingtheattack unattractiveforthecryptanalyst.Thesystemdesignershouldalsokeepinmindthat, thankstoMoore’sLaw,thecostofcomputingpowerconsistentlydecreaseswithtime. Thismeansthatthedefinitionofa“safekeylength”changeswithtime. Itisextremelyimportanttorealizethatusingkeylengthasameasureofthestrength ofacryptographicsystemassumesthatabruteforceattackisthebestpossibleattack againstacryptographicsystem. Inblockciphers,besidesthekeysize,thesizeoftheblock(amongotherthings)is ameasureofthestrengthofthecipher.Torealizethis,assumethatwehavea8-bit inputblock.Thismeansthatnomatterhowbigthekeyandnomatterhowgoodthe encryptingalgorithm,therearejust256possibleoutputblocksthatcanresultfrom theencryptionoftheinputblock.Ifanattackercancreateamappingbetweenallpossibleinputblocksandallpossibleoutputblocksthenhehasbrokenthecipher.
23
Chapter1
1.7BeyondCryptography 1.7.1Firewalls Thoughoriginallydesignedtocontainbadnetworksoftwareproblems,firewallshave becomeanintegralpartofnetworksecuritytoday.Ideally,everynodewhichconnects tothenetworkshouldberesponsibleforitsownsecurity.Inmostcases,however,itis notonlyeasierbutalsomoresecuretoisolateyourLocalAreaNetwork(LAN)from theInternet.Afirewallisbasicallyasetofhardwareand/orsoftwarethatisolatesa LANfromtherestoftheInternet.Firewallsexistbecausenodesareusuallyunwilling orincapableofprotectingthemselves. Nodesunwillingtoprotectthemselvesmaysoundsurprisingbutthefactisthatmost PCsandUNIXWorkstationsaresoldwithawholebunchofunsecureapplications. Theinsecurityintheseapplicationscanbeattributedeithertobugs(badprogramming)ortofeatures(overridingtheunderlyingsecuritymechanismstomake applicationsmore“convenient”fortheuser).Nodesincapableofprotectingthemselvesincludenodeslikewebserverswhichhandleveryhightrafficloadsandcannot sparetheprocessingpowerrequiredforsecurityneeds. Itisinterestingtostudytheco-existenceofwebserversandfirewalls.Webserversare largecomplexpiecesofsoftwarecapableofhandlingveryhightrafficload.Firewalls, ontheotherhand,tendtobesmallandsimple(toavoidbugsinthefirewallsthemselves)butarealsocapableofhandlingveryhightrafficloads.Alsointerestingisthe placementofawebserverinaLANwithrespecttothefirewalls,keepinginmindthat webserversaretheeasiesttargetsforattacksbecauseoftheirsheersizeandcomplexity.Placingawebserveroutsidethefirewallisdefinitelyabadidea,sinceitexposes thewebservertoallsortsofattacks.However,placingthewebserverinsidethe firewallmeansthatifthewebserveriscompromised,itcanthenbeusedasalaunchingpadforattacksonotherhostsintheLAN.Thetypicalsolutionforthisproblem involvestheuseoftwofirewalls.Thewebserveristhenplacedinthesocalled demilitarizedzone(theregionbetweentheinternalfirewallandtheexternalfirewall). Thoughfirewallsarebynomeanssufficientprotectionagainstsecuritythreats,they formagoodfirstlineofdefenseagainstattackscomingfromoutsidetheLAN.Firewallshavealsocomealongwayintermsoffunctionalityandversatility.Eventhough theunderlyingtheoryoffirewallscontinuestobeaccesscontrol(keepoutthebad packets),thereisnodoubtthatfirewallshaveevolvedovertheyears.Firewallstoday canoperateatthelinklayer(packetfilteringbasedonMACaddresses),thenetwork layer(packetfilteringbasedonIPaddresses)ortheapplicationlayer(packetfiltering basedonthedatacontentinsidethepacket). 24
SecurityandCryptography Itisimportanttorealizethatfirewallsimplementuser-definedpoliciesandthesecurityofafirewallisafactorofthestrengthofthepolicy.Stricterpoliciesmeantighter accesscontrolandthereforemoresecurity,butthiscomesatthecostoflimitingthe applicationsthatusersmightwishtouse.Thejobofthenetworkadministrator,therefore,istostrikeabalancebetweenthesetwoneeds. 1.7.2DenialofServiceAttacks CryptographyalsodoesnotprovideanyhelpagainstDenial(orDegradation)of Service(DoS)attacks.Tounderstandwhythisisso,weneedtounderstandwhatDoS attacksareandhowtheyarelaunched. DoSattacksworkbyoverloadingthefiniteresourcesavailableinasystem,thus makingthesystemunusablebyusers.Theyaresometimescategorizedbasedonthe resourcetheyoverload;forexample,attacksmayoverloadbandwidthintheaccess loop,processingcapacityattherouters,processingcapacityattheserver,orany combinationofthese.AtrivialexampleisaJava™appletrunninginaninfiniteloop, forkingoffthreadswhichwillsoonerorlaterexhaustCPUandmemoryresourcesin thesystem.Amorepracticalexample(andonewhichhasbeenusedtolaunchattacks intherecentpast)involvesaTCPclientapplicationsendingSYNpacketstoaserver inaloop.SincetheTCPattheserverallocatesresourcesandkeepstrackofhalf-open connectionsinatable,iftheclientsentenoughSYNpacketstoexhaustthistable,the serverwouldrejectallfutureconnectionrequests,thusdenyingservicetootherclients. YetanothervariationofsuchattacksistheDistributedDenialofService(DDoS) attackwhereattackersusescommonexploitstoinstallazombieprogramonasmany machinesastheycan.Thezombieprogrambindsitselftoaportandwaits.The zombiescancomealiveatapredeterminedtimeoronreceivinganexplicitmessage fromtheattacker.Onwakingup,thezombiessendalargenumberofpacketstothe desiredtarget,thustryingtoexhaustresourcesatthetarget.DDoSattacksaremuch moreeffectivethantheDoSattackssincethetargethastocopewithmuchhigher loads.Also,sincepacketsarecomingfrommultipleclientsandthereforemultipleIP addresses,itmakestheseattackshardertotrackdowntheattacker. DefensesagainstDoSattacksmaybebasedonprotection,reactionorprevention. Protectionworksbyhavingmultipleresourceswhereoneisneeded.Thismeansthat ifoneresourceisbroughtdownbytheattack,theotherresourcecantakeoverwithouttheservicebeingaffected.Reactionworksbytrackingthesourceofthepackets whichareoverloadingtheresourceandthentakingappropriateactionagainstthe sourceoftheattack(usuallythismeansshuttingoffthesource).However,reaction 25
Chapter1 willnotworkiftheattackisusingIPaddressspoofingorifitisaDDoSattack. PreventionofDoSattacksinvolvestheuseofingressfilteringwhereineachInternet ServiceProvider(ISP)ensuresthatthepacketscomingfromtheendpointintothe networkarenotusingaddressspoofing.IfeachISPusesthispreventionmechanism, itwouldmakeiteasiertotracktheattacksource(andthereforebeastrongdeterrent toattackers)incaseofanattack.However,thereisnocurrentlawrequiringISPsto dothisandthereforethispreventionschemeisstilllargelytheoretical. 1.7.3CodeSecurity Finally,cryptography(orforthatmatteranyotherbranchofscience)cannotprotect againstbadlywrittencode.Inthissection,webrieflyseesomeofthemostcommon codevulnerabilitieswhichhavebeenexploitedintherecentpast. BufferOverflows:Theseattacksexploitvulnerabilitiesinapplications,programming languagesandoperatingsystems.Theunderlyingproblemisthatsomeapplicationsdonotdoargumentboundchecking.Thismeansthatthereisnocheckinthe applicationcodeforensuringthatthelengthofthesuppliedargumentiswithin certainbounds.Sincesomeprogramminglanguagesdoinherentargumentbound checkingandothersdon’t,thiscaneitherbeseenasavulnerabilityintheapplication codeoravulnerabilityintheprogramminglanguage,dependingonwhichsideofthe fenceyousit.Asweshallsee,theoperatingsystemvulnerabilitywhichmakessuch attacksevenmoredangerousisthefactthatmostoperatingsystemsallowcodetobe executedfromthestack(forexample,thevalueofthefunctionpointerofthecalling routineisstoredinthestack). Tounderstandbufferoverflowsmoreclearly,considertheoldversionoftheUNIX applicationsendmail.Thisapplicationcouldbeinvokedindebugmodeusingtwoarguments.Thefirstargumentwasanindexintoanarrayandthesecondargumentwasthe valuetobewrittenintothatarrayelement.Thebugwasthattheapplicationdidnotdo anyboundcheckingoneitherofthearguments.Thismeantthatuserscould,infact, writeanything(usingthesecondargument)toanymemorylocation(usingthefirstargument)bymanipulatingtheargumentscorrectly.Notonlythis,userscouldinfactchange thecourseofprogramexecutionandexecutetheirownpieceofcode(worms,andso on)byfirstplacingthiscodeinacertainmemorylocationandthenusingsendmailto overwritethereturnfunctionpointertojumptotheirownmemorylocation. Thebest(andoftenthesimplest)protectionagainstbufferoverflowattacksisto ensurethatyourapplicationdoesnothavesuchbugs.Thiscanbedonebyusingtools likelintanddynamiccodeanalysistools. 26
SecurityandCryptography TOCTTOU:Theseattacksexploitthefactthatthereisafinitetimefromtime-ofchecktotime-of-use.Anexamplewouldmakethingsclearer.UNIXstoresuser passwords(orrathertheirhasheswithsalt)in/etc/pwdfile.Whenuserswanttoupdatetheirpasswords,UNIXdoesthefollowing:
1. Pickarandomfilename,say,rand123.txt
2. Checkifrand123.txtexistsin/tmp.Ifyes,goto1
3. Ifnot,open/tmp/rand123.txt.
4. Copycontentsof/etc/pwdtorand123.txt
5. Addnewentry.
6. Copyrand123.txtto/etc/pwd.
ThevulnerabilitythatTOCTTOUexploitsisthatthesystemcallrequiredforstep2 (checking)isseparatefromthesystemcallrequiredforstep3(opening)andtherefore thereisafinitetimebetweenthesetwosteps.Tounderstandhowtheattackexploits this,letusassumethattheattackercanguesstherandomfilenamethesystemgenerates(thisisnotastoughasitsoundssincethe“random”filenameusesthecurrent timestampasaseedfortherandomnumbergenerator).Now,whatahackerneeds todoiscreateafakepasswordfilewiththisrandomnameandcopythisfileintothe /tmpdirectorybetweensteps2and3.Iftheattackercandothis,theyhavesuccessfullyreplacedtherealpasswordfilewiththeirownversionofthepasswordfile. 1.7.4Steganography Aswehaveseen,cryptographyisusedtosatisfymostoftherequirementsofsecure communicationstoday.However,therearecertainaspectsofsecuritythatcryptographycan’tprotectagainst;forexample,cryptographycan“hide”theinformation contentofthemessagebutitcannothidethefactthatamessagewasinfactsent. Toachievethis,weneedtousesteganography.Steganographyinvolvesembedding amessageinsideanothermessage;forexample,wemayhideatextmessagewithin anothertextmessagesuchthatthehiddenmessagecanonlyberevealedbyXORing thesentmessagewithasecretbitmap.Recentusesofsteganographyinvolvehiding messagesinsideaJPEGimagebyexploitingthefactthatinJPEG,changingthelower bitsinapixelrepresentationdoesnotchangetheappearanceoftheimageenoughto bedetectablebyhumaneyes.
27
Chapter1
1.8Conclusion Inthischapter,wesawwhatnetworksecuritymeansandhowcryptographyforms thebasisoftheprotectionmechanismswecanusetoprovidethissecurity.The nextchapterwilllookathowcryptographicprotocolsareusedinnetworkstodayto providesecurity.
28
C H APTER 2
NetworkSecurityProtocols 2.1Introduction InChapter1,welookedathowcryptographyformsthebasisofnetworksecurity.The threeimportantaspectsofnetworksecurityareauthentication,encryptionandmessage integrity.Cryptographyprovidesamechanismtoachieveeachoftheseobjectives. Theconceptof“keys”iscentraltotheideaofcryptography.Therearetwoimportant conceptsrelatedtokeys:keygenerationandkeydistribution.Theformerrefersto howkeysaregeneratedandcreated,whereasthelatterreferstohowausernodein anetworkfindsoutthekey(s)usedtotalksecurelytootherusersornodes.Theterm keyestablishmentisalittlevaguesinceitsexactmeaningdependsonthecontextin whichitisused.Welookatkey-relatednetworksecurityprotocolsinSection2.2. TheninSection2.3,welookatnetworkauthenticationapproachesandprotocols.The approachtakeninboththesesectionsistostudynotonlythestandardizedprotocols inusetodaybuttoalsolookatabuild-uptotheseprotocolstounderstandtheintricaciesinauthenticationandkey-establishmentprocess.Sections2.4and2.5studysome ofthemostcommonencryptionandintegrityprotocolsinusetoday.
2.2KeyEstablishmentProtocols ForSymmetricKeyCryptography(SKC),thetermkeyestablishmentcanbeclearly brokendownintotwocomponents:Keygenerationandkeydistribution.ForPublic KeyCryptography(PKC),however,thetermkeyestablishmentisalittlemorecomplicated.Inthecaseoftwouserscommunicatingwitheachotheroveranunsecure channel,theuseofPKCkeyestablishmentprotocolsresultsinbothusersestablishingthepublic-privatekeypair.Specifically,whenthePKCestablishmentprotocol ends,eachuserhasaprivatekey(knownonlytothemselves)whichhasneverbeen transmittedontothemediumandapublickey(knowntotheotherendaswell)which, evenifavailabletoaneavesdropperdoesnotcompromisethesecurityofthesystem. However,aswewillseeinSection2.2.3,thisapproachissusceptibleto“man-in-themiddle”attacks.Toprotectagainstsuchattacks,wehavetoinvolveanotherlayerof 29
Chapter2 keydistributioninPKC.Don’tworryifit’salittleconfusingrightnow.Thingswill becomemuchcleareraswemoveon. 2.2.1KeyGenerationinSKC InSKC,keygenerationisrelativelysimple.TheonlyrequirementofaSKCkeyis thatitberandom1andlongenoughtodeterabruteforceattack.Henceanyrandom stringornumbercanbeusedasakey,aslongasbothcommunicatingusersandonly bothcommunicatingusersknowthekey. 2.2.2KeyDistributioninSKC Forunderstandingtheproblemofkeydistribution,recallthatinSKCnetworksecurityisachievedbyensuringthatthecommunicatingusersandonlythecommunicating usersknowthesharedsecret(key).Now,consideranetworkwithnnodeswhere eachnodemaywishtotalksecurelytoeveryothernode.Howmanykeyswouldthis require?Ifyouaremathlovers,youwillimmediatelyrealizethattheanswerisnC2. Fortherestofus,seethetablebelowtoappreciatethescaleofkeygrowth: NumberofusersintheNetwork NumberofKeysRequired(SKC) 2 1 3 3 4 6 . . . . 50 1,225 . . . . 250 31,125 . . . . N {N*(N-1)}/2
SincethenumberofkeysrequiredgrowsasO(n2),wherenisthenumberofusersin thenetwork,wehaveascalingproblem.Agrowthinthenumberofkeyswhichneed tobekeptsecretmakesadministrationmoreandmoredifficult.Why?Becauseeach nodeinthenetworkneedstobeconfiguredtostorethekeysofalltheothernodesit wishestocommunicatewith.Howdoweconfiguresomanykeysateachnode?One approachistorequiremanualconfigurationofallkeysintoeachnodeinthenetwork.However,thisapproachdoesnotscalewelleither.Also,itishighlysusceptible
1
Pseudorandom,tobeprecise.
30
NetworkSecurityProtocols tohumanerror.Whatisneededisascaleableprocesswherehumaninterventionis minimized.Inotherwords,wewantthenetworktobeabletoobtainkeyswithout requiringhumanintervention.Buthowdowedistributethekeysecurelyifthenetworkisnotsecuretostartcommunicatinginthefirstplace? Thisisatypicalchickenandeggsituation2whichischaracteristicofSKC.SKCrelies onapresharedsecretbetweenthecommunicationpartiestosecurecommunication betweenthem.Itdoesnotsayhowtoestablishthe“preshared”secret.Undoubtedly, thisisatoughproblem,sincewecannottrustthenetwork.3 Tosolvethesetwoproblems,mostSKCimplementationsuseaKeyDistributionCenter(KDC).TheKDCisacentralizedtrustedthirdpartywhichstoreskeysforallthen nodesinthenetwork.Inotherwords,eachnodeinthesystemisconfiguredwithonly onekey—itsown.However,thiskeyisalsostoredattheKDC.Thismakeskeyadministrationmucheasier.4 Now,consideranetworkofnnodeswhereAlicewantstotalktoBobsecurely.To dothis,AlicefirstestablishesasecuresessionwithKDCusingherownkey5and requeststheKDCtogenerateasessionkeyforhersessionwithBob.Ongettingthis message,KDCestablishesasecuresessionwithBob(usingBob’skey)andthen sendsthesamesessionkeytobothAliceandBob.AliceandBobnowusethissession keytoestablishasecuresession.TheobviousdrawbackoftheschemeisthatcentralizationofallinformationattheKDCcreatesaperformancebottleneckandasingle pointoffailureorsecuritycompromise. 2.2.3KeyEstablishmentinPKC RecallthatfortwopartiestocommunicatesecurelyusingPKC,weneedtwokeys insteadofthesinglekeyrequiredinSKC.Thetwokeysarecomprisedofthepublic key(availabletoanyone)andtheprivatekey(knownonlytotheuser).Thesecurity ofthesystemliesinkeepingtheprivatekeysecret.Oneofthebasicrequirementsfor the“public-key,private-key”pairinPKCisthatthekeysbecomplementary;inother wordsamessageencryptedwithoneofthekeysshouldbedecryptableonlywiththe correspondingkeyinthepair.WelookatkeygenerationprotocolsforPKCinthe nextfewsections. 2
Oraneggandachickensituation? …otherwisewewouldn’tbeusingcryptographytosecureourcommunication. 4 Asaruleofthumb,simplersystemsaremoresecuresincetheyreducetheprobabilityoferror(humanand otherwise). 5 ThisispossiblesinceAliceknowsherownkeyandtheKDCknowsthekeysofallusersinthenetwork. 3
31
Chapter2 Inthissection,welookatkeydistributionprotocolsforPKC.Onthefaceofit, thismightseemlikeatrivialproblem.Oncewehaveestablishedthe“public-key, private-key”pairsecurelyoveranunsecuremedium,keydistributioncanbean“askbefore-use”algorithm.6SuchanapproachwouldrequirethatwhenBobwantsto startcommunicatingwithAlice,BobsimplyasksAliceforherpublickeyandAlice sendsherpublickeytoBob.Anotherapproachcouldbetohaveeachuserbroadcast herpublickey,whichmakesherpublickeyavailabletoallnodesinthenetwork. Sincemakingthepublickey“public”doesnotresultinasecuritycompromise,7this approachshouldnotresultincompromisingthesecurityofthesystem.Unfortunately, thisisnottrue.Section2.2.4showswhythisisso,andSection2.2.5showshowto solvetheproblemusingatrustedthirdparty. ThetrustedthirdpartyinPKCistheCertificateAuthority(CA),whoseroleisbest understoodbyanexample.SupposeBobwantstotalktoAliceusingPKC.Tofind outAlice’spublickey,BobshouldasktheCAforAlice’spublickey.WhentheCA receivesBob’srequestforAlice’spublickey,theCArespondsbackwithacertificate. ThiscertificateisbasicallyoftheformEKiCA{Alice’spublickeyisKwa}.Inother words,theCAsendsthemessage“Alice’spublickeyisKwa”encryptedwithitsown privatekey.WhenBobreceivesthismessage,itusestheCA’spublickey(KwCA)to “decrypt”thecertificateandobtainAlice’spublickey.SincetheCA’sprivatekey isknownonlytotheCA,noonecanforgethecertificateandclaimanotherkeyas Alice’spublickey. UsingthecertificateauthorityforkeydistributioninPKCmeansthatBobcangetany otheruser’s(node’s)publickeysecurely8aslongashehastheCA’spublickeyandas longashetruststheCA.Thismeansthattheman-in-the-middleattackisnolongera threattothesystem,butthisalsomeansthateachnodeinthesystemalreadyknows thepublickeyoftheCA.ThiscanbeachievedbyconfiguringeachuserwiththepublickeyoftheCA,orbypublishingtheCA’spublickeyina“well-known”medium. Notethatpublishingonepublickeyismucheasierthanhavingeachuserpublishher publickey. EventhoughCAssufferfromsomeofthesamedrawbacksasaKDC(singlepointof failureandcompromise),theyoffersomeadvantagesoverKDC.First,theCAisnot aperformancebottlenecksinceitisnotactivelyinvolvedinusersessions.Second,the
6
SimilartotheSKC-basedkeydistributionscheme. OneofthebasictenetsofPKCisthatthesecurityofthesystemshouldlieintheprivatekeyandnotthepublickey. 8 Andthusavoidaman-in-the-middleattack. 7
32
NetworkSecurityProtocols informationstoredattheCA(thecertificates)isnotsensitiveinthateveniftheCAis compromised,thesecurityofthesystemisnotcompromised.9 2.2.4Diffie-HellmanKeyExchange TheDiffie-Hellmankeyexchangealgorithmisbasedontheeaseofdoingexponentiationandthedifficultyofdoingdiscretelogarithms(thereverseoperation).Even thoughitcannotbeusedforencryptingmessagesorforsigningmessages,itallows AliceandBobtoestablishasharedsecretkeysecurelyoveranunsecuremedium. Figure2.1showshowtheDiffie-Hellmanalgorithmworks. Select g, n, x Sx = gx mod n
Sx, g, n
Select y Sy = gy mod n Sy Calculate SharedKey = (Sy)x
Calculate SharedKey = (Sx)y
Figure2.1:Diffie-Hellman
Theprotocolisbeautifulinitssimplicity.Itconsistsofonlytwomessageexchanges. First,Aliceselectsalargeprimenumbern,ageneratorgandarandomnumberxand calculatesSx=gxmodn.Asthefirstmessage,Alicesendsg,nandSxtoBob.When Bobreceivesthismessage,hegeneratesarandomnumberyandcalculatesSy=gy modnandsendsittoAliceasthesecondmessage.Atthistime,bothAliceandBob cancalculateSxy=gxymodneasily.Alicecancalculate(Sy)xmodnandBobcancalculate(Sx)ymodn.Bothevaluatetothesamenumbergxymodn(calledSxy)andthisis thesharedsecret. Theonlysecretnumbersintheprotocolarexandy.OnlyAliceknowsxandonlyBob knowsy.Noeffortismadetokeepg,n,SxorSysecret.Let’ssupposeEvecapturedthe 9
ThesystemissecureaslongastheattackdoesnotcompromisetheCA’sprivatekeyallowingEvetoissue invalidcertificates.
33
Chapter2 twomessagesexchangedbetweenAliceandBob.Thismeansshehasaccesstog,n, Sx(gxmodn)andSy(gymodn).However,EvestillcannotcalculateSxy(gxymodn) sinceitishardtofindxgivenSx(gxmodn)ortofindygivenSy(gymodn)using discretelogs. EventhoughtheDiffie-Hellmanalgorithmisbeautifulinitssimplicity,ithasitsown loopholes.Onemajorloopholeisthatitissusceptibletoaman-in-the-middleattack asshowninFigure2.2. Alice
Eve
Bob
g, n, Sx g, n, S'x
Sv S'v
Figure2.2:Man-in-theMiddleAttackAgainstDiffie-Hellman
Inthisattack,EvecapturesthefirstmessagethatAlicesendstoBob,notesdown g,n,SxandmodifiesthemessagebeingsenttoBobsoastoreplaceSx(gxmodn) withS’x(gkmodn)wherekisasecretnumberknownonlytoEve.Similarly,when BobsendsthesecondmessagecontainingSytoAlice,EvereplacesSy(gymodn)with S'y(gpmodn)wherepisasecretnumberknownonlytoEve. Atthispoint,AliceandEvehaveasharedsecretof(gxpmodn)andBobandEve haveasharedsecretof(gkymodn).TheonlyproblemisAliceandBobthinktheyare talkingtoeachotherwhereasinrealitytheyarebothtalkingtoEve.Thisisadangerousattack,sinceEvemaynowactasarelaybetweenAliceandBob,thusactingas atransparenteavesdropperbetweenthem.Hemayactuallyhijackthetwosessions completely,carryingoutindependentconversationswithAliceandBobwhereneither AlicenorBobisawarethatthesessionhasbeenhijacked. Theman-in-the-middleattackworksagainsttheDiffie-Hellman(DH)protocolsince thereisnoinherentauthenticationmechanismintheprotocolandthereforenoway forAliceandBobtoverifythattheyareinfacttalkingtoeachother.Tosolvethis problemisthetopicofthenextsection.
34
NetworkSecurityProtocols 2.2.5EnhancedDiffie-HellmanKeyExchange Theman-in-the-middleattackloopholeinDHprotocolstemsfromthefactthatAlice hastoinformBobofSxoveranunsecuremediumandBobhastoinformAliceofSy overanunsecuremedium.Additionally,sincegandnarealsotransmittedoverthe unsecuremedium,itistrivialforEvetogenerateafakeSxandaSy. ToprotectDHagainstman-in-themiddleattacks,weexploitthePublicKey Infrastructure(PKI)describedinSection2.2.3.ThePKIreliesonasingletrusted party—thecertificateauthority—whichsignsthepublickeyofauserwithitsown privatekeytocreatetheuser’scertificate. FortheDiffie-Hellmankeyexchange,ifgandnarefixeditisknownasstaticDiffieHellmanandtheCAcreatesacertificateoftheformEKiCA{gxmodn,Alice}for AliceandEKiCA{gymodn,Bob}forBob.Ontheotherhand,ifgandnareephemeral (tobeestablisheddynamically),itisdynamicDiffie-HellmanandtheCAcreatesa certificateoftheformEKiCA{g,n,gxmodn,Alice}forAliceandEKiCA{g,n,gymodn, Bob}forBob. Now,Aliceknowsherprivatekeyx,getsBob’scertificate,derivesBob’spublickey Sy(=gymodn)fromBob’scertificateandcalculatesthesharedsecretas(Sy)x.SimilarlyBobcalculatesthesharedsecretas(Sx)y. Inthisnewscheme,thevulnerabilityagainstman-in-the-middleattackisnolonger presentsinceEve(evenifheknowsgandn)cannolongerfoolBobintobelieving thatA’spublickeyis(gkmodn)andnot(gxmodn)sincepublickeysmustnowbe signedbytheCA’sprivatekey. 2.2.6RSA TheDHpublickeyalgorithmdescribedaboveistheoldestkeyestablishmentprotocolstillinusetoday.Anotherimportant(andmorerecent)keyestablishmentprotocol istheRivest-Shamir-Adleman(RSA)protocol,whichisbasedonthedifficultyof factoringtheproductoftwolargeprimes.However,RSAisamuchmoregeneric (powerful)protocolthanDHinthatitcanbeusedforencryptionandintegrity(digital signatures)also. Toputthingsinperspective,realizethattheDHprotocolwentfarenoughtoestablishasharedsecretsecurelybetweentwopartiescommunicatingoveranunsecure medium.Thoughthisisundoubtedlyagreatachievement,theDHprotocolsaysnothingabouthowtousethissharedsecretforencryptionorintegrity.
35
Chapter2 InRSA,togenerateaprivate-key,public-keypair,Aliceselectstwolargeprime numberspandqandcalculatesnastheproductofpandq.Alicealsocalculates phi(n)10as(p–1)*(q–1).Next,togeneratethepublickey,Alicechoosesanumber esuchthateisrelativelyprimetophi(n).Then,thepublickeyisdefinedasthepair andtheprivatekeyisdefinedasthepairwheredisthemultiplicative inverseofemodphi(n). Theprocessdescribedsofarmaysoundtrivialtoimplementbutisreallynot.The securityofthesystemliesintheprimenumberspandq;thelargertheseprimes,the moresecurethesystem.Commercialimplementationstypicallyuse256-bitpandq. However,itisnoteasytogeneratesuchlargeprimes.Infact,itissodifficulttofind largeprimenumbersthatmostimplementationsofRSAuseprobable-primes,which aredefinedasnumberswhichare“probablyprime.”ThesenumbersaretypicallygeneratedusingFermat’sLittleTheorem.11 Figure2.3showshowRSAisusedforencryption.WhenAlicewantstoprotectthe messagethatBobissendingtoher,shecalculatesRSAkeysasdescribedaboveand sendsherpublickeytoBob.BobbreaksupthemessagehewantstosendtoAlice intoblocks.Thesizeofeachblockmustbelessthanthesizeofthekeylength.12Bob thenencryptseachplaintextblock(let’scallitm)toobtaintheciphertextblock(let’s Alice
Bob
Choose p, q. n = px q. Choose e. Calculate d. Public key Private key
c = mc mod n
m = cd mod n
Figure2.3:RSA 10
Inmodulararithmetic,phi(k)isdefinedasthenumberofelementslessthankwhicharerelativelyprimeto kmodulok.Foraprimek,itcanbeshownthatphi(k)=k–1.Also,itcanbeshownthatphi(a*b)=phi(a)* phi(b)=(a–1)*(b–1). 11 Fermat’slittletheoremstatesthatifpisaprimenumber,andxisanumbersuchthat0