Đang tải... (xem toàn văn)
(BQ) In this age of universal electronic connectivity, viruses and hackers, electronic eavesdropping, and electronic fraud, security is paramount. This text provides a practical survey of both the principles and practice of cryptography and network security. The book is divided into 2 parts, part 2 from chapter 16 to chapter 23.
PART 5: NETWORK AND INTERNET SECURITY CHAPTER TRANSPORT-LEVEL SECURITY 16.1 Web Security Considerations Web Security Threats Web Traffic Security Approaches 16.2 Secure Socket Layer and Transport Layer Security SSL Architecture SSL Record Protocol Change Cipher Spec Protocol Alert Protocol Handshake Protocol Cryptographic Computations 16.3 Transport Layer Security Version Number Message Authentication Code Pseudorandom Function Alert Codes Cipher Suites Client Certificate Types Certificate_Verify and Finished Messages Cryptographic Computations Padding 16.4 HTTPS Connection Initiation Connection Closure 16.5 Secure Shell (SSH) Transport Layer Protocol User Authentication Protocol Connection Protocol 16.6 Recommended Reading and Web Sites 16.7 Key Terms, Review Questions, and Problems 485 486 CHAPTER 16 / TRANSPORT-LEVEL SECURITY Use your mentality Wake up to reality —From the song, “I’ve Got You Under My Skin” by Cole Porter KEY POINTS ◆ ◆ ◆ ◆ ◆ Secure Socket Layer (SSL) provides security services between TCP and applications that use TCP The Internet standard version is called Transport Layer Service (TLS) SSL/TLS provides confidentiality using symmetric encryption and message integrity using a message authentication code SSL/TLS includes protocol mechanisms to enable two TCP users to determine the security mechanisms and services they will use HTTPS (HTTP over SSL) refers to the combination of HTTP and SSL to implement secure communication between a Web browser and a Web server Secure Shell (SSH) provides secure remote logon and other secure client/server facilities Virtually all businesses, most government agencies, and many individuals now have Web sites The number of individuals and companies with Internet access is expanding rapidly and all of these have graphical Web browsers As a result, businesses are enthusiastic about setting up facilities on the Web for electronic commerce But the reality is that the Internet and the Web are extremely vulnerable to compromises of various sorts As businesses wake up to this reality, the demand for secure Web services grows The topic of Web security is a broad one and can easily fill a book In this chapter, we begin with a discussion of the general requirements for Web security and then focus on three standardized schemes that are becoming increasingly important as part of Web commerce and that focus on security at the transport layer: SSL/TLS, HTTPS, and SSH 16.1 WEB SECURITY CONSIDERATIONS The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets As such, the security tools and approaches discussed so far in this book are relevant to the issue of Web security But, as pointed out in [GARF02], the Web presents new challenges not generally appreciated in the context of computer and network security • The Internet is two-way Unlike traditional publishing environments—even electronic publishing systems involving teletext, voice response, or fax-back— the Web is vulnerable to attacks on the Web servers over the Internet 16.1 / WEB SECURITY CONSIDERATIONS 487 • The Web is increasingly serving as a highly visible outlet for corporate and product information and as the platform for business transactions Reputations can be damaged and money can be lost if the Web servers are subverted • Although Web browsers are very easy to use, Web servers are relatively easy to configure and manage, and Web content is increasingly easy to develop, the underlying software is extraordinarily complex This complex software may hide many potential security flaws The short history of the Web is filled with examples of new and upgraded systems, properly installed, that are vulnerable to a variety of security attacks • A Web server can be exploited as a launching pad into the corporation’s or agency’s entire computer complex Once the Web server is subverted, an attacker may be able to gain access to data and systems not part of the Web itself but connected to the server at the local site • Casual and untrained (in security matters) users are common clients for Web-based services Such users are not necessarily aware of the security risks that exist and not have the tools or knowledge to take effective countermeasures Web Security Threats Table 16.1 provides a summary of the types of security threats faced when using the Web One way to group these threats is in terms of passive and active attacks Passive attacks include eavesdropping on network traffic between browser and server and gaining access to information on a Web site that is supposed to be restricted Active attacks include impersonating another user, altering messages in transit between client and server, and altering information on a Web site Another way to classify Web security threats is in terms of the location of the threat: Web server, Web browser, and network traffic between browser and server Issues of server and browser security fall into the category of computer system security; Part Four of this book addresses the issue of system security in general but is also applicable to Web system security Issues of traffic security fall into the category of network security and are addressed in this chapter Web Traffic Security Approaches A number of approaches to providing Web security are possible The various approaches that have been considered are similar in the services they provide and, to some extent, in the mechanisms that they use, but they differ with respect to their scope of applicability and their relative location within the TCP/IP protocol stack Figure 16.1 illustrates this difference One way to provide Web security is to use IP security (IPsec) (Figure 16.1a) The advantage of using IPsec is that it is transparent to end users and applications and provides a general-purpose solution Furthermore, IPsec includes a filtering capability so that only selected traffic need incur the overhead of IPsec processing Another relatively general-purpose solution is to implement security just above TCP (Figure 16.1b) The foremost example of this approach is the Secure 488 CHAPTER 16 / TRANSPORT-LEVEL SECURITY Table 16.1 A Comparison of Threats on the Web Threats Integrity Consequences • Modification of user data • Loss of information • Trojan horse browser • Compromise of machine • Modification of memory • Vulnerabilty to all other threats • Modification of message traffic in transit Confidentiality • Eavesdropping on the net • Loss of information • Theft of info from server • Loss of privacy Countermeasures Cryptographic checksums Encryption, Web proxies • Theft of data from client • Info about network configuration • Info about which client talks to server Denial of Service • Killing of user threads • Disruptive • Flooding machine with bogus requests • Annoying • Filling up disk or memory Difficult to prevent • Prevent user from getting work done • Isolating machine by DNS attacks Authentication • Impersonation of legitimate users • Data forgery Cryptographic techniques • Misrepresentation of user • Belief that false information is valid Sockets Layer (SSL) and the follow-on Internet standard known as Transport Layer Security (TLS) At this level, there are two implementation choices For full generality, SSL (or TLS) could be provided as part of the underlying protocol suite and therefore be transparent to applications Alternatively, SSL can be embedded in specific packages For example, Netscape and Microsoft Explorer browsers come equipped with SSL, and most Web servers have implemented the protocol Application-specific security services are embedded within the particular application Figure 16.1c shows examples of this architecture The advantage of this approach is that the service can be tailored to the specific needs of a given application HTTP HTTP FTP SMTP FTP SMTP S/MIME SSL or TLS Kerberos TCP TCP UDP IP/IPSec IP (a) Network level (b) Transport level SMTP HTTP TCP IP (c) Application level Figure 16.1 Relative Location of Security Facilities in the TCP/IP Protocol Stack 16.2 / SECURE SOCKET LAYER AND TRANSPORT LAYER SECURITY 489 16.2 SECURE SOCKET LAYER AND TRANSPORT LAYER SECURITY Netscape originated SSL Version of the protocol was designed with public review and input from industry and was published as an Internet draft document Subsequently, when a consensus was reached to submit the protocol for Internet standardization, the TLS working group was formed within IETF to develop a common standard This first published version of TLS can be viewed as essentially an SSLv3.1 and is very close to and backward compatible with SSLv3 This section is devoted to a discussion of SSLv3 In the next section, the principal differences between SSLv3 and TLS are described SSL Architecture SSL is designed to make use of TCP to provide a reliable end-to-end secure service SSL is not a single protocol but rather two layers of protocols, as illustrated in Figure 16.2 The SSL Record Protocol provides basic security services to various higherlayer protocols In particular, the Hypertext Transfer Protocol (HTTP), which provides the transfer service for Web client/server interaction, can operate on top of SSL Three higher-layer protocols are defined as part of SSL: the Handshake Protocol, The Change Cipher Spec Protocol, and the Alert Protocol These SSL-specific protocols are used in the management of SSL exchanges and are examined later in this section Two important SSL concepts are the SSL session and the SSL connection, which are defined in the specification as follows • Connection: A connection is a transport (in the OSI layering model definition) that provides a suitable type of service For SSL, such connections are peer-to-peer relationships The connections are transient Every connection is associated with one session • Session: An SSL session is an association between a client and a server Sessions are created by the Handshake Protocol Sessions define a set of cryptographic SSL Handshake Protocol SSL Change Cipher Spec Protocol SSL Alert Protocol SSL Record Protocol TCP IP Figure 16.2 SSL Protocol Stack HTTP 490 CHAPTER 16 / TRANSPORT-LEVEL SECURITY security parameters which can be shared among multiple connections Sessions are used to avoid the expensive negotiation of new security parameters for each connection Between any pair of parties (applications such as HTTP on client and server), there may be multiple secure connections In theory, there may also be multiple simultaneous sessions between parties, but this feature is not used in practice There are a number of states associated with each session Once a session is established, there is a current operating state for both read and write (i.e., receive and send) In addition, during the Handshake Protocol, pending read and write states are created Upon successful conclusion of the Handshake Protocol, the pending states become the current states A session state is defined by the following parameters • Session identifier: An arbitrary byte sequence chosen by the server to identify an active or resumable session state • Peer certificate: An X509.v3 certificate of the peer This element of the state may be null • Compression method: The algorithm used to compress data prior to encryption • Cipher spec: Specifies the bulk data encryption algorithm (such as null, AES, etc.) and a hash algorithm (such as MD5 or SHA-1) used for MAC calculation It also defines cryptographic attributes such as the hash_size • Master secret: 48-byte secret shared between the client and server • Is resumable: A flag indicating whether the session can be used to initiate new connections A connection state is defined by the following parameters • Server and client random: Byte sequences that are chosen by the server and client for each connection • Server write MAC secret: The secret key used in MAC operations on data sent by the server • Client write MAC secret: The secret key used in MAC operations on data sent by the client • Server write key: The secret encryption key for data encrypted by the server and decrypted by the client • Client write key: The symmetric encryption key for data encrypted by the client and decrypted by the server • Initialization vectors: When a block cipher in CBC mode is used, an initialization vector (IV) is maintained for each key This field is first initialized by the SSL Handshake Protocol Thereafter, the final ciphertext block from each record is preserved for use as the IV with the following record • Sequence numbers: Each party maintains separate sequence numbers for transmitted and received messages for each connection When a party sends or receives a change cipher spec message, the appropriate sequence number is set to zero Sequence numbers may not exceed 264 – 16.2 / SECURE SOCKET LAYER AND TRANSPORT LAYER SECURITY 491 SSL Record Protocol The SSL Record Protocol provides two services for SSL connections: • Confidentiality: The Handshake Protocol defines a shared secret key that is used for conventional encryption of SSL payloads • Message Integrity: The Handshake Protocol also defines a shared secret key that is used to form a message authentication code (MAC) Figure 16.3 indicates the overall operation of the SSL Record Protocol The Record Protocol takes an application message to be transmitted, fragments the data into manageable blocks, optionally compresses the data, applies a MAC, encrypts, adds a header, and transmits the resulting unit in a TCP segment Received data are decrypted, verified, decompressed, and reassembled before being delivered to higher-level users The first step is fragmentation Each upper-layer message is fragmented into blocks of 14 bytes (16384 bytes) or less Next, compression is optionally applied Compression must be lossless and may not increase the content length by more than 1024 bytes.1In SSLv3 (as well as the current version of TLS), no compression algorithm is specified, so the default compression algorithm is null The next step in processing is to compute a message authentication code over the compressed data For this purpose, a shared secret key is used The calculation is defined as Application data Fragment Compress Add MAC Encrypt Append SSL record header Figure 16.3 SSL Record Protocol Operation Of course, one hopes that compression shrinks rather than expands the data However, for very short blocks, it is possible, because of formatting conventions, that the compression algorithm will actually provide output that is longer than the input 492 CHAPTER 16 / TRANSPORT-LEVEL SECURITY hash(MAC_write_secret || pad_2|| hash(MAC_write_secret || pad_1||seq_num || SSLCompressed.type || SSLCompressed.length || SSLCompressed.fragment)) where = concatenation = shared secret key = cryptographic hash algorithm; either MD5 or SHA-1 pad_1 = the byte 0x36 (0011 0110) repeated 48 times (384 bits) for MD5 and 40 times (320 bits) for SHA-1 pad_2 = the byte 0x5C (0101 1100) repeated 48 times for MD5 and 40 times for SHA-1 seq_num = the sequence number for this message SSLCompressed.type = the higher-level protocol used to process this fragment SSLCompressed.length = the length of the compressed fragment SSLCompressed.fragment = the compressed fragment (if compression is not used, this is the plaintext fragment) || MAC_write_secret hash Note that this is very similar to the HMAC algorithm defined in Chapter 12 The difference is that the two pads are concatenated in SSLv3 and are XORed in HMAC The SSLv3 MAC algorithm is based on the original Internet draft for HMAC, which used concatenation The final version of HMAC (defined in RFC 2104) uses the XOR Next, the compressed message plus the MAC are encrypted using symmetric encryption Encryption may not increase the content length by more than 1024 bytes, so that the total length may not exceed 214 + 2048 The following encryption algorithms are permitted: Block Cipher Algorithm AES IDEA RC2-40 DES-40 DES 3DES Fortezza Stream Cipher Key Size Algorithm Key Size 128, 256 128 40 40 56 168 80 RC4-40 RC4-128 40 128 Fortezza can be used in a smart card encryption scheme For stream encryption, the compressed message plus the MAC are encrypted Note that the MAC is computed before encryption takes place and that the MAC is then encrypted along with the plaintext or compressed plaintext For block encryption, padding may be added after the MAC prior to encryption The padding is in the form of a number of padding bytes followed by a one-byte 16.2 / SECURE SOCKET LAYER AND TRANSPORT LAYER SECURITY 493 indication of the length of the padding The total amount of padding is the smallest amount such that the total size of the data to be encrypted (plaintext plus MAC plus padding) is a multiple of the cipher’s block length An example is a plaintext (or compressed text if compression is used) of 58 bytes, with a MAC of 20 bytes (using SHA-1), that is encrypted using a block length of bytes (e.g., DES) With the padding-length byte, this yields a total of 79 bytes To make the total an integer multiple of 8, one byte of padding is added The final step of SSL Record Protocol processing is to prepare a header consisting of the following fields: • Content Type (8 bits): The higher-layer protocol used to process the enclosed fragment • Major Version (8 bits): Indicates major version of SSL in use For SSLv3, the value is • Minor Version (8 bits): Indicates minor version in use For SSLv3, the value is • Compressed Length (16 bits): The length in bytes of the plaintext fragment (or compressed fragment if compression is used) The maximum value is 214 +2048 The content types that have been defined are change_cipher_spec, alert, handshake, and application_data The first three are the SSL-specific protocols, discussed next Note that no distinction is made among the various applications (e.g., HTTP) that might use SSL; the content of the data created by such applications is opaque to SSL Figure 16.4 illustrates the SSL record format Change Cipher Spec Protocol The Change Cipher Spec Protocol is one of the three SSL-specific protocols that use the SSL Record Protocol, and it is the simplest This protocol consists of a single message (Figure 16.5a), which consists of a single byte with the value The sole purpose of this message is to cause the pending state to be copied into the current state, which updates the cipher suite to be used on this connection Encrypted Content Major type version Minor version Compressed length Plaintext (optionally compressed) MAC (0, 16, or 20 bytes) Figure 16.4 SSL Record Format 494 CHAPTER 16 / TRANSPORT-LEVEL SECURITY byte byte bytes Ն bytes Type Length Content (a) Change Cipher Spec Protocol (c) Handshake Protocol byte byte Ն byte Level Alert Opaque content (b) Alert Protocol (d) Other Upper-Layer Protocol (e.g., HTTP) Figure 16.5 SSL Record Protocl Payload Alert Protocol The Alert Protocol is used to convey SSL-related alerts to the peer entity As with other applications that use SSL, alert messages are compressed and encrypted, as specified by the current state Each message in this protocol consists of two bytes (Figure 16.5b) The first byte takes the value warning (1) or fatal (2) to convey the severity of the message If the level is fatal, SSL immediately terminates the connection Other connections on the same session may continue, but no new connections on this session may be established The second byte contains a code that indicates the specific alert First, we list those alerts that are always fatal (definitions from the SSL specification): • unexpected_message: An inappropriate message was received • bad_record_mac: An incorrect MAC was received • decompression_failure: The decompression function received improper input (e.g., unable to decompress or decompress to greater than maximum allowable length) • handshake_failure: Sender was unable to negotiate an acceptable set of security parameters given the options available • illegal_parameter: A field in a handshake message was out of range or inconsistent with other fields The remaining alerts are the following • close_notify: Notifies the recipient that the sender will not send any more messages on this connection Each party is required to send a close_notify alert before closing the write side of a connection • no_certificate: May be sent in response to a certificate request if no appropriate certificate is available • bad_certificate: A received certificate was corrupt (e.g., contained a signature that did not verify) • unsupported_certificate: The type of the received certificate is not supported • certificate_revoked: A certificate has been revoked by its signer • certificate_expired: A certificate has expired C.8 / NUMBER THEORY 8.7 8.8 8.9 8.10 C-17 positive integer f such Yf K X mod P Your function should return a tuple (rngstate, f) where rngstate, is a valid rng state like the function from part (b) returns f Generalize your attack function from part (d) to work given a block of output, with the Y and f values you generated in part (e) g How would you modify this RNG to overcome this problem? The example version of the Chinese Remainder Theorem has several inefficiencies Observe that in the Chinese Remainder Theorem the first step is to initialize the M array, where the value of M[i] is the product of all the moduli except moduli[i] This is performed at the beginning of every function call, which is somewhat inefficient, because it could just be done once, for a single set of moduli Furthermore, the output of this function is larger than it needs to be, indeed, it need be no larger than the product of all the moduli In this question, not merely call built in Sage functions a Write a function to pre-compute the M array, it should also compute the product of all the moduli b Write a version of the CRT function that takes the precomputed M array and a list of residues Make sure that the output of this function is no larger than it needs to be The purpose of this question is to become more familiar with the Chinese Remainder Theorem functionality in Sage Use Sage to compute the following questions about the CRT a Find a number that reduces to and modulo 10 and 17, respectively b Find a number that reduces to 17, 89, 77, 65, and 100 modulo 23, 199, 503, 647, and 593, respectively c Find a number that reduces to 98189, 78089, and 13418 mod 519787, 722299 and 166169, respectively d Compute the CRT basis of the moduli 100, 501, 999 e Find three numbers that reduce mod the moduli 49, 99, 1003, and 33191 to i) 1,2,3,4 ii) 2,3,5,7 iii) 101, 99, 102, 98 f Use Sage to compute an integer that is relatively prime to through modulo the first primes, respectively The purpose of this question is to become more familiar with the Sage functionality for modular exponentiation Use Sage to compute: a 123¿456 mod 789 b 100¿797 mod 797 c 15¿30 mod 1000 d 111¿222 mod 987654321 e 1217¿2833 mod 3836311 f Compute N, a product of two primes, both greater than 1,000,000 and then compute The purpose of this function is to show how to use the Euler totient functionality built into Sage Using the built-in functionality in Sage, compute the C-18 APPENDIX C / SAGE EXERCISES Euler totient function on the following inputs: a 781 b 10245 c 110 d Find an exponent x and one or two integers such that raising to the x power mod 547689 results in Find at least one integer such that modular exponentiation with x and this modulus does not result in e Find an exponent x and one or two integers such that raising to the x power mod 999999 results in Find at least one integer such that modular exponentiation with x and this modulus does not result in C.9 CHAPTER 9: PUBLIC-KEY CRYPTOGRAPHY AND RSA 9.1 Use Sage to answer the following questions Show all your Sage input/output: a Suppose your RSA public key factors as p = 6569 and q = 8089, and the public exponent e is 11 Suppose you were sent the Ciphertext 28901722 Perform the RSA Decryption and recover the plaintext b Suppose that you want to encrypt the number 449 and send it to someone with public key N = 37617577, and e = 529 c Suppose that you forgot your public exponent, but you know that the prime factors of your key’s modulus are 1723 and 5381 and your private exponent is 223 Find the public exponent d Use Sage to generate an RSA public/private key pair and perform an encryption and decryption 9.2 Use Sage to solve the following problems: In part (a)-(c) determine if the following signatures are good or bad: a N = 13962799 and e = value to sign = 821 and signature = 8674413 b N = 34300129 and e = 61 value to sign = 2478 and signature = 27535246 c N = 5898461 and e = 23 value to sign = 419 and signature = 2607727 d Suppose that you have an RSA modulus with prime factors p = 3181 and q = 2677 and the public exponent is 163 Calculate the signature of 521 and then verify it 9.3 The purpose of this question is to implement RSA encrypt and decrypt functions with Sage a Implement an RSA key generation function b Implement an RSA encrypt function c Implement an RSA decrypt function d Show that your functions work by simulating an RSA encrypt and decrypt with them 9.4 The purpose of this question is to implement Sage functions for creating and verifying RSA signatures For these questions you may use any answers from previous questions a Implement a Sage function that takes an integer and an RSA private key and produces an RSA signature of it C.10 / OTHER PUBLIC-KEY CRYPTOSYSTEMS C-19 b Implement a Sage function that takes an RSA signature and a hash value and determines if the signature is valid c Show your functions work by simulating a sign and verify Show at least one sign and verify and also show an example that if the hash or signature are incorrect, your verify function correctly fails (You may use the key generation function from an earlier problem.) C.10 CHAPTER 10: OTHER PUBLIC-KEY CRYPTOSYSTEMS 10.1 For all of the following questions related to Diffie-Hellman show all of your Sage input and output a Suppose that you are Bob and you have agreed on the domain parameters p = 70849 and g = Further suppose that Alice has sent the value X = 39674 Compute a secret value y and compute Y, and the shared secret b Suppose that Alice and Bob have agreed on the domain parameters p = 6779 and g = 3, further suppose that Alice chooses the secret value x = 384 and Bob chooses the secret value y = 152 Perform a simulated key exchange as in the example c Find a prime q and a prime p such that p = 2q + 1, find an element in the finite field with p elements that has multiplicative order q Perform a simulated DH Secret Exchange as in the examples 10.2 a Implement a Sage function that takes a bound and returns elements: p, q, g, and F Satisfying: p and q are prime, such that p = 2*q + 1, g is an integer with multiplicative order q in the finite field with p elements, F is a Sage field object with p elements b Implement a Sage function that takes the output from your function in part (a) and returns the pair (X, x) where X = g¿x mod p and x is greater than and less than q c Implement a Sage function that takes a public value from the other party in the DH key exchange and the secret value and returns the shared secret d Show an example key exchange with your functions from parts (a) - (c) 10.3 The purpose of this question is to use Sage to explore how solving the discrete logarithm can break DH In Sage, if a is an element of a finite field, and g generates a, then if the order of the finite field is small enough a.log(g) will return the discrete log of g with respect to a Use this functionality to solve the following problems a Suppose p = 499, g = 7, and X = 297 Find x such that X = g¿x b Suppose p = 863, g = 5, X = 543, and Y = 239 Find x and y such that X = g¿x and Y = g¿y c Suppose p = 7589, g = 2, X = 6075 and Y = 1318 Find the shared secret value 10.4 Recall the Dual DL PRNG (Problem 8.6) There is an actual crypto algorithm, called the Dual EC DL PRNG, where instead of an element in a multiplicative group mod a prime and exponentiation, we consider a point on an elliptic curve over a prime order finite field and scalar multiplication (see NIST SP-800-90, C-20 APPENDIX C / SAGE EXERCISES Recommendation for Random Number Generation Using Deterministic Random Bit Generators.) We need to define some auxiliary functions: • x(P): maps the x-coordinate of an elliptic curve point, P, to the integer the smallest positive integer that maps to x mod P • LSBm(a): returns the least significant m bits of integer a And we also denote the following values: • p: a prime, with n bits • E: an elliptic curve over a finite field with p elements, given by equation y2 = x3 + ax + b • P: a point on E, with prime order q (for maximum security q should be roughly the same size as p.) • Q: a point in the cyclic subgroup of E generated by P At the beginning of iteration i we have internal state s[i], and we define the following values: t[i] = s[i] s[i + 1] = x(t[i] P) r[i] = x(t[i] Q) o[i] = LSBn - (r[i]) Here o[i] is the output of the ith iteration block, and s[i + 1] The following diagram shows the flow for generating one block of output with this Crypto Algorithm # # # x1t[i] P2 s[i + 1]/ s[i] t[i] # x1t[i] Q2 r[i] LSBn - 81r[i]2 o[i] The following problems outline a similar problem with this algorithm as the one described in Problem 8.6 a Implement a Sage function to generate a single output block from this algorithm (Your function should take an internal state represented as a list with the following elements [E,P,Q,si], where E is a Sage Elliptic Curve object, P is a point on E, with prime order q, and Q is a point on E, generated by Q b Write a Sage function that takes an output of this PRNG (i.e., the x coordinate of a point with the top bits truncated off) and returns the possible values for R = t[i] Q that could have generated that output [Hint: try the is_x_coordinate function on Elliptic Curve objects.] c Suppose you have E defined by y ¿ = x ¿ + 2x + 4, P = (42,980956284 88211854), Q = (6396452788131036613,9671497098832291002), and you know that the P has order q = 1227273995918533091 and also Q = 99689 P Write a Sage function that takes an output from one iteration of this function and returns a list of the possible next internal states # # C.10 / OTHER PUBLIC-KEY CRYPTOSYSTEMS C-21 d Suppose you know that o[i] = 58246156843038996, and o[i + 1] = 10.5 10.6 10.7 10.8 64511473570997445, use the fact that you have two subsequent outputs to determine the possible internal states that could have generated these two outputs For all of the following questions show your Sage input/output a Compute the order of the curve defined by y2 = x3 + 7*x + 25 over the finite field with 47 elements b On the curve defined by y2 + x*y = x3 + x over GF(28) compute the inverse of the point (1,1) c On the curve defined by y2 + y = x3 + x2 + x + over the finite field with 701 elements, find a generator and show its order d On the curve defined by y2 = x3 + 4187*x + 3814 over finite field of size 6421 compute the sum of the points (3711,373) and (4376,2463) e On the elliptic curve defined by y2 = x3 + 3361*x + 6370 over finite field of size 8461 compute 1001 times the point (1735, 3464) f On the elliptic curve defined by y2 = x3 + 1800*x + 1357 over finite field of size 8191, let P1 = (1794, 1318) and P2 = (3514, 409), compute the sum of 13 times P1 plus 28 times P2 In this problem, use the domain parameters E is the elliptic curve defined by y2 = x3 + 8871*x + 7063 over the finite field with order 70177 The generator point G = (49359,30149) has order 70393 Show your Sage input/output a Suppose you are Bob and Alice has sent the point (10117, 64081) compute an integer y the point Y and the shared secret b Suppose that Alice chooses the secret value x = 2532 and Bob chooses the secret value y = 15276 c Perform a full simulated secret agreement between Alice and Bob The purpose of this question is to implement Sage functions to perform ECDH a Write a function that takes a curve, and a base point on the curve and generates the secret value x and the public value X as per ECDH b Write a function that takes a public value and a secret value and computes the shared secret c Assume that your domain parameters are: Elliptic Curve defined by y2 = x3 + 26484*x + 15456 over Finite Field of size 63709 q = 63839 G = (53819,6786) Show your functions work by simulating an ECDH key exchange Recall that for cryptographic purposes, we use curves with prime order The purpose of this question is to show why Let E be the elliptic curve defined by y2 = x3 + 7489*x + 12591 over Finite Field of size 23431 This curve has order 23304 Let the base point be (20699, 19493) a Compute 10 random multiples of this base point What you notice? b Why is this bad? (Hint: What would happen if this was Alice or Bob’s public point?) C-22 APPENDIX C / SAGE EXERCISES C.11 CHAPTER 11: CRYPTOGRAPHIC HASH FUNCTIONS 11.1 The following describes a simple hash function: Choose p, q primes and compute N = pq Choose g relatively prime to N and less than N Then a number n is hashed as follows: H = gn mod N If there is an m that hashes to the same value as n, then gm K gn mod N so gm - n K mod N which implies that m - n K mod f(N) So breaking this amounts to finding a multiple of f(N), which is the hard problem in RSA a Write a function that takes a bitlength n and generates a modulus N of bitlength n and g less than N and relatively prime to it b Show the output of your function from part (a) for a few outputs Using N, g, n as arguments write a function to perform the hashing For parts (c) - (e) compute the simple hash: c N = 600107, g = 154835, n = 239715 d N = 548155966307, g = 189830397891, n = 44344313866 e N = 604766153, g = 12075635, n = 443096843 f Write a function that creates a collision given p and q Show that your function works for a couple of examples C.12 CHAPTER 13: DIGITAL SIGNATURES 13.1 Use Sage to solve the following problems For these questions assume that we are using DSA with domain parameters: p = 7,877,914,592,603,328,881 q = 44449 g = 2,860,021,798,868,462,661 Use these domain parameters to determine if the signatures are valid in parts (a) - (c) a public key y = 3798043471854149631, hash value H = 59367, and signature (r,s) = (31019,4047) b public key y = 1829820126190370021, hash value H = 77241, and signature (r,s) = (24646,43556) c public key y = 4519088706115097514, hash value H = 48302, and signature (r,s) = (36283,32514) Perform a signing operation in parts (d)-(e) C.12 / DIGITAL SIGNATURES C-23 d private key x = 8146, hash value H = 22655 e private key x = 1548, hash value H = 32782 13.2 The purpose of this question is to implement a DSA signature verification function a Implement a function that takes domain parameters p, q, and g Also, a Hash value H (in {1, 2, Á , p - 1}), a public key y, and a signature (r,s) b Use the function you wrote in part (a) as well as the functions from the DSA examples to simulate a DSA signature and verify as in the examples This page intentionally left blank GLOSSARY In studying the Imperium, Arrakis, and the whole culture which produced Maud’Dib, many unfamiliar terms occur To increase understanding is a laudable goal, hence the definitions and explanations given below —Dune, Frank Herbert Some of the terms in this glossary are from the Internet Security Glossary[RFC 2828] These are indicated in the glossary by an asterisk asymmetric encryption A form of cryptosystem in which encryption and decryption are performed using two different keys, one of which is referred to as the public key and one of which is referred to as the private key Also known as public-key encryption authentication* The process of verifying an identity claimed by or for a system entity authenticator Additional information appended to a message to enable the receiver to verify that the message should be accepted as authentic The authenticator may be functionally independent of the content of the message itself (e.g., a nonce or a source identifier) or it may be a function of the message contents (e.g., a hash value or a cryptographic checksum) avalanche effect A characteristic of an encryption algorithm in which a small change in the plaintext or key gives rise to a large change in the ciphertext For a hash code, the avalanche effect is a characteristic in which a small change in the message gives rise to a large change in the message digest bacteria Program that consumes system resources by replicating itself birthday attack This cryptanalytic attack attempts to find two values in the domain of a function that map to the same value in its range block chaining A procedure used during symmetric block encryption that makes an output block dependent not only on the current plaintext input block and key, but also on earlier input and/or output The effect of block chaining is that two instances of the same plaintext input block will produce different ciphertext blocks, making cryptanalysis more difficult block cipher A symmetric encryption algorithm in which a block of plaintext bits (typically 64 or 128) is transformed as a whole into a ciphertext block of the same length byte A sequence of bits Also referred to as an octet cipher An algorithm for encryption and decryption A cipher replaces a piece of information (an element in plaintext) with another object with the intent to conceal meaning Typically, the replacement rule is governed by a secret key ciphertext The output of an encryption algorithm; the encrypted form of a message or data code An unvarying rule for replacing a piece of information (e.g., letter, word, phrase) with another object not necessarily of the same sort Generally, there is no intent to conceal G-1 G-2 GLOSSARY meaning Examples include the ASCII character code (each character is represented by bits) and frequency-shift keying (each binary value is represented by a particular frequency) computationally secure Secure because the time and/or cost of defeating the security are too high to be feasible confusion A cryptographic technique that seeks to make the relationship between the statistics of the ciphertext and the value of the encryption key as complex as possible This is achieved by the use of a complex scrambling algorithm that depends on the key and the input conventional encryption Symmetric encryption covert channel A communications channel that enables the transfer of information in a way unintended by the designers of the communications facility cryptanalysis The branch of cryptology dealing with the breaking of a cipher to recover information or forging encrypted information that will be accepted as authentic cryptographic checksum An authenticator that is a cryptographic function of both the data to be authenticated and a secret key Also referred to as a message authentication code (MAC) cryptography The branch of cryptology dealing with the design of algorithms for encryption and decryption, intended to ensure the secrecy and/or authenticity of messages cryptology The study of secure communications, which encompasses both cryptography and cryptanalysis decryption The translation of encrypted text or data (called ciphertext) into original text or data (called plaintext) Also called deciphering differential cryptanalysis A technique in which chosen plaintexts with particular XOR difference patterns are encrypted The difference patterns of the resulting ciphertext provide information that can be used to determine the encryption key diffusion A cryptographic technique that seeks to obscure the statistical structure of the plaintext by spreading out the influence of each individual plaintext digit over many ciphertext digits digital signature An authentication mechanism that enables the creator of a message to attach a code that acts as a signature The signature is formed by taking the hash of the message and encrypting the message with the creator’s private key The signature guarantees the source and integrity of the message digram A two-letter sequence In English and other languages, the relative frequency of various digrams in plaintext can be used in the cryptanalysis of some ciphers Also called digraph discretionary access control* An access control service that enforces a security policy based on the identity of system entities and their authorizations to access system resources This service is termed “discretionary” because an entity might have access rights that permit the entity, by its own volition, to enable another entity to access some resource GLOSSARY G-3 divisor One integer is said to be a devisor of another integer if there is no remainder on division encryption The conversion of plaintext or data into unintelligible form by means of a reversible translation, based on a translation table or algorithm Also called enciphering firewall A dedicated computer that interfaces with computers outside a network and has special security precautions built into it in order to protect sensitive files on computers within the network It is used to service outside networks connections, especially the Internet and dial-in lines greatest common divisor The greatest common divisor of two integers, a and b, is the largest positive integer that divides both a and b One integer is said to divide another integer if there is no remainder on division hash function A function that maps a variable-length data block or message into a fixedlength value called a hash code The function is designed in such a way that, when protected, it provides an authenticator to the data or message Also referred to as a message digest honeypot A decoy system designed to lure a potential attacker away from critical systems A form of intrusion detection initialization vector A random block of data that is used to begin the encryption of multiple blocks of plaintext, when a block-chaining encryption technique is used The IV serves to foil known-plaintext attacks intruder An individual who gains, or attempts to gain, unauthorized access to a computer system or to gain unauthorized privileges on that system intrusion detection system A set of automated tools designed to detect unauthorized access to a host system Kerberos The name given to Project Athena’s code authentication service key distribution center A system that is authorized to transmit temporary session keys to principals Each session key is transmitted in encrypted form using a master key that the key distribution center shares with the target principal logic bomb Logic embedded in a computer program that checks for a certain set of conditions to be present on the system When these conditions are met, it executes some function resulting in unauthorized actions mandatory access control A means of restricting access to objects based on fixed security attributes assigned to users and to files and other objects The controls are mandatory in the sense that they cannot be modified by users or their programs man-in-the-middle attack A form of active wiretapping attack in which the attacker intercepts and selectively modifies communicated data in order to masquerade as one or more of the entities involved in a communication master key A long-lasting key that is used between a key distribution center and a principal for the purpose of encoding the transmission of session keys Typically, the master keys are distributed by noncryptographic means Also referred to as a key-encrypting key G-4 GLOSSARY meet-in-the-middle attack This is a cryptanaltytic attack that attempts to find a value in each of the range and domain of the composition of two functions such that the forward mapping of one through the first function is the same as the inverse image of the other through the second function—quite literally meeting in the middle of the composed function message authentication A process used to verify the integrity of a message message authentication code (MAC) message digest Cryptographic checksum Hash function modular arithmetic A kind of integer arithmetic that reduces all numbers to one of a fixed set [0, Á ,n - 1] for some number n Any integer outside this range is reduced to one in this range by taking the remainder after division by n mode of operation A technique for enhancing the effect of a cryptographic algorithm or adapting the algorithm for an application, such as applying a block cipher to a sequence of data blocks or a data stream multilevel security A capability that enforces access control across multiple levels of classification of data multiple encryption Repeated use of an encryption function with different keys to produce a more complex mapping from plaintext to ciphertext nibble A sequence of four bits nonce An identifier or number that is used only once one-way function A function that is easily computed, but the calculation of its inverse is infeasible password* A secret data value, usually a character string, that is used as authentication information A password is usually matched with a user identifier that is explicitly presented in the authentication process, but in some cases, the identity may be implicit plaintext The input to an encryption function or the output of a decryption function primitive root If r and n are relatively prime integers with n and if f(n) is the least positive exponent m such that rm K mod n, then r is called a primitive root modulo n private key One of the two keys used in an asymmetric encryption system For secure communication, the private key should only be known to its creator pseudorandom number generator A function that deterministically produces a sequence of numbers that are apparently statistically random public key One of the two keys used in an asymmetric encryption system The public key is made public and is to be used in conjunction with a corresponding private key public-key certificate Consists of a public key plus a User ID of the key owner with the whole block signed by a trusted third party Typically, the third party is a certificate authority (CA) that is trusted by the user community, such as a government agency or a financial institution public-key encryption Asymmetric encryption GLOSSARY G-5 public-key infrastructure (PKI) The set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates based on asymmetric cryptography relatively prime Two numbers are relatively prime if they have no prime factors in common; that is, their only common divisor is replay attacks An attack in which a service already authorized and completed is forged by another “duplicate request” in an attempt to repeat authorized commands residue When the integer a is divided by the integer n, the remainder r is referred to as the residue Equivalently, r = a mod n residue class All the integers that have the same remainder when divided by n form a residue class (mod n) Thus, for a given remainder r, the residue class (mod n) to which it belongs consists of the integers r, r ; n, r ; 2n, Á RSA algorithm A public-key encryption algorithm based on exponentiation in modular arithmetic It is the only algorithm generally accepted as practical and secure for public-key encryption secret key The key used in a symmetric encryption system Both participants must share the same key, and this key must remain secret to protect the communication security attack* An assault on system security that derives from an intelligent threat; that is, an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system security mechanism A process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack security service A processing or communication service that enhances the security of the data processing systems and the information transfers of an organization The services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service security threat* A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm That is, a threat is a possible danger that might exploit a vulnerability session key A temporary encryption key used between two principals steganography Methods of hiding the existence of a message or other data This is different than cryptography, which hides the meaning of a message but does not hide the message itself stream cipher A symmetric encryption algorithm in which ciphertext output is produced bit-by-bit or byte-by-byte from a stream of plaintext input symmetric encryption A form of cryptosystem in which encryption and decryption are performed using the same key Also known as conventional encryption trapdoor Secret undocumented entry point into a program used to grant access without normal methods of access authentication G-6 GLOSSARY trapdoor one-way function A function that is easily computed, and the calculation of its inverse is infeasible unless certain privileged information is known Trojan horse* A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program trusted system A computer and operating system that can be verified to implement a given security policy unconditionally secure Secure even against an opponent with unlimited time and unlimited computing resources virtual private network Consists of a set of computers that interconnect by means of a relatively unsecure network and that make use of encryption and special protocols to provide security virus Code embedded within a program that causes a copy of itself to be inserted in one or more other programs In addition to propagation, the virus usually performs some unwanted function worm Program that can replicate itself and send copies from computer to computer across network connections Upon arrival, the worm may be activated to replicate and propagate again In addition to propagation, the worm usually performs some unwanted function zombie A program that secretly takes over another Internet-attached computer and then uses that computer to launch attacks that are difficult to trace to the zombie’s creator ACRONYMS 3DES AES AH ANSI CBC CC CESG CFB CMAC CRT DDoS DES DoS DSA DSS ECB ESP FIPS IAB IETF IP IPsec ISO ITU ITU-T IV Triple Data Encryption Standard Advanced Encryption Standard Authentication Header American National Standards Institute Cipher Block Chaining Common Criteria Communications-Electronics Security Group Cipher Feedback Cipher-Based Message Authentication Code Chinese Remainder Theorem Distributed Denial of Service Data Encryption Standard Denial of Service Digital Signature Algorithm Digital Signature Standard Electronic Codebook Encapsulating Security Payload Federal Information Processing Standard Internet Architecture Board Internet Engineering Task Force Internet Protocol IP Security International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector Initialization Vector KDC LAN MAC MIC MIME MD5 MTU NIST NSA OFB PCBC PGP PKI PRNG RFC RNG RSA SET SHA SHS S/MIME SNMP SNMPv3 SSL TCP TLS UDP WAN Key Distribution Center Local Area Network Message Authentication Code Message Integrity Code Multipurpose Internet Mail Extension Message Digest, Version Maximum Transmission Unit National Institute of Standards and Technology National Security Agency Output Feedback Propagating Cipher Block Chaining Pretty Good Privacy Public Key Infrastructure Pseudorandom Number Generator Request for Comments Random Number Generator Rivest-Shamir-Adelman Secure Electronic Transaction Secure Hash Algorithm Secure Hash Standard Secure MIME Simple Network Management Protocol Simple Network Management Protocol Version Secure Sockets Layer Transmission Control Protocol Transport Layer Security User Datagram Protocol Wide Area Network ... the client • Random: A client-generated random structure consisting of a 32- bit timestamp and 28 bytes generated by a secure random number generator These values serve as nonces and are used during... twofish1 92- cbc Twofish with a 1 92- bit key hmac-md5-96 First 96 bits of HMAC-SHA1; digest length = 12; key length = 16 twofish 128 -cbc Twofish with a 128 -bit key aes256-cbc AES in CBC mode with a 25 6-bit... 25 6-bit key aes1 92- cbc AES with a 1 92- bit key aes 128 -cbc** Serpent256-cbc Serpent1 92- cbc AES with a 128 -bit key Compression algorithm none* No compression zlib Defined in RFC 1950 and RFC 1951 Serpent