
Network Security 7-1

Secure Electronic Commerce

Prof. Amir Herzberg
Seminar 89-957, Wedn. 6-8pm
CS Dept., Bar Ilan University

Seminar: Security of Electronic Commerce
Lecture 1: Overview of security & crypto

Network Security 7-2

Administration
Seminar for graduate & undergrad students
Related courses:
  Intro to communication networks 89-350 (parallel Ok)
  Intro to Cryptography (89-656, fall term)
  This term: Crypto applied to security (89-956): requires intro first
  I’ll try to cover the most relevant stuff in the first 2-3 lectures
Requirements
  Deliver seminar for one topic
    Few in pairs
  Attend and understand most classes
    • Missing 2 is Ok; if more: justify all
Reception: Wedn. 12-2, room 324.

Network Security 7-3

Goals of this seminar

Understand secure e-commerce
Expose to recent, active research area
  Possibilities of new research
Experience in research work – reading, presenting

Network Security 7-4

Subjects

Payments
  Micropayments
  Aggregated (micro)payments
  Anonymous payments (digital cash)
Trust and credential management
  Overview including KeyNote, SPKI
  Understanding Trust Management Systems
  Credentials / Certificate Chain Discovery
Others? You can propose…

Network Security 7-5

What to do next?
Pick subject:
  See site for subjects, papers and dates
    • Two pairs, few singles
  Site: link from my homepage, http://amir.herzberg.name/
  Inform me of your choices (2 please) by e-mail
  Only if you’re going to deliver… `an honor commitment`
Read paper(s) carefully, prepare lecture, handouts
  See related papers in http://citeseer.org
  Ask to change if you prefer another paper/topic
  Use English or Hebrew, foils or PC (but write well!)
  Give me a copy
We next give overview of crypto & security
  You can leave if not interested (e.g. know already)

Network Security 7-6

Security and Cryptography Overview
Goals:
understand principles of network security:
  cryptography and its many uses beyond “confidentiality”
  authentication
  message integrity
  key distribution
security in practice:
  firewalls
  security in application, transport, network, link layers

Network Security 7-7

What is network security?
Confidentiality: only sender, intended receiver should “understand” message contents
  sender encrypts message
  receiver decrypts message
  Privacy: hide `who is doing what with whom`
Authentication: sender, receiver want to confirm identity of each other
Message Integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection
Access and Availability: services must be accessible and available to users

Network Security 7-8

Friends and enemies: Alice, Bob, Trudy
well-known in network security world
Bob, Alice (lovers!) want to communicate “securely”
Trudy (intruder) may intercept, delete, add messages

[Figure: Alice (secure sender) sends data and control messages over a channel to Bob (secure receiver); Trudy sits on the channel]

Network Security 7-9

There are bad guys (and girls) out there!
Q: What can a “bad guy” do?
A: a lot!
  eavesdrop: intercept messages
  actively insert messages into connection
  impersonation: can fake (spoof) source address in packet (or any field in packet)
  hijacking: “take over” ongoing connection by removing sender or receiver, inserting himself in place
  denial of service: prevent service from being used by others (e.g., by overloading resources)
Cryptography can help…

Network Security 7-10

The language of cryptography

symmetric key crypto: sender, receiver keys identical
public-key crypto: encryption key public, decryption key secret (private)

[Figure: plaintext → encryption algorithm (Alice’s encryption key $K_A$) → ciphertext → decryption algorithm (Bob’s decryption key $K_B$) → plaintext]

Network Security 7-11

Symmetric key cryptography

symmetric key crypto: Bob and Alice share (know) the same (symmetric) key: $K_{A-B}$
  e.g., key is knowing substitution pattern in mono alphabetic substitution cipher
Q: how do Bob and Alice agree on key value?

[Figure: plaintext message, m → encryption algorithm (key $K_{A-B}$) → ciphertext $K_{A-B}(m)$ → decryption algorithm (key $K_{A-B}$) → plaintext $m = K_{A-B}(K_{A-B}(m))$]

Network Security 7-12

Public Key Cryptography

symmetric key crypto
  requires sender, receiver know shared secret key
  Q: how to agree on key in first place (particularly if never “met”)?

public key cryptography
  radically different approach [Diffie-Hellman76, RSA78]
  sender, receiver do not share secret key
  public encryption key known to all
  private decryption key known only to receiver

Network Security 7-13

Public key cryptography

[Figure: plaintext message, m → encryption algorithm (Bob’s public key $K_B^+$) → ciphertext $K_B^+(m)$ → decryption algorithm (Bob’s private key $K_B^-$) → plaintext message $m = K_B^-(K_B^+(m))$]

Network Security 7-14

Public key encryption algorithms

Requirements:

1. need $K_B^+(\cdot)$ and $K_B^-(\cdot)$ such that $K_B^-(K_B^+(m)) = m$

2. given public key $K_B^+$, it should be impossible to compute private key $K_B^-$

RSA: Rivest, Shamir, Adleman algorithm

Network Security 7-15

RSA: Choosing keys

1. Choose two large prime numbers p, q. (e.g., 1024 bits each)

2. Compute n = pq, z = (p-1)(q-1)

3. Choose e (with e<n) that has no common factors with z. (e, z are “relatively prime”).

4. Find d such that ed-1 is exactly divisible by z. (in other words: ed mod z = 1 ).

5. Public key is (n,e): $K_B^+$. Private key is (n,d): $K_B^-$.

Network Security 7-16

RSA: Encryption, decryption

0. Given (n,e) and (n,d) as computed above

1. To encrypt bit pattern, m, compute
   $c = m^e \bmod n$ (i.e., remainder when $m^e$ is divided by n)

2. To decrypt received bit pattern, c, compute
   $m = c^d \bmod n$ (i.e., remainder when $c^d$ is divided by n)

Magic happens!
   $m = (m^e \bmod n)^d \bmod n$, where $c = m^e \bmod n$

Network Security 7-17

RSA example:

Bob chooses p=5, q=7. Then n=35, z=24.
e=5 (so e, z relatively prime).
d=29 (so ed-1 exactly divisible by z).

encrypt:
letter | m  | $m^e$   | $c = m^e \bmod n$
l      | 12 | 1524832 | 17

decrypt:
c  | $c^d$                                | $m = c^d \bmod n$ | letter
17 | 481968572106750915091411825223071697 | 12                | l

Network Security 7-18

RSA: Why is that $m = (m^e \bmod n)^d \bmod n$

Useful number theory result: If p,q prime and n = pq, then:
$x^y \bmod n = x^{y \bmod (p-1)(q-1)} \bmod n$

$(m^e \bmod n)^d \bmod n = m^{ed} \bmod n$
$= m^{ed \bmod (p-1)(q-1)} \bmod n$ (using number theory result above)
$= m^1 \bmod n$ (since we chose ed to be divisible by (p-1)(q-1) with remainder 1)
$= m$

Network Security 7-19

RSA: another important property

The following property will be very useful later:

$K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))$

Left side: use public key first, followed by private key
Right side: use private key first, followed by public key

Result is the same!
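The key-generation steps, the p=5, q=7 example and the "both orders" property can be checked together in a few lines. This is an added example, not code from the lecture; the function names `make_keys`, `apply_key` and `demo` are assumptions, and it is textbook RSA without padding on toy primes.

```python
# Added example (not from the lecture): textbook RSA with the toy numbers above.
# No padding and tiny primes, so this illustrates the arithmetic only.
from math import gcd


def make_keys(p, q, e, d=None):
    """Steps 2-5 of 'Choosing keys': return ((n, e), (n, d))."""
    n, z = p * q, (p - 1) * (q - 1)
    if not 1 < e < n or gcd(e, z) != 1:
        raise ValueError("e must be below n and relatively prime to z")
    if d is None:
        d = pow(e, -1, z)            # smallest d with e*d mod z == 1
    elif (e * d) % z != 1:
        raise ValueError("e*d - 1 is not divisible by z")
    return (n, e), (n, d)


def apply_key(key, x):
    """K(x) = x^exponent mod n; the same operation serves either key."""
    n, exponent = key
    if not 0 <= x < n:
        raise ValueError("x must satisfy 0 <= x < n")
    return pow(x, exponent, n)


def demo():
    public, private = make_keys(5, 7, 5, d=29)   # p, q, e, d from the example slide
    c = apply_key(public, 12)                    # 12**5 = 248832; 248832 mod 35 = 17
    m = apply_key(private, c)                    # back to 12, the letter 'l'
    # Both orders return x for every x in [0, n):
    #   private(public(x)) is encryption followed by decryption,
    #   public(private(x)) is the order used later for signatures.
    both_orders = all(
        apply_key(private, apply_key(public, x)) == x
        == apply_key(public, apply_key(private, x))
        for x in range(public[0])
    )
    # Any d with e*d mod z == 1 works; the smallest here is 5, and 29 = 5 + z.
    smallest_d = make_keys(5, 7, 5)[1][1]
    return c, m, both_orders, smallest_d


if __name__ == "__main__":
    print(demo())
```

With these toy parameters the smallest valid d equals e, which is why a larger d such as 29 makes the example easier to follow.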

Network Security 7-20

Roadmap

1. What is network security?
2. Principles of cryptography
3. Authentication and integrity mechanisms
4. Digital Signatures
5. Key Distribution and certification
6. Attacks and counter measures
7. Access control: firewalls
8. Security in many layers

Network Security 7-21

Example: `paper, stone, scissors`

Popular kids game
Kid’s implementation:
  `Simultaneous` exposure
  Cheating common…
Physical implementation:
  Write choice on card
  Cards placed `face down`
  Choices fixed but secret
  Cards turned
How to do over network?

[Figure: Bob and Alice]

Network Security 7-22

Secure `paper, stone, scissors`

Use hash function h( )
Confidentiality
  Bob can’t know what Alice chose
Collision-resistance
  Alice, Bob can’t `change their hand`
Randomness
  h(x) appears `random`
  If h(x) is deterministic, confidentiality impossible

[Figure: Bob and Alice]

Network Security 7-23

Crypto-Hash Functions - `Wish List`

Compression
  Unbounded/Long input
  Short (finite) output
Confidentiality
  Can’t find x from h(x)
Collision-resistance
  `Strong`: can’t find x,x’ s.t. h(x)=h(x’)
  `Weak`: given x, can’t find x’≠x s.t. h(x)=h(x’)
Randomness: uniform output distribution
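The "face down card" from the secure paper, stone, scissors slide and the wish-list properties above can be exercised with a salted hash commitment. This is an added example, not code from the lecture; SHA-256 stands in for h( ), the random nonce supplies the randomness the slide asks for, and all function names are assumptions.

```python
# Added example (not from the lecture): commit-then-reveal with a salted hash.
import hashlib
import hmac
import secrets

CHOICES = ("paper", "stone", "scissors")
BEATS = {"paper": "stone", "stone": "scissors", "scissors": "paper"}


def commit(choice, nonce=None):
    """Card placed face down: return (h(nonce || choice), nonce)."""
    if choice not in CHOICES:
        raise ValueError("unknown choice")
    if nonce is None:
        nonce = secrets.token_bytes(32)   # fixed length keeps nonce||choice unambiguous
    return hashlib.sha256(nonce + choice.encode()).hexdigest(), nonce


def opens_to(commitment, choice, nonce):
    """Card turned: recompute the hash and compare with the earlier commitment."""
    if choice not in CHOICES:
        return False
    recomputed, _ = commit(choice, nonce)
    return hmac.compare_digest(recomputed, commitment)


def guess_without_nonce(commitment):
    """With a deterministic h(choice), trying all three hands reveals the choice."""
    for choice in CHOICES:
        if commit(choice, nonce=b"")[0] == commitment:
            return choice
    return None


def play_round(alice_choice, bob_choice):
    # 1. Both sides exchange commitments; 2. both reveal (choice, nonce).
    a_commitment, a_nonce = commit(alice_choice)
    b_commitment, b_nonce = commit(bob_choice)
    if not (opens_to(a_commitment, alice_choice, a_nonce)
            and opens_to(b_commitment, bob_choice, b_nonce)):
        return "invalid opening"
    if alice_choice == bob_choice:
        return "draw"
    return "Alice" if BEATS[alice_choice] == bob_choice else "Bob"
```

Collision-resistance is what makes `opens_to` binding: a player who wants to switch hands after seeing the other commitment would need a second (choice, nonce) pair with the same hash.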

Network Security 7-24

Detection of Message Modification
How can Bob detect that message from Alice
  Had random error? A: use Error Detection Code
  Was intentionally modified?
    • A1: send (securely) the hash of the message to Bob
    • How can we send it securely?
    • Why not send message instead?

Network Security 7-25

Detection of Message Modification

Can we simply send the hash with the message?
A: No; Eve can then change message and compute new hash!

Network Security 7-26

Message Authentication Code (MAC)

Use a key shared between Alice and Bob to authenticate messages sent between them

Network Security 7-27

MAC authenticates messages

MAC allows two or more mutually trusting parties to authenticate all messages sent between them.

[Figure: Alice (key k) sends m, $MAC_k(m)$ to Bob (key k), with Eve on the channel. Bob: “Only Alice and me know k. So one of us sent m.”]

Network Security 7-28

MAC authenticates messages

MAC allows two or more mutually trusting parties to authenticate all messages sent between them.

[Figure: Alice (key k) sends m, $MAC_k(m)$ to Bob (key k), with Eve on the channel; Charlie and Don also hold key k. Bob: “Only Alice, Charlie, Don and me know k. So one of us sent m.”]

Network Security 7-29

MAC Use Secret Key
Random or pseudo-random
Do not reveal to adversary
Do not use for anything except MAC
  E.g. use different key for encryption

Network Security 7-30

Limitations of MAC
$MAC_k(m)$ may expose information about m!
  Example: Let MAC be any secure MAC. Define $MAC'_k(m) = LSb(m) \,\|\, MAC_k(m)$, where LSb is least significant bit.
MAC only shows a key-holder computed it
  Could be any key holder (e.g. recipient)…
    Specify sender, recipient in message
  Could be re-transmission / replay…
    Add time/counter/random challenge to identify

Network Security 7-31

Authenticated Communication
Random values Na,Nb (nonces) for freshness
Authenticate messages mA, mB by including their hash in the MAC inputs
To authenticate many messages (in order):
  Add sequence numbers
  Can use same nonces for multiple messages
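The fixes listed under "Limitations of MAC" and the nonce and sequence-number scheme above combine into one receiver-side check. This is an added example, not code from the lecture; it uses HMAC-SHA256 as the MAC, only the receiver's nonce (one direction of the Na, Nb exchange), and the names `mac_tag`, `Receiver` and the sample message are assumptions.

```python
# Added example (not from the lecture): HMAC-SHA256 over sender, recipient,
# the receiver's nonce, a sequence number and the message hash.
import hashlib
import hmac
import secrets


def mac_tag(key, sender, recipient, nonce, seq, message):
    fields = [sender.encode(), recipient.encode(), nonce,
              seq.to_bytes(8, "big"), hashlib.sha256(message).digest()]
    # Length-prefix every field so two different tuples never encode alike.
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()


class Receiver:
    def __init__(self, key, me, peer):
        self.key, self.me, self.peer = key, me, peer
        self.nonce = secrets.token_bytes(16)   # fresh per session, sent to the peer
        self.next_seq = 0

    def accept(self, sender, recipient, seq, message, tag):
        expected = mac_tag(self.key, sender, recipient, self.nonce, seq, message)
        if not hmac.compare_digest(expected, tag):
            return "bad-mac"              # modified, or bound to another session
        if (sender, recipient) != (self.peer, self.me):
            return "wrong-direction"      # valid MAC, but made by/for someone else
        if seq != self.next_seq:
            return "replay-or-out-of-order"
        self.next_seq += 1
        return "ok"


def demo():
    key = secrets.token_bytes(32)         # MAC-only key, never reused for encryption
    bob = Receiver(key, me="Bob", peer="Alice")
    msg = b"pay 10 to Carol"              # constructed sample message
    tag = mac_tag(key, "Alice", "Bob", bob.nonce, 0, msg)
    results = [bob.accept("Alice", "Bob", 0, msg, tag),               # genuine
               bob.accept("Alice", "Bob", 0, msg, tag),               # replay
               bob.accept("Alice", "Bob", 1, b"pay 99 to Eve", tag)]  # altered
    # Bob's own message sent back to him carries a valid MAC under the shared key.
    own = mac_tag(key, "Bob", "Alice", bob.nonce, 1, msg)
    results.append(bob.accept("Bob", "Alice", 1, msg, own))
    # The genuine message replayed into a new session fails: the nonce differs.
    results.append(Receiver(key, "Bob", "Alice").accept("Alice", "Bob", 0, msg, tag))
    return results
```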

Network Security 7-32

Non-repudiation
Non-repudiation: proof of authenticity that cannot be disputed by `signer`
  Long-lived
  Validation by multiple, arbitrary parties
Not ensured by MAC – key known to both!
Applications:
  Contract/document/payment signing
  Time-stamping of documents
  Guaranteed/Certified Messaging Services
Main tool: digital signatures and certificates

Network Security 7-33

Public Key Digital Signatures
Sign using a private, secret signature key
Everybody knows the public validation key
Everybody can validate signatures at any time
Provides non-repudiation – signer is committed

Network Security 7-34

Metaphor to Public Key Signature: Cylinder Seal (ancient Iran)
Public key: impression of seal
Private key: cylinder seal
Hard to create impression without seal
Hard to change clay tablet with impression
Hard to create the seal from the impression
Clay tablets (w/ impressions) last long time

Network Security 7-35

RSA Signatures with Hashing

Bob sends digitally signed message:
[Figure: large message m → H: hash function → H(m) → digital signature (encrypt) with Bob’s private key (d,n) → signed msg hash $(H(m))^d$; Bob sends large message m + signed msg hash]

Alice verifies signature and integrity of digitally signed message:
[Figure: large message m → H: hash function → H(m); signed msg hash $(H(m))^d$ → validate digital signature with Bob’s public key (e,n) → H(m); are the two values equal?]

Network Security 7-36

Problem: validation of public key
How does Alice obtain Bob’s public key…
  To encrypt messages to Bob
  To validate signatures by Bob
If Eve can cause Bob to use Eve’s key thinking it is Alice’s key…
  Eve can decrypt messages sent to Alice
  Eve can pretend to sign documents as Alice
Solution: certificate: signed public key

Network Security 7-37

Certification Authorities

Certification authority (CA): binds public key to particular entity, E.
E (person, router) registers its public key with CA.
  E provides “proof of identity” to CA.
  CA creates certificate binding E to its public key.
  certificate containing E’s public key digitally signed by CA – CA says “this is E’s public key”

[Figure: Bob’s public key $K_B^+$ and Bob’s identifying information → digital signature with CA private key $K_{CA}^-$ → certificate for Bob’s public key, signed by CA]

Network Security 7-38

Certification Authorities
When Alice wants Bob’s public key:
  gets Bob’s certificate (Bob or elsewhere).
  apply CA’s public key to Bob’s certificate, get Bob’s public key

[Figure: Bob’s certificate → digital signature validate with CA public key $K_{CA}^+$ → Bob’s public key $K_B^+$]

Network Security 7-39

A certificate contains:
  Serial number (unique to issuer)
  info about certificate owner, including algorithm and key value itself (not shown)
  info about certificate issuer
  valid dates
  digital signature by issuer

Network Security 7-40

Time-Stamping of Signatures, etc.
Goal: non-repudiated proof of document creation date
  Proof doc/signature existed at/before date
  Signature existed before public key was revoked → it is valid
Timestamp signed by Time-stamping Authority
Hash document to protect confidentiality

[Figure: Author, Time-Stamping Authority (TSA) and Relying Party; message labels: h(doc) (paper, invention); h(doc,sign), certificate(PK)]

Network Security 7-41

Non-Repudiated Delivery Services

Non-Repudiation of Origin (NRO)
  Destination proves that it received the message, originated by the origin, at particular time.
  Signature of Delivery Authority and/or Origin + Time-Stamping Auth.

Non-Repudiation of Submission (NRS)
  Origin proves it submitted the message, to the destination, at particular time by signature of Delivery Authority

Non-Repudiation of Receipt (NRR)
  Origin proves that the destination received the message, at particular time by signature of destination + TSA

[Figure: Origin, Delivery Authority, Destination]

Network Security 7-42

SSL / TLS in a Nutshell
SSL provides a `secure TCP tunnel from client to server`:
  Confidentiality
  Authentication of server, optionally also of client
  Message and connection integrity
SSL: Secure Socket Layer
  Since SSL (& TLS) operate on top of `standard` Sockets API
TLS: Transport Layer Security
  Since TLS (& SSL) secure TCP (the transport layer)
  IETF standard version of SSL
  When we describe common aspects we usually say just SSL
Many implementations, libraries, e.g. OpenSSL
Original goal and still main use: secure transfer of credit card number…

Network Security 7-43

Credit Card Payments

[Figure: credit card payment flow among Buyer, Merchant, Acquirer (Payment Gateway) and Issuer; message labels: Card#, signed slip; Card#, signed slip, $; Card#, $; Card#, statement]

Network Security 7-44

`Mail Order / Telephone Order (MOTO)’ or `Card Not Present’ Transactions (Web, phone, mail)

[Figure: payment flow among Buyer, Merchant, Acquirer (Payment Gateway) and Issuer; message labels: Card#, $; Card#, $; Card#, $; Card, statement]

Network Security 7-45

SSL Credit Card Payments

[Figure: Credit Card Number sent SSL encrypted; Acquirer (Payment Gateway) and Issuer; message labels: Card#, $; Card#, $]

Network Security 7-46

SSL Based Credit Card Payments

Use SSL to securely transfer credit card numbers
  Trivial deployment (merchant decision).
  No client software required (SSL is in browser).
  Built on top of the existing credit card infrastructure.
  By far, the most widely used payment method.
But, due to several security problems…
  Very high dispute rates (esp. for online services)
  Very expensive for banks and merchants