Index of /rozprawy2/10467

Academic year: 2021

Full text

AGH – University of Science and Technology, Kraków, Poland
Faculty of Electrical Engineering, Automatics, Computer Science and Electronics

Ph.D. Thesis
Marcin Kołodziejczyk

Cryptographic aspects of security analysis and network protocols improvements

Supervisor: Prof. dr hab. Marek R. Ogiela

Kraków 2012

Acknowledgments

I would like to thank my family, especially my Mother, for support and for giving me the possibility of continuing my development in the PhD studies, and my supervisor, Professor Marek Ogiela, for conducting and supervising my development during my doctoral studies, for valuable comments, valuable materials and also a very pleasant cooperation at a high level of expertise.

Table of contents

1. Introduction ......................................................... 6
   1.1. The scientific goal of this thesis ............................. 7
   1.2. The scope of this thesis ....................................... 9
2. Basic vulnerabilities and network attacks ............................ 12
   2.1. Physical security ............................................. 12
   2.2. Sniffing and spoofing ......................................... 13
   2.3. Spanning Tree Protocol vulnerabilities ........................ 15
   2.4. Attacks for Virtual Local Area Networks ....................... 15
   2.5. Attacks against IP protocol ................................... 16
   2.6. IPSec protocol ................................................ 17
   2.7. TCP Protocol security aspects ................................. 18
   2.8. ICMP vulnerabilities .......................................... 19
   2.9. Attacks for wireless networks ................................. 21
   2.10. Services and port scanning ................................... 23
   2.11. SNMP Protocol ................................................ 24
   2.12. Domain Name Servers .......................................... 25
   2.13. Tunneling issues ............................................. 26
   2.14. Chapter summary .............................................. 27
3. Cryptographic algorithms ............................................ 28
   3.1. Symmetric-key encryption ...................................... 28
        3.1.1. Data Encryption Standard ............................... 28
        3.1.2. Triple DES ............................................. 31
        3.1.3. Substitution box theory ................................ 32
        3.1.4. Advanced Encryption Standard ........................... 32
        3.1.5. Blowfish algorithm ..................................... 35
        3.1.6. Block Rivest Ciphers – RC2, RC5 and RC6 ................ 36
        3.1.7. Block cipher modes of operation ........................ 37
               ECB – Electronic Codebook .............................. 37
               CBC – Cipher Block Chaining ............................ 38
               OFB – Output Feedback .................................. 38
               Other cipher block modes ............................... 39
        3.1.8. RC4 .................................................... 40
   3.2. Public-key encryption ......................................... 41
        3.2.1. Diffie-Hellman key exchange protocol ................... 41
        3.2.2. ElGamal algorithm ...................................... 42
        3.2.3. RSA algorithm .......................................... 43
        3.2.4. Elliptic curves cryptography ........................... 45
   3.3. One way hash functions ........................................ 46
        3.3.1. MD5 hash function ...................................... 47
        3.3.2. SHA-1 hash function .................................... 49
        3.3.3. SHA-2 hash functions ................................... 50
   3.4. Chapter summary ............................................... 51
4. Trust models ........................................................ 52
   4.1. Secure Socket Layer ........................................... 52
   4.2. X.509 certificates ............................................ 54
   4.3. Public Key Infrastructure ..................................... 57
   4.4. SSH trust model ............................................... 59
   4.5. Kerberos protocol ............................................. 61
   4.6. Chapter summary ............................................... 64
5. Remote functions calls .............................................. 65
   5.2. Remote Procedure Call ......................................... 65
   5.3. Remote Method Invocation ...................................... 68
   5.4. Common Object Request Broker Architecture ..................... 70
   5.5. XML-RPC and Representational State Transfer (REST) ............ 73
   5.6. Simple Object Access Protocol ................................. 75
   5.7. Chapter summary ............................................... 76
6. Proposition of Secure Remote Protocol ............................... 77
   6.1. Assumptions of a new SRP Protocol ............................. 77
   6.2. High level architecture of SRP ................................ 78
   6.3. Data representation in SRP .................................... 80
   6.4. Network frames ................................................ 82
   6.5. Secure Interface Description Language ......................... 84
   6.6. Chapter summary ............................................... 85
7. Features and application of SRP protocol ............................ 86
   7.1. SRP implementation in Java .................................... 86
   7.2. Quality of the code ........................................... 87
   7.3. Security implementation guidelines for remote protocols ....... 87
        7.3.1. Cryptography-related stuffs ............................ 88
        7.3.2. Authentication, Authorization and Accounting ........... 88
        7.3.3. Denial-of-service ...................................... 90
        7.3.4. Input validation ....................................... 90
        7.3.5. Race conditions ........................................ 91
        7.3.6. Thirdparty software and unsafe functions ............... 91
        7.3.7. Static Analysis Tools .................................. 92
        7.3.8. Security-related tests ................................. 92
   7.4. Security assessment ........................................... 93
   7.5. Performance results ........................................... 95
   7.6. License ....................................................... 95
   7.6. Chapter summary ............................................... 96
8. Summary ............................................................. 97
   8.1. The argument and the goal ..................................... 97
   8.2. Things that have been done .................................... 98
   8.3. Further research ............................................. 100
Appendix A ............................................................ 102
   License for SRP and Code generator ................................ 102
Appendix B - Components of the SRP implementation in Java ............. 104
   B.1. Main types for SRP protocol .................................. 104
   B.2. Packet structure and Exceptions .............................. 105
   B.3. ByteArrayUtils, Config and Logger classes .................... 106
   B.4. Connectors ................................................... 107
   B.5. Components ................................................... 108
   B.6. Cryptographic stuffs ......................................... 108
   B.7. Generated code ............................................... 109
Bibliography .......................................................... 110
List of figures ....................................................... 114
List of tables ........................................................ 116
List of acronyms and shortcuts ........................................ 117
The disc with SRP implementation ...................................... 121

1. Introduction

This thesis describes basic security aspects of remote protocols used in computer networks. The purpose of this dissertation is to propose a new, secure protocol for remote function calls. A network protocol is a set of messages sent between two or more peers, a set of available end-point states and a set of rules describing how to exchange these messages. Many computer networks allow public access, and many people, including intruders, have access to the data transmitted over these networks. Nowadays security is important and becomes ever more so. However, the most important aspects of security change all the time. Security is not focused on one single problem and is not a static or constant process; it is a dynamic process. Current security issues are different from those of five, ten, twenty or more years ago. Cryptographic modules are among the most important components of secure systems. Cryptography is also changing and evolving. It is a very old science: one of the best known algorithms, Caesar's cipher, is 2000 or more years old. Of course this cipher is not secure anymore and is out of the scope of this paper, but it shows how old cryptography is. The only requirement for the Caesar cipher was confidentiality, and the security of the message depended on keeping the algorithm secret. Nowadays the confidentiality requirement is quite obvious and we require something more, for example integrity checking, digital signatures, secret sharing, digital money, blind signatures, steganography, digital watermarks and much more. Cryptography is necessary and must be applied on many network layers. Confidentiality is very important for exchanging credentials in the authentication process, for protecting companies' and governments' secrets, or even for private message exchange. Let's imagine what would happen if an intruder changed the total amount of money in a digital bank transfer. All these sensitive data are transmitted over the network, in many cases over public networks, so even if the data are encrypted and cannot be read, they could still be replaced with other, random data. Message integrity must be checked and assured in every bank or on-line shopping transaction. Digital signatures have legal consequences, so it is obvious that they must be secure. Steganography and digital watermarks may be used to protect music tracks, photos or movies: the author can embed a hidden message in his song, movie or image and protect his work across the whole network. There are many other cryptographic aspects of computer networks, and many of them are becoming more important.

1.1. The scientific goal of this thesis

Nowadays secure programming is important and becomes ever more so. Some time ago it was difficult to create a network connection and to use this connection in a computer program. Therefore typical programming languages are focused on standalone, sequential machines. This approach is visible in many commonly used compilers. A typical computer program contains functions, objects and components. Functions are one of the first abstractions. Object methodologies introduced classes, objects and methods; the three pillars of object-oriented programming are encapsulation, inheritance and polymorphism. The next steps in programming languages were component-based development and service-oriented programming. Only the last approach is based on network technologies. The first network software used network sockets and network datagrams. Such programs were very often created in a client-server architecture, for example web, ftp or e-mail servers. Socket programming is quite complicated and requires many similar lines of code in different products. Moreover, all failure situations, like loss of connection or damaged packets, need to be supported in good, secure software. The programmer has to write code responsible for such situations, for example to close the connection, release all resources and create the connection again. This solution also requires binary data representation and conversion written by the programmer. The application-layer network protocol must be created and implemented by software engineers. This approach costs too much, because too many staff hours are taken by tasks related to the creation of network modules. Sometimes it is cheaper to create something like a single program divided into a few independent parts run on separate hosts. Every program is divided into parts and modules called functions, methods, packages or components. These components are used in a typical sequential program, but we can also split the program between two separate hosts. There are a few technologies, like RMI, RPC or CORBA, for this purpose. In all these technologies the software engineer creates the program in a very similar way as for a single machine. The only difference is that some functions or components run on a separate host in the network. All communication is supported by a lower layer responsible for creating and closing all connections, failure scenarios, etc. The programmer has to configure a few configuration modules and then may use remote resources in the same way as local ones. This approach is much cheaper in big projects and partially moves responsibility for the network layer from the software engineer to the network library vendor.

RPC, RMI and CORBA are binary protocols and the programmer has to use appropriate libraries. There are also text-based (or XML-based) remote technologies like SOAP or REST. There is one more difference between these two groups of remote approaches: SOAP and REST are focused on remote objects and resources, while CORBA and RMI also use references to remote objects, but their real purpose is to let the programmer invoke a remote method. REST does not require special libraries and engineers may send messages encoded in URLs and XML. All these technologies simplify network communication and allow the programmer to split his software into parts run simultaneously on separate hosts in the network. However, all these solutions have security issues. None of them is security-focused. Every remote protocol may be hacked and may be dangerous in many circumstances. Security mechanisms like SSL/TLS, Kerberos or SSH are not enough: poor authentication and vulnerabilities in the authorization process cannot be fixed with cryptographic algorithms. Software libraries created without secure programming guidelines may also be vulnerable, and an attacker may exploit built-in security bugs, for example buffer overflows, poor authentication and authorization, incorrect permissions, etc. Therefore there is a need to create a secure solution with a configurable security mechanism that aligns the security level with the existing requirements. There are many other security-related threats, described in detail in the second chapter. The basic argument of this thesis is that it is possible to create the design, specification and implementation of a new, universal network protocol designed for remote procedure, function or method calls with the following properties:

- The protocol will have built-in security mechanisms.
- The above-mentioned security mechanisms will be configurable in such a way that the security level will be aligned with the current requirements of the system using the protocol (including the client's and legal requirements).
- The protocol shall be platform-independent (with no hardware and operating system dependencies) and programming-language-independent.

The necessity of such a protocol will be described in the next pages. Seeing the need for a new protocol and the risks of existing solutions, the author defined the following goals for this thesis:

- A proposal of a new protocol specification that will meet the characteristics listed above.
- A sample implementation of the designed protocol.

- An analysis of the proposed protocol.
- An analysis of the mechanisms and risks in the existing network protocols for remote function and procedure calls.
- An attempt to describe the security implementation guidelines that should be used when designing new network protocols.
- Identification of further developments in the field of remote network protocol security.

1.2. The scope of this thesis

The security of computer systems will be described in the second chapter. How to protect computer networks? There is no single good way of protecting data in networks. The security of computer networks has many aspects, including the above-mentioned confidentiality and data integrity. Cryptography is necessary in secure solutions, but it is not enough. Many attacks are not related to cryptanalysis but rather to social engineering, denial of service or software vulnerabilities like buffer overflows, SQL injection, cross-site scripting, etc. There are hundreds of clear-text network protocols. Typical and most common network threats are the subject of the next chapter. What can be a target in the network? There are many potential targets: every device, every piece of data and every user can be a target. Even a device without any classified data may be a target. Unused, forgotten devices are often authorized to perform important operations in the local network or in important components of the system. Moreover, in many cases such devices are not patched, so the intruder has no problem getting access using well-known vulnerabilities or even downloaded exploits. Every piece of data can also be a target. Even unimportant information may be used to build a trust relationship: an attacker may use such information to gain an employee's confidence and then ask about more important information. Social engineering techniques are used very often and are very important from the security point of view, but they are also out of the scope of this paper. Such techniques are described in [21]. All these security issues will be described in the second chapter. Cryptographic algorithms are described a little later, in the third chapter. Most network protocols trust other peers, including intruders. There is no good, universal security model of computer networks. Existing secure protocols were designed for specific purposes and every one of them has a different trust model; for example, the SSH trust model is different from the SSL trust model, but both of them use similar algorithms. A single sign-on feature may be implemented with

the Kerberos protocol in a very easy way, but Kerberos is not as secure as SSL. On the other hand, single authentication with one secure password is better than many complicated passwords (people are in the habit of writing their complicated passwords down on scraps of paper). The applications of Kerberos and SSL are different. This is only one example; there are many other protocols, but none of them addresses all network security issues. The author will describe the existing solutions in the fourth chapter. Remote function calls are described in the fifth chapter. The designers of the existing solutions did not care about security or created complicated solutions. Nowadays clear-text protocols with many vulnerabilities are not a good choice. Encryption is not enough to protect such a protocol; there are many other dangers, previously mentioned and described in chapter two. On the other hand, the CORBA or SOAP protocols are quite complicated and it is easy to make a security mistake. These technologies are applicable only to huge computer systems. It is hard to maintain such components from the security perspective. Programming is quite easy, but it is difficult to address all security issues on time. Chapter six contains the design, description and specification of the Secure Remote Protocol (SRP). This is a completely new approach to remote function calls. The protocol is as simple as possible. Built-in security features may be configured by the administrator and exchanged without software recompilation. This flexible approach allows cryptographic modules to be exchanged depending on the project phase, legal requirements or security issues found in the existing modules. Moreover, the protocol is operating system and platform-independent. This allows migration of SRP to many hosts, including mobile devices. The specification is open and may be implemented and developed without any fee. How to assess the security level of SRP? Security assessment is related to the security and threat model we want to use and implement. There are various techniques for doing it, including Common Criteria, FIPS, FMEA or STIG analysis. The author is well familiar with two of them: Security Failure Mode and Effects Analysis (FMEA) and Security Technical Implementation Guidelines (STIG). The first is the process in which engineers identify potential failure modes (for example security issues) and then assign three numbers to each issue: Severity, Probability of occurrence and Detection. Every number is a value from the set {1..10}. The Risk Priority Number (RPN) is the product of all three values; a higher RPN means that the issue is more important. STIG analysis is based on the security requirements provided by DISA (Defense Information Systems Agency) [36], [37] and [38]. The verifier has to check which requirements are met and which of them are not implemented. All STIG requirements are very detailed. STIG analysis is a low-level

assessment. Security issues from the STIG analysis are described in chapter seven. This chapter also contains the rest of the results for the Secure Remote Protocol. The last, eighth chapter contains the conclusions of this thesis: a short summary of the things that were done in this dissertation and some ideas about further development in cryptographic aspects of security analysis and network protocol improvements. The proposition of the Secure Remote Protocol and the argument and goals of this thesis are taken under consideration. This chapter shows that all the goals and requirements given in the introduction have been achieved. However, there is also room for further improvement. The most important areas of this development are described in the second part of this chapter. Appendix A contains the BSD license, which is an integral part of the SRP implementation attached on the compact disc to this thesis.

2. Basic vulnerabilities and network attacks

This chapter describes the most important attacks against network security. It is hard to say which attack is the most important and most dangerous from the security point of view. It depends on many aspects; for example, a Denial-of-Service attack on the web page of a small company which does not use the Internet as its basic information carrier is not as important as the same attack on an Internet company. There are some common, well-known basic attacks against well-known vulnerabilities or properties of network protocols. Many of them are described here, but not all. New attack vectors emerge all the time, and old methods are modified and improved. The intention of this chapter is not to describe all known attacks, but to split them into categories and show the most dangerous attacks in every category.

2.1. Physical security

One of the most important aspects of security is physical security [21]. This issue is ignored and forgotten many times, by many companies. The author has seen many networks which were susceptible to physical attack. Such an attack may be invisible to the administrator. Many attacks may also be ignored, because the symptoms of an attack are often very small, for example a short-term outage of the network or of one of the available services. Many devices can also be stolen, much data can be copied to an external drive, and many times this is much easier than a typical network attack. How many people are conscious that they have shared disks in a public wireless network and have granted access to everybody with no password? What would happen if such shared data were confidential and important data for the company? Who cares that computers may be attacked while surfing the network in public hot spots? The wireless signal can also be used for attacks, and it is very important to be aware of it. Who cares about stolen laptops, palmtops or smartphones? Such devices very often contain classified data. Physical security and physical attacks are not in the scope of this paper and are not described here. However, the author is convinced that this aspect of data security is still very important and every administrator should be aware of it.

2.2. Sniffing and spoofing

One of the basic and most popular methods is sniffing. The original idea of Ethernet is to send every network frame to every connected device, into the so-called "ether". The destination device checks the destination address and accepts the frame if the address matches, otherwise it ignores it. In such a network there is no difficulty in sniffing all data sent over it, because every device receives every frame. Nowadays, however, most networks are switched, which is a much better solution because of its performance. Switches learn which network address is reachable through which port: every switch and bridge inspects the source address of each frame and binds it to the physical interface the frame arrived on. After some time the switch knows where to send a frame, so the frame is forwarded only to the destination device, not to all devices. Switches divide the network into areas called collision domains [28]. This protects the network against unnecessary collisions and against simple sniffing attacks: there is no simple way to listen to the data the attacker is interested in.

However, there is no authentication in the 2nd layer of the OSI/ISO model. Every device can send a frame saying "my address is X", where X is a fictitious physical address. The switch receives the frame with the forged address; the frame is correct from the technical point of view, so the switch uses it to bind the false address to its physical port. Moreover, switches have a limited amount of memory, so too many frames with false source addresses may overflow the address table, and the switch may start working as a typical hub (1); however, the author does not know such a switch, and most of them may stop working in such a situation. Sniffing is also used for diagnostic purposes and is needed in many situations. This shows the basic conflict: we want to have simple diagnostic tools in case of network problems, and on the other hand the network has to be secure.

(1) This is also the initial state of a switch.

Another simple method is called spoofing. As mentioned, there is no authentication in the 2nd layer, and every device can lie about and exchange the source addresses in the frames it sends; for example, it is possible to send a technically correct "ARP response" frame with a wrong MAC address [8]. This is a well-known vulnerability and is used in ARP poisoning techniques. ARP is a stateless protocol, so it is hard to pair a specific ARP request with a specific ARP response. If a host does not know the MAC address of a destination device, an ARP request "who has such address?" is sent to all other hosts in the local network, and only one host should reply to it. For performance reasons, ARP responses are cached for a while, for example for five minutes. If the source host has a matching record in its ARP cache, there is no reason to send another "who has such address?" request, because the destination address is already known. This is a good occasion for an intruder, who may send ARP replies to the victim. The victim usually accepts such unsolicited ARP replies, which changes the ARP table on the victim's host. The ARP cache is no longer correct; it is poisoned. If the ARP cache is poisoned, the victim will send all packets to the intruder instead of the correct destination device. This type of attack is shown in Figure 2.1.

Figure 2.1. ARP poisoning

Spoofing is also an attack which may be used against the Dynamic Host Configuration Protocol (DHCP). In the typical scenario a new host in the network asks the DHCP server for an IP address it can use. The DHCP server reserves one of its free addresses for the asking host for a specific period of time and then replies to the host's MAC address. As mentioned, the MAC address can be changed, so an intruder may send many DHCP requests one after another, each with a different MAC address. This is a quite simple Denial of Service against DHCP, because the server runs out of free IP addresses. As a result, nobody else can obtain a new address and connect to the network.
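The following is an added example (it is not code from the thesis) showing the ARP poisoning mechanism described above from the defender's side: it builds raw Ethernet/ARP frames with the field layout given by the ARP standard, and a small passive monitor learns IP-to-MAC bindings and flags the two symptoms of poisoning, an ARP reply nobody asked for and a binding that suddenly changes. All addresses and the three-frame traffic sample are constructed for the example.

```python
import struct

ETH_P_ARP = 0x0806
ETH_FMT = "!6s6sH"            # dst MAC, src MAC, EtherType
ARP_FMT = "!HHBBH6s4s6s4s"    # htype, ptype, hlen, plen, opcode, sender MAC, sender IP, target MAC, target IP
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(s): return bytes.fromhex(s.replace(":", ""))
def ip(s): return bytes(int(o) for o in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet + ARP frame. Requests are broadcast; replies are unicast to the target."""
    dst = b"\xff" * 6 if op == ARP_REQUEST else mac(target_mac)
    eth = struct.pack(ETH_FMT, dst, mac(sender_mac), ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                      mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not an ARP frame."""
    _, eth_src, etype = struct.unpack(ETH_FMT, frame[:14])
    if etype != ETH_P_ARP:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    return {"eth_src": eth_src, "op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


class ArpWatch:
    """Passive ARP monitor: learns IP->MAC bindings and flags the symptoms of cache poisoning."""

    def __init__(self):
        self.table = {}       # IP (bytes) -> MAC (bytes), learned from the sender fields
        self.pending = set()  # (asking IP, asked IP) pairs for requests seen but not yet answered
        self.alerts = []

    def observe(self, frame):
        a = parse_arp(frame)
        if a is None:
            return
        if a["op"] == ARP_REQUEST:
            self.pending.add((a["spa"], a["tpa"]))
        elif a["op"] == ARP_REPLY:
            key = (a["tpa"], a["spa"])          # a reply answers "who has spa?" asked by tpa
            if key in self.pending:
                self.pending.discard(key)
            else:                                # nobody asked: unsolicited reply, the poisoning vector
                self.alerts.append(("unsolicited reply", ip_str(a["spa"]), mac_str(a["sha"])))
        if a["sha"] != a["eth_src"]:             # ARP sender MAC disagrees with the frame's own source MAC
            self.alerts.append(("sender mac mismatch", ip_str(a["spa"]),
                                mac_str(a["sha"]), mac_str(a["eth_src"])))
        old = self.table.get(a["spa"])
        if old is not None and old != a["sha"]:  # an existing binding changed: exactly what poisoning does
            self.alerts.append(("mac changed", ip_str(a["spa"]), mac_str(old), mac_str(a["sha"])))
        self.table[a["spa"]] = a["sha"]


def demo():
    """Constructed traffic: a legitimate request/reply for the gateway, then an attacker's reply for the same IP."""
    victim, gateway, attacker = "00:11:22:33:44:55", "aa:bb:cc:00:00:01", "de:ad:be:ef:00:01"
    w = ArpWatch()
    w.observe(build_arp(ARP_REQUEST, victim, "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1"))
    w.observe(build_arp(ARP_REPLY, gateway, "10.0.0.1", victim, "10.0.0.5"))
    w.observe(build_arp(ARP_REPLY, attacker, "10.0.0.1", victim, "10.0.0.5"))
    return w.alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The monitor does what the victim's stack does not: it remembers who asked what, so a reply without a matching request stands out, and it keeps the old binding long enough to notice the change. A real deployment would feed it frames from a capture interface instead of constructed ones.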

2.3. Spanning Tree Protocol vulnerabilities

The Spanning Tree Protocol (STP) is a network protocol that ensures a loop-free topology in the second layer of the OSI/ISO model. It is designed as an Ethernet protocol for switched networks. The basic function of STP is to prevent bridge loops and the resulting broadcast storms. The main frame used by this protocol is the BPDU (Bridge Protocol Data Unit) frame. If STP is in use, every port must go through all STP states before communication is allowed. There are a few faster and better extensions of STP, like RSTP (Rapid STP), PVST (Per-VLAN STP) or MSTP (Multiple STP), but none of them is secure. There is no security mechanism like authentication or authorization in STP. This is a good opportunity for attackers to interfere with the correct network structure: they can send specially prepared, malicious BPDU frames and create very long communication paths, and they can deactivate correct links. We should also realize that the spanning tree computation requires some resources, so a Denial of Service attack is not a problem for an attacker who sends thousands of contradictory BPDU frames.

2.4. Attacks for Virtual Local Area Networks

Virtual LANs are sets of hosts connected to the same broadcast domain regardless of their physical location. VLANs allow the hosts connected to one switch to be split into a few groups, and hosts from different switches to be joined in a single group. The detailed specification is included in [35]. This grouping feature is a very useful solution in many laboratories where the low-layer network configuration changes very often. One of the VLAN vulnerabilities concerns trunk links. On a trunk link the frames of many VLANs travel together and are distinguished only by the 802.1Q tag they already carry; the switch does not add the tag itself and trusts whatever tag arrives. If we connect a computer directly to a trunk link, we can put the tags we want into our Ethernet frames and gain access to any VLAN. There are also attack vectors which use double-tagged frames: some vulnerable switches strip only the outer tag and forward the frame with the inner tag intact, so it is smuggled into a VLAN it should not reach, the VLAN which is the target of the attack.
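As an added example (not the thesis's code), the following models the double-tagging trick on raw 802.1Q frames: an attacker on an access port in VLAN 1 sends a frame tagged [1, 20]; the first switch accepts the outer tag, forwards the frame over a trunk, and sends it untagged because VLAN 1 is the trunk's native VLAN. The second switch then sees only the inner tag and delivers the frame into VLAN 20. The two switches are a toy model (access ingress, trunk egress, trunk ingress); the MAC addresses and the frame are constructed. The same function also shows the usual mitigation: with an unused native VLAN, the outer tag is kept on the wire and the frame stays in VLAN 1.

```python
import struct

TPID_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETH_P_IP = 0x0800


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst, src, vids, payload=b"\x45" + b"\x00" * 19):
    """Ethernet frame with one 802.1Q tag per entry of vids, outermost first; the payload is a dummy IPv4 header."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vids)
    return _mac(dst) + _mac(src) + tags + struct.pack("!H", ETH_P_IP) + payload


def outer_tag(frame):
    """VLAN ID of the outermost tag, or None for an untagged frame."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF


def pop_tag(frame):
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def access_ingress(frame, port_vid):
    """Access port: untagged frames join the port's VLAN; a tag equal to that VLAN is accepted and
    stripped, any other tag is dropped. Returns (vlan, frame) or None."""
    vid = outer_tag(frame)
    if vid is None:
        return port_vid, frame
    return (vid, pop_tag(frame)) if vid == port_vid else None


def trunk_egress(vlan, frame, native_vid):
    """Trunk egress: the native VLAN leaves untagged, every other VLAN gets its tag pushed."""
    return frame if vlan == native_vid else push_tag(frame, vlan)


def trunk_ingress(frame, native_vid):
    """Trunk ingress: untagged means native VLAN; otherwise the outer tag decides and is popped."""
    vid = outer_tag(frame)
    return (native_vid, frame) if vid is None else (vid, pop_tag(frame))


def double_tag_demo(native_vid, vids=(1, 20)):
    """Attacker on an access port in VLAN 1 sends a constructed frame tagged as in vids. The frame crosses
    a trunk with the given native VLAN to a second switch; returns the VLAN that switch assigns it to."""
    frame = build_frame("00:00:00:00:00:20", "de:ad:be:ef:00:01", list(vids))
    accepted = access_ingress(frame, port_vid=1)
    if accepted is None:
        return None
    vlan, frame = accepted
    wire = trunk_egress(vlan, frame, native_vid)
    vlan_at_next_switch, _ = trunk_ingress(wire, native_vid)
    return vlan_at_next_switch


if __name__ == "__main__":
    print("native VLAN 1  :", double_tag_demo(1))     # frame lands in VLAN 20
    print("native VLAN 999:", double_tag_demo(999))   # frame stays in VLAN 1
```

The attack only works in one direction (the victim's replies have no way back through the inner tag), and it depends entirely on the attacker's VLAN being the native VLAN of the trunk, which is why the common advice is to make the native VLAN an unused one or to tag it explicitly.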

2.5. Attacks against IP protocol

The Internet Protocol (IP) is the most common protocol all over the world; almost every new network device implements one of its versions. Nowadays there are two different versions of the Internet Protocol, IP version 4 and IP version 6. Both are stateless protocols, which allows some abuses in the 3rd layer of the OSI/ISO model. The IPv4 header contains a few interesting fields, like the source and destination addresses, time to live, identification, flags and fragment offset. Routers have to forward IP packets as quickly as possible; this is purely a performance requirement. The second issue is that two packets with identical source and destination addresses may travel different routes. The third important thing is that IPv4 packets can be split by routers into several smaller fragments. All three facts can cause problems in the third network layer. Some network devices crash on a strange value of the fragment offset in an IP packet. Suppose the beginning of the second fragment (computed from the offset value) lies before the end of the first one; such a situation should never happen, but an attacker can prepare and send packets with exactly such data. Another problem is what happens when too many incomplete packets with different identification numbers are received: the destination device would hold a huge number of unfinished packets, each with a hole in the middle, while waiting for the missing fragments. It is doubtful that all network devices and software are tested against such tricks, and it is thought that many of them are vulnerable. The next security issue concerns the time to live (TTL) field. TTL can be used for identifying the operating system, because different systems put different initial values into this field. The field can also be used to estimate the number of routers between the sender and the observing host or router.
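The fragment-offset problems described above (overlapping fragments, holes that never get filled) and the over-long echo request of the "Ping of Death" in section 2.8 can all be caught before a reassembly buffer is touched. The following added example (not code from the thesis) parses raw IPv4 headers, groups fragments by (source, destination, identification, protocol) and returns a verdict per datagram; it also includes the TTL-based hop estimate mentioned above, assuming the common initial values 32, 64, 128 and 255. The fragment sets are constructed for the example and the header checksum is left at zero, since it plays no role here.

```python
import struct
from collections import defaultdict

IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, total length, id, flags+offset, ttl, proto, checksum, src, dst
MAX_DATAGRAM = 65535         # largest length the 16-bit total-length field can express
MF = 0x2000                  # "more fragments" flag


def _addr(s):
    return bytes(int(o) for o in s.split("."))


def build_fragment(ident, offset, data_len, more, ttl=64, proto=1, src="10.0.0.1", dst="10.0.0.2"):
    """Constructed IPv4 fragment with a zero-filled payload; offset is in bytes (must be a multiple of 8)."""
    assert offset % 8 == 0
    flags_off = (MF if more else 0) | (offset // 8)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + data_len, ident, flags_off, ttl, proto, 0,
                      _addr(src), _addr(dst))
    return hdr + b"\x00" * data_len


def parse_ipv4(pkt):
    v_ihl, _, total, ident, flags_off, ttl, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (v_ihl & 0x0F) * 4
    return {"key": (src, dst, ident, proto), "ttl": ttl, "more": bool(flags_off & MF),
            "offset": (flags_off & 0x1FFF) * 8, "data_len": total - ihl}


def check_fragments(packets):
    """Judge every fragmented datagram before reassembly.
    Returns {identification: verdict} with verdict in complete / incomplete / overlap / oversized."""
    groups = defaultdict(list)
    for p in packets:
        f = parse_ipv4(p)
        groups[f["key"]].append(f)
    verdicts = {}
    for key, frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        verdict, end_seen = "complete", 0
        for f in frags:
            start, end = f["offset"], f["offset"] + f["data_len"]
            if end > MAX_DATAGRAM:       # would reassemble beyond 65 535 bytes: the "Ping of Death" shape
                verdict = "oversized"
                break
            if start < end_seen:         # fragment begins before the previous one ended (teardrop-style)
                verdict = "overlap"
                break
            if start > end_seen:         # a hole; keep scanning, a worse problem may follow
                verdict = "incomplete"
            end_seen = end
        if verdict == "complete" and frags[-1]["more"]:
            verdict = "incomplete"       # the last fragment seen still announces more to come
        verdicts[key[2]] = verdict
    return verdicts


def hops_from_ttl(ttl):
    """Guess the sender's initial TTL (32, 64, 128 or 255) and the number of routers traversed."""
    initial = next(i for i in (32, 64, 128, 255) if ttl <= i)
    return initial, initial - ttl


def demo():
    pkts = [
        build_fragment(1, 0, 1480, True), build_fragment(1, 1480, 500, False),   # well-formed pair
        build_fragment(2, 0, 1000, True), build_fragment(2, 800, 500, False),    # second starts inside the first
        build_fragment(3, 0, 1480, True), build_fragment(3, 65528, 100, False),  # sums past 65 535 bytes
        build_fragment(4, 0, 1480, True),                                        # tail never arrives
    ]
    return check_fragments(pkts)


if __name__ == "__main__":
    print(demo())
    print(hops_from_ttl(57), hops_from_ttl(116))
```

A stack that applies these checks on arrival never allocates reassembly state for an oversized or overlapping datagram, which removes the crash and the memory-exhaustion cases at once; the "incomplete" verdict is the one that needs a timer, since a legitimate tail may still arrive.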
The TTL field is decremented by 1 at every router. The initial value of this field is usually 32, 64 or 128. Moreover, if the administrator does not want anybody to put an additional router behind a host, the host can send packets with TTL set to 1: the additional router (unwanted by the administrator) decrements this value to 0 and the packet dies, i.e. it is not forwarded. IPv4 packets may also contain options. One of them is very interesting from the security point of view: the "Security" option may be used by military routers to determine more or less secure routes, for example according to the rule that confidential data should not be sent through hostile countries.

IP version 6 is the successor of IPv4. It is a little strange that, although this protocol is more than 15 years old [43], [44], IPv4 is still very popular and dominant in the Internet. However, the number of free IPv4 addresses is not large and becomes smaller every day, so IPv6 will have to be implemented in many computer systems and used in the nearest future. The structure of IPv6 is quite different from IPv4: the header of the new version is much simpler, and routers can no longer divide packets into smaller fragments (only the sender may). These facts effectively prevent several of the resource-exhaustion attacks possible against IPv4. The author is wondering about the usage of the "flow label" field; perhaps this field can be used for Denial of Service attacks, but this is only a suspicion, and such an attack vector is not clear now.

2.6. IPSec protocol

A typical network based on the TCP/IP protocols is almost unsecured. There is no doubt that encryption and integrity control should be provided at every point of the network path between the sender and the receiver, as stated in [28]. We could create secure applications which guarantee the appropriate security level in the application layer, the highest layer of the OSI/ISO model. However, there are thousands of existing applications which are not covered by such a solution and which are not secure. What should be done with this software? Modifying it requires additional effort, and it is hard to make existing software secure afterwards; security is not a feature, it should be part of every application from the beginning. The second solution is cryptography in a low network layer, transparent to the application and the end user. The basic purpose of the IPSec protocol suite is to provide security services in the 3rd layer, and thereby for everything carried above it. I
PSec can be used in two modes: transport mode and tunnel mode. Transport mode puts an additional header between the IPv4 header and the TCP (or UDP) header, or adds an extension header to an IPv6 packet. Tunnel mode encapsulates the whole protected IP packet in another IP packet. A disadvantage of IPSec is that, because of performance requirements, only symmetric algorithms are used for protecting the packets themselves, so there is a key distribution problem in the network. Manually configured shared keys are not considered a secure solution. The author is wondering about the Diffie-Hellman algorithm, which would be good for establishing session keys. Diffie-Hellman key agreement is in fact part of the IPSec standard: the IKE protocol (built on ISAKMP) uses it to derive session keys. However, the ISAKMP and IKE protocols have a few well-known vulnerabilities, so the key exchange process is not as secure as it should be.

As stated in [8], IPSec adds two types of headers to IP packets. The first of them, the Authentication Header (AH), does not provide encryption, but provides integrity control and protection against replay attacks. The second type of header, the Encapsulating Security Payload (ESP), additionally provides encryption. Both headers may be used in transport and in tunnel mode, and both may be used for data integrity checking. The HMAC (Hashed Message Authentication Code) method computes a hash value over the whole message together with the key. The difference between the AH and ESP headers is that AH also checks the integrity of some (but not all) fields of the IP header, like the IP addresses; mutable fields like the TTL cannot be checked and are treated as zero in the computation.

2.7. TCP Protocol security aspects

The Transmission Control Protocol (TCP) is another very popular Internet protocol. TCP provides reliable, ordered delivery of the data transmitted over the network, and this reliability makes the protocol so popular. The property has been confirmed by many years of TCP usage: the first RFC document [47] dates from 1974, which shows how old and how good this protocol is. At that time almost nobody thought about network intruders. TCP is very popular because of its very good error control mechanisms; moreover, it adjusts the transmission speed. However, TCP is not free of vulnerabilities. One of the most popular attacks is TCP hijacking.

Figure 2.2. TCP/IP hijacking

TCP headers carry sequence and acknowledgment numbers. The sequence number is the position of the first data byte of the current segment in the byte stream of the connection; the next segment's sequence number is increased by the amount of data carried by the current one. If the SYN flag is set, the sequence number is the initial sequence number (ISN) of the session. The ISN should be unpredictable, but old implementations used constant or easily predictable initial values. The acknowledgment number is used together with the ACK flag: it confirms that all bytes up to (but not including) that number have been received. These facts allow for the TCP/IP hijacking attack. An example is shown in Figure 2.2. The first TCP/IP segment is sent from host A to host B. Then host B sends an acknowledgment segment with specific SEQ and ACK numbers. If an intruder is listening and receives all the packets, the next sequence and acknowledgment numbers can be computed by him easily. The attacker may then send a prepared TCP/IP segment to the victim with the computed sequence and acknowledgment numbers. There are at least three consequences of such a situation. First, the segment will be accepted and processed by the receiver, the victim. Second, the real sender will send TCP/IP segments with wrong numbers, because it knows nothing about the injected data and will not advance its sequence number counter. Third, the ACK segments sent by the victim will be ignored by the real sender because of their wrong acknowledgment numbers.

A very simple form of injecting TCP/IP segments is RST injection. If the source address and port are spoofed and the sequence number falls within the receiver's window, the receiver accepts the injected RST segment and resets the current connection. It is very hard to prevent RST attacks. TCP requires some resources for creating and maintaining connections. A new connection is created by the three-way handshake described in [28]; this is required by the error management in TCP. This fact can be used by attackers: every TCP segment with the SYN flag reserves some resources for a new connection. When a victim receives such a segment, it sends back a SYN/ACK segment and waits for the third segment, the ACK. If the ACK is never sent, the resources stay allocated to the half-open connection. Many TCP segments with the SYN flag may therefore cause a very effective "Denial of Service" attack, the so-called SYN flooding attack.

2.8. ICMP vulnerabilities
The Internet Control Message Protocol (ICMP) is one of the core Internet protocols. This protocol is used for diagnosing connection problems and for determining the route of packets from the source to the destination; it is very helpful in many fault situations. There is also another side of this protocol: ICMP can be abused in many ways. The most popular attack is "Denial of Service". Ping (echo) requests may be sent one after another; such an attack is called ping flooding, and its goal is to consume the whole bandwidth of the victim with ICMP packets, so that other services become unavailable. Moreover, an IP datagram, and therefore the ICMP message inside it, may be at most 2^16 - 1 = 65 535 bytes long, and fragmentation makes it possible to send a set of fragments that reassembles to more than that. Such over-long echo requests caused strange behaviour of many network devices, and several old operating systems crashed when they received them. This attack is known as the "Ping of Death".

Typical ping flooding can be detected easily by border routers, firewalls or an Intrusion Detection System. A more interesting and effective attack is the Distributed Denial of Service. The source address can be spoofed, and it is much more difficult to detect such attacks, because the source address is different in every packet and there are no repeated, similar echo requests from one address. The second, even more efficient way is to infect as many hosts as possible all over the Internet and then send ping requests from thousands of infected hosts at the same time. Such attacks are very hard to detect and may be very effective.

Figure 2.3. ICMP amplification attack

The last well-known and very clever ICMP attack is the amplification attack (Figure 2.3). Every echo request causes an echo reply sent back to the sender. There is no authentication in ICMP, so the source IP address of echo requests can be exchanged. If the attacker sends ping requests carrying the victim's IP address to many hosts in the network, all these hosts send their replies back to the victim. In this way a huge fraction of the victim's bandwidth is consumed by ICMP response packets. This is another example of a DoS attack.

2.9. Attacks for wireless networks

The physical aspects of wireless networks have already been mentioned at the beginning of this chapter, but the algorithms and encryption mechanisms have not been discussed yet. There is no doubt that it is much more difficult to limit access to a wireless signal than to a network cable. Therefore it is important to apply the available security mechanisms to IEEE 802.11 wireless networks. "Wired Equivalent Privacy" (WEP) was the first protocol used to protect networks in the 802.11 standard. The name suggests that it should provide a security level similar to wired, cable networks; the truth is that it is a weak protocol. WEP was designed in 1997 and uses the RC4 algorithm, whose first weaknesses had been discovered by David Wagner two years earlier. WEP may use 40-bit or 104-bit keys. First a CRC32 checksum is computed and appended to the clear-text message. Then the Initialization Vector (IV) is concatenated with the key, which gives the seed for the RC4 algorithm. The Initialization Vector and the encrypted message are sent over the network. This process is shown in Figure 2.4.

Figure 2.4. WEP protocol

Keys used in WEP are not very long, especially the 40-bit ones. Packets encrypted with such keys can be cracked by brute force, and Tim Newsham's optimization reduces the effective 40-bit keyspace to 21 bits when the key was derived from a passphrase by the commonly used key generator. The second problem with WEP, mentioned in [15], is keystream reuse. If two ciphertexts were XORed with the same keystream, the keystream can be eliminated using equation 2.1:

( P1 XOR RC4(seed) ) XOR ( P2 XOR RC4(seed) ) = P1 XOR P2   (2.1)

If some bits of message P1 are known, the same bits of P2 can be recovered easily. The Initialization Vector is only 24 bits long, so it is likely to be reused after a short time. Moreover, the standard does not specify how to choose and generate the Initialization Vector for subsequent packets. Another vulnerability of WEP is connected with the CRC32 function. This function is good enough for casual error detection, but from the cryptographic point of view it is not secure: CRC32 is linear, so the intruder can flip some bits of the message and then flip the corresponding bits of the CRC in such a way that the CRC is still correct, without knowing the key. The most popular attack against WEP is the Fluhrer, Mantin and Shamir (FMS) attack, described in [8]. It takes advantage of the way initialization vectors are used and of weaknesses in the RC4 key scheduling algorithm. This attack vector is popularized by many network tools. The last attack, very effective in many situations, is the dictionary attack: many times the WEP key is equal to the SSID or is a short, simple word.

Figure 2.5. Wireless network based on RADIUS server

The next, more secure solutions for wireless networks are the WPA and WPA2 protocols (WiFi Protected Access). Both may work with a RADIUS server (Remote Authentication Dial In User Service); a network infrastructure with a RADIUS server is shown in Figure 2.5. Both protocols work in one of two modes: Personal mode or Enterprise mode. The Personal version uses a "Pre-Shared Key" (PSK); the Enterprise version uses RADIUS and the EAP protocol. The disadvantage of the PSK method is that every network user uses the same shared secret key. This idea is very dangerous in corporate networks, because it is almost impossible to keep the shared key secret; in this solution the shared key effectively becomes public. WPA2 is the newer protocol and has replaced WPA. WPA2 devices implement the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), based on the AES algorithm.

2.10. Services and port scanning

Port scanning is a well-known and very popular method for discovering network services. It is used by many network security scanners, for example Nessus, Retina or Foundstone. Every TCP or UDP network service listens on a specific, previously defined port; in some circumstances this port may be dynamic, for example in the RPC protocol. UDP ports receive datagrams from the network and TCP ports accept new connections; the remaining ports should be closed. The basic variety of port scanning is to send TCP segments with the SYN flag. Every open port should respond with the SYN and ACK flags. Such an algorithm may cause a Denial of Service because of the so-called half-open connections, so after receiving the SYN/ACK the scanner should either send an ACK to finish the three-way handshake and then close the connection, or just send an RST to tear the connection down immediately, as described in [8] and [28]. Port scanning with SYN segments can be detected and blocked easily, because of the large number of ports, 65 535. Therefore hackers developed another variety of port scanning, called decoy scanning: this method interleaves spoofed connections from various decoy IP addresses between the real port scanning connections. RFC 793 [48] defines the specific behaviour of closed TCP ports. According to this document, a closed port should answer with an RST segment to FIN, X-mas (Urgent, Push and Fin flags set) or null (all flags zero) segments, while a listening port sends no RST back. This behaviour may be abused to detect open ports.
If the attacker knows the open port numbers, he can guess what kind of services are running. Standard port numbers are described by the IANA organization in [52]. Vulnerabilities in standard, well-known services are also described on the Internet and might be used by potential intruders.
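The port-probe responses of section 2.10 and the RST injection of section 2.7 follow from the same few rules of RFC 793, so one toy TCP endpoint serves both. The following is an added example (not code from the thesis): a minimal endpoint with CLOSED, LISTEN and ESTABLISHED behaviour, a scanner that infers port state from the answers to SYN, null and X-mas probes, and a spoofed-RST scenario showing that a forged reset is honoured only when its sequence number falls inside the receive window. The addresses, ports and sequence numbers are constructed; the listen/established state machine is a simplified model, not a real stack.

```python
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20   # TCP flag bits


@dataclass
class Segment:
    src: tuple        # (ip, port)
    dst: tuple
    flags: int
    seq: int = 0
    ack: int = 0
    data: bytes = b""


@dataclass
class Connection:
    peer: tuple       # remote (ip, port)
    rcv_nxt: int      # next sequence number expected from the peer
    rcv_wnd: int = 65535
    snd_nxt: int = 1000


class TcpEndpoint:
    """Toy TCP endpoint following the RFC 793 rules for CLOSED, LISTEN and ESTABLISHED."""

    def __init__(self, ip, listening):
        self.ip = ip
        self.listening = set(listening)
        self.conns = {}  # local port -> Connection

    def establish(self, local_port, peer, peer_seq):
        self.conns[local_port] = Connection(peer=peer, rcv_nxt=peer_seq)

    def receive(self, seg):
        """Return the segment the endpoint answers with, or None when it stays silent."""
        port = seg.dst[1]
        conn = self.conns.get(port)
        if conn is not None and conn.peer == seg.src:
            return self._established(port, conn, seg)
        if seg.flags & RST:
            return None                          # an RST never provokes an RST
        syn_fin = bool(seg.flags & SYN) + bool(seg.flags & FIN)
        if port not in self.listening:           # CLOSED: anything else is answered with RST
            return Segment(seg.dst, seg.src, RST | ACK, seq=0, ack=seg.seq + len(seg.data) + syn_fin)
        if seg.flags & SYN:                      # LISTEN: only a SYN gets a SYN/ACK
            return Segment(seg.dst, seg.src, SYN | ACK, seq=4321, ack=seg.seq + 1)
        return None                              # LISTEN silently drops FIN, null and X-mas probes

    def _established(self, port, conn, seg):
        in_window = conn.rcv_nxt <= seg.seq < conn.rcv_nxt + conn.rcv_wnd
        if not in_window:                        # out-of-window: drop, re-ACK unless it is an RST
            return None if seg.flags & RST else Segment(seg.dst, seg.src, ACK, seq=conn.snd_nxt, ack=conn.rcv_nxt)
        if seg.flags & RST:                      # in-window RST from the right 4-tuple: connection is gone
            del self.conns[port]
            return None
        if seg.seq == conn.rcv_nxt:              # in-order data is consumed and acknowledged
            conn.rcv_nxt += len(seg.data)
        return Segment(seg.dst, seg.src, ACK, seq=conn.snd_nxt, ack=conn.rcv_nxt)


SCANNER = ("10.0.0.9", 40000)


def probe(target, port, flags):
    return target.receive(Segment(SCANNER, (target.ip, port), flags, seq=100))


def syn_scan(target, port):
    r = probe(target, port, SYN)
    return "filtered" if r is None else ("open" if r.flags & SYN else "closed")


def stealth_scan(target, port, flags):
    """FIN, null (0) or X-mas (FIN|PSH|URG) probe: RST means closed, silence means open or filtered."""
    r = probe(target, port, flags)
    return "closed" if r is not None and r.flags & RST else "open|filtered"


def scan_demo():
    target = TcpEndpoint("10.0.0.2", listening={22, 80})
    return {p: (syn_scan(target, p), stealth_scan(target, p, 0), stealth_scan(target, p, FIN | PSH | URG))
            for p in (22, 80, 23)}


def rst_injection_demo():
    """Spoofed RSTs against an established 10.0.0.5:50000 -> 10.0.0.2:22 connection (constructed)."""
    host = TcpEndpoint("10.0.0.2", listening={22})
    client = ("10.0.0.5", 50000)
    host.establish(22, client, peer_seq=5000)
    host.receive(Segment(client, ("10.0.0.2", 22), RST, seq=999_999))   # wrong guess: outside the window
    survived = 22 in host.conns
    host.receive(Segment(client, ("10.0.0.2", 22), RST, seq=6000))      # in-window guess: accepted
    torn_down = 22 not in host.conns
    return survived, torn_down


if __name__ == "__main__":
    print(scan_demo())
    print(rst_injection_demo())
```

The stealth probes cannot distinguish an open port from a filtered one, which is why scanners report "open|filtered" for them, and the RST scenario shows why blind reset attacks come down to guessing a sequence number inside the window: with a 64 KiB window and a known 4-tuple, that is 2^16 guesses out of 2^32, not a single exact value.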

Figure 2.6. Idle port scanning – the use case with open port

Another method of port scanning is the so-called idle scan (Figure 2.6). The attacker needs to find an idle host which is not sending or receiving any other network packets and which has a typical TCP/IP stack implementation, one whose IP identification number is incremented by a constant value in every packet. The ID difference between two packets can be determined by sending a few TCP/IP packets to the idle host and examining the answers. The next step is to learn the current ID: this can be done, for example, by sending a SYN/ACK segment and reading the ID of the RST segment that comes back. Afterwards the attacker sends a SYN segment to the target with a spoofed source IP address equal to the idle host's IP. If the target port is open, a SYN/ACK segment is sent to the idle host, which answers the target with an RST segment carrying an incremented ID. If the port is closed, the target sends an RST (or nothing) to the idle host, which does not answer an RST, so the ID is not incremented. Then the attacker probes the idle host's current ID again, compares it with the previous one and learns whether an RST was sent between the two probes.

2.11. SNMP Protocol

The basic idea of the Simple Network Management Protocol (SNMP) is that there are two types of network devices: agents and managers. A manager may send simple messages to agents, like set or get requests, and the agents perform some tasks. Agents may send only two types of messages: responses and traps. The first version of this protocol has practically no security. SNMP does not prescribe a transport-layer protocol; both UDP and TCP may be used with SNMP, and sniffing and spoofing attacks are quite easy in SNMPv1. The only security mechanism in SNMP v.1 is the so-called community string. This field is sent in clear text and is constant in every SNMP message, so it can be captured and used later. Moreover, the SNMP community string was on the list of the ten most critical Internet security threats in the year 2000 [60]. In many installations the community string is left at its default value and is never changed. Version 2 of SNMP introduced a few new types of commands and errors, but its security level is the same as in version 1. One of the goals of SNMP v.3 was to add new security mechanisms and to protect the protocol against some easy network attacks. All security features added in SNMP v.3 are optional, none of them is required, so this protocol may also be deployed unsecured. SNMP v.3 may be used with three different security levels: no authentication, authentication without privacy, and authentication with privacy. We should note that this is not enough. All cryptographic algorithms used by this version are symmetric, so there is a key distribution problem, there is no trust model, and simple attacks like brute force or dictionary attacks may still be used.

2.12. Domain Name Servers

Domain Name Servers (DNS) are among the most popular servers in the Internet. People prefer readable names and words to IP numbers. DNS servers translate domain names to IP addresses (and back), so almost every connection begins with a DNS query. DNS queries and responses use the UDP protocol, and there is no problem with sniffing UDP traffic.
DNS queries and responses have to be matched somehow, and this is the purpose of the Transaction ID field in DNS packets. This field makes spoofing attacks more difficult, but such attacks are still possible. Both DNS servers and DNS clients have a DNS cache. DNS entries may be cached because domain names do not change very often; after some time the entries are deleted from the cache and the host (or DNS server) has to send another query to the specific DNS server. Queries are also sent between servers, because the number of DNS entries is far too large for a single server. An attacker may send DNS responses with wrong IP addresses, but the question is how to get the Transaction ID. The attacker may create his own DNS server, for example for attacker.domain.com. The next step is to send a query for myaddress.attacker.domain.com to the domain.com DNS server. The domain.com server then sends a query for the IP of the "myaddress" host to the attacker's server, and in this way the attacker learns the current Transaction ID. Many DNS servers increase this ID by one in every packet, so the attacker may send many forged responses with ascending IDs, beginning from the received ID incremented by 1.

The DNSSec project is an attempt to secure DNS, but this new protocol is still being tested and is not very popular. DNSSec uses public-key cryptography and provides security mechanisms like authentication of the origin and integrity of DNS data, and key distribution through the DNS hierarchy itself. The author puts his hopes on this protocol, because the existing DNS protocol is one of the biggest Internet vulnerabilities. DNS vulnerabilities may be used in one of the most dangerous attacks, the "man in the middle" attack, which puts an intruder's host inside the connection between two victims. There are tools which generate key fingerprints very similar to the original ones and then substitute the keys. Moreover, some proxy servers allow man in the middle attacks; this is advertised as a feature of the proxy hardware, not as a vulnerability. Users who are aware of security threats usually remember only the first and last few characters of a fingerprint, so a substituted key with a similar fingerprint may be recognized as correct. DNS hacking is the first step of such an attack, and this step is quite easy to perform.

2.13. Tunneling issues

The HTTP protocol (Hypertext Transfer Protocol) is also very popular in the Internet. Many companies allow HTTP traffic through their firewalls, IDSes and IPSes, while other services are usually blocked. Therefore many malicious programs use HTTP tunnels for their connections. This is a way of stealing classified data from companies. The method is well known to administrators, and HTTP traffic is often monitored and checked; such monitoring is not a simple task, because of the huge number of possibilities and potential HTTP issues. New web technologies allow user-friendly web interfaces and many new features, but they also allow very tricky attacks which may be hard to detect. XSS (Cross-site scripting) is one of the best-known attacks against web technologies and is on the top ten list [60].

Outbound DNS traffic is allowed too in most companies, and many administrators do not realize that DNS may also be abused for tunneling. The idea is that the intruder creates his own domain, for example thief.domain.com. If somebody (or something, for example malicious software) wants to send some information out, it may be done by converting the information to Base32 and sending it as a DNS request whose name carries the encoded bytes, for example "confidentialStolenInformation.thief.domain.com". DNS responses are allowed too, so the pseudo-DNS server may send control information back. Such traffic may be discovered because of the huge number of DNS queries from one specific host. However, because UDP is used, the source address may be spoofed and exchanged for any address in the network (the responses then go to the spoofed address, so this variant is only useful for one-way exfiltration), and this case is much more difficult to discover.

As we see, there is another problem with protocols: abusing them. It is very hard to create a protocol which cannot be abused for some illegal purpose, and in many situations it is very hard to detect such illegal usage. The author is considering what restrictions may be implemented in new protocols and what mechanisms could block the abuse of network mechanisms; these are very difficult questions. People involved in DNS tunneling are very excited about DNSSec: its basic goal is to build more secure networks, but there is the other side of the coin, because the detection of tunneling inside DNSSec traffic may be much more difficult. The same issue applies to the HTTPS protocol, which is the ordinary HTTP protocol encapsulated in the SSL/TLS layer: there is no possibility of inspecting such HTTP traffic without a man in the middle. Therefore proxy servers with this feature (described in the previous subsection) are designed and released. From the company's point of view it is much more secure to check all traffic than to allow unchecked HTTPS data, which may contain all types of malicious code and infect employees' computers.

2.14. Chapter summary

This chapter has described basic network security issues. As has been presented, the most common and most important network protocols are vulnerable. There are many threats to privacy, data integrity, availability of service, etc. The next chapter describes basic security mechanisms which can protect the solutions currently implemented in computer networks; the security issues and threats described here are addressed there. Mechanisms like symmetric and asymmetric cryptography, one-way functions, digital signatures, authentication types, authorization models and trust models will be presented and discussed in chapter 3.

3. Cryptographic algorithms

This chapter describes the most important security features and protection methods. Physical security mechanisms are very important, but as already mentioned they are out of the scope of this thesis, so this is the only important mechanism not described here. It is hard to choose the best solution for protecting networks and computer systems; the security mechanisms used depend on the threat model. It is important to decide what we want to protect, to define the risk and to prioritize what is most important. There is no universal solution against network attacks. Moreover, we should realize that security is not a static state but a process: new attack methods are developed all the time, as are new vulnerabilities in protocols and software, and thousands of exploits are available on the Internet. This shows that the problem is not simple.

3.1. Symmetric-key encryption

Cryptography is very important for network security; it is one of the most critical and necessary elements of every network infrastructure and communication. Confidentiality and data integrity are ensured by cryptographic algorithms, and one of the most important groups of such algorithms are encryption algorithms. Kerckhoffs' principle [26] states that an encryption algorithm should be publicly known and only the cryptographic key should be kept secret. Nowadays every reputable algorithm used for security purposes follows this rule. Algorithms with symmetric keys are very popular and are used in almost every encrypted connection. Such algorithms use a single secret key shared between the peers, which raises the problem of how to send the secret key over an unsecured channel; its solution is described in the next section. This section describes only a few of the most popular symmetric algorithms.

3.1.1. Data Encryption Standard
First version of Data Encryption Standard (DES) algorithm was created by IBM – 28/121 –.

(29) Cryptographic aspects of security analysis and network protocols improvements. (International Business Machines Corporation) in 1976 year [29]. It was a response for request for proposals for a standard cryptographic algorithm from NBS (National Bureau of Standards), now known as NIST (National Institute of Standards and Technology). Prototype of DES algorithm was called Lucifer and utilized 128-bit keys. There are few legends that DES algorithm has a backdoor introduced by NSA (National Security Agency) request, however there is no known attacks based on it. There are few known attacks like linear or differential cryptanalysis but both may be applied to all S-box based algorithms, not only to DES. The fact is the NSA limited key length used in DES from 128 bits in Lucifer to 56 bits.. Figure 3.1. Encryption of single block in DES algorithm. DES is a block cipher based on S-boxes (Substitution boxes) theory. Plain text is splitted into 64-bit blocks. The last block is padded to 64 bits. The 56-bit key is elongated to 64-bit. Last bit of every byte is a parity bit. Every of 64-bit blocks is encrypted as a separate data and takes eighteen actions shown in Figure 3.1. The initial action is an initial permutation. The block is then divided into left and right halves. Every part contains 32 bits. Then there are sixteen rounds, so called Feistel permutations. Every round produces left and right part according to formula 3.1. Ki represents 48-bit round key derived from original key given as encryption key for algorithm. The f – 29/121 –.

(30) Cryptographic aspects of security analysis and network protocols improvements. function has few steps described below: 1.. 32-bit right part (Ri-1) of round data is expanded to 48 bits. 2.. Ri is XORed with round key Ki. 3.. XOR result is splitted into 8 parts, every part has 6 bits. 4.. every part are shortened to 4 bits after S-box substitution. 5.. final permutation is performed. Round key is computed according to the following rules: 6.. initial key is splitted into two parts. 7.. every part is shifted to the left about specified number of bits (depends on iteration. number) 8.. both parts are concatenated and 48 bits are selected according to P-box (permutation. box) Last operation is inverse permutation to produce cipher text. The result of DES is 64-bit block with cipher text.. Li = Ri-1. (3.1). Ri = Li-1 XOR f(Ri-1, Ki). DES algorithm has been a cryptographic standards over the years. However there are four weak keys (see Table 3.1) in DES algorithm which are forbidden and should never been used. These keys produces the same round keys in all sixteen rounds and gives cipher text the same as plain text. Moreover there are twelve semi-weak keys (Table 3.2). Semi-weak key reduces number of effective rounds and gives much better opportunity to effective cryptanalysis. There are also 48 keys that produce only four distinct round keys (instead of 16) - these are called possibly weak keys.. Table 3.1. DES weak keys 0x 0000 0000 0000 0000 0x 0000 0000 FFFF FFFF 0x E0E0 E0E0 F1F1 F1F1 – 30/121 –.

(31) Cryptographic aspects of security analysis and network protocols improvements. 0x F1F1 F1F1 E0E0 E0E0. Table 3.2. DES half weak keys 0x 011F 011F 010E 010E. 0x 1F01 1F01 0E01 0E01. 0x 01E0 01E0 01F1 01F1. 0x E001 E001 F101 F101. 0x 01FE 01FE 01FE 01FE. 0x FE01 FE01 FE01 FE01. 0x 1FE0 1FE0 0EF1 0EF1. 0x E01F E01F F10E F10E. 0x 1FFE 1FFE 0EFE 0EFE. 0x FE1F FE1F FE0E FE0E. 0x E0FE E0FE F1FE F1FE. 0x FEE0 FEE0 FEF1 FEF1. 3.1.2. Triple DES. Triple DES (or 3DES) utilizes DES algorithm [3]. The purpose of 3DES creation is too short key in DES. Depending on the specific variant, 3DES uses two or three keys instead of single 56-bit key. Two keys variant is in Figure 3.2. Plain text is encrypted two times and decrypted once in two keys variant of 3DES. Decryption with second key is performed between two encryption processes with the first key. Three keys variant encrypts plain text three times with three different keys.. Figure 3.2. Encryption in two keys (K1 and K2) variant of Triple DES. This algorithm increases the number of attempts needed to retrieve the secret key which is concatenation of all used 56-bit keys. It is a significant enhancement of security. The most important issue for Triple DES is that all weak, semi weak and possible weak keys exists also in 3DES algorithm.. – 31/121 –.

3.1.3. Substitution box theory

The previously described algorithms (DES and 3DES) use substitution boxes and Feistel permutations. There is a common theory which describes S-boxes. According to Shannon's theory [27] the most important properties are confusion and diffusion. Moreover, it is assumed that good S-boxes shall have the following properties (we assume binary inputs, $x, \alpha \in \{0,1\}^n = \Sigma^n$):

1. strict avalanche criterion (SAC): a single input bit change should affect at least half of the output bits (at least half of them should change). This property is also applicable to P-boxes;
2. completeness: every output bit should be a complex function of every input bit. This property is also applicable to P-boxes;
3. well balanced: a binary function $f: \Sigma^n \to GF(2)$ is well balanced if its truth table contains $2^{n-1}$ zeros (and $2^{n-1}$ ones), where $GF(2)$ is the binary Galois field;
4. non-linearity: the minimum distance between the function and the set of all affine functions;
5. propagation criterion of degree $k$: the function $f$ satisfies this criterion if $\forall x \in \Sigma^n,\ \forall \alpha \in \Sigma^n,\ \alpha \neq 0^n,\ 1 \le W(\alpha) \le k$: the function $f(x) \oplus f(x \oplus \alpha)$ is well balanced, where $W(\alpha)$ denotes the Hamming weight of $\alpha$;
6. good XOR profile: the profile should not contain entries with big numbers, because big numbers require more rounds. The XOR profile shows the differences between S-box input and output data. For example, for $S: \Sigma^n \to \Sigma^m$, $s_1' = S(s_1)$, $s_2' = S(s_2)$, $a = s_1 \oplus s_2$ and $b = s_1' \oplus s_2'$, the XOR profile is the table indexed by the input difference $a$ and the output difference $b$ which counts how often each pair $(a, b)$ occurs. The sum of the values for a fixed input difference $a$ equals $2^n$, so a big entry limits the remaining possibilities.

More information, some proofs and precise explanations of the above mentioned properties of S-boxes can be found in [25].

3.1.4. Advanced Encryption Standard

The Advanced Encryption Standard (AES) algorithm is much more secure than DES [29]. The main reason is the key length (128, 192 or 256 bits). In 1997, the National Institute of Standards and Technology (NIST) put out a request for proposals for a new symmetric key encryption algorithm.

In August 1998, after an evaluation process, NIST selected five finalists [29], listed in Table 3.3:

Table 3.3. AES finalists with authors

  Algorithm   Author(s)
  MARS        IBM
  RC6         RSA
  Rijndael    Joan Daemen and Vincent Rijmen
  Serpent     Ross Anderson, Eli Biham, Lars Knudsen
  Twofish     Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson

In October 2000, NIST announced that it had voted for the Rijndael algorithm. On 26 November 2001, Rijndael became the official government encryption standard, published as Federal Information Processing Standard FIPS 197 [33]. The original algorithm supported more key lengths: 128, 160, 192, 224 and 256 bits. Rijndael was chosen because of its good performance on devices with limited capacity and for its overall good security. In contrast to DES, AES operates on full bytes, not on single bits, which allows faster implementation on many devices. The first step in the AES algorithm is to divide the input plain text into 128-bit blocks. As shown in Table 3.4, the number of rounds depends on the key length. Data are stored in byte matrices. The height of every matrix is 4 bytes, so the key and block matrix widths may be computed as the total number of bits divided by 32 (4 · 8 bits = 32 bits).

Table 3.4. Number of rounds, key and block matrix widths as a function of key length

            Key matrix width    Block matrix width   Number of rounds
            [32-bit columns]    [32-bit columns]
  AES-128   4                   4                    10
  AES-192   6                   4                    12
  AES-256   8                   4                    14

There are four functions used for encryption in the AES algorithm: SubBytes, ShiftRows, MixColumns and AddRoundKey. The matrix holding the data (initially the plain text) is called the state. The functions mentioned above operate on this state and transform the bytes inside the matrix. The pseudo-code of the AES algorithm is listed below:

    AES(input, key)
        state := input;
        roundKeys := KeyExpansion(key);          // N+1 round keys, N = number of rounds
        AddRoundKey(state, roundKeys[0]);
        for round := 1 to N-1 begin              // N-1 full rounds
            SubBytes(state);
            ShiftRows(state);
            MixColumns(state);
            AddRoundKey(state, roundKeys[round]);
        end
        SubBytes(state);                         // final round has no MixColumns
        ShiftRows(state);
        AddRoundKey(state, roundKeys[N]);
        return state;
    end

The SubBytes function operates independently on every byte of the given state, performing a nonlinear transformation according to the S-box table (Table 3.5).

Table 3.5. SubBytes S-box in AES. All values are hexadecimal; x is the row (four most significant bits of the input byte), y the column (four least significant bits)

  x\y  0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
   0  63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
   1  ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
   2  b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
   3  04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
   4  09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
   5  53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
   6  d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
   7  51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
   8  cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
   9  60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
   a  e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
   b  e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
   c  ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
   d  70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
   e  e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
   f  8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16

The S-box transformation substitutes each input byte with a byte from the S-box table: the first four bits (most significant bits) give the x value and the four least significant bits give the y value in the S-box table. The ShiftRows function cyclically shifts the last three rows of every state to the left; the first row is not changed.
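As an added example that is not from the thesis, the following code measures three of the S-box properties listed in section 3.1.3 (property 3, balance; property 4, non-linearity; property 6, the XOR profile) on the AES SubBytes table of Table 3.5. The table is transcribed from FIPS 197, and the Walsh transform used here is the standard way of computing the distance to the nearest affine function.

```python
# Added example (not the thesis's own code): evaluate S-box properties from
# section 3.1.3 on the AES SubBytes table (Table 3.5, transcribed from FIPS 197).
AES_SBOX = bytes.fromhex(
    "637c777bf26b6fc53001672bfed7ab76" "ca82c97dfa5947f0add4a2af9ca472c0"
    "b7fd9326363ff7cc34a5e5f171d83115" "04c723c31896059a071280e2eb27b275"
    "09832c1a1b6e5aa0523bd6b329e32f84" "53d100ed20fcb15b6acbbe394a4c58cf"
    "d0efaafb434d338545f9027f503c9fa8" "51a3408f929d38f5bcb6da2110fff3d2"
    "cd0c13ec5f974417c4a77e3d645d1973" "60814fdc222a908846eeb814de5e0bdb"
    "e0323a0a4906245cc2d3ac629195e479" "e7c8376d8dd54ea96c56f4ea657aae08"
    "ba78252e1ca6b4c6e8dd741f4bbd8b8a" "703eb5664803f60e613557b986c11d9e"
    "e1f8981169d98e949b1e87e9ce5528df" "8ca1890dbfe6426841992d0fb054bb16"
)


def xor_profile(sbox):
    """Property 6: entry [a][b] counts input pairs (s1, s2) with
    s1 XOR s2 = a and S(s1) XOR S(s2) = b. Each row sums to 2^n."""
    size = len(sbox)
    table = [[0] * size for _ in range(size)]
    for s1 in range(size):
        for s2 in range(size):
            table[s1 ^ s2][sbox[s1] ^ sbox[s2]] += 1
    return table


def max_xor_entry(sbox):
    """Largest profile entry for a non-zero input difference (row a = 0 is
    trivial: it holds 2^n in column b = 0)."""
    return max(max(row) for row in xor_profile(sbox)[1:])


def parity(v):
    return bin(v).count("1") & 1


def is_balanced(sbox, bit):
    """Property 3 for one output bit: it is 1 for exactly half of the inputs."""
    return sum((s >> bit) & 1 for s in sbox) == len(sbox) // 2


def nonlinearity(sbox, bit):
    """Property 4 for one output bit f(x) = bit `bit` of S(x): the distance to
    the nearest affine function is 2^(n-1) - max_a |W_f(a)| / 2, where
    W_f(a) = sum over x of (-1)^(f(x) XOR a.x) is the Walsh transform."""
    size = len(sbox)
    n = size.bit_length() - 1
    best = 0
    for a in range(size):
        w = sum(1 - 2 * (parity(a & x) ^ ((sbox[x] >> bit) & 1)) for x in range(size))
        best = max(best, abs(w))
    return (1 << (n - 1)) - best // 2
```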

The second row is shifted by one byte, the third row by two bytes and the fourth row by three bytes (the shift is cyclic, so the bytes that leave one end of the row re-enter at the other). The MixColumns function works on the columns of the state. The four values in every column are the coefficients of a third-degree polynomial. This polynomial is multiplied by $(03)_{16}x^3 + (01)_{16}x^2 + (01)_{16}x + (02)_{16}$ modulo $x^4 + 1$. The AddRoundKey transformation uses only the XOR function: the current state is XORed with the current round key. The round keys are generated by the KeyExpansion function described in [33]. The decryption process is quite similar to encryption: almost all helper functions in this process are the inverses of the helper functions described above, and the round keys are applied in reverse order. The pseudo-code of inverse AES is listed below:

    InverseAES(input, key)
        state := input;
        roundKeys := KeyExpansion(key);          // same round keys as for encryption
        AddRoundKey(state, roundKeys[N]);
        for round := N-1 downto 1 begin
            InvShiftRows(state);
            InvSubBytes(state);
            AddRoundKey(state, roundKeys[round]);
            InvMixColumns(state);
        end
        InvShiftRows(state);
        InvSubBytes(state);
        AddRoundKey(state, roundKeys[0]);
        return state;
    end

3.1.5. Blowfish algorithm

Blowfish is another symmetric block cipher based on Feistel permutations, S-boxes and P-arrays. It was designed by Bruce Schneier in 1994. This algorithm provides a good encryption rate and no effective cryptanalysis of it has been found to date; the only successful cryptanalysis against this algorithm was against variants with a reduced number of rounds. The Blowfish cipher splits the input plain text into 64-bit blocks and the key length is variable, from 32 to 448 bits. There are sixteen rounds in this cipher. Encryption is performed by separating the 64-bit input block into two 32-bit halves, and the following function is executed every round:

    for i := 1 to 16 begin
        XLeft := XLeft XOR P[i];            // P[i] is the i-th element of the P-array (permutation array)
        XRight := F(XLeft) XOR XRight;      // F() is the Feistel function
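The ShiftRows and MixColumns steps of section 3.1.4, together with the inverse transformations that InverseAES relies on, as an added example that is not part of the thesis. The state is stored row-major (state[row][column]) like the thesis's byte matrix, and the coefficient tuples are the polynomials a(x) and its inverse from FIPS 197; the test vector in the checks is the first-round column from the FIPS 197 worked example.

```python
# Added example (not the thesis's own code): ShiftRows, MixColumns and their
# inverses on a 4x4 byte state stored as a list of rows (state[row][column]).

def xtime(b):
    """Multiply a byte by x, i.e. by {02}, in GF(2^8) modulo x^8+x^4+x^3+x+1."""
    b <<= 1
    return b ^ 0x11B if b & 0x100 else b


def gmul(a, b):
    """Multiply two bytes in GF(2^8) by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def shift_rows(state, inverse=False):
    """Rotate row r cyclically by r positions: left for encryption,
    right for decryption (InvShiftRows). Row 0 is unchanged."""
    out = []
    for r, row in enumerate(state):
        k = -r if inverse else r
        out.append(row[k:] + row[:k])
    return out


MIX = (0x02, 0x03, 0x01, 0x01)      # a(x)   = {03}x^3 + {01}x^2 + {01}x + {02}
INV_MIX = (0x0E, 0x0B, 0x0D, 0x09)  # a^-1(x) = {0b}x^3 + {0d}x^2 + {09}x + {0e}


def mix_column(col, coeffs=MIX):
    """Multiply the column polynomial by a(x) modulo x^4 + 1; the product is
    the circulant matrix whose row i is `coeffs` rotated right by i."""
    out = []
    for i in range(4):
        acc = 0
        for j in range(4):
            acc ^= gmul(coeffs[(j - i) % 4], col[j])
        out.append(acc)
    return out


def mix_columns(state, inverse=False):
    """MixColumns (or InvMixColumns) applied to every column of the state."""
    coeffs = INV_MIX if inverse else MIX
    cols = [mix_column([state[r][c] for r in range(4)], coeffs) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]
```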
