Applied Cryptography Overview


To demonstrate the concepts in this chapter, we will use the office complex case study from Chapter 1, "Wireless Technologies."

The Office Complex Case Study

An advertising corporation, AdEx Inc., has installed a wireless LAN system throughout its multistory building in Reston, Virginia. It has installed access points at key locations to provide complete coverage throughout the building. Employees are given laptop computers with docking stations at their work areas. Both the docking stations and the laptops are equipped with wireless LAN access devices. The conference rooms are equipped with projection systems connected to the LAN so that employees can take their laptop to a conference room, connect to the projection system over the network, and control a presentation via their laptop.

An AdEx sales team, headed by Kathleen, is proposing a new marketing campaign to a potential new client, NitroSoft. The team has been working on this presentation account for several weeks. Before the presentation, Kathleen takes the NitroSoft group to lunch. During lunch, the NitroSoft people receive a message on their PDAs announcing a new acquisition that has relevance to the team presentation. One of the people in the NitroSoft group, Louis, mentions the announcement to Kathleen, who takes out her PDA and asks him to send her a copy of the announcement. Louis sends a copy to her PDA, with additional background information. Kathleen forwards it to one of her staff members, with instructions on how to incorporate the new information into the presentation.

After lunch, the group returns to AdEx and proceeds to the conference room for the presentation. On the way, Kathleen checks her PDA and receives word that her team will be able to incorporate the new information but that it will take 20 more minutes. They inform her that the changes fit well in the second half of the slides. Kathleen says that she will begin with the original presentation and switch to the new presentation half way through if they complete it and are satisfied with the results. Otherwise, she will stick with the original presentation.

Kathleen and the NitroSoft group reach the conference room and settle in for the presentation. The AdEx sales team continues working as Kathleen begins the presentation. As she talks, she monitors her PDA and receives confirmation that the team has incorporated the new information and is satisfied with the result. At a convenient point, Kathleen pauses, loads the updated slides, and switches to the new presentation. The NitroSoft group is impressed by the efficiency and speed with which the team incorporated the new information. AdEx and NitroSoft close the deal that day.

Imagine that the relationship between AdEx and NitroSoft is not cordial. In fact, let us say that AdEx and NitroSoft are hostile to or competing with each other. Louis and NitroSoft need to communicate securely. Unfortunately, they must communicate over inherently insecure (and potentially hostile) channels (AdEx's network). Kathleen is a malicious party who wants to spy on or tamper with their conversations. Figure 6.1 depicts the relationship we will use for examples throughout this chapter.

Figure 6.1. The overt relationship between Louis, NitroSoft, AdEx, and Kathleen


What does communicating securely mean for Louis and NitroSoft, particularly if they must communicate over hostile channels? It means that even if their messages are transported over an insecure medium (such as AdEx's network or the Internet), it should be as if they were communicating directly with each other over a dedicated and physically secure channel that they completely control. If the communications channel is secure,

         No one can listen to their communications.

         No one can modify or tamper with their communications.

         Both know that they are communicating with each other and not with an impostor.

         Louis cannot deny that he sent a message to NitroSoft, or vice versa, at a later date.

These requirements for secure communications serve as goals for applied cryptography. They are also, not surprisingly, four of the six security principles discussed in Chapter 2, "Security Principles": Privacy and Confidentiality, Integrity, Authentication, and Nonrepudiation. Here is the meaning of these principles in the context of the office complex scenario:

         Privacy and confidentiality. Kathleen should not be able to learn anything about the contents of a message Louis sends to NitroSoft.

         Integrity. Kathleen should not be able to trick NitroSoft into believing that information she sends came from Louis; she should not be able to modify, undetected, a message Louis sends to NitroSoft.

         Authentication. Louis should be able to convince NitroSoft that it is communicating with him; Kathleen should not be able to trick NitroSoft into believing that she is Louis.

         Nonrepudiation. After committing to a transaction, Louis should not, at a later date, be able to claim that he did not commit to that transaction.

Cryptographers use many tools to accomplish these security goals. An encryption algorithm is a cryptographic protocol Louis and NitroSoft can use to establish privacy. Figure 6.2 depicts the process. Encryption is the process that transforms an understandable message into a form that only a legitimate recipient can read. The initial (readable) message is called the plaintext, and the resulting garbled (unreadable) message is called the ciphertext. Decryption is the process of retrieving the original plaintext message from the ciphertext.

Figure 6.2. The encryption/decryption process


Traffic Analysis

It is worth emphasizing why these security principles are called goals and why encryption in and of itself may be insufficient. Take Privacy and Confidentiality, for example. The preceding list states that Kathleen should not be able to learn anything about the contents of a message Louis sends to NitroSoft. You may be saying that, if the message is encrypted properly, this is true. Not so: you must consider traffic analysis as well. Traffic analysis is the art and science of examining communication patterns to derive meaning from communications whose contents are otherwise unreadable.

For example, let us say that Louis must receive approval for any deal before he can sign. Further, let us assume that NitroSoft has a process in place for evaluating proposals and receiving approval for the expenditure. The approval process takes ten minutes, and if the proposal is approved, notifying Louis and processing the necessary paperwork for signatures take five more minutes. By timing the response, Kathleen can infer the outcome of the exchange without being able to read any message. This is a simple example, but the point is that you can gain a lot of information by watching traffic volume, message length, timing, and the like, which encryption by itself does not protect.

Primitives and Protocols

Primitives are algorithms or procedures to accomplish a computing task, such as converting plaintext to ciphertext or converting ciphertext to plaintext. Protocols are processes or procedures to accomplish communications between entities. An encryption protocol is the process of encrypting plaintext into ciphertext so that the intended recipient can decrypt the ciphertext and retrieve the plaintext. There are numerous cryptographic algorithms and protocols. The following examples are frequently used cryptographic methods that do not fall strictly into the encryption or decryption category:

         A message authentication code (MAC) is an algorithm to generate a code that can be used by a protocol to establish the authenticity of a message between two entities.

         A key agreement algorithm is part of a protocol that can be used by two entities to compute a shared secret (a key or another token known only to them) even if they cannot communicate over a secure channel.

         A digital signature is an algorithm used by an entity to sign an electronic message; the protocols built on this algorithm are the processes of signing a message and verifying the signature at the destination.

A set of cryptographic protocols forms a library of useful cryptographic tools. These tools, used appropriately, can help a developer create secure applications. The thing to remember is that cryptographic primitives are used to build cryptographic protocols, and these protocols are used in turn to build secure applications. Figure 6.3 depicts this relationship. Developers should not use primitives directly; used by themselves, primitives may be insecure.
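As an added illustration (not code from the book), the following Go program runs the three listed primitives as the protocols just described: Louis and NitroSoft agree on a key with X25519 over a channel that carries only public keys, NitroSoft checks an HMAC-SHA256 tag on Louis's message, and a copy that Kathleen alters by one bit fails both the MAC check and an Ed25519 signature check. The algorithm choices, the sample message, and the ignored key-generation errors are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// macTag computes an HMAC-SHA256 tag over msg with a key both parties share.
func macTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// run exercises the three primitives as the protocols the text describes and reports
// which checks pass for the genuine message and for a copy Kathleen alters in transit.
func run() (agreed, macGenuine, macTamperCaught, sigGenuine, sigTamperCaught bool) {
	msg := []byte("NitroSoft accepts the AdEx proposal") // constructed sample message
	tampered := append([]byte(nil), msg...)
	tampered[0] ^= 1 // one flipped bit
	// Key agreement: each side combines its own X25519 private key with the other's
	// public key, and only public keys ever cross the insecure channel.
	louis, _ := ecdh.X25519().GenerateKey(rand.Reader)
	nitro, _ := ecdh.X25519().GenerateKey(rand.Reader)
	key, _ := louis.ECDH(nitro.PublicKey()) // ECDH errors only for degenerate public keys
	other, _ := nitro.ECDH(louis.PublicKey())
	agreed = bytes.Equal(key, other)
	// MAC with the agreed key: NitroSoft recomputes the tag and compares in constant time.
	tag := macTag(key, msg)
	macGenuine = hmac.Equal(macTag(key, msg), tag)
	macTamperCaught = !hmac.Equal(macTag(key, tampered), tag)
	// Digital signature: anyone holding Louis's public key can verify it, which a MAC
	// cannot offer because NitroSoft, holding the same key, could have forged the tag.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sig := ed25519.Sign(priv, msg)
	sigGenuine = ed25519.Verify(pub, msg, sig)
	sigTamperCaught = !ed25519.Verify(pub, tampered, sig)
	return
}

func main() {
	fmt.Println(run())
}
```

In practice the raw X25519 secret is passed through a key-derivation function before it is used as a MAC or encryption key; the example uses it directly to keep the protocol steps visible.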

Figure 6.3. The relationships between primitives, protocols, and applications


Symmetric and Asymmetric Algorithms

Conventional cryptographic algorithms use what are called keys. A key is electronically represented information that affects the execution of an encryption or decryption algorithm. A keyed algorithm produces different output for different keys. Figure 6.4 depicts an encryption algorithm that takes two inputs, the original plaintext and an encryption key, and produces one output, the ciphertext. Using a different key as one of the inputs produces a different ciphertext. The decryption algorithm also takes two inputs, the ciphertext and a decryption key, and produces a single output, the plaintext (if the decryption key is correct).

Figure 6.4. The encryption process with keys


An encryption algorithm is symmetric if the encryption key is the same as the decryption key. Using a symmetric protocol, Louis and NitroSoft share the same symmetric key, or shared secret. To send a private message to NitroSoft, Louis encrypts the message with the shared symmetric key, and NitroSoft decrypts that message with the same symmetric key.

An encryption algorithm is asymmetric if the encryption and decryption keys differ. One use of asymmetric keys is public/private key cryptography, in which each person has a private and a public key. Using a public/private key protocol, if Louis wants to send a private message to NitroSoft, he encrypts the message with NitroSoft's public key, and NitroSoft then decrypts the message with its private key. Although NitroSoft must maintain the secrecy of its private key, it can give the public key to anyone it chooses (including Kathleen). NitroSoft could even publish the public key in a public directory or phone book. A big advantage of asymmetric cryptographic protocols over symmetric cryptographic protocols is that Louis can obtain NitroSoft's public key from a public directory and send NitroSoft a secret message without ever meeting face to face with anyone at NitroSoft (that is, without ever agreeing on a shared secret symmetric key).
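The symmetric and asymmetric protocols above, as an added Go example rather than the book's code: AES-256-GCM stands in for the symmetric algorithm (the same key seals and opens a message, and a wrong key or an altered ciphertext is rejected), and RSA-OAEP stands in for the public/private case, where Louis needs only the public key NitroSoft may hand to anyone. The algorithm and key-size choices are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// gcmFor returns AES-GCM for a 16-, 24- or 32-byte key; a bad length is a programming error.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// symmetricEncrypt: Louis seals with the key he shares with NitroSoft; the random nonce is prepended.
func symmetricEncrypt(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// symmetricDecrypt needs the identical key; a wrong key or an altered ciphertext fails the tag check.
func symmetricDecrypt(key, sealed []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// asymmetricRoundTrip: NitroSoft publishes the public half of an RSA pair; Louis encrypts with that key alone (RSA-OAEP) and only NitroSoft's private key can decrypt.
func asymmetricRoundTrip(msg []byte) bool {
	nitroSoft, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	louisSends, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, &nitroSoft.PublicKey, msg, nil) // fails only if msg is too long for the key
	got, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, nitroSoft, louisSends, nil)
	return err == nil && string(got) == string(msg)
}
```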

Cryptographic Attacks

To understand fully how to use cryptography in a wireless (or other) application, a developer must understand who her application's adversaries are. In the example, the developer must understand how Kathleen thinks and which techniques she might use to circumvent the security of an application.

Cryptography plays only a small role in an application's security. Certainly, if an application uses bad or weak cryptography, it will be exploitable. However, even if an application uses strong cryptography, it may still be insecure. For example, a privacy application might use a strong encryption algorithm but store the algorithm's decryption key in plaintext in a buffer that is later used to pad transmitted data, thus leaking the key to Kathleen. (Application security is stressed in later chapters.)

Types of Attacks

Consider how Kathleen could attempt to break (attack) an encryption algorithm. Recall that an encryption algorithm is a keyed protocol designed to protect the privacy of information. Kathleen can break an encryption algorithm if she can learn any information about the plaintext corresponding to encrypted ciphertext. By this, we mean learning any information about the plaintext: the number of 1 bits in the plaintext, the value of the fifth bit, or the entire message.

To obtain information about the plaintext, Kathleen can try every possible decryption key until she finds the correct one. This is called a brute force or exhaustive key search attack. When Kathleen learns the decryption key, she can decrypt the entire ciphertext and any subsequent ciphertext transmitted.

Rather than mount a brute force attack, Kathleen could try to exploit an obscure property of the algorithm itself. Such an attack is referred to as a smart or shortcut attack. Although shortcut attacks typically require less time than brute force attacks, they may be less practical in the real world (for example, they can require an exorbitant amount of memory or observed ciphertexts).

What would Kathleen's attacks look like? There are two general types of attacks: passive attacks and active attacks. In a passive attack, Kathleen would simply listen to and record the communications between Louis and NitroSoft. After collecting enough data, she could perform some computation and try to break the protocol between Louis and NitroSoft. In an active attack, Kathleen would actually interfere with the communication between Louis and NitroSoft. She could do the following:

         Prevent NitroSoft from receiving some of Louis's messages.

         Modify some of Louis's messages in transit.

         Save some of Louis's messages and resend them at a later date (commonly referred to as a replay attack).

         Pretend to be Louis to NitroSoft and NitroSoft to Louis (the man in the middle).

Costs of Attacks

Almost all modern cryptographic protocols are breakable in theory. Given enough time and resources, you could break virtually any cryptographic protocol. The question is not whether someone can break a cryptographic protocol but whether it is practical in real life. This aspect of breaking cryptography leads cryptographers to classify an attack against a cryptographic algorithm by the attack's requirements. The more practical an attack, the more susceptible an algorithm is to that attack.

The other aspect is cost: how much memory the attack needs and how long it takes. Does the attack algorithm run in minutes, days, years, or centuries? The more time required, the less vulnerable the cryptography. Thus, the measure of an attack's cost gives an indication of the attacked encryption algorithm's strength.

Of course, even if all known attacks against an algorithm currently require too much time or memory to execute, advances in scientific research or in computing power will yield considerably faster attacks. For example, in the 1970s, single DES with its 56-bit key was considered secure enough to protect sensitive information. Now these keys can be brute-force attacked in hours on a network of standard desktop personal computers.

Another aspect of an attack's requirements is the information necessary. Because we are considering attacks against an encryption algorithm, we might ask how much ciphertext is required for analysis or whether knowledge of part of the plaintext is required. The more information required by an attacker, the less likely an attacker will be able to mount a successful attack.

Large Numbers

We close this section with a discussion of large numbers. In the preceding subsection we mentioned that a cryptographic algorithm may be considered secure if it is infeasible for an attacker to mount an attack in practice. Perhaps it takes too much time, consumes too much memory, or requires too many ciphertext samples. But how much is too much? We will answer that question in the section "Choices." For now, let us point out that too much is usually a very large number on the order of 2^128. So that you can put these large numbers in context, and for future reference, see Table 6.1. This table is taken from Applied Cryptography: Protocols, Algorithms, and Source Code in C, by B. Schneier, John Wiley and Sons, second edition, 1996.

Table 6.1. Examples of Large Numbers

Physical Analogue               Number
Years until next ice age        2^14
Age of the Earth in years       2^30
Age of the Universe in years    2^34
Number of atoms in the Earth    2^170
Number of atoms in the Sun      2^190
Number of atoms in the galaxy   2^223
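To put the attack-cost discussion and the large numbers of Table 6.1 into figures, here is an added Go calculation (not from the book) for an exhaustive key search: the expected number of trials is half the key space, the time is expressed both in hours and in the power-of-two years that the table uses, and the calculation is inverted to give the key length a defender needs for a chosen target search time. The 10^12 keys-per-second rate is a constructed assumption.

```go
package main

import (
	"fmt"
	"math"
)

const secondsPerYear = 365.25 * 24 * 3600

// expectedTrials is the average number of keys tried before an exhaustive search
// of a keyBits-bit key space hits the right one: half of the 2^keyBits keys.
func expectedTrials(keyBits int) float64 {
	return math.Ldexp(1, keyBits-1)
}

// expectedSeconds turns trials into wall-clock time at a search rate of
// keysPerSecond (summed over every machine the attacker controls).
func expectedSeconds(keyBits int, keysPerSecond float64) float64 {
	return expectedTrials(keyBits) / keysPerSecond
}

// log2Years expresses that time as a power of two in years, the scale Table 6.1
// uses, so the attack can be compared with the physical analogues listed there.
func log2Years(keyBits int, keysPerSecond float64) float64 {
	return math.Log2(expectedSeconds(keyBits, keysPerSecond) / secondsPerYear)
}

// minKeyBits is the defender's question: the smallest key length whose exhaustive
// search at keysPerSecond is expected to take at least targetYears.
func minKeyBits(targetYears, keysPerSecond float64) int {
	trials := targetYears * secondsPerYear * keysPerSecond // trials the attacker can afford
	return int(math.Ceil(math.Log2(trials))) + 1            // expected trials are 2^(bits-1)
}

func main() {
	const rate = 1e12 // constructed assumption: 10^12 keys per second
	fmt.Printf("56-bit key: about %.1f hours\n", expectedSeconds(56, rate)/3600)
	fmt.Printf("128-bit key: about 2^%.0f years (age of the universe is 2^34)\n", log2Years(128, rate))
	fmt.Printf("to outlast the universe at that rate you need a %d-bit key\n", minKeyBits(math.Ldexp(1, 34), rate))
}
```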

 



Wireless Security and Privacy: Best Practices and Design Techniques
ISBN: 0201760347
Year: 2002