CNS - 01 - Introduction


Lecture Info


In this lecture we discussed the objectives and the syllabus of the course. We then started by introducing the Vernam cipher and some basic aspects of security.

1 Course details

1.1 Objectives

We are here for three main reasons:

  1. Learn how to use encryption. The big problem is not having good cryptography; the real problem is how to use it correctly. Indeed, most real-world problems do not occur because crypto is broken, but rather because of misconfigured cryptography. By learning how mistakes are made we will also gain a deeper insight into how to prevent and fix those mistakes.

  2. Understand Internet Security Protocols. During this course we will mainly focus on the network part of computer security.

  3. Modern tools and their exploitation. This part is for 3 extra CFU and can be skipped altogether.

1.2 Syllabus

We will cover the following topics:

  • Basic crypto (2 CFU): attacks, countermeasures, security services and basic cryptographic constructions.

  • Authentication and network protocol support (1.5 CFU).

  • In-depth analysis of TLS and IPsec (2.5 CFU): Very deep analysis of the TLS protocol used for web security. We will see a very large number of attacks (BEAST, CRIME, renegotiation, ROBOT, etc.) on this protocol, to think about and understand why a very well designed protocol might still have some vulnerabilities.

  • Advanced crypto (3 CFU): in this last part we will see how network cryptography has evolved in the last decade.

  • Extras: TESLA, Merkle Trees, Blockchain basics, wireless security and occasional dedicated talks.

1.3 Recommended books

Recommended books for beginners:

  • Serious Cryptography, very good practical treatment of crypto!

  • AAA and Network Security for Mobile Access, plenty of materials on protocols: PPP, Radius, Diameter, EAP, IPsec, PKI, etc.

  • SSL and TLS Essentials, old like hell, but very nice.

Best ever online references

Extra material:

  • Mathematica files

  • Slides

  • Papers

2 Vernam Cipher

The best possible cipher is called the one-time pad (also known as the Vernam cipher).

This cipher is based on the following idea: suppose you have a plaintext such as \(\text{10111101...}\) that you want to protect. The cipher works by generating a key, which in this case is a random sequence of bits such as \(\text{00110010...}\). The important thing is that the key is as long as the plaintext we want to protect. Once we have generated the key, we apply the XOR operator to the bits of the key and those of the plaintext. The resulting bits are the encrypted bits.

\[\text{plaintext} \mathbin{\oplus} \text{key} = \text{10111101...} \mathbin{\oplus} \text{00110010...} = \text{10001111...} = \text{encrypted plaintext}\]

It turns out that this is the best encryption mechanism. Decryption is done by applying XOR once again, this time to the result of the encryption process and the key. This works because the XOR operator is its own inverse. Thus, with XOR, encryption and decryption are the same operation.

\[\text{encrypted plaintext} \mathbin{\oplus} \text{key} = \text{10001111...} \mathbin{\oplus} \text{00110010...} = \text{10111101...} = \text{plaintext}\]

The benefits of this encryption mechanism, however, do not come for free. Indeed, some critical assumptions have to be met. The Vernam cipher is perfectly secure (technically called unconditionally secure) if and only if the following assumptions hold:

In practice these three assumptions are really hard, if not completely impossible, to actually satisfy. This means that this mechanism is actually extremely impractical to use. Indeed, to transfer the private key one would need to have an already secured channel. But the key is as long as the plain text. So why even bother generating the key, when you can directly send the text over the secure channel? The one time pad works in theory, but not in practice.

Observation: With quantum computing the problem of exchanging keys becomes much more practical to solve.

3 Aspects of Security (CIA)

Some people, especially those who do not study the field of security, ask themselves the following question: "How can I secure my system?" This question is fundamentally wrong, because in security you cannot "secure" a system in a general sense. You always need to have defined an adversary, or a threat. You don't just secure your system; you secure it against a specific adversary or threat.

When you talk about encryption, the adversary is the so-called eavesdropper, which is the guy that wants to look at your text to understand what's inside.

The three aspects of security are generally abbreviated as CIA, and are:

Notice that the one-time pad is perfectly secure with respect to confidentiality, but it provides no integrity. Indeed, an eavesdropper (let's call her Eve) can carry out a man-in-the-middle (MITM) attack: take the message, flip a bit in it, and send it on to the receiver. The receiver is not able to tell that the contents of the message have been modified.
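The XOR encryption of section 2 and the bit-flip problem described above, as an added example that is not part of the original lecture material. The sample message and all function names are constructed for illustration; the HMAC tag goes beyond the lecture text and is included only to show what an integrity check on the ciphertext catches.

```python
import hashlib
import hmac
import secrets


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """One-time pad: XOR each data byte with the key byte at the same position."""
    if len(key) != len(data):
        raise ValueError("the pad must be exactly as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with one bit inverted (bit 0 = MSB of byte 0)."""
    out = bytearray(data)
    out[bit_index // 8] ^= 0x80 >> (bit_index % 8)
    return bytes(out)


def tag(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Integrity tag over the ciphertext (HMAC-SHA256, added for this example)."""
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def lecture_bits() -> tuple:
    """Redo the lecture's 8-bit example; returns (ciphertext, recovered plaintext)."""
    p, k = bytes([0b10111101]), bytes([0b00110010])
    c = xor_bytes(p, k)
    return format(c[0], "08b"), format(xor_bytes(c, k)[0], "08b")


def demo() -> dict:
    message = b"PAY 100 EUR TO BOB"          # constructed sample plaintext
    pad = secrets.token_bytes(len(message))  # random key, as long as the message
    mac_key = secrets.token_bytes(32)        # independent key for the tag
    ciphertext = xor_bytes(message, pad)
    t = tag(mac_key, ciphertext)
    tampered = flip_bit(ciphertext, 39)      # one bit changed in transit
    received = xor_bytes(tampered, pad)      # decryption still "succeeds"
    return {
        "received": received,
        "diff": xor_bytes(received, message),  # only the flipped bit differs
        "tag_accepts_original": hmac.compare_digest(t, tag(mac_key, ciphertext)),
        "tag_accepts_tampered": hmac.compare_digest(t, tag(mac_key, tampered)),
    }


if __name__ == "__main__":
    print(lecture_bits(), demo())
```

Decryption of the tampered ciphertext raises no error and yields a plausible plaintext, while the tag comparison rejects it: confidentiality and integrity are separate properties and need separate mechanisms.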