http://www.infotech.monash.edu Review FIT5163: Information & Computer Security Week 1: Introduction Security standards – International standards, e.g., ITU-T X.800 – National standards, e.g., NIST, FIPS Security Attacks – Passive attacks, e.g., interception – Active attacks, e.g., interruption, tampering, fabrication Security services – Confidentially, integrity, availability, authentication… Security mechanisms – Encryption, digital signature, access controls, traffic padding, routing control Week 2: Encryption Principles Classical ciphers – Substitution ciphers – Transposition ciphers – Product ciphers – Security analysis: language statistics Attributes of crypto systems – Avalanche effect – Unconditional security – Computational security Cryptanalysis – Ciphertext only attack, known plaintext attack, chosen plaintext attack, chosen ciphertext attack, chosen text attack – Brute force attack Week 3: Symmetric Encryption Stream cipher: RC4 Block cipher: DES/AES – Structure: Feistel / SP – Block size: 64-bit / 128-bit – Key size: 64-bit (56-bit in use) / 3 key sizes (128-bit, 192-bit, 256-bit) – Number of rounds: 16 / (10, 12, 14) – The operations within each round – Subkey generation Mode of operations for block cipher – ECB, CBC, CFB, OFB, and CTR – Characteristics, advantages, disadvantages, and differences Week 4: Number Theory Integer Factorisation Problem (IFP) – N=p*q, where p and q are primes Concept of groups, rings, fields – Modular arithmetic with integers – Finite fields GF(p) Fermat’s Little and Euler’s Theorems & (n) – a (n) = 1 (mod n), for any a,n where gcd(a,n)=1 Chinese Reminder Theorem (CRT) – Accelerate RSA encryption/decryption Primitive Roots Discrete Logarithm Problem (DLP) – Given , = !mod p, it’s hard to get Group, Ring, and Field Group (A1) Closure under addition: If a and b belong to S, then a + b is also in S (A2) Associativity of addition: a + (b + c)=(a + b) + c for all a,b,c in S (A3) Additive identity: There is an element 0 in R such that a + 0 = 0 + a=a for all a in S (A4) Additive inverse: For each a in S there is an element -a in S such that a + (-a) = (-a) + a =0 Abelian Group (A5) Commutativity of addition: a + b = b + a for all a, b in S Ring (M1) Closure under multiplication: If a and b belong to S, then ab is also in S (M2) Associativity of multiplication: a(bc) = (ab)c for all a, b, c in S (M3) Distributive laws: a(b + c) = ab + ac for all a, b, c in S (a + b)c = ac + bc for all a, b, c in S Com m utative Ring (M4) Commutativity of multiplication: ab = ba for all a, b in S Integral Dom ain (M5) Multiplicative Identity: There is an element 1 in S such that a1 = 1a = a for all a in S (M6) No zero divisors: If a, b in S and ab = 0, then either a = 0 or b = 0 Field (M7) Multiplicative inverse: If a belong to S and a ≠ 0, there is an element a-1 in S such that aa-1 = a-1a = 1 Week 5: Public-key Encryption Why public key cryptography – Key distribution of symmetric encryption – Digital signature The RSA public key cryptosystem Efficient Operations: – Square and multiply algorithm – Special e=3 or e=65537 – CRT RSA Security: – CCA – Side-channel attacks – Mathematical attacks Hybrid system Week 6: Public-key Encryption II Distribution of public key – Public announcement – Publicly available directory – Public-key authority and certificates No key distribution issue: – DH key exchange protocol > Man-in-the-middle attack > How to extend it to multiple parties – Advanced asymmetric cryptosystem > IDE: one-to-one encryption > ABE: one-to-many encryption Hash functions – Properties: one-way, collision resistance, deterministic Week 7: Digital Signature I Basic digital signature schemes – RSA – Schnorr Signature Scheme Advanced Signature Schemes – Threshold signature – Aggregate signature – What are the differences and similarities between the two schemes Anonymous Signature Schemes – Group Signature – Ring Signature – What are the differences and similarities between the two schemes – Linkable ring signature Week 8: Digital Signature II 5 Attacks models – How does they work 4 Forges – What are they Which attack works on RSA signature How does it work – What about the RSA signature with hash Blind signature – How it works MAC – Integrity & Authenticity – Based on symmetric crypto primitives – HMAC Week 8: ECC ECDLP – If Q=kP, given Q and P, it’s hard to get x Why the key size of ECC is shorter than RSA and DH Point addition: Q=P+P’ Scalar multiplication: Q=kP ECDSA Week 9: Lightweight Security TMD tradeoff attack – Offline/pre-computation phase > No access to online data > No target yet > Only done once – Online/real-time phase > Must be repeat for each target TMD attack on stream cipher Online/offline signatures – Trapdoor hash functions Online/offline encryption – DH related hard problems: DLP, CDH, DDH, DBDH – IBE: avoid online exponentiation operations Week 10: Database Security Searchable encryption: protect database from internal adversary Categories & Query types 2 typical primitives – Deterministic encryption – Order preserving encryption Leakage – Statistical information – Order information – Access pattern Leakage-abused attacks Primitives with stronger security guarantee – ORAM – Fully Homomorphic Encryption (FHE) Week 11: Attacks on Implementation Non-invasive attacks (low-cost) – Timing attack – Cache attack – Simple Power Analysis (SPA) attack – Differential Power Analysis (DPA) attack Semi-invasive attacks (affordable) – Fault-injection attack – Bellcore attack on RSA – Attack on CRT implementations of RSA Invasive attack (expensive) Final Exam 20 Multiple choices questions (10 marks in total, each 0.5 mark ) 6 Essay questions (50 marks in total) 2 hours + 10minutes Example MCQs How can a timing attack on RSA be prevented A. By performing the “square and multiply” modular exponentiation algorithm using keys with equal number of 1’s and 0’s B. By randomizing the exponent C. By performing an additional constant time operation after modular exponentiation is finished D. None of the above What is the result of the operation A. 1 B. 41 C. 10 D. 100 Example Essay Questions What are the difference and similarity between threshold signature scheme and aggregate signature scheme (8 marks) The Answer Difference (2 marks for each bullet): – Threshold signature requires t out of n users to sign a single message; Aggregate signature requires n users to sign n different messages – Threshold signature only has one public key, and each user has a unique private key; in aggregate signature, each user has a unique private and public key pairs – Threshold signature needs a leader or manager to generate a private key for each user; In aggregate signature, no leader is needed, each user generates its key pair Similarity: verify once only (2 marks) Example Essay Questions Which attacks the above algorithm can counter and cannot counter Justify your answer (6 marks) else T ← a × m mod n Answer It can counter timing attack (1 mark) . Because it takes constant time no matter what the d is (2 marks). It cannot counter fault-injection attack (1 mark). Because the dummy operation does not affect the final output, the attacker can still see how the injected fault affect the output (2 marks).
