When designing network protocols and applications that will be deployed on a large scale, it is important to take those DDoS attacks into account. Attackers use different strategies to launch DDoS attacks. Some have managed to gain control of a large number of sources by injecting malware on them. Others, and this is where protocol designers have an important role to play, simply exploit design flaws in some protocols. Consider a simple request-response protocol where the client sends a request and the server replies with a response. Often the response is larger or much larger than the request sent by the client. Consider that such a simple protocol is used over a datagram network. When Alice sends a datagram to Bob containing her request, Bob extracts both the request and Alice's address from the packet. He then sends his response in a single packet destined to Alice. Mallory would like to create a DoS attack against Alice without being identified. Since he has studied the specification of this protocol, he can send a request to Bob inside a packet having Alice's address as its source address. Bob will process the request and send his (large) response to Alice. If the response has the same size as the request, Mallory is producing a `reflection attack` since his packets are reflected by Bob. Alice would think that she is attacked by Bob. If there are many servers that operate the same service as Bob, Mallory could hide behind a large number of such reflectors. Unfortunately, the reflection attack can also become an amplification attack. This happens when the response sent by Bob is larger than the request that it has received. If the response is :math:`k` times larger than the request, then when Mallory consumes 1 Gbps of bandwidth to send requests, his victim receives :math:`k` Gbps of attack traffic. 
Such amplification attacks are a very important problem and protocol designers should ensure that they never send a large response before having received the proof that the request that they have received originated from the source indicated in the request.
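One way to obtain that proof before sending a large response is a stateless address-validation cookie. The sketch below is an added example, not code from the original text; the `REQ`/`COOKIE` wire format, the addresses, the secret and the 30-second lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

SERVER_SECRET = b"constructed-demo-secret"  # constructed; use random bytes in practice
COOKIE_LIFETIME = 30                         # seconds, assumed policy
LARGE_RESPONSE = b"R" * 3000                 # constructed stand-in for Bob's answer


def make_cookie(addr, now):
    """timestamp || HMAC(secret, timestamp || address); Bob keeps no per-client state."""
    ts = struct.pack("!I", now)
    mac = hmac.new(SERVER_SECRET, ts + addr.encode(), hashlib.sha256).digest()[:16]
    return ts + mac


def cookie_is_valid(cookie, addr, now):
    if len(cookie) != 20:
        return False
    ts = struct.unpack("!I", cookie[:4])[0]
    if not 0 <= now - ts <= COOKIE_LIFETIME:
        return False
    return hmac.compare_digest(cookie, make_cookie(addr, ts))


def handle_datagram(src_addr, payload, now):
    """Return the bytes Bob sends to src_addr, or None if he stays silent.

    Hypothetical wire format: b"REQ" + 20-byte cookie + query.
    """
    if payload.startswith(b"REQ") and cookie_is_valid(payload[3:23], src_addr, now):
        return LARGE_RESPONSE          # source address proven: large reply is safe
    reply = b"COOKIE" + make_cookie(src_addr, now)
    # Unproven source: never send more bytes than were received.
    return reply if len(payload) >= len(reply) else None


def amplification_factor(request, response):
    """k = bytes sent to the claimed source / bytes received from the sender."""
    return 0.0 if response is None else len(response) / len(request)
```

A cookie only reaches the address it was issued for, so a sender who spoofs Alice's address never sees the cookie bound to that address and the reflected traffic stays at or below the size of the request.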
Cryptographic primitives
Cryptographic techniques were initially defined and used by spies and armies to exchange secret information in a manner that ensures that adversaries cannot decode the information even if they capture the message or the person carrying the message. A wide range of techniques have been defined. The first techniques relied on their secrecy to operate. One of the first encryption schemes is attributed to Julius Caesar. When he sent confidential information to his generals, he would encode each message by replacing each letter with another letter that is :math:`n` positions after this letter in the alphabet. For example, the message `SECRET` becomes `VHFUHW` when encoded using Caesar's cipher. This technique could have puzzled some soldiers during Caesar's wars, but today even young kids can recover the original message from the ciphered one.
The security of the Caesar cipher depends on the confidentiality of the algorithm, but experience has shown that it is impossible to assume that an algorithm will remain secret, even for military applications. Instead, cryptographic techniques must be designed by assuming that the algorithm will be public and known to anyone. However, its behavior must be controlled by a small parameter, known as the key, that will only be known by the users who need to communicate secretly. This principle is attributed to Auguste Kerckhoffs, a French cryptographer who first documented it :
`A cryptographic algorithm should be secure even if the attacker knows everything about the system, except one parameter known as the secret key.`
This principle is important because it remains the basic assumption of all cryptographers. Any system that relies on the secrecy of its algorithm to be considered secure is doomed to fail and be broken one day.
With Kerckhoffs' principle, we can now discuss a simple but powerful encryption scheme that relies on the `XOR` logic operation. This operation is easily implemented in hardware and is supported by all microprocessors. Given a secret, :math:`K`, it is possible to encode a message `M` by computing :math:`C_M = K \oplus M`. The receiver of this message can recover the original message since :math:`M = K \oplus (K \oplus M)`. This `XOR` operation is the key operation of the perfect cipher that is also called the Vernam cipher or the one-time pad. This cipher relies on a key that contains purely random bits. The encrypted message is then produced by XORing all the bits of the message with all the bits of the key. Since the key is random, it is impossible for an attacker to recover the original text (or plain text) from the encrypted one. From a security viewpoint, the one-time pad is the best solution provided that the key is as long as the message.
Unfortunately, it is difficult to use this cipher in practice since the key must be as long as the message that needs to be transmitted. If the key is smaller than the message and the message is divided into blocks that have the same length as the key, then the scheme becomes less secure since the same key is used to decrypt different parts of the message. In practice, `XOR` is often one of the basic operations used by encryption schemes. To be usable, the deployed encryption schemes use keys that are composed of a small number of bits, typically 56, 64, 128, 256, ...
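The following added example (not part of the original text) shows the one-time pad round trip and why reusing a short key across blocks is weaker: the XOR of two ciphertext blocks equals the XOR of the two plaintext blocks, with the key cancelled out. The sample message and the 16-byte block length are constructed for the demonstration.

```python
import secrets


def xor_bytes(a, b):
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("operands must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(key, message):
    """One-time pad: C_M = K xor M, with a random key as long as the message."""
    return xor_bytes(key, message)


def otp_decrypt(key, ciphertext):
    """M = K xor (K xor M)."""
    return xor_bytes(key, ciphertext)


def encrypt_with_short_key(key, message):
    """The weakened variant: cut M into key-sized blocks and reuse K for each."""
    out = bytearray()
    for i in range(0, len(message), len(key)):
        block = message[i:i + len(key)]
        out += xor_bytes(key[:len(block)], block)
    return bytes(out)


def xor_of_first_two_blocks(ciphertext, block_len):
    """Computable without K: C_1 xor C_2 = (K xor M_1) xor (K xor M_2) = M_1 xor M_2."""
    return xor_bytes(ciphertext[:block_len], ciphertext[block_len:2 * block_len])


# Constructed sample: two 16-byte blocks, the first a predictable header.
MESSAGE = b"HEADER: VERSION1PIN CODE IS 4821"


def demo():
    long_key = secrets.token_bytes(len(MESSAGE))
    short_key = secrets.token_bytes(16)
    assert otp_decrypt(long_key, otp_encrypt(long_key, MESSAGE)) == MESSAGE
    leak = xor_of_first_two_blocks(encrypt_with_short_key(short_key, MESSAGE), 16)
    # Anyone who can guess block 1 obtains block 2 from the leak, never seeing K.
    return xor_bytes(leak, MESSAGE[:16])
```

`demo()` returns the second plaintext block whatever random key was drawn, which is why a pad must never be reused.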
A secret key encryption scheme is a perfectly reversible function, i.e. given an encryption function `E`, there is an associated decryption function `D` such that :math:`\forall K \forall M : D(K, E(M,K))=M`.
Various secret key cryptographic functions have been proposed, implemented and deployed. The most popular ones are :
- DES, the Data Encryption Standard that became a standard in 1977 and has been widely used by industry. It uses 56-bit keys that are not considered sufficiently secure nowadays since attackers can launch brute-force attacks by testing all possible keys. Triple DES combines three 56-bit keys, making brute-force attacks more difficult.
- RC4 is an encryption scheme defined in the late 1980s by Ron Rivest for RSA Security. Given the speed of its software implementation, it has been included in various protocols and implementations. However, cryptographers have identified several weaknesses in this algorithm. It is now deprecated and should not be used anymore :rfc:`7465`.
- AES or the Advanced Encryption Standard is an encryption scheme that was designed by the Belgian cryptographers Joan Daemen and Vincent Rijmen in 2001 [DR2002]_. This algorithm has been standardized by the U.S. National Institute of Standards and Technology (NIST). It is now used by a wide range of applications and various hardware and software implementations exist. Many microprocessors include special instructions that ease the implementation of AES. AES divides the message to be encrypted in blocks of 128 bits and uses keys of length 128, 192 or 256 bits. The block size and the key length are important parameters of an encryption scheme. The block size indicates the smallest message that can be encrypted and forces the sender to divide each message in blocks of the supported size. If the length of the message is not an integer number of blocks, then the message must be padded before being encrypted and this padding must be removed after decryption. The key size indicates the resistance of the encryption scheme against brute-force attacks, i.e. attacks where the attacker tries all possible keys to find the correct one.
AES is widely used as of this writing, but other secret key encryption schemes continue to appear. ChaCha20, proposed by D. Bernstein, is now used by several internet protocols :rfc:`7539`. A detailed discussion of encryption schemes is outside the scope of this book. We will consider encryption schemes as black boxes whose operation depends on a single key. A detailed overview of several of these schemes may be found in [MVV2011]_.
In the 1970s, Diffie and Hellman proposed in their seminal paper [DH1976]_, a different type of encryption : `public key cryptography`. In public key cryptography, each user has two different keys :
- a public key (:math:`K_{pub}`) that he can distribute to everyone
- a private key (:math:`K_{priv}`) that he needs to store in a secure manner and never reveal to anyone
These two keys are generated together and they are linked by a complex mathematical relationship that is such that it is computationally difficult to compute :math:`K_{priv}` from :math:`K_{pub}`.
A public key cryptographic scheme is a combination of two functions :
The public key is used to encrypt a message so that it can only be read by the intended recipient. For example, let us consider two users : Alice and Bob. Alice (resp. Bob) uses the keys :math:`A_{priv}` and :math:`A_{pub}` (resp. :math:`B_{priv}` and :math:`B_{pub}`). To send a secure message `M` to Alice, Bob computes :math:`CM=E_p(A_{pub},M)` and Alice can decrypt it by using :math:`D_p(A_{priv},CM)=D_p(A_{priv},E_p(A_{pub},M))=M`.
Several public key encryption schemes have been proposed. Two of them have reached wide deployment :
- The Rivest Shamir Adleman (RSA) algorithm [#frsa]_ proposed in [RSA1978]_ that relies on modular exponentiation with large integers.
- The Elliptic Curve Cryptography techniques [#fecc]_ that rely on special properties of elliptic curves.
Another interesting property of public key cryptography is its ability to compute `signatures` that can be used to authenticate a message. This capability comes from the utilization of two different keys that are linked together. If Alice wants to sign a message `M`, she can compute :math:`SM=E_p(A_{priv},M)`. Anyone who receives this signed message can extract its content as :math:`D_p(A_{pub},SM)=D_p(A_{pub},E_p(A_{priv},M))=M`. Everyone can use :math:`A_{pub}` to check that the message was signed by using Alice's private key (:math:`A_{priv}`). Since this key is only known by Alice, the ability to decrypt `SM` is a proof that the message was signed by Alice herself.
In practice, encrypting a message to sign it can be computationally costly, in particular if the message is a large file. A faster solution would be to summarize the document and only sign the summary of the document. A naive approach could be based on a checksum or CRC computed over the message. Alice would then compute :math:`C=Checksum(M)` and :math:`SC=E_p(A_{priv},C)`. She would then send both `M` and `SC` to the recipient of the message who can easily compute `C` from `SC` and verify the authenticity of the message. Unfortunately, this solution does not protect Alice and the message's recipient against a man-in-the-middle attack. If Mallory can intercept the message sent by Alice, he can easily modify Alice's message and tweak it so that it has the same checksum as the original one. The CRCs, although more complex to compute, suffer from the same problem.
To efficiently sign messages, Alice needs to be able to compute a summary of her message in a way that prohibits an attacker from generating a different message that has the same summary. `Cryptographic hash functions` were designed to solve this problem. The ideal hash function is a function that returns a different number for every possible input. In practice, it is impossible to find such a function. Cryptographic hash functions are an approximation of this perfect summarization function. They compute a summary of a given message in 128, 160, 256 bits or more. They also exhibit the `avalanche effect`. This effect indicates that a small change in the message causes a large change in the hash value. Finally, hash functions are very difficult to invert. Knowing a hash value, it is computationally very difficult to find the corresponding input message. Several hash functions have been proposed by cryptographers. The most popular ones are :
- MD5, originally proposed in :rfc:`1321`. It has been used in a wide range of applications. In 2010, attacks against MD5 were published and this hash function is now deprecated.
- SHA-1 is a cryptographic hash function that was standardized by the NIST in 1995. It outputs 160-bit results. It is now used in a variety of network protocols.
- SHA-2 is another family of cryptographic hash functions designed by the NIST. Different variants of SHA-2 can produce hash values of 224, 256, 384 or 512 bits.
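The difference between signing a checksum and signing a cryptographic hash can be checked directly. This added example (not from the original text) uses the 16-bit Internet checksum of RFC 1071 as the naive summary and SHA-256 as the hash; the two messages are constructed, and the public key operation itself is not modelled, only the summary comparison the recipient performs.

```python
import hashlib

# Constructed messages: same 16-bit words, two pairs swapped ("1000" <-> "9999").
ORIGINAL = b"pay 1000 to bob and 9999 to eve"
TAMPERED = b"pay 9999 to bob and 1000 to eve"


def internet_checksum(data):
    """16-bit one's complement sum (RFC 1071), used here as the naive summary."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def sha256(data):
    return hashlib.sha256(data).digest()


def recipient_accepts(summary, signed_summary, received):
    """The recipient's check: recompute the summary of M and compare it with the
    value recovered from the signature (the public key step is not modelled)."""
    return summary(received) == signed_summary


def differing_bits(a, b):
    """Number of bit positions in which two equal-length digests differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def demo():
    signed_checksum = internet_checksum(ORIGINAL)   # C, which Alice signs as SC
    signed_hash = sha256(ORIGINAL)
    one_bit_flipped = bytes([ORIGINAL[0] ^ 1]) + ORIGINAL[1:]
    return {
        "checksum_accepts_tampered": recipient_accepts(internet_checksum, signed_checksum, TAMPERED),
        "sha256_accepts_tampered": recipient_accepts(sha256, signed_hash, TAMPERED),
        "avalanche_bits": differing_bits(signed_hash, sha256(one_bit_flipped)),
    }
```

Because the checksum is a sum of 16-bit words, reordering the words leaves it unchanged, so the signed checksum still matches the tampered message; the signed SHA-256 value does not, and flipping a single input bit changes roughly half of its 256 output bits.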