Introduction to Information Security


Copyright © 2005 David M. Wheeler, All Rights Reserved
Desert Code Camp:
Introduction to
Cryptography
David M. Wheeler
May 6th 2006
Phoenix, Arizona
Introduction
David M. Wheeler, CISSP
15 Years Experience in Computer & Network Security, 20 Years in the Industry
Published papers on Key Management, Wireless Security, Java Security, Hardware
Cryptographic Modules, and Platform Trust
Built security systems and cryptographic algorithms at every system level,
including applications, web services, network stacks, Operating System
services, device drivers, and microcode firmware in CPUs.
Have worked for Honeywell Bull, Motorola Government Systems Group, Touch
Technology (Smartcard Services), and run my own consulting business
Currently working for Intel, as the Manager and Design Lead for Intel’s Wireless
Trusted Platform Module, a hardware cryptographic module embedded in an
ARM-compliant Cellphone processor
Agenda
• Terminology
• Types of Algorithms
• Symmetric Encryption Algorithms
• Message Digest Algorithms
• Public Key (Asymmetric) Algorithms
• Digital Signature Algorithms
• Resources
For Each Algorithm…
• What class of algorithms does this algorithm belong to?
– Example: this is a message digest algorithm, or this is a symmetric encryption algorithm
• Characteristics of the algorithm
– Inputs, outputs, operations
• What is this algorithm used for?
– Example: this algorithm is used to guarantee confidentiality
• What are the attacks and gotchas?
– What are some things a lot of people get wrong when using this algorithm
• Some code in Java (and maybe C++)
• Resources and links
Disclaimer
• This is a BRIEF introduction
• This is intended to make you WISER in your evaluation of security protections
• This is NOT intended to make you able to go roll-your-own security
• Security expertise takes a lot of study, and a long time to get right
• There is a lot of bad security out there

Algorithms
C.I.A.
Algorithm Usages
Confidentiality
– Concealment of information or resources
• Perhaps even concealment of the existence of information
• E.g. suppose you knew of the existence of a voluntary HIV test in a particular person's
medical records, but you did not know the exact result or even the date of the test
– Access control supports confidentiality by restricting the availability of information
to a particular group of entities
Integrity
– Trustworthiness of data or resources
– Data integrity refers to the accuracy of the data (integrity)
– Origin integrity refers to the genuineness of the data's source (authentication)
Availability
– Ability to use information or resources
– Non-repudiation supports availability indirectly: any action that may destabilize a
system or information set is traceable to the entity that caused the problem, making that
entity accountable for its actions
Classes of Algorithms
• Message Digest Algorithms
• Symmetric Encryption Algorithms
• Message Authentication Codes
• Asymmetric Encryption Algorithms
• Digital Signature Algorithms
Java Cryptography
Crypto examples will be shown in Java
What is the JCA?
The Java Cryptography Architecture is a framework for accessing and developing
cryptographic functionality for the Java platform. The JCA includes classes for digital
signatures, message digests, certificates, and secure random numbers.
What is the JCE?
The Java Cryptography Extension is an extension to the JCA that provides the security
functionality that was historically restricted by export controls, including encryption,
key exchange, and message authentication codes. It has shipped as part of the JRE since
Java 1.4.
JCE Functions
Random Numbers (SecureRandom)
• getInstance(), nextBytes(); the SHA1PRNG implementation uses a hash algorithm to generate random bytes
Hash Functions (MessageDigest)
• getInstance(), update(), digest(), reset()
Message Authentication Codes (Mac)
• getInstance(), init(), update(), doFinal()
Symmetric Ciphers (Cipher)
• getInstance(), init(), update(), doFinal()
Asymmetric Algorithms (Cipher, Signature, KeyPairGenerator, KeyAgreement)
Java Cryptographic Service Providers
JCA allows the cryptography provider to be selected by the application
1. Edit the security properties file (java.security) to add your provider to the
beginning of the provider list so that it is tried first by default
    security.provider.1=cryptix.jce.provider.CryptixCrypto
    security.provider.2=com.rsa.jsafe.provider.JsafeJCE
    security.provider.3=sun.security.provider.Sun
2. Or install the service provider at runtime (insertProviderAt takes a Provider
object, not a class name)
    Security.insertProviderAt(new cryptix.jce.provider.CryptixCrypto(), 1);
3. Or name the provider to use when accessing the JCA/JCE (the provider's short
name, "CryptixCrypto" here, not its class name; DES appears only as the example transformation)
    Cipher c1 = Cipher.getInstance("DES/CBC/NoPadding", "CryptixCrypto");
The crypto provider must be on the classpath or installed in the jre/lib/ext
directory (the ext directory was removed in JDK 9; use the classpath or module path there)
Identifying Providers
The JCA can list the installed providers
    Provider[] providers = Security.getProviders();
    for (Provider p : providers) {
        p.getName();
        p.getInfo();
        p.getVersion();
    }
Using BSAFE Crypto-J
Crypto-J provides both JCE-compliant and custom interfaces
INSTALL
– use the CD to copy the jar file and unpack it with
• jar xvf cryptoj32.jar
CONFIGURE PROVIDER
– add the Crypto-J provider to the java.security file as
• security.provider.1=com.rsa.jsafe.provider.JsafeJCE
SETUP CLASSES
– add the following jar files to the CLASSPATH
• crypto/jsafe.jar
• jceProvider/jsafeJCE.jar
Also must install the Sun JCE

Message Digest Algorithms
Also known as HASH Functions
What is a Message Digest Algorithm?
• Also referred to as hash functions
• Remember hash tables from data structures class? Hash maps?
• A hash function maps any message of any length to an element in a different set (the
set of n-bit numbers)
• Two different messages could map to the same value
• Basically, this can be considered lossy compression
[Figure: the space of all possible messages maps onto the much smaller space of all N-bit numbers]
Technical Definition of MDAs
• Message digest algorithms take a message of arbitrary size and create a digest of fixed size
• The algorithm takes the message and splits it into blocks of equal length (the block size of
the algorithm)
• The last block is padded, with the total message length attached (Merkle-Damgård construction)
• Each block is sent through the compression function in order, chained to the previous result
• After all blocks are processed, the fixed-size digest value is retrieved
[Figure: Message (< 2^64 bits) → Block 0, Block 1, Block 2 … Block n (512 bits each) → H(x)
→ Digest Value (160 bits). The numeric values shown in the figure are the values for the
SHA-1 algorithm.]
Characteristics of MDAs
A message digest or hash algorithm must be:
» One-way (preimage resistance)
given an arbitrary digest z, it is infeasible to find y such that h(y) = z
» Weakly collision-free (2nd preimage resistance)
given a message y, it is infeasible to find x such that x != y and h(x) = h(y)
» Strongly collision-free (collision resistance)
infeasible to find any pair x and x’ with x != x’ such that h(x) = h(x’)
[Figure: Message → Hash → Digest]
Hash functions are basically composed of a series of cryptographic primitives with bit loss.
Several hash functions are available:
» SHA-1 (http://csrc.nist.gov/pki/nist_crypto/welcome.html)
» RIPEMD-160 (http://www.esat.kuleuven.ac.be/~bosselae/ripemd160.html)
» MD5 (no longer holds as strongly collision-free; practical collisions were published in 2004)
Handbook of Applied Cryptography, Menezes, van Oorschot, and Vanstone, © 1997 CRC Press
Dr. Dobb's Journal, January 1997
Uses for Hash Functions
Since hash functions...
– characterize their input
• can be used for proving data integrity (digital signatures)
– hide their actual input
• can be used to prove knowledge of input without revealing the input (Sesame one-time passwords)
– appear highly random
• can be used to generate strong pseudo-random data for keys, nonces, etc. (SecureRandom,
key generation in SSL)
– cannot be reversed
• can be used for tokens or security tickets (IPv6 cookies)
SHA-1
Secure Hash Algorithm 1
Class of Algorithm: Message Digest (Hash) Function
– the most widely used message digest (hash) algorithm at the time of this talk
– being replaced by SHA-2 (longer digest lengths)
Characteristics:
– Input: any binary data up to 2^64 bits in length
– Output: a 160-bit (20 byte) digest characterizing the input data
Usage: Integrity
– Create an integrity checksum for data
– Characterize a message for digital signature
Attacks and Gotcha's
– SHA-1 collisions were shown in 2005 to cost far less than the 2^80 generic bound (about
2^69 operations in the attack by Wang, Yin and Yu); a practical collision was published in
2017, so SHA-1 must not be used for signatures or certificates
– Still used for the majority of operations at the time, but the industry is switching to
new algorithms
– SHA-2 and AES-based MACs (CMAC)
Secure Hash Algorithm 1
SHA-1, FIPS 180-1
SHA input:
– n blocks of 512 bits (16 words)
– maximum 2^64 bits (2^59 words)
SHA output: 160 bits (5 words)
SHA processing:
1. Message is separated into blocks
2. Last block is padded out to 512 bits, minus 64 bits reserved for the bit length of the message
3. Blocks are processed through the algorithm in sequence
4. Each block requires 80 rounds through the SHA mixing function shown in the figure
5. Digest is the result A B C D E
[Figure: SHA-1 mixing function. The 16 words W0..W15 of the message block are expanded to
W16..W79 by W_t = S^1(W_{t-3} ⊕ W_{t-8} ⊕ W_{t-14} ⊕ W_{t-16}), where S^1 is a one-bit left
rotation; each round updates the working variables A B C D E with W_t and the round constant
K_t; after 80 rounds the variables are added into H0..H4.]
Comparative Analysis of the Hardware Implementations of Hash Functions SHA-1 and SHA-512,
by Grembowski et al., http://ccrc.wustl.edu/~roger/462M/comparative_study.pdf
SHA Operation Details
Round constants K_t:
0x5A827999 (0 <= t <= 19)
0x6ED9EBA1 (20 <= t <= 39)
0x8F1BBCDC (40 <= t <= 59)
0xCA62C1D6 (60 <= t <= 79)
Initial H vector:
H0: 0x67452301
H1: 0xEFCDAB89
H2: 0x98BADCFE
H3: 0x10325476
H4: 0xC3D2E1F0
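The SHA-1 processing just described (Merkle-Damgård padding with the 64-bit length, the message schedule, 80 rounds with the four constants and the five initial words) carried out in Python rather than the deck's Java, as an added example that is not part of the original slides. It checks itself against the standard test vectors and then shows the length-extension property of this construction: because the digest is the internal state, anyone holding H(secret || message) and the secret's length can extend the message and compute a valid digest without the secret, which is why a bare secret-prefix hash is not a message authentication code. Function names and the sample message are this example's own.

```python
"""SHA-1 from the FIPS 180-1 description on the slides, plus a length-extension
forgery. Added example (not the deck's code); only the standard library is used."""
import struct

K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)        # round constants, 20 rounds each
H_INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
MASK = 0xFFFFFFFF


def rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md_pad(msg: bytes) -> bytes:
    """Merkle-Damgard padding: 0x80, zeros up to 56 mod 64, then the 64-bit bit length."""
    bit_len = len(msg) * 8
    msg += b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    return msg + struct.pack(">Q", bit_len)


def sha1_compress(h: tuple, block: bytes) -> tuple:
    """One 512-bit block through the 80-round mixing function; returns the new H vector."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):                       # message schedule W16..W79
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = h
    for t in range(80):
        if t < 20:
            f, k = (b & c) | (~b & d), K[0]
        elif t < 40:
            f, k = b ^ c ^ d, K[1]
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), K[2]
        else:
            f, k = b ^ c ^ d, K[3]
        a, b, c, d, e = (rotl(a, 5) + f + e + k + w[t]) & MASK, a, rotl(b, 30), c, d
    return tuple((x + y) & MASK for x, y in zip(h, (a, b, c, d, e)))


def sha1(msg: bytes) -> bytes:
    h = H_INIT
    padded = md_pad(msg)
    for i in range(0, len(padded), 64):           # blocks processed in sequence
        h = sha1_compress(h, padded[i:i + 64])
    return struct.pack(">5I", *h)


def length_extend(tag: bytes, secret_len: int, msg: bytes, suffix: bytes) -> tuple:
    """Given tag = sha1(secret || msg) and only len(secret), produce a valid tag for
    secret || msg || glue || suffix without knowing the secret: the digest IS the
    chaining state, so we simply keep compressing from it."""
    glue = md_pad(b"\x00" * secret_len + msg)[secret_len + len(msg):]
    absorbed = secret_len + len(msg) + len(glue)            # a multiple of 64 bytes
    h = struct.unpack(">5I", tag)
    tail = md_pad(b"\x00" * absorbed + suffix)[absorbed:]   # suffix plus padding for the full length
    for i in range(0, len(tail), 64):
        h = sha1_compress(h, tail[i:i + 64])
    return msg + glue + suffix, struct.pack(">5I", *h)


if __name__ == "__main__":
    print(sha1(b"abc").hex())
    secret, msg = b"s3cret-key", b"amount=10&to=bob"       # constructed sample
    tag = sha1(secret + msg)
    forged_msg, forged_tag = length_extend(tag, len(secret), msg, b"&amount=9999")
    print(sha1(secret + forged_msg) == forged_tag)          # the forgery verifies
```

The forged message contains the glue padding bytes in the middle, which many parsers tolerate; the defence is HMAC, which the deck reaches later, not a longer secret.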
MD5, Message Digest 5
MD5 input:
– n blocks of 512 bits (16 words)
– maximum 2^64 bits (2^59 words)
MD5 output: 128 bits (4 words)
MD5 processing:
1. Message is separated into blocks
2. Last block is padded out to 512 bits, minus 64 bits reserved for the bit length of the message
3. Blocks are processed through the algorithm in sequence
4. Each block goes through four rounds of 16 steps each (one step per message word), updating
the working variables A B C D
5. Digest is the result A B C D
[Figure: Message Block → Round 1 → Round 2 → Round 3 → Round 4 (16 steps each) → A B C D]
Applied Cryptography, 2nd Edition, by Bruce Schneier
Java Message Digest Algorithm
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;

class MDTest {
    static String message = "This is a test";
    static String message2 = " and a second chunk";

    public static void main(String[] args) {
        int alg = 0;
        if (args.length >= 1) {
            alg = Integer.parseInt(args[0]);
        }
        try {
            MessageDigest md;
            // Select a hash function based upon the input parameter
            switch (alg) {
                case 0:
                    // RIPEMD160 is not in the default JDK providers; this needs a
                    // third-party provider such as Cryptix on the classpath
                    md = MessageDigest.getInstance("RIPEMD160", "CryptixCrypto");
                    break;
                case 1:
                    md = MessageDigest.getInstance("SHA-1");   // standard JCA name
                    break;
                default:
                    throw new IllegalArgumentException("unknown algorithm " + alg);
            }
            // Send the data to be digested to the hash function; update() may be called
            // many times, and digest() can take the last piece of data as well
            md.update(message.getBytes(StandardCharsets.UTF_8));
            md.update(message2.getBytes(StandardCharsets.UTF_8));
            byte[] digest = md.digest();
            // can now print out the bytes or use the digest
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            System.out.println(hex);
        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
            System.err.println("digest algorithm not available: " + e.getMessage());
        }
    }
}
Symmetric Encryption Algorithms

Encryption Technology
Encryption is a mechanism which encodes information using a secondary secret.
» A usable encryption mechanism has the following properties:
• The information encoded by the encryption mechanism may be recovered using a decryption
mechanism and a (possibly different) secondary secret.
• The information encoded by the encryption mechanism may not be easily recovered without
the appropriate secondary secret.
• The information produced by the encryption mechanism does not identify the secondary
secret used to encrypt (or decrypt) the information.
• There exists a large enough number of secondary secrets so that the secret used to encrypt
(or decrypt) the information cannot be easily guessed.
» A strong encryption mechanism has the following properties:
• The information produced by the encryption mechanism is of no value in recovering the
original information without possession of the secondary secret.
• Knowledge of the original information and the encoded information (produced by the
encryption mechanism) does not reveal the secondary secret used to create the encoded
information.
The rules which define how an encryption mechanism transforms the original information are
called a cryptographic algorithm.
Encryption Algorithms
Classified by the way in which they use the secondary secret (or key) for encryption and
decryption:
» Symmetric: uses the same key for encryption and decryption
» Asymmetric: uses one key for encryption and a different (but related) key for decryption
Strength of an algorithm is based upon the difficulty of performing certain functions:
» Ciphertext-only attack: recover the plaintext from the ciphertext without any knowledge
of the key
» Known-plaintext attack: recover the key given one or more pairs of plaintext and ciphertext
» Chosen-plaintext attack: recover the key by observing the ciphertext produced under
encryption of the attacker’s choice of plaintext
» Chosen-ciphertext attack: recover the key by observing the plaintext produced under
decryption of the attacker’s choice of ciphertext
Computer Security Basics, Russell and Gangemi, © 1991 O’Reilly & Associates
Usage of Symmetric Encryption Algorithms
Make private (encrypt) = Confidentiality
– Physical example (seal message in an envelope)
[Figure: Hans encrypts “Message” into “Okiznxc qwhoi”, sends it across the Internet, and
Bita decrypts it back to “Message” with the same key: “Only I can read this message”]
Two Types of Symmetric Algorithms
Block Cipher
[Figure: PT Block + key Ki → Block Cipher Algorithm → CT Block; CT Block + the same Ki →
Block Cipher Algorithm → PT Block]
Stream Cipher
[Figure: a Keystream Generator seeded with Ki produces a keystream that is XORed with PT to
give CT; the receiver runs the same generator with Ki and XORs CT with the keystream to
recover PT]
AES
Advanced Encryption Standard
Class of Algorithm: Symmetric Block Cipher Algorithm
– the newest symmetric encryption standard (Rijndael, adopted as FIPS 197 in 2001)
– replaced DES & 3DES (triple DES) as the basic encryption standard
Characteristics:
– Input: any binary data of 128 bits (16 bytes)
– Input: a secret key (secondary secret) of 128, 192, or 256 bits
– Output: 128 bits (16 bytes) of binary data, the transformed input
Usage: Confidentiality
– Create a protected representation of the input data (encrypted)
Attacks and Gotcha's
– Security is only as good as the key – the key must be random
– Raw AES applied block by block (Electronic Code Book, ECB) is not usually a good
implementation; use a chaining or counter mode with a fresh IV, and add a MAC
DES
Data Encryption Standard
Class of Algorithm: Symmetric Block Cipher Algorithm
– Created in the mid 1970’s and adopted as a federal standard in 1976 (published as FIPS 46
in 1977)
– First public encryption standard; 3DES was still considered strong at the time of this talk
(NIST has since deprecated it, and its 64-bit block makes it weak for large volumes of data)
Characteristics:
– Input: any binary data of 64 bits (8 bytes)
– Input: a secret key (secondary secret) of 56 bits (+8 parity bits)
– Output: 64 bits (8 bytes) of binary data, the transformed input
Usage: Confidentiality
– Create a protected representation of the input data (encrypted)
Attacks and Gotcha's
– Security is only as good as the key – the key must be random
– 56 bits is brute-forceable: single-DES keys were recovered by exhaustive search in 1998
– There are known weak and semi-weak keys (all zeros, all ones, and other patterns)
– Raw DES/3DES (in ECB mode) is not usually considered good
Block Ciphers Technical Details
[Figure: Input Plaintext → IP → 16-round DES computation: (L0, R0) with K1 → f → (L1, R1)
with K2 → f … (L15, R15) with K16 → f → (L16, R16) → IP^-1 → Output Ciphertext]
Most block ciphers implement a Feistel network, which is a series [>= 3 and usually an even
number] of rounds where each round is composed of a product cipher. At the end of each round
the working halves are swapped from right to left. In addition, by convention, all work is
done on the right half of the input. Because each round only XORs the output of f into the
other half, the network is invertible even when f itself is not: decryption runs the same
rounds with the subkeys in reverse order.
The product cipher [f] is a combination of two or more transformations that are [usually]
reversible (e.g. XOR, bitwise expansion, substitution, etc.). Certain elements of the block
cipher are inserted to equalize the use of bits, because the transformation favors some bits
over others:
– IP, the initial permutation, reorders plaintext bits in order to guarantee better mixing
[i.e. encryption] of the plaintext
– The Ki’s are components of the key after key scheduling. Key scheduling is performed to
maximize the use of key bits
Triple DES
TDES encryption: CT = DES-Encrypt_k3( DES-Decrypt_k2( DES-Encrypt_k1( PT ) ) )
TDES decryption: PT = DES-Decrypt_k1( DES-Encrypt_k2( DES-Decrypt_k3( CT ) ) )
• If key size = 128 bits (two-key TDES), then k1 = k3
• If key size = 192 bits (three-key TDES), then k1 ≠ k3
The encrypt-decrypt-encrypt order means that with k1 = k2 = k3 TDES degenerates to single
DES, which preserves backward compatibility with single-DES peers.
RC4
Rivest Cipher #4
Class of Algorithm: Symmetric Stream Cipher Algorithm
– Created by Ron Rivest (the ‘R’ in RSA) in 1987
– Kept as a trade secret until the algorithm was leaked (posted anonymously) in 1994; now
effectively public domain (= free)
Characteristics:
– Input: any binary data, of any length (byte by byte)
– Input: a secret key (secondary secret) of up to 256 bytes
– Output: transformed input (byte by byte)
Usage: Confidentiality
– Create a protected representation of the input data (encrypted)
Attacks and Gotcha's
– Security is only as good as the key – the key must be random
– Caution in use – stream ciphers create serious problems if a key (and therefore a
keystream) is re-used (remember the 802.11 WEP problems?)
– The first bytes of the RC4 keystream are biased; its use in TLS has since been prohibited
(RFC 7465), so treat RC4 as legacy only
– Has also been used as a random number generator, which is no longer advisable for the
same reason
Other Symmetric Algorithms
• Rijndael (pronounced “rain doll”) (same as AES)
• RC5, RC6
• MARS
• Blowfish, Twofish
• IDEA (International Data Encryption Algorithm)
Modes of Operation
ECB: Electronic Code Book (insecure)
» Just encrypt each block according to the algorithm
» Duplicate blocks encrypt to the same thing
» “the blue box is next to the blue boat” – repeated plaintext (“blue”) that lands in
identical blocks produces identical ciphertext, so the pattern shows through
CBC: Cipher Block Chaining (most common)
» the current plaintext block is XOR’ed with the previous block’s ciphertext before being
encrypted
PCBC: Propagating Cipher Block Chaining
» like CBC, but XORs in both the previous ciphertext block and the previous plaintext block
CFB: Cipher Feedback
» the cipher produces a stream of encrypted bytes that are XOR’ed with the plaintext, like a
key. The resulting ciphertext is fed back into the cipher to create the key bits for the
next block. This operates like a stream cipher.
OFB: Output Feedback (can be weak)
» like CFB, but feeds the cipher output, not the ciphertext, back into the cipher; the
keystream therefore depends only on the key and IV, so reusing an IV reveals the XOR of
two plaintexts, exactly as with a stream cipher
[Figure: Electronic Code Book]
ECB Properties
• For a given key, a PT block always encrypts to the same CT
• No error extension – errors impact only the block containing the error
• Encryption of the same message with the same key results in the same ciphertext (bad)
[Figure: Cipher Block Chaining]
CBC Properties
• IV must be unpredictable (random), but need not be secret
• Error extension – an error in received block n will impact blocks n and n+1
• Multiple encryptions of the same data with the same key yield different ciphertext results
• Ciphertext is malleable: flipping a bit in ciphertext block n flips the same bit in
plaintext block n+1, so CBC needs a MAC as well
[Figure: Counter Mode]
CTR Mode Properties
• For a given key, all count values for all counters must be unique (no roll-over, no
reused nonce)
• Uses the encryption (forward) cipher for both encryption and decryption
• No error extension
– A single bit error in the CT results in a single bit error in the decrypted data in the
same position (good for media); the flip side is that an attacker can flip chosen plaintext
bits unless the ciphertext is authenticated
Initialization Vectors
Why do we need an IV?
– When using a mode other than ECB, how do you encrypt the first block (there is no previous
ciphertext block)?
– How do I ensure two messages that start out the same don’t start out the same once
encrypted?
An initialization vector is like a second key, except it is not as important to keep it
absolutely secret as the key
– Employed as the starting point for those modes that require a ciphertext block at time t0
Padding for Block Ciphers
Why padding?
» Block ciphers must operate on a set number of bytes (8 or 16)
» Most messages don’t break up into a whole number of blocks
Issues with padding
» Does padding go at the beginning of a message or at the end?
» How do you know how many bytes of padding there are, or if there are none?
» What do the padding bytes look like? Is there a sure-fire way to tell whether the correct
bytes are being taken off?
Typical use is the PKCS#5 pad algorithm
» Pad always at the end of the message
» Always add padding, even if that means adding a full block of pad bytes
» The value of each pad byte equals the number of pad bytes
» Reject bad padding with one generic error; a receiver that reveals whether the padding was
valid becomes a padding oracle that decrypts for the attacker
Examples (8-byte blocks, pad bytes in hex)
» 5 data bytes in the last block, 3 pad bytes: 03 03 03
» message already a whole number of blocks, one extra block of pad: 08 08 08 08 08 08 08 08
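The constructions of the last several slides (a Feistel block cipher, the ECB, CBC and CTR modes, and PKCS#5 padding) put together in Python, as an added example that is not part of the original deck, whose own code is Java. The round function uses HMAC-SHA256 as a stand-in keyed mixing function only because the standard library has no AES, so this toy cipher is for illustration and never for real data; function names are this example's own. It shows the ECB repeat leak, that CBC with a fresh IV hides it, that PKCS#5 padding is always added and strictly checked, and that CTR under a reused counter leaks the XOR of two plaintexts while a single flipped ciphertext bit flips exactly one plaintext bit.

```python
"""Toy Feistel cipher + ECB/CBC/CTR modes + PKCS#5 padding. Added example, not deck code.
HMAC-SHA256 is an assumed stand-in for a real round function; do not use this cipher."""
import hashlib
import hmac

BLOCK = 8      # 64-bit block as two 32-bit halves (DES-sized)
ROUNDS = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def key_schedule(key: bytes) -> list:
    """One 4-byte subkey per round (assumed HMAC-based schedule)."""
    return [hmac.new(key, b"round%d" % r, hashlib.sha256).digest()[:4] for r in range(ROUNDS)]


def f(right: bytes, subkey: bytes) -> bytes:
    """Round function: need not be invertible; the Feistel structure supplies that."""
    return hmac.new(subkey, right, hashlib.sha256).digest()[:4]


def encrypt_block(subkeys: list, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for k in subkeys:
        left, right = right, xor(left, f(right, k))   # work on the right half, then swap
    return right + left                                # undo the last swap


def decrypt_block(subkeys: list, block: bytes) -> bytes:
    return encrypt_block(subkeys[::-1], block)         # same network, subkeys reversed


def pkcs5_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK                      # 1..BLOCK bytes, always added
    return data + bytes([n]) * n


def pkcs5_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")                # one generic error, nothing more
    return data[:-n]


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    ks = key_schedule(key)
    return b"".join(encrypt_block(ks, b) for b in blocks(pkcs5_pad(pt)))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    ks, prev, out = key_schedule(key), iv, []
    for b in blocks(pkcs5_pad(pt)):
        prev = encrypt_block(ks, xor(b, prev))          # chain the previous ciphertext in
        out.append(prev)
    return iv + b"".join(out)                          # the IV is public; ship it with the data


def cbc_decrypt(key: bytes, ct: bytes) -> bytes:
    ks, prev, out = key_schedule(key), ct[:BLOCK], []
    for b in blocks(ct[BLOCK:]):
        out.append(xor(decrypt_block(ks, b), prev))
        prev = b
    return pkcs5_unpad(b"".join(out))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: keystream block = E_k(nonce || counter). The same call encrypts and decrypts."""
    ks, out = key_schedule(key), []
    for ctr, b in enumerate(blocks(data)):
        out.append(xor(b, encrypt_block(ks, nonce + ctr.to_bytes(4, "big"))))
    return b"".join(out)


def ecb_block_counts(key: bytes, pt: bytes) -> tuple:
    """(total blocks, distinct blocks) under ECB: repeats in PT show up as repeats in CT."""
    cts = blocks(ecb_encrypt(key, pt))
    return len(cts), len(set(cts))


def ctr_nonce_reuse_leak(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bool:
    """Two messages under one (key, nonce): c1 xor c2 == p1 xor p2, the keystream cancels."""
    return xor(ctr_crypt(key, nonce, p1), ctr_crypt(key, nonce, p2)) == xor(p1, p2)
```

With a 4-byte nonce and a 4-byte counter the nonce must never repeat under one key; real designs use a 96-bit nonce with a 128-bit block for the same reason.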
Java Symmetric Encryption w/ AES Algorithm
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

SecureRandom secrand = new SecureRandom();
byte[] data = "some plaintext".getBytes(StandardCharsets.UTF_8);
byte[] ciphertext;
try {
    // getInstance throws if no installed provider offers this transformation
    Cipher c1 = Cipher.getInstance("AES/CBC/PKCS5Padding");
    // generate an AES key; AES has no weak keys, so random bytes are a valid key
    byte[] skey = new byte[16]; // 128 bits for AES
    secrand.nextBytes(skey);
    SecretKeySpec confidentialityKey = new SecretKeySpec(skey, "AES");
    // make a fresh random IV for CBC mode (never reuse one under the same key)
    byte[] ivbytes = new byte[16]; // the AES block size
    secrand.nextBytes(ivbytes);
    IvParameterSpec iv1 = new IvParameterSpec(ivbytes);
    // initialize the cipher in ENCRYPT mode with key and IV
    c1.init(Cipher.ENCRYPT_MODE, confidentialityKey, iv1);
    // encrypt the data; send ivbytes along with the ciphertext
    ciphertext = c1.doFinal(data);
} catch (GeneralSecurityException e) {
    // NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, ...
    throw new RuntimeException("AES/CBC not usable", e);
}
HMAC
Hashed Message Authentication Codes

Problems with Message Digests
Assume you received the following message:
Dave,
The attached file includes a super-special update for Windows made just for you.
Please run the attached file immediately on your computer.
- Bill Gates
< …. file contents …… >
SHA-1 Digest <352125D1-90993EED-DD87FA45-68EA99D8-BEEFC4DE>
You calculate the SHA-1 digest over the message and the file contents (including Bill
Gates’s signature) and the digest checks out.
QUESTION: Is this an authentic message? Who do I know this message is from? Unknown!
Anyone who changes the message can simply recompute the digest.
SOLUTION? YES! If there were some way to tie something that only Bill and I know (a
secret) into the hash operation, no one could spoof us to each other.
Hashed Message Authentication Code
Function
– HMAC(Algorithm, Key, Data) = Digest
• Algorithm: message digest algorithm that provides the basis for the HMAC compression function
• Key: a variable-length input that is used as the shared secret in computing the HMAC
• Data: input to be integrity protected
• Digest: same size as the digest produced by the underlying MDA
Operation
– HMAC_K(M) = H[ (K+ ⊕ opad) || H[ (K+ ⊕ ipad) || M ] ]
• K+ is the key padded with zeros to the hash block size (key expansion)
• Inner hash: H[ (K+ ⊕ ipad) || M ], the expanded key with the message
• Outer hash: H over (K+ ⊕ opad) followed by the inner digest
HMAC Operation
[Figure: the message blocks 0..n are hashed with H(x) after a first block of Key+Pad ⊕ ipad
(0x36 repeated) to give an intermediate digest value; a second H(x) over Key+Pad ⊕ opad
(0x5C repeated) followed by that intermediate digest gives the final digest value. The SHA-1
mixing function drawn in the figure is the one from the SHA operation slide above.]
Effectively, the HMAC key becomes a customized initialization vector for the hash function.
Cryptography and Network Security: Principles and Practice, 2nd Edition, by William Stallings,
Prentice Hall, Copyright 1999
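The HMAC formula above built directly from a plain hash in Python (not the deck's Java), as an added example that is not part of the original slides. It implements H[(K+ ⊕ opad) || H[(K+ ⊕ ipad) || M]] with the RFC 2104 key handling, cross-checks itself against the standard library, and then replays the "Bill Gates" scenario from the Problems with Message Digests slide: the bare digest is recomputed by the forger, the keyed tag is not. Function names and the sample messages are this example's own.

```python
"""HMAC from the slide's formula, checked against hmac.new, plus the forgery that an
unkeyed digest allows. Added example, not deck code; messages are constructed."""
import hashlib
import hmac

BLOCK_SIZE = 64   # input block size in bytes of SHA-1 and SHA-256; K is padded to this


def hmac_from_scratch(key: bytes, msg: bytes, hashfunc=hashlib.sha1) -> bytes:
    """H[(K+ xor opad) || H[(K+ xor ipad) || M]], K+ = key zero-padded to one block."""
    if len(key) > BLOCK_SIZE:                 # RFC 2104: hash an over-long key first
        key = hashfunc(key).digest()
    k_plus = key.ljust(BLOCK_SIZE, b"\x00")
    inner = hashfunc(bytes(b ^ 0x36 for b in k_plus) + msg).digest()    # ipad = 0x36
    return hashfunc(bytes(b ^ 0x5C for b in k_plus) + inner).digest()   # opad = 0x5C


def hmac_sha256_from_scratch(key: bytes, msg: bytes) -> bytes:
    return hmac_from_scratch(key, msg, hashlib.sha256)


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check against the standard library implementation (HMAC-SHA1)."""
    return hmac_from_scratch(key, msg) == hmac.new(key, msg, hashlib.sha1).digest()


def unkeyed_tag(msg: bytes) -> bytes:
    """The slide's scheme: a bare SHA-1 digest appended to the message."""
    return hashlib.sha1(msg).digest()


def verify_unkeyed(msg: bytes, tag: bytes) -> bool:
    return unkeyed_tag(msg) == tag


def verify_hmac(key: bytes, msg: bytes, tag: bytes) -> bool:
    # compare_digest does not stop at the first differing byte (no timing side channel)
    return hmac.compare_digest(hmac_from_scratch(key, msg), tag)


def attacker_rewrites(msg: bytes) -> tuple:
    """Anyone can swap the attachment and recompute a bare digest; no secret is needed."""
    forged = msg.replace(b"update.exe", b"malware.exe")
    return forged, unkeyed_tag(forged)


if __name__ == "__main__":
    key = b"shared-secret-known-only-to-Bill-and-Dave"                # constructed
    msg = b"Dave, run the attached update.exe immediately. - Bill"     # constructed
    forged, forged_tag = attacker_rewrites(msg)
    print("bare digest accepts forgery:", verify_unkeyed(forged, forged_tag))   # True
    tag = hmac_from_scratch(key, msg)
    print("HMAC accepts forgery:", verify_hmac(key, forged, tag))              # False
```

Use the library's hmac module in real code; the from-scratch version is here only to make the two nested hashes and the 0x36/0x5C pads visible.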
Message Authentication using a Symmetric Block Cipher
Key-dependent one-way hash function using a block algorithm in CBC or CFB mode
[Figure: plaintext blocks N-1, N are chained through CIPH_k as in CBC encryption; every
ciphertext block except the last is discarded, and the final output block is the MAC]
This raw CBC-MAC is only secure for messages of one fixed length; for variable-length
messages use CMAC (NIST SP 800-38B), which fixes the handling of the last block.

Java HMAC Using the SHA-1 Algorithm
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

SecureRandom secrand = new SecureRandom();
byte[] data = "first part".getBytes("UTF-8");
byte[] more_data = "second part".getBytes("UTF-8");
// Generate an HMAC-SHA1 key (at least the digest length, 20 bytes)
byte[] hmackey = new byte[20];
secrand.nextBytes(hmackey);
SecretKeySpec integrityKey = new SecretKeySpec(hmackey, "HmacSHA1");
// Now MAC the data to protect its integrity
// Make a proper keyed-MAC object
Mac hmac = Mac.getInstance("HmacSHA1");
// Initialize the MAC with the key
hmac.init(integrityKey);
// Add data to the MAC
hmac.update(data);
// add more data to the MAC and get the digest
byte[] digest = hmac.doFinal(more_data);
// The receiver recomputes the tag and compares with MessageDigest.isEqual(), which
// runs in constant time, rather than Arrays.equals()
boolean ok = MessageDigest.isEqual(digest, digest);
Properties of MDAs & HMAC
Property                            MDA    HMAC
Confidentiality                     -      -
Data Integrity                      +      +
Authentication (Origin Integrity)   -      partial
Non-Repudiation                     -      -
(partial: either holder of the shared key could have produced the tag, so origin is
proven only within the pair that shares it)

Public Key Algorithms
Problem…
There was a huge problem in the world of secret communication: keys!
If I want to send you information secretly, we need to share a key. The key, of course,
must be known only to you and me. However, if I could send you a key secretly, then I
could send you the original information secretly too….
A new encryption technology was born
Who Invented PK Technology?
• The technology was first publicly described by Whitfield Diffie and Martin Hellman in
“New Directions in Cryptography”, IEEE Transactions on Information Theory (Nov 1976)
• The first complete cryptosystem (RSA) was described by Ronald Rivest, Adi Shamir and Len
Adleman in “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems”, April
1977; later published in CACM Vol 21 #2, Feb 1978
• Elliptic curve cryptosystems were first publicly proposed, independently, by Neal Koblitz
and V. S. Miller in 1985; Miller, “Use of Elliptic Curves in Cryptography”, Advances in
Cryptology, CRYPTO ’85 Proceedings, Springer-Verlag, 1986
• The first known inventors of PK technology are now known to be British intelligence
officers of GCHQ: James Ellis, Clifford Cocks and Malcolm Williamson (1973–1975)
The Code Book, Simon Singh, © 1999, Doubleday
What is Public Key Technology?
• Broad term applied to a class of cryptographic algorithms whose decryption key is
different from their encryption key, thereby allowing one key to be made “public” and the
other key held “private.”
• Also known as asymmetric algorithms, since encryption is done with a different key than
decryption (no symmetry).
Why Is Public Key Technology so Great?
• PK technology solves many problems with secure key distribution.
• PK technology provides the raw capability to perform proof of source and proof of receipt
completely through digital means, using a technique called digital signatures.
• PK technology has been widely proven in theory and practice.
• PK technology patents have expired.
– Diffie-Hellman key exchange and El Gamal are free of patent restrictions.
– The RSA patent expired on 20 Sept 2000.
How Does Public Key Technology Work?
• Public key technology is based upon difficult mathematical problems.
The mathematical problems are hard to solve but easy to verify. One such hard problem is
factoring a large number: finding the factors takes an enormous amount of work, yet a
single multiplication verifies a proposed answer.
Different PK algorithms use different mathematical problems:
» RSA: factorization of large numbers
» EC: the discrete logarithm problem in the group of points on an elliptic curve
» El Gamal: the discrete logarithm problem in a finite field
• The security of a particular PK algorithm depends on its key length, and the key length
required for a given level of security depends on how hard the underlying problem is (which
is why elliptic curve keys can be much shorter than RSA keys of equivalent strength).
• PK algorithms define an encryption operation, a decryption operation, and (sometimes) a
digital signature operation.
Public Key Encryption & Decryption
How does public key technology work?
A user of PK has two keys:
• a public key
• a private key
The keys are opposites (inverses); each key reverses the effect of the other.
[Figure: Message → Encrypt (with one key) → Ciphertext → Encrypt (with the other key) → Message]
Encrypting with a Public Key
The encryption operation
1 Obtain the public key of the person with whom you want to communicate securely;
2 Encrypt the message with the receiving party’s public key;
3 Transmit the message;
4 Receiving party decrypts using their private key.
[Figure: Bob’s public key reaches Alice over the key delivery mechanism; Alice encrypts the
message with it and sends the ciphertext over the message delivery mechanism; Bob decrypts
with his private key to recover the message]
Encrypting with a Private Key
The encryption operation
1 Encrypt the message with your own private key;
2 Transmit the message;
3 Send your public key to the person with whom you want to communicate;
4 Receiving party decrypts using your public key.
This gives no confidentiality (anyone holding the public key can read the message); what it
proves is that the holder of the private key produced it, which is the basis of digital
signatures.
[Figure: Alice encrypts the message with her private key and sends the ciphertext over the
message delivery mechanism; Bob receives Alice’s public key over the key delivery mechanism
and decrypts with it]
RSA
Rivest-Shamir-Adleman
Class of Algorithm: Asymmetric Cipher Algorithm
– Publicly published in 1978
– Most widely used asymmetric algorithm (used in SSL/TLS)
Characteristics:
– Key generation: based on primes and modular inverses
– Input: any binary data, as an integer less than the modulus
– Input: the public (or private) exponent plus the modulus
– Output: an integer < modulus
Usage: Confidentiality, Non-Repudiation
– Create a protected representation of the input data (encrypted)
– Create a digital signature (proof of source) of data
– Create a digital envelope (private delivery) containing data
Attacks and Gotcha's
– Security is only as good as the key – the primes must be random and of adequate size
– Raw (textbook) RSA can be broken – a formatting/padding scheme must be used (PKCS#1: OAEP
for encryption, PSS or v1.5 for signatures)
– Complex issues around implementation – side-channel attacks (timing, power)
RSA Algorithm
C = M^d mod n   (apply one exponent)
M = C^e mod n   (apply the other)
Conditions:
1. n = p·q, where p and q are prime and p ≠ q
2. 1 < d < φ(n), where φ(n) = (p-1)(q-1)
3. d·e ≡ 1 (mod φ(n))
Either exponent can be published as the public key; the other must stay private.
RSA Key Generation
n = p·q, where p and q are prime and p ≠ q
• Primes must be selected randomly, otherwise an attacker can guess which primes you used
to generate your keys
Generalized method:
1. Select a random number, z, of the appropriate number of bits
2. If z is even, z = z + 1
3. Test if z is prime; if so, stop
4. If not prime, compute z = z + 2 and go to step 3 (z stays odd, so step 2 need not repeat)
This can take a LONG time! (In practice the primality test is probabilistic, e.g.
Miller-Rabin, and a cheap trial division by small primes weeds out most candidates first.)
Digital Signatures
Remember Hash Functions?
Copyright © 2005 David M. Wheeler, All Rights Reserved
The Message Digest Algorithm
A Message Digest or Hash Algorithm must be:
» One-Way (pre-image resistance)
given an arbitrary digest z, it is infeasible to find y such that h(y) = z
» Weakly Collision-Free (2nd preimage resistance)
given y, it is infeasible to find x such that x != y and h(x) = h(y)
» Strongly Collision-Free (collision resistance)
infeasible to find any x and x’ such that x != x’ and h(x) = h(x’)
[Diagram: Message → Hash → Digest]
Hash Functions are basically composed of a series of cryptographic primitives with bit loss.
Several Hash Functions are available:
» SHA-1 (http://csrc.nist.gov/pki/nist_crypto/welcome.html)
» RIPEMD 160 (http://www.esat.kuleuven.ac.be/~bosselae/ripemd160.html)
» MD5 (no longer holds as strongly collision free)
Handbook of Applied Cryptography, Menezes, Oorschot, and Vanstone, © 1997 CRC Press
Dr. Dobb's Journal, January 1997
John Hancock circa the 21st Century:
The Digital Signature Operation
1. Hash the message to be signed to produce a digest;
2. Encrypt the digest only using the signing party’s private key;
3. Transmit both the original message and the encrypted digest;
4. Receiving party obtains the sender’s public key;
5. Receiving party decrypts the digest with the sender’s public key;
6. Receiving party hashes the message to obtain an original digest;
7. Compare the decrypted digest with the original digest; a match validates the signature on the message.
[Diagram: Alice hashes the Message to a Digest and encrypts the Digest into Ciphertext; the Message and Ciphertext reach Bob over the message delivery mechanism and Alice's key over the key delivery mechanism; Bob hashes the Message and compares the two Digests]
The Pony Express in a Jetson’s World:
Digital Envelopes
1. Create a digital signature over the plaintext message using your private key;
2. Generate a random symmetric key and encrypt the message with it;
3. Encrypt the symmetric key with the recipient's public key;
4. Send all three enciphered items to the recipient along with your public key;
5. Only the intended recipient can unlock and validate your message.
[Diagram: Alice's Secret Message → Hash → Digest → Asymmetric Encrypt → Digital Signature; Secret Message → Symmetric Encrypt (with the Random Symmetric Key) → Enciphered Message; Random Symmetric Key → Asymmetric Encrypt → Protected Key]
Breaking a Digital Signature
Total Break
– Private Key is recovered
Selective Forgery
– Adversary can create a valid signature on a predetermined message
Existential Forgery
– Adversary can create a valid signature with no control over the message
PKCS#1 v1.5 Signature Format
(M) = 00 01 ff … ff 00 || HashAlgID || Hash(M)
Ad hoc design
Resistant to multiplicative forgery
– moduli near 2^k are more at risk, but still out of range
Widely deployed
– SSL certificates
– S/MIME
Included in IEEE P1363a; PKCS #1 v2.1 continues to support it
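The encoding above, applied through the Digital Signature Operation steps (hash, sign the encoded digest with the private key, verify with the public key), as an added Python example that is not part of the deck. The DigestInfo byte strings are the HashAlgID prefixes from PKCS #1 v2.1 section 9.2; the key is a constructed toy built from two Mersenne primes, which are not the strong primes the RSA slide calls for.

```python
import hashlib

# DER DigestInfo prefixes (the HashAlgID on the slide) from PKCS #1 v2.1 section 9.2.
DIGEST_INFO = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}

def emsa_pkcs1_v15_encode(message: bytes, em_len: int, hash_name: str = "sha256") -> bytes:
    """The slide's format: 00 01 || ff...ff || 00 || HashAlgID || Hash(M), em_len bytes long."""
    t = DIGEST_INFO[hash_name] + hashlib.new(hash_name, message).digest()
    if em_len < len(t) + 11:                       # at least 8 bytes of ff padding
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def rsa_sign(message: bytes, n: int, d: int, hash_name: str = "sha256") -> bytes:
    """Signature = EM^d mod n (the RSA slide's M^d mod n applied to the encoding)."""
    k = (n.bit_length() + 7) // 8                  # modulus length in bytes
    em = int.from_bytes(emsa_pkcs1_v15_encode(message, k, hash_name), "big")
    return pow(em, d, n).to_bytes(k, "big")

def rsa_verify(message: bytes, sig: bytes, n: int, e: int, hash_name: str = "sha256") -> bool:
    """Recover EM = S^e mod n and compare it byte-for-byte with a fresh encoding,
    as PKCS #1 v2.1 section 8.2.2 specifies, so the verifier never parses padding."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return em == emsa_pkcs1_v15_encode(message, k, hash_name)

# Constructed toy key: p, q are the Mersenne primes 2^521-1 and 2^607-1. Being of a
# special, public form they are NOT the strong primes the RSA slide calls for, so
# this key is for illustration only.
TOY_P, TOY_Q = (1 << 521) - 1, (1 << 607) - 1
TOY_N, TOY_E = TOY_P * TOY_Q, 65537
TOY_D = pow(TOY_E, -1, (TOY_P - 1) * (TOY_Q - 1))
```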
Probabilistic Signature Scheme (PSS)
Bellare-Rogaway (Eurocrypt ’96)
(M) = 00 || H || G(H) ⊕ [salt || 00 … 00]
where H = Hash(salt, M), salt is random, and G is a mask generation function
– Mask Generation: T = T || Hash(mgfSeed || C)
Note: The format above is as specified in PKCS #1 v2.1.
Note: PSS is patent pending (but generously licensed)
Is included in IEEE P1363a; ANSI X9.31 to be revised to include it
Provably Secure
– same paradigm as Optimal Asymmetric Encryption Padding (OAEP)
PSS has a tighter security proof and is less dependent on the security of the hash function
Digital Signature Standard (DSS)
US Govt approved signature scheme FIPS 186
uses the SHA hash algorithm
designed by NIST & NSA in early 90's
DSS is the standard, DSA is the algorithm
a variant on ElGamal and Schnorr schemes
creates a 320 bit signature, but comparable to RSA 512-1024 bit security
security depends on difficulty of computing discrete logarithms
Considered potentially weak given issues surrounding SHA-1 Algorithm
DSA Key Generation (2)
Have shared global public key values (p, q, g):
– a large prime $p = 2^L$
• where L = 512 to 1024 bits and is a multiple of 64
– choose q, a 160 bit prime factor of p-1
– choose $g = h^{(p-1)/q}$
• where $h < p-1$, $h^{(p-1)/q} \pmod p > 1$
Users choose private & compute public key:
– choose $x < q$
– compute $y = g^x \pmod p$
DSA Signature Generation
to sign a message M the sender:
– generates a random signature key k, $k < q$
– nb. k must be random, be destroyed after use, and never be reused
then computes signature pair:
$r = (g^k \bmod p) \bmod q$
$s = (k^{-1} \cdot \mathrm{SHA}(M) + x \cdot r) \bmod q$
sends signature (r, s) with message M
DSA Signature Verification
having received M & signature (r, s)
to verify a signature, recipient computes:
$w = s^{-1} \bmod q$
$u_1 = (\mathrm{SHA}(M) \cdot w) \bmod q$
$u_2 = (r \cdot w) \bmod q$
$v = (g^{u_1} y^{u_2} \bmod p) \bmod q$
if v = r then signature is verified
Questions/Resources
– SHA-1: FIPS 180-1
– MD-5: RFC 1321
– HMAC: RFC 2104
– AES: FIPS 197
– RSA: PKCS #1, ver 2.1
– DSS: FIPS 186-2
– ECC/RSA/DH: IEEE 1363
– DISA PKI Site: http://www-pki.itsi.disa.mil
– IETF PKIX: http://www.imc.org/ieft-pkix
– PKCS Standards: http://www.rsa.com
– Applied Cryptography, Bruce Schneier
– Cryptography and Network Security, William Stallings
– Cryptography Theory and Practice, Douglas Stinson
Backup
DSA Algorithm: key generation
1. Select a prime q of 160 bits
2. Choose $0 \le t \le 8$, select $2^{511+64t} < p < 2^{512+64t}$ with $q \mid p-1$
– Create $p = q \cdot r + 1$
3. Select g in $\mathbb{Z}_p^*$, and $\alpha = g^{(p-1)/q} \bmod p$, $\alpha \ne 1$
4. Select $1 \le a \le q-1$, compute $y = \alpha^a \bmod p$
5. Public key $(p, q, \alpha, y)$, private key $(a)$
DSA signature generation
public key $(p, q, \alpha, y)$, private key $(a)$
1. Select a random integer k, $0 < k < q$
2. Compute $r = (\alpha^k \bmod p) \bmod q$
3. Compute $k^{-1} \bmod q$
4. Compute $s = k^{-1}(h(m) + ar) \bmod q$
5. Signature = (r, s)
DSA signature verification
public key $(p, q, \alpha, y)$
– Verify $0 < r < q$ and $0 < s < q$; if not, invalid
– Compute $w = s^{-1} \bmod q$ and h(m)
– Compute $u_1 = w\,h(m) \bmod q$, $u_2 = r w \bmod q$
– Compute $v = (\alpha^{u_1} y^{u_2} \bmod p) \bmod q$
– Valid iff v = r
$h(m) + ar \equiv ks \pmod q$
$w\,h(m) + arw \equiv k \pmod q$
$u_1 + a u_2 \equiv k \pmod q$
$(\alpha^{u_1} y^{u_2} \bmod p) \bmod q \equiv (\alpha^k \bmod p) \bmod q$
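The DSA key generation, signature generation and verification steps (both the main slides and the backup slides above), as an added Python example that is not part of the deck. Parameters are constructed at toy sizes with a trial-division primality test, and h(m) is SHA-1 reduced mod q; those are simplifications for illustration, since real DSA pairs a 160-bit q with the full SHA-1 output.

```python
import hashlib
import random

def is_prime_trial(n: int) -> bool:
    """Trial-division primality test; only adequate for the toy sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def dsa_params(q: int):
    """Backup slide steps 2-3: p = q*r + 1 prime, alpha = g^((p-1)/q) mod p != 1."""
    assert is_prime_trial(q), "q must be prime"
    r = 2
    while not is_prime_trial(q * r + 1):
        r += 1
    p = q * r + 1
    for g in range(2, p):
        alpha = pow(g, (p - 1) // q, p)
        if alpha != 1:                     # alpha generates the order-q subgroup
            return p, q, alpha

def dsa_keygen(p: int, q: int, alpha: int):
    """Step 4: private a in [1, q-1], public y = alpha^a mod p."""
    a = random.randrange(1, q)
    return a, pow(alpha, a, p)

def h(m: bytes, q: int) -> int:
    """Toy simplification: SHA-1 reduced mod q (real DSA pairs a 160-bit q with SHA-1)."""
    return int.from_bytes(hashlib.sha1(m).digest(), "big") % q

def dsa_sign(m: bytes, p: int, q: int, alpha: int, a: int):
    while True:
        k = random.randrange(1, q)         # fresh random k per signature, never reused
        r = pow(alpha, k, p) % q
        s = pow(k, -1, q) * (h(m, q) + a * r) % q
        if r != 0 and s != 0:              # FIPS 186: pick a new k if either is zero
            return r, s

def dsa_verify(m: bytes, sig, p: int, q: int, alpha: int, y: int) -> bool:
    r, s = sig
    if not (0 < r < q and 0 < s < q):      # range check before any arithmetic
        return False
    w = pow(s, -1, q)
    u1, u2 = w * h(m, q) % q, r * w % q
    v = pow(alpha, u1, p) * pow(y, u2, p) % p % q
    return v == r
```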
Whose key is THIS?
The need for Certificates
A Typical Public Key (PKCS#1, Appendix A)
[hex dump of a DER-encoded RSA public key omitted]
Public Keys are just numbers
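What the bytes of "a typical public key" are: the PKCS#1 RSAPublicKey structure, SEQUENCE (tag 30) of two INTEGERs (tag 02), modulus then public exponent. Added Python example, not part of the deck: it encodes a constructed key into that DER form and parses it back with strict length and trailing-data checks; the exponent 65537 encodes to the 02 03 01 00 01 shown in the certificate slides' "Public" field.

```python
def der_length(n: int) -> bytes:
    """DER length: one byte if < 128, else 0x80|count followed by count big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_integer(v: int) -> bytes:
    """DER INTEGER; a leading 00 keeps a value with its top bit set positive."""
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body

def encode_rsa_public_key(n: int, e: int) -> bytes:
    inner = der_integer(n) + der_integer(e)
    return b"\x30" + der_length(len(inner)) + inner

def _read_tlv(buf: bytes, pos: int, tag: int):
    """Return (content, next_pos) for the TLV at pos, enforcing tag, bounds and minimal length."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected tag or truncated header")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: 0x80|count, then count bytes
        count = length & 0x7f
        if not 1 <= count <= 4 or pos + count > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + count], "big")
        if length < 0x80 or (count > 1 and buf[pos] == 0):
            raise ValueError("non-minimal length encoding")  # DER forbids it
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated content")
    return buf[pos:pos + length], pos + length

def decode_rsa_public_key(der: bytes):
    """Parse RSAPublicKey into (n, e); rejects trailing data and malformed structure."""
    seq, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after SEQUENCE")
    n_bytes, pos = _read_tlv(seq, 0, 0x02)
    e_bytes, pos = _read_tlv(seq, pos, 0x02)
    if pos != len(seq):
        raise ValueError("extra elements in SEQUENCE")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")
```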
Certificates: Identity Principals
A principal (or subject) is an entity (person, machine, SW program, etc.) that owns a public/private key pair.
A certificate binds a particular key pair to a principal using “unique” information:
• The Distinguished Name
• A Unique ID
• An e-mail address
• etc.
Version: 3
Serial Number: 01234567890
subject: David M. Wheeler, Intel, HPG, Chandler, AZ, US
subjectID: 10640401
Public: 0203010001
Modulus: 02400a66791dc6988168de7ab77419bb7fb0….
See RFC 2459 for a good example
But Can I Trust It?
PKI and Certificate Authorities
A Certificate is really only an identity claim
Trust is bound into the certificate using a digital signature from someone you would likely trust (your grandmother, your bank, your company, your government)
This trusted entity is called a Certificate Authority or CA
Version: 3
Serial Number: 01234567890
subject: David M. Wheeler, Intel, HPG, Chandler, AZ, US
subject ID: 10640401
Public: 0203010001
Modulus: 02400a66791dc6988168de7ab77419bb7fb0….
Issuer: Intel Corp
Issuer ID: 111xyz3456
INTEL DIGITAL SIGNATURE
An Example PKI
[Diagram: a PKI hierarchy with a Root (i.e. Verisign) at the top; CAs (CA - Intel, CA - HPG, CA - MS, CA - IAL, CA - Other) whose certificates are signed by the level above and which issue certificates in turn; and a Self-Signed Certificate outside the chain]
Verifying a certificate involves checking the digital signature on the certificate, and the signer of the certificate, all the way up the chain to a trusted entity in the hierarchy (possibly the root).
What Are The Issues With Public Key?
» Does PK technology really solve all the problems of secure communication?
No. There are issues involved with transmitting the correct pieces, encrypted with the correct key, combined in the correct order. Secure protocols are used to guarantee the trust associated with public keys and reduce the risk of misuse.
» How do I get other people’s public key? How do other people get my public keys?
The easy answer is by using an X.500 directory service. However, there are many hidden issues involved here: Who runs the directory? Can you trust them? How do all your applications get access to the directory? What protocols should I use? Should I ever store public keys locally? How many should I store? How often should I refresh them?
» What prevents someone from creating keys and pretending to be me?
Because the Public keys are enclosed in a certificate (basically a signed envelope) they are guaranteed to be as trusted as the CA chain that signed the certificate. Who can be a CA? Do I have to pay a CA or a root for signing my keys? Can I be this entity for myself? How do I get this entity to sign my keys in the first place?
» How can I trust the public keys that I have?
This is accomplished by verifying the signature on the certificate that contains the public key. How do I verify that the signer is authentic? Using the PKI hierarchy up to a trusted root.
» What if I lose my private key? What if someone steals my private key?
Key revocation, Key recovery and Key escrow techniques may be used to protect against these occurrences; however, some of these approaches are not popular, and may not scale well, either.
Information Security:
Security Services
Confidentiality
» Threat: Disclosure
Integrity
» Threat: Modification
Identification & Authentication (I&A)
» Threat: Masquerade (Impersonation), Fabrication, Spoofing
Non-Repudiation
» Threat: Retraction, Replay, Spoofing
Reliability
» Threat: Denial of Service, Interruption
Access Control
» Threat: Eavesdropping, Permission violation, Penetration, Residue Recovery
Computer Security Basics, Russell and Gangemi, © 1991 O’Reilly & Associates
Threats, Vulnerabilities,
Safeguards and Counter-Measures
Security Policy: A written or implied statement about a system reflecting the expected support of CIA principles
Vulnerability: Characteristics of a system that make it susceptible to a particular threat
Threat: Any potential action or condition that risks a violation of the security policy by leveraging a vulnerability
Attack: An active instance of a threat attempting to leverage a vulnerability to overcome CIA principles (e.g. the security policy)
Safeguard: A passive security measure that prevents a threat from being successful
Counter-Measure: An active security measure that detects, and possibly reverses or diminishes, the negative effects of an attack
Example: A tank is vulnerable to being blown up; a threat on the battlefield is a shoulder-launched missile; a safeguard is increased armor around sensitive areas of the tank (engine, fuel storage, munitions storage); a counter-measure is a flare system to divert heat-seeking missiles away from the tank engine