William Stallings, Cryptography and Network Security 5/e


Network Security Essentials, Fourth Edition, by William Stallings
Chapter 3
Lecture slides by Lawrie Brown
Chapter 9 – Public Key Cryptography and RSA
"Every Egyptian received two names, which were known respectively as the true name and the good name, or the great name and the little name; and while the good or little name was made public, the true or great name appears to have been carefully concealed."
—The Golden Bough, Sir James George Frazer
Message Authentication
- message authentication is concerned with:
  - protecting the integrity of a message
  - validating the identity of the originator
  - non-repudiation of origin (dispute resolution)
- the three alternative functions used:
  - hash function
  - message encryption
  - message authentication code (MAC)
Hash Functions
- condenses an arbitrary message to a fixed size: h = H(M)
- usually assume the hash function is public (no key involved)
- the hash is used to detect changes to the message
- want a cryptographic hash function:
  - computationally infeasible to find data mapping to a specific hash (one-way / preimage-resistance property)
  - computationally infeasible to find two data items with the same hash (collision-free property)
Two Simple Insecure Hash Functions
- consider two simple insecure hash functions
- bit-by-bit exclusive-OR (XOR) of every block:
  - C_i = b_i1 xor b_i2 xor ... xor b_im
  - a longitudinal redundancy check
  - reasonably effective as a data integrity check against random errors
- one-bit circular shift on the hash value for each successive n-bit block:
  - rotate the current hash value to the left by 1 bit and XOR in the block
  - good for data integrity but useless for security: an attacker who can choose the data can reorder blocks, or append one chosen block, and hit any hash value they want
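The two functions above, with the collisions that make them useless for security, as an added example (not code from the slides). Block size, the sample message and the attacker's replacement message are constructed here; `swap_blocks` shows that XOR-of-blocks ignores block order, and `forge_rxor` shows that the rotate-and-XOR variant lets an attacker append one block that forces the hash to any target value.

```python
"""The two 'simple insecure hash functions' from the slide, with the
collisions that make them useless for security.

Added example, not code from the slides. Block size and the sample
messages are constructed for illustration.
"""

BLOCK_BITS = 16  # n-bit blocks; 16 keeps the integers small for the demo


def to_blocks(data: bytes, n_bits=BLOCK_BITS):
    """Split data into n-bit blocks (zero-padded at the end), as integers."""
    n_bytes = n_bits // 8
    data = data + b"\x00" * (-len(data) % n_bytes)
    return [int.from_bytes(data[i:i + n_bytes], "big")
            for i in range(0, len(data), n_bytes)]


def xor_hash(data: bytes, n_bits=BLOCK_BITS) -> int:
    """C_i = b_i1 xor b_i2 xor ... xor b_im (longitudinal redundancy check)."""
    h = 0
    for b in to_blocks(data, n_bits):
        h ^= b
    return h


def rotl(v: int, n_bits: int) -> int:
    """Rotate an n-bit value left by one bit."""
    return ((v << 1) | (v >> (n_bits - 1))) & ((1 << n_bits) - 1)


def rxor_hash(data: bytes, n_bits=BLOCK_BITS) -> int:
    """Rotate the current hash left by 1 bit, then XOR in the next block."""
    h = 0
    for b in to_blocks(data, n_bits):
        h = rotl(h, n_bits) ^ b
    return h


def swap_blocks(data: bytes, n_bits=BLOCK_BITS) -> bytes:
    """Reverse the block order: XOR is commutative, so xor_hash is unchanged."""
    n_bytes = n_bits // 8
    blocks = to_blocks(data, n_bits)
    blocks.reverse()
    return b"".join(b.to_bytes(n_bytes, "big") for b in blocks)


def forge_rxor(original: bytes, attacker_msg: bytes, n_bits=BLOCK_BITS) -> bytes:
    """Append one block to attacker_msg so that rxor_hash matches original.

    After the attacker's blocks the state is h; the next step computes
    rotl(h) ^ b, so choosing b = rotl(h) ^ target lands exactly on target.
    """
    target = rxor_hash(original, n_bits)
    h = rxor_hash(attacker_msg, n_bits)
    n_bytes = n_bits // 8
    # pad to a block boundary so the appended fix-up block is a whole block
    padded = attacker_msg + b"\x00" * (-len(attacker_msg) % n_bytes)
    fix = rotl(h, n_bits) ^ target
    return padded + fix.to_bytes(n_bytes, "big")
```

Both attacks work with zero knowledge of anything secret, which is the point: these functions detect noise, not adversaries.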
Hash Function Requirements
Attacks on Hash Functions
- have brute-force attacks and cryptanalysis
- a preimage or second preimage attack:
  - find y s.t. H(y) equals a given hash value (about 2^m work for an m-bit hash)
- collision resistance:
  - find two messages x & y with the same hash so H(x) = H(y)
- the value 2^(m/2) determines the strength of the hash code against brute-force (birthday) attacks
- hence 128 bits is inadequate, 160 bits suspect
Secure Hash Algorithm
- SHA originally designed by NIST & NSA in 1993
- was revised in 1995 as SHA-1
- US standard for use with the DSA signature scheme
  - standard is FIPS 180-1 1995, also Internet RFC3174
  - nb. the algorithm is SHA, the standard is SHS
- based on the design of MD4 with key differences
- produces 160-bit hash values
- 2005 results on the security of SHA-1 raised concerns about its use in future applications (practical SHA-1 collisions have since been published, so it should no longer be used for signatures or certificates)
Revised Secure Hash Standard
- NIST issued revision FIPS 180-2 in 2002
- adds 3 additional versions of SHA: SHA-256, SHA-384, SHA-512
- designed for compatibility with the increased security provided by the AES cipher
- structure & detail is similar to SHA-1
- hence analysis should be similar
- but security levels are rather higher
SHA Versions (all sizes in bits)

                      SHA-1    SHA-224  SHA-256  SHA-384  SHA-512
Message digest size   160      224      256      384      512
Message size          < 2^64   < 2^64   < 2^64   < 2^128  < 2^128
Block size            512      512      512      1024     1024
Word size             32       32       32       64       64
Number of steps       80       64       64       80       80
SHA-512 Overview
SHA-512 Compression Function
- heart of the algorithm
- processing the message in 1024-bit blocks
- consists of 80 rounds
  - updating a 512-bit buffer
  - using a 64-bit value W_t derived from the current message block
  - and a round constant K_t based on the fractional part of the cube root of the first 80 prime numbers
Keyed Hash Functions as MACs
- want a MAC based on a hash function
  - because hash functions are generally faster
  - crypto hash function code is widely available
- hash includes a key along with the message
- original proposal: KeyedHash = Hash(Key|Message)
  - some weaknesses were found with this (Merkle-Damgård hashes such as MD5 and SHA-1 allow length extension: given Hash(Key|Message), an attacker can compute a valid tag for Message|padding|suffix without knowing Key)
- eventually led to the development of HMAC
HMAC Design Objectives
- use, without modifications, hash functions
- allow for easy replaceability of the embedded hash function
- preserve the original performance of the hash function without significant degradation
- use and handle keys in a simple way
- have well understood cryptographic analysis of authentication mechanism strength
HMAC
- specified as Internet standard RFC2104
- uses the hash function on the message:
  HMAC_K(M) = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]
- where K+ is the key padded out to the hash block size (a key longer than a block is hashed first)
- opad, ipad are specified padding constants (the byte 0x5C, resp. 0x36, repeated to the block size)
- overhead is just 3 more hash calculations than the message needs alone
- any hash function can be used
  - eg. MD5, SHA-1, RIPEMD-160, Whirlpool
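HMAC written out directly from the formula above and checked against Python's `hmac` module, as an added example (not code from the slides). The keys and message are constructed; the hash name is a parameter so the "easy replaceability of the embedded hash function" objective can be exercised.

```python
"""HMAC built from the slide's formula
    HMAC_K(M) = Hash[(K+ xor opad) || Hash[(K+ xor ipad) || M]]
and compared against the standard library's hmac module.

Added example, not code from the slides; keys and messages are constructed.
"""
import hashlib
import hmac


def hmac_from_formula(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    block = hashlib.new(hash_name).block_size   # b bytes: 64 for SHA-256, 128 for SHA-512
    # K+ : a key longer than one block is hashed first; then zero-pad to b bytes
    if len(key) > block:
        key = hashlib.new(hash_name, key).digest()
    k_plus = key.ljust(block, b"\x00")
    k_ipad = bytes(b ^ 0x36 for b in k_plus)    # K+ xor ipad
    k_opad = bytes(b ^ 0x5C for b in k_plus)    # K+ xor opad
    inner = hashlib.new(hash_name, k_ipad + message).digest()
    return hashlib.new(hash_name, k_opad + inner).digest()


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """True if the hand-built HMAC equals hmac.new(key, message, hash_name)."""
    return hmac_from_formula(key, message, hash_name) == hmac.new(key, message, hash_name).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Constant-time comparison: a plain == leaks, byte by byte, how much of
    the tag the attacker already has right."""
    return hmac.compare_digest(hmac_from_formula(key, message, hash_name), tag)
```

The only non-obvious step is the key handling: keys shorter than a block are zero-padded, keys longer than a block are replaced by their hash, and the two constants are per-byte XOR masks, not appended strings.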
HMAC Overview
HMAC Security
- proven security of HMAC relates to that of the underlying hash algorithm
- attacking HMAC requires either:
  - brute-force attack on the key used
  - birthday attack (but since it is keyed, the attacker would need to observe a very large number of messages)
- choose the hash function used based on speed versus security constraints
CMAC
- previously saw the DAA (CBC-MAC)
- widely used in govt & industry
- but has a message size limitation (secure only when all messages have one fixed length)
- can overcome using 2 keys & padding
- thus forming the Cipher-based Message Authentication Code (CMAC)
- adopted by NIST SP800-38B
CMAC Overview
Authenticated Encryption
- simultaneously protect confidentiality and authenticity of communications
  - often required but usually done separately
- approaches:
  - Hash-then-encrypt: E(K, (M || H(M)))
  - MAC-then-encrypt: E(K2, (M || MAC(K1, M)))
  - Encrypt-then-MAC: (C = E(K2, M), T = MAC(K1, C))
  - Encrypt-and-MAC: (C = E(K2, M), T = MAC(K1, M))
- decryption / verification is straightforward
- but there are security vulnerabilities with all of these when composed carelessly; encrypt-then-MAC with independent keys is the one generic composition that is secure whenever the MAC is strong, because the tag is checked before anything is decrypted
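Encrypt-then-MAC in code, as an added example (not from the slides). Python's standard library has no AES, so the confidentiality layer here is a CTR-style keystream derived from SHA-256, a stand-in for AES-CTR chosen only so the example runs offline (real deployments use AES-GCM or ChaCha20-Poly1305); the MAC is HMAC-SHA256 from the standard library, and the master key, nonce and message are constructed. The point it shows is the ordering: the tag is verified over the ciphertext first, and a flipped bit anywhere in the packet is rejected without ever running the decryptor.

```python
"""Encrypt-then-MAC with two independent keys: C = E(K2, M), T = MAC(K1, C).

Added example, not code from the slides. The keystream cipher below is a
SHA-256 counter-mode stand-in for AES-CTR (the standard library has no AES);
keys, nonces and messages are constructed.
"""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(master: bytes):
    """Two independent keys from one master: K2 for encryption, K1 for the MAC."""
    k_enc = hmac.new(master, b"enc", "sha256").digest()
    k_mac = hmac.new(master, b"mac", "sha256").digest()
    return k_enc, k_mac


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR construction: block_i = H(key || nonce || i), XORed with the data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt_then_mac(master: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Returns nonce || C || T, with T = HMAC(K1, nonce || C)."""
    k_enc, k_mac = derive_keys(master)
    nonce = nonce or os.urandom(NONCE_LEN)
    c = keystream_xor(k_enc, nonce, plaintext)
    t = hmac.new(k_mac, nonce + c, "sha256").digest()
    return nonce + c + t


def mac_then_decrypt(master: bytes, packet: bytes):
    """Verify the tag first; only then decrypt. Returns None on any failure,
    so a forged or tampered ciphertext never reaches the decryptor (this is
    exactly what MAC-then-encrypt designs give up)."""
    k_enc, k_mac = derive_keys(master)
    if len(packet) < NONCE_LEN + TAG_LEN:
        return None
    nonce, c, t = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(k_mac, nonce + c, "sha256").digest()
    if not hmac.compare_digest(expected, t):
        return None
    return keystream_xor(k_enc, nonce, c)


def flip_bit(packet: bytes, index: int) -> bytes:
    """Attacker's modification: flip the low bit of one byte."""
    b = bytearray(packet)
    b[index] ^= 0x01
    return bytes(b)
```

Binding the nonce into the MAC input matters: with a stream cipher, an attacker who can change the nonce without invalidating the tag can make the receiver decrypt under a different keystream.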

Counter with Cipher Block Chaining-Message Authentication Code (CCM)
- NIST standard SP 800-38C, used for WiFi (WPA2)
- a variation of the encrypt-and-MAC approach
- algorithmic ingredients:
  - AES encryption algorithm
  - CTR mode of operation
  - CBC-MAC authentication algorithm (the "CBC-MAC" in the name; not the two-key CMAC variant)
- a single key is used for both encryption & MAC
CCM Operation
Private-Key Cryptography
- traditional private/secret/single-key cryptography uses one key
- shared by both sender and receiver
- if this key is disclosed, all communications are compromised
- also is symmetric: the parties are equal
- hence it does not protect the sender from the receiver forging a message and claiming it was sent by the sender

Public-Key Cryptography
- probably the most significant advance in the 3000-year history of cryptography
- uses two keys: a public key and a private key
- asymmetric since the parties are not equal
- uses clever application of number-theoretic concepts (problems that are easy in one direction and hard to reverse)
- complements rather than replaces private-key cryptography
2
Why Public-Key
Cryptography?
2


porblemi çözmek için kullanılır:
Anahtar değiştokuşu– Bir KDC a ihtiyaç
duymadan nasıl güvenli iletişim kurulabilir.
digital signatures – gerçek gönderenden
mesaj değişmeden nasıl gönderilir.
gönderdiğimiz mesajların içinde tam
güvenlik. Askeri, Ticari, kişisel
 public invention due to Whitfield Diffie &
Martin Hellman at Stanford Uni in 1976
 Kendi

Belirli bir grup tarafından daha önceden
biliniyordu 1960
Public-Key Cryptography
- public-key/two-key/asymmetric cryptography involves the use of two keys:
  - a public key, which may be known by anybody, and can be used to encrypt messages and verify signatures
  - a related private key, known only to the recipient, used to decrypt messages and to sign (create) signatures
- it is infeasible to determine the private key from the public key
- is asymmetric because:
  - those who encrypt messages or verify signatures cannot decrypt messages or create signatures
Public-Key Cryptography
Symmetric vs Public-Key
RSA
- by Rivest, Shamir & Adleman (RSA) of MIT in 1977
- best known and most widely used public-key scheme
- based on modular exponentiation over the integers modulo n = p·q (exponentiation is easy)
- uses large integers (e.g. 1024 bits; 1024-bit moduli are no longer considered adequate, 2048 bits is the current minimum)
- security is due to the cost of factoring large numbers
RSA En/decryption
- to encrypt a message M the sender:
  - obtains the public key of the recipient PU = {e, n}
  - computes C = M^e mod n, where 0 ≤ M < n
- to decrypt the ciphertext C the owner:
  - uses their private key PR = {d, n}
  - computes M = C^d mod n
- note that the message M must be smaller than the modulus n (block it if needed)
RSA Key Setup
- each user generates a public/private key pair by:
  - selecting two large primes at random: p, q
  - computing their product to form the modulus: n = p·q
  - computing ø(n) = (p−1)(q−1)
  - selecting the encryption key e, where 1 < e < ø(n) and gcd(e, ø(n)) = 1 (gcd = greatest common divisor)
  - solving the following equation to find the decryption key d: e·d ≡ 1 mod ø(n) and 0 ≤ d ≤ n
- publish the public key: PU = {e, n}
- keep secret the private key: PR = {d, n}
Why RSA Works
- because of Euler's Theorem:
  - a^ø(n) mod n = 1 where gcd(a, n) = 1
- in RSA have:
  - n = p·q
  - ø(n) = (p−1)(q−1)
  - e and d are carefully chosen to be inverses mod ø(n)
  - hence e·d = 1 + k·ø(n) for some k
- hence:
  C^d = M^(e·d) = M^(1 + k·ø(n)) = M^1·(M^ø(n))^k = M^1·(1)^k = M^1 = M mod n
- (the Euler step needs gcd(M, n) = 1; the remaining cases follow by applying Fermat's little theorem modulo p and modulo q separately and combining with the Chinese Remainder Theorem)
RSA Example - Key Setup
1. Select primes: p = 17 & q = 11
2. Calculate n = pq = 17 × 11 = 187
3. Calculate ø(n) = (p–1)(q–1) = 16 × 10 = 160
4. Select e: gcd(e, 160) = 1; choose e = 7
5. Determine d: d·e ≡ 1 mod 160 and d < 160
   Value is d = 23 since 23 × 7 = 161 = 1 × 160 + 1
6. Publish public key PU = {7, 187}
7. Keep secret private key PR = {23, 187}
RSA Example - En/Decryption
- sample RSA encryption/decryption:
- given message M = 88 (nb. 88 < 187)
- encryption: C = 88^7 mod 187 = 11
- decryption: M = 11^23 mod 187 = 88
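The key-setup steps and the worked example above in code, as an added example (not from the slides). `make_keypair` follows the seven steps with the slide's p = 17, q = 11, e = 7; `generate_keypair` goes beyond the slide by searching for random primes with a Miller-Rabin test so that a SHA-256 digest fits under the modulus and can be signed (hash-then-sign). The `malleability_demo` function is also an addition: it shows why "textbook" RSA as written here is never used directly, since E(m1)·E(m2) = E(m1·m2) lets anyone manufacture related ciphertexts. Primes, seeds and messages are constructed.

```python
"""Textbook RSA: key setup, en/decryption, hash-then-sign, and a caveat.

Added example, not code from the slides. Reproduces the slide's toy key
(p=17, q=11, e=7) and also generates a larger key with a Miller-Rabin
prime search so a SHA-256 digest can be signed.
"""
import hashlib
import random
from math import gcd


def is_probable_prime(n: int, rounds: int = 32, rng=random) -> bool:
    """Miller-Rabin probabilistic primality test (trial division first)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int, rng) -> int:
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng=rng):
            return cand


def make_keypair(p: int, q: int, e: int):
    """Slide steps 2-7: n, phi(n), check gcd(e, phi) = 1, d = e^-1 mod phi."""
    assert p != q and is_probable_prime(p) and is_probable_prime(q)
    n = p * q
    phi = (p - 1) * (q - 1)
    assert 1 < e < phi and gcd(e, phi) == 1
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)        # PU = {e, n}, PR = {d, n}


def generate_keypair(bits: int = 512, e: int = 65537, seed=None):
    """Step 1 done properly: two random primes of bits/2 each."""
    rng = random.Random(seed)
    while True:
        p = random_prime(bits // 2, rng)
        q = random_prime(bits // 2, rng)
        if p != q and gcd(e, (p - 1) * (q - 1)) == 1:
            return make_keypair(p, q, e)


def encrypt(pub, m: int) -> int:
    e, n = pub
    assert 0 <= m < n, "message block must be smaller than the modulus"
    return pow(m, e, n)                      # C = M^e mod n


def decrypt(priv, c: int) -> int:
    d, n = priv
    return pow(c, d, n)                      # M = C^d mod n


def sign(priv, message: bytes) -> int:
    """Hash-then-sign: s = H(M)^d mod n (requires n > 2^256)."""
    d, n = priv
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    assert h < n
    return pow(h, d, n)


def verify(pub, message: bytes, sig: int) -> bool:
    e, n = pub
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(sig, e, n) == h % n


def textbook_example():
    """The slide's numbers: PU={7,187}, PR={23,187}, 88 -> 11 -> 88."""
    pub, priv = make_keypair(17, 11, 7)
    c = encrypt(pub, 88)
    return pub, priv, c, decrypt(priv, c)


def malleability_demo(pub, m1: int, m2: int) -> bool:
    """Textbook RSA is multiplicatively homomorphic: E(m1)*E(m2) = E(m1*m2 mod n)."""
    e, n = pub
    return (encrypt(pub, m1) * encrypt(pub, m2)) % n == encrypt(pub, (m1 * m2) % n)
```

Real systems wrap M in a padding scheme (OAEP for encryption, PSS for signatures) precisely to kill the homomorphism that `malleability_demo` exhibits; the bare `pow` calls here are the textbook scheme from the slide and nothing more.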
Diffie-Hellman Key Exchange
- first public-key type scheme proposed
- by Diffie & Hellman in 1976 along with the exposition of public key concepts
  - note: now know that Williamson (UK CESG) secretly proposed the concept in 1970
- is a practical method for public exchange of a secret key to be used by a subsequent cipher
- used in a number of commercial products
Diffie-Hellman Key Exchange
- a public-key distribution scheme:
  - cannot be used to exchange an arbitrary message
  - rather it can establish a common key
  - known only to the two participants
  - the value of the key depends on the participants (and their private and public key information)
- based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) - easy
- security relies on the difficulty of computing discrete logarithms (similar to factoring) - hard
Diffie-Hellman Setup
- all users agree on global parameters:
  - a large prime integer or polynomial q
  - a, a primitive root mod q
    • a primitive root a is a number whose powers successively generate all the elements mod q
- each user (eg. A) generates their key:
  - chooses a secret key (number): x_A < q
  - computes their public key: y_A = a^x_A mod q
- each user makes public that key y_A
  • for an attacker monitoring the exchange of the y's to recover either of the x's, they'd need to solve the discrete logarithm problem, which is hard
Diffie-Hellman Key Exchange
- the shared session key for users A & B is K_AB:
  K_AB = a^(x_A·x_B) mod q
       = y_A^x_B mod q (which B can compute)
       = y_B^x_A mod q (which A can compute)
- K_AB is used as the session key in a private-key encryption scheme between Alice and Bob
- as long as Alice and Bob keep using the same public keys they will derive the same secret for later communications (choosing fresh keys per session is what gives forward secrecy)
- the attacker needs an x, and must therefore solve the discrete logarithm
Diffie-Hellman Example
- users Alice & Bob who wish to swap keys:
- agree on prime q = 353 and a = 3
- select random secret keys:
  - A chooses x_A = 97, B chooses x_B = 233
- compute respective public keys:
  - y_A = 3^97 mod 353 = 40 (Alice)
  - y_B = 3^233 mod 353 = 248 (Bob)
- compute the shared session key as:
  - K_AB = y_B^x_A mod 353 = 248^97 mod 353 = 160 (Alice)
  - K_AB = y_A^x_B mod 353 = 40^233 mod 353 = 160 (Bob)
Key Exchange Protocols
- users could create random private/public D-H keys each time they communicate
- users could create a known private/public D-H key and publish it in a directory, which is then consulted and used to communicate securely with them
- both are vulnerable to a man-in-the-middle attack
- authentication of the keys is needed
Man-in-the-Middle Attack
1. Darth prepares by creating two private/public key pairs
2. Alice transmits her public key to Bob
3. Darth intercepts this and transmits his first public key to Bob. Darth also calculates a shared key with Alice
4. Bob receives the public key and calculates the shared key (with Darth instead of Alice)
5. Bob transmits his public key to Alice
6. Darth intercepts this and transmits his second public key to Alice. Darth calculates a shared key with Bob (who believes it is shared with Alice)
7. Darth can then intercept, decrypt, re-encrypt and forward, or modify, all messages between Alice & Bob

The same steps in the notation of the setup slide:
1. Darth: (Y_D1, X_D1), (Y_D2, X_D2)
2. Alice ---> "Bob": Y_A
3. Darth ---> Bob: Y_D1; Darth computes K2 = (Y_A)^X_D2 mod q
4. Bob, using Y_D1: K1 = (Y_D1)^X_B mod q
5. Bob ---> "Alice": Y_B
6. Darth ---> Alice: Y_D2; Darth computes K1 = (Y_B)^X_D1 mod q
7. Alice, using Y_D2: K2 = (Y_D2)^X_A mod q
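The Diffie-Hellman exchange with the slide's parameters (q = 353, a = 3, x_A = 97, x_B = 233) and the man-in-the-middle attack just described, as an added example (not code from the slides). All three parties run in one process; the "wire" is just function arguments, and Darth's two private values are constructed from a seeded generator. The result shows the attack's signature: Alice's key equals Darth's K2 and Bob's key equals Darth's K1, while neither honest party sees anything wrong.

```python
"""Diffie-Hellman with the slide's parameters, plus the man-in-the-middle
attack on an unauthenticated exchange.

Added example, not code from the slides. Alice, Bob and Darth are simulated
in one process; Darth's secrets are constructed from a seeded RNG.
"""
import random

Q = 353   # the slide's small prime; real deployments use >= 2048-bit groups
A = 3     # primitive root mod 353 (the slide's "a")


def dh_public(x: int, q: int = Q, a: int = A) -> int:
    """y = a^x mod q"""
    return pow(a, x, q)


def dh_shared(their_public: int, my_private: int, q: int = Q) -> int:
    """K = y^x mod q"""
    return pow(their_public, my_private, q)


def honest_exchange(x_a: int = 97, x_b: int = 233):
    """Returns (y_A, y_B, K as Alice computes it, K as Bob computes it)."""
    y_a = dh_public(x_a)
    y_b = dh_public(x_b)
    return y_a, y_b, dh_shared(y_b, x_a), dh_shared(y_a, x_b)


def mitm_exchange(x_a: int = 97, x_b: int = 233, seed: int = 0):
    """Darth relays the exchange, substituting his own public keys."""
    rng = random.Random(seed)
    x_d1, x_d2 = rng.randrange(1, Q), rng.randrange(1, Q)   # step 1
    y_d1, y_d2 = dh_public(x_d1), dh_public(x_d2)
    y_a = dh_public(x_a)                    # step 2: Alice -> "Bob": Y_A (intercepted)
    k2_darth = dh_shared(y_a, x_d2)         # step 3: Darth -> Bob: Y_D1; K2 = Y_A^X_D2
    k_bob = dh_shared(y_d1, x_b)            # step 4: Bob: K1 = Y_D1^X_B
    y_b = dh_public(x_b)                    # step 5: Bob -> "Alice": Y_B (intercepted)
    k1_darth = dh_shared(y_b, x_d1)         # step 6: Darth -> Alice: Y_D2; K1 = Y_B^X_D1
    k_alice = dh_shared(y_d2, x_a)          # step 7: Alice: K2 = Y_D2^X_A
    return {"alice": k_alice, "bob": k_bob,
            "darth_with_alice": k2_darth, "darth_with_bob": k1_darth}
```

Nothing in the arithmetic distinguishes `honest_exchange` from `mitm_exchange` from Alice's or Bob's point of view; only an authenticated binding of y_A and y_B to their owners (signatures, certificates, or a prior shared secret) closes the gap.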
Digital Signatures
- have looked at message authentication
  - but it does not address issues of lack of trust
- digital signatures provide the ability to:
  - verify author, date & time of signature
  - authenticate message contents
  - be verified by third parties to resolve disputes
- hence include the authentication function with additional capabilities

Digital Signature Model
Digital Signatures
Lets receiver verify the message is authentic
- Symmetric-Key signatures »
- Public-Key signatures »
- Message digests »
- The birthday attack »
CN5E by Tanenbaum & Wetherall, © Pearson Education/Prentice Hall and D. Wetherall, 2011
Digital Signatures (1)
Requirements for a signature:
- Receiver can verify claimed identity of sender.
- Sender cannot later repudiate contents of message.
- Receiver cannot have concocted message himself.
Symmetric-key Signatures
Alice and Bob each trust and share a key with Big Brother; Big Brother doesn't trust anyone
- A = Alice, B = Bob, P = message, RA = random, t = time
- (figure) Only Alice can send this encrypted message to BB; only BB can send this encrypted message to Bob
Public-Key Signatures
No Big Brother, and assumes encryption and decryption are inverses that can be applied in either order
- But relies on the private key being kept secret
- RSA & DSS (Digital Signature Standard) widely used
Message Digests (1)
Message Digest (MD) converts an arbitrary-size message (P) into a fixed-size identifier MD(P) with properties:
- Given P, easy to compute MD(P).
- Given MD(P), effectively impossible to find P.
- Given P, no one can find P′ so that MD(P′) = MD(P).
- Changing 1 bit of P produces a very different MD.
Message digests (also called cryptographic hashes) can "stand for" messages in protocols, e.g., authentication
- Example: SHA-1 160-bit hash, widely used (collisions have since been demonstrated; use SHA-2 or SHA-3 for new designs)
- Example: MD5 128-bit hash – now known broken
Message Digests (2)
Public-key signature for message authenticity but not confidentiality with a message digest
- (figure) Message sent in the clear; Alice signs the message digest

Message Digests (3)
In more detail: example of using SHA-1 message digest and RSA public key for signing nonsecret messages

Message Digests (4)
SHA-1 digests the message 512 bits at a time to build a 160-bit hash as five 32-bit components
- (figure) Message in 512-bit blocks → SHA-1 → five 32-bit hash words output
Birthday Attack
How hard is it to find a message P′ that has the same message digest as P?
- Such a collision will allow P′ to be substituted for P!
Analysis:
- An N-bit hash has 2^N possible values
- Expect to test 2^N messages, given P, to find P′ (a second preimage)
- But expect only 2^(N/2) messages to find a collision (any pair of messages with the same digest)
- This is the birthday attack
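The 2^N versus 2^(N/2) analysis above, and the brute-force attack figures in the earlier "Attacks on Hash Functions" slide, measured rather than stated, as an added example (not from the slides). SHA-256 is truncated to N bits purely so the search finishes in a second; the message prefixes are constructed. A collision search on a 32-bit digest succeeds after on the order of 2^16 messages, while a second-preimage search even on a 14-bit digest needs on the order of 2^14.

```python
"""Birthday search against a truncated SHA-256: how many messages a collision
takes versus a second preimage, compared with 2^(N/2) and 2^N.

Added example, not code from the slides; the digest is truncated to N bits
only so the searches finish quickly.
"""
import hashlib


def trunc_hash(msg: bytes, n_bits: int) -> int:
    """First n_bits of SHA-256, as an integer (a toy 'N-bit hash')."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return h >> (256 - n_bits)


def find_collision(n_bits: int, prefix: bytes = b"msg-"):
    """Hash msg-0, msg-1, ... until two messages share a digest.
    Returns (m1, m2, number_of_messages_hashed)."""
    seen = {}
    i = 0
    while True:
        m = prefix + str(i).encode()
        d = trunc_hash(m, n_bits)
        if d in seen:
            return seen[d], m, i + 1
        seen[d] = m
        i += 1


def find_second_preimage(target: bytes, n_bits: int, prefix: bytes = b"alt-", limit: int = None):
    """Brute-force a message with the same digest as target.
    Returns (message_or_None, number_of_messages_hashed)."""
    want = trunc_hash(target, n_bits)
    limit = limit or 1 << (n_bits + 4)
    for i in range(limit):
        m = prefix + str(i).encode()
        if trunc_hash(m, n_bits) == want:
            return m, i + 1
    return None, limit


def birthday_bound(n_bits: int) -> float:
    """Expected work for a collision: about 2^(N/2) hashes."""
    return 2 ** (n_bits / 2)
```

The dictionary is the whole trick: every new digest is compared against all earlier ones at once, which is why the cost grows with the square root of the digest space. A practitioner sizing a hash for collision resistance therefore halves the nominal bit length.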
Management of Public Keys
We need a trusted way to distribute public keys
- Certificates »
- X.509, the certificate standard »
- Public Key infrastructures »
Management of Public Keys (1)
Trudy can subvert encryption if she can fake Bob's public key; Alice and Bob will not necessarily know
- (figure) Trudy replaces EB with ET and acts as a "man in the middle"
Certificates
CA (Certification Authority) issues signed statements about public keys; users trust the CA and it can be offline
- (figure) A possible certificate
X.509
X.509 is the standard for widely used certificates
- Ex: used with SSL/TLS for secure Web browsing
- (figure) Basic fields in X.509 certificates
Public Key Infrastructures (PKIs)
PKI is a system for managing public keys using CAs
- Scales with hierarchy, may have multiple roots
- Also need CRLs (Certificate Revocation Lists)
- (figure) Hierarchical PKI with a trust anchor; chain of certificates for CA 5
Authentication Protocols
Authentication verifies the identity of a remote party
- Shared Secret Key »
- Diffie-Hellman Key Exchange »
- Key Distribution Center »
- Kerberos »
- Public-Key Cryptography »
Authorization vs Authentication
• Authentication: whether you are actually communicating with a specific process.
• Authorization: what that process is permitted to do.
• Example: "Hey, I'm your boss, delete that debt file of Trudy."
  • Authentication: are you really the boss?
  • Authorization: is the boss really allowed to do such an activity?
Shared Secret Key (1)
Authenticating with a challenge-response (first attempt)
- Alice (A) and Bob (B) share a key KAB
- RX is random, KX(M) is M encrypted with key KX
- (figure) Challenge / Response exchange; Bob knows it's Alice; Alice knows it's Bob
Shared Secret Key (2)
A shortened two-way authentication (second attempt)
- But it is vulnerable to a reflection attack
Shared Secret Key (3)
Trudy impersonates Alice to Bob with a reflection attack
- A second session gets Bob to give Trudy the response
- (figure) Bob thinks he is talking to Alice now
Common pitfalls
1. Letting the responder give away authenticating information before the initiator has proved who they are.
2. Have the initiator and responder use different keys for their proofs, even if this means having two shared keys.
3. Have the initiator and responder draw their challenges from different sets, so that one side's challenge can never be replayed as the other's.
Shared Secret Key (4)
The first attempt is also vulnerable to a reflection attack!
- Trudy impersonates Bob to Alice after Alice initiates
- (figure) Alice thinks she is talking to Bob; Alice thinks she is talking to Bob again
Shared Secret Key (5)
Moral: Designing a correct authentication protocol is harder than it looks; errors are often subtle.
General design rules for authentication:
1. Have the initiator prove who she is before the responder does
2. Initiator and responder use different keys
3. Draw challenges from different sets
4. Make the protocol resistant to attacks involving a second parallel session
Shared Secret Key (6)
An authentication protocol that is not vulnerable
- HMAC (Hashed Message Authentication Code) is an authenticator, like a signature
- (figure) Alice knows it's Bob; Bob knows it's Alice
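The reflection attack from "Shared Secret Key (2)/(3)" and the HMAC-based protocol from "Shared Secret Key (6)" side by side, as an added example (not code from the slides). On the slides K_AB(x) is encryption under the shared key; here the keyed primitive for both protocols is HMAC-SHA256 so the whole thing runs on the standard library, which does not change the attack (Trudy never needs to invert anything, only to get Bob to compute a value for her). Bob is modeled as a responder that accepts several parallel sessions, which is the condition rule 4 above is about; Trudy holds no key.

```python
"""Reflection attack on the 'shortened two-way' challenge-response protocol,
and the HMAC protocol that resists it.

Added example, not code from the slides. The slides' K_AB(x) encryption is
replaced by HMAC-SHA256 as the keyed primitive; Trudy knows no key.
"""
import hmac
import os


def keyed(key: bytes, *parts: bytes) -> bytes:
    """The shared-key primitive: HMAC over the concatenated parts."""
    return hmac.new(key, b"|".join(parts), "sha256").digest()


class WeakBob:
    """Shortened protocol.  A -> B: A, R_A.   B -> A: R_B, K(R_A).   A -> B: K(R_B)."""

    def __init__(self, key: bytes):
        self.key, self.sessions = key, {}

    def msg1(self, sid, claimed_id: bytes, r_a: bytes):
        r_b = os.urandom(16)
        self.sessions[sid] = r_b
        return r_b, keyed(self.key, r_a)          # Bob answers the challenge at once

    def msg3(self, sid, response: bytes) -> bool:
        r_b = self.sessions.pop(sid)
        return hmac.compare_digest(response, keyed(self.key, r_b))


class StrongBob:
    """HMAC protocol.  A -> B: A, R_A.   B -> A: R_B, HMAC(R_A, R_B, A, B, K).
    A -> B: HMAC(R_A, R_B, K).  Bob's reply binds both nonces and both names,
    and the proof Alice must return has a shape Bob never emits himself."""

    def __init__(self, key: bytes):
        self.key, self.sessions = key, {}

    def msg1(self, sid, claimed_id: bytes, r_a: bytes):
        r_b = os.urandom(16)
        self.sessions[sid] = (claimed_id, r_a, r_b)
        return r_b, keyed(self.key, r_a, r_b, claimed_id, b"Bob")

    def msg3(self, sid, response: bytes) -> bool:
        _, r_a, r_b = self.sessions.pop(sid)
        return hmac.compare_digest(response, keyed(self.key, r_a, r_b))


def reflection_attack(bob) -> bool:
    """Trudy, claiming to be Alice, opens a second session to make Bob answer
    his own challenge, then replays that answer into the first session."""
    r_t = os.urandom(16)
    r_b1, _ = bob.msg1("s1", b"Alice", r_t)          # session 1: Bob challenges with R_B1
    _, bobs_answer = bob.msg1("s2", b"Alice", r_b1)  # session 2: feed R_B1 back as "R_A"
    return bob.msg3("s1", bobs_answer)               # replay Bob's answer into session 1


def honest_alice(bob, key: bytes) -> bool:
    """Alice, who does hold the key, completing the protocol with either Bob."""
    r_a = os.urandom(16)
    r_b, proof = bob.msg1("s", b"Alice", r_a)
    if isinstance(bob, StrongBob):
        if not hmac.compare_digest(proof, keyed(key, r_a, r_b, b"Alice", b"Bob")):
            return False
        return bob.msg3("s", keyed(key, r_a, r_b))
    if not hmac.compare_digest(proof, keyed(key, r_a)):
        return False
    return bob.msg3("s", keyed(key, r_b))
```

The fix is not a stronger primitive; it is that `StrongBob` never produces, in any session, a value that any other session would accept as a proof, which is rules 1 to 4 made concrete.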
Diffie-Hellman Key Exchange (1)
Lets two parties establish a shared secret
- An eavesdropper can't compute the secret g^xy mod n without knowing x or y
- (figure) both sides end up with the shared secret g^xy mod n

Diffie-Hellman Key Exchange (2)
But it is vulnerable to a man-in-the-middle attack
- Need to confirm identities, not just share a secret
- (figure) Alice and Trudy share g^xz mod n; Trudy and Bob share g^zy mod n
KDC – Key Distribution Center (1)
A trusted KDC removes the need for many shared secrets
- Alice and Bob share a secret only with the KDC (KA, KB)
- End up with KS, a shared secret session key
- The first attempt below is vulnerable to a replay attack in which Trudy captures and later replays messages
- (figure) Alice has session key KS; Bob has session key KS; Trudy can send the captured message later to impersonate Alice to Bob
Key Distribution Center (2)
The Needham-Schroeder authentication protocol
- Not vulnerable to replays; doesn't use timestamps
- (figure) Alice knows it's Bob; Bob knows it's Alice
Key Distribution Center (3)
The Otway-Rees authentication protocol (simplified)
- Slightly stronger than the previous one; Trudy can't replay even if she obtains a previous session key KS
Kerberos
Kerberos V5 is a widely used protocol (e.g., Windows)
- Authentication includes a TGS (Ticket Granting Server)
- (figure) Alice gets session key KS; Alice asks for a secret shared with Bob and gets shared key KAB plus a ticket; Bob gets key KAB from the ticket; Bob knows it's Alice; Alice knows it's Bob
Public-Key Cryptography
Mutual authentication using public-key cryptography
- Alice and Bob get each other's public keys (EA, EB) from a trusted directory; a shared KS is the result