544 Computer and Network Security

453 Network Security
Section 3b: Message Authentication
and Public-Key Cryptography
Dr. E.C. Kulasekere
Sri Lanka Institute of Information
Technology - 2006
Requirements for Hash Functions
• can be applied to any sized message M, produces fixed-length output h
• is easy to compute h=H(M) for any message M
• given h is infeasible to find x s.t. H(x)=h
– one-way property. See note 1 for reasoning.
• given x is infeasible to find y s.t. H(y)=H(x)
– weak collision resistance. Prevents forgery when encrypted hash functions are used.
– The opponent can read the message and also generate the hash code. But will not be able to alter it without detection since he does not have the secret key. Encryption of H(M) guarantees this. (note4)
• is infeasible to find any x,y s.t. H(y)=H(x)
– strong collision resistance
Simple Hash Functions
• based on XOR of message blocks
• not secure, since an opponent can manipulate any message and either leave the hash unchanged or change the hash as well.
C_i = b_i1 ⊕ b_i2 ⊕ ... ⊕ b_im
• C_i is the ith bit of the hash code
• m – number of n bit blocks in the input
• b_ij – ith bit of the jth block
Simple Hash Functions …
Improvement to Simple Hash Function (1)
• The above simple system is good for random data for an integrity check.
• Each n-bit hash value is equally likely.
• The probability that a data error will result in an unchanged hash value is (1/2)^n.
• For more predictably formatted data, the function is less effective.
• E.g. in most text files, the higher-order bit of each octet is mostly zero.
Improvement to Simple Hash Function (2)
• A known value will reduce the effectiveness of the hash function from 128 bits to 128-16=112 bits. This is because, for a 128-bit hash, 16 octets are lined up and each has its first bit 0, which effectively leaves only 112 bits of the hash value that can change. To improve on this, we incorporate randomness.
Improvements to Simple Hash Function
• Initially set the n-bit hash value to zero
• Process each successive n-bit block of data as follows
– Rotate current hash value to left by one bit.
– XOR the block into the hash value.
• This will randomize the input and overcome any regularities that appear in the input.
• This procedure provides good data integrity; however, if the plaintext is sent with the hash then there is no security. (note 2)
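Added example (not part of the original slides): the plain XOR hash and the rotate-then-XOR improvement for n = 8, showing that rotation makes block order matter but that, with no secret key, a changed message can still be padded back to the old hash. The function names and sample messages are assumptions made for this illustration.

```python
# Added illustration: the two "simple hash functions" from the slides, with n = 8.
# Function names and sample data are assumptions made for this example.

N = 8                      # hash width in bits; each block is one octet
MASK = (1 << N) - 1


def xor_hash(data: bytes) -> int:
    """C_i = b_i1 XOR b_i2 XOR ... XOR b_im, computed for all i at once."""
    h = 0
    for block in data:
        h ^= block
    return h


def rxor_hash(data: bytes) -> int:
    """Rotate the running hash left by one bit, then XOR in the next block."""
    h = 0
    for block in data:
        h = ((h << 1) | (h >> (N - 1))) & MASK
        h ^= block
    return h


def fixup_block(tampered: bytes, target: int) -> int:
    """Block that, appended to `tampered`, makes rxor_hash equal `target`."""
    h = rxor_hash(tampered)
    rotated = ((h << 1) | (h >> (N - 1))) & MASK
    return rotated ^ target


# Constructed sample messages (7-bit ASCII, as in the slides' text-file remark).
original = b"PAY 100 TO BOB"
reordered = b"PAY 001 TO BOB"       # same octets, two of them swapped
tampered = b"PAY 900 TO EVE"

# High-order bit of every octet is 0, so that hash bit carries no information.
top_bit_xor = xor_hash(original) >> (N - 1)

# Plain XOR ignores block order; the rotation makes position matter.
same_xor = xor_hash(original) == xor_hash(reordered)
same_rxor = rxor_hash(original) == rxor_hash(reordered)

# Without a secret key, anyone can pad a changed message back to the old hash.
forged = tampered + bytes([fixup_block(tampered, rxor_hash(original))])
forged_matches = rxor_hash(forged) == rxor_hash(original)
```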
Secure Hash Algorithm (SHA – 1)
• SHA was developed by the National
Institute of Standards and Technology.
• The algorithm takes as input a message
with maximum length of less than 2^64
bits.
• It produces an output of 160-bit message
digest.
• The input is processed in 512-bit blocks.
• The stages involved are (note 3)
– Append padding bits
– Append length
– Initialize (message digest) MD buffer
– Process message in 512-bit blocks
– Output
MD Generation using SHA-1
Note that this uses CBC mode
MD5 Message Digest Algorithm
• Similar to SHA-1 in structure.
• The algorithm takes as input a
message of arbitrary length and
produces as output a 128-bit message
digest.
• The input is processed in blocks of
512-bits.
• In recent times there have been concerns about brute-force and cryptanalytic compromises.
Comparison of SHA-1 and MD5
• Brute force attack is harder (160 vs 128 bits for
MD5). You have to scan 2^160 different options.
• not vulnerable to any known attacks (compared
to MD4/5)
• SHA-1 is a little slower than MD5 (80 vs 64
steps)
• both designed as simple and compact
• Both of these are cryptographic hash functions
that do not use a secret key as in the case of
MACs.
Comparison of Secure Hash Functions
                          SHA-1                 MD5                   RIPEMD-160
Digest length             160 bits              128 bits              160 bits
Basic unit of processing  512 bits              512 bits              512 bits
Number of steps           80 (4 rounds of 20)   64 (4 rounds of 16)   160 (5 paired rounds of 16)
Maximum message size      2^64-1 bits
HMAC
• We observe the following
– MAC codes depend on secret key cryptography
(block cipher) such as DES and are very slow.
– Cryptographic hash codes are much faster, especially in software.
• Hence developing a MAC derived from a cryptographic hash code such as SHA-1 will be interesting.
• However, hash functions such as SHA-1 are not designed for use as a MAC, since they do not use a secret key.
• HMAC is derived by incorporating a secret key into
an existing hash algorithm.
HMAC Design Objectives
• To use, without modifications, available hash functions.
• To allow for easy replacing of the embedded hash function in case faster or more secure hash functions are found or required.
• To preserve the original performance of the hash
function without incurring a significant degradation.
• To use and handle keys in a simple way.
• To have a well understood cryptographic analysis of
the strength of the authentication mechanism based on
reasonable assumptions on the embedded hash
function.
HMAC Algorithm
• uses hash function on the message:
HMAC_K = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]
• where K+ is the key padded out to size
• and opad, ipad are specified padding constants
Some Observations of HMAC
• The message M is divided into L blocks using
the padding specified by the hash function.
• If the length of the key K is greater than the
block size b, the key will be input to the hash
function to produce the n-bit key.
• K^+ is K padded with zeros on the left to get b-bit length. Note that n<b.
• ipad and opad have the characteristic of flipping one half of the bits in K. This is like generating two sub-keys from the original key.
• HMAC executes the hash function three times.
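Added example (not part of the original slides): the HMAC formula above built by hand around an unmodified hash from Python's hashlib and checked against the standard hmac module. It follows RFC 2104, where the zero bytes that extend the key to b bytes are appended to the end of the key; hmac_manual, verify and the sample key and message are assumptions made for this illustration.

```python
# Added illustration of HMAC = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]].
# hmac_manual, verify and the sample key/message are assumptions for this example.
import hashlib
import hmac


def hmac_manual(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """Build HMAC from an unmodified hash function taken from hashlib."""
    b = hashlib.new(hash_name).block_size     # block size in bytes (64 for SHA-1)

    # A key longer than one block is first hashed down to n bits.
    if len(key) > b:
        key = hashlib.new(hash_name, key).digest()

    # K+ : the key extended with zero bytes to exactly b bytes (RFC 2104 appends them).
    k_plus = key + b"\x00" * (b - len(key))

    # ipad = 0x36 repeated, opad = 0x5C repeated; each flips half of the key bits.
    inner_key = bytes(x ^ 0x36 for x in k_plus)
    outer_key = bytes(x ^ 0x5C for x in k_plus)

    inner = hashlib.new(hash_name, inner_key + message).digest()
    return hashlib.new(hash_name, outer_key + inner).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_manual(key, message), tag)


# Constructed sample values.
KEY = b"shared-secret-key"
MSG = b"transfer 100 to account 42"
TAG = hmac_manual(KEY, MSG)

# The hand-built result matches Python's own HMAC, and swapping the
# embedded hash (SHA-1 -> SHA-256) needs no change to the construction.
matches_stdlib = TAG == hmac.new(KEY, MSG, hashlib.sha1).digest()
matches_sha256 = (hmac_manual(KEY, MSG, "sha256")
                  == hmac.new(KEY, MSG, hashlib.sha256).digest())
long_key_ok = (hmac_manual(b"k" * 100, MSG)
               == hmac.new(b"k" * 100, MSG, hashlib.sha1).digest())
```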
Security of Hash Functions and MACs
• Just as in symmetric and public key encryption the
attacks are grouped into brute-force and cryptanalysis
categories.
• Brute force attacks for hash functions
– The strength of the hash function against brute force
attack depends on the length of the hash code
produced by the algorithm.
• Brute force attacks on MACs
– Here the attacker would like to come up with a valid
MAC code for a given message x.
– This can be done by exhaustively searching the
message space or exhaustively checking the key
space.
Security of Hash Functions and MACs …
• Cryptanalysis on Hash Functions
– This method seeks to exploit some property of the
algorithm to perform some attack rather than an
exhaustive search.
– This type of attack focuses on the internal structure of
the compression function.
– Based on finding out the bit change pattern from
round to round.
• Cryptanalysis of MACs
– Not much information is available.
– Based on a system similar to the attacks on
encryption algorithms.
Public-Key Cryptography Principles (1)
• public-key/two-key/asymmetric cryptography
involves two keys:
– a public-key, which may be known by anybody, and
can be used to encrypt messages, and verify
signatures
– a private-key, known only to the recipient, used to
decrypt messages, and sign (create) signatures
• is asymmetric because
– those who encrypt messages or verify signatures
cannot decrypt messages or create signatures
Public-Key Cryptography Principles (2)
• developed to address two key issues:
– key distribution – how to have secure
communications in general without having to
trust a KDC with your key
– digital signatures – how to verify a message
comes intact from the claimed sender
• public invention due to Whitfield Diffie &
Martin Hellman at Stanford Uni in 1976
Public-Key Characteristics
• Public-Key algorithms rely on two keys
with the characteristics that it is:
– computationally infeasible to find decryption
key knowing only algorithm & encryption key
– computationally easy to en/decrypt messages
when the relevant (en/decrypt) key is known
– either of the two related keys can be used for
encryption, with the other used for decryption
(in some schemes)
• can classify uses into 3 categories:
– encryption/decryption (provide secrecy)
– digital signatures (provide authentication)
– key exchange (of session keys)
Encryption
Authentication
Misconceptions about Public-Key Encryption
• Public key encryption is not more secure than
private key in terms of cryptanalysis. It depends on
– Length of the key
– Work involved in breaking the cipher.
• Public key method is not a general purpose
technique that has made conventional encryption
obsolete.
• Key distribution is not trivial in public key systems when compared to the key distribution centers (KDCs) used for conventional encryption.
– Some protocol is necessary for key distribution, and such protocols are liable to be insecure as well.
Public-Key Cryptography Requirements
1. Computationally easy for a party B to generate a pair
(public key KUb, private key KRb)
2. Easy for sender to generate ciphertext:
3. Easy for the receiver to decrypt ciphertext using private
key:
4. Computationally infeasible to determine private key
(KRb) knowing public key (KUb)
5. Computationally infeasible to recover message M,
knowing KUb and ciphertext C
6. Either of the two keys can be used for encryption, with
the other used for decryption:
M = D_KRb[E_KUb(M)] = D_KUb[E_KRb(M)]
Public-Key Crypto Systems
DSS = Digital Signature Standard
RSA Public-Key Algorithm
• Ron Rivest, Adi Shamir and Len Adleman at MIT, in
1977
• Most widely accepted and implemented approach
to public-key encryption
• This is a block cipher
• The plaintext and cipher text are integers between
0 and n-1 for some n.
• Both sender and receiver should know the values
of n and the public key e.
• Only receiver should know the private key d.
• Public key KU={e,n} and the private key KR={d,n}
The RSA Algorithm – Key Generation
1. Select p, q (p and q both prime)
2. Calculate n = p x q
3. Calculate Φ(n) = (p - 1)(q - 1)
4. Select integer e: gcd(Φ(n), e) = 1; 1 < e < Φ(n)
5. Calculate d: d = e^-1 mod Φ(n)
6. Public key: KU = {e,n}
7. Private key: KR = {d,n}
The RSA Algorithm - Encryption
• Plaintext: M < n
• Ciphertext: C = M^e (mod n)
The RSA Algorithm - Decryption
• Ciphertext: C
• Plaintext: M = C^d (mod n)
Example Implementation
• Select two prime numbers p=17 and q=11 (only divisible by 1 and the same number)
• Calculate n=pq=187
• Calculate φ(n)=(p-1)(q-1)=160
• Select e to be relatively prime to φ(n) and less than φ(n): e=7 (gcd=1)
• Determine d such that de=1 mod 160 and d<160: d=23. Use de=k x 160+1
• KU={7,187} and KR={23,187}
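Added example (not part of the original slides): the key-generation, encryption and decryption steps carried through with the slide's p, q and e, deriving d with the extended Euclidean algorithm and checking requirement 6 (either key can be applied first). The function names and the sample plaintext M = 88 are assumptions made for this illustration; numbers this small are for following the arithmetic only.

```python
# Added illustration of the slides' RSA steps using their toy numbers.
# Function names and the sample message M = 88 are assumptions for this example.
from math import gcd


def ext_gcd(a: int, b: int):
    """Return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = ext_gcd(b, a % b)
    return g, y, x - (a // b) * y


def generate_keys(p: int, q: int, e: int):
    """Steps 1-7: return (KU, KR) = ({e, n}, {d, n})."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not (1 < e < phi) or gcd(phi, e) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(phi(n), e) = 1")
    _, x, _ = ext_gcd(e, phi)        # e*x + phi*y = 1, so x is e^-1 mod phi
    d = x % phi
    return (e, n), (d, n)


def apply_key(key, value: int) -> int:
    """value^exponent mod n; the same operation encrypts, decrypts, signs, verifies."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("block must be an integer between 0 and n-1")
    return pow(value, exponent, n)


KU, KR = generate_keys(p=17, q=11, e=7)     # values from the slide

M = 88                                       # constructed sample plaintext, M < n
C = apply_key(KU, M)                         # encrypt with the public key
recovered = apply_key(KR, C)                 # decrypt with the private key

# Requirement 6: the keys also work in the other order (sign, then verify).
signature = apply_key(KR, M)
verified = apply_key(KU, signature)
```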
Diffie-Hellman Key Exchange
• The algorithm helps two users to exchange a
secret key securely that can be used for
subsequent encryption of messages.
• The algorithm is limited to only key exchange.
Diffie-Hellman Key Exchange ...
• The exchange produces identical results
• Since the X’s are private, an opponent has
only the following to work with: q, a, and
the Y’s.
• The opponent is forced to take a discrete
logarithm to determine the key.
• For larger primes finding the matching
discrete logarithm is near impossible.
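Added example (not part of the original slides): both sides of the exchange with toy parameters, plus the exhaustive discrete-logarithm search an opponent is left with when only q, a and the Y's are known. The values q = 353, a = 3, the private X's and all function names are constructed for this illustration; the search is linear in q, which is why real deployments use very large primes.

```python
# Added illustration of a Diffie-Hellman exchange with toy parameters.
# q, a and the private values are constructed; the function names are assumptions.

def public_value(a: int, x: int, q: int) -> int:
    """Y = a^X mod q, the value a user sends in the clear."""
    return pow(a, x, q)


def shared_key(y_other: int, x_own: int, q: int) -> int:
    """K = (Y_other)^X_own mod q, computed privately by each user."""
    return pow(y_other, x_own, q)


def discrete_log(a: int, y: int, q: int):
    """Exhaustive search for X with a^X mod q == Y; returns (X, trials).

    This is the opponent's task given only q, a and Y. The loop is linear
    in q, which is why it is only workable for toy primes like this one.
    """
    value = 1
    for x in range(q - 1):
        if value == y:
            return x, x + 1
        value = (value * a) % q
    raise ValueError("Y is not a power of a modulo q")


Q, A = 353, 3            # public: prime q and primitive root a
X_A, X_B = 97, 233       # private values, never transmitted

Y_A = public_value(A, X_A, Q)      # sent A -> B
Y_B = public_value(A, X_B, Q)      # sent B -> A

K_A = shared_key(Y_B, X_A, Q)      # computed by A
K_B = shared_key(Y_A, X_B, Q)      # computed by B

# What an eavesdropper must do with (q, a, Y_A): search for X_A.
found_x, trials = discrete_log(A, Y_A, Q)
```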
Other Public-Key Cryptographic Algorithms
• Digital Signature Standard (DSS)
– Makes use of the SHA-1
– Not for encryption or key exchange
• Elliptic-Curve Cryptography (ECC)
– Good for smaller bit size
– Low confidence level, compared with RSA
– Very complex
• Remember that larger key sizes are required in public key encryption to match the strength of the private key security. E.g. a private key of 128 bits is equivalent to a public key of 4K bits.
Key Management (1)
• One of the major roles in public-key
encryption is to address the problem of
key distribution.
• Two distinct aspects are considered.
– The distribution of public keys
– The use of public key encryption to distribute
secret keys.
• A symmetric key can be achieved using
the Diffie Hellman key exchange.
Key Management (2)
• Digital certificates for distribution of public keys
– Public key can be forged. This is because the public
key is broadcast freely
– C can claim to be A and broadcast a public key for A.
– C can now read any message for A encrypted using
the public key that was broadcast.
– This can go on until the real A detects the problem.
– The solution is to issue a public-key certificate, which consists of a public key, a user ID of the key owner, and the whole block signed by a trusted third party.
Key Management (3)
• Public-key distribution of secret keys
– One way is to use Diffie-Hellman key
exchange. However the drawback here is that
it provides no authentication of the
communicating parties.
– The other alternative is to use public-key
certificates. Consider Bob wishes to
communicate with Alice.
• Prepare a message
• Encrypt the message using conventional
encryption with a one time conventional session
key.
Key Management (4)
• Encrypt the session key using public key
encryption with Alice’s public key.
• Attach the encrypted session key to the message
and send it to Alice.
• Now only Alice is capable of decrypting the session key and therefore recovering the original message.
• If Bob obtained Alice’s public key by means of
Alice’s public-key certificate, then Bob is assured
that it is a valid key.
Next Lecture
• Authentication applications
• Kerberos
• Session keys and management.
• Key Exchange and authentication mechanisms.
• E-mail and PGP
• Web security