Transcript Document

ECE-6612
http://www.csc.gatech.edu/copeland/jac/6612/
Prof. John A. Copeland
[email protected]
404 894-5177
fax 404 894-0035
Office: Klaus 3362
email or call for office visit
Chapter 3 - Public-Key Cryptography & Authentication
Authentication
Requirements - must be able to verify that:
1. Message came from the apparent source or author,
2. Contents have not been altered,
3. Sometimes, it was sent at a certain time or sequence.
Sometimes we would like to provide authentication without
encryption (public statements do not need privacy). Still,
authentication requires that the sender know something that the
forger does not (a secret key).
Conventional encryption can be used, but the sender must share
the secret key with the receivers (and keep it secret from others).
2
Key
MAC2
The MAC algorithm is a
“cryptographic hash” algorithm.
Key
3
Cryptographic (or Secure) Hash Function, H(x)
(note: 3 main properties are underlined)
1. Can be applied to a block of data “x” of any size (length)
an produces a fixed-length output (e.g., 512 bytes), H(x).
2. H(x) is relatively easy to compute.
3. It is computationally infeasible to get x from H(x).
4. For a given H(x), it is computationally infeasible to find
y != x such that H(y) = H(x) (weak collision resistance).
[You can not change a given message and get same hash]
5. It is computationally infeasible to find a pair x,y such that
H(y) = H(x) (strong collision resistance). [You can not
find any two messages in a generated bunch that have the
same hash (e..g., Birthday attack)]
4
y
Hash Key
x
Encrypt
(a) Using secret-key
encryption
(b) Using public-key
encryption (digital signature)
x
Decrypt
5
Secret Value is added by both parties to message before the “hash,”
function is used to get the Message Integrity Check (MIC). It is
removed before transmission.
No encryption is used,
only a secure hash.
MIC
MIC
It is critical that a forger can not compose a different message that
would produce the same MIC value.
6
Extremely not secure.
7
SHA-1
Secure Hash Algorithm 1 -> 160-bit "hash”
“Collision” can be found in 2^69 vs. 2^80
So new standards: SHA-256, SHA-512, … , SHA-3
8
9
HMAC Structure
10
MD5, SHA-1, -2, -3 Hashes
The MD5 hash (RFC 132) is typically expressed as a 32-digit
hexadecimal number (128 bits).
MD5 has been employed in a wide variety of security applications,
and is also commonly used to check the integrity of files. However, it
has been shown that MD5 is not collision resistant; as such, MD5 is
not suitable for applications like SSL certificates or digital signatures
that rely on this property. In 2012, the Flame malware exploited the
weaknesses in MD5 to fake a Microsoft digital signature.
US-CERT said MD5 "should be considered cryptographically broken
and unsuitable for further use,” and U.S. government applications are
required to move to the SHA-2 family of hash functions, 256 bits or
516 bits. Not replaced everywhere by SHA-3, approved in 2012.
mb2:~ copeland$ md5 ssl_manual.txt
MD5 (ssl_manual.txt) = 7f5f0f12da38523ccb4b090c772ae2f1
mb2:~ copeland$ openssl dgst -sha1 ssl_manual.txt
SHA1(ssl_manual.txt)= 0aa4ccc2ce12918bd87a1321b6086afe706186d8
11
Public-Key Cryptography
(Public-Private Key)
plaintext (data file or message)
encryption by key-1
decryption by key-1
ciphertext (stored or transmitted safely)
decryption by key-2
encryption by key-2
plaintext (original data or message)
12
Encryption using a
Public-Key System
Bob
Alice
13
Authentication using a
Public-Key System
or secure hash
or session key
or secure hash
or session key
Bob
Alice
14
RSA (Rivest, Shamir, and Adleman)
Key length is variable, 2048 bits recommended (2011).
The plaintext block ("m") must be less than the key length.
Key Generation
•
•
•
•
•
Choose two large prime numbers, p and q (secret)
n = pq,
Ø(n) = (p-1)(q-1)
Find a number, e, that is relatively prime* to Ø(n)
The public key is e and n : (e,n)
*no common factors
Find d, the multiplicative inverse to e mod Ø(n)
(by “Number Theory”: d * e mod Ø(n) = 1)
The private key is d and n (d,n), public key is (e,n)
Encryption: c = m^e mod n
Decryption: m = c^d mod n
("m" is message)
("c" is ciphertext)
15
Does RSA Work?
(Does D(E(m))=m)
c = E(m) =(m ^ e) mod n
D(c) = (c ^ d) mod n
(the ciphertext)
(decryption of c)
= m^(e*d) mod n
= m^(e*d mod Ø(n)) mod n
(Number Theory)
= m^(1) mod n
=m
(the plaintext message)
To experiment use: www.csc.gatech.edu/copeland/jac/6612/tools/RSA.xls
16
Is RSA Secure?
To factor a 512-bit number (to find p and q
from n) with the best known technique would take
500,000 MIPs-years.
•
In 500 years on a 1000 MIP/s CPU*, an
eavesdropper can encrypt a list of all
possible 512-bit messages (using the Public
Key), and compare the corresponding cipher
text to the transmitted cipher text.
• If the message is your password, make sure you
picked a good one (not in any dictionary).
•
A defense is to add random bits to the message.
MIPs - Millions of Instructions per second.
*4 x Intel Core i7’s (3.0 GHz)
The largest integer factored by 2014 had 768 bits (2000 cpu years)
17
How Efficient are RSA Operations
Efficient techniques for doing exponentiation:
X * Y mod n = (X mod n) * (Y mod n)
Do a "mod n" operation whenever a partial result is > n.
Using the following series, the largest number is < n^2
To calculate x^
1011011101100001
2
)^2
x^(10 12 ) = (x^100
2
mod n
first two bits
square first result,
to add "0" to exponent
x^10 2 = (x^1 2 )^2
x^100 2 = (x^10
2
)*x
if next bit was "1",
multiply result by "x"
Anytime an intermediate result is greater than n, reduce it by doing "mod n".
Taking mod 2^512 is simply dropping bits above the least (right) 512 bits.
18
Generating RSA Keys
Key pairs are generated by programs like “ssh-keygen”, or
“gpg --gen-key” (Gnu Privacy Guard, or OpenPGP).
The first step for a 256-bit key is to generate two 128-bit prime
numbers (p & q). A number of 128-bit numbers are produced
by a random number generator and tested for primality. To test
p, by Fermat’s little Theorem
for every trial witness number a, where: 1 ≤ a < p,
if p is prime (about 1% are), then
ap-1 mod p = 1
If p is not prime, the result could be any number from 0 to (p1), including 1. To be highly certain that p is prime, p must
pass the test about 8 times with different witness values, a.
The Miller-Rabin* test is an extension of the Fermat test that is
used in practice. In PGP the probability of a false prime is 2-50.
* see http://en.m.wikipedia.org/wiki/Miller-Rabin_primality_test
19
RSA Example with Small Numbers
For a 512-bit key (511-bit maximum message length),
"119" (above) would be replaced by 2^512 = 1.384078079 … E154 =
13,804,780,79x, xxx, xxx, xxx, xxx, xxx, xxx, xxx, xxx, xxx, xxx, xxx, xxx, xxx, xxx, xxx, xxx, xxx, xxx, xxx,
xxx, xxx, xxx, xxx, xxx, xxx, xxx, xxx, xxx, xxx, xxx, xxx, xxx, xxx, xxx, xxx, xxx, xxx, xxx, xxx, xxx, xxx, xxx, xxx,
and the message, "19", in decimal would then be about the same
size (512 bits = 155 decimal places long).
xxx, xxx, xxx, xxx, xxx
To explore the RSA algorithm with small numbers, download
http://www.csc.gatech.edu/copeland/jac/6612/tools/RSA.xls Link
20
Diffie-Hellman Technique
Mutual Secret Keys or Public (but not Private) Keys
Global Public Elements: q (large prime) and a (a < q)
User A’s Key:
User B’s Key:
Joint Key =
Select secret Xa (Xa < q)
A’s public info is Ya = a^Xa mod q
Select secret Xb (Xb < q)
B’s public info is Yb = a^Xb mod q
Yb ^Xa mod q (A’s calculation)
Ya ^ Xb mod q (B’s calculation)
a^(Xa*Xb) mod q (in both cases)
No one else knows either Xa or Xb, so they can not find out K
since
Ya * Yb mod q = a^(Xa + Xb) mod q
21
Diffie-Hellman used for a
Public-Key System for Encryption
(can not sign messages)
+ a and q
YB + message
encrypted with “ K”
(YA, a,q are A’s Public Key)
B has to send “ YB” with
message so A can decrypt it.
“Trudie” does not know Xa: Can not read message.
Different correspondents (B's) will select different XB's and
generate different "public" keys (K's).Must tell A the YB.
22
Raw “Certificate” has user name, public key, expiration date, ...
Raw
Cert.
Generate hash code
of Raw Certificate
CA Secure Area
MIC
Hash
Signed
Cert.
Signed Certificate
Recipient can verify
signature using CA’s
public key.
Encrypt hash
code with CA’s
private key to
form CA’s
signature
Certificate Authority generates the
“signature” that is added to raw
“Certificate”
23
Browsers Come With a CA Cert Database
You can
add
additional
certificates
from sites
you trust.
24
The GT CA Certificate
25
Browsers Warn of Unconfirmed Certificates,
but Users can click through the warning.
26
Public-Key Systems
RSA
Encrypt/
Decrypt
X
*
Diffie-Hellman
DSS
Elliptic Curve
Digital
Signature
X
**
Key
Exchange
X
X
X
X
X
X
*Diffie-Hellman can be used to publish a Public-Key
for encryption back to the owner, but can not be used
as a general signature key.
** Can be used for interactive authentication.
27
Use of Session Keys with Public-Private Keys
Randomly generated session keys are used because:
(1) given a lot of ciphertext, any message is easier to
decipher with a session key and a symmetric encryption
algorithm (about 1/10 processing time)
(2) the private key is protected by having less ciphertext.
Public-Private Key encryption is generally used to transmit a
digital signature, or a random "session key" to be used with a
symmetric-key algorithm (like 3DES or AES).
Example: HTTPS -Amazon.com sends you a signed certificate
containing their Public Key. Your browser generates a random
session key and sends it to Amazon.com, encrypted with their
Public Key. The session key is then used for the encrypted
HTTPS (SSL) secure communication.
28
Using SSH
Logging on to “srv4” for the first time, from “pb-i2”.
pb-i2:~ copeland$ ssh srv4
The authenticity of 'srv4 (143.215.151.48)' can't be established.
RSA key fingerprint is 47:ff:bc:b8:09:21:ef:02:69:c8:e0:70:bc:d7:54:c7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'srv4' (RSA) to the list of known hosts.
copeland@srv4's password: XXXXXX
Now “srv4”s public key is stored in my ~/.ssh/known_hosts file.
In the future, I can log on to this account without typing in a
password by generating a pair of RSA keys in ~/.ssh/ on “pb-i2”,
“id_rsa” and “id_rsa.pub”, and adding “id_rsa.pub” to the
~/.ssh/authorized_keys file on “srv4”.
pb-i2:~ copeland$ ssh srv4
Last login: Thu Jan 13 12:06:00 2011 from ….vpn.gatech.edu
ecelinsrv4.ece.gatech.edu>
Man-in-the-Middle Attack
Man in the middle attack: Trudy poses as Alice (to
Bob) and as Bob (to Alice)
I am Alice
R
I am Alice
R
K (R)
T
K (R)
A
Send me your public key
+
K
T
Send me your public key
+
K
A
- +
m = K (K (m))
A A
+
K (m)
A
Trudy gets
- +
m = K (K (m))
T Alice
sends T
m to
encrypted with
Alice’s public
key
+
K (m)
T
from
Computer Networking: A Top Down
Approach Featuring the Internet, 5th
edition.
Jim Kurose, Keith Ross
Addison-Wesley, July 2009.
Text for Georgia Tech ECE 3076
Man-in-the-Middle Attack
Alice
Trudy
Bob
To defend against this attack, Alice and Bob can exchange
Public Keys in a secure way, before the attack (SSH) or
verify the other's Public Key by a Certificate signed by a
trusted third party (Certificate Authority - SSL in HTTPS)
pb-i2:~ copeland$ ssh srv4
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
47:ff:bc:b8:09:21:ef:02:69:c8:e0:70:bc:d7:54:c7.
Please contact your system administrator.
Add correct host key in /Users/copeland/.ssh/known_hosts … of this message.
Offending key in /Users/copeland/.ssh/known_hosts:87
RSA host key for srv4 has changed and you have requested strict checking.
Host key verification failed.
pb-i2:~