Chapter 3
Public-Key Cryptography and Message Authentication
Dr. Sameer Abufardeh Dept. of Computer Science North Dakota State University
Sameer, 10/2/2009
OUTLINE
Approaches to Message Authentication
Secure Hash Functions and HMAC
Public-Key Cryptography Principles
Public-Key Cryptography Algorithms
Digital Signatures
Key Management
Security Attacks
Passive threats
Traffic analysis
Security Attacks
Active threats
Masquerade
Replay
Denial of service
Authentication
Requirements - must be able to verify that:
1. Message source is authentic (threat: masquerading)
2. Contents are unaltered (threat: message modification)
3. Sometimes, timely sequencing (threat: replay). (Msg. timeliness: not artificially delayed or replayed.)
Shared key
Digital signature
No key distribution
MD_M || M
MD_M = H(S_AB || M)
No encryption for message authentication
Secret value never sent; can't modify the message
Important technique for Digital Signatures
CS 469/669 Network Security Chap 3 - Dr. S. Abufardeh 14
Problem: Eliminate predictability of data
One-bit circular shift for each block is used to randomize the input
Rotate current hash value to the left by one bit
XOR the block into the hash value
Secure Hash Algorithm SHA-1
SHA was developed by NIST in 1993 and revised in 1995. The revised version is called SHA-1.
The input is less than 2^64 bits.
The output is a fixed 160-bit message digest (MD).
Steps of SHA-1: see next slide
Secure Hash Algorithm SHA-1
Step 1: Append padding bits. The message is padded so its length is congruent to 448 modulo 512.
Step 2: Append length. A block of 64 bits is appended to the message. This block is an unsigned integer equal to the length of the message before padding.
Step 3: Initialize MD buffer. A 160-bit buffer is used to hold intermediate and final results of the hash function. The buffer is represented as five 32-bit registers (A, B, C, D, E), which are initialized to some constants (32-bit integers).
Step 4: Process message in 512-bit (16-word) blocks. The heart of the algorithm is a compression function module that consists of four rounds of processing of 20 steps each. The four rounds have similar structure, but each uses a different primitive logical function referred to as f1, f2, f3 and f4.
Step 5: Output. After all L 512-bit blocks have been processed, the output from the Lth stage is the 160-bit message digest.
Every bit of the hash code is a function of every bit of the input!
Each round has 20 steps, each of which replaces the 5 buffer words thus:
(A,B,C,D,E) <- ((E + f(t,B,C,D) + (A<<5) + Wt + Kt), A, (B<<30), C, D)
a,b,c,d refer to the 4 words of the buffer
t is the step number
f(t,B,C,D) is nonlinear function for round
Wt is derived from the message block
Kt is a constant value derived from sin
SHA-1: Processing of single 512-Bit Block
f: a logical function, different for each round.
K: a constant, different for each round.
Each round updates the contents of the 160-bit buffer, i.e., the 5 registers ABCDE.
Following a certain rule, the 512-bit message block is used to create a 5x512-bit chunk, which is then divided into eighty 32-bit words W0, W1, ..., W79
SHA-1: Processing of single 512-Bit Block
Update of the 160-bit vector ABCDE:
B = old A
C = old B (left shift 30 bits)
D = old C
E = old D
A = E + A (left shift 5 bits) + Wt + K + f(t,B,C,D), where t is the step number.
f2(t,B,C,D) = B XOR C XOR D
CV_(q+1) = CV_q + the output of the 4th round
The addition is done for each of the five words (32-bit), using modulo 2^32.
SHA-512 Overview
SHA-512 Process
Step 1: Append padding bits
Step 2: Append length
Step 3: Initialize hash buffer
Step 4: Process the message in 1024-bit (128-word) blocks, which forms the heart of the algorithm
Step 5: Output the final state value as the resulting hash
The elements are:
Ch(e,f,g) = (e AND f) XOR (NOT e AND g)
Maj(a,b,c) = (a AND b) XOR (a AND c) XOR (b AND c)
Sigma0(a) = ROTR(a,28) XOR ROTR(a,34) XOR ROTR(a,39)
Sigma1(e) = ROTR(e,14) XOR ROTR(e,18) XOR ROTR(e,41)
+ = addition modulo 2^64
Kt = a 64-bit additive constant
Wt = a 64-bit word derived from the current 512-bit input block.
MD5 Overview
1. Pad message so its length is 448 mod 512
2. Append a 64-bit original length value to message
3. Initialise 4-word (128-bit) MD buffer (A,B,C,D)
4. Process message in 16-word (512-bit) blocks:
   Using 4 rounds of 16 bit operations on message block & buffer
   Add output to buffer input to form new buffer value
5. Output hash value is the final buffer value
MD5 Overview
Whirlpool
Based on the use of a block cipher for compression
Endorsed by European NESSIE project
Uses modified AES internals as compression function
Performance comparable to dedicated algorithms like SHA
Whirlpool Overview
A hash function (e.g., SHA-1) was not designed for use as a MAC and cannot be used directly to create a MAC, since it does not rely on a secret key. E.g., D could create a hash code and claim it is B.
HMAC was proposed, which can create a MAC using a hash function and a secret key. HMAC has been used in IP-security, SSL/TLS, etc.
HMAC Structure
HMAC_K(M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]]
HMAC Design Objectives:
To use available hash functions.
To allow for easy replaceability of the embedded hash function.
To preserve the original performance of the hash function.
To use and handle keys in a simple way.
To have a well-understood cryptographic analysis of the strength of the auth. mechanism.
HMAC Security
Proved security of HMAC relates to that of the underlying hash algorithm
Attacking HMAC requires either:
brute force attack on key used
birthday attack (but since keyed, would need to observe a very large number of messages)
Choose hash function used based on speed versus security constraints
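The HMAC structure above, built directly from an embedded hash and checked against Python's hmac module, as an added example (not code from the slides). The key and messages are constructed sample data; the hash_name parameter shows the replaceability objective, and demo() contrasts an unkeyed hash check with the keyed one when a message is altered in transit.

```python
import hashlib
import hmac

def hmac_from_structure(key: bytes, msg: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC_K(M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]]."""
    block = hashlib.new(hash_name).block_size       # 64 bytes for SHA-1
    if len(key) > block:                            # long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    k_plus = key.ljust(block, b"\x00")              # K+: K zero-padded to one block
    inner = hashlib.new(hash_name, bytes(b ^ 0x36 for b in k_plus) + msg).digest()
    return hashlib.new(hash_name, bytes(b ^ 0x5C for b in k_plus) + inner).digest()

def matches_stdlib(key: bytes, msg: bytes, hash_name: str) -> bool:
    """True when the hand-built value equals the standard library's HMAC."""
    expected = hmac.new(key, msg, hash_name).digest()
    return hmac.compare_digest(hmac_from_structure(key, msg, hash_name), expected)

def verify_plain_hash(msg: bytes, tag: bytes) -> bool:
    """Unkeyed check: whoever can change msg can also recompute tag."""
    return hmac.compare_digest(hashlib.sha1(msg).digest(), tag)

def verify_hmac(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Keyed check: constant-time comparison against the recomputed HMAC."""
    return hmac.compare_digest(hmac_from_structure(key, msg, hash_name), tag)

# Constructed sample data.
KEY = b"shared-secret-between-A-and-B"
ORIGINAL = b"pay B 10"
ALTERED = b"pay D 10"

def demo():
    # An altered message with a recomputed unkeyed hash passes the plain check.
    plain_accepts = verify_plain_hash(ALTERED, hashlib.sha1(ALTERED).digest())
    # Without KEY, the only tag available is the old one, which no longer matches.
    old_tag = hmac_from_structure(KEY, ORIGINAL)
    hmac_accepts = verify_hmac(KEY, ALTERED, old_tag)
    return plain_accepts, hmac_accepts
```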
Requirements for Public-Key Cryptography
1. Computationally easy for a party B to generate a pair (public key KUb, private key KRb)
2. Computationally easy for a sender A, knowing the public key and the message M, to generate a ciphertext:
C = E_KUb(M)
3. Easy for the receiver B to decrypt ciphertext using its private key:
RSA - Ron Rivest, Adi Shamir and Len Adleman at MIT, in 1977.
ACM Turing award in 2002. RSA is a block cipher
Applications: Encryption/decryption, Digital signature, and Key exchange
Diffie-Hellman
Applications: Exchange a secret key securely
Based on the difficulty of computing discrete logarithms
Prime Numbers
A prime number can be divided, without a remainder, only by itself and by 1. For example, 17 can be divided only by 17 and by 1.
Some facts:
The only even prime number is 2. All other even numbers can be divided by 2.
If the sum of a number's digits is a multiple of 3, that number can be divided by 3.
No prime number greater than 5 ends in a 5. Any number greater than 5 that ends in a 5 can be divided by 5.
Zero and 1 are not considered prime numbers.
Except for 0 and 1, a number is either a prime number or a composite number.
A composite number is defined as any number, greater than 1, that is not prime.
Primality Test
Deterministic: tests determine with absolute certainty whether a number is prime.
Probabilistic: tests can potentially (although with very small probability) falsely identify a composite number as prime (although not vice versa).
RSA Requirements
It is possible to find values of e, d, n such that M^(ed) = M mod n for all M < n
It is relatively easy to calculate M^e and C for all values of M < n
It is infeasible to determine d given e and n
Here is the magic!
02/27/06
For any b<p, one can find a unique exponent i such that:
b = a^i mod p, where 0 <= i <= p - 1.
i is referred to as the discrete logarithm (or index) of b for the base a, mod p. Notation used: dlog_(a,p)(b)
An attacker D could know q, α, YA & YB but not XA & XB.
To find out XB (and then K), D must compute a discrete log: XB = dlog_(α,q)(YB), which has been proved very difficult.
At the end, user A and B will share a secret key K, which is not known to others.
Example
A & B wish to exchange a key.
Prime number q = 71, and its primitive root α = 7
Generate XA = 5 and XB = 12, random integers < q
A computes his public key YA = 7^5 mod 71 = 51
B computes his public key YB = 7^12 mod 71 = 4
After they exchange the public keys, each can compute the shared secret key K:
A computes K = 4^5 mod 71 = 30
B computes K = 51^12 mod 71 = 30
Breaking of Diffie-Hellman
The Diffie-Hellman key exchange is vulnerable to a man-in-the-middle attack.
Alice & Bob wish to exchange keys, and Carol is the opponent.
In this attack, an opponent Carol intercepts Alice's public value and sends her own public value to Bob. When Bob transmits his public value, Carol substitutes it with her own and sends it to Alice. Carol and Alice thus agree on one shared key and Carol and Bob agree on another shared key. After this exchange, Carol simply decrypts any messages sent out by Alice or Bob, and then reads and possibly modifies them before re-encrypting with the appropriate key and transmitting them to the other party.
This vulnerability is present because Diffie-Hellman key exchange does not authenticate the participants.
Possible solutions include the use of digital signatures and other protocol variants.
Defeating the man-in-the-middle attack
Prior to execution of the protocol, the two parties Alice and Bob each obtain a public/private key pair and a certificate for the public key.
Prime number p, and its primitive root α
During the protocol, Alice computes a signature on certain messages, covering the public value α^XA mod p. Bob proceeds in a similar way.
Even though Carol is still able to intercept messages between Alice and Bob, she cannot forge signatures without Alice's private key and Bob's private key. Hence, the enhanced protocol defeats the man-in-the-middle attack. (see slide 70 for more details)
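The signed exchange described above, using the numbers from the earlier example (q = 71, α = 7, XA = 5, XB = 12), as an added example that is not code from the slides. The RSA signing key is a constructed toy key (n = 61 * 53) and the signature is textbook RSA on the raw public value, chosen so the arithmetic stays visible; a real protocol signs a hash with a padded scheme and a certified key of full size.

```python
Q, ALPHA = 71, 7                  # prime and primitive root from the slides' example

def public_value(x: int) -> int:
    return pow(ALPHA, x, Q)

def shared_key(their_y: int, my_x: int) -> int:
    return pow(their_y, my_x, Q)

# Toy RSA signing key for Alice (constructed): n = 61 * 53, e * d = 1 mod (60 * 52).
ALICE_PUB = {"n": 3233, "e": 17}  # what Bob learns from Alice's certificate
ALICE_PRIV_D = 2753               # known to Alice only

def sign(value: int) -> int:
    """Alice signs with her private exponent d."""
    return pow(value, ALICE_PRIV_D, ALICE_PUB["n"])

def verify(value: int, sig: int, pub: dict) -> bool:
    """Anyone can check with the public pair (n, e): sig^e mod n must equal value."""
    return pow(sig, pub["e"], pub["n"]) == value

def bob_accepts(y: int, sig: int, x_b: int) -> int:
    """Bob derives K only if the public value carries Alice's valid signature."""
    if not verify(y, sig, ALICE_PUB):
        raise ValueError("public value not signed by Alice; exchange aborted")
    return shared_key(y, x_b)

X_A, X_B = 5, 12                  # private values from the slides' example
Y_A, Y_B = public_value(X_A), public_value(X_B)   # 51 and 4

def honest_exchange() -> tuple:
    """Returns (K computed by Alice, K computed by Bob)."""
    k_bob = bob_accepts(Y_A, sign(Y_A), X_B)
    return shared_key(Y_B, X_A), k_bob

def substituted_value_accepted(y_other: int) -> bool:
    """A value swapped in transit arrives with a signature that does not cover it."""
    try:
        bob_accepts(y_other, sign(Y_A), X_B)
        return True
    except ValueError:
        return False
```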
RSA & Diffie-Hellman
RSA depends on the difficulty of factoring large prime numbers.
Diffie-Hellman depends on the difficulty of computing discrete logarithms.
Key Management
Two aspects:
The distribution of Public-Key
The use of Public-Key encryption to distribute secret keys.
Henric Johnson
70
Distributing Shared Secret Keys by using Public-Key Algorithms
How to distribute shared secret key?
Using Diffie-Hellman key exchange.
No authentication of the two parties.