

Chapter 3
Public-Key Cryptography and Message Authentication
Dr. Sameer Abufardeh Dept. of Computer Science North Dakota State University

Sameer, 10/2/2009

OUTLINE
Approaches to Message Authentication
Secure Hash Functions and HMAC
Public-Key Cryptography Principles
Public-Key Cryptography Algorithms
Digital Signatures
Key Management

CS 469/669 Network Security Chap 3 - Dr. S. Abufardeh

Recall Security Services


Confidentiality: protection from passive attacks
Authentication: you are who you say you are
Integrity: received as sent, with no modifications, insertions, shuffling or replays


Security Attacks
Passive threats
Release of message contents
Traffic analysis
Eavesdropping, monitoring transmissions
Conventional encryption helped here

Security Attacks
Active threats
Masquerade
Replay
Modification of message contents
Denial of service
Message authentication helps prevent these!

What Is Message Authentication?
It's all about the source, of course!
A procedure that allows communicating parties to verify that received messages are authentic.
Protection against active attack (falsification of data and transactions).

Authentication
Requirements: the receiver must be able to verify that
1. The message source is authentic (counters masquerading).
2. The contents are unaltered (counters message modification).
3. Sometimes, the message is timely and in sequence (counters replay: message timeliness, i.e. not artificially delayed or replayed).

Approaches to Message Authentication

Authentication Using Conventional Encryption
Only the sender and receiver should know the shared key.
Include a time stamp.
Include an error detection code and a sequence number.

Message Authentication without Message Encryption
An authentication tag is generated and appended to each message, e.g., a hash without encryption.
The message is read independently of the authentication function.
No message confidentiality.

Message Authentication Code (MAC)
Use a secret key to generate a small block of data that is appended to the message.
Assume A and B share a common secret key $K_{AB}$:
$MAC_M = F(K_{AB}, M)$

One-Way Hash Function
A hash function accepts a variable-size message M as input and produces a fixed-size message digest H(M) as output.
No secret key as input.
The message digest is sent with the message for authentication.
Produces a fingerprint of the message.

One-way HASH function (Using Encryption)
Figure labels: message digest H(M); shared key; authenticity is assured.

One-way HASH function (Using Encryption)
Digital signature
No key distribution
Less computation, since the message does not have to be encrypted

One-way HASH function
Ideally We Would Like To Avoid Encryption
Encryption software is slow.
Encryption hardware costs aren't cheap.
Hardware is optimized toward large data sizes.
Algorithms are covered by patents.
Algorithms are subject to export control.

One-way HASH function (Without Encryption)
A and B share a secret value (e.g., a random number). The secret value is added before the hash and removed before transmission. Assuming the shared secret value $S_{AB}$:
Transmitted: $MD_M \,\|\, M$, where $MD_M = H(S_{AB} \,\|\, M)$
No encryption is needed for message authentication.
The secret value is never sent, so an opponent can't modify the message.
An important technique for digital signatures.

Secure HASH Functions
The purpose of a HASH function is to produce a fingerprint. Properties of a HASH function H (h: hash code, the output; x and y: messages, the input):
1. H can be applied to a block of data of any size.
2. H produces a fixed-length output (<< input).
3. H(x) is easy to compute for any given x.
4. For any given h, it is computationally infeasible to find x such that H(x) = h (one-way property: hard to invert).
5. For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x) (weak collision property).
6. It is computationally infeasible to find any pair (x, y) of two distinct inputs such that H(x) = H(y) (strong collision property).

Secure HASH Functions
Properties of a HASH function H, continued:
1. H can be applied to a block of data of any size.
2. H produces a fixed-length output (<< input).
3. H(x) is easy to compute for any given x.
These three properties are requirements for practical application of the hash function to message authentication.

Secure HASH Functions
Properties of a HASH function H, continued:
4. For any given h, it is computationally infeasible to find x such that H(x) = h (one-way property: hard to invert).
Given a hash code h, find an input x which has that hash code h. It's easy to generate a hash code given a message, but virtually impossible to generate a message given a hash code. This property is important when the authentication technique uses a secret value (see slide 14).

Secure HASH Functions
Properties of a HASH function H, continued:
5. For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x) (weak collision property).
Guarantees that it is impossible to find an alternative message with the same hash value as the given message: given x and H(x), find another y where H(y) = H(x). Prevents forgery when an encrypted hash code is used (see slides 11 and 12).

Secure HASH Functions
Properties of a HASH function H, continued:
6. It is computationally infeasible to find any pair (x, y) of two distinct inputs such that H(x) = H(y) (strong collision property).
Collision resistance protects against a class of sophisticated attack known as the birthday attack.
Birthday attacks (time complexity $2^{n/2}$) reduce the strength of an n-bit hash function from $2^n$ to $2^{n/2}$.

Attacks on hash functions
Birthday attacks (time complexity $2^{n/2}$): the probability of a collision is > 1/2; we need n >= 128, up to 160.
Pseudo-collision and compression function attacks
Chaining attacks
Attacks based on properties of the underlying cipher

Simple Hash Function
The input is divided into a sequence of n-bit blocks. The input is processed one block at a time in an iterative fashion to produce an n-bit hash code:
$C_i = b_{i1} \oplus b_{i2} \oplus \cdots \oplus b_{im}$
($C_i$: the i-th bit of the hash code; $b_{ij}$: the i-th bit of the j-th block; m blocks in all)
Problem: eliminate the predictability of the data. A one-bit circular shift on each block is used to randomize the input:
Rotate the current hash value to the left by one bit.
XOR the block into the hash value.
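As an added example (my code, not from the slides), here are both hash functions from this slide in Python: the plain block XOR and the rotate-then-XOR variant. The block width of 32 bits, the function names, and the constructed sample message (whose first two blocks are swapped to make a second, different message) are my assumptions.

```python
# Added example: the two simple hash functions described on the slide.
BLOCK = 4            # assumed block size in bytes, i.e. n = 32 bits
N_BITS = BLOCK * 8
MASK = (1 << N_BITS) - 1


def blocks(data: bytes):
    """Split data into n-bit blocks, zero-padding the last one."""
    for off in range(0, len(data), BLOCK):
        yield int.from_bytes(data[off:off + BLOCK].ljust(BLOCK, b"\x00"), "big")


def xor_hash(data: bytes) -> int:
    """C_i = b_i1 XOR b_i2 XOR ... XOR b_im: bitwise XOR of all blocks."""
    acc = 0
    for b in blocks(data):
        acc ^= b
    return acc & MASK


def rotxor_hash(data: bytes) -> int:
    """Rotate the running hash left by one bit, then XOR the next block in."""
    acc = 0
    for b in blocks(data):
        acc = ((acc << 1) | (acc >> (N_BITS - 1))) & MASK   # 1-bit circular left shift
        acc ^= b
    return acc


def swap_first_two_blocks(data: bytes) -> bytes:
    """Constructed tamper: reorder the first two blocks of a message."""
    return data[BLOCK:2 * BLOCK] + data[:BLOCK] + data[2 * BLOCK:]


# Constructed sample input (not from the slides).
SAMPLE = b"PAY $100 TO BOB"
TAMPERED = swap_first_two_blocks(SAMPLE)   # b"$100PAY  TO BOB"

if __name__ == "__main__":
    print("xor    :", hex(xor_hash(SAMPLE)), hex(xor_hash(TAMPERED)))
    print("rot+xor:", hex(rotxor_hash(SAMPLE)), hex(rotxor_hash(TAMPERED)))
```

The plain XOR hash gives the same value for any reordering of the blocks, which is the predictability the slide refers to; the rotation breaks that symmetry. Both functions are still linear in their input, so neither meets the collision properties of slide 15; they are the teaching step toward SHA-1 and MD5, not usable hash functions.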

Secure Hash Algorithm SHA-1
SHA was developed by NIST in 1993 and revised in 1995. The revised version is called SHA-1.
The input is less than $2^{64}$ bits.
The output is a fixed 160-bit message digest (MD).
Steps of SHA-1: see next slide.

Secure Hash Algorithm SHA-1
Step 1: Append padding bits. The message is padded so its length is congruent to 448 modulo 512.
Step 2: Append length. A block of 64 bits is appended to the message. This block is an unsigned integer equal to the length of the message before padding.
Step 3: Initialize MD buffer. A 160-bit buffer is used to hold intermediate and final results of the hash function. The buffer is represented as five 32-bit registers (A, B, C, D, E), which are initialized to some constants (32-bit integers).
Step 4: Process the message in 512-bit (16-word) blocks. This module consists of four rounds of processing of 20 steps each. The four rounds have a similar structure, but each uses a different primitive logical function, referred to as f1, f2, f3 and f4. The heart of the algorithm is this module, the compression function, which consists of four rounds of processing, each with 20 steps.
Step 5: Output. After all L 512-bit blocks have been processed, the output from the Lth stage is the 160-bit message digest.

Message Digest Generation Using SHA-1
Every bit of the hash code is a function of every bit of the input!

SHA-1 Compression Function
Each round has 20 steps, each of which replaces the 5 buffer words thus:
$(A, B, C, D, E) \leftarrow (E + f(t, B, C, D) + (A \lll 5) + W_t + K_t,\; A,\; B \lll 30,\; C,\; D)$
A, B, C, D, E refer to the five 32-bit words of the buffer
t is the step number
f(t, B, C, D) is the nonlinear function for the round
$W_t$ is derived from the message block
$K_t$ is a constant value derived from sin

SHA-1: Processing of a single 512-Bit Block
f: a logical function, different for each round.
K: a constant, different for each round.
Each round updates the contents of the 160-bit buffer, i.e., the 5 registers A, B, C, D, E.
Following a certain rule, the 512-bit message block is used to create a 5x512-bit chunk, which is then divided into eighty 32-bit words $W_0, W_1, \ldots, W_{79}$.

SHA-1: Processing of a single 512-Bit Block
Update of the 160-bit vector ABCDE:
B = old A; C = old B (circular left shift by 30 bits); D = old C; E = old D;
A = E + (A circularly left-shifted by 5 bits) + $W_t$ + $K_t$ + f(t, B, C, D), where t is the step number.
$f_2(t, B, C, D) = B \oplus C \oplus D$
$CV_{q+1} = CV_q + $ (the output of the 4th round)
The addition is done for each of the five 32-bit words, modulo $2^{32}$.
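To make the five steps and the round update concrete, here is a from-scratch SHA-1 in Python (added example; my code, not from the slides or from any library). It follows the padding, buffer initialization, message-word expansion, 4x20-step round structure and the $CV_{q+1} = CV_q + (\text{round 4 output})$ addition described above, and cross-checks itself against Python's hashlib. The helper names (rotl32, sha1_pad, sha1_compress, matches_hashlib) are mine.

```python
# Added example: SHA-1 built from the slides' description, checked against hashlib.
import hashlib   # used only to cross-check the hand-written digest
import struct

MASK32 = 0xFFFFFFFF


def rotl32(x: int, n: int) -> int:
    """Circular left shift of a 32-bit word by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def sha1_pad(message: bytes) -> bytes:
    """Steps 1 and 2: pad to 448 mod 512 bits, then append the 64-bit big-endian bit length."""
    bit_len = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", bit_len)


def sha1_compress(h: list, block: bytes) -> list:
    """Step 4: one 512-bit block through 4 rounds of 20 steps; returns the new (A,B,C,D,E)."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):          # expand the 16 message words to W_0 .. W_79
        w.append(rotl32(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = h
    for t in range(80):
        if t < 20:                   # round 1: f1 = (B AND C) OR (NOT B AND D)
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:                 # round 2: f2 = B XOR C XOR D
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:                 # round 3: f3 = majority(B, C, D)
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:                        # round 4: f4 = B XOR C XOR D
            f, k = b ^ c ^ d, 0xCA62C1D6
        # A <- E + f(t,B,C,D) + (A <<< 5) + W_t + K_t; B <- A; C <- B <<< 30; D <- C; E <- D
        temp = (rotl32(a, 5) + (f & MASK32) + e + k + w[t]) & MASK32
        a, b, c, d, e = temp, a, rotl32(b, 30), c, d
    # CV_{q+1} = CV_q + (output of the 4th round), word-wise modulo 2^32
    return [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e))]


def sha1(message: bytes) -> bytes:
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]   # step 3: initial buffer
    padded = sha1_pad(message)
    for off in range(0, len(padded), 64):
        h = sha1_compress(h, padded[off:off + 64])
    return struct.pack(">5I", *h)                                       # step 5: 160-bit digest


def matches_hashlib(message: bytes) -> bool:
    """Cross-check against the standard library implementation."""
    return sha1(message) == hashlib.sha1(message).digest()


if __name__ == "__main__":
    print(sha1(b"abc").hex())   # a9993e364706816aba3e25717850c26c9cd0d89d
```

The padding edge cases (a message of 55, 56 or 64 bytes, where the length field does or does not fit in the current block) are where hand-written implementations usually go wrong, which is why the check against hashlib covers them. Note that every bit of the digest changes when any input bit changes, the point made on slide 24.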

Revised Secure Hash Standard
NIST issued revision FIPS 180-2 in 2002.
Adds 3 additional versions of SHA: SHA-256, SHA-384, SHA-512.
Designed for compatibility with the increased security provided by the AES cipher.
Structure and detail are similar to SHA-1, hence the analysis should be similar, but the security levels are rather higher.

SHA-512 Overview

SHA-512 Process
Step 1: Append padding bits.
Step 2: Append length.
Step 3: Initialize hash buffer.
Step 4: Process the message in 1024-bit (128-word) blocks, which forms the heart of the algorithm.
Step 5: Output the final state value as the resulting hash.

SHA-512 Compression Function
The heart of the algorithm.
Processes the message in 1024-bit blocks.
Consists of 80 rounds, updating a 512-bit buffer.
Uses a 64-bit value $W_t$ derived from the current message block, and a round constant based on the cube roots of the first 80 prime numbers.

SHA-512 Round Function
The elements are:
Ch(e, f, g) = (e AND f) XOR (NOT e AND g)
Maj(a, b, c) = (a AND b) XOR (a AND c) XOR (b AND c)
$\Sigma_0(a)$ = ROTR(a, 28) XOR ROTR(a, 34) XOR ROTR(a, 39)
$\Sigma_1(e)$ = ROTR(e, 14) XOR ROTR(e, 18) XOR ROTR(e, 41)
+ = addition modulo $2^{64}$
$K_t$ = a 64-bit additive constant
$W_t$ = a 64-bit word derived from the current 1024-bit input block

MD5 Message Digest
Ron Rivest, 1992; specified as Internet standard RFC 1321.
Input: arbitrary. Output: 128-bit digest.
Was the most widely used secure hash algorithm until recently.
In recent times there have been both brute-force and cryptanalytic concerns.
The security of the 128-bit hash code has become questionable (1996, 2004).
02/27/06 Hofstra University Network Security Course, CSC290A

MD5 Overview
1. Pad the message so its length is 448 mod 512.
2. Append a 64-bit original-length value to the message.
3. Initialise the 4-word (128-bit) MD buffer (A, B, C, D).
4. Process the message in 16-word (512-bit) blocks, using 4 rounds of 16 bit operations on the message block and buffer, and add the output to the buffer input to form the new buffer value.
5. The output hash value is the final buffer value.

MD5 Compression Function
Functions and Random Numbers
$F(x, y, z) = (x \land y) \lor (\lnot x \land z)$ (selection function)
$G(x, y, z) = (x \land z) \lor (y \land \lnot z)$
$H(x, y, z) = x \oplus y \oplus z$
$I(x, y, z) = y \oplus (x \lor \lnot z)$

SHA-1 vs. MD5
A brute-force attack on SHA-1 is harder (160 vs. 128 bits for MD5).
SHA-1 is not vulnerable to any known attacks (compared to MD4/MD5).
SHA-1 is a little slower than MD5 (80 vs. 64 steps).
Both were designed to be simple and compact.
SHA-1 is optimised for big-endian CPUs (vs. MD5, which is optimised for little-endian CPUs).

Whirlpool
Based on the use of a block cipher for compression.
Endorsed by the European NESSIE project.
Uses modified AES internals as the compression function, with performance comparable to dedicated algorithms like SHA.

Whirlpool Overview

Whirlpool Block Cipher W
Designed specifically for hash function use, with the security and efficiency of AES, but with a message of length < $2^{512}$ bits as input and a 512-bit message digest.
Similar structure and functions as AES, but the input is mapped row-wise.
Has 10 rounds.
Uses a different S-box design and values.

Whirlpool Performance & Security
Whirlpool is a very new proposal, hence there is little experience with its use, but many AES findings should apply.
It does seem to need more hardware than SHA, but with better resulting performance.

HMAC (HASH MAC)
Instead of using encryption algorithms, one may develop a MAC derived from a hash function, such as SHA-1. Motivations:
Hash functions execute faster in software than encryption algorithms such as DES.
Library code for hash functions is widely available.
No export restrictions on hash functions from the US.
A hash function (e.g., SHA-1) was not designed for use as a MAC and cannot be used directly to create a MAC, since it does not rely on a secret key. E.g., D could create a hash code and claim it is B's.
HMAC was proposed, which can create a MAC using a hash function and a secret key. HMAC has been used in IP security, SSL/TLS, etc.

HMAC Structure
$HMAC_K(M) = H[(K^+ \oplus opad) \,\|\, H[(K^+ \oplus ipad) \,\|\, M]]$
$K^+$: K padded with zeros on the left so it is b bits
ipad: 00110110 repeated b/8 times
opad: 01011100 repeated b/8 times
HMAC Design Objectives:
To use available hash functions.
To allow for easy replaceability of the embedded hash function.
To preserve the original performance of the hash function.
To use and handle keys in a simple way.
To have a well-understood cryptographic analysis of the strength of the authentication mechanism.

HMAC Security
The proven security of HMAC relates to that of the underlying hash algorithm.
Attacking HMAC requires either a brute-force attack on the key used, or a birthday attack (but since it is keyed, this would need the attacker to observe a very large number of messages).
Choose the hash function used based on speed versus security constraints.
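The HMAC structure and the security slide above both come down to the one-line formula $H[(K^+ \oplus opad) \| H[(K^+ \oplus ipad) \| M]]$. As an added example (my code, not from the slides), here it is built step by step from hashlib, with a receiver-side verify function, and cross-checked against Python's hmac module. The ipad/opad bytes are the slide's 00110110 and 01011100; the zero padding of K is placed after the key bytes, which is how RFC 2104 and the hmac module define $K^+$, and the helper names are my own.

```python
# Added example: HMAC assembled from the slide's formula and checked against the stdlib.
import hashlib
import hmac  # standard library: used only to cross-check and for constant-time comparison

IPAD_BYTE = 0x36   # 00110110
OPAD_BYTE = 0x5C   # 01011100


def hmac_from_formula(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC_K(M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]]."""
    b = hashlib.new(hash_name).block_size       # b/8 bytes per input block (64 for SHA-1, SHA-256)
    if len(key) > b:                            # RFC 2104: a key longer than one block is hashed first
        key = hashlib.new(hash_name, key).digest()
    k_plus = key + b"\x00" * (b - len(key))     # K+: key zero-padded to b bits
    k_ipad = bytes(kb ^ IPAD_BYTE for kb in k_plus)   # K+ XOR ipad (ipad = 0x36 repeated b/8 times)
    k_opad = bytes(kb ^ OPAD_BYTE for kb in k_plus)   # K+ XOR opad (opad = 0x5C repeated b/8 times)
    inner = hashlib.new(hash_name, k_ipad + message).digest()   # H[(K+ XOR ipad) || M]
    return hashlib.new(hash_name, k_opad + inner).digest()      # H[(K+ XOR opad) || inner]


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha1") -> bool:
    """Cross-check the hand-built construction against hmac.new()."""
    return hmac.compare_digest(hmac_from_formula(key, message, hash_name),
                               hmac.new(key, message, hash_name).digest())


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Receiver side: recompute the MAC and compare in constant time."""
    return hmac.compare_digest(hmac_from_formula(key, message, hash_name), tag)


if __name__ == "__main__":
    # Constructed sample: the key and data of RFC 2202 test case 1 for HMAC-SHA-1.
    print(hmac_from_formula(b"\x0b" * 20, b"Hi There").hex())
```

Two practical points the formula does not show: the comparison on the receiving side should be constant-time (hmac.compare_digest here) so that tag checking does not leak timing, and the embedded hash can be swapped by changing hash_name alone, which is the "easy replaceability" design objective on the previous slide.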

Public-Key Cryptography Principles
The use of two keys has consequences in key distribution, confidentiality and authentication. The scheme has six ingredients:
Plaintext
Encryption algorithm
Public key
Private key
Ciphertext
Decryption algorithm

Encryption using a Public-Key System

Authentication using a Public-Key System

Applications for Public-Key Cryptosystems
Three categories:
Encryption/decryption: the sender encrypts a message with the recipient's public key.
Digital signature: the sender signs a message with its private key.
Key exchange: two sides cooperate to exchange a session key.

Requirements for Public-Key Cryptography
1. Computationally easy for a party B to generate a pair (public key $KU_b$, private key $KR_b$).
2. Computationally easy for a sender A, knowing the public key and the message M, to generate a ciphertext:
$C = E_{KU_b}(M)$
3. Easy for the receiver B to decrypt the ciphertext using its private key:
$M = D_{KR_b}(C) = D_{KR_b}[E_{KU_b}(M)]$
4. Computationally infeasible for an opponent to determine the private key ($KR_b$) knowing the public key ($KU_b$).
5. Computationally infeasible for an opponent to recover the message M, knowing $KU_b$ and the ciphertext C.
6. Either of the two keys can be used for encryption, with the other used for decryption:
$M = D_{KR_b}[E_{KU_b}(M)] = D_{KU_b}[E_{KR_b}(M)]$

Public-Key Cryptographic Algorithms
The most widely used are RSA and Diffie-Hellman.
RSA: Ron Rivest, Adi Shamir and Len Adleman at MIT, in 1977. ACM Turing award in 2002. RSA is a block cipher.
Applications: encryption/decryption, digital signature, and key exchange.
Diffie-Hellman
Applications: exchange a secret key securely.
Based on the difficulty of computing discrete logarithms.

Prime Numbers
A prime number can be divided, without a remainder, only by itself and by 1. For example, 17 can be divided only by 17 and by 1.
Some facts:
The only even prime number is 2. All other even numbers can be divided by 2.
If the sum of a number's digits is a multiple of 3, that number can be divided by 3.
No prime number greater than 5 ends in a 5. Any number greater than 5 that ends in a 5 can be divided by 5.
Zero and 1 are not considered prime numbers.
Except for 0 and 1, a number is either a prime number or a composite number. A composite number is defined as any number, greater than 1, that is not prime.

Primality Test
Deterministic: tests determine with absolute certainty whether a number is prime. Probabilistic: tests can potentially (although with very small probability) falsely identify a composite number as prime (although not vice versa).


Relatively Prime Numbers & GCD
Two numbers are called relatively prime or co-prime if they have no common divisors greater than 1. Using the notation GCD(m, n) to denote the greatest common divisor, two integers m and n are relatively prime if GCD(m, n) = 1.
Example 1: 26 and 51 are relatively prime.
Example 2: 81 and 343 are relatively prime.

The Euler Phi (φ) or Totient Function
The totient function φ(n) is defined as the number of positive integers less than n that are relatively prime to n (i.e., share no factor with n), where 1 is counted as being relatively prime to all numbers.
If n is the product of two prime numbers, p and q, then φ(n) = (p−1)(q−1). That is, there are (p−1)(q−1) numbers in that range which are relatively prime to n.
Example: p = 3, q = 5, n = 15: φ(15) = (3−1)(5−1) = 2×4 = 8.
φ(n) is always even for n ≥ 3. By convention, φ(0) = 1.

The RSA Algorithm Key Generation


The RSA Algorithm: Enc./Dec.
Encryption: plaintext M < n; ciphertext $C = M^e \bmod n$.
Decryption: ciphertext C; plaintext $M = C^d \bmod n = M^{ed} \bmod n$.
The plaintext and ciphertext are integers between 0 and n−1 for some large integer n.
Both sender and receiver must know n and e, and only the receiver knows d.
The security of RSA comes from the computational difficulty of factoring large numbers: for large p and q, if n is known, it is hard to find p and q.
The size of a key in RSA typically refers to the size of n, e.g., a length of n of 1024 bits, or about 300 decimal digits.

RSA Requirements
It is possible to find values of e, d, n such that $M^{ed} \equiv M \pmod n$ for all M < n.
It is relatively easy to calculate $M^e$ and $C^d$ for all values of M < n.
It is infeasible to determine d given e and n.
Here is the magic!

An Example of the RSA Algorithm
1. p = 17; q = 11.
2. n = p × q = 187.
3. φ(n) = (p−1)(q−1) = 16 × 10 = 160.
4. Select e that is relatively prime to φ(n) = 160, and e < 160: we choose e = 7.
5. Determine d such that de mod 160 = 1, and d < 160: d = 23, since 23 × 7 = 161 = 160 + 1. (Use a program to find d.)
6. Public key KU = {e, n} = {7, 187}; private key KR = {d, n} = {23, 187}.
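The "program to find d" in step 5 is the extended Euclidean algorithm. As an added example (my code, not from the slides), the block below ties together the GCD, totient and RSA slides: a GCD-based coprimality check, φ(n) computed by its definition, a trial-division primality test, key generation that derives d from e and φ(n), and the textbook encryption/decryption from the Enc./Dec. slide. It reproduces the slide's p = 17, q = 11, e = 7 example, which yields d = 23; the function names are mine, and the plaintext 88 used in the stand-alone run is a constructed sample.

```python
# Added example: number-theory helpers and textbook RSA, using the slides' toy parameters.
from math import gcd


def coprime(m: int, n: int) -> bool:
    """Relatively prime: GCD(m, n) = 1."""
    return gcd(m, n) == 1


def is_prime(n: int) -> bool:
    """Deterministic trial-division primality test; fine for the slides' toy sizes."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def phi(n: int) -> int:
    """Euler totient by definition: count of k in 1..n with gcd(k, n) = 1 (1 is counted)."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x1, y1 = egcd(b, a % b)
    return g, y1, x1 - (a // b) * y1


def modinv(e: int, m: int) -> int:
    """The d with d*e mod m = 1, which exists only when gcd(e, m) = 1."""
    g, x, _ = egcd(e, m)
    if g != 1:
        raise ValueError("e and m are not relatively prime, so no inverse exists")
    return x % m


def rsa_keygen(p: int, q: int, e: int):
    """Steps 1-6 of the RSA example: returns (public key (e, n), private key (d, n))."""
    if not (is_prime(p) and is_prime(q) and p != q):
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi_n = (p - 1) * (q - 1)          # phi(n) for n = p*q
    if not coprime(e, phi_n):
        raise ValueError("e must be relatively prime to phi(n)")
    d = modinv(e, phi_n)               # d*e = 1 mod phi(n)
    return (e, n), (d, n)


def rsa_encrypt(public_key, m: int) -> int:
    """C = M^e mod n, for plaintext 0 <= M < n."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("plaintext must be an integer in 0..n-1")
    return pow(m, e, n)


def rsa_decrypt(private_key, c: int) -> int:
    """M = C^d mod n."""
    d, n = private_key
    return pow(c, d, n)


if __name__ == "__main__":
    pub, priv = rsa_keygen(17, 11, 7)
    print(pub, priv)                          # (7, 187) (23, 187)
    c = rsa_encrypt(pub, 88)                  # constructed sample plaintext
    print(c, rsa_decrypt(priv, c))            # 11 88
```

With p = 17 and q = 11, phi(187) computed by definition equals (17−1)(11−1) = 160, matching step 3. This is "textbook" RSA on raw integers, which is what the slides describe; deployed systems add randomized padding (OAEP for encryption, PSS for signatures) before exponentiation, and the toy modulus here is of course factorable by hand.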

Diffie-Hellman Key Exchange
The Diffie-Hellman algorithm enables two users to exchange a secret key securely.
For a given prime number p, a is called a primitive root of p if the numbers
$a \bmod p,\; a^2 \bmod p,\; \ldots,\; a^{p-1} \bmod p$
are distinct and consist of the integers from 1 through p−1 in some permutation.
For any b < p, one can find a unique exponent i such that
$b = a^i \bmod p$, where $0 \le i \le p-1$.
i is referred to as the discrete logarithm (or index) of b for the base a, mod p. Notation used: $dlog_{a,p}(b)$.

Diffie-Hellman Key Exchange
Users A and B:
A selects a random integer $X_A$; B independently selects a random integer $X_B$.
Both A and B make their public values $Y_A$ / $Y_B$ available to the other side.
Example of modular arithmetic: $2^3 = 8 \equiv 1 \pmod 7$.
An attacker D could know q, α, $Y_A$ and $Y_B$ but not $X_A$ and $X_B$. To find out $X_B$ (and then K), D must compute a discrete log, $X_B = dlog_{\alpha,q}(Y_B)$, which has been proved very difficult.

Diffie-Hellman Key Exchange: Algorithm
$K = (Y_B)^{X_A} \bmod q = (\alpha^{X_B} \bmod q)^{X_A} \bmod q$
$\;\; = (\alpha^{X_B})^{X_A} \bmod q$ (by the property of mod)
$\;\; = \alpha^{X_B X_A} \bmod q$
$\;\; = (\alpha^{X_A})^{X_B} \bmod q$
$\;\; = (\alpha^{X_A} \bmod q)^{X_B} \bmod q$ (by the property of mod)
$\;\; = (Y_A)^{X_B} \bmod q$
At the end, users A and B share a secret key K, which is not known to others.

Example
A and B wish to exchange a key. Prime number q = 71, and its primitive root α = 7.
Generate random integers < q: $X_A = 5$ and $X_B = 12$.
A computes his public key $Y_A = 7^5 \bmod 71 = 51$.
B computes his public key $Y_B = 7^{12} \bmod 71 = 4$.
After they exchange the public keys, each can compute the shared secret key K:
A computes $K = 4^5 \bmod 71 = 30$.
B computes $K = 51^{12} \bmod 71 = 30$.
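As an added example (my code, not from the slides) covering the three Diffie-Hellman slides above, the block below checks that α = 7 is a primitive root of q = 71 by the definition on slide 61, runs the exchange with the slide's $X_A = 5$, $X_B = 12$ so both sides reach K = 30, recovers the exponents by brute-force discrete log to show the work attacker D faces (trivial only because q is tiny), and simulates the unauthenticated failure described on the next slide, where a third party's substituted value leaves Alice and Bob each sharing a key with Carol instead of with each other. The function names and Carol's exponent $X_C = 9$ are my assumptions.

```python
# Added example: Diffie-Hellman with the slides' parameters q = 71, alpha = 7.


def is_primitive_root(a: int, p: int) -> bool:
    """a is a primitive root of the prime p iff a^1 .. a^(p-1) mod p are p-1 distinct values."""
    return len({pow(a, i, p) for i in range(1, p)}) == p - 1


def dh_public(alpha: int, q: int, x: int) -> int:
    """Y = alpha^X mod q."""
    return pow(alpha, x, q)


def dh_shared(y_other: int, x_own: int, q: int) -> int:
    """K = (Y_other)^X_own mod q."""
    return pow(y_other, x_own, q)


def dlog(alpha: int, q: int, y: int):
    """Brute-force dlog_{alpha,q}(y) over 0 <= i <= q-1: feasible only because q is tiny here."""
    for i in range(q):
        if pow(alpha, i, q) == y:
            return i
    return None


def exchange(q: int, alpha: int, x_a: int, x_b: int):
    """Honest exchange: returns (Y_A, Y_B, K as computed by A, K as computed by B)."""
    if not is_primitive_root(alpha, q):
        raise ValueError("alpha must be a primitive root of q")
    y_a, y_b = dh_public(alpha, q, x_a), dh_public(alpha, q, x_b)
    return y_a, y_b, dh_shared(y_b, x_a, q), dh_shared(y_a, x_b, q)


def mitm_keys(q: int, alpha: int, x_a: int, x_b: int, x_c: int):
    """The failure on the 'Breaking Diffie-Hellman' slide: Carol's Y_C replaces both public
    values in transit, so A and B each derive a key shared with Carol, not with each other.
    Returns (K_alice, K_bob, K_carol_with_alice, K_carol_with_bob)."""
    y_a, y_b, y_c = (dh_public(alpha, q, x) for x in (x_a, x_b, x_c))
    k_alice = dh_shared(y_c, x_a, q)          # Alice believes Y_C came from Bob
    k_bob = dh_shared(y_c, x_b, q)            # Bob believes Y_C came from Alice
    return k_alice, k_bob, dh_shared(y_a, x_c, q), dh_shared(y_b, x_c, q)


if __name__ == "__main__":
    print(exchange(71, 7, 5, 12))              # (51, 4, 30, 30)
    print(dlog(7, 71, 4), dlog(7, 71, 51))     # 12 5
    print(mitm_keys(71, 7, 5, 12, 9))          # Alice's and Bob's keys differ
```

The dlog loop is the whole security argument in miniature: with q = 71 it finishes instantly, which is why real parameters use primes of at least 2048 bits. The mitm_keys result is the reason the slides that follow add signatures over the public values: nothing in the bare exchange tells Alice whether the Y she received is Bob's.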

Breaking Diffie-Hellman
The Diffie-Hellman key exchange is vulnerable to a man-in-the-middle attack. Alice and Bob wish to exchange keys, and Carol is the opponent.
In this attack, the opponent Carol intercepts Alice's public value and sends her own public value to Bob. When Bob transmits his public value, Carol substitutes it with her own and sends it to Alice. Carol and Alice thus agree on one shared key and Carol and Bob agree on another shared key.
After this exchange, Carol simply decrypts any messages sent out by Alice or Bob, and then reads and possibly modifies them before re-encrypting with the appropriate key and transmitting them to the other party.
This vulnerability is present because Diffie-Hellman key exchange does not authenticate the participants. Possible solutions include the use of digital signatures and other protocol variants.

Defeating the man-in-the-middle attack
Prior to execution of the protocol, the two parties Alice and Bob each obtain a public/private key pair and a certificate for the public key. Prime number p, and its primitive root α.
During the protocol, Alice computes a signature on certain messages, covering the public value $\alpha^{X_A} \bmod p$. Bob proceeds in a similar way.
Even though Carol is still able to intercept messages between Alice and Bob, she cannot forge signatures without Alice's private key and Bob's private key. Hence, the enhanced protocol defeats the man-in-the-middle attack. (See slide 70 for more details.)

Other Public-Key Cryptographic Algorithms
Digital Signature Standard (DSS)
Makes use of SHA-1.
Not for encryption or key exchange; only for digital signature.
Elliptic-Curve Cryptography (ECC)
Good security for a small key size (compared with RSA's 1024-bit key), e.g., for sensor nodes.
Low confidence level (only being deployed in products for a few years), compared with RSA (tested for 30 years).
Very complex.

RSA & Diffie-Hellman
RSA depends on the difficulty of factoring large numbers (the product of two large primes).
Diffie-Hellman depends on the difficulty of computing discrete logarithms.

Key Management
Two aspects:
The distribution of public keys.
The use of public-key encryption to distribute secret keys.

Key Management: Public-Key Certificate Use

Henric Johnson


Distributing Shared Secret Keys by using Public-Key Algorithms
How to distribute a shared secret key?
Using Diffie-Hellman key exchange: no authentication of the two parties.
Using a public-key certificate:
Bob and Alice (Alice's public key $KU_a$, private key $KR_a$). If Bob obtained Alice's public key $KU_a$ via a public-key certificate, then Bob is assured that $KU_a$ is a valid key.
Bob prepares a message.
Bob encrypts that message using conventional encryption (e.g., DES) with a one-time conventional session key K (a new key).
Bob encrypts the session key K using public-key encryption with Alice's public key $KU_a$.
Bob attaches the encrypted session key K to the message and sends it to Alice: $E_K[\text{message}] + E_{KU_a}[K]$
Only Alice can decrypt the session key K (with her private key $KR_a$) and recover the original message.
