453 network security
DESCRIPTION
453 Network Security. Section 3b: Message Authentication and Public-Key Cryptography Dr. E.C. Kulasekere Sri Lanka Institute of Information Technology - 2006. Requirements for Hash Functions. can be applied to any sized message M, produces fixed-length output h - PowerPoint PPT PresentationTRANSCRIPT
453 Network Security453 Network Security
Section 3b: Message Authentication and Public-Key Cryptography
Dr. E.C. Kulasekere
Sri Lanka Institute of Information Technology - 2006
Requirements for Hash FunctionsRequirements for Hash Functions• can be applied to any sized message M, produces
fixed-length output h• is easy to compute h=H(M) for any message M• given h is infeasible to find x s.t. H(x)=h
– one-way property. See note 1 for reasoning.• given x is infeasible to find y s.t. H(y)=H(x)
– weak collision resistance. Prevents forgery when encrypted hash functions are used.
– The opponent can read the message and also generate the hash code. But will not be able to alter it without detection since he does not have the secret key. Encryption of H(M) guarantees this. (note4)
• is infeasible to find any x,y s.t. H(y)=H(x)– strong collision resistance
• based on XOR of message blocks
• not secure since can manipulate any message and either not change hash or change hash also.
• C_i is the ith bit of the hash code
• m – number of n bit blocks in the input
• b_ij – ith bit of the jth block
Simple Hash FunctionsSimple Hash Functions
imiii bbbC 21
Simple Hash Functions …Simple Hash Functions …
Improvement to Simple Hash Function (1)
Improvement to Simple Hash Function (1)
• The above simple system is good for random data for an integrity check.
• Each n-bit hash value is equally likely.• The probability that a data error will result in an
unchanged hash value is ½^n.• For more predictability formatted data, the
function is less effective.• Eg: in most text files, the higher order bit of each
octet is mostly zero
Improvement to Simple Hash Function (2)
Improvement to Simple Hash Function (2)
• A known value will reduce the effectiveness of the hash function from 128 to 128-16=112. This is because for a 128 hash 16 octets have to be lined up and each will have the first bit 0 which will effectively fix the hash value to only 112 bits that can change. To improve we incorporate randomness.
Improvements to Simple Hash FunctionImprovements to Simple Hash Function• Initially set n-bit hash function
to zero• Process each successive n-bit
block of data as follows– Rotate current hash value
to left by one bit.– XOR the block into the
hash value. • This will randomize the input
and overcome any regularities that appear in the input.
• This procedure provides good data integrity however if the plaintext is sent with the hash then no security. (note 2)
Secure Hash Algorithm (SHA – 1)Secure Hash Algorithm (SHA – 1)
• SHA was developed by the National Institute of Standards and Technology.
• The algorithm takes as input a message with maximum length of less than 2^64 bits.
• It produces an output of 160-bit message digest.
• The input is processed in 512-bit blocks.
• The stages involved are (note 3)– Append padding bits– Append length– Initialize (message digest) MD buffer– Process message in 512-bit blocks– Output
MD Generation using SHA-1MD Generation using SHA-1
Note that this uses CBC mode
MD5 Message Digest AlgorithmMD5 Message Digest Algorithm
• Similar to SHA-1 in structure.
• The algorithm takes as input a message of arbitrary length and produces as output a 128-bit message digest.
• The input is processed in blocks of 512-bits.
• In recent times there have been concerns of brute-force and crypt analytic compromises.
Comparison of SHA-1 and MD5Comparison of SHA-1 and MD5
• Brute force attack is harder (160 vs 128 bits for MD5). You have to scan 2^160 different options.
• not vulnerable to any known attacks (compared to MD4/5)
• SHA-1 is a little slower than MD5 (80 vs 64 steps)
• both designed as simple and compact• Both of these are cryptographic hash functions
that do not use a secret key as in the case of MACs.
Comparison of Secure Hash Functions
Comparison of Secure Hash Functions
SHA-1 MD5 RIPEMD-160
Digest length 160 bits 128 bits 160 bits
Basic unit of processing
512 bits 512 bits 512 bits
Number of steps 80
(4 rounds of 20)
64
(4 rounds of 16)
160
(5 paired rounds of 16)
Maximum message size
264-1 bits
HMACHMAC• We observe the following
– MAC codes depend on secret key cryptography (block cipher) such as DES and are very slow.
– Cryptographic hash codes are much faster, specially in software.
• Hence developing a MAC derived from cryptographic hash code such as SHA-1 will be interesting.
• However hash functions such as SHA-1 are not designed for use as a MAC since it does not use a secret key.
• HMAC is derived by incorporating a secret key into an existing hash algorithm.
HMAC Design ObjectivesHMAC Design Objectives• To use, without modifications, available hash functions.
• To allow for easy replacing of the embedded hash functions in case faster or more secure hash function are found or required.
• To preserve the original performance of the hash function without incurring a significant degradation.
• To use and handle keys in a simple way.
• To have a well understood cryptographic analysis of the strength of the authentication mechanism based on reasonable assumptions on the embedded hash function.
HMAC AlgorithmHMAC Algorithm• uses hash function on
the message:HMACK = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad)||M)]]
• where K+ is the key padded out to size
• and opad, ipad are specified padding constants
Some Observations of HMACSome Observations of HMAC• The message M is divided into L blocks using the
padding specified by the hash function.• If the length of the key K is greater than the block size
b, the key will be input to the hash function to produce the n-bit key.
• K^+ is K padded with zeros on the left to get b-bit length. Note that n<b.
• Ipad and opad have the characteristic of flipping one half of the bits in K. This is like generating two sub-keys from the original key.
• HMAC executed the hash function three times.
Security of Hash Functions and MACs
Security of Hash Functions and MACs
• Just as in symmetric and public key encryption the attacks are grouped into brute-force and cryptanalysis categories.
• Brute force attacks for hash functions– The strength of the hash function against brute force
attack depends on the length of the hash code produced by the algorithm.
• Brute force attacks on MACs– Here the attacker would like to come up with a valid
MAC code for a given message x. – This can be done by exhaustively searching the
message space or exhaustively checking the key space.
Security of Hash Functions and MACs …
Security of Hash Functions and MACs …
• Cryptanalysis on Hash Functions– This method seeks to exploit some property of the
algorithm to perform some attack rather than an exhaustive search.
– This type of attack focuses on the internal structure of the compression function.
– Based on finding out the bit change pattern from round to round.
• Cryptanalysis of MACs– Not much information is available. – Based on a system similar to the attacks on encryption
algorithms.
Public-Key Cryptography Principles (1)Public-Key Cryptography Principles (1)
• public-key/two-key/asymmetric cryptography involves two keys: – a public-key, which may be known by anybody, and
can be used to encrypt messages, and verify signatures
– a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures
• is asymmetric because– those who encrypt messages or verify signatures
cannot decrypt messages or create signatures
Public-Key Cryptography Principles (2)Public-Key Cryptography Principles (2)
• developed to address two key issues:– key distribution – how to have secure
communications in general without having to trust a KDC with your key
– digital signatures – how to verify a message comes intact from the claimed sender
• public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976
Public-Key CharacteristicsPublic-Key Characteristics• Public-Key algorithms rely on two keys with the
characteristics that it is:– computationally infeasible to find decryption key
knowing only algorithm & encryption key– computationally easy to en/decrypt messages when
the relevant (en/decrypt) key is known– either of the two related keys can be used for
encryption, with the other used for decryption (in some schemes)
• can classify uses into 3 categories:– encryption/decryption (provide secrecy)– digital signatures (provide authentication)– key exchange (of session keys)
EncryptionEncryption
AuthenticationAuthentication
Misconceptions about Public-Key Encryption
Misconceptions about Public-Key Encryption
• Public key encryption is not more secure than private key in terms of cryptanalysis. It depends on– Length of the key– Work involved in breaking the cipher.
• Public key method is not a general purpose technique that has made conventional encryption obsolete.
• Key distribution is not trivial in public key systems when compared to the key distributions centers (KDCs) used for conventional encryption.– Some protocol is necessary for key distribution and they are liable
to be insecure as well.
Public-Key Cryptography RequirementsPublic-Key Cryptography Requirements
1. Computationally easy for a party B to generate a pair (public key KUb, private key KRb)
2. Easy for sender to generate ciphertext:
3. Easy for the receiver to decrypt ciphertext using private key:
4. Computationally infeasible to determine private key (KRb) knowing public key (KUb)
5. Computationally infeasible to recover message M, knowing KUb and ciphertext C
6. Either of the two keys can be used for encryption, with the other used for decryption:
)]([)]([ MEDMEDM KRbKUbKUbKRb
Public-Key Crypto SystemsPublic-Key Crypto Systems
DSS = Digital Signature Standard
RSA Public-Key AlgorithmRSA Public-Key Algorithm• Ron Rivest, Adi Shamir and Len Adleman at MIT, in 1977• Most widely accepted and implemented approach to
public-key encryption• This is a block cipher• The plaintext and cipher text are integers between 0 and
n-1 for some n.• Both sender and receiver should know the values of n and
the public key e.• Only receiver should know the private key d.• Public key KU={e,n} and the private key KR={d,n}
The RSA Algorithm – Key Generation
The RSA Algorithm – Key Generation
1. Select p,q p and q both prime
2. Calculate n = p x q
3. Calculate
4. Select integer e
5. Calculate d
6. Public Key KU = {e,n}
7. Private key KR = {d,n}
1)1)(q(pΦ(n)
)(1;1)),(gcd( neen
)(mod1 ned
The RSA Algorithm - EncryptionThe RSA Algorithm - Encryption
• Plaintext: M<n
• Ciphertext: C = Me (mod n)
The RSA Algorithm - DecryptionThe RSA Algorithm - Decryption
• Ciphertext: C
• Plaintext: M = Cd (mod n)
Example ImplementationExample Implementation
• Select two prime numbers p=17 and q=11 (only divisible by 1 and the same number)
• Calculate n=pq=187• Calculate φ(n)=(p-1)(q-1)=160• Select e to be relatively prime to φ(n) and less than φ(n):e=7 (gcd=1)• Determine d such that de=1 MOD 160 and d < 160: d=23 Use
de=kx160+1• KU={17,187} and KR={23,187}
Diffie-Hellman Key EchangeDiffie-Hellman Key Echange• The algorithm helps two users to exchange a
secret key securely that can be used for subsequent encryption of messages.
• The algorithm is limited to only key exchange.
Diffie-Hellman Key Echange ...Diffie-Hellman Key Echange ...
• The exchange produces identical results
• Since the X’s are private, an opponent has only the following to work with: q, a, and the Y’s.
• The opponent is forced to take a discrete logarithm to determine the key.
• For larger primes finding the matching discrete logarithm is near impossible.
Other Public-Key Cryptographic Algorithms
Other Public-Key Cryptographic Algorithms
• Digital Signature Standard (DSS)– Makes use of the SHA-1– Not for encryption or key echange
• Elliptic-Curve Cryptography (ECC)– Good for smaller bit size– Low confidence level, compared with RSA– Very complex
• Remember that larger key sizes are required in public key encryption to match the strength of the private key security. Eg. Private key 128 bits equivalent to private key 4K bits.
Key Management (1)Key Management (1)• One of the major roles in public-key
encryption is to address the problem of key distribution.
• Two distinct aspects are considered. – The distribution of public keys– The use of public key encryption to distribute
secret keys.
• A symmetric key can be achieved using the Diffie Hellman key exchange.
Key Management (2)Key Management (2)
• Digital certificates for distribution of public keys– Public key can be forged. This is because the public
key is broadcast freely– C can claim to be A and broadcast a public key for A.– C can now read any message for A encrypted using
the public key that was broadcast. – This can go on until the real A detects the problem. – The solution is to issue a public-key certificate which
consists of a public-key a user ID of the key owner and the whole block signed by a trusted third party.
Key Management (3)Key Management (3)• Public-key distribution of secret keys
– One way is to use Diffie-Hellman key exchange. However the drawback here is that it provides no authentication of the communicating parties.
– The other alternative is to use public-key certificates. Consider Bob wishes to communicate with Alice.
• Prepare a message• Encrypt the message using conventional encryption
with a one time conventional session key.
Key Management (4)Key Management (4)
• Encrypt the session key using public key encryption with Alice’s public key.
• Attach the encrypted session key to the message and send it to Alice.
• Now only Alice is capable of decrypting the session key and there fore recover the original message.
• If Bob obtained Alice’s public key by means of Alice’s public-key certificate, then Bob is assured that it is a valid key.
Next Lecture Next Lecture
• Authentication applications
• Kerberos
• Session keys and management.
• Key Exchange and authentication mechanisms.
• E-mail and PGP
• Web security