350 likes | 673 Views
Lecture 8 Overview. Secure Hash Algorithm (SHA). SHA-0 1993 SHA-1 1995 SHA-2 2002 SHA-224, SHA-256, SHA-384, SHA-512. SHA-1. 160-bit message digest. A message composed of b bits. Step 1 -- Padding. Padding the total length of a padded message is multiple of 512
E N D
Secure Hash Algorithm (SHA) • SHA-0 1993 • SHA-1 1995 • SHA-2 2002 • SHA-224, SHA-256, SHA-384, SHA-512 SHA-1 160-bit message digest A message composed of b bits CS 450/650 Lecture 8: Secure Hash Algorithm
Step 1 -- Padding • Padding the total length of a padded message is multiple of 512 • Every message is padded even if its length is already a multiple of 512 • Padding is done by appending to the input • A single bit, 1 • Enough additional bits, all 0, to make the final 512 block exactly 448 bits long • A 64-bit integer representing the length of the original message in bits CS 450/650 Lecture 8: Secure Hash Algorithm
Padding (cont.) Message 1 0…0 Message length 1 bit 64 bits Multiple of 512 CS 450/650 Lecture 8: Secure Hash Algorithm
Example • M = 01100010 11001010 1001 (20 bits) • Padding is done by appending to the input • A single bit, 1 • 427 0s • A 64-bit integer representing 20 • Pad(M) = 01100010 11001010 10011000 … 00010100 CS 450/650 Lecture 8: Secure Hash Algorithm
Example • Length of M = 500 bits • Padding is done by appending to the input: • A single bit, 1 • 459 0s • A 64-bit integer representing 500 • Length of Pad(M) = 1024 bits CS 450/650 Lecture 8: Secure Hash Algorithm
Step 2 -- Dividing Pad(M) • Pad (M) = B1, B2, B3, …, Bn • Each Bi denote a 512-bit block • Each Bi is divided into 16 32-bit words • W0, W1, …, W15 CS 450/650 Lecture 8: Secure Hash Algorithm
Step 3 – Compute W16 – W79 • To Compute word Wj (16<=j<=79) • Wj-3, Wj-8, Wj-14 , Wj-16 are XORed • The result is circularly left shifted one bit CS 450/650 Lecture 8: Secure Hash Algorithm
Step 4 – Initialize A,B,C,D,E • A = H0 • B = H1 • C = H2 • D = H3 • E = H4 CS 450/650 Lecture 8: Secure Hash Algorithm
Initialize 32-bit words • H0 = 67452301 • H1 = EFCDAB89 • H2 = 98BADCFE • H3 = 10325476 • H4 = C3D2E1F0 • K0 – K19 = 5A827999 • K20 – K39 = 6ED9EBA1 • K40 – K49 = 8F1BBCDC • K60 – K79 = CA62C1D6 CS 450/650 Lecture 8: Secure Hash Algorithm
Step 5 – Loop For j = 0 … 79 TEMP = CircLeShift_5 (A) + fj(B,C,D) + E + Wj + Kj E = D; D = C; C = CircLeShift_30(B); B = A; A = TEMP Done + addition (ignore overflow) CS 450/650 Lecture 8: Secure Hash Algorithm
Four functions • For j = 0 … 19 • fj(B,C,D) = (B AND C) OR ( B AND D) OR (C AND D) • For j = 20 … 39 • fj(B,C,D) = (B XOR C XOR D) • For j = 40 … 59 • fj(B,C,D) = (B AND C) OR ((NOT B) AND D) • For j = 60 … 79 • fj(B,C,D) = (B XOR C XOR D) CS 450/650 Lecture 8: Secure Hash Algorithm
Step 6 – Final • H0 = H0 + A • H1 = H1 + B • H2 = H2 + C • H3 = H3 + D • H4 = H4 + E CS 450/650 Lecture 8: Secure Hash Algorithm
Done • Once these steps have been performed on each 512-bit block (B1, B2, …, Bn) of the padded message, • the 160-bit message digest is given by H0 H1 H2 H3 H4 CS 450/650 Lecture 8: Secure Hash Algorithm
SHA CS 450/650 Lecture 8: Secure Hash Algorithm
Lecture 9 Digital Signatures CS 450/650 Fundamentals of Integrated Computer Security Slides are modified from Hesham El-Rewini
Digital Signatures • A digital signature can be interpreted as indicating the signer’s agreement with the contents of an electronic document • Similar to handwritten signatures on physical documents CS 450/650 Lecture 9: Digital Signatures
Digital Signature Properties • Unforgeable: Only the signer can produce his/her signature • Authentic: A signature is produced only by the signer deliberately signing the document CS 450/650 Lecture 9: Digital Signatures
Digital Signature Properties • Non-Alterable: A signed document cannot be altered without invalidating the signature • Non-Reusable: A signature from one document cannot be moved to another document • Signatures can be validated by other users • the signer cannot reasonably claim that he/she did not sign a document bearing his/her signature CS 450/650 Lecture 9: Digital Signatures
Digital Signature Using RSA • The RSA public-key cryptosystem can be used to create a digital signature for a message m • Asymmetric Cryptographic techniques are well suited for creating digital signatures • The signer must have an RSA public/private key pair • c = Me mod n • M = cd mod n CS 450/650 Lecture 9: Digital Signatures
Signature Generation (Signer) Message Redundancy Function Formatted Message Encrypt Private Key Signature CS 450/650 Lecture 9: Digital Signatures
Signature Verification Signature Public Key Decrypt Formatted Message Verify Message CS 450/650 Lecture 9: Digital Signatures
Example • Generate signature S • d = 53 • e = 413 • n = 629 • m = 250 • Assume that R(X) = X • S = R(m)e mod n • S = 25053 mod 629 = 411 CS 450/650 Lecture 9: Digital Signatures
Example • Verify signature with message recovery • Public key (e) = 413 • n = 629 • S = 411 • R(m) = Se mod n • R(m) = 411413 mod 629 = 250 • Verifier checks that R(m) has proper redundancy created by R (none in this case) • m = R-1(m) = 250 CS 450/650 Lecture 9: Digital Signatures
Creating a forged signature • Choose a random number between 0 and n-1 for S • S = 323 • Use the signer’s public key to decrypt S • R(m) = 323413 mod 629 = 85 • Invert R(m) to m: m = 85 • A valid signature (323) has been created for a random message (85) CS 450/650 Lecture 9: Digital Signatures
Redundancy Function • The choice of a poor redundancy function can make RSA vulnerable to forgery • A good redundancy function should make forging signatures much harder CS 450/650 Lecture 9: Digital Signatures
Example • generate signature S • d = 53 • e = 413 • n = 629 • m = 7 • Assume that R(X) = XX • S = R(m)e mod n • S = 7753 mod 629 = 25 CS 450/650 Lecture 9: Digital Signatures
Example • verify signature with message recovery • Public key (e) = 413 • n = 629 • S = 25 • R(m) = Se mod n • R(m) = 25413 mod 629 = 77 • The verifier then checks that R(m) is of the form XX for some message X • m = R-1(m) = 7 CS 450/650 Lecture 9: Digital Signatures
Forging signature (revisited) • Choose a random number between 0 and n-1 for S • S = 323 • Use the signer’s public key to decrypt S • R(m) = 323413 mod 629 = 85 • However, 85 is not a legal value for R(m) • so S = 323 is not a valid signature CS 450/650 Lecture 9: Digital Signatures
Privacy • Signature provides only authenticity. • How can we provide privacy in addition? CS 450/650 Fundamentals of Integrated Computer Security
Getting a Message Digest from a document Hash Message Digest CS 450/650 Lecture 9: Digital Signatures
Generating Signature Message Digest Signature Encrypt using private key CS 450/650 Lecture 9: Digital Signatures
Appending Signature to document Append Signature CS 450/650 Lecture 9: Digital Signatures
Verifying Signature Hash Message Digest Message Digest Decrypt using public key CS 450/650 Lecture 9: Digital Signatures