320 likes | 456 Views
Fundamentals of Computer Security. Certificates & Trust Message Digests Message Authentication Codes. Public Key Infrastructure.
E N D
Fundamentals of Computer Security Certificates & Trust Message Digests Message Authentication Codes CSCI 379 Fundamentals of Computer Security
Public Key Infrastructure Goal: To distribute public keys. Who can say that the public keys you find in some database really belong to the people they are said to belong? What is needed is for someone trustworthy to distribute keys and to vouch for the authenticity of these keys (a Certification Authority, CA). A Public Key Infrastructure (PKI) consists of: • certificates, • a certificate repository, • a method for revoking certificates, and • a method for evaluating a chain of certificates from known and trusted public keys (trust anchors). CSCI 379 Fundamentals of Computer Security
Certificate Definition: a certificate is a signed message vouching that a certain public key really belongs to a particular name. Say you trust a specific CA called TrustMeDude. A certificated issued by TrustMeDude can tell you what Bob’s public key is: As long as you know the public key from TrustMeDude, you can verify the signature on the certificate and be sure that it was issued by that CA. CSCI 379 Fundamentals of Computer Security
Trust Chains Such trust chains allow for relationships to be verified and extended, but there are problems in this model... CSCI 379 Fundamentals of Computer Security
Trust Models Monopoly model: there is a single CA for the whole world which can be trusted by all. Monopoly plus Registration Authorities: the single CA chooses RAs to securely check, obtain, and vouch for public keys. Delegated CAs: the trust anchor CA can issue certificates to other CAs, vouching for their keys and trustworthiness. Oligarchy model: there are many trust anchors, a certificate from any of them is acceptable (web browsers). Anarchy model: each user is responsible for defining the trust anchors; anyone is allowed to vouch for anyone else (PGP). CSCI 379 Fundamentals of Computer Security
Message Digest Functions CSCI 379 Fundamentals of Computer Security
Overview • Cryptographic hash functions are functions that: • Map an arbitrary-length (but finite) input to a fixed-size output. • Are one-way (hard to invert). • Are collision-resistant (difficult to find two values that produce the same output). • Examples: • Message digest functions - protect the integrity of data by creating a fingerprint of a digital document. • Message Authentication Codes (MAC) - protect both the integrity and authenticity of data by creating a fingerprint based on both the digital document and a secret key. CSCI 379 Fundamentals of Computer Security
Checksums vs. Message Digests • Checksums: • Used to produce a compact representation of a message. • If the message changes the checksum will probably not match. • Good: accidental changes to a message can be detected. • Bad: easy to purposely alter a message without changing the checksum. • Message digests: • Used to produce a compact representation (called the fingerprint or digest) of a message. • If the message changes the digest will probably not match. • Good: accidental changes to a message can be detected. • Good: difficult to alter a message without changing the digest. CSCI 379 Fundamentals of Computer Security
Hash Functions • Message digest functions are hash functions: • A hash function, H(M)=h, takes an arbitrary-length input, M, and produces a fixed-length output, h. • Example hash function: • H = sum all the letters of an input word modulo 26. • Input = a word. • Output = a number between 0 and 25, inclusive. • Example: • H(“Elvis”) = ((‘E’ + ‘L’ + ‘V’ + ‘I’ + ‘S’) mod 26) • H(“Elvis”) = ((5+12+22+9+19) mod 26) • H(“Elvis”) = (67 mod 26) • H(“Elvis”) = 15 CSCI 379 Fundamentals of Computer Security
Collisions • For the hash function: • H = sum all the letters of an input word modulo 26. • There are more inputs (words) than possible outputs (numbers 0-25). • Some different inputs produce the same output. • A collision occurs when two different inputs produce the same output: • The values x and y are not the same, but H(x) and H(y) are the same. CSCI 379 Fundamentals of Computer Security
Collision-Resistant Hash Functions • Hash functions for which it is difficult to find collisions are called collision-resistant. • A collision-resistant hash function, H(M)=h: • For any message, M1, it is difficult to find another message, M2 such that: • M1 and M2 are not the same. • H(M1) and H(M2) are the same. CSCI 379 Fundamentals of Computer Security
One-Way Hash Functions • A function, H(M)=h, is one-way if: • Forward direction: given M it is easy to compute h. • Backward direction: given h it is difficult to compute M. • A one-way hash function: • Easy to compute the hash for a given message. • Hard to determine what message produced a given hash value. CSCI 379 Fundamentals of Computer Security
Message Digest Functions Message digest functions are collision-resistant, one-way hash functions: • Given a message it is easy to compute its digest. • Hard to find any message that produces a given digest (one-way). • Hard to find any two messages that have the same digest (collision-resistant). CSCI 379 Fundamentals of Computer Security
Using Message Digest Functions Message digest functions can be used to protect data integrity: • A company makes some software available for download over the World Wide Web. • Users want to be sure that they receive a copy that has not been tampered with. • Solution: • The company creates a message digest for its software. • The digest is transmitted (securely) to users. • Users compute their own digest for the software they receive. • If the digests match the software probably has not been altered. CSCI 379 Fundamentals of Computer Security
The Secure Hash Algorithm (SHA) • A Federal Information Processing Standard (FIPS 180-1) adopted by the U.S. government in 1995. • Based on a message digest function called MD4 created by Ron Rivest. • Developed by NIST and the NSA. • Input: a message of b bits. • Output: a 160-bit message digest. CSCI 379 Fundamentals of Computer Security
SHA - Padding • Input: a message of b bits • Padding makes the message length a multiple of 512 bits. • The input is always padded (even if its length is already a multiple of 512). • Padding is accomplished by appending to the input: • A single bit, 1, • Enough additional bits, all 0, to make the final 512-bit block exactly 448 bits long, • A 64-bit integer representing the length of the original message in bits. CSCI 379 Fundamentals of Computer Security
SHA – Padding Example • Consider the following message: • M = 01100010 11001010 1001 (20 bits) • To pad we append: • 1 (1 bit), • 427 0s (because 448-21 = 427 bits), • 64-bit binary representation of the number 20 (64 bits). • Result: • Pad(M) = 01100010 11001010 10011000 00000000 . . . 00000000 00010100 (512 bits). • 464 0s have been omitted above (denoted by the ellipsis). CSCI 379 Fundamentals of Computer Security
SHA – Constant Initialization After padding, constants are initialized to the following hexadecimal values: • Five 32-bit words: • H0= 67452301 • H1= EFCDAB89 • H2= 98BADCFE • H3= 10325476 • H4= C3D2E1F0 • Eighty 32-bit words: • K0– K19= 5A827999 • K20 – K39= 6ED9EBA1 • K40 – K59= 8F1BBCDC • K60– K79= CA62C1D6 CSCI 379 Fundamentals of Computer Security
SHA – Step 1 • The padded message contains a whole number of 512-bit blocks, denoted B1, B2, B3, . . ., Bn • Each 512-bit block, Bi, of the padded message is processed in turn: • Bi is divided into 16 32-bit words, W0, W1, . . ., W15 • W0 is composed of the leftmost 32 bits in Bi • W1 is composed of the second 32 bits in Bi … • W15 is composed of the rightmost 32 bits in Bi CSCI 379 Fundamentals of Computer Security
SHA – Step 2 • W0, W1, . . ., W15 are used to compute 64 new 32-bit words (W16, W17, . . ., W79) • Wj (16 <j < 79) is computed by: • XORing words Wj-3, Wj-8, Wj-14, and Wj-16 together • Circularly left shifting the result one bit for j = 16 to 79 do Wj= Circular_Left_Shift_1(Wj-3Wj-8Wj-14Wj-16) done CSCI 379 Fundamentals of Computer Security
SHA – Step 3 • The values of H0, H1, H2, H3, and H4are copiedinto five words called A, B, C, D, and E: • A = H0 • B = H1 • C = H2 • D = H3 • E = H4 CSCI 379 Fundamentals of Computer Security
SHA – Step 4 • Four functions are defined as follows: • For (0 <j < 19): • fj(B,C,D) = (B AND C) OR ((NOT B) AND D) • For (20 <j < 39): • fj(B,C,D) = (B C D) • For (40 <j < 59): • fj(B,C,D) = ((B AND C ) OR (B AND D) OR (C AND D)) • For (60 <j < 79): • fj(B,C,D) = (B C D) CSCI 379 Fundamentals of Computer Security
SHA – Step 4 (cont) • For each of the 80 words, W0, W1, . . ., W79, a 32-bit word called TEMP is computed • The values of the words A, B, C, D, and E are updated as shown below: for j = 0 to 79 do TEMP = Circular_Left_Shift_5(A) + fj(B,C,D) + E + Wj+ Kj E = D; D = C; C = Circular_Left_Shift_30(B); B = A; A = TEMP done CSCI 379 Fundamentals of Computer Security
SHA – Step 5 • The values of H0, H1, H2, H3, and H4, are updated: • H0= H0+ A • H1= H1+ B • H2= H2+ C • H3= H3+ D • H4= H4+ E CSCI 379 Fundamentals of Computer Security
SHA - Summary • Pad the message • Initialize constants • For each 512-bit block (B1, B2, B3, . . ., Bn): • Divide Bi into 16 32-bit words (W0– W15) • Compute 64 new 32-bit words (W16, W17, . . ., W79) • Copy H0 -H4 into A, B, C, D, and E • For each Wj (W0– W79) compute TEMP and update A-E • Update H0 - H4 • The 160-bit message digest is: H0 H1 H2 H3 H4 CSCI 379 Fundamentals of Computer Security
Message Digests are not enough… • Example: We want to use a message digest function to protect files on our computer from intruders: • Calculate digests for important files and store them in a table. • Recompute and check from time to time to verify that the files have not been modified. • Good: if someone modifies a file the change will be detected since the digest of that file will be different. • Bad: the attacker could just compute new digests for modified files and install them in the table. • What is needed is a function that depends not only on the message, but also on some kind of secret. CSCI 379 Fundamentals of Computer Security
Attacks on Message Digests • Brute-force: Let H be a message digest, a one-way function and M be some piece of data. Can you find a piece of data M’ such that H(M) = H(M’)? Say that you generate sequences of M’ and compute H(M’) for each one until you find a match. How many M’ would you have to test? • Birthday Attack: Say that H(.) produces n bits. If you choose M’ at random, you need to try at most 2n/2 messages to have greater than 50% chance of finding the M’ that you want. (See the Birthday Paradox in probability theory textbooks.) CSCI 379 Fundamentals of Computer Security
Message Authentication Codes • A message authentication code (MAC) is a key-dependent message digest function: MAC(Key,Message) = h • The MAC can only be created or verified by someone who knows Key. • One can turn a one-way hash function into a MAC by encrypting the hash value with a symmetric-key cryptosystem. CSCI 379 Fundamentals of Computer Security
Using a MAC MAC can be used to protect data integrity and authenticity: • Want to use a MAC to protect files on our computer against tampering: • Calculate MAC values for important files and store them in a table, • Recompute MACs from time to time and compare to stored values to verify that the files haven’t been modified. • Good: If someone modifies a file the hash of that file will be different. • Good: As long as no one knows the proper key, new MACs can’t be stored in the table to cover the intruder’s tracks. CSCI 379 Fundamentals of Computer Security
Implementing a MAC Question: Does this structure look familiar? CSCI 379 Fundamentals of Computer Security
Libraries for MDs and MACs mhash: Supports SHA1, GOST, HAVAL256, HAVAL224, HAVAL192, HAVAL160, HAVAL128, MD5, MD4, RIPEMD160, TIGER, TIGER160, TIGER128, CRC32B and CRC32 checksums. Free (GNU LGPL). http://mhash.sourceforge.net java.security: Offers a number of classes for applications needing crypto primitives. MessageDigest, for instance, is a class that produces digests according to MD5 or SHA. http://java.sun.com/j2se/1.4.2/docs/api/ CSCI 379 Fundamentals of Computer Security
Summary Message digests • Message digest functions are collision-resistant, one-way hash functions: • Collision-resistant: hard to find two values that produce the same output, • One-way: hard to determine what input produced a given output. • Protects the integrity of a digital document. MACs • A message authentication code is a key-dependent message digest function: • The output is a function of both the hash function and a secret key. • The MAC can only be created or verified by someone who knows the key. • Protects the integrityand the authenticity of a digital document. CSCI 379 Fundamentals of Computer Security