900 likes | 1.06k Views
Chapter 3. Public-Key Cryptography and Message Authentication. Recall :. In chapter 3 “Authentication” includes all three of these services. We need to defend against attacks such as:. ► bit flipping in stream cipher (my time-of-attack example). ► cut and paste attack with ECB.
E N D
Chapter 3 Public-Key Cryptography and Message Authentication
Recall: In chapter 3 “Authentication” includes all three of these services
We need to defend against attacks such as: ► bit flipping in stream cipher(my time-of-attack example) ► cut and paste attack with ECB
3.1 Approaches to Message Authentication Authentication Using Conventional (Symmetric) Encryption Assuming that only sender and receiver share a secret key, then successful decryption of a message proves that it is from the sender. But what about the Christmas bonus cut-and-paste attack? “If the message also includes error-detection and a sequence number, the receiver is assured that no alteration has been made and that the sequencing is proper.” Circular reasoning!
Message Authentication without Message Encryption We may want to be able to authenticate a message without encrypting it Examples: 1. Public announcement, e.g. The system is going down in 5 minutes! 2. Receiver to busy to decrypt incoming messages. 3. Checking integrity of a computer program downloaded from a server. Encryption and Authentication are separate; Either or both may be needed
Message Authentication Code A secret key is used to generate a small block of data, the MAC, which is appended to the message by the sender. Knowing the secret key and the message, the receiver re-calculates the MAC and compares it to the appended value. Secret Sender calculates MAC Recalculating the MAC is a “forward” calculation – fundamentally different from the “reverse” calculation in decryption.
Message Authentication Code – continued If the appended code and the freshly-calculated code agree, then: 1. The receiver is assured that the message has not been altered. (Chapter 1 – data integrity – connectionless) 2. The receiver is assured that the message is from the alleged sender, since nobody else knows the secret key. (Chapter 1 – participant authentication) 3. If the message includes a sequence number, the receiver is assured that there are no losses, duplications, or out-of-sequence elements. (Chapter 1 – data integrity – connection-oriented) 4. The sender cannot deny having sent the message, since nobody else knows the secret key. (Chapter 1 – nonrepudiation) Provided that suitable algorithms can be found to generate the Message Authentication Code!
One-Way Hash Functions Given a message, M, of arbitrary length a hash function produces a short, fixed-length block that is unique to M (“fingerprint”) A hash function is a component of a MAC system. It is not the complete system because a hash itself does not involve any secret information. Figure 3.2 shows three ways to use hash functions in producing a MAC.
Figure 3.2(a) is essentially the same as figure 3.1: Figure 3.2(b) is the same as 3.2(a), except using public-key encryption (defer until later).
One-Way Hash Functions – continued Figures 3.2 (a) and (b) involve encryption, which is slow and expensive. Figure 3.2(c) is an alternative that avoids encryption: Pre-Shared secret Not transmitted This method is used in HMAC (see later) Sometimes referred to as “keyed hash”
Recall from page 7: 2. In developing a particular security mechanism or algorithm, one must always consider potential attacks on those security features … 3. Because of point 2, the procedures used to provide particular services are often counterintuitive: It is not obvious from the statement of a particular requirement that such elaborate measures are needed. It is only when the various counter-measures are considered that the measures used make sense.
3.2 Secure Hash Functions Hash function requirements: • H can be applied to a block of data of any size. • H produces fixed-length output. • H(x) is relatively easy to compute for any x, making both hardware and software implementation practical. 4. For any given value h it is computationally infeasible to find x such that H(x) = h Called “one-way” or “preimage resistant”
4. For any given value h it is computationally infeasible to find x such that H(x) = h Without the “one-way” property method (c) would not work Encryption functions must be reversible; Hash functions must not be reversible!
5. For any given block x, it is computationally infeasible to find y≠x with H(y) = H(x) Called “second preimage resistant” or “weak collision resistant” Without property #5 methods 3.2 (a) and (b) would not work
3.2 Secure Hash Functions- continued 6. It is computationally infeasible to find any pair (x, y) such that H(x) = H(y) Called “(strong) collision-resistant” This property is necessary to defend against the “birthday attack.”
Birthday Attack Probability that two specific people have same birthday is 1/365 In a group of n people there are n*(n-1)/2 pairs Probability that any two people have same birthday is n*(n-1)/(2 * 365) What does n have to be for probability to be 0.5? Approximating n*(n-1) as n2 we get n2 = 2 * 365* 0.5 or n = √365 about 19 With 128-bit hash function, probability that two specific messages have same hash value is 2-128 But probability that two messagesexist with same hash value is 2-64
Security of Hash Functions Clearly, it is desirable to use a hash function that has property 6, strong collision resistance. For a hash code of length n bits we expect the level of effort required to break it by brute force to be 2n BUT Preimage-resistant (property 4): 2n/2 (yields to Birthday Attack) Second preimage resistant (property 5): 2n/2 (yields to Birthday Attack) Strong collision resistant (property 6): 2n (resists Birthday Attack) A 160-bit hash code is now regarded as suspect!
Simple Hash Functions Ci = bi1 XOR bi2 XOR bi3 …. XOR bim But XOR is commutative, so could permute blocks without changing C OK for accidental transmission errors, but useless for defense against Darth.
SHA Secure Hash Function Focus on SHA-512 - block size 1024 bits, hash code size 512 bits. “Security 256” indicates that SHA does not have property 6
Often referred to as the “compression function” property of SHA-512 : Every bit of hash code is a function of every bit of the input
3.3 Message Authentication Codes Hashed Message Authentication Code (HMAC) A hash function such as SHA-512 involves no secret information – hash must be combined with secret information to produce a message authentication code. Figure 3.2
HMAC Design Objectives 1. To use, without modification, available hash functions. 2. To allow for easy replaceability of the embedded hash function in case more secure hash functions are found or required (NIST competition for new hash function). 3. To preserve the original performance of the hash function without incurring significant degradation. 4. To use and handle keys in a simple way 5. To have a well-understood cryptographic analysis of the strength of the authentication mechanism based on reasonable assumptions on the embedded hash function. HMAC can be proven secure provided that the embedded hash function has some reasonable cryptographic strengths.
Repeat: HMAC Design Objectives 2. To allow for easy replaceability of the embedded hash function in case more secure hash functions are found or required If the embedded hash function were ever discovered to be insecure, a replacement (more secure) hash function could be inserted into HMAC. Use of the original hash function before the discovery would not be invalidated. This assumes that whoever discovered the insecurity announced it and didn’t exploit it privately! This contrasts with the situation with encryption: if an encryption algorithm were “broken,” messages previously encrypted with the algorithm could be decrypted.
The HMAC Algorithm First part of key padded to b bits Padded Message SHA-512 Second part of key padded to b bits Result of inner hash is “message” for outer hash HMAC adds three executions of the basic hash function – should not add significant time for long messages. SHA-512 Final result
MACs Based on Block Ciphers Cipher-Based Message Authentication Code We adopted the philosophy that encryption and authentication have separate objectives and techniques. Why merge them here? Quote from NIST publication 800-38B: CMAC may be appropriate for information systems in which an approved block cipher is more readily available than an approved hash function. This does not seem to be a compelling reason to study this. On the other hand, Stallings (p77) states that “systems that simultaneously protect confidentiality and authenticity (integrity) of communications” may have advantages (and may be mandated in federal systems). Because of the limited time we have available, we will omit this section.
3.4 Public-Key Cryptography Principles Public-Key Encryption Structure ► first publicly proposed by Diffie and Hellman in 1976 (but known to British cryptographers in WWII) ► first truly revolutionary advance in encryption in literally thousands of years ► public-key algorithms based on mathematical functions ► public-key cryptography is asymmetric, involving use of two separate keys, one made public and the other kept private.
Common misconceptions about public-key cryptography ► public-key cryptography more secure than symmetric (conventional) cryptography For same key length public-key is less secure 1024-bit asymmetric keys are about as secure as 80-bit symmetric keys.
Common misconceptions about public-key cryptography - continued ► public-key cryptography is a general-purpose technique that has made symmetric (conventional) cryptography obsolete public-key is about 1,000 times slower than symmetric, so will not replace symmetric for bulk encryption ► key distribution is trivial when using public-key encryption, compared to cumbersome key distribution centers in symmetric encryption public-key distribution usually involves a central agent
Recall from section 2.1: “A symmetric encryption scheme has five ingredients” Section 3.4: A public-key encryption scheme has six ingredients: ► plaintext ► encryption algorithm ► public and private key ► ciphertext ► decryption algorithm
► public and private key: The public key of the pair is made public for others to use; The private key is known only to its owner. One key of the pair is used for encryption, the other for decryption Terminology: although the private key is kept secret, we refer to it as “private” so as not to confuse with the “secret key” of symmetric encryption.
Figure 3.9 (a) Bob Alice “Essential steps” for confidentiality: 1. Each user generates a pair of keys 2. Each user places one of the keys in a public register or other accessible file 3. If Bob wishes to send a confidential message to Alice, he obtains her public key and encrypts the message with it. 4. Alice decrypts the message with her private key.
Bob obtained these from public register or other accessible file Figure 3.9 No authentication of Bob! Everybody knows Alice’s public key! We do not send long messages this way!
Applications for Public-Key Cryptosystems ► encryption/decryption – but not used for long messages, ► digital signatures – we will study in section 3.6 ► key exchange – we will study in section 4.3
Requirements for Encryption using Public-Key Cryptography 1. It is computationally easy for party B to generate a key pair PUB, PRB 2. It is computationally easy for a sender A, knowing PUB to encrypt a (short) message to send to B 3. It is computationally easy for B to decrypt the message using his/her private key 4. It is computationally infeasible for an opponent, knowing PUB to determine the private key PRB 5. It is computationally infeasible for an opponent, knowing PUB and the ciphertext, to recover the plaintext 6. (useful, not required) Either of the two related keys can be used for encryption, the other for decryption
3.5 Public-Key Cryptography Algorithms The RSA Algorithm Developed in 1977 by Rivest, Shamir, and Adleman at MIT. RSA is a block cipher in which the plaintext and ciphertext are represented by integers between 0 and n – 1 for some n (”modulus”) For plaintext block M, the ciphertext block C is obtained by: C = Me mod n e could be called the “encryption exponent ” The plaintext is recovered by: M = Cd mod n If both sender and receiver know n and e but only the receiver knows d, the receiver’s public key is { e, n } and private key is { d, n }
3.4 Public-Key Cryptography Algorithms- continued From previous slide: For plaintext block M, the ciphertext block C is obtained by C = Me mod n The plaintext is recovered by: M = Cd mod n M = Cd mod n = (Memod n)d mod n = Med mod n 1. For this to work, it must be possible to find n, e, and d such that Med mod n = M for all M <n 2. It must be relatively easy to calculate Me and Cd for all M <n 3. It must be infeasible to compute d, given e and n
1 – 3. Select p = 17, q = 11 so n = 187 and φ(n) = 160 4. Choose e such that it is relatively prime to 160 and less than 160 Divisors of 160? yes 1, 2, 4, 5, 8, 10 … no: 3 6, 7 9 11, 12, 13 …. Choose e = 7
1 – 3. Select p = 17, q = 11 so n = 187 and φ(n) = 160 4. e = 7 5. Determine d such that de mod 160 = 1 7d = 1, 161, 321, 481 ….. 7 * 23 = 161 Public key is { 7, 187 } Private key is { 23, 187 }
Encryption: evaluate 887 mod 187 Decryption: evaluate 1123 mod 187 1123 is a big number and hard to handle by simple programming! Factorize the big number and use properties of modular arithmetic (page 402)
An actual RSA key (from lab session #2): leftrsasigkey=0sAQOc8zS+aKhfo46XdLSBzFLDOadFDitIUXfL3bP9v7aWH5seCtYrDV7bfAnzHmYqJ6yClH8cJEEYUvdVtO3/2H2dGLeigTD1XuKQzxr+FeF+bV66W6s+06+WdVEZfu7k0gWVFH+TjAUkXDZV8+cVU94m7KHVjAyx45GPN4/YOoMgN3t1QCdSGytlulyc42oosrWow+8dv3+oxVgwHUsHRF1aUoT7RcOZ+9m9V6UsIZXK5coXOJAN6f2T690dUBMcZvCYiBmi6RJAZ1DZncrQFxOtFft75qC0VJvUufcMtLYQ6dMhcQFkO58efN2tXAtC+EuzGUSVh2ftm/hf7S0qsjW+aZXQWiCy9NH3V7HhZVF2KzTH # The exponent of the RSA public key is forced to the value 3 This modulus is 2238 bits long
Two possible approaches to defeating the RSA algorithm: ► brute force (try all possible keys) – for key-length (say) 1024 bits, this is infeasible ► try to factor n into p x q - most efforts do this, but with n (say) 300 decimal digits, it’s hard!
RSA 640: If modulus, n, is the 193-digit number: 310 7418240490 0437213507 5003588856 7930037346 0228427275 4572016194 8823206440 5180815045 5634682967 1723286782 4379162728 3803341547 1073108501 9195485290 0733772482 2783525742 3864540146 9173660247 7652346609 What are p and q? The factoring research team of F. Bahr, M. Boehm, J. Franke, T. Kleinjung continued its productivity with a successful factorization of the challenge number RSA-640, reported on November 2, 2005. The factors are: 1634733645809253848443133883865090859841783670033092312181110852389333100104508151212118167511579 and 1900871281664822113126851573935413975471896789968 515493666638539088027103802104498957191261465571 The effort took approximately 30 2.2GHz-Opteron-CPU years according to the submitters, over five months of calendar time. They earned a prize of $20,000.
Diffie-Hellman Key Exchange “The purpose of the algorithm is to enable two users to exchange a secret key securely that can then be used for subsequent [symmetric] encryption of messages. The algorithm itself is limited to the exchange of the keys.” (however, an extension of D-H, known as El Gamal can be used for encryption) “The Diffie-Hellman algorithm depends for its effectiveness on the difficulty of computing discrete logarithms.”