1 / 52

5. Public Key Cryptography

King Mongkut’s University of Technology Faculty of Information Technology Network Security Prof. Reuven Aviv. 5. Public Key Cryptography. Contents. 1. Message Authentication Code (MAC) 2. Calculating MAC with Hash Functions 3. Public Key Cryptography

kalona
Download Presentation

5. Public Key Cryptography

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. King Mongkut’s University of TechnologyFaculty of Information TechnologyNetwork SecurityProf. Reuven Aviv 5. Public Key Cryptography Public Key Cryptography

  2. Contents 1. Message Authentication Code (MAC) 2. Calculating MAC with Hash Functions 3. Public Key Cryptography 4. Secure distribution Session Key using public key 5. Secure distribution Public keys using certificates Cryptography Short

  3. 1. Message Authentication Code Cryptography Short

  4. context: Attacks and mitigation techniques • Disclosure of data, Traffic Analysis • Mitigated by encryption • Sender spoofing & breaking data integrity (message insertion, Content, sequence or timing modification) • Mitigated by authentication, using hash funcs • Source repudiation (denial of sending) • Mitigated by digital signature Cryptography Short

  5. Authentication • Requirements – receiver must be able to verify that: • Message came from apparent source • Contents have not been altered • Also - • Message is not a replay • Message is not out of order • Protection against active attack (falsification of data and transactions) Encryption of messages provides authentication. Is that true? Cryptography Short

  6. Message Authentication Code • Sender: message & secret K block of bits, Ck • MAC = Ck(M) (about 128 – 1024 bits) • Append MAC to message, send • Receiver: recalculate MAC (no decryption) • compare with received MAC Cryptography Short

  7. Message Authentication Code • If the two MACs (at the receiver) match: • Receiver is assured that the sender knows K • This proves that none other then the sender sent the message is that true? • Also Message was not altered • (If message has sequence numbers then receiver checks that the number is correct) so what? • (If MAC depends on timestamp, or random nonce then the message is not a replay) Cryptography Short

  8. 2. MAC calculation using Hash functions Cryptography Short

  9. MAC by hash function method • hash function of M: One way function h(M) • How do we calculate MAC with hash func? • 1. calculate hash h(M), then encrypt the hash • 2. add secret to message, then calculate hash • Transmit two parts: {message, MAC} • Attacker cannot change the MAC why? • Key or secret must be known also to receiver Cryptography Short

  10. Example of a hash function (wikipedia) Is there a way to do the reverse operation? Cryptography Short

  11. 1. Authentication via encrypted hash Cryptography Short

  12. 2. Authentication via hash of (message + secret) • Add secret to message before calculating the hash. removed before transmission. Pros and cones? Cryptography Short

  13. Why use MAC as hash of message + secret? • No encryption at all • Encryption is slow • Encryption hardware is expensive • Encryption hardware is optimized towards large data size, but here we need small blocks Cryptography Short

  14. Example: a Simple hash • message X consists of m blocks, each of size n bits • X ≡ X1||X2||X3|| ... ||Xm (concatenation) • define hash: H(X) ≡ X1X2X3 ... Xm • Bitwise XOR. H(X) is one block size n • MAC: encrypted hash MAC(X)≡Ek[H(X)] • Using a key known to sender and receiver • Sender sends (X||M) not encrypted • Is there a problem? Cryptography Short

  15. Attacking the Simple hash: creating false message • Attacker catch (X||M). sends (Y||M) • Where MAC(Y) = MAC(X) • Attacker calculate H(X) • Attacker design false message Y1||Y2||Y3|| ... ||Ym • 1. create Y’ ≡ Y1||Y2||Y3|| ... ||Ym-1 arbitrary • 2. calculate H(Y’) = Y1Y2Y3 ... Ym-1 • 3. build Ym : s.t. H(Y) ≡ H(Y’) Ym = H(X) • Easy. how? Cryptography Short

  16. Structure of MD5 Hash Function • Input M: L 512-bit blocks Y0, Y1,… YL-1 • Output: L 128-bit blocks CVi = f(CVi-1, Yi-1) • The blocks are compressed and chained • CV0 = IV = initial value • The hash: HMD5(M) = CVL last block, 128 bits • f is a certain “compression function” secret? Cryptography Short

  17. Example: MD5 Cryptography Short

  18. Secure HASH functions Cryptography Short

  19. HMAC (Hash based MAC) standard • A standard way to calculate a Message Authentication Code • It uses variety of Hash functions • E.g. MD5, SHA-1 • Used by communication protocols employed today. Cryptography Short

  20. 3. Public-Key Cryptography Cryptography Short

  21. Public and private keys • User creates a pair of keys • One private (Known only to the owner): KR • The other is publicized: KU • KR cannot be revealed from the KU • Message encrypted by using the private key is decrypted by using the public key and v.v. • Encryption/decryption algorithms depend on method of creation of the keys • 3 applications what are they? Cryptography Short

  22. 1. Encryption using Public-Key cryptography • A  B: message Encrypted by B’s Public key • Y = EKUb(X) X=DKRb(X) Cryptography Short

  23. 1. Encryption by Public-Key cryptography • The sender encrypts a message with the recipient’s public key • Receiver decrypts by using his/her private key How does the receiver knows if the message was changed? How does the sender knows that the public key he used belongs to the recipient? How does does the sender knows that the recipient decipherd the message correctly? Cryptography Short

  24. 2. Authentication usingPublic-Key cryptography • A B: message encrypted by A’s Private key: • Y = EKRa(X) X= DKUa(Y) Encrypting X takes time. What can we do? Cryptography Short

  25. 2. Authentication by public key cryptography • Digital signature of a message: hash of the message, encrypted by the private key of sender • Sender: attach signature to message, send. • Receiver: decrypt the signature by the public key of the sender, reveal the original hash • calculates the hash and compares with original Can an attacker copy the message? what does the recipient knows about the identity of the sender? Cryptography Short

  26. 3. Session key generation by Public-Key cryptography • Session Key: a shared key to be used later in conventional encryption of data exchange session • Example of session key generation • A (Client) creates a random session key KS • A (Client) encrypts KS with the public key of B (Server), Y=EKUb(KS) • A sends Y to B. • B decrypts by his private key: KS =DKRb(Y) Cryptography Short

  27. RSA & Diffie Hellman algorithms (30 yr old) • RSA - Ron Rivest, Adi Shamir and Len Adleman • Used in all 3 applications • The most widely implemented • Strength is based on difficulty to factor a given large number into its primes. • Diffie-Hellman • Generating a secret (”session”) key securely • Strength is based on difficulty to calculate discrete logarithms Cryptography Short

  28. The RSA Algorithm – Key Generation • Select p,q p and q both prime • Calculate n = p x q • Calculate • Select integer e • Calculate d • Public Key KU = {e,n} • Private key KR = {d,n} F unknown to attacker. Cannot calculate d Cryptography Short

  29. The RSA Algorithm - Encryption • Plaintext: M<n • Ciphertext: C = Me (mod n) • {e, n} is the public key of the recipient Cryptography Short

  30. The RSA Algorithm - Decryption • Ciphertext: C • Plaintext: M = Cd (mod n) • {d, n} is the private key of the recipient Why an attacker can’t calculate M? Cryptography Short

  31. RSA Encryption example • p = 7, q = 17; n = pq = 119; f(n) = 96 • Select e = 5, d = 77 (relatively prime to 96); de =1 mod 96 • Message M = 19; • Encryption: C = 195 (mod 119) = 66 • Decryption: M = 6677(mod 119) = 19 Public Key Cryptography

  32. The RSA Algorithm - signing • Sender calculates Hash of message: H = H(M)<n • Sender calculates his signature: sig = Hd (mod n) • {d, n} is the private key of the sender • Sig is attached to the Message M, and sent Public Key Cryptography

  33. The RSA Algorithm – Verifying Signature • Signature received with message: sig • Receiver calculates Original Hash: • H = sige (mod n) • {e, n} is the public key of the sender • Receiver calculates the Hash, H’ of the message • Receiver compares H with H’ Public Key Cryptography

  34. Diffie Hellman algorithm • 1. q prime number, a is a primitive root of q • an (modq) generate all numbers from 1 to q • q and a are agreed by two parties • 2. Each side select x, calculates y = axmodq • xA, yA xB, yB respectively • 3. Sides exchange the y values • A: calculates SA = (yB)xA (modq) • B: calculates SB = (yA)xB (modq) • SA = SB = axBxA modq • This is the agreed session key Calculating x from y (discrete log) very difficult Cryptography Short

  35. Diffie-Hellman ”Key Exchange” What A knows about the identity of B? Cryptography Short

  36. Diffie Hellman Example • q = 23, a = 5 • User A selects XA = 6 • Calculates YA = 56 mod 23 = 8 • send to B • User B select XB = 15 • Calculates YB = 515 mod 23 = 19 • sends to A • User A calculates: 196 mod 23 = 2 • User B calculates: 815 mod 23 = 2 • The agreed session key is 2 • Attacker knows YA, YB. Cannot calculate key Public Key Cryptography

  37. 4. Secure distribution of session key Using Public keys Public Key Cryptography and PKI

  38. Fast creation of Ks, then distribution of Ks • 1. A B: (public key KUa, IDa) • 2. B generates a random Session key Ks (fast) • 3. B encrypts by KUa, transmits to A • A decrypts Ks with its private key KRa Imagine a M.I.M – what can he do? Public Key Cryptography and PKI

  39. Man in the middle attack • Attacker intercepts message 1 from A • replaces the KUa by its own KUm; The IDA of A remains; sends revised message to B • Attacker intercepts message 2 from B • learns the session Key Ks by decrypting the message by its own private key, KRm. • transmits the Ks to A, encrypted by KUa • From now attacker is eavesdropping What is really the problem? Public Key Cryptography and PKI

  40. 5. Secure distribution of public keys using certificates Public Key Cryptography and PKI

  41. distributing public keys via Certificates • A Certificate Authority (CA) provides each client a certificate (A file) Encrypted? • stating client’s identity, its public key, more • Certificates signed by the CA how ? why? • Certificates are to be presented by clients to each other how? • Who are “clients” here? • Example CA: Verisign • Clients are also called “subjects” Public Key Cryptography and PKI

  42. Certificate: details Public Key Cryptography and PKI

  43. Certificates • Certificates are not encrypted • Before issuing a certificate, the CA checks: • that the owner (‘subject”) ID is correct • Subject knows the public / private keys how? • By challenge response what is that? • Certificates include user ID, Public key, ID of CA, time stamp, signing algorithm, …and sigCA Public Key Cryptography and PKI

  44. X. 509 certificate Public Key Cryptography and PKI

  45. What does the CA do? hash of Certificate sigCA Public Key Cryptography and PKI

  46. Validation of a certificate • B gets a Cert CA={IDA ,KUA ,...sigCA } from party • how? Who is “party” here? • B decrypts the signature , gets hash. How? • B re-calculates hash of certificate, compare • If match, the certificate is authentic (valid) • B now knows that an entity whose ID is IDA has a public key, KUA, and knows the KRA • B only knows that the certificate is authentic • B doesn’t know whether its “party” is A. why? Public Key Cryptography and PKI

  47. receiving, exchanging and validating certs • Validation of a cert does not authenticates A! • How B verifies that its party’s ID is IDA? • (that is, how B authenticates A? Public Key Cryptography and PKI

  48. Appendix Knapsack Algorithms and Merkle Hellman public key Cryptosystem Cryptography Short

  49. Knapsack Algorithm • Hard Knapsack Problem • Given knapsack C, k weights ui, • Select weights to fill the knapsack • Mathematically: • For weight vector U = [u1, u2, ,,, uk] find M = [m1, m2,.. mk], mi = 0, 1 such that: C = U•M Hard problem Related Easier Problem? Cryptography Short

  50. Easy Knapsack Problem: • Sorted weights: ui ri, where ri >= Srj, j<i • ri super-increasing • Solution to Easy Knapsack: • Fill the sack from largest ri down • Init: C’ = 0; M = 0; i = k • repeat • if ri <= C - C’ • then {mi = 1; C’ = C’ + ri, i--} • until C’ >= C • If C’  C no solution; else solution is M Cryptography Short

More Related