1 / 55

Public-Key Cryptography and Message Authentication

Public-Key Cryptography and Message Authentication. Henric Johnson Blekinge Institute of Technology, Sweden http://www.its.bth.se/staff/hjo/ henric.johnson@bth.se. OUTLINE. Approaches to Message Authentication Secure Hash Functions Digital Signatures. Message Authentication.

kevork
Download Presentation

Public-Key Cryptography and Message Authentication

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden http://www.its.bth.se/staff/hjo/ henric.johnson@bth.se

  2. OUTLINE • Approaches to Message Authentication • Secure Hash Functions • Digital Signatures

  3. Message Authentication • message authentication is concerned with: • protecting the integrity of a message • validating identity of originator • non-repudiation of origin (dispute resolution) • will consider the security requirements • then three alternative functions used: • message encryption • message authentication code (MAC) • hash function

  4. Security Requirements • disclosure • traffic analysis • masquerade • content modification • sequence modification • timing modification • source repudiation • destination repudiation

  5. Message Encryption • message encryption by itself also provides a measure of authentication • if symmetric encryption is used then: • receiver knows that the sender must have created the message • since only sender and receiver know key used, content of the message cannot have been altered • if message has a suitable structure, redundancy or a checksum to detect any changes

  6. Message Encryption • if public-key encryption is used: • encryption provides no confidence of sender • since anyone potentially knows public-key • however if • sender signs message using their private-key • then encrypts with recipients public key • have both secrecy and authentication • again need to recognize corrupted messages • but at cost of two public-key uses on message

  7. Message Authentication Code (MAC) • generated by an algorithm that creates a small fixed-sized block • depending on both message and some key • like encryption though need not be reversible • appended to message as a signature • receiver performs same computation on message and checks it whether matches the MAC • provides assurance that message is unaltered and comes from sender

  8. Message Authentication Code

  9. Message Authentication Codes • as shown the MAC provides authentication • can also use encryption for secrecy • generally use separate keys for each • can compute MAC either before or after encryption • is generally regarded as better done before • why use a MAC? • sometimes only authentication is needed • sometimes need authentication to persist longer than the encryption (eg. archival use) • note that a MAC is not a digital signature

  10. Authentication • Requirements - must be able to verify that: 1. Message came from apparent source or author, 2. Contents have not been altered, 3. Sometimes, it was sent at a certain time or sequence. • Protection against active attack (falsification of data and transactions)

  11. Approaches to Message uthentication • Authentication Using Conventional Encryption • Only the sender and receiver should share a key • Hash Function:Message digest function • An authentication tag (fingerprint) is generated and appended to each message • Message Authentication Code • Calculate the MAC as a function of the message and the shared secret key. MAC= F(K, M) = Cryptographic cheksum

  12. One-way HASH function

  13. One-way HASH function • Secret value is added before the hash and removed before transmission.

  14. Using Symmetric Ciphers for MACs • can use any block cipher chaining (CBC) mode and use final block as a MAC • Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC • using IV=0 and zero-pad of final block • encrypt message using DES in CBC mode • and send just the final block as the MAC • or the leftmost M bits (16≤M≤64) of final block • but final MAC is now too small for security

  15. MAC Based on DES D1, D2, D3, ..., DN = 64bits Data blocks E = DES Encryption Algorithm, K = Secret key Q1 = E(K, D1) Q2 = E(K,[D2^Q1]) Q3 = E(K,[D3^Q2]) ... QN = E(K,[DN^QN-1])

  16. Data Authentication Algorithm

  17. Secure HASH Functions • Purpose of the HASH function is to produce a ”fingerprint. • Properties of a HASH function H : • H can be applied to a block of data of any size • H produces a fixed length output • H(x) is easy to compute for any given x. • For any given block x, it is computationally infeasible to find x such that H(x) = h • For any given block x, it is computationally infeasible to find with H(y) = H(x). • It is computationally infeasible to find any pair (x, y) such that H(x) = H(y)

  18. Hash Algorithm Structure

  19. Secure Hash Algorithm • SHA originally designed by NIST & NSA in 1993 • was revised in 1995 as SHA-1 • US standard for use with DSA signature scheme • standard is FIPS 180-1 1995, also Internet RFC3174 • nb. the algorithm is SHA, the standard is SHS • based on design of MD4 with key differences • produces 160-bit hash values • recent 2005 results on security of SHA-1 have raised concerns on its use in future applications

  20. Revised Secure Hash Standard • NIST issued revision FIPS 180-2 in 2002 • adds 3 additional versions of SHA • SHA-256, SHA-384, SHA-512 • designed for compatibility with increased security provided by the AES cipher • structure & detail is similar to SHA-1 • hence analysis should be similar • but security levels are rather higher

  21. SHA-512 Overview

  22. SHA-512 Compression Function • heart of the algorithm • processing message in 1024-bit blocks • consists of 80 rounds • updating a 512-bit buffer • using a 64-bit value Wt derived from the current message block • and a round constant based on cube root of first 80 prime numbers

  23. SHA-512 Round Function

  24. SHA-512 Round Function

  25. Message Digest Generation Using SHA-1

  26. SHA-1 Processing of single 512-Bit Block

  27. Other Secure HASH functions

  28. HMAC • Uses a MAC derived from a cryptographic hash code, such as SHA-1. • Motivations: • Cryptographic hash functions executes faster in software than encryptoin algorithms such as DES • Library code for cryptographic hash functions is widely available • No export restrictions from the US

  29. HMAC Algorithm H = Embedded H function (e.g., MD5, SHA-1, RIPEMD-160) IV = Initial Value, input to hash function M = Message input including padding Yi = ith block of M, L = Number of blocks in M b = Number of bits in a block n = Length of hash code produced by embedded hash function K = Secret key K+ = Key padded with zeros on the left so that the result is b bits ipad = 00110110 (36Hexadecimal) repeated b/8 times opad = 01011100 (5CHexadecimal) repeated b/8 times

  30. HMAC Algorithm Append zeros to the left end of K to create a b-bit string K+ XOR K+ with ipad to produce the b-bit blocks Si Append M to Si Apply H to the stream generated in step 3 XOR K+ with opad to produce the b-bit blocks So Append the hash result from step 4 to So Apply H to the stream generated in step 6 and output the result

  31. HMAC Structure

  32. Public Key Cryptography and RSA

  33. Private-Key Cryptography • traditional private/secret/single key cryptography uses one key • shared by both sender and receiver • if this key is disclosed communications are compromised • also is symmetric, parties are equal • hence does not protect sender from receiver forging a message & claiming is sent by sender

  34. Public-Key Cryptography • probably most significant advance in the 3000 year history of cryptography • uses two keys – a public & a private key • asymmetric since parties are not equal • uses clever application of number theoretic concepts to function • complements rather than replaces private key crypto

  35. Why Public-Key Cryptography? • developed to address two key issues: • key distribution – how to have secure communications in general without having to trust a KDC with your key • digital signatures – how to verify a message comes intact from the claimed sender • public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976 • known earlier in classified community

  36. Public-Key Cryptography • public-key/two-key/asymmetric cryptography involves the use of two keys: • a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures • a related private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures • infeasible to determine private key from public • is asymmetric because • those who encrypt messages or verify signatures cannot decrypt messages or create signatures

  37. Public-Key Cryptography

  38. Symmetric vs Public-Key

  39. RSA • by Rivest, Shamir & Adleman of MIT in 1977 • best known & widely used public-key scheme • based on exponentiation in a finite (Galois) field over integers modulo a prime • nb. exponentiation takes O((log n)3) operations (easy) • uses large integers (eg. 1024 bits) • security due to cost of factoring large numbers • nb. factorization takes O(e log n log log n) operations (hard)

  40. RSA En/decryption • to encrypt a message M the sender: • obtains public key of recipient PU={e,n} • computes: C = Me mod n, where 0≤M<n • to decrypt the ciphertext C the owner: • uses their private key PR={d,n} • computes: M = Cd mod n • note that the message M must be smaller than the modulus n (block if needed)

  41. Fermat’s Theorem

  42. Euler’s Theorem Euler’s totient function written as (n), and defined as the number of positive integers less than n and relatively prime to n. (1)=1 . For a prime number p (p)=p-1. Theorem: For every a and n that are relatively prime, we have

  43. The RSA Algorithm – Key Generation • Select p,q p and q both prime • Calculate n = p x q • Calculate • Select integer e • Calculate d • Public Key KU = {e,n} • Private key KR = {d,n}

  44. Example of RSA Algorithm

  45. The RSA Algorithm - Encryption • Plaintext: M<n • Ciphertext: C = Me (mod n)

  46. The RSA Algorithm - Decryption • Ciphertext: C • Plaintext: M = Cd (mod n)

  47. Why RSA Works • because of Euler's Theorem: • aø(n)mod n = 1 where gcd(a,n)=1 • in RSA have: • n=p.q • ø(n)=(p-1)(q-1) • carefully chose e & d to be inverses mod ø(n) • hence e.d=1+k.ø(n) for some k • hence :Cd = Me.d = M1+k.ø(n) = M1.(Mø(n))k = M1.(1)k = M1 = M mod n

  48. RSA Example - Key Setup • Select primes: p=17 & q=11 • Calculate n = pq =17 x 11=187 • Calculate ø(n)=(p–1)(q-1)=16x10=160 • Select e:gcd(e,160)=1; choose e=7 • Determine d:de=1 mod 160 and d < 160 Value is d=23 since 23x7=161= 10x160+1 • Publish public key PU={7,187} • Keep secret private key PR={23,187}

  49. RSA Example - En/Decryption • sample RSA encryption/decryption is: • given message M = 88 (nb. 88<187) • encryption: C = 887 mod 187 = 11 • decryption: M = 1123 mod 187 = 88

More Related