
IS 302: Information Security and Trust Week 5: Integrity

lovey

Presentation Transcript


  1. IS 302: Information Security and Trust Week 5: Integrity 2012

  2. Review • RSA • Key generation • Security (key size) • Encryption and decryption with random padding • Envelope encryption • RSA+AES

  3. Adversary • Passive adversary • Eavesdropping: threat to message confidentiality • Solution with encryption (AES, RSA…): an adversary is not able to understand the message • Active adversary • Unauthorized modification: threat to message integrity • Solution: if an adversary modifies the message, it can always be detected!

  4. Question • Assume that Mallory is an active adversary • Does encryption provide message integrity? [Diagram: Alice, Bob and Mallory; message "Please transfer $1M to account A…"]

  5. Solution • Send a small piece of information as proof of message integrity [Diagram: Alice, Bob and Mallory; message "Please transfer $1M to account A…, E7582D9C71D5DA1171293EF23FCD"]

  6. Proof of Message Integrity • Symmetric proof • Message authentication code (MAC) • Asymmetric proof • RSA signature • Both MAC and RSA signature are based on hash

  7. Hash • Hash function h=H(M) • One-way • easy to compute but hard to invert • Collision resistant • hard to find M≠M’ such that H(M)=H(M’) • Fixed length • variable-length M → fixed-length h

  8. Cryptool • Indiv. procedures → hash • MD5 • SHA1 • Sensitivity to change

  9. Attacks on Hash • Pre-image attack (against one-way feature) • Given h=H(M), find M’ such that H(M’)=h • Collision attack (against collision resistant feature) • Given H(), find M’ and M’’ such that H(M’)=H(M’’)

  10. Hash for Integrity Check • Can hash value h=H(M) be used as integrity proof for M? • Send h together with M over public channel? • Send h separately over secure channel? [Diagram: Alice, Bob and Mallory; M: "Please transfer $1M to account A…"]

  11. Hash for Integrity Check • Can hash value h=H(M) be used as integrity proof for M? • Send h together with M over public channel (No!) • Send h separately over secure channel (Yes!) [Diagram: Alice, Bob and Mallory; M: "Please transfer $1M to account A…"; h: E7582D9C71D5DA1171293EF23FCD]

  12. Standard Hash: MD5 • MD5 • Output: 128 bits (32 Hex digits, 16 bytes) • internet standard, commonly used to check integrity of files • 1991: designed by Rivest • 1996: a flaw was discovered • 2004: more serious flaws • 2007: people can create a pair of files that share the same MD5 hash value

  13. Standard Hash: SHA1 • SHA1 • 160 bits (40 hex digits, 20 bytes), NIST standard • 1995: NSA, replaced SHA0 (1993) • 2005: potential weakness was found • http://www.rsa.com/rsalabs/node.asp?id=2834 • Collision attack: 2^80 → 2^39 for SHA0, 2^63 for SHA1 • 2010: last year to use as suggested by NIST • SHA2 • SHA224, SHA256, SHA384, SHA512 • SHA3 • 2 Nov 2007 – 31 Oct 2008: NIST call for competition • 2012: winner and new standard will be announced

  14. A little bit more detail on SHA1 • Input: 0~2^64 -1 bits (2^20~1M, 2^30~1G) • Output: 160 bits (5*32) • Block size: 512 bits (16*32) • Rounds: 80

  15. MAC • Message authentication code (MAC) • MAC=H(K,M), where K is secret key (MAC key) • Alice sends MAC together with message M • Bob verifies M with K to see whether MAC=H(K,M) [Diagram: Alice (k) sends message & MAC to Bob (k), with Mallory on the channel; message "Please transfer $1M to account A, MAC"]

  16. Attack on MAC • Pre-image attack on the key • MAC key should be long enough to resist brute-force attack

  17. HMAC • HMAC = H(K,H(K,M)) • H can be any hash function • H=MD5 → HMAC-MD5 (128 bits) • H=SHA-1 → HMAC-SHA-1 (160 bits) • Key size • JCE: HMAC key = 64 bytes (512 bits) • If key > 64 bytes, key → H(key) • Recommended key > output size of hash function

  18. Encryption-Based MAC • DES-MAC • DES encryption E(M,K) → blk1, blk2,…blkn • MAC = blk1 blk2 …blkn • K is a DES key (56 bits) → weak security • DES-MAC is 64 bits • AES-MAC • What is the key size? • How long is the AES-MAC?

  19. Cryptool • Indiv. procedures → hash → HMAC • SHA-256 • Double hashing

  20. Repudiation Problem with MAC • If Alice denies sending message to Bob, Bob cannot prove to any third-party authority that Alice is lying [Diagram: Alice (k), Bob (k) and Mallory; secret channel; message & MAC: "Please transfer $1M to account A, MAC"]

  21. Solution: RSA Signature • Alice with RSA public key (n,e) and private key d • Compute digital signature sig = H(M)^d mod n (only Alice can generate this signature with her private RSA key d) • Send (M, sig) to Bob • Bob: • Compute H(M) • Verify sig by checking whether H(M) = sig^e mod n (anyone can verify the signature with Alice’s public RSA key e,n) [Diagram: Alice sends (M, sig = H(M)^d mod n) to Bob over a public channel; d: Alice’s private key; n,e: Alice’s public key]

  22. Discussion • What is the difference between RSA encryption and RSA signature? • What is the size of an RSA-1024 signature with SHA-256? • What is the size of HMAC with SHA-256? • In what scenarios should you choose RSA signature or MAC?

  23. Demo in CrypTool • Digital signatures/PKI • Sign document (SHA1+RSA-512) • Verify signature

  24. Security of some crypto-algorithms

  25. Hands-on Exercise • Download week5.zip into your IS302 directory • Unzip it (extract to week5 directory) • Follow the instructions in Lab.doc • 2.1 • HMAC in JCE • 2.2 • RSA signature in JCE

  26. Review • How long is an RSA-1024 with SHA1 signature 1) 128 bits 2) 160 bits 3) 1024 bits • Alice sends a message with an RSA signature to Bob. Which key should be used to generate the signature? 1) Alice’s private key 2) Alice’s public key 3) Bob’s public key • How long is AES-MAC? 1) 128 bits 2) 160 bits 3) 1024 bits
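
Slides 11 and 15 to 17 as a runnable sketch (an added example, not part of the original slides or the course lab): a bare hash sent alongside the message still passes Bob's check after Mallory rewrites both, while an HMAC tag does not. It goes slightly beyond the slides by writing out the padded construction from RFC 2104, for which H(K,H(K,M)) is shorthand; the key, message text and function names are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-256 block size in bytes (MD5 and SHA-1 use 64 too)

def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA-256 per RFC 2104, written out step by step."""
    if len(key) > BLOCK:                 # key longer than a block: key -> H(key)
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK, b"\x00")      # shorter keys are zero-padded to a block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()

def hash_check(msg: bytes, h: bytes) -> bool:
    """Bob's check when only h = H(M) travels with M (no secret involved)."""
    return hmac.compare_digest(hashlib.sha256(msg).digest(), h)

def mac_check(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Bob's check with the shared MAC key; constant-time comparison."""
    return hmac.compare_digest(hmac_sha256(key, msg), tag)

def demo():
    key = b"constructed-demo-key-shared-by-alice-and-bob"  # constructed value
    msg = b"Please transfer $1M to account A"
    tag = hmac_sha256(key, msg)

    # On the public channel the message is altered in transit.
    altered = msg.replace(b"account A", b"account M")
    # A plain hash can be recomputed by anyone, so it is replaced as well.
    altered_hash = hashlib.sha256(altered).digest()

    return (
        hash_check(altered, altered_hash),  # hash + message together: accepted
        mac_check(key, altered, tag),       # MAC no longer matches: rejected
        mac_check(key, msg, tag),           # untouched message: accepted
    )

if __name__ == "__main__":
    print(demo())
```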
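
The sign and verify steps of slide 21 as an added example (not from the original slides or lab): textbook sig = H(M)^d mod n with SHA-256, where verification uses only the public pair (n,e), which is what lets a third party check the signature in the repudiation case of slide 20. The key is a constructed toy key built from two Mersenne primes, and no padding scheme is applied, so this shows the arithmetic only; the function names are illustrative.

```python
import hashlib

# Constructed toy key: two Mersenne primes keep the example short and
# reproducible. Primes of this special form are not suitable for real keys.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                           # public modulus n (1128 bits)
E = 65537                           # public exponent e
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent d, held only by Alice

def h_int(message: bytes) -> int:
    """H(M) as an integer; a 256-bit value is always smaller than n here."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, d: int, n: int) -> int:
    """Alice: sig = H(M)^d mod n."""
    return pow(h_int(message), d, n)

def verify(message: bytes, sig: int, e: int, n: int) -> bool:
    """Bob or any third party: accept iff H(M) == sig^e mod n."""
    return pow(sig, e, n) == h_int(message)

def demo():
    msg = b"Please transfer $1M to account A"
    sig = sign(msg, D, N)
    altered = msg.replace(b"account A", b"account M")
    return {
        "genuine": verify(msg, sig, E, N),
        "altered": verify(altered, sig, E, N),
        # The signature is a number mod n, so its size follows the modulus,
        # not the hash output length.
        "sig_bytes": (sig.bit_length() + 7) // 8,
        "modulus_bytes": (N.bit_length() + 7) // 8,
    }

if __name__ == "__main__":
    print(demo())
```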
