IS 302: Information Security and Trust Week 5: Integrity. 2012. Review. RSA Key generation Security (key size) Encryption and decryption with random padding Envelop encryption RSA+AES. Adversary. Passive adversary Eavesdropping: threat to message confidentiality
IS 302: Information Security and Trust
Week 5: Integrity
2012

Review
• RSA
  • Key generation
  • Security (key size)
  • Encryption and decryption with random padding
• Envelope encryption
  • RSA+AES

Adversary
• Passive adversary
  • Eavesdropping: threat to message confidentiality
  • Solution with encryption (AES, RSA…): an adversary is not able to understand the message
• Active adversary
  • Unauthorized modification: threat to message integrity
  • Solution: if an adversary modifies the message, it can always be detected!

Question
• Assume that Mallory is an active adversary
• Does encryption provide message integrity?
[Figure: Alice, Bob and Mallory; message "Please transfer $1M to account A…"]

Solution
• Send a small piece of information as proof of message integrity
[Figure: Alice, Bob and Mallory; message "Please transfer $1M to account A…, E7582D9C71D5DA1171293EF23FCD"]

Proof of Message Integrity
• Symmetric proof
  • Message authentication code (MAC)
• Asymmetric proof
  • RSA signature
• Both MAC and RSA signature are based on hash

Hash
• Hash function h=H(M)
• One-way
  • easy to compute but hard to invert
• Collision resistant
  • hard to find M≠M’ such that H(M)=H(M’)
• Fixed length
  • variable-length M → fixed-length h

Cryptool
• Indiv. procedures → hash
  • MD5
  • SHA1
• Sensitivity to change

Attacks to Hash
• Pre-image attack (against one-way feature)
  • Given h=H(M), find M’ such that H(M’)=h
• Collision attack (against collision resistant feature)
  • Given H(), find M’ and M’’ such that H(M’)=H(M’’)

Hash for Integrity Check
• Can hash value h=H(M) be used as integrity proof for M?
  • Send h together with M over public channel?
  • Send h separately over secure channel?
[Figure: Alice, Bob and Mallory; M: "Please transfer $1M to account A…"]

Hash for Integrity Check
• Can hash value h=H(M) be used as integrity proof for M?
  • Send h together with M over public channel (No!)
  • Send h separately over secure channel (Yes!)
[Figure: Alice, Bob and Mallory; M: "Please transfer $1M to account A…"; h: E7582D9C71D5DA1171293EF23FCD]

Standard Hash: MD5
• MD5
  • Output: 128 bits (32 hex digits, 16 bytes)
  • Internet standard, commonly used to check integrity of files
  • 1991: designed by Rivest
  • 1996: a flaw was discovered
  • 2004: more serious flaws
  • 2007: people can create a pair of files that share the same MD5 hash value

Standard Hash: SHA1
• SHA1
  • 160 bits (40 hex digits, 20 bytes), NIST standard
  • 1995: NSA, replaced SHA0 (1993)
  • 2005: potential weakness was found
    • http://www.rsa.com/rsalabs/node.asp?id=2834
    • Collision attack: 2^80 → 2^39 for SHA0, 2^63 for SHA1
  • 2010: last year to use as suggested by NIST
• SHA2
  • SHA224, SHA256, SHA384, SHA512
• SHA3
  • 2 Nov 2007 – 31 Oct 2008: NIST call for competition
  • 2012: winner and new standard will be announced

A little bit more detail on SHA1
• Input: 0~2^64-1 bits (2^20~1M, 2^30~1G)
• Output: 160 bits (5*32)
• Block size: 512 bits (16*32)
• Rounds: 80

MAC
• Message authentication code (MAC)
  • MAC=H(K,M), where K is secret key (MAC key)
  • Alice sends MAC together with message M
  • Bob verifies M with K to see whether MAC=H(K,M)
[Figure: Alice (k), Bob (k) and Mallory; message & MAC: "Please transfer $1M to account A, MAC"]

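The two "Hash for Integrity Check" slides and the MAC slide above, as an added example that is not part of the original lecture material: it replays the three delivery options and records whether Bob accepts a modified message. The key, the messages and all function names are constructed for illustration, and HMAC-SHA-256 stands in for the generic H(K,M).

```python
import hashlib
import hmac

def hash_proof(message: bytes) -> str:
    """Unkeyed proof h = H(M): anyone who sees M can compute it."""
    return hashlib.sha256(message).hexdigest()

def mac_proof(key: bytes, message: bytes) -> str:
    """Keyed proof: only holders of the MAC key can compute it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def bob_accepts_hash(message: bytes, proof: str) -> bool:
    return hmac.compare_digest(hash_proof(message), proof)

def bob_accepts_mac(key: bytes, message: bytes, proof: str) -> bool:
    # compare_digest avoids leaking the position of the first mismatch
    return hmac.compare_digest(mac_proof(key, message), proof)

# Constructed sample values (assumptions, not from the slides' lab files)
KEY = b"constructed shared MAC key known to Alice and Bob"
ORIGINAL = b"Please transfer $1M to account A"
MODIFIED = b"Please transfer $1M to account B"

def run_scenarios() -> dict:
    """Each entry answers: does Bob accept the modified message?"""
    return {
        # h travels with M on the public channel: both can be replaced together
        "hash_in_band": bob_accepts_hash(MODIFIED, hash_proof(MODIFIED)),
        # h reached Bob over a separate secure channel: mismatch is detected
        "hash_out_of_band": bob_accepts_hash(MODIFIED, hash_proof(ORIGINAL)),
        # MAC in-band, old tag left in place: mismatch is detected
        "mac_old_tag": bob_accepts_mac(KEY, MODIFIED, mac_proof(KEY, ORIGINAL)),
        # MAC in-band, tag replaced by an unkeyed hash: still rejected
        "mac_bare_hash": bob_accepts_mac(KEY, MODIFIED, hash_proof(MODIFIED)),
        # Control case: the untouched message with its own tag is accepted
        "mac_untouched": bob_accepts_mac(KEY, ORIGINAL, mac_proof(KEY, ORIGINAL)),
    }

if __name__ == "__main__":
    for scenario, accepted in run_scenarios().items():
        print(f"{scenario:18s} accepted={accepted}")
```
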
Attack to MAC
• Pre-image attack to the key
• MAC key should be long enough against brute force attack

HMAC
• HMAC = H(K,H(K,M))
• H can be any hash function
  • H=MD5 → HMAC-MD5 (128 bits)
  • H=SHA-1 → HMAC-SHA-1 (160 bits)
• Key size
  • JCE: HMAC key = 64 bytes (512 bits)
  • If key > 64 bytes, key → H(key)
  • Recommended key > output size of hash function

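The HMAC slide above gives the nested-hash shape and the 64-byte key rule; the following added example (not from the original lecture or its lab) builds HMAC-SHA-256 by hand using the RFC 2104 construction with its inner and outer pads, checks it against Python's `hmac` module, and shows that a key longer than 64 bytes behaves exactly like its hash. The sample keys and helper names are constructed for illustration.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # MD5, SHA-1 and SHA-256 all process 64-byte (512-bit) blocks

def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC = H((K xor opad) || H((K xor ipad) || M)), as in RFC 2104."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()      # key > 64 bytes -> H(key)
    key = key.ljust(BLOCK_SIZE, b"\x00")        # pad short keys with zeros
    inner_key = bytes(b ^ 0x36 for b in key)    # ipad
    outer_key = bytes(b ^ 0x5C for b in key)    # opad
    inner = hashlib.sha256(inner_key + message).digest()
    return hashlib.sha256(outer_key + inner).digest()

# Constructed sample inputs: keys below, at and above the block size
MESSAGE = b"Please transfer $1M to account A"
SAMPLE_KEYS = {
    "16-byte": bytes(range(16)),
    "64-byte": bytes(range(64)),
    "100-byte": bytes(range(100)),
}

def agrees_with_library() -> bool:
    """The hand-built HMAC must match the standard library for every key."""
    return all(
        hmac.compare_digest(
            hmac_sha256(key, MESSAGE),
            hmac.new(key, MESSAGE, hashlib.sha256).digest(),
        )
        for key in SAMPLE_KEYS.values()
    )

def long_key_collapses() -> bool:
    """A 100-byte key and its 32-byte SHA-256 hash produce the same tag."""
    long_key = SAMPLE_KEYS["100-byte"]
    hashed_key = hashlib.sha256(long_key).digest()
    return hmac_sha256(long_key, MESSAGE) == hmac_sha256(hashed_key, MESSAGE)

if __name__ == "__main__":
    print("matches hmac module:", agrees_with_library())
    print("long key == H(long key):", long_key_collapses())
    print("tag length in bits:", 8 * len(hmac_sha256(b"k", MESSAGE)))
```

Because an over-long key is first reduced to the hash output, key material beyond the block size adds no strength.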
Encryption-Based MAC
• DES-MAC
  • DES encryption E(M,K) → blk1, blk2,…blkn
  • MAC = blk1 blk2 …blkn
  • K is a DES key (56 bits) → weak security
  • DES-MAC is 64 bits
• AES-MAC
  • What is the key size?
  • How long is the AES-MAC?

Cryptool
• Indiv. procedures → hash → HMAC
  • SHA-256
  • Double hashing

Repudiation Problem with MAC
• If Alice denies sending the message to Bob, Bob cannot prove to any third-party authority that Alice is lying
[Figure: Alice (k), Bob (k) and Mallory; message & MAC: "Please transfer $1M to account A, MAC"; secret channel]

Solution: RSA Signature
• Alice with RSA public key (n,e) and private key d
  • Compute digital signature sig = H(M)^d mod n (only Alice can generate this signature with her private RSA key d)
  • Send (M, sig) to Bob
• Bob:
  • Compute H(M)
  • Verify sig by comparing if H(M) = sig^e mod n (anyone can verify the signature with Alice’s public RSA key e,n)
[Figure: Alice sends (M, sig = H(M)^d mod n) to Bob over a public channel; d: Alice’s private key; n,e: Alice’s public key]

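The signing and verification formulas on the RSA Signature slide above, carried through in an added example that is not part of the original lecture or its JCE lab. It uses the slide's textbook form without padding and a constructed toy key built from two publicly known Mersenne primes, so the key is for illustration only; production RSA signatures add a padding scheme such as PKCS#1 v1.5 or PSS.

```python
import hashlib

# Constructed toy key (assumption): publicly known Mersenne primes, NOT secure.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                               # public modulus n
E = 65537                               # public exponent e
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent d (Python 3.8+)

def digest_int(message: bytes) -> int:
    """H(M) as an integer; a 256-bit value, so always smaller than n here."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes) -> int:
    """Alice: sig = H(M)^d mod n, which requires the private key d."""
    return pow(digest_int(message), D, N)

def verify(message: bytes, sig: int) -> bool:
    """Bob (or anyone): accept if H(M) == sig^e mod n, using only (n, e)."""
    return pow(sig, E, N) == digest_int(message)

def encode_signature(sig: int) -> bytes:
    """Fixed-width encoding: a signature is as long as the modulus n."""
    return sig.to_bytes((N.bit_length() + 7) // 8, "big")

# Constructed sample messages
ORIGINAL = b"Please transfer $1M to account A"
MODIFIED = b"Please transfer $1M to account B"

if __name__ == "__main__":
    sig = sign(ORIGINAL)
    print("modulus bits:       ", N.bit_length())
    print("signature bytes:    ", len(encode_signature(sig)))
    print("original verifies:  ", verify(ORIGINAL, sig))
    print("modified verifies:  ", verify(MODIFIED, sig))
```

Unlike the MAC case, verification here needs no secret, which is what lets a third party check Alice's signature.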
Discussion
• What is the difference between RSA encryption and RSA signature?
• What is the size of an RSA-1024 signature with SHA-256?
• What is the size of HMAC with SHA-256?
• In what scenarios should you choose RSA signature or MAC?

Demo in CrypTool
• Digital signatures/PKI
  • Sign document (SHA1+RSA-512)
  • Verify signature

Hands-on Exercise
• Download week5.zip into your IS302 directory
• Unzip it (extract to week5 directory)
• Follow the instructions in Lab.doc
  • 2.1
    • HMAC in JCE
  • 2.2
    • RSA signature in JCE

Review
• How long is an RSA-1024 with SHA1 signature?
  1) 128 bits 2) 160 bits 3) 1024 bits
• Alice sends a message with an RSA signature to Bob. Which key should be used to generate the signature?
  1) Alice’s private key 2) Alice’s public key 3) Bob’s public key
• How long is AES-MAC?
  1) 128 bits 2) 160 bits 3) 1024 bits