This chapter explores the concepts of integrity and authentication in data transmission, including message authentication codes, hash functions, and digital signature standards.
Chapter 6 Integrity and Authentication
Session 4 – Contents
• Integrity
• Message Authentication Code (MAC)
• Hash Functions
• Authentication
• Digital Signature Standard (FIPS 186-2)
• DSA (ANSI X9.30)
• RSA (ANSI X9.31)
• ElGamal
• ECDSA (ANSI X9.62)
Integrity
Assurance that a message was not accidentally or deliberately modified in transit by replacement, insertion, or deletion.
[Diagram: integrity mechanisms. Labels: Hash Functions, Encryption, Digital Signature, SHA, MD5, MAC, HMAC, DES CBC, HMAC-SHA-1-96, SHA-1, SHA-384, AES-XCBC-MAC-96, HMAC-MD5-96, SHA-256, SHA-512]
What is Integrity? integrity / n.(1) The property of ensuring that data is transmitted from source to destination without undetected alteration. (2) The process of preventing undetected alteration of data.
Integrity Using a Message Summary
Message digest (hash) was used to prove that the stated amount of money was not altered.
[Diagram: the message "I sent you $567.34 with Mary." travels with a message digest (hash); the check is "Count money: $567.34? Yes/No", answered "Yes".]
Message Authentication Code (MAC)
• Both parties share a secret key.
• Last ciphertext block sent as a hash.
• IV is zero block (all “0” bits).
• DES 64-bit hash, AES 128-bit hash used.
[Diagram: the sender runs MESSAGE through a block cipher in CBC mode (secret key, initial variable) and transmits MESSAGE with the MAC (last ciphertext block); the receiver recomputes the MAC with the same secret key and initial variable and compares the two.]
Using CBC Mode as a Hash Function
• Sends last ciphertext block as a hash.
• Uses a fixed known IV.
• DES hash: 64 bits.
• AES hash: 128 bits.
[Diagram: each cleartext block is XORed (+) with the IV or the previous ciphertext block and enciphered by the block cipher under the crypto variable; the last ciphertext block is the output.]
AES-XCBC-MAC-96
• RFC 3566 is proposed for use in IPSec, AH and ESP.
• E(n) is a 128-bit authenticator value. AES-XCBC-MAC-96 is derived by truncating the 128-bit value in the same way as it is done in HMAC.
• The length of 96 bits is the default authenticator length for use with either ESP or AH.
[Diagram: K1, K2, and K3 are produced by enciphering Seed 1, Seed 2, and Seed 3 with the AES block cipher under K; message blocks M1, M2, ... Mn-1, Mn are chained through the AES block cipher under K1, giving E(0), E(1), ... E(n); K2 or K3 is XORed (+) into the last message block Mn.]
Hash Functions – One-way Functions
Take an input m and return a fixed-size string. Hard to invert. Given the hash value, it is computationally infeasible to find the initial value m. Message Digest 5 (MD5) and Secure Hash Algorithm are hash functions.
[Diagram: the message is followed by a pad and a BR-bit field (BR = binary representation of the message length) so that the total is divisible by the block size; message blocks M1, M2, ... Mn pass through the compression function in turn, starting from an initial value, to produce the hash.]
Checking Integrity with a Hash Function
• The message and the message’s hash are sent to the receiver.
• The receiver compares the received hash with a newly generated hash.
• If the hashes are the same, it is highly probable that the message has not been changed.
[Diagram: the sender applies the hash function to MESSAGE and transmits MESSAGE with the message’s hash; the receiver applies the hash function to the received MESSAGE and compares the result with the received hash.]
Secure Hash Standard
• On April 17, 1995, the National Institute of Standards and Technology, NIST, approved the Secure Hash Standard, FIPS PUB 180-1, which included one secure hash algorithm, the SHA-1.
• On February 1, 2003, a new Secure Hash Signature Standard (SHS) (FIPS PUB 180-2) was approved; it added three hash algorithms to SHA-1: SHA-256, SHA-384, and SHA-512.
• The SHA-1 algorithm specified in the FIPS PUB 180-2 is the same algorithm that was specified previously in FIPS 180-1, although some of the notation was modified to be consistent with the notation used in the SHA-256, SHA-384, and SHA-512 algorithms.
Secure Hash Algorithm SHA-1
• SHA-1 is used to generate a condensed representation of a message called a message digest.
• The SHA-1 is required for use with the Digital Signature Algorithm (DSA), as specified in the Digital Signature Standard (DSS), and whenever a secure hash algorithm is required for federal applications.
• The SHA-1 sequentially processes blocks of 512 bits when computing the message digest; padding is required, even if the message is a multiple of 512. Padding is done as follows:
  • Append a “1” bit followed by “0” bits until the length is 64 bits less than a multiple of 512 (length ≡ 448 mod 512).
  • Append a 64-bit representation of the pre-padded message length.
  • The padded message length is 512 × n.
Hash functions are used to prove that the transmitted data was not altered.
Computing SHA-1 Message Digest
[Diagram: each 512-bit message block M(1), M(2), ... M(N) consists of 16 words, Word[0] to Word[15], of four 8-bit bytes each; the blocks pass through the compression function in turn, turning the initial H values into new H values.]
• Block M(1): start with a = H0(0), b = H1(0), c = H2(0), d = H3(0), e = H4(0); afterwards H0(1) = a + H0(0), H1(1) = b + H1(0), H2(1) = c + H2(0), H3(1) = d + H3(0), H4(1) = e + H4(0).
• Block M(2): start with a = H0(1), b = H1(1), c = H2(1), d = H3(1), e = H4(1); afterwards H0(2) = a + H0(1), H1(2) = b + H1(1), H2(2) = c + H2(1), H3(2) = d + H3(1), H4(2) = e + H4(1).
• Block M(N): start with a = H0(N - 1), b = H1(N - 1), c = H2(N - 1), d = H3(N - 1), e = H4(N - 1); afterwards H0(N) = a + H0(N - 1), H1(N) = b + H1(N - 1), H2(N) = c + H2(N - 1), H3(N) = d + H3(N - 1), H4(N) = e + H4(N - 1).
SHA-1 Compression Function
Initialization: H0(0) = 67452301, H1(0) = EFCDAB89, H2(0) = 98BADCFE, H3(0) = 10325476, H4(0) = C3D2E1F0
[Diagram: Buffer 1 holds a, b, c, d, e, loaded from the initial values H0(0) ... H4(0); Buffer 2 is updated for t = 0 to t = 79 using T = ROTL5(a) + ft(b,c,d) + e + Wt + Kt, a = T, c = ROTL30(b); the results a79, b79, c79, d79, e79 are added (+) to H0(0) ... H4(0) to give H0(1) ... H4(1) before the next block M(2).]
SHA-1 Operations
• Bitwise logical word operations
  • x ∧ y = bitwise logical "and" of x and y.
  • x ∨ y = bitwise logical "inclusive-or" of x and y.
  • x XOR y = bitwise logical "exclusive-or" of x and y.
  • ¬ x = bitwise logical "complement" of x.
• x + y is defined as follows: words x and y represent integers X and Y, where 0 ≤ X < 2^32 and 0 ≤ Y < 2^32. For positive integers U and V, let U mod V be the remainder upon dividing U by V. Compute Z = (X + Y) mod 2^32. Then 0 ≤ Z < 2^32. Convert Z to a word, z, and define z = x + y.
• ROTLn(x) = (x << n) ∨ (x >> 32-n). (Circular left shift operation)
  • x << n is obtained as follows: discard the left-most n bits of x and then pad the result with n zeroes on the right (the result will still be 32 bits).
  • x >> 32 - n is obtained by discarding the right-most 32 - n bits of x and then padding the result with 32 - n zeroes on the left.
SHA-1 Rounds
[Diagram: the 512-bit message block M1 is split into words W0 ... W15 of four 8-bit bytes each; the buffer a, b, c, d, e is loaded from the initial values H0(0) ... H4(0) and updated for t = 0 ... t = 78, t = 79.]
For t = 0 to 15, let Wt equal the message words W0 … W15.
For t = 16 to 79, let Wt = ROTL1(Wt-3 XOR Wt-8 XOR Wt-14 XOR Wt-16).
For t = 0 to 79 do: T = ROTL5(a) + ft(b,c,d) + e + Wt + Kt; e = d; d = c; c = ROTL30(b); b = a; a = T.
Where:
ROTL5(a) = (a << 5) ∨ (a >> 32-5)
Kt = 5A827999 (0 ≤ t ≤ 19)
Kt = 6ED9EBA1 (20 ≤ t ≤ 39)
Kt = 8F1BBCDC (40 ≤ t ≤ 59)
Kt = CA62C1D6 (60 ≤ t ≤ 79)
(0 ≤ t ≤ 19) (20 ≤ t ≤ 39) (40 ≤ t ≤ 59) (60 ≤ t ≤ 79).
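Added example, not part of the original slides: the SHA-1 padding rule, message schedule, and 80-step loop described above, written out in Python and cross-checked against `hashlib`. The `f_t` round functions come from FIPS 180 because their formulas did not survive on the slide; all function names are this example's own.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF
H_INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)  # one constant per 20 steps


def rotl(x: int, n: int) -> int:
    """ROTLn(x) = (x << n) OR (x >> 32-n), kept to 32 bits."""
    return ((x << n) | (x >> (32 - n))) & MASK


def pad(message: bytes) -> bytes:
    """Append a '1' bit, '0' bits up to 448 mod 512, then the 64-bit length."""
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded)) % 64)
    return padded + struct.pack(">Q", len(message) * 8)


def f_t(t: int, b: int, c: int, d: int) -> int:
    """Round functions per FIPS 180 (assumption: not legible on the slide)."""
    if t < 20:
        return (b & c) | (~b & d)
    if 40 <= t < 60:
        return (b & c) | (b & d) | (c & d)
    return b ^ c ^ d


def sha1(message: bytes) -> str:
    h = list(H_INIT)
    padded = pad(message)
    for off in range(0, len(padded), 64):
        w = list(struct.unpack(">16I", padded[off:off + 64]))  # W0..W15
        for t in range(16, 80):
            w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
        a, b, c, d, e = h
        for t in range(80):
            T = (rotl(a, 5) + f_t(t, b, c, d) + e + w[t] + K[t // 20]) & MASK
            a, b, c, d, e = T, a, rotl(b, 30), c, d
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))]
    return "".join(f"{x:08x}" for x in h)


def matches_hashlib(lengths=(0, 3, 55, 56, 64, 119, 1000)) -> bool:
    """Cross-check on constructed inputs whose lengths sit around block edges."""
    return all(sha1(b"a" * n) == hashlib.sha1(b"a" * n).hexdigest() for n in lengths)
```

A 64-byte message is already a multiple of 512 bits, yet `pad` still grows it to 128 bytes, which is the "padding is required" case the slide calls out.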
MD5
• MD2, MD4, and MD5 are message-digest algorithms developed by Ronald Rivest in 1989, 1990, and 1991.
• All three algorithms produce a 128-bit message digest of the message input that may have any length, but in reality it is expected that the message will have less than 2^64 bits.
• The MD5 sequentially processes blocks of 512 bits when computing the message digest, and padding is required even if the message is a multiple of 512. Padding is done as follows:
  • Append a “1” bit followed by “0” bits until the length is 64 bits less than a multiple of 512 (length ≡ 448 mod 512).
  • Append a 64-bit representation of the pre-padded message length.
  • The padded message length is 512 × n.
Computing MD5 Message Digest
[Diagram: each 512-bit message block M1, M2, ... Mn consists of 16 words, Word[0] to Word[15], of four 8-bit bytes each; the blocks pass through the compression function in turn, turning the initial values A, B, C, D into new A, B, C, D values.]
• Block M1 yields AA1[64], BB1[64], CC1[64], DD1[64]; then A = A + AA1[64], B = B + BB1[64], C = C + CC1[64], D = D + DD1[64].
• Block M2 yields AA2[64], BB2[64], CC2[64], DD2[64]; then A = A + AA2[64], B = B + BB2[64], C = C + CC2[64], D = D + DD2[64].
• Block Mn yields AAn[64], BBn[64], CCn[64], DDn[64]; then A = A + AAn[64], B = B + BBn[64], C = C + CCn[64], D = D + DDn[64].
MD5 Implementation
Initialization: A = 01 23 45 67, B = 89 ab cd ef, C = fe dc ba 98, D = 76 54 32 10
[Diagram: Buffer 1 holds A, B, C, D; Buffer 2 (AA, BB, CC, DD) is updated through Round 1 to Round 4, each covering t = 0 to t = 15, before the next block.]
After the last message block, Mn, has been processed, the message digest is the 128-bit string represented by the 4 words A B C D.
MD5 Rounds
Round 1: a1 = b + ((a + F(b,c,d) + X[k] + T[i]) <<< s)
Round 2: a2 = b + ((a + G(b,c,d) + X[k] + T[i]) <<< s)
Round 3: a3 = b + ((a + H(b,c,d) + X[k] + T[i]) <<< s)
Round 4: a4 = b + ((a + I(b,c,d) + X[k] + T[i]) <<< s)
Where:
F(b,c,d) = bc v not(b) d
G(b,c,d) = bd v c not(d)
H(b,c,d) = b xor c xor d
I(b,c,d) = c xor (b v not(d))
X[k] represents the kth sub-block of the message (from 0 to 15).
T[i] is the integer part of 4294967296 times abs(sin(i)), where i is in radians. Note 4294967296 is 2^32.
<<< s represents a circular left shift of s bits.
Hash Functions
Secure Hash Algorithm (SHA-1)
• Developed by NSA and is required for use with the Digital Signature Algorithm (DSA).
• Works on messages up to 2^64 in length.
• Produces a 160-bit message digest.
• Processes block messages of 512 bits.
• Has four rounds of twenty operations in main loop of algorithm.
• Performs a non-linear operation on three of the five variables a, b, c, d, e in each operation.
Message Digest 5 (MD5)
• Developed by Ronald Rivest in 1991 (MD2 in 89, MD4 in 90).
• Works on messages up to 2^64 in length.
• Produces a 128-bit message digest.
• Processes block messages of 512 bits.
• Has four rounds of sixteen operations in main loop of algorithm.
• Performs a non-linear operation on three of the four variables A, B, C, D in each operation.
Keyed-Hash Message Authentication Code (HMAC)
• HMAC is a cryptographically strong way to use a specific hash function for MAC calculation.
• The hash function is applied twice in succession.
• In the first round, the input to the hash function is the shared secret key and the message.
• The 160-bit or 128-bit output hash value and the key are input again to the hash function in the second round.
• HMAC output could be truncated (i.e., the length of the MAC used is less than the length of the output of the MAC function). If HMAC is truncated to 96 bits, it is then called HMAC-MD5-96 or HMAC-SHA-1-96.
[Diagram: the IP header, AH, message, and PAD are fed with the 128-bit shared key into the hash function (SHA-1 or MD5); its 160- or 128-bit output is fed with the key into the hash function (SHA-1 or MD5) again, giving a 160- or 128-bit result.]
HMAC Implementation
[Diagram: determine K0; compute K0 XOR ipad; append text to form (K0 XOR ipad) || text; compute H((K0 XOR ipad) || text); compute K0 XOR opad; form (K0 XOR opad) || H((K0 XOR ipad) || text); compute H((K0 XOR opad) || H((K0 XOR ipad) || text)).]
MAC(text)t = Leftmost “t” bytes of H((K0 XOR opad) || H((K0 XOR ipad) || text))
• B: Block size (in bytes) of the hash function input.
• H: An approved hash function.
• ipad: Inner pad; 00110110 (the byte 36 in hexadecimal) repeated B times.
• K: Secret key shared between the originator and the intended receiver(s).
• K0: The key K after any necessary pre-processing to form a B byte key.
• L: Byte-length of the hash function output.
• opad: Outer pad; 01011100 (the byte 5c in hexadecimal) repeated B times.
• t: The number of bytes of MAC.
• text: The data on which the HMAC is calculated; text does not include the padded key. The length of text is n bits, where 0 ≤ n < 2^B - 8B.
• x’N’: Hexadecimal notation, where each symbol in the string ‘N’ represents 4 binary bits.
• ||: Concatenation.
• XOR: Exclusive-Or operation.
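Added example, not part of the original slides: the HMAC construction above with H = SHA-1 (B = 64), including truncation to HMAC-SHA-1-96 and a receiver-side check. The K0 pre-processing rule (hash keys longer than B, then zero-pad) is taken from FIPS 198; the key, text, and function names are constructed for illustration.

```python
import hashlib
import hmac

B = 64                      # block size in bytes of the SHA-1 input
IPAD = bytes([0x36]) * B    # inner pad
OPAD = bytes([0x5C]) * B    # outer pad


def determine_k0(key: bytes) -> bytes:
    """Form the B-byte K0 (FIPS 198): hash keys longer than B, then zero-pad."""
    if len(key) > B:
        key = hashlib.sha1(key).digest()
    return key.ljust(B, b"\x00")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hmac_sha1(key: bytes, text: bytes, t: int = 20) -> bytes:
    """Leftmost t bytes of H((K0 XOR opad) || H((K0 XOR ipad) || text))."""
    k0 = determine_k0(key)
    inner = hashlib.sha1(xor(k0, IPAD) + text).digest()
    return hashlib.sha1(xor(k0, OPAD) + inner).digest()[:t]


def verify(key: bytes, text: bytes, mac: bytes, t: int = 12) -> bool:
    """Receiver side for HMAC-SHA-1-96: fixed length, constant-time compare."""
    if len(mac) != t:       # never let the sender choose the truncation length
        return False
    return hmac.compare_digest(hmac_sha1(key, text, t), mac)


# Constructed sample values, not taken from the slides.
KEY = b"constructed shared secret"
TEXT = b"I sent you $567.34 with Mary."
TAG = hmac_sha1(KEY, TEXT, 12)
```

The length check in `verify` matters because a receiver that truncates to whatever length it is handed would accept a one-byte tag after at most 256 guesses.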
What is Authentication? authentication / n. (1) The act of identifying or verifying the entity that originated the message or the corroboration (proof) of the sender's identity, i.e., that he is who he claims to be. Written messages are authenticated with a handwritten signature so the receiver of the message is able to validate the message. (2) access. The act of identifying or verifying the eligibility of a station, originator, or individual to access specific categories of information. digital signature / n. electronic equivalent of a signature on a message. It combines a one-way hash function with public key cryptography. A digital signature must be a function of the documents it signs. A Digital Signature is created by taking the hash function of a message and encrypting it with the sender’s private key.
Authentication
Assurance that the message is coming from the source from which it claims to be.
Digital signatures provide authentication, non-repudiation, and integrity.
[Diagram: authentication mechanisms. Labels: Digital Signatures, Hash Functions, MD5, SHA, ElGamal, RSA, DSA, ECDSA]
A digital signature is created by taking the message’s hash and encrypting it with the sender’s private key.
Digital Signatures
• A digital signature is the electronic analogue of a handwritten signature. Digital signatures provide the following:
  • Authentication - It should be possible for the recipient of a message to ascertain its origin;
  • Non-repudiation - A sender should not be able to later deny having sent and signed the message;
  • Integrity - It should be possible for the recipient of the message to verify that it has not been modified in transit.
• A digital signature must provide the following assurances:
  • The signature is not forgeable.
  • The signature can be validated.
  • Once a message is signed, the sender must not be able to repudiate it.
Digital Signatures
[Diagram: Alice (sender) applies the hash function to the cleartext message and enciphers the hash with Alice’s private key to form the digital signature; Bob (recipient) deciphers the digital signature with Alice’s public key, applies the hash function to the received cleartext message, and compares the two hashes (verification).]
If both values are equal, the message is from Alice and it has not been tampered with.
A Digital Signature is created by taking the hash function of a message and encrypting it with the sender’s private key.
Digital Signatures
• The Digital Signature Standard (DSS), FIPS Pub 186-2, prescribes three algorithms suitable for digital signatures:
  • Digital Signature Algorithm (DSA)
    • Standard for digital authentication.
    • Initial 512-bit key size increased to 1024 for better security.
  • RSA algorithm
    • Uses MD5 as a hash and RSA public Key for signing.
  • ECDSA algorithm.
    • Described in Appendix 6 of the FIPS Pub 186-2 are the recommended Elliptic Curves for Federal Government use.
• ElGamal
  • Signs the message, not the message digest of the message.
Digital Signature Algorithm (DSA)
• Alice holds p, q, g, and x, with y = g^x mod p. Bob holds p, q, g, and y.
• p, q, and g can be public. x is an integer with 0 < x < q.
• Alice’s private and public keys are x and y.
• x and k must be secret. k must be changed for each signature.
• H(m) = Secure Hash Algorithm of message m.
• Alice signs by computing:
  • r = (g^k mod p) mod q
  • s = (k^-1 (H(m) + x r)) mod q
• Alice sends message m and her signature, r and s.
• m′, r′, and s′ are the received versions of m, r, and s.
• Bob verifies signature by computing:
  • w = (s′)^-1 mod q
  • u1 = (H(m′) w) mod q
  • u2 = (r′ w) mod q
  • v = ((g^u1 y^u2) mod p) mod q
• If v = r′, then the signature is verified.
Authentication and Confidentiality
[Diagram: the sender hashes the cleartext message with SHA-1 and enciphers the hash with RSA under the sender’s private key to form the digital signature; the message is enciphered symmetrically under a session key, and the session key is enciphered with RSA to form the digital envelope. The signed cipher message, digital envelope, and sender’s certificate go to the recipient, who deciphers the session key and the message, deciphers the digital signature (DSS / RSA) with the sender’s public key from the sender’s certificate, hashes the deciphered message with SHA-1, and compares the hashes (verification: Yes/No).]
RSA Encryption and Digital Signature
[Diagram: the sender hashes the plaintext message with MD5 and enciphers the hash with the sender’s private key to form the digital signature, then enciphers the message with the receiver’s public key; the signed cipher message crosses the transmission media. The receiver deciphers the message with the receiver’s private key, deciphers the digital signature with the sender’s public key, hashes the deciphered message with MD5, and compares the hashes (verification: Yes/No).]
ElGamal Digital Signature
Alice
• Let M be a document to be signed, where 0 ≤ m ≤ p - 1.
• Select a large prime number as p, the modulo.
• Choose a random number RA, uniformly between 0 and p - 1, such that gcd (RA, p - 1) = 1.
• Compute where a, the base, is a primitive root modulo p.
• Generate the private and public keys according to Diffie-Hellman
• Find IRA, the multiplicative inverse of RA such that RA * IRA ≡ 1 [mod (p - 1)]
• Compute SA, the signature
Bob
• Alice sends M, VA, and SA to Bob
• For authentication, Bob computes
• If CB = CB′ then M is authentic.
To Probe Further
• MD5 Message Digest Algorithm, RFC 1321
• ElGamal, T.A. (July 1985). Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms (pp. 469-472). IEEE Transactions on Information Theory, Vol. IT-31.
• Kohnfelder, L. M. (February 1978). On the Signature Reblocking Problem in Public-Key Cryptosystems (p. 179). Communications of the ACM, Vol. 21, No. 2.
• National Institute of Standards and Technology (1995). Secure Hash Standard. FIPS PUB 180-1.
• National Institute of Standards and Technology (1995). The Keyed-Hash Message Authentication Code. FIPS PUB 198.
• National Institute of Standards and Technology (2000). Digital Signature Standard. FIPS PUB 186-2.
• Newman, D. B., Omura, J. K., Pickholtz, R. L. (April 1987). Public Key Management for Network Security (pp. 12-13). IEEE Network Magazine, Vol. 1, No. 2.