Week 8: Hashes, Digital Signatures, Certificates, PKI 68-525 Encryption and Authentication Systems Summer 2010
Topics • Hash Algorithms • Digital Signatures • Certificates • Public Key Infrastructure Covers Chapters 12 and 13 and parts of 14 and 17
Hashes in General • Take a variable-sized input and produce a fixed-size output • Are one-way functions • Are resistant to collisions • Are at the heart of digital signatures • Schneier – “One-way hash functions are the workhorses of modern cryptography.”
“At the heart of digital signatures” • Without a hash:
“At the heart of digital signatures” • With a hash:
Properties of One-Way Hash Functions • They are one-way (duh!) • easy to take a message and compute the hash value • can’t take a hash value and recreate the message in reasonable time. • They are collision-free • it is not feasible to find two messages that hash to the same hash value Breaking a hash means showing that either or both of these properties don’t hold.
This Whole Collision-Free Thing Sounds Fishy • I thought hash functions were many to one??? • They are • Then how can they be collision-free? • Many messages hash to the same hash value. Aren’t those collisions?
The Collision-Free Claim Explained • Consider SHA-1 • produces a 160-bit hash • Every message hashes down to a 160-bit number • since there are an infinite number of messages that hash to each value, there are an infinite number of collisions • But the number of different possible hashes is very large – 2^160 for a 160-bit hash • You have to hash about 2^(160/2) = 2^80 messages to find a collision (the birthday bound) • that's the brute-force way to break a hash by finding collisions
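The two costs the slides contrast (about 2^(n/2) hashes to find any collision versus about 2^n to invert one fixed value) can be watched directly by truncating SHA-1 to a few bits. The script below is an added example, not part of the lecture material; the message prefixes and the truncation sizes are constructed choices. A 32-bit truncation yields a collision after roughly 2^16 hashes, the same expected work as a brute-force preimage of a 16-bit truncation, which is the square-root relationship the slide describes.

```python
import hashlib
from itertools import count

HASH_BITS = 160  # SHA-1 output size


def truncated_sha1(message: bytes, bits: int) -> int:
    """SHA-1 of `message`, keeping only the leading `bits` bits of the digest.
    Truncating shrinks the output space so the search costs can be observed."""
    digest = int.from_bytes(hashlib.sha1(message).digest(), "big")
    return digest >> (HASH_BITS - bits)


def find_collision(bits: int, prefix: bytes = b"msg-"):
    """Birthday search: hash distinct messages, remembering each truncated value,
    until two different messages share one. Expected work is about 2**(bits/2).
    Returns (message_a, message_b, hashes_computed)."""
    seen = {}
    for i in count():
        msg = prefix + str(i).encode()   # constructed, distinct messages
        h = truncated_sha1(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg


def find_preimage(target: int, bits: int, prefix: bytes = b"guess-"):
    """Brute-force preimage search for one fixed truncated value.
    Expected work is about 2**bits, the square of the collision cost.
    Returns (message, hashes_computed)."""
    for i in count():
        msg = prefix + str(i).encode()
        if truncated_sha1(msg, bits) == target:
            return msg, i + 1


if __name__ == "__main__":
    a, b, n = find_collision(32)
    print(f"32-bit collision after {n} hashes (birthday bound 2^16 = 65536):")
    print(f"  {a!r} and {b!r} -> {truncated_sha1(a, 32):08x}")
    target = truncated_sha1(b"constructed example", 16)
    m, n2 = find_preimage(target, 16)
    print(f"16-bit preimage after {n2} hashes (brute-force bound 2^16 = 65536): {m!r}")
```

Running it a few times with different prefixes shows the collision count hovering around 65,000 for 32 bits; doubling the truncation to 64 bits would push the expected work to about 4 billion hashes, which is why a full 160-bit output was considered safe against brute force in 2010.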
A Brief History • 1990: Ron Rivest invented MD4 • 1992: Rivest improved MD4 to make MD5 • 1993: NSA published SHA based on MD5 • 1995: NSA found a weakness in SHA and produced SHA-1 • Today: SHA-1 is the most popular hash, but ...
Weakness in SHA-1 • SHA-1 is 160-bit • Birthday attack ~ 2^80 attempts • 2005: Chinese cryptographers report a technique for finding collisions in SHA-1 after 2^69 calculations • about 2000 times faster than brute force • That kind of computational expense is starting to become manageable • Think about 56-bit DES keys broken by brute force • So, it's time to migrate away from SHA-1 in favor of SHA-224, 256, 384, and 512
Where do we go from SHA-###? • SHA and all variants have same structure • just differ in sizes of data that are manipulated • Some argue that a completely new approach is desired
Whirlpool – a different approach • Whirlpool was co-developed by one of the people behind Rijndael. • It uses a block cipher called W that is based on Rijndael to do the compression function • Features performance comparable with SHA-512 • We’re not going to go into the details of how Whirlpool or the W function work • just let the following overview picture suffice
HMAC (Hashed MAC): A Hybrid • A MAC is like a hash, except with a key • So, why not apply a modern hash algorithm in combination with a key? • That idea is called a Hashed MAC (HMAC)
HMAC • uses the hash function twice on the message: HMAC_K(M) = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]] • K+ is the key padded out to the block size • opad = 5C in hex (repeated to be as long as a block) • ipad = 36 in hex (repeated to be as long as a block) • overhead is just 3 times what a single hash takes • any hash function can be used
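The formula on the slide, written out step by step as an added example (not lecture code): K+ is built by hashing an over-long key and zero-padding to the hash's block size, ipad/opad are the 0x36/0x5C bytes XORed in, and the inner digest is hashed again under the opad key. The function is checked against Python's standard `hmac` module; the key and message are constructed.

```python
import hashlib
import hmac


def hmac_manual(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC_K(M) = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]"""
    block = hashlib.new(hash_name).block_size   # 64 for SHA-1/SHA-256, 128 for SHA-512
    # K+ : keys longer than a block are hashed first, then zero-padded to block size
    if len(key) > block:
        key = hashlib.new(hash_name, key).digest()
    k_plus = key.ljust(block, b"\x00")
    ipad = bytes(b ^ 0x36 for b in k_plus)      # 36 hex repeated across the block
    opad = bytes(b ^ 0x5C for b in k_plus)      # 5C hex repeated across the block
    inner = hashlib.new(hash_name, ipad + message).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def reference_hmac(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """The standard-library implementation, used to cross-check hmac_manual."""
    return hmac.new(key, message, getattr(hashlib, hash_name)).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Receiver side: recompute and compare in constant time to avoid timing leaks."""
    return hmac.compare_digest(hmac_manual(key, message, hash_name), tag)


if __name__ == "__main__":
    key, msg = b"constructed-shared-key", b"constructed message"   # constructed values
    tag = hmac_manual(key, msg)
    print("manual   :", tag.hex())
    print("reference:", reference_hmac(key, msg).hex())
    print("verifies :", verify_tag(key, msg, tag))
    print("tampered :", verify_tag(key, msg + b"!", tag))
```

The same code produces HMAC-SHA-1 or HMAC-SHA-512 by changing `hash_name`, which is the "any hash function can be used" point on the slide; only the block size changes.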
HMAC used for AH protocol From http://www.unixwiz.net/techtips/iguide-ipsec.html
Examples: Applications of Hashes • Digital Signatures • Application Security
Digital Signatures • Provides trust by providing proof of origin • verify author, date & time of signature • authenticate message contents • be verified by third parties to resolve disputes • Incorporates • crypts • hashes • MACs
Digital Signature Requirements • must depend on the message being signed • must use information unique to sender • to prevent both forgery and denial • must be relatively easy to produce • must be relatively easy to recognize/verify • must be computationally infeasible to forge • must be store-able
Two Categories of Digital Signatures • Direct • Arbitrated
Direct Digital Signature • involve only sender and receiver • sender encrypts using his private key • sender may then encrypt again using recipient’s public key • security depends on sender’s private key
Arbitrated Digital Signatures • Requires a trusted third party • May use • Symmetric key: • somewhat like Needham-Schroeder • PKE
PKE Approach • use a digital signature with a digital certificate: A -> B: M || E_PRa[H(M)] || E_PRas[T || ID_A || PU_a] • Here • M is the message • E_PRa[H(M)] is the signature • E_PRas[T || ID_A || PU_a] is the certificate • This particular signature is RSA's approach • Alternative: DSS (Digital Signature Standard)
Digital Signature Standard (DSS) • the US Government’s approved signature scheme • designed by NIST & NSA in early 90's • revised in 1993, 1996 & then 2000 • uses the SHA hash algorithm • algorithm is called Digital Signature Algorithm (DSA)
Digital Signature Algorithm (DSA) • creates a 320 bit signature • with 512-1024-bit equivalent security • smaller and faster than RSA • security depends on mathematics
Comparison: RSA vs. DSA (figure contrasting what we already know with what we are learning now)
DSA Key Generation • have shared global public key values (p, q, g): • choose q, a 160-bit prime • choose a large prime p < 2^L • where L = 512 to 1024 bits and is a multiple of 64 • and q is a factor of (p-1) • choose g = h^((p-1)/q) (mod p) • where h < p-1 and h^((p-1)/q) (mod p) > 1 • users choose a private key & compute the public key: • choose x < q • compute y = g^x (mod p)
DSA Signature Creation • to sign a message M the sender: • generates a random signature key k, k < q • k must be random, be destroyed after use, and never be reused • then computes the signature pair: r = (g^k (mod p)) (mod q) s = (k^-1 * (H(M) + x*r)) (mod q) • sends signature (r, s) with message M
DSA Signature Verification • having received M & signature (r, s) • to verify the signature, the recipient computes: w = s^-1 (mod q) u1 = (H(M) * w) (mod q) u2 = (r * w) (mod q) v = ((g^u1 * y^u2) (mod p)) (mod q) • if v = r then the signature is verified
Examples: Applications of Hashes • Digital Signatures • Application Security
Hash Example: Bookseller • Bookseller: http://www.deadleprechaun.com/Book/ • Two security issues: • Security of account names / passwords in the database • cure by storing a hash of the password in the db • Transmitting the password to the server • cure by using SSL
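The first cure on the slide, storing a hash of the password instead of the password, in the form a practitioner would deploy it: a per-user random salt, a deliberately slow key-derivation (PBKDF2 from the standard library), a self-describing record so the iteration count can be raised later, and a constant-time comparison on login. This is an added example with constructed passwords, not the bookseller's code; `ITERATIONS` is a constructed choice. `naive_hash` is included only to show why a bare unsalted hash is weaker: two users with the same password get the same record, and one precomputed table serves every account.

```python
import base64
import hashlib
import hmac
import os

ALGORITHM = "sha256"
ITERATIONS = 200_000   # constructed value; raise it as hardware gets faster


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a record of the form pbkdf2_<alg>$<iterations>$<salt>$<derived key>."""
    if salt is None:
        salt = os.urandom(16)                     # fresh random salt per user
    dk = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        "pbkdf2_" + ALGORITHM,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored parameters; compare in constant time."""
    name, iterations, salt_b64, dk_b64 = record.split("$")
    algorithm = name[len("pbkdf2_"):]
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac(algorithm, password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def naive_hash(password: str) -> str:
    """A single unsalted hash, shown only for contrast with hash_password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    pw = "correct horse battery staple"            # constructed password
    alice, bob = hash_password(pw), hash_password(pw)
    print("salted records differ for the same password:", alice != bob)
    print("naive hashes match for the same password:   ", naive_hash(pw) == naive_hash(pw))
    print("login with right password:", verify_password(pw, alice))
    print("login with wrong password:", verify_password(pw + "!", alice))
```

The database row holds only the record string; the server never needs the salt or iteration count from anywhere else, so a later policy change (a new count or hash) can be applied per user at next login by re-hashing and overwriting the record.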
What is SSL? • Short for Secure Sockets Layer • is a protocol • developed in 1996 by Netscape • purpose: • transmit private documents over http • works by using a shared key to encrypt data over a web connection • the shared key is sent from the client to the server using the server's public key • URLs that require SSL begin with https
The Protocol • Client side: “Hello?” – the client initiates a connection • Server side: the server responds by sending the client its Digital ID; the server may also request the client's Digital ID for client authentication • Client side: the client verifies the server's Digital ID; if requested by the server, the client sends its Digital ID • Client side: when the authentication is complete, the client sends the server a session key encrypted using the server's public key • Once a session key is established, secure communications commence between client and server
How does SSL work? (Simplified View) • Alice (Client) -> Bob (Server): “Let's talk securely. Here are the protocols and ciphers I understand.” • Bob -> Alice: “I choose the protocols and ciphers. Here is my public key and some other stuff to make you believe it's really my key.” • Alice -> Bob: “Here is a fresh key encrypted with your public key so that only you can decipher it.”
Problem • How does Alice actually know she is talking with Bob? • There could be a man in the middle (figure: Client <- HTTP with SSL/TLS -> MIM <- HTTP with SSL/TLS -> Web Server)
Potential Solutions • Alice and Bob could physically exchange keys • impractical • Other choice: take advantage of the “some other stuff to make you believe it’s really my key.”
What’s the “some other stuff”? • Someone Alice trusts could vouch to her for Bob and Bob’s key • A third party can certify Bob’s key in a way that convinces Alice. • That is what’s called a certificate.
What is a certificate? • A certificate is a digitally-signed statement that binds a public key to some identifying information. • It’s the marriage of a name and a key • It’s like any other id – driver’s license, passport, etc. • Anything that binds together rights and identity
What is a certificate? • to summarize, a certificate is just a statement by an issuer about a subject (figure: Issuer -> Subject)
What’s in a certificate? • This is an incomplete list: • The domain for which the certificate was issued. • The legal owner of the certificate. • The physical location of the owner. • The validity dates of the certificate. • The server’s public key. • We’ll look at this in more detail later.
Why are certs believable? • This is the idea of functional equivalence • Just as in the pen-and-paper world, • We need to believe it’s hard to forge the digital signature on a signed document • We need to trust the issuer/signer not to lie to us
So, how does SSL with certs work? • Alice: “Let's talk securely. Here are the protocols and ciphers I understand.” • Bob: “I choose this protocol and ciphers. Here is my public key and a certificate to convince you that the key really belongs to me.” (Cert) • If Alice trusts the cert, she can send Bob a session key, encrypted with his public key, and the two can start talking.
Getting a certificate • How does Bob get a certificate for his key? • He goes to a Certificate Authority (CA) that issues certificates and asks for one by filing a CSR (Certificate Signing Request) • The CA issues Bob a certificate for his public key. • CA is the issuer • Bob is the subject
OK, so how do I create a CSR? • A CSR and the private key are created simultaneously. • Some web servers (including IIS) have wizards to create them • Alternatively, can use openssl