
Week 8: Hashes, Digital Signatures, Certificates, PKI


sanam


  1. Week 8: Hashes, Digital Signatures, Certificates, PKI 68-525 Encryption and Authentication Systems Summer 2010

  2. Topics • Hash Algorithms • Digital Signatures • Certificates • Public Key Infrastructure Covers Chapters 12 and 13 and parts of 14 and 17

  3. Hashes in General • Take a variable-sized input and produce a fixed-size output • Are one-way functions • Are resistant to collisions • Are at the heart of digital signatures • Schneier – “One-way hash functions are the workhorses of modern cryptography.”

  4. “At the heart of digital signatures” • Without a hash:

  5. “At the heart of digital signatures” • With a hash:

  6. Properties of One-Way Hash Functions • They are one-way (duh!) • easy to take a message and compute the hash value • can’t take a hash value and recreate the message in reasonable time. • They are collision-free • it is not feasible to find two messages that hash to the same hash value Breaking a hash means showing that either or both of these properties don’t hold.

  7. This Whole Collision-Free Thing Sounds Fishy • I thought hash functions were many to one??? • They are • Then how can they be collision-free? • Many messages hash to the same hash value. Aren’t those collisions?

  8. The Collision-Free Claim Explained • Consider SHA-1 • produces 160-bit hash. • Every message hashes down to a 160-bit number • since there are an infinite number of messages that hash to each value, there are an infinite number of collisions • But the number of different possible hashes is very large – $2^{160}$ for a 160-bit hash • You have to hash $2^{160/2} = 2^{80}$ messages to find a collision • that’s the brute force way to break a cipher by finding collisions

  9. General Structure of a Hash Function

  10. A Brief History • 1990: Ron Rivest invented MD4. • 1992: Rivest improved MD4 to make MD5 • 1993: NSA published SHA based on MD5 • 1995: NSA found weakness in SHA and produced SHA-1 • Today: SHA-1 is most popular cipher but ...

  11. Weakness in SHA-1 • SHA-1 is 160-bit • Birthday attack ~ $2^{80}$ attempts • 2005: Chinese cryptographers report technique for finding collisions in SHA-1 after $2^{69}$ calculations • about 2000 times faster than brute force • That kind of computational expense is starting to become manageable • Think about 56-bit DES keys broken by brute force • So, it’s time to migrate away from SHA-1 in favor of SHA-224, 256, 384, and 512

  12. Structure of SHA-512

  13. So what goes on in each round?

  14. Where do we go from SHA-###? • SHA and all variants have same structure • just differ in sizes of data that are manipulated • Some argue that a completely new approach is desired

  15. Whirlpool – a different approach • Whirlpool was co-developed by one of the people behind Rijndael. • It uses a block cipher called W that is based on Rijndael to do the compression function • Features performance comparable with SHA-512 • We’re not going to go into the details of how Whirlpool or the W function work • just let the following overview picture suffice

  16. Whirlpool Structure

  17. HMAC (Hashed MAC): A Hybrid • MAC is like a hash, except with a key • So, why not apply a modern hash algorithm in combination with a key? • That idea is called a Hashed MAC (HMAC)

  18. HMAC • uses hash function on the message: $\mathrm{HMAC}_K = \mathrm{Hash}[(K^+ \oplus \mathrm{opad}) \,\|\, \mathrm{Hash}[(K^+ \oplus \mathrm{ipad}) \,\|\, M]]$ • $K^+$ is the key padded out to size • opad = 5C in hex (repeated to be as long as the block) • ipad = 36 in hex (repeated to be as long as the block) • overhead is just 3 times what a single hash takes • any hash function can be used

  19. HMAC

  20. HMAC used for AH protocol From http://www.unixwiz.net/techtips/iguide-ipsec.html
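
The HMAC construction from slide 18, written out step by step as an added example (not part of the original slides) and checked against Python's standard `hmac` module. The function names `hmac_manual` and `verify_tag` are hypothetical, and SHA-256 is an assumed default hash.

```python
import hashlib
import hmac

def hmac_manual(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]] from slide 18."""
    def h(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    block = hashlib.new(hash_name).block_size   # 64 bytes for SHA-1 and SHA-256
    if len(key) > block:
        key = h(key)                            # over-long keys are hashed first
    k_plus = key.ljust(block, b"\x00")          # K+: key zero-padded to block size
    ipad = bytes(b ^ 0x36 for b in k_plus)      # K+ XOR ipad
    opad = bytes(b ^ 0x5C for b in k_plus)      # K+ XOR opad
    inner = h(ipad + msg)                       # inner hash covers the message
    return h(opad + inner)                      # outer hash covers only the digest

def verify_tag(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_manual(key, msg), tag)

if __name__ == "__main__":
    key, msg = b"constructed-sample-key", b"constructed sample message"
    tag = hmac_manual(key, msg)
    print(tag.hex())
    print(tag == hmac.new(key, msg, hashlib.sha256).digest())   # matches the stdlib
    print(verify_tag(key, msg + b"!", tag))                     # altered message fails
```
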

  21. Examples: Applications of Hashes • Digital Signatures • Application Security

  22. Digital Signatures • Provides trust by providing proof of origin • verify author, date & time of signature • authenticate message contents • be verified by third parties to resolve disputes • Incorporates • crypts • hashes • MACs

  23. Digital Signature Requirements • must depend on the message being signed • must use information unique to sender • to prevent both forgery and denial • must be relatively easy to produce • must be relatively easy to recognize/verify • must be computationally infeasible to forge • must be store-able

  24. Two Categories of Digital Signatures • Direct • Arbitrated

  25. Direct Digital Signature • involve only sender and receiver • sender encrypts using his private key • sender may then encrypt again using recipient’s public key • security depends on sender’s private key

  26. Arbitrated Digital Signatures • Requires a trusted third party • May use • Symmetric key: • somewhat like Needham-Schroeder • PKE

  27. Symmetric Approach: Needham-Schroeder Protocol

  28. PKE Approach • use a digital signature with a digital certificate: $A \to B: M \,\|\, E_{PR_a}[H(M)] \,\|\, E_{PR_{as}}[T \,\|\, ID_A \,\|\, PU_a]$ • Here • $M$: message, • $E_{PR_a}[H(M)]$: signature • $E_{PR_{as}}[T \,\|\, ID_A \,\|\, PU_a]$: certificate • This particular signature is RSA’s approach • Alternative: DSS (Digital Signature Standard)

  29. Picture of the Certificate Part of the PKE Approach

  30. Digital Signature Standard (DSS) • the US Government’s approved signature scheme • designed by NIST & NSA in early 90's • revised in 1993, 1996 & then 2000 • uses the SHA hash algorithm • algorithm is called Digital Signature Algorithm (DSA)

  31. Digital Signature Algorithm (DSA) • creates a 320 bit signature • with 512-1024-bit equivalent security • smaller and faster than RSA • security depends on mathematics

  32. Comparison: RSA vs. DSA (diagram labels: “what we already know”, “what we are learning now”)

  33. DSA Key Generation • have shared global public key values $(p, q, g)$: • choose $q$, a 160-bit number • choose a large prime $p < 2^L$ • where $L$ = 512 to 1024 bits and is a multiple of 64 • and $q$ is a factor of $(p-1)$ • choose $g = h^{(p-1)/q}$ • where $h < p-1$, $h^{(p-1)/q} \bmod p > 1$ • users choose private & compute public key: • choose $x < q$ • compute $y = g^x \bmod p$

  34. DSA Signature Creation • to sign a message $M$ the sender: • generates a random signature key $k$, $k < q$ • $k$ must be random, be destroyed after use, and never be reused • then computes signature pair: $r = (g^k \bmod p) \bmod q$, $s = (k^{-1}(H(M) + x \cdot r)) \bmod q$ • sends signature $(r, s)$ with message $M$

  35. DSA Signature Verification • having received $M$ & signature $(r, s)$ • to verify a signature, recipient computes: $w = s^{-1} \bmod q$, $u_1 = (H(M) \cdot w) \bmod q$, $u_2 = (r \cdot w) \bmod q$, $v = (g^{u_1} \cdot y^{u_2} \bmod p) \bmod q$ • if $v = r$ then signature is verified

  36. Examples: Applications of Hashes • Digital Signatures • Application Security

  37. Hash Example: Bookseller • Bookseller: http://www.deadleprechaun.com/Book/ • Two security issues: • Security of account names / passwords in the database • cure by storing hash of password in db • Transmitting password to server • cure by using SSL
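
An added example (not from the original slides) of the "store a hash of the password" cure on slide 37. It goes one step beyond the slide by contrasting a bare hash with a per-user salt and an iterated hash (PBKDF2-HMAC-SHA256); the record layout, function names and iteration count are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000   # assumed work factor; raise it as hardware allows

def naive_record(password: str) -> str:
    """Bare hash, as the slide literally says: equal passwords give equal rows."""
    return hashlib.sha256(password.encode()).hexdigest()

def make_record(password: str) -> dict:
    """What the db row would hold: salt, iteration count and derived hash."""
    salt = secrets.token_bytes(16)             # unique per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iter": ITERATIONS, "hash": digest.hex()}

def check_password(password: str, record: dict) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))

if __name__ == "__main__":
    # Constructed sample accounts: two users who picked the same password.
    a, b = make_record("correct horse"), make_record("correct horse")
    print(naive_record("correct horse") == naive_record("correct horse"))  # rows match
    print(a["hash"] == b["hash"])               # salted rows differ
    print(check_password("correct horse", a), check_password("wrong", a))
```
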

  38. What is SSL? • Short for Secure Sockets Layer • is a protocol • developed in 1996 by Netscape • purpose: • transmit private documents over http • works by using a shared key to encrypt data over a web connection • the shared key is sent from the client to the server using the server’s public key • URLs that require SSL begin with https

  39. The Protocol (client side / server side) • Hello? – Client initiates a connection • Server Digital ID – Server responds by sending the client its Digital ID. The server may also request the client’s Digital ID for client authentication. • Client Digital ID – Client verifies the server’s Digital ID. If requested by the server, the client sends its Digital ID. • Session key – When the authentication is complete, the client sends the server a session key encrypted using the server’s public key. • Once a session key is established, secure communications commence between client and server

  40. How does SSL work? (Simplified View) • Alice (Client) to Bob (Server): Let’s talk securely. Here are the protocols and ciphers I understand. • Bob to Alice: I choose the protocols and ciphers. Here is my public key and some other stuff to make you believe it’s really my key. • Alice to Bob: Here is a fresh key encrypted with your public key so that only you can decipher it

  41. Problem • How does Alice actually know she is talking with Bob? • There could be a man in the middle (Diagram: Client, MIM, Web Server; both links labelled “HTTP with SSL/TLS”)

  42. Potential Solutions • Alice and Bob could physically exchange keys • impractical • Other choice: take advantage of the “some other stuff to make you believe it’s really my key.”

  43. What’s the “some other stuff”? • Someone Alice trusts could vouch to her for Bob and Bob’s key • A third party can certify Bob’s key in a way that convinces Alice. • That is what’s called a certificate.

  44. What is a certificate? • A certificate is a digitally-signed statement that binds a public key to some identifying information. • It’s the marriage of a name and a key • It’s like any other id – driver’s license, passport, etc. • Anything that binds together rights and identity

  45. What is a certificate? • to summarize, a certificate is just a statement by an issuer about a subject (diagram labels: Issuer, Subject)

  46. What’s in a certificate? • This is an incomplete list: • The domain for which the certificate was issued. • The legal owner of the certificate. • The physical location of the owner. • The validity dates of the certificate. • The server’s public key. • We’ll look at this in more detail later.

  47. Why are certs believable? • This is the idea of functional equivalence • Just as in the pen-and-paper world, • We need to believe it’s hard to forge the digital signature on a signed document • We need to trust the issuer/signer not to lie to us

  48. So, how does SSL with certs work? • Alice: Let’s talk securely. Here are the protocols and ciphers I understand. • Bob: I choose this protocol and ciphers. Here is my public key and a certificate to convince you that the key really belongs to me. • If Alice trusts the cert, she can send Bob a session key, encrypted with his public key, and the two can start talking.

  49. Getting a certificate • How does Bob get a certificate for his key? • He goes to a Certificate Authority (CA) that issues certificates and asks for one by filing a CSR (Certificate Signing Request) • The CA issues Bob a certificate for his public key. • CA is the issuer • Bob is the subject

  50. OK, so how do I create a CSR? • A CSR and the private key are created simultaneously. • Some web servers (including IIS) have wizards to create them • Alternatively, can use openssl
