250 likes | 463 Views
IE MS5710 Message Authentication and Digital Signature. 26 Feb 20 13 Prof. CHAN Yuen-Yan, Rosanna Department of Information Engineering The Chinese University of Hong Kong. Message Authentication. message authentication is concerned with: protecting the integrity of a message
E N D
IEMS5710Message Authentication and Digital Signature 26 Feb 2013 Prof. CHAN Yuen-Yan, Rosanna Department of Information Engineering The Chinese University of Hong Kong
Message Authentication message authentication is concerned with: protecting the integrity of a message validating identity of originator non-repudiation of origin (dispute resolution) Possible attacks on messages content modification sequence modification timing modification source repudiation destination repudiation masquerade Three often-used functions: hash function message encryption message authentication code (MAC) IEMS5710 - Lecture 6
Hash Functions condenses arbitrary message to fixed size h = H(M) usually assume hash function is public hash used to detect changes to message want a cryptographic hash function computationally infeasible to find data mapping to specific hash (one-way property) computationally infeasible to find two data to same hash (collision-free property) IEMS5710 - Lecture 6
Cryptographic Hash Function • can use block ciphers as hash functions IEMS5710 - Lecture 6
Secure Hash Algorithm SHA originally designed by NIST & NSA in 1993 was revised in 1995 as SHA-1 US standard for use with DSA signature scheme standard is FIPS 180-1 1995, also Internet RFC3174 nb. the algorithm is SHA, the standard is SHS (Secure Hash Standard) produces 160-bit hash values recent 2005 results on security of SHA-1 have raised concerns on its use in future applications IEMS5710 - Lecture 6
Revised Secure Hash Standard NIST adds 3 additional versions of SHA in 2002 SHA-256, SHA-384, SHA-512 designed for compatibility with increased security provided by the AES cipher structure & detail is similar to SHA-1 hence analysis should be similar but security levels are rather higher IEMS5710 - Lecture 6
SHA Versions IEMS5710 - Lecture 6
SHA-512 Overview IEMS5710 - Lecture 6
Symmetric Message Encryption encryption can also provides authentication: if symmetric encryption is used then: receiver knows sender must have created it since only sender and receiver know key used, content cannot have been altered if message has suitable structure, redundancy or a checksum to detect any changes IEMS5710 - Lecture 6
Message Authentication Code (MAC) generated by an algorithm that creates a small fixed-sized block depending on both message and some key like encryption though need not be reversible appended to message as a signature receiver performs same computation on message and checks it matches the MAC provides assurance that message is unaltered and comes from sender IEMS5710 - Lecture 6
Message Authentication Code • a small fixed-sized block of data • generated from message + secret key • MAC = C(K,M) • appended to message when sent IEMS5710 - Lecture 6
MAC Properties a MAC is a cryptographic checksum MAC = CK(M) condenses a variable-length message M using a secret key K to a fixed-sized authenticator is a many-to-one mapping function potentially many messages have same MAC but finding these needs to be very difficult IEMS5710 - Lecture 6
Requirements for MACs taking into account the types of attacks need the MAC to satisfy the following: knowing a message and MAC, is infeasible to find another message with same MAC MACs should be uniformly distributed MAC should depend equally on all bits of the message IEMS5710 - Lecture 6
Authenticated Encryption IEMS5710 - Lecture 6 • simultaneously protect confidentiality and authenticity of communications • often required but usually separate • approaches • Hash-then-encrypt: E(K, (M || H(M)) • MAC-then-encrypt: E(K2, (M || MAC(K1, M)) • Encrypt-then-MAC: (C=E(K2, M), T=MAC(K1, C) • Encrypt-and-MAC: (C=E(K2, M), T=MAC(K1, M) • Cipher Block Chaining-Message Authentication Code (CCM) • NIST standard SP 800-38C for WiFi • variation of encrypt-and-MAC approach
Digital Signatures have looked at message authentication but does not address issues of lack of trust digital signatures provide the ability to: verify author, date & time of signature authenticate message contents be verified by third parties to resolve disputes hence include authentication function with additional capabilities IEMS5710 - Lecture 6
Public-Key Message Encryption (e.g. RSA) The RSA Digital Signature if public-key cryptography is used: sender “signs” message (encrypt) using their private-key (optional: then encrypts with recipients public key) To verify the signature (Optional: after decrypting the message with receiver’s private key, if this optional encryption step has been taken by the sender) “Decrypt” with sender’s (i.e. the signer’s) public key Verify if the decrypted content equals original message IEMS5710 - Lecture 6
Digital Signature Model IEMS5710 - Lecture 6
Digital Signature Model (verifying) (signing) IEMS5710 - Lecture 6
Direct Digital Signatures involve only sender (the signer) & receiver (the verifier) assumed receiver has sender’s public-key digital signature made by sender signing entire message or hash with private-key (can then be encrypted using receivers public-key) (important that sign first then encrypt message & signature) security depends on sender’s private-key IEMS5710 - Lecture 6
Digital Signature Requirements must depend on the message signed must use information unique to sender to prevent both forgery and denial must be relatively easy to produce must be relatively easy to verify be computationally infeasible to forge with new message for existing digital signature with fraudulent digital signature for given message IEMS5710 - Lecture 6
Attacks and Forgeries IEMS5710 - Lecture 6 • attacks • key-only attack • known message attack • generic chosen message attack • directed chosen message attack • adaptive chosen message attack • break success levels • existential forgery • selective forgery • total break
ElGamal Digital Signatures signature variant of ElGamal, related to D-H so uses exponentiation in a finite (Galois) with security based difficulty of computing discrete logarithms, as in D-H use private key for signing uses public key for verification each user (eg. A) generates their key chooses a secret key (number): 1 < xA < q-1 compute the public key(q,a,yA) where yA = axA mod q IEMS5710 - Lecture 6
ElGamal Digital Signature Alice signs a message M to Bob by computing the hash m = H(M), 0 <= m <= (q-1) chose random integer K with 1 <= K <= (q-1) and gcd(K,q-1)=1 compute temporary key: S1 = aK mod q compute K-1the inverse of K mod (q-1) compute the value: S2 = K-1(m-xAS1) mod (q-1) signature is:(S1,S2) any user B can verify the signature by computing V1 = am mod q V2 = yAS1S1S2 mod q signature is valid if V1 = V2 Note: from Fermat’s little theorem, ai≡ aj (mod q) iff i ≡ j (mod q – 1) IEMS5710 - Lecture 6
ElGamal Signature Example use field GF(19) q=19 and a=10 Alice computes her key: A chooses xA=16 & computes yA=1016 mod 19 = 4 Alice signs message with hash m=14 as (3,4): choosing random K=5 which has gcd(18,5)=1 computing S1 = 105 mod 19 = 3 finding K-1 mod (q-1) = 5-1 mod 18 = 11 computing S2 = 11(14-16∙3) mod 18 = 4 any user B can verify the signature by computing V1 = 1014 mod 19 = 16 V2 = 43 ∙34 = 5184 = 16 mod 19 since 16= 16signature is valid IEMS5710 - Lecture 6
References • William Stallings, Cryptography and Network Security Principles and Practices, 5/e, Pearson • Chapter 11 • Chapter 12 • Chapter 13 IEMS5710 - Lecture 6