Public-Key Cryptography and Message Authentication

Transcription

1 Public-Key Cryptography and Message Authentication (Most of the slides were provided by: Henric Johnson, Blekinge Institute of Technology, Sweden) 1 OUTLINE Approaches to Message Authentication Secure Hash Functions and HMAC Public-Key Cryptography Principles Public-Key Cryptography Algorithms Digital Signatures Key Management 2

2 Authentication Requirements - must be able to verify that: 1. Message came from apparent source or author, 2. Contents have not been altered, 3. Sometimes, it was sent at a certain time or sequence. Protection against active attack (falsification of data and transactions) 3 Approaches to Message Authentication Authentication Using Conventional Encryption Only the sender and receiver should share a key Message Authentication Code Calculate the MAC as a function of the message M and the secret key K. MAC = F(K, M) is appended to message. 4

3 5 One-way HASH function 6

4 One-way HASH function Secret value is added before the hash and removed before transmission. 7 Secure HASH Functions Purpose of the HASH function is to produce a fingerprint. Properties of a HASH function H : 1. H can be applied to a block of data of any size 2. H produces a fixed length output 3. H(x) is easy to compute for any given x. 4. For any given code h, it is computationally infeasible to find x such that H(x) = h 5. For any given block x, it is computationally infeasible to find y x with H(y) = H(x). 6. It is computationally infeasible to find any pair (x, y) such that H(x) = H(y) (to withstand birthday attacks) 8

5 Simple Hash Function One-bit circular shift on the hash value after each block is processed would improve 9 Message Digest Generation Using SHA-1 10

6 SHA-1 Processing of single 512-Bit Block 11 Other Secure HASH functions SHA-1 MD5 RIPEMD- 160 Digest length 160 bits 128 bits 160 bits Basic unit of processing 512 bits 512 bits 512 bits Number of steps 80 (4 rounds of 20) 64 (4 rounds of 16) 160 (5 paired rounds of 16) Maximum message size bits 12

7 HMAC Use a MAC derived from a cryptographic hash code, such as SHA-1. Motivations: Cryptographic hash functions executes faster in software than encryptoin algorithms such as DES Library code for cryptographic hash functions is widely available No export restrictions from the US 13 HMAC Structure 14

8 Public-Key Cryptography Principles The use of two keys has consequences in: key distribution, confidentiality and authentication. The scheme has six ingredients (see Figure 3.7) Plaintext Encryption algorithm Public and private key Ciphertext Decryption algorithm 15 Encryption using Public- Key system 16

9 Authentication using Public- Key System 17 Applications for Public-Key Cryptosystems Three categories: Encryption/decryption: The sender encrypts a message with the recipient s public key. Digital signature: The sender signs a message with its private key. Key exchange: Two sides cooperate to exhange a session key. 18

10 Requirements for Public- Key Cryptography 1. Computationally easy for a party B to generate a pair (public key KUb, private key KR b ) 2. Easy for sender to generate ciphertext: C = EKUb(M) 3. Easy for the receiver to decrypt ciphertect using private key: M = D ( C) D [ E ( M )] KRb = KRb KUb 19 Requirements for Public- Key Cryptography 4. Computationally infeasible to determine private key (KR b ) knowing public key (KU b ) 5. Computationally infeasible to recover message M, knowing KU b and ciphertext C 6. Desireable: Either of the two keys can be used for encryption, with the other used for decryption: M= D [ E ( M)] D [ E ( M)] KRb KUb = KUb KRb 20

11 Public-Key Cryptographic Algorithms RSA - Ron Rivest, Adi Shamir and Len Adleman at MIT, in RSA is a block cipher The most widely implemented Based on difficulty of factorising Diffie-Hellman Exchange a secret key securely Based on difficulty to compute discrete logarithms 21 Public key: (e,n) Private key: (d,n) RSA Encryption: Plaintext: M [0, n-1] (A long message has to be broken into a series of smaller messages) Ciphertext: C = M e (mod n) Decryption: Ciphertext: C Plaintext: M = C d (mod n) 22

12 RSA (cont.) Enciphering and deciphering functions are mutual inverses: M = C d mod n = ((M e ) d ) mod n = ((M d ) e ) mod n = (M ed ) mod n => RSA scheme can be used for secrecy and authenticity (digital signatures) 23 The RSA Algorithm Generation Key 1. Select p,q p and q both prime 2. Calculate n = p x q 3. Calculate Φ( n) = ( p 1)( q 1) 4. Select integer e gcd( Φ( n), e) = 1;1 < e < Φ( n) 5. Calculate d d * e modφ( n) = 1 6. Public Key KU = {e,n} 7. Private key KR = {d,n} 24

13 Example of RSA Algorithm 25 Example 2 -RSA Choosing keys: p = 5, q = 7 => n = 5*7 = 35, (p-1) * (q-1) = 24 Since gcd (11, 24) =1 => we can choose e=11 Since 11*11 mod 24 = 121 mod 24 =1 => d =11 26

14 Example 2 -RSA Encryption: m = 3, then C = m e mod n = 3 11 mod 35 = ( mod 35) = (3 5 mod 35) 2 * 3 mod 35) = (( 3 2 mod 35) 2 * 3 mod 35) 2 * 3 mod 35 = 12 (Note: (a*b) mod n = ((a mod n) * (b mod n) ) mod n ) Decryption: C d mod n = mod 35 = 3 = m 27 RSA - Crytanalysis Brute-force (not feasible for large keys) Factorising n into prime factors (sub-exponential effort exp(sqrt(ln(n) *ln(ln(n)))) ) 1024 bit key size currently considered as strong Risk: Fast factorising algorithm for quantum computers 28

15 Diffie-Hellman Key exchange Global Public Elements: q: prime number α: α < q and α is a primitive root of q [If α is a primitive root of prime number p, then the numbers: α mod p, α 2 mod p,, α p-1 mod p are distinct and are a permutation of {1..p-1}. For any integer b<p, primitive root α of prime number p, one can find unique exponent i (discrete logarithm), such that b= α i mod p, 0= i = (p-1) ] 29 Diffie-Hellmann (cont.) User A Key Generation: Select private X A X A < q Calculate public Y A Y A = α X A mod q 30

16 Diffie-Hellmann (cont.) User B Key Generation: Select private X B X B < q Calculate public Y B Y B = α X B mod q 31 Diffie-Hellmann (cont.) Generation of Secret Key by User A: K = (Y B ) X A mod q = (α X B) X A mod q= α X B* X A mod q Generation of Secret Key by User B: K = (Y A ) X B mod q = (α X A) X B mod q = α X A* X B mod q 32

17 Diffie-Hellman Key Exchange q: prime number, α: primitive root of q K = α X A X B mod q No authentication of partners, man-in-the-middle attack possible! 33 Other Public-Key Cryptographic Algorithms Digital Signature Standard (DSS) Makes use of the SHA-1 Not for encryption or key echange Elliptic-Curve Cryptography (ECC) Security for much smaller key size Low confidence level, compared with RSA Very complex 34

18 Key Management, Public-Key Certificate Use 35 Hybrid Encryption Scheme Bob wishes to communicate with Alice: 1. Prepare a message 2. Encrypt message using symmetric encryption and one-time session key 3. Encrypt session key with Alice s public key 4. Attach encrypted session key to the message and send it to Alice => Advantages: fast and secure symmetric encryption, key exchange with no risk of man in the middle attack 36