Introduction to Computer Security

Similar documents
Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic Hash Functions Message Authentication Digital Signatures

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Authentication requirement Authentication function MAC Hash function Security of

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem

Hash Functions. Integrity checks

How encryption works to provide confidentiality. How hashing works to provide integrity. How digital signatures work to provide authenticity and

Public Key Cryptography Overview

SECURITY IN NETWORKS

Message Authentication

Digital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document?

Introduction to Cryptography CS 355

Message authentication and. digital signatures

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Introduction. Digital Signature

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Cryptography and Network Security Chapter 11. Fourth Edition by William Stallings

Network Security (2) CPSC 441 Department of Computer Science University of Calgary

One-Way Encryption and Message Authentication

Message Authentication Codes

7! Cryptographic Techniques! A Brief Introduction

Chapter 8 Security. IC322 Fall Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Chapter 7: Network security

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Cryptography Lecture 8. Digital signatures, hash functions

Data integrity and data origin authentication

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

Cryptography and Network Security

Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 Phone: 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

Computer Security: Principles and Practice

Implementation and Comparison of Various Digital Signature Algorithms. -Nazia Sarang Boise State University

Practice Questions. CS161 Computer Security, Fall 2008

CRYPTOGRAPHY IN NETWORK SECURITY

CIS433/533 - Computer and Network Security Cryptography

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

CS 348: Computer Networks. - Security; 30 th - 31 st Oct Instructor: Sridhar Iyer IIT Bombay

Lukasz Pater CMMS Administrator and Developer

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

Signature Schemes. CSG 252 Fall Riccardo Pucella

CSCE 465 Computer & Network Security

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Network Security. HIT Shimrit Tzur-David

Computer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University

Application Layer (1)

Lecture 9 - Network Security TDTS (ht1)

Overview of Public-Key Cryptography

Message Authentication Codes. Lecture Outline

Cryptography and Network Security Chapter 11

CS 758: Cryptography / Network Security

HASH CODE BASED SECURITY IN CLOUD COMPUTING

What is network security?

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

Digital Signatures. Meka N.L.Sneha. Indiana State University. October 2015

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Recommendation for Applications Using Approved Hash Algorithms

1 Signatures vs. MACs

Symmetric Key cryptosystem

Principles of Network Security

Introduction to Cryptography

Information Security

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Chapter 37. Secure Networks

Public Key (asymmetric) Cryptography

Chapter 9 Key Management 9.1 Distribution of Public Keys Public Announcement of Public Keys Publicly Available Directory

Crittografia e sicurezza delle reti. Digital signatures- DSA

Lecture 9: Application of Cryptography

Fundamentals of Computer Security

IT Networks & Security CERT Luncheon Series: Cryptography

Authentication, digital signatures, PRNG

Cryptography and Security

Chapter 6 Electronic Mail Security

Security and Authentication Primer

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, Page 1

Digital signatures. Informal properties

Understanding Digital Certificates and Wireless Transport Layer Security (WTLS)

Cryptography & Digital Signatures

Chapter 10. Network Security

CSE/EE 461 Lecture 23

Cryptography and Network Security

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Overview. SSL Cryptography Overview CHAPTER 1

Digital Signature CHAPTER 13. Review Questions. (Solution to Odd-Numbered Problems)

Authentication Application

SFWR ENG 4C03 - Computer Networks & Computer Security

Savitribai Phule Pune University

Cryptography and Network Security Chapter 15

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ MEng. Nguyễn CaoĐạt

Cryptography and Network Security Chapter 14

A Novel Secure Hash Algorithm for Public Key Digital Signature Schemes

Electronic Mail Security. Security. is one of the most widely used and regarded network services currently message contents are not secure

An Introduction to Cryptography as Applied to the Smart Grid

Hash Function JH and the NIST SHA3 Hash Competition

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

CS155. Cryptography Overview

Cryptography & Network Security

Transcription:

Introduction to Computer Security Hash Functions and Digital Signatures Pavel Laskov Wilhelm Schickard Institute for Computer Science

Integrity objective in a wide sense Reliability Transmission errors Corruption of stored data Security Manipulation of data in transmission Manipulation of stored data

Integrity checking: a general framework Compute a for the original message D = h(m), such that. P(D is corrupt) P(M is corrupt) To check the integrity of a message M at a later time, compute D = h(m ) and verify that D = D.

Hash functions Hash function converts large, variable size input into small, fixed size output. Applications: Efficient search (hash tables) Indexing of variable size data Finding duplicate entries Finding similar entries keys John Smith Lisa Smith Sam Doe Sandra Dee hash function Requirements: Efficiency: less that log 2 n comparisons Determinism: always maps the same input to the same output Small probability of collisions Uniformity: equal probability of output values hashes 00 01 02 03 04 05 : 15

Hash function design Fixed length (numeric) keys: Division method: h(k) = k mod m Multiplication method: h(k) = m(ka mod 1) Variable length keys (e.g. strings): Convert a string into a fixed number (e.g. add up all characters) Compute a hash of a fixed number Hash function reduces the dimension of the key set: Collisions are unavoidable!

A simple message application Hashing algorithm Alice Bob Hashing algorithm Transmit equal?

Insecurity of message Alice Eve Bob Hashing algorithm A A B B B A A B B B equal? B

authentication code (MAC) Hashing algorithm Alice Bob Hashing algorithm Transmit Shared secret Shared secret equal?

Secure hash function requirements Compression: h reduces M to a fixed size. For any M, h(m) is easy to compute. Preimage resistance: For any value D, it is computationally infeasible to find M such that D = h(m). Second preimage resistance: For any values D and M such that D = h(m), it is computationally infeasible to find M = M such that D = h(m ). Collision resistance: It is computationally infeasible to find any pair M 1, M 2 such that h(m 1 ) = h(m 2 ).

A birthday paradox How many people must be in a room for someone to have the same birthday as you?

A birthday paradox How many people must be in a room for someone to have the same birthday as you? (365)

A birthday paradox How many people must be in a room for someone to have the same birthday as you? (365) How many people must be in a room for some people to have the same birthday?

A birthday paradox How many people must be in a room for someone to have the same birthday as you? (365) How many people must be in a room for some people to have the same birthday? (23)

A birthday paradox How many people must be in a room for someone to have the same birthday as you? (365) How many people must be in a room for some people to have the same birthday? (23) Probability that n people have different birthdays is: ( P(n) = 1 1 1 ) ( 1 2 ) (... 1 n 1 ) 365 365 365 ) ) ) (e 365 1 (e 365 2... (e n 1 365 = e ( 365 1 + 365 2 +... n 1 365 ) e 2 365 n2 Solving for n and equating to 0.5, we obtain: n = 2 ln 2 365 = 22.54

Brute force attacks For an ideal hash function with the output size n, it should take 2 n operations to stage a second-preimage attack, 2 n/2 operation to stage a collision attack. A cryptographic strength of a hash function strongly depends on its output size.

A simple hash function x 1 x 2... x n IV + + + + Fix an initialization value IV. Compute intermediate states s 1 = IV + x 1 s i = s i 1 + x i, i = 2,..., n Output the final state s n as a hash value

Insecurity of a simple hash function Suppose the D is known. The IV can be found by sending the word (0, 0,..., 0). Then the message (IV, D, 0,..., 0) will produce the hash value D: the second preimage property is broken!

General design of a hash function x 1 x 2 x n IV f s 1 f s 2... f s n Iterated application of a compression function s i f (x i, s i 1 ) s 0 is initialized to some fixed IV Collision resistance of f implies collision resistance of a hash function (Merkle s principle).

MD5 algorithm Pad a message to a the length 448 mod 512, add message length as a 64-bit value. Initialize 4 32-bit registers A, B, C, D with pre-defined values. Divide each 512-bit block in 16 words w of length 32; for i = 1... 64, do: compute A + f i (B, C, D) add M i = w gi add K i = sin(i + 1) 2 32 shift left by s i positions Add B and save in B, C B, D C, A D Mi Ki A B C D <<< s F A B C D Proceed to the next block using the state A, B, C, D.

Insecurity of MD5 [1996]: H. Dobbertin demonstrated a collision of the compression function of MD5. [2004]: X. Wang and H. Yu showed a modular differential attack on the complete MD5 hash function. [2007]: M. Stevens, A. Lenstra and B. de Weger demonstrated a chosen prefix attack: given a prefix P, find suffixes S 1 and S 2 such that MD5 hashes of P S 1 and P S 2 are the same. [2008]: A. Sotirov et al. generated a rogue X.509 certificate to demonstrate practical consequences of MD5 vulnerability.

SHA-1 algorithm 160-bit output instead of 128 in MD5; 80 rounds per 512-bit block. Similar initialization and overall scheme. 16 initial words w i are extended into the total of 80 words, one per round: w i = (w i 3 w i 8 w i 14 w i 16 ) 1 Fixed constants and shifts per round. Best known collision attack requires 2 69 operations, compared to 2 80 by brute force. A B C D E F <<< 5 <<< 30 A B C D E W t K t

Authentication The reciever must verify the claimed identity of a sender. The sender cannot deny having sent a message. The reciever cannot have created the message himself.

Symmetric key signatures A,K A (B,P) Alice TTP K B (A,P,K T (A,P)) Bob Identity of A is proved to T by K A. The fact of A s sending a message is proved by K T (A, P). B cannot forge having received a message from A because he does not know K T.

Public key signatures Alice s computer Bob s computer P Alice s private key, K r A Alice s public key, K u A P D K r A (P) E K u A (D K r A (P)) Identity of A is proved by B s being able to encrypt a message with K u A. The fact of A s sending a message is proved by the existence of a message decrypted by K r A. B cannot forge having received a message from A because he cannot produce D K r A (M).

Digest signatures: DSS Alice s private key, K r A Alice s plaintext message M SHA-1 algorithm H ElGamal algorithm D K r A (H) Sent to Bob For efficiency reasons, public-key decryption is applied to a short of the plaintext message. ElGamal public-key encryption/decryption algorithm is used.

Digest signature application Private key Signature algorithm Alice Bob Hashing algorithm Transmit Public key Public key equal?

Digest signature attack Private key Signature algorithm Eve Bob Hashing algorithm Transmit Public key Public key equal?

Public key certificates A certificate is a binding between an entity name and its public key. Certificates are issued by a certification authority (CA), a trusted third party. A certificate is generated locally on a computer. To grant a certificate its validity, a CA signes it with its private key. Since the CA s public key is well known everybody can verify the validity of a certificate.

The structure of a X.509 certificate

Signature computation The signature in the X.509 certificate is computed as: where CA<<A>>= K CA [V, SN, AI, CA, T A, A, K + A ], V : X.509 version SN : certificate serial number AI : Algorithm ID CA : certificate authority name T A : validity timespan of the certificate K + A A : subject name : subject public key

Certificate chains D D F B F C E G A C E G If a client trusts a root CA, it uses a top-down trust chain to verify a target certificate: D<<B>> B<<C>> If a client trusts a local CA, e.g., G, is must traverse the certificate hierarchy: G<<F>> F<<D>> D<<B>> B<<C>>

Rogue certificate authority An attacker obtains a legitimate (end) certificate G D He creates a rogue certificate H and signs it with G as a CA E F G H

Rogue certificate authority An attacker obtains a legitimate (end) certificate G D He creates a rogue certificate H and signs it with G as a CA The use of certificates as CA is restricted by the extension field basicconstraints E F G H

Summary Integrity of data can be enforced by computing cryptografic hash functions (one-way, collision-resistant). Authentication and non-repudiation objectives are attained by digital signatures that combine public key cryptography with secure hashing. Binding of digital signatures to entities is achieved by putting the relevant information in X.509 certificate issued by a trusted certification authority (CA).

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information