Ch.20 Public-Key Cryptography and Message Authentication I will talk about it later in this class Final: Wen (5/13) 1630-1830 HOLM 248» give you a sample exam» Mostly similar to homeworks» no electronic devices: cell phone/pda/laptop/calculator» Open book/notes Extra credit project due on the same day of final Technical Details for Sec 2.2 to 2.4 secure hash functions and HMAC RSA & Diffie-Hellman Public-Key Algorithms 1 Public Key Cryptography Overview Message authentication authentication codes and hash functions Public key encryption: principles and algorithms Exchange of conventional keys Digital signatures Revisit key management 2 1
Recall Security Services (CIA) Confidentiality protection from passive attacks Integrity received as sent, no modifications, insertions, shuffling or replays Authentication you are who you claim you are Both message content and message source 3 Security Attacks On the Internet, nobody knows you re a dog - by Peter Steiner, New York, July 5, 1993 4 2
Security Attacks Active threats Masquerade Replay Modification of message contents Denial of service Message authentication helps prevent these! 5 What Is Message Authentication It s the source, of course! Procedure that allows communicating parties to verify that received messages are authentic Characteristics: source is authentic masquerading contents unaltered message modification timely sequencing replay 6 3
Can We Use Conventional Encryption? Yes, Only when sender and receiver share a key Include a time stamp Include an error detection code and a sequence number Active threats Masquerade Replay Modification of message contents Denial of service 7 Message Authentication Without Encryption: Fast! Append an authentication tag to a message Message read at the destination independent of the authentication function No message confidentiality 8 4
App. of Message Authentication w/o Confidentiality Application that broadcasts a message Broadcast to many different destinations only one destination needs to monitor for authenticity Too heavy a load to decrypt A control center collects massive amount of data random authentication checking Computer executables and files Do not need to decrypt every execution checked when assurance required 9 Life Without Authentication like airport without traffic control 10 5
Message Authentication Code Message Authentication Code (MAC) use a secret key to generate a small block of data that is appended to the message Assume: A and B share a common secret key K AB MAC M = F(K AB,M) 11 Message Authentication Code 12 6
Benefits of Message Authentication Code Receiver assured that message is not altered no modification Receiver assured that the message is from the alleged sender no masquerading Include a sequence number, assured proper sequence no replay 13 Message Authentication Code using DES DESis used to encrypt the message, and the last 16 or 32 bits is used as the MAC MACsneed not be reversible Less vulnerable to being broken than encryption Like Checksum Stands up to attack But there is an alternative... 14 7
One-Way Hash Function Hash functionis a building block of MAC accepts a variable size message M as input produces a fixed-size message digest H(M) as output No secret keyas input Message digest is sent with the message for authentication Produces a fingerprint of the message 15 One-Way Hash Function: method 1 Shared key Message digest H(M) Authenticity is assured 16 8
One-Way Hash Function: method 2 Digital signature No key distribution Less computation since message does not have to be encrypted 17 One-Way Hash Function Ideally We Would Like To Avoid Encryption Encryption software is slow Encryption hardware costs aren t cheap Hardware optimized toward large data sizes Algorithms covered by patents Algorithms subject to export control 18 9
One-Way Hash Function: method 3 secret value S AB MD M M MD M = H(S AB M) No encryption for message authentication Secret value never sent; can t modify the message Important technique for Digital Signatures 19 Weak Strong Hash Function Requirements 1. H can be applied to a block of data of any size 2. H produces a fixed length output 3. H(x) is relatively easy to compute 4. For any given code h, it is computationally infeasible to find x such that H(x) = h; (one way) 5. For any given block x, it is computationally infeasible to find y x with H(y) = H(x) (weak collision resistance) For a given block 6. It is computationally infeasible to find any pair (x,y) such that H(x) = H(y) (strong collision resistance) NOT a single pair 20 10
Simple Hash Functions secure (or one-way) hash function used in message authentication and digital signatures a hash functions processes an input block at a time in an iterative fashion Input: a sequence of n-bit blocks Processed: one block at a time, producing an n-bit hash Simplest: Bit-by-bit XOR of every block C Longitudinal redundancy check i = b i1 b i2 L b im 21 Bitwise XOR Problem: to easy to find the same H(x) for a different y E.g., Switch the order of two blocks Solution: Eliminate predictability of data One-bit circular shift: RXOR, randomizing Rotate the current hash value to the left by one bit 22 11
Secure Hash Algorithm (SHA) SHA-1, FIPS 180, (RFC3174) Developed by NIST in 1995 Input is processed in 512-bit blocks Produces as output a 160-bit message digest Every bit of the hash code is a function of every bit of the input Very secure, so far! --- WANG05: 2 80 2 69 NIST issued revised FIPS 180-2 in 2002 adds 3 additional versions: SHA-256, SHA-384, SHA-512 with 256/384/512-bit hash values same basic structure as SHA-1 but greater security NIST intend to phase out SHA-1 use in 2010 23 Comparison of SHA Parameters 24 12
SHA-512 Structure input a message with a max length of less than 2 128 bits output a 512-bit message digest Step 1: Append padding bits: Step 2: Append length: an unsigned 128-bit integer length of the original message (before padding). Step 3: Initialize hash buffer: 8 registers of 64-bit Step 4: Process the msg. in 1024-bit blocks, in 80 rounds Step 5: Output the final hash buffer value The SHA-512 algorithm has the property that every bit of the hash code is a function of every bit of the input. the difficulty of coming up with two messages having the same message digest is on the order of 2 256 operations 25 SHA-512 Secure Hash Function append padding bits append length compression function output Every bit of the hash code is a function of every bit of the input! 26 13
SHA-512 Secure Hash Function 27 Other Secure Hash Functions most based on iterated hash function design (Merkle 1979) Most follow basic structure of SHA-1 If the compression function is collision resistant, then so is the resultant iterated hash function Proven secure; new structures may bring new vulnerability MD5, Message Digest (RFC1321) most widely used hash until recently, Ron Rivest, 1992 produces 128-bit hash, now too small» Security of 128-bit hash code has become questionable (1996, 2004)» CPU is faster, 2^64 is not a big deal any more Whirlpool (EU NESSIE endorsed hash) developed by Vincent Rijmen & Paulo Barreto compression function is AES derived W block cipher produces 512-bit hash 28 14
keyed-hash Message Authentication Code (HMAC ) Needs of generate MAC (message authentication code) using a cryptographic hash Executes faster in software; No export restrictions Simultaneously verify integrity and authenticity due to fast speed and broad code availability Modifying secure hash function to generate MACs SHA was not designed for generating MACs HAMC incorporates a key into use of hash algorithm HMAC (RFC2104) widely supported used in IPsec, TLS & SET HMAC treats a hash as black box HMAC proven secure if embedded hash function has reasonable cryptographic strength 29 K + is padded K HMAC Structure 00110110 repeat Message, M (including any padding) Two generated secret keys output 01011100 repeat By passing S i and S o through the hash algorithm, we have pseudoradomly generated two keys from K. HMAC(K,M) = Hash[(K + XOR opad) Hash[(K + XOR ipad) M)] 30 15
Security of HMAC security based on underlying hash strength Security of MAC: prob of successful forgery with a given time and a given # of msg-mac pairs Attack 1: either attacker computes an output even with a random secret IV (unknown to attacker) brute force key O(2 n ), or use birthday attack Attack 2: attacker finds collisions in hash function even when the IV is random and secret i.e., find M and M' such that H(M) = H(M') birthday attack O(2 n/2 ) MD5 secure in HMAC due to the time limit to collect msg-mac pairs 31 Public Key Encryption Diffieand Hellman, New Directions In Cryptography 1976 First revolutionary advance in cryptography in thousands of years Based on mathematical functions, not bit manipulation Asymmetric, two separate key Profound effecton confidentiality, key distribution and authentication 32 16
Public Key Ingredients Plaintext: message input into the algorithm Encryption algorithm: transformations on plaintext Public & Private Key: pair of keys, one for encryption; one for decryption Ciphertext: scrambled message Decryption algorithm: produces original plaintext 33 Basic Steps of Encryption Each user generates a pair of keys: wiliki The public key goes in a public register The private key is kept private If Bob wishes to send a private message to Alice, Bob encrypts the message using Alice s public key When Alice receives the message, she decrypts using her private key 34 17
Public Key Encryption 35 Public Key Authentication 36 18
Public Key Applications Encryption/decryption encrypts a message with the recipient s public key Digital signature sender signs a message with private key Key Exchange two sides cooperate to exchange a session key 37 38 19
Requirements For Public Key, 1/2 Easy for party B to generate pairs: public key KU b ; private key KR b Easy for sender A to generate cipertext using public key: C = E KUb (M) Easy for receiver B to decrypt using the private key to recover original message M = D KRb (C) = D KRb [E KUb (M)] 39 Requirements For Public Key, 2/2 It is computationally infeasible for an opponent, knowing the public key KU b to determine the private key KR b It is computationally infeasible for an opponent, knowing the public key KU b and a ciphertext C, to recover the original message M Either of the two related keys can be used for encryption, with the other used for decryption M = D KRb [E KUb (M)]= D KUb [E KRb (M)] 40 20
RSA Algorithm Ron Rivest, Adi Shamir, Len Adleman 1977 Most widely accepted and implemented approach to public key encryption Block cipher, where message M and ciphertext C are integers between 0 and n-1 for some n Theory behind RSA: uses the exponentiation of integers modulo a prime Encryption: C = M e mod n Decryption: M = C d mod n = (M e ) d mod n = M ed mod n = M 1 mod n = M 41 RSA Algorithm Sender and receiver know the values of n and e but only the receiver knows the value of d Receiver s Public key: KU = {e,n} Receiver s Private key: KR = {d,n} 42 21
RSA Requirements It is possible to find values of e, d, n such that M ed = M mod n for all M < n It is relatively easy to calculate C = M e mod n, for all values of M < n It is infeasible to determine d, given e and n 43 RSA Algorithm: Key Generation 1. Select p,q p and q both prime 2. Calculate n = p x q 3. Calculate φ(n) = (p-1)(q-1) 4. Select integer e, such that gcd(φ(n), e) = 1; greatest common divisor, 1 < e < φ(n) 5. Calculate d d = e -1 mod φ(n) 6. Public Key KU = {e,n} 7. Private key KR = {d,n} 44 22
RSA Algorithm Encryption Plaintext: M<n Ciphertext: C = M e (mod n) Decryption Ciphertext: C Plaintext: M = C d (mod n) 45 RSA Example Select two prime numbers, p=7 and q=17 Calculate n = pq = 7 x 17 = 119 this is the modulus Calculate φ(n) = (p-1)(q-1) = 96 Euler totient Select e, such that e is relatively prime to φ(n) = 96 and less than φ(n); in this case, e= 5 Determine d such that de = 1 mod 96 and d<96 multiplicative inverse of e The correct value is d=77, because 77 x 5 = 385 = 4 x 96 + 1 46 23
RSA Example M C M e d 47 RSA Strength Brute force attack: try all possible keys the larger e and d, the more secure the larger the key, the slower the system mathematical attacks: factor n into two prime number For large n with large prime factors, factoring is a hard problem Cracked a 428 bit key in 1994 Currently 1024 key size is considered strong enough timing attacks on decryption implementation E.g., round on decrypting 1 is longer than that of 0 Defense uses constant time, random delays, blinding chosen ciphertext attacks (on RSA props) 48 24
Diffie-Hellman Key Exchange first public-key type scheme proposed in 1976 along with the exposition of public key concepts note: now know that Williamson (UK CESG) secretly proposed the concept in 1970 practical method to set up a secret key Allows two separate keys» Compute discrete logarithms Exchange keys securely: Key exchange algorithm using public and private values security relies on difficulty of computing discrete logarithms Mathematical functions rather than simple operations on bit patterns 49 Diffie-Hellman used in a number of commercial products Some misconceptions about public key cryptography, corrected NOT more secure than symmetric key Does NOT Makes symmetric key obsolete Central agent is needed for both in key distribution» KDC for symmetric encryption» Certificate Agency (CA) for public key certificate 50 25
discrete logarithm a is a primitive root of p if a mod p, a 2 mod p, a 3 mod p,, a p-1 mod p, are distinct, and consist of the integers from 1 through (p-1) in some order For integer b < p, we find b = a i mod p, where 0 i p-1 Then, i is referred to as the discrete logarithm of b, for base a and modulus p Denoted as dlog a,p (b) It is hard to calculate i, for given b = (a i mod p) 51 Diffie-Hellman Key Exchange Enables two users to exchange info to build a shared secret 52 26
Key Exchange Protocols Insecure against man-in-the-middle attack can not authenticate the source 53 Diffie-Hellman Key Exchange key setup Pick secret, random X Pick secret, random Y Alice a x mod p a y mod p Bob Compute shared secret k=(a y ) x =a xy mod p Compute shared secret k=(a x ) y =a xy mod p 54 27
have Diffie-Hellman Example prime number q = 353 primitive root α = 3 A and B each compute their public values A computes Y A = 3 97 mod 353 = 40 B computes Y B = 3 233 mod 353 = 248 exchange public values and compute secret key: for A: K = (Y B ) XA mod 353 = 248 97 mod 353 = 160 for B: K = (Y A ) XB mod 353 = 40 233 mod 353 = 160 attacker must solve: 3 a mod 353 = 40, which is hard desired answer is 97, then compute key as B does 55 attack is: Man-in-the-Middle Attack 1. Darth generates private keys X D1 & X D2, and their public keys Y D1 & Y D2 2. Alice transmits Y A to Bob 3. Darth intercepts Y A and transmits Y D1 to Bob. Darth also calculates K2 4. Bob receives Y D1 and calculates K1 5. Bob transmits X A to Alice 6. Darth intercepts X A and transmits Y D2 to Alice. Darth calculates K1 7. Alice receives Y D2 and calculates K2 all subsequent communications compromised 56 28
Other Public-Key Algorithms Digital Signature Standard (DSS) FIPS PUB 186 from 1991, revised 1993 & 96 makes use of SHA-1 presents a new digital signature algorithm (DSA) Only used for digital signatures, not encryption or key exchange Elliptic Curve Cryptography (ECC) it is beginning to challenge RSA Equal security for a far smaller bit size than RSA still very new, but promising: Confidence level is not as high yet seen in standards such as IEEE P1363 based on a mathematical construct known as the elliptic curve 57 Summary discussed technical detail concerning: secure hash functions and HMAC RSA & Diffie-Hellman Public-Key Algorithms 58 29
Final: Wen (5/13) 1630-1830 HOLM 248 Return hws sample exam Sample questions for Ch.19 and Ch.20 Mostly similar to homework questions and problems no electronic devices: cell phone/pda/laptop/calculator Open book/notes Extra credit project due on the same day of final Requirements: A written report include three basic components: Description of the installation of the system and present sufficient proof that the system running correctly propose to use the tool to perform specific tasks and methods to collect data traces for these tasks Analysis the collected data, and draw conclusions from your data Class evaluation 59 30