CS549: Cryptography and Network Security

Similar documents
Authentication Applications

Cryptography and Network Security Digital Signature

Digital Signature. Raj Jain. Washington University in St. Louis

Cryptography and Network Security Chapter 14

Cryptography and Network Security Chapter 14. Key Distribution. Key Management and Distribution. Key Distribution Task 4/19/2010

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Authentication requirement Authentication function MAC Hash function Security of

Chapter 4. Authentication Applications. COSC 490 Network Security Annie Lu 1

Key Management and Distribution

Key Management and Distribution

Overview of Public-Key Cryptography

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

CSCE 465 Computer & Network Security

Authentication Applications

Introduction to Cryptography

Introduction to Network Security Key Management and Distribution

2. Cryptography 2.4 Digital Signatures

Introduction to Cryptography CS 355

Signature Schemes. CSG 252 Fall Riccardo Pucella

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

Message authentication and. digital signatures

CS 392/681 - Computer Security

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Overview. SSL Cryptography Overview CHAPTER 1

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

Public Key (asymmetric) Cryptography

Digital signatures. Informal properties

Crittografia e sicurezza delle reti. Digital signatures- DSA

1 Signatures vs. MACs

associate professor BME Híradástechnikai Tanszék Lab of Cryptography and System Security (CrySyS)

Key Management. CSC 490 Special Topics Computer and Network Security. Dr. Xiao Qin. Auburn University

Cryptography and Network Security

Authentication Application

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Chapter 9 Key Management 9.1 Distribution of Public Keys Public Announcement of Public Keys Publicly Available Directory

CS 356 Lecture 28 Internet Authentication. Spring 2013

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 14 Key Management and Distribution.

SSL/TLS: The Ugly Truth

Public Key Infrastructure

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, Page 1

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Authentication, digital signatures, PRNG

Ciphermail S/MIME Setup Guide

Introduction. Digital Signature

7 Key Management and PKIs

DIGITAL SIGNATURES 1/1

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1

A Security Flaw in the X.509 Standard Santosh Chokhani CygnaCom Solutions, Inc. Abstract

Cryptography and Network Security Chapter 15

CALIFORNIA SOFTWARE LABS

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

Understanding Digital Certificates and Secure Sockets Layer (SSL)

PGP from: Cryptography and Network Security

SECURITY IN NETWORKS

Public Key Infrastructure (PKI)

Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

How To Encrypt Data With Encryption

Digital Signatures. Prof. Zeph Grunschlag

Understanding digital certificates

Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 15.1

Efficient construction of vote-tags to allow open objection to the tally in electronic elections

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

VoteID 2011 Internet Voting System with Cast as Intended Verification

Digital Signatures. Meka N.L.Sneha. Indiana State University. October 2015

CRYPTOGRAPHY IN NETWORK SECURITY

A New Generic Digital Signature Algorithm

Public Key Encryption and Digital Signature: How do they work?

Digital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document?

Computer Science A Cryptography and Data Security. Claude Crépeau

Lukasz Pater CMMS Administrator and Developer

A Noval Approach for S/MIME

Chapter 6 Electronic Mail Security

Content Teaching Academy at James Madison University

Computer and Network Security. Outline

Capture Resilient ElGamal Signature Protocols

WiMAX Public Key Infrastructure (PKI) Users Overview

Grid Computing - X.509

Chapter 8 Security. IC322 Fall Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

SBClient SSL. Ehab AbuShmais

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Lecture 9: Application of Cryptography


Digital Signatures. What are Signature Schemes?

Electronic Mail Security. Security. is one of the most widely used and regarded network services currently message contents are not secure

EXAM questions for the course TTM Information Security May Part 1

Computer Security: Principles and Practice

Network Security Essentials Chapter 7

What Are Certificates?

Understanding Digital Certificates & Secure Sockets Layer (SSL): A Fundamental Requirement for Internet Transactions

Public Key Cryptography. c Eli Biham - March 30, Public Key Cryptography

Transcription:

CS549: Cryptography and Network Security by Xiang-Yang Li Department of Computer Science, IIT Cryptography and Network Security 1

Notice This lecture note (Cryptography and Network Security) is prepared by Xiang-Yang Li. This lecture note has benefited from numerous textbooks and online materials. Especially the Cryptography and Network Security 2 nd edition by William Stallings and the Cryptography: Theory and Practice by Douglas Stinson. You may not modify, publish, or sell, reproduce, create derivative works from, distribute, perform, display, or in any way exploit any of the content, in whole or in part, except as otherwise expressly permitted by the author. The author has used his best efforts in preparing this lecture note. The author makes no warranty of any kind, expressed or implied, with regard to the programs, protocols contained in this lecture note. The author shall not be liable in any event for incidental or consequential damages in connection with, or arising out of, the furnishing, performance, or use of these. Cryptography and Network Security 2

Cryptography and Network Security Digital Signature Xiang-Yang Li Cryptography and Network Security 3

Digital Signature Cryptography and Network Security 4

Digital Signatures have looked at message authentication but does not address issues of lack of trust digital signatures provide the ability to: verify author, date & time of signature authenticate message contents be verified by third parties to resolve disputes hence include authentication function with additional capabilities Cryptography and Network Security 5

Digital Signature Properties must depend on the message signed must use information unique to sender to prevent both forgery and denial must be relatively easy to produce must be relatively easy to recognize & verify be computationally infeasible to forge with new message for existing digital signature with fraudulent digital signature for given message be practical save digital signature in storage Cryptography and Network Security 6

Securities A total break results in the recovery of the signing key. A universal forgery attack results in the ability to forge signatures for any message. A selective forgery attack results in a signature on a message of the adversary's choice. An existential forgery merely results in some valid message/signature pair not already known to the adversary. Cryptography and Network Security 7

Classification of Digital Signature Undeniable --- need signer to interact Fail-Stop Blind One-time Multi-party (group signature) (n,k)-multi-party Oblivious Multi-undeniable Cryptography and Network Security 8

Algorithm and legal concerns several prior requirements quality algorithms. Some public key algorithms are known to be insecure, practicable attacks against them having been identified. quality implementations. An implementation of a good algorithm with mistake(s) will not work. (about 1 defect per 1,000 lines). the private key must remain actually secret; if it becomes known to some other party, that party can produce perfect digital signatures of anything whatsoever. distribution of public keys must be done in such a way that the public key claimed to belong to Bob actually belongs to Bob, and vice versa. This is commonly done using a public key infrastructure and the public key user association is attested by the operator of the PKI (called a certificate authority). For 'open' PKIs in which anyone can request such an attestation, the possibility of mistake is non trivial. users (and their software) must carry out the signature protocol properly. Legal concerns Cryptography and Network Security 9

Direct Digital Signatures involve only sender & receiver assumed receiver has sender s public-key digital signature made by sender signing entire message or hash with private-key can encrypt using receivers public-key important that sign first then encrypt message & signature security depends on sender s private-key Cryptography and Network Security 10

Arbitrated Digital Signatures involves use of arbiter A validates any signed message then dated and sent to recipient requires suitable level of trust in arbiter can be implemented with either private or public-key algorithms arbiter may or may not see message Cryptography and Network Security 11

From wikipedia Cryptography and Network Security 12

RSA signature N=p q,where p and q are large primes Alice s private key (e,n), Alice s public key (d,n) Signature of message m by Alice S=H(m) e mod n Verification of signature by Bob Check if h(m) = S d mod n Cryptography and Network Security 13

Cont. Typically d is chosen small (3 or 2 16 +1) Problem: Easy to create the signature of h(m 1 )h(m 2 ) RSA-PSS Use some more randomization to enhance security It was added in version 2.1 of PKCS #1 (see RFC 3447). Cryptography and Network Security 14

ElGamal Signature Global public components Prime number p with 512-1024 bits Primitive element g in Z p Users private key Random integer x less than p Users public key Integer y=g x mod p Cryptography and Network Security 15

Elgamal Signature For each message M, generates random k Computes r=g k mod p Computes s=k -1 (H(M)-xr) mod (p-1) Signature is (r,s) Verifying Computes v 1 =g H(M) mod p Computes v 2 =y r r s mod p Test if v 1 = v 2 Cryptography and Network Security 16

Proof of Correctness Computes v 2 =y r r s mod q So v 2 =y r r s mod q =g xr g ks mod p = g xr+k k-1 (H(M)-xr) mod (p-1) mod p =g H(M) mod p=v 1 Notice that here it uses Fermat theorem to show That g (H(M)-xr) mod (p-1) mod p = g (H(M)-xr) mod p Cryptography and Network Security 17

Cont. The main disadvantage of ElGamal is the need for randomness (sometimes it is good), and its slow speed (especially for signing). Another potential disadvantage of the ElGamal system is that message expansion by a factor of two takes place during encryption. However, such message expansion is negligible if the cryptosystem is used only for exchange of secret keys. Cryptography and Network Security 18

Digital Signature Standard FIPS PUB 186 by NIST, 1991 Final announcement 1994 It uses Secure Hashing Algorithm (SHA) for hashing Digital Signature Algorithm (DSA) for signature The hash code is set as input of DSA The signature consists of two numbers DSA Based on the difficulty of discrete logarithm Based on Elgamal and Schnorr system Cryptography and Network Security 19

DSA Global public components Prime number p with 512-1024 bits Prime divisor q of (p-1) with 160 bits Integer g=h (p-1)/q mod p Users private key Random integer x less than q Users public key Integer y=g x mod p Cryptography and Network Security 20

DSA Signature For each message M, generates random k Computes r=(g k mod p) mod q Computes s=k -1 (H(M)+xr) mod q Signature is (r,s) Verifying Computes w=s -1 mod q, u 1 =H(M)w mod q Computes u 2 =rw mod q,v=(g u 1y u 2 mod p) mod q Test if v=r Cryptography and Network Security 21

Proof of Correctness Notice that v=(g u 1y u 2 mod p) mod q =(g H(M)w mod q y rw mod q mod p) mod q =(g H(M)w mod q g xrw mod q mod p) mod q =(g H(M)w +xrw mod q mod p) mod q =(g (H(M)+xr)w mod q mod p) mod q =(g (H(M)+xr)k(H(M)+xr)-1 mod q mod p) mod q =(g k mod p) mod q =r Cryptography and Network Security 22

In practice (Sun Java Library) g = F7E1A085D69B3DDE CBBCAB5C36B857B9 7994AFBBFA3AEA82 F9574C0B3D078267 5159578EBAD4594F E67107108180B449 167123E84C281613 B7CF09328CC8A6E1 3C167A8B547C8D28 E0A3AE1E2BB3A675 916EA37F0BFA2135 62F1FB627A01243B CCA4F1BEA8519089 A883DFE15AE59F06 928B665E807B5525 64014C3BFECF492A p = FD7F53811D751229 52DF4A9C2EECE4E7 F611B7523CEF4400 C31E3F80B6512669 455D402251FB593D 8D58FABFC5F5BA30 F6CB9B556CD7813B 801D346FF26660B7 6B9950A5A49F9FE8 047B1022C24FBBA9 D7FEB7C61BF83B57 E7C6A8A6150F04FB 83F6D3C51EC30235 54135A169132F675 F3AE2B61D72AEFF2 2203199DD14801C7 q = 9760508F15230BCC B292B982A2EB840B F0581CF5 Here g and p have 1024 bits, while q has 160 bits. They fulfill the requirement that g q = 1 mod p, Cryptography and Network Security 23

Note Can we use the random number k twice? What will happen if k used twice? We have r=(g k mod p) mod q s 1 =k -1 (H(M 1 )+xr) mod q and s 2 =k -1 (H(M 2 )+xr) mod q We have s 1 - s 2 =k -1 (H(M 1 )-H(M 2 )) mod q Another attack (for OpenPGP) Replace p and g http://www.tigertools.net/board/?topic=topic4&msg=14 http://www.orlingrabbe.com/dsaflaw_openpgp.htm Cryptography and Network Security 24

Cont. We cannot use small k Cryptography and Network Security 25

Non-deterministic Non-determined signatures For each message, many valid signatures exist DSA, Elgamal Deterministic signatures For each message, one valid signature exists RSA Cryptography and Network Security 26

Comparisons Speed DSS has faster signing than verifying RSA could have faster verifying than signing Message be signed once, but verified many times This prefers the faster verification But the signer may have limited computing power Example: smart card This prefers the faster siging Cryptography and Network Security 27

Blind Signature (digital cash) first introduced by Chaum, allow a person to get a message signed by another party without revealing any information about the message to the other party. Suppose Alice has a message m that she wishes to have signed by Bob, and she does not want Bob to learn anything about m. Let (n,e) be Bob's public key and (n,d) be his private key. Alice generates a random value r such that gcd(r, n) = 1 and sends x = (r e m) mod n to Bob. The value x is ``blinded'' by the random value r; hence Bob can derive no useful information from it. Bob returns the signed value t = x d mod n to Alice. Since x d (r e m) d r m d mod n, Alice can obtain the true signature s of m by computing s = r -1 t mod n. Cryptography and Network Security 28

Security Concerns GnuPG permits creating ElGamal keys are usable for both encryption and signing. It is even possible to have one key (the primary one) used for both operations. This is not considered good cryptographic practice, but is permitted by the OpenPGP standard. signature is much larger than a RSA or DSA signature verification and creation takes far longer and the use of ElGamal for signing has always been problematic due to a couple of cryptographic weaknesses when not done properly. Cryptography and Network Security 29

Applications of Blind Signature In an online context the blind signature works as follows. Voters encrypt their ballot with a secret key and then blinds it. Then the voter signs the encrypted vote and sends it to the validator. The validator checks to see if the signature is valid (the signature acts as a I.D. tag and will have to be registered with the voter before the voting process has started) and if it is the validator signs it and returns it to the voter. The voter removes the blinding encryption layer, which then leaves behind an encrypted ballot with the validator's signature. Cryptography and Network Security 30

Cont. This is then sent to the tallier who checks to make sure the validator's signature is present on the votes. He then waits until all votes haven been collected and then publishes all the encrypted votes so that the voters can verify their votes have been received. The voters then send their keys to the tallier to decrypt their ballots. Once the vote has been counted the tallier publishes the encrypted votes and the decryption keys so that voters can then verify the results. Next we illustrate the transfer of ballots between the various parties. Cryptography and Network Security 31

Cont. Cryptography and Network Security 32

Cont, This protocol has been implemented used in reality and has been found that the entire voting process can be completed in a matter of minutes despite the complex nature of the voting procedure. Most of the tasks can be automated with the only user interaction needed being the actual vote casting. Encryption, blinding and all the verification needed can be performed by software in the background. Of course we'd have to trust this software to handle the voting procedures correctly and accurately and to assume it has not been compromised in some way. Cryptography and Network Security 33

Cryptography and Network Security Certificate Xiang-Yang Li Cryptography and Network Security 34

Certificate A public-key certificate is a digitally signed statement from one entity, saying that the public key (and some other information) of another entity has some specific value. Cryptography and Network Security 35

More terms Digitally Signed If some data is digitally signed it has been stored with the "identity" of an entity, and a signature that proves that entity knows about the data. The data is rendered unforgeable by signing with the entitys' private key. Identity A known way of addressing an entity. In some systems the identity is the public key, in others it can be anything from a Unix UID to an Email address to an X.509 Distinguished Name. Entity An entity is a person, organization, program, computer, business, bank, or something else you are trusting to some degree. Cryptography and Network Security 36

More about CA Why need it In a large-scale networked environment it is impossible to guarantee that prior relationships between communicating entities have been established or that a trusted repository exists with all used public keys. Certificates were invented as a solution to this public key distribution problem. Now a Certification Authority (CA) can act as a Trusted Third Party. CAs are entities (e.g., businesses) that are trusted to sign (issue) certificates for other entities. It is assumed that CAs will only create valid and reliable certificates as they are bound by legal agreements. There are many public Certification Authorities, such as VeriSign, Thawte, Entrust, and so on. You can also run your own Certification Authority using products such as the Netscape/Microsoft Certificate Servers or the Entrust CA product for your organization. Cryptography and Network Security 37

Who uses Certificate? Probably the most widely visible application of X.509 certificates today is in web browsers (such as Netscape Navigator and Microsoft Internet Explorer) that support the SSL protocol. SSL (Secure Socket Layer) is a security protocol that provides privacy and authentication for your network traffic. These browsers can only use this protocol with web servers that support SSL. Other technologies that rely on X.509 certificates include: Various code-signing schemes, such as signed Java Archives, and Microsoft Authenticode. Various secure E-Mail standards, such as PEM and S/MIME. E-Commerce protocols, such as SET. Cryptography and Network Security 38

How to create certificate? There are two basic techniques used to get certificates: you can create one yourself (using the right tools, such as keytool) Not everyone will accept self-signed certificates, you can ask a Certification Authority to issue you one (either directly or using a tool such as keytool to generate the request). The main inputs to the certificate creation are: Matched public and private keys, generated using some special tools (such as keytool), or a browser. information about the entity being certified (e.g., you). This normally includes information such as your name and organizational address. If you ask a CA to issue a certificate for you, you will normally need to provide proof to show correctness of the information. Cryptography and Network Security 39

business Many companies sale the service of creating the certificate (such as SSL certificate) Comodo Verisign Thawte Entrust Geotrust Cryptography and Network Security 40

X.509 Authentication Service Public key certificate associated with user The certificates are created by Trusted Authority Then placed in the directory by TA or user Itself is not responsible for creating certificate It includes Version, serial number, signature algorithm identifier, Issuer name, issuer identifier, validity period, the user, user identifier, user s public key, extensions, signature by TA The signature by TA guarantees the authority Certificates can be used to certify other TAs Y<<X>>: certificate of user X issued by TA Y Cryptography and Network Security 41

What is inside X.509 certificate? Version Thus far, three versions are defined. Serial Number distinguish it from other certificates it issues. This information is used in numerous ways, for example when a certificate is revoked its serial number is placed in a Certificate Revocation List (CRL). Signature Algorithm Identifier This identifies the algorithm used by the CA to sign the certificate. Issuer Name The X.500 name of the entity that signed the certificate. This is normally a CA. Using this certificate implies trusting the entity that signed this certificate. root or top-level CA certificates, the issuer signs its own certificate. Cryptography and Network Security 42

cont Validity Period This period is described by a start date and time and an end date and time, and can be as short as a few seconds or almost as long as a century. It depends on a number of factors, such as the strength of the private key used to sign the certificate or the amount one is willing to pay for a certificate. This is the expected period that entities can rely on the public value, if the associated private key has not been compromised. Subject Name The name of the entity whose public key the certificate identifies. This name uses the X.500 standard, so it is intended to be unique across the Internet. Subject Public Key Information together with an algorithm identifier Cryptography and Network Security 43

Certificate Revocation Need the private key together with the certificate to revoke it The revocation is recorded at the directory Each time a certificate is arrived, check the directory to see if it is revoked Cryptography and Network Security 44

X.509 Authentication Service part of CCITT X.500 directory service standards distributed servers maintaining some info database defines framework for authentication services directory may store public-key certificates with public key of user signed by certification authority also defines authentication protocols uses public-key crypto & digital signatures algorithms not standardised, but RSA recommended Cryptography and Network Security 45

X.509 Certificates issued by a Certification Authority (CA), containing: version (1, 2, or 3) serial number (unique within CA) identifying certificate signature algorithm identifier issuer X.500 name (CA) period of validity (from - to dates) subject X.500 name (name of owner) subject public-key info (algorithm, parameters, key) issuer unique identifier (v2+) subject unique identifier (v2+) extension fields (v3) signature (of hash of all fields in certificate) notation CA<<A>> denotes certificate for A signed by CA Cryptography and Network Security 46

X.509 Certificates Cryptography and Network Security 47

Obtaining a Certificate any user with access to CA can get any certificate from it only the CA can modify a certificate because cannot be forged, certificates can be placed in a public directory Cryptography and Network Security 48

CA Hierarchy if both users share a common CA then they are assumed to know its public key otherwise CA's must form a hierarchy use certificates linking members of hierarchy to validate other CA's each CA has certificates for clients (forward) and parent (backward) each client trusts parents certificates enable verification of any certificate from one CA by users of all other CAs in hierarchy Cryptography and Network Security 49

CA Hierarchy Use Cryptography and Network Security 50

Certificate Revocation certificates have a period of validity may need to revoke before expiry, eg: 1. user's private key is compromised 2. user is no longer certified by this CA 3. CA's certificate is compromised CA s maintain list of revoked certificates the Certificate Revocation List (CRL) users should check certs with CA s CRL Cryptography and Network Security 51

Authentication Procedures X.509 includes three alternative authentication procedures: One-Way Authentication Two-Way Authentication Three-Way Authentication all use public-key signatures Cryptography and Network Security 52

One-Way Authentication 1 message ( A->B) used to establish the identity of A and that message is from A message was intended for B integrity & originality of message message must include timestamp, nonce, B's identity and is signed by A Cryptography and Network Security 53

Two-Way Authentication 2 messages (A->B, B->A) which also establishes in addition: the identity of B and that reply is from B that reply is intended for A integrity & originality of reply reply includes original nonce from A, also timestamp and nonce from B Cryptography and Network Security 54

Three-Way Authentication 3 messages (A->B, B->A, A->B) which enables above authentication without synchronized clocks has reply from A back to B containing signed copy of nonce from B means that timestamps need not be checked or relied upon Cryptography and Network Security 55

X.509 Version 3 has been recognised that additional information is needed in a certificate email/url, policy details, usage constraints rather than explicitly naming new fields defined a general extension method extensions consist of: extension identifier criticality indicator extension value Cryptography and Network Security 56

Certificate Extensions key and policy information convey info about subject & issuer keys, plus indicators of certificate policy certificate subject and issuer attributes support alternative names, in alternative formats for certificate subject and/or issuer certificate path constraints allow constraints on use of certificates by other CA s Cryptography and Network Security 57

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information