1 / 38

Electronic Payment Systems 20-763 Lecture 5 Epayment Security I

Electronic Payment Systems 20-763 Lecture 5 Epayment Security I. Cryptography. Message digest (hash) algorithms Secure Hash Algorithm Defending against attacks Salting, nonces Symmetric encryption DES and variations AES: Rijndael Public-key algorithms RSA. One-Way Hash Functions.

brigit
Télécharger la présentation

Electronic Payment Systems 20-763 Lecture 5 Epayment Security I

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Electronic Payment Systems20-763Lecture 5Epayment Security I

  2. Cryptography • Message digest (hash) algorithms • Secure Hash Algorithm • Defending against attacks • Salting, nonces • Symmetric encryption • DES and variations • AES: Rijndael • Public-key algorithms • RSA

  3. One-Way Hash Functions • For any input x, H(x), the hash of x, is of fixed length (shorter than x), sometimes called a message digest • Easy to compute • Computationally difficult to invert: can’t find a message corresponding to a hash • Diffusion property: Altering any bit of the message changes many bits of the hash • Weakly collision-free: given x, can’t find another message y with H(y) = H(x) • Strongly collision-free: can’t find any two messages with the same hash

  4. Uses of One-Way Hash Functions • Message authentication (message digests) • Password verification • Prevention of replay attack • Digital signatures

  5. Message Digest • A message digest is a “fingerprint” of a message • Much shorter than the original message (e.g. 160 bits) • Easy to compute • Can’t recover the message from the digest • Changing the message changes the digest MESSAGE (VERY LONG) DIGEST CAN BE USED TO VERIFY THAT THE MESSAGE HAS NOT BEEN ALTERED DIGEST

  6. Secure Hash Algorithm SHA-1 • Federal Information Processing Standard 180-1 (NIST) • For any message shorter than 264 1019bits, produces a 160-bit message digest • Uses exclusive-OR operation  A = 0 0 1 1 0 1 1 1 1 0 0 0 1 B = 1 1 0 1 0 0 1 1 0 1 0 1 1 A  B = 1 1 1 0 0 1 0 0 1 1 0 1 0 • Exclusive-OR islossy; knowing A B does not reveal even one bit of either A or B • Regular OR: If a bit of A B is zero, then both corresponding bits of both A and B were zero

  7. Secure Hash Algorithm SHA-1 • Pad M so it is a multiple of 512 bits long • Process M in blocks of 512 bits (16 32-bit words):W(0) . . . W(15) • Expand 16-word block to 80 words for j = 16..79 byW(j) = W(j-3) W(j-8) W(j-14) W(j-16) • Perform 4 rounds of 20 operations each using these functions ft(X,Y,Z) on three words at a time:Rounds 0-19 (X  Y)  (Z  X)Rounds 20-39 X  Y  ZRounds 40-59 (X  Y)  (X  Z)  (Y  Z) Rounds 60-79 X  Y  Z

  8. Single Step of SHA-1 80 WORDS INPUT HERE, 1 EACH STEP MAGIC CONSTANTS Operates on 16-word (512-bit) blocks Expands 16 words to 80 words Wt Performs 80 operations as shown for t = 0..79 a, b, c, d, e are special constants Kt are special constants + + + + REVISED CONSTANTS FOR NEXT STEP INITIALLY CONSTANTS “<<< 5” means “cyclic left shift 5 bits” SOURCE: SCHNEIER, APPLIED CRYPTOGRAPHY

  9. Secure Hash Algorithm SHA-1 INITIALIZE “MAGIC” HEX CONSTANTS (8 HEX DIGITS = 32 BITS): A=67452301; B=efcdab89; C=98badcfe; D=10325476; E=c3d2e1f0; K0-19=5a827999; K20-39=6ed9eba1; K40-59=8f1bbdcd; K60-79=ca62c1d6; PROCESS THE MESSAGE IN 512-BIT BLOCKS: For each block B of 16 words in message M Expand B to 80 wordsFor t = 0 to 79 MIX UP PARTS OF THE 80 WORDS:TEMP = (a <<< 5) + ft(b,c,d) + e + W(t) + Kt e = d; d = c; c = b <<< 30; b = a; a = TEMP; ADD RESULTS TO OUTPUT FROM PREVIOUS BLOCK:A = A+a; B = B+b; C = C+c; D= D+d; E = E+e; FINALDIGEST IS CONCATENATION OF PARTIAL DIGESTS: H(M) = A | B | C | D | E (5 words = 160 bits)

  10. Birthday Attack • Dave’s birthday is Aug. 27. How many people must be in a room for the probability to be > 1/2 that someone else was born on Aug. 27? • Probability that 1 person was not born on Aug. 27 =364/365. • Probability that n people were not born on Aug. 27 is p(n) = (364/365)n. Now choose n so that p(n) < 0.5 • log p(n) < n log (364/635) • n > log(1/2)/log(364/365)  253 • If n = 183 (half of 366), p(n) = 0.6053. Less then 40% chance that someone else has same birthday

  11. Birthday Probabilities • Suppose a year has d days. How many people must be in a room for the probability to be > 1/2 that some pair of people have the same birthday? • Label the people 1 … n • Probability that person i has no birthday in common with people 1 … i -1 is (d - i + 1)/d, so • If d = 365 and n = 23, p(n)  0.4927 • If d = 365 and n = 50, p(n)  0.0296 • For large d, taking n  1.17 gives p(n) > 1/2

  12. Attacking Hash Algorithms • If two strings M and M* can be found such thatH(M) = H(M*) then a hash algorithm can be compromised • Let M = PO for $100; M* = PO for $100,000 • John digitally signs H(M), so it can’t be altered! • If H(M*) = H(M) then we can “prove” in court that John signed the $100,000 PO • Birthday attack: If the hash length is b bits, then d = 2b ;= 2b/2 • Try about 2b/2 small variations of the message. Prob.~ 50% we will find one that hashes to the same value • If the digest is 64 bits, try 232 variations. Possible!

  13. Storing Passwords • A system must be able to verify that a password is correct • Store the plaintext passwords. TERRIBLE IDEA • Store hashed passwords. BAD IDEA • Passwords come from a small universe (~50,000 words). Possible to compare all possible hashes against the hashed file to discover passwords • Hash each password differently. NOT SO BAD • Defends against dictionary attack • Want to be sure that two people who have the same password have different hashes, so compromise of one password does not reveal others • Don’t store H(P), the hash of the password • Store H(P + S), where S, called salt, is different for each user

  14. Salting Example • A’s password is “13524”; B’s password is “13524” • A’s salt is “ABC”; B’s salt is “DEF” • The hash of A’s salted password is “1663az78fz” • System stores “A, ABC, 1663az78fz” • The hash of B’s salted password is “v134c27a8” • System stores “B, DEF, v134c27a8” • A logs on. Sends user “A”, password “13524” • System looks up A’s salt, hashes salted password, compares with stored salted password • Someone who discovers A’s salted password can’t use it • Can’t tell that A and B have the same password

  15. Nonce • Time-dependent value used in challenge-response protocols to prevent replay attack • Random numbers, timestamps • System sends a nonce, e.g. “1992884665” • User sends a hash of username|password|nonce • System computes what the hash should be, verifies user • Replay fails since the nonce will be different when the attacker tries to gain access • Nonce: “for the nonce” means “for the time being,” “just for now”

  16. Data Encryption Standard (DES) • Symmetric, key-based encryption-decryption standard. No public keys • Block cipher: operates on 64-bit blocks • Uses 56-bit key • 16 “rounds” -- key for each round is a 48-bit function of the original 56-bit key. Each key bit participates in an average of 14 rounds • Reversible (if the keys are known) • Fast implementation in hardware: 1 gigabit/second

  17. Encryption “Rounds” Key K Key Expansion KE Round Keys k1 k2 k3 kn-2 kn-1 kn X r1 r2 r3 rn-2 rn-1 rn Y Encryption Rounds r1 … rn • Key K is expanded to a set of n round keyski • Input block X undergoes n rounds of operations (each operation is based on value of the nth round key), until it reaches the final round rn • Strength of algorithm: difficulty of going backwards from the intermediate result of round m+1 to round m without knowing the round key rm. SOURCE: MEL TSAI

  18. Data Encryption Standard (DES) INPUT PERMUTATION 64 BITS OF MESSAGE LEFT HALF OF BLOCK (32 BITS) SUBKEYS: EACH IS A 48-BIT FUNCTION OF A 56-BIT KEY f IS A COMPLICATED FUNCTION INVOLVING VARIOUS PERMUTATIONS OUTPUT: 64 BITS OF ENCRYPTED TEXT INVERSE OF INPUT PERMUTATION SOURCE: SCHNEIER, APPLIED CRYPTOGRAPHY

  19. One Round of DES SOURCE: FORD & BAUM, SECURE ELECTRONIC COMMERCE

  20. Modes of DES Use • ECB - Electronic Codebook Mode • Straight DES. Independent groups of 64 bit. Weakness: same 64 bits always encrypts to the same ciphertext • CFB - Cipher Feedback Mode • XOR next plaintext block before encrypting • CBC - Cipher Block Chaining • encrypt previous output block, XOR with plaintext • OFB - Output Feedback Mode • XOR encrypted plaintext with next plaintext block • 3DES - Triple DES • Encrypt with K1, decrypt with K2, encrypt with K1 • Windows NT uses DES, DES-CBC and 3DES

  21. PLAINTEXT BLOCK 2 PLAINTEXT BLOCK 1   INITIALIZATION STRING etc. DES DES CIPHERTEXT BLOCK 2 CIPHERTEXT BLOCK 1 Cipher Block Chaining Example • In ECB mode, the same input text always produces the same output. This creates risk of partial decryption.

  22. Triple DES • Security can be increased by encrypting multiple times with different keys • Double DES is not much more secure than single DES because of a “meet-in-the-middle” attack • If K1 = K2 = K3 this is just single DES K1 K2 K3 DES ENCRYPT DES DECRYPT DES ENCRYPT CIPHERTEXTBLOCK 1 PLAINTEXTBLOCK 1

  23. AES, the DES Replacement • AES = Advanced Encryption Standard • DES has weaknesses: • slow (by modern standards) • weak (can be broken by fast computers) • NIST ran a competition to replace DES • Winner: Rijndael, invented by Vincent Rijmen and Joan Daeman • No patenting allowed • Round block cipher of similar structure to DES but faster, more secure

  24. Rijndael • Allows 128, 192, and 256-bit key sizes • Variable block length: 128, 192, or 256 bits. All nine combinations of key/block length possible. • A block is the smallest data size the algorithm will encrypt • Huge speed improvement over DES in both hardware and software implementations • Software: 8416 bytes/sec on a 20MHz 8051 • Software: 53 Mbytes/sec on a 800MHz Pentium • Hardware: currently up to 25 Gbps • Each input block is treated as a matrix of bits (rows and columns)

  25. Rijndael kn ByteSub ShiftRow MixColumn AddRoundKey Result from round n-1 Pass to round n+1 Detailed view of round n • Each round consists of: • ByteSub: each 8 bits of input is replaced with a different 8 bits • ShiftRow: each row of the block matrix is cyclically shifted • MixColumn • AddRoundKey SOURCE: MEL TSAI

  26. Rijndael: ByteSub Each byte at the input of a round is transformed as follows: Substitution (“S”)-box: SOURCE: MEL TSAI

  27. Rijndael: ShiftRow Depending on block length, each row of the block is cyclically shifted according to this table: SOURCE: MEL TSAI

  28. Rijndael: MixColumn Each column is multiplied by a fixed polynomial C(x) = ’03’*X3 + ’01’*X2 + ’01’*X + ’02’ This corresponds to matrix multiplication b(x) = c(x)  a(x): SOURCE: MEL TSAI

  29. Rijndael: Key Expansion and Addition Each block is XOR’ed with the expanded round key ki SOURCE: MEL TSAI

  30. One-Way Trapdoor Function • A function that is easy to compute • Computationally difficult to invert without knowing the secret (the “trapdoor”) • Example: f(x, y) = x•y • Given f(x, y), it is difficult to find either x or y • Given f(x, y) and x (the secret), it is easy to find y • One-way trapdoor functions can be used in public-key cryptography.

  31. RSA Encryption • Select two large prime numbers p, q (e.g. 1024 bits) • Let n = p • q • Choose a small odd integer e that does not dividem = (p - 1)(q - 1). Then x(p-1)(q-1) = 1 (mod n) • Compute d = e-1(mod m) • That is, d • e gives remainder 1 when divided by m • Then xe•d = x (mod n) (by Fermat’s “Little” Theorem) • Public key is the pair (e, n) • Private key is the pair (d, n) • Knowing (e, n) is of no help in finding d. Still need p and q, which involves factoring n

  32. 6 • 2 = 12 WHEN DIVIDED BY 7 GIVES REMAINDER 5 MULTIPLICATION MOD 7 EACH ROW EXCEPT THE ZERO ROW HAS EXACTLY ONE 1 EACH ELEMENT HAS A UNIQUE INVERSE Multiplicative InversesOver Finite Fields • The inverse e-1 of a number e satisfies e-1 • e = 1 • The inverse of 5 is 1/5 • If we only allow numbers from 0 to n-1 (mod n), then for special values of n, each e 0 has a unique inverse

  33. RSA Encryption • Message M is a number • To encrypt message M using key (e, n): • Compute C(M) = Me (mod n) • To decrypt message C using key (d, n): • Compute P(C) = Cd (mod n) • Note that P(C(M)) = C(P(M)) = (Me)d (mod n) = Me•d (mod n) = M

  34. RSA Example p = 61; q = 53 n = pq = 3233 (modulus, can be given to others) e = 17 (public exponent, can be given to others) d = 2753 (private exponent, kept secret!) PUBLIC KEY = (3233, 17) PRIVATE KEY = (3233, 2753) To encrypt 123, compute 12317 (mod 3233) =337587917446653715596592958817679803 mod 3233 = 855 To decrypt 855, compute 8552753 (mod 3233) = 123 (intermediate value has 8072 digits) 37 digits SOURCE: FRANCIS LITTERIO

  35. RSA in One PERL Statement print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc` (uses dc, an Unix arbitrary precision arithmetic package) • RSA U.S. patent expired September 20, 2000 SOURCE: ADAM BACK

  36. Major Ideas • We need secure hashing algorithms to create message digests • SHA has not been cracked (reversed) • Encryption algorithms are complex • must be studied carefully (by cryptographers) • subject to sophisticated attacks • Symmetric encryption is fast • DES is not secure • 3DES will soon not be secure • DES family being replaced with Rijndael • Salting defends against dictionary attacks • Nonces defend against replay attacks • RSA is the principal public-key encryption algorithm

  37. Q A &

  38. Meet-in-the-Middle Attack • Exhaustive search for keys to crack 2DES would seem to require testing 2128 keys • Start with (m, c), a plaintext/ciphertext pair • Encrypt a two-block plaintext m with all possible 264 single DES keys k1; sort the resulting pairs (k1, cmiddle) • Decrypt the 2-block ciphertext c with all possible 264 single DES keys k2; for each result cmiddle, check to see whether it occurs in the sorted list • If so, (k1, k2) is a possible key. enc2DES((k1, k2),m) = encDES(k2, encDES(k1,m)) = encDES(k2, cmiddle1) = c • This only requires testing 264 keys (and sorting them)

More Related