1 / 40

453 Network Security

453 Network Security. Section 3b: Message Authentication and Public-Key Cryptography Dr. E.C. Kulasekere Sri Lanka Institute of Information Technology - 2006. Requirements for Hash Functions. can be applied to any sized message M, produces fixed-length output h

elewa
Télécharger la présentation

453 Network Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 453 Network Security Section 3b: Message Authentication and Public-Key Cryptography Dr. E.C. Kulasekere Sri Lanka Institute of Information Technology - 2006

  2. Requirements for Hash Functions • can be applied to any sized message M, produces fixed-length output h • is easy to compute h=H(M) for any message M • given h is infeasible to find x s.t. H(x)=h • one-way property. See note 1 for reasoning. • given x is infeasible to find y s.t. H(y)=H(x) • weak collision resistance. Prevents forgery when encrypted hash functions are used. • The opponent can read the message and also generate the hash code. But will not be able to alter it without detection since he does not have the secret key. Encryption of H(M) guarantees this. (note4) • is infeasible to find any x,y s.t. H(y)=H(x) • strong collision resistance

  3. Simple Hash Functions • based on XOR of message blocks • not secure since can manipulate any message and either not change hash or change hash also. • C_i is the ith bit of the hash code • m – number of n bit blocks in the input • b_ij – ith bit of the jth block

  4. Simple Hash Functions …

  5. Improvement to Simple Hash Function (1) • The above simple system is good for random data for an integrity check. • Each n-bit hash value is equally likely. • The probability that a data error will result in an unchanged hash value is ½^n. • For more predictability formatted data, the function is less effective. • Eg: in most text files, the higher order bit of each octet is mostly zero

  6. Improvement to Simple Hash Function (2) • A known value will reduce the effectiveness of the hash function from 128 to 128-16=112. This is because for a 128 hash 16 octets have to be lined up and each will have the first bit 0 which will effectively fix the hash value to only 112 bits that can change. To improve we incorporate randomness.

  7. Improvements to Simple Hash Function • Initially set n-bit hash function to zero • Process each successive n-bit block of data as follows • Rotate current hash value to left by one bit. • XOR the block into the hash value. • This will randomize the input and overcome any regularities that appear in the input. • This procedure provides good data integrity however if the plaintext is sent with the hash then no security. (note 2)

  8. Secure Hash Algorithm (SHA – 1) • SHA was developed by the National Institute of Standards and Technology. • The algorithm takes as input a message with maximum length of less than 2^64 bits. • It produces an output of 160-bit message digest. • The input is processed in 512-bit blocks.

  9. The stages involved are (note 3) • Append padding bits • Append length • Initialize (message digest) MD buffer • Process message in 512-bit blocks • Output

  10. MD Generation using SHA-1 Note that this uses CBC mode

  11. MD5 Message Digest Algorithm • Similar to SHA-1 in structure. • The algorithm takes as input a message of arbitrary length and produces as output a 128-bit message digest. • The input is processed in blocks of 512-bits. • In recent times there have been concerns of brute-force and crypt analytic compromises.

  12. Comparison of SHA-1 and MD5 • Brute force attack is harder (160 vs 128 bits for MD5). You have to scan 2^160 different options. • not vulnerable to any known attacks (compared to MD4/5) • SHA-1 is a little slower than MD5 (80 vs 64 steps) • both designed as simple and compact • Both of these are cryptographic hash functions that do not use a secret key as in the case of MACs.

  13. Comparison of Secure Hash Functions

  14. HMAC • We observe the following • MAC codes depend on secret key cryptography (block cipher) such as DES and are very slow. • Cryptographic hash codes are much faster, specially in software. • Hence developing a MAC derived from cryptographic hash code such as SHA-1 will be interesting. • However hash functions such as SHA-1 are not designed for use as a MAC since it does not use a secret key. • HMAC is derived by incorporating a secret key into an existing hash algorithm.

  15. HMAC Design Objectives • To use, without modifications, available hash functions. • To allow for easy replacing of the embedded hash functions in case faster or more secure hash function are found or required. • To preserve the original performance of the hash function without incurring a significant degradation. • To use and handle keys in a simple way. • To have a well understood cryptographic analysis of the strength of the authentication mechanism based on reasonable assumptions on the embedded hash function.

  16. HMAC Algorithm • uses hash function on the message: HMACK = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad)||M)]] • where K+ is the key padded out to size • and opad, ipad are specified padding constants

  17. Some Observations of HMAC • The message M is divided into L blocks using the padding specified by the hash function. • If the length of the key K is greater than the block size b, the key will be input to the hash function to produce the n-bit key. • K^+ is K padded with zeros on the left to get b-bit length. Note that n<b. • Ipad and opad have the characteristic of flipping one half of the bits in K. This is like generating two sub-keys from the original key. • HMAC executed the hash function three times.

  18. Security of Hash Functions and MACs • Just as in symmetric and public key encryption the attacks are grouped into brute-force and cryptanalysis categories. • Brute force attacks for hash functions • The strength of the hash function against brute force attack depends on the length of the hash code produced by the algorithm. • Brute force attacks on MACs • Here the attacker would like to come up with a valid MAC code for a given message x. • This can be done by exhaustively searching the message space or exhaustively checking the key space.

  19. Security of Hash Functions and MACs … • Cryptanalysis on Hash Functions • This method seeks to exploit some property of the algorithm to perform some attack rather than an exhaustive search. • This type of attack focuses on the internal structure of the compression function. • Based on finding out the bit change pattern from round to round. • Cryptanalysis of MACs • Not much information is available. • Based on a system similar to the attacks on encryption algorithms.

  20. Public-Key Cryptography Principles (1) • public-key/two-key/asymmetric cryptography involves two keys: • a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures • a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures • is asymmetric because • those who encrypt messages or verify signatures cannot decrypt messages or create signatures

  21. Public-Key Cryptography Principles (2) • developed to address two key issues: • key distribution – how to have secure communications in general without having to trust a KDC with your key • digital signatures – how to verify a message comes intact from the claimed sender • public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976

  22. Public-Key Characteristics • Public-Key algorithms rely on two keys with the characteristics that it is: • computationally infeasible to find decryption key knowing only algorithm & encryption key • computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known • either of the two related keys can be used for encryption, with the other used for decryption (in some schemes) • can classify uses into 3 categories: • encryption/decryption (provide secrecy) • digital signatures (provide authentication) • key exchange (of session keys)

  23. Encryption

  24. Authentication

  25. Misconceptions about Public-Key Encryption • Public key encryption is not more secure than private key in terms of cryptanalysis. It depends on • Length of the key • Work involved in breaking the cipher. • Public key method is not a general purpose technique that has made conventional encryption obsolete. • Key distribution is not trivial in public key systems when compared to the key distributions centers (KDCs) used for conventional encryption. • Some protocol is necessary for key distribution and they are liable to be insecure as well.

  26. Public-Key Cryptography Requirements • Computationally easy for a party B to generate a pair (public key KUb, private key KRb) • Easy for sender to generate ciphertext: • Easy for the receiver to decrypt ciphertext using private key: • Computationally infeasible to determineprivate key (KRb) knowing public key (KUb) • Computationally infeasible to recover message M, knowing KUb and ciphertext C • Either of the two keys can be used for encryption, with the other used for decryption:

  27. Public-Key Crypto Systems DSS = Digital Signature Standard

  28. RSA Public-Key Algorithm • Ron Rivest, Adi Shamir and Len Adleman at MIT, in 1977 • Most widely accepted and implemented approach to public-key encryption • This is a block cipher • The plaintext and cipher text are integers between 0 and n-1 for some n. • Both sender and receiver should know the values of n and the public key e. • Only receiver should know the private key d. • Public key KU={e,n} and the private key KR={d,n}

  29. The RSA Algorithm – Key Generation • Select p,q p and q both prime • Calculate n = p x q • Calculate • Select integer e • Calculate d • Public Key KU = {e,n} • Private key KR = {d,n}

  30. The RSA Algorithm - Encryption • Plaintext: M<n • Ciphertext: C = Me (mod n)

  31. The RSA Algorithm - Decryption • Ciphertext: C • Plaintext: M = Cd (mod n)

  32. Example Implementation • Select two prime numbers p=17 and q=11 (only divisible by 1 and the same number) • Calculate n=pq=187 • Calculate φ(n)=(p-1)(q-1)=160 • Select e to be relatively prime to φ(n) and less than φ(n):e=7 (gcd=1) • Determine d such that de=1 MOD 160 and d < 160: d=23 Use de=kx160+1 • KU={17,187} and KR={23,187}

  33. Diffie-Hellman Key Echange • The algorithm helps two users to exchange a secret key securely that can be used for subsequent encryption of messages. • The algorithm is limited to only key exchange.

  34. Diffie-Hellman Key Echange ... • The exchange produces identical results • Since the X’s are private, an opponent has only the following to work with: q, a, and the Y’s. • The opponent is forced to take a discrete logarithm to determine the key. • For larger primes finding the matching discrete logarithm is near impossible.

  35. Other Public-Key Cryptographic Algorithms • Digital Signature Standard (DSS) • Makes use of the SHA-1 • Not for encryption or key echange • Elliptic-Curve Cryptography (ECC) • Good for smaller bit size • Low confidence level, compared with RSA • Very complex • Remember that larger key sizes are required in public key encryption to match the strength of the private key security. Eg. Private key 128 bits equivalent to private key 4K bits.

  36. Key Management (1) • One of the major roles in public-key encryption is to address the problem of key distribution. • Two distinct aspects are considered. • The distribution of public keys • The use of public key encryption to distribute secret keys. • A symmetric key can be achieved using the Diffie Hellman key exchange.

  37. Key Management (2) • Digital certificates for distribution of public keys • Public key can be forged. This is because the public key is broadcast freely • C can claim to be A and broadcast a public key for A. • C can now read any message for A encrypted using the public key that was broadcast. • This can go on until the real A detects the problem. • The solution is to issue a public-key certificate which consists of a public-key a user ID of the key owner and the whole block signed by a trusted third party.

  38. Key Management (3) • Public-key distribution of secret keys • One way is to use Diffie-Hellman key exchange. However the drawback here is that it provides no authentication of the communicating parties. • The other alternative is to use public-key certificates. Consider Bob wishes to communicate with Alice. • Prepare a message • Encrypt the message using conventional encryption with a one time conventional session key.

  39. Key Management (4) • Encrypt the session key using public key encryption with Alice’s public key. • Attach the encrypted session key to the message and send it to Alice. • Now only Alice is capable of decrypting the session key and there fore recover the original message. • If Bob obtained Alice’s public key by means of Alice’s public-key certificate, then Bob is assured that it is a valid key.

  40. Next Lecture • Authentication applications • Kerberos • Session keys and management. • Key Exchange and authentication mechanisms. • E-mail and PGP • Web security

More Related