
PKCS ( Public-key cryptography standards )


kalli

Presentation Transcript


  1. PKCS (Public-key cryptography standards)

  2. Network Access Security Model

  3. Security Levels
   • Confidentiality: protection from disclosure to unauthorized persons
   • Integrity: maintaining data consistency (detecting unauthorized modification)
   • Authentication: assurance of the identity of a person or of the originator of data
   • Non-repudiation: the originator of a communication cannot deny it later
   • Authorization: identity combined with an access policy grants the right to perform some action

  4. Security Building Blocks
   • Encryption provides confidentiality; in an authenticated mode (e.g. AES-GCM) it can also provide authentication and integrity protection, plain encryption alone does not
   • Checksums/hash algorithms provide integrity protection; combined with a key (a MAC) they can provide authentication
   • Digital signatures provide authentication, integrity protection, and non-repudiation

  5. Keys: symmetric keys
   • Both parties share the same secret key
   • A major problem is distributing the key securely
   • DES: its 56-bit key has been considered unsafe for financial purposes since 1998, when it was first brute-forced in public
   • 3DES uses two or three DES keys (112 or 168 key bits)

  6. Keys: public/private keys
   • One key is the mathematical inverse of the other: what one key transforms, the other recovers (for RSA, e·d ≡ 1 mod φ(n))
   • Private keys are known only to the owner
   • Public keys are stored on public servers, usually in an X.509 certificate
   • Examples: RSA (US patent expired September 2000), Diffie-Hellman, DSA

  7. A Simplified Model of Conventional Encryption

  8. Public-Key Cryptography

  9. Public-Key Cryptography

  10. Message Digest
   • A message digest, also known as a one-way hash function, is a fixed-length, computationally unique identifier corresponding to a set of data. That is, each unit of data (a file, a buffer, etc.) maps to a particular short block, called a message digest. It is not random: digesting the same unit of data with the same digest algorithm will always produce the same short block.
   • A good message digest algorithm possesses the following qualities:
     • The algorithm accepts input data of any length.
     • The algorithm produces a fixed-length output for any input data.
     • The digest does not reveal anything about the input that was used to generate it.
     • It is computationally infeasible to produce data that has a specific digest.
     • It is computationally infeasible to produce two different units of data that produce the same digest.

  11. Hash Algorithms
   • Reduce variable-length input to fixed-length output (128 bits for MD5 and 160 bits for SHA-1, the algorithms of these slides; both are now broken for collisions, and current practice is 256 bits or more, e.g. SHA-256)
   • Requirements:
     • Can't deduce the input from the output (preimage resistance)
     • Can't find another input that produces a given output (second-preimage resistance)
     • Can't find two inputs which produce the same output (collision resistance)

  12. Hash Algorithms
   • Used to:
     • produce a fixed-length fingerprint of arbitrary-length data
     • produce data checksums that enable detection of modifications (an unkeyed hash only detects accidental change: an attacker who can alter the data can recompute it)
     • distil passwords down to fixed-length encryption keys (today with a slow, salted key-derivation function such as PBKDF2, scrypt or Argon2 rather than a bare hash)
   • Also called message digests or fingerprints

  13. Message Authentication Code (MAC)
   • Hash algorithm + key, to make the hash value dependent on the key
   • Most common form is HMAC (hash-based MAC, RFC 2104): HMAC(K, data) = hash((K ⊕ opad) || hash((K ⊕ ipad) || data)), i.e. the slide's hash(key, hash(key, data)) with the key mixed in through two fixed pads
   • The key affects both the start and the end of the hashing process, which is what defeats length-extension attacks on the naive hash(key || data)
   • Naming: hash + key = HMAC-hash: MD5 → HMAC-MD5, SHA-1 → HMAC-SHA1 (the recommendation when these slides were written; prefer HMAC-SHA256 today)
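The construction on the slide, written out as an added example (not code from the presentation): HMAC-SHA256 built from a plain hash exactly as RFC 2104 specifies, cross-checked against Python's standard library, plus the constant-time tag comparison a verifier needs. The key and data values are made up for the test.

```python
import hashlib
import hmac

BLOCK_SIZE = 64          # SHA-256 processes 64-byte blocks; HMAC pads the key to this


def hmac_sha256(key: bytes, data: bytes) -> bytes:
    """HMAC per RFC 2104: H((K xor opad) || H((K xor ipad) || data)) with H = SHA-256.
    This is the precise form of the slide's hash(key, hash(key, data))."""
    if len(key) > BLOCK_SIZE:                       # over-long keys are hashed first
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")            # then zero-padded to one block
    inner = hashlib.sha256(bytes(b ^ 0x36 for b in key) + data).digest()
    return hashlib.sha256(bytes(b ^ 0x5C for b in key) + inner).digest()


def matches_stdlib(key: bytes, data: bytes) -> bool:
    """Cross-check against the standard library's HMAC implementation."""
    return hmac_sha256(key, data) == hmac.new(key, data, hashlib.sha256).digest()


def verify_tag(key: bytes, data: bytes, tag: bytes) -> bool:
    """Check a received tag in constant time. A plain == returns as soon as the
    first byte differs, which lets a remote attacker forge the tag byte by byte."""
    return hmac.compare_digest(hmac_sha256(key, data), tag)
```

The ipad/opad step is what makes the key affect both ends of the computation; dropping the outer hash gives hash(key || data), which a Merkle-Damgård hash lets an attacker extend without the key.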

  14. RSA: An Example

  15. Digital Signatures
   • Combines a hash with a digital signature algorithm
   • To sign: hash the data; encrypt the hash with the sender's private key (RSA terminology; in general, apply the private-key signing operation); send the data, the signer's name and the signature
   • To verify: hash the data; decrypt the signature with the sender's public key; the result should match the hash

  16. Digital Signatures • A data string associating a message with an originating entity • Signature generation algorithm • Signature verification algorithm • Signature scheme • Used for authentication, integrity, and nonrepudiation • Public key certification is one of the most significant applications

  17. Digital Signature/Verification Schemes

  18. Digital Signature/Verification Schemes

  19. Digital Signature/Verification Schemes

  20. Diffie-Hellman protocol

  21. Diffie-Hellman protocol

  22. Diffie-Hellman protocol

  23. Key exchange: Diffie-Hellman protocol
       Machine A                              Machine B
       1. Picks a ∈ GF(p) at random           1. Picks b ∈ GF(p) at random
       2. Computes TA = g^a mod p             2. Computes TB = g^b mod p
       3. Sends TA                            3. Receives TA
       4. Receives TB                         4. Sends TB
       5. Computes KA = TB^a mod p            5. Computes KB = TA^b mod p
     K = KA = KB, because TB^a = (g^b)^a = g^(ba) = g^(ab) = (g^a)^b = TA^b (mod p)

  24. Message for Anita in La Jornada (a newspaper ad: p and g are public and can be sent in the clear): "Dear Anita, my darling: I would like to ask that our prime number be 128903289023 and our g be 23489. Love, Betito."

  25. Middle-person attack
   • Consider the following scenario, with the attacker sitting between Anita and Betito:
       Anita                  Middle person                  Betito
       g^a = 8389   →   (receives 8389)
                        g^x = 5876   →                       (receives 5876, believing it is g^a)
                        (receives 9267)   ←                  g^b = 9267
       (receives 5876, believing it is g^b)   ←   g^x = 5876
       Shared key with Anita: KAX = 5876^a = 8389^x         Shared key with Betito: KBX = 9267^x = 5876^b
   • After this exchange, the middle person simply decrypts any message sent out by A or B, reads and possibly modifies it, then re-encrypts it with the appropriate key and transmits it to the correct party.
   • The middle-person attack is possible because Diffie-Hellman does not authenticate the participants. Possible solutions are digital signatures on the exchanged values and other (authenticated) protocol variants.
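Slides 23 and 25 as an added, runnable example (not code from the presentation): the honest exchange, then the same exchange with a middle person who substitutes her own g^x in both directions and ends up holding a key with each side. The group is a toy one chosen so it can be checked by hand (p = 2^31 - 1 is prime and 7 is a primitive root mod p, the Park-Miller pair); real deployments use 2048-bit or larger groups such as those in RFC 3526. The algebra, and the attack, are the same at any size.

```python
import secrets

# Toy parameters (assumption for this example only): p = 2^31 - 1 is prime and
# g = 7 generates the whole multiplicative group mod p. Far too small for real use.
P = 2**31 - 1
G = 7


def dh_keypair(p=P, g=G):
    """Pick a secret exponent x at random and return (x, g^x mod p)."""
    x = secrets.randbelow(p - 2) + 1          # 1 <= x <= p - 2
    return x, pow(g, x, p)


def dh_shared(their_public, my_secret, p=P):
    """K = (g^y)^x mod p, the step 5 of the slide."""
    return pow(their_public, my_secret, p)


def honest_exchange(p=P, g=G):
    """Slide 23: A and B exchange TA, TB and both derive the same K."""
    a, TA = dh_keypair(p, g)                  # Machine A
    b, TB = dh_keypair(p, g)                  # Machine B
    KA = dh_shared(TB, a, p)                  # A computes TB^a
    KB = dh_shared(TA, b, p)                  # B computes TA^b
    return KA, KB


def middle_person_exchange(p=P, g=G):
    """Slide 25: the attacker relays g^x to both sides. Nothing in the protocol
    lets A or B notice, because neither value they receive is authenticated."""
    a, TA = dh_keypair(p, g)
    b, TB = dh_keypair(p, g)
    x, TX = dh_keypair(p, g)                  # attacker's own exponent
    KA = dh_shared(TX, a, p)                  # A thinks TX is TB
    KB = dh_shared(TX, b, p)                  # B thinks TX is TA
    KAX = dh_shared(TA, x, p)                 # attacker's key with A: TA^x = TX^a
    KBX = dh_shared(TB, x, p)                 # attacker's key with B: TB^x = TX^b
    return KA, KB, KAX, KBX
```

In the middle-person case A's key equals the attacker's KAX and B's key equals KBX, so the attacker can decrypt, read, alter and re-encrypt every message; A and B never share a key with each other at all.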

  26. Solution: mutual authentication (challenge-response under a shared key KAB)
       A → B:  "I am A", R1
       B → A:  R2, KAB{R1}
       A → B:  KAB{R2}
     (R1, R2 are fresh random challenges; KAB{X} is X encrypted under the shared key)

  27. Reflection attack (T impersonates A to B by opening a second session)
       T → B:  "I am A", R1
       B → T:  R2, KAB{R1}
       T → B:  "I am A", R2            (second session: T reflects B's own challenge back at B)
       B → T:  R3, KAB{R2}
     T now completes the first session with the KAB{R2} obtained from the second one, without ever knowing KAB.

  28. Encryption across a packet-switching network

  29. Elements of PKI
   • Certificate Authorities (CA): OpenSSL, Netscape, Verisign, Entrust, RSA Keon
   • Public/private key pairs: key management
   • X.509 identity certificates: certificate management
   • LDAP servers (directories for certificates and revocation lists)

  30. PKCS
   • Public-Key Cryptography Standards (PKCS): owned by RSA and motivated to promote RSA
   • Created in the early 1990s
   • Numbered from PKCS #1 to PKCS #15
   • Some along the way have lost interest, been folded into other PKCS, or been taken over by other standards bodies (PKCS #1, for instance, is now also published by the IETF as RFC 8017)
   • They continue to evolve

  31. RSA cryptosystem by layers
   • Protocols and applications: SSL, TLS, WTLS, WAP, etc.
   • PKCS user functions: PKCS1_OAEP_Encrypt, PKCS1_OAEP_Decrypt, PKCS1_v15_Sign, ...
   • PKCS primitives: PKCS1_OAEP_Encode, PKCS1_OAEP_Decode, etc.
   • RSA primitive operations: encryption C = M^e mod n, decryption M = C^d mod n
   • Modular arithmetic (finite-field) operations: addition, squaring, multiplication, inversion and exponentiation

  32. PKCS #1
   • RSA Encryption Standard, version 1.5 (1993)
   • RSA Cryptography Standard, version 2.0 onwards (1998)

  33. PKCS #1
   • Specifies how to use the RSA algorithm securely for encryption and signature
   • Why do we need this? Raw RSA is deterministic and multiplicative, so it needs padding for encryption and different encoding schemes for signatures

  34. PKCS #1
   • Chosen-ciphertext attack based on the multiplicative property of RSA
   • Attacker wishes to decrypt c
   • Choose r, compute c' = c · r^e mod n
   • Get the victim to decrypt c', giving c'^d = c^d · r mod n
   • c^d · r · r^(-1) mod n = c^d mod n
   • Padding (with a format check on decryption) destroys the multiplicative property

  35. RSA: Key Generation

  36. RSA: Encryption, Decryption

  37. RSA: An Example

  38. RSA encryption is deterministic
   • We can check whether M is the plaintext of C by testing C = M^e mod n.
   • Attack example: C = PIN^e mod n, where PIN is a 4-digit number. We can find M by brute force within tens of seconds (at most 10,000 public-key operations).
   • => We need a semantically secure cryptosystem!
   • Semantically secure: for two messages M0, M1 and C = M_b^e mod n, an attacker cannot guess whether C is the encryption of M0 or M1 (b = 0, 1) noticeably better than by chance.
   • An easy way is to pad M with a random integer R, as M || R, but this has no security proof!

  39. Chosen Ciphertext Attack (CCA)
   • Model: a decryption oracle that, given a ciphertext C, returns information derived from C and the secret key d (in the strongest case, the plaintext itself).
   • An attack example:
     (0) Assume the decryption oracle computes A^d mod n for any request A.
     (1) The attacker computes A = R^e · C mod n for a random R in Z_n and sends A to the decryption oracle.
     (2) The decryption oracle computes B = A^d mod n (= R · M mod n) and sends B back to the attacker.
     (3) The attacker computes B / R = M mod n and gets the message M.
   • There are several models (padding schemes) which are secure against the chosen ciphertext attack.
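Slides 38 and 39 as an added example (not code from the presentation): textbook RSA with a toy key, the brute-force recovery of a 4-digit PIN that deterministic encryption allows, and the blinding attack of slide 39 against a decryption oracle that refuses to decrypt the challenge ciphertext itself but decrypts anything else. The primes are Mersenne primes picked so that no prime generator is needed; they are an assumption of this example, not a recommendation.

```python
import secrets
from math import gcd

# Toy RSA key (assumption for this example): 2^61 - 1 and 2^31 - 1 are prime.
# A 92-bit modulus is trivially factorable; it only has to be large enough to show
# the two weaknesses of unpadded RSA.
P, Q = 2**61 - 1, 2**31 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def rsa_encrypt(m, n=N, e=E):
    """Textbook RSA: no padding, so the same m always gives the same c."""
    return pow(m, e, n)


def brute_force_pin(c, n=N, e=E):
    """Slide 38: deterministic encryption lets anyone re-encrypt every candidate
    PIN with the public key and compare against the captured ciphertext."""
    for pin in range(10000):
        if pow(pin, e, n) == c:
            return pin
    return None


def make_oracle(challenge, n=N, d=D):
    """Victim that decrypts anything except the one ciphertext under attack
    (the usual CCA2 restriction)."""
    def oracle(c):
        if c == challenge:
            raise PermissionError("refusing to decrypt the challenge ciphertext")
        return pow(c, d, n)
    return oracle


def blinding_attack(c, oracle, n=N, e=E):
    """Slide 39: (m*r)^e = c * r^e, so the oracle decrypts an unrelated-looking
    ciphertext to m*r, and dividing by r recovers m."""
    while True:
        r = secrets.randbelow(n - 2) + 2          # 2 <= r < n
        if gcd(r, n) == 1:
            break
    blinded = (c * pow(r, e, n)) % n              # not equal to c, so the oracle accepts it
    m_times_r = oracle(blinded)                   # = m * r mod n
    return (m_times_r * pow(r, -1, n)) % n
```

Randomized padding fixes both problems at once: the PIN no longer encrypts to a predictable value, and c · r^e decrypts to a block whose padding check fails, so a well-behaved decryptor returns an error rather than m·r.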

  40. Side Channel Attacks
   Algorithm: binary exponentiation (square-and-multiply)
     Input: a in G, exponent d = (d_k, d_(k-1), ..., d_0) in binary (d_k = 1 is the most significant bit)
     Output: c = a^d in G
     1. c = a
     2. for i = k-1 down to 0:
     3.     c = c^2
     4.     if d_i = 1 then c = c * a
     5. return c
   The time and the power consumed by c^2 and by c * a differ, and the multiplication happens only when d_i = 1, so the observed sequence of operations reveals d (side channel information).

   Algorithm: Coron's exponentiation (square-and-multiply-always)
     Input: a in G, exponent d = (d_k, d_(k-1), ..., d_0) in binary
     Output: c = a^d in G
     1. c[0] = 1
     2. for i = k down to 0:
     3.     c[0] = c[0]^2
     4.     c[1] = c[0] * a
     5.     c[0] = c[d_i]
     6. return c[0]
   Every iteration performs the same square and multiply regardless of d_i; only the final selection depends on the bit, and an implementation must make that selection without a key-dependent branch or memory access as well. (Since c[0] starts at 1 rather than a, the loop here runs from i = k, so that the most significant bit is processed too.)
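The two algorithms above, as an added example (not code from the presentation), run over a group object that records every square and multiply, standing in for the trace a power or timing probe would capture. The example also includes the simple-power-analysis step the slide only implies: reading the exponent bits straight off the binary method's S/M sequence, which fails against Coron's version because its trace is the same for every exponent. The modulus and base are arbitrary test values.

```python
class TracedGroup:
    """Integers mod n whose squarings and multiplications are logged, standing in
    for the timing/power trace an attacker records from the device."""

    def __init__(self, n):
        self.n = n
        self.ops = []                           # sequence of "S" (square) and "M" (multiply)

    def square(self, x):
        self.ops.append("S")
        return x * x % self.n

    def mul(self, x, y):
        self.ops.append("M")
        return x * y % self.n


def binary_exponentiation(g, a, d):
    """Slide's square-and-multiply: a multiply follows a square only when d_i = 1."""
    bits = bin(d)[2:]                           # d_k ... d_0 with d_k = 1
    c = a
    for bit in bits[1:]:                        # i = k-1 down to 0
        c = g.square(c)
        if bit == "1":
            c = g.mul(c, a)
    return c


def coron_exponentiation(g, a, d):
    """Square-and-multiply-always: identical operations in every iteration."""
    bits = bin(d)[2:]
    c = [1, None]
    for bit in bits:                            # i = k down to 0
        c[0] = g.square(c[0])
        c[1] = g.mul(c[0], a)
        c[0] = c[int(bit)]                      # real code must make this selection branch-free too
    return c[0]


def recover_exponent(ops):
    """Simple power analysis on the binary method: d_k = 1, then one bit per
    square, 1 if a multiply immediately follows it and 0 otherwise."""
    bits = "1"
    i = 0
    while i < len(ops):
        if i + 1 < len(ops) and ops[i + 1] == "M":
            bits += "1"
            i += 2
        else:
            bits += "0"
            i += 1
    return int(bits, 2)


def exponentiate_with_trace(exp_fn, a, d, n):
    """Return (a^d mod n, recorded operation sequence) for one exponentiation."""
    g = TracedGroup(n)
    return exp_fn(g, a, d), g.ops
```

Against the binary method the trace gives back d exactly; against Coron's method the trace is SMSM... for every d and the same decoder returns a string of ones. Note the cost of the countermeasure: one multiply per bit instead of one per set bit, roughly 1.5x the work on average.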

  41. Differential Fault Attack (DFA)
   An attacker obtains a decryption which is computed in a wrong way. RSA with the CRT computes M = C^d mod n as:
     d_p = d mod (p-1),   M_p = C^(d_p) mod p
     d_q = d mod (q-1),   M_q = C^(d_q) mod q
     v = (M_q - M_p) · p^(-1) mod q
     M = M_p + p · v mod n
   If an attacker can break the computation of v (forcing v = 0, so that the device outputs M_p instead of M), then he/she can factor n by computing gcd(M - M_p, n) = p, because M - M_p = p · v.
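The attack on the slide as an added example (not code from the presentation): a CRT decryption routine with a switch that zeroes v, the gcd recovery of p from a correct and a faulty output, and, going one step beyond the slide, the single-faulty-signature variant due to Lenstra, where the attacker needs only the message and one faulty signature because s_faulty^e agrees with the message mod p but not mod q. The toy Mersenne-prime key and the message value are assumptions of this example.

```python
from math import gcd

# Toy RSA key (assumption for this example): 2^61 - 1 and 2^31 - 1 are prime.
P, Q = 2**61 - 1, 2**31 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def rsa_crt(c, p=P, q=Q, d=D, fault=False):
    """c^d mod n via the CRT with Garner recombination, exactly as on the slide.
    fault=True models a glitch that skips the recombination term (v = 0)."""
    dp, dq = d % (p - 1), d % (q - 1)
    mp = pow(c, dp, p)
    mq = pow(c, dq, q)
    v = (mq - mp) * pow(p, -1, q) % q
    if fault:
        v = 0                                   # injected fault: device now outputs M_p
    return (mp + p * v) % (p * q)


def factor_from_pair(correct, faulty, n=N):
    """Slide's attack: correct - faulty = p * v, so the gcd with n is p
    (as long as v != 0, i.e. the two CRT halves differed)."""
    return gcd(correct - faulty, n)


def factor_from_faulty_signature(msg, faulty_sig, n=N, e=E):
    """Lenstra's variant: with s = msg^d faulted in the q half, s^e == msg (mod p)
    but not (mod q), so one faulty signature and the message already give p."""
    return gcd(pow(faulty_sig, e, n) - msg, n)
```

The standard defence is to verify the result before releasing it (re-encrypt and compare with c, or check the signature with e), and to hold the output back if the check fails; for signatures with a large e that check is cheap relative to the private operation.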

  42. Klima-Rosa attack against PGP
   • PGP does not encrypt (or integrity-protect) the public parameters stored in the key file, which include n.
   • Decryption oracle: given an integer X, it computes X^d mod n' with the stored d and whatever modulus n' the file now contains.
   • An attacker can change the public key n to a chosen n'; the attacker then obtains X^d mod n' for the changed n'.
   • By choosing n' with only small prime factors, he/she can recover d with the Silver-Pohlig-Hellman algorithm (a discrete logarithm of X^d to the base X that is easy in each small-order subgroup).

  43. Bleichenbacher's CCA
   • Decryption oracle: for any integer C mod n, it answers only whether C^d mod n is in PKCS format or not.
   • PKCS #1 v1.5 format for a message m, most significant byte first:
       00 | 02 | random non-zero padding (at least 8 bytes) | 00 | message m
   • Theorem (Bleichenbacher): Let n be a 1024-bit RSA modulus. For a given C, the value C^d mod n can be computed with about 2^20 accesses to the decryption oracle, where d is the secret key.
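The attack of the theorem, as an added example (not code from the presentation): PKCS #1 v1.5 padding, a decryptor, the yes/no "is it PKCS-conforming" oracle, and Bleichenbacher's interval-narrowing search that recovers the whole padded plaintext from that oracle alone. The key is a toy 138-bit modulus built from two Mersenne primes (an assumption of this example, chosen to avoid a prime generator and to keep the run to a few thousand queries; a 1024-bit modulus needs roughly the 2^20 of the theorem). The oracle here checks only the leading 00 02, as in the original paper; a decoder that also checks the zero separator and the padding length still leaks, only with more queries.

```python
import secrets

# Toy RSA key (assumption for this example): 2^107 - 1 and 2^31 - 1 are prime, giving a
# 138-bit modulus, so k = 18 octets and at most k - 11 = 7 message bytes.
P, Q = 2**107 - 1, 2**31 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8
B = 1 << (8 * (K - 2))              # a block is PKCS-conforming iff 2B <= block < 3B


def pkcs1_v15_pad(msg, k=K):
    """EB = 00 || 02 || PS (at least 8 nonzero random octets) || 00 || M"""
    if len(msg) > k - 11:
        raise ValueError("message too long")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - 3 - len(msg)))
    return b"\x00\x02" + ps + b"\x00" + msg


def pkcs1_v15_unpad(eb):
    sep = eb.find(b"\x00", 2)
    if eb[:2] != b"\x00\x02" or sep < 10:          # header wrong or fewer than 8 PS octets
        raise ValueError("decryption error")
    return eb[sep + 1:]


def encrypt(msg, n=N, e=E):
    return pow(int.from_bytes(pkcs1_v15_pad(msg), "big"), e, n)


def decrypt(c, n=N, d=D):
    return pkcs1_v15_unpad(pow(c, d, n).to_bytes(K, "big"))


def conforming_oracle(c, n=N, d=D):
    """All the attacker learns per query: does c^d mod n start with 00 02?"""
    return 2 * B <= pow(c, d, n) < 3 * B


def ceil_div(a, b):
    return -(-a // b)


def bleichenbacher(c, oracle, n=N, e=E):
    """Recover m = c^d mod n for a conforming c (so the blinding factor s0 is 1)."""
    query = lambda s: oracle(c * pow(s, e, n) % n)     # oracle sees the encryption of m*s
    M = [(2 * B, 3 * B - 1)]                           # m is known to lie in this interval
    s = ceil_div(n, 3 * B)                             # step 2a: first s with m*s conforming
    while not query(s):
        s += 1
    while True:
        new = []                                       # step 3: 2B <= m*s - r*n < 3B
        for a, b in M:
            for r in range(ceil_div(a * s - 3 * B + 1, n), (b * s - 2 * B) // n + 1):
                lo = max(a, ceil_div(2 * B + r * n, s))
                hi = min(b, (3 * B - 1 + r * n) // s)
                if lo <= hi:
                    new.append((lo, hi))
        M = []
        for lo, hi in sorted(new):                     # merge overlapping intervals
            if M and lo <= M[-1][1]:
                M[-1] = (M[-1][0], max(M[-1][1], hi))
            else:
                M.append((lo, hi))
        if len(M) == 1 and M[0][0] == M[0][1]:
            return M[0][0]                             # step 4: a single value remains
        if len(M) > 1:                                 # step 2b: just keep searching upward
            s += 1
            while not query(s):
                s += 1
        else:                                          # step 2c: one interval, roughly halve it
            a, b = M[0]
            r = ceil_div(2 * (b * s - 2 * B), n)
            while True:
                lo_s = ceil_div(2 * B + r * n, b)
                hi_s = (3 * B - 1 + r * n) // a
                found = next((t for t in range(lo_s, hi_s + 1) if query(t)), None)
                if found is not None:
                    s = found
                    break
                r += 1
```

The recovered integer is the full encoded block, so stripping the padding gives the message. The lesson for implementers is that the padding check must not be observable (in error messages, timing, or protocol behaviour), which is why TLS treats a bad premaster secret as a random one instead of failing.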

  44. PKCS #1
   • Version 1.5, 1993
   • Its encryption padding was found defective in 1998 by Bleichenbacher
   • It is possible to generate a valid ciphertext without knowing the corresponding plaintext, with a reasonable probability of success (a chosen-ciphertext attack, built on the oracle described above)

  45. PKCS #1 version 2.0
   • Uses Optimal Asymmetric Encryption Padding (OAEP) by Bellare and Rogaway (1994), provably secure in the random oracle model. Informally, if the hash functions are truly random, then an adversary who can recover such a message must be able to break RSA.
   • Plaintext awareness: to construct a valid OAEP-encoded message, an adversary must know the original plaintext, so a decryption oracle gives nothing away, provided the implementation rejects malformed encodings without revealing which check failed.
   • PKCS #1 version 1.5 padding continues to be allowed for backward compatibility
   • Accommodation for multi-prime RSA, to speed up private-key operations
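RSAES-OAEP as an added example (not code from the presentation), following the encoding in PKCS #1 v2 (RFC 8017 section 7.1) with SHA-256 and MGF1: the random seed is what makes two encryptions of the same message differ, and the decoder folds all its checks into a single error so that an attacker cannot tell which one failed (the distinction is what Manger's 2001 attack exploits). The toy key from two Mersenne primes, the label and the message are assumptions of this example.

```python
import hashlib
import secrets

# Toy RSA key (assumption for this example): 2^521 - 1 and 2^127 - 1 are prime, giving a
# 648-bit modulus, so k = 81 octets and room for k - 2*hLen - 2 = 15 message bytes.
P, Q = 2**521 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8
H_LEN = 32                                  # SHA-256 output length


def mgf1(seed, mask_len):
    """MGF1: concatenate Hash(seed || counter) for counter = 0, 1, ...; truncate."""
    out = b""
    for counter in range((mask_len + H_LEN - 1) // H_LEN):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return out[:mask_len]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(msg, k=K, label=b""):
    """EM = 00 || maskedSeed || maskedDB, DB = lHash || PS || 01 || M."""
    if len(msg) > k - 2 * H_LEN - 2:
        raise ValueError("message too long")
    l_hash = hashlib.sha256(label).digest()
    ps = b"\x00" * (k - len(msg) - 2 * H_LEN - 2)
    db = l_hash + ps + b"\x01" + msg
    seed = secrets.token_bytes(H_LEN)        # fresh randomness: same msg, different EM
    masked_db = xor(db, mgf1(seed, k - H_LEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em, k=K, label=b""):
    l_hash = hashlib.sha256(label).digest()
    y, masked_seed, masked_db = em[0], em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = xor(masked_seed, mgf1(masked_db, H_LEN))
    db = xor(masked_db, mgf1(seed, k - H_LEN - 1))
    sep = db.find(b"\x01", H_LEN)
    # One combined verdict and one error: which test failed must not be observable
    # (a distinguishable "first octet not zero" alone is a decryption oracle).
    ok = (y == 0) & (db[:H_LEN] == l_hash) & (sep != -1) & (db[H_LEN:sep] == b"\x00" * (sep - H_LEN))
    if not ok:
        raise ValueError("decryption error")
    return db[sep + 1:]


def encrypt(msg, n=N, e=E):
    return pow(int.from_bytes(oaep_encode(msg), "big"), e, n)


def decrypt(c, n=N, d=D):
    return oaep_decode(pow(c, d, n).to_bytes(K, "big"))


def decrypts_cleanly(c):
    """True if c decodes without error; a tampered c fails the combined check."""
    try:
        decrypt(c)
        return True
    except ValueError:
        return False
```

A production decoder would also need the scan for the 0x01 separator and the comparisons to run in constant time; the structure above shows where the single error exit has to be, not the timing discipline around it.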

  46. PKCS #1
   • Cryptographic primitives
   • Cryptographic schemes: encryption scheme; signature scheme (signature with appendix: supported; signature with message recovery: not supported)
   • Encoding and decoding: converting a message into an octet string (and then an integer) for use in an encryption or signature scheme, and vice versa

  47. PKCS #1: cryptographic primitives
   • Encrypt: RSAEP((n, e), m)
   • Decrypt: RSADP((n, d), c)
   • Sign: RSASP1((n, d), m)
   • Verify: RSAVP1((n, e), s)
   Basically modular exponentiation with differently named inputs!! The primitives give no security on their own; the encoding schemes wrapped around them do.

  48. PKCS #1
   • Encryption scheme: combines the encryption primitive with an encryption encoding method: message → encoded message → integer message representative → encrypted message
   • Decryption scheme: combines the decryption primitive with a decryption decoding method: encrypted message → integer message representative → encoded message → message
   • Original version 1.5 scheme (RSAES-PKCS1-v1_5) and new version 2.0 scheme (RSAES-OAEP)

  49. PKCS #1
   • Signature scheme: combines the signature primitive with a signature encoding method: message → encoded message → integer message representative → signature
   • Verification scheme: combines the verification primitive with the same encoding method: signature → integer message representative → encoded message, which is compared with the encoding of the received message
   • Original version 1.5 scheme (RSASSA-PKCS1-v1_5), signature with appendix
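The signature-with-appendix pipeline of slides 15 and 47-49, as an added example (not code from the presentation): I2OSP/OS2IP conversions, the RSASP1/RSAVP1 primitives, the EMSA-PKCS1-v1_5 encoding (00 01 FF..FF 00 DigestInfo) with the SHA-256 DigestInfo prefix from RFC 8017, and a verifier that re-encodes the message and compares the whole block rather than parsing the padding. The toy key from two Mersenne primes is an assumption of this example.

```python
import hashlib

# Toy RSA key (assumption for this example): 2^521 - 1 and 2^127 - 1 are prime,
# giving a 648-bit modulus (k = 81 octets). Mersenne primes are a terrible choice
# for a real key; they only avoid a prime generator here.
P, Q = 2**521 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def i2osp(x, length):
    """Integer to octet string, big-endian, fixed length."""
    return x.to_bytes(length, "big")


def os2ip(octets):
    """Octet string to integer."""
    return int.from_bytes(octets, "big")


def rsasp1(n, d, m):
    """Signature primitive: m^d mod n (the slide's 'encrypt with the private key')."""
    return pow(m, d, n)


def rsavp1(n, e, s):
    """Verification primitive: s^e mod n."""
    return pow(s, e, n)


def emsa_pkcs1_v15_encode(msg, em_len):
    """EM = 00 || 01 || FF...FF || 00 || DigestInfo(SHA-256(msg)); deterministic."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def sign(msg, n=N, d=D):
    """message -> encoded message -> integer -> signature (slide 49)."""
    return i2osp(rsasp1(n, d, os2ip(emsa_pkcs1_v15_encode(msg, K))), K)


def verify(msg, sig, n=N, e=E):
    """signature -> integer -> encoded message, compared with the encoding of msg."""
    if len(sig) != K:
        return False
    em = i2osp(rsavp1(n, e, os2ip(sig)), K)
    # Compare the full block. Verifiers that instead parse the padding leniently
    # (not insisting the DigestInfo fills the block) were forged against with e = 3
    # by Bleichenbacher in 2006.
    return em == emsa_pkcs1_v15_encode(msg, K)
```

Because the encoding is deterministic, signing the same message twice yields the same signature; that is by design for RSASSA-PKCS1-v1_5, whereas RSASSA-PSS (also in PKCS #1 v2) salts the hash and is the scheme to prefer for new designs.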

  50. PKCS 1
