1 / 23

Eran Tromer Slide credits: John Mitchell, Stanford

Introduction to Information Security 0368-3065, Spring 2014 Lecture 6: Cryptography overview (2/2). Eran Tromer Slide credits: John Mitchell, Stanford. Hash functions and message integrity. Cryptographic hash functions. Length-reducing function h

keon
Télécharger la présentation

Eran Tromer Slide credits: John Mitchell, Stanford

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Introduction to Information Security0368-3065, Spring 2014Lecture 6: Cryptography overview (2/2) Eran TromerSlide credits:John Mitchell, Stanford

  2. Hash functions and message integrity

  3. Cryptographic hash functions • Length-reducing function h • Map arbitrary strings to strings of fixed length • One way (“preimage resistance”) • Given y, hard to find x with h(x)=y • Collision resistant • Hard to find any distinct m, m’ with h(m)=h(m’) • Also useful: 2nd preimage resistance • Given x, hard to find x’x with h(x’)=h(x) • Collision resistance  2nd preimage resistance

  4. Applications of one-way hash • Password files (one way) • Digital signatures (collision resistant) • Sign hash of message instead of entire message • Data integrity • Compute and securely store hash of some data • Check later by recomputing hash and comparing • Keyed hash for message authentication • MAC – Message Authentication Code

  5. Common hash functions: SHA-1, SHA-256 Merkle-Damgard construction: (simplified) m[0] m[1] m[2] m[3] H(m) IV h h h h (Expanded)message Fixedconstants 64 x

  6. Symmetric-key integrity:MAC (Message Authentication Code) Verify tag: V(k, m, tag) = 0/1 ? • Goal: message integrity. No confidentiality. Keygeneration k k Alice Bob Message m tag Generate tag: tag  S(k, m) note: non-keyed checksum (CRC) is an insecure MAC!

  7. Secure MACs • Attacker’s power: chosen message attack. • for m1,m2,…,mq attacker is given ti S(k,mi) • Attacker’s goal: existential forgery. • produce some new valid message/tag pair (m,t). (m,t)  { (m1,t1) , … , (mq,tq) } • Existential unforgeability security:no feasible attacker can witn the above game with more than negligible probability.

  8. Construction 1: ECBC m[0] m[1] m[2] m[3]    E(k,) E(k,) E(k,) E(k,) Raw CBC E(k1,) tag key = (k, k1)

  9. Construction 2: HMAC (Hash-MAC) Most widely used MAC on the Internet. H: hash function. example: SHA-256 ; output is 256 bits Building a MAC out of a hash function: Standardized method: HMAC S( k, m ) = H( kopad || H( kipad || m ))

  10. Public-key Cryptography

  11. Complexity Classes Answer in polynomial space may need exhaustive search If yes, can guess and check in polynomial time Answer in polynomial time, with high probability Answer in polynomial time compute answer directly hard PSpace NP BPP P easy

  12. Example: RSA n • Arithmetic modulo pq • Generate secret primes p, q • Generate secret numbers e, d with xed  x mod pq(typically, e=65537) • Public encryption key n, e • Encrypt(n, e, x) = xe mod n • Private decryption key n, b • Decrypt(n, d, y) = yd mod n • Main properties • This appears to be a “trapdoor permutation” • Cannot compute d from n,e • Apparently, need to factor n = pq

  13. Why RSA works • Let p, q be two distinct primes and let n=pq • Encryption, decryption based on group Zn* • For n=pq, order (n) = (p-1)*(q-1) • Key pair: e, d with ed  1 mod (n) • Encrypt(x) = xe mod n • Decrypt(y) = yd mod n • Since ed  1 mod (n), have xed  x mod n • By Eurler’s theorem, generalizing Fermat’s little theorem • (if gcd(x,n) != 1, then by “Chinese remainder theorem”)

  14. Textbook RSA is insecure • What if message is from a small set (yes/no)? • Can build table • What if I want to outbid you in secret auction? • I take your encrypted bid c and submit c (101/100)e mod n • What if there’s some protocol in which I can learn other message decryptions?

  15. OAEP [BR94, Shoup ’01] 00..0 01 Message rand. H + G + Plaintext to encrypt with RSA Preprocess message for RSA • If RSA is trapdoor permutation, then this is • chosen-ciphertext secure(if H,G “random oracles”) • In practice: use SHA-1 or MD5 for H and G Check padon decryption.Reject CT if invalid. {0,1}n-1

  16. Digital Signatures • Public-key encryption • Alice publishes encryption key • Anyone can send encrypted message • Only Alice can decrypt messages with this key • Digital signature scheme • Alice publishes key for verifying signatures • Anyone can check a message signed by Alice • Only Alice can send signed messages

  17. Properties of signatures • Functions to sign and verify • Sign(Key-1, message) • Verify(Key, x, m) = • Resists forgery • Cannot compute Sign(Key-1, m) from m and Key • Resists existential forgery: given Key, cannot produce Sign(Key-1, m) for any random or arbitrary m • true if x = Sign(Key-1, m) • false otherwise

  18. RSA Signature Scheme • Publish decryption instead of encryption key • Alice publishes decryption key • Anyone can decrypt a message encrypted by Alice • Only Alice can send encrypt messages • In more detail, • Alice generates primes p, q and key pair e, d • Sign(x) = xd mod n • Verify(y) = ye mod n • Since ed  1 mod (n), have xde  x mod n Generally, sign hash of message instead of full plaintext

  19. Public-key infrastructure

  20. Public-Key Infrastructure (PKI) • Anyone can send Bob a secret message • Provided they know Bob’s public key • How do we know a key belongs to Bob? • If imposter substitutes another key, can read Bob’s mail • One solution: PKI • Trusted root authority (VeriSign, IBM, United Nations) • Everyone must know the verification key of root authority • Check your browser; there are hundreds!! • Root authority can sign certificates • Certificates identify others, including other authorities • Leads to certificate chains • Most common standard “X.509”

  21. Public-Key Infrastructure Known public signature verification key Ka Certificate Authority Certificate Sign(Ka-1, Ks) Ka Ks Sign(Ka-1, Ks), Sign(Ks, msg) Client Server Server certificate can be verified by any client that has CA key Ka Certificate authority is “off line”

  22. CA

  23. Certificate authorities – practical problems • Certification policy – when to sign server’s certificates? • Inclusion in database of trusted Cas • Default database in browsers, OSs • Updates • Transitive trusts, sub-CAs • Practically: • Lax verification (attacks known) • Lax security (attacks known) • National/commercial bodies with diverse interests

More Related