## Hash Function, Digital Signature & Public Key Infrastructure


### Review: Security Requirements
- In the context of communications across a network, the following attacks can be identified:
  - disclosure, traffic analysis: addressed by symmetric/asymmetric cryptography
  - masquerade, content modification, sequence modification, timing modification: generally regarded as message authentication
  - source repudiation: comes under the heading of digital signature
  - destination repudiation: requires a combination of digital signature and protocol design

### Review: Security Services
- Authentication: provides assurance of someone's identity
- Confidentiality: protects against disclosure to unauthorized identities
- Non-repudiation: protects against the originator of a communication later denying it
- Integrity: protects against unauthorized data alteration

### Review: Services, Mechanisms, Algorithms
A typical security protocol (SSL, IPSEC, TLS, SSH, etc.) provides one or more services. Services are built from mechanisms, and mechanisms are implemented using algorithms.

| Layer | Examples |
|---|---|
| Services | SSL, IPSEC, TLS, SSH, ... |
| Mechanisms | Signatures, Encryption, Hashing |
| Algorithms | Signatures: DSA, RSA; Encryption: RSA, DES; Hashing: SHA, MD5 |

### Review: Message Authentication
Message authentication can be provided by:
- message encryption
- a message authentication code (MAC)
- a hash function

### Message Authentication: Hash Functions

### Hash Functions
- Can be used for encryption, authentication and digital signatures.
- A hash function accepts a variable-size message M as input and produces a fixed-size output, referred to as a hash code H(M).
- A cryptographic hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length, for example 160 bits, as depicted in the figure.

### Defining Hashing
If you were to give someone the number 1,765,335 and ask them to determine your original number, it would be virtually impossible for them to "work backwards" and derive the original number, 12,345.
If you gave them the multiplier (143), they could easily determine the original number.

| Input value | Multiplier | Formula | Result |
|---|---|---|---|
| 12,345 | 143 | Value * Multiplier | 1,765,335 |
| Plaintext | Key | Algorithm | Ciphertext |

### A Practical Use of Hash Algorithm
(Figure: a "DRJ Independent Bank" payment card.) The hashed value 459384502392 is stored on the card. The PIN 123456 is entered on the keypad and run through the hashing algorithm; 459384502392 = 123456 hashed, so the two values can be compared without storing the PIN itself. The hash value is based on a hashing algorithm such as Haval, MD2, MD4, MD5 or the SHA hash functions (SHA-1, SHA-2).

### Hash Functions
- The hash code does not use a key.
- The hash code is a function only of the input message.
- The hash code is also referred to as a message digest or hash value.
- The hash code is a function of all the bits of the message and provides an error-detection capability.
- A change to any bit or bits in the message results in a change to the hash code.

### Hash Function Properties
- A hash function produces a fingerprint of some file/message/data: h = H(M)
- it condenses a variable-length message M to a fixed-size fingerprint
- it is assumed to be public

### Requirements for Hash Functions
- The purpose of the hash function is to produce a "fingerprint".
- Properties of a hash function H:
  - H can be applied to a block of data of any size.
  - H produces a fixed-length output.
  - H(x) is easy to compute for any given x.
  - For any given hash value h, it is computationally infeasible to find x such that H(x) = h (one-way property).
  - For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x).
  - This is weak collision resistance.
  - It is computationally infeasible to find any pair (x, y) such that H(x) = H(y): strong collision resistance.

### Simple Hash Functions
- There are several proposals for simple hash functions
- based on the XOR of message blocks
- not secure, since one can manipulate any message and either leave the hash unchanged or change the hash along with it
- a stronger cryptographic function is needed

### Hash Function Operations (in terms of hashing, signing and applications)
One useful application of hash functions is to make signature schemes more efficient. The hash function is made public. Starting with a message m, Alice calculates the hash h(m). This output h(m) is significantly smaller than m, and hence signing the hash may be done more quickly than signing the entire message. Alice calculates the signed message sig(h(m)) for the hash value and uses it as the signature of the message. The pair (m, sig(h(m))) now conveys basically the same knowledge as the original signature scheme did. It has the advantages that it is faster to create (under the reasonable assumption that the hash operation is quick) and requires fewer resources for transmission or storage.

### In Terms of Security
- Suppose Eve has possession of Alice's signed message (m, sig(h(m))).
- She has another message m' to which she wants to add Alice's signature.
- This means that she needs sig(h(m')) = sig(h(m)); in particular, she needs h(m') = h(m).
- If the hash function is one-way, Eve will find it hard to find any such m'.
- The chance that her desired m' will work is very small. Moreover, since we require our hash function to be strongly collision-free, it is unlikely that Eve can find two messages m1 ≠ m2 with the same signature.
- Of course, if she did, she could have Alice sign m1, then transfer her signature to m2.
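As an added example (not part of the lecture slides), the XOR-of-blocks "simple hash function" described above is placed beside SHA-256: swapping two blocks, or changing one block and XOR-ing the same difference into another, leaves the XOR hash unchanged while SHA-256 changes. The 16-byte block size and the two-block message are constructed for the demonstration.

```python
import hashlib

BLOCK = 16   # constructed block size for the toy hash (bytes)
# Constructed two-block message used throughout the demonstration.
MSG = b"PAY 0100 TO BOB " + b"FROM ALICE ACCT "

def blocks(msg: bytes, block: int = BLOCK) -> list:
    """Split msg into fixed-size blocks, zero-padding the last one."""
    return [msg[i:i + block].ljust(block, b"\x00") for i in range(0, len(msg), block)]

def xor_block_hash(msg: bytes, block: int = BLOCK) -> bytes:
    """The 'simple hash function' of the slide: bitwise XOR of all message blocks."""
    acc = bytes(block)
    for chunk in blocks(msg, block):
        acc = bytes(a ^ b for a, b in zip(acc, chunk))
    return acc

def sha256(msg: bytes) -> bytes:
    """A real cryptographic hash for comparison."""
    return hashlib.sha256(msg).digest()

def swap_blocks(msg: bytes, i: int, j: int, block: int = BLOCK) -> bytes:
    """Reorder two blocks: XOR is commutative, so the toy hash cannot notice this."""
    b = blocks(msg, block)
    b[i], b[j] = b[j], b[i]
    return b"".join(b)

def compensating_edit(msg: bytes, new_block0: bytes, block: int = BLOCK) -> bytes:
    """Replace block 0 (new_block0 must be exactly one block long) and XOR the same
    difference into block 1, so the toy hash is unchanged although the content is
    altered.  Block 1 turns into garbage, which is why the slide remarks that such
    manipulated messages are very likely meaningless."""
    b = blocks(msg, block)
    diff = bytes(x ^ y for x, y in zip(b[0], new_block0))
    b[0] = new_block0
    b[1] = bytes(x ^ y for x, y in zip(b[1], diff))
    return b"".join(b)

def hash_survives(original: bytes, altered: bytes) -> dict:
    """Per hash: True when the alteration goes undetected (identical digest)."""
    return {"xor": xor_block_hash(original) == xor_block_hash(altered),
            "sha256": sha256(original) == sha256(altered)}
```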
- But Alice would get suspicious, since m1 (and m2) would very likely be meaningless messages.

### Integrity
The assurance that data received are exactly as sent by an authorized entity (i.e., contain no modification, insertion or deletion).

### Check on Data Integrity
- A hash function can also be employed as a check on data integrity.
- The question of data integrity comes up in basically two scenarios:
  - First: when the data (encrypted or not) are being transmitted to another person and a noisy communication channel introduces errors into the data.
  - Second: an observer rearranges the transmission in some manner before it gets to the receiver.
- Either way, the data have become corrupted.
- Example: suppose Alice sends Bob long messages about financial transactions with Eve and encrypts them in blocks. Perhaps Eve deduces that the tenth block of each message lists the amount of money that is to be deposited to Eve's account. She could easily substitute the tenth block from one message into another and increase the deposit.

### Check on Data Integrity
- Another situation: Alice might send Bob a message consisting of several blocks of data, but one of the blocks is lost during transmission. Bob might never realize that the block is missing.
- Here is how a hash function can be used. Say we send (m, h(m)) over the communications channel and it is received as (M, H). To check whether errors might have occurred, the recipient computes h(M) and sees whether it equals H.
- If any errors occurred, it is likely that h(M) ≠ H, because of the collision-free properties of h.

### List of Cryptographic Hash Functions
- Haval
- MD2
- MD4
- MD5
- N-Hash
- RIPEMD-160
- SHA hash functions (SHA-0, SHA-1, SHA-2)
- Snefru
- Tiger
- Whirlpool

### Signature Schemes
Digital signature schemes ≈ MACs in the public-key setting.

### Scenario
(Slides 26 to 30 are scenario diagrams; only their title survives in the extracted text.)

### Digital Signatures
- We have looked at message authentication,
- but it does not address issues of lack of trust.
- A few scenarios: transfer of funds, mail message.
- Digital signatures provide the ability to (properties):
  - verify the author, date and time of the signature
  - authenticate the message contents
  - be verified by third parties to resolve disputes
- hence they include the authentication function with additional capabilities.

### Digital Signature Properties
- must depend on the message signed
- must use information unique to the sender, to prevent both forgery and denial
- must be relatively easy to produce
- must be relatively easy to recognize and verify
- must be computationally infeasible to forge
  - with a new message for an existing digital signature
  - with a fraudulent digital signature for a given message
- must be practical to save a copy of the digital signature in storage

### Digital Signature Categories
- Direct digital signature
- Arbitrated digital signature

### Direct Digital Signatures
- involve only sender and receiver
- assume the receiver has the sender's public key
- the digital signature is made by the sender signing the entire message or its hash with the private key
- can encrypt using the receiver's public key
- important to sign first, then encrypt message and signature
- security depends on the sender's private key

### Arbitrated Digital Signatures
- involve the use of an arbiter A
- the arbiter validates any signed message
- it is then dated and sent to the recipient
- requires a suitable level of trust in the arbiter
- can be implemented with either private- or public-key algorithms
- the arbiter may or may not see the message

### Authentication Protocols
- used to convince parties of each other's identity and to exchange session keys
- may be one-way or mutual
- key issues are:
  - confidentiality: to protect session keys
  - timeliness: to prevent replay attacks

### Replay Attacks
- where a valid signed message is copied and later resent:
  - simple replay
  - repetition that can be logged
  - repetition that cannot be detected
  - backward replay without modification
- countermeasures include:
  - use of sequence numbers (generally impractical)
  - timestamps (need synchronized clocks)
  - challenge/response (using a unique nonce)

### Using Symmetric Encryption
- as discussed previously, can use a two-level hierarchy of keys
- usually with a trusted Key Distribution Center (KDC)
- each party shares its own master key with the KDC
- the KDC generates session keys used for connections between parties
- master keys are used to distribute these to them

### Needham-Schroeder Protocol
- the original third-party key distribution protocol
- for a session between A and B mediated by the KDC
- protocol overview:
  1. A→KDC: ID_A || ID_B || N1
  2. KDC→A: E_Ka[Ks || ID_B || N1 || E_Kb[Ks || ID_A]]
  3. A→B: E_Kb[Ks || ID_A]
  4. B→A: E_Ks[N2]
  5. A→B: E_Ks[f(N2)]

### Needham-Schroeder Protocol
- used to securely distribute a new session key for communications between A and B
- but is vulnerable to a replay attack if an old session key has been compromised
- then message 3 can be resent, convincing B that it is communicating with A
- modifications to address this require:
  - timestamps (Denning 81)
  - an extra nonce (Neuman 93)

### Using Public-Key Encryption
- there is a range of approaches based on the use of public-key encryption
- need to ensure we have the correct public keys for the other parties
- using a central Authentication Server (AS)
- various protocols exist using timestamps or nonces

### Denning AS Protocol
- Denning 81 presented the following:
  1. A→AS: ID_A || ID_B
  2. AS→A: E_KRas[ID_A || KU_a || T] || E_KRas[ID_B || KU_b || T]
  3. A→B: E_KRas[ID_A || KU_a || T] || E_KRas[ID_B || KU_b || T] || E_KUb[E_KRas[Ks || T]]
- note the session key is chosen by A, hence the AS need not be trusted to protect it
- timestamps prevent replay but require synchronized clocks

### One-Way Authentication
- required when sender and receiver are not in communication at the same time (e.g. email)
- have the header in clear so it can be delivered by the email system
- may want the contents of the body protected and the sender authenticated

### Using Symmetric Encryption
- can refine the use of the KDC, but cannot have the final exchange of nonces, viz.:
  1. A→KDC: ID_A || ID_B || N1
  2. KDC→A: E_Ka[Ks || ID_B || N1 || E_Kb[Ks || ID_A]]
  3. A→B: E_Kb[Ks || ID_A] || E_Ks[M]
- does not protect against replays
- could rely on a timestamp in the message, though email delays make this problematic

### Public-Key Approaches
- have seen some public-key approaches
- if confidentiality is the major concern, can use: A→B: E_KUb[Ks] || E_Ks[M]
  - encrypted session key, encrypted message
- if authentication is needed, use a digital signature with a digital certificate: A→B: M || E_KRa[H(M)] || E_KRas[T || ID_A || KU_a]
  - message, signature, certificate

### Digital Signature Standard (DSS)
- US Govt approved signature scheme, FIPS 186
- uses the SHA hash algorithm
- designed by NIST & NSA in the early 90's
- DSS is the standard, DSA is the algorithm
- a variant on the ElGamal and Schnorr schemes
- creates a 320 bit signature, but with 512-1024 bit security
- security depends on the difficulty of computing discrete logarithms

### DSA Key Generation
- have shared global public key values (p, q, g):
  - a large prime p of about 2^L, where L = 512 to 1024 bits and is a multiple of 64
  - choose q, a 160 bit prime factor of p-1
  - choose g = h^((p-1)/q) mod p, where h < p-1 and h^((p-1)/q) (mod p) > 1
- users choose a private key and compute the public key:
  - choose x < q
  - compute y = g^x (mod p)

### DSA Signature Creation
- to sign a message M the sender:
  - generates a random signature key k, k < q
  - nb. k must be random, be destroyed after use, and never be reused
  - then computes the signature pair:
    - r = (g^k (mod p)) (mod q)
    - s = (k^-1 · (SHA(M) + x·r)) (mod q)
  - sends the signature (r, s) with the message M

### DSA Signature Verification
- having received M and the signature (r, s)
- to verify the signature, the recipient computes:
  - w = s^-1 (mod q)
  - u1 = (SHA(M) · w) (mod q)
  - u2 = (r · w) (mod q)
  - v = (g^u1 · y^u2 (mod p)) (mod q)
- if v = r then the signature is verified
- see the book web site for details of the proof why

### Summary
- have considered:
  - digital signatures
  - authentication protocols (mutual and one-way)
  - digital signature standard
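An added worked example (not the lecture's own code) of the DSA key generation, signing and verification formulas from the slides above; it also shows the hash-then-sign construction from the earlier hash slides, since the signature covers SHA(M) reduced mod q and a modified message fails to verify. Assumptions: demo parameter sizes L = 256 and N = 64 instead of the slide's 512-1024 and 160 bits, SHA-256 in place of the slide's SHA, and Miller-Rabin for the primality tests.

```python
import hashlib
import secrets
def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin probabilistic primality test (sufficient for a demonstration)."""
    if n < 4 or n % 2 == 0: return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1: break
        else:
            return False
    return True

def generate_params(L: int = 256, N: int = 64):
    """Global (p, q, g) as on the slide: q an N-bit prime, p an L-bit prime with q | p-1, g of order q."""
    while True:
        q = secrets.randbits(N) | (1 << (N - 1)) | 1                  # odd, exactly N bits
        p = (secrets.randbits(L - N) | (1 << (L - N - 1))) * q + 1    # p = k*q + 1
        if p.bit_length() != L or not is_probable_prime(q) or not is_probable_prime(p):
            continue
        for h in range(2, p - 1):                                     # g = h^((p-1)/q) mod p > 1
            g = pow(h, (p - 1) // q, p)
            if g > 1: return p, q, g

def keygen(p: int, q: int, g: int):
    x = secrets.randbelow(q - 1) + 1          # private key x, 0 < x < q
    return x, pow(g, x, p)                    # (x, public key y = g^x mod p)

def hash_to_int(msg: bytes, q: int) -> int:
    # Slide writes SHA(M); SHA-1 is deprecated for signatures, so SHA-256 reduced mod q is used.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q

def sign(msg: bytes, p: int, q: int, g: int, x: int):
    while True:
        k = secrets.randbelow(q - 1) + 1      # fresh per-signature secret: destroyed after use, never reused
        r = pow(g, k, p) % q                  # r = (g^k mod p) mod q
        s = pow(k, -1, q) * (hash_to_int(msg, q) + x * r) % q   # s = k^-1 (SHA(M) + x r) mod q
        if r and s: return r, s               # FIPS 186 requires r, s != 0 (pow(k, -1, q) needs Python >= 3.8)

def verify(msg: bytes, sig, p: int, q: int, g: int, y: int) -> bool:
    r, s = sig
    if not (0 < r < q and 0 < s < q): return False
    w = pow(s, -1, q)
    u1, u2 = hash_to_int(msg, q) * w % q, r * w % q
    v = pow(g, u1, p) * pow(y, u2, p) % p % q   # v = (g^u1 y^u2 mod p) mod q
    return v == r                                # the signature is valid iff v == r
```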