1 / 102

Chapter 21

Chapter 21. Public-Key Cryptography and Message Authentication. Secure Hash Algorithm (SHA). SHA was originally developed by NIST published as FIPS 180 in 1993 was revised in 1995 as SHA-1 produces 160-bit hash values NIST issued revised FIPS 180-2 in 2002

ulla
Télécharger la présentation

Chapter 21

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 21 Public-Key Cryptography and Message Authentication

  2. Secure Hash Algorithm(SHA) • SHA was originally developed by NIST • published as FIPS 180 in 1993 • was revised in 1995 as SHA-1 • produces 160-bit hash values • NIST issued revised FIPS 180-2 in 2002 • adds 3 additional versions of SHA • SHA-256, SHA-384, SHA-512 • with 256/384/512-bit hash values • same basic structure as SHA-1 but greater security • in 2005 NIST announced the intention to phase out approval of SHA-1 and move to a reliance on the other SHA versions by 2010

  3. Table 21.1Comparison of SHA Parameters

  4. SHA-512 Structure

  5. SHA-512 Round

  6. SHA-3 • SHA-1 considered insecure and has been phased out for SHA-2 • SHA-2 shares same structure and mathematical operations as its predecessors and causes concern • due to time required to replace SHA-2 should it become vulnerable, NIST announced in 2007 a competition to produce SHA-3

  7. SHA-3 Evaluation Criteria • designed to reflect requirements for the main applications supported by SHA-2 • digital signatures, hashed message authentication codes, key generation, and pseudorandom number generation • security • strength should be close to the theoretical maximum for the different required hash sizes and for both preimage resistance and collision resistance • must be designed to resist any potentially successful attack on SHA-2 functions • cost • should be both time and memory efficient over a range of hardware platforms • algorithm and implementation characteristics • consideration will be given to characteristics such as flexibility and simplicity • NIST plans to select the SHA-3 winner by late 2012

  8. HMAC • has been interest in developing a MAC derived from a cryptographic hash code • cryptographic hash functions generally execute faster • library code is widely available • SHA-1 was not deigned for use as a MAC because it does not rely on a secret key • issued as RFC2014 • has been chosen as the mandatory-to-implement MAC for IP security • used in other Internet protocols such as Transport Layer Security (TLS) and Secure Electronic Transaction (SET)

  9. HMAC Design Objectives

  10. HMAC Structure

  11. Security of HMAC • A compression function splits the message to be hashed into blocks of a specified size of, say, k bits. Typically messages are padded, using a specified padding scheme, so that the padded message consists of an integral number of full blocks. If the hash function produces digests of size n bits, we use a compression function e.g. i. g : {0, 1}n X {0, 1}k → {0, 1}n .   • A function h: X →Y is collision resistant if it is computationally infeasible to find two different points x1, x2 ∈ X such that h(x1) = h(x2) • or attacker finds collisions in hash function even when IV is random and secret • ie. find M and M' such that H(M) = H(M') • birthday attack O( 2n/2) • MD5 secure in HMAC since only observe

  12. Cryptography Encryption methods have historically been divided into two categories: substitution ciphers and transposition ciphers. Substitution ciphers preserve the order of the plaintext symbols but disguise them. Transposition ciphers, in contrast, reorder the letters but do not disguise them. Plaintext is the common term for the original text of a message before it has been encrypted

  13. Caesar Cipher • The cipher attributed to Caesar is very simple for it involves shifting the letters of the alphabet along three places. • A message can then be quickly deciphered, especially if one has the shifted alphabet before ones eyes: • A B C D E F G H I J K L M N O P Q R S T U V W X Y Z • D E F G H I J K L M N O P Q R S T U V W X Y Z A B C • In this Caesar cipher, the message CROSS THE RUBICON (this is known as the plaintext message) is enciphered as FURVV WKH UXELFRQ (called the ciphertext message).

  14. Caesar Cipher Weakness • This might be enough to confound the enemy, at least the first time around. • However it is not very secure, and indeed if the enemy knew, or guessed that the cipher was based on an alphabet shift, the code could well be cracked in a minute or two upon intercepting even a short message like this one. • Indeed once the enciphered form of one single letter is correctly guessed then the whole code is blown as the cyclic shift in the alphabet is revealed: • ….. for instance if we guess that A -> D when enciphered, and we know that the cipher is a simple Caesar shift, then the key to the cipher is there for all to see. • A more difficult cipher is to swap each letter with another in no particular pattern. In this way if the enciphered form of a letter such as I or A is guessed (often an easy task as these two are the only one-letter words) we cannot immediately find the rule for the rest of the cipher because there is none.

  15. Mono-Substitution Weakness • The arbitrary nature of the substitution is an inconvenience for the code users as well as it can be difficult to remember how to form the cipher. • Mistakes will be made unless the secret cipher is written down and then it could easily fall into the wrong hands. • We can crack mono-substitution ciphers with frequency analysis, pattern matching, and trial and error until all is revealed. • Given a fairly long intercepted message encoded as a simple substitution cipher, it is not hard to spot the true meaning of letters. • The symbols for I and A are likely to occur in isolation and common letters such as E and T will have equally common symbols substituting for each of them. • From this, short words can be guessed, giving more of the cipher ….

  16. Frequency Analysis

  17. Frequency Analysis

  18. Vigenère cipher • Nonetheless, by the 16th century these basic ideas had been taken further to develop military codes that were considered impregnable in their day yet could easily be deciphered by those who held their key. • The main type, which stood defiant for several centuries, goes by the name of the Vigenère cipher. • Its beauty is that the key is simply a single word, such as LIBERTY. Any unauthorised interceptor, even one who knows that his enemy is using a Vigenère cipher, will have the greatest of difficulty unravelling the code without the secret code word. • Indeed it was widely accepted that cracking these codes was a practical impossibility and so was not even worth attempting directly.

  19. Vigenère cipher • The only hope lay in somehow acquiring the code word. • …….. Thiscould be any string of letters at all so the system looked completely secure to those who used it with due care and attention.

  20. Vigenère cipher – how it works • Each letter of the key word, which is written vertically, represents the first letter in a simple Caesar cipher. • We then encipher the first letter of the message using the first cipher, the second using the second, and so on, starting the cycle of Caesar ciphers over again once we reach the end of the key word. • For example, suppose our plain text message is • A MAN A PLAN A CANAL PANAMA • The idea seems first to have been formulated by Leon Battista Alberti of Florence in a visit to the Vatican in the 1460’s. So quite old…..

  21. Vigenère Table . Vigenère cipher table based on LIBERTY.

  22. Vigenère cipher – how it works • Using LIBERTY as our watch word, the sender and legitimate receiver of the message would set up a cipher table as in previous slide. • The initial A is then enciphered as L; the word MAN is enciphered using the 13th letter of the second cipher, the first of the third, and the 14th of the fourth respectively, giving the encoded form of the word as UBR. • Continuing, we discover the full enciphered message as shown below. • We repeat the key word above plaintext message as a reminder of which of the seven shifted alphabets to use in the encoding for each letter.

  23. Vigenère cipher – maths • The maths behind the Vigenère cipher can be written as follows: • To encrypt a message: Ca = Ma + Kb (mod 26) • To decrypt a message: Ma = Ca – Kb (mod 26) • (Where C = Code, M = Message, K = Key, and where a = the ath character of the message bounded by the message, and b is the bth character of the Key bounded by the length of the key.)

  24. Vigenère cipher – how it works • Immediately it is clear that the codebreaker meets some new obstacles. • The standard trick of assuming that an isolated letter represents either the word A or I is still valid, but we see that the three instances of the letter A in this case are enciphered differently on each occasion, sowing the seeds of real confusion in the mind of the codebreaker. • Simple frequency analysis will also be found wanting, the real frequencies being disguised by the changing nature of the code throughout the message. • ----- Is there any way of ever tackling such a perplexing cipher? • Indeed there is, and the first to show that these ciphers could be cracked was the English mathematician Charles Babbage (1791–1871).

  25. Cryptography Cryptanalysis is the study of methods for obtaining the plain text of encrypted information without access to the key that is usually required to decrypt. In lay-man's terms it is the practice of code breaking or cracking code. The dictionary defines cryptanalysis as the analysis and deciphering of cryptographic writings/systems, or the branch of cryptography concerned with decoding encrypted messages.

  26. Cryptography Cryptanalyst's are the natural adversary of a cryptographer, in that a cryptographer works to protect or secure information and a cryptanalyst works to read date that has been encrypted. Although they also complement each other well as without cryptanalyst's, or the understanding of the cryptanalysis process it would be very difficult to create secure cryptography. So when designing a new cryptogram it is common to use cryptanalysis in order to find and correct any weaknesses in the algorithm. Most cryptanalysis techniques exploit patterns found in the plain text code in order to crack the cipher; however compression of the data can reduce these patterns and hence enhance the resistance to cryptanalysis

  27. Code Breaking Jobs

  28. Unbreakable Codes • Is it possible to devise a code so strong that it is absolutely unbreakable?

  29. Unbreakable Codes The Short Answer is Yes….but….

  30. Code talkers…..A unique method

  31. Code Talkers • Code talkers was a term used to describe people who talk using a coded language. • It is frequently used to describe 400 Native American Marines who served in the United States Marine Corps whose primary job was the transmission of secret tactical messages. • Code talkers transmitted these messages over military telephone or radio communications nets using formal or informally developed codes built upon their native languages. • Their service improved communications in terms of speed of encryption at both ends in front line operations during World War II.

  32. Code Talkers The name code talkers is strongly associated with bilingual Navajo speakers specially recruited during WWII by the Marines to serve in their standard communications units in the Pacific Theater. Code talking, however, was pioneered by Choctaw Indians serving in the U.S. Army during World War I. These soldiers are referred to as Choctaw Code Talkers. Other Native American code talkers were deployed by the United States Army during World War II, including Cherokee, Choctaw, Lakota, Meskwaki, and Comanche soldiers. Soldiers of Basque ancestry were used for code talking by the U.S. Marines during World War II in areas where other Basque speakers were not expected to be operating.

  33. Code Talkers • Using a substitution method similar to the Navajo, the Comanche code word for tank was "turtle", bomber was "pregnant airplane", machine gun was "sewing machine" and Adolf Hitler became "crazy white man". • Two Comanche code-talkers were assigned to each regiment, the rest to 4th Infantry Division headquarters. • Shortly after landing on Utah Beach on June 6, 1944, the Comanches began transmitting messages

  34. Navajo Code • A codebook was developed to teach the many relevant words and concepts to new initiates. • Text was for classroom purposes only, and never to be taken into the field. • The code talkers memorized all these variations and practiced their rapid use under stressful conditions during training. • Uninitiated Navajo speakers would have no idea what the code talkers' messages meant; they would hear only truncated and disjointed strings of individual, unrelated nouns and verbs. • The Navajo code talkers were commended for their skill, speed and accuracy accrued throughout the war. At the Battle of Iwo Jima, Major Howard Connor, 5th Marine Division signal officer, had six Navajo code talkers working around the clock during the first two days of the battle.

  35. Navajo Cryptographic Properties • Non-speakers would find it extremely difficult to accurately distinguish unfamiliar sounds used in these languages. • Additionally, a speaker who has acquired a language during their childhood sounds distinctly different from a person who acquired the same language in later life, thus reducing the chance of successful impostors sending false messages. • Finally, the additional layer of an alphabet cypher was added to prevent interception by native speakers not trained as code talkers, in the event of their capture by the Japanese. • A similar system employing Welsh was used by British forces, but not to any great extent during World War II. Welsh was used more recently in the Balkan peace-keeping efforts for non-vital messages.

  36. Navajo Cryptographic Properties • Navajo was an attractive choice for code use because few people outside the Navajo themselves had ever learned to speak the language. • Virtually no books in Navajo had ever been published. Outside of the language itself, the Navajo spoken code was not very complex by cryptographic standards and would likely have been broken if a native speaker and trained cryptographers worked together effectively. • The Japanese had an opportunity to attempt this when they captured Joe Kieyoomia in the Philippines in 1942 during the Bataan Death March. • Kieyoomia, a Navajo Sergeant in the U.S. Army, but not a code talker, was ordered to interpret the radio messages later in the war.

  37. Navajo Cryptographic Properties • However, since Kieyoomiahad not participated in the code training, the messages made no sense to him. • When he reported that he could not understand the messages, his captors tortured him. • Given the simplicity of the alphabet code involved, it is probable that the code could have been broken easily if Kieyoomia's knowledge of the language had been exploited more effectively by Japanese cryptographers. • The Japanese Imperial Army and Navy never cracked the spoken code. • So do not underestimate the power of words……

  38. Back to Unbreakable Codes • We have said that it is possible to devise a code so strong that it is absolutely unbreakable. • Indeed this can be achieved in practice by following the idea behind the Vigenère cipher to its natural conclusion. • As we have already pointed out, the weakness of the Vigenère cipher lay in the key word being short and recognizable. • The answer then was to make it long and unrecognizable.

  39. Back to Unbreakable Codes • But how long? • Longer than any message you would ever send. • To make it unrecognizable, we make the key word • completely random. • The result of this approach is known as the one-time pad cipher.

  40. One Time Pads • The sender and receiver each need identical copies of the one- time pad, which consists of no more than a very long totally random string of letters from the alphabet. • Only they possess this super key word. The secret message is then sent in whatever way convenient using the one-time pad in the Vigenère fashion. • Since the key word never ends (or more precisely does not end before the message is concluded) there is no cycle of ciphers. • Since each individual letter in the key word is random, and bears no relation to any other letter, the string that is transmitted is itself a totally random string. After the message is transmitted the sender destroys the pad, as does the receiver after he has deciphered the message.

  41. One Time Pads • …Although cumbersome, the method is secure. If the enciphered message is intercepted during transmission it is of little use to the unauthorised interceptor without access to the one-time pad. • He may be able to tell something about how long the message is, but little more. • Even the lengths of individual words can be masked, symbols like punctuation marks and spaces can themselves be given a symbol in an augmented alphabet. • The one-time pad could then be a random string from this enhanced alphabet, completing disguising the structure of the grammar in the transmitted message.

  42. One Time Pads • In principle, all aspects of the message can be written in binary code • the message becomes a string consisting of the symbols 0 and 1, which is disguised by adding to it a random binary string as represented by one-time pad. • If the message digit were a , and the random digit in the corresponding random string were b, then the transmitted digit would be a + b, where this sum is calculated according to the rules of arithmetic modulo 2: • that is 0 + 1 = 1 + 0 = 1 and 0 + 0 = 1 + 1 = 0.

  43. One Time Pads • e.g. if the message were simply the string of ten consecutive 1 symbols 1111111111, and the first ten digits on the one-time pad were 0111011011, then the transmitted string would be that of the random string with the digits 0 and 1 interchanged throughout: 1000100100. • The unauthorised interceptor is left holding a random string that contains no information, which, in isolation, is meaningless. • Even if the eavesdropper happened to know part of the message, the intercepted string would be of no use to him in deciphering the remainder as there is no relationship whatever between the remainder of the transmitted string and the remainder of the message—the connection is a totally random substring on the one-time pad. • He cannot decipher any further without getting hold of that pad.

  44. One Time Pads • Although completely secure, the one-time pad is used for only the highest priority intelligence, as the production of a large number of pads and the care that must go in to ensuring they are never copied and fall into the wrong hands soon becomes excessive.

  45. Book Ciphers • A very secure cipher that can be produced without too much difficulty is a book cipher. This involves both parties holding copies of a very long piece of text, a book perhaps. • The book is the key to the whole cipher and this must remain secret. • For this reason, it would be best if the ‘book’ is written by the code makers themselves—no literary merit is required, indeed the more arbitrary and nonsensical the better.

  46. Book Ciphers • The words of the book are then numbered 1, 2, · · · and so on up to however many words can be produced. • If the sender wishes to code the message PAP, she starts reading the book and follows through till she find the first word beginning with P: it may be the 40th word, in which case the plaintext P is enciphered as the number 40. • Since the next letter is A, she would find a word beginning with A, it might be 8, so that would become the next cipher symbol. • To encipher the final P, she would locate the next word in the text beginning with P, it might be word number 104, and so her enciphered message would be 40 8 104. • Without the ‘book’ , this is a near impossible code to break, even if long messages are intercepted.

  47. Book Ciphers • To be as secure as possible, the enciphering should involve always going forward in the book and, after enciphering each symbol, a good practice is to jump to the midline of the next paragraph before continuing the search for a suitable word. • This ensures that there is little or no correlation between the words that are used in forming the cipher by separating them by large near-random distances in the text. • Although the text itself is being used up very wastefully, words are cheap. • The underlying idea is similar to the one-time pad as the first letters of the words of the text are being thought of as a random string from the alphabet and the message just tells the recipient which letters to pick out of this string in order to form the plaintext message.

  48. So finally, we get to Public Key Cryptography

  49. Alice, Bob and Eve • The three fictitious characters involved in secret transmissions traditionally go by the names of Alice and Bob with Eve, the eavesdropper, intercepting their messages and generally causing mischief. • Perhaps because of the name, Eve is usually regarded as the evil figure in the drama although this is quite unfair: • ……as Alice and Bob could be hatching plots of their own and Eve represents a benign intelligence service striving to protect citizens from the conspiratorial schemes of the other pair.

  50. Secure Key Exchange • Transmission of a secure message from Alice to Bob does not in itself necessitate the exchange of the key to a cipher, for they can proceed as follows. • Alice writes her plaintext message for Bob, and places it in a box that she secures with her own padlock. Only Alice has the key to this lock. • She then posts the box to Bob, who of course cannot open it. Bob however then adds a second padlock to the box, for which he alone possesses the key. • The box is then returned to Alice, who then removes her own lock, and sends the box for a second time to Bob. • This time Bob may unlock the box and read Alice’s message, secure in the knowledge that Eve could not have peeked at the contents during delivery process.

More Related