
ITCS461 Computer and Communication Security
Applications of Cryptography:
Key Exchange, Message Digest, Signatures, Certificates
2/2016
Instructors:
Section 1: Dr. Assadarat Khurat, assadarat.khu@mahidol.ac.th
Section 2: Dr. Sudsanguan Ngamsuriyaroj, sudsanguan.nga@mahidol.ac.th
Section 3: Dr. Damras Wongsawang, damras.won@mahidol.ac.th

Applications of Cryptography
Public-key encryption is much slower than symmetric-key encryption
Public key is used only for specialized, infrequent tasks (key exchange, signatures)
Symmetric key is the real workhorse (bulk data encryption)
Four applications of cryptography covered here:
Key Exchange
Hash/Message Digest for Message Authentication / Message Integrity
Digital Signatures
Certificates
ITCS461 COMPUTER AND COMMUNICATION SECURITY
Key Exchange
Motivation:
X and Y don't know each other
X needs to send a secure message to Y (e.g. a credit card number for shopping on a web site)
How can the two parties securely agree on the same (symmetric) key?
Problems of key exchange
Important but not easy
To establish a secure session we need a secure channel, but to get a secure channel we first need a shared key
Solved by public-key cryptography, since a public key can be sent even over an insecure channel (what must be protected is its integrity, not its secrecy; see the man-in-the-middle attack on Diffie-Hellman below)


Key Exchange via Key Distribution (diagram not reproduced)


Symmetric Key Exchange via Public Key
Given S and R and two pairs of keys:
KPRV-S, KPUB-S and KPRV-R, KPUB-R
Solution 1:
S determines a secret key x
S encrypts x with KPRV-S: C = E(KPRV-S, x)
S sends C to R
R decrypts C to get x: D(KPUB-S, C) = x
S & R communicate using the secret (symmetric) key x
BUT: Solution 1 is not good!!!
Anyone knowing KPUB-S (i.e. everyone) can do the decryption and get x!


Symmetric Key Exchange via Public Key
Solution 2:
S determines the secret key x
S encrypts x with KPUB-R: C = E(KPUB-R, x)
S sends C to R
R decrypts C to get x: D(KPRV-R, C) = x
S & R can communicate using the secret (symmetric) key x
Solution 2 is better
Only R can decrypt x, since only R knows its private key
But it is still not quite good. Why?
Reason: no message authentication
How does R know that the key x was sent by S, when anybody knows the public key of R and could have produced C?

Symmetric Key Exchange via Public Key
Solution 3:
S determines the secret key x
S encrypts x with both KPRV-S and KPUB-R:
C = E(KPUB-R, E(KPRV-S, x))
S sends C to R
R decrypts C to get x:
D(KPUB-S, D(KPRV-R, C)) = x   (the order is very important: undo the outer layer first)
Solution 3 is now good!
Only R can decode x (only R knows KPRV-R)
Authentication: R is assured that S sent C, since only S can encrypt x with KPRV-S
Caveat: "encrypting with the private key" is really a signature, and real protocols sign first and then encrypt, as here. Even so, Solution 3 has no freshness: a captured C can be replayed to R later unless a nonce or timestamp is included in the signed data.

Diffie-Hellman Key Exchange
The first public-key exchange, proposed by Diffie & Hellman in 1976 along with the public-key concept
It allows two users to agree on a key publicly and securely
A practical method to establish a secret key
Used in a number of commercial products
Security relies on the difficulty of computing discrete logarithms
a is a primitive root of the prime p if a^i mod p (i = 1, ..., p-1) generates all the elements 1, 2, ..., p-1 in some permutation
Diffie-Hellman Key Exchange
All users agree on global parameters:
A large prime q
Select a < q such that a is a primitive root mod q
(a mod q, a^2 mod q, ..., a^(q-1) mod q are distinct and cover 1 to q-1)
For example, q = 7 and a = 3:
3^1 = 3, 3^2 = 2, 3^3 = 6, 3^4 = 4, 3^5 = 5, 3^6 = 1 (all mod 7)
Each user generates his key:
Choose a secret key (number): x_A < q
Compute his public key: y_A = a^(x_A) mod q
Each user makes the key y_A public

Diffie-Hellman Key Exchange
Shared session key for users A & B is K_AB:
K_AB = a^(x_A * x_B) mod q
     = y_A^(x_B) mod q (which B can compute)
     = y_B^(x_A) mod q (which A can compute)
Proof:
K_AB = y_B^(x_A) mod q = (a^(x_B) mod q)^(x_A) mod q
     = (a^(x_B))^(x_A) mod q = (a^(x_A))^(x_B) mod q
     = (a^(x_A) mod q)^(x_B) mod q = y_A^(x_B) mod q
Diffie-Hellman Key Exchange (diagram not reproduced)

Another Diffie-Hellman Example
Alice & Bob agree to use a prime q = 23 and a = 5
Select random secret keys:
Alice chooses x_A = 6, Bob chooses x_B = 15
Alice computes her public key and sends it to Bob:
y_A = 5^6 mod 23 = 8
Bob computes his public key and sends it to Alice:
y_B = 5^15 mod 23 = 19
Alice computes the shared session key K_AB as:
y_B^(x_A) mod 23 = 19^6 mod 23 = 2
Bob computes the shared session key K_AB as:
y_A^(x_B) mod 23 = 8^15 mod 23 = 2
Diffie-Hellman Key Exchange: Man-in-the-Middle Attack
Both y_A and y_B can be intercepted and replaced in transit, because there is no authentication between A and B: each side then shares a key with the attacker rather than with the other party, and the attacker can decrypt, read and re-encrypt every message
Solution: use digital signatures and certificates to authenticate the exchanged public values
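The exchange above, with the slides' toy parameters (q = 23, a = 5, x_A = 6, x_B = 15) and the man-in-the-middle attack run end to end, as an added example that is not part of the original slides. The attacker's exponent x_M = 13, the tiny group size and the function names are assumptions for illustration; a real deployment uses a group of at least 2048 bits (or an elliptic curve) and authenticates y_A and y_B.

```python
"""Diffie-Hellman over the slides' toy parameters, plus the man-in-the-middle
attack that an unauthenticated exchange permits."""


def is_primitive_root(a: int, q: int) -> bool:
    """a is a primitive root mod prime q if a^1 .. a^(q-1) mod q hit every value 1..q-1."""
    return sorted(pow(a, i, q) for i in range(1, q)) == list(range(1, q))


def public_key(a: int, q: int, x: int) -> int:
    """y = a^x mod q; the secret exponent x never leaves its owner."""
    return pow(a, x, q)


def shared_key(y_other: int, x: int, q: int) -> int:
    """K = y_other^x mod q, equal on both sides because (a^xB)^xA = (a^xA)^xB."""
    return pow(y_other, x, q)


def honest_exchange(a: int, q: int, x_a: int, x_b: int) -> int:
    """Alice and Bob publish y_A, y_B over the open channel and derive K_AB."""
    y_a, y_b = public_key(a, q, x_a), public_key(a, q, x_b)
    k_a = shared_key(y_b, x_a, q)
    k_b = shared_key(y_a, x_b, q)
    assert k_a == k_b, "both sides must derive the same key"
    return k_a


def mitm_exchange(a: int, q: int, x_a: int, x_b: int, x_m: int) -> dict:
    """Mallory replaces y_A and y_B in flight with her own y_M. Neither Alice nor
    Bob can tell: each still derives a key, but it is shared with Mallory, who
    relays and can read everything. x_m is the attacker's secret exponent."""
    y_a, y_b = public_key(a, q, x_a), public_key(a, q, x_b)
    y_m = public_key(a, q, x_m)
    return {
        "alice_key": shared_key(y_m, x_a, q),          # Alice believes this is K_AB
        "bob_key": shared_key(y_m, x_b, q),            # Bob believes this is K_AB
        "mallory_with_alice": shared_key(y_a, x_m, q),
        "mallory_with_bob": shared_key(y_b, x_m, q),
    }


if __name__ == "__main__":
    Q, A = 23, 5                   # toy group from the slides; assumption-sized, not real
    assert is_primitive_root(A, Q)
    print("honest K_AB =", honest_exchange(A, Q, 6, 15))      # 2, as on the slide
    leak = mitm_exchange(A, Q, 6, 15, 13)                      # x_M = 13 is an assumption
    print("Alice<->Mallory:", leak["alice_key"], leak["mallory_with_alice"])
    print("Bob<->Mallory:  ", leak["bob_key"], leak["mallory_with_bob"])
```

Alice and Bob each finish with a key that "works", which is exactly why the protocol alone gives no hint that anything is wrong; only a signature over y_A and y_B (backed by a certificate) lets each side reject a substituted value.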

A Simple Hash Function
Split the message into m blocks of n bits and XOR them bit by bit:
C_i = b_i1 XOR b_i2 XOR ... XOR b_im
where C_i is bit i of the n-bit hash and b_ij is bit i of block j
One-Way Hash Function
A fixed-size value, called the message digest (MD), is generated from the message using a hash function: MD = H(M)
No secret key is involved
The hash function has the property that
given M, it is easy to compute MD, but given MD it is computationally infeasible to invert H, i.e. to find an M with H(M) = MD

Hash & Message Digest
Maps a message of variable length n bits to a fingerprint of fixed length m bits, with m < n
Because m < n, a hash is a many-to-one mapping, so collisions must exist; a cryptographic hash is designed so that they are infeasible to find and so that the mapping is one-way
Two fundamental properties: compression and easy to compute
Thus, hash functions can be used to detect changes to a message
Hash & Message Digest
Hash functions are used to compute the following:
Checksum
Message Integrity Code/Check (MIC)
Message Authentication Code (MAC)
Message Digest (MD)
Solution: send a message of n + k bits
n bits: the original message
k bits: a checksum/MIC/MAC/MD/hash computed over the n bits
The receiver verifies by recomputing the k-bit hash over the received n bits and checking whether it matches the received k bits

Hash & Message Digest
Checksums
Simple odd/even parity detects a single bit error (any odd number of flipped bits)
Richer codes (2-D parity, CRC, ECC) can detect multiple errors
Some can even repair multiple errors
These checksums are designed to catch accidental errors, not to deal with attacks: an attacker who changes the message can recompute the checksum, or compensate so that it stays the same
For attacks we need cryptographic checksums / strong hash functions
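To make the last point concrete, here is the simple block-XOR hash from the earlier slide (C_i = b_i1 XOR ... XOR b_im) used as the k-bit check in the n + k bit scheme, together with the fix-up an attacker applies so that the receiver's check still passes. This is an added example, not code from the slides; the 4-byte block size, the function names and the sample messages are assumptions.

```python
"""The slides' simple block-XOR hash and why an error-detecting checksum is
worthless against a deliberate attacker: whoever changes the message can also
make the checksum come out the same."""
import hashlib

BLOCK = 4  # 4-byte blocks, i.e. a 32-bit hash (block size is an assumption)


def xor_hash(message: bytes, block: int = BLOCK) -> bytes:
    """Zero-pad to a multiple of `block` bytes, then XOR the blocks together:
    bit i of the result is the parity of bit i across all m blocks."""
    if len(message) % block:
        message += b"\x00" * (block - len(message) % block)
    out = bytes(block)
    for off in range(0, len(message), block):
        out = bytes(x ^ y for x, y in zip(out, message[off:off + block]))
    return out


def sha256_hash(message: bytes) -> bytes:
    """Cryptographic hash for comparison; no cheap fix-up block exists for it."""
    return hashlib.sha256(message).digest()


def forge_same_xor_hash(original: bytes, tampered: bytes, block: int = BLOCK) -> bytes:
    """Return `tampered` plus one compensating block so that xor_hash() of the
    forgery equals xor_hash(original). Since XOR is its own inverse, the fix-up
    block is simply xor_hash(original) XOR xor_hash(tampered)."""
    fix = bytes(x ^ y for x, y in zip(xor_hash(original, block), xor_hash(tampered, block)))
    if len(tampered) % block:                       # keep `fix` in a block of its own
        tampered += b"\x00" * (block - len(tampered) % block)
    return tampered + fix


def check_passes(sent: bytes, received: bytes, hash_fn) -> bool:
    """The receiver's integrity check from the slides: recompute and compare."""
    return hash_fn(sent) == hash_fn(received)


if __name__ == "__main__":
    original = b"pay alice 100 dollars"                    # constructed sample
    forged = forge_same_xor_hash(original, b"pay mallory 999 dollars")
    print("XOR check passes on forgery:", check_passes(original, forged, xor_hash))
    print("SHA-256 check passes on forgery:", check_passes(original, forged, sha256_hash))
```

In a binary format the attacker would spend the compensation inside an existing field instead of appending a block, but the arithmetic is the same: for any linear checksum the forgery costs one XOR, while for SHA-256 the only known route is a brute-force search of the full output space.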
Hash & Message Digest
Using a hash to compute a MIC (Message Integrity Check)
Does not use a key
One-way hash functions
Collision-resistant hash functions
Using a hash to compute a MAC (Message Authentication Code)
Uses a key
Used for both authentication and integrity
Other uses
Key stream generation
Password security
As a fingerprint of a program or document, to detect any modification

Hash & Message Digest
Message Integrity Check (MIC)
How can we be sure that a received message was not modified by an attacker, or corrupted by errors, during transmission?
Answer: use cryptography to ensure integrity
Idea:
Wax seals on letters in ancient history: easy to see if broken
Electronic (cryptographic) seal on a message, so that any change will be detected
Attacks on Message Integrity:
Pigeonhole Principle
n containers for n + 1 objects: at least 1 container will hold two objects
Example:
Length of a message = 5 bits, length of hash = 3 bits
2^5 = 32 possible messages vs. 2^3 = 8 possible hash values
On average 4 (32/8) different messages hash to each value, so some hash value is shared by at least 4 messages (collisions!)
Real messages and hash values are much longer than 5 or 3 bits!
Thus we know that collisions exist, but it is much tougher to find them, and much tougher still to forge a meaningful message that collides

Hash & Message Digest
Message Authentication Code
Encryption protects against passive attack (eavesdropping)
We also need protection against active attack (falsification of data)
Thus we need message or data authentication
Hash & Message Digest
Message Authentication (diagram not reproduced)

Attacks on Message Authentication:
Birthday Paradox
Hashes are used to protect against intentional misuse
Two things can happen:
Signing one message and later claiming that the other (colliding) one was actually sent
Getting someone else to sign a message, but sending another one that carries the signature of the first
Because of the birthday attack, the hash must be twice as long as the security level wanted: for 64-bit collision resistance we need a 128-bit hash
Attacks on Message Authentication:
Birthday Paradox
Given a group of people, the minimum number of people such that two of them share the same birthday with probability > 0.5 is only 23
Why 23?
From the probability computation, P(K) = 0.5 gives K ≈ 1.18 * sqrt(n); with n = 365, K ≈ 22.5, i.e. 23
The same rule applies to an m-bit hash: about 2^(m/2) random messages are enough to find two with the same hash value
Main idea: it is possible that any two messages may have the same hash value!!!
It is a threat to the security of the system
Thus, the length of the hash code should be substantial
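The pigeonhole count, the birthday probability and a birthday attack carried out against a deliberately shortened hash, as an added example for the two slides above (not code from the original). The truncation of SHA-256 to a few bits, the `msg-N` candidate messages and the function names are assumptions made so the attack finishes in milliseconds; the arithmetic is the same for a full-width hash, only 2^(m/2) becomes astronomically large.

```python
"""Collisions made concrete: the pigeonhole count, the birthday bound and a
birthday attack on a deliberately truncated SHA-256."""
import hashlib
import math


def messages_per_hash_value(message_bits: int, hash_bits: int) -> int:
    """Pigeonhole: 2^message_bits messages share 2^hash_bits values."""
    return 2 ** message_bits // 2 ** hash_bits


def birthday_probability(k: int, n: int) -> float:
    """P(at least one collision) among k values drawn uniformly from n."""
    p_distinct = 1.0
    for i in range(k):
        p_distinct *= (n - i) / n
    return 1.0 - p_distinct


def samples_for_half(n: int) -> int:
    """Smallest k with collision probability > 0.5 (23 for n = 365)."""
    k = 1
    while birthday_probability(k, n) <= 0.5:
        k += 1
    return k


def birthday_bound(n: int) -> float:
    """Closed-form approximation sqrt(2 ln 2 * n) ~ 1.18 sqrt(n); for an m-bit
    hash n = 2^m, so the bound is about 2^(m/2)."""
    return math.sqrt(2 * math.log(2) * n)


def truncated_hash(message: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256, a deliberately weak stand-in for a short hash."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") >> (256 - bits)


def find_collision(bits: int, prefix: bytes = b"msg-"):
    """Birthday attack: hash distinct messages until two share a truncated digest.
    Returns (m1, m2, attempts). attempts is typically near sqrt(2^bits); the loop
    bound 2^bits + 1 is where the pigeonhole principle guarantees success."""
    seen = {}
    for i in range(2 ** bits + 1):
        m = prefix + str(i).encode()            # constructed candidate message
        h = truncated_hash(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
    raise AssertionError("unreachable: pigeonhole principle guarantees a collision")


if __name__ == "__main__":
    print("people for p>0.5:", samples_for_half(365), "approx", round(birthday_bound(365), 2))
    m1, m2, tries = find_collision(24)
    print(f"24-bit collision after {tries} hashes (2^24 = {2**24}):", m1, m2)
```

Note what the attack does not need: it never inverts the hash and never targets a particular digest. It only needs enough distinct candidates for two of them to coincide, which is why a 128-bit MD5 offered at best 64 bits of collision resistance even before its structural weaknesses were found.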

Requirements for Hash Functions
The hash can be applied to a block of data of any size
The hash produces a fixed-length output
H(x) is relatively easy to compute for any given x, making both hardware and software implementations practical
Requirements for Hash Functions
Given a function h: X -> Y, we say that h has:
preimage resistance (one-way property):
if given y, it is computationally infeasible to find a value x such that h(x) = y
weak collision resistance (second-preimage resistance):
if given x, it is computationally infeasible to find a value x', x' != x, such that h(x') = h(x)
strong collision resistance:
if it is computationally infeasible to find any two distinct values x, x' such that h(x) = h(x')

Types of Hash Functions for MD
MD2: produces a 128-bit hash value; perceived as slower and less secure than MD4 and MD5
MD4: produces a 128-bit hash of the message, using bit operations on 32-bit operands for fast implementation
MD5: produces a 128-bit output; was widely used, but its collision resistance is now broken (see MD5 Insecurity below)

MD5
Processes input of arbitrary length
32-bit word computations
128-bit message digest as output
The message is padded to 64 bits less than a multiple of 512 bits (64 bytes)
A 64-bit length field is then appended
Processed in 64-byte (512-bit) blocks, i.e. 16 words of 32 bits each
128-bit intermediate results (chaining value)
4 passes per block
Different constants (T[1..64]) for each message word in all passes
MD5 Details
The message is padded (a 1 bit followed by 0s) so that its length L satisfies L ≡ 448 (mod 512) bits
Append an unsigned 64-bit integer giving the length of the message before padding
Initialize the 4-word (128-bit) buffer (A, B, C, D) as shown in the diagram
The message is processed in 16-word (512-bit) chunks, using 4 rounds of 16 steps each (64 steps per block)

Processing of Block m_i for 4 Passes
Input: chaining value MD_i = (A, B, C, D) and message block m_i
ABCD = fF(ABCD, m_i, T[1..16])
ABCD = fG(ABCD, m_i, T[17..32])
ABCD = fH(ABCD, m_i, T[33..48])
ABCD = fI(ABCD, m_i, T[49..64])
MD_(i+1) = MD_i + ABCD (word-wise addition mod 2^32 of the four registers)
Mangling functions (F, G, H, I) and random numbers (T[1..64])
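MD5 built from the description on the three slides above (padding to 448 mod 512, 64-bit length, four passes of sixteen steps over (A, B, C, D) with the T[1..64] constants, feed-forward after each block) and checked against the standard library, as an added example; this is not code from the slides. The block also shows the consequence of that chaining structure: anyone who knows MD5(secret || message) and the length of the secret can continue the hash, which is what breaks the naive keyed hash Hash(Key || Message) discussed later in the deck. The secret, messages and function names are assumptions.

```python
"""MD5 from the slides' description, verified against hashlib, plus the
length-extension attack that its Merkle-Damgard chaining makes possible."""
import hashlib
import math
import struct

MASK32 = 0xFFFFFFFF
MD5_INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)   # buffer A, B, C, D
# T[1..64] from the standard: floor(2^32 * |sin(i)|), i = 1..64
T = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK32 for i in range(64)]
# per-step left-rotation amounts, sixteen per pass
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md5_padding(message_len: int) -> bytes:
    """Padding for a message of message_len bytes: a 1 bit, zeros up to
    448 mod 512 bits, then the original bit length as a 64-bit little-endian int."""
    zeros = (56 - (message_len + 1) % 64) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack("<Q", (message_len * 8) & (2 ** 64 - 1))


def md5_compress(state, block: bytes):
    """One 512-bit block through the four passes fF, fG, fH, fI (16 steps each),
    followed by the feed-forward MD_{i+1} = MD_i + ABCD."""
    m = struct.unpack("<16I", block)
    a, b, c, d = state
    for i in range(64):
        if i < 16:                                        # pass F, T[1..16]
            f, g = (b & c) | (~b & MASK32 & d), i
        elif i < 32:                                      # pass G, T[17..32]
            f, g = (d & b) | (~d & MASK32 & c), (5 * i + 1) % 16
        elif i < 48:                                      # pass H, T[33..48]
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:                                             # pass I, T[49..64]
            f, g = c ^ (b | (~d & MASK32)), (7 * i) % 16
        f = (f + a + T[i] + m[g]) & MASK32
        a, d, c, b = d, c, b, (b + _rotl(f, S[i])) & MASK32
    return tuple((x + y) & MASK32 for x, y in zip(state, (a, b, c, d)))


def md5_digest(message: bytes, state=MD5_INIT, already_hashed: int = 0) -> bytes:
    """MD5 of message. `state` and `already_hashed` (a multiple of 64) let the
    hash resume from a known chaining value; the defaults give plain MD5."""
    data = message + md5_padding(already_hashed + len(message))
    for off in range(0, len(data), 64):
        state = md5_compress(state, data[off:off + 64])
    return struct.pack("<4I", *state)


def matches_hashlib(message: bytes) -> bool:
    return md5_digest(message) == hashlib.md5(message).digest()


def length_extend(known_tag: bytes, known_len: int, suffix: bytes):
    """Given tag = MD5(secret || msg) and len(secret || msg), forge the tag of
    secret || msg || glue || suffix without knowing secret: the tag *is* the
    chaining state after the last block, so hashing can simply continue."""
    glue = md5_padding(known_len)
    state = struct.unpack("<4I", known_tag)
    return glue, md5_digest(suffix, state, known_len + len(glue))


def naive_keyed_hash_is_forgeable(secret: bytes, message: bytes, suffix: bytes) -> bool:
    """Attacker sees (message, tag) and guesses only len(secret)."""
    tag = md5_digest(secret + message)
    glue, forged = length_extend(tag, len(secret) + len(message), suffix)
    return forged == hashlib.md5(secret + message + glue + suffix).digest()
```

The forged message contains the glue bytes (0x80, zeros, length field), which many parsers tolerate inside a string value; the receiver recomputes MD5(secret || forged) and accepts. SHA-1 and SHA-256 have the same chaining structure and the same exposure, which is why HMAC hashes twice with the key folded into both invocations.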

MD5 Compression Function (a single step; diagram not reproduced)

MD5 Insecurity
1993: Two different IVs produce the same digest (pseudo-collision of the compression function)
1996: Collision of the compression function
2004: A project was done to crack MD5 using the birthday attack
Aug 2004: collisions were found in 1 hour on an IBM p690
March 2005: collisions within a few hours on a single notebook
March 2006: collisions within 1 minute on a single notebook
"Rainbow tables" are available on the Internet to invert MD5 hashes of unsalted passwords (a precomputed preimage lookup, a different problem from the collision attacks above)
Message Authentication without Encryption
There are many situations in which authentication without confidentiality is preferable:
1. The message is broadcast to a number of destinations
2. A receiver may not have the time or resources to decrypt every message
3. A computer program can be executed without having to decrypt it every time, which would be wasteful of processor resources

Message Authentication Codes (MAC)
A MAC is a small block of data generated from a message using a secret key
The MAC is appended to the message and sent to the receiver
Upon receiving, the receiver generates a new MAC using the same secret key and compares the two MACs:
If they are equal, authenticity is assured
Otherwise, it is not
Message Authentication Codes (MAC)
Assume that only the receiver and the sender know the same secret key. Then the receiver is:
1. Assured that the message has not been altered
2. Assured that the message is from the alleged sender
3. Assured of a proper sequence if the message includes a sequence number

Message Authentication Codes (MAC) using Secret Key (diagram not reproduced)
Verification for MAC
In general, hash functions are public, but the key shared between the sender and the receiver is secret
The MAC output cannot be produced without knowing the secret key
Sender computes mac1 = MAC(M, K) and sends it along with the message M
Receiver computes mac2 = MAC(M, K) and checks whether mac1 = mac2
-- If yes: accept the message; if no: reject
Because mac1 could be generated only by someone who knew the secret key K, this mechanism provides data-origin authentication
Caveats: the receiver also holds K and could have produced mac1 itself, so a MAC gives no non-repudiation (that needs a digital signature); and the comparison must run in constant time, since a byte-by-byte compare that stops at the first mismatch leaks the correct tag through timing

Message Authentication Codes (MAC) using Public/Private Key (diagram not reproduced)
Secure Hash Algorithm (SHA)
Similar in structure to MD5; like MD5 it takes no key (a keyed MAC such as HMAC is built on top of it)
SHA-0: FIPS PUB 180, 1993. Withdrawn shortly after publication
SHA-1: FIPS PUB 180-1, 1995. 160-bit hash
SHA-2: FIPS PUB 180-2, 2002
SHA-224, SHA-256, SHA-384, SHA-512
SHA-3: standard released by NIST on August 5, 2015; not meant to replace SHA-2
Used in TLS, SSL, PGP, SSH, S/MIME, and IPsec
Required (as a FIPS standard) for US government applications
Used in the Digital Signature Standard
NIST validates implementations

Secure Hash Algorithm (SHA): SHA-2 (table not reproduced)
Overview of SHA-1
Developed by NIST (first version 1993, SHA-1 revision 1995) as the message digest (hash) function for the Digital Signature Standard (DSS)
The message is processed sequentially in 512-bit blocks
Input message must be < 2^64 bits (not a problem)
Produces a message digest of 160 bits
SHA design is similar to MD5, but a little slower to execute and more secure
MD5 makes 4 passes (64 steps)
SHA-1 makes 5 passes in this slide's accounting (80 steps, since the 16-word block is expanded to 5 x 16 words; the steps are grouped into four rounds of 20 by their round function and constant)

Overview of SHA-1
160-bit hash using 512-bit blocks and 32-bit operations
Five passes (80 steps)
Maximum message size is 2^64 bits
Each 512-bit block (16 words) is expanded to 5 x 512 bits (80 words): the n-th word is the XOR of words n-3, n-8, n-14, and n-16
In SHA-1 (the only difference from SHA-0) the result is rotated left by one bit; since rotation distributes over XOR, rotating each word before the XOR gives the same value
Total 80 words: W0, ..., W79
Overview of SHA-1 (diagram not reproduced)

SHA-1 Single Block Process
Initial values:
A = 67452301
B = efcdab89
C = 98badcfe
D = 10325476
E = c3d2e1f0
Round functions f_t(B, C, D):
W[0..19]:  f1 = (B AND C) OR ((NOT B) AND D)
W[20..39]: f2 = B XOR C XOR D
W[40..59]: f3 = (B AND C) OR (B AND D) OR (C AND D)
W[60..79]: f4 = B XOR C XOR D
SHA-1 One Round Process
Round constants K_t:
W(0..19):  K_t = 5A827999
W(20..39): K_t = 6ED9EBA1
W(40..59): K_t = 8F1BBCDC
W(60..79): K_t = CA62C1D6
Step t (inputs A, B, C, D, E; outputs A, B, C, D, E):
temp = CLS5(A) + f_t(B, C, D) + E + W_t + K_t   (additions mod 2^32)
E = D; D = C; C = CLS30(B); B = A; A = temp
(CLSn = circular left shift by n bits)

Secure Hash Algorithm (SHA-512)
Creates a digest of 512 bits from a multi-block message with 1024 bits per block
Length of the input message must be less than 2^128 bits


Overview of SHA-512 (diagram not reproduced)
SHA-512 Rounds (diagram not reproduced)


New Standard SHA-3
SHA-1 had not yet been broken in practice when these slides were written (2016) but was already considered insecure (a serious flaw was found in 2004; a practical collision was published in February 2017)
SHA-1 is being phased out in favour of SHA-2
In 2007, NIST called for the SHA-3 competition
SHA-3 basic requirements:
Must be able to replace SHA-2
Must preserve the online (streaming) nature of SHA-2
On Oct 2, 2012, Keccak (pronounced "catch-ack") was declared the winner and the basis of the new SHS
NIST released SHA-3 on August 5, 2015; it is not meant to replace SHA-2

SHA Insecurity
SHA-0:
1998: an attack with time complexity 2^61 was shown for SHA-0, compared to the generic birthday bound of 2^80
12 Aug 2004: collision for SHA-0 with 2^51 complexity
17 Aug 2004: collision for SHA-0 with 2^40
SHA-1:
Phased out by 2010 in favour of SHA-2 (NIST policy for US government use)
Feb 2005: 2^69 operations instead of 2^80
17 Aug 2005: 2^63 for finding a collision
2^35 compression function evaluations for (reduced) 64-round SHA-1
SHA Comparison (table not reproduced)

Keyed Hash Function as MAC
Desire to create a MAC using a hash function rather than a block cipher
Hash functions are generally faster
Library code availability
The hash includes a key along with the message
Naive KeyedHash = Hash(Key || Message); with Merkle-Damgård hashes (MD5, SHA-1, SHA-2) this allows length-extension forgeries, so it should not be used
Eventually led to the development of HMAC:
HMAC_K(M) = Hash[ (K+ XOR opad) || Hash[ (K+ XOR ipad) || M ] ]
where K+ is the key padded with zeros to the block size b, and the two constants are
ipad = 0011 0110 (36 in hex, repeated b/8 times) and
opad = 0101 1100 (5C in hex, repeated b/8 times)
Keyed Hash Function as MAC
HMAC Structure (diagram not reproduced)
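HMAC assembled directly from the formula above (K+, ipad, opad, two hash invocations) and compared with the standard library, together with the receiver-side check from the Verification for MAC slide done in constant time. This is an added example, not code from the slides or from any library; the keys and messages are constructed, and the RFC 2104 rule that a key longer than the block size is first hashed is included because the slide's zero-padding alone does not cover that case.

```python
"""HMAC assembled from the slides' formula and checked against the standard
library, plus a MAC verification that does not leak through timing."""
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C   # the slide's constants, repeated across the whole block


def hmac_from_formula(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC_K(M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]]."""
    block_size = hashlib.new(hash_name).block_size     # 64 bytes for MD5, SHA-1, SHA-256
    if len(key) > block_size:                          # RFC 2104: over-long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    k_plus = key + b"\x00" * (block_size - len(key))   # K+: key zero-padded to block size
    inner = hashlib.new(hash_name, bytes(b ^ IPAD for b in k_plus) + message).digest()
    return hashlib.new(hash_name, bytes(b ^ OPAD for b in k_plus) + inner).digest()


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check against hmac.new for any hash the standard library offers."""
    return hmac_from_formula(key, message, hash_name) == hmac.new(key, message, hash_name).digest()


def verify_mac(key: bytes, message: bytes, received_mac: bytes) -> bool:
    """Receiver side: recompute mac2 and compare with mac1. compare_digest runs in
    time independent of where the first differing byte is, so an attacker cannot
    guess the tag one byte at a time by measuring the rejection latency."""
    expected = hmac_from_formula(key, message)
    return hmac.compare_digest(expected, received_mac)


if __name__ == "__main__":
    key, msg = b"Jefe", b"what do ya want for nothing?"          # RFC 4231 test case 2
    tag = hmac_from_formula(key, msg)
    print("HMAC-SHA256:", tag.hex())
    print("stdlib agrees:", matches_stdlib(key, msg))
    print("tampered message accepted:", verify_mac(key, msg + b"!", tag))
```

Because the key enters both hash invocations and the outer hash covers only a fixed-length digest, an attacker who sees a valid (M, tag) pair has no chaining state to continue from, which is what the naive Hash(Key || Message) construction lacks.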

Security of HMAC
Security is based on the strength of the underlying hash: an attacker has some chance of a successful forgery given enough time and enough message-MAC pairs
A successful attack on HMAC is equivalent to one of the following:
The attacker can compute the output of the compression function even when the IV is random, secret and unknown (brute force over the key, O(2^n) for an n-bit key, or a birthday attack on the n-bit MAC output)
The attacker finds collisions in the hash function even when the IV is random and secret, that is, finds M and M' such that H(M) = H(M')
Password Security with Hash
Unix uses a secret-key algorithm (DES) to compute a one-way hash of a password and stores that
It never has to reverse the hash to obtain the password: a login attempt is hashed the same way and compared with the stored value
Convert the first 8 characters of the password (7 bits each) into a 56-bit DES key
Use it as the key to encrypt a constant (a block of zeros for Unix), iterating the encryption 25 times
A 12-bit salt value is used to modify the DES expansion (E) function, determining which bits are duplicated when expanding from 32 to 48 bits, so off-the-shelf DES hardware cannot be reused for cracking
Each time a password is set, a new salt is generated and stored with the hash
So the same password with different salts has different hash values, which defeats precomputed (rainbow) tables
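The same scheme with a modern stand-in for the DES-based crypt described above: a per-password salt, an iterated one-way function (PBKDF2-HMAC-SHA256 here), a store-and-verify pair that never inverts the hash, and an unsalted hash beside it to show what a precomputed table recovers. This is an added example and not the slides' or any system's crypt() code; the iteration count, storage format, word list and function names are assumptions.

```python
"""Salted, iterated password hashing next to an unsalted hash, to show what the
salt buys and how verification works without ever reversing the hash."""
import hashlib
import hmac
import os

ITERATIONS = 600_000                      # assumption for the example; tune to your hardware
WORDLIST = ["password", "hunter2", "letmein", "correct horse"]   # constructed word list


def unsalted_hash(password: str) -> str:
    """What NOT to store: one fixed value per password, so it can be precomputed."""
    return hashlib.sha256(password.encode()).hexdigest()


def precomputed_table(words) -> dict:
    """A tiny rainbow-table stand-in: hash -> password for every word in the list.
    Built once, it recovers any unsalted hash of a listed password instantly."""
    return {unsalted_hash(w): w for w in words}


def hash_password(password: str, salt=None, iterations: int = ITERATIONS) -> str:
    """Store algorithm, cost, salt and digest together; a fresh random salt per password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Rehash the attempt with the stored salt and cost, then compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def salts_give_distinct_hashes(password: str) -> bool:
    """Same password, two salts, two different stored values (the slide's point)."""
    a = hash_password(password, b"\x01" * 16, 1000)
    b = hash_password(password, b"\x02" * 16, 1000)
    return a != b


if __name__ == "__main__":
    table = precomputed_table(WORDLIST)
    print("unsalted lookup:", table.get(unsalted_hash("hunter2")))   # recovered at once
    stored = hash_password("hunter2")
    print("salted record:", stored)
    print("login ok:", verify_password("hunter2", stored), "| wrong:", verify_password("Hunter2", stored))
```

With a salt the attacker must rerun the whole iterated function per candidate per account, so the table built above is useless and the cost of a dictionary attack scales with the iteration count times the number of accounts.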
