Public Key Cryptography Overview

1

Ch.20 Public-Key Cryptography and Message Authentication

• I will talk about it later in this class

» give you a sample exam

» Mostly similar to homeworks

» no electronic devices: cell phone/PDA/laptop/calculator

» Open book/notes

– Extra credit project due on the same day of final

• Technical Details for Sec 2.2 to 2.4

• secure hash functions and HMAC

• RSA & Diffie-Hellman Public-Key Algorithms

Public Key Cryptography Overview

• Message authentication

– authentication codes and hash functions

• Public key encryption:

– principles and algorithms

• Exchange

of conventional keys

• Digital signatures

• Revisit key management

3

Recall Security Services (CIA)

• Confidentiality

– protection from passive attacks

• Integrity

– received as sent, no modifications, insertions, shuffling or replays

• Authentication

– you are who you claim you are

– Both message content and message source

4

Security Attacks

On the Internet, nobody knows you’re a dog - by Peter Steiner, New York, July 5, 1993

5

Security Attacks

Masquerade Denial of

service Active threats

Replay Modification of message contents

• Message authentication helps prevent these!

What Is Message Authentication

• It’s the “source,” of course!

• Procedure that allows communicating parties to verify that received messages are authentic

• Characteristics:

– source is authentic –

masquerading

– contents unaltered –

message modification

– timely sequencing –

replay

7

Can We Use Conventional Encryption?

Yes, Only when sender and receiver share a key

• Include a time stamp

• Include an error detection code and a sequence number

Masquerade Denial of

service Active threats

Replay Modification of message contents

8

Message Authentication Without Encryption: Fast!

• Append an authentication tag to a message

• Message read at the destination

– independent of the authentication function

• No message confidentiality

9

App. of Message Authentication w/o Confidentiality

• Application that broadcasts a message

– Broadcast to many different destinations

– only one destination needs to monitor for authenticity

• Too heavy a load to decrypt

– A control center collects massive amount of data – random authentication checking

• Computer executables and files

– Do not need to decrypt every execution – checked when assurance required

Life Without Authentication like

airport without traffic control

11

Message Authentication Code

• Message Authentication Code (MAC)

– use a

secret key

small block

• Assume : A and B share a common secret key K

• MAC

12

Message Authentication Code

13

Benefits of Message Authentication Code

• Receiver assured that message is not altered

• Receiver assured that the message is from the alleged sender

– no masquerading

• Include a sequence number, assured proper sequence

– no replay

Message Authentication Code using DES

• DES is used to encrypt the message, and the last 16 or 32 bits is used as the MAC

• MACs need not be reversible

– Less vulnerable to being broken than encryption

• Like Checksum

– Stands up to attack

• But there is an alternative...

15

One-Way Hash Function

• Hash function is a building block of MAC

output

• No secret key as input

• Message digest

is sent with the message for authentication

• Produces a fingerprint of the message

16

One-Way Hash Function: method 1

Message digest H(M)

Shared key

Authenticity is assured

17

One-Way Hash Function: method 2

Digital signature No key distribution Less computation since message does not have to be encrypted

One-Way Hash Function

• Encryption software is slow

• Encryption hardware costs aren’t cheap

• Hardware optimized toward large data sizes

• Algorithms covered by patents

• Algorithms subject to export control

Ideally We Would Like To Avoid Encryption

19

One-Way Hash Function: method 3

• No encryption for message authentication

• Secret value never sent; can’t modify the message

• Important technique for Digital Signatures secret value S_AB

MD_M = H(S_AB||M)

MD_M||M

20

Hash Function Requirements

1. Hcan be applied to a block of data of any size 2. Hproduces a fixed length output

3. H(x)is relatively easy to compute

4. For any given code h, it is computationally infeasible to find x such that H(x) = h; (one way) 5. For any given block x, it is computationally

infeasible to find y ≠xwith H(y) = H(x) (weak collision resistance)

• For a given block

6. It is computationally infeasible to find any pair (x,y) such that H(x) = H(y) (strong collision resistance)

• NOT a single pair

Weak

Strong

21

Simple Hash Functions

• secure (or one-way) hash function used in message authenticationand digital signatures

• a hash functions processes an input blockat a time in an iterative fashion

• Input:a sequence of n-bit blocks

• Processed:one block at a time, producing an n-bit hash

• Simplest: Bit-by-bit XOR of every block

• Longitudinal redundancy check

im i2

i1

i

= b b b

C ⊕ ⊕ L ⊕

Bitwise XOR

• Problem: to easy to find the same H(x) for a different y

– E.g., Switch the order of two blocks – Solution: Eliminate predictability of data

23

Secure Hash Algorithm (SHA)

• SHA-1, FIPS 180, (RFC3174) Developed by NISTin 1995

– Input is processed in 512-bit blocks

– Produces as output a 160-bit message digest

– Every bit of the hash code is a function of every bit of the input

– Very secure, so far! --- WANG05: 2⁸⁰ Æ 2⁶⁹

• NIST issued revised FIPS 180-2 in 2002

– adds 3 additional versions: SHA-256, SHA-384, SHA-512 – with 256/384/512-bit hash values

– same basic structure as SHA-1 but greater security

• NIST intend to phase out SHA-1 use in 2010

24

Comparison of SHA Parameters

25

SHA-512 Structure

• input a message with a max length of less than 2¹²⁸bits

– output a 512-bit message digest

• Step 1: Append padding bits:

• Step 2: Append length: an unsigned 128-bit integer length of the original message (before padding).

• Step 3: Initialize hash buffer: 8 registers of 64-bit

• Step 4: Process the msg. in 1024-bit blocks, in 80 rounds

• Step 5: Output the final hash buffer value

• The SHA-512 algorithm has the property that every bit of the hash code is a function of every bit of the input.

– the difficulty of coming up with two messages having the same message digest is on the order of 2²⁵⁶ operations

SHA-512 Secure Hash Function

append padding bits

append length

compression function

27

SHA-512 Secure Hash

Function

28

Other Secure Hash Functions

• most based on iterated hash function design (Merkle 1979)

– Most follow basic structure of SHA-1

– If the compression function is collision resistant, then so is the resultant iterated hash function

– Proven secure; new structures may bring new vulnerability

• MD5, Message Digest (RFC1321)

– most widely used hash until recently, Ron Rivest, 1992 – produces 128-bit hash, now too small

» Security of 128-bit hash code has become questionable (1996, 2004)

» CPU is faster, 2^64 is not a big deal any more

• Whirlpool (EU NESSIE endorsed hash)

– developed by Vincent Rijmen & Paulo Barreto

– compression function is AES derived W block cipher – produces 512-bit hash

29

keyed-Hash Message Authentication Code (HMAC )

• Needs of generate MAC (message authentication code) using a cryptographic hash

– Executes faster in software; No export restrictions – Simultaneously verify integrity and authenticity – due to fast speed and broad code availability

• Modifying secure hash function to generate MACs

– SHA was not designed for generating MACs

– HAMC incorporates a key into use of hash algorithm

• HMAC (RFC2104) widely supported

– used in IPsec, TLS & SET

• HMAC treats a hash as “black box”

• HMAC proven secure if embedded hash function has reasonable cryptographic strength

HMAC Structure

Message, M(including any padding)

By passing S_iand S_o through the hash algorithm, we have pseudoradomly generated two keys from K.

Two generated secret keys

output

00110110 repeat

01011100 repeat

K⁺is padded K

31

Security of HMAC

• security based on underlying hash strength

• Security of MAC: prob of successful forgery with a given time and a given # of msg-MAC pairs

• Attack 1: either attacker computes an output even with a random secret IV (unknown to attacker)

– brute force key O(2ⁿ), or use birthday attack

• Attack 2: attacker finds collisions in hash function even when the IV is random and secret

– i.e., find M and M' such that H(M) = H(M') – birthday attack O(2^n/2)

– MD5 secure in HMAC due to the time limit to collect msg-MAC pairs

32

Public Key Encryption

• Diffie and Hellman, New Directions In

– 1976

• First revolutionary advance in cryptography in thousands of years

• Based on mathematical functions, not bit manipulation

• Asymmetric, two separate key

• Profound effect on confidentiality, key

distribution and authentication

33

Public Key Ingredients

•

Plaintext: message input into the algorithm

•

Encryption algorithm: transformations on plaintext

•

Public & Private Key: pair of keys, one for encryption; one for decryption

•

Ciphertext: scrambled message

•

Decryption algorithm: produces original plaintext

Basic Steps of Encryption

• Each user generates a pair of keys: wiliki

• The public key goes in a public register

• The private key is kept private

• If Bob wishes to send a private message to Alice, Bob encrypts the message using Alice’s public key

• When Alice receives the message, she

decrypts using her private key

35

Public Key Encryption

36

Public Key

Authentication

37

Public Key Applications

• Encryption/decryption – encrypts a message with the recipient’s public key

• Digital signature – sender signs a message with private key

• Key Exchange – two sides cooperate to

exchange a session key

39

Requirements For Public Key, 1/2

• Easy for party B to generate pairs:

public key

; private key

• Easy for sender A to generate cipertext using public key:

C = E _KUb(M)

• Easy for receiver B to decrypt using the private key to recover original message

M = D_KRb(C) = D_KRb[E _KUb(M)]

40

Requirements For Public Key, 2/2

• It is computationally infeasible for an opponent, knowing the public key KU

to determine the private key

• It is computationally infeasible for an opponent, knowing the public key KU

and a ciphertext C, to recover the original message M

• Either of the two related keys can be used for encryption, with the other used for decryption

M = D_KRb[E_KUb(M)]= D_KUb[E_KRb(M)]

41

RSA Algorithm

• Ron Rivest, Adi Shamir,

– 1977

• Most widely accepted and implemented approach to public key encryption

• Block cipher, where message M and ciphertext

are integers between 0 and n-1 for some n

• Theory behind RSA: uses the exponentiation of integers modulo a prime

–Encryption: C = M

mod n –Decryption: M = C

mod n

= (M^e)^d

mod n = M

RSA Algorithm

• Sender and receiver know the values of n and e

• but only the receiver knows the value of d

• Receiver’s Public key: KU = {e,n}

• Receiver’s Private key: KR = {d,n}

43

RSA Requirements

• It is possible to find values of e, d, n – such that M

for all M < n

• It is relatively easy to calculate C = M

mod n, for all values of M < n

• It is infeasible to determine d, given e and n

44

RSA Algorithm: Key Generation

1. Select p,q p and q both prime 2. Calculate n = p x q

3. Calculate φ

4. Select integer e, such that gcd( φ

greatest common divisor,

φ

5. Calculate d d = e

mod φ

6. Public Key KU = {e,n}

7. Private key KR = {d,n}

45

RSA Algorithm

• Encryption

– Plaintext: M<n

– Ciphertext: C = M

(mod n)

• Decryption

– Ciphertext: C

– Plaintext: M = C

(mod n)

RSA Example

• Select two prime numbers, p=7 and q=17

• Calculate n = pq = 7 x 17 = 119

• Calculate φ

• Select e, such that e is relatively prime to φ

and less than φ

; in this case, e= 5

• Determine d such that de = 1 mod 96 and d<96

• The correct value is d=77, because 77 x 5 = 385

Euler totient

multiplicative inverse of e

47

RSA Example

M

e

C

d

M

48

RSA Strength

• Brute force attack: try all possible keys

– the larger e and d, the more secure – the larger the key, the slower the system

• mathematical attacks: factor n into two prime number

– For large n with large prime factors, factoring is a hard problem

– Cracked a 428 bit key in 1994

– Currently 1024 key size is considered strong enough

• timing attacks on decryption implementation

– E.g., round on decrypting ‘1’ is longer than that of ‘0’

– Defense uses constant time, random delays, blinding

• chosen ciphertext attacks (on RSA props)

49

Diffie-Hellman Key Exchange

• first public-key type scheme proposed in 1976

secretly proposed the concept in 1970

• practical method to set up a secret key – Allows two separate keys

» Compute discrete logarithms

– Exchange keys securely: Key exchange algorithm using public and private values

• security relies on difficulty of computing discrete logarithms

– Mathematical functions rather than simple operations on bit patterns

Diffie-Hellman

• used in a number of commercial products

• Some misconceptions about public key cryptography, corrected

– NOT more secure than symmetric key – Does NOT Makes symmetric key obsolete

– Central agent is needed for both in key distribution

» KDC for symmetric encryption

» Certificate Agency (CA) for public key certificate

51

discrete logarithm

• a is a primitive root of pif

– a mod p, a² mod p, a³ mod p, …, a^p-1 mod p, are distinct, and consist of the integers from 1 through (p-1) in some order

• For integer b < p, we find b = aⁱmod p, where 0≤ i ≤ p-1

• Then, i is referred to as the discrete logarithmof b, for base a and modulus p

– Denoted as dlog_a,p(b)

• It is hard to calculate i, for given b = (aⁱ mod p)

52

Diffie-Hellman Key Exchange

Enables two users

to exchange info

to build a shared

secret

53

Key Exchange Protocols

• Insecure against man-in-the-middle attack

• can not authenticate the source

Diffie-Hellman Key Exchange key setup

Alice Bob

Pick secret, random X Pick secret, random Y

a

a

Compute shared secret k=(a

)

=a

mod p

Compute shared secret

k=(a

)

=a

mod p

55

Diffie-Hellman Example

• have

– prime number q = 353 – primitive root α = 3

• A and B each compute their public values

– B computes Y_B = 3²³³ mod 353 = 248

• exchange public values and compute secret key:

– for A: K = (Y_B)^XA mod 353 = 248⁹⁷ mod 353 = 160 –for B: K = (Y_A)^XB mod 353 = 40²³³ mod 353 = 160

• attacker must solve:

– 3^a mod 353 = 40, which is hard

– desired answer is 97, then compute key as B does

56

Man-in-the-Middle Attack

• attack is:

1. Darth generates private keys X_D1 & X_D2, and their public keys Y_D1 & Y_D2

2. Alice transmits Y_A to Bob

3. Darth intercepts Y_A and transmits Y_D1 to Bob.

Darth also calculates K2

4. Bob receives Y_D1 and calculates K1 5. Bob transmits X_A to Alice

6. Darth intercepts X_A and transmits Y_D2 to Alice.

Darth calculates K1

7. Alice receives Y_D2 and calculates K2

• all subsequent communications compromised

57

Other Public-Key Algorithms

• Digital Signature Standard (DSS)

– FIPS PUB 186 from 1991, revised 1993 & 96 – makes use of SHA-1

– presents a new digital signature algorithm (DSA) – Only used for digital signatures, not encryption or key

exchange

• Elliptic Curve Cryptography(ECC)

– it is beginning to challenge RSA

– Equal security for a far smaller bit size than RSA

– still very new, but promising: Confidence level is not as high yet

– seen in standards such as IEEE P1363

– based on a mathematical construct known as the elliptic curve

Summary

• discussed technical detail concerning:

– secure hash functions and HMAC

– RSA & Diffie-Hellman Public-Key Algorithms

59

Final: Wen (5/13) 1630-1830 HOLM

• Return hws

248

• sample exam

– Sample questions for Ch.19 and Ch.20

– Mostly similar to homework questions and problems – no electronic devices: cell phone/PDA/laptop/calculator – Open book/notes

• Extra credit project due on the same day of final

– Requirements: A written report include three basic components:

– Description of the installation of the system and present sufficient proof that the system running correctly

– propose to use the tool to perform specific tasks and methods to collect data traces for these tasks

– Analysis the collected data, and draw conclusions from your data

• Class evaluation