Computer Security(CP24158)
Public-Key Cryptography and Message Authentication (RSA)
부산대학교 공과대학 정보컴퓨터공학부 Learning Objectives
Discuss Technical Detail Concerning:
. Secure Hash Functions and HMAC
. RSA & Diffie-Hellman Public-Key Algorithms
2 Simple Hash Functions
Purpose is to produce a “fingerprint” of a file, message, or other block of data
A one-way or secure hash function used in message authentication, digital signatures
Accepts a variable-size message M as input and produces a fixed- size message digest H(M) as output in an iterative fashion
One of simplest hash functions is the bit-by-bit exclusive-OR (XOR) of each block
Ci = bi1 bi2 . . . bim . Effective data integrity check on random data
. Less effective on more predictable data
3 Cryptograph Hash Function
A cryptographic hash function takes a message of arbitrary length and creates a message digest of fixed length.
There are two most promising cryptographic hash algorithms - SHA-512 and Whirlpool.
Iterated Cryptographic Hash Function
. The best way to create such function is using iteration, and used a necessary number of times.
. A compression function transforms one large fixed-length input into a shorter, fixed-length output.
• Compresses an n-bit string to create an m-bit string, where n > m.
. The design of a compression function must be collision resistant.
4 Cryptograph Hash Function Properties of
Secure Hash • H can be applied to a block of data of any size. 1. Functions
. To be useful for • H produces a fixed-length output. message 2. authentication, • H(x) is relatively easy to compute for any given x, making both hardware and a hash function 3. software implementations practical. H must have
the following • For any given code h, it is computationally infeasible to find x such that H(x) properties: = h. A hash function with this property is referred to as one-way or 4. preimage resistant.
• For any given block x, it is computationally infeasible to find y≠x with H(y) = H(x). A hash function with this property is referred to as weak collision 5. resistant.
• It is computationally infeasible to find any pair (x, y) such that H(x) = H(y). • A hash function with this property is referred to as collision resistant or strong 6. collision resistant.
5 Cryptograph Hash Function Two Groups of Compression Functions . The compression function is made from scratch. . A symmetric-key block cipher serves as a compression function.
Groups of Compression Functions
Hash Functions Hash Functions Made from Based on Block Scratch Ciphers
Message Digest Secure Hash Matyas-Meyer Miyaguchi- Rabin Scheme (MD) Algorithms (SHA) Oseas Scheme Preneel Scheme
• MD5: Divides message into blocks of 512 bits, and creates a 128-bit digest. – The digest size of 128-bit is too small to resist collision attack.
6 Iterated Cryptographic Hash Function
Merkle-Damagard Scheme
Rabin Scheme
7 Iterated Cryptographic Hash Function
Matyas-Meyer-Oseas Scheme
Miyaguchi-Preneel Scheme
8 SHA Secure Hash Algorithms (SHAs) . Originally developed by NIST/NSA in 1993 . Was revised in 1995 as SHA-1 • US standard for use with DSA(digital signature algorithm) signature scheme • standard is FIPS 180-1 1995, also Internet RFC3174 • produces 160-bit hash values . NIST issued revised FIPS 180-2 in 2002 • adds 3 additional versions of SHA • SHA-256, SHA-384, SHA-512 • with 256/384/512-bit hash values • same basic structure as SHA-1 but greater security NIST phased out SHA-1 use Characteristics of SHAs
9 SHA-512 Structure SHA-512 creates a 512-bit message digest out of a message less than 2128. SHA-512 is based on the Merkle-Damgard scheme.
Compression function in SHA-512 . Values of constants in message digest
Initialization of SHA-512
10 SHA-512 Structure
Padding and Length Field in SHA-512
. What is the number of padding bits if the length of the original message is 2590 bits?
• The padding consists of one 1 followed by 353 0’s. A message block and the digest as words
Word expansion in SHA-512
11 SHA-512 Structure
Word Expansion in SHA-512
. How W60 is made
• Each word in the range W16 to W79 is made from four previously-made words.
• W60 is made as
12 SHA-512 Structure
Structure of Each Round in Eighty constant, K0 to K79, used for SHA-512 eight rounds in SHA-512
13 Other Secure Hash Functions
Most based on iterated hash function design
. If compression function is collision resistant, so is resultant iterated hash function MD5 (RFC1321)
. was a widely used hash developed by Ron Rivest
. produces 128-bit hash, now too small
. also have cryptanalytic concerns Whirlpool (NESSIE endorsed hash)
. developed by Vincent Rijmen & Paulo Barreto
. an iterated cryptographic hash function, based on the Miyaguchi-Preneel scheme, that uses AES derived W block cipher in place of the compression function.
. produces 512-bit hash
14 Whirlpool
Whirlpool hash function
General idea of the Whirlpool cipher
15 Whirlpool
16 HMAC
Interest a MAC using a cryptographic hash
. Due to speed and code availability Must incorporate key into use of hash algorithm
HMAC (RFC2104) widely supported
. used in IPsec, TLS & SET HMAC treats hash as “black box”
HMAC proven secure if embedded hash function has reasonable cryptographic strength
17 Nested Message Authentication Code (MAC)
Message Authentication Code
. The security of a MAC depends on the security of the underlying hash algorithm
Nested MAC
18 HMAC Structure
Details of HMAC Details of CMAC
19 Security of HMAC
Security based on underlying hash strength
Either attacker computes output even with random secret IV
. Brute force key O(2n), or use birthday attack Or attacker finds collisions in hash function even when IV is random and secret
. i.e. find M and M‘’ such that H(M) = H(M‘’)
. birthday attack O(2n/2)
• A birthday attack is a type of cryptographic attack that exploits the mathematics behind the birthday problem in probability theory. (from wikipedia)
– The attack depends on the higher likelihood of collisions found between random attack attempts and a fixed degree of permutation.
– With a birthday attack, it is possible to find a collision of a hash function in 2n/2 being the classical preimage resistance security.
20 Key Management: Diffie-Hellman Key Exchange
First published public-key algorithm
A number of commercial products employ this key exchange technique
Purpose of the algorithm is to enable two users to exchange a secret key securely that then can be used for subsequent encryption of messages
. The algorithm itself is limited to the exchange of the keys Depends for its effectiveness on the difficulty of computing discrete logarithms
21 Key Management: Diffie-Hellman Key Exchange
A Key Exchange Protocol
. provide a secure way for two communicating party to share a symmetric key (so called a session key)
. This session key is then used to provide privacy and authentication for subsequent message flow.
. History: problem first posed by Merkle at UC Berkeley, Diffie and Hellman came up with the protocol:
Alice Bob a
gb mod p
Shared Session Key = gab mod p
• W. Diffie, M. E. Hellman, “New directions in Cryptography”, IEEE Trans. Information Theory, IT-22, pp. 64-654, Nov 1976.
22 Key Management: Diffie-Hellman Key Exchange
Example
. Let us give a trivial example to make the procedure clear. Our example uses small numbers, but note that in a real situation, the numbers are very large. Assume that g = 7 and p = 23. The steps are as follows:
1. Alice chooses x = 3 and calculates R1 = 7^3 mod 23 = 21.
2. Bob chooses y = 6 and calculates R2 = 7^6 mod 23 = 4. 3. Alice sends the number 21 to Bob.
4. Bob sends the number 4 to Alice.
5. Alice calculates the symmetric key K = 4^3 mod 23 = 18.
6. Bob calculates the symmetric key K = 21^6 mod 23 = 18.
7. The value of K is the same for both Alice and Bob;
gxy mod p = 7^(18) mod 35 = 18.
23 Security of Diffie-Hellman
Man-in-the-middle (MITM) attack
24 RSA Public-Key Encryption By Rivest, Shamir & Adleman of MIT in 1977 Best known & widely used public-key algorithm Uses exponentiation of integers modulo a prime ∗ It works in group 푍푛 Based on the assumed one-way property of modular powering
Public-key encryption algorithm with . Public key PU = {e, n} & private key PR = {d, n}. . Encrypt: C = Me mod n easy . Decrypt: M = Cd mod n = (Me)d mod n = M hard . Both sender and receiver know values of n and e . Only receiver knows value of d
25 RSA Public-Key Encryption
Complexity of operations in RSA
Encryption, decryption, and key generation in RSA
26 RSA Public-Key Encryption
Two Algebraic Structures R =
Proof of RSA . Looking for a trapdoor: (xe)d mod n = x • If d is a number such that ed=1 mod f(n), then ed=kf(n)+1 for some k, and
. Because of Euler's Theorem: • aø(n)mod N = 1 – where gcd(a, N)=1 • In RSA have: – N=p.q, ø(N)=(p-1)(q-1) – carefully chosen e & d to be inverses mod ø(N) – Hence, e·d=1+k.ø(N) for some k • Hence : Cd = (Me)d = M1+k.ø(N) = M1.(Mø(N))q = M1.(1)q = M1 = M mod N
27 RSA Public-Key Encryption
RSA Key Setup
. Each user generates a public/private key pair by:
• selecting two large primes at random - p, q
• computing their system modulus N=p·q
– note ø(N)=(p-1)(q-1)
• selecting at random the encryption key e
– where 1 • solving following equation to find decryption key d – e·d=1 mod ø(N) and 0≤d≤N . Publish their public encryption key: KU={e, N} . Keep secret private decryption key: KR={d, p, q} 28 RSA Public-Key Encryption Pseudo Code of Encryption Pseudo Code of Decryption Pseudo Code of RSA Key Generation 29 RSA Example Jennifer creates a pair of keys for herself. She chooses p = 397 and q = 401. She calculates n = 159197. She then calculates f(n) = 158400. She then chooses e = 343 and d = 12007. Show how Ted can send a message to Jennifer if he knows e and n. . Suppose Ted wants to send the message “NO” to Jennifer. He changes each character to a number (from 00 to 25), with each character coded as two digits. He then concatenates the two coded characters and gets a four-digit number. The plaintext is 1314. 30 Attacks on RSA 31 Other Public-Key Algorithms Digital Signature Standard (DSS) . FIPS PUB 186 from 1991, revised 1993 & 96 . uses SHA-1 in a new digital signature algorithm . cannot be used for encryption Elliptic Curve Cryptography (ECC) . equal security for smaller bit size than RSA . seen in standards such as IEEE P1363 . still very new, but promising . based on a mathematical construct known as the elliptic curve 32 33