Computer Security: Principles and Practice

Chapter 20 – Public-Key Cryptography and Message Authentication

First Edition by William Stallings and Lawrie Brown

Lecture slides by Lawrie Brown

Public-Key Cryptography and Message Authentication

- now look at technical detail concerning:
  - secure hash functions and HMAC
  - RSA & Diffie-Hellman Public-Key Algorithms

Simple Hash Functions

- a one-way or secure hash function used in message authentication, digital signatures
- all hash functions process input a block at a time in an iterative fashion
- one of simplest hash functions is the bit-by-bit exclusive-OR (XOR) of each block

  C_i = b_i1 ⊕ b_i2 ⊕ ... ⊕ b_im

  - effective data integrity check on random data
  - less effective on more predictable data
  - virtually useless for data security

SHA Secure Hash Functions
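Why the XOR hash above is "virtually useless for data security", contrasted with SHA-256, as an added example that is not part of the original slides. The 8-byte block size and the sample message are constructed for the demonstration.

```python
import hashlib

BLOCK = 8  # block size in bytes, chosen for this demo

def split_blocks(msg, size=BLOCK):
    """Split msg into fixed-size blocks, zero-padding the last one."""
    padded = msg + b"\x00" * (-len(msg) % size)
    return [padded[i:i + size] for i in range(0, len(padded), size)]

def xor_hash(msg, size=BLOCK):
    """C_i = b_i1 xor b_i2 xor ... xor b_im, computed a whole block at a time."""
    acc = bytes(size)
    for block in split_blocks(msg, size):
        acc = bytes(a ^ b for a, b in zip(acc, block))
    return acc

def swap_blocks(msg, i, j, size=BLOCK):
    """Reorder two blocks; XOR is commutative, so the hash cannot change."""
    blocks = split_blocks(msg, size)
    blocks[i], blocks[j] = blocks[j], blocks[i]
    return b"".join(blocks)

def flip_in_two_blocks(msg, offset, mask, i, j, size=BLOCK):
    """Apply the same bit flips to blocks i and j; the two changes cancel."""
    out = bytearray(msg)
    for block_index in (i, j):
        out[block_index * size + offset] ^= mask
    return bytes(out)

def sha256(msg):
    return hashlib.sha256(msg).digest()

# Constructed sample message: four 8-byte blocks.
ORIGINAL = b"PAY-TO: ALICE   AMOUNT: 00000100"
REORDERED = swap_blocks(ORIGINAL, 0, 2)
ALTERED = flip_in_two_blocks(ORIGINAL, 5, 0x01, 1, 3)  # "ALICE!  " / "00000000"

if __name__ == "__main__":
    for label, msg in (("original", ORIGINAL), ("reordered", REORDERED),
                       ("altered", ALTERED)):
        print(f"{label:9} xor={xor_hash(msg).hex()} "
              f"sha256={sha256(msg).hex()[:16]}... {msg!r}")
```

All three messages share one XOR hash, while their SHA-256 digests differ.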

- SHA originally developed by NIST/NSA in 1993
- was revised in 1995 as SHA-1
  - US standard for use with DSA signature scheme
  - standard is FIPS 180-1 1995, also Internet RFC3174
  - produces 160-bit hash values
- NIST issued revised FIPS 180-2 in 2002
  - adds 3 additional versions of SHA
  - SHA-256, SHA-384, SHA-512
  - with 256/384/512-bit hash values
  - same basic structure as SHA-1 but greater security
- NIST intend to phase out SHA-1 use

SHA-512 Structure

SHA-512 Round

Other Secure Hash Functions

- most based on iterated hash function design
  - if compression function is collision resistant
  - so is resultant iterated
- MD5 (RFC1321)
  - was a widely used hash developed by Ron Rivest
  - produces 128-bit hash, now too small
  - also have cryptanalytic concerns
- Whirlpool (NESSIE endorsed hash)
  - developed by Vincent Rijmen & Paulo Barreto
  - compression function is AES derived W
  - produces 512-bit hash

HMAC

- interest in a MAC using a cryptographic hash
  - due to speed and code availability
- must incorporate key into use of hash alg
- HMAC (RFC2104) widely supported
  - used in IPsec, TLS & SET
- HMAC treats hash as "black box"
- HMAC proven secure if embedded hash function has reasonable cryptographic strength

HMAC Structure

Security of HMAC
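The RFC 2104 construction written out, as an added example that is not part of the original slides: the key is padded to the hash's block size, XORed with the ipad and opad constants, and the hash is called twice as a black box. The key and message are constructed sample values, and the result is checked against Python's standard `hmac` module.

```python
import hashlib
import hmac

def hmac_rfc2104(key, msg, hash_name="sha256"):
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m))."""
    def h(data):
        # The embedded hash is only ever called through this one function.
        return hashlib.new(hash_name, data).digest()

    block_size = hashlib.new(hash_name).block_size  # 64 for SHA-256, 128 for SHA-512
    if len(key) > block_size:
        key = h(key)                      # over-long keys are hashed first
    key = key.ljust(block_size, b"\x00")  # K': key zero-padded to one block

    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return h(opad + h(ipad + msg))

def verify(key, msg, tag, hash_name="sha256"):
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_rfc2104(key, msg, hash_name), tag)

# Constructed sample values.
KEY = b"constructed-demo-key"
MSG = b"transfer 100 to account 42"

if __name__ == "__main__":
    for name in ("sha1", "sha256", "sha512"):
        ours = hmac_rfc2104(KEY, MSG, name)
        ref = hmac.new(KEY, MSG, name).digest()
        print(name, ours.hex()[:32], "matches stdlib:", ours == ref)
    tag = hmac_rfc2104(KEY, MSG)
    print("genuine message verifies:", verify(KEY, MSG, tag))
    print("altered message verifies:", verify(KEY, MSG + b"0", tag))
```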

- security based on underlying hash strength
- have prob given time and no msg-MAC's
- either attacker computes output even with random secret IV
  - brute force key O(2^n), or use birthday attack
- or attacker finds collisions in hash function even when IV is random and secret
  - ie. find M and M' such that H(M) = H(M')
  - birthday attack O(2^(n/2))
  - MD5 secure in HMAC since only observe

RSA Public-Key Encryption

- by Rivest, Shamir & Adleman of MIT in 1977
- best known & widely used public-key alg
- uses exponentiation of integers modulo a prime
- encrypt: C = M^e mod n
- decrypt: M = C^d mod n = (M^e)^d mod n = M
- both sender and receiver know values of n and e
- only receiver knows value of d
- public-key encryption algorithm with
  - public PU = {e, n} & private key PR = {d, n}.

RSA Algorithm

RSA Example

Attacks on RSA
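A toy run of the encrypt and decrypt formulas above, together with the blinding countermeasure this slide names against timing attacks, as an added example that is not part of the original slides. The primes p = 17, q = 11, the exponent e = 7 and the message 88 are constructed values, far too small for real use.

```python
import math
import secrets

# Constructed toy parameters (illustration only).
P, Q, E = 17, 11, 7
N = P * Q                    # n = 187, part of both PU and PR
PHI = (P - 1) * (Q - 1)      # 160
D = pow(E, -1, PHI)          # d = e^-1 mod phi(n) = 23

def encrypt(m):
    """C = M^e mod n, using the public key PU = {e, n}."""
    if not 0 <= m < N:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, E, N)

def decrypt(c):
    """M = C^d mod n, using the private key PR = {d, n}."""
    return pow(c, D, N)

def decrypt_blinded(c):
    """Decrypt with blinding.

    The private exponentiation runs on c * r^e for a fresh random r, a value
    the sender of c cannot predict, so its timing is decoupled from c.
    """
    while True:
        r = secrets.randbelow(N - 2) + 2          # r in [2, n-1]
        if math.gcd(r, N) == 1:                   # r must be invertible mod n
            break
    blinded = (c * pow(r, E, N)) % N              # C' = C * r^e mod n
    m_blinded = pow(blinded, D, N)                # (C')^d = M * r mod n
    return (m_blinded * pow(r, -1, N)) % N        # strip r again: M

if __name__ == "__main__":
    c = encrypt(88)
    print("d =", D, " C =", c)
    print("plain decrypt  :", decrypt(c))
    print("blinded decrypt:", decrypt_blinded(c))
```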

- brute force
  - trying all possible private keys
  - use larger key, but then slower
- mathematical attacks (factoring n)
  - see improving algorithms (QS, GNFS, SNFS)
  - currently 1024-2048-bit keys seem secure
- timing attacks (on implementation)
  - use - constant time, random delays, blinding
- chosen ciphertext attacks (on RSA props)

Diffie-Hellman Key Exchange

- first public-key type scheme proposed
- by Diffie & Hellman in 1976 along with the exposition of public key concepts
  - note: now know that Williamson (UK CESG) secretly proposed the concept in 1970
- practical method to exchange a secret key
- used in a number of commercial products
- security relies on difficulty of computing discrete logarithms

Diffie-Hellman Algorithm

Diffie-Hellman Example

- have
  - prime number q = 353
  - primitive root α = 3
- A and B each compute their public keys
  - A computes YA = 3^97 mod 353 = 40
  - B computes YB = 3^233 mod 353 = 248
- then exchange and compute secret key:
  - for A: K = (YB)^XA mod 353 = 248^97 mod 353 = 160
  - for B: K = (YA)^XB mod 353 = 40^233 mod 353 = 160
- attacker must solve:
  - 3^a mod 353 = 40 which is hard
  - desired answer is 97, then compute key as B does

Key Exchange Protocols

Man-in-the-Middle Attack
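The Diffie-Hellman example numbers (q = 353, α = 3, XA = 97, XB = 233) run once honestly and once with the public values replaced in transit as this slide describes, as an added example that is not part of the original slides. Assumptions: Bob's transmitted value is taken to be his public key YB, the interposer exponents 5 and 7 are constructed, and the transcript comparison is an added detection check rather than something the slides specify.

```python
import hashlib

Q, ALPHA = 353, 3        # prime and primitive root from the slide
XA, XB = 97, 233         # A's and B's private keys from the slide

def public(x):
    """Y = alpha^X mod q."""
    return pow(ALPHA, x, Q)

def shared(peer_public, x):
    """K = (peer's Y)^X mod q."""
    return pow(peer_public, x, Q)

def transcript_tag(initiator_pub, responder_pub, key):
    """Fingerprint of what one side saw: both public values plus its key.

    The two tags must be compared over a channel the interposer cannot
    alter (read aloud, or signed with long-term keys); that channel is an
    assumption of this sketch.
    """
    data = f"{initiator_pub}|{responder_pub}|{key}".encode()
    return hashlib.sha256(data).hexdigest()

def run_exchange(xd1=None, xd2=None):
    """Return (alice_key, bob_key, alice_tag, bob_tag).

    With xd1 and xd2 set, the value Bob receives is YD1 and the value
    Alice receives is YD2 instead of the genuine public keys.
    """
    ya, yb = public(XA), public(XB)
    to_bob = ya if xd1 is None else public(xd1)
    to_alice = yb if xd2 is None else public(xd2)
    alice_key = shared(to_alice, XA)
    bob_key = shared(to_bob, XB)
    return (alice_key, bob_key,
            transcript_tag(ya, to_alice, alice_key),
            transcript_tag(to_bob, yb, bob_key))

if __name__ == "__main__":
    for label, args in (("honest", ()), ("substituted", (5, 7))):
        ka, kb, ta, tb = run_exchange(*args)
        print(f"{label:11} alice_key={ka} bob_key={kb} tags_match={ta == tb}")
```

In the substituted run Alice and Bob hold different keys and their transcript tags disagree, which is the signal an authenticated comparison surfaces.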

- attack is:
  1. Darth generates private keys XD1 & XD2, and their public keys YD1 & YD2
  2. Alice transmits YA to Bob
  3. Darth intercepts YA and transmits YD1 to Bob. Darth also calculates K2
  4. Bob receives YD1 and calculates K1
  5. Bob transmits XA to Alice
  6. Darth intercepts XA and transmits YD2 to Alice. Darth calculates K1
  7. Alice receives YD2 and calculates K2
- all subsequent communications compromised

Other Public-Key Algorithms

- Digital Signature Standard (DSS)
  - FIPS PUB 186 from 1991, revised 1993 & 96
  - uses SHA-1 in a new digital signature alg
  - cannot be used for encryption
- elliptic curve cryptography (ECC)
  - equal security for smaller bit size than RSA
  - seen in standards such as IEEE P1363
  - still very new, but promising
  - based on a mathematical construct known as the elliptic curve (difficult to explain)

Summary

- discussed technical detail concerning:
  - secure hash functions and HMAC
  - RSA & Diffie-Hellman Public-Key Algorithms