Cryptography and Public Key Infrastructure

Agenda
- Cryptography: what is it?
- Public-key infrastructure (PKI): how does PKI use cryptography?
- Standards and specifications: what are the standards that we adhere to?
- Smart cards' role in PKI: what are smart cards for?
- Applications: PKI-enabled applications.
- ACS's product line: what role does ACS play?

Motivation
- Almost all smart card applications use cryptography.
- Cryptography is all around us! We are using more PKI than you think!
- Crypto and PKI are everywhere!

Part 1: Cryptography

What is Cryptography?
- Cryptography is a tool to provide security.
- Cryptography has four purposes.

Four purposes of cryptography
- No one else has seen it: Confidentiality (encryption/decryption).
- No one else has modified it: Data integrity (digital signature).
- You are who you say you are: Authentication (digital signature).
- If you signed it, you cannot deny signing it: Non-repudiation (digital signature).

Encryption
Two main types of encryption schemes:
1. Symmetric-key (secret-key) encryption: the same key is used by both sender and recipient.
2. Asymmetric-key (public-key) encryption: each user has a public encryption key e_user and a private decryption key d_user.

Secret key encryption
[Figure: Alice and Bob, sharing one secret key, communicate over a channel.]
- Standard symmetric key algorithms: DES, 3DES, AES.
- To demonstrate (courtesy of Pike Wong of HKUST):
[Figure: the plaintext "Let's invade the earth at 17:00 today" is encrypted into scrambled ciphertext such as "&(*_+#LPLD)!?": <@!)(&^$%ras^ *()", sent, and decrypted back to the same plaintext ("I see ... heehee").]

Secret key encryption. Problem: key distribution
- Potential key leakage.
- Difficult to manage.
[Figure: the two parties exchange their shared key ("Here's my key", "Me too!", "OK, I got your key"); a human spy who also obtains it says "Next time I will know when they start the attack!"]

Secret key encryption. Problem: repudiation
- Two parties have the same key.
- The encrypted message can be viewed and modified by both parties.
[Figure: an encrypted request "Hey, can you buy 1000 shares of MS for me?" is answered "OK, I will buy 1000 shares of MS for you." The next day: "Hey, I've not asked you to buy anything!" / "But the email is encrypted with your key! Give me the money for that 1000 shares!" / "Remember that you have the same key!"]

Public key encryption
- A pair of public/private keys per user.
- Based on a mathematically hard problem.
[Figure: Alice encrypts with Bob's public key and sends over the channel; Bob decrypts with Bob's private key.]
Advantages:
- Only the public key is distributed to others (key distribution).
- Only the owner knows his private key (non-repudiation).
Disadvantages:
- Computationally expensive.
Standard asymmetric key encryption algorithms: RSA, ECC.
[Figure: a message is encrypted with Pong's public key and decrypted with Pong's private key; the human spy, holding only the public key, says "Even we got the key, we cannot know the secret!?"]

Combining two techniques for encryption
[Figure: Alice and Bob communicate over the channel using a session key; Bob's public key and Bob's private key protect the session key.]

Hash functions
- A one-way function H(·) that takes a message m and outputs a "fingerprint" of the message (digest), e.g. SHA-1, SHA-256.
- Used as a part of digital signatures.

Digital signatures
- Support data integrity, authentication and non-repudiation.
- Use public key algorithms.
- Use hash functions to create a short message for signing.
- Standard signature algorithms: RSA, DSA, ECDSA.
[Figure: Alice signing a document with her private key.]

Signature verification
[Figure: Bob verifying Alice's signed document with her public key.]

Difference between public key encryption and signature
Encryption:
- Anyone encrypts with the public key.
- The owner decrypts with the private key.
Signature:
- The owner signs with the private key.
- Anyone verifies the signature with the public key.

Notes on secret key algorithms

Algorithm      | Key strength (bits) | Input block (bits) | Comments
---------------|---------------------|--------------------|---------------------------------------
DES            | 56                  | 64                 | Standardized in 1977, insecure now
2-key 3DES     | 80                  | 64                 | Secure up to 2010
3-key 3DES     | 112                 | 64                 | Most peer reviewed; secure up to 2030
CAST5          | 128                 | 64                 | Secure, standard in PGP
IDEA           | 128                 | 64                 | Patent issues, efficient
AES (Rijndael) | 128, 192, 256       | 128                | International standard (2001)
Twofish        | 128, 192, 256       | 128                | AES finalist

Summary of public key algorithms
- The most popular algorithms today are RSA and ECC. The longer the key length, the harder it is to crack.
- RSA (Rivest, Shamir, Adleman) is based on the difficulty of factoring large integers: given N = pq, where p and q are prime, find p and q.
  [Figure: multiplying p and q to obtain N is easy; factoring N back into p and q is hard.]
- RSA is widely used in electronic commerce and freely available (patent expired).
- Elliptic Curve Cryptography (ECC) is based on the difficulty of finding a discrete log on an elliptic curve: given P and Q where Q = mP, find m.
- ECC is next generation and very efficient; MS Vista and 7 support it in CNG. Numerous patents are hampering its acceptance.
- Others, such as the Digital Signature Algorithm and Diffie-Hellman, are not popular anymore.

Notes on public key algorithms
Use of a symmetric key algorithm requires public key algorithms of equivalent strength.

Algorithm security lifetimes | Bits of security | Symmetric key algorithm | FFC (e.g., DSA, D-H) | IFC (e.g., RSA) | ECC (e.g., ECDSA)
-----------------------------|------------------|-------------------------|----------------------|-----------------|------------------
Through 2010                 | 80               | 2TDEA                   | L = 1024, N = 160    | k = 1024        | f = 160-223
Through 2030                 | 112              | 3TDEA                   | L = 2048, N = 224    | k = 2048        | f = 224-255
Beyond 2030                  | 128              | AES-128                 | L = 3072, N = 256    | k = 3072        | f = 256-383
…                            | 192              | AES-192                 | L = 7680, N = 384    | k = 7680        | f = 384-511
…                            | 256              | AES-256                 | L = 15360, N = 512   | k = 15360       | f = 512+

Source: NIST SP800-57 Part 1.

Public Key Infrastructure

Why do we need a PKI?
Public key security issues:
- Users can generate their own public/private key pairs and exchange them, but how do other parties trust them?
- If you receive a public key from Alien Pkie, how do you know it's Pkie's key and not the human spy's?
Solution: digital certificates
- Bind the user's public key with a digital certificate signed by a trusted third party.
- The trusted third party is called the certification authority (CA). The CA will vouch for its subscribers.

Entities of PKI
[Figure: Certificate Authorities (CAs), which trust each other; Corporations and Individual Subscribers; Relying Parties.]

Components of a Certification Authority
- Registration Authority (RA): registers subscribers into the system.
- Certification Authority (CA): creates digital certificates by binding user identity to public key.
- Certificate Repository: a directory service to store certificates for subscribers.
- Certificate Revocation System: a service to invalidate any certificates that have been compromised.
[Figure: Hong Kong Post repository and CRL.]

So, what is a digital certificate?
- Used to establish trust between entities.
- Ensures that the integrity of the public key is protected, and that the public key and identity information are bound to the claimed owner in a trusted manner.
- Digital signatures: your identifying information and public key are signed with the CA's private key.

X.509 Certificate – Format
- The de facto standard is the X.509 v3 certificate format, specified in IETF RFC 3280.
- An X.509 certificate consists of a Signature Algorithm Identifier, a Signature Value, and the To Be Signed (TBS) Certificate, which contains: Version, Serial Number, Certificate Signature Algorithm, Issuer Name, Validity, Subject Name, Subject Public Key Info, Issuer Unique ID, Subject Unique ID, Extensions.

X.509 Certificate – Example
- Version: 3
- Serial Number: 0D:0C:B0
- Certificate Signature Algorithm: PKCS#1 SHA-1 RSA
- Issuer Name: CN = Hongkong Post e-Cert CA 1, O = Hongkong Post, C = HK
- Validity: Not Before 19/3/2004 6:26:26, Not After 19/3/2007 6:26:26
- Subject Name: CN = Andrew Chan, E = [email protected], O = Hongkong Post e-Cert (Personal), C = HK
- Subject Public Key Info: Algorithm = PKCS#1 RSA, Public Key = 0x30..01

X.509 Certificate – Signing certificate
[Figure: the same X.509 field layout (Signature Algorithm Identifier, Signature Value, TBS Certificate fields), used to illustrate signing of the certificate.]

Certificate Revocation List (CRL)
- When a certificate has been revoked or suspended, an entry (its serial number) is made in the CRL.
- Clients can download the CRL from the CA's repository.
- The CA updates its CRL according to its Certificate Practice Statement (CPS).

The steps in subscribing to a CA
[Figure: the Subscriber provides proof of identity and (optionally) generates a public/private key pair; the RA requests the certificate; the CA issues the certificate and posts it in the Repository; the Subscriber receives the certificate; Relying Parties validate the subscriber's public key against the Repository.]

Life Cycle of a Certificate
[Figure only.]

How does your PC use certificates?
- Windows has a number of Root CA certificates in the Certificate Store.
- Root CA certificates are certificates that your PC trusts implicitly.
- All intermediate CA certs and end-entity certs that are signed by or chained to those Root CA certs are implicitly trusted.
- Microsoft has a Root Certificate Program to determine who to trust.
[Figure: Root CA cert → Intermediate CA certs → your cert or a website's cert.]

How trust is established on your PC; Certificates; Trusted Certificate Authority; Non-trusted CA
[Figures only.]

Smart Card Role in PKI
- A secure, tamper-resistant and portable way of transporting and using cryptographic keys.
- Cryptographic smart cards:
  - contain powerful crypto co-processors;
  - private keys and secret keys never leave the card;
  - the public/private key pair can be generated inside the smart card;
  - all private key and secret key computations are performed in the card;
  - users can have their card with them at all times.
- Sometimes called a "PKI Smart Card".

Using a crypto smart card for digital signature
[Figures only (two slides).]

Digital Certificate Generation
Two methods of generating a digital certificate:
1. The CA generates a key pair in a secure environment, signs the certificate, and imports the cert to the smart card.
1.
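The following Go program is an added example and not part of the slides. It puts the "Combining two techniques for encryption" slide together with the digital signature slides: a random session key carries the message, Bob's public key carries the session key, Alice signs a SHA-256 digest with her private key, and Bob verifies it with her public key before decrypting. Alice, Bob, the Seal/Open/Demo names and the choice of RSA-OAEP, RSA-PSS and AES-GCM are assumptions made here; the message is the one from the demonstration slide, and the two failure cases (a bit flipped by the human spy, and Bob signing in Alice's name) mirror the key-distribution and repudiation slides.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

type Envelope struct {
	WrappedKey []byte // AES session key, encrypted with Bob's public key (RSA-OAEP)
	Ciphertext []byte // nonce || AES-256-GCM ciphertext of the message under the session key
	Signature  []byte // Alice's RSA-PSS signature over SHA-256(Ciphertext)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is Alice's side: a fresh session key encrypts the bulk data, only that key goes
// through the expensive public-key operation, and Alice signs a short digest of the result.
func Seal(msg []byte, bobPub *rsa.PublicKey, alicePriv *rsa.PrivateKey) (*Envelope, error) {
	sessionKey, nonce := make([]byte, 32), make([]byte, 12) // 12 bytes = standard GCM nonce
	rand.Read(sessionKey) // crypto/rand.Read fills the slice; Go 1.24+ documents it never errors
	rand.Read(nonce)
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nonce, nonce, msg, nil) // output is nonce || ciphertext || tag
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, bobPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	d := sha256.Sum256(ct) // sign the digest, not the whole message (hash-function slide)
	sig, err := rsa.SignPSS(rand.Reader, alicePriv, crypto.SHA256, d[:], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Ciphertext: ct, Signature: sig}, nil
}

// Open is Bob's side: verify Alice's signature with her public key first, then unwrap the
// session key with Bob's private key. Only Alice can make that signature, hence non-repudiation.
func Open(env *Envelope, bobPriv *rsa.PrivateKey, alicePub *rsa.PublicKey) ([]byte, error) {
	d := sha256.Sum256(env.Ciphertext)
	if err := rsa.VerifyPSS(alicePub, crypto.SHA256, d[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("not from Alice, or modified in transit: %w", err)
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, bobPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Ciphertext[:12], env.Ciphertext[12:], nil)
}

// Demo runs the exchange with fresh 2048-bit keys and the slide's message, then checks two
// failure modes: a ciphertext bit flipped in transit, and an envelope Bob signed with his own key.
func Demo() (plain string, tamperRejected, forgeryRejected bool) {
	check := func(err error) {
		if err != nil {
			panic(err) // key generation or sealing failing means the demo cannot run
		}
	}
	alice, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	bob, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	msg := []byte("Let's invade the earth at 17:00 today") // constructed sample input
	env, err := Seal(msg, &bob.PublicKey, alice)
	check(err)
	pt, err := Open(env, bob, &alice.PublicKey)
	check(err)
	env.Ciphertext[12] ^= 0x01 // the human spy modifies one ciphertext bit in transit
	_, tamperErr := Open(env, bob, &alice.PublicKey)
	forged, err := Seal(msg, &bob.PublicKey, bob) // sealed and signed with Bob's key, not Alice's
	check(err)
	_, forgeErr := Open(forged, bob, &alice.PublicKey)
	return string(pt), tamperErr != nil, forgeErr != nil
}

func main() {
	fmt.Println(Demo())
}
```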
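As a second added example (not from the slides; Go standard library only, Go 1.19 or later for x509.ParseRevocationList), this program stands up the PKI the second part of the deck describes: a CA self-signs its root, binds a subscriber's identity to the subscriber's public key in an X.509 v3 certificate, publishes a CRL carrying the revoked serial number, and a relying party chains the certificate to the trusted root and consults that CRL. The MiniPKI type, its methods and the CA name are constructed; the serial 0D:0C:B0 and the subject "Andrew Chan" mirror the example certificate slide.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MiniPKI holds one CA (the trusted root), one certificate it issued and the CA's latest CRL.
type MiniPKI struct {
	Root  *x509.Certificate
	Leaf  *x509.Certificate
	CRL   []byte // DER-encoded CertificateList signed by the CA; nil until Revoke is called
	caKey *ecdsa.PrivateKey
}

// must turns a setup failure (key generation, certificate creation) into a panic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewMiniPKI plays the RA/CA steps of the "subscribing to a CA" slide: the CA self-signs its
// root, the subscriber generates a key pair, and the CA binds that public key to the
// subscriber's identity by signing an X.509 v3 certificate with the CA's private key.
func NewMiniPKI() *MiniPKI {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{CommonName: "Example e-Cert CA 1", Country: []string{"HK"}},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // may sign certificates and CRLs
	}
	// Self-signed: template and parent are the same certificate, signed with the CA's own key.
	root := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	subKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // the subscriber's own key pair
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(0x0D0CB0), // same shape as the slide's serial 0D:0C:B0
		Subject:      pkix.Name{CommonName: "Andrew Chan", Organization: []string{"Example e-Cert (Personal)"}, Country: []string{"HK"}},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(3 * 365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	// Issuer Name and Authority Key ID are copied from root; only caKey can produce this signature.
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, root, &subKey.PublicKey, caKey))))
	return &MiniPKI{Root: root, Leaf: leaf, caKey: caKey}
}

// Revoke publishes a new CRL that lists the given serial number, as the CRL slide describes.
func (p *MiniPKI) Revoke(serial *big.Int) error {
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: time.Now()}},
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, p.Root, p.caKey)
	if err == nil {
		p.CRL = der // a failed update never replaces a good CRL, which would fail open
	}
	return err
}

// Validate is the relying party's check: chain to the trusted root, then consult the CRL,
// trusting the CRL only if the CA signed it.
func (p *MiniPKI) Validate(cert *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.Root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("does not chain to a trusted CA: %w", err)
	}
	if p.CRL == nil {
		return nil // the CA has not published a CRL yet
	}
	crl, err := x509.ParseRevocationList(p.CRL)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(p.Root); err != nil {
		return fmt.Errorf("CRL is not signed by the CA: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("serial %X is listed in the CA's CRL", cert.SerialNumber)
		}
	}
	return nil
}

func main() {
	p := NewMiniPKI()
	fmt.Println(p.Validate(p.Leaf), p.Revoke(p.Leaf.SerialNumber), p.Validate(p.Leaf))
}
```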