PKCS (Public-Key Cryptography Standards)

PKCS (Public-key cryptography standards)
Códigos y Criptografía, Francisco Rodríguez Henríquez

Network Access Security Model
(figure only)

Security Levels
• Confidentiality – protection from disclosure to unauthorized persons
• Integrity – maintaining data consistency
• Authentication – assurance of the identity of a person, or of the originator of data
• Non-repudiation – the originator of a communication cannot deny it later
• Authorization – identity combined with an access policy grants the right to perform some action

Security Building Blocks
• Encryption provides confidentiality; it can also provide authentication and integrity protection, but only in an authenticated mode (plain encryption does not detect modification of the ciphertext)
• Checksums/hash algorithms provide integrity protection; when keyed (see MAC below) they can provide authentication
• Digital signatures provide authentication, integrity protection and non-repudiation

Keys
• Symmetric keys
  – Both parties share the same secret key
  – A major problem is distributing the key securely
  – DES: its 56-bit key has been considered unsafe for financial purposes since 1998
  – Triple DES (3DES) applies DES three times, with three DES keys (or two, in the two-key variant)
• Public/private keys
  – The two keys are mathematically linked (in RSA the private exponent is the inverse of the public one modulo φ(n)); what one key encrypts only the other can decrypt
  – Private keys are known only to the owner
  – Public keys are stored on public servers, usually in an X.509 certificate
  – RSA (US patent expired September 2000), Diffie-Hellman, DSA

A Simplified Model of Conventional Encryption
(figure only)

Public-Key Cryptography
(two figure slides)

Message Digest
• A message digest, also known as a one-way hash function, is a fixed-length, computationally unique identifier corresponding to a set of data. That is, each unit of data (a file, a buffer, etc.)
will map to a particular short block, called a message digest. It is not random: digesting the same unit of data with the same digest algorithm always produces the same short block.
• A good message digest algorithm has the following qualities
  – It accepts input data of any length.
  – It produces a fixed-length output for any input.
  – The digest reveals nothing about the input used to generate it.
  – It is computationally infeasible to produce data that has a specific digest (preimage resistance).
  – It is computationally infeasible to produce two different units of data with the same digest (collision resistance).

Hash Algorithms
• Reduce variable-length input to fixed-length output (128 or 160 bits for MD5 and SHA-1, the algorithms of the time; both are now broken for collision resistance, and SHA-2 or SHA-3 with at least 256-bit output is used instead)
• Requirements
  – Can't deduce the input from the output
  – Can't generate an input for a given output
  – Can't find two inputs which produce the same output

Hash Algorithms
• Used to
  – Produce a fixed-length fingerprint of arbitrary-length data
  – Produce data checksums to enable detection of modifications (an unkeyed, unsigned hash only detects accidental modification; an attacker who can change the data can recompute the hash)
  – Distil passwords down to fixed-length encryption keys
• Also called message digests or fingerprints

Message Authentication Code (MAC)
• Hash algorithm + key, so that the hash value depends on the key
• The most common form is HMAC (hash-based MAC), loosely written as hash(key, hash(key, data)); precisely (RFC 2104):
  HMAC(K, m) = H((K' ⊕ opad) || H((K' ⊕ ipad) || m))
  where K' is K padded (or, if longer than the block, first hashed) to the block size of H, ipad is the byte 0x36 repeated and opad is the byte 0x5C repeated
• The key affects both the start and the end of the hashing process (which is what defeats the length-extension forgeries possible against a plain H(key || data))
• Naming: hash + key = HMAC-hash
  – MD5 → HMAC-MD5
  – SHA-1 → HMAC-SHA1 (recommended at the time; today HMAC-SHA256)

RSA: An Example
(figure only)

Digital Signatures
• Combines a hash with a digital signature algorithm
• To sign
  – hash the data
  – apply the signer's private key to the hash (for RSA this is the "encrypt with the private key" operation, applied to a padded hash as specified in PKCS #1)
  – send the data, the signer's name and the signature
• To verify
  – hash the data
  – apply the signer's public key to the signature ("decrypt with the public key")
  – the result should match the hash
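The HMAC construction described above, written out as an added example (this is not code from the slides): it implements RFC 2104 directly on top of hashlib, handles keys longer than the hash block size, cross-checks the result against Python's own hmac module and a published RFC 2202 test vector, and shows that the slide's shorthand hash(key, hash(key, data)) is not the same function. The key and message in demo() are constructed sample inputs.

```python
import hashlib
import hmac  # standard library; used only to cross-check the hand-rolled construction


def hmac_rfc2104(key: bytes, data: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC exactly as RFC 2104 defines it:
        HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m))
    K' is the key brought to the block size of H: hashed first if it is longer
    than a block, then zero-padded. The key therefore enters at the start (inner
    hash) and at the end (outer hash) of the computation."""
    block_size = hashlib.new(hash_name).block_size      # 64 bytes for MD5/SHA-1/SHA-256
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + data).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def naive_nested_mac(key: bytes, data: bytes, hash_name: str = "sha1") -> bytes:
    """The slide's shorthand hash(key || hash(key || data)): no block-size padding,
    no ipad/opad constants. It is a keyed function, but it is NOT HMAC and does
    not interoperate with anything that expects HMAC."""
    inner = hashlib.new(hash_name, key + data).digest()
    return hashlib.new(hash_name, key + inner).digest()


def verify_mac(key: bytes, data: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Constant-time comparison, so a byte-by-byte '==' cannot leak how many
    leading bytes of a forged tag were already correct."""
    return hmac.compare_digest(hmac_rfc2104(key, data, hash_name), tag)


def demo() -> dict:
    # Constructed sample inputs for the demonstration.
    key = b"constructed-example-key"
    msg = b"transfer 100 to account 42"
    long_key = b"k" * 100                                 # longer than the 64-byte block
    ours = hmac_rfc2104(key, msg, "sha1")
    return {
        "tag_hex": ours.hex(),
        "matches_stdlib": ours == hmac.new(key, msg, "sha1").digest(),
        "long_key_ok": hmac_rfc2104(long_key, msg, "sha256")
        == hmac.new(long_key, msg, "sha256").digest(),
        "naive_differs": naive_nested_mac(key, msg) != ours,
        "tampered_rejected": not verify_mac(key, b"transfer 900 to account 42", ours),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The RFC 2202 vector (key "Jefe", message "what do ya want for nothing?") is the quickest way to catch a wrong ipad/opad or a missing block-size step; a MAC implementation that cannot reproduce a published vector should not be trusted.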
Digital Signatures
• A data string associating a message with an originating entity
  – Signature generation algorithm
  – Signature verification algorithm
  – Signature scheme
• Used for authentication, integrity and non-repudiation
• Public key certification is one of the most significant applications

Digital Signature/Verification Schemes
(three figure slides)

Diffie-Hellman protocol
(three figure slides)

Key exchange: Diffie-Hellman protocol
Public parameters: a prime p and a generator g. The exponents a and b stay private to each machine; only T_A and T_B travel over the network.

  Machine A                              Machine B
  1. Picks a at random (a ∈ GF(p))       1. Picks b at random (b ∈ GF(p))
  2. Computes T_A = g^a mod p            2. Computes T_B = g^b mod p
  3. Sends T_A                           3. Receives T_A
  4. Receives T_B                        4. Sends T_B
  5. Computes K_A = T_B^a mod p          5. Computes K_B = T_A^b mod p

K = K_A = K_B, because
  T_B^a = (g^b)^a = g^(ba) = g^(ab) = (g^a)^b = T_A^b  (mod p)

Message for Anita in La Jornada (a newspaper ad; p and g need not be secret)
"Dear Anita of my heart: I would like our prime number to be 128903289023 and our g to be 23489. With love, Betito."

Middle-person attack
• Consider the following scenario:

  Anita                     Middleperson                         Betito
  g^a = 8389                g^x = 5876                           g^b = 9267
  sends 8389 -->            intercepts 8389, forwards 5876 -->   receives 5876
  receives 5876 <--         intercepts 9267, forwards 5876 <--   sends 9267
  Shared key K_AX: 5876^a = 8389^x                               Shared key K_BX: 9267^x = 5876^b

• After this exchange the middle-person attacker simply decrypts any message sent by A or B, reads it and possibly modifies it, then re-encrypts it with the appropriate key and transmits it to the intended party.
• The middle-person attack is possible because Diffie-Hellman by itself does not authenticate the participants. Possible solutions are digital signatures (over the exchanged values) and other protocol variants.

Solution: Mutual authentication (challenge-response under a shared key K_AB; R1, R2 are fresh random nonces)
  A -> B : "I am A", R1
  B -> A : R2, K_AB{R1}
  A -> B : K_AB{R2}

Reflection attack (T knows no key and talks to B in two parallel sessions)
  T -> B : "I am A", R1        session 1: T claims to be A
  B -> T : R2, K_AB{R1}        B challenges "A" with R2
  T -> B : "I am A", R2        session 2: T reflects R2 as its own challenge
  B -> T : R3, K_AB{R2}        B obligingly computes K_AB{R2} for T
T now answers session 1 with the K_AB{R2} it obtained from session 2, and B accepts it as A.

Encryption across a packet-switching network
(figure only)

Elements of PKI
• Certificate Authorities (CA) – OpenSSL, Netscape, Verisign, Entrust, RSA Keon
• Public/private key pairs – key management
• X.509 identity certificates – certificate management
• LDAP servers

PKCS
• Public-Key Cryptography Standards (PKCS)
• Owned by RSA and motivated to promote RSA
• Created in the early 1990s
• Numbered from PKCS #1 to PKCS #15
• Some along the way have
  – lost interest
  – been folded into other PKCS
  – been taken over by other standards bodies
• They continue to evolve

RSA cryptosystem by layers (top to bottom)
• Protocols and applications: SSL, TLS, WTLS, WAP, etc.
• PKCS user functions: PKCS1_OAEP_Encrypt, PKCS1_OAEP_Decrypt, PKCS1_v15_Sign, ...
• PKCS primitives: PKCS1_OAEP_Encode, PKCS1_OAEP_Decode, etc.
• RSA primitive operations: encryption C = M^e mod n, decryption M = C^d mod n
• F_p finite field operations: addition, squaring, multiplication, inversion and exponentiation

PKCS #1
• RSA Encryption Standard, version 1.5 (1993)
• RSA Cryptography Standard, version 2.0 onwards (1998)

PKCS #1
• Specifies how to use the RSA algorithm securely for encryption and signature
• Why do we need this?
  – Padding for encryption
  – Different schemes for signature

PKCS #1
• Chosen-ciphertext attack based on the multiplicative property of RSA
• The attacker wishes to decrypt c:
  – choose r, compute c' = c · r^e mod n
  – get the victim to decrypt c', giving (c')^d = c^d · r mod n
  – c^d · r · r^(-1) mod n = c^d mod n
• Padding destroys the multiplicative property: a decryptor that checks the padding format rejects c', because m · r mod n is not a correctly padded block. (The v1.5 format check is itself an oracle: its accept/reject answer is enough for Bleichenbacher's 1998 attack, which is why version 2.0 introduced OAEP.)

RSA: Key Generation
RSA: Encryption, Decryption
RSA: An Example
(figure slides)

RSA encryption is deterministic
• We can check whether M is the plaintext of C by testing C = M^e mod n.
• Attack example: C = PIN^e mod n, where PIN is a 4-digit number. We can find M by brute force (10,000 trial encryptions) within tens of seconds.
• => We need a semantically secure cryptosystem!
• Semantically secure: for two messages M0, M1 and C = M_b^e mod n, an attacker cannot guess which b ∈ {0, 1} was encrypted.
• An easy way is to pad M with a random integer R, as M || R, but this has no security proof! (OAEP, the padding of PKCS #1 v2.0, is the one that does.)

Chosen Ciphertext Attack (CCA)
  attacker --(ciphertext C)--> decryption oracle holding d --(information based on C, d)--> attacker
• An attack example:
  (0) Assume the decryption oracle computes A^d mod n for any request A.
  (1) The attacker computes A = R^e · C mod n for a random R in Z_n, and sends A to the decryption oracle.
  (2) The decryption oracle computes B = A^d mod n and sends B back to the attacker.
  (3) The attacker computes B / R = M mod n and obtains the message M.
• There are several schemes that are secure against chosen-ciphertext attack.

Side Channel Attacks
Algorithm: Binary exponentiation. Input: a in G, exponent
