CSE468/598 Computer Network Security Hash, DH and RSA Short Version Chun-Jen Chung Arizona State University CSE468/598 Computer Network Security Outline . Background . Hash Functions . Public key cryptography (PKC) • DH • RSA . Summary 2 CSE468/598 Computer Network Security Background CSE468/598 Computer Network Security Crypto algorithms review Encryption Authentication Hash functions Symmetric Asymmetric SHA-1 MD5 MAC Secret key: Public key: (message authentication code) DES, 3DES, AES RSA, ECC HMAC Digital Signature (secret key) (public key) Key management Manual Secret key Exchange: Public key Exchange: operation Diffie-Hellman Certificate Authority on PKI CSE468/598 Computer Network Security Introduction to Hash Functions CSE468/598 Computer Network Security Hash Algorithms Message of hash H A fixed-length arbitrary length Math transformation short message . Also known as • (Cryptographic) Hash functions • Message digests • One-way transformations • One-way functions . Length of H(m) much shorter than length of m . Usually fixed lengths: 128 or 160 bits . Example algorithms • MD5 (Message-Digest) – 128 bits output • SHA-1 (secure hash algorithm) : 160 bits output • SHA-2: 256/224, 512/384 CSE468/598 Computer Network Security Hash Algorithms (cont’d) Image from scanner All files of a floppy disk All files of a hard disk User password 8 bytes 512 K bytes 1.4 M bytes 80Giga bytes One way hash One way hash One way hash One way hash (SHA-1) (SHA-1) (SHA-1) (SHA-1) 43 B0 4C 54 3B 73 BF 4C 34 3B 54 3B 4C 34 3B 32 2B 23 70 7A 67 A2 23 3F 7D 67 A2 45 23 76 62 3C D3 AF A2 2B 4F 43 B0 4C 36 2B 7A 2B 49 3F 76 D2 37 F6 45 67 A2 23 3F 54 3B 49 28 67 3C D3 AF 27 4A 44 47 8F 93 D2 7D 43 B0 4C 19 A2 23 8F 7D 36 Hash value 20 bytes Hash value 20 bytes Hash value 20 bytes Hash value 20 bytes (160 bits) CSE468/598 Computer Network Security Applications of Hash Functions . Message Authentication Code (keyed hash) Key k Send MAC= H(k||m) Message Append to Message, hash H m Message MAC Key k MAC= Receive H(k||m) Yes: the message is authentic and Message m, hash H = ? integrity checked. MAC No: something MAC wrong CSE468/598 Computer Network Security Applications of Hash Functions . Generate/verify digital signature Send Sig(H(m))= E _ (H(m)) Message H(m) pri k hash H Sign Message, m Sig(H(m)) Private key Receive Yes: the signature H(m) Message hash H = ? is valid. m H(m) No: something wrong Sig(H(m)) Dpub_k(Sig(H(m)) Public key CSE468/598 Computer Network Security HMAC = H(S0 || H(Si || M)) CSE468/598 Computer Network Security Problem of Symmetric key Crypto How can you share a secret key securely? CSE468/598 Computer Network Security Problem of Symmetric key Crypto . Sharing key in Secret key cryptosystem • Given complete graph with n nodes (entities), nC2 = n(n-1)/2 pairs secret keys are required. • Ex.) If n=100, 99x50=4,950 keys • Problem: managing large number of secret keys is difficult. (e.g., all ASU students? Keys are lost? add new members? remove new member) b Q: how many different secret keys for five students? a A: Secret keys are required between c (a,b), (a,c), (a,d), (a,e), (b,c), (b,d), (b,e) (c,d), (c,e), (d,e) e d CSE468/598 Computer Network Security Crypto algorithms review Encryption Authentication Hash functions Symmetric Asymmetric SHA-1 MD5 MAC Secret key: Public key: (message authentication code) DES, 3DES, AES RSA, ECC HMAC Digital Signature (secret key) (public key) Key management Manual Secret key Exchange: Public key Exchange: operation Diffie-Hellman Certificate Authority on PKI CSE468/598 Computer Network Security DLP (Discrete logarithm problem) Exponentiation Logarithm x g = Y x = loggY P x (Polynomial problem) e.g., 10 = 10,000,000,000: x=10 NP Modular Exponentiation Discrete Logarithm (Hard) (Nondeterministic x Polynomial problem) g mod p = Y x=? e.g., 10x mod 19 = 9: x=10 Q: how difficult? 14 CSE468/598 Computer Network Security An example . Q: 7x mod 13 = 8, x=? . A: • x=0 70 mod 13 = 1 • x=1 71 mod 13 = 7 • x=2 72 mod 13 = 10 • x=3 73 mod 13 = 5 How difficult?? • x=4 74 mod 13 = 9 Brute Force: • x=5 75 mod 13 = 11 It would take p steps at least. • x=6 76 mod 13 = 12 What if prime p is a large • x=7 77 mod 13 = 6 number with at least 512 bits? • x=8 78 mod 13 = 3 • x=9 79 mod 13 = 8 CSE468/598 Computer Network Security P & NP problem . P problem (Polynomial problem): • fast solutions exist . NP problem (Nondeterministic Polynomial problem): • Fast solutions do not exist. • As input increases, time to solve the problem increases exponentially • But validation (Yes/No) of the answer can be done quickly . NP-complete problem: • Most hard problem among NP problems. CSE468/598 Computer Network Security DLP (Discrete logarithm problem) . Problem: • Given g, y, and prime p, find an integer x, if any, such that y = gx mod p easy x Modular Given g, x, p y=g mod p Exponentiation hard Discrete x Given g, y, p Logarithm . Application: • Used to construct Diffie-Hellman & ElGamal-type public systems: DH, DSA (Digital Signature Algorithm), … CSE468/598 Computer Network Security Diffie and Hellman key exchange CSE468/598 Computer Network Security Diffie and Hellman (DH) key exchange . Diffie-Hellman is a public key distribution scheme . First public-key type scheme, proposed in 1976. Whitfield Diffie Martin Hellman Diffie, W., and Hellman, M. New directions in cryptography. IEEE Trans. Inform. Theory IT-22, (Nov. 1976), 644-654. CSE468/598 Computer Network Security DH Applications . DH is currently used in many protocols, namely: • Internet Protocol Security (IPSec) o Internet Key Exchange (IKE) • Secure Sockets Layer (SSL)/Transport Layer Security (TLS) o Key agreement; in conjunction with DES (40-bit key) or 3-DES (128-bit key) • Secure Shell (SSH) • Public Key Infrastructure (PKI) HTTP FTP SMTP HTTP FTP SMTP SSH PGP TCP SSL/TLS FTP SMTP IPsec? TCP TCP IP IP IP At the network layer At the presentation layer At the application layer Source: Riley Lochridge, The Diffie-Hellman Algorithm, 2003 CSE468/598 Computer Network Security DH key agreement protocol . Allows two users to exchange a secret key . Requires no prior secrets . Real-time over an untrusted network . Based on the difficulty of computing discrete logarithms of large numbers. Requires two large numbers: g is a generator of a • p: one prime group G if every element in G can be expressed as • g: a primitive root of p (or a base), the product of finitely e.g: 3 is a primitive root modulo 7, why? many powers of g. • x: a secret key x y = g mod p CSE468/598 Computer Network Security DH Key Exchange Protocol F={1,2,3,…,p-1} (1) Pick secret, (1) Pick secret, random a from F random b from F (2) X = ga mod p Alice (3) Y = gb mod p Bob (4) Compute (4) Compute a b a b a b k=Y mod p = (g ) mod p k=X mod p = (g ) mod p ab = g mod p = gab mod p Eve has to compute gab from ga and gb without knowing a and b… She faces the Discrete Logarithm Problem in finite fields Source: D. Mukhopadhyay, ECC, IITM CSE468/598 Computer Network Security DH example . Alice and Bob get public numbers a • g = 2, p = 3 X = g mod p Y = gb mod p . Alice and Bob compute public values with their private key a=4, b=3 respectively • X = 24 mod 3 = 16 mod 3 = 1 • Y = 23 mod 3 = 8 mod 3 = 2 . Alice and Bob exchange public numbers Q: How? CSE468/598 Computer Network Security DH Example (cont’d) X = 24 mod 3 = 16 mod 3 = 1 Y = 23 mod 3 = 8 mod 3 = 2 . Alice and Bob compute symmetric keys a 4 • ka = Y mod p = 2 mod 3 = 1 b 3 • kb = X mod p = 1 mod 3 = 1 CSE468/598 Computer Network Security DH for three parties . How can three persons (Alice, Bob, Charlie) share a common secret key using DH key exchange? (1) ga mod p, (2) gac mod p abc Bob Alice Key = g mod p (1) gc mod p, (1) gb mod p, (2) gbc mod p (2) gab mod p Charlie CSE468/598 Computer Network Security MITM attack in DH Scheme (formal) xa : private xb : private x Yg a xb a : public Yg b : public Bob Alice Ya Yc xc Yc Ycc g for some x Yb Alice computes the Bob computes the session key session key xa x c x a xb x c x b Kac Y g C (MITM) Kbc Y g Adversary computes Man-in-the middle both session keys attack comes from no x x x Q: why this c c b authentication Kbb Y g happens? Use authentication xc x c x a Kaa Y g (e.g., signature) CSE468/598 Computer Network Security A Possible Solution A B ga b a b ab B, g , SIGB(g ,g ,g ) b a ab A, SIGA(g ,g ,g ) Is this protocol secure? Identity misbinding E b a ab E, SIGE(g ,g ,g ) attack Source: Hugo Krawczyk, Design and Analysis of Authenticated Diffie-Hellman Protocols, 2003 CSE468/598 Computer Network Security A Possible Solution (ISO-9796) A a B A, g b a b B, g , SIGB(g ,g ,A) b a SIGA(g ,g ,B) Thwarts the identity-misbinding attack by including the identity of the peer under the signature Source: Hugo Krawczyk, Design and Analysis of Authenticated Diffie-Hellman Protocols, 2003 CSE468/598 Computer Network Security The ISO defense A a a B A, g E E, g b a b b a b B, g , SIGB(g ,g ,E) B, g , SIGB(g ,g ,E) A: aha! B is talking to E not to me! a b Note that E cannot produce SIGB(g ,g ,A) .