Lecture 10:
Certificates and Hashes
CS588: Security and Privacy
University of Virginia
Computer Science
David Evans
http://www.cs.virginia.edu/~evans
Menu
• PS3
– Work with different people from PS2 or
your project group
– Due Oct 10
• Midterm postponed until 24 Oct
• Public Key Infrastructures (PKI)
• Hashing
1 Oct 2001
University of Virginia CS 588
2
Key Management
Public keys only useful if you
know:
1. The public key matches the
entity you think it does (and no
one else).
2. The entity is trustworthy.
1 Oct 2001
University of Virginia CS 588
3
Approach 1:
Public Announcement
• Publish public keys in a public forum
– USENET groups
– Append to email messages
– New York Time classifieds
• Easy for rogue to pretend to be
someone else
1 Oct 2001
University of Virginia CS 588
4
Approach 2: Public Directory
• Trusted authority maintains directory
mapping names to public keys
• Entities register public keys with
authority in some secure way
• Authority publishes directory
– Print using watermarked paper, special
fonts, etc.
– Allow secure electronic access
1 Oct 2001
University of Virginia CS 588
5
One Key
• Electronic access requires directory
have key (public/private key pair might
work, but how do entities validate public
key?)
• If authority’s key is compromised,
everything is vulnerable!
– Keep the key locked up well
• Directory is single point of failure
1 Oct 2001
University of Virginia CS 588
6
Certificates
TrustMe.com
{ alice@alice.org, KUA }
{ bob@bob.com, KUB}
CA = EKRTrustMe[“alice@alice.org”, KUA]
CB = EKRTrustMe[“bob@bob.com”, KUB]
CA
Alice
Bob
CB
Use anything like this?
1 Oct 2001
University of Virginia CS 588
7
Data encrypted using secret key
exchanged using some public key
associated with some certificate.
1 Oct 2001
University of Virginia CS 588
8
1 Oct 2001
University of Virginia CS 588
9
SSL (Secure Sockets Layer)
Client
Server
Hello
KRCA[Server Identity, KUS]
Check Certificate
using KUCA
Pick random K
KUS[K]
Find K
using
KRS
Secure channel using K
1 Oct 2001
University of Virginia CS 588
10
Certificates
TrustMe.com
{ alice@alice.org, KUA }
{ bob@bob.com, KUB}
CA = EKRTrustMe[“alice@alice.org”, KUA]
CB = EKRTrustMe[“bob@bob.com”, KUB]
CA
Alice
Bob
CB
How does TrustMe.com decide whether
to provide Certificate?
1 Oct 2001
University of Virginia CS 588
11
Verifying Identities
$$$$
TrustMe.com
{ alice@alice.org, KUA }
{ bob@bob.com, KUB}
CA = EKRTrustMe[“alice@alice.org”, KUA]
CB = EKRTrustMe[“bob@bob.com”, KUB]
CA
Alice
Bob
CB
1 Oct 2001
University of Virginia CS 588
12
VeriSign’s Certificate Classes
• Class 1: Individuals Only, No Identity Check
– Proves: you are communicating with someone
willing to pay VeriSign $14.95
– Except they have a free 60-day trial
• Class 2: Individuals Only, No longer available
– “Confirmation is based upon VeriSign proprietary
matching criteria of third-party databases against
the information in the application.”
– $20/year
• Class 3: Individuals and Organizations
– Require physical appearance before notary
– Businesses: “out-of-band” communication, records
– ~$1000, VeriSign’s liability up to $100,000
1 Oct 2001
University of Virginia CS 588
13
1 Oct 2001
University of Virginia CS 588
14
Limiting The Damage
VerySine.com
{ alice@alice.org, KUA }
CA = EKRTrustMe[“alice@alice.org”, cert id, expiration time, KUA]
CA
Alice
Bob
Checks expiration time > now
1 Oct 2001
University of Virginia CS 588
15
1 Oct 2001
University of Virginia CS 588
16
Revoking Certificates
VerySine.com
{ alice@alice.org, KUA }
CA
EKRTrustMe[CRL]
Send me the
CRL
CA
Alice
1 Oct 2001
<certid, Date Revoked>
<certid, Date Revoked>
<certid, Date Revoked>
…
University of Virginia CS 588
Bob
17
Revoked!
1 Oct 2001
University of Virginia CS 588
18
Web Treasure Hunt
• Click on “lock” next time when you
browse the web
• Find a certificate with a hierarchy of
trust more than one level deep
– The CA has a certificate
1 Oct 2001
University of Virginia CS 588
19
PGP (Pretty Good Privacy)
• Keyring: list of public keys, signed by owner’s
private key
Alice’s keyring:
EKRAlice (<“bob@bob.com”, KUBob>,
<“cathy@sharky.com”, KUCathy>)
• Exchanging Keyrings (Web of Trust)
– Complete Trust: I trust Alice’s keyring (add the public
key pairings to my own keyring)
– Partial Trust: I sort of trust Alice, but require
confirmation from someone else too (I need to get
EKRCathy (<“bob@bob.com”, KUBob>) before trusting
KUBob
1 Oct 2001
University of Virginia CS 588
20
Anonymous Quiz
1 Oct 2001
University of Virginia CS 588
21
Using RSA to Encrypt
• Use 1024-bit modulus (RSA recommends at
least 768 bits)
• Encrypt 1M file
– 1024 1024-bit messages
– To calculate Me requires log2e 1024-bit modular
multiplies
• Why does no one use RSA like this?
– About 100-1000 times slower than DES
– Can speed up encryption by choosing e that is an
easy number to multiply by (e.g., 3 or 216 + 1)
– But, decryption must use non-easy d (around 1024
bits)
1 Oct 2001
University of Virginia CS 588
22
Alternatives
• Use RSA to establish a shared secret
key for symmetric cipher (DES, RC6, ...)
– Lose external authentication, nonrepudiation properties of public-key
cryptosystems
• Sign (encrypt with private key) a hash of
the message
– A short block that is associated with the
message
1 Oct 2001
University of Virginia CS 588
23
0
Hashing
1
2
3
“dog”
“neanderthal”
4
5
6
7
“horse”
8
9
H (char s[]) = (s[0] – ‘a’) mod 10
1 Oct 2001
University of Virginia CS 588
24
Regular Hash Functions
1. Many-to-one: maps a large number of
values to a small number of hash values
2. Even distribution: for typical data sets,
P(H(x) = n) = 1/N where N is the number
of hash values and n = 0 .. N – 1.
3. Efficient: H(x) is easy to compute.
How well does
H (char s[]) = (s[0] – ‘a’) mod 10
satisfy these properties?
1 Oct 2001
University of Virginia CS 588
25
Cryptographic Hash Functions
4. One-way: for given h, it is hard to find x
such that H(x) = h.
5. Collision resistance:
Weak collision resistance: given x, it is hard
to find y  x such that H(y) = H(x).
Strong collision resistance: it is hard to find
any x and y  x such that H(y) = H(x).
1 Oct 2001
University of Virginia CS 588
26
Using Hashes
• Alice wants to send Bob and “I owe you”
message.
• Bob should be able to show the
message to a judge to compel Alice to
pay up.
• Bob should not be able to make his own
“I owe you” from Alice, or change the
contents of the one she sent him.
1 Oct 2001
University of Virginia CS 588
27
IOU Protocol (Attempt 1)
M
H(M)
Bob
Alice
M
H(M)
Hmmm...Bob can just make
up M and H(M)!
Judge
1 Oct 2001
University of Virginia CS 588
28
IOU Protocol (Attempt 2)
M
EKA[H(M)]
Bob
Alice
secret key KA
Use Diffie-Hellman
to establish shared
secret KA
1 Oct 2001
M
Judge
knows KA
EKA[H(M)]
Can Bob cheat?
Can Alice cheat?
Yes, send Bob: M, junk.
Judge will think Bob cheated!
University of Virginia CS 588
29
IOU Protocol (Attempt 3)
M
EKRA[H(M)]
Bob
knows KUA
Alice
{KUA, KRA}
1 Oct 2001
M
Judge
knows KUA
EKRA[H(M)]
Bob can verify H(M) by
decrypting, but cannot forge
M, EKRA[H(M)] pair without
knowing KRA.
University of Virginia CS 588
30
No Collision Resistance
• Suppose we use: H (char s[]) = (s[0] – ‘a’) mod
10
• Alice sends Bob:
“I, Alice, owe Bob $2.”, EKRA[H (M)]
• Bob sends Judge:
“I, Alice, owe Bob $2000000000000000.”, EKRA[H
(M)]
• Judge validates EKUA [ EKRA[H (M)]] = H(“I, Alice,
owe Bob $2000000000000000.”) and makes
Alice pay.
1 Oct 2001
University of Virginia CS 588
31
Weak Collision Resistance
• Given x, it should be hard to find y  x
such that H(y) = H(x).
• Similar to a block cipher except no need
for secret key:
– Changing any bit of x should change most
of H(x).
– The mapping between x and H(x) should
be confusing (complex and non-linear).
1 Oct 2001
University of Virginia CS 588
32
A Better Hash Function?
• H(x) = DES (x, 0)
• Weak collision resistance?
– Given x, it should be hard to find y  x such
that H(y) = H(x).
– Yes – DES is one-to-one. (These is no
such y.)
• A good hash function?
– No, its output is as big as the message!
1 Oct 2001
University of Virginia CS 588
33
What we need:
• Produce small number of bits (say 64)
that depend on the whole message in a
confusing, non-linear way.
• Have we seen anything like this?
Cipher Block Chaining
P1
P2
IV


K
DES
C1
to receiver
30 Aug 2000
1 Oct 2001
University of Virginia CS 588
K
DES
...
C2
to receiver
University of Virginia CS 551
8
34
Cipher Block Chaining
IV
K
P1
P2
Pn



DES
C1
K
DES
...
K
DES
Cn
C2
Use last ciphertext block as
hash. Depends on all plaintext
blocks.
1 Oct 2001
University of Virginia CS 588
35
Actual Hashing Algorithms
• Based on cipher block chaining
• No need for secret key or IV (just use 0)
• Don’t use DES
– Performance
– Better to use bigger blocks
• MD5 [Rivest92] – 512 bit blocks, produces
128-bit hash
• SHA [NIST95] – 512 bit blocks, 160-bit
hash
1 Oct 2001
University of Virginia CS 588
36
Why big hashes?
• 3DES is (probably) secure with 64-bit
blocks, why do secure hash functions
need at least 128 bit digests?
• 64 bits is fine for weak collision
resistance, but we need strong collision
resistance too.
1 Oct 2001
University of Virginia CS 588
37
Strong Collision Resistance
• It is hard to find any x and y  x such
that H(y) = H(x).
• Difference from weak:
– Attacker gets to choose both x and y, not
just y.
• Scenario:
– Suppose Bob gets to write IOU message,
send it to Alice, and she signs it.
1 Oct 2001
University of Virginia CS 588
38
Charge
• Next time: why strong collision
resistance is hard
• Return PS2’s
1 Oct 2001
University of Virginia CS 588
39