Ch34min - Computer and Information Sciences

Chapter 3
Public-Key Cryptography
and Message Authentication
Recall: 1.4 Security Services
* Authentication
* Access Control
* Data Confidentiality
* Data Integrity
* Non-repudiation
* Availability Service
(In chapter 3, “Authentication” includes all three of these services: Authentication, Data Integrity and Non-repudiation.)
We need to defend against attacks such as:
► bit flipping in stream cipher (my time-of-attack example)
► cut and paste attack with ECB
3.1 Approaches to Message Authentication
Authentication Using Conventional (Symmetric) Encryption
Assuming that only sender and receiver share a secret key, then successful
decryption of a message proves that it is from the sender.
But what about the Christmas bonus cut-and-paste attack?
“If the message also includes error-detection and a sequence number,
the receiver is assured that no alteration has been made and that the
sequencing is proper.”
Circular reasoning!
Message Authentication without Message Encryption
We may want to be able to authenticate a message without encrypting it
Examples:
1. Public announcement, e.g. The system is going down in 5 minutes!
2. Receiver too busy to decrypt incoming messages.
3. Checking integrity of a computer program downloaded from a server.
Encryption and Authentication are separate;
Either or both may be needed
Message Authentication Code
A secret key is used to generate a small block of data, the MAC, which is
appended to the message by the sender.
(Figure: the sender calculates the MAC using the secret key. Knowing the secret key and the message, the receiver re-calculates the MAC and compares it to the appended value.)
Recalculating the MAC is a “forward” calculation – fundamentally
different from the “reverse” calculation in decryption.
Message Authentication Code – continued
If the appended code and the freshly-calculated code agree, then:
1. The receiver is assured that the message has not been altered.
(Chapter 1 – data integrity – connectionless)
2. The receiver is assured that the message is from the alleged
sender, since nobody else knows the secret key.
(Chapter 1 – participant authentication)
3. If the message includes a sequence number, the receiver is assured
that there are no losses, duplications, or out-of-sequence elements.
(Chapter 1 – data integrity – connection-oriented)
4. The sender cannot deny having sent the message,
since nobody else knows the secret key.
(Chapter 1 – nonrepudiation)
Provided that suitable algorithms can be found to
generate the Message Authentication Code!
One-Way Hash Functions
Given a message, M, of arbitrary length, a hash function produces a
short, fixed-length block that is unique to M (“fingerprint”).
A hash function is a component of a MAC system.
It is not the complete system because a hash itself does not
involve any secret information.
Figure 3.2 shows three ways to use hash functions in producing a MAC.
Figure 3.2(a) is essentially the same as figure 3.1.
Figure 3.2(b) is the same as 3.2(a), except using public-key encryption (defer until later).
One-Way Hash Functions – continued
Figures 3.2 (a) and (b) involve encryption, which is slow and expensive.
Figure 3.2(c) is an alternative that avoids encryption:
(Figure 3.2(c): the pre-shared secret is not transmitted.)
This method is used in HMAC (see later)
Sometimes referred to as “keyed hash”
Recall from page 7:
2. In developing a particular security mechanism or algorithm, one
must always consider potential attacks on those security features …
3. Because of point 2, the procedures used to provide particular
services are often counterintuitive: It is not obvious from the statement
of a particular requirement that such elaborate measures are needed.
It is only when the various counter-measures are considered that the
measures used make sense.
3.2 Secure Hash Functions
Hash function requirements:
1. H can be applied to a block of data of any size.
2. H produces fixed-length output.
3. H(x) is relatively easy to compute for any x, making both
hardware and software implementation practical.
4. For any given value h it is computationally infeasible to find x
such that H(x) = h
Called “one-way” or “preimage resistant”
4. For any given value h it is computationally infeasible to find x
such that H(x) = h
Without the “one-way” property, method (c) would not work.
Encryption functions must be reversible;
Hash functions must not be reversible!
5. For any given block x, it is computationally infeasible to find y ≠ x
with H(y) = H(x)
Called “second preimage resistant” or “weak collision resistant”
Without property #5, methods 3.2 (a) and (b) would not work.
3.2 Secure Hash Functions - continued
6. It is computationally infeasible to find any pair (x, y) such that
H(x) = H(y)
Called “(strong) collision-resistant”
This property is necessary to defend against the “birthday attack.”
Birthday Attack
Probability that two specific people have the same birthday is 1/365.
In a group of n people there are n(n-1)/2 pairs.
Probability that any two people have the same birthday is n(n-1)/(2 · 365).
What does n have to be for the probability to be 0.5?
Approximating n(n-1) as n^2 we get
n^2 = 2 · 365 · 0.5
or
n = √365, about 19.
With a 128-bit hash function, the probability that two specific messages
have the same hash value is 2^-128.
But the probability that two messages exist with the same hash value is 2^-64.
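An added worked example (not from the slides): the exact birthday probability beside the slide’s √365 approximation, and the same birthday effect run against a constructed toy hash (SHA-256 truncated to a few bits), which shows why a collision costs only about 2^(n/2) trials.

```python
import hashlib

def birthday_probability(n, days=365):
    """Exact probability that at least two of n people share a birthday:
    1 minus the probability that all n birthdays are distinct."""
    p_distinct = 1.0
    for i in range(n):
        p_distinct *= (days - i) / days
    return 1.0 - p_distinct

def people_for_half(days=365):
    """Smallest n with collision probability >= 0.5.
    Gives 23 for 365 days; the slide's rough estimate sqrt(365) gives 19."""
    n = 1
    while birthday_probability(n, days) < 0.5:
        n += 1
    return n

def truncated_hash(data, bits):
    """Toy short hash: the first `bits` bits of SHA-256, as an integer."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)

def find_collision(bits):
    """Birthday search on the truncated hash: hash distinct constructed
    messages until two share a value. Returns (tries, m1, m2).
    Expected tries is about 2^(bits/2), not 2^bits."""
    seen = {}
    i = 0
    while True:
        msg = b"msg-%d" % i          # constructed, distinct messages
        h = truncated_hash(msg, bits)
        if h in seen:
            return i + 1, seen[h], msg
        seen[h] = msg
        i += 1

if __name__ == "__main__":
    print("people needed for p >= 0.5:", people_for_half())
    for bits in (16, 24, 32):
        tries, m1, m2 = find_collision(bits)
        print("%d-bit hash: collision after %d tries (2^(n/2) = %d)"
              % (bits, tries, 2 ** (bits // 2)))
```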
Security of Hash Functions
Clearly, it is desirable to use a hash function that has property 6, strong
collision resistance.
For a hash code of length n bits we expect the level of effort required to
break it by brute force to be 2^n, BUT:
Preimage-resistant (property 4): 2^(n/2) (yields to Birthday Attack)
Second preimage resistant (property 5): 2^(n/2) (yields to Birthday Attack)
Strong collision resistant (property 6): 2^n (resists Birthday Attack)
A 160-bit hash code is now regarded as suspect!
Simple Hash Functions
C_i = b_{i1} XOR b_{i2} XOR b_{i3} … XOR b_{im}
But XOR is commutative, so one could permute blocks without changing C.
OK for accidental transmission errors, but useless for defense against Darth.
SHA Secure Hash Function
Focus on SHA-512 - block size 1024 bits,
hash code size 512 bits.
“Security 256” indicates that SHA does not have property 6
Step 1: Append padding bits. Step 2: Append original length.
(Figure: the per-block processing stage, often referred to as the “compression function”.)
Property of SHA-512: every bit of the hash code is a function of every bit of the input.
3.3 Message Authentication Codes
Hashed Message Authentication Code (HMAC)
A hash function such as SHA-512 involves no secret
information – hash must be combined with secret information
to produce a message authentication code.
Figure 3.2
HMAC Design Objectives
1. To use, without modification, available hash functions.
2. To allow for easy replaceability of the embedded hash function in
case more secure hash functions are found or required
(NIST competition for new hash function).
3. To preserve the original performance of the hash function without
incurring significant degradation.
4. To use and handle keys in a simple way
5. To have a well-understood cryptographic analysis of the strength of
the authentication mechanism based on reasonable
assumptions on the embedded hash function.
HMAC can be proven secure provided that the embedded
hash function has some reasonable cryptographic strengths.
Repeat:
HMAC Design Objectives
2. To allow for easy replaceability of the embedded hash function
in case more secure hash functions are found or required
If the embedded hash function were ever discovered to be insecure, a
replacement (more secure) hash function could be inserted into HMAC.
Use of the original hash function before the discovery would not be
invalidated.
This assumes that whoever discovered the insecurity announced it
and didn’t exploit it privately!
This contrasts with the situation with encryption: if an
encryption algorithm were “broken,” messages previously
encrypted with the algorithm could be decrypted.
The HMAC Algorithm
(Figure: the first part of the key, padded to b bits, is prepended to the padded message and hashed with SHA-512. The result of the inner hash is the “message” for the outer hash: the second part of the key, padded to b bits, is prepended to it and SHA-512 is applied again, giving the final result.)
HMAC adds three executions of the basic hash function – should not add significant time for long messages.
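The MAC check of the “Message Authentication Code” slides and the HMAC construction above, written out in Python as an added example that is not part of the slides: HMAC over SHA-512 (b = 1024 bits, so the key is padded to 128 bytes), cross-checked against the standard library, with the receiver’s forward re-calculation. The key and message are constructed sample values.

```python
import hashlib
import hmac

BLOCK_SIZE = 128   # b = 1024 bits: the SHA-512 input block, to which the key is padded
IPAD = 0x36        # inner padding byte
OPAD = 0x5C        # outer padding byte

def hmac_sha512(key: bytes, message: bytes) -> bytes:
    """HMAC = H((K+ xor opad) || H((K+ xor ipad) || M)), K+ = key padded to b bits."""
    if len(key) > BLOCK_SIZE:                 # an over-long key is hashed first
        key = hashlib.sha512(key).digest()
    k_plus = key.ljust(BLOCK_SIZE, b"\x00")   # pad with zeros to b bits
    k_ipad = bytes(b ^ IPAD for b in k_plus)  # "first part of key, padded to b bits"
    k_opad = bytes(b ^ OPAD for b in k_plus)  # "second part of key, padded to b bits"
    inner = hashlib.sha512(k_ipad + message).digest()
    # the inner hash result is the "message" for the outer hash
    return hashlib.sha512(k_opad + inner).digest()

def send(key: bytes, message: bytes) -> bytes:
    """Sender appends the 64-byte MAC to the message."""
    return message + hmac_sha512(key, message)

def receive(key: bytes, packet: bytes):
    """Receiver splits off the tag, re-calculates the MAC (a forward
    computation; nothing is decrypted) and compares in constant time so the
    comparison does not leak how many bytes matched. Returns the message
    if the tags agree, else None."""
    message, tag = packet[:-64], packet[-64:]
    if hmac.compare_digest(hmac_sha512(key, message), tag):
        return message
    return None

def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check against the standard library HMAC implementation."""
    return hmac_sha512(key, message) == hmac.new(key, message, hashlib.sha512).digest()

if __name__ == "__main__":
    KEY = b"constructed-shared-secret-key"   # constructed sample key
    packet = send(KEY, b"The system is going down in 5 minutes!")
    print(receive(KEY, packet))
    tampered = packet.replace(b"5 minutes", b"5 seconds")
    print(receive(KEY, tampered))   # None: the MAC no longer agrees
```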
MACs Based on Block Ciphers
Cipher-Based Message Authentication Code
We adopted the philosophy that encryption and authentication
have separate objectives and techniques. Why merge them here?
Quote from NIST publication 800-38B:
CMAC may be appropriate for information systems in which an approved
block cipher is more readily available than an approved hash function.
This does not seem to be a compelling reason to study this.
On the other hand, Stallings (p77) states that “systems that
simultaneously protect confidentiality and authenticity (integrity) of
communications” may have advantages (and may be mandated in
federal systems).
Because of the limited time we have available, we will omit this section.
3.4 Public-Key Cryptography Principles
Public-Key Encryption Structure
► first publicly proposed by Diffie and Hellman in 1976
(but known to British cryptographers in WWII)
► first truly revolutionary advance in encryption
in literally thousands of years
► public-key algorithms based on mathematical functions
► public-key cryptography is asymmetric, involving use of two
separate keys, one made public and the other kept private.
Common misconceptions about public-key cryptography
► public-key cryptography more secure than symmetric
(conventional) cryptography
For the same key length, public-key is less secure:
1024-bit asymmetric keys are about as secure as 80-bit symmetric keys.
Common misconceptions about public-key cryptography - continued
► public-key cryptography is a general-purpose technique that has made
symmetric (conventional) cryptography obsolete
public-key is about 1,000 times slower than symmetric,
so will not replace symmetric for bulk encryption
► key distribution is trivial when using public-key encryption, compared to
cumbersome key distribution centers in symmetric encryption
public-key distribution usually involves a central agent
Recall from section 2.1:
“A symmetric encryption scheme has five ingredients”
Section 3.4: A public-key encryption scheme has six ingredients:
► plaintext
► encryption algorithm
► public and private key
► ciphertext
► decryption algorithm
► public and private key:
The public key of the pair is made public for others to use;
The private key is known only to its owner.
One key of the pair is used for encryption,
the other for decryption
Terminology: although the private key is kept secret,
we refer to it as “private” so as not to confuse with
the “secret key” of symmetric encryption.
Figure 3.9(a) (Bob sending to Alice)
“Essential steps” for confidentiality:
1. Each user generates a pair of keys
2. Each user places one of the keys in a public register
or other accessible file
3. If Bob wishes to send a confidential message to Alice,
he obtains her public key and encrypts the message with it.
4. Alice decrypts the message with her private key.
(Figure 3.9: Bob obtained the public keys from a public register or other accessible file.)
No authentication of Bob! Everybody knows Alice’s public key!
We do not send long messages this way!
Applications for Public-Key Cryptosystems
► encryption/decryption – but not used for long messages,
► digital signatures – we will study in section 3.6
► key exchange – we will study in section 4.3
Requirements for Encryption using Public-Key Cryptography
1. It is computationally easy for party B to generate a key pair PU_B, PR_B
2. It is computationally easy for a sender A, knowing PU_B, to encrypt a (short) message to send to B
3. It is computationally easy for B to decrypt the message using his/her private key
4. It is computationally infeasible for an opponent, knowing PU_B, to determine the private key PR_B
5. It is computationally infeasible for an opponent, knowing PU_B and the ciphertext, to recover the plaintext
6. (useful, not required) Either of the two related keys can be used for encryption, the other for decryption
3.5 Public-Key Cryptography Algorithms
The RSA Algorithm
Developed in 1977 by Rivest, Shamir, and Adleman at MIT.
RSA is a block cipher in which the plaintext and ciphertext are
represented by integers between 0 and n – 1 for some n (“modulus”)
For plaintext block M, the ciphertext block C is obtained by:
C = M^e mod n
(e could be called the “encryption exponent”)
The plaintext is recovered by:
M = C^d mod n
If both sender and receiver know n and e but only the receiver knows d,
the receiver’s public key is { e, n } and private key is { d, n }
3.5 Public-Key Cryptography Algorithms - continued
From previous slide:
For plaintext block M, the ciphertext block C is obtained by C = M^e mod n
The plaintext is recovered by: M = C^d mod n
M = C^d mod n = (M^e mod n)^d mod n = M^(ed) mod n
1. For this to work, it must be possible to find n, e, and d such that
M^(ed) mod n = M for all M < n
2. It must be relatively easy to calculate M^e and C^d for all M < n
3. It must be infeasible to compute d, given e and n
1 – 3. Select p = 17, q = 11 so n = 187 and φ(n) = 160
4. Choose e such that it is relatively prime to 160 and less than 160
Divisors of 160? yes: 1, 2, 4, 5, 8, 10, …  no: 3, 6, 7, 9, 11, 12, 13, …
Choose e = 7
1 – 3. Select p = 17, q = 11 so n = 187 and φ(n) = 160
4. e = 7
5. Determine d such that de mod 160 = 1
7d = 1, 161, 321, 481, … (i.e. 7d ≡ 1 mod 160)
7 * 23 = 161
Public key is { 7, 187 } Private key is { 23, 187 }
Encryption: evaluate 88^7 mod 187
Decryption: evaluate 11^23 mod 187
11^23 is a big number and hard to handle by simple programming!
Factorize the big number and use properties of modular arithmetic (page 402)
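The worked example (p = 17, q = 11, e = 7) carried through in Python as an added example that is not part of the slides or the textbook: extended Euclid finds d, square-and-multiply evaluates 88^7 and 11^23 mod 187 without ever forming the big number, and the trial-division factoring shows why the private key falls out of a toy modulus while a 300-digit one resists.

```python
def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def mod_inverse(e, phi):
    """d with d*e mod phi == 1; replaces the slide's search 7d = 1, 161, 321, ..."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    return x % phi

def power_mod(base, exp, n):
    """Square-and-multiply: reduce mod n after every step, so 11^23 mod 187
    is computed without ever forming the 'big number' 11^23."""
    result, base = 1, base % n
    while exp > 0:
        if exp & 1:
            result = (result * base) % n
        base = (base * base) % n
        exp >>= 1
    return result

def rsa_keypair(p, q, e):
    """Steps 1-5 of the slides: n = pq, phi = (p-1)(q-1), d = e^-1 mod phi."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (mod_inverse(e, phi), n)   # public {e, n}, private {d, n}

def rsa_encrypt(public_key, m):
    e, n = public_key
    return power_mod(m, e, n)       # C = M^e mod n

def rsa_decrypt(private_key, c):
    d, n = private_key
    return power_mod(c, d, n)       # M = C^d mod n

def recover_private_key(public_key):
    """The factoring approach of the next slide: trial division finds p and q
    instantly for n = 187; for a 300-decimal-digit n this step is infeasible."""
    e, n = public_key
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            q = n // p
            return mod_inverse(e, (p - 1) * (q - 1)), n
    return None

if __name__ == "__main__":
    public, private = rsa_keypair(17, 11, 7)
    c = rsa_encrypt(public, 88)
    print("public", public, "private", private)
    print("88 ->", c, "->", rsa_decrypt(private, c))
```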
An actual RSA key (from lab session #2):
# The exponent of the RSA public key is forced to the value 3
This modulus is 2238 bits long
Two possible approaches to defeating the RSA algorithm:
► brute force (try all possible keys)
– for key-length (say) 1024 bits, this is infeasible
► try to factor n into p × q
– most efforts do this, but with n (say) 300 decimal digits, it’s hard!
RSA Challenges:
RSA 640:
If modulus, n, is the 193-digit number:
310 7418240490 0437213507 5003588856 7930037346 0228427275 4572016194
8823206440 5180815045 5634682967 1723286782 4379162728 3803341547
1073108501 9195485290 0733772482 2783525742 3864540146 9173660247
7652346609
What are p and q?
The factoring research team of F. Bahr, M. Boehm, J. Franke, T. Kleinjung
continued its productivity with a successful factorization of the challenge
number RSA-640, reported on November 2, 2005. The factors are:
1634733645809253848443133883865090859841783670033
092312181110852389333100104508151212118167511579
and
1900871281664822113126851573935413975471896789968
515493666638539088027103802104498957191261465571
The effort took approximately 30 2.2GHz-Opteron-CPU years according to the
submitters, over five months of calendar time. They earned a prize of $20,000.
Diffie-Hellman Key Exchange
“The purpose of the algorithm is to enable two users to exchange a
secret key securely that can then be used for subsequent [symmetric]
encryption of messages. The algorithm itself is limited to the
exchange of the keys.”
(however, an extension of D-H, known as El Gamal can be used for encryption)
“The Diffie-Hellman algorithm depends for its effectiveness
on the difficulty of computing discrete logarithms.”
(Figure 3.13: global public parameters q (the modulus) and α (the generator) established in advance.)
Required to prove: the two computations of K give the same value
Trivial example of Diffie-Hellman – problem 3.21
Problem 3.21(a): If A has public key Y_A = 9, what is A’s private key X_A?
Recall Y_A = α^(X_A) mod q
Want 9 = 2^(X_A) mod 11
From previous slide: 2^6 = 64 and 64 mod 11 = 9, so X_A = 6
Because of the difficulty of computing discrete logarithms, an
attacker knowing α, q, Y_A and Y_B cannot easily compute K
Problem 3.21(b): If B has public key Y_B = 3, what is the shared key K?
Recall K = (Y_B)^(X_A) mod q = 3^6 mod 11 = 729 mod 11 = 3
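Problem 3.21 worked in Python as an added example (not from the slides or the textbook): the published values, the check that both computations of K agree, and the brute-force discrete logarithm that recovers X_A = 6 only because q = 11 is tiny.

```python
def dh_public(alpha, q, x):
    """Y = alpha^x mod q: the value each party publishes."""
    return pow(alpha, x, q)

def dh_shared(y_other, x_own, q):
    """K = (Y_other)^(x_own) mod q, computed independently by each side."""
    return pow(y_other, x_own, q)

def both_sides_agree(alpha, q, x_a, x_b):
    """A computes (Y_B)^X_A, B computes (Y_A)^X_B; both equal
    alpha^(X_A * X_B) mod q. Returns (K_A, K_B, agree)."""
    y_a = dh_public(alpha, q, x_a)
    y_b = dh_public(alpha, q, x_b)
    k_a = dh_shared(y_b, x_a, q)
    k_b = dh_shared(y_a, x_b, q)
    return k_a, k_b, k_a == k_b

def power_table(alpha, q):
    """alpha^x mod q for x = 0..q-1 (the slide reads 2^6 = 64, 64 mod 11 = 9 from it)."""
    return {x: pow(alpha, x, q) for x in range(q)}

def discrete_log(alpha, q, y):
    """Brute-force the x with alpha^x mod q == y. Feasible here only because
    q = 11; with a 2048-bit q this search is the hard problem DH relies on."""
    for x, value in power_table(alpha, q).items():
        if value == y:
            return x
    return None

def solve_problem_3_21(alpha=2, q=11, y_a=9, y_b=3):
    """(a) recover X_A from Y_A; (b) the shared key K = (Y_B)^X_A mod q."""
    x_a = discrete_log(alpha, q, y_a)
    k = dh_shared(y_b, x_a, q)
    return x_a, k

if __name__ == "__main__":
    x_a, k = solve_problem_3_21()
    print("X_A =", x_a, " K =", k)
    print("both sides agree:", both_sides_agree(2, 11, x_a, discrete_log(2, 11, 3)))
```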
(Figure: a 3192-bit Diffie-Hellman public key, from lab session #4.)
Key Exchange Protocols – ways of using Diffie-Hellman
► “simple protocol” – figure 3.13
► using a central repository of public D-H keys (next slide).
(Figure: in this implementation, both private and public DH keys are semi-permanent.)
Man-in-the-Middle Attack
(Figure: Alice, Bob, and the man in the middle.)
Problem: the “simple protocol” does not authenticate
the participants.
We’ll return to this problem in chapter 8
Other Public-Key Cryptography Algorithms
► Digital Signature Standard - use in lab session #1
► Elliptic-Curve Cryptography – know it exists
(increasing importance)
3.6 Digital Signatures
Bob wants to send a message to Alice; it’s not confidential, but he
wants her to be sure that it is from him (authentication).
Fig 3.9(b) (Bob sending to Alice)
Here, the entire message serves as a digital signature;
Bob would normally encrypt just a hash of the message
and append it (next slide).
Figure 3.2(b) was a better representation of “digital signatures”:
Caution! Alice and Bob swapped from previous slide!
(Figure 3.2(b): Alice signing, Bob verifying.)
Benefits of the Digital Signature
► Since only Alice knows her private key, if Bob can decode
and verify the signature with her public key, the message
must have come from Alice
(giving authentication and non-repudiation).
► Without Alice’s private key, Darth cannot substitute a different
message and produce a correctly-encrypted hash
(giving message integrity).
Benefits of the Digital Signature
But this does not provide message confidentiality!
► The signature (encrypted hash of the message) can be
detached from the message itself. Because the hash refers
uniquely to the particular message, Darth cannot claim that
the detached signature belongs to a different message (useful
when several people in different countries must sign).
End of Chapter 3
At this point in the course we have covered all
the basic techniques needed to provide
confidentiality and authentication services. In
the rest of the course we examine specific
implementations for use in various situations.
Part Two
Network Security Applications
Chapter 4
Key Distribution and User Authentication
4.1 Symmetric Key Distribution Using Symmetric Encryption
Possible methods of key sharing between A and B :
1. A selects key, physically delivers to B
2. Third party C selects key, physically delivers to A and B
3. If A and B have previously shared a key,
a new key could be chosen by one of them
and sent to the other encrypted with the old key
Problem: If an attacker ever succeeds in gaining access to
one key, then all subsequent keys are revealed.
4. If A and B each have an encrypted connection to a trusted third
party C, C could generate the key and transmit it
to A and B over the encrypted connections
C is called the Key Distribution Center (KDC)
Key Distribution Center (KDC) uses two types of key:
► Session Key – used to protect messages between two users
► Master key – used to protect messages between a user
and the KDC
(Figure: master key A↔C, master key B↔C, session key A↔B.)
Oppliger:
“Unfortunately, KDCs have many disadvantages.”
“The most important disadvantage is that each entity must
unconditionally trust the KDC and share a secret master
key with it. There are situations in which this level of trust
is neither justified nor can be accepted by the
communicating entities.”
“Consequently, the use of key establishment protocols
(that typically make use of public key cryptography in
some way or another) provide a viable alternative in
many situations.”
4.3 Key Distribution Using Asymmetric Encryption
Two aspects:
► distribution of public keys
► use of public-key encryption to share secret keys for
symmetric cryptography.
At first thought there is no problem:
just put your public key on a bulletin board!
Problem: somebody else posts a key, stating it to be yours.
Need a trusted third party to certify that the
public key is yours, and distribute it.
The trusted third party is called a Certificate Authority,
which issues Public Key Certificates (next section).
Fig 4.3 Public-Key Certificate Generation
This uses a digital signature to
authenticate the certificate.
The certificate can then be used to
authenticate the holder’s digital signatures.
(Figure 3.2, with Bob and Alice.)
Public-Key Distribution of Secret (symmetric cryptography) Keys
Bob and Alice may be geographically distant – how to exchange key?
► Diffie-Hellman (but no authentication)
► use public-key encryption
1. Bob prepares a message
2. He encrypts it using symmetric algorithm, using one-time “session key”
3. He encrypts the session key with Alice’s public key
4. He attaches the encrypted session key to the encrypted message
5. Alice uses her private key to decrypt the session key
6. Alice reverses the symmetric encryption of the message
4.4 X.509 Certificates
We used public-key certificates in the previous section
Here we give details of the generation and standard form of a public-key
certificate, X.509
X.509 defines a framework for the provision of authentication services by
the X.500 directory to its users
Figure 4.4 X.509 Formats
(Figure annotations: “little, if any, utility”; “Certificate binds these two together”; “The only encryption in the certificate” (the signed hash).)
Characteristics of the X.509 Certificate
User certificates generated by a CA have the following characteristics:
► Any user with access to the public key of the CA can verify
the user public key that was certified.
► No party other than the certification authority can modify the
certificate without this being detected.
How do you get the CA’s public key?
Tools => Options => Advanced => View Certificates
Revocation of Certificate
Although the certificate includes an expiration date, it may be
necessary to revoke a certificate before then (e.g. private key revealed).
CA needs to publish periodic revocation lists.
Must be signed by CA!
Reasons for Revocation of Certificates
► Confidentiality of the user’s private key has been compromised.
► The user is no longer certified by this CA
► The CA’s certificate is assumed to be compromised
(CA’s private key has been released)
From Peterson and Davie:
“… If all certificates had unlimited life spans, the Certificate Revocation
List would always be getting longer, since you could never take a
certificate off the CRL for fear that some copy of the revoked certificate
might be used. However, by attaching an expiration date to a certificate
when it is issued, we can limit the length of time that a revoked
certificate has to stay on the CRL.”
Omit 4.2 Kerberos
Omit 4.5 Public-Key Infrastructure
Omit 4.6 Federated Identity Management
End Chapter 4