SCSC 455 Computer Security
Chapter 3: Public Key Cryptography and Message Authentication
Dr. Frank Li

Index
- Approaches to Message Authentication
- Secure Hash Functions
- Message Authentication
- Public Key Cryptography Principles
- Public Key Cryptography Algorithms
- Digital Signatures

Message Authentication
- Three aspects of message authentication in this chapter:
  - Message authentication code and hash function
  - Public key encryption principles
  - Digital signature
- Protection against active attacks is known as message authentication
  - Contents have NOT been altered and the source is authentic
  - Verify the message's timeliness (delay and replay)

Authentication using conventional encryption
- Only sender and receiver share a key
- Error detection code and sequence number
- Time stamp
- However, symmetric encryption alone is NOT a suitable tool, e.g. block reordering

Message authentication without encryption
- Typically, message authentication is provided as a separate function from message encryption.
- Message authentication code (MAC)
  - Use of a secret key to generate a small block of data appended to the message
  - MAC_m = F(K_ab, M)
  - FIPS recommends the use of DES – a 16- or 32-bit code
- The difference between an authentication algorithm and encryption
  - Need NOT be reversible

Message authentication without encryption
- A one-way hash function is an alternative to MAC
- No need for secret key
- Hash value (message digest) is sent with the message
- Three ways:
  - Using conventional encryption
  - Using public key encryption
  - Using secret value: MD_m = H(S_ab || M)

Secure Hash Function (3.2)
Hash function H must have these properties:
1. H can be applied to a block of data of any size
2. H produces fixed-length output
3. H(x) is relatively easy to compute
4. Computationally infeasible to find x such that H(x) = h (one-way or pre-image resistant)
5. Computationally infeasible to find x ≠ y with H(y) = H(x), i.e. weak collision resistant
6. Computationally infeasible to find any pair (x, y) such that H(x) = H(y), i.e. strong collision resistant

Hash Function
- Weak hash function vs. strong hash function
- The sixth property protects against the birthday attack
- What is a birthday attack?
- A message digest also provides data integrity

Attack Against One-Way Hash Functions
- If the hash algorithm produces the same hash value for two distinctly different messages, this is called a collision.
- An attacker can attempt to force a collision, which is referred to as a birthday attack.

Birthday paradox
Q: How many people must be in the same room for the probability to be more than 50% that at least two of them will have the same birthday?

Birthday paradox
- Given a group of 23 (or more) randomly chosen people, the probability is more than 50% that at least two of them will have the same birthday.
- For 60 or more people, the probability is greater than 99%, although it cannot actually be 100% unless there are at least 366 people.

Birthday paradox
Q: What is the implication of the birthday paradox for hash functions?

Birthday attack
- Attackers can find the hash value that matches a specific message through a brute force attack.
  Q: Why?
- If an attacker finds two messages with the same hash values, it is equivalent to finding two people with the same birthday.
- A birthday attack is a type of brute force attack.
- Based on the birthday paradox, if the output of a hashing algorithm is n bits, finding two messages that hash to the same value would require checking only 2^(n/2) messages.
  - e.g., SHA-1 generates a 160-bit hash value. The attacker needs approximately 2^80 computations to find a collision.
- A larger hash value is less vulnerable to brute force attack.

Security of Hash function
Two approaches to attacking a secure hash function:
- Cryptanalysis: exploit logic weakness
- Brute-force attack: the length of the hash code is n
  - Pre-image resistant
  - Second pre-image resistant
  - Collision resistant
- 128 bit ? 160 bits ?
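The birthday bound above can be checked empirically. The following is an added example, not part of the original slides: it truncates SHA-256 to n bits to stand in for a short n-bit hash (an assumption made so the search finishes quickly) and counts how many distinct messages must be hashed before two collide. The function names and the message strings are constructed for this illustration.

```python
import hashlib

def truncated_hash(message: bytes, n_bits: int) -> int:
    """Top n_bits of SHA-256(message), standing in for an n-bit hash."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest >> (256 - n_bits)

def find_collision(n_bits: int):
    """Hash distinct messages until two share a digest.

    Returns (m1, m2, tries): two different messages with the same
    truncated hash, and how many messages were hashed to find them.
    """
    seen = {}
    counter = 0
    while True:
        message = b"constructed-message-%d" % counter  # constructed input
        h = truncated_hash(message, n_bits)
        if h in seen:
            return seen[h], message, counter + 1
        seen[h] = message
        counter += 1

def repeat_probability(k: int, space: int) -> float:
    """Probability that k uniformly random values out of `space` repeat."""
    p_unique = 1.0
    for i in range(k):
        p_unique *= (space - i) / space
    return 1.0 - p_unique

if __name__ == "__main__":
    # The people-in-a-room figures from the birthday paradox slide.
    for people in (23, 60):
        print(f"{people} people: P(shared birthday) = "
              f"{repeat_probability(people, 365):.4f}")
    # The same effect on hash outputs: work grows like 2^(n/2), not 2^n.
    for n in (16, 24, 32):
        m1, m2, tries = find_collision(n)
        print(f"n={n}: collision after {tries} hashes, "
              f"2^(n/2) = {2 ** (n // 2)}, 2^n = {2 ** n}")
```

The measured number of hashes tracks 2^(n/2), which is why digest length has to be chosen against the collision bound and not the pre-image bound.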
Simple Hash function
- General principle
  - The input is viewed as a sequence of n-bit blocks
  - The input is processed one block at a time in an iterative fashion to produce an n-bit hash value
- E.g.1 Bit-by-bit XOR
- E.g.2 Rotated XOR (RXOR)
  - Step 1 …
  - Step 2 …
- Potential problem with simple hash functions

SHA – Secure Hash Function
- SHA was developed by NIST and published as FIPS 180 in 1993
- SHA-1: 160-bit
- SHA-2: 256, 384, 512 bits
- Details on SHA-512
  - Steps 1 – 5 (page 67 – 70)
  - Figure 3.4 is important!
  - Detail on figure 3.5 is not required

SHA-3
Two basic requirements:
1. Can replace SHA-2 (224, 256, 384, and 512 bits)
2. Preserve the online nature of SHA-2 (process small blocks, 512 or 1024 bits, at a time)

Asymmetric Cryptography
- In public key systems, each entity has a pair of different keys, or asymmetric keys.
- The two different asymmetric keys are mathematically related.
  - The public key can be known to everyone.
  - The private key must be known and used only by the owner.
- It must be computationally infeasible to derive the private key from the public key.

Asymmetric Cryptography
In different scenarios, we can choose to use either the public key or the private key to encrypt and decrypt.
- Scenario 1
  Q: Is there any problem in scenario 1?
- Scenario 2
  Q: Is there any problem in scenario 2?
- Scenario 3
  Q: Is there any problem in scenario 3?

Asymmetric Cryptography
- Common asymmetric algorithms
  - Diffie-Hellman
  - RSA
  - Elliptic curve cryptosystem (ECC)
  - El Gamal
  - Digital Signature Algorithm (DSA)
  - Knapsack
- RSA is the most popular public-key encryption
  - Developed by Ronald Rivest, Adi Shamir, and Len Adleman
  - RSA is used in a number of products from many vendors: Web browsers, virtual private networks (VPN)

Asymmetric vs. Symmetric Cryptography
Pro:
- Asymmetric algorithms can provide authentication and non-repudiation.
- They also provide for easier and more manageable key distribution.
Cons:
- An asymmetric algorithm works much more slowly than a symmetric algorithm.
  - Symmetric algorithms carry out relatively simplistic mathematical functions – substitution and transposition.
  - Asymmetric algorithms use much more complex mathematics to carry out their functions.

Diffie-Hellman algorithm (1)
- The Diffie-Hellman algorithm, a.k.a. Diffie-Hellman (D-H) key exchange
  - Was invented in 1976
  - Is a cryptographic protocol that allows two parties to jointly establish a shared secret key over an insecure communications channel.
- This key can then be used to encrypt subsequent communications using a symmetric key cipher.

Diffie-Hellman algorithm (2)
Alice and Bob share a prime p and g.
- g < p
- g is a primitive root of p (detail is not required in this course)

Diffie-Hellman algorithm (3)
Example:
Precondition: Alice and Bob agree to use a prime number p = 23 and a base g = 5.
1. Alice chooses a secret integer a = 6, then sends Bob g^a mod p = 5^6 mod 23 = 8.
2. Bob chooses a secret integer b = 15, then sends Alice g^b mod p = 5^15 mod 23 = 19.
3. Alice computes (g^b mod p)^a mod p = 19^6 mod 23 = 2.
4. Bob computes (g^a mod p)^b mod p = 8^15 mod 23 = 2.

Diffie-Hellman algorithm (4)
The D-H algorithm is considered secure against eavesdroppers if g and p are chosen properly. The eavesdropper ("Eve") must solve the Diffie-Hellman problem to obtain the key. This is currently considered very difficult.
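The exchange from the example slide, run with the slide's own numbers, as an added example that is not part of the original slides. It also checks the "g is a primitive root of p" precondition and shows why "chosen properly" matters: with a 5-bit prime, someone who sees only p, g and the two public values can find the shared key by trying every exponent. All function names are chosen for this illustration.

```python
def is_primitive_root(g: int, p: int) -> bool:
    """True if the powers g^1 .. g^(p-1) mod p cover every value 1..p-1."""
    return len({pow(g, k, p) for k in range(1, p)}) == p - 1

def dh_exchange(p: int, g: int, a: int, b: int):
    """Run one exchange; return (A, B, alice_key, bob_key)."""
    A = pow(g, a, p)              # Alice sends g^a mod p to Bob
    B = pow(g, b, p)              # Bob sends g^b mod p to Alice
    alice_key = pow(B, a, p)      # (g^b)^a mod p
    bob_key = pow(A, b, p)        # (g^a)^b mod p
    return A, B, alice_key, bob_key

def exhaustive_search_key(p: int, g: int, A: int, B: int):
    """Eavesdropper's view: only p, g, A and B are known.

    Tries every exponent until g^x mod p == A, then derives the key.
    The loop runs at most p-1 times, so it is trivial for p = 23 and
    infeasible for a prime of 2048 bits or more.
    """
    for x in range(1, p):
        if pow(g, x, p) == A:
            return x, pow(B, x, p)
    return None

if __name__ == "__main__":
    p, g = 23, 5                               # values from the slide
    print("5 is a primitive root of 23:", is_primitive_root(g, p))
    print("2 is a primitive root of 23:", is_primitive_root(2, p))
    A, B, alice_key, bob_key = dh_exchange(p, g, a=6, b=15)
    print(f"Alice sends {A}, Bob sends {B}")
    print(f"Alice derives {alice_key}, Bob derives {bob_key}")
    x, key = exhaustive_search_key(p, g, A, B)
    print(f"Toy-size search recovers a = {x} and key = {key}")
```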
The D-H algorithm is vulnerable to a man-in-the-middle attack. The attacker may establish two distinct Diffie-Hellman keys, one with Tanya and the other with Erika, then try to masquerade as Alice to Bob and/or vice-versa, by decrypting and re-encrypting messages passed between them.

Man-in-the-middle attack on Diffie-Hellman algorithm
Q: How to prevent a man-in-the-middle attack?

Man-in-the-middle attack on Diffie-Hellman algorithm
- The cause of the man-in-the-middle attack is that no authentication occurs before public keys are exchanged.
- To prevent a man-in-the-middle attack: when Alice and Bob have a public key infrastructure (PKI), they may digitally sign their public keys, authenticating each other’s public keys.

RSA
- RSA, named after its inventors Ron Rivest, Adi Shamir, and Leonard Adleman, in 1977
- De facto standard used for digital signatures, key exchange, and encryption.
- The security of RSA comes from the difficulty of factoring large numbers.
  - The public and private keys are functions of a pair of large prime numbers.
- RSA is the most popular public key algorithm.
  - It has been implemented in applications, operating systems, and at the hardware level in network interface cards, secure telephones, and smart cards.

RSA – background
Totient function φ(n)
- Number of positive integers less than n and relatively prime to n
  (relatively prime means with no factors in common with n)
- e.g.1: φ(10) = 4: 1, 3, 7, 9
- e.g.2: φ(21) = 12: 1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20

RSA – Create a pair of keys
1. Choose two random large prime numbers, p and q, and generate the product n = pq.
2. Choose a random number e so that e and φ(n) = (p – 1)(q – 1) are relatively prime.
3. Compute the decryption key d: e d = 1 mod φ(n) (calculate d by using the Extended Euclidean algorithm).
The public key = (n, e), the private key = d.

RSA – Encryption / Decryption
- Modulo operations are computationally expensive.
- Thus, public key cryptosystems are slower than symmetric cryptosystems.
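The three key-creation steps above, written out as an added example that is not part of the original slides. It uses the small values from this chapter's RSA example (p = 7, q = 11, e = 17) and the letter encoding A = 00 ... Z = 25 implied by "HELLO" = 07 04 11 11 14; the function names are chosen for this illustration.

```python
from math import gcd

def extended_gcd(a: int, b: int):
    """Return (g, x, y) such that a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = extended_gcd(b, a % b)
    return g, y, x - (a // b) * y

def make_keypair(p: int, q: int, e: int):
    """Steps 1-3: n = pq, check e against phi(n), solve e*d = 1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e and phi(n) must be relatively prime")
    _, x, _ = extended_gcd(e, phi)   # e*x + phi*y == 1
    d = x % phi                      # bring d into the range 1..phi-1
    return (n, e), d

def encode(text: str):
    """Letters to numbers, A=0 ... Z=25, one block per letter."""
    return [ord(c) - ord("A") for c in text]

def decode(blocks):
    return "".join(chr(m + ord("A")) for m in blocks)

def encrypt(public_key, blocks):
    n, e = public_key
    return [pow(m, e, n) for m in blocks]      # c = m^e mod n

def decrypt(n: int, d: int, blocks):
    return [pow(c, d, n) for c in blocks]      # m = c^d mod n

if __name__ == "__main__":
    public_key, d = make_keypair(p=7, q=11, e=17)
    print("public key (n, e):", public_key, " private key d:", d)
    ciphertext = encrypt(public_key, encode("HELLO"))
    print("ciphertext:", ciphertext)
    print("decrypted: ", decode(decrypt(public_key[0], d, ciphertext)))
```

Both occurrences of L encrypt to the same value, because RSA used this way is deterministic; deployed RSA encryption therefore uses randomized padding such as OAEP together with a modulus of 2048 bits or more.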
RSA Example
Alice calculates her key pair.
- Let p = 7, q = 11
- n = 77, φ(n) = (p-1)(q-1) = 60
- Chooses e = 17
- Through calculating d * 17 = 1 mod 60, d = 53
- Public key: (e=17, n=77); private key: (d=53)
Encryption process:
- Bob wants to send Alice a secret message “HELLO” (07 04 11 11 14)
- Bob knows Alice’s public key (e=17, n=77), and encrypts the message:
  07^17 mod 77 = 28
  04^17 mod 77 = 16
  11^17 mod 77 = 44
  11^17 mod 77 = 44
  14^17 mod 77 = 42
- Bob sends 28 16 44 44 42

RSA Example
Decryption process:
- Alice receives 28 16 44 44 42
- Alice uses private key d = 53 to decrypt the message:
  28^53 mod 77 = 07
  16^53 mod 77 = 04
  44^53 mod 77 = 11
  44^53 mod 77 = 11
  42^53 mod 77 = 14
- Alice translates the message to letters “HELLO”
- No one else could read it, as only Alice knows her private key and that is needed for decryption

Authenticating the public key
- A potential weakness of public-key cryptography
  Q: How do you know that the public key you have for an individual is really for that individual?
- The solution is to authenticate the public key
  - Authentication is the process of proving that you are in fact the person you say you are.
  - E.g., a phone ID is commonly used to authenticate a person.
  Q: How to authenticate a public key?

One way to authenticate a public key: Signatures
- Signatures let you authenticate a public key
- How does the signature work?
  - You verify that another person’s key really belongs to that person, and then sign that public key with your own private key.
  - Others who get that public key can see your signature and know you trust that key, so they may decide to trust it OR may decide to verify that key themselves.
  - This forms a web of trust -- a peer to peer trust relationship
- Example …
Q: How to verify another person’s public key?
Verify public key
- Verify the public key in person, or call the owner of the public key and check the key
  - A key usually has hundreds of digits
  - Checking bit by bit is not very efficient
- A fingerprint is a smaller number that is derived from a very lengthy public key
  - Fingerprints are created by hashing the public key
  - Hashing is a process by which a mathematical function is used that converts larger numbers into smaller numbers

Hash function
- A hash function is a function that takes a variable-length string and produces a fixed-length hash value.
  - The hash value is also called fingerprint, checksum, or message digest
  - A fingerprint is changed if the contents have been altered
  - Example …
- Two commonly used hash functions
  - Message digest hash (MD5) provides a 128-bit fingerprint
  - Secure hash algorithm (SHA-1) provides a 160-bit fingerprint

The second way to authenticate a public key: Certificate
- Using a digital certificate -- with PKI
- A certificate is a numeric code that is used to identify an organization
- A certificate authority (CA) verifies the credentials of an organization or individual. Then the CA issues a client’s public key and signs it with the CA’s private key
- E.g. VeriSign is a well-known CA