Lecture 10: Certificates and Hashes CS588: Security and Privacy University of Virginia Computer Science David Evans http://www.cs.virginia.edu/~evans Menu • PS3 – Work with different people from PS2 or your project group – Due Oct 10 • Midterm postponed until 24 Oct • Public Key Infrastructures (PKI) • Hashing 1 Oct 2001 University of Virginia CS 588 2 Key Management Public keys only useful if you know: 1. The public key matches the entity you think it does (and no one else). 2. The entity is trustworthy. 1 Oct 2001 University of Virginia CS 588 3 Approach 1: Public Announcement • Publish public keys in a public forum – USENET groups – Append to email messages – New York Time classifieds • Easy for rogue to pretend to be someone else 1 Oct 2001 University of Virginia CS 588 4 Approach 2: Public Directory • Trusted authority maintains directory mapping names to public keys • Entities register public keys with authority in some secure way • Authority publishes directory – Print using watermarked paper, special fonts, etc. – Allow secure electronic access 1 Oct 2001 University of Virginia CS 588 5 One Key • Electronic access requires directory have key (public/private key pair might work, but how do entities validate public key?) • If authority’s key is compromised, everything is vulnerable! – Keep the key locked up well • Directory is single point of failure 1 Oct 2001 University of Virginia CS 588 6 Certificates TrustMe.com { alice@alice.org, KUA } { bob@bob.com, KUB} CA = EKRTrustMe[“alice@alice.org”, KUA] CB = EKRTrustMe[“bob@bob.com”, KUB] CA Alice Bob CB Use anything like this? 1 Oct 2001 University of Virginia CS 588 7 Data encrypted using secret key exchanged using some public key associated with some certificate. 1 Oct 2001 University of Virginia CS 588 8 1 Oct 2001 University of Virginia CS 588 9 SSL (Secure Sockets Layer) Client Server Hello KRCA[Server Identity, KUS] Check Certificate using KUCA Pick random K KUS[K] Find K using KRS Secure channel using K 1 Oct 2001 University of Virginia CS 588 10 Certificates TrustMe.com { alice@alice.org, KUA } { bob@bob.com, KUB} CA = EKRTrustMe[“alice@alice.org”, KUA] CB = EKRTrustMe[“bob@bob.com”, KUB] CA Alice Bob CB How does TrustMe.com decide whether to provide Certificate? 1 Oct 2001 University of Virginia CS 588 11 Verifying Identities $$$$ TrustMe.com { alice@alice.org, KUA } { bob@bob.com, KUB} CA = EKRTrustMe[“alice@alice.org”, KUA] CB = EKRTrustMe[“bob@bob.com”, KUB] CA Alice Bob CB 1 Oct 2001 University of Virginia CS 588 12 VeriSign’s Certificate Classes • Class 1: Individuals Only, No Identity Check – Proves: you are communicating with someone willing to pay VeriSign $14.95 – Except they have a free 60-day trial • Class 2: Individuals Only, No longer available – “Confirmation is based upon VeriSign proprietary matching criteria of third-party databases against the information in the application.” – $20/year • Class 3: Individuals and Organizations – Require physical appearance before notary – Businesses: “out-of-band” communication, records – ~$1000, VeriSign’s liability up to $100,000 1 Oct 2001 University of Virginia CS 588 13 1 Oct 2001 University of Virginia CS 588 14 Limiting The Damage VerySine.com { alice@alice.org, KUA } CA = EKRTrustMe[“alice@alice.org”, cert id, expiration time, KUA] CA Alice Bob Checks expiration time > now 1 Oct 2001 University of Virginia CS 588 15 1 Oct 2001 University of Virginia CS 588 16 Revoking Certificates VerySine.com { alice@alice.org, KUA } CA EKRTrustMe[CRL] Send me the CRL CA Alice 1 Oct 2001 <certid, Date Revoked> <certid, Date Revoked> <certid, Date Revoked> … University of Virginia CS 588 Bob 17 Revoked! 1 Oct 2001 University of Virginia CS 588 18 Web Treasure Hunt • Click on “lock” next time when you browse the web • Find a certificate with a hierarchy of trust more than one level deep – The CA has a certificate 1 Oct 2001 University of Virginia CS 588 19 PGP (Pretty Good Privacy) • Keyring: list of public keys, signed by owner’s private key Alice’s keyring: EKRAlice (<“bob@bob.com”, KUBob>, <“cathy@sharky.com”, KUCathy>) • Exchanging Keyrings (Web of Trust) – Complete Trust: I trust Alice’s keyring (add the public key pairings to my own keyring) – Partial Trust: I sort of trust Alice, but require confirmation from someone else too (I need to get EKRCathy (<“bob@bob.com”, KUBob>) before trusting KUBob 1 Oct 2001 University of Virginia CS 588 20 Anonymous Quiz 1 Oct 2001 University of Virginia CS 588 21 Using RSA to Encrypt • Use 1024-bit modulus (RSA recommends at least 768 bits) • Encrypt 1M file – 1024 1024-bit messages – To calculate Me requires log2e 1024-bit modular multiplies • Why does no one use RSA like this? – About 100-1000 times slower than DES – Can speed up encryption by choosing e that is an easy number to multiply by (e.g., 3 or 216 + 1) – But, decryption must use non-easy d (around 1024 bits) 1 Oct 2001 University of Virginia CS 588 22 Alternatives • Use RSA to establish a shared secret key for symmetric cipher (DES, RC6, ...) – Lose external authentication, nonrepudiation properties of public-key cryptosystems • Sign (encrypt with private key) a hash of the message – A short block that is associated with the message 1 Oct 2001 University of Virginia CS 588 23 0 Hashing 1 2 3 “dog” “neanderthal” 4 5 6 7 “horse” 8 9 H (char s[]) = (s[0] – ‘a’) mod 10 1 Oct 2001 University of Virginia CS 588 24 Regular Hash Functions 1. Many-to-one: maps a large number of values to a small number of hash values 2. Even distribution: for typical data sets, P(H(x) = n) = 1/N where N is the number of hash values and n = 0 .. N – 1. 3. Efficient: H(x) is easy to compute. How well does H (char s[]) = (s[0] – ‘a’) mod 10 satisfy these properties? 1 Oct 2001 University of Virginia CS 588 25 Cryptographic Hash Functions 4. One-way: for given h, it is hard to find x such that H(x) = h. 5. Collision resistance: Weak collision resistance: given x, it is hard to find y x such that H(y) = H(x). Strong collision resistance: it is hard to find any x and y x such that H(y) = H(x). 1 Oct 2001 University of Virginia CS 588 26 Using Hashes • Alice wants to send Bob and “I owe you” message. • Bob should be able to show the message to a judge to compel Alice to pay up. • Bob should not be able to make his own “I owe you” from Alice, or change the contents of the one she sent him. 1 Oct 2001 University of Virginia CS 588 27 IOU Protocol (Attempt 1) M H(M) Bob Alice M H(M) Hmmm...Bob can just make up M and H(M)! Judge 1 Oct 2001 University of Virginia CS 588 28 IOU Protocol (Attempt 2) M EKA[H(M)] Bob Alice secret key KA Use Diffie-Hellman to establish shared secret KA 1 Oct 2001 M Judge knows KA EKA[H(M)] Can Bob cheat? Can Alice cheat? Yes, send Bob: M, junk. Judge will think Bob cheated! University of Virginia CS 588 29 IOU Protocol (Attempt 3) M EKRA[H(M)] Bob knows KUA Alice {KUA, KRA} 1 Oct 2001 M Judge knows KUA EKRA[H(M)] Bob can verify H(M) by decrypting, but cannot forge M, EKRA[H(M)] pair without knowing KRA. University of Virginia CS 588 30 No Collision Resistance • Suppose we use: H (char s[]) = (s[0] – ‘a’) mod 10 • Alice sends Bob: “I, Alice, owe Bob $2.”, EKRA[H (M)] • Bob sends Judge: “I, Alice, owe Bob $2000000000000000.”, EKRA[H (M)] • Judge validates EKUA [ EKRA[H (M)]] = H(“I, Alice, owe Bob $2000000000000000.”) and makes Alice pay. 1 Oct 2001 University of Virginia CS 588 31 Weak Collision Resistance • Given x, it should be hard to find y x such that H(y) = H(x). • Similar to a block cipher except no need for secret key: – Changing any bit of x should change most of H(x). – The mapping between x and H(x) should be confusing (complex and non-linear). 1 Oct 2001 University of Virginia CS 588 32 A Better Hash Function? • H(x) = DES (x, 0) • Weak collision resistance? – Given x, it should be hard to find y x such that H(y) = H(x). – Yes – DES is one-to-one. (These is no such y.) • A good hash function? – No, its output is as big as the message! 1 Oct 2001 University of Virginia CS 588 33 What we need: • Produce small number of bits (say 64) that depend on the whole message in a confusing, non-linear way. • Have we seen anything like this? Cipher Block Chaining P1 P2 IV K DES C1 to receiver 30 Aug 2000 1 Oct 2001 University of Virginia CS 588 K DES ... C2 to receiver University of Virginia CS 551 8 34 Cipher Block Chaining IV K P1 P2 Pn DES C1 K DES ... K DES Cn C2 Use last ciphertext block as hash. Depends on all plaintext blocks. 1 Oct 2001 University of Virginia CS 588 35 Actual Hashing Algorithms • Based on cipher block chaining • No need for secret key or IV (just use 0) • Don’t use DES – Performance – Better to use bigger blocks • MD5 [Rivest92] – 512 bit blocks, produces 128-bit hash • SHA [NIST95] – 512 bit blocks, 160-bit hash 1 Oct 2001 University of Virginia CS 588 36 Why big hashes? • 3DES is (probably) secure with 64-bit blocks, why do secure hash functions need at least 128 bit digests? • 64 bits is fine for weak collision resistance, but we need strong collision resistance too. 1 Oct 2001 University of Virginia CS 588 37 Strong Collision Resistance • It is hard to find any x and y x such that H(y) = H(x). • Difference from weak: – Attacker gets to choose both x and y, not just y. • Scenario: – Suppose Bob gets to write IOU message, send it to Alice, and she signs it. 1 Oct 2001 University of Virginia CS 588 38 Charge • Next time: why strong collision resistance is hard • Return PS2’s 1 Oct 2001 University of Virginia CS 588 39