Electronic Payment Systems
20-763
Lecture 4:
ePayment Security I
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
ePayment Security
• Keep financial data secret from unauthorized parties
(privacy)
– CRYPTOGRAPHY
• Verify that messages have not been altered in transit
(integrity)
– HASH FUNCTIONS
• Prove that a party engaged in a transaction
(nonrepudiation)
– DIGITAL SIGNATURES
• Verify identity of users (authentication)
– PASSWORDS, DIGITAL CERTIFICATES
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Outline
• Message digest (hash) algorithms
– Secure Hash Algorithm
– HMACs
– Passwords, nonces
• Symmetric encryption
– DES and variations
– AES: Rijndael
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Hash Functions
A “HASH” IS A SHORT FUNCTION OF A MESSAGE (USUALLY  160 BITS)
THE ORIGINAL MESSAGE CAN BE VERY LONG (MEGABYTES)
MESSAGE SPACE
(ALL POSSIBLE
PLAINTEXT MESSAGES)
“TRANSFER
$5000 TO MY
SAVINGS
ACCOUNT”
•
•
HASH SPACE
(ALL POSSIBLE
HASHED MESSAGES)
•
•
•
ELECTRONIC PAYMENT SYSTEMS 20-763
•
?
SPRING 2004
MUST NOT BE
REVERSIBLE
•
•
“AF0E891B293”
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Hash Functions
MESSAGE SPACE
(ALL POSSIBLE
PLAINTEXT MESSAGES)
“TRANSFER
$5000 TO MY
SAVINGS
ACCOUNT”
•
•
•
HASH SPACE
(ALL POSSIBLE
HASHED MESSAGES)
•
•
•
•
ELECTRONIC PAYMENT SYSTEMS 20-763
HASH FUNCTIONS ARE NOT ONE-TO-ONE
AND NOT REVERSIBLE
MANY MESSAGES HAVE THE SAME HASH
•
•
•
•
“AF0E891B293”
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
One-Way Hash Functions
• For any string s, H(s), the hash of s, is of fixed length
(shorter than s), sometimes called a message digest
• Easy to compute
• “One-way”: computationally difficult to invert: can’t
find any message corresponding to a given hash
• Diffusion property: Altering any bit of the message
changes many bits of the hash
– This prevents trying similar messages to see if they hash to
the same thing
• One-way hashes are not reversible
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Uses of One-Way Hash Functions
•
•
•
•
Password verification
Message authentication (message digests)
Prevention of replay attack
Digital signatures
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Secure Hash Algorithm SHA-1
• Federal Information Processing Standard 180-1 (NIST)
• For any message shorter than 2 64  10 19 bits, produces
a 160-bit message digest
• Uses exclusive-OR operation 
A= 0011011110001
B= 1101001101011
AB= 1110010011010
• Exclusive-OR is lossy; knowing A  B does not reveal
even one bit of either A or B
• Regular OR: If a bit of A  B is zero, then both
corresponding bits of both A and B were zero
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Information Hiding with Exclusive-OR
• x  y = 1 if either x or y is 1 but not both:
y
x
xy
0
1
0
0
1
1
1
0
• If x  y = 1 we can’t tell which one is a 1
• Can’t trace backwards to determine values
• If x  y = 1 then BOTH x and y are 1
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Single Step of SHA-1
80 WORDS INPUT HERE, 1 EACH STEP
Operates on 16-word (512-bit) blocks
Expands 16 words to 80 words Wt
Performs 80 operations as shown
for t = 0..79
a, b, c, d, e are special constants
Kt are special constants
MAGIC CONSTANTS
+
+
+
+
REVISED
CONSTANTS
FOR NEXT
STEP
INITIALLY CONSTANTS
“<<< 5” means
“cyclic left shift 5 bits”
SOURCE: SCHNEIER, APPLIED CRYPTOGRAPHY
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Secure Hash Algorithm Flow
LONG MESSAGE TO BE HASHED
TAKE FIRST 16 WORDS (512 BITS)
STARTING
HASH
FIVE 32-BIT
WORDS
(160 BITS)
EXPAND TO 80 WORDS
(2560 BITS)
REPEAT 79 MORE TIMES …
FINAL
HASH
(160 BITS)
111011
010111
100010
000110
110110
011110
011001
100101
110010
111011
010111
100010
011101
110101
101011
001111
101100
100011
000110
110110
011110
ELECTRONIC PAYMENT SYSTEMS 20-763
REPEAT FOR EACH
512-BIT BLOCK
111011
010111
100010
001111
101100
100011
011101
110101
101011
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Secure Hash Algorithm SHA-1
• Pad M so it is a multiple of 512 bits long
• Process M in blocks of 512 bits (16 32-bit words):
W(0) . . . W(15)
• Expand 16-word block to 80 words for j = 16..79 by
W(j) = W(j - 3)  W(j - 8)  W(j - 14)  W(j - 16)
• Perform 4 rounds of 20 operations each using these
functions f t(X,Y,Z) on three words at a time:
Rounds 0-19
(X  Y)  (Z  X)
Rounds 20-39
XYZ
Rounds 40-59
(X  Y)  (X  Z)  (Y  Z)
Rounds 60-79
XYZ
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Secure Hash Algorithm SHA-1
INITIALIZE “MAGIC” HEX CONSTANTS (8 HEX DIGITS = 32 BITS):
A=67452301; B=efcdab89; C=98badcfe; D=10325476; E=c3d2e1f0;
K0-19=5a827999; K20-39=6ed9eba1; K40-59=8f1bbdcd; K60-79=ca62c1d6;
PROCESS THE MESSAGE IN 512-BIT BLOCKS:
For each block B of 16 words in message M
Expand B to 80 words
For t = 0 to 79
MIX UP PARTS OF THE 80 WORDS:
TEMP = (a <<< 5) + f t(b,c,d) + e + W(t) + K t
e = d; d = c; c = b <<< 30; b = a; a = TEMP;
ADD RESULTS TO OUTPUT FROM PREVIOUS BLOCK:
A = A+a; B = B+b; C = C+c; D= D+d; E = E+e;
FINAL DIGEST IS CONCATENATION OF PARTIAL DIGESTS:
H(M) = A | B | C | D | E
ELECTRONIC PAYMENT SYSTEMS 20-763
(5 words = 160 bits)
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Key-Hashed Message
Authentication Codes (HMACs)
Shared Key
Original Plaintext
Hashing with MD5, SHA, etc.
HMAC
Key-Hashed Message Authentication Code (HMAC)
Appended to Plaintext Before Transmission
HMAC
Original Plaintext
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
Note: No encryption;
only hashing
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Key-Hashed Message
Authentication Codes (HMACs)
Receiver Repeats the HMAC Computation
On the Received Plaintext
Shared Key
Received Original Plaintext
Hashing with same algorithm
Computed HMAC

COMPARE

Received HMAC
If computed and received HMACs are the same,
The sender must know the key and so is authenticated
AND the message has not been altered
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Math Break: A Birthday Problem
• Dave’s birthday is Feb. 1. How many people can
there be in a room for the probability to be > 1/2 that
someone else was born on Feb. 1?
• Probability that 1 person was not born on Feb. 1 =
364/365.
• Probability that n people were not born on Feb. 1 is
p(n) = (364/365)n. Now choose n so that p(n) < 0.5
• log p(n) < n log (364/635)
• n > log(1/2)/log(364/365)  253
• If n = 183 (half of 366), p(n) = 0.6053. Less then
40% chance that someone else has same birthday
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
A Generalized Birthday Problem
• Suppose a year has d days. How many people must
be in a room for the probability to be > 1/2 that some
pair of people have the same birthday?
• Label the people 1 … n
• Probability p(n) that person i has no birthday in
common with people 1 … i -1 is (d - i + 1)/d, so
 d  i 1
p( n)   

d 
d 2 
n
• If d = 365 and n = 23, p(n)  0.4927
• If d = 365 and n = 50, p(n)  0.0296
• For large d, taking n  1.17 d gives p(n) > 1/2
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Attacking Hash Algorithms
• If two strings M and M* can be found such that
H(M) = H(M*) then a hash algorithm can be
compromised
• Let M = PO for $100; M* = PO for $100,000
• John digitally signs H(M), so it can’t be altered!
• If H(M*) = H(M) then we can “prove” in court that John
signed the $100,000 PO
• Birthday attack: If the hash length is b bits, then d = 2 b ;
d = 2 b/2
• Try about 2 b/2 small variations of the message. Prob.
~ 50% we will find one that hashes to the same value
• If the digest is 64 bits, try 232 variations. Possible!
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Nonce to Prevent Replay Attack
• Time-dependent value used in challenge-response
protocols to prevent replay attack
• Random numbers, timestamps
• System sends a nonce, e.g. “1992884665”
• User sends a hash of username|password|nonce
• System computes what the hash should be, verifies
user
• Replay fails since the nonce will be different when the
attacker tries to gain access
• Nonce is an obsolete word:
“for the nonce” means “for the time being,” “just for now”
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Cryptography
CODE SPACE
(ALL POSSIBLE
ENCRYPTED MESSAGES)
MESSAGE SPACE
(ALL POSSIBLE
PLAINTEXT MESSAGES)
“TRANSFER
$5000 TO MY
SAVINGS
ACCOUNT”
•
•
•
MUST BE REVERSIBLE
(BUT ONLY IF YOU
KNOW THE SECRET)
•
•
•
ELECTRONIC PAYMENT SYSTEMS 20-763
•
•
•
SPRING 2004
•
“1822UX S4HHG7 803TG
0J71D2 MK8A36 18PN1”
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Cryptography
MESSAGE SPACE
(ALL POSSIBLE
PLAINTEXT MESSAGES)
“TRANSFER
$5000 TO MY
SAVINGS
ACCOUNT”
•
•
•
ENCRYPTION IS SECURE IF
ONLY AUTHORIZED PEOPLE
KNOW HOW TO REVERSE IT
•
•
•
•
•
•
ENCRYPTION IS ONE-TO-ONE
AND REVERSIBLE
EVERY CODE CORRESPONDS
TO EXACTLY ONE MESSAGE
ELECTRONIC PAYMENT SYSTEMS 20-763
CODE SPACE
(ALL POSSIBLE
ENCRYPTED MESSAGES)
SPRING 2004
•
“1822UX S4HHG7 803TG
0J71D2 MK8A36 18PN1”
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Data Encryption Standard (DES)
• Symmetric, key-based encryption-decryption
standard. No public keys
• Block cipher: operates on 64-bit blocks
• Uses 56-bit key
• 16 “rounds” -- key for each round is a 48-bit function
of the original 56-bit key. Each key bit participates in
an average of 14 rounds
• Completely symmetric. Same algorithm decrypts.
• Fast implementation in hardware: 1 gigabit/second
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Encryption “Rounds”
Key
Round
Keys
X
K
KE Key Expansion
k1
k2
k3
kn-2
kn-1
kn
r1
r2
r3
rn-2
rn-1
rn
Y
Encryption Rounds r1 … rn
 Key K is expanded to a set of n round keys ki
 Input block X undergoes n rounds of operations (each operation is based on
value of the nth round key), until it reaches the final round rn
 Strength of algorithm: difficulty of going backwards from the intermediate result
of round m+1 to round m without knowing the round key rm.
SOURCE: MEL TSAI
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Classical Feistel Encryption Network
SOURCE: WILLIAM STALLINGS
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
DES Encryption
SOURCE: WILLIAM STALLINGS
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Data Encryption Standard (DES)
INPUT PERMUTATION
64 BITS OF MESSAGE
LEFT HALF OF
BLOCK (32 BITS)
SUBKEYS:
EACH IS A 48-BIT
FUNCTION OF A
56-BIT KEY
 IS EXCLUSIVE-OR
f IS A COMPLICATED
FUNCTION INVOLVING
VARIOUS PERMUTATIONS
OUTPUT: 64 BITS OF
ENCRYPTED TEXT
INVERSE OF INPUT
PERMUTATION
SOURCE: SCHNEIER, APPLIED CRYPTOGRAPHY
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Years To Crack Symmetric Encryption
Key Length
SOURCE: WILLIAM STALLINGS
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Cipher Block Chaining Example
• In ECB mode, the same input text always produces the same
output. This creates risk of partial decryption.
INITIALIZATION
STRING
PLAINTEXT
BLOCK 1
PLAINTEXT
BLOCK 2


DES
DES
CIPHERTEXT
BLOCK 1
CIPHERTEXT
BLOCK 2
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
etc.
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Modes of DES Use
• ECB - Electronic Codebook Mode
– Straight DES. Independent groups of 64 bit. Weakness:
same 64 bits always encrypts to the same ciphertext
• CFB - Cipher Feedback Mode
– XOR next plaintext block before encrypting
• CBC - Cipher Block Chaining
– encrypt previous block, XOR with plaintext
• OFB - Output Feedback Mode
– XOR encrypted plaintext with next plaintext block
• 3DES - Triple DES
– Encrypt with K1, decrypt with K2, encrypt with K3
• Windows NT uses DES, DES-CBC and 3DES
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Meet-in-the-Middle Attack
(Diffie-Hellman, 1977)
•
•
•
•
•
Suppose we use two DES keys K1 and K2
Pick an input text block x
Let y = EK2(EK1(x)) – the encryption of x
DK2(y) = EK1(x) – the “middle”
Generate two lists:
– encrypt x with all 256 possible keys K1
– decrypt y with all 256 possible keys K2
• Check matches on each list; see if the match
works for a new ciphertext/plaintext pair
• Now know BOTH K1, K2 in 257 tests, not 2112
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Triple DES
• Security can be increased by encrypting multiple times with
different keys
• Double DES is not much more secure than single DES because of
a “meet-in-the-middle” attack
• 3DES (168 bits of keys) can be cracked by trying 112 bits of keys
PLAINTEXT
BLOCK 1
K1
K2
K3
DES
DES
DES
ENCRYPT
DECRYPT
ENCRYPT
CIPHERTEXT
BLOCK 1
• If K1 = K2 = K3 this is just single DES
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
AES, the DES Replacement
• AES = Advanced Encryption Standard
• DES has weaknesses:
– slow (by modern standards)
– weak (can be broken by fast computers)
• NIST ran a competition to replace DES
• Winner: Rijndael, invented by Vincent Rijmen and
Joan Daeman (both male)
• No patenting allowed
• Round block cipher of similar structure to DES but
faster, more secure
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Rijndael
kn
ByteSub
ShiftRow
MixColumn
AddRoundKey
Result from
round n-1
Pass to
round n+1
Detailed view of round n
 Each round consists of:
 ByteSub: each 8 bits of input is replaced with a different 8 bits
 ShiftRow: each row of the block matrix is cyclically shifted
 MixColumn
 AddRoundKey
SOURCE: MEL TSAI
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Rijndael: ByteSub
Each byte at the input of a round is transformed as follows:
Substitution (“S”)-box:
SOURCE: MEL TSAI
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Rijndael: ShiftRow
Depending on block length, each row of the block
is cyclically shifted according to this table:
SOURCE: MEL TSAI
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Rijndael: MixColumn
Each column is multiplied by a fixed polynomial
C(x) = ’03’*X3 + ’01’*X2 + ’01’*X + ’02’
This corresponds to matrix
multiplication b(x) = c(x)  a(x):
SOURCE: MEL TSAI
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Rijndael: Key Expansion and Addition
Each block is XOR’ed with the expanded round key ki
SOURCE: MEL TSAI
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Rijndael
• Allows 128, 192, and 256-bit key sizes
• Variable block length: 128, 192, or 256 bits. All nine
combinations of key/block length possible.
– A block is the smallest data size the algorithm will
encrypt
• VERY FAST, much faster than DES
– Software: 8416 bytes/sec on a 20MHz 8051
– Software: 53 Mbytes/sec on a 800MHz Pentium
– Hardware: currently up to 25 Gbps
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Major Ideas
• Secure hash algorithms create message digests
• Encryption algorithms are complex
– must be studied carefully (by cryptographers)
– subject to sophisticated attacks
• Symmetric encryption is fast
• AES is the new standard symmetric encryption
algorithm – very fast
• Nonce is a defense against replay attacks
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Q&A
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS