csce 815 network security lecture 8 sha operation and kerberos
CSCE 815 Network Security Lecture 8
SHA Operation and Kerberos
– 2 – CSCE 815 Sp 03
Resources
Stallings Web Site: http://williamstallings.com/
Network Security Essentials, Second Edition
Instructors Resources
  PowerPoint Slides (Henric Johnson)
  Tables and Figures
Student Resources: look here for yourself!
Resources for Cryptography and Network Security, Third Edition: http://williamstallings.com/Crypto3e.html
Instructors Resources
  Figures, Tables
  PowerPoint (Lawrie Brown)
Test 1 Feb 20
Sample Test ??? (next time) Open vs Closed???
Questions
1. Analyze this sequence of ciphertext given table of frequencies.
2. Analyze this ciphertext knowing it is a very simple permutation.
3. Describe approach to decipher composition of substitution and permutation.
4. DES ?
5. RSA ?
6. SHA, MAC,
Birthday Attacks
You might think a 64-bit hash is secure
But by the Birthday Paradox it is not
The Birthday attack works thus:
  opponent generates 2^(m/2) variations of a valid message all with essentially the same meaning
  opponent also generates 2^(m/2) variations of a desired fraudulent message
  two sets of messages are compared to find pair with same hash (probability > 0.5 by birthday paradox)
  have user sign the valid message, then substitute the forgery which will have a valid signature
Conclusion is that need to use larger MACs
One-way HASH function
Secret value is added before the hash and removed before transmission.
SHA Overview
pad message so its length is 448 mod 512
append a 64-bit length value to message
initialize 5-word (160-bit) buffer (A,B,C,D,E) to
  (67452301,efcdab89,98badcfe,10325476,c3d2e1f0)
process message in 16-word (512-bit) chunks:
  expand 16 words into 80 words by mixing & shifting
  use 4 rounds of 20 bit operations on message block & buffer
  add output to input to form new buffer value
output hash value is the final buffer value
Message Digest Generation Using SHA-1
SHA-1 Processing of single 512-Bit Block
Figure 12-6 (C&NS) SHA one step
SHA-1 Compression Function
Each round has 20 steps which replaces the 5 buffer words thus:
  (A,B,C,D,E) <- ((E + f(t,B,C,D) + S^5(A) + W_t + K_t), A, S^30(B), C, D)
A,B,C,D,E refer to the five words of the buffer
t is the step number
K_t is a constant value derived from step
f(t,B,C,D) is nonlinear function for round
W_t is derived from the message block
S^k – circular shift by k bits
+ here means addition modulo 2^32
K_t - Constants for SHA-1 steps
Step Number     K_t (in hex)    Integer portion of
-1 < t < 20     5A827999        2^30 x sqrt(2)
19 < t < 40     6ED9EBA1        2^30 x sqrt(3)
39 < t < 60     8F1BBCDC        2^30 x sqrt(5)
59 < t < 80     CA62C1D6        2^30 x sqrt(10)
f_t – Round Functions for SHA-1 steps
Step Number     f(t,B,C,D)
-1 < t < 20     (B ^ C) V (B’ ^ D)
19 < t < 40     B + C + D
39 < t < 60     (B ^ C) V (B ^ D) V (C ^ D)
59 < t < 80     B + C + D
Where ^ means AND, V means OR, B’ means B complement, and
+ on this slide means XOR
W_t words
32 bit W_t words
For the first 16 words W_t = 16 words of current block
Henceforth
  W_t = S^1(W_{t-16} + W_{t-14} + W_{t-8} + W_{t-3})
+ means XOR
Message Digest Generation Using SHA-1 revisited
Output Stage of SHA-1
After all 512 bit blocks have been processed
Where
  IV = initial vector, initial value of five words
  L = number of 512 bit blocks in padded message
  MD = final Message Digest
  ABCDE_q = output of last round of processing of the q-th block
Algorithm
  CV_0 = IV
  for q = 0 to L
    CV_{q+1} = CV_q + ABCDE_q
  MD = CV_L
Other Secure Hash Functions
MD5 Message Digest Algorithm
RFC 1321 Ron Rivest
128 bit message digest
with faster processors security has become questionable
RIPEMD-160 Round
European group
produces 160 bit digest
processes text in 512 bit blocks
Other Secure HASH functions - table 3.1
                           SHA-1                 MD5                   RIPEMD-160
Digest length              160 bits              128 bits              160 bits
Basic unit of processing   512 bits              512 bits              512 bits
Number of steps            80 (4 rounds of 20)   64 (4 rounds of 16)   160 (5 paired rounds of 16)
Maximum message size       2^64-1 bits
Message Authentication Codes revisited
MAC based on MAC algorithm and Key K
Hash Functions
one way function not based on key
Keyed Hash Functions as MACs
have desire to create a MAC using a hash function rather than a block cipher
  because hash functions are generally faster
  not limited by export controls unlike block ciphers
hash includes a key along with the message
original proposal:
  KeyedHash = Hash(Key|Message)
  some weaknesses were found with this
eventually led to development of HMAC
HMAC
Use a MAC derived from a cryptographic hash code, such as SHA-1.
Motivations:
  Cryptographic hash functions execute faster in software than encryption algorithms such as DES
  Library code for cryptographic hash functions is widely available
  No export restrictions from the US
RFC 2104
HMAC Design Objectives
Proposal to include secret key in hash function
RFC 2104 lists design objectives for HMAC
1. To use available hash functions
2. Allow easy replaceability of hash function
3. Maintain performance of original hash
4. Use and handle keys simply
5. Have well understood cryptographic analysis of strength of the authentication method
HMAC Structure fig 3.6
HMAC Details
Hash = embedded hash function (e.g., SHA-1)
M – message
L – number of blocks in M
Y_i – the ith block of M 0 < i < L
b = number of bits in a block
n = length of hash code produced by embedded hash
K = secret Key
K+ = K padded on left with zeroes so length is b
ipad = 00110110 repeated b/8 times
opad = 01011100 repeated b/8 times
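How K+, ipad and opad from the HMAC details combine with an unmodified hash function, and how the hash can be swapped without touching the construction. This is an added Python example, not part of the original lecture; the function names are chosen here, and the padding follows RFC 2104, which appends the zero bytes after K and first hashes any key longer than one block.

```python
import hashlib
import hmac

def xor_bytes(x, y):
    return bytes(i ^ j for i, j in zip(x, y))

def hmac_digest(key, msg, hash_name="sha1"):
    """HMAC(K, M) = Hash((K+ xor opad) || Hash((K+ xor ipad) || M))."""
    def h(data):
        return hashlib.new(hash_name, data).digest()

    b = hashlib.new(hash_name).block_size  # block length in bytes (64 for SHA-1)
    if len(key) > b:
        key = h(key)                 # RFC 2104: hash keys longer than a block
    k_plus = key.ljust(b, b"\x00")   # K+: K zero-padded to one block
    ipad = b"\x36" * b               # 00110110 repeated
    opad = b"\x5c" * b               # 01011100 repeated
    inner = h(xor_bytes(k_plus, ipad) + msg)
    return h(xor_bytes(k_plus, opad) + inner)

def verify(key, msg, tag, hash_name="sha1"):
    """Check a received tag with a constant-time comparison."""
    return hmac.compare_digest(hmac_digest(key, msg, hash_name), tag)

if __name__ == "__main__":
    # Constructed demo key and message.
    key, msg = b"constructed-demo-key", b"constructed sample message"
    tag = hmac_digest(key, msg)
    print(tag.hex(), verify(key, msg, tag), verify(key, msg + b"!", tag))
```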
Diffie Hellman Key Exchange
First published public-key algorithm (1976)
Purpose is to allow two users to exchange a private key
Diffie-Hellman depends on the difficulty in computing discrete logarithms (inverse exponentials)
Choose a prime p, consider the sequence
  a mod p, a^2 mod p, a^3 mod p, … a^(p-1) mod p
If these are distinct and a permutation of 1 … p-1, then
  1. b = a^i mod p then ‘i’ is the discrete logarithm of b
  2. a is called a primitive root of p
Diffie-Hellman fig 3.10
Diffie-Hellman Algorithm fig 3.10
Global public elements
  q – a prime and ‘a’ a primitive root of q
User A key generation
  Select private X_A, calculate public Y_A = a^(X_A) mod q
User B key generation
  Select private X_B, calculate public Y_B = a^(X_B) mod q
Generation of Secret Key by User A
  K = (Y_B)^(X_A) mod q
Generation of Secret Key by User B
  K = (Y_A)^(X_B) mod q
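Both sides of the exchange above, with a check that 'a' really is a primitive root of q before any keys are generated. This is an added Python example, not part of the original lecture; the function names and the toy parameters q = 353, a = 3 are chosen here for illustration and are far too small for real use.

```python
import secrets

def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for toy sizes)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors

def is_primitive_root(a, q):
    """True if a, a^2, ..., a^(q-1) mod q is a permutation of 1 .. q-1."""
    if a % q == 0:
        return False
    return all(pow(a, (q - 1) // r, q) != 1 for r in prime_factors(q - 1))

def keypair(a, q):
    """Select private X in [2, q-2] and compute public Y = a^X mod q."""
    x = secrets.randbelow(q - 3) + 2
    return x, pow(a, x, q)

def shared_key(y_other, x_own, q):
    """K = (Y_other)^(X_own) mod q."""
    return pow(y_other, x_own, q)

def exchange(a, q):
    """Run both users' steps; only Y_A and Y_B would cross the network."""
    if not is_primitive_root(a, q):
        raise ValueError("a is not a primitive root of q")
    x_a, y_a = keypair(a, q)
    x_b, y_b = keypair(a, q)
    return shared_key(y_b, x_a, q), shared_key(y_a, x_b, q)

if __name__ == "__main__":
    q, a = 353, 3  # constructed toy parameters
    k_a, k_b = exchange(a, q)
    print("A's key:", k_a, "B's key:", k_b, "match:", k_a == k_b)
```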
Other Public-Key Cryptographic Algorithms
Meaning other than RSA
Digital Signature Standard (DSS)
  Makes use of the SHA-1
  Not for encryption or key exchange
Elliptic-Curve Cryptography (ECC)
  Good for smaller bit size
  Low confidence level, compared with RSA
  Very complex
Diffie-Hellman Key Exchange fig 3.11
Key Management
Major contribution of public-key encryption is to address the problem of key distribution
  Private keys as in RSA to distribute key for AES
  Public keys
Public Key Certificates
  Public keys are public. Why not just broadcast?
  Forgery of public announcement
    Darth sends out “I’m Bob and my public key is XXX”
    Then Darth can read secret messages for Bob and Bob can’t
Public Key certificate: public key + User Id signed by trusted third party
X.509 protocol for certificates (next time)
Key Management: Public-Key Certificate Use fig 3.12
Public-Key Distribution of Secret Keys
How to share private key between Bob and Alice
Diffie-Hellman
  Works but no user authentication
Alternative
1. Prepare message.
2. Encrypt message using conventional encryption using one-time session key.
3. Encrypt session key using public-key encryption with Alice’s public key.
4. Attach the encrypted session key to the message and send to Alice.
Only Alice is capable of decrypting the session key.
Bob gets public key from Alice’s public-key certificate.
Summary
have considered:
  message authentication using
    message encryption
    MACs
    hash functions
  some current hash algorithms: MD5, SHA-1, RIPEMD-160
  HMAC authentication using hash function
  Diffie-Hellman Key Exchange