network security essentials chapter 3 fourth edition by william stallings lecture slides by lawrie...
TRANSCRIPT
Network Security Network Security EssentialsEssentialsChapter 3Chapter 3
Fourth EditionFourth Edition
by William Stallingsby William Stallings
Lecture slides by Lawrie BrownLecture slides by Lawrie Brown
Chapter 9 – Chapter 9 – Public Key Public Key Cryptography and RSACryptography and RSA
Every Egyptian received two names, which were Every Egyptian received two names, which were known respectively as the true name and the known respectively as the true name and the good name, or the great name and the little good name, or the great name and the little name; and while the good or little name was name; and while the good or little name was made public, the true or great name appears to made public, the true or great name appears to have been carefully concealed.have been carefully concealed.
——The Golden Bough, The Golden Bough, Sir James George FrazerSir James George Frazer
Message AuthenticationMessage Authentication
message authentication is concerned with: message authentication is concerned with: protecting the integrity of a message protecting the integrity of a message validating identity of originator validating identity of originator non-repudiation of origin (dispute resolution)non-repudiation of origin (dispute resolution)
the three alternative functions used:the three alternative functions used: hash functionhash function message encryptionmessage encryption message authentication code (MAC)message authentication code (MAC)
Hash FunctionsHash Functions
condenses arbitrary message to fixed sizecondenses arbitrary message to fixed sizeh = H(M)h = H(M)
usually assume hash function is publicusually assume hash function is public hash used to detect changes to messagehash used to detect changes to message want a cryptographic hash functionwant a cryptographic hash function
computationally infeasible to find data mapping computationally infeasible to find data mapping to specific hash (one-way property)to specific hash (one-way property)
computationally infeasible to find two data to computationally infeasible to find two data to same hash (collision-free property)same hash (collision-free property)
Two Simple Insecure Hash Two Simple Insecure Hash FunctionsFunctions
consider two simple insecure hash functionsconsider two simple insecure hash functions bit-by-bit exclusive-OR (XOR) of every blockbit-by-bit exclusive-OR (XOR) of every block
CCii = b = bi1i1 xor b xor bi2i2 xor . . . xor b xor . . . xor b imim a longitudinal redundancy checka longitudinal redundancy check reasonably effective as data integrity checkreasonably effective as data integrity check
one-bit circular shift on hash valueone-bit circular shift on hash value for each successive for each successive n-bit n-bit blockblock
• rotate current hash value to left by1bit and XOR blockrotate current hash value to left by1bit and XOR block good for data integrity but useless for securitygood for data integrity but useless for security
Hash Function RequirementsHash Function Requirements
Attacks on Hash FunctionsAttacks on Hash Functions
have brute-force attacks and cryptanalysishave brute-force attacks and cryptanalysis a preimage or second preimage attacka preimage or second preimage attack
find find yy s.t. s.t. H(y) H(y) equals a given hash value equals a given hash value collision resistancecollision resistance
find two messages find two messages xx & & yy with same hash so with same hash so H(x) = H(y)H(x) = H(y)
hence value 2hence value 2m/2 m/2 determines strength of determines strength of hash code against brute-force attackshash code against brute-force attacks 128-bits inadequate, 160-bits suspect128-bits inadequate, 160-bits suspect
Secure Hash AlgorithmSecure Hash Algorithm
SHA originally designed by NIST & NSA in 1993SHA originally designed by NIST & NSA in 1993 was revised in 1995 as SHA-1was revised in 1995 as SHA-1 US standard for use with DSA signature scheme US standard for use with DSA signature scheme
standard is FIPS 180-1 1995, also Internet RFC3174standard is FIPS 180-1 1995, also Internet RFC3174 nb. the algorithm is SHA, the standard is SHS nb. the algorithm is SHA, the standard is SHS
based on design of MD4 with key differences based on design of MD4 with key differences produces 160-bit hash values produces 160-bit hash values recent 2005 results on security of SHA-1 have recent 2005 results on security of SHA-1 have
raised concerns on its use in future applicationsraised concerns on its use in future applications
Revised Secure Hash Revised Secure Hash StandardStandard
NIST issued revision FIPS 180-2 in 2002NIST issued revision FIPS 180-2 in 2002 adds 3 additional versions of SHA adds 3 additional versions of SHA
SHA-256, SHA-384, SHA-512SHA-256, SHA-384, SHA-512 designed for compatibility with increased designed for compatibility with increased
security provided by the AES ciphersecurity provided by the AES cipher structure & detail is similar to SHA-1structure & detail is similar to SHA-1 hence analysis should be similarhence analysis should be similar but security levels are rather higherbut security levels are rather higher
SHA VersionsSHA Versions
SHA-512 OverviewSHA-512 Overview
SHA-512 Compression SHA-512 Compression FunctionFunction
heart of the algorithmheart of the algorithm processing message in 1024-bit blocksprocessing message in 1024-bit blocks consists of 80 roundsconsists of 80 rounds
updating a 512-bit buffer updating a 512-bit buffer using a 64-bit value Wt derived from the using a 64-bit value Wt derived from the
current message blockcurrent message block and a round constant based on cube root of and a round constant based on cube root of
first 80 prime numbersfirst 80 prime numbers
Keyed Hash Functions as MACsKeyed Hash Functions as MACs
want a MAC based on a hash function want a MAC based on a hash function because hash functions are generally fasterbecause hash functions are generally faster crypto hash function code is widely availablecrypto hash function code is widely available
hash includes a key along with messagehash includes a key along with message original proposal:original proposal:
KeyedHash = Hash(Key|Message) KeyedHash = Hash(Key|Message) some weaknesses were found with this some weaknesses were found with this
eventually led to development of HMAC eventually led to development of HMAC
HMAC Design ObjectivesHMAC Design Objectives
use, without modifications, hash functionsuse, without modifications, hash functions allow for easy replaceability of embedded allow for easy replaceability of embedded
hash functionhash function preserve original performance of hash preserve original performance of hash
function without significant degradationfunction without significant degradation use and handle keys in a simple way.use and handle keys in a simple way. have well understood cryptographic analysis have well understood cryptographic analysis
of authentication mechanism strengthof authentication mechanism strength
HMACHMAC
specified as Internet standard RFC2104 specified as Internet standard RFC2104 uses hash function on the message:uses hash function on the message:
HMACHMACKK(M)= Hash[(K(M)= Hash[(K++ XOR opad) || XOR opad) || Hash[(KHash[(K++ XOR ipad) || XOR ipad) ||
M)] ]M)] ] where where KK++ is the key padded out to size is the key padded out to size opadopad, , ipad ipad are specified padding constants are specified padding constants
overhead is just 3 more hash calculations than the overhead is just 3 more hash calculations than the message needs alonemessage needs alone
any hash function can be usedany hash function can be used eg. MD5, SHA-1, RIPEMD-160, Whirlpooleg. MD5, SHA-1, RIPEMD-160, Whirlpool
HMAC HMAC OverviewOverview
HMAC SecurityHMAC Security
proved proved security of HMAC relates to that of security of HMAC relates to that of the underlying hash algorithmthe underlying hash algorithm
attacking HMAC requires either:attacking HMAC requires either: brute force attack on key usedbrute force attack on key used birthday attack (but since keyed would need birthday attack (but since keyed would need
to observe a very large number of messages)to observe a very large number of messages) choose hash function used based on choose hash function used based on
speed verses security constraintsspeed verses security constraints
CMACCMAC
previously saw the DAA (CBC-MAC)previously saw the DAA (CBC-MAC) widely used in govt & industrywidely used in govt & industry but has message size limitationbut has message size limitation can overcome using 2 keys & paddingcan overcome using 2 keys & padding thus forming the Cipher-based Message thus forming the Cipher-based Message
Authentication Code (CMAC)Authentication Code (CMAC) adopted by NIST SP800-38Badopted by NIST SP800-38B
CMAC OverviewCMAC Overview
Authenticated EncryptionAuthenticated Encryption simultaneously protect confidentiality and simultaneously protect confidentiality and
authenticity of communicationsauthenticity of communications often required but usually separateoften required but usually separate
approachesapproaches Hash-then-encrypt: E(K, (M || H(M))Hash-then-encrypt: E(K, (M || H(M)) MAC-then-encrypt: E(K2, (M || MAC(K1, M)) MAC-then-encrypt: E(K2, (M || MAC(K1, M)) Encrypt-then-MAC: (C=E(K2, M), T=MAC(K1, C) Encrypt-then-MAC: (C=E(K2, M), T=MAC(K1, C) Encrypt-and-MAC: (C=E(K2, M), T=MAC(K1, M)Encrypt-and-MAC: (C=E(K2, M), T=MAC(K1, M)
decryption /verification straightforwarddecryption /verification straightforward but security vulnerabilities with all thesebut security vulnerabilities with all these
Counter with Cipher Block Counter with Cipher Block Chaining-Message Chaining-Message
Authentication Code (CCM) Authentication Code (CCM) NIST standard SP 800-38C for WiFi NIST standard SP 800-38C for WiFi variation of encrypt-and-MAC approachvariation of encrypt-and-MAC approach algorithmic ingredients algorithmic ingredients
AES encryption algorithmAES encryption algorithm CTR mode of operationCTR mode of operation CMAC authentication algorithmCMAC authentication algorithm
single key used for both encryption & MAC single key used for both encryption & MAC
CCM CCM OperationOperation
Private-Key CryptographyPrivate-Key Cryptography
traditional traditional private/secret/single keyprivate/secret/single key cryptography uses cryptography uses oneone key key
shared by both sender and receiver shared by both sender and receiver if this key is disclosed communications are if this key is disclosed communications are
compromised compromised also is also is symmetricsymmetric, parties are equal , parties are equal hence does not protect sender from hence does not protect sender from
receiver forging a message & claiming is receiver forging a message & claiming is sent by sender sent by sender
Public-Key CryptographyPublic-Key Cryptography
probably most significant advance in the probably most significant advance in the 3000 year history of cryptography 3000 year history of cryptography
uses uses twotwo keys – a public & a private key keys – a public & a private key asymmetricasymmetric since parties are since parties are notnot equal equal uses clever application of number uses clever application of number
theoretic concepts to functiontheoretic concepts to function complements complements rather thanrather than replaces private replaces private
key cryptokey crypto
Why Public-Key Why Public-Key Cryptography?Cryptography?
developed to address two key issues:developed to address two key issues: key distributionkey distribution – how to have secure – how to have secure
communications in general without having to communications in general without having to trust a KDC with your keytrust a KDC with your key
digital signaturesdigital signatures – how to verify a message – how to verify a message comes intact from the claimed sendercomes intact from the claimed sender
public invention due to Whitfield Diffie & public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976Martin Hellman at Stanford Uni in 1976 known earlier in classified communityknown earlier in classified community
Public-Key CryptographyPublic-Key Cryptography
public-key/two-key/asymmetricpublic-key/two-key/asymmetric cryptography cryptography involves the use of involves the use of twotwo keys: keys: a a public-keypublic-key, which may be known by anybody, and can , which may be known by anybody, and can
be used to be used to encrypt messagesencrypt messages, and , and verify signaturesverify signatures a related a related private-keyprivate-key, known only to the recipient, used , known only to the recipient, used
to to decrypt messagesdecrypt messages, and , and signsign (create) (create) signatures signatures infeasible to determine private key from publicinfeasible to determine private key from public is is asymmetricasymmetric because because
those who encrypt messages or verify signatures those who encrypt messages or verify signatures cannotcannot decrypt messages or create signaturesdecrypt messages or create signatures
Public-Key CryptographyPublic-Key Cryptography
Symmetric vs Public-KeySymmetric vs Public-Key
RSARSA
by Rivest, Shamir & Adleman of MIT in 1977 by Rivest, Shamir & Adleman of MIT in 1977 best known & widely used public-key scheme best known & widely used public-key scheme based on exponentiation in a finite (Galois) field based on exponentiation in a finite (Galois) field
over integers modulo a prime over integers modulo a prime nb. exponentiation takes O((log n)nb. exponentiation takes O((log n)33) operations (easy) ) operations (easy)
uses large integers (eg. 1024 bits)uses large integers (eg. 1024 bits) security due to cost of factoring large numbers security due to cost of factoring large numbers
nb. factorization takes O(e nb. factorization takes O(e log n log log nlog n log log n) operations (hard) ) operations (hard)
RSA En/decryptionRSA En/decryption
to encrypt a message M the sender:to encrypt a message M the sender: obtains obtains public keypublic key of recipient of recipient PU={e,n}PU={e,n} computes: computes: C = MC = Mee mod n mod n, where , where 00≤≤MM<<nn
to decrypt the ciphertext C the owner:to decrypt the ciphertext C the owner: uses their private key uses their private key PR={d,n}PR={d,n} computes: computes: M = CM = Cdd mod n mod n
note that the message M must be smaller note that the message M must be smaller than the modulus n (block if needed)than the modulus n (block if needed)
RSA Key SetupRSA Key Setup
each user generates a public/private key pair by: each user generates a public/private key pair by: selecting two large primes at random: selecting two large primes at random: p, qp, q computing their system modulus computing their system modulus n=p.qn=p.q
note note ø(n)=(p-1)(q-1)ø(n)=(p-1)(q-1) selecting at random the encryption key selecting at random the encryption key ee
where where 1<e<ø(n), gcd(e,ø(n))=1 1<e<ø(n), gcd(e,ø(n))=1 solve following equation to find decryption key solve following equation to find decryption key dd
e.d=1 mod ø(n) and 0e.d=1 mod ø(n) and 0≤≤dd≤≤nn publish their public encryption key: PU={e,n} publish their public encryption key: PU={e,n} keep secret private decryption key: PR={d,n} keep secret private decryption key: PR={d,n}
Why RSA WorksWhy RSA Works
because of Euler's Theorem:because of Euler's Theorem: aaø(n)ø(n)mod n = 1 mod n = 1 where where gcd(a,n)=1gcd(a,n)=1
in RSA have:in RSA have: n=p.qn=p.q ø(n)=(p-1)(q-1)ø(n)=(p-1)(q-1) carefully chose carefully chose ee & & dd to be inverses to be inverses mod ø(n)mod ø(n) hence hence e.d=1+k.ø(n)e.d=1+k.ø(n) for some for some kk
hence :hence :CCdd = M = Me.d e.d = M= M1+k.ø(n)1+k.ø(n) = M = M11.(M.(Mø(n)ø(n)))kk = M= M11.(1).(1)kk = M = M11 = M mod n = M mod n
RSA Example - Key SetupRSA Example - Key Setup
1.1. Select primes: Select primes: pp=17 & =17 & qq=11=112.2. CalculateCalculate n n = = pq pq =17=17 x x 11=18711=1873.3. CalculateCalculate ø(ø(nn)=()=(p–p–1)(1)(q-q-1)=161)=16xx10=16010=1604.4. Select Select ee:: gcd(e,160)=1; gcd(e,160)=1; choose choose ee=7=75.5. Determine Determine dd:: de=de=1 mod 1601 mod 160 and and d d < 160< 160
Value is Value is d=23d=23 since since 2323xx7=161= 107=161= 10xx160+1160+16.6. Publish public key Publish public key PU={7,187}PU={7,187}7.7. Keep secret private key Keep secret private key PR={23,PR={23,187}187}
RSA Example - En/DecryptionRSA Example - En/Decryption
sample RSA encryption/decryption is: sample RSA encryption/decryption is: given message given message M = 88M = 88 (nb. (nb. 88<18788<187)) encryption:encryption:
C = 88C = 8877 mod 187 = 11 mod 187 = 11 decryption:decryption:
M = 11M = 112323 mod 187 = 88 mod 187 = 88
Diffie-Hellman Key ExchangeDiffie-Hellman Key Exchange
first public-key type scheme proposed first public-key type scheme proposed by Diffie & Hellman in 1976 along with the by Diffie & Hellman in 1976 along with the
exposition of public key conceptsexposition of public key concepts note: now know that note: now know that WilliamsonWilliamson (UK CESG) (UK CESG)
secretly proposed the concept in 1970 secretly proposed the concept in 1970 is a practical method for public exchange is a practical method for public exchange
of a secret keyof a secret key used in a number of commercial productsused in a number of commercial products
Diffie-Hellman Key ExchangeDiffie-Hellman Key Exchange
a public-key distribution scheme a public-key distribution scheme cannot be used to exchange an arbitrary message cannot be used to exchange an arbitrary message rather it can establish a common key rather it can establish a common key known only to the two participants known only to the two participants
value of key depends on the participants (and value of key depends on the participants (and their private and public key information) their private and public key information)
based on exponentiation in a finite (Galois) field based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) - easy(modulo a prime or a polynomial) - easy
security relies on the difficulty of computing security relies on the difficulty of computing discrete logarithms (similar to factoring) – harddiscrete logarithms (similar to factoring) – hard
Diffie-Hellman SetupDiffie-Hellman Setup
all users agree on global parameters:all users agree on global parameters: large prime integer or polynomial large prime integer or polynomial qq aa being a primitive root mod being a primitive root mod qq
each user (eg. A) generates their keyeach user (eg. A) generates their key chooses a secret key (number): chooses a secret key (number): xxAA < q < q
compute their compute their public keypublic key: : yyAA = = aaxxAA mod q mod q
each user makes public that key each user makes public that key yyAA
Diffie-Hellman Key ExchangeDiffie-Hellman Key Exchange
shared session key for users A & B is Kshared session key for users A & B is KABAB: :
KKABAB = = aaxxA.A.xxBB mod q mod q
= y= yAA
xxBB mod q (which mod q (which BB can compute) can compute)
= y= yBB
xxAA mod q (which mod q (which AA can compute) can compute)
KKABAB is used as session key in private-key is used as session key in private-key encryption scheme between Alice and Bobencryption scheme between Alice and Bob
if Alice and Bob subsequently communicate, they if Alice and Bob subsequently communicate, they will have the will have the samesame key as before, unless they key as before, unless they choose new public-keys choose new public-keys
attacker needs an x, must solve discrete logattacker needs an x, must solve discrete log
Diffie-Hellman Example Diffie-Hellman Example
users Alice & Bob who wish to swap keys:users Alice & Bob who wish to swap keys: agree on prime agree on prime q=353q=353 and and aa=3=3 select random secret keys:select random secret keys:
A chooses A chooses xxAA=97, =97, B chooses B chooses xxBB=233=233 compute respective public keys:compute respective public keys:
yyAA==3397 97 mod 353 = 40 mod 353 = 40 (Alice)(Alice)
yyBB==33233233 mod 353 = 248 mod 353 = 248 (Bob)(Bob)
compute shared session key as:compute shared session key as: KKABAB= y= yBB
xxAA mod 353 = mod 353 = 2482489797 = 160= 160 (Alice)(Alice)
KKABAB= y= yAAxxBB mod 353 = mod 353 = 4040
233233 = 160 = 160 (Bob)(Bob)
Key Exchange ProtocolsKey Exchange Protocols users could create random private/public users could create random private/public
D-H keys each time they communicateD-H keys each time they communicate users could create a known private/public users could create a known private/public
D-H key and publish in a directory, then D-H key and publish in a directory, then consulted and used to securely consulted and used to securely communicate with themcommunicate with them
both of these are vulnerable to a meet-in-both of these are vulnerable to a meet-in-the-Middle Attackthe-Middle Attack
authentication of the keys is neededauthentication of the keys is needed
Man-in-the-Middle AttackMan-in-the-Middle Attack1.1. Darth prepares by creating two private / public keys Darth prepares by creating two private / public keys
2.2. Alice transmits her public key to BobAlice transmits her public key to Bob
3.3. Darth intercepts this and transmits his first public key to Darth intercepts this and transmits his first public key to Bob. Darth also calculates a shared key with AliceBob. Darth also calculates a shared key with Alice
4.4. Bob receives the public key and calculates the shared key Bob receives the public key and calculates the shared key (with Darth instead of Alice) (with Darth instead of Alice)
5.5. Bob transmits his public key to Alice Bob transmits his public key to Alice
6.6. Darth intercepts this and transmits his second public key Darth intercepts this and transmits his second public key to Alice. Darth calculates a shared key with Bobto Alice. Darth calculates a shared key with Bob
7.7. Alice receives the key and calculates the shared key (with Alice receives the key and calculates the shared key (with Darth instead of Bob)Darth instead of Bob)
Darth can then intercept, decrypt, re-encrypt, forward all Darth can then intercept, decrypt, re-encrypt, forward all messages between Alice & Bobmessages between Alice & Bob
Digital SignaturesDigital Signatures
have looked at have looked at message authentication message authentication but does not address issues of lack of trustbut does not address issues of lack of trust
digital signatures provide the ability to: digital signatures provide the ability to: verify author, date & time of signatureverify author, date & time of signature authenticate message contents authenticate message contents be verified by third parties to resolve disputesbe verified by third parties to resolve disputes
hence include authentication function with hence include authentication function with additional capabilitiesadditional capabilities
Digital Signature ModelDigital Signature Model
Digital Digital Signature Signature
ModelModel