Chapter 4 (crypto)


Transcript of Chapter 4 (crypto)

  • 8/10/2019 Chapter 4( crypto)

    1/42

    STRONG AND PROVABLE SECURITY FOR DIGITAL SIGNATURES

  • 2/42

    People can eavesdrop on, intercept, relay, modify, forge or inject messages, and try to fool the targeted receivers into believing that the messages were sent by the real person.

    Over a vulnerable connection, relying on encryption alone is inadequate: encryption by itself does not detect tampering with the ciphertext.

    We need a mechanism which enables the receiver to verify that a message indeed came from the claimed source and has not been altered.

    Data integrity is the security service against unauthorized modification of messages.

    Data integrity in modern cryptography is closely related to, and evolved from, error-detection codes.

    An error-detection code is a procedure for detecting errors which can be introduced into messages due to faults in communication.

  • 3/42

    Using information which has been modified in a malicious way carries the same risk as using information which contains defects due to errors introduced in communication or data processing.

    Data integrity and error-detection codes are therefore essentially the same in structure.

    A transmitter of a message creates a checking value by encoding some redundancy into the message to be transmitted and attaches the checking value to the message. A receiver of the message then verifies the correctness of the received message using the attached checking value, according to a set of rules agreed with the transmitter.

    In an error-detection code, the redundancy is encoded in such a way that the receiver can use a maximum-likelihood detector to decide which message was most likely transmitted, given the possibly altered codeword that was received.

    In data integrity, the redundancy is encoded in such a way that the attached checking value is distributed as uniformly as possible over the entire space of checking values, to minimize the probability that an attacker can forge a valid checking value.

  • 4/42

    Like an encryption algorithm, the cryptographic transformations for achieving data integrity should also be parameterized by keys.

    Thus, in the usual sense, a correct data-integrity verification result also provides the verifier with knowledge of the message source, that is, the principal who created the data-integrity protection (only a holder of the key could have produced the checking value).

    However, more recently a notion of "data integrity without source identification" has emerged.

    This newer notion is important in the study of public key cryptosystems secure against adaptive attackers.
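    A concrete contrast between the two kinds of checking value described on the previous slides, as an added example that is not part of the lecture: an unkeyed CRC-32 (an error-detection code) beside a keyed HMAC. The payment message, the bit-flip and the key are constructed for the demonstration.

```python
"""Error-detection code vs keyed integrity check, as an added example (not from
the lecture). The message, the bit-flip and the key below are constructed."""
import hashlib
import hmac
import secrets
import zlib


def crc_protect(msg: bytes) -> bytes:
    """Transmitter side of an error-detection code: message || CRC-32 checking value."""
    return msg + zlib.crc32(msg).to_bytes(4, "big")


def crc_check(frame: bytes) -> bool:
    """Receiver side: recompute the CRC over the message and compare."""
    msg, tag = frame[:-4], frame[-4:]
    return zlib.crc32(msg).to_bytes(4, "big") == tag


def delta_between(a: bytes, b: bytes) -> bytes:
    """Bit-flip mask turning equal-length message a into message b."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def crc_forge(frame: bytes, delta: bytes) -> bytes:
    """Attacker applies the bit-flip and repairs the CRC with no secret at all.
    CRC-32 is linear over GF(2): crc(m ^ d) = crc(m) ^ crc(d) ^ crc(0^len) for
    equal lengths, so the new checking value follows from the old one."""
    msg, tag = frame[:-4], int.from_bytes(frame[-4:], "big")
    new_msg = bytes(x ^ y for x, y in zip(msg, delta))
    new_tag = tag ^ zlib.crc32(delta) ^ zlib.crc32(bytes(len(msg)))
    return new_msg + new_tag.to_bytes(4, "big")


def mac_protect(key: bytes, msg: bytes) -> bytes:
    """Keyed checking value: message || HMAC-SHA256(key, message)."""
    return msg + hmac.new(key, msg, hashlib.sha256).digest()


def mac_check(key: bytes, frame: bytes) -> bool:
    """Constant-time comparison so the check itself does not leak the tag byte by byte."""
    msg, tag = frame[:-32], frame[-32:]
    return hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), tag)


def mac_forge_attempt(frame: bytes, delta: bytes) -> bytes:
    """The same bit-flip against the MAC'd frame; without the key the tag cannot be repaired."""
    msg, tag = frame[:-32], frame[-32:]
    return bytes(x ^ y for x, y in zip(msg, delta)) + tag


if __name__ == "__main__":
    original, wanted = b"PAY 100 TO BOB", b"PAY 900 TO BOB"   # constructed
    delta = delta_between(original, wanted)
    key = secrets.token_bytes(32)                             # shared only by sender and receiver

    forged = crc_forge(crc_protect(original), delta)
    print("CRC accepts forged frame:", crc_check(forged), forged[:-4])
    print("MAC accepts forged frame:", mac_check(key, mac_forge_attempt(mac_protect(key, original), delta)))
```

    Because the CRC is linear and needs no secret, the attacker repairs the checking value after editing the message and the receiver accepts the frame; the same edit against the HMAC frame is rejected because the tag depends on a key the attacker does not hold. Note also hmac.compare_digest: a plain == comparison of tags can leak, byte by byte, through timing.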

  • 5/42

    A digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document.

    A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit.

    Commonly used for software distribution, financial transactions, and in other cases where it is important to detect forgery or tampering.

    A digital signature scheme typically consists of three algorithms:

    A key generation algorithm that selects a private key uniformly at random from a set of possible private keys. The algorithm outputs the private key and a corresponding public key.

    A signing algorithm that, given a message and a private key, produces a signature.

    A signature verifying algorithm that, given a message, a public key and a signature, either accepts or rejects the message's claim to authenticity.

  • 7/42

    Digital certificate

    A multipurpose document developed to be used primarily over the internet; it is used for either identification or encryption.

    Identification: proves identity (verifies the sender of the information). Grants the right to access information or other services online. Includes ensuring the identity of all parties involved in a transaction.

    Encryption: used in secure web transactions. The certificate contains the public key used to encrypt data for its owner.

    Non-repudiation: the sender cannot later deny that he or she sent it.

  • 8/42

    Digital signatures come in two types: asymmetric and symmetric.

    A conventional digital signature uses asymmetric cryptography to create a tamper-evident seal which enables determining, through a simple test, whether data has been altered since the signature was applied, and also which private key was used to create the signature.

    More recently, digital signatures are also being created with symmetric cryptography, based upon a key that is derived from the identity of the user and is known only to a trusted server that both creates and verifies the signatures and generates proof-of-signature certificates when queried to verify a signature.

    Such symmetric digital signatures share a syntax similar to Message Authentication Codes (MACs).

    Symmetric digital signatures have the additional advantage over asymmetric digital signatures of being less processor-intensive, and thus are more efficient and cheaper to maintain. The trade-off is that anyone who can verify such a signature holds the key needed to create it, so a symmetric scheme cannot by itself provide non-repudiation towards a third party; that is why the trusted server is needed.

  • 9/42

    ElGamal signature

    ElGamal is a digital signature scheme which is based on the difficulty of computing discrete logarithms.

    Described by Taher ElGamal in 1984.

    Not to be confused with ElGamal encryption, which was also invented by Taher ElGamal.

    The ElGamal signature scheme allows a third party to confirm the authenticity of a message sent over an insecure channel.

    Attacks on ElGamal were described by Bleichenbacher in 1996. Two standard precautions: the verifier must check that r lies in the range 1 <= r <= p-1, and the scheme must sign a hash of the message rather than the raw message; otherwise forgeries become possible.

    There are a number of ElGamal-like signature schemes. They differ in details, but have the same basic idea.

    Trapdoor one-way function

    A trapdoor function is a function that is easy to compute in one direction, yet believed to be difficult to compute in the opposite direction (finding its inverse) without special information, called the "trapdoor". Examples: RSA and Rabin.

    Trapdoor functions are widely used in cryptography.
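    The three algorithms of the definition on slide 5, instantiated with the ElGamal scheme of this slide, as an added example (not the lecture's code). Parameter generation, the choice g = 4 in a safe-prime group, the SHA-256 message hash and the 64-bit toy size are all assumptions of this example; the nonce-reuse recovery at the end is a standard ElGamal weakness included as the practitioner's caveat.

```python
"""Textbook ElGamal signatures over a safe prime, as an added example (not the
lecture's code). Parameter size is a toy 64 bits so it runs instantly; real use
needs p of 2048 bits or more. Shows the three algorithms (keygen, sign, verify),
the r-range check, and what a reused nonce k gives away."""
import hashlib
import math
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases (probabilistic, fine for generating toy params)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime(bits: int) -> int:
    """p = 2q + 1 with p and q both prime; the group then has a large prime-order subgroup."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p


def keygen(p: int):
    """Key generation: private x uniform in [1, q-1], public y = g^x mod p."""
    q = (p - 1) // 2
    g = 4                                   # a square, so g generates the subgroup of prime order q
    x = secrets.randbelow(q - 1) + 1
    return (p, g, pow(g, x, p)), x


def hash_to_int(m: bytes, p: int) -> int:
    """Sign H(m), never the raw message, or existential forgeries are trivial."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % (p - 1)


def sign(pub, x: int, m: bytes, k=None):
    """Signing: r = g^k, s = k^-1 (H(m) - x r) mod (p-1). k must be fresh, secret, coprime to p-1."""
    p, g, _ = pub
    if k is None:
        while True:
            k = secrets.randbelow(p - 2) + 1
            if math.gcd(k, p - 1) == 1:
                break
    elif math.gcd(k, p - 1) != 1:
        raise ValueError("k must be coprime to p-1")
    r = pow(g, k, p)
    s = (pow(k, -1, p - 1) * (hash_to_int(m, p) - x * r)) % (p - 1)
    return r, s


def verify(pub, m: bytes, sig) -> bool:
    """Verification: accept iff g^H(m) == y^r r^s mod p, after range-checking r and s."""
    p, g, y = pub
    r, s = sig
    if not (1 <= r <= p - 1 and 1 <= s <= p - 2):   # omitting this admits forgeries (Bleichenbacher 1996)
        return False
    return pow(g, hash_to_int(m, p), p) == (pow(y, r, p) * pow(r, s, p)) % p


def recover_key_from_nonce_reuse(pub, m1: bytes, sig1, m2: bytes, sig2) -> int:
    """Two signatures made with the same k share r; subtracting the s equations mod q
    gives k, and then x. Only the public key and the two signed messages are used."""
    p, g, _ = pub
    q = (p - 1) // 2
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("signatures do not share a nonce")
    h1, h2 = hash_to_int(m1, p), hash_to_int(m2, p)
    k = ((h1 - h2) * pow((s1 - s2) % q, -1, q)) % q       # k mod q suffices since g has order q
    return ((h1 - k * s1) * pow(r1 % q, -1, q)) % q


if __name__ == "__main__":
    pub, priv = keygen(generate_safe_prime(64))
    msg = b"transfer 100 to alice"                          # constructed
    sig = sign(pub, priv, msg)
    print("genuine:", verify(pub, msg, sig), " tampered:", verify(pub, msg + b"0", sig))
    a, b = sign(pub, priv, b"m1", k=12345), sign(pub, priv, b"m2", k=12345)
    print("private key recovered from reused k:", recover_key_from_nonce_reuse(pub, b"m1", a, b"m2", b) == priv)
```

    The last function is the reason "k must be fresh" is not a footnote: two signatures under the same nonce leak the private key to anyone holding the public key and both messages, with no discrete logarithm computed. The same algebra applies to DSA and ECDSA.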

  • 10/42

    Signcryption is a public-key primitive that simultaneously performs the functions of both digital signature and encryption.

    It offers three frequently needed security services: confidentiality, authenticity, and non-repudiation.

    In public key schemes, the traditional method is to digitally sign a message and then encrypt the result (signature-then-encryption).

    This has two problems: low efficiency and the high cost of composing the two operations.

    Signcryption is a relatively new cryptographic technique that is supposed to fulfil the functionalities of digital signature and encryption in a single logical step, and can effectively decrease the computational costs and communication overheads in comparison with the traditional signature-then-encryption schemes.

    Signcryption provides the properties of both digital signatures and encryption schemes in a way that is more efficient than signing and encrypting separately.

  • 11/42

    Any signcryption scheme should have the following properties:

    Correctness: any signcryption scheme should be correctly verifiable.

    Efficiency: the computational costs and communication costs of a signcryption scheme should be smaller than those of the best known signature-then-encryption schemes with the same provided functionalities.

    Security: a signcryption scheme should simultaneously fulfil the security attributes of an encryption scheme and those of a digital signature. These attributes mainly include confidentiality, unforgeability, integrity, and non-repudiation.

    Some signcryption schemes provide further attributes, such as public verifiability and forward secrecy of message confidentiality, while others do not. Such properties are required in some applications, while other applications may not require them.

  • 12/42

    A replacement for DES was clearly needed: there are theoretical attacks that can break it, and exhaustive key search attacks have been demonstrated.

    Triple-DES can be used instead, but it is slow and has small (64-bit) blocks.

    US NIST issued a call for ciphers in 1997.

    15 candidates were accepted in Jun 98.

    5 were shortlisted in Aug 99.

    Rijndael was selected as the AES in Oct 2000.

    Issued as the FIPS PUB 197 standard in Nov 2001.

  • 13/42

    private key symmetric block cipher

    128-bit data, 128/192/256-bit keys

    stronger & faster than Triple-DES

    active life of 20-30 years (+ archival use)

    provide full specification & design details

    both C & Java implementations

    NIST has released all submissions & unclassified analyses

  • 14/42

    initial criteria:

    security: effort for practical cryptanalysis

    cost: in terms of computational efficiency

    algorithm & implementation characteristics

    final criteria:

    general security

    ease of software & hardware implementation

    implementation attacks

    flexibility (in en/decrypt, keying, other factors)

  • 15/42

    It is based on the Rijndael algorithm.

    Uses a combination of substitution and a couple of transposition approaches, together with a keying function.

    Consists of n rounds of the above combination, where n depends on the key length (i.e. unlike DES, the length of an AES key varies among 3 sizes).

    Uses block encryption where one block is a fixed size of 128 bits. Uses symmetric encryption where the size of a key can be 128 bits (already more than double DES's 56-bit key), 192 bits, or 256 bits, with 9, 11 or 13 full rounds respectively; counting the initial AddRoundKey and the shortened final round, FIPS 197 speaks of 10, 12 and 14 rounds.

  • 16/42

    designed by Rijmen and Daemen in Belgium

    has 128/192/256-bit keys, 128-bit data

    an iterative rather than Feistel cipher

    processes data as a block of 4 columns of 4 bytes

    operates on the entire data block in every round

    designed to be: resistant against known attacks; speed and code compactness on many CPUs; design simplicity

  • 17/42

    the data block of 4 columns of 4 bytes is the state

    the key is expanded to an array of words

    has 9/11/13 full rounds in which the state undergoes:

    byte substitution (1 S-box used on every byte)

    shift rows (permute bytes between groups/columns)

    mix columns (substitution using matrix multiplication of groups)

    add round key (XOR state with key material)

    view as alternating XOR of key & scrambling of data bytes

    initial XOR of key material & an incomplete last round (no mix columns)

    with fast XOR & table lookup implementation

  • 21/42

    1. an iterative rather than Feistel cipher

    2. key expanded into an array of 32-bit words; four words form the round key in each round

    3. 4 different stages are used

    4. has a simple structure

    5. only AddRoundKey uses the key

    6. AddRoundKey is a form of Vernam cipher

    7. each stage is easily reversible

    8. decryption uses keys in reverse order

    9. decryption does recover plaintext

    10. final round has only 3 stages

  • 22/42

    In AES, a block of 128 bits is treated as a single 4*4 matrix of bytes (16 bytes in total), filled column by column.

    Each round in AES consists of 4 steps:

    (1) Byte Substitution: substituting each byte in a block based on a substitution table.

    Byte1 Byte5 Byte9  Byte13
    Byte2 Byte6 Byte10 Byte14
    Byte3 Byte7 Byte11 Byte15
    Byte4 Byte8 Byte12 Byte16

  • 23/42

    a simple substitution of each byte

    uses one table of 16x16 bytes containing a permutation of all 256 8-bit values

    each byte of state is replaced by the byte indexed by row (left 4 bits) & column (right 4 bits)

    e.g. byte {95} is replaced by the byte in row 9, column 5, which has value {2A}

    designed to be resistant to all known attacks

  • 26/42

    a circular byte shift in each row:

    1st row is unchanged

    2nd row does a 1-byte circular shift to the left

    3rd row does a 2-byte circular shift to the left

    4th row does a 3-byte circular shift to the left

    decryption inverts this using shifts to the right

    since the state is processed by columns, this step permutes bytes between the columns

  • 28/42

    each column is processed separately

    each byte is replaced by a value dependent on all 4 bytes in the column

    effectively a matrix multiplication in GF(2^8) using the prime polynomial m(x) = x^8 + x^4 + x^3 + x + 1

  • 31/42

    XOR the state with 128 bits of the round key

    again processed by column (though effectively a series of byte operations)

    the inverse for decryption is identical, since XOR is its own inverse, with the round keys in reverse order

    designed to be as simple as possible

    a form of Vernam cipher on the expanded key

    requires the other stages for complexity / security

  • 34/42

    takes the 128/192/256-bit key and expands it into an array of 44/52/60 32-bit words

    for a 128-bit (16-byte) key: start by copying the key into the first 4 words

    then loop, creating words that depend on the values in the previous word & the word 4 places back

    in 3 of 4 cases just XOR these together

    every 4th word has rotate + S-box + XOR round constant applied to the previous word, before the XOR with the word 4 back

  • 36/42

    designed to resist known attacks

    design criteria included:

    knowing part of the key is insufficient to find many more key bits

    invertible transformation

    fast on a wide range of CPUs

    use round constants to break symmetry

    diffuse key bits into round keys

    enough non-linearity to hinder analysis

    simplicity of description

  • 39/42

    AES decryption is not identical to encryption, since the steps are done in reverse

    but one can define an equivalent inverse cipher with the steps in the same order as for encryption, using the inverse of each step, with a different key schedule

    this works since the result is unchanged when we swap byte substitution & shift rows, and swap mix columns & add (tweaked) round key

  • 41/42

    can be implemented efficiently on an 8-bit CPU

    byte substitution works on bytes using a table of 256 entries

    shift rows is a simple byte shift

    add round key works on byte XORs

    mix columns requires matrix multiplication in GF(2^8), which works on byte values and can be simplified to use table lookups & byte XORs

  • 42/42

    can be implemented efficiently on a 32-bit CPU by redefining the steps to use 32-bit words

    can precompute 4 tables of 256 words

    then each column in each round can be computed using 4 table lookups + 4 XORs, at a cost of 4 KB to store the tables

    the designers believe this very efficient implementation was a key factor in its selection as the AES cipher
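    The whole AES-128 encryption path covered on slides 15 to 42, as an added example (not the lecture's or the Rijndael reference code): the S-box is generated from the GF(2^8) inverse and affine map, the key schedule, the four stages and the shortened final round are written out, and the 32-bit four-table form of slide 42 is given beside the byte-oriented one. The only external input is the FIPS 197 Appendix C.1 test vector used to check both.

```python
"""AES-128 block encryption written out from the four round stages, plus the
32-bit T-table form, as an added example (not the lecture's code). Both are
checked against the FIPS-197 Appendix C.1 test vector."""


def xtime(a: int) -> int:
    """Multiply by x in GF(2^8) modulo m(x) = x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a


def gmul(a: int, b: int) -> int:
    """General GF(2^8) multiplication by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def _affine(b: int) -> int:
    """The S-box affine step: b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63."""
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63


# S-box = affine transform of the multiplicative inverse (inverse of 0 defined as 0).
SBOX = [_affine(0 if a == 0 else next(b for b in range(1, 256) if gmul(a, b) == 1)) for a in range(256)]
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_key(key: bytes) -> list:
    """128-bit key -> 44 words (176 bytes, 11 round keys). Every 4th word gets
    RotWord + SubWord + Rcon on the previous word before the XOR with the word 4 back."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [b for word in w for b in word]


# The state is 16 bytes in column-major order: state[r + 4*c] is row r, column c.
def sub_bytes(s): return [SBOX[b] for b in s]
def shift_rows(s): return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]
def add_round_key(s, rk): return [a ^ b for a, b in zip(s, rk)]


def mix_columns(s):
    """Each column is multiplied by the fixed circulant matrix (2 3 1 1) over GF(2^8)."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gmul(a0, 2) ^ gmul(a1, 3) ^ a2 ^ a3,
                a0 ^ gmul(a1, 2) ^ gmul(a2, 3) ^ a3,
                a0 ^ a1 ^ gmul(a2, 2) ^ gmul(a3, 3),
                gmul(a0, 3) ^ a1 ^ a2 ^ gmul(a3, 2)]
    return out


def aes128_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Initial AddRoundKey, 9 full rounds, then a final round without MixColumns."""
    rk = expand_key(key)
    s = add_round_key(list(block), rk[:16])
    for rnd in range(1, 10):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rk[16 * rnd:16 * rnd + 16])
    return bytes(add_round_key(shift_rows(sub_bytes(s)), rk[160:]))


# 32-bit form: T0[a] packs (2*S[a], S[a], S[a], 3*S[a]); T1..T3 are byte rotations of T0.
_rotr32 = lambda v, n: ((v >> n) | (v << (32 - n))) & 0xFFFFFFFF
T0 = [(gmul(SBOX[a], 2) << 24) | (SBOX[a] << 16) | (SBOX[a] << 8) | gmul(SBOX[a], 3) for a in range(256)]
T1, T2, T3 = ([_rotr32(v, n) for v in T0] for n in (8, 16, 24))


def aes128_encrypt_block_ttable(key: bytes, block: bytes) -> bytes:
    """Same cipher, each column per round = 4 table lookups + 4 XORs (SubBytes, ShiftRows
    and MixColumns folded into the tables); the 4 KB of tables is the price."""
    rkw = [int.from_bytes(bytes(w), "big") for w in zip(*[iter(expand_key(key))] * 4)]
    row = lambda w, r: (w >> (24 - 8 * r)) & 0xFF
    s = [int.from_bytes(block[4 * c:4 * c + 4], "big") ^ rkw[c] for c in range(4)]
    for rnd in range(1, 10):
        s = [T0[row(s[c], 0)] ^ T1[row(s[(c + 1) % 4], 1)] ^ T2[row(s[(c + 2) % 4], 2)]
             ^ T3[row(s[(c + 3) % 4], 3)] ^ rkw[4 * rnd + c] for c in range(4)]
    out = [(SBOX[row(s[c], 0)] << 24 | SBOX[row(s[(c + 1) % 4], 1)] << 16
            | SBOX[row(s[(c + 2) % 4], 2)] << 8 | SBOX[row(s[(c + 3) % 4], 3)]) ^ rkw[40 + c]
           for c in range(4)]
    return b"".join(w.to_bytes(4, "big") for w in out)


if __name__ == "__main__":
    key, pt = bytes(range(16)), bytes.fromhex("00112233445566778899aabbccddeeff")   # FIPS-197 C.1
    print(aes128_encrypt_block(key, pt).hex())
    print(aes128_encrypt_block_ttable(key, pt).hex())
```

    The T-table version is the form most software implementations used before hardware AES instructions existed; its table lookups are indexed by secret-dependent bytes, which is exactly what cache-timing attacks exploit, so on modern CPUs prefer AES-NI or a constant-time (bitsliced) implementation over this form.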