CS469_669_Chap3_F09
Transcript of CS469_669_Chap3_F09
-
8/3/2019 CS469_669_Chap3_F09
1/72
Chapter 3: Public-Key Cryptography and Message Authentication
Dr. Sameer Abufardeh
Dept. of Computer Science, North Dakota State University
-
Slide 1 comment (Sameer, 10/2/2009)
-
CS 469/669 Network Security Chap 3 - Dr. S. Abufardeh 2
OUTLINE
Approaches to Message Authentication
Secure Hash Functions and HMAC
Public-Key Cryptography Principles
Public-Key Cryptography Algorithms
Digital Signatures
Key Management
-
Recall Security Services
Confidentiality: protection from passive attacks
Authentication: you are who you say you are
Integrity: received as sent, with no modifications, insertions, shuffling or replays
-
Security Attacks
Passive threats: release of message contents; traffic analysis
(eavesdropping, monitoring transmissions; conventional encryption helped here)
-
Security Attacks
Active threats: masquerade, replay, modification of message contents, denial of service
Message authentication helps prevent masquerade, replay and modification; denial of service needs other defenses.
-
What Is Message Authentication?
It's all about the source, of course!
A procedure that allows communicating parties to verify that received messages are authentic.
Protection against active attack (falsification of data and transactions).
-
Authentication
Requirements - must be able to verify that:
1. The message source is authentic (counters masquerading)
2. The contents are unaltered (counters message modification)
3. Sometimes, timely sequencing (counters replay): message timeliness, i.e., not artificially delayed or replayed.
-
Approaches to Message Authentication
Authentication using conventional encryption:
Only the sender and receiver should know the shared key
Include a time stamp
Include an error detection code and a sequence number
Message authentication without message encryption:
An authentication tag is generated and appended to each message, e.g., a hash without encryption.
The message can be read independently of the authentication function
No message confidentiality
Message Authentication Code (MAC): use a secret key to generate a small block of data that is appended to the message
Assume: A and B share a common secret key KAB
MAC_M = F(KAB, M)
-
One-Way Hash Function
A hash function accepts a variable-size message M as input and produces a fixed-size message digest H(M) as output. No secret key is used as input.
The message digest is sent with the message for authentication.
It produces a fingerprint of the message.
-
One-way HASH function (Using Encryption with a shared key)
Figure: the message and its digest H(M) are encrypted under a shared key; authenticity is assured.
-
One-way HASH function (Using Public-Key Encryption of the digest)
Digital signature: only the digest is encrypted, with the sender's private key; no secret-key distribution is needed.
Less computation, since the message itself does not have to be encrypted.
-
One-way HASH function
Ideally we would like to avoid encryption:
Encryption software is slow
Encryption hardware isn't cheap
Hardware is optimized toward large data sizes
Algorithms covered by patents
Algorithms subject to export control
-
One-way HASH function (Without Encryption)
A and B share a secret value SAB (e.g., a random number).
The secret value is prepended to the message before hashing and removed before transmission.
No encryption is needed for message authentication. The secret value is never sent, so an opponent who does not know it cannot modify the message and compute a valid digest.
Important technique for digital signatures.
A sends MD_M || M, where MD_M = H(SAB || M)
Caveat: with iterated (Merkle-Damgard) hashes such as MD5 and SHA-1, H(S || M) is subject to length-extension attacks; the HMAC construction covered later is the safe way to key a hash.
-
Secure HASH Functions
The purpose of a HASH function is to produce a fingerprint.
Properties of a HASH function H:
1. H can be applied to a block of data of any size
2. H produces a fixed-length output
3. H(x) is relatively easy to compute for any given x (see the note under property 4)
-
Secure HASH Functions (cont.)
4. For any given h, it is computationally infeasible to find x such that H(x) = h (one-way property, i.e., preimage resistance: hard to invert).
Given a hash code h, find an input x that has the hash code h.
It is easy to generate a hash code given a message, but virtually impossible to generate a message given a hash code.
This property is important for the authentication technique using a secret value (see slide 14).
-
Secure HASH Functions (cont.)
5. For any given block x, it is computationally infeasible to find y != x with H(y) = H(x) (weak collision property, i.e., second-preimage resistance).
Guarantees that it is infeasible to find an alternative message with the same hash value as a given message.
Given x and H(x), find another y, y != x, where H(y) = H(x).
Prevents forgery when an encrypted hash code is used (see slides 11 & 12).
-
Secure HASH Functions (cont.)
6. It is computationally infeasible to find any pair (x, y) of two distinct inputs such that H(x) = H(y) (strong collision property, i.e., collision resistance).
Protects against a class of sophisticated attacks known as the birthday attack.
Birthday attacks (time complexity 2^(n/2)) reduce the collision strength of an n-bit hash function from 2^n to 2^(n/2).
-
Attacks on hash functions
Birthday attacks (time complexity 2^(n/2)): after about 2^(n/2) hashed messages the probability of a collision exceeds 1/2, so we need n >= 128, and preferably 160 or more (today 256-bit digests are the norm).
Pseudo-collision and compression function attacks
Chaining attacks
Attacks based on properties of the underlying cipher
-
Simple Hash Function
The input is divided into a sequence of n-bit blocks b_1, ..., b_m.
The input is processed one block at a time in an iterative fashion to produce an n-bit hash value.
Bitwise XOR of all blocks: C_i = b_i1 XOR b_i2 XOR ... XOR b_im, where C_i is the i-th bit of the hash and b_ij is the i-th bit of the j-th block.
Problem: eliminate the predictability of the data.
A one-bit circular shift for each block is used to "randomize" the input:
Rotate the current hash value to the left by one bit
XOR the block into the hash value
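The rotate-and-XOR hash described above, as an added example that is not part of the original slides, together with a demonstration of why it is not a secure hash: it is linear over GF(2), so a collision for any two-block-or-longer message can be written down directly. The 32-bit block size, the zero-padding rule and the sample message are assumptions made here.

```python
# Added example (not from the slides): the rotate-and-XOR "simple hash", plus a
# demonstration that it is not collision resistant. Block size (4 bytes, n = 32),
# the zero-padding rule and the sample message are choices made here.


def rotl(x: int, k: int, n: int) -> int:
    """Circular left shift of an n-bit value x by k bits."""
    mask = (1 << n) - 1
    return ((x << k) | (x >> (n - k))) & mask


def simple_rotxor_hash(message: bytes, block_bytes: int = 4) -> int:
    """Process the input one n-bit block at a time: rotate the running hash
    left by one bit, then XOR the block into it."""
    n = block_bytes * 8
    rem = len(message) % block_bytes
    if rem:  # zero-pad to a whole number of blocks (rule chosen here; the slide gives none)
        message = message + b"\x00" * (block_bytes - rem)
    h = 0
    for i in range(0, len(message), block_bytes):
        block = int.from_bytes(message[i:i + block_bytes], "big")
        h = rotl(h, 1, n) ^ block
    return h


def forge_collision(message: bytes, block_bytes: int = 4, delta: int = 0xDEADBEEF) -> bytes:
    """Return a different message with the same simple hash.

    Unrolling the loop shows the final hash is the XOR of every block b_i,
    each rotated left by (m - i) bits. XORing delta into block 1 and
    ROTL(delta, 1) into block 2 therefore changes both contributions by the
    same rotated value, and the two changes cancel. Needs two full blocks.
    """
    n = block_bytes * 8
    delta &= (1 << n) - 1
    if len(message) < 2 * block_bytes:
        raise ValueError("need at least two full blocks to apply the trick")
    b1 = int.from_bytes(message[:block_bytes], "big") ^ delta
    b2 = int.from_bytes(message[block_bytes:2 * block_bytes], "big") ^ rotl(delta, 1, n)
    return (b1.to_bytes(block_bytes, "big")
            + b2.to_bytes(block_bytes, "big")
            + message[2 * block_bytes:])


if __name__ == "__main__":
    msg = b"transfer $100 to account 42"   # constructed sample input
    evil = forge_collision(msg)
    print(hex(simple_rotxor_hash(msg)), hex(simple_rotxor_hash(evil)), msg != evil)
```

Because every output bit is a linear combination of input bits, any target digest can be hit by solving a small linear system; the trick above is just the simplest instance. A real hash needs the non-linear compression function that SHA-1 and its successors provide.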
-
Secure Hash Algorithm SHA-1
SHA was developed by NIST in 1993 and revised in 1995.
The revised version is called SHA-1.
The input is less than 2^64 bits.
The output is a fixed 160-bit message digest (MD).
Steps of SHA-1: see next slide
-
Secure Hash Algorithm SHA-1
Step 1: Append padding bits. The message is padded so its length is congruent to 448 modulo 512.
Step 2: Append length. A block of 64 bits is appended to the message. This block is an unsigned integer equal to the length of the message before padding.
Step 3: Initialize the MD buffer. A 160-bit buffer is used to hold intermediate and final results of the hash function. The buffer is represented as five 32-bit registers (A, B, C, D, E), which are initialized to fixed constants (32-bit integers).
Step 4: Process the message in 512-bit (16-word) blocks. The heart of the algorithm is a compression function that consists of four rounds of processing, each round having 20 steps. The four rounds have a similar structure, but each uses a different primitive logical function, referred to as f1, f2, f3 and f4.
Step 5: Output. After all L 512-bit blocks have been processed, the output from the L-th stage is the 160-bit message digest.
-
Message Digest Generation Using SHA-1
Every bit of the hash code is a function of every bit of the input!
-
SHA-1 Compression Function
Each of the four rounds has 20 steps; each step replaces the 5 buffer words (A, B, C, D, E).
-
SHA-1: Processing of a single 512-bit block
f: a logical function, different for each round.
K: a constant, different for each round.
Each round updates the contents of the 160-bit buffer, i.e., the 5 registers ABCDE.
Following a fixed rule, the 512-bit message block is expanded into a 5 x 512 = 2560-bit chunk, which is then divided into eighty 32-bit words W_0, W_1, ..., W_79.
-
SHA-1: Processing of a single 512-bit block
Update of the 160-bit vector ABCDE at step t (t is the step number, 0..79):
A = E + S^5(A) + W_t + K_t + f(t, B, C, D)
B = old A
C = S^30(old B)
D = old C
E = old D
where S^k is a circular left shift by k bits and each addition is done on 32-bit words modulo 2^32.
Example of a round function: f(t, B, C, D) = B XOR C XOR D (used in rounds 2 and 4; the other rounds use different functions).
After the four rounds, the output of the 4th round is added word-wise (mod 2^32) to the input chaining value: CV_(q+1) = CV_q + ABCDE_q.
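The five steps and the per-step update above, carried through in code. This is an added example written for this page, not code from the slides or from NIST; it is checked against Python's hashlib and is for study only, since SHA-1 is no longer collision resistant and must not be used for signatures or certificates.

```python
# Added example, not code from the slides: SHA-1 written out from the five steps
# (padding, length, 160-bit buffer, 80 steps per 512-bit block, output) and the
# per-step register update. Verified against hashlib; for study only, since
# SHA-1 is no longer considered collision resistant.
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def s(x: int, k: int) -> int:
    """S^k: circular left shift of a 32-bit word by k bits."""
    return ((x << k) | (x >> (32 - k))) & MASK32


def sha1_pad(message: bytes) -> bytes:
    """Steps 1 and 2: a 1 bit, zeros up to 448 mod 512, then the 64-bit big-endian bit length."""
    bit_len = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", bit_len)


def f(t: int, b: int, c: int, d: int) -> int:
    """Primitive logical functions f1..f4 for steps 0-19, 20-39, 40-59, 60-79."""
    if t < 20:
        return (b & c) | (~b & d)
    if t < 40:
        return b ^ c ^ d
    if t < 60:
        return (b & c) | (b & d) | (c & d)
    return b ^ c ^ d


# Round constants K_t, one per 20-step round.
K = [0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6]


def sha1(message: bytes) -> bytes:
    # Step 3: initial chaining value CV_0 held in the five registers A..E.
    cv = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    data = sha1_pad(message)
    # Step 4: process each 512-bit block.
    for off in range(0, len(data), 64):
        # Expand the sixteen 32-bit message words into W_0 .. W_79.
        w = list(struct.unpack(">16I", data[off:off + 64]))
        for t in range(16, 80):
            w.append(s(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
        a, b, c, d, e = cv
        for t in range(80):
            # A = E + S^5(A) + W_t + K_t + f(t,B,C,D); B = A; C = S^30(B); D = C; E = D
            temp = (e + s(a, 5) + w[t] + K[t // 20] + (f(t, b, c, d) & MASK32)) & MASK32
            a, b, c, d, e = temp, a, s(b, 30), c, d
        # CV_{q+1} = CV_q + output of the 4th round, word-wise mod 2^32.
        cv = [(x + y) & MASK32 for x, y in zip(cv, (a, b, c, d, e))]
    # Step 5: the final chaining value is the 160-bit digest.
    return struct.pack(">5I", *cv)


def matches_stdlib(message: bytes) -> bool:
    """Cross-check against the platform implementation."""
    return sha1(message) == hashlib.sha1(message).digest()


if __name__ == "__main__":
    print(sha1(b"abc").hex(), matches_stdlib(bytes(range(256)) * 3))
```

The two padding edge cases worth tracing by hand are a 55-byte message (padding and length fit in the same block) and a 56-byte message (the 0x80 byte forces a second block); the cross-check below covers both.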
-
Revised Secure Hash Standard
NIST issued revision FIPS 180-2 in 2002
adds 3 additional versions of SHA
SHA-256, SHA-384, SHA-512, designed for compatibility with the increased security provided by the AES cipher
structure & detail are similar to SHA-1
hence analysis should be similar
but the security levels are rather higher
-
SHA-512 Overview (figure)
-
SHA-512 Process
Step 1: Append padding bits
Step 2: Append length
Step 3: Initialize the hash buffer
Step 4: Process the message in 1024-bit (128-word) blocks, which forms the heart of the algorithm
Step 5: Output the final state value as the resulting hash
-
SHA-512 Compression Function
heart of the algorithm, processing the message in 1024-bit blocks
consists of 80 rounds updating a 512-bit buffer
using a 64-bit value Wt derived from the current message block
and a round constant Kt taken from the fractional parts of the cube roots of the first 80 prime numbers
-
SHA-512 Round Function
The elements are:
Ch(e,f,g) = (e AND f) XOR (NOT e AND g)
Maj(a,b,c) = (a AND b) XOR (a AND c) XOR (b AND c)
Sigma0(a) = ROTR(a,28) XOR ROTR(a,34) XOR ROTR(a,39)
Sigma1(e) = ROTR(e,14) XOR ROTR(e,18) XOR ROTR(e,41)
+ = addition modulo 2^64
Kt = a 64-bit additive constant
Wt = a 64-bit word derived from the current 1024-bit input block.
-
02/27/06 Hofstra University Network Security Course, CSC290A 33
MD5 Message Digest
Ron Rivest, 1992
specified as Internet standard RFC 1321
Input: arbitrary length; Output: 128-bit digest
Was the most widely used secure hash algorithm until recently
in recent times there have been both brute-force & cryptanalytic concerns
The security of the 128-bit hash code has become questionable (1996, 2004): practical collisions were published in 2004, so MD5 must not be used where collision resistance matters (signatures, certificates, integrity of untrusted files).
-
MD5 Overview
1. Pad the message so its length is 448 mod 512
2. Append a 64-bit original-length value to the message
3. Initialise a 4-word (128-bit) MD buffer (A, B, C, D)
4. Process the message in 16-word (512-bit) blocks, using 4 rounds of 16 steps each (64 steps of bitwise operations on the message block & buffer)
Add the output to the buffer input to form the new buffer value
5. The output hash value is the final buffer value
-
MD5 Overview (figure)
-
MD5 Compression Function (figure)
-
Functions and Random Numbers
F(x,y,z) = (x AND y) OR (NOT x AND z)    (selection function)
G(x,y,z) = (x AND z) OR (y AND NOT z)
H(x,y,z) = x XOR y XOR z
I(x,y,z) = y XOR (x OR NOT z)
-
SHA-1 vs. MD5
a brute-force attack on SHA-1 is harder (160 vs 128 bits for MD5)
when these slides were written, SHA-1 had no practical published attack (unlike MD4/MD5); collision attacks were published in 2005 and a practical collision was demonstrated in 2017, so SHA-1 is now deprecated for signatures in favour of SHA-2
SHA-1 is a little slower than MD5 (80 vs 64 steps)
both were designed to be simple and compact
SHA-1 is optimised for big-endian CPUs (vs MD5, which is optimised for little-endian CPUs)
-
Whirlpool
Based on the use of a block cipher for compression
endorsed by the European NESSIE project
uses modified AES internals as the compression function
with performance comparable to dedicated algorithms like SHA
-
Whirlpool Overview (figure)
-
Whirlpool Block Cipher W
designed specifically for hash function use
with the security and efficiency of AES
Whirlpool takes a message of length < 2^256 bits as input and produces a 512-bit message digest; W itself uses a 512-bit block and a 512-bit key
similar structure & functions as AES, but
the input is mapped row-wise
has 10 rounds
uses a different S-box design & values
-
Whirlpool Block Cipher W (figure)
-
Whirlpool Performance & Security
Whirlpool is a very new proposal
hence little experience with use
but many AES findings should apply
does seem to need more h/w than SHA, but with better resulting performance
-
HMAC (Hash MAC)
Instead of using encryption algorithms, one may derive a MAC from a hash function such as SHA-1. Motivations:
Hash functions execute faster in software than encryption algorithms such as DES.
Library code for hash functions is widely available.
No export restrictions on hash functions from the US.
A hash function (e.g., SHA-1) was not designed for use as a MAC and cannot be used directly to create a MAC, since it does not rely on a secret key.
E.g., an opponent D could substitute a message of its own, compute its hash code, and claim it came from B.
HMAC was proposed, which creates a MAC from a hash function and a secret key. HMAC has been used in IP security (IPsec), SSL/TLS, etc.
-
HMAC Structure
HMAC Design Objectives:
To use available hash functions.
To allow for easy replaceability of the embedded hash function.
To preserve the original performance of the hash function.
To use and handle keys in a simple way.
To have a well-understood cryptographic analysis of the strength of the authentication mechanism.
Definitions (b = block size of the embedded hash in bits, e.g., 512 for SHA-1):
K+: K padded with zeros so it is b bits long (RFC 2104 appends the zeros after K; a key longer than b bits is first replaced by H(K))
ipad: 00110110 (0x36) repeated b/8 times
opad: 01011100 (0x5C) repeated b/8 times
HMAC_K(M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]]
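The MAC_M = F(KAB, M) idea from the "Approaches to Message Authentication" slide and the HMAC formula above, written out as an added example (not code from the slides or from RFC 2104). It builds HMAC from the ipad/opad construction over hashlib's SHA-256, checks it against Python's hmac module, and shows the receiver-side verification with a constant-time compare; the keys and messages are constructed here.

```python
# Added example, not code from the slides: HMAC built from
# HMAC_K(M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]] using hashlib for H,
# cross-checked against Python's hmac module. Keys and messages are constructed.
import hashlib
import hmac

IPAD_BYTE = 0x36   # 00110110
OPAD_BYTE = 0x5C   # 01011100


def hmac_from_scratch(key: bytes, message: bytes, hash_ctor=hashlib.sha256) -> bytes:
    b = hash_ctor().block_size              # b bits of the embedded hash, in bytes (64 for SHA-1/SHA-256)
    if len(key) > b:                        # RFC 2104: a key longer than b is hashed first
        key = hash_ctor(key).digest()
    k_plus = key + b"\x00" * (b - len(key))  # K+: K zero-padded (zeros appended) to b bytes
    inner = hash_ctor(bytes(x ^ IPAD_BYTE for x in k_plus) + message).digest()
    return hash_ctor(bytes(x ^ OPAD_BYTE for x in k_plus) + inner).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute F(K, M) and compare in constant time, so that
    a byte-by-byte early exit does not leak how much of a forged tag was right."""
    return hmac.compare_digest(hmac_from_scratch(key, message), tag)


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check against the standard library's HMAC-SHA256."""
    return hmac_from_scratch(key, message) == hmac.new(key, message, hashlib.sha256).digest()


if __name__ == "__main__":
    key = b"shared-secret-between-A-and-B"   # constructed
    msg = b"pay 100 to account 42"            # constructed
    tag = hmac_from_scratch(key, msg)
    print(tag.hex(), verify_tag(key, msg, tag), verify_tag(key, b"pay 900 to account 42", tag))
```

In practice use hmac.new rather than a hand-rolled version; the point of writing it out is to see that the secret key enters the hash twice, so an opponent who sees M and its tag can neither recompute the tag for a modified message nor extend it the way a bare H(K || M) could be extended.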
-
HMAC Security
the proved security of HMAC relates to that of the underlying hash algorithm
attacking HMAC requires either:
a brute-force attack on the key used, or
a birthday attack on the hash (but since it is keyed, the attacker would need to observe a very large number of messages)
choose the hash function used based on speed versus security constraints
-
Public-Key Cryptography Principles
The use of two keys has consequences in: key distribution, confidentiality and authentication.
The scheme has six ingredients:
Plaintext
Encryption algorithm
Public key
Private key
Ciphertext
Decryption algorithm
-
Encryption using a Public-Key system (figure: encryption with the recipient's public key)
-
Authentication using a Public-Key system (figure: authentication with the sender's private key)
-
Applications for Public-Key Cryptosystems
Three categories:
Encryption/decryption: the sender encrypts a message with the recipient's public key.
Digital signature: the sender signs a message with its private key.
Key exchange: two sides cooperate to exchange a session key.
-
Requirements for Public-Key Cryptography
1. Computationally easy for a party B to generate a pair (public key KUb, private key KRb)
2. Computationally easy for a sender A, knowing the public key and the message M, to generate a ciphertext: C = E_KUb(M)
3. Easy for the receiver B to decrypt the ciphertext using its private key: M = D_KRb(C) = D_KRb[E_KUb(M)]
4. Computationally infeasible for an opponent to determine the private key (KRb) knowing the public key (KUb)
5. Computationally infeasible for an opponent to recover the message M, knowing KUb and the ciphertext C
6. Either of the two keys can be used for encryption, with the other used for decryption: M = D_KRb[E_KUb(M)] = D_KUb[E_KRb(M)]
-
Public-Key Cryptographic Algorithms
The most widely used are RSA and Diffie-Hellman
RSA: Ron Rivest, Adi Shamir and Len Adleman at MIT, in 1977.
ACM Turing award in 2002.
RSA operates as a block cipher on integers modulo n. Applications: encryption/decryption, digital signature, and key exchange
Diffie-Hellman: application is to exchange a secret key securely
Based on the difficulty of computing discrete logarithms
-
Prime Numbers
A prime number can be divided, without a remainder, only by itself and by 1. For example, 17 can be divided only by 17 and by 1.
Some facts:
The only even prime number is 2. All other even numbers can be divided by 2.
If the sum of a number's digits is a multiple of 3, that number can be divided by 3.
No prime number greater than 5 ends in a 5. Any number greater than 5 that ends in a 5 can be divided by 5.
Zero and 1 are not considered prime numbers.
Except for 0 and 1, a number is either a prime number or a composite number. A composite number is defined as any number, greater than 1, that is not prime.
-
Primality Test
Deterministic: tests determine with absolute certainty whether a number is prime.
Probabilistic: tests can potentially (although with very small probability) falsely identify a composite number as prime (although not vice versa).
-
Relatively Prime Numbers & GCD
Two numbers are called relatively prime or co-prime if they have no common divisors greater than 1.
Using the notation GCD(m,n) to denote the greatest common divisor, two integers m and n are relatively prime if GCD(m,n) = 1.
Example 1: 26 and 51 are relatively prime.
Example 2: 81 and 343 are relatively prime.
-
The Euler Phi (phi) or Totient function
The totient function phi(n) is defined as the number of positive integers less than n that are relatively prime to n (i.e., do not contain any factor in common with n), where 1 is counted as being relatively prime to all numbers.
If n is the product of two distinct prime numbers p and q, then phi(n) = (p-1)(q-1).
That is, there are (p-1)(q-1) numbers in 1..n-1 which are relatively prime to n.
Example: p = 3, q = 5, n = 15
phi(15) = (3-1)(5-1) = 2 * 4 = 8
phi(n) is always even for n >= 3. By convention, phi(0) = 1.
-
The RSA Algorithm: Key Generation (figure)
-
The RSA Algorithm: Enc./Dec.
Encryption:
Plaintext: M < n; Ciphertext: C = M^e (mod n)
Decryption:
Ciphertext: C; Plaintext: M = C^d (mod n) = M^(ed) (mod n)
The plaintext and ciphertext are integers between 0 and n-1 for some large integer n.
Both sender and receiver must know n and e, and only the receiver knows d.
The security of RSA comes from the computational difficulty of factoring large numbers: for large p and q, knowing n = pq it is hard to find p and q.
The size of a key in RSA typically refers to the size of n, e.g., a 1024-bit n (about 300 decimal digits). Note: 1024-bit moduli are no longer considered adequate; 2048 bits is the current minimum.
Raw ("textbook") RSA as written here is deterministic and malleable; practical systems pad the message (e.g., OAEP) before exponentiation.
-
RSA Requirements
It is possible to find values of e, d, n such that M^(ed) = M mod n for all M < n
-
An example of the RSA Algorithm
1. p = 17; q = 11.
2. n = p x q = 187.
3. phi(n) = (p-1)(q-1) = 16 x 10 = 160.
4. Select e that is relatively prime to phi(n), and e <
-
Diffie-Hellman Key Exchange
The Diffie-Hellman algorithm enables two users to exchange a secret key securely.
For a given prime number p, a is called a primitive root of p if the numbers
a mod p, a^2 mod p, ..., a^(p-1) mod p
are distinct and consist of the integers from 1 to p-1 in some permutation.
For any b
-
Diffie-Hellman Key Exchange: Users A and B
Both know the prime q and a primitive root alpha of q.
A selects a random integer XA < q and computes YA = alpha^XA mod q.
B independently selects a random integer XB < q and computes YB = alpha^XB mod q.
Both A and B make their public value (YA, YB) available to the other side.
A computes K = (YB)^XA mod q; B computes K = (YA)^XB mod q.
An attacker D could know q, alpha, YA and YB, but not XA and XB.
To find out XB (and then K), D must compute a discrete log: XB = dlog_(alpha,q)(YB), which is believed to be very difficult.
Example: 2^3 = 8 = 1 (mod 7)
Diffie-Hellman Key Exchange - Algorithm
Why both sides compute the same key:
K = (YB)^XA mod q
  = (alpha^XB mod q)^XA mod q
  = (alpha^XB)^XA mod q          (by the property of mod)
  = alpha^(XB * XA) mod q
  = (alpha^XA)^XB mod q
  = (alpha^XA mod q)^XB mod q    (by the property of mod)
  = (YA)^XB mod q
At the end, users A and B share a secret key K, which is not known to others.
-
Example
A & B wish to exchange a key.
Prime number q = 71, and its primitive root alpha = 7
Generate random integers XA = 5 and XB = 12, both < q
A computes his public key YA = 7^5 mod 71 = 51
B computes his public key YB = 7^12 mod 71 = 4
After they exchange the public keys, each can compute the shared secret key K:
A computes K = 4^5 mod 71 = 30
B computes K = 51^12 mod 71 = 30
-
Breaking Diffie-Hellman
The Diffie-Hellman key exchange is vulnerable to a man-in-the-middle attack. Alice & Bob wish to exchange keys, and Carol is the opponent.
In this attack, the opponent Carol intercepts Alice's public value and sends her own public value to Bob.
When Bob transmits his public value, Carol substitutes it with her own and sends it to Alice.
Carol and Alice thus agree on one shared key, and Carol and Bob agree on another shared key.
After this exchange, Carol simply decrypts any messages sent out by Alice or Bob, and then reads and possibly modifies them before re-encrypting with the appropriate key and transmitting them to the other party.
This vulnerability is present because Diffie-Hellman key exchange does not authenticate the participants. Possible solutions include the use of digital signatures and other protocol variants.
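The exchange from the worked example (q = 71, alpha = 7, XA = 5, XB = 12) and the man-in-the-middle attack described above, run side by side as an added example that is not part of the original slides. Carol's private value XC = 3 is chosen here; everything else follows the slides.

```python
# Added example, not code from the slides: Diffie-Hellman with the slide's
# numbers (q = 71, alpha = 7, XA = 5, XB = 12) and the man-in-the-middle attack,
# with Carol's private value XC = 3 chosen here.


def dh_public(alpha: int, q: int, x: int) -> int:
    """Y = alpha^X mod q, the value each side publishes."""
    return pow(alpha, x, q)


def dh_shared(peer_public: int, x: int, q: int) -> int:
    """K = Y_peer^X mod q."""
    return pow(peer_public, x, q)


def honest_exchange(q: int, alpha: int, xa: int, xb: int):
    """Returns (YA, YB, K computed by A, K computed by B)."""
    ya, yb = dh_public(alpha, q, xa), dh_public(alpha, q, xb)
    ka = dh_shared(yb, xa, q)       # A uses B's public value
    kb = dh_shared(ya, xb, q)       # B uses A's public value
    return ya, yb, ka, kb


def mitm_exchange(q: int, alpha: int, xa: int, xb: int, xc: int):
    """Carol intercepts YA and YB and substitutes her own YC in both directions.
    Nothing in the protocol lets Alice or Bob notice: each just sees 'a public value'."""
    ya, yb, yc = (dh_public(alpha, q, x) for x in (xa, xb, xc))
    return {
        "alice": dh_shared(yc, xa, q),        # Alice believes this is shared with Bob
        "bob": dh_shared(yc, xb, q),          # Bob believes this is shared with Alice
        "carol_alice": dh_shared(ya, xc, q),  # Carol's key towards Alice
        "carol_bob": dh_shared(yb, xc, q),    # Carol's key towards Bob
    }


def relay(keys: dict, plaintext: int) -> int:
    """Carol's relay step, modelled with a toy XOR 'cipher' (a stand-in for the
    real one): strip Alice's key, read the value, re-apply Bob's key."""
    from_alice = plaintext ^ keys["alice"]
    recovered = from_alice ^ keys["carol_alice"]   # Carol reads (and could alter) it
    return recovered ^ keys["carol_bob"]            # Bob will unwrap this with keys["bob"]


if __name__ == "__main__":
    print(honest_exchange(71, 7, 5, 12))            # (51, 4, 30, 30)
    keys = mitm_exchange(71, 7, 5, 12, 3)
    print(keys)
    print(relay(keys, 42) ^ keys["bob"])           # Bob recovers 42, unaware of Carol
```

The fix sketched on the next slide is to have Alice sign YA and Bob sign YB under certified keys; Carol can still substitute YC, but she cannot produce Alice's signature over it, so the substitution fails verification.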
-
Defeating the man-in-the-middle attack
Prior to execution of the protocol, the two parties Alice and Bob each obtain a public/private key pair and a certificate for the public key.
The prime number p and its primitive root alpha are public, as before.
During the protocol, Alice computes a signature on certain messages, covering the public value alpha^XA mod p. Bob proceeds in a similar way.
Even though Carol is still able to intercept messages between Alice and Bob, she cannot forge signatures without Alice's private key and Bob's private key. Hence, the enhanced protocol defeats the man-in-the-middle attack. (see slide 70 for more details)
-
Other Public-Key Cryptographic Algorithms
Digital Signature Standard (DSS)
Makes use of SHA-1
Not for encryption or key exchange
Only for digital signatures
Elliptic-Curve Cryptography (ECC)
Good security for a small key size (compared with RSA's 1024-bit key), e.g., for sensor nodes.
Lower confidence level at the time these slides were written (only deployed in products for a few years, compared with RSA, tested for 30 years); very complex. ECC has since become standard, e.g., ECDHE key exchange in TLS.
-
RSA & Diffie-Hellman
RSA depends on the difficulty of factoring a large number that is the product of two large primes.
Diffie-Hellman depends on the difficulty of computing discrete logarithms.
-
Key Management
Two aspects:
The distribution of public keys
The use of public-key encryption to distribute secret keys
-
Henric Johnson
Key Management: Public-Key Certificate Use (figure)
Distributing Shared Secret Keys (figure)
-
Distributing Shared Secret Keys by using Public-Key Algorithms
How to distribute a shared secret key?
Using Diffie-Hellman key exchange: no authentication of the two parties.
Using a public-key certificate. Bob -> Alice (public key KUa; private key KRa):
If Bob obtained Alice's public key KUa from a public-key certificate, then Bob is assured that KUa is a valid key.
Bob prepares a message.
Encrypt that message using conventional encryption (e.g., DES) with a one-time conventional session key K (a new key).
Encrypt the session key K using public-key encryption with Alice's public key KUa.
Attach the encrypted session key K to the message and send it to Alice.
Only Alice can decrypt the session key K (with her private key KRa) and recover the original message.
E_K[message] || E_KUa[K]
Note: this gives confidentiality only. Anyone holding KUa could have sent it, so for Alice to know the message came from Bob, Bob must also sign it with his private key.