Public-Key Cryptography and Message Authentication


Page 1: Public-Key Cryptography and Message Authentication

Public-Key Cryptography and Message Authentication

Henric Johnson

Blekinge Institute of Technology, Sweden

http://www.its.bth.se/staff/hjo/


Page 2: Public-Key Cryptography and Message Authentication

OUTLINE

• Approaches to Message Authentication
• Secure Hash Functions
• Digital Signatures

Page 3: Public-Key Cryptography and Message Authentication

Message Authentication

• message authentication is concerned with:
  – protecting the integrity of a message
  – validating identity of originator
  – non-repudiation of origin (dispute resolution)
• will consider the security requirements
• then three alternative functions used:
  – message encryption
  – message authentication code (MAC)
  – hash function

Page 4: Public-Key Cryptography and Message Authentication

Security Requirements

• disclosure
• traffic analysis
• masquerade
• content modification
• sequence modification
• timing modification
• source repudiation
• destination repudiation

Page 5: Public-Key Cryptography and Message Authentication

Message Encryption

• message encryption by itself also provides a measure of authentication
• if symmetric encryption is used then:
  – receiver knows that the sender must have created the message
  – since only sender and receiver know key used, content of the message cannot have been altered
  – if message has a suitable structure, redundancy or a checksum to detect any changes

Page 6: Public-Key Cryptography and Message Authentication

Message Encryption

• if public-key encryption is used:
  – encryption provides no confidence of sender
  – since anyone potentially knows public-key
  – however if
    • sender signs message using their private-key
    • then encrypts with recipient's public key
    • have both secrecy and authentication
  – again need to recognize corrupted messages
  – but at cost of two public-key uses on message

Page 7: Public-Key Cryptography and Message Authentication

Message Authentication Code (MAC)

• generated by an algorithm that creates a small fixed-sized block
  – depending on both message and some key
  – like encryption though need not be reversible
• appended to message as a signature
• receiver performs same computation on message and checks whether it matches the MAC
• provides assurance that message is unaltered and comes from sender

Page 8: Public-Key Cryptography and Message Authentication

Message Authentication Code

Page 9: Public-Key Cryptography and Message Authentication

Message Authentication Codes

• as shown the MAC provides authentication
• can also use encryption for secrecy
  – generally use separate keys for each
  – can compute MAC either before or after encryption
  – is generally regarded as better done before
• why use a MAC?
  – sometimes only authentication is needed
  – sometimes need authentication to persist longer than the encryption (eg. archival use)
• note that a MAC is not a digital signature

Page 10: Public-Key Cryptography and Message Authentication

Authentication

• Requirements - must be able to verify that:
  1. Message came from apparent source or author,
  2. Contents have not been altered,
  3. Sometimes, it was sent at a certain time or sequence.
• Protection against active attack (falsification of data and transactions)

Page 11: Public-Key Cryptography and Message Authentication

Approaches to Message Authentication

• Authentication Using Conventional Encryption
  – Only the sender and receiver should share a key
• Hash Function: Message digest function
  – An authentication tag (fingerprint) is generated and appended to each message
• Message Authentication Code
  – Calculate the MAC as a function of the message and the shared secret key.

MAC = F(K, M) = Cryptographic checksum

Page 12: Public-Key Cryptography and Message Authentication


Page 13: Public-Key Cryptography and Message Authentication

One-way HASH function

Page 14: Public-Key Cryptography and Message Authentication

One-way HASH function

• Secret value is added before the hash and removed before transmission.

Page 15: Public-Key Cryptography and Message Authentication

Using Symmetric Ciphers for MACs

• can use any block cipher chaining (CBC) mode and use final block as a MAC
• Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC
  – using IV=0 and zero-pad of final block
  – encrypt message using DES in CBC mode
  – and send just the final block as the MAC
    • or the leftmost M bits (16≤M≤64) of final block
• but final MAC is now too small for security

Page 16: Public-Key Cryptography and Message Authentication

MAC Based on DES

D1, D2, D3, ..., DN = 64-bit data blocks
E = DES Encryption Algorithm,
K = Secret key

Q1 = E(K, D1)
Q2 = E(K, [D2 ^ Q1])
Q3 = E(K, [D3 ^ Q2])
...
QN = E(K, [DN ^ Q(N-1)])

Page 17: Public-Key Cryptography and Message Authentication

Data Authentication Algorithm

Page 18: Public-Key Cryptography and Message Authentication

Secure HASH Functions

• Purpose of the HASH function is to produce a "fingerprint".
• Properties of a HASH function H:
  1. H can be applied to a block of data of any size
  2. H produces a fixed length output
  3. H(x) is easy to compute for any given x.
  4. For any given value h, it is computationally infeasible to find x such that H(x) = h
  5. For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x).
  6. It is computationally infeasible to find any pair (x, y) such that H(x) = H(y)

Page 19: Public-Key Cryptography and Message Authentication

Hash Algorithm Structure

$$CV_0 = IV = \text{initial } n\text{-bit value}$$

$$CV_i = f(CV_{i-1}, Y_{i-1}), \quad 1 \le i \le L$$

$$H(M) = CV_L$$

Page 20: Public-Key Cryptography and Message Authentication

Secure Hash Algorithm

• SHA originally designed by NIST & NSA in 1993
• was revised in 1995 as SHA-1
• US standard for use with DSA signature scheme
  – standard is FIPS 180-1 1995, also Internet RFC3174
  – nb. the algorithm is SHA, the standard is SHS
• based on design of MD4 with key differences
• produces 160-bit hash values
• recent 2005 results on security of SHA-1 have raised concerns on its use in future applications

Page 21: Public-Key Cryptography and Message Authentication

Revised Secure Hash Standard

• NIST issued revision FIPS 180-2 in 2002
• adds 3 additional versions of SHA
  – SHA-256, SHA-384, SHA-512
• designed for compatibility with increased security provided by the AES cipher
• structure & detail is similar to SHA-1
• hence analysis should be similar
• but security levels are rather higher

Page 22: Public-Key Cryptography and Message Authentication

SHA-512 Overview

Page 23: Public-Key Cryptography and Message Authentication

SHA-512 Compression Function

• heart of the algorithm
• processing message in 1024-bit blocks
• consists of 80 rounds
  – updating a 512-bit buffer
  – using a 64-bit value Wt derived from the current message block
  – and a round constant based on cube root of first 80 prime numbers

Page 24: Public-Key Cryptography and Message Authentication

SHA-512 Round Function

Page 25: Public-Key Cryptography and Message Authentication

SHA-512 Round Function

Page 26: Public-Key Cryptography and Message Authentication

Message Digest Generation Using SHA-1

Page 27: Public-Key Cryptography and Message Authentication

SHA-1 Processing of single 512-Bit Block

Page 28: Public-Key Cryptography and Message Authentication

Other Secure HASH functions

                           SHA-1                 MD5                   RIPEMD-160
Digest length              160 bits              128 bits              160 bits
Basic unit of processing   512 bits              512 bits              512 bits
Number of steps            80 (4 rounds of 20)   64 (4 rounds of 16)   160 (5 paired rounds of 16)
Maximum message size       2^64-1 bits

Page 29: Public-Key Cryptography and Message Authentication

HMAC

• Uses a MAC derived from a cryptographic hash code, such as SHA-1.
• Motivations:
  – Cryptographic hash functions execute faster in software than encryption algorithms such as DES
  – Library code for cryptographic hash functions is widely available
  – No export restrictions from the US

Page 30: Public-Key Cryptography and Message Authentication

HMAC Algorithm

H = Embedded hash function (e.g., MD5, SHA-1, RIPEMD-160)
IV = Initial Value, input to hash function
M = Message input including padding
Yi = ith block of M
L = Number of blocks in M
b = Number of bits in a block
n = Length of hash code produced by embedded hash function
K = Secret key
K+ = Key padded with zeros on the left so that the result is b bits
ipad = 00110110 (36 hexadecimal) repeated b/8 times
opad = 01011100 (5C hexadecimal) repeated b/8 times

$$\mathrm{HMAC}(K, M) = H\big[(K^+ \oplus \mathrm{opad}) \,\|\, H[(K^+ \oplus \mathrm{ipad}) \,\|\, M]\big]$$

Page 31: Public-Key Cryptography and Message Authentication

HMAC Algorithm

1. Append zeros to the left end of K to create a b-bit string K+
2. XOR K+ with ipad to produce the b-bit block Si
3. Append M to Si
4. Apply H to the stream generated in step 3
5. XOR K+ with opad to produce the b-bit block So
6. Append the hash result from step 4 to So
7. Apply H to the stream generated in step 6 and output the result
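The seven HMAC steps as code, checked against Python's standard hmac module. This is an added example, not part of the original slides; the key, message and the names hmac_by_steps and verify_tag are constructed for illustration. One difference from the slide wording: RFC 2104, and therefore the standard library, places the zero padding after the key bytes, and the code does the same so the tags agree.

```python
import hashlib
import hmac


def hmac_by_steps(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """Compute HMAC(K, M) = H[(K+ xor opad) || H[(K+ xor ipad) || M]]."""
    def H(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    block_len = hashlib.new(hash_name).block_size  # b/8 on the slide, in bytes

    # RFC 2104: a key longer than one block is replaced by its hash first.
    if len(key) > block_len:
        key = H(key)

    # Step 1: build the b-bit string K+ (zero bytes appended, as in RFC 2104).
    k_plus = key.ljust(block_len, b"\x00")

    # Steps 2-4: Si = K+ xor ipad, then hash Si || M.
    s_i = bytes(byte ^ 0x36 for byte in k_plus)
    inner = H(s_i + message)

    # Steps 5-7: So = K+ xor opad, then hash So || inner result.
    s_o = bytes(byte ^ 0x5C for byte in k_plus)
    return H(s_o + inner)


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Receiver side: recompute the MAC and compare in constant time."""
    expected = hmac_by_steps(key, message, hash_name)
    return hmac.compare_digest(expected, tag)


# Constructed sample values, not taken from the slides.
KEY = b"shared-secret-key"
MESSAGE = b"transfer 100 SEK to account 42"
TAG = hmac_by_steps(KEY, MESSAGE)

if __name__ == "__main__":
    print("tag:", TAG.hex())
    print("matches stdlib:", TAG == hmac.new(KEY, MESSAGE, hashlib.sha256).digest())
    print("altered message accepted:", verify_tag(KEY, MESSAGE.replace(b"100", b"900"), TAG))
```

The comparison uses hmac.compare_digest rather than ==, so the time taken does not reveal how many leading bytes of a forged tag were correct.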

Page 32: Public-Key Cryptography and Message Authentication

HMAC Structure

Page 33: Public-Key Cryptography and Message Authentication

Public Key Cryptography and RSA

Page 34: Public-Key Cryptography and Message Authentication

Private-Key Cryptography

• traditional private/secret/single key cryptography uses one key
• shared by both sender and receiver
• if this key is disclosed communications are compromised
• also is symmetric, parties are equal
• hence does not protect sender from receiver forging a message & claiming is sent by sender

Page 35: Public-Key Cryptography and Message Authentication

Public-Key Cryptography

• probably most significant advance in the 3000 year history of cryptography
• uses two keys – a public & a private key
• asymmetric since parties are not equal
• uses clever application of number theoretic concepts to function
• complements rather than replaces private key crypto

Page 36: Public-Key Cryptography and Message Authentication

Why Public-Key Cryptography?

• developed to address two key issues:
  – key distribution – how to have secure communications in general without having to trust a KDC with your key
  – digital signatures – how to verify a message comes intact from the claimed sender
• public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976
  – known earlier in classified community

Page 37: Public-Key Cryptography and Message Authentication

Public-Key Cryptography

• public-key/two-key/asymmetric cryptography involves the use of two keys:
  – a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures
  – a related private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures
• infeasible to determine private key from public
• is asymmetric because
  – those who encrypt messages or verify signatures cannot decrypt messages or create signatures

Page 38: Public-Key Cryptography and Message Authentication

Public-Key Cryptography

Page 39: Public-Key Cryptography and Message Authentication

Symmetric vs Public-Key

Page 40: Public-Key Cryptography and Message Authentication

RSA

• by Rivest, Shamir & Adleman of MIT in 1977
• best known & widely used public-key scheme
• based on exponentiation in a finite (Galois) field over integers modulo a prime
  – nb. exponentiation takes O((log n)^3) operations (easy)
• uses large integers (eg. 1024 bits)
• security due to cost of factoring large numbers
  – nb. factorization takes O(e^(log n log log n)) operations (hard)

Page 41: Public-Key Cryptography and Message Authentication

RSA En/decryption

• to encrypt a message M the sender:
  – obtains public key of recipient PU={e,n}
  – computes: C = M^e mod n, where 0≤M<n
• to decrypt the ciphertext C the owner:
  – uses their private key PR={d,n}
  – computes: M = C^d mod n
• note that the message M must be smaller than the modulus n (block if needed)

Page 42: Public-Key Cryptography and Message Authentication

Fermat's Theorem

if p is prime and a is a positive integer not divisible by p, then

$$a^{p-1} \equiv 1 \pmod{p}$$

a = 7; p = 19:

$$7^2 = 49 \equiv 11 \pmod{19}$$

$$7^4 \equiv 121 \equiv 7 \pmod{19}$$

$$7^8 \equiv 49 \equiv 11 \pmod{19}$$

$$7^{16} \equiv 121 \equiv 7 \pmod{19}$$

$$a^{p-1} = 7^{18} = 7^{16} \times 7^2 \equiv 7 \times 11 \equiv 1 \pmod{19}$$

An alternative form of Fermat's theorem is such that, if p is prime and a is a positive integer, then

$$a^p \equiv a \pmod{p}$$

Page 43: Public-Key Cryptography and Message Authentication

Euler's Theorem

Euler's totient function is written as $\phi(n)$ and defined as the number of positive integers less than n and relatively prime to n. $\phi(1) = 1$. For a prime number p, $\phi(p) = p - 1$.

Theorem: For every a and n that are relatively prime, we have

$$a^{\phi(n)} \equiv 1 \pmod{n}$$

$$a = 3;\ n = 10;\ \phi(10) = 4:\quad a^{\phi(n)} = 3^4 = 81 \equiv 1 \pmod{10} = 1 \pmod{n}$$

$$a = 2;\ n = 11;\ \phi(11) = 10:\quad a^{\phi(n)} = 2^{10} = 1024 \equiv 1 \pmod{11} = 1 \pmod{n}$$

$$a^{\phi(n)+1} \equiv a \pmod{n}$$

Page 44: Public-Key Cryptography and Message Authentication

The RSA Algorithm – Key Generation

1. Select p, q: p and q both prime
2. Calculate n = p x q
3. Calculate $\phi(n) = (p-1)(q-1)$
4. Select integer e: $\gcd(\phi(n), e) = 1;\ 1 < e < \phi(n)$
5. Calculate d: $d \equiv e^{-1} \pmod{\phi(n)}$
6. Public Key KU = {e,n}
7. Private key KR = {d,n}

Page 45: Public-Key Cryptography and Message Authentication

Example of RSA Algorithm

Page 46: Public-Key Cryptography and Message Authentication

The RSA Algorithm - Encryption

• Plaintext: M<n
• Ciphertext: C = M^e (mod n)

Page 47: Public-Key Cryptography and Message Authentication

The RSA Algorithm - Decryption

• Ciphertext: C
• Plaintext: M = C^d (mod n)

Page 48: Public-Key Cryptography and Message Authentication

Why RSA Works

• because of Euler's Theorem:
  – a^φ(n) mod n = 1 where gcd(a,n)=1
• in RSA have:
  – n=p.q
  – φ(n)=(p-1)(q-1)
  – carefully chose e & d to be inverses mod φ(n)
  – hence e.d=1+k.φ(n) for some k
• hence:
  C^d = M^(e.d) = M^(1+k.φ(n)) = M^1.(M^φ(n))^k = M^1.(1)^k = M^1 = M mod n

Page 49: Public-Key Cryptography and Message Authentication

RSA Example - Key Setup

1. Select primes: p=17 & q=11
2. Calculate n = pq = 17 x 11 = 187
3. Calculate φ(n)=(p–1)(q-1)=16x10=160
4. Select e: gcd(e,160)=1; choose e=7
5. Determine d: de=1 mod 160 and d < 160. Value is d=23 since 23x7=161=1x160+1
6. Publish public key PU={7,187}
7. Keep secret private key PR={23,187}

Page 50: Public-Key Cryptography and Message Authentication

RSA Example - En/Decryption

• sample RSA encryption/decryption is:
• given message M = 88 (nb. 88<187)
• encryption: C = 88^7 mod 187 = 11
• decryption: M = 11^23 mod 187 = 88

Page 51: Public-Key Cryptography and Message Authentication

Exponentiation

• can use the Square and Multiply Algorithm
• a fast, efficient algorithm for exponentiation
• concept is based on repeatedly squaring base
• and multiplying in the ones that are needed to compute the result
• look at binary representation of exponent
• only takes O(log2 n) multiples for number n
  – eg. 7^5 = 7^4.7^1 = 3.7 = 10 mod 11
  – eg. 3^129 = 3^128.3^1 = 5.3 = 4 mod 11

Page 52: Public-Key Cryptography and Message Authentication

Exponentiation

c = 0; f = 1
for i = k downto 0 do
    c = 2 x c
    f = (f x f) mod n
    if b_i == 1 then
        c = c + 1
        f = (f x a) mod n
return f
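The key setup, en/decryption and square-and-multiply slides above, run end to end with the slides' own numbers (p=17, q=11, e=7, M=88). This is an added example, not code from the original slides; the function names are illustrative, and it is textbook RSA without padding, suitable only for following the arithmetic.

```python
from math import gcd


def extended_gcd(a: int, b: int):
    """Return (g, x, y) such that a*x + b*y == g == gcd(a, b)."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y


def make_keys(p: int, q: int, e: int):
    """Key generation steps 2-7: return (public, private) = ({e,n}, {d,n})."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("need 1 < e < phi(n) and gcd(phi(n), e) = 1")
    _, x, _ = extended_gcd(e, phi)   # e*x + phi*y = 1, so x is e^-1 mod phi
    d = x % phi                      # reduce into the range 0 <= d < phi
    return (e, n), (d, n)


def square_and_multiply(a: int, exponent: int, n: int) -> int:
    """a^exponent mod n, scanning exponent bits b_k .. b_0 as on the slide."""
    f = 1
    for bit in bin(exponent)[2:]:
        f = (f * f) % n              # always square
        if bit == "1":
            f = (f * a) % n          # multiply in a when the bit is set
    return f


def encrypt(m: int, public) -> int:
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= M < n")
    return square_and_multiply(m, e, n)


def decrypt(c: int, private) -> int:
    d, n = private
    return square_and_multiply(c, d, n)


# Parameters from the "RSA Example" slides.
PUBLIC, PRIVATE = make_keys(17, 11, 7)

if __name__ == "__main__":
    c = encrypt(88, PUBLIC)
    print("PU =", PUBLIC, "PR =", PRIVATE)
    print("C =", c, "M =", decrypt(c, PRIVATE))
```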

Page 53: Public-Key Cryptography and Message Authentication

Diffie-Hellman Key Exchange

Page 54: Public-Key Cryptography and Message Authentication

Other Public-Key Cryptographic Algorithms

• Digital Signature Standard (DSS)
  – Makes use of the SHA-1
  – Not for encryption or key exchange
• Elliptic-Curve Cryptography (ECC)
  – Good for smaller bit size
  – Low confidence level, compared with RSA
  – Very complex

Page 55: Public-Key Cryptography and Message Authentication

Key Management
Public-Key Certificate Use