Pasang Surut


Transcript of Pasang Surut

  • 5/18/2018 Pasang Surut

    1/33

    Authentication Methods: From Digital Signatures to Hashes

  • 2/33

    Lecture Motivation

    We have looked at confidentiality services, and also examined the information theoretic framework for security. Confidentiality between Alice and Bob only guarantees that Eve cannot read the message; it does not address:

    Is Alice really talking to Bob?
    Is Bob really talking to Alice?

    In this lecture, we will look at the following problems:

    Entity Authentication: Proof of the identity of an individual
    Message Authentication (Data origin authentication): Proof that the source of information really is what it claims to be
    Message Signing: Binding information to a particular entity
    Data Integrity: Ensuring that information has not been altered by unknown entities

  • 3/33

    Lecture Outline

    Discrete Logarithms and ElGamal
      Primitive elements and some more number theory (quickly)
      DLOG
      ElGamal, another Public Key Algorithm!
    Digital Signatures:
      The basic idea
      RSA Signatures and ElGamal Signatures
      Inefficiencies: Hashing and Signing
    Hash Functions:
      Definitions and terminology
      CHP Hash
      SHA-1
    Message Authentication Codes

    Note: Some attacks will be discussed. More attacks and cryptanalysis will come later in the semester.

  • 4/33

    Primitive Roots

    Consider the following powers of 3 (mod 7):

    $3^1 \equiv 3,\; 3^2 \equiv 2,\; 3^3 \equiv 6,\; 3^4 \equiv 4,\; 3^5 \equiv 5,\; 3^6 \equiv 1 \pmod 7$

    Note that we obtain all non-zero numbers mod 7. When this happens, we call 3 a primitive root (or generator) mod 7.

    Is a number always a primitive root? No.

    If p is prime there are $\phi(p-1)$ primitive roots mod p. How to find them? Good homework problem!

    Proposition: Let g be a primitive root for the prime p.

    1. If n is an integer, then $g^n \equiv 1 \pmod p$ if and only if $n \equiv 0 \pmod{p-1}$.

  • 5/33

    Discrete Logarithms

    Let p be a prime, and $\alpha$ and $\beta$ non-zero integers (mod p) with $\beta \equiv \alpha^x \pmod p$.

    The problem of finding x is called the discrete logarithm problem, and is written: $x = L_\alpha(\beta)$

    Often $\alpha$ will be a primitive root mod p.

    The discrete log behaves like the normal log in many ways: $L_\alpha(\beta_1 \beta_2) \equiv L_\alpha(\beta_1) + L_\alpha(\beta_2) \pmod{p-1}$

    Generally, finding the discrete log is a hard problem. $f(x) = \alpha^x \pmod p$ is an example of a one-way function.
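    The definitions on slides 4 and 5 checked by brute force on a toy prime. This is an added example, not code from the lecture; the prime p = 23 and the messages are constructed, and the exhaustive search is only usable at this size (that is the one-way property the slide is talking about).

```python
"""Added example (not from the lecture slides): primitive roots and the
discrete logarithm for a small prime, brute-forced so the definitions on the
slide can be checked by hand.  Assumes a toy prime p = 23 (constructed)."""
from math import gcd


def is_primitive_root(g: int, p: int) -> bool:
    """g is a primitive root mod p iff its powers g^1..g^(p-1) hit every
    non-zero residue, i.e. the smallest n > 0 with g^n = 1 is n = p - 1."""
    if g % p == 0:
        return False
    seen = set()
    x = 1
    for _ in range(p - 1):
        x = (x * g) % p
        seen.add(x)
    return len(seen) == p - 1


def primitive_roots(p: int) -> list[int]:
    return [g for g in range(1, p) if is_primitive_root(g, p)]


def euler_phi(n: int) -> int:
    """phi(n): the slide's count of primitive roots is phi(p-1)."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def dlog(alpha: int, beta: int, p: int) -> int:
    """Brute-force L_alpha(beta): the x in [0, p-2] with alpha^x = beta (mod p).
    Exponential in the size of p; only fine for toy primes."""
    x, cur = 0, 1
    while cur != beta % p:
        cur = (cur * alpha) % p
        x += 1
        if x >= p - 1:
            raise ValueError("beta is not a power of alpha mod p")
    return x


if __name__ == "__main__":
    p = 23
    roots = primitive_roots(p)
    print(roots, len(roots), euler_phi(p - 1))   # phi(22) = 10 primitive roots
    a = roots[0]
    b1, b2 = 7, 13
    # the log property from the slide: L(b1*b2) = L(b1) + L(b2) mod (p-1)
    print(dlog(a, b1 * b2 % p, p), (dlog(a, b1, p) + dlog(a, b2, p)) % (p - 1))
```

    Note that 2 is not a primitive root mod 23 even though 23 is prime (its powers only reach 11 residues), which is the slide's "Is a number always a primitive root? No."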

  • 6/33

    ElGamal Public Key Cryptosystem

    One way functions are often used to construct public key cryptosystems. We saw one in RSA; we now show an example using the DLOG problem.

    Alice wants to send m to Bob. Bob chooses a large prime p and a primitive root $\alpha$. We assume $0 < m < p$. Bob also chooses a secret integer a and computes $\beta \equiv \alpha^a \pmod p$.

    Bob's Public key is: $(p, \alpha, \beta)$

    Alice does:

    1. Chooses a secret random integer k and computes $r \equiv \alpha^k \pmod p$

  • 7/33

    ElGamal Public Key Cryptosystem, pg. 2

    Important issues!

    a must be kept secret, else Eve can decrypt.

    Eve sees (r, t): t is the product of two random numbers and is hence random. Knowing r does not really help, as Eve would need to be able to solve DLOG in order to get k.

    Very important: A different random k must be used for each message. If we have $m_1$ and $m_2$ ...
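    The scheme of slides 6 and 7 in code, including the failure the slide warns about. This is an added example and not the lecture's own code; p = 467 and the primitive root 2 are constructed toy parameters, and the steps after "Alice does: 1." (t = beta^k m, send (r, t), Bob recovers m with a) are the standard textbook ElGamal that the slide is describing.

```python
"""Added example (not from the lecture slides): textbook ElGamal encryption
over a toy prime, plus what goes wrong when the per-message k is reused.
p = 467 and alpha = 2 are constructed parameters (2 is a primitive root mod
467); nothing here is production code."""
import secrets

P, ALPHA = 467, 2


def keygen(p=P, alpha=ALPHA):
    a = secrets.randbelow(p - 2) + 1          # Bob's secret exponent, 1 <= a <= p-2
    beta = pow(alpha, a, p)                   # beta = alpha^a (mod p)
    return (p, alpha, beta), a                # public key (p, alpha, beta), private a


def encrypt(pub, m, k=None):
    p, alpha, beta = pub
    assert 0 < m < p
    if k is None:
        k = secrets.randbelow(p - 2) + 1      # fresh random k for every message
    r = pow(alpha, k, p)                      # r = alpha^k
    t = pow(beta, k, p) * m % p               # t = beta^k * m: m masked by a random-looking factor
    return r, t


def decrypt(priv_a, pub, ct):
    p = pub[0]
    r, t = ct
    # beta^k = (alpha^a)^k = r^a, so m = t * (r^a)^(-1) mod p; only a is needed
    return t * pow(pow(r, priv_a, p), -1, p) % p


def recover_m2_from_reused_k(ct1, m1, ct2, p=P):
    """Eve's attack when two messages share k: t1/t2 = m1/m2 (mod p), so knowing
    m1 gives m2 without a, k, or any discrete log.  Eve can spot the reuse
    because the two ciphertexts carry the same r."""
    (r1, t1), (r2, t2) = ct1, ct2
    assert r1 == r2, "same k => same r; otherwise the attack does not apply"
    return t2 * pow(t1, -1, p) * m1 % p
```

    The recovery function is the content of the truncated "If we have m1 and m2" sentence: with a shared k the mask beta^k is identical, so the ratio of the t values is the ratio of the plaintexts.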

  • 8/33

    Overview of Digital Signatures

    Suppose you have an electronic document (e.g. a Word file). How do you sign the document to prove to someone that it belongs to you?

    You can't use a scanned signature at the end; this is easy to forge and use elsewhere. Conventional signing can't work in the digital world.

    We require a digital signature to satisfy:

    1. Digital signatures can't be separated from the message and attached to another message.

  • 9/33

    An Application for Digital Signatures

    Suppose we have two countries, A and B, that have agreed not to test any nuclear bombs (which produce seismic waves when detonated). How can A monitor B by using seismic sensors?

    1. The sensors need to be in country B, but A needs to access them. There is a conflict here.

  • 10/33

    Treaty Verification Example

    RSA provides a solution:

    1. Country A makes an RSA public/private key. (n, e) are given to B but (p, q, d) are kept private in the tamper-proof sensor.

  • 11/33

    RSA Signatures

    The treaty example is an example of RSA signatures. We now formalize it with Alice and Bob.

    Alice publishes $(n, e_A)$ and keeps private $(p, q, d_A)$.

    Alice signs m by calculating $y \equiv m^{d_A} \pmod n$. The pair (m, y) is the signed document.

    Bob can check that Alice signed m by:

    1. Downloading Alice's $(n, e_A)$ from a trusted third party. Guaranteeing that he gets the right $(n, e_A)$ is another problem (we'll talk about this in a later lecture).

  • 12/33

    RSA Signatures, pg. 2

    Suppose Eve wants to attach Alice's signature to another message $m_1$. She cannot simply use $(m_1, y)$ since $y^{e_A} \equiv m \not\equiv m_1 \pmod n$. Therefore, she needs $y_1$ with $y_1^{e_A} \equiv m_1 \pmod n$.

    $m_1$ looks like a ciphertext and $y_1$ like a plaintext. In order for Eve to make a fake $y_1$ she needs to be able to decrypt $m_1$ to get $y_1$. She can't, due to the hardness of RSA.

    Existential Forgery: Eve could choose $y_1$ first and then calculate an $m_1$ using $(n, e_A)$ via $m_1 \equiv y_1^{e_A} \pmod n$. Now $(m_1, y_1)$ will look like a valid message and signature that Alice created, since $m_1 \equiv y_1^{e_A} \pmod n$.

    Problem with existential forgery: Eve has made an $m_1$ that has a signature, but $m_1$ might be gibberish. Usefulness of existential forgery depends on whether there is an underlying "language" structure.

  • 13/33

    Blind RSA Signatures

    Sometimes we might want Alice to sign a document without knowing its contents (e.g. privacy concerns: purchaser does not want Bank to know what is being purchased, but wants Bank to authorize purchase).

    We can accomplish this with RSA signatures (Bob wants Alice to sign a document m):

    1. Alice generates an RSA public and private key pair.
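    Slides 11 to 13 in one runnable piece: textbook RSA signing and checking, Eve's existential forgery, and blind signing. This is an added example rather than the lecture's code. The toy primes are constructed, and the blinding steps after the slide's step 1 (Bob blinds with a random r, Alice signs the blinded value, Bob divides r back out) are the standard Chaum construction that the slide is introducing.

```python
"""Added example (not from the lecture slides): textbook RSA signatures,
Eve's existential forgery, and Chaum-style blind signing.  The primes are
small constructed values so everything is checkable by hand; textbook RSA
without padding is exactly what makes the forgery on slide 12 work."""
from math import gcd
import secrets

# constructed toy key; real keys use 1024+ bit primes and a padding scheme
P, Q = 1009, 1013
N = P * Q
PHI = (P - 1) * (Q - 1)
E_A = 65537
D_A = pow(E_A, -1, PHI)            # d_A = e_A^{-1} mod phi(n)


def sign(m: int, d=D_A, n=N) -> int:
    """Alice: y = m^d_A (mod n); (m, y) is the signed document."""
    return pow(m, d, n)


def verify(m: int, y: int, e=E_A, n=N) -> bool:
    """Bob: accept iff y^e_A = m (mod n)."""
    return pow(y, e, n) == m % n


def existential_forgery(y1: int, e=E_A, n=N):
    """Eve picks the signature first and derives the 'message' m1 = y1^e_A.
    (m1, y1) verifies, but m1 is whatever falls out, usually gibberish."""
    return pow(y1, e, n), y1


# Chaum blind signature (standard construction; the slide shows only step 1)
def blind(m: int, e=E_A, n=N):
    """Bob: pick random r with gcd(r, n) = 1 and send t = r^e * m (mod n).
    Alice sees t, which is m multiplied by a uniformly random unit."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return pow(r, e, n) * m % n, r


def unblind(signed_t: int, r: int, n=N) -> int:
    """Bob: (r^e m)^d = r * m^d, so dividing by r leaves Alice's signature on m."""
    return signed_t * pow(r, -1, n) % n
```

    The forgery works because nothing ties m to a "language": real deployments hash and pad the message before exponentiation, which is what slide 16 onward builds up to.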

  • 14/33

    ElGamal Signatures

    We may modify the ElGamal public key procedure to become a signature scheme.

    Alice wants to sign m. Alice chooses a large prime p and a primitive root $\alpha$. Alice also chooses a secret integer a and computes $\beta \equiv \alpha^a \pmod p$.

    Alice's Public key is: $(p, \alpha, \beta)$. Security of the signature depends on the fact that a is private.

    Alice does:

    1. Chooses a secret random integer k with $\gcd(k, p-1) = 1$, and computes $r \equiv \alpha^k \pmod p$

  • 15/33

    ElGamal Signatures, pg. 2

    Bob can verify by:

    1. Downloading Alice's public key $(p, \alpha, \beta)$.
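    The signature scheme of slides 14 and 15, with the steps the slides cut off. This is an added example, not the lecture's code; p = 467 and alpha = 2 are constructed toy parameters, and the completion used here is the standard ElGamal signature: s = k^{-1}(m - a r) mod (p-1), signature (r, s), accept iff beta^r r^s = alpha^m (mod p). It also shows why the gcd condition on k and the "fresh k per message" rule matter.

```python
"""Added example (not from the lecture slides): ElGamal signatures over the
toy prime p = 467 with primitive root alpha = 2 (constructed).  Slides 14-15
show only the first step of signing and verifying; the remaining steps here
are the standard scheme."""
from math import gcd
import secrets

P, ALPHA = 467, 2


def keygen(p=P, alpha=ALPHA):
    a = secrets.randbelow(p - 2) + 1
    return (p, alpha, pow(alpha, a, p)), a    # public (p, alpha, beta), private a


def sign(m: int, a: int, pub, k=None):
    p, alpha, _ = pub
    if k is None:
        # k must be invertible mod p-1 (gcd = 1) and fresh for every message
        while True:
            k = secrets.randbelow(p - 2) + 1
            if gcd(k, p - 1) == 1:
                break
    if gcd(k, p - 1) != 1:
        raise ValueError("k must be coprime to p-1, otherwise k^{-1} does not exist")
    r = pow(alpha, k, p)
    s = pow(k, -1, p - 1) * (m - a * r) % (p - 1)
    return r, s


def verify(m: int, sig, pub) -> bool:
    p, alpha, beta = sig_pub = pub
    r, s = sig
    if not 0 < r < p:                          # reject out-of-range r
        return False
    # beta^r r^s = alpha^{a r} alpha^{k s} = alpha^{a r + (m - a r)} = alpha^m
    return pow(beta, r, p) * pow(r, s, p) % p == pow(alpha, m % (p - 1), p)


def recover_a_from_reused_k(m1, sig1, m2, sig2, p=P):
    """Two signatures with the same k: s1 - s2 = k^{-1}(m1 - m2) mod (p-1),
    which gives k, and then a = (m1 - k s1) r^{-1} mod (p-1).  Works whenever
    the two inverses exist; the private key is gone either way."""
    (r, s1), (r2, s2) = sig1, sig2
    assert r == r2, "same k => same r"
    k = (m1 - m2) * pow(s1 - s2, -1, p - 1) % (p - 1)
    return (m1 - k * s1) * pow(r, -1, p - 1) % (p - 1)
```

    In practice m is the hash of the document rather than the document itself, which is the point of the "Inefficiencies: Hashing and Signing" part of the outline.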

  • 16/33

    Wastefulness of plain signatures

    In signature schemes with appendix, where we attach the signature to the end of the document, we increase the communication overhead.

    If we have a long message $m = [m_1, m_2, \ldots]$ ...

  • 17/33

    Hash Functions

    Straight-forward application of digital signatures can be expensive when the message is large.

    In general, many security protocols benefit from using a "digested" or "compressed" representative of a message. We typically need additional cryptographic properties in order for the compression operation to be useful.

    This "compression function" is a hash function: $h: \text{Domain} \to \text{Range},\; m \mapsto h(m)$

  • 18/33

    Hash Functions, pg. 2

    Formally, a cryptographic hash function h takes an input message of arbitrary length and produces a message digest of fixed length, and satisfies:

    1. Given a message m, h(m) is quick to calculate.
    2. One-way (preimage resistance): Given a digest y, it is computationally infeasible to find an m with h(m) = y.
    3. Strongly Collision Free: It is computationally infeasible to find messages $m_1$ and $m_2$ ...

  • 19/33

    Chaum, van Heijst, Pfitzmann Hash

    We may use the DLOG problem to construct a hash function.

    Choose a prime p such that $q = (p-1)/2$ is also prime. (There's an algorithm for doing this, but that's not our goal today.) Choose two primitive roots $\alpha$ and $\beta$.

    The hash function h(m) will take integers (mod $q^2$) ...

  • 20/33

    CHP Hash is strongly collision-free

    Proposition: If we know $h(m) = h(m')$ with $m \neq m'$, then we can solve the discrete logarithm $L_\alpha(\beta)$.

    Proof: Will be given on the board after we cover all of the slides.
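    The reduction behind the proposition, carried out on toy parameters. This is an added example and not the lecture's board proof; p = 23, q = 11, alpha = 5, beta = 7 are constructed (both are primitive roots mod 23). Slide 19 says only that h acts on integers mod q^2; the split m = x0 + x1 q with h(m) = alpha^x0 beta^x1 (mod p) used here is the standard CHP definition.

```python
"""Added example (not from the lecture slides): the Chaum-van Heijst-Pfitzmann
hash on toy parameters, and the reduction behind the slide-20 proposition:
any collision hands you L_alpha(beta).  Constructed parameters: p = 23,
q = 11, alpha = 5, beta = 7 (both primitive roots mod 23)."""
from math import gcd

P, Q, ALPHA, BETA = 23, 11, 5, 7


def chp_hash(m: int, p=P, q=Q, alpha=ALPHA, beta=BETA) -> int:
    """h(m) = alpha^x0 * beta^x1 (mod p) where m = x0 + x1*q, 0 <= x0, x1 < q."""
    if not 0 <= m < q * q:
        raise ValueError("message must lie in [0, q^2)")
    x0, x1 = m % q, m // q
    return pow(alpha, x0, p) * pow(beta, x1, p) % p


def find_collision(p=P, q=Q):
    """Brute force over all q^2 inputs; only the toy size makes this possible.
    Returns the first pair (m, m') with m != m' and h(m) == h(m')."""
    seen = {}
    for m in range(q * q):
        d = chp_hash(m, p, q)
        if d in seen:
            return seen[d], m
        seen[d] = m
    return None


def dlog_from_collision(m, m_prime, p=P, q=Q, alpha=ALPHA, beta=BETA) -> int:
    """alpha^x0 beta^x1 = alpha^x0' beta^x1'  =>  alpha^(x0-x0') = beta^(x1'-x1).
    With a = L_alpha(beta):  x0 - x0' = a (x1' - x1)  (mod p-1).
    Since p-1 = 2q and |x1' - x1| < q, gcd(x1' - x1, p-1) is 1 or 2, so there
    are at most two candidates for a; keep the one with alpha^a = beta."""
    x0, x1 = m % q, m // q
    y0, y1 = m_prime % q, m_prime // q
    lhs = (x0 - y0) % (p - 1)
    d = (y1 - x1) % (p - 1)
    if d == 0:
        # x1 == x1' forces x0 == x0' (|x0 - x0'| < q < p-1), i.e. m == m'
        raise ValueError("not a genuine collision")
    g = gcd(d, p - 1)
    if lhs % g:
        raise ValueError("inconsistent collision")
    mod = (p - 1) // g
    base = (lhs // g) * pow(d // g, -1, mod) % mod
    for a in range(base, p - 1, mod):
        if pow(alpha, a, p) == beta:
            return a
    raise ValueError("no solution found")
```

    The reduction is the whole security argument: as long as nobody can compute L_alpha(beta) for the real-sized p, nobody can exhibit a collision either.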

  • 21/33

    SHA-1

    In order to get fast hash functions, we need to operate at the bit level. SHA-1 is one such algorithm.

    Many of the popular hash functions (e.g. MD5, SHA-1) use an iterative design: Start with a message m of arbitrary length and break it into n-bit blocks, $m = [m_1, m_2, \ldots]$ ...

  • 22/33

    SHA-1, pg. 2

    In SHA-1, we pad according to the rule:

    Start with a message m of arbitrary length and break it into n-bit blocks. The last block is padded with a 1 followed by enough 0 bits to make the new message 64 bits short of a multiple of 512 bits; the final 64 bits hold the length of the original message in bits.

    The appended message becomes $m = [m_1, \ldots$

  • 23/33

    SHA-1, pg. 3 (Basic Operations)

    We will need the following bit operations:

  • 24/33

    SHA-1, pg. 4 (Basic Algorithm)

  • 25/33

    SHA-1, pg. 5 (Inside the Alg.)

    Initial 160-bit register $X_0 = [H_0, H_1, H_2, H_3, H_4]$

  • 26/33

    SHA-1, pg. 6 (Subregister Operations)

    • The operations done by $f_t(B, C, D)$ depend on the round number t
    • The word $W_t$ depends on the round number t
    • The constant $K_t$ depends on the round number t

  • 27/33

    Message Authentication Codes

    A message authentication code (MAC) is a function that is used to prevent alteration of messages: MACs use a shared key K between Alice and Bob.

    Alice will send not only the message m, but also $\text{MAC}_K(m)$. Bob checks whether the attached MAC matches what he calculates. Eve cannot alter the message because she does not have K.

    The MAC takes two inputs: the key K and an arbitrary size m. Ideally, a MAC should be a random mapping from all possible inputs to n bits of output.

    The uncertainty (and security) of the MAC is directly associated with the size of the key. Remember: to Eve, the message is known, so it's the key that contains the security.

  • 28/33

    CBC-MAC

    CBC-MAC is a method for turning a block cipher into a MAC:

    Idea: encrypt m using CBC mode and throw away all but the last block of ciphertext.

    For messages $P_1, P_2, \ldots$

  • 29/33

    CBC-MAC, pg. 2

    Be careful when using CBC-MAC. Here's a possible protocol failure:

    Observe: Fix K. If $\text{MAC}(a) = \text{MAC}(b)$, then $\text{MAC}(a \| c) = \text{MAC}(b \| c)$, where c is a single block length in size.

    1. Now, suppose an attacker collects many MAC values and finds a collision. This gives a and b for which $\text{MAC}(a) = \text{MAC}(b)$.

  • 30/33

    CBC-MAC, pg. 3

    Practical Implementation Details:

    1. Generally, if your message is m, do not just calculate MAC(m); rather you should make an intermediate message $s = (l \| m)$, where l is the length of m in a fixed-length format.
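    Slides 28 to 30 together: CBC-MAC, the collision-then-extend failure, and the length-prefix fix. This is an added example, not the lecture's code. Two constructed choices make the attack runnable in a test: the block (and tag) size is 16 bits so a birthday collision appears after a few hundred queries, and a keyed SHA-256 truncation stands in for a real block cipher such as AES (CBC-MAC only ever calls the forward direction, so a pseudorandom function is enough to show the structure).

```python
"""Added example (not from the lecture slides): CBC-MAC, the collision-extension
failure from slide 29, and the length-prefix fix from slide 30.  Toy 16-bit
blocks and a PRF stand-in for the block cipher are constructed for the demo."""
import hashlib
import hmac

BLOCK = 2  # bytes; constructed toy size, real ciphers use 16


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_K on one block: PRF output truncated to BLOCK bytes."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def pad(msg: bytes) -> bytes:
    """Zero-pad to a whole number of blocks (enough for the demo)."""
    return msg + b"\x00" * (-len(msg) % BLOCK)


def cbc_mac(key: bytes, msg: bytes) -> bytes:
    """CBC encryption with a zero IV, keeping only the last ciphertext block."""
    state = bytes(BLOCK)
    data = pad(msg)
    for i in range(0, len(data), BLOCK):
        xored = bytes(x ^ y for x, y in zip(state, data[i:i + BLOCK]))
        state = block_encrypt(key, xored)
    return state


def find_collision(key: bytes, tries: int = 20000):
    """Attacker view (slide 29, step 1): collect tags on single-block messages
    until MAC(a) == MAC(b).  With a 16-bit tag a birthday collision needs a
    few hundred tries; the attacker never learns the key."""
    seen = {}
    for i in range(tries):
        msg = i.to_bytes(BLOCK, "big")
        tag = cbc_mac(key, msg)
        if tag in seen:
            return seen[tag], msg
        seen[tag] = msg
    return None


def extension_forgery_works(key: bytes, a: bytes, b: bytes, c: bytes) -> bool:
    """Slide 29: once MAC(a) == MAC(b), a tag obtained for a||c is also valid
    for b||c, because the final CBC step only sees (MAC(a) xor c)."""
    return cbc_mac(key, a + c) == cbc_mac(key, b + c)


def length_prefixed_mac(key: bytes, msg: bytes) -> bytes:
    """Slide 30 fix: MAC the string s = (l || m) with l a fixed-width length."""
    return cbc_mac(key, len(msg).to_bytes(4, "big") + msg)


def forgery_survives_length_prefix(key: bytes, a: bytes, b: bytes, c: bytes) -> bool:
    """With the prefix, the tag the attacker can obtain is over (len(a)||a||c);
    the receiver of b||c recomputes over (len(b||c)||b||c), a different string,
    so the collision on a and b no longer transfers."""
    attacker_tag = cbc_mac(key, len(a).to_bytes(4, "big") + a + c)
    return attacker_tag == length_prefixed_mac(key, b + c)
```

    The fix works because the length field lands in the first block, so the colliding prefixes a and b are now tags over different strings than the forged message the receiver will actually check.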

  • 31/33

    HMAC

    We may also use hash functions to build MACs.

    We cannot simply use $\text{MAC}(m) = h(K \| m)$ or $h(m \| K)$:

    Having the key at the front allows for length extension attacks.
    Having the key at the end exposes the MAC to collision attacks on h: an offline collision $h(m) = h(m')$ gives $h(m \| K) = h(m' \| K)$.

    Designers of HMAC considered these issues. HMAC computes

    $\text{MAC}(m) = h\big((K \oplus a) \,\|\, h((K \oplus b) \,\|\, m)\big)$

    where a and b are constants that are specified (the opad and ipad of RFC 2104).

    HMAC has been around for a while and has been cryptanalyzed. It's the preferred MAC to use.

  • 32/33

    Using MACs

    We must be careful using MACs.

    If Alice sends Bob $[m \| \text{MAC}(m)]$ and Eve records this, she may send it again at a later time (the replay attack).

    Generally, you want to authenticate not just the message, but the context. That is, you want to authenticate m and additional data d (such as message number, source, destination, protocol identifier, sizes for different fields, etc.).

    Why all these possibilities? If you tie the message to the specific context, then it is harder for an adversary to manipulate context fields to forge.

    Make certain, though, that you have clear rules on how to split concatenations $(d \| m)$ back into d and m.
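    The two warnings on this slide, replay and ambiguous splitting, in code. This is an added example and not the lecture's code; it uses HMAC-SHA256 from the Python standard library, and the key, field names and sample values are constructed. The point the slide makes is that $d \| m$ as plain concatenation is not a function of the pair (d, m), so two different contexts can carry the same tag.

```python
"""Added example (not from the lecture slides): why the split rule on slide 32
matters.  Naive concatenation d || m lets two different (d, m) pairs produce the
same bytes and therefore the same MAC; a length-prefixed encoding makes the
split unambiguous, and a remembered sequence number stops replays.  Key and
fields are constructed."""
import hashlib
import hmac

KEY = b"constructed-demo-key"


def naive_mac(d: bytes, m: bytes) -> bytes:
    """MAC over plain concatenation: the receiver cannot tell where d ends."""
    return hmac.new(KEY, d + m, hashlib.sha256).digest()


def encode(fields: list[bytes]) -> bytes:
    """Unambiguous encoding: a 4-byte big-endian length before every field."""
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def decode(blob: bytes) -> list[bytes]:
    """Inverse of encode; rejects truncated input instead of guessing."""
    out, i = [], 0
    while i < len(blob):
        if i + 4 > len(blob):
            raise ValueError("truncated length prefix")
        n = int.from_bytes(blob[i:i + 4], "big")
        i += 4
        if i + n > len(blob):
            raise ValueError("truncated field")
        out.append(blob[i:i + n])
        i += n
    return out


def context_mac(seq: int, src: bytes, dst: bytes, m: bytes) -> bytes:
    """Slide 32's advice: bind the message to its context (message number,
    source, destination) and MAC the canonical encoding of all of it."""
    return hmac.new(KEY, encode([seq.to_bytes(8, "big"), src, dst, m]),
                    hashlib.sha256).digest()


def verify(seq: int, src: bytes, dst: bytes, m: bytes, tag: bytes, seen_seqs: set) -> bool:
    """Constant-time compare, then reject replays by remembering used seq numbers."""
    if not hmac.compare_digest(context_mac(seq, src, dst, m), tag):
        return False
    if seq in seen_seqs:
        return False
    seen_seqs.add(seq)
    return True
```

    The first assertion in the accompanying check is the whole problem: "transfer:" || "10USD" and "transfer:1" || "0USD" are the same bytes, so their naive MACs agree even though the amount differs.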

  • 33/33

    Problems with Hashes

    We must be careful when using hash functions; they are subject to some "attacks".

    Length Extension Attack: Consider a block-based hash like SHA-1, with input blocks $m = (m_1, m_2, \ldots$
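    A from-scratch SHA-1 (the padding rule of slide 22, the 160-bit register of slide 25 and the round-dependent f_t, W_t, K_t of slide 26) used to carry out the length extension attack this slide introduces against the h(K || m) construction that slide 31 rejects, with HMAC shown as the fix. This is an added example, not the lecture's code; the SHA-1 constants are the published ones, and the secret key, message and suffix are constructed.

```python
"""Added example (not from the lecture slides): a from-scratch SHA-1 whose
internal register can be resumed, which is exactly what the length-extension
attack abuses against MAC(m) = h(K || m).  Key/message/suffix are constructed."""
import hashlib
import hmac
import struct


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def sha1_pad(msg_len: int) -> bytes:
    """Slide 22: a 1 bit, then 0 bits to 64 bits short of a 512-bit multiple,
    then the original length in bits as a 64-bit big-endian integer."""
    return b"\x80" + b"\x00" * ((55 - msg_len) % 64) + struct.pack(">Q", msg_len * 8)


def sha1(msg: bytes, state=None, total_len=None) -> bytes:
    """SHA-1 over msg.  state/total_len let a caller resume from a known digest
    as if the bytes producing that digest had already been absorbed."""
    h = list(state) if state else [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    data = msg + sha1_pad(total_len if total_len is not None else len(msg))
    for off in range(0, len(data), 64):
        w = list(struct.unpack(">16I", data[off:off + 64]))
        for t in range(16, 80):                       # message schedule W_t
            w.append(_rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
        a, b, c, d, e = h
        for t in range(80):                           # f_t and K_t depend on the round
            if t < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif t < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif t < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            tmp = (_rotl(a, 5) + f + e + k + w[t]) & 0xFFFFFFFF
            a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5I", *h)


def naive_mac(key: bytes, msg: bytes) -> bytes:
    """The construction slide 31 warns against: h(K || m)."""
    return sha1(key + msg)


def length_extend(tag: bytes, key_len: int, msg: bytes, suffix: bytes):
    """Attacker knows tag = h(K||m) and len(K) but not K.  The tag is the
    register after absorbing pad(K||m), so resuming from it and feeding suffix
    yields a valid tag for K || m || glue || suffix without learning K."""
    glue = sha1_pad(key_len + len(msg))
    forged_msg = msg + glue + suffix
    state = struct.unpack(">5I", tag)
    forged_tag = sha1(suffix, state=state, total_len=key_len + len(forged_msg))
    return forged_msg, forged_tag


def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    """Slide 31's answer: h((K xor opad) || h((K xor ipad) || m)).  The outer
    hash hides the inner register, so there is no state to resume from."""
    return hmac.new(key, msg, hashlib.sha1).digest()
```

    The forged message contains the padding bytes as "glue", which is why the attack is only useful where the receiver tolerates binary junk in the middle of the data; many parsers do, which is exactly why HMAC exists.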