Pasang Surut
-
Transcript of Pasang Surut
-
5/18/2018 Pasang Surut
Authentication Methods: From Digital Signatures to Hashes
-
Lecture Motivation
We have looked at confidentiality services, and also examined the information theoretic framework for security. Confidentiality between Alice and Bob only guarantees that Eve cannot read the message; it does not address:
Is Alice really talking to Bob?
Is Bob really talking to Alice?
In this lecture, we will look at the following problems:
Entity Authentication: Proof of the identity of an individual
Message Authentication (data origin authentication): Proof that the source of information really is what it claims to be
Message Signing: Binding information to a particular entity
Data Integrity: Ensuring that information has not been altered by unknown entities
-
Lecture Outline
Discrete Logarithms and ElGamal
Primitive elements and some more number theory (quickly)
DLOG
ElGamal, another Public Key Algorithm!
Digital Signatures:
The basic idea. RSA Signatures and ElGamal Signatures
Inefficiencies: Hashing and Signing
Hash Functions:
Definitions and terminology. CHP Hash
SHA-1
Message Authentication Codes
Note: Some attacks will be discussed. More attacks and cryptanalysis will come later in the semester.
-
Primitive Roots
Consider the following powers of 3 (mod 7): 3^1 ≡ 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1.
Note that we obtain all nonzero numbers mod 7.
When this happens, we call 3 a primitive root (or generator) mod 7.
Is a number always a primitive root? No.
If p is prime there are φ(p-1) primitive roots mod p.
How to find them? Good homework problem!
Proposition: Let g be a primitive root for the prime p.
1. If n is an integer, then g^n ≡ 1 (mod p) if and only if n ≡ 0 (mod p-1).
-
Discrete Logarithms
Let p be a prime, and α and β nonzero integers (mod p) with β ≡ α^x (mod p).
The problem of finding x is called the discrete logarithm problem, and is written: x = L_α(β).
Often α will be a primitive root mod p.
The discrete log behaves like the normal log in many ways.
Generally, finding the discrete log is a hard problem.
f(x) ≡ α^x (mod p) is an example of a one-way function.
-
ElGamal Public Key Cryptosystem
One-way functions are often used to construct public key cryptosystems. We saw one in RSA; we now show an example using the DLOG problem.
Alice wants to send m to Bob. Bob chooses a large prime p and a primitive root α. We assume 0 ≤ m < p. Bob also chooses a secret integer a and computes β ≡ α^a (mod p).
Bob's public key is: (p, α, β)
Alice does:
1. Chooses a secret random integer k and computes r ≡ α^k (mod p)
-
ElGamal Public Key Cryptosystem, pg. 2
Important issues!
a must be kept secret, else Eve can decrypt.
Eve sees (r, t): t is the product of two random numbers and is hence random. Knowing r does not really help, as Eve would need to be able to solve DLOG in order to get k.
Very important: A different random k must be used for each message.
If we have m1 and m
-
Overview of Digital Signatures
Suppose you have an electronic document (e.g. a Word file). How do you sign the document to prove to someone that it belongs to you?
You can't use a scanned signature at the end; this is easy to forge and use elsewhere.
Conventional signing can't work in the digital world.
We require a digital signature to satisfy:
1. Digital signatures can't be separated from the message and attached to another message.
-
An Application for Digital Signatures
Suppose we have two countries, A and B, that have agreed not to test any nuclear bombs (which produce seismic waves when detonated). How can A monitor B by using seismic sensors?
1. The sensors need to be in country B, but A needs to access them. There is a conflict here.
-
Treaty Verification Example
RSA provides a solution:
1. Country A makes an RSA public/private key. (n, e) are given to B but (p, q, d) are kept private in the tamper-proof sensor.
-
RSA Signatures
The treaty example is an example of RSA signatures. We now formalize it with Alice and Bob.
Alice publishes (n, eA) and keeps private (p, q, dA).
Alice signs m by calculating y ≡ m^dA (mod n). The pair (m, y) is the signed document.
Bob can check that Alice signed m by:
1. Downloading Alice's (n, eA) from a trusted third party. Guaranteeing that he gets the right (n, eA) is another problem (we'll talk about this in a later lecture).
-
RSA Signatures, pg. 2
Suppose Eve wants to attach Alice's signature to another message m1. She cannot simply use (m1, y) since y^eA ≢ m1 (mod n).
Therefore, she needs y1 with y1^eA ≡ m1 (mod n).
m1 looks like a ciphertext and y1 like a plaintext. In order for Eve to make a fake y1 she needs to be able to decrypt m1 to get y1. She can't, due to the hardness of RSA.
Existential Forgery: Eve could choose y1 first and then calculate an m1 using (n, eA) via m1 ≡ y1^eA (mod n). Now (m1, y1) will look like a valid message and signature that Alice created, since m1 ≡ y1^eA (mod n).
Problem with existential forgery: Eve has made an m1 that has a signature, but m1 might be gibberish.
Usefulness of existential forgery depends on whether there is an underlying "language" structure.
-
Blind RSA Signatures
Sometimes we might want Alice to sign a document without knowing its contents (e.g. privacy concerns: the purchaser does not want the Bank to know what is being purchased, but wants the Bank to authorize the purchase).
We can accomplish this with RSA signatures (Bob wants Alice to sign a document m):
1. Alice generates an RSA public and private key pair.
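A worked version of the RSA signing, existential forgery and blinding steps above, added here as an example and not taken from the lecture. It uses a constructed toy key (n = 3233, eA = 17, dA = 2753), fills in the standard Chaum blinding steps that the transcript cuts off (Bob blinds with r^eA and unblinds by dividing by r), and adds a hash-then-sign variant to show why Eve's existential forgery stops being useful once a digest is what gets signed.

```python
import hashlib

# Constructed toy RSA key (p = 61, q = 53): n = 3233, eA = 17, dA = 2753. Far too small for real use.
N, E, D = 3233, 17, 2753

def rsa_sign(m):
    # Alice: y = m^dA (mod n); the pair (m, y) is the signed document
    return pow(m, D, N)

def rsa_verify(m, y):
    # Bob: accept iff y^eA == m (mod n)
    return pow(y, E, N) == m % N

def existential_forgery(y1):
    # Eve picks y1 first and computes m1 = y1^eA (mod n); (m1, y1) verifies, but m1 is whatever falls out
    return pow(y1, E, N), y1

def blind(m, r):
    # Bob blinds m with a random r coprime to n before handing it to Alice (Chaum blinding, assumed here)
    return m * pow(r, E, N) % N

def unblind(y_blind, r):
    # (m * r^eA)^dA = m^dA * r (mod n), so dividing by r leaves Alice's signature on m
    return y_blind * pow(r, -1, N) % N

def h(data):
    # Digest reduced mod n so it is a valid signing input; a toy stand-in for hash-then-sign
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign_hashed(data):
    # Sign the digest rather than the message itself
    return pow(h(data), D, N)

def verify_hashed(data, y):
    # Eve can still produce m1 = y1^eA, but needs a message whose digest equals m1 (a preimage)
    return pow(y, E, N) == h(data)
```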
-
ElGamal Signatures
We may modify the ElGamal public key procedure to become a signature scheme.
Alice wants to sign m. Alice chooses a large prime p and a primitive root α. Alice also chooses a secret integer a and computes β ≡ α^a (mod p).
Alice's public key is: (p, α, β). Security of the signature depends on the fact that a is private.
Alice does:
1. Chooses a secret random integer k with gcd(k, p-1) = 1, and computes r ≡ α^k (mod p)
-
ElGamal Signatures, pg. 2
Bob can verify by:
1. Downloading Alice's public key (p, α, β).
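Added example (not from the lecture notes) covering the primitive-root test, ElGamal encryption and the ElGamal signature above. The steps the transcript cuts off are filled in with the standard scheme (encryption: t ≡ β^k m; signing: s ≡ k^{-1}(m - ar) mod (p-1); Bob checks β^r r^s ≡ α^m), and the last function checks the "different k for each message" warning. Parameters are a constructed toy prime p = 467 with α = 2.

```python
def prime_factors(n):
    # Distinct prime factors of n by trial division (fine for the toy sizes used here)
    out, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            out.add(d)
            n //= d
        d += 1
    if n > 1:
        out.add(n)
    return out

def is_primitive_root(g, p):
    # g generates all nonzero residues mod p iff g^((p-1)/q) != 1 (mod p) for every prime q dividing p-1
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))

def keygen(p, alpha, a):
    # Public key (p, alpha, beta) with beta = alpha^a (mod p); the exponent a stays secret
    assert is_primitive_root(alpha, p)
    return (p, alpha, pow(alpha, a, p)), a

def encrypt(pub, m, k):
    # Alice: r = alpha^k, t = beta^k * m (mod p), with a fresh random k per message
    p, alpha, beta = pub
    return pow(alpha, k, p), pow(beta, k, p) * m % p

def decrypt(pub, a, ct):
    # Bob: m = t * (r^a)^-1 (mod p), since r^a = alpha^(ak) = beta^k
    p, r, t = pub[0], ct[0], ct[1]
    return t * pow(pow(r, a, p), -1, p) % p

def sign(pub, a, m, k):
    # Alice: r = alpha^k, s = k^-1 (m - a*r) mod (p-1); pow() raises if gcd(k, p-1) != 1
    p, alpha, _ = pub
    r = pow(alpha, k, p)
    return r, pow(k, -1, p - 1) * (m - a * r) % (p - 1)

def verify(pub, m, sig):
    # Bob: accept iff beta^r * r^s == alpha^m (mod p), with 0 < r < p
    p, alpha, beta = pub
    r, s = sig
    return 0 < r < p and pow(beta, r, p) * pow(r, s, p) % p == pow(alpha, m, p)

def reused_k_leak(pub, ct1, m1, ct2):
    # Same k => same r, and then t2 * t1^-1 == m2 * m1^-1 (mod p): knowing m1 exposes m2
    p, (r1, t1), (r2, t2) = pub[0], ct1, ct2
    return None if r1 != r2 else t2 * pow(t1, -1, p) * m1 % p
```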
-
Wastefulness of plain signatures
In signature schemes with appendix, where we attach the signature to the end of the document, we increase the communication overhead.
If we have a long message m = m1, m
-
Hash Functions
Straightforward application of digital signatures can be expensive when the message is large.
In general, many security protocols benefit from using a "digested" or "compressed" representative of a message.
We typically need additional cryptographic properties in order for the compression operation to be useful.
This "compression function" is a hash function: h: Domain → Range, m ↦ h(m)
-
Hash Functions, pg. 2
Formally, a cryptographic hash function h takes an input message of arbitrary length and produces a message digest of fixed length, and satisfies:
1. Given a message m, h(m) is quick to calculate.
2. One-way (preimage resistance): Given a digest y, it is computationally infeasible to find an m with h(m) = y.
3. Strongly Collision Free: It is computationally infeasible to find messages m1 and m
-
Chaum, van Heijst, Pfitzmann Hash
We may use the DLOG problem to construct a hash function.
Choose a prime p such that q = (p-1)/2 is also prime. (There's an algorithm for doing this, but that's not our goal today.) Choose two primitive roots α and β.
The hash function h(m) will take integers (mod q
-
CHP Hash is strongly collision-free
Proposition: If we know h(m) = h(m') with m ≠ m', then we can solve the discrete logarithm a = L_α(β).
Proof: Will be given on the board after we cover all of the slides.
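Added example, not from the slides: the CHP hash on toy parameters, with the proposition's argument carried out in code. The message split m = m0 + m1·q and h(m) = α^m0 β^m1 (mod p) follow the standard construction that the transcript cuts off; dlog_from_collision recovers a = L_α(β) from any collision, which is the reason a collision finder would solve DLOG. Parameters (p = 23, α = 5, β = 5^7) are constructed for the test.

```python
from math import gcd

def chp_hash(m, p, alpha, beta):
    # h(m) = alpha^m0 * beta^m1 (mod p), where m = m0 + m1*q and q = (p-1)/2
    q = (p - 1) // 2
    return pow(alpha, m % q, p) * pow(beta, m // q, p) % p

def find_collision(p, alpha, beta):
    # Toy-sized brute force over the input range 0..q^2-1, only to exercise the proposition
    q, seen = (p - 1) // 2, {}
    for m in range(q * q):
        y = chp_hash(m, p, alpha, beta)
        if y in seen:
            return seen[y], m
        seen[y] = m
    return None

def dlog_from_collision(m, m2, p, alpha, beta):
    # alpha^x0 beta^x1 == alpha^y0 beta^y1 gives alpha^(x0-y0) == beta^(y1-x1); with beta = alpha^a this is
    # x0 - y0 == a*(y1 - x1) (mod p-1). Because q is prime and |y1-x1| < q, gcd(y1-x1, p-1) is 1 or 2,
    # so at most two candidates for a remain and a direct check picks the right one.
    n, q = p - 1, (p - 1) // 2
    x0, x1, y0, y1 = m % q, m // q, m2 % q, m2 // q
    c, d = (x0 - y0) % n, (y1 - x1) % n
    g = gcd(d, n)
    inv = pow(d // g, -1, n // g)
    for t in range(g):
        a = (c // g * inv + t * (n // g)) % n
        if pow(alpha, a, p) == beta:
            return a
    return None
```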
-
SHA-1
In order to get fast hash functions, we need to operate at the bit level. SHA-1 is one such algorithm.
Many of the popular hash functions (e.g. MD5, SHA-1) use an iterative design:
Start with a message m of arbitrary length and break it into n-bit blocks, m = m1, m
-
SHA-1, pg. 2
In SHA-1, we pad according to the rule:
Start with a message m of arbitrary length and break it into n-bit blocks.
The last block is padded with a 1 followed by enough 0 bits to make the new message 64 bits short of a multiple of 512 bits.
The appended message becomes m = m1, m
-
SHA-1, pg. 3 (Basic Operations)
We will need the following bit operations:
-
SHA-1, pg. 4 (Basic Algorithm)
-
SHA-1, pg. 5 (Inside the Alg.)
Initial 160-bit register: {H0, H1, H2, H3, H4}
-
SHA-1, pg. 6 (Subregister Operations)
• The operations done by f_t(B, C, D) depend on the round number t
• The word W_t depends on the round number t
• The constant K_t depends on the round number t
-
Message Authentication Codes
A message authentication code (MAC) is a function that is used to prevent alteration of messages: MACs use a shared key K between Alice and Bob.
Alice will send not only the message m, but also MAC(m).
Bob checks whether the attached MAC matches what he calculates.
Eve cannot alter the message because she does not have K. The MAC takes two inputs: the key K and an arbitrary size m.
Ideally, a MAC should be a random mapping from all possible inputs to n bits of output.
The uncertainty (and security) of the MAC is directly associated with the size of the key. Remember: to Eve, the message is known, so it's the key that contains the security.
-
CBC-MAC
CBC-MAC is a method for turning a block cipher into a MAC:
Idea: encrypt m using CBC mode and throw away all but the last block of ciphertext.
For messages P1, P
-
CBC-MAC, pg. 2
Be careful when using CBC-MAC. Here's a possible protocol failure:
Observe: Fix K. If MAC(a) = MAC(b), then MAC(a||c) = MAC(b||c), where c is a single block length in size.
1. Now, suppose an attacker collects many MAC values and finds a collision. This gives a and b for which MAC(a) = MAC(b).
-
CBC-MAC, pg. 3
Practical Implementation Details:
1. Generally, if your message is m, do not just calculate MAC(m); rather, you should make an intermediate message s = (l||m), where l is the length of m in a fixed-length format.
-
HMAC
We may also use hash functions to build MACs.
We cannot simply use MAC(m) = h(K||m) or h(m||K):
Having the key at the front allows for length extension attacks.
Having the key at the end allows for key-recovery attacks.
Designers of HMAC considered these issues.
HMAC computes MAC(m) = h((K ⊕ a) || h((K ⊕ b) || m)), where a and b are constants that are specified.
HMAC has been around for a while and has been cryptanalyzed. It's the preferred MAC to use.
-
Using MACs
We must be careful using MACs.
If Alice sends Bob {m || MAC(m)} and Eve records this, she may send it again at a later time (the replay attack).
Generally, you want to authenticate not just the message, but the context. That is, you want to authenticate m and additional data d (such as message number, source, destination, protocol identifier, sizes for different fields, etc.).
Why all these possibilities? If you tie the message to the specific context, then it is harder for an adversary to manipulate context fields to forge.
Make certain, though, that you have clear rules on how to split concatenations (d||m) back into d and m.
-
Problems with Hashes
We must be careful when using hash functions; they are subject to some "attacks".
Length Extension Attack: Consider a block-based hash like SHA-1, with input blocks m = (m1, m
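Added example, not from the lecture, serving the SHA-1 slides, the HMAC formula and the length-extension slide above: a compact SHA-1 written to the stated padding rule with the round-dependent f_t, K_t and W_t, the HMAC formula with a = 0x5C and b = 0x36 (HMAC's specified outer/inner pad bytes), and a check showing why h(K||m) on its own fails as a MAC while the nested HMAC form does not resume. Keys longer than 64 bytes are not handled, and the constants are SHA-1's published ones.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
H0 = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]  # initial 160-bit register

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def sha1_pad(length_bytes):
    # Slide rule: a 1 bit, then 0 bits until 64 bits short of a multiple of 512, then the 64-bit bit-length
    return b"\x80" + b"\x00" * ((55 - length_bytes) % 64) + struct.pack(">Q", length_bytes * 8)

def sha1_compress(h, block):
    # One 512-bit block: f_t and K_t change with the round number t, W_t is the expanded message schedule
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = h
    for t in range(80):
        if t < 20:   f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40: f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60: f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:        f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (rotl(a, 5) + (f & MASK) + e + k + w[t]) & MASK, a, rotl(b, 30), c, d
    return [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))]

def sha1(msg, state=H0, prior_len=0):
    # state/prior_len allow resuming from a known digest, which is exactly what length extension relies on
    h = list(state)
    data = msg + sha1_pad(prior_len + len(msg))
    for i in range(0, len(data), 64):
        h = sha1_compress(h, data[i:i + 64])
    return struct.pack(">5I", *h)

def hmac_sha1(key, m, a=0x5C, b=0x36):
    # Slide formula h((K xor a) || h((K xor b) || m)); a, b are HMAC's fixed pad bytes (key <= 64 bytes assumed)
    k = key.ljust(64, b"\x00")
    return sha1(bytes(x ^ a for x in k) + sha1(bytes(x ^ b for x in k) + m))

def extend_keyed_hash(digest, key_len, m, ext):
    # Why h(K || m) fails: from h(K||m) and len(K) alone, h(K||m||pad||ext) follows without knowing K.
    # HMAC's outer hash hides the inner chaining state, so this does not carry over to hmac_sha1.
    glue = sha1_pad(key_len + len(m))
    return m + glue + ext, sha1(ext, struct.unpack(">5I", digest), key_len + len(m) + len(glue))
```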