Upload
others
View
12
Download
0
Embed Size (px)
Citation preview
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.1)
Chaffing & WinnowingConfidentiality without Encryption !
Ronald RivestCryptobytes, Summer 1998, p12-17
ftp://ftp.rsa.com/pub/cryptobytes/crypto4nto1.pdf
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.2)
Introduction
Chaff -> worthless parts To Winnow -> to separate out the chaff
Add MACsAdd ChaffP
Winnow: Remove Chaff by
Checking MACsP
No Encryption, no decryption ! No Export control ?
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.3)
Chaffing
1, Hi Bob, 4623122, Meet me at, 7822903, 7 PM, 2382914, Love Alice, 839128
1, Hi Bob, 4623121, Hi Larry, 3882312, I’ll call you at, 5623812, Meet me at, 7822903, 7 PM, 2382913, 6 PM, 8239114, Yours Sue, 7283774, Love Alice, 839128
Wheat - Good packets Chaff - Bad packets
Chaffing -> adding fake packets with bogus MACs. MAC based on sequence number and message.
Winnowing -> discarding packets with bogus MACs
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.4)
Security
Security depends on difficulty (for the adversary) ofdistinguishing the chaff from the wheat
Chaffing will normally add at least one chaff packet foreach wheat packet.
We also need to make wheat packets unintelligible. How canwe do this?
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.5)
Make Wheat packets a single byte or bit !
1, 1, 4623121, 0, 8232312, 1, 5623812, 0, 7822903, 0, 2382913, 1, 8239114, 1, 7283774, 0, 839128
Which bits are bogus?Which bits are authentic?
Note: adding a bogus MAC is trivial, justadd a random number (e.g. 64 bits).
For efficiency would like to process manybits per packet instead of one or 8.
Can use a so-called package transformthat transforms message such thatreceiver can only produce original if hereceives entire transformed message(transform is keyless).
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.6)
Variations on a Theme
Creating chaff can be done by a 3rd party, who doesn’t know any secretMAC keys!
Alice & Bob may not even be aware of the chaff maker!
Charles the Chaff Maker could multiplex Alice-to-Bob packets andDavid-to-Elaine packets.
Alice can hide messages. So could use 2 (or more MACs). If asked toreveal MAC, she reveals MAC for innocuous message.
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.7)
Public Key CryptographyPublic Key Cryptography& Digital Signatures& Digital Signatures
Michael [email protected]
www.doc.ic.ac.uk/~mrh/430/
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.8)
Introduction Also known as ASYMMETRIC
KEY, TWO KEY encryption
Based on mathematics ratherthan on substitution ortransposition ciphers
Different keys for encryptionand for decryption.
One key is kept private (secret),the other can be made public(not secret). Private and Publickeys are related mathematically
PUBLIC-KEY vs SYMMETRIC-KEY Public-Key cryptography is not
“better” than Symmetric-Key
Symmetric-Key cryptography ismuch faster than Public-Key version-> up to 1000 times faster
Public-Key cryptography used for:authentication, digital signatures,and key-management
Symmetric-Key cryptography usedfor: bulk encryption, e.g. high-volumepacket flow on network
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.9)
Merkle's Puzzles (has applications inelectronic contract signing)
PuzzleNo: 6248128-bit Key: 10010...01101
1 Million Encrypted Puzzles. Each encrypted with a diff. 20-bitkey, each holds a diff. 128-bit key. Puzzle order is random.
Randomly picks 1puzzle to crack,cracks it
PuzzleNo: 6248Msg: EK128("Hello")
Looks up 128-bit keyfor Puzzle 6248
EK20(6248, K128)
6248, EK128("Hello")
Attacker needs to crack ~ 0.5 million puzzles!
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.10)
Confidentiality (Secrecy)
E CP
Receiver’s (Bob’s) public key
D P
Receiver’s (Bob’s) private key
C
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.11)
Authentication
SEP
Sender’s (Alice’s) private key
D P
Sender’s (Alice’s) public key
S
sign
verify
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.12)
Confidentiality with Authentication
EP
Sender’s (Alice’s) private key
S E C
Receiver’s (Bob’s) public key
PD
Receiver’s (Bob’s) private key
DS
Sender’s (Alice’s) public key
C
sign
verify
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.13)
Requirements for Public-Key Cryptography
Should be easy & efficient togenerate keys (public and private)
Should be easy & “efficient” toencrypt and decrypt
Should be hard to computePRIVATE-KEY from PUBLIC-KEY
Should be hard to computePLAINTEXT from PUBLIC-KEY andCIPHERTEXT
Encryptions, Decryption might beapplied in either order
ONE-WAY FUNCTION f
C = f (P) “Easy”
P = f-1 (C) Infeasible
TRAP-DOOR 1-WAY FUNCTION f
C = f (K, P) “Easy” if K & P known
P = f-1 (K, C) “Easy” if K & C known
P = f-1 (K, C) “Infeasible” if K not known, C known
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.14)
Diffie-Hellman Key Exchange A and B agree on two numbers (r, p)
A picks a secret number a A computes f(r, p, a) Call result fA
A sends B the value fA
A computes f(fB, p, a) call result kA
r and p can be public
B picks a secret number b B computes f(r, p, b) Call result fB
B sends A the value fB
B computes f(fA, p, b) call result kB
Correct protocol should
ensure that kA = kB
kA & kB shoud be hard topredict, knowing r, p, fA, fB
and f
But what is f ?
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.15)
Exercise
Try out kA and kB for f (r, p, x) = r + p + x, r = 3 and p = 12
Now crack f (r, p, x) = (r * x) mod p , r = 4, p = 10, fA = 8, fB=6
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.16)
Discrete Logs
Find x where 3x = 13 mod 17
Find x where 3x = 7 mod 13
For:
gx =f mod p
given integers g, f and prime p itis computationally expensive tocalculate the discrete log x if pis large, e.g. > 200 digits
… (and if p meets some other
conditions hold that shieldagainst know discrete-logarithmattacks)
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.17)
Background: primitive roots Let n be a natural number. Recall: m is co-prime to n iff greatest common divisor of n and m is 1. Example: 5 and 6 are co-prime wheras 3 and 6 are not.
Definition: A primitive root modulo n is some integer g such that anynumber co-prime to n is some power of g modulo n.
Formally, g is primitive root of n iff for all m with gcd(n,m) = 1, thereis some k such that gk = m (mod n).
FACT: Every prime number has a primitive root.
Example: 3 is a primitive root of 7. (Verify this.)
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.18)
Diffie-Hellman Key Exchange
r = 5, p = 563
f (r, p, x) = rx mod p p is a very large prime r is a primitive root of p
kA = (fB)a mod pkA = (rb )a mod pkA = rba mod p
kA = 5349 = 117 mod 563
a = 9 fA = ra mod p
fA = 59 = 78 mod 563
b = 14 fB = rb mod p
fB = 514 = 534 mod 563
kB = (fA)b mod pkB = (ra)b mod pkB = rab mod p
kB = 7814 = 117 mod 563
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.19)
Question
To ensure the correctness of the Diffie-Hellmanexchange protocol:
What is the key algebraic property of thefunction that sends x to rx mod p ?
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.20)
RSA (Rivest-Shamir-Adleman)
Observation: easy to multiply twolarge primes, p and q:
p * q = N
Very difficult to factorise Nback into p and q.
Instrumentation of plain-textprior to encryption:
Split large messages into blocks lessthan p*q in value, e.g. for N = 7 *5 you could use 4-bit blocks
RSA patent expired inSeptember 2000.
Hardware RSA 1000 timesslower than hardware DES.Software RSA 100 times slowerthan software DES
(similar factors for AES)
Remaining question: how toefficiently generate large primenumbers p and q?
(You are welcome to researchthis. E.g. Miller-Rabinrandomized algorithm.)
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.21)
RSAKEY GENERATIONKEY GENERATION Pick two large primes, p and q
(keep p and q secret) Calculate N = p * q (result not
secret)Calculate Ø(N) = (p – 1) * (q – 1)
Calculate E and D such thatE * D = 1 mod Ø(N).
E and D must be co-prime to Ø(N) Public Key = (E, N)
Private Key = (D, N)ENCRYPTIONENCRYPTION C = PE mod NDECRYPTIONDECRYPTION P = CD mod N
Example:Example:KEY GENERATIONKEY GENERATION p = 47, q = 71
N = 47 * 71 = 3337Ø(N) = (47–1) * (71–1) = 3220
E * D = 1 mod 3220e.g. Encryption key E = 79e.g. Decryption key D = 1019
Public Key = (79, 3337)Private Key = (1019, 3337)
ENCRYPT P = 688ENCRYPT P = 688 C = 68879 = 1570 mod 3337DECRYPT DECRYPT C = 1570C = 1570 P = 15701019 = 688 mod 3337
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.22)
RSA p and q can be destroyed after N, E,
and D are generated. Useful forprivate key holder to keep p and qfor faster decryption - can use theChinese Remainder Theorem toperform calculations mod p and modq instead of mod pq
Ø (N) is Euler’s totient functionapplied to N: the number ofnumbers less than N that are co-prime to N, e.g. Ø (p*q) = (p-1)*(q-1)
Relatively prime means “co-prime”,i.e. that x and y share no commonfactors, i.e. GCD (x,y)=1
If Ø (N) can be computed efficientlyfrom N, this breaks RSA, how so?
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.23)
Explanation of equations relating D and E C = PE mod N
P = CD mod NP = (PE)D mod NP = PED mod N (P < N)
Can we find E, D and N such that
P = PED mod N
and also such that it is “Easy” tocompute PE and CD, butinfeasible to get D given E andN?
Euler showed thatP = Pk*Ø(pq)+1 mod (pq)
So ED = k*Ø(pq) + 1
Which is equivalent to:
ED = 1 mod Ø(pq)
D = E-1 mod Ø(pq)
D = E-1 mod (p-1)(q-1)
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.24)
IssuesIMPLEMENTATIONIMPLEMENTATION How to pick two large random
primes?(Algorithms are based onprobabilistic testing).
How to derive E & D? How to quickly compute
XY mod N ? (Iterative squaring)
UNCONDITIONAL SECURITYUNCONDITIONAL SECURITY A public-key cryptosystem can never
provide Unconditional Security!Why?
ATTACKSATTACKS
Factorise N. Very hard if N islarge, e.g. if N has 1024 bits wewould need 1015 MIP years. ForN having 431 bits, about 500MIP years
Reverse engineer and try tobreak prime-number generator
Timing attacks (ciphertext only).Determine how long decryptionoperations take and makeinferences on resulting bits.Counter-measures? Codeobfuscation, etc.
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.25)
Hybrid Cryptosystem
Use RSA to pass an encrypted AES session key, then use AES toencrypt-decrypt subsequent messages
sessionK C1
C2
RSA
Bob’s publicK
C1 RSA
Bob’s privateK
sessionK
P C2AES PAES
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.26)
Authentication, Integrity, Non-repudiation
AUTHENTICATION Verify the source of a message.
-> MACs, Digital Signatures
INTEGRITY Has message been tampered with?
-> MACs, 1-Way Hash Functions,Digital Signatures
NON-REPUDIATION Prevent sender/receiver from later
denying sending/receiving a message.-> Arbitrated Digital Signatures,Digital Certified Email, SimultaneousContract Signing
Message Authentication Code(MAC): think of it as a key-basedhash function
One-Way Hash Functionse.g. MD5, SHA (Secure HashAlgorithm)
Digital Signaturese.g. RSA, DSS (Digital SignatureStandard)
Authentication Protocols
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.27)
Symmetric-Key AuthenticationAUTHENTICATION Only sender and receiver know
secret key. If decrypted messageappears “valid” then sender musthave sent it?
What if message is binary data or ishard to “validate”?
We could add a checksum and/orother checks to message (e.g.sequence numbers, timestamps) toreduce chances that we do notaccept a bogus message
Such authentication protects A andB from C, but not from each other ->Arbitration, AuthenticationProtocols.
Message Authentication Code (MAC) Also known as a Cryptographic
Checksum. Provides Authenticationand Integrity
Use a secret key to generate a smalloutput block from Message e.g. useAES in CBC mode; last encryptedblock acts as a MAC.
Best if MAC key is different fromsecret key
MACs are similar to, but notidentical with, hash functions
Key
AESMessage P(10 Mb)
MAC(128-bits)
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.28)
Digital Signatures Hand-written Signatures:
Do they satisfy these properties?
Are their feature needed fordigital signatures that have noequivalent or need for hand-written signatures?
AUTHENTIC: Can verify whosigned msg
UNFORGEABLE: Only signer couldhave signed msg
NOT REUSABLE: Cannot bindsignature to different msg
UNALTERABLE: Cannot alter msgwithout affecting its signature
CANNOT BE REPUDIATED: Signercannot later deny signing.
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.29)
Digital Signatures
Digital Signatures can be used forencrypted and unencryptedmessages.
Symmetric-Key digital signatureschemes exist but are not elegant(We won’t cover them.)
Encrypting a message with one’s RSAprivate key yields a digital signature,but signature is as long as themessage !
Should be message-dependent
Should be sender-dependent(Dependent on information unique tosender)
Should be easy to produce
Should be easy to verify
Should be infeasible to forge
Useful if signatures can be storedseparately from signed message
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.30)
One-Way Hash Functions Also known as SECURE HASH
FUNCTIONS, MESSAGE DIGESTS Provide INTEGRITY only, no key
needed (unlike MACs)
EXAMPLESMD5 (Message Digest 5)SHA (Secure Hash Algorithm)
One-Way Hash
Function
Plaintext P(e.g. 10Mb)
Hash Value H(e.g. 256 bits)
Easy to produce H from P Size of P >>> Size of H (Compression) Infeasible to
produce P from H (One-Way) find P2 such that Hash (P2) = H (Weak Collision Resistance) find P1 & P2 such that Hash(P1)=Hash(P2) (Strong Collision Resistance)
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.31)
Birthday Attack If hash value is too short then we
can employ a birthday attack.
If an element can take on Ndifferent values, then we can expecta collision after about sqrt(N)random elements. For N= 2M , wehave a collision after about 2M/2
Given a hash value H, to find P, suchthat Hash (P) = H requires 2Mrandom messages.
However to find two P1, P2 such thatHash(P1) and Hash(P2) produce thesame hash value only requires 2M/2random messages.
Generate 2M/2 variations of non-fraudulent message
Generate 2M/2 variations offraudulent message
Probability of finding a non-fraudulent/fraudulent pair > 0.5
Note we can insert space-space-backspace-newline (etc.)sequences to generate variations
CONCLUSION: Use lengthy hashvalues, e.g. 256 bits
Caution: even 265 bits may beinsecure, e.g. attacks on SHA-1
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.32)
Digital Signature
1-Way Hash FunctionPlaintext
PEncrypt
Alice’s Private Key
SignatureS
Common technique is to encrypt a one-way Hash Value with Signer’sPrivate (Signing) Key -> AUTHENTICATION + INTEGRITY
Timestamps are often hashedalong with message P. Why?
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.33)
Verifying a Digital Signature
SignatureS
Decrypt
Alice’s Public Key
Hash Value H1
PlaintextP
1-Way Hash Function
Hash Value H2
H1=H2?
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.34)
SIGN
Signed Messages
Append
VERIFY
AlicePrivK
EHF S
=
AlicePubK
D
HFSplit
SP
P
P
P,S
P,S
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.35)
Sending a Signed Encrypted Message
sessionK RSA
Bob’s publicK
C1
C2AESP,S
Sign
AlicePrivK
AES P,S
P P
AlicePubK
Verify
C1
C2
RSA
Bob’s privateK
sessionK
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.36)
Public-Key Certificates
Combination of a name andPublic Key signed by a moretrusted, third party
SignAlice’s Name
&Public Key
Alice’sCertificate
Certificates include additional information, e.g. expiration date ofpublic key. What other information would be of interest?
Trusted Party’sPrivate Key
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.37)
Disavowed Signatures
What if the sender wants todisavow sending a message, e.g.the sender anonymously publishesher private key and then falselyclaims that her private key waslost or stolen and that someoneelse has forged her signature onsent messages e.g. a contract tobuy shares which then fall inprice?
Timestamp messages?
Best if Private Keys are held intamper-proof devices.
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.38)
Arbitrated Digital Signature (Unencrypted)
1) A →T: idA, signA ( idA, signA (P))T: check (idA)
verifyA (idA, signA (P))
2) T → B: signT (timestamp, idA, signA (P))B: verifyT (timestamp, idA, signA(P))
check (idA)check (timestamp)verifyA (P)
T should also send the second message to A. IfA did not originate it, A should own upimmediately.
21
T
A B
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.39)
Some variants of digital signatures Blind Signatures
Sign documents without seeingcontents.
Undeniable SignaturesCannot be verified withoutsigner’s consent.
Proxy SignaturesPass power to sign to someoneelse.
Group SignaturesAny member of a group can sign.
Fail-stop SignaturesEach public key has many privatekeys.
Simultaneous Contract SigningNeither party wishes to signunless others sign as well i.e.simultaneously
Digital Certified MailReceiver must sign a receiptbefore reading mail
Secure Electronic Voting Digital Cash Zero Knowledge, Anonymous
Broadcast, EncryptedComputation
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.40)
Elliptical Curve Cryptography
Michael [email protected]
www.doc.ic.ac.uk/~mrh/430/
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.41)
Reading Stallings Chapters 9/10/11
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.42)
Elliptical Curve Cryptography (ECC)
A possible successor to RSA (and DSA). Already being adopted in various standards. For a (believed to be) similar level of security, ECC public/private keys
are much smaller than RSA keys
Time to Break RSA ECC RSA/ECC RatioMIPS years keysize keysize104 512 106 5:1108 768 132 6:11011 1024 160 7:1
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.43)
ECC Speed
Function ECC-163 RSA-1024msecs msecs
Sign 2.1 228
Verify 9.9 12.7
Key Generation 3.8 4708
Key Exchange 7.3 1654
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.44)
Basic Idea Take elliptic Curves of the form:
y2 = x3 + ax + b mod p (a, b are constants, p a large prime)
If P=(x,y) satisfies the equation, then P is a “point on the curve” Points can be “added” to generate a new Point. Note: Point addition is
not simple number addition but a “non-linear” operation.
R = P + Q
For Q = n P (nP is P added to itself n times)
It is relatively easy to calculate Q given n and P But is very hard to calculate n given P and Q. For more details see Stallings.
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.45)
Interlude: Modular Arithmetic
Congruence a ≡ b mod nmeans a/n and b/n have the same remainder
(a+b) = (b+a) mod n, (a*b) mod n = (b*a) mod n
[(a+b)+c] mod n = [a+(b+c)] mod n, [(a*b)*c] mod n = [a*(b*c)] mod n
[a*(b+c)] mod n = [(a*b)+(a*c)] mod n a + b mod n = [(a mod n) + (b (mod n))] mod n
a – b mod n = [(a mod n) – (b (mod n))] mod n
a * b mod n = [(a mod n) * (b (mod n))] mod n
ab mod n = [a * ab–1] mod n
abc mod n = [ab mod n] c mod n
if A * B = 1 mod nthen A and B aremultiplicative (ormodular) inverses modn. Often written:
A-1 = B mod n orB-1 = A mod n
Network Security (N. Dulay & M.Huth)
Public Key Cryptography & Digital Signatures (4.46)
Euclid’s Algorithms
def gcd (a, b): # find greatest common divisor of a, bif b == 0: return aelse: return gcd (b, a % b)
def ExtendedGcd (a,b): # returns gcd(a,b), inv of a, inv of bif b == 0: return a, 1, 0else:
x, y, z = ExtendedGcd (b, a % b)return x, z, y - int (a/b)*z
gcd550_1759, inv550, inv1759 = ExtendedGcd (550, 1759)print “inverse of 550 mod 1759 is “, inv550 % 1759