Lecture 8 Overview
Secure Hash Algorithm (SHA)
• SHA-0 1993
• SHA-1 1995
• SHA-2 2002
  – SHA-224, SHA-256, SHA-384, SHA-512
SHA-1
[Diagram: a message composed of b bits → SHA-1 → 160-bit message digest]
CS 450/650 Lecture 8: Secure Hash Algorithm 2
Step 1 -- Padding
• After padding, the total length of the padded message is a multiple of 512 bits
  – Every message is padded even if its length is already a multiple of 512
• Padding is done by appending to the input
  – A single bit, 1
  – Enough additional bits, all 0, to make the final 512-bit block exactly 448 bits long
  – A 64-bit integer representing the length of the original message in bits
Padding (cont.)
[Diagram: Message | 1 (1 bit) | 0…0 | Message length (64 bits); the total is a multiple of 512]
Example
• M = 01100010 11001010 1001 (20 bits)
• Padding is done by appending to the input
  – A single bit, 1
  – 427 0s
  – A 64-bit integer representing 20
• Pad(M) = 01100010 11001010 10011000 … 00010100
Example
• Length of M = 500 bits
• Padding is done by appending to the input:
  – A single bit, 1
  – 459 0s
  – A 64-bit integer representing 500
• Length of Pad(M) = 1024 bits
Step 2 -- Dividing Pad(M)
• Pad(M) = B1, B2, B3, …, Bn
• Each Bi denotes a 512-bit block
• Each Bi is divided into 16 32-bit words
  – W0, W1, …, W15
Step 3 – Compute W16 – W79
• To compute word W_j (16 <= j <= 79)
  – W_{j-3}, W_{j-8}, W_{j-14}, W_{j-16} are XORed
  – The result is circularly left shifted one bit
Step 4 – Initialize A,B,C,D,E
• A = H0
• B = H1
• C = H2
• D = H3
• E = H4
Initialize 32-bit words
• H0 = 67452301
• H1 = EFCDAB89
• H2 = 98BADCFE
• H3 = 10325476
• H4 = C3D2E1F0
• K0 – K19 = 5A827999
• K20 – K39 = 6ED9EBA1
• K40 – K49 = 8F1BBCDC
• K60 – K79 = CA62C1D6
Step 5 – Loop
For j = 0 … 79
    TEMP = CircLeShift_5(A) + fj(B,C,D) + E + Wj + Kj
    E = D; D = C; C = CircLeShift_30(B); B = A; A = TEMP
Done
+ is addition (ignore overflow)
Four functions
• For j = 0 … 19
  – fj(B,C,D) = (B AND C) OR (B AND D) OR (C AND D)
• For j = 20 … 39
  – fj(B,C,D) = (B XOR C XOR D)
• For j = 40 … 59
  – fj(B,C,D) = (B AND C) OR ((NOT B) AND D)
• For j = 60 … 79
  – fj(B,C,D) = (B XOR C XOR D)
Step 6 – Final
• H0 = H0 + A
• H1 = H1 + B
• H2 = H2 + C
• H3 = H3 + D
• H4 = H4 + E
Done
• Once these steps have been performed on each 512-bit block (B1, B2, …, Bn) of the padded message,
  – the 160-bit message digest is given by H0 H1 H2 H3 H4
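Steps 1 to 6 as runnable Python, added here as an illustration (not part of the original slides). The round functions and K ranges follow FIPS 180-4 (Ch for rounds 0-19, Maj and 8F1BBCDC for rounds 40-59), which is what yields digests matching standard SHA-1 and differs from the slide listing; `zero_pad_bits`, `pad`, `rotl` and `f` are names chosen for this example.

```python
import struct

H_INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)  # one constant per 20 rounds
MASK = 0xFFFFFFFF  # "+ ignores overflow": all additions are mod 2^32

def rotl(x, n):
    """Circular left shift of a 32-bit word by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK

def zero_pad_bits(b):
    """Step 1: number of 0 bits that follow the single 1 bit for a b-bit message."""
    return (447 - b) % 512

def pad(msg):
    """Step 1 for byte-aligned input: 1 bit, 0 bits, 64-bit big-endian length."""
    bits = 8 * len(msg)
    zeros = zero_pad_bits(bits)  # 7 of these zeros live in the 0x80 byte
    return msg + b"\x80" + b"\x00" * (zeros // 8) + struct.pack(">Q", bits)

def f(j, b, c, d):
    """Round function for round j (FIPS 180-4 assignment)."""
    if j < 20:
        return (b & c) | (~b & d)           # Ch
    if 40 <= j < 60:
        return (b & c) | (b & d) | (c & d)  # Maj
    return b ^ c ^ d                        # Parity, rounds 20-39 and 60-79

def sha1(msg):
    """Return the SHA-1 digest of a bytes object as a hex string."""
    h = list(H_INIT)
    padded = pad(msg)
    for off in range(0, len(padded), 64):              # Step 2: 512-bit blocks
        w = list(struct.unpack(">16I", padded[off:off + 64]))
        for j in range(16, 80):                        # Step 3: expand to W79
            w.append(rotl(w[j - 3] ^ w[j - 8] ^ w[j - 14] ^ w[j - 16], 1))
        a, b, c, d, e = h                              # Step 4
        for j in range(80):                            # Step 5
            temp = (rotl(a, 5) + f(j, b, c, d) + e + w[j] + K[j // 20]) & MASK
            a, b, c, d, e = temp, a, rotl(b, 30), c, d
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))]  # Step 6
    return b"".join(struct.pack(">I", x) for x in h).hex()
```

`zero_pad_bits(20)` and `zero_pad_bits(500)` reproduce the 427 and 459 zero bits of the two padding examples.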
SHA | Output size (bits) | Internal state size (bits) | Block size (bits) | Max message size (bits) | Word size (bits) | Rounds | Operations | Collisions found
SHA-0 | 160 | 160 | 512 | 2^64 − 1 | 32 | 80 | +, and, or, xor, rot | Yes
SHA-1 | 160 | 160 | 512 | 2^64 − 1 | 32 | 80 | +, and, or, xor, rot | None (2^52 attack)
SHA-2 | 256/224 | 256 | 512 | 2^64 − 1 | 32 | 64 | +, and, or, xor, shr, rot | None
SHA-2 | 512/384 | 512 | 1024 | 2^128 − 1 | 64 | 80 | +, and, or, xor, shr, rot | None
Lecture 9
Digital Signatures
CS 450/650
Fundamentals of Integrated Computer Security
Slides are modified from Hesham El-Rewini
Digital Signatures
• A digital signature can be interpreted as indicating the signer’s agreement with the contents of an electronic document
  – Similar to handwritten signatures on physical documents
CS 450/650 Lecture 9: Digital Signatures 17
Digital Signature Properties
• Unforgeable: Only the signer can produce his/her signature
• Authentic: A signature is produced only by the signer deliberately signing the document
Digital Signature Properties
• Non-Alterable: A signed document cannot be altered without invalidating the signature
• Non-Reusable: A signature from one document cannot be moved to another document
• Signatures can be validated by other users
  – the signer cannot reasonably claim that he/she did not sign a document bearing his/her signature
Digital Signature Using RSA
• The RSA public-key cryptosystem can be used to create a digital signature for a message m
  – Asymmetric cryptographic techniques are well suited for creating digital signatures
• The signer must have an RSA public/private key pair
  – c = M^e mod n
  – M = c^d mod n
Signature Generation (Signer)
[Diagram: Message → Redundancy Function → Formatted Message → Encrypt (Private Key) → Signature]
Signature Verification
[Diagram: Signature → Decrypt (Public Key) → Formatted Message → Verify → Message]
Example
• Generate signature S
  – d = 53
  – e = 413
  – n = 629
  – m = 250
  – Assume that R(X) = X
• S = R(m)^d mod n
  – S = 250^53 mod 629 = 411
Example
• Verify signature with message recovery
  – Public key (e) = 413
  – n = 629
  – S = 411
• R(m) = S^e mod n
  – R(m) = 411^413 mod 629 = 250
• Verifier checks that R(m) has proper redundancy created by R (none in this case)
  – m = R^-1(m) = 250
Creating a forged signature
• Choose a random number between 0 and n-1 for S
  – S = 323
• Use the signer’s public key to decrypt S
  – R(m) = 323^413 mod 629 = 85
• Invert R(m) to m: m = 85
  – A valid signature (323) has been created for a random message (85)
Redundancy Function
• The choice of a poor redundancy function can make RSA vulnerable to forgery
• A good redundancy function should make forging signatures much harder
Example
• Generate signature S
  – d = 53
  – e = 413
  – n = 629
  – m = 7
  – Assume that R(X) = XX
• S = R(m)^d mod n
  – S = 77^53 mod 629 = 25
Example
• Verify signature with message recovery
  – Public key (e) = 413
  – n = 629
  – S = 25
• R(m) = S^e mod n
  – R(m) = 25^413 mod 629 = 77
• The verifier then checks that R(m) is of the form XX for some message X
  – m = R^-1(m) = 7
Forging signature (revisited)
• Choose a random number between 0 and n-1 for S
  – S = 323
• Use the signer’s public key to decrypt S
  – R(m) = 323^413 mod 629 = 85
• However, 85 is not a legal value for R(m)
  – so S = 323 is not a valid signature
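The worked examples above as a small Python check, added here as an illustration (not part of the original slides): it signs and verifies with the toy key n = 629 and counts how many of the n possible S values a verifier accepts under each redundancy function. It assumes R(X) = XX means decimal concatenation (7 → 77), as in the slide example; all function names are hypothetical.

```python
N, E, D = 629, 413, 53  # toy key from the slides (n, e, d); far too small for real use

def r_identity(m):
    return m  # R(X) = X: no redundancy

def r_identity_inv(v):
    return v  # every value is a legal R(m), so nothing is ever rejected

def r_double(m):
    return int(str(m) * 2)  # R(X) = XX as decimal concatenation (assumed reading)

def r_double_inv(v):
    s = str(v)
    half = len(s) // 2
    if len(s) % 2 == 0 and s[:half] == s[half:]:
        return int(s[:half])
    return None  # not of the form XX: the verifier rejects

def sign(m, r):
    """Signer: S = R(m)^d mod n."""
    formatted = r(m)
    if not 0 <= formatted < N:
        raise ValueError("R(m) must be smaller than n")
    return pow(formatted, D, N)

def verify(s, r_inv):
    """Verifier: compute S^e mod n, then return the recovered message or None."""
    return r_inv(pow(s, E, N))

def accepted_count(r_inv):
    """Number of S values in 0..n-1 that pass verification."""
    return sum(verify(s, r_inv) is not None for s in range(N))

if __name__ == "__main__":
    print(sign(250, r_identity), verify(411, r_identity_inv))
    print(verify(323, r_identity_inv), verify(323, r_double_inv))
    print(accepted_count(r_identity_inv), accepted_count(r_double_inv))
```

With R(X) = X every one of the 629 values verifies; with R(X) = XX only the values that decrypt to 11, 22, …, 99 do, which is why a redundancy function with a sparse set of legal outputs makes a randomly chosen S unlikely to pass.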
Privacy
• Signature provides only authenticity.
• How can we provide privacy in addition?
Simple Scenario of Digital Signature
Getting a Message Digest from a document
[Diagram: Hash → Message Digest]
Generating Signature
[Diagram: Message Digest → Encrypt using private key → Signature]
Appending Signature to document
[Diagram: Append Signature]
Verifying Signature
[Diagram: Hash → Message Digest; Decrypt using public key → Message Digest]