Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Transcription

1 Key Management Digital signatures: classical and public key Classic and Public Key exchange 1 Handwritten Signature Used everyday in a letter, on a check, sign a contract A signature on a signed paper document specifies the person responsible for that document Signature becomes physically a part of the document Signature can be verified by comparing it to known authentic signatures (e.g., signature on a check, credit card) A copy of a signed paper document can usually be distinguished from the original 2 Page 1

2 Digital Signatures A digital signature scheme is a method of signing a message stored in electronic form A digital signature is not attached physically to the message, so the scheme must somehow bind the signature to the message A digital signature can be verified by a publicly known verification algorithm (so anyone can verify a digital signature) A copy of a signed message cannot be distinguished from the original (so we must add some information such as a date to ensure that the signed message cannot be reused) 3 Digital Signature Construct that authenticated origin and/or contents of message in a manner provable to a disinterested third party ( judge ) Sender cannot deny having sent message (service is nonrepudiation ) Limited to technical proofs Inability to deny one s cryptographic key was used to sign One could claim the cryptographic key was stolen or compromised Legal proofs, etc., probably required; not dealt with here 4 Page 2

3 Digital Signature Scheme Consists of two components A signing algorithm Given a message, produces a signature A verification algorithm Given a pair (m, s), returns true if s is the signature of the message m; false otherwise 5 Common Error Classical:, share key k sends m { m } k to This is a digital signature WRONG This is not a digital signature Why? Third party cannot determine whether or generated message 6 Page 3

4 Classical Digital Signatures Require trusted third party, each share keys with trusted party Cathy To resolve dispute, judge gets { m } k, { m } k, and has Cathy decipher them; if messages matched, contract was signed Cathy Cathy { m }k { m }k { m }k 7 Public Key Digital Signatures s keys are d, e sends m { m } d In case of dispute, judge computes { { m } d } e and if it is m, signed message She is the only one who knows d! 8 Page 4

5 Digital Signatures in RSA RSA has an important property, not shared by other public key systems: encryption and decryption are commutative Encryption followed by decryption yields the original message (M e mod n) d mod n = M Decryption followed by encryption yields the original message (M d mod n) e mod n = M 9 RSA Digital Signatures Use private key to encipher message Protocol for use is critical Key points: Never sign random documents, and when signing, always sign hash and never document Mathematical properties can be turned against signer Sign message first, then encipher Changing public keys causes forgery 10 Page 5

6 Attack #1 Example:, communicating n A = 95, e A = 59, d A = 11 n B = 77, e B = 53, d B = contracts, numbered 00 to 25 has sign 05 and 17: c = m db mod n B = mod 77 = 3 c = m db mod n B = mod 77 = 19 computes mod 77 = 08; corresponding signature is mod 77 = 57; claims signed 08 Judge computes c eb mod n B = mod 77 = 08 Signature validated; is toast 11 Attack #2: s Revenge, agree to sign contract 06 enciphers, then signs: (m eb mod 77) da mod n A = (06 53 mod 77) 11 mod 95 = 63 now changes his public key Computes r such that 13 r mod 77 = 6; say, r = 59 Computes re B mod φ(n B ) = mod 60 = 7 Replace public key e B with 7, private key d B = 43 claims contract was 13. Judge computes: (63 59 mod 95) 43 mod 77 = 13 Verified; now is toast 12 Page 6

7 El Gamal Digital Signature Relies on discrete log problem Choose p prime, g, d < p, compute y = g d mod p Public key: (y, g, p); private key: d To sign contract m: Choose k relatively prime to p 1, and not yet used Compute a = g k mod p Find b such that m = (da + kb) mod p 1 Signature is (a, b) To validate, check that y a a b mod p = g m mod p 13 Example chooses p = 29, g = 3, d = 6 y = 3 6 mod 29 = 4 wants to send signed contract 23 Chooses k = 5 (relatively prime to 28) This gives a = g k mod p = 3 5 mod 29 = 11 Then solving 23 = ( b) mod 28 gives b = 25 sends message 23 and signature (11, 25) verifies signature: g m mod p = 3 23 mod 29 = 8 and y a a b mod p = mod 29 = 8 They match, so signed 14 Page 7

8 Attack Eve learns k, corresponding message m and signature (a, b) Extended Euclidean Algorithm gives d, the private key Example from above: Eve learned signed last message with k = 5 m = (da + kb) mod (p 1) = (11d ) mod 28 so s private key is d = 6 15 Digital Signature Standard (DSS) Developed by NSA Proposed in 1991, adopted as a standard in 1994 Modification of El Gamal signature scheme NIST Digital Signature Standard System-wide constants p bit prime (approx.170 digits) q 160 bit prime divisor of p-1 a = h ((p-1)/q) mod p, for chosen h with1<h<p-1 x selected random between 1 and q-1 inclusive y = a x mod p The public key is (p, q, a, y) 16 Page 8

9 Protocols: notation X Y : { Z W } k X,Y X sends Y the message produced by concatenating Z and W enciphered by key k X,Y, which is shared by users X and Y A T : { Z } k A { W } k A,T A sends T a message consisting of the concatenation of Z enciphered using k A, A s key, and W enciphered using k A,T, the key shared by A and T r 1, r 2 nonces (nonrepeating random numbers) 17 Session, Interchange Keys wants to send a message m to Assume public key encryption generates a random cryptographic key k s and uses it to encipher m To be used for this message only Called a session key She enciphers k s with s public key k B k B enciphers all session keys uses to communicate with Called an interchange key sends { m } k s { k s } k B 18 Page 9

10 Benefits Limits amount of traffic enciphered with single key Standard practice, to decrease the amount of traffic an attacker can obtain Prevents some attacks Example: will send message that is either BUY or SELL. Eve computes possible ciphertexts { BUY } k B and { SELL } k B. Eve intercepts enciphered message, compares, and gets plaintext at once 19 Key Exchange Algorithms Goal:, get shared key Key cannot be sent in clear Attacker can listen in Key can be sent enciphered, or derived from exchanged data plus data not known to an eavesdropper, may trust third party All cryptosystems, protocols publicly known Only secret data is the keys, or information known only to and needed to derive keys Anything transmitted is assumed known to attacker 20 Page 10

11 Classical Key Exchange Bootstrap problem: how do, begin? cannot send it to in the clear! Assume trusted third party, Cathy and Cathy share secret key k A and Cathy share secret key k B Use this to exchange shared key k s 21 Simple Protocol { request for session key to } k A Cathy { k s } k A { k s } k B Cathy { k s } k B 22 Page 11

12 Problems How does know he is talking to? Replay attack: Eve records message from to, later replays it; may think he s talking to, but he isn t Session key reuse: Eve replays message from to, so re-uses session key Protocols must provide authentication and defense against replay 23 Needham-Schroeder r 1 Cathy { r 1 k s { k s } k B } k A Cathy { k s } k B { r 2 } k s { r 2 1 } k s 24 Page 12

13 Argument: & talking Second message Enciphered using key only she, Cathy knows So Cathy enciphered it Response to first message As r 1 in it matches r 1 in first message Third message knows only can read it As only can derive session key from message Any messages enciphered with that key are from 25 Argument: talking to Third message Enciphered using key only he, Cathy know So Cathy enciphered it Names, session key Cathy provided session key, says is other party Fourth message Uses session key to determine if it is replay from Eve If not, will respond correctly in fifth message If so, Eve can t decipher r 2 and so can t respond, or responds incorrectly 26 Page 13

14 Denning-Sacco Modification Assumption: all keys are secret Question: suppose Eve can obtain session key. How does that affect protocol? In what follows, Eve knows k s Eve { k s } k B Eve Eve { r 2 } k s { r 2 1 } k s 27 Solution In protocol above, Eve impersonates Problem: replay in third step First in previous slide Solution: use time stamp T to detect replay Weakness: if clocks not synchronized, may either reject valid messages or accept replays Parties with either slow or fast clocks vulnerable to replay Resetting clock does not eliminate vulnerability 28 Page 14

15 Needham-Schroeder with Denning-Sacco Modification r 1 Cathy { r 1 k s { T k s } k B } k A Cathy { T k s } k B { r 2 } k s { r 2 1 } k s 29 Public Key Key Exchange Here interchange keys known e A, e B and s public keys known to all d A, d B and s private keys known only to owner Simple protocol k s is desired session key { k s } e B 30 Page 15

16 Problem and Solution Vulnerable to forgery or replay Because e B known to anyone, has no assurance that sent message Simple fix uses s private key k s is desired session key { { k s } d A } e B 31 Notes Can include message enciphered with k s Assumes has s public key, and vice versa If not, each must get it from public server If keys not bound to identity of owner, attacker Eve can launch a man-in-the-middle attack Solution to this (binding identity to keys) discussed later as public key infrastructure (PKI) 32 Page 16

17 Key Generation Goal: generate keys that are difficult to guess Problem statement: given a set of K potential keys, choose one randomly Equivalent to selecting a random number between 0 and K 1 inclusive Why is this hard: generating random numbers Actually, numbers are usually pseudo-random, that is, generated by an algorithm 33 Best Pseudorandom Numbers Strong mixing function: function of 2 or more inputs with each bit of output depending on some nonlinear function of all input bits Examples: DES, MD5, SHA-1 In UNIX-based multiuser systems, the list of all information about all processes on system 34 Page 17

18 Crypto Key Infrastructure Goal: bind identity to key Classical: not possible as all keys are shared Use protocols to agree on a shared key (seen earlier) Public key: bind identity to public key Crucial as people will use key to communicate with principal whose identity is bound to key Erroneous binding means no secrecy between principals Assume principal identified by an acceptable name 35 Key Distribution Solutions Certificate Authority: Centralized Approach Has a very well publicized public key, so that clients can be sure that they re talking to the CA This is the public key version of the Kerberos protocol 36 Page 18

19 Digital Certificates A digital certificate is an assertion Digitally signed by a certificate authority, famous and with known public key An assertion Typically an identity assertion, sometimes a list of authorizations Create token (message) containing Identity of principal (here, ) Corresponding public key Timestamp (when issued) Other information (perhaps identity of signer) signed by trusted authority (here, Cathy) C A = { e A T } d C 37 Use gets s certificate If he knows Cathy s public key, he can decipher the certificate When was certificate issued? Is the principal? Now has s public key Problem: needs Cathy s public key to validate certificate Problem pushed up a level Two approaches: Merkle s tree, signature chains 38 Page 19

20 Certificate Signature Chains Create certificate Generate hash of certificate Encipher hash with issuer s private key Validate Obtain issuer s public key Decipher enciphered hash Recompute hash from certificate and compare Problem: getting issuer s public key 39 Key Distribution Solutions Certificate Authority: Distributed Approach PGP web of trust Each client maintains a list of Who you know Transitive set of people that they have introduced you to Confidence ratings on Their identity Their veracity 40 Page 20

21 Storing Keys Multi-user or networked systems: attackers may defeat access control mechanisms Encipher file containing key Attacker can monitor keystrokes to decipher files Key will be resident in memory that attacker may be able to read Use physical devices like smart card Key never enters system Card can be stolen, so have 2 devices combine bits to make single key 41 Key Revocation Certificates invalidated before expiration Usually due to compromised key May be due to change in circumstance (e.g., someone leaving company) Problems Entity revoking certificate authorized to do so Revocation information circulates to everyone fast enough Network delays, infrastructure problems may delay information 42 Page 21

22 Key secrecy There are problems with truly secret keys: What if someone loses or forgets a key? What if the holder of the key resigns or is killed? What if the user is a criminal? On the other hand simply divulging the key to anybody (even - or perhaps especially! - the government) is very insecure Encryption Dilemma Public s need for secure communication Government s need for lawful access to information 43 Key Escrow A proposed solution is Key Escrow: The private key is broken into pieces, which can be verified to be correct Each piece is given to some authority The whole key can only be reconstructed if all the authorities agree This is the basis of the US Clipper Chip Page 22