Cryptography and Security in Communication Networks. Data authentication. ETTI - Master - Advanced Wireless Communications


1 Cryptography and Security in Communication Networks. Data authentication. ETTI - Master - Advanced Wireless Communications

2 Overview
Outline
Data integrity. Data-origin authentication. Digital signature.
Cryptographic hash functions: Definition. Security properties and requirements. Iterated hash functions. Constructions based on block ciphers. Dedicated algorithms.
Message Authentication Code (MAC) schemes: Definition. Security model and requirements. Iterated MAC algorithms. Constructions based on block ciphers. Constructions based on hash functions.
Digital signature schemes: Definition. Security model. RSA digital signatures. Digital signature schemes based on the discrete logarithm problem.
Octavian Catrina

3 Data integrity
Data integrity: Detects unauthorized data substitution, insertion, or deletion.
Non-malicious (accidental) modifications. Example: data transmission errors. Defense: error detection codes (CRC, XOR checksum).
Malicious (intentional) modifications. Example: modify a $10 money transfer by adding five 0s. Defense: secure modification detection methods, usually based on a secure hash function.
Generic terms: Modification Detection Code (MDC) or Message Integrity Check (MIC).
[Figure: Generic model for modification detection. The message m crosses an unsecured channel. MDC generation H: H(m) = c; the MDC must be protected (integrity, authentication). MDC verification V: {accept, reject}.]

4 Data-origin authentication
Data-origin authentication makes it possible to verify the identity of the message originator through evidence associated with the message.
Data-origin authentication implies data integrity. Usually they cannot be separated, so integrity mechanisms implicitly provide data-origin authentication, and vice versa.
Data origin can be proved by knowledge of a secret.
Message authentication code: symmetric key scheme (secret key).
Digital signature: asymmetric key scheme (key pair: private, public).
[Figure: Data authentication using a message authentication code (MAC). The message m and c cross unsecured channels. MAC generation H_K: H_K(m) = c. MAC verification V_K: {accept, reject}. Key generation produces K; distribution of the secret key K requires confidentiality and authentication.]

5 Digital signatures
Assurance of data integrity and origin is not sufficient when the communicating parties do not trust each other:
Sender can deny having sent the message (origin repudiation).
Receiver can forge the received message.
A digital signature provides data integrity and origin assurance as well as non-repudiation.
Private key for signing. Public key for verifying the signature.
Resolution of disputes: A trusted third party can verify the signature without knowing the secret signing key.
[Figure: Data authentication using a digital signature scheme. The message m and s cross unsecured channels. Signature generation S_Ks: S_Ks(m) = s. Signature verification V_Kv: {accept, reject}. Key-pair generation produces K_s and K_v; distribution of the public key K_v requires authentication.]

6 Cryptographic Hash Functions

7 Cryptographic hash functions
Hash function: A hash function is a mapping h :, where = {0,1}* is the set of input strings and = {0,1}^n is the set of n-bit hash values.
General properties
Compression: maps an input bit-string x of finite arbitrary length to an output bit-string h(x) of fixed length.
Ease of computation: h(x) is easy to compute for any x.
Cryptographic hash functions
Special algorithms that satisfy a set of specific properties.
Main application: data authentication schemes (data integrity, message authentication, digital signature).
Other applications: algorithms for pseudorandom sequence generation, in particular key expansion.
[Figure: message x of arbitrary length -> hash function h -> h(x), a fixed-length hash value (e.g., 160, 256, 512 bits).]

8 Security properties 1/2
Preimage resistance (one-way function)
Given a hash value y, it is computationally infeasible to find a message x such that h(x) = y (find any preimage x of y).
Brute force attack is expected to require 2^n trials on average.
Second-preimage resistance
Given a message x, it is computationally infeasible to find another message x', x' ≠ x, such that h(x') = h(x) (find a 2nd preimage x' of y = h(x), besides x).
Brute force attack is expected to require 2^n trials on average.
Collision resistance
It is computationally infeasible to find any two messages (x, x') such that x ≠ x' and h(x) = h(x').
Brute force attack is expected to find a collision with high probability after O(2^(n/2)) trials (birthday paradox).

9 Security properties 2/2
Relations between properties
Collision resistance is the strongest requirement: it implies 2nd-preimage resistance; it also implies preimage resistance (for usual hash function constructions).
Applications may need only a subset of these properties.
Summary of security requirements
Ensure that no cryptanalytic attack is more efficient than the brute force attacks (e.g., differential cryptanalysis, etc.).
An n-bit hash function should require 2^n operations to find a preimage or 2nd-preimage, and 2^(n/2) operations for a collision.
The mapping should be "random" and regular ( h^-1(y) roughly equal to / ).
Hash value length
Currently, min n = 256 bits for collision resistance.
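The gap between the 2^n bound for a 2nd preimage and the 2^(n/2) bound for a collision can be measured on a deliberately short hash. The Python sketch below is an added example, not part of the original slides; the truncation of SHA-256 to n = 16 bits and all function names are assumptions chosen so that both searches finish quickly.

```python
import hashlib


def truncated_hash(msg: bytes, n_bits: int) -> int:
    """Toy n-bit hash: the leftmost n_bits of SHA-256(msg), as an integer."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - n_bits)


def candidate(i: int) -> bytes:
    """i-th distinct candidate message (constructed sample input)."""
    return b"candidate-%d" % i


def find_collision(n_bits: int):
    """Birthday search: return (x, x2, trials) with x != x2 and h(x) == h(x2)."""
    seen = {}  # hash value -> first message that produced it
    i = 0
    while True:
        msg = candidate(i)
        i += 1
        h = truncated_hash(msg, n_bits)
        if h in seen:
            return seen[h], msg, i
        seen[h] = msg


def find_second_preimage(x: bytes, n_bits: int, max_trials: int):
    """Exhaustive search: return (x2, trials) with x2 != x and h(x2) == h(x),
    or (None, max_trials) if the budget is exhausted."""
    target = truncated_hash(x, n_bits)
    for i in range(max_trials):
        msg = candidate(i)
        if msg != x and truncated_hash(msg, n_bits) == target:
            return msg, i + 1
    return None, max_trials


if __name__ == "__main__":
    n = 16
    x, x2, c_trials = find_collision(n)
    y2, p_trials = find_second_preimage(b"fixed message", n, 1 << 21)
    print(f"n = {n}: collision after {c_trials} hashes (2^(n/2) = {1 << (n // 2)})")
    print(f"n = {n}: 2nd preimage after {p_trials} hashes (2^n = {1 << n})")
```

Each extra bit of hash length doubles the 2nd-preimage work but multiplies the collision work only by about 1.41, which is why a 256-bit hash gives 128-bit collision resistance.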

10 Iterated hash functions
Typical structure of a hash function
Input strings of arbitrary length are processed as a sequence of blocks by a compression function with fixed-length input.
Chaining of intermediate results ensures that the hash value depends on all message bits.
Preprocessing:
Pad the input string such that |m| ≡ 0 mod b.
Parse m as m_0 ∥ m_1 ∥ ... ∥ m_{L-1} such that |m_i| = b.
Hash computation:
v_0 = IV (fixed)
v_{i+1} = f(v_i, m_i), for 0 ≤ i ≤ L-1
h(m) = v_L
[Figure: chain IV = v_0 -> f -> v_1 -> f -> v_2 ... v_{L-1} -> f -> v_L = h(m), with the b-bit input blocks m_0, m_1, ..., m_{L-1} feeding the successive f boxes. v_i = chaining variable (n bits), m_i = i-th input block, IV = initialization value, f = compression function.]

11 Security of iterated hash functions
Compression function
Must satisfy the security properties of a hash function: 1st-preimage and 2nd-preimage resistance (O(2^n)), collision resistance (O(2^(n/2))).
Initial value (IV) is fixed
To avoid trivial collisions. E.g., h(m) = h'(m'), where m' is obtained from m by discarding m_0 and IV' = v_1.
Merkle-Damgård theorem
Assume that the padding is an injective function x -> x ∥ pad(x) such that |x ∥ pad(x)| = 0 mod b, and pad(x) includes the length of the original message at the end (M-D strengthening).
Then, if the compression function is collision resistant, the hash function is also collision resistant.
Hence, the construction is safe. The design (and cryptanalysis) can focus on the compression function.

12 Hash functions based on block ciphers
Motivation
Designing a secure compression function from scratch is a difficult task.
We can try to construct it using an existing, trusted primitive: a block cipher.
Examples
Two dual constructions that are provably secure compression functions (other variants exist).
Matyas-Meyer-Oseas: v_{i+1} = E_{v_i}(x_i) ⊕ x_i
Davies-Meyer: v_{i+1} = E_{x_i}(v_i) ⊕ v_i
Similar constructions are used in the compression function of dedicated hash functions.
Disadvantages
Block ciphers are not actually designed to operate like this.
Block length might be insufficient: e.g., AES offers only 128 bits.
Slower than dedicated hash algorithms.
[Figure: the two constructions drawn as a block cipher E with key input K. Matyas-Meyer-Oseas: key v_i, data x_i. Davies-Meyer: key x_i, data v_i.]

13 Dedicated hash algorithms
Dedicated algorithms
Optimized design of the compression function.
The MD4 (Message Digest) family
MD4: Algorithm designed in 1990 by Ron Rivest (b = 512 bits, n = 128 bits). Innovative, optimized for SW implementation.
MD5: Strengthened variant of MD4 introduced in 1991 (to eliminate some MD4 weaknesses).
The main hash algorithms designed during are based on the MD4/MD5 design ideas: SHA algorithms (NIST), RIPEMD algorithms (Europe), HAVAL (Australia).
MD5 and later SHA-1: most widely used hash functions.
Successful cryptanalytic attacks on MD4 and MD5
Collision attacks on MD4, 1996 and later: seconds on a PC.
Successful collision attacks on MD5 in : 2^34 hash operations (instead of 2^64).
Collision resistance is broken.

14 SHA hash functions
SHA: Secure Hash Algorithm
SHA-1: NIST, 1995, FIPS Enhanced variant of MD4/5.
SHA-2: NIST, 2002, FIPS Algorithms with longer hash values, added to provide a security level matching that of the AES block cipher. Still follow the MD family approach.
SHA-3: NIST. Approved in Final stage of standardization. Different kind of hash function algorithm.
[Table: columns SHA-1, SHA-256, SHA-384, SHA-512; rows: size of hash value (n), message block size (b), number of rounds/steps, best collision attack: 2^66 (attack) <]
In 2004, NIST was still trusting SHA-1, planning to remove it in 2010 (cryptanalytic attacks found in 2004 were not convincing).
However, successful collision attacks on SHA-1 were reported in 2005, with 2^69 hash operations, later improved to

15 MAC schemes

16 Message Authentication Code
MAC algorithm
A MAC algorithm is a family of functions h :, where = {0,1}^k is the set of keys, = {0,1}* is the set of messages, and = {0,1}^n is the set of authentication codes.
Each key K selects a MAC function instance h_K :, h_K(x) = h(K, x).
Hence, a MAC is a keyed hash function.
Basic properties
Compression: maps an input bit-string x of finite arbitrary length to an output bit-string h_K(x) of fixed bit-length.
Ease of computation: h_K(x) is easy to compute for any K and input x.
Applications
Message authentication (data-origin authentication).
Also, pseudorandom sequence generation, key expansion.
[Figure: secret key K and message m of arbitrary length -> MAC function h_K -> h_K(x), a fixed-length MAC value (e.g., 128 bits).]

17 Security model for MAC
Review of security models
Security model: must take into account the goals of the adversary, the attack models, and the resources.
Security statement: An adversary cannot achieve a particular goal, in a specified attack model, given specified resources.
General assumption
An adversary knows the MAC algorithm, but does not know the secret MAC key.
Attack models
Specify what additional information an attacker can obtain: known-message, chosen-message, side-channel.
Basic adversary goal for message authentication
The basic goal is to forge messages: produce a message-MAC pair (x, h_K(x)) that is accepted by the verification algorithm.

18 Attack models for MAC
Known-message attack (KMA)
The adversary obtains one or more message-MAC pairs (x_i, h_K(x_i)).
Usually, a passive attack is sufficient. Most MAC applications expose large amounts of message-MAC pairs (messages with MAC only, or encrypt the MAC).
Chosen-message attack (CMA)
The adversary can choose one or more messages and is given the corresponding MAC strings.
Active, stronger attack. Equivalent to (black-box) access either to the MAC generation module, or to the MAC verification module (guess and verify).
Can be adaptive or non-adaptive.
Some typical applications (e.g., authentication protocols) expose the MAC to such attacks.
Side-channel attacks
Computation duration, power consumption, etc.

19 Types of forgery
Adversary goals for MAC
Selective forgery: Produce a new message-MAC pair for any message (at least partially control message contents).
Existential forgery: Produce a new message-MAC pair, but with no control over the message contents.
Verifiable forgery: The adversary knows that the message-MAC pair he produced is correct (selective or existential forgery).
Concrete goals
Key recovery: Total break, allows verifiable selective forgery.
Message forgery: Forge individual messages (find MAC for given message, find message for given MAC).
Comparison
Total break is the strongest goal.
Existential forgery is the weakest (the message might not "make sense" for the app.).

20 Security requirements
Standard (strong) security requirement
UF-CMA (Unforgeability under Chosen-Message Attack): Existential forgery (weakest goal) is computationally infeasible under adaptive chosen-message attacks (strongest attacks).
Given any set of message-MAC pairs {(x_i, h_K(x_i))}, for some unknown key K, it is computationally infeasible to find any message-MAC pair (x, h_K(x)) with x ≠ x_i.
Formally defined using experiments (game) as for encryption.
MAC and random functions
A random function would be an ideal MAC. (Why?)
Practically, we try to construct a secure pseudorandom function h : {0,1}^k × {0,1}* -> {0,1}^n. Security parameters are k and n.
We assume in the following a MAC algorithm that behaves like a pseudorandom function.

21 Brute force attacks
Key recovery (exhaustive key search)
Start from a known pair (m, h_K0(m)), try all the 2^k key values K, checking if h_K(m) = h_K0(m).
There are about 1 + 2^k/2^n candidate keys. Must check about k/n more pairs to find the right one.
Overall complexity: O(2^k) MAC computations, and 1 + k/n pairs.
Can be done off-line.
Message forgery using brute force
Given a message m, guess h_K(m): success probability is 2^-n.
Given h_K(m), find a preimage m: success probability is 2^-n.
In all these cases, forgery must be verified on-line.
Conclusion: security requirements
About min(2^n, 2^k) MAC computations for brute force attacks.
Ensure that no shortcut attack can do better.

22 Iterated MAC algorithms
Typical MAC algorithm construction
Similar to hash functions: Process messages of arbitrary length by iterating a compression function with fixed-length inputs.
The MAC key can be added as: initial value (IV), message prefix and/or suffix, keyed compression function, etc.
Constructions based on block ciphers and hash functions.
Collision attack on iterated MAC algorithms
Collisions of the compression function enable verifiable forgery:
If h_K(m) = h_K(m') due to a collision of the compression function, then h_K(m ∥ y) = h_K(m' ∥ y) for any block y.
Obtain h_K(m ∥ y) and you learn h_K(m' ∥ y).
About O(2^(c/2)) input blocks are sufficient to find a collision of the compression function with high probability, where c is the length of the chaining variable. Must be obtained on-line.

23 Basic CBC-MAC
Basic CBC-MAC:
v_0 = IV (usually IV = 0)
v_{i+1} = E_K(m_i ⊕ v_i), for 0 ≤ i ≤ L-1
h_K(m) = v_L
Fixed IV = 0. Padding: 10*. MAC_K = v_L.
The IV must be fixed to prevent trivial forgery of the first block: one can replace m_0 by any m'_0 by using v'_0 such that v'_0 ⊕ m'_0 = v_0 ⊕ m_0.
Basic CBC-MAC is provably secure for fixed-length messages, assuming that the block cipher is a pseudorandom permutation.
However, it is NOT secure for variable-length messages. Vulnerable to XOR forgery.
Example: knowing (m, h_K(m)), where m is an n-bit message, the adversary can compute (m', h_K(m')), where m' = m ∥ (m ⊕ IV ⊕ h_K(m)) and h_K(m') = h_K(m).
Hence, not really useful.
[Figure: CBC chain v_0 = IV, m_0 -> E_K -> v_1, m_1 -> E_K -> v_2, ..., m_{L-1} (+pad) -> E_K -> v_L, every block encrypted under K.]

24 Example: XOR forgery on CBC-MAC
Simple XOR forgery:
Append m_1 = m_0 ⊕ IV ⊕ h_K(m_0).
Another XOR forgery:
Concatenate the messages m and m'.
We want: m'_0 ⊕ IV = m''_0 ⊕ h_K(m).
Hence: m''_0 = m'_0 ⊕ IV ⊕ h_K(m).
[Figure: CBC-MAC chains for both forgeries. Simple forgery: IV, m_0 -> E_K -> h_K(m_0), extended by the block m_1 = m_0 ⊕ IV ⊕ h_K(m_0). Other forgery: the chains for m = m_0, m_1 (giving h_K(m)) and m' = m'_0, m'_1 (giving h_K(m')) are joined by replacing m'_0 with m'_0 ⊕ IV ⊕ h_K(m); the result has MAC h_K(m').]

25 EMAC (Encrypted MAC)
EMAC
Add an output transformation: encrypt with a different key K', usually derived from K (no need for an independent key).
Fixed IV = 0. Padding: 10*. MAC_K(m) = E_K'(v_L).
EMAC security
Eliminates CBC-MAC weaknesses (but forgery based on internal collisions remains possible).
Provably UF-CMA secure for messages of arbitrary length (unforgeability under chosen-message attacks).
[Figure: CBC chain v_0 = IV, m_0 -> E_K -> v_1, ..., m_{L-1} (+pad) -> E_K -> v_L, followed by the output transformation v_L -> E_K'.]
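The effect of the EMAC output transformation on the XOR forgery of slides 23 and 24 can be checked directly. The Python sketch below is an added example, not part of the original slides; the Feistel cipher standing in for E, the derivation of K', the restriction to whole blocks (padding omitted) and the sample messages are all assumptions made so that it runs with the standard library only.

```python
import hashlib
import hmac

BLOCK = 16          # block length in octets (n = 128 bits)
IV = bytes(BLOCK)   # fixed IV = 0, as on the slides


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def E(key: bytes, block: bytes) -> bytes:
    """Toy 128-bit block cipher: 4-round Feistel network with a SHA-256 round
    function. Stand-in for a real cipher such as AES; not a vetted design."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right


def cbc_chain(key: bytes, msg: bytes) -> bytes:
    """v_0 = IV, v_{i+1} = E_K(m_i xor v_i); returns v_L."""
    if not msg or len(msg) % BLOCK:
        raise ValueError("example handles whole blocks only (padding omitted)")
    v = IV
    for i in range(0, len(msg), BLOCK):
        v = E(key, xor(msg[i:i + BLOCK], v))
    return v


def cbc_mac(key: bytes, msg: bytes) -> bytes:
    """Basic CBC-MAC: MAC_K(m) = v_L."""
    return cbc_chain(key, msg)


def emac(key: bytes, msg: bytes) -> bytes:
    """EMAC: MAC_K(m) = E_K'(v_L), with K' derived from K (assumed derivation)."""
    k_prime = hashlib.sha256(b"emac-output-key" + key).digest()
    return E(k_prime, cbc_chain(key, msg))


def verify(mac_fn, key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_fn(key, msg), tag)


def xor_forgery(m: bytes, tag_m: bytes, m2: bytes, tag_m2: bytes):
    """'Another XOR forgery' of slide 24, built from two known message-MAC
    pairs only: m || (m2_0 xor IV xor tag_m) || m2_1 ..., claimed MAC tag_m2."""
    first = xor(xor(m2[:BLOCK], IV), tag_m)
    return m + first + m2[BLOCK:], tag_m2


def forgery_accepted() -> dict:
    """Run the forgery against both MACs; True means the verifier accepts it."""
    key = bytes(range(16))                             # constructed demo key
    m = b"first known message".ljust(32, b".")         # constructed, 2 blocks
    m2 = b"second known message".ljust(32, b".")       # constructed, 2 blocks
    result = {}
    for name, mac_fn in (("cbc-mac", cbc_mac), ("emac", emac)):
        forged, tag = xor_forgery(m, mac_fn(key, m), m2, mac_fn(key, m2))
        result[name] = verify(mac_fn, key, forged, tag)
    return result


if __name__ == "__main__":
    print(forgery_accepted())
```

The forged message verifies under basic CBC-MAC because the published MAC is the chaining value v_L itself; under EMAC the adversary only sees E_K'(v_L), so the spliced block no longer cancels the chaining value.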

26 CMAC
CMAC (Cipher-based MAC)
Avoids EMAC's additional encryption and re-keying of the block cipher.
Avoids a full block of padding when |m| mod n = 0.
Uses 3 keys that can be derived from a common MAC key.
NIST standard (SP B), based on earlier proposals from the research community (XCBC, OMAC).
Fixed IV = 0. Padding: 10*. MAC_K = v_L.
CMAC security
As secure as EMAC (formal proof).
[Figure: CBC chain under K_1: IV, m_1 -> E_K1 -> v_1, m_2 -> E_K1 -> v_2, ..., v_{L-1}, m_{L-1} (+pad) -> E_K1 -> v_L; the last block also takes K_2 if m_{L-1} is not padded, or K_3 if m_{L-1} is padded.]

27 MAC based on hash functions
Some simple but insecure methods
Assume an iterated hash function. We want a MAC algorithm that uses the hash function without any modification and is secure assuming standard hash function security requirements.
Secret prefix: h(K ∥ m), vulnerable to message extension attack.
Secret suffix: h(m ∥ K), vulnerable to collision attack.
Envelope method: h(K ∥ m ∥ K'), OK, but we can do better.
[Figure: iterated hash starting from IV, with compression function f applied to the b-bit blocks K, m_0, m_1, ..., m_{L-1}, K'; K is the prefix, K' the suffix, both together the envelope.]

28 HMAC
HMAC (Hash-based MAC)
Widely used MAC algorithm. Simple, efficient.
Standards: RFC 2104, NIST FIPS 198, ISO , ANSI X9.71.
HMAC_K(m) = h((K_0 ⊕ opad) ∥ h((K_0 ⊕ ipad) ∥ m))
Provably secure assuming that h is a collision resistant hash function, and f is a secure MAC function with fixed-length data input and key as chaining variable input.
K_0 = K extended to b bits by padding with 0
ipad = octet 0x36 repeated b/8 times
opad = octet 0x5c repeated b/8 times
K' = K_0 ⊕ ipad, K'' = K_0 ⊕ opad
HMAC_K(m) = h(K'' ∥ h(K' ∥ m))
[Figure: two iterated hash chains. Inner: IV, K_0 ⊕ ipad -> f (pre-computed), then m_0, m_1, ..., m_{L-1} (+pad) -> f, giving h(K' ∥ m). Outer: IV, K_0 ⊕ opad -> f (pre-computed), then h(K' ∥ m) (+pad) -> f, giving HMAC_K(m).]
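The HMAC formula and the "pre-computed" first compression steps of the figure translate directly into code. The Python sketch below is an added example, not part of the original slides; it fixes h = SHA-256 (b = 512 bits), follows RFC 2104 in hashing keys longer than b before padding, and its function and class names are assumptions.

```python
import hashlib
import hmac

B = 64  # block length b of SHA-256, in octets


def _keyed_pads(key: bytes):
    """Return (K_0 xor ipad, K_0 xor opad) for the given key."""
    if len(key) > B:
        key = hashlib.sha256(key).digest()  # RFC 2104: long keys are hashed first
    k0 = key.ljust(B, b"\x00")              # K_0 = K extended to b bits with 0
    return bytes(x ^ 0x36 for x in k0), bytes(x ^ 0x5C for x in k0)


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC_K(m) = h((K_0 xor opad) || h((K_0 xor ipad) || m))."""
    k_in, k_out = _keyed_pads(key)
    inner = hashlib.sha256(k_in + msg).digest()
    return hashlib.sha256(k_out + inner).digest()


class PrecomputedHmac:
    """Same MAC, with the two key-dependent compression steps done once.

    The hash states after absorbing K' = K_0 xor ipad and K'' = K_0 xor opad
    are stored and copied for every message, so each MAC costs only the
    message blocks plus one extra compression for the outer hash.
    """

    def __init__(self, key: bytes):
        k_in, k_out = _keyed_pads(key)
        self._inner = hashlib.sha256(k_in)
        self._outer = hashlib.sha256(k_out)

    def tag(self, msg: bytes) -> bytes:
        inner = self._inner.copy()
        inner.update(msg)
        outer = self._outer.copy()
        outer.update(inner.digest())
        return outer.digest()

    def verify(self, msg: bytes, tag: bytes) -> bool:
        # Constant-time comparison, so the check does not leak how many
        # leading octets of a guessed MAC were correct.
        return hmac.compare_digest(self.tag(msg), tag)


if __name__ == "__main__":
    key = b"constructed demo key"  # constructed sample input
    msg = b"constructed demo message"
    mac = PrecomputedHmac(key)
    print(mac.tag(msg).hex())
    print(mac.tag(msg) == hmac.new(key, msg, hashlib.sha256).digest())
```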

29 Digital signature schemes

30 Definition
A digital signature scheme (with appendix) is a 5-tuple (,,,, ):
and are finite sets. is the set of messages that can be signed. is the set of possible signatures.
is a randomized key generation algorithm. It outputs a key pair (K_s, K_v) from a key space. K_s is the private key used for signature generation. K_v is the matching public key used for signature verification.
is a signature generation algorithm. Inputs are the private key K_s and a message m. The output is a signature S_Ks(m).
is a deterministic signature verification algorithm. Inputs are the public key K_v, a message m, and a signature s. The output is a result V_Kv(m, s) in {accept, reject}.
For any (K_s, K_v) and m, the algorithms and satisfy: If s = S_Ks(m) then V_Kv(m, s) = accept, otherwise V_Kv(m, s) = reject.

31 Basic requirements
Prevent forgery
Given the public key K_v, it is computationally infeasible to find the private signing key K_s.
Without K_s, it is computationally infeasible to find m and s such that V_Kv(m, s) = true.
Only the owner of the key pair can generate a valid signature: data authentication and non-repudiation.
Efficient signing and verification
Signature with appendix (usual solution): Hash the message and then apply the signing algorithm to the hash value.
[Figure: the message m and s cross unsecured channels. Signature generation S_Ks: S_Ks(m) = s. Signature verification V_Kv: {accept, reject}. Key-pair generation produces K_s and K_v; distribution of the public key K_v requires authentication.]

32 Security model 1/2
General assumption
An adversary knows the digital signature algorithm and the public key, but does not know the private key.
General goal of an adversary
Forge messages/signatures: produce a message-signature pair (x, s) that is accepted by the signature verification algorithm. Similar to MAC schemes.
Particular goals
Key recovery: The adversary determines the private signing key. Total break.
Message forgery: Selective or existential forgery of individual messages; verifiable or not.
Existential forgery is the weakest achievement (the forged message might not even "make sense" for the application).

33 Security model 2/2
Key-only attack
The adversary knows only the public key (signature verification key).
Known-message attack (KMA)
The adversary obtains one or more message-signature pairs (x_i, S_Ks(x_i)).
Usually, a passive attack is sufficient.
Chosen-message attack (CMA)
The adversary can choose one or more messages and is given the corresponding signatures.
Active, stronger attack. Equivalent to (black-box) access to the signature generation module.
Side-channel attacks
Standard strong security requirement
UF-CMA (Unforgeability under Chosen-Message Attack): Existential forgery (weakest goal) is computationally infeasible under adaptive chosen-message attacks (strongest attacks).

34 RSA (textbook) digital signature
Key-pair generation
Use the same algorithm as for encryption to obtain p, q, n, e, d, where:
p, q are two random distinct primes.
n = pq, φ(n) = (p-1)(q-1).
1 < e < φ(n), gcd(e, φ(n)) = 1.
1 < d < φ(n), d = e^-1 mod φ(n).
Private key (sign): (d, n). Public key (verify): (e, n).
Signature generation
Message m, hash function H.
Compute: s = H(m)^d mod n.
The signature is s.
Verification
Signed message m', s'.
Compute: h' = (s')^e mod n.
Accept if h' = H(m'), else reject.
Correctness: RSA(m) = m^e mod n is the RSA permutation. Its inverse is RSA^-1(c) = c^d mod n. If m' = m, s' = s then h' = RSA(RSA^-1(H(m))) = H(m).
Security: Based on the assumption that RSA is one-way. However, in general, H(m) needs to be properly encoded before applying RSA^-1.
Performance is improved using the same methods as for encryption.

35 Practical RSA digital signatures
Why do we need to encode H(m)?
To extend H(m) to the RSA modulus length.
To avoid attacks based on RSA math properties.
To protect against chosen-message attacks (achieve UF-CMA).
RSA signature with encoded H(m)
Sign: Compute the encoded hash h = E(H(m)). Generate the signature using RSA^-1 and the private key: s = h^d mod n.
Verify: Compute RSA with the public key: h' = (s')^e mod n. If the encoding is incorrect, reject. If E^-1(h') = H(m'), accept, else reject.
[Figure: A signs m: m -> Hash H -> Encode E -> h -> RSA^-1 (h^d mod n, key (d, n)) -> s; (m, s) is sent. B verifies (m, s): s -> RSA (s^e mod n, key (e, n)) -> h'; m -> Hash H; valid encoding? equal hash value? -> accept/reject.]

36 Encoding methods for RSA signatures
PKCS #1 v1.5 encoding (mod 1 - signature)
Introduced in 1991, still widely used in practice due to its simplicity.
No security proof. Deterministic scheme.
[Figure: M -> Hash. Encoded string of k octets (modulus length): 0 | 1 | padding string (octets with value 0xFF, min 8 octets) | 0 | DER(hashAlgId, mHash) (max k-11 octets). DER(hashAlgId, mHash) is the ASN.1 DER encoding of the hash algorithm identifier and the message hash value.]
PSS: Probabilistic Signature Scheme
The RSA signature with PSS encoding is provably UF-CMA secure, assuming that RSA is a one-way permutation.
First proposed by Bellare and Rogaway in
RSA PSS is included in PKCS #1 v2.1, IEEE 1363a, ...
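The PKCS #1 v1.5 layout and the "incorrect encoding: reject" step of slide 35 can be exercised end to end. The Python sketch below is an added example, not part of the original slides; it assumes SHA-256 as H, a toy key built from two Mersenne primes (guessable, for demonstration only), and a verifier that rebuilds the expected encoding and compares the whole string instead of parsing the recovered one.

```python
import hashlib
import hmac

# Constructed toy key: two Mersenne primes. Demonstration only.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # d = e^-1 mod phi(n)
K = (N.bit_length() + 7) // 8       # modulus length k in octets

# DER header of DigestInfo for SHA-256 (hash algorithm id); the 32-octet
# hash value follows it.
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def encode(msg: bytes, k: int) -> bytes:
    """EM = 00 01 FF..FF 00 DER(hashAlgId, mHash), exactly k octets long."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(msg).digest()
    if len(t) > k - 11:
        raise ValueError("modulus too short for this hash")
    ps = b"\xff" * (k - len(t) - 3)  # at least 8 octets of 0xFF
    return b"\x00\x01" + ps + b"\x00" + t


def sign(msg: bytes) -> int:
    """s = h^d mod n with h = E(H(m))."""
    return pow(int.from_bytes(encode(msg, K), "big"), D, N)


def verify(msg: bytes, s: int) -> bool:
    """Recover h' = s^e mod n and accept only if it equals E(H(m)) exactly."""
    if not 0 < s < N:
        return False
    recovered = pow(s, E, N).to_bytes(K, "big")
    return hmac.compare_digest(recovered, encode(msg, K))


def textbook_verify(h: int, s: int) -> bool:
    """Textbook check on a raw integer h, with no encoding: h = s^e mod n."""
    return pow(s, E, N) == h % N


def product_of_signatures_accepted():
    """RSA math property the encoding guards against: the product of two
    textbook signatures verifies for the product of the two raw values,
    while the product of two encoded signatures fails the encoding check."""
    h1, h2 = 1234567, 7654321                        # constructed raw values
    s1, s2 = pow(h1, D, N), pow(h2, D, N)
    textbook = textbook_verify(h1 * h2, s1 * s2 % N)
    m1, m2 = b"message one", b"message two"          # constructed messages
    s3 = sign(m1) * sign(m2) % N
    encoded = verify(m1, s3) or verify(m2, s3)
    return textbook, encoded


if __name__ == "__main__":
    sig = sign(b"constructed demo message")
    print(verify(b"constructed demo message", sig))
    print(product_of_signatures_accepted())
```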

37 PSS encoding (PKCS #1 v2.1)
The diagram shows the PSS encoding according to PKCS #1 v2.1.
The verification operation follows the reverse steps to recover salt, and then the forward steps to re-compute and compare H.
MGF = Mask Generation Function. Pseudorandom function constructed using the hash function.
The string salt is randomly chosen for each signature.
Typical salt length sLen is either hLen or 0. The scheme with sLen = 0 is deterministic and known as FDH (Full Domain Hash).
The rightmost octet of the encoded string is a constant with the value 0xbc.
[Figure: PSS encoding. M -> Hash -> mHash (hLen octets); mHash and salt form a string of 8 + hLen + sLen octets -> Hash -> H (hLen octets); H -> MGF -> mask for the block containing salt, giving maskedDB (emLen - hLen - 1 octets); encoded string of emLen octets: maskedDB, H, bc.]

38 Signatures based on discrete logarithms
A first example: ElGamal digital signature scheme
Domain parameters (public): (p, g)
Select a large prime p and a generator g of Z*_p.
Key-pair generation: (x, y)
Choose a random secret x, 1 ≤ x ≤ p-2, compute y = g^x mod p.
Private key: x, (p, g). Public key: y, (p, g).
Signature generation: (r, s)
Message m, hash function H.
Select a random secret k, 1 ≤ k ≤ p-2, gcd(k, p-1) = 1.
Compute: r = g^k mod p and s = k^-1 (H(m) - xr) mod (p-1).
The signature is (r, s).
Signature verification
Signed message m', (r', s').
If r', s' are out of range, then reject.
Compute: v_1 = y^r' r'^s' mod p, v_2 = g^H(m') mod p.
Verification: Accept if v_1 = v_2, else reject.
Correctness (hint): The scheme verifies that g^H(m') ≡ g^(xr' + ks') (mod p).
Strong security requires working in a group of prime order. See DSA.

39 Digital Signature Algorithm (DSA)
DSA was designed by NIST and NSA. Published in FIPS 186, 1991, and updated several times. Current version: FIPS 186-4,
Variant of the ElGamal signature scheme for a subgroup of Z*_p with prime order: best DLP algorithms have exponential complexity.
Now also defined for groups based on elliptic curves (ECDSA).
Generation of DSA domain parameters: (p, q, g)
Select prime q of N bits.
Select prime p of L bits such that q divides (p - 1).
Determine g = h^((p-1)/q) mod p such that g ≠ 1 for some integer h, 1 < h < (p - 1).
(This implies g^q ≡ 1 mod p, hence g has order q in Z*_p, i.e., g generates a subgroup of Z*_p of order q.)
L = bit-length of prime p, N = bit-length of prime q: 2^(L-1) < p < 2^L, 2^(N-1) < q < 2^N.
Variants in FIPS 186-4: L = 1024, N = 160; L = 2048, N = 224; L = 3072, N = 256.
Generation of DSA (private, public) key pair: (x, y)
Select a random integer x, 1 < x < q.
Compute y = g^x mod p.
Private key: x, (p, q, g). Public key: y, (p, q, g).

40 DSA: Signature and verification
Signature generation: (r, s)
Message m, hash function H. Private key (x, (p, q, g)).
Select a random integer k, 1 < k < q. k = per-message secret number.
r = (g^k mod p) mod q.
s = k^-1 (H(m) + xr) mod q. (Use a hash function with hLen = N bits.)
Signature: (r, s).
Signature verification
Signed message m', (r', s'). Authentic public key (y, (p, q, g)).
If r', s' are out of range then reject.
w = (s')^-1 mod q.
u_1 = w H(m') mod q.
u_2 = w r' mod q.
v = (g^u_1 y^u_2 mod p) mod q.
Verification: Accept if v = r'.
Correctness of the verification
g = h^((p-1)/q) mod p implies (1) g^q ≡ 1 (mod p), which implies (2) a ≡ b (mod q) => g^a ≡ g^b (mod p).
Substituting y = g^x mod p in v, we obtain: (3) v = (g^(u_1 + x u_2) mod p) mod q.
(4) u_1 + x u_2 ≡ (s')^-1 (H(m') + xr') (mod q);
(5) s^-1 ≡ k (H(m) + xr)^-1 (mod q).
If m' = m, s' = s, r' = r, then (4, 5) imply (6) (u_1 + x u_2) ≡ k (mod q).
Finally, (3, 6, 2) imply v = (g^k mod p) mod q = r.

41 Forgery using attacks on hash functions
If H(m) = H(m') then S_Ks(H(m)) = S_Ks(H(m')). If you know the signature of m, you know the signature of m'.
Attack on 2nd pre-image resistance
Given (m, s = S_Ks(H(m))), find m' such that H(m') = H(m).
E.g., forge a signed document (attack integrity/authenticity).
Complexity for n-bit hash (brute force attack): O(2^n).
Attack on collision resistance
Find (m, m') such that H(m') = H(m), then obtain s = S_Ks(H(m)).
E.g., forge a document before signing (also attack non-repudiation).
Complexity for n-bit hash (brute force attack): O(2^(n/2)).
[Figure: A signs m: m -> Hash -> H(m) -> Sign with K_s -> s; (m, s) is sent. B verifies m: m -> Hash -> H(m); s -> Verify with K_v -> accept/reject.]

42 DS attacks based on hash collisions
Forgery scenarios (examples)
A dishonest signer provides to another party his signature on m'_1 and later repudiates signing m'_1, claiming that the message signed was m'_2.
A dishonest verifier convinces an unsuspecting party to sign a message m'_1, and later claims that party's signature on m'_2.
Birthday attack on digital signatures (Yuval, 1979)
Input: legitimate message m_1, fraudulent message m_2, n-bit hash function H.
Output: (m'_1, m'_2), variants of (m_1, m_2), with H(m'_1) = H(m'_2). A signature on m'_1 can serve as a valid signature on m'_2.
1. Generate 2^(n/2) minor modifications m'_1 of m_1.
2. Hash each such modified message and store the hash values.
3. Generate minor modifications m'_2 of m_2, compute H(m'_2) for each, and check for matches with any H(m'_1) computed before. Continue until a match is found.
According to the birthday paradox, a match can be expected after checking about 2^(n/2) candidates.
Interesting, but in real life?

43 Rogue PKCs from MD5 collisions 1/5
Web site authentication using public-key certificates (PKC)
Step 1 shows how the CA's PKC is distributed to the user's browser via the browser vendor. The CA PKC appears in the browser's list of trusted CAs (which are implicitly also trusted by the user).
Step 2 shows how the CA issues the server's PKC. The server generates the key pair, and sends the public key and server DNS name to the CA. The CA makes the necessary verification and issues a PKC binding the public key to the server's name.
Step 3 is the TLS/SSL connection setup. The browser authenticates the server as follows:
- The server owns a key pair. The server's name is associated to the public key by a PKC signed by a CA (green).
- During the authentication protocol, the server sends to the browser the PKC and an authenticator that proves knowledge of the corresponding private key (e.g., by signing a challenge string).
- The browser verifies the PKC, to authenticate the server's key, using the CA's public key, which is distributed in a CA PKC (white). Then it verifies the authenticator sent by the server (e.g., by verifying the received signature for the challenge string).

44 Rogue PKCs from MD5 collisions 2/5
Attack on web site authentication
Uses PKCs that are forged using collisions of the MD5 hash function.
In this example, the goal is to forge a CA PKC (not just a server PKC), and thus become a rogue CA.
The attacker can use the private key of the rogue CA to issue fake PKCs for any website (red). If the CA is in the browsers' trust list, all browsers accept these fake PKCs.
A successful attack was first presented at the 25th Chaos Communication Congress, Berlin, Dec. 2008: "MD5 considered harmful today. Creating a rogue CA Certificate." This was followed by several research papers published in
The attacker finds 2 PKCs with the same MD5 hash using a cryptanalytic attack: a legitimate PKC and a fake CA PKC.
The CA signs the legitimate PKC (blue). The same signature is valid for the fake CA PKC (black).

45 Rogue PKCs from MD5 collisions 3/5
Legitimate PKC obtained by the adversary from the CA.
Data:
  Version: 3 (0x2)
  Serial Number: (0x9cfc7)
  Signature Algorithm: md5WithRSAEncryption
  Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
  Validity
    Not Before: Nov 3 07:52: GMT
    Not After : Nov 4 07:52: GMT
  Subject: C=US, O=i.broke.the.internet.and.all.i.got.was.this.t-shirt.phreedom.org, OU=GT , OU=See (c)08, OU=Domain Control Validated - RapidSSL(R), CN=i.broke.the.internet.and.all.i.got.was.this.t-shirt.phreedom.org
  Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    Public-Key: (2048 bit)
    Exponent: (0x10001)
  X509v3 extensions:
    X509v3 Key Usage: critical
      Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
    X509v3 Subject Key Identifier: CD:A6:83:FA:A5:60:37:F7:96:37:17:29:DE:41:78:F1:87:89:55:E7
    X509v3 CRL Distribution Points: Full Name: URI:
    X509v3 Authority Key Identifier: keyid:be:a8:a0:74:72:50:6b:44:b7:c9:23:d8:fb:a8:ff:b3:57:6b:68:6c
    X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication
    X509v3 Basic Constraints: critical
      CA:FALSE
Signature Algorithm: md5WithRSAEncryption
  a7:21:02:8d:d1:0e:a2:80:77:25:fd:43:60:15:8f:ec:ef:90:47:d4:84:42:15:26:11:1c:cd:c2:3c:10:29:a9:b6:df:ab:57:75:91:da:e5:2b:b3:90:45:1c:30:63:56:3f:8a:d9:50:fa:ed:58:6c:c0:65:ac:66:57:de:1c:c6:76:3b:f5:00:0e:8e:45:ce:7f:4c:90:ec:2b:c6:cd:b3:b4:8f:62:d0:fe:b7:c5:26:72:44:ed:f6:98:5b:ae:cb:d1:95:f5:da:08:be:68:46:b1:75:c8:ec:1d:8f:1e:7a:94:f1:aa:53:78:a2:45:ae:54:ea:d1:9e:74:c8:76:67
Annotations:
Subject: This is (supposed to be) a legitimate subject name...
Key Usage: Matching private key can be used for digital signature and public-key encryption.
Basic Constraints: This entity is NOT a CA.

46 Rogue PKCs from MD5 collisions 4/5
Rogue CA PKC based on MD5 collision. Compare the signature of this PKC with the signature of the previous PKC.
Data:
  Version: 3 (0x2)
  Serial Number: 65 (0x41)
  Signature Algorithm: md5WithRSAEncryption
  Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
  Validity
    Not Before: Jul 31 00:00: GMT
    Not After : Sep 2 00:00: GMT
  Subject: CN=MD5 Collisions Inc. (
  Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    Public-Key: (1024 bit)
    Exponent: (0x10001)
  X509v3 extensions:
    X509v3 Key Usage:
      Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
    X509v3 Basic Constraints: critical
      CA:TRUE
    X509v3 Subject Key Identifier: A7:04:60:1F:AB:72:43:08:C5:7F:08:90:55:56:1C:D6:CE:E6:38:EB
    X509v3 Authority Key Identifier: keyid:be:a8:a0:74:72:50:6b:44:b7:c9:23:d8:fb:a8:ff:b3:57:6b:68:6c
    Netscape Comment: 3
Signature Algorithm: md5WithRSAEncryption
  a7:21:02:8d:d1:0e:a2:80:77:25:fd:43:60:15:8f:ec:ef:90:47:d4:84:42:15:26:11:1c:cd:c2:3c:10:29:a9:b6:df:ab:57:75:91:da:e5:2b:b3:90:45:1c:30:63:56:3f:8a:d9:50:fa:ed:58:6c:c0:65:ac:66:57:de:1c:c6:76:3b:f5:00:0e:8e:45:ce:7f:4c:90:ec:2b:c6:cd:b3:b4:8f:62:d0:fe:b7:c5:26:72:44:ed:f6:98:5b:ae:cb:d1:95:f5:da:08:be:68:46:b1:75:c8:ec:1d:8f:1e:7a:94:f1:aa:53:78:a2:45:ae:54:ea:d1:9e:74:c8:76:67
Annotations:
Subject: Name of the rogue entity.
Key Usage: Matching private key can be used to sign PKCs.
Basic Constraints: This entity is a CA!
Fake web site PKC signed by rogue CA: Browsers accept these PKCs, because they trust the root CA and the PKC format is correct.
Impressive, but in real life?

47 Rogue PKCs from MD5 collisions 5/5

Using a forged certificate for Microsoft's Windows Update service, the Flame malware can spread using a man-in-the-middle attack. The Flame malware uses a valid code-signing certificate, which generally ensures that code comes from a valid source. In this case, a "world-class cryptanalysis" effort had managed to create a certificate with the same signature, that could be used to sign code so that it appeared to have come from Microsoft, Marc Stevens, a cryptanalyst with CWI in Amsterdam, said in an online analysis. On June 6, Microsoft released a patch to revoke the certificate and change the process to disallow code-signing capabilities for Windows systems that use terminal services, and created a separate authentication chain.

Flame is a highly sophisticated malware that targeted mainly computers in Iran and other Middle Eastern countries.

In 2008, Stevens and a group of researchers created a way of generating such collisions and presented their research at the Chaos Communications Conference. Called the chosen-prefix attack, the method allows the creation of fake MD5 certificates that match the signature of a valid MD5 certificate. Using the attack, the researchers created a rogue certificate authority, which could have been used to allow attacks on major Internet browsers.

"The results have shown that, not our published chosen-prefix collision attack was used, but an entirely new and unknown variant," said Stevens. "Therefore, it is not unreasonable to assume that the particular chosen-prefix collision attack variant underlying Flame had already been in development before June 2009."

48 NIST: Recommended hash functions

Hash function that can be used to provide the targeted security strengths

Security strength 80
    Digital signatures and hash-only applications: SHA-1, SHA-224, SHA-512/224, SHA-256, SHA-512/256, SHA-384, SHA-512
    HMAC: SHA-1, SHA-512/224, SHA-224, SHA-256, SHA-512/256, SHA-384, SHA-512
    Key derivation functions: SHA-1, SHA-224, SHA-512/224, SHA-256, SHA-512/256, SHA-384, SHA-512
    Random number generation: SHA-1, SHA-224, SHA-512/224, SHA-256, SHA-512/256, SHA-384, SHA-512

Security strength 112
    Digital signatures and hash-only applications: SHA-224, SHA-512/224, SHA-256, SHA-512/256, SHA-384, SHA-512
    HMAC: SHA-1, SHA-224, SHA-512/224, SHA-256, SHA-512/256, SHA-384, SHA-512
    Key derivation functions: SHA-1, SHA-224, SHA-512/224, SHA-256, SHA-512/256, SHA-384, SHA-512
    Random number generation: SHA-1, SHA-224, SHA-512/224, SHA-256, SHA-512/256, SHA-384, SHA-512

Security strength 128
    Digital signatures and hash-only applications: SHA-256, SHA-512/256, SHA-384, SHA-512
    HMAC: SHA-1, SHA-224, SHA-512/224, SHA-256, SHA-512/256, SHA-384, SHA-512
    Key derivation functions: SHA-1, SHA-224, SHA-512/224, SHA-256, SHA-512/256, SHA-384, SHA-512
    Random number generation: SHA-1, SHA-224, SHA-512/224, SHA-256, SHA-512/256, SHA-384, SHA-512

Security strength 192
    Digital signatures and hash-only applications: SHA-384, SHA-512
    HMAC: SHA-224, SHA-512/224, SHA-256, SHA-512/256, SHA-384, SHA-512
    Key derivation functions: SHA-224, SHA-512/224, SHA-256, SHA-512/256, SHA-384, SHA-512
    Random number generation: SHA-224, SHA-512/224, SHA-256, SHA-512/256, SHA-384, SHA-512

Security strength 256
    Digital signatures and hash-only applications: SHA-512
    HMAC: SHA-256, SHA-512/256, SHA-384, SHA-512
    Key derivation functions: SHA-256, SHA-512/256, SHA-384, SHA-512
    Random number generation: SHA-256, SHA-512/256, SHA-384, SHA-512

Reference: NIST Special Publication , Recommendations for Key Management Part 1: General (Revision 3), July
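The comparison the rogue-PKC slides ask for (two different PKCs carrying the same signature) and the digital-signature column of the NIST table can be combined into one audit over `openssl x509 -text` style dumps. This is an added example, not part of the original slides; the function names, the 112-bit default target and the sample dumps are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Highest security strength (bits) each digest supports for digital signatures,
# per the "Digital signatures and hash-only applications" column of the NIST table.
# MD5 does not appear in that table, so it is rated 0 below.
DS_STRENGTH = {"1": 80, "224": 112, "512/224": 112, "256": 128,
               "512/256": 128, "384": 192, "512": 256}


@dataclass
class Cert:
    subject: str
    issuer: str
    is_ca: bool
    sig_alg: str
    signature: str  # lower-case hex without separators


def parse_cert(text: str) -> Cert:
    """Parse the fields this audit needs from an `openssl x509 -text` style dump."""
    def field(name: str) -> str:
        m = re.search(rf"^\s*{name}:\s*(.+?)\s*$", text, re.M)
        return m.group(1) if m else ""

    algs = list(re.finditer(r"Signature Algorithm:\s*(\S+)", text))
    if not algs:
        raise ValueError("no 'Signature Algorithm' line in dump")
    # The signature bytes follow the last 'Signature Algorithm' line.
    tail = text[algs[-1].end():]
    sig = "".join(re.findall(r"\b[0-9a-fA-F]{2}\b", tail)).lower()
    return Cert(field("Subject"), field("Issuer"), "CA:TRUE" in text,
                algs[-1].group(1), sig)


def digest_strength(sig_alg: str) -> int:
    """Security strength (bits) of the digest named in a signature algorithm."""
    m = re.search(r"sha-?(512[-_/](?:224|256)|1|224|256|384|512)", sig_alg.lower())
    if not m:
        return 0  # MD5 or any other digest that is not in the table
    return DS_STRENGTH[re.sub(r"[-_/]", "/", m.group(1))]


def audit(certs, target_bits=112):
    """Return findings: weak signature digests and signatures shared by different certs."""
    findings = []
    for c in certs:
        if digest_strength(c.sig_alg) < target_bits:
            findings.append(("weak-digest", c.subject, c.sig_alg))
    # A signature covers the whole to-be-signed certificate. Identical signature
    # bytes from one issuer on certificates that differ mean both contents hash
    # to the same digest, which is the collision shown on the slides.
    by_sig = {}
    for c in certs:
        if c.signature:
            by_sig.setdefault((c.issuer, c.signature), []).append(c)
    for (issuer, _sig), group in by_sig.items():
        if len({(c.subject, c.is_ca) for c in group}) > 1:
            findings.append(("shared-signature", issuer,
                             sorted(c.subject for c in group)))
    return findings


def _dump(subject, ca, alg, sig):
    """Build a constructed dump in the layout shown on the slides."""
    return (f"Certificate:\n    Data:\n        Signature Algorithm: {alg}\n"
            "        Issuer: C=XX, O=Example Trust, CN=Example Issuing CA\n"
            f"        Subject: {subject}\n"
            "        X509v3 extensions:\n"
            "            X509v3 Basic Constraints: critical\n"
            f"                CA:{ca}\n"
            f"    Signature Algorithm: {alg}\n         {sig}\n")


# Constructed sample values, not taken from any real certificate.
SIG_A = "0a:1b:2c:3d:4e:5f:60:71"
SIG_B = "99:88:77:66:55:44:33:22"
SAMPLE_DUMPS = [
    _dump("CN=site.example", "FALSE", "md5WithRSAEncryption", SIG_A),
    _dump("CN=rogue-ca.example", "TRUE", "md5WithRSAEncryption", SIG_A),
    _dump("CN=other.example", "FALSE", "sha256WithRSAEncryption", SIG_B),
]

if __name__ == "__main__":
    for finding in audit([parse_cert(d) for d in SAMPLE_DUMPS], target_bits=112):
        print(finding)
```

The shared-signature check groups by issuer name, so it should be run over certificates collected from the same CA, for example from its issuance logs.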

49 NIST: Recommended key lengths

Comparable algorithm strengths

Bits of security | Symmetric key algorithms | FFC (e.g., DSA, D-H) | IFC (e.g., RSA) | ECC (e.g., ECDSA)
80 | 2TDEA | L = 1024, N = 160 | k = 1024 | f =
112 | 3TDEA | L = 2048, N = 224 | k = 2048 | f =
128 | AES | L = 3072, N = 256 | k = 3072 | f =
192 | AES | L = 7680, N = 384 | k = 7680 | f =
256 | AES-256 | L = , N = 512 | k = | f = 512+

Security-strength time frames

Security strength | | 2011 through | through | and Beyond
80 | Applying | Deprecated | Disallowed | Disallowed
80 | Processing | Legacy use | Legacy use | Legacy use
112 | Applying | Acceptable | Acceptable | Disallowed
112 | Processing | Acceptable | Acceptable | Legacy use
128 | Applying, Processing | Acceptable | Acceptable | Acceptable
192 | Applying, Processing | Acceptable | Acceptable | Acceptable
256 | Applying, Processing | Acceptable | Acceptable | Acceptable

FFC: Finite Field Cryptography
IFC: Integer Factorization Cryptography
ECC: Elliptic Curve Cryptography
DSA: Digital Signature Algorithm
D-H: Diffie-Hellman key agreement
ECDSA: Elliptic Curve DSA
TDEA: Triple DEA (DES)
L: Size of public key
N: Size of private key

Reference: NIST Special Publication , Recommendations for Key Management Part 1: General (Revision 3), July


More information

COSC 1P03. Ch 7 Recursion. Introduction to Data Structures 8.1

COSC 1P03. Ch 7 Recursion. Introduction to Data Structures 8.1 COSC 1P03 Ch 7 Recursio Itroductio to Data Structures 8.1 COSC 1P03 Recursio Recursio I Mathematics factorial Fiboacci umbers defie ifiite set with fiite defiitio I Computer Sciece sytax rules fiite defiitio,

More information

Announcements. Reading. Project #4 is on the web. Homework #1. Midterm #2. Chapter 4 ( ) Note policy about project #3 missing components

Announcements. Reading. Project #4 is on the web. Homework #1. Midterm #2. Chapter 4 ( ) Note policy about project #3 missing components Aoucemets Readig Chapter 4 (4.1-4.2) Project #4 is o the web ote policy about project #3 missig compoets Homework #1 Due 11/6/01 Chapter 6: 4, 12, 24, 37 Midterm #2 11/8/01 i class 1 Project #4 otes IPv6Iit,

More information

Lecture 1: Introduction and Strassen s Algorithm

Lecture 1: Introduction and Strassen s Algorithm 5-750: Graduate Algorithms Jauary 7, 08 Lecture : Itroductio ad Strasse s Algorithm Lecturer: Gary Miller Scribe: Robert Parker Itroductio Machie models I this class, we will primarily use the Radom Access

More information

Appendix D. Controller Implementation

Appendix D. Controller Implementation COMPUTER ORGANIZATION AND DESIGN The Hardware/Software Iterface 5 th Editio Appedix D Cotroller Implemetatio Cotroller Implemetatios Combiatioal logic (sigle-cycle); Fiite state machie (multi-cycle, pipelied);

More information

EE 459/500 HDL Based Digital Design with Programmable Logic. Lecture 13 Control and Sequencing: Hardwired and Microprogrammed Control

EE 459/500 HDL Based Digital Design with Programmable Logic. Lecture 13 Control and Sequencing: Hardwired and Microprogrammed Control EE 459/500 HDL Based Digital Desig with Programmable Logic Lecture 13 Cotrol ad Sequecig: Hardwired ad Microprogrammed Cotrol Refereces: Chapter s 4,5 from textbook Chapter 7 of M.M. Mao ad C.R. Kime,

More information

Chapter 4. Procedural Abstraction and Functions That Return a Value. Copyright 2015 Pearson Education, Ltd.. All rights reserved.

Chapter 4. Procedural Abstraction and Functions That Return a Value. Copyright 2015 Pearson Education, Ltd.. All rights reserved. Chapter 4 Procedural Abstractio ad Fuctios That Retur a Value Copyright 2015 Pearso Educatio, Ltd.. All rights reserved. Overview 4.1 Top-Dow Desig 4.2 Predefied Fuctios 4.3 Programmer-Defied Fuctios 4.4

More information

MOTIF XF Extension Owner s Manual

MOTIF XF Extension Owner s Manual MOTIF XF Extesio Ower s Maual Table of Cotets About MOTIF XF Extesio...2 What Extesio ca do...2 Auto settig of Audio Driver... 2 Auto settigs of Remote Device... 2 Project templates with Iput/ Output Bus

More information

The Simeck Family of Lightweight Block Ciphers

The Simeck Family of Lightweight Block Ciphers The Simeck Family of Lightweight Block Ciphers Gagqiag Yag, Bo Zhu, Valeti Suder, Mark D. Aagaard, ad Guag Gog Electrical ad Computer Egieerig, Uiversity of Waterloo Sept 5, 205 Yag, Zhu, Suder, Aagaard,

More information

A server-aided verification signature scheme without random oracles

A server-aided verification signature scheme without random oracles A server-aided verificatio sigature scheme without radom oracles Bi Wag ad Qig Zhao Iformatio Egieerig College of Yagzhou Uiversity No96 West HuaYag Road, Yagzhou City, Jiagsu Provice, PRChia E-mail: jxbi76@yahooc

More information

Chapter 1. Introduction to Computers and C++ Programming. Copyright 2015 Pearson Education, Ltd.. All rights reserved.

Chapter 1. Introduction to Computers and C++ Programming. Copyright 2015 Pearson Education, Ltd.. All rights reserved. Chapter 1 Itroductio to Computers ad C++ Programmig Copyright 2015 Pearso Educatio, Ltd.. All rights reserved. Overview 1.1 Computer Systems 1.2 Programmig ad Problem Solvig 1.3 Itroductio to C++ 1.4 Testig

More information

Better Security for Password and Two-Factor Authentication

Better Security for Password and Two-Factor Authentication Better Security for Password ad Two-Factor Autheticatio Staislaw Jarecki (Uiversity of Califoria Irvie) Nitesh Saxea (Uiversity of Alabama Birmigham) Mai collaborators: Aggelos Kiayas (U Ediburgh) Hugo

More information

Lecture 28: Data Link Layer

Lecture 28: Data Link Layer Automatic Repeat Request (ARQ) 2. Go ack N ARQ Although the Stop ad Wait ARQ is very simple, you ca easily show that it has very the low efficiecy. The low efficiecy comes from the fact that the trasmittig

More information

Convergence results for conditional expectations

Convergence results for conditional expectations Beroulli 11(4), 2005, 737 745 Covergece results for coditioal expectatios IRENE CRIMALDI 1 ad LUCA PRATELLI 2 1 Departmet of Mathematics, Uiversity of Bologa, Piazza di Porta Sa Doato 5, 40126 Bologa,

More information

Pattern Recognition Systems Lab 1 Least Mean Squares

Pattern Recognition Systems Lab 1 Least Mean Squares Patter Recogitio Systems Lab 1 Least Mea Squares 1. Objectives This laboratory work itroduces the OpeCV-based framework used throughout the course. I this assigmet a lie is fitted to a set of poits usig

More information

% Sun Logo for. X3T10/95-229, Revision 0. April 18, 1998

% Sun Logo for. X3T10/95-229, Revision 0. April 18, 1998 Su Microsystems, Ic. 2550 Garcia Aveue Moutai View, CA 94045 415 960-1300 X3T10/95-229, Revisio 0 April 18, 1998 % Su Logo for Joh Lohmeyer Chairperso, X3T10 Symbios Logic Ic. 1635 Aeroplaza Drive Colorado

More information

Future Safe Havens. Jon Crowcroft,

Future Safe Havens. Jon Crowcroft, Future Safe Haves Jo Crowcroft, http://www.cl.cam.ac.uk/~jac22 Private Data Ceter->Public Cloud ATI parters e.g. Farr/NHS Scotlad HSBC Motives for public cloud Scale out/cost save Higher Throughput aalytics

More information

n Learn how resiliency strategies reduce risk n Discover automation strategies to reduce risk

n Learn how resiliency strategies reduce risk n Discover automation strategies to reduce risk Chapter Objectives Lear how resiliecy strategies reduce risk Discover automatio strategies to reduce risk Chapter #16: Architecture ad Desig Resiliecy ad Automatio Strategies 2 Automatio/Scriptig Resiliet

More information