Message authentication

Transcription

1 Message authentication -- Reminder on hash unctions -- MAC unctions hash based block cipher based -- Digital signatures (c) Levente Buttyán Hash unctions a hash unction is a unction H: {0, 1}* {0, 1} n that maps arbitrary long messages into a ixed length output notation and terminology: x (input) message y = H(x) hash value, message digest, ingerprint typical application: the hash value o a message can serve as a compact representative image o the message (similar to ingerprints) H is a many-to-one mapping collisions are unavoidable however, inding collisions are very diicult (practically ineasible) increase the eiciency o digital signatures by signing the hash instead o the message (expensive operation is perormed on small data) examples: (MD5,) SHA-1, SHA-256 Protocols (message authentication, session key establishment) 2

2 Desired properties o hash unctions ease o computation given an input x, the hash value H(x) o x is easy to compute weak collision resistance (2 nd preimage resistance) given an input x, it is computationally ineasible to ind a second input x such that H(x ) = H(x) strong collision resistance (collision resistance) it is computationally ineasible to ind any two distinct inputs x and x such that H(x) = H(x ) one-way hash unction (preimage resistance) given a hash value y (or which no preimage is known), it is computationally ineasible to ind any input x such that H(x) = y collision resistant hash unctions are similar to block ciphers in the sense that they can be modeled as a random unction Protocols (message authentication, session key establishment) 3 Iterative hash unctions operation: input is divided into ixed length blocks last block is padded i necessary each input block is processed according to the ollowing scheme input x = x 1 x 2 x 3 x L, input block x i (b) CV 0 = IV CV i-1 (n) compression unction (n) CV i chaning variable alternative illustration: H(x) = CV L x 1 x 2 x 3 x L (b) (b) (b) (b) CV 0 (n) (n) CV 1 (n) CV 2 (n) CV 3 CV L-1 (n) H(x) = CV L Protocols (message authentication, session key establishment) 4

3 MAC unctions MAC = Message Authentication Code a MAC unction is a unction MAC: {0, 1}* x {0, 1} k {0, 1} n that maps an arbitrary long message and a key into a ixed length output can be viewed as a hash unction with an additional input (the key) terminology and usage: the sender computes the MAC value M = MAC(m, K), where m is the message, and K is the MAC key the sender attaches M to m, and sends them to the receiver the receiver receives (m, M ) the receiver computes M = MAC(m, K) and compares it to M ; i they are the same, then the message is accepted, otherwise rejected services: message authentication and integrity protection: ater successul veriication o the MAC value, the receiver is assured that the message has been generated by the sender and it has not been altered examples: HMAC, CBC-MAC schemes Protocols (message authentication, session key establishment) 5 MAC generation and veriication illustrated generation message secret key MAC MAC MAC veriication message secret key MAC MAC MAC compare compare yes/no Protocols (message authentication, session key establishment) 6

4 Desired properties o MAC unctions ease o computation key non-recovery it is computationally ineasible to recover the secret key K, given one or more message-mac pairs (m i, M i ) or that K computation resistance given zero or more message-mac pairs (m i, M i ), it is computationally ineasible to ind a valid message-mac pair (m, M) such that m m i computation resistance implies key non-recovery but the reverse is not true in general Protocols (message authentication, session key establishment) 7 Secret preix method MAC k (x) = H(k x) insecure! assume an attacker knows the MAC on x: M = H(k x) he can produce the MAC on x y as M = (M,y), where x is x with padding and is the compression unction o H k x 1 x 2 x L padding y padding CV 0 M M = MAC k (x y) Protocols (message authentication, session key establishment) 8

5 A similar mistake MAC k (x) = H k (x) where H k (.) is H(.) with CV 0 = k x 1 x 2 x L padding y padding K M M = MAC k (x y) Protocols (message authentication, session key establishment) 9 Secret suix method MAC k (x) = H(x k) insecure i H is not collision resistant using a birthday attack, the attacker inds two inputs x and x such that H(x) = H(x ) (can be done o-line without the knowledge o k) then obtaining the MAC M on one o the inputs, say x, allows the attacker to orge a text-mac pair (x, M) weaknesses MAC depends only on the last chaining variable key is involved only in the last step x 1 x 1 x 2 x 2 x L x L k padding CV 0 H(x) = H(x ) M Protocols (message authentication, session key establishment) 10

6 HMAC HMAC k (x) = H( (k + opad) H( (k + ipad) x ) ) where h is a hash unction with input block size b and output size n k + is k padded with 0s to obtain a length o b bits ipad is repeated b/8 times opad is repeated b/8 times k + ipad x 1 x L padding 1 H CV 0 CV 1 inner k + opad M padding 2 H CV 0 CV 1 outer HMAC k (x) Protocols (message authentication, session key establishment) 11 CBC-MAC x 1 x 2 x 3 x N c N-1 + k E k E k E k E c 1 c 2 c 3 k E -1 CBC MAC is secure or messages o a ixed number o blocks orgery is possible i variable length messages are allowed k E CBC MAC optional c N Protocols (message authentication, session key establishment) 12

7 How to use CBC-MAC in practice? use the optional inal encryption reduces the threat o exhaustive key search (key is (k, k ) key length is doubled) prevents known existential orgeries has marginal overhead (only last block is encrypted multiple times) prepend the message with a block containing the length o the message beore the MAC computation use k to encrypt the length and obtain k = E k (length), and use k as the MAC key (i.e., use message dependent MAC keys) Protocols (message authentication, session key establishment) 13 Digital signature schemes unctions (algorithms) and terminology: key-pair generation unction G() = (K +, K - ) K + public key K - private key signature generation unction S(K -, m) = s m message s signature signature veriication unction V: V(K +, m, s) = accept or reject services: message authentication and integrity protection: ater successul veriication o the signature, the receiver is assured that the message has been generated by the sender and it has not been altered non-repudiation o origin: the receiver can prove this to a third party (hence the sender cannot repudiate) examples: RSA, DSA, ECDSA (shorter key and signature length!) Protocols (message authentication, session key establishment) 14

8 Hash-and-sign paradigm public/private key operations are slow increase eiciency by signing the hash o the message instead o the message it is essential that the hash unction is collision resistant (why?) generation private key o sender message hash signature h enc enc veriication message h h hash compare compare yes/no dec dec public key o sender signature Protocols (message authentication, session key establishment) 15 Security o digital signature schemes as in the case o public-key encryption, security is usually related to the diiculty o solving the underlying hard problems attack objectives: existential orgery attacker is able to compute a valid signature or at least one message selective orgery attacker is able to compute valid signatures or a particular class o messages total break the attacker is able to orge signatures or all messages or he can deduce the private key attack models: key-only attack known-message attack (adaptive) chosen-message attack Protocols (message authentication, session key establishment) 16

9 RSA signature scheme key pair generation same as or RSA encryption: public key is (n, e), private key is d signature generation (input: m, d; output: σ) compute µ = h(m) (PKCS #1 ormatting) compute σ = µ d mod n signature veriication (input: m, σ, (n, e); output: yes/no) compute µ = σ e mod n (PKCS #1 processing, reject i µ is not well ormatted) compute µ = h(m) compare µ and µ i they match, then output yes (accept) otherwise, output no (reject) Protocols (message authentication, session key establishment) 17 Management requirements or key pairs RSA has the interesting property that the same key pair can be used or both encryption and digital signature however, such double use o key-pairs is not advisable; users should have dierent key-pairs or dierent applications the main reason is in the dierence in key management requirements digital signature private key should never leave the key owner s system private key doesn t need back up and archive (why?) public key (certiicate) needs to be archived encryption private key oten needs to be backed up and archived (why?) public key usually doesn t need to be archived the two applications have conlicting requirements Protocols (message authentication, session key establishment) 18

10 Session key establishment protocols -- Motivations and design objectives -- Basic concepts and techniques -- Key transport and key agreement protocols -- Password based key exchange (c) Levente Buttyán Motivation communicating parties must share a secret key in order to use symmetric key cryptographic algorithms (e.g., block ciphers, stream ciphers, and MAC unctions) it is desired that a dierent shared key is established or each communication session session key to ensure independence across sessions to avoid long-term storage o a large number o shared keys to limit the number o ciphertexts available or cryptanalysis we need mechanisms that allow two (or more) remote parties to set up a shared secret in a dynamic (on-demand) manner session key establishment protocols Protocols (message authentication, session key establishment) 20

11 Design objectives at the end o the protocol Alice and Bob should learn the value o the session key K (eectiveness) no other parties (with the possible exception o a trusted third party) should know the value o K (implicit key authentication) Alice and Bob should believe that K is reshly generated (key reshness) optionally, Alice should believe that Bob knows the key K, and vice versa (key conirmation) Protocols (message authentication, session key establishment) 21 Adversary model the underlying cryptographic primitives used in the protocol are secure however, the adversary may obtain old session keys the adversary has ull control over the communications o the honest parties can eavesdrop, modiy, delete, inject, and replay messages can coerce honest parties to engage into protocol runs the adversary may be a legitimate protocol participant (an insider), or an external party (an outsider), or the combination o both Protocols (message authentication, session key establishment) 22

12 Basic classiication o protocols key transport protocols one party (typically a trusted third party) creates a new session key, and securely transers it to the other parties key agreement protocols the session key is derived by the parties as a unction o inormation contributed by each, such that no party can predetermine the resulting value o the key Protocols (message authentication, session key establishment) 23 First attempt or a key transport protocol Alice Server Bob A, B K generate K A, K most obvious problem: the adversary can eavesdrop K implicit key authentication is not provided Protocols (message authentication, session key establishment) 24

13 Second attempt Alice Server Bob A, B E Kas (K), E Kbs (K) generate K A, E Kbs (K) problems: Alice cannot be sure that K has been created or the session between hersel and Bob similarly, Bob cannot be sure that he shares K with Alice implicit key authentication is still not provided Protocols (message authentication, session key establishment) 25 An attack against the second attempt Alice A, B Mallory (intercepted by Mallory) Server Bob M, A E Kas (K), garbage A, garbage generate K E Kms (K), E Kas (K) (intended or Bob, but intercepted by Mallory) notes: typical man-in-the-middle (MitM) attack Alice believes that she shares K with Bob, but she shares it with the adversary derived design principle: i the name o a party is essential to the meaning o a message, then it must be mentioned explicitly in the message Protocols (message authentication, session key establishment) 26

14 Third attempt Alice Server Bob A, B generate K E Kas (B K), E Kbs (A K) E Kbs (A K) problem: neither Alice nor Bob can be sure that K is resh no key reshness is provided Protocols (message authentication, session key establishment) 27 An attack against the third attempt Alice Mallory Bob A, B E Kas (B K), E Kbs (A K) E Kbs (A K) notes: typical replay attack i K is compromised by the adversary, then she can decrypt ollow-up communications between Alice and Bob even i K is not compromised, the adversary can replay encrypted messages to Alice and Bob rom the past session where K was used Protocols (message authentication, session key establishment) 28

15 How to achieve reshness? use timestamps use random nonces (nonce = number used once) use a key agreement protocol Protocols (message authentication, session key establishment) 29 Timestamps E Kas (B K T s ), where T s is the current time on the clock o S key is accepted only i the timestamp is within an acceptable window o the current time at the receiver can provide strong assurances, but requires synchronized clocks important warning: i a party s clock is advanced, then (s)he may generate messages that will be considered resh in the uture (although they may be dropped near the time o their generation) Protocols (message authentication, session key establishment) 30

16 Random nonces E Kas (B K N A ), where N A is a resh and unpredictable random number generated by A (and sent to S beorehand) key is accepted only i the time that elapsed between sending the nonce and receiving the message containing the nonce is acceptably short less precise than a timestamp (exact time o key generation is not known), but it provides suicient guarantees o reshness in most practical cases it requires an extra message to send the nonce, and some temporary state to store the nonce or veriication purposes Protocols (message authentication, session key establishment) 31 Random nonces important warning: i nonces were predictable, the adversary could obtain a message containing a uture nonce o Alice, which would later be considered as resh by Alice Alice Mallory Server A, B, N A E Kas (B K N A ), T T A t A, B, N A E Kas (B K N A ), Alice believes that the key is younger than T A -t, while in act, it is older than T A -T Protocols (message authentication, session key establishment) 32

17 Key reshness in key agreement protocols K = (k A, k B ), where k A and k B are the contributions o Alice and Bob, respectively i (x,.) is a one-way unction (or any x), then once Alice has chosen k A, Bob cannot ind any k B, such that (k A, k B ) has a pre-speciied value (e.g., an old session key) similarly, i (., y) is a one-way unction (or any y), then once Bob has chosen k B, Alice cannot ind any k A, such that (k A, k B ) has a pre-speciied value i the contribution o a party is resh, then (s)he can be sure that the resulting session key is resh too Protocols (message authentication, session key establishment) 33 Fourth attempt Alice Server Bob A, B, N A generate K E Kas (B K N A E Kbs (A K)) E Kbs (A K) N B E K (A B K N B ) notes: nested encryption provides key conirmation or Bob this protocol is similar to the well-known Needham-Schroeder protocol (symmetric key) seemingly correct, but Protocols (message authentication, session key establishment) 34

18 An attack against the ourth attempt Mallory E Kbs (A K) N B E K (A B K N B ) Bob notes: K is an old session key that is compromised by the adversary E Kbs (A K) is replayed rom the old protocol run (where K was established as the session key) Bob will believe that he established a session with A, but A is not present derived design principles: the act that a key K is used recently to encrypt a message does not mean that K is resh when proving the reshness o a key K by binding it to some resh data (timestamp or nonce), don t use K itsel or the binding Protocols (message authentication, session key establishment) 35 Fith attempt Alice Bob Server A, N A A, N A, B, N B generate K E Kas (B K N A ) E Kas (B K N A ), E Kbs (A K N B ) any problems? Protocols (message authentication, session key establishment) 36

19 Protocol engineering checklist be explicit interpretation o messages shouldn t depend on context inormation, but it should be based solely on the content o the messages include names that are needed to correctly interpret the message consider including protocol type, run identiier, and message number to avoid protocol intererence, interleaving, and message relection attacks, respectively think twice about key reshness decide on how you want to ensure key reshness or the dierent participants consider the advantages and disadvantages o nonces and timestamps in a given application environment state assumptions explicitly state all the assumptions on which the security o your protocol depends so that someone who wants to use your protocol can veriy i they hold in a given application environment Protocols (message authentication, session key establishment) 37 Key agreement with the Diie-Hellman protocol summary: a key agreement protocol based on one-way unctions; in particular, security o the protocol is based on the hardness o the discrete logarithm problem and that o the Diie-Hellman problem assumptions: p is a large prime, g is a generator o Z p*, both are publicly known system parameters Alice Bob select random x compute g x mod p g x mod p g y mod p select random y compute g y mod p compute k = (g y ) x mod p compute k = (g x ) y mod p characteristics: NO AUTHENTICATION, key reshness with randomly selected exponents, no party can control the key, no need or a trusted third party Protocols (message authentication, session key establishment) 38

20 The Station-to-Station protocol summary: three-pass variation o the basic Diie-Hellman protocol; it uses digital signatures to provide mutual entity authentication and mutual explicit key authentication Alice Bob select random x compute g x mod p g x mod p g y mod p, E k (S Kb (g y, g x )) select random y compute g y mod p compute k = (g x ) y mod p compute k = (g y ) x mod p E k (S Ka (g x, g y )) characteristics: mutual entity authentication, mutual explicit key authentication, key reshness with random exponents, no party can control the key, o-line third party or issuing public key certiicates may be required, initial exchange o public keys between the parties may be required Protocols (message authentication, session key establishment) 39 Password based key exchange assume that two parties (e.g., a user and a server) share a password (relatively weak secret) how to set up a cryptographic key (strong secret) with the help o this password? Protocols (message authentication, session key establishment) 40

21 A naïve solution Alice can generate a key K and encrypt it with the password pwd (or its hash value): A B : A, E H(pwd) (K) Bob can use the hash o the password to obtain K rom E H(pwd) (K), and then use K to encrypt messages or Alice or example: B A : E K ( Last login at 16:34, Monday ) Protocols (message authentication, session key establishment) 41 The problem (key reshness is not provided by the naïve protocol, but it could be added by including a timestamp) i a weak password is used, then the naïve solution is vulnerable to an o-line dictionary attack: assume that the attacker eavesdropped a protocol run or each candidate password pwd?, compute the candidate key K? = D H(pwd?) (E H(pwd) (K)) test K? by checking i D K? (E K ( Last login )) is a meaningul message i so, then pwd? is Alice s password, otherwise throw away pwd? and try a new candidate password rom the dictionary Protocols (message authentication, session key establishment) 42

22 Encrypted Key Exchange (EKE) the basic idea Alice generates a public key / private key pair K + and K -, and encrypts K + with the (hash o the) password pwd: A B : A, E H(pwd) (K + ) Bob uses the (hash o the) password to obtain K +, then generates a (symmetric) key K, and encrypts it with K + in the public key cryptosystem; the result is urther encrypted with the (hash o the) password: B A : E H(pwd) (AE K+ (K)) Alice uses the (hash o the) password and K - to obtain K rom E H(pwd) (AE K+ (K)); then she can use K to send messages to Bob: A B : E K ( Last login at 16:34, Monday ) Protocols (message authentication, session key establishment) 43 Why is this good? or a candidate password pwd?, the attacker can compute a candidate public key K +? as D H(pwd?) (E H(pwd) (K + )) but K +? cannot really be tested the attacker needs to ind a key K? such that AE K+? (K?) = D H(pwd?) (E H(pwd) (AE K+ (K))) D K? (E K ( Last login )) makes sense both would require an exhaustive search over the key space rom which K is chosen (or breaking the symmetric or the asymmetric cipher) the relatively small space o passwords is thus multiplied by the large key space rom which K is chosen (privacy ampliication eect) Protocols (message authentication, session key establishment) 44

23 What about key reshness? as Bob generates K, key reshness is provided or Bob or Alice K + is resh, and this guarantees reshness o K through the encryption AE K+ (K) (assuming that Alice trusts Bob or generating resh session keys) Alice can conclude that someone who knows the password (which can only be Bob) has recently sent K to the other holder o the password (which can only be Alice) Protocols (message authentication, session key establishment) 45