Hash functions. Hash functions, certification and secure protocols. Contents. Solution : use a hash function

Similar documents
Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Information Security CS 526

CSC/ECE 774 Advanced Network Security

Data Security and Privacy. Topic 14: Authentication and Key Establishment

CS Computer Networks 1: Authentication

UNIT - IV Cryptographic Hash Function 31.1

E-commerce security: SSL/TLS, SET and others. 4.1

(2½ hours) Total Marks: 75

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

CSC 774 Network Security

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Introduction and Overview. Why CSCI 454/554?

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Encryption. INST 346, Section 0201 April 3, 2018

Computer Networking. What is network security? Chapter 7: Network security. Symmetric key cryptography. The language of cryptography

Digital Certificates Demystified

CS408 Cryptography & Internet Security

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

Fall 2010/Lecture 32 1

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Network Security Chapter 8

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

Chapter 4: Securing TCP connections

CS November 2018

Computer Networks. Wenzhong Li. Nanjing University

BCA III Network security and Cryptography Examination-2016 Model Paper 1

T Cryptography and Data Security

Cryptographic Hash Functions

Authentication and Key Distribution

Overview. SSL Cryptography Overview CHAPTER 1

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

Digital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)

Securing Internet Communication: TLS

CRYPTOGRAPHY AND NETWROK SECURITY-QUESTION BANK

14. Internet Security (J. Kurose)

Kurose & Ross, Chapters (5 th ed.)

Lecture 1: Course Introduction

Lecture 15 Public Key Distribution (certification)

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

KEY AGREEMENT PROTOCOLS. CIS 400/628 Spring 2005 Introduction to Cryptography. This is based on Chapter 13 of Trappe and Washington

Data Integrity. Modified by: Dr. Ramzi Saifan

APNIC elearning: Cryptography Basics

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Cryptography (Overview)

Transport Level Security

CPSC 467b: Cryptography and Computer Security

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

WAP Security. Helsinki University of Technology S Security of Communication Protocols

CS 161 Computer Security

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Security: Focus of Control. Authentication

Cryptographic Checksums

Data Integrity & Authentication. Message Authentication Codes (MACs)

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

CSE 565 Computer Security Fall 2018

Cryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

Datasäkerhetsmetoder föreläsning 7

CSE 127: Computer Security Cryptography. Kirill Levchenko

Spring 2010: CS419 Computer Security

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

Cryptographic Protocols 1

Chapter 9: Key Management

Information Security & Privacy

Sankalchand Patel College of Engineering, Visnagar Department of Computer Engineering & Information Technology. Question Bank

ICS 180 May 4th, Guest Lecturer: Einar Mykletun

Crypto Background & Concepts SGX Software Attestation

Lecture 2 Applied Cryptography (Part 2)

Background. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33

ECEN 5022 Cryptography

Configuring SSL. SSL Overview CHAPTER

CS 356 Internet Security Protocols. Fall 2013

Course Administration

Integrity of messages

Diffie-Hellman. Part 1 Cryptography 136

Key management. Pretty Good Privacy

Data Integrity & Authentication. Message Authentication Codes (MACs)

User Authentication Principles and Methods

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Spring 2010: CS419 Computer Security

Security: Focus of Control

Authentication in Distributed Systems

Total No. of Questions : 09 ] [ Total No.of Pages : 02

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

Study Guide for the Final Exam

Cryptographic Hash Functions

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

CIS 6930/4930 Computer and Network Security. Final exam review

Transcription:

Hash functions Hash functions, certification and secure protocols Signature can be used only for small sized messages. Naive solution : cut the message to sign into fixed sized blocks ; then sign independently each block Many problems the size of the signature becomes huge signing algorithms are pretty slow Contents Hash functions Certification Key management Identification and authentication Example of real protocols Solution : use a hash function Use a cryptographic hash function, quick to compute ; transforms a message of arbitrary length into a fingerprint of fixed size. Then, sign the fingerprint message x arbitrary length # fingerprint z = h(x) 60 bits # signature y = sig sk (z) depends upon the signature Principle : When Bob signs x he first computes the fingerprint z = h(x), then he signs with y = sig sk (z) and sends the pair (x, y). Everyone can check the validity by. re-computing the fingerprint ẑ = h(x) 2. using the verification algorithm, ver pk (ẑ, y).

Conditions to fulfill A hash function h computes z = h(m) for m a message of arbitrary length ; z is a fixed size fingerprint. We require h to be one way, i.e. h(m) must be easy to compute from m z must be hard to invert Collision of h : pair of distinct words (x, x 0 ) st h(x) =h(x 0 ). h is weak collision resistant if, given a x, it is difficult to find a collision. h is strong collision resistant if it is difficult to find any collision (x, x 0 ). We approximate Q k i= i n by Q k e x = x + x 2 2! is our case). Thus, x 3 q = Q k i i= n (k )k ln q 2n 2n ln( q q ) k 2 2n ln( p ) k i= e i n since 3!, thus e x x for x small (which i n e i n. e n P k i= i = e (k )k 2n p = /2, proba to have at least one collision for k p 2n ln 2 Example : n = 365, k = 23 people ; we have more that proba /2 to have 2 people with the same birthday day. Application : find the size n of the image by the hash function to avoid collisions. We have k in O( p n). Birthday paradox Attack based on the paradox Given : B =(b,...,b k ) 2 {, 2,...,n} k. Problem : proba p to have at least 2 identical elements in B? Let us consider k messages m i randomly chosen with i 2 [, k] and we consider the proba that two m i have the same image. z i = h(m i ). Proba that all z i are different : p = q = ky ky n k (n i) = i=0 i= i = n n k n Where is the probability to choose z, ( n ) the probability to choose z 2 6= z (since there is one chance over n that i z = z 2 ),..., ( n ) the probability to choose z i 6= z,...,z i. Compute and sort as many pairs (x, h(x)) as possible. Detect one (ore more) collisions. There are 2 n values corresponding to the birthdays ;. We assume that the images by h are uniformly distributed. If we consider k inputs, we have more than /2 chance to find a collision when k 2 n 2. Taking the logarithm, n 50 00 50 200 log 2 k 25 50 75 00 Thus, by computing a little bit more than 2 n/2 images by h, we can find a collision with proba > /2. For h strongly resistant, we choose n great enough to avoid that the computation of the 2 n/2 images by h be feasible. Currently, n 60.

One-way compression function Compression Function Like MD5, m is split into n blocs, each of fixed length and the following is applied : From : e k : {0, } n {0, } n! {0, } n one can design a compression function g : {0, } n {0, } n! {0, } n for n 2 N valeur initiale message bloc bloc 2 bloc n MD5 MD5 MD5 valeur hachée whose image size is n. The cipher is used either directly if it is collision-resistant or by modifying it : g(k, x) =e k (x) x g(k, x) =e k (x) x k g(k, x) =e k (x k) x g(k, x) =e k (x k) x k Classical construction Start from your favorite e k, and build a compression function : g : {0, } m! {0, } n for m, n 2 N, m > n Use function g to build a hash function : h : {0, }?! {0, } n Proposition h collision resistant if g collision resistant for n 2 N Hash Function Merkle : constructs a hash function from a compression function g : {0, } m! {0, } n. Let r = m n >. We want to build h : {0, }?! {0, } n. Let x 2 {0, }? and ` its length in binary fill x with "0" : u = 0i x st u 0 mod r fill ` with "0" : y = 0j` st y 0 mod r cut y in blocks of r bits and add a "" at the beginning of each block to form the word v build w = u0r v made of t blocks of size r. Example : r = 4, x = 0, ` = 0. u = 000 0, v = 0. w = 000 0 0000 0 = w w 2 w 3 w 4 (t = 4) H inductively defined : H 0 = 0 n et H i = g(h i w i ),apple i apple t h(x) =H t

Modern hash functions PK Certificate The hash functions which are commonly used are designed according to the previous construction. name bits round steps relative speed MD5 28 4 6 SHA 60 4 20 0,28 Application to DSA Digital Signature Algorithm is a signature standard combining the use of a hash function (MD5 or SHA) and DSS, the latter being an improvement of El Gamal s signature scheme. A certificate of B s PK contains B s identity together with PK B signed by a third party. Usage : counter MIM attacks A certificate contains the public key informations relative to B s identity (name, e-mail... ) the signature by a third party, Ivan Ivan signs the key the informations relative to B Ivan guarantees the correctness of those informations and that the public key corresponds to B s identity. Contents How it works Hash functions Certification Key management Identification and authentication Certification is done by the means of a signature scheme. It consists in [2] : signing after hashing providing a verification algorithm Example : if the contents of the certificate follows X509 norm, we provide a digital id like a numerical identity card. Example of real protocols

(X.509) Certificate Associates a public key to the identity of a subject ; it contains : Subject : Distinguished name ; public key Issuer : Distinguished name, signature Period of Validity : not before, not after Administrative Information : version, serial number Extended Information : The information «Distinguised name» contains : Common Name : name to be certified Organization Company : context UNS Organizational Unit : more specific Deptinfo City/Locality : town State/Province : for US PACA Country : country code fr Bruno Martin Sophia Antipolis CA also provides a certificate to another CA. Alice can traverse the certification chain until she finds a CA she trusts to check the validity of the relation (Id S, PKS) Certification Chain AC r Id B,clé B AC r Id ACr,K ACr AC r Id AC,K AC AC Id AC,K AC AC Id S,PKS AC r Id C,clé C Certification & Verification Root CA creation AC Id S,PKS Id S,PKS Id S,PKS Clé de S certifiée par AC Sign AC (h(id S,PKS)) hachage h AC Id S,PKS Sign AC Clé de S certifiée par AC hachage h Ver AC Sign AC (h(id S,PKS)) Id S,PKS Sign AC (h(id S,PKS)) h(id S,PKS) Algorithme public de vérification de AC Problem of the certification chains : we need a root CA. This root CA cannot be certified : its certificate is self-signed. The trust relies on a wide distribution of the root CA s public key. Clients and servers are configured to trust some root CA by default like CertiSign or VeriSign. Those firms propose techniques to request for signatures, have procedures for verifying the information and they sell, provide and manage certificates. Note that, by default, openssl is not preconfigured with any trusted root certificates. They re provided by the OS vendor or embedded in software applications (firefox). oui/non

With no trusted CA... Key exchange All ciphers require the keys to be securely exchanged. Obvious with symmetrical ciphers and PKC to counter MIM. What are the solutions? Some solutions. Fix a meeting to exchange the keys 2. Sending the key by surface mail 3. Use a key previously shared by both parties and compute a new key First two cases : not always possible ; if two army corps are isolated. Contents Hash functions Certification Key management Identification and authentication Example of real protocols Key management techniques [] Make use of enciphering mechanisms key usage security policy counter : modification unintended disclosure relay generation Ready Active Used activation destruction modification During the lifetime of the keys, we need to ensure : reactivation desactivation secure generation suppression revocation certification storing distribution destruction installation destruction

Models for key establishment Process which makes a key available to one or several entities ; covers : key agreement key transportation (public, secret) key update key derivation Diffie Hellman key agreement protocol Let q be a big prime and a, < a < q. Each user U randomly selects a secret value X U,< X U < q publishes Y U = a X U mod q A and B build a shared key only known by them : A computes K =(Y B) X A mod q B computes K =(Y A) X B mod q A and B share the key K : Y X A B (a X B) X A a X BX A a X AX B (a X A) X B Y X B A mod q Key agreement Security Imagine a solution based on the problem hardness (complexity) which is easy to compute for legitimate users and hard for an attacker. We use a one-way function. A good candidate is the discrete log. problem.. Shared keys are secure : if an attacker is able to compute the key, X A of A from Y A = a X A mod q, he must solve DLP 2. Is it possible to find the shared key from the published information? It is known as hard as solving DLP.

Secret keys transport mechanism Kerberos Process which allows to transfer a secret key by an entity to another entity. By using ciphers either asymmetrical or symmetrical. ISO/IEC 770-2 and 3 define 8 mechanisms, 5 are point to point, the remaining ones use a trusted third party as key distribution center. For short : distribution in the same domain between domains Other examples, see http://www.microsoft.com/technet/ prodtechnol/windows2000serv/reskit/distrib/dsch_key_ xihm.mspx?mfr=true Allow a user connected on a client to prove his identity to a service or an application server without transmitting its credentials over the network. Requires a trusted third party acting as a key distribution center (KDC) for the domain ; it is made of : authentication server (AS) ticket granting service (TGS) which are both secured U/ C U,TGS,T,L AS 2 4 K U (K,N,T c,tgs ) 6 S,N,T c,tgs,a c,tgs K(T c,s,k') K'(T+) T c,s,a c,s 5 3 serv eur S TGS T c,tgs =K TGS (U,C,TGS,T,L,K) tick et TGT T c,s =K S (U,C,S,T, L,K') tick et de session A c,tgs =K(C,T) authentificateur pour T c,tgs A c,s =K'(C,T ) authentificateur pour T c,s A Models for key distribution 2 KDC Model pull 3 A B 2 3 KDC 2 A Mix Model KDC 2 4 Model push B 3 3 B Keys update Let the key evolve session after session : key update. Process which allows to share keys previously constructed by updating them by the means of a session parameter. A new session key K is defined from : a shared key K AB a parameter F (random, time stamp, sequence number) a key updating function f Works in two steps :. the initiator A chooses a derivation parameter F which is transmitted to B. 2. A and B compute the new key K by f st K = f (K AB, F) Example of function f : crypto hash function h applied to the data concatenation : K = h(k AB ; F)

Contents Example of asymmetrical authentication Hash functions Certification Key management Identification and authentication Example of real protocols msg-alea DeB(MD(msg-alea) If we do not use a fingerprint (MD) of the random message, this protocol can be attacked by a known plaintext/ciphertext attack : (msg-alea/de B (msg-alea)). Requires that Alice knows Bob s public key prior the use of the protocol. Identification & auth Contents Authentication : process of determining whether someone or something is, in fact, who or what it is declared to be (I m Bruno and here s the proof of my identity) Identification : permits to prove the identity of an entity by means of its identifier (I m Bruno) Identification gives the entity s identity and authentication to check its validity. Hash functions Certification Key management Identification and authentication Example of real protocols

IP Security Add crypto techniques (IPSec working groups) to the Internet standard protocols. The IP security architecture provides security mechanisms (described in RFC825) which provide authentication, integrity, access control and confidentiality services. SMTP HTTP FTP TCP (Transmission Control Protocol) IP Security Protocol (AH, ESP) IP Internet Protocol SSL & TLS SSL provides authentication, compression, integrity, confidentiality. allows several auth. or confidentiality mechanisms and secures all applicative protocol. SSL becomes TLS, a standard, by IETF. It contains two layers : Agreement or Handshake Protocol Communication or Record Protocol which provide the following services : connection confidentiality by AES, Camellia, DES, 3DES connection integrity by a MAC using a non-zero IV (SHA- or SHA256 or SHA384) TCP security Authentication Protocols used to secure TCP : Secure Socket Layer used by netscape Private Communication Technology by Microsoft (stopped with SSL3) Transport Layer Security IETF standard SMTP HTTP Transport Layer Security (SSL, TLS) TCP (Transmission Control Protocol) IP (Internet Protocol) Current libraries for TLS : BoringSSL designed by Google (205) OpenSSL, LibreSSL coming from OpenBSD and GnuTLS. This is how Alice verifies Bob s identity. Let us call SKB Bob s private key and PKB its public key A! B B! A r = a random message c = {r} SKB But signing a random message r given by someone and sending the signature can be dangerous. An idea would be to use a hash function h : Bob signs h(r) but the danger remains.

Authentication Transmit a certificate It s better if Bob signs a message he has chosen provided he avoids sending m and its signature together : A! B "Hi, are you Bob?" B! A m = "Alice, I m Bob" c = {h(m)} SKB A certificate provides evidence between an identity and the corresponding PK. A! B B! A A! B B! A "Hi" "Hi, I m Bob. Here s my certificate" cert B "Prove it." m = "Alice, I m Bob" c = {h(m)} SKB Marjorie could usurp Bob s identity during the 3 first exchanges but it would fail after. (Tell when it might not be the case) Identification Exchange a secret Alice does not know Bob s PK in advance. How to securely send his PK? A! B B! A A! B B! A "Hi" "Hi, I m Bob. Here s my PK" PKB "Prove it." m = "Alice, I m Bob" c = {h(m)} SKB Anybody can usurp Bob s identity for Alice by giving his own PK (MIM). Securing communications with public key crypto is costly. Once the authentication step is completed, it s better to share a secret key to use a symmetrical cipher. A! B "Hi" B! A "Hi, I m Bob. Here s my certificate" cert B A! B "Prove it". B! A m = "Alice, I m Bob" c = {h(m)} SKB A! B "Ok Bob, here s our secret :" s = {secret} PKB B! A m 0 = {message from Bob} secret

Attack Communication Melchior, the man in the middle can be active during the 5 first steps. At step 6, he can scramble Bob s message and Alice receives an un-readable message : B! M M! A m 0 = {message from Bob} secret m 0 changed This protocol allows to send messages of arbitrary size. It splits it into blocks, eventually compresses, adds a MAC, enciphers and adds a sequence number to ensure integrity. Alice has no proof of Melchior s existence, even if she finds suspicious Bob s last message. SSL References To counter this attack, it s better to use a MAC : M = h( message from Bob secret) A! B "Hi" B! A "Hi, I m Bob. Here s my certificate" cert B A! B "Prove it". B! A m = "Alice, I m Bob" c = {h(m)} SKB A! B "Ok Bob, here s our secret :" s = {secret} PKB B! A m 0 = {message from Bob} secret h(message from Bob secret) W. Fumy. Key management techniques. In State of the art in applied cryptography, number 528 in LNCS, pages 209 223. Springer Verlag, 997. RSA Laboratories. PKCS ] v2.0, RSA cryptography standard. Technical report, RSA Data Security, 998. Melchior can scramble everything, but Alice will be warned of Melchior s existence.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback