Lecture Data security and encryption - Chapter 32: Review 16-30


The contents of this chapter include all of the following: RSA, RSA En/decryption, Diffie-Hellman key exchange, man-in-the-middle attack, ElGamal cryptography, ElGamal message exchange, hash function, secure hash algorithm, SHA-3 requirements,...

Slide 1

(CSE348)

Slide 2

Lectures 16-30

Slide 3

• Implemented a general-purpose approach to public-key encryption

Slide 4

• It is based on exponentiation in a finite (Galois) field over integers modulo a prime, using large integers (e.g. 1024 bits)

• Its security is due to the cost of factoring large numbers

Slide 5

• By Rivest, Shamir & Adleman of MIT in 1977

• Best known & widely used public-key scheme

• Based on exponentiation in a finite (Galois) field over integers modulo a prime

– nb exponentiation takes O((log n)^3) operations (easy)

• Uses large integers (e.g. 1024 bits)

• Security due to cost of factoring large numbers

– nb factorization takes O(e^(log n log log n)) operations (hard)

Slide 6

RSA En/decryption

• The scheme developed by Rivest, Shamir, and Adleman makes use of an expression with exponentials

• Plaintext is encrypted in blocks, with each block having a binary value less than some number n

• The actual RSA encryption and decryption computations are each simply a single exponentiation mod n

Slide 7

• Thus, this is a public-key encryption algorithm with a public key of PU = {e, n} and a private key of PR = {d, n}

• The message must be smaller than the modulus

• The "magic" is in the choice of the modulus and exponents which makes the system work

Slide 8

RSA En/decryption

• To encrypt a message M the sender:

– obtains the public key of the recipient PU = {e, n}

– computes: C = M^e mod n, where 0 ≤ M < n

• To decrypt the ciphertext C the owner:

– uses their private key PR = {d, n}

– computes: M = C^d mod n

• The message M must be smaller than the modulus n (block if needed)
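The en/decryption steps of slides 6-8 as a worked example. This is an added illustration, not code from the lecture or its textbook; it uses the constructed toy primes p = 61, q = 53 (n = 3233) so every value can be checked by hand, and it enforces the slide's two conditions: the block value is strictly less than n, and longer messages are split into blocks that fit below n. Note that this is "textbook" RSA with no padding, which is deterministic; real deployments pad before exponentiating and use moduli of 2048 bits or more.

```python
# Added example (not from the lecture): textbook RSA with PU = {e, n} and
# PR = {d, n}.  Primes p = 61, q = 53 and e = 17 are constructed toy values.
from math import gcd


def generate_keys(p: int, q: int, e: int = 17):
    """Return (PU, PR) = ((e, n), (d, n)) for primes p, q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse of e mod phi(n) (Python 3.8+)
    return (e, n), (d, n)


def is_valid_block(m: int, n: int) -> bool:
    """Slide 8: the block must satisfy 0 <= M < n."""
    return 0 <= m < n


def encrypt_block(m: int, pu) -> int:
    """C = M^e mod n."""
    e, n = pu
    if not is_valid_block(m, n):
        raise ValueError("message block must be smaller than the modulus n")
    return pow(m, e, n)


def decrypt_block(c: int, pr) -> int:
    """M = C^d mod n."""
    d, n = pr
    return pow(c, d, n)


def block_size_bytes(n: int) -> int:
    """Largest whole number of bytes whose value is guaranteed to be < n."""
    return (n.bit_length() - 1) // 8


def encrypt_bytes(data: bytes, pu) -> list:
    """Split data into blocks that fit below n and encrypt each one ("block if needed")."""
    _, n = pu
    size = block_size_bytes(n)
    return [encrypt_block(int.from_bytes(data[i:i + size], "big"), pu)
            for i in range(0, len(data), size)]


def decrypt_bytes(blocks: list, length: int, pr) -> bytes:
    """Inverse of encrypt_bytes; length is the original byte length so the
    last (possibly shorter) block is restored to its true width."""
    _, n = pr
    size = block_size_bytes(n)
    out = bytearray()
    for i, c in enumerate(blocks):
        width = size if i < len(blocks) - 1 else length - i * size
        out += decrypt_block(c, pr).to_bytes(width, "big")
    return bytes(out)


if __name__ == "__main__":
    pu, pr = generate_keys(61, 53)
    print("PU =", pu, "PR =", pr)           # (17, 3233) and (2753, 3233)
    c = encrypt_block(65, pu)
    print("C =", c, "M =", decrypt_block(c, pr))
    msg = b"hello rsa"
    print(decrypt_bytes(encrypt_bytes(msg, pu), len(msg), pr))
```

With n = 3233 the block size is a single byte, so each byte of the message is encrypted separately; with a realistic modulus the blocks are correspondingly larger.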

Slide 9

Diffie-Hellman Key Exchange

• Public-key cryptography systems (PKCSs)

• Begins with a description of one of the earliest and simplest PKCS: Diffie-Hellman key exchange

• This first published public-key algorithm appeared in the seminal paper by Diffie and Hellman

Slide 10

Diffie-Hellman Key Exchange

• That defined public-key cryptography [DIFF76b]

• And is generally referred to as Diffie-Hellman key exchange

• The concept had been previously described in a classified report in 1970 by Williamson (UK CESG)

• And subsequently declassified in 1987, see [ELLI99]

Slide 11

Diffie-Hellman Key Exchange

• The purpose of the algorithm is to enable two users to securely exchange a key

• That can then be used for subsequent encryption of messages

• The algorithm itself is limited to the exchange of secret values

• A number of commercial products employ this key exchange technique

Slide 12

Diffie-Hellman Key Exchange

• First public-key type scheme proposed

• By Diffie & Hellman in 1976 along with the exposition of public key concepts

– now known that Williamson (UK CESG) secretly proposed the concept in 1970

• Practical method for public exchange of a secret key

• Used in a number of commercial products

Slide 13

Diffie-Hellman Key Exchange

• The purpose of the algorithm is to enable two users to securely exchange a key

• That can then be used for subsequent encryption of messages

• The algorithm itself is limited to the exchange of secret values

• Which depends on the value of the public/private keys of the participants

Slide 14

Diffie-Hellman Key Exchange

• The Diffie-Hellman algorithm uses exponentiation in a finite (Galois) field (modulo a prime or a polynomial)

• And depends for its effectiveness on the difficulty of computing discrete logarithms

Slide 15

Diffie-Hellman Key Exchange

• A public-key distribution scheme

– cannot be used to exchange an arbitrary message

– rather it can establish a common key

– known only to the two participants

• Value of key depends on the participants and their private and public key information

Slide 16

Diffie-Hellman Key Exchange

• Based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) - easy

• Security relies on the difficulty of computing discrete logarithms (similar to factoring) - hard

Slide 17

Man-in-the-Middle Attack

• Darth prepares by creating two private/public key pairs

• Alice transmits her public key to Bob

• Darth intercepts this and transmits his first public key to Bob

• Darth also calculates a shared key with Alice

• Bob receives the public key and calculates the shared key (with Darth instead of Alice)

Slide 18

Man-in-the-Middle Attack

• Bob transmits his public key to Alice

• Darth intercepts this and transmits his second public key to Alice

• Darth calculates a shared key with Bob

• Alice receives the key and calculates the shared key (with Darth instead of Bob)

• Darth can then intercept, decrypt, re-encrypt,
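The exchange of slides 14-18 as a worked example, added here and not part of the lecture. It runs Diffie-Hellman over a constructed toy group (p = 2039, a safe prime with q = 1019, generator g = 4 of order q), once honestly and once with Darth substituting his two public keys as the slides describe, and shows the defender-side consequence: each party ends up sharing a key with Darth rather than with the other. The fingerprint() check is the usual mitigation for an unauthenticated exchange, namely each side hashes the public values it actually saw and the two hashes are compared over an authenticated channel; they agree only when nothing was substituted. Group size and secret values are assumptions for the demonstration; real deployments use groups of at least 2048 bits.

```python
# Added example (not from the lecture): unauthenticated DH with an optional
# man-in-the-middle, plus an out-of-band fingerprint check that detects it.
import hashlib
import secrets

P = 2039   # constructed toy safe prime; real groups are >= 2048 bits
Q = 1019   # (P - 1) // 2, the order of the subgroup generated by G
G = 4      # a quadratic residue mod P, hence of order Q


def public_key(private: int) -> int:
    return pow(G, private, P)


def shared_secret(their_public: int, my_private: int) -> int:
    return pow(their_public, my_private, P)


def fingerprint(pub_a: int, pub_b: int) -> str:
    """Hash of the two public values a party believes were exchanged (order independent)."""
    lo, hi = sorted((pub_a, pub_b))
    return hashlib.sha256(f"{lo}:{hi}".encode()).hexdigest()[:16]


def run_exchange(a: int, b: int, darth=None) -> dict:
    """Honest DH when darth is None; otherwise darth = (d1, d2) as on slides 17-18.
    Returns each party's derived key and the fingerprint of what it saw."""
    ya, yb = public_key(a), public_key(b)
    if darth is None:
        alice_sees, bob_sees = yb, ya
        keys = {"alice": shared_secret(yb, a), "bob": shared_secret(ya, b)}
    else:
        d1, d2 = darth
        yd1, yd2 = public_key(d1), public_key(d2)
        # Darth forwards yd1 to Bob in place of Alice's key (slide 17)
        # and yd2 to Alice in place of Bob's key (slide 18).
        alice_sees, bob_sees = yd2, yd1
        keys = {
            "alice": shared_secret(yd2, a),          # Alice really shares this with Darth
            "bob": shared_secret(yd1, b),            # Bob really shares this with Darth
            "darth_with_alice": shared_secret(ya, d2),
            "darth_with_bob": shared_secret(yb, d1),
        }
    return {
        "keys": keys,
        "alice_fp": fingerprint(ya, alice_sees),
        "bob_fp": fingerprint(bob_sees, yb),
    }


def detected(result: dict) -> bool:
    """Fingerprint comparison over an authenticated channel: True if tampered."""
    return result["alice_fp"] != result["bob_fp"]


if __name__ == "__main__":
    a, b = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    honest = run_exchange(a, b)
    print("honest: keys agree =", honest["keys"]["alice"] == honest["keys"]["bob"],
          "| detected =", detected(honest))
    mitm = run_exchange(a, b, darth=(secrets.randbelow(Q - 1) + 1,
                                     secrets.randbelow(Q - 1) + 1))
    print("mitm:   keys agree =", mitm["keys"]["alice"] == mitm["keys"]["bob"],
          "| detected =", detected(mitm))
```

The fingerprint step only helps because it is checked over a channel Darth cannot rewrite; protocols such as signed Diffie-Hellman achieve the same binding by signing the exchanged values.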

Slide 19

ElGamal Cryptography

• In 1984, T. Elgamal announced a public-key scheme based on discrete logarithms

• Closely related to the Diffie-Hellman technique [ELGA84, ELGA85]

• The ElGamal cryptosystem is used in some form in a number of standards

• Including the digital signature standard (DSS) and the S/MIME email standard

Slide 20

ElGamal Cryptography

• As with Diffie-Hellman, the global elements of ElGamal are a prime number q and a, which is a primitive root of q

Slide 21

ElGamal Cryptography

• User A generates a private/public key pair as shown

• The security of ElGamal is based on the difficulty of computing discrete logarithms

• To recover either x given y, or k given K

Slide 22

ElGamal Cryptography

• Public-key cryptosystem related to D-H

• Uses exponentiation in a finite field

• With security based on the difficulty of computing discrete logarithms, as in D-H

• Each user (e.g. A) generates their key

– chooses a secret key (number): 1 < xA < q-1

– computes their public key: yA = a^xA mod q

Slide 23

ElGamal Message Exchange

• Any user B that has access to A's public key can encrypt a message as shown

• These steps correspond to Figure 9.1a in that Alice generates a public/private key pair

• Bob encrypts using Alice's public key; and Alice decrypts using her private key

• See text for details of why these steps result in M being recovered

Slide 24

ElGamal Message Exchange

Slide 25

ElGamal Message Exchange

• K functions as a one-time key, used to encrypt and decrypt the message

• If a message must be broken up into blocks and sent as a sequence of encrypted blocks, a unique value of k should be used for each block

• If k is used for more than one block, knowledge of one block m of the message enables the user to compute other blocks
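Slides 20-25 as a worked example, added here and not part of the lecture. It uses the slides' notation (global prime q, primitive root a, private xA, public yA = a^xA mod q, one-time key K = y^k) with the constructed toy values q = 2039 and a = 7, and it makes the slide 25 warning concrete: encrypt() accepts k as a parameter so that two blocks can be encrypted under the same k, and recover_with_reused_k() shows that knowing one plaintext block is then enough to compute the other without the private key. Values are assumptions for the demonstration; real systems use q of 2048 bits or more and always draw a fresh k.

```python
# Added example (not from the lecture): ElGamal encryption in the slides'
# notation, with a check of why k must be unique per block.
import secrets

q = 2039  # constructed toy prime (real: >= 2048 bits)
a = 7     # primitive root of q (a quadratic non-residue mod the safe prime 2039)


def generate_keys():
    """Private x with 1 < x < q-1 and public y = a^x mod q (slide 22)."""
    x = secrets.randbelow(q - 3) + 2
    return x, pow(a, x, q)


def encrypt(m: int, y: int, k: int = None):
    """One-time key K = y^k mod q; send (C1, C2) = (a^k mod q, K*M mod q).
    k should be fresh for every block; it is a parameter here only so the
    reuse case can be demonstrated."""
    if not 0 <= m < q:
        raise ValueError("message block must be smaller than q")
    if k is None:
        k = secrets.randbelow(q - 2) + 1
    K = pow(y, k, q)
    return pow(a, k, q), (K * m) % q


def decrypt(c1: int, c2: int, x: int) -> int:
    """Recover K = C1^x mod q, then M = C2 * K^-1 mod q."""
    K = pow(c1, x, q)
    return (c2 * pow(K, -1, q)) % q


def recover_with_reused_k(c2_known: int, m_known: int, c2_target: int) -> int:
    """Slide 25: if two blocks were encrypted with the same k they share K,
    so K = C2_known * M_known^-1 and the other block is C2_target * K^-1.
    Requires m_known != 0."""
    K = (c2_known * pow(m_known, -1, q)) % q
    return (c2_target * pow(K, -1, q)) % q


if __name__ == "__main__":
    x, y = generate_keys()
    c1, c2 = encrypt(1500, y)
    print("round trip:", decrypt(c1, c2, x))
    # Two blocks, same k: C1 is identical, and block 2 falls from block 1.
    (_, e1), (_, e2) = encrypt(100, y, k=3), encrypt(1234, y, k=3)
    print("block 2 from block 1 without x:", recover_with_reused_k(e1, 100, e2))
```

The identical C1 on two blocks is itself a visible symptom of k reuse, which is why the slide insists on a unique k per block.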

Slide 26

ElGamal Message Exchange

• The basic idea with ElGamal encryption is to choose a random key, protect it

• Then use it to scramble the message by multiplying the message with it

• Two bits of info have to be sent: the first to recover this temporary key

• The second the actual scrambled message

Slide 27

ElGamal Message Exchange

• Note that ElGamal encryption involves 1 modulo exponentiation

• And a multiplication (vs 1 exponentiation for RSA)

Slide 28

Hash Function

– hash functions

• uses, requirements, security

– hash functions based on block ciphers

– SHA-1, SHA-2, SHA-3

Slide 29

Hash Functions

h = H(M)

– computationally infeasible to find data mapping to a specific hash (one-way property)

– computationally infeasible to find two data items mapping to the same hash (collision-free property)

Slide 30

Cryptographic Hash Function

Slide 31

Secure Hash Algorithm

• SHA originally designed by NIST & NSA in 1993

• was revised in 1995 as SHA-1

• US standard for use with the DSA signature scheme

– standard is FIPS 180-1 1995, also Internet RFC 3174

– nb the algorithm is SHA, the standard is SHS

• Based on the design of MD4 with key differences

• Produces 160-bit hash values

• Recent 2005 results on the security of SHA-1 have raised concerns on its use in future applications

Slide 33

• SHA-1 not yet "broken"

– but similar to broken MD5 & SHA-0

– so considered insecure

• SHA-2 (esp. SHA-512) seems secure

– shares same structure and mathematical operations as predecessors, so there is concern

• NIST announced in 2007 a competition for the SHA-3 next-gen NIST hash function

– goal to have in place by 2012 but not fixed

Slide 34

SHA-3 Requirements

• Replace SHA-2 with SHA-3 in any use

– so use same hash sizes

• Preserve the online nature of SHA-2

– so must process small blocks (512 / 1024 bits)

• Evaluation criteria

– security close to theoretical max for hash sizes

– cost in time & memory

– characteristics: such as flexibility & simplicity

Slide 35

Message Authentication

• Message authentication is concerned with:

– protecting the integrity of a message

– validating the identity of the originator

– non-repudiation of origin (dispute resolution)

• Will consider the security requirements

• Then three alternative functions used:

– hash function

– message encryption

– message authentication code (MAC)
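Two of the three alternatives on slide 35, a plain hash and a MAC, side by side as a worked example; this is added here and is not code from the lecture. It shows why a hash alone protects integrity only against accidents: an outsider who changes the message can recompute the public hash, but cannot recompute an HMAC without the shared key, so the altered message is rejected. The key, the message and the altered copy are constructed for the demonstration. The standard library's hmac module (HMAC-SHA256 here, the construction named on slide 37) and its compare_digest() are used so the verification time does not depend on where the first mismatching byte is.

```python
# Added example (not from the lecture): hash-only integrity check versus a
# keyed MAC, with an outsider's attempt to alter the message.
import hashlib
import hmac

SHARED_KEY = b"constructed-demo-key-do-not-reuse"   # known to sender and receiver only


def hash_tag(message: bytes) -> str:
    """Integrity only: h = H(M), recomputable by anyone who sees M."""
    return hashlib.sha256(message).hexdigest()


def mac_tag(key: bytes, message: bytes) -> str:
    """Origin + integrity: HMAC-SHA256 under the shared key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_hash(message: bytes, tag: str) -> bool:
    return hmac.compare_digest(hash_tag(message), tag)


def verify_mac(key: bytes, message: bytes, tag: str) -> bool:
    # constant-time comparison: no timing hint about how many bytes matched
    return hmac.compare_digest(mac_tag(key, message), tag)


def outsider_alters(replacement: bytes, old_mac: str):
    """What someone without the key can do: swap the message and recompute
    the public hash; the MAC can only be forwarded unchanged."""
    return replacement, hash_tag(replacement), old_mac


def demo() -> dict:
    msg = b"transfer 10 to account 42"          # constructed sample message
    h, t = hash_tag(msg), mac_tag(SHARED_KEY, msg)
    altered, ah, at = outsider_alters(b"transfer 10000 to account 42", t)
    return {
        "genuine_hash_ok": verify_hash(msg, h),
        "genuine_mac_ok": verify_mac(SHARED_KEY, msg, t),
        "altered_hash_ok": verify_hash(altered, ah),          # True: hash gives no origin check
        "altered_mac_ok": verify_mac(SHARED_KEY, altered, at),  # False: key needed to re-tag
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16} {ok}")
```

The receiver only learns that the MAC was produced by someone holding the key; it cannot show a third party which of the two key holders sent it, which is the gap that digital signatures (slide 38) close.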

Slide 36

Message Security Requirements

Slide 37

Message Authentication

– message authentication requirements

– message authentication using encryption

– HMAC authentication using a hash function

– CMAC authentication using a block cipher

– Pseudorandom Number Generation (PRNG) using Hash Functions and MACs

Slide 38

Digital Signatures

• Have looked at message authentication

– but it does not address issues of lack of trust

• Digital signatures provide the ability to:

– verify author, date & time of signature

– authenticate message contents

– be verified by third parties to resolve disputes

• Hence include authentication function with

Slide 39

Digital Signature Model

Slide 40

Digital Signature Model

• Stallings Figure 13.1 is a generic model of the process of making and using digital signatures

• Bob can sign a message using a digital signature generation algorithm

• The inputs to the algorithm are the message and Bob's private key

Slide 41

Digital Signature Model

• Any other user, say Alice, can verify the signature using a verification algorithm

• Whose inputs are the message, the signature, and Bob's public key

Slide 42

Attacks and Forgeries

– key-only attack

– known message attack

– generic chosen message attack

– directed chosen message attack

– adaptive chosen message attack

– total break

– selective forgery

– existential forgery

Slide 43

Digital Signature Requirements

• Must depend on the message signed

• Must use information unique to sender

– to prevent both forgery and denial

• Must be relatively easy to produce

• Must be relatively easy to recognize & verify

• Be computationally infeasible to forge

– with new message for existing digital signature

– with fraudulent digital signature for given message

• Be practical to save digital signature in storage

Slide 44

Digital Signatures

– digital signatures

– ElGamal & Schnorr signature schemes

– digital signature algorithm and standard
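The signature model of slides 40-41 carried out with a Schnorr signature, one of the discrete-logarithm schemes named on slide 44. This is an added example, not code from the lecture or its textbook: Bob signs with his private key x, and anyone holding the public key y = g^x checks the signature against the message. The group is the constructed toy safe prime p = 2039 with q = 1019 and g = 4 of order q, and the challenge hash is SHA-256 over r and the message. The test below covers the slide 43 requirements that a signature depends on the message signed (a changed message fails) and is infeasible to forge without the signer's private information. Real schemes use p of 2048 bits or more or an elliptic-curve group.

```python
# Added example (not from the lecture): Schnorr signature generation and
# verification over a constructed toy group.
import hashlib
import secrets

P, Q, G = 2039, 1019, 4   # toy safe prime, subgroup order, generator of order Q


def keygen():
    """Bob's private signing key x and public key y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def _challenge(r: int, message: bytes) -> int:
    """e = H(r || M): ties the signature to this message and this r."""
    return int.from_bytes(hashlib.sha256(f"{r}:".encode() + message).digest(), "big")


def sign(x: int, message: bytes, k: int = None):
    """r = g^k, e = H(r || M), s = k - x*e mod q; the signature is (e, s).
    k must be secret and fresh per signature; it is a parameter only so a
    deterministic run can be checked."""
    if k is None:
        k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = _challenge(r, message)
    s = (k - x * e) % Q
    return e, s


def verify(y: int, message: bytes, signature) -> bool:
    """Recompute r' = g^s * y^e mod p; since y = g^x this equals g^k when the
    signature is genuine, so H(r' || M) must reproduce e."""
    e, s = signature
    r_prime = (pow(G, s, P) * pow(y, e, P)) % P
    return _challenge(r_prime, message) == e


if __name__ == "__main__":
    x, y = keygen()                      # Bob
    msg = b"constructed sample contract"
    sig = sign(x, msg)
    print("Alice verifies genuine message:", verify(y, msg, sig))
    print("Alice verifies altered message:", verify(y, msg + b"!", sig))
```

Because verification needs only y, the message and (e, s), a third party can repeat Alice's check to settle a dispute, which is the property slide 38 lists and a MAC cannot provide.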

Slide 45

Key Management and Distribution

• Topics of cryptographic key management / key distribution are complex

– cryptographic, protocol, & management issues

• Symmetric schemes require both parties to share a common secret key

• Public key schemes require parties to acquire valid public keys

• Have concerns with doing both

Slide 46

Key Distribution

• For symmetric encryption to work

• Two parties to an exchange must share the

Slide 47

Key Distribution

• This is one of the most critical areas in security systems

• On many occasions systems have been broken

• Not because of a poor encryption algorithm

• But because of poor key selection or management

It is absolutely critical to get this right!

Slide 48

Key Distribution

• Symmetric schemes require both parties to share a common secret key

• Issue is how to securely distribute this key

• Whilst protecting it from others

• Frequent key changes can be desirable

• Often secure system failure is due to a break in the

Slide 49

Key Distribution

Given parties A and B have various key distribution alternatives:

1. A can select a key and physically deliver it to B

2. a third party can select & deliver the key to A & B

3. if A & B have communicated previously, they can use the previous key to encrypt a new key

4. if A & B have secure communications with a third party C, C can relay a key between A & B

Slide 50

• Physical delivery (1 & 2) is simplest

• But only applicable when there is personal

Slide 52

Key Distribution

• Then all subsequent keys will be revealed

• A third party, whom all parties trust, can be used as a trusted intermediary

• To mediate the establishment of secure communications between them (4)

• Must trust the intermediary not to abuse the

Slide 53

Key Distribution

• As the number of parties grows

• Some variant of 4 is the only practical solution to the huge growth in the number of keys potentially needed

Slide 54

Key Management and Distribution

– distribution of public keys

• announcement, directory, authority, CA

– X.509 authentication and certificates

Slide 55

User Authentication

• This chapter examines some of the authentication functions that have been developed to support network-based use

Slide 56

User Authentication

• RFC 2828 defines user authentication as the process of verifying an identity claimed by or for a system entity

• An authentication process consists of two steps:

– Identification step

– Verification step

Slide 57

User Authentication

Identification step: presenting an identifier to the security system

• Identifiers should be assigned carefully

• Because authenticated identities are the basis for other security services

• Such as the access control service

Slide 59

User Authentication

• In essence, identification is the means by which a user provides a claimed identity to the system

• User authentication is the means of establishing the validity of the claim

• User authentication is distinct from message authentication

Slide 60

User Authentication

• Fundamental security building block

– basis of access control & user accountability

• Process of verifying an identity claimed by or for a system entity

• Has two steps:

– identification - specify identifier

– verification - bind entity (person) and identifier

• Distinct from message authentication

Slide 61

Means of User Authentication

• Four means of authenticating a user's identity

• Based on something the individual

– knows - e.g. password, PIN

– possesses - e.g. key, token, smartcard

– is (static biometrics) - e.g. fingerprint, retina

– does (dynamic biometrics) - e.g. voice, signature

• Can use alone or combined

• All can provide user authentication

• All have issues

Slide 62

• Trusted key server system from MIT

• Provides centralised private-key third-party authentication in a distributed network

– allows users access to services distributed through the network

– without needing to trust all workstations

– rather all trust a central authentication server

• Two versions in use: 4 & 5

Slide 64

Kerberos Requirements

• In a more open environment, in which network connections to other machines are supported

• An approach that requires the user to prove his or her identity for each service invoked

• And also requires that servers prove their identity to clients, is needed to protect user information and resources housed at the server

Slide 65

User Authentication

– remote user authentication issues

– authentication using symmetric encryption

– the Kerberos trusted key server system

– authentication using asymmetric encryption

– federated identity management

Slide 66

Wireless Network Security

– IEEE 802.11 Wireless LANs

• protocol overview and security

– Wireless Application Protocol (WAP)

• protocol overview

– Wireless Transport Layer Security (WTLS)

Slide 67

frequencies and data rates, has exploded

standards issued

Slide 68

Email Security

• Email is one of the most widely used and regarded network services

• Currently message contents are not secure

– may be inspected either in transit

– or by suitably privileged users on the destination system

Slide 69

Email Security Enhancements

Posted: 20/09/2020, 14:05