Public Key And Management UNIT III Prof. R. B. Rathod
Public Key Cryptography
• It uses two keys, one for encryption and one for decryption:
– a public key, which may be known by anybody, and can be used to encrypt messages
– a private key, known only to the recipient, used to decrypt messages
• It has six ingredients (the public key and the private key count as two):
1. Plaintext
2. Encryption algorithm
3. Public and private keys
4. Ciphertext
5. Decryption algorithm
Public-Key Characteristics
• Public-key algorithms rely on two keys where:
– it is computationally infeasible to find the decryption key knowing only the algorithm and the encryption key
– it is computationally easy to encrypt/decrypt messages when the relevant (encrypt/decrypt) key is known
– either of the two related keys can be used for encryption, with the other used for decryption (for some algorithms)
Public key Cryptosystem : Authentication and secrecy
Requirements of Public Key Cryptography
1. It is easy for party B to generate a pair of keys (public key PUb, private key PRb).
2. It is easy for a sender A, knowing the public key and the message to be encrypted, to generate the ciphertext: C = E(PUb, M)
3. It is easy for receiver B to decrypt the resulting ciphertext using the private key: M = D(PRb, C) = D[PRb, E(PUb, M)]
4. It is infeasible for any person, knowing the public key PUb, to determine the private key PRb.
5. It is infeasible for any person, knowing the public key PUb and a ciphertext C, to recover the original message M.
6. The two keys can be applied in either order: M = D[PUb, E(PRb, M)] = D[PRb, E(PUb, M)]
Exercise
• Explain the difference between conventional and public key encryption.
• What are the different requirements for public key cryptography?
Related Links
• http://docs.sun.com/source/816-6154-10/contents.htm
RSA
• Invented by Rivest, Shamir and Adleman of MIT in 1977
• It is the best known and most widely used public-key scheme.
• It is a block cipher algorithm in which plaintext and ciphertext are integers between 0 and n-1 for some n.
• A typical size for n is 1024 bits or 309 decimal digits.
RSA Algorithm
An Example
• Let p = 3 and q = 5, so n = 3 × 5 = 15
• Q(n) = (3 - 1) × (5 - 1) = 2 × 4 = 8
• Select e such that gcd(Q(n), e) = 1, where 1 < e < Q(n). Say e = 3 (a prime that does not divide Q(n) always satisfies this).
• Calculate d such that (d × e) mod Q(n) = 1: list 8k + 1 = 9, 17, 25, 33, 41, ... for k = 1, 2, 3, 4, ... and check which is divisible by 3. 33 is divisible by 3, so d = 33/3 = 11. (9 is also divisible by 3, giving d = 3, which works equally well.)
• Now K1 = (3, 15) and K2 = (11, 15)
• Take plaintext M = 13, where M < n
• Encryption: C = 13^3 mod 15 = 7
• Decryption: M = 7^11 mod 15 = 13
Exercise
• Perform encryption and decryption using the RSA algorithm for the following:
1. p = 3, q = 11, e = 7, M = 5
2. p = 5, q = 11, e = 3, M = 9
• Explain various asymmetric encryption algorithms.
• Draw an algorithm and flowchart for implementing the RSA algorithm.
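A runnable version of the RSA worked example and of the two exercise instances above, added here as an illustration and not code from the slides. It derives d with a modular inverse instead of the 8k + 1 search, refuses an e that is not coprime to Q(n), and round-trips the plaintext; the function names and the rsa_roundtrip helper are my own.

```python
from math import gcd


def rsa_keygen(p, q, e):
    """Textbook RSA key generation from primes p, q and a chosen exponent e.

    Returns (public key (e, n), private key (d, n)). d is the smallest
    positive inverse of e modulo Q(n) = (p-1)(q-1); any d' = d + t*Q(n)
    (the slides pick 11 = 3 + 8 for p=3, q=5, e=3) decrypts just as well.
    """
    n = p * q
    phi = (p - 1) * (q - 1)            # Q(n) in the slides: Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must satisfy gcd(e, Q(n)) = 1")
    d = pow(e, -1, phi)                # modular inverse: (d * e) mod Q(n) == 1
    return (e, n), (d, n)


def rsa_encrypt(pub, m):
    """C = M^e mod n; the plaintext block must be an integer in [0, n)."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("plaintext block M must satisfy 0 <= M < n")
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    """M = C^d mod n."""
    d, n = priv
    return pow(c, d, n)


def rsa_roundtrip(p, q, e, m):
    """Generate keys, encrypt m, decrypt it again; returns (pub, priv, C, M')."""
    pub, priv = rsa_keygen(p, q, e)
    c = rsa_encrypt(pub, m)
    return pub, priv, c, rsa_decrypt(priv, c)


if __name__ == "__main__":
    # the slide example followed by the two exercise instances
    for p, q, e, m in [(3, 5, 3, 13), (3, 11, 7, 5), (5, 11, 3, 9)]:
        pub, priv, c, m2 = rsa_roundtrip(p, q, e, m)
        print(f"p={p} q={q} e={e}: public={pub} private={priv} C={c} M={m2}")
```

With p = 3, q = 5, e = 3 the smallest inverse is d = 3; the slides' d = 11 differs from it by Q(n) = 8, so both decrypt C = 7 back to 13.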
Key Management and Distribution
• topics of cryptographic key management / key distribution are complex
– cryptographic, protocol, and management issues
• symmetric schemes require both parties to share a common secret key
• public key schemes require parties to acquire valid public keys
• have concerns with doing both
Road Map
• symmetric key distribution using symmetric encryption
• symmetric key distribution using public-key encryption
• distribution of public keys
– announcement, directory, authority, CA
• X.509 authentication and certificates
• public key infrastructure (PKIX)
Key Distribution
• symmetric schemes require both parties to share a common secret key
• issue is how to securely distribute this key whilst protecting it from others
• frequent key changes can be desirable
• often secure system failure is due to a break in the key distribution scheme
Key Distribution
• given parties A and B have various key distribution alternatives:
1. A can select key and physically deliver to B
2. third party can select and deliver key to A and B
3. if A and B have communicated previously can use previous key to encrypt a new key
4. if A and B have secure communications with a third party C, C can relay key between A and B
Key Distribution Task
Key Hierarchy
• typically have a hierarchy of keys
• session key
– temporary key used for encryption of data between users for one logical session, then discarded
• master key
– used to encrypt session keys
– shared by user and key distribution center
Key Hierarchy
Key Distribution Scenario
Key Distribution Issues
• hierarchies of KDCs required for large networks, but must trust each other
• session key lifetimes should be limited for greater security
• use of automatic key distribution on behalf of users, but must trust system
• use of decentralized key distribution
• controlling key usage
Symmetric Key Distribution Using Public Keys
• public key cryptosystems are inefficient, so they are almost never used for direct data encryption
• rather, they are used to encrypt secret keys for distribution
Simple Secret Key Distribution
• Merkle proposed this very simple scheme
• allows secure communications
• no keys exist before or after the exchange
Man-in-the-Middle Attack
• this very simple scheme is vulnerable to an active man-in-the-middle attack
Secret Key Distribution with Confidentiality and Authentication
Hybrid Key Distribution
• retain use of private-key KDC
• KDC shares secret master key with each user
• distributes session key using master key
• public-key used to distribute master keys
– especially useful with widely distributed users
• rationale
– performance
– backward compatibility
Distribution of Public Keys
• can be considered as using one of:
– public announcement
– publicly available directory
– public-key authority
– public-key certificates
Public Announcement
• users distribute public keys to recipients or broadcast to community at large
– eg. append PGP keys to email messages or post to news groups or email list
• major weakness is forgery
– anyone can create a key claiming to be someone else and broadcast it
– until forgery is discovered can masquerade as claimed user
Publicly Available Directory
• can obtain greater security by registering keys with a public directory
• must be trusted with properties:
– contains {name, public-key} entries
– participants register securely with directory
– participants can replace key at any time
– directory is periodically published
– directory can be accessed electronically
• still vulnerable to tampering or forgery
Public-Key Authority
• improve security by tightening control over distribution of keys from directory
• has properties of directory
• and requires users to know public key for the directory
• then users interact with directory to obtain any desired public key securely
– does require real-time access to directory when keys are needed
– may be vulnerable to tampering
Public-Key Authority
Public-Key Certificates
• certificates allow key exchange without real-time access to public-key authority
• a certificate binds identity to public key
– usually with other info such as period of validity, rights of use etc
• with all contents signed by a trusted Public-Key or Certificate Authority (CA)
• can be verified by anyone who knows the public-key authority's public key
Diffie-Hellman Key Exchange (1976)
• It is used by two users to securely exchange a key that can be used for subsequent encryption of messages.
• a public-key distribution scheme
– cannot be used to exchange an arbitrary message
– rather it can establish a common key
– known only to the two participants
• value of key depends on the participants (and their private and public key information)
• based on mathematical principles
• security relies on the difficulty of computing discrete logarithms (similar to factoring), which is hard
Diffie-Hellman Key Exchange Algorithm
• Global Public Elements
– q = prime number (300 decimal digits, i.e. 1024 bits)
– α = integer
• User A Key Generation
– Select private Xa, Xa < q
– Calculate public Ya, Ya = α^Xa mod q
• User B Key Generation
– Select private Xb, Xb < q
– Calculate public Yb, Yb = α^Xb mod q
Diffie-Hellman Key Exchange Algorithm
• Generation of secret key by user A: K = (Yb)^Xa mod q
• Generation of secret key by user B: K = (Ya)^Xb mod q
• users Alice and Bob who wish to swap keys:
• agree on prime q = 353 and α = 3
• select random secret keys:
– A chooses xA = 97, B chooses xB = 233
• compute respective public keys:
– yA = 3^97 mod 353 = 40 (Alice)
– yB = 3^233 mod 353 = 248 (Bob)
• compute shared session key as:
– KAB = yB^xA mod 353 = 248^97 mod 353 = 160 (Alice)
– KAB = yA^xB mod 353 = 40^233 mod 353 = 160 (Bob)
Diffie –Hellman Key Exchange
Exercise
• users Alice and Bob who wish to swap keys:
• agree on prime q = 5 and α = 7
• select random secret keys:
– A chooses xA = 8, B chooses xB = 13
Exercise
• Using the Diffie-Hellman key exchange technique, find A's public key YA and B's public key YB, if q = 71 and α = 7, XA = 5 and XB = 12.
• Draw an algorithm and flowchart, and write a C++ program to implement the Diffie-Hellman key exchange algorithm.
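Both sides of the exchange, runnable on the q = 353 worked example and on the q = 71 exercise above. This is an added illustration in Python (the exercise asks for C++) and not code from the slides; the generator is called alpha here, the helper is_primitive_root is my own brute-force check that alpha really generates all of Z_q*, and dh_exchange simply runs Alice and Bob in one process.

```python
def is_primitive_root(alpha, q):
    """True if the powers of alpha mod q hit every value 1..q-1.
    Brute force, fine for the small primes in the slides."""
    seen = set()
    value = 1
    for _ in range(q - 1):
        value = value * alpha % q
        seen.add(value)
    return len(seen) == q - 1


def dh_public(alpha, x, q):
    """Public value Y = alpha^x mod q for private exponent x."""
    return pow(alpha, x, q)


def dh_shared(peer_public, x, q):
    """Shared secret K = (peer's Y)^x mod q."""
    return pow(peer_public, x, q)


def dh_exchange(q, alpha, x_a, x_b):
    """Run both sides of the exchange; returns (Y_A, Y_B, K)."""
    if not (0 < x_a < q and 0 < x_b < q):
        raise ValueError("private keys must satisfy 0 < X < q")
    y_a = dh_public(alpha, x_a, q)       # Alice publishes Y_A
    y_b = dh_public(alpha, x_b, q)       # Bob publishes Y_B
    k_a = dh_shared(y_b, x_a, q)         # Alice: (Y_B)^X_A mod q
    k_b = dh_shared(y_a, x_b, q)         # Bob:   (Y_A)^X_B mod q
    if k_a != k_b:
        raise AssertionError("both sides must derive the same key")
    return y_a, y_b, k_a


if __name__ == "__main__":
    print("3 is a primitive root of 353:", is_primitive_root(3, 353))
    print("q=353, alpha=3:", dh_exchange(353, 3, 97, 233))   # (40, 248, 160)
    print("q=71,  alpha=7:", dh_exchange(71, 7, 5, 12))
```

An eavesdropper who sees q, alpha, Y_A and Y_B still has to solve a discrete logarithm to recover either exponent, which is why only the private X values need protecting.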
Elliptic Curve Cryptography
What's wrong with RSA?
• RSA is based upon the 'belief' that factoring is 'difficult'; this has never been proven
• Prime numbers are getting too large
• The amount of research currently devoted to factoring algorithms
• Quantum computing will make RSA obsolete overnight
What exactly is an elliptic curve?
Let a, b ∈ ℝ be constants such that 4a³ + 27b² ≠ 0. A non-singular elliptic curve is the set E of solutions (x, y) ∈ ℝ × ℝ to the equation:
y² = x³ + ax + b
together with a special point O called the point at infinity.
Singular Elliptic Curve
• If 4a³ + 27b² = 0, then we have a singular elliptic curve
• In that case the cubic x³ + ax + b need not have 3 distinct roots
• Therefore we must deal with non-singular elliptic curves, with the condition 4a³ + 27b² ≠ 0, in order to ensure that we have 3 distinct roots.
• This will allow us to establish the fact that the solution set E forms an Abelian group.
What is a Group?
Suppose we have any binary operation, such as addition (+), that is defined for every element in a set G, which is denoted (G, +). Then G is a group with respect to addition if the following conditions hold:
1.) G is closed under addition: x ∈ G, y ∈ G imply x + y ∈ G
2.) + is associative: for all x, y, z ∈ G, x + (y + z) = (x + y) + z
3.) G has an identity element e: there is an e in G such that x + e = e + x = x for all x ∈ G.
4.) G contains inverses: for each x ∈ G, there exists y ∈ G such that x + y = y + x = e.
What is an Abelian Group?
An Abelian group satisfies all the rules of a group, but must also meet the following criterion:
5.) + is commutative: for all x ∈ G, y ∈ G, x + y = y + x.
3 Cases for Solutions
Suppose P, Q ∈ E, where P = (x1, y1) and Q = (x2, y2). We must consider three cases:
1.) x1 ≠ x2
2.) x1 = x2 and y1 = -y2
3.) x1 = x2 and y1 = y2
These cases must be considered when defining "addition" for our solution set.
Defining Addition on E: Case 1
For the case x1 ≠ x2, addition is defined as follows:
(x1, y1) + (x2, y2) = (x3, y3) ∈ E, where
x3 = λ² - x1 - x2
y3 = λ(x1 - x3) - y1, and
λ = (y2 - y1) / (x2 - x1)
Defining Addition on E: Case 2
For the case x1 = x2 and y1 = -y2, addition is defined as follows:
(x1, y1) + (x2, y2) = (x, y) + (x, -y) = O, the point at infinity
Defining Addition on E: Case 3
For the case x1 = x2 and y1 = y2 (point doubling), addition is defined as follows:
(x1, y1) + (x2, y2) = (x3, y3) ∈ E, where
x3 = λ² - x1 - x2
y3 = λ(x1 - x3) - y1, and
λ = (3x1² + a) / (2y1)
Defining the Identity
• The point at infinity O is the identity element: P + O = O + P = P, for all P ∈ E.
• From Case 2 and the identity element, we now have the existence of inverses
• It is beyond the scope here to prove that we have commutativity and associativity as well
• Therefore the set of solutions E forms an Abelian group (the importance of this will be shown later)
Elliptic Curves modulo p
Let p > 3 be prime. The elliptic curve y² = x³ + ax + b over ℤp is the set of solutions (x, y) ∈ ℤp × ℤp to the congruence:
y² ≡ x³ + ax + b (mod p)
where a ∈ ℤp, b ∈ ℤp are constants such that 4a³ + 27b² ≢ 0 (mod p), together with a special point O called the point at infinity.
Solutions still form an Abelian group.
So now for an example
Let's examine the following elliptic curve as an example: y² = x³ + x + 6 over ℤ11
(the quadratic residues mod 11 are 1, 3, 4, 5 and 9)
x | x³ + x + 6 mod 11 | QR? | y
0 | 6 | N | -
1 | 8 | N | -
2 | 5 | Y | 4, 7
3 | 3 | Y | 5, 6
4 | 8 | N | -
5 | 4 | Y | 2, 9
6 | 8 | N | -
7 | 4 | Y | 2, 9
8 | 9 | Y | 3, 8
9 | 7 | N | -
10 | 4 | Y | 2, 9
Generating our group
• From the previous chart, and including the point at infinity O, we have a group with 13 points.
• Since the order of E, #E = 13, is prime, the group is cyclic.
• We can generate the group by choosing any point other than the point at infinity.
• Let our generator be α = (2, 7)
The Group
We can generate this by using the rules of addition we defined earlier, where 2α = α + α:
α = (2, 7)
2α = (5, 2)
3α = (8, 3)
4α = (10, 2)
5α = (3, 6)
6α = (7, 9)
7α = (7, 2)
8α = (3, 5)
9α = (10, 9)
10α = (8, 8)
11α = (5, 9)
12α = (2, 4)
Encryption Rules
• Suppose we let α = (2, 7) and choose the private key to be 7; then b = 7α = (7, 2)
• Encryption: eK(x, k) = (kα, x + kb) = (k(2, 7), x + k(7, 2)), where x ∈ E and 0 ≤ k ≤ 12
Decryption Rule
• Decryption: dK(y1, y2) = y2 - Kpriv·y1 = y2 - 7·y1
• This is based on the ElGamal scheme of elliptic curve encryption
Using this Scheme
• Suppose Alice wants to send a message to Bob.
• Plaintext is x = (10, 9), which is a point in E
• Choose a random value for k, k = 3
• So now calculate (y1, y2):
– y1 = 3(2, 7) = (8, 3)
– y2 = (10, 9) + 3(7, 2) = (10, 9) + (3, 5) = (10, 2)
• Alice transmits y = ((8, 3), (10, 2))
Bob Decrypts
• Bob receives y = ((8, 3), (10, 2))
• Calculates x = (10, 2) - 7(8, 3) = (10, 2) - (3, 5) = (10, 2) + (3, 6) = (10, 9)
• Which was the plaintext
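The three addition cases, the group generated by α = (2, 7), and the ElGamal encryption and decryption above, all as running code. This is an added illustration, not code from the slides: the Curve class, the double-and-add scalar multiplication (the slides add α repeatedly, which gives the same result) and the function names are my own, and the point at infinity is represented by None.

```python
INF = None   # the point at infinity O, the group identity


class Curve:
    """y^2 = x^3 + a*x + b over Z_p with the three-case addition from the slides."""

    def __init__(self, a, b, p):
        if (4 * a ** 3 + 27 * b ** 2) % p == 0:
            raise ValueError("singular curve: 4a^3 + 27b^2 = 0 (mod p)")
        self.a, self.b, self.p = a, b, p

    def contains(self, P):
        if P is INF:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def neg(self, P):
        """-P = (x, -y); subtraction is addition of the negated point."""
        if P is INF:
            return INF
        x, y = P
        return (x, (-y) % self.p)

    def add(self, P, Q):
        p = self.p
        if P is INF:
            return Q
        if Q is INF:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % p == 0:          # case 2: P + (-P) = O
            return INF
        if x1 == x2:                                  # case 3: doubling
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, p) % p
        else:                                         # case 1: distinct x
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
        x3 = (lam * lam - x1 - x2) % p
        y3 = (lam * (x1 - x3) - y1) % p
        return (x3, y3)

    def mul(self, k, P):
        """k*P by double-and-add (k = 0 gives O)."""
        R, Q = INF, P
        while k > 0:
            if k & 1:
                R = self.add(R, Q)
            Q = self.add(Q, Q)
            k >>= 1
        return R

    def points(self):
        """All solutions plus O, by testing every (x, y) pair (tiny p only)."""
        pts = [INF]
        for x in range(self.p):
            rhs = (x ** 3 + self.a * x + self.b) % self.p
            pts += [(x, y) for y in range(self.p) if y * y % self.p == rhs]
        return pts


def ec_elgamal_encrypt(curve, alpha, beta, x, k):
    """e_K(x, k) = (k*alpha, x + k*beta); beta is the public key priv*alpha."""
    return curve.mul(k, alpha), curve.add(x, curve.mul(k, beta))


def ec_elgamal_decrypt(curve, priv, y1, y2):
    """d_K(y1, y2) = y2 - priv*y1."""
    return curve.add(y2, curve.neg(curve.mul(priv, y1)))


if __name__ == "__main__":
    E = Curve(1, 6, 11)
    alpha = (2, 7)
    print(len(E.points()), "points;", [E.mul(i, alpha) for i in range(1, 13)])
    beta = E.mul(7, alpha)                                  # private key 7
    y1, y2 = ec_elgamal_encrypt(E, alpha, beta, (10, 9), 3)
    print((y1, y2), ec_elgamal_decrypt(E, 7, y1, y2))       # ((8,3),(10,2)) (10,9)
```

Case 2 is tested before case 3 on purpose: when y1 = y2 = 0 the doubling formula would divide by zero, but that point is its own inverse and the sum is O.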
Real example from the NSA: Curve P-192
p = 62771017353866807638578942320766641608390870039024961279
r = 627710173538668076385789423176059013767194773182842284081
a = 3099d2bbbfcb2538542dcd5fb078b6ef5f3d6fe2c745de65
b = 64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1
Gx = 188da89eb03090f67cbf20eb43a18800f4ff0afd82ff1012
Gy = 07192b95ffc8da78631011ed6b24cdd573f977a11e794811
For Further Reading
• http://postdiluvian.org/~seven/diffie.html
• AES links:
– http://www.youtube.com/watch?v=SFXYCT9-SeM (AES)
– http://www.youtube.com/watch?v=ySq88y0e8u4&feature=related
Digital Signature
• Encryption, message authentication and digital signatures are all tools of modern cryptography.
• A signature is a technique for non-repudiation based on public key cryptography.
• The creator of a message can attach a code, the signature, which guarantees the source and integrity of the message.
Digital signature process
Properties of Signatures
• Similar to handwritten signatures, digital signatures must fulfill the following:
– Recipients must be able to verify them
– Signers must not be able to repudiate them later
• In addition, digital signatures cannot be constant and must be a function of the entire document they sign
Types of Signatures
• Direct digital signature: involves only the communicating parties
– Assumed that receiver knows public key of sender.
– Signature may be formed by (1) encrypting entire message with sender's private key or (2) encrypting hash code of message with sender's private key.
– Further encryption of entire message + signature with receiver's public key or shared private key ensures confidentiality.
The message with sender’s private key
The hash code of message with sender’s private key
Types of Signatures
• Arbitrated digital signature: involves a trusted third party or arbiter
– Every signed message from sender X to receiver Y goes to an arbiter (authority) A first.
– A subjects message + signature to a number of tests to check origin and content
– A dates the message and sends it to Y with an indication that it has been verified to its satisfaction
Digital Signature Standard
• Public-key technique.
• User applies the Secure Hash Algorithm (SHA) to the message to produce a message digest.
• User's private key is applied to the message digest using DSA to generate the signature.
Digital Signature Standard Exp: LIC Doc
DSA/DSS Key Generation
• have shared global public key values (p, q, g):
– choose a large prime p with 2^(L-1) < p < 2^L, where L = 512 to 1024 bits and is a multiple of 64
– choose q with 2^159 < q < 2^160 such that q is a 160-bit prime divisor of (p-1)
– choose g = h^((p-1)/q) mod p, where 1 < h < p-1 and h^((p-1)/q) mod p > 1
• users choose private key and compute public key:
– choose x < q // private key
– compute y = g^x mod p // public key
DSA Signature Creation
• to sign a message M the sender:
– generates a random signature key k, k < q
– k must be random, be destroyed after use, and never be reused
• then computes signature pair:
– r = (g^k mod p) mod q
– s = [k^(-1) (H(M) + x·r)] mod q
• sends signature (r, s) with message M
DSA Signature Verification
• having received M and signature (r, s)
• to verify a signature, recipient computes:
– w = s^(-1) mod q
– u1 = [H(M)·w] mod q
– u2 = (r·w) mod q
– v = [(g^u1 · y^u2) mod p] mod q
• if v = r then signature is verified
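The three DSA steps above (parameter and key generation, signing, verification) as one runnable program. This is an added illustration and not code from the slides or the standard: the parameters are toy-sized (q is the Mersenne prime 2^31 - 1 rather than a 160-bit prime, p is found by search, and H(M) is SHA-1 reduced mod q), the Miller-Rabin helper and all function names are my own, and the k argument of dsa_sign exists only so a worked example can be reproduced.

```python
import hashlib
import secrets
from itertools import count

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Miller-Rabin; deterministic with these bases for n < 3.3e24."""
    if n < 2:
        return False
    for b in BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def dsa_params(q=2 ** 31 - 1):
    """Global (p, q, g): q prime, p = k*q + 1 prime, g = h^((p-1)/q) mod p > 1.
    Toy-sized on purpose: q defaults to 2^31 - 1, far below the 160-bit q
    the standard requires."""
    for k in count(2):
        p = k * q + 1
        if is_prime(p):
            break
    for h in count(2):
        g = pow(h, (p - 1) // q, p)
        if g > 1:
            return p, q, g


def dsa_keygen(params, x):
    """Private key x < q, public key y = g^x mod p."""
    p, q, g = params
    if not 0 < x < q:
        raise ValueError("x must satisfy 0 < x < q")
    return x, pow(g, x, p)


def hash_mod_q(message, q):
    """H(M) as an integer; reduced mod q here because q is so small."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % q


def dsa_sign(params, x, message, k=None):
    """Signature (r, s). k is the per-message secret: fresh, random, destroyed
    after use and never reused; a caller-supplied k only reproduces an example."""
    p, q, g = params
    while True:
        kk = k if k is not None else secrets.randbelow(q - 1) + 1
        r = pow(g, kk, p) % q
        s = pow(kk, -1, q) * (hash_mod_q(message, q) + x * r) % q
        if r and s:
            return r, s
        if k is not None:
            raise ValueError("degenerate k, choose another")


def dsa_verify(params, y, message, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1 = hash_mod_q(message, q) * w % q
    u2 = r * w % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r


def demo(message=b"transfer 100 to account B"):
    """Returns (genuine signature verifies, same signature on altered message)."""
    params = dsa_params()
    x, y = dsa_keygen(params, 123456)
    sig = dsa_sign(params, x, message)
    return dsa_verify(params, y, message, sig), dsa_verify(params, y, message + b"0", sig)
```

The range check on r and s in dsa_verify is part of the standard and matters: a signature with s = 0 would otherwise make pow(s, -1, q) fail, and values outside (0, q) must never be accepted.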
Summary
• DSA creates a 320-bit signature with 512-1024 bit data security.
• smaller and faster than RSA
• a digital signature scheme only
• security depends on difficulty of computing discrete logarithms
MESSAGE DIGEST
Overview
• Cryptographic hash functions are functions that:
– Map an arbitrary-length (but finite) input to a fixed-size output
– Are one-way (hard to invert)
– Are collision-resistant (difficult to find two values that produce the same output)
• Examples:
– Message digest functions: protect the integrity of data by creating a fingerprint of a digital document
– Message Authentication Codes (MAC): protect both the integrity and authenticity of data by creating a fingerprint based on both the digital document and a secret key
Chapter 4 Hash Functions 82
Checksums vs. Message Digests
• Checksums:
– Used to produce a compact representation of a message
– If the message changes the checksum will probably not match
– Good: accidental changes to a message can be detected
– Bad: easy to purposely alter a message without changing the checksum
• Message digests:
– Used to produce a compact representation (called the fingerprint or digest) of a message
– If the message changes the digest will probably not match
– Good: accidental changes to a message can be detected
– Good: difficult to alter a message without changing the digest
Hash Functions
• Message digest functions are hash functions
• A hash function, H(M) = h, takes an arbitrary-length input, M, and produces a fixed-length output, h
• Example hash function: H = sum all the letters of an input word modulo 26
– Input = a word
– Output = a number between 0 and 25, inclusive
• Example:
H("Elvis") = (('E' + 'L' + 'V' + 'I' + 'S') mod 26)
H("Elvis") = ((5 + 12 + 22 + 9 + 19) mod 26)
H("Elvis") = (67 mod 26)
H("Elvis") = 15
Collisions
• For the hash function: H = sum all the letters of an input word modulo 26
– There are more inputs (words) than possible outputs (numbers 0-25)
– Some different inputs must produce the same output
• A collision occurs when two different inputs produce the same output:
– The values x and y are not the same, but H(x) and H(y) are the same
Collisions - Example
• H("Jumpsuit") = 25
('J' + 'U' + 'M' + 'P' + 'S' + 'U' + 'I' + 'T') mod 26
(10 + 21 + 13 + 16 + 19 + 21 + 9 + 20) mod 26
129 mod 26
25
• H("TCB") = 25
('T' + 'C' + 'B') mod 26
(20 + 3 + 2) mod 26
25
Collision-Resistant Hash Functions
• Hash functions for which it is difficult to find collisions are called collision-resistant
• A collision-resistant hash function, H(M) = h:
– For any message M1, it is difficult to find another message M2 such that:
– M1 and M2 are not the same
– H(M1) and H(M2) are the same
One-Way Hash Functions
• A function, H(M) = h, is one-way if:
– Forward direction: given M it is easy to compute h
– Backward direction: given h it is difficult to compute M
• A one-way hash function:
– Easy to compute the hash for a given message
– Hard to determine what message produced a given hash value
Message Digest Functions
• Message digest functions are collision-resistant, one-way hash functions:
– Given a message it is easy to compute its digest
– Hard to find any message that produces a given digest (one-way)
– Hard to find any two messages that have the same digest (collision-resistant)
Using Message Digest Functions
• Message digest functions can be used to protect data integrity:
– A company makes some software available for download over the World Wide Web
– Users want to be sure that they receive a copy that has not been tampered with
• Solution:
– The company creates a message digest for its software
– The digest is transmitted (securely) to users
– Users compute their own digest for the software they receive
– If the digests match the software probably has not been altered
Attacks on Message Digests
• Brute-force search for a collision:
– Goal: Find a message that produces a given digest, d
– Assume: The message digest function is "strong" and creates n-bit digests
– Approach: Generate random messages and compute digests for them until one is found with digest d
– Approximately 2^n random messages must be tried to find one that hashes to d
Attacks on MDs (cont)
• Birthday attack (based on the birthday paradox):
– Goal: Find any two messages that produce the same digest
– Assume: The message digest function is "strong" and creates n-bit digests
– Approach: Generate random messages and compute digests for them until two are found that produce the same digest
– Approximately 2^(n/2) random messages must be tried to find two that produce the same digest
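The toy letter-sum hash from the earlier slides, its Jumpsuit/TCB collision, and the two search costs just described (about 2^n trials for a given digest, about 2^(n/2) for any collision), measured on a real digest truncated to n bits. This is an added illustration, not code from the slides: truncating SHA-256 to n bits stands in for a "strong" n-bit digest function, the messages msg-0, msg-1, ... are a constructed deterministic sequence, and the function names are my own.

```python
import hashlib
from itertools import count


def letter_hash(word):
    """The slides' toy hash: sum of letter positions (A=1 ... Z=26) mod 26."""
    return sum(ord(c) - ord("A") + 1 for c in word.upper() if c.isalpha()) % 26


def find_letter_collision(words):
    """First pair of distinct words in the list with the same letter_hash."""
    seen = {}
    for w in words:
        h = letter_hash(w)
        if h in seen and seen[h] != w:
            return seen[h], w, h
        seen.setdefault(h, w)
    return None


def truncated_digest(message, n_bits):
    """Top n_bits of SHA-256, standing in for a strong n-bit digest function."""
    d = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return d >> (256 - n_bits)


def preimage_search(target, n_bits, limit):
    """Brute force: hash msg-0, msg-1, ... until one equals target.
    Returns the number of trials, or None if limit is reached (expected ~2^n)."""
    for i in range(limit):
        if truncated_digest(b"msg-%d" % i, n_bits) == target:
            return i + 1
    return None


def birthday_search(n_bits):
    """Keep hashing until any two messages collide (expected ~2^(n/2) trials).
    Returns (trials, message1, message2)."""
    seen = {}
    for i in count():
        m = b"msg-%d" % i
        h = truncated_digest(m, n_bits)
        if h in seen:
            return i + 1, seen[h], m
        seen[h] = m


if __name__ == "__main__":
    print(letter_hash("Elvis"), letter_hash("Jumpsuit"), letter_hash("TCB"))
    for n in (8, 16, 24):
        trials, m1, m2 = birthday_search(n)
        print(f"n={n}: collision after {trials} trials (2^(n/2) = {2 ** (n // 2)}): {m1} {m2}")
```

The gap between the two costs is the reason digest sizes are chosen with the birthday bound in mind: a 160-bit digest gives roughly 2^80, not 2^160, collision resistance.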
The Secure Hash Algorithm
• A Federal Information Processing Standard (FIPS 180-1) adopted by the U.S. government in 1995
• Based on a message digest function called MD4 created by Ron Rivest
• Developed by NIST and the NSA
• Input: a message of b bits
• Output: a 160-bit message digest
SHA – Padding
• Input: a message of b bits
• Padding makes the message length a multiple of 512 bits
• The input is always padded (even if its length is already a multiple of 512)
• Padding is accomplished by appending to the input:
– A single bit, 1
– Enough additional bits, all 0, to make the final 512-bit block exactly 448 bits long
– A 64-bit integer representing the length of the original message in bits
SHA – Padding Example
• Consider the following message: M = 01100010 11001010 1001 (20 bits)
• To pad we append:
– 1 (1 bit)
– 427 0s (427 bits)
– 64-bit binary representation of the number 20 (64 bits)
• Result: Pad(M) = 01100010 11001010 10011000 0000 ... 0000 00010100 (512 bits)
– 464 0s have been omitted above (denoted by the ellipsis)
SHA – Constant Initialization
• After padding, constants are initialized to the following hexadecimal values:
• Five 32-bit words:
– H0 = 67452301
– H1 = EFCDAB89
– H2 = 98BADCFE
– H3 = 10325476
– H4 = C3D2E1F0
• Eighty 32-bit words:
– K0 – K19 = 5A827999
– K20 – K39 = 6ED9EBA1
– K40 – K59 = 8F1BBCDC
– K60 – K79 = CA62C1D6
SHA – Step 1
• The padded message contains a whole number of 512-bit blocks, denoted B1, B2, B3, ..., Bn
• Each 512-bit block, Bi, of the padded message is processed in turn:
– Bi is divided into 16 32-bit words, W0, W1, ..., W15
– W0 is composed of the leftmost 32 bits in Bi
– W1 is composed of the second 32 bits in Bi
– ...
– W15 is composed of the rightmost 32 bits in Bi
SHA – Step 2
• W0, W1, ..., W15 are used to compute 64 new 32-bit words (W16, W17, ..., W79)
• Wj (16 ≤ j ≤ 79) is computed by:
– XORing words Wj-3, Wj-8, Wj-14, and Wj-16 together
– Circularly left shifting the result one bit
for j = 16 to 79 do
Wj = Circular_Left_Shift_1(Wj-3 ⊕ Wj-8 ⊕ Wj-14 ⊕ Wj-16)
done
SHA – Step 3
• The values of H0, H1, H2, H3, and H4 are copied into five words called A, B, C, D, and E:
A = H0, B = H1, C = H2, D = H3, E = H4
SHA – Step 4
• Four functions are defined as follows:
– For (0 ≤ j ≤ 19): fj(B, C, D) = (B AND C) OR ((NOT B) AND D)
– For (20 ≤ j ≤ 39): fj(B, C, D) = (B ⊕ C ⊕ D)
– For (40 ≤ j ≤ 59): fj(B, C, D) = ((B AND C) OR (B AND D) OR (C AND D))
– For (60 ≤ j ≤ 79): fj(B, C, D) = (B ⊕ C ⊕ D)
SHA – Step 4 (cont)
• For each of the 80 words, W0, W1, ..., W79, a 32-bit word called TEMP is computed
• The values of the words A, B, C, D, and E are updated as shown below:
for j = 0 to 79 do
TEMP = Circular_Left_Shift_5(A) + fj(B, C, D) + E + Wj + Kj
E = D; D = C; C = Circular_Left_Shift_30(B); B = A; A = TEMP
done
SHA – Step 5
• The values of H0, H1, H2, H3, and H4 are updated:
H0 = H0 + A
H1 = H1 + B
H2 = H2 + C
H3 = H3 + D
H4 = H4 + E
SHA – Overview
• Pad the message
• Initialize constants
• For each 512-bit block (B1, B2, B3, ..., Bn):
– Divide Bi into 16 32-bit words (W0 – W15)
– Compute 64 new 32-bit words (W16, W17, ..., W79)
– Copy H0 – H4 into A, B, C, D, and E
– For each Wj (W0 – W79) compute TEMP and update A-E
– Update H0 – H4
• The 160-bit message digest is: H0 H1 H2 H3 H4
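The padding rule and the five steps above, written out as a complete SHA-1 and checked against the standard library. This is an added illustration and not code from the slides: it works on whole bytes (so the 20-bit padding example cannot be fed to it directly, but the same 1, zeros, 64-bit-length layout is produced), all additions are taken modulo 2^32, and the helper names are my own.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def rotl(x, n):
    """Circular_Left_Shift_n on a 32-bit word."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def sha1_pad(message):
    """Append a 1 bit, then 0s up to 448 mod 512 bits, then the 64-bit bit length.
    Always pads, even when the input is already a multiple of 512 bits."""
    bit_len = len(message) * 8
    padded = message + b"\x80"                         # the single 1 bit (and 7 zeros)
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", bit_len)


def sha1(message):
    """SHA-1 per the five steps in the slides; returns the 20-byte digest."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    padded = sha1_pad(message)
    for start in range(0, len(padded), 64):                          # each 512-bit block B_i
        w = list(struct.unpack(">16I", padded[start:start + 64]))    # step 1: W0..W15
        for j in range(16, 80):                                      # step 2: W16..W79
            w.append(rotl(w[j - 3] ^ w[j - 8] ^ w[j - 14] ^ w[j - 16], 1))
        a, b, c, d, e = h                                            # step 3
        for j in range(80):                                          # step 4
            if j < 20:
                f, k = (b & c) | (~b & MASK32 & d), 0x5A827999
            elif j < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif j < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            temp = (rotl(a, 5) + f + e + w[j] + k) & MASK32
            a, b, c, d, e = temp, a, rotl(b, 30), c, d
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e))]  # step 5
    return b"".join(struct.pack(">I", x) for x in h)                 # H0 H1 H2 H3 H4


def sha1_hex(message):
    return sha1(message).hex()


def matches_hashlib(message):
    """Cross-check against the standard library's SHA-1."""
    return sha1(message) == hashlib.sha1(message).digest()


if __name__ == "__main__":
    print(sha1_hex(b"abc"))          # a9993e364706816aba3e25717850c26c9cd0d89d
    print(matches_hashlib(b"x" * 1000))
```

Matching hashlib on the 1000-byte input exercises the multi-block path and the "always pad" rule (a 56-byte input grows to two blocks); the known digest of "abc" is the usual single-block sanity check.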
Motivation for Message Authentication Codes
• Want to use a message digest function to protect files on our computer from viruses:
– Calculate digests for important files and store them in a table
– Recompute and check from time to time to verify that the files have not been modified
• Good: if a virus modifies a file the change will be detected since the digest of that file will be different
• Bad: the virus could just compute new digests for modified files and install them in the table
Message Authentication Codes
• A message authentication code (MAC) is a key-dependent message digest function: MACK(M) = h
– The output, h, is a function of both the hash function and a key, K
– The MAC can only be created or verified by someone who knows K
• Can turn a one-way hash function into a MAC by encrypting the hash value with a symmetric-key cryptosystem
Using MACs
• A MAC can be used to protect data integrity and authenticity:
• Want to use a MAC to protect files on our computer from viruses:
– Calculate MAC values for important files and store them in a table
– Recompute and check from time to time to verify that the files haven't been modified
• Good: if a virus modifies a file the hash of that file will be different
• Good: the virus doesn't know the proper key so it can't install new MACs in the table to cover its tracks
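The file-table argument of the last three slides played out in code: an unkeyed digest table and a keyed MAC table over the same files, a modification, and then the cover-up step in which the table is rewritten. This is an added illustration, not code from the slides; the two "files" and the key are constructed sample data, HMAC-SHA256 is used as the MAC (the slides describe a block-cipher construction, which the next slide covers), and the function names are my own.

```python
import hashlib
import hmac

# Constructed sample "files": name -> contents (stands in for reading from disk)
FILES = {
    "/bin/login": b"ELF login binary v1",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
}


def digest_table(files):
    """Unkeyed integrity table: anyone, including malware, can compute these."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def mac_table(files, key):
    """Keyed integrity table (HMAC-SHA256): only a holder of key can compute these."""
    return {name: hmac.new(key, data, hashlib.sha256).hexdigest()
            for name, data in files.items()}


def check_digests(files, table):
    """Names of files whose current digest differs from the stored one."""
    return sorted(name for name, data in files.items()
                  if hashlib.sha256(data).hexdigest() != table[name])


def check_macs(files, table, key):
    """Names of files whose current MAC differs from the stored one
    (constant-time comparison, as MAC checks should always use)."""
    return sorted(name for name, data in files.items()
                  if not hmac.compare_digest(
                      hmac.new(key, data, hashlib.sha256).hexdigest(), table[name]))


def scenario(key=b"constructed-demo-key-do-not-reuse"):
    """Returns four lists of flagged files:
    (digest check, MAC check, digest check after cover-up, MAC check after cover-up)."""
    digests = digest_table(FILES)
    macs = mac_table(FILES, key)

    infected = dict(FILES)
    infected["/bin/login"] = FILES["/bin/login"] + b"; appended modification"
    flagged_digest = check_digests(infected, digests)   # modification detected
    flagged_mac = check_macs(infected, macs, key)        # modification detected

    # Cover-up: the unkeyed table can be regenerated without any secret ...
    digests_after = digest_table(infected)
    # ... but a new MAC needs the key; the best the intruder can do is guess
    macs_after = dict(macs)
    macs_after["/bin/login"] = hashlib.sha256(infected["/bin/login"]).hexdigest()

    return (flagged_digest, flagged_mac,
            check_digests(infected, digests_after),     # [] : cover-up succeeds
            check_macs(infected, macs_after, key))      # still flagged


if __name__ == "__main__":
    print(scenario())
```

The key is the whole difference: the MAC table only helps if the key is kept somewhere the malware cannot read, which is why such keys are held off-host or in protected storage rather than next to the table.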
Implementing a MAC
• Can use a block cipher algorithm:
– Pad the message (if necessary) so that its length is a multiple of the cipher's block size
– Divide the message into n blocks equal in length to the cipher's block size: m1, m2, ..., mn
– Choose a key, k
– Encrypt m1 with k
– XOR the result with m2
– Encrypt the result with k
– XOR the result with m3
– ...
Implementing a MAC (cont)
Summary
• Message digests
– Message digest functions are collision-resistant, one-way hash functions
– Collision-resistant: hard to find two values that produce the same output
– One-way: hard to determine what input produced a given output
– Protects the integrity of a digital document
• MAC
– A message authentication code is a key-dependent message digest function
– The output is a function of both the hash function and a secret key
– The MAC can only be created or verified by someone who knows the key
– Protects the integrity and authenticity of a digital document
Kerberos
What is Kerberos?
• Network authentication protocol
• Developed at MIT in the mid 1980s
• Available as open source or in supported commercial software
Why Kerberos?
• Sending usernames and passwords in the clear jeopardizes the security of the network.
• Each time a password is sent in the clear, there is a chance for interception.
Firewall vs. Kerberos?
• Firewalls make a risky assumption: that attackers are coming from the outside. In reality, attacks frequently come from within.
• Kerberos assumes that network connections (rather than servers and workstations) are the weak link in network security.
Design Requirements
• Interactions between hosts and clients should be encrypted.
• Must be convenient for users (or they won't use it).
• Protect against intercepted credentials.
Cryptography Approach
• Private key: each party uses the same secret key to encode and decode messages.
• Uses a trusted third party which can vouch for the identity of both parties in a transaction.
• Security of the third party is imperative.
How does Kerberos work?
• Instead of the client sending its password to the application server:
– Request a ticket from the authentication server
– Ticket and encrypted request sent to the application server
• How to request tickets without repeatedly sending credentials? Ticket granting ticket (TGT)
How does Kerberos work? : Ticket Granting Tickets
How does Kerberos Work? : The Ticket Granting Service
How does Kerberos work? : The Application Server
Applications
• Authentication
• Authorization
• Confidentiality
• Within networks and small sets of networks
Weaknesses and Solutions
• If a TGT is stolen, it can be used to access network services. Only a problem until the ticket expires in a few hours.
• Subject to dictionary attack. Timestamps require the attacker to guess within 5 minutes.
• Very bad if the Authentication Server is compromised. Physical protection for the server.
The Competition: SSL
Limitation: Scalability
• Recent modifications attempt to address this problem
– Public key cryptography for client authentication and cross-realm authentication
• Issues are not resolved
Kerberos
• trusted key server system from MIT
• provides centralised private-key third-party authentication in a distributed network
– allows users access to services distributed through network
– without needing to trust all workstations
– rather all trust a central authentication server
• two versions in use: 4 and 5
Kerberos Requirements
• first published report identified its requirements as:
– security
– reliability
– transparency
– scalability
• implemented using an authentication protocol based on Needham-Schroeder
Kerberos 4 Overview
• a basic third-party authentication scheme
• have an Authentication Server (AS)
– users initially negotiate with AS to identify self
– AS provides a non-corruptible authentication credential (ticket granting ticket TGT)
• have a Ticket Granting Server (TGS)
– users subsequently request access to other services from TGS on basis of user's TGT
Kerberos 4 Overview
Kerberos Realms
• a Kerberos environment consists of:
– a Kerberos server
– a number of clients, all registered with server
– application servers, sharing keys with server
• this is termed a realm
– typically a single administrative domain
• if have multiple realms, their Kerberos servers must share keys and trust
Kerberos Version 5
• developed in the mid-1990s
• provides improvements over v4
– addresses environmental shortcomings: encryption algorithm, network protocol, byte order, ticket lifetime, authentication forwarding, inter-realm authentication
– and technical deficiencies: double encryption, non-standard mode of use, session keys, password attacks
• specified as Internet standard RFC 1510
X.509 Authentication Service
• part of CCITT X.500 directory service standards
– distributed servers maintaining some info database
• defines framework for authentication services
– directory may store public-key certificates
– with public key of user signed by certification authority
• also defines authentication protocols
• uses public-key crypto and digital signatures
– algorithms not standardised, but RSA recommended
X.509 Certificates
• issued by a Certification Authority (CA), containing:
– version (1, 2, or 3)
– serial number (unique within CA) identifying certificate
– signature algorithm identifier
– issuer X.500 name (CA)
– period of validity (from - to dates)
– subject X.500 name (name of owner)
– subject public-key info (algorithm, parameters, key)
– issuer unique identifier (v2+)
– subject unique identifier (v2+)
– extension fields (v3)
– signature (of hash of all fields in certificate)
• notation CA<<A>> denotes certificate for A signed by CA
X.509 Certificates

Obtaining a Certificate
• Any user with access to the CA can get any certificate from it
• Only the CA can modify a certificate
• Because they cannot be forged, certificates can be placed in a public directory

CA Hierarchy
• If both users share a common CA then they are assumed to know its public key
• Otherwise CA's must form a hierarchy
• Use certificates linking members of the hierarchy to validate other CA's
– each CA has certificates for clients (forward) and parent (backward)
• Each client trusts its parents' certificates
• Enables verification of any certificate from one CA by users of all other CAs in the hierarchy
CA Hierarchy Use
Certificate Revocation
• Certificates have a period of validity
• May need to revoke before expiry, eg:
1. user's private key is compromised
2. user is no longer certified by this CA
3. CA's certificate is compromised
• CA's maintain a list of revoked certificates
– the Certificate Revocation List (CRL)
• Users should check certs against the CA's CRL

Authentication Procedures
• X.509 includes three alternative authentication procedures:
– One-Way Authentication
– Two-Way Authentication
– Three-Way Authentication
• All use public-key signatures

One-Way Authentication
• 1 message (A->B) used to establish:
– the identity of A and that the message is from A
– the message was intended for B
– integrity & originality of the message
• Message must include timestamp, nonce, B's identity and is signed by A

Two-Way Authentication
• 2 messages (A->B, B->A) which also establish, in addition:
– the identity of B and that the reply is from B
– that the reply is intended for A
– integrity & originality of the reply
• Reply includes the original nonce from A, also a timestamp and nonce from B

Three-Way Authentication
• 3 messages (A->B, B->A, A->B) which enable the above authentication without synchronized clocks
• Has a reply from A back to B containing a signed copy of the nonce from B
• Means that timestamps need not be checked or relied upon

X.509 Version 3
• It has been recognised that additional information is needed in a certificate
– email/URL, policy details, usage constraints
• Rather than explicitly naming new fields, a general extension method was defined
• Extensions consist of:
– extension identifier
– criticality indicator
– extension value

Certificate Extensions
• Key and policy information
– convey info about subject & issuer keys, plus indicators of certificate policy
• Certificate subject and issuer attributes
– support alternative names, in alternative formats, for certificate subject and/or issuer
• Certificate path constraints
– allow constraints on use of certificates by other CA's
Digital Signatures & Authentication Protocols

"To guard against the baneful influence exerted by strangers is therefore an elementary dictate of savage prudence. Hence before strangers are allowed to enter a district, or at least before they are permitted to mingle freely with the inhabitants, certain ceremonies are often performed by the natives of the country for the purpose of disarming the strangers of their magical powers, or of disinfecting, so to speak, the tainted atmosphere by which they are supposed to be surrounded."
—The Golden Bough, Sir James George Frazer

Digital Signatures
• Have looked at message authentication, but it does not address issues of lack of trust
• Digital signatures provide the ability to:
– verify author, date & time of signature
– authenticate message contents
– be verified by third parties to resolve disputes
• Hence include the authentication function with additional capabilities

Digital Signature Properties
• Must depend on the message signed
• Must use information unique to the sender
– to prevent both forgery and denial
• Must be relatively easy to produce
• Must be relatively easy to recognize & verify
• Must be computationally infeasible to forge
– with a new message for an existing digital signature
– with a fraudulent digital signature for a given message
• Must be practical to save the digital signature in storage

Direct Digital Signatures
• Involve only sender & receiver
• Assumed receiver has sender's public key
• Digital signature made by sender signing the entire message or a hash with the private key
• Can encrypt using receiver's public key
• Important that sign first, then encrypt message & signature
• Security depends on sender's private key

Arbitrated Digital Signatures
• Involves use of an arbiter A
– validates any signed message
– then dated and sent to recipient
• Requires a suitable level of trust in the arbiter
• Can be implemented with either private or public-key algorithms
• Arbiter may or may not see the message

Authentication Protocols
• Used to convince parties of each other's identity and to exchange session keys
• May be one-way or mutual
• Key issues are:
– confidentiality – to protect session keys
– timeliness – to prevent replay attacks

Replay Attacks
• Where a valid signed message is copied and later resent
– simple replay
– repetition that can be logged
– repetition that cannot be detected
– backward replay without modification
• Countermeasures include:
– use of sequence numbers (generally impractical)
– timestamps (needs synchronized clocks)
– challenge/response (using a unique nonce)

Using Symmetric Encryption
• As discussed previously, can use a two-level hierarchy of keys
• Usually with a trusted Key Distribution Center (KDC)
– each party shares its own master key with the KDC
– KDC generates session keys used for connections between parties
– master keys are used to distribute these to them

Needham-Schroeder Protocol
• Original third-party key distribution protocol
• For a session between A and B mediated by the KDC
• Protocol overview is:
1. A→KDC: IDA || IDB || N1
2. KDC→A: E_Ka[Ks || IDB || N1 || E_Kb[Ks || IDA]]
3. A→B: E_Kb[Ks || IDA]
4. B→A: E_Ks[N2]
5. A→B: E_Ks[f(N2)]

Needham-Schroeder Protocol
• Used to securely distribute a new session key for communications between A & B
• But is vulnerable to a replay attack if an old session key has been compromised
– then message 3 can be resent, convincing B that it is communicating with A
• Modifications to address this require:
– timestamps (Denning 81)
– using an extra nonce (Neuman 93)
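The five-message exchange above, worked as runnable code (an added example, not material from the slides): A checks that the KDC bound its nonce N1 and B's identity to Ks before using the key, and B's challenge in messages 4 and 5 checks that A holds Ks. The symmetric cipher standing in for E_K[...] is a toy HMAC-SHA256 construction assumed here, and the identities, f(N2) and key sizes are constructed for the example.

```python
import hashlib, hmac, json, os
# Added example (not the slides' code): the five Needham-Schroeder messages as
# A, the KDC and B process them. E_K[...] is stood in for by a toy HMAC-SHA256
# stream cipher plus HMAC tag constructed here; it is not a standard cipher.

def _keystream(key, nonce, length):
    blocks = (hmac.new(key, b"K" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key, obj):
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"T" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Returns the object, or None if the tag fails (wrong key or tampering)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"T" + nonce + ct, hashlib.sha256).digest()):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

f = lambda n: n + 1   # the slides' f(N2): any transformation both sides agree on

def run_protocol(Ka, Kb):
    """Ka, Kb: master keys A and B share with the KDC; True when B ends up
    convinced that A holds the fresh session key Ks."""
    n1 = int.from_bytes(os.urandom(8), "big")
    # 1. A -> KDC: IDA || IDB || N1  (sent in clear; the KDC looks up Ka and Kb)
    ks = os.urandom(32)
    ticket = seal(Kb, {"Ks": ks.hex(), "IDA": "A"})
    # 2. KDC -> A: E_Ka[Ks || IDB || N1 || E_Kb[Ks || IDA]]
    got = unseal(Ka, seal(Ka, {"Ks": ks.hex(), "IDB": "B", "N1": n1, "ticket": ticket.hex()}))
    # A must find its own fresh N1 and the intended peer bound to Ks, else abort
    if got is None or got["N1"] != n1 or got["IDB"] != "B":
        return False
    ks_a = bytes.fromhex(got["Ks"])
    # 3. A -> B: E_Kb[Ks || IDA]  (nothing here tells B whether the ticket is fresh)
    tk = unseal(Kb, bytes.fromhex(got["ticket"]))
    if tk is None:
        return False
    ks_b = bytes.fromhex(tk["Ks"])
    # 4. B -> A: E_Ks[N2]   5. A -> B: E_Ks[f(N2)]  (A proves possession of Ks)
    n2 = int.from_bytes(os.urandom(8), "big")
    challenge = unseal(ks_a, seal(ks_b, {"N2": n2}))
    fin = unseal(ks_b, seal(ks_a, {"fN2": f(challenge["N2"])})) if challenge else None
    return fin is not None and fin["fN2"] == f(n2)
```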
Using Public-Key Encryption
• Have a range of approaches based on the use of public-key encryption
• Need to ensure we have the correct public keys for other parties
– using a central Authentication Server (AS)
• Various protocols exist using timestamps or nonces

Denning AS Protocol
• Denning 81 presented the following:
1. A→AS: IDA || IDB
2. AS→A: E_KRas[IDA || KUa || T] || E_KRas[IDB || KUb || T]
3. A→B: E_KRas[IDA || KUa || T] || E_KRas[IDB || KUb || T] || E_KUb[E_KRas[Ks || T]]
• Note the session key is chosen by A, hence the AS need not be trusted to protect it
• Timestamps prevent replay but require synchronized clocks

One-Way Authentication
• Required when sender & receiver are not in communication at the same time (eg. email)
• Have header in clear so it can be delivered by the email system
• May want contents of the body protected & the sender authenticated

Using Symmetric Encryption
• Can refine use of the KDC but can't have the final exchange of nonces, viz:
1. A→KDC: IDA || IDB || N1
2. KDC→A: E_Ka[Ks || IDB || N1 || E_Kb[Ks || IDA]]
3. A→B: E_Kb[Ks || IDA] || E_Ks[M]
• Does not protect against replays
– could rely on a timestamp in the message, though email delays make this problematic

Public-Key Approaches
• Have seen some public-key approaches
• If confidentiality is the major concern, can use:
A→B: E_KUb[Ks] || E_Ks[M]
– has encrypted session key, encrypted message
• If authentication is needed, use a digital signature with a digital certificate:
A→B: M || E_KRa[H(M)] || E_KRas[T || IDA || KUa]
– with message, signature, certificate

Digital Signature Standard (DSS)
• US Govt approved signature scheme FIPS 186
• Uses the SHA hash algorithm
• Designed by NIST & NSA in early 90's
• DSS is the standard, DSA is the algorithm
• A variant on ElGamal and Schnorr schemes
• Creates a 320 bit signature, but with 512-1024 bit security
• Security depends on the difficulty of computing discrete logarithms

DSA Key Generation
• Have shared global public key values (p, q, g):
– a large prime p = 2^L where L = 512 to 1024 bits and is a multiple of 64
– choose q, a 160 bit prime factor of p-1
– choose g = h^((p-1)/q) (mod p) where h < p-1 and h^((p-1)/q) (mod p) > 1
• Users choose a private key & compute the public key:
– choose x < q
– compute y = g^x (mod p)

DSA Signature Creation
• To sign a message M the sender:
– generates a random signature key k, k < q
– nb. k must be random, be destroyed after use, and never be reused
• Then computes the signature pair:
r = (g^k (mod p)) (mod q)
s = (k^-1 · (SHA(M) + x·r)) (mod q)
• Sends signature (r, s) with message M

DSA Signature Verification
• Having received M & signature (r, s)
• To verify a signature, the recipient computes:
w = s^-1 (mod q)
u1 = (SHA(M) · w) (mod q)
u2 = (r · w) (mod q)
v = (g^u1 · y^u2 (mod p)) (mod q)
• If v = r then the signature is verified
• See book web site for details of the proof why
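The key generation, signing and verification above, carried through in code (an added example, not the slides' own): gen_params searches for q and p as the slides describe, with toy sizes L=64, N=32 assumed so the search is instant, h = 2 assumed as the generator base, and SHA(M) taken as SHA-1 reduced mod q. The verifier range-checks r and s before any arithmetic, and the signer retries the degenerate r = 0 or s = 0 case.

```python
import hashlib, secrets
# Added example (not the slides' code): textbook DSA in the slides' notation;
# L=64, N=32 are toy parameter sizes so generation is instant (slides: 1024/160).
def is_probable_prime(n, rounds=32):    # Miller-Rabin, adequate for a demo
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    r = ((n - 1) & (1 - n)).bit_length() - 1   # n - 1 = 2^r * d with d odd
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1):
            for _ in range(r - 1):
                x = pow(x, 2, n)
                if x == n - 1:
                    break
            else:
                return False
    return True

def gen_params(L=64, N=32):   # q: N-bit prime with q | p-1; p: L-bit prime; g of order q
    while True:
        q = secrets.randbits(N) | (1 << (N - 1)) | 1
        p = (secrets.randbits(L - N) | (1 << (L - N - 1))) * q + 1
        if is_probable_prime(q) and p.bit_length() == L and is_probable_prime(p):
            g = pow(2, (p - 1) // q, p)       # h = 2; g > 1 guarantees order q
            if g > 1:
                return p, q, g

def keygen(p, q, g):
    x = secrets.randbelow(q - 1) + 1        # private key x < q
    return x, pow(g, x, p)                  # public key y = g^x mod p

def sha_mod_q(msg, q):                      # the slides' SHA(M), reduced mod q
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % q

def sign(msg, x, p, q, g):
    while True:
        k = secrets.randbelow(q - 1) + 1    # fresh per signature, never reused
        r = pow(g, k, p) % q
        s = pow(k, q - 2, q) * (sha_mod_q(msg, q) + x * r) % q   # k^-1 by Fermat
        if r and s:                         # retry the rare degenerate pair
            return r, s

def verify(msg, sig, y, p, q, g):
    r, s = sig
    if not (0 < r < q and 0 < s < q):       # range-check before any arithmetic
        return False
    w = pow(s, q - 2, q)
    u1, u2 = sha_mod_q(msg, q) * w % q, r * w % q
    return pow(g, u1, p) * pow(y, u2, p) % p % q == r
```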
Summary
• Have considered:
– digital signatures
– authentication protocols (mutual & one-way)
– digital signature standard