8/10/2019 Chapter 4 (crypto)
STRONG AND PROVABLE SECURITY FOR DIGITAL SIGNATURES
People can eavesdrop on, intercept, relay, modify, forge or inject messages.
An attacker may try to fool the targeted receivers into believing that the messages were sent by the real person.
On a vulnerable connection, depending only on cryptographic mechanisms is inadequate.
We need a mechanism that enables the receiver to verify that a message indeed comes from the claimed source and has not been altered.
Data integrity is the security service against unauthorized modification of messages.
Data integrity in modern cryptography is closely related to, and evolved from, error-detection codes.
An error-detection code is a procedure for detecting errors that can be introduced into messages due to faults in communication.
Using information that has been modified in a malicious way carries the same risk as using information that contains defects due to errors introduced in communication or data processing.
Data integrity and error-detection codes are essentially the same:
A transmitter of a message creates a checking value by encoding some redundancy into the message to be transmitted and attaches the checking value to the message. A receiver of the message then verifies the correctness of the received message using the attached checking value, according to a set of rules agreed with the transmitter.
In an error-detection code: the redundancy is encoded in such a way that the receiver can use a maximum likelihood detector to decide which message he should infer as having most likely been transmitted, given the possibly altered codes that were received.
In data integrity: the redundancy is encoded in such a way that the attached checking value is distributed as uniformly as possible over the entire space of checking values, to minimize the probability of an attacker forging a valid checking value.
Like an encryption algorithm, the cryptographic transformations for achieving data integrity should also be parameterized by keys.
Thus, in the usual sense, a correct data-integrity verification result will also provide the verifier with knowledge of the message source, that is, the principal who created the data integrity protection.
However, recently a notion of "data integrity without source identification" has emerged.
This new notion is important in the study of public key cryptosystems secure against adaptive attackers.
A digital signature or digital signature scheme is a mathematical
scheme for demonstrating the authenticity of a digital message
or document.
A valid digital signature gives a recipient reason to believe that
the message was created by a known sender, and that it was not
altered in transit.
Commonly used for software distribution, financial transactions,
and in other cases where it is important to detect forgery or
tampering.
A digital signature scheme typically consists of three algorithms:
A key generation algorithm that selects a private key uniformly at random
from a set of possible private keys. The algorithm outputs the private key
and a corresponding public key.
A signing algorithm that, given a message and a private key, produces a
signature.
A signature verifying algorithm that, given a message, public key and a
signature, either accepts or rejects the message's claim to authenticity.
Digital certificate
A digital certificate is a multipurpose document developed to be used primarily over the internet; it is used for either identification or encryption.
Identification: proves identity (verifies the sender of the information).
Grants the right to access information or other services online.
Includes ensuring the identity of all parties involved in a transaction.
Encryption: used in secure web transactions.
Contains the key used to encrypt the data.
Non-repudiation: the person cannot later deny that he or she sent it.
Digital signatures have two types: asymmetric and symmetric.
A conventional digital signature uses asymmetric cryptography to create a tamper-evident seal, which makes it possible to determine through a simple test whether data has been altered since the signature was applied, and also the identity of the private key that was used to create the signature.
More recently, digital signatures are being created with symmetric cryptography based upon a key that is derived from the identity of the user and is known only to a trusted server that both creates and verifies the signatures and generates proof-of-signature certificates when queried to verify a signature.
Such symmetric digital signatures share a syntax similar to Message Authentication Codes (MACs).
Symmetric digital signatures have the additional advantage over asymmetric digital signatures of being less processor-intensive, and thus are more efficient and cheaper to maintain.
ElGamal signature
ElGamal is a digital signature scheme based on the difficulty of computing discrete logarithms.
Described by Taher ElGamal in 1984.
Not to be confused with ElGamal encryption, which was also invented by Taher ElGamal.
The ElGamal signature scheme allows a third party to confirm the authenticity of a message sent over an insecure channel.
Attacks on ElGamal were discovered by Bleichenbacher in 1996.
There are a number of ElGamal-like signature schemes. They differ in details, but have the same basic idea.
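The three algorithms of a signature scheme listed earlier (key generation, signing, verification), instantiated as a textbook ElGamal signature in Python. This is an added example, not code from the slides; the tiny prime p = 467 and generator g = 2 are constructed for readability and are far too small for real use, and hashing the message with SHA-256 before signing is an assumption the slides do not state.

```python
import hashlib
import secrets
from math import gcd

# Toy group parameters (constructed for illustration; a real deployment needs a
# prime of at least 2048 bits). 2 generates the multiplicative group mod 467.
P = 467
G = 2

def hash_msg(m: bytes) -> int:
    """Reduce a SHA-256 digest into the exponent group Z_(p-1)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % (P - 1)

def keygen():
    """Private key x chosen uniformly from [1, p-2]; public key y = g^x mod p."""
    x = 1 + secrets.randbelow(P - 2)
    return x, pow(G, x, P)

def sign(m: bytes, x: int, k=None):
    """Signature (r, s) using a per-message nonce k coprime to p-1.
    k may be supplied for reproducible tests; otherwise it is drawn at random."""
    h = hash_msg(m)
    while True:
        while k is None or gcd(k, P - 1) != 1:
            k = 1 + secrets.randbelow(P - 2)     # nonce in [1, p-2]
        r = pow(G, k, P)
        s = ((h - x * r) * pow(k, -1, P - 1)) % (P - 1)
        if s != 0:
            return r, s
        k = None            # s == 0 is rejected by verify; draw a fresh nonce

def verify(m: bytes, sig, y: int) -> bool:
    """Accept iff g^H(m) == y^r * r^s (mod p). The range checks on r and s
    are part of the verification algorithm and must not be skipped."""
    r, s = sig
    if not (0 < r < P and 0 < s < P - 1):
        return False
    lhs = pow(G, hash_msg(m), P)
    rhs = (pow(y, r, P) * pow(r, s, P)) % P
    return lhs == rhs

if __name__ == "__main__":
    x, y = keygen()
    msg = b"transfer 100 to account 42"   # constructed sample message
    sig = sign(msg, x)
    print("valid:", verify(msg, sig, y))
    print("altered message:", verify(msg + b"0", sig, y))
```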
Trapdoor one-way function
A trapdoor function is a function that is easy to compute in one direction, yet believed to be difficult to compute in the opposite direction (finding its inverse) without special information, called the "trapdoor". Examples: RSA and Rabin.
Trapdoor functions are widely used in cryptography.
Signcryption is a public-key primitive that simultaneously performs the functions of both digital signature and encryption.
It offers three frequently used security services: confidentiality, authenticity, and non-repudiation.
In public key schemes, the traditional method is to digitally sign a message and then encrypt it.
This approach has two problems:
low efficiency and the high cost of combining the two operations.
Signcryption is a relatively new cryptographic technique that is supposed to fulfill the functionalities of digital signature and encryption in a single logical step and can effectively decrease the computational costs and communication overheads in comparison with the traditional signature-then-encryption schemes.
Signcryption provides the properties of both digital signatures and encryption schemes in a way that is more efficient than signing and encrypting separately.
Any signcryption scheme should have the following properties:
Correctness: any signcryption scheme should be correctly verifiable.
Efficiency: the computational costs and communication costs of a signcryption scheme should be smaller than those of the best known signature-then-encryption schemes with the same provided functionalities.
Security: a signcryption scheme should simultaneously fulfill the security attributes of an encryption scheme and those of a digital signature.
Such additional properties mainly include: confidentiality, unforgeability, integrity, and non-repudiation.
Some signcryption schemes provide further attributes, such as public verifiability and forward secrecy of message confidentiality, while others do not provide them.
Such properties are required in many applications, while other applications may not require them.
A replacement for DES was clearly needed:
there are theoretical attacks that can break it
exhaustive key search attacks have been demonstrated
could use Triple-DES, but it is slow and has small blocks
US NIST issued a call for ciphers in 1997
15 candidates were accepted in Jun 98
5 were shortlisted in Aug 99
Rijndael was selected as the AES in Oct 2000
issued as the FIPS PUB 197 standard in Nov 2001
private key symmetric block cipher
128-bit data, 128/192/256-bit keys
stronger & faster than Triple-DES
active life of 20-30 years (+ archival use)
provide full specification & design details
both C & Java implementations
NIST have released all submissions & unclassified analyses
initial criteria:
security: effort for practical cryptanalysis
cost: in terms of computational efficiency
algorithm & implementation characteristics
final criteria:
general security
ease of software & hardware implementation
implementation attacks
flexibility (in en/decrypt, keying, other factors)
It is based on the Rijndael algorithm.
Uses a combination of substitution and a couple of transposition approaches together with a keying function.
Consists of n rounds of the above combination, where n depends on the key length (i.e. unlike DES, the length of the AES key varies among 3 types).
Uses block encryption where 1 block is a fixed size of 128 bits.
Uses symmetric encryption where the size of a key can be either 128 bits (still double the size of DES's 64-bit key!!), 192 bits, or 256 bits, where the number of rounds n is 9, 11 and 13 respectively.
designed by Rijmen-Daemen in Belgium
has 128/192/256 bit keys, 128 bit data
an iterative rather than Feistel cipher
processes data as a block of 4 columns of 4 bytes
operates on the entire data block in every round
designed to be:
resistant against known attacks
speed and code compactness on many CPUs
design simplicity
data block of 4 columns of 4 bytes is the state
key is expanded to an array of words
has 9/11/13 rounds in which the state undergoes:
byte substitution (1 S-box used on every byte)
shift rows (permute bytes between groups/columns)
mix columns (substitution using matrix multiply of groups)
add round key (XOR state with key material)
view as alternating XOR key & scramble data bytes
initial XOR of key material & incomplete last round
with fast XOR & table lookup implementation
1. an iterative rather than Feistel cipher
2. key expanded into an array of 32-bit words
   1. four words form the round key in each round
3. 4 different stages are used
4. has a simple structure
5. only AddRoundKey uses the key
6. AddRoundKey is a form of Vernam cipher
7. each stage is easily reversible
8. decryption uses keys in reverse order
9. decryption does recover plaintext
10. final round has only 3 stages
In AES, the 128-bit block is treated as a single 4*4 matrix of bytes (i.e. 16 bytes in total), filled column by column.
Each round in AES consists of 4 steps:
(1) Byte Substitution: substitute each byte in a block based on a substitution table.
Byte1 Byte5 Byte9  Byte13
Byte2 Byte6 Byte10 Byte14
Byte3 Byte7 Byte11 Byte15
Byte4 Byte8 Byte12 Byte16
a simple substitution of each byte
uses one table of 16x16 bytes containing a permutation of all 256 8-bit values
each byte of state is replaced by the byte indexed by row (left 4 bits) & column (right 4 bits)
e.g. byte {95} is replaced by the byte in row 9 column 5, which has value {2A}
designed to be resistant to all known attacks
a circular byte shift in each row:
1st row is unchanged
2nd row does a 1-byte circular shift to the left
3rd row does a 2-byte circular shift to the left
4th row does a 3-byte circular shift to the left
decrypt inverts using shifts to the right
since the state is processed by columns, this step permutes bytes between the columns
each column is processed separately
each byte is replaced by a value dependent on all 4 bytes in the column
effectively a matrix multiplication in GF(2^8) using the prime polynomial m(x) = x^8 + x^4 + x^3 + x + 1
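The MixColumns step described above as an added worked example in Python (not code from the slides): byte multiplication modulo m(x) = x^8 + x^4 + x^3 + x + 1, the forward and inverse mixing matrices of FIPS-197, and a round trip over a constructed 16-byte state so the invertibility the decryption slides rely on is visible.

```python
# Added example (not from the slides): AES MixColumns as arithmetic in GF(2^8).
MODULUS = 0x11B   # m(x) = x^8 + x^4 + x^3 + x + 1 as a bit pattern

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as polynomials over GF(2), reducing modulo m(x)."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a <<= 1
        if a & 0x100:          # degree reached 8: subtract (XOR) m(x)
            a ^= MODULUS
        b >>= 1
    return product

# First row of the circulant matrices (FIPS-197 5.1.3 and 5.3.3); row i is
# the first row rotated right by i positions.
MIX_ROW = (0x02, 0x03, 0x01, 0x01)
INV_MIX_ROW = (0x0E, 0x0B, 0x0D, 0x09)

def mix_column(col: bytes, row=MIX_ROW) -> bytes:
    """Every output byte depends on all four bytes of the input column."""
    out = []
    for i in range(4):
        acc = 0
        for j in range(4):
            acc ^= gf_mul(row[(j - i) % 4], col[j])
        out.append(acc)
    return bytes(out)

def inv_mix_column(col: bytes) -> bytes:
    return mix_column(col, INV_MIX_ROW)

def mix_columns(state: bytes) -> bytes:
    """State is 16 bytes in column-major order: bytes 0-3 are column 0."""
    return b"".join(mix_column(state[4 * c:4 * c + 4]) for c in range(4))

def inv_mix_columns(state: bytes) -> bytes:
    return b"".join(inv_mix_column(state[4 * c:4 * c + 4]) for c in range(4))

if __name__ == "__main__":
    state = bytes(range(16))                     # constructed sample state
    mixed = mix_columns(state)
    print(mixed.hex())
    print(inv_mix_columns(mixed) == state)       # True: the step is invertible
```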
XOR state with 128 bits of the round key
again processed by column (though effectively a series of byte operations)
inverse for decryption is identical since XOR is its own inverse, with reversed keys
designed to be as simple as possible
a form of Vernam cipher on the expanded key
requires the other stages for complexity / security
takes the 128-bit (16-byte) key and expands it into an array of 44/52/60 32-bit words
start by copying the key into the first 4 words
then loop, creating words that depend on the values in the previous word & 4 places back
in 3 of 4 cases just XOR these together
every 1st word in 4 has rotate + S-box + XOR round constant applied to the previous word, before the XOR with the word 4 back
designed to resist known attacks
design criteria included:
knowing part of the key is insufficient to find many more
invertible transformation
fast on a wide range of CPUs
use round constants to break symmetry
diffuse key bits into round keys
enough non-linearity to hinder analysis
simplicity of description
AES decryption is not identical to encryption since the steps are done in reverse
but can define an equivalent inverse cipher with steps as for encryption but using the inverse of each step
with a different key schedule
works since the result is unchanged when we:
swap byte substitution & shift rows
swap mix columns & add (tweaked) round key
can efficiently implement on an 8-bit CPU
byte substitution works on bytes using a table of 256 entries
shift rows is a simple byte shift
add round key works on byte XORs
mix columns requires matrix multiply in GF(2^8), which works on byte values and can be simplified to use table lookups & byte XORs
can efficiently implement on a 32-bit CPU
redefine steps to use 32-bit words
can precompute 4 tables of 256 words
then each column in each round can be computed using 4 table lookups + 4 XORs
at a cost of 4Kb to store tables
designers believe this very efficient implementation was a key factor in its selection as the AES cipher