1

MACs, Digital Signatures, Hash Functions and Digital Certificates

Digital Signatures are used to “Sign” messages to validate the source and integrity of the contents.

2

Digital signatures provide Message Authentication

Secure communication includes:
- Privacy/Secrecy/Confidentiality
- Authenticity
- Integrity
- Non-repudiation

Digital signatures provide the last three of these security services.

Message authentication and integrity checking play an important role in a variety of applications:
- Internet protocols
- Network management
- Wherever undetected manipulation of messages can have disastrous effects

3

Digitized Written Signature??

Simply taking a digital picture of a written signature does not provide adequate security.

Such a digitized written signature could easily be copied from one electronic document to another with no way to determine whether it is legitimate.

Electronic signatures, on the other hand, are unique to the message being signed and will not verify if they are copied to another document.

4

Digital signatures are used just like handwritten signatures

Digital signatures are used just like handwritten signatures.

When you add them to a document, you are “signing” that document as a way of endorsing or agreeing with what the document says.

Unlike handwritten signatures, digital signatures are used only with computers. They are electronic signatures that can be used to sign electronic documents, like word processing files or spreadsheets.

5

What is a digital signature?

A digital signature is a kind of ID. You can use it on the Internet to identify yourself in a secure manner.

This is extremely useful in areas such as electronic commerce. For instance, when making a credit card purchase on the Internet, you can use your digital signature to “sign” that purchase.

This helps to ensure that only you can make purchases with your credit card number.

6

Importance of Digital Signatures

Digital Signatures are a central component of modern cryptographic systems.

In analogy to handwritten signatures on paper documents, digital signatures are used to guarantee the authenticity of electronic documents.

Thus they play an important role for example in secure and reliable systems for electronic commerce.

7

Requirements for a Digital Signature

1. The signature must be a bit pattern that depends on the message being signed.

2. The signature must use some information unique to the sender, to prevent both forgery and denial.

3. It must be relatively easy to produce the digital signature.

4. It must be relatively easy to recognize and verify the digital signature.

5. It must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing digital signature or by constructing a fraudulent digital signature for a given message.

6. It must be practical to retain a copy of the digital signature in storage.

8

Message Authentication

Using Plain Encryption

9

Conventional Encryption for Signatures and MACs

There is no shortage of good message authentication codes, beginning with DES-MAC, as defined in FIPS PUB 113.

Conventional (symmetric) encryption could be used for digital signatures - DESMAC specified by FIPS

However, message authentication codes based on encryption functions such as DES, which were designed for hardware implementation, may be somewhat limited in performance for software, and there is also the question of U.S. export restrictions on encryption functions.

10

Conventional Encryption for MACs

When secret key cryptography is used, a message authentication code (MAC) is calculated from and appended to the data.

To verify that the data has not been modified at a later time, any party with access to the correct secret key can recalculate the MAC. The new MAC is compared with the original MAC, and if they are identical, the verifier has confidence that the data has not been modified by an unauthorized party.

FIPS 113, Computer Data Authentication, specifies a standard technique for calculating a MAC for integrity verification.

11

DESMAC or DAA

12

Use of Encryption for MAC

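[Figure: the message and key K go through the encryption algorithm to produce the MAC, which is sent with the message; the receiver runs the received message through the encryption algorithm with K and compares the result with the received MAC.]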

13

Why not base MACs on Encryption

Message authentication codes based on encryption functions are a bad idea because:
- Inefficiency of encryption algorithm in software
- US export restrictions

Solution:
- Use Message Digests, or
- Use a one-way hash function to create a fixed size fingerprint of the variable sized message.

Alice -> Bob: P, DA(MD(P))

14

What is a hash function?

A hash function H is a transformation that takes an input m and returns a fixed-size string, which is called the hash value h (that is, h = H(m)).

Hash functions with just this property have a variety of general computational uses, but when employed in cryptography, the hash functions are usually chosen to have some additional properties.

15

Cryptographic Hash Functions

Cryptographic hash functions are intended to resist inversion -- finding a message with a given hash value -- and collision -- finding two messages with the same hash value.

Message authentication codes, on the other hand, are intended to resist forgery -- computing a message authentication code without knowledge of a secret key.

16

Requirements for Cryptographic Hash Functions

The basic requirements for a cryptographic hash function are as follows.
- The input can be of any length.
- The output has a fixed length.
- H(x) is relatively easy to compute for any given x.
- H(x) is one-way.
- H(x) is collision-free.

17

H(x) is one-way ...

A hash function H is said to be one-way if it is hard to invert, where “hard to invert” means that given a hash value h, it is computationally infeasible to find some input x such that H(x) = h.

18

H(x) is collision-free ...

If, given a message x, it is computationally infeasible to find a message y not equal to x such that H(x) = H(y), then H is said to be a weakly collision-free hash function.

A strongly collision-free hash function H is one for which it is computationally infeasible to find any two messages x and y such that H(x) = H(y).

19

Hash Functions as Message Digests

The hash value represents concisely the longer message or document from which it was computed; this value is called the message digest.

One can think of a message digest as a ``digital fingerprint'' of the larger document.

Examples of well-known hash functions are MD2, MD5 and SHA.

20

Compression Function

Damgard and Merkle greatly influenced cryptographic hash function design by defining a hash function in terms of what is called a compression function.

A compression function takes a fixed-length input and returns a shorter, fixed-length output.

Given a compression function, a hash function can be defined by repeated applications of the compression function until the entire message has been processed.

21

Compression Function

In this process, a message of arbitrary length is broken into blocks whose length depends on the compression function, and “padded” (for security reasons) so the size of the message is a multiple of the block size. The blocks are then processed sequentially, taking as input the result of the hash so far and the current message block, with the final output being the hash value for the message.

22

MD5 Hash Function

MD5 designed by Ron Rivest, MIT Laboratory for Computer Science and RSA Data Security, Inc.

MD5 documented in Request for Comments: 1321 dated April 1992


23

MD5 Steps

The following five steps are performed to compute the message digest of the message.
- Step 1. Append Padding Bits
- Step 2. Append Length
- Step 3. Initialize MD Buffer
- Step 4. Process Message in 16-Word Blocks
- Step 5. Output

24

Step 1. Append Padding Bits

The message is "padded" (extended) so that its length (in bits) is congruent to 448, modulo 512. That is, the message is extended so that it is just 64 bits shy of being a multiple of 512 bits long. Padding is always performed, even if the length of the message is already congruent to 448, modulo 512.

Padding is performed as follows: a single "1" bit is appended to the message, and then "0" bits are appended so that the length in bits of the padded message becomes congruent to 448, modulo 512. In all, at least one bit and at most 512 bits are appended.

25

Step 2. Append Length

A 64-bit representation of b (the length of the message before the padding bits were added) is appended to the result of the previous step. In the unlikely event that b is greater than 2^64, then only the low-order 64 bits of b are used. (These bits are appended as two 32-bit words and appended low-order word first in accordance with the previous conventions.)

26

Step 3. Initialize MD Buffer

A four-word buffer (A,B,C,D) is used to compute the message digest.

Here each of A, B, C, D is a 32-bit register.

These registers are initialized to the following values (in hexadecimal, low-order bytes first):

27

Step 4. Process Message in 16-Word Blocks (4 Rounds)

28

Step 4. Continued

(4 Rounds)

2(i) = (1 + 5i) mod 16

3(i) = (5 + 3i) mod 16

4(i) = 7i mod 16

29

Step 4. Round 1 and 2

30

Step 4. Round 3 and 4

31

Step 4. Continued

32

Step 4. Continued

33

The MD5 Boolean Functions

The functions G, H, and I are similar to the function F, in that they act in "bitwise parallel" to produce their output from the bits of X, Y, and Z, in such a manner that if the corresponding bits of X, Y, and Z are independent and unbiased, then each bit of G(X,Y,Z), H(X,Y,Z), and I(X,Y,Z) will be independent and unbiased. Note that the function H is the bit-wise "xor" or "parity" function of its inputs.

34

Truth table of logical functions

35

Table T, constructed from the sine function

This step uses a 64-element table T[1 ... 64] constructed from the sine function. Let T[i] denote the i-th element of the table, which is equal to the integer part of 4294967296 times abs(sin(i)), where i is in radians. The elements of the table are given in the following slide.

36

Table T, constructed from the sine function

37

Step 5. Output

The message digest produced as output is A, B, C, D. That is, we begin with the low-order byte of A, and end with the high-order byte of D.

Strength of MD5

- MD5 hash is dependent on all message bits
- Rivest claims security is good as can be
- known attacks are:
  - Berson 92 attacked any 1 round using differential cryptanalysis (but can’t extend)
  - Boer & Bosselaers 93 found a pseudo collision (again unable to extend)
  - Dobbertin 96 created collisions on MD compression function (but initial constants prevent exploit)
- conclusion is that MD5 looks vulnerable soon

39

Other Message Digest Algorithms

- MD4
- SHA-1
- RIPEMD-160

Secure Hash Algorithm (SHA-1)

- SHA was designed by NIST & NSA in 1993, revised 1995 as SHA-1
- US standard for use with DSA signature scheme
- standard is FIPS 180-1 1995, also Internet RFC3174
- nb. the algorithm is SHA, the standard is SHS
- produces 160-bit hash values
- now the generally preferred hash algorithm
- based on design of MD4 with key differences

SHA Overview

1. pad message so its length is 448 mod 512

2. append a 64-bit length value to message

3. initialise 5-word (160-bit) buffer (A,B,C,D,E) to (67452301,efcdab89,98badcfe,10325476,c3d2e1f0)

4. process message in 16-word (512-bit) chunks:
   - expand 16 words into 80 words by mixing & shifting
   - use 4 rounds of 20 bit operations on message block & buffer
   - add output to input to form new buffer value

5. output hash value is the final buffer value

SHA-1 Compression Function

- each round has 20 steps which replaces the 5 buffer words thus:
  (A,B,C,D,E) <- ((E + f(t,B,C,D) + (A<<5) + Wt + Kt), A, (B<<30), C, D)
- a,b,c,d refer to the 4 words of the buffer
- t is the step number
- f(t,B,C,D) is nonlinear function for round
- Wt is derived from the message block
- Kt is a constant value derived from sin

SHA-1 Compression Function

Revised Secure Hash Standard

- NIST have issued a revision FIPS 180-2
- adds 3 additional hash algorithms: SHA-256, SHA-384, SHA-512
- designed for compatibility with increased security provided by the AES cipher
- structure & detail is similar to SHA-1
- hence analysis should be similar

SHA-1 versus MD5

- brute force attack is harder (160 vs 128 bits for MD5)
- not vulnerable to any known attacks (compared to MD4/5)
- a little slower than MD5 (80 vs 64 steps)
- both designed as simple and compact
- optimised for big endian CPU's (vs MD5 which is optimised for little endian CPU’s)

46

Relative Performance of Several Hash Functions (coded in C++ on a 266 MHz Pentium)

47

Secret Key Electronic Signatures Issues

If two parties share a secret key, and one party receives data with a MAC that is correctly verified using the shared key, that party may assume that the other party signed the data.

This assumes, however, that the two parties trust each other. Thus, through the use of a MAC, in addition to data integrity, a form of electronic signature is obtained.

Using additional controls, such as key notarization and key attributes, it is possible to provide an electronic signature even if the two parties do not trust each other.

48

Digital Signatures with Conventional Encryption and Hash Functions

[Figure: the message goes through the hash function to give the message digest, which is combined with key K to form the signature sent with the message; the receiver hashes the received message, uses K, and compares.]

49

Big Brother - If parties do not share a secret key

Alice -> BB: A, KA(B, RA, t, P)

BB -> Bob: KB(A, RA, t, P, KBB(A, t, P))

50

Digital Signatures with a Secret Shared Value and Hash Functions

[Figure: the message and the shared secret value go through the hash function to form the signature sent with the message; the receiver hashes the received message with the same shared secret value and compares.]

51

Public Key Electronic Signatures

Another type of electronic signature is implemented using public key cryptography.

Data is electronically signed by applying the originator's private key to the data.

To increase the speed of the process, the private key is applied to a shorter form of the data, called a "hash" or "message digest," rather than to the entire set of data.

The resulting digital signature can be stored or transmitted along with the data.

52

Public Key Electronic Signatures

The signature can be verified by any party using the public key of the signer.

This feature is very useful, for example, when distributing signed copies of virus-free software. Any recipient can verify that the program remains virus-free.

If the signature verifies properly, then the verifier has confidence that the data was not modified after being signed and that the owner of the public key was the signer.

53

Digital Signatures with Hash Functions and Public Key Encryption

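[Figure: the message goes through the hash function to give the message digest, which is transformed with KPRIVATE into the signature sent with the message; the receiver hashes the received message, applies KPUBLIC to the signature, and compares the two message digests.]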

54

Steps in making a digital signature

55

Steps in making a digital signature

1. Joe runs a one-way hash function to create a fixed length message digest from the message to be sent

2. Joe encrypts the message digest with his private key to create a digital signature.

3. Joe sends the signature and the message to Alice

4. Alice decrypts the signature with Joe’s public key to reveal the message digest

5. Alice then applies the same one-way function to the message she received from Joe to produce a message digest

6. Alice compares the message digest she created with the message digest sent by Joe. If they match, the integrity of the message is verified.

56

Steps in making a digital signature

57

Steps in making a digital signature

[Figure: on Alice’s computer, P is transformed with Alice’s private key DA into DA(P), then with Bob’s public key EB into EB(DA(P)), which crosses the transmission line; on Bob’s computer, Bob’s private key DB recovers DA(P), and EA recovers P.]

58

Digital Signature Process

Steps Involved in Creating a Digital Signature

1. Sender generates a digest of the message (M) using a one-way hash function (SHA-1, MD5, etc)

2. Sender encrypts the digest with his/her Private Key, appends it to the message and transmits

3. Receiver decrypts using sender’s Public Key and compares with the digest of the message computed at receiving end

4. A match verifies the signature and vice versa

[Figure: Alice computes H(M), encrypts it with her private key to get EKRA(H(M)), and sends M || EKRA(H(M)) over the Internet; Bob computes H(M) from the received M, computes DKUA(EKRA(H(M))), and checks whether the two match. The numbers 1 to 4 in the figure mark the steps above.]

59

Digital Signature Standard (DSS)

- US Govt approved signature scheme FIPS 186
- uses the SHA hash algorithm
- designed by NIST & NSA in early 90's
- DSS is the standard, DSA is the algorithm
- a variant on ElGamal and Schnorr schemes
- creates a 320 bit signature, but with 512-1024 bit security
- security depends on difficulty of computing discrete logarithms

60

DSA Key Generation

have shared global public key values (p,q,g):
- a large prime p = 2^L, where L = 512 to 1024 bits and is a multiple of 64
- choose q, a 160 bit prime factor of p-1
- choose g = h^((p-1)/q), where h < p-1 and h^((p-1)/q) (mod p) > 1

users choose private & compute public key:
- choose x < q
- compute y = g^x (mod p)

61

DSA Signature Creation

to sign a message M the sender:
- generates a random signature key k, k < q
- nb. k must be random, be destroyed after use, and never be reused

then computes signature pair:

r = (g^k (mod p)) (mod q)

s = (k^-1 (SHA(M) + x.r)) (mod q)

sends signature (r,s) with message M

62

DSA Signature Verification

having received M & signature (r,s)

to verify a signature, recipient computes:

w = s^-1 (mod q)

u1 = (SHA(M).w) (mod q)

u2 = (r.w) (mod q)

v = (g^u1 . y^u2 (mod p)) (mod q)

if v = r then signature is verified

see book web site for details of proof why

63

DSS Proof

Let p and q be primes so that q divides p - 1, h a positive integer less than p, and g = h^((p-1)/q) mod p.

Then g^q mod p = 1, and if m mod q = n mod q, then g^m mod p = g^n mod p.

Proof: We have

g^q mod p = (h^((p-1)/q) mod p)^q mod p

= h^(p-1) mod p

= 1

by Fermat's Little Theorem. Now let m mod q = n mod q, i.e., m = n + kq for some integer k. Then

g^m mod p = g^(n+kq) mod p

= (g^n g^(kq)) mod p

= ((g^n mod p) (g^q mod p)^k) mod p

= g^n mod p

since g^q mod p = 1.

We are now ready to prove the main result.

64

THEOREM. If M’ = M, r’ = r, and s’ = s in the signature verification, then v = r’.

Proof: We have

w = (s’)^-1 mod q = s^-1 mod q

u1 = ((SHA-1(M’))w) mod q = ((SHA-1(M))w) mod q

u2 = ((r’)w) mod q = (rw) mod q.

Now y = g^x mod p, so that by the lemma,

v = ((g^u1 y^u2) mod p) mod q

= ((g^(SHA-1(M)w) y^(rw)) mod p) mod q

= ((g^(SHA-1(M)w) g^(xrw)) mod p) mod q

= ((g^((SHA-1(M)+xr)w)) mod p) mod q.

65

Also

s = (k^-1(SHA-1(M) + xr)) mod q.

Hence

w = (k(SHA-1(M) + xr)^-1) mod q

(SHA-1(M) + xr)w mod q = k mod q.

Thus by the lemma,

v = (g^k mod p) mod q

= r

= r’

66

Summary

have considered:
- Authentication functions
- MAC
- Hash functions
- digital signatures
- authentication protocols (mutual & one-way)
- digital signature standard