A. Steffen, 10.4.2000, KSy_Auth.ppt 1
Zürcher Hochschule Winterthur
Kommunikationssysteme (KSy) - Block 9

Secure Network Communication – Part III
Authentication and Integrity
Dr. Andreas Steffen
2000 Zürcher Hochschule Winterthur

Secure Network Communication – Part III
Integrity
Authentication
Certificates

Integrity of Documents and Messages
Detection of corrupted documents and messages
  Detection of bit errors caused by unreliable transmission links or faulty storage media.
  Solution: Message Digest acting as a unique fingerprint for the document (similar function as CRC).
Protection against unauthorized modification
  Without protection a forger could create both an alternative document and its corresponding correct message digest.
  Symmetric Key Solution: Message Authentication Code (MAC) formed by using a keyed message digest function.
  Asymmetric Key Solution: Digital Signature formed by encrypting the message digest with the document author's private key.

Message Digests based on One-Way Hash Functions
A single bit change in a document should cause about 50% of the bits in the digest to change their value!
[Figure: Document or message of arbitrary size -> Hash Function (One-Way Function) -> Message Digest of fixed size]

Popular Hash Functions
MD5 - Message Digest #5, Ron Rivest, RSA: 128 bits
SHA - Secure Hash Algorithm, NIST / NSA: 160 bits
[Figure: Document or Message -> Hash Function (MD5 or SHA) -> Message Digest or Hash or Fingerprint]

Basic Structure of the MD5 / SHA One-Way Hash Functions
Document + Pad + L = N x 512 bits
  IV: 128/160 bit Initialization Vector
  Hash: 128/160 bit Hash Value
  Pad: Padding
  L: 64 bit Document Length
[Figure: IV and Block 1 (512 bits) -> MD5/SHA Hash Function -> Hash; Hash and Block 2 (512 bits) -> MD5/SHA Hash Function -> Hash; ... ; Hash and Block N (512 bits) -> MD5/SHA Hash Function -> Hash]

Message Authentication Codes based on Keyed One-Way Hash Functions
[Figure: Author: document and Key -> Keyed Hash Function -> MAC; document and MAC are sent over the Transmission Channel; Recipient: received document and Key -> Keyed Hash Function -> MAC, compared with the received MAC: Genuine if equal]

Basic Structure of a Keyed One-Way Hash Function (RFC 2104)
[Figure: Key (Key Length) + Pad = 512 bits; XOR with 0x36..0x36 -> Inner Key (512 bits); XOR with 0x5C..0x5C -> Outer Key (512 bits); Inner Key and Document -> MD5 / SHA Hash Function -> Hash; Outer Key and Hash -> MD5 / SHA Hash Function -> Hash (Hash Length) -> Truncate to 96 bits -> MAC]
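
The RFC 2104 construction from this slide and the "genuine if equal" check from the previous one, written out as an added example (not part of the original slides). The function names, the sample key and the choice of SHA-1 as default are assumptions of the example; the result is cross-checked against Python's hmac module.

```python
import hashlib
import hmac

BLOCK = 64  # bytes: the 512-bit block size of MD5 and SHA-1

def keyed_hash(key, document, hash_fn=hashlib.sha1, mac_bits=96):
    """RFC 2104 keyed hash as drawn on the slide, truncated to mac_bits."""
    if len(key) > BLOCK:                      # RFC 2104: hash over-long keys first
        key = hash_fn(key).digest()
    key = key.ljust(BLOCK, b"\x00")           # Pad: zero-fill the key to 512 bits
    inner_key = bytes(k ^ 0x36 for k in key)  # Key XOR 0x36..0x36
    outer_key = bytes(k ^ 0x5C for k in key)  # Key XOR 0x5C..0x5C
    inner_hash = hash_fn(inner_key + document).digest()
    outer_hash = hash_fn(outer_key + inner_hash).digest()
    return outer_hash[: mac_bits // 8]        # Truncate to 96 bits -> MAC

def genuine(key, document, mac, hash_fn=hashlib.sha1):
    """Recipient: recompute the MAC and compare in constant time."""
    expected = keyed_hash(key, document, hash_fn, mac_bits=8 * len(mac))
    return hmac.compare_digest(expected, mac)

if __name__ == "__main__":
    key = bytes(range(20))                          # constructed key
    doc = b"Pay 100 $ to the bearer AQ - 1545323"   # text from the forging slide
    mac = keyed_hash(key, doc)
    print(mac.hex(), genuine(key, doc, mac))
    print(genuine(key, doc.replace(b"100", b"100'000"), mac))  # modified document
    # Cross-check against the standard library's HMAC
    print(mac == hmac.new(key, doc, hashlib.sha1).digest()[:12])
```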

Digital Signatures based on Public Key Cryptosystems
[Figure: Author: document -> Hash Function -> Hash Value -> Encryption with Private Key -> Signature; document and Signature are sent over the Transmission Channel; Recipient: received document -> Hash Function -> Hash Value, and Signature -> Decryption with Public Key -> Hash Value: Genuine if equal]

Forging Documents
On average $2^{m}$ trials are required to find a document having the same hash value as a given one!
[Figure: Original Document ("Pay 100 $ to the bearer", AQ - 1545323) -> Hash Function -> Hash Value of m bits; Forged Document ("Pay 100'000 $ to the bearer", XX - XXXXXXX; label: Random Text) -> Hash Function -> Hash Value]

The Birthday Paradox
What is the probability of another person having the same birthday as you?
  Probability p = 1/365
How many people must be in a room so that the probability of at least one other person having the same birthday as you is greater than 0.5?
  $\left(\frac{364}{365}\right)^{n} < 0.5$, n = 253 people
How many people must be in a room so that the probability of at least two of them having the same birthday is greater than 0.5?
  $\left(\frac{364}{365}\right)^{n(n-1)/2} < 0.5$, n = 23 people

Birthday Attacks against Hash Functions
Looking for Collisions!
Only about $2^{m/2}$ trials are required to find two documents having the same hash value.
MD5 might be insecure!
[Figure: Original Document ("Pay 100 $ to the bearer", YY - YYYYYYY; label: Random Text) and Forged Document ("Pay 100'000 $ to the bearer", XX - XXXXXXX; label: Random Text) -> Hash Function -> the same Hash Value of m bits (Z Z Z Z Z Z)]
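
The two birthday bounds and the difference between the last two attack slides, as an added example (not part of the original slides). It assumes an m-bit hash modelled by the first m bits of SHA-1 with m = 16 so that it runs in well under a second; the function names and the numbering used as "random text" are choices of this example.

```python
import hashlib
import itertools

def digest_bits(document, m):
    """First m bits of SHA-1, standing in for an m-bit hash function (assumption)."""
    value = int.from_bytes(hashlib.sha1(document).digest(), "big")
    return value >> (160 - m)

def smallest_n(exponent):
    """Smallest n with (364/365)**exponent(n) < 0.5, as on the birthday slide."""
    return next(n for n in itertools.count(1) if (364 / 365) ** exponent(n) < 0.5)

def forge_given(original, m):
    """Slide 'Forging Documents': match the hash of one fixed document."""
    target = digest_bits(original, m)
    for trials in itertools.count(1):
        forged = b"Pay 100'000 $ to the bearer XX - %d" % trials
        if digest_bits(forged, m) == target:
            return forged, trials

def birthday_pair(m):
    """Slide 'Birthday Attacks': vary both documents until any two collide."""
    seen = {}
    for trials in itertools.count(1):
        good = b"Pay 100 $ to the bearer YY - %d" % trials
        bad = b"Pay 100'000 $ to the bearer XX - %d" % trials
        seen[digest_bits(good, m)] = good
        h = digest_bits(bad, m)
        if h in seen:
            return seen[h], bad, trials

if __name__ == "__main__":
    M = 16
    print("same birthday as you:", smallest_n(lambda n: n))
    print("any two the same    :", smallest_n(lambda n: n * (n - 1) / 2))
    _, t_given = forge_given(b"Pay 100 $ to the bearer AQ - 1545323", M)
    good, bad, t_pair = birthday_pair(M)
    print("trials against a given document:", t_given, "(2^m =", 2 ** M, ")")
    print("trials for any colliding pair  :", t_pair, "(2^(m/2) =", 2 ** (M // 2), ")")
    print(good, bad)
```

With a real 128-bit digest the same gap is $2^{128}$ against about $2^{64}$ trials, which is why the digest length, not only the hash design, sets the collision resistance.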

Secure Network Communication – Part III
Integrity
Authentication
Certificates

Insecure Authentication based on Passwords
Secret password transmitted over insecure channel.
Salt helps against dictionary attacks. UNIX uses 12 bits of salt, resulting in 4096 hashed password variants.
[Figure: Remote User sends ID and Password over the insecure channel to the Server; labels on the server side: Password File, ID, Password, Salt, Hash Function, Hash]

Secure Authentication based on Challenge/Response Protocols
No secrets are openly transmitted.
The random values R_S and R_U should never be repeated!
[Figure: User and Server connected by an Insecure Channel. Challenge: the Server sends a random value (Nonce) R_S. Response: the User sends ID_U, R_U and MAC. On both sides: Key, ID_U, R_U, R_S -> Keyed Hash Function -> MAC]
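
The exchange on this slide with both sides' messages, as an added example (not part of the original slides). The class and function names, the 16-byte nonces, HMAC-SHA-1 as the keyed hash, and the order and length-prefixed framing of ID_U, R_U and R_S inside the MAC are assumptions of the example; the server accepts each R_S only once, which is what makes a captured response useless.

```python
import hashlib
import hmac
import secrets

def mac(key, id_u, r_u, r_s):
    # Field order and length-prefix framing are assumptions of this example
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in (id_u, r_u, r_s))
    return hmac.new(key, msg, hashlib.sha1).digest()

class Server:
    def __init__(self, keys):
        self.keys = keys          # ID_U -> shared Key
        self.pending = set()      # challenges R_S issued and not yet answered

    def challenge(self):
        r_s = secrets.token_bytes(16)      # random value (Nonce) R_S
        self.pending.add(r_s)
        return r_s

    def verify(self, r_s, id_u, r_u, response_mac):
        if r_s not in self.pending:        # unknown or already used R_S
            return False
        self.pending.discard(r_s)          # each R_S is accepted only once
        key = self.keys.get(id_u)
        if key is None:
            return False
        return hmac.compare_digest(mac(key, id_u, r_u, r_s), response_mac)

class User:
    def __init__(self, id_u, key):
        self.id_u, self.key = id_u, key

    def respond(self, r_s):
        r_u = secrets.token_bytes(16)      # fresh R_U for every response
        return self.id_u, r_u, mac(self.key, self.id_u, r_u, r_s)

def demo():
    key = secrets.token_bytes(20)          # constructed shared key
    server, user = Server({b"alice": key}), User(b"alice", key)
    r_s = server.challenge()
    response = user.respond(r_s)           # (ID_U, R_U, MAC); the key never travels
    first = server.verify(r_s, *response)
    replayed = server.verify(r_s, *response)       # captured response sent again
    r_s2 = server.challenge()
    wrong_key = server.verify(r_s2, *User(b"alice", b"x" * 20).respond(r_s2))
    return first, replayed, wrong_key

if __name__ == "__main__":
    print(demo())
```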

Challenge/Response Protocol based on Digital Signatures
[Figure: User and Server connected by an Insecure Channel. Challenge: the Server sends a random value (Nonce) R_S. User: ID_U, R_U, R_S -> Hash -> Encryption with Private Key -> Sig. Response: the User sends ID_U, R_U and Sig. Server: ID_U, R_U, R_S -> Hash, compared with Sig -> Decryption with Public Key -> Hash]

Secure Network Communication – Part III
Integrity
Authentication
Certificates

Trust Models I
PGP Web of Trust
Can Carol trust Alice?
[Figure: Alice, Bob, Carol and Dave with their certificates; labels: Signed by Alice, Signed by Bob, Signed by Carol, Signed by Dave, Trust, Certificate]

Trust Models II
Trust Hierarchy with Certification Authorities
[Figure: Root CA: Verisign and Swisskey (Self Signed); Intermediate CA: Amazon; Client Certificates: Alice, Bob, Carol; Trust follows the issuer named in each certificate]

General Structure of an X.509 Certificate
  version
  serialNumber
  signature*
  issuer
  validity
  subject
  subjectPublicKeyInfo
  issuerUniqueID OPTIONAL
  subjectUniqueID OPTIONAL
  extensions OPTIONAL
  signatureAlgorithm*
  signature
* specifies algorithm used to sign certificate, e.g. md5RSA
[Figure: certificate fields -> Hash Function* -> Hash / Fingerprint -> Encryption with Issuer's Private Key* -> signature]

General Structure of an X.509 Certificate
ASN.1 using Distinguished Encoding Rules (DER)

TBSCertificate ::= SEQUENCE {
    version              [0] Version DEFAULT v1(0),
    serialNumber         CertificateSerialNumber,
    signature            AlgorithmIdentifier,
    issuer               Name,
    validity             Validity,
    subject              Name,
    subjectPublicKeyInfo SubjectPublicKeyInfo,
    issuerUniqueID       [1] UniqueIdentifier OPTIONAL,
    subjectUniqueID      [2] UniqueIdentifier OPTIONAL,
    extensions           [3] Extensions OPTIONAL
}

Certificate ::= SEQUENCE {
    tbsCertificate       TBSCertificate,
    signatureAlgorithm   AlgorithmIdentifier,
    signature            BIT STRING
}

X.509 Certificate Handling
Netscape 4.7 Browser
Netscape Menu: Communicator / Tools / Security Info

X.509 Certificate Handling - Netscape
Certification Path

X.509 Certificate Handling - Netscape
Encrypted and Signed E-Mail (S/MIME)

X.509 Certificate Handling
Microsoft Internet Explorer 5.0
Explorer Menu: Tools / Internet Options

X.509 Certificate Handling – Internet Explorer
Certification Path

X.509 Certificate Structure
V1 Fields and V3 Extensions

Public Key Infrastructure (PKI)
Certification Authority
  Governed by a Certificate Practice Statement (CPS)
  Issues and signs Client and Server Certificates
  Maintains a Certificate Revocation List (CRL)
  Offers LDAP / WWW based Directory Services
Private Key Management
  Secure Generation and/or Distribution of Private Keys
    Browser or Java Applet generated Keys
    Hardware generated Keys (Intel 810/820 Chipset, Smart Cards)
  Secure Storage of Private Keys
    Smart Cards, USB Modules, SIM Cards (Sonera)
  Key Recovery of lost private keys