Introduction to Computer Security
Instructor: Mahadevan Gomathisankaran
CSCE 4550/5550, Fall 2009, Lecture 13
Diffie Hellman Key Exchange
• Based on Discrete logarithm problem
  – Fix large prime p and generator g
  – Define $f(x) = g^x \bmod p$
  – $f^{-1}(x)$ is the “Discrete Logarithm Problem”
Source: Wikipedia
ElGamal
• Based on Discrete Logarithm (DH) problem
• Key Generation
  1. Alice generates cyclic group G and its generator g
  2. Generates a random number x and computes $h = g^x$
  3. Public Key = (h, g, G); Private Key = (x, g, G)
• Encryption
  1. Bob generates random number y and computes $a = g^y$
  2. Ciphertext $c = m \cdot h^y$
  3. Sends to Alice (c, a)
• Decryption
  1. Alice generates $b = a^x$
  2. Decrypts the message $m = c \cdot b^{-1}$
ElGamal Signature Scheme
• Using DH and Fermat’s little theorem
• Sender
  – Compute $h = g^x$
  – Choose a random k s.t. $0 < k < p-1$ and $\gcd(k, p-1) = 1$
  – Compute $r = g^k$
  – Compute $s = (m - xr)k^{-1} \bmod (p-1)$
  – Message (m), Signature (r,s) and Public Key (h,g,p)
• Receiver
  – Verify $g^m = h^r r^s$
ElGamal Signature
• Example
• Sender
  – p=11, g=2, x=8, m=5
  – $h = 2^8 \bmod 11 = 3$
  – choose k=7
  – $r = 2^7 \bmod 11 = 7$
  – $s = (5 - 8 \cdot 7) \cdot 3 \bmod 10 = 7$
  – Message(5), Signature(7,7) and Public Key(3,2,11)
• Receiver
  – Verify
    $2^5 \bmod 11 = 3^7 \cdot 7^7 \bmod 11$
    $10 = (27)(27)(3)(49)(49)(49)(7) \bmod 11$
    $10 = 54 \bmod 11$
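The ElGamal encryption and signature slides above, carried through in Python with the slide's own numbers (p=11, g=2, x=8, m=5, k=7). This is an added example, not part of the original lecture; the function names are chosen here, and the encryption nonce y=4 and the range check on (r, s) in `verify` are additions beyond what the slides state.

```python
import math

def keygen(p, g, x):
    """Public key (h, g, p) for private exponent x, with h = g^x mod p."""
    return pow(g, x, p), g, p

def encrypt(m, y, h, g, p):
    """Bob: a = g^y, c = m * h^y (mod p); returns (c, a)."""
    return (m * pow(h, y, p)) % p, pow(g, y, p)

def decrypt(c, a, x, p):
    """Alice: b = a^x, m = c * b^-1 (mod p)."""
    b = pow(a, x, p)
    return (c * pow(b, -1, p)) % p          # modular inverse needs Python 3.8+

def sign(m, x, k, g, p):
    """Return (r, s) with r = g^k mod p and s = (m - x*r) * k^-1 mod (p-1)."""
    if not 0 < k < p - 1 or math.gcd(k, p - 1) != 1:
        raise ValueError("k must satisfy 0 < k < p-1 and gcd(k, p-1) = 1")
    r = pow(g, k, p)
    s = ((m - x * r) * pow(k, -1, p - 1)) % (p - 1)
    return r, s

def verify(m, r, s, h, g, p):
    """Accept only if r, s are in range and g^m == h^r * r^s (mod p)."""
    if not (0 < r < p and 0 < s < p - 1):   # added check: reject out-of-range values
        return False
    return pow(g, m, p) == (pow(h, r, p) * pow(r, s, p)) % p

if __name__ == "__main__":
    p, g, x, m, k = 11, 2, 8, 5, 7          # the slide's toy parameters
    h, _, _ = keygen(p, g, x)
    r, s = sign(m, x, k, g, p)
    print("public key:", (h, g, p), "signature:", (r, s))
    print("valid:", verify(m, r, s, h, g, p))
    print("altered message accepted:", verify(m + 1, r, s, h, g, p))
    c, a = encrypt(m, 4, h, g, p)           # y = 4 is a constructed nonce
    print("ciphertext:", (c, a), "decrypts to:", decrypt(c, a, x, p))
```
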
Hash Function
• A function that takes variable sized inputs and generates fixed size output
• Properties
  – it is easy to compute the hash value for any given message
  – it is infeasible to find a message that has a given hash (pre-image resistance)
  – it is infeasible to modify a message without changing its hash (second pre-image resistance)
  – it is infeasible to find two different messages with the same hash (collision resistance)
Hash Functions
• Widely used:
  – MD5 (128 bit digest) – as of August 2004: Don’t use this! (doesn’t exhibit strong collision resistance)
  – SHA1 (160 bit digest) – as of August 2005: Be skeptical!
  – SHA-256 (256 bit digest) – also SHA-384 and SHA-512
MAC
• Essentially keyed hash functions
  – Consider as a shared-secret signature
  – Common algorithms: HMAC or symmetric cipher in CBC mode
• Typical use (e.g., in SSL):
  – Protocol uses public key crypto to establish shared secret session keys
  – Confidentiality of subsequent session protected by symmetric crypto with a session key
  – Integrity of packets protected using a MAC with a shared session key
• Much less resource-intensive than a public key digital signature
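The typical use described above, sketched end to end: a Diffie-Hellman exchange (first slide) yields a shared value, a hash turns it into a session key, and HMAC protects each packet. This is an added example, not part of the original lecture; the 127-bit prime, the base 3, the function names and the sequence-number field are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy prime (Mersenne M127); far too small for real use
G = 3            # base chosen for illustration, not a vetted group

def dh_keypair(x=None):
    """Return (private x, public g^x mod p); x is random unless supplied."""
    if x is None:
        x = secrets.randbelow(P - 3) + 2          # x in [2, P-2]
    return x, pow(G, x, P)

def session_key(my_private, peer_public):
    """Hash the shared DH value g^(xy) mod p into a 256-bit session key."""
    if not 1 < peer_public < P - 1:               # reject 0, 1 and p-1
        raise ValueError("invalid peer public value")
    shared = pow(peer_public, my_private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def mac(key, seq, payload):
    # The sequence number is covered by the MAC, so changing it is detected.
    msg = seq.to_bytes(8, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()

def protect(key, seq, payload):
    return seq, payload, mac(key, seq, payload)

def check(key, packet):
    seq, payload, tag = packet
    return hmac.compare_digest(tag, mac(key, seq, payload))   # constant-time

if __name__ == "__main__":
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    # Unauthenticated exchange: certificates are what bind public values to names.
    k_alice, k_bob = session_key(a_priv, b_pub), session_key(b_priv, a_pub)
    pkt = protect(k_alice, 1, b"transfer 10 to Bob")          # constructed payload
    print("intact packet accepted:", check(k_bob, pkt))
    print("altered packet accepted:", check(k_bob, (1, b"transfer 99 to Bob", pkt[2])))
```
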
Key Management
• Kerckhoffs’s Principle: Security depends on the secrecy of the key
  – Analogy: The toughest safe in the world is easy to get into if the combination is revealed.
• Key management deals with questions like:
  – How are keys generated?
  – Where are keys stored (and who has a copy)?
  – How long are keys used for?
  – When/how should key material be destroyed?
  – Can compromised keys be revoked?
• Government/military has a formalized Key Management Infrastructure (KMI) for dealing with these issues
Key Management
• Keys should be for a single purpose
  – Don’t use encryption keys for signatures, etc.
  – Reasons:
    • Different uses can weaken security
    • Limit damage from key compromise
    • Sometimes uses conflict
• Keys should be labeled as to approved use
• Key lifetime (cryptoperiod) should be carefully chosen
• Integrity of keys is also important
Symmetric Key Distribution
• Symmetric key encryption is more efficient than asymmetric cryptography when messages are large.
• A single sender needs n different keys to exchange messages with n people
• Total # of keys: $n(n-1)/2$ → $n^2$ problem!
• 2 problems
  – # of keys
  – Distribution of these keys
• Solution: Use session keys distributed by Key Distribution Centers (KDC)
• Example: Kerberos
KDC
• Each user in the system has a secret key between him(her)self and KDC.
• Alice sends a request to KDC to acquire a session key $K_{Alice,Bob}$
• KDC informs Bob of Alice’s request
• If Bob agrees, KDC creates a session key $K_{Alice,Bob}$ and sends it to both Alice and Bob
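[Figure: the KDC shares a secret key with each user: $K_{Alice}$ with Alice, $K_{Bob}$ with Bob, $K_{John}$ with John, $K_{Mary}$ with Mary, $K_{Daisy}$ with Daisy]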
Asymmetric Key Distribution
• Public announcement
  – Web site publication, asking with e-mail, etc.
• Trusted Center
  – Keeps a large directory of public and private keys
• Certification Authority (CA)
  – A federal or state organization which issues a certificate for a public key registration
  – CA signs the certificate with its private key
  – E.g. X.509
Certification
• Verification of a signature
  – In the physical world: notary publics, signature guarantees, ...
  – In the digital world, the question is “is the public key authentic?”
• Components of a Certificate
  – Associates an identity with a public key
  – Signed by the “Certification Authority” (CA)
    • CA is a “trusted third party”
    • Role is similar to a notary public
  – Good for a set time (validity period)
  – Certificates may be revoked
CA
• A CA can be anyone you trust
  – Visible and prominent company
    • Verisign, Entrust, AOL, ...
  – Government organization
    • Deutsche Telekom
  – Organizational CA (used internally)
    • UNT CA
  – Personal knowledge
    • Personal knowledge, “Joe’s signed certificates”, ...
Certificate Chain
[Figure: certificate chain, from the trust anchor down to the end entity]
• Subject: Verisign; Verisign Public Key; Issuer: Verisign (trusted) – “Trust Anchor” or “Root CA”
• Signs → Subject: UNT CA; UNT Public Key; Issuer: Verisign
• Signs → Subject: UNT CSE CA; UNT CSE Public Key; Issuer: UNT CA
• Signs → Subject: Jon Doe; Jon’s Public Key; Issuer: UNT CSE CA
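A walk of the certificate chain shown above, checking validity period, revocation, issuer linkage and signature at each step and ending at the trust anchor. This is an added example, not part of the original lecture: the `Cert` record, the day-number dates and all function names are constructed here, and textbook RSA over Mersenne primes stands in for whatever signature algorithm a real CA uses.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Cert:
    subject: str
    issuer: str
    pub: tuple        # toy RSA public key (n, e)
    not_before: int   # validity period as day numbers (constructed)
    not_after: int
    sig: int = 0

def toy_key(p, q, e=65537):   # textbook RSA stand-in, not a real CA key
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))   # (public, private d)

def digest(c, n):
    tbs = f"{c.subject}|{c.issuer}|{c.pub}|{c.not_before}|{c.not_after}"
    return int.from_bytes(hashlib.sha256(tbs.encode()).digest(), "big") % n

def issue(cert, issuer_pub, issuer_d):
    n = issuer_pub[0]
    cert.sig = pow(digest(cert, n), issuer_d, n)   # CA signs with its private key
    return cert

def validate(chain, anchors, today, revoked=()):
    """chain[0] is the end entity; chain[i] must be signed by chain[i+1]."""
    for i, cert in enumerate(chain):
        if not cert.not_before <= today <= cert.not_after:
            return f"{cert.subject}: outside validity period"
        if cert.subject in revoked:
            return f"{cert.subject}: revoked"
        last = i + 1 == len(chain)
        signer = anchors.get(cert.issuer) if last else chain[i + 1].pub
        if signer is None or (not last and chain[i + 1].subject != cert.issuer):
            return f"{cert.subject}: issuer not found or not trusted"
        n, e = signer
        if pow(cert.sig, e, n) != digest(cert, n):
            return f"{cert.subject}: bad signature"
    return "ok"

def sample_chain():
    m = [2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1]   # Mersenne primes
    names = ["Verisign", "UNT CA", "UNT CSE CA", "Jon Doe"]
    keys = [toy_key(m[i], m[(i + 1) % 4]) for i in range(4)]
    chain = []
    for i, name in enumerate(names):
        j = max(i - 1, 0)                                # the root signs itself
        c = Cert(name, names[j], keys[i][0], 0, 365)
        chain.insert(0, issue(c, keys[j][0], keys[j][1]))
    return chain, {"Verisign": keys[0][0]}
```

`validate(*sample_chain(), today=100)` returns `"ok"`; the final check uses the locally stored anchor key, so a self-signed root presented in the chain is accepted only if it verifies under the key already trusted.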
Key Management
From NIST document 800-57: “Recommendation for Key Management”
Cryptoperiod
• Definition: The cryptoperiod is the time when a key is authorized for use by legitimate entities.
• Issues:
  – In picking cryptoperiod consider:
    • Key length
    • Volume of traffic
    • Window of vulnerability for compromised key
  – Short periods are generally good, but consider key distribution channel – frequent key updates over a marginally secure channel are dangerous!
  – Parts of a keypair can have different cryptoperiods
Cryptoperiod
From NIST document 800-57: “Recommendation for Key Management”
Other Results/Directions
• Identity-based encryption
  – Public key is widely known, non-special value (like an e-mail address)
  – Private key for recipient computed by trusted dealer
  – Advantage: Can send message without looking up long public key
  – Disadvantage: Requires trusted third party, and recipient must have proper software and key
Other Results/Directions
• Threshold cryptography
  – Secret key split into “shares”, and a particular number of shares must be present in order to decrypt or sign
  – Example: Separation of duties / multiple signing authorities
  – Example: Intrusion tolerant servers (Stanford project)
Final Notes
• Crypto is very subtle, and not a field for amateurs
  – Use solid/proven crypto libraries whenever possible
  – Problems when done by non-cryptographers, even when very good technical people (WordPerfect, Netscape, …)
• But: A fun field to become an expert in!