Upload
patience-robinson
View
216
Download
0
Tags:
Embed Size (px)
Citation preview
© Yingjiu Li 2007 2
Review
• RSA– Key generation– Security (key size)– Encryption and decryption with random
padding
• Envelop encryption– RSA+AES
Adversary• Passive adversary
– Eavesdropping: threat to message confidentiality– Solution with encryption (AES, RSA…): an
adversary is not able to understand the message
• Active adversary– Unauthorized modification: threat to message
integrity– Solution: if an adversary modifies the message, it
can always be detected!
© Yingjiu Li 2007 3
© Yingjiu Li 2007 4
Question• Assume that Mallory is an active adversary• Does encryption provide message integrity?
Bob Alice
Mallory
Please transfer $1M to account A…
© Yingjiu Li 2007 5
Solution• Send a small piece of information as proof of
message integrity
Bob Alice
Mallory
Please transfer $1M to account A…, E7582D9C71D5DA1171293EF23FCD
© Yingjiu Li 2007 6
Proof of Message Integrity
• Symmetric proof– Message authentication code (MAC)
• Asymmetric proof– RSA signature
• Both MAC and RSA signature are based on hash
© Yingjiu Li 2007 7
Hash
• Hash function h=H(M)– One-way
• easy to compute but hard to inverse
– Collision resistant• hard to find MM’ such that H(M)=H(M’)
– Fixed length• variable-length M fixed-length h
© Yingjiu Li 2007 9
Attacks to Hash
• Pre-image attack (against one-way feature)– Given h=H(M), find M’ such that H(M’)=h
• Collision attack (against collision resistant feature)– Given H(), find M’ and M’’ such that
H(M’)=H(M’’)
© Yingjiu Li 2007 10
Hash for Integrity Check• Can hash value h=H(M) be used as integrity proof
for M?– Send h together with M over public channel?
– Send h separately over secure channel?
Bob Alice
Mallory
M: Please transfer $1M to account A…,
© Yingjiu Li 2007 11
Hash for Integrity Check• Can hash value h=H(M) be used as integrity proof
for M?– Send h together with M over public channel (No!)
– Send h separately over secure channel (Yes!)
Bob Alice
Mallory
M: Please transfer $1M to account A…,
h: E7582D9C71D5DA1171293EF23FCD
© Yingjiu Li 2007 12
Standard Hash: MD5
• MD5– Output: 128 bits (32 Hex digits, 16 bytes)– internet standard, commonly used to check
integrity of files– 1991: designed by Rivest– 1996: a flaw was discovered– 2004: more serious flaws– 2007: people can create a pair of files that share
the same MD5 hash value
© Yingjiu Li 2007 13
Standard Hash: SHA1• SHA1
– 160 bits (40 hex’s, 20 bytes), NIST standard– 1995: NSA, replaced SHA0 (1993)– 2005: potential weakness was found
• http://www.rsa.com/rsalabs/node.asp?id=2834 • Collision attack: 2^80 2^39 for SHA0, 2^63 for SHA1
– 2010: last year to use as suggested by NIST• SHA2
• SHA224, SHA256, SHA384, SHA512
• SHA3• 2 Nov 2007 – 31 Oct 2008: NIST call for competition• 2012: winner and new standard will be announced
© Yingjiu Li 2007 14
A little bit more detail on SHA1
– Input: 0~2^64 -1 bits (2^20~1M, 2^30~1G)
– Output: 160 bits (5*32)
– Block size: 512 bits (16*32)
– Rounds: 80
© Yingjiu Li 2007 15
MAC• Message authentication code (MAC)
– MAC=H(K,M), where K is secret key (MAC key)
– Alice sends MAC together with message M
– Bob verifies M with K to see whether MAC=H(K,M)
Bob (k)
Alice (k)
Mallory
Please transfer $1M to account A, MAC
Message & MAC
© Yingjiu Li 2007 16
Attack to MAC– Pre-image attack to the key– MAC key should be long enough against brute
force attack
© Yingjiu Li 2007 17
HMAC
• HMAC = H(K,H(K,M))– H can be any hash function
• H=MD5 HMAC-MD5 (128 bits)
• H=SHA-1 HMAC-SHA-1 (160 bits)
– Key size• JCE: HMAC key = 64 bytes (512 bits)
• If key > 64 bytes, key H(key)
• Recommended key > output size of hash function
© Yingjiu Li 2007 18
Encryption-Based MAC
• DES-MAC – DES encryption E(M,K) blk1, blk2,…blkn– MAC = blk1 blk2 …blkn– K is a DES key (56 bits) weak security– DES-MAC is 64 bits
• AES-MAC– What is the key size?– How long is the AES-MAC?
© Yingjiu Li 2007 20
Repudiation Problem with MAC
• If Alice denies sending message to Bob, Bob cannot prove to any third-party authority that Alice’s lying
Bob (k)
Alice (k)
Mallory
Please transfer $1M to account A, MAC
Message & MAC
Secret channel
© Yingjiu Li 2007 21
Solution: RSA Signature• Alice with RSA public key (n,e) and private key d
– Compute digital signature sig=H(M)d mod n (only Alice can generate this signature with her private RSA key d)
– Send (M, sig) to Bob
• Bob: – Compute H(M)– Verify sig by comparing if H(M) = sige mod n (anyone can verify
the signature with Alice’s public RSA key e,n)
Bob Alicepublic channel d
d: Alice’s private keyn,e: Alice’s public key
(M, sig = H(M)d mod n)
n,e
© Yingjiu Li 2007 22
Discussion– What is difference between RSA encryption
and RSA signature?– What is the size of an RSA-1024 signature with
SHA-256?– What is the size of HMAC with SHA-256?– In what scenarios should you choose RSA
signature or MAC?
© Yingjiu Li 2007 23
Demo in CrypTool
• Digital signatures/PKI– Sign document (SHA1+RSA-512)– Verify signature
© Yingjiu Li 2007 24
Security of some crypto-algorithmsCryptographic strength
Symmetric
(key length)
Asymmetric (modulus length)
Hashing/MACs (hash value length)
weak DES 40-bit
RC4 40-bit
RSA 256-bit
medium DES 56-bit
CAST 64-bit
RSA 512-bit
D-H 512-bit
DSA 512-bit
ANSI X9.9 MAC 32-bit
strong Triple DES 112-bit
AES 128-bit
IDEA 128-bit
RC4 128-bit
RSA 1024-bit
D-H 1024-bit
DSA 1024-bit
MD4/MD5 128-bit ?
SHA-1 160-bit ?
Very strong AES 192-bit
AES 256-bit
RSA 2048-bit
ECC 300-bit
SHA224,SHA-256
SHA-384
SHA-512
© Yingjiu Li 2007 25
Hands-on Exercise• Download week5.zip into your IS302 directory• Unzip it (extract to week5 directory)• Follow the instructions in Lab.doc
– 2.1• HMAC in JCE
– 2.2• RSA signature in JCE
© Yingjiu Li 2007 26
Review• How long is an RSA-1024 with SHA1 signature
1) 128 bits 2) 160 bits 3) 1024 bits
• Alice sends a message with an RSA signature to Bob. Which key should be used to generate the signature?
1) Alice’s private key 2) Alice’s public key 3) Bob’s public key
• How long is AES-MAC? 1) 128 bits 2) 160 bits 3) 1024 bits