IS 302: Information Security and Trust Week 5: Integrity 2012

IS 302: Information Security and TrustWeek 5: Integrity

2012

© Yingjiu Li 2007 2

Review

• RSA– Key generation– Security (key size)– Encryption and decryption with random

padding

• Envelop encryption– RSA+AES

Adversary• Passive adversary

– Eavesdropping: threat to message confidentiality– Solution with encryption (AES, RSA…): an

adversary is not able to understand the message

• Active adversary– Unauthorized modification: threat to message

integrity– Solution: if an adversary modifies the message, it

can always be detected!



Question• Assume that Mallory is an active adversary• Does encryption provide message integrity?

Bob Alice

Mallory

Please transfer $1M to account A…


Solution• Send a small piece of information as proof of

message integrity

Bob Alice

Mallory

Please transfer $1M to account A…, E7582D9C71D5DA1171293EF23FCD


Proof of Message Integrity

• Symmetric proof– Message authentication code (MAC)

• Asymmetric proof– RSA signature

• Both MAC and RSA signature are based on hash


Hash

• Hash function h=H(M)– One-way

• easy to compute but hard to inverse

– Collision resistant• hard to find MM’ such that H(M)=H(M’)

– Fixed length• variable-length M fixed-length h


Cryptool

• Indiv. procedures hash– MD5– SHA1– Sensitivity to change


Attacks to Hash

• Pre-image attack (against one-way feature)– Given h=H(M), find M’ such that H(M’)=h

• Collision attack (against collision resistant feature)– Given H(), find M’ and M’’ such that

H(M’)=H(M’’)


Hash for Integrity Check• Can hash value h=H(M) be used as integrity proof

for M?– Send h together with M over public channel?

– Send h separately over secure channel?

Bob Alice

Mallory

M: Please transfer $1M to account A…,


Hash for Integrity Check• Can hash value h=H(M) be used as integrity proof

for M?– Send h together with M over public channel (No!)

– Send h separately over secure channel (Yes!)

Bob Alice

Mallory

M: Please transfer $1M to account A…,

h: E7582D9C71D5DA1171293EF23FCD


Standard Hash: MD5

• MD5– Output: 128 bits (32 Hex digits, 16 bytes)– internet standard, commonly used to check

integrity of files– 1991: designed by Rivest– 1996: a flaw was discovered– 2004: more serious flaws– 2007: people can create a pair of files that share

the same MD5 hash value


Standard Hash: SHA1• SHA1

– 160 bits (40 hex’s, 20 bytes), NIST standard– 1995: NSA, replaced SHA0 (1993)– 2005: potential weakness was found

• http://www.rsa.com/rsalabs/node.asp?id=2834 • Collision attack: 2^80 2^39 for SHA0, 2^63 for SHA1

– 2010: last year to use as suggested by NIST• SHA2

• SHA224, SHA256, SHA384, SHA512

• SHA3• 2 Nov 2007 – 31 Oct 2008: NIST call for competition• 2012: winner and new standard will be announced

http://www.rsa.com/rsalabs/node.asp?id=2834


A little bit more detail on SHA1

– Input: 0~2^64 -1 bits (2^20~1M, 2^30~1G)

– Output: 160 bits (5*32)

– Block size: 512 bits (16*32)

– Rounds: 80


MAC• Message authentication code (MAC)

– MAC=H(K,M), where K is secret key (MAC key)

– Alice sends MAC together with message M

– Bob verifies M with K to see whether MAC=H(K,M)

Bob (k)

Alice (k)

Mallory

Please transfer $1M to account A, MAC

Message & MAC


Attack to MAC– Pre-image attack to the key– MAC key should be long enough against brute

force attack


HMAC

• HMAC = H(K,H(K,M))– H can be any hash function

• H=MD5 HMAC-MD5 (128 bits)

• H=SHA-1 HMAC-SHA-1 (160 bits)

– Key size• JCE: HMAC key = 64 bytes (512 bits)

• If key > 64 bytes, key H(key)

• Recommended key > output size of hash function


Encryption-Based MAC

• DES-MAC – DES encryption E(M,K) blk1, blk2,…blkn– MAC = blk1 blk2 …blkn– K is a DES key (56 bits) weak security– DES-MAC is 64 bits

• AES-MAC– What is the key size?– How long is the AES-MAC?


Cryptool

• Indiv. procedures hash HMAC– SHA-256– Double hashing


Repudiation Problem with MAC

• If Alice denies sending message to Bob, Bob cannot prove to any third-party authority that Alice’s lying

Bob (k)

Alice (k)

Mallory

Please transfer $1M to account A, MAC

Message & MAC

Secret channel


Solution: RSA Signature• Alice with RSA public key (n,e) and private key d

– Compute digital signature sig=H(M)d mod n (only Alice can generate this signature with her private RSA key d)

– Send (M, sig) to Bob

• Bob: – Compute H(M)– Verify sig by comparing if H(M) = sige mod n (anyone can verify

the signature with Alice’s public RSA key e,n)

Bob Alicepublic channel d

d: Alice’s private keyn,e: Alice’s public key

(M, sig = H(M)d mod n)

n,e


Discussion– What is difference between RSA encryption

and RSA signature?– What is the size of an RSA-1024 signature with

SHA-256?– What is the size of HMAC with SHA-256?– In what scenarios should you choose RSA

signature or MAC?


Demo in CrypTool

• Digital signatures/PKI– Sign document (SHA1+RSA-512)– Verify signature


Security of some crypto-algorithmsCryptographic strength

Symmetric

(key length)

Asymmetric (modulus length)

Hashing/MACs (hash value length)

weak DES 40-bit

RC4 40-bit

RSA 256-bit

medium DES 56-bit

CAST 64-bit

RSA 512-bit

D-H 512-bit

DSA 512-bit

ANSI X9.9 MAC 32-bit

strong Triple DES 112-bit

AES 128-bit

IDEA 128-bit

RC4 128-bit

RSA 1024-bit

D-H 1024-bit

DSA 1024-bit

MD4/MD5 128-bit ?

SHA-1 160-bit ?

Very strong AES 192-bit

AES 256-bit

RSA 2048-bit

ECC 300-bit

SHA224,SHA-256

SHA-384

SHA-512


Hands-on Exercise• Download week5.zip into your IS302 directory• Unzip it (extract to week5 directory)• Follow the instructions in Lab.doc

– 2.1• HMAC in JCE

– 2.2• RSA signature in JCE


Review• How long is an RSA-1024 with SHA1 signature

1) 128 bits 2) 160 bits 3) 1024 bits

• Alice sends a message with an RSA signature to Bob. Which key should be used to generate the signature?

1) Alice’s private key 2) Alice’s public key 3) Bob’s public key

• How long is AES-MAC? 1) 128 bits 2) 160 bits 3) 1024 bits

Documents

IS 302: Information Security and Trust Week 5: Integrity 2012