PKCS ( Public-key cryptography standards )

Códigos y Criptografía Francisco Rodríguez Henríquez

PKCS (Public-key cryptography standards)


Network Access Security Model


Security Levels

• Confidentiality

– Protection from disclosure to unauthorized persons

• Integrity

– Maintaining data consistency

• Authentication

– Assurance of identity of person or originator of data

• Non-repudiation

– Originator of communications can't deny it later

• Authorization– Identity combined with an access policy grants the rights to

perform some action


Security Building Blocks

• Encryption provides

– confidentiality, can provide authentication and integrity protection

• Checksums/hash algorithms provide

– integrity protection, can provide authentication

• Digital signatures provide

– authentication, integrity protection, and non-repudiation


Keys

• Symetric Keys

– Both parties share the same secret key

– A major problem is securely distributing the

key

– DES - 56 bit key considered unsafe for

financial purposes since 1998

– 3 DES uses three DES keys


Keys

• Public/Private keys

– One key is the mathematical inverse of the other

– Private keys are known only to the owner

– Public key are stored in public servers, usually in a X.509 certificate.

– RSA (patent expires Sept 2000), Diffie-Hellman, DSA


A Simplified Model of Conventional Encryption


Public-Key Cryptography


Public-Key Cryptography


Message Digest

• A message digest, also known as a one-way hash function, is a fixed length computionally unique identifier corresponding to a set of data. That is, each unit of data (a file, a buffer, etc.) will map to a particular short block, called a message digest. It is not random: digesting the same unit of data with the same digest algorithm will always produce the same short block.

• A good message digest algorithm possesses the following qualities– The algorithm accepts any input data length.

– The algorithm produces a fixed length output for any input data.

– The digest does not reveal anything about the input that was used to

generate it. – It is computationally infeasible to produce data that has a specific digest.

– It is computationally infeasible to produce two different unit of data that produce the same digest.


Hash Algorithms

• Reduce variable-length input to fixed-

length (128 or 160bit) output

• Requirements

– Can't deduce input from output

– Can't generate a given output

– Can't find two inputs which produce the

same output


Hash Algorithms

• Used to

– Produce fixed-length fingerprint of arbitrary-length data

– Produce data checksums to enable detection of modifications

– Distill passwords down to fixed-length encryption keys

• Also called message digests or fingerprints


Message Authentication Code MAC

• Hash algorithm + key to make hash value dependant on the key

• Most common form is HMAC (hash MAC)

– hash( key, hash( key, data ))

• Key affects both start and end of hashing process

• Naming: hash + key = HMAC-hash

– MD5 HMAC-MD5

– SHA-1 HMAC-SHA (recommended)


RSA: An Example


Digital Signatures

• Combines a hash with a digital signature algorithm

• To sign– hash the data– encrypt the hash with the sender's private key– send data signer’s name and signature

• To verify– hash the data– decrypt the signature with the sender's public key– the result of which should match the hash


Digital Signatures

• A data string associating a message with an originating entity– Signature generation algorithm– Signature verification algorithm– Signature scheme

• Used for authentication, integrity, and nonrepudiation

• Public key certification is one of the most significant applications


Digital Signature/Verification Schemes






Diffie-Hellman protocol






Key exchange: Diffie-Hellman protocol

1. Picks a GF(p) at random

2. Computes TA = ga mod p

3. Sends TA

4. Receives TB

5. Computes KA = TBa mod p

1. Picks b GF(p) at random

2. Computes TB = gb mod p

3. Receives TA

4. Sends TB

5. Computes KB = TAb mod p

Where K = KA = KB, Because:

TBa = (gb)a = gba = gab = (ga)b = TA

b mod p

Machine A Machine B


Mensaje para Anita en La Jornada

Querida Anita de mi corazón:

Quisiera pedirte que nuestro número primo sea 128903289023 y nuestra g 23489.

Te quiere

Betito.


Middle-person attack.• Consider the following scenario:

Anita Middleperson Betito

ga = 8389 gx = 5876 gb = 9267

8389 5876

5876 9267

Shared key KAX: Shared key KBX

5876a = 8389x 9267x = 5876b • After this exchange, the middle-person attacker simply decrypts any messages sent out by A or B, and then reads any possibly modifies them before re-encrypting with the appropriate key and transmitting them to the correct party.• Middle-person attack is possible due to the fact that DHC does not authenticate the participants. Possible solutions are digital signatures and other protocol variants.


Solution: Mutual authentication

BBAA

I am A, R1

R2, KAB {R1}

KAB{R2}


Reflection attack

T

BBBT

B

I am A, R1

R2, KAB{R1}

I am A, R2

R3, KAB{R2}


Encryption across a packet-switching network


Elements of PKI

• Certificate Authorities (CA)

– OpenSSL, Netscape, Verisign, Entrust, RSA Keon

• Public/Private Key Pairs - Key management

• x.509 Identity Certificates - Certificate management

• LDAP servers


• Public-key cryptography standards (PKCS)• Owned by RSA and motivated to promote RSA• Created in early 1990’s• Numbered from PKCS1 to PKCS15• Some along the way have

– lost interest– folded into other PKCS– taken over by other standards

bodies• Continue to evolve

PKCS


RSA cryptosystem by layers

FP finite field operations : Addition, Squaring,

multiplication, inversion and exponentiationFP

finite field operations : Addition, Squaring, multiplication, inversion and exponentiation

RSA primitive Operations: Encryption: C = Me mod n, Decryption M = Cd mod n.

RSA primitive Operations: Encryption: C = Me mod n, Decryption M = Cd mod n.

PKCS Primitives: PKCS1_OAEP_Encode, PKCS1_OAEP_Decode, etc

PKCS Primitives: PKCS1_OAEP_Encode, PKCS1_OAEP_Decode, etc

PKCS User Functions:PKCS1_OAEP_Encrypt, PKCS1_OAEP_Decrypt, PKCS1_v15_Sign,

PKCS User Functions:PKCS1_OAEP_Encrypt, PKCS1_OAEP_Decrypt, PKCS1_v15_Sign,

Protocols and Applications: SSL, TLS, WTLS, WAP, etc.

Protocols and Applications: SSL, TLS, WTLS, WAP, etc.


• RSA Cryptography Standard

Version 2.0 onwards (1998)

RSA Encryption Standard

Version 1.5 (1993)

PKCS 1


• Specifies how to use the RSA algorithm

securely for encryption and signature

• Why do we need this?

– Padding for encryption

– Different schemes for signature

PKCS 1


• Chosen ciphertext attack based on

multiplicative property of RSA

• Attacker wishes to decrypt c

Choose r, compute c’ = c re mod n

Get victim to decrypt c’ giving cd r mod n

cd r r-1 mod n = cd mod n

• Padding destroys multiplicative property

PKCS 1


RSA: Key Generation


RSA: Encryption, Decryption


RSA: An Example


RSA encryption is deterministic

Attack example: C = (PIN)e mod n, where PIN is 4-digit number.We can find M by a brute force attack within several 10 seconds.

=> We need a semantically secure cryptosystem!

We can check whether M is the message of C by C=Me mod n.

Semantically secure: For two messages M0, M1, and C = Mb2 mod n,

attackers can not guess whether C is encryption of Mb (b=0,1).

An easy way is to pad M with random integer R like M||R, but no security proof!


Chosen Ciphertext Attack (CCA)

Decryption oracle

ciphertext C

Information based on C,dd

An attack example: (0) We assume the decryption oracle computes Ad mod n for a request.(1) Attacker computes A = ReC mod n for a random R in Zn, and sends A to

the decryption oracle. (2) Decryption oracle computes B = Ad mod n and send B back to the attacker. (3) The attacker computes B/R = M mod n and get the message M.

There are several models, which are secure against the chosen ciphertext attack


Side Channel Attacks

Algorithm Binary exponentiation Input: a in G, exponent d = (dk,dk-1,…,d0)　　　　　 (dk is the most significant bit) Output: c = ad in G 1. c = a; 2. For i = k-1 down to 0; 3. c = c2; 4. If di =1 then c = c*a; 5. Return c;

The time or the power to execute c2 and c*a are different

(side channel information).

Algorithm Coron’s exponentiation Input: a in G, exponent d = (dk,dk-1,…,dl0) Output: c = ad in G 1. c[0] = 1; 2. For i = k-1 down to 0; 3. c[0] = c[0]2; 4. c[1] = c[0]*a; 5. c[0] = c[di]; 6. Return c[0];


Differential Fault Attack (DFA)

An attacker obtains a decryption which is computed in a wrong way.

nM = Cd mod n

p

dp = d mod (p-1)

Mp = Cdp mod p

dq = d mod (q-1)

Mq =Cdq mod q v = (Mq – Mp) p-1 mod q,

q

n M = Mp + pv mod n.

In the RSA using the CRT, if an attacker can break the computation of v (as v=0), then he/she can factor n by computing gcd(M-Mp,n)=p.


Klima-Rosa attack against PGP

Decryption oracle

integer X

Xd mod n’d, n’

An attacker can change the public key n to n’

The attacker can obtain Xd mod n’ for changed n’.He/she can recover d by Silver-Pohlig-Hellman algorithm

PGP dose not encrypt the key file which includes n.


Bleichenbacher’s CCADecryption oracle

any integer C mod n

Cd PKCS-format or not∈d

PKCS-Format for a message m

00 02 random padding 00 message mat least 8 bytes

most significant byte least significant byte

Theorem (Bleichenbacher): Let n be a 1024-bit RSA modus. For a given C, the value Cd mod n can be computed by about 220 accesses to the decryption oracle, where d is the secret key.


• Version 1.5, 1993 – Encryption padding was found defective in

1998 by Bleichenbacher – Possible to generate valid ciphertext without

knowing corresponding plaintext with reasonable probability of success (chosen ciphertext)

PKCS 1


• Uses Optimal asymmetric encryption protocol (OAEP) by Bellare-Rogoway 1994

– provably secure in the random oracle model.

– Informally, if hash functions are truly random, then an adversary who can recover such a message must be able to break RSA

– plaintext-awareness: to construct a valid OAEP encoded message, an adversary must know the original plaintext

• PKCS 1 version 1.5 padding continues to be allowed for backward compatibility

• Accommodation for multi-prime RSA

– Speed up private key operations

PKCS 1


• Cryptographic primitives

• Cryptographic scheme

– Encryption scheme

– Signature scheme

• Signature with appendix: supported

• Signature with message recovery: not supported

• Encoding and decoding

– Converting an integer message into an octet string for use in encryption or signature scheme and vice versa

PKCS 1


• Cryptographic primitives

• Encrypt RSAEP((n,e),m)

• Decrypt RSADP((n,d),c)

• Sign RSASP1((n,d),m)

• Verify RSAVP1((n,e),s)

Basically exponentiation with differently named

inputs!!

PKCS 1


Encryption scheme

• Combines encryption primitive with an encryption encoding method

• message encoded message integer message representative encrypted message

Decryption scheme

• Combines decryption primitive with a decryption decoding method

• encrypted message integer message representative encoded message message

Original version 1.5 scheme and new version 2.0 scheme

PKCS 1


Encryption scheme• Combines signature primitive with a signature encoding

method.• message encoded message integer message

representative signatureDecryption scheme• Combines verification primitive with a verification

decoding method• signature integer message representative encoded• message messageOriginal version 1.5 scheme

Signature with appendix

PKCS 1


PKCS 1

Symbol Meaning Symbol Meaning

k Length of n in octets EB Encryption block

n The modulus, 28(k-1)≤ n<28k

ED Encrypted data

p, q Prime factors of n BT Block type

e public exp. PS Padding string

d priv exp. S signature

M Message ||X|| Length of X in octets

MD Message digest

MD’ Comp. mess. digest


The data is an octet string D, where ||D|| ≤ k-

11. BT is a single octet whose hex

representation is either 00 or 01. PS is an

octet string with ||PS|| = k -3-||D||. If BT =

00, then all octets in PS are 00; if BT=01,

then all octets in PS are FF.

PKCS Data formatting


PKCS-Format for a message m

00 02 random padding 00 message mat least 8 bytes

most significant byte least significant byte


The formatted data block (called the encryption block) is:EB = 00||BT||PS||00||D.


i. The leading 00 block ensures that the octet

string EB, when interpreted as an integer, is less

than the modulus n.

ii. If the block type is BT = 00, then either D must

begin with a non-zero octet or its legth must be

known, in order to permit unambiguous parsing

of EB.



iii. If BT = 01, then unambiguous parsing is

always possible.

iv. For the reason given in (iii), and to thwart

certain potential attacks on the signature

mechanism, BT = 01 is recommended.



Example: Suppose that n is a 1024-bit

modulus (so k = 128). If ||D|| = 20 octets,

then ||PS|| = 105 octets, so that ||EB|| =

128 octets.



1. Message Hashing. Hash the message M

using the selected message-digest algorithm

to get the octet string MD.

2. Message Digest Encoding. MD and the hash

algorithm identifier are combined into an

ASN.1 (Abstract Syntax Notation) value and

then BER-encoded (Basic Encoded Rules)

to give an octec data string D.

Signature process for PKCS #1


3. Data block formatting. With data string input

D, use the data formatting discussed

previously to form octet string EB.

4. Octet-string2integer conversion. Let the octets

ob EB be EB1|| EB1|| EB2||… ||EBk. Define EB’i

to be the integer whose binary representation

is the octet EBi (LSB bit is on the right).



5. RSA Computation. Compute s = md mod n.

6. Integer2octet-string conversion. Convert s to

an octet string. The signature is S = ED.




5. RSA COmputation5. RSA COmputation

4. OctetString2integer conversion4. OctetString2integer conversion

3. Data block formatting3. Data block formatting

2. Message Digest Encoding2. Message Digest Encoding

1. Message Hashing1. Message Hashing

6. Integer2octetString conversion6. Integer2octetString conversion

MESSAGE

SIGNATURE


1. Octet-string2integer conversion. Reject S if

the bit-length of S is not a multiple of 8.

Convert S to an integer s as in step 4 of the

signature process. Reject the signature is s >

n.

2. RSA Computation. Compute m = se mod n.

Verification process for PKCS #1


3. Integer2octet-string conversion. Convert m to an octet string as in step 6 of the signature process.

4. Parsing. Parse EB into a block type BT, a padding string PS, and the data D.

• Reject if EB cannot be parsed unambiguously.

• Reject if BT is not one of 00 or 01.

• Reject if PS consists of < 8 octets or is inconsistent with BT.



5. Data Decoding.

– BER-decode D to get a message digest MD and

a hash algorithm identifier.

– Reject if the hashing algorithm does not identify

one of MD2 or MD5.

6. Message Digest and Comparison. Hash the message M using the selected message-digest algorithm to get the octet string MD’ and compare it with MD obtained in (5).




5. Data Encoding5. Data Encoding

4. Parsing4. Parsing

3. Integer2octetString conversion3. Integer2octetString conversion

2. RSA Computation2. RSA Computation

1. OctetString2integer conversion1. OctetString2integer conversion

6. Message digesting and comparison6. Message digesting and comparison

Signature and message

SIGNATURE


Probabilistic signature scheme (PSS)

Provably secure in random oracle

model

Natural extension to message recovery

PKCS 1: The Future

Documents

PKCS ( Public-key cryptography standards )