Post on 21-Dec-2015
Authentication & digital signature
Jen-Chang Liu
Adapted fromlecture slides by Lawrie Brown
Model for Network Security
Type of attacks disclosure traffic analysis masquerade 偽裝 content modification sequence modification
Insertion, deletion, reordering timing modification
Delay or replay of message source repudiation destination repudiation
Message confidentiality => ciphers
Message authentication=>Message encryption, Message auth. code, Hash function
不可否認發出訊息Digital signature
不可否認收到訊息
Outline Message authentication
Message encryption Message authentication code: MAC=Ck(M),
k is a shared secret key, MAC is a fixed-length code
Hash function: h=H(M), h is a fixed-length code
Hash functions SHA (secure hash algorithm)
Digital signature
Message Authentication message authentication is concerned
with: protecting the integrity of a message validating identity of originator non-repudiation of origin (dispute
resolution)
Two-level approach Produce an authenticator: a value to be
used to authenticate a message Authentication protocol (ch 13.2)
訊息來源
來源不可否認發出訊息
Message Encryption message encryption by itself also
provides a measure of authentication symmetric encryption is used:
* A is the only party that possesses K
* Y=DK(X), How to verify that Y is legitimate plaintext?Source: text fileSource: binary file, such as compressed file, …
Symmetric encryption for authentication
Constraint: the plaintext have some well-formed structure
Example 1: frame check sequence (FCS)
Error detection codeFrame check sequenceHash function
Symmetric encryption for authentication (cont.)
Example 2: TCP header
Public-key encryption for authentication
Anyone can access public key – no authentication
Only A has private key, M must be well-formed
A B
Outline Message authentication
Message encryption Message authentication code: MAC=Ck(M),
k is a shared secret key, MAC is a fixed-length code
Hash function: h=H(M), h is a fixed-length code
Hash functions SHA (secure hash algorithm)
Digital signature
Message Authentication Code (MAC)
MAC is a cryptographic checksum MAC=CK(M) condenses a variable-length message M using a secret key K to a fixed-sized authenticator
Message Authentication Codes (cont.)
why use a MAC instead of message encryption? Sometimes only authentication is needed
Ex. Broadcast of shut down message, check MAC is cheaper
Ex. The receiver side cannot afford time to decrypt Ex. Authentication of a program in plaintext
Separation of authentication and confidentiality
Sometimes need authentication to persist longer than the encryption (eg. archival use)
note that a MAC is not a digital signature Both sender and receiver share the same key
Requirements for MACs taking into account the types of
attacks, we need the MAC to satisfy the following:
1. knowing a message and MAC, is infeasible to forge another message with same MAC
2. MACs should be uniformly distributed For random M and M’, n-bit MAC, the prob.
that CK(M)=CK(M’) is 2-n
3. MAC should depend equally on all bits of the message
Using Symmetric Ciphers for MACs
Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC using IV=0 and zero-pad of final block encrypt message using DES in CBC mode and send just the final block as the MAC
or the leftmost M bits (16≤M≤64) of final block
Cipher block chaining
+IV=0
Message + MAC with confidentiality
Outline Message authentication
Message encryption Message authentication code: MAC=Ck(M),
k is a shared secret key, MAC is a fixed-length code
Hash function: h=H(M), h is a fixed-length code
Hash functions (Ch. 12) SHA (secure hash algorithm)
Digital signature
Hash Functions Hash function: h=H(M), h is a fixed-
length code Also called as message digest or hash value usually assume that the hash function is
public and not keyed. cf. MAC which is keyed
MAC alone can be used for authentication; however, hash value alone can’t
hash used to detect changes to message can use in various ways with message,
most often to create a digital signature
Hash functions & symmetric encryption
Hash code provide a structurefor the message
In fact, a MACcode
Hash functions & public-key encryptions
In fact, a digitalsignature
confidentiality
Hash functions & a shared secret value S
Advantage: no encryption is necessary
confidentiality
Requirements for Hash Functions
1. can be applied to any sized message M2. produces fixed-length output h3. is easy to compute h=H(M) for any message M4. given h is infeasible to find x s.t. H(x)=h
• one-way property• Important if a secret value is hashed. h = H(M || S)
5. given x is infeasible to find y s.t. H(y)=H(x)• weak collision resistance• Prevent forgery
6. is infeasible to find any x,y s.t. H(y)=H(x)• strong collision resistance
Simple Hash Functions based on XOR of message blocks
XOR
* Too simple to fit the security requirements
Secure hash algorithm (SHA)
SHA logic
512-bit block
SHA SHA SHA SHA160 160 160 160
160-bit digest
SHA round for 512-bit block
4 differentfunctions:Totally 80steps
5 32- bit words
Elementary SHA operation32 bits 32 bits 32 bits 32 bits 32 bits
From 512-bitinput block
Fixed constant
Circular left shift 5 bits
SHA bitswise functions
Step Function Value Comment
0≤t≤19 If B then C else D
20≤t≤39 Parity bit of B,C, and D
40≤t≤59 2 or 3 of B,C,D is true
60≤t≤79 Parity bit of B,C, and D
)()( DBCB
DCB
)(
)()(
DC
DBCB
DCB
W[0-79] from input 512-bit block
W[0-79]
Security of SHA Against brute-force attack
Produce any message having a given SHA digest is on the order of 2160
Against cryptanalysis No known attacks
Speed Logic operation & addition modulo 232
Fast on 32-bit architecture Simple to implement
Hash Functions & MAC Security
like block ciphers have: brute-force attacks exploiting
strong collision resistance hash have cost 2
m/2
have proposal for h/w MD5 cracker 128-bit hash looks vulnerable, 160-bit is better
MACs with known message-MAC pairs can either attack keyspace (cf key search) or
MAC at least 128-bit MAC is needed for security
Hash Functions & MAC Security (cont.)
cryptanalytic attacks exploit structure like block ciphers want brute-force attacks
to be the best alternative have a number of analytic attacks on
iterated hash functions CVi = f[CVi-1, Mi]; H(M)=CVN
typically focus on collisions in function f like block ciphers is often composed of
rounds attacks exploit properties of round functions
Outline Message authentication
Message encryption Message authentication code: MAC=Ck(M), k
is a shared secret key, MAC is a fixed-length code
Hash function: h=H(M), h is a fixed-length code
Hash functions SHA (secure hash algorithm)
Digital signature Digital signature standard (DSS) : FIPS 186
Motivation Problem with message authentication:
(John sends auth. message to Mary): Mary may forge a different message and
claim that it came from John John can deny sending the message
(source repudiation)
John Mary
Authenticatedmessage
Secret K Secret K messageMAC
forgery
Digital signature digital signatures (analogous to the
handwritten signature) provide the ability to: verify author, date & time of signature authenticate message contents be verified by third parties to resolve
disputes hence include authentication function
with additional capabilities
Hash functions & public-key encryptions
In fact, a digitalsignature
confidentiality
Digital Signature Properties
must depend on the message signed must use information unique to sender
to prevent both forgery and denial must be relatively easy to produce must be relatively easy to recognize &
verify be computationally infeasible to forge
with new message for existing digital signature with fraudulent digital signature for given
message be practical save digital signature in
storage
Digital signature standard (DSS)
NIST published the DSS standard in 1992
One of the aims: to make DSS a free piece of digital signature software RSA is not free !!!
Advantage of DSS: faster than (message digest + RSA)
DSS approach
Random number
s: 160 bitsr: 160 bits – Does not dependent oninput message Can be computedahead of time
Global public-keyA B
r
Digital signature standard (DSS)
creates a 320 bit signature (r, s), but with 512-1024 bit security
security depends on difficulty of computing discrete logarithms
160 bits
160 bits
: public
r = (gk mod p) mod q
160 bits512~1024 bits
s=[k-1 (H(M)+xr)] mod q
160-bit userPrivate key
* s is easy to compute