chapter xxx – cryptography and miscellaneous 6th ed topics...
TRANSCRIPT
Cryptography and Cryptography and
Network SecurityNetwork Security
Chapter XXXChapter XXX
SixthSixth EditionEdition
by William Stallingsby William Stallings
Lecture slides by RHBLecture slides by RHB
Chapter XXX Chapter XXX ––
Miscellaneous 6th ED Miscellaneous 6th ED topicstopics
ThatThat’’s enough quotations.s enough quotations.
—— RHBRHB
OutlineOutline
•• will discuss:will discuss:
–– Key wrappingKey wrapping
–– RSARSA--PSS digital signature schemePSS digital signature scheme
–– Elliptic curve digital signature schemeElliptic curve digital signature scheme
–– SHASHA--3 and 3 and KeccakKeccak
Key WrappingKey Wrapping
•• for standardfor standard mass data modes:mass data modes:
–– first cipher block affected by only first data blockfirst cipher block affected by only first data block
–– last data block affects only last cipher blocklast data block affects only last cipher block
•• in a hierarchy of keys, want something in a hierarchy of keys, want something better for transmitting session keys better for transmitting session keys (using master keys) (using master keys)
•• for session keys, want something robust, for session keys, want something robust, providing strong encryption and also providing strong encryption and also authentication (for arbitrary, unstructured authentication (for arbitrary, unstructured bitpatternsbitpatterns))
• Keywrapping gives more confusion and diffusion in encryption of a session key …plus authentication block
• 64 bit authentication block, A, initialised to A6A6A6A6A6A6A6A6
• 64 bit data blocks, P(1) … P(n)
• s = 6 x n rounds
• easy to encrypt / decrypt
A(0) := A6A6A6A6A6A6A6A6
P(1) ... P(n) := plaintext blocks
for t = 0 ... s-1 do
W := AES[MKey, A(t) || P(nxt+1)]
A(t+1) := (t+1) XOR MSB64(W)
P(nx(t+1)+n) := LSB64(W)
P(nx(t+1)+1) ... (nx(t+1)+(n-1)) :=
P(nxt+2) ... (nxt+n)
Output: A(s) , P(nxs+1) ... P(nx(s+1))
RSARSA--PSS Digital SignaturesPSS Digital Signatures
•• raw RSA is raw RSA is ‘‘malleablemalleable’’ …… vulnerable to chosen vulnerable to chosen
ciphertextciphertext attack attack …… because of because of
C(MC(M11) x C(M) x C(M22) = C(M) = C(M11 x Mx M22))
•• RSARSA--PSS invented to give greater security to PSS invented to give greater security to
RSA based signaturesRSA based signatures
•• used to create signaturesused to create signatures
•• includes padding / salt (c.f. OAEP)includes padding / salt (c.f. OAEP)
•• easy to create / verifyeasy to create / verify
RSA-PSS
verify here
RSA-sign
Elliptic Curve Digital SignaturesElliptic Curve Digital Signatures
•• a digital signature scheme, simpler than a digital signature scheme, simpler than DSA, but with similar security propertiesDSA, but with similar security properties
•• uses elliptic curves with large prime orderuses elliptic curves with large prime order
•• global parameters:global parameters:–– a large prime a large prime qq
–– elliptic curve elliptic curve EEqq(a,b(a,b)) specified by specified by a,ba,b
–– base point base point GG =(=(xxgg,y,ygg)) on curve on curve EEqq(a,b(a,b))
–– prime order of base point, prime order of base point, nn , i.e. , i.e. nn is smallest is smallest multiple of multiple of GG such that such that nGnG == OO
•• key generationkey generation …… signer side (Bob)signer side (Bob)
–– select select dd: : 11 <=<= dd <=<= nn--11 …… private key private key
–– compute compute QQ == dGdG in in EEqq(a,b(a,b)) …… public keypublic key
•• signing signing
–– �� select select kk: : 11 <=<= kk <=<= nn--11 , , kk coprimecoprime to to nn
–– compute compute PP == kGkG == ((x,yx,y)) in in EEqq(a,b(a,b))
–– compute compute rr == xx modmod nn …… if if rr == 00 go to go to ��
–– compute compute kk--11 modmod nn
–– compute compute ss == kk--11(H(M)+dr)(H(M)+dr) modmod nn
•• if if ss == 00 go to go to �� …… else else ss coprimecoprime to to nn
–– signature is signature is ((r,sr,s))
•• verifying verifying
–– check (both) check (both) 11 <=<= r,sr,s <=<= nn--11
–– compute compute ww == ss--11 modmod nn
–– compute compute uu11 == H(M)wH(M)w and and uu22 == rwrw
–– compute compute XX =(x=(x11,y,y11)=)= uu11GG ++ uu22QQ in in EEqq(a,b(a,b))
–– if if XX == OO reject reject ……
–– else compute else compute vv == xx11 modmod nn
–– accept signature if accept signature if vv == rr
Elliptic Curve Digital Signature
SHASHA--33
•• the new replacement for SHAthe new replacement for SHA--1 and 1 and SHASHA--2, plug2, plug--compatible with SHAcompatible with SHA--2 2
•• ready and available in case itready and available in case it’’s ever s ever needed due to any weakness in SHAneeded due to any weakness in SHA--2 2 being discovered (none suspected so far)being discovered (none suspected so far)
•• announced in 2012announced in 2012
•• from the same stable that produced AESfrom the same stable that produced AES
SHASHA--3 Hash Operation3 Hash Operation
•• SHASHA--3 uses the idea of a sponge function3 uses the idea of a sponge function
A sponge function uses an internal state with size b bits. This is bigger than the input (and) output block size of r bits, and allows for more complicated transformations of the input to output.
The capacity c = b - r, is a measure of the additional ‘scrambling power’ that can be applied to the input.
The squeezing phase iteratively rehashes the output-so-far until the required length is produced.
Sponge
function
structure
SHASHA--3 and 3 and KeccakKeccak•• the sponge function used in SHAthe sponge function used in SHA--3 is 3 is
called called KeccakKeccak (f in the sponge iteration)(f in the sponge iteration)
•• internal internal blocksizeblocksize = 1600 bits= 1600 bits
SHA-3 Parameters
2512238422562224Second
preimage
resistance
2256219221282112Collision
resistance
1024768512448Capacity c
24242424Number of
Rounds
64646464Word Size
57683210881152Block Size
(bitrate r)
no maximumno maximumno maximumno maximumMessage
Size
512384256224Message
Digest Size
Total is 1600
Each L[x,y] is a ‘lane’ a[x,y,z] … z = 0 … 63
Lanes aggregate to columns C[x] … y = 0 … 4
Keccak internal blockinternal block structure
KeccakKeccak
•• KeccakKeccak (f in the sponge iteration)(f in the sponge iteration) works on works on
the internal statethe internal state
•• internal block (1600 bits) is internal block (1600 bits) is organisedorganised in a in a
3D grid (2D grid of lanes)3D grid (2D grid of lanes)
•• KeccakKeccak (f in the sponge iteration)(f in the sponge iteration) is a is a
composition of fivecomposition of five individual individual
transformations transformations …… applied in 24 roundsapplied in 24 rounds
•• theta (theta (θθ) ) ;; rho (rho (ρρ) ) ;; pi (pi (ππ) ) ;; chi (chi (χχ) ) ;; iota (iota (ιι))
sequential composition
Keccak
function
structure
24 rounds
Step Functions in SHA-3
W[0, 0] is updated by XOR with a round constant.Substitutionι
New value of each bit in each word depends on its current value
and on one bit in next word in the same row and one bit in the
second next word in the same row..
Substitutionχχχχ
Words are permuted in the 5×5 matrix. W[0, 0] is not affected.Permutationππππ
The bits of each word are permuted using a circular bit shift.
W[0, 0] is not affected.Permutationρρρρ
New value of each bit in each word depends its current value
and on one bit in each word of preceding column and one bit of
each word in succeeding column.
Substitution�
DescriptionTypeFunction
Theta
Rho
rho (a[x,y,z]) = a[x,y,(z – (t+1)(t+2)/2 mod 64)]
where 0 <= t <= 24 and
( ) ( ) = ( ) in GF(5)2x2
z dimension manipulated / a[0,0] unchanged
0 1
2 3
1
0
xy
t
�������������� �������������������������
27286210y = 0
205564436y = 1
392543103y = 2
821154541y = 3
145661218y = 4
x = 4x = 3x = 2x = 1x = 0
Pi
pi (L[x,y]) = L[x’,y’]
where
( )( ) = ( )0 1
2 3
x’ xyy’
Chi
chi (C[x]) = C[x] xor ((not C[x+1]) and C[x+2])
Iota
iota (L[0,0]) = L[0,0] xor RC(iround_number)
SHASHA--3 Summary3 Summary
• 3D structure unlike SHA-2 and SHA-1
• each step simple, focusing on one or two dimensions … simpler to analyse for assurance of security
• combination gives a strong hash function