eran tromer slide credits: john mitchell, stanford
DESCRIPTION
Introduction to Information Security 0368-3065, Spring 2014 Lecture 6: Cryptography overview (2/2). Eran Tromer Slide credits: John Mitchell, Stanford. Hash functions and message integrity. Cryptographic hash functions. Length-reducing function h - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader036.vdocument.in/reader036/viewer/2022070410/5681463f550346895db348ef/html5/thumbnails/1.jpg)
1
Introduction to Information Security0368-3065, Spring 2014
Lecture 6: Cryptography overview (2/2)
Eran Tromer
Slide credits:John Mitchell, Stanford
![Page 2: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader036.vdocument.in/reader036/viewer/2022070410/5681463f550346895db348ef/html5/thumbnails/2.jpg)
2
Hash functions and message integrity
![Page 3: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader036.vdocument.in/reader036/viewer/2022070410/5681463f550346895db348ef/html5/thumbnails/3.jpg)
3
Cryptographic hash functions
Length-reducing function h • Map arbitrary strings to strings of fixed length
One way (“preimage resistance”)• Given y, hard to find x with h(x)=y
Collision resistant• Hard to find any distinct m, m’ with h(m)=h(m’)
Also useful: 2nd preimage resistance• Given x, hard to find x’x with h(x’)=h(x)• Collision resistance 2nd preimage resistance
![Page 4: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader036.vdocument.in/reader036/viewer/2022070410/5681463f550346895db348ef/html5/thumbnails/4.jpg)
4
Applications of one-way hash
Password files (one way)
Digital signatures (collision resistant)
• Sign hash of message instead of entire message
Data integrity• Compute and securely store hash of some data• Check later by recomputing hash and comparing
Keyed hash for message authentication• MAC – Message Authentication Code
![Page 5: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader036.vdocument.in/reader036/viewer/2022070410/5681463f550346895db348ef/html5/thumbnails/5.jpg)
5
Common hash functions: SHA-1, SHA-256
h h h
m[0] m[1] m[2] m[3]
hIV H(m)
Merkle-Damgard construction: (simplified)
64 x
Fixedconstants
(Expanded)message
![Page 6: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader036.vdocument.in/reader036/viewer/2022070410/5681463f550346895db348ef/html5/thumbnails/6.jpg)
6
Symmetric-key integrity:MAC (Message Authentication Code)
Goal: message integrity. No confidentiality.
6
Alice Bob
k k
Message m tag
Generate tag: tag S(k, m)
Verify tag: V(k, m, tag) = 0/1
?
note: non-keyed checksum (CRC) is an insecure MAC!
Keygeneration
![Page 7: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader036.vdocument.in/reader036/viewer/2022070410/5681463f550346895db348ef/html5/thumbnails/7.jpg)
7
Secure MACs
Attacker’s power: chosen message attack.• for m1,m2,…,mq attacker is given ti S(k,mi)
Attacker’s goal: existential forgery.• produce some new valid message/tag pair (m,t).
(m,t) { (m1,t1) , … , (mq,tq) }
Existential unforgeability security:no feasible attacker can witn the above game with more than negligible probability.
![Page 8: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader036.vdocument.in/reader036/viewer/2022070410/5681463f550346895db348ef/html5/thumbnails/8.jpg)
8
Construction 1: ECBC
8
Raw CBC
E(k,) E(k,) E(k,)
m[0] m[1] m[2] m[3]
E(k,)
E(k1,) tagkey = (k, k1)
![Page 9: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader036.vdocument.in/reader036/viewer/2022070410/5681463f550346895db348ef/html5/thumbnails/9.jpg)
9 9
Construction 2: HMAC (Hash-MAC)
Most widely used MAC on the Internet.
H: hash function. example: SHA-256 ; output is 256
bits
Building a MAC out of a hash function:
Standardized method: HMAC S( k, m ) = H( kopad || H( kipad || m ))
![Page 10: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader036.vdocument.in/reader036/viewer/2022070410/5681463f550346895db348ef/html5/thumbnails/10.jpg)
11
Public-key Cryptography
![Page 11: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader036.vdocument.in/reader036/viewer/2022070410/5681463f550346895db348ef/html5/thumbnails/11.jpg)
12
Complexity Classes
Answer in polynomial space may need exhaustive search
If yes, can guess and check in polynomial time
Answer in polynomial time, with high probability
Answer in polynomial time compute answer directly
P
BPP
NP
PSpace
easy
hard
![Page 12: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader036.vdocument.in/reader036/viewer/2022070410/5681463f550346895db348ef/html5/thumbnails/12.jpg)
13
Example: RSA
Arithmetic modulo pq• Generate secret primes p, q • Generate secret numbers e, d with xed x mod pq
(typically, e=65537)
Public encryption key n, e• Encrypt(n, e, x) = xe mod n
Private decryption key n, b• Decrypt(n, d, y) = yd mod n
Main properties• This appears to be a “trapdoor permutation”• Cannot compute d from n,e
Apparently, need to factor n = pq
n
![Page 13: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader036.vdocument.in/reader036/viewer/2022070410/5681463f550346895db348ef/html5/thumbnails/13.jpg)
14
Why RSA works
Let p, q be two distinct primes and let n=pq• Encryption, decryption based on group Zn
*
• For n=pq, order (n) = (p-1)*(q-1)
Key pair: e, d with ed 1 mod (n)• Encrypt(x) = xe mod n• Decrypt(y) = yd mod n• Since ed 1 mod (n), have xed x mod n
By Eurler’s theorem, generalizing Fermat’s little theorem (if gcd(x,n) != 1, then by “Chinese remainder theorem”)
![Page 14: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader036.vdocument.in/reader036/viewer/2022070410/5681463f550346895db348ef/html5/thumbnails/14.jpg)
15
Textbook RSA is insecure
What if message is from a small set (yes/no)?• Can build table
What if I want to outbid you in secret auction?• I take your encrypted bid c and submit c (101/100)e mod n
What if there’s some protocol in which I can learn other message decryptions?
![Page 15: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader036.vdocument.in/reader036/viewer/2022070410/5681463f550346895db348ef/html5/thumbnails/15.jpg)
16
OAEP [BR94, Shoup ’01]
Preprocess message for RSA
If RSA is trapdoor permutation, then this is chosen-ciphertext secure (if H,G “random oracles”)
In practice: use SHA-1 or MD5 for H and G
H+
G +
Plaintext to encrypt with RSA
rand.Message 01 00..0
Check padon decryption.Reject CT if invalid.
{0,1}n-1
![Page 16: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader036.vdocument.in/reader036/viewer/2022070410/5681463f550346895db348ef/html5/thumbnails/16.jpg)
17
Digital Signatures
Public-key encryption• Alice publishes encryption key• Anyone can send encrypted message• Only Alice can decrypt messages with this key
Digital signature scheme• Alice publishes key for verifying signatures• Anyone can check a message signed by Alice• Only Alice can send signed messages
![Page 17: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader036.vdocument.in/reader036/viewer/2022070410/5681463f550346895db348ef/html5/thumbnails/17.jpg)
18
Properties of signatures
Functions to sign and verify• Sign(Key-1, message)
• Verify(Key, x, m) =
Resists forgery• Cannot compute Sign(Key-1, m) from m and Key• Resists existential forgery:
given Key, cannot produce Sign(Key-1, m) for any random or arbitrary m
true if x = Sign(Key-1, m)false otherwise
![Page 18: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader036.vdocument.in/reader036/viewer/2022070410/5681463f550346895db348ef/html5/thumbnails/18.jpg)
19
RSA Signature Scheme
Publish decryption instead of encryption key• Alice publishes decryption key • Anyone can decrypt a message encrypted by Alice• Only Alice can send encrypt messages
In more detail,• Alice generates primes p, q and key pair e, d• Sign(x) = xd mod n• Verify(y) = ye mod n• Since ed 1 mod (n), have xde x mod n
Generally, sign hash of message instead of full plaintext
![Page 19: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader036.vdocument.in/reader036/viewer/2022070410/5681463f550346895db348ef/html5/thumbnails/19.jpg)
20
Public-key infrastructure
![Page 20: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader036.vdocument.in/reader036/viewer/2022070410/5681463f550346895db348ef/html5/thumbnails/20.jpg)
21
Public-Key Infrastructure (PKI)
Anyone can send Bob a secret message• Provided they know Bob’s public key
How do we know a key belongs to Bob?• If imposter substitutes another key, can read Bob’s mail
One solution: PKI• Trusted root authority (VeriSign, IBM, United Nations)
Everyone must know the verification key of root authority Check your browser; there are hundreds!!
• Root authority can sign certificates• Certificates identify others, including other authorities• Leads to certificate chains• Most common standard “X.509”
![Page 21: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader036.vdocument.in/reader036/viewer/2022070410/5681463f550346895db348ef/html5/thumbnails/21.jpg)
22
Public-Key Infrastructure
Certificate Authority
Client Server
Known public signature verification key Ka
Sign(Ka-1, Ks), Sign(Ks, msg)
CertificateSign(Ka-1, Ks)Ks
Server certificate can be verified by any client that has CA key Ka
Certificate authority is “off line”
Ka
![Page 22: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader036.vdocument.in/reader036/viewer/2022070410/5681463f550346895db348ef/html5/thumbnails/22.jpg)
23
CA
![Page 23: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader036.vdocument.in/reader036/viewer/2022070410/5681463f550346895db348ef/html5/thumbnails/23.jpg)
24
Certificate authorities – practical problems
• Certification policy – when to sign server’s certificates?
• Inclusion in database of trusted Cas– Default database in browsers, OSs– Updates
• Transitive trusts, sub-CAs
• Practically:– Lax verification (attacks known)– Lax security (attacks known)– National/commercial bodies with diverse interests