Network Security Essentials
Chapter 3
Fourth Edition
by William Stallings
(Based on Lecture slides by Lawrie Brown)
Public Key Cryptography and RSA
Every Egyptian received two names, which were known respectively as the true name and the good name, or the great name and the little name; and while the good or little name was made public, the true or great name appears to have been carefully concealed.
—The Golden Bough, Sir James George Frazer
Outline
  Message authentication
  Public-key cryptography
  Digital signatures
Message Authentication
  message authentication is concerned with:
    protecting the integrity of a message
    validating identity of originator
    non-repudiation of origin (dispute resolution)
  the three alternative functions used:
    message encryption
    hash function
    message authentication code (MAC)
Message Authentication Code
  MAC_M = F(K_AB, M)
  Message not altered
  The alleged sender confirmed
  The proper sequence of messages assured
  Similar to encryption
  NIST recommends the use of DES
  One difference: authentication algorithm need not be reversible, less vulnerable
Hash Functions
  condenses arbitrary message to fixed size
    h = H(M)
  No secret key needed
  usually assume hash function is public
  hash used to detect changes to message
  want a cryptographic hash function
    computationally infeasible to find data mapping to specific hash (one-way property)
    computationally infeasible to find two data to same hash (collision-free property)
Two Simple Insecure Hash Functions
  consider two simple insecure hash functions
  bit-by-bit exclusive-OR (XOR) of every block
    C_i = b_i1 xor b_i2 xor . . . xor b_im
    a longitudinal redundancy check
    reasonably effective as data integrity check
  one-bit circular shift on hash value
    for each successive n-bit block
      rotate current hash value to left by 1 bit and XOR block
    good for data integrity but useless for security
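The following added example (not part of the original slides) implements both checksums and shows why they catch accidental errors yet cannot authenticate anything: with no key and a linear structure, one appended block makes any altered message hash to the original value. The 32-bit block size, function names and sample messages are assumptions of this example.

```python
# Added illustration of the two checksums on this slide; names are this example's own.
from functools import reduce

N_BYTES = 4                     # assumed block size: n = 32 bits
MASK = (1 << 32) - 1

def blocks(msg: bytes) -> list:
    """Zero-pad to a whole number of blocks and return them as n-bit integers."""
    msg += b"\x00" * (-len(msg) % N_BYTES)
    return [int.from_bytes(msg[i:i + N_BYTES], "big") for i in range(0, len(msg), N_BYTES)]

def xor_hash(msg: bytes) -> int:
    """C = b_1 xor b_2 xor ... xor b_m, the longitudinal redundancy check."""
    return reduce(lambda h, b: h ^ b, blocks(msg), 0)

def rotl1(h: int) -> int:
    """One-bit circular left shift of a 32-bit value."""
    return ((h << 1) | (h >> 31)) & MASK

def rxor_hash(msg: bytes) -> int:
    """Rotate the running hash left by 1 bit, then XOR in the next block."""
    h = 0
    for b in blocks(msg):
        h = rotl1(h) ^ b
    return h

def same_hash_variant(altered: bytes, target: int, rotate: bool) -> bytes:
    """Append one block so that `altered` hashes to `target`.

    No key is involved and both functions are linear over XOR, so the
    final block needed is computed directly, with no search at all.
    """
    padded = altered + b"\x00" * (-len(altered) % N_BYTES)
    h = rotl1(rxor_hash(padded)) if rotate else xor_hash(padded)
    return padded + (h ^ target).to_bytes(N_BYTES, "big")

# Constructed sample messages.
ORIGINAL = b"PAY 100 TO ALICE"
ALTERED = b"PAY 900 TO SOMEONE ELSE"

def demo() -> dict:
    flipped = bytes([ORIGINAL[0] ^ 0x01]) + ORIGINAL[1:]      # accidental 1-bit error
    return {
        "bit_error_detected": xor_hash(flipped) != xor_hash(ORIGINAL)
                              and rxor_hash(flipped) != rxor_hash(ORIGINAL),
        "xor_match": xor_hash(same_hash_variant(ALTERED, xor_hash(ORIGINAL), False))
                     == xor_hash(ORIGINAL),
        "rxor_match": rxor_hash(same_hash_variant(ALTERED, rxor_hash(ORIGINAL), True))
                      == rxor_hash(ORIGINAL),
    }

if __name__ == "__main__":
    print(demo())
```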
Simple Hash Function Using
Bitwise XOR
Hash Function Requirements
Attacks on Hash Functions
  have brute-force attacks and cryptanalysis
  a preimage or second preimage attack
    find y s.t. H(y) equals a given hash value
  collision resistance
    find two messages x & y with same hash so H(x) = H(y)
  hence value 2^(m/2) determines strength of hash code against brute-force attacks
    128-bits inadequate, 160-bits suspect
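To make the 2^(m/2) figure concrete, this added example (not from the slides) truncates SHA-256 to m bits and counts how many messages must be hashed before any two collide. The truncation, the counter-style messages and the function names are assumptions chosen so the measurement finishes quickly; it motivates why short hash codes are rejected.

```python
# Added illustration of the birthday bound; names are this example's own.
import hashlib

def truncated_hash(data: bytes, m_bits: int) -> int:
    """First m_bits of SHA-256, standing in for an m-bit hash code."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - m_bits)

def first_collision(m_bits: int):
    """Hash distinct constructed messages until two share a hash value.

    Returns (x, y, trials) where x != y and both hash to the same m-bit value.
    """
    seen = {}
    trials = 0
    while True:
        msg = b"msg-%d" % trials          # constructed, all distinct
        trials += 1
        h = truncated_hash(msg, m_bits)
        if h in seen:
            return seen[h], msg, trials
        seen[h] = msg

def summarize(sizes=(16, 24, 32)):
    """For each m: (m, trials actually needed, 2^(m/2), 2^m)."""
    rows = []
    for m in sizes:
        _, _, trials = first_collision(m)
        rows.append((m, trials, 2 ** (m // 2), 2 ** m))
    return rows

if __name__ == "__main__":
    for m, trials, birthday, exhaustive in summarize():
        print(f"m={m:2d}  collision after {trials:7d} hashes  "
              f"2^(m/2)={birthday:6d}  2^m={exhaustive}")
```

The measured counts track 2^(m/2) rather than 2^m, which is why a 128-bit code offers only about 64 bits of collision resistance.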
Secure Hash Algorithm
  SHA originally designed by NIST & NSA in 1993
  was revised in 1995 as SHA-1
  US standard for use with DSA signature scheme
    standard is FIPS 180-1 1995, also Internet RFC3174
    nb. the algorithm is SHA, the standard is SHS
  based on design of MD4 with key differences
  produces 160-bit hash values
  recent 2005 results on security of SHA-1 have raised concerns on its use in future applications
Revised Secure Hash Standard
  NIST issued revision FIPS 180-2 in 2002
  adds 3 additional versions of SHA:
    SHA-256, SHA-384, SHA-512
  designed for compatibility with increased security provided by the AES cipher
  structure & detail is similar to SHA-1
  hence analysis should be similar, but security levels are rather higher
  NIST FIPS 180-3 (in 2008) adds SHA-224
  RFC 4634 details SHA-224, -256, -384, -512
SHA Versions
SHA-512 Overview
SHA-512 Compression Function
  heart of the algorithm
  processing message in 1024-bit blocks
  consists of 80 rounds
    updating a 512-bit buffer
    using a 64-bit value W_t derived from the current message block
    and a round constant based on cube root of first 80 prime numbers
Keyed Hash Functions as MACs
  want a MAC based on a hash function
    because hash functions are generally faster
    crypto hash function code is widely available
  hash includes a key along with message
  original proposal:
    KeyedHash = Hash(Key|Message)
    some weaknesses were found with this
  eventually led to development of HMAC
HMAC Design Objectives
  use, without modifications, hash functions
  allow for easy replaceability of embedded hash function
  preserve original performance of hash function without significant degradation
  use and handle keys in a simple way.
  have well understood cryptographic analysis of authentication mechanism strength
HMAC
  specified as Internet standard RFC2104
  uses hash function on the message:
    HMAC_K(M) = Hash[ (K+ XOR opad) || Hash[ (K+ XOR ipad) || M ] ]
    where K+ is the key padded out to size
    opad, ipad are specified padding constants
  overhead is just 3 more hash calculations than the message needs alone
  any hash function can be used
    eg. MD5, SHA-1, RIPEMD-160, Whirlpool
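The formula above, built step by step and checked against Python's standard hmac module, as an added example that is not part of the original slides. The helper names and sample key and message are this example's own; the 0x36/0x5C padding bytes and the rule of hashing over-long keys come from RFC 2104. Swapping the hash name illustrates the "easy replaceability" design objective.

```python
# Added illustration of the HMAC formula; helper names are this example's own.
import hashlib
import hmac

IPAD_BYTE = 0x36   # RFC 2104 inner padding constant
OPAD_BYTE = 0x5C   # RFC 2104 outer padding constant

def hmac_from_formula(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC_K(M) = Hash[ (K+ XOR opad) || Hash[ (K+ XOR ipad) || M ] ]."""
    def H(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    block_size = hashlib.new(hash_name).block_size   # 64 for SHA-256, 128 for SHA-512
    if len(key) > block_size:                        # RFC 2104: hash over-long keys first
        key = H(key)
    k_plus = key.ljust(block_size, b"\x00")          # K+: key zero-padded to block size
    inner_key = bytes(b ^ IPAD_BYTE for b in k_plus)
    outer_key = bytes(b ^ OPAD_BYTE for b in k_plus)
    return H(outer_key + H(inner_key + msg))

def verify(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_from_formula(key, msg, hash_name), tag)

def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """The same construction with three different embedded hash functions."""
    return all(
        hmac_from_formula(key, msg, name) == hmac.new(key, msg, name).digest()
        for name in ("sha1", "sha256", "sha512")
    )

# Constructed sample key and message.
KEY = b"shared-secret-K_AB"
MESSAGE = b"transfer 100 to account 42"

if __name__ == "__main__":
    tag = hmac_from_formula(KEY, MESSAGE)
    print("tag:", tag.hex())
    print("matches hmac module:", matches_stdlib(KEY, MESSAGE))
    print("altered message accepted:", verify(KEY, MESSAGE + b"0", tag))
```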
HMAC Overview
HMAC Security
  proved security of HMAC relates to that of the underlying hash algorithm
  attacking HMAC requires either:
    brute force attack on key used
    birthday attack (but since keyed would need to observe a very large number of messages)
  choose hash function used based on speed versus security constraints
CMAC
  previously saw the DAA (CBC-MAC)
  widely used in govt & industry
  but has message size limitation
  can overcome using 2 keys & padding
  thus forming the Cipher-based Message Authentication Code (CMAC)
  adopted by NIST SP800-38B
CMAC Overview
Authenticated Encryption
  simultaneously protect confidentiality and authenticity of communications
    often required but usually separate
  approaches
    Hash-then-encrypt: E(K, (M || H(M)))
    MAC-then-encrypt: E(K2, (M || MAC(K1, M)))
    Encrypt-then-MAC: (C=E(K2, M), T=MAC(K1, C))
    Encrypt-and-MAC: (C=E(K2, M), T=MAC(K1, M))
  decryption / verification straightforward
  but security vulnerabilities with all these