Network Security Materials 3 (ppt)

Network Security Essentials
Chapter 3
Fourth Edition
by William Stallings
(Based on Lecture slides by Lawrie Brown)

Public Key Cryptography and RSA

Every Egyptian received two names, which were known respectively as the true name and the good name, or the great name and the little name; and while the good or little name was made public, the true or great name appears to have been carefully concealed.
The Golden Bough, Sir James George Frazer

Outline

Message authentication
Public-key cryptography
Digital signatures

Message Authentication

message authentication is concerned with:
  protecting the integrity of a message
  validating identity of originator
  non-repudiation of origin (dispute resolution)
the three alternative functions used:
  message encryption
  hash function
  message authentication code (MAC)

Message Authentication Code

MAC_M = F(K_AB, M)
Message not altered
The alleged sender confirmed
The proper sequence of messages assured
Similar to encryption
NIST recommends the use of DES
One difference: authentication algorithm need not be reversible, less vulnerable

Hash Functions

condenses arbitrary message to fixed size
  h = H(M)
No secret key needed
usually assume hash function is public
hash used to detect changes to message
want a cryptographic hash function
  computationally infeasible to find data mapping to specific hash (one-way property)
  computationally infeasible to find two data to same hash (collision-free property)

Two Simple Insecure Hash Functions

consider two simple insecure hash functions
bit-by-bit exclusive-OR (XOR) of every block
  C_i = b_i1 xor b_i2 xor . . . xor b_im
  a longitudinal redundancy check
  reasonably effective as data integrity check
one-bit circular shift on hash value
  for each successive n-bit block
    rotate current hash value to left by 1 bit and XOR block
  good for data integrity but useless for security

Simple Hash Function Using Bitwise XOR
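
Why the rotated-XOR hash is "good for data integrity but useless for security", as an added example that is not part of the original slides. It assumes 32-bit blocks with zero padding; the function names and sample messages are constructed for illustration.

```python
# Added example (not from the slides): the two simple hashes on 32-bit blocks.
N_BYTES = 4              # assumed block size: n = 32 bits
MASK = 0xFFFFFFFF

def pad(msg: bytes) -> bytes:
    """Zero-pad msg to a whole number of n-bit blocks."""
    return msg + b"\x00" * (-len(msg) % N_BYTES)

def blocks(msg: bytes):
    """Split the padded message into n-bit integers."""
    msg = pad(msg)
    return [int.from_bytes(msg[i:i + N_BYTES], "big")
            for i in range(0, len(msg), N_BYTES)]

def xor_hash(msg: bytes) -> int:
    """C = b_1 xor b_2 xor ... xor b_m (longitudinal redundancy check)."""
    h = 0
    for b in blocks(msg):
        h ^= b
    return h

def rotl1(x: int) -> int:
    """Rotate a 32-bit value left by one bit."""
    return ((x << 1) | (x >> 31)) & MASK

def rxor_hash(msg: bytes) -> int:
    """Rotate the running hash left by 1 bit, then XOR in the next block."""
    h = 0
    for b in blocks(msg):
        h = rotl1(h) ^ b
    return h

def compensating_block(altered: bytes, target: int) -> bytes:
    """One extra block that makes rxor_hash(pad(altered) + block) == target.
    No secret is involved, so anyone who can change the message can compute it."""
    return (rotl1(rxor_hash(altered)) ^ target).to_bytes(N_BYTES, "big")

# Constructed sample messages
ORIGINAL = b"PAY ALICE 100 USD"
ALTERED = b"PAY MALLORY 9999 USD"

if __name__ == "__main__":
    # Accidental damage is caught: one flipped bit changes the hash.
    damaged = bytes([ORIGINAL[0] ^ 0x01]) + ORIGINAL[1:]
    print(rxor_hash(damaged) != rxor_hash(ORIGINAL))
    # A deliberate change is not: the altered message ends up with the original hash.
    forged = pad(ALTERED) + compensating_block(ALTERED, rxor_hash(ORIGINAL))
    print(rxor_hash(forged) == rxor_hash(ORIGINAL))
```

The same lack of a one-way property is what the requirements on the following slides rule out.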
Hash Function Requirements

Attacks on Hash Functions

have brute-force attacks and cryptanalysis
a preimage or second preimage attack
  find y s.t. H(y) equals a given hash value
collision resistance
  find two messages x & y with same hash so H(x) = H(y)
hence value 2^(m/2) determines strength of hash code against brute-force attacks
  128-bits inadequate, 160-bits suspect
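
The 2^(m/2) figure above can be observed directly on a deliberately shortened hash code. This is an added example, not from the slides: it assumes an m-bit hash built by truncating SHA-256, and the messages are constructed counters.

```python
import hashlib

def trunc_hash(msg: bytes, m_bits: int) -> int:
    """First m_bits of SHA-256(msg): a stand-in for an m-bit hash code."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - m_bits)

def find_collision(m_bits: int):
    """Hash distinct constructed messages until two share an m-bit code.

    Returns (x, y, attempts). By the birthday paradox the expected number
    of attempts is on the order of 2^(m/2), not 2^m.
    """
    seen = {}                      # hash code -> first message that produced it
    i = 0
    while True:
        msg = b"msg-%d" % i
        h = trunc_hash(msg, m_bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
        i += 1

def survey(sizes=(16, 24, 32)):
    """Attempts needed per hash length, next to the 2^(m/2) estimate."""
    return {m: (find_collision(m)[2], 2 ** (m // 2)) for m in sizes}

if __name__ == "__main__":
    for m, (attempts, estimate) in survey().items():
        print(f"m={m:2d} bits: collision after {attempts} hashes "
              f"(2^(m/2) = {estimate}, 2^m = {2 ** m})")
```

Each extra bit of hash length multiplies the collision work by only the square root of two, which is why the slide judges hash lengths by m/2 rather than m.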
Secure Hash Algorithm

SHA originally designed by NIST & NSA in 1993
was revised in 1995 as SHA-1
US standard for use with DSA signature scheme
  standard is FIPS 180-1 1995, also Internet RFC3174
  nb. the algorithm is SHA, the standard is SHS
based on design of MD4 with key differences
produces 160-bit hash values
recent 2005 results on security of SHA-1 have raised concerns on its use in future applications

Revised Secure Hash Standard

NIST issued revision FIPS 180-2 in 2002
adds 3 additional versions of SHA: SHA-256, SHA-384, SHA-512
designed for compatibility with increased security provided by the AES cipher
structure & detail is similar to SHA-1
hence analysis should be similar, but security levels are rather higher
NIST FIPS 180-3 (in 2008) adds SHA-224
RFC 4634 details SHA-224, -256, -384, -512

SHA Versions

SHA-512 Overview

SHA-512 Compression Function

heart of the algorithm
processing message in 1024-bit blocks
consists of 80 rounds
  updating a 512-bit buffer
  using a 64-bit value Wt derived from the current message block
  and a round constant based on cube root of first 80 prime numbers

Keyed Hash Functions as MACs

want a MAC based on a hash function
  because hash functions are generally faster
  crypto hash function code is widely available
hash includes a key along with message
original proposal:
  KeyedHash = Hash(Key|Message)
  some weaknesses were found with this
eventually led to development of HMAC

HMAC Design Objectives

use, without modifications, hash functions
allow for easy replaceability of embedded hash function
preserve original performance of hash function without significant degradation
use and handle keys in a simple way.
have well understood cryptographic analysis of authentication mechanism strength

HMAC

specified as Internet standard RFC2104
uses hash function on the message:
  HMAC_K(M) = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]
  where K+ is the key padded out to size
  opad, ipad are specified padding constants
overhead is just 3 more hash calculations than the message needs alone
any hash function can be used
  eg. MD5, SHA-1, RIPEMD-160, Whirlpool

HMAC Overview
HMAC Security

proved security of HMAC relates to that of the underlying hash algorithm
attacking HMAC requires either:
  brute force attack on key used
  birthday attack (but since keyed would need to observe a very large number of messages)
choose hash function used based on speed versus security constraints

CMAC

previously saw the DAA (CBC-MAC)
widely used in govt & industry
but has message size limitation
can overcome using 2 keys & padding
thus forming the Cipher-based Message Authentication Code (CMAC)
adopted by NIST SP800-38B

CMAC Overview

Authenticated Encryption

simultaneously protect confidentiality and authenticity of communications
  often required but usually separate
approaches
  Hash-then-encrypt: E(K, (M || H(M)))
  MAC-then-encrypt: E(K2, (M || MAC(K1, M)))
  Encrypt-then-MAC: (C = E(K2, M), T = MAC(K1, C))
  Encrypt-and-MAC: (C = E(K2, M), T = MAC(K1, M))
decryption / verification straightforward
but security vulnerabilities with all these
