Chapter 3 Public-Key Cryptography and Message Authentication Network Security Chapter 3 Public-Key Cryptography and Message Authentication Slides by H. Johnson & S. Malladi- Modified & Translated by Sukchatri P.

Overview Message Authentication Secure Hash Functions and HMAC University of Phayao 17/11/2018 Overview Message Authentication Secure Hash Functions and HMAC Public-Key Cryptography Principles Public-Key Cryptography Algoroithms Digital Signatures Key Management

University of Phayao 17/11/2018 Authentication “A message, file, document or data is said to be authentic when it is genuine and came from its alleged source.” ข้อความ, ไฟล์เอกสารหรือข้อมูลที่มีการกล่าวถึงเป็น จริงเมื่อมันเป็นของแท้และมาจากแหล่งที่ถูกต้อง Encryption prevents against passive attacks ( eavesdropping) การเข้ารหัสป้องกันการโจมตีแบบพาสซีฟ (แอบฟัง) Message Authentication prevents against active attacks or falsification. ข้อความรับรองความถูกต้องป้องกันการ โจมตีที่ใช้งานหรือการกระทำผิด

Message Authentication University of Phayao 17/11/2018 Message Authentication Requirements - must be able to verify that: (ความต้องการ – ต้องสามารถตรวจสอบได้ว่า ) 1. Message came from apparent source or author, ข้อความมาจากแหล่งข้อมูลที่ชัดเจนหรือผู้เขียนจริง 2. Contents have not been altered, เนื้อหาไม่ถูกแก้ไข 3. Sometimes, it was sent at a certain time or sequence. บางครั้งอาจจะถูกส่งไปกับบางช่วงเวลาหรือลำดับ Protection against active attack (falsification of data and transactions) การป้องกันการโจมตีที่ใช้งาน (การกระทำผิดเกี่ยวกับข้อมูลและการทำธุรกรรม)

Approaches to Message Authentication University of Phayao 17/11/2018 Approaches to Message Authentication Authentication Using Conventional Encryption การตรวจสอบการใช้การเข้ารหัสลับแบบปกติดั้งเดิม Only the sender and receiver should share a key เฉพาะผู้ส่ง และผู้รับควรใช้คีย์ร่วมกัน Message Authentication without Message Encryption ข้อความการตรวจสอบสิทธิ์โดยปราศจาก การเข้ารหัสข้อความ An authentication tag is generated and appended to each message แท็กการตรวจสอบจะถูกสร้างและผนวกเข้ากับแต่ละข้อความ Message Authentication Code การตรวจสอบรหัสข้อความ Calculate the MAC as a function of the message and the key. MAC = F(K, M)

Message Authentication University of Phayao 17/11/2018 Message Authentication Using Encryption Assume only sender and receiver share a key สมมติผู้ ส่งเท่านั้นและหุ้นรับสำคัญ Then a correctly encrypted message should be from the sender จากนั้นข้อความที่เข้ารหัสได้อย่างถูกต้องควรจะเป็นจากผู้ ส่ง Usually also contains error-detection code, sequence number and time stamp โดยปกติแล้วยังมีรหัส ข้อผิดพลาดตรวจสอบหมายเลขลำดับและการลงเวลา

University of Phayao 17/11/2018

Message Authentication University of Phayao 17/11/2018 Message Authentication Without Encryption No confidentiality is preferred when: การรักษา ความลับไม่เป็นที่ต้องการเมื่อ Same message is broadcast to many destinations ข้อความเดียวกันนี้มีการถ่ายทอดไปยังปลายทางจำนวนมาก Heavy load and cannot decrypt all messages – some chosen at random ภาระหนักและ ไม่สามารถถอดรหัสข้อความทั้งหมด -- บางส่วนเลือกโดยการสุ่ม No danger in sending plaintext Append authentication tag to each message,ไม่ มีอันตรายในการส่งข้อความ เพิ่มแท็กรับรองความถูกต้องกับแต่ละข้อความได้

Message Authentication University of Phayao 17/11/2018 Message Authentication Message Authentication Code (MAC) Small block of data that is appended to the message บล็อกเล็กของข้อมูลถูกต่อท้ายข้อความ MAC is generated by using a secret key ; MAC จะถูกสร้างขึ้นโดยใช้รหัสลับ Assumes both parties A,B share common secret key KAB Code is function of message and key MACM= F(KAB, M) Message plus code are transmitted

Message Authentication Code University of Phayao 17/11/2018 Message Authentication Code If received code matches calculated code then หากรหัสตรงกับรหัสที่ได้รับการคำนวณแล้ว Receiver is sure message has not been altered ผู้รับ แน่ใจว่าข้อความไม่มีการเปลี่ยนแปลงใดๆ Message is from sender since only sender shares the key ผู้ส่งเท่านั้นที่ให้รหัสไปพร้อมกับการส่งข้อความ If the message includes correct sequence number, that number could not have been altered by hacker ถ้าข้อความหมายมีลำดับที่ถูกต้องรวมถึงจำนวนข้อความที่ไม่ได้ถูก เปลี่ยนแปลงโดยแฮกเกอร์

Message Authentication Code University of Phayao 17/11/2018 Message Authentication Code Different from encryption ที่แตกต่างกันจากการเข้ารหัส MAC does not have to be reversible as the cipher text does in encryption ; MAC ไม่ต้องมีการย้อนกลับและขณะที่ cipher text ทำการเข้ารหัส Because of mathematical properties, it is less vulnerable to being broken than encryption เนื่องจาก คุณสมบัติทางคณิตศาสตร์ จะมีช่องโหวน้อยกว่าการเข้ารหัส 16 to 32 bit code is typical โดยทั่วไปแล้วคือรหัสบิต 16-32

University of Phayao 17/11/2018

University of Phayao 17/11/2018 One-way HASH function Alternative to Message Authentication Code ทางเลือก ในรหัสการตรวจสอบข้อความ Accepts a variable size message M as input and produces a fixed-size message digest H (M) as output ยอมรับตัวแปรขนาด M ข้อความเ ขณะที่การเข้าและการสร้างข้อความ ขนาดคงที่ถูกย่อยออกเป็น H (M)

One-way HASH function University of Phayao 17/11/2018

One-way HASH function University of Phayao 17/11/2018 Secret value is added before the hash and removed before transmission. ค่าความลับจะถูกเพิ่มก่อนที่จะถูกซอยย่อยและลบทิ้งก่อนส่ง

Secure HASH Functions University of Phayao 17/11/2018 Purpose of the HASH function is to produce a “fingerprint” Used in message authentication and digital signatures Properties of a HASH function H : H can be applied to a block of data at any size H produces a fixed length output H(x) is easy to compute for any given x. For any given block x, it is computationally infeasible to find x such that H(x) = h (one-way property) For any given block x, it is computationally infeasible to find with H(y) = H(x). (weak collision resistance) บอบบางต่อความต้านทานการปะทะกัน It is computationally infeasible to find any pair (x, y) such that H(x) = H(y) ( strong collsion resistance)

Simple Hash Function General principle University of Phayao 17/11/2018 Simple Hash Function General principle Input is a sequence of n-bit blocks Input is processed one block at a time to produce an n-bit hash function A simple example is the XOR of each block Ci = bi1  bi2  …  bim Ci is ith bit of hash code 1 <= i <= n m is number of n-bit block in input bij is ith bit in jth block  Is the XOR operation

Simple Hash Function University of Phayao 17/11/2018

Simple Hash Function Improved University of Phayao 17/11/2018 Simple Hash Function Improved To improve- perform a one-bit circular shift on the hash value after each block is processed Initally set the n-bit hash value to zero Process each successive n-bit blok of data by: Rotating current hash value to the left by 1 bit XOR the block into the hash value

SHA-1 Secure Hash Function University of Phayao 17/11/2018 SHA-1 Secure Hash Function The Secure Hash Algorithm( SHA) was developed by the National Institute of Standards and Technology and published in 1993. SHA-1 is 1995 revised version. ฉบับแก้ไขเพิ่มเติม It takes as input a message with maximum length < 264 bits and produces a 160-bit message digest. รองรับข้อความที่เข้ามาได้ถึงความยาวสูงสุด 264 บิตและข้อความย่อยขาออกได้ 160 bit It is processed in 512-bit blocks. มันจะถูกประมวลผลใน บล็อก 512 - bit

Message Digest Generation Using SHA-1 University of Phayao 17/11/2018 Message Digest Generation Using SHA-1

SHA-1 Processing of single 512-Bit Block University of Phayao 17/11/2018

Other Secure HASH functions University of Phayao 17/11/2018 SHA-1 MD5 RIPEMD-160 Digest length 160 bits 128 bits Basic unit of processing 512 bits Number of steps 80 (4 rounds of 20) 64 (4 rounds of 16) 160 (5 paired rounds of 16) Maximum message size 264-1 bits

University of Phayao 17/11/2018 HMAC Use a MAC derived from a cryptographic hash code, such as SHA-1. ใช้ MAC ที่ได้จากการเข้ารหัสลับรหัสแฮช เช่น SHA - 1 Motivations: Cryptographic hash functions executes faster in software than encryptoin algorithms such as DES ฟังก์ชัน แฮช Cryptographic ประมวลผลได้เร็วกว่าในซอฟต์แวร์กว่าขั้นตอนวิธี encryptoin เช่น DES Library code for cryptographic hash functions is widely available มีคลังรหัสสำหรับฟังก์ชันแฮชการเข้ารหัสลับมีใช้อย่าง กว้างขวาง No export restrictions from the US ไม่เข้มงวดในการนำออกจาก US

University of Phayao 17/11/2018 HMAC Structure

Public-Key Cryptography Principles University of Phayao 17/11/2018 The use of two keys has consequences in: key distribution, confidentiality and authentication. The scheme has six ingredients (see Figure 3.7) Plaintext Encryption algorithm Public and private key Ciphertext Decryption algorithm

Encryption using Public-Key system University of Phayao 17/11/2018 Encryption using Public-Key system

Authentication using Public-Key System University of Phayao 17/11/2018

Applications for Public-Key Cryptosystems University of Phayao 17/11/2018 Applications for Public-Key Cryptosystems Three categories: Encryption/decryption: The sender encrypts a message with the recipient’s public key. Digital signature: The sender ”signs” a message with its private key. Key exchange: Two sides cooperate to exhange a session key.

Requirements for Public Key Cryptography University of Phayao 17/11/2018 Requirements for Public Key Cryptography Computationally easy for a party B to generate a pair (public key KUb, private key KRb) Easy for sender to generate ciphertext: Easy for the receiver to decrypt ciphertect using private key:

Requirements for Public Key Cryptography University of Phayao 17/11/2018 Requirements for Public Key Cryptography Computationally infeasible to determine private key (KRb) knowing public key (KUb) Computationally infeasible to recover message M, knowing KUb and ciphertext C Either of the two keys can be used for encryption, with the other used for decryption:

Public Key Algorithms- RSA University of Phayao 17/11/2018 Public Key Algorithms- RSA RSA (1977, Ron Rivest, Adi Shamir and Len Adleman), MIT Most popular and widely implemented Block cipher Plain text and cipher text are integers between 0 and (n-1) for some n C = Me mod n M = Cd mod n = (Me mod n)d = (Med mod n)

Public key Algorithms- RSA University of Phayao 17/11/2018 Public key Algorithms- RSA Both sender and receiver know n and e Only receiver knows d Public key = {e,n} Private key = {d,n} Requirements Should be possible to find e, d, n such that Med = M mod n for all M < n

Requirements continued… University of Phayao 17/11/2018 Requirements continued… Easy to calculate Me and Cd for all M < n Infeasible to determine d, given e and n First two requirements are easy. Third one is also possible if e, n are large

Steps Given in text book including examples University of Phayao 17/11/2018 Steps Given in text book including examples See figure on the next slide We also did some examples in class and in the assignment Please refer solutions for assignment 2

The RSA Algorithm – Key Generation University of Phayao 17/11/2018 The RSA Algorithm – Key Generation Select p,q p and q both prime Calculate n = p x q Calculate Select integer e Calculate d Public Key KU = {e,n} Private key KR = {d,n}

Example of RSA Algorithm University of Phayao 17/11/2018 Example of RSA Algorithm

The RSA Algorithm - Encryption University of Phayao 17/11/2018 The RSA Algorithm - Encryption Plaintext: M<n Ciphertext: C = Me (mod n)

The RSA Algorithm - Decryption University of Phayao 17/11/2018 The RSA Algorithm - Decryption Ciphertext: C Plaintext: M = Cd (mod n)

Public Key Algorithm Diffie-Hellman University of Phayao 17/11/2018 Public Key Algorithm Diffie-Hellman First introduced by Diffie-Hellman in 1976 Mathematical functions rather than simple operations on bit patterns Allows two separate keys Exchange keys securely Compute discrete logarithms Some misconceptions, corrected NOT more secure than symmetric key Does NOT Makes symmetric key obsolete Central agent is needed for both

Diffie-Hellman basics University of Phayao 17/11/2018 Diffie-Hellman basics Pick secret, random Y Pick secret, random X gx mod p gy mod p Alice Bob Compute k=(gy)x=gxy mod p Compute k=(gx)y=gxy mod p

Diffie-Hellman Key Echange University of Phayao 17/11/2018 Diffie-Hellman Key Echange

Diffie-Hellman Key exchange algorithm using public and private values University of Phayao 17/11/2018 Diffie-Hellman Key exchange algorithm using public and private values Based on the discrete logarithm problem To understand the discrete logarithm problem Define the primitive root of p to be one whose powers generate all the integers from 1 to (p-1) from some prime number p

DH details i.e. if a is a primitive root of prime p, University of Phayao 17/11/2018 DH details i.e. if a is a primitive root of prime p, a mod p, a2 mod p, … ,ap-1 mod p are distinct and contain 1 through (p-1) in some order For b less than p and a, find unique exponent i such that b = ai mod p 0 <= i <= (p-1)

DH details continued… i is the discrete logarithm Denoted inda,p(b) University of Phayao 17/11/2018 DH details continued… i is the discrete logarithm Denoted inda,p(b) It is hard to calculate it given ai mod p

Other Public-Key Cryptographic Algorithms University of Phayao 17/11/2018 Digital Signature Standard (DSS) Makes use of the SHA-1 Not for encryption or key echange Elliptic-Curve Cryptography (ECC) Good for smaller bit size Low confidence level, compared with RSA Very complex

University of Phayao 17/11/2018 Digital signatures A digital signature is an encryption of a document with the creator’s private key It is attached to a document that validates the creator of the document Any one can validate it by decrypting the signature with the claimed creator’s public key

Digital signatures on hashes University of Phayao 17/11/2018 Digital signatures on hashes A more efficient way for a digital signature is by creating an authenticator of the document first (a hash) Then sign the hash (i.e. encrypt the hash using private key) If M is the message (or document), Hash(M) = H sigPV(A)(H) represents sigining H i.e. encrypting H with A’s private key

Digital Signatures: The basic idea University of Phayao 17/11/2018 Digital Signatures: The basic idea public key ? public key private key Alice Bob

Key management ? Distribution of public keys Mallory Alice Bob University of Phayao 17/11/2018 Key management Distribution of public keys Well, what’s the issue? Can’t we just trust Mallory if she claims a key as her public key? Mallory public key ? public key private key Alice Bob

Public keys to exchange secret keys University of Phayao 17/11/2018 Public keys to exchange secret keys Using public-keys to exchange secret keys why exchange secret keys? aren’t public keys sufficient?

Authenticity of public keys University of Phayao 17/11/2018 Authenticity of public keys Bob’s key ? private key Bob Alice public key Problem: How does Alice know that the public key she received is really Bob’s public key?

Public-key certificates University of Phayao 17/11/2018 Public-key certificates Anyone can forge public-keys Therefore, use public-key certificates A public-key certificate is a public-key that was signed by a trusted third party (called a certificate authority or CA) See figure on next slide

Key Management Public-Key Certificate Use University of Phayao 17/11/2018

Public-key distribution of secret keys University of Phayao 17/11/2018 Public-key distribution of secret keys How to establish a secret symmetric key between two strangers? Shall we use Diffie-Hellman Does Diffie-Hellman have authentication before values are exchanged How about Stallings’ idea?

Stallings idea continued… University of Phayao 17/11/2018 Stallings idea continued… Prepare a message Encrypt that message using conventional encryption with a one- time conventional session key Encrypt the session key using public-key encryption with Alice’s public key Attach the encrypted session key to the message and send it to Alice Stallings thinks this is secure Do you think so? Do I think so? Yes Do I think it is meaningful? No

Why? Well it is secure but it serves no purpose University of Phayao 17/11/2018 Why? Well it is secure but it serves no purpose There is no authentication message How does Alice know from whom it came from? Anyone can prepare that message What is the point of a “secure” and secret message if I can’t trust the person who sent it? Would you let your kid accept a gift box that is highly secure (locked etc.) from a stranger and walk home with it after school?

Other problems with public keys University of Phayao 17/11/2018 Other problems with public keys PRIVATE KEY PUBLIC KEY “I am Alice” fresh random challenge C sigAlice(C) Alice Bob Verify Alice’s signature on c Potential problem: Alice will sign anything

Mafia-in-the-Middle Attack (from Anderson’s book) University of Phayao 17/11/2018 Mafia-in-the-Middle Attack (from Anderson’s book) PRIVATE KEY K Picture 143! Bank Buy 10 gold coins XXX Adult entertainment Over 21 only! Prove your age by signing ‘X’ Sign ‘X’ sigK(x) sigK(x) customer Mafia porn site

University of Phayao 17/11/2018 Merci