
Prof. Reuven Aviv, Tel Hai Academic College, Department of Computer Science
Public Key Cryptography and Message Authentication
(Slides adapted from Stallings, Network Security Essentials, 4th Ed)

Contents
- Message Authentication
- Secure Hash Function
- Message Authentication Codes
- Public-Key Cryptography Principles
- Public-Key Cryptography Algorithms
- Literature: Stallings, Network Security Essentials, 4th Ed, Ch. 3

Message Authentication
- Message authentication is concerned with:
  - protecting the integrity of a message
  - validating the identity of the originator
- Note: authentication is not confidentiality
- Method: Message Authentication Code (MAC)
  - a small secret block of data, derived from the message and a key K shared by the sender and the receiver of the message
- The MAC is appended to the message
- The receiver re-creates the MAC and compares

Message Authentication Code (MAC)
- Receiver: if the MAC re-created by the receiver is identical to the MAC sent with the message, the receiver knows:
  1. the message wasn't changed
  2. the sender knows K
  3. only someone who knows K could have sent this message

Hash Functions
- Hash h = H(M): a fixed-size digest of message M
- The algorithm is public; it is infeasible to invert
- h is sent together with the message M
- Usage: the receiver can detect changes to the message
- A hash function creates a hash code for which it is
  - computationally infeasible to find data mapping to a specific hash code (one-way property)
  - computationally infeasible to find two data items mapping to the same hash code (collision-free property)

One scheme for creating a MAC from a hash
- Create a hash value (or code) h = H(M)
- Construct a MAC by encrypting the hash code
- Send both parts to the receiver
- The question is whether an attacker can change the message without changing the hash code

A simple example of hash code I
- Message X is a series of m blocks: $X = X_1 \| X_2 \| \dots \| X_m$
- Sender:
  - the hash code is a bit-by-bit XOR of the blocks: $H(X) = X_1 \oplus X_2 \oplus \dots \oplus X_m$
  - MAC: encrypt the hash: $C_K(X) = E_K[H(X)]$
  - append $C_K(X)$ to X; send $X \| C_K(X)$
- Suppose an attacker captures $X \| C_K(X)$. He can replace X by a message Y with the same $C_K(X)$, without knowledge of the key K

A simple example of hash code II
- Y is constructed as follows:
  - construct an arbitrary $Y' = Y_1 \| Y_2 \| \dots \| Y_{m-1}$
  - calculate its hash: $H(Y') = Y_1 \oplus Y_2 \oplus \dots \oplus Y_{m-1}$
  - add another block $Y_m$ to $Y'$: $Y = Y' \| Y_m$
  - require: $H(Y) = H(Y' \| Y_m) = H(Y') \oplus Y_m = H(X)$
  - solution: $Y_m = H(Y') \oplus H(X)$
- Hence: $C_K(Y) = E_K[H(Y)] = E_K[H(X)] = C_K(X)$ !!
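The substitution from the two slides above, worked through in Python next to HMAC over the whole message (an added example, not part of the original slides). The 8-byte block size, the sample messages and the key are constructed, and E_K is modelled by a keyed PRF as a stand-in for a block cipher.

```python
import hashlib
import hmac
from functools import reduce

BLOCK = 8  # toy block size in bytes (assumption; the slides leave it open)

def blocks(msg: bytes) -> list:
    """Zero-pad msg to a multiple of BLOCK and split it into X_1..X_m."""
    msg += b"\x00" * (-len(msg) % BLOCK)
    return [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def xor_hash(msg: bytes) -> bytes:
    """H(X) = X_1 xor X_2 xor ... xor X_m, the weak hash from the slides."""
    return reduce(xor, blocks(msg), bytes(BLOCK))

def weak_mac(key: bytes, msg: bytes) -> bytes:
    """C_K(X) = E_K[H(X)]; E_K is a keyed PRF here (stand-in, assumption)."""
    return hmac.new(key, xor_hash(msg), hashlib.sha256).digest()

def strong_mac(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA-256 over the whole message, for comparison."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def substitute(original: bytes, y_prime: bytes) -> bytes:
    """Y = Y' || Y_m with Y_m = H(Y') xor H(X); the key is never used."""
    y_prime = b"".join(blocks(y_prime))
    return y_prime + xor(xor_hash(y_prime), xor_hash(original))

def demo() -> dict:
    key = b"constructed-demo-key"          # constructed sample key
    x = b"PAY 100 TO ALICE"                # constructed original message X
    y = substitute(x, b"PAY 999 TO DARTH") # constructed replacement Y'
    return {
        "messages_differ": x != y,
        "same_hash": xor_hash(x) == xor_hash(y),
        "weak_mac_accepts": hmac.compare_digest(weak_mac(key, y), weak_mac(key, x)),
        "hmac_accepts": hmac.compare_digest(strong_mac(key, y), strong_mac(key, x)),
    }

if __name__ == "__main__":
    print(demo())
```

The receiver's check of the XOR-based MAC passes for Y because the tag depends only on H(X); the HMAC tag covers every bit of the message and the check fails.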

Secure (cryptographic) Hash Functions

Requirements from a hash function
1. H can be applied to a block of data of any size
2. H produces a fixed-length output
3. H(x) is easy to compute for any given x
4. For any given value h, it is computationally infeasible to find x such that H(x) = h
   - the one-way (or pre-image resistant) property
5. For any given block x, it is computationally infeasible to find y, y ≠ x, with H(y) = H(x)
   - the weak collision resistant property

Why the one-way property is important
- A method to create a MAC using a hash, but no encryption:
  - add a secret S to the message: M||S
  - calculate h = H(M||S)
  - send M and h
- If an attacker can extract (M||S) from h, he can find the secret S

Why the weak collision property is important
- For any given block x, it is computationally infeasible to find y, y ≠ x, with H(y) = H(x)
- If an attacker can find another message with the same hash value, he can replace the original message

Secure Hash Algorithm: SHA
- Originally designed by NIST & NSA in 1993
- Revised in 1995 as SHA-1
- Produces 160-bit hash values
- Revisions: SHA-256, SHA-384, SHA-512
  - designed for compatibility with the increased security provided by the AES cipher
  - structure & details are similar to SHA-1
- The hash code does not depend on any secret or key

SHA Versions

SHA-512 Algorithm
- Note: addition is modulo $2^{64}$

SHA-512
- Input: the message, as a series of 1024-bit blocks
- Processing, block after block:
  - input: 1024-bit data block, 512-bit hash of the previous block (the first block gets an IV)
  - processing: "Compression Function" F, 80 rounds
  - output: 512-bit hash of the block
- The output of the last block is the hash value of the message
- Every bit of the hash is a function of all bits of the input
  - unlikely that 2 messages will have the same hash

SHA-1 Processing of one 1024-bit block
- Buffer size: 512 bits
- Initial value: abcdefgh
- 80 rounds; one round is:
  - data enters from the left: 8 bytes Wt
  - constant Kt from the right: randomized 8 bytes
  - operations: +, and, or, xor, shr, rot
- Last output: the hash

Message Authentication Codes

HMAC: Hash Based Message Authentication Code
- Internet standard RFC 2104
- Uses the hash function on the (message + key) twice:
  $\mathrm{HMAC}_K(M) = H\{(K^+ \oplus \mathrm{opad}) \,\|\, H[(K^+ \oplus \mathrm{ipad}) \,\|\, M]\}$
- $K^+$ is the key padded with 0's to block size b
- opad, ipad are specified padding constants
- XORing ipad and opad with $K^+$ creates two keys from K
- The hash function H can be replaced by another hash function, e.g. MD5, SHA-1

HMAC(K, M)
- Message M: L blocks, each b bits (e.g. b = 1024)
- Hash: n bits (e.g. 512); K: key, with keylen > n
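The HMAC formula above, written out step by step and checked against Python's standard `hmac` module (an added example, not part of the original slides). The byte values 0x36 for ipad and 0x5C for opad, and the rule that a key longer than one block is hashed first, come from RFC 2104; the function names are this example's own.

```python
import hashlib
import hmac

def hmac_manual(key: bytes, msg: bytes, hash_name: str = "sha512") -> bytes:
    """HMAC_K(M) = H{(K+ xor opad) || H[(K+ xor ipad) || M]}."""
    b = hashlib.new(hash_name).block_size   # block size b in bytes (128 for SHA-512)
    if len(key) > b:
        # RFC 2104: a key longer than one block is replaced by its hash.
        key = hashlib.new(hash_name, key).digest()
    k_plus = key.ljust(b, b"\x00")          # K+: key padded with 0's to b bytes
    inner_key = bytes(x ^ 0x36 for x in k_plus)   # K+ xor ipad
    outer_key = bytes(x ^ 0x5C for x in k_plus)   # K+ xor opad
    inner = hashlib.new(hash_name, inner_key + msg).digest()
    return hashlib.new(hash_name, outer_key + inner).digest()

def verify(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha512") -> bool:
    """Receiver side: re-create the MAC and compare in constant time."""
    return hmac.compare_digest(hmac_manual(key, msg, hash_name), tag)

def matches_stdlib(key: bytes, msg: bytes, hash_name: str) -> bool:
    """True when the manual construction equals the library implementation."""
    return hmac_manual(key, msg, hash_name) == hmac.new(key, msg, hash_name).digest()

if __name__ == "__main__":
    key = b"constructed-demo-key"           # constructed sample key
    msg = b"transfer 100 to account 42"     # constructed sample message
    tag = hmac_manual(key, msg)
    print("matches stdlib:", matches_stdlib(key, msg, "sha512"))
    print("valid tag accepted:", verify(key, msg, tag))
    print("altered message accepted:", verify(key, msg + b"0", tag))
```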

Cipher-based Message Authentication Code (CMAC)
- Message: n b-bit blocks (e.g. for AES: b = 128)
- k-bit key (e.g. for AES: k = 128, 192, 256)
- MAC size: len
- The MAC is created by encrypting the message blocks:
  - $C_1 = E_K(M_1)$
  - $C_2 = E_K[M_2 \oplus C_1]$
  - $C_3 = E_K[M_3 \oplus C_2]$
  - …
  - $C_n = E_K[M_n \oplus C_{n-1} \oplus K_1]$
  - $\mathrm{MAC} = \mathrm{MSB}_{len}(C_n)$

CMAC
- Keys $K_1$, $K_2$ are derived from key K

Authenticated Encryption
- Sometimes we require both authentication and confidentiality
- Approaches:
  - Hash-then-encrypt: $E_K(M \| H(M))$
  - MAC-then-encrypt: $E_{K_2}(M \| \mathrm{MAC}(K_1, M))$
  - Encrypt-then-MAC: $C = E_{K_2}(M)$, $T = \mathrm{MAC}_{K_1}(C)$
  - Encrypt-and-MAC: $C = E_{K_2}(M)$, $T = \mathrm{MAC}_{K_1}(M)$

Message authenticated & encrypted
- Counter with Cipher Block Chaining-Message Authentication Code (CCM); used in Wi-Fi
- Authentication:
  - Data = Plaintext + Associated Data (may not be encrypted, e.g. IP header) + Nonce (random value, used to prevent replay)
  - authentication by CMAC → Tag, length Tlen
- Encryption: by AES, counter mode
  - the Tag is encrypted with counter Ctr0
  - the Plaintext is encrypted with the other counter values

Counter with Cipher Block Chaining- Message Authentication Code (CCM)

Public Key Cryptography

Public-Key Cryptography
- Uses two keys: a public & a private key
- Developed to address two issues:
  - key distribution: distributing the symmetric key required by symmetric cryptography protocols
  - digital signatures: how to verify that a message comes intact from the claimed sender
- Public key: may be known by all, and can be used to encrypt messages and verify signatures
- A related private key: known only to the owner, used to decrypt messages and sign (create) signatures

Encryption with public key (of receiver)

RSA: Rivest, Shamir, Adleman (1977)
- Best known & widely used public-key scheme
- Uses large integers (eg bits)
  - security due to the cost of factoring large numbers
- Sender encrypts a message M:
  - obtains the public key of the recipient, PU = {e, n}
  - computes $C = M^e \bmod n$, where $0 \le M < n$; sends C
- Recipient decrypts the ciphertext C:
  - computes $M = C^d \bmod n$, where d is the private key of the recipient

RSA Keys Setup
- Each user constructs his own two keys:
  - select 2 large prime numbers p, q; calculate $n = pq$
  - compute $\phi(n) = (p-1)(q-1)$
  - select at random his public key e, where $1 < e < \phi(n)$ and e is relatively prime to $\phi(n)$
  - solve the following equation to find his private key d: $e \cdot d \equiv 1 \pmod{\phi(n)}$ and $0 \le d \le n$
- Publish his public (encryption) key: PU = {e, n}
- Keep secret his private (decryption) key: PR = {d, n}

RSA Example - Key Setup
1. Select primes: p = 17 & q = 11
2. Calculate $n = pq = 17 \times 11 = 187$
3. $\phi(n) = (p-1)(q-1) = 16 \times 10 = 160$
4. Select e relatively prime to $\phi(n)$: choose e = 7
5. d must satisfy $de \equiv 1 \pmod{160}$ and d < 160: d = 23, since $23 \times 7 = 161 = 1 \times 160 + 1$
6. Publish public key PU = {7, 187}
7. Keep his private key PR = {23, 187}

RSA Example – Encryption / Decryption
- A sample RSA encryption/decryption:
  - given message M = 88 (note 88 < 187)
  - encryption: $C = 88^7 \bmod 187 = 11$
  - decryption: $M = 11^{23} \bmod 187 = 88$

RSA: Creating & distributing a shared secret key
- Goal: a secure method for creating and distributing a shared, secret key (called a session key) that will be used later in symmetric key algorithms (e.g. encryption by AES and message integrity via MAC)
- Client → Server: request the Server's public key
- Server → Client: public key of the Server
- Creation: the Client creates a random session key
- Distribution: encrypt the session key with the RSA algorithm (for example) using the Server's public key; send it to the Server

Man In the Middle attack on RSA
- Client requests the Server's RSA public key
- Server → Client: public key; the MITM intercepts this
- MITM (posing as Server) → Client: MITM public key
- Client → Server: session key created by the Client, encrypted with the MITM public key; intercepted by the MITM
- MITM (posing as Client) → Server: session key created by the MITM, encrypted with the Server's public key
- Server sends a message, encrypted with the MITM session key
- MITM intercepts; deciphers the message, then re-sends it to the Client, encrypted with the Client session key

Man in the Middle Attack on RSA
- Client doesn't verify that the identity of the partner is Server, and doesn't verify that the public key that he uses belongs to Server
- Server does not verify that the identity of the partner is Client

Diffie Hellman Key Exchange
- User A calculates: $(Y_B)^{X_A} \bmod q$
- User B calculates: $(Y_A)^{X_B} \bmod q$
- Both get the same value: $K_{AB} = a^{X_A X_B} \bmod q$
- $K_{AB}$ is a shared secret key

Diffie-Hellman Example
- Users Alice & Bob wish to create a shared key:
  - agree on prime q = 353 and a = 3
  - select random secret keys: A chooses $X_A = 97$, B chooses $X_B = 233$
  - compute respective public keys:
    - $Y_A = 3^{97} \bmod 353 = 40$ (Alice)
    - $Y_B = 3^{233} \bmod 353 = 248$ (Bob)
  - compute the shared session key as:
    - $K_{AB} = Y_B^{X_A} \bmod 353 = 248^{97} \bmod 353 = 160$ (Alice)
    - $K_{AB} = Y_A^{X_B} \bmod 353 = 40^{233} \bmod 353 = 160$ (Bob)

Man in the Middle Attack on D. H. Protocol
- Darth prepares 2 sets of keys: $X_{D1}, Y_{D1}$ and $X_{D2}, Y_{D2}$
  1. Alice → Bob: $Y_A$; intercepted by Darth
  2. Darth (posing as Alice) → Bob: $Y_{D1}$
  3. Bob → Alice: $Y_B$; intercepted by Darth
  4. Darth (posing as Bob) → Alice: $Y_{D2}$
- Calculations of shared keys:
  - Bob: $K_1 = (Y_{D1})^{X_B} \bmod q$; Alice: $K_2 = (Y_{D2})^{X_A} \bmod q$
  - Darth: $K_1 = (Y_B)^{X_{D1}} \bmod q$, $K_2 = (Y_A)^{X_{D2}} \bmod q$
- Darth communicates with Alice as if he is Bob, and with Bob as if he is Alice. He can intercept, decrypt, re-encrypt and forward all messages between Alice & Bob
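The key calculations from the Diffie-Hellman slides above, run with the slide's q = 353, a = 3, X_A = 97 and X_B = 233 (an added example, not part of the original slides). Darth's private values 2 and 3 are constructed, and the key comparison assumes a channel that cannot be altered in transit, which plain Diffie-Hellman does not provide by itself.

```python
def public_key(a: int, x: int, q: int) -> int:
    """Y = a^X mod q."""
    return pow(a, x, q)

def shared_key(y_peer: int, x_own: int, q: int) -> int:
    """K = (Y_peer)^X_own mod q, after rejecting degenerate public values."""
    if not 1 < y_peer < q - 1:
        raise ValueError("public value outside 2..q-2")
    return pow(y_peer, x_own, q)

def exchange(q: int, a: int, x_a: int, x_b: int, darth=None) -> dict:
    """Run the exchange; darth=(X_D1, X_D2) replaces both public keys in transit."""
    y_a, y_b = public_key(a, x_a, q), public_key(a, x_b, q)
    to_bob, to_alice = y_a, y_b          # what each side actually receives
    darth_keys = None
    if darth is not None:
        x_d1, x_d2 = darth
        to_bob = public_key(a, x_d1, q)      # step 2: Y_D1 arrives instead of Y_A
        to_alice = public_key(a, x_d2, q)    # step 4: Y_D2 arrives instead of Y_B
        # Darth: K1 = (Y_B)^X_D1 mod q, K2 = (Y_A)^X_D2 mod q
        darth_keys = (shared_key(y_b, x_d1, q), shared_key(y_a, x_d2, q))
    return {
        "alice": shared_key(to_alice, x_a, q),
        "bob": shared_key(to_bob, x_b, q),
        "darth": darth_keys,
    }

def key_confirmation_ok(result: dict) -> bool:
    """Both ends hold the same key. Only meaningful if the comparison itself
    travels over an authenticated channel (assumption), e.g. signed values."""
    return result["alice"] == result["bob"]

if __name__ == "__main__":
    honest = exchange(353, 3, 97, 233)
    split = exchange(353, 3, 97, 233, darth=(2, 3))
    print("honest:", honest, "confirmed:", key_confirmation_ok(honest))
    print("intercepted:", split, "confirmed:", key_confirmation_ok(split))
```

In the intercepted run Bob's key equals Darth's K1 and Alice's key equals Darth's K2, so the two ends no longer agree; nothing in the exchange itself reveals this, which is why the public keys have to be authenticated.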

Digital Signatures
- The issue is lack of trust
- Digital signatures help answer questions like:
  - Is your partner who he claims to be?
  - Even if you know your partner, did the message come from him?
  - If the partner denies sending the message, prove that this is not true
  - Is the message genuine (unchanged)?

Digital Signature of a document
- A secret piece of data, created by an algorithm that depends on the private key of the signer (user, process) and the document
- Verification of signature: by a digital signature verification algorithm that depends on the public key of the signer

Typical signing and verifying signatures
- Signature: hash code of the message (generated by SHA***), encrypted by RSA using the private key of the signer
- Verification: decrypt the signature by RSA using the public key of the signer; re-calculate the hash of the received message (by SHA***); compare

Appendix: Proof that RSA works

Proof that RSA Works (based on Euler's Theorem)
- $\phi(n)$: the number of positive integers relatively prime to n (for primes p, q: $\phi(n) = \phi(pq) = \phi(p)\,\phi(q) = (p-1)(q-1)$)
- Euler: x, n relatively prime $\Rightarrow x^{\phi(n)} \equiv 1 \pmod{n}$
- In RSA: $ed \equiv 1 \pmod{\phi(n)}$, so $ed = 1 + a\,\phi(n)$ for some a
- Given $C = M^e \bmod n$, prove that $C^d \bmod n = M$:
  $C^d \bmod n = M^{ed} \bmod n = M^{1 + a\phi(n)} \bmod n = M \cdot (M^{\phi(n)})^a \bmod n = M \cdot (bn + 1)^a \bmod n = M \cdot (cn + 1) \bmod n = M \bmod n$

Diffie-Hellman Key Exchange Algorithm
- Purpose: secure creation and distribution of a shared secret key (session key)
- Key setup:
  - two users A, B agree on 2 global parameters: a large prime integer q and a base a
  - users create their random private keys: $X_A, X_B < q$
  - users compute their public keys: $Y_A = a^{X_A} \bmod q$; $Y_B = a^{X_B} \bmod q$
  - users exchange their public keys