Computer Science and Engineering Computer System Security CSE 5339/7339 Lecture 11 September 23, 2004

Computer Science and Engineering Contents (take good notes)  Assignment 2   Assignment 3   Cryptographic Hash Function  Electronic Signatures  Aamer’s Presentation

Computer Science and Engineering Cryptographic Hash Functions  Message Digest Functions  Protect integrity  Users create a message digest or fingerprint of a digital document  Message Authentication Codes (MACs)  Protect both integrity and authenticity  MACs produce fingerprints based on both a given document and a secret key

Computer Science and Engineering Message Digest Functions  Checksums  fingerprint of a message  If the message changes, the checksum will not match  Most checksums are good in detecting accidental changes made to a message  They are not designed to prevent an adversary from intentionally changing a message resulting a message with the same checksum  Message digests are designed to protect against this possibility

Computer Science and Engineering Hash Functions Example M = “Elvis” H(M) = (“E” + “L” + “V” + “I” + “S”) mod 26 H(M) = ( ) mod 26 H(M) = 67 mod 26 H(M) = 15 H M H(M) = h

Computer Science and Engineering Collision Example x = “Viva” Y = “Vegas” H(x) = H(y) = 2 H xH(x) H yH(y) =

Computer Science and Engineering Collision-resistant, One-way hash functions  Given M, it is easy to compute h  Given any h, it is hard to find any M such that H(M) = h  Given M1, it is difficult to find M2 (not identical to M1) such that H(M1) = H(M2) Functions that satisfy these criteria are called message digest. They produce a fixed-length digest (fingerprint)

Computer Science and Engineering The Secure Hash Algorithm (SHA-1) SHA-1 A message composed of b bits 160-bit message digest

Computer Science and Engineering Step 1 -- Padding  Padding  the total length of a padded message is multiple of 512  Every message is padded even if its length is already a multiple of 512

Computer Science and Engineering Padding (cont.) MessageMessage length1zeros 64 bits Multiple of bit

Computer Science and Engineering Padding (cont.) Padding is done by appending to the input:  A single bit, 1  Enough additional bits, all 0, to make the final 512 block exactly 448 bits long  A 64-bit integer representing the length of the original message in bits

Computer Science and Engineering Example  M = (20 bits)  Padding is done by appending to the input:  A single bit, 1  427 0s  A 64-bit integer representing 20  Pad(M) = …

Computer Science and Engineering Example  Length of M = 500 bits  Padding is done by appending to the input:  A single bit, 1  459 0s  A 64-bit integer representing 500  Length of Pad(M) = 1024 bits

Computer Science and Engineering Initialize bit words (Hexa)  H0 =  H1 = EFCDAB89  H2 = 98BADCFE  H3 =  H4 = C3D2E1F0  K0 – K19 = 5A  K20 – K39 = 6ED9EBA1  K40 – K59 = 8F1BBCDC  K60 – K79 = CA62C1D6

Computer Science and Engineering Step 2 -- Dividing Pad(M)  Pad (M) = B 1, B 2, B 3, …, B n  Each B i denote a 512-bit block  Each B i is divided into bit words W 0, W 1, …, W 15

Computer Science and Engineering Step 3 – Use W 0 - W 15 to compute W 16 – W 79  To Compute word W j (16<=j<=79):  W j-3, W j-8, W j-14, W j-16 are XORed  The result is circularly left shifted one bit

Computer Science and Engineering Step 4 – Copy H0 – H4 into A,B,C,D,E  A = H0  B = H1  C = H2  D = H3  D = H4

Computer Science and Engineering Step 5 – Four functions  For j = 0, 19 f j (B,C,D) = (B AND C) OR ( B AND D) OR (C AND D)  For j = 20, 39 f j (B,C,D) = (B XOR C XOR D)  For j = 40, 59 f j (B,C,D) = (B AND C) OR ((NOT B) AND D)  For j = 60, 79 f j (B,C,D) = (B XOR C XOR D)

Computer Science and Engineering Step 6 – Loop For j = 0 to 79 Do TEMP = Circular_left_shift_5 (A) + f j (B,C,D) + E + W j + K j E = D; D = C; C = Circular_left_shift_30(B); B = A; A = TEMP Done +  addition (ignore overflow)

Computer Science and Engineering Step 7 – Final H0 = H0 + A H1 = H1 + B H2 = H2 + C H3 = H3 + D H4 = H4 + E

Computer Science and Engineering Done Once these steps have been performed on each 512-bit block (B 1, B 2, …, B n ) of the padded message in turn, the 160-bit message digest is given by H0 H1 H2 H3 H4

Computer Science and Engineering Message Authentication Codes (MACs)  A message authentication code (MAC) is a key- dependent message digest function: MAC(M,K) = h

Computer Science and Engineering A MAC Based on a Block Cipher M1 Encrypt K M1 Encrypt K XOR M1 Encrypt K XOR … MAC

Computer Science and Engineering Digital Signatures  Like handwritten signatures on physical documents, a digital signature can be interpreted as indicating the signer’s agreement with the contents of an electronic document  Asymmetric Cryptographic techniques are also well suited for creating digital signatures

Computer Science and Engineering Digital Signature Properties  A signature is produced only by the signer deliberately signing the document  Only the signer can produce his/her signature  A signature from one document cannot be moved to another document, nor can a signed document be altered without invalidating the signature  Signatures can be validated by other users, and the signer cannot reasonably claim that he/she did not sign a document bearing his/her signature

Computer Science and Engineering Digital Signature Using RSA  The RSA public-key cryptosystem can be used to create a digital signature for a message m.  The signer must have an RSA public/private key pair.

Computer Science and Engineering RSA Review -C = P e mod n -P = C d mod n -P = C d mod n = (P e ) d mod n = (P d ) e mod n

Computer Science and Engineering Key Choice (RSA Review) -We start by selecting n to be a very large integer (product of two large primes p and q) -Next a large integer e is chosen so that e is relatively prime to (p-1) * (q-1). -Finally, select d such that e * d = 1 mod (p-1) * (q-1)

Computer Science and Engineering Example (RSA Review) 1.Select primes p=11, q=3. 2.n = p* q = 11*3 = 33 3.Choose e = 3 Check gcd(e, p-1) = gcd(3, 10) = 1 (i.e. 3 and 10 have no common factors except 1), and check gcd(e, q-1) = gcd(3, 2) = 1 therefore gcd(e, (p-1)(q-1)) = gcd(3, 20) = 1 4.Compute d such that e* d = 1 (mod (p-1)*(q-1)) d = 7 5.Public key = (n, e) = (33, 3) Private key = (n, d) = (33, 7).

Computer Science and Engineering Signature Generation (Signer) Message SignaturePrivate Key Redundancy Function Formatted Message Encrypt

Computer Science and Engineering Signature Verification Message Signature Public Key Verify Formatted Message Decrypt

Computer Science and Engineering Example (generate signature S) -- Signer end d = 53 e = 413 n = 629 m = 250 Assume that R(X) = X S = R(m) e mod n S = mod 629 = 411

Computer Science and Engineering Example (verify signature with message recovery) Public key (e) = 413 n = 629 S = 411 R(m) = S e mod n R(m) = mod 629 = 250 The verifier then checks that R(m) has the proper redundancy created by R (none in this case) and recover the message: m = R -1 (m) = 250

Computer Science and Engineering Creating a forged signature Choose a random number between 0 and n-1 for S S = 323 Use the signer’s public key to decrypt S R(m) = mod 629 = 85 Invert R(m) to m: m = 85 Note that a valid signature (323) has been created for a random message (85) without the knowledge of the signer’s private key. The choice of a poor redundancy function can make RSA vulnerable to forgery.

Computer Science and Engineering Selecting a Good Redundancy Function  A good redundancy function should make forging signatures much harder.

Computer Science and Engineering Example (generate signature S) -- Signer end d = 53 e = 413 n = 629 m = 7 Assume that R(X) = XX S = R(m) e mod n S = mod 629 = 25

Computer Science and Engineering Example (verify signature with message recovery) Public key (e) = 413 n = 629 S = 25 R(m) = S e mod n R(m) = mod 629 = 77 The verifier then checks that R(m) is of the form XX for some message X. It is, and we recover the message: m = R -1 (m) = 7

Computer Science and Engineering Forging signature (revisited) Choose a random number between 0 and n-1 for S S = 323 Use the signer’s public key to decrypt S R(m) = mod 629 = 85 However, 85 is not a legal value for R(m), so S = 323 is not a valid signature

Computer Science and Engineering Simple Scenario of Digital Signature

Computer Science and Engineering Getting a Message Digest from a document Hash Message Digest

Computer Science and Engineering Generating Signature Message Digest Signature Encrypt using private key

Computer Science and Engineering Appending Signature to document Append Signature

Computer Science and Engineering Verifying Signature Hash Decrypt using public key Message Digest Message Digest