Presentation is loading. Please wait.

Presentation is loading. Please wait.

Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Cryptography and Message Authentication (Slides adopted from Stallings,

Published byJuniper Brown Modified over 8 years ago

Similar presentations

Presentation on theme: "Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Cryptography and Message Authentication (Slides adopted from Stallings,"— Presentation transcript:

1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Cryptography and Message Authentication (Slides adopted from Stallings, Network Security Essentials, 4t Ed)

2 Contents  Message Authentication  Secure Hash Function  Message Authentication Codes  Public-Key Cryptography Principles  Public-Key Cryptography Algorithms  Literature: Stallings, Network Security Essentials, 4 th Ed, Ch. 3

3 Message Authentication  message authentication is concerned with: protecting the integrity of a message validating identity of originator Note: Authentication is not Confidentiality  Method: Message Authentication Code (MAC) A small secret block of data, derived from the message and a key K shared by the sender and the receiver of the message  MAC is appended to the message  The receiver re-creates the MAC, compares.

4 Message Authentication Code (MAC)  Receiver: If the received MAC is identical with the MAC sent with the message, the receiver knows:  1. Message wasn’t changed, 2. The sender knows K  3. Only the one who knows K, could send this message

5 Hash Functions  Hash h = H(M): a fixed size digest of message M  Algorithm public; Infeasible to invert.  h is sent together with the message M  Usage: Receiver can detect changes to message  hash function creates a hash code computationally infeasible to find data mapping to specific hash code (one-way property) computationally infeasible to find two data to same hash code (collision-free property)

6 One scheme for creating a MAC from hash  Create a hash value (or code) h = H(M)  Construct a MAC by encrypting the hash code  Send both parts o receiver  The question is whether an attacker can change the message without changing the hash code

7 A simple example of hash code I  Message X is a series of m blocks X = X 1 ||X 2 || ….X m  Sender: hash code is a bit-by bit xor of the blocks H(X) = X 1  X 2  …  X m MAC: encrypt the hash: C K (X) = E K [H(X)] Append C K (X) to X; send X||C K (X)  Suppose Attacker captures X||C K (X). He can replace X by a message Y, with same C K (X), without knowledge of the key K

8 A simple example of hash code II  Y is constructed as follows: Construct arbitrary Y’ = Y 1 ||Y 2 ||….Y m-1 ||Y m-1 Calculate hash: H(Y’)= Y 1  Y 2  …  Y m-1 Add another block Y m to Y’: Y = Y’||Y m Require: H(Y) = H(Y’||Y m ) = Y’  Y m = H(X) Solution: Y m = Y’  H(X)  Hence: C K (Y) = E K [  (Y)] = E K [  (X)] = C K (X) !!

9 Secure (cryptographic) Hash Functions

10 Requirements from a hash function  1. H can be applied to a block of data of any size  2. H produces a fixed length output  3. H(x) is easy to compute for any given x  4. For any given value h, it is computationally infeasible to find x such that H(x) = h The one way (or pre-image resistant) property  5. For any given block x, it is computationally infeasible to find y, y≠ x with H(y) = H(x) The weak collision resistant property

11 Why the one-way property is important method to create MAC using hash, but no encryption: Add a secret S to the message: M||S. calculate h = H(M||S). send M, and h.  If attacker can extract the (M||S) from h, he can find the secret S.

12 Why the weak collision property is important  For any given block x, it is computationally infeasible to find y, y≠ x with H(y) = H(x)  If an attacker can find another message with same hash value he can replace the original message

13 Secure Hash Algorithm: SHA  Originally designed by NIST & NSA in 1993  Revised in 1995 as SHA-1  Produces 160-bit hash values  Revisions: SHA-256, SHA-384, SHA-512  designed for compatibility with increased security provided by the AES cipher  structure & details are similar to SHA-1  Hash code does not depend on any secret or key

14 SHA Versions

15 SHA-512 Algorithm Note: Addition is modulo 2 64

16 SHA-512  Input: message a series of 1024-bit blocks  Processing block after block Input: 1024-bit data block, 512-bit hash of previous block (first block gets an IV) Processing: “Compression Function” F, 80 rounds Output: 512-bit hash of the block  Output of last block is the hash value of the message  Every bit of hash is a function of all bits of the input Unlikely that 2 messages will have the same hash

17 SHA-1 Processing of one 1024-bit block Buffer size: 512 bits Initial value: abcdefgh 80 rounds; One round is: Data enters from the left 8 Bytes Wt Constant Kt from the right Randomized 8 bytes Operations: +, and, or, xor, shr, rot Last output: The hash

18 Message Authentication Codes

19 HMAC: Hash Based Message Authentication Code  Internet standard RFC2104  uses hash function on the (message + key) twice HMAC K (M)=H{(K +  opad) || H[(K +  ipad)||M]}  K + is the key padded with 0’s to block size b  opad, ipad are specified padding constants  Xoring ipad, opad with K + creates from K two keys  hash function H can be replaced by other hash func eg. MD5, SHA-1

20 HMAC(K, M)  Message M: L blocks, each b bits (e.g. b=1024  Hash: n bits (e.g. 512); K: key, with keylen > n

21 Cipher-based Message Authentication Code  CMAC  Message n b-bit blocks (e.g for AES: b = 128)  k-bit Key (e.g. for AES k = 128, 192, 256)  MAC size: len  MAC is created by encrypting the message blocks C 1 = E K (M 1 ) C 2 = E K [M 2  C 1 ] C 3 = E K [M 3  C 2 ] … C n = E K [M n  C n-1  K 1 ] MAC = MSB len (C n )

22 CMAC  Keys K 1, K 2 derived from key K

23 Authenticated Encryption  Sometime we require Authentication and confidentiality  approaches Hash-then-encrypt: E K (M || H(M)) MAC-then-encrypt: E K 2 (M || MAC(K1, M) Encrypt-then-MAC: C=E K 2 (M), T=MAC K 1 (C) Encrypt-and-MAC: C=E K 2 (M), T=MAC K 1 (M)

24 Message authenticated & encrypted Counter with Cipher Block Chaining-Message Authentication Code (CCM) ; used in Wi-Fi Authentication: Data = Plaintext + Associated Data (may not be encrypted, e.g. IP header) + Nonce (random value, used to prevent replay) Authentication by CMAC  Tag, length Tlen Encryption: by AES, counter mode Tag encrypted with counter Ctr0 Plaintext encrypted other counter values

25 Counter with Cipher Block Chaining- Message Authentication Code (CCM)

26 Public Key Cryptography

27 Public-Key Cryptography Uses two keys – a public & a private key developed to address two issues: key distribution: Distributing the symmetric key required by symmetric cryptography protocols digital signatures – how to verify a message comes intact from the claimed sender  public-key: may be known by all, and can be used to encrypt messages, and verify signatures  a related private-key: known only to owner, used to decrypt messages, and sign (create) signatures

28 Encryption with public key (of receiver)

29 RSA: Rives, Shamir, Adelman (1977)  best known & widely used public-key scheme  uses large integers (eg. 1024 bits) security due to cost of factoring large numbers  Sender encrypts a message M: obtains public key of recipient PU={e,n} compute: C = M e mod n, where 0 ≤M <n; send C  Recipient decrypts the ciphertext C: computes: M = C d mod n Where d is the private key of the recipient 

30 RSA Keys Setup  Each user constructs his its own two keys:  Select 2 large prime numbers, p, q. calculate n=pq  compute  (n)=(p-1)(q-1)  select at random his public key e where 1<e<  (n), e prime relative to  (n)  solve following equation to find his private key d e*d =1 mod  (n) and 0 ≤d ≤n  publish his public (encryption) key: PU={e, n}  keep secret his private (decryption) key: PR={d, n}

31 RSA Example - Key Setup 1. Select primes: p =17 & q =11 2. Calculate n = pq =17 x 11=187   (n)=(p–1)(q-1)=16x10=160 4. Select e prime relative to  : choose e=7 5. d must satisfy de=1 mod 160 and d < 160  d=23 since 23x7=161= 1x160+1 6. Publish public key PU={7,187} 7. Keep his private key PR={23,187}

32 RSA Example – Encryption /Decryption  sample RSA encryption/decryption is:  given message M = 88 (note 88<187 )  encryption: C = 88 7 mod 187 = 11  decryption: M = 11 23 mod 187 = 88

33 RSA: Creating & distributing a shared secret key Goal: a secure method for creating and distributing a shared, secret key (called session key) that will be used later in symmetric key algorithms (e.g encryption by AES and message integrity via MAC) Client  Server: Request Server’s Public key Server  Client: Public key of Server Creation: Client creates a random session key Distribution: Encrypt the session key by RSA algorithm (for example) using the Server’s public key, send to Server

34 Man In the Middle attack on RSA  Client requests Server’s RSA public key  Server  Client: public key; MITM intercepts this.  MITM (posing as Server)  Client: MITM public key  Client  Server: Session key created by Client, encrypted with MITM public key; Intercepted by MITM  MITM (posing as Client)  Server: Session key created by MTM, encrypted with Server’s public key  Server sends a message, encrypted by MITM session key  MITM intercepts; decipher the message then re-send it to Client, encrypted by Client Session key

35 Man in the Middle Attack on RSA Client doesn’t verify that the identity of the partner is Server and that the public key that he uses belongs to Server Client doesn’t verify that the identity of the partner is Server, and doesn’t verify that the public key that he uses belongs to Server Server does not verify that the identity of the partner is Client

36 Diffie Hellman Key Exchange  User A calculate: (Y B ) X A (mod q)  User B calculate (Y A ) X B (mod q)  Both get same value: K AB = a X A X B (mod q)  K AB a shared secret key

37 Diffie-Hellman Example  users Alice & Bob wish to create a shared key:  agree on prime q=353 and a=3  select random secret keys: A chooses X A =97, B chooses X B =233  compute respective public keys: Y A =3 97 mod 353 = 40 (Alice) Y B =3 233 mod 353 = 248(Bob)  compute shared session key as: K AB = Y B X A mod 353 = 248 97 = 160(Alice) K AB = Y A X B mod 353 = 40 233 = 160(Bob)

38 Man in the Middle Attack on D. H. Protocol Darth prepares 2 sets of keys, X D1, Y D1, X D2 Y D2 1. Alice  Bob: Y A ; intercepted by Darth 2. Darth (posing as Alice)  Bob: Y D1 3. Bob  Alice: Y B ; intercepted by Darth. 4. Darth (posing as Bob)  Alice: Y D2, Calculations of shared keys: Bob: K1 = (Y D1 ) X B mod q; Alice: K2 = (Y D2 ) X A mod q Darth: K1 = (Y B ) X D1 mod q, K 2 = (Y A ) X D2 modq Darth communicates with Alice as if he is Bob, and with Bob as if he is Alice. He can intercept, decrypt, re-encrypt, forward all messages between Alice & Bob

39 Digital Signatures  The issue is lack of trust  Digital signature help answering questions like Is your partner who he claims to be? Even if you know your partner, did the message came from him? If the partner denies sending the message, prove that this is not true Is the message genuine (unchanged)

40 Digital Signature of a document  a secret piece of data, created by an algorithm that depends on the the private key of the signer (user, process) and the document  Verification of signature: By digital signature verification algorithm that depend on the public key of the signer

41 Typical signing and verifying signatures  Signature: hash code of the message (generated by SHA***) encrypted by RSA using the private key of the signer  Verification: Decrypt the signature by using RSA using the public key of signer; re-calculate the hash of received message (by SHA***); compare

42 Appendix: Proof that RSA works

43 Proof that RSA Works (based on Euler Theorem)  (n): the number of positive int relatively prime to n (For primes p, q   n  (pq) =  (p)*  (q) = (p-1)(q-1)) Euler: x,n relatively prime  x  (n) = 1 (mod n) in RSA: ed = 1(mod  (n)) = 1 + a*  (n), for some a Given C = M e (mod n). Prove that C d (mod n) = M C d (mod n)= M ed (mod n)= M 1+a*  (n) (mod n) = M*(M  (n) ) a (mod n) = M*(b*n +1) a (mod n) = = M*(c*n +1)(mod n) = M mod n

44 Diffie-Hellman Key ExchangeAlgorithm  Purpose: Secure creation and distribution of a shared secret key (session key)  Key set up:  two users A, B agree on 2 global parameters: large prime integer q, base a  users create their random private keys: X A, X B <q  Users compute their public keys: Y A = a X A mod q; Y B = a X B  Users exchange their public keys

Download ppt "Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Cryptography and Message Authentication (Slides adopted from Stallings,"

Similar presentations

Chapter 3 Public Key Cryptography and Message authentication.

Chapter 3 Public Key Cryptography and Message authentication.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Public Key Cryptography & Message Authentication By Tahaei Fall 2012.

Public Key Cryptography & Message Authentication By Tahaei Fall 2012.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
Cryptography and Network Security (CS435) Part Ten (Hash and MAC algorithms)

Cryptography and Network Security (CS435) Part Ten (Hash and MAC algorithms)
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.
Henric Johnson1 Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Cryptography and Network Security Chapter 12 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 12 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
Chapter3 Public-Key Cryptography and Message Authentication.

Chapter3 Public-Key Cryptography and Message Authentication.
Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.

Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.
Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.

Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.
Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.

Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.
Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.

Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.

Similar presentations

Ads by Google