Computer security module 3

Computer Security
Deepak John
SJCET-Palai

Key Management
 public-key encryption helps address key distribution problems
 have two aspects of this:
 distribution of public keys
 use of public-key encryption to distribute secret keys
Distribution of Public Keys
 can be considered as using one of:
 public announcement
 publicly available directory
 public-key authority
 public-key certificates

Public Announcement
 users distribute public keys to recipients or broadcast to community at large
 major weakness is forgery
 anyone can create a key claiming to be someone else and broadcast it

Publicly Available Directory
 can obtain greater security by registering
keys with a public directory
 directory must be trusted with properties:
 contains {name, public-key} entries
 participants register securely with
directory
 participants can replace key at any time
 directory is periodically published
 directory can be accessed electronically
 still vulnerable to tampering or forgery

Public-Key Authority
 improve security by tightening control over distribution of keys from directory
 has properties of directory
 assumes that a central authority maintains a dynamic directory of public keys of
all participants.

1. A sends a time stamped message to the public-key authority containing a request
for the current public key of B.
2. The authority responds with a message that is encrypted using the authority's
private key, PRauth.The message includes B's public key-Pub, The original
request, The original timestamp.
3. A stores B's public key and also uses it to encrypt a message to B containing an
identifier of A (IDA) and a nonce (N1), which is used to identify this transaction
uniquely.
4. B sends a time stamped message to the public-key authority containing a request
for the current public key of A.

5. B retrieves A's public key from the authority in the same manner as A retrieved
B's public key.
public keys have been securely delivered to A and B, and they may begin their
protected exchange.
6. B sends a message to A encrypted with PUa and containing A's nonce (N1) as
well as a new nonce generated by B (N2) Because only B could have decrypted
message , the presence of N1 in message assures A that the correspondent is B.
7. A returns N2, encrypted using B's public key, to assure B that its correspondent is
A.

Public-Key Certificates
 certificates allow key exchange without real-time access to public-key authority
 certificate consists of a public key plus an identifier of the key owner
 with all contents signed by a trusted Certificate Authority (CA)
 A user can present his or her public key to the authority in a secure manner, and
obtain a certificate.
 The user can then publish the certificate. Anyone needed this user's public key can
obtain the certificate and verify that it is valid by way of the attached trusted
signature.
 any other participant, who reads and verifies the certificate as follows:
D(PUauth, CA) = D(PUauth, E(PRauth, [T||IDA||PUa])) = (T||IDA||PUa)

requirements on this scheme:
1. Any participant can read a certificate to determine the name and public key of
the certificate's owner.
2. Any participant can verify that the certificate originated from the certificate
authority and is not counterfeit.
3. Only the certificate authority can create and update certificates.

Distribution of Secret Keys Using Public-Key Cryptography
 use previous methods to obtain public-key
Simple Secret Key Distribution
.
1. A generates a public/private key pair {PUa, PRa} and transmits a message to B
consisting of PUa and an identifier of A, IDA.
2. B generates a secret key, Ks, and transmits it to A, encrypted with A's public key.

3. A computes D(PRa, E(PUa, Ks)) to recover the secret key. Because only A can
decrypt the message, only A and B will know the identity of Ks.
 A and B can now securely communicate using conventional encryption and the
session key Ks. At the completion of the exchange, both A and B discard Ks

Secret Key Distribution with Confidentiality and Authentication
 provides protection against both active and passive attacks.

1. A uses B's public key to encrypt a message to B containing an identifier of A
(IDA) and a nonce (N1), which is used to identify this transaction uniquely.
2. B sends a message to A encrypted with PUa and containing A's nonce (N1) as
well as a new nonce generated by B (N2) .the presence of N1 in message assures
A that the correspondent is B.
3. A returns N2 encrypted using B's public key, to assure B that its correspondent is
A.
4. A selects a secret key Ks and sends M = E(PUb, E(PRa, Ks)) to B. Encryption
of this message with B's public key ensures that only B can read it; encryption
with A's private key ensures that only A could have sent it.
5. B computes D(PUa, D(PRb, M)) to recover the secret key.

Hybrid Key Distribution
 retain use of KDC
 shares secret master key with each user
 distributes secret session key encrypted using master key
 public-key used to distribute master keys
 rationale
 performance
 backward compatibility

Diffie-Hellman Key Exchange
 first public-key algorithm by Diffie & Hellman in 1976
 is a practical method for public exchange of a secret key
 used in a number of commercial products
Primitive route
 Let p be a prime. Then b is a primitive root for p if the powers of b:1, b, b^2, b^3,
... include all of the residue classes mod p (except 0).
 Examples: If p=7,
then 3 is a primitive root for p because the powers of 3 are 1, 3, 2, 6, 4, 5 that is,
every number mod 7 occurs except 0.
But 2 isn't a primitive root because the powers of 2 are 1, 2, 4, 1, 2, 4, 1, 2,4...
missing several values.

Diffie-Hellman Example
 users Alice & Bob who wish to swap keys:
 agree on prime q=353 and α=3
 select random secret keys:
 A chooses xA=97, B chooses xB=233
 compute respective public keys:
 yA=3
97
mod 353 = 40(Alice)
 yB=3
233
mod 353 = 248 (Bob)
 compute shared session key as:
 KAB= yB
xA
mod 353 = 248
97
= 160(Alice)
 KAB= yA
xB
mod 353 = 40
233
= 160 (Bob)

Key Exchange Protocols
 users could create random private/public D-H keys each time they communicate
 users could create a known private/public D-H key and publish in a directory,
then consulted and used to securely communicate with them
 both of these are vulnerable to a meet-in-the-Middle Attack
 authentication of the keys is needed

Elliptic Curve Cryptography
 majority of public-key crypto (RSA, D-H) use either integer or polynomial
arithmetic with very large numbers/polynomials
 imposes a significant load in storing and processing keys and messages
 an alternative is to use elliptic curves
 offers same security with smaller bit sizes

Elliptic Curves
 an elliptic curve is defined by an
equation in two variables x & y, with
coefficients
 consider a cubic elliptic curve of form
 y2 = x3 + ax + b
 where x,y,a,b are all real numbers
 consider set of points E(a , b) that satisfy
 have addition operation for elliptic curve
 geometrically sum of P+Q is reflection
of the intersection R
 Consider elliptic curve
E: y2 = x3 - x + 1
 If P1 and P2 are on E, we can define
P3 = P1 + P2

Finite Elliptic Curves
 Elliptic curve cryptography uses curves whose variables & coefficients are finite
 have two families commonly used:
 prime curves Ep(a , b) defined over Zp
 use integers modulo a prime
 best in software
 binary curves E2m(a , b) defined over GF(2n)
 use polynomials with binary coefficients
 best in hardware

Elliptic Curve Cryptography
 Elliptic curve cryptography [ECC] is a public-key cryptosystem
 Elliptic curves are used as an extension to other current cryptosystems.
 Elliptic Curve Diffie-Hellman Key Exchange
 Elliptic Curve Digital Signature Algorithm
 The central part of any cryptosystem involving elliptic curves is the elliptic
group.

Generic Procedures of ECC
 Both parties agree to some publicly-known data items
 The elliptic curve equation
 values of a and b
 prime, q
 The elliptic group computed from the elliptic curve equation
 A base point, G, taken from the elliptic group
 Similar to the generator used in current cryptosystems
 Each user generates their public/private key pair
 Private Key = an integer, selected from the interval [1, q-1]
 Public Key = product, of private key and base point ( x*B)

Applications of ECC
 Many devices are small and have limited storage and computational power
 Where can we apply ECC?
 Wireless communication devices
 Smart cards
 Web servers that need to handle many encryption sessions
 Any application where security is needed but lacks the power, storage and
computational power that is necessary for our current cryptosystems

Message Authentication
 message authentication is concerned with:
 protecting the integrity of a message
 validating identity of originator
 non-repudiation of origin (dispute resolution)
 will consider the security requirements
 then three alternative functions used:
 message encryption
 message authentication code (MAC)
 hash function

Message Encryption
 message encryption by
itself also provides a
measure of authentication
 Symmetric Encryption
 Public Key encryption

Message Authentication Code (MAC)
 generated by an algorithm that creates a small fixed-sized block
 depending on both message and some key
 appended to message as a signature
 receiver performs same computation on message and checks it matches the MAC
 provides assurance that message is unaltered and comes from sender
 MAC= C(K, M), where M = input message, C = MAC function and K = shared
secret key

Requirements for MACs
1. knowing a message and MAC, is infeasible to find another message
with same MAC
2. MACs should be uniformly distributed
3. MAC should depend equally on all bits of the message

Using Symmetric Ciphers for MACs
 can use any block cipher chaining mode
and use final block as a MAC
 Data Authentication Algorithm (DAA)
is a widely used MAC based on DES
 using IV=0
 encrypt message using DES in CBC
mode
 and send just the final block as the
MAC or the leftmost M bits
(16≤M≤64) of final block
 but final MAC is now too small for
security

Hash Functions
 A hash function H accepts a variable-
length block of data as input and produces
a fixed-size hash value
h = H(M)
 hash used to detect changes to message
 The hash code is a function of all the bits of
the message and provides an error-
detection capability: A change to any bit or
bits in the message results in a change to
the hash code.

three desirable properties:
1. One-way: For any given code h, it is computationally infeasible to find x such
that H(x)=h.
2. Weak collision resistance: For any given block x, it is computationally
infeasible to find y ≠ x with H(y) = H(x).
3. Strong collision resistance: It is computationally infeasible to find any pair (x,
y) such that H(x) = H(y).

Requirements for Hash Functions
1. can be applied to any sized message M
2. produces fixed-length output h
3. is easy to compute h=H(M) for any message M
4. given h is infeasible to find x such that. H(x)=h
5. given x is infeasible to find y such that. H(y)=H(x)
6. is infeasible to find any x,y such that. H(y)=H(x)

Simple Hash Functions
 based on XOR of message blocks
 Ci = bi1 XOR bi2 ...XOR bim
where
Ci = ith bit of the hash code, 1 ≤ i ≤ n
m = number of n-bit blocks in the input
bij = ith bit in jth block

Hash Functions & MAC Security
 brute-force attacks
 Hash function: The strength of a hash function against brute-force attacks
depends solely on the length of the hash code produced by the algorithm
 MAC: with known message-MAC pairs
 cryptanalytic attacks exploit structure
 like block ciphers want brute-force attacks to be the best alternative
 more variety of MACs so harder to generalize about cryptanalysis

Hash and MAC Algorithms
Secure Hash Algorithm
 SHA originally designed by NIST in 1993
 was revised in 1995 as SHA-1 produces 160-bit hash values
 adds 3 additional versions of SHA
 SHA-256, SHA-384, SHA-512
 designed for compatibility with increased security provided by the AES cipher
 structure & detail is similar to SHA-1
 but security levels are rather higher

SHA-512 Overview
 takes as input a
message with a
maximum length of
less than 2128 bits and
produces as output a
512-bit message
digest.
 The input is processed
in 1024-bit blocks.

Step 1: Append padding bits and length
 Padding is done by appending to the input
 A single bit, 1
 Enough additional bits, all 0,
 Message length is appended
Step 2: Initialize hash buffer
 512-bit buffer is used to hold intermediate and final results of the hash
function.
 The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h).
 These registers are initialized to the 64-bit integers

Step 3: Process the message
in 1024-bit blocks
 which forms the heart of
the algorithm
 this module is labeled F
 consists of 80 rounds
updating a 512-bit buffer

Step 4: Output the final state value as the resulting hash
 After all N 1024-bit blocks have been processed, the output from the Nth stage is
the 512-bit message digest.

Whirlpool
 is an iterated
cryptographic hash
function,
 that uses a
symmetric-key block
cipher(AES) in place
of the compression
function.

 The processing consists of the following steps:
Step 1: Append padding bits and length
Step 2: Initialize hash matrix
Step 3: Process message in 512-bit (64-byte) blocks, using as its core, the block
cipher W.

Whirlpool Block Cipher W
 designed specifically for hash function
use with security and efficiency of
AES
 but with 512-bit block size and hence
generate a secure hash
 similar structure & functions as AES
but
 input is mapped row wise
 has 10 rounds
 uses different S-box design & values

Performance & Security
 Whirlpool is a very new proposal
 hence little experience with use
 but many AES findings should apply
 does seem to need more h/w than SHA, but with better resulting performance

HMAC
 Hash-based Message Authentication Code
 Design Objectives
 use, without modifications, hash functions
 allow for easy replicability of embedded hash function
 preserve original performance of hash function without significant degradation
 use and handle keys in a simple way.
 have well understood cryptographic analysis of authentication mechanism
strength
 any hash function can be used
 eg. SHA-1,512, Whirlpool etc

Algorithm
 b = number of bits in a block
 K+ is K padded with zeros on the left so that the result is b bits in length.
 ipad is a pad value of 36 hex repeated to fill block
 opad is a pad value of 5C hex repeated to fill block.
 M is the message input
 Yi = ith block of M,
 H = embedded hash function.
 L = number of blocks in M.
 n = length of hash code produced by embedded hash function
 Then HMAC can be represented as:
HMACK = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad)||M)]]

1. Append zeros to the left end of K to
create a b-bit string K+.
2. XOR (bitwise exclusive-OR) K + with
ipad to produce the b-bit block Si.
3. Append M to Si.
4. Apply H to the stream generated in step
3.
5. XOR K+ with opad to produce the b-bit
block S0.
6. Append the hash result from step 4 to
So.
7. Apply H to the stream generated in step
6 and output the result.

HMAC Security
 proved security of HMAC relates to that of the underlying hash algorithm
 attacking HMAC requires either:
 brute force attack on key used
 birthday attack
 choose hash function used based on speed verses security constraints

CMAC
 Cipher-based Message Authentication Code (CMAC).
 mode of operation for use with AES and triple DES.
 the operation of CMAC when the message is an integer multiple n of the cipher
block length b .

 If the message is not an integer multiple of the cipher block length, then the final
block is padded to the right (least significant bits) with a 1 and as many 0s as
necessary so that the final block is also of length .The CMAC operation then
proceeds as before, except that a different n-bit key K2 is used instead of K1.

 where
T = message authentication code, also referred to as the tag
Tlen = bit length of T
MSBs(X) = the s leftmost bits of the bit string X

Digital Signatures & Authentication Protocols
Digital Signature
 digital signatures provide the ability
to:
 verify author, date & time of
signature
 authenticate message contents
 be verified by third parties to
resolve disputes
 hence include authentication
function with additional capabilities

Digital Signature Properties
 must depend on the message signed
 must use information unique to sender
 must be relatively easy to produce
 must be relatively easy to recognize & verify
 be computationally infeasible to forge
 with new message for existing digital signature
 with fraudulent digital signature for given message
 be practical save digital signature in storage

 Two approaches : direct and arbitrated.
Direct Digital Signatures
 involve only sender & receiver
 assumed receiver has sender’s public-key
 digital signature made by sender signing entire message or hash with private-key
 can encrypt using receivers public-key
 important that sign first then encrypt message & signature
 security depends on sender’s private-key

Arbitrated Digital Signatures
 involves use of arbiter A
 validates any signed message
 then dated and sent to recipient
 requires suitable level of trust in arbiter
 can be implemented with either private or public-key algorithms
 arbiter may or may not see message

Digital Signature Standard (DSS)
 DSS is the standard, uses the SHA hash algorithm and it cannot be used for
encryption or key exchange
 includes alternative RSA & elliptic curve signature variants
 Two Approaches to Digital Signatures
I. RSA approach
II. DSS approach

Digital Signature Algorithm (DSA)
 creates a 320 bit signature

Authentication Protocols
 used to convince parties of each others identity and to exchange session keys
 may be one-way or mutual
 key issues are
 confidentiality – to protect session keys
 timeliness – to prevent replay attacks

Mutual authentication
 enable communicating parties to satisfy themselves mutually about each other's
identity and to exchange session keys.
Replay Attacks
 where a valid signed message is copied and later resent
 countermeasures include
 use of sequence numbers
 timestamps
 challenge/response

Using Symmetric Encryption
 use a two-level hierarchy of keys
 usually with a trusted Key Distribution Center (KDC)
 each party shares own master key with KDC
 KDC generates session keys used for connections between parties
 master keys used to distribute these to them

Needham-Schroeder Protocol
 used to securely distribute a new session key for
communications between A & B
 key distribution protocol for session between A
and B mediated by KDC
 protocol overview is:
1. A->KDC: IDA || IDB || N1
2. KDC -> A: EKa[Ks || IDB || N1 || EKb[Ks||IDA] ]
3. A -> B: EKb[Ks||IDA]
4. B -> A: EKs[N2]
5. A -> B: EKs[f(N2)]
 Ka and Kb:Secret keys
 Ks: session key

Using Public-Key Encryption
 have a range of approaches based on the use of public-key encryption
 need to ensure have correct public keys for other parties
 using a central Authentication Server (AS)
 various protocols exist using timestamps or nonces

Denning AS Protocol
1. A -> AS: IDA || IDB
2. AS -> A: EPRas[IDA||PUa||T] || EPRas[IDB||PUb||T]
3. A -> B: EPRas[IDA||PUa||T] || EPRas[IDB||PUb||T] || EPUb[EPRas[Ks||T]]
 timestamps prevent replay but require synchronized clocks

One-Way Authentication
 required when sender & receiver are not in communications at same time (eg.
email)
 have header in clear so can be delivered by email system
 may want contents of body protected & sender authenticated

Using Symmetric Encryption
 This scheme requires the sender to issue a request to the intended recipient,
await a response that includes a session key, and only then send the message.
1. A->KDC: IDA || IDB || N1
2. KDC -> A: EKa[Ks || IDB || N1 || EKb[Ks||IDA] ]
3. A -> B: EKb[Ks||IDA] || EKs[M]

Public-Key Approaches
 have seen some public-key approaches
 if confidentiality is major concern, can use:
A->B: EPUb[Ks] || EKs[M]
 has encrypted session key, encrypted message
 if authentication needed use a digital signature with a digital certificate:
A->B: M || EPRa[H(M)] || EPRas[T||IDA||PUa]
 with message, signature, certificate

Computer security module 3

More Related Content

What's hot

Viewers also liked

Similar to Computer security module 3

More from Deepak John

Recently uploaded

Computer security module 3