Embed Size (px)
DESCRIPTION
Lecture 10 Overview. Cryptographic Hash Functions. Message Digest Functions Protect integrity Create a message digest or fingerprint of a digital document MD4, MD5, SHA Message Authentication Codes (MACs) Protect both integrity and authenticity - PowerPoint PPT Presentation
Citation preview
Lecture 10 Overview
Cryptographic Hash Functions• Message Digest Functions – Protect integrity– Create a message digest or fingerprint of a digital
document– MD4, MD5, SHA
• Message Authentication Codes (MACs) – Protect both integrity and authenticity– Produce fingerprints based on both a given
document and a secret key
CS 450/650 Lecture 10: Hash Functions 2
Message Digest Functions• Checksums fingerprint of a message– If message changes, checksum will not match
• Most checksums are good in detecting accidental changes made to a message– They are not designed to prevent an adversary
from intentionally changing a message resulting a message with the same checksum• Message digests are designed to protect against this
possibility
CS 450/650 Lecture 10: Hash Functions 3
Collision-resistant, One-way hash fnc.
• Given M, – it is easy to compute h
• Given any h, – it is hard to find any M such that H(M) = h
• Given M1, it is difficult to find M2 – such that H(M1) = H(M2)
• Functions that satisfy these criteria are called message digest – They produce a fixed-length digest (fingerprint)
CS 450/650 Lecture 10: Hash Functions 4
A MAC Based on a Block Cipher
•M1
•Encrypt
•k
•M1
•Encrypt
•k
•XOR
•M1
•Encrypt
•k
•XOR
•… •MAC
CS 450/650 Lecture 10: Hash Functions 5
Secure Hash Algorithm (SHA)
• SHA-0 1993• SHA-1 1995• SHA-2 2002– SHA-224, SHA-256, SHA-384, SHA-512
•SHA-1SHA-1•A message A message composed of composed of b bitsb bits
•160-bit 160-bit message message digestdigest
CS 450/650 Lecture 8: Secure Hash Algorithm 6
Step 1 -- Padding• Padding the total length of a padded
message is multiple of 512– Every message is padded even if its length is already
a multiple of 512• Padding is done by appending to the input– A single bit, 1– Enough additional bits, all 0, to make the final 512
block exactly 448 bits long– A 64-bit integer representing the length of the
original message in bits
CS 450/650 Lecture 8: Secure Hash Algorithm 7
Step 2 -- Dividing Pad(M)• Pad (M) = B1, B2, B3, …, Bn
• Each Bi denote a 512-bit block
• Each Bi is divided into 16 32-bit words– W0, W1, …, W15
CS 450/650 Lecture 8: Secure Hash Algorithm 8
Step 3 – Compute W16 – W79
• To Compute word Wj (16<=j<=79)
– Wj-3, Wj-8, Wj-14 , Wj-16 are XORed
– The result is circularly left shifted one bit
CS 450/650 Lecture 8: Secure Hash Algorithm 9
Step 5 – Loop For j = 0 … 79
TEMP = CircLeShift_5 (A) + fj(B,C,D) + E + Wj + Kj
E = D; D = C; C = CircLeShift_30(B); B = A; A = TEMP
Done
+ addition (ignore overflow)
CS 450/650 Lecture 8: Secure Hash Algorithm 10
Four functions • For j = 0 … 19 – fj(B,C,D) = (B AND C) OR (B AND D) OR (C AND D)
• For j = 20 … 39 – fj(B,C,D) = (B XOR C XOR D)
• For j = 40 … 59 – fj(B,C,D) = (B AND C) OR ((NOT B) AND D)
• For j = 60 … 79 – fj(B,C,D) = (B XOR C XOR D)
CS 450/650 Lecture 8: Secure Hash Algorithm 11
Step 6 – Final • H0 = H0 + A
• H1 = H1 + B
• H2 = H2 + C
• H3 = H3 + D
• H4 = H4 + E
CS 450/650 Lecture 8: Secure Hash Algorithm 12
Done• Once these steps have been performed on
each 512-bit block (B1, B2, …, Bn) of the padded message, – the 160-bit message digest is given by
H0 H1 H2 H3 H4
CS 450/650 Lecture 8: Secure Hash Algorithm 13
SHAOutput
size (bits)
Internal state size
(bits)
Block size
(bits)
Max message size (bits)
Word size
(bits)Rounds Operations Collisions
found
SHA-0 160 160 512 264 − 1 32 80 +, and, or, xor, rot Yes
SHA-1 160 160 512 264 − 1 32 80 +, and, or, xor, rot
None (251 attack)
SHA-2
256/224 256 512 264 − 1 32 64 +, and, or, xor, shr, rot None
512/384 512 1024 2128 − 1 64 80 +, and, or, xor, shr, rot None
CS 450/650 Lecture 8: Secure Hash Algorithm 14
Lecture 11 Digital Signatures
CS 450/650
Fundamentals of Integrated Computer Security
Slides are modified from Hesham El-Rewini
Digital Signatures• A digital signature can be interpreted as
indicating the signer’s agreement with the contents of an electronic document– Similar to handwritten signatures on physical
documents
CS 450/650 Lecture 11: Digital Signatures 16
Digital Signature Properties
CS 450/650 Lecture 11: Digital Signatures 17
• Unforgeable: Only the signer can produce his/her signature
• Authentic: A signature is produced only by the signer deliberately signing the document
Digital Signature Properties• Non-Alterable: A signed document cannot be
altered without invalidating the signature
• Non-Reusable: A signature from one document cannot be moved to another document
• Signatures can be validated by other users– the signer cannot reasonably claim that he/she did
not sign a document bearing his/her signature
CS 450/650 Lecture 11: Digital Signatures 18
Digital Signature Using RSA• The RSA public-key cryptosystem can be used
to create a digital signature for a message m– Asymmetric Cryptographic techniques are well
suited for creating digital signatures
• The signer must have an RSA public/private key pair– c = Me mod n– M = cd mod n
CS 450/650 Lecture 11: Digital Signatures 19
Signature Generation (Signer)
Message
SignaturePrivate Key
RedundancyFunction
Formatted Message
Encrypt
CS 450/650 Lecture 11: Digital Signatures 20
Signature Verification
Message
Signature
Public Key
Verify
Formatted Message
Decrypt
CS 450/650 Lecture 11: Digital Signatures 21
Example• Generate signature S – d = 53– e = 413– n = 629– m = 250– Assume that R(X) = X
• S = R(m)e mod n – S = 25053 mod 629 = 411
CS 450/650 Lecture 11: Digital Signatures 22
Example• Verify signature with message recovery– Public key (e) = 413– n = 629– S = 411
• R(m) = Se mod n – R(m) = 411413 mod 629 = 250
• Verifier checks that R(m) has proper redundancy created by R (none in this case) – m = R-1(m) = 250
CS 450/650 Lecture 11: Digital Signatures 23
Creating a forged signature• Choose a random number between 0 and n-1
for S– S = 323
• Use the signer’s public key to decrypt S – R(m) = 323413 mod 629 = 85
• Invert R(m) to m: m = 85– A valid signature (323) has been created for a
random message (85)
CS 450/650 Lecture 11: Digital Signatures 24
Redundancy Function• The choice of a poor redundancy function can
make RSA vulnerable to forgery
• A good redundancy function should make forging signatures much harder
CS 450/650 Lecture 11: Digital Signatures 25
Example• generate signature S– d = 53– e = 413– n = 629– m = 7– Assume that R(X) = XX
• S = R(m)e mod n – S = 7753 mod 629 = 25
CS 450/650 Lecture 11: Digital Signatures 26
Example• verify signature with message recovery– Public key (e) = 413– n = 629– S = 25
• R(m) = Se mod n – R(m) = 25413 mod 629 = 77
• The verifier then checks that R(m) is of the form XX for some message X– m = R-1(m) = 7
CS 450/650 Lecture 11: Digital Signatures 27
Forging signature (revisited)• Choose a random number between 0 and n-1
for S– S = 323
• Use the signer’s public key to decrypt S – R(m) = 323413 mod 629 = 85
• However, 85 is not a legal value for R(m)– so S = 323 is not a valid signature
CS 450/650 Lecture 11: Digital Signatures 28
Privacy • Signature provides only authenticity.• How can we provide privacy in addition?
CS 450/650 Fundamentals of Integrated Computer Security 29
Simple Scenario of Digital Signature
Getting a Message Digest from a document
Hash MessageDigest
CS 450/650 Lecture 11: Digital Signatures 31
Generating Signature
MessageDigest
Signature
Encrypt using private keyEncrypt using private key
CS 450/650 Lecture 11: Digital Signatures 32
Appending Signature to document
Append
Signature
CS 450/650 Lecture 11: Digital Signatures 33
Verifying Signature
Hash
Decrypt using public keyDecrypt using public key
MessageDigest
MessageDigest
CS 450/650 Lecture 11: Digital Signatures 34
