IEMS5710 Message Authentication and Digital Signature.ppt

Message Authentication and
Digital Signature

26 Feb 2013
Prof. CHAN Yuen-Yan, Rosanna
Department of Information Engineering
The Chinese University of Hong Kong
Message Authentication

- message authentication is concerned with:
  - protecting the integrity of a message
  - validating identity of originator
  - non-repudiation of origin (dispute resolution)
- Possible attacks on messages
  - content modification
  - sequence modification
  - timing modification
  - source repudiation
  - destination repudiation
  - masquerade
- Three often-used functions:
  - hash function
  - message encryption
  - message authentication code (MAC)

                                  IEMS5710 - Lecture 6   2
Hash Functions

- condenses arbitrary message to fixed size
    h = H(M)
- usually assume hash function is public
- hash used to detect changes to message
- want a cryptographic hash function
  - computationally infeasible to find data mapping to a specific hash (one-way property)
  - computationally infeasible to find two data items mapping to the same hash (collision-free property)

Cryptographic Hash Function

- can use block ciphers as hash functions
Secure Hash Algorithm

- SHA originally designed by NIST & NSA in 1993
- was revised in 1995 as SHA-1
- US standard for use with DSA signature scheme
  - standard is FIPS 180-1 1995, also Internet RFC 3174
  - NB: the algorithm is SHA, the standard is SHS (Secure Hash Standard)
- produces 160-bit hash values
- recent 2005 results on security of SHA-1 have raised concerns on its use in future applications

Revised Secure Hash Standard

- NIST adds 3 additional versions of SHA in 2002
  - SHA-256, SHA-384, SHA-512
- designed for compatibility with increased security provided by the AES cipher
- structure & detail is similar to SHA-1
- hence analysis should be similar
- but security levels are rather higher

SHA Versions

SHA-512 Overview

Symmetric Message Encryption

- encryption can also provide authentication:
- if symmetric encryption is used then:
  - receiver knows sender must have created it
  - since only sender and receiver know key used, content cannot have been altered
- if message has suitable structure, redundancy or a checksum to detect any changes

Message Authentication Code (MAC)

- generated by an algorithm that creates a small fixed-sized block
  - depending on both message and some key
  - like encryption though need not be reversible
- appended to message as a signature
- receiver performs same computation on message and checks it matches the MAC
- provides assurance that message is unaltered and comes from sender

Message Authentication Code

- a small fixed-sized block of data
  - generated from message + secret key
  - MAC = C(K,M)
  - appended to message when sent

MAC Properties

- a MAC is a cryptographic checksum
    $\mathrm{MAC} = C_K(M)$
  - condenses a variable-length message M
  - using a secret key K
  - to a fixed-sized authenticator
- is a many-to-one mapping function
  - potentially many messages have same MAC
  - but finding these needs to be very difficult

Requirements for MACs

- taking into account the types of attacks
- need the MAC to satisfy the following:
  - knowing a message and its MAC, it is infeasible to find another message with the same MAC
  - MACs should be uniformly distributed
  - MAC should depend equally on all bits of the message

Authenticated Encryption

- simultaneously protect confidentiality and authenticity of
  - often required but usually separate
- approaches
  - Hash-then-encrypt: E(K, (M || H(M)))
  - MAC-then-encrypt: E(K2, (M || MAC(K1, M)))
  - Encrypt-then-MAC: (C=E(K2, M), T=MAC(K1, C))
  - Encrypt-and-MAC: (C=E(K2, M), T=MAC(K1, M))
- Cipher Block Chaining-Message Authentication Code
  - NIST standard SP 800-38C for WiFi
  - variation of encrypt-and-MAC approach
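
An added example (not from the lecture) comparing two of the approaches listed above, Encrypt-then-MAC and Encrypt-and-MAC. HMAC-SHA-256 stands in for MAC(K1, .) and a toy SHA-256 counter-mode keystream stands in for E(K2, .); both choices, the nonce handling and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def toy_encrypt(k2: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy E(K2, .): XOR with a SHA-256 counter-mode keystream (illustration only)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(k2 + nonce + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def mac(k1: bytes, data: bytes) -> bytes:
    """MAC(K1, .) instantiated here with HMAC-SHA-256 (an assumption)."""
    return hmac.new(k1, data, hashlib.sha256).digest()

def encrypt_then_mac(k1: bytes, k2: bytes, message: bytes):
    """C = E(K2, M), T = MAC(K1, C). A fresh 16-byte nonce is prepended to C."""
    nonce = os.urandom(16)
    c = nonce + toy_encrypt(k2, nonce, message)
    return c, mac(k1, c)

def encrypt_and_mac(k1: bytes, k2: bytes, message: bytes):
    """C = E(K2, M), T = MAC(K1, M)."""
    nonce = os.urandom(16)
    c = nonce + toy_encrypt(k2, nonce, message)
    return c, mac(k1, message)

def open_etm(k1: bytes, k2: bytes, c: bytes, tag: bytes):
    """Check the tag over C first (constant-time); decrypt only if it matches."""
    if not hmac.compare_digest(mac(k1, c), tag):
        return None
    return toy_encrypt(k2, c[:16], c[16:])

def open_eam(k1: bytes, k2: bytes, c: bytes, tag: bytes):
    """The tag covers M, so C has to be decrypted before the tag can be checked."""
    message = toy_encrypt(k2, c[:16], c[16:])
    return message if hmac.compare_digest(mac(k1, message), tag) else None

def tag_repeats(scheme, k1: bytes, k2: bytes, message: bytes) -> bool:
    """True if sending the same message twice yields the same tag."""
    return scheme(k1, k2, message)[1] == scheme(k1, k2, message)[1]

K1, K2 = os.urandom(32), os.urandom(32)   # constructed sample keys
MSG = b"transfer 100 to account 42"       # constructed sample message
```

With Encrypt-and-MAC the tag is a deterministic function of M, so an observer can tell when a message repeats; the Encrypt-then-MAC tag changes with the nonce and lets the receiver reject an altered ciphertext before decrypting it.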

Digital Signatures

- have looked at message authentication
  - but does not address issues of lack of trust
- digital signatures provide the ability to:
  - verify author, date & time of signature
  - authenticate message contents
  - be verified by third parties to resolve disputes
- hence include authentication function with additional

Public-Key Message Encryption (e.g. RSA)

- The RSA Digital Signature
- if public-key cryptography is used:
  - sender “signs” message (encrypt) using their private-key
  - (optional: then encrypts with recipient’s public key)
- To verify the signature
  - (Optional: after decrypting the message with receiver’s private key, if this optional encryption step has been taken by the
  - “Decrypt” with sender’s (i.e. the signer’s) public key
  - Verify if the decrypted content equals original message

Digital Signature Model

Direct Digital Signatures

- involve only sender (the signer) & receiver (the verifier)
- assumed receiver has sender’s public-key
- digital signature made by sender signing entire message or hash with private-key
- (can then be encrypted using receiver’s public-key)
- (important that sign first then encrypt message &
- security depends on sender’s private-key

Digital Signature Requirements

- must depend on the message signed
- must use information unique to sender
  - to prevent both forgery and denial
- must be relatively easy to produce
- must be relatively easy to verify
- be computationally infeasible to forge
  - with new message for existing digital signature
  - with fraudulent digital signature for given message

Attacks and Forgeries

- attacks
  - key-only attack
  - known message attack
  - generic chosen message attack
  - directed chosen message attack
  - adaptive chosen message attack
- break success levels
  - existential forgery
  - selective forgery
  - total break

ElGamal Digital Signatures

- signature variant of ElGamal, related to D-H
  - so uses exponentiation in a finite (Galois)
  - with security based on the difficulty of computing discrete logarithms, as in
- use private key for signing
- uses public key for verification
- each user (e.g. A) generates their key
  - chooses a secret key (number): $1 < x_A < q-1$
  - compute the public key $(q, a, y_A)$ where $y_A = a^{x_A} \bmod q$

ElGamal Digital Signature

- Alice signs a message M to Bob by computing
  - the hash $m = H(M)$, $0 \le m \le q-1$
  - choose random integer K with $1 \le K \le q-1$ and $\gcd(K, q-1) = 1$
  - compute temporary key: $S_1 = a^K \bmod q$
  - compute $K^{-1}$, the inverse of K mod (q-1)
  - compute the value: $S_2 = K^{-1}(m - x_A S_1) \bmod (q-1)$
  - signature is: $(S_1, S_2)$
- any user B can verify the signature by computing
  - $V_1 = a^m \bmod q$
  - $V_2 = y_A^{S_1} \, S_1^{S_2} \bmod q$
  - signature is valid if $V_1 = V_2$

- Note: from Fermat’s little theorem, $a^i \equiv a^j \pmod{q}$ iff $i \equiv j \pmod{q-1}$

ElGamal Signature Example

- use field GF(19), $q = 19$ and $a = 10$
- Alice computes her key:
  - A chooses $x_A = 16$ & computes $y_A = 10^{16} \bmod 19 = 4$
- Alice signs message with hash $m = 14$ as (3,4):
  - choosing random $K = 5$ which has $\gcd(18, 5) = 1$
  - computing $S_1 = 10^{5} \bmod 19 = 3$
  - finding $K^{-1} \bmod (q-1) = 5^{-1} \bmod 18 = 11$
  - computing $S_2 = 11\,(14 - 16 \cdot 3) \bmod 18 = 4$
- any user B can verify the signature by computing
  - $V_1 = 10^{14} \bmod 19 = 16$
  - $V_2 = 4^{3} \cdot 3^{4} = 5184 = 16 \bmod 19$
  - since 16 = 16 signature is valid
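
The key generation, signing and verification steps from the ElGamal slides above, as an added example (not part of the lecture) run on the slide's toy parameters q=19, a=10, xA=16, K=5, m=14. Function and constant names are illustrative, and the range check on (S1, S2) in `verify` is a standard precaution that the slides do not list.

```python
import math

# Toy parameters from the worked example on the slide (far too small for real use).
Q, A, X_A = 19, 10, 16

def keygen(q: int, a: int, x_a: int):
    """Return the public key (q, a, y_A) with y_A = a^x_A mod q."""
    if not 1 < x_a < q - 1:
        raise ValueError("secret key must satisfy 1 < x_A < q-1")
    return (q, a, pow(a, x_a, q))

def sign(q: int, a: int, x_a: int, m: int, k: int):
    """Sign hash value m with per-signature random K; returns (S1, S2)."""
    if not 1 <= k <= q - 1 or math.gcd(k, q - 1) != 1:
        raise ValueError("K must satisfy 1 <= K <= q-1 and gcd(K, q-1) = 1")
    s1 = pow(a, k, q)                          # S1 = a^K mod q
    k_inv = pow(k, -1, q - 1)                  # K^-1 mod (q-1), Python 3.8+
    s2 = (k_inv * (m - x_a * s1)) % (q - 1)    # S2 = K^-1 (m - x_A*S1) mod (q-1)
    return (s1, s2)

def verify(public, m: int, signature) -> bool:
    """Accept iff V1 = a^m mod q equals V2 = y_A^S1 * S1^S2 mod q."""
    q, a, y_a = public
    s1, s2 = signature
    # Added check, not on the slides: reject components outside their ranges.
    if not 1 <= s1 <= q - 1 or not 0 <= s2 <= q - 2:
        return False
    v1 = pow(a, m, q)
    v2 = (pow(y_a, s1, q) * pow(s1, s2, q)) % q
    return v1 == v2

if __name__ == "__main__":
    public = keygen(Q, A, X_A)
    signature = sign(Q, A, X_A, m=14, k=5)
    print(public, signature, verify(public, 14, signature))
```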


- William Stallings, Cryptography and Network Security: Principles and Practices, 5/e, Pearson
  - Chapter 11
  - Chapter 12
  - Chapter 13

