session_04_integrity_and_authentication_091308


Integrity and Authentication
Cryptography and Network Security, TECH 6350, Session 4
Manuel Mogollon (m_mogollon@verizon.net)
Graduate School of Management, Information Assurance, University of Dallas
M. Mogollon – 01/08

Session 4 – Contents
• Integrity
— Message Authentication Code (MAC)
— Hash Functions
• Authentication
— Digital Signature Standard (FIPS 186-2)
— DSA (ANSI X9.30)
— RSA (ANSI X9.31)
— ElGamal
— ECDSA (ANSI X9.62)

• In the world of communications, assurance is sought that (1) a message is not accidentally or deliberately modified in transit by replacement, insertion, or deletion; (2) the message is coming from the source from which it claims to come; (3) the message is protected against unauthorized individuals reading information that is supposed to be kept private; and (4) there is a protection against an individual denying she/he sent or received a message.
• In this session, methods that can check if a message was modified (hash functions), and ways to verify a sender’s identity by using digital signatures will be explained.

Integrity
Assurance that a message was not accidentally or deliberately modified in transit by replacement, insertion, or deletion.
[Diagram: integrity mechanisms: hash functions (SHA-1, SHA-256, SHA-384, SHA-512, MD5), digital signature, MAC (DES CBC, AES-XCBC-MAC-96), encryption, and HMAC (HMAC-SHA-1-96, HMAC-MD5-96).]

• The mechanism for ensuring that data is not altered when transmitted from source to destination, or when it is stored, is called integrity. Message Digest 5 (MD5), Secure Hash Standards (SHA-1, SHA-256, SHA-384, and SHA-512), Message Authentication Codes (MACs), and Keyed-Hash Message Authentication Codes (HMAC) are mechanisms that check the integrity of a message.
• Encryption provides intrinsic integrity because if a ciphertext block has been modified, the block will not be deciphered properly. A digital signature also provides integrity because it uses hash functions.

What is Integrity?
integrity / n. (1) The property of ensuring that data is transmitted from source to destination without undetected alteration. (2) The process of preventing undetected alteration of data.

Integrity Using a Message Summary
[Figure: Bob's statement "I sent you $567.34 with Mary" acts as the message digest (hash); Alice counts the money and checks whether it was $567.34 (yes/no). The message digest (hash) is used to prove that the stated amount of money was not altered.]

• When Bob tells Alice that he sent $567.34 with Mary, Alice uses that information to check, count the money, and verify that the amount of money was not altered.
• This is similar to a message digest or hash function.

Message Authentication Code (MAC)
[Figure: the sender runs the message through a block cipher in CBC mode with the secret key and initial variable and transmits the message with the MAC (last ciphertext block); the receiver repeats the computation with the same secret key and initial variable and compares the two MACs.]
• Both parties share a secret key.
• Last ciphertext block sent as a hash.
• IV is zero block (all “0” bits).
• DES 64-bit hash, AES 128-bit hash used.

• The mechanisms that provide integrity checks based on a secret key are usually called Message Authentication Codes (MACs). Typically, MACs are used between two parties who share a secret key in order to authenticate information transmitted between these parties.
• MAC is a key-dependent one-way hash function.
One popular way to construct a MAC algorithm is to use a block cipher in conjunction with the Cipher Block Chaining (CBC) mode of operation with the IV = 0. The MAC is the ANSI standard DES-based checksum, also known as the U.S. Government Standard Computer Data Authentication Code, FIPS PUB 113 (Federal Information Processing Standards (FIPS), 1985).
• The integrity provided by the MAC is based on the fact that it is not possible to generate a MAC without knowing the cryptographic key. An adversary without knowledge of the key will not be able to modify data and then generate an authentic MAC on the modified data. It is, therefore, crucial that keys be protected so that their secrecy is preserved. If the key is known only by the source and the destination, this algorithm will provide both data origin authentication and data integrity for datagrams sent between the two parties. In addition, only a party with the identical key can verify the hash.

Using CBC Mode as a Hash Function
[Figure: each cleartext block is XORed with the previous ciphertext block (the IV for the first block) and encrypted by the block cipher; the last ciphertext block is the output.]
• Sends last ciphertext block as a hash.
• Uses a fixed known Crypto Variable IV.
• DES hash: 64 bits.
• AES hash: 128 bits.

• The data (e.g., record, file, message, or program) to be authenticated is grouped into contiguous bit blocks: D1, D2, ..., Dn. If the number of data bits is not a multiple of n, the block size, then the final input block will be a partial block of data, left justified, with zeroes appended to form a full n-bit block.
The calculation of the hash is given by the following equations:
• O1 = e(D1)
• O2 = e(D2 XOR O1)
• O3 = e(D3 XOR O2)
• On = e(Dn XOR O(n-1))
• The Cipher Block Chaining Mode (CBC) with Initialization Vector (IV) = 0 (see FIPS 113) and the n-bit Cipher Feedback Mode with IV = D1 and data equal to D2, D3, ..., Dn (see FIPS PUB 81) both yield the required hash calculation.

AES-XCBC-MAC-96
[Figure: the secret key K encrypts Seed 1, Seed 2 and Seed 3 with the AES block cipher to produce K1, K2 and K3. Message blocks M1, M2, ..., Mn-1 are chained through the AES block cipher under K1, with E(0), E(1), ..., E(n-1) as the chaining values; the last message block Mn is XORed with E(n-1) and K2 or K3 and encrypted under K1 to give E(n).]
• RFC 3566 is proposed for use in IPSec, AH and ESP.
• E(n) is a 128-bit authenticator value. AES-XCBC-MAC-96 is derived by truncating the 128-bit value in the same way as it is done in HMAC.
• The length of 96 bits is the default authenticator length for use with either ESP or AH.

• According to RFC 3566, the classic CBC-MAC algorithm, while secure for messages of a preselected fixed length, has been shown to be not secure across messages of varying lengths such as the type found in typical IP datagrams. The new algorithm, AES-XCBC-MAC-96, RFC 3566 (Frankel & Herbert), specifies the use of AES in CBC mode with a set of extensions to overcome this limitation.
• AES-XCBC-MAC-96 is secure for messages of arbitrary length. AES-XCBC-MAC-96 is used as an authentication mechanism within the context of IPsec in the Encapsulating Security Payload (ESP) and the Authentication Header (AH) protocols.
• As with MAC, data integrity and data origin authentication, as provided by AES-XCBC-MAC-96, depend on the secrecy of the secret key K and of its distribution.
• Derive 3 128-bit keys (K1, K2 and K3) from the 128-bit secret key K, as follows:
— K1 = 0x01010101010101010101010101010101 encrypted with Key K
— K2 = 0x02020202020202020202020202020202 encrypted with Key K
— K3 = 0x03030303030303030303030303030303 encrypted with Key K.
• For block M[n]:
1. If the blocksize of M[n] is 128 bits: XOR M[n] with E[n-1] and Key K2, the result is encrypted with Key K1, yielding E[n].
2. If the blocksize of M[n] is less than 128 bits:
— Pad M[n] with a single 1 bit, followed by the number of 0 bits (possibly none) required to increase M[n]'s blocksize to 128 bits.
— XOR M[n] with E[n-1] and Key K3, then encrypt the result with Key K1, yielding E[n].

Hash Functions – One-way Functions
[Figure: the message is followed by a pad and BR (the binary representation of the message length) so that the total length is divisible by the block size; message blocks M1, M2, ..., Mn are fed in turn, starting from an initial value, through the compression function to produce the hash.]
• Take an input m and return a fixed-size string.
• Hard to invert. Given the hash value, it is computationally infeasible to find the initial value m.
• Message Digest 5 (MD5) and Secure Hash Algorithm are hash functions.

• Hash functions are used to prove that transmitted data was not altered. A hash function H takes an input message m and transforms it to produce a hash value h that is a function of the message, h = H(m); the input is a variable string and the output is a fixed-size string. The hash value is also called a message digest or a fingerprint of the message because there is a very low probability that two messages will produce the same hash value.
• Hash functions are hard to invert. Given the hash value, it is computationally infeasible to find the initial value m.
• A hash function must have the following properties:
— The message size can be of any length.
— The hash value has a fixed length.
— It is relatively easy to compute H(m) for any given message.
— It is computationally infeasible, virtually impossible, to
   — Find the message m from H(m). This is called a one-way function.
   — Have two messages, m1 and m2, in which H(m1) = H(m2)
   — Find two messages, m1 and m2, such that H(m1) = H(m2)

Checking Integrity with a Hash Function
[Figure: the sender computes the message's hash with the hash function and transmits the message and the hash; the receiver runs the received message through the hash function and compares the result with the received hash.]
• The message and the message’s hash are sent to the receiver.
• The receiver compares the received hash with a newly generated hash.
• If the hashes are the same, it is highly probable that the message has not been changed.

• Hash functions are used to prove that the transmitted data was not altered.

Secure Hash Standard
• On April 17, 1995, the National Institute of Standards and Technology, NIST, approved the Secure Hash Standard, FIPS PUB 180-1, which included one secure hash algorithm, the SHA-1.
• On February 1, 2003, a new Secure Hash Signature Standard (SHS) (FIPS PUB 180-2) was approved; it added three hash algorithms, SHA-1, SHA-256, SHA-384, and SHA-512.
• The SHA-1 algorithm specified in the FIPS PUB 180-2 is the same algorithm that was specified previously in FIPS 180-1, although some of the notation was modified to be consistent with the notation used in the SHA-256, SHA-384, and SHA-512 algorithms.

• The Secure Hash Standard is required for use with the Digital Signature Algorithm (DSA), as specified in the Digital Signature Standard (DSS), and, also, whenever a secure hash algorithm is required for federal applications.
• FIPS PUB 180-2 (Federal Information Processing Standards (FIPS), 1995b) specifies four secure hash algorithms, SHA-1, SHA-256, SHA-384, and SHA-512. The message digests range in length from 160 to 512 bits, depending on the algorithm. The SHA-1 algorithm specified in the FIPS PUB 180-2 is the same algorithm that was specified previously in FIPS 180-1, although some of the notation was modified to be consistent with the notation used in the SHA-256, SHA-384, and SHA-512 algorithms.
• All four of the algorithms are iterative, one-way hash functions that can process a message to produce a condensed representation called a message digest. They are called secure because, according to the standard, it is computationally infeasible (1) to find a message that corresponds to a given message digest, or (2) to find two different messages that produce the same message digest. Therefore, these hash algorithms enable the determination of a message’s integrity: any change to the message will, with a very high probability, result in a different message digest. This will result in a verification failure when the secure hash algorithm is used with a digital signature algorithm or a keyed-hash message authentication algorithm. Secure hash algorithms are typically used with other cryptographic algorithms, such as digital signature algorithms and keyed-hash message authentication codes, or in the generation of random numbers (bits).

Basic properties of all four SHAs

Algorithm   Message Size (bits)   Block Size (bits)   Word Size (bits)   Message Digest Size (bits)   Security (bits)
SHA-1       < 2^64                512                 32                 160                          80
SHA-256     < 2^64                512                 32                 256                          128
SHA-384     < 2^128               1024                64                 384                          192
SHA-512     < 2^128               1024                64                 512                          256

• The number of bits of security that are provided for the data being hashed is directly related to the message digest length.
When a secure hash algorithm is used in conjunction with another algorithm, the FIPS PUB 180-2 recommends the use of the hash algorithm that corresponds according to the number of bits of security. For example, if a message is being signed with a digital signature algorithm that provides 128 bits of security, then that signature algorithm may require the use of a secure hash algorithm that also provides 128 bits of security (e.g., SHA-256). Table 6-1 presents the basic properties of all four secure hash algorithms.

Key Length Equivalent Strengths

Security (Bits)   Symmetric Encryption Algorithm   Hash Algorithm   Block Size (Bits)   Word Size (Bits)   Diffie-Hellman and RSA Modulus Size   ECC
80                SKIPJACK                         SHA-1            512                 32                 1024                                  160
112               3DES                             SHA-1            512                 32                 2048                                  224
128               AES-128                          SHA-256          512                 32                 3072                                  256
192               AES-256                          SHA-384          1024                64                 7680                                  384
256               AES-512                          SHA-512          1024                64                 15360                                 512

• Where hash functions are used, there are two approaches to try to break the hash: exploiting a weakness in the hash algorithm design, i.e., collision attacks, or using brute force attacks. Brute force involves exhaustive procedures that try all password possibilities, one-by-one. Brute force programs will attempt to crack the password using every combination of numeric, alphabetic, and special characters available no matter how long it takes.
• There have been several reports questioning the resiliency of the MD5 (128-bit) and, more recently, the SHA-1 (160-bit) hashing algorithms. New algorithms have called into question the resiliency of the SHA-1 hashing algorithm because those new algorithms can find collisions in an estimated work factor of 2^69 hash computations.
• The current NIST recommendation is to consider migrating to the stronger hash functions (SHA-256, SHA-512). There is no immediate risk to products in deploying SHA-1, especially for message authentication requirements.
In fact, companies might be forced to support SHA-1 for legacy support in customer networks.
• The National Institute of Standards and Technology (NIST) has specified in FIPS 180-2 the correct combination of hash size, AES key size, and public-key modulus for specific authentication levels of security. For example, if a message is being signed with a digital signature algorithm that provides 128 bits of security, then that signature algorithm may require the use of a secure hash algorithm that also provides 128 bits of security (e.g., SHA-256).
• In the table above, the minimum RSA public-key size refers to the bit-length of the RSA modulus. The RSA public key algorithm uses a nonprime large number, the RSA modulus n, that is equal to the product of the two large prime factors p and q.

SHA Operations
• Bitwise logical word operations
— x ∧ y = bitwise logical "and" of x and y.
— x ∨ y = bitwise logical "inclusive-or" of x and y.
— x XOR y = bitwise logical "exclusive-or" of x and y.
— ¬x = bitwise logical "complement" of x.
• Addition modulo 2^w
— X + Y is defined as follows: words x and y represent integers X and Y, where 0 ≤ X ≤ 2^w and 0 ≤ Y ≤ 2^w. For positive integers U and V, let U mod V be the remainder upon dividing U by V. Compute Z = (X + Y) mod 2^w. Then 0 ≤ Z ≤ 2^w. Convert Z to a word, z, and define z = x + y.
• ROTLn(x) = (x << n) v (x >> w - n). (Circular left shift operation)
— x << n is obtained as follows: discard the left-most n bits of X and then pad the result with n zeroes on the right (the result will still be w bits).
— x >> w - n is obtained by discarding the right-most w - n bits of X and then padding the result with n zeroes on the left.

• The AND function sets the resulting bit to 1 if the corresponding bit in both operands is 1; otherwise the result is 0.
• Inclusive OR means that if either or both of the operands are 1, the result is 1; otherwise the result is 0.
• Exclusive OR means that if just one of the operands is 1 the result is 1; otherwise the result is 0.
• The Complement operator inverts the value of each bit of the operand: if the operand bit is 1 the result is 0 and if the operand bit is 0 the result is 1.
• The following table shows the AND, Inclusive OR, and Exclusive OR functions:

p   q   p ∧ q (AND)   p ∨ q (OR)   p ⊕ q (XOR)
0   0   0             0            0
0   1   0             1            1
1   0   0             1            1
1   1   1             1            0

Secure Hash Algorithm SHA-1
• SHA-1 is used to generate a condensed representation of a message called a message digest.
• The SHA-1 is required for use with the Digital Signature Algorithm (DSA), as specified in the Digital Signature Standard (DSS), and whenever a secure hash algorithm is required for federal applications.
• The SHA-1 sequentially processes blocks of 512 bits when computing the message digest; padding is required, even if the message is a multiple of 512. Padding is done as follows:
— Append a “1” bit followed by “0” bits until the length is 64 bits less than a multiple of 512 (length = 448 mod 512).
— Append a 64-bit representation of the pre-padded message length.
• The padded message length is 512 × n.
• Hash functions are used to prove that the transmitted data was not altered.

• The National Institute of Standards and Technology, NIST, developed the Secure Hash Algorithm (SHA-1). The current FIPS PUB 180-1 supersedes FIPS PUB 180, published on May 11, 1993. The SHA-1 is required for use with the Digital Signature Algorithm (DSA), as specified in the Digital Signature Standard (DSS), and whenever a secure hash algorithm is required for federal applications.
• The SHA-1 is designed so it is computationally infeasible to find a message which corresponds to a given message digest, or to find two different messages which produce the same message digest.
• The SHA-1:
— Works on messages up to 2^64 in length.
— Produces a 160-bit message digest.
— Pads a message to a multiple of 512 bits (length = 448 mod 512).
— Carries out eighty operations in its main algorithm.
— Performs a non-linear operation on three of the five variables A, B, C, D, and E in each operation.

Computing SHA-1 Message Digest
[Figure: each 512-bit message block M(1), M(2), ..., M(N) is split into sixteen words, Word[0] to Word[15], of four 8-bit bytes each. For block M(i) the compression function starts from a = H0(i-1), b = H1(i-1), c = H2(i-1), d = H3(i-1), e = H4(i-1), and the new H values are H0(i) = a + H0(i-1), H1(i) = b + H1(i-1), H2(i) = c + H2(i-1), H3(i) = d + H3(i-1), H4(i) = e + H4(i-1). The initial H values H0(0), ..., H4(0) feed the first block.]

• The SHA-1 sequentially processes blocks of 512 bits when computing the message digest and padding is required, even if the message is a multiple of 512. Suppose that the length of the message, M, is l bits and k is the number of zero bits. Padding is done as follows:
• A 1 bit followed by 0 bits is appended until the length is 64 bits less than a multiple of 512 (l + 1 + k = 448 mod 512).
• A 64-bit block that is equal to the number l expressed using a binary representation is appended. The padded message length is 512 × n.
• The message is divided into 512-bit message blocks, and each block into 16 words W[0], W[1], ..., W[15], where W[0] is the left-most word.
• The initial H values do not change.
— H[0] = 67452301
— H[1] = EFCDAB89
— H[2] = 98BADCFE
— H[3] = 10325476
— H[4] = C3D2E1F0.
• After the first message block is compressed, each word is added to the initial H word values.
• The new H values become the initial H values for the second block. The process continues in the same manner.
• The last H values are concatenated and become the hash value.

SHA-1 Compression Function
[Figure: buffer 1 holds the initialization values H0(0) = 67452301, H1(0) = EFCDAB89, H2(0) = 98BADCFE, H3(0) = 10325476, H4(0) = C3D2E1F0, which are copied into buffer 2 as a, b, c, d, e. Buffer 2 is transformed for t = 0 to t = 79 with a = T, T = ROTL5(a) + ft(b,c,d) + e + Wt + Kt, and c = ROTL30(b). After t = 79, a79, b79, c79, d79 and e79 are added to H0(0), ..., H4(0) to give H0(1), ..., H4(1), which are used for the next block M(2).]

• The SHA-1 computation uses two buffers, each consisting of five 32-bit words, and a sequence of eighty 32-bit words. The words of the first 5-word buffer are labeled H0, H1, H2, H3, H4. The words of the second 5-word buffer are labeled a, b, c, d, and e.
• After the last round, the a, b, c, d, and e words are added to the initial H word values.
• The new H values are used as the new initialization vectors for the next block.
• After the last message block, Mn, has been processed, the message digest is the 160-bit string represented by the 5 words Hn[0] Hn[1] Hn[2] Hn[3] Hn[4].

SHA-1 Rounds
[Figure: the 512-bit message block M1 is split into the words W0 to W15 of four 8-bit bytes each; a, b, c, d, e start from the initial values H0(0), ..., H4(0) and are transformed for t = 0 to t = 79.]
For t = 0 to 16 let Wt equal the message words W0 … W15
For t = 16 to 79 let Wt = ROTL1(W[t-3] XOR W[t-8] XOR W[t-14] XOR W[t-16])
For t = 0 to 79 do a = T; b = a; c = ROTL30(b); d = c; e = d;
Where:
T = ROTL5(a) + ft(b,c,d) + e + Wt + Kt
ROTL5(a) = (a << 5) v (a >> 32-5)
Kt = 5A827999 (0 ≤ t ≤ 19)
Kt = 6ED9EBA1 (20 ≤ t ≤ 39)
Kt = 8F1BBCDC (40 ≤ t ≤ 59)
Kt = CA62C1D6 (60 ≤ t ≤ 79)
ft(b, c, d) = (b ∧ c) ⊕ (¬b ∧ d) (0 ≤ t ≤ 19)
ft(b, c, d) = b ⊕ c ⊕ d (20 ≤ t ≤ 39)
ft(b, c, d) = (b ∧ c) ⊕ (b ∧ d) ⊕ (c ∧ d) (40 ≤ t ≤ 59)
ft(b, c, d) = b ⊕ c ⊕ d (60 ≤ t ≤ 79).

• There are 80 rounds in SHA-1.
• In each round, the words A, B, C, D, and E are transformed according to specific formulas.
• As the arrows indicate, A becomes B, C becomes D, and D becomes E.
• The new A value is calculated according to the T formula.
• The new C value is calculated according to the formula c = ROTL30(b).
• ROTL30(b) = (b << 30) v (b >> 32 - 30).
• b << 30 is obtained as follows: discard the left-most 30 bits of b and then pad the result with 30 zeroes on the right (the result will still be 32 bits).
• b >> 32 - 30 is obtained by discarding the right-most 2 bits of b and then padding the result with 2 zeroes on the left.
• Thus ROTL30(b) is equivalent to a circular shift of b by 30 positions to the left.

MD5
• MD2, MD4, and MD5 are message-digest algorithms developed by Ronald Rivest in 1989, 1990, and 1991.
• All three algorithms produce a 128-bit message digest of the message input, which may have any length, but in reality it is expected that the message will have less than 2^64 bits.
• The MD5 sequentially processes blocks of 512 bits when computing the message digest, and padding is required even if the message is a multiple of 512.
Padding is done as follows:
— Append a “1” bit followed by “0” bits until the length is 64 bits less than a multiple of 512 (length = 448 mod 512).
— Append a 64-bit representation of the pre-padded message length.
• The padded message length is 512 × n.

Computing MD5 Message Digest
[Figure: each 512-bit message block M1, M2, ..., Mn is split into sixteen words, Word[0] to Word[15], of four 8-bit bytes each. The compression function for block Mi starts from the current A, B, C, D values and produces AAi[64], BBi[64], CCi[64], DDi[64]; the new values are A = A + AAi[64], B = B + BBi[64], C = C + CCi[64], D = D + DDi[64]. The initial values feed the first block.]

• MD5 sequentially processes blocks of 512 bits when computing the message digest and padding is required, even if the message is a multiple of 512. Padding is similar to SHA-1 and it is done as follows:
— A single 1 bit followed by 0 bits is appended until the length is 64 bits less than a multiple of 512 (length = 448 mod 512), then,
— A 64-bit representation of the pre-padded message length is appended.
• The padded message length is 512 × n.
• The message is divided into 512-bit message blocks, and each block into 16 words W[0], W[1], ..., W[15], where W[0] is the left-most word.
• MD5 uses a four-word buffer (A, B, C, and D) to compute the message digest.
A, B, C, and D are 32-bit registers and are initialized with the following values in hexadecimal:
A = 01 23 45 67
B = 89 ab cd ef
C = fe dc ba 98
D = 76 54 32 10
• After the first message block is compressed, each word AA, BB, CC, and DD is added to the initial A, B, C, and D word values.
• The new A, B, C, and D values become the initial A, B, C, and D values for the second block. The process continues in the same manner.
• The last A, B, C, and D values are concatenated and become the message digest value.

MD5 Implementation
[Figure: buffer 1 holds the initialization values A = 01 23 45 67, B = 89 ab cd ef, C = fe dc ba 98, D = 76 54 32 10, which are copied into buffer 2. Buffer 2 is transformed in rounds 1 to 4, each running from t0 to t15, with the new value an computed in every step; the results AA, BB, CC, DD are added to A, B, C, D and used for the next block.]
• After the last message block, Mn, has been processed, the message digest is the 128-bit string represented by the 4 words A B C D.

• MD5 has four rounds and each round has 16 transformations.
• In each round, the words A, B, C, and D are transformed according to specific formulas.
• As the arrows indicate, B becomes C, C becomes D, and D becomes A.
• The new B value is calculated according to the function an.
• The function an is different for each round.

MD5 Rounds
Round 1: a1 = b + ((a + F(b,c,d) + X[k] + T[i]) <<< s)
Round 2: a2 = b + ((a + G(b,c,d) + X[k] + T[i]) <<< s)
Round 3: a3 = b + ((a + H(b,c,d) + X[k] + T[i]) <<< s)
Round 4: a4 = b + ((a + I(b,c,d) + X[k] + T[i]) <<< s)
Where:
F(b,c,d) = bc v not(b) d
G(b,c,d) = bd v c not(d)
H(b,c,d) = b xor c xor d
I(b,c,d) = c xor (b v not(d))
X[k] represents the kth sub-block of the message (from 0 to 15).
T[i] is the integer part of 4294967296 times abs(sin(i)), where i is in radians. Note 4294967296 is 2^32.
<<< s represents a left shift of s bits.
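The SHA-1 padding rule, message schedule and 80-round compression function from the SHA-1 slides above, written out as an added Python example (not part of the original slides). The function names and the constructed sample message are assumptions of this example; the H values, Kt constants and ft functions are the ones the slides list.

```python
import struct

MASK32 = 0xFFFFFFFF
# Initial H values H0(0)..H4(0) as listed in the slides.
H_INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def rotl(x: int, n: int) -> int:
    """ROTLn(x) = (x << n) v (x >> 32 - n), kept to a 32-bit word."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def pad(message: bytes) -> bytes:
    """Append a 1 bit, k zero bits so that l + 1 + k = 448 mod 512, then l as 64 bits."""
    l_bits = len(message) * 8
    padded = message + b"\x80"                     # the 1 bit and seven 0 bits
    padded += b"\x00" * ((56 - len(padded)) % 64)  # remaining 0 bits
    return padded + struct.pack(">Q", l_bits)


def f_and_k(t: int, b: int, c: int, d: int):
    """Return ft(b, c, d) and Kt for round t."""
    if t <= 19:
        return (b & c) ^ (~b & d), 0x5A827999
    if t <= 39:
        return b ^ c ^ d, 0x6ED9EBA1
    if t <= 59:
        return (b & c) ^ (b & d) ^ (c & d), 0x8F1BBCDC
    return b ^ c ^ d, 0xCA62C1D6


def compress(h, block: bytes):
    """Run the 80 rounds over one 512-bit block and return the new H values."""
    w = list(struct.unpack(">16I", block))         # W0..W15, W0 is the left-most word
    for t in range(16, 80):
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = h
    for t in range(80):
        f, k = f_and_k(t, b, c, d)
        big_t = (rotl(a, 5) + f + e + w[t] + k) & MASK32
        # All five words are updated at once from the previous round's values.
        a, b, c, d, e = big_t, a, rotl(b, 30), c, d
    return tuple((x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e)))


def sha1(message: bytes) -> bytes:
    """Pad, compress block by block, and concatenate the last H values."""
    padded = pad(message)
    h = H_INIT
    for i in range(0, len(padded), 64):
        h = compress(h, padded[i:i + 64])
    return struct.pack(">5I", *h)


def unchanged(received_message: bytes, received_digest: bytes) -> bool:
    """Receiver side of the integrity check: recompute the hash and compare."""
    return sha1(received_message) == received_digest


if __name__ == "__main__":
    sent = b"I sent you $567.34 with Mary."       # constructed sample message
    digest = sha1(sent)
    print(digest.hex())
    print(unchanged(sent, digest))                                  # True
    print(unchanged(b"I sent you $467.34 with Mary.", digest))      # False
```

A bare hash only detects accidental change or change by someone who cannot also replace the digest; a party able to alter both needs to be stopped with a keyed construction such as the MAC or HMAC covered in these notes.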
SHA-1 and MD5 Comparison

Secure Hash Algorithm (SHA-1)
• Developed by NSA and is required for use with the Digital Signature Algorithm (DSA).
• Works on messages up to 2^64 in length.
• Produces a 160-bit message digest.
• Processes block messages of 512 bits.
• Has four rounds of twenty operations in main loop of algorithm.
• Performs a non-linear operation on three of the five variables a, b, c, d, e in each operation.

Message Digest 5 (MD5)
• Developed by Ronald Rivest in 1991 (MD2 in 89, MD4 in 90).
• Works on messages up to 2^64 in length.
• Produces a 128-bit message digest.
• Processes block messages of 512 bits.
• Has four rounds of sixteen operations in main loop of algorithm.
• Performs a non-linear operation on three of the four variables A, B, C, D in each operation.

• Hash functions are used to prove that the transmitted data was not altered.
• SHA-1 is better than MD5 because it has a longer message digest and because it performs more linear operations on more variables than MD5.
• Besides, MD5 has been deprecated because it has a known collision weakness.

Keyed-Hash Message Authentication Code (HMAC)
[Figure: the packet (IP header, AH, message, pad) and the 128-bit shared key are input to the hash function (SHA-1 or MD5), giving a 160- or 128-bit value; that value and the shared key are input to the hash function (SHA-1 or MD5) again, giving the 160- or 128-bit result.]
• HMAC is a cryptographically strong way to use a specific hash function for MAC calculation.
• The hash function is applied twice in succession.
— In the first round, the input to the hash function is the shared secret key and the message.
— The 160-bit or 128-bit output hash value and the key are input again to the hash function in the second round.
• HMAC output could be truncated (i.e., the length of the MAC used is less than the length of the output of the MAC function).
If HMAC is truncated to 96 bits, it is then called HMAC-MD5-96 or HMAC-SHA-1-96 Integrity MAC HASH SHA MD5 HMAC Authentication Digital Signatures 23 M. Mogollon – 01/08 - 23 • The Federal Information Processing Standards FIPS PUB 198 (2002) describes HMAC as a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any approved cryptographic hash function in combination with a shared secret key. The cryptographic strength of a HMAC depends on the properties of the underlying hash function. The HMAC specified in FIPS PUB 198 is a generalization of Internet RFC 2104 (Krawczyk, Bellare, & Canetti, 1997), HMAC, “Keyed-Hashing for Message Authentication,” and ANSI X9.71, “Keyed Hash Message Authentication Code.” • In HMAC a shared secret and the message are mixed into the digest, H(S+M). At he destination, the recipient use his own copy of S to create H'(S+M). • When HMAC is used, the strength of the integrity protection depends on the secrecy of S and the inability of the attacker to figure out S. Kerberos’ tickets can be used as the shared secret. • HMAC provides message integrity. 23 Integrity and Authentication HMAC Implementation B Block size (in bytes) of the hash function input. An approved hash function. Inner pad; 00110110 (the byte 36 in hexadecimal) repeated B times. K Secret key shared between the originator and the intended receiver(s). K0 The key K after any necessary pre-processing to form a B byte key. L Byte-length of the hash function output. opad Outer pad; 01011100 (the byte 5c in hexadecimal repeated B times. t The number of bytes of MAC. text The data on which the HMAC is calculated; text does not include the padded key. The length of text is n bits, where 0 ≤ n < 2B - 8B. x’N’ Hexadecimal notation, where each symbol in the string ‘N’ represents 4 binary bits. || Concatenation XOR Exclusive-Or operation. 
[Figure: HMAC computation flow, in order:]
  Determine K0
  K0 XOR ipad
  (K0 XOR ipad) || text
  H((K0 XOR ipad) || text)
  K0 XOR opad
  (K0 XOR opad) || H((K0 XOR ipad) || text)
  H((K0 XOR opad) || H((K0 XOR ipad) || text))
  MAC(text)t = Leftmost “t” bytes of H((K0 XOR opad) || H((K0 XOR ipad) || text))

          B (Bytes)   L (Bytes)
MD5       64          16
SHA-1     64          20
DES       8           8
3DES      8           8

• The hash function is applied twice in succession.
• In the first round, the input to the hash function is the shared secret key and the message.
• The 128-bit output hash value and the key are input again to the hash function in the second round.
• The two rounds are highlighted in green.
• The table shows B (block byte length) and L (byte length) of the different approved hash functions used with HMAC. A byte is equal to 8 bits.
• Some HMAC implementations truncate the output H to a given length t, so only part of the hash is output. RFC-2104 (Krawczyk, Bellare, & Canetti, 1997) recommends that t should not be less than half of the original hash output. The HMAC notation is as follows: HMAC – Hash algorithm – t. For example, HMAC-SHA-1-96 is an HMAC that uses SHA-1 for its hash function, and the resulting hash is truncated to 96 bits. The SHA-1 output is 160 bits.

What is Authentication?

authentication / n. (1) The act of identifying or verifying the entity that originated the message or the corroboration (proof) of the sender's identity, i.e., that he is who he claims to be. Written messages are authenticated with a handwritten signature so the receiver of the message is able to validate the message. (2) access. The act of identifying or verifying the eligibility of a station, originator, or individual to access specific categories of information.

digital signature / n. electronic equivalent of a signature on a message. It combines a one-way hash function with public key cryptography.
A digital signature must be a function of the documents it signs. A Digital Signature is created by taking the hash function of a message and encrypting it with the sender’s private key.

• Authentication is the act of identifying or verifying the entity that originated the message. It can also mean the corroboration (proof) of the sender's identity and authenticity, that he is the one he claims to be. When a written message is sent, the message is authenticated with a handwritten signature so the receiver of the message is able to validate the message.
• While passwords can be used for establishing identity, it is better to use public-key digital signatures, such as the DSS and the RSA, because of their strong authentication mechanisms.
• When using public-key digital signatures, each entity requires a public key and a private key. Certificates are an essential part of a digital signature authentication mechanism. Certificates bind a specific entity's identity (be it host, network, user, or application) to its public keys and, possibly, to other security-related information such as privileges, clearances, and compartments. Authentication based on digital signatures requires a trusted third party or certificate authority to create, sign, and properly distribute certificates.

Authentication

Assurance that the message is coming from the source from which it claims to be.

[Figure: Authentication tree. Labels: Authentication; Digital Signatures; Hash Functions; MD5, SHA; RSA, DSA, ECDSA, ElGamal.]

Digital signatures provide authentication, non-repudiation, and integrity.

A digital signature is created by taking the message’s hash and encrypting it with the sender’s private key.

• The DSS standard specifies a suite of algorithms which can be used to generate a digital signature.
Those algorithms are: DSA, RSA, and ECDSA.
• Note that the ElGamal digital signature signs the message and not the message’s hash, as do RSA and the DSA.

Digital Signatures

• A digital signature is the electronic analogue of a handwritten signature. Digital signatures provide the following:
  — Authentication - It should be possible for the recipient of a message to ascertain its origin.
  — Non-repudiation - A sender should not be able to later deny having sent and signed the message.
  — Integrity - It should be possible for the recipient of the message to verify that it has not been modified in transit.
• A digital signature must provide the following assurances:
  — The signature is not forgeable.
  — The signature can be validated.
  — Once a message is signed, the sender must not be able to repudiate it.

• Digital signatures provide a way to verify that a message has not been altered in transit, and for a recipient to be certain of the originator's identity.

Digital Signatures

[Figure: Digital signature generation and verification. Alice (sender): cleartext message, hash function, hash, encipher with Alice’s private key, digital signature. Bob (recipient): decipher the digital signature with Alice’s public key, hash function over the cleartext message, hash, verification.]

If both values are equal, the message is from Alice and it has not been tampered with.

A Digital Signature is created by taking the hash function of a message and encrypting it with the sender’s private key.

• A Digital Signature is created by hashing the message and taking the hash result and encrypting (signing) it with the sender’s private key. Signing the message digest rather than the message often improves the efficiency of the process because the message digest is usually much smaller in size than the message.
The cleartext message is concatenated with the digital signature.
• The figure above shows how authentication is achieved using digital signatures. Alice hashes the message and the hash is encrypted using Alice’s private key. Alice transmits the message in clear concatenated with the digital signature. When Bob receives the message, he deciphers the digital signature using Alice’s public key and obtains the message hash. Bob then hashes the cleartext message and compares both hashes. If both hashes are the same, then the message has not been modified and it came from Alice.
• The following are the requirements for a digital signature:
  • The signature must be a bit pattern that depends on the message being signed.
  • The signature must use some information unique to the sender, the sender’s private key, to prevent both forgery and denial.
  • It must be very easy to produce.
  • It must be very easy to recognize and verify.
  • It must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing digital signature or by constructing a fraudulent digital signature for a given message.
  • It must be possible to store a copy.

Digital Signatures

• The Digital Signature Standard (DSS), FIPS Pub 186-2, prescribes three algorithms suitable for digital signatures:
  — Digital Signature Algorithm (DSA)
    – Standard for digital authentication.
    – Initial 512-bit key size increased to 1024 for better security.
  — RSA algorithm
    – Uses MD5 as a hash and RSA public Key for signing.
  — ECDSA algorithm.
    – Described in Appendix 6 of the FIPS Pub 186-2 are the recommended Elliptic Curves for Federal Government use.
• ElGamal
  — Signs the message, not the message digest of the message.
• The FIPS Pub 186-2, issued on January 27, 2000, is the specification for the Digital Signature Standard (DSS), which prescribes three algorithms suitable for digital signatures: the Digital Signature Algorithm (DSA), the RSA algorithm, and the ECDSA algorithm.
• For a digital signature to work, the signatory and the verifier need to have their public and private keys. The private key is used in the signature generation process, and the public key is used in the signature verification process. Also, the Secure Hash Algorithms (SHA), specified in FIPS 180-2, are used for both signature generation and verification.
• If a message is signed with Alice’s private key, then it is possible to assume that only Alice signed the message because she is the only one who has that private key. A spoofer, who does not know Alice’s private key, cannot generate Alice’s correct signature. In other words, digital signatures cannot be forged. In the same way, if a message is enciphered with Bob’s public key, only Bob will be able to decipher the message because it is assumed that only Bob has Bob’s private key.
• Because there is the possibility that a spoofer may post his own public key as Alice’s or Bob’s, it is necessary to have a means of associating a user's identity and the user's public key. A mutually trusted party, a certifying authority, could sign credentials containing the user’s public key and identity by creating a digital certificate that binds the certificate to the user.

Digital Signature Algorithm (DSA)

Alice (has p, q, g and her private key x):
  y = g^x mod p
  r = (g^k mod p) mod q
  s = (k^{-1} (H(m) + x r)) mod q
Send message m and Alice’s signature, r and s.
H(m) = Secure Hash Algorithm of message m

Bob (has p, q, g, y) verifies the signature by computing:
  w = (s′)^{-1} mod q
  u1 = (H(m′) w) mod q
  u2 = ((r′) w) mod q
  v = ((g^{u1} y^{u2}) mod p) mod q

p, q, and g can be public. x is an integer with 0 < x < q. Alice’s private and public keys are x and y.
x and k must be secret. k must be changed for each signature.
If v = r, then the signature is verified. m′, r′, and s′ are the received versions of m, r, and s.

• If you are not interested in the mathematics involved, just remember that Alice and Bob need to agree on the integers p, q, and g, which can be public and can be common to a group of users.
• Alice generates her private and public keys, x and y, respectively, and then calculates two numbers r and s that are sent to Bob.
• Parameters x and k are used for signature generation only, and must be kept secret. Parameter k must be changed for each signature, that is, for each message signed.
• Bob makes several calculations, based on the numbers sent by Alice, and he arrives at a value v. If the value v, calculated by Bob, and the value r, sent by Alice, are the same, then the signature is validated and the message has not been changed.
• DSS, sometimes called Digital Signature Algorithm (DSA), cannot be used for encryption or key distribution. The algorithm gets its security from the difficulty of computing discrete logarithms in a Galois field.
• p is a prime modulus, where 2^{L-1} < p < 2^L.
• q is a 160-bit prime factor of p – 1, where 2^{159} < q < 2^{160}.
• g = h^{(p - 1) / q} mod p, where h is any number 1 < h < p such that h^{(p - 1) / q} mod q > 1.
• x = a randomly or pseudo randomly generated integer with 0 < x < q.
• y = g^x mod p.
• k = a randomly or pseudo randomly generated integer with 0 < k < q.
• H(m) = Secure Hash algorithm.
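The signing and verification equations from the DSA slide, as an added Python example that is not part of the original course material. The domain parameters are toy values assumed for the example (a 127-bit p and a 20-bit q instead of the 160-bit q the slide specifies), and all function names are hypothetical.

```python
import hashlib
import secrets

# Toy domain parameters (assumption): far too small for real use, chosen so the
# arithmetic runs instantly while keeping q a prime factor of p - 1.
P = 2**127 - 1          # prime modulus p
Q = 649657              # prime factor q of p - 1
assert (P - 1) % Q == 0


def find_generator():
    """g = h^((p-1)/q) mod p for the first h that gives g > 1."""
    for h in range(2, P):
        g = pow(h, (P - 1) // Q, P)
        if g > 1:
            return g


G = find_generator()


def H(m):
    """SHA-1 of the message, as an integer."""
    return int.from_bytes(hashlib.sha1(m).digest(), "big")


def keygen():
    x = secrets.randbelow(Q - 1) + 1          # private key, 0 < x < q
    return x, pow(G, x, P)                    # public key y = g^x mod p


def sign(m, x, k=None):
    """Return (r, s). k is drawn fresh for every signature unless a caller forces it."""
    while True:
        kk = k if k is not None else secrets.randbelow(Q - 1) + 1   # 0 < k < q
        r = pow(G, kk, P) % Q
        s = (pow(kk, -1, Q) * (H(m) + x * r)) % Q
        if r and s:
            return r, s
        if k is not None:
            raise ValueError("forced k gives r = 0 or s = 0")


def verify(m, r, s, y):
    """Bob's computation on the received m', r', s'."""
    if not (0 < r < Q and 0 < s < Q):         # reject out-of-range values first
        return False
    w = pow(s, -1, Q)
    u1 = (H(m) * w) % Q
    u2 = (r * w) % Q
    v = (pow(G, u1, P) * pow(y, u2, P)) % P % Q
    return v == r


def repeated_r(signatures):
    """Audit check: the same r in two signatures from one key means k was reused."""
    rs = [r for r, _ in signatures]
    return len(rs) != len(set(rs))
```

Because r depends only on k and the public parameters, `repeated_r` lets an auditor spot a signer that breaks the "k must be changed for each signature" rule without knowing x.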
Authentication and Confidentiality

[Figure: Authentication and confidentiality. Message sender: cleartext message, hash (SHA-1), encipher with sender’s private key (RSA digital signature), sender’s certificate, symmetric encipher into the signed cipher message, session key enciphered into the RSA digital envelope. Recipient: decipher the digital envelope to obtain the session key, symmetric decipher of the signed cipher message into the deciphered message and sender’s certificate, decipher the DSS / RSA digital signature with the sender’s public key, hash (SHA-1), hash verification (yes/no).]

• Some protocols rely on cryptography and digital certificates to ensure message confidentiality and authentication. Whenever end-users and Certificate Authorities are exchanging information, either to get a certificate, to place orders, or to request payment authorization, the information is secured using digital signatures, digital envelopes and encryption.
• The following steps describe the authentication and confidentiality:
  • The sender generates a random session key. The session key is a one-time secret key used to encipher the message by encrypting it with a symmetric encryption algorithm.
  • The message is hashed using SHA-1 and signed using RSA with the sender’s private key, creating a digital signature.
  • The cleartext message is concatenated with the digital signature and the sender’s certificate.
  • The cleartext message, digital signatures, and certificate are enciphered with a symmetric algorithm (AES) using the one-time secret key generated previously by the sender.
  • The one-time session key is enciphered with RSA using the recipient’s public key. The enciphered one-time session key is called a Digital Envelope.
  • The enciphered session key is concatenated with the signed cipher message.
  • To decipher and authenticate the message, the receiver performs the above steps in reverse.
RSA Encryption and Digital Signature

[Figure: RSA encryption and digital signature. Message sender: plaintext message, hash (MD5), encipher with sender’s private key (digital signature), encipher with receiver’s public key (signed cipher message). Transmission media. Receiver: decipher with receiver’s private key (deciphered message and digital signature), decipher the digital signature with sender’s public key, hash (MD5), hash verification (yes/no).]

• A Digital Signature is created by taking the hash function of a message and encrypting it with the sender’s private key.
• The digital signature and message are concatenated and enciphered with the receiver’s public key.
• The receiver deciphers the encrypted information using his private key and gets the plaintext message and the digital signature.
• The receiver deciphers the digital signature using the sender’s public key and gets the message’s hash.
• The receiver creates a message hash using the deciphered plaintext and compares both hashes.

ElGamal Digital Signature

Alice
• Let M be a document to be signed, where 0 ≤ M ≤ p - 1.
• Select a large prime number as p, the modulo.
• Choose a random number RA, uniformly between 0 and p - 1, such that gcd (RA, p - 1) = 1.
• Compute
    VA = a^{RA} mod p
  where a, the base, is a primitive root modulus p.
• Generate the private and public keys according to Diffie-Hellman
    PubA = a^{PrivA} mod p
• Find IRA, the multiplicative inverse of RA such that
    RA * IRA ≡ 1 [mod (p - 1)]
• Compute SA, the signature
    SA = [IRA * (M - VA * PrivA)] mod (p - 1)

Bob
• Alice sends M, VA, and SA to Bob.
• For authentication, Bob computes
    CB = a^M mod p
    CB′ = [PubA^{VA} * VA^{SA}] mod p
• If CB = CB′, then M is authentic.
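The ElGamal signing and verification steps from the slide above, as an added Python example that is not part of the original course material. The prime p = 467, base a = 2, key and message values are small constructed numbers assumed so the arithmetic can be followed by hand, and the function names are hypothetical.

```python
from math import gcd
import secrets

P = 467      # toy prime modulus p (constructed; real use needs a large prime)
A = 2        # base a, a primitive root modulo p


def keygen(priv=None):
    """Return (PrivA, PubA) with PubA = a^PrivA mod p."""
    if priv is None:
        priv = secrets.randbelow(P - 3) + 2          # 2 <= PrivA <= p - 2
    return priv, pow(A, priv, P)


def sign(M, priv, RA=None):
    """Return (VA, SA) for an integer message M with 0 <= M <= p - 1."""
    if not 0 <= M <= P - 1:
        raise ValueError("M must satisfy 0 <= M <= p - 1")
    if RA is None:
        RA = secrets.randbelow(P - 2) + 1            # fresh random RA per signature
        while gcd(RA, P - 1) != 1:
            RA = secrets.randbelow(P - 2) + 1
    elif gcd(RA, P - 1) != 1:
        raise ValueError("gcd(RA, p - 1) must be 1")
    VA = pow(A, RA, P)                               # VA = a^RA mod p
    IRA = pow(RA, -1, P - 1)                         # RA * IRA = 1 mod (p - 1)
    SA = (IRA * (M - VA * priv)) % (P - 1)           # the signature
    return VA, SA


def verify(M, VA, SA, pub):
    """Bob's check: CB = a^M mod p must equal CB' = PubA^VA * VA^SA mod p."""
    # Range checks come first; values outside these ranges are rejected outright.
    if not (0 <= M <= P - 1 and 0 < VA < P and 0 <= SA < P - 1):
        return False
    CB = pow(A, M, P)
    CB_prime = (pow(pub, VA, P) * pow(VA, SA, P)) % P
    return CB == CB_prime


if __name__ == "__main__":
    priv, pub = keygen(127)                          # constructed private key
    VA, SA = sign(100, priv, RA=213)                 # constructed M and RA
    print("PubA =", pub, " VA =", VA, " SA =", SA)
    print("genuine M=100:", verify(100, VA, SA, pub))
    print("altered M=101:", verify(101, VA, SA, pub))
```

Because the scheme signs M itself rather than a digest, the range check on M in both functions is what keeps the input inside 0 ≤ M ≤ p - 1.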
• Alice selects a random number RA, computes VA, and generates her private and public key according to Diffie-Hellman.
• Then, Alice finds IRA, the multiplicative inverse of RA, and computes SA.
• Alice sends M (message), VA, and SA.
• Bob calculates CB and CB′ and if both are the same, then M is authentic.

To Probe Further

• ElGamal, T.A. (July 1985). Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms (pp. 469-472). IEEE Transactions on Information Theory, Vol. IT-31.
• Kohnfelder, L. M. (February 1978). On the Signature Reblocking Problem in Public-Key Cryptosystems (p. 179). Communications of the ACM, Vol. 21, No. 2.
• MD5 Message Digest Algorithm, RFC 1321.
• National Institute of Standards and Technology (1995). Secure Hash Standard. FIPS PUB 180-1.
• National Institute of Standards and Technology (1995). The Keyed-Hash Message Authentication Code. FIPS PUB 198.
• National Institute of Standards and Technology (2000). Digital Signature Standard. FIPS PUB 186-2.
• Newman, D. B., Omura, J. K., Pickholtz, R. L. (April 1987). Public Key Management for Network Security (pp. 12-13). IEEE Network Magazine, Vol. 1, No. 2.

This note was uploaded on 05/26/2010 for the course TECH 6350 taught by Professor Mogollon during the Spring '10 term at University of Arkansas for Medical Sciences.
