Anda di halaman 1dari 7

CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall

– Fall 2003 – Class 5 – 9/23/03

One-Way Hash Functions Birthday Attacks


Take a variable-length input M and produce fixed-length Sometimes what we also need is collision resistance:
output (hash value or message digest) it is hard to find two random
messages M and M1 such that H(M)=H(M1)
h = H (M )
This is called birthday attack and is based on a
The idea is to fingerprint M birthday paradox
Given M easy to compute h How many people must be in a room until the probability is


Given h very hard to compute M greater than 0.5 that two of them
have the same birthday? 23
One-bit change in M changes many bits in h


For a hash function that produces m bit hash,




Good one-way hash function is collision-free: given M it is very




it takes 2m/2 trials to find two messages that


hard to find M ′ such that H(M)=H(M′) hash to the same value
One-way hash function is public We need large m, currently 128-160


1 2

CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

One-Way Hash Functions MD5


Divide M into 512-bit blocks


Divide M into blocks, generate hash value iteratively Pad M with string of 1 and many zeros so that it is
64 bit short of multiple of 512
Mi
H hi Concatenate original length as 64-bit number
hi-1 

Blocks are processed sequentially


Hash value of the whole message is obtained in the Last result is hash value for the whole message


last step and is 128-bit long

3 4

CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

MD5 MD5 One Block Processing


For each message block:


Variables A, B, C, D are initialized (for first block


they are constant values) A A
B Round1 Round2 Round3 Round4 B
Go through 4 rounds; each round repeats the C C
following operation 16 times: D D
Performs non-linear function on three variables


Sums the result, the fourth variable, message subblock




(32-bits) and a constant


Rotates the result to the left, adds it to one of the


variables and replaces this variable

5 6

1
CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

MD5 One Round SHA


Similar to MD5 but:


Has 20 operations per round


A Mj ti Operations are different than in MD5 but along
B similar lines
C Non-linear
function
<< S Each message block (16*32-bits) is expanded
D (80*32 bits)
Produces 160-bit hash value

7 8

CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

Message Authentication Code (MAC)


Digital Signatures
Key-dependent one-way hash function


Proof of authorship or agreement with




Only someone with a correct key can verify the contents of a document
hash value
Signature is authentic (noone but Alice could
Easy way to turn one-way hash function into have signed a document with her signature)
MAC is to encrypt hash value with symmetric
Signature is unforgeable
algorithm
Signature is not reusable
Signed document in unalterable
Signature cannot be repudiated

9 10

CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

Arbitrated Signatures Public-Key Signatures


Alice wants to sign a message and send it to Bob Alice encrypts the document with her private key
 

Alice and Trent share KA, Bob and Trent share KB 

Sends the signed document to Bob who decrypts


Alice encrypts the message with KA and sends it to it with her public key
Trent This signature is reusable, Bob can take the same
He decrypts it, adds a statement that he has received message and claim he received it multiple times →
this from Alice, encrypts it with KB and sends it to add timestamps
Bob Signing the whole document with public key is slow
Bob can also prove to Carol that he received the → sign a hash of the document produced by one-way
message from Alice but he needs to involve Trent hash function
again
11 12

2
CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

Digital Signature Algorithm (DSA) Digital Signature Algorithm (DSA)


To sign a message M, Alice:
US standard by NIST


Generates a random number k, k<q




Choose public values p, q, and g




Generates signatures r and s




p is a prime number, L bits long (64 ≤ L ≤ 128, r = ( g k mod p ) mod q


L=k*64) s = (k −1 ( H ( M ) + x * r )) mod q
q is a 16-bit prime factor of p-1 To verify signatures r and s, Bob computes
G=h(p-1)/q where h is any number such that w = s −1 mod q
h(p-1)/q mod p > 1 u1 = ( H ( M ) * w) mod q
Choose private key x and public key y so that u 2 = (r * w) mod q


x is a number less than q v = (( g u1 * y u2 ) mod p ) mod q


y =gx mod p If v = r then signature is verified
13 14

CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

Digital Signature Algorithm (DSA) DSA vs. RSA


To sign a message M, Alice: Values r and k-1 can be precomputed so DSA signatures
Generates a random number k, k<q can be made very fast


Generates signatures r and s




However verification is slower than RSA


r = ( g k mod p ) mod q
RSA can be done through DSA
s = (k −1 ( H ( M ) + x * r )) mod q
With modulus n, message M and public key e for RSA, just do


To verify signatures r and s, Bob computes p=q=n, g=M, k=e, x=h=0


−1
w=s mod q
Returned value r will be ciphertext


u1 = ( H ( M ) * w) mod q
DSA is public, RSA used to be patented
u 2 = (r * w) mod q
u1 u2
v = (( g * y ) mod p ) mod q
If v = r then signature is verified
15 16

CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

Terminology Digital Signatures with Encryption


Combining digital signatures with public-key


cryptography we gain security and authenticity


M M,S M
Alice SA(M) VA(C) Bob Alice first signs the message (or message digest) with
her private key: SA(M)
K1 K2
Alice encrypts the signed message with Bob’s public
M – message
K1 – Alice’s private key key: EB(SA(M))
SA(M) – message M is signed by Alice Bob decrypts the message with his private key:
K2 – Alice’s public key DB(EB(SA(M))) = SA(M)
VA(M) – signature of the message M (generated by Alice) is verified Bob verifies Alice’s signature
VA (SA(M)) = M
17 18

3
CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

Digital Signatures with Encryption Revisiting Cryptography Goals


Only Bob can decrypt the message (security) and Protect private communication in the public world


he knows that Alice has sent the message (Symmetric and public key cryptography)
Alice and Bob are shouting messages in a crowded room


(authenticity)
No guest can understand what they are saying


If Alice encrypted message digest he can also




Authentication (Digital signatures)


verify that the message has not been changed 

Bob can verify that Alice has created the message




If Alice added timestamps he can also verify that Integrity (Message digests)
Bob can verify that message has not been modified


the message has not been replayed


Non-repudiation (Digital signatures + timestamps)
Alice cannot deny that she indeed sent the message


19 20

CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

Revisiting Cryptography Threats Revisiting Common Practices


Ciphertext-only attack Alice and Bob exchange symmetric key


Known plaintext attack using:


Public-key encryption
Chosen plaintext attack


If they first send each other public keys,




Adaptive chosen plaintext attack Mallory can do man-in-the-middle attack


If they obtain public keys from a database,


Man-in-the-middle attack


Mallory can poison public-key database


with bad keys
Substitute, modify, drop, replay messages
Diffie-Hellman key exchange
Mallory can do man-in-the-middle attack


21 22

CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

Man-in-the-Middle Attack Key Exchange with


on Key Exchange Interlock Protocol
First four steps are the same


Alice to Bob her public key Pub(A)




Alice to Bob her public key Pub(A)


Mallory captures this and sends to Bob Pub(M)


Mallory captures this and sends to Bob Pub(M)


Bob sends to Alice his public key Pub(B) Bob sends to Alice his public key Pub(B)


Mallory captures this and sends to Alice Pub(M) Mallory captures this and sends to Alice Pub(M)
Alice encrypts a message in Pub(M) but sends


Now Alice and Bob correspond through Mallory




half to Bob – Mallory cannot recover this


who can read all their messages message and duplicate it
This works if Mallory cannot mimic Alice’s


23 and Bob’s messages 24

4
CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

Delayed Key Exchange Authentication


Alice and Bob need not exchange keys directly How does Alice prove her identity?
 

to communicate When she logs on


Alice generates a random session key K When she sends messages to Bob
She obtains Bob’s public key from a database and
encrypts K with that EB(K)
She sends both the message encrypted with K,
EK(M) and a key EB(K) to Bob
This is how most real-world protocols work


25 26

CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

Authentication on Log-on Authentication on Log-on


Alice inputs her password, computer verifies Hackers can compile a list of frequently used
 

this against list of passwords passwords, apply one-way function to each and


If computer is broken into, hackers can learn store them in a table – dictionary attack
everybody’s passwords Host adds random salt to password, applies


Use one-way functions, store the result for every one-way function to that and stores result and
valid password salt value
Perform one-way function on input, compare result
against the list

27 28

CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

Authentication on Log-on Authentication on Log-on


SKEY – Alice will have different password each Someone sniffing on the network can learn the


time she logs on password


To set-up the system, Alice enters random number R Host keeps a file of every user’s public key
Host calculates x0=f(R), x1=f(f(R)), x2=f(f(f(R))),..., x100 Users keep their private keys
When Alice attempts to log on, host sends her a
Alice keeps this list, host sets her password to x101 random number R
Alice logs on with x100, host verifies f(x100)=x101, Alice encrypts R with her private key and sends to
resets password to x100 host
Next time Alice logs on with x99 Host can now verify her identity by decrypting the
message and retrieving R
29 30

5
CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

Authentication and Key Exchange Arbitrated Key Exchange


Alice wants to exchange keys with Bob


Trent will play the role of trusted authority




How can she be sure that she is talking to Bob?


He will arbitrate key exchange and guarantee for
How is this solved in the real world?


Alice’s and Bob’s identity


Bob gets his ID from a trusted authority –
government, DMV
Bob shows his ID to Alice

31 32

CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

Key Exchange with Digital Signatures Needham-Schroeder Key Exchange


Trent signs both Alice’s and Bob’s public keys – he Alice sends message to Trent with her name, Bob’s
generates public-key certificate name and a random number A, B, RA
Trent generates session key K, encrypts K, A with key
When they receive keys they verify the signature
he shares with Bob ETB(K, A), he then encrypts this
Everyone has Trent’s public key


message, K, B and RA with key he shares with Alice


Mallory cannot impersonate Alice or Bob because his ETA(K, B, RA, ETB(K, A))
key is signed as Mallory’s Alice decrypts the message, verifies RA and sends
Certificate usually contains more than the public key ETB(K, A) to Bob


Name, network address, organization Bob decrypts the message, generates a random
Trent is known as Certificate Authority (CA) number RB and sends to Alice EK(RB)
Alice decrypts the message, sends to Bob EK(RB-1)
33 34

CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

Kerberos Authentication Service Kerberos Authentication Service


Kerberos is trusted authority with whom everyone A ticket is used to pass securely to the server the
shares keys identity of the client
It is good for a single client and single server for some


When a client on a network wants to talk to a server, period of time


he issues a request for a ticket to Kerberos’ Ticket 

It contains client’s name and network address, server’s


Granting Server (TGS) name, timestamp and a session key, all encrypted with a
Client uses this ticket always when he talks to the key server shares with Kerberos
server, sometimes he also sends authenticators An authenticator is generated whenever a client
Clients and servers do not trust each other requests some service from the server
It is good only for one request


It contains client’s name, a timestamp and an optional




additional key, all encrypted with session key


35 36

6
CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

Kerberos Authentication Service Kerberos Authentication Service


To get initial ticket To get ticket for specific server
Alice sends a message with her name and a name of a Alice sends a request with her name and server’s name to
 

Ticket Granting Server (TGS) to Kerberos TGS, encrypted with KATGS, accompanied with TGT and


Kerberos generates a session key KATGS to be used between authenticator


her and TGS and also generates Ticket Granting Ticket TGS decrypts TGT with his secret key and retrieves KATGS


(TGT) 

TGS uses KATGS to decrypt authenticator and compare


Kerberos encrypts KATGS with Alice’s secret key and Alice’s information in authenticator with information in


encrypts TGT with TGS’s secret key, sends both to Alice TGT, and compare timestamps
Alice retrieves KATGS and saves it and TGT If everything matches he generates a session key KAS to be
 

used between her and server and a valid ticket TAS


TGS encrypts KAS with KATGS and encrypts TAS with server’s


secret key, sends both to Alice


37 38

CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

Kerberos Authentication Service


To request service
Alice sends a valid ticket TAS and authenticator


Server decrypts TAS with his secret key and retrieves KAS


Server uses KAS to decrypt authenticator and compare




Alice’s information in authenticator with information in


TAS, and compare timestamps
If everything matches he grants the request


For applications that require mutual authentication server




will send to Alice a timestamp encrypted with KAS

39