Anda di halaman 1dari 7

# CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall

## One-Way Hash Functions Birthday Attacks

Take a variable-length input M and produce fixed-length Sometimes what we also need is collision resistance:
output (hash value or message digest) it is hard to find two random
messages M and M1 such that H(M)=H(M1)
h = H (M )
This is called birthday attack and is based on a
The idea is to fingerprint M birthday paradox
Given M easy to compute h How many people must be in a room until the probability is


Given h very hard to compute M greater than 0.5 that two of them
have the same birthday? 23
One-bit change in M changes many bits in h






## it takes 2m/2 trials to find two messages that

hard to find M ′ such that H(M)=H(M′) hash to the same value
One-way hash function is public We need large m, currently 128-160


1 2

CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

## One-Way Hash Functions MD5

Divide M into 512-bit blocks


Divide M into blocks, generate hash value iteratively Pad M with string of 1 and many zeros so that it is
64 bit short of multiple of 512
Mi
H hi Concatenate original length as 64-bit number
hi-1 

## Blocks are processed sequentially

Hash value of the whole message is obtained in the Last result is hash value for the whole message


## last step and is 128-bit long

3 4

CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

## MD5 MD5 One Block Processing

For each message block:


## Variables A, B, C, D are initialized (for first block

they are constant values) A A
B Round1 Round2 Round3 Round4 B
Go through 4 rounds; each round repeats the C C
following operation 16 times: D D
Performs non-linear function on three variables




## (32-bits) and a constant

Rotates the result to the left, adds it to one of the


## variables and replaces this variable

5 6

1
CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

## MD5 One Round SHA

Similar to MD5 but:


## Has 20 operations per round

A Mj ti Operations are different than in MD5 but along
B similar lines
C Non-linear
function
<< S Each message block (16*32-bits) is expanded
D (80*32 bits)
Produces 160-bit hash value

7 8

CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

## Message Authentication Code (MAC)

Digital Signatures
Key-dependent one-way hash function


## Proof of authorship or agreement with



Only someone with a correct key can verify the contents of a document
hash value
Signature is authentic (noone but Alice could
Easy way to turn one-way hash function into have signed a document with her signature)
MAC is to encrypt hash value with symmetric
Signature is unforgeable
algorithm
Signature is not reusable
Signed document in unalterable
Signature cannot be repudiated

9 10

CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

## Arbitrated Signatures Public-Key Signatures

Alice wants to sign a message and send it to Bob Alice encrypts the document with her private key
 

## Sends the signed document to Bob who decrypts

Alice encrypts the message with KA and sends it to it with her public key
Trent This signature is reusable, Bob can take the same
He decrypts it, adds a statement that he has received message and claim he received it multiple times →
this from Alice, encrypts it with KB and sends it to add timestamps
Bob Signing the whole document with public key is slow
Bob can also prove to Carol that he received the → sign a hash of the document produced by one-way
message from Alice but he needs to involve Trent hash function
again
11 12

2
CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

## Digital Signature Algorithm (DSA) Digital Signature Algorithm (DSA)

To sign a message M, Alice:
US standard by NIST








## p is a prime number, L bits long (64 ≤ L ≤ 128, r = ( g k mod p ) mod q

L=k*64) s = (k −1 ( H ( M ) + x * r )) mod q
q is a 16-bit prime factor of p-1 To verify signatures r and s, Bob computes
G=h(p-1)/q where h is any number such that w = s −1 mod q
h(p-1)/q mod p > 1 u1 = ( H ( M ) * w) mod q
Choose private key x and public key y so that u 2 = (r * w) mod q


## x is a number less than q v = (( g u1 * y u2 ) mod p ) mod q

y =gx mod p If v = r then signature is verified
13 14

CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

## Digital Signature Algorithm (DSA) DSA vs. RSA

To sign a message M, Alice: Values r and k-1 can be precomputed so DSA signatures
Generates a random number k, k<q can be made very fast




## However verification is slower than RSA

r = ( g k mod p ) mod q
RSA can be done through DSA
s = (k −1 ( H ( M ) + x * r )) mod q
With modulus n, message M and public key e for RSA, just do


## To verify signatures r and s, Bob computes p=q=n, g=M, k=e, x=h=0

−1
w=s mod q
Returned value r will be ciphertext


u1 = ( H ( M ) * w) mod q
DSA is public, RSA used to be patented
u 2 = (r * w) mod q
u1 u2
v = (( g * y ) mod p ) mod q
If v = r then signature is verified
15 16

CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

## Terminology Digital Signatures with Encryption

Combining digital signatures with public-key


## cryptography we gain security and authenticity

M M,S M
Alice SA(M) VA(C) Bob Alice first signs the message (or message digest) with
her private key: SA(M)
K1 K2
Alice encrypts the signed message with Bob’s public
M – message
K1 – Alice’s private key key: EB(SA(M))
SA(M) – message M is signed by Alice Bob decrypts the message with his private key:
K2 – Alice’s public key DB(EB(SA(M))) = SA(M)
VA(M) – signature of the message M (generated by Alice) is verified Bob verifies Alice’s signature
VA (SA(M)) = M
17 18

3
CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

## Digital Signatures with Encryption Revisiting Cryptography Goals

Only Bob can decrypt the message (security) and Protect private communication in the public world


he knows that Alice has sent the message (Symmetric and public key cryptography)
Alice and Bob are shouting messages in a crowded room


(authenticity)
No guest can understand what they are saying




## Authentication (Digital signatures)

verify that the message has not been changed 

## Bob can verify that Alice has created the message



If Alice added timestamps he can also verify that Integrity (Message digests)
Bob can verify that message has not been modified


## the message has not been replayed

Non-repudiation (Digital signatures + timestamps)
Alice cannot deny that she indeed sent the message


19 20

CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

## Revisiting Cryptography Threats Revisiting Common Practices

Ciphertext-only attack Alice and Bob exchange symmetric key


## Known plaintext attack using:

Public-key encryption
Chosen plaintext attack




## Adaptive chosen plaintext attack Mallory can do man-in-the-middle attack

If they obtain public keys from a database,


Man-in-the-middle attack


## Mallory can poison public-key database

Substitute, modify, drop, replay messages
Diffie-Hellman key exchange
Mallory can do man-in-the-middle attack


21 22

CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

## Man-in-the-Middle Attack Key Exchange with

on Key Exchange Interlock Protocol
First four steps are the same




## Alice to Bob her public key Pub(A)

Mallory captures this and sends to Bob Pub(M)


## Mallory captures this and sends to Bob Pub(M)

Bob sends to Alice his public key Pub(B) Bob sends to Alice his public key Pub(B)


Mallory captures this and sends to Alice Pub(M) Mallory captures this and sends to Alice Pub(M)
Alice encrypts a message in Pub(M) but sends




## half to Bob – Mallory cannot recover this

who can read all their messages message and duplicate it
This works if Mallory cannot mimic Alice’s


## 23 and Bob’s messages 24

4
CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

## Delayed Key Exchange Authentication

Alice and Bob need not exchange keys directly How does Alice prove her identity?
 

## to communicate When she logs on

Alice generates a random session key K When she sends messages to Bob
She obtains Bob’s public key from a database and
encrypts K with that EB(K)
She sends both the message encrypted with K,
EK(M) and a key EB(K) to Bob
This is how most real-world protocols work


25 26

CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

## Authentication on Log-on Authentication on Log-on

Alice inputs her password, computer verifies Hackers can compile a list of frequently used
 

this against list of passwords passwords, apply one-way function to each and


If computer is broken into, hackers can learn store them in a table – dictionary attack


Use one-way functions, store the result for every one-way function to that and stores result and
Perform one-way function on input, compare result
against the list

27 28

CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

## Authentication on Log-on Authentication on Log-on

SKEY – Alice will have different password each Someone sniffing on the network can learn the


## time she logs on password

To set-up the system, Alice enters random number R Host keeps a file of every user’s public key
Host calculates x0=f(R), x1=f(f(R)), x2=f(f(f(R))),..., x100 Users keep their private keys
When Alice attempts to log on, host sends her a
Alice keeps this list, host sets her password to x101 random number R
Alice logs on with x100, host verifies f(x100)=x101, Alice encrypts R with her private key and sends to
Next time Alice logs on with x99 Host can now verify her identity by decrypting the
message and retrieving R
29 30

5
CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

## Authentication and Key Exchange Arbitrated Key Exchange

Alice wants to exchange keys with Bob




## How can she be sure that she is talking to Bob?

He will arbitrate key exchange and guarantee for
How is this solved in the real world?


## Alice’s and Bob’s identity

Bob gets his ID from a trusted authority –
government, DMV
Bob shows his ID to Alice

31 32

CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

## Key Exchange with Digital Signatures Needham-Schroeder Key Exchange

Trent signs both Alice’s and Bob’s public keys – he Alice sends message to Trent with her name, Bob’s
generates public-key certificate name and a random number A, B, RA
Trent generates session key K, encrypts K, A with key
When they receive keys they verify the signature
he shares with Bob ETB(K, A), he then encrypts this
Everyone has Trent’s public key


## message, K, B and RA with key he shares with Alice

Mallory cannot impersonate Alice or Bob because his ETA(K, B, RA, ETB(K, A))
key is signed as Mallory’s Alice decrypts the message, verifies RA and sends
Certificate usually contains more than the public key ETB(K, A) to Bob


Name, network address, organization Bob decrypts the message, generates a random
Trent is known as Certificate Authority (CA) number RB and sends to Alice EK(RB)
Alice decrypts the message, sends to Bob EK(RB-1)
33 34

CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

## Kerberos Authentication Service Kerberos Authentication Service

Kerberos is trusted authority with whom everyone A ticket is used to pass securely to the server the
shares keys identity of the client
It is good for a single client and single server for some


## When a client on a network wants to talk to a server, period of time

he issues a request for a ticket to Kerberos’ Ticket 

## It contains client’s name and network address, server’s

Granting Server (TGS) name, timestamp and a session key, all encrypted with a
Client uses this ticket always when he talks to the key server shares with Kerberos
server, sometimes he also sends authenticators An authenticator is generated whenever a client
Clients and servers do not trust each other requests some service from the server
It is good only for one request




## additional key, all encrypted with session key

35 36

6
CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03 CIS 659 – Introduction to Network Security – Fall 2003 – Class 5 – 9/23/03

## Kerberos Authentication Service Kerberos Authentication Service

To get initial ticket To get ticket for specific server
Alice sends a message with her name and a name of a Alice sends a request with her name and server’s name to
 

Ticket Granting Server (TGS) to Kerberos TGS, encrypted with KATGS, accompanied with TGT and


## Kerberos generates a session key KATGS to be used between authenticator

her and TGS and also generates Ticket Granting Ticket TGS decrypts TGT with his secret key and retrieves KATGS


(TGT) 

## TGS uses KATGS to decrypt authenticator and compare

Kerberos encrypts KATGS with Alice’s secret key and Alice’s information in authenticator with information in


encrypts TGT with TGS’s secret key, sends both to Alice TGT, and compare timestamps
Alice retrieves KATGS and saves it and TGT If everything matches he generates a session key KAS to be
 

## used between her and server and a valid ticket TAS

TGS encrypts KAS with KATGS and encrypts TAS with server’s


37 38

## Kerberos Authentication Service

To request service
Alice sends a valid ticket TAS and authenticator


Server decrypts TAS with his secret key and retrieves KAS




## Alice’s information in authenticator with information in

TAS, and compare timestamps
If everything matches he grants the request




39