Network Security Lec5


Published in: Technology
1. Network Security Lecture 5

2. Public Key Cryptography and Message Authentication
  - Message authentication codes and hash functions to provide message authentication.
  - Public-key encryption and two specific public-key algorithms.
  - Public-key encryption to produce digital signatures.

3. Information Integrity Problems
  - Content modification: adversary inserts, modifies or deletes message content.
  [Figure: adversary inserts a new record for Darth's salary of $1,000,000 into the salary database]

4. Information Integrity Problems
  - Masquerade: adversary sends a message claimed to be from someone else.
  [Figure: adversary masquerading as Alice: "Give Darth a $10,000 raise -- Alice"]

5. Information Integrity Problems
  - Timing modification (replay): adversary intercepts a message and replays it later.
  [Figure: "Open the front gate. -- Alice", captured and resent later by the adversary]

6. Information Integrity Problems
  - Simplest case: detecting modification
    - Message M stored in a public location
    - M not encrypted
  - How can we prove/detect whether the adversary has replaced message M with a fake message M′?
  [Figure: public storage holding M, replaced by M′]

7. Information Integrity Problems
  - One solution: store a protected copy of M
    - Compare M to the copy to detect changes
    - Implausible if M is very large
  [Figure: public storage holding M, beside a protected copy of M]

8. Message Digest
  - Created from message M using a hash function: y = h(M)
  - Like a "fingerprint" for messages
    - Different messages → different fingerprints
    - Much more compact than the message: size of y < size of M
    - Plausible to keep in secure storage

9. Message Digest
  - Same concept as error detection in network transmission
  - Error detection bits = function of the message
    - Example: parity bit depends on whether the number of 1's in the message is even or odd
  - If the error detection bits do not match the message, request a resend
  - Key difference: unlike noise, the adversary is intelligent and knows the function, so a checksum that is easy to fix up after a change (such as parity or a CRC) is not enough
  [Figure: message followed by its error detection bits]

10. Modification Detection Code: MDC
  - Used to detect modification
    - Apply the hash to the message in storage to get h(M′)
    - Compare with the stored h(M)
    - If h(M′) ≠ h(M), the message has been modified
  - Modification Detection Code (MDC)
  [Figure: public storage M′ → h → h(M′), compared with the stored h(M)]

11. Message Authentication Code: MAC (why a digest alone is not enough)
  - Hash applied to the message by sender and recipient
  - If no match, the message has been tampered with
  - Problem: requires the MDC to be sent securely; otherwise the adversary could modify it as well!

12. Message Authentication Code
  - Use a secret key to prevent the adversary from creating a message digest that matches a false message
    - Creates MAC as h(M, k)
    - Can also encrypt the message, but that is not necessary for integrity

13. Solving Integrity Problems
  - Content modification: if the adversary modifies the message, it will no longer match the message digest
  - Authentication: the adversary cannot send a false message, since without k they cannot generate the corresponding digest
  - Timing modification: the sender can add a timestamp (or sequence number) to the message, which the adversary cannot modify without generating the corresponding digest; the recipient must also reject stale or already-seen values, since the MAC by itself does not stop an exact replay of a valid message

14. Preimage Attack
  - Adversary finds a message M′ with the same MDC: h(M′) = h(M)
    - Strictly this is a second-preimage attack: M is given, and the adversary looks for a different M′ with the same digest
  - Impossible to detect or prove the change!
  [Figure: public storage M′ → h → h(M′), the same as the stored h(M)]

15. Preimage Attack
  - Adversary can "tweak" the new message M′ until h(M′) = h(M)
  - Example: many equivalent phrasings of the same request, each a candidate M′
      Give Darth a salary increase of $1000
      Award Mr. Vader some raise ... $2000
      Present Darth Vader ... bonus $3000
      ... ... ... $4000 ...
  - "I'll find some combination of these so they can't detect the difference!"

16. Collision Attack
  - Adversary finds two messages M1 and M2 with the same MDC: h(M1) = h(M2)
  - M1 is a harmless message: "We like kittens"
  - M2 has an advantage for the adversary: "Give Darth a $5000 raise"
  - Easier than a (second) preimage attack: the adversary chooses both messages, so the birthday bound applies (about 2^(m/2) trials for an m-bit digest rather than about 2^m)

17. Collision Attack
  - Darth gets a job in the organization
    - Presents M1 to the boss for approval
    - Boss stores h(M1)
    - Darth actually stores/sends M2
  - Boss has no way to prove he didn't approve M2
  [Figure: "We like kittens" → h("We like kittens") ← "Give Darth a $5000 raise"]

18. Digests and Networks
  - Same hash applied to the message by sender and recipient
    - Sender creates a digest and sends it along with the message
    - Recipient creates a digest from the received message and compares it to the received digest
    - If no match, the message has been tampered with en route
  [Figure: M and h(M) sent across the network]

19. Digests and Networks
  - Problem: the adversary can easily intercept the digest and change it to match the new message
    - Must assume the adversary knows the hash function we use!
  [Figure: adversary substitutes M′ and h(M′) in transit]

20. Message Authentication Codes
  - Use a secret key to create the digest
    - Creates MAC as h(M, k)
    - Without k, the adversary cannot substitute M′ and then produce the h(M′, k) that the recipient will use to check message integrity

21. Message Authentication Codes
  - Provides authentication of the sender
    - Only someone with the correct key k can produce an h(M, k) that matches message M
    - Does not provide nonrepudiation: the recipient holds the same k and could have produced the tag, so a third party cannot tell which of the two created it (digital signatures, covered later in the lecture, are needed for that)
  [Figure: sender computes h(M, k) and sends it with M; recipient recomputes h(M, k) with the same k and compares: "If they match, then the sender must have the same key k as I do"]

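The contrast drawn on slides 18 to 21, and the timestamp check from slide 13, in working code. This is an added example, not code from the lecture: the key, the messages, the SHA-256 choice and the 30-second window are all invented for the demonstration. An unkeyed digest is recomputed by the adversary as easily as by the recipient; the keyed MAC (HMAC-SHA256 from the standard library) cannot be.

```python
# Added example (not from the lecture slides): an unkeyed digest (MDC) and a keyed MAC
# side by side, plus the timestamp check from slide 13. The key, messages and the
# 30-second window are invented for the demonstration.
import hashlib
import hmac

TAG_LEN = 32  # SHA-256 output length in bytes


def mdc(msg: bytes) -> bytes:
    """Modification detection code: an unkeyed hash of the message."""
    return hashlib.sha256(msg).digest()


def mac(key: bytes, msg: bytes) -> bytes:
    """Message authentication code: HMAC-SHA256 keyed with the shared secret k."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_mdc(msg: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(mdc(msg), digest)


def verify_mac(key: bytes, msg: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time, so the adversary learns nothing from timing.
    return hmac.compare_digest(mac(key, msg), tag)


def adversary_rewrites_mdc(new_msg: bytes) -> tuple:
    """On the wire the adversary knows h, so it simply recomputes the digest (slide 19)."""
    return new_msg, mdc(new_msg)


def adversary_rewrites_mac(new_msg: bytes, old_tag: bytes) -> tuple:
    """Without k the adversary can only reuse the captured tag with the new message."""
    return new_msg, old_tag


def seal(key: bytes, body: bytes, now: int) -> bytes:
    """Timestamp the message, then MAC timestamp and body together (slide 13)."""
    msg = now.to_bytes(8, "big") + body
    return msg + mac(key, msg)


def open_sealed(key: bytes, packet: bytes, now: int, window: int = 30) -> bytes:
    """Check the MAC first, then reject anything outside the replay window."""
    msg, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not verify_mac(key, msg, tag):
        raise ValueError("MAC mismatch: message modified or not from a key holder")
    sent_at = int.from_bytes(msg[:8], "big")
    if abs(now - sent_at) > window:
        raise ValueError("timestamp outside window: possible replay")
    return msg[8:]
```

The timestamp only bounds how long a captured packet stays useful; a packet replayed inside the window is still accepted, so a receiver that must reject every replay needs a nonce or sequence number and a record of values already seen.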
22. Authentication and Confidentiality
  - Can also encrypt the message, with a different key from the MAC key
    - MAC the plaintext before encryption (MAC-then-encrypt), or
    - MAC the ciphertext after encryption (encrypt-then-MAC)
      - Allows authentication to take place without decryption (usually much faster), and means a forged ciphertext is rejected before it is ever decrypted, which is why encrypt-then-MAC is the recommended order
  [Figure: plaintext → h and E; ciphertext → h]

23. Prefix/Postfix MAC
  - Key = "extra bits" at the beginning or end of the message: h(M, k) = h(M | k) or h(k | M)
  - Attack by exhaustive key search:
    - Adversary intercepts M and MAC h(M, k)
    - Adversary tries all key values k′ to find h(M, k′) = MAC
    - Key size must be large enough to prevent this!
  - Hash algorithm used must have an "avalanche effect"
    - Changing a few bits at the beginning/end changes most bits of the MAC
    - Better if the key is "spread out" over the message rather than at a known fixed location
  - Caveat: with an iterated (Merkle-Damgård) hash such as MD5, SHA-1 or SHA-256 the prefix form h(k | M) is broken without any key search, because the MAC is the hash's internal state after absorbing k | M; an adversary who knows only the key length can resume the iteration and compute a valid tag for M | padding | X (a length-extension attack); the postfix form h(M | k) instead inherits any collision found in h
  [Figure: message with the key bits prepended or appended]

24. Nested MAC
  - Hashing applied multiple times
    - Concatenate key with message: k | M
    - Run through hash: h(k | M)
    - Concatenate key again: k | h(k | M)
    - Run through hash again: MAC = h(k | h(k | M))
  - Changes in the key have a greater avalanche effect on the final MAC, and the inner digest is never exposed, so the length-extension attack on the prefix MAC no longer applies (HMAC is the standardized form of this construction)

25. Chained MAC (CMAC)
  - "Hashless" MAC
    - Uses an encryption algorithm (DES, AES, etc.) to generate the MAC

26. Chained MAC (CMAC)
  - Based on the same idea as cipher block chaining
    - Message broken into N blocks
    - Each block fed into the encryption algorithm with the key
    - Result XOR'd with the next block before encryption, so the final MAC depends on all blocks
  - Main difference from CBC encryption: only the last block of output is kept, compressing the result to the size of a single block

27. Chained MAC (CMAC)
  - Final stage uses an "additional key" (subkey)
    - Derived from the cipher key in a way that hides its relationship to the key:
      - Encrypt a block of all 0's: L = E_k(0)
      - Multiply by x or x² over GF(2^n): one doubling gives K1, used when the last block is complete; a second doubling gives K2, used when the last block had to be padded

28. Chained MAC (CMAC)
  - Additional key XOR'd with the final block before its encryption
  - Crucial to use a different key for the last XOR
    - Without it (plain CBC-MAC), two messages with the same beginning, or a message and its extension, let an adversary assemble a new message whose tag it already knows
  - MAC = leftmost bits of the result (the tag may be truncated to the required length)

29. Chained MAC (CMAC)
  - Advantages:
    - Can use existing encryption functions
    - Encryption functions have properties that resist preimage and collision attacks
      - Ciphertext designed to appear like "random noise": a good approximation of the random oracle model
      - Most exhibit a strong avalanche effect: a minor change in the message gives a great change in the resulting MAC
  - Disadvantage:
    - Encryption algorithms (particularly when chained, which serializes the blocks) can be much slower than hash algorithms

30. Compression Functions
  - Function that compresses a message of arbitrary length to an m-bit digest
  - The following must be computationally infeasible:
    - Given message M, find M′ ≠ M such that h(M) = h(M′)  (second preimage)
    - Finding any M1 ≠ M2 such that h(M1) = h(M2)  (collision)
  - Difficult to assure directly for arbitrary-length input
  [Figure: f: message of arbitrary size → m-bit digest]

31. Compression Functions
  - Easier to create a function that compresses a block of fixed size k > m
  - Break the message into blocks of fixed size
  [Figure: f: k-bit message block → m-bit digest]

32. Iterated Hash Function
  - Merkle-Damgård scheme
  - If the compression function in the Merkle-Damgård scheme is collision resistant, the hash function is also collision resistant (the proof needs the length padding, "MD strengthening", appended to the message)

33. Iterated Hash Function
  - Compression function of the form f(M_i, H_{i-1})
    - M_i = i-th message block
    - H_{i-1} = previous intermediate digest
    - H_0 = initial vector known to sender and recipient
  - The final H_N is the digest; if f is collision resistant, so is the entire algorithm
  [Figure: f takes the n-bit message block M_i and the m-bit digest H_{i-1} and outputs the m-bit digest H_i]

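The iteration of slides 32 and 33, and over it the prefix MAC of slide 23 and the nested MAC of slide 24, as an added example that is not part of the lecture. The 8-byte block and state, the IV, the key and the messages are invented, and SHA-256 truncated to 8 bytes stands in for the compression function f (it is not a cryptographically strong compression function, only a deterministic one). The block shows the Merkle-Damgård padding and chaining, then the length-extension attack: because h(k | M) is just the chaining state after the last block, an adversary who knows the key length resumes the iteration from the tag and forges a tag for M | padding | X without k. The same trick applied to h(k | h(k | M)) produces nothing useful, because the inner state is never revealed.

```python
# Added example (not from the lecture slides): a toy Merkle-Damgard hash with an 8-byte
# block, an 8-byte state and SHA-256 standing in for the compression function f, used to
# show the iteration H_i = f(M_i, H_{i-1}) of slides 32-33 and, over it, why the prefix
# MAC h(k | M) of slide 23 can be extended without the key while the nested MAC of
# slide 24 cannot. Block size, IV, key and messages are all invented for the demo.
import hashlib
import struct

BLOCK = 8                      # message block size in bytes (n bits on slide 33)
STATE = 8                      # digest size in bytes (m bits on slide 33)
H0 = 0x0123456789ABCDEF        # initial vector known to sender and recipient


def f(block: bytes, h_prev: int) -> int:
    """Compression function stand-in: SHA-256 of (H_{i-1} | M_i) truncated to STATE bytes."""
    data = h_prev.to_bytes(STATE, "big") + block
    return int.from_bytes(hashlib.sha256(data).digest()[:STATE], "big")


def md_pad(total_len: int) -> bytes:
    """MD strengthening: 0x80, zeros, then the total bit length in the last 8 bytes."""
    zeros = (-(total_len + 1 + 8)) % BLOCK
    return b"\x80" + b"\x00" * zeros + struct.pack(">Q", total_len * 8)


def md_hash(msg: bytes, h: int = H0, absorbed: int = 0) -> int:
    """Iterate f over the padded message. `absorbed` is how many bytes an earlier
    run already processed (a multiple of BLOCK); it only affects the length field."""
    msg = msg + md_pad(absorbed + len(msg))
    for i in range(0, len(msg), BLOCK):
        h = f(msg[i:i + BLOCK], h)
    return h


def prefix_mac(key: bytes, msg: bytes) -> int:
    return md_hash(key + msg)                       # h(k | M), slide 23


def nested_mac(key: bytes, msg: bytes) -> int:
    inner = md_hash(key + msg).to_bytes(STATE, "big")
    return md_hash(key + inner)                     # h(k | h(k | M)), slide 24


def length_extend(tag: int, key_len: int, msg: bytes, suffix: bytes) -> tuple:
    """Adversary knows tag = h(k | msg), len(k) and msg, but not k. The tag is the
    state after absorbing k | msg | padding, so hashing can simply be resumed."""
    glue = md_pad(key_len + len(msg))
    forged_msg = msg + glue + suffix
    forged_tag = md_hash(suffix, h=tag, absorbed=key_len + len(msg) + len(glue))
    return forged_msg, forged_tag
```

The forged message carries the original padding bytes in the middle; in formats that tolerate them (query strings, many binary records) the appended field is what the application sees last, which is why `amount=100` followed by an injected `&amount=1000000` is the classic target.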
34. Types of Hash Algorithms
  - "Made from scratch"
    - Specifically designed for hashing
    - Often no clear structure, for maximum confusion
    - Examples:
      - Message Digest (MD) family designed by Ron Rivest
      - Secure Hash Algorithm (SHA) family
  - Based on block ciphers
    - Rebuild an existing cipher into a compression function
    - Already has the desirable properties of a cryptographic hash
    - Example: Whirlpool

35. Block Ciphers for Hashing
  - Rabin scheme: H_i = E_{M_i}(H_{i-1})
    - "Plaintext" = output of the previous stage
    - "Key" = current message block
  - Potentially vulnerable to a "meet in the middle" attack
    - Since encryption is reversible, the adversary can work backwards from the final message digest (decrypting under chosen trailing blocks) and forwards from H_0 (encrypting under chosen leading blocks) until the two sets of intermediate states meet, giving another M′ with the same digest

36. Block Ciphers for Hashing
  - Miyaguchi-Preneel scheme (used by Whirlpool): H_i = E_{H_{i-1}}(M_i) ⊕ H_{i-1} ⊕ M_i
    - Output of each stage is the XOR of:
      - Output of the encryption function
      - Output of the previous stage
      - Current message block
  - Prevents "meet in the middle" attacks
    - Cannot work backwards through the encryption function: the key of each stage is the unknown previous state, and the XOR feed-forward makes the stage non-invertible

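One added example, not code from the lecture, covering slides 25 to 28 and slides 35 to 36 together, since both need a block cipher that can run offline: a 4-round Feistel network whose round function is SHA-256 stands in for AES or DES (it is a keyed permutation with a working decryption, which is all the constructions below need). Keys, messages and the 2-byte hash state used for the attack are invented. The block implements the CMAC subkey derivation (L = E_k(0), K1 = L·x, K2 = L·x² in GF(2^128), checked in the test against the K1/K2 values from the RFC 4493 worked example, which depend only on the doubling), the final-block handling, and the forgery against plain CBC-MAC that the subkey defeats: from two single-block pairs (m1, t1) and (m2, t2) the adversary builds m1 | (m2 ⊕ t1), whose CBC-MAC is E(t1 ⊕ m2 ⊕ t1) = E(m2) = t2. It then implements the Rabin and Miyaguchi-Preneel compression functions with a 2-byte state and runs the meet-in-the-middle second-preimage search of slide 35 against Rabin, which only becomes feasible because the state is tiny; the point is that Miyaguchi-Preneel offers no decrypt-backwards step to search from at all.

```python
# Added example (not from the lecture slides): CMAC subkey derivation and final-block
# handling (slides 25-28), the CBC-MAC forgery that the subkey prevents, and the Rabin
# and Miyaguchi-Preneel compression functions (slides 35-36) with a meet-in-the-middle
# second preimage against Rabin. A 4-round Feistel network keyed through SHA-256 stands
# in for AES/DES so the block needs only the standard library; keys, messages and the
# 2-byte hash state used for the attack are invented for the demonstration.
import hashlib


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, r: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([r]) + half).digest()[:len(half)]


def encrypt(key: bytes, block: bytes) -> bytes:
    """Toy block cipher E_key: a balanced Feistel network over any even block length."""
    h = len(block) // 2
    left, right = block[:h], block[h:]
    for r in range(4):
        left, right = right, xor(left, _round(key, r, right))
    return left + right


def decrypt(key: bytes, block: bytes) -> bytes:
    h = len(block) // 2
    left, right = block[:h], block[h:]
    for r in reversed(range(4)):
        left, right = xor(right, _round(key, r, left)), left
    return left + right


def dbl(block: bytes) -> bytes:
    """Multiply by x in GF(2^128), polynomial x^128 + x^7 + x^2 + x + 1 (constant 0x87)."""
    n = int.from_bytes(block, "big") << 1
    if n >> 128:
        n = (n ^ 0x87) & ((1 << 128) - 1)
    return n.to_bytes(16, "big")


def cmac_subkeys(key: bytes) -> tuple:
    k1 = dbl(encrypt(key, bytes(16)))   # L = E_k(0^128), K1 = L * x, K2 = L * x^2
    return k1, dbl(k1)


def cbc_mac(key: bytes, msg: bytes) -> bytes:
    """Raw CBC-MAC over whole blocks, no final subkey: shown only for the forgery."""
    x = bytes(16)
    for i in range(0, len(msg), 16):
        x = encrypt(key, xor(x, msg[i:i + 16]))
    return x


def cmac(key: bytes, msg: bytes) -> bytes:
    k1, k2 = cmac_subkeys(key)
    n = max(1, (len(msg) + 15) // 16)
    last = msg[(n - 1) * 16:]
    if len(last) == 16:                                     # complete last block: K1
        last = xor(last, k1)
    else:                                                   # padded last block: K2
        last = xor(last + b"\x80" + bytes(15 - len(last)), k2)
    return encrypt(key, xor(cbc_mac(key, msg[:(n - 1) * 16]), last))


def cbc_mac_forgery(m1: bytes, t1: bytes, m2: bytes, t2: bytes) -> tuple:
    """From two single-block (message, tag) pairs build a third valid pair with no key:
    CBC-MAC(m1 | (m2 xor t1)) = E(t1 xor m2 xor t1) = E(m2) = t2."""
    return m1 + xor(m2, t1), t2


def rabin_hash(msg: bytes, h0: bytes = b"\x00\x00") -> bytes:
    """Rabin scheme with a 2-byte state: H_i = E_{M_i}(H_{i-1})."""
    h = h0
    for i in range(0, len(msg), 2):
        h = encrypt(msg[i:i + 2], h)
    return h


def mp_hash(msg: bytes, h0: bytes = b"\x00\x00") -> bytes:
    """Miyaguchi-Preneel with a 2-byte state: H_i = E_{H_{i-1}}(M_i) xor H_{i-1} xor M_i."""
    h = h0
    for i in range(0, len(msg), 2):
        m = msg[i:i + 2]
        h = xor(xor(encrypt(h, m), h), m)
    return h


def rabin_second_preimage(target: bytes, trials: int = 1024) -> bytes:
    """Meet in the middle: states E_a(H0) going forward vs D_b(target) going backward.
    A match gives a 2-block message a | b with Rabin digest E_b(E_a(H0)) = target."""
    forward = {encrypt(a.to_bytes(2, "big"), b"\x00\x00"): a for a in range(trials)}
    for b in range(trials):
        mid = decrypt(b.to_bytes(2, "big"), target)
        if mid in forward:
            return forward[mid].to_bytes(2, "big") + b.to_bytes(2, "big")
    raise RuntimeError("no meeting point; increase trials")
```

Against CMAC the same forgery fails because the last block of the two-block message is masked with K1 before encryption while the first is not, so the tag becomes E(E(m1) ⊕ m2 ⊕ t1 ⊕ K1) rather than E(m2 ⊕ K1). For the Rabin search, 1024 forward and 1024 backward states over a 16-bit space meet about 16 times; with a 128-bit state the same search would need on the order of 2^64 states on each side, which is why the attack is a structural weakness rather than a practical break on its own, and why real designs use a feed-forward construction anyway.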