Key Management, Message Authentication, Hash Function &


Page 1: Key Management,  Message Authentication, Hash Function &

Key Management, Message Authentication,

Hash Function &

Page 2: Key Management,  Message Authentication, Hash Function &

Key Management

In cryptography, key management includes all of the provisions made in a cryptosystem design, in cryptographic protocols in that design, in user procedures, and so on, which are related to generation, exchange, storage, safeguarding, use, vetting, and replacement of keys.

There is a distinction between key management, which concerns keys at the users' level (i.e., passed between systems or users or both), and key scheduling which is usually taken to apply to the handling of key material within the operation of a cipher.

Page 3: Key Management,  Message Authentication, Hash Function &

Scenario

Page 4: Key Management,  Message Authentication, Hash Function &

Scenario

Page 5: Key Management,  Message Authentication, Hash Function &

KEY MANAGEMENT

We never discussed how secret keys in symmetric-key cryptography and how public keys in asymmetric-key cryptography are distributed and maintained. In this section, we touch on these two issues. We first discuss the distribution of symmetric keys; we then discuss the distribution of asymmetric keys.

Topics discussed in this section:

Symmetric-Key Distribution

Public-Key Distribution

Page 6: Key Management,  Message Authentication, Hash Function &

A small club has only 100 members.

1. How many secret keys are needed if all members of the club need to send secret messages to each other?

2. How many secret keys are needed if everyone trusts the president of the club? If a member needs to send a message to another member, she first sends it to the president; the president then sends the message to the other member.

3. How many secret keys are needed if the president decides that the two members who need to communicate should contact him first? The president then creates a temporary key to be used between the two. The temporary key is encrypted and sent to both members.

Class Discussion

Page 7: Key Management,  Message Authentication, Hash Function &

Key Management

Key Management on Symmetric-key

Page 8: Key Management,  Message Authentication, Hash Function &

Key Distribution Centre

Page 9: Key Management,  Message Authentication, Hash Function &

A session symmetric key between two parties is used only once.

Note

Page 10: Key Management,  Message Authentication, Hash Function &

Creating a session key between Alice and Bob using KDC

Page 11: Key Management,  Message Authentication, Hash Function &

Kerberos servers

Page 12: Key Management,  Message Authentication, Hash Function &

Kerberos example

More details in Week 5

Page 13: Key Management,  Message Authentication, Hash Function &

Suppose Alice, Bob, Buffy and Spike want to communicate with one another securely. Using symmetric cryptography how many unique keys must be distributed to make this possible?

Example 1 - Question

Page 14: Key Management,  Message Authentication, Hash Function &

Suppose Alice, Bob, Buffy and Spike want to communicate with one another securely. Using symmetric cryptography how many unique keys must be distributed to make this possible?

Private key cryptography requires pair-wise key exchange. This is N(N-1)/2 or, in this case, 6 different keys.

Example 1 - Answer

Page 15: Key Management,  Message Authentication, Hash Function &

Key Management

Key Management on Asymmetric-key

Page 16: Key Management,  Message Authentication, Hash Function &

Key Management

public-key encryption helps address key distribution problems

have two aspects of this:

distribution of public keys

use of public-key encryption to distribute secret keys

This is one of the most critical areas in security systems - on many occasions systems have been broken, not because of a poor encryption algorithm, but because of poor key selection or management. It is absolutely critical to get this right!

Page 17: Key Management,  Message Authentication, Hash Function &

In public-key cryptography, everyone has access to everyone’s public key; public keys are available to the public.

Note

Page 18: Key Management,  Message Authentication, Hash Function &

Distribution of Public Keys

can be considered as using one of:

Public announcement

Publicly available directory

Public-key authority

Public-key certificates

Page 19: Key Management,  Message Authentication, Hash Function &

Announcing a public key / public Announcement

website

local newspaper

Page 20: Key Management,  Message Authentication, Hash Function &

Announcing a public key / public Announcement

users distribute public keys to recipients or broadcast to community at large

eg. append PGP keys to email messages or post to news groups or email list

major weakness is forgery:

anyone can create a key claiming to be someone else and broadcast it

until forgery is discovered can masquerade as claimed user

Example: Eve could make such a public announcement. Before Bob can react, damage could be done. Eve can fool Alice into sending her a message that is intended for Bob. Eve could also sign a document with a corresponding forged private key and make everyone believe it was signed by Bob. The approach is also vulnerable if Alice directly requests Bob’s public key: Eve can intercept Bob’s response and substitute her own forged public key for Bob’s public key.

Page 21: Key Management,  Message Authentication, Hash Function &

Distribution of Public Keys

can be considered as using one of:

Public announcement

Publicly available directory

Public-key authority

Public-key certificates

Page 22: Key Management,  Message Authentication, Hash Function &

Trusted center / Publicly Available Directory

The trusted centre retains a directory of keys.

Page 23: Key Management,  Message Authentication, Hash Function &

Trusted center / Publicly Available Directory

can obtain greater security by registering keys with a public directory

directory must be trusted with properties:

contains {name, public-key} entries

participants register securely with directory

participants can replace key at any time

directory is periodically published

directory can be accessed electronically

still vulnerable to tampering or forgery

Page 24: Key Management,  Message Authentication, Hash Function &

Distribution of Public Keys

can be considered as using one of:

Public announcement

Publicly available directory

Public-key authority

Public-key certificates

Page 25: Key Management,  Message Authentication, Hash Function &

Controlled trusted center / Public-Key Authority

Page 26: Key Management,  Message Authentication, Hash Function &

Controlled trusted center / Public-Key Authority

improve security by tightening control over distribution of keys from directory

has properties of directory

and requires users to know public key for the directory

then users interact with directory to obtain any desired public key securely

does require real-time access to directory when keys are needed

Page 27: Key Management,  Message Authentication, Hash Function &

Controlled trusted center / Public-Key Authority

Page 28: Key Management,  Message Authentication, Hash Function &

Distribution of Public Keys

can be considered as using one of:

Public announcement

Publicly available directory

Public-key authority

Public-key certificates

Page 29: Key Management,  Message Authentication, Hash Function &

Certification authority / Public-Key Certificates

Page 30: Key Management,  Message Authentication, Hash Function &

Certification authority / Public-Key Certificates

certificates allow key exchange without real-time access to public-key authority

a certificate binds identity to public key

usually with other info such as period of validity, rights of use etc

with all contents signed by a trusted Public-Key or Certificate Authority (CA)

can be verified by anyone who knows the public-key authority's public key

Page 31: Key Management,  Message Authentication, Hash Function &

Certification authority / Public-Key Certificates

Page 32: Key Management,  Message Authentication, Hash Function &

Public-Key Distribution of Secret Keys

use previous methods to obtain public-key

can use for secrecy or authentication

but public-key algorithms are slow

so usually want to use private-key encryption to protect message contents

hence need a session key

have several alternatives for negotiating a suitable session

Page 33: Key Management,  Message Authentication, Hash Function &

Simple Secret Key Distribution

proposed by Merkle in 1979

A generates a new temporary public key pair

A sends B the public key and their identity

B generates a session key K and sends it to A encrypted using the supplied public key

A decrypts the session key and both use

problem is that an opponent can intercept and impersonate both halves of protocol

Page 34: Key Management,  Message Authentication, Hash Function &

Simple Secret Key Distribution

Simple use of public-key encryption to establish a session key.

1. A generates a public/private key pair {PUa, PRa} and transmits a message to B consisting of PUa and an identifier of A, IDA.

2. B generates a secret key, Ks, and transmits it to A, encrypted with A's public key.

3. A computes D(PRa, E(PUa, Ks)) to recover the secret key. Because only A can decrypt the message, only A and B will know the identity of Ks.

4. A discards PUa and PRa and B discards PUa.

Page 35: Key Management,  Message Authentication, Hash Function &

Public-Key Distribution of Secret Keys

if have securely exchanged public-keys:

Page 36: Key Management,  Message Authentication, Hash Function &

Public-Key Distribution of Secret Keys

if have securely exchanged public-keys:

1. A uses B's public key to encrypt a message to B containing an identifier of A (IDA) and a nonce (N1), which is used to identify this transaction uniquely.

2. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new nonce generated by B (N2). Because only B could have decrypted message (1), the presence of N1 in message (2) assures A that the correspondent is B.

3. A returns N2 encrypted using B's public key, to assure B that its correspondent is A.

4. A selects a secret key Ks and sends M = E(PUb, E(PRa, Ks)) to B. Encryption of this message with B's public key ensures that only B can read it; encryption with A's private key ensures that only A could have sent it.

5. B computes D(PUa, D(PRb, M)) to recover the secret key.

Page 37: Key Management,  Message Authentication, Hash Function &

Public-Key Algorithms

• Diffie Hellman Key-Exchange

• Elliptic Curve Arithmetic

• Elliptic Curve Cryptography

Page 38: Key Management,  Message Authentication, Hash Function &

Diffie-Hellman Key Exchange

first public-key type scheme proposed

by Diffie & Hellman in 1976 along with the exposition of public key concepts

note: now know that James Ellis (UK CESG) secretly proposed the concept in 1970

is a practical method for public exchange of a secret key

used in a number of commercial products

Page 39: Key Management,  Message Authentication, Hash Function &

Diffie-Hellman Key Exchange

a public-key distribution scheme

cannot be used to exchange an arbitrary message

rather it can establish a common key known only to the two participants

value of key depends on the participants (and their private and public key information)

based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) - easy

security relies on the difficulty of computing discrete logarithms (similar to factoring) – hard

Page 40: Key Management,  Message Authentication, Hash Function &

Diffie-Hellman Setup

all users agree on global parameters:

large prime integer or polynomial $q$

$\alpha$ a primitive root mod $q$

each user (eg. A) generates their key

chooses a secret key (number): $x_A < q$

compute their public key: $y_A = \alpha^{x_A} \bmod q$

each user makes public that key $y_A$

Page 41: Key Management,  Message Authentication, Hash Function &

Diffie-Hellman Key Exchange

shared session key for users A & B is $K_{AB}$:

$K_{AB} = \alpha^{x_A x_B} \bmod q$

$= y_A^{x_B} \bmod q$ (which B can compute)

$= y_B^{x_A} \bmod q$ (which A can compute)

$K_{AB}$ is used as session key in private-key encryption scheme between Alice and Bob

if Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public-keys

attacker needs an x, must solve discrete log

Page 42: Key Management,  Message Authentication, Hash Function &

Diffie-Hellman Example

users Alice & Bob who wish to swap keys:

agree on prime $q = 353$ and $\alpha = 3$

select random secret keys:

A chooses $x_A = 97$, B chooses $x_B = 233$

compute public keys:

$y_A = 3^{97} \bmod 353 = 40$ (Alice)

$y_B = 3^{233} \bmod 353 = 248$ (Bob)

compute shared session key as:

$K_{AB} = y_B^{x_A} \bmod 353 = 248^{97} \bmod 353 = 160$ (Alice)

$K_{AB} = y_A^{x_B} \bmod 353 = 40^{233} \bmod 353 = 160$ (Bob)
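
The setup and exchange above, worked as an added Python example (not part of the original slides). The function names, the primitive-root test and the range check on received public values are additions made for this illustration; q = 353 is the slide's classroom parameter and far too small for real use.

```python
import secrets


def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for toy sizes)."""
    factors, p = set(), 2
    while p * p <= n:
        while n % p == 0:
            factors.add(p)
            n //= p
        p += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_root(alpha, q):
    """alpha generates 1..q-1 iff alpha^((q-1)/p) != 1 mod q for every prime p | q-1."""
    return all(pow(alpha, (q - 1) // p, q) != 1 for p in prime_factors(q - 1))


def public_key(alpha, x, q):
    """y = alpha^x mod q for a secret x in [2, q-2]."""
    if not 1 < x < q - 1:
        raise ValueError("secret key out of range")
    return pow(alpha, x, q)


def shared_key(peer_y, own_x, q):
    """K = peer_y^own_x mod q, refusing degenerate public values.

    A received value of 0, 1 or q-1 would force K into a tiny set no matter
    what own_x is, so it is rejected before any exponentiation.
    """
    if not 1 < peer_y < q - 1:
        raise ValueError("degenerate public value")
    return pow(peer_y, own_x, q)


def fresh_keypair(alpha, q):
    """New random key pair; new pairs per session give a new K_AB each time."""
    while True:
        x = secrets.randbelow(q - 3) + 2  # x in [2, q-2]
        y = pow(alpha, x, q)
        if 1 < y < q - 1:
            return x, y


def exchange(q, alpha, x_a, x_b):
    """Run both sides of the exchange and return (y_A, y_B, K at Alice, K at Bob)."""
    y_a = public_key(alpha, x_a, q)
    y_b = public_key(alpha, x_b, q)
    return y_a, y_b, shared_key(y_b, x_a, q), shared_key(y_a, x_b, q)


if __name__ == "__main__":
    print(is_primitive_root(3, 353))
    print(exchange(353, 3, 97, 233))
```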

Page 43: Key Management,  Message Authentication, Hash Function &

Key Management

Message Authentication

Page 44: Key Management,  Message Authentication, Hash Function &

Message Authentication

message authentication is concerned with:

protecting the integrity of a message

validating identity of originator

non-repudiation of origin (dispute resolution)

will consider the security requirements

then three alternative functions used:

message encryption

message authentication code (MAC)

hash function

Page 45: Key Management,  Message Authentication, Hash Function &

Security Requirements

disclosure

traffic analysis

masquerade

content modification

sequence modification

timing modification

source repudiation

destination repudiation

Page 46: Key Management,  Message Authentication, Hash Function &

Message Authentication

Page 47: Key Management,  Message Authentication, Hash Function &

Message Authentication

Message Encryption

Message Authentication Code

Hash Function

Page 48: Key Management,  Message Authentication, Hash Function &

Message Encryption

message encryption by itself also provides a measure of authentication

if symmetric encryption is used then:

receiver knows sender must have created it

since only sender and receiver know key used

know content cannot have been altered

if message has suitable structure, redundancy or a checksum to detect any changes

Page 49: Key Management,  Message Authentication, Hash Function &

Message Encryption

if public-key encryption is used:

encryption provides no confidence of sender

since anyone potentially knows public-key

however if sender signs message using their private-key

then encrypts with recipient's public key

have both secrecy and authentication

again need to recognize corrupted messages

but at cost of two public-key uses on message

Page 50: Key Management,  Message Authentication, Hash Function &

Key Management

Message Authentication

Message Authentication: Message Encryption

Message Authentication: Message Authentication Code

Message Authentication: Hash functions

Page 51: Key Management,  Message Authentication, Hash Function &

Cartoon Actors

Alice: Sender / Receiver

Charlie: Certification Authority

Reggie: Registration Authority

Eve: Hacker / Adversary

Bob: Receiver / Sender

Page 52: Key Management,  Message Authentication, Hash Function &

Message Authentication

“Is to protect the integrity of messages”

[Figure: Alice sends M to Bob; Eve interferes with the transmission (modifies the message, or inserts a new one).]

How can Bob be sure that M really comes from Alice?

Page 53: Key Management,  Message Authentication, Hash Function &

Sometimes: more important than secrecy!

[Figure: Alice sends "transfer 1000 $ to Bob" to the Bank; Eve changes it in transit to "transfer 1000 $ to Eve".]

Of course: usually we want both secrecy and integrity.

Page 54: Key Management,  Message Authentication, Hash Function &

Does encryption guarantee message integrity?

Idea:

1. Alice encrypts m and sends c=Enc(k,m) to Bob.

2. Bob computes Dec(k,c), and if it “makes sense” accepts it.

Intuition: only Alice knows k, so nobody else can produce a valid ciphertext.

It does not work!

Example: Caesar Cipher.

[Figure: plaintext "transfer 1000 $ to Bob" xor key K gives ciphertext C; C xor (“Eve” xor “Bob”) decrypts to "transfer 1000 $ to Eve".]

Page 55: Key Management,  Message Authentication, Hash Function &

Message authentication

[Figure: Alice and Bob share the key k. Alice sends $(m, t=\mathrm{Tag}_k(m))$; Bob receives m and verifies if $t=\mathrm{Tag}_k(m)$.]

Eve can see $(m, t=\mathrm{Tag}_k(m))$

She should not be able to compute a valid tag t’ on any other message m’.

Page 56: Key Management,  Message Authentication, Hash Function &

Message authentication – multiple messages

[Figure: Alice and Bob share the key k. Alice sends $(m_1, t=\mathrm{Tag}_k(m_1))$, $(m_2, t=\mathrm{Tag}_k(m_2))$, . . . , $(m_w, t=\mathrm{Tag}_k(m_w))$ to Bob; Eve sees all of them.]

Eve should not be able to compute a valid tag t’ on any other message m’.

Page 57: Key Management,  Message Authentication, Hash Function &

Message Authentication Code (MAC)

A bit string that is a function of both data (either plaintext or ciphertext) and a secret key, and that is attached to the data in order to allow data authentication.

The function used to generate the message authentication code must be a one-way function.

Data associated with an authenticated message allowing a receiver to verify the integrity of the message. In other words: a MAC is a short piece of information used to authenticate a message.

It is also an authentication technique that involves the use of a secret key to generate a small fixed-size block of data, known as a cryptographic checksum or MAC, that is appended to the message.

Page 58: Key Management,  Message Authentication, Hash Function &

Behaviors

MAC functions are similar to keyed hash functions, but they possess different security requirements.

MACs differ from digital signatures, as MAC values are both generated and verified using the same secret key.

MAC algorithms can be constructed from other cryptographic primitives, such as cryptographic hash functions (as in the case of HMAC) or from block cipher algorithms (OMAC, CBC-MAC and PMAC).

Page 59: Key Management,  Message Authentication, Hash Function &

Operations

This technique assumes that two communicating parties, say A and B share a common secret key.

$\mathrm{MAC} = C_K(M)$:

M = input message (variable-length)

C = MAC function

K = shared secret key

MAC = message authentication code

The message plus MAC are transmitted to the intended recipient.

The recipient performs the same calculation on the received message, using the same secret key, to generate a new MAC.

The received MAC is compared to the calculated MAC.

Page 60: Key Management,  Message Authentication, Hash Function &

Operations

Methods:

Assume that only the receiver and the sender know the identity of the secret key.

The received MAC matches the calculated MAC

Therefore:

The receiver is assured that the message has not been altered.

The receiver is assured that the message is from the alleged sender.

The sequence number is assured.

Page 61: Key Management,  Message Authentication, Hash Function &

Message Authentication Codes – the idea

[Figure: Alice and Bob share a key k; k is chosen randomly from some set T. Alice sends $(m, t=\mathrm{Tag}_k(m))$ with $m \in \{0,1\}^*$; Bob computes $\mathrm{Vrfy}_k(m,t) \in \{\text{yes},\text{no}\}$.]

Page 62: Key Management,  Message Authentication, Hash Function &

A mathematical view

K – key space

M – plaintext space

T – set of tags

A MAC scheme is a pair (Tag, Vrfy), where

Tag : K × M → T is a tagging algorithm,

Vrfy : K × M × T → {yes, no} is a decryption algorithm.

We will sometimes write $\mathrm{Tag}_k(m)$ and $\mathrm{Vrfy}_k(m,t)$ instead of Tag(k,m) and Vrfy(k,m,t).

Correctness

it should always hold that: $\mathrm{Vrfy}_k(m, \mathrm{Tag}_k(m)) = \text{yes}$.

Page 63: Key Management,  Message Authentication, Hash Function &

Message Authentication Code (MAC)

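[Figure: the sender runs the MAC algorithm with key (K) over MESSAGE and sends MESSAGE together with the MAC. The receiver runs the MAC algorithm with key (K) over the received MESSAGE and compares the result with the received MAC (=?). Yes: authenticate, integrity; No: decline.]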

Page 64: Key Management,  Message Authentication, Hash Function &

Message Authentication Code

Page 65: Key Management,  Message Authentication, Hash Function &

Message Authentication Codes

as shown the MAC provides confidentiality

can also use encryption for secrecy

generally use separate keys for each

can compute MAC either before or after encryption

is generally regarded as better done before

why use a MAC?

sometimes only authentication is needed

sometimes need authentication to persist longer than the encryption (eg. archival use)

note that a MAC is not a digital signature

Page 66: Key Management,  Message Authentication, Hash Function &

Requirements for MACs

taking into account the types of attacks

need the MAC to satisfy the following:

1. knowing a message and MAC, is infeasible to find another message with same MAC

2. MACs should be uniformly distributed

3. MAC should depend equally on all bits of the message

Page 67: Key Management,  Message Authentication, Hash Function &

Conventions

If Tag is deterministic, then Vrfy just computes Tag and compares the result.

In this case we do not need to define Vrfy explicitly.

If $\mathrm{Vrfy}_k(m,t) = \text{yes}$ then we say that t is a valid tag on the message m.

Page 68: Key Management,  Message Authentication, Hash Function &

How to define security?

We need to specify:

1. how the messages m1,...,mw are chosen,

2. what is the goal of the adversary.

Good tradition: be as pessimistic as possible!

Therefore we assume that

1. The adversary is allowed to choose m1,...,mw.

2. The goal of the adversary is to produce a valid tag on some m’ such that m’ ≠ m1,...,mw.

Page 69: Key Management,  Message Authentication, Hash Function &

Warning: MACs do not offer protection against the “replay attacks”.

[Figure: Alice sends (m, t) to Bob; Eve sends the same (m, t) to Bob again and again.]

Since Vrfy has no state (or “memory”) there is no way to detect that (m,t) is not fresh!

This problem has to be solved by the higher-level application (methods: time-stamping, sequence numbers...).
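
An added example (not from the original slides) of the Tag/Vrfy pair and of the sequence-number method named in the warning above. HMAC-SHA256 stands in for Tag; the `Sender` and `Receiver` classes, the 8-byte big-endian sequence field and the key are assumptions of this sketch.

```python
import hashlib
import hmac
import struct


def tag(k: bytes, m: bytes) -> bytes:
    """Tag_k(m): deterministic, so Vrfy just recomputes and compares."""
    return hmac.new(k, m, hashlib.sha256).digest()


def vrfy(k: bytes, m: bytes, t: bytes) -> bool:
    """Vrfy_k(m, t): stateless; compare_digest avoids leaking where tags differ."""
    return hmac.compare_digest(tag(k, m), t)


class Sender:
    """Higher-level application: puts a sequence number under the tag."""

    def __init__(self, k: bytes):
        self.k = k
        self.seq = 0

    def send(self, m: bytes):
        self.seq += 1
        framed = struct.pack(">Q", self.seq) + m  # seq || m is what gets tagged
        return framed, tag(self.k, framed)


class Receiver:
    """Keeps the state that Vrfy lacks: the highest sequence number accepted."""

    def __init__(self, k: bytes):
        self.k = k
        self.last_seq = 0

    def receive(self, framed: bytes, t: bytes):
        # Check the tag first; never parse fields of an unauthenticated frame.
        if len(framed) < 8 or not vrfy(self.k, framed, t):
            return ("rejected", "bad tag")
        (seq,) = struct.unpack(">Q", framed[:8])
        if seq <= self.last_seq:
            return ("rejected", "replay")
        self.last_seq = seq
        return ("accepted", framed[8:])


if __name__ == "__main__":
    key = bytes(range(32))  # constructed demo key; use a random key in practice
    alice, bob = Sender(key), Receiver(key)
    frame, t = alice.send(b"transfer 1000 $ to Bob")
    print(vrfy(key, frame, t), vrfy(key, frame, t))  # stateless: valid every time
    print(bob.receive(frame, t))                     # first delivery
    print(bob.receive(frame, t))                     # same (m, t) again
```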

Page 70: Key Management,  Message Authentication, Hash Function &

Authentication and Encryption

Usually we want to authenticate and encrypt at the same time.

What is the right way to do it? There are several options:

• Encrypt-and-authenticate: $c \leftarrow \mathrm{Enc}_{k_1}(m)$ and $t \leftarrow \mathrm{Mac}_{k_2}(m)$ (wrong)

• Authenticate-then-encrypt: $t \leftarrow \mathrm{Mac}_{k_2}(m)$ and $c \leftarrow \mathrm{Enc}_{k_1}(m \| t)$ (better)

• Encrypt-then-authenticate: $c \leftarrow \mathrm{Enc}_{k_1}(m)$ and $t \leftarrow \mathrm{Mac}_{k_2}(c)$ (the best)

By the way: never use the same key for Enc and Mac: k1 and k2 have to be “independent”!
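
An added example (not from the original slides) that ties the earlier slide "Does encryption guarantee message integrity?" to the encrypt-then-authenticate option above. It follows the xor in that slide's figure: an XOR one-time pad stands in for Enc and HMAC-SHA256 for Mac; the function names and the randomly generated keys are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enc(k1: bytes, m: bytes) -> bytes:
    """One-time pad: k1 must be random, as long as m, and never reused."""
    if len(k1) != len(m):
        raise ValueError("pad length must equal message length")
    return xor_bytes(k1, m)


dec = enc  # XOR is its own inverse


def alter_in_transit(c: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """The change in the slide's figure: XOR (old xor new) into c. No key is used."""
    delta = xor_bytes(old, new)
    end = offset + len(delta)
    return c[:offset] + xor_bytes(c[offset:end], delta) + c[end:]


def seal(k1: bytes, k2: bytes, m: bytes):
    """Encrypt-then-authenticate: c <- Enc_k1(m), t <- Mac_k2(c)."""
    c = enc(k1, m)
    return c, hmac.new(k2, c, hashlib.sha256).digest()


def unseal(k1: bytes, k2: bytes, c: bytes, t: bytes):
    """Verify the tag over the ciphertext before decrypting; None means reject."""
    expected = hmac.new(k2, c, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, t):
        return None
    return dec(k1, c)


def demo():
    m = b"transfer 1000 $ to Bob"
    k1 = secrets.token_bytes(len(m))  # encryption key (pad)
    k2 = secrets.token_bytes(32)      # independent MAC key
    c, t = seal(k1, k2, m)
    altered = alter_in_transit(c, m.index(b"Bob"), b"Bob", b"Eve")
    return (
        dec(k1, altered),            # encryption alone: altered text "makes sense"
        unseal(k1, k2, altered, t),  # with the MAC over c: rejected
        unseal(k1, k2, c, t),        # untouched ciphertext: accepted
    )


if __name__ == "__main__":
    print(demo())
```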

Page 71: Key Management,  Message Authentication, Hash Function &

Constructing a MAC

1. There exist MACs that are secure even if the adversary is infinitely-powerful. These constructions are not practical.

2. MACs can be constructed from the block-ciphers. We will now discuss two constructions:

– simple (and not practical),

– a little bit more complicated (and practical) – a CBC-MAC

3. MACs can also be constructed from the hash functions (NMAC, HMAC).

Page 72: Key Management,  Message Authentication, Hash Function &

How Do You Want to Protect Your Network System?

Thank You

See You Next Week

Have A Nice Weekend