TCN 5080 Secure Telecom Transactions

TCN 5080 Secure Telecom Transactions

Florida International University

1

Chapter 5Hashes and Message Digests

2

Overview

3

Birthday Problem

• Strong collision resistant:

– How many tries to find two messages with same digest, if hash results are random?

• Generally, n inputs, k possible outputs

– n(n-1)/2 pairs of inputs

– Each pair has 1/k probability to share same output

– Need about k/2 pairs to have 50% probability for a matching pair, i.e. n >

4

Applications of Hash

• Authentication

• Computing MAC with hash

– Difference between MAC and hash: with and without secret key

• Encryption with message digest

• Using secret key for hash

5

MD2

• Input: an arbitrary number of octets

• Output: 128-bit message digest

• Basic idea:

– Pad message to be a multiple of 16 octets.

– Calculate and append a 16-octet checksum.

– Final pass to calculate digest.

6

MD2 Padding

• Number of padding octets

– 16 octets: if message is a multiple of 16 octets.

– number of octets (1-15) to make the message a multiple of 16 octets: otherwise.

– Each padding octet specifies number of octets padded.

7

MD4 Message Padding

• Message with padding must be a multiple of 16 32-bit words (i.e. 512 bits).

– Adding a 1 bit, followed 0 bits to leave message 64 bits less than a multiple of 512 bits.

– A 64-bit quantity representing number of bits in unpadded message, mod 264, is appended.

8

MD4 Digest Computation

• Digest has 128 bits or 4 32-bit words.

• Message processed in 512-bit (16 32-bit words) blocks.

• Final result as digest.

• Each stage makes three passes over message block.

9


10


• Input to each stage

– 16-word message: m0, m1, m2,...m15

– 4-word digest: d0, d1, d2, d3

– Initialization before first stage: d0 = 6745230116, d1

= efcdab8916, d2 = 98badcfe16, and d3 = 1032547616

– Each pass modifies d0, d1, d2, d3 using m0, m1, m2,...m15

11


• Operations

– : floor of number x

– ~x: bitwise complement

– x∧y: bitwise and

– x∨y: bitwise or

– x⊕y: bitwise exclusive or

– x+y: binary sum, with carry out bit discarded

– x y: rotate x to left by y bits

12

MD4 Message Digest Pass 1

• Selection function: F(x,y,z)=(x∧y)∨(~x∧z)

• For each word i of message: d(-i)∧3 = (d(-i)∧3 + F(d(1-i)∧3, d(2-i)∧3, d(3-i)∧3) + mi) S1(i∧3)

• where S1(i) = 3 + 4i so cycling over 3, 7, 11, 15

13


• Majority function: G(x,y,z)=(x∧y)∨(x∧z) ∨(y∧z)

• For each word i of message: d(-i)∧3 = (d(-i)∧3 + G(d(1-i)∧3, d(2-i)∧3, d(3-i)∧3) + mX(i) + c) S2(i∧3)

• where X(i)= 4i – 15 , exchanging low order and high order pairs of bits in 4-bit number i

• c = = 5a82799916

• S2(0) = 3, S2(1) = 5, S2(2) = 9, S2(3) = 13

14


• Function H(x,y,z)=x⊕y⊕z

• For each word i of message: d(-i)∧3 = (d(-i)∧3 + H(d(1-i)∧3, d(2-i)∧3, d(3-i)∧3) + mR(i) + c’) S2(i∧3)

• where R(i) = , i.e. reversing order of bits in 4-bit number i

• c’ = = 6ed9eba116

• S3(0) = 3, S3(1) = 9, S3(2) = 11, S3(3) = 15

15

MD5 Message Digest Computation

• Message padding same as in MD4

• Digest has 128 bits or 4 32-bit words

– Initialized to d0 = 6745230116, d1 = efcdab8916, d2 = 98badcfe16, and d3 = 1032547616

• Message processed in 512-bit (16 32-bit words) blocks

• Each stage takes four passes over message block

– each pass modifies d0, d1, d2, d3 using m0, m1, m2,...m15

16


• F(x,y,z)=(x∧y)∨(~x∧z)

• d(-i)∧3 = d(1-i)∧3 + (d(-i)∧3 + F(d(1-i)∧3, d(2-i)∧3, d(3-i)∧3) + mi + Ti) S1(i∧3)

• where S1(i) = 7 + 5i

• E.g.

17


• G(x,y,z)=(x∧y)∨(x∧z) ∨(y∧z)

• d(-i)∧3 = d(1-i)∧3 + (d(-i)∧3 + G(d(1-i)∧3, d(2-i)∧3, d(3-i)∧3) + m(5i+1)∧15 + Ti+17) S2(i∧3)

• where S2(i) = i(i+7)/2 + 5

• E.g.

18


• H(x,y,z)=x⊕y⊕z

• d(-i)∧3 = d(1-i)∧3 + (d(-i)∧3 + H(d(1-i)∧3, d(2-i)∧3, d(3-i)∧3) + m(3i+5)∧15 + Ti+33) S3(i∧3)

• where S3(0) = 4, S3(1) = 11, S3(2) = 16, S3(3) = 23

• E.g.

19


• I(x,y,z)=y⊕(x∨~z)

• d(-i)∧3 = d(1-i)∧3 + (d(-i)∧3 + I(d(1-i)∧3, d(2-i)∧3, d(3-i)∧3) + m(7i)∧15 + Ti+49) S4(i∧3)

• where S4(i) = (i+3)(i+4)/2

• E.g.

20

SHA-1

• Input: message length at most 264 bits

• Output: 160-bit digest, as 5 32-bit words ABCDE

– Initialized as A = 6745230116, B = efcdab8916, C = 98badcfe16, D = 1032547616, E = c3d2e1f016

21

SHA-1 Operation

• Padding same as MD4 and MD5

• 512-bit message block used to create 5*512-bit chunk

– First 512 bits are original block

– Otherwise, Wn = (Wn-3 ⊕Wn-8 ⊕Wn-14 ⊕Wn-16) 1

– Now 80 words W0, W1, ...W79

22

SHA-1 Operation

• For each word wt t = 0 to 79, update ABCDE

• B = old A

• C = old B 30

• D = old C

• E = old D23

SHA-1 Operation

• A = E + (A 5) + Wt + Kt + f(t,B,C,D)

– where

and

24

SHA-256

• Message is processed in 512-bit blocks sequentially, just like SHA-1

• Message digest 256 bits instead of SHA-1’s 160 bits

• 64 rounds instead of 80 rounds of compression

• Algorithm structure same as SHA-1– Step 1: Padding bits

– Step 2: Appending length as 64 bit unsigned

– Step 3: Buffer initiation

– Step 4: Processing of message

– Step 5: Output

25

SHA-256 Round:

26

HMAC Operation

• Input: variable-length key, variable-size message

• Output: fixed-size MAC, depending on algorithm

• Idea:

– Prepend key to

message, digest it

– Prepend key to

result, digest it

27

HMAC Operation

• Key processing

– If fewer than 512 bits, pad 0 to 512 bits

– If more than 512 bits, digest key first then pad 0

• Input of first digest

–⊕ padded key with constant of value 3616

– Concatenate key with message

• Input of second digest

–⊕ padded key with constant of value 5c16

– Concatenate key with first digest28

29

Chapter 6Public Key Algorithms

30

Overview

• Traditional secret/single/private key cryptography uses one key.

– Symmetric, since parties are equal.

• Public key cryptography uses two keys

– Public key: known to everyone

– Private key: known to owner only

– Asymmetric since parties are not equal.

31

Overview

• Different public key algorithms have different functions

– Encryption and digital signatures: RSA, ECC

– Digital signatures: DSS, ElGamal

– Key establishment: Diffie-Hellman

– Authentication: zero knowledge proof systems

32

Modular Arithmetic

• Most public key algorithms are based on modular arithmetic.

• Modular arithmetic uses the non-negative integers less than some positive integer n, performs ordinary arithmetic operations, and then replaces the result with its remainder when divided by n.

– x modulo n or mod n

33

Modular Arithmetic

• Modular addition, example

– 2 + 2 = 4

– 3 + 9 = 2

– Can be used

as a cipher

• Modular subtraction can be done by adding x's additive inverse (-x).

– Since 4 + 6 = 0, -4 = 6

34

Modular Arithmetic

• Modular multiplication

– Multiplication by 1, 3, 7, or 9 works as a cipher.

– Multiplication by any other number will not.

35

Modular Arithmetic

• Modular division can be done by multiplying x's multiplicative inverse (x-1).

– Only the numbers {1, 3, 7, 9} have multiplicative inverses mod 10.

– Since 3 * 7 = 1, 3-1 =7

– Generally, Euclid's Algorithm to find multiplicative inverse.

36

Modular Arithmetic

• What's special about the numbers {1, 3, 7, 9}?

– Relatively prime to 10

– x relatively prime to y: gcd(x, y) = 1

– gcd(3, 10) = 1, gcd(6, 10) = 2

• In general, for mod n, all numbers relatively prime to n will have multiplicative inverses, and none of the other numbers will.

– mod n multiplication by any number x relatively prime to n will work as a cipher.

37

Modular Arithmetic

• How many numbers less than n are relatively prime to n?

• Totient function: φ(n)

– If n is prime, then all the integers {1, 2,...n-1} are relatively prime to n, so φ(n) = n-1.

– If n is a product of two distinct primes, say p and q, then there are (p-1)(q-1) numbers relatively prime to n, so φ(n) = (p-1)(q-1).

38

Modular Arithmetic

• Modular exponentiation is ordinary exponentiation mod n.

– 46 = 6 mod 10, since 46 = 4096 & 4096 = 6 mod 10

39

Modular Arithmetic

• Exponentiation by 3 would work as a cipher.

• Exponentiation by 2 would not.

• How to find exponentiative inverse?

• xy mod n is the same as x(y mod φ(n)) mod n

– Columns 1 and 5 are the same, and 2 and 6 are the same, and 3 and 7 are the same.

• Euler's Theorem: if y = 1 mod φ(n), then for any number x with gcd(x, n) = 1, x y = x mod n.

40

RSA

• Named after inventors: Rivest, Shamir, and Adleman

• Variable key length

– Commonly used key length 512-2048 bits

– Longer key for enhanced security

• Variable block size in RSA

– Plaintext block must be smaller than key length.

– Ciphertext block will be the length of the key.

41

RSA

• Much slower than secret key algorithms like DES and IDEA.

• Not tend to encrypt long messages:

– Encrypt a secret key for key distribution, and then secret key cryptography to encrypt message.

– Encrypt hash of message as digital signature.

42

RSA

• Choose two large primes p and q

– Secret, easy to break if known

• n = p * q

– Hard to factor large numbers

• Public key <e,n>

– e: relatively prime to φ(n) = (p-1)(q-1)

• Private key <d,n>

– d: multiplicative inverse of e mod φ(n)

43

RSA

• Encryption: c = me mod n

• Decryption: m = cd mod n

• Sign message: s = md mod n

• Verify signature: m = se mod n

44

RSA Example - Key Setup

1. Select primes: p=17 & q=11

2. Compute n = pq =17 x 11=187

3. Compute ø(n)=(p–1)(q-1)=16 x 10=160

4. Select e: gcd(e,160)=1; choose e=7

5. Determine d: de=1 mod 160 and d < 160Value is d=23 since 23x7=161= 1x160+1

6. Publish public key PU={7,187}

7. Keep secret private key PR={23,187}

45

RSA Example - En/Decryption

1. sample RSA encryption/decryption is:

2. given message M = 88 (note 88<187)

3. encryption:

C = 887 mod 187 = 11

4. decryption:

M = 1123 mod 187 = 88

46

Extended Euclidean Algorithm

• Calculate multiplicative inverse: d = e-1 mod n

• Notations:

– # of steps: 0, 1, 2…

– qi: quotient at step i

– pi: p0 = 0, p1 = 1, pi = pi-2 - pi-1 qi-2 (mod n)

47


• Algorithm description:

– Start by Dividing greater # by less one

– In each following step, replace greater # by less one, and less # by reminder

– If the last non-zero remainder occurs at step k, then if this remainder is 1, e has an inverse and it is pk+2.

– If the remainder is not 1, then e does not have an inverse.

48


• Example: 15-1 mod 26

Step 0: 26 = 15*1 + 11 p0 = 0

Step 1: 15 = 11*1 + 4 p1 = 1

Step 2: 11 = 4*2 + 3 p2 = 0 - 1*1 mod 26 = 25

Step 3: 4 = 3*1 + 1 p3 = 1 - 25*1 mod 26 = -24 mod 26 = 2

Step 4: 3 = 1*3 + 0 p4 = 25 - 2*2 mod 26 = 21

p5 = 2 - 21*1 mod 26 = -19 mod 26 = 7

49

Why Does RSA Work?

• RSA does arithmetic mod n, where n = pq.

• d is multiplicative inverse of e mod φ(n) = (p-1)(q-1)

• de = 1 mod φ(n), and thus xde = x mod n

• Decryption: cd mod n = (me mod n)d mod n

= med mod n

= m mod n

• Signature: se mod n = med mod n = m mod n

50

Why is RSA Secure?

• Factoring a big number is hard.

– To factor a 512-bit number with best known techniques would take about 30,000 MIPS-years.

• If you can factor quickly, you can break RSA.

– Given public key <e,n>

– Factor n to obtain p and q, s.t. n = p * q

– Calculate φ(n) = (p-1)(q-1)

– Calculate d = e-1 mod φ(n)

– Get private key <d,n>

51

Possible Misuse of RSA

• Send Alice a message, which is the name of a person in the class.

• Encrypt the name with Alice’s public key.

• Attacker cannot decrypt the ciphertext.

• But can encrypt every name in the class and compare it with the ciphertext.

– Brute force attack.

• How to improve?

52

Efficiency of RSA

• Encryption, decryption, signing, and verifying signatures all involve

– taking a large number,

– raising it to a large power, and

– finding the remainder mod a large number.

• 12354 mod 678

– Direct calculation: 12354 has about 100 digits

– Fast

53

Efficiency of RSA

• Faster

• If exponent not a power of 2

– 54 is 1101102. Compute 123 raised to a sequence of powers: 12, 112, 1102, 11012, 110112, 1101102.

– Each successive power is either twice the preceding power or one more than.

54

Efficiency of RSA

• Faster

• In other words

– 54 =(((((1)2+1)2)2+1)2+1)2, so

– 12354 = (((((123)2123)2)2123)2123)2 = 87 mod 678

55

Efficiency of RSA

• In general, to perform exponentiation of a base to an exponent, start with your value set to 1.

• As read the exponent in binary bit by bit from high-order bit to low-order bit, square your value, and if the bit is a 1 you then multiply by the base.

• Perform modular reduction after each operation to keep the intermediate results small.

56

Exponentiation

f = 1

for i = k downto 0

do f = (f x f) mod n

if bi == 1 then

f = (f x a) mod n

return f

a: base

b = bk…b0: binary exponent

k: number of bits for power

f: result

57

Generating RSA Keys

• p and q are primes, which thin out as numbers get big.

– probability of random number n being prime: 1/ln n

• Test whether a number is prime.

– Naive method: divide n by all numbers

• Test the probability of a number being prime.

– Euler's Theorem: For any a relatively prime to n, aφ(n) = 1 mod n.

– If n is a prime, φ(n) = n – 1.

– Fermat's Theorem: If p is prime and 0 < a < p, ap-1 = 1 mod p.

58

Generating RSA Keys

• For a number n, pick a number a < n, compute an-1 mod n, and see if the answer is 1.

– If it is not 1, n is certainly not prime.

– If it is 1, n may or may not be prime.

– If n is a randomly generated number of about a hundred digits, the probability that n isn't prime but an-1 mod n = 1 is about 1 in 1013.

59

Generating RSA Keys

• Cost of such a mistake.

– RSA might fail; could not decrypt a message.

– Attacks might compute private key easier.

• If risk of 1 in 1013 is unacceptable, the primality test can be made more reliable.

– By trying many values for a, we can make the probability of falsely identifying n as prime inconceivably small.

60

Generating RSA Keys

• Find e that is relatively prime to (p-1)(q-1)

– After p and q are selected, choose e at random. Test if e is relatively prime to (p-1)(q-1). If not, continue.

– Don't pick p and q first. Instead, first choose e, then select p and q carefully so that (p-1) and (q-1) are guaranteed to be relatively prime to e.

• e can be small or even constant, since d is hard to calculate.

– But d must not be small, why?

61

Generating RSA Keys

• Popular value of e: 3

– Fast encryption

– If m is small, needs to be padded with a random number before encryption; otherwise, m =

– Can choose p or q by selecting an odd number, multiplying by 3 and add 2.

• Popular value of e: 65537

– 216+1, two 1s in binary format, easy encryption

– Large prime number

62

RSA Threats

• x < n is a signature of xe mod n.

• Smooth number: product of small primes.

• If the attacker sees signature on m1 and m2, she can compute signature on m1·m2, and on m1/m2, and m1

j, and on m1j·m2

k.

– (m12)d mod n = (m1

d)2 mod n = (m1d mod n)2 mod n

63

RSA Threats

• If e = 3

– Attacker sees m3 mod n1, m3 mod n2, and m3 mod n3 and knows <3, n1>, <3, n2>, <3, n3>.

– Attacker can compute m3 mod n1n2n3.

– Since m is smaller than each ni, m3 will be smaller

than n1n2n3, so m3 mod n1n2n3 will just be m3.

– Therefore, the bad guy can compute the ordinary cube root of m3, giving m.

64

Example

• Perform encryption and decryption using the RSA algorithm for: p = 11, q = 11, e = 7, M = 5.

65

Public-Key Cryptography Standard (PKCS)

• A set of standards tor recommend encodings for RSA

• Threats that PKCS deals with:

– encrypting guessable messages

– signing smooth numbers

– multiple recipients of a message when e = 3

– encrypting messages that are less than a third the length of n when e = 3

– signing messages where the information is in the high-order part and e = 3

66


• Encryption: standard for formatting a message to be encrypted with RSA.

– First octet guarantees message smaller than n

– Second octet: PKCS type for encryption

– Nonzero second octet guarantees to be more than a third the length of n

– Random padding infeasible for attacker to guess

– Different paddings for different recipients

67


• Signing: standard for formatting a message to be encrypted with RSA

– First octet of 0 ensures quantity be less than n

– Second octet: PKCS type for signing

– Padding ensures a non-smooth number

– Digest type to indicate digest function

68

Diffie-Hellman

• Oldest public key system.

• Allow two individuals to agree a shared key.

– Start with on secrets.

– Exchange messages only in public.

• Weakness: no authentication

– Will see an attack later.

69

Diffie-Hellman

• Publicly known: p and g

– p is a large prime, g is a number less than p

• Each chooses a 512-bit number at random and keeps it secret, SA and SB.

– TA = mod p

– TB = mod p

– Exchange TA and TB to calculate shared key

70

Diffie-Hellman

• Nobody else can calculate in a reasonable amount of time,

• Even though they know and .

– Discrete logarithms are hard.

71

Diffie-Hellman Example

• users A & B who wish to swap keys:

• agree on prime p=353 and g=3

• select random secret keys:– A chooses SA=97, B chooses SB=233

• compute respective public keys:– TA=3

97 mod 353 = 40 (Alice)

– TB=3233

mod 353 = 248 (Bob)

• compute shared session key as:– KAB= TB

SA mod 353 = 24897

= 160 (A)

– KAB= TASB mod 353 = 40

233= 160 (B)

72

Man-in-the-Middle Attack

• No way for Alice to know TB is from Bob.

• Assume Mr. X in the middle between A and B.

– X intercepts and , and sends instead

73

Defenses Against Man-in-the-Middle Attack

• Diffie-Hellman alone cannot detect the intruder in the middle.

• Published Diffie-Hellman numbers:

– Use permanent public and secret number.

– Every one publishes public number.

– Compute key by own secret number and public number of other party.

• Authenticated Diffie-Hellman.

74

Encryption with Diffie-Hellman

• Communicate without active exchange first.

• Bob publishes <pB, gB, TB>, TB = mod pB

• Alice Selects SA

– Compute mod pB and KAB = mod pB

– Use KAB to encrypt message

• Bob

– Compute KAB = mod pB

– Use KAB to decrypt message

75

ElGamal Signatures

• Each has long-term public/private key pair.

– Public key: <g, p, T>

– Secret key: S, where gS mod p = T

• Different public/private key pair for each msg

– For message m, choose random number Sm and compute gSm mod p = Tm.

– Compute message digest of dm = MD(m|Tm)

– Calculate signature X = Sm + dmS mod (p-1)

76

ElGamal Signatures

• Transmit m, X, and Tm, to verify signature,

– Compute dm

– Check that gX = TmTdm mod p, because

77

Digital Signature Standard (DSS)

• NIST proposed the Digital Signature Algorithm (DSA). As a standard it is known as DSS.

• Based on ElGamal but faster.

• DSS allows the signer to precalculate its inverse before it even has a message.

– Taking inverses is the most computationally expensive part of DSS.

78


• Generate p and q (which will be public).

– q: 160-bit prime, p: 512-bit prime p of the form kq+1

– Expensive operation, but not often.

• Generate g (which will be public).

– gq = 1 mod p

– Done by taking random h, g = h(p-1)/q, gq = hp-1 = 1

• Choose long-term public/private key pair <T, S>.

– Choose random S < q and set T = gS mod p

79


• Choose a per message public/private key pair <Tm, Sm>.

– Choose random Sm and set Tm = ((gSm mod p) mod q)

– Can calculate Sm-1 mod q in advance

• Calculate a message digest dm of the message.

– Hash algorithm SHS (Secure Hash Standard) generates 160-bit digest.

• Compute the signature X = Sm-1(dm + STm) mod q.

80


• Transmit all relevant information:

– message m, per msg public number Tm, signature X.

– T, p, q, and g are publicly known.

• Verify the signature:

– Calculate the mod q inverse of the signature, X-1

– Calculate dm

– Calculate x = dm· X-1 mod q

– Calculate y = Tm· X-1 mod q

– Calculate z = (gx · Ty mod p) mod q

– If z = Tm, then the signature is verified.

81

Why Does the Verification Procedure Work

• Let v = (dm + STm)-1 mod q. Then

– X-1 = (Sm-1(dm + STm))-1 = Sm(dm + STm)-1 = Smv mod q,

– x = dm· X-1 = dmSmv mod q,

– y = Tm· X-1 = TmSmv mod q,

–

82

Why Is This Secure

• Difficulty of discrete logarithms.

• Signing something does not divulge the private key S.

• Nobody should be able to generate a signature for a given message without knowing S.

• Nobody should be able to generate a message that matches a given signature.

• Nobody should be able to modify a signed message in a way that keeps the same signature valid.

83

Per-Message Secret Number

• Unique secret number per message Sm

• If Sm is known

– Xm = Sm-1(dm + STm) mod q

– Tm = gSm mod p mod q

– (XmSm - dm)Tm-1 mod q = S mod q

• If m and m' are signed using the same Sm

– (Xm - Xm')-1(dm - dm') mod q = Sm mod q

84

Elliptic Curve Cryptography (ECC)

• Secure with much smaller key sizes

• Define arithmetic operation based on elliptic curves

– Addition, multiplication, exponentiation

• Two types of arithmetic

– Zp arithmetic (modular arithmetic with large prime p as modulus): for hardware implementation

– GF(2n) arithmetic, which can be done with shifts and ⊕s: for software implementaion

85

Comparable Key Sizes for Equivalent Security

Symmetric

scheme

(key size in bits)

ECC-based

scheme

(size of n in bits)

RSA

(modulus size in

bits)

56 112 512

80 160 1024

112 224 2048

128 256 3072

192 384 7680

256 512 1536086

Documents

TCN 5080 Secure Telecom Transactions