
Network and computer security-


Page 1: Network and computer security-

MODULE 3 MCA-501 Computer Security ADMN 2012-‘15

Dept. of Computer Science And Applications, SJCET, Palai Page 60

3.1 KEY MANAGEMENT

public-key encryption helps address key distribution problems

this has two aspects:

distribution of public keys

use of public-key encryption to distribute secret keys

Distribution of Public Keys

can be considered as using one of:

public announcement

publicly available directory

public-key authority

public-key certificates

Public Announcement

users distribute public keys to recipients or broadcast to community at large

major weakness is forgery

anyone can create a key claiming to be someone else and broadcast it

Fig 3.1 public announcement

Publicly Available Directory

can obtain greater security by registering keys with a public directory

directory must be trusted with properties:

contains {name, public-key} entries

participants register securely with directory

participants can replace key at any time

directory is periodically published

directory can be accessed electronically

still vulnerable to tampering or forgery


Fig 3.2 publicly available directory

Public-Key Authority

improve security by tightening control over distribution of keys from directory

has properties of directory

Assumes that a central authority maintains a dynamic directory of public keys of all participants.

Fig 3.3 public key authority

1. A sends a time stamped message to the public-key authority containing a request for the current

public key of B.

2. The authority responds with a message that is encrypted using the authority's private key,

PRauth. The message includes B's public key PUb, the original request, and the original timestamp.

3. A stores B's public key and also uses it to encrypt a message to B containing an identifier of A

(IDA) and a nonce (N1), which is used to identify this transaction uniquely.


4. B sends a time stamped message to the public-key authority containing a request for the current

public key of A.

5. B retrieves A's public key from the authority in the same manner as A retrieved B’s public key.

At this point public keys have been securely delivered to A and B, and they may begin their protected exchange. Two further steps are desirable:

6. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new nonce

generated by B (N2). Because only B could have decrypted message (3), the presence of N1 in message (6)

assures A that the correspondent is B.

7. A returns N2, encrypted using B's public key, to assure B that its correspondent is A.

Public-Key Certificates

certificates allow key exchange without real-time access to public-key authority

certificate consists of a public key plus an identifier of the key owner

with all contents signed by a trusted Certificate Authority (CA)

A user can present his or her public key to the authority in a secure manner and obtain a certificate.

The user can then publish the certificate. Anyone needing this user's public key can obtain the

certificate and verify that it is valid by way of the attached trusted signature.

For user A the certificate is CA = E(PRauth, [T||IDA||PUa]), where T is a timestamp. Any other participant reads and verifies the certificate as follows:

D(PUauth, CA) = D(PUauth, E(PRauth, [T||IDA||PUa])) = (T||IDA||PUa)

Fig 3.4 Public-Key Certificates

Requirements on this scheme:

1. Any participant can read a certificate to determine the name and public key of the certificate's

owner.

2. Any participant can verify that the certificate originated from the certificate authority and is not

counterfeit.


3. Only the certificate authority can create and update certificates.

3.1.1 Distribution of Secret Keys Using Public-Key Cryptography

use previous methods to obtain public-key

Simple Secret Key Distribution


Fig 3.5 Simple Secret Key Distribution

1. A generates a public/private key pair {PUa, PRa} and transmits a message to B consisting of PUa

and an identifier of A, IDA.

2. B generates a secret key, Ks, and transmits it to A, encrypted with A's public key.

3. A computes D(PRa, E(PUa, Ks)) to recover the secret key. Because only A can decrypt the

message, only A and B will know the identity of Ks.

A and B can now securely communicate using conventional encryption and the session key Ks. At

the completion of the exchange, both A and B discard Ks.

This simple protocol is secure only against eavesdropping. Nothing in step 1 authenticates PUa, so an active attacker who intercepts message 1 can substitute their own public key, learn Ks from B's reply, re-encrypt Ks under the real PUa and forward it to A, and then read all later traffic unnoticed (a man-in-the-middle attack).

Secret Key Distribution with Confidentiality and Authentication

Provides protection against both active and passive attacks.

Fig 3.6 Secret Key Distribution with Confidentiality and Authentication

1. A uses B's public key to encrypt a message to B containing an identifier of A (IDA) and a nonce

(N1), which is used to identify this transaction uniquely.

2. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new nonce

generated by B (N2) .the presence of N1 in message assures A that the correspondent is B.

3. A returns N2 encrypted using B's public key, to assure B that its correspondent is A.


4. A selects a secret key Ks and sends M = E (PUb, E (PRa, Ks)) to B. Encryption of this message

with B's public key ensures that only B can read it; encryption with A's private key ensures that

only A could have sent it.

5. B computes D (PUa, D (PRb, M)) to recover the secret key.

Hybrid Key Distribution

retain use of KDC

shares secret master key with each user

distributes secret session key encrypted using master key

public-key used to distribute master keys

rationale

performance

backward compatibility

3.2 DIFFIE-HELLMAN KEY EXCHANGE

first public-key algorithm by Diffie & Hellman in 1976

is a practical method for public exchange of a secret key

used in a number of commercial products

Primitive root

Let p be a prime. Then b is a primitive root for p if the powers of b: 1, b, b^2, b^3, ... include all of

the residue classes mod p (except 0).

Examples: If p=7,

Then 3 is a primitive root for p because the powers of 3 are 1, 3, 2, 6, 4, 5 that is, every number mod 7

occurs except 0.

But 2 isn't a primitive root because the powers of 2 are 1, 2, 4, 1, 2, 4, 1, 2, 4... Missing several values.

The Algorithm

For this scheme, there are two publicly known numbers: a prime number q and an integer α that is a

primitive root of q. Suppose the users A and B wish to exchange a key. User A selects a random integer xA < q and

computes yA = α^xA mod q. Similarly, user B independently selects a random integer xB < q and computes yB = α^xB mod q. Each side keeps the

x value private and makes the y value available publicly to the other side. User A computes the key as KAB = yB^xA mod q and user

B computes the key as KAB = yA^xB mod q. These two calculations produce identical results, since both equal α^(xA·xB) mod q:


Fig 3.7 the Diffie-Hellman Key Exchange Algorithm

Diffie-Hellman Example

users Alice & Bob who wish to swap keys:

agree on prime q=353 and α=3

select random secret keys:

A chooses xA=97, B chooses xB=233

compute respective public keys:

yA = 3^97 mod 353 = 40 (Alice)

yB = 3^233 mod 353 = 248 (Bob)

compute shared session key as:

KAB = yB^xA mod 353 = 248^97 mod 353 = 160 (Alice)

KAB = yA^xB mod 353 = 40^233 mod 353 = 160 (Bob)

Key Exchange Protocols

users could create random private/public D-H keys each time they communicate

users could create a known private/public D-H key and publish in a directory, then consulted and

used to securely communicate with them


both of these are vulnerable to a man-in-the-middle attack, since nothing ties a received public value to its claimed owner

authentication of the keys is needed

Fig 3.8 Diffie-Hellman Key Exchange
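The following is an added example (not code from the original notes): the primitive-root test from the definition above, the Diffie-Hellman exchange with the notes' own parameters (q = 353, α = 3, xA = 97, xB = 233), and the man-in-the-middle failure mode of an unauthenticated exchange. The attacker "Mallory" and her exponent xM are assumptions made for the demonstration.

```python
# Diffie-Hellman over Z_q with a primitive-root check and a man-in-the-middle
# demonstration. Added example; the parameters below are the ones used in the
# notes, the attacker exponent xM = 21 is an arbitrary constructed value.

def is_primitive_root(b: int, p: int) -> bool:
    """True if the powers b, b^2, ..., b^(p-1) mod p hit every non-zero residue."""
    return len({pow(b, k, p) for k in range(1, p)}) == p - 1


def dh_public(alpha: int, q: int, x: int) -> int:
    """y = alpha^x mod q: the value a party sends in the clear."""
    return pow(alpha, x, q)


def dh_shared(y_other: int, x_own: int, q: int) -> int:
    """K = y_other^x_own mod q: the key each side derives locally."""
    return pow(y_other, x_own, q)


def honest_exchange(q: int, alpha: int, xA: int, xB: int):
    """Both public values reach the other side unmodified; keys agree."""
    yA = dh_public(alpha, q, xA)
    yB = dh_public(alpha, q, xB)
    return yA, yB, dh_shared(yB, xA, q), dh_shared(yA, xB, q)


def mitm_exchange(q: int, alpha: int, xA: int, xB: int, xM: int):
    """Mallory intercepts both public values and substitutes her own yM.
    A and B each end up sharing a key with Mallory, not with each other,
    and neither can tell: the arithmetic looks exactly like a normal run."""
    yA = dh_public(alpha, q, xA)
    yB = dh_public(alpha, q, xB)
    yM = dh_public(alpha, q, xM)
    K_A = dh_shared(yM, xA, q)    # what A believes is K_AB
    K_B = dh_shared(yM, xB, q)    # what B believes is K_AB
    K_MA = dh_shared(yA, xM, q)   # Mallory's copy of A's key
    K_MB = dh_shared(yB, xM, q)   # Mallory's copy of B's key
    return K_A, K_B, K_MA, K_MB


if __name__ == "__main__":
    print("3 primitive root mod 7:", is_primitive_root(3, 7))
    print("2 primitive root mod 7:", is_primitive_root(2, 7))
    yA, yB, kA, kB = honest_exchange(353, 3, 97, 233)
    print(f"yA={yA} yB={yB} K(Alice)={kA} K(Bob)={kB}")
    K_A, K_B, K_MA, K_MB = mitm_exchange(353, 3, 97, 233, 21)
    print(f"MITM: A holds {K_A} (Mallory {K_MA}), B holds {K_B} (Mallory {K_MB})")
```

The MITM run is why the notes say authentication of the public values is needed: signing yA and yB (or carrying them in certificates) is what turns this into an authenticated exchange, the exponentiation itself cannot detect the substitution.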

3.3 ELLIPTIC CURVE ARITHMETIC

majority of public-key crypto (RSA, D-H) use either integer or polynomial arithmetic with very

large numbers/polynomials

imposes a significant load in storing and processing keys and messages

an alternative is to use elliptic curves

offers same security with smaller bit sizes

Elliptic Curves

an elliptic curve is defined by an equation in two variables x & y, with coefficients

consider a cubic elliptic curve of form

y^2 = x^3 + ax + b


where x,y,a,b are all real numbers

consider the set of points E(a, b) consisting of all (x, y) that satisfy the equation, together with the point at infinity O

have addition operation for elliptic curve

geometrically, the sum P + Q is the reflection in the x-axis of R, the third point where the line through P and Q meets the curve

Fig 3.9 elliptic curve

Consider elliptic curve

E: y^2 = x^3 - x + 1

If P1 and P2 are on E, we can define

P3 = P1 + P2

Finite Elliptic Curves

Elliptic curve cryptography uses curves whose variables & coefficients are finite

have two families commonly used:

prime curves Ep(a , b) defined over Zp

use integers modulo a prime

best in software

binary curves E2^m(a, b) defined over GF(2^m)

use polynomials with binary coefficients

best in hardware

3.4 ELLIPTIC CURVE CRYPTOGRAPHY

Elliptic curve cryptography [ECC] is a public-key cryptosystem

Elliptic curves are used as an extension to other current cryptosystems.

Elliptic Curve Diffie-Hellman Key Exchange

Elliptic Curve Digital Signature Algorithm

The central part of any cryptosystem involving elliptic curves is the elliptic group.

Generic Procedures of ECC


Both parties agree to some publicly-known data items

The elliptic curve equation

values of a and b

a prime, q (the modulus of the underlying field Zq)

The elliptic group computed from the elliptic curve equation

A base point, G, taken from the elliptic group

Similar to the generator used in current cryptosystems

Each user generates their public/private key pair

Private Key = an integer x, selected from the interval [1, n-1], where n is the order of the base point G

Public Key = the scalar product of the private key and the base point (x*G)

Fig 3.10 ECC Diffie-Hellman Key Exchange
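An added example, not code from the original notes, of the generic procedure above: point addition and doubling over Zp, double-and-add scalar multiplication, and an ECDH exchange. The curve y^2 = x^3 + 2x + 2 over Z17 with base point G = (5, 1) of order 19 is a small textbook toy chosen so every step can be checked by hand; it is an assumption of this example, not a curve from the notes, and far too small for any real use.

```python
# ECC point arithmetic over a prime field and an ECDH key agreement on a toy
# curve. Added example; curve, base point and its order are assumed values.
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]   # None represents the point at infinity O


class PrimeCurve:
    """y^2 = x^3 + a*x + b over Z_p with the chord-and-tangent group law."""

    def __init__(self, p: int, a: int, b: int):
        self.p, self.a, self.b = p, a, b
        # A usable (non-singular) curve needs 4a^3 + 27b^2 != 0 mod p.
        assert (4 * a ** 3 + 27 * b ** 2) % p != 0

    def on_curve(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def add(self, P: Point, Q: Point) -> Point:
        if P is None:
            return Q
        if Q is None:
            return P
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None                     # P + (-P) = O; also doubling a point with y = 0
        if P == Q:                          # tangent slope for doubling
            s = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)
        else:                               # chord slope for distinct points
            s = (y2 - y1) * pow(x2 - x1, -1, self.p)
        s %= self.p
        x3 = (s * s - x1 - x2) % self.p
        y3 = (s * (x1 - x3) - y1) % self.p  # reflect the third intersection point
        return (x3, y3)

    def mul(self, k: int, P: Point) -> Point:
        """k*P by double-and-add (the elliptic-curve analogue of exponentiation)."""
        R, Q = None, P
        while k > 0:
            if k & 1:
                R = self.add(R, Q)
            Q = self.add(Q, Q)
            k >>= 1
        return R


CURVE = PrimeCurve(17, 2, 2)   # assumed toy curve y^2 = x^3 + 2x + 2 mod 17
G = (5, 1)                     # assumed base point
N_G = 19                       # assumed order of G: 19*G = O, private keys live in [1, 18]


def ecdh_exchange(priv_a: int, priv_b: int):
    """Each side publishes priv*G and multiplies the other's point by its own scalar."""
    pub_a = CURVE.mul(priv_a, G)
    pub_b = CURVE.mul(priv_b, G)
    shared_a = CURVE.mul(priv_a, pub_b)    # A computes a*(b*G)
    shared_b = CURVE.mul(priv_b, pub_a)    # B computes b*(a*G)
    return pub_a, pub_b, shared_a, shared_b


if __name__ == "__main__":
    for k in range(1, N_G + 1):
        print(f"{k}*G = {CURVE.mul(k, G)}")
    print("ECDH(3, 7):", ecdh_exchange(3, 7))
```

The group law is the only place where elliptic curves differ from ordinary Diffie-Hellman; everything else (private scalar, public point, shared point) maps one-to-one onto the exponent, public value and shared key of the previous section. Implementations must also reject a received public point that is not on the curve, which `on_curve` lets the caller check before multiplying.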

Applications of ECC

Many devices are small and have limited storage and computational power

Where can we apply ECC?

Wireless communication devices

Smart cards


Web servers that need to handle many encryption sessions

Any application where security is needed but which lacks the power, storage and computational

capacity that current cryptosystems require

Security of Elliptic Curve Cryptography

The security of ECC depends on how difficult it is to determine the private-key integer x given the base point G and the

public key x*G. This is referred to as the elliptic curve (discrete) logarithm problem. The fastest known general technique for taking the elliptic curve logarithm is

the Pollard rho method.

3.5 MESSAGE AUTHENTICATION

Message authentication is concerned with:

protecting the integrity of a message

validating identity of originator

non-repudiation of origin (dispute resolution)

will consider the security requirements

then three alternative functions used:

a) message encryption

b) message authentication code (MAC)

c) hash function

Message Encryption

message encryption by itself also provides a measure of authentication

Symmetric Encryption

Public Key encryption

Fig 3.11 symmetric and public key encryption

Message Authentication Code (MAC)

generated by an algorithm that creates a small fixed-sized block


depending on both message and some key

appended to message as a signature

receiver performs same computation on message and checks it matches the MAC

provides assurance that message is unaltered and comes from sender

MAC= C(K, M), where M = input message, C = MAC function and K = shared secret key

Fig 3.12 Message authentication code

Requirements for MACs

1. knowing a message and MAC, is infeasible to find another message with same MAC

2. MACs should be uniformly distributed

3. MAC should depend equally on all bits of the message

Using Symmetric Ciphers for MACs

can use any block cipher chaining mode and use final block as a MAC

Data Authentication Algorithm (DAA) is a widely used MAC based on DES

using IV=0

encrypt message using DES in CBC mode

and send just the final block as the MAC or the leftmost M bits (16≤M≤64) of final block

but final MAC is now too small for security

Fig 3.13 Data Authentication Algorithm (DAA)


3.6 HASH FUNCTIONS

A hash function H accepts a variable-length block of data as input and produces a fixed-size hash

value

h = H (M)

hash used to detect changes to message

The hash code is a function of all the bits of the message and provides an error-detection capability:

A change to any bit or bits in the message results in a change to the hash code.

Fig 3.14 Block Diagram of Cryptographic Hash Function

Three desirable properties:

1. One-way: For any given code h, it is computationally infeasible to find x such that H(x)=h.

2. Weak collision resistance: For any given block x, it is computationally infeasible to find y ≠ x with

H(y) = H(x).

3. Strong collision resistance: It is computationally infeasible to find any pair (x, y) such that H(x) =

H(y).

Requirements for Hash Functions

1. can be applied to any sized message M

2. produces fixed-length output h

3. is easy to compute h=H(M) for any message M

4. Given h, it is infeasible to find x such that H(x) = h

5. Given x, it is infeasible to find y ≠ x such that H(y) = H(x)

6. It is infeasible to find any pair x, y such that H(y) = H(x)


Simple Hash Functions

based on XOR of message blocks

Ci = bi1 XOR bi2 XOR ... XOR bim

Where

Ci = ith bit of the hash code, 1 ≤ i ≤ n

m = number of n-bit blocks in the input

bij = ith bit in jth block
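An added example (not from the original notes) implementing the block-XOR code exactly as defined above, and showing why it meets none of the collision requirements listed for a cryptographic hash: reordering blocks, or flipping the same bit position in two different blocks, leaves the code unchanged. The zero-padding of a short final block is an assumption of this example.

```python
# Simple XOR "hash" of n-byte blocks and two cheap collisions against it.
# Added example; block width and padding rule are assumptions.

def xor_hash(msg: bytes, n_bytes: int = 4) -> bytes:
    """C_i = b_i1 XOR b_i2 XOR ... XOR b_im over all n-byte blocks of msg."""
    code = 0
    for j in range(0, len(msg), n_bytes):
        block = msg[j:j + n_bytes].ljust(n_bytes, b"\x00")  # zero-pad a short last block (assumed)
        code ^= int.from_bytes(block, "big")
    return code.to_bytes(n_bytes, "big")


def swap_blocks(msg: bytes, n_bytes: int, i: int, j: int) -> bytes:
    """XOR is commutative, so any permutation of the blocks collides."""
    blocks = [msg[k:k + n_bytes] for k in range(0, len(msg), n_bytes)]
    blocks[i], blocks[j] = blocks[j], blocks[i]
    return b"".join(blocks)


def flip_bit(msg: bytes, bit: int) -> bytes:
    out = bytearray(msg)
    out[bit // 8] ^= 1 << (7 - bit % 8)
    return bytes(out)


def second_preimage(msg: bytes, n_bytes: int = 4) -> bytes:
    """Flip the same bit position in blocks 1 and 2: the two flips cancel in
    C_i, so the result is a different message with the same code. This is a
    direct violation of weak collision resistance (property 5 above)."""
    return flip_bit(flip_bit(msg, 0), n_bytes * 8)


if __name__ == "__main__":
    m = b"ABCDEFGH"
    print(xor_hash(m).hex(), xor_hash(swap_blocks(m, 4, 0, 1)).hex())
    print(xor_hash(second_preimage(m)).hex())
```

A single flipped bit does change the code, which is all the notes' "error-detection capability" promises; what the XOR code lacks is any resistance to an adversary who chooses the change.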

Hash Functions & MAC Security

brute-force attacks

Hash function: The strength of a hash function against brute-force attacks depends solely on

the length of the hash code produced by the algorithm

MAC: needs known message-MAC pairs; the effort is min(2^k, 2^n) for a k-bit key and an n-bit MAC

cryptanalytic attacks exploit structure

like block ciphers want brute-force attacks to be the best alternative

more variety of MACs so harder to generalize about cryptanalysis

3.7 HASH AND MAC ALGORITHMS

3.7.1 Secure Hash Algorithm

SHA originally designed by NIST in 1993

was revised in 1995 as SHA-1, which produces 160-bit hash values

NIST later (2002) added three further versions: SHA-256, SHA-384, SHA-512

designed for compatibility with increased security provided by the AES cipher

structure & detail is similar to SHA-1

but security levels are rather higher

SHA-512 Overview

Takes as input a message with a maximum length of less than 2^128 bits and produces as output a

512-bit message digest.

The input is processed in 1024-bit blocks.

Step 1: Append padding bits and length

Padding is done by appending to the input

A single bit, 1

Enough additional bits, all 0, so that the length is congruent to 896 mod 1024

The message length (before padding) is appended as a 128-bit unsigned integer, bringing the total to a multiple of 1024 bits


Step 2: Initialize hash buffer

512-bit buffer is used to hold intermediate and final results of the hash function.

The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h).

These registers are initialized to 64-bit integers obtained by taking the first 64 bits of the fractional parts of the square roots of the first eight prime numbers

Fig 3.15 SHA 512

Step 3: Process the message in 1024-bit blocks

which forms the heart of the algorithm

this module is labeled F

consists of 80 rounds updating a 512-bit buffer

Step 4: Output the final state value as the resulting hash

After all N 1024-bit blocks have been processed, the output from the Nth stage is the 512-bit

message digest.

3.7.2 Whirlpool

is an iterated cryptographic hash function

that uses a dedicated symmetric-key block cipher W, derived from AES (not AES itself), as its compression function.

The processing consists of the following steps:

Step 1: Append padding bits and length

Step 2: Initialize hash matrix

Step 3: Process message in 512-bit (64-byte) blocks, using as its core, the block cipher W.


Fig 3.16 Whirlpool

Whirlpool Block Cipher W

designed specifically for hash function use with security and efficiency of AES

but with a 512-bit block size and 512-bit key, and hence a 512-bit hash

similar structure & functions as AES but

input is mapped row wise

has 10 rounds

uses different S-box design & values

Fig 3.17 Whirlpool Block Cipher W

Performance & Security

Whirlpool is a very new proposal

hence little experience with use

but many AES findings should apply


does seem to need more h/w than SHA, but with better resulting performance

3.7.3 HMAC

Hash-based Message Authentication Code

Design Objectives

use, without modifications, available hash functions

allow for easy replaceability of the embedded hash function

preserve original performance of hash function without significant degradation

Use and handle keys in a simple way.

have well understood cryptographic analysis of authentication mechanism strength

any hash function can be used

e.g. SHA-1, SHA-512, Whirlpool etc.

Algorithm

b = number of bits in a block

K+ is K padded with zeros on the right (zeros appended) so that the result is b bits in length; a key longer than b bits is first hashed down to n bits.

ipad is a pad value of 36 hex repeated to fill block

opad is a pad value of 5C hex repeated to fill block.

M is the message input

Yi = ith block of M,

H = embedded hash function.

L = number of blocks in M.

n = length of hash code produced by embedded hash function

Then HMAC can be represented as:

HMACK(M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]]

1. Append zeros to the right end of K to create a b-bit string K+.

2. XOR (bitwise exclusive-OR) K+ with ipad to produce the b-bit block Si.

3. Append M to Si.

4. Apply H to the stream generated in step 3.

5. XOR K+ with opad to produce the b-bit block So.

6. Append the hash result from step 4 to So.

7. Apply H to the stream generated in step 6 and output the result.


Fig 3.18 HMAC

HMAC Security

the proven security of HMAC relates to that of the underlying hash algorithm

attacking HMAC requires either:

brute force attack on key used

birthday attack

choose the hash function used based on speed versus security constraints

3.7.4 CMAC

Cipher-based Message Authentication Code (CMAC).

Mode of operation for use with AES and triple DES.

The operation of CMAC when the message consists of n complete blocks of the cipher block length b:

Fig 3.19 CMAC

If the message is not an integer multiple of the cipher block length, then the final block is padded to

the right (least significant bits) with a 1 and as many 0s as necessary so that the final block is also

of length b. The CMAC operation then proceeds as before, except that a different b-bit subkey K2 is used

instead of K1 (both subkeys are derived from K).


Fig 3.20 CMAC

where

T = message authentication code, also referred to as the tag

Tlen = bit length of T

MSBs(X) = the s leftmost bits of the bit string X
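An added example (not code from the original notes) serving both the DAA/CBC-MAC description in section 3.5 and the CMAC description above: it computes the CBC-MAC tag (IV = 0, final block as tag), demonstrates the forgery that makes plain CBC-MAC unsafe for variable-length messages, and then shows CMAC's K1/K2 final-block treatment defeating the same trick. In place of AES it uses a stand-in keyed function E_K(x) = SHA-256(K || x) truncated to 16 bytes; this is an assumption of the example, not a cipher, and the GF(2^128) doubling constant 0x87 used for the subkeys is the one defined for a 128-bit block.

```python
# CBC-MAC (DAA style) versus CMAC with a stand-in block function.
# Added example; E() is NOT a real cipher, keys and messages are constructed.
import hashlib

BLOCK = 16   # 128-bit block, as for AES


def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_K on one block: a keyed function, not invertible and not AES.
    The CBC-MAC forgery below only needs E to be deterministic in (key, block)."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(key: bytes, msg: bytes) -> bytes:
    """DAA / CBC-MAC: IV = 0, chain through whole blocks, tag = final block."""
    assert msg and len(msg) % BLOCK == 0, "DAA form handles whole blocks only"
    state = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        state = E(key, xor(state, msg[i:i + BLOCK]))
    return state


def cbc_mac_forgery(t1: bytes, t2: bytes, m1: bytes, m2: bytes):
    """Given tags t1 = MAC(m1), t2 = MAC(m2) of two one-block messages, the tag of
    m1 || (m2 XOR t1) is t2: MAC = E(E(m1) XOR m2 XOR t1) = E(m2). No key needed."""
    return m1 + xor(m2, t1), t2


def _double(block: bytes) -> bytes:
    """Multiply by x in GF(2^128): shift left, reduce with 0x87 if a bit fell off."""
    v = int.from_bytes(block, "big") << 1
    if v >> (8 * BLOCK):
        v ^= 0x87
    return (v & ((1 << (8 * BLOCK)) - 1)).to_bytes(BLOCK, "big")


def cmac_subkeys(key: bytes):
    L = E(key, bytes(BLOCK))       # L = E_K(0^b)
    K1 = _double(L)
    K2 = _double(K1)
    return K1, K2


def cmac(key: bytes, msg: bytes, tlen: int = BLOCK) -> bytes:
    """CMAC: complete final block XOR K1, or 10*-padded final block XOR K2;
    T = MSB_Tlen(E_K(state XOR final))."""
    K1, K2 = cmac_subkeys(key)
    if msg and len(msg) % BLOCK == 0:
        body, last = msg[:-BLOCK], xor(msg[-BLOCK:], K1)
    else:
        padded = msg + b"\x80" + bytes(BLOCK - 1 - len(msg) % BLOCK)
        body, last = padded[:-BLOCK], xor(padded[-BLOCK:], K2)
    state = bytes(BLOCK)
    for i in range(0, len(body), BLOCK):
        state = E(key, xor(state, body[i:i + BLOCK]))
    return E(key, xor(state, last))[:tlen]


if __name__ == "__main__":
    key, m1, m2 = b"constructed-key", b"A" * BLOCK, b"B" * BLOCK
    forged, tag = cbc_mac_forgery(cbc_mac(key, m1), cbc_mac(key, m2), m1, m2)
    print("CBC-MAC forgery accepted:", cbc_mac(key, forged) == tag)
    forged, tag = cbc_mac_forgery(cmac(key, m1), cmac(key, m2), m1, m2)
    print("same trick against CMAC accepted:", cmac(key, forged) == tag)
```

The subkey XOR on the final block is the whole difference: it binds the tag to "this was the last block", so a tag observed for a one-block message is no longer usable as the chaining value of a longer one, and the K1/K2 choice additionally separates a message that happened to end in 10* from one that was padded.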

3.8 DIGITAL SIGNATURES & AUTHENTICATION PROTOCOLS

3.8.1 Digital Signature

digital signatures provide the ability to:

verify author, date & time of signature

authenticate message contents

be verified by third parties to resolve disputes

hence include authentication function with additional capabilities

Fig 3.21 Digital signature


Digital Signature Properties

must depend on the message signed

must use information unique to sender

must be relatively easy to produce

must be relatively easy to recognize & verify

be computationally infeasible to forge

with new message for existing digital signature

with fraudulent digital signature for given message

be practical to save a copy of the digital signature in storage

Two approaches: direct and arbitrated.

Direct Digital Signatures

involve only sender & receiver

assumed receiver has sender’s public-key

digital signature made by sender signing entire message or hash with private-key

can encrypt using receivers public-key

important that sign first then encrypt message & signature

security depends on sender’s private-key
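An added example, not code from the original notes, serving both the direct digital signature just described (sender signs H(M) with PRa, receiver verifies with PUa) and the public-key certificate of section 3.1 (the CA signs T||IDA||PUa with PRauth, anyone verifies with PUauth). Textbook RSA over Mersenne primes with no padding is used as a toy stand-in for the signature primitive; that choice, the key sizes, the JSON encoding of the certificate body and the identities "alice"/"mallory" are all assumptions of this example, and unpadded RSA must never be used for real signatures.

```python
# Direct digital signature over a message hash, and a CA-signed certificate
# that carries the signer's public key. Added example; toy RSA, constructed keys.
import hashlib
import json


def rsa_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA: returns (PU, PR) = ((e, n), (d, n)). Toy only, no padding."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))     # e must be coprime to phi(n); Python >= 3.8
    return (e, n), (d, n)


def _digest_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(pr, data: bytes) -> int:
    """E(PR, H(M)): hash the message, then apply the private exponent."""
    d, n = pr
    return pow(_digest_int(data, n), d, n)


def verify(pu, data: bytes, sig: int) -> bool:
    """D(PU, sig) must equal H(M) recomputed by the verifier."""
    e, n = pu
    return pow(sig, e, n) == _digest_int(data, n)


def _encode(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()   # canonical bytes for T||IDA||PUa


def issue_certificate(pr_auth, id_a: str, pu_a, t: int) -> dict:
    """CA = E(PRauth, [T || IDA || PUa]); body travels in clear beside the signature."""
    body = {"T": t, "IDA": id_a, "PUa": list(pu_a)}
    return {"body": body, "sig": sign(pr_auth, _encode(body))}


def verify_certificate(pu_auth, cert: dict) -> bool:
    return verify(pu_auth, _encode(cert["body"]), cert["sig"])


def send_signed(pr_a, cert: dict, msg: bytes) -> dict:
    """A -> B: M || E(PRa, H(M)) || certificate. Sign first; any encryption goes on top."""
    return {"M": msg, "sig": sign(pr_a, msg), "cert": cert}


def receive_signed(pu_auth, pkt: dict) -> bool:
    """B trusts only PUauth: check the certificate, then use the PUa it carries."""
    if not verify_certificate(pu_auth, pkt["cert"]):
        return False
    pu_a = tuple(pkt["cert"]["body"]["PUa"])
    return verify(pu_a, pkt["M"], pkt["sig"])


# Constructed keys: Mersenne primes so the toy moduli are cheap to build.
PU_AUTH, PR_AUTH = rsa_keypair(2 ** 61 - 1, 2 ** 89 - 1)     # certificate authority
PU_A, PR_A = rsa_keypair(2 ** 31 - 1, 2 ** 127 - 1)          # alice
PU_M, PR_M = rsa_keypair(2 ** 107 - 1, 2 ** 521 - 1)         # mallory, no CA certificate

if __name__ == "__main__":
    cert = issue_certificate(PR_AUTH, "alice", PU_A, 1700000000)
    pkt = send_signed(PR_A, cert, b"transfer 100 to bob")
    print("genuine:", receive_signed(PU_AUTH, pkt))
    print("tampered:", receive_signed(PU_AUTH, dict(pkt, M=b"transfer 900 to bob")))
    rogue = issue_certificate(PR_M, "alice", PU_M, 1700000000)   # self-issued, not by the CA
    print("rogue cert:", receive_signed(PU_AUTH, send_signed(PR_M, rogue, b"transfer 100 to bob")))
```

The receiver's only long-term trust anchor is PUauth; everything else (A's public key, A's identity, the timestamp) is taken from data whose integrity that one signature guarantees. A self-issued certificate with the right IDA fails exactly because PUauth does not verify it.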

Arbitrated Digital Signatures

involves use of arbiter A

validates any signed message

then dated and sent to recipient

requires suitable level of trust in arbiter

can be implemented with either private or public-key algorithms

arbiter may or may not see message

Digital Signature Standard (DSS)

DSS is the NIST standard (FIPS 186); it uses the SHA hash algorithm, and its DSA signature algorithm cannot be used for encryption or key

exchange

includes alternative RSA & elliptic curve signature variants

Two Approaches to Digital Signatures

I. RSA approach

II. DSS approach


Fig 3.22 digital signature approaches

Digital Signature Algorithm (DSA)

creates a 320-bit signature (two 160-bit components, r and s, for a 160-bit q)


Fig 3.23 digital signature algorithm

DSS Overview

Fig 3.24 DSS overview

3.8.2 Authentication Protocols

used to convince parties of each other’s identity and to exchange session keys

may be one-way or mutual

key issues are

confidentiality – to protect session keys

timeliness – to prevent replay attacks

Mutual authentication


Enable communicating parties to satisfy themselves mutually about each other's identity and to

exchange session keys.

Replay Attacks

where a valid signed message is copied and later resent

countermeasures include

use of sequence numbers

timestamps

challenge/response

Using Symmetric Encryption

use a two-level hierarchy of keys

usually with a trusted Key Distribution Center (KDC)

each party shares own master key with KDC

KDC generates session keys used for connections between parties

master keys used to distribute these to them

Needham-Schroeder Protocol

used to securely distribute a new session key for communications between A & B

key distribution protocol for session between A and B mediated by KDC

protocol overview is:

1. A->KDC: IDA || IDB || N1

2. KDC -> A: EKa[Ks || IDB || N1 || EKb[Ks||IDA] ]

3. A -> B: EKb[Ks||IDA]

4. B -> A: EKs[N2]

5. A -> B: EKs[f(N2)]

Ka and Kb: master keys that A and B respectively share with the KDC

Ks: session key

weakness: message 3 carries no timeliness check, so an attacker who has recovered an old session key Ks can replay it and then answer B's challenge in step 4, impersonating A

Using Public-Key Encryption

have a range of approaches based on the use of public-key encryption

need to ensure have correct public keys for other parties

using a central Authentication Server (AS)

various protocols exist using timestamps or nonces

Denning AS Protocol

1. A -> AS: IDA || IDB

2. AS -> A: EPRas[IDA||PUa||T] || EPRas[IDB||PUb||T]

3. A -> B: EPRas[IDA||PUa||T] || EPRas[IDB||PUb||T] || EPUb[EPRas[Ks||T]]


timestamps prevent replay but require synchronized clocks

One-Way Authentication

required when sender & receiver are not in communications at same time (eg. email)

have header in clear so can be delivered by email system

may want contents of body protected & sender authenticated

Using Symmetric Encryption

This scheme requires the sender to issue a request to the intended recipient, await a response that

includes a session key, and only then send the message.

1. A->KDC: IDA || IDB || N1

2. KDC -> A: EKa[Ks || IDB || N1 || EKb[Ks||IDA] ]

3. A -> B: EKb[Ks||IDA] || EKs[M]

Public-Key Approaches

have seen some public-key approaches

if confidentiality is major concern, can use:

A->B: EPUb[Ks] || EKs[M]

has encrypted session key, encrypted message

if authentication needed use a digital signature with a digital certificate:

A->B: M || EPRa[H(M)] || EPRas[T||IDA||PUa]

with message, signature, certificate