10.Public-Key Cryptography and Message Authentication RSA

Uploaded by

samraaleem4

Computer Security (CP24158)

Public-Key Cryptography and Message Authentication (RSA)

Pusan National University, College of Engineering
School of Computer Science and Engineering

Learning Objectives
• Discuss Technical Detail Concerning:
  • Secure Hash Functions and HMAC
  • RSA & Diffie-Hellman Public-Key Algorithms

Simple Hash Functions
• Purpose is to produce a “fingerprint” of a file, message, or other block of data
• A one-way or secure hash function is used in message authentication and digital signatures
• Accepts a variable-size message M as input and produces a fixed-size message digest H(M) as output in an iterative fashion
• One of the simplest hash functions is the bit-by-bit exclusive-OR (XOR) of each block:
  $C_i = b_{i1} \oplus b_{i2} \oplus \cdots \oplus b_{im}$
  • Effective data integrity check on random data
  • Less effective on more predictable data

Cryptographic Hash Function
• A cryptographic hash function takes a message of arbitrary length and creates a message digest of fixed length.
• The two most promising cryptographic hash algorithms are SHA-512 and Whirlpool.
• Iterated Cryptographic Hash Function
  • The best way to create such a function is to use iteration, applying a compression function as many times as necessary.
  • A compression function transforms one large fixed-length input into a shorter, fixed-length output.
    • Compresses an n-bit string to create an m-bit string, where n > m.
  • The design of a compression function must be collision resistant.

Cryptographic Hash Function
• Properties of Secure Hash Functions
• To be useful for message authentication, a hash function H must have the following properties:
  1. H can be applied to a block of data of any size.
  2. H produces a fixed-length output.
  3. H(x) is relatively easy to compute for any given x, making both hardware and software implementations practical.
  4. For any given code h, it is computationally infeasible to find x such that H(x) = h. A hash function with this property is referred to as one-way or preimage resistant.
  5. For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x). A hash function with this property is referred to as weak collision resistant.
  6. It is computationally infeasible to find any pair (x, y) such that H(x) = H(y). A hash function with this property is referred to as collision resistant or strong collision resistant.

Cryptographic Hash Function
• Two Groups of Compression Functions
  • The compression function is made from scratch.
  • A symmetric-key block cipher serves as a compression function.

Groups of Compression Functions
• Hash Functions Made from Scratch
  • Message Digest (MD)
  • Secure Hash Algorithms (SHA)
• Hash Functions Based on Block Ciphers
  • Rabin Scheme
  • Matyas-Meyer-Oseas Scheme
  • Miyaguchi-Preneel Scheme

• MD5: Divides message into blocks of 512 bits, and creates a 128-bit digest.
  – The digest size of 128 bits is too small to resist collision attacks.

Iterated Cryptographic Hash Function
• Merkle-Damgård Scheme
• Rabin Scheme

Iterated Cryptographic Hash Function
• Matyas-Meyer-Oseas Scheme
• Miyaguchi-Preneel Scheme

SHA
• Secure Hash Algorithms (SHAs)
  • Originally developed by NIST/NSA in 1993
  • Was revised in 1995 as SHA-1
    • US standard for use with the DSA (digital signature algorithm) signature scheme
    • standard is FIPS 180-1 1995, also Internet RFC 3174
    • produces 160-bit hash values
  • NIST issued revised FIPS 180-2 in 2002
    • adds 3 additional versions of SHA
    • SHA-256, SHA-384, SHA-512
    • with 256/384/512-bit hash values
    • same basic structure as SHA-1 but greater security
  • NIST phased out SHA-1 use
• Characteristics of SHAs

SHA-512 Structure
• SHA-512 creates a 512-bit message digest out of a message of less than $2^{128}$ bits.
• SHA-512 is based on the Merkle-Damgård scheme.
• Compression function in SHA-512
• Values of constants in message digest initialization of SHA-512

SHA-512 Structure
• Padding and Length Field in SHA-512
  • What is the number of padding bits if the length of the original message is 2590 bits?
    • The padding consists of one 1 followed by 353 0’s.
• A message block and the digest as words
• Word expansion in SHA-512

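The padding question above, worked in code. This is an added example, not part of the original slides; it assumes the standard SHA-512 layout (a single 1 bit, then 0 bits, then a 128-bit big-endian length field, filling 1024-bit blocks), and the function names are chosen here for illustration.

```python
BLOCK_BITS = 1024    # SHA-512 processes the message in 1024-bit blocks
LENGTH_BITS = 128    # length field appended after the padding


def padding_bits(msg_bits: int) -> int:
    """Total padding bits (the leading 1 plus the 0s) for a message of msg_bits bits."""
    pad = -(msg_bits + LENGTH_BITS) % BLOCK_BITS
    # Padding is never empty: if the message already fits exactly,
    # a full extra block of padding is added.
    return pad if pad else BLOCK_BITS


def sha512_pad(msg: bytes) -> bytes:
    """Return msg || padding || length for a byte-aligned message."""
    msg_bits = 8 * len(msg)
    pad_bytes = padding_bits(msg_bits) // 8
    padding = b"\x80" + b"\x00" * (pad_bytes - 1)   # 0x80 = a 1 bit followed by seven 0 bits
    return msg + padding + msg_bits.to_bytes(LENGTH_BITS // 8, "big")


def block_count(msg: bytes) -> int:
    """Number of 1024-bit blocks the compression function will process."""
    return len(sha512_pad(msg)) * 8 // BLOCK_BITS


if __name__ == "__main__":
    total = padding_bits(2590)
    print(f"2590-bit message: one 1 followed by {total - 1} 0's")
    # Edge case: a 112-byte message leaves no room for the length field,
    # so padding spills into a second block.
    for size in (3, 111, 112):
        print(f"{size:3d} bytes -> {block_count(b'a' * size)} block(s)")
```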
SHA-512 Structure
• Word Expansion in SHA-512
  • How $W_{60}$ is made
    • Each word in the range $W_{16}$ to $W_{79}$ is made from four previously-made words.
    • $W_{60}$ is made as

SHA-512 Structure
• Structure of Each Round in SHA-512
• Eighty constants, $K_0$ to $K_{79}$, used for eighty rounds in SHA-512

Other Secure Hash Functions
• Most based on iterated hash function design
  • If compression function is collision resistant, so is resultant iterated hash function
• MD5 (RFC 1321)
  • was a widely used hash developed by Ron Rivest
  • produces 128-bit hash, now too small
  • also has cryptanalytic concerns
• Whirlpool (NESSIE endorsed hash)
  • developed by Vincent Rijmen & Paulo Barreto
  • an iterated cryptographic hash function, based on the Miyaguchi-Preneel scheme, that uses the AES-derived W block cipher in place of the compression function
  • produces 512-bit hash

Whirlpool
• Whirlpool hash function
• General idea of the Whirlpool cipher

Whirlpool

HMAC
• Interest in a MAC using a cryptographic hash
  • Due to speed and code availability
• Must incorporate key into use of hash algorithm
• HMAC (RFC 2104) widely supported
  • used in IPsec, TLS & SET
• HMAC treats hash as “black box”
• HMAC proven secure if embedded hash function has reasonable cryptographic strength

Nested Message Authentication Code (MAC)
• Message Authentication Code
  • The security of a MAC depends on the security of the underlying hash algorithm
• Nested MAC

HMAC Structure
• Details of HMAC
• Details of CMAC

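The nested, hash-as-black-box construction described on the HMAC slides, written out as an added example (not part of the original slides). The ipad/opad constants and key handling follow RFC 2104; the key and message are constructed sample values, and the result is checked against Python's own hmac module.

```python
import hashlib
import hmac


def hmac_rfc2104(key: bytes, msg: bytes, hash_name: str = "sha512") -> bytes:
    """HMAC built only from calls to the hash, which is treated as a black box."""
    def h(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    block_size = hashlib.new(hash_name).block_size   # 128 bytes for SHA-512

    # Keys longer than one block are hashed first; shorter keys are zero-padded.
    if len(key) > block_size:
        key = h(key)
    key = key.ljust(block_size, b"\x00")

    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)

    inner = h(ipad + msg)       # inner hash: H((K xor ipad) || M)
    return h(opad + inner)      # outer hash: H((K xor opad) || inner)


def verify(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha512") -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_rfc2104(key, msg, hash_name), tag)


# Constructed sample values.
KEY = b"constructed demo key"
MSG = b"transfer 100 to account 42"

if __name__ == "__main__":
    tag = hmac_rfc2104(KEY, MSG)
    print("matches library HMAC:", tag == hmac.new(KEY, MSG, hashlib.sha512).digest())
    print("original message verifies:", verify(KEY, MSG, tag))
    print("altered message verifies: ", verify(KEY, MSG + b"0", tag))
```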
Security of HMAC
• Security based on underlying hash strength
• Either attacker computes output even with random secret IV
  • Brute force key $O(2^n)$, or use birthday attack
• Or attacker finds collisions in hash function even when IV is random and secret
  • i.e. find M and M′ such that H(M) = H(M′)
  • birthday attack $O(2^{n/2})$
    • A birthday attack is a type of cryptographic attack that exploits the mathematics behind the birthday problem in probability theory. (from Wikipedia)
      – The attack depends on the higher likelihood of collisions found between random attack attempts and a fixed degree of permutation.
      – With a birthday attack, it is possible to find a collision of a hash function in $\sqrt{2^n} = 2^{n/2}$, with $2^n$ being the classical preimage resistance security.

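Why digest length matters: the $O(2^{n/2})$ birthday bound above, measured on a deliberately shortened hash. This is an added example, not part of the original slides; the n-bit hash is SHA-256 truncated to its top n bits, and the input messages are constructed.

```python
import hashlib


def truncated_hash(msg: bytes, n_bits: int) -> int:
    """Top n_bits of SHA-256(msg), standing in for an n-bit hash function."""
    full = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return full >> (256 - n_bits)


def find_collision(n_bits: int):
    """Hash distinct constructed messages until two of them share a digest.

    Returns (first_message, second_message, number_of_hashes_computed).
    """
    seen = {}
    tries = 0
    while True:
        msg = b"constructed-message-%d" % tries
        tries += 1
        digest = truncated_hash(msg, n_bits)
        if digest in seen:
            return seen[digest], msg, tries
        seen[digest] = msg


def work_factor(n_bits: int) -> dict:
    """Approximate cost of a collision search versus a brute-force search."""
    return {"collision": 2 ** (n_bits // 2), "brute_force": 2 ** n_bits}


if __name__ == "__main__":
    for n in (16, 24, 32):
        m1, m2, tries = find_collision(n)
        bound = work_factor(n)
        print(f"n={n:2d}: collision after {tries} hashes "
              f"(2^(n/2) = {bound['collision']}, 2^n = {bound['brute_force']})")
    # For a 128-bit digest such as MD5 the same search costs about 2^64 hashes;
    # for SHA-512 it costs about 2^256.
```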
Key Management: Diffie-Hellman Key Exchange
• First published public-key algorithm
• A number of commercial products employ this key exchange technique
• Purpose of the algorithm is to enable two users to exchange a secret key securely that then can be used for subsequent encryption of messages
• The algorithm itself is limited to the exchange of the keys
• Depends for its effectiveness on the difficulty of computing discrete logarithms

Key Management: Diffie-Hellman Key Exchange
• A Key Exchange Protocol
  • provides a secure way for two communicating parties to share a symmetric key (a so-called session key)
  • This session key is then used to provide privacy and authentication for subsequent message flow.
  • History: problem first posed by Merkle at UC Berkeley; Diffie and Hellman came up with the protocol:

    Alice: a < p                Bob: b < p
    Alice → Bob: $g^a \bmod p$
    Bob → Alice: $g^b \bmod p$
    Shared Session Key = $g^{ab} \bmod p$

• W. Diffie, M. E. Hellman, “New directions in Cryptography”, IEEE Trans. Information Theory, IT-22, pp. 64-654, Nov 1976.

Key Management: Diffie-Hellman Key Exchange
• Example
  • Let us give a trivial example to make the procedure clear. Our example uses small numbers, but note that in a real situation, the numbers are very large. Assume that g = 7 and p = 23. The steps are as follows:
    1. Alice chooses x = 3 and calculates R1 = 7^3 mod 23 = 21.
    2. Bob chooses y = 6 and calculates R2 = 7^6 mod 23 = 4.
    3. Alice sends the number 21 to Bob.
    4. Bob sends the number 4 to Alice.
    5. Alice calculates the symmetric key K = 4^3 mod 23 = 18.
    6. Bob calculates the symmetric key K = 21^6 mod 23 = 18.
    7. The value of K is the same for both Alice and Bob: g^(xy) mod p = 7^(18) mod 23 = 18.

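The seven steps above in code, as an added example that is not part of the original slides. It goes beyond the slide in two ways, both assumptions of this example: each side range-checks the value it receives (2 ≤ R ≤ p − 2), and a second run uses random private values with the demo parameters p = 2^127 − 1 and g = 3, which are still far smaller than real parameters.

```python
import secrets


def dh_public(g: int, p: int, private: int) -> int:
    """Value sent to the peer: g^private mod p."""
    return pow(g, private, p)


def dh_shared(peer_public: int, p: int, private: int) -> int:
    """Session key from the peer's value; degenerate values are rejected."""
    # 0, 1 and p-1 would force the key into a tiny, predictable set.
    if not 2 <= peer_public <= p - 2:
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, p)


def slide_example():
    """The numbers from the slide: g = 7, p = 23, x = 3, y = 6."""
    g, p, x, y = 7, 23, 3, 6
    r1 = dh_public(g, p, x)            # Alice -> Bob
    r2 = dh_public(g, p, y)            # Bob -> Alice
    k_alice = dh_shared(r2, p, x)
    k_bob = dh_shared(r1, p, y)
    return r1, r2, k_alice, k_bob, pow(g, x * y, p)


# Demo parameters (assumption of this example, not from the slides).
P_DEMO = 2 ** 127 - 1
G_DEMO = 3


def random_exchange(g: int = G_DEMO, p: int = P_DEMO) -> bool:
    """Run one exchange with fresh random private values; True if keys agree."""
    a = secrets.randbelow(p - 3) + 2   # private values in [2, p-2]
    b = secrets.randbelow(p - 3) + 2
    k_alice = dh_shared(dh_public(g, p, b), p, a)
    k_bob = dh_shared(dh_public(g, p, a), p, b)
    return k_alice == k_bob


if __name__ == "__main__":
    print("R1, R2, K_alice, K_bob, g^(xy) mod p =", slide_example())
    print("random exchange agrees:", random_exchange())
```

The range check does not authenticate the peer, so it does not address the man-in-the-middle problem named on the next slide.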
Security of Diffie-Hellman
• Man-in-the-middle (MITM) attack

RSA Public-Key Encryption
• By Rivest, Shamir & Adleman of MIT in 1977
• Best known & widely used public-key algorithm
• Uses exponentiation of integers modulo a prime
• It works in group $Z_n^*$
• Based on the assumed one-way property of modular powering
• Public-key encryption algorithm with
  • Public key PU = {e, n} & private key PR = {d, n}.
  • Encrypt: $C = M^e \bmod n$ → easy
  • Decrypt: $M = C^d \bmod n = (M^e)^d \bmod n = M$ → hard
  • Both sender and receiver know values of n and e
  • Only receiver knows value of d

RSA Public-Key Encryption
• Complexity of operations in RSA
• Encryption, decryption, and key generation in RSA

RSA Public-Key Encryption
• Two Algebraic Structures
  • Encryption/Decryption Ring: $R = \langle Z_n, +, \times \rangle$
  • Key-Generation Group: $G = \langle Z_{\phi(n)}^*, \times \rangle$
• Proof of RSA
  • Looking for a trapdoor: $(x^e)^d \bmod n = x$
    • If d is a number such that $ed = 1 \bmod \phi(n)$, then $ed = k\phi(n) + 1$ for some k, and
  • Because of Euler's Theorem:
    • $a^{\phi(N)} \bmod N = 1$
      – where gcd(a, N) = 1
    • In RSA have:
      – $N = p \cdot q$, $\phi(N) = (p-1)(q-1)$
      – carefully chosen e & d to be inverses mod $\phi(N)$
      – Hence, $e \cdot d = 1 + k \cdot \phi(N)$ for some k
    • Hence:
      $C^d = (M^e)^d = M^{1 + k \cdot \phi(N)} = M^1 \cdot (M^{\phi(N)})^k = M^1 \cdot (1)^k = M^1 = M \bmod N$

RSA Public-Key Encryption
• RSA Key Setup
  • Each user generates a public/private key pair by:
    • selecting two large primes at random: p, q
    • computing their system modulus $N = p \cdot q$
      – note $\phi(N) = (p-1)(q-1)$
    • selecting at random the encryption key e
      – where $1 < e < \phi(N)$, $\gcd(e, \phi(N)) = 1$
    • solving the following equation to find decryption key d
      – $e \cdot d = 1 \bmod \phi(N)$ and $0 \le d \le N$
  • Publish their public encryption key: KU = {e, N}
  • Keep secret private decryption key: KR = {d, p, q}

RSA Public-Key Encryption
• Pseudo Code of Encryption
• Pseudo Code of Decryption
• Pseudo Code of RSA Key Generation

RSA Example
• Jennifer creates a pair of keys for herself. She chooses p = 397 and q = 401. She calculates n = 159197. She then calculates $\phi(n)$ = 158400. She then chooses e = 343 and d = 12007. Show how Ted can send a message to Jennifer if he knows e and n.
  • Suppose Ted wants to send the message “NO” to Jennifer. He changes each character to a number (from 00 to 25), with each character coded as two digits. He then concatenates the two coded characters and gets a four-digit number. The plaintext is 1314.

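The key setup steps and Jennifer's example carried through in code, as an added example that is not part of the original slides. Function names are chosen here for illustration; this is textbook RSA with no padding scheme, so the same plaintext always yields the same ciphertext.

```python
from math import gcd


def make_keypair(p: int, q: int, e: int):
    """Key setup from the slides: n = p*q, phi = (p-1)(q-1), e*d = 1 mod phi."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not (1 < e < phi and gcd(e, phi) == 1):
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)                # modular inverse (Python 3.8+)
    return (e, n), (d, n), phi


def encode(text: str) -> int:
    """'A'..'Z' -> 00..25, two digits per character, concatenated."""
    return int("".join(f"{ord(c) - ord('A'):02d}" for c in text))


def decode(m: int, nchars: int) -> str:
    """Inverse of encode; nchars restores any leading zeros."""
    digits = str(m).zfill(2 * nchars)
    return "".join(chr(int(digits[i:i + 2]) + ord("A"))
                   for i in range(0, len(digits), 2))


def encrypt(m: int, public_key) -> int:
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("plaintext must be smaller than the modulus")
    return pow(m, e, n)                # C = M^e mod n


def decrypt(c: int, private_key) -> int:
    d, n = private_key
    return pow(c, d, n)                # M = C^d mod n


# Jennifer's parameters from the slide.
PUB, PRIV, PHI = make_keypair(397, 401, 343)

if __name__ == "__main__":
    print("n =", PUB[1], " phi(n) =", PHI, " d =", PRIV[0])
    plaintext = encode("NO")                   # Ted's message
    ciphertext = encrypt(plaintext, PUB)       # uses only e and n
    recovered = decrypt(ciphertext, PRIV)      # Jennifer uses d
    print("plaintext:", plaintext, " ciphertext:", ciphertext)
    print("recovered:", recovered, "->", decode(recovered, 2))
```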
Attacks on RSA

Other Public-Key Algorithms
• Digital Signature Standard (DSS)
  • FIPS PUB 186 from 1991, revised 1993 & 96
  • uses SHA-1 in a new digital signature algorithm
  • cannot be used for encryption
• Elliptic Curve Cryptography (ECC)
  • equal security for smaller bit size than RSA
  • seen in standards such as IEEE P1363
  • still very new, but promising
  • based on a mathematical construct known as the elliptic curve