
Comp_Sec Chapter (3)

Chapter 3 discusses public-key cryptography and message authentication, emphasizing the importance of message integrity, origin validation, and non-repudiation. It covers various methods of message authentication, including hash functions, message authentication codes (MAC), and public-key algorithms, along with their security requirements. The chapter also highlights the role of digital signatures in ensuring authenticity and integrity in communications.

Uploaded by

Ermias
Copyright
© All Rights Reserved

Computer system security

Chapter 3
Public-Key Cryptography and
Message Authentication

Overview
• Message Authentication
• Secure Hash Functions and HMAC
• Public-Key Cryptography Principles
• Public-Key Cryptography Algorithms
• Digital Signatures
• Key Management
Authentication
• In addition to confidentiality, message
authentication is an important security function
• “A message, file, document or data is said to be
authentic when it is genuine and came from its
alleged source.”
• Encryption protects against passive attacks
(eavesdropping)
• Message authentication protects against active
attacks or falsification.
Message Authentication
• Message authentication is concerned with:
– protecting the integrity of a message
– validating identity of originator
– non-repudiation of origin (dispute resolution)
• The three alternative functions used:
– hash function
– message encryption
– message authentication code (MAC)
Message Authentication
• Requirements - must be able to verify that:
1. Message came from apparent source or
author
2. Contents have not been altered
3. Timeliness – that it was sent at a certain
time or sequence.

• Protection against active attack (falsification of
data and transactions)
Approaches to Message
Authentication
• Authentication Using Conventional Encryption
– Only the sender and receiver should share a key
• Message Authentication without Message
Encryption
– An authentication tag is generated and appended to
each message
• Message Authentication Code
– Calculate the MAC as a function of the message and
the key.
MAC = F(K, M)
Message Authentication
• Using Encryption
– Assume only sender and receiver share a key
– Then a correctly encrypted message should be from
the sender
• Usually also contains error-detection code,
sequence number and time stamp
• Encryption alone is not suitable for
authentication. Blocks could have been
reordered, changing meaning
Message Authentication
• Without Encryption
No confidentiality is preferred when:
1. Same message is broadcast to many
destinations
2. Heavy load and cannot decrypt all messages
– some chosen at random
3. No danger in sending plaintext
Append authentication tag to each message
Message Authentication
• Message Authentication Code (MAC)
– Small block of data that is appended to
the message
– MAC is generated by using a secret key
– Assumes both parties A, B share common
secret key $K_{AB}$
– Code is function of message and key
$MAC_M = F(K_{AB}, M)$
– Message plus code are transmitted
Message Authentication
Code
• Recipient uses key to compute new code
• If received code matches calculated
code then
– Receiver is sure message has not been
altered
– Message is from sender, since only sender
shares the key
– If the message includes correct sequence
number, that number could not have been
altered by hacker
Message Authentication
Code
• Different from encryption
– MAC does not have to be reversible as the
cipher text does in encryption
– Because of mathematical properties, it is
less vulnerable to being broken than
encryption
• 16 to 32 bit code is typical
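An added example, not part of the original slides: the MAC exchange described above, assuming HMAC-SHA256 as the function F and an 8-byte sequence number prepended to each message. The names `make_packet`, `Receiver` and `flip_bit` and the sample key are constructed for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes

def make_packet(key: bytes, seq: int, message: bytes) -> bytes:
    """Return seq || message || MAC, where MAC = F(K_AB, seq || message)."""
    body = struct.pack(">Q", seq) + message
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag

class Receiver:
    """Recomputes the code with the shared key and tracks the last sequence number."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, packet: bytes):
        """Return the message if the packet is authentic and fresh, else None."""
        if len(packet) < 8 + TAG_LEN:
            return None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(tag, expected):
            return None
        (seq,) = struct.unpack(">Q", body[:8])
        if seq <= self.last_seq:  # replayed or reordered packet
            return None
        self.last_seq = seq
        return body[8:]

def flip_bit(packet: bytes, index: int) -> bytes:
    """Simulate alteration in transit by flipping one bit of the packet."""
    altered = bytearray(packet)
    altered[index] ^= 0x01
    return bytes(altered)

if __name__ == "__main__":
    k_ab = b"constructed-demo-key-not-for-use"  # constructed sample key
    rx = Receiver(k_ab)
    pkt = make_packet(k_ab, 1, b"transfer 100 to account 42")
    print("first delivery:", rx.accept(pkt))
    print("replayed copy :", rx.accept(pkt))
    print("altered packet:", rx.accept(flip_bit(make_packet(k_ab, 2, b"hello"), 9)))
```

Because the sequence number is covered by the MAC, changing it in transit fails the tag check, and resending an old packet fails the freshness check.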
Hash Function
• Condenses arbitrary message to fixed size
h = H(M)
• Usually assume hash function is public
• Hash used to detect changes to message
• Want a cryptographic hash function
• computationally infeasible to find data
mapping to specific hash (one-way property)
• computationally infeasible to find two data to
same hash (collision-free property)
Secure HASH Functions
• Purpose of the HASH function is to produce a “fingerprint”
• Properties of a HASH function H :
1. H can be applied to a block of data at any size
2. H produces a fixed length output
3. H(x) is easy to compute for any given x.
4. For any given code h, it is computationally infeasible to find x
such that H(x) = h (one-way property)
5. For any given block x, it is computationally infeasible to find
y ≠ x with H(y) = H(x) (weak collision resistance)
6. It is computationally infeasible to find any pair (x, y) such
that H(x) = H(y) (strong collision resistance)
Simple Hash Function
• A weak hash function satisfies the first 5
properties.
• A strong hash function also satisfies the
6th property (strong collision resistance)
– Effective against the birthday attack
• Message Digest provides both
authentication and integrity
Hash Function Requirements
Security of Hash Functions
• Attacking a secure hash function can be done by
using cryptanalysis or brute force.
• Strength of function depends on the length of
the hash code produced by the algorithm.
• For example:
– A search machine can find a collision for 128 bit code
length in 24 days – considered inadequate
– With 160 bits, finding a collision might take 4000
years ( or less with today’s speeds)
Simple Hash Function
• General principle
– Input is a sequence of n-bit blocks
– Input is processed one block at a time to
produce an n-bit hash function
– A simple example is the XOR of each block
$C_i = b_{i1} \oplus b_{i2} \oplus \cdots \oplus b_{im}$
$C_i$ is the ith bit of the hash code, 1 <= i <= n
m is the number of n-bit blocks in the input
$b_{ij}$ is the ith bit in the jth block
$\oplus$ is the XOR operation
Simple Hash Function
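An added example, not part of the original slides: the block-wise XOR hash defined above with n = 32 bits, checked against the weak collision resistance property from the list of hash function properties. The function names and the sample messages are constructed; zero padding of the last block is an assumption.

```python
import hashlib

BLOCK_BYTES = 4  # n = 32-bit blocks (assumed block size for the demo)

def xor_hash(message: bytes) -> bytes:
    """C_i = b_i1 XOR b_i2 XOR ... XOR b_im, computed over n-bit blocks."""
    padded = message + b"\x00" * (-len(message) % BLOCK_BYTES)
    code = bytearray(BLOCK_BYTES)
    for start in range(0, len(padded), BLOCK_BYTES):
        for i in range(BLOCK_BYTES):
            code[i] ^= padded[start + i]
    return bytes(code)

def reorder_blocks(message: bytes) -> bytes:
    """Swap the first two blocks; XOR is commutative, so the code is unchanged."""
    b = BLOCK_BYTES
    return message[b:2 * b] + message[:b] + message[2 * b:]

def force_code(message: bytes, target: bytes) -> bytes:
    """Append one block so the result hashes to `target` (a second preimage)."""
    padded = message + b"\x00" * (-len(message) % BLOCK_BYTES)
    fix = bytes(x ^ y for x, y in zip(xor_hash(padded), target))
    return padded + fix

def same_sha256(a: bytes, b: bytes) -> bool:
    """Reference check with a cryptographic hash."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()

if __name__ == "__main__":
    original = b"PAY BOB 0100 USD"  # constructed sample message, four blocks
    swapped = reorder_blocks(original)
    other = force_code(b"PAY EVE 9900 USD", xor_hash(original))
    for label, msg in (("original", original), ("swapped", swapped), ("other", other)):
        print(label, xor_hash(msg).hex(), same_sha256(msg, original))
```

All three messages share one XOR code while SHA-256 separates them, which is why the XOR construction cannot serve as an authentication hash.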
Public-Key Cryptography
Features
• Knowing the public key, anyone can encrypt
messages or verify signatures, but cannot
decrypt messages or create signatures
• Use of two keys has consequences in the
areas of confidentiality, key distribution,
and authentication.
• Based on mathematical functions rather
than on operations on bit patterns.
Misconceptions
• Public–key encryption is more secure
– Security of any scheme depends on:
• Length of the key
• Computational work involved in breaking the cipher
• Public-key makes conventional encryption
obsolete:
– Computational overhead of public-key
encryption is high
– Both require similar key distribution protocols
• Both encryption schemes can offer security
Why Public-Key
Cryptography?
• Developed by Whitfield Diffie & Martin
Hellman at Stanford University in 1976
– known earlier in classified community
• Developed to address two key issues:
– key distribution – how to have secure
communications in general without having to
trust a Key Distribution Center with your key
– digital signatures – how to verify a message
comes intact from the claimed sender
Public-Key Cryptography
Principles
• Public key is made public for others to use, to
encrypt messages and verify signatures
• Private key is known only to owner and is used to
decrypt messages and create signatures
• The scheme has six ingredients:
– Plaintext – readable message
– Encryption algorithm – transforms plaintext into ciphertext
– Public and private key
– Ciphertext - scrambled message - output
– Decryption algorithm – reverse of encryption
Encryption using Public-Key
system
Essential Steps in
Encryption
1. Each user generates a pair of keys to be used
for encryption/decryption
2. Each user places public key in a public register or
file
3. To send a private message to A, B encrypts the
message using A’s public key
4. When A receives the message, A uses her
private key to decrypt it. ( No one else can
decrypt it, without that private key.)
Encryption Using Public-Key
System
Features:
• All participants have access to public keys
• Private keys are generated locally and do
not need to be distributed
• As long as a user protects the private key,
incoming communication is secure
• A user can change keys at any time and re-
publish the public key.
Encryption Using Public-Key
System
Symmetric vs Public-Key
Applications for Public-Key
Cryptosystems
• Three categories:
– Encryption/decryption: The sender
encrypts a message with the recipient’s
public key.
– Digital signature: The sender ”signs” a
message with its private key.
– Key exchange: Two sides cooperate to
exchange a session key.
Requirements for Public Key
Cryptography
1. Computationally easy for a party B to
generate a pair (public key $PU_b$, private
key $PR_b$)
2. Easy for sender to generate ciphertext
$C = E(PU_b, M)$
3. Easy for the receiver to decrypt
ciphertext using private key:
$M = D(PR_b, C) = D[PR_b, E(PU_b, M)]$
Requirements for Public Key
Cryptography
4. Computationally infeasible to determine
private key ($PR_b$) knowing public key ($PU_b$)
5. Computationally infeasible to recover message
M, knowing $PU_b$ and ciphertext C
6. *Either of the two keys can be used for
encryption, with the other used for
decryption:
$M = D[PU_b, E(PR_b, M)] = D[PR_b, E(PU_b, M)]$
* 6th requirement is useful but not necessary
Public Key Algorithms- RSA
• Both sender and receiver know n and e
• Only receiver knows d
• Public key = {e,n}
• Private key = {d,n}
• Requirements
– Should be possible to find e, d, n such that
$M^{ed} = M \bmod n$ for all M < n
– Relatively easy to calculate $M^e$, $C^d$ for all M < n
– Should be infeasible to determine d, given e
and n
Requirements continued…
• Easy to calculate $M^e$ and $C^d$ for all M < n
• Infeasible to determine d, given e and n
• First two requirements are easy.
• Third one is also possible if e, n are large
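An added example, not part of the original slides: the three RSA requirements checked on a constructed toy key (p = 61, q = 53, e = 17). It also shows that the third requirement fails when n is small, because d follows directly from the factors of n. All function names are illustrative.

```python
from math import gcd

def make_keys(p: int, q: int, e: int):
    """Build Public key = {e, n} and Private key = {d, n} from primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse: e*d = 1 mod phi (Python 3.8+)
    return (e, n), (d, n)

def encrypt(public, m: int) -> int:
    e, n = public
    return pow(m, e, n)  # C = M^e mod n

def decrypt(private, c: int) -> int:
    d, n = private
    return pow(c, d, n)  # M = C^d mod n

def roundtrip_holds(public, private) -> bool:
    """Check M^(ed) mod n = M for every M < n (feasible only for a toy n)."""
    n = public[1]
    return all(decrypt(private, encrypt(public, m)) == m for m in range(n))

def recover_d_by_factoring(public) -> int:
    """Trial division finds a factor of n; this works only because n is tiny."""
    e, n = public
    p = next(f for f in range(2, n) if n % f == 0)
    return pow(e, -1, (p - 1) * (n // p - 1))

if __name__ == "__main__":
    public, private = make_keys(61, 53, 17)  # constructed toy primes
    c = encrypt(public, 65)
    print("public:", public, "private:", private)
    print("C =", c, " D(C) =", decrypt(private, c))
    print("M^(ed) = M for all M < n:", roundtrip_holds(public, private))
    print("d recovered from (e, n) alone:", recover_d_by_factoring(public))
```

With a modulus of 2048 bits or more the factoring step is computationally infeasible, which is what the third requirement relies on.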


Key Exchange Protocols
• Users could create random private/public
D-H keys each time they communicate
• Users could create a known private/public
D-H key and publish in a directory, then
consulted and used to securely
communicate with them
• Both of these are vulnerable to a Man-in-
the-Middle Attack
• Authentication of the keys is needed
Digital Signatures: The basic idea

[Figure: Alice and Bob exchange public keys, each holding a private key. Caption: vulnerable to man-in-the-middle attack.]


Digital Signatures
• Diffie-Hellman vulnerability can be
overcome with the use of digital signatures
and public-key certificates.
• Digital signatures provide the ability to:
– verify author, date & time of signature
– authenticate message contents
– be verified by third parties to resolve disputes
• Digital signatures include authentication
function with additional capabilities
Key Exchange Protocols
Consider a simple protocol that makes use of the
Diffie-Hellman calculation:
• Suppose that user A wishes to set up a
connection with user B and use a secret key to
encrypt messages on that connection.
• User A can generate a one-time private key $X_A$,
calculate $Y_A$, and send that to user B.
• User B responds by generating a private value
$X_B$, calculating $Y_B$, and sending $Y_B$ to user A. Both
users can now calculate the key.
Key Exchange Protocols
• These public values together with global
values for q and a are stored in a central
directory
• Both users can now calculate the key
• If the central directory is trusted, this
provides confidentiality and some
authentication
• It does not protect against replay attacks
Man-in-the-Middle Attack
1. Darth prepares by creating two private / public keys
2. Alice transmits her public key to Bob
3. Darth intercepts this and transmits his first public key
to Bob. Darth also calculates a shared key with Alice
4. Bob receives the public key and calculates the shared
key (with Darth instead of Alice)
5. Bob transmits his public key to Alice
6. Darth intercepts this and transmits his second public
key to Alice. Darth calculates a shared key with Bob
7. Alice receives the key and calculates the shared key
(with Darth instead of Bob)
• Darth can then intercept, decrypt, re-encrypt, forward
all messages between Alice & Bob
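An added example, not part of the original slides: a simulation of the exchange and of the substitution in steps 1 to 7, followed by the check that detects it when each side compares the received public value with a fingerprint from a trusted directory. The toy global values q = 353 and a = 3, the private values, and all function names are constructed.

```python
import hashlib

Q, A = 353, 3  # constructed toy global values q and a; real groups are far larger

def public_value(x: int) -> int:
    return pow(A, x, Q)  # Y = a^X mod q

def shared_key(x_own: int, y_peer: int) -> int:
    return pow(y_peer, x_own, Q)  # K = (Y_peer)^(X_own) mod q

def fingerprint(y: int) -> str:
    """Digest of a public value, as it would be published in a trusted directory."""
    return hashlib.sha256(str(y).encode()).hexdigest()

def exchange(x_a: int, x_b: int, darth=None) -> dict:
    """Run the exchange. `darth` is an optional pair of private values
    (X_D1, X_D2) whose public values replace Y_A and Y_B in transit."""
    y_a, y_b = public_value(x_a), public_value(x_b)
    seen_by_bob = public_value(darth[0]) if darth else y_a
    seen_by_alice = public_value(darth[1]) if darth else y_b
    return {
        "k_alice": shared_key(x_a, seen_by_alice),
        "k_bob": shared_key(x_b, seen_by_bob),
        "k_darth_alice": shared_key(darth[1], y_a) if darth else None,
        "k_darth_bob": shared_key(darth[0], y_b) if darth else None,
        "seen_by_alice": seen_by_alice,
        "seen_by_bob": seen_by_bob,
    }

def authenticated(result: dict, directory: dict) -> bool:
    """Each side accepts only a value whose fingerprint matches the directory."""
    return (fingerprint(result["seen_by_alice"]) == directory["bob"]
            and fingerprint(result["seen_by_bob"]) == directory["alice"])

if __name__ == "__main__":
    x_a, x_b = 97, 233  # constructed private values X_A and X_B
    directory = {"alice": fingerprint(public_value(x_a)),
                 "bob": fingerprint(public_value(x_b))}
    for label, darth in (("honest", None), ("intercepted", (11, 29))):
        r = exchange(x_a, x_b, darth)
        print(label, r["k_alice"], r["k_bob"], "authenticated:", authenticated(r, directory))
```

The arithmetic succeeds in both runs; only the comparison against an authenticated copy of the public values tells Alice and Bob that they are not sharing a key with each other.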
Other Public-Key
Cryptographic Algorithms
• Digital Signature Standard (DSS)
– Makes use of the SHA-1
– Not for encryption or key exchange
• Elliptic-Curve Cryptography (ECC)
– Good for smaller bit size
– Low confidence level, compared with RSA
– Very complex
Digital Signatures
• As E-commerce grows, so does the need
for a high degree of authentication
• “Digital signature is a construct that
authenticates both the origin and
contents of a message in a manner that is
provable to a disinterested third party.”
( Bishop)

Digital signatures
• A digital signature is an encryption of a
document with the creator’s private key
• It is attached to a document that
validates the creator of the document
• Anyone can validate it by decrypting the
signature with the claimed creator’s
public key
Digital Signatures:
The Basic Idea
• Bob can sign a message using a digital
signature generation algorithm.
• The inputs to the algorithm are the
message and Bob's private key.
• Any other user, say Alice, can verify the
signature using a verification algorithm,
whose inputs are the message, the
signature, and Bob's public key.
Components of
the Digital
Signature
Model
Digital Signature Model
Digital Signature
• Message Digest: The representation of
text in the form of a single string of
digits, created using a formula called a
one-way hash function.
• Encrypting a message digest with a
private key creates a digital signature,
which is an electronic means of
authentication.
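An added example, not part of the original slides: the digest-then-sign model described above, using SHA-256 as the one-way hash and textbook RSA on a constructed toy key built from two Mersenne primes. The names are illustrative, and reducing the digest modulo n stands in for the padding scheme a real signature standard would use.

```python
import hashlib

# Constructed toy key from two Mersenne primes. Real keys use a modulus of
# 2048 bits or more together with a padding scheme such as RSASSA-PSS.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

def digest_as_int(message: bytes) -> int:
    """Message digest from a one-way hash, reduced to fit below the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes, private=(D, N)) -> int:
    """Signature = message digest transformed with the signer's private key."""
    d, n = private
    return pow(digest_as_int(message), d, n)

def verify(message: bytes, signature: int, public=(E, N)) -> bool:
    """Recover the digest with the public key and compare it to a fresh digest."""
    e, n = public
    return pow(signature, e, n) == digest_as_int(message)

if __name__ == "__main__":
    document = b"Bob agrees to the terms dated 2024-01-01"  # constructed sample
    sig = sign(document)
    print("signature:", hex(sig))
    print("original verifies :", verify(document, sig))
    print("altered document  :", verify(document + b"!", sig))
    print("altered signature :", verify(document, (sig + 1) % N))
```

Verification needs only the message, the signature and the public key, so a third party can repeat the check without learning the private key.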