
Chapter 2 Advanced Cryptography (Part C): Message integrity, Cryptanalysis

Date post: 04-Jan-2016
Upload: avis-bates


Message integrity

Parity bits and hash functions have been used in protocols to detect modifications in streams of bits as they are passed from one computer to another, that is, to detect unintentional modifications.

• Parity bit: a binary digit that indicates whether the number of bits with a value of one in a given set of bits is even or odd. Parity bits are used as the simplest error-detecting code.

• Hash functions: used to produce a checksum (a small, fixed number of bits) that is computed against a block of data and appended before transmission or storage, and verified afterwards by the recipient to confirm that no changes occurred in transit.


One-way Hash (review)

A one-way hash is a function that takes a variable-length string and produces a fixed-length hash value. The function is run in only one direction. The hash value is also called a message digest or fingerprint.


How does one-way hash work?


Various Hashing Algorithms (1)

• MD2 is a one-way hash function designed by Ron Rivest that creates a 128-bit message digest value; it is very slow within the MD family.

• MD4 is used for high-speed computation.

• MD5 is the newer version of the MD4 algorithm; it is more complex and harder to break.


Various Hashing Algorithms (2)

Secure Hash Algorithm (SHA)

• Was designed by NIST and NSA.

• Is the successor to MD5.

• Produces a 160-bit hash value, which is then input into an asymmetric algorithm that computes the signature for a message.

Versions: SHA-0, SHA-1 and SHA-2

• SHA-1 is the most widely employed of the SHA family. It forms part of several widely used security applications and protocols, including TLS and SSL, PGP, SSH, S/MIME, and IPsec.

• In 2005, security flaws were identified in SHA-1. A possible mathematical weakness might exist.


Various Hashing Algorithms (3)

NIST published four additional hash functions in the SHA family, each with longer digests, collectively known as SHA-2.

| Algorithm and variant | Output size (bits) | Block size (bits) | Rounds | Collision |
|---|---|---|---|---|
| SHA-0 | 160 | 512 | 80 | Yes |
| SHA-1 | 160 | 512 | 80 | 2^63 attack |
| SHA-2: SHA-256/224 | 256/224 | 512 | 64 | None |
| SHA-2: SHA-512/384 | 512/384 | 1024 | 80 | None |


Characteristics of good hash functions

Four characteristics of good hash functions:

• Should be computed over the entire message.

• Should be a one-way function so that messages are not disclosed by their values.

• Given a message and its hash value, computing another message with the same hash value should be impossible.

• Should be resistant to birthday attacks (details next).


Attack Against One-Way Hash Functions

If the hash algorithm produces the same hash value for two distinctly different messages, this is called a collision.

An attacker can attempt to force a collision, which is referred to as a birthday attack.

Birthday paradox

Q: How many people must be in the same room for the probability to be more than 50% that at least two of them will have the same birthday?


Birthday paradox

Given a group of 23 (or more) randomly chosen people, the probability is more than 50% that at least two of them will have the same birthday.

For 60 or more people, the probability is greater than 99%, although it cannot actually be 100% unless there are at least 366 people.


Birthday paradox

Q: What is the implication of birthday paradox to hash functions?


Birthday attack

Attackers can find the corresponding hash value that matches a specific message through a brute force attack.

Q: Why?

If an attacker finds two messages with the same hash value, it is equivalent to finding two people with the same birthday.

• A birthday attack is a type of brute force attack.

• Based on the birthday paradox, if the output of a hashing algorithm is n bits, finding two messages that hash to the same value would require checking only 2^(n/2) messages.

• E.g., SHA-1 generates a 160-bit hash value. The attacker needs approximately 2^80 computations to find a collision.

• A larger hash value is less vulnerable to brute force attack.
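The 2^(n/2) bound can be checked empirically. The following is an added example, not part of the original slides: it computes the birthday probabilities quoted above and searches for a collision on an n-bit hash, where the n-bit hash is assumed to be SHA-256 truncated to its top n bits and the messages are constructed counter strings.

```python
import hashlib
from math import prod


def birthday_probability(people: int, days: int = 365) -> float:
    """Probability that at least two of `people` share one of `days` birthdays."""
    if people > days:
        return 1.0  # pigeonhole: a shared birthday is certain
    return 1.0 - prod((days - i) / days for i in range(people))


def truncated_hash(message: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256, standing in for an n-bit hash (assumption)."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest >> (256 - bits)


def find_collision(bits: int):
    """Hash distinct messages until two share a digest.

    Returns (first_message, second_message, messages_hashed).
    """
    seen = {}
    counter = 0
    while True:
        message = b"msg-%d" % counter  # constructed sample messages
        counter += 1
        value = truncated_hash(message, bits)
        if value in seen:
            return seen[value], message, counter
        seen[value] = message


if __name__ == "__main__":
    print("23 people:", round(birthday_probability(23), 4))
    print("60 people:", round(birthday_probability(60), 4))
    for n in (16, 24, 32):
        _, _, hashed = find_collision(n)
        print(f"n={n}: collision after {hashed} messages; 2^(n/2) = {2 ** (n // 2)}")
```

The number of messages hashed stays close to 2^(n/2) and far below 2^n, which is why doubling the digest length is needed to double the collision-resistance exponent.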


Detecting Intentional Modification

Q: Could Parity bits and Hash functions prevent intentional modifications?

Ans: No. An attacker can intercept data, alter it, calculate new parity bits or CRC, and retransmit the modified data.

The solution:

• Message authentication code

• Digital signature


Message authentication code (MAC)

We need to use message authentication code (MAC), a.k.a. message integrity code (MIC)

A symmetric key is involved in MAC

The use of the symmetric key ensures that the only person who can verify the integrity of the message is the person who has a copy of this key.

No one else can verify the data’s integrity


Message authentication code (MAC)

Any modifications would be detected by the receiver.

If someone were to make a change to the data, he could not generate the MAC value the receiver would be looking for.

MAC provides a form of authentication. It provides data origin authentication.

Two types of MACs:

• Hash MAC (HMAC)

• CBC-MAC


Hash MAC (HMAC)

The only difference between HMAC and a “plain” hash function is that the message is concatenated with a symmetric key before being put through a hashing function.
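The difference between an unkeyed checksum and a MAC when data is altered in transit, as an added example that is not part of the original slides. The key and message are constructed sample values, and the function names are hypothetical; Python's `hmac` module implements the standardized HMAC (RFC 2104), which mixes the key in through two nested hash passes rather than a single concatenation.

```python
import hashlib
import hmac

KEY = b"constructed-shared-key"            # sample key, constructed for this example
ORIGINAL = b"transfer 100 to account 42"   # sample message, constructed


def plain_checksum(message: bytes) -> bytes:
    """Unkeyed integrity value: anyone who sees the message can compute it."""
    return hashlib.sha256(message).digest()


def mac(message: bytes, key: bytes) -> bytes:
    """Keyed integrity value (HMAC-SHA256): requires the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def receiver_accepts_plain(message: bytes, check: bytes) -> bool:
    return hmac.compare_digest(plain_checksum(message), check)


def receiver_accepts_mac(message: bytes, tag: bytes, key: bytes) -> bool:
    # compare_digest avoids leaking the position of the first mismatch via timing
    return hmac.compare_digest(mac(message, key), tag)


def alter_in_transit(message: bytes):
    """Models the modification described on the slide: the data is changed
    and the only check value that can be recomputed without the key is the
    unkeyed one."""
    altered = message.replace(b"100", b"900")
    return altered, plain_checksum(altered)


def run_demo() -> dict:
    altered, recomputed = alter_in_transit(ORIGINAL)
    genuine_tag = mac(ORIGINAL, KEY)
    return {
        "plain_accepts_altered": receiver_accepts_plain(altered, recomputed),
        "mac_accepts_original": receiver_accepts_mac(ORIGINAL, genuine_tag, KEY),
        "mac_accepts_altered_with_old_tag": receiver_accepts_mac(altered, genuine_tag, KEY),
        "mac_accepts_altered_with_unkeyed_value": receiver_accepts_mac(altered, recomputed, KEY),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```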


CBC-MAC (1)

• In CBC mode, the sender encrypts the message with a symmetric block cipher.

• The output of the final block of ciphertext is used as the MAC.

• The MAC, attached to the plaintext message, is sent.

• The receiver receives the plaintext message, encrypts it with the same symmetric block cipher in CBC mode, and calculates an independent MAC value.

• Note that CBC-MAC does not use a hashing algorithm.


CBC-MAC (2)


Digital Signatures

Digital signature: encrypt the hash value with the sender’s private key.


Digital Signatures

• The hashing function ensures the integrity of the message.

• The signing of the hash value provides authentication and nonrepudiation.

Digital Signature Standard (DSS)

• In 1991, NIST proposed a federal standard called the Digital Signature Standard (DSS).

• RSA and DSA are the best known and most widely used digital signature algorithms.


Nonrepudiation

• A construct that authenticates the origin and contents of a message in a manner provable to a disinterested third party (“judge”).

• Sender cannot deny having sent the message (the service is “nonrepudiation”).

• Limited to technical proofs:
  • Inability to deny one’s cryptographic key was used to sign.
  • One could claim the cryptographic key was stolen or compromised.
  • Legal proofs, etc., probably required; not dealt with here.


Is this a digital signature ?

• Alice, Bob share key k.

• Alice sends m || { m }k to Bob.

Q: Is this a digital signature?

No! A third party cannot determine whether Alice or Bob generated the message.


Classical Digital Signatures

• Require a trusted third party.

• Alice, Bob each share keys with trusted party Cathy, but not with each other.

• To resolve a dispute, the judge gets { m } kAlice, { m } kBob, and has Cathy decipher them; if the messages match, the contract was signed.

Message exchange (figure):

• Alice, Bob: { m }kAlice

• Cathy, Bob: { m }kAlice

• Cathy, Bob: { m }kBob


Public Key Digital Signatures


Public Key Digital Signatures

• Alice’s keys are dAlice, eAlice.

• Alice sends Bob m || { H(m) } dAlice.

• In case of dispute, the judge computes { { H(m) } dAlice } eAlice, and if it is m, Alice signed the message.

• She’s the only one who knows dAlice!
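The contrast between the shared-key construction and the public-key signature above, as an added example that is not part of the original slides. It uses textbook (unpadded) RSA with a toy modulus built from two known Mersenne primes, and models the shared-key case with an HMAC tag; both choices are assumptions made to keep the example self-contained, and deployed signatures use a padded scheme such as RSA-PSS with much larger keys. The judge's recovered value is compared with H(m) recomputed from the message presented.

```python
import hashlib
import hmac

# Toy key pair (assumption): two known Mersenne primes, far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E_ALICE = 65537                                   # public exponent, eAlice
D_ALICE = pow(E_ALICE, -1, (P - 1) * (Q - 1))     # private exponent, dAlice


def H(m: bytes) -> int:
    """H(m), reduced so that it fits below the toy modulus."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N


def sign(m: bytes, d: int = D_ALICE) -> int:
    """{ H(m) } dAlice: only the holder of dAlice can compute this."""
    return pow(H(m), d, N)


def judge_verifies(m: bytes, signature: int, e: int = E_ALICE) -> bool:
    """Compute { { H(m) } dAlice } eAlice and compare with H(m) of the message."""
    return pow(signature, e, N) == H(m)


def shared_key_tag(m: bytes, k: bytes) -> bytes:
    """Stand-in for the shared-key construction: any holder of k can produce it."""
    return hmac.new(k, m, hashlib.sha256).digest()


def run_demo() -> dict:
    m = b"Alice agrees to the contract"            # constructed sample message
    k = b"key-shared-by-alice-and-bob"             # constructed sample key
    signature = sign(m)
    return {
        # Alice and Bob both hold k, so their tags are indistinguishable to a judge.
        "shared_key_tags_identical": shared_key_tag(m, k) == shared_key_tag(m, k),
        "judge_accepts_signed_message": judge_verifies(m, signature),
        "judge_accepts_altered_message": judge_verifies(m + b" twice", signature),
        "judge_accepts_altered_signature": judge_verifies(m, signature + 1),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```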



Passive attacks vs. Active attacks

Passive attacks

• Eavesdropping and sniffing data as it passes over a network.

• The attacker is not affecting the protocol, algorithm, key, message, or any parts of the encryption system.

• Hard to detect. In most cases methods are put in place to try to prevent them rather than detect and stop them.

Active attacks

• Altering messages, modifying system files, and masquerading as another individual.

• Passive attacks are usually used to gain information prior to carrying out an active attack.


Scenarios for cryptanalysis

Cryptanalysis can be performed under a number of assumptions about how much can be observed or found out about the system under attack.

• Ciphertext-Only Attack: it is easy to get ciphertext by sniffing traffic; very difficult to figure out the key.

• Known-Plaintext Attack: the attacker has a few pairs of plaintext and ciphertext.

• Chosen-Plaintext Attack: the attacker can choose the plaintext and get the corresponding ciphertext.

• Chosen-Ciphertext Attack: the attacker can choose the ciphertext and get the corresponding decrypted plaintext.


Cryptanalysis

• Cryptanalysis is the study of methods for obtaining the meaning of encrypted information.

• Typically, cryptanalysis involves finding the secret key.

• Cryptanalysis has coevolved together with cryptography.

Frequency analysis is the basic tool for breaking classical ciphers.

• In natural languages, certain letters of the alphabet appear more frequently than others.

• E.g., in English, "E" is likely to be the most common letter in any given sample of text. Similarly, the digraph "TH" is the most likely pair of letters.


Cryptanalysis

• Asymmetric cryptography relies on "hard" mathematical problems as its basis.

• If an improved algorithm can be found to solve the problem, then the system is weakened.

E.g., RSA security:

• In 1980, factoring a 50-digit number needed 10^12 computer operations. By 1984, factoring algorithms had advanced: a 75-digit number could be factored in the same number of operations.

• Advances in computing technology mean that the operations could be performed much faster.

• By the start of the 21st century, 150-digit numbers were no longer considered a large enough key size for RSA.


Replay Attack

In a replay attack, an attacker captures some type of data and resubmits it in the hope of fooling the receiving device into thinking it is legitimate information.

Timestamps and sequence numbers are two countermeasures: they ensure the freshness of packets.
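A receiver that enforces both countermeasures, as an added example that is not part of the original slides. The packet layout (8-byte sequence number, 8-byte timestamp, payload, 32-byte HMAC-SHA256 tag), the 30-second freshness window, the key and the names `pack` and `Receiver` are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # sample key, constructed for this example
MAX_AGE = 30                    # assumed freshness window in seconds
HEADER = struct.Struct(">QQ")   # sequence number, timestamp
TAG_LEN = 32


def pack(seq: int, timestamp: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Sender side: the MAC covers the sequence number and timestamp too,
    so neither can be changed without the key."""
    header = HEADER.pack(seq, timestamp)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, packet: bytes, now: int) -> str:
        if len(packet) < HEADER.size + TAG_LEN:
            return "malformed"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad-mac"    # altered or forged packet
        seq, timestamp = HEADER.unpack(body[:HEADER.size])
        if abs(now - timestamp) > MAX_AGE:
            return "stale"      # timestamp check: too old (or clock too far off)
        if seq <= self.last_seq:
            return "replay"     # sequence check: already seen
        self.last_seq = seq
        return "ok"


if __name__ == "__main__":
    rx = Receiver()
    first = pack(1, 1000, b"open door")
    print(rx.accept(first, now=1005))                      # ok
    print(rx.accept(first, now=1006))                      # replay
    print(rx.accept(pack(2, 1000, b"open"), now=1100))     # stale
```

The timestamp bounds how long a captured packet stays usable, and the sequence number rejects a copy resent inside that window; the MAC is what stops the sender of a copy from simply rewriting either field.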


Side Channel Attacks

A side channel attack is any attack based on information gained from the physical implementation of a cryptosystem, rather than on theoretical weaknesses in the algorithms (cryptanalysis).

Sources of such information: power consumption, radiation emissions, and the time it takes for certain types of data processing.

