Information System Information System SecuritySecurity

Lecture 4Lecture 4

Message Authentication and Digital Message Authentication and Digital SignatureSignature

22

OutlineOutline

1.1. Message authenticationMessage authentication

2.2. Authentication functionsAuthentication functions Message EncyprtionMessage Encyprtion Hash functionsHash functions MACMAC

3.3. Digital signatureDigital signature– Arbitrated digital signatureArbitrated digital signature

– True digital signatureTrue digital signature RSA – based signatureRSA – based signature ElGamal – based signature (DSA) ElGamal – based signature (DSA)

33

ReferencesReferences

[1] Cryptography and Network Security, By W. Stallings. Prentice Hall, 2003.

[2] Handbook of applied Cryptography by A. Menezes, P. Van Oorschot and S. Vanstone. 5th printing, 2001http://www.cacr.math.uwaterloo.ca/hac

44

1. Message Authentication1. Message Authentication

Message authenticationMessage authentication is a procedure to verify that received is a procedure to verify that received messages come from the pretended source and have not been messages come from the pretended source and have not been altered. altered. – Also called Also called data origin authenticationdata origin authentication

– It provides integrityIt provides integrity

– Entity authentication (identification) is similar but entities are online. Entity authentication (identification) is similar but entities are online.

Message Authentication can thwart the following attacks:Message Authentication can thwart the following attacks:– MasqueradeMasquerade

– Content modificationContent modification

– Sequence modificationSequence modification

– Timing modification: Message delay or replay Timing modification: Message delay or replay

Message authentication produces anMessage authentication produces an authenticatorauthenticator: a value to be : a value to be used to authenticate a message.used to authenticate a message.

55

Authentication functionsAuthentication functions

Three types of functions that may be used to produce an Three types of functions that may be used to produce an authenticator:authenticator:1.1. Message encryption: The ciphertext of the entire message serves as its Message encryption: The ciphertext of the entire message serves as its

authenticator. authenticator.

2.2. Hash functionHash function: a public function that maps a message of any length into : a public function that maps a message of any length into a fixed-length hash value, which serves as the authenticator .a fixed-length hash value, which serves as the authenticator .

3.3. Message Authentication Code (MACMessage Authentication Code (MAC)): a public function of the message : a public function of the message and a secret key that produces a fixed-length value that serves as the and a secret key that produces a fixed-length value that serves as the authenticator.authenticator.

66

Message encryptionMessage encryption

Message encryption provides authentication:Message encryption provides authentication:– Symmetric encryption: if the encryption/decryption key is not known to Symmetric encryption: if the encryption/decryption key is not known to

any other party (except the sender and receiver).any other party (except the sender and receiver).

– Asymmetric encryption: the sender should uses its private key to encrypt Asymmetric encryption: the sender should uses its private key to encrypt the message. The sender’s public key is then used to decrypt the message. the message. The sender’s public key is then used to decrypt the message. This helps providing only authentication This helps providing only authentication

If we need authentication and confidentiality, then the sender If we need authentication and confidentiality, then the sender should encrypt the message twice: should encrypt the message twice: – 11stst: with its private key (authentication): with its private key (authentication)

– 22ndnd: with the receiver’s public key (confidentiality) : with the receiver’s public key (confidentiality)

77

2. Hash function2. Hash function

A hash function produces a fixed-size output for a variable-size A hash function produces a fixed-size output for a variable-size message message mm as an input. as an input.– It is denoted H(It is denoted H(mm) (the hash code).) (the hash code).

– A hash code is also referred asA hash code is also referred as message digestmessage digest oror hash valuehash value. .

It takes as input only the message itself.It takes as input only the message itself. It is a one-way function.It is a one-way function. H(H(mm) provides error-detection capability.) provides error-detection capability.

Hash code provides message authentication if used as follows:Hash code provides message authentication if used as follows:1.1. (H((H(mm) || ) || mm ) encrypted using symmetric encryption. ) encrypted using symmetric encryption.

2.2. H(H(mm) encrypted using symmetric encryption.) encrypted using symmetric encryption.– It’s a digital signatureIt’s a digital signature

88

2. Hash function2. Hash function

3.3. H(H(mm) encrypted using asymmetric encryption and the sender’s private ) encrypted using asymmetric encryption and the sender’s private key.key.

4.4. H(H(mm||S), where S is secret key shared between the sender and receiver.||S), where S is secret key shared between the sender and receiver.– No encryptionNo encryption

Examples of hash algorithms (more info in Ch.12 of [1]):Examples of hash algorithms (more info in Ch.12 of [1]):– MD5: MD5: ([RFC 1321]([RFC 1321]**, 1992), 1992)

Input: any message of arbitrary lengthInput: any message of arbitrary length Output: 128-bit message digestOutput: 128-bit message digest

– SHA: SHA: ([FIPS 180]([FIPS 180]****, 1993, [RFC 3174]), 1993, [RFC 3174]) Input: any message < 2Input: any message < 26464 bits bits Output: 160-bit message digestOutput: 160-bit message digest

– SHA is more secure than MD5 but slowerSHA is more secure than MD5 but slower

Hash functions are much faster than symmetric ciphersHash functions are much faster than symmetric ciphers

MD5128-bit message digest

Message of any length

**: : http://www.ietf.org ****: US Federal Information Processing : US Federal Information Processing Standard Standard

SHA160-bit message digest

Message,

length < 264 bits

99

3. Message Authentication Code 3. Message Authentication Code (MAC)(MAC) MAC is a technique to provide authentication using a shared MAC is a technique to provide authentication using a shared

secret key to generate a small fixed-size block of datasecret key to generate a small fixed-size block of data– The MAC is also known as a The MAC is also known as a cryptographic checksumcryptographic checksum

– It is appended to the message.It is appended to the message.

A MAC can be viewed as a hash function with a secret key.A MAC can be viewed as a hash function with a secret key.

If A wants to send an authentic message If A wants to send an authentic message mm to B, using MAC: to B, using MAC:– A and B must share a secret key, A and B must share a secret key, KK

– A computes the MAC as a function of A computes the MAC as a function of mm and and KK,, i.e., MAC = i.e., MAC = CCKK(M)(M)

– A sends B A sends B mm plus the MAC plus the MAC

1010

3. Message Authentication Code 3. Message Authentication Code (MAC)(MAC) MACs assures:MACs assures:

1.1. Message hasn’t been altered during transmission.Message hasn’t been altered during transmission.

2.2. Message coming from the pretended sender.Message coming from the pretended sender.

3.3. Sequence number hasn’t been ltered during transmission if the message Sequence number hasn’t been ltered during transmission if the message includes a sequence number.includes a sequence number.

Examples of MACs: Examples of MACs: – HMAC HMAC ([RFC 2104], and Ch.12 of [1]):([RFC 2104], and Ch.12 of [1]):

1111

4. Digital signature4. Digital signature

A digital signature is a technique for establishing the origin of a particular message in order to settle later disputes about what message (if any) was sent. – DG includes measures that counter source repudiation.– DG can prevent destination repudiation attack if used in combination DG can prevent destination repudiation attack if used in combination

with specific protocols. with specific protocols.

The purpose of a digital signature is thus for an entity to bind its identity to a message.

We use the term signer for an entity who creates a digital signature, and the term verifier for an entity who receives a signed message and attempts to check whether the digital signature is “correct” or not.  

1212

Digital signatureDigital signature

A digital signature on a message provides:A digital signature on a message provides:– Message authentication: message’s origin is known + integrityMessage authentication: message’s origin is known + integrity

– Non-repudiationNon-repudiation

the digital signature takes as input parameters the message itself the digital signature takes as input parameters the message itself and a secret value, known only to the signer.and a secret value, known only to the signer.

A digital signature must be:A digital signature must be:– Easy to compute by the signer.Easy to compute by the signer.

– Easy to verify by anyone.Easy to verify by anyone.

– Hard to compute by anyone except the signer.Hard to compute by anyone except the signer.

1313

Types of digital signaturesTypes of digital signatures

There are 2 types of digital signaturesThere are 2 types of digital signatures arbitrated digital arbitrated digital signaturesignature andand true digital signaturetrue digital signature

Arbitrated digital signature is based on a trusted third party Arbitrated digital signature is based on a trusted third party (arbiter). There are 2 types:(arbiter). There are 2 types:– Based on symmetric keyBased on symmetric key

– Based on public-keyBased on public-key

– Example:Example:

MAC KS

Signer, S Verifier, V

Arbiter, A

message

message

MACKV

MACKS

–KKss shared between A and S, shared between A and S, kV shared between A and V

1414

True digital signatureTrue digital signature

The vast majority of digital signature techniques do not involve communication through a trusted arbitrator.

A true digital signature is one that can be sent directly from the signer to the verifier.

For the rest of this unit when we say “digital signature” we mean “true digital signature”.

A digital signature may be formed by encrypting the entire message with the signer’s private key or by encrypting a hash code of the message with sender’s private key. Signer’s public key should be available to the verifier.

We’ll see two schemesWe’ll see two schemes– RSA-based schemeRSA-based scheme

– ElGamal- based scheme (or DSA)ElGamal- based scheme (or DSA)

1515

RSA SignatureRSA Signature

message

hash function

hash

(RSA)

signature

Signer’s private key

message

signature

Signed message

RSA signature is similar to RSA encryption with inverse roles of keys, i.e., for signing, the sender’s private key is used and for verification, the sender’s public key is used.

Example: RSA is used to encrypt the hashed code with the sender’s private key.

1616

Verification of a RSA Verification of a RSA SignatureSignature

message

signature

(RSA) verification keyhash

function

= ?

Decision

The verifier decrypts the signature with the sender’s public key and then compares the result with the message’s hash code.

1717

Digital Signature Algorithm Digital Signature Algorithm (DSA)(DSA)

In 1991, the DSA has been published by the US NIST (National Institute of Standardizations and Technology) and become a US FIPS-186 under the name DSS (Digital Signature Standard).

DSS is the 1st digital signature scheme to be recognized by any government.

DSS is a variant of ElGamal signature scheme

DSS makes use of SHA

1818

DSS ApproachDSS Approach

DSS depends on: DSS depends on: – A hash function HA hash function H

– a random number a random number kk, (used once)., (used once).

– The sender’s key pair (The sender’s key pair (Kv: private, Kp: public)

– Global Public parameters, Global Public parameters, KGP

M ||

H Sig

M

sr

H

Ver

Compare

Kp

KGP

Kv

KGP

kSignature generation

Signature verification

1919

DSS parameter generationDSS parameter generation

Global Public (GP) parameters (Global Public (GP) parameters (q,p,gq,p,g): ): – qq: a 160-bit prime number: a 160-bit prime number

– pp: a prime number; such that 2: a prime number; such that 2512512 ≤≤ pp ≤≤ 2 210241024 and and qq||(p-1)(p-1)

– gg: : = h= h(p-1)/q(p-1)/q mod p; and mod p; and g > 1 g > 1 hh is an integer: is an integer: 1 < h < p-11 < h < p-1

– ((q,p,gq,p,g) can be common to a group of users) can be common to a group of users

User’s private key User’s private key Kv

– xx: A random integer, 1 < : A random integer, 1 < xx < < qq

User’s public key User’s public key Kp

– y y = = ggxx mod mod pp

2020

DSS signature generationDSS signature generation

Signing: if an entity A wants to send a signed message m to Signing: if an entity A wants to send a signed message m to another entity B. another entity B. – Assume that (Assume that (p,q,gp,q,g): the global public parameters, ): the global public parameters, xx: A’s private key, and : A’s private key, and

yy: A’s public key.: A’s public key.

– 11stst A randomly picks an integer A randomly picks an integer kk: 1 < : 1 < kk < < qq

– 22ndnd A computes A computes r r and and s s rr = ( = (ggkk mod mod p) p) modmod q q s s = = kk-1-1 (H( (H(mm) + ) + xrxr) mod ) mod qq

– The signature is (The signature is (r,sr,s))

– A sends to B [A sends to B [mm || ( || (r,sr,s)])]

2121

DSS signature verificationDSS signature verification

Verification:Verification: assume that B receives [ assume that B receives [mm’+(’+(rr’,’,ss’)], ’)], i.e.i.e., , mm’, ’, rr’ ,’ ,ss’ are the ’ are the received versions of received versions of mm, , rr, , ss..

– Assume that B has an authentic copy of A’s public key, Assume that B has an authentic copy of A’s public key, yy, and GP , and GP parameters (parameters (p, q, gp, q, g).).

– 11stst, , B computes B computes w, uw, u11 , u , u22 such that : such that : ww = ( = (ss’)’)-1-1 mod mod q, q, uu11 = = w.w.H(H(mm’) mod ’) mod q,q,

uu22 = ( = (rr’)’)ww mod mod qq

– 22ndnd B computesB computes v v = [( = [(ggu1u1yyu2u2) mod ) mod pp] mod ] mod qq

– 33rdrd B checks if B checks if vv = = r’ r’ then signature is authenticthen signature is authentic