Date post: | 19-Nov-2014 |
Category: |
Technology |
Upload: | ali-habeeb |
Information System Security
Lecture 4
Message Authentication and Digital Signature
Outline
1. Message authentication
2. Authentication functions
– Message encryption
– Hash functions
– MAC
3. Digital signature
– Arbitrated digital signature
– True digital signature
  – RSA-based signature
  – ElGamal-based signature (DSA)
References
[1] W. Stallings, Cryptography and Network Security. Prentice Hall, 2003.
[2] A. Menezes, P. van Oorschot and S. Vanstone, Handbook of Applied Cryptography. 5th printing, 2001. http://www.cacr.math.uwaterloo.ca/hac
1. Message Authentication
Message authentication is a procedure to verify that received messages come from the claimed source and have not been altered.
– Also called data origin authentication
– It provides integrity
– Entity authentication (identification) is similar, but the entities are online.
Message authentication can thwart the following attacks:
– Masquerade
– Content modification
– Sequence modification
– Timing modification: message delay or replay
Message authentication produces an authenticator: a value used to authenticate a message.
Authentication functions
Three types of functions may be used to produce an authenticator:
1. Message encryption: the ciphertext of the entire message serves as its authenticator.
2. Hash function: a public function that maps a message of any length into a fixed-length hash value, which serves as the authenticator.
3. Message Authentication Code (MAC): a public function of the message and a secret key that produces a fixed-length value that serves as the authenticator.
Message encryption
Message encryption provides authentication:
– Symmetric encryption: if the encryption/decryption key is not known to any other party (except the sender and receiver).
– Asymmetric encryption: the sender uses its private key to encrypt the message. The sender's public key is then used to decrypt the message. This provides authentication only.
If we need authentication and confidentiality, then the sender should encrypt the message twice:
– 1st: with its private key (authentication)
– 2nd: with the receiver's public key (confidentiality)
2. Hash function
A hash function produces a fixed-size output for a variable-size message m as an input.
– It is denoted H(m) (the hash code).
– A hash code is also referred to as a message digest or hash value.
– It takes as input only the message itself.
– It is a one-way function.
– H(m) provides error-detection capability.
A hash code provides message authentication if used as follows:
1. (H(m) || m) encrypted using symmetric encryption.
2. H(m) encrypted using symmetric encryption.
– It's a digital signature
3. H(m) encrypted using asymmetric encryption and the sender's private key.
4. H(m || S), where S is a secret key shared between the sender and receiver.
– No encryption
Examples of hash algorithms (more info in Ch.12 of [1]):
– MD5 ([RFC 1321]*, 1992)
  Input: any message of arbitrary length
  Output: 128-bit message digest
– SHA ([FIPS 180]**, 1993, [RFC 3174])
  Input: any message < 2^64 bits
  Output: 160-bit message digest
– SHA is more secure than MD5 but slower
Hash functions are much faster than symmetric ciphers.
[Figure: MD5 takes a message of any length and outputs a 128-bit message digest; SHA takes a message of length < 2^64 bits and outputs a 160-bit message digest.]
*: http://www.ietf.org
**: US Federal Information Processing Standard
3. Message Authentication Code (MAC)
MAC is a technique to provide authentication using a shared secret key to generate a small fixed-size block of data.
– The MAC is also known as a cryptographic checksum
– It is appended to the message.
A MAC can be viewed as a hash function with a secret key.
If A wants to send an authentic message m to B, using a MAC:
– A and B must share a secret key, K
– A computes the MAC as a function of m and K, i.e., $\text{MAC} = C_K(m)$
– A sends B m plus the MAC
A MAC assures that:
1. The message hasn't been altered during transmission.
2. The message comes from the claimed sender.
3. The sequence number hasn't been altered during transmission, if the message includes a sequence number.
Examples of MACs:
– HMAC ([RFC 2104], and Ch.12 of [1])
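An added example (not from the original slides) of the exchange described above: A sends m plus MAC = C_K(seq || m), and B rejects altered, replayed or reordered messages. HMAC-SHA-256 as the MAC function, the 8-byte sequence-number encoding, the sample key and messages, and all names are assumptions of the example.

```python
import hmac, hashlib, struct

def mac(key, seq, msg):
    # C_K over the sequence number and the message, so neither can change unnoticed
    return hmac.new(key, struct.pack(">Q", seq) + msg, hashlib.sha256).digest()

def send(key, seq, msg):
    """Sender A: transmit the sequence number, the message and the MAC."""
    return seq, msg, mac(key, seq, msg)

class Receiver:
    """Receiver B: shares K with A and tracks the next expected sequence number."""
    def __init__(self, key):
        self.key, self.expected_seq = key, 0

    def accept(self, seq, msg, tag):
        # constant-time comparison avoids leaking how many MAC bytes matched
        if not hmac.compare_digest(mac(self.key, seq, msg), tag):
            return "reject: bad MAC"
        if seq != self.expected_seq:
            return "reject: replay or out of sequence"
        self.expected_seq += 1
        return "accept"

def demo():
    key = b"constructed-demo-key-shared-A-B!"        # constructed sample key
    b = Receiver(key)
    first = send(key, 0, b"transfer 10 to C")         # constructed sample messages
    second = send(key, 1, b"transfer 20 to D")
    return [
        b.accept(*first),                             # genuine message
        b.accept(0, b"transfer 99 to C", first[2]),   # content modification
        b.accept(1, first[1], first[2]),              # sequence number altered
        b.accept(*first),                             # replay of an old message
        b.accept(*second),                            # next genuine message
    ]

if __name__ == "__main__":
    print(demo())
```

The MAC alone catches the modified content and the altered sequence number; the replay carries a valid MAC and is caught only because B remembers which sequence number it expects next.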
4. Digital signature
A digital signature is a technique for establishing the origin of a particular message in order to settle later disputes about what message (if any) was sent.
– A digital signature includes measures that counter source repudiation.
– A digital signature can prevent a destination repudiation attack if used in combination with specific protocols.
The purpose of a digital signature is thus for an entity to bind its identity to a message.
We use the term signer for an entity who creates a digital signature, and the term verifier for an entity who receives a signed message and attempts to check whether the digital signature is “correct” or not.
Digital signature
A digital signature on a message provides:
– Message authentication: message's origin is known + integrity
– Non-repudiation
The digital signature takes as input parameters the message itself and a secret value, known only to the signer.
A digital signature must be:
– Easy to compute by the signer.
– Easy to verify by anyone.
– Hard to compute by anyone except the signer.
Types of digital signatures
There are 2 types of digital signatures: arbitrated digital signature and true digital signature.
Arbitrated digital signature is based on a trusted third party (arbiter). There are 2 types:
– Based on symmetric key
– Based on public-key
– Example:
[Figure: arbitrated digital signature with symmetric keys. Labels: Signer S, Arbiter A, Verifier V; message with MAC_KS; message with MAC_KV.]
– $K_S$ is shared between A and S; $K_V$ is shared between A and V
True digital signature
The vast majority of digital signature techniques do not involve communication through a trusted arbitrator.
A true digital signature is one that can be sent directly from the signer to the verifier.
For the rest of this unit when we say “digital signature” we mean “true digital signature”.
A digital signature may be formed by encrypting the entire message with the signer’s private key or by encrypting a hash code of the message with sender’s private key. Signer’s public key should be available to the verifier.
We'll see two schemes:
– RSA-based scheme
– ElGamal-based scheme (or DSA)
RSA Signature
[Figure: RSA signing. Labels: message, hash function, hash, (RSA), signer's private key, signature; message plus signature form the signed message.]
RSA signature is similar to RSA encryption with inverse roles of keys, i.e., for signing, the sender’s private key is used and for verification, the sender’s public key is used.
Example: RSA is used to encrypt the hashed code with the sender’s private key.
Verification of an RSA Signature
[Figure: RSA signature verification. Labels: message, hash function, signature, (RSA), verification key, comparison (= ?), decision.]
The verifier decrypts the signature with the sender’s public key and then compares the result with the message’s hash code.
Digital Signature Algorithm (DSA)
In 1991, the DSA was published by the US NIST (National Institute of Standards and Technology) and became US FIPS-186 under the name DSS (Digital Signature Standard).
DSS is the first digital signature scheme to be recognized by any government.
DSS is a variant of the ElGamal signature scheme.
DSS makes use of SHA.
DSS Approach
DSS depends on:
– A hash function H
– A random number k (used once).
– The sender's key pair ($K_v$: private, $K_p$: public)
– Global public parameters, $K_{GP}$
[Figure: DSS signature generation and signature verification. Labels: M, H, k, K_v, K_GP, Sig, (s, r), K_p, Ver, Compare.]
DSS parameter generation
Global Public (GP) parameters $(q, p, g)$:
– $q$: a 160-bit prime number
– $p$: a prime number such that $2^{512} \le p \le 2^{1024}$ and $q \mid (p-1)$
– $g = h^{(p-1)/q} \bmod p$, with $g > 1$; $h$ is an integer, $1 < h < p-1$
– $(q, p, g)$ can be common to a group of users
User's private key $K_v$:
– $x$: a random integer, $1 < x < q$
User's public key $K_p$:
– $y = g^x \bmod p$
DSS signature generation
Signing: an entity A wants to send a signed message $m$ to another entity B.
– Assume that $(p, q, g)$ are the global public parameters, $x$ is A's private key, and $y$ is A's public key.
– 1st, A randomly picks an integer $k$: $1 < k < q$
– 2nd, A computes $r$ and $s$:
  $r = (g^k \bmod p) \bmod q$
  $s = k^{-1}(H(m) + xr) \bmod q$
– The signature is $(r, s)$
– A sends to B $[m \,\|\, (r, s)]$
DSS signature verification
Verification: assume that B receives $[m' + (r', s')]$, i.e., $m'$, $r'$, $s'$ are the received versions of $m$, $r$, $s$.
– Assume that B has an authentic copy of A's public key, $y$, and the GP parameters $(p, q, g)$.
– 1st, B computes $w$, $u_1$, $u_2$ such that:
  $w = (s')^{-1} \bmod q$
  $u_1 = w \cdot H(m') \bmod q$
  $u_2 = (r')\,w \bmod q$
– 2nd, B computes $v = [(g^{u_1} y^{u_2}) \bmod p] \bmod q$
– 3rd, B checks: if $v = r'$ then the signature is authentic
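The three DSS slides above (parameter generation, signing, verification) carried through in code with the same symbols. This is an added example, not part of the original lecture; the function names, the Miller-Rabin helper, trying h = 2 first, and the range check on r and s in verify are assumptions of the example.

```python
import hashlib, secrets

def H(m):  # SHA-1: the 160-bit SHA named on the slides
    return int.from_bytes(hashlib.sha1(m).digest(), "big")

def is_prime(n, rounds=24):  # Miller-Rabin test for odd n > 3
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_params():
    """Global public parameters (q, p, g): q | (p-1), p >= 2^512, g of order q."""
    q = secrets.randbits(160) | (1 << 159) | 1   # random odd 160-bit start
    while not is_prime(q):
        q += 2
    j = ((1 << 512) // q + 2) & ~1               # even cofactor, so p = j*q + 1 is odd
    while not is_prime(j * q + 1):
        j += 2
    p, h = j * q + 1, 2
    while pow(h, j, p) == 1:                     # need g = h^((p-1)/q) mod p > 1
        h += 1
    return q, p, pow(h, j, p)

def keygen(q, p, g):
    x = secrets.randbelow(q - 2) + 2             # private key, 1 < x < q
    return x, pow(g, x, p)                       # public key y = g^x mod p

def sign(m, x, q, p, g):
    k = secrets.randbelow(q - 2) + 2             # fresh secret k for every signature
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (H(m) + x * r) % q
    return (r, s) if r and s else sign(m, x, q, p, g)

def verify(m, r, s, y, q, p, g):
    if not (0 < r < q and 0 < s < q):            # added range check, not on the slides
        return False
    w = pow(s, -1, q)
    u1, u2 = w * H(m) % q, r * w % q
    return pow(g, u1, p) * pow(y, u2, p) % p % q == r
```

With `q, p, g = gen_params()` and `x, y = keygen(q, p, g)`, `verify(m, *sign(m, x, q, p, g), y, q, p, g)` returns True, and changing m, r or s makes it return False. The slides' "used once" requirement on k is why sign draws it from a cryptographic random source on every call.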