Public-Key Cryptography and Message Authentication


OUTLINE
- Public-Key Cryptography Principles
- Public-Key Cryptography Algorithms
- Digital Signatures
- Key Management
- Approaches to Message Authentication
- Secure Hash Functions and HMAC

Public-Key Cryptography Principles
The use of two keys has consequences in key distribution, confidentiality and authentication.
The scheme has six ingredients:
- Plaintext
- Encryption algorithm
- Public key
- Private key
- Ciphertext
- Decryption algorithm

Encryption using Public-Key system

Authentication using Public-Key System

Public-Key Cryptosystems Stallings Figure 9.4 “Public-Key Cryptosystems: Secrecy and Authentication” illustrates the essential elements of a public-key encryption scheme. Note that public-key schemes can be used for either secrecy or authentication, or both (as shown here). In this case, separate key pairs are used for each of these purposes. The receiver owns and creates secrecy keys, sender owns and creates authentication keys. In practice typically DO NOT do this, because of the computational cost of public-key schemes. Rather encrypt a session key which is then used with a block cipher to encrypt the actual message, and separately sign a hash of the message as a digital signature - this will be discussed more later.

Applications for Public-Key Cryptosystems
Three categories:
- Encryption/decryption: The sender encrypts a message with the recipient’s public key.
- Digital signature: The sender “signs” a message with its private key.
- Key exchange: Two sides cooperate to exchange a session key.

Requirements for Public-Key Cryptography
- Computationally easy for a party B to generate a pair (public key KUb, private key KRb)
- Easy for sender to generate ciphertext:
- Easy for the receiver to decrypt ciphertext using private key:

Requirements for Public-Key Cryptography
- Computationally infeasible to determine private key (KRb) knowing public key (KUb)
- Computationally infeasible to recover message M, knowing KUb and ciphertext C
- Either of the two keys can be used for encryption, with the other used for decryption:

Public-Key Cryptographic Algorithms
RSA and Diffie-Hellman
- RSA: Ron Rivest, Adi Shamir and Len Adleman at MIT, 1977
  - RSA is a block cipher
  - The most widely implemented
- Diffie-Hellman
  - Exchange a secret key securely
  - Compute discrete logarithms

RSA Algorithm
- Select p, q (p and q both prime)
- Calculate n = p x q
- Select integer e:
- Calculate d:
- Public Key KU = {e,n}
- Private key KR = {d,n}
- Plaintext: M < n
- Ciphertext: C = M^e (mod n)
- Ciphertext: C
- Plaintext: M = C^d (mod n)

Example of RSA Algorithm
- Select p = 17, q = 11 (both primes)
- Calculate n = p x q = 187
- Calculate = 160
- Select integer e = 7, relatively prime to 160
- Calculate d: d x e mod 160 = 1, so d x e = k x 160 + 1
  23 x 7 = 161 = 1 x 160 + 1, d = 23
- Public Key KU = {e,n} = {7, 187}
- Private key KR = {d,n} = {23, 187}

Example of RSA Algorithm
Given message M = 88 (88 < 187)
Encryption:
C = 88^7 mod 187 = ?
  = [(88^4 mod 187) x (88^2 mod 187) x (88^1 mod 187)] mod 187
  = [(59,969,536 mod 187) x (7744 mod 187) x (88)] mod 187
  = (132 x 77 x 88) mod 187
  = 894,432 mod 187
  = 11
Decryption:
M = C^23 mod 187 = 88
Exponentiation: 23 = 16 (=8 + 8) + 4 + 2 + 1
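The two RSA example slides, carried through in code. This is an added example, not part of the original slides: the function names and the name `phi` for (p-1)(q-1) are assumptions, and it goes one step beyond the slides by also running the private-key-first direction that the requirements slide mentions. Textbook RSA without padding is for illustration only.

```python
# Textbook RSA with the slide's toy parameters. No padding: illustration only.

def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def mod_inverse(e, phi):
    """Return d with d*e mod phi == 1; fail if e shares a factor with phi."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e must be relatively prime to phi")
    return x % phi

def modexp(base, exp, mod):
    """Square-and-multiply: walk the exponent's bits, reducing at each step."""
    result, base = 1, base % mod
    while exp:
        if exp & 1:                      # this bit of the exponent is set
            result = (result * base) % mod
        base = (base * base) % mod       # base^1, base^2, base^4, ...
        exp >>= 1
    return result

def keygen(p, q, e):
    """Return (KU, KR) = ((e, n), (d, n)); 'phi' is a name added here."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (mod_inverse(e, phi), n)

def apply_key(m, key):
    """The RSA primitive m^exp mod n, used for both directions."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("value must be smaller than n")
    return modexp(m, exp, n)

KU, KR = keygen(17, 11, 7)       # slide values p, q, e
C = apply_key(88, KU)            # encrypt M = 88 with the public key
M = apply_key(C, KR)             # decrypt with the private key
S = apply_key(88, KR)            # "sign": private-key operation first
V = apply_key(S, KU)             # anyone can undo it with the public key

if __name__ == "__main__":
    print("KU =", KU, "KR =", KR, "C =", C, "M =", M, "S =", S, "V =", V)
```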

Diffie-Hellman Key Exchange
- First public-key type scheme proposed by Diffie & Hellman in 1976 along with the exposition of public key concepts
  - note: now know that Williamson (UK CESG) secretly proposed the concept in 1970
- is a practical method for public exchange of a secret key
- used in a number of commercial products
The idea of public key schemes, and the first practical scheme, which was for key distribution only, was published in 1977 by Diffie & Hellman. The concept had been previously described in a classified report in 1970 by Williamson (UK CESG) - and subsequently declassified in 1987, see [ELLI99].

Diffie-Hellman Key Exchange
- A public-key distribution scheme
  - cannot be used to exchange an arbitrary message
  - rather it can establish a common key known only to the two participants
- Secret key depends on the participants (and their private and public key information)
- based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) - easy
- security relies on the difficulty of computing discrete logarithms (similar to factoring) - hard
The purpose of the algorithm is to enable two users to securely exchange a key that can then be used for subsequent encryption of messages. The algorithm itself is limited to the exchange of secret values, which depends on the value of the public/private keys of the participants. The Diffie-Hellman algorithm uses exponentiation in a finite (Galois) field (modulo a prime or a polynomial), and depends for its effectiveness on the difficulty of computing discrete logarithms.

Diffie-Hellman Setup
- All users agree on global parameters:
  - large prime integer or polynomial q
  - α being a primitive root mod q
- Each user (e.g. A) generates their key
  - chooses a secret key (number): xA < q
  - compute their public key: yA = α^xA mod q
- Each user makes public that key yA
In the Diffie-Hellman key exchange algorithm, there are two publicly known numbers: a prime number q and an integer a that is a primitive root of q. The prime q and primitive root a can be common to all using some instance of the D-H scheme. Note that the primitive root a is a number whose powers successively generate all the elements mod q. Users Alice and Bob choose random secrets x's, and then "protect" them using exponentiation to create their public y's. For an attacker monitoring the exchange of the y's to recover either of the x's, they'd need to solve the discrete logarithm problem, which is hard.

Diffie-Hellman Key Exchange
- Shared session key for users A & B is KAB:
  KAB = α^(xA.xB) mod q
      = yA^xB mod q (which B can compute)
      = yB^xA mod q (which A can compute)
- KAB is used as a session key in a secret-key encryption scheme between Alice and Bob
- If Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public-keys
- To determine the private key of B, attacker must solve discrete log: XB = dlog α,q (YB)
The actual key exchange for either party consists of raising the other's "public key" to the power of their private key. The resulting number (or as much of it as is necessary) is used as the key for a block cipher or other private key scheme. For an attacker to obtain the same value they need at least one of the secret numbers, which means solving a discrete log, which is computationally infeasible given large enough numbers. Note that if Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public-keys.

Diffie-Hellman Key Exchange Prove equal?

Diffie-Hellman Example
- users Alice & Bob who wish to swap keys:
- agree on prime q=353 and α=3
- select random secret keys:
  - A chooses xA=97, B chooses xB=233
- compute respective public keys:
  - yA = 3^97 mod 353 = 40 (Alice)
  - yB = 3^233 mod 353 = 248 (Bob)
- compute shared session key as:
  - KAB = yB^xA mod 353 = 248^97 mod 353 = 160 (Alice)
  - KAB = yA^xB mod 353 = 40^233 mod 353 = 160 (Bob)
Here is an example of Diffie-Hellman from the text.
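The exchange above with both sides modelled, as an added example that is not part of the original slides. The class and function names are assumptions, and so is the rejection of degenerate peer values, which the slides do not discuss. The exhaustive discrete-log search succeeds only because q = 353 is a toy prime, which is why the slides call for a large q.

```python
# Diffie-Hellman with the slide's toy parameters q = 353, primitive root 3.

def is_primitive_root(alpha, q):
    """True if the powers of alpha hit every value 1..q-1 (toy primes only)."""
    seen, v = set(), 1
    for _ in range(q - 1):
        v = (v * alpha) % q
        seen.add(v)
    return len(seen) == q - 1

class Party:
    """One side of the exchange; the secret x never leaves the object."""

    def __init__(self, alpha, q, secret):
        if not 0 < secret < q:
            raise ValueError("secret key must satisfy 0 < x < q")
        self.alpha, self.q, self._x = alpha, q, secret
        self.public = pow(alpha, secret, q)          # y = alpha^x mod q

    def shared_key(self, peer_public):
        # Added check (assumption, not on the slides): 0, 1 and q-1 would
        # force the key into a tiny, predictable set, so refuse them.
        if not 1 < peer_public < self.q - 1:
            raise ValueError("degenerate public value from peer")
        return pow(peer_public, self._x, self.q)     # K = y_peer^x mod q

def brute_force_dlog(y, alpha, q):
    """The eavesdropper's problem: find x with alpha^x mod q == y.
    Exhaustive search takes up to q-1 steps, trivial for q = 353 only."""
    v = 1
    for x in range(1, q):
        v = (v * alpha) % q
        if v == y:
            return x
    return None

Q, ALPHA = 353, 3
alice = Party(ALPHA, Q, 97)      # xA from the slide
bob = Party(ALPHA, Q, 233)       # xB from the slide
K_ALICE = alice.shared_key(bob.public)
K_BOB = bob.shared_key(alice.public)

if __name__ == "__main__":
    print("yA =", alice.public, "yB =", bob.public)
    print("KAB =", K_ALICE, K_BOB)
    print("recovered xA =", brute_force_dlog(alice.public, ALPHA, Q))
```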

Other Public-Key Cryptographic Algorithms
- Digital Signature Standard (DSS)
  - Makes use of the SHA-1
  - Not for encryption or key exchange
- Elliptic-Curve Cryptography (ECC)
  - Good for smaller bit size
  - Low confidence level, compared with RSA
  - Very complex

Public-Key Distribution Digital Certificate

X.509 CA Hierarchy If X<<A>>, then (i) A knows X’s public key and (ii) A can get all the public keys signed by X. A establishes a certification path to B: X<<W>>W<<V>>V<<Y>>Y<<Z>>Z<<B>> B establishes a certification path to A: Z<<Y>>Y<<V>>V<<W>>W<<X>>X<<A>>

Authentication Requirements - must be able to verify that: 1. Message came from apparent source or author, 2. Contents have not been altered, 3. Sometimes, it was sent at a certain time or sequence. Protection against active attack (falsification of data and transactions)

Approaches to Message Authentication
- Authentication Using Conventional Encryption
  - Only the sender and receiver should share a key
- Message Authentication without Message Encryption
  - An authentication tag is generated and appended to each message
- Message Authentication Code
  - Calculate the MAC as a function of the message and the key: MAC = F(K, M)

Uses of Message Encryption

Hash Functions
h = H(M)
- Condenses arbitrary message to fixed size
- Usually assume that the hash function is public and not keyed
  - MAC needs to be keyed
- Hash is used to detect changes to message
- most often to create a digital signature
A variation on the message authentication code is the one-way hash function. As with the message authentication code, a hash function accepts a variable-size message M as input and produces a fixed-size output, referred to as a hash code H(M). Unlike a MAC, a hash code does not use a key but is a function only of the input message. The hash code is also referred to as a message digest or hash value.

Hash Functions & Digital Signatures Stallings Figure 11.5c “Basic Uses of Hash Functions” shows the hash being “signed” with the sender's private key, thus forming a digital signature.

Requirements for Hash Functions
- Purpose of the HASH function is to produce a “fingerprint”
- Can be applied to any sized message M
- Produces fixed-length output h
- Easy to compute h=H(M) for any message M
- Given h, infeasible to find x s.t. H(x)=h (one-way property)
- Weak collision resistance: given x, infeasible to find y s.t. H(y)=H(x)
- Strong collision resistance: infeasible to find any x,y s.t. H(y)=H(x)
The purpose of a hash function is to produce a “fingerprint” of a file, message, or other block of data. These are the specifications for good hash functions. Essentially it must be extremely difficult to find 2 messages with the same hash, and the hash should not be related to the message in any obvious way (i.e. it should be a complex non-linear function of the message). There are quite a few similarities in the evolution of hash functions & block ciphers, and in the evolution of the design requirements on both.

One-way HASH function

One-way HASH function Secret value is added before the hash and removed before transmission.

Hash Algorithm Structure Most important modern hash functions follow the basic structure shown in this figure, Stallings Figure 11.9. This has proved to be a fundamentally sound structure, and newer designs simply refine the structure and add to the hash code length. Within this basic structure, two approaches have been followed in the design of the compression function, as mentioned previously, which is the basic building block of the hash function.

Simple Hash Function Improvement One-bit circular shift on the hash value after each block is processed

Secure Hash Algorithm
- SHA originally designed by NIST & NSA in 1993
- revised in 1995 as SHA-1
- based on design of MD4 with key differences
- 3 additional versions of SHA: SHA-256, SHA-384, SHA-512
- structure & detail is similar to SHA-1
The Secure Hash Algorithm (SHA) was developed by the National Institute of Standards and Technology (NIST) and published as a federal information processing standard (FIPS 180) in 1993; a revised version was issued as FIPS 180-1 in 1995 and is generally referred to as SHA-1. The actual standards document is entitled Secure Hash Standard. SHA is based on the hash function MD4 and its design closely models MD4. SHA-1 produces a hash value of 160 bits. In 2005, a research team described an attack in which two separate messages could be found that deliver the same SHA-1 hash using 2^69 operations, far fewer than the 2^80 operations previously thought needed to find a collision with an SHA-1 hash [WANG05]. This result should hasten the transition to newer, longer versions of SHA.

Comparison of Secure HASH functions
SHA-1, MD5, RIPEMD-160
- Digest length: 160 bits, 128 bits
- Basic unit of processing: 512 bits
- Number of steps: 80 (4 rounds of 20), 64 (4 rounds of 16), 160 (5 paired rounds of 16)
- Maximum message size: 2^64-1 bits

HMAC
HMAC (hash-based MAC)
- Motivations:
  - Incorporate a secret key into an existing hash algorithm
  - Use a MAC derived from a cryptographic hash code
  - Keyed hash digest
- Any hash function can be used, e.g. MD5, SHA-1, RIPEMD-160, Whirlpool
- Motivations:
  - Speed: hash functions are faster than encryption algorithms (DES is much slower)
  - Availability: library code for cryptographic hash functions is widely available
  - No export restrictions from the US
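How a secret key is incorporated into an existing hash, and why the tag appended to a message has to be keyed, as an added example that is not part of the original slides. The construction follows RFC 2104 with SHA-256 as the underlying hash; the key, the messages and the function names are constructed for the illustration.

```python
import hashlib
import hmac

BLOCK = 64   # SHA-256 input block size in bytes
TAGLEN = 32  # SHA-256 digest size in bytes

def hmac_sha256(key, msg):
    """HMAC per RFC 2104: H((K ^ opad) || H((K ^ ipad) || M))."""
    if len(key) > BLOCK:                 # over-long keys are hashed first
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK, b"\x00")      # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()

def protect(key, msg):
    """Sender: append the tag MAC = F(K, M) to the message."""
    return msg + hmac_sha256(key, msg)

def verify(key, packet):
    """Receiver: recompute the tag; return the message or None."""
    if len(packet) < TAGLEN:
        return None
    msg, tag = packet[:-TAGLEN], packet[-TAGLEN:]
    # compare_digest runs in constant time, so timing does not leak the tag
    return msg if hmac.compare_digest(tag, hmac_sha256(key, msg)) else None

def hash_only_protect(msg):
    """Unkeyed variant: append H(M). Anyone can recompute this."""
    return msg + hashlib.sha256(msg).digest()

def hash_only_verify(packet):
    msg, digest = packet[:-TAGLEN], packet[-TAGLEN:]
    return msg if hashlib.sha256(msg).digest() == digest else None

KEY = b"constructed-demo-key"            # constructed sample values
MSG = b"transfer 100 to account 42"
ALTERED = b"transfer 900 to account 42"

GOOD = verify(KEY, protect(KEY, MSG))
# Altered message with the old tag: rejected, the tag no longer matches.
TAMPERED = verify(KEY, ALTERED + protect(KEY, MSG)[-TAGLEN:])
# Unkeyed hash: the altered message with a recomputed digest is accepted.
UNKEYED = hash_only_verify(hash_only_protect(ALTERED))

if __name__ == "__main__":
    print(GOOD, TAMPERED, UNKEYED)
```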