Lecture 4: Hash Functions, Message Authentication and Key Distribution CS 392/6813: Computer Security Fall 2008 Nitesh Saxena *Adopted from Previous Lectures.

Lecture 4: Hash Functions, Message Authentication and Key Distribution CS 392/6813: Computer Security Fall 2008 Nitesh Saxena *Adopted from Previous Lectures by Nasir Memon

1/23/2006 Lecture 4: Hash Functions and Key Distribution

Course Admin
- HW#3 to be posted very soon
  - Sorry for the delay
- Solutions will be posted soon
- Regarding programming portions of the homework
  - Submit the whole modified code that you used to measure timings
  - Comment the portions in the code where you modified the code
  - Include a small “readme” for us to understand this
  - If you did not submit the code for HW#2, do so now
  - Upload it on MyPoly
- Break during the lecture?

Outline of Today’s Lecture
- Hash Functions
  - Properties
  - Known Hash Function: SHA-1
- Message Authentication using hash fns: HMAC
- “Private Key” Distribution
- “Public Key” Distribution: PKI
  - Certification
  - Revocation

Cryptographic Hash Functions
Requirements of cryptographic hash functions:
- Can be applied to data of any length.
- Output is fixed length.
- Relatively easy to compute h(x), given x.
- Infeasible to get x, given h(x). One-wayness property.
- Given x, infeasible to find y such that h(x) = h(y). Weak collision property.
- Infeasible to find any pair x and y such that h(x) = h(y). Strong collision property.

Hash Output Length
- How long should the output (n bits) of a cryptographic hash function be?
- To find a collision: randomly select messages and check if the hash matches any that we know.
- Throwing k balls into $N = 2^n$ bins: how large should k be before the probability of landing two balls in the same bin becomes greater than ½?
- Birthday paradox: a collision can be found in roughly $\sqrt{N} = 2^{n/2}$ trials for an n-bit hash.
  - In a group of 23 (~ sqrt(365)) people, at least two of them will have the same birthday (with a probability > ½).
- Hence n should be at least 160.

Birthday Paradox
Probability that hash values of k random messages are distinct (that is, no collisions) is:
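The birthday bound from the "Hash Output Length" and "Birthday Paradox" slides, as an added example that is not part of the original lecture. It uses the standard product form for the no-collision probability and finds a real collision on SHA-256 truncated to n bits; the truncation, the message format `msg-<counter>` and all function names are assumptions made for the demonstration.

```python
import hashlib

def prob_all_distinct(k: int, n_bins: int) -> float:
    """P(no collision) when k values are drawn uniformly from n_bins bins."""
    p = 1.0
    for i in range(1, k):
        p *= 1.0 - i / n_bins      # ball i+1 must miss the i occupied bins
    return p

def balls_for_even_odds(n_bins: int) -> int:
    """Smallest k for which a collision is more likely than not."""
    k, p_distinct = 1, 1.0
    while p_distinct >= 0.5:
        p_distinct *= 1.0 - k / n_bins
        k += 1
    return k

def truncated_hash(msg: bytes, n_bits: int) -> int:
    """Top n_bits of SHA-256(msg): a stand-in for an n-bit hash function."""
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest, "big") >> (256 - n_bits)

def find_collision(n_bits: int):
    """Hash distinct messages until two share a digest.

    Returns (first_message, second_message, number_of_hash_calls).
    """
    seen = {}
    counter = 0
    while True:
        msg = b"msg-%d" % counter          # constructed sample messages
        h = truncated_hash(msg, n_bits)
        if h in seen:
            return seen[h], msg, counter + 1
        seen[h] = msg
        counter += 1

if __name__ == "__main__":
    print("people needed for P(shared birthday) > 1/2:", balls_for_even_odds(365))
    for n in (16, 24, 32):
        m1, m2, calls = find_collision(n)
        print(f"n={n:2d}: collision after {calls} calls, "
              f"sqrt(N) = 2^{n // 2} = {2 ** (n // 2)}")
    # Work factor of the generic attack for real digest sizes.
    for name, n in (("MD5", 128), ("SHA-1", 160), ("SHA-256", 256)):
        print(f"{name}: about 2^{n // 2} hash calls")
```

The measured number of calls tracks 2^(n/2) rather than 2^n, which is why the output length, not the input space, sets the collision resistance.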

Generic Hash Function

Other Hash Functions
- Many other hash functions
- MD5 – Message Digest algorithm 5
  - Very similar to SHA – study on your own
- RIPEM
- MD4
- MD6
- Etc.

Current Security of MD5 and SHA-1
- SHA-1
  - B’day attack requires $2^{80}$ calls
  - Faster attacks: $2^{69}$ calls (2-yao.pdf)
- MD5
  - Output is 128 bits, so B’day attack requires $2^{64}$ calls only
  - Faster attacks to find a collision:
- Better use stronger versions, such as SHA-256
- Although, these attacks are still not practical – they only find two random messages that collide

Message Authentication Codes
- Integrity as well as authentication
- (m, MAC)
- We want MAC to be as small and as secure as possible
- Security based on the length of the key and also how the MAC is computed
- A MAC can be constructed based on any “good” symmetric cipher – though this can be computationally expensive.

Recall MAC Using DES in CBC mode

Security notion for MAC
- Very similar to the security notion for a digital signature scheme
- Existential forgery under (adaptively) chosen message attack

HMAC: MAC using Hash Functions
- Developed as part of IPSEC - RFC
- Also used in SSL etc.
- Key-based hash but almost as fast as non-key-based hash functions.
- Avoids export restrictions unlike DES-based MAC.
- Provable security
- Can be used with different hash functions like SHA-1, MD5, etc.

HMAC
- Block size b bits.
- $K^+$ – K padded with bits on the left to make b bits.
- ipad – (0x36) repeated b/8 times.
- opad – (0x5c) repeated b/8 times.
- Essentially $HMAC_K = H[(K^+ \oplus opad) \,\|\, H[(K^+ \oplus ipad) \,\|\, M]]$
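The HMAC construction on this slide written out with Python's `hashlib`, as an added example that is not code from the lecture. It builds the tag from the formula, then shows a keyed object that hashes the two padded key blocks once and reuses those states per message; the function and class names are assumptions, and the sample key and message in the demo are constructed.

```python
import hashlib
import hmac

def _padded_key_blocks(key: bytes, hash_name: str):
    """Return (K+ xor ipad, K+ xor opad) for the given hash."""
    b = hashlib.new(hash_name).block_size      # block size in bytes (b/8)
    if len(key) > b:                           # over-long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    # K+ is the key zero-padded to one block. Zero bytes are appended after
    # the key, which is what Python's own hmac module does.
    k_plus = key.ljust(b, b"\x00")
    k_ipad = bytes(x ^ 0x36 for x in k_plus)
    k_opad = bytes(x ^ 0x5C for x in k_plus)
    return k_ipad, k_opad

def hmac_from_definition(key: bytes, msg: bytes, hash_name: str = "sha1") -> bytes:
    """H[(K+ xor opad) || H[(K+ xor ipad) || M]], computed literally."""
    k_ipad, k_opad = _padded_key_blocks(key, hash_name)
    inner = hashlib.new(hash_name, k_ipad + msg).digest()
    return hashlib.new(hash_name, k_opad + inner).digest()

class KeyedHmac:
    """Same tag, but the two key blocks are hashed once per key, not per message."""

    def __init__(self, key: bytes, hash_name: str = "sha1"):
        k_ipad, k_opad = _padded_key_blocks(key, hash_name)
        self._inner = hashlib.new(hash_name, k_ipad)   # state after K+ xor ipad
        self._outer = hashlib.new(hash_name, k_opad)   # state after K+ xor opad

    def tag(self, msg: bytes) -> bytes:
        inner = self._inner.copy()
        inner.update(msg)
        outer = self._outer.copy()
        outer.update(inner.digest())
        return outer.digest()

    def verify(self, msg: bytes, tag: bytes) -> bool:
        # Constant-time comparison so a verifier does not leak how many
        # leading bytes of a forged tag were correct.
        return hmac.compare_digest(self.tag(msg), tag)

if __name__ == "__main__":
    key, msg = b"constructed demo key", b"constructed demo message"
    t = hmac_from_definition(key, msg)
    print("tag:", t.hex())
    print("matches stdlib hmac:", t == hmac.new(key, msg, hashlib.sha1).digest())
    print("verify tampered message:", KeyedHmac(key).verify(msg + b"!", t))
```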

Security of HMAC
- Proven secure under assumptions stronger than that of being able to find collisions of the underlying hash function
  - Finding collisions even when the IV is secret and random
  - Computing the hash value even when the IV is secret and random
- See HMAC paper, if interested in details

HMAC – An Efficient Implementation

Key Distribution
- Cryptographic primitives seen so far assume
  - In private key setting: Alice and Bob share a secret key which is unknown to Oscar.
  - In public key setting: Alice has a “trusted” (or authenticated) copy of Bob’s public key.
- But how does this happen in the first place?
- Alice and Bob meet and exchange key(s)
  - Not always practical or possible.
- We need key distribution, first and foremost!

“Private Key” Distribution: attempt 1
- Protocol assumes that Alice and Bob share a session key $K_A$ and $K_B$ with a Key Distribution Center (KDC).
- Alice calls Trent (Trusted KDC) and requests a session key to communicate with Bob.
- Trent generates random session key K and sends $E_{K_A}(K)$ to Alice and $E_{K_B}(K)$ to Bob.
- Alice and Bob decrypt with $K_A$ and $K_B$ respectively to get K.
- This is a key distribution protocol.
- Susceptible to replay attack!

Session Key Exchange with KDC – Needham-Schroeder Protocol
- A -> KDC: $ID_A \| ID_B \| N_1$
  (Hello, I am Alice, I want to talk to Bob, I need a session key and here is a random nonce identifying this request)
- KDC -> A: $E_{K_A}(K \| ID_B \| N_1 \| E_{K_B}(K \| ID_A))$
  Encrypted (Here is a key, for you to talk to Bob as per your request $N_1$ and also an envelope to Bob containing the same key)
- A -> B: $E_{K_B}(K \| ID_A)$
  (I would like to talk using key in envelope sent by KDC)
- B -> A: $E_K(N_2)$
  (OK Alice, but can you prove to me that you are indeed Alice and know the key?)
- A -> B: $E_K(f(N_2))$
  (Sure I can!)
- Denning-Sacco (replay) attack on the protocol

Session Key Exchange with KDC – Needham-Schroeder Protocol (corrected version with mutual authentication)
- A -> KDC: $ID_A \| ID_B \| N_1$
  (Hello, I am Alice, I want to talk to Bob, I need a session key and here is a random nonce identifying this request)
- KDC -> A: $E_{K_A}(K \| ID_B \| N_1 \| E_{K_B}(TS1, K \| ID_A))$
  Encrypted (Here is a key, for you to talk to Bob as per your request $N_1$ and also an envelope to Bob containing the same key)
- A -> B: $E_K(TS2), E_{K_B}(TS1, K \| ID_A)$
  (I would like to talk using key in envelope sent by KDC; here is an authenticator)
- B -> A: $E_K(TS2+1)$
  (OK Alice, here is a proof that I am really Bob)
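What the timestamp TS1 in the corrected protocol lets Bob detect, as an added example that is not part of the original lecture. It models only messages 2 and 3 of both versions and compares Bob's decision when the same ticket bytes are presented again a week later. Assumptions: `seal`/`unseal` are a toy stand-in for E_K built from SHA-256 and HMAC, the 300-second acceptance window is an invented value, and every name and field label is hypothetical.

```python
import hashlib
import hmac
import json
import os

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key: bytes, fields: dict) -> bytes:
    """Toy stand-in for E_K(fields): keystream XOR plus HMAC tag (illustration only)."""
    plain = json.dumps(fields).encode()
    nonce = os.urandom(16)
    body = nonce + bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key: bytes, box: bytes) -> dict:
    body, tag = box[:-32], box[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("box was not sealed under this key")
    nonce, ct = body[:16], body[16:]
    return json.loads(bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct)))))

MAX_TICKET_AGE = 300  # seconds; assumed acceptance window, not a value from the slides

def kdc_reply(k_a, k_b, id_a, id_b, n1, now, timestamped):
    """Message 2: E_KA(K || ID_B || N1 || ticket), ticket = E_KB([TS1,] K || ID_A)."""
    k = os.urandom(16).hex()
    ticket_fields = {"K": k, "ID_A": id_a}
    if timestamped:
        ticket_fields["TS1"] = now
    ticket = seal(k_b, ticket_fields)
    return seal(k_a, {"K": k, "ID_B": id_b, "N1": n1, "ticket": ticket.hex()})

def alice_open(k_a, reply, id_b, n1):
    """Alice checks that the reply matches her request (ID_B and nonce N1)."""
    fields = unseal(k_a, reply)
    if fields["ID_B"] != id_b or fields["N1"] != n1:
        raise ValueError("reply does not match the request")
    return fields["K"], bytes.fromhex(fields["ticket"])

def bob_accept(k_b, ticket, now, require_timestamp):
    """Message 3 as seen by Bob: returns the session key or raises ValueError."""
    fields = unseal(k_b, ticket)
    if require_timestamp:
        ts1 = fields.get("TS1")
        if ts1 is None or not 0 <= now - ts1 <= MAX_TICKET_AGE:
            raise ValueError("stale or undated ticket")
    return fields["K"]

def replay_accepted(timestamped: bool) -> bool:
    """Issue a ticket at t=1000, then present the same bytes a week later."""
    k_a, k_b = os.urandom(32), os.urandom(32)      # constructed long-term keys
    reply = kdc_reply(k_a, k_b, "alice", "bob", n1=7, now=1000, timestamped=timestamped)
    k, ticket = alice_open(k_a, reply, "bob", 7)
    assert bob_accept(k_b, ticket, now=1010, require_timestamp=timestamped) == k
    try:
        bob_accept(k_b, ticket, now=1000 + 7 * 24 * 3600, require_timestamp=timestamped)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    print("original protocol accepts week-old ticket:", replay_accepted(False))
    print("timestamped protocol accepts week-old ticket:", replay_accepted(True))
```

In the original protocol Bob's challenge N_2 only tests knowledge of K, so a ticket whose session key has since leaked stays usable indefinitely; TS1 bounds that window to the acceptance period.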

Kerberos - Goals
- Security
  - Next slide.
- Reliability
- Transparency
  - Minimum modification to existing network applications.
- Scalability
  - Modular distributed architecture.

Kerberos – Security Goals
- No cleartext passwords over network.
- No cleartext passwords stored on servers.
- Minimum exposure of client and server keys.
- Compromises should only affect current session.
- Require password only at login.

Kerberos - Assumptions
- Global clock.
- There is a way to distribute authorization data.
  - Kerberos provides authentication and not authorization.

Kerberos Key Distribution (1)
- Step 1, Joe to KDC: “I would like to talk to the File Server”
- Step 2, KDC: session key for user, session key for service

Kerberos Key Distribution (2)
- Step 3, KDC:
  - Box 1, locked with Joe’s key: session key for Joe (“Dear Joe, this key for File server”)
  - Box 2, locked with File Server’s key: session key for File server (“Dear File server, this key for use with Joe”)
- Step 4, KDC to Joe: Box 1, Box 2

Kerberos Distribution (3)
- Step 5, Joe:
  - Opened Box 1: “Dear Joe, this key for File server”
  - Box 2, locked with File Server’s key: session key for File server (“Dear File server, this key for use with Joe”)
- Step 6, Joe:
  - Box 2, locked with File Server’s key: session key for File server (“Dear File server, this key for use with Joe”)
  - Box 3, locked with session key: “Dear File server, the time is 3:40 pm”

Kerberos Distribution (4)
- Step 7, Joe to File server: Box 2, Box 3
- Step 8, File server:
  - Unlocked Box 2: “Dear File server, this key for use with Joe”
  - Unlocked Box 3: “Dear File server, the time is 3:40 pm”

Kerberos Key Distribution (5)
- For mutual authentication, file server can create box 4 with time stamp and encrypt with session key and send to Joe.
- Box 2 is called ticket.
- KDC issues ticket only after authenticating password
- To avoid entering passwords every time access needed, KDC split into two – authenticating server and ticket granting server.

Kerberos – One Slide Overview

Version 4 summary

Kerberos - Limitations
- Every network service must be individually modified for use with Kerberos.
- Requires a global clock
- Requires secure Kerberos server.
- Requires continuously available or online server.

Public Key Distribution
- Public announcements (such as )
  - Can be forged
- Public directory
  - Can be tampered with
- Public-key certification authority (CA) (such as Verisign)
  - This is what we use in practice
  - CA issues certificates to the users

Naming and Certificates
- Certification authorities vouch for the identity of an entity - Distinguished Names (DN).
  - /O=Polytechnic University/OU=CS/CN=John Doe
  - Although CN may be same, DN is different.
- Policies of certification
  - Authentication policy: what level of authentication is required to identify the principal.
  - Issuance policy: given the identity of principal, will the CA issue a certificate?

Types of Certificates
- CAs vouch at some level for the identity of the principal.
- Example – Verisign:
  - Class 1 – address
  - Class 2 – Name and address verified through database.
  - Class 3 – Background check.

Public Key Certificate
- Public Key Certificate – Signed messages specifying a name (identity) and the corresponding public key.
- Signed by whom – Certification Authority (CA), an organization that issues public key certificates.
- We assume that everyone is in possession of a trusted copy of the CA’s public key.
- CA could be
  - Internal CA.
  - Outsourced CA.
  - Trusted Third-Party CA.

Public Key Certificate
Note: Mechanism of certification and content of certificate will vary, but at the minimum we have verification and contains ID and Public Key.

Certificate Verification/Validation

Certificate Revocation
- CA also needs some mechanism to revoke certificates
  - Private key compromised.
  - CA mistake in issuing certificate.
  - Particular service the certificate grants access to may no longer exist.
  - CA compromised.
- Expiration time solves the problems only partially.
- Certification Revocation Lists (CRL) – a list of every certificate that has been revoked but not expired.
  - CRLs quickly grow large!
  - CRLs distributed periodically.
  - What about time period between revocation and distribution of CRL?
- Other mechanisms
  - OCSP (online certificate status protocol)

X.509
- Clearly, there is a need for standardization – X.509.
- Originally 1988, revised 93 and 95.
- X.509 is part of X.500 series that defines a directory service.
- Defines a framework for authentication services by X.500 directory to its users.
- Used in S/MIME, IPSEC, SSL etc.
- Does not dictate use of specific algorithm (recommends RSA).

X.509 Certificate

Advantages of CA Over KDC
- CA does not need to be on-line!
- CA can be very simple computing device.
- If CA crashes, life goes on (except CRL).
- Certificates can be stored in an insecure manner!!
- Compromised CA cannot decrypt messages.
- Scales well.

Internet Certificate Hierarchy
- Internet Policy Registration Authority
- Policy Certification Authorities
- Certification Authority
- Individuals/roles/orgs.

Types of certificates
- Organizational Certificates
  - Principal’s affiliation with an organization
- Residential certificates
  - Principal’s affiliation with an address
- Persona Certificates
  - Principal’s Identity
- Principal need not be a person. It could be a role.

Public-key Infrastructure (PKI)
- Combination of digital certificates, public-key cryptography, and certificate authorities.
- A typical enterprise's PKI encompasses
  - issuance of digital certificates to users and servers
  - end-user enrollment software
  - integration with corporate certificate directories
  - tools for managing, renewing, and revoking certificates; and
  - related services and support
- Verisign, Thawte and Entrust – PKI providers.
- Your own PKI using Netscape/Microsoft certificate servers

Problems with PKI – Private Key
- Where and how is private key stored?
  - Host – encrypted with pass phrase
  - Host – encrypted by OS or application
  - Smart Card
- Assumes secure host or tamper proof smartcard.

Problems with PKI - Conflicts
- X.509, PGP and IPRA remain silent on conflicts.
- They assume CAs and PCAs will ensure that no conflicts arise.
- But in practice conflicts may exist – John A. Smith and John B. Smith may live at the same address.

Trustworthiness of Issuer
- A certificate is the binding of an external identity to a cryptographic key and a distinguished name.
- If the issuer can be fooled, all who rely upon the certificate can be fooled.
- How do you trust CA from country XYZ (your favorite prejudice).

Further Reading
- MIT Kerberos site:
- Kerberos RFC: RFC-1510
- X.509 page: charter.html
- Ten Risks of PKI -

Some questions
- Schnorr signatures (SK $= x \in Z_q$, PK $= y = g^x \bmod p$)
  - Signing
    - Choose random $k \in Z_q$
    - Compute $r = g^k \bmod p$
    - Set $c = H(m, r)$
    - $s = k + cx \bmod q$
    - Output $(m, r, s)$
  - Verification?
    - $c = H(m, r)$
    - $g^s = r \cdot y^c \bmod p$
- What is the length of an RSA certificate? a DSS certificate? a Schnorr certificate?

Some questions
- Can a KDC learn communication between Alice and Bob, to whom it issued keys?
- Can a CA learn communication between Alice and Bob, to whom it issued certificates?
- What happens if the CA is online all the time?
- Alice uses her private key, public key pair and a CA-issued certificate. She learnt that Eve might have learned her key. What should she do?

Some questions
- SHA-1 collisions can be found in $2^{69}$ operations. Does this mean that HMAC (using SHA-1) can be forged in $2^{69}$ operations too?
- DES CBC MAC is than HMAC, computationally (for same key sizes)?

- Sometimes when you access an https website, you get a security warning. What is that warning for?
- Sometimes when you connect to an SSH server, you get a security warning. What is that warning for?
- What is a self-signed certificate?
- Computation time to MD5 a 100-byte file is the same as for a 100 MB file. Right?

- Does DES use any modular arithmetic?
- Can I use a DL-based key pair when the CA issuing me a certificate uses RSA keys?
- Alice has only a DL-based key pair, while Bob has only RSA keys. Can they ever communicate securely?