Announcements: 1. HW6 due now 2. HW7 posted Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions.

Slides:



Advertisements
Similar presentations
Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.
Advertisements

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Digital Signatures and Hash Functions. Digital Signatures.
Announcements:Questions? This week: Digital signatures, DSA Digital signatures, DSA Secret sharing Secret sharing DTTF/NB479: DszquphsbqizDay 29.
 Stream ciphers o Encrypt chars/bits one at a time o Assume XOR w the key, need long key to be secure  Keystream generators (pseudo-random key) o Synchronous.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
ELECTRONIC PAYMENT SYSTEMSFALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 6 Epayment Security II.
HW6 due tomorrow Teams T will get to pick their presentation day in the order Teams T will get to pick their presentation day in the orderQuestions? Review.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
Announcements: 1. HW7 due next Tuesday. 2. Inauguration today! Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman,
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.
Authentication Methods: From Digital Signatures to Hashes.
Announcements:Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions and SHA-1 Hash Functions.
ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
Announcements: 1. Class cancelled tomorrow 2. HW7 due date moved to Thursday. Questions? This week: Birthday attacks, Digital signatures Birthday attacks,
Announcements:Questions? This week: Birthday attacks, Digital signatures, DSA Birthday attacks, Digital signatures, DSA DTTF/NB479: DszquphsbqizDay 30.
Henric Johnson1 Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden
Announcements: 1. Short “pop” quiz on Ch 3 (not today) 2. Term project groups and topics due tomorrow midnight Waiting for posts from 22 of you. 3. HW6:
Pass in HW6 now Can use up to 2 late days Can use up to 2 late days But one incentive not to burn them all: teams will get to pick their presentation day.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Chapter3 Public-Key Cryptography and Message Authentication.
Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Topic 5 Essential Public Key Crypto Methods.
ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 6 Epayment Security II.
Announcements:Questions? This week: Digital signatures, DSA Digital signatures, DSA DTTF/NB479: DszquphsbqizDay 29.
Announcements: 1. Pass in HW7 now. 2. Project rubrics posted (peruse together) 3. Teams choose presentation dates now Questions? This week: Birthday attacks,
Announcements: 1. Late HW7’s now. Questions? This week: Birthday attacks, Digital signatures, DSA Birthday attacks, Digital signatures, DSA DTTF/NB479:
Announcements: 1. Term project groups and topics formed 2. HW6 due tomorrow. Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs,
Computer Science CSC 774Dr. Peng Ning1 CSC 774 Advanced Network Security Topic 2. Review of Cryptographic Techniques.
1 Message Authentication and Hash Functions Authentication Requirements Authentication Functions Message Authentication Codes Hash Functions Security of.
Digital Signatures (DSs) The digital signatures cannot be separated from the message and attached to another The signature is not only tied to signer but.
Information Security and Management 13. Digital Signatures and Authentication Protocols Chih-Hung Wang Fall
CS5204 – Fall Cryptographic Security Presenter: Hamid Al-Hamadi October 13, 2009.
1 Public-Key Cryptography and Message Authentication Ola Flygt Växjö University, Sweden
Lecture 15 Lecture’s outline Public algorithms (usually) that are each other’s inverse.
Behzad Akbari Spring In the Name of the Most High.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
HW6 due tomorrow Teams T will get to pick their presentation day in the order Teams T will get to pick their presentation day in the order Teams mostly.
Digital Signatures A primer 1. Why public key cryptography? With secret key algorithms Number of key pairs to be generated is extremely large If there.
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
4 th lecture.  Message to be encrypted: HELLO  Key: XMCKL H E L L O message 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11.
Chapter 21 Public-Key Cryptography and Message Authentication.
1 Hash Functions. 2 A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length
Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.
Cryptography 1 Crypto Cryptography 2 Crypto  Cryptology  The art and science of making and breaking “secret codes”  Cryptography  making “secret.
15-499Page :Algorithms and Applications Cryptography I – Introduction – Terminology – Some primitives – Some protocols.
A A E E D D C C B B # Symmetric Keys = n*(n-1)/2 F F
Prepared by Dr. Lamiaa Elshenawy
14-1 Last time Internet Application Security and Privacy Basics of cryptography Symmetric-key encryption.
Hash Functions Ramki Thurimella. 2 What is a hash function? Also known as message digest or fingerprint Compression: A function that maps arbitrarily.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.3 Hash Functions.
Computer Science and Engineering Computer System Security CSE 5339/7339 Lecture 11 September 23, 2004.
Hashes Lesson Introduction ●The birthday paradox and length of hash ●Secure hash function ●HMAC.
Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
IT 221: Introduction to Information Security Principles Lecture 5: Message Authentications, Hash Functions and Hash/Mac Algorithms For Educational Purposes.
Homework #2 J. H. Wang Oct. 31, 2012.
Lecture 9 Overview. RSA Invented by Cocks (GCHQ), independently, by Rivest, Shamir and Adleman (MIT) Two keys e and d used for Encryption and Decryption.
Cryptography Hyunsung Kim, PhD University of Malawi, Chancellor College Kyungil University February, 2016.
Cryptography and Network Security Chapter 13
Key Exchange References: Applied Cryptography, Bruce Schneier
Public-Key Cryptography and Message Authentication
DTTF/NB479: Dszquphsbqiz Day 26
ICS 454 Principles of Cryptography
ICS 454 Principles of Cryptography
DTTF/NB479: Dszquphsbqiz Day 27
Presentation transcript:

Announcements: 1. HW6 due now 2. HW7 posted Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions Hash Functions DTTF/NB479: DszquphsbqizDay 26

ElGamal Bob publishes ( , p,  ), where 1 < m < p and  =  a Alice chooses secret k, computes and sends to Bob the pair (r,t) where r=  k (mod p) t =  k m (mod p) Bob finds: tr -a =m (mod p) 1.Show that Bob’s decryption works Plug in values for t, r, and . 2.Eve would like to know k. Show that knowing k allows decrpytion. Why? m=  -k t 3.Why can’t Eve compute k from r or t? Need to calculate a discrete log to do so, which is hard when p is large 4.Challenge: Alice should randomize k each time. If not, and Eve gets hold of a plaintext / ciphertext (m 1, r 1, t 1 ), she can decrypt other ciphertexts (m 2, r 2, t 2 ). Show how. Use m 1, t 1 to solve for  k. Then use  -k and t 2 to find m 2 5.If Eve says she found m from (r,t), can we verify that she really found it, using only the public key (and not k or a)? Explain. Not easily (see next slide) Name: ______________________ Notes:

Known plaintext attack Bob publishes ( , p,  ), where 1 < m < p and  =  a Alice chooses secret k, computes and sends to Bob the pair (r,t) where r=  k (mod p) r=  k (mod p) t =  k m (mod p) t =  k m (mod p) Bob finds: tr -a =m (mod p) Why does this work? If Eve got hold of a plaintext/ciphertext (m 1, r 1, t 1 ), she can decrypt other ciphertexts (m 2, r 2, t 2 ): Answer: r=  k (mod p), t 1 =  k m 1 (mod p), t 2 =  k m 2 (mod p) So You can solve for m 2, since everything else in the proportion is known. Alice should randomize k each time.

Tying everything together Bob publishes ( , p,  ), where 1 < m < p and  =  a Alice chooses secret k, computes and sends to Bob the pair (r,t) where r=  k (mod p) r=  k (mod p) t =  k m (mod p) t =  k m (mod p) Bob finds: tr -a =m (mod p) Why does this work? If Eve says she found m from (r,t), can we verify that she really found it, using just m,r,t and the public key? Decision D-H  Validity of (mod p) ElGamal ciphertexts. Computational D-H  Decrypting (mod p) ElGamal ciphertexts. Not easily!

Cryptographic hash functions shrink messages into a digest Goal: to provide a unique “fingerprint” of the message. Message m (long) Message digest, y (Shorter fixed length) Cryptographic hash Function, h Shrinks data, so 2 messages can have the same digest: m 1 != m 2, but h(m 1 ) = h(m 2 ) 1

Cryptographic hash functions must satisfy three properties to be useful and secure 1. Fast to compute y from m. 2. One-way: given y = h(m), can’t find any m’ satisfying h(m’) = y easily. 3. Strongly collision-free: Can’t find any pair m 1 ≠ m 2 such that h(m 1 )=h(m 2 ) easily 4. (Sometimes we can settle for weakly collision-free: given m, can’t find m’ ≠ m with h(m) = h(m’). Message m (long) Message digest, y (Shorter fixed length) Cryptographic hash Function, h Shrinks data, so 2 messages can have the same digest: m 1 != m 2, but h(m 1 ) = h(m 2 ) 2

Hash functions can be used for digital signatures and error detection Why do we care about these properties? Use #1: Digital signatures If Alice signs h(m), what if Bob could find m’ ≠ m, such that h(m) = h(m’)? He could claim Alice signed m’! Consider two contracts… 3 properties: 1. Fast to compute 2. One-way: given y = h(m), can’t find any m’ satisfying h(m’) = y easily. 3. Strongly collision- free: Can’t find m 1 ≠ m 2 such that h(m 1 )=h(m 2 ) Use #2: Error detection – simple example: Alice sends (m, h(m)), Bob receives (M, H). Bob checks if H=h(M). If not, there’s an error. 3

Hash function examples Examples: 1. h(m) = m (mod n) 2. h(x) =  x (mod p) for large prime p, which doesn’t divide  3. Discrete log hash Given large prime p, such that q=(p-1)/2 is also prime, and primitive roots  and  for p: where m = m 0 + m 1 q EHA (next) EHA (next) SHA-1 (tomorrow) SHA-1 (tomorrow) MD4, MD5 (weaker than SHA; won’t discuss) MD4, MD5 (weaker than SHA; won’t discuss) 3 properties: 1. Fast to compute 2. One-way: given y = h(m), can’t find any m’ satisfying h(m’) = y easily. 3. Strongly collision-free: Can’t find m 1 ≠ m 2 such that h(m 1 )=h(m 2 ) For first 2 examples, please check properties a-b

Easy Hash Algorithm (EHA) isn’t very secure! Break m into n-bit blocks, append zeros to get a multiple of n. There are L of them, where L =|m|/n Fast! But not very secure. Does performing a left shift on the rows first help? Defineas left- shifting m by y bits Defineas left- shifting m by y bits Then Then =h(m)

Exercise: 1.Show that the basic (unrotated) version doesn’t satisfy properties 2 and 3. 2.What about the version that uses rotations? 3 properties: 1. Fast to compute 2. One-way: given y = h(m), can’t find any m’ satisfying h(m’) = y easily. 3. Strongly collision- free: Can’t find m 1 m 2 such that h(m 1 )=h(m 2 ) 3. Strongly collision- free: Can’t find m 1 ≠ m 2 such that h(m 1 )=h(m 2 ) 4c Easy Hash Algorithm (EHA) isn’t very secure!

Plus-deltas Thanks for your thoughtful feedback