ELECTRONIC PAYMENT SYSTEMS SPRING 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Electronic Payment Systems
Lecture 4: ePayment Security I

ePayment Security
- Keep financial data secret from unauthorized parties (privacy) – CRYPTOGRAPHY
- Verify that messages have not been altered in transit (integrity) – HASH FUNCTIONS
- Prove that a party engaged in a transaction (nonrepudiation) – DIGITAL SIGNATURES
- Verify identity of users (authentication) – PASSWORDS, DIGITAL CERTIFICATES

Outline
- Message digest (hash) algorithms
  – Secure Hash Algorithm
  – HMACs
  – Passwords, nonces
- Symmetric encryption
  – DES and variations
  – AES: Rijndael

Hash Functions
[Figure: an arrow from the MESSAGE SPACE (all possible plaintext messages), e.g. “TRANSFER $5000 TO MY SAVINGS ACCOUNT”, into the much smaller HASH SPACE (all possible hashed messages), e.g. “AF0E891B293”; the reverse direction is marked with a question mark]
- A “hash” is a short function of a message (usually 160 bits)
- The original message can be very long (megabytes)
- Must not be reversible

Hash Functions
[Figure: the same message space and hash space, with many messages mapping to the same hash “AF0E891B293”]
- Hash functions are not one-to-one and not reversible
- Many messages have the same hash

One-Way Hash Functions
- For any string s, H(s), the hash of s, is of fixed length (shorter than s), sometimes called a message digest
- Easy to compute
- “One-way”: computationally difficult to invert: can’t find any message corresponding to a given hash
- Diffusion property: altering any bit of the message changes many bits of the hash
  – This prevents trying similar messages to see if they hash to the same thing
- One-way hashes are not reversible

Uses of One-Way Hash Functions
- Password verification
- Message authentication (message digests)
- Prevention of replay attack
- Digital signatures

Secure Hash Algorithm SHA-1
- Federal Information Processing Standard (NIST)
- For any message shorter than 2^64 bits, produces a 160-bit message digest
- Uses the exclusive-OR operation (⊕)
- Exclusive-OR is lossy; knowing A ⊕ B does not reveal even one bit of either A or B
- Regular OR: if a bit of A OR B is zero, then the corresponding bits of both A and B were zero

Information Hiding with Exclusive-OR
- x ⊕ y = 1 if either x or y is 1 but not both
- If x ⊕ y = 1 we can’t tell which one is the 1
- Can’t trace backwards to determine values
- By contrast, if x AND y = 1 then BOTH x and y are 1

Single Step of SHA-1
- Operates on 16-word (512-bit) blocks
- Expands 16 words to 80 words W_t
- Performs 80 operations as shown, for t = 0 to 79
- a, b, c, d, e are initially special constants; each step produces revised values for the next step
- K_t are special (“magic”) constants
- The 80 words W_t are input here, 1 each step
- “<<< 5” means “cyclic left shift 5 bits”
SOURCE: SCHNEIER, APPLIED CRYPTOGRAPHY

Secure Hash Algorithm Flow
[Figure: the long message to be hashed is processed 512 bits at a time]
- Take the first 16 words (512 bits)
- Expand to 80 words (2560 bits)
- Starting hash: five 32-bit words (160 bits)
- Step through the 80 words (repeat 79 more times …)
- Repeat for each 512-bit block
- Final hash (160 bits)

Secure Hash Algorithm SHA-1
- Pad M so it is a multiple of 512 bits long
- Process M in blocks of 512 bits (16 32-bit words): W(0) ... W(15)
- Expand the 16-word block to 80 words by W(j) = W(j-3) ⊕ W(j-8) ⊕ W(j-14) ⊕ W(j-16)
- Perform 4 rounds of 20 operations each using these functions f_t(X,Y,Z) on three words at a time:
  – Rounds 0-19: (X Y) (Z X)
  – Rounds 20-39: X Y Z
  – Rounds 40-59: (X Y) (X Z) (Y Z)
  – Rounds 60-79: X Y Z

Secure Hash Algorithm SHA-1
INITIALIZE “MAGIC” HEX CONSTANTS (8 HEX DIGITS = 32 BITS):
  A = ; B = efcdab89; C = 98badcfe; D = ; E = c3d2e1f0;
  K(0-19) = 5a827999; K(20-39) = 6ed9eba1; K(40-59) = 8f1bbdcd; K(60-79) = ca62c1d6;
PROCESS THE MESSAGE IN 512-BIT BLOCKS:
  For each block B of 16 words in message M
    Expand B to 80 words
    For t = 0 to 79, MIX UP PARTS OF THE 80 WORDS:
      TEMP = (a <<< 5) + f_t(b,c,d) + e + W(t) + K_t
      e = d; d = c; c = b <<< 30; b = a; a = TEMP;
  ADD RESULTS TO OUTPUT FROM PREVIOUS BLOCK:
    A = A+a; B = B+b; C = C+c; D = D+d; E = E+e;
FINAL DIGEST IS CONCATENATION OF PARTIAL DIGESTS:
  H(M) = A | B | C | D | E (5 words = 160 bits)

Key-Hashed Message Authentication Codes (HMACs)
[Figure: the shared key and the original plaintext are hashed together (with MD5, SHA, etc.) to form the key-hashed message authentication code (HMAC), which is appended to the plaintext before transmission]
- Note: no encryption; only hashing

Key-Hashed Message Authentication Codes (HMACs)
[Figure: the receiver repeats the HMAC computation on the received original plaintext, hashing it with the shared key and the same algorithm, and COMPARES the computed HMAC with the received HMAC]
- If the computed and received HMACs are the same, the sender must know the key and so is authenticated AND the message has not been altered

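Both sides of the HMAC exchange on the two slides above, as an added example (not from the lecture): the sender appends HMAC-SHA1 to the plaintext, and the receiver recomputes it and compares. The key and message are constructed for the example; the comparison uses a constant-time check so the verifier does not leak how many tag bytes matched.

```python
# Added example: sender/receiver HMAC-SHA1 check; key and message are constructed.
import hashlib
import hmac

TAG_LEN = 20   # SHA-1 digest length in bytes

def make_hmac(key: bytes, plaintext: bytes) -> bytes:
    """Sender: HMAC over the plaintext with the shared key (hashing only, no encryption)."""
    return hmac.new(key, plaintext, hashlib.sha1).digest()

def send(key: bytes, plaintext: bytes) -> bytes:
    """Append the HMAC to the plaintext before transmission."""
    return plaintext + make_hmac(key, plaintext)

def receive(key: bytes, frame: bytes):
    """Receiver: recompute the HMAC on the received plaintext and compare.
    Returns the plaintext if it checks, None if the key or the message is wrong."""
    plaintext, received_tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    computed = make_hmac(key, plaintext)
    if hmac.compare_digest(computed, received_tag):   # constant-time compare
        return plaintext
    return None

def demo():
    key = b"constructed-shared-key"
    frame = send(key, b"TRANSFER $5000 TO MY SAVINGS ACCOUNT")
    accepted = receive(key, frame)                       # genuine: accepted
    altered = receive(key, frame.replace(b"$5000", b"$9000"))   # altered in transit: rejected
    wrong_key = receive(b"some-other-key", frame)        # sender without the key: rejected
    return accepted, altered, wrong_key
```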
Math Break: A Birthday Problem
- Dave’s birthday is Feb. 1. How many people can there be in a room for the probability to be > 1/2 that someone else was born on Feb. 1?
- Probability that 1 person was not born on Feb. 1 = 364/365.
- Probability that n people were not born on Feb. 1 is p(n) = (364/365)^n.
- Now choose n so that p(n) < 0.5:
  log p(n) = n log(364/365) < log(1/2)
  n > log(1/2)/log(364/365) ≈ 253
- If n = 183 (half of 366), there is less than a 40% chance that someone else has the same birthday

A Generalized Birthday Problem
- Suppose a year has d days. How many people must be in a room for the probability to be > 1/2 that some pair of people have the same birthday?
- Label the people 1 … n
- The probability that person i has no birthday in common with people 1 … i-1 is (d - i + 1)/d, so p(n), the probability that no pair shares a birthday, is the product of these factors for i = 1 … n
- If d = 365 and n = 23, p(n) = …
- If d = 365 and n = 50, p(n) = …
- For large d, taking n ≈ 1.17 √d gives p(n) > 1/2

Attacking Hash Algorithms
- If two strings M and M* can be found such that H(M) = H(M*) then a hash algorithm can be compromised
- Let M = PO for $100; M* = PO for $100,000
- John digitally signs H(M), so it can’t be altered!
- If H(M*) = H(M) then we can “prove” in court that John signed the $100,000 PO
- Birthday attack: if the hash length is b bits, then d = 2^b and √d = 2^(b/2)
- Try about 2^(b/2) small variations of the message. Prob. ~50% we will find one that hashes to the same value
- If the digest is 64 bits, try 2^32 variations. Possible!

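The two birthday computations and the 2^(b/2) bound from the three slides above, worked out as an added example (not from the lecture). It evaluates Dave's p(n) = (364/365)^n, the product form of the generalized problem, and the n ≈ 1.17 √d rule applied to a b-bit digest (d = 2^b), which is where the "try 2^32 variations" figure for a 64-bit digest comes from.

```python
# Added example: the birthday-problem arithmetic behind the birthday attack.
import math

def p_nobody_else(n: int, d: int = 365) -> float:
    """Dave's problem: probability that none of n other people share his fixed birthday,
    p(n) = ((d-1)/d)^n."""
    return ((d - 1) / d) ** n

def smallest_n_for_fixed_day(d: int = 365) -> int:
    """Smallest n with p(n) < 1/2, i.e. n > log(1/2) / log((d-1)/d)."""
    return math.floor(math.log(0.5) / math.log((d - 1) / d)) + 1

def p_all_distinct(n: int, d: int = 365) -> float:
    """Generalized problem: probability that no pair among n people shares a birthday,
    the product over i = 1..n of (d - i + 1)/d."""
    p = 1.0
    for i in range(1, n + 1):
        p *= (d - i + 1) / d
    return p

def birthday_bound(d: float) -> float:
    """n ~ 1.17 sqrt(d) gives roughly a 50% chance of some pair colliding."""
    return 1.17 * math.sqrt(d)

def digest_attack_tries(b: int) -> float:
    """For a b-bit digest the 'year' has d = 2^b days, so sqrt(d) = 2^(b/2) tries."""
    return birthday_bound(2 ** b)
```

With d = 365 the product gives p(23) just under 1/2 and p(50) about 3%, and a 64-bit digest needs on the order of 2^32 trial messages.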
Nonce to Prevent Replay Attack
- Time-dependent value used in challenge-response protocols to prevent replay attack
- Random numbers, timestamps
- System sends a nonce, e.g. “…”
- User sends a hash of username|password|nonce
- System computes what the hash should be, verifies user
- Replay fails since the nonce will be different when the attacker tries to gain access
- Nonce is an obsolete word: “for the nonce” means “for the time being,” “just for now”

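The challenge-response exchange on the slide above as an added example (not from the lecture): the system issues a fresh random nonce, the user answers with SHA-1 of username|password|nonce, and the system recomputes and compares. The user database, the separator and the one-use bookkeeping of issued nonces are assumptions of this example; the last point is what makes a captured response useless on a later attempt.

```python
# Added example: nonce-based challenge-response login and why a replay fails.
import hashlib
import secrets

def response(username: str, password: str, nonce: str) -> str:
    """User side: hash of username|password|nonce (SHA-1, as on the slide)."""
    return hashlib.sha1(f"{username}|{password}|{nonce}".encode()).hexdigest()

class System:
    def __init__(self, users: dict):
        self.users = users        # constructed: username -> password
        self.pending = {}         # username -> nonce issued for the current attempt

    def challenge(self, username: str) -> str:
        """Issue a fresh random nonce for this login attempt."""
        nonce = secrets.token_hex(16)
        self.pending[username] = nonce
        return nonce

    def verify(self, username: str, resp: str) -> bool:
        """Compute what the hash should be for the nonce we issued and compare."""
        nonce = self.pending.pop(username, None)      # each nonce is good for one check
        if nonce is None or username not in self.users:
            return False
        expected = response(username, self.users[username], nonce)
        return secrets.compare_digest(expected, resp)

def login_then_replay():
    system = System({"alice": "correct horse battery"})   # constructed credentials
    nonce = system.challenge("alice")
    resp = response("alice", "correct horse battery", nonce)
    first = system.verify("alice", resp)          # genuine login: accepted
    system.challenge("alice")                     # a later attempt gets a different nonce
    replayed = system.verify("alice", resp)       # the captured response no longer matches
    return first, replayed
```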
Cryptography
[Figure: an arrow from the MESSAGE SPACE (all possible plaintext messages), e.g. “TRANSFER $5000 TO MY SAVINGS ACCOUNT”, to the CODE SPACE (all possible encrypted messages), e.g. “1822UX S4HHG7 803TG 0J71D2 MK8A36 18PN1”]
- Must be reversible (but only if you know the secret)

Cryptography
[Figure: the same message space and code space, with the mapping shown in both directions]
- Encryption is one-to-one and reversible
- Every code corresponds to exactly one message
- Encryption is secure if only authorized people know how to reverse it

Data Encryption Standard (DES)
- Symmetric, key-based encryption-decryption standard. No public keys
- Block cipher: operates on 64-bit blocks
- Uses 56-bit key
- 16 “rounds” -- the key for each round is a 48-bit function of the original 56-bit key. Each key bit participates in an average of 14 rounds
- Completely symmetric. Same algorithm decrypts.
- Fast implementation in hardware: 1 gigabit/second

Encryption “Rounds”
[Figure: key K passes through key expansion (KE) to give round keys k_1 … k_n; input block X passes through encryption rounds r_1 … r_n, one round key per round, to give output Y]
- Key K is expanded to a set of n round keys k_i
- Input block X undergoes n rounds of operations (each operation is based on the value of the nth round key), until it reaches the final round r_n
- Strength of algorithm: difficulty of going backwards from the intermediate result of round m+1 to round m without knowing the round key for round m
SOURCE: MEL TSAI

Classical Feistel Encryption Network
[Figure only]
SOURCE: WILLIAM STALLINGS

DES Encryption
[Figure only]
SOURCE: WILLIAM STALLINGS

Data Encryption Standard (DES)
[Figure: 64 bits of message → input permutation → rounds that combine the left half of the block (32 bits) with the function f and a subkey using exclusive-OR (⊕) → inverse of the input permutation → output: 64 bits of encrypted text]
- Subkeys: each is a 48-bit function of a 56-bit key
- f is a complicated function involving various permutations
SOURCE: SCHNEIER, APPLIED CRYPTOGRAPHY

Years To Crack Symmetric Encryption
[Figure: years to crack plotted against key length]
SOURCE: WILLIAM STALLINGS

Cipher Block Chaining Example
- In ECB mode, the same input text always produces the same output. This creates risk of partial decryption.
[Figure: INITIALIZATION STRING and PLAINTEXT BLOCK 1 → DES → CIPHERTEXT BLOCK 1; CIPHERTEXT BLOCK 1 and PLAINTEXT BLOCK 2 → DES → CIPHERTEXT BLOCK 2; etc.]

Modes of DES Use
- ECB - Electronic Codebook Mode
  – Straight DES. Independent groups of 64 bits. Weakness: the same 64 bits always encrypt to the same ciphertext
- CFB - Cipher Feedback Mode
  – XOR next plaintext block before encrypting
- CBC - Cipher Block Chaining
  – Encrypt previous block, XOR with plaintext
- OFB - Output Feedback Mode
  – XOR encrypted plaintext with next plaintext block
- 3DES - Triple DES
  – Encrypt with K_1, decrypt with K_2, encrypt with K_3
- Windows NT uses DES, DES-CBC and 3DES

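An added example (not from the lecture) that ties the Feistel-network slides to the ECB/CBC slides: a toy 64-bit Feistel cipher whose round function is a keyed hash rather than DES's f, used in ECB and in CBC mode to show that repeated plaintext blocks repeat in the ECB ciphertext but not under chaining. The cipher, its four-round key schedule and the sample messages are constructed for the example; the Feistel structure is the generic one, so decryption is the same loop with the round keys reversed.

```python
# Added example: toy Feistel block cipher (NOT DES) in ECB and CBC modes.
import hashlib

BLOCK = 8  # 64-bit blocks, as in DES; messages must be a multiple of 8 bytes

def round_keys(key: bytes, rounds: int = 4):
    """Toy key expansion: round key i derived from the key and the round number."""
    return [hashlib.sha1(key + bytes([i])).digest()[:4] for i in range(rounds)]

def F(half: bytes, k: bytes) -> bytes:
    """Toy round function: 32-bit value from the right half and the round key."""
    return hashlib.sha1(k + half).digest()[:4]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(block: bytes, keys) -> bytes:
    """Classical Feistel network: (L, R) -> (R, L xor F(R, k)) each round.
    Returning R + L undoes the last swap, so the same loop decrypts with reversed keys."""
    L, R = block[:4], block[4:]
    for k in keys:
        L, R = R, xor(L, F(R, k))
    return R + L

def encrypt_block(b: bytes, key: bytes) -> bytes: return feistel(b, round_keys(key))
def decrypt_block(b: bytes, key: bytes) -> bytes: return feistel(b, round_keys(key)[::-1])

def ecb_encrypt(msg: bytes, key: bytes) -> bytes:
    """ECB: every block encrypted independently; equal blocks give equal ciphertext."""
    return b"".join(encrypt_block(msg[i:i+BLOCK], key) for i in range(0, len(msg), BLOCK))

def cbc_encrypt(msg: bytes, key: bytes, iv: bytes) -> bytes:
    """CBC: XOR each plaintext block with the previous ciphertext block (IV first)."""
    out, prev = [], iv
    for i in range(0, len(msg), BLOCK):
        prev = encrypt_block(xor(msg[i:i+BLOCK], prev), key)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ct: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i+BLOCK]
        out.append(xor(decrypt_block(c, key), prev))
        prev = c
    return b"".join(out)

def repeated_blocks(ct: bytes) -> bool:
    """The ECB weakness made visible: does any 64-bit ciphertext block repeat?"""
    blocks = [ct[i:i+BLOCK] for i in range(0, len(ct), BLOCK)]
    return len(set(blocks)) < len(blocks)
```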
Meet-in-the-Middle Attack (Diffie-Hellman, 1977)
- Suppose we use two DES keys K1 and K2
- Pick an input text block x
- Let y = E_K2(E_K1(x)) – the encryption of x
- D_K2(y) = E_K1(x) – the “middle”
- Generate two lists:
  – encrypt x with all 2^56 possible keys K1
  – decrypt y with all 2^56 possible keys K2
- Check matches on each list; see if the match works for a new ciphertext/plaintext pair
- Now know BOTH K1, K2 in 2^57 tests, not 2^112

Triple DES
- Security can be increased by encrypting multiple times with different keys
- Double DES is not much more secure than single DES because of a “meet-in-the-middle” attack
- 3DES (168 bits of keys) can be cracked by trying 112 bits of keys
- If K_1 = K_2 = K_3 this is just single DES
[Figure: PLAINTEXT BLOCK 1 → DES ENCRYPT with K_1 → DES DECRYPT with K_2 → DES ENCRYPT with K_3 → CIPHERTEXT BLOCK 1]

AES, the DES Replacement
- AES = Advanced Encryption Standard
- DES has weaknesses:
  – slow (by modern standards)
  – weak (can be broken by fast computers)
- NIST ran a competition to replace DES
- Winner: Rijndael, invented by Vincent Rijmen and Joan Daemen (both male)
- No patenting allowed
- Round block cipher of similar structure to DES but faster, more secure

Rijndael
Detailed view of round n
[Figure: the result from round n-1 passes through ByteSub → ShiftRow → MixColumn → AddRoundKey (with round key k_n) and is passed to round n+1]
- Each round consists of:
  – ByteSub: each 8 bits of input is replaced with a different 8 bits
  – ShiftRow: each row of the block matrix is cyclically shifted
  – MixColumn
  – AddRoundKey
SOURCE: MEL TSAI

Rijndael: ByteSub
- Each byte at the input of a round is transformed as follows:
[Figure: substitution (“S”)-box table]
SOURCE: MEL TSAI

Rijndael: ShiftRow
- Depending on block length, each row of the block is cyclically shifted according to this table:
[Figure: table of shift amounts per row and block length]
SOURCE: MEL TSAI

Rijndael: MixColumn
- Each column is multiplied by a fixed polynomial C(x) = ’03’*X^3 + ’01’*X^2 + ’01’*X + ’02’
- This corresponds to matrix multiplication b(x) = c(x) a(x):
[Figure: the 4×4 matrix form of the multiplication]
SOURCE: MEL TSAI

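The MixColumn step on the slide above, worked out as an added example (not from the lecture): the polynomial c(x) = '03' x^3 + '01' x^2 + '01' x + '02' becomes the circulant matrix with rows (02 03 01 01), (01 02 03 01), (01 01 02 03), (03 01 01 02), and each coefficient-times-byte product is a multiplication in GF(2^8) modulo the Rijndael polynomial x^8 + x^4 + x^3 + x + 1. The matrix layout and reduction polynomial are taken from the Rijndael specification, not from the slides.

```python
# Added example: Rijndael MixColumn on one 4-byte column, with GF(2^8) arithmetic.

def xtime(a: int) -> int:
    """Multiply a byte by x (i.e. by '02') modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def gmul(a: int, b: int) -> int:
    """General GF(2^8) product by shift-and-add, using xtime for each doubling."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

# c(x) = '03' x^3 + '01' x^2 + '01' x + '02' written as the matrix that multiplies a column:
# each row is the previous row rotated one place to the right.
C = [[0x02, 0x03, 0x01, 0x01],
     [0x01, 0x02, 0x03, 0x01],
     [0x01, 0x01, 0x02, 0x03],
     [0x03, 0x01, 0x01, 0x02]]

def mix_column(col):
    """b(x) = c(x) * a(x) mod (x^4 + 1) for one column a = [a0, a1, a2, a3]."""
    out = []
    for row in C:
        acc = 0
        for coeff, byte in zip(row, col):
            acc ^= gmul(coeff, byte)      # additions in GF(2^8) are XORs
        out.append(acc)
    return out

def mix_columns(state):
    """Apply MixColumn to every column of a 16-byte state stored column by column."""
    out = []
    for c in range(4):
        out += mix_column(state[4 * c:4 * c + 4])
    return out
```

The test values are the worked MixColumns examples from the AES specification (FIPS-197).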
Rijndael: Key Expansion and Addition
- Each block is XOR’ed with the expanded round key k_i
[Figure: key expansion schedule]
SOURCE: MEL TSAI

Rijndael
- Allows 128, 192, and 256-bit key sizes
- Variable block length: 128, 192, or 256 bits. All nine combinations of key/block length possible.
  – A block is the smallest data size the algorithm will encrypt
- VERY FAST, much faster than DES
  – Software: 8416 bytes/sec on a 20MHz 8051
  – Software: 53 Mbytes/sec on a 800MHz Pentium
  – Hardware: currently up to 25 Gbps

Major Ideas
- Secure hash algorithms create message digests
- Encryption algorithms are complex
  – must be studied carefully (by cryptographers)
  – subject to sophisticated attacks
- Symmetric encryption is fast
- AES is the new standard symmetric encryption algorithm – very fast
- Nonce is a defense against replay attacks

Q & A