IS 302: Information Security and Trust Week 5: Integrity 2012

© Yingjiu Li Review RSA –Key generation –Security (key size) –Encryption and decryption with random padding Envelop encryption –RSA+AES

Adversary Passive adversary –Eavesdropping: threat to message confidentiality –Solution with encryption (AES, RSA…): an adversary is not able to understand the message Active adversary –Unauthorized modification: threat to message integrity –Solution: if an adversary modifies the message, it can always be detected! © Yingjiu Li 20073

4 Question Assume that Mallory is an active adversary Does encryption provide message integrity? Bob Alice Mallory Please transfer $1M to account A…

© Yingjiu Li Solution Send a small piece of information as proof of message integrity Bob Alice Mallory Please transfer $1M to account A…, E7582D9C71D5DA EF23FCD

© Yingjiu Li Proof of Message Integrity Symmetric proof –Message authentication code (MAC) Asymmetric proof –RSA signature Both MAC and RSA signature are based on hash

© Yingjiu Li Hash Hash function h=H(M) –One-way easy to compute but hard to inverse –Collision resistant hard to find M  M’ such that H(M)=H(M’) –Fixed length variable-length M  fixed-length h

© Yingjiu Li Cryptool Indiv. procedures  hash –MD5 –SHA1 –Sensitivity to change

© Yingjiu Li Attacks to Hash Pre-image attack (against one-way feature) –Given h=H(M), find M’ such that H(M’)=h Collision attack (against collision resistant feature) –Given H(), find M’ and M’’ such that H(M’)=H(M’’)

© Yingjiu Li Hash for Integrity Check Can hash value h=H(M) be used as integrity proof for M? –Send h together with M over public channel? –Send h separately over secure channel? Bob Alice Mallory M: Please transfer $1M to account A…,

© Yingjiu Li Hash for Integrity Check Can hash value h=H(M) be used as integrity proof for M? –Send h together with M over public channel (No!) –Send h separately over secure channel (Yes!) Bob Alice Mallory M: Please transfer $1M to account A…, h: E7582D9C71D5DA EF23FCD

© Yingjiu Li Standard Hash: MD5 MD5 –Output: 128 bits (32 Hex digits, 16 bytes) –internet standard, commonly used to check integrity of files –1991: designed by Rivest –1996: a flaw was discovered –2004: more serious flaws –2007: people can create a pair of files that share the same MD5 hash value

© Yingjiu Li Standard Hash: SHA1 SHA1 –160 bits (40 hex’s, 20 bytes), NIST standard –1995: NSA, replaced SHA0 (1993) –2005: potential weakness was found Collision attack: 2^80  2^39 for SHA0, 2^63 for SHA1 –2010: last year to use as suggested by NIST SHA2 SHA224, SHA256, SHA384, SHA512 SHA3 2 Nov 2007 – 31 Oct 2008: NIST call for competition 2012: winner and new standard will be announced

© Yingjiu Li A little bit more detail on SHA1 –Input: 0~2^64 -1 bits (2^20~1M, 2^30~1G) –Output: 160 bits (5*32) –Block size: 512 bits (16*32) –Rounds: 80

© Yingjiu Li MAC Message authentication code (MAC) –MAC=H(K,M), where K is secret key (MAC key) –Alice sends MAC together with message M –Bob verifies M with K to see whether MAC=H(K,M) Bob (k) Alice (k) Mallory Please transfer $1M to account A, MAC Message & MAC

© Yingjiu Li Attack to MAC –Pre-image attack to the key –MAC key should be long enough against brute force attack

© Yingjiu Li HMAC HMAC = H(K,H(K,M)) –H can be any hash function H=MD5  HMAC-MD5 (128 bits) H=SHA-1  HMAC-SHA-1 (160 bits) –Key size JCE: HMAC key = 64 bytes (512 bits) If key > 64 bytes, key  H(key) Recommended key > output size of hash function

© Yingjiu Li Encryption-Based MAC DES-MAC –DES encryption E(M,K)  blk1, blk2,…blkn –MAC = blk1 blk2 …blkn –K is a DES key (56 bits)  weak security –DES-MAC is 64 bits AES-MAC –What is the key size? –How long is the AES-MAC?

© Yingjiu Li Cryptool Indiv. procedures  hash  HMAC –SHA-256 –Double hashing

© Yingjiu Li Repudiation Problem with MAC If Alice denies sending message to Bob, Bob cannot prove to any third-party authority that Alice’s lying Bob (k) Alice (k) Mallory Please transfer $1M to account A, MAC Message & MAC Secret channel

© Yingjiu Li Solution: RSA Signature Alice with RSA public key (n,e) and private key d –Compute digital signature sig=H(M) d mod n (only Alice can generate this signature with her private RSA key d) –Send (M, sig) to Bob Bob : –Compute H(M) –Verify sig by comparing if H(M) = sig e mod n (anyone can verify the signature with Alice’s public RSA key e,n) Bob Alice public channel d d: Alice’s private key n,e: Alice’s public key (M, sig = H(M) d mod n) n,e

© Yingjiu Li Discussion –What is difference between RSA encryption and RSA signature? –What is the size of an RSA-1024 signature with SHA-256? –What is the size of HMAC with SHA-256? –In what scenarios should you choose RSA signature or MAC?

© Yingjiu Li Demo in CrypTool Digital signatures/PKI  –Sign document (SHA1+RSA-512) –Verify signature

© Yingjiu Li Security of some crypto-algorithms Cryptographic strength Symmetric (key length) Asymmetric (modulus length) Hashing/MACs (hash value length) weakDES 40-bit RC4 40-bit RSA 256-bit mediumDES 56-bit CAST 64-bit RSA 512-bit D-H 512-bit DSA 512-bit ANSI X9.9 MAC 32-bit strongTriple DES 112-bit AES 128-bit IDEA 128-bit RC4 128-bit RSA 1024-bit D-H 1024-bit DSA 1024-bit MD4/MD5 128-bit ? SHA bit ? Very strongAES 192-bit AES 256-bit RSA 2048-bit ECC 300-bit SHA224,SHA-256 SHA-384 SHA-512

© Yingjiu Li Hands-on Exercise Download week5.zip into your IS302 directory Unzip it (extract to week5 directory) Follow the instructions in Lab.doc –2.1 HMAC in JCE –2.2 RSA signature in JCE

© Yingjiu Li Review How long is an RSA-1024 with SHA1 signature 1) 128 bits 2) 160 bits 3) 1024 bits Alice sends a message with an RSA signature to Bob. Which key should be used to generate the signature? 1) Alice’s private key 2) Alice’s public key 3) Bob’s public key How long is AES-MAC? 1) 128 bits 2) 160 bits 3) 1024 bits