Chapter 2 Advanced Cryptography (Part C) Message integrity Cryptanalysis

Message integrity To detect unintentional modifications. Parity bit Parity bits and Hash functions have been used in protocols to detect modifications in streams of bits as they are passed from one computer to another To detect unintentional modifications. Parity bit a binary digit that indicates whether the number of bits with value of one in a given set of bits is even or odd. are used as the simplest error detecting code. Hash functions used to produce a checksum – a small, fixed number of bits – against a block of data is computed and appended before transmission or storage, and verified afterwards by the recipient to confirm that no changes occurred on transit.

One-way Hash (review) A one-way hash is a function that takes a variable-length string, and produces a fixed-length hash value. The function is run in only one direction The hash value is also called message digest or fingerprint.

How does one-way hash work?

Various Hashing Algorithms (1) MD2 is a one-way hash function designed by Ron Rivest that creates a 128-bit message digest value very slow in MD family MD4 is used for high-speed computation MD5 the newer version of MD4 algorithm, more complex, and harder to break

Various Hashing Algorithms (2) Secure Hash Algorithm (SHA) was designed by NIST and NSA is the successor to MD5 produces a 160-bit hash value, then inputted into an asymmetric algorithm, which computes the signature for a message. Version: SHA-0, SHA-1 and SHA-2 SHA-1 is the most widely employed of the SHA family. It forms part of several widely used security applications and protocols, including TLS and SSL, PGP, SSH, S/MIME, and IPsec. In 2005, security flaws were identified in SHA-1. A possible mathematical weakness might exist.

Various Hashing Algorithms (3) Algorithm and variant Output size (bits) Block size (bits) Rounds Collision SHA-0 160 512 80 Yes SHA-1 263 attack SHA-2 SHA-256/224 256/224 64 None SHA-512/384 512/384 1024 NIST published four additional hash functions in the SHA family each with longer digests, collectively known as SHA-2.

Characteristics of good hash functions Four characteristics of good hash functions Should be computed over the entire message. Should be a one-way function so that messages are not disclosed by their values. Given a message and its hash value, computing another message with the same hash value should be impossible. Should be resistant to birthday attacks (details next)

Attack Against One-Way Hash Functions If the hash algorithm produces the same hash value for two distinctly different messages, this is called a collision. An attacker can attempt to force a collision, which is referred to as a birthday attack. Birthday paradox Q: How many people must be in the same room for the probability is more than 50% that at least two of them will have the same birthday?

Birthday paradox Given a group of 23 (or more) randomly chosen people, the probability is more than 50% that at least two of them will have the same birthday. For 60 or more people, the probability is greater than 99%, although it cannot actually be 100% unless there are at least 366 people

Birthday paradox Q: What is the implication of birthday paradox to hash functions?

Birthday attack Attackers can find the corresponding hashing value that matches a specific message is through a brute force attack. Q: Why? If an attacker finds two messages with the same hash values, it is equivalent to finding two people with the same birthday. Birthday attack is a type of brute force attack. Based on birthday paradox, if the output of a hashing algorithm is n bits, finding two messages that hash to the same value would require check of only 2^n/2 messages. e.g., SHA-1 generates a 160-bit hash value. The attacker need approximately 2^80 computation to find a collision. A larger bit hash value is less vulnerable to brute force attack.

Detecting Intentional Modification Q: Could Parity bits and Hash functions prevent intentional modifications? Ans: No. Attacker can intercept data, alter it, and calculate and new parity bits or CRC, and retransmit the modified data. The solution Message authentication code Digital signature

Message authentication code (MAC) We need to use message authentication code (MAC), a.k.a. message integrity code (MIC) A symmetric key is involved in MAC The use of the symmetric key ensures that the only person who can verify the integrity of the message is the person who has a copy of this key. No one else can verify the data’s integrity

Message authentication code (MAC) Any modifications would be detected by the receiver. If someone were to make a change to the data, he could not generate the MAC value the receiver would be looking for. MAC provides a form of authentication. It provides data origin authentication. Two types of MACs Hash MAC (HMAC) CBC-MAC

Hash MAC (HMAC) The only difference between HMAC and a “plain” hash function is that the message is concatenated with a symmetric key before put through a hashing function.

CBC-MAC (1) In CBC mode, the sender encrypts the message with a symmetric block cipher. The output of the final block of cipher text is used as the MAC. MAC attached to plaintext message is sent. The receiver receives the plaintext message and encrypts it with the same symmetric block cipher in CBC mode and calculates an independent MAC value. Note that CBC-MAC does not use a hashing algorithm.

CBC-MAC (2) IV

Digital Signatures Digital signature: encrypt the hash value with the sender’s private key.

Digital Signatures The hashing function ensures the integrity of the message the signing of the hash value provides authentication and nonrepudiation. Digital signature standard (DSS) In 1991, NIST proposed a federal standard called the Digital Signature Standard (DSS). RSA and DSA are the best known and most widely used digital signature algorithms.

Nonrepudiation Construct that authenticated origin, contents of message in a manner provable to a disinterested third party (“judge”) Sender cannot deny having sent message (service is “nonrepudiation”) Limited to technical proofs Inability to deny one’s cryptographic key was used to sign One could claim the cryptographic key was stolen or compromised Legal proofs, etc., probably required; not dealt with here

Is this a digital signature ? Alice, Bob share key k Alice sends m || { m }k to Bob Q: Is this a digital signature ? NO! Third party cannot determine whether Alice or Bob generated message

Classical Digital Signatures Require trusted third party Alice, Bob each share keys with trusted party Cathy, but not with each other To resolve dispute, judge gets { m } kAlice, { m } kBob, and has Cathy decipher them; if messages matched, contract was signed. { m }kAlice Alice Bob { m }kAlice Cathy Bob { m }kBob Cathy Bob

Public Key Digital Signatures

Public Key Digital Signatures Alice’s keys are dAlice, eAlice Alice sends Bob m || { H(m) } dAlice In case of dispute, judge computes { { H(m) } dAlice } eAlice and if it is m, Alice signed message She’s the only one who knows dAlice!

Chapter 2 Advanced Cryptography (Part C) Message integrity Cryptanalysis

Passive attacks vs. Active attacks Eavesdropping and sniffing data as it passes over a network; the attacker is not affecting the protocol, algorithm, key, message, or any parts of the encryption system; hard to detect. In most cases methods are put in place to try to prevent them rather than detect and stop them. Active attacks Altering messages, modifying system files, and masquerading as another individual are usually used to gain information prior to carrying out an active attack.

Scenarios for cryptanalysis Cryptanalysis can be performed under a number of assumptions about how much can be observed or found out about the system under attack Ciphertext-Only Attack easy to get ciphertext by sniffing traffic Very difficult to figure out the key Known-Plaintext Attack The attacker has a few pairs of plaintext and ciphertext Chosen-Plaintext Attack The attacker can choose the plaintext and get the corresponding ciphertextds Chosen-Ciphertext Attack The attacker can choose the ciphertext and get the corresponding decrypted plaintext

Cryptanalysis Cryptanalysis is the study of methods for obtaining the meaning of encrypted information. Typically, cryptanalysis involves finding the secret key Cryptanalysis has coevolved together with cryptography. Frequency analysis is the basic tool for breaking classical ciphers. In natural languages, certain letters of the alphabet appear more frequently than others E.g., in English, "E" is likely to be the most common letter in any given sample of text. Similarly, the digraph "TH" is the most likely pair of letters.

Cryptanalysis Asymmetric cryptography rely on "hard" mathematical problems as the basis. If an improved algorithm can be found to solve the problem, then the system is weakened. E.g. RSA security In 1980, factoring a 50-digit number needs 10^12 computer operations. By 1984, factoring algorithms had advanced. A 75-digit number can be factored in the same number of operations. Advances in computing technology mean that the operations could be performed much faster. By the start of the 21st century, 150-digit numbers were no longer considered a large enough key size for RSA.

Replay Attack In replay attack, an attacker captures some type of data and resubmits it with the hopes of fooling the receiving device into thinking it is legitimate information. Timestamps and sequence numbers are two countermeasures – keep the freshness of packets

Side Channel Attacks A side channel attack is any attack based on information gained from the physical implementation of a cryptosystem, rather than theoretical weaknesses in the algorithms -- cryptanalysis power consumption, radiation emissions, and the time it takes for certain types of data processing