CSE 4095 Digital Signatures and Hashing


1 CSE 4095 Digital Signatures and Hashing

2 Outline
- Will introduce Diffie-Hellman based encryption
- Digital Signatures (using ideas from Diffie-Hellman)
- Hash Functions

3 Diffie-Hellman Key Exchange
- First published public-key algorithm: “New Directions in Cryptography,” 1976
- A number of commercial products employ this key exchange technique
- Purpose: key establishment
- Effectiveness: depends on the difficulty of computing discrete logarithms
- Given g^x mod p, hard to determine x

The first published public-key algorithm appeared in the seminal paper by Diffie and Hellman that defined public-key cryptography [DIFF76b] and is generally referred to as Diffie-Hellman key exchange. A number of commercial products employ this key exchange technique. The purpose of the algorithm is to enable two users to securely exchange a key that can then be used for subsequent symmetric encryption of messages. The algorithm itself is limited to the exchange of secret values.

The Diffie-Hellman algorithm depends for its effectiveness on the difficulty of computing discrete logarithms. Briefly, we can define the discrete logarithm in the following way. Recall from Chapter 8 that a primitive root of a prime number p is one whose powers modulo p generate all the integers from 1 to p - 1. That is, if a is a primitive root of the prime number p, then the numbers a mod p, a^2 mod p, ..., a^{p-1} mod p are distinct and consist of the integers from 1 through p - 1 in some permutation. For any integer b and a primitive root a of prime number p, we can find a unique exponent i such that b = a^i (mod p) where 0 ≤ i ≤ (p - 1). The exponent i is referred to as the discrete logarithm of b for the base a, mod p. We express this value as dlog_{a,p}(b). See Chapter 8 for an extended discussion of discrete logarithms.

4 Diffie-Hellman protocol
- Alice and Bob want to construct a private key over a public channel.
- Both agree on a public prime p and generator g modulo p.
- Alice holds x, g^x; Bob holds y, g^y.
- Alice sends g^x to Bob; Bob sends g^y to Alice.
- Both parties compute: g^{xy} mod p
  - Alice does (g^y)^x mod p
  - Bob does (g^x)^y mod p

5 Security of Diffie-Hellman Protocol
- Discrete logarithm problem (DLP): Given g, p, and g^x mod p, find x
- Diffie-Hellman problem (DHP): Given g, p, g^x mod p, and g^y mod p, find g^{xy} mod p
- One way to solve DHP is to solve DLP
- Other ways? Not very likely (so far)
- Solving DLP seems to be hard for large p
- [Image from “Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice” by Adrian et al.]

6 Person-in-the-middle attack
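- [Diagram: Eve sits between Alice and Bob. Alice sends g^a and Bob sends g^b; Eve sends g^d to Alice and g^c to Bob.]
- Key1 = g^{ad} (shared by Alice and Eve)
- Key2 = g^{cb} (shared by Eve and Bob)
- Eve gets to listen to everything.
- Diffie-Hellman isn’t secure unless you know the identity of the other party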
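The exchange on slide 4 and the substitution on slide 6, side by side, as an added example that is not part of the original slides. The group (p = 2^127 - 1, g = 3) and all function names are assumptions chosen for illustration; the group is far too small for real use.

```python
import secrets

# Toy group, chosen for this example only: p = 2**127 - 1 is prime, g = 3.
# Real deployments use vetted groups with p of 2048 bits or more.
P = 2**127 - 1
G = 3

def keypair(secret=None):
    """Return (x, g^x mod p); x is random unless a fixed one is supplied."""
    x = secret if secret is not None else secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def shared(secret, peer_public):
    """Raise the peer's public value to our secret: (g^y)^x = g^{xy} mod p."""
    return pow(peer_public, secret, P)

def honest_exchange(x=None, y=None):
    """Slide 4: both sides arrive at the same g^{xy} mod p."""
    x, gx = keypair(x)                 # Alice
    y, gy = keypair(y)                 # Bob
    return shared(x, gy), shared(y, gx)

def intercepted_exchange(a=None, b=None, c=None, d=None):
    """Slide 6: Eve replaces g^a with g^c (toward Bob) and g^b with g^d
    (toward Alice). Nothing in the bare protocol lets either side notice."""
    a, ga = keypair(a)                 # Alice
    b, gb = keypair(b)                 # Bob
    c, gc = keypair(c)                 # Eve, facing Bob
    d, gd = keypair(d)                 # Eve, facing Alice
    key1_alice = shared(a, gd)         # Key1 = g^{ad}, as Alice computes it
    key2_bob = shared(b, gc)           # Key2 = g^{cb}, as Bob computes it
    eve = (shared(d, ga), shared(c, gb))
    return key1_alice, key2_bob, eve

if __name__ == "__main__":
    ka, kb = honest_exchange()
    print("honest keys match:", ka == kb)
    k1, k2, eve = intercepted_exchange()
    print("Alice and Bob agree:", k1 == k2)        # False: two separate keys
    print("Eve holds both keys:", eve == (k1, k2))
```

Because Key1 and Key2 differ, any authenticated comparison of the derived key, or a signature over the exchanged values, exposes the substitution.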

7 ElGamal
- Invented in 1984
- T. Elgamal, “A public key cryptosystem and a signature scheme based on discrete logarithms”, Proc. of Crypto, 1984
- Used in digital signature standard (DSS), S/MIME standard

8 ElGamal Encryption
Key generation:
- Parameters: (safe) prime p and generator g
- Private key: x
- Public key: p, g, y = g^x mod p
Encryption (using public key):
- Generate random k
- r = g^k mod p (k and r are ephemeral key pair)
- s = y^k · m mod p
- Ciphertext c = (r, s)
Decryption:
- m = s · r^{-x} mod p
- s = y^k · m = r^x · m
- r^{-x} = g^{-kx} = y^{-k} mod p
- Can think of this as the sender creating a Diffie-Hellman pair

The basic idea is to use Diffie-Hellman to establish a secret key and then use any symmetric-key ciphers. In this version, only multiplication is used.

9 ElGamal example
Key generation:
- p = 19, g = 10
- Private key: x = 5
- Public key: p, g, y = 10^5 mod 19 = 3
Encryption (using public key), message m = 17:
- Generate random k, suppose k = 6
- r = g^k mod p = 10^6 mod 19 = 11
- s = y^k · m mod p = 3^6 * 17 mod 19 = 7 * 17 mod 19 = 5
- Ciphertext c = (11, 5)
Decryption:
- m = s · r^{-x} mod p = 5 * (11^5 mod 19)^{-1} mod 19 = 5 * 7^{-1} mod 19 = 5 * 11 mod 19 = 17

The basic idea is to use Diffie-Hellman to establish a secret key and then use any symmetric-key ciphers. In this version, only multiplication is used.
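The scheme from slides 8 and 9 as runnable code, added here as an illustration and not taken from the original slides. It reproduces the slide's numbers and then encrypts the same message under a second ephemeral k (k = 7, a constructed value) to show that the ciphertext changes while decryption does not; function names are assumptions.

```python
import secrets

def keygen(p, g, x=None):
    """Private key x, public key y = g^x mod p."""
    x = x if x is not None else secrets.randbelow(p - 3) + 2
    return x, pow(g, x, p)

def encrypt(p, g, y, m, k=None):
    """Return c = (r, s) with r = g^k mod p and s = y^k * m mod p."""
    if not 1 <= m < p:
        raise ValueError("message must be in 1..p-1")
    # A fresh k from a secure random source is required for every message;
    # a fixed k is accepted only so the slide's numbers can be reproduced.
    k = k if k is not None else secrets.randbelow(p - 3) + 2
    r = pow(g, k, p)
    s = pow(y, k, p) * m % p
    return r, s

def decrypt(p, x, c):
    """m = s * r^{-x} mod p; pow() with a negative exponent inverts mod p."""
    r, s = c
    return s * pow(r, -x, p) % p

def slide_example():
    """Slide 9 values, plus the same message under a different k."""
    p, g = 19, 10
    x, y = keygen(p, g, x=5)              # y = 10^5 mod 19
    c = encrypt(p, g, y, 17, k=6)         # slide's ciphertext
    c2 = encrypt(p, g, y, 17, k=7)        # same m, different ephemeral key
    return y, c, decrypt(p, x, c), c2, decrypt(p, x, c2)

if __name__ == "__main__":
    print(slide_example())
```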

10 About ElGamal
- Security relies on the discrete log problem and not on factoring
- Find private key using public key
- Discover one time key k
- Ciphertext twice as long as the plaintext
- Secure random number generator required for k
- Non-deterministic encryption: the same plaintext will always result in different ciphertexts

11 Digital Signatures
- In public key encryption we were providing confidentiality: hiding a message from an observer
- The goal of a digital signature is primarily to provide integrity: being sure that no one has altered a message
- [Diagram: plaintext → signing algorithm (sk) → plaintext, signature → verification (vk); Alice’s key K_A consists of vk and sk]

12 Exercise: Signature security
Consider possible security goals and adversary powers for a signature scheme (similar to our exercise for encryption)

13 Signature Security
Possible goals:
- Recover key
- Create new signature for same message
- Create signature for random message
- Create signature for chosen message
Possible capabilities:
- See public key
- See a single signature
- See multiple signatures for random messages
- See multiple signatures for chosen messages
- See signatures for adaptively chosen messages
Known as chosen message unforgeability under chosen message attack (EU-CMA)

14 Constructing Digital Signatures
- Possible to create a digital signature from the factoring and discrete logarithm assumptions
- Don’t assume that swapping encryption and decryption will give you a digital signature algorithm
- Often requires use of a cryptographic hash function (later this class)

15 Diffie-Hellman based Signature
Signing:
- Input m, secret key sk_A = x (random value)
- Sample random value k
- Compute r = g^k mod p
- Compute s = (H(m) - sk_A*r)/k mod p
- Output (r, s)
Verification:
- Input m, r, s, pk_A = g^x
- Check if g^{H(m)} = pk_A^r * r^s mod p
- pk_A^r * r^s = g^{xr} * g^{ks} = g^{xr} * g^{k(H(m) - sk_A*r)/k} = g^{xr} * g^{H(m) - x*r} = g^{H(m)}
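The signing and verification steps above as runnable code, added here as an illustration and not taken from the original slides. Where the slide writes s mod p, this example reduces s mod p - 1 and requires k to be invertible mod p - 1, as in the ElGamal signature scheme, because the division by k takes place in the exponent; SHA-256 as H and all function names are assumptions.

```python
import hashlib
import secrets
from math import gcd

def H(m: bytes, p: int) -> int:
    """SHA-256 of m, reduced into the exponent range 0..p-2."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % (p - 1)

def keygen(p, g):
    x = secrets.randbelow(p - 3) + 2           # sk_A = x
    return x, pow(g, x, p)                     # pk_A = g^x mod p

def sign(p, g, x, m, k=None):
    q = p - 1                                  # exponents are taken mod p-1
    if k is None:                              # sample k invertible mod p-1
        k = secrets.randbelow(q - 2) + 2
        while gcd(k, q) != 1:
            k = secrets.randbelow(q - 2) + 2
    elif gcd(k, q) != 1:
        raise ValueError("k must be invertible mod p-1")
    r = pow(g, k, p)
    s = (H(m, p) - x * r) * pow(k, -1, q) % q  # (H(m) - sk_A*r)/k
    return r, s

def verify(p, g, y, m, sig):
    r, s = sig
    if not (0 < r < p and 0 <= s < p - 1):     # reject out-of-range values
        return False
    # Accept iff g^{H(m)} == pk_A^r * r^s (mod p)
    return pow(g, H(m, p), p) == pow(y, r, p) * pow(r, s, p) % p

if __name__ == "__main__":
    p, g = 2**127 - 1, 3                       # toy group, not for real use
    x, y = keygen(p, g)
    sig = sign(p, g, x, b"pay Bob 10")
    print(verify(p, g, y, b"pay Bob 10", sig))     # True
    print(verify(p, g, y, b"pay Bob 1000", sig))   # False
```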

16 Current trends in asymmetric crypto
- Both RSA and Diffie-Hellman are showing their 40 year age
- Cryptanalytic attacks are getting better
- Increasing key size frequently is difficult (for usability reasons)
- Quantum computers can efficiently break both schemes
- Still primary mechanisms on the internet
- Timing and side-channels are major problems
- Researchers are designing new systems that are resistant to quantum computer attacks

17 Hash Functions
- Used to compress length of data
- Many different applications that require different properties
- Denoted H: {0,1}^* -> {0,1}^{256} (may have different length output: 80, 128, 512)
- Should be easy to compute

18 Definitions of security
- Also known as message digest
- Preimage resistant (one-way property): given H(m), but not m, it is difficult to find an m.
- Second preimage resistant (weak collision resistant): given m1, it is difficult to find m2 s.t. H(m2) = H(m1).
- (Strong) Collision resistant: computationally infeasible to find m1, m2 s.t. H(m1) = H(m2)

19 Relationship of properties
- Strong collision resistance ⇒ Weak collision resistance ⇒ One way
- Each implication is proper (unless the input size is small); there are:
  - weak collision resistant functions that aren’t strong
  - one-way resistant functions that aren’t weak

20 Brute force attacks
- Why is an attack on strong collision resistance much easier?

21 Birthday “paradox”
- How many people does it take so that the probability that two of them share the same birthday is larger than 50%? 23
- Same birthday as me?
- For hash function with n-bit output, it suffices to test 1.2 x 2^{n/2} inputs to find a collision.
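To make the 2^{n/2} figure concrete, this added example (not from the original slides) measures both questions on a deliberately short hash: SHA-256 truncated to n bits. The truncation, the counter-based inputs and the function names are assumptions made so the search finishes in well under a second.

```python
import hashlib

def h_trunc(data: bytes, n_bits: int) -> int:
    """SHA-256 truncated to its first n_bits bits (toy n-bit hash)."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - n_bits)

def birthday_collision(n_bits: int):
    """Any two colliding inputs: remember every digest seen so far."""
    seen = {}
    trials = 0
    while True:
        msg = trials.to_bytes(8, "big")
        trials += 1
        digest = h_trunc(msg, n_bits)
        if digest in seen:
            return seen[digest], msg, trials
        seen[digest] = msg

def second_preimage(target: bytes, n_bits: int, max_trials: int = 1 << 22):
    """'Same birthday as me?': an input matching one fixed digest."""
    want = h_trunc(target, n_bits)
    for trials in range(1, max_trials + 1):
        msg = b"guess-" + trials.to_bytes(8, "big")
        if h_trunc(msg, n_bits) == want:
            return msg, trials
    return None

def birthday_estimate(n_bits: int) -> float:
    """The slide's estimate: 1.2 x 2^{n/2} inputs."""
    return 1.2 * 2 ** (n_bits / 2)

if __name__ == "__main__":
    for n in (16, 20, 24):
        _, _, t = birthday_collision(n)
        print(n, "bits: collision after", t, "inputs; estimate",
              round(birthday_estimate(n)))
    print("second preimage, 16 bits:", second_preimage(b"me", 16)[1], "inputs")
```

The collision search needs on the order of 2^{n/2} inputs, while matching one fixed digest needs on the order of 2^n, which is why output lengths are sized against the collision bound.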

22 Length of hash function output
- Due to birthday attack, the length of hash outputs in general should double the key length of block ciphers
- SHA-256, SHA-384, SHA-512 to match the new key lengths (128, 192, 256) in AES

23 Construction: iterated hash function

24 Iterated hash function
- Partition message into L fixed-size b-bit blocks
- Compression function f: take two inputs
  - Chaining variable (n bits) from previous step
  - b-bit block, b > n (compression)
  - Can be constructed from block ciphers, must be collision resistant
- Motivation
  - If the compression function is collision resistant, then so is the iterated hash function
  - Designing secure hash function reduces to designing collision-resistant compression function that takes fixed-size input
  - cf. [Merkle, Crypto 89] and [Damgard, Crypto 89]

25 Merkle-Damgård construction
- Given: compression function F: {0,1}^n x {0,1}^b -> {0,1}^n; n-bit constant IV
- Input: message M
- Break M into b-bit blocks, M_1, …, M_k; add padding if necessary
- Let M_{k+1} be encoding of |M|
- Let h_0 = IV
- Let h_i = F(h_{i-1}, M_i), i = 1, …, k+1; output h_{k+1}
- Damgaard : dam ‘gaw
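The construction above as runnable code, added here as an illustration and not taken from the original slides. The compression function F is a stand-in built from truncated SHA-256, and the block size, chaining size, zero padding and all-zero IV are assumptions; the `length_block` switch shows what the M_{k+1} = |M| block is for.

```python
import hashlib

B = 16          # block size b, in bytes (toy value)
N = 8           # chaining value size n, in bytes (toy value); b > n
IV = bytes(N)   # n-bit constant IV; all zeros is an assumption of this example

def F(h: bytes, block: bytes) -> bytes:
    """Stand-in compression function {0,1}^n x {0,1}^b -> {0,1}^n."""
    assert len(h) == N and len(block) == B
    return hashlib.sha256(h + block).digest()[:N]

def md_blocks(msg: bytes, length_block: bool = True):
    """M_1..M_k (zero-padded to full blocks), then M_{k+1} = encoding of |M|."""
    padded = msg + bytes(-len(msg) % B)
    blocks = [padded[i:i + B] for i in range(0, len(padded), B)]
    if length_block:
        blocks.append((8 * len(msg)).to_bytes(B, "big"))   # |M| in bits
    return blocks

def md_hash(msg: bytes, length_block: bool = True) -> bytes:
    h = IV                                  # h_0 = IV
    for block in md_blocks(msg, length_block):
        h = F(h, block)                     # h_i = F(h_{i-1}, M_i)
    return h                                # h_{k+1}

if __name__ == "__main__":
    a, b = b"abc", b"abc\x00"
    # Without the length block, zero padding makes these two messages
    # identical after padding, so they hash to the same value.
    print(md_hash(a, False) == md_hash(b, False))   # True
    # With M_{k+1} = |M| the final blocks differ and so do the digests.
    print(md_hash(a) == md_hash(b))                 # False
```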

26 Commonly used hash functions
- MD5
- SHA family: SHA-0, SHA-1, SHA-2, and SHA-3 (different construction paradigm)
- Whirlpool
- Tiger
- RIPEMD-128, 160, 256, 320: improved version of RIPEMD

27 Compression Function of SHA2
- Have 8 intermediate registers a, …, h
- K_j are constants for the round and W_j are the message
- This function is computed 64 times (in SHA-256)

28 Attacks: MD5
- MD4: 128 bits, 1990. Broken
- MD5: 128 bits, wide usage. Flaw found in 1996, collision attacks in 2004
- Current best attacks: Xie-Feng (2009) in 2^20
- Preimage attacks: still hard ~ (Sasaki-Aoki)

29 Attack: the SHA Family
- SHA-0: made a standard by NIST in 1993
  - based on Merkle-Damgard design, 160 bits
  - In 1998 collisions against SHA-0 were demonstrated in 2^61 steps
- SHA-1: US standard [NIST, FIPS PUB 180-1]
  - 160-bit message digest
  - Collisions were found in 2^69 steps (Wang, Yin, Yu, Crypto 2005)
  - NIST requires federal agencies to move to SHA-2 after 2010
  - SHA-1 was considered broken
  - [De Caniere and Rechberger’06] - towards more structured collisions for SHA-1
  - In 2009 claims for 2^52 were made (?).

30 SHA-2
- SHA-224, SHA-256, SHA-384, SHA-512
- Outputs 224, 256, 384, and 512 bits, respectively
- No real security concerns, yet
- Similar design principle as SHA-1 (and MD5)
- The length of hash outputs in general should double the key length of block ciphers
- SHA-224 matches the 112-bit strength of triple-DES (encryption 3 times using DES)
- SHA-256, SHA-384, SHA-512 match the new key lengths (128, 192, 256) in AES

31 SHA-3
- 2007: Request for submissions of new hash functions
- 2008: Submissions deadline. Received 64 entries. Announced first-round selections of 51 candidates
- 2009: First SHA-3 candidate conference in Feb. Announced 14 Second Round Candidates in July
- 2010: After one year public review of the algorithms, the second SHA-3 candidate conference was held in Aug. Announced 5 third-round candidates in Dec
- 2011: Public comment for final round
- 2012: October 2, NIST selected Keccak as SHA-3

32 Applications of hash functions
- Password hashing
- Many other applications
- Message Integrity
- Digital signature
- Pseudo-random string generation/key derivation
- Commitment
- Message authentication codes (MAC) can be built out of hash functions; provide “symmetric” signatures

33 Review of crypto functionality
- Symmetric Encryption: provides confidentiality in the setting where two parties share a cryptographic key
  - Needs to be constructed from block cipher, mode of operation matters
- Message authentication code: provides integrity in the setting where two parties share a cryptographic key
- Public-key encryption: provides confidentiality where receiver’s identity is public
- Digital signature: provides integrity when sender’s identity is public
- Hash function: provides fixed length representation of data, hard to find collisions or preimages

