Published by Patience Robinson. Modified over 9 years ago.
1
IS 302: Information Security and Trust
Week 5: Integrity
2012
2
© Yingjiu Li 2007
Review
RSA
– Key generation
– Security (key size)
– Encryption and decryption with random padding
Envelope encryption
– RSA+AES
3
Adversary
Passive adversary
– Eavesdropping: threat to message confidentiality
– Solution with encryption (AES, RSA…): an adversary is not able to understand the message
Active adversary
– Unauthorized modification: threat to message integrity
– Solution: if an adversary modifies the message, it can always be detected!
4
Question
Assume that Mallory is an active adversary
Does encryption provide message integrity?
[Diagram: Alice, Bob and Mallory; message: Please transfer $1M to account A…]
5
Solution
Send a small piece of information as proof of message integrity
[Diagram: Alice, Bob and Mallory; message: Please transfer $1M to account A…, E7582D9C71D5DA1171293EF23FCD]
6
Proof of Message Integrity
Symmetric proof
– Message authentication code (MAC)
Asymmetric proof
– RSA signature
Both MAC and RSA signature are based on hash
7
Hash
Hash function h=H(M)
– One-way: easy to compute but hard to invert
– Collision resistant: hard to find M ≠ M’ such that H(M)=H(M’)
– Fixed length: variable-length M → fixed-length h
8
Cryptool
Indiv. procedures → hash
– MD5
– SHA1
– Sensitivity to change
9
Attacks on Hash
Pre-image attack (against one-way feature)
– Given h=H(M), find M’ such that H(M’)=h
Collision attack (against collision resistant feature)
– Given H(), find M’ and M’’ such that H(M’)=H(M’’)
10
Hash for Integrity Check
Can hash value h=H(M) be used as integrity proof for M?
– Send h together with M over public channel?
– Send h separately over secure channel?
[Diagram: Alice, Bob and Mallory; M: Please transfer $1M to account A…]
11
Hash for Integrity Check
Can hash value h=H(M) be used as integrity proof for M?
– Send h together with M over public channel (No!)
– Send h separately over secure channel (Yes!)
[Diagram: Alice, Bob and Mallory; M: Please transfer $1M to account A…, h: E7582D9C71D5DA1171293EF23FCD]
12
Standard Hash: MD5
MD5
– Output: 128 bits (32 hex digits, 16 bytes)
– Internet standard, commonly used to check integrity of files
– 1991: designed by Rivest
– 1996: a flaw was discovered
– 2004: more serious flaws
– 2007: people can create a pair of files that share the same MD5 hash value
13
Standard Hash: SHA1
SHA1
– 160 bits (40 hex digits, 20 bytes), NIST standard
– 1995: NSA, replaced SHA0 (1993)
– 2005: potential weakness was found http://www.rsa.com/rsalabs/node.asp?id=2834
  Collision attack: 2^80 → 2^39 for SHA0, 2^63 for SHA1
– 2010: last year to use as suggested by NIST
SHA2
– SHA224, SHA256, SHA384, SHA512
SHA3
– 2 Nov 2007 – 31 Oct 2008: NIST call for competition
– 2012: winner and new standard will be announced
14
A little bit more detail on SHA1
– Input: 0~2^64−1 bits (2^20~1M, 2^30~1G)
– Output: 160 bits (5*32)
– Block size: 512 bits (16*32)
– Rounds: 80
15
MAC
Message authentication code (MAC)
– MAC=H(K,M), where K is secret key (MAC key)
– Alice sends MAC together with message M
– Bob verifies M with K to see whether MAC=H(K,M)
[Diagram: Alice (k), Bob (k) and Mallory; Message & MAC: Please transfer $1M to account A, MAC]
16
Attack on MAC
– Pre-image attack to the key
– MAC key should be long enough against brute force attack
17
HMAC
HMAC = H(K,H(K,M))
– H can be any hash function
  H=MD5 → HMAC-MD5 (128 bits)
  H=SHA-1 → HMAC-SHA-1 (160 bits)
– Key size
  JCE: HMAC key = 64 bytes (512 bits)
  If key > 64 bytes, key → H(key)
  Recommended key > output size of hash function
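The point of the "Hash for Integrity Check", MAC and HMAC slides as an added Python example (not part of the original slides or the course lab): a bare hash sent with the message can be recomputed by Mallory, while a keyed HMAC cannot. It builds HMAC as RFC 2104 defines it, with the key XORed against an inner and an outer pad, for which the slide's H(K,H(K,M)) is shorthand; the key, the tampered message and all function names are constructed for illustration.

```python
import hashlib
import hmac

def hmac_rfc2104(key: bytes, msg: bytes, name: str = "sha256") -> bytes:
    """HMAC built by hand from the hash: H((K^opad) || H((K^ipad) || M))."""
    block = hashlib.new(name).block_size          # 64 bytes for MD5, SHA-1, SHA-256
    if len(key) > block:                          # slide: key > 64 bytes becomes H(key)
        key = hashlib.new(name, key).digest()
    key = key.ljust(block, b"\x00")               # shorter keys are zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(name, ipad + msg).digest()
    return hashlib.new(name, opad + inner).digest()

def bob_accepts_hash(msg: bytes, h: bytes) -> bool:
    """Bob's check when only h = H(M) travels with M (no key involved)."""
    return hmac.compare_digest(hashlib.sha256(msg).digest(), h)

def bob_accepts_mac(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Bob's check when MAC = HMAC(K, M) travels with M; constant-time compare."""
    return hmac.compare_digest(hmac_rfc2104(key, msg), tag)

def demo() -> dict:
    key = bytes(range(32))                          # constructed 32-byte key shared by Alice and Bob
    original = b"Please transfer $1M to account A"
    tampered = b"Please transfer $1M to account M"  # Mallory's modified copy (constructed)
    tag = hmac_rfc2104(key, original)
    return {
        # Mallory can recompute H(M') herself, so the bare hash still "verifies".
        "hash_accepts_tampered": bob_accepts_hash(tampered, hashlib.sha256(tampered).digest()),
        # Without K she can only reuse the old tag, which no longer matches.
        "mac_accepts_tampered": bob_accepts_mac(key, tampered, tag),
        "mac_accepts_original": bob_accepts_mac(key, original, tag),
        "matches_stdlib": tag == hmac.new(key, original, hashlib.sha256).digest(),
        "long_key_hashed": hmac_rfc2104(b"k" * 100, original)
                           == hmac_rfc2104(hashlib.sha256(b"k" * 100).digest(), original),
        "tag_bits": {n: 8 * len(hmac_rfc2104(key, original, n)) for n in ("md5", "sha1", "sha256")},
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```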
18
Encryption-Based MAC
DES-MAC
– DES encryption E(M,K) → blk1, blk2, … blkn
– MAC = blk1 blk2 … blkn
– K is a DES key (56 bits): weak security
– DES-MAC is 64 bits
AES-MAC
– What is the key size?
– How long is the AES-MAC?
19
Cryptool
Indiv. procedures → hash → HMAC
– SHA-256
– Double hashing
20
Repudiation Problem with MAC
If Alice denies sending message to Bob, Bob cannot prove to any third-party authority that Alice is lying
[Diagram: Alice (k), Bob (k) and Mallory; Message & MAC: Please transfer $1M to account A, MAC; secret channel]
21
Solution: RSA Signature
Alice with RSA public key (n,e) and private key d
– Compute digital signature sig = H(M)^d mod n (only Alice can generate this signature with her private RSA key d)
– Send (M, sig) to Bob
Bob:
– Compute H(M)
– Verify sig by comparing if H(M) = sig^e mod n (anyone can verify the signature with Alice’s public RSA key e,n)
[Diagram: Alice (d) sends (M, sig = H(M)^d mod n) to Bob (n,e) over a public channel. d: Alice’s private key; n,e: Alice’s public key]
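The sign and verify steps above as an added Python example (not from the original slides or Lab.doc), using the textbook form sig = H(M)^d mod n exactly as the slide states it, without the padding a production RSA signature scheme adds. The toy key built from two Mersenne primes and all function names are assumptions, chosen so the block runs without a key generator.

```python
import hashlib

# Constructed toy key: p and q are the Mersenne primes 2^521-1 and 2^607-1, used
# only so no key generator is needed. An n of this form is trivially factorable.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                                   # public modulus n (1128 bits)
E = 65537                                   # public exponent e
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent d, known only to Alice

def h_int(msg: bytes) -> int:
    """H(M) as an integer; the 256-bit SHA-256 output is always smaller than n."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(msg: bytes, d: int = D, n: int = N) -> int:
    """Alice: sig = H(M)^d mod n."""
    return pow(h_int(msg), d, n)

def verify(msg: bytes, sig: int, e: int = E, n: int = N) -> bool:
    """Bob (or any third party): accept iff H(M) == sig^e mod n."""
    return h_int(msg) == pow(sig, e, n)

def sig_len_bytes(n: int = N) -> int:
    """A signature is a number mod n, so it is as long as the modulus, not the hash."""
    return (n.bit_length() + 7) // 8

if __name__ == "__main__":
    m = b"Please transfer $1M to account A"
    s = sign(m)
    print("valid:", verify(m, s))
    print("tampered message:", verify(b"Please transfer $1M to account M", s))
    print("tampered signature:", verify(m, s ^ 1))
    print("modulus bits:", N.bit_length(), "signature bytes:", sig_len_bytes())
```

Verification needs only (n, e), which is why Bob can hand (M, sig) to a third party as evidence, something the shared-key MAC on the previous slide cannot offer.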
22
Discussion
– What is the difference between RSA encryption and RSA signature?
– What is the size of an RSA-1024 signature with SHA-256?
– What is the size of HMAC with SHA-256?
– In what scenarios should you choose RSA signature or MAC?
23
Demo in CrypTool
Digital signatures/PKI
– Sign document (SHA1+RSA-512)
– Verify signature
24
Security of some crypto-algorithms
Columns: Cryptographic strength; Symmetric (key length); Asymmetric (modulus length); Hashing/MACs (hash value length)
Weak
– Symmetric: DES 40-bit, RC4 40-bit
– Asymmetric: RSA 256-bit
Medium
– Symmetric: DES 56-bit, CAST 64-bit
– Asymmetric: RSA 512-bit, D-H 512-bit, DSA 512-bit
– Hashing/MACs: ANSI X9.9 MAC 32-bit
Strong
– Symmetric: Triple DES 112-bit, AES 128-bit, IDEA 128-bit, RC4 128-bit
– Asymmetric: RSA 1024-bit, D-H 1024-bit, DSA 1024-bit
– Hashing/MACs: MD4/MD5 128-bit ?, SHA-1 160-bit ?
Very strong
– Symmetric: AES 192-bit, AES 256-bit
– Asymmetric: RSA 2048-bit, ECC 300-bit
– Hashing/MACs: SHA224, SHA-256, SHA-384, SHA-512
25
Hands-on Exercise
Download week5.zip into your IS302 directory
Unzip it (extract to week5 directory)
Follow the instructions in Lab.doc
– 2.1 HMAC in JCE
– 2.2 RSA signature in JCE
26
Review
How long is an RSA-1024 with SHA1 signature?
1) 128 bits
2) 160 bits
3) 1024 bits
Alice sends a message with an RSA signature to Bob. Which key should be used to generate the signature?
1) Alice’s private key
2) Alice’s public key
3) Bob’s public key
How long is AES-MAC?
1) 128 bits
2) 160 bits
3) 1024 bits