Published by Claribel Shelton, modified over 9 years ago
Códigos y Criptografía, Francisco Rodríguez Henríquez

PKCS (Public-key cryptography standards)
Network Access Security Model [figure]
Security Levels
– Confidentiality: protection from disclosure to unauthorized persons
– Integrity: maintaining data consistency
– Authentication: assurance of the identity of a person or of the originator of data
– Non-repudiation: the originator of a communication cannot deny it later
– Authorization: identity combined with an access policy grants the right to perform some action
Security Building Blocks
– Encryption provides confidentiality; it can also provide authentication and integrity protection
– Checksums/hash algorithms provide integrity protection; they can also provide authentication
– Digital signatures provide authentication, integrity protection, and non-repudiation
Keys: Symmetric Keys
– Both parties share the same secret key
– A major problem is securely distributing the key
– DES: its 56-bit key has been considered unsafe for financial purposes since 1998
– 3DES uses three DES keys
Keys: Public/Private Keys
– One key is the mathematical inverse of the other
– Private keys are known only to the owner
– Public keys are stored on public servers, usually in an X.509 certificate
– RSA (patent expires September 2000), Diffie-Hellman, DSA
A Simplified Model of Conventional Encryption [figure]
Public-Key Cryptography [figure]

Public-Key Cryptography [figure, continued]
Message Digest
A message digest, also known as a one-way hash function, is a fixed-length, computationally unique identifier corresponding to a set of data. That is, each unit of data (a file, a buffer, etc.) maps to a particular short block, called a message digest. It is not random: digesting the same unit of data with the same digest algorithm always produces the same short block. A good message digest algorithm has the following qualities:
– The algorithm accepts input data of any length.
– The algorithm produces a fixed-length output for any input data.
– The digest reveals nothing about the input that was used to generate it.
– It is computationally infeasible to produce data that has a specific digest.
– It is computationally infeasible to produce two different units of data that have the same digest.
Hash Algorithms
Reduce variable-length input to fixed-length (128- or 160-bit) output
Requirements:
– Can't deduce the input from the output
– Can't generate a given output
– Can't find two inputs which produce the same output
Hash Algorithms
Used to:
– Produce a fixed-length fingerprint of arbitrary-length data
– Produce data checksums to enable detection of modifications
– Distill passwords down to fixed-length encryption keys
Also called message digests or fingerprints
Message Authentication Code (MAC)
Hash algorithm + key, to make the hash value dependent on the key
The most common form is HMAC (hash MAC):
– hash( key, hash( key, data ))
The key affects both the start and the end of the hashing process
Naming: hash + key = HMAC-hash
– MD5 → HMAC-MD5
– SHA-1 → HMAC-SHA (recommended)
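The nested construction on the slide, written out in full, is RFC 2104 HMAC: the key is mixed into the start of the inner hash and again into the start of the outer hash. The following is an added example, not code from the slides; it builds HMAC from a plain hash function, checks the result against the standard library's hmac module, and verifies tags with a constant-time comparison. The hash name and test strings are assumptions chosen for the example.

```python
import hashlib
import hmac


def hmac_from_scratch(key: bytes, data: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC as in RFC 2104: H((K xor opad) || H((K xor ipad) || data)).

    This is the slide's 'hash(key, hash(key, data))': the key enters once at the
    start of the inner hash and once at the start of the outer hash, so neither a
    prefix nor a suffix of the data can be manipulated without knowing the key.
    """
    h = getattr(hashlib, hash_name)
    block_size = h().block_size            # 64 bytes for MD5, SHA-1 and SHA-256
    if len(key) > block_size:              # long keys are hashed down to digest size first
        key = h(key).digest()
    key = key.ljust(block_size, b"\x00")   # short keys are zero-padded to the block size
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = h(ipad + data).digest()
    return h(opad + inner).digest()


def verify_mac(key: bytes, data: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Recompute the tag and compare in constant time; a plain == would leak how many
    leading bytes of a forged tag were right."""
    return hmac.compare_digest(hmac_from_scratch(key, data, hash_name), tag)


def matches_stdlib(key: bytes, data: bytes, hash_name: str = "sha1") -> bool:
    """Cross-check against the standard library implementation."""
    return hmac_from_scratch(key, data, hash_name) == hmac.new(key, data, hash_name).digest()


if __name__ == "__main__":
    # RFC 2202 test case 2 (constructed input from the RFC, not from the slides)
    key, data = b"Jefe", b"what do ya want for nothing?"
    tag = hmac_from_scratch(key, data, "sha1")
    print("HMAC-SHA1:", tag.hex())
    print("stdlib agrees:", matches_stdlib(key, data, "sha1"))
    print("tampered data accepted:", verify_mac(key, data + b"!", tag))
```

The naming rule on the slide maps directly onto the `hash_name` parameter: `hmac_from_scratch(..., "md5")` is HMAC-MD5 and `hmac_from_scratch(..., "sha1")` is HMAC-SHA1. For new designs use HMAC-SHA256; the construction is identical.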
RSA: An Example [figure]
Digital Signatures
Combines a hash with a digital signature algorithm
To sign:
– hash the data
– encrypt the hash with the sender's private key
– send the data, the signer's name and the signature
To verify:
– hash the data
– decrypt the signature with the sender's public key
– the result should match the hash
Digital Signatures
A data string associating a message with an originating entity
– Signature generation algorithm
– Signature verification algorithm
– Signature scheme
Used for authentication, integrity, and non-repudiation
Public key certification is one of the most significant applications
Digital Signature/Verification Schemes [figures, three slides]
Diffie-Hellman protocol [figures, three slides]
Key exchange: Diffie-Hellman protocol

Machine A:
1. Picks a ∈ GF(p) at random
2. Computes T_A = g^a mod p
3. Sends T_A
4. Receives T_B
5. Computes K_A = T_B^a mod p

Machine B:
1. Picks b ∈ GF(p) at random
2. Computes T_B = g^b mod p
3. Receives T_A
4. Sends T_B
5. Computes K_B = T_A^b mod p

Where K = K_A = K_B, because T_B^a = (g^b)^a = g^(ba) = g^(ab) = (g^a)^b = T_A^b mod p.
Message for Anita in La Jornada
Dear Anita of my heart: I would like to ask that our prime number be 128903289023 and our g 23489. With love, Betito.
Middle-person attack
Consider the following scenario:

Anita                    Middle-person                  Betito
g^a = 8389               g^x = 5876                     g^b = 9267
  sends 8389 →           ← sends 5876
                         sends 5876 →                   ← sends 9267
Shared key K_AX: 5876^a = 8389^x                        Shared key K_BX: 9267^x = 5876^b

After this exchange, the middle-person attacker simply decrypts any messages sent out by A or B, reads and possibly modifies them, and then re-encrypts them with the appropriate key before transmitting them to the correct party. The middle-person attack is possible because the Diffie-Hellman exchange does not authenticate the participants. Possible solutions are digital signatures and other protocol variants.
Solution: Mutual authentication
A → B: I am A, R1
B → A: R2, K_AB{R1}
A → B: K_AB{R2}
Reflection attack
T → B (session 1): I am A, R1
B → T (session 1): R2, K_AB{R1}
T → B (session 2): I am A, R2
B → T (session 2): R3, K_AB{R2}
B's answer in session 2 gives T the value K_AB{R2} needed to finish session 1.
Encryption across a packet-switching network [figure]
Elements of PKI
– Certificate Authorities (CA): OpenSSL, Netscape, Verisign, Entrust, RSA Keon
– Public/private key pairs: key management
– X.509 identity certificates: certificate management
– LDAP servers
Public-key cryptography standards (PKCS)
– Owned by RSA and motivated to promote RSA
– Created in the early 1990s
– Numbered from PKCS #1 to PKCS #15
– Some along the way have lost interest, been folded into other PKCS, or been taken over by other standards bodies
– PKCS continue to evolve
RSA cryptosystem by layers
– F_p finite field operations: addition, squaring, multiplication, inversion and exponentiation
– RSA primitive operations: encryption C = M^e mod n, decryption M = C^d mod n
– PKCS primitives: PKCS1_OAEP_Encode, PKCS1_OAEP_Decode, etc.
– PKCS user functions: PKCS1_OAEP_Encrypt, PKCS1_OAEP_Decrypt, PKCS1_v15_Sign, ...
– Protocols and applications: SSL, TLS, WTLS, WAP, etc.
PKCS #1
– RSA Encryption Standard, version 1.5 (1993)
– RSA Cryptography Standard, version 2.0 onwards (1998)
PKCS #1
Specifies how to use the RSA algorithm securely for encryption and signature. Why do we need this?
– Padding for encryption
– Different schemes for signature
PKCS #1: chosen ciphertext attack based on the multiplicative property of RSA
– The attacker wishes to decrypt c
– Chooses r and computes c' = c·r^e mod n
– Gets the victim to decrypt c', giving c^d·r mod n
– c^d·r·r^-1 mod n = c^d mod n
– Padding destroys the multiplicative property
RSA: Key Generation [figure]

RSA: Encryption, Decryption [figure]

RSA: An Example [figure]
RSA encryption is deterministic
Attack example: C = PIN^e mod n, where PIN is a 4-digit number. We can check whether M is the message of C by testing C = M^e mod n, so we can find M by brute force within several tens of seconds.
=> We need a semantically secure cryptosystem!
Semantically secure: for two messages M_0, M_1 and C = M_b^e mod n, attackers cannot guess whether C is the encryption of M_b (b = 0, 1).
An easy way is to pad M with a random integer R, like M||R, but there is no security proof!
Chosen Ciphertext Attack (CCA)
[figure: the attacker sends a ciphertext C to a decryption oracle holding d and receives information based on C and d]
An attack example:
(0) Assume the decryption oracle computes A^d mod n for a request A.
(1) The attacker computes A = R^e·C mod n for a random R in Z_n, and sends A to the decryption oracle.
(2) The decryption oracle computes B = A^d mod n and sends B back to the attacker.
(3) The attacker computes B/R = M mod n and obtains the message M.
There are several models which are secure against the chosen ciphertext attack.
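Steps (0) to (3) above, and the earlier remark that padding destroys the multiplicative property, carried out on a toy key. This is an added example, not code from the slides: the key (two Mersenne primes, 234-bit modulus) and the messages are constructed for it, and `raw_decrypt_oracle`, `padded_decrypt_oracle`, `blind_query` and `pad_v15` are names assumed here. Against a raw oracle the blinded query returns M exactly; when the oracle only releases blocks with the PKCS #1 v1.5 structure 00 02 || PS || 00 || M, the same blinded ciphertext decrypts to a block without that structure and is refused.

```python
import secrets

# Toy RSA key constructed for this example: two Mersenne primes give a 234-bit modulus
# (k = 30 octets). Fine for a demonstration, far too small and too special for real use.
P, Q = 2**127 - 1, 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8


def rsa_encrypt(m: int) -> int:
    return pow(m, E, N)


def raw_decrypt_oracle(c: int) -> int:
    """The oracle of step (0): answers c^d mod n for any c, with no structure check."""
    return pow(c, D, N)


def blind_query(c: int, r: int) -> int:
    """Steps (1)-(3): A = r^e * c mod n, B = A^d mod n, M = B * r^-1 mod n.
    Works only because (r^e * c)^d = r * c^d mod n, the multiplicative property."""
    a = (pow(r, E, N) * c) % N
    b = raw_decrypt_oracle(a)
    return (b * pow(r, -1, N)) % N


def pad_v15(message: bytes, k: int = K) -> int:
    """PKCS #1 v1.5 block type 02: 00 || 02 || PS (random non-zero, >= 8 octets) || 00 || message,
    returned as the integer message representative."""
    ps_len = k - 3 - len(message)
    if ps_len < 8:
        raise ValueError("message too long for this modulus")
    ps = bytes(1 + secrets.randbelow(255) for _ in range(ps_len))
    return int.from_bytes(b"\x00\x02" + ps + b"\x00" + message, "big")


def padded_decrypt_oracle(c: int, k: int = K):
    """Decrypts and checks the block structure; returns the message, or None if malformed."""
    eb = pow(c, D, N).to_bytes(k, "big")
    if eb[:2] != b"\x00\x02" or b"\x00" not in eb[2:]:
        return None
    sep = eb.index(b"\x00", 2)
    if sep - 2 < 8:                      # PS must be at least 8 octets
        return None
    return eb[sep + 1:]


if __name__ == "__main__":
    m = int.from_bytes(b"unpadded", "big")
    print("raw oracle leaks M:", blind_query(rsa_encrypt(m), 12345) == m)
    c = rsa_encrypt(pad_v15(b"PIN=4931"))
    blinded = (pow(2, E, N) * c) % N
    print("padded oracle on r^e*c:", padded_decrypt_oracle(blinded))   # None: the 00 02 structure is gone
```

With r = 2 the blinded block is 2·EB, whose leading octets are 00 04 or 00 05, so the refusal is deterministic rather than probabilistic. The caveat, developed on the Bleichenbacher slide further down, is that an oracle which reveals whether the structure check passed is itself exploitable, so a v1.5 decryptor must not distinguish malformed from well-formed blocks in its error behaviour or timing; OAEP removes the problem at the design level.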
Side Channel Attacks

Algorithm: Binary exponentiation
Input: a in G, exponent d = (d_k, d_k-1, ..., d_0) (d_k is the most significant bit)
Output: c = a^d in G
1. c = a;
2. For i = k-1 down to 0:
3.   c = c^2;
4.   If d_i = 1 then c = c*a;
5. Return c;

The time or the power needed to execute c^2 and c*a are different (side channel information).

Algorithm: Coron's exponentiation (square-and-multiply always)
Input: a in G, exponent d = (d_k, d_k-1, ..., d_0)
Output: c = a^d in G
1. c[0] = 1;
2. For i = k down to 0 (the loop starts from c[0] = 1, so bit d_k must be processed as well):
3.   c[0] = c[0]^2;
4.   c[1] = c[0]*a;
5.   c[0] = c[d_i];
6. Return c[0];
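Both algorithms above, instrumented to count squarings and multiplications, as an added example that is not code from the slides. The counts make the slide's point concrete: the binary method multiplies once per set bit of d, so a trace of operation timings or power spikes reads the exponent off bit by bit, while Coron's method performs exactly one squaring and one multiplication per bit whatever d is. Function names and the toy modulus are assumptions of the example.

```python
def binary_exponentiation(a: int, d: int, modulus: int) -> tuple:
    """Left-to-right square-and-multiply as on the slide.
    Returns (a^d mod modulus, squarings, multiplications). The multiplication count
    is (Hamming weight of d) - 1, so the operation sequence leaks d's bits."""
    if d == 0:
        return 1 % modulus, 0, 0
    bits = bin(d)[2:]             # d_k ... d_0, most significant first; d_k is 1
    c = a                         # step 1: c = a accounts for d_k
    squarings = multiplications = 0
    for bit in bits[1:]:          # steps 2-4: i = k-1 down to 0
        c = (c * c) % modulus
        squarings += 1
        if bit == "1":            # the data-dependent branch an attacker observes
            c = (c * a) % modulus
            multiplications += 1
    return c, squarings, multiplications


def coron_exponentiation(a: int, d: int, modulus: int) -> tuple:
    """Square-and-multiply-always (Coron). Both operations run on every bit; the
    secret bit only selects which of the two results survives."""
    bits = bin(d)[2:]
    c = [1, 1]                    # c[0] starts at 1, so every bit d_k ... d_0 is processed
    squarings = multiplications = 0
    for bit in bits:
        c[0] = (c[0] * c[0]) % modulus
        c[1] = (c[0] * a) % modulus
        squarings += 1
        multiplications += 1
        c[0] = c[int(bit)]        # selection instead of a conditional multiplication
    return c[0], squarings, multiplications


def trace_profile(d: int, modulus: int = 1000, a: int = 3) -> dict:
    """Operation counts that a timing or power trace would expose, for both algorithms."""
    _, bsq, bmul = binary_exponentiation(a, d, modulus)
    _, csq, cmul = coron_exponentiation(a, d, modulus)
    return {"binary": (bsq, bmul), "coron": (csq, cmul)}


if __name__ == "__main__":
    for exponent in (0b1011, 0b1000, 0b1111):
        print(f"d={exponent:04b}", trace_profile(exponent))
```

Python integers are not constant-time objects, and `c[int(bit)]` is still a secret-dependent memory access, so this models only the coarse operation sequence that the slide is about; production code additionally needs constant-time field arithmetic and blinding of the exponent or base.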
Differential Fault Attack (DFA)
An attacker obtains a decryption which is computed in a wrong way.

RSA decryption with the CRT (n = p·q, M = C^d mod n):
– dp = d mod (p-1), Mp = C^dp mod p
– dq = d mod (q-1), Mq = C^dq mod q
– v = (Mq – Mp)·p^-1 mod q
– M = Mp + p·v mod n

In RSA using the CRT, if an attacker can break the computation of v (forcing v = 0), then he/she can factor n by computing gcd(M – Mp, n) = p.
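The CRT computation above with the standard countermeasure against this attack, as an added example that is not code from the slides: before the result leaves the device it is re-encrypted with the public exponent and compared to the ciphertext, and a mismatch suppresses the output instead of releasing a faulty M. The toy key (p = 61, q = 53, e = 17) and the `inject_fault` switch that simulates the broken v computation are constructed for the example.

```python
# Toy key constructed for this example: p = 61, q = 53, n = 3233, e = 17, d = 2753.
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


class FaultDetected(Exception):
    pass


def crt_decrypt(c: int, inject_fault: bool = False) -> int:
    """RSA decryption with the CRT exactly as on the slide, followed by the check
    that the result re-encrypts to c. inject_fault=True simulates a fault that
    forces v to zero, the scenario the slide describes."""
    dp, dq = D % (P - 1), D % (Q - 1)
    mp = pow(c, dp, P)                     # Mp = C^dp mod p
    mq = pow(c, dq, Q)                     # Mq = C^dq mod q
    v = ((mq - mp) * pow(P, -1, Q)) % Q    # v = (Mq - Mp) p^-1 mod q
    if inject_fault:
        v = 0                              # the faulted step: M collapses to Mp
    m = (mp + P * v) % N                   # M = Mp + p v mod n
    if pow(m, E, N) != c:                  # countermeasure: verify before release
        raise FaultDetected("CRT result does not re-encrypt to the ciphertext")
    return m


def decrypt_or_none(c: int, inject_fault: bool = False):
    """What a hardened device exposes: the plaintext, or nothing at all."""
    try:
        return crt_decrypt(c, inject_fault)
    except FaultDetected:
        return None


if __name__ == "__main__":
    c = pow(65, E, N)                      # encrypt M = 65 -> C = 2790
    print("correct:", crt_decrypt(c))
    print("faulted:", decrypt_or_none(c, inject_fault=True))
```

Without the check, the faulted output would be Mp = 65 mod 61 = 4, and the slide's gcd(M - Mp, n) = gcd(65 - 4, 3233) = 61 = p recovers a factor from a single bad decryption; with it, the device returns nothing. The check costs one public-exponent exponentiation, which is cheap next to the private operation.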
Klima-Rosa attack against PGP
[figure: the attacker sends an integer X to a decryption oracle holding d and the modified modulus n', and receives X^d mod n']
– An attacker can change the public key n to n'
– The attacker can obtain X^d mod n' for the changed n'
– He/she can recover d with the Silver-Pohlig-Hellman algorithm
– PGP does not encrypt the key file which includes n
Bleichenbacher's CCA
[figure: the attacker sends any integer C mod n to a decryption oracle holding d, which answers only whether C^d is in PKCS format or not]
PKCS format for a message m (most significant byte on the left, least significant byte on the right):
  00 | 02 | random padding (at least 8 bytes) | 00 | message m
Theorem (Bleichenbacher): Let n be a 1024-bit RSA modulus. For a given C, the value C^d mod n can be computed with about 2^20 accesses to the decryption oracle, where d is the secret key.
PKCS #1 version 1.5, 1993
– Encryption padding was found defective in 1998 by Bleichenbacher
– Possible to generate valid ciphertext without knowing the corresponding plaintext, with reasonable probability of success (chosen ciphertext)
PKCS #1 (version 2.0)
Uses Optimal Asymmetric Encryption Padding (OAEP) by Bellare-Rogaway, 1994
– provably secure in the random oracle model
– informally, if the hash functions are truly random, then an adversary who can recover such a message must be able to break RSA
– plaintext-awareness: to construct a valid OAEP-encoded message, an adversary must know the original plaintext
PKCS #1 version 1.5 padding continues to be allowed for backward compatibility
Accommodation for multi-prime RSA
– speeds up private key operations
PKCS #1: Cryptographic primitives
Cryptographic schemes:
– Encryption scheme
– Signature scheme: signature with appendix is supported; signature with message recovery is not supported
Encoding and decoding:
– Converting an integer message into an octet string for use in an encryption or signature scheme, and vice versa
PKCS #1: Cryptographic primitives
– Encrypt: RSAEP((n,e), m)
– Decrypt: RSADP((n,d), c)
– Sign: RSASP1((n,d), m)
– Verify: RSAVP1((n,e), s)
Basically exponentiation with differently named inputs!
PKCS #1: Encryption scheme
Combines the encryption primitive with an encryption encoding method:
  message → encoded message → integer message representative → encrypted message
Decryption scheme: combines the decryption primitive with a decryption decoding method:
  encrypted message → integer message representative → encoded message → message
Original version 1.5 scheme and new version 2.0 scheme
PKCS #1: Signature scheme
Combines the signature primitive with a signature encoding method:
  message → encoded message → integer message representative → signature
Verification scheme: combines the verification primitive with a verification decoding method:
  signature → integer message representative → encoded message → message
Original version 1.5 scheme, signature with appendix
PKCS #1: notation
Symbol   Meaning
k        Length of n in octets
n        The modulus, 2^(8(k-1)) ≤ n < 2^(8k)
p, q     Prime factors of n
e        Public exponent
d        Private exponent
M        Message
MD       Message digest
MD'      Computed message digest
EB       Encryption block
ED       Encrypted data
BT       Block type
PS       Padding string
S        Signature
||X||    Length of X in octets
PKCS #1 data formatting
The data is an octet string D, where ||D|| ≤ k - 11. BT is a single octet whose hex representation is either 00 or 01. PS is an octet string with ||PS|| = k - 3 - ||D||. If BT = 00, then all octets in PS are 00; if BT = 01, then all octets in PS are FF.
PKCS #1 data formatting
The formatted data block (called the encryption block) is: EB = 00 || BT || PS || 00 || D.
For an encrypted message m (block type 02) the block is, most significant byte on the left:
  00 | 02 | random padding (at least 8 bytes) | 00 | message m
PKCS #1 data formatting
i. The leading 00 octet ensures that the octet string EB, when interpreted as an integer, is less than the modulus n.
ii. If the block type is BT = 00, then either D must begin with a non-zero octet or its length must be known, in order to permit unambiguous parsing of EB.
PKCS #1 data formatting
iii. If BT = 01, then unambiguous parsing is always possible.
iv. For the reason given in (iii), and to thwart certain potential attacks on the signature mechanism, BT = 01 is recommended.
PKCS #1 data formatting
Example: Suppose that n is a 1024-bit modulus (so k = 128). If ||D|| = 20 octets, then ||PS|| = 105 octets, so that ||EB|| = 128 octets.
Signature process for PKCS #1
1. Message hashing. Hash the message M using the selected message-digest algorithm to get the octet string MD.
2. Message digest encoding. MD and the hash algorithm identifier are combined into an ASN.1 (Abstract Syntax Notation One) value and then BER-encoded (Basic Encoding Rules) to give an octet data string D.
Signature process for PKCS #1
3. Data block formatting. With the data string D as input, use the data formatting discussed previously to form the octet string EB.
4. Octet-string-to-integer conversion. Let the octets of EB be EB_1 || EB_2 || ... || EB_k. Define EB'_i to be the integer whose binary representation is the octet EB_i (least significant bit on the right), and let the message representative be m = Σ_{i=1}^{k} 2^(8(k-i)) · EB'_i.
Signature process for PKCS #1
5. RSA computation. Compute s = m^d mod n.
6. Integer-to-octet-string conversion. Convert s to an octet string ED. The signature is S = ED.
Signature process for PKCS #1 [figure]
MESSAGE → 1. Message hashing → 2. Message digest encoding → 3. Data block formatting → 4. Octet-string-to-integer conversion → 5. RSA computation → 6. Integer-to-octet-string conversion → SIGNATURE
Verification process for PKCS #1
1. Octet-string-to-integer conversion. Reject S if the bit length of S is not a multiple of 8. Convert S to an integer s as in step 4 of the signature process. Reject the signature if s > n.
2. RSA computation. Compute m = s^e mod n.
Verification process for PKCS #1
3. Integer-to-octet-string conversion. Convert m to an octet string EB as in step 6 of the signature process.
4. Parsing. Parse EB into a block type BT, a padding string PS, and the data D. Reject if EB cannot be parsed unambiguously. Reject if BT is not one of 00 or 01. Reject if PS consists of fewer than 8 octets or is inconsistent with BT.
Verification process for PKCS #1
5. Data decoding.
– BER-decode D to get a message digest MD and a hash algorithm identifier.
– Reject if the hash algorithm identifier does not identify one of MD2 or MD5.
6. Message digesting and comparison. Hash the message M using the selected message-digest algorithm to get the octet string MD', and compare it with the MD obtained in (5).
Verification process for PKCS #1 [figure]
SIGNATURE and message → 1. Octet-string-to-integer conversion → 2. RSA computation → 3. Integer-to-octet-string conversion → 4. Parsing → 5. Data decoding → 6. Message digesting and comparison
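The data formatting rules (EB = 00 || BT || PS || 00 || D, the k - 11 limit, the PS rules for BT 00 and 01) and the six signature and verification steps above, implemented together, as an added example that is not code from the slides or from the standard's own implementations. The key is a toy one constructed for the example (two Mersenne primes, 648-bit modulus, so k = 81); MD5 is used because the slide's step 5 accepts MD2 or MD5, and the DigestInfo prefix is the BER encoding given for MD5 in PKCS #1. `format_block`, `parse_block`, `sign` and `verify` are names assumed here.

```python
import hashlib

# Toy RSA key constructed for this example: two Mersenne primes, n of 648 bits, k = 81 octets.
# Adequate for a demonstration, unacceptable for real keys.
P, Q = 2**521 - 1, 2**127 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8

# BER-encoded DigestInfo for MD5 without the 16-byte digest (from PKCS #1 / RFC 3447, 9.2):
# SEQUENCE { SEQUENCE { OID 1.2.840.113549.2.5, NULL }, OCTET STRING (16) }
MD5_DIGESTINFO_PREFIX = bytes.fromhex("3020300c06082a864886f70d020505000410")


def format_block(bt: int, data: bytes, k: int = K) -> bytes:
    """EB = 00 || BT || PS || 00 || D with ||PS|| = k - 3 - ||D||; BT is 00 or 01.
    With BT = 00 the caller must ensure D starts with a non-zero octet (rule ii)."""
    if bt not in (0x00, 0x01):
        raise ValueError("block type must be 00 or 01")
    if len(data) > k - 11:
        raise ValueError("||D|| must be at most k - 11")
    ps = bytes([0x00 if bt == 0x00 else 0xFF]) * (k - 3 - len(data))
    return b"\x00" + bytes([bt]) + ps + b"\x00" + data


def parse_block(eb: bytes) -> tuple:
    """Inverse of format_block with the rejection rules of verification step 4.
    Returns (BT, PS, D) or raises ValueError."""
    if len(eb) < 11 or eb[0] != 0x00 or eb[1] not in (0x00, 0x01):
        raise ValueError("bad leading octet or block type")
    bt = eb[1]
    if bt == 0x01:
        sep = eb.index(b"\x00", 2)            # first 00 after BT terminates the FF run
        ps = eb[2:sep]
        if any(b != 0xFF for b in ps):
            raise ValueError("PS inconsistent with BT = 01")
    else:                                     # BT = 00: PS is zeros, D starts non-zero
        sep = 2
        while sep < len(eb) and eb[sep] == 0x00:
            sep += 1
        sep -= 1                              # the separator is the last 00 before D
        ps = eb[2:sep]
    if len(ps) < 8:
        raise ValueError("PS shorter than 8 octets")
    return bt, ps, eb[sep + 1:]


def sign(message: bytes) -> bytes:
    md = hashlib.md5(message).digest()                 # 1. message hashing
    d = MD5_DIGESTINFO_PREFIX + md                     # 2. message digest encoding (BER DigestInfo)
    eb = format_block(0x01, d)                         # 3. data block formatting, BT = 01 as recommended
    m = int.from_bytes(eb, "big")                      # 4. octet string to integer
    s = pow(m, D, N)                                   # 5. RSA computation
    return s.to_bytes(K, "big")                        # 6. integer to octet string, S = ED


def verify(message: bytes, signature: bytes) -> bool:
    try:
        if len(signature) != K:                        # 1. S must be exactly k octets
            return False
        s = int.from_bytes(signature, "big")
        if s >= N:
            return False
        m = pow(s, E, N)                               # 2. RSA computation
        eb = m.to_bytes(K, "big")                      # 3. integer to octet string
        _, _, d = parse_block(eb)                      # 4. parsing with its rejections
        # 5. data decoding: the whole of D must be DigestInfo(MD5) || digest, nothing after it
        if len(d) != len(MD5_DIGESTINFO_PREFIX) + 16 or not d.startswith(MD5_DIGESTINFO_PREFIX):
            return False
        md = d[len(MD5_DIGESTINFO_PREFIX):]
        return hashlib.md5(message).digest() == md     # 6. message digesting and comparison
    except ValueError:
        return False


if __name__ == "__main__":
    sig = sign(b"attack at dawn")
    print("k =", K, "signature octets =", len(sig))
    print("verifies:", verify(b"attack at dawn", sig), "tampered:", verify(b"attack at noon", sig))
```

The length check in step 5 matters: a verifier that locates the digest but ignores trailing octets in D, or that does not insist PS reach the separator, accepts malformed blocks that an attacker can construct without the private key when e is small. The slide's own example reproduces: `format_block(0x01, D, 128)` with a 20-octet D yields 105 octets of PS and a 128-octet EB.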
PKCS #1: The Future
Probabilistic signature scheme (PSS)
– Provably secure in the random oracle model
– Natural extension to message recovery