Network Security Network Security Essentials Essentials Chapter 3 Chapter 3 Fourth Edition Fourth Edition by William Stallings by William Stallings (Based on (Based on Lecture slides by Lecture slides by Lawrie Brown Lawrie Brown ) ) Public Key Cryptography and Public Key Cryptography and RSA RSA Every Egyptian received two names, Every Egyptian received two names, which were known respectively as the which were known respectively as the true name and the good name, or the true name and the good name, or the great name and the little name; and great name and the little name; and while the good or little name was made while the good or little name was made public, the true or great name appears public, the true or great name appears to have been carefully concealed. to have been carefully concealed. — — The Golden Bough, The Golden Bough, Sir James George Sir James George Frazer Frazer Outline  Message authentication Message authentication  Public-key cryptography Public-key cryptography  Digital signatures Digital signatures Message Authentication Message Authentication  message authentication is concerned message authentication is concerned with: with:  protecting the integrity of a message protecting the integrity of a message  validating identity of originator validating identity of originator  non-repudiation of origin (dispute resolution) non-repudiation of origin (dispute resolution)  the three alternative functions the three alternative functions used: used:  message encryption message encryption  hash function hash function  message authentication code (MAC) message authentication code (MAC) Message Authentication Code  MAC MAC M M =F(K =F(K AB AB , M) , M)  Message not altered Message not altered  The alleged sender confirmed The alleged sender confirmed  The proper sequence of messages assured The proper sequence of messages assured  Similar to encryption Similar to encryption  NIST recommends the use of DES NIST recommends the use of DES  One difference: authentication algorithm need not be One difference: authentication algorithm need not be reversible, less vulnerable reversible, less vulnerable Hash Functions Hash Functions  condenses arbitrary message to fixed condenses arbitrary message to fixed size size h = H(M) h = H(M)  No secret key needed No secret key needed  usually assume hash function is public usually assume hash function is public  hash used to detect changes to message hash used to detect changes to message  want a cryptographic hash function want a cryptographic hash function  computationally infeasible to find data mapping to computationally infeasible to find data mapping to specific hash ( specific hash ( one-way one-way property) property)  computationally infeasible to find two data to same hash computationally infeasible to find two data to same hash ( ( collision-free collision-free property) property) [...]... revision FIPS 180-2 in 2002      adds 3 additional versions of SHA: SHA-256, SHA -38 4, SHA-512 designed for compatibility with increased security provided by the AES cipher structure & detail is similar to SHA-1 hence analysis should be similar, but security levels are rather higher NIST FIPS 180 -3 (in 2008) adds SHA-224  RFC 4 634 details SHA-224, -256, -38 4, -512 SHA Versions SHA-512 Overview SHA-512... against brute-force attacks  128-bits inadequate, 160-bits suspect Secure Hash Algorithm    SHA originally designed by NIST & NSA in 19 93 was revised in 1995 as SHA-1 US standard for use with DSA signature scheme      standard is FIPS 180-1 1995, also Internet RFC3174 nb the algorithm is SHA, the standard is SHS based on design of MD4 with key differences produces 160-bit hash values recent 2005... integers modulo a prime    nb exponentiation takes O((log n) 3) operations (easy) uses large integers (eg 1024 bits) security due to cost of factoring large numbers  nb factorization takes O(e log n log log n) operations (hard) RSA En/decryption  to encrypt a message M the sender:    to decrypt the ciphertext C the owner:    obtains public key of recipient PU={e,n} computes: C = Me mod n,... DAA (CBC-MAC) widely used in govt & industry but has message size limitation can overcome using 2 keys & padding thus forming the Cipher-based Message Authentication Code (CMAC) adopted by NIST SP800 -38 B CMAC Overview Authenticated Encryption  simultaneously protect confidentiality and authenticity of communications   approaches      often required but usually separate Hash-then-encrypt: E(K,... M), T=MAC(K1, M) decryption /verification straightforward  but security vulnerabilities with all these Counter with Cipher Block Chaining-Message Authentication Code (CCM)    NIST standard SP 800 -38 C for WiFi variation of encrypt-and-MAC approach algorithmic ingredients     AES encryption algorithm CTR mode of operation CMAC authentication algorithm single key used for both encryption & MAC... also is symmetric, parties are equal hence does not protect sender from receiver forging a message & claiming is sent by sender Public-Key Cryptography      probably most significant advance in the 30 00 year history of cryptography uses two keys – a public & a private key asymmetric since parties are not equal uses clever application of number theoretic concepts to function complements rather than... uses hash function on the message: HMACK(M)= Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M)] ]  where K+ is the key padded out to size  opad, ipad are specified padding constants   overhead is just 3 more hash calculations than the message needs alone any hash function can be used  eg MD5, SHA-1, RIPEMD-160, Whirlpool HMAC Overview HMAC Security   proved security of HMAC relates to that of the . higher rather higher  NIST FIPS 180 -3 (in 2008) adds SHA-224 NIST FIPS 180 -3 (in 2008) adds SHA-224  RFC 4 634 details SHA-224, -256, -38 4, RFC 4 634 details SHA-224, -256, -38 4, -512 -512 SHA Versions SHA. issued revision FIPS 180-2 in 2002  adds 3 additional versions of SHA adds 3 additional versions of SHA : : SHA-256, SHA -38 4, SHA-512 SHA-256, SHA -38 4, SHA-512  designed for compatibility. DSA signature scheme  standard is FIPS 180-1 1995, also Internet RFC3174 standard is FIPS 180-1 1995, also Internet RFC3174  nb. the algorithm is SHA, the standard is SHS nb. the algorithm