Authentication Methods: From Digital Signatures to Hashes
Lecture Motivation
We have looked at confidentiality services, and also examined the information theoretic framework for security.
Confidentiality between Alice and Bob only guarantees that Eve cannot read the message; it does not address:
– Is Alice really talking to Bob?
– Is Bob really talking to Alice?
In this lecture, we will look at the following problems:
– Entity Authentication: proof of the identity of an individual
– Message Authentication (data origin authentication): proof that the source of information really is what it claims to be
– Message Signing: binding information to a particular entity
– Data Integrity: ensuring that information has not been altered by unknown entities
Lecture Outline
Discrete Logarithms and ElGamal
– Primitive elements and some more number theory (quickly)
– DLOG
– ElGamal, another public key algorithm…
Digital Signatures:
– The basic idea
– RSA signatures and ElGamal signatures
– Inefficiencies: hashing and signing
Hash Functions:
– Definitions and terminology
– CHP Hash
– SHA-1
Message Authentication Codes
Note: some attacks will be discussed. More attacks and cryptanalysis will come later in the semester.
Primitive Roots
Consider the following powers of 3 (mod 7):
$$3^1 \equiv 3,\quad 3^2 \equiv 2,\quad 3^3 \equiv 6,\quad 3^4 \equiv 4,\quad 3^5 \equiv 5,\quad 3^6 \equiv 1 \pmod 7$$
Note that we obtain all non-zero numbers mod 7.
When this happens, we call 3 a primitive root (or generator) mod 7.
Is a number always a primitive root? No. For instance, 2 is not a primitive root mod 7: $2^3 \equiv 1 \pmod 7$, so its powers only reach {1, 2, 4}.
If p is prime there are φ(p-1) primitive roots mod p.
How to find them? Good homework problem…
Proposition: Let g be a primitive root for the prime p.
1. If n is an integer, then $g^n \equiv 1 \pmod p$ if and only if $n \equiv 0 \pmod{p-1}$.
2. If j and k are integers, then $g^j \equiv g^k \pmod p$ if and only if $j \equiv k \pmod{p-1}$.
Proof: We sketch (1) on the board.
Discrete Logarithms
Let p be a prime, and α and β nonzero integers (mod p) with
$$\alpha^x \equiv \beta \pmod p.$$
The problem of finding x is called the discrete logarithm problem, and is written:
$$x = L_\alpha(\beta)$$
Often α will be a primitive root mod p.
The discrete log behaves like the normal log in many ways; for example (by part 2 of the proposition above, exponents are only defined mod p-1):
$$L_\alpha(\beta_1 \beta_2) \equiv L_\alpha(\beta_1) + L_\alpha(\beta_2) \pmod{p-1}$$
Generally, finding the discrete log is a hard problem.
$f(x) = \alpha^x \pmod p$ is an example of a one-way function.
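The following is an added example, not code from the lecture, that puts the two preceding slides into Python: it finds primitive roots with the criterion that g is a generator mod p iff $g^{(p-1)/q} \not\equiv 1$ for every prime q dividing p-1 (a direct consequence of the proposition), checks the φ(p-1) count, and solves small discrete logs with baby-step giant-step so the additive log rule can be verified numerically. The six-digit prime 1000003 and the exponents used in `demo()` are chosen here for illustration only.

```python
# Added example (not from the lecture): primitive roots and discrete logs mod a prime p.
from math import isqrt


def factor(n):
    """Trial-division factorisation of n -> {prime: exponent}; fine for small n."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def euler_phi(n):
    """Euler's totient phi(n), computed from the factorisation of n."""
    result = n
    for q in factor(n):
        result = result // q * (q - 1)
    return result


def is_primitive_root(g, p, primes_of_p_minus_1):
    """g generates all non-zero residues mod p iff g^((p-1)/q) != 1 (mod p)
    for every prime q dividing p-1 (otherwise g's order is a proper divisor of p-1)."""
    return g % p != 0 and all(pow(g, (p - 1) // q, p) != 1 for q in primes_of_p_minus_1)


def primitive_roots(p):
    """All primitive roots mod the prime p; the slide says there are phi(p-1) of them."""
    primes = factor(p - 1)
    return [g for g in range(1, p) if is_primitive_root(g, p, primes)]


def first_primitive_root(p):
    primes = factor(p - 1)
    return next(g for g in range(2, p) if is_primitive_root(g, p, primes))


def dlog(alpha, beta, p):
    """Baby-step giant-step: the x in [0, p-2] with alpha^x = beta (mod p), or None.
    Costs about sqrt(p) multiplications: easy here, hopeless for a 2048-bit p,
    which is what 'generally a hard problem' means in practice."""
    m = isqrt(p - 1) + 1
    baby, cur = {}, 1
    for j in range(m):                      # baby steps: alpha^j -> j
        baby.setdefault(cur, j)
        cur = cur * alpha % p
    giant = pow(alpha, -m, p)               # alpha^(-m); negative exponent needs Python 3.8+
    gamma = beta % p
    for i in range(m):                      # giant steps: beta * alpha^(-i*m)
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * giant % p
    return None


def demo():
    """Worked checks on the slide's p = 7 and on a six-digit prime (constructed)."""
    roots7 = primitive_roots(7)             # [3, 5]: phi(6) = 2 of them
    p = 1000003                             # prime chosen for illustration
    alpha = first_primitive_root(p)
    b1, b2 = pow(alpha, 1234, p), pow(alpha, 56789, p)
    return {
        "roots_mod_7": roots7,
        "count_matches_phi": len(roots7) == euler_phi(6),
        "log_of_6_base_3_mod_7": dlog(3, 6, 7),          # 3^3 = 27 = 6 (mod 7)
        "log_product_rule": dlog(alpha, b1 * b2 % p, p) == (1234 + 56789) % (p - 1),
    }


if __name__ == "__main__":
    print(demo())
```

`primitive_roots` enumerates every residue and is only meant for small p; `first_primitive_root` is what you would use for a larger modulus, and it still needs the factorisation of p-1, which is why real-world parameter generation prefers primes whose p-1 has a known factorisation.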
ElGamal Public Key Cryptosystem
One-way functions are often used to construct public key cryptosystems. We saw one in RSA; we now show an example using the DLOG problem.
Alice wants to send m to Bob. Bob chooses a large prime p and a primitive root α. We assume 0 < m < p. Bob also chooses a secret integer a and computes $\beta = \alpha^a \pmod p$.
Bob's public key is: (p, α, β)
Alice does:
1. Chooses a secret random integer k and computes $r = \alpha^k \pmod p$
2. Computes $t = \beta^k m \pmod p$.
3. Sends (r, t) to Bob.
Bob decrypts by:
$$m \equiv t\, r^{-a} \pmod p$$
ElGamal Public Key Cryptosystem, pg. 2
Important issues…
– a must be kept secret, else Eve can decrypt.
– Eve sees (r, t): t is m masked by the random value β^k and so looks random to her. Knowing r does not really help, as Eve would need to be able to solve DLOG to get k from r = α^k.
Very important: a different random k must be used for each message!
– If we have m_1 and m_2, and use the same k, then the ciphertexts will be (r, t_1) and (r, t_2). The repeated r is visible to everyone, so the reuse is easy to spot.
– If Eve ever finds m_1 then she has m_2 also!!!
$$\frac{t_1}{m_1} \equiv \beta^k \equiv \frac{t_2}{m_2} \pmod p \quad\Rightarrow\quad m_2 \equiv \frac{t_2\, m_1}{t_1} \pmod p$$
Overview of Digital Signatures
Suppose you have an electronic document (e.g. a Word file). How do you sign the document to prove to someone that it belongs to you?
You can't use a scanned signature at the end: this is easy to forge and use elsewhere.
Conventional signing can't work in the digital world.
We require a digital signature to satisfy:
1. Digital signatures can't be separated from the message and attached to another message.
2. The signature needs to be verifiable by others.
An Application for Digital Signatures
Suppose we have two countries, A and B, that have agreed not
to test any nuclear bombs (which produce seismic waves when
detonated). How can A monitor B by using seismic sensors?
1. The sensors need to be in country B, but A needs to access
them. There is a conflict here.
2. Country B wants to make sure that the message sent by the
seismic sensor does not contain “other” data (espionage).
3. Country A, however, wants to make sure that the data has not
been altered by country B. (Assumption: the sensor itself is
tamper proof).
How can we solve this problem?
Treaty Verification Example
RSA provides a solution:
1. Country A makes an RSA public/private key. (n, e) are given to B, but (p, q, d) are kept private in the tamper-proof sensor.
2. The sensor collects data x and uses d to "encrypt" it (i.e. applies the private RSA operation): $y = x^d \pmod n$, and sends x and y to country B.
3. Country B takes x and y and calculates $z = y^e \pmod n$.
4. If z = x, then B can be sure that the encrypted message corresponds to x and carries nothing else. B then forwards (x, y) to A.
5. Country A checks that $y^e \pmod n = x$. If so, then A is sure that x has not been modified, and A can trust x as being authentic.
In this example, it is hard for B to forge (x, y), and hence if (x, y) verifies, A can be sure that the data came unaltered from the sensor.
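The following added example (not part of the lecture) runs the five-step protocol above with textbook RSA in Python: A generates the key, the sensor signs a reading, B performs the check of step 4, A the check of step 5, and two things B might try (altering x, or guessing a y for its own x) are shown to fail verification. The primes just above 10^6, the public exponent 65537 and the reading 4321 are toy values constructed for the demo; a real key would be 2048 bits or more.

```python
# Added example (not from the lecture): the treaty-verification protocol with textbook RSA.
from math import gcd, isqrt


def is_prime(n):
    """Trial division; adequate for the six-digit primes used here."""
    if n < 2:
        return False
    return all(n % d for d in range(2, isqrt(n) + 1))


def next_prime(n):
    while not is_prime(n):
        n += 1
    return n


def country_a_keygen(p, q, e=65537):
    """Country A: public (n, e) goes to B; d stays inside the tamper-proof sensor."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible mod phi(n)")
    return (n, e), pow(e, -1, phi)


def sensor_sign(x, d, n):
    """Sensor: y = x^d (mod n) for the reading x, which must satisfy 0 < x < n."""
    if not 0 < x < n:
        raise ValueError("reading out of range")
    return pow(x, d, n)


def verify(x, y, n, e):
    """Used by B (step 4) and A (step 5): accept iff y^e = x (mod n)."""
    return 0 < x < n and pow(y, e, n) == x


def demo():
    p = next_prime(1_000_000)                 # toy primes, constructed for the demo
    q = next_prime(p + 1)
    (n, e), d = country_a_keygen(p, q)
    x = 4321                                  # constructed seismic reading
    y = sensor_sign(x, d, n)
    return {
        "b_accepts": verify(x, y, n, e),      # B: y encodes exactly x, nothing hidden
        "a_accepts": verify(x, y, n, e),      # A: x arrived unaltered
        "tampered_detected": not verify(x + 1, y, n, e),          # B alters x, cannot fix y
        "forgery_detected": not verify(x + 1, (y + 1) % n, n, e),  # B guesses a y of its own
    }


if __name__ == "__main__":
    print(demo())
```

Note that both countries run the identical `verify`; what differs is what each is protecting against, and neither check depends on trusting the other side.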
[...]

RSA Signatures
The treaty example is an example of RSA signatures. We now formalize it with Alice and Bob.
Alice publishes (n, e_A) and keeps private (p, q, d_A).
Alice signs m by calculating $y = m^{d_A} \pmod n$. The pair (m, y) is the signed document.
Bob can check that Alice signed m by:
1. Downloading Alice's (n, e_A) from a trusted third party, guaranteeing that he [...]
[...] guaranteed that Alice signed m.

RSA Signatures, pg 2
Suppose Eve wants to attach Alice's signature to another message m_1. She cannot simply use (m_1, y) since $y^{e_A} \not\equiv m_1 \pmod n$.
Therefore, she needs y_1 with $y_1^{e_A} \equiv m_1 \pmod n$. m_1 looks like a ciphertext and y_1 like a plaintext.
In order for Eve to make a fake y_1 she needs to be able to "decrypt" m_1 to get y_1!!! She can't, due to the hardness of RSA.
Existential [...]
[...] whether there is an underlying "language" structure.

Blind RSA Signatures
Sometimes we might want Alice to sign a document without knowing its contents (e.g. privacy concerns: a purchaser does not want the bank to know what is being purchased, but wants the bank to authorize the purchase).
We can accomplish this with RSA signatures (Bob wants Alice to sign a document m):
1. Alice generates an RSA public and private key [...]

[...] plain signatures. In signature schemes with appendix, where we attach the signature to the end of the document, we increase the communication overhead.
If we have a long message m = [m_1, m_2, …, m_N], then our signed document is {[m_1, m_2, …, m_N], [sig_A(m_1), …, sig_A(m_N)]}. This doubles the overhead!
We don't want to do this when communication resources are precious (which is always!)
Solution: We need to shrink [...]
[...] message into a smaller representation and sign that. Enter: hash functions.

Hash Functions
Straightforward application of digital signatures can be expensive when the message is large.
In general, many security protocols benefit from using a "digested" or "compressed" representative of a message.
– We typically need additional cryptographic properties in order for the compression operation to be useful [...]

[...] etc.) Why all these possibilities? If you tie the message to the specific context, then it is harder for an adversary to manipulate context fields to forge.
Make certain, though, that you have clear rules on how to split concatenations (d||m) back into d and m.

[...] initial value, and X_l is the message digest.

SHA-1, pg 2
In SHA-1, we pad according to the rule:
– Start with a message m of arbitrary length and break it into n-bit blocks.
– The last block is padded with a 1 followed by enough 0 bits to make the new message 64 bits short of a multiple of 512 bits in length.
– Into the 64 unfilled bits of the last block, we append the 64-bit representation of the length [...]

Problems with Hashes
We must be careful when using hash functions; they are subject to some "attacks".
Length Extension Attack: Consider a [...]
[...] sub-function. In systems, such as authentication applications, where we calculate h(X||m), Eve can append extra text to m and also update the hash.
Partial Message Collision Attack: Suppose we are able to find m and m' such that h(m) = h(m'). If a system uses h(m||X) as an authentication parameter, then due to the iterative nature h(m||X) = h(m'||X). An adversary can replace m with m' during authentication.
In general [...]

[...] arbitrary size m. Ideally, a MAC should be a random mapping from all possible inputs to n bits of output.
The uncertainty (and security) of the MAC is directly associated with the size of the key K.
– Remember: to Eve, the message is known, so it's the key that contains the security.

CBC-MAC
CBC-MAC is a method for turning a block cipher into a MAC:
– Idea: encrypt m using CBC mode and throw away all [...]
[...] length of m in a fixed-length format
2. Pad s to be a multiple of the block size
3. Apply CBC-MAC to the padded string s
4. Output the last ciphertext block. Do not output any intermediate block values!
CBC-MAC can reuse the same code as the confidentiality (encryption) functions.
CBC-MAC is generally tough to use correctly, though.

HMAC
We may also use hash functions to build MACs.
We cannot simply use MAC_K(m) = h(K||m) [...]
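As an added example (not the lecture's code), the block below ties together the SHA-1 padding rule, the length extension attack on h(K||m), and the reason HMAC is used instead. It implements SHA-1 from scratch (checked against `hashlib`) with padding exactly as described on the SHA-1 slide, then, knowing only the tag h(K||m) and the length of K, resumes the compression function from the state encoded in the tag to produce a valid tag for m||padding||extra. The same trick applied to an HMAC tag yields garbage. The key `b"s3cret-key"` and the messages are constructed for the demo; the attacker is assumed to know the key length, which in practice is guessed by trying a few plausible values.

```python
# Added example (not from the lecture): SHA-1 with the slide's padding rule, the
# length-extension forgery against MAC_K(m) = h(K||m), and HMAC for comparison.
import hashlib
import hmac
import struct

SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def sha1_pad(msg_len):
    """Padding for a message of msg_len bytes: a 1 bit, then 0 bits until the length is
    64 bits short of a multiple of 512, then the 64-bit big-endian bit length."""
    zeros = (56 - (msg_len + 1) % 64) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack(">Q", msg_len * 8)


def sha1_compress(state, block):
    """One SHA-1 compression of a 64-byte block into the five-word chaining state."""
    w = list(struct.unpack(">16I", block)) + [0] * 64
    for i in range(16, 80):
        w[i] = _rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1)
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & MASK, a, _rotl(b, 30), c, d
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d, e)))


def sha1(data, state=SHA1_IV, prior_len=0):
    """SHA-1 of data. With state/prior_len the hash resumes from a chaining value reached
    after prior_len bytes (a multiple of 64); the iterative structure the attack abuses."""
    padded = data + sha1_pad(prior_len + len(data))
    for i in range(0, len(padded), 64):
        state = sha1_compress(state, padded[i:i + 64])
    return struct.pack(">5I", *state)


def prefix_mac(key, msg):
    """The construction the HMAC slide warns against: MAC_K(m) = h(K || m)."""
    return sha1(key + msg)


def extend(tag, key_len, msg, extra):
    """Eve: from tag = h(K||msg) and len(K) alone, build msg' = msg||pad||extra and
    tag' = h(K||msg') by restarting the compression from the state inside tag."""
    glue = sha1_pad(key_len + len(msg))
    consumed = key_len + len(msg) + len(glue)        # bytes already absorbed when tag was made
    forged_tag = sha1(extra, struct.unpack(">5I", tag), consumed)
    return msg + glue + extra, forged_tag


def hmac_sha1(key, msg):
    """HMAC over the same hash; the key is mixed in on both sides of the outer hash."""
    return hmac.new(key, msg, hashlib.sha1).digest()


def demo():
    key = b"s3cret-key"                      # constructed; Eve knows only its length
    msg = b"amount=10&to=alice"              # constructed authenticated message
    extra = b"&to=mallory"                   # what Eve appends
    forged_msg, forged_tag = extend(prefix_mac(key, msg), len(key), msg, extra)
    hmac_msg, hmac_tag = extend(hmac_sha1(key, msg), len(key), msg, extra)
    return {
        "sha1_matches_hashlib": sha1(msg) == hashlib.sha1(msg).digest(),
        "prefix_mac_forged": prefix_mac(key, forged_msg) == forged_tag,   # verifier accepts
        "hmac_forged": hmac_sha1(key, hmac_msg) == hmac_tag,              # verifier rejects
    }


if __name__ == "__main__":
    print(demo())
```

The forged message contains the padding bytes in the middle, which is why the slide's warning about clear rules for splitting concatenations matters: a parser that tolerates stray bytes and takes the last `to=` value is exactly the kind of consumer this forgery targets.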