Hash Function, Digital Signature, Public Key Infrastructure

Review Security Requirements

In the context of communications across a network, the following attacks can be identified, together with the class of countermeasure that addresses each:

- disclosure, traffic analysis: symmetric/asymmetric cryptography (encryption)
- masquerade, content modification, sequence modification, timing modification: generally regarded as message authentication
- source repudiation: comes under the heading of digital signature
- destination repudiation: requires a combination of digital signature and protocol design

Review Security Services

- Authentication: provides assurance of someone's identity
- Confidentiality: protects against disclosure to unauthorized parties
- Non-repudiation: protects against the originator of a communication later denying it
- Integrity: protects against unauthorized data alteration

Review Services, Mechanisms, Algorithms

A typical security protocol provides one or more services.

- Services: SSL/TLS, IPsec, SSH, etc.
- Mechanisms: signatures, encryption, hashing
- Algorithms: DSA and RSA (signatures); RSA and DES (encryption); SHA and MD5 (hashing)

Services are built from mechanisms; mechanisms are implemented using algorithms. (DES and MD5 appear in this list for historical reasons; neither should be used in a new design.)

Review Message Authentication

Three classes of functions can be used to produce an authenticator: hash functions, message authentication codes (MACs), and message encryption.

Hash Functions

- Used in message authentication and digital signatures, and as a building block in encryption schemes.
- A hash function accepts a variable-size message M as input and produces a fixed-size output, referred to as a hash code H(M).
- A cryptographic hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length, for example 160 bits (as depicted in the figure).

Defining Hashing

An analogy: if you were to give someone the number 1,765,335 and ask them to determine your original number, it would be hard for them to work backwards and derive the original number of 12,345. If you also give them the multiplier (143), they can easily recover the original number.

  Input value   Multiplier   Formula              Result
  12,345        143          value x multiplier   1,765,335

(The accompanying figure labels the corresponding encryption picture: plaintext, key, algorithm, ciphertext.)

Note that this analogy only conveys the idea of a transformation that is hard to reverse without a secret; it is really a picture of keyed encryption. A cryptographic hash has no key and cannot be reversed by anyone, and a product like 1,765,335 is in any case trivial to factor.

A Practical Use of a Hash Algorithm

A PIN entered on a keypad (e.g. 123456) is hashed, and only the hashed value (e.g. 459384502392) is stored on the card. At verification time the entered PIN is hashed again and compared with the stored value, so the PIN itself is never stored.

The hash value depends on the hashing algorithm used: Haval, MD2, MD4, MD5, SHA hash functions (SHA-1, SHA-2). All of these are one-way hash functions.

(A practitioner's caveat: a six-digit PIN has only 10^6 possible values, so anyone who can read the stored hash recovers the PIN by hashing every candidate. Real systems add a per-card secret to the hash input or keep the comparison inside tamper-resistant hardware.)

Hash Functions

- The hash code does not use a key.
- The hash code is a function only of the input message.
- The hash code is also referred to as a message digest or hash value.
- The hash code is a function of all the bits of the message and provides an error-detection capability.
- A change to any bit or bits in the message results in a change to the hash code.

Hash Function Properties

- A hash function produces a fingerprint of some file/message/data: h = H(M)
- condenses a variable-length message M to a fixed-size fingerprint
- assumed to be public

Requirements for Hash Functions

- The purpose of the hash function is to produce a fingerprint.
- Properties of a hash function H:
  - H can be applied to a block of data of any size.
  - H produces a fixed-length output.
  - H(x) is easy to compute for any given x.
  - For any given value h, it is computationally infeasible to find x such that H(x) = h (one-way property, also called preimage resistance).
  - For any given block x, it is computationally infeasible to find y != x with H(y) = H(x) (weak collision resistance, also called second-preimage resistance).
  - It is computationally infeasible to find any pair (x, y) with x != y such that H(x) = H(y) (strong collision resistance).

Simple Hash Functions

- There are several proposals for simple functions based on the XOR of message blocks.
- These are not secure, since one can manipulate any message and either leave the hash unchanged or change the hash accordingly.
- A stronger cryptographic function is needed.

Hash Function Operations (hashing, signing and applications)

- One useful application of hash functions is to make signature schemes more efficient.
- The hash function is made public.
- Starting with a message m, Alice calculates the hash h(m). This output h(m) is significantly smaller, and hence signing the hash may be done more quickly than signing the entire message.
- Alice calculates the signature sig(h(m)) of the hash and uses it as the signature of the message.
- The pair (m, sig(h(m))) now conveys basically the same knowledge as the original signature scheme did.
- It has the advantages that it is faster to create (under the reasonable assumption that the hash operation is quick) and requires fewer resources for transmission or storage.

In Terms of Security

- Suppose Eve has possession of Alice's signed message (m, sig(h(m))). She has another message m' to which she wants to add Alice's signature.
- This means that she needs sig(h(m')) = sig(h(m)); in particular, she needs h(m') = h(m).
- If the hash function is one-way (second-preimage resistant), Eve will find it hard to find any such m'. The chance that her desired m' will work is very small.
- Moreover, since we require our hash function to be strongly collision-free, it is unlikely that Eve can find two messages m1 != m2 with the same signature.
- Of course, if she did, she could have Alice sign m1, then transfer the signature to m2. But Alice would get suspicious, since m1 (and m2) would very likely be meaningless messages.
- That last comfort no longer holds for broken hash functions: practical collision attacks on MD5 and SHA-1 produce pairs of meaningful documents, which is why signatures over those digests are no longer trusted.

Check on Data Integrity

- A hash function can also be employed as a check on data integrity.
- The question of data integrity comes up in basically two scenarios:
  - First, when the data (encrypted or not) are being transmitted to another person and a noisy communication channel introduces errors into the data.
  - Second, when an observer rearranges the transmission in some manner before it gets to the receiver.
  Either way, the data have become corrupted.
- Example: suppose Alice sends Bob long messages about financial transactions with Eve and encrypts them in blocks. Perhaps Eve deduces that the tenth block of each message lists the amount of money that is to be deposited to Eve's account. She could easily substitute the tenth block from one message into another and increase the deposit.
- Another situation: Alice might send Bob a message consisting of several blocks of data, but one of the blocks is lost during transmission. Bob might never realize that the block is missing.
- Here is how a hash function can be used. Say we send (m, h(m)) over the communications channel and it is received as (M, H). To check whether errors might have occurred, the recipient computes h(M) and sees whether it equals H. If any errors occurred, it is likely that h(M) != H, because of the collision-free properties of h.
- Note the limit of this check: it detects accidental corruption, but an active attacker such as Eve, who can modify the transmission, simply replaces h(m) with h(m') for her altered message m'. Against an adversary the hash value itself must be protected: sent over an authentic channel, replaced by a message authentication code under a shared key, or covered by a digital signature.
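The integrity check above, as an added example that is not code from the original slides: a Python script with constructed ten-block "financial report" messages (the tenth block carries the deposit to Eve). It shows that (m, h(m)) catches a flipped bit and a dropped block, that Eve's tenth-block substitution passes the same check because she recomputes h(m') herself, and that the same substitution is caught when the hash is replaced by HMAC under a key Eve does not hold. The message layout, key and bit positions are constructed for the demonstration.

```python
import hashlib
import hmac

BLOCK = 16  # bytes per block in the constructed sample messages


def make_message(deposit_to_eve: int) -> bytes:
    """Constructed sample: a ten-block report whose tenth block lists Eve's deposit."""
    header = b"FIN-REPORT Q3  |"                                     # block 0
    entries = [f"entry {i:02d} ok     ".encode() for i in range(8)]  # blocks 1..8
    deposit = f"eve:{deposit_to_eve:>12}".encode()                   # block 9 (the tenth)
    msg = header + b"".join(entries) + deposit
    assert len(msg) == 10 * BLOCK
    return msg


def protect_with_hash(msg: bytes):
    """Sender transmits (m, h(m)) exactly as in the text."""
    return msg, hashlib.sha256(msg).digest()


def check_hash(msg: bytes, digest: bytes) -> bool:
    """Receiver recomputes h(M) and compares it with the received H."""
    return hmac.compare_digest(hashlib.sha256(msg).digest(), digest)


def protect_with_mac(key: bytes, msg: bytes):
    """Keyed alternative: (m, HMAC_k(m)); only holders of k can produce a valid tag."""
    return msg, hmac.new(key, msg, "sha256").digest()


def check_mac(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac.new(key, msg, "sha256").digest(), tag)


def noisy_channel(msg: bytes, bit_index: int) -> bytes:
    """Accidental corruption: one bit of the message flipped in transit."""
    out = bytearray(msg)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def drop_block(msg: bytes, index: int) -> bytes:
    """A whole block lost in transmission."""
    return msg[: index * BLOCK] + msg[(index + 1) * BLOCK :]


def eve_substitutes_block(msg_a: bytes, msg_b: bytes, index: int) -> bytes:
    """The active attack from the text: splice block `index` of message B into message A."""
    blocks = [msg_a[i : i + BLOCK] for i in range(0, len(msg_a), BLOCK)]
    blocks[index] = msg_b[index * BLOCK : (index + 1) * BLOCK]
    return b"".join(blocks)


def eve_forges_hash_pair(pair_a, pair_b, index: int):
    """Against an unkeyed hash Eve also replaces h(m) by h(m'); the receiver's check passes."""
    forged = eve_substitutes_block(pair_a[0], pair_b[0], index)
    return forged, hashlib.sha256(forged).digest()


def eve_forges_mac_pair(pair_a, pair_b, index: int):
    """Without k the best Eve can do is reuse the old tag, which no longer matches."""
    forged = eve_substitutes_block(pair_a[0], pair_b[0], index)
    return forged, pair_a[1]


if __name__ == "__main__":
    small, big = make_message(100), make_message(90000)
    msg, h = protect_with_hash(small)
    print("noise detected:", not check_hash(noisy_channel(msg, 37), h))
    forged, h2 = eve_forges_hash_pair(protect_with_hash(small), protect_with_hash(big), 9)
    print("substitution passes plain hash check:", check_hash(forged, h2))
    key = bytes(range(32))  # constructed shared key Alice/Bob; unknown to Eve
    forged, t = eve_forges_mac_pair(protect_with_mac(key, small), protect_with_mac(key, big), 9)
    print("substitution passes MAC check:", check_mac(key, forged, t))
```

The MAC closes the substitution hole but has the limitation discussed later in these slides: Bob, who also holds k, could have produced the tag himself, so a MAC proves integrity to the two key holders only and not to a third party.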

List of Cryptographic Hash Functions

- Haval
- MD2
- MD4
- MD5
- N-Hash
- RIPEMD-160
- SHA hash functions (SHA-0, SHA-1, SHA-2)
- Snefru
- Tiger
- Whirlpool

Comparison of Hash Functions

                            SHA-1                  MD5                    RIPEMD-160
  Digest length             160 bits               128 bits               160 bits
  Basic unit of processing  512 bits               512 bits               512 bits
  Number of steps           80 (4 rounds of 20)    64 (4 rounds of 16)    160 (5 paired rounds of 16)
  Maximum message size      2^64 - 1 bits          unlimited              2^64 - 1 bits

None of the three should be relied on for collision resistance today: practical collisions have been published for MD5 (2004) and SHA-1 (2017). Use SHA-2 or SHA-3 in new designs.

Digital Signature / Signature Schemes

Signature schemes: digital signature schemes are MACs in the public-key setting.

(The slides "Problem: Authentication" and "Scenario" that follow consist of figures only.)

Digital Signatures

- We have looked at message authentication, but it does not address issues of lack of trust between the parties.
- A few scenarios: transfer of funds, a mail message.
- Digital signatures provide the ability to
  - verify the author, and the date and time of the signature
  - authenticate the message contents
  - be verified by third parties to resolve disputes
- hence they include the authentication function with additional capabilities.

Digital Signature Properties

- must depend on the message signed
- must use information unique to the sender, to prevent both forgery and denial
- must be relatively easy to produce
- must be relatively easy to recognize and verify
- must be computationally infeasible to forge, either with a new message for an existing digital signature or with a fraudulent digital signature for a given message
- must be practical to save the digital signature in storage

Digital Signature Categories

Digital signatures are either direct or arbitrated.

Direct Digital Signatures

- involve only the sender and receiver
- assume the receiver has the sender's public key
- the digital signature is made by the sender signing the entire message or its hash with the private key
- can then encrypt using the receiver's public key
- important to sign first, then encrypt the message and signature
- security depends on the sender's private key

Arbitrated Digital Signatures

- involve the use of an arbiter A
- the arbiter validates any signed message, which is then dated and sent to the recipient
- require a suitable level of trust in the arbiter
- can be implemented with either private-key or public-key algorithms
- the arbiter may or may not see the message

Authentication Protocols

- used to convince parties of each other's identity and to exchange session keys
- may be one-way or mutual
- key issues are
  - confidentiality, to protect session keys
  - timeliness, to prevent replay attacks

Replay Attacks

- where a valid signed message is copied and later resent
  - simple replay
  - repetition that can be logged
  - repetition that cannot be detected
  - backward replay without modification
- countermeasures include
  - use of sequence numbers (generally impractical)
  - timestamps (need synchronized clocks)
  - challenge/response (using a unique nonce)

Using Symmetric Encryption

- as discussed previously, can use a two-level hierarchy of keys
- usually with a trusted Key Distribution Center (KDC)
  - each party shares its own master key with the KDC
  - the KDC generates session keys used for connections between parties
  - master keys are used to distribute these to them

Needham-Schroeder Protocol

- original third-party key distribution protocol (Needham and Schroeder, 1978)
- for a session between A and B mediated by the KDC
- protocol overview (Ka, Kb are the master keys of A and B, Ks the session key, N1 and N2 nonces):
  1. A -> KDC: ID_A || ID_B || N1
  2. KDC -> A: E_Ka[ Ks || ID_B || N1 || E_Kb[ Ks || ID_A ] ]
  3. A -> B: E_Kb[ Ks || ID_A ]
  4. B -> A: E_Ks[ N2 ]
  5. A -> B: E_Ks[ f(N2) ]
- used to securely distribute a new session key for communications between A and B
- but is vulnerable to a replay attack if an old session key has been compromised: then message 3 can be resent, convincing B that it is communicating with A
- modifications to address this require
  - timestamps (Denning 81)
  - using an extra nonce (Neuman 93)

Using Public-Key Encryption

- there is a range of approaches based on the use of public-key encryption
- need to ensure we have the correct public keys for the other parties
- using a central Authentication Server (AS)
- various protocols exist using timestamps or nonces

Denning AS Protocol

- Denning (1981) presented the following (KRas is the private key of the AS, KUa and KUb the public keys of A and B, T a timestamp, Ks the session key):
  1. A -> AS: ID_A || ID_B
  2. AS -> A: E_KRas[ ID_A || KUa || T ] || E_KRas[ ID_B || KUb || T ]
  3. A -> B: E_KRas[ ID_A || KUa || T ] || E_KRas[ ID_B || KUb || T ] || E_KUb[ E_KRas[ Ks || T ] ]
- note the session key is chosen by A, hence the AS need not be trusted to protect it
- timestamps prevent replay but require synchronized clocks

One-Way Authentication

- required when sender and receiver are not in communication at the same time (e.g. email)
- the header is in clear so the message can be delivered by the email system
- may want the contents of the body protected and the sender authenticated

Using Symmetric Encryption

- can refine the use of the KDC, but cannot have the final exchange of nonces, viz.:
  1. A -> KDC: ID_A || ID_B || N1
  2. KDC -> A: E_Ka[ Ks || ID_B || N1 || E_Kb[ Ks || ID_A ] ]
  3. A -> B: E_Kb[ Ks || ID_A ] || E_Ks[ M ]
- does not protect against replays
- could rely on a timestamp in the message, though email delays make this problematic

Public-Key Approaches

- we have seen some public-key approaches
- if confidentiality is the major concern, can use
  A -> B: E_KUb[ Ks ] || E_Ks[ M ]
  which has an encrypted session key and an encrypted message
- if authentication is needed, use a digital signature with a digital certificate:
  A -> B: M || E_KRa[ H(M) ] || E_KRas[ T || ID_A || KUa ]
  with message, signature and certificate

Digital Signature Standard (DSS)

- US Government approved signature scheme, FIPS 186
- uses the SHA hash algorithm
- designed by NIST and NSA in the early 90s
- DSS is the standard, DSA is the algorithm
- a variant of the ElGamal and Schnorr schemes
- creates a 320-bit signature (two 160-bit values) with 512- to 1024-bit keys in the original standard; later revisions (FIPS 186-3/4) use a 2048- or 3072-bit p with a 224- or 256-bit q, and FIPS 186-5 (2023) no longer approves DSA for generating new signatures
- security depends on the difficulty of computing discrete logarithms

DSA Key Generation

- have shared global public key values (p, q, g):
  - a large prime p with 2^(L-1) < p < 2^L, where L = 512 to 1024 bits and is a multiple of 64
  - q, a 160-bit prime factor of p - 1
  - g = h^((p-1)/q) mod p, where 1 < h < p - 1 and h^((p-1)/q) mod p > 1
- each user chooses a private key and computes the public key:
  - choose x with 0 < x < q
  - compute y = g^x mod p

DSA Signature Creation

- to sign a message M the sender
  - generates a random per-message secret k, 0 < k < q
  - NB: k must be random, be destroyed after use, and never be reused; two signatures made with the same k reveal the private key x
  - then computes the signature pair
    r = (g^k mod p) mod q
    s = (k^-1 (SHA(M) + x r)) mod q
  - sends the signature (r, s) with the message M

DSA Signature Verification

- having received M and the signature (r, s), the recipient computes
  w = s^-1 mod q
  u1 = (SHA(M) w) mod q
  u2 = (r w) mod q
  v = ((g^u1 y^u2) mod p) mod q
- if v = r then the signature is verified
- see the book web site for details of the proof of why this works

Summary

- have considered
  - digital signatures
  - authentication protocols (mutual and one-way)
  - the digital signature standard

Message Authentication Codes: the idea

Alice and Bob share a key k chosen randomly from some set K. Alice sends (m, t = Tag_k(m)) with m in {0,1}*; Bob runs Vrfy_k(m, t), which outputs yes or no.

Signature Schemes

Alice holds the signing key sk; Bob (and everyone else) holds the public key pk, where (pk, sk) <- Gen(1^n). Alice sends (m, s = Sign_sk(m)) with m in {0,1}*; Bob runs Vrfy_pk(m, s), which outputs yes or no.

Advantages of signature schemes

- Digital signatures are
  - publicly verifiable
  - transferable
  - provide non-repudiation

Anyone can verify the signatures: in the figure, P3 computes s = Sign(sk3, m); any other party P1, P2, P4, P5 reads pk3 from the public register of keys (pk1, ..., pk5) and computes Vrfy(pk3, m, s).

Look at the MACs... Alice and Bob share k; Alice sends (m, t = Tag_k(m)). Bob shows Carol: "Look, I got (m, t) from Alice." Carol: "Why should I trust you? You could have created t yourself (because you know k). I don't know k, so how can I verify the tag?"

Signatures are publicly verifiable! Alice holds skA and everyone knows pkA; Alice sends (m, s = Sign_skA(m)). Bob shows Carol: "Look, I got (m, s) from Alice." Carol: "I can calculate Vrfy(pkA, m, s) and check."

So the signatures are transferable: Alice signs once, s = Sign(skA, m); P1 passes (m, s) to P2, who passes it to P3, who passes it to P4, and each of them, knowing pkA, convinces itself that "Alice signed m" ("I believe it!").

Non-repudiation: Bob brings (m, s) to a judge: "I've got (m, s) from Alice." Alice: "It's not true! I never signed m!" Judge: "Vrfy(pkA, m, s) = yes, so you cannot repudiate signing m..."

Digital Signature Schemes

A digital signature scheme is a tuple (Gen, Sign, Vrfy) of poly-time algorithms, such that

- the key-generation algorithm Gen takes as input a security parameter 1^n and outputs a pair (pk, sk),
- the signing algorithm Sign takes as input a key sk and a message m in {0,1}* and outputs a signature s,
- the verification algorithm Vrfy takes as input a key pk, a message m and a signature s, and outputs a bit b in {yes, no}.

If Vrfy_pk(m, s) = yes then we say that s is a valid signature on the message m.

Correctness

- We require that it always holds that Vrfy_pk(m, Sign_sk(m)) = yes.
- What remains is to define the security of a signature scheme, by analogy with MAC security: an adversary who obtains signatures on messages of its choice should be unable to produce a valid signature on any new message.

Other popular signature schemes

- Based on the discrete log problem:
  - ElGamal signatures
  - Digital Signature Standard (DSS)
  - (also based on other groups: elliptic curves, i.e. ECDSA)

Public Key Infrastructure

Overview

- Simple fundamentals
- Qualified signatures
- PKI and trust management
- Introduction to key establishment protocols

Public Key Infrastructures

The cast of the running example: Alice (sender/receiver), Bob (receiver/sender), Charlie (Certification Authority), Reggie (Registration Authority) and Eve (hacker).

Public Key Infrastructures

- Alice and Bob want to be able to communicate securely by sending messages to each other. They want to be able to use trustworthy digital signature technology to protect the integrity of their messages, and they may also want to use encryption to keep the contents of their messages secret. To achieve all this, they've decided to use a PKI (Public Key Infrastructure) system and digital certificates.
- Alice and Bob want to enroll in a PKI system. Charlie runs a Certification Authority (CA) and will be issuing certificates to Alice and Bob. To make Charlie's job easier, he relies on his twin brother Reggie, a Registration Authority (RA), who interacts with Alice and Bob on Charlie's behalf.
- Alice and Bob have decided to purchase certificates from Charlie. To do this, they'll first need to contact Reggie, a Registration Authority who has an agreement with Charlie, to prove their identities. (Having Reggie conduct part of the enrolment proceedings makes Charlie's job a little easier.) But before they do that, they'll each have to generate a signing key for themselves.
- Let's see the procedure Alice goes through to enroll in the PKI. Bob will have to go through the exact same process.
- First, Alice asks her computer to generate a private signing key and a public key. Her private key is for her use only, and she must never share it with anyone. Her public key can be available to the world (in fact it will be included in the certificate issued by Charlie), and anyone can use it to verify her digital signature on a message.

- Next, she goes to visit Reggie, the Registration Authority, at his office. It is Reggie's duty to verify Alice's identity, so that he can say to Charlie that he has made sure that Alice is Alice. Since Charlie will be issuing a certificate to her, and the certificate conveys a high level of assurance that Alice is who she says she is, and people will be trusting that, Charlie needs Reggie to be very careful about this.
- Alice shows Reggie government-issued photo identification. Since Reggie trusts the government that issued the identification card, he is confident that Alice is who she says she is: he has authenticated Alice's identity. Next, he must transfer this knowledge to Charlie.
- Reggie has a secure encrypted computer link to his twin brother Charlie, the CA, so it is easy for him to notify Charlie of Alice's enrolment and to let him know that he has authenticated her identity. He makes up a reference number for Alice's account, gives it to her, and also uses this number to enroll her with Charlie over the encrypted link. In return, over the same encrypted link, Charlie sends Reggie an authorization code that Alice will use later.
- Instead of giving Alice the authorization code directly, Reggie sends it to her office voicemail box. This is an extra check to make sure that Alice has supplied appropriate contact information.
- Alice can now return to her office. She uses her computer to create a certificate-request form. This form includes the following:
  - her enrolment information, as given to Reggie earlier (name, address, etc.)
  - the authorization code that Charlie made, which Reggie left in her voicemail
  - her public key
- Then she digitally signs her certificate-request form using her private key. This is very important, because she needs to prove that she possesses the private key that corresponds to the certificate that Charlie will be issuing her (proof of possession). If she can't prove she has the private key, Charlie won't issue the certificate. Charlie can check her signature using her public key.
- Alice logs into Charlie's web site using her reference number and submits her certificate request form.
- After receiving Alice's certificate request, Charlie has to do some checking to make sure it's OK. First, he checks that the reference number and authorization code match what they are supposed to: the authorization code inside Alice's certificate request must be the same as what Charlie has on file. Since Reggie verified Alice's identity when the authorization code was given to her, Charlie knows that the certificate request came from Alice, and not from somebody else pretending to be Alice.
- Next, he takes the public key from the certificate request and uses it to verify the digital signature on the request. If the signature is correct, then he knows Alice does possess her private key.
- Having authenticated her identity and verified that she has the right private key, Charlie issues the certificate in Alice's name and sends it back to her:

  Certification approved
  Subject: Alice
  Issuer: Charlie (CA)
  Issued: 21-08-2008

- Charlie also publishes the certificate in his public repository, so that anybody receiving a message from Alice can check her certificate.
- After Bob has his certificate too, Alice and Bob can use digital signatures to ensure the integrity and sender identity of their messages.
- If Alice and Bob want to use encryption to keep the contents of their messages secret, then they will also need a separate set of encryption keys and certificates for that purpose. They can obtain these certificates at the same time as they obtain their signing certificates.


Question: how to maintain the public register?

- We start with the case when the public keys are used for signing that is legally binding.
- Then we consider other cases.

A problem

Bob brings (m, s) to a judge: "I got (m, s) from Alice." Alice: "It's not true! I never signed m!" Judge: "Vrfy(pk, m, s) = yes, so you cannot repudiate signing m..." Alice: "But pk is not my public key!"

Solution: certification authorities

- A simplified view: the Certification Authority holds a key pair (pkCert, skCert). Alice comes with her ID and pkAlice. The CA checks the ID of Alice and issues a certificate

  Sign_skCert("pkAlice is a public key of Alice")

- Now everyone can verify that pkAlice is a public key of Alice, so Alice can attach the certificate to every signature. (Really everyone?)

What is needed to verify the certificate

- To verify a certificate coming from Cert one needs
  - to know the public key of Cert
  - to trust Cert.
- It is better if Cert also keeps a document "I, Alice, certify that pkAlice is my public key" with a written signature of Alice.

How does it look from the legal point of view?

- What matters in the end is whether you can convince the judge.
- Many countries now have a special law regulating these things. In Malaysia the regulator is the MCMC.

Malaysian Certificate Authorities

- Digicert

So, what to do if you want to issue qualified signatures?

- You have to go to one of these companies and get a qualified certificate (it costs!).
- The certificate is valid only for some given period.

What if the secret key is lost?

- In this case you have to revoke the certificate. Every authority maintains a list of revoked certificates (a certificate revocation list, CRL); verifiers must consult it, since a revoked certificate still looks valid on its own.
- The certificates come with some insurance.


In many cases one doesn't want to use qualified signatures

- The certificates cost.
- It's risky to use them:
  - How do you know what your computer is really signing? Computers have viruses, Trojan horses, etc.
  - You can use external (trusted) hardware, but it should have a display (so you can see what is signed).
  - Remember: qualified signatures are equivalent to written ones!

Practical solution

In many cases qualified signatures are overkill. Instead, people use non-qualified signatures. The certificates are distributed using a public-key infrastructure (PKI).

Users can certify keys of other users

- P1 knows pk2 and trusts P2. P2 knows pk3 and issues "P2 certifies that pk3 is a public key of P3", carrying the signature of P2. Then P1 believes that pk3 is a public key of P3.
- This should be done only if P2 really met P3 in person and verified his identity.
- The same can be repeated: P3 certifies that pk4 is a public key of P4 (signature of P3), P4 certifies that pk5 is a public key of P5 (signature of P4), and so on. P1, trusting P2, P3 and P4 in turn, ends up believing that pk5 is a public key of P5.
- This is called a certificate chain.

A problem

- What if P1 does not know P3? How can he trust him?
- Answer: P2 can recommend P3 to P1.

A question: is trust transitive?

Does "P1 trusts P2" and "P2 trusts P3" imply "P1 trusts P3"?

Example: P2 says "I can recommend P3." P1 trusts that P2 is a very honest person, and P2 trusts that P3 is a very honest person. Yet P1 does not trust that P3 is honest, because he thinks that P2 is honest but naive.

Moral

- Trust is not transitive.
- "P1 trusts the certificates issued by P2" is not the same as saying "P1 trusts that if P2 says you can trust the certificates issued by P3, then one can trust the certificates issued by P3".

Recommendation levels

- level 1 recommendation: A says "you can trust all the certificates issued by B"
- level 2 recommendation: A says "you can trust all the level 1 recommendations issued by B"
- level 3 recommendation: A says "you can trust all the level 2 recommendations issued by B"
- and so on. Recursively, a level i+1 recommendation is: A says "you can trust all the level i recommendations issued by B".

Now, if

- P2 issues a recommendation of level 2 for P3,
- P3 issues a recommendation of level 1 for P4,
- P1 trusts all the level 2 recommendations issued by P2,

then P1 trusts the certificates issued by P4.

Of course the recommendations also need to be signed. It starts to look complicated...

How is it solved in practice?

- In the popular standard X.509 the recommendation is included in the certificate.
- Here the level of recommendation is bounded using a field called basic constraints (the CA flag and the pathLenConstraint, which limits how many further CA certificates may follow this one in a chain).
- X.509 is used for example in SSL/TLS.
- SSL/TLS is implemented in every popular web browser.
- So, let's look at it.

Concrete example

- Let's go to the Banca di Roma website and look at its certificate chain (browser screenshots omitted).

The typical picture

The web browser knows a set of root certificates: Verisign, DigiCert, Entrust, ...

- Implicit assumptions:
  - the author of the browser is honest,
  - the author of the browser is competent,
  - nobody manipulated the browser.
- Is it always true?

A certificate path: Verisign Europe -> Verisign USA -> Verisign Italy -> Banca di Roma.

Is it so important to check it?

- Yes!
- For example, the last element in the chain can be anybody (who paid Verisign for a certificate).
- We certainly do not want to trust certificates issued by just anyone.

So, what happens when a user contacts the bank?

The bank sends (cert1, ..., certn) to Alice. If Alice's browser knows cert1 it can verify the chain and read the public key of the bank from certn.

What happens if the certification path is invalid?

- For example, if the first certificate in the path is not known to the user.
- Experiment: let's delete the Verisign certificate from the configuration of the browser... What happens? The browser can no longer build a path to a trusted root and warns that the site's identity cannot be verified.
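The chain verification described above, and the basic-constraints bound from "How is it solved in practice?", as an added example that is not code from the original slides: a Python validator over a constructed chain Verisign -> Verisign Italy -> Banca di Roma (names taken from the slides; the keys, validity dates and certificate encoding are assumptions of this example). It uses textbook RSA with tiny moduli purely so the chain logic can be exercised offline; that RSA is not secure. The checks mirror what a browser does: cert1 must be in the trust store, each certificate must be signed by the previous one, every signer must be a CA within its pathLenConstraint, all certificates must be within their validity period, and certn must name the site.

```python
import hashlib
import json
import math
import secrets


def small_prime(bits: int) -> int:
    """Random prime by trial division; only viable at the toy sizes used here."""
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if all(n % d for d in range(3, math.isqrt(n) + 1, 2)):
            return n


def rsa_keygen(bits: int = 24):
    """Textbook RSA with ~48-bit moduli: enough to exercise the chain logic, not secure."""
    while True:
        p, q = small_prime(bits), small_prime(bits)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and math.gcd(65537, phi) == 1:
            return (n, 65537), (n, pow(65537, -1, phi))


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def rsa_sign(sk, data: bytes) -> int:
    n, d = sk
    return pow(_digest(data, n), d, n)


def rsa_verify(pk, data: bytes, sig: int) -> bool:
    n, e = pk
    return pow(sig, e, n) == _digest(data, n)


def tbs(cert: dict) -> bytes:
    """To-be-signed part: every field except the signature, canonically encoded."""
    return json.dumps({k: v for k, v in cert.items() if k != "sig"}, sort_keys=True).encode()


def issue(issuer: str, issuer_sk, subject: str, subject_pk, ca: bool, path_len, nb: int, na: int):
    """Issue a certificate; path_len is the basic-constraints limit (None = unbounded)."""
    cert = {"subject": subject, "issuer": issuer, "pk": list(subject_pk), "ca": ca,
            "path_len": path_len, "not_before": nb, "not_after": na}
    cert["sig"] = rsa_sign(issuer_sk, tbs(cert))
    return cert


def validate_chain(chain, trust_store, expected_subject: str, now: int):
    """chain = (cert1, ..., certn), root first, as the bank sends it in the slides."""
    if chain[0] not in trust_store:
        return False, "cert1 is not a root the browser knows"
    for i, cert in enumerate(chain):
        if not cert["not_before"] <= now <= cert["not_after"]:
            return False, f"{cert['subject']}: outside validity period"
        signer = cert if i == 0 else chain[i - 1]          # the root is self-signed
        if cert["issuer"] != signer["subject"] or not signer["ca"]:
            return False, f"{cert['subject']}: issuer {cert['issuer']} is not an acceptable CA"
        if not rsa_verify(tuple(signer["pk"]), tbs(cert), cert["sig"]):
            return False, f"{cert['subject']}: signature does not verify"
        # basic constraints: how many CA certificates still follow the signer in this chain
        followers = sum(1 for c in chain[i:-1] if c["ca"])
        if i > 0 and signer["path_len"] is not None and followers > signer["path_len"]:
            return False, f"{signer['subject']}: pathLenConstraint exceeded"
    leaf = chain[-1]
    if leaf["ca"] or leaf["subject"] != expected_subject:
        return False, "certn does not identify the expected site"
    return True, "ok"


def build_demo(root_path_len=1, leaf_valid=(100, 1000)):
    """Constructed chain Verisign -> Verisign Italy -> Banca di Roma, plus the trust store."""
    root_pk, root_sk = rsa_keygen()
    it_pk, it_sk = rsa_keygen()
    bank_pk, bank_sk = rsa_keygen()
    root = issue("Verisign", root_sk, "Verisign", root_pk, True, root_path_len, 0, 10000)
    italy = issue("Verisign", root_sk, "Verisign Italy", it_pk, True, 0, 0, 10000)
    bank = issue("Verisign Italy", it_sk, "Banca di Roma", bank_pk, False, None, *leaf_valid)
    return [root, italy, bank], [root], {"bank_sk": bank_sk}
```

Running `validate_chain(chain, [], "Banca di Roma", 500)` reproduces the slide's experiment of deleting Verisign from the browser: the chain is intact and every signature verifies, yet validation fails at the first step because nothing anchors it. The `ca` check is what stops "the last element in the chain", a paying customer, from issuing certificates of its own.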

Another popular PKI

- Pretty Good Privacy (PGP): every user can act as a certification authority. Hence the name "Web of Trust".

Introduction to key establishment protocols

Suppose Alice and Bob want to authenticate to each other over the internet... Observation: authentication by itself is not very useful. More useful: key establishment.

Protocols for key establishment

- Suppose Alice and Bob want to establish a fresh session key in an authentic way. When is it possible?
- Using symmetric cryptography: Alice and Bob can use some trusted server S.
- Using asymmetric cryptography, e.g. using a PKI.

Symmetric cryptography

- Alice shares a secret key K_AS with the server S, and Bob shares a secret key K_BS with S.
- The server can help Alice and Bob to establish a session key.
- (In reality it's not so trivial to design a secure protocol.)

Public-key cryptography

- Alice and Bob each send their certificate path (cert1, ..., certn) to the other.
- If they accept the certificate paths they can establish a session key:
  - Alice selects a random key K.
  - Alice encrypts K with Bob's public key, signs it with her private key, and sends it to Bob.
  - Bob verifies the signature and decrypts K.
- Again, in reality it's not that simple...

What if one of the parties doesn't have a certificate?

- Typical situation in real life...
- E.g. a bank can verify the authenticity of Alice by asking her for a secret password.
- This password is provided to her (in a physical way) when she opened an account.
- How to prevent dictionary attacks? Not so trivial...

Designing key establishment protocols

- It is an active area of research.
- It's more complicated than one may think...
- On the next slides we show some common errors.

In all variants below, K_AS is the key shared by Alice and the server, K_BS the key shared by Bob and the server, and the server selects a random session key K_AB.

An idea (1)

  1. A -> S: (A, B)
  2. S -> A: Enc_KAS(K_AB), Enc_KBS(K_AB)
  3. A -> B: (Enc_KBS(K_AB), A)

An attack

The adversary replaces the cleartext name in message 3 and delivers (Enc_KBS(K_AB), D) to Bob. Bob now believes "I'm talking to D" while in fact he shares K_AB with Alice: nothing binds the identity of the peer to the key.

An idea (2)

  1. A -> S: (A, B)
  2. S -> A: Enc_KAS(K_AB, B), Enc_KBS(K_AB, A)
  3. A -> B: Enc_KBS(K_AB, A)

A replay attack

The adversary stores the values that the server sent in a previous session, Enc_KAS(K_AB, B) and Enc_KBS(K_AB, A), and replays them in a later run. So the key is not fresh...

How to protect against replay attacks?

- Nonce: number used once.
- A nonce is a random number generated by one party and returned to that party to show that a message is newly generated.

An idea (3): Needham and Schroeder, 1978

  1. A -> S: (A, B, N_A)
  2. S -> A: Enc_KAS(K_AB, B, N_A, Enc_KBS(K_AB, A))
  3. A -> B: Enc_KBS(K_AB, A)
  4. B -> A: Enc_KAB(N_B)
  5. A -> B: Enc_KAB(N_B - 1)

An attack on Needham-Schroeder

Assume that an old session key K_AB is known to the adversary. The adversary replays the old message 3, Enc_KBS(K_AB, A), to Bob, receives Enc_KAB(N_B) and, knowing K_AB, answers Enc_KAB(N_B - 1). Bob accepts the old key as fresh.

The final solution

  1. B -> A: (B, N_B)
  2. A -> S: (A, B, N_A, N_B)
  3. S -> A: Enc_KAS(K_AB, B, N_A), Enc_KBS(K_AB, A, N_B)
  4. A -> B: Enc_KBS(K_AB, A, N_B)

Bob's own fresh nonce N_B is now bound into his ticket, so a ticket from an old session is rejected.
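The protocol variants above, as an added example that is not part of the original slides: a Python simulation in which a toy authenticated encryption stands in for Enc_K (assumption of the model: the adversary can copy and replay ciphertexts but can neither read nor alter them without the key). It shows that idea (2) accepts a replayed server reply, that the nonce N_A of idea (3) rejects it, that an adversary holding an old session key still passes Bob's challenge with an old ticket, and that binding Bob's own nonce into his ticket (the final solution) closes that hole. It also serves as the challenge/response countermeasure from the earlier "Replay Attacks" slide. The long-term keys, nonces and message encoding are constructed here; the ticket for Bob is returned alongside Alice's part rather than nested inside it, which does not change the attacks.

```python
import hashlib
import hmac
import json
import secrets


def enc(key: bytes, fields: dict) -> bytes:
    """Toy authenticated encryption (SHAKE-256 keystream + HMAC-SHA256 tag). Stands in for
    Enc_K(...) on the slides: without K the adversary can neither read nor alter it."""
    pt = json.dumps(fields, sort_keys=True).encode()
    iv = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + iv).digest(len(pt))))
    return iv + ct + hmac.new(key, iv + ct, "sha256").digest()


def dec(key: bytes, blob: bytes) -> dict:
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, iv + ct, "sha256").digest(), tag):
        raise ValueError("bad tag")
    pt = bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + iv).digest(len(ct))))
    return json.loads(pt)


# K_AS and K_BS: the long-term keys each party shares with the server (constructed here).
LONG_TERM = {"Alice": secrets.token_bytes(32), "Bob": secrets.token_bytes(32)}


def server(version: int, a: str, b: str, na=None, nb=None):
    """The server's reply for idea (2), idea (3) and the final solution (version 4)."""
    kab = secrets.token_bytes(16).hex()        # fresh session key K_AB
    if version == 2:                            # names bound into the ciphertexts, no freshness
        return enc(LONG_TERM[a], {"key": kab, "peer": b}), enc(LONG_TERM[b], {"key": kab, "peer": a})
    ticket = {"key": kab, "peer": a}
    if version == 4:                            # final solution: Bob's nonce inside his ticket
        ticket["nb"] = nb
    return enc(LONG_TERM[a], {"key": kab, "peer": b, "nonce": na}), enc(LONG_TERM[b], ticket)


def alice_accepts_idea2(reply: bytes) -> dict:
    """Idea (2): nothing ties the reply to this run, so a stored old reply is accepted."""
    return dec(LONG_TERM["Alice"], reply)


def alice_accepts_nonce(reply: bytes, na: str):
    """Idea (3) and later: Alice insists that her nonce N_A comes back inside the reply."""
    f = dec(LONG_TERM["Alice"], reply)
    return f if f.get("nonce") == na else None


def honest_responder(kab: bytes):
    """Whoever holds K_AB can answer Bob's challenge Enc_KAB(N_B) with Enc_KAB(N_B - 1)."""
    return lambda challenge: enc(kab, {"nb": dec(kab, challenge)["nb"] - 1})


def bob_accepts(ticket: bytes, responder, expect_nb=None) -> bool:
    """Messages 3-5 of Needham-Schroeder. With expect_nb set (final solution) Bob also
    requires the nonce he issued a moment ago to be bound into the ticket."""
    t = dec(LONG_TERM["Bob"], ticket)
    if expect_nb is not None and t.get("nb") != expect_nb:
        return False
    kab, nb = bytes.fromhex(t["key"]), secrets.randbits(32)
    try:
        return dec(kab, responder(enc(kab, {"nb": nb})))["nb"] == nb - 1
    except ValueError:
        return False
```

Calling `bob_accepts(old_ticket, honest_responder(old_kab))` with a ticket and key captured in an earlier run returns True: the challenge in messages 4 and 5 proves only that the other side holds K_AB, not that K_AB is fresh. The same call with `expect_nb` set to the nonce Bob just issued returns False for the old ticket, because the server bound a different N_B into it.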

Other desirable features

- Forward security: if an adversary breaks into the machine at some time t, the previous session keys remain secret.
- Deniability: a user can always deny that he sent some message.
- Resistance to denial-of-service attacks (don't put too much work on the server!).

Another (real-life) problem

- Alice and Bob may use different versions of the protocol.
- Therefore at the beginning of the protocol they have to agree on the ciphers that they will use.
- How to agree in a secure way?

  Alice: "I prefer to use AES, but I can also use DES."   The adversary rewrites it to:   "I can only use DES."
  Bob:   "I prefer to use AES, but I can also use DES."   The adversary rewrites it to:   "I can only use DES."

They'll end up using DES!
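The downgrade above, as an added example that is not part of the original slides: a Python simulation of the cipher negotiation in which a man in the middle rewrites Alice's offer to "I can only use DES", followed by the standard countermeasure, each side authenticating its own view of the handshake transcript under the session key (what TLS does in the Finished messages). The preference lists come from the slide; the session key is an assumption of the example, taken to be established in a way the attacker cannot influence or learn.

```python
import hashlib
import hmac

# Preference lists as on the slide: both sides prefer AES and tolerate DES.
ALICE_OFFER = ["AES", "DES"]
BOB_OFFER = ["AES", "DES"]


def choose_suite(client_offer, server_offer):
    """Pick the first suite in the client's preference order that the server supports."""
    for suite in client_offer:
        if suite in server_offer:
            return suite
    raise ValueError("no common cipher suite")


def downgrade_in_transit(offer):
    """Man in the middle rewrites the offer so that it reads 'I can only use DES'."""
    return [s for s in offer if s == "DES"]


def finished_mac(key: bytes, transcript) -> bytes:
    """Each side authenticates its own view of the handshake (the TLS Finished idea).
    `key` is assumed to be a session key the attacker can neither learn nor choose."""
    return hmac.new(key, repr(transcript).encode(), hashlib.sha256).digest()


def handshake(alice_offer, bob_offer, session_key: bytes, tamper=None):
    """Returns (suite Bob selected, whether the transcript check passed)."""
    on_the_wire = tamper(alice_offer) if tamper else alice_offer   # what Bob actually receives
    choice = choose_suite(on_the_wire, bob_offer)
    alice_view = (alice_offer, choice)      # Alice remembers what she really offered
    bob_view = (on_the_wire, choice)        # Bob only ever saw the rewritten offer
    ok = hmac.compare_digest(finished_mac(session_key, alice_view),
                             finished_mac(session_key, bob_view))
    return choice, ok
```

Without the transcript check the tampered run simply returns "DES" and both parties proceed; with it, Alice's and Bob's Finished values differ and the connection is aborted before any data is sent under the weak cipher.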

Protocols used in practice

- Symmetric: Kerberos
- Asymmetric: SSL/TLS, SSH, IPsec...
