CMPS 290X, UC Santa Cruz (Spring 2001)
Authentication, Digital Signatures,
and Passwords
Well, who are you? (Who are you? Who, who, who, who?) I really wanna know (Who are you? Who, who, who, who?) Tell me, who are you? (Who are you? Who, who, who, who?) 'Cause I really wanna know (Who are you? Who, who, who, who?)
The Who, "Who Are You?", 1978
Today’s class
Using computers to provide & improve trust
Hashing
Authentication
Certificates
Digital signatures
Passwords
What is hashing?
Hashing is the generation of a fixed-size number
from a variable-sized block of input
Many-to-one mapping
Even distribution: for random input, each output value is
(approximately) equally likely
Efficient: hash function is easy to compute
Cryptographic hash functions
One-way: given the hash function H , and a hash value h ,
it’s hard to find x such that H ( x ) = h
Collision resistance
Weak collision resistance: given x, it's hard to find y ≠ x such that H(y) = H(x)
Strong collision resistance: it's hard to find any x and y ≠ x such that H(y) = H(x)
Using cryptographic hashes
Alice wants to send Bob an “I owe you” message
Bob wants to be able to show the message to a judge to
compel Alice to pay up
Alice wants to prevent Bob from changing the contents of the
message or making up his own IOU from Alice
“I, Alice, owe Bob $50, and will pay on or before 7/1/2001”
IOU protocol, third try
Alice holds the key pair {KU_A, KR_A}: public (KU) and private (KR)
Alice sends Bob M together with E_KRA[H(M)], the hash of M encrypted under her private key
Bob (who knows KU_A) can verify H(M) by decrypting, but can't forge an (M, E_KRA[H(M)]) pair without knowing KR_A
Bob forwards M and E_KRA[H(M)] to the Judge, who also knows KU_A and performs the same check
Weak collision resistance
Suppose we use: H(char s[]) = (s[0] – 'a') mod 10
Alice sends Bob: "I, Alice, owe Bob $50.", E_KRA[H(M)]
Bob sends Judge: "I, Alice, owe Bob $5000000.", E_KRA[H(M)]
Judge validates E_KUA[E_KRA[H(M)]] = H("I, Alice, owe Bob $5000000.") and makes Alice pay
Both messages begin with the same character, so this H gives them the same hash value
Given x, it should be hard to find y ≠ x such that H(y) = H(x)
Similar to a block cipher, but without the need for a secret key
Changing any bit of x should change most of H(x)
The mapping between x and H(x) should be confusing (complex and non-linear)
Is there a better hash function?
Use H(x) = DES(x, 0): encrypt x with DES under a fixed, publicly known key (here the zero key)
Weak collision resistance?
Given x, it should be hard to find y ≠ x such that H(y) = H(x)
This is the case for DES because DES is one-to-one: under a fixed key, encryption is a permutation of the 64-bit blocks
There is (by definition) no such y
Is this a good hash function?
No!
Its output is as big as the message
Doesn't summarize the message
We need a hash function that
Produces a small number of bits (64-256)
Depends on the message in a confusing, non-linear way
Hash using cipher block chaining
Cipher block chaining
Each ciphertext block depends on the previous one
Still too long!
Use the last block from CBC mode
Still depends on all previous plaintext data
Fixed length
[Diagram: P1 ⊕ IV → DES_K → C1; P2 ⊕ C1 → DES_K → C2; …; Pn ⊕ Cn-1 → DES_K → Cn]
Use this value (Cn) as the hash value
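The CBC-last-block construction above, as an added example that is not part of the original slides. DES is not in the Python standard library, so a small 8-round Feistel cipher with a SHA-256 round function stands in for it (an assumption: any invertible 64-bit block cipher behaves the same way here). The key plays the role of the "0" in H(x) = DES(x, 0): fixed and known to everyone, including the attacker. The second function shows the check a practitioner wants: with the key public, CBC can be run backwards through the last block, so given only H(x) anyone can build a y ≠ x with the same hash. The construction fails weak collision resistance, which is why the deck moves on to ask for a confusing, non-linear mapping that needs no key at all.

```python
"""CBC-last-block "hash" under a fixed public key, and a second preimage for it."""
import hashlib

BLOCK = 8                    # 64-bit blocks, like DES
PUBLIC_KEY = b"fixed key"    # assumption: stands in for the all-zero DES key in H(x) = DES(x, 0)
IV = bytes(BLOCK)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Round function: 32 bits of SHA-256(key || round || half)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in rounds:
        left, right = right, _xor(left, _f(key, rnd, right))
    return right + left          # final swap: decryption is the same walk with reversed rounds


def block_encrypt(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, range(8))


def block_decrypt(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, reversed(range(8)))


def _pad(msg: bytes) -> bytes:
    return msg + b"\x00" * (-len(msg) % BLOCK)      # zero padding (simplification)


def _cbc_last_block(data: bytes, key: bytes) -> bytes:
    """Run CBC over whole blocks and return C_n, the slides' hash value."""
    c = IV
    for i in range(0, len(data), BLOCK):
        c = block_encrypt(key, _xor(data[i:i + BLOCK], c))
    return c


def cbc_hash(msg: bytes, key: bytes = PUBLIC_KEY) -> bytes:
    return _cbc_last_block(_pad(msg), key)


def second_preimage(target: bytes, chosen_prefix: bytes, key: bytes = PUBLIC_KEY) -> bytes:
    """Given only H(x) = target and the public key, build y != x with H(y) == target.

    CBC feeds P_n XOR C_{n-1} into the cipher, so the attacker walks CBC forward
    over any prefix of their choosing and then solves the last block:
    P_n = D_K(C_n) XOR C_{n-1}. Those eight bytes are whatever the equation
    says, so the forgery ends in junk, but it is already a second preimage.
    """
    prefix = _pad(chosen_prefix)
    c_prev = _cbc_last_block(prefix, key)
    last = _xor(block_decrypt(key, target), c_prev)
    return prefix + last
```

The attack costs one block decryption, independent of message length; a hash built this way only holds up while the key is secret, which turns it into a MAC rather than a hash.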
Strong collision resistance
It is hard to find any x and y ≠ x such that H(y) = H(x)
Difference from weak collision resistance
Attacker gets to choose both x and y, not just y
Scenario
Bob writes IOU message and sends it to Alice for signing
Bob can cheat Alice if H is only weakly collision resistant, because here Bob chooses both messages
IOU request protocol
Bob picks M1 and M2 such that H(M1) = H(M2)
Bob sends Alice M1; Alice (holding {KU_A, KR_A}) returns E_KRA[H(M1)]
Bob sends the Judge M2 together with E_KRA[H(M1)]
The Judge, who knows KU_A, decrypts to H(M1) = H(M2) and accepts M2 as signed by Alice
Finding M1 and M2
Bob generates 2^10 different agreeable (to Alice) messages:
I, { Alice | Alice Hacker | Alice P. Hacker | Ms. A. Hacker },
{ will pay | agree to pay } Bob { the sum of | the amount of }
{ $50 | $50.00 | 50 dollars | fifty dollars } { prior to | before }
{ July 1st | 1 July | 7/1 | 07/01 } { 2001 | 2001 AD }.
Bob generates 2^10 different agreeable (to Bob) messages:
I, { Alice | Alice Hacker | Alice P. Hacker | Ms. A. Hacker },
{ will pay | agree to pay } Bob { the sum of | the amount of }
{ $5,000,000 | $5,000,000.00 | $5 million | five million dollars } { prior to | before }
{ July 1st | 1 July | 7/1 | 07/01 } { 2001 | 2001 AD }.
Who wants to be a millionaire? Bob?
For each message M1_i and M2_j, Bob computes hM1_i = H(M1_i) and hM2_j = H(M2_j)
With 2^10 messages on each side there are 2^20 (M1_i, M2_j) pairs, so a hash with only about 20 bits of output is expected to yield a match
If hM1_i = hM2_j for some i and j:
Bob sends Alice M1_i
Alice produces E_KRA[H(M1_i)] and returns it to Bob
Bob sends the judge M2_j || E_KRA[H(M1_i)]
The judge checks the signed hash value against H(M2_j), finds a match, and awards Bob $5 million!
How could we avoid this?
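Bob's search, as an added example that is not from the original slides. It uses the deck's own two message templates (2^10 variants each) and a stand-in for H: SHA-256 truncated to HASH_BITS bits (an assumption, chosen so short that the 2^20 candidate pairs are almost certain to contain a cross-collision). Alice's signature E_KRA[H(M)] is modelled as the bare hash value, since the judge in the protocol only ever compares hash values. Hashing the first family into a table and looking the second family up costs 2·2^10 hash computations rather than 2^20 comparisons.

```python
"""Birthday attack on a short hash using the lecture's IOU message templates."""
import hashlib
from itertools import product

HASH_BITS = 16   # assumption: a deliberately short hash so the attack finishes instantly


def h(msg: str, bits: int = HASH_BITS) -> int:
    """Toy H: the leading `bits` bits of SHA-256(msg)."""
    digest = hashlib.sha256(msg.encode()).digest()
    return int.from_bytes(digest[:8], "big") >> (64 - bits)


# Template slots from the slides: 4*2*2*4*2*4*2 = 2^10 variants per family.
HEAD_SLOTS = (
    ("Alice", "Alice Hacker", "Alice P. Hacker", "Ms. A. Hacker"),
    ("will pay", "agree to pay"),
    ("the sum of", "the amount of"),
)
AMOUNT_ALICE = ("$50", "$50.00", "50 dollars", "fifty dollars")
AMOUNT_BOB = ("$5,000,000", "$5,000,000.00", "$5 million", "five million dollars")
TAIL_SLOTS = (
    ("prior to", "before"),
    ("July 1st", "1 July", "7/1", "07/01"),
    ("2001", "2001 AD"),
)


def variants(amounts):
    """Expand one template family into its 2^10 messages."""
    for who, verb, sum_of, amount, when, day, year in product(*HEAD_SLOTS, amounts, *TAIL_SLOTS):
        yield f"I, {who}, {verb} Bob {sum_of} {amount} {when} {day} {year}."


def find_collision(bits: int = HASH_BITS):
    """Return (M1, M2) with h(M1) == h(M2), M1 agreeable to Alice and M2 to Bob,
    or None if no pair collides. Table the M1 family, then look each M2 up."""
    table = {}
    for m1 in variants(AMOUNT_ALICE):
        table.setdefault(h(m1, bits), m1)
    for m2 in variants(AMOUNT_BOB):
        m1 = table.get(h(m2, bits))
        if m1 is not None:
            return m1, m2
    return None


def alice_signs(m: str) -> int:
    """Placeholder for E_KRA[H(M)]: Alice only sees and signs the message Bob shows her."""
    return h(m)


def judge_accepts(m: str, signed_hash: int) -> bool:
    """Placeholder for the judge's check E_KUA[E_KRA[H(M)]] == H(M)."""
    return h(m) == signed_hash
```

With the same templates and a 40-bit truncation, `find_collision(bits=40)` comes back empty: the expected number of matching pairs is 2^20/2^40, which is the point of the next slide.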
How big should a hash value be?
P(n, k) = 1 – n!/((n – k)! · n^k)
Given k random selections from n possible values, P(n, k) gives the probability of at least one duplicate
We can derive an easier to calculate formula:
P(n, k) > 1 – e^(–k(k–1)/2n)
This was derived using (1 – x) ≤ e^(–x)
Example: 2^70 objects, 160 bit hash (like SHA)
For large k, k – 1 ≈ k, so k(k–1)/2n ≈ k^2/2n = 2^140/2^161 = 2^–21
P(2^160, 2^70) > 1 – e^(–2^–21) ≈ 4.8 × 10^–7 chance of at least 1 duplicate
2^70 objects is a trillion objects per second for 30 years!
With big enough hash values and public key encryption, we get digital signatures!
Certificates
Use hashing and public keys to build a tree of trust
Must trust at least one public key (certificate authority)
CA signs keys, allowing them to be trusted
If you trust a signed key, it too can be used to sign keys…
[Diagram: TrustMe.com (key pair KU_T, KR_T) issues C_A to Alice and C_B to Bob]
C_A = E_KRT[H("Alice" || KU_A)]
C_B = E_KRT[H("Bob" || KU_B)]
How are certificates checked?
TrustMe.com's certificate is well-known
Incorporated into the browser!
Decrypt the certificate using KU_T and check the hash value
[Diagram: Bob sends Alice C_B || KU_B]
C_B = E_KRT[H("Bob" || KU_B)]
Alice computes D_KUT(C_B) = H("Bob" || KU_B) and checks it against the received values
What if a key is compromised?
Since certificates are self-contained, it's hard to revoke them
Solution: certificates have times attached
Times included in signed hash
After time has expired, certificate is no good
User has to get a new certificate
If the key is compromised, no certificate will be reissued
Advantages
Certificates not good forever
Certificate authorities can make more money!
Disadvantages
It takes time for a certificate to be disavowed
Workaround: present certificate to CA for verification
Slow, so not done normally
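The certificate structure from the last three slides, as an added example that is not from the original deck: C = E_KR_T[H(name || KU || expiry)], checked by decrypting with KU_T, recomputing the hash and comparing, with the expiry time inside the signed hash and a chain walk for "a signed key can itself sign keys". Signing is textbook RSA over an 88-bit truncated SHA-256 digest, with moduli built from the known Mersenne primes 2^31–1, 2^61–1 and 2^89–1 so that it runs on the standard library alone. That choice is an assumption made purely for illustration: the keys are tiny, fixed, and share prime factors, so nothing here is a usable signature scheme.

```python
"""Name-and-key certificates with expiry, signed and chained with toy RSA."""
import hashlib

E = 65537
HASH_BITS = 88            # digest must stay below the smallest modulus (~2^92)


def keygen(p: int, q: int, e: int = E):
    """(public, private) = ((n, e), (n, d)) for two distinct primes p, q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def h(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - HASH_BITS)


def sign(private, data: bytes) -> int:
    """E_KR[H(data)]: textbook RSA on the digest."""
    n, d = private
    return pow(h(data), d, n)


def verify(public, data: bytes, sig: int) -> bool:
    """D_KU[sig] == H(data)?"""
    n, e = public
    return pow(sig, e, n) == h(data)


def cert_body(name: str, public, expires: int) -> bytes:
    """What gets hashed and signed: name || KU || expiry, unambiguously encoded."""
    n, e = public
    return f"{name}|{n}|{e}|{expires}".encode()


def issue(ca_private, name: str, public, expires: int) -> dict:
    """CA signs H(name || KU || expiry); the certificate carries the inputs plus the signature."""
    return {"name": name, "public": public, "expires": expires,
            "sig": sign(ca_private, cert_body(name, public, expires))}


def check(cert: dict, issuer_public, now: int) -> bool:
    """Reject an expired certificate, then recompute the hash and compare with D_KU[sig]."""
    if now >= cert["expires"]:
        return False
    body = cert_body(cert["name"], cert["public"], cert["expires"])
    return verify(issuer_public, body, cert["sig"])


def check_chain(chain: list, trusted_public, now: int) -> bool:
    """chain[0] is the end-entity certificate; chain[-1] is signed by the key we trust.
    Each key that checks out becomes the issuer key for the next certificate down."""
    issuer_public = trusted_public
    for cert in reversed(chain):
        if not check(cert, issuer_public, now):
            return False
        issuer_public = cert["public"]
    return True


# Toy key material (assumption). A real CA generates fresh, large, unrelated primes per key.
TRUSTME_PUBLIC, TRUSTME_PRIVATE = keygen(2 ** 31 - 1, 2 ** 61 - 1)
MID_PUBLIC, MID_PRIVATE = keygen(2 ** 89 - 1, 2 ** 61 - 1)
BOB_PUBLIC, _BOB_PRIVATE = keygen(2 ** 31 - 1, 2 ** 89 - 1)
```

Because the expiry is part of what TrustMe.com signed, stretching it after the fact changes the hash and the certificate fails; swapping in a different public key while keeping the signature fails the same way.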
Authentication problems
Need to store the passwords somewhere
Must rely on the file remaining secure
Legitimate users could perhaps read the file, allowing
them to impersonate someone else
Could be encrypted, but then where would the key be
kept?
Need to transmit passwords from user to host
Use a secure line: no remote logins (or difficult at best)
Encrypt the transmission?
Encrypted passwords
[Diagram: Terminal → Trusted subsystem, which compares the received value to the stored value]
Login: gwbush Password: rangersfan
Login sends <"gwbush", DES(0, "rangersfan")>
Problem: anyone could simply look up DES(0, "rangersfan") in the password file and send that value…
Encrypted passwords redux
[Diagram: Terminal → Trusted subsystem, which computes DES(0, "rangersfan") itself and compares it to the stored value]
Login: gwbush Password: rangersfan
Login sends <"gwbush", "rangersfan">
Making brute force attacks harder
Use a slower encryption algorithm
DES is pretty slow
Limits the speed with which attackers can compute stored values from candidate passwords
Even slower: run DES many times
Unix uses DES^25(0, password)
Not more secure, but a lot slower…
Require longer passwords
DES key is only 56 bits long, so crypt(3) uses only the low 7 bits of each of the first 8 ASCII characters of the password
Brute force is unlikely to work with DES^25 and all possible 8-letter passwords
Are all 8-letter passwords likely to occur?
Multiple users with the same password
What if two people have the same password?
DES^25 will result in the same value!
Must guard against this!
Solution: add "salt"
12 random bits added to password before encryption
Same password results in different outcome because of different salt value
The salt is stored in the clear next to the result so the check can recompute it
Unix uses this scheme, but with DES+ (salt-dependent E-tables)
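The stored-password scheme of the last three slides, as an added example that is not from the original deck: a slow iterated one-way function, a per-user salt stored beside the result, the trusted subsystem recomputing from the plaintext password, and the offline dictionary attack the slides are guarding against. Unix crypt(3) iterated DES is replaced by iterated SHA-256 from `hashlib` (an assumption; the 25 rounds keep the slides' DES^25 count). The password file and word list are constructed for the example; two of the users deliberately share a password.

```python
"""Iterated, salted password storage and the dictionary attack it slows down."""
import hashlib
import os

ITERATIONS = 25   # the slides' DES^25: no stronger per guess, 25x the work per guess
SALT_BYTES = 2    # slides use 12 random bits; 16 bits here (assumption)


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stand-in for DES^25(0, password) with the salt folded into every round."""
    h = password.encode()
    for _ in range(iterations):
        h = hashlib.sha256(salt + h).digest()
    return h


def new_salt() -> bytes:
    return os.urandom(SALT_BYTES)


def make_entry(user: str, password: str, salt: bytes) -> tuple:
    """One password-file line: the salt is stored in the clear next to the hash."""
    return (user, salt, hash_password(password, salt))


def verify(entry: tuple, password: str) -> bool:
    """The trusted subsystem receives the plaintext password and recomputes the stored value."""
    _user, salt, stored = entry
    return hash_password(password, salt) == stored


def dictionary_attack(pwfile: list, wordlist: list):
    """Offline guessing against a stolen file. Returns ({user: password}, hashes computed).

    Entries that share a salt are attacked with one hash per word for all of
    them at once; distinct salts force one hash per word per user.
    """
    by_salt = {}
    for user, salt, stored in pwfile:
        by_salt.setdefault(salt, []).append((user, stored))
    cracked, work = {}, 0
    for word in wordlist:
        for salt, entries in by_salt.items():
            guess = hash_password(word, salt)
            work += 1
            for user, stored in entries:
                if guess == stored:
                    cracked[user] = word
    return cracked, work


# Constructed sample data (not real accounts): gwbush and alice chose the same password.
USERS = [("gwbush", "rangersfan"), ("alice", "rangersfan"), ("bob", "letmein")]
WORDLIST = ["password", "rangersfan", "letmein", "qwerty"]
PASSWD_UNSALTED = [make_entry(u, p, b"") for u, p in USERS]
PASSWD_SALTED = [make_entry(u, p, s)
                 for (u, p), s in zip(USERS, [b"\x01\x02", b"\x03\x04", b"\x05\x06"])]
```

Against the unsalted file the attacker spends one hash per dictionary word and cracks every user in the same pass, and identical passwords are visible without cracking anything; with salts the cost multiplies by the number of users, and the 2^12 possible salts in the Unix scheme are what make a precomputed table 4096 times bigger.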
Problem: what about Eve?
Eve can spy on transmissions between user and system
Eve can capture user name and password and replay them
No need to even see password file
How can we guard against this?
Answer next time…
[Diagram: George W sends <"gwbush", "rangersfan"> to the trusted system while Eve listens on the line]
Summary
Authentication is a difficult problem
We’ve only scratched the surface!
Use many tools for authentication
Trees (or web) of trust
Public-key encryption
Message authentication codes
Passwords
Be careful!
Passwords are easy to crack!
Good passwords are hard to choose!
For next time
Security protocols for the real world
SSH
PGP
SSL
Make sure those project proposals are in!
Homework #1 due
Homework #2 handed out (online)