computer security module 3
Computer Security
Deepak John
SJCET-Palai
Key Management
public-key encryption helps address the key distribution problem
there are two aspects to this:
distribution of public keys
use of public-key encryption to distribute secret keys
Distribution of Public Keys
can be considered as using one of:
public announcement
publicly available directory
public-key authority
public-key certificates
Public Announcement
users distribute public keys to recipients or broadcast to community at large
major weakness is forgery
anyone can create a key claiming to be someone else and broadcast it
Publicly Available Directory
can obtain greater security by registering keys with a public directory
directory must be trusted with properties:
contains {name, public-key} entries
participants register securely with directory
participants can replace key at any time
directory is periodically published
directory can be accessed electronically
still vulnerable: an attacker who obtains the directory authority's private key, or who tampers with the directory's records, can substitute a public key and impersonate a participant
Public-Key Authority
improve security by tightening control over distribution of keys from the directory
has the properties of the directory
assumes that a central authority maintains a dynamic directory of public keys of all participants, and that each participant reliably knows the authority's public key (only the authority knows the matching private key)
1. A sends a time-stamped message to the public-key authority containing a request for the current public key of B.
2. The authority responds with a message encrypted (signed) using the authority's private key, PRauth: E(PRauth, [PUb || Request || T1]). A decrypts it with the authority's public key, so A knows the message came from the authority. The message includes B's public key PUb, the original request (so A can match the reply to its request), and the original timestamp (so A knows the reply is not an old one).
3. A stores B's public key and also uses it to encrypt a message to B containing an identifier of A (IDA) and a nonce (N1), which is used to identify this transaction uniquely: E(PUb, [IDA || N1]).
4. B sends a time-stamped message to the public-key authority containing a request for the current public key of A.
5. B retrieves A's public key from the authority in the same manner as A retrieved B's public key.
At this point public keys have been securely delivered to A and B, and they may begin their protected exchange. Two further steps let each side confirm that the other holds the matching private key:
6. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new nonce generated by B (N2). Because only B could have decrypted message (3), the presence of N1 in message (6) assures A that the correspondent is B.
7. A returns N2, encrypted using B's public key, to assure B that its correspondent is A.
Seven messages in total; the four exchanged with the authority are needed only until the keys are cached, but cached keys should be refreshed periodically.
Public-Key Certificates
certificates allow key exchange without real-time access to a public-key authority
a certificate consists of a public key plus an identifier of the key owner (and a timestamp), with all contents signed by a trusted Certificate Authority (CA)
A user presents his or her public key to the authority in a secure manner and obtains a certificate:
CA = E(PRauth, [T || IDA || PUa])
The user can then publish the certificate. Anyone needing this user's public key can obtain the certificate and verify that it is valid by way of the attached trusted signature.
Any other participant reads and verifies the certificate as follows:
D(PUauth, CA) = D(PUauth, E(PRauth, [T || IDA || PUa])) = (T || IDA || PUa)
The timestamp T lets the reader judge whether the certificate is still current.
requirements on this scheme:
1. Any participant can read a certificate to determine the name and public key of
the certificate's owner.
2. Any participant can verify that the certificate originated from the certificate
authority and is not counterfeit.
3. Only the certificate authority can create and update certificates.
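The issue-and-verify cycle above, worked end to end as an added example (not from the slides). Signing is textbook RSA over a SHA-256 digest, a toy with no padding scheme, chosen only so the block runs on a bare Python install; the 512-bit key size, the identifiers, the `T||ID||PU` body encoding and the tampered-certificate check are all constructed here. It shows requirements 1 to 3: anyone can read the body, anyone holding PUauth can check it, and only the holder of PRauth can produce a certificate that passes.

```python
"""Public-key certificate: CA = E(PR_auth, [T || ID_A || PU_a]),
verified as D(PU_auth, CA) = T || ID_A || PU_a.  Added example; toy RSA."""
import hashlib
import random

def is_probable_prime(n: int, rounds: int = 25) -> bool:
    """Miller-Rabin primality test (constructed helper for key generation)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def rsa_keygen(bits: int = 512):
    """Returns (PU, PR) = ((e, n), (d, n)); 512 bits is a toy size for the demo."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

def h_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(pr, data: bytes) -> int:
    """E(PR, H(data)): only the private-key holder can compute this."""
    d, n = pr
    return pow(h_int(data), d, n)

def verify(pu, data: bytes, sig: int) -> bool:
    """D(PU, sig) == H(data): anyone holding the public key can check it."""
    e, n = pu
    return pow(sig, e, n) == h_int(data)

def issue_certificate(pr_auth, t: int, id_a: str, pu_a):
    """CA = (body, E(PR_auth, H(body))) with body = T || ID_A || PU_a."""
    body = f"{t}||{id_a}||{pu_a[0]}:{pu_a[1]}".encode()
    return body, sign(pr_auth, body)

def read_certificate(pu_auth, cert):
    """(T, ID_A, PU_a) if the authority's signature verifies, else None."""
    body, sig = cert
    if not verify(pu_auth, body, sig):
        return None
    t, ident, key = body.decode().split("||")
    e, n = key.split(":")
    return int(t), ident, (int(e), int(n))

if __name__ == "__main__":
    pu_auth, pr_auth = rsa_keygen()
    pu_a, _pr_a = rsa_keygen()
    cert = issue_certificate(pr_auth, 1700000000, "A", pu_a)
    print(read_certificate(pu_auth, cert))
    forged = (cert[0].replace(b"||A||", b"||M||"), cert[1])  # change the owner name
    print(read_certificate(pu_auth, forged))                  # None: signature no longer matches
```

Changing a single field of the body breaks the signature check, and a certificate signed with any key other than PRauth is rejected the same way; that is requirement 3 in action.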
Distribution of Secret Keys Using Public-Key Cryptography
use previous methods to obtain public-key
Simple Secret Key Distribution
1. A generates a public/private key pair {PUa, PRa} and transmits a message to B
consisting of PUa and an identifier of A, IDA.
2. B generates a secret key, Ks, and transmits it to A, encrypted with A's public key.
3. A computes D(PRa, E(PUa, Ks)) to recover the secret key. Because only A can decrypt the message, only A and B will know the identity of Ks.
A and B can now securely communicate using conventional encryption and the session key Ks. At the completion of the exchange, both A and B discard Ks.
This resists passive eavesdropping only: because neither party is authenticated, an active attacker who intercepts message 1 and substitutes his own public key (a man-in-the-middle) obtains Ks without A or B noticing.
Secret Key Distribution with Confidentiality and Authentication
provides protection against both active and passive attacks; assumes A and B have already exchanged public keys by one of the methods above.
1. A uses B's public key to encrypt a message to B containing an identifier of A (IDA) and a nonce (N1), which is used to identify this transaction uniquely.
2. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new nonce generated by B (N2). The presence of N1 in the message assures A that the correspondent is B.
3. A returns N2, encrypted using B's public key, to assure B that its correspondent is A.
4. A selects a secret key Ks and sends M = E(PUb, E(PRa, Ks)) to B. Encryption of this message with B's public key ensures that only B can read it; encryption with A's private key ensures that only A could have sent it.
5. B computes D(PUa, D(PRb, M)) to recover the secret key.
Hybrid Key Distribution
retain use of KDC
shares secret master key with each user
distributes secret session key encrypted using master key
public-key used to distribute master keys
rationale
performance
backward compatibility
Diffie-Hellman Key Exchange
first public-key algorithm, published by Diffie & Hellman in 1976
is a practical method for public exchange of a secret key
used in a number of commercial products
Primitive root
Let p be a prime. Then b is a primitive root for p if the powers of b: 1, b, b^2, b^3, ... include all of the residue classes mod p (except 0).
Examples: If p = 7,
then 3 is a primitive root for p because the powers of 3 are 1, 3, 2, 6, 4, 5, that is, every number mod 7 occurs except 0.
But 2 isn't a primitive root because the powers of 2 are 1, 2, 4, 1, 2, 4, 1, 2, 4, ... missing several values.
Algorithm
global public elements: a prime q and α, a primitive root of q
user A selects a private key xA < q and computes the public key yA = α^xA mod q
user B selects a private key xB < q and computes the public key yB = α^xB mod q
A and B exchange yA and yB over the open channel
A computes K = yB^xA mod q; B computes K = yA^xB mod q; both equal α^(xA·xB) mod q
an eavesdropper sees q, α, yA and yB and must solve a discrete logarithm to recover xA or xB
Diffie-Hellman Example
users Alice & Bob who wish to swap keys:
agree on prime q = 353 and α = 3
select random secret keys:
A chooses xA = 97, B chooses xB = 233
compute respective public keys:
yA = 3^97 mod 353 = 40 (Alice)
yB = 3^233 mod 353 = 248 (Bob)
compute shared session key as:
KAB = yB^xA mod 353 = 248^97 mod 353 = 160 (Alice)
KAB = yA^xB mod 353 = 40^233 mod 353 = 160 (Bob)
Key Exchange Protocols
users could create random private/public D-H keys each time they communicate
users could create a known private/public D-H key and publish it in a directory, which is then consulted and used to securely communicate with them
both of these are vulnerable to a man-in-the-middle attack: an attacker who intercepts the exchange substitutes his own public value toward each side and ends up sharing one key with Alice and another with Bob, relaying and reading everything between them
authentication of the keys is needed
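The primitive-root test, the q = 353 / α = 3 example and the man-in-the-middle attack above, run in one place as an added example (not from the slides). The parameters 353, 3, 97 and 233 are the slide's; Mallory's exponent and the function names are constructed here. The primitive-root check uses the standard order test (b is a primitive root iff b^((p-1)/r) ≠ 1 mod p for every prime r dividing p-1), which is equivalent to the slide's "powers of b hit every nonzero residue" but also works for large p.

```python
"""Diffie-Hellman over Z_p: primitive-root check, the slide's worked example,
and the man-in-the-middle attack on the unauthenticated exchange."""

def prime_factors(n: int) -> set:
    """Distinct prime factors by trial division (fine for the small moduli here)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors

def is_primitive_root(b: int, p: int) -> bool:
    """b generates all of Z_p^* iff no proper divisor of p-1 is its order."""
    if b % p == 0:
        return False
    return all(pow(b, (p - 1) // r, p) != 1 for r in prime_factors(p - 1))

def powers_mod(b: int, p: int) -> list:
    """1, b, b^2, ... mod p until the cycle closes (the slide's listing for p = 7)."""
    seq, x = [], 1
    while True:
        seq.append(x)
        x = (x * b) % p
        if x == 1:
            return seq

def dh_public(alpha: int, x: int, q: int) -> int:
    return pow(alpha, x, q)           # y = alpha^x mod q

def dh_shared(y_other: int, x_own: int, q: int) -> int:
    return pow(y_other, x_own, q)     # K = y_other^x_own mod q

def honest_exchange(q=353, alpha=3, x_a=97, x_b=233):
    """Returns (yA, yB, K as computed by Alice, K as computed by Bob)."""
    y_a, y_b = dh_public(alpha, x_a, q), dh_public(alpha, x_b, q)
    return y_a, y_b, dh_shared(y_b, x_a, q), dh_shared(y_a, x_b, q)

def mitm_exchange(q=353, alpha=3, x_a=97, x_b=233, x_m=5):
    """Mallory (constructed attacker, exponent x_m) replaces each party's public
    value with her own y_m.  Alice and Bob each 'agree' on a key, but with Mallory,
    and nothing in the unauthenticated protocol lets them notice."""
    y_a, y_b = dh_public(alpha, x_a, q), dh_public(alpha, x_b, q)
    y_m = dh_public(alpha, x_m, q)
    k_alice = dh_shared(y_m, x_a, q)      # what Alice believes is K_AB
    k_bob = dh_shared(y_m, x_b, q)        # what Bob believes is K_AB
    k_m_alice = dh_shared(y_a, x_m, q)    # Mallory's key toward Alice
    k_m_bob = dh_shared(y_b, x_m, q)      # Mallory's key toward Bob
    return k_alice, k_bob, k_m_alice, k_m_bob

if __name__ == "__main__":
    print(powers_mod(3, 7), is_primitive_root(3, 7))   # [1, 3, 2, 6, 4, 5] True
    print(powers_mod(2, 7), is_primitive_root(2, 7))   # [1, 2, 4] False
    print(is_primitive_root(3, 353))                   # True: the slide's alpha is valid
    print(honest_exchange())                           # (40, 248, 160, 160)
    print(mitm_exchange())                             # Alice's and Bob's keys differ
```

Because 3 is a primitive root of 353, Alice's and Bob's keys in the attacked run are equal only if 5·97 ≡ 5·233 (mod 352), which they are not; Mallory, however, holds exactly the key each of them computed.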
Elliptic Curve Cryptography
majority of public-key crypto (RSA, D-H) use either integer or polynomial
arithmetic with very large numbers/polynomials
imposes a significant load in storing and processing keys and messages
an alternative is to use elliptic curves
offers same security with smaller bit sizes
Elliptic Curves
an elliptic curve is defined by an equation in two variables x & y, with coefficients
consider a cubic elliptic curve of the form
y^2 = x^3 + ax + b
where x, y, a, b are all real numbers, with 4a^3 + 27b^2 ≠ 0 so that the curve has no repeated roots
consider the set of points E(a, b) that satisfy the equation, together with a point at infinity O that serves as the zero of the addition
define an addition operation on the curve:
geometrically, the line through P and Q meets the curve at a third point R, and the sum P + Q is the reflection of R in the x-axis (for P = Q, use the tangent at P)
Consider the elliptic curve
E: y^2 = x^3 - x + 1
If P1 and P2 are on E, we can define
P3 = P1 + P2, which is again a point of E
Finite Elliptic Curves
Elliptic curve cryptography uses curves whose variables & coefficients are finite
have two families commonly used:
prime curves Ep(a, b) defined over Zp
use integers modulo a prime
best in software
binary curves E2^m(a, b) defined over GF(2^m)
use polynomials with binary coefficients
best in hardware
Elliptic Curve Cryptography
Elliptic curve cryptography [ECC] is a public-key cryptosystem
Elliptic curves are used as an extension to other current cryptosystems.
Elliptic Curve Diffie-Hellman Key Exchange
Elliptic Curve Digital Signature Algorithm
The central part of any cryptosystem involving elliptic curves is the elliptic group.
Generic Procedures of ECC
Both parties agree to some publicly-known data items
The elliptic curve equation
values of a and b
the prime q (the field is Zq)
The elliptic group computed from the elliptic curve equation, Eq(a, b)
A base point G taken from the elliptic group, of large prime order n (n·G = O)
Similar to the generator used in current cryptosystems
Each user generates their public/private key pair
Private Key = an integer d selected from the interval [1, n-1], where n is the order of G (not the field prime q)
Public Key = the scalar multiple of the base point, Q = d·G, itself a point on the curve
recovering d from Q and G is the elliptic curve discrete logarithm problem
ECC Diffie-Hellman
A selects a private nA < n and sends PA = nA·G to B
B selects a private nB < n and sends PB = nB·G to A
A computes K = nA·PB, B computes K = nB·PA; both equal nA·nB·G
the x-coordinate of K is normally taken as the shared secret
as with ordinary D-H, the exchange is unauthenticated: the public points PA and PB must be authenticated to stop a man-in-the-middle
Applications of ECC
Many devices are small and have limited storage and computational power
Where can we apply ECC?
Wireless communication devices
Smart cards
Web servers that need to handle many encryption sessions
Any application where security is needed but lacks the power, storage and computational power that is necessary for our current cryptosystems
Message Authentication
message authentication is concerned with:
protecting the integrity of a message
validating identity of originator
non-repudiation of origin (dispute resolution)
will consider the security requirements
then three alternative functions used:
message encryption
message authentication code (MAC)
hash function
Message Encryption
message encryption by itself also provides a measure of authentication
Symmetric Encryption: only the holder of the shared key could have produced ciphertext that decrypts to meaningful plaintext, so the receiver gets authentication (but needs a way to recognise meaningful plaintext, e.g. an error-detecting code)
Public Key encryption: encrypting with the receiver's public key gives confidentiality but no authentication (anyone can encrypt); for authentication the sender encrypts with his private key, and both together give both
Message Authentication Code (MAC)
generated by an algorithm that creates a small fixed-sized block
depending on both the message and a secret key
appended to the message; it plays a role like a signature, but because both parties share K it does not provide non-repudiation
receiver performs the same computation on the message and checks that the result matches the MAC
provides assurance that the message is unaltered and comes from the sender
MAC = C(K, M), where M = input message, C = MAC function and K = shared secret key
Requirements for MACs
1. knowing a message and its MAC, it is infeasible to find another message with the same MAC
2. MACs should be uniformly distributed
3. the MAC should depend equally on all bits of the message
Using Symmetric Ciphers for MACs
can use any block cipher chaining mode and use the final block as a MAC
Data Authentication Algorithm (DAA) is a formerly widely used MAC based on DES
using IV = 0
encrypt the message using DES in CBC mode
and send just the final block as the MAC, or the leftmost M bits (16 ≤ M ≤ 64) of the final block
but the final MAC is now too small for security, and plain CBC-MAC is only safe for fixed-length messages (the problem CMAC addresses)
Hash Functions
A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value
h = H(M)
hash used to detect changes to message
The hash code is a function of all the bits of the message and provides an error-detection capability: a change to any bit or bits in the message results in a change to the hash code.
three desirable properties:
1. One-way: For any given code h, it is computationally infeasible to find x such that H(x)=h.
2. Weak collision resistance: For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x).
3. Strong collision resistance: It is computationally infeasible to find any pair (x, y) such that H(x) = H(y).
Requirements for Hash Functions
1. can be applied to any sized message M
2. produces fixed-length output h
3. is easy to compute h = H(M) for any message M
4. given h, it is infeasible to find x such that H(x) = h (one-way)
5. given x, it is infeasible to find y ≠ x such that H(y) = H(x) (weak collision resistance)
6. it is infeasible to find any pair x, y such that H(y) = H(x) (strong collision resistance)
Simple Hash Functions
based on XOR of message blocks
Ci = bi1 XOR bi2 ...XOR bim
where
Ci = ith bit of the hash code, 1 ≤ i ≤ n
m = number of n-bit blocks in the input
bij = ith bit in jth block
Hash Functions & MAC Security
brute-force attacks
Hash function: the strength of a hash function against brute-force attacks depends solely on the length n of the hash code produced by the algorithm: about 2^n work for a preimage or second preimage, about 2^(n/2) for a collision (birthday attack)
MAC: the attacker needs known message-MAC pairs and can either try all 2^k keys or guess the n-bit tag directly, so the effort is about min(2^k, 2^n)
cryptanalytic attacks exploit structure
like block ciphers, want brute-force attacks to be the best alternative
more variety of MACs, so harder to generalize about cryptanalysis
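Two of the points above made concrete in one added example (not from the slides): the simple XOR-of-blocks hash from the previous slide is trivially not collision resistant, since XOR is commutative and any reordering of blocks gives the same code; and for any hash, brute-force cost is set by the code length, with a collision costing about 2^(n/2) trials (birthday bound) against about 2^n for a preimage. SHA-256 truncated to 32 bits stands in for a short hash code; the block size, sample messages and trial budgets are constructed here.

```python
"""XOR-of-blocks hash weakness, and birthday-bound collisions versus preimage
search on a short hash code.  Added example."""
import hashlib
import os

def xor_hash(msg: bytes, n_bytes: int = 4) -> bytes:
    """C_i = b_i1 XOR b_i2 XOR ... XOR b_im over n-bit blocks (last block zero-padded)."""
    code = bytearray(n_bytes)
    for off in range(0, len(msg), n_bytes):
        block = msg[off:off + n_bytes].ljust(n_bytes, b"\x00")
        for i, byte in enumerate(block):
            code[i] ^= byte
    return bytes(code)

def swap_blocks(msg: bytes, n_bytes: int, i: int, j: int) -> bytes:
    """A different message with the same block multiset, hence the same XOR hash."""
    blocks = [msg[k:k + n_bytes] for k in range(0, len(msg), n_bytes)]
    blocks[i], blocks[j] = blocks[j], blocks[i]
    return b"".join(blocks)

def short_hash(msg: bytes, bits: int) -> int:
    """SHA-256 truncated to `bits` bits: stands in for an n-bit hash code."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)

def birthday_collision(bits: int, max_trials: int = 1 << 22):
    """Random inputs until two distinct ones share a code.  Expected trials are
    about 1.25 * 2^(bits/2).  Returns (x, y, trials) or None."""
    seen = {}
    for trials in range(1, max_trials + 1):
        x = os.urandom(16)
        h = short_hash(x, bits)
        if h in seen and seen[h] != x:
            return seen[h], x, trials
        seen[h] = x
    return None

def preimage_search(bits: int, target: int, max_trials: int):
    """Hit a given code: expected trials about 2^bits, so a budget far below that
    almost always fails.  Returns the preimage found or None."""
    for trials in range(1, max_trials + 1):
        x = trials.to_bytes(8, "big")
        if short_hash(x, bits) == target:
            return x
    return None

if __name__ == "__main__":
    m = b"ABCDEFGHIJKL"                                    # constructed 3-block message
    print(xor_hash(m), xor_hash(swap_blocks(m, 4, 0, 1)))  # identical codes
    x, y, n = birthday_collision(32)
    print(f"32-bit collision after {n} trials (2^16 = 65536 expected scale)")
    print(preimage_search(32, short_hash(b"target", 32), 1 << 14))  # None within budget
```

The same 2^14 budget that reliably fails the preimage search is several times what the collision search needs; scaling the code to 160 or 256 bits moves both numbers out of reach, which is exactly why the code length matters.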
Hash and MAC Algorithms
Secure Hash Algorithm
SHA originally designed by NIST in 1993 (FIPS 180)
was revised in 1995 as SHA-1, which produces 160-bit hash values
the 2002 revision (FIPS 180-2) added three additional versions of SHA:
SHA-256, SHA-384, SHA-512
designed for compatibility with the increased security provided by the AES cipher
structure & detail are similar to SHA-1
but security levels are rather higher (SHA-1 itself is no longer considered collision resistant)
SHA-512 Overview
takes as input a message with a maximum length of less than 2^128 bits and produces as output a 512-bit message digest.
The input is processed in 1024-bit blocks.
Step 1: Append padding bits and length
Padding is done by appending to the input
a single 1 bit
enough 0 bits so that the length is congruent to 896 modulo 1024
the message length as an unsigned 128-bit integer, so the padded message is an exact multiple of 1024 bits
Step 2: Initialize hash buffer
a 512-bit buffer is used to hold intermediate and final results of the hash function.
The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h).
These registers are initialized to 64-bit integers taken from the first 64 bits of the fractional parts of the square roots of the first eight primes.
Step 3: Process the message in 1024-bit blocks
this forms the heart of the algorithm
this module is labeled F
consists of 80 rounds updating the 512-bit buffer; the output of each block's processing is added word by word (mod 2^64) to the buffer value that went in
Step 4: Output the final state value as the resulting hash
After all N 1024-bit blocks have been processed, the output from the Nth stage is
the 512-bit message digest.
Whirlpool
is an iterated cryptographic hash function that uses a dedicated AES-like symmetric-key block cipher, W, in place of the compression function (the Miyaguchi-Preneel construction), producing a 512-bit digest.
The processing consists of the following steps:
Step 1: Append padding bits and length
Step 2: Initialize hash matrix
Step 3: Process message in 512-bit (64-byte) blocks, using as its core, the block
cipher W.
Whirlpool Block Cipher W
designed specifically for hash function use, with the security and efficiency of AES
but with a 512-bit block size (an 8×8 matrix of bytes) and hence able to generate a 512-bit hash
similar structure & functions as AES
but
input is mapped row-wise
has 10 rounds
uses a different S-box design & values
round functions of W (one round): SubBytes, ShiftColumns, MixRows, AddRoundKey
Performance & Security
Whirlpool is a relatively new proposal (2000)
hence little experience with its use
but many AES findings should apply
does seem to need more hardware than SHA, but with better resulting performance
HMAC
Hash-based Message Authentication Code
Design Objectives
use, without modification, available hash functions
allow for easy replaceability of the embedded hash function in case faster or more secure functions are found
preserve the original performance of the hash function without significant degradation
use and handle keys in a simple way
have a well understood cryptographic analysis of the strength of the authentication mechanism
any hash function can be used
e.g. SHA-1, SHA-512, Whirlpool
Algorithm
b = number of bits in a block of the embedded hash function
K+ is K padded with zeros so that the result is b bits in length (RFC 2104 appends the zeros after K; a key longer than b bits is first hashed down to n bits)
ipad is the byte 36 hex repeated to fill a block
opad is the byte 5C hex repeated to fill a block
M is the message input
Yi = ith block of M
H = embedded hash function
L = number of blocks in M
n = length of hash code produced by the embedded hash function
Then HMAC can be represented as:
HMAC_K(M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]]
1. Append zeros to K to create a b-bit string K+ (e.g. a 160-bit key padded to b = 512 bits).
2. XOR (bitwise exclusive-OR) K+ with ipad to produce the b-bit block Si.
3. Append M to Si.
4. Apply H to the stream generated in step 3.
5. XOR K+ with opad to produce the b-bit block So.
6. Append the hash result from step 4 to So.
7. Apply H to the stream generated in step 6 and output the result.
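The seven steps above carried out literally and checked against Python's `hmac` module, as an added example (not from the slides). SHA-256 (b = 512 bits, n = 256 bits) and SHA-512 (b = 1024 bits) are the embedded hashes; the sample key and message are constructed here. The check against the standard library is what confirms the padding direction and the long-key rule.

```python
"""HMAC from its definition, verified against the standard library.  Added example."""
import hashlib
import hmac

def hmac_from_definition(key: bytes, msg: bytes, H=hashlib.sha256) -> bytes:
    b = H().block_size                      # b in bytes: 64 for SHA-256, 128 for SHA-512
    if len(key) > b:                        # RFC 2104: a key longer than b is hashed to n bits first
        key = H(key).digest()
    k_plus = key.ljust(b, b"\x00")          # step 1: K+ = K followed by zeros, b bits long
    s_i = bytes(k ^ 0x36 for k in k_plus)   # step 2: Si = K+ XOR ipad
    inner = H(s_i + msg).digest()           # steps 3-4: H[Si || M]
    s_o = bytes(k ^ 0x5C for k in k_plus)   # step 5: So = K+ XOR opad
    return H(s_o + inner).digest()          # steps 6-7: H[So || inner]

def matches_stdlib(key: bytes, msg: bytes, algo: str = "sha256") -> bool:
    """True if the step-by-step value equals hmac.new(...) for the same inputs."""
    H = getattr(hashlib, algo)
    return hmac_from_definition(key, msg, H) == hmac.new(key, msg, H).digest()

def verify_tag(key: bytes, msg: bytes, tag: bytes, H=hashlib.sha256) -> bool:
    """Receiver side: recompute and compare in constant time (no early-exit leak)."""
    return hmac.compare_digest(hmac_from_definition(key, msg, H), tag)

if __name__ == "__main__":
    key, msg = b"\x0b" * 20, b"Hi There"   # constructed sample inputs
    tag = hmac_from_definition(key, msg)
    print(tag.hex(), matches_stdlib(key, msg))
    print(verify_tag(key, msg + b"!", tag))   # False: message altered after tagging
```

Note the receiver compares tags with `hmac.compare_digest` rather than `==`; a byte-by-byte early-exit comparison leaks how many leading bytes of a forged tag were right.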
HMAC Security
the proven security of HMAC relates to that of the underlying hash algorithm
attacking HMAC requires either:
a brute-force attack on the key used
a birthday attack on the embedded hash, which needs about 2^(n/2) message-MAC pairs observed under the same key (impractical for n ≥ 160)
choose the hash function used based on speed versus security constraints
CMAC
Cipher-based Message Authentication Code (CMAC), NIST SP 800-38B.
mode of operation for use with AES and triple DES.
subkeys: L = E(K, 0^b); K1 = L·x and K2 = L·x^2, multiplication in GF(2^b) (a one-bit left shift, XORing a fixed constant if the bit shifted out was 1)
the operation of CMAC when the message is an integer multiple n of the cipher block length b:
C1 = E(K, M1)
C2 = E(K, [M2 XOR C1])
...
Cn = E(K, [Mn XOR Cn-1 XOR K1])
T = MSB_Tlen(Cn)
If the message is not an integer multiple of the cipher block length, then the final block is padded to the right (least significant bits) with a 1 and as many 0s as necessary so that the final block is also of length b. The CMAC operation then proceeds as before, except that the different b-bit key K2 is used instead of K1.
where
T = message authentication code, also referred to as the tag
Tlen = bit length of T
MSBs(X) = the s leftmost bits of the bit string X
Digital Signatures & Authentication Protocols
Digital Signature
digital signatures provide the ability to:
verify author, date & time of signature
authenticate message contents
be verified by third parties to resolve disputes
hence include authentication function with additional capabilities
Digital Signature Properties
must depend on the message signed
must use information unique to the sender, to prevent both forgery and denial
must be relatively easy to produce
must be relatively easy to recognize & verify
must be computationally infeasible to forge
either by constructing a new message for an existing digital signature
or by constructing a fraudulent digital signature for a given message
must be practical to retain a copy of the digital signature in storage
Two approaches: direct and arbitrated.
Direct Digital Signatures
involve only sender & receiver
assumed receiver has sender's public key
digital signature made by sender signing the entire message or its hash with the private key
can then encrypt using the receiver's public key
important to sign first, then encrypt message & signature, so that the signature over the plaintext can be kept and shown to a third party in a dispute
security depends on the sender's private key: if it is lost or stolen (or claimed to be), signatures can be forged or repudiated
Arbitrated Digital Signatures
involves use of arbiter A
validates any signed message
then dated and sent to recipient
requires suitable level of trust in arbiter
can be implemented with either private or public-key algorithms
arbiter may or may not see message
Digital Signature Standard (DSS)
DSS (FIPS 186) is the NIST standard; it uses the SHA hash algorithm, and its original algorithm, DSA, is a signature-only technique that cannot be used for encryption or key exchange
later revisions of the standard include alternative RSA & elliptic curve (ECDSA) signature variants
Two Approaches to Digital Signatures
I. RSA approach: the sender encrypts the message hash with the private key; the receiver decrypts with the public key and compares with a freshly computed hash
II. DSS approach: a randomized signature (r, s) computed with a fresh per-message secret k; verification recomputes a value from s, the hash and the public key and checks it against r
Digital Signature Algorithm (DSA)
creates a 320-bit signature (two 160-bit values, r and s) in the original version, which uses a 160-bit q
DSS Overview
global public parameters: primes p and q with q dividing p-1, and g = h^((p-1)/q) mod p for some h with g > 1
user's private key: x, 0 < x < q; public key: y = g^x mod p
signing message M with a fresh per-message secret k, 0 < k < q:
r = (g^k mod p) mod q
s = [k^-1 (H(M) + x·r)] mod q
signature = (r, s)
verifying (r, s) on M with public key y:
w = s^-1 mod q
u1 = [H(M)·w] mod q
u2 = (r·w) mod q
v = [(g^u1 · y^u2) mod p] mod q
accept iff v = r
k must be unpredictable and never reused: two signatures made with the same k reveal the private key x
Authentication Protocols
used to convince parties of each others identity and to exchange session keys
may be one-way or mutual
key issues are
confidentiality – to protect session keys
timeliness – to prevent replay attacks
Mutual authentication
enable communicating parties to satisfy themselves mutually about each other's
identity and to exchange session keys.
Replay Attacks
where a valid signed message is copied and later resent
countermeasures include
use of sequence numbers
timestamps
challenge/response
Using Symmetric Encryption
use a two-level hierarchy of keys
usually with a trusted Key Distribution Center (KDC)
each party shares own master key with KDC
KDC generates session keys used for connections between parties
master keys used to distribute these to them
Needham-Schroeder Protocol
used to securely distribute a new session key for communications between A & B
key distribution protocol for a session between A and B mediated by the KDC
protocol overview is:
1. A -> KDC: IDA || IDB || N1
2. KDC -> A: EKa[Ks || IDB || N1 || EKb[Ks || IDA]]
3. A -> B: EKb[Ks || IDA]
4. B -> A: EKs[N2]
5. A -> B: EKs[f(N2)]
Ka and Kb: master keys that A and B each share with the KDC
Ks: session key
N1, N2: nonces; N1 lets A match the KDC's reply to its request (and detect a replayed reply), and the challenge/response in steps 4-5 lets B confirm that its correspondent holds Ks
known weakness: message 3 carries no freshness indication, so an attacker who has recovered an old Ks can replay it and answer B's challenge; Denning's variant adds a timestamp to fix this
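The five-message exchange run end to end, as an added example (not from the slides). A, B and the KDC are plain functions; the symmetric cipher is a toy authenticated construction built from hashlib/hmac (SHA-256 keystream XOR plus an HMAC tag) so the block runs on a bare interpreter, and it only stands in for the E_K[...] boxes, it is not a real cipher. JSON field encoding, f(N) = N + 1 and the key and nonce sizes are constructed here. The point to watch is the two checks: A rejects a KDC reply whose N1 or IDB does not match, and B only accepts a peer that can decrypt its challenge and return f(N2).

```python
"""Needham-Schroeder key distribution with a KDC, end to end.  Added example."""
import hashlib
import hmac
import json
import os

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def toy_encrypt(key: bytes, fields: dict) -> bytes:
    """E_K[fields] -> nonce || ciphertext || tag.  Toy construction, demo only."""
    pt = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def toy_decrypt(key: bytes, blob: bytes) -> dict:
    """Rejects anything not produced under `key` (wrong key or tampering)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("integrity check failed")
    pt = bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)

def new_nonce() -> int:
    return int.from_bytes(os.urandom(8), "big")

def demo_master_keys() -> dict:
    """Ka and Kb: the master keys A and B each share with the KDC (constructed)."""
    return {"A": os.urandom(32), "B": os.urandom(32)}

def kdc_respond(master: dict, id_a: str, id_b: str, n1: int) -> bytes:
    """Step 2: KDC -> A: E_Ka[Ks || IDB || N1 || E_Kb[Ks || IDA]]."""
    ks = os.urandom(32)
    ticket = toy_encrypt(master[id_b], {"Ks": ks.hex(), "IDA": id_a})
    return toy_encrypt(master[id_a], {"Ks": ks.hex(), "IDB": id_b, "N1": n1,
                                      "ticket": ticket.hex()})

def run_needham_schroeder(master: dict, id_a: str = "A", id_b: str = "B") -> bool:
    """True when B has satisfied itself that its correspondent holds Ks."""
    # Step 1: A -> KDC: IDA || IDB || N1   (N1 ties the reply to this request)
    n1 = new_nonce()
    reply = toy_decrypt(master[id_a], kdc_respond(master, id_a, id_b, n1))
    # A's checks: the reply is fresh (N1) and the key is for the intended peer (IDB)
    if reply["N1"] != n1 or reply["IDB"] != id_b:
        raise ValueError("KDC reply is stale or for the wrong peer")
    ks_a = bytes.fromhex(reply["Ks"])
    # Step 3: A -> B: E_Kb[Ks || IDA]   (A forwards the ticket it cannot read)
    ticket = bytes.fromhex(reply["ticket"])
    ks_b = bytes.fromhex(toy_decrypt(master[id_b], ticket)["Ks"])
    # Step 4: B -> A: E_Ks[N2]   (B challenges the claimed holder of Ks)
    n2 = new_nonce()
    challenge = toy_encrypt(ks_b, {"N2": n2})
    # Step 5: A -> B: E_Ks[f(N2)] with f(N) = N + 1
    response = toy_encrypt(ks_a, {"fN2": toy_decrypt(ks_a, challenge)["N2"] + 1})
    return toy_decrypt(ks_b, response)["fN2"] == n2 + 1

def impostor_answers_challenge() -> bool:
    """A party without Ks cannot even read B's challenge, let alone answer it."""
    challenge = toy_encrypt(os.urandom(32), {"N2": new_nonce()})
    try:
        toy_decrypt(os.urandom(32), challenge)   # impostor guesses a key
    except ValueError:
        return False
    return True

if __name__ == "__main__":
    keys = demo_master_keys()
    print("B authenticated its peer:", run_needham_schroeder(keys))
    print("impostor answered challenge:", impostor_answers_challenge())
```

Because the ticket in step 3 is encrypted under Kb, A can forward it but neither read nor alter it; that is what lets B trust that the KDC, not A, chose to bind Ks to IDA.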
Using Public-Key Encryption
have a range of approaches based on the use of public-key encryption
need to ensure have correct public keys for other parties
using a central Authentication Server (AS)
various protocols exist using timestamps or nonces
Denning AS Protocol
1. A -> AS: IDA || IDB
2. AS -> A: EPRas[IDA||PUa||T] || EPRas[IDB||PUb||T]
3. A -> B: EPRas[IDA||PUa||T] || EPRas[IDB||PUb||T] || EPUb[EPRa[Ks||T]]
the AS issues certificates for both public keys; A chooses the session key Ks, signs it with its own private key (EPRa) and encrypts the result for B (EPUb), so only B can read it and B knows it came from A
timestamps prevent replay but require synchronized clocks
One-Way Authentication
required when sender & receiver are not in communications at same time (eg.
email)
have header in clear so can be delivered by email system
may want contents of body protected & sender authenticated
Using Symmetric Encryption
because the recipient may not be online, A cannot first run a handshake with B; instead A obtains a session key and a ticket for B from the KDC and sends the ticket along with the encrypted message:
1. A -> KDC: IDA || IDB || N1
2. KDC -> A: EKa[Ks || IDB || N1 || EKb[Ks || IDA]]
3. A -> B: EKb[Ks || IDA] || EKs[M]
this guarantees that only the intended recipient can read M and gives some assurance that the sender is A, but without the step 4-5 handshake it does not protect against replay
Public-Key Approaches
have seen some public-key approaches
if confidentiality is major concern, can use:
A->B: EPUb[Ks] || EKs[M]
has encrypted session key, encrypted message
if authentication needed use a digital signature with a digital certificate:
A->B: M || EPRa[H(M)] || EPRas[T||IDA||PUa]
with message, signature, certificate