A. Steffen, 10.4.2000, KSy_Auth.ppt 1 Zürcher Hochschule Winterthur Kommunikationssysteme (KSy) - Block 9 Secure Network Communication Part III Authentication and Integrity Dr. Andreas Steffen 2000 Zürcher Hochschule Winterthur

Mar 28, 2015

Page 1: Secure Network Communication – Part III

Authentication and Integrity

Zürcher Hochschule Winterthur, Kommunikationssysteme (KSy) - Block 9

Dr. Andreas Steffen

2000 Zürcher Hochschule Winterthur

Page 2: Secure Network Communication – Part III

Integrity

Authentication

Certificates

Page 3: Integrity of Documents and Messages

Detection of corrupted documents and messages

  Detection of bit errors caused by unreliable transmission links or faulty storage media.

  Solution: Message Digest acting as a unique fingerprint for the document (similar function as CRC).

Protection against unauthorized modification

  Without protection a forger could create both an alternative document and its corresponding correct message digest.

  Symmetric Key Solution: Message Authentication Code (MAC) formed by using a keyed message digest function.

  Asymmetric Key Solution: Digital Signature formed by encrypting the message digest with the document author's private key.

Page 4: Message Digests based on One-Way Hash Functions

A single bit change in a document should cause about 50% of the bits in the digest to change their value!

[Figure: a Document or message of arbitrary size is fed to a Hash Function (One-Way Function), producing a Message Digest of fixed size. The figure is shown twice, with one bit of the document changed and two different digests as the result.]

Page 5: Popular Hash Functions

MD5 - Message Digest #5, Ron Rivest, RSA

SHA - Secure Hash Algorithm, NIST / NSA

[Figure: a Document or Message is fed to the MD5 Hash Function, giving a Message Digest (or Hash or Fingerprint) of 128 bits, and to SHA, giving 160 bits.]

Page 6: Basic Structure of the MD5 / SHA One-Way Hash Functions

[Figure: the Document, followed by Pad and L, fills N x 512 bits and is split into Block 1, Block 2, ... Block N of 512 bits each. Starting from the IV, each block passes through the MD5/SHA Hash Function together with the Hash of the previous stage; the output after Block N is the final Hash.]

IV: 128/160 bit Initialization Vector

Hash: 128/160 bit Hash Value

Pad: Padding

L: 64 bit Document Length

Page 7: Message Authentication Codes based on Keyed One-Way Hash Functions

[Figure: the Author feeds the document and the Key to a Keyed Hash Function to obtain the MAC. Document and MAC pass over the Transmission Channel. The Recipient feeds the received document and the Key to the Keyed Hash Function and compares the result with the received MAC: Genuine if equal.]

Page 8: Basic Structure of a Keyed One-Way Hash Function (RFC 2104)

[Figure: the Key is extended with Pad to 512 bits. XOR with 0x36..0x36 gives the Inner Key (512 bits); XOR with 0x5C..0x5C gives the Outer Key (512 bits). The Inner Key followed by the Document passes through the MD5 / SHA Hash Function to give a Hash; the Outer Key followed by that Hash passes through the MD5 / SHA Hash Function again to give the final Hash, which is the MAC, optionally after Truncate to 96 bits. Labels: Key Length, Hash Length.]
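The keyed hash construction on this slide, written out step by step and checked against Python's standard `hmac` module. This is an added example, not part of the original slides; the key, the document text and the function names are constructed for illustration.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # MD5 and SHA-1 both process 512-bit blocks


def keyed_hash(hash_name: str, key: bytes, document: bytes) -> bytes:
    """RFC 2104 keyed hash, built from the plain hash function."""
    # Keys longer than one block are hashed first (RFC 2104, section 2).
    if len(key) > BLOCK_SIZE:
        key = hashlib.new(hash_name, key).digest()
    # Pad the key with zero bytes to the full 512 bits.
    padded = key.ljust(BLOCK_SIZE, b"\x00")
    inner_key = bytes(b ^ 0x36 for b in padded)
    outer_key = bytes(b ^ 0x5C for b in padded)
    # Inner pass over the document, outer pass over the inner hash.
    inner_hash = hashlib.new(hash_name, inner_key + document).digest()
    return hashlib.new(hash_name, outer_key + inner_hash).digest()


def make_mac(hash_name, key, document, mac_bits=96):
    """Author side: keep the leftmost mac_bits of the keyed hash."""
    return keyed_hash(hash_name, key, document)[: mac_bits // 8]


def is_genuine(hash_name, key, document, received_mac, mac_bits=96):
    """Recipient side: recompute the MAC and compare in constant time."""
    expected = make_mac(hash_name, key, document, mac_bits)
    return hmac.compare_digest(expected, received_mac)


# Constructed sample input (not from the slides' figures).
KEY = b"constructed-shared-key"
DOC = b"Pay 100 $ to the bearer"

if __name__ == "__main__":
    mac = make_mac("sha1", KEY, DOC)
    print(mac.hex(), is_genuine("sha1", KEY, DOC, mac))
    print(is_genuine("sha1", KEY, b"Pay 100'000 $ to the bearer", mac))
```

The comparison uses `hmac.compare_digest` rather than `==` so that the time taken does not reveal how many leading bytes of a guessed MAC were correct.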

Page 9: Digital Signatures based on Public Key Cryptosystems

[Figure: the Author feeds the document to the Hash Function; the Hash Value becomes the Signature through Encryption with Private Key. Document and Signature pass over the Transmission Channel. The Recipient computes the Hash Value of the received document, applies Decryption with Public Key to the Signature to recover the Hash Value, and compares the two: Genuine if equal.]

Page 10: Forging Documents

On average $2^{m}$ trials are required to find a document having the same hash value as a given one!

[Figure: the Original Document "Pay 100 $ to the bearer, AQ - 1545323" is fed to the Hash Function, giving a Hash Value of m bits. The Forged Document "Pay 100'000 $ to the bearer, XX - XXXXXXX", where XX - XXXXXXX is Random Text, is fed to the Hash Function until it gives the same Hash Value.]

Page 11: The Birthday Paradox

What is the probability of another person having the same birthday as you?

Probability p = 1/365

How many people must be in a room so that the probability of at least one other person having the same birthday as you is greater than 0.5?

$\left(\frac{364}{365}\right)^{n} < 0.5$, n = 253 people

How many people must be in a room so that the probability of at least two of them having the same birthday is greater than 0.5?

$\left(\frac{364}{365}\right)^{n(n-1)/2} < 0.5$, n = 23 people

Page 12: Birthday Attacks against Hash Functions

Looking for Collisions!

Only about $2^{m/2}$ trials are required to find two documents having the same hash value.

MD5 might be insecure!

[Figure: the Original Document "Pay 100 $ to the bearer, YY - YYYYYYY" and the Forged Document "Pay 100'000 $ to the bearer, XX - XXXXXXX" each contain Random Text. Both are fed to the Hash Function and varied until they give the same Hash Value of m bits.]
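The difference between the two searches on the "Forging Documents" and "Birthday Attacks" slides can be measured on a deliberately short digest. This is an added example, not part of the original slides: it truncates SHA-256 to m = 16 bits as a stand-in for an m-bit hash function, and the function names and the counter used as "random text" are assumptions made for illustration.

```python
import hashlib
import itertools

# Constructed inputs, using the document texts shown on the slides.
ORIGINAL = b"Pay 100 $ to the bearer AQ - 1545323"
GENUINE_TEXT = b"Pay 100 $ to the bearer"
FORGED_TEXT = b"Pay 100'000 $ to the bearer"


def digest_bits(message: bytes, m: int) -> int:
    """Leftmost m bits of SHA-256, standing in for an m-bit hash function."""
    full = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return full >> (256 - m)


def candidate(text: bytes, counter: int) -> bytes:
    """Document text followed by a varying 'random text' field."""
    return text + b" #" + str(counter).encode()


def find_second_preimage(original: bytes, text: bytes, m: int):
    """Vary one document until it matches the digest of a GIVEN document."""
    wanted = digest_bits(original, m)
    for trials in itertools.count(1):
        forged = candidate(text, trials)
        if digest_bits(forged, m) == wanted:
            return trials, forged


def find_collision(text_a: bytes, text_b: bytes, m: int):
    """Vary BOTH documents until any variant of A matches any variant of B."""
    seen_a, seen_b = {}, {}
    for i in itertools.count(1):
        a, b = candidate(text_a, i), candidate(text_b, i)
        da, db = digest_bits(a, m), digest_bits(b, m)
        seen_a[da], seen_b[db] = a, b
        if da in seen_b:
            return 2 * i, a, seen_b[da]
        if db in seen_a:
            return 2 * i, seen_a[db], b


if __name__ == "__main__":
    m = 16
    t1, _ = find_second_preimage(ORIGINAL, FORGED_TEXT, m)
    t2, _, _ = find_collision(GENUINE_TEXT, FORGED_TEXT, m)
    print(f"m={m}: matching a given digest took {t1} trials (2^m = {2**m})")
    print(f"m={m}: finding any colliding pair took {t2} trials (2^(m/2) = {2**(m//2)})")
```

For a digest that must resist collision search, the usable strength is therefore about half the digest length in bits, which is the reason for the slide's remark about the 128-bit MD5.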

Page 13: Secure Network Communication – Part III

Integrity

Authentication

Certificates

Page 14: Insecure Authentication based on Passwords

[Figure: the Remote User sends ID and Password to the Server. The Server's Password File holds ID, Salt and Hash for each user. The Server feeds the received Password together with the stored Salt to the Hash Function and compares the result with the stored Hash.]

Secret password transmitted over insecure channel.

Salt helps against dictionary attacks. UNIX uses 12 bits of salt, resulting in 4096 hashed password variants.

Page 15: Secure Authentication based on Challenge/Response Protocols

[Figure: User and Server are connected by an Insecure Channel. The Server sends the Challenge R_S, a random value (Nonce). The User feeds the Key and the values R_S, ID_U and R_U to a Keyed Hash Function to obtain the MAC and returns the Response ID_U, R_U, MAC. The Server feeds its copy of the Key and the same values to the Keyed Hash Function and compares the resulting MAC with the received one.]

No secrets are openly transmitted.

The random values R_S and R_U should never be repeated!
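Both sides of the challenge/response exchange on this slide, including what happens when a recorded response is sent again. This is an added example, not part of the original slides: the field order R_S, ID_U, R_U inside the MAC, the length-prefixed encoding, HMAC-SHA-1 as the keyed hash and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def response_mac(key, r_s, id_u, r_u):
    """MAC over R_S, ID_U, R_U; each field is length-prefixed (assumed encoding)."""
    data = b"".join(len(f).to_bytes(2, "big") + f for f in (r_s, id_u, r_u))
    return hmac.new(key, data, hashlib.sha1).digest()


class Server:
    def __init__(self, keys):
        self.keys = keys        # ID_U -> shared key
        self.pending = set()    # challenges issued and not yet used

    def challenge(self):
        r_s = secrets.token_bytes(16)   # fresh nonce R_S for every login
        self.pending.add(r_s)
        return r_s

    def verify(self, r_s, id_u, r_u, mac):
        if r_s not in self.pending:     # unknown or already used challenge
            return False
        self.pending.discard(r_s)       # one attempt per challenge
        key = self.keys.get(id_u)
        if key is None:
            return False
        return hmac.compare_digest(response_mac(key, r_s, id_u, r_u), mac)


def respond(id_u, key, r_s):
    """User side: pick a fresh R_U and answer the challenge."""
    r_u = secrets.token_bytes(16)
    return id_u, r_u, response_mac(key, r_s, id_u, r_u)


def demo():
    key = secrets.token_bytes(20)       # constructed shared key
    server = Server({b"alice": key})
    r_s = server.challenge()
    answer = respond(b"alice", key, r_s)
    genuine = server.verify(r_s, *answer)
    replayed = server.verify(r_s, *answer)      # recorded response sent again
    r_s2 = server.challenge()
    stale = server.verify(r_s2, *answer)        # old response to a new challenge
    r_s3 = server.challenge()
    wrong_key = server.verify(r_s3, *respond(b"alice", b"k" * 20, r_s3))
    return genuine, replayed, stale, wrong_key
```

Only the first verification succeeds: the replay fails because the challenge has been consumed, and the stale response fails because its MAC was computed over a different R_S.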

Page 16: Challenge/Response Protocol based on Digital Signatures

[Figure: User and Server are connected by an Insecure Channel. The Server sends the Challenge R_S, a random value (Nonce). The User computes a Hash (inputs labelled R_S, ID_U, R_U), forms Sig from it by Encryption with Private Key, and returns the Response ID_U, R_U, Sig. The Server applies Decryption with Public Key to Sig and compares the result with the Hash it computes itself.]

Page 17: Secure Network Communication – Part III

Integrity

Authentication

Certificates

Page 18: Trust Models I

PGP Web of Trust

[Figure: certificates of Alice, Bob, Carol and Dave, carrying the labels "Signed by Dave", "Signed by Bob", "Signed by Dave", "Signed by Carol", "Signed by Alice" and "Signed by Bob"; arrows labelled Trust and Certificate.]

Can Carol trust Alice?

Page 19: Trust Models II

Trust Hierarchy with Certification Authorities

[Figure: certificate hierarchy with the levels Root CA, Intermediate CA and Client Certificates. Certificates are shown for Verisign, Swisskey, Amazon, Alice, Bob and Carol, with the issuer labels Self Signed, Verisign, Swisskey and Amazon; arrow label: Trust.]

Page 20: General Structure of an X.509 Certificate

  version
  serialNumber
  signature*
  issuer
  validity
  subject
  subjectPublicKeyInfo
  issuerUniqueID OPTIONAL
  subjectUniqueID OPTIONAL
  extensions OPTIONAL

  signatureAlgorithm*

  signature

[Figure: the certificate fields pass through Hash Function* to give the Hash / Fingerprint, which becomes the signature through Encryption with Issuer's Private Key*.]

* specifies algorithm used to sign certificate, e.g. md5RSA

Page 21: General Structure of an X.509 Certificate

ASN.1 using Distinguished Encoding Rules (DER)

  TBSCertificate ::= SEQUENCE {
      version              [0] Version DEFAULT v1(0),
      serialNumber         CertificateSerialNumber,
      signature            AlgorithmIdentifier,
      issuer               Name,
      validity             Validity,
      subject              Name,
      subjectPublicKeyInfo SubjectPublicKeyInfo,
      issuerUniqueID       [1] UniqueIdentifier OPTIONAL,
      subjectUniqueID      [2] UniqueIdentifier OPTIONAL,
      extensions           [3] Extensions OPTIONAL
  }

  Certificate ::= SEQUENCE {
      tbsCertificate       TBSCertificate,
      signatureAlgorithm   AlgorithmIdentifier,
      signature            BIT STRING
  }

Page 22: X.509 Certificate Handling

Netscape 4.7 Browser

Netscape Menu: Communicator / Tools / Security Info

Page 23: X.509 Certificate Handling - Netscape

Certification Path

Page 24: X.509 Certificate Handling - Netscape

Encrypted and Signed E-Mail (S/MIME)

Page 25: X.509 Certificate Handling

Microsoft Internet Explorer 5.0

Explorer Menu: Tools / Internet Options

Page 26: X.509 Certificate Handling – Internet Explorer

Certification Path

Page 27: X.509 Certificate Structure

V1 Fields and V3 Extensions

Page 28: Public Key Infrastructure (PKI)

Certification Authority

  Governed by a Certificate Practice Statement (CPS)

  Issues and signs Client and Server Certificates

  Maintains a Certificate Revocation List (CRL)

  Offers LDAP / WWW based Directory Services

Private Key Management

  Secure Generation and/or Distribution of Private Keys

    Browser or Java Applet generated Keys

    Hardware generated Keys (Intel 810/820 Chipset, Smart Cards)

  Secure Storage of Private Keys

    Smart Cards, USB Modules, SIM Cards (Sonera)

  Key Recovery of lost private keys