Códigos y Criptografía Francisco Rodríguez Henríquez PKCS (Public-key cryptography standards)
Códigos y Criptografía Francisco Rodríguez Henríquez
PKCS (Public-key cryptographystandards)
Códigos y Criptografía Francisco Rodríguez Henríquez
Network Access Security Model
Códigos y Criptografía Francisco Rodríguez Henríquez
Security Levels
• Confidentiality
– Protection from disclosure to unauthorized persons• Integrity
– Maintaining data consistency• Authentication
– Assurance of identity of person or originator of data• Non-repudiation
– Originator of communications can't deny it later• Authorization
– Identity combined with an access policy grants the rights toperform some action
Códigos y Criptografía Francisco Rodríguez Henríquez
Security Building Blocks
• Encryption provides– confidentiality, can provide authentication and
integrity protection
• Checksums/hash algorithms provide– integrity protection, can provide authentication
• Digital signatures provide– authentication, integrity protection, and non-
repudiation
Códigos y Criptografía Francisco Rodríguez Henríquez
Keys
• Symetric Keys
– Both parties share the same secret key
– A major problem is securely distributing thekey
– DES - 56 bit key considered unsafe forfinancial purposes since 1998
– 3 DES uses three DES keys
Códigos y Criptografía Francisco Rodríguez Henríquez
Keys
• Public/Private keys
– One key is the mathematical inverse of theother
– Private keys are known only to the owner– Public key are stored in public servers,
usually in a X.509 certificate.– RSA (patent expires Sept 2000), Diffie-
Hellman, DSA
Códigos y Criptografía Francisco Rodríguez Henríquez
A Simplified Model of ConventionalEncryption
Códigos y Criptografía Francisco Rodríguez Henríquez
Public-Key Cryptography
Códigos y Criptografía Francisco Rodríguez Henríquez
Public-Key Cryptography
Códigos y Criptografía Francisco Rodríguez Henríquez
Message Digest• A message digest, also known as a one-way hash function, is a fixed
length computionally unique identifier corresponding to a set of data.That is, each unit of data (a file, a buffer, etc.) will map to a particularshort block, called a message digest. It is not random: digesting the sameunit of data with the same digest algorithm will always produce the sameshort block.
• A good message digest algorithm possesses the following qualities– The algorithm accepts any input data length.– The algorithm produces a fixed length output for any input data.
– The digest does not reveal anything about the input that was used togenerate it.
– It is computationally infeasible to produce data that has a specific digest.– It is computationally infeasible to produce two different unit of data that
produce the same digest.
Códigos y Criptografía Francisco Rodríguez Henríquez
Hash Algorithms
• Reduce variable-length input to fixed-length (128 or 160bit) output
• Requirements
– Can't deduce input from output
– Can't generate a given output
– Can't find two inputs which produce thesame output
Códigos y Criptografía Francisco Rodríguez Henríquez
Hash Algorithms
• Used to– Produce fixed-length fingerprint of arbitrary-
length data– Produce data checksums to enable detection
of modifications– Distil passwords down to fixed-length
encryption keys
• Also called message digests orfingerprints
Códigos y Criptografía Francisco Rodríguez Henríquez
Message AuthenticationCode MAC
• Hash algorithm + key to make hash valuedependant on the key
• Most common form is HMAC (hash MAC)– hash( key, hash( key, data ))
• Key affects both start and end of hashing process
• Naming: hash + key = HMAC-hash– MD5 1 HMAC-MD5– SHA-1 1 HMAC-SHA (recommended)
Códigos y Criptografía Francisco Rodríguez Henríquez
RSA: An Example
Códigos y Criptografía Francisco Rodríguez Henríquez
Digital Signatures• Combines a hash with a digital signature
algorithm• To sign
– hash the data– encrypt the hash with the sender's private key– send data signer’s name and signature
• To verify– hash the data– decrypt the signature with the sender's public key– the result of which should match the hash
Códigos y Criptografía Francisco Rodríguez Henríquez
Digital Signatures
• A data string associating a message with anoriginating entity– Signature generation algorithm– Signature verification algorithm– Signature scheme
• Used for authentication, integrity, andnonrepudiation
• Public key certification is one of the mostsignificant applications
Códigos y Criptografía Francisco Rodríguez Henríquez
Digital Signature/VerificationSchemes
Códigos y Criptografía Francisco Rodríguez Henríquez
Digital Signature/VerificationSchemes
Códigos y Criptografía Francisco Rodríguez Henríquez
Digital Signature/VerificationSchemes
Códigos y Criptografía Francisco Rodríguez Henríquez
Diffie-Hellman protocol
Códigos y Criptografía Francisco Rodríguez Henríquez
Diffie-Hellman protocol
Códigos y Criptografía Francisco Rodríguez Henríquez
Diffie-Hellman protocol
Códigos y Criptografía Francisco Rodríguez Henríquez
Key exchange: Diffie-Hellman protocol
1. Picks a ∈ GF(p) at random2. Computes TA = ga mod p3. Sends TA
4. Receives TB
5. Computes KA = TBa mod p
1. Picks b ∈ GF(p) at random2. Computes TB = gb mod p3. Receives TA
4. Sends TB
5. Computes KB = TAb mod p
Where K = KA = KB, Because:TB
a = (gb)a = gba = gab = (ga)b = TAb mod p
Machine A Machine B
Códigos y Criptografía Francisco Rodríguez Henríquez
Mensaje para Anita en La Jornada
Querida Anita de mi corazón: Quisiera pedirte que nuestro número primo
sea 128903289023 y nuestra g 23489. Te quiere
Betito.
Códigos y Criptografía Francisco Rodríguez Henríquez
Middle-person attack.• Consider the following scenario:
Anita Middleperson Betitoga = 8389 gx = 5876 gb = 9267
8389 58765876 9267
Shared key KAX: Shared key KBX
5876a = 8389x 9267x = 5876b
• After this exchange, the middle-person attacker simply decrypts any messages sent out by A or B, and then reads any possibly modifies them before re-encrypting with the appropriate key and transmitting them to the correct party.• Middle-person attack is possible due to the fact that DHC does not authenticate the participants. Possible solutions are digital signatures and other protocol variants.
Códigos y Criptografía Francisco Rodríguez Henríquez
Solution: Mutual authentication
BA
I am A, R1
R2, KAB {R1}
KAB{R2}
Códigos y Criptografía Francisco Rodríguez Henríquez
Reflection attack
T
BBT
B
I am A,R1R2, KAB{R1}
I am A, R2
R3, KAB{R2}
Códigos y Criptografía Francisco Rodríguez Henríquez
Encryption across apacket-switching network
Códigos y Criptografía Francisco Rodríguez Henríquez
Elements of PKI
• Certificate Authorities (CA)– OpenSSL, Netscape, Verisign, Entrust, RSA Keon
• Public/Private Key Pairs - Key management
• x.509 Identity Certificates - Certificatemanagement
• LDAP servers
Códigos y Criptografía Francisco Rodríguez Henríquez
• Public-key cryptography standards (PKCS)• Owned by RSA and motivated to promote RSA• Created in early 1990’s• Numbered from PKCS1 to PKCS15• Some along the way have
– lost interest– folded into other PKCS– taken over by other standards bodies
• Continue to evolve
PKCS
Códigos y Criptografía Francisco Rodríguez Henríquez
RSA cryptosystem by layers
FP finite field operations : Addition, Squaring,
multiplication, inversion and exponentiation
RSA primitive Operations: Encryption: C = Me mod n,Decryption M = Cd mod n.
PKCS Primitives: PKCS1_OAEP_Encode,PKCS1_OAEP_Decode, etc
PKCS User Functions:PKCS1_OAEP_Encrypt,PKCS1_OAEP_Decrypt, PKCS1_v15_Sign,
Protocols and Applications: SSL, TLS, WTLS, WAP,etc.
Códigos y Criptografía Francisco Rodríguez Henríquez
• RSA Cryptography Standard
Version 2.0 onwards (1998)
RSA Encryption Standard
Version 1.5 (1993)
PKCS 1
Códigos y Criptografía Francisco Rodríguez Henríquez
• Specifies how to use the RSA algorithmsecurely for encryption and signature
• Why do we need this?
– Padding for encryption
– Different schemes for signature
PKCS 1
Códigos y Criptografía Francisco Rodríguez Henríquez
• Chosen ciphertext attack based onmultiplicative property of RSA
• Attacker wishes to decrypt cChoose r, compute c’ = c⋅ re mod n
Get victim to decrypt c’ giving cd ⋅ r mod n
cd ⋅ r ⋅ r-1 mod n = cd mod n
• Padding destroys multiplicative property
PKCS 1
Códigos y Criptografía Francisco Rodríguez Henríquez
RSA: Key Generation
Códigos y Criptografía Francisco Rodríguez Henríquez
RSA: Encryption, Decryption
Códigos y Criptografía Francisco Rodríguez Henríquez
RSA: An Example
Códigos y Criptografía Francisco Rodríguez Henríquez
RSA encryption isdeterministic
Attack example: C = (PIN)e mod n, where PIN is 4-digit number.We can find M by a brute force attack within several 10 seconds.
=> We need a semantically secure cryptosystem!
We can check whether M is the message of C by C=Me mod n.
Semantically secure: For two messages M0, M1, and C = Mb2 mod n,
attackers can not guess whether C is encryption of Mb (b=0,1).
An easy way is to pad M with random integer R like M||R, but no security proof!
Códigos y Criptografía Francisco Rodríguez Henríquez
Chosen Ciphertext Attack (CCA)
Decryption oracle
ciphertext C
Information based on C,dd
An attack example:(0) We assume the decryption oracle computes Ad mod n for a request.(1) Attacker computes A = ReC mod n for a random R in Zn, and sends A to
the decryption oracle.(2) Decryption oracle computes B = Ad mod n and send B back to the
attacker.(3) The attacker computes B/R = M mod n and get the message M.
There are several models, which are secure against the chosen ciphertext attack
Códigos y Criptografía Francisco Rodríguez Henríquez
Side Channel AttacksAlgorithm Binary exponentiation Input: a in G, exponent d = (dk,dk-1,…,d0)
(dk is the most significant bit) Output: c = ad in G 1. c = a; 2. For i = k-1 down to 0; 3. c = c2; 4. If di =1 then c = c*a; 5. Return c;
The time or the power to execute c2 and c*a are different
(side channel information).
Algorithm Coron’s exponentiation Input: a in G, exponent d = (dk,dk-1,…,dl0) Output: c = ad in G 1. c[0] = 1; 2. For i = k-1 down to 0; 3. c[0] = c[0]2; 4. c[1] = c[0]*a; 5. c[0] = c[di]; 6. Return c[0];
Códigos y Criptografía Francisco Rodríguez Henríquez
Differential Fault Attack(DFA)
An attacker obtains a decryption which is computed in a wrong way.
nM = Cd mod n
p dp = d mod (p-1)
Mp = Cdp mod p
dq = d mod (q-1)
Mq =Cdq mod q v = (Mq – Mp) p-1 mod q,
q
n M = Mp + pv mod n.
In the RSA using the CRT, if an attacker can break the computation of v (as v=0), then he/she can factor n by computing gcd(M-Mp,n)=p.
Códigos y Criptografía Francisco Rodríguez Henríquez
Klima-Rosa attack againstPGP
Decryption oracle
integer X
Xd mod n’d, n’
An attacker can change the public key n to n’
The attacker can obtain Xd mod n’ for changed n’.He/she can recover d by Silver-Pohlig-Hellman algorithm
PGP dose not encrypt the key file which includes n.
Códigos y Criptografía Francisco Rodríguez Henríquez
Bleichenbacher’s CCADecryption oracle
any integer C mod n
Cd PKCS-format or notd
PKCS-Format for a message m
00 02 random padding 00 message mat least 8 bytes
most significant byte least significant byte
Theorem (Bleichenbacher): Let n be a 1024-bit RSA modus. For a given C, the value Cd mod n can be computed by about 220 accesses to the decryption oracle, where d is the secret key.
Códigos y Criptografía Francisco Rodríguez Henríquez
• Version 1.5, 1993– Encryption padding was found defective in
1998 by Bleichenbacher– Possible to generate valid ciphertext without
knowing corresponding plaintext withreasonable probability of success (chosenciphertext)
PKCS 1
Códigos y Criptografía Francisco Rodríguez Henríquez
• Uses Optimal asymmetric encryption protocol (OAEP) byBellare-Rogoway 1994– provably secure in the random oracle model.– Informally, if hash functions are truly random, then an
adversary who can recover such a message must be ableto break RSA
– plaintext-awareness: to construct a valid OAEP encodedmessage, an adversary must know the original plaintext
• PKCS 1 version 1.5 padding continues to be allowed forbackward compatibility
• Accommodation for multi-prime RSA– Speed up private key operations
PKCS 1
Códigos y Criptografía Francisco Rodríguez Henríquez
• Cryptographic primitives• Cryptographic scheme
– Encryption scheme– Signature scheme
• Signature with appendix: supported• Signature with message recovery: not supported
• Encoding and decoding– Converting an integer message into an octet string
for use in encryption or signature scheme and viceversa
PKCS 1
Códigos y Criptografía Francisco Rodríguez Henríquez
• Cryptographic primitives
• Encrypt RSAEP((n,e),m)
• Decrypt RSADP((n,d),c)
• Sign RSASP1((n,d),m)
• Verify RSAVP1((n,e),s)
Basically exponentiation with differently namedinputs!!
PKCS 1
Códigos y Criptografía Francisco Rodríguez Henríquez
Encryption scheme• Combines encryption primitive with an encryption
encoding method• message → encoded message → integer message
representative → encrypted messageDecryption scheme• Combines decryption primitive with a decryption
decoding method• encrypted message → integer message representative →
encoded message → messageOriginal version 1.5 scheme and new version 2.0 scheme
PKCS 1
Códigos y Criptografía Francisco Rodríguez Henríquez
Encryption scheme• Combines signature primitive with a signature encoding
method.• message → encoded message → integer message
representative → signatureDecryption scheme• Combines verification primitive with a verification
decoding method• signature → integer message representative → encoded• message → messageOriginal version 1.5 scheme
Signature with appendix
PKCS 1
Códigos y Criptografía Francisco Rodríguez Henríquez
PKCS 1
Comp. mess. digestMD’Message digestMD
Length of X in octets||X||MessageMsignatureSpriv exp.dPadding stringPSpublic exp.eBlock typeBTPrime factors of np, q
Encrypted dataEDThe modulus, 28(k-
1)≤ n<28kn
Encryption blockEBLength of n in octetskMeaningSymbolMeaningSymbol
Códigos y Criptografía Francisco Rodríguez Henríquez
The data is an octet string D, where ||D|| ≤ k-11. BT is a single octet whose hexrepresentation is either 00 or 01. PS is anoctet string with ||PS|| = k -3-||D||. If BT =00, then all octets in PS are 00; if BT=01,then all octets in PS are FF.
PKCS Data formatting
Códigos y Criptografía Francisco Rodríguez Henríquez
PKCS-Format for a message m
00 02 random padding 00 message mat least 8 bytes
most significant byte least significant byte
PKCS Data formattingThe formatted data block (called the encryption block) is:
EB = 00||BT||PS||00||D.
Códigos y Criptografía Francisco Rodríguez Henríquez
i. The leading 00 block ensures that the octetstring EB, when interpreted as an integer, isless than the modulus n.
ii. If the block type is BT = 00, then either D mustbegin with a non-zero octet or its length mustbe known, in order to permit unambiguousparsing of EB.
PKCS Data formatting
Códigos y Criptografía Francisco Rodríguez Henríquez
iii. If BT = 01, then unambiguous parsing isalways possible.
iv. For the reason given in (iii), and tothwart certain potential attacks on thesignature mechanism, BT = 01 isrecommended.
PKCS Data formatting
Códigos y Criptografía Francisco Rodríguez Henríquez
Example: Suppose that n is a 1024-bitmodulus (so k = 128). If ||D|| = 20 octets,then ||PS|| = 105 octets, so that ||EB|| =128 octets.
PKCS Data formatting
Códigos y Criptografía Francisco Rodríguez Henríquez
1. Message Hashing. Hash the message Musing the selected message-digest algorithmto get the octet string MD.
2. Message Digest Encoding. MD and thehash algorithm identifier are combined intoan ASN.1 (Abstract Syntax Notation) valueand then BER-encoded (Basic EncodedRules) to give an octec data string D.
Signature process for PKCS #1
Códigos y Criptografía Francisco Rodríguez Henríquez
3. Data block formatting. With data stringinput D, use the data formatting discussedpreviously to form octet string EB.
4. Octet-string2integer conversion. Let theoctets ob EB be EB1|| EB1|| EB2||… ||EBk.Define EB’i to be the integer whose binaryrepresentation is the octet EBi (LSB bit ison the right).
Signature process for PKCS #1
Códigos y Criptografía Francisco Rodríguez Henríquez
5. RSA Computation. Compute s = md mod n.
6. Integer2octet-string conversion. Convert s
to an octet string. The signature is S = ED.
Signature process for PKCS #1
Códigos y Criptografía Francisco Rodríguez Henríquez
Signature process for PKCS #1
5. RSA COmputation
4. OctetString2integer conversion3. Data block formatting
2. Message Digest Encoding
1. Message Hashing
6. Integer2octetString conversion
MESSAGE
SIGNATURE
Códigos y Criptografía Francisco Rodríguez Henríquez
1. Octet-string2integer conversion. Reject S ifthe bit-length of S is not a multiple of 8.Convert S to an integer s as in step 4 of thesignature process. Reject the signature is s >n.
2. RSA Computation. Compute m = se mod n.
Verification process forPKCS #1
Códigos y Criptografía Francisco Rodríguez Henríquez
3. Integer2octet-string conversion. Convert mto an octet string as in step 6 of thesignature process.
4. Parsing. Parse EB into a block type BT, apadding string PS, and the data D.
• Reject if EB cannot be parsed unambiguously.• Reject if BT is not one of 00 or 01.• Reject if PS consists of < 8 octets or is
inconsistent with BT.
Verification process forPKCS #1
Códigos y Criptografía Francisco Rodríguez Henríquez
5. Data Decoding.– BER-decode D to get a message digest MD and
a hash algorithm identifier.
– Reject if the hashing algorithm does not identifyone of MD2 or MD5.
6. Message Digest and Comparison. Hash themessage M using the selected message-digest algorithm to get the octet string MD’and compare it with MD obtained in (5).
Verification process forPKCS #1
Códigos y Criptografía Francisco Rodríguez Henríquez
Verification process forPKCS #1
5. Data Encoding
4. Parsing3. Integer2octetString conversion
2. RSA Computation
1. OctetString2integer conversion
6. Message digesting and comparison
Signature and message
SIGNATURE
Códigos y Criptografía Francisco Rodríguez Henríquez
Probabilistic signature scheme (PSS)
Provably secure in random oracle model
Natural extension to message recovery
PKCS 1: The Future